Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2023-03-02 23:01:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Thu Mar 2 23:01:38 2023 rev:680 rq:1068171 version:6.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2023-02-28 12:47:45.924138692 +0100 +++ /work/SRC/openSUSE:Factory/.kernel-source.new.31432/dtb-aarch64.changes 2023-03-02 23:01:40.130666081 +0100 @@ -1,0 +2,86 @@ +Mon Feb 27 12:39:20 CET 2023 - [email protected] + +- Linux 6.2.1 (bsc#1012628). +- bpf: add missing header file include (bsc#1012628). +- randstruct: disable Clang 15 support (bsc#1012628). +- ext4: Fix function prototype mismatch for ext4_feat_ktype + (bsc#1012628). +- platform/x86: nvidia-wmi-ec-backlight: Add force module + parameter (bsc#1012628). +- platform/x86/amd/pmf: Add depends on CONFIG_POWER_SUPPLY + (bsc#1012628). +- audit: update the mailing list in MAINTAINERS (bsc#1012628). +- wifi: mwifiex: Add missing compatible string for SD8787 + (bsc#1012628). +- HID: mcp-2221: prevent UAF in delayed work (bsc#1012628). +- x86/static_call: Add support for Jcc tail-calls (bsc#1012628). +- x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 + instructions (bsc#1012628). +- x86/alternatives: Introduce int3_emulate_jcc() (bsc#1012628). +- uaccess: Add speculation barrier to copy_from_user() + (bsc#1012628). +- commit 15796ef + +------------------------------------------------------------------- +Fri Feb 24 15:32:06 CET 2023 - [email protected] + +- Disable PS3 support + The PS3 hardware cannot be used with up-to-date firmware. +- commit 484fa63 + +------------------------------------------------------------------- +Fri Feb 24 14:53:02 CET 2023 - [email protected] + +- uvesafb: Disable fbdev driver (boo#1208662) + A VESA-based driver. Dropped in favor of generic DRM drivers. +- commit f0d0f1a + +------------------------------------------------------------------- +Fri Feb 24 14:39:16 CET 2023 - [email protected] + +- ocfb: Disable fbdev driver (boo#1208660) + The OpenCores fbdev driver is for an old homebrew chip design. Probably + unused. +- commit 00dd263 + +------------------------------------------------------------------- +Fri Feb 24 14:10:24 CET 2023 - [email protected] + +- udlfb: Disable fbdev driver (boo#1208658) + We've long shipped the DRM-based udl driver, which handles the same + devices. +- commit 8a53173 + +------------------------------------------------------------------- +Fri Feb 24 13:16:18 CET 2023 - [email protected] + +- ssd1307fb: Replace with ssd130x (boo#1208656) + Replace fbdev's ssd1307fb driver with the new DRM-based driver + ssd130x. Adds support for SPI and Wayland-based userspace. +- commit 1fe1b4c + +------------------------------------------------------------------- +Fri Feb 24 10:30:43 CET 2023 - [email protected] + +- vfb: Disable fbdev driver (boo#1208646) + The vfb fbdev driver is backed by system memory and only relevant for + testing. Disable it. There is DRM's vkms, if a software-only driver is + required. +- commit b1c9331 + +------------------------------------------------------------------- +Fri Feb 24 09:43:37 CET 2023 - [email protected] + +- Disable gxt4500 fbdev driver (boo#1208642) + The gxt4500 driver serves a 20yrs-old graphics hardware for + IBM RS/6000 system. Probably not in use any longer. +- commit 5313a19 + +------------------------------------------------------------------- +Tue Feb 21 07:32:10 CET 2023 - [email protected] + +- blacklist.conf: clean up + Remove the only (5.5) entry. It was needed only years ago. +- commit de1e630 + +------------------------------------------------------------------- @@ -6,0 +93,20 @@ + +------------------------------------------------------------------- +Sat Feb 18 08:02:26 CET 2023 - [email protected] + +- arm64: lock down kernel in secure boot mode (jsc#SLE-15020, bsc#1198101). +- efi: Lock down the kernel at the integrity level if booted in + secure boot mode (jsc#SLE-9870, bsc#1198101). +- efi: Lock down the kernel if booted in secure boot mode + (jsc#SLE-9870, bsc#1198101). +- Update config files. + - The shim for openSUSE Tumbleweed needs to be reviewed by upstream + and signed by Microsoft. So we need to lockdown kernel on x86_64 + and arm64 because EFI secure boot. + - We disable CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT in other + architectures. +- efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode + (jsc#SLE-9870, bsc#1198101). +- security: lockdown: expose a hook to lock the kernel down + (jsc#SLE-9870, bsc#1198101). +- commit a7d5b50 dtb-armv6l.changes: same change dtb-armv7l.changes: same change dtb-riscv64.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-kvmsmall.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change kernel-zfcpdump.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.238693748 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.250693803 +0100 @@ -17,7 +17,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb,check-module-license,klp-symbols,splitflist,mergedep,moddep,modflist,kernel-subpackage-build}) Name: dtb-aarch64 -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change dtb-riscv64.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.406694509 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.410694528 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.446694690 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.454694726 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: A Debug Version of the Kernel License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %ifarch ppc64 Provides: kernel-kdump = 2.6.28 Obsoletes: kernel-kdump <= 2.6.28 ++++++ kernel-default.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.482694853 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.494694907 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: The Standard Kernel License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %ifarch %ix86 Provides: kernel-smp = 2.6.17 Obsoletes: kernel-smp <= 2.6.17 ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.518695016 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.526695052 +0100 @@ -17,7 +17,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -31,9 +31,9 @@ Summary: Kernel Documentation License: GPL-2.0-only Group: Documentation/Man -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -67,7 +67,7 @@ %endif URL: https://www.kernel.org/ Provides: %name = %version-%source_rel -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz ++++++ kernel-kvmsmall.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.558695197 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.566695234 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: The Small Developer Kernel for KVM License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc kernel-lpae.spec: same change ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.634695542 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.642695578 +0100 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 @@ -45,7 +45,7 @@ %endif %endif %endif -BuildRequires: kernel%kernel_flavor-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +BuildRequires: kernel%kernel_flavor-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %if 0%{?rhel_version} BuildRequires: kernel @@ -64,9 +64,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0-only Group: SLES -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.674695723 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.682695759 +0100 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0-only Group: SLES -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.714695904 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.722695940 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: Kernel with PAE Support License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %ifarch %ix86 Provides: kernel-bigsmp = 2.6.17 Obsoletes: kernel-bigsmp <= 2.6.17 ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.750696067 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.762696121 +0100 @@ -17,7 +17,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 @@ -31,9 +31,9 @@ %endif Name: kernel-source -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -50,7 +50,7 @@ BuildRequires: sed Requires(post): coreutils sed Provides: %name = %version-%source_rel -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 Provides: linux Provides: multiversion(kernel) Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.802696303 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.806696321 +0100 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0-only Group: Development/Sources -Version: 6.2.0 +Version: 6.2.1 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -52,7 +52,7 @@ %endif Requires: pesign-obs-integration Provides: %name = %version-%source_rel -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 Provides: multiversion(kernel) Source: README.KSYMS Requires: kernel-devel%variant = %version-%source_rel ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:46.842696484 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:46.850696520 +0100 @@ -18,7 +18,7 @@ %define srcversion 6.2 -%define patchversion 6.2.0 +%define patchversion 6.2.1 %define variant %{nil} %define vanilla_only 0 %define compress_modules zstd @@ -111,9 +111,9 @@ Summary: The Standard Kernel - without any SUSE patches License: GPL-2.0-only Group: System/Kernel -Version: 6.2.0 +Version: 6.2.1 %if 0%{?is_kotd} -Release: <RELEASE>.g89e2785 +Release: <RELEASE>.g69e0e95 %else Release: 0 %endif @@ -240,10 +240,10 @@ Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 -Provides: kernel-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: kernel-%build_flavor-base-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 +Provides: kernel-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 # END COMMON DEPS -Provides: %name-srchash-89e27851f72a9025c71bfb1a4edc9748cfbed036 +Provides: %name-srchash-69e0e95118afe307ac9da57c2cc7f80673a41423 %obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc kernel-zfcpdump.spec: same change ++++++ config.