upg nss ca-certificates-mozilla

add linux-lts 5.4-200

linux-lts/PKGBUILD

@@ -209,229 +209,3 @@ sha256sums=(9044e7b4084afc636ccd7a7fe06439d8941b28613df79f16ce603ccca35292c6 # l
 	76fa1fc28bd76b30a1d93ac5fe5749e60f2c5c026d06065f2278782f01558383 # config
 	18d5666ba88aa811c1f627444c60101839d77cbdc467ac7d1495be73e752693f # sha256sums
 	96a72e1652314215da7140956c3abcf495cafd00811eda3cf4ce03ec5f791f1e) # 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
-####### diffs between old and new Arch PKGBUILD
---- PKGBUILD-arch	1970-01-01 02:00:00.000000000 +0200
-+++ PKGBUILD-arch.new	2022-06-11 01:30:15.825578620 +0300
-@@ -0,0 +1,218 @@
-+# Maintainer: Andreas Radke <andyrtr@archlinux.org>
-+
-+pkgbase=linux-lts
-+pkgver=5.15.46
-+pkgrel=1
-+pkgdesc='LTS Linux'
-+url="https://www.kernel.org/"
-+arch=(x86_64)
-+license=(GPL2)
-+makedepends=(
-+  bc libelf pahole cpio perl tar xz
-+  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick texlive-latexextra
-+)
-+options=('!strip')
-+_srcname=linux-$pkgver
-+source=(
-+  https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
-+  config         # the main kernel config file
-+  0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
-+  0002-PCI_Add_more_NVIDIA_controllers_to_the_MSI_masking_quirk.patch
-+  0003-iommu_intel_do_deep_dma-unmapping_to_avoid_kernel-flooding.patch
-+  0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
-+  0005-lg-laptop_Recognize_more_models.patch
-+  0006_fix_NFSv4_mount_regression.diff
-+)
-+validpgpkeys=(
-+  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
-+  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
-+)
-+# https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-+sha256sums=('eb455746779bb79533e6c1afcd0d5e8ad2295898b786f47d718f087a3d07376b'
-+            'SKIP'
-+            '35b54c38a302a957d3cabebbe74f231da43b52f033c302e1813a33fad401e41c'
-+            '99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423'
-+            'c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706'
-+            '7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e'
-+            '3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4'
-+            '79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78'
-+            'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f')
-+
-+export KBUILD_BUILD_HOST=archlinux
-+export KBUILD_BUILD_USER=$pkgbase
-+export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
-+
-+prepare() {
-+  cd $_srcname
-+
-+  # fix NFSv4 mounting issue regression - FS#73838 / FS#73860
-+  # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=6f2836341d8a39e1e000572b10959347d7e61fd9
-+  patch -Rp1 -i ../0006_fix_NFSv4_mount_regression.diff
-+
-+  echo "Setting version..."
-+  scripts/setlocalversion --save-scmversion
-+  echo "-$pkgrel" > localversion.10-pkgrel
-+  echo "${pkgbase#linux}" > localversion.20-pkgname
-+
-+  local src
-+  for src in "${source[@]}"; do
-+    src="${src%%::*}"
-+    src="${src##*/}"
-+    [[ $src = *.patch ]] || continue
-+    echo "Applying patch $src..."
-+    patch -Np1 < "../$src"
-+  done
-+
-+  echo "Setting config..."
-+  cp ../config .config
-+  make olddefconfig
-+#  diff -u ../config .config || :
-+#return 1
-+  make -s kernelrelease > version
-+  echo "Prepared $pkgbase version $(<version)"
-+}
-+
-+build() {
-+  cd $_srcname
-+  make all
-+  make htmldocs
-+}
-+
-+_package() {
-+  pkgdesc="The $pkgdesc kernel and modules"
-+  depends=(coreutils kmod initramfs)
-+  optdepends=('wireless-regdb: to set the correct wireless channels of your country'
-+              'linux-firmware: firmware images needed for some devices')
-+  provides=(VIRTUALBOX-GUEST-MODULES WIREGUARD-MODULE)
-+  replaces=(wireguard-lts)
-+
-+  cd $_srcname
-+  local kernver="$(<version)"
-+  local modulesdir="$pkgdir/usr/lib/modules/$kernver"
-+
-+  echo "Installing boot image..."
-+  # systemd expects to find the kernel here to allow hibernation
-+  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
-+  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
-+
-+  # Used by mkinitcpio to name the kernel
-+  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
-+
-+  echo "Installing modules..."
-+  make INSTALL_MOD_PATH="$pkgdir/usr" INSTALL_MOD_STRIP=1 \
-+    DEPMOD=/doesnt/exist modules_install  # Suppress depmod
-+
-+  # remove build and source links
-+  rm "$modulesdir"/{source,build}
-+}
-+
-+_package-headers() {
-+  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"
-+  depends=(pahole)
-+
-+  cd $_srcname
-+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
-+
-+  echo "Installing build files..."
-+  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
-+    localversion.* version vmlinux
-+  install -Dt "$builddir/kernel" -m644 kernel/Makefile
-+  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
-+  cp -t "$builddir" -a scripts
-+
-+  # add objtool for external module building and enabled VALIDATION_STACK option
-+  install -Dt "$builddir/tools/objtool" tools/objtool/objtool
-+
-+  # add xfs and shmem for aufs building
-+  mkdir -p "$builddir"/{fs/xfs,mm}
-+
-+  echo "Installing headers..."
-+  cp -t "$builddir" -a include
-+  cp -t "$builddir/arch/x86" -a arch/x86/include
-+  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
-+
-+  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
-+  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
-+
-+  # https://bugs.archlinux.org/task/13146
-+  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
-+
-+  # https://bugs.archlinux.org/task/20402
-+  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
-+  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
-+  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
-+
-+  # https://bugs.archlinux.org/task/71392
-+  install -Dt "$builddir/drivers/iio/common/hid-sensors" -m644 drivers/iio/common/hid-sensors/*.h
-+
-+  echo "Installing KConfig files..."
-+  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
-+
-+  echo "Removing unneeded architectures..."
-+  local arch
-+  for arch in "$builddir"/arch/*/; do
-+    [[ $arch = */x86/ ]] && continue
-+    echo "Removing $(basename "$arch")"
-+    rm -r "$arch"
-+  done
-+
-+  echo "Removing documentation..."
-+  rm -r "$builddir/Documentation"
-+
-+  echo "Removing broken symlinks..."
-+  find -L "$builddir" -type l -printf 'Removing %P\n' -delete
-+
-+  echo "Removing loose objects..."
-+  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
-+
-+  echo "Stripping build tools..."
-+  local file
-+  while read -rd '' file; do
-+    case "$(file -bi "$file")" in
-+      application/x-sharedlib\;*)      # Libraries (.so)
-+        strip -v $STRIP_SHARED "$file" ;;
-+      application/x-archive\;*)        # Libraries (.a)
-+        strip -v $STRIP_STATIC "$file" ;;
-+      application/x-executable\;*)     # Binaries
-+        strip -v $STRIP_BINARIES "$file" ;;
-+      application/x-pie-executable\;*) # Relocatable binaries
-+        strip -v $STRIP_SHARED "$file" ;;
-+    esac
-+  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
-+
-+  echo "Stripping vmlinux..."
-+  strip -v $STRIP_STATIC "$builddir/vmlinux"
-+
-+  echo "Adding symlink..."
-+  mkdir -p "$pkgdir/usr/src"
-+  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
-+}
-+
-+_package-docs() {
-+  pkgdesc="Documentation for the $pkgdesc kernel"
-+
-+  cd $_srcname
-+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
-+
-+  echo "Installing documentation..."
-+  local src dst
-+  while read -rd '' src; do
-+    dst="${src#Documentation/}"
-+    dst="$builddir/Documentation/${dst#output/}"
-+    install -Dm644 "$src" "$dst"
-+  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)
-+
-+  echo "Adding symlink..."
-+  mkdir -p "$pkgdir/usr/share/doc"
-+  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
-+}
-+
-+pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
-+for _p in "${pkgname[@]}"; do
-+  eval "package_$_p() {
-+    $(declare -f "_package${_p#$pkgbase}")
-+    _package${_p#$pkgbase}
-+  }"
-+done
-+
-+# vim:set ts=8 sts=2 sw=2 et:
-scan for systemd ipv6 service & socket
-##### systemd crap in new PKGBUILD ###
-  # systemd expects to find the kernel here to allow hibernation
-  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344

