commit a444dcad030800e3d05850425bc89457f7bf0e89 · pyrox.dev/nixpkgs

+2864

pkgs/os-specific/linux/kernel/copperhead-4-14.patch

···

··· 1 + diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt 2 + index 0380a45ecf4b..39956a3ef645 100644 3 + --- a/Documentation/admin-guide/kernel-parameters.txt 4 + +++ b/Documentation/admin-guide/kernel-parameters.txt 5 + @@ -490,16 +490,6 @@ 6 + nosocket -- Disable socket memory accounting. 7 + nokmem -- Disable kernel memory accounting. 8 + 9 + - checkreqprot [SELINUX] Set initial checkreqprot flag value. 10 + - Format: { "0" | "1" } 11 + - See security/selinux/Kconfig help text. 12 + - 0 -- check protection applied by kernel (includes 13 + - any implied execute protection). 14 + - 1 -- check protection requested by application. 15 + - Default value is set via a kernel config option. 16 + - Value can be changed at runtime via 17 + - /selinux/checkreqprot. 18 + - 19 + cio_ignore= [S390] 20 + See Documentation/s390/CommonIO for details. 21 + clk_ignore_unused 22 + @@ -2899,6 +2889,11 @@ 23 + the specified number of seconds. This is to be used if 24 + your oopses keep scrolling off the screen. 25 + 26 + + extra_latent_entropy 27 + + Enable a very simple form of latent entropy extraction 28 + + from the first 4GB of memory as the bootmem allocator 29 + + passes the memory pages to the buddy allocator. 30 + + 31 + pcbit= [HW,ISDN] 32 + 33 + pcd. [PARIDE] 34 + diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt 35 + index 694968c7523c..002d86416ef8 100644 36 + --- a/Documentation/sysctl/kernel.txt 37 + +++ b/Documentation/sysctl/kernel.txt 38 + @@ -91,6 +91,7 @@ show up in /proc/sys/kernel: 39 + - sysctl_writes_strict 40 + - tainted 41 + - threads-max 42 + +- tiocsti_restrict 43 + - unknown_nmi_panic 44 + - watchdog 45 + - watchdog_thresh 46 + @@ -999,6 +1000,26 @@ available RAM pages threads-max is reduced accordingly. 47 + 48 + ============================================================== 49 + 50 + +tiocsti_restrict: 51 + + 52 + +This toggle indicates whether unprivileged users are prevented 53 + +from using the TIOCSTI ioctl to inject commands into other processes 54 + +which share a tty session. 55 + + 56 + +When tiocsti_restrict is set to (0) there are no restrictions(accept 57 + +the default restriction of only being able to injection commands into 58 + +one's own tty). When tiocsti_restrict is set to (1), users must 59 + +have CAP_SYS_ADMIN to use the TIOCSTI ioctl. 60 + + 61 + +When user namespaces are in use, the check for the capability 62 + +CAP_SYS_ADMIN is done against the user namespace that originally 63 + +opened the tty. 64 + + 65 + +The kernel config option CONFIG_SECURITY_TIOCSTI_RESTRICT sets the 66 + +default value of tiocsti_restrict. 67 + + 68 + +============================================================== 69 + + 70 + unknown_nmi_panic: 71 + 72 + The value in this file affects behavior of handling NMI. When the 73 + diff --git a/Makefile b/Makefile 74 + index 787cf6605209..e4fda5330730 100644 75 + --- a/Makefile 76 + +++ b/Makefile 77 + @@ -710,6 +710,9 @@ endif 78 + KBUILD_CFLAGS += $(stackp-flag) 79 + 80 + ifeq ($(cc-name),clang) 81 + +ifdef CONFIG_LOCAL_INIT 82 + +KBUILD_CFLAGS += -fsanitize=local-init 83 + +endif 84 + KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,) 85 + KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable) 86 + KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier) 87 + diff --git a/arch/Kconfig b/arch/Kconfig 88 + index 400b9e1b2f27..4637096f7902 100644 89 + --- a/arch/Kconfig 90 + +++ b/arch/Kconfig 91 + @@ -440,6 +440,11 @@ config GCC_PLUGIN_LATENT_ENTROPY 92 + is some slowdown of the boot process (about 0.5%) and fork and 93 + irq processing. 94 + 95 + + When extra_latent_entropy is passed on the kernel command line, 96 + + entropy will be extracted from up to the first 4GB of RAM while the 97 + + runtime memory allocator is being initialized. This costs even more 98 + + slowdown of the boot process. 99 + + 100 + Note that entropy extracted this way is not cryptographically 101 + secure! 102 + 103 + @@ -533,7 +538,7 @@ config CC_STACKPROTECTOR 104 + choice 105 + prompt "Stack Protector buffer overflow detection" 106 + depends on HAVE_CC_STACKPROTECTOR 107 + - default CC_STACKPROTECTOR_NONE 108 + + default CC_STACKPROTECTOR_STRONG 109 + help 110 + This option turns on the "stack-protector" GCC feature. This 111 + feature puts, at the beginning of functions, a canary value on 112 + @@ -735,7 +740,7 @@ config ARCH_MMAP_RND_BITS 113 + int "Number of bits to use for ASLR of mmap base address" if EXPERT 114 + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX 115 + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT 116 + - default ARCH_MMAP_RND_BITS_MIN 117 + + default ARCH_MMAP_RND_BITS_MAX 118 + depends on HAVE_ARCH_MMAP_RND_BITS 119 + help 120 + This value can be used to select the number of bits to use to 121 + @@ -769,7 +774,7 @@ config ARCH_MMAP_RND_COMPAT_BITS 122 + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT 123 + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX 124 + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT 125 + - default ARCH_MMAP_RND_COMPAT_BITS_MIN 126 + + default ARCH_MMAP_RND_COMPAT_BITS_MAX 127 + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS 128 + help 129 + This value can be used to select the number of bits to use to 130 + @@ -952,6 +957,7 @@ config ARCH_HAS_REFCOUNT 131 + 132 + config REFCOUNT_FULL 133 + bool "Perform full reference count validation at the expense of speed" 134 + + default y 135 + help 136 + Enabling this switches the refcounting infrastructure from a fast 137 + unchecked atomic_t implementation to a fully state checked 138 + diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig 139 + index 2d5f7aca156d..aa4839a74c6a 100644 140 + --- a/arch/arm64/Kconfig 141 + +++ b/arch/arm64/Kconfig 142 + @@ -918,6 +918,7 @@ endif 143 + 144 + config ARM64_SW_TTBR0_PAN 145 + bool "Emulate Privileged Access Never using TTBR0_EL1 switching" 146 + + default y 147 + help 148 + Enabling this option prevents the kernel from accessing 149 + user-space memory directly by pointing TTBR0_EL1 to a reserved 150 + @@ -1044,6 +1045,7 @@ config RANDOMIZE_BASE 151 + bool "Randomize the address of the kernel image" 152 + select ARM64_MODULE_PLTS if MODULES 153 + select RELOCATABLE 154 + + default y 155 + help 156 + Randomizes the virtual address at which the kernel image is 157 + loaded, as a security feature that deters exploit attempts 158 + diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug 159 + index cc6bd559af85..01d5442d4722 100644 160 + --- a/arch/arm64/Kconfig.debug 161 + +++ b/arch/arm64/Kconfig.debug 162 + @@ -45,6 +45,7 @@ config ARM64_RANDOMIZE_TEXT_OFFSET 163 + config DEBUG_WX 164 + bool "Warn on W+X mappings at boot" 165 + select ARM64_PTDUMP_CORE 166 + + default y 167 + ---help--- 168 + Generate a warning if any W+X mappings are found at boot. 169 + 170 + diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig 171 + index 34480e9af2e7..26304242250c 100644 172 + --- a/arch/arm64/configs/defconfig 173 + +++ b/arch/arm64/configs/defconfig 174 + @@ -1,4 +1,3 @@ 175 + -CONFIG_SYSVIPC=y 176 + CONFIG_POSIX_MQUEUE=y 177 + CONFIG_AUDIT=y 178 + CONFIG_NO_HZ_IDLE=y 179 + diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h 180 + index 33be513ef24c..6f0c0e3ef0dd 100644 181 + --- a/arch/arm64/include/asm/elf.h 182 + +++ b/arch/arm64/include/asm/elf.h 183 + @@ -114,10 +114,10 @@ 184 + 185 + /* 186 + * This is the base location for PIE (ET_DYN with INTERP) loads. On 187 + - * 64-bit, this is above 4GB to leave the entire 32-bit address 188 + + * 64-bit, this is raised to 4GB to leave the entire 32-bit address 189 + * space open for things that want to use the area for 32-bit pointers. 190 + */ 191 + -#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3) 192 + +#define ELF_ET_DYN_BASE 0x100000000UL 193 + 194 + #ifndef __ASSEMBLY__ 195 + 196 + @@ -158,10 +158,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, 197 + /* 1GB of VA */ 198 + #ifdef CONFIG_COMPAT 199 + #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \ 200 + - 0x7ff >> (PAGE_SHIFT - 12) : \ 201 + - 0x3ffff >> (PAGE_SHIFT - 12)) 202 + + ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \ 203 + + ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) 204 + #else 205 + -#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12)) 206 + +#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) 207 + #endif 208 + 209 + #ifdef __AARCH64EB__ 210 + diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c 211 + index 9e773732520c..91359f45b5fc 100644 212 + --- a/arch/arm64/kernel/process.c 213 + +++ b/arch/arm64/kernel/process.c 214 + @@ -419,9 +419,9 @@ unsigned long arch_align_stack(unsigned long sp) 215 + unsigned long arch_randomize_brk(struct mm_struct *mm) 216 + { 217 + if (is_compat_task()) 218 + - return randomize_page(mm->brk, SZ_32M); 219 + + return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE; 220 + else 221 + - return randomize_page(mm->brk, SZ_1G); 222 + + return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE; 223 + } 224 + 225 + /* 226 + diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig 227 + index 7483cd514c32..835a86c45fb0 100644 228 + --- a/arch/x86/Kconfig 229 + +++ b/arch/x86/Kconfig 230 + @@ -1153,8 +1153,7 @@ config VM86 231 + default X86_LEGACY_VM86 232 + 233 + config X86_16BIT 234 + - bool "Enable support for 16-bit segments" if EXPERT 235 + - default y 236 + + bool "Enable support for 16-bit segments" 237 + depends on MODIFY_LDT_SYSCALL 238 + ---help--- 239 + This option is required by programs like Wine to run 16-bit 240 + @@ -2228,7 +2227,7 @@ config COMPAT_VDSO 241 + choice 242 + prompt "vsyscall table for legacy applications" 243 + depends on X86_64 244 + - default LEGACY_VSYSCALL_EMULATE 245 + + default LEGACY_VSYSCALL_NONE 246 + help 247 + Legacy user code that does not know how to find the vDSO expects 248 + to be able to issue three syscalls by calling fixed addresses in 249 + @@ -2318,8 +2317,7 @@ config CMDLINE_OVERRIDE 250 + be set to 'N' under normal conditions. 251 + 252 + config MODIFY_LDT_SYSCALL 253 + - bool "Enable the LDT (local descriptor table)" if EXPERT 254 + - default y 255 + + bool "Enable the LDT (local descriptor table)" 256 + ---help--- 257 + Linux can allow user programs to install a per-process x86 258 + Local Descriptor Table (LDT) using the modify_ldt(2) system 259 + diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug 260 + index 6293a8768a91..add82e0f1df3 100644 261 + --- a/arch/x86/Kconfig.debug 262 + +++ b/arch/x86/Kconfig.debug 263 + @@ -101,6 +101,7 @@ config EFI_PGT_DUMP 264 + config DEBUG_WX 265 + bool "Warn on W+X mappings at boot" 266 + select X86_PTDUMP_CORE 267 + + default y 268 + ---help--- 269 + Generate a warning if any W+X mappings are found at boot. 270 + 271 + diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig 272 + index e32fc1f274d8..d08acc76502a 100644 273 + --- a/arch/x86/configs/x86_64_defconfig 274 + +++ b/arch/x86/configs/x86_64_defconfig 275 + @@ -1,5 +1,4 @@ 276 + # CONFIG_LOCALVERSION_AUTO is not set 277 + -CONFIG_SYSVIPC=y 278 + CONFIG_POSIX_MQUEUE=y 279 + CONFIG_BSD_PROCESS_ACCT=y 280 + CONFIG_TASKSTATS=y 281 + diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c 282 + index 1911310959f8..bba8dbbc07a8 100644 283 + --- a/arch/x86/entry/vdso/vma.c 284 + +++ b/arch/x86/entry/vdso/vma.c 285 + @@ -203,55 +203,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) 286 + } 287 + 288 + #ifdef CONFIG_X86_64 289 + -/* 290 + - * Put the vdso above the (randomized) stack with another randomized 291 + - * offset. This way there is no hole in the middle of address space. 292 + - * To save memory make sure it is still in the same PTE as the stack 293 + - * top. This doesn't give that many random bits. 294 + - * 295 + - * Note that this algorithm is imperfect: the distribution of the vdso 296 + - * start address within a PMD is biased toward the end. 297 + - * 298 + - * Only used for the 64-bit and x32 vdsos. 299 + - */ 300 + -static unsigned long vdso_addr(unsigned long start, unsigned len) 301 + -{ 302 + - unsigned long addr, end; 303 + - unsigned offset; 304 + - 305 + - /* 306 + - * Round up the start address. It can start out unaligned as a result 307 + - * of stack start randomization. 308 + - */ 309 + - start = PAGE_ALIGN(start); 310 + - 311 + - /* Round the lowest possible end address up to a PMD boundary. */ 312 + - end = (start + len + PMD_SIZE - 1) & PMD_MASK; 313 + - if (end >= TASK_SIZE_MAX) 314 + - end = TASK_SIZE_MAX; 315 + - end -= len; 316 + - 317 + - if (end > start) { 318 + - offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1); 319 + - addr = start + (offset << PAGE_SHIFT); 320 + - } else { 321 + - addr = start; 322 + - } 323 + - 324 + - /* 325 + - * Forcibly align the final address in case we have a hardware 326 + - * issue that requires alignment for performance reasons. 327 + - */ 328 + - addr = align_vdso_addr(addr); 329 + - 330 + - return addr; 331 + -} 332 + - 333 + static int map_vdso_randomized(const struct vdso_image *image) 334 + { 335 + - unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start); 336 + - 337 + - return map_vdso(image, addr); 338 + + return map_vdso(image, 0); 339 + } 340 + #endif 341 + 342 + diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h 343 + index 3a091cea36c5..0931c05a3348 100644 344 + --- a/arch/x86/include/asm/elf.h 345 + +++ b/arch/x86/include/asm/elf.h 346 + @@ -249,11 +249,11 @@ extern int force_personality32; 347 + 348 + /* 349 + * This is the base location for PIE (ET_DYN with INTERP) loads. On 350 + - * 64-bit, this is above 4GB to leave the entire 32-bit address 351 + + * 64-bit, this is raised to 4GB to leave the entire 32-bit address 352 + * space open for things that want to use the area for 32-bit pointers. 