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/arm64/default new/config/arm64/default --- old/config/arm64/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/arm64/default 2023-02-25 23:38:51.000000000 +0100 @@ -7668,7 +7668,7 @@ # CONFIG_FB_UDL is not set # CONFIG_FB_IBM_GXT4500 is not set CONFIG_FB_XILINX=m -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set CONFIG_FB_MX3=y @@ -12194,6 +12194,7 @@ # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/arm64/kvmsmall new/config/arm64/kvmsmall --- old/config/arm64/kvmsmall 2023-02-20 00:02:32.000000000 +0100 +++ new/config/arm64/kvmsmall 2023-02-25 23:38:51.000000000 +0100 @@ -97,7 +97,6 @@ # CONFIG_EQUALIZER is not set # CONFIG_EXTCON_FSA9480 is not set CONFIG_FAILOVER=y -# CONFIG_FB_VIRTUAL is not set # CONFIG_FDDI is not set # CONFIG_FIREWIRE is not set # CONFIG_FIREWIRE_NOSY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/armv6hl/default new/config/armv6hl/default --- old/config/armv6hl/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/armv6hl/default 2023-02-25 23:38:51.000000000 +0100 @@ -5660,7 +5660,7 @@ # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set # CONFIG_FB_IBM_GXT4500 is not set -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set CONFIG_FB_MX3=m # CONFIG_FB_SSD1307 is not set @@ -8371,6 +8371,7 @@ # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/armv7hl/default new/config/armv7hl/default --- old/config/armv7hl/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/armv7hl/default 2023-02-25 23:38:51.000000000 +0100 @@ -7507,15 +7507,15 @@ CONFIG_FB_TMIO_ACCELL=y CONFIG_FB_SM501=m # CONFIG_FB_SMSCUFX is not set -CONFIG_FB_UDL=m +# CONFIG_FB_UDL is not set # CONFIG_FB_IBM_GXT4500 is not set CONFIG_FB_XILINX=m CONFIG_FB_DA8XX=m -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set CONFIG_FB_MX3=m -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices @@ -11765,6 +11765,7 @@ # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/i386/pae new/config/i386/pae --- old/config/i386/pae 2023-02-20 00:02:32.000000000 +0100 +++ new/config/i386/pae 2023-02-25 23:38:51.000000000 +0100 @@ -6841,7 +6841,9 @@ CONFIG_DRM_XEN_FRONTEND=m CONFIG_DRM_VBOXVIDEO=m CONFIG_DRM_GUD=m -# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_SSD130X=m +CONFIG_DRM_SSD130X_I2C=m +CONFIG_DRM_SSD130X_SPI=m CONFIG_DRM_HYPERV=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y @@ -6864,7 +6866,6 @@ # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y -CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y CONFIG_FB_TILEBLITTING=y @@ -6911,13 +6912,13 @@ # CONFIG_FB_GEODE is not set # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set -CONFIG_FB_IBM_GXT4500=m -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set CONFIG_XEN_FBDEV_FRONTEND=m # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_HYPERV is not set -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/ppc64/default new/config/ppc64/default --- old/config/ppc64/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/ppc64/default 2023-02-25 23:38:51.000000000 +0100 @@ -397,28 +397,7 @@ CONFIG_PPC_PMAC64=y CONFIG_PPC_MAPLE=y # CONFIG_PPC_PASEMI is not set -CONFIG_PPC_PS3=y - -# -# PS3 Platform Options -# -CONFIG_PS3_ADVANCED=y -CONFIG_PS3_HTAB_SIZE=20 -# CONFIG_PS3_DYNAMIC_DMA is not set -CONFIG_PS3_VUART=y -CONFIG_PS3_PS3AV=y -CONFIG_PS3_SYS_MANAGER=y -# CONFIG_PS3_VERBOSE_RESULT is not set -# CONFIG_PS3_REPOSITORY_WRITE is not set -CONFIG_PS3_STORAGE=m -CONFIG_PS3_DISK=m -CONFIG_PS3_ROM=m -CONFIG_PS3_FLASH=m -CONFIG_PS3_VRAM=m -CONFIG_PS3_LPM=m -# CONFIG_PS3GELIC_UDBG is not set -# end of PS3 Platform Options - +# CONFIG_PPC_PS3 is not set CONFIG_PPC_CELL=y CONFIG_PPC_CELL_COMMON=y CONFIG_PPC_CELL_NATIVE=y @@ -3183,8 +3162,6 @@ # CONFIG_TI_CPSW_PHY_SEL is not set CONFIG_TLAN=m CONFIG_NET_VENDOR_TOSHIBA=y -CONFIG_GELIC_NET=m -CONFIG_GELIC_WIRELESS=y CONFIG_SPIDER_NET=m CONFIG_NET_VENDOR_VERTEXCOM=y CONFIG_MSE102X=m @@ -6127,7 +6104,9 @@ # CONFIG_TINYDRM_ST7586 is not set # CONFIG_TINYDRM_ST7735R is not set CONFIG_DRM_GUD=m -# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_SSD130X=m +CONFIG_DRM_SSD130X_I2C=m +CONFIG_DRM_SSD130X_SPI=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y # CONFIG_DRM_LIB_RANDOM is not set @@ -6149,7 +6128,6 @@ # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y -CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y CONFIG_FB_TILEBLITTING=y @@ -6162,8 +6140,8 @@ # CONFIG_FB_ASILIANT is not set # CONFIG_FB_IMSTT is not set # CONFIG_FB_VGA16 is not set -CONFIG_FB_UVESA=m -CONFIG_FB_OPENCORES=m +# CONFIG_FB_UVESA is not set +# CONFIG_FB_OPENCORES is not set # CONFIG_FB_S1D13XXX is not set # CONFIG_FB_NVIDIA is not set # CONFIG_FB_RIVA is not set @@ -6186,14 +6164,12 @@ # CONFIG_FB_CARMINE is not set # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set -CONFIG_FB_IBM_GXT4500=m -CONFIG_FB_PS3=y -CONFIG_FB_PS3_DEFAULT_SIZE_M=9 +# CONFIG_FB_IBM_GXT4500 is not set # CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_SIMPLE is not set -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices @@ -6377,8 +6353,6 @@ CONFIG_SND_PPC=y CONFIG_SND_POWERMAC=m CONFIG_SND_POWERMAC_AUTO_DRC=y -CONFIG_SND_PS3=m -CONFIG_SND_PS3_DEFAULT_START_DELAY=2000 CONFIG_SND_AOA=m CONFIG_SND_AOA_FABRIC_LAYOUT=m CONFIG_SND_AOA_ONYX=m @@ -6585,7 +6559,6 @@ CONFIG_USB_OHCI_BIG_ENDIAN_DESC=y CONFIG_USB_OHCI_BIG_ENDIAN_MMIO=y CONFIG_USB_OHCI_LITTLE_ENDIAN=y -CONFIG_USB_EHCI_BIG_ENDIAN_MMIO=y CONFIG_USB_SUPPORT=y CONFIG_USB_COMMON=m CONFIG_USB_LED_TRIG=y @@ -7136,7 +7109,6 @@ CONFIG_RTC_DRV_GENERIC=m CONFIG_RTC_DRV_CADENCE=m # CONFIG_RTC_DRV_FTRTC010 is not set -CONFIG_RTC_DRV_PS3=m # CONFIG_RTC_DRV_R7301 is not set # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/ppc64/kvmsmall new/config/ppc64/kvmsmall --- old/config/ppc64/kvmsmall 2023-02-20 00:02:32.000000000 +0100 +++ new/config/ppc64/kvmsmall 2023-02-25 23:38:51.000000000 +0100 @@ -238,7 +238,6 @@ # CONFIG_PPC_MAPLE is not set # CONFIG_PPC_PMAC is not set # CONFIG_PPC_POWERNV is not set -# CONFIG_PPC_PS3 is not set # CONFIG_PPS_CLIENT_GPIO is not set # CONFIG_PPS_CLIENT_LDISC is not set # CONFIG_PTP_1588_CLOCK is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/ppc64le/default new/config/ppc64le/default --- old/config/ppc64le/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/ppc64le/default 2023-02-25 23:38:51.000000000 +0100 @@ -5993,7 +5993,9 @@ # CONFIG_TINYDRM_ST7586 is not set # CONFIG_TINYDRM_ST7735R is not set CONFIG_DRM_GUD=m -# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_SSD130X=m +CONFIG_DRM_SSD130X_I2C=m +CONFIG_DRM_SSD130X_SPI=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y # CONFIG_DRM_LIB_RANDOM is not set @@ -6015,7 +6017,6 @@ # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y -CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y CONFIG_FB_TILEBLITTING=y @@ -6028,8 +6029,8 @@ # CONFIG_FB_ASILIANT is not set # CONFIG_FB_IMSTT is not set # CONFIG_FB_VGA16 is not set -CONFIG_FB_UVESA=m -CONFIG_FB_OPENCORES=m +# CONFIG_FB_UVESA is not set +# CONFIG_FB_OPENCORES is not set # CONFIG_FB_S1D13XXX is not set # CONFIG_FB_NVIDIA is not set # CONFIG_FB_RIVA is not set @@ -6052,12 +6053,12 @@ # CONFIG_FB_CARMINE is not set # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set -CONFIG_FB_IBM_GXT4500=m +# CONFIG_FB_IBM_GXT4500 is not set # CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_SIMPLE is not set -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/riscv64/default new/config/riscv64/default --- old/config/riscv64/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/riscv64/default 2023-02-25 23:38:51.000000000 +0100 @@ -6203,7 +6203,9 @@ # CONFIG_TINYDRM_ST7586 is not set # CONFIG_TINYDRM_ST7735R is not set CONFIG_DRM_GUD=m -# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_SSD130X=m +CONFIG_DRM_SSD130X_I2C=m +CONFIG_DRM_SSD130X_SPI=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y # CONFIG_DRM_LIB_RANDOM is not set @@ -6225,7 +6227,6 @@ # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y -CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y CONFIG_FB_TILEBLITTING=y @@ -6263,12 +6264,12 @@ # CONFIG_FB_SH_MOBILE_LCDC is not set # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set -CONFIG_FB_IBM_GXT4500=m +# CONFIG_FB_IBM_GXT4500 is not set CONFIG_FB_GOLDFISH=m -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices @@ -9201,6 +9202,7 @@ # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/x86_64/default new/config/x86_64/default --- old/config/x86_64/default 