linux-lts54/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch

@@ -0,0 +1,129 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
+ CLONE_NEWUSER
+
+Our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig            | 16 ++++++++++++++++
+ kernel/fork.c           | 15 +++++++++++++++
+ kernel/sysctl.c         | 12 ++++++++++++
+ kernel/user_namespace.c |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 96fc45d1b686..3bc58f03a2cd 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1084,6 +1084,22 @@ config USER_NS
+ 
+ 	  If unsure, say N.
+ 
++config USER_NS_UNPRIVILEGED
++	bool "Allow unprivileged users to create namespaces"
++	default y
++	depends on USER_NS
++	help
++	  When disabled, unprivileged users will not be able to create
++	  new namespaces. Allowing users to create their own namespaces
++	  has been part of several recent local privilege escalation
++	  exploits, so if you need user namespaces but are
++	  paranoid^Wsecurity-conscious you want to disable this.
++
++	  This setting can be overridden at runtime via the
++	  kernel.unprivileged_userns_clone sysctl.
++
++	  If unsure, say Y.
++
+ config PID_NS
+ 	bool "PID Namespaces"
+ 	default y
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 419fff8eb9e5..70da21e5c06a 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -106,6 +106,11 @@
+ 
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+ 
+ /*
+  * Minimum number of threads to boot the kernel
+@@ -1799,6 +1804,10 @@ static __latent_entropy struct task_struct *copy_process(
+ 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ 		return ERR_PTR(-EINVAL);
+ 
++	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++		if (!capable(CAP_SYS_ADMIN))
++			return ERR_PTR(-EPERM);
++
+ 	/*
+ 	 * Thread groups must share signals as well, and detached threads
+ 	 * can only be started up within the thread group.
+@@ -2859,6 +2868,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ 	if (unshare_flags & CLONE_NEWNS)
+ 		unshare_flags |= CLONE_FS;
+ 
++	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++		err = -EPERM;
++		if (!capable(CAP_SYS_ADMIN))
++			goto bad_unshare_out;
++	}
++
+ 	err = check_unshare_flags(unshare_flags);
+ 	if (err)
+ 		goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 70665934d53e..9797869ed829 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -110,6 +110,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -546,6 +549,15 @@ static struct ctl_table kern_table[] = {
+ 		.proc_handler	= proc_dointvec,
+ 	},
+ #endif
++#ifdef CONFIG_USER_NS
++	{
++		.procname	= "unprivileged_userns_clone",
++		.data		= &unprivileged_userns_clone,
++		.maxlen		= sizeof(int),
++		.mode		= 0644,
++		.proc_handler	= proc_dointvec,
++	},
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ 	{
+ 		.procname	= "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 8eadadc478f9..c36ecd19562c 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,13 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+ 
++/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
++int unprivileged_userns_clone;
++#endif
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+ 