353 + */ 354 + #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ 355 + - (DEFAULT_MAP_WINDOW / 3 * 2)) 356 + + 0x100000000UL) 357 + 358 + /* This yields a mask that user programs can use to figure out what 359 + instruction set this CPU supports. This could be done in user space, 360 + @@ -312,8 +312,8 @@ extern unsigned long get_mmap_base(int is_legacy); 361 + 362 + #ifdef CONFIG_X86_32 363 + 364 + -#define __STACK_RND_MASK(is32bit) (0x7ff) 365 + -#define STACK_RND_MASK (0x7ff) 366 + +#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) 367 + +#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1) 368 + 369 + #define ARCH_DLINFO ARCH_DLINFO_IA32 370 + 371 + @@ -322,7 +322,11 @@ extern unsigned long get_mmap_base(int is_legacy); 372 + #else /* CONFIG_X86_32 */ 373 + 374 + /* 1GB for 64bit, 8MB for 32bit */ 375 + -#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff) 376 + +#ifdef CONFIG_COMPAT 377 + +#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1) 378 + +#else 379 + +#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) 380 + +#endif 381 + #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32()) 382 + 383 + #define ARCH_DLINFO \ 384 + @@ -380,5 +384,4 @@ struct va_alignment { 385 + } ____cacheline_aligned; 386 + 387 + extern struct va_alignment va_align; 388 + -extern unsigned long align_vdso_addr(unsigned long); 389 + #endif /* _ASM_X86_ELF_H */ 390 + diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h 391 + index 704f31315dde..bb82b6344a7b 100644 392 + --- a/arch/x86/include/asm/tlbflush.h 393 + +++ b/arch/x86/include/asm/tlbflush.h 394 + @@ -253,6 +253,7 @@ static inline void cr4_set_bits(unsigned long mask) 395 + unsigned long cr4; 396 + 397 + cr4 = this_cpu_read(cpu_tlbstate.cr4); 398 + + BUG_ON(cr4 != __read_cr4()); 399 + if ((cr4 | mask) != cr4) { 400 + cr4 |= mask; 401 + this_cpu_write(cpu_tlbstate.cr4, cr4); 402 + @@ -266,6 +267,7 @@ static inline void cr4_clear_bits(unsigned long mask) 403 + unsigned long cr4; 404 + 405 + cr4 = this_cpu_read(cpu_tlbstate.cr4); 406 + + BUG_ON(cr4 != __read_cr4()); 407 + if ((cr4 & ~mask) != cr4) { 408 + cr4 &= ~mask; 409 + this_cpu_write(cpu_tlbstate.cr4, cr4); 410 + @@ -278,6 +280,7 @@ static inline void cr4_toggle_bits(unsigned long mask) 411 + unsigned long cr4; 412 + 413 + cr4 = this_cpu_read(cpu_tlbstate.cr4); 414 + + BUG_ON(cr4 != __read_cr4()); 415 + cr4 ^= mask; 416 + this_cpu_write(cpu_tlbstate.cr4, cr4); 417 + __write_cr4(cr4); 418 + @@ -386,6 +389,7 @@ static inline void __native_flush_tlb_global(void) 419 + raw_local_irq_save(flags); 420 + 421 + cr4 = this_cpu_read(cpu_tlbstate.cr4); 422 + + BUG_ON(cr4 != __read_cr4()); 423 + /* toggle PGE */ 424 + native_write_cr4(cr4 ^ X86_CR4_PGE); 425 + /* write old PGE again and flush TLBs */ 426 + diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c 427 + index 48e98964ecad..a94dc690612f 100644 428 + --- a/arch/x86/kernel/cpu/common.c 429 + +++ b/arch/x86/kernel/cpu/common.c 430 + @@ -1637,7 +1637,6 @@ void cpu_init(void) 431 + wrmsrl(MSR_KERNEL_GS_BASE, 0); 432 + barrier(); 433 + 434 + - x86_configure_nx(); 435 + x2apic_setup(); 436 + 437 + /* 438 + diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c 439 + index 988a98f34c66..dc36d2d9078a 100644 440 + --- a/arch/x86/kernel/process.c 441 + +++ b/arch/x86/kernel/process.c 442 + @@ -40,6 +40,8 @@ 443 + #include <asm/desc.h> 444 + #include <asm/prctl.h> 445 + #include <asm/spec-ctrl.h> 446 + +#include <asm/elf.h> 447 + +#include <linux/sizes.h> 448 + 449 + /* 450 + * per-CPU TSS segments. Threads are completely 'soft' on Linux, 451 + @@ -719,7 +721,10 @@ unsigned long arch_align_stack(unsigned long sp) 452 + 453 + unsigned long arch_randomize_brk(struct mm_struct *mm) 454 + { 455 + - return randomize_page(mm->brk, 0x02000000); 456 + + if (mmap_is_ia32()) 457 + + return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE; 458 + + else 459 + + return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE; 460 + } 461 + 462 + /* 463 + diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c 464 + index a63fe77b3217..e1085e76043e 100644 465 + --- a/arch/x86/kernel/sys_x86_64.c 466 + +++ b/arch/x86/kernel/sys_x86_64.c 467 + @@ -54,13 +54,6 @@ static unsigned long get_align_bits(void) 468 + return va_align.bits & get_align_mask(); 469 + } 470 + 471 + -unsigned long align_vdso_addr(unsigned long addr) 472 + -{ 473 + - unsigned long align_mask = get_align_mask(); 474 + - addr = (addr + align_mask) & ~align_mask; 475 + - return addr | get_align_bits(); 476 + -} 477 + - 478 + static int __init control_va_addr_alignment(char *str) 479 + { 480 + /* guard against enabling this on other CPU families */ 481 + @@ -122,10 +115,7 @@ static void find_start_end(unsigned long addr, unsigned long flags, 482 + } 483 + 484 + *begin = get_mmap_base(1); 485 + - if (in_compat_syscall()) 486 + - *end = task_size_32bit(); 487 + - else 488 + - *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW); 489 + + *end = get_mmap_base(0); 490 + } 491 + 492 + unsigned long 493 + @@ -206,7 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, 494 + 495 + info.flags = VM_UNMAPPED_AREA_TOPDOWN; 496 + info.length = len; 497 + - info.low_limit = PAGE_SIZE; 498 + + info.low_limit = get_mmap_base(1); 499 + info.high_limit = get_mmap_base(0); 500 + 501 + /* 502 + diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c 503 + index 3141e67ec24c..e93173193f60 100644 504 + --- a/arch/x86/mm/init_32.c 505 + +++ b/arch/x86/mm/init_32.c 506 + @@ -558,7 +558,7 @@ static void __init pagetable_init(void) 507 + permanent_kmaps_init(pgd_base); 508 + } 509 + 510 + -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL); 511 + +pteval_t __supported_pte_mask __ro_after_init = ~(_PAGE_NX | _PAGE_GLOBAL); 512 + EXPORT_SYMBOL_GPL(__supported_pte_mask); 513 + 514 + /* user-defined highmem size */ 515 + @@ -865,7 +865,7 @@ int arch_remove_memory(u64 start, u64 size) 516 + #endif 517 + #endif 518 + 519 + -int kernel_set_to_readonly __read_mostly; 520 + +int kernel_set_to_readonly __ro_after_init; 521 + 522 + void set_kernel_text_rw(void) 523 + { 524 + @@ -917,12 +917,11 @@ void mark_rodata_ro(void) 525 + unsigned long start = PFN_ALIGN(_text); 526 + unsigned long size = PFN_ALIGN(_etext) - start; 527 + 528 + + kernel_set_to_readonly = 1; 529 + set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); 530 + printk(KERN_INFO "Write protecting the kernel text: %luk\n", 531 + size >> 10); 532 + 533 + - kernel_set_to_readonly = 1; 534 + - 535 + #ifdef CONFIG_CPA_DEBUG 536 + printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", 537 + start, start+size); 538 + diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c 539 + index 642357aff216..8bbf93ce3cd2 100644 540 + --- a/arch/x86/mm/init_64.c 541 + +++ b/arch/x86/mm/init_64.c 542 + @@ -65,7 +65,7 @@ 543 + * around without checking the pgd every time. 544 + */ 545 + 546 + -pteval_t __supported_pte_mask __read_mostly = ~0; 547 + +pteval_t __supported_pte_mask __ro_after_init = ~0; 548 + EXPORT_SYMBOL_GPL(__supported_pte_mask); 549 + 550 + int force_personality32; 551 + @@ -1185,7 +1185,7 @@ void __init mem_init(void) 552 + mem_init_print_info(NULL); 553 + } 554 + 555 + -int kernel_set_to_readonly; 556 + +int kernel_set_to_readonly __ro_after_init; 557 + 558 + void set_kernel_text_rw(void) 559 + { 560 + @@ -1234,9 +1234,8 @@ void mark_rodata_ro(void) 561 + 562 + printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", 563 + (end - start) >> 10); 564 + - set_memory_ro(start, (end - start) >> PAGE_SHIFT); 565 + - 566 + kernel_set_to_readonly = 1; 567 + + set_memory_ro(start, (end - start) >> PAGE_SHIFT); 568 + 569 + /* 570 + * The rodata/data/bss/brk section (but not the kernel text!) 571 + diff --git a/block/blk-softirq.c b/block/blk-softirq.c 572 + index 01e2b353a2b9..9aeddca4a29f 100644 573 + --- a/block/blk-softirq.c 574 + +++ b/block/blk-softirq.c 575 + @@ -20,7 +20,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done); 576 + * Softirq action handler - move entries to local list and loop over them 577 + * while passing them to the queue registered handler. 578 + */ 579 + -static __latent_entropy void blk_done_softirq(struct softirq_action *h) 580 + +static __latent_entropy void blk_done_softirq(void) 581 + { 582 + struct list_head *cpu_list, local_list; 583 + 584 + diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c 585 + index 473f150d6b22..65a65f9824ed 100644 586 + --- a/drivers/ata/libata-core.c 587 + +++ b/drivers/ata/libata-core.c 588 + @@ -5141,7 +5141,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) 589 + struct ata_port *ap; 590 + unsigned int tag; 591 + 592 + - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ 593 + + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ 594 + ap = qc->ap; 595 + 596 + qc->flags = 0; 597 + @@ -5158,7 +5158,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) 598 + struct ata_port *ap; 599 + struct ata_link *link; 600 + 601 + - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ 602 + + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ 603 + WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); 604 + ap = qc->ap; 605 + link = qc->dev->link; 606 + diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig 607 + index c28dca0c613d..d4813f0d25ca 100644 608 + --- a/drivers/char/Kconfig 609 + +++ b/drivers/char/Kconfig 610 + @@ -9,7 +9,6 @@ source "drivers/tty/Kconfig" 611 + 612 + config DEVMEM 613 + bool "/dev/mem virtual device support" 614 + - default y 615 + help 616 + Say Y here if you want to support the /dev/mem device. 617 + The /dev/mem device is used to access areas of physical 618 + @@ -568,7 +567,6 @@ config TELCLOCK 619 + config DEVPORT 620 + bool "/dev/port character device" 621 + depends on ISA || PCI 622 + - default y 623 + help 624 + Say Y here if you want to support the /dev/port device. The /dev/port 625 + device is similar to /dev/mem, but for I/O ports. 626 + diff --git a/drivers/media/dvb-frontends/cx24116.c b/drivers/media/dvb-frontends/cx24116.c 627 + index e105532bfba8..e07d52bb9b62 100644 628 + --- a/drivers/media/dvb-frontends/cx24116.c 629 + +++ b/drivers/media/dvb-frontends/cx24116.c 630 + @@ -1462,7 +1462,7 @@ static int cx24116_tune(struct dvb_frontend *fe, bool re_tune, 631 + return cx24116_read_status(fe, status); 632 + } 633 + 634 + -static int cx24116_get_algo(struct dvb_frontend *fe) 635 + +static enum dvbfe_algo cx24116_get_algo(struct dvb_frontend *fe) 636 + { 637 + return DVBFE_ALGO_HW; 638 + } 639 + diff --git a/drivers/media/dvb-frontends/cx24117.c b/drivers/media/dvb-frontends/cx24117.c 640 + index d37cb7762bd6..97e0feff0ede 100644 641 + --- a/drivers/media/dvb-frontends/cx24117.c 642 + +++ b/drivers/media/dvb-frontends/cx24117.c 643 + @@ -1555,7 +1555,7 @@ static int cx24117_tune(struct dvb_frontend *fe, bool re_tune, 644 + return cx24117_read_status(fe, status); 645 + } 646 + 647 + -static int cx24117_get_algo(struct dvb_frontend *fe) 648 + +static enum dvbfe_algo cx24117_get_algo(struct dvb_frontend *fe) 649 + { 650 + return DVBFE_ALGO_HW; 651 + } 652 + diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c 653 + index 7f11dcc94d85..01da670760ba 100644 654 + --- a/drivers/media/dvb-frontends/cx24120.c 655 + +++ b/drivers/media/dvb-frontends/cx24120.c 656 + @@ -1491,7 +1491,7 @@ static int cx24120_tune(struct dvb_frontend *fe, bool re_tune, 657 + return cx24120_read_status(fe, status); 658 + } 659 + 660 + -static int cx24120_get_algo(struct dvb_frontend *fe) 661 + +static enum dvbfe_algo cx24120_get_algo(struct dvb_frontend *fe) 662 + { 663 + return DVBFE_ALGO_HW; 664 + } 665 + diff --git a/drivers/media/dvb-frontends/cx24123.c b/drivers/media/dvb-frontends/cx24123.c 666 + index 1d59d1d3bd82..41cd0e9ea199 100644 667 + --- a/drivers/media/dvb-frontends/cx24123.c 668 + +++ b/drivers/media/dvb-frontends/cx24123.c 669 + @@ -1005,7 +1005,7 @@ static int cx24123_tune(struct dvb_frontend *fe, 670 + return retval; 671 + } 672 + 673 + -static int cx24123_get_algo(struct dvb_frontend *fe) 674 + +static enum dvbfe_algo cx24123_get_algo(struct dvb_frontend *fe) 675 + { 676 + return DVBFE_ALGO_HW; 677 + } 678 + diff --git a/drivers/media/dvb-frontends/cxd2820r_core.c b/drivers/media/dvb-frontends/cxd2820r_core.c 679 + index f6ebbb47b9b2..3e0d8cbd76da 100644 680 + --- a/drivers/media/dvb-frontends/cxd2820r_core.c 681 + +++ b/drivers/media/dvb-frontends/cxd2820r_core.c 682 + @@ -403,7 +403,7 @@ static enum dvbfe_search cxd2820r_search(struct dvb_frontend *fe) 683 + return DVBFE_ALGO_SEARCH_ERROR; 684 + } 685 + 686 + -static int cxd2820r_get_frontend_algo(struct dvb_frontend *fe) 687 + +static enum dvbfe_algo cxd2820r_get_frontend_algo(struct dvb_frontend *fe) 688 + { 689 + return DVBFE_ALGO_CUSTOM; 690 + } 691 + diff --git a/drivers/media/dvb-frontends/mb86a20s.c b/drivers/media/dvb-frontends/mb86a20s.c 692 + index e8ac8c3e2ec0..e0f4ba8302d1 100644 693 + --- a/drivers/media/dvb-frontends/mb86a20s.c 694 + +++ b/drivers/media/dvb-frontends/mb86a20s.c 695 + @@ -2055,7 +2055,7 @@ static void mb86a20s_release(struct dvb_frontend *fe) 696 + kfree(state); 697 + } 698 + 699 + -static int mb86a20s_get_frontend_algo(struct dvb_frontend *fe) 700 + +static enum dvbfe_algo mb86a20s_get_frontend_algo(struct dvb_frontend *fe) 701 + { 702 + return DVBFE_ALGO_HW; 703 + } 704 + diff --git a/drivers/media/dvb-frontends/s921.c b/drivers/media/dvb-frontends/s921.c 705 + index 274544a3ae0e..9ef9b9bc1bd2 100644 706 + --- a/drivers/media/dvb-frontends/s921.c 707 + +++ b/drivers/media/dvb-frontends/s921.c 708 + @@ -464,7 +464,7 @@ static int s921_tune(struct dvb_frontend *fe, 709 + return rc; 710 + } 711 + 712 + -static int s921_get_algo(struct dvb_frontend *fe) 713 + +static enum dvbfe_algo s921_get_algo(struct dvb_frontend *fe) 714 + { 715 + return DVBFE_ALGO_HW; 716 + } 717 + diff --git a/drivers/media/pci/bt8xx/dst.c b/drivers/media/pci/bt8xx/dst.c 718 + index 7166d2279465..fa682f9fdc4b 100644 719 + --- a/drivers/media/pci/bt8xx/dst.c 720 + +++ b/drivers/media/pci/bt8xx/dst.c 721 + @@ -1657,7 +1657,7 @@ static int dst_tune_frontend(struct dvb_frontend* fe, 722 + return 0; 723 + } 724 + 725 + -static int dst_get_tuning_algo(struct dvb_frontend *fe) 726 + +static enum dvbfe_algo dst_get_tuning_algo(struct dvb_frontend *fe) 727 + { 728 + return dst_algo ? DVBFE_ALGO_HW : DVBFE_ALGO_SW; 729 + } 730 + diff --git a/drivers/media/pci/pt1/va1j5jf8007s.c b/drivers/media/pci/pt1/va1j5jf8007s.c 731 + index f75f69556be7..d913a6050e8c 100644 732 + --- a/drivers/media/pci/pt1/va1j5jf8007s.c 733 + +++ b/drivers/media/pci/pt1/va1j5jf8007s.c 734 + @@ -98,7 +98,7 @@ static int va1j5jf8007s_read_snr(struct dvb_frontend *fe, u16 *snr) 735 + return 0; 736 + } 737 + 738 + -static int va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe) 739 + +static enum dvbfe_algo va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe) 740 + { 741 + return DVBFE_ALGO_HW; 742 + } 743 + diff --git a/drivers/media/pci/pt1/va1j5jf8007t.c b/drivers/media/pci/pt1/va1j5jf8007t.c 744 + index 63fda79a75c0..4115c3ccd4a8 100644 745 + --- a/drivers/media/pci/pt1/va1j5jf8007t.c 746 + +++ b/drivers/media/pci/pt1/va1j5jf8007t.c 747 + @@ -88,7 +88,7 @@ static int va1j5jf8007t_read_snr(struct dvb_frontend *fe, u16 *snr) 748 + return 0; 749 + } 750 + 751 + -static int va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe) 752 + +static enum dvbfe_algo va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe) 753 + { 754 + return DVBFE_ALGO_HW; 755 + } 756 + diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c 757 + index 981b3ef71e47..9883da1da383 100644 758 + --- a/drivers/misc/lkdtm_core.c 759 + +++ b/drivers/misc/lkdtm_core.c 760 + @@ -78,7 +78,7 @@ static irqreturn_t jp_handle_irq_event(unsigned int irq, 761 + return 0; 762 + } 763 + 764 + -static void jp_tasklet_action(struct softirq_action *a) 765 + +static void jp_tasklet_action(void) 766 + { 767 + lkdtm_handler(); 768 + jprobe_return(); 769 + diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig 770 + index b811442c5ce6..4f62a63cbcb1 100644 771 + --- a/drivers/tty/Kconfig 772 + +++ b/drivers/tty/Kconfig 773 + @@ -122,7 +122,6 @@ config UNIX98_PTYS 774 + 775 + config LEGACY_PTYS 776 + bool "Legacy (BSD) PTY support" 777 + - default y 778 + ---help--- 779 + A pseudo terminal (PTY) is a software device consisting of two 780 + halves: a master and a slave. The slave device behaves identical to 781 + diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c 782 + index 562d31073f9a..2184b9b5485f 100644 783 + --- a/drivers/tty/tty_io.c 784 + +++ b/drivers/tty/tty_io.c 785 + @@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty) 786 + put_device(tty->dev); 787 + kfree(tty->write_buf); 788 + tty->magic = 0xDEADDEAD; 789 + + put_user_ns(tty->owner_user_ns); 790 + kfree(tty); 791 + } 792 + 793 + @@ -2154,11 +2155,19 @@ static int tty_fasync(int fd, struct file *filp, int on) 794 + * FIXME: may race normal receive processing 795 + */ 796 + 797 + +int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT); 798 + + 799 + static int tiocsti(struct tty_struct *tty, char __user *p) 800 + { 801 + char ch, mbz = 0; 802 + struct tty_ldisc *ld; 803 + 804 + + if (tiocsti_restrict && 805 + + !