fixup! Update Debian kernel to v6.6.1

pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch

@@ -1,4 +1,4 @@
-From be7a0019f698b236692d06f6beff99d44f3802b5 Mon Sep 17 00:00:00 2001
+From 408551029a78a655c5fea864b45a8e370d7d9e8c Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Mon, 7 Sep 2020 02:51:53 +0100
 Subject: [PATCH 1/2] Export symbols needed by Android drivers
@@ -20,10 +20,10 @@ Export the currently un-exported symbols they depend on.
  7 files changed, 10 insertions(+)
 
 diff --git a/fs/file.c b/fs/file.c
-index 7893ea161d77..066f90a4f572 100644
+index 3e4a4dfa38fca..bdded3fcdbd87 100644
 --- a/fs/file.c
 +++ b/fs/file.c
-@@ -814,6 +814,7 @@ struct file *close_fd_get_file(unsigned int fd)
+@@ -816,6 +816,7 @@ struct file *close_fd_get_file(unsigned int fd)
  
  	return file;
  }
@@ -32,10 +32,10 @@ index 7893ea161d77..066f90a4f572 100644
  void do_close_on_exec(struct files_struct *files)
  {
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index a68d1276bab0..5e5adf3f4f49 100644
+index 802551e0009bf..2698c78062b2f 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -7227,6 +7227,7 @@ static bool is_nice_reduction(const struct task_struct *p, const int nice)
+@@ -7253,6 +7253,7 @@ static bool is_nice_reduction(const struct task_struct *p, const int nice)
  
  	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE));
  }
@@ -44,10 +44,10 @@ index a68d1276bab0..5e5adf3f4f49 100644
  /*
   * can_nice - check if a task can reduce its nice value
 diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c
-index 133b74730738..a2a3381ede73 100644
+index 802d98cf2de31..8eec46f066d86 100644
 --- a/kernel/sched/wait.c
 +++ b/kernel/sched/wait.c
-@@ -247,6 +247,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head)
+@@ -252,6 +252,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head)
  	/* POLLFREE must have cleared the queue. */
  	WARN_ON_ONCE(waitqueue_active(wq_head));
  }
@@ -56,7 +56,7 @@ index 133b74730738..a2a3381ede73 100644
  /*
   * Note: we use "set_current_state()" _after_ the wait-queue add,
 diff --git a/kernel/task_work.c b/kernel/task_work.c
-index 065e1ef8fc8d..7d06ea82a53e 100644
+index 95a7e1b7f1dab..972c3280337e8 100644
 --- a/kernel/task_work.c
 +++ b/kernel/task_work.c
 @@ -73,6 +73,7 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
@@ -68,22 +68,22 @@ index 065e1ef8fc8d..7d06ea82a53e 100644
  /**
   * task_work_cancel_match - cancel a pending work added by task_work_add()
 diff --git a/mm/memory.c b/mm/memory.c
-index 5ce82a76201d..c20d92584f25 100644
+index 517221f013035..b747095cfea68 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
-@@ -1755,6 +1755,7 @@ void zap_page_range_single(struct vm_area_struct *vma, unsigned long address,
- 	mmu_notifier_invalidate_range_end(&range);
+@@ -1770,6 +1770,7 @@ void zap_page_range_single(struct vm_area_struct *vma, unsigned long address,
  	tlb_finish_mmu(&tlb);
+ 	hugetlb_zap_end(vma, details);
  }
 +EXPORT_SYMBOL_GPL(zap_page_range_single);
  
  /**
   * zap_vma_ptes - remove ptes mapping the vma
 diff --git a/mm/shmem.c b/mm/shmem.c
-index e40a08c5c6d7..3082bd4dfd52 100644
+index 69595d3418829..e155894de651c 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
-@@ -4351,6 +4351,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
+@@ -4871,6 +4871,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
  
  	return 0;
  }
@@ -92,10 +92,10 @@ index e40a08c5c6d7..3082bd4dfd52 100644
  /**
   * shmem_read_folio_gfp - read into page cache, using specified page allocation flags.
 diff --git a/security/security.c b/security/security.c
-index d5ff7ff45b77..79cc02ff5971 100644
+index 23b129d482a7c..eeb7162a02674 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -798,6 +798,7 @@ int security_binder_set_context_mgr(const struct cred *mgr)
+@@ -799,6 +799,7 @@ int security_binder_set_context_mgr(const struct cred *mgr)
  {
  	return call_int_hook(binder_set_context_mgr, 0, mgr);
  }
@@ -103,7 +103,7 @@ index d5ff7ff45b77..79cc02ff5971 100644
  
  /**
   * security_binder_transaction() - Check if a binder transaction is allowed
-@@ -813,6 +814,7 @@ int security_binder_transaction(const struct cred *from,
+@@ -814,6 +815,7 @@ int security_binder_transaction(const struct cred *from,
  {
  	return call_int_hook(binder_transaction, 0, from, to);
  }
@@ -111,7 +111,7 @@ index d5ff7ff45b77..79cc02ff5971 100644
  