linux-lts54/0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch

@@ -0,0 +1,689 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Wed, 15 Jul 2020 22:42:07 +0200
+Subject: [PATCH] virt: vbox: Add support for the new
+ VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES ioctl
+
+https://lore.kernel.org/patchwork/cover/1270301/
+
+Needed for https://bugs.archlinux.org/task/67253
+
+Squashed commit of the following:
+
+commit 0d7bec556896815f4920a5ed87339732c697175c
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:58 2020 +0200
+
+    virt: vbox: Fix some comments which talk about the "session spinlock"
+
+    The session lock is a mutex, not a spinlock, fix the comments to match.
+
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit fed91350029e0c3bf626bd55a148e766587ec439
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:57 2020 +0200
+
+    virt: vbox: Log unknown ioctl requests as error
+
+    Every now and then upstream adds new ioctls without notifying us,
+    log unknown ioctl requests as an error to catch these.
+
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit 245d06f4c1b8f84cde07d14c09296a4fe90a26f0
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:56 2020 +0200
+
+    virt: vbox: Add a few new vmmdev request types to the userspace whitelist
+
+    Upstream VirtualBox has defined and is using a few new request types for
+    vmmdev requests passed through /dev/vboxguest to the hypervisor.
+
+    Add the defines for these to vbox_vmmdev_types.h and add add them to the
+    whitelists of vmmdev requests which userspace is allowed to make.
+
+    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1789545
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit 2f24f5446915322bbbb1ccf4ee2297512feab942
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:55 2020 +0200
+
+    virt: vbox: Add support for the new VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES ioctl
+
+    Add support for the new VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES ioctl, this
+    is necessary for automatic resizing of the guest resolution to match the
+    VM-window size to work with the new VMSVGA virtual GPU which is now the
+    new default in VirtualBox.
+
+    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1789545
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit 2fc9822453e8dd215765cd2b28e5e6e26338829e
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:54 2020 +0200
+
+    virt: vbox: Add vbg_set_host_capabilities() helper function
+
+    Add vbg_set_host_capabilities() helper function,  this is a preparation
+    patch for adding support for the VBGL_IOCTL_GUEST_CAPS_ACQUIRE ioctl.
+
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit 1594daf929c8691849c00e49e4a1ed977048addc
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:53 2020 +0200
+
+    virt: vbox: Rename guest_caps struct members to set_guest_caps
+
+    Rename guest_caps[_tracker] struct members to set_guest_caps[_tracker]
+    this is a preparation patch for adding support for the
+    VBGL_IOCTL_GUEST_CAPS_ACQUIRE ioctl.
+
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit d7f3b7cec66d171cf5194ad37f647f4562da6ccc
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:52 2020 +0200
+
+    virt: vbox: Fix guest capabilities mask check
+
+    Check the passed in capabilities against VMMDEV_GUEST_CAPABILITIES_MASK
+    instead of against VMMDEV_EVENT_VALID_EVENT_MASK.
+    This tightens the allowed mask from 0x7ff to 0x7.
+
+    Fixes: 0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration")
+    Cc: stable@vger.kernel.org
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+
+commit f6694fa90e2183874def2d022d097795e2269a15
+Author: Hans de Goede <hdegoede@redhat.com>
+Date:   Thu Jul 9 14:08:51 2020 +0200
+
+    virt: vbox: Fix VBGL_IOCTL_VMMDEV_REQUEST_BIG and _LOG req numbers to match upstream
+
+    Until this commit the mainline kernel version (this version) of the
+    vboxguest module contained a bug where it defined
+    VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG using
+    _IOC(_IOC_READ | _IOC_WRITE, 'V', ...) instead of
+    _IO(V, ...) as the out of tree VirtualBox upstream version does.
+
+    Since the VirtualBox userspace bits are always built against VirtualBox
+    upstream's headers, this means that so far the mainline kernel version
+    of the vboxguest module has been failing these 2 ioctls with -ENOTTY.
+    I guess that VBGL_IOCTL_VMMDEV_REQUEST_BIG is never used causing us to
+    not hit that one and sofar the vboxguest driver has failed to actually
+    log any log messages passed it through VBGL_IOCTL_LOG.
+
+    This commit changes the VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG
+    defines to match the out of tree VirtualBox upstream vboxguest version,
+    while keeping compatibility with the old wrong request defines so as
+    to not break the kernel ABI in case someone has been using the old
+    request defines.
+
+    Fixes: f6ddd094f579 ("virt: Add vboxguest driver for Virtual Box Guest integration UAPI")
+    Cc: stable@vger.kernel.org
+    Acked-by: Arnd Bergmann <arnd@arndb.de>
+    Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ drivers/virt/vboxguest/vboxguest_core.c  | 266 +++++++++++++++++++----
+ drivers/virt/vboxguest/vboxguest_core.h  |  23 +-
+ drivers/virt/vboxguest/vboxguest_utils.c |   1 +
+ include/linux/vbox_utils.h               |   1 +
+ include/uapi/linux/vbox_vmmdev_types.h   |   3 +
+ include/uapi/linux/vboxguest.h           |  24 ++
+ 6 files changed, 269 insertions(+), 49 deletions(-)
+
+diff --git a/drivers/virt/vboxguest/vboxguest_core.c b/drivers/virt/vboxguest/vboxguest_core.c
+index 95bfdb8ac8a2..f449fc366cf3 100644
+--- a/drivers/virt/vboxguest/vboxguest_core.c
++++ b/drivers/virt/vboxguest/vboxguest_core.c
+@@ -558,7 +558,7 @@ static int vbg_reset_host_event_filter(struct vbg_dev *gdev,
+  * Changes the event filter mask for the given session.
+  *
+  * This is called in response to VBG_IOCTL_CHANGE_FILTER_MASK as well as to
+- * do session cleanup. Takes the session spinlock.
++ * do session cleanup. Takes the session mutex.