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) { 806 + + dev_warn_ratelimited(tty->dev, 807 + + "Denied TIOCSTI ioctl for non-privileged process\n"); 808 + + return -EPERM; 809 + + } 810 + if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN)) 811 + return -EPERM; 812 + if (get_user(ch, p)) 813 + @@ -2841,6 +2850,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) 814 + tty->index = idx; 815 + tty_line_name(driver, idx, tty->name); 816 + tty->dev = tty_get_device(tty); 817 + + tty->owner_user_ns = get_user_ns(current_user_ns()); 818 + 819 + return tty; 820 + } 821 + diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c 822 + index 442be7f312f6..788557d5c454 100644 823 + --- a/drivers/usb/core/hub.c 824 + +++ b/drivers/usb/core/hub.c 825 + @@ -38,6 +38,8 @@ 826 + #define USB_VENDOR_GENESYS_LOGIC 0x05e3 827 + #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 828 + 829 + +extern int deny_new_usb; 830 + + 831 + /* Protect struct usb_device->state and ->children members 832 + * Note: Both are also protected by ->dev.sem, except that ->state can 833 + * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ 834 + @@ -4806,6 +4808,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, 835 + goto done; 836 + return; 837 + } 838 + + 839 + + if (deny_new_usb) { 840 + + dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1); 841 + + goto done; 842 + + } 843 + + 844 + if (hub_is_superspeed(hub->hdev)) 845 + unit_load = 150; 846 + else 847 + diff --git a/fs/exec.c b/fs/exec.c 848 + index 0da4d748b4e6..69fcee853363 100644 849 + --- a/fs/exec.c 850 + +++ b/fs/exec.c 851 + @@ -62,6 +62,7 @@ 852 + #include <linux/oom.h> 853 + #include <linux/compat.h> 854 + #include <linux/vmalloc.h> 855 + +#include <linux/random.h> 856 + 857 + #include <linux/uaccess.h> 858 + #include <asm/mmu_context.h> 859 + @@ -321,6 +322,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm) 860 + arch_bprm_mm_init(mm, vma); 861 + up_write(&mm->mmap_sem); 862 + bprm->p = vma->vm_end - sizeof(void *); 863 + + if (randomize_va_space) 864 + + bprm->p ^= get_random_int() & ~PAGE_MASK; 865 + return 0; 866 + err: 867 + up_write(&mm->mmap_sem); 868 + diff --git a/fs/namei.c b/fs/namei.c 869 + index 0b46b858cd42..3ae8e72341da 100644 870 + --- a/fs/namei.c 871 + +++ b/fs/namei.c 872 + @@ -902,8 +902,8 @@ static inline void put_link(struct nameidata *nd) 873 + path_put(&last->link); 874 + } 875 + 876 + -int sysctl_protected_symlinks __read_mostly = 0; 877 + -int sysctl_protected_hardlinks __read_mostly = 0; 878 + +int sysctl_protected_symlinks __read_mostly = 1; 879 + +int sysctl_protected_hardlinks __read_mostly = 1; 880 + 881 + /** 882 + * may_follow_link - Check symlink following for unsafe situations 883 + diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig 884 + index 5f93cfacb3d1..cea0d7d3b23e 100644 885 + --- a/fs/nfs/Kconfig 886 + +++ b/fs/nfs/Kconfig 887 + @@ -195,4 +195,3 @@ config NFS_DEBUG 888 + bool 889 + depends on NFS_FS && SUNRPC_DEBUG 890 + select CRC32 891 + - default y 892 + diff --git a/fs/pipe.c b/fs/pipe.c 893 + index 8ef7d7bef775..b82f305ec13d 100644 894 + --- a/fs/pipe.c 895 + +++ b/fs/pipe.c 896 + @@ -38,7 +38,7 @@ unsigned int pipe_max_size = 1048576; 897 + /* 898 + * Minimum pipe size, as required by POSIX 899 + */ 900 + -unsigned int pipe_min_size = PAGE_SIZE; 901 + +unsigned int pipe_min_size __read_only = PAGE_SIZE; 902 + 903 + /* Maximum allocatable pages per user. Hard limit is unset by default, soft 904 + * matches default values. 905 + diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig 906 + index 1ade1206bb89..60b0f76dec47 100644 907 + --- a/fs/proc/Kconfig 908 + +++ b/fs/proc/Kconfig 909 + @@ -39,7 +39,6 @@ config PROC_KCORE 910 + config PROC_VMCORE 911 + bool "/proc/vmcore support" 912 + depends on PROC_FS && CRASH_DUMP 913 + - default y 914 + help 915 + Exports the dump image of crashed kernel in ELF format. 916 + 917 + diff --git a/fs/stat.c b/fs/stat.c 918 + index 873785dae022..d3c2ada8b9c7 100644 919 + --- a/fs/stat.c 920 + +++ b/fs/stat.c 921 + @@ -40,8 +40,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) 922 + stat->gid = inode->i_gid; 923 + stat->rdev = inode->i_rdev; 924 + stat->size = i_size_read(inode); 925 + - stat->atime = inode->i_atime; 926 + - stat->mtime = inode->i_mtime; 927 + + if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) { 928 + + stat->atime = inode->i_ctime; 929 + + stat->mtime = inode->i_ctime; 930 + + } else { 931 + + stat->atime = inode->i_atime; 932 + + stat->mtime = inode->i_mtime; 933 + + } 934 + stat->ctime = inode->i_ctime; 935 + stat->blksize = i_blocksize(inode); 936 + stat->blocks = inode->i_blocks; 937 + @@ -75,9 +80,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat, 938 + stat->result_mask |= STATX_BASIC_STATS; 939 + request_mask &= STATX_ALL; 940 + query_flags &= KSTAT_QUERY_FLAGS; 941 + - if (inode->i_op->getattr) 942 + - return inode->i_op->getattr(path, stat, request_mask, 943 + - query_flags); 944 + + if (inode->i_op->getattr) { 945 + + int retval = inode->i_op->getattr(path, stat, request_mask, query_flags); 946 + + if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) { 947 + + stat->atime = stat->ctime; 948 + + stat->mtime = stat->ctime; 949 + + } 950 + + return retval; 951 + + } 952 + 953 + generic_fillattr(inode, stat); 954 + return 0; 955 + diff --git a/include/linux/cache.h b/include/linux/cache.h 956 + index 750621e41d1c..e7157c18c62c 100644 957 + --- a/include/linux/cache.h 958 + +++ b/include/linux/cache.h 959 + @@ -31,6 +31,8 @@ 960 + #define __ro_after_init __attribute__((__section__(".data..ro_after_init"))) 961 + #endif 962 + 963 + +#define __read_only __ro_after_init 964 + + 965 + #ifndef ____cacheline_aligned 966 + #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES))) 967 + #endif 968 + diff --git a/include/linux/capability.h b/include/linux/capability.h 969 + index f640dcbc880c..2b4f5d651f19 100644 970 + --- a/include/linux/capability.h 971 + +++ b/include/linux/capability.h 972 + @@ -207,6 +207,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap); 973 + extern bool has_ns_capability_noaudit(struct task_struct *t, 974 + struct user_namespace *ns, int cap); 975 + extern bool capable(int cap); 976 + +extern bool capable_noaudit(int cap); 977 + extern bool ns_capable(struct user_namespace *ns, int cap); 978 + extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); 979 + #else 980 + @@ -232,6 +233,10 @@ static inline bool capable(int cap) 981 + { 982 + return true; 983 + } 984 + +static inline bool capable_noaudit(int cap) 985 + +{ 986 + + return true; 987 + +} 988 + static inline bool ns_capable(struct user_namespace *ns, int cap) 989 + { 990 + return true; 991 + diff --git a/include/linux/fs.h b/include/linux/fs.h 992 + index cc613f20e5a6..7606596d6c2e 100644 993 + --- a/include/linux/fs.h 994 + +++ b/include/linux/fs.h 995 + @@ -3392,4 +3392,15 @@ static inline bool dir_relax_shared(struct inode *inode) 996 + extern bool path_noexec(const struct path *path); 997 + extern void inode_nohighmem(struct inode *inode); 998 + 999 + +extern int device_sidechannel_restrict; 1000 + + 1001 + +static inline bool is_sidechannel_device(const struct inode *inode) 1002 + +{ 1003 + + umode_t mode; 1004 + + if (!device_sidechannel_restrict) 1005 + + return false; 1006 + + mode = inode->i_mode; 1007 + + return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH))); 1008 + +} 1009 + + 1010 + #endif /* _LINUX_FS_H */ 1011 + diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h 1012 + index bdaf22582f6e..326ff15d4637 100644 1013 + --- a/include/linux/fsnotify.h 1014 + +++ b/include/linux/fsnotify.h 1015 + @@ -181,6 +181,9 @@ static inline void fsnotify_access(struct file *file) 1016 + struct inode *inode = path->dentry->d_inode; 1017 + __u32 mask = FS_ACCESS; 1018 + 1019 + + if (is_sidechannel_device(inode)) 1020 + + return; 1021 + + 1022 + if (S_ISDIR(inode->i_mode)) 1023 + mask |= FS_ISDIR; 1024 + 1025 + @@ -199,6 +202,9 @@ static inline void fsnotify_modify(struct file *file) 1026 + struct inode *inode = path->dentry->d_inode; 1027 + __u32 mask = FS_MODIFY; 1028 + 1029 + + if (is_sidechannel_device(inode)) 1030 + + return; 1031 + + 1032 + if (S_ISDIR(inode->i_mode)) 1033 + mask |= FS_ISDIR; 1034 + 1035 + diff --git a/include/linux/gfp.h b/include/linux/gfp.h 1036 + index b041f94678de..a5e0175c79e0 100644 1037 + --- a/include/linux/gfp.h 1038 + +++ b/include/linux/gfp.h 1039 + @@ -518,9 +518,9 @@ extern struct page *alloc_pages_vma(gfp_t gfp_mask, int order, 1040 + extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order); 1041 + extern unsigned long get_zeroed_page(gfp_t gfp_mask); 1042 + 1043 + -void *alloc_pages_exact(size_t size, gfp_t gfp_mask); 1044 + +void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1))); 1045 + void free_pages_exact(void *virt, size_t size); 1046 + -void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask); 1047 + +void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1))); 1048 + 1049 + #define __get_free_page(gfp_mask) \ 1050 + __get_free_pages((gfp_mask), 0) 1051 + diff --git a/include/linux/highmem.h b/include/linux/highmem.h 1052 + index 776f90f3a1cd..3f5c47000059 100644 1053 + --- a/include/linux/highmem.h 1054 + +++ b/include/linux/highmem.h 1055 + @@ -191,6 +191,13 @@ static inline void clear_highpage(struct page *page) 1056 + kunmap_atomic(kaddr); 1057 + } 1058 + 1059 + +static inline void verify_zero_highpage(struct page *page) 1060 + +{ 1061 + + void *kaddr = kmap_atomic(page); 1062 + + BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE)); 1063 + + kunmap_atomic(kaddr); 1064 + +} 1065 + + 1066 + static inline void zero_user_segments(struct page *page, 1067 + unsigned start1, unsigned end1, 1068 + unsigned start2, unsigned end2) 1069 + diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h 1070 + index 69c238210325..ee487ea4f48f 100644 1071 + --- a/include/linux/interrupt.h 1072 + +++ b/include/linux/interrupt.h 1073 + @@ -485,7 +485,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS]; 1074 + 1075 + struct softirq_action 1076 + { 1077 + - void (*action)(struct softirq_action *); 1078 + + void (*action)(void); 1079 + }; 1080 + 1081 + asmlinkage void do_softirq(void); 1082 + @@ -500,7 +500,7 @@ static inline void do_softirq_own_stack(void) 1083 + } 1084 + #endif 1085 + 1086 + -extern void open_softirq(int nr, void (*action)(struct softirq_action *)); 1087 + +extern void __init open_softirq(int nr, void (*action)(void)); 1088 + extern void softirq_init(void); 1089 + extern void __raise_softirq_irqoff(unsigned int nr); 1090 + 1091 + diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h 1092 + index df32d2508290..c992d130b94d 100644 1093 + --- a/include/linux/kobject_ns.h 1094 + +++ b/include/linux/kobject_ns.h 1095 + @@ -46,7 +46,7 @@ struct kobj_ns_type_operations { 1096 + void (*drop_ns)(void *); 1097 + }; 1098 + 1099 + -int kobj_ns_type_register(const struct kobj_ns_type_operations *ops); 1100 + +int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops); 1101 + int kobj_ns_type_registered(enum kobj_ns_type type); 1102 + const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent); 1103 + const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj); 1104 + diff --git a/include/linux/mm.h b/include/linux/mm.h 1105 + index f23215854c80..98df98c44cc0 100644 1106 + --- a/include/linux/mm.h 1107 + +++ b/include/linux/mm.h 1108 + @@ -525,7 +525,7 @@ static inline int is_vmalloc_or_module_addr(const void *x) 1109 + } 1110 + #endif 1111 + 1112 + -extern void *kvmalloc_node(size_t size, gfp_t flags, int node); 1113 + +extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1))); 1114 + static inline void *kvmalloc(size_t size, gfp_t flags) 1115 + { 1116 + return kvmalloc_node(size, flags, NUMA_NO_NODE); 1117 + diff --git a/include/linux/percpu.h b/include/linux/percpu.h 1118 + index 296bbe49d5d1..b26652c9a98d 100644 1119 + --- a/include/linux/percpu.h 1120 + +++ b/include/linux/percpu.h 1121 + @@ -129,7 +129,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size, 1122 + pcpu_fc_populate_pte_fn_t populate_pte_fn); 1123 + #endif 1124 + 1125 + -extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align); 1126 + +extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1))); 1127 + extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr); 1128 + extern bool is_kernel_percpu_address(unsigned long addr); 1129 + 1130 + @@ -137,8 +137,8 @@ extern bool is_kernel_percpu_address(unsigned long addr); 1131 + extern void __init setup_per_cpu_areas(void); 1132 + #endif 1133 + 1134 + -extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp); 1135 + -extern void __percpu *__alloc_percpu(size_t size, size_t align); 1136 + +extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1))); 1137 + +extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1))); 1138 + extern void free_percpu(void __percpu *__pdata); 1139 + extern phys_addr_t per_cpu_ptr_to_phys(void *addr); 1140 + 1141 + diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h 1142 + index 8e22f24ded6a..b7fecdfa6de5 100644 1143 + --- a/include/linux/perf_event.h 1144 + +++ b/include/linux/perf_event.h 1145 + @@ -1165,6 +1165,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write, 1146 + int perf_event_max_stack_handler(struct ctl_table *table, int write, 1147 + void __user *buffer, size_t *lenp, loff_t *ppos); 1148 + 1149 + +static inline bool perf_paranoid_any(void) 1150 + +{ 1151 + + return sysctl_perf_event_paranoid > 2; 1152 + +} 1153 + + 1154 + static inline bool perf_paranoid_tracepoint_raw(void) 1155 + { 1156 + return sysctl_perf_event_paranoid > -1; 1157 + diff --git a/include/linux/slab.h b/include/linux/slab.h 1158 + index ae5ed6492d54..fd0786124504 100644 1159 + --- a/include/linux/slab.h 1160 + +++ b/include/linux/slab.h 1161 + @@ -146,8 +146,8 @@ void memcg_destroy_kmem_caches(struct mem_cgroup *); 1162 + /* 1163 + * Common kmalloc functions provided by all allocators 1164 + */ 1165 + -void * __must_check __krealloc(const void *, size_t, gfp_t); 1166 + -void * __must_check krealloc(const void *, size_t, gfp_t); 1167 + +void * __must_check __krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2))); 1168 + +void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2))); 1169 + void kfree(const void *); 1170 + void kzfree(const void *); 1171 + size_t ksize(const void *); 1172 + @@ -324,7 +324,7 @@ static __always_inline int kmalloc_index(size_t size) 1173 + } 1174 + #endif /* !CONFIG_SLOB */ 1175 + 1176 + -void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc; 1177 + +void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1))); 1178 + void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc; 1179 + void kmem_cache_free(struct kmem_cache *, void *); 1180 + 1181 + @@ -348,7 +348,7 @@ static __always_inline void kfree_bulk(size_t size, void **p) 1182 + } 1183 + 1184 + #ifdef CONFIG_NUMA 1185 + -void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc; 1186 + +void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1))); 1187 + void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc; 1188 + #else 1189 + static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node) 1190 + @@ -473,7 +473,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags) 1191 + * for general use, and so are not documented here. For a full list of 1192 + * potential flags, always refer to linux/gfp.h. 1193 + */ 1194 + -static __always_inline void *kmalloc(size_t size, gfp_t flags) 1195 + +static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags) 1196 + { 1197 + if (__builtin_constant_p(size)) { 1198 + if (size > KMALLOC_MAX_CACHE_SIZE) 1199 + @@ -513,7 +513,7 @@ static __always_inline int kmalloc_size(int n) 1200 + return 0; 1201 + } 1202 + 1203 + -static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) 