5.14.8-1 (clr 5.14.8-1078)

.SRCINFO

@@ -1,6 +1,6 @@
 pkgbase = linux-clear
 	pkgdesc = Clear Linux
-	pkgver = 5.13.19
+	pkgver = 5.14.8
 	pkgrel = 1
 	url = https://github.com/clearlinux-pkgs/linux
 	arch = x86_64
@@ -12,22 +12,22 @@ pkgbase = linux-clear
 	makedepends = libelf
 	makedepends = xmlto
 	options = !strip
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.xz
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.sign
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.13.19.xz
-	source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.13.17-1074
-	source = more-uarches-20210818.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210818.tar.gz
-	source = pci-enable-overrides-for-missing-acs-capabilities.patch
-	source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.xz
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.sign
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.14.8.xz
+	source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.14.8-1078
+	source = more-uarches-20210914.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210914.tar.gz
+	source = 0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch
+	source = 0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch
 	validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 	validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
-	sha256sums = 3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9
+	sha256sums = 7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2
 	sha256sums = SKIP
-	sha256sums = 6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71
+	sha256sums = 3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9
 	sha256sums = SKIP
-	sha256sums = d361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf
-	sha256sums = 2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e
-	sha256sums = 34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba
+	sha256sums = b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611
+	sha256sums = 1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd
+	sha256sums = ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28
 
 pkgname = linux-clear
 	pkgdesc = The Clear Linux kernel and modules

0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch

@@ -1,154 +0,0 @@
-From a0a84528e06b99d83046fd16d2fa132c8d20a46c Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Mon, 16 Sep 2019 04:53:20 +0200
-Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
- CLONE_NEWUSER
-
-Our default behavior continues to match the vanilla kernel.
----
- include/linux/user_namespace.h |  4 ++++
- init/Kconfig                   | 16 ++++++++++++++++
- kernel/fork.c                  | 14 ++++++++++++++
- kernel/sysctl.c                | 12 ++++++++++++
- kernel/user_namespace.c        |  7 +++++++
- 5 files changed, 53 insertions(+)
-
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 1d08dbbcf..180da8f71 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -112,6 +112,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
- 
- #ifdef CONFIG_USER_NS
- 
-+extern int unprivileged_userns_clone;
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- 	if (ns)
-@@ -145,6 +147,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
- struct ns_common *ns_get_owner(struct ns_common *ns);
- #else
- 
-+#define unprivileged_userns_clone 0
-+
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
- {
- 	return &init_user_ns;
-diff --git a/init/Kconfig b/init/Kconfig
-index a61c92066..6a2920f2e 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1195,6 +1195,22 @@ config USER_NS
- 
- 	  If unsure, say N.
- 
-+config USER_NS_UNPRIVILEGED
-+	bool "Allow unprivileged users to create namespaces"
-+	default y
-+	depends on USER_NS
-+	help
-+	  When disabled, unprivileged users will not be able to create
-+	  new namespaces. Allowing users to create their own namespaces
-+	  has been part of several recent local privilege escalation
-+	  exploits, so if you need user namespaces but are
-+	  paranoid^Wsecurity-conscious you want to disable this.
-+
-+	  This setting can be overridden at runtime via the
-+	  kernel.unprivileged_userns_clone sysctl.
-+
-+	  If unsure, say Y.
-+
- config PID_NS
- 	bool "PID Namespaces"
- 	default y
-diff --git a/kernel/fork.c b/kernel/fork.c
-index a070caed5..03baafd70 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -98,6 +98,10 @@
- #include <linux/io_uring.h>
- #include <linux/bpf.h>
- 
-+#ifdef CONFIG_USER_NS
-+#include <linux/user_namespace.h>
-+#endif
-+
- #include <asm/pgalloc.h>
- #include <linux/uaccess.h>
- #include <asm/mmu_context.h>
-@@ -1871,6 +1875,10 @@ static __latent_entropy struct task_struct *copy_process(
- 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
- 		return ERR_PTR(-EINVAL);
- 
-+	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+		if (!capable(CAP_SYS_ADMIN))
-+			return ERR_PTR(-EPERM);
-+
- 	/*
- 	 * Thread groups must share signals as well, and detached threads
- 	 * can only be started up within the thread group.
-@@ -2973,6 +2981,12 @@ int ksys_unshare(unsigned long unshare_flags)
- 	if (unshare_flags & CLONE_NEWNS)
- 		unshare_flags |= CLONE_FS;
- 
-+	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+		err = -EPERM;
-+		if (!capable(CAP_SYS_ADMIN))
-+			goto bad_unshare_out;
-+	}
-+
- 	err = check_unshare_flags(unshare_flags);
- 	if (err)
- 		goto bad_unshare_out;
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index d4a78e08f..0260dfe2d 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -103,6 +103,9 @@
- #ifdef CONFIG_LOCKUP_DETECTOR
- #include <linux/nmi.h>
- #endif
-+#ifdef CONFIG_USER_NS
-+#include <linux/user_namespace.h>
-+#endif
- 
- #if defined(CONFIG_SYSCTL)
- 
-@@ -1896,6 +1899,15 @@ static struct ctl_table kern_table[] = {
- 		.proc_handler	= proc_dointvec,
- 	},
- #endif
-+#ifdef CONFIG_USER_NS
-+	{
-+		.procname	= "unprivileged_userns_clone",
-+		.data		= &unprivileged_userns_clone,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec,
-+	},
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
- 	{
- 		.procname	= "tainted",
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 8d6286372..5ca391b2b 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -21,6 +21,13 @@
- #include <linux/bsearch.h>
- #include <linux/sort.h>
- 
-+/* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
-+int unprivileged_userns_clone;
-+#endif
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
- 
--- 
-2.32.0.93.g670b81a890
-