2023-02-20 00:02:32.000000000 +0100 +++ new/config/x86_64/default 2023-02-25 23:38:51.000000000 +0100 @@ -6669,7 +6669,9 @@ CONFIG_DRM_XEN_FRONTEND=m CONFIG_DRM_VBOXVIDEO=m CONFIG_DRM_GUD=m -# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_SSD130X=m +CONFIG_DRM_SSD130X_I2C=m +CONFIG_DRM_SSD130X_SPI=m CONFIG_DRM_HYPERV=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y @@ -6692,7 +6694,6 @@ # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y -CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y CONFIG_FB_TILEBLITTING=y @@ -6737,13 +6738,13 @@ # CONFIG_FB_CARMINE is not set # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set -CONFIG_FB_IBM_GXT4500=m -CONFIG_FB_VIRTUAL=m +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set CONFIG_XEN_FBDEV_FRONTEND=m # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_HYPERV is not set -CONFIG_FB_SSD1307=m +# CONFIG_FB_SSD1307 is not set # CONFIG_FB_SM712 is not set # end of Frame buffer Devices @@ -10280,6 +10281,7 @@ # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/x86_64/kvmsmall new/config/x86_64/kvmsmall --- old/config/x86_64/kvmsmall 2023-02-20 00:02:32.000000000 +0100 +++ new/config/x86_64/kvmsmall 2023-02-25 23:38:51.000000000 +0100 @@ -127,8 +127,6 @@ # CONFIG_EXTCON_FSA9480 is not set # CONFIG_F71808E_WDT is not set CONFIG_FAILOVER=y -# CONFIG_FB_IBM_GXT4500 is not set -# CONFIG_FB_VIRTUAL is not set # CONFIG_FCOE_FNIC is not set # CONFIG_FDDI is not set # CONFIG_FIREWIRE is not set ++++++ patches.kernel.org.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-001-uaccess-Add-speculation-barrier-to-copy_from_us.patch new/patches.kernel.org/6.2.1-001-uaccess-Add-speculation-barrier-to-copy_from_us.patch --- old/patches.kernel.org/6.2.1-001-uaccess-Add-speculation-barrier-to-copy_from_us.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-001-uaccess-Add-speculation-barrier-to-copy_from_us.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,116 @@ +From: Dave Hansen <[email protected]> +Date: Tue, 21 Feb 2023 12:30:15 -0800 +Subject: [PATCH] uaccess: Add speculation barrier to copy_from_user() +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 74e19ef0ff8061ef55957c3abd71614ef0f42f47 + +commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 upstream. + +The results of "access_ok()" can be mis-speculated. The result is that +you can end speculatively: + + if (access_ok(from, size)) + // Right here + +even for bad from/size combinations. On first glance, it would be ideal +to just add a speculation barrier to "access_ok()" so that its results +can never be mis-speculated. + +But there are lots of system calls just doing access_ok() via +"copy_to_user()" and friends (example: fstat() and friends). Those are +generally not problematic because they do not _consume_ data from +userspace other than the pointer. They are also very quick and common +system calls that should not be needlessly slowed down. + +"copy_from_user()" on the other hand uses a user-controller pointer and +is frequently followed up with code that might affect caches. Take +something like this: + + if (!copy_from_user(&kernelvar, uptr, size)) + do_something_with(kernelvar); + +If userspace passes in an evil 'uptr' that *actually* points to a kernel +addresses, and then do_something_with() has cache (or other) +side-effects, it could allow userspace to infer kernel data values. + +Add a barrier to the common copy_from_user() code to prevent +mis-speculated values which happen after the copy. + +Also add a stub for architectures that do not define barrier_nospec(). +This makes the macro usable in generic code. + +Since the barrier is now usable in generic code, the x86 #ifdef in the +BPF code can also go away. + +Reported-by: Jordy Zomer <[email protected]> +Suggested-by: Linus Torvalds <[email protected]> +Signed-off-by: Dave Hansen <[email protected]> +Reviewed-by: Thomas Gleixner <[email protected]> +Acked-by: Daniel Borkmann <[email protected]> # BPF bits +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + include/linux/nospec.h | 4 ++++ + kernel/bpf/core.c | 2 -- + lib/usercopy.c | 7 +++++++ + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/include/linux/nospec.h b/include/linux/nospec.h +index c1e79f72..9f0af4f1 100644 +--- a/include/linux/nospec.h ++++ b/include/linux/nospec.h +@@ -11,6 +11,10 @@ + + struct task_struct; + ++#ifndef barrier_nospec ++# define barrier_nospec() do { } while (0) ++#endif ++ + /** + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise + * @index: array element index +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index ba3fff17..430c66d5 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1910,9 +1910,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) + * reuse preexisting logic from Spectre v1 mitigation that + * happens to produce the required code on x86 for v4 as well. + */ +-#ifdef CONFIG_X86 + barrier_nospec(); +-#endif + CONT; + #define LDST(SIZEOP, SIZE) \ + STX_MEM_##SIZEOP: \ +diff --git a/lib/usercopy.c b/lib/usercopy.c +index 1505a52f..d29fe29c 100644 +--- a/lib/usercopy.c ++++ b/lib/usercopy.c +@@ -3,6 +3,7 @@ + #include <linux/fault-inject-usercopy.h> + #include <linux/instrumented.h> + #include <linux/uaccess.h> ++#include <linux/nospec.h> + + /* out-of-line parts */ + +@@ -12,6 +13,12 @@ unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n + unsigned long res = n; + might_fault(); + if (!should_fail_usercopy() && likely(access_ok(from, n))) { ++ /* ++ * Ensure that bad access_ok() speculation will not ++ * lead to nasty side effects *after* the copy is ++ * finished: ++ */ ++ barrier_nospec(); + instrument_copy_from_user_before(to, from, n); + res = raw_copy_from_user(to, from, n); + instrument_copy_from_user_after(to, from, n, res); +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-002-x86-alternatives-Introduce-int3_emulate_jcc.patch new/patches.kernel.org/6.2.1-002-x86-alternatives-Introduce-int3_emulate_jcc.patch --- old/patches.kernel.org/6.2.1-002-x86-alternatives-Introduce-int3_emulate_jcc.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-002-x86-alternatives-Introduce-int3_emulate_jcc.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,140 @@ +From: Peter Zijlstra <[email protected]> +Date: Mon, 23 Jan 2023 21:59:16 +0100 +Subject: [PATCH] x86/alternatives: Introduce int3_emulate_jcc() +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: db7adcfd1cec4e95155e37bc066fddab302c6340 + +commit db7adcfd1cec4e95155e37bc066fddab302c6340 upstream. + +Move the kprobe Jcc emulation into int3_emulate_jcc() so it can be +used by more code -- specifically static_call() will need this. + +Signed-off-by: Peter Zijlstra (Intel) <[email protected]> +Signed-off-by: Ingo Molnar <[email protected]> +Reviewed-by: Masami Hiramatsu (Google) <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Cc: Nathan Chancellor <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + arch/x86/include/asm/text-patching.h | 31 +++++++++++++++++++++++ + arch/x86/kernel/kprobes/core.c | 38 ++++++---------------------- + 2 files changed, 39 insertions(+), 30 deletions(-) + +diff --git a/arch/x86/include/asm/text-patching.h b/arch/x86/include/asm/text-patching.h +index f4b87f08..29832c33 100644 +--- a/arch/x86/include/asm/text-patching.h ++++ b/arch/x86/include/asm/text-patching.h +@@ -184,6 +184,37 @@ void int3_emulate_ret(struct pt_regs *regs) + unsigned long ip = int3_emulate_pop(regs); + int3_emulate_jmp(regs, ip); + } ++ ++static __always_inline ++void int3_emulate_jcc(struct pt_regs *regs, u8 cc, unsigned long ip, unsigned long disp) ++{ ++ static const unsigned long jcc_mask[6] = { ++ [0] = X86_EFLAGS_OF, ++ [1] = X86_EFLAGS_CF, ++ [2] = X86_EFLAGS_ZF, ++ [3] = X86_EFLAGS_CF | X86_EFLAGS_ZF, ++ [4] = X86_EFLAGS_SF, ++ [5] = X86_EFLAGS_PF, ++ }; ++ ++ bool invert = cc & 1; ++ bool match; ++ ++ if (cc < 0xc) { ++ match = regs->flags & jcc_mask[cc >> 1]; ++ } else { ++ match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^ ++ ((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT); ++ if (cc >= 0xe) ++ match = match || (regs->flags & X86_EFLAGS_ZF); ++ } ++ ++ if ((match && !invert) || (!match && invert)) ++ ip += disp; ++ ++ int3_emulate_jmp(regs, ip); ++} ++ + #endif /* !CONFIG_UML_X86 */ + + #endif /* _ASM_X86_TEXT_PATCHING_H */ +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 695873c0..0ce969ae 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -464,50 +464,26 @@ static void kprobe_emulate_call(struct kprobe *p, struct pt_regs *regs) + } + NOKPROBE_SYMBOL(kprobe_emulate_call); + +-static nokprobe_inline +-void __kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs, bool cond) ++static void kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs) + { + unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size; + +- if (cond) +- ip += p->ainsn.rel32; ++ ip += p->ainsn.rel32; + int3_emulate_jmp(regs, ip); + } +- +-static void kprobe_emulate_jmp(struct kprobe *p, struct pt_regs *regs) +-{ +- __kprobe_emulate_jmp(p, regs, true); +-} + NOKPROBE_SYMBOL(kprobe_emulate_jmp); + +-static const unsigned long jcc_mask[6] = { +- [0] = X86_EFLAGS_OF, +- [1] = X86_EFLAGS_CF, +- [2] = X86_EFLAGS_ZF, +- [3] = X86_EFLAGS_CF | X86_EFLAGS_ZF, +- [4] = X86_EFLAGS_SF, +- [5] = X86_EFLAGS_PF, +-}; +- + static void kprobe_emulate_jcc(struct kprobe *p, struct pt_regs *regs) + { +- bool invert = p->ainsn.jcc.type & 1; +- bool match; ++ unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size; + +- if (p->ainsn.jcc.type < 0xc) { +- match = regs->flags & jcc_mask[p->ainsn.jcc.type >> 1]; +- } else { +- match = ((regs->flags & X86_EFLAGS_SF) >> X86_EFLAGS_SF_BIT) ^ +- ((regs->flags & X86_EFLAGS_OF) >> X86_EFLAGS_OF_BIT); +- if (p->ainsn.jcc.type >= 0xe) +- match = match || (regs->flags & X86_EFLAGS_ZF); +- } +- __kprobe_emulate_jmp(p, regs, (match && !invert) || (!match && invert)); ++ int3_emulate_jcc(regs, p->ainsn.jcc.type, ip, p->ainsn.rel32); + } + NOKPROBE_SYMBOL(kprobe_emulate_jcc); + + static void kprobe_emulate_loop(struct kprobe *p, struct pt_regs *regs) + { ++ unsigned long ip = regs->ip - INT3_INSN_SIZE + p->ainsn.size; + bool match; + + if (p->ainsn.loop.type != 3) { /* LOOP* */ +@@ -535,7 +511,9 @@ static void kprobe_emulate_loop(struct kprobe *p, struct pt_regs *regs) + else if (p->ainsn.loop.type == 1) /* LOOPE */ + match = match && (regs->flags & X86_EFLAGS_ZF); + +- __kprobe_emulate_jmp(p, regs, match); ++ if (match) ++ ip += p->ainsn.rel32; ++ int3_emulate_jmp(regs, ip); + } + NOKPROBE_SYMBOL(kprobe_emulate_loop); + +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-003-x86-alternatives-Teach-text_poke_bp-to-patch-Jc.patch new/patches.kernel.org/6.2.1-003-x86-alternatives-Teach-text_poke_bp-to-patch-Jc.patch --- old/patches.kernel.org/6.2.1-003-x86-alternatives-Teach-text_poke_bp-to-patch-Jc.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-003-x86-alternatives-Teach-text_poke_bp-to-patch-Jc.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,193 @@ +From: Peter Zijlstra <[email protected]> +Date: Mon, 23 Jan 2023 21:59:17 +0100 +Subject: [PATCH] x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 + instructions +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: ac0ee0a9560c97fa5fe1409e450c2425d4ebd17a + +commit ac0ee0a9560c97fa5fe1409e450c2425d4ebd17a upstream. + +In order to re-write Jcc.d32 instructions text_poke_bp() needs to be +taught about them. + +The biggest hurdle is that the whole machinery is currently made for 5 +byte instructions and extending this would grow struct text_poke_loc +which is currently a nice 16 bytes and used in an array. + +However, since text_poke_loc contains a full copy of the (s32) +displacement, it is possible to map the Jcc.d32 2 byte opcodes to +Jcc.d8 1 byte opcode for the int3 emulation. + +This then leaves the replacement bytes; fudge that by only storing the +last 5 bytes and adding the rule that 'length == 6' instruction will +be prefixed with a 0x0f byte. + +Signed-off-by: Peter Zijlstra (Intel) <[email protected]> +Signed-off-by: Ingo Molnar <[email protected]> +Reviewed-by: Masami Hiramatsu (Google) <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Cc: Nathan Chancellor <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + arch/x86/kernel/alternative.c | 62 ++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index 7d8c3cbd..81381a01 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -340,6 +340,12 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start, + } + } + ++static inline bool is_jcc32(struct insn *insn) ++{ ++ /* Jcc.d32 second opcode byte is in the range: 0x80-0x8f */ ++ return insn->opcode.bytes[0] == 0x0f && (insn->opcode.bytes[1] & 0xf0) == 0x80; ++} ++ + #if defined(CONFIG_RETPOLINE) && defined(CONFIG_OBJTOOL) + + /* +@@ -378,12 +384,6 @@ static int emit_indirect(int op, int reg, u8 *bytes) + return i; + } + +-static inline bool is_jcc32(struct insn *insn) +-{ +- /* Jcc.d32 second opcode byte is in the range: 0x80-0x8f */ +- return insn->opcode.bytes[0] == 0x0f && (insn->opcode.bytes[1] & 0xf0) == 0x80; +-} +- + static int emit_call_track_retpoline(void *addr, struct insn *insn, int reg, u8 *bytes) + { + u8 op = insn->opcode.bytes[0]; +@@ -1772,6 +1772,11 @@ void text_poke_sync(void) + on_each_cpu(do_sync_core, NULL, 1); + } + ++/* ++ * NOTE: crazy scheme to allow patching Jcc.d32 but not increase the size of ++ * this thing. When len == 6 everything is prefixed with 0x0f and we map ++ * opcode to Jcc.d8, using len to distinguish. ++ */ + struct text_poke_loc { + /* addr := _stext + rel_addr */ + s32 rel_addr; +@@ -1893,6 +1898,10 @@ noinstr int poke_int3_handler(struct pt_regs *regs) + int3_emulate_jmp(regs, (long)ip + tp->disp); + break; + ++ case 0x70 ... 0x7f: /* Jcc */ ++ int3_emulate_jcc(regs, tp->opcode & 0xf, (long)ip, tp->disp); ++ break; ++ + default: + BUG(); + } +@@ -1966,16 +1975,26 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries + * Second step: update all but the first byte of the patched range. + */ + for (do_sync = 0, i = 0; i < nr_entries; i++) { +- u8 old[POKE_MAX_OPCODE_SIZE] = { tp[i].old, }; ++ u8 old[POKE_MAX_OPCODE_SIZE+1] = { tp[i].old, }; ++ u8 _new[POKE_MAX_OPCODE_SIZE+1]; ++ const u8 *new = tp[i].text; + int len = tp[i].len; + + if (len - INT3_INSN_SIZE > 0) { + memcpy(old + INT3_INSN_SIZE, + text_poke_addr(&tp[i]) + INT3_INSN_SIZE, + len - INT3_INSN_SIZE); ++ ++ if (len == 6) { ++ _new[0] = 0x0f; ++ memcpy(_new + 1, new, 5); ++ new = _new; ++ } ++ + text_poke(text_poke_addr(&tp[i]) + INT3_INSN_SIZE, +- (const char *)tp[i].text + INT3_INSN_SIZE, ++ new + INT3_INSN_SIZE, + len - INT3_INSN_SIZE); ++ + do_sync++; + } + +@@ -2003,8 +2022,7 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries + * The old instruction is recorded so that the event can be + * processed forwards or backwards. + */ +- perf_event_text_poke(text_poke_addr(&tp[i]), old, len, +- tp[i].text, len); ++ perf_event_text_poke(text_poke_addr(&tp[i]), old, len, new, len); + } + + if (do_sync) { +@@ -2021,10 +2039,15 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries + * replacing opcode. + */ + for (do_sync = 0, i = 0; i < nr_entries; i++) { +- if (tp[i].text[0] == INT3_INSN_OPCODE) ++ u8 byte = tp[i].text[0]; ++ ++ if (tp[i].len == 6) ++ byte = 0x0f; ++ ++ if (byte == INT3_INSN_OPCODE) + continue; + +- text_poke(text_poke_addr(&tp[i]), tp[i].text, INT3_INSN_SIZE); ++ text_poke(text_poke_addr(&tp[i]), &byte, INT3_INSN_SIZE); + do_sync++; + } + +@@ -2042,9 +2065,11 @@ static void text_poke_loc_init(struct text_poke_loc *tp, void *addr, + const void *opcode, size_t len, const void *emulate) + { + struct insn insn; +- int ret, i; ++ int ret, i = 0; + +- memcpy((void *)tp->text, opcode, len); ++ if (len == 6) ++ i = 1; ++ memcpy((void *)tp->text, opcode+i, len-i); + if (!emulate) + emulate = opcode; + +@@ -2055,6 +2080,13 @@ static void text_poke_loc_init(struct text_poke_loc *tp, void *addr, + tp->len = len; + tp->opcode = insn.opcode.bytes[0]; + ++ if (is_jcc32(&insn)) { ++ /* ++ * Map Jcc.d32 onto Jcc.d8 and use len to distinguish. ++ */ ++ tp->opcode = insn.opcode.bytes[1] - 0x10; ++ } ++ + switch (tp->opcode) { + case RET_INSN_OPCODE: + case JMP32_INSN_OPCODE: +@@ -2071,7 +2103,6 @@ static void text_poke_loc_init(struct text_poke_loc *tp, void *addr, + BUG_ON(len != insn.length); + } + +- + switch (tp->opcode) { + case INT3_INSN_OPCODE: + case RET_INSN_OPCODE: +@@ -2080,6 +2111,7 @@ static void text_poke_loc_init(struct text_poke_loc *tp, void *addr, + case CALL_INSN_OPCODE: + case JMP32_INSN_OPCODE: + case JMP8_INSN_OPCODE: ++ case 0x70 ... 0x7f: /* Jcc */ + tp->disp = insn.immediate.value; + break; + +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-004-x86-static_call-Add-support-for-Jcc-tail-calls.patch new/patches.kernel.org/6.2.1-004-x86-static_call-Add-support-for-Jcc-tail-calls.patch --- old/patches.kernel.org/6.2.1-004-x86-static_call-Add-support-for-Jcc-tail-calls.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-004-x86-static_call-Add-support-for-Jcc-tail-calls.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,137 @@ +From: Peter Zijlstra <[email protected]> +Date: Thu, 26 Jan 2023 16:34:27 +0100 +Subject: [PATCH] x86/static_call: Add support for Jcc tail-calls +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 923510c88d2b7d947c4217835fd9ca6bd65cc56c + +commit 923510c88d2b7d947c4217835fd9ca6bd65cc56c upstream. + +Clang likes to create conditional tail calls like: + + 0000000000000350 <amd_pmu_add_event>: + 350: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 351: R_X86_64_NONE __fentry__-0x4 + 355: 48 83 bf 20 01 00 00 00 cmpq $0x0,0x120(%rdi) + 35d: 0f 85 00 00 00 00 jne 363 <amd_pmu_add_event+0x13> 35f: R_X86_64_PLT32 __SCT__amd_pmu_branch_add-0x4 + 363: e9 00 00 00 00 jmp 368 <amd_pmu_add_event+0x18> 364: R_X86_64_PLT32 __x86_return_thunk-0x4 + +Where 0x35d is a static call site that's turned into a conditional +tail-call using the Jcc class of instructions. + +Teach the in-line static call text patching about this. + +Notably, since there is no conditional-ret, in that case patch the Jcc +to point at an empty stub function that does the ret -- or the return +thunk when needed. + +Reported-by: "Erhard F." <[email protected]> +Signed-off-by: Peter Zijlstra (Intel) <[email protected]> +Signed-off-by: Ingo Molnar <[email protected]> +Reviewed-by: Masami Hiramatsu (Google) <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Cc: Nathan Chancellor <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + arch/x86/kernel/static_call.c | 50 ++++++++++++++++++++++++++++++++--- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/static_call.c