1204 + +static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node) 1205 + { 1206 + #ifndef CONFIG_SLOB 1207 + if (__builtin_constant_p(size) && 1208 + diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h 1209 + index 39fa09bcde23..0b7a48cd883b 100644 1210 + --- a/include/linux/slub_def.h 1211 + +++ b/include/linux/slub_def.h 1212 + @@ -120,6 +120,11 @@ struct kmem_cache { 1213 + unsigned long random; 1214 + #endif 1215 + 1216 + +#ifdef CONFIG_SLAB_CANARY 1217 + + unsigned long random_active; 1218 + + unsigned long random_inactive; 1219 + +#endif 1220 + + 1221 + #ifdef CONFIG_NUMA 1222 + /* 1223 + * Defragmentation by allocating from a remote node. 1224 + diff --git a/include/linux/string.h b/include/linux/string.h 1225 + index cfd83eb2f926..b9ecb42c762d 100644 1226 + --- a/include/linux/string.h 1227 + +++ b/include/linux/string.h 1228 + @@ -234,10 +234,16 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob 1229 + void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter"); 1230 + void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter"); 1231 + 1232 + +#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING 1233 + +#define __string_size(p) __builtin_object_size(p, 1) 1234 + +#else 1235 + +#define __string_size(p) __builtin_object_size(p, 0) 1236 + +#endif 1237 + + 1238 + #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) 1239 + __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) 1240 + { 1241 + - size_t p_size = __builtin_object_size(p, 0); 1242 + + size_t p_size = __string_size(p); 1243 + if (__builtin_constant_p(size) && p_size < size) 1244 + __write_overflow(); 1245 + if (p_size < size) 1246 + @@ -247,7 +253,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) 1247 + 1248 + __FORTIFY_INLINE char *strcat(char *p, const char *q) 1249 + { 1250 + - size_t p_size = __builtin_object_size(p, 0); 1251 + + size_t p_size = __string_size(p); 1252 + if (p_size == (size_t)-1) 1253 + return __builtin_strcat(p, q); 1254 + if (strlcat(p, q, p_size) >= p_size) 1255 + @@ -258,7 +264,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) 1256 + __FORTIFY_INLINE __kernel_size_t strlen(const char *p) 1257 + { 1258 + __kernel_size_t ret; 1259 + - size_t p_size = __builtin_object_size(p, 0); 1260 + + size_t p_size = __string_size(p); 1261 + 1262 + /* Work around gcc excess stack consumption issue */ 1263 + if (p_size == (size_t)-1 || 1264 + @@ -273,7 +279,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) 1265 + extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); 1266 + __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) 1267 + { 1268 + - size_t p_size = __builtin_object_size(p, 0); 1269 + + size_t p_size = __string_size(p); 1270 + __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); 1271 + if (p_size <= ret && maxlen != ret) 1272 + fortify_panic(__func__); 1273 + @@ -285,8 +291,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); 1274 + __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) 1275 + { 1276 + size_t ret; 1277 + - size_t p_size = __builtin_object_size(p, 0); 1278 + - size_t q_size = __builtin_object_size(q, 0); 1279 + + size_t p_size = __string_size(p); 1280 + + size_t q_size = __string_size(q); 1281 + if (p_size == (size_t)-1 && q_size == (size_t)-1) 1282 + return __real_strlcpy(p, q, size); 1283 + ret = strlen(q); 1284 + @@ -306,8 +312,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) 1285 + __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) 1286 + { 1287 + size_t p_len, copy_len; 1288 + - size_t p_size = __builtin_object_size(p, 0); 1289 + - size_t q_size = __builtin_object_size(q, 0); 1290 + + size_t p_size = __string_size(p); 1291 + + size_t q_size = __string_size(q); 1292 + if (p_size == (size_t)-1 && q_size == (size_t)-1) 1293 + return __builtin_strncat(p, q, count); 1294 + p_len = strlen(p); 1295 + @@ -420,8 +426,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) 1296 + /* defined after fortified strlen and memcpy to reuse them */ 1297 + __FORTIFY_INLINE char *strcpy(char *p, const char *q) 1298 + { 1299 + - size_t p_size = __builtin_object_size(p, 0); 1300 + - size_t q_size = __builtin_object_size(q, 0); 1301 + + size_t p_size = __string_size(p); 1302 + + size_t q_size = __string_size(q); 1303 + if (p_size == (size_t)-1 && q_size == (size_t)-1) 1304 + return __builtin_strcpy(p, q); 1305 + memcpy(p, q, strlen(q) + 1); 1306 + diff --git a/include/linux/tty.h b/include/linux/tty.h 1307 + index 1dd587ba6d88..9a9a04fb641d 100644 1308 + --- a/include/linux/tty.h 1309 + +++ b/include/linux/tty.h 1310 + @@ -13,6 +13,7 @@ 1311 + #include <uapi/linux/tty.h> 1312 + #include <linux/rwsem.h> 1313 + #include <linux/llist.h> 1314 + +#include <linux/user_namespace.h> 1315 + 1316 + 1317 + /* 1318 + @@ -335,6 +336,7 @@ struct tty_struct { 1319 + /* If the tty has a pending do_SAK, queue it here - akpm */ 1320 + struct work_struct SAK_work; 1321 + struct tty_port *port; 1322 + + struct user_namespace *owner_user_ns; 1323 + } __randomize_layout; 1324 + 1325 + /* Each of a tty's open files has private_data pointing to tty_file_private */ 1326 + @@ -344,6 +346,8 @@ struct tty_file_private { 1327 + struct list_head list; 1328 + }; 1329 + 1330 + +extern int tiocsti_restrict; 1331 + + 1332 + /* tty magic number */ 1333 + #define TTY_MAGIC 0x5401 1334 + 1335 + diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h 1336 + index 1e5d8c392f15..66d0e49c9987 100644 1337 + --- a/include/linux/vmalloc.h 1338 + +++ b/include/linux/vmalloc.h 1339 + @@ -68,19 +68,19 @@ static inline void vmalloc_init(void) 1340 + } 1341 + #endif 1342 + 1343 + -extern void *vmalloc(unsigned long size); 1344 + -extern void *vzalloc(unsigned long size); 1345 + -extern void *vmalloc_user(unsigned long size); 1346 + -extern void *vmalloc_node(unsigned long size, int node); 1347 + -extern void *vzalloc_node(unsigned long size, int node); 1348 + -extern void *vmalloc_exec(unsigned long size); 1349 + -extern void *vmalloc_32(unsigned long size); 1350 + -extern void *vmalloc_32_user(unsigned long size); 1351 + -extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot); 1352 + +extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1))); 1353 + +extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1))); 1354 + +extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1))); 1355 + +extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1))); 1356 + +extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1))); 1357 + +extern void *vmalloc_exec(unsigned long size) __attribute__((alloc_size(1))); 1358 + +extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1))); 1359 + +extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1))); 1360 + +extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot) __attribute__((alloc_size(1))); 1361 + extern void *__vmalloc_node_range(unsigned long size, unsigned long align, 1362 + unsigned long start, unsigned long end, gfp_t gfp_mask, 1363 + pgprot_t prot, unsigned long vm_flags, int node, 1364 + - const void *caller); 1365 + + const void *caller) __attribute__((alloc_size(1))); 1366 + #ifndef CONFIG_MMU 1367 + extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags); 1368 + static inline void *__vmalloc_node_flags_caller(unsigned long size, int node, 1369 + diff --git a/init/Kconfig b/init/Kconfig 1370 + index 46075327c165..0c78750bc76d 100644 1371 + --- a/init/Kconfig 1372 + +++ b/init/Kconfig 1373 + @@ -309,6 +309,7 @@ config USELIB 1374 + config AUDIT 1375 + bool "Auditing support" 1376 + depends on NET 1377 + + default y 1378 + help 1379 + Enable auditing infrastructure that can be used with another 1380 + kernel subsystem, such as SELinux (which requires this for 1381 + @@ -1052,6 +1053,12 @@ config CC_OPTIMIZE_FOR_SIZE 1382 + 1383 + endchoice 1384 + 1385 + +config LOCAL_INIT 1386 + + bool "Zero uninitialized locals" 1387 + + help 1388 + + Zero-fill uninitialized local variables, other than variable-length 1389 + + arrays. Requires compiler support. 1390 + + 1391 + config SYSCTL 1392 + bool 1393 + 1394 + @@ -1361,8 +1368,7 @@ config SHMEM 1395 + which may be appropriate on small systems without swap. 1396 + 1397 + config AIO 1398 + - bool "Enable AIO support" if EXPERT 1399 + - default y 1400 + + bool "Enable AIO support" 1401 + help 1402 + This option enables POSIX asynchronous I/O which may by used 1403 + by some high performance threaded applications. Disabling 1404 + @@ -1491,7 +1497,7 @@ config VM_EVENT_COUNTERS 1405 + 1406 + config SLUB_DEBUG 1407 + default y 1408 + - bool "Enable SLUB debugging support" if EXPERT 1409 + + bool "Enable SLUB debugging support" 1410 + depends on SLUB && SYSFS 1411 + help 1412 + SLUB has extensive debug support features. Disabling these can 1413 + @@ -1515,7 +1521,6 @@ config SLUB_MEMCG_SYSFS_ON 1414 + 1415 + config COMPAT_BRK 1416 + bool "Disable heap randomization" 1417 + - default y 1418 + help 1419 + Randomizing heap placement makes heap exploits harder, but it 1420 + also breaks ancient binaries (including anything libc5 based). 1421 + @@ -1562,7 +1567,6 @@ endchoice 1422 + 1423 + config SLAB_MERGE_DEFAULT 1424 + bool "Allow slab caches to be merged" 1425 + - default y 1426 + help 1427 + For reduced kernel memory fragmentation, slab caches can be 1428 + merged when they share the same size and other characteristics. 1429 + @@ -1575,9 +1579,9 @@ config SLAB_MERGE_DEFAULT 1430 + command line. 1431 + 1432 + config SLAB_FREELIST_RANDOM 1433 + - default n 1434 + depends on SLAB || SLUB 1435 + bool "SLAB freelist randomization" 1436 + + default y 1437 + help 1438 + Randomizes the freelist order used on creating new pages. This 1439 + security feature reduces the predictability of the kernel slab 1440 + @@ -1586,12 +1590,56 @@ config SLAB_FREELIST_RANDOM 1441 + config SLAB_FREELIST_HARDENED 1442 + bool "Harden slab freelist metadata" 1443 + depends on SLUB 1444 + + default y 1445 + help 1446 + Many kernel heap attacks try to target slab cache metadata and 1447 + other infrastructure. This options makes minor performance 1448 + sacrifies to harden the kernel slab allocator against common 1449 + freelist exploit methods. 1450 + 1451 + +config SLAB_HARDENED 1452 + + default y 1453 + + depends on SLUB 1454 + + bool "Hardened SLAB infrastructure" 1455 + + help 1456 + + Make minor performance sacrifices to harden the kernel slab 1457 + + allocator. 1458 + + 1459 + +config SLAB_CANARY 1460 + + depends on SLUB 1461 + + depends on !SLAB_MERGE_DEFAULT 1462 + + bool "SLAB canaries" 1463 + + default y 1464 + + help 1465 + + Place canaries at the end of kernel slab allocations, sacrificing 1466 + + some performance and memory usage for security. 1467 + + 1468 + + Canaries can detect some forms of heap corruption when allocations 1469 + + are freed and as part of the HARDENED_USERCOPY feature. It provides 1470 + + basic use-after-free detection for HARDENED_USERCOPY. 1471 + + 1472 + + Canaries absorb small overflows (rendering them harmless), mitigate 1473 + + non-NUL terminated C string overflows on 64-bit via a guaranteed zero 1474 + + byte and provide basic double-free detection. 1475 + + 1476 + +config SLAB_SANITIZE 1477 + + bool "Sanitize SLAB allocations" 1478 + + depends on SLUB 1479 + + default y 1480 + + help 1481 + + Zero fill slab allocations on free, reducing the lifetime of 1482 + + sensitive data and helping to mitigate use-after-free bugs. 1483 + + 1484 + + For slabs with debug poisoning enabling, this has no impact. 1485 + + 1486 + +config SLAB_SANITIZE_VERIFY 1487 + + depends on SLAB_SANITIZE && PAGE_SANITIZE 1488 + + default y 1489 + + bool "Verify sanitized SLAB allocations" 1490 + + help 1491 + + Verify that newly allocated slab allocations are zeroed to detect 1492 + + write-after-free bugs. 1493 + + 1494 + config SLUB_CPU_PARTIAL 1495 + default y 1496 + depends on SLUB && SMP 1497 + diff --git a/kernel/audit.c b/kernel/audit.c 1498 + index 5b34d3114af4..e57930192ce1 100644 1499 + --- a/kernel/audit.c 1500 + +++ b/kernel/audit.c 1501 + @@ -1573,6 +1573,9 @@ static int __init audit_enable(char *str) 1502 + audit_default = !!simple_strtol(str, NULL, 0); 1503 + if (!audit_default) 1504 + audit_initialized = AUDIT_DISABLED; 1505 + + else 1506 + + audit_initialized = AUDIT_UNINITIALIZED; 1507 + + 1508 + audit_enabled = audit_default; 1509 + audit_ever_enabled = !!audit_enabled; 1510 + 1511 + diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c 1512 + index d203a5d6b726..2a6c3e2c57a6 100644 1513 + --- a/kernel/bpf/core.c 1514 + +++ b/kernel/bpf/core.c 1515 + @@ -539,7 +539,7 @@ void __weak bpf_jit_free(struct bpf_prog *fp) 1516 + bpf_prog_unlock_free(fp); 1517 + } 1518 + 1519 + -int bpf_jit_harden __read_mostly; 1520 + +int bpf_jit_harden __read_mostly = 2; 1521 + 1522 + static int bpf_jit_blind_insn(const struct bpf_insn *from, 1523 + const struct bpf_insn *aux, 1524 + diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c 1525 + index 4e933219fec6..0f37db32a2b1 100644 1526 + --- a/kernel/bpf/syscall.c 1527 + +++ b/kernel/bpf/syscall.c 1528 + @@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(prog_idr_lock); 1529 + static DEFINE_IDR(map_idr); 1530 + static DEFINE_SPINLOCK(map_idr_lock); 1531 + 1532 + -int sysctl_unprivileged_bpf_disabled __read_mostly; 1533 + +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; 1534 + 1535 + static const struct bpf_map_ops * const bpf_map_types[] = { 1536 + #define BPF_PROG_TYPE(_id, _ops) 1537 + diff --git a/kernel/capability.c b/kernel/capability.c 1538 + index 1e1c0236f55b..452062fe45ce 100644 1539 + --- a/kernel/capability.c 1540 + +++ b/kernel/capability.c 1541 + @@ -431,6 +431,12 @@ bool capable(int cap) 1542 + return ns_capable(&init_user_ns, cap); 1543 + } 1544 + EXPORT_SYMBOL(capable); 1545 + + 1546 + +bool capable_noaudit(int cap) 1547 + +{ 1548 + + return ns_capable_noaudit(&init_user_ns, cap); 1549 + +} 1550 + +EXPORT_SYMBOL(capable_noaudit); 1551 + #endif /* CONFIG_MULTIUSER */ 1552 + 1553 + /** 1554 + diff --git a/kernel/events/core.c b/kernel/events/core.c 1555 + index cb8274d7824f..c1b3d232b0a4 100644 1556 + --- a/kernel/events/core.c 1557 + +++ b/kernel/events/core.c 1558 + @@ -397,8 +397,13 @@ static cpumask_var_t perf_online_mask; 1559 + * 0 - disallow raw tracepoint access for unpriv 1560 + * 1 - disallow cpu events for unpriv 1561 + * 2 - disallow kernel profiling for unpriv 1562 + + * 3 - disallow all unpriv perf event use 1563 + */ 1564 + +#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT 1565 + +int sysctl_perf_event_paranoid __read_mostly = 3; 1566 + +#else 1567 + int sysctl_perf_event_paranoid __read_mostly = 2; 1568 + +#endif 1569 + 1570 + /* Minimum for 512 kiB + 1 user control page */ 1571 + int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ 1572 + @@ -9941,6 +9946,9 @@ SYSCALL_DEFINE5(perf_event_open, 1573 + if (flags & ~PERF_FLAG_ALL) 1574 + return -EINVAL; 1575 + 1576 + + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN)) 1577 + + return -EACCES; 1578 + + 1579 + err = perf_copy_attr(attr_uptr, &attr); 1580 + if (err) 1581 + return err; 1582 + diff --git a/kernel/fork.c b/kernel/fork.c 1583 + index 98c91bd341b4..dbb9540ee61c 100644 1584 + --- a/kernel/fork.c 1585 + +++ b/kernel/fork.c 1586 + @@ -102,6 +102,11 @@ 1587 + 1588 + #define CREATE_TRACE_POINTS 1589 + #include <trace/events/task.h> 1590 + +#ifdef CONFIG_USER_NS 1591 + +extern int unprivileged_userns_clone; 1592 + +#else 1593 + +#define unprivileged_userns_clone 0 1594 + +#endif 1595 + 1596 + /* 1597 + * Minimum number of threads to boot the kernel 1598 + @@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process( 1599 + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) 1600 + return ERR_PTR(-EINVAL); 1601 + 1602 + + if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) 1603 + + if (!capable(CAP_SYS_ADMIN)) 1604 + + return ERR_PTR(-EPERM); 1605 + + 1606 + /* 1607 + * Thread groups must share signals as well, and detached threads 1608 + * can only be started up within the thread group. 