+  *
+  * Return: 0 or negative errno value.
+  * @gdev:			The Guest extension device.
+@@ -661,78 +661,205 @@ static int vbg_reset_host_capabilities(struct vbg_dev *gdev)
+ }
+ 
+ /**
+- * Sets the guest capabilities for a session. Takes the session spinlock.
++ * Set guest capabilities on the host.
++ * Must be called with gdev->session_mutex hold.
++ * Return: 0 or negative errno value.
++ * @gdev:			The Guest extension device.
++ * @session:			The session.
++ * @session_termination:	Set if we're called by the session cleanup code.
++ */
++static int vbg_set_host_capabilities(struct vbg_dev *gdev,
++				     struct vbg_session *session,
++				     bool session_termination)
++{
++	struct vmmdev_mask *req;
++	u32 caps;
++	int rc;
++
++	WARN_ON(!mutex_is_locked(&gdev->session_mutex));
++
++	caps = gdev->acquired_guest_caps | gdev->set_guest_caps_tracker.mask;
++
++	if (gdev->guest_caps_host == caps)
++		return 0;
++
++	/* On termination the requestor is the kernel, as we're cleaning up. */
++	req = vbg_req_alloc(sizeof(*req), VMMDEVREQ_SET_GUEST_CAPABILITIES,
++			    session_termination ? VBG_KERNEL_REQUEST :
++						  session->requestor);
++	if (!req) {
++		gdev->guest_caps_host = U32_MAX;
++		return -ENOMEM;
++	}
++
++	req->or_mask = caps;
++	req->not_mask = ~caps;
++	rc = vbg_req_perform(gdev, req);
++	vbg_req_free(req, sizeof(*req));
++
++	gdev->guest_caps_host = (rc >= 0) ? caps : U32_MAX;
++
++	return vbg_status_code_to_errno(rc);
++}
++
++/**
++ * Acquire (get exclusive access) guest capabilities for a session.
++ * Takes the session mutex.
++ * Return: 0 or negative errno value.
++ * @gdev:			The Guest extension device.
++ * @session:			The session.
++ * @flags:			Flags (VBGL_IOC_AGC_FLAGS_XXX).
++ * @or_mask:			The capabilities to add.
++ * @not_mask:			The capabilities to remove.
++ * @session_termination:	Set if we're called by the session cleanup code.
++ *				This tweaks the error handling so we perform
++ *				proper session cleanup even if the host
++ *				misbehaves.
++ */
++static int vbg_acquire_session_capabilities(struct vbg_dev *gdev,
++					    struct vbg_session *session,
++					    u32 or_mask, u32 not_mask,
++					    u32 flags, bool session_termination)
++{
++	unsigned long irqflags;
++	bool wakeup = false;
++	int ret = 0;
++
++	mutex_lock(&gdev->session_mutex);
++
++	if (gdev->set_guest_caps_tracker.mask & or_mask) {
++		vbg_err("%s error: cannot acquire caps which are currently set\n",
++			__func__);
++		ret = -EINVAL;
++		goto out;
++	}
++
++	/*
++	 * Mark any caps in the or_mask as now being in acquire-mode. Note
++	 * once caps are in acquire_mode they always stay in this mode.
++	 * This impacts event handling, so we take the event-lock.
++	 */
++	spin_lock_irqsave(&gdev->event_spinlock, irqflags);
++	gdev->acquire_mode_guest_caps |= or_mask;
++	spin_unlock_irqrestore(&gdev->event_spinlock, irqflags);
++
++	/* If we only have to switch the caps to acquire mode, we're done. */
++	if (flags & VBGL_IOC_AGC_FLAGS_CONFIG_ACQUIRE_MODE)
++		goto out;
++
++	not_mask &= ~or_mask; /* or_mask takes priority over not_mask */
++	not_mask &= session->acquired_guest_caps;
++	or_mask &= ~session->acquired_guest_caps;
++
++	if (or_mask == 0 && not_mask == 0)
++		goto out;
++
++	if (gdev->acquired_guest_caps & or_mask) {
++		ret = -EBUSY;
++		goto out;
++	}
++
++	gdev->acquired_guest_caps |= or_mask;
++	gdev->acquired_guest_caps &= ~not_mask;
++	/* session->acquired_guest_caps impacts event handling, take the lock */
++	spin_lock_irqsave(&gdev->event_spinlock, irqflags);
++	session->acquired_guest_caps |= or_mask;
++	session->acquired_guest_caps &= ~not_mask;
++	spin_unlock_irqrestore(&gdev->event_spinlock, irqflags);
++
++	ret = vbg_set_host_capabilities(gdev, session, session_termination);
++	/* Roll back on failure, unless it's session termination time. */
++	if (ret < 0 && !session_termination) {
++		gdev->acquired_guest_caps &= ~or_mask;
++		gdev->acquired_guest_caps |= not_mask;
++		spin_lock_irqsave(&gdev->event_spinlock, irqflags);
++		session->acquired_guest_caps &= ~or_mask;
++		session->acquired_guest_caps |= not_mask;
++		spin_unlock_irqrestore(&gdev->event_spinlock, irqflags);
++	}
++
++	/*
++	 * If we added a capability, check if that means some other thread in
++	 * our session should be unblocked because there are events pending
++	 * (the result of vbg_get_allowed_event_mask_for_session() may change).
++	 *
++	 * HACK ALERT! When the seamless support capability is added we generate
++	 *	a seamless change event so that the ring-3 client can sync with
++	 *	the seamless state.
++	 */
++	if (ret == 0 && or_mask != 0) {
++		spin_lock_irqsave(&gdev->event_spinlock, irqflags);
++
++		if (or_mask & VMMDEV_GUEST_SUPPORTS_SEAMLESS)
++			gdev->pending_events |=
++				VMMDEV_EVENT_SEAMLESS_MODE_CHANGE_REQUEST;
++
++		if (gdev->pending_events)
++			wakeup = true;
++
++		spin_unlock_irqrestore(&gdev->event_spinlock, irqflags);
++
++		if (wakeup)
++			wake_up(&gdev->event_wq);
++	}
++
++out:
++	mutex_unlock(&gdev->session_mutex);
++
++	return ret;
++}
++
++/**
++ * Sets the guest capabilities for a session. Takes the session mutex.
+  * Return: 0 or negative errno value.
+  * @gdev:			The Guest extension device.
+  * @session:			The session.
+  * @or_mask:			The capabilities to add.
+  * @not_mask:			The capabilities to remove.
+  * @session_termination:	Set if we're called by the session cleanup code.
+  *				This tweaks the error handling so we perform
+  *				proper session cleanup even if the host
+  *				misbehaves.
+  */
+ static int vbg_set_session_capabilities(struct vbg_dev *gdev,
+ 					struct vbg_session *session,
+ 					u32 or_mask, u32 not_mask,
+ 					bool session_termination)
+ {
+-	struct vmmdev_mask *req;
+ 	u32 changed, previous;
+-	int rc, ret = 0;
+-
+-	/*
+-	 * Allocate a request buffer before taking the spinlock, when
+-	 * the session is being terminated the requestor is the kernel,
+-	 * as we're cleaning up.
+-	 */
+-	req = vbg_req_alloc(sizeof(*req), VMMDEVREQ_SET_GUEST_CAPABILITIES,
+-			    session_termination ? VBG_KERNEL_REQUEST :
+-						  session->requestor);
+-	if (!req) {