PKGBUILD

@@ -73,10 +73,10 @@ _use_current=
 
 ### IMPORTANT: Do no edit below this line unless you know what you're doing
 
-_major=5.13
-_minor=19
+_major=5.14
+_minor=8
 _srcname=linux-${_major}
-_clr=${_major}.17-1074
+_clr=${_major}.8-1078
 pkgbase=linux-clear
 pkgver=${_major}.${_minor}
 pkgrel=1
@@ -86,15 +86,15 @@ url="https://github.com/clearlinux-pkgs/linux"
 license=('GPL2')
 makedepends=('bc' 'cpio' 'git' 'kmod' 'libelf' 'xmlto')
 options=('!strip')
-_gcc_more_v='20210818'
+_gcc_more_v='20210914'
 source=(
   "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.xz"
   "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.sign"
   "https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-${pkgver}.xz"
   "clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=${_clr}"
   "more-uarches-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/$_gcc_more_v.tar.gz"
-  'pci-enable-overrides-for-missing-acs-capabilities.patch'
-  '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch'
+  "0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch"
+  "0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch"
 )
 
 export KBUILD_BUILD_HOST=archlinux
@@ -185,7 +185,7 @@ prepare() {
     # https://github.com/graysky2/kernel_compiler_patch
     # make sure to apply after olddefconfig to allow the next section
     echo "Patching to enable GCC optimization for other uarchs..."
-    patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8+.patch"
+    patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8-5.14.patch"
 
     if [ -n "$_subarch" ]; then
         # user wants a subarch so apply choice defined above interactively via 'yes'
@@ -351,13 +351,13 @@ for _p in "${pkgname[@]}"; do
   }"
 done
 
-sha256sums=('3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9'
+sha256sums=('7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2'
             'SKIP'
-            '6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71'
+            '3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9'
             'SKIP'
-            'd361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf'
-            '2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e'
-            '34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba')
+            'b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611'
+            '1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd'
+            'ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28')
 