1609 + @@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) 1610 + if (unshare_flags & CLONE_NEWNS) 1611 + unshare_flags |= CLONE_FS; 1612 + 1613 + + if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { 1614 + + err = -EPERM; 1615 + + if (!capable(CAP_SYS_ADMIN)) 1616 + + goto bad_unshare_out; 1617 + + } 1618 + + 1619 + err = check_unshare_flags(unshare_flags); 1620 + if (err) 1621 + goto bad_unshare_out; 1622 + diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c 1623 + index 0972a8e09d08..00dde7aad47a 100644 1624 + --- a/kernel/power/snapshot.c 1625 + +++ b/kernel/power/snapshot.c 1626 + @@ -1136,7 +1136,7 @@ void free_basic_memory_bitmaps(void) 1627 + 1628 + void clear_free_pages(void) 1629 + { 1630 + -#ifdef CONFIG_PAGE_POISONING_ZERO 1631 + +#if defined(CONFIG_PAGE_POISONING_ZERO) || defined(CONFIG_PAGE_SANITIZE) 1632 + struct memory_bitmap *bm = free_pages_map; 1633 + unsigned long pfn; 1634 + 1635 + @@ -1153,7 +1153,7 @@ void clear_free_pages(void) 1636 + } 1637 + memory_bm_position_reset(bm); 1638 + pr_info("PM: free pages cleared after restore\n"); 1639 + -#endif /* PAGE_POISONING_ZERO */ 1640 + +#endif /* PAGE_POISONING_ZERO || PAGE_SANITIZE */ 1641 + } 1642 + 1643 + /** 1644 + diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c 1645 + index a64eee0db39e..4d7de378fe4c 100644 1646 + --- a/kernel/rcu/tiny.c 1647 + +++ b/kernel/rcu/tiny.c 1648 + @@ -164,7 +164,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp) 1649 + } 1650 + } 1651 + 1652 + -static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused) 1653 + +static __latent_entropy void rcu_process_callbacks(void) 1654 + { 1655 + __rcu_process_callbacks(&rcu_sched_ctrlblk); 1656 + __rcu_process_callbacks(&rcu_bh_ctrlblk); 1657 + diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c 1658 + index 3e3650e94ae6..7ecd7a5d04b3 100644 1659 + --- a/kernel/rcu/tree.c 1660 + +++ b/kernel/rcu/tree.c 1661 + @@ -2918,7 +2918,7 @@ __rcu_process_callbacks(struct rcu_state *rsp) 1662 + /* 1663 + * Do RCU core processing for the current CPU. 1664 + */ 1665 + -static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused) 1666 + +static __latent_entropy void rcu_process_callbacks(void) 1667 + { 1668 + struct rcu_state *rsp; 1669 + 1670 + diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c 1671 + index 5c09ddf8c832..f5db6ece105a 100644 1672 + --- a/kernel/sched/fair.c 1673 + +++ b/kernel/sched/fair.c 1674 + @@ -8986,7 +8986,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { } 1675 + * run_rebalance_domains is triggered when needed from the scheduler tick. 1676 + * Also triggered for nohz idle balancing (with nohz_balancing_kick set). 1677 + */ 1678 + -static __latent_entropy void run_rebalance_domains(struct softirq_action *h) 1679 + +static __latent_entropy void run_rebalance_domains(void) 1680 + { 1681 + struct rq *this_rq = this_rq(); 1682 + enum cpu_idle_type idle = this_rq->idle_balance ? 1683 + diff --git a/kernel/softirq.c b/kernel/softirq.c 1684 + index e89c3b0cff6d..0d3ebd520931 100644 1685 + --- a/kernel/softirq.c 1686 + +++ b/kernel/softirq.c 1687 + @@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned; 1688 + EXPORT_SYMBOL(irq_stat); 1689 + #endif 1690 + 1691 + -static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp; 1692 + +static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE); 1693 + 1694 + DEFINE_PER_CPU(struct task_struct *, ksoftirqd); 1695 + 1696 + @@ -281,7 +281,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void) 1697 + kstat_incr_softirqs_this_cpu(vec_nr); 1698 + 1699 + trace_softirq_entry(vec_nr); 1700 + - h->action(h); 1701 + + h->action(); 1702 + trace_softirq_exit(vec_nr); 1703 + if (unlikely(prev_count != preempt_count())) { 1704 + pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n", 1705 + @@ -444,7 +444,7 @@ void __raise_softirq_irqoff(unsigned int nr) 1706 + or_softirq_pending(1UL << nr); 1707 + } 1708 + 1709 + -void open_softirq(int nr, void (*action)(struct softirq_action *)) 1710 + +void __init open_softirq(int nr, void (*action)(void)) 1711 + { 1712 + softirq_vec[nr].action = action; 1713 + } 1714 + @@ -486,7 +486,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t) 1715 + } 1716 + EXPORT_SYMBOL(__tasklet_hi_schedule); 1717 + 1718 + -static __latent_entropy void tasklet_action(struct softirq_action *a) 1719 + +static __latent_entropy void tasklet_action(void) 1720 + { 1721 + struct tasklet_struct *list; 1722 + 1723 + @@ -522,7 +522,7 @@ static __latent_entropy void tasklet_action(struct softirq_action *a) 1724 + } 1725 + } 1726 + 1727 + -static __latent_entropy void tasklet_hi_action(struct softirq_action *a) 1728 + +static __latent_entropy void tasklet_hi_action(void) 1729 + { 1730 + struct tasklet_struct *list; 1731 + 1732 + diff --git a/kernel/sysctl.c b/kernel/sysctl.c 1733 + index 069550540a39..822783a174aa 100644 1734 + --- a/kernel/sysctl.c 1735 + +++ b/kernel/sysctl.c 1736 + @@ -66,6 +66,7 @@ 1737 + #include <linux/kexec.h> 1738 + #include <linux/bpf.h> 1739 + #include <linux/mount.h> 1740 + +#include <linux/tty.h> 1741 + 1742 + #include <linux/uaccess.h> 1743 + #include <asm/processor.h> 1744 + @@ -98,12 +99,19 @@ 1745 + #if defined(CONFIG_SYSCTL) 1746 + 1747 + /* External variables not in a header file. */ 1748 + +#if IS_ENABLED(CONFIG_USB) 1749 + +int deny_new_usb __read_mostly = 0; 1750 + +EXPORT_SYMBOL(deny_new_usb); 1751 + +#endif 1752 + extern int suid_dumpable; 1753 + #ifdef CONFIG_COREDUMP 1754 + extern int core_uses_pid; 1755 + extern char core_pattern[]; 1756 + extern unsigned int core_pipe_limit; 1757 + #endif 1758 + +#ifdef CONFIG_USER_NS 1759 + +extern int unprivileged_userns_clone; 1760 + +#endif 1761 + extern int pid_max; 1762 + extern int pid_max_min, pid_max_max; 1763 + extern int percpu_pagelist_fraction; 1764 + @@ -115,40 +123,43 @@ extern int sysctl_nr_trim_pages; 1765 + 1766 + /* Constants used for minimum and maximum */ 1767 + #ifdef CONFIG_LOCKUP_DETECTOR 1768 + -static int sixty = 60; 1769 + +static int sixty __read_only = 60; 1770 + #endif 1771 + 1772 + -static int __maybe_unused neg_one = -1; 1773 + +static int __maybe_unused neg_one __read_only = -1; 1774 + 1775 + static int zero; 1776 + -static int __maybe_unused one = 1; 1777 + -static int __maybe_unused two = 2; 1778 + -static int __maybe_unused four = 4; 1779 + -static unsigned long one_ul = 1; 1780 + -static int one_hundred = 100; 1781 + -static int one_thousand = 1000; 1782 + +static int __maybe_unused one __read_only = 1; 1783 + +static int __maybe_unused two __read_only = 2; 1784 + +static int __maybe_unused four __read_only = 4; 1785 + +static unsigned long one_ul __read_only = 1; 1786 + +static int one_hundred __read_only = 100; 1787 + +static int one_thousand __read_only = 1000; 1788 + #ifdef CONFIG_PRINTK 1789 + -static int ten_thousand = 10000; 1790 + +static int ten_thousand __read_only = 10000; 1791 + #endif 1792 + #ifdef CONFIG_PERF_EVENTS 1793 + -static int six_hundred_forty_kb = 640 * 1024; 1794 + +static int six_hundred_forty_kb __read_only = 640 * 1024; 1795 + #endif 1796 + 1797 + /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */ 1798 + -static unsigned long dirty_bytes_min = 2 * PAGE_SIZE; 1799 + +static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE; 1800 + 1801 + /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */ 1802 + -static int maxolduid = 65535; 1803 + -static int minolduid; 1804 + +static int maxolduid __read_only = 65535; 1805 + +static int minolduid __read_only; 1806 + 1807 + -static int ngroups_max = NGROUPS_MAX; 1808 + +static int ngroups_max __read_only = NGROUPS_MAX; 1809 + static const int cap_last_cap = CAP_LAST_CAP; 1810 + 1811 + /*this is needed for proc_doulongvec_minmax of sysctl_hung_task_timeout_secs */ 1812 + #ifdef CONFIG_DETECT_HUNG_TASK 1813 + -static unsigned long hung_task_timeout_max = (LONG_MAX/HZ); 1814 + +static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ); 1815 + #endif 1816 + 1817 + +int device_sidechannel_restrict __read_mostly = 1; 1818 + +EXPORT_SYMBOL(device_sidechannel_restrict); 1819 + + 1820 + #ifdef CONFIG_INOTIFY_USER 1821 + #include <linux/inotify.h> 1822 + #endif 1823 + @@ -286,19 +297,19 @@ static struct ctl_table sysctl_base_table[] = { 1824 + }; 1825 + 1826 + #ifdef CONFIG_SCHED_DEBUG 1827 + -static int min_sched_granularity_ns = 100000; /* 100 usecs */ 1828 + -static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */ 1829 + -static int min_wakeup_granularity_ns; /* 0 usecs */ 1830 + -static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */ 1831 + +static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */ 1832 + +static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */ 1833 + +static int min_wakeup_granularity_ns __read_only; /* 0 usecs */ 1834 + +static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */ 1835 + #ifdef CONFIG_SMP 1836 + -static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE; 1837 + -static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1; 1838 + +static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE; 1839 + +static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1; 1840 + #endif /* CONFIG_SMP */ 1841 + #endif /* CONFIG_SCHED_DEBUG */ 1842 + 1843 + #ifdef CONFIG_COMPACTION 1844 + -static int min_extfrag_threshold; 1845 + -static int max_extfrag_threshold = 1000; 1846 + +static int min_extfrag_threshold __read_only; 1847 + +static int max_extfrag_threshold __read_only = 1000; 1848 + #endif 1849 + 1850 + static struct ctl_table kern_table[] = { 1851 + @@ -512,6 +523,15 @@ static struct ctl_table kern_table[] = { 1852 + .proc_handler = proc_dointvec, 1853 + }, 1854 + #endif 1855 + +#ifdef CONFIG_USER_NS 1856 + + { 1857 + + .procname = "unprivileged_userns_clone", 1858 + + .data = &unprivileged_userns_clone, 1859 + + .maxlen = sizeof(int), 1860 + + .mode = 0644, 1861 + + .proc_handler = proc_dointvec, 1862 + + }, 1863 + +#endif 1864 + #ifdef CONFIG_PROC_SYSCTL 1865 + { 1866 + .procname = "tainted", 1867 + @@ -853,6 +873,37 @@ static struct ctl_table kern_table[] = { 1868 + .extra1 = &zero, 1869 + .extra2 = &two, 1870 + }, 1871 + +#endif 1872 + +#if defined CONFIG_TTY 1873 + + { 1874 + + .procname = "tiocsti_restrict", 1875 + + .data = &tiocsti_restrict, 1876 + + .maxlen = sizeof(int), 1877 + + .mode = 0644, 1878 + + .proc_handler = proc_dointvec_minmax_sysadmin, 1879 + + .extra1 = &zero, 1880 + + .extra2 = &one, 1881 + + }, 1882 + +#endif 1883 + + { 1884 + + .procname = "device_sidechannel_restrict", 1885 + + .data = &device_sidechannel_restrict, 1886 + + .maxlen = sizeof(int), 1887 + + .mode = 0644, 1888 + + .proc_handler = proc_dointvec_minmax_sysadmin, 1889 + + .extra1 = &zero, 1890 + + .extra2 = &one, 1891 + + }, 1892 + +#if IS_ENABLED(CONFIG_USB) 1893 + + { 1894 + + .procname = "deny_new_usb", 1895 + + .data = &deny_new_usb, 1896 + + .maxlen = sizeof(int), 1897 + + .mode = 0644, 1898 + + .proc_handler = proc_dointvec_minmax_sysadmin, 1899 + + .extra1 = &zero, 1900 + + .extra2 = &one, 1901 + + }, 1902 + #endif 1903 + { 1904 + .procname = "ngroups_max", 1905 + diff --git a/kernel/time/timer.c b/kernel/time/timer.c 1906 + index 9fe525f410bf..6a85b0e1292e 100644 1907 + --- a/kernel/time/timer.c 1908 + +++ b/kernel/time/timer.c 1909 + @@ -1624,7 +1624,7 @@ static inline void __run_timers(struct timer_base *base) 1910 + /* 1911 + * This function runs timers and the timer-tq in bottom half context. 1912 + */ 1913 + -static __latent_entropy void run_timer_softirq(struct softirq_action *h) 1914 + +static __latent_entropy void run_timer_softirq(void) 1915 + { 1916 + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); 1917 + 1918 + diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c 1919 + index c490f1e4313b..dd03bd39d7bf 100644 1920 + --- a/kernel/user_namespace.c 1921 + +++ b/kernel/user_namespace.c 1922 + @@ -24,6 +24,9 @@ 1923 + #include <linux/projid.h> 1924 + #include <linux/fs_struct.h> 1925 + 1926 + +/* sysctl */ 1927 + +int unprivileged_userns_clone; 1928 + + 1929 + static struct kmem_cache *user_ns_cachep __read_mostly; 1930 + static DEFINE_MUTEX(userns_state_mutex); 1931 + 1932 + diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug 1933 + index 62d0e25c054c..3953072277eb 100644 1934 + --- a/lib/Kconfig.debug 1935 + +++ b/lib/Kconfig.debug 1936 + @@ -937,6 +937,7 @@ endmenu # "Debug lockups and hangs" 1937 + 1938 + config PANIC_ON_OOPS 1939 + bool "Panic on Oops" 1940 + + default y 1941 + help 1942 + Say Y here to enable the kernel to panic when it oopses. This 1943 + has the same effect as setting oops=panic on the kernel command 1944 + @@ -946,7 +947,7 @@ config PANIC_ON_OOPS 1945 + anything erroneous after an oops which could result in data 1946 + corruption or other issues. 1947 + 1948 + - Say N if unsure. 1949 + + Say Y if unsure. 1950 + 1951 + config PANIC_ON_OOPS_VALUE 1952 + int 1953 + @@ -1319,6 +1320,7 @@ config DEBUG_BUGVERBOSE 1954 + config DEBUG_LIST 1955 + bool "Debug linked list manipulation" 1956 + depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION 1957 + + default y 1958 + help 1959 + Enable this to turn on extended checks in the linked-list 1960 + walking routines. 