diff options
3 files changed, 163 insertions, 12 deletions
diff --git a/kernels/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/kernels/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch new file mode 100644 index 000000000..c40f1002e --- /dev/null +++ b/kernels/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -0,0 +1,102 @@ +From 5dde1cf2f63a2e20ff411eac47fb5a53230642fe Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@canonical.com> +Date: Fri, 31 May 2013 19:12:12 +0100 +Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by + default + +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> +[bwh: Remove unneeded binary sysctl bits] +Signed-off-by: Daniel Micay <danielmicay@gmail.com> +--- + kernel/fork.c | 15 +++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 3 +++ + 3 files changed, 30 insertions(+) + +diff --git a/kernel/fork.c b/kernel/fork.c +index 1b27babc4c78..a88dd3ccd31c 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -103,6 +103,11 @@ + + #define CREATE_TRACE_POINTS + #include <trace/events/task.h> ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -1624,6 +1629,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2420,6 +2429,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 2d9837c0aff4..eb5236c069fc 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -105,6 +105,9 @@ extern int core_uses_pid; + extern char core_pattern[]; + extern unsigned int core_pipe_limit; + #endif ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif + extern int pid_max; + extern int pid_max_min, pid_max_max; + extern int percpu_pagelist_fraction; +@@ -519,6 +522,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index c3d7583fcd21..6ee37e516869 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -26,6 +26,9 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++int unprivileged_userns_clone; ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +2.18.0 + diff --git a/kernels/linux-libre-pae/0002-drm-i915-Increase-LSPCON-timeout.patch b/kernels/linux-libre-pae/0002-drm-i915-Increase-LSPCON-timeout.patch new file mode 100644 index 000000000..06c514258 --- /dev/null +++ b/kernels/linux-libre-pae/0002-drm-i915-Increase-LSPCON-timeout.patch @@ -0,0 +1,50 @@ +From 670aed8119f293b41b82195cf96fa78c86cc3d49 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fredrik=20Sch=C3=B6n?= <fredrikschon@gmail.com> +Date: Fri, 17 Aug 2018 22:07:28 +0200 +Subject: [PATCH 2/2] drm/i915: Increase LSPCON timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +100 ms is not enough time for the LSPCON adapter on Intel NUC devices to +settle. This causes dropped display modes at boot or screen reconfiguration. +Empirical testing can reproduce the error up to a timeout of 190 ms. Basic +boot and stress testing at 200 ms has not (yet) failed. + +Increase timeout to 400 ms to get some margin of error. + +Changes from v1: +The initial suggestion of 1000 ms was lowered due to concerns about delaying +valid timeout cases. +Update patch metadata. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107503 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1570392 +Fixes: 357c0ae9198a ("drm/i915/lspcon: Wait for expected LSPCON mode to settle") +Cc: Shashank Sharma <shashank.sharma@intel.com> +Cc: Imre Deak <imre.deak@intel.com> +Cc: Jani Nikula <jani.nikula@intel.com> +Cc: <stable@vger.kernel.org> # v4.11+ +Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com> +Signed-off-by: Fredrik Schön <fredrik.schon@gmail.com> +Reviewed-by: Shashank Sharma <shashank.sharma@intel.com> +--- + drivers/gpu/drm/i915/intel_lspcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_lspcon.c b/drivers/gpu/drm/i915/intel_lspcon.c +index 8ae8f42f430a..6b6758419fb3 100644 +--- a/drivers/gpu/drm/i915/intel_lspcon.c ++++ b/drivers/gpu/drm/i915/intel_lspcon.c +@@ -74,7 +74,7 @@ static enum drm_lspcon_mode lspcon_wait_mode(struct intel_lspcon *lspcon, + DRM_DEBUG_KMS("Waiting for LSPCON mode %s to settle\n", + lspcon_mode_name(mode)); + +- wait_for((current_mode = lspcon_get_current_mode(lspcon)) == mode, 100); ++ wait_for((current_mode = lspcon_get_current_mode(lspcon)) == mode, 400); + if (current_mode != mode) + DRM_ERROR("LSPCON mode hasn't settled\n"); + +-- +2.18.0 + diff --git a/kernels/linux-libre-pae/PKGBUILD b/kernels/linux-libre-pae/PKGBUILD index 8baa536ed..3a844b131 100644 --- a/kernels/linux-libre-pae/PKGBUILD +++ b/kernels/linux-libre-pae/PKGBUILD @@ -11,8 +11,7 @@ pkgbase=linux-libre-pae _srcbasever=4.18-gnu -_srcver=4.18.4-gnu -_archrel=arch1 +_srcver=4.18.5-gnu _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname _replacesoldkernels=() # '%' gets replaced with _kernelname @@ -30,7 +29,6 @@ options=('!strip') source=( "https://linux-libre.fsfla.org/pub/linux-libre/releases/$_srcbasever/linux-libre-$_srcbasever.tar.xz"{,.sign} "https://linux-libre.fsfla.org/pub/linux-libre/releases/$_srcver/patch-$_srcbasever-$_srcver.xz"{,.sign} - "https://repo.parabola.nu/other/arch/patches/${_srcver%-*}/patch-${_srcver%-*}-${_archrel}.patch"{,.sig} "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_clut224.ppm"{,.sig} "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_mono.pbm"{,.sig} "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_vga16.ppm"{,.sig} @@ -43,6 +41,8 @@ source=( # other patches '0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch' '0002-fix-Atmel-maXTouch-touchscreen-support.patch' + '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch' + '0002-drm-i915-Increase-LSPCON-timeout.patch' ) validpgpkeys=( '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva @@ -50,9 +50,7 @@ validpgpkeys=( ) sha512sums=('0c221c6e84eb5bc270ef79454bf407079daed84534afb1d449d40fa46e42868a471d3063016a4eb3f68d42879e18ee314ab30716116805fee35b5084b23df2a9' 'SKIP' - 'c17f1ddc83015dfbb9657ee18078313f97791af0d70d8d4ae22f69b1387066f4fd83ef2c73a9a7c8589c7ad63fe1687575a4219fca34622920ccf973219184b6' - 'SKIP' - '8dbf970e7006ffe3497463c4664e3485a8d5a4dac0efecea3873851955a14a920406302354e1af473dac627cec716ef095310c2628a0befdd33c35546a03cc71' + '4185dde406aafd020a0c7ab5cadff02a6f92812b5e7616c39b85051af23adc6bb0927f75bcc5213f9df8d34d0e7deb7c930844565318dd771b6695763deef174' 'SKIP' '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3' 'SKIP' @@ -65,7 +63,9 @@ sha512sums=('0c221c6e84eb5bc270ef79454bf407079daed84534afb1d449d40fa46e42868a471 '4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44' '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf' '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af' - 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168') + 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168' + '8ed3859b495f88287222bd87927fad795b409541c113784bea933099d10bb62bbf24dd7f847dd47f8742d83d7143d9a0d04642528c2c1d41ef7e0ffde3d4a0b3' + 'f97ec2ad3d919c1a59211dab61be6701e3ebd5647afc725c32365bc083272d770c0ad8be5bf8b43b32905d2d107da822bd1013668a5cf75ec51770e151e4f5f8') _kernelname=${pkgbase#linux-libre} _replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}") @@ -80,15 +80,14 @@ prepare() { patch -p1 -i ../patch-$_srcbasever-$_srcver fi - # add Arch Linux kernel patch - if [ -e ../patch-${_srcver%-*}-${_archrel}.patch ]; then - patch -p1 -i ../patch-${_srcver%-*}-${_archrel}.patch - fi - # add freedo as boot logo install -m644 -t drivers/video/logo \ ../logo_linux_{clut224.ppm,vga16.ppm,mono.pbm} + # Arch's linux patches + patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + patch -p1 -i ../0002-drm-i915-Increase-LSPCON-timeout.patch + # maintain the TTY over USB disconnects # http://www.coreboot.org/EHCI_Gadget_Debug patch -p1 -i ../0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch |