Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files')
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch418
1 files changed, 325 insertions, 93 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch
index 57be76d5..ce442fa8 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch
@@ -1,5 +1,5 @@
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index fea15cd49fbc..62bb46156795 100644
+index a19ae163c058..f4b0cb4456e6 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -509,16 +509,6 @@
@@ -97,11 +97,24 @@ index 8af3771a3ebf..5ae781e17da6 100644
tcp_slow_start_after_idle - BOOLEAN
If set, provide RFC2861 behavior and time out the congestion
window after an idle period. An idle period is defined at
+diff --git a/Makefile b/Makefile
+index 9b64ebcf4531..6aef436ab64e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -2,7 +2,7 @@
+ VERSION = 5
+ PATCHLEVEL = 4
+ SUBLEVEL = 122
+-EXTRAVERSION =
++EXTRAVERSION = -hardened1
+ NAME = Kleptomaniac Octopus
+
+ # *DOCUMENTATION*
diff --git a/arch/Kconfig b/arch/Kconfig
-index 84653a823d3b..77d70dc0769a 100644
+index a8df66e64544..1e5f5c8f7ae3 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
-@@ -660,7 +660,7 @@ config ARCH_MMAP_RND_BITS
+@@ -676,7 +676,7 @@ config ARCH_MMAP_RND_BITS
int "Number of bits to use for ASLR of mmap base address" if EXPERT
range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
@@ -110,7 +123,7 @@ index 84653a823d3b..77d70dc0769a 100644
depends on HAVE_ARCH_MMAP_RND_BITS
help
This value can be used to select the number of bits to use to
-@@ -694,7 +694,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+@@ -710,7 +710,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
@@ -119,7 +132,7 @@ index 84653a823d3b..77d70dc0769a 100644
depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
help
This value can be used to select the number of bits to use to
-@@ -913,6 +913,7 @@ config ARCH_HAS_REFCOUNT
+@@ -929,6 +929,7 @@ config ARCH_HAS_REFCOUNT
config REFCOUNT_FULL
bool "Perform full reference count validation at the expense of speed"
@@ -128,7 +141,7 @@ index 84653a823d3b..77d70dc0769a 100644
Enabling this switches the refcounting infrastructure from a fast
unchecked atomic_t implementation to a fully state checked
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index a0bc9bbb92f3..94eec74e4949 100644
+index 9c8ea5939865..71de5a508605 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1155,6 +1155,7 @@ config RODATA_FULL_DEFAULT_ENABLED
@@ -204,10 +217,10 @@ index b618017205a3..0a228dbcad65 100644
#ifdef __AARCH64EB__
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 8ef85139553f..e16076b30625 100644
+index 36a28b9e46cb..891160e4ac95 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1219,8 +1219,7 @@ config VM86
+@@ -1220,8 +1220,7 @@ config VM86
default X86_LEGACY_VM86
config X86_16BIT
@@ -217,7 +230,7 @@ index 8ef85139553f..e16076b30625 100644
depends on MODIFY_LDT_SYSCALL
---help---
This option is required by programs like Wine to run 16-bit
-@@ -2365,7 +2364,7 @@ config COMPAT_VDSO
+@@ -2366,7 +2365,7 @@ config COMPAT_VDSO
choice
prompt "vsyscall table for legacy applications"
depends on X86_64
@@ -226,7 +239,7 @@ index 8ef85139553f..e16076b30625 100644
help
Legacy user code that does not know how to find the vDSO expects
to be able to issue three syscalls by calling fixed addresses in
-@@ -2461,8 +2460,7 @@ config CMDLINE_OVERRIDE
+@@ -2462,8 +2461,7 @@ config CMDLINE_OVERRIDE
be set to 'N' under normal conditions.
config MODIFY_LDT_SYSCALL
@@ -404,7 +417,7 @@ index 6f66d841262d..b786e7cb395d 100644
native_write_cr4(cr4 ^ X86_CR4_PGE);
/* write old PGE again and flush TLBs */
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 8a85c2e144a6..4732605f4cc0 100644
+index f961a56e9da3..a9644573b14a 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1895,7 +1895,6 @@ void cpu_init(void)
@@ -579,7 +592,7 @@ index c7623f99ac0f..859c2782c8e2 100644
A pseudo terminal (PTY) is a software device consisting of two
halves: a master and a slave. The slave device behaves identical to
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 642765bf1023..703ad957528f 100644
+index cee7514c3aaf..2c41c4dd1516 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -173,6 +173,7 @@ static void free_tty_struct(struct tty_struct *tty)
@@ -618,20 +631,23 @@ index 642765bf1023..703ad957528f 100644
return tty;
}
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..a010a4a5830e 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 4d3de33885ff..4aa21cd2531a 100644
+index 6c89d714adb6..4b32b4c8b529 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
-@@ -45,6 +45,8 @@
- #define USB_TP_TRANSMISSION_DELAY 40 /* ns */
- #define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */
-
-+extern int deny_new_usb;
-+
- /* Protect struct usb_device->state and ->children members
- * Note: Both are also protected by ->dev.sem, except that ->state can
- * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
-@@ -5014,6 +5016,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+@@ -5014,6 +5014,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
goto done;
return;
}
@@ -644,11 +660,113 @@ index 4d3de33885ff..4aa21cd2531a 100644
if (hub_is_superspeed(hub->hdev))
unit_load = 150;
else
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..23cce3221518
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,47 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static int zero = 0;
++static int one = 1;
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = &zero,
++ .extra2 = &one,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index f16c26dc079d..cdf79ee2cdb3 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -73,6 +73,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -991,6 +994,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1025,6 +1031,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1048,6 +1056,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
diff --git a/fs/exec.c b/fs/exec.c
-index 2441eb1a1e2d..bd04325c9e2b 100644
+index 1b4d2206d53a..e206516c49c5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
-@@ -63,6 +63,7 @@
+@@ -33,6 +33,7 @@
+ #include <linux/swap.h>
+ #include <linux/string.h>
+ #include <linux/init.h>
++#include <linux/sched.h>
+ #include <linux/sched/mm.h>
+ #include <linux/sched/coredump.h>
+ #include <linux/sched/signal.h>
+@@ -63,6 +64,7 @@
#include <linux/oom.h>
#include <linux/compat.h>
#include <linux/vmalloc.h>
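Review bot: The new file drivers/usb/core/sysctl.c opens directly with `#include <linux/errno.h>` and carries no SPDX line, which checkpatch flags for every new kernel source file; `// SPDX-License-Identifier: GPL-2.0` as line 1 would match the rest of drivers/usb/core. The file-local `static int zero = 0; static int one = 1;` used as extra1/extra2 duplicate `SYSCTL_ZERO`/`SYSCTL_ONE`, which this same patch already uses for the tiocsti_restrict entry in kernel/sysctl.c, so `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` would be consistent and avoids two writable file-scope ints. In usb_init(), a failed `usb_init_sysctl()` now aborts the whole USB core initialisation via `goto sysctl_init_failed`; if that fail-hard behaviour is intended it deserves a one-line comment, since the tty sysctl in the same patch is registered through the static kern_table and cannot fail this way. With CONFIG_SYSCTL=n, `deny_new_usb` stays at its initialiser 0 with no way to set it, which may be fine but is worth a sentence in the usb.h comment.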
@@ -656,11 +774,11 @@ index 2441eb1a1e2d..bd04325c9e2b 100644
#include <linux/uaccess.h>
#include <asm/mmu_context.h>
-@@ -276,6 +277,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+@@ -276,6 +278,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
arch_bprm_mm_init(mm, vma);
up_write(&mm->mmap_sem);
bprm->p = vma->vm_end - sizeof(void *);
-+ if (randomize_va_space)
++ if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+ bprm->p ^= get_random_int() & ~PAGE_MASK;
return 0;
err:
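Review bot: The new condition `if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)` re-derives the randomisation decision from the personality bits instead of testing a task flag, and nothing in the hunk says why; as far as I can tell PF_RANDOMIZE is only set later by the ELF loader from this same expression, so it is not yet valid here in __bprm_mm_init(). A comment such as `/* PF_RANDOMIZE is not set until the binfmt loader runs; mirror its personality test here. */` above the check would stop a future cleanup from replacing it with `current->flags & PF_RANDOMIZE`. __bprm_mm_init() begins and ends outside the hunk.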
@@ -685,7 +803,7 @@ index 5b5759d70822..63ab73f6121c 100644
/**
* may_follow_link - Check symlink following for unsafe situations
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
-index e7dd07f47825..2b357b4355fd 100644
+index e84c187d942e..fdac5ca7f677 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -195,4 +195,3 @@ config NFS_DEBUG
@@ -816,10 +934,10 @@ index 6b64b6cc2175..fe1770732cf2 100644
static inline struct dccp_sock *dccp_sk(const struct sock *sk)
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 4c82683e034a..560901350ab5 100644
+index ef118b8ba699..2ae0bf808be8 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
-@@ -3632,4 +3632,15 @@ static inline int inode_drain_writes(struct inode *inode)
+@@ -3631,4 +3631,15 @@ static inline int inode_drain_writes(struct inode *inode)
return filemap_write_and_wait(inode->i_mapping);
}
@@ -929,7 +1047,7 @@ index 069aa2ebef90..cb9e3637a620 100644
const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 7249cf58f78d..3a45bb3a8f21 100644
+index 5565d11f9542..0802188c8daa 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -664,7 +664,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
@@ -1134,6 +1252,19 @@ index b2264355272d..2115131ba73f 100644
if (p_size == (size_t)-1 && q_size == (size_t)-1)
return __underlying_strcpy(p, q);
memcpy(p, q, strlen(q) + 1);
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 6df477329b76..ff3c700acbe9 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -58,6 +58,8 @@ extern int proc_dointvec_minmax(struct ctl_table *, int,
+ extern int proc_douintvec_minmax(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos);
++extern int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ extern int proc_dointvec_jiffies(struct ctl_table *, int,
+ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
diff --git a/include/linux/tty.h b/include/linux/tty.h
index eb33d948788c..116138eb394c 100644
--- a/include/linux/tty.h
@@ -1163,6 +1294,27 @@ index eb33d948788c..116138eb394c 100644
/* tty magic number */
#define TTY_MAGIC 0x5401
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index e656e7b4b1e4..48d450ba9191 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2015,6 +2015,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl.c */
++extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+ #endif /* __KERNEL__ */
+
+ #endif
diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
index 01a1334c5fc5..576e00382884 100644
--- a/include/linux/vmalloc.h
@@ -1198,7 +1350,7 @@ index 01a1334c5fc5..576e00382884 100644
extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags);
static inline void *__vmalloc_node_flags_caller(unsigned long size, int node,
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 377179283c46..3b4282e81fa8 100644
+index b914959cd2c6..419154fee6a2 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -242,6 +242,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
@@ -1210,10 +1362,10 @@ index 377179283c46..3b4282e81fa8 100644
#define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
#define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
diff --git a/init/Kconfig b/init/Kconfig
-index 96fc45d1b686..63aac6d6734c 100644
+index 4f9fd78e2200..1fc8302d56f2 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -346,6 +346,7 @@ config USELIB
+@@ -345,6 +345,7 @@ config USELIB
config AUDIT
bool "Auditing support"
depends on NET
@@ -1221,7 +1373,7 @@ index 96fc45d1b686..63aac6d6734c 100644
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
-@@ -1084,6 +1085,22 @@ config USER_NS
+@@ -1083,6 +1084,22 @@ config USER_NS
If unsure, say N.
@@ -1244,7 +1396,35 @@ index 96fc45d1b686..63aac6d6734c 100644
config PID_NS
bool "PID Namespaces"
default y
-@@ -1502,8 +1519,7 @@ config SHMEM
+@@ -1295,9 +1312,8 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+@@ -1326,14 +1342,13 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
+- default y
++ bool "Sysfs syscall support"
+ ---help---
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config SYSCTL_SYSCALL
+ bool "Sysctl syscall support" if EXPERT
+@@ -1501,8 +1516,7 @@ config SHMEM
which may be appropriate on small systems without swap.
config AIO
@@ -1254,7 +1434,7 @@ index 96fc45d1b686..63aac6d6734c 100644
help
This option enables POSIX asynchronous I/O which may by used
by some high performance threaded applications. Disabling
-@@ -1614,6 +1630,23 @@ config USERFAULTFD
+@@ -1613,6 +1627,23 @@ config USERFAULTFD
Enable the userfaultfd() system call that allows to intercept and
handle page faults in userland.
@@ -1278,7 +1458,7 @@ index 96fc45d1b686..63aac6d6734c 100644
config ARCH_HAS_MEMBARRIER_CALLBACKS
bool
-@@ -1726,7 +1759,7 @@ config VM_EVENT_COUNTERS
+@@ -1725,7 +1756,7 @@ config VM_EVENT_COUNTERS
config SLUB_DEBUG
default y
@@ -1287,7 +1467,7 @@ index 96fc45d1b686..63aac6d6734c 100644
depends on SLUB && SYSFS
help
SLUB has extensive debug support features. Disabling these can
-@@ -1750,7 +1783,6 @@ config SLUB_MEMCG_SYSFS_ON
+@@ -1749,7 +1780,6 @@ config SLUB_MEMCG_SYSFS_ON
config COMPAT_BRK
bool "Disable heap randomization"
@@ -1295,7 +1475,7 @@ index 96fc45d1b686..63aac6d6734c 100644
help
Randomizing heap placement makes heap exploits harder, but it
also breaks ancient binaries (including anything libc5 based).
-@@ -1797,7 +1829,6 @@ endchoice
+@@ -1796,7 +1826,6 @@ endchoice
config SLAB_MERGE_DEFAULT
bool "Allow slab caches to be merged"
@@ -1303,7 +1483,7 @@ index 96fc45d1b686..63aac6d6734c 100644
help
For reduced kernel memory fragmentation, slab caches can be
merged when they share the same size and other characteristics.
-@@ -1810,9 +1841,9 @@ config SLAB_MERGE_DEFAULT
+@@ -1809,9 +1838,9 @@ config SLAB_MERGE_DEFAULT
command line.
config SLAB_FREELIST_RANDOM
@@ -1314,7 +1494,7 @@ index 96fc45d1b686..63aac6d6734c 100644
help
Randomizes the freelist order used on creating new pages. This
security feature reduces the predictability of the kernel slab
-@@ -1821,12 +1852,30 @@ config SLAB_FREELIST_RANDOM
+@@ -1820,12 +1849,30 @@ config SLAB_FREELIST_RANDOM
config SLAB_FREELIST_HARDENED
bool "Harden slab freelist metadata"
depends on SLUB
@@ -1403,7 +1583,7 @@ index 1444f3954d75..8cc9dd7992f2 100644
/**
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9f7c2da99299..e917f4c3fa83 100644
+index ec1add9e7f3a..917f5f3da06a 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -404,8 +404,13 @@ static cpumask_var_t perf_online_mask;
@@ -1431,7 +1611,7 @@ index 9f7c2da99299..e917f4c3fa83 100644
if (err)
return err;
diff --git a/kernel/fork.c b/kernel/fork.c
-index 419fff8eb9e5..70da21e5c06a 100644
+index 50f37d5afb32..47ccbe911d65 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -106,6 +106,11 @@
@@ -1484,10 +1664,10 @@ index 477b4eb44af5..db28cc3fd301 100644
struct rcu_head *next, *list;
unsigned long flags;
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index 1b1d2b09efa9..64c74cc05cf7 100644
+index 4dfa9dd47223..4263b6181c29 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
-@@ -2382,7 +2382,7 @@ static __latent_entropy void rcu_core(void)
+@@ -2388,7 +2388,7 @@ static __latent_entropy void rcu_core(void)
trace_rcu_utilization(TPS("End RCU core"));
}
@@ -1497,10 +1677,10 @@ index 1b1d2b09efa9..64c74cc05cf7 100644
rcu_core();
}
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 3dd7c10d6a58..a1e019026c7f 100644
+index 092aa5e47251..a2f1b57a2ad6 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
-@@ -9968,7 +9968,7 @@ int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+@@ -9972,7 +9972,7 @@ int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
* run_rebalance_domains is triggered when needed from the scheduler tick.
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
*/
@@ -1570,28 +1750,20 @@ index 0427a86743a4..5e6a9b4ccb41 100644
void tasklet_init(struct tasklet_struct *t,
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 70665934d53e..8ea67d08b926 100644
+index eae6a078619f..f4944948f015 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
-@@ -68,6 +68,7 @@
- #include <linux/bpf.h>
- #include <linux/mount.h>
- #include <linux/userfaultfd_k.h>
+@@ -100,6 +100,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#if defined CONFIG_TTY
+#include <linux/tty.h>
++#endif
- #include "../lib/kstrtox.h"
-
-@@ -104,12 +105,19 @@
#if defined(CONFIG_SYSCTL)
- /* External variables not in a header file. */
-+#if IS_ENABLED(CONFIG_USB)
-+int deny_new_usb __read_mostly = 0;
-+EXPORT_SYMBOL(deny_new_usb);
-+#endif
- extern int suid_dumpable;
- #ifdef CONFIG_COREDUMP
- extern int core_uses_pid;
+@@ -110,6 +113,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
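Review bot: The new guard `#if defined CONFIG_TTY` around the tty.h include (and again around the tiocsti_restrict kern_table entry further down this file) uses a form the rest of kernel/sysctl.c does not; the surrounding guards are `#ifdef CONFIG_LOCKUP_DETECTOR` / `#ifdef CONFIG_COREDUMP`, so `#ifdef CONFIG_TTY` would match and checkpatch prefers it. Moving the `deny_new_usb` definition out of this file's `#if defined(CONFIG_SYSCTL)` block into usb.c is the right direction, since the hub.c check must compile regardless of CONFIG_SYSCTL.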
@@ -1601,7 +1773,7 @@ index 70665934d53e..8ea67d08b926 100644
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -121,32 +129,32 @@ extern int sysctl_nr_trim_pages;
+@@ -121,32 +127,32 @@ extern int sysctl_nr_trim_pages;
/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
@@ -1649,7 +1821,7 @@ index 70665934d53e..8ea67d08b926 100644
static const int cap_last_cap = CAP_LAST_CAP;
/*
-@@ -154,9 +162,12 @@ static const int cap_last_cap = CAP_LAST_CAP;
+@@ -154,9 +160,12 @@ static const int cap_last_cap = CAP_LAST_CAP;
* and hung_task_check_interval_secs
*/
#ifdef CONFIG_DETECT_HUNG_TASK
@@ -1663,7 +1835,19 @@ index 70665934d53e..8ea67d08b926 100644
#ifdef CONFIG_INOTIFY_USER
#include <linux/inotify.h>
#endif
-@@ -301,19 +312,19 @@ static struct ctl_table sysctl_base_table[] = {
+@@ -214,11 +223,6 @@ static int proc_taint(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+ #endif
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+- void __user *buffer, size_t *lenp, loff_t *ppos);
+-#endif
+-
+ static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+ #ifdef CONFIG_COREDUMP
+@@ -301,19 +305,19 @@ static struct ctl_table sysctl_base_table[] = {
};
#ifdef CONFIG_SCHED_DEBUG
@@ -1691,7 +1875,7 @@ index 70665934d53e..8ea67d08b926 100644
#endif
static struct ctl_table kern_table[] = {
-@@ -546,6 +557,15 @@ static struct ctl_table kern_table[] = {
+@@ -546,6 +550,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
@@ -1707,11 +1891,10 @@ index 70665934d53e..8ea67d08b926 100644
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
-@@ -901,6 +921,37 @@ static struct ctl_table kern_table[] = {
- .extra1 = SYSCTL_ZERO,
+@@ -902,6 +915,26 @@ static struct ctl_table kern_table[] = {
.extra2 = &two,
},
-+#endif
+ #endif
+#if defined CONFIG_TTY
+ {
+ .procname = "tiocsti_restrict",
@@ -1732,24 +1915,73 @@ index 70665934d53e..8ea67d08b926 100644
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
-+#if IS_ENABLED(CONFIG_USB)
-+ {
-+ .procname = "deny_new_usb",
-+ .data = &deny_new_usb,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec_minmax_sysadmin,
-+ .extra1 = SYSCTL_ZERO,
-+ .extra2 = SYSCTL_ONE,
-+ },
- #endif
{
.procname = "ngroups_max",
+ .data = &ngroups_max,
+@@ -2636,8 +2669,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -2645,7 +2697,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -3343,6 +3394,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3423,6 +3480,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
-index 7f31932216a1..9ede224fc81f 100644
+index 1f3e3a17f67e..72589694911f 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
-@@ -1583,7 +1583,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+@@ -1601,7 +1601,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
}
}
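Review bot: The new kerneldoc sentence "Writing is only allowed when root has CAP_SYS_ADMIN." misdescribes the check on the next lines, which is `capable(CAP_SYS_ADMIN)` on the writing task and has nothing to do with uid 0; `Writing is only allowed when the calling task has CAP_SYS_ADMIN.` states the actual contract, which matters now that the handler is exported for other subsystems to reuse. The export is `EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin)` while the adjacent `proc_douintvec_minmax` is `EXPORT_SYMBOL_GPL`; whichever is intended, the choice is worth a word in the commit message. The `-ENOSYS` stub for the !CONFIG_PROC_SYSCTL build also differs from the real definition in its `buffer` parameter type, as noted at the include/linux/sysctl.h hunk.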
@@ -1874,7 +2106,7 @@ index 0c6d17503a11..9e8c12dc2c67 100644
enum kobj_ns_type type = ops->type;
int error;
diff --git a/lib/nlattr.c b/lib/nlattr.c
-index cace9b307781..39ba1387045d 100644
+index 0d84f79cb4b5..6b8f8be2283c 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -571,6 +571,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
@@ -1932,7 +2164,7 @@ index ba78f1f1b1bd..a47c237bdba8 100644
mm->brk = brk;
goto success;
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 1c869c6b825f..48d1abb3ae18 100644
+index 4357f5475a50..724fb8cace08 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -69,6 +69,7 @@
@@ -2132,7 +2364,7 @@ index e36dd36c7076..94cb3eed189c 100644
static int __init setup_slab_nomerge(char *str)
{
diff --git a/mm/slub.c b/mm/slub.c
-index f41414571c9e..8b973b283e66 100644
+index 52ded855b4ed..d7d59072b3ff 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -125,6 +125,12 @@ static inline int kmem_cache_debug(struct kmem_cache *s)
@@ -2468,7 +2700,7 @@ index ab358c64bbd3..afb474c171f7 100644
unsigned long arch_mmap_rnd(void)
diff --git a/net/core/dev.c b/net/core/dev.c
-index 20c7fd7b8b4b..9a187de240b7 100644
+index a30878346f54..52144816209a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4474,7 +4474,7 @@ int netif_rx_ni(struct sk_buff *skb)
@@ -2480,7 +2712,7 @@ index 20c7fd7b8b4b..9a187de240b7 100644
{
struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-@@ -6349,7 +6349,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+@@ -6351,7 +6351,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
return work;
}
@@ -2757,7 +2989,7 @@ index c83a5d05aeaa..51f464d6747a 100644
};
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 54fd6bc5adcc..37fe5c61bd17 100644
+index a1768ded2d54..8c055cd254de 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -81,6 +81,7 @@
@@ -2768,7 +3000,7 @@ index 54fd6bc5adcc..37fe5c61bd17 100644
#define FLAG_DATA 0x01 /* Incoming frame contained data. */
#define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
-@@ -6051,7 +6052,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -6056,7 +6057,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
tcp_paws_reject(&tp->rx_opt, 0))
goto discard_and_undo;
@@ -2806,7 +3038,7 @@ index e3569543bdac..55cc439b3bc6 100644
secure!
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 52f1152c9838..74a88a1b6dc0 100644
+index 13cda6aa2688..970c6134c6d4 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -36,6 +36,8 @@ static int warn_unresolved = 0;
@@ -3084,7 +3316,7 @@ index 5711689deb6a..fab0cb896907 100644
-
- If you are unsure how to answer this question, answer 0.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 212f48025db8..01c4ce80f402 100644
+index 717a398ef4d0..f8cedc7e809e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -135,18 +135,7 @@ static int __init selinux_enabled_setup(char *str)