1961 + @@ -1932,6 +1934,7 @@ config MEMTEST 1962 + config BUG_ON_DATA_CORRUPTION 1963 + bool "Trigger a BUG when data corruption is detected" 1964 + select DEBUG_LIST 1965 + + default y 1966 + help 1967 + Select this option if the kernel should BUG when it encounters 1968 + data corruption in kernel memory structures when they get checked 1969 + @@ -1952,7 +1955,7 @@ config STRICT_DEVMEM 1970 + bool "Filter access to /dev/mem" 1971 + depends on MMU && DEVMEM 1972 + depends on ARCH_HAS_DEVMEM_IS_ALLOWED 1973 + - default y if TILE || PPC 1974 + + default y 1975 + ---help--- 1976 + If this option is disabled, you allow userspace (root) access to all 1977 + of memory, including kernel and userspace memory. Accidental 1978 + @@ -1971,6 +1974,7 @@ config STRICT_DEVMEM 1979 + config IO_STRICT_DEVMEM 1980 + bool "Filter I/O access to /dev/mem" 1981 + depends on STRICT_DEVMEM 1982 + + default y 1983 + ---help--- 1984 + If this option is disabled, you allow userspace (root) access to all 1985 + io-memory regardless of whether a driver is actively using that 1986 + diff --git a/lib/irq_poll.c b/lib/irq_poll.c 1987 + index 86a709954f5a..6f15787fcb1b 100644 1988 + --- a/lib/irq_poll.c 1989 + +++ b/lib/irq_poll.c 1990 + @@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop) 1991 + } 1992 + EXPORT_SYMBOL(irq_poll_complete); 1993 + 1994 + -static void __latent_entropy irq_poll_softirq(struct softirq_action *h) 1995 + +static void __latent_entropy irq_poll_softirq(void) 1996 + { 1997 + struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll); 1998 + int rearm = 0, budget = irq_poll_budget; 1999 + diff --git a/lib/kobject.c b/lib/kobject.c 2000 + index 34f847252c02..4fda329de614 100644 2001 + --- a/lib/kobject.c 2002 + +++ b/lib/kobject.c 2003 + @@ -956,9 +956,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add); 2004 + 2005 + 2006 + static DEFINE_SPINLOCK(kobj_ns_type_lock); 2007 + -static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES]; 2008 + +static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init; 2009 + 2010 + -int kobj_ns_type_register(const struct kobj_ns_type_operations *ops) 2011 + +int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops) 2012 + { 2013 + enum kobj_ns_type type = ops->type; 2014 + int error; 2015 + diff --git a/lib/nlattr.c b/lib/nlattr.c 2016 + index 3d8295c85505..3fa3b3409d69 100644 2017 + --- a/lib/nlattr.c 2018 + +++ b/lib/nlattr.c 2019 + @@ -341,6 +341,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count) 2020 + { 2021 + int minlen = min_t(int, count, nla_len(src)); 2022 + 2023 + + BUG_ON(minlen < 0); 2024 + + 2025 + memcpy(dest, nla_data(src), minlen); 2026 + if (count > minlen) 2027 + memset(dest + minlen, 0, count - minlen); 2028 + diff --git a/lib/vsprintf.c b/lib/vsprintf.c 2029 + index 86c3385b9eb3..c482070e379b 100644 2030 + --- a/lib/vsprintf.c 2031 + +++ b/lib/vsprintf.c 2032 + @@ -1591,7 +1591,7 @@ char *device_node_string(char *buf, char *end, struct device_node *dn, 2033 + return widen_string(buf, buf - buf_start, end, spec); 2034 + } 2035 + 2036 + -int kptr_restrict __read_mostly; 2037 + +int kptr_restrict __read_mostly = 2; 2038 + 2039 + /* 2040 + * Show a '%p' thing. A kernel extension is that the '%p' is followed 2041 + diff --git a/mm/Kconfig b/mm/Kconfig 2042 + index 59efbd3337e0..c070e14ec83d 100644 2043 + --- a/mm/Kconfig 2044 + +++ b/mm/Kconfig 2045 + @@ -319,7 +319,8 @@ config KSM 2046 + config DEFAULT_MMAP_MIN_ADDR 2047 + int "Low address space to protect from user allocation" 2048 + depends on MMU 2049 + - default 4096 2050 + + default 32768 if ARM || (ARM64 && COMPAT) 2051 + + default 65536 2052 + help 2053 + This is the portion of low virtual memory which should be protected 2054 + from userspace allocation. Keeping a user from writing to low pages 2055 + diff --git a/mm/mmap.c b/mm/mmap.c 2056 + index 11f96fad5271..632e7f9a710e 100644 2057 + --- a/mm/mmap.c 2058 + +++ b/mm/mmap.c 2059 + @@ -220,6 +220,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) 2060 + 2061 + newbrk = PAGE_ALIGN(brk); 2062 + oldbrk = PAGE_ALIGN(mm->brk); 2063 + + /* properly handle unaligned min_brk as an empty heap */ 2064 + + if (min_brk & ~PAGE_MASK) { 2065 + + if (brk == min_brk) 2066 + + newbrk -= PAGE_SIZE; 2067 + + if (mm->brk == min_brk) 2068 + + oldbrk -= PAGE_SIZE; 2069 + + } 2070 + if (oldbrk == newbrk) 2071 + goto set_brk; 2072 + 2073 + diff --git a/mm/page_alloc.c b/mm/page_alloc.c 2074 + index 1d7693c35424..8963a3b4d37c 100644 2075 + --- a/mm/page_alloc.c 2076 + +++ b/mm/page_alloc.c 2077 + @@ -67,6 +67,7 @@ 2078 + #include <linux/ftrace.h> 2079 + #include <linux/lockdep.h> 2080 + #include <linux/nmi.h> 2081 + +#include <linux/random.h> 2082 + 2083 + #include <asm/sections.h> 2084 + #include <asm/tlbflush.h> 2085 + @@ -98,6 +99,15 @@ int _node_numa_mem_[MAX_NUMNODES]; 2086 + DEFINE_MUTEX(pcpu_drain_mutex); 2087 + DEFINE_PER_CPU(struct work_struct, pcpu_drain); 2088 + 2089 + +bool __meminitdata extra_latent_entropy; 2090 + + 2091 + +static int __init setup_extra_latent_entropy(char *str) 2092 + +{ 2093 + + extra_latent_entropy = true; 2094 + + return 0; 2095 + +} 2096 + +early_param("extra_latent_entropy", setup_extra_latent_entropy); 2097 + + 2098 + #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY 2099 + volatile unsigned long latent_entropy __latent_entropy; 2100 + EXPORT_SYMBOL(latent_entropy); 2101 + @@ -1063,6 +1073,13 @@ static __always_inline bool free_pages_prepare(struct page *page, 2102 + debug_check_no_obj_freed(page_address(page), 2103 + PAGE_SIZE << order); 2104 + } 2105 + + 2106 + + if (IS_ENABLED(CONFIG_PAGE_SANITIZE)) { 2107 + + int i; 2108 + + for (i = 0; i < (1 << order); i++) 2109 + + clear_highpage(page + i); 2110 + + } 2111 + + 2112 + arch_free_page(page, order); 2113 + kernel_poison_pages(page, 1 << order, 0); 2114 + kernel_map_pages(page, 1 << order, 0); 2115 + @@ -1278,6 +1295,21 @@ static void __init __free_pages_boot_core(struct page *page, unsigned int order) 2116 + __ClearPageReserved(p); 2117 + set_page_count(p, 0); 2118 + 2119 + + if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) { 2120 + + unsigned long hash = 0; 2121 + + size_t index, end = PAGE_SIZE * nr_pages / sizeof hash; 2122 + + const unsigned long *data = lowmem_page_address(page); 2123 + + 2124 + + for (index = 0; index < end; index++) 2125 + + hash ^= hash + data[index]; 2126 + +#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY 2127 + + latent_entropy ^= hash; 2128 + + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy)); 2129 + +#else 2130 + + add_device_randomness((const void *)&hash, sizeof(hash)); 2131 + +#endif 2132 + + } 2133 + + 2134 + page_zone(page)->managed_pages += nr_pages; 2135 + set_page_refcounted(page); 2136 + __free_pages(page, order); 2137 + @@ -1718,8 +1750,8 @@ static inline int check_new_page(struct page *page) 2138 + 2139 + static inline bool free_pages_prezeroed(void) 2140 + { 2141 + - return IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && 2142 + - page_poisoning_enabled(); 2143 + + return IS_ENABLED(CONFIG_PAGE_SANITIZE) || 2144 + + (IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && page_poisoning_enabled()); 2145 + } 2146 + 2147 + #ifdef CONFIG_DEBUG_VM 2148 + @@ -1776,6 +1808,11 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags 2149 + 2150 + post_alloc_hook(page, order, gfp_flags); 2151 + 2152 + + if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY)) { 2153 + + for (i = 0; i < (1 << order); i++) 2154 + + verify_zero_highpage(page + i); 2155 + + } 2156 + + 2157 + if (!free_pages_prezeroed() && (gfp_flags & __GFP_ZERO)) 2158 + for (i = 0; i < (1 << order); i++) 2159 + clear_highpage(page + i); 2160 + diff --git a/mm/slab.h b/mm/slab.h 2161 + index 485d9fbb8802..436461588804 100644 2162 + --- a/mm/slab.h 2163 + +++ b/mm/slab.h 2164 + @@ -311,7 +311,11 @@ static inline bool is_root_cache(struct kmem_cache *s) 2165 + static inline bool slab_equal_or_root(struct kmem_cache *s, 2166 + struct kmem_cache *p) 2167 + { 2168 + +#ifdef CONFIG_SLAB_HARDENED 2169 + + return p == s; 2170 + +#else 2171 + return true; 2172 + +#endif 2173 + } 2174 + 2175 + static inline const char *cache_name(struct kmem_cache *s) 2176 + @@ -363,18 +367,26 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x) 2177 + * to not do even the assignment. In that case, slab_equal_or_root 2178 + * will also be a constant. 2179 + */ 2180 + - if (!memcg_kmem_enabled() && 2181 + + if (!IS_ENABLED(CONFIG_SLAB_HARDENED) && 2182 + + !memcg_kmem_enabled() && 2183 + !unlikely(s->flags & SLAB_CONSISTENCY_CHECKS)) 2184 + return s; 2185 + 2186 + page = virt_to_head_page(x); 2187 + +#ifdef CONFIG_SLAB_HARDENED 2188 + + BUG_ON(!PageSlab(page)); 2189 + +#endif 2190 + cachep = page->slab_cache; 2191 + if (slab_equal_or_root(cachep, s)) 2192 + return cachep; 2193 + 2194 + pr_err("%s: Wrong slab cache. %s but object is from %s\n", 2195 + __func__, s->name, cachep->name); 2196 + +#ifdef CONFIG_BUG_ON_DATA_CORRUPTION 2197 + + BUG_ON(1); 2198 + +#else 2199 + WARN_ON_ONCE(1); 2200 + +#endif 2201 + return s; 2202 + } 2203 + 2204 + @@ -399,7 +411,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s) 2205 + * back there or track user information then we can 2206 + * only use the space before that information. 2207 + */ 2208 + - if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) 2209 + + if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY)) 2210 + return s->inuse; 2211 + /* 2212 + * Else we can use all the padding etc for the allocation 2213 + diff --git a/mm/slab_common.c b/mm/slab_common.c 2214 + index 65212caa1f2a..d8bf8a75f445 100644 2215 + --- a/mm/slab_common.c 2216 + +++ b/mm/slab_common.c 2217 + @@ -26,10 +26,10 @@ 2218 + 2219 + #include "slab.h" 2220 + 2221 + -enum slab_state slab_state; 2222 + +enum slab_state slab_state __ro_after_init; 2223 + LIST_HEAD(slab_caches); 2224 + DEFINE_MUTEX(slab_mutex); 2225 + -struct kmem_cache *kmem_cache; 2226 + +struct kmem_cache *kmem_cache __ro_after_init; 2227 + 2228 + static LIST_HEAD(slab_caches_to_rcu_destroy); 2229 + static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work); 2230 + @@ -49,7 +49,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work, 2231 + /* 2232 + * Merge control. If this is set then no merging of slab caches will occur. 2233 + */ 2234 + -static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT); 2235 + +static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT); 2236 + 2237 + static int __init setup_slab_nomerge(char *str) 2238 + { 2239 + @@ -927,7 +927,7 @@ EXPORT_SYMBOL(kmalloc_dma_caches); 2240 + * of two cache sizes there. The size of larger slabs can be determined using 2241 + * fls. 2242 + */ 2243 + -static s8 size_index[24] = { 2244 + +static s8 size_index[24] __ro_after_init = { 2245 + 3, /* 8 */ 2246 + 4, /* 16 */ 2247 + 5, /* 24 */ 2248 + diff --git a/mm/slub.c b/mm/slub.c 2249 + index 41c01690d116..591dd60d37f3 100644 2250 + --- a/mm/slub.c 2251 + +++ b/mm/slub.c 2252 + @@ -125,6 +125,16 @@ static inline int kmem_cache_debug(struct kmem_cache *s) 2253 + #endif 2254 + } 2255 + 2256 + +static inline bool has_sanitize(struct kmem_cache *s) 2257 + +{ 2258 + + return IS_ENABLED(CONFIG_SLAB_SANITIZE) && !(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)); 2259 + +} 2260 + + 2261 + +static inline bool has_sanitize_verify(struct kmem_cache *s) 2262 + +{ 2263 + + return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && has_sanitize(s); 2264 + +} 2265 + + 2266 + void *fixup_red_left(struct kmem_cache *s, void *p) 2267 + { 2268 + if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) 2269 + @@ -297,6 +307,35 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp) 2270 + *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr); 2271 + } 2272 + 2273 + +#ifdef CONFIG_SLAB_CANARY 2274 + +static inline unsigned long *get_canary(struct kmem_cache *s, void *object) 2275 + +{ 2276 + + if (s->offset) 2277 + + return object + s->offset + sizeof(void *); 2278 + + return object + s->inuse; 2279 + +} 2280 + + 2281 + +static inline unsigned long get_canary_value(const void *canary, unsigned long value) 2282 + +{ 2283 + + return (value ^ (unsigned long)canary) & CANARY_MASK; 2284 + +} 2285 + + 2286 + +static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value) 2287 + +{ 2288 + + unsigned long *canary = get_canary(s, object); 2289 + + *canary = get_canary_value(canary, value); 2290 + +} 2291 + + 2292 + +static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value) 2293 + +{ 2294 + + unsigned long *canary = get_canary(s, object); 2295 + + BUG_ON(*canary != get_canary_value(canary, value)); 2296 + +} 2297 + +#else 2298 + +#define set_canary(s, object, value) 2299 + +#define check_canary(s, object, value) 2300 + +#endif 2301 + + 2302 + /* Loop over all objects in a slab */ 2303 + #define for_each_object(__p, __s, __addr, __objects) \ 2304 + for (__p = fixup_red_left(__s, __addr); \ 2305 + @@ -484,13 +523,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p) 2306 + * Debug settings: 2307 + */ 2308 + #if defined(CONFIG_SLUB_DEBUG_ON) 2309 + -static int slub_debug = DEBUG_DEFAULT_FLAGS; 2310 + +static int slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS; 2311 + #else 2312 + -static int slub_debug; 2313 + +static int slub_debug __ro_after_init; 2314 + #endif 2315 + 2316 + -static char *slub_debug_slabs; 2317 + -static int disable_higher_order_debug; 2318 + +static char *slub_debug_slabs __ro_after_init; 2319 + +static int disable_higher_order_debug __ro_after_init; 2320 + 2321 + /* 2322 + * slub is about to manipulate internal object metadata. This memory lies 2323 + @@ -550,6 +589,9 @@ static struct track *get_track(struct kmem_cache *s, void *object, 2324 + else 2325 + p = object + s->inuse; 2326 + 2327 + + if (IS_ENABLED(CONFIG_SLAB_CANARY)) 2328 + + p = (void *)p + sizeof(void *); 2329 + + 2330 + return p + alloc; 2331 + } 2332 + 2333 + @@ -688,6 +730,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) 2334 + else 2335 + off = s->inuse; 2336 + 2337 + + if (IS_ENABLED(CONFIG_SLAB_CANARY)) 2338 + + off += sizeof(void *); 2339 + + 2340 + if (s->flags & SLAB_STORE_USER) 2341 + off += 2 * sizeof(struct track); 2342 + 2343 + @@ -817,6 +862,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p) 2344 + /* Freepointer is placed after the object. */ 2345 + off += sizeof(void *); 2346 + 2347 + + if (IS_ENABLED(CONFIG_SLAB_CANARY)) 2348 + + off += sizeof(void *); 2349 + + 2350 + if (s->flags & SLAB_STORE_USER) 2351 + /* We also have user information there */ 2352 + off += 2 * sizeof(struct track); 2353 + @@ -1416,8 +1464,9 @@ static void setup_object(struct kmem_cache *s, struct page *page, 2354 + void *object) 2355 + { 2356 + setup_object_debug(s, page, object); 2357 + + set_canary(s, object, s->random_inactive); 2358 + kasan_init_slab_obj(s, object); 2359 + - if (unlikely(s->ctor)) { 2360 + + if (unlikely(s->ctor) && !has_sanitize_verify(s)) { 2361 + kasan_unpoison_object_data(s, object); 2362 + s->ctor(object); 2363 + kasan_poison_object_data(s, object); 2364 + @@ -2717,9 +2766,21 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s, 2365 + stat(s, ALLOC_FASTPATH); 2366 + } 2367 + 2368 + - if (unlikely(gfpflags & __GFP_ZERO) && object) 2369 + + if (has_sanitize_verify(s) && object) { 2370 + + size_t offset = s->offset ? 0 : sizeof(void *); 2371 + + BUG_ON(memchr_inv(object + offset, 0, s->object_size - offset)); 2372 + + if (s->ctor) 2373 + + s->ctor(object); 2374 + + if (unlikely(gfpflags & __GFP_ZERO) && offset) 2375 + + memset(object, 0, sizeof(void *)); 2376 + + } else if (unlikely(gfpflags & __GFP_ZERO) && object) 2377 + memset(object, 0, s->object_size); 2378 + 2379 + + if (object) { 2380 + + check_canary(s, object, s->random_inactive); 2381 + + set_canary(s, object, s->random_active); 2382 + + } 2383 + + 2384 + slab_post_alloc_hook(s, gfpflags, 1, &object); 2385 + 2386 + return object; 2387 + @@ -2926,6 +2987,27 @@ static __always_inline void do_slab_free(struct kmem_cache *s, 2388 + void *tail_obj = tail ? : head; 2389 + struct kmem_cache_cpu *c; 2390 + unsigned long tid; 2391 + + bool sanitize = has_sanitize(s); 2392 + + 2393 + + if (IS_ENABLED(CONFIG_SLAB_CANARY) || sanitize) { 2394 + + __maybe_unused int offset = s->offset ? 0 : sizeof(void *); 2395 + + void *x = head; 2396 + + 2397 + + while (1) { 2398 + + check_canary(s, x, s->random_active); 2399 + + set_canary(s, x, s->random_inactive); 2400 + + 2401 + + if (sanitize) { 2402 + + memset(x + offset, 0, s->object_size - offset); 2403 + + if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor) 2404 + + s->ctor(x); 2405 + + } 2406 + + if (x == tail_obj) 2407 + + break; 2408 + + x = get_freepointer(s, x); 2409 + + } 2410 + + } 2411 + + 2412 + redo: 2413 + /* 2414 + * Determine the currently cpus per cpu slab. 2415 + @@ -3104,7 +3186,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size, 2416 + void **p) 2417 + { 2418 + struct kmem_cache_cpu *c; 2419 + - int i; 2420 + + int i, k; 2421 + 2422 + /* memcg and kmem_cache debug support */ 2423 + s = slab_pre_alloc_hook(s, flags); 2424 + @@ -3141,13 +3223,29 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size, 2425 + local_irq_enable(); 2426 + 2427 + /* Clear memory outside IRQ disabled fastpath loop */ 2428 + - if (unlikely(flags & __GFP_ZERO)) { 2429 + + if (has_sanitize_verify(s)) { 2430 + + int j; 2431 + + 2432 + + for (j = 0; j < i; j++) { 2433 + + size_t offset = s->offset ? 