+-		if (!session_termination)
+-			return -ENOMEM;
+-		/* Ignore allocation failure, we must do session cleanup. */
+-	}
++	int ret = 0;
+ 
+ 	mutex_lock(&gdev->session_mutex);
+ 
++	if (gdev->acquire_mode_guest_caps & or_mask) {
++		vbg_err("%s error: cannot set caps which are in acquire_mode\n",
++			__func__);
++		ret = -EBUSY;
++		goto out;
++	}
++
+ 	/* Apply the changes to the session mask. */
+-	previous = session->guest_caps;
+-	session->guest_caps |= or_mask;
+-	session->guest_caps &= ~not_mask;
++	previous = session->set_guest_caps;
++	session->set_guest_caps |= or_mask;
++	session->set_guest_caps &= ~not_mask;
+ 
+ 	/* If anything actually changed, update the global usage counters. */
+-	changed = previous ^ session->guest_caps;
++	changed = previous ^ session->set_guest_caps;
+ 	if (!changed)
+ 		goto out;
+ 
+-	vbg_track_bit_usage(&gdev->guest_caps_tracker, changed, previous);
+-	or_mask = gdev->guest_caps_tracker.mask;
++	vbg_track_bit_usage(&gdev->set_guest_caps_tracker, changed, previous);
+ 
+-	if (gdev->guest_caps_host == or_mask || !req)
+-		goto out;
+-
+-	gdev->guest_caps_host = or_mask;
+-	req->or_mask = or_mask;
+-	req->not_mask = ~or_mask;
+-	rc = vbg_req_perform(gdev, req);
+-	if (rc < 0) {
+-		ret = vbg_status_code_to_errno(rc);
+-
+-		/* Failed, roll back (unless it's session termination time). */
+-		gdev->guest_caps_host = U32_MAX;
+-		if (session_termination)
+-			goto out;
+-
+-		vbg_track_bit_usage(&gdev->guest_caps_tracker, changed,
+-				    session->guest_caps);
+-		session->guest_caps = previous;
++	ret = vbg_set_host_capabilities(gdev, session, session_termination);
++	/* Roll back on failure, unless it's session termination time. */
++	if (ret < 0 && !session_termination) {
++		vbg_track_bit_usage(&gdev->set_guest_caps_tracker, changed,
++				    session->set_guest_caps);
++		session->set_guest_caps = previous;
+ 	}
+ 
+ out:
+ 	mutex_unlock(&gdev->session_mutex);
+-	vbg_req_free(req, sizeof(*req));
+ 
+ 	return ret;
+ }
+@@ -948,6 +1075,7 @@ void vbg_core_close_session(struct vbg_session *session)
+ 	struct vbg_dev *gdev = session->gdev;
+ 	int i, rc;
+ 
++	vbg_acquire_session_capabilities(gdev, session, 0, U32_MAX, 0, true);
+ 	vbg_set_session_capabilities(gdev, session, 0, U32_MAX, true);
+ 	vbg_set_session_event_filter(gdev, session, 0, U32_MAX, true);
+ 
+@@ -1005,31 +1133,52 @@ static int vbg_ioctl_driver_version_info(
+ 	return 0;
+ }
+ 
++/* Must be called with the event_lock held */
++static u32 vbg_get_allowed_event_mask_for_session(struct vbg_dev *gdev,
++						  struct vbg_session *session)
++{
++	u32 acquire_mode_caps = gdev->acquire_mode_guest_caps;
++	u32 session_acquired_caps = session->acquired_guest_caps;
++	u32 allowed_events = VMMDEV_EVENT_VALID_EVENT_MASK;
++
++	if ((acquire_mode_caps & VMMDEV_GUEST_SUPPORTS_GRAPHICS) &&
++	    !(session_acquired_caps & VMMDEV_GUEST_SUPPORTS_GRAPHICS))
++		allowed_events &= ~VMMDEV_EVENT_DISPLAY_CHANGE_REQUEST;
++
++	if ((acquire_mode_caps & VMMDEV_GUEST_SUPPORTS_SEAMLESS) &&
++	    !(session_acquired_caps & VMMDEV_GUEST_SUPPORTS_SEAMLESS))
++		allowed_events &= ~VMMDEV_EVENT_SEAMLESS_MODE_CHANGE_REQUEST;
++
++	return allowed_events;
++}
++
+ static bool vbg_wait_event_cond(struct vbg_dev *gdev,
+ 				struct vbg_session *session,
+ 				u32 event_mask)
+ {
+ 	unsigned long flags;
+ 	bool wakeup;
+ 	u32 events;
+ 
+ 	spin_lock_irqsave(&gdev->event_spinlock, flags);
+ 
+ 	events = gdev->pending_events & event_mask;
++	events &= vbg_get_allowed_event_mask_for_session(gdev, session);
+ 	wakeup = events || session->cancel_waiters;
+ 
+ 	spin_unlock_irqrestore(&gdev->event_spinlock, flags);
+ 
+ 	return wakeup;
+ }
+ 
+ /* Must be called with the event_lock held */
+ static u32 vbg_consume_events_locked(struct vbg_dev *gdev,
+ 				     struct vbg_session *session,
+ 				     u32 event_mask)
+ {
+ 	u32 events = gdev->pending_events & event_mask;
+ 
++	events &= vbg_get_allowed_event_mask_for_session(gdev, session);
+ 	gdev->pending_events &= ~events;
+ 	return events;
+ }
+@@ -1149,7 +1298,9 @@ static int vbg_req_allowed(struct vbg_dev *gdev, struct vbg_session *session,
+ 	case VMMDEVREQ_VIDEO_ACCEL_ENABLE:
+ 	case VMMDEVREQ_VIDEO_ACCEL_FLUSH:
+ 	case VMMDEVREQ_VIDEO_SET_VISIBLE_REGION:
++	case VMMDEVREQ_VIDEO_UPDATE_MONITOR_POSITIONS:
+ 	case VMMDEVREQ_GET_DISPLAY_CHANGE_REQEX:
++	case VMMDEVREQ_GET_DISPLAY_CHANGE_REQ_MULTI:
+ 	case VMMDEVREQ_GET_SEAMLESS_CHANGE_REQ:
+ 	case VMMDEVREQ_GET_VRDPCHANGE_REQ:
+ 	case VMMDEVREQ_LOG_STRING:
+@@ -1431,27 +1582,50 @@ static int vbg_ioctl_change_filter_mask(struct vbg_dev *gdev,
+ 					    false);
+ }
+ 
++static int vbg_ioctl_acquire_guest_capabilities(struct vbg_dev *gdev,
++	     struct vbg_session *session,
++	     struct vbg_ioctl_acquire_guest_caps *caps)
++{
++	u32 flags, or_mask, not_mask;
++
++	if (vbg_ioctl_chk(&caps->hdr, sizeof(caps->u.in), 0))
++		return -EINVAL;
++
++	flags = caps->u.in.flags;
++	or_mask = caps->u.in.or_mask;
++	not_mask = caps->u.in.not_mask;
++
++	if (flags & ~VBGL_IOC_AGC_FLAGS_VALID_MASK)
++		return -EINVAL;
++
++	if ((or_mask | not_mask) & ~VMMDEV_GUEST_CAPABILITIES_MASK)
++		return -EINVAL;
++
++	return vbg_acquire_session_capabilities(gdev, session, or_mask,
++						not_mask, flags, false);
++}
++
+ static int vbg_ioctl_change_guest_capabilities(struct vbg_dev *gdev,
+ 	     struct vbg_session *session, struct vbg_ioctl_set_guest_caps *caps)
+ {
+ 	u32 or_mask, not_mask;
+ 	int ret;
+ 
+ 	if (vbg_ioctl_chk(&caps->hdr, sizeof(caps->u.in), sizeof(caps->u.out)))
+ 		return -EINVAL;
+ 
+ 	or_mask = caps->u.in.or_mask;
+ 	not_mask = caps->u.in.not_mask;
+ 
+ 	if ((or_mask | not_mask) & ~VMMDEV_GUEST_CAPABILITIES_MASK)
+ 		return -EINVAL;
+ 
+ 	ret = vbg_set_session_capabilities(gdev, session, or_mask, not_mask,
+ 					   false);
+ 	if (ret)
+ 		return ret;
+ 
+-	caps->u.out.session_caps = session->guest_caps;
++	caps->u.out.session_caps = session->set_guest_caps;
+ 	caps->u.out.global_caps = gdev->guest_caps_host;
+ 
+ 	return 0;
+@@ -1540,29 +1714,31 @@ int vbg_core_ioctl(struct vbg_session *session, unsigned int req, void *data)
+ 		return vbg_ioctl_interrupt_all_wait_events(gdev, session, data);