b/arch/x86/kernel/static_call.c +index 2ebc3389..b70670a9 100644 +--- a/arch/x86/kernel/static_call.c ++++ b/arch/x86/kernel/static_call.c +@@ -9,6 +9,7 @@ enum insn_type { + NOP = 1, /* site cond-call */ + JMP = 2, /* tramp / site tail-call */ + RET = 3, /* tramp / site cond-tail-call */ ++ JCC = 4, + }; + + /* +@@ -25,12 +26,40 @@ static const u8 xor5rax[] = { 0x2e, 0x2e, 0x2e, 0x31, 0xc0 }; + + static const u8 retinsn[] = { RET_INSN_OPCODE, 0xcc, 0xcc, 0xcc, 0xcc }; + ++static u8 __is_Jcc(u8 *insn) /* Jcc.d32 */ ++{ ++ u8 ret = 0; ++ ++ if (insn[0] == 0x0f) { ++ u8 tmp = insn[1]; ++ if ((tmp & 0xf0) == 0x80) ++ ret = tmp; ++ } ++ ++ return ret; ++} ++ ++extern void __static_call_return(void); ++ ++asm (".global __static_call_return\n\t" ++ ".type __static_call_return, @function\n\t" ++ ASM_FUNC_ALIGN "\n\t" ++ "__static_call_return:\n\t" ++ ANNOTATE_NOENDBR ++ ANNOTATE_RETPOLINE_SAFE ++ "ret; int3\n\t" ++ ".size __static_call_return, . - __static_call_return \n\t"); ++ + static void __ref __static_call_transform(void *insn, enum insn_type type, + void *func, bool modinit) + { + const void *emulate = NULL; + int size = CALL_INSN_SIZE; + const void *code; ++ u8 op, buf[6]; ++ ++ if ((type == JMP || type == RET) && (op = __is_Jcc(insn))) ++ type = JCC; + + switch (type) { + case CALL: +@@ -57,6 +86,20 @@ static void __ref __static_call_transform(void *insn, enum insn_type type, + else + code = &retinsn; + break; ++ ++ case JCC: ++ if (!func) { ++ func = __static_call_return; ++ if (cpu_feature_enabled(X86_FEATURE_RETHUNK)) ++ func = x86_return_thunk; ++ } ++ ++ buf[0] = 0x0f; ++ __text_gen_insn(buf+1, op, insn+1, func, 5); ++ code = buf; ++ size = 6; ++ ++ break; + } + + if (memcmp(insn, code, size) == 0) +@@ -68,9 +111,9 @@ static void __ref __static_call_transform(void *insn, enum insn_type type, + text_poke_bp(insn, code, size, emulate); + } + +-static void __static_call_validate(void *insn, bool tail, bool tramp) ++static void __static_call_validate(u8 *insn, bool tail, bool tramp) + { +- u8 opcode = *(u8 *)insn; ++ u8 opcode = insn[0]; + + if (tramp && memcmp(insn+5, tramp_ud, 3)) { + pr_err("trampoline signature fail"); +@@ -79,7 +122,8 @@ static void __static_call_validate(void *insn, bool tail, bool tramp) + + if (tail) { + if (opcode == JMP32_INSN_OPCODE || +- opcode == RET_INSN_OPCODE) ++ opcode == RET_INSN_OPCODE || ++ __is_Jcc(insn)) + return; + } else { + if (opcode == CALL_INSN_OPCODE || +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-005-HID-mcp-2221-prevent-UAF-in-delayed-work.patch new/patches.kernel.org/6.2.1-005-HID-mcp-2221-prevent-UAF-in-delayed-work.patch --- old/patches.kernel.org/6.2.1-005-HID-mcp-2221-prevent-UAF-in-delayed-work.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-005-HID-mcp-2221-prevent-UAF-in-delayed-work.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,44 @@ +From: Benjamin Tissoires <[email protected]> +Date: Thu, 16 Feb 2023 11:22:58 +0100 +Subject: [PATCH] HID: mcp-2221: prevent UAF in delayed work +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 47e91fdfa511139f2549687edb0d8649b123227b + +commit 47e91fdfa511139f2549687edb0d8649b123227b upstream. + +If the device is plugged/unplugged without giving time for mcp_init_work() +to complete, we might kick in the devm free code path and thus have +unavailable struct mcp_2221 while in delayed work. + +Canceling the delayed_work item is enough to solve the issue, because +cancel_delayed_work_sync will prevent the work item to requeue itself. + +Fixes: 960f9df7c620 ("HID: mcp2221: add ADC/DAC support via iio subsystem") +CC: [email protected] +Acked-by: Jiri Kosina <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Benjamin Tissoires <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hid/hid-mcp2221.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c +index e61dd039..f74a977c 100644 +--- a/drivers/hid/hid-mcp2221.c ++++ b/drivers/hid/hid-mcp2221.c +@@ -922,6 +922,9 @@ static void mcp2221_hid_unregister(void *ptr) + /* This is needed to be sure hid_hw_stop() isn't called twice by the subsystem */ + static void mcp2221_remove(struct hid_device *hdev) + { ++ struct mcp2221 *mcp = hid_get_drvdata(hdev); ++ ++ cancel_delayed_work_sync(&mcp->init_work); + } + + #if IS_REACHABLE(CONFIG_IIO) +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-006-wifi-mwifiex-Add-missing-compatible-string-for-.patch new/patches.kernel.org/6.2.1-006-wifi-mwifiex-Add-missing-compatible-string-for-.patch --- old/patches.kernel.org/6.2.1-006-wifi-mwifiex-Add-missing-compatible-string-for-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-006-wifi-mwifiex-Add-missing-compatible-string-for-.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,40 @@ +From: Lukas Wunner <[email protected]> +Date: Fri, 27 Jan 2023 15:01:00 +0100 +Subject: [PATCH] wifi: mwifiex: Add missing compatible string for SD8787 +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 36dd7a4c6226133b0b7aa92b8e604e688d958d0c + +commit 36dd7a4c6226133b0b7aa92b8e604e688d958d0c upstream. + +Commit e3fffc1f0b47 ("devicetree: document new marvell-8xxx and +pwrseq-sd8787 options") documented a compatible string for SD8787 in +the devicetree bindings, but neglected to add it to the mwifiex driver. + +Fixes: e3fffc1f0b47 ("devicetree: document new marvell-8xxx and pwrseq-sd8787 options") +Signed-off-by: Lukas Wunner <[email protected]> +Cc: [email protected] # v4.11+ +Cc: Matt Ranostay <[email protected]> +Signed-off-by: Kalle Valo <[email protected]> +Link: https://lore.kernel.org/r/320de5005ff3b8fd76be2d2b859fd021689c3681.1674827105.git.lu...@wunner.de +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/net/wireless/marvell/mwifiex/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c +index b8dc3b5c..9f506efa 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.c ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c +@@ -480,6 +480,7 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = { + }; + + static const struct of_device_id mwifiex_sdio_of_match_table[] = { ++ { .compatible = "marvell,sd8787" }, + { .compatible = "marvell,sd8897" }, + { .compatible = "marvell,sd8997" }, + { } +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-007-audit-update-the-mailing-list-in-MAINTAINERS.patch new/patches.kernel.org/6.2.1-007-audit-update-the-mailing-list-in-MAINTAINERS.patch --- old/patches.kernel.org/6.2.1-007-audit-update-the-mailing-list-in-MAINTAINERS.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-007-audit-update-the-mailing-list-in-MAINTAINERS.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,41 @@ +From: Paul Moore <[email protected]> +Date: Tue, 7 Feb 2023 10:21:47 -0500 +Subject: [PATCH] audit: update the mailing list in MAINTAINERS +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 6c6cd913accd77008f74a1a9d57b816db3651daa + +commit 6c6cd913accd77008f74a1a9d57b816db3651daa upstream. + +We've moved the upstream Linux Kernel audit subsystem discussions to +a new mailing list, this patch updates the MAINTAINERS info with the +new list address. + +Marking this for stable inclusion to help speed uptake of the new +list across all of the supported kernel releases. This is a doc only +patch so the risk should be close to nil. + +Cc: [email protected] +Signed-off-by: Paul Moore <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + MAINTAINERS | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MAINTAINERS b/MAINTAINERS +index 135d9336..f77188f3 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -3515,7 +3515,7 @@ F: drivers/net/ieee802154/atusb.h + AUDIT SUBSYSTEM + M: Paul Moore <[email protected]> + M: Eric Paris <[email protected]> +-L: [email protected] (moderated for non-subscribers) ++L: [email protected] + S: Supported + W: https://github.com/linux-audit + T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-008-platform-x86-amd-pmf-Add-depends-on-CONFIG_POWE.patch new/patches.kernel.org/6.2.1-008-platform-x86-amd-pmf-Add-depends-on-CONFIG_POWE.patch --- old/patches.kernel.org/6.2.1-008-platform-x86-amd-pmf-Add-depends-on-CONFIG_POWE.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-008-platform-x86-amd-pmf-Add-depends-on-CONFIG_POWE.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,49 @@ +From: Shyam Sundar S K <[email protected]> +Date: Mon, 13 Feb 2023 17:44:57 +0530 +Subject: [PATCH] platform/x86/amd/pmf: Add depends on CONFIG_POWER_SUPPLY +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 3004e8d2a0a98bbf4223ae146464fadbff68bf78 + +commit 3004e8d2a0a98bbf4223ae146464fadbff68bf78 upstream. + +It is reported that amd_pmf driver is missing "depends on" for +CONFIG_POWER_SUPPLY causing the following build error. + +ld: drivers/platform/x86/amd/pmf/core.o: in function `amd_pmf_remove': +core.c:(.text+0x10): undefined reference to `power_supply_unreg_notifier' +ld: drivers/platform/x86/amd/pmf/core.o: in function `amd_pmf_probe': +core.c:(.text+0x38f): undefined reference to `power_supply_reg_notifier' +make[1]: *** [scripts/Makefile.vmlinux:34: vmlinux] Error 1 +make: *** [Makefile:1248: vmlinux] Error 2 + +Add this to the Kconfig file. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217028 +Fixes: c5258d39fc4c ("platform/x86/amd/pmf: Add helper routine to update SPS thermals") +Signed-off-by: Shyam Sundar S K <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Cc: [email protected] +Reviewed-by: Hans de Goede <[email protected]> +Signed-off-by: Hans de Goede <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/platform/x86/amd/pmf/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/amd/pmf/Kconfig b/drivers/platform/x86/amd/pmf/Kconfig +index c375498c..6d89528c 100644 +--- a/drivers/platform/x86/amd/pmf/Kconfig ++++ b/drivers/platform/x86/amd/pmf/Kconfig +@@ -6,6 +6,7 @@ + config AMD_PMF + tristate "AMD Platform Management Framework" + depends on ACPI && PCI ++ depends on POWER_SUPPLY + select ACPI_PLATFORM_PROFILE + help + This driver provides support for the AMD Platform Management Framework. +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-009-platform-x86-nvidia-wmi-ec-backlight-Add-force-.patch new/patches.kernel.org/6.2.1-009-platform-x86-nvidia-wmi-ec-backlight-Add-force-.patch --- old/patches.kernel.org/6.2.1-009-platform-x86-nvidia-wmi-ec-backlight-Add-force-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-009-platform-x86-nvidia-wmi-ec-backlight-Add-force-.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,65 @@ +From: Hans de Goede <[email protected]> +Date: Fri, 17 Feb 2023 15:42:08 +0100 +Subject: [PATCH] platform/x86: nvidia-wmi-ec-backlight: Add force module + parameter +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 0d9bdd8a550170306c2021b8d6766c5343b870c2 + +commit 0d9bdd8a550170306c2021b8d6766c5343b870c2 upstream. + +On some Lenovo Legion models, the backlight might be driven by either +one of nvidia_wmi_ec_backlight or amdgpu_bl0 at different times. + +When the Nvidia WMI EC backlight interface reports the backlight is +controlled by the EC, the current backlight handling only registers +nvidia_wmi_ec_backlight (and registers no other backlight interfaces). + +This hides (never registers) the amdgpu_bl0 interface, where as prior +to 6.1.4 users would have both nvidia_wmi_ec_backlight and amdgpu_bl0 +and could work around things in userspace. + +Add a force module parameter which can be used with acpi_backlight=native +to restore the old behavior as a workound (for now) by passing: + +"acpi_backlight=native nvidia-wmi-ec-backlight.force=1" + +Fixes: 8d0ca287fd8c ("platform/x86: nvidia-wmi-ec-backlight: Use acpi_video_get_backlight_type()") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217026 +Cc: [email protected] +Signed-off-by: Hans de Goede <[email protected]> +Reviewed-by: Daniel Dadap <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/platform/x86/nvidia-wmi-ec-backlight.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/nvidia-wmi-ec-backlight.c b/drivers/platform/x86/nvidia-wmi-ec-backlight.c +index baccdf65..1b572c90 100644 +--- a/drivers/platform/x86/nvidia-wmi-ec-backlight.c ++++ b/drivers/platform/x86/nvidia-wmi-ec-backlight.c +@@ -12,6 +12,10 @@ + #include <linux/wmi.h> + #include <acpi/video.h> + ++static bool force; ++module_param(force, bool, 0444); ++MODULE_PARM_DESC(force, "Force loading (disable acpi_backlight=xxx checks"); ++ + /** + * wmi_brightness_notify() - helper function for calling WMI-wrapped ACPI method + * @w: Pointer to the struct wmi_device identified by %WMI_BRIGHTNESS_GUID +@@ -91,7 +95,7 @@ static int nvidia_wmi_ec_backlight_probe(struct wmi_device *wdev, const void *ct + int ret; + + /* drivers/acpi/video_detect.c also checks that SOURCE == EC */ +- if (acpi_video_get_backlight_type() != acpi_backlight_nvidia_wmi_ec) ++ if (!force && acpi_video_get_backlight_type() != acpi_backlight_nvidia_wmi_ec) + return -ENODEV; + + /* +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-010-ext4-Fix-function-prototype-mismatch-for-ext4_f.patch new/patches.kernel.org/6.2.1-010-ext4-Fix-function-prototype-mismatch-for-ext4_f.patch --- old/patches.kernel.org/6.2.1-010-ext4-Fix-function-prototype-mismatch-for-ext4_f.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-010-ext4-Fix-function-prototype-mismatch-for-ext4_f.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,80 @@ +From: Kees Cook <[email protected]> +Date: Wed, 4 Jan 2023 13:09:12 -0800 +Subject: [PATCH] ext4: Fix function prototype mismatch for ext4_feat_ktype +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 118901ad1f25d2334255b3d50512fa20591531cd + +commit 118901ad1f25d2334255b3d50512fa20591531cd upstream. + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. + +ext4_feat_ktype was setting the "release" handler to "kfree", which +doesn't have a matching function prototype. Add a simple wrapper +with the correct prototype. + +This was found as a result of Clang's new -Wcast-function-type-strict +flag, which is more sensitive than the simpler -Wcast-function-type, +which only checks for type width mismatches. + +Note that this code is only reached when ext4 is a loadable module and +it is being unloaded: + + CFI failure at kobject_put+0xbb/0x1b0 (target: kfree+0x0/0x180; expected type: 0x7c4aa698) + ... + RIP: 0010:kobject_put+0xbb/0x1b0 + ... + Call Trace: + <TASK> + ext4_exit_sysfs+0x14/0x60 [ext4] + cleanup_module+0x67/0xedb [ext4] + +Fixes: b99fee58a20a ("ext4: create ext4_feat kobject dynamically") +Cc: Theodore Ts'o <[email protected]> +Cc: Eric Biggers <[email protected]> +Cc: [email protected] +Build-tested-by: Gustavo A. R. Silva <[email protected]> +Reviewed-by: Gustavo A. R. Silva <[email protected]> +Reviewed-by: Nathan Chancellor <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Kees Cook <[email protected]> +Reviewed-by: Eric Biggers <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + fs/ext4/sysfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c +index d233c24e..e2b8b343 100644 +--- a/fs/ext4/sysfs.c ++++ b/fs/ext4/sysfs.c +@@ -491,6 +491,11 @@ static void ext4_sb_release(struct kobject *kobj) + complete(&sbi->s_kobj_unregister); + } + ++static void ext4_feat_release(struct kobject *kobj) ++{ ++ kfree(kobj); ++} ++ + static const struct sysfs_ops ext4_attr_ops = { + .show = ext4_attr_show, + .store = ext4_attr_store, +@@ -505,7 +510,7 @@ static struct kobj_type ext4_sb_ktype = { + static struct kobj_type ext4_feat_ktype = { + .default_groups = ext4_feat_groups, + .sysfs_ops = &ext4_attr_ops, +- .release = (void (*)(struct kobject *))kfree, ++ .release = ext4_feat_release, + }; + + void ext4_notify_error_sysfs(struct ext4_sb_info *sbi) +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-011-randstruct-disable-Clang-15-support.patch new/patches.kernel.org/6.2.1-011-randstruct-disable-Clang-15-support.patch --- old/patches.kernel.org/6.2.1-011-randstruct-disable-Clang-15-support.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-011-randstruct-disable-Clang-15-support.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,46 @@ +From: Eric Biggers <[email protected]> +Date: Tue, 7 Feb 2023 22:51:33 -0800 +Subject: [PATCH] randstruct: disable Clang 15 support +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 78f7a3fd6dc66cb788c21d7705977ed13c879351 + +commit 78f7a3fd6dc66cb788c21d7705977ed13c879351 upstream. + +The randstruct support released in Clang 15 is unsafe to use due to a +bug that can cause miscompilations: "-frandomize-layout-seed +inconsistently randomizes all-function-pointers structs" +(https://github.com/llvm/llvm-project/issues/60349). It has been fixed +on the Clang 16 release branch, so add a Clang version check. + +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Cc: [email protected] +Signed-off-by: Eric Biggers <[email protected]> +Acked-by: Nick Desaulniers <[email protected]> +Reviewed-by: Nathan Chancellor <[email protected]> +Reviewed-by: Bill Wendling <[email protected]> +Signed-off-by: Kees Cook <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + security/Kconfig.hardening | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening +index 53baa95c..0f295961 100644 +--- a/security/Kconfig.hardening ++++ b/security/Kconfig.hardening +@@ -281,6 +281,9 @@ endmenu + + config CC_HAS_RANDSTRUCT + def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) ++ # Randstruct was first added in Clang 15, but it isn't safe to use until ++ # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 ++ depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 + + choice + prompt "Randomize layout of sensitive kernel structures" +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-012-bpf-add-missing-header-file-include.patch new/patches.kernel.org/6.2.1-012-bpf-add-missing-header-file-include.patch --- old/patches.kernel.org/6.2.1-012-bpf-add-missing-header-file-include.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-012-bpf-add-missing-header-file-include.