  /**
   * security_binder_transfer_binder() - Check if a binder transfer is allowed
-@@ -828,6 +830,7 @@ int security_binder_transfer_binder(const struct cred *from,
+@@ -829,6 +831,7 @@ int security_binder_transfer_binder(const struct cred *from,
  {
  	return call_int_hook(binder_transfer_binder, 0, from, to);
  }
@@ -119,7 +119,7 @@ index d5ff7ff45b77..79cc02ff5971 100644
  
  /**
   * security_binder_transfer_file() - Check if a binder file xfer is allowed
-@@ -844,6 +847,7 @@ int security_binder_transfer_file(const struct cred *from,
+@@ -845,6 +848,7 @@ int security_binder_transfer_file(const struct cred *from,
  {
  	return call_int_hook(binder_transfer_file, 0, from, to, file);
  }
@@ -128,5 +128,5 @@ index d5ff7ff45b77..79cc02ff5971 100644
  /**
   * security_ptrace_access_check() - Check if tracing is allowed
 -- 
-2.41.0
+2.42.1
 

pkg/debian/kernel/0001-Partially-revert-integrity-Only-use-machine-keyring-.patch

@@ -0,0 +1,41 @@
+From fbfaff58fe821fa93ceeb17e034886a6d8447207 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Mon, 20 Nov 2023 22:54:05 +0100
+Subject: [PATCH] Partially revert "integrity: Only use machine keyring when
+ uefi_check_trust_mok_keys is true"
+
+This partially reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
+
+MokListTrustedRT doesn't seem to be set by the Shim version used by
+Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
+newer kernels. While pre-5.19 kernels silently disregard the untrusted
+keys and (without signature enforcement enabled) still load external
+modules (tainting the kernel), on 5.19 kernels, this breaks module
+loading. Therefore, revert this change.
+---
+ security/integrity/platform_certs/machine_keyring.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
+index a401640a63cd1..a1ad244cbf86d 100644
+--- a/security/integrity/platform_certs/machine_keyring.c
++++ b/security/integrity/platform_certs/machine_keyring.c
+@@ -51,14 +51,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t
+  */
+ static __init bool uefi_check_trust_mok_keys(void)
+ {
+-	struct efi_mokvar_table_entry *mokvar_entry;
+-
+-	mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
+-
+-	if (mokvar_entry)
+-		return true;
+-
+-	return false;
++	return true;
+ }
+ 
+ static bool __init trust_moklist(void)
+-- 
+2.42.1
+

pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch

@@ -1,102 +0,0 @@
-From 9564bb04930ddcffa8b859ccf48ca40767ec8da4 Mon Sep 17 00:00:00 2001
-From: Maximilian Luz <luzmaximilian@gmail.com>
-Date: Fri, 26 Aug 2022 21:24:36 +0200
-Subject: [PATCH] Revert "integrity: Only use machine keyring when
- uefi_check_trust_mok_keys is true"
-
-This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
-
-MokListTrustedRT doesn't seem to be set by the Shim version used by
-Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
-newer kernels. While pre-5.19 kernels silently disregard the untrusted
-keys and (without signature enforcement enabled) still load external
-modules (tainting the kernel), on 5.19 kernels, this breaks module
-loading. Therefore, revert this change.
-
-See https://github.com/linux-surface/linux-surface/issues/906.
----
- security/integrity/digsig.c                      |  2 +-
- security/integrity/integrity.h                   |  5 -----
- .../integrity/platform_certs/keyring_handler.c   |  2 +-
- .../integrity/platform_certs/machine_keyring.c   | 16 ----------------
- 4 files changed, 2 insertions(+), 23 deletions(-)
-
-diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
-index 6f31ffe23c48..590cd07b804b 100644
---- a/security/integrity/digsig.c
-+++ b/security/integrity/digsig.c
-@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
- 	} else {
- 		if (id == INTEGRITY_KEYRING_PLATFORM)
- 			set_platform_trusted_keys(keyring[id]);
--		if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
-+		if (id == INTEGRITY_KEYRING_MACHINE)
- 			set_machine_trusted_keys(keyring[id]);
- 		if (id == INTEGRITY_KEYRING_IMA)
- 			load_module_cert(keyring[id]);
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 7167a6e99bdc..1dbb494c86c0 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source,
- 
- #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
- void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
--bool __init trust_moklist(void);
- #else
- static inline void __init add_to_machine_keyring(const char *source,
- 						  const void *data, size_t len)
- {
- }
--static inline bool __init trust_moklist(void)
--{
--	return false;
--}
- #endif
-diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
-index 8a1124e4d769..b22e0125a483 100644
---- a/security/integrity/platform_certs/keyring_handler.c
-+++ b/security/integrity/platform_certs/keyring_handler.c
-@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
- __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
- {
- 	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
--		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
-+		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
- 			return add_to_machine_keyring;
- 		else
- 			return add_to_platform_keyring;
-diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
-index 7aaed7950b6e..09fd8f20c756 100644
---- a/security/integrity/platform_certs/machine_keyring.c
-+++ b/security/integrity/platform_certs/machine_keyring.c
-@@ -8,8 +8,6 @@
- #include <linux/efi.h>
- #include "../integrity.h"
- 
--static bool trust_mok;
--
- static __init int machine_keyring_init(void)
- {
- 	int rc;
-@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void)
- 
- 	return false;
- }
--
--bool __init trust_moklist(void)
--{
--	static bool initialized;
--
--	if (!initialized) {
--		initialized = true;
--
--		if (uefi_check_trust_mok_keys())
--			trust_mok = true;
--	}
--
--	return trust_mok;
--}
--- 
-2.41.0
-