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds

pci-enable-overrides-for-missing-acs-capabilities.patch

@@ -1,193 +0,0 @@
-From f56f33917f418568141184eb2503ec65309a8255 Mon Sep 17 00:00:00 2001
-From: Mark Weiman <mark.weiman@markzz.com>
-Date: Thu, 13 Dec 2018 13:15:16 -0500
-Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.18)
-
-This an updated version of Alex Williamson's patch from:
-https://lkml.org/lkml/2013/5/30/513
-
-Original commit message follows:
----
-PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that
-allows us to control whether transactions are allowed to be redirected
-in various subnodes of a PCIe topology.  For instance, if two
-endpoints are below a root port or downsteam switch port, the
-downstream port may optionally redirect transactions between the
-devices, bypassing upstream devices.  The same can happen internally
-on multifunction devices.  The transaction may never be visible to the
-upstream devices.
-
-One upstream device that we particularly care about is the IOMMU.  If
-a redirection occurs in the topology below the IOMMU, then the IOMMU
-cannot provide isolation between devices.  This is why the PCIe spec
-encourages topologies to include ACS support.  Without it, we have to
-assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation.
-
-Unfortunately, far too many topologies do not support ACS to make this
-a steadfast requirement.  Even the latest chipsets from Intel are only
-sporadically supporting ACS.  We have trouble getting interconnect
-vendors to include the PCIe spec required PCIe capability, let alone
-suggested features.
-
-Therefore, we need to add some flexibility.  The pcie_acs_override=
-boot option lets users opt-in specific devices or sets of devices to
-assume ACS support.  The "downstream" option assumes full ACS support
-on root ports and downstream switch ports.  The "multifunction"
-option assumes the subset of ACS features available on multifunction
-endpoints and upstream switch ports are supported.  The "id:nnnn:nnnn"
-option enables ACS support on devices matching the provided vendor
-and device IDs, allowing more strategic ACS overrides.  These options
-may be combined in any order.  A maximum of 16 id specific overrides
-are available.  It's suggested to use the most limited set of options
-necessary to avoid completely disabling ACS across the topology.
-Note to hardware vendors, we have facilities to permanently quirk
-specific devices which enforce isolation but not provide an ACS
-capability.  Please contact me to have your devices added and save
-your customers the hassle of this boot option.
----
- .../admin-guide/kernel-parameters.txt         |   8 ++
- drivers/pci/quirks.c                          | 102 ++++++++++++++++++
- 2 files changed, 110 insertions(+)
-
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 0c404cda531a..0d45f0014f4a 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3408,6 +3408,14 @@
- 		nomsi		[MSI] If the PCI_MSI kernel config parameter is
- 				enabled, this kernel boot option can be used to
- 				disable the use of MSI interrupts system-wide.
-+		pci_acs_override [PCIE] Override missing PCIe ACS support for:
-+				downstream
-+					All downstream ports - full ACS capabilities
-+				multifunction
-+					Add multifunction devices - multifunction ACS subset
-+				id:nnnn:nnnn
-+					Specific device - full ACS capabilities
-+					Specified as vid:did (vendor/device ID) in hex
- 		noioapicquirk	[APIC] Disable all boot interrupt quirks.
- 				Safety option to keep boot IRQs enabled. This
- 				should never be necessary.
-diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index c0673a717239..695d99b390f7 100644
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
- }
- fs_initcall_sync(pci_apply_final_quirks);
- 
-+static bool acs_on_downstream;
-+static bool acs_on_multifunction;
-+
-+#define NUM_ACS_IDS 16
-+struct acs_on_id {
-+	unsigned short vendor;
-+	unsigned short device;
-+};
-+static struct acs_on_id acs_on_ids[NUM_ACS_IDS];
-+static u8 max_acs_id;
-+
-+static __init int pcie_acs_override_setup(char *p)
-+{
-+	if (!p)
-+		return -EINVAL;
-+
-+	while (*p) {
-+		if (!strncmp(p, "downstream", 10))
-+			acs_on_downstream = true;
-+		if (!strncmp(p, "multifunction", 13))
-+			acs_on_multifunction = true;
-+		if (!strncmp(p, "id:", 3)) {
-+			char opt[5];
-+			int ret;
-+			long val;
-+
-+			if (max_acs_id >= NUM_ACS_IDS - 1) {
-+				pr_warn("Out of PCIe ACS override slots (%d)\n",
-+						NUM_ACS_IDS);
-+				goto next;
-+			}
-+
-+			p += 3;
-+			snprintf(opt, 5, "%s", p);
-+			ret = kstrtol(opt, 16, &val);
-+			if (ret) {
-+				pr_warn("PCIe ACS ID parse error %d\n", ret);
-+				goto next;
-+			}
-+			acs_on_ids[max_acs_id].vendor = val;
-+		p += strcspn(p, ":");
-+		if (*p != ':') {
-+			pr_warn("PCIe ACS invalid ID\n");
-+			goto next;
-+			}
-+
-+			p++;
-+			snprintf(opt, 5, "%s", p);
-+			ret = kstrtol(opt, 16, &val);
-+			if (ret) {
-+				pr_warn("PCIe ACS ID parse error %d\n", ret);
-+				goto next;
-+			}
-+			acs_on_ids[max_acs_id].device = val;
-+			max_acs_id++;
-+		}
-+next:
-+		p += strcspn(p, ",");
-+		if (*p == ',')
-+			p++;
-+	}
-+
-+	if (acs_on_downstream || acs_on_multifunction || max_acs_id)
-+		pr_warn("Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n");
-+
-+	return 0;
-+}
-+early_param("pcie_acs_override", pcie_acs_override_setup);
-+
-+static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags)
-+{
-+	int i;
-+
-+	/* Never override ACS for legacy devices or devices with ACS caps */
-+	if (!pci_is_pcie(dev) ||
-+		pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS))
-+			return -ENOTTY;
-+
-+	for (i = 0; i < max_acs_id; i++)
-+		if (acs_on_ids[i].vendor == dev->vendor &&
-+			acs_on_ids[i].device == dev->device)
-+				return 1;
-+
-+switch (pci_pcie_type(dev)) {
-+	case PCI_EXP_TYPE_DOWNSTREAM:
-+	case PCI_EXP_TYPE_ROOT_PORT:
-+		if (acs_on_downstream)
-+			return 1;
-+		break;
-+	case PCI_EXP_TYPE_ENDPOINT:
-+	case PCI_EXP_TYPE_UPSTREAM:
-+	case PCI_EXP_TYPE_LEG_END:
-+	case PCI_EXP_TYPE_RC_END:
-+		if (acs_on_multifunction && dev->multifunction)
-+			return 1;
-+	}
-+
-+	return -ENOTTY;
-+}
-+
- /*
-  * Decoding should be disabled for a PCI device during BAR sizing to avoid
-  * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4674,6 +4674,8 @@ static const struct pci_dev_acs_enabled {
-	{ PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs },
-	/* Zhaoxin Root/Downstream Ports */
-	{ PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs },
-+	/* allow acs for any */
-+	{ PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
- 	{ 0 }
- };
- 
--- 
-2.20.0
-