0 : sizeof(void *); 2434 + + BUG_ON(memchr_inv(p[j] + offset, 0, s->object_size - offset)); 2435 + + if (s->ctor) 2436 + + s->ctor(p[j]); 2437 + + if (unlikely(flags & __GFP_ZERO) && offset) 2438 + + memset(p[j], 0, sizeof(void *)); 2439 + + } 2440 + + } else if (unlikely(flags & __GFP_ZERO)) { 2441 + int j; 2442 + 2443 + for (j = 0; j < i; j++) 2444 + memset(p[j], 0, s->object_size); 2445 + } 2446 + 2447 + + for (k = 0; k < i; k++) { 2448 + + check_canary(s, p[k], s->random_inactive); 2449 + + set_canary(s, p[k], s->random_active); 2450 + + } 2451 + + 2452 + /* memcg and kmem_cache debug support */ 2453 + slab_post_alloc_hook(s, flags, size, p); 2454 + return i; 2455 + @@ -3179,9 +3277,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk); 2456 + * and increases the number of allocations possible without having to 2457 + * take the list_lock. 2458 + */ 2459 + -static int slub_min_order; 2460 + -static int slub_max_order = PAGE_ALLOC_COSTLY_ORDER; 2461 + -static int slub_min_objects; 2462 + +static int slub_min_order __ro_after_init; 2463 + +static int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER; 2464 + +static int slub_min_objects __ro_after_init; 2465 + 2466 + /* 2467 + * Calculate the order of allocation given an slab object size. 2468 + @@ -3351,6 +3449,7 @@ static void early_kmem_cache_node_alloc(int node) 2469 + init_object(kmem_cache_node, n, SLUB_RED_ACTIVE); 2470 + init_tracking(kmem_cache_node, n); 2471 + #endif 2472 + + set_canary(kmem_cache_node, n, kmem_cache_node->random_active); 2473 + kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node), 2474 + GFP_KERNEL); 2475 + init_kmem_cache_node(n); 2476 + @@ -3507,6 +3606,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) 2477 + size += sizeof(void *); 2478 + } 2479 + 2480 + + if (IS_ENABLED(CONFIG_SLAB_CANARY)) 2481 + + size += sizeof(void *); 2482 + + 2483 + #ifdef CONFIG_SLUB_DEBUG 2484 + if (flags & SLAB_STORE_USER) 2485 + /* 2486 + @@ -3577,6 +3679,10 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags) 2487 + #ifdef CONFIG_SLAB_FREELIST_HARDENED 2488 + s->random = get_random_long(); 2489 + #endif 2490 + +#ifdef CONFIG_SLAB_CANARY 2491 + + s->random_active = get_random_long(); 2492 + + s->random_inactive = get_random_long(); 2493 + +#endif 2494 + 2495 + if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU)) 2496 + s->reserved = sizeof(struct rcu_head); 2497 + @@ -3841,6 +3947,8 @@ const char *__check_heap_object(const void *ptr, unsigned long n, 2498 + offset -= s->red_left_pad; 2499 + } 2500 + 2501 + + check_canary(s, (void *)ptr - offset, s->random_active); 2502 + + 2503 + /* Allow address range falling entirely within object size. */ 2504 + if (offset <= object_size && n <= object_size - offset) 2505 + return NULL; 2506 + @@ -3859,7 +3967,11 @@ static size_t __ksize(const void *object) 2507 + page = virt_to_head_page(object); 2508 + 2509 + if (unlikely(!PageSlab(page))) { 2510 + +#ifdef CONFIG_BUG_ON_DATA_CORRUPTION 2511 + + BUG_ON(!PageCompound(page)); 2512 + +#else 2513 + WARN_ON(!PageCompound(page)); 2514 + +#endif 2515 + return PAGE_SIZE << compound_order(page); 2516 + } 2517 + 2518 + @@ -4724,7 +4836,7 @@ enum slab_stat_type { 2519 + #define SO_TOTAL (1 << SL_TOTAL) 2520 + 2521 + #ifdef CONFIG_MEMCG 2522 + -static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON); 2523 + +static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON); 2524 + 2525 + static int __init setup_slub_memcg_sysfs(char *str) 2526 + { 2527 + diff --git a/mm/swap.c b/mm/swap.c 2528 + index a77d68f2c1b6..d1f1d75f4d1f 100644 2529 + --- a/mm/swap.c 2530 + +++ b/mm/swap.c 2531 + @@ -92,6 +92,13 @@ static void __put_compound_page(struct page *page) 2532 + if (!PageHuge(page)) 2533 + __page_cache_release(page); 2534 + dtor = get_compound_page_dtor(page); 2535 + + if (!PageHuge(page)) 2536 + + BUG_ON(dtor != free_compound_page 2537 + +#ifdef CONFIG_TRANSPARENT_HUGEPAGE 2538 + + && dtor != free_transhuge_page 2539 + +#endif 2540 + + ); 2541 + + 2542 + (*dtor)(page); 2543 + } 2544 + 2545 + diff --git a/net/core/dev.c b/net/core/dev.c 2546 + index 6ca771f2f25b..6da2c9c3e6a5 100644 2547 + --- a/net/core/dev.c 2548 + +++ b/net/core/dev.c 2549 + @@ -4095,7 +4095,7 @@ int netif_rx_ni(struct sk_buff *skb) 2550 + } 2551 + EXPORT_SYMBOL(netif_rx_ni); 2552 + 2553 + -static __latent_entropy void net_tx_action(struct softirq_action *h) 2554 + +static __latent_entropy void net_tx_action(void) 2555 + { 2556 + struct softnet_data *sd = this_cpu_ptr(&softnet_data); 2557 + 2558 + @@ -5609,7 +5609,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) 2559 + return work; 2560 + } 2561 + 2562 + -static __latent_entropy void net_rx_action(struct softirq_action *h) 2563 + +static __latent_entropy void net_rx_action(void) 2564 + { 2565 + struct softnet_data *sd = this_cpu_ptr(&softnet_data); 2566 + unsigned long time_limit = jiffies + 2567 + diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig 2568 + index f48fe6fc7e8c..d78c52835c08 100644 2569 + --- a/net/ipv4/Kconfig 2570 + +++ b/net/ipv4/Kconfig 2571 + @@ -261,6 +261,7 @@ config IP_PIMSM_V2 2572 + 2573 + config SYN_COOKIES 2574 + bool "IP: TCP syncookie support" 2575 + + default y 2576 + ---help--- 2577 + Normal TCP/IP networking is open to an attack known as "SYN 2578 + flooding". This denial-of-service attack prevents legitimate remote 2579 + diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c 2580 + index 54deaa1066cf..211f97bd5ee3 100644 2581 + --- a/scripts/mod/modpost.c 2582 + +++ b/scripts/mod/modpost.c 2583 + @@ -37,6 +37,7 @@ static int vmlinux_section_warnings = 1; 2584 + static int warn_unresolved = 0; 2585 + /* How a symbol is exported */ 2586 + static int sec_mismatch_count = 0; 2587 + +static int writable_fptr_count = 0; 2588 + static int sec_mismatch_verbose = 1; 2589 + static int sec_mismatch_fatal = 0; 2590 + /* ignore missing files */ 2591 + @@ -965,6 +966,7 @@ enum mismatch { 2592 + ANY_EXIT_TO_ANY_INIT, 2593 + EXPORT_TO_INIT_EXIT, 2594 + EXTABLE_TO_NON_TEXT, 2595 + + DATA_TO_TEXT 2596 + }; 2597 + 2598 + /** 2599 + @@ -1091,6 +1093,12 @@ static const struct sectioncheck sectioncheck[] = { 2600 + .good_tosec = {ALL_TEXT_SECTIONS , NULL}, 2601 + .mismatch = EXTABLE_TO_NON_TEXT, 2602 + .handler = extable_mismatch_handler, 2603 + +}, 2604 + +/* Do not reference code from writable data */ 2605 + +{ 2606 + + .fromsec = { DATA_SECTIONS, NULL }, 2607 + + .bad_tosec = { ALL_TEXT_SECTIONS, NULL }, 2608 + + .mismatch = DATA_TO_TEXT 2609 + } 2610 + }; 2611 + 2612 + @@ -1240,10 +1248,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, 2613 + continue; 2614 + if (ELF_ST_TYPE(sym->st_info) == STT_SECTION) 2615 + continue; 2616 + - if (sym->st_value == addr) 2617 + - return sym; 2618 + /* Find a symbol nearby - addr are maybe negative */ 2619 + d = sym->st_value - addr; 2620 + + if (d == 0) 2621 + + return sym; 2622 + if (d < 0) 2623 + d = addr - sym->st_value; 2624 + if (d < distance) { 2625 + @@ -1402,7 +1410,11 @@ static void report_sec_mismatch(const char *modname, 2626 + char *prl_from; 2627 + char *prl_to; 2628 + 2629 + - sec_mismatch_count++; 2630 + + if (mismatch->mismatch == DATA_TO_TEXT) 2631 + + writable_fptr_count++; 2632 + + else 2633 + + sec_mismatch_count++; 2634 + + 2635 + if (!sec_mismatch_verbose) 2636 + return; 2637 + 2638 + @@ -1526,6 +1538,14 @@ static void report_sec_mismatch(const char *modname, 2639 + fatal("There's a special handler for this mismatch type, " 2640 + "we should never get here."); 2641 + break; 2642 + + case DATA_TO_TEXT: 2643 + +#if 0 2644 + + fprintf(stderr, 2645 + + "The %s %s:%s references\n" 2646 + + "the %s %s:%s%s\n", 2647 + + from, fromsec, fromsym, to, tosec, tosym, to_p); 2648 + +#endif 2649 + + break; 2650 + } 2651 + fprintf(stderr, "\n"); 2652 + } 2653 + @@ -2539,6 +2559,14 @@ int main(int argc, char **argv) 2654 + } 2655 + } 2656 + free(buf.p); 2657 + + if (writable_fptr_count) { 2658 + + if (!sec_mismatch_verbose) { 2659 + + warn("modpost: Found %d writable function pointer(s).\n" 2660 + + "To see full details build your kernel with:\n" 2661 + + "'make CONFIG_DEBUG_SECTION_MISMATCH=y'\n", 2662 + + writable_fptr_count); 2663 + + } 2664 + + } 2665 + 2666 + return err; 2667 + } 2668 + diff --git a/security/Kconfig b/security/Kconfig 2669 + index 87f2a6f842fd..7bdbb7edf5bf 100644 2670 + --- a/security/Kconfig 2671 + +++ b/security/Kconfig 2672 + @@ -8,7 +8,7 @@ source security/keys/Kconfig 2673 + 2674 + config SECURITY_DMESG_RESTRICT 2675 + bool "Restrict unprivileged access to the kernel syslog" 2676 + - default n 2677 + + default y 2678 + help 2679 + This enforces restrictions on unprivileged users reading the kernel 2680 + syslog via dmesg(8). 2681 + @@ -18,10 +18,34 @@ config SECURITY_DMESG_RESTRICT 2682 + 2683 + If you are unsure how to answer this question, answer N. 2684 + 2685 + +config SECURITY_PERF_EVENTS_RESTRICT 2686 + + bool "Restrict unprivileged use of performance events" 2687 + + depends on PERF_EVENTS 2688 + + default y 2689 + + help 2690 + + If you say Y here, the kernel.perf_event_paranoid sysctl 2691 + + will be set to 3 by default, and no unprivileged use of the 2692 + + perf_event_open syscall will be permitted unless it is 2693 + + changed. 2694 + + 2695 + +config SECURITY_TIOCSTI_RESTRICT 2696 + + bool "Restrict unprivileged use of tiocsti command injection" 2697 + + default y 2698 + + help 2699 + + This enforces restrictions on unprivileged users injecting commands 2700 + + into other processes which share a tty session using the TIOCSTI 2701 + + ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN. 2702 + + 2703 + + If this option is not selected, no restrictions will be enforced 2704 + + unless the tiocsti_restrict sysctl is explicitly set to (1). 2705 + + 2706 + + If you are unsure how to answer this question, answer N. 2707 + + 2708 + config SECURITY 2709 + bool "Enable different security models" 2710 + depends on SYSFS 2711 + depends on MULTIUSER 2712 + + default y 2713 + help 2714 + This allows you to choose different security modules to be 2715 + configured into your kernel. 2716 + @@ -48,6 +72,7 @@ config SECURITYFS 2717 + config SECURITY_NETWORK 2718 + bool "Socket and Networking Security Hooks" 2719 + depends on SECURITY 2720 + + default y 2721 + help 2722 + This enables the socket and networking security hooks. 2723 + If enabled, a security module can use these hooks to 2724 + @@ -155,6 +180,7 @@ config HARDENED_USERCOPY 2725 + depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 2726 + select BUG 2727 + imply STRICT_DEVMEM 2728 + + default y 2729 + help 2730 + This option checks for obviously wrong memory regions when 2731 + copying memory to/from the kernel (via copy_to_user() and 2732 + @@ -178,10 +204,36 @@ config HARDENED_USERCOPY_PAGESPAN 2733 + config FORTIFY_SOURCE 2734 + bool "Harden common str/mem functions against buffer overflows" 2735 + depends on ARCH_HAS_FORTIFY_SOURCE 2736 + + default y 2737 + help 2738 + Detect overflows of buffers in common string and memory functions 2739 + where the compiler can determine and validate the buffer sizes. 2740 + 2741 + +config FORTIFY_SOURCE_STRICT_STRING 2742 + + bool "Harden common functions against buffer overflows" 2743 + + depends on FORTIFY_SOURCE 2744 + + depends on EXPERT 2745 + + help 2746 + + Perform stricter overflow checks catching overflows within objects 2747 + + for common C string functions rather than only between objects. 2748 + + 2749 + + This is not yet intended for production use, only bug finding. 2750 + + 2751 + +config PAGE_SANITIZE 2752 + + bool "Sanitize pages" 2753 + + default y 2754 + + help 2755 + + Zero fill page allocations on free, reducing the lifetime of 2756 + + sensitive data and helping to mitigate use-after-free bugs. 2757 + + 2758 + +config PAGE_SANITIZE_VERIFY 2759 + + bool "Verify sanitized pages" 2760 + + depends on PAGE_SANITIZE 2761 + + default y 2762 + + help 2763 + + Verify that newly allocated pages are zeroed to detect 2764 + + write-after-free bugs. 2765 + + 2766 + config STATIC_USERMODEHELPER 2767 + bool "Force all usermode helper calls through a single binary" 2768 + help 2769 + diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig 2770 + index 8af7a690eb40..6539694b0fd3 100644 2771 + --- a/security/selinux/Kconfig 2772 + +++ b/security/selinux/Kconfig 2773 + @@ -2,7 +2,7 @@ config SECURITY_SELINUX 2774 + bool "NSA SELinux Support" 2775 + depends on SECURITY_NETWORK && AUDIT && NET && INET 2776 + select NETWORK_SECMARK 2777 + - default n 2778 + + default y 2779 + help 2780 + This selects NSA Security-Enhanced Linux (SELinux). 2781 + You will also need a policy configuration and a labeled filesystem. 2782 + @@ -79,23 +79,3 @@ config SECURITY_SELINUX_AVC_STATS 2783 + This option collects access vector cache statistics to 2784 + /selinux/avc/cache_stats, which may be monitored via 2785 + tools such as avcstat. 2786 + - 2787 + -config SECURITY_SELINUX_CHECKREQPROT_VALUE 2788 + - int "NSA SELinux checkreqprot default value" 2789 + - depends on SECURITY_SELINUX 2790 + - range 0 1 2791 + - default 0 2792 + - help 2793 + - This option sets the default value for the 'checkreqprot' flag 2794 + - that determines whether SELinux checks the protection requested 2795 + - by the application or the protection that will be applied by the 2796 + - kernel (including any implied execute for read-implies-exec) for 2797 + - mmap and mprotect calls. If this option is set to 0 (zero), 2798 + - SELinux will default to checking the protection that will be applied 2799 + - by the kernel. If this option is set to 1 (one), SELinux will 2800 + - default to checking the protection requested by the application. 2801 + - The checkreqprot flag may be changed from the default via the 2802 + - 'checkreqprot=' boot parameter. It may also be changed at runtime 2803 + - via /selinux/checkreqprot if authorized by policy. 2804 + - 2805 + - If you are unsure how to answer this question, answer 0. 2806 + diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h 2807 + index 1649cd18eb0b..067f35559aa7 100644 2808 + --- a/security/selinux/include/objsec.h 2809 + +++ b/security/selinux/include/objsec.h 2810 + @@ -150,6 +150,6 @@ struct pkey_security_struct { 2811 + u32 sid; /* SID of pkey */ 2812 + }; 2813 + 2814 + -extern unsigned int selinux_checkreqprot; 2815 + +extern const unsigned int selinux_checkreqprot; 2816 + 2817 + #endif /* _SELINUX_OBJSEC_H_ */ 2818 + diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c 2819 + index 00eed842c491..8f7b8d7e6f91 100644 2820 + --- a/security/selinux/selinuxfs.c 2821 + +++ b/security/selinux/selinuxfs.c 2822 + @@ -41,16 +41,7 @@ 2823 + #include "objsec.h" 2824 + #include "conditional.h" 2825 + 2826 + -unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 2827 + - 2828 + -static int __init checkreqprot_setup(char *str) 2829 + -{ 2830 + - unsigned long checkreqprot; 2831 + - if (!kstrtoul(str, 0, &checkreqprot)) 2832 + - selinux_checkreqprot = checkreqprot ? 1 : 0; 2833 + - return 1; 2834 + -} 2835 + -__setup("checkreqprot=", checkreqprot_setup); 2836 + +const unsigned int selinux_checkreqprot; 2837 + 2838 + static DEFINE_MUTEX(sel_mutex); 2839 + 2840 + @@ -610,10 +601,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, 2841 + return PTR_ERR(page); 2842 + 2843 + length = -EINVAL; 2844 + - if (sscanf(page, "%u", &new_value) != 1) 2845 + + if (sscanf(page, "%u", &new_value) != 1 || new_value) 2846 + goto out; 2847 + 2848 + - selinux_checkreqprot = new_value ? 1 : 0; 2849 + length = count; 2850 + out: 2851 + kfree(page); 2852 + diff --git a/security/yama/Kconfig b/security/yama/Kconfig 2853 + index 96b27405558a..485c1b85c325 100644 2854 + --- a/security/yama/Kconfig 2855 + +++ b/security/yama/Kconfig 2856 + @@ -1,7 +1,7 @@ 2857 + config SECURITY_YAMA 2858 + bool "Yama support" 2859 + depends on SECURITY 2860 + - default n 2861 + + default y 2862 + help 2863 + This selects Yama, which extends DAC support with additional 2864 + system-wide security settings beyond regular Linux discretionary

