Reported-by: Dave Jones <davej@codemonkey.org.uk>
Reported-by: Mike Snitzer <snitzer@redhat.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Allows users to implement MAC and Audit Policies using BPF programs.
The LSM won't be added to the list of active LSMs by default (in
CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
function call overhead by registering an empty callback for all hooks.
The LSM can be made "active" by default when the upstream effort [1] of
getting rid of this overhead is merged in the mainline kernel.
[Regression Potential]
Since the LSM is not active by default, it does not cause any
functional or performance regression.
Signed-off-by: KP Singh <kpsingh@google.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ arighi: updated also the annotations file ]
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andy Shevchenko [Fri, 4 Dec 2020 14:21:55 +0000 (22:21 +0800)]
PCI: Disable MSI for Pericom PCIe-USB adapter
BugLink: https://bugs.launchpad.net/bugs/1906839
Pericom PCIe-USB adapter advertises MSI, but documentation says "The MSI
Function is not implemented on this device" in chapters 7.3.27,
7.3.29-7.3.31, and Alberto found that MSI in fact does not work.
Kamal Mostafa [Mon, 14 Dec 2020 22:00:40 +0000 (14:00 -0800)]
UBUNTU: disable building bpf selftests (no VMLINUX_BTF)
BugLink: https://bugs.launchpad.net/bugs/1908144
Disable selftests/bpf since it cannot be built without having built vmlinux
first, else build fails with either:
    Makefile:148: *** cannot find a vmlinux for VMLINUX_BTF at any of
    "{paths}". Stop.
or this more cryptic variant:
    Error: failed to load BTF from format: No such file or directory
Reference: "UBUNTU: SAUCE: selftests/bpf: clarify build error if no vmlinux"
Reference: https://lore.kernel.org/bpf/20201210185233.28091-1-broonie@kernel.org/
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Mark Brown [Mon, 14 Dec 2020 22:00:39 +0000 (14:00 -0800)]
UBUNTU: SAUCE: selftests: Skip BPF selftests by default
BugLink: https://bugs.launchpad.net/bugs/1908144
The BPF selftests have build time dependencies on cutting edge versions
of tools in the BPF ecosystem including LLVM which are more involved
to satisfy than more typical requirements like installing a package from
your distribution. This causes issues for users looking at kselftest
as a whole who find that a default build of kselftest fails and that
resolving this is time consuming and adds administrative overhead. The
fast pace of BPF development and the need for a full BPF stack to do
substantial development or validation work on the code mean that people
working directly on it don't see a reasonable way to keep supporting
older environments without causing problems with the usability of the
BPF tests in BPF development so these requirements are unlikely to be
relaxed in the immediate future.
There is already support for skipping targets so in order to reduce the
barrier to entry for people interested in kselftest as a whole let's use
that to skip the BPF tests by default when people work with the top
level kselftest build system. Users can still build the BPF selftests
as part of the wider kselftest build by specifying SKIP_TARGETS,
including setting an empty SKIP_TARGETS to build everything. They can
also continue to build the BPF selftests individually in cases where
they are specifically focused on BPF.
This isn't ideal since it means people will need to take special steps
to build the BPF tests but the dependencies mean that realistically this
is already the case to some extent and it makes it easier for people to
pick up and work with the other selftests which is hopefully a net win.
Signed-off-by: Mark Brown <broonie@kernel.org>
Reference: https://lore.kernel.org/bpf/20201210185233.28091-1-broonie@kernel.org/
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Kamal Mostafa [Mon, 14 Dec 2020 22:00:38 +0000 (14:00 -0800)]
UBUNTU: SAUCE: selftests/bpf: clarify build error if no vmlinux
BugLink: https://bugs.launchpad.net/bugs/1908144
If Makefile cannot find any of the vmlinux's in its VMLINUX_BTF_PATHS list,
it tries to run bpftool incorrectly, with VMLINUX_BTF unset:
    bpftool btf dump file $(VMLINUX_BTF) format c
Such that the keyword 'format' is misinterpreted as the path to vmlinux.
The resulting build error message is fairly cryptic:
    GEN vmlinux.h
    Error: failed to load BTF from format: No such file or directory
This patch makes the failure reason clearer by yielding this instead:
    Makefile:...: *** cannot find a vmlinux for VMLINUX_BTF at any of
    "{paths}". Stop.
Fixes: acbd06206bbb ("selftests/bpf: Add vmlinux.h selftest exercising tracing of syscalls")
Cc: stable@vger.kernel.org # 5.7+
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Reference: https://lore.kernel.org/bpf/20201214202049.7205-1-kamal@canonical.com/
Andrei Matei [Wed, 25 Nov 2020 03:52:55 +0000 (22:52 -0500)]
bpf: Fix selftest compilation on clang 11
BugLink: c/dtmwdtfJ/115 (Fix bpf selftest compilation with clang 11)
Before this patch, profiler.inc.h wouldn't compile with clang-11 (before
the __builtin_preserve_enum_value LLVM builtin was introduced in
https://reviews.llvm.org/D83242).
Another test that uses this builtin (test_core_enumval) is conditionally
skipped if the compiler is too old. In that spirit, this patch inhibits
part of populate_cgroup_info(), which needs this CO-RE builtin. The
selftests build again on clang-11.
The affected test (the profiler test) doesn't pass on clang-11 because
it's missing https://reviews.llvm.org/D85570, but at least the test suite
as a whole compiles. The test's expected failure is already called out in
the README.
Signed-off-by: Andrei Matei <andreimatei1@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Florian Lehner <dev@der-flo.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20201125035255.17970-1-andreimatei1@gmail.com
(cherry picked from commit fb3558127cb62ba2dea9e3d0efa1bb1d7e5eee2a
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Thu, 12 Nov 2020 18:34:01 +0000 (12:34 -0600)]
UBUNTU: [Debian] Build linux-libc-dev for debian.master* branches
BugLink: https://bugs.launchpad.net/bugs/1904067
We don't build linux-libc-dev if $DEBIAN is not debian.master.
However, for a master kernel forward ported to the devel series
we do want to build linux-libc-dev. $DEBIAN will be named
debian.master-SERIES for these kernels, so allow building
linux-libc-dev for these kernels too.
Seth Forshee [Wed, 4 Nov 2020 22:25:00 +0000 (23:25 +0100)]
UBUNTU: [Debian] Update for leader included in BACKPORT_SUFFIX
BugLink: https://bugs.launchpad.net/bugs/1902957
Currently a ~ is always added to the version string before
BACKPORT_SUFFIX. Now we will also be doing forward-ports to
development releases, which works exactly the same as a
backport, but we want to use + as the leader instead.
Our kernel source doesn't contain the information to determine
which leader is appropriate, but that information is available
when generating update.conf. Therefore the leader will be added
as part of BACKPORT_SUFFIX, and our packaging should not insert
any leader.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Seth Forshee [Mon, 30 Nov 2020 15:34:06 +0000 (09:34 -0600)]
UBUNTU: [Config] CONFIG_RCU_SCALE_TEST=n
BugLink: https://bugs.launchpad.net/bugs/1904906
This was enabled when rebasing to 5.10-rc1, but it is not an
option we would normally enable, and no justification was
provided for enabling it. The option also may be related to
ppc64el boot problems (though it is as of yet unclear how that
would be possible), so let's disable it.
UBUNTU: [Packaging]: linux-image should suggest linux-modules-extra
When installing linux-image, we don't want the linux-modules-extra to be
installed by default, so it should not be a Recommends. It can, however, be a
Suggests.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: [Packaging]: linux-modules should depend on linux-image
When installing linux-modules package directly, it will not bring a linux-image
package as a dependency. linux-modules-extra, on the other hand, depends on a
linux-image package.
Make the linux-modules package depend on either the linux-image or the
linux-image-unsigned package.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1903293
When some changes have been already added to the changelog, like when using
insert-ubuntu-changes, and there are no other changes, we end up with two
newlines right after the stanza header.
Add a $skip_newline variable that allows us to skip that extra newline when
there are no other changes.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Mon, 23 Nov 2020 07:43:31 +0000 (08:43 +0100)]
UBUNTU: [Config] add CONFIG_INFINIBAND_VIRT_DMA
Add CONFIG_INFINIBAND_VIRT_DMA, introduced after rebasing to 5.10-rc5.
NOTE: this config option can only be enabled if CONFIG_HIGHMEM is not
set and that is false in armhf, so it needs to be disabled in this
specific architecture.
As a consequence the following dependent config options are also
disabled (on armhf only):
- CONFIG_RDMA_RXE
- CONFIG_RDMA_SIW
This shouldn't be a problem, since these options are used by infiniband,
which is unlikely to be used with armhf.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Thu, 24 Sep 2020 12:49:32 +0000 (14:49 +0200)]
UBUNTU: [Packaging] reduce the size required to build packages
During the build we are removing flavor build directory, but this is not
applied until the end of the binary-% rule. This is too late as we have
to build, install, and generate dbgsyms for all flavors before this
triggers.
Removing the flavor build directory at the end of the install-% phase
allows us to free up some space in advance and use less space overall to
build the packages.
Suggested-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Seth Forshee [Wed, 4 Nov 2020 20:46:21 +0000 (14:46 -0600)]
UBUNTU: [Config] Update CONFIG_E1000E for ppc64el in annotations
BugLink: https://bugs.launchpad.net/bugs/1902687
This option now depends on CONFIG_DMI, and thus is no longer
selectable for ppc64el. Update the annotations accordingly.
This is being submitted separately from released hardware in case of
a regression between pre-release and release hardware so this commit
can be reverted alone.
Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
Tested-by: Yijun Shen <Yijun.shen@dell.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: e1000e: Add Dell's Comet Lake systems into s0ix heuristics
BugLink: https://bugs.launchpad.net/bugs/1902687
Dell's Comet Lake Latitude and Precision systems containing i219LM are
properly configured and should use the s0ix flows.
Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
Tested-by: Yijun Shen <Yijun.shen@dell.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: e1000e: allow turning s0ix flows on for systems with ME
BugLink: https://bugs.launchpad.net/bugs/1902687
S0ix for GBE flows are needed for allowing the system to get into deepest
power state, but these require coordination of components outside of
control of Linux kernel. For systems that have confirmed to coordinate
this properly, allow turning on the s0ix flows at load time or runtime.
Fixes: e086ba2fccda ("e1000e: disable s0ix entry and exit flows for ME systems")
Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Kan Liang [Thu, 29 Oct 2020 09:09:27 +0000 (11:09 +0200)]
UBUNTU: SAUCE: perf/x86/intel/uncore: Add Rocket Lake support
BugLink: https://bugs.launchpad.net/bugs/1902004
For Rocket Lake, the MSR uncore, e.g., CBOX, ARB and CLOCKBOX, are the
same as Tiger Lake. Share the perf code with it.
For Rocket Lake and Tiger Lake, the 8th CBOX is not mapped into a
different MSR space anymore. Add rkl_uncore_msr_init_box() to replace
skl_uncore_msr_init_box().
The IMC uncore is similar to Ice Lake. Add new PCIIDs of IMC for
Rocket Lake.
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Kan Liang [Thu, 29 Oct 2020 09:09:25 +0000 (11:09 +0200)]
UBUNTU: SAUCE: perf/x86/cstate: Add Rocket Lake CPU support
BugLink: https://bugs.launchpad.net/bugs/1902004
From the perspective of Intel cstate residency counters, Rocket Lake is
the same as Ice Lake and Tiger Lake. Share the code with them. Update
the comments for Rocket Lake.
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Kan Liang [Thu, 29 Oct 2020 09:09:24 +0000 (11:09 +0200)]
UBUNTU: SAUCE: perf/x86/intel: Add Rocket Lake CPU support
BugLink: https://bugs.launchpad.net/bugs/1902004
From the perspective of Intel PMU, Rocket Lake is the same as Ice Lake
and Tiger Lake. Share the perf code with them.
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Seth Forshee [Wed, 4 Nov 2020 00:12:45 +0000 (18:12 -0600)]
UBUNTU: [Debian] Include scripts/module.lds from builddir in headers package
The script which was previously named scripts/module-common.lds
has now been renamed to scripts/module.lds.S. We need the final
linker script in headers packages. Move it to the per-arch
headers packages since it may now differ between architectures.
Seth Forshee [Mon, 2 Nov 2020 18:05:57 +0000 (12:05 -0600)]
UBUNTU: [Config] Update numerous configs to conform with policy
When reviewing the annotations updates for the 5.10-rc2 rebase,
I noted a large number of options which did not conform to our
config policy. These have been updated. I suspect there may be
others from the 5.10-rc1 rebase which also do not conform to
policy, so further review is needed.
According to Intel, all CML root ports need this workaround, so add all
root ports from [1] to existing quirk.
[1] Intel® 400 Series Chipset Family Platform Controller Hub (PCH) Datasheet, Volume 1 of 2, Content ID: 620854 Version: 002
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1896801
Since upstream has removed python3-venv, update our build dependencies and let
linux-doc build outside a virtualenv.
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and
dccps_hc_tx_ccid are copied. When CCID features are activated on the child
socket, the CCID objects are freed, leaving the parent socket with dangling
pointers.
During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the
parent objects are not freed.
Reported-by: Hadar Manor
CVE-2020-16119
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Kai-Heng Feng [Wed, 7 Oct 2020 11:54:00 +0000 (19:54 +0800)]
UBUNTU: SAUCE: drm/i915/dpcd_bl: Skip testing control capability with force DPCD quirk
BugLink: https://bugs.launchpad.net/bugs/1898865
HP DreamColor panel needs to be controlled via AUX interface. However,
it has both DP_EDP_BACKLIGHT_BRIGHTNESS_AUX_SET_CAP and
DP_EDP_BACKLIGHT_BRIGHTNESS_PWM_PIN_CAP set, so it fails to pass
intel_dp_aux_display_control_capable() test.
Skip the test if the panel has force DPCD quirk.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
With the inclusion of the "display" process attribute
mechanism AppArmor no longer needs to be treated as an
"exclusive" security module. Remove the flag that indicates
it is exclusive. Remove the stub getpeersec_dgram AppArmor
hook as it has no effect in the single LSM case and
interferes in the multiple LSM case.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Fri, 21 Aug 2020 22:27:38 +0000 (15:27 -0700)]
UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
Add an entry /proc/.../attr/context which displays the full
process security "context" in compound format:
    lsm1\0value\0lsm2\0value\0...
This entry is not writable.
A security module may decide that its policy does not allow
this information to be displayed. In this case none of the
information will be displayed.
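Added example, not part of the commit above or of the kernel tree: a userspace parser for the compound lsm1\0value\0lsm2\0value\0... layout that commit describes, rejecting truncated or unpaired fields. The function names, the error class and the sample bytes are constructed for illustration, and treating an empty read as "nothing displayed" is an assumption.

```python
from __future__ import annotations


class ContextFormatError(ValueError):
    """The bytes do not follow the NUL-separated name/value layout."""


def parse_compound_context(raw: bytes) -> list[tuple[str, str]]:
    """Return [(lsm_name, context_value), ...] in the order they were listed."""
    if not raw:
        # Assumption: an empty read means no information was displayed,
        # for example because a module's policy withheld it.
        return []
    if not raw.endswith(b"\x00"):
        raise ContextFormatError("last field is not NUL-terminated (short read?)")
    fields = raw[:-1].split(b"\x00")
    if len(fields) % 2:
        raise ContextFormatError("odd number of fields: a name has no value")
    pairs: list[tuple[str, str]] = []
    seen: set[str] = set()
    for name_b, value_b in zip(fields[0::2], fields[1::2]):
        if not name_b or not name_b.isascii():
            raise ContextFormatError(f"bad module name {name_b!r}")
        name = name_b.decode("ascii")
        if name in seen:
            raise ContextFormatError(f"module {name!r} listed twice")
        seen.add(name)
        # Values are policy-defined labels: keep unexpected bytes visible
        # as escapes instead of failing or silently dropping them.
        pairs.append((name, value_b.decode("utf-8", "backslashreplace")))
    return pairs


def read_context(attr_path: str) -> list[tuple[str, str]]:
    """Parse the attr/context file of the process being inspected.

    Opened in binary mode: C-string or line-oriented handling would stop
    at the first NUL and report only the first module's name.
    """
    with open(attr_path, "rb") as fh:
        return parse_compound_context(fh.read())


def render(pairs: list[tuple[str, str]]) -> str:
    """One-line form suitable for a log message."""
    return " ".join(f"{n}={v!r}" for n, v in pairs) or "(no context displayed)"


# Constructed sample: two modules, each contributing one context value.
SAMPLE = b"apparmor\x00unconfined\x00selinux\x00system_u:system_r:init_t:s0\x00"

if __name__ == "__main__":
    print(render(parse_compound_context(SAMPLE)))
```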
Casey Schaufler [Fri, 21 Aug 2020 21:59:03 +0000 (14:59 -0700)]
UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM attributes
Create a new audit record type to contain the object information
when there are multiple security modules that require such data.
This record is emitted before the other records for the event, but
is linked with the same timestamp and serial number.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Fri, 21 Aug 2020 21:29:19 +0000 (14:29 -0700)]
UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
Create a new audit record type to contain the subject information
when there are multiple security modules that require such data.
This record is linked with the same timestamp and serial number.
The record is produced only in cases where there is more than one
security module with a process "context".
Before this change the only audit events that required multiple
records were syscall events. Several non-syscall events include
subject contexts, so the use of audit_context data has been expanded
as necessary.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>