+ 	case VBG_IOCTL_CHANGE_FILTER_MASK:
+ 		return vbg_ioctl_change_filter_mask(gdev, session, data);
++	case VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES:
++		return vbg_ioctl_acquire_guest_capabilities(gdev, session, data);
+ 	case VBG_IOCTL_CHANGE_GUEST_CAPABILITIES:
+ 		return vbg_ioctl_change_guest_capabilities(gdev, session, data);
+ 	case VBG_IOCTL_CHECK_BALLOON:
+ 		return vbg_ioctl_check_balloon(gdev, data);
+ 	case VBG_IOCTL_WRITE_CORE_DUMP:
+ 		return vbg_ioctl_write_core_dump(gdev, session, data);
+ 	}
+ 
+ 	/* Variable sized requests. */
+ 	switch (req_no_size) {
+ #ifdef CONFIG_COMPAT
+ 	case VBG_IOCTL_HGCM_CALL_32(0):
+ 		f32bit = true;
+ #endif
+ 		/* Fall through */
+ 	case VBG_IOCTL_HGCM_CALL(0):
+ 		return vbg_ioctl_hgcm_call(gdev, session, f32bit, data);
+ 	case VBG_IOCTL_LOG(0):
+ 	case VBG_IOCTL_LOG_ALT(0):
+ 		return vbg_ioctl_log(data);
+ 	}
+ 
+-	vbg_debug("VGDrvCommonIoCtl: Unknown req %#08x\n", req);
++	vbg_err_ratelimited("Userspace made an unknown ioctl req %#08x\n", req);
+ 	return -ENOTTY;
+ }
+ 
+diff --git a/drivers/virt/vboxguest/vboxguest_core.h b/drivers/virt/vboxguest/vboxguest_core.h
+index 77c3a9c8255d..ab4bf64e2cec 100644
+--- a/drivers/virt/vboxguest/vboxguest_core.h
++++ b/drivers/virt/vboxguest/vboxguest_core.h
+@@ -118,11 +118,21 @@ struct vbg_dev {
+ 	u32 event_filter_host;
+ 
+ 	/**
+-	 * Usage counters for guest capabilities. Indexed by capability bit
++	 * Guest capabilities which have been switched to acquire_mode.
++	 */
++	u32 acquire_mode_guest_caps;
++	/**
++	 * Guest capabilities acquired by vbg_acquire_session_capabilities().
++	 * Only one session can acquire a capability at a time.
++	 */
++	u32 acquired_guest_caps;
++	/**
++	 * Usage counters for guest capabilities requested through
++	 * vbg_set_session_capabilities(). Indexed by capability bit
+ 	 * number, one count per session using a capability.
+ 	 * Protected by session_mutex.
+ 	 */
+-	struct vbg_bit_usage_tracker guest_caps_tracker;
++	struct vbg_bit_usage_tracker set_guest_caps_tracker;
+ 	/**
+ 	 * The guest capabilities last reported to the host (or UINT32_MAX).
+ 	 * Protected by session_mutex.
+@@ -164,11 +174,16 @@ struct vbg_session {
+ 	 */
+ 	u32 event_filter;
+ 	/**
+-	 * Guest capabilities for this session.
++	 * Guest capabilities acquired by vbg_acquire_session_capabilities().
++	 * Only one session can acquire a capability at a time.
++	 */
++	u32 acquired_guest_caps;
++	/**
++	 * Guest capabilities set through vbg_set_session_capabilities().
+ 	 * A capability claimed by any guest session will be reported to the
+ 	 * host. Protected by vbg_gdev.session_mutex.
+ 	 */
+-	u32 guest_caps;
++	u32 set_guest_caps;
+ 	/** VMMDEV_REQUESTOR_* flags */
+ 	u32 requestor;
+ 	/** Set on CANCEL_ALL_WAITEVENTS, protected by vbg_devevent_spinlock. */
+diff --git a/drivers/virt/vboxguest/vboxguest_utils.c b/drivers/virt/vboxguest/vboxguest_utils.c
+index 43c391626a00..b6fd06eb015e 100644
+--- a/drivers/virt/vboxguest/vboxguest_utils.c
++++ b/drivers/virt/vboxguest/vboxguest_utils.c
+@@ -58,6 +58,7 @@ EXPORT_SYMBOL(name)
+ VBG_LOG(vbg_info, pr_info);
+ VBG_LOG(vbg_warn, pr_warn);
+ VBG_LOG(vbg_err, pr_err);
++VBG_LOG(vbg_err_ratelimited, pr_err_ratelimited);
+ #if defined(DEBUG) && !defined(CONFIG_DYNAMIC_DEBUG)
+ VBG_LOG(vbg_debug, pr_debug);
+ #endif
+diff --git a/include/linux/vbox_utils.h b/include/linux/vbox_utils.h
+index ff56c443180c..db8a7d118093 100644
+--- a/include/linux/vbox_utils.h
++++ b/include/linux/vbox_utils.h
+@@ -16,6 +16,7 @@ struct vbg_dev;
+ __printf(1, 2) void vbg_info(const char *fmt, ...);
+ __printf(1, 2) void vbg_warn(const char *fmt, ...);
+ __printf(1, 2) void vbg_err(const char *fmt, ...);
++__printf(1, 2) void vbg_err_ratelimited(const char *fmt, ...);
+ 
+ /* Only use backdoor logging for non-dynamic debug builds */
+ #if defined(DEBUG) && !defined(CONFIG_DYNAMIC_DEBUG)
+diff --git a/include/uapi/linux/vbox_vmmdev_types.h b/include/uapi/linux/vbox_vmmdev_types.h
+index c27289fd619a..f8a8d6b3c521 100644
+--- a/include/uapi/linux/vbox_vmmdev_types.h
++++ b/include/uapi/linux/vbox_vmmdev_types.h
+@@ -63,6 +63,7 @@ enum vmmdev_request_type {
+ 	VMMDEVREQ_SET_GUEST_CAPABILITIES       = 56,
+ 	VMMDEVREQ_VIDEMODE_SUPPORTED2          = 57, /* since version 3.2.0 */
+ 	VMMDEVREQ_GET_DISPLAY_CHANGE_REQEX     = 80, /* since version 4.2.4 */
++	VMMDEVREQ_GET_DISPLAY_CHANGE_REQ_MULTI = 81,
+ 	VMMDEVREQ_HGCM_CONNECT                 = 60,
+ 	VMMDEVREQ_HGCM_DISCONNECT              = 61,
+ 	VMMDEVREQ_HGCM_CALL32                  = 62,
+@@ -92,6 +93,8 @@ enum vmmdev_request_type {
+ 	VMMDEVREQ_WRITE_COREDUMP               = 218,
+ 	VMMDEVREQ_GUEST_HEARTBEAT              = 219,
+ 	VMMDEVREQ_HEARTBEAT_CONFIGURE          = 220,
++	VMMDEVREQ_NT_BUG_CHECK                 = 221,
++	VMMDEVREQ_VIDEO_UPDATE_MONITOR_POSITIONS = 222,
+ 	/* Ensure the enum is a 32 bit data-type */
+ 	VMMDEVREQ_SIZEHACK                     = 0x7fffffff
+ };
+diff --git a/include/uapi/linux/vboxguest.h b/include/uapi/linux/vboxguest.h
+index f79d7abe27db..15125f6ec60d 100644
+--- a/include/uapi/linux/vboxguest.h
++++ b/include/uapi/linux/vboxguest.h
+@@ -257,6 +257,30 @@ VMMDEV_ASSERT_SIZE(vbg_ioctl_change_filter, 24 + 8);
+ 	_IOWR('V', 12, struct vbg_ioctl_change_filter)
+ 
+ 
++/** VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES data structure. */
++struct vbg_ioctl_acquire_guest_caps {
++	/** The header. */
++	struct vbg_ioctl_hdr hdr;
++	union {
++		struct {
++			/** Flags (VBGL_IOC_AGC_FLAGS_XXX). */
++			__u32 flags;
++			/** Capabilities to set (VMMDEV_GUEST_SUPPORTS_XXX). */
++			__u32 or_mask;
++			/** Capabilities to drop (VMMDEV_GUEST_SUPPORTS_XXX). */
++			__u32 not_mask;
++		} in;
++	} u;
++};
++VMMDEV_ASSERT_SIZE(vbg_ioctl_acquire_guest_caps, 24 + 12);
++
++#define VBGL_IOC_AGC_FLAGS_CONFIG_ACQUIRE_MODE		0x00000001
++#define VBGL_IOC_AGC_FLAGS_VALID_MASK			0x00000001
++
++#define VBG_IOCTL_ACQUIRE_GUEST_CAPABILITIES \
++	_IOWR('V', 13, struct vbg_ioctl_acquire_guest_caps)
++
++
+ /** VBG_IOCTL_CHANGE_GUEST_CAPABILITIES data structure. */
+ struct vbg_ioctl_set_guest_caps {
+ 	/** The header. */