pkg/debian/kernel/0001-serial-core-Fix-checks-for-tx-runtime-PM-state.patch

@@ -1,59 +0,0 @@
-From 8459746f889d72794c164d18423344686267a451 Mon Sep 17 00:00:00 2001
-From: Tony Lindgren <tony@atomide.com>
-Date: Thu, 5 Oct 2023 10:56:42 +0300
-Subject: [PATCH] serial: core: Fix checks for tx runtime PM state
-
-commit 81a61051e0ce5fd7e09225c0d5985da08c7954a7 upstream.
-
-Maximilian reported that surface_serial_hub serdev tx does not work during
-system suspend. During system suspend, runtime PM gets disabled in
-__device_suspend_late(), and tx is unable to wake-up the serial core port
-device that we use to check if tx is safe to start. Johan summarized the
-regression noting that serdev tx no longer always works as earlier when the
-serdev device is runtime PM active.
-
-The serdev device and the serial core controller devices are siblings of
-the serial port hardware device. The runtime PM usage count from serdev
-device does not propagate to the serial core device siblings, it only
-propagates to the parent.
-
-In addition to the tx issue for suspend, testing for the serial core port
-device can cause an unnecessary delay in enabling tx while waiting for the
-serial core port device to wake-up. The serial core port device wake-up is
-only needed to flush pending tx when the serial port hardware device was
-in runtime PM suspended state.
-
-To fix the regression, we need to check the runtime PM state of the parent
-serial port hardware device for tx instead of the serial core port device.
-
-As the serial port device drivers may or may not implement runtime PM, we
-need to also add a check for pm_runtime_enabled().
-
-Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
-Cc: stable <stable@kernel.org>
-Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
-Signed-off-by: Tony Lindgren <tony@atomide.com>
-Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
-Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Link: https://lore.kernel.org/r/20231005075644.25936-1-tony@atomide.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/serial_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index bf63a045fdc8..83c419ac78bc 100644
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -157,7 +157,7 @@ static void __uart_start(struct tty_struct *tty)
- 	 * enabled, serial_port_runtime_resume() calls start_tx() again
- 	 * after enabling the device.
- 	 */
--	if (pm_runtime_active(&port_dev->dev))
-+	if (!pm_runtime_enabled(port->dev) || pm_runtime_active(port->dev))
- 		port->ops->start_tx(port);
- 	pm_runtime_mark_last_busy(&port_dev->dev);
- 	pm_runtime_put_autosuspend(&port_dev->dev);
--- 
-2.42.0
-

pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch

@@ -1,4 +1,4 @@
-From 9917ce49cb4e0d91977f11ce5b04b15856a0d82c Mon Sep 17 00:00:00 2001
+From 2802d75f2b216a35c6a976c0064fcc0e20d82e4b Mon Sep 17 00:00:00 2001
 From: Ben Hutchings <ben@decadent.org.uk>
 Date: Fri, 22 Jun 2018 17:27:00 +0100
 Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules
@@ -26,7 +26,7 @@ Consequently, the ashmem part of this patch has been removed.
  3 files changed, 6 insertions(+), 5 deletions(-)
 
 diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
-index 07aa8ae0a058..94a3a86f9bd4 100644
+index 07aa8ae0a058c..94a3a86f9bd4f 100644
 --- a/drivers/android/Kconfig
 +++ b/drivers/android/Kconfig
 @@ -2,7 +2,7 @@
@@ -39,7 +39,7 @@ index 07aa8ae0a058..94a3a86f9bd4 100644
  	default n
  	help
 diff --git a/drivers/android/Makefile b/drivers/android/Makefile
-index c9d3d0c99c25..55411d9a9c2a 100644
+index c9d3d0c99c257..55411d9a9c2a1 100644
 --- a/drivers/android/Makefile
 +++ b/drivers/android/Makefile
 @@ -1,6 +1,7 @@
@@ -54,7 +54,7 @@ index c9d3d0c99c25..55411d9a9c2a 100644
 +binder_linux-$(CONFIG_ANDROID_BINDERFS)	+= binderfs.o
 +binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
 diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
-index 662a2a2e2e84..98fcbb0c8325 100644
+index e3db8297095a2..eef695eff0025 100644
 --- a/drivers/android/binder_alloc.c
 +++ b/drivers/android/binder_alloc.c
 @@ -38,7 +38,7 @@ enum {
@@ -67,5 +67,5 @@ index 662a2a2e2e84..98fcbb0c8325 100644
  
  #define binder_alloc_debug(mask, x...) \
 -- 
-2.41.0
+2.42.1