Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files')
-rw-r--r-- | sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch | 418 |
1 files changed, 325 insertions, 93 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch index 57be76d5..ce442fa8 100644 --- a/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch +++ b/sys-kernel/linux-image-redcore-lts-legacy/files/5.4-linux-hardened.patch @@ -1,5 +1,5 @@ diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index fea15cd49fbc..62bb46156795 100644 +index a19ae163c058..f4b0cb4456e6 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -509,16 +509,6 @@ @@ -97,11 +97,24 @@ index 8af3771a3ebf..5ae781e17da6 100644 tcp_slow_start_after_idle - BOOLEAN If set, provide RFC2861 behavior and time out the congestion window after an idle period. An idle period is defined at +diff --git a/Makefile b/Makefile +index 9b64ebcf4531..6aef436ab64e 100644 +--- a/Makefile ++++ b/Makefile +@@ -2,7 +2,7 @@ + VERSION = 5 + PATCHLEVEL = 4 + SUBLEVEL = 122 +-EXTRAVERSION = ++EXTRAVERSION = -hardened1 + NAME = Kleptomaniac Octopus + + # *DOCUMENTATION* diff --git a/arch/Kconfig b/arch/Kconfig -index 84653a823d3b..77d70dc0769a 100644 +index a8df66e64544..1e5f5c8f7ae3 100644 --- a/arch/Kconfig +++ b/arch/Kconfig -@@ -660,7 +660,7 @@ config ARCH_MMAP_RND_BITS +@@ -676,7 +676,7 @@ config ARCH_MMAP_RND_BITS int "Number of bits to use for ASLR of mmap base address" if EXPERT range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT 
@@ -110,7 +123,7 @@ index 84653a823d3b..77d70dc0769a 100644 depends on HAVE_ARCH_MMAP_RND_BITS help This value can be used to select the number of bits to use to -@@ -694,7 +694,7 @@ config ARCH_MMAP_RND_COMPAT_BITS +@@ -710,7 +710,7 @@ config ARCH_MMAP_RND_COMPAT_BITS int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT @@ -119,7 +132,7 @@ index 84653a823d3b..77d70dc0769a 100644 depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS help This value can be used to select the number of bits to use to -@@ -913,6 +913,7 @@ config ARCH_HAS_REFCOUNT +@@ -929,6 +929,7 @@ config ARCH_HAS_REFCOUNT config REFCOUNT_FULL bool "Perform full reference count validation at the expense of speed" @@ -128,7 +141,7 @@ index 84653a823d3b..77d70dc0769a 100644 Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig -index a0bc9bbb92f3..94eec74e4949 100644 +index 9c8ea5939865..71de5a508605 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1155,6 +1155,7 @@ config RODATA_FULL_DEFAULT_ENABLED @@ -204,10 +217,10 @@ index b618017205a3..0a228dbcad65 100644 #ifdef __AARCH64EB__ diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 8ef85139553f..e16076b30625 100644 +index 36a28b9e46cb..891160e4ac95 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1219,8 +1219,7 @@ config VM86 +@@ -1220,8 +1220,7 @@ config VM86 default X86_LEGACY_VM86 config X86_16BIT @@ -217,7 +230,7 @@ index 8ef85139553f..e16076b30625 100644 depends on MODIFY_LDT_SYSCALL ---help--- This option is required by programs like Wine to run 16-bit -@@ -2365,7 +2364,7 @@ config COMPAT_VDSO +@@ -2366,7 +2365,7 @@ config COMPAT_VDSO choice prompt "vsyscall table for legacy applications" depends on X86_64 
@@ -226,7 +239,7 @@ index 8ef85139553f..e16076b30625 100644 help Legacy user code that does not know how to find the vDSO expects to be able to issue three syscalls by calling fixed addresses in -@@ -2461,8 +2460,7 @@ config CMDLINE_OVERRIDE +@@ -2462,8 +2461,7 @@ config CMDLINE_OVERRIDE be set to 'N' under normal conditions. config MODIFY_LDT_SYSCALL @@ -404,7 +417,7 @@ index 6f66d841262d..b786e7cb395d 100644 native_write_cr4(cr4 ^ X86_CR4_PGE); /* write old PGE again and flush TLBs */ diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 8a85c2e144a6..4732605f4cc0 100644 +index f961a56e9da3..a9644573b14a 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1895,7 +1895,6 @@ void cpu_init(void) @@ -579,7 +592,7 @@ index c7623f99ac0f..859c2782c8e2 100644 A pseudo terminal (PTY) is a software device consisting of two halves: a master and a slave. The slave device behaves identical to diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 642765bf1023..703ad957528f 100644 +index cee7514c3aaf..2c41c4dd1516 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -173,6 +173,7 @@ static void free_tty_struct(struct tty_struct *tty) @@ -618,20 +631,23 @@ index 642765bf1023..703ad957528f 100644 return tty; } +diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile +index 18e874b0441e..a010a4a5830e 100644 +--- a/drivers/usb/core/Makefile ++++ b/drivers/usb/core/Makefile +@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o + usbcore-$(CONFIG_OF) += of.o + usbcore-$(CONFIG_USB_PCI) += hcd-pci.o + usbcore-$(CONFIG_ACPI) += usb-acpi.o ++usbcore-$(CONFIG_SYSCTL) += sysctl.o + + obj-$(CONFIG_USB) += usbcore.o + diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 4d3de33885ff..4aa21cd2531a 100644 +index 6c89d714adb6..4b32b4c8b529 100644 --- a/drivers/usb/core/hub.c 
+++ b/drivers/usb/core/hub.c -@@ -45,6 +45,8 @@ - #define USB_TP_TRANSMISSION_DELAY 40 /* ns */ - #define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */ - -+extern int deny_new_usb; -+ - /* Protect struct usb_device->state and ->children members - * Note: Both are also protected by ->dev.sem, except that ->state can - * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ -@@ -5014,6 +5016,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, +@@ -5014,6 +5014,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, goto done; return; } 
@@ -644,11 +660,113 @@ index 4d3de33885ff..4aa21cd2531a 100644 if (hub_is_superspeed(hub->hdev)) unit_load = 150; else +diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c +new file mode 100644 +index 000000000000..23cce3221518 +--- /dev/null ++++ b/drivers/usb/core/sysctl.c +@@ -0,0 +1,47 @@ ++#include <linux/errno.h> ++#include <linux/init.h> ++#include <linux/kmemleak.h> ++#include <linux/sysctl.h> ++#include <linux/usb.h> ++ ++static int zero = 0; ++static int one = 1; ++ ++static struct ctl_table usb_table[] = { ++ { ++ .procname = "deny_new_usb", ++ .data = &deny_new_usb, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec_minmax_sysadmin, ++ .extra1 = &zero, ++ .extra2 = &one, ++ }, ++ { } ++}; ++ ++static struct ctl_table usb_root_table[] = { ++ { .procname = "kernel", ++ .mode = 0555, ++ .child = usb_table }, ++ { } ++}; ++ ++static struct ctl_table_header *usb_table_header; ++ ++int __init usb_init_sysctl(void) ++{ ++ usb_table_header = register_sysctl_table(usb_root_table); ++ if (!usb_table_header) { ++ pr_warn("usb: sysctl registration failed\n"); ++ return -ENOMEM; ++ } ++ ++ kmemleak_not_leak(usb_table_header); ++ return 0; ++} ++ ++void usb_exit_sysctl(void) ++{ ++ unregister_sysctl_table(usb_table_header); ++} +diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c +index f16c26dc079d..cdf79ee2cdb3 100644 +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -73,6 +73,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay"); + #define usb_autosuspend_delay 0 + #endif + ++int deny_new_usb __read_mostly = 0; ++EXPORT_SYMBOL(deny_new_usb); ++ + static bool match_endpoint(struct usb_endpoint_descriptor *epd, + struct usb_endpoint_descriptor **bulk_in, + struct usb_endpoint_descriptor **bulk_out, +@@ -991,6 +994,9 @@ static int __init usb_init(void) + usb_debugfs_init(); + + usb_acpi_register(); ++ retval = usb_init_sysctl(); ++ if (retval) ++ goto sysctl_init_failed; + retval = 
bus_register(&usb_bus_type); + if (retval) + goto bus_register_failed; +@@ -1025,6 +1031,8 @@ static int __init usb_init(void) + bus_notifier_failed: + bus_unregister(&usb_bus_type); + bus_register_failed: ++ usb_exit_sysctl(); ++sysctl_init_failed: + usb_acpi_unregister(); + usb_debugfs_cleanup(); + out: +@@ -1048,6 +1056,7 @@ static void __exit usb_exit(void) + usb_hub_cleanup(); + bus_unregister_notifier(&usb_bus_type, &usb_bus_nb); + bus_unregister(&usb_bus_type); ++ usb_exit_sysctl(); + usb_acpi_unregister(); + usb_debugfs_cleanup(); + idr_destroy(&usb_bus_idr); diff --git a/fs/exec.c b/fs/exec.c -index 2441eb1a1e2d..bd04325c9e2b 100644 +index 1b4d2206d53a..e206516c49c5 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -63,6 +63,7 @@ +@@ -33,6 +33,7 @@ + #include <linux/swap.h> + #include <linux/string.h> + #include <linux/init.h> ++#include <linux/sched.h> + #include <linux/sched/mm.h> + #include <linux/sched/coredump.h> + #include <linux/sched/signal.h> +@@ -63,6 +64,7 @@ #include <linux/oom.h> #include <linux/compat.h> #include <linux/vmalloc.h> @@ -656,11 +774,11 @@ index 2441eb1a1e2d..bd04325c9e2b 100644 #include <linux/uaccess.h> #include <asm/mmu_context.h> -@@ -276,6 +277,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm) +@@ -276,6 +278,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm) arch_bprm_mm_init(mm, vma); up_write(&mm->mmap_sem); bprm->p = vma->vm_end - sizeof(void *); -+ if (randomize_va_space) ++ if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + bprm->p ^= get_random_int() & ~PAGE_MASK; return 0; err: @@ -685,7 +803,7 @@ index 5b5759d70822..63ab73f6121c 100644 /** * may_follow_link - Check symlink following for unsafe situations diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig -index e7dd07f47825..2b357b4355fd 100644 +index e84c187d942e..fdac5ca7f677 100644 --- a/fs/nfs/Kconfig +++ b/fs/nfs/Kconfig @@ -195,4 +195,3 @@ config NFS_DEBUG 
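Review bot: The new drivers/usb/core/sysctl.c carries its own `static int zero = 0;` / `static int one = 1;` as the range bounds for `deny_new_usb`, while the kern_table entry this patch removes from kernel/sysctl.c and the tiocsti_restrict entries it keeps there use the shared `SYSCTL_ZERO` / `SYSCTL_ONE` from include/linux/sysctl.h; I would drop the two statics and write `.extra1 = SYSCTL_ZERO,` / `.extra2 = SYSCTL_ONE,`. The new file also begins directly with `#include <linux/errno.h>` and has no `// SPDX-License-Identifier:` line, which checkpatch reports for every new kernel source file. The write gate itself reads correctly: `.mode = 0644` only admits the handler, and `proc_dointvec_minmax_sysadmin` refuses writes without CAP_SYS_ADMIN, so the 0/1 clamp and the capability check together keep the flag from being cleared by an unprivileged writer. The `usb_init` error unwinding (`sysctl_init_failed:` after `bus_register_failed:`) mirrors the init order, so `usb_exit_sysctl` is only reached once registration succeeded.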
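Review bot: The new condition `if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)` in `__bprm_mm_init` has no comment saying why the personality flag is consulted directly instead of `PF_RANDOMIZE`, and a reader auditing the stack-top randomization will wonder whether this weakens it. I would add above it `/* Honour ADDR_NO_RANDOMIZE (setarch -R, debuggers) as the ELF loader does for brk/mmap; PF_RANDOMIZE is not yet set this early in exec. */` — the second clause is my reading of the exec ordering and should be confirmed against fs/binfmt_elf.c. This is an opt-out a task requests for its own image, so the default for processes without the personality flag is unchanged. `__bprm_mm_init` starts and ends outside the hunk.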
@@ -816,10 +934,10 @@ index 6b64b6cc2175..fe1770732cf2 100644 static inline struct dccp_sock *dccp_sk(const struct sock *sk) diff --git a/include/linux/fs.h b/include/linux/fs.h -index 4c82683e034a..560901350ab5 100644 +index ef118b8ba699..2ae0bf808be8 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h -@@ -3632,4 +3632,15 @@ static inline int inode_drain_writes(struct inode *inode) +@@ -3631,4 +3631,15 @@ static inline int inode_drain_writes(struct inode *inode) return filemap_write_and_wait(inode->i_mapping); } @@ -929,7 +1047,7 @@ index 069aa2ebef90..cb9e3637a620 100644 const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent); const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj); diff --git a/include/linux/mm.h b/include/linux/mm.h -index 7249cf58f78d..3a45bb3a8f21 100644 +index 5565d11f9542..0802188c8daa 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -664,7 +664,7 @@ static inline int is_vmalloc_or_module_addr(const void *x) @@ -1134,6 +1252,19 @@ index b2264355272d..2115131ba73f 100644 if (p_size == (size_t)-1 && q_size == (size_t)-1) return __underlying_strcpy(p, q); memcpy(p, q, strlen(q) + 1); +diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h +index 6df477329b76..ff3c700acbe9 100644 +--- a/include/linux/sysctl.h ++++ b/include/linux/sysctl.h +@@ -58,6 +58,8 @@ extern int proc_dointvec_minmax(struct ctl_table *, int, + extern int proc_douintvec_minmax(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos); ++extern int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos); + extern int proc_dointvec_jiffies(struct ctl_table *, int, + void __user *, size_t *, loff_t *); + extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int, diff --git a/include/linux/tty.h b/include/linux/tty.h index eb33d948788c..116138eb394c 100644 --- a/include/linux/tty.h 
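Review bot: The new prototype `extern int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos);` declares the buffer as plain `void *`, whereas the sibling declarations in the same hunk (`proc_douintvec_minmax`, `proc_dointvec_jiffies`) and the definition this patch un-statics in kernel/sysctl.c use `void __user *buffer`; the CONFIG_SYSCTL=n stub added to kernel/sysctl.c later in this patch repeats the `void *` form. Sparse will flag the address-space mismatch between declaration and definition, and dropping the annotation hides that this pointer is user memory that must only be reached through the copy_from_user path inside `proc_dointvec_minmax`. Change the header line and the stub to `void __user *buffer, size_t *lenp, loff_t *ppos);` so all three agree.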
@@ -1163,6 +1294,27 @@ index eb33d948788c..116138eb394c 100644 /* tty magic number */ #define TTY_MAGIC 0x5401 +diff --git a/include/linux/usb.h b/include/linux/usb.h +index e656e7b4b1e4..48d450ba9191 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -2015,6 +2015,16 @@ extern void usb_led_activity(enum usb_led_event ev); + static inline void usb_led_activity(enum usb_led_event ev) {} + #endif + ++/* sysctl.c */ ++extern int deny_new_usb; ++#ifdef CONFIG_SYSCTL ++extern int usb_init_sysctl(void); ++extern void usb_exit_sysctl(void); ++#else ++static inline int usb_init_sysctl(void) { return 0; } ++static inline void usb_exit_sysctl(void) { } ++#endif /* CONFIG_SYSCTL */ ++ + #endif /* __KERNEL__ */ + + #endif diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index 01a1334c5fc5..576e00382884 100644 --- a/include/linux/vmalloc.h @@ -1198,7 +1350,7 @@ index 01a1334c5fc5..576e00382884 100644 extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags); static inline void *__vmalloc_node_flags_caller(unsigned long size, int node, diff --git a/include/net/tcp.h b/include/net/tcp.h -index 377179283c46..3b4282e81fa8 100644 +index b914959cd2c6..419154fee6a2 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -242,6 +242,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo); @@ -1210,10 +1362,10 @@ index 377179283c46..3b4282e81fa8 100644 #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */ diff --git a/init/Kconfig b/init/Kconfig -index 96fc45d1b686..63aac6d6734c 100644 +index 4f9fd78e2200..1fc8302d56f2 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -346,6 +346,7 @@ config USELIB +@@ -345,6 +345,7 @@ config USELIB config AUDIT bool "Auditing support" depends on NET 
@@ -1221,7 +1373,7 @@ index 96fc45d1b686..63aac6d6734c 100644 help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for -@@ -1084,6 +1085,22 @@ config USER_NS +@@ -1083,6 +1084,22 @@ config USER_NS If unsure, say N. @@ -1244,7 +1396,35 @@ index 96fc45d1b686..63aac6d6734c 100644 config PID_NS bool "PID Namespaces" default y -@@ -1502,8 +1519,7 @@ config SHMEM +@@ -1295,9 +1312,8 @@ menuconfig EXPERT + Only use this if you really know what you are doing. + + config UID16 +- bool "Enable 16-bit UID system calls" if EXPERT ++ bool "Enable 16-bit UID system calls" + depends on HAVE_UID16 && MULTIUSER +- default y + help + This enables the legacy 16-bit UID syscall wrappers. + +@@ -1326,14 +1342,13 @@ config SGETMASK_SYSCALL + If unsure, leave the default option here. + + config SYSFS_SYSCALL +- bool "Sysfs syscall support" if EXPERT +- default y ++ bool "Sysfs syscall support" + ---help--- + sys_sysfs is an obsolete system call no longer supported in libc. + Note that disabling this option is more secure but might break + compatibility with some systems. + +- If unsure say Y here. ++ If unsure say N here. + + config SYSCTL_SYSCALL + bool "Sysctl syscall support" if EXPERT +@@ -1501,8 +1516,7 @@ config SHMEM which may be appropriate on small systems without swap. config AIO @@ -1254,7 +1434,7 @@ index 96fc45d1b686..63aac6d6734c 100644 help This option enables POSIX asynchronous I/O which may by used by some high performance threaded applications. Disabling -@@ -1614,6 +1630,23 @@ config USERFAULTFD +@@ -1613,6 +1627,23 @@ config USERFAULTFD Enable the userfaultfd() system call that allows to intercept and handle page faults in userland. @@ -1278,7 +1458,7 @@ index 96fc45d1b686..63aac6d6734c 100644 config ARCH_HAS_MEMBARRIER_CALLBACKS bool -@@ -1726,7 +1759,7 @@ config VM_EVENT_COUNTERS +@@ -1725,7 +1756,7 @@ config VM_EVENT_COUNTERS config SLUB_DEBUG default y 
@@ -1287,7 +1467,7 @@ index 96fc45d1b686..63aac6d6734c 100644 depends on SLUB && SYSFS help SLUB has extensive debug support features. Disabling these can -@@ -1750,7 +1783,6 @@ config SLUB_MEMCG_SYSFS_ON +@@ -1749,7 +1780,6 @@ config SLUB_MEMCG_SYSFS_ON config COMPAT_BRK bool "Disable heap randomization" @@ -1295,7 +1475,7 @@ index 96fc45d1b686..63aac6d6734c 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). -@@ -1797,7 +1829,6 @@ endchoice +@@ -1796,7 +1826,6 @@ endchoice config SLAB_MERGE_DEFAULT bool "Allow slab caches to be merged" @@ -1303,7 +1483,7 @@ index 96fc45d1b686..63aac6d6734c 100644 help For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. -@@ -1810,9 +1841,9 @@ config SLAB_MERGE_DEFAULT +@@ -1809,9 +1838,9 @@ config SLAB_MERGE_DEFAULT command line. config SLAB_FREELIST_RANDOM @@ -1314,7 +1494,7 @@ index 96fc45d1b686..63aac6d6734c 100644 help Randomizes the freelist order used on creating new pages. This security feature reduces the predictability of the kernel slab -@@ -1821,12 +1852,30 @@ config SLAB_FREELIST_RANDOM +@@ -1820,12 +1849,30 @@ config SLAB_FREELIST_RANDOM config SLAB_FREELIST_HARDENED bool "Harden slab freelist metadata" depends on SLUB @@ -1403,7 +1583,7 @@ index 1444f3954d75..8cc9dd7992f2 100644 /** diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9f7c2da99299..e917f4c3fa83 100644 +index ec1add9e7f3a..917f5f3da06a 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -404,8 +404,13 @@ static cpumask_var_t perf_online_mask; @@ -1431,7 +1611,7 @@ index 9f7c2da99299..e917f4c3fa83 100644 if (err) return err; diff --git a/kernel/fork.c b/kernel/fork.c -index 419fff8eb9e5..70da21e5c06a 100644 +index 50f37d5afb32..47ccbe911d65 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -106,6 +106,11 @@ 
@@ -1484,10 +1664,10 @@ index 477b4eb44af5..db28cc3fd301 100644 struct rcu_head *next, *list; unsigned long flags; diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c -index 1b1d2b09efa9..64c74cc05cf7 100644 +index 4dfa9dd47223..4263b6181c29 100644 --- a/kernel/rcu/tree.c +++ b/kernel/rcu/tree.c -@@ -2382,7 +2382,7 @@ static __latent_entropy void rcu_core(void) +@@ -2388,7 +2388,7 @@ static __latent_entropy void rcu_core(void) trace_rcu_utilization(TPS("End RCU core")); } @@ -1497,10 +1677,10 @@ index 1b1d2b09efa9..64c74cc05cf7 100644 rcu_core(); } diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 3dd7c10d6a58..a1e019026c7f 100644 +index 092aa5e47251..a2f1b57a2ad6 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c -@@ -9968,7 +9968,7 @@ int newidle_balance(struct rq *this_rq, struct rq_flags *rf) +@@ -9972,7 +9972,7 @@ int newidle_balance(struct rq *this_rq, struct rq_flags *rf) * run_rebalance_domains is triggered when needed from the scheduler tick. * Also triggered for nohz idle balancing (with nohz_balancing_kick set). */ @@ -1570,28 +1750,20 @@ index 0427a86743a4..5e6a9b4ccb41 100644 void tasklet_init(struct tasklet_struct *t, diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 70665934d53e..8ea67d08b926 100644 +index eae6a078619f..f4944948f015 100644 --- a/kernel/sysctl.c 
+++ b/kernel/sysctl.c -@@ -68,6 +68,7 @@ - #include <linux/bpf.h> - #include <linux/mount.h> - #include <linux/userfaultfd_k.h> +@@ -100,6 +100,9 @@ + #ifdef CONFIG_LOCKUP_DETECTOR + #include <linux/nmi.h> + #endif ++#if defined CONFIG_TTY +#include <linux/tty.h> ++#endif - #include "../lib/kstrtox.h" - -@@ -104,12 +105,19 @@ #if defined(CONFIG_SYSCTL) - /* External variables not in a header file. */ -+#if IS_ENABLED(CONFIG_USB) -+int deny_new_usb __read_mostly = 0; -+EXPORT_SYMBOL(deny_new_usb); -+#endif - extern int suid_dumpable; - #ifdef CONFIG_COREDUMP - extern int core_uses_pid; +@@ -110,6 +113,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif @@ -1601,7 +1773,7 @@ index 70665934d53e..8ea67d08b926 100644 extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction; -@@ -121,32 +129,32 @@ extern int sysctl_nr_trim_pages; +@@ -121,32 +127,32 @@ extern int sysctl_nr_trim_pages; /* Constants used for minimum and maximum */ #ifdef CONFIG_LOCKUP_DETECTOR @@ -1649,7 +1821,7 @@ index 70665934d53e..8ea67d08b926 100644 static const int cap_last_cap = CAP_LAST_CAP; /* -@@ -154,9 +162,12 @@ static const int cap_last_cap = CAP_LAST_CAP; +@@ -154,9 +160,12 @@ static const int cap_last_cap = CAP_LAST_CAP; * and hung_task_check_interval_secs */ #ifdef CONFIG_DETECT_HUNG_TASK 
@@ -1663,7 +1835,19 @@ index 70665934d53e..8ea67d08b926 100644 #ifdef CONFIG_INOTIFY_USER #include <linux/inotify.h> #endif -@@ -301,19 +312,19 @@ static struct ctl_table sysctl_base_table[] = { +@@ -214,11 +223,6 @@ static int proc_taint(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos); + #endif + +-#ifdef CONFIG_PRINTK +-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, +- void __user *buffer, size_t *lenp, loff_t *ppos); +-#endif +- + static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos); + #ifdef CONFIG_COREDUMP +@@ -301,19 +305,19 @@ static struct ctl_table sysctl_base_table[] = { }; #ifdef CONFIG_SCHED_DEBUG @@ -1691,7 +1875,7 @@ index 70665934d53e..8ea67d08b926 100644 #endif static struct ctl_table kern_table[] = { -@@ -546,6 +557,15 @@ static struct ctl_table kern_table[] = { +@@ -546,6 +550,15 @@ static struct ctl_table kern_table[] = { .proc_handler = proc_dointvec, }, #endif @@ -1707,11 +1891,10 @@ index 70665934d53e..8ea67d08b926 100644 #ifdef CONFIG_PROC_SYSCTL { .procname = "tainted", -@@ -901,6 +921,37 @@ static struct ctl_table kern_table[] = { - .extra1 = SYSCTL_ZERO, +@@ -902,6 +915,26 @@ static struct ctl_table kern_table[] = { .extra2 = &two, }, -+#endif + #endif +#if defined CONFIG_TTY + { + .procname = "tiocsti_restrict", 
@@ -1732,24 +1915,73 @@ index 70665934d53e..8ea67d08b926 100644 + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, -+#if IS_ENABLED(CONFIG_USB) -+ { -+ .procname = "deny_new_usb", -+ .data = &deny_new_usb, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec_minmax_sysadmin, -+ .extra1 = SYSCTL_ZERO, -+ .extra2 = SYSCTL_ONE, -+ }, - #endif { .procname = "ngroups_max", + .data = &ngroups_max, +@@ -2636,8 +2669,27 @@ static int proc_taint(struct ctl_table *table, int write, + return err; + } + +-#ifdef CONFIG_PRINTK +-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, ++/** ++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values ++ * checking CAP_SYS_ADMIN on write ++ * @table: the sysctl table ++ * @write: %TRUE if this is a write to the sysctl file ++ * @buffer: the user buffer ++ * @lenp: the size of the user buffer ++ * @ppos: file position ++ * ++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer ++ * values from/to the user buffer, treated as an ASCII string. ++ * ++ * This routine will ensure the values are within the range specified by ++ * table->extra1 (min) and table->extra2 (max). ++ * ++ * Writing is only allowed when root has CAP_SYS_ADMIN. ++ * ++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write ++ * when the range check fails. 
++ */ ++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { + if (write && !capable(CAP_SYS_ADMIN)) +@@ -2645,7 +2697,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, + + return proc_dointvec_minmax(table, write, buffer, lenp, ppos); + } +-#endif + + /** + * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure +@@ -3343,6 +3394,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write, + return -ENOSYS; + } + ++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos) ++{ ++ return -ENOSYS; ++} ++ + int proc_dointvec_jiffies(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -3423,6 +3480,7 @@ EXPORT_SYMBOL(proc_douintvec); + EXPORT_SYMBOL(proc_dointvec_jiffies); + EXPORT_SYMBOL(proc_dointvec_minmax); + EXPORT_SYMBOL_GPL(proc_douintvec_minmax); ++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin); + EXPORT_SYMBOL(proc_dointvec_userhz_jiffies); + EXPORT_SYMBOL(proc_dointvec_ms_jiffies); + EXPORT_SYMBOL(proc_dostring); diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c -index 7f31932216a1..9ede224fc81f 100644 +index 1f3e3a17f67e..72589694911f 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c -@@ -1583,7 +1583,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now, +@@ -1601,7 +1601,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now, } } @@ -1874,7 +2106,7 @@ index 0c6d17503a11..9e8c12dc2c67 100644 enum kobj_ns_type type = ops->type; int error; diff --git a/lib/nlattr.c b/lib/nlattr.c -index cace9b307781..39ba1387045d 100644 +index 0d84f79cb4b5..6b8f8be2283c 100644 --- a/lib/nlattr.c +++ b/lib/nlattr.c @@ -571,6 +571,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count) 
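Review bot: The kernel-doc added for `proc_dointvec_minmax_sysadmin` says `Writing is only allowed when root has CAP_SYS_ADMIN.`, but the guard is `if (write && !capable(CAP_SYS_ADMIN))`, which tests the calling task's effective capability rather than its UID; a non-root task holding the capability passes and a root task that dropped it is refused. I would reword it to `Writing is only allowed when the caller has CAP_SYS_ADMIN (checked with capable(), i.e. against the initial user namespace).` Exporting the handler with `EXPORT_SYMBOL` while the neighbouring `proc_douintvec_minmax` in the same hunk is `EXPORT_SYMBOL_GPL` is a policy choice, but since this symbol now gates a security sysctl for out-of-tree callers it is worth stating which licence scope is intended.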
@@ -1932,7 +2164,7 @@ index ba78f1f1b1bd..a47c237bdba8 100644 mm->brk = brk; goto success; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 1c869c6b825f..48d1abb3ae18 100644 +index 4357f5475a50..724fb8cace08 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -69,6 +69,7 @@ @@ -2132,7 +2364,7 @@ index e36dd36c7076..94cb3eed189c 100644 static int __init setup_slab_nomerge(char *str) { diff --git a/mm/slub.c b/mm/slub.c -index f41414571c9e..8b973b283e66 100644 +index 52ded855b4ed..d7d59072b3ff 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -125,6 +125,12 @@ static inline int kmem_cache_debug(struct kmem_cache *s) @@ -2468,7 +2700,7 @@ index ab358c64bbd3..afb474c171f7 100644 unsigned long arch_mmap_rnd(void) diff --git a/net/core/dev.c b/net/core/dev.c -index 20c7fd7b8b4b..9a187de240b7 100644 +index a30878346f54..52144816209a 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4474,7 +4474,7 @@ int netif_rx_ni(struct sk_buff *skb) @@ -2480,7 +2712,7 @@ index 20c7fd7b8b4b..9a187de240b7 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); -@@ -6349,7 +6349,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) +@@ -6351,7 +6351,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) return work; } @@ -2757,7 +2989,7 @@ index c83a5d05aeaa..51f464d6747a 100644 }; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 54fd6bc5adcc..37fe5c61bd17 100644 +index a1768ded2d54..8c055cd254de 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -81,6 +81,7 @@ @@ -2768,7 +3000,7 @@ index 54fd6bc5adcc..37fe5c61bd17 100644 #define FLAG_DATA 0x01 /* Incoming frame contained data. */ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */ -@@ -6051,7 +6052,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, +@@ -6056,7 +6057,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; 
@@ -2806,7 +3038,7 @@ index e3569543bdac..55cc439b3bc6 100644 secure! diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c -index 52f1152c9838..74a88a1b6dc0 100644 +index 13cda6aa2688..970c6134c6d4 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c @@ -36,6 +36,8 @@ static int warn_unresolved = 0; @@ -3084,7 +3316,7 @@ index 5711689deb6a..fab0cb896907 100644 - - If you are unsure how to answer this question, answer 0. diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 212f48025db8..01c4ce80f402 100644 +index 717a398ef4d0..f8cedc7e809e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -135,18 +135,7 @@ static int __init selinux_enabled_setup(char *str) |