linux-lts54/PKGBUILD

@@ -0,0 +1,211 @@
+#!/usr/bin/bash
+# JOBoRun		: Jwm OpenBox Obarun RUNit
+# Maintainer	: Joe Bo Run <joborun@disroot.org>
+# PkgSource		: url="https://gittea.disroot.org/joborun-pkg/jobcore/$pkgname"
+# Website		: https://pozol.eu
+#-----------------------------------------| DESCRIPTION |---------------------------------------
+
+pkgbase=linux-lts54
+pkgver=5.4.200
+pkgrel=01
+pkgdesc='LTS Linux 5.4  w/o zstd & ipv6'
+#url="https://www.kernel.org/"
+arch=(x86_64)
+makedepends=(
+  bc kmod libelf cpio perl tar xz
+  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick
+) # python-six 
+options=('!strip')
+_srcname=linux-$pkgver
+url="https://cdn.kernel.org/pub/linux/kernel"
+source=($url/v5.x/$_srcname.tar.{xz,sign}
+  config         # the main kernel config file
+  sha256sums
+  0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+  0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch
+  sphinx-workaround.patch)
+
+export KBUILD_BUILD_HOST=joborun
+export KBUILD_BUILD_USER=$pkgbase
+export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
+
+prepare() {
+  cd $_srcname
+
+  echo "Setting version... $pkgver"
+  scripts/setlocalversion --save-scmversion
+  echo "-$pkgrel" > localversion.10-pkgrel
+  echo "${pkgbase#linux}" > localversion.20-pkgname
+
+  local src
+  for src in "${source[@]}"; do
+    src="${src%%::*}"
+    src="${src##*/}"
+    [[ $src = *.patch ]] || continue
+    echo "Applying patch $src..."
+    patch -Np1 < "../$src"
+  done
+
+  echo "Setting joborunlinux config..."
+  cp ../config .config
+  make olddefconfig
+
+  make -s kernelrelease > version
+  echo "Prepared $pkgbase version $(<version)"
+}
+
+build() {
+  cd $_srcname
+  make all
+}
+##  make htmldocs
+
+_package() {
+  pkgdesc="The $pkgdesc kernel and modules w/o zstd ipv6 touchscreen"
+  depends=(coreutils kmod initramfs)
+  optdepends=('crda: to set the correct wireless channels of your country'
+              'linux-firmware: firmware images needed for some devices')
+  provides=(VIRTUALBOX-GUEST-MODULES WIREGUARD-MODULE)
+  replaces=(wireguard-lts)
+
+  cd $_srcname
+  local kernver="$(<version)"
+  local modulesdir="$pkgdir/usr/lib/modules/$kernver"
+
+  echo "Installing boot image..."
+  # systemd expects to find the kernel here to allow hibernation
+  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
+  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
+
+  # Used by mkinitcpio to name the kernel
+  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
+
+  echo "Installing modules..."
+  make INSTALL_MOD_PATH="$pkgdir/usr" INSTALL_MOD_STRIP=1 modules_install
+
+  # remove build and source links
+  rm "$modulesdir"/{source,build}
+}
+
+_package-headers() {
+  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"
+  depends=(pahole)
+
+  cd $_srcname
+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
+
+  echo "Installing build files..."
+  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
+    localversion.* version vmlinux
+  install -Dt "$builddir/kernel" -m644 kernel/Makefile
+  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
+  cp -t "$builddir" -a scripts
+
+  # add objtool for external module building and enabled VALIDATION_STACK option
+  install -Dt "$builddir/tools/objtool" tools/objtool/objtool
+
+  # add xfs and shmem for aufs building
+  mkdir -p "$builddir"/{fs/xfs,mm}
+
+  echo "Installing headers..."
+  cp -t "$builddir" -a include
+  cp -t "$builddir/arch/x86" -a arch/x86/include
+  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
+
+  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
+  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
+
+  # https://bugs.archlinux.org/task/13146
+  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
+
+  # https://bugs.archlinux.org/task/20402
+  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
+  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
+  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
+
+  echo "Installing KConfig files..."
+  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
+
+  echo "Removing unneeded architectures..."
+  local arch
+  for arch in "$builddir"/arch/*/; do
+    [[ $arch = */x86/ ]] && continue
+    echo "Removing $(basename "$arch")"
+    rm -r "$arch"
+  done
+
+  echo "Removing documentation..."
+  rm -r "$builddir/Documentation"
+
+  echo "Removing broken symlinks..."
+  find -L "$builddir" -type l -printf 'Removing %P\n' -delete
+
+  echo "Removing loose objects..."
+  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
+
+  echo "Stripping build tools..."
+  local file
+  while read -rd '' file; do
+    case "$(file -bi "$file")" in
+      application/x-sharedlib\;*)      # Libraries (.so)
+        strip -v $STRIP_SHARED "$file" ;;
+      application/x-archive\;*)        # Libraries (.a)
+        strip -v $STRIP_STATIC "$file" ;;
+      application/x-executable\;*)     # Binaries
+        strip -v $STRIP_BINARIES "$file" ;;
+      application/x-pie-executable\;*) # Relocatable binaries
+        strip -v $STRIP_SHARED "$file" ;;
+    esac
+  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
+
+  echo "Stripping vmlinux..."
+  strip -v $STRIP_STATIC "$builddir/vmlinux"
+
+  echo "Adding symlink..."
+  mkdir -p "$pkgdir/usr/src"
+  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
+}
+
+#_package-docs() {
+#  pkgdesc="Documentation for the $pkgdesc kernel"
+#
+#  cd $_srcname
+#  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
+#
+#  echo "Installing documentation..."
+#  local src dst
+#  while read -rd '' src; do
+#    dst="${src#Documentation/}"
+#    dst="$builddir/Documentation/${dst#output/}"
+#    install -Dm644 "$src" "$dst"
+#  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)
+#
+#  echo "Adding symlink..."
+#  mkdir -p "$pkgdir/usr/share/doc"
+#  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
+#}
+
+pkgname=("$pkgbase" "$pkgbase-headers") # "$pkgbase-docs")
+for _p in "${pkgname[@]}"; do
+  eval "package_$_p() {
+    $(declare -f "_package${_p#$pkgbase}")
+    _package${_p#$pkgbase}
+  }"
+done
+
+#---- license gpg-key sha256sums ----
+
+license=(GPL2)
+
+validpgpkeys=(ABAF11C65A2970B130ABE3C479BE3E4300411886  # Linus Torvalds
+	647F28654894E3BD457199BE38DBBDC86092693E) # Greg Kroah-Hartman
+
+# https://cdn.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
+
+sha256sums=(eae97c9bbf0228bef165be60283ec42cfc9531cea5c641aa3ba131f2125525b8 # linux-5.4.200.tar.xz
+	b9f32ec6525361da38d133048e1e98ab424cf9c0251a708f6b55c6ba91fe9e71 # linux-5.4.200.tar.sign
+	b1311e94cb105aafc5c4c3cc09096b23b83ce7a50b6e12a5ad44082f9fa17a05 # config
+	4ddf8dd1ebdb44af29df8fab575b3547543493eadfe85bb849ee9fad8d071b0d # sha256sums
+	b439f57b84bc98730c0265695abb92385ee4dcd35a5c00d4cb3d3155c75fb491 # 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+	4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5 # 0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch
+	b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e) # sphinx-workaround.patch