+4 -1

pkgs/os-specific/linux/kernel/linux-4.14.nix

··· 1 - { stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, ... } @ args: 2 3 with stdenv.lib; 4 5 buildLinux (args // rec { 6 version = "4.14.48"; 7 8 # branchVersion needs to be x.y 9 extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));

··· 1 + { stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args: 2 3 with stdenv.lib; 4 5 buildLinux (args // rec { 6 version = "4.14.48"; 7 + 8 + # modDirVersion needs to be x.y.z, will automatically add .0 if needed 9 + modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg; 10 11 # branchVersion needs to be x.y 12 extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));

+5

pkgs/os-specific/linux/kernel/patches.nix

··· 28 patch = ./tag-hardened.patch; 29 }; 30 31 copperhead_4_16 = rec { 32 name = "copperhead-4.16"; 33 patch = ./copperhead-4-16.patch;

··· 28 patch = ./tag-hardened.patch; 29 }; 30 31 + copperhead_4_14 = rec { 32 + name = "copperhead-4.14"; 33 + patch = ./copperhead-4-14.patch; 34 + }; 35 + 36 copperhead_4_16 = rec { 37 name = "copperhead-4.16"; 38 patch = ./copperhead-4-16.patch;

+7 -7

pkgs/top-level/all-packages.nix

··· 13499 ]; 13500 }; 13501 13502 - linux_copperhead_lts = callPackage ../os-specific/linux/kernel/linux-copperhead-lts.nix { 13503 - kernelPatches = with kernelPatches; [ 13504 - bridge_stp_helper 13505 - modinst_arg_list_too_long 13506 - tag_hardened 13507 - ]; 13508 - }; 13509 13510 linux_copperhead_stable = (linux_4_16.override { 13511 kernelPatches = linux_4_16.kernelPatches ++ [

··· 13499 ]; 13500 }; 13501 13502 + linux_copperhead_lts = (linux_4_14.override { 13503 + kernelPatches = linux_4_14.kernelPatches ++ [ 13504 + kernelPatches.copperhead_4_14 13505 + kernelPatches.tag_hardened 13506 + ]; 13507 + modDirVersionArg = linux_4_14.modDirVersion + "-hardened"; 13508 + }); 13509 13510 linux_copperhead_stable = (linux_4_16.override { 13511 kernelPatches = linux_4_16.kernelPatches ++ [