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,55 @@ +From: Linus Torvalds <[email protected]> +Date: Wed, 22 Feb 2023 09:52:32 -0800 +Subject: [PATCH] bpf: add missing header file include +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: f3dd0c53370e70c0f9b7e931bbec12916f3bb8cc + +commit f3dd0c53370e70c0f9b7e931bbec12916f3bb8cc upstream. + +Commit 74e19ef0ff80 ("uaccess: Add speculation barrier to +copy_from_user()") built fine on x86-64 and arm64, and that's the extent +of my local build testing. + +It turns out those got the <linux/nospec.h> include incidentally through +other header files (<linux/kvm_host.h> in particular), but that was not +true of other architectures, resulting in build errors + + kernel/bpf/core.c: In function â___bpf_prog_runâ: + kernel/bpf/core.c:1913:3: error: implicit declaration of function âbarrier_nospecâ + +so just make sure to explicitly include the proper <linux/nospec.h> +header file to make everybody see it. + +Fixes: 74e19ef0ff80 ("uaccess: Add speculation barrier to copy_from_user()") +Reported-by: kernel test robot <[email protected]> +Reported-by: Viresh Kumar <[email protected]> +Reported-by: Huacai Chen <[email protected]> +Tested-by: Geert Uytterhoeven <[email protected]> +Tested-by: Dave Hansen <[email protected]> +Acked-by: Alexei Starovoitov <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + kernel/bpf/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 430c66d5..f9c3b103 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -34,6 +34,7 @@ + #include <linux/log2.h> + #include <linux/bpf_verifier.h> + #include <linux/nodemask.h> ++#include <linux/nospec.h> + #include <linux/bpf_mem_alloc.h> + + #include <asm/barrier.h> +-- +2.35.3 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/6.2.1-013-Linux-6.2.1.patch new/patches.kernel.org/6.2.1-013-Linux-6.2.1.patch --- old/patches.kernel.org/6.2.1-013-Linux-6.2.1.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/6.2.1-013-Linux-6.2.1.patch 2023-02-27 12:39:26.000000000 +0100 @@ -0,0 +1,42 @@ +From: Greg Kroah-Hartman <[email protected]> +Date: Sat, 25 Feb 2023 11:13:30 +0100 +Subject: [PATCH] Linux 6.2.1 +References: bsc#1012628 +Patch-mainline: 6.2.1 +Git-commit: 8c20eb7e6a27b2c493b0bbb435e75cae7135634f + +Link: https://lore.kernel.org/r/[email protected] +Link: https://lore.kernel.org/r/[email protected] +Tested-by: Luna Jernberg <[email protected]> +Tested-by: Justin M. Forbes <[email protected]> +Tested-by: Conor Dooley <[email protected]> +Tested-by: Florian Fainelli <[email protected]> +Tested-by: Shuah Khan <[email protected]> +Tested-by: Bagas Sanjaya <[email protected]> +Tested-by: Guenter Roeck <[email protected]> +Tested-by: Linux Kernel Functional Testing <[email protected]> +Tested-by: Ron Economos <[email protected]> +Tested-by: Slade Watkins <[email protected]> +Tested-by: Allen Pais <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 3f662878..f26824f3 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 6 + PATCHLEVEL = 2 +-SUBLEVEL = 0 ++SUBLEVEL = 1 + EXTRAVERSION = + NAME = Hurr durr I'ma ninja sloth + +-- +2.35.3 + ++++++ patches.suse.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch new/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch --- old/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch 2023-02-23 04:31:08.000000000 +0100 @@ -0,0 +1,91 @@ +From 478a0cff698409224330ea9e25eb332220b55dbb Mon Sep 17 00:00:00 2001 +From: Jeremy Cline <[email protected]> +Date: Mon, 30 Sep 2019 21:22:47 +0000 +Subject: [PATCH 1/3] security: lockdown: expose a hook to lock the kernel down +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +In order to automatically lock down kernels running on UEFI machines +booted in Secure Boot mode, expose the lock_kernel_down() hook. + +Signed-off-by: Jeremy Cline <[email protected]> +Acked-by: Lee, Chun-Yi <[email protected]> +--- + include/linux/lsm_hook_defs.h | 1 + + include/linux/lsm_hooks.h | 6 ++++++ + include/linux/security.h | 5 +++++ + security/lockdown/lockdown.c | 1 + + security/security.c | 6 ++++++ + 5 files changed, 19 insertions(+) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -403,6 +403,7 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_fr + #endif /* CONFIG_BPF_SYSCALL */ + + LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) ++LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level) + + #ifdef CONFIG_PERF_EVENTS + LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1618,6 +1618,12 @@ + * @what: kernel feature being accessed. + * Return 0 if permission is granted. + * ++ * @lock_kernel_down ++ * Put the kernel into lock-down mode. ++ * ++ * @where: Where the lock-down is originating from (e.g. command line option) ++ * @level: The lock-down level (can only increase) ++ * + * Security hooks for perf events + * + * @perf_event_open: +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -487,6 +487,7 @@ int security_inode_notifysecctx(struct i + int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + int security_locked_down(enum lockdown_reason what); ++int security_lock_kernel_down(const char *where, enum lockdown_reason level); + #else /* CONFIG_SECURITY */ + + static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) +@@ -1402,6 +1403,10 @@ static inline int security_locked_down(e + { + return 0; + } ++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return 0; ++} + #endif /* CONFIG_SECURITY */ + + #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) +--- a/security/lockdown/lockdown.c ++++ b/security/lockdown/lockdown.c +@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum + + static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), ++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down), + }; + + static int __init lockdown_lsm_init(void) +--- a/security/security.c ++++ b/security/security.c +@@ -2705,6 +2705,12 @@ int security_locked_down(enum lockdown_r + } + EXPORT_SYMBOL(security_locked_down); + ++int security_lock_kernel_down(const char *where, enum lockdown_reason level) ++{ ++ return call_int_hook(lock_kernel_down, 0, where, level); ++} ++EXPORT_SYMBOL(security_lock_kernel_down); ++ + #ifdef CONFIG_PERF_EVENTS + int security_perf_event_open(struct perf_event_attr *attr, int type) + { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch new/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch --- old/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch 2023-02-23 04:31:08.000000000 +0100 @@ -0,0 +1,154 @@ +From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001 +From: David Howells <[email protected]> +Date: Tue, 27 Feb 2018 10:04:55 +0000 +Subject: [PATCH 2/3] efi: Add an EFI_SECURE_BOOT flag to indicate secure + boot mode +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT +flag that can be passed to efi_enabled() to find out whether secure boot is +enabled. + +Move the switch-statement in x86's setup_arch() that inteprets the +secure_boot boot parameter to generic code and set the bit there. + +Suggested-by: Ard Biesheuvel <[email protected]> +Signed-off-by: David Howells <[email protected]> +Reviewed-by: Ard Biesheuvel <[email protected]> +cc: [email protected] +[Rebased for context; efi_is_table_address was moved to arch/x86] +Signed-off-by: Jeremy Cline <[email protected]> +Acked-by: Lee, Chun-Yi <[email protected]> +Signed-off-by: Chester Lin <[email protected]> +--- + arch/x86/kernel/setup.c | 14 +------------- + drivers/firmware/efi/Makefile | 1 + + drivers/firmware/efi/secureboot.c | 38 ++++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 19 ++++++++++++------- + 4 files changed, 52 insertions(+), 20 deletions(-) + create mode 100644 drivers/firmware/efi/secureboot.c + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1114,19 +1114,7 @@ void __init setup_arch(char **cmdline_p) + /* Allocate bigger log buffer */ + setup_log_buf(1); + +- if (efi_enabled(EFI_BOOT)) { +- switch (boot_params.secure_boot) { +- case efi_secureboot_mode_disabled: +- pr_info("Secure boot disabled\n"); +- break; +- case efi_secureboot_mode_enabled: +- pr_info("Secure boot enabled\n"); +- break; +- default: +- pr_info("Secure boot could not be determined\n"); +- break; +- } +- } ++ efi_set_secure_boot(boot_params.secure_boot); + + reserve_initrd(); + +--- a/drivers/firmware/efi/Makefile ++++ b/drivers/firmware/efi/Makefile +@@ -27,6 +27,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m + obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o + obj-$(CONFIG_EFI_TEST) += test/ + obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o ++obj-$(CONFIG_EFI) += secureboot.o + obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o + obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o + obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o +--- /dev/null ++++ b/drivers/firmware/efi/secureboot.c +@@ -0,0 +1,38 @@ ++/* Core kernel secure boot support. ++ * ++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells ([email protected]) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ ++#include <linux/efi.h> ++#include <linux/kernel.h> ++#include <linux/printk.h> ++ ++/* ++ * Decide what to do when UEFI secure boot mode is enabled. ++ */ ++void __init efi_set_secure_boot(enum efi_secureboot_mode mode) ++{ ++ if (efi_enabled(EFI_BOOT)) { ++ switch (mode) { ++ case efi_secureboot_mode_disabled: ++ pr_info("Secure boot disabled\n"); ++ break; ++ case efi_secureboot_mode_enabled: ++ set_bit(EFI_SECURE_BOOT, &efi.flags); ++ pr_info("Secure boot enabled\n"); ++ break; ++ default: ++ pr_warn("Secure boot could not be determined (mode %u)\n", ++ mode); ++ break; ++ } ++ } ++} +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -847,6 +847,14 @@ extern int __init efi_setup_pcdp_console + #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */ + #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */ + #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */ ++#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */ ++ ++enum efi_secureboot_mode { ++ efi_secureboot_mode_unset, ++ efi_secureboot_mode_unknown, ++ efi_secureboot_mode_disabled, ++ efi_secureboot_mode_enabled, ++}; + + #ifdef CONFIG_EFI + /* +@@ -871,6 +879,8 @@ static inline bool efi_rt_services_suppo + return (efi.runtime_supported_mask & mask) == mask; + } + extern void efi_find_mirror(void); ++ ++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); + #else + static inline bool efi_enabled(int feature) + { +@@ -890,6 +900,8 @@ static inline bool efi_rt_services_suppo + } + + static inline void efi_find_mirror(void) {} ++ ++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} + #endif + + extern int efi_status_to_err(efi_status_t status); +@@ -1105,13 +1117,6 @@ static inline bool efi_runtime_disabled( + extern void efi_call_virt_check_flags(unsigned long flags, const char *call); + extern unsigned long efi_call_virt_save_flags(void); + +-enum efi_secureboot_mode { +- efi_secureboot_mode_unset, +- efi_secureboot_mode_unknown, +- efi_secureboot_mode_disabled, +- efi_secureboot_mode_enabled, +-}; +- + static inline + enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var) + { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch new/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch --- old/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch 2023-02-23 04:31:08.000000000 +0100 @@ -0,0 +1,67 @@ +From 15368f76d4997912318d35c52bfeb9041d85098e Mon Sep 17 00:00:00 2001 +From: David Howells <[email protected]> +Date: Mon, 30 Sep 2019 21:28:16 +0000 +Subject: [PATCH 3/3] efi: Lock down the kernel if booted in secure boot mode +Patch-mainline: Never, Fedora Core 32 +References: jsc#SLE-9870 + +UEFI Secure Boot provides a mechanism for ensuring that the firmware +will only load signed bootloaders and kernels. Certain use cases may +also require that all kernel modules also be signed. Add a +configuration option that to lock down the kernel - which includes +requiring validly signed modules - if the kernel is secure-booted. + +Signed-off-by: David Howells <[email protected]> +Signed-off-by: Jeremy Cline <[email protected]> +Acked-by: Lee, Chun-Yi <[email protected]> +--- + arch/x86/kernel/setup.c | 8 ++++++++ + security/lockdown/Kconfig | 13 +++++++++++++ + 2 files changed, 21 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -25,6 +25,7 @@ + #include <linux/static_call.h> + #include <linux/swiotlb.h> + #include <linux/random.h> ++#include <linux/security.h> + + #include <uapi/linux/mount.h> + +@@ -1036,6 +1037,13 @@ void __init setup_arch(char **cmdline_p) + if (efi_enabled(EFI_BOOT)) + efi_init(); + ++ efi_set_secure_boot(boot_params.secure_boot); ++ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++#endif ++ + dmi_setup(); + + /* +--- a/security/lockdown/Kconfig ++++ b/security/lockdown/Kconfig +@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY + subsystem is fully initialised. If enabled, lockdown will + unconditionally be called before any other LSMs. + ++config LOCK_DOWN_IN_EFI_SECURE_BOOT ++ bool "Lock down the kernel in EFI Secure Boot mode" ++ default n ++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY ++ help ++ UEFI Secure Boot provides a mechanism for ensuring that the firmware ++ will only load signed bootloaders and kernels. Secure boot mode may ++ be determined from EFI variables provided by the system firmware if ++ not indicated by the boot parameters. ++ ++ Enabling this option results in kernel lockdown being triggered if ++ EFI Secure Boot is set. ++ + choice + prompt "Kernel default lockdown mode" + default LOCK_DOWN_KERNEL_FORCE_NONE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch new/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch --- old/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch 2023-02-23 04:31:08.000000000 +0100 @@ -0,0 +1,32 @@ +From a44d0b29e985f769540491f7f39b8ffe9ddc3768 Mon Sep 17 00:00:00 2001 +From: "Lee, Chun-Yi" <[email protected]> +Date: Tue, 26 Nov 2019 14:40:07 +0800 +Subject: [PATCH] efi: Lock down the kernel at the integrity level if booted in + secure boot mode +Patch-mainline: Never, SUSE specific tweak +References: jsc#SLE-9870 + +The perf and bpf are restricted in confidentiality level, but those +functions are available on SLE. So we use integrity level here. + +Signed-off-by: Lee, Chun-Yi <[email protected]> +--- + arch/x86/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 303abf8..a94e2b0 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1032,7 +1032,7 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + if (efi_enabled(EFI_SECURE_BOOT)) +- security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX); ++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX); + #endif + + dmi_setup(); +-- +2.16.4 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch new/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch --- old/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch 2023-02-23 04:31:08.000000000 +0100 @@ -0,0 +1,47 @@ +From: Chester Lin <[email protected]> +Date: Fri, 20 Nov 2020 14:08:38 +0800 +Subject: arm64: lock down kernel in secure boot mode +References: jsc#SLE-15020 +Patch-mainline: never, only for SLE + +This kernel lockdown feature on ARM64 depends on IMA and EFI to query +secure boot mode. Because aarch64 initiates the EFI subsystem late so +the lockdown check must be put off until the EFI subsystem has been +initialized. + +Signed-off-by: Chester Lin <[email protected]> +--- + drivers/firmware/efi/secureboot.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/firmware/efi/secureboot.c ++++ b/drivers/firmware/efi/secureboot.c +@@ -14,6 +14,8 @@ + #include <linux/efi.h> + #include <linux/kernel.h> + #include <linux/printk.h> ++#include <linux/init.h> ++#include <linux/ima.h> + + /* + * Decide what to do when UEFI secure boot mode is enabled. +@@ -36,3 +38,19 @@ void __init efi_set_secure_boot(enum efi + } + } + } ++ ++#if defined(CONFIG_ARM64) && defined(CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT) ++/* ++ * The arm64_kernel_lockdown() must run after efisubsys_init() because the ++ * the secure boot mode query relies on efi_rts_wq to call EFI_GET_VARIABLE. ++ */ ++static int __init arm64_kernel_lockdown(void) ++{ ++ if (arch_ima_get_secureboot()) ++ security_lock_kernel_down("EFI Secure Boot mode", ++ LOCKDOWN_INTEGRITY_MAX); ++ return 0; ++} ++ ++subsys_initcall(arm64_kernel_lockdown); ++#endif ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:48.330703224 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:48.334703242 +0100 @@ -27,6 +27,19 @@ # DO NOT MODIFY THEM! # Send separate patches upstream if you find a problem... ######################################################## + patches.kernel.org/6.2.1-001-uaccess-Add-speculation-barrier-to-copy_from_us.patch + patches.kernel.org/6.2.1-002-x86-alternatives-Introduce-int3_emulate_jcc.patch + patches.kernel.org/6.2.1-003-x86-alternatives-Teach-text_poke_bp-to-patch-Jc.patch + patches.kernel.org/6.2.1-004-x86-static_call-Add-support-for-Jcc-tail-calls.patch + patches.kernel.org/6.2.1-005-HID-mcp-2221-prevent-UAF-in-delayed-work.patch + patches.kernel.org/6.2.1-006-wifi-mwifiex-Add-missing-compatible-string-for-.patch + patches.kernel.org/6.2.1-007-audit-update-the-mailing-list-in-MAINTAINERS.patch + patches.kernel.org/6.2.1-008-platform-x86-amd-pmf-Add-depends-on-CONFIG_POWE.patch + patches.kernel.org/6.2.1-009-platform-x86-nvidia-wmi-ec-backlight-Add-force-.patch + patches.kernel.org/6.2.1-010-ext4-Fix-function-prototype-mismatch-for-ext4_f.patch + patches.kernel.org/6.2.1-011-randstruct-disable-Clang-15-support.patch + patches.kernel.org/6.2.1-012-bpf-add-missing-header-file-include.patch + patches.kernel.org/6.2.1-013-Linux-6.2.1.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -147,6 +160,14 @@ # Security ######################################################## + # Bug 1198101 - VUL-0: shim: openSUSE tumbleweed not fully locked down? Add opensuse-cert-prompt back to openSUSE shim + # Lock down functions for secure boot + patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch + patches.suse/0002-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-boot-mode.patch + patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch + patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch + patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch + # crypto ######################################################## ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:48.362703369 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:48.366703387 +0100 @@ -1,4 +1,4 @@ -2023-02-20 06:22:59 +0000 -GIT Revision: 89e27851f72a9025c71bfb1a4edc9748cfbed036 +2023-02-27 11:39:51 +0000 +GIT Revision: 69e0e95118afe307ac9da57c2cc7f80673a41423 GIT Branch: stable ++++++ supported.conf ++++++ --- /var/tmp/diff_new_pack.mzc6Cj/_old 2023-03-02 23:01:48.434703695 +0100 +++ /var/tmp/diff_new_pack.mzc6Cj/_new 2023-03-02 23:01:48.442703731 +0100 @@ -3443,8 +3443,8 @@ - drivers/video/fbdev/metronomefb - drivers/video/fbdev/ocfb - drivers/video/fbdev/smscufx - drivers/video/fbdev/uvesafb - drivers/video/fbdev/vfb +- drivers/video/fbdev/uvesafb +- drivers/video/fbdev/vfb +base drivers/video/fbdev/xen-fbfront - drivers/video/fbdev/xilinxfb drivers/video/macmodes # Standard MacOS video modes