linux-lts54/PKGBUILD-aur

@@ -0,0 +1,201 @@
+# Maintainer: Jonathon Fernyhough <jonathon+m2x+dev>
+# Contributor: Andreas Radke <andyrtr@archlinux.org>
+
+pkgbase=linux-lts54
+pkgver=5.4.200
+pkgrel=1
+pkgdesc='LTS 5.4 Linux'
+url="https://www.kernel.org/"
+arch=(x86_64)
+license=(GPL2)
+makedepends=(
+  bc kmod libelf cpio perl tar xz
+  xmlto python-six python-sphinx python-sphinx_rtd_theme graphviz imagemagick
+)
+options=('!strip')
+_srcname=linux-$pkgver
+source=(
+  https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
+  config         # the main kernel config file
+  0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+  0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch
+  0003-Add-support-for-ZSTD-compressed-kernel.patch
+  sphinx-workaround.patch
+)
+validpgpkeys=(
+  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
+  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
+)
+# https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
+sha256sums=('eae97c9bbf0228bef165be60283ec42cfc9531cea5c641aa3ba131f2125525b8'
+            'SKIP'
+            'df3e11d360eb17fa6564a55ff05f14624c5ed8763a64cf0a9b9f4ebde5863412'
+            'b439f57b84bc98730c0265695abb92385ee4dcd35a5c00d4cb3d3155c75fb491'
+            '4fd74bb2a7101d700fba91806141339d8c9e46a14f8fc1fe276cfb68f1eec0f5'
+            '8b604b7dc447b5f1f6f0b6239d5dd3ec6a5336cba78ac6dcef8f3e59357bd8c0'
+            'b7c814c8183e4645947a6dcc3cbf80431de8a8fd4e895b780f9a5fd92f82cb8e')
+
+export KBUILD_BUILD_HOST=archlinux
+export KBUILD_BUILD_USER=$pkgbase
+export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"
+
+prepare() {
+  cd $_srcname
+
+  echo "Setting version..."
+  scripts/setlocalversion --save-scmversion
+  echo "-$pkgrel" > localversion.10-pkgrel
+  echo "${pkgbase#linux}" > localversion.20-pkgname
+
+  local src
+  for src in "${source[@]}"; do
+    src="${src%%::*}"
+    src="${src##*/}"
+    [[ $src = *.patch ]] || continue
+    echo "Applying patch $src..."
+    patch -Np1 < "../$src"
+  done
+
+  echo "Setting config..."
+  cp ../config .config
+  make olddefconfig
+
+  make -s kernelrelease > version
+  echo "Prepared $pkgbase version $(<version)"
+}
+
+build() {
+  cd $_srcname
+  make all
+  make htmldocs
+}
+
+_package() {
+  pkgdesc="The $pkgdesc kernel and modules"
+  depends=(coreutils kmod initramfs)
+  optdepends=('crda: to set the correct wireless channels of your country'
+              'linux-firmware: firmware images needed for some devices')
+  provides=(VIRTUALBOX-GUEST-MODULES)
+
+  cd $_srcname
+  local kernver="$(<version)"
+  local modulesdir="$pkgdir/usr/lib/modules/$kernver"
+
+  echo "Installing boot image..."
+  # systemd expects to find the kernel here to allow hibernation
+  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
+  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
+
+  # Used by mkinitcpio to name the kernel
+  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
+
+  echo "Installing modules..."
+  make INSTALL_MOD_PATH="$pkgdir/usr" modules_install
+
+  # remove build and source links
+  rm "$modulesdir"/{source,build}
+}
+
+_package-headers() {
+  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"
+
+  cd $_srcname
+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
+
+  echo "Installing build files..."
+  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
+    localversion.* version vmlinux
+  install -Dt "$builddir/kernel" -m644 kernel/Makefile
+  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
+  cp -t "$builddir" -a scripts
+
+  # add objtool for external module building and enabled VALIDATION_STACK option
+  install -Dt "$builddir/tools/objtool" tools/objtool/objtool
+
+  # add xfs and shmem for aufs building
+  mkdir -p "$builddir"/{fs/xfs,mm}
+
+  echo "Installing headers..."
+  cp -t "$builddir" -a include
+  cp -t "$builddir/arch/x86" -a arch/x86/include
+  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
+
+  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
+  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
+
+  # http://bugs.archlinux.org/task/13146
+  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
+
+  # http://bugs.archlinux.org/task/20402
+  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
+  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
+  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
+
+  echo "Installing KConfig files..."
+  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
+
+  echo "Removing unneeded architectures..."
+  local arch
+  for arch in "$builddir"/arch/*/; do
+    [[ $arch = */x86/ ]] && continue
+    echo "Removing $(basename "$arch")"
+    rm -r "$arch"
+  done
+
+  echo "Removing documentation..."
+  rm -r "$builddir/Documentation"
+
+  echo "Removing broken symlinks..."
+  find -L "$builddir" -type l -printf 'Removing %P\n' -delete
+
+  echo "Removing loose objects..."
+  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
+
+  echo "Stripping build tools..."
+  local file
+  while read -rd '' file; do
+    case "$(file -bi "$file")" in
+      application/x-sharedlib\;*)      # Libraries (.so)
+        strip -v $STRIP_SHARED "$file" ;;
+      application/x-archive\;*)        # Libraries (.a)
+        strip -v $STRIP_STATIC "$file" ;;
+      application/x-executable\;*)     # Binaries
+        strip -v $STRIP_BINARIES "$file" ;;
+      application/x-pie-executable\;*) # Relocatable binaries
+        strip -v $STRIP_SHARED "$file" ;;
+    esac
+  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
+
+  echo "Adding symlink..."
+  mkdir -p "$pkgdir/usr/src"
+  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
+}
+
+_package-docs() {
+  pkgdesc="Documentation for the $pkgdesc kernel"
+
+  cd $_srcname
+  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
+
+  echo "Installing documentation..."
+  local src dst
+  while read -rd '' src; do
+    dst="${src#Documentation/}"
+    dst="$builddir/Documentation/${dst#output/}"
+    install -Dm644 "$src" "$dst"
+  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)
+
+  echo "Adding symlink..."
+  mkdir -p "$pkgdir/usr/share/doc"
+  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
+}
+
+pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
+for _p in "${pkgname[@]}"; do
+  eval "package_$_p() {
+    $(declare -f "_package${_p#$pkgbase}")
+    _package${_p#$pkgbase}
+  }"
+done
+
+# vim:set ts=8 sts=2 sw=2 et:

linux-lts54/clean

@@ -0,0 +1 @@
+rm -rf {src,pkg,linux-5.4*.tar.*}

linux-lts54/deps

@@ -0,0 +1,11 @@
+bc
+pahole
+cpio
+xmlto
+python-sphinx
+python-sphinx_rtd_theme
+graphviz
+imagemagick
+bison
+python-six
+

linux-lts54/key

@@ -0,0 +1 @@
+gpg -v --recv-key 38DBBDC86092693E

linux-lts54/sphinx-workaround.patch

@@ -0,0 +1,15 @@
+diff --git i/Documentation/conf.py w/Documentation/conf.py
+index a8fe845832bc..2dae2e830c26 100644
+--- i/Documentation/conf.py
++++ w/Documentation/conf.py
+@@ -36,8 +36,8 @@ needs_sphinx = '1.3'
+ # Add any Sphinx extension module names here, as strings. They can be
+ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+ # ones.
+-extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain',
+-              'kfigure', 'sphinx.ext.ifconfig', 'automarkup']
++extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include',
++              'kfigure', 'sphinx.ext.ifconfig']
+ 
+ # The name of the math extension changed on Sphinx 1.4
+ if (major == 1 and minor > 3) or (major > 1):

linux-lts54/sums

@@ -0,0 +1,7 @@
+    linux-5.4.200.tar.xz 
+    linux-5.4.200.tar.sign
+    config
+    sha256sums
+    0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+    0002-virt-vbox-Add-support-for-the-new-VBG_IOCTL_ACQUIRE_.patch
+    sphinx-workaround.patch 

linux-lts54/time

@@ -0,0 +1,4 @@
+
+real	81m58.624s
+user	277m0.813s
+sys	18m54.045s

nss/PKGBUILD

@@ -7,7 +7,7 @@
 
 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
-pkgver=3.79
+pkgver=3.80
 pkgrel=01
 pkgdesc="Network Security Services - zstd mandatory here!"
 # experiment without zstd
@@ -16,8 +16,7 @@ arch=(x86_64)
 depends=('nspr>=4.34' sqlite zlib sh 'p11-kit>=0.23.19')
 makedepends=(perl python gyp mercurial)
 #options=(debug) # uncomment this if you need to build the nss debug pkg
-_revision=3463596523bee515266f572dc73e6724e68f6afd
-
+_revision=9fb4de4bec24f23c7b5580d7c53607e432a4520d
 source=("hg+https://hg.mozilla.org/projects/nss#revision=$_revision"
         certdata2pem.py
 	bundle.sh)
@@ -109,4 +108,3 @@ sha256sums=(SKIP # nss
 	d2a1579dae05fd16175fac27ef08b54731ecefdf414085c610179afcf62b096c # certdata2pem.py
 	3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd) #  bundle.sh
 
-

nss/PKGBUILD-arch

@@ -3,7 +3,7 @@
 
 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
-pkgver=3.79
+pkgver=3.80
 pkgrel=1
 pkgdesc="Network Security Services"
 url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
@@ -12,7 +12,7 @@ license=(MPL GPL)
 depends=('nspr>=4.34' sqlite zlib sh 'p11-kit>=0.23.19')
 makedepends=(perl python gyp mercurial)
 options=(debug)
-_revision=3463596523bee515266f572dc73e6724e68f6afd
+_revision=9fb4de4bec24f23c7b5580d7c53607e432a4520d
 source=("hg+https://hg.mozilla.org/projects/nss#revision=$_revision"
         certdata2pem.py bundle.sh)
 sha256sums=('SKIP'