From 9e9f9c35036561b1e973a80656a16dc1fe5ca838 Mon Sep 17 00:00:00 2001
From: jc_gargma
Date: Thu, 13 May 2021 15:45:50 -0700
Subject: Updated to 5.12.3 Renamed sysctl patch since it is effectively permanent
---
 ...ctl-and-CONFIG-to-disallow-unprivileged-C.patch | 153 ---------------------
 PKGBUILD | 13 +-
 ...ctl-and-CONFIG-to-disallow-unprivileged-C.patch | 153 +++++++++++++++++++++
 ...low-and-wide-link-training-for-everything.patch | 116 ++++++++++++++++
 4 files changed, 277 insertions(+), 158 deletions(-)
 delete mode 100644 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
 create mode 100644 ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
 create mode 100644 drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch

diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
deleted file mode 100644
index 48371cd..0000000
--- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 048c6dda33c592ef025b372311eede5e05ef9cb7 Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)"
-Date: Mon, 16 Sep 2019 04:53:20 +0200
-Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER
-
-Our default behavior continues to match the vanilla kernel.
----
- include/linux/user_namespace.h | 4 ++++
- init/Kconfig | 16 ++++++++++++++++
- kernel/fork.c | 14 ++++++++++++++
- kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 7 +++++++
- 5 files changed, 53 insertions(+)
-
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 6ef1c7109fc4..2140091b0b8d 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
- 
- #ifdef CONFIG_USER_NS
- 
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- if (ns)
-@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
- 
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index 0872a5a2e759..a40d8afeb1bb 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1173,6 +1173,22 @@ config USER_NS
- 
- If unsure, say N.
- 
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 6d266388d380..635146a691c1 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -97,6 +97,10 @@
- #include
- #include
- 
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
-+
- #include
- #include
- #include
-@@ -1862,6 +1866,10 @@ static __latent_entropy struct task_struct *copy_process(
- if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- return ERR_PTR(-EINVAL);
- 
-+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+ if (!capable(CAP_SYS_ADMIN))
-+ return ERR_PTR(-EPERM);
-+
- /*
- * Thread groups must share signals as well, and detached threads
- * can only be started up within the thread group.
-@@ -2927,6 +2935,12 @@ int ksys_unshare(unsigned long unshare_flags)
- if (unshare_flags & CLONE_NEWNS)
- unshare_flags |= CLONE_FS;
- 
-+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+ err = -EPERM;
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto bad_unshare_out;
-+ }
-+
- err = check_unshare_flags(unshare_flags);
- if (err)
- goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index afad085960b8..a94828fb31c2 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -103,6 +103,9 @@
- #ifdef CONFIG_LOCKUP_DETECTOR
- #include
- #endif
-+#ifdef CONFIG_USER_NS
-+#include
-+#endif
- 
- #if defined(CONFIG_SYSCTL)
- 
-@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
- .proc_handler = proc_dointvec,
- },
- #endif
-+#ifdef CONFIG_USER_NS
-+ {
-+ .procname = "unprivileged_userns_clone",
-+ .data = &unprivileged_userns_clone,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec,
-+ },
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- {
- .procname = "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index e703d5d9cbe8..5758274feaee 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -21,6 +21,13 @@
- #include
- #include
- 
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
- 
--
-cgit v1.2.3-1-gf6bb5
-
diff --git a/PKGBUILD b/PKGBUILD
index f2911be..d3c2f48 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -23,7 +23,7 @@ _custom=1
 pkgbase=linux-ck
 _supver=5
 _majver=12
-_minver=2
+_minver=3
 _gccpatchver='20210412'
 _gccpatchger='10'
 _gccpatchker='5.8'
@@ -33,7 +33,7 @@ _ckpatchversion=ck1
 else
 pkgver=${_supver}.${_majver}.${_minver}
 fi
-pkgrel=1
+pkgrel=2.2
 pkgdesc='Linux-ck'
 url='https://kernel.org'
 #url='http://ck.kolivas.org/patches/'
@@ -50,7 +50,8 @@ source=(
 https://www.kernel.org/pub/linux/kernel/v${_supver}.x/${_srcname}.tar.{xz,sign}
 config # the main kernel config file
 linux-ck-patch-${_supver}.${_majver}-${_ckpatchversion}.xz::http://ck.kolivas.org/patches/${_supver}.0/${_supver}.${_majver}/${_supver}.${_majver}-${_ckpatchversion}/patch-${_supver}.${_majver}-${_ckpatchversion}.xz
- 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+ ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+ drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch
 kernel_gcc_patch-${_gccpatchver}.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/${_gccpatchver}.tar.gz
 ath9k-regdom-hack.patch
 raid6-default-algo.patch
@@ -60,11 +61,12 @@ validpgpkeys=(
 '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
 )
 # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-b2sums=('43d449d3099471c5d3baf6cae8f432fd5f9d39e24b4efc908b04cbfad1ed5c63e5197394c78100e47bd786c92b530dd475fd6098152144a36a8dd0c50a0b3f33'
+b2sums=('5bea5556a81fabc4b6c5d2b58d7d30ff7f38a42ad6bd7f4ab9f4d2a07e3f9b88639e68cf8142788912aaca282585fce8eece557bc4393480327b64ac078aebd1'
 'SKIP'
 '1dcdae744c69a4118bb0434a31dfa98c6a77be6e422a52822c936c93bf32cf593724f517e4bd183fd194c3456795e001ce336dea463148bb875656d60e39142e'
 'c9f729ba1efe6f04e7b2c57d3999bc9675b577596dccb2f227e5b6e444285e1fdd270bf67c0fcf9f5808a4c3a4b1c7a5c13a76f754ad9b9447243ccbaf2ce6a3'
 '2f9195675270d79d735a3aaec25887c2f80b76eae98be8fcc5fd59ab71d925c5ee20ec5e2a015deb68b61bc2cc7f56f546a22cb96ee038e2e24c2c9dd5c3f79f'
+ 'af00ac636a9107252e3be195d61862287e3fbe75c495b2ee625d2063f8a4f06fa53cec891038ec1b3be0b95e6b104801dde1038f5bd4cc6cddc247a219b5a38c'
 '72194a32a06c43809d1272bd675890b6d27c6c54353150a366e8e2c50ad6eca6ee23c5d6281822965a228cfedfa07a60fe135d1b4f539e4a62728d4460cc0b0e'
 'b6ef77035611139fa9a6d5b8d30570e2781bb4da483bb569884b0bd0129b62e0b82a5a6776fefe43fee801c70d39de1ea4d4c177f7cedd5ac135e3c64f7b895a'
 'fde132f3705d908e6f2147c78a2193289916d72304ca5efa2229d79fc3e57a857314ce94e71425caef2f7f7b6cf87f05ef86335dc8bd4be78e7035afe608005a')
@@ -85,7 +87,8 @@ prepare() {
 # Hotfixes
 echo "Applying hotfixes"
- patch -p1 -i ../0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+ patch -p1 -i ../ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+ patch -p1 -i ../drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch
 # ck patch
diff --git a/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
new file mode 100644
index 0000000..48371cd
--- /dev/null
+++ b/ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
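Review bot: The i915 patch added to prepare() is applied unconditionally, yet its own header further down in this commit carries a stable tag (`Cc: # v5.12+`, the address having been stripped) and a `(cherry picked from commit …)` line, so it is presumably queued for a 5.12.x point release; once the stable tarball already contains it, `patch -p1 -i ../drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch` will likely be detected as reversed and the build will stop at the next _minver bump. A comment on that line, `# upstream cherry-pick queued for stable; drop once the 5.12.x tarball already carries it`, records the intent for whoever does the next bump. Separately, the renamed ZEN patch keeps `default y` for CONFIG_USER_NS_UNPRIVILEGED, so the package only restricts unprivileged CLONE_NEWUSER if the `config` file (untouched by this commit) sets it to n or kernel.unprivileged_userns_clone is set to 0 at runtime; since the commit message calls the patch permanent, it is worth confirming the config actually disables it. The prepare() function continues outside the hunk.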
@@ -0,0 +1,153 @@
+From 048c6dda33c592ef025b372311eede5e05ef9cb7 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)"
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER
+
+Our default behavior continues to match the vanilla kernel.
+---
+ include/linux/user_namespace.h | 4 ++++
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/fork.c | 14 ++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 7 +++++++
+ 5 files changed, 53 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+ 
+ #ifdef CONFIG_USER_NS
+ 
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+ 
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..a40d8afeb1bb 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1173,6 +1173,22 @@ config USER_NS
+ 
+ If unsure, say N.
+ 
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 6d266388d380..635146a691c1 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -97,6 +97,10 @@
+ #include
+ #include
+ 
++#ifdef CONFIG_USER_NS
++#include
++#endif
++
+ #include
+ #include
+ #include
+@@ -1862,6 +1866,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+ 
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2927,6 +2935,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+ 
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..a94828fb31c2 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include
+ #endif
++#ifdef CONFIG_USER_NS
++#include
++#endif
+ 
+ #if defined(CONFIG_SYSCTL)
+ 
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,13 @@
+ #include
+ #include
+ 
++/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
++int unprivileged_userns_clone;
++#endif
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+ 
+--
+cgit v1.2.3-1-gf6bb5
+
diff --git a/drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch b/drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch
new file mode 100644
index 0000000..61a6117
--- /dev/null
+++ b/drm-i915-dp-Use-slow-and-wide-link-training-for-everything.patch
@@ -0,0 +1,116 @@
+From d290a24cb45e73e4f8d2700d5f47c2132d066fe2 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Wed, 21 Apr 2021 13:20:31 +0800
+Subject: drm/i915/dp: Use slow and wide link training for everything
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Screen flickers on Innolux eDP 1.3 panel when clock rate 540000 is in use.
+
+According to the panel vendor, though clock rate 540000 is advertised,
+but the max clock rate it really supports is 270000.
+
+Ville Syrjälä mentioned that fast and narrow also breaks some eDP 1.4
+panel, so use slow and wide training for all panels to resolve the
+issue.
+
+User also confirmed that the new strategy doesn't introduce any
+regression on XPS 9380.
+
+v2:
+ - Use slow and wide for everything.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3384
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/272
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20210421052054.1434718-1-kai.heng.feng@canonical.com
+(cherry picked from commit acca7762eb71bc05a8f28d29320d193150051f79)
+Fixes: 2bbd6dba84d4 ("drm/i915: Try to use fast+narrow link on eDP again and fall back to the old max strategy on failure")
+Cc: # v5.12+
+Signed-off-by: Jani Nikula
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 59 +++------------------------------
+ 1 file changed, 5 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
+index 775d89b6c3fc..5a5103632564 100644
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -1174,44 +1174,6 @@ intel_dp_compute_link_config_wide(struct intel_dp *intel_dp,
+ return -EINVAL;
+ }
+ 
+-/* Optimize link config in order: max bpp, min lanes, min clock */
+-static int
+-intel_dp_compute_link_config_fast(struct intel_dp *intel_dp,
+- struct intel_crtc_state *pipe_config,
+- const struct link_config_limits *limits)
+-{
+- const struct drm_display_mode *adjusted_mode = &pipe_config->hw.adjusted_mode;
+- int bpp, clock, lane_count;
+- int mode_rate, link_clock, link_avail;
+-
+- for (bpp = limits->max_bpp; bpp >= limits->min_bpp; bpp -= 2 * 3) {
+- int output_bpp = intel_dp_output_bpp(pipe_config->output_format, bpp);
+-
+- mode_rate = intel_dp_link_required(adjusted_mode->crtc_clock,
+- output_bpp);
+-
+- for (lane_count = limits->min_lane_count;
+- lane_count <= limits->max_lane_count;
+- lane_count <<= 1) {
+- for (clock = limits->min_clock; clock <= limits->max_clock; clock++) {
+- link_clock = intel_dp->common_rates[clock];
+- link_avail = intel_dp_max_data_rate(link_clock,
+- lane_count);
+-
+- if (mode_rate <= link_avail) {
+- pipe_config->lane_count = lane_count;
+- pipe_config->pipe_bpp = bpp;
+- pipe_config->port_clock = link_clock;
+-
+- return 0;
+- }
+- }
+- }
+- }
+-
+- return -EINVAL;
+-}
+-
+ static int intel_dp_dsc_compute_bpp(struct intel_dp *intel_dp, u8 dsc_max_bpc)
+ {
+ int i, num_bpc;
+@@ -1461,22 +1423,11 @@ intel_dp_compute_link_config(struct intel_encoder *encoder,
+ intel_dp_can_bigjoiner(intel_dp))
+ pipe_config->bigjoiner = true;
+ 
+- if (intel_dp_is_edp(intel_dp))
+- /*
+- * Optimize for fast and narrow. eDP 1.3 section 3.3 and eDP 1.4
+- * section A.1: "It is recommended that the minimum number of
+- * lanes be used, using the minimum link rate allowed for that
+- * lane configuration."
+- *
+- * Note that we fall back to the max clock and lane count for eDP
+- * panels that fail with the fast optimal settings (see
+- * intel_dp->use_max_params), in which case the fast vs. wide
+- * choice doesn't matter.
+- */
+- ret = intel_dp_compute_link_config_fast(intel_dp, pipe_config, &limits);
+- else
+- /* Optimize for slow and wide. */
+- ret = intel_dp_compute_link_config_wide(intel_dp, pipe_config, &limits);
++ /*
++ * Optimize for slow and wide for everything, because there are some
++ * eDP 1.3 and 1.4 panels don't work well with fast and narrow.
++ */
++ ret = intel_dp_compute_link_config_wide(intel_dp, pipe_config, &limits);
+ 
+ /* enable compression if the mode doesn't fit available BW */
+ drm_dbg_kms(&i915->drm, "Force DSC en = %d\n", intel_dp->force_dsc_en);
+--
+cgit v1.2.3-1-gf6bb5
+
--
cgit v1.2.1