authorJohn Ericson <John.Ericson@Obsidian.Systems>2018-10-23 23:23:03 -0400
committerJohn Ericson <John.Ericson@Obsidian.Systems>2018-10-24 08:20:53 -0400
commitbbd12f558367034c77c68795c88b01b9cf5705dd (patch)
treede93cbfef38b2fea9be2987f7d22d633f7991363 /pkgs/os-specific/linux
parent22df9423cd1f87b4390e9f7879636ecd0c508d96 (diff)
parentd3f328e59218b7bd2240dd5aeca3565ee7b2045f (diff)
Merge remote-tracking branch 'upstream/master' into darwin-to-linux-cross
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/apparmor/default.nix6
-rw-r--r--pkgs/os-specific/linux/batman-adv/alfred.nix4
-rw-r--r--pkgs/os-specific/linux/batman-adv/batctl.nix4
-rw-r--r--pkgs/os-specific/linux/bcc/default.nix4
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix4
-rw-r--r--pkgs/os-specific/linux/can-isotp/default.nix36
-rw-r--r--pkgs/os-specific/linux/cryptodev/default.nix3
-rw-r--r--pkgs/os-specific/linux/cryptsetup/default.nix13
-rw-r--r--pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch19
-rw-r--r--pkgs/os-specific/linux/dmidecode/default.nix4
-rw-r--r--pkgs/os-specific/linux/earlyoom/default.nix12
-rw-r--r--pkgs/os-specific/linux/eudev/default.nix4
-rw-r--r--pkgs/os-specific/linux/evdi/default.nix6
-rw-r--r--pkgs/os-specific/linux/ffado/default.nix2
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix16
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix8
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/tools.nix6
-rw-r--r--pkgs/os-specific/linux/i2c-tools/default.nix2
-rw-r--r--pkgs/os-specific/linux/i7z/default.nix62
-rw-r--r--pkgs/os-specific/linux/i7z/qt5.patch13
-rw-r--r--pkgs/os-specific/linux/iio-sensor-proxy/default.nix8
-rw-r--r--pkgs/os-specific/linux/iproute/default.nix11
-rw-r--r--pkgs/os-specific/linux/iputils/default.nix10
-rw-r--r--pkgs/os-specific/linux/iwd/default.nix8
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/source.nix6
-rw-r--r--pkgs/os-specific/linux/kbd/default.nix13
-rw-r--r--pkgs/os-specific/linux/kernel-headers/default.nix4
-rw-r--r--pkgs/os-specific/linux/kernel-headers/no-dynamic-cc-version-check.patch20
-rw-r--r--pkgs/os-specific/linux/kernel/copperhead-4-14.patch2864
-rw-r--r--pkgs/os-specific/linux/kernel/copperhead-4-16.patch2571
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.14.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.18.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.19.nix (renamed from pkgs/os-specific/linux/kernel/linux-4.17.nix)4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.9.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/linux-copperhead-lts.nix30
-rw-r--r--pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-mptcp.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rpi.nix24
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing.nix6
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix3
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix10
-rw-r--r--pkgs/os-specific/linux/kmscube/default.nix8
-rw-r--r--pkgs/os-specific/linux/libratbag/default.nix36
-rw-r--r--pkgs/os-specific/linux/light/default.nix21
-rw-r--r--pkgs/os-specific/linux/lm-sensors/default.nix5
-rw-r--r--pkgs/os-specific/linux/mbpfan/default.nix4
-rw-r--r--pkgs/os-specific/linux/mcelog/default.nix4
-rw-r--r--pkgs/os-specific/linux/musl/0001-in-pthread_mutex_trylock-EBUSY-out-more-directly-whe.patch37
-rw-r--r--pkgs/os-specific/linux/musl/0002-in-pthread_mutex_timedlock-avoid-repeatedly-reading-.patch41
-rw-r--r--pkgs/os-specific/linux/musl/0003-fix-namespace-violation-for-c11-mutex-functions.patch35
-rw-r--r--pkgs/os-specific/linux/musl/default.nix25
-rw-r--r--pkgs/os-specific/linux/musl/fexecve-execveat.patch33
-rw-r--r--pkgs/os-specific/linux/musl/fix-file-locking-race.patch54
-rw-r--r--pkgs/os-specific/linux/musl/fix-getaddrinfo-regression-with-AI_ADDRCONFIG.patch52
-rw-r--r--pkgs/os-specific/linux/musl/max-handle-sz-for-name-to-handle-at.patch26
-rw-r--r--pkgs/os-specific/linux/musl/name-to-handle-at.patch71
-rw-r--r--pkgs/os-specific/linux/musl/stacksize-bump.patch36
-rw-r--r--pkgs/os-specific/linux/musl/tty-more-precise-errors.patch51
-rw-r--r--pkgs/os-specific/linux/mwprocapture/default.nix6
-rw-r--r--pkgs/os-specific/linux/mwprocapture/linux_4_14_fix.patch71
-rw-r--r--pkgs/os-specific/linux/nfs-utils/default.nix31
-rw-r--r--pkgs/os-specific/linux/numactl/default.nix5
-rwxr-xr-xpkgs/os-specific/linux/nvidia-x11/builder.sh60
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix28
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/drm_mode_connector.patch24
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/generic.nix27
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix10
-rw-r--r--pkgs/os-specific/linux/piper/default.nix34
-rw-r--r--pkgs/os-specific/linux/pmount/default.nix2
-rw-r--r--pkgs/os-specific/linux/procps-ng/default.nix12
-rw-r--r--pkgs/os-specific/linux/pscircle/default.nix4
-rw-r--r--pkgs/os-specific/linux/psmisc/default.nix35
-rw-r--r--pkgs/os-specific/linux/rdma-core/default.nix4
-rw-r--r--pkgs/os-specific/linux/roccat-tools/default.nix41
-rw-r--r--pkgs/os-specific/linux/s6-linux-utils/default.nix37
-rw-r--r--pkgs/os-specific/linux/semodule-utils/default.nix27
-rw-r--r--pkgs/os-specific/linux/spl/default.nix5
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix4
-rw-r--r--pkgs/os-specific/linux/sysstat/default.nix4
-rw-r--r--pkgs/os-specific/linux/systemd-wait/default.nix25
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix10
-rw-r--r--pkgs/os-specific/linux/udisks/2-default.nix8
-rw-r--r--pkgs/os-specific/linux/undervolt/default.nix4
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix4
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix12
90 files changed, 1109 insertions, 5828 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 08428f95b06c..3ffaef8109f3 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -1,10 +1,10 @@
-{ stdenv, fetchurl, fetchpatch, makeWrapper, autoreconfHook
+{ stdenv, lib, fetchurl, fetchpatch, makeWrapper, autoreconfHook
 , pkgconfig, which
 , flex, bison
 , linuxHeaders ? stdenv.cc.libc.linuxHeaders
 , gawk
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && perl.meta.available or false, perl
-, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && python.meta.available or false, python
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
 , swig
 , ncurses
 , pam
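Review bot: The new `withPerl`/`withPython` defaults on the two `+` lines index `perl.meta.platforms` and `python.meta.platforms` directly, while the replaced `perl.meta.available or false` tolerated a missing attribute, so a package whose `meta` has no `platforms` now makes apparmor fail to evaluate instead of defaulting the flag to false. The `shouldUsePkg` helper in the ffado hunk has the same shape with an arbitrary `pkg`, where a missing `meta.platforms` is more plausible. A defaulted selection keeps the old tolerance: `lib.any (lib.meta.platformMatch stdenv.hostPlatform) (perl.meta.platforms or [])`, and likewise `(pkg.meta.platforms or [])` in ffado. The function argument set continues past the end of this hunk.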
diff --git a/pkgs/os-specific/linux/batman-adv/alfred.nix b/pkgs/os-specific/linux/batman-adv/alfred.nix
index cc632db160f2..605334e12a10 100644
--- a/pkgs/os-specific/linux/batman-adv/alfred.nix
+++ b/pkgs/os-specific/linux/batman-adv/alfred.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchurl, pkgconfig, gpsd, libcap, libnl }:
 
 let
-  ver = "2018.2";
+  ver = "2018.3";
 in
 stdenv.mkDerivation rec {
   name = "alfred-${ver}";
 
   src = fetchurl {
     url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${ver}/${name}.tar.gz";
-    sha256 = "0640p9zy1511pl30i5yybqa0s1yqz83291vw1z22jrcsq57rrgib";
+    sha256 = "06lbyac0w48jkxpji9pgkxnwcrwbzs2dwzfgw2vfr1lix6ivhrb2";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/os-specific/linux/batman-adv/batctl.nix b/pkgs/os-specific/linux/batman-adv/batctl.nix
index 9ccda9178f10..fdb6ea3695e8 100644
--- a/pkgs/os-specific/linux/batman-adv/batctl.nix
+++ b/pkgs/os-specific/linux/batman-adv/batctl.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchurl, pkgconfig, libnl }:
 
 let
-  ver = "2018.2";
+  ver = "2018.3";
 in
 stdenv.mkDerivation rec {
   name = "batctl-${ver}";
 
   src = fetchurl {
     url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${ver}/${name}.tar.gz";
-    sha256 = "09bxh4yifqiphn0ljc3msbxid62ynd9kk3vn82h13gcpfnyckw6z";
+    sha256 = "1rljx2jlh3wlk6l9p068mhbqpdr5p5qnwm0336ay1316x0zjvqr4";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
index a02127ab7989..5a40368f3ceb 100644
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ b/pkgs/os-specific/linux/bcc/default.nix
@@ -4,14 +4,14 @@
 }:
 
 python.pkgs.buildPythonApplication rec {
-  version = "0.6.1";
+  version = "0.7.0";
   name = "bcc-${version}";
 
   src = fetchFromGitHub {
     owner  = "iovisor";
     repo   = "bcc";
     rev    = "v${version}";
-    sha256 = "1rfqjbq8ah8zrsnpbx0h5irq3h2snncfvi4pvaxl7574kciprjxj";
+    sha256 = "1ww7l0chx2ivw9d2ahxjyhxmh6hz3w5z69r4lz02f0361rnrvk7f";
   };
 
   format = "other";
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 69fe94a1fe47..71ad6203e325 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -32,14 +32,14 @@ let
 in
 
 stdenv.mkDerivation rec {
-  name = "busybox-1.29.2";
+  name = "busybox-1.29.3";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
     url = "https://busybox.net/downloads/${name}.tar.bz2";
-    sha256 = "0qax9926qx9lpxiw75f4hkknz1pg0zcn5pkjx5gqfibs2ipgmlk7";
+    sha256 = "1dzg45vgy2w1xcd3p6h8d76ykhabbvk1h0lf8yb24ikrwlv8cr4p";
   };
 
   hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];
diff --git a/pkgs/os-specific/linux/can-isotp/default.nix b/pkgs/os-specific/linux/can-isotp/default.nix
new file mode 100644
index 000000000000..0c32c3f5e62a
--- /dev/null
+++ b/pkgs/os-specific/linux/can-isotp/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, kernel, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  name = "can-isotp-${version}";
+  version = "20180629";
+
+  hardeningDisable = [ "pic" ];
+  
+  src = fetchFromGitHub {
+    owner = "hartkopp";
+    repo = "can-isotp";
+    rev = "6003f9997587e6a563cebf1f246bcd0eb6deff3d";
+    sha256 = "0b2pqb0vd1wgv2zpl7lvfavqkzr8mrwhrv7zdqkq3rz9givcv8w7";
+  };
+
+  KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = "\${out}";
+
+  buildPhase = ''
+    make modules
+  '';
+
+  installPhase = ''
+    make modules_install
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  
+  meta = with stdenv.lib; {
+    description = "Kernel module for ISO-TP (ISO 15765-2)";
+    homepage = "https://github.com/hartkopp/can-isotp";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.evck ];
+  };
+}  
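Review bot: The new `buildPhase` and `installPhase` override the stdenv phases without calling `runHook preBuild`/`postBuild` and `runHook preInstall`/`postInstall`, which the iio-sensor-proxy hunk in this same merge adds to its `configurePhase`; keeping the hooks lets wrappers and setup hooks still run for this kernel module. The file also carries trailing whitespace on two blank lines and on the closing `}`. The escaped `INSTALL_MOD_PATH = "\${out}"` presumably intends to defer expansion to the build shell rather than Nix — a short comment saying so would help the next reader, e.g. `# expanded by the build shell, not by Nix`.
```nix
  buildPhase = ''
    runHook preBuild
    make modules
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    make modules_install
    runHook postInstall
  '';
```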
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index 45a7fe177f2b..c146e18f68d5 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -7,7 +7,6 @@ stdenv.mkDerivation rec {
   src = fetchurl {
     urls = [
       "http://nwl.cc/pub/cryptodev-linux/${pname}.tar.gz"
-      "http://download.gna.org/cryptodev-linux/${pname}.tar.gz"
     ];
     sha256 = "0l3r8s71vkd0s2h01r7fhqnc3j8cqw4msibrdxvps9hfnd4hnk4z";
   };
@@ -20,7 +19,7 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Device that allows access to Linux kernel cryptographic drivers";
-    homepage = http://home.gna.org/cryptodev-linux/;
+    homepage = http://cryptodev-linux.org/;
     license = stdenv.lib.licenses.gpl2Plus;
     platforms = stdenv.lib.platforms.linux;
     broken = !stdenv.lib.versionOlder kernel.version "4.13";
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index 178fc7d91408..4eec4754ca9a 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -14,8 +14,19 @@ stdenv.mkDerivation rec {
     sha256 = "0d2p9g2wqcv6l3671gvw96p16jadbgyh21ddy2bhqgi96dq3qflx";
   };
 
+  # Disable 4 test cases that fail in a sandbox
+  patches = [ ./disable-failing-tests.patch ];
+
   postPatch = ''
     patchShebangs tests
+    ${stdenv.lib.optionalString enablePython ''
+      patchShebangs ./python/pycryptsetup-test.py
+    ''}
+
+    # O_DIRECT is filesystem dependent and fails in a sandbox (on tmpfs)
+    # and on several filesystem types (btrfs, zfs) without sandboxing.
+    # Remove it, see discussion in #46151
+    substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""
   '';
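Review bot: The `substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""` line is, as far as I know for nixpkgs of this era, a silent no-op when the literal is absent, so a later cryptsetup bump that reshapes that line would quietly re-enable `O_DIRECT` and, with the `doCheck = true` added in the second hunk, fail in the sandbox with nothing pointing back to this workaround. Guarding the substitution makes the dependency explicit: `grep -q "| O_DIRECT" tests/unit-utils-io.c` on the line before it, so the build stops at the outdated workaround rather than at a confusing test failure. The `postPatch` string is fully inside the hunk; the enclosing `mkDerivation` is not.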
 
   NIX_LDFLAGS = "-lgcc_s";
@@ -30,6 +41,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ lvm2 json_c openssl libuuid popt ]
     ++ stdenv.lib.optional enablePython python2;
 
+  doCheck = true;
+
   meta = {
     homepage = https://gitlab.com/cryptsetup/cryptsetup/;
     description = "LUKS for dm-crypt";
diff --git a/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch b/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch
new file mode 100644
index 000000000000..1504bf3e1511
--- /dev/null
+++ b/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch
@@ -0,0 +1,19 @@
+diff -ur a/tests/blockwise-compat b/tests/blockwise-compat
+--- a/tests/blockwise-compat	2018-09-08 12:23:11.706555098 +0200
++++ b/tests/blockwise-compat	2018-09-08 12:24:24.444393460 +0200
+@@ -148,15 +148,11 @@
+ 	# device/file fn_name length
+ 	RUN "P" $1 read_buffer $BSIZE
+ 	RUN "P" $1 read_buffer $((2*BSIZE))
+-	RUN "F" $1 read_buffer $((BSIZE-1))
+-	RUN "F" $1 read_buffer $((BSIZE+1))
+ 	RUN "P" $1 read_buffer 0
+ 
+ 	RUN "P" $1 write_buffer $BSIZE
+ 	RUN "P" $1 write_buffer $((2*BSIZE))
+ 
+-	RUN "F" $1 write_buffer $((BSIZE-1))
+-	RUN "F" $1 write_buffer $((BSIZE+1))
+ 	RUN "F" $1 write_buffer 0
+ 
+ 	# basic blockwise functions
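Review bot: The new patch file removes the four `RUN "F"` expect-failure cases for misaligned lengths (`BSIZE-1`, `BSIZE+1`) — the negative checks that the blockwise helpers reject unaligned read and write sizes — and carries no preamble explaining why they fail, so the next updater cannot tell whether the exclusion is still needed. The only rationale is the one-line comment in default.nix; presumably the failures relate to the O_DIRECT/tmpfs behaviour described there, but that should be confirmed and recorded in the patch itself. A header line before `diff -ur`, e.g. `Drops the misaligned-length negative tests in blockwise-compat; they fail under the Nix build sandbox — re-check on each cryptsetup update.`, would keep the context with the patch.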
diff --git a/pkgs/os-specific/linux/dmidecode/default.nix b/pkgs/os-specific/linux/dmidecode/default.nix
index 0216e48d58f5..49163cc8b790 100644
--- a/pkgs/os-specific/linux/dmidecode/default.nix
+++ b/pkgs/os-specific/linux/dmidecode/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "dmidecode-3.1";
+  name = "dmidecode-3.2";
 
   src = fetchurl {
     url = "mirror://savannah/dmidecode/${name}.tar.xz";
-    sha256 = "1h0sg0lxa15nzf8s7884p6q7p6md9idm0c79wyqmk32l4ndwwrnp";
+    sha256 = "1pcfhcgs2ifdjwp7amnsr3lq95pgxpr150bjhdinvl505px0cw07";
   };
 
   makeFlags = "prefix=$(out)";
diff --git a/pkgs/os-specific/linux/earlyoom/default.nix b/pkgs/os-specific/linux/earlyoom/default.nix
index 081996dfd42b..0c2f1a872fd9 100644
--- a/pkgs/os-specific/linux/earlyoom/default.nix
+++ b/pkgs/os-specific/linux/earlyoom/default.nix
@@ -1,19 +1,19 @@
 { lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  name = "earlyoom-${version}";
-  version = "0.11";
+  name = "earlyoom-${VERSION}";
+  # This environment variable is read by make to set the build version.
+  VERSION = "1.1";
 
   src = fetchFromGitHub {
     owner = "rfjakob";
     repo = "earlyoom";
-    rev = "08b7ed8e72feed2eec2e558ba2cfacbf6d469594";
-    sha256 = "1k3xslb70fzk80wlka32l0k2v45qn1xgwyjkjiz85gv6v4mv92vl";
+    rev = "v${VERSION}";
+    sha256 = "1hczn59mmx287hnlhcmpxrf3jy3arllif165dq7b2ha6w3ywngww";
   };
 
   installPhase = ''
-    mkdir -p $out/bin
-    cp earlyoom $out/bin
+    install -D earlyoom $out/bin/earlyoom
   '';
 
   meta = {
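Review bot: Replacing `version` with `VERSION` drops the derivation's `version` attribute, which nixpkgs tooling and other expressions may read (hedged: I cannot see consumers from here), in order to export the make variable. Both can be kept with `version = "1.1";` followed by `VERSION = version; # read by make to set the build version` and `name = "earlyoom-${version}";`. The new `installPhase` also omits `runHook preInstall`/`runHook postInstall`, which the iio-sensor-proxy hunk in this merge adds to its phase.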
diff --git a/pkgs/os-specific/linux/eudev/default.nix b/pkgs/os-specific/linux/eudev/default.nix
index 0ca85c7e50bc..771f012c2c21 100644
--- a/pkgs/os-specific/linux/eudev/default.nix
+++ b/pkgs/os-specific/linux/eudev/default.nix
@@ -3,10 +3,10 @@ let
   s = # Generated upstream information
   rec {
     baseName="eudev";
-    version = "3.2.5";
+    version = "3.2.6";
     name="${baseName}-${version}";
     url="http://dev.gentoo.org/~blueness/eudev/eudev-${version}.tar.gz";
-    sha256 = "1bwh72brp4dvr2dm6ng0lflic6abl87h8zk209im5lna0m0x1hj9";
+    sha256 = "1qdpnvsv3qqwy6jl4i4b1dn212y6nvawpaladb7plfping9p2n46";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/os-specific/linux/evdi/default.nix b/pkgs/os-specific/linux/evdi/default.nix
index 730df56a6429..3c7e2f98b890 100644
--- a/pkgs/os-specific/linux/evdi/default.nix
+++ b/pkgs/os-specific/linux/evdi/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "evdi-${version}";
-  version = "1.5.0";
+  version = "1.5.0.2";
 
   src = fetchFromGitHub {
     owner = "DisplayLink";
     repo = "evdi";
     rev = "v${version}";
-    sha256 = "01z7bx5rgpb5lc4c6dxfiv52ni25564djxmvmgy3d7r1x1mqhxgs";
+    sha256 = "1wjk023lpjxnspfl34c6rzkrixahfdzdkmc3hnmrdw12s3i6ca5x";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -29,6 +29,6 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
     license = licenses.gpl2;
     homepage = http://www.displaylink.com/;
-    broken = versionOlder kernel.version "4.9" || versionAtLeast kernel.version "4.15";
+    broken = versionOlder kernel.version "4.9" || versionAtLeast kernel.version "4.15" || stdenv.isAarch64;
   };
 }
diff --git a/pkgs/os-specific/linux/ffado/default.nix b/pkgs/os-specific/linux/ffado/default.nix
index 4e3e373d244c..85218042cf76 100644
--- a/pkgs/os-specific/linux/ffado/default.nix
+++ b/pkgs/os-specific/linux/ffado/default.nix
@@ -11,7 +11,7 @@
 
 let
 
-  shouldUsePkg = pkg: if pkg != null && pkg.meta.available then pkg else null;
+  shouldUsePkg = pkg: if pkg != null && stdenv.lib.any (stdenv.lib.meta.platformMatch stdenv.hostPlatform) pkg.meta.platforms then pkg else null;
 
   libOnly = prefix == "lib";
 
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 9f2374e75a88..553b3804a038 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -3,11 +3,11 @@ let
   s = # Generated upstream information
   rec {
     baseName="firejail";
-    version="0.9.54";
+    version="0.9.56";
     name="${baseName}-${version}";
-    hash="0mkpqlhi1vxiwd1pmlsk02vpydy1gj61k1gi3zlz6qw84xa6i6ff";
-    url="https://vorboss.dl.sourceforge.net/project/firejail/firejail/firejail-0.9.54.tar.xz";
-    sha256="0mkpqlhi1vxiwd1pmlsk02vpydy1gj61k1gi3zlz6qw84xa6i6ff";
+    hash="0b9ig0a91i19sfm94a6yl510pm4dlidmani3fsnb7vh0qy3l9121";
+    url="https://vorboss.dl.sourceforge.net/project/firejail/firejail/firejail-0.9.56.tar.xz";
+    sha256="0b9ig0a91i19sfm94a6yl510pm4dlidmani3fsnb7vh0qy3l9121";
   };
   buildInputs = [
     which
@@ -37,6 +37,14 @@ stdenv.mkDerivation {
     sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
   '';
 
+  # We need to set the directory for the .local override files back to
+  # /etc/firejail so we can actually override them
+  postInstall = ''
+    sed -E -e 's@^include (.*)(/firejail/.*.local)$@include /etc\2@g' -i $out/etc/firejail/*.profile
+  '';
+
+  enableParallelBuilding = true;
+
   meta = {
     inherit (s) version;
     description = ''Namespace-based sandboxing tool for Linux'';
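Review bot: The sed expression in the new `postInstall` uses `.*.local` with an unescaped dot, so it also matches names where any character precedes `local`; since this rewrite decides which files a setuid sandbox pulls its profile overrides from, the pattern should be exact: `sed -E -e 's@^include (.*)(/firejail/.*\.local)$@include /etc\2@g' -i $out/etc/firejail/*.profile`. The comment could also state the consequence explicitly — after this rewrite the `.local` overrides are read from the mutable `/etc/firejail` rather than the store path, which is presumably the intended administrator override point — e.g. `# After this rewrite profile overrides come from /etc/firejail, not the store`. The enclosing `mkDerivation` starts and ends outside the hunk.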
diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
index 82978d3e3ca9..43747aeaf0d0 100644
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   name = "firmware-linux-nonfree-${version}";
-  version = "2018-08-25";
+  version = "2018-10-17";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
-    rev = "fea76a04f25fd0a217c0d566ff5ff8f23ad3e648";
-    sha256 = "1xy1s9vd7jny4hf4f1hzhlbnm0l4pnw7xycky0v6kfwlg5nnjii5";
+    rev = "de9cefa74bba6fce3834144460868a468b8818f2";
+    sha256 = "101j4jk3ixl8r3mxbkcrr5ybhb44ij3l52js4dqfxpylpiaw2cgk";
   };
 
   installFlags = [ "DESTDIR=$(out)" ];
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "1p1dkzclj718w7di81s6486dn5zw77c4i2qn63bvp9q4vid452hn";
+  outputHash = "1ndwp9yhpmx0kzayddy9i93mpv3d8gxypqm85069ic13lrjz1gdf";
 
   meta = with stdenv.lib; {
     description = "Binary firmware collection packaged by kernel.org";
diff --git a/pkgs/os-specific/linux/firmware/fwupd/default.nix b/pkgs/os-specific/linux/firmware/fwupd/default.nix
index e29dd2e6ee53..eabb27f6ae2f 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -7,7 +7,7 @@
 }:
 let
   # Updating? Keep $out/etc synchronized with passthru.filesInstalledToEtc
-  version = "1.1.1";
+  version = "1.1.2";
   python = python3.withPackages (p: with p; [ pygobject3 pycairo pillow ]);
   installedTestsPython = python3.withPackages (p: with p; [ pygobject3 requests ]);
 
@@ -18,7 +18,7 @@ in stdenv.mkDerivation {
   name = "fwupd-${version}";
   src = fetchurl {
     url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
-    sha256 = "0szakfnp6pl8vv3ivb40p5j8pxapfp724a55s2dr1qzzdlbjd08s";
+    sha256 = "1qhg8h1dv9k3i0429j0wl37rpxfbahggfd1j8s7a4cw83k42cgfs";
   };
 
   outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ];
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
index b29cf88f168f..db1091e349dc 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "raspberrypi-firmware-${version}";
-  version = "1.20180619";
+  version = "1.20180919";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "firmware";
     rev = version;
-    sha256 = "1wppk6c5mbanx9h2wa3yz3rzh5am8bqvgw23gxqgwhbar8w99cfn";
+    sha256 = "0aw5fzz7kr18cc4phdn81g45swkpaf4022sgi72pq2q6zzqnrdg4";
   };
 
   installPhase = ''
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix b/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
index 91e6e7f4cc59..4685f6757179 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "raspberrypi-tools-${version}";
-  version = "2018-02-05";
+  version = "2018-10-03";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "userland";
-    rev = "a343dcad1dae4e93f4bfb99496697e207f91027e";
-    sha256 = "1z4qrwjb7x3a45mx978q8vyhnx068sgzhymm4z0ayhckji4ngal1";
+    rev = "de4a7f2e3c391e2d3bc76af31864270e7802d9ac";
+    sha256 = "0w96xa98ngdk9m6wv185w8waa7wm2hkn2bhxz52zd477hchzrxlg";
   };
 
   patches = [ ./tools-dont-install-sysv-init-scripts.patch ];
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index eacac156c975..3f90b91f10d8 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 
   meta = with stdenv.lib; {
     description = "Set of I2C tools for Linux";
-    homepage = http://www.lm-sensors.org/wiki/I2CTools;
+    homepage = https://i2c.wiki.kernel.org/index.php/I2C_Tools;
     license = licenses.gpl2;
     maintainers = [ maintainers.dezgeg ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/i7z/default.nix b/pkgs/os-specific/linux/i7z/default.nix
index 48d28036aa4f..ac5f9fc5ba30 100644
--- a/pkgs/os-specific/linux/i7z/default.nix
+++ b/pkgs/os-specific/linux/i7z/default.nix
@@ -1,51 +1,55 @@
-{ stdenv, lib, fetchurl, ncurses
-, withGui ? false, qt4 ? null }:
+{ stdenv, lib, fetchFromGitHub, fetchpatch, ncurses
+, withGui ? false, qtbase }:
 
 stdenv.mkDerivation rec {
-  name = "i7z-0.27.2";
-
-  src = fetchurl {
-    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/i7z/${name}.tar.gz";
-    sha256 = "1wa7ix6m75wl3k2n88sz0x8cckvlzqklja2gvzqfw5rcfdjjvxx7";
+  name = "i7z-${version}";
+  version = "0.27.3";
+
+  src = fetchFromGitHub {
+    owner = "DimitryAndric";
+    repo = "i7z";
+    rev = "v${version}";
+    sha256 = "0l8wz0ffb27nkwchc606js652spk8masy3kjmzh7ygipwsary5ds";
   };
 
-  buildInputs = [ ncurses ] ++ lib.optional withGui qt4;
+  buildInputs = [ ncurses ] ++ lib.optional withGui qtbase;
+
+  patches = [
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/fix-insecure-tempfile.patch";
+      sha256 = "0ifg06xjw14y4fnzzgkhqm4sv9mcdzgi8m2wffq9z8b1r0znya3s";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/nehalem.patch";
+      sha256 = "1ys6sgm01jkqb6d4y7qc3h89dzph8jjjcfya5c5jcm7dkxlzjq8a";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/hyphen-used-as-minus-sign.patch";
+      sha256 = "1ji2qvdyq0594cpqz0dlsfggvw3rm63sygh0jxvwjgxpnhykhg1p";
+    })
+    ./qt5.patch
+  ];
 
   enableParallelBuilding = true;
 
-  buildPhase = ''
-    runHook preBuild
-
-    make
-    ${lib.optionalString withGui ''
+  postBuild = lib.optionalString withGui ''
       cd GUI
       qmake
       make clean
       make
       cd ..
-    ''}
-
-    runHook postBuild
   '';
 
-  installPhase = ''
-    runHook preInstall
-
-    mkdir -p $out/{bin,sbin}
-    make install prefix=$out
-    ${lib.optionalString withGui ''
-      install -Dm755 GUI/i7z_GUI $out/bin/i7z-gui
-    ''}
-    mv $out/sbin/* $out/bin/
-    rmdir $out/sbin
+  makeFlags = [ "prefix=${placeholder "out"}" ];
 
-    runHook postInstall
+  postInstall = lib.optionalString withGui ''
+    install -Dm755 GUI/i7z_GUI $out/bin/i7z-gui
   '';
 
   meta = with lib; {
     description = "A better i7 (and now i3, i5) reporting tool for Linux";
-    homepage = https://github.com/ajaiantilal/i7z;
-    repositories.git = https://github.com/ajaiantilal/i7z.git;
+    homepage = https://github.com/DimitryAndric/i7z;
+    repositories.git = https://github.com/DimitryAndric/i7z.git;
     license = licenses.gpl2;
     maintainers = with maintainers; [ bluescreen303 ];
     # broken on ARM
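Review bot: The removed `installPhase` moved `$out/sbin/*` into `$out/bin` and removed `sbin`; the new `makeFlags = [ "prefix=${placeholder "out"}" ]` relies on the upstream install target alone, so if the 0.27.3 Makefile still installs the binary under `sbin` it now lands in `$out/sbin` — confirm against the new source, and if so add `postInstall` handling equivalent to the old `mv`. The `patches` list carries no comment; the first Debian patch's name indicates a fix for insecure temporary-file handling, which is worth recording so it is not dropped on the next bump, e.g. `# Debian patches: temp-file hardening (fix-insecure-tempfile), Nehalem support, man-page hyphen fix — verify each still applies on update`. The `postBuild` body keeps a six-space indent left over from the old nested string. The `meta` set continues past the end of the hunk.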
diff --git a/pkgs/os-specific/linux/i7z/qt5.patch b/pkgs/os-specific/linux/i7z/qt5.patch
new file mode 100644
index 000000000000..9e9b162d9e85
--- /dev/null
+++ b/pkgs/os-specific/linux/i7z/qt5.patch
@@ -0,0 +1,13 @@
+diff -Naur a/GUI/i7z_GUI.pro b/GUI/i7z_GUI.pro
+--- a/GUI/i7z_GUI.pro	2013-10-12 21:59:19.000000000 +0100
++++ b/GUI/i7z_GUI.pro	2016-11-05 13:54:30.118655672 +0000
+@@ -3,7 +3,8 @@
+ ######################################################################
+ 
+ TEMPLATE = app
+-TARGET = 
++TARGET = i7z_GUI
++QT += widgets
+ DEPENDPATH += .
+ INCLUDEPATH += .
+ CONFIG += debug
diff --git a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
index 0ccc8acfdca9..dcd5b4763ff1 100644
--- a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
+++ b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -3,19 +3,23 @@
 
 stdenv.mkDerivation rec {
   name = "iio-sensor-proxy-${version}";
-  version = "2.4";
+  version = "2.5";
 
   src = fetchFromGitHub {
     owner  = "hadess";
     repo   = "iio-sensor-proxy";
     rev    = version;
-    sha256 = "1c8izq73c00gvv0jc6zby5hcircs4cb16a1d3ivp1i1iflknj46n";
+    sha256 = "06x1vvslsa44bgw8s5rr17q9i2ssbw0x04l75zsy3rql9r3y2jzg";
   };
 
   configurePhase = ''
+    runHook preConfigure
+
     ./autogen.sh --prefix=$out \
       --with-udevrulesdir=$out/lib/udev/rules.d \
       --with-systemdsystemunitdir=$out/lib/systemd/system
+
+    runHook postConfigure
   '';
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index f1abf0fbe925..8f81ec4918ed 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -1,6 +1,4 @@
-{ fetchurl, stdenv, config, flex, bash, bison, db, iptables, pkgconfig
-, libelf
-}:
+{ fetchurl, stdenv, flex, bash, bison, db, iptables, pkgconfig, libelf }:
 
 stdenv.mkDerivation rec {
   name = "iproute2-${version}";
@@ -18,6 +16,8 @@ stdenv.mkDerivation rec {
     substituteInPlace Makefile --replace " netem " " "
   '';
 
+  outputs = [ "out" "dev"];
+
   makeFlags = [
     "DESTDIR="
     "LIBDIR=$(out)/lib"
@@ -25,12 +25,11 @@ stdenv.mkDerivation rec {
     "MANDIR=$(out)/share/man"
     "BASH_COMPDIR=$(out)/share/bash-completion/completions"
     "DOCDIR=$(TMPDIR)/share/doc/${name}" # Don't install docs
-    "HDRDIR=$(TMPDIR)/include/iproute2" # Don't install headers
+    "HDRDIR=$(dev)/include/iproute2"
   ];
 
-  # enable iproute2 module if you want this folder to be created
   buildFlags = [
-    "CONFDIR=${config.iproute2.confDir or "/run/iproute2"}"
+    "CONFDIR=/etc/iproute2"
   ];
 
   installFlags = [
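Review bot: Hard-coding `CONFDIR=/etc/iproute2` removes both the `config.iproute2.confDir` override and the comment that was the only hint that this directory is read at run time and must exist on the system; a replacement comment would keep that visible, e.g. `# CONFDIR is read at run time (e.g. rt_tables); /etc/iproute2 is expected to be provided by the system configuration, not this package`. Minor style: `outputs = [ "out" "dev"];` is missing the space before `]`. The `mkDerivation` body continues outside the hunk.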
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index e66dbe41d013..2248f0329c60 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -30,6 +30,16 @@ in stdenv.mkDerivation {
       url = "https://github.com/iputils/iputils/commit/d0ff83e87ea9064d9215a18e93076b85f0f9e828.patch";
       sha256 = "05wrwf0bfmax69bsgzh3b40n7rvyzw097j8z5ix0xsg0kciygjvx";
     })
+    (fetchpatch {
+      name = "add-missing-idn-declarations.patch";
+      url = "https://github.com/iputils/iputils/commit/5007d7067918fb3d950d34c01d059e5222db679a.patch";
+      sha256 = "0dhgxdhjcbb2q6snm3mjp38l066knykmrx4k8rn167cizn7akpdx";
+    })
+    (fetchpatch {
+      name = "fix-ping-idn.patch";
+      url = "https://github.com/iputils/iputils/commit/25899e849aa3abc1ad29ebf0b830262a859eaed5.patch";
+      sha256 = "1bqjcdjjnc2j6indcli7s7gbbhkcaligvh94asixfrmjzkbn533n";
+    })
   ];
 
   prePatch = ''
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index 79179f3fcbb8..f30eac588a2f 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -3,17 +3,17 @@
 let
   ell = fetchgit {
      url = https://git.kernel.org/pub/scm/libs/ell/ell.git;
-     rev = "0.9";
-     sha256 = "1kg7cx7ir8bvz33n624ncrq9r4fh7rg9z22fly894a3mk1imq22p";
+     rev = "0.11";
+     sha256 = "0nifa5w6fxy7cagyas2a0zhcppi83yrcsnnp70ls2rc90x4r1ip8";
   };
 in stdenv.mkDerivation rec {
   name = "iwd-${version}";
-  version = "0.7";
+  version = "0.9";
 
   src = fetchgit {
     url = https://git.kernel.org/pub/scm/network/wireless/iwd.git;
     rev = version;
-    sha256 = "0q76fh6fcl7nxyjl8z2n4plp2qaxc1fqx575by6xqf1rnv4nk0ab";
+    sha256 = "1l1jbwsshjbz32s4rf0zfcn3fd16si4y9qa0zaxp00bfzflnpcd4";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 84a621e7f120..d65be175fc1d 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, kernel }:
 
-assert stdenv.lib.versionOlder kernel.version "4.17";
+assert stdenv.lib.versionOlder kernel.version "4.18";
 
 let
   sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
diff --git a/pkgs/os-specific/linux/jool/source.nix b/pkgs/os-specific/linux/jool/source.nix
index f15b91f9f142..24134b8b8182 100644
--- a/pkgs/os-specific/linux/jool/source.nix
+++ b/pkgs/os-specific/linux/jool/source.nix
@@ -1,11 +1,11 @@
 { fetchFromGitHub }:
 
 rec {
-  version = "3.5.7";
+  version = "unstable-20180706";
   src = fetchFromGitHub {
     owner = "NICMx";
     repo = "Jool";
-    rev = "v${version}";
-    sha256 = "1qxhrchhm4lbyxkp6wm47a85aa4d9wlyy3kdijl8rarngvh8j1yx";
+    rev = "de791931d94e972c36bb3c102a9cadab5230c285";
+    sha256 = "09mr7lc9k17znpslsfmndx4vgl240llcgblxm92fizmwz23y1d6c";
   };
 }
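Review bot: The pin at `rev = "de791931d94e972c36bb3c102a9cadab5230c285"` swaps a tagged release for an unreleased commit, yet nothing in the file records why, so a later maintainer cannot tell whether `version = "unstable-20180706"` is a stop-gap or the intended state. The full commit hash together with the `sha256` keeps the fetch immutable, so the pinning itself is sound. Presumably the snapshot is what allows the sibling `default.nix` in this same commit to relax its kernel assertion to `versionOlder kernel.version "4.18"`; if so, say it next to the rev, e.g. `# unreleased snapshot (no tag yet with the newer-kernel fixes); return to a tagged release when upstream ships one`, so the pin has a documented exit condition.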
diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index bfade509fcac..a37e65f8cb50 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -25,6 +25,19 @@ stdenv.mkDerivation rec {
       # Add Neo keymap subdirectory
       sed -i -e 's,^KEYMAPSUBDIRS *= *,&i386/neo ,' data/Makefile.am
 
+      # Renaming keymaps with name clashes, because loadkeys just picks
+      # the first keymap it sees. The clashing names lead to e.g.
+      # "loadkeys no" defaulting to a norwegian dvorak map instead of
+      # the much more common qwerty one.
+      pushd data/keymaps/i386
+      mv qwertz/cz{,-qwertz}.map
+      mv olpc/es{,-olpc}.map
+      mv olpc/pt{,-olpc}.map
+      mv dvorak/{no.map,dvorak-no.map}
+      mv fgGIod/trf{,-fgGIod}.map
+      mv colemak/{en-latin9,colemak}.map
+      popd
+
       # Fix the path to gzip/bzip2.
       substituteInPlace src/libkeymap/findfile.c \
         --replace gzip ${gzip}/bin/gzip \
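Review bot: The renames change the names users must pass to `loadkeys`, but the comment only explains the clash and never lists the new names (`cz-qwertz`, `es-olpc`, `pt-olpc`, `dvorak-no`, `trf-fgGIod`, `colemak`), so a user whose `loadkeys cz-qwertz` expectation comes from this file has nowhere to find it. The final rename `mv colemak/{en-latin9,colemak}.map` reads as a clash fix only if another `en-latin9.map` exists elsewhere in the tree; if it is really a usability rename, say so on its own line rather than folding it into the clash rationale. Because each `mv` fails on a missing source, a future kbd release that moves one of these files will abort the build here under stdenv's fail-fast shell, which is the desired outcome; a one-line comment such as `# a failing mv here means upstream moved a keymap: re-check the clash list` would stop someone from "fixing" it with `|| true`.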
diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix
index 3f0b8e9b3593..011668f0c679 100644
--- a/pkgs/os-specific/linux/kernel-headers/default.nix
+++ b/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -84,8 +84,8 @@ let
 in {
 
   linuxHeaders = common {
-    version = "4.15";
-    sha256 = "0sd7l9n9h7vf9c6gd6ciji28hawda60yj0llh17my06m0s4lf9js";
+    version = "4.18.3";
+    sha256 = "1m23hjd02bg8mqnd8dc4z4m3kxds1cyrc6j5saiwnhzbz373rvc1";
     # TODO make unconditional next mass rebuild
     patches = lib.optionals (stdenvNoCC.hostPlatform != stdenvNoCC.buildPlatform) [
        ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
diff --git a/pkgs/os-specific/linux/kernel-headers/no-dynamic-cc-version-check.patch b/pkgs/os-specific/linux/kernel-headers/no-dynamic-cc-version-check.patch
index b69dc65e1587..9b582cac7153 100644
--- a/pkgs/os-specific/linux/kernel-headers/no-dynamic-cc-version-check.patch
+++ b/pkgs/os-specific/linux/kernel-headers/no-dynamic-cc-version-check.patch
@@ -1,3 +1,19 @@
+diff --git a/Makefile b/Makefile
+index 863f58503bee..b778d5023208 100644
+--- a/Makefile
++++ b/Makefile
+@@ -501,11 +501,9 @@ KBUILD_CFLAGS      += $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS  += $(call cc-option,-fno-PIE)
+ 
+ # check for 'asm goto'
+-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
+   CC_HAVE_ASM_GOTO := 1
+   KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
+   KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
+-endif
+ 
+ # The expansion should be delayed until arch/$(SRCARCH)/Makefile is included.
+ # Some architectures define CROSS_COMPILE in arch/$(SRCARCH)/Makefile.
 diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
 index 065324a8046f..d09c67194549 100644
 --- a/scripts/Kbuild.include
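Review bot: The new Makefile hunk removes the probe (`+-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh ...` through `+-endif`) but keeps `CC_HAVE_ASM_GOTO := 1` and the two `-DCC_HAVE_ASM_GOTO` additions, so the patched tree now asserts asm-goto support for whatever compiler is in use. That is only safe if this patch is applied for a headers-only install where those CFLAGS never reach a compile, which is presumably the case given the `kernel-headers` directory, but the patch file states no such scope and would silently miscompile a real kernel if someone reused it. Add a short preamble above the first `diff --git` line saying the patch disables compiler probes that need a runnable target `$(CC)` and must only be used for `headers_install`; `patch` and `git apply` ignore text before the first file header, so the note is free.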
@@ -6,10 +22,10 @@ index 065324a8046f..d09c67194549 100644
  cc-name = $(call shell-cached,$(CC) -v 2>&1 | grep -q "clang version" && echo clang || echo gcc)
  
  # cc-version
--cc-version = $(call shell-cached,$(CONFIG_SHELL) $(srctree)/scripts/gcc-version.sh $(CC))
+-cc-version = $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-version.sh $(CC))
  
  # cc-fullversion
--cc-fullversion = $(call shell-cached,$(CONFIG_SHELL) \
+-cc-fullversion = $(shell $(CONFIG_SHELL) \
 -	$(srctree)/scripts/gcc-version.sh -p $(CC))
  
  # cc-ifversion
diff --git a/pkgs/os-specific/linux/kernel/copperhead-4-14.patch b/pkgs/os-specific/linux/kernel/copperhead-4-14.patch
deleted file mode 100644
index 78112d164f06..000000000000
--- a/pkgs/os-specific/linux/kernel/copperhead-4-14.patch
+++ /dev/null
@@ -1,2864 +0,0 @@
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 0380a45ecf4b..39956a3ef645 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -490,16 +490,6 @@
-			nosocket -- Disable socket memory accounting.
-			nokmem -- Disable kernel memory accounting.
-
--	checkreqprot	[SELINUX] Set initial checkreqprot flag value.
--			Format: { "0" | "1" }
--			See security/selinux/Kconfig help text.
--			0 -- check protection applied by kernel (includes
--				any implied execute protection).
--			1 -- check protection requested by application.
--			Default value is set via a kernel config option.
--			Value can be changed at runtime via
--				/selinux/checkreqprot.
--
-	cio_ignore=	[S390]
-			See Documentation/s390/CommonIO for details.
-	clk_ignore_unused
-@@ -2899,6 +2889,11 @@
-			the specified number of seconds.  This is to be used if
-			your oopses keep scrolling off the screen.
-
-+	extra_latent_entropy
-+			Enable a very simple form of latent entropy extraction
-+			from the first 4GB of memory as the bootmem allocator
-+			passes the memory pages to the buddy allocator.
-+
-	pcbit=		[HW,ISDN]
-
-	pcd.		[PARIDE]
-diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
-index 694968c7523c..002d86416ef8 100644
---- a/Documentation/sysctl/kernel.txt
-+++ b/Documentation/sysctl/kernel.txt
-@@ -91,6 +91,7 @@ show up in /proc/sys/kernel:
- - sysctl_writes_strict
- - tainted
- - threads-max
-+- tiocsti_restrict
- - unknown_nmi_panic
- - watchdog
- - watchdog_thresh
-@@ -999,6 +1000,26 @@ available RAM pages threads-max is reduced accordingly.
-
- ==============================================================
-
-+tiocsti_restrict:
-+
-+This toggle indicates whether unprivileged users are prevented
-+from using the TIOCSTI ioctl to inject commands into other processes
-+which share a tty session.
-+
-+When tiocsti_restrict is set to (0) there are no restrictions(accept
-+the default restriction of only being able to injection commands into
-+one's own tty). When tiocsti_restrict is set to (1), users must
-+have CAP_SYS_ADMIN to use the TIOCSTI ioctl.
-+
-+When user namespaces are in use, the check for the capability
-+CAP_SYS_ADMIN is done against the user namespace that originally
-+opened the tty.
-+
-+The kernel config option CONFIG_SECURITY_TIOCSTI_RESTRICT sets the
-+default value of tiocsti_restrict.
-+
-+==============================================================
-+
- unknown_nmi_panic:
-
- The value in this file affects behavior of handling NMI. When the
-diff --git a/Makefile b/Makefile
-index 787cf6605209..e4fda5330730 100644
---- a/Makefile
-+++ b/Makefile
-@@ -710,6 +710,9 @@ endif
- KBUILD_CFLAGS += $(stackp-flag)
-
- ifeq ($(cc-name),clang)
-+ifdef CONFIG_LOCAL_INIT
-+KBUILD_CFLAGS   += -fsanitize=local-init
-+endif
- KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
- KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable)
- KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier)
-diff --git a/arch/Kconfig b/arch/Kconfig
-index 400b9e1b2f27..4637096f7902 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -440,6 +440,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
-	  is some slowdown of the boot process (about 0.5%) and fork and
-	  irq processing.
-
-+	  When extra_latent_entropy is passed on the kernel command line,
-+	  entropy will be extracted from up to the first 4GB of RAM while the
-+	  runtime memory allocator is being initialized.  This costs even more
-+	  slowdown of the boot process.
-+
-	  Note that entropy extracted this way is not cryptographically
-	  secure!
-
-@@ -533,7 +538,7 @@ config CC_STACKPROTECTOR
- choice
-	prompt "Stack Protector buffer overflow detection"
-	depends on HAVE_CC_STACKPROTECTOR
--	default CC_STACKPROTECTOR_NONE
-+	default CC_STACKPROTECTOR_STRONG
-	help
-	  This option turns on the "stack-protector" GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-@@ -735,7 +740,7 @@ config ARCH_MMAP_RND_BITS
-	int "Number of bits to use for ASLR of mmap base address" if EXPERT
-	range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
-	default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
--	default ARCH_MMAP_RND_BITS_MIN
-+	default ARCH_MMAP_RND_BITS_MAX
-	depends on HAVE_ARCH_MMAP_RND_BITS
-	help
-	  This value can be used to select the number of bits to use to
-@@ -769,7 +774,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
-	int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
-	range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
-	default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
--	default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+	default ARCH_MMAP_RND_COMPAT_BITS_MAX
-	depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
-	help
-	  This value can be used to select the number of bits to use to
-@@ -952,6 +957,7 @@ config ARCH_HAS_REFCOUNT
-
- config REFCOUNT_FULL
-	bool "Perform full reference count validation at the expense of speed"
-+	default y
-	help
-	  Enabling this switches the refcounting infrastructure from a fast
-	  unchecked atomic_t implementation to a fully state checked
-diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index 2d5f7aca156d..aa4839a74c6a 100644
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -918,6 +918,7 @@ endif
-
- config ARM64_SW_TTBR0_PAN
-	bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
-+	default y
-	help
-	  Enabling this option prevents the kernel from accessing
-	  user-space memory directly by pointing TTBR0_EL1 to a reserved
-@@ -1044,6 +1045,7 @@ config RANDOMIZE_BASE
-	bool "Randomize the address of the kernel image"
-	select ARM64_MODULE_PLTS if MODULES
-	select RELOCATABLE
-+	default y
-	help
-	  Randomizes the virtual address at which the kernel image is
-	  loaded, as a security feature that deters exploit attempts
-diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
-index cc6bd559af85..01d5442d4722 100644
---- a/arch/arm64/Kconfig.debug
-+++ b/arch/arm64/Kconfig.debug
-@@ -45,6 +45,7 @@ config ARM64_RANDOMIZE_TEXT_OFFSET
- config DEBUG_WX
-	bool "Warn on W+X mappings at boot"
-	select ARM64_PTDUMP_CORE
-+	default y
-	---help---
-	  Generate a warning if any W+X mappings are found at boot.
-
-diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
-index 34480e9af2e7..26304242250c 100644
---- a/arch/arm64/configs/defconfig
-+++ b/arch/arm64/configs/defconfig
-@@ -1,4 +1,3 @@
--CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- CONFIG_AUDIT=y
- CONFIG_NO_HZ_IDLE=y
-diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
-index 33be513ef24c..6f0c0e3ef0dd 100644
---- a/arch/arm64/include/asm/elf.h
-+++ b/arch/arm64/include/asm/elf.h
-@@ -114,10 +114,10 @@
-
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is above 4GB to leave the entire 32-bit address
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
--#define ELF_ET_DYN_BASE		(2 * TASK_SIZE_64 / 3)
-+#define ELF_ET_DYN_BASE		0x100000000UL
-
- #ifndef __ASSEMBLY__
-
-@@ -158,10 +158,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
- /* 1GB of VA */
- #ifdef CONFIG_COMPAT
- #define STACK_RND_MASK			(test_thread_flag(TIF_32BIT) ? \
--						0x7ff >> (PAGE_SHIFT - 12) : \
--						0x3ffff >> (PAGE_SHIFT - 12))
-+						((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
-+						((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
- #else
--#define STACK_RND_MASK			(0x3ffff >> (PAGE_SHIFT - 12))
-+#define STACK_RND_MASK			(((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
- #endif
-
- #ifdef __AARCH64EB__
-diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
-index 9e773732520c..91359f45b5fc 100644
---- a/arch/arm64/kernel/process.c
-+++ b/arch/arm64/kernel/process.c
-@@ -419,9 +419,9 @@ unsigned long arch_align_stack(unsigned long sp)
- unsigned long arch_randomize_brk(struct mm_struct *mm)
- {
-	if (is_compat_task())
--		return randomize_page(mm->brk, SZ_32M);
-+		return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
-	else
--		return randomize_page(mm->brk, SZ_1G);
-+		return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
- }
-
- /*
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 7483cd514c32..835a86c45fb0 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1153,8 +1153,7 @@ config VM86
-        default X86_LEGACY_VM86
-
- config X86_16BIT
--	bool "Enable support for 16-bit segments" if EXPERT
--	default y
-+	bool "Enable support for 16-bit segments"
-	depends on MODIFY_LDT_SYSCALL
-	---help---
-	  This option is required by programs like Wine to run 16-bit
-@@ -2228,7 +2227,7 @@ config COMPAT_VDSO
- choice
-	prompt "vsyscall table for legacy applications"
-	depends on X86_64
--	default LEGACY_VSYSCALL_EMULATE
-+	default LEGACY_VSYSCALL_NONE
-	help
-	  Legacy user code that does not know how to find the vDSO expects
-	  to be able to issue three syscalls by calling fixed addresses in
-@@ -2318,8 +2317,7 @@ config CMDLINE_OVERRIDE
-	  be set to 'N' under normal conditions.
-
- config MODIFY_LDT_SYSCALL
--	bool "Enable the LDT (local descriptor table)" if EXPERT
--	default y
-+	bool "Enable the LDT (local descriptor table)"
-	---help---
-	  Linux can allow user programs to install a per-process x86
-	  Local Descriptor Table (LDT) using the modify_ldt(2) system
-diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
-index 6293a8768a91..add82e0f1df3 100644
---- a/arch/x86/Kconfig.debug
-+++ b/arch/x86/Kconfig.debug
-@@ -101,6 +101,7 @@ config EFI_PGT_DUMP
- config DEBUG_WX
-	bool "Warn on W+X mappings at boot"
-	select X86_PTDUMP_CORE
-+	default y
-	---help---
-	  Generate a warning if any W+X mappings are found at boot.
-
-diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
-index e32fc1f274d8..d08acc76502a 100644
---- a/arch/x86/configs/x86_64_defconfig
-+++ b/arch/x86/configs/x86_64_defconfig
-@@ -1,5 +1,4 @@
- # CONFIG_LOCALVERSION_AUTO is not set
--CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- CONFIG_BSD_PROCESS_ACCT=y
- CONFIG_TASKSTATS=y
-diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
-index 1911310959f8..bba8dbbc07a8 100644
---- a/arch/x86/entry/vdso/vma.c
-+++ b/arch/x86/entry/vdso/vma.c
-@@ -203,55 +203,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
- }
-
- #ifdef CONFIG_X86_64
--/*
-- * Put the vdso above the (randomized) stack with another randomized
-- * offset.  This way there is no hole in the middle of address space.
-- * To save memory make sure it is still in the same PTE as the stack
-- * top.  This doesn't give that many random bits.
-- *
-- * Note that this algorithm is imperfect: the distribution of the vdso
-- * start address within a PMD is biased toward the end.
-- *
-- * Only used for the 64-bit and x32 vdsos.
-- */
--static unsigned long vdso_addr(unsigned long start, unsigned len)
--{
--	unsigned long addr, end;
--	unsigned offset;
--
--	/*
--	 * Round up the start address.  It can start out unaligned as a result
--	 * of stack start randomization.
--	 */
--	start = PAGE_ALIGN(start);
--
--	/* Round the lowest possible end address up to a PMD boundary. */
--	end = (start + len + PMD_SIZE - 1) & PMD_MASK;
--	if (end >= TASK_SIZE_MAX)
--		end = TASK_SIZE_MAX;
--	end -= len;
--
--	if (end > start) {
--		offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
--		addr = start + (offset << PAGE_SHIFT);
--	} else {
--		addr = start;
--	}
--
--	/*
--	 * Forcibly align the final address in case we have a hardware
--	 * issue that requires alignment for performance reasons.
--	 */
--	addr = align_vdso_addr(addr);
--
--	return addr;
--}
--
- static int map_vdso_randomized(const struct vdso_image *image)
- {
--	unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
--
--	return map_vdso(image, addr);
-+	return map_vdso(image, 0);
- }
- #endif
-
-diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
-index 3a091cea36c5..0931c05a3348 100644
---- a/arch/x86/include/asm/elf.h
-+++ b/arch/x86/include/asm/elf.h
-@@ -249,11 +249,11 @@ extern int force_personality32;
-
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is above 4GB to leave the entire 32-bit address
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
- #define ELF_ET_DYN_BASE		(mmap_is_ia32() ? 0x000400000UL : \
--						  (DEFAULT_MAP_WINDOW / 3 * 2))
-+						  0x100000000UL)
-
- /* This yields a mask that user programs can use to figure out what
-    instruction set this CPU supports.  This could be done in user space,
-@@ -312,8 +312,8 @@ extern unsigned long get_mmap_base(int is_legacy);
-
- #ifdef CONFIG_X86_32
-
--#define __STACK_RND_MASK(is32bit) (0x7ff)
--#define STACK_RND_MASK (0x7ff)
-+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
-+#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
-
- #define ARCH_DLINFO		ARCH_DLINFO_IA32
-
-@@ -322,7 +322,11 @@ extern unsigned long get_mmap_base(int is_legacy);
- #else /* CONFIG_X86_32 */
-
- /* 1GB for 64bit, 8MB for 32bit */
--#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
-+#ifdef CONFIG_COMPAT
-+#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
-+#else
-+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
-+#endif
- #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
-
- #define ARCH_DLINFO							\
-@@ -380,5 +384,4 @@ struct va_alignment {
- } ____cacheline_aligned;
-
- extern struct va_alignment va_align;
--extern unsigned long align_vdso_addr(unsigned long);
- #endif /* _ASM_X86_ELF_H */
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index 704f31315dde..bb82b6344a7b 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -253,6 +253,7 @@ static inline void cr4_set_bits(unsigned long mask)
-	unsigned long cr4;
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	if ((cr4 | mask) != cr4) {
-		cr4 |= mask;
-		this_cpu_write(cpu_tlbstate.cr4, cr4);
-@@ -266,6 +267,7 @@ static inline void cr4_clear_bits(unsigned long mask)
-	unsigned long cr4;
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	if ((cr4 & ~mask) != cr4) {
-		cr4 &= ~mask;
-		this_cpu_write(cpu_tlbstate.cr4, cr4);
-@@ -278,6 +280,7 @@ static inline void cr4_toggle_bits(unsigned long mask)
-	unsigned long cr4;
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	cr4 ^= mask;
-	this_cpu_write(cpu_tlbstate.cr4, cr4);
-	__write_cr4(cr4);
-@@ -386,6 +389,7 @@ static inline void __native_flush_tlb_global(void)
-	raw_local_irq_save(flags);
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	/* toggle PGE */
-	native_write_cr4(cr4 ^ X86_CR4_PGE);
-	/* write old PGE again and flush TLBs */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 48e98964ecad..a94dc690612f 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1637,7 +1637,6 @@ void cpu_init(void)
-	wrmsrl(MSR_KERNEL_GS_BASE, 0);
-	barrier();
-
--	x86_configure_nx();
-	x2apic_setup();
-
-	/*
-diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index 988a98f34c66..dc36d2d9078a 100644
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -40,6 +40,8 @@
- #include <asm/desc.h>
- #include <asm/prctl.h>
- #include <asm/spec-ctrl.h>
-+#include <asm/elf.h>
-+#include <linux/sizes.h>
-
- /*
-  * per-CPU TSS segments. Threads are completely 'soft' on Linux,
-@@ -719,7 +721,10 @@ unsigned long arch_align_stack(unsigned long sp)
-
- unsigned long arch_randomize_brk(struct mm_struct *mm)
- {
--	return randomize_page(mm->brk, 0x02000000);
-+	if (mmap_is_ia32())
-+		return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
-+	else
-+		return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
- }
-
- /*
-diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index a63fe77b3217..e1085e76043e 100644
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -54,13 +54,6 @@ static unsigned long get_align_bits(void)
-	return va_align.bits & get_align_mask();
- }
-
--unsigned long align_vdso_addr(unsigned long addr)
--{
--	unsigned long align_mask = get_align_mask();
--	addr = (addr + align_mask) & ~align_mask;
--	return addr | get_align_bits();
--}
--
- static int __init control_va_addr_alignment(char *str)
- {
-	/* guard against enabling this on other CPU families */
-@@ -122,10 +115,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
-	}
-
-	*begin	= get_mmap_base(1);
--	if (in_compat_syscall())
--		*end = task_size_32bit();
--	else
--		*end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
-+	*end	= get_mmap_base(0);
- }
-
- unsigned long
-@@ -206,7 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
-
-	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
-	info.length = len;
--	info.low_limit = PAGE_SIZE;
-+	info.low_limit = get_mmap_base(1);
-	info.high_limit = get_mmap_base(0);
-
-	/*
-diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
-index 3141e67ec24c..e93173193f60 100644
---- a/arch/x86/mm/init_32.c
-+++ b/arch/x86/mm/init_32.c
-@@ -558,7 +558,7 @@ static void __init pagetable_init(void)
-	permanent_kmaps_init(pgd_base);
- }
-
--pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);
-+pteval_t __supported_pte_mask __ro_after_init = ~(_PAGE_NX | _PAGE_GLOBAL);
- EXPORT_SYMBOL_GPL(__supported_pte_mask);
-
- /* user-defined highmem size */
-@@ -865,7 +865,7 @@ int arch_remove_memory(u64 start, u64 size)
- #endif
- #endif
-
--int kernel_set_to_readonly __read_mostly;
-+int kernel_set_to_readonly __ro_after_init;
-
- void set_kernel_text_rw(void)
- {
-@@ -917,12 +917,11 @@ void mark_rodata_ro(void)
-	unsigned long start = PFN_ALIGN(_text);
-	unsigned long size = PFN_ALIGN(_etext) - start;
-
-+	kernel_set_to_readonly = 1;
-	set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
-	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
-		size >> 10);
-
--	kernel_set_to_readonly = 1;
--
- #ifdef CONFIG_CPA_DEBUG
-	printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
-		start, start+size);
-diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 642357aff216..8bbf93ce3cd2 100644
---- a/arch/x86/mm/init_64.c
-+++ b/arch/x86/mm/init_64.c
-@@ -65,7 +65,7 @@
-  * around without checking the pgd every time.
-  */
-
--pteval_t __supported_pte_mask __read_mostly = ~0;
-+pteval_t __supported_pte_mask __ro_after_init = ~0;
- EXPORT_SYMBOL_GPL(__supported_pte_mask);
-
- int force_personality32;
-@@ -1185,7 +1185,7 @@ void __init mem_init(void)
-	mem_init_print_info(NULL);
- }
-
--int kernel_set_to_readonly;
-+int kernel_set_to_readonly __ro_after_init;
-
- void set_kernel_text_rw(void)
- {
-@@ -1234,9 +1234,8 @@ void mark_rodata_ro(void)
-
-	printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
-	       (end - start) >> 10);
--	set_memory_ro(start, (end - start) >> PAGE_SHIFT);
--
-	kernel_set_to_readonly = 1;
-+	set_memory_ro(start, (end - start) >> PAGE_SHIFT);
-
-	/*
-	 * The rodata/data/bss/brk section (but not the kernel text!)
-diff --git a/block/blk-softirq.c b/block/blk-softirq.c
-index 01e2b353a2b9..9aeddca4a29f 100644
---- a/block/blk-softirq.c
-+++ b/block/blk-softirq.c
-@@ -20,7 +20,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
-  * Softirq action handler - move entries to local list and loop over them
-  * while passing them to the queue registered handler.
-  */
--static __latent_entropy void blk_done_softirq(struct softirq_action *h)
-+static __latent_entropy void blk_done_softirq(void)
- {
-	struct list_head *cpu_list, local_list;
-
-diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 473f150d6b22..65a65f9824ed 100644
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -5141,7 +5141,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
-	struct ata_port *ap;
-	unsigned int tag;
-
--	WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-+	BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-	ap = qc->ap;
-
-	qc->flags = 0;
-@@ -5158,7 +5158,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
-	struct ata_port *ap;
-	struct ata_link *link;
-
--	WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-+	BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-	WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
-	ap = qc->ap;
-	link = qc->dev->link;
-diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
-index c28dca0c613d..d4813f0d25ca 100644
---- a/drivers/char/Kconfig
-+++ b/drivers/char/Kconfig
-@@ -9,7 +9,6 @@ source "drivers/tty/Kconfig"
-
- config DEVMEM
-	bool "/dev/mem virtual device support"
--	default y
-	help
-	  Say Y here if you want to support the /dev/mem device.
-	  The /dev/mem device is used to access areas of physical
-@@ -568,7 +567,6 @@ config TELCLOCK
- config DEVPORT
-	bool "/dev/port character device"
-	depends on ISA || PCI
--	default y
-	help
-	  Say Y here if you want to support the /dev/port device. The /dev/port
-	  device is similar to /dev/mem, but for I/O ports.
-diff --git a/drivers/media/dvb-frontends/cx24116.c b/drivers/media/dvb-frontends/cx24116.c
-index e105532bfba8..e07d52bb9b62 100644
---- a/drivers/media/dvb-frontends/cx24116.c
-+++ b/drivers/media/dvb-frontends/cx24116.c
-@@ -1462,7 +1462,7 @@ static int cx24116_tune(struct dvb_frontend *fe, bool re_tune,
-	return cx24116_read_status(fe, status);
- }
-
--static int cx24116_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24116_get_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/dvb-frontends/cx24117.c b/drivers/media/dvb-frontends/cx24117.c
-index d37cb7762bd6..97e0feff0ede 100644
---- a/drivers/media/dvb-frontends/cx24117.c
-+++ b/drivers/media/dvb-frontends/cx24117.c
-@@ -1555,7 +1555,7 @@ static int cx24117_tune(struct dvb_frontend *fe, bool re_tune,
-	return cx24117_read_status(fe, status);
- }
-
--static int cx24117_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24117_get_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c
-index 7f11dcc94d85..01da670760ba 100644
---- a/drivers/media/dvb-frontends/cx24120.c
-+++ b/drivers/media/dvb-frontends/cx24120.c
-@@ -1491,7 +1491,7 @@ static int cx24120_tune(struct dvb_frontend *fe, bool re_tune,
-	return cx24120_read_status(fe, status);
- }
-
--static int cx24120_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24120_get_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/dvb-frontends/cx24123.c b/drivers/media/dvb-frontends/cx24123.c
-index 1d59d1d3bd82..41cd0e9ea199 100644
---- a/drivers/media/dvb-frontends/cx24123.c
-+++ b/drivers/media/dvb-frontends/cx24123.c
-@@ -1005,7 +1005,7 @@ static int cx24123_tune(struct dvb_frontend *fe,
-	return retval;
- }
-
--static int cx24123_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24123_get_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/dvb-frontends/cxd2820r_core.c b/drivers/media/dvb-frontends/cxd2820r_core.c
-index f6ebbb47b9b2..3e0d8cbd76da 100644
---- a/drivers/media/dvb-frontends/cxd2820r_core.c
-+++ b/drivers/media/dvb-frontends/cxd2820r_core.c
-@@ -403,7 +403,7 @@ static enum dvbfe_search cxd2820r_search(struct dvb_frontend *fe)
-	return DVBFE_ALGO_SEARCH_ERROR;
- }
-
--static int cxd2820r_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cxd2820r_get_frontend_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_CUSTOM;
- }
-diff --git a/drivers/media/dvb-frontends/mb86a20s.c b/drivers/media/dvb-frontends/mb86a20s.c
-index e8ac8c3e2ec0..e0f4ba8302d1 100644
---- a/drivers/media/dvb-frontends/mb86a20s.c
-+++ b/drivers/media/dvb-frontends/mb86a20s.c
-@@ -2055,7 +2055,7 @@ static void mb86a20s_release(struct dvb_frontend *fe)
-	kfree(state);
- }
-
--static int mb86a20s_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo mb86a20s_get_frontend_algo(struct dvb_frontend *fe)
- {
-         return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/dvb-frontends/s921.c b/drivers/media/dvb-frontends/s921.c
-index 274544a3ae0e..9ef9b9bc1bd2 100644
---- a/drivers/media/dvb-frontends/s921.c
-+++ b/drivers/media/dvb-frontends/s921.c
-@@ -464,7 +464,7 @@ static int s921_tune(struct dvb_frontend *fe,
-	return rc;
- }
-
--static int s921_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo s921_get_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/pci/bt8xx/dst.c b/drivers/media/pci/bt8xx/dst.c
-index 7166d2279465..fa682f9fdc4b 100644
---- a/drivers/media/pci/bt8xx/dst.c
-+++ b/drivers/media/pci/bt8xx/dst.c
-@@ -1657,7 +1657,7 @@ static int dst_tune_frontend(struct dvb_frontend* fe,
-	return 0;
- }
-
--static int dst_get_tuning_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo dst_get_tuning_algo(struct dvb_frontend *fe)
- {
-	return dst_algo ? DVBFE_ALGO_HW : DVBFE_ALGO_SW;
- }
-diff --git a/drivers/media/pci/pt1/va1j5jf8007s.c b/drivers/media/pci/pt1/va1j5jf8007s.c
-index f75f69556be7..d913a6050e8c 100644
---- a/drivers/media/pci/pt1/va1j5jf8007s.c
-+++ b/drivers/media/pci/pt1/va1j5jf8007s.c
-@@ -98,7 +98,7 @@ static int va1j5jf8007s_read_snr(struct dvb_frontend *fe, u16 *snr)
-	return 0;
- }
-
--static int va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/media/pci/pt1/va1j5jf8007t.c b/drivers/media/pci/pt1/va1j5jf8007t.c
-index 63fda79a75c0..4115c3ccd4a8 100644
---- a/drivers/media/pci/pt1/va1j5jf8007t.c
-+++ b/drivers/media/pci/pt1/va1j5jf8007t.c
-@@ -88,7 +88,7 @@ static int va1j5jf8007t_read_snr(struct dvb_frontend *fe, u16 *snr)
-	return 0;
- }
-
--static int va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe)
- {
-	return DVBFE_ALGO_HW;
- }
-diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
-index 981b3ef71e47..9883da1da383 100644
---- a/drivers/misc/lkdtm_core.c
-+++ b/drivers/misc/lkdtm_core.c
-@@ -78,7 +78,7 @@ static irqreturn_t jp_handle_irq_event(unsigned int irq,
-	return 0;
- }
-
--static void jp_tasklet_action(struct softirq_action *a)
-+static void jp_tasklet_action(void)
- {
-	lkdtm_handler();
-	jprobe_return();
-diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
-index b811442c5ce6..4f62a63cbcb1 100644
---- a/drivers/tty/Kconfig
-+++ b/drivers/tty/Kconfig
-@@ -122,7 +122,6 @@ config UNIX98_PTYS
-
- config LEGACY_PTYS
-	bool "Legacy (BSD) PTY support"
--	default y
-	---help---
-	  A pseudo terminal (PTY) is a software device consisting of two
-	  halves: a master and a slave. The slave device behaves identical to
-diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 562d31073f9a..2184b9b5485f 100644
---- a/drivers/tty/tty_io.c
-+++ b/drivers/tty/tty_io.c
-@@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty)
-	put_device(tty->dev);
-	kfree(tty->write_buf);
-	tty->magic = 0xDEADDEAD;
-+	put_user_ns(tty->owner_user_ns);
-	kfree(tty);
- }
-
-@@ -2154,11 +2155,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
-  *	FIXME: may race normal receive processing
-  */
-
-+int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
-+
- static int tiocsti(struct tty_struct *tty, char __user *p)
- {
-	char ch, mbz = 0;
-	struct tty_ldisc *ld;
-
-+	if (tiocsti_restrict &&
-+		!ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
-+		dev_warn_ratelimited(tty->dev,
-+			"Denied TIOCSTI ioctl for non-privileged process\n");
-+		return -EPERM;
-+	}
-	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	if (get_user(ch, p))
-@@ -2841,6 +2850,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
-	tty->index = idx;
-	tty_line_name(driver, idx, tty->name);
-	tty->dev = tty_get_device(tty);
-+	tty->owner_user_ns = get_user_ns(current_user_ns());
-
-	return tty;
- }
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 442be7f312f6..788557d5c454 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -38,6 +38,8 @@
- #define USB_VENDOR_GENESYS_LOGIC		0x05e3
- #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND	0x01
-
-+extern int deny_new_usb;
-+
- /* Protect struct usb_device->state and ->children members
-  * Note: Both are also protected by ->dev.sem, except that ->state can
-  * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
-@@ -4806,6 +4808,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
-			goto done;
-		return;
-	}
-+
-+	if (deny_new_usb) {
-+		dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
-+		goto done;
-+	}
-+
-	if (hub_is_superspeed(hub->hdev))
-		unit_load = 150;
-	else
-diff --git a/fs/exec.c b/fs/exec.c
-index 0da4d748b4e6..69fcee853363 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -62,6 +62,7 @@
- #include <linux/oom.h>
- #include <linux/compat.h>
- #include <linux/vmalloc.h>
-+#include <linux/random.h>
-
- #include <linux/uaccess.h>
- #include <asm/mmu_context.h>
-@@ -321,6 +322,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
-	arch_bprm_mm_init(mm, vma);
-	up_write(&mm->mmap_sem);
-	bprm->p = vma->vm_end - sizeof(void *);
-+	if (randomize_va_space)
-+		bprm->p ^= get_random_int() & ~PAGE_MASK;
-	return 0;
- err:
-	up_write(&mm->mmap_sem);
-diff --git a/fs/namei.c b/fs/namei.c
-index 0b46b858cd42..3ae8e72341da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -902,8 +902,8 @@ static inline void put_link(struct nameidata *nd)
-		path_put(&last->link);
- }
-
--int sysctl_protected_symlinks __read_mostly = 0;
--int sysctl_protected_hardlinks __read_mostly = 0;
-+int sysctl_protected_symlinks __read_mostly = 1;
-+int sysctl_protected_hardlinks __read_mostly = 1;
-
- /**
-  * may_follow_link - Check symlink following for unsafe situations
-diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
-index 5f93cfacb3d1..cea0d7d3b23e 100644
---- a/fs/nfs/Kconfig
-+++ b/fs/nfs/Kconfig
-@@ -195,4 +195,3 @@ config NFS_DEBUG
-	bool
-	depends on NFS_FS && SUNRPC_DEBUG
-	select CRC32
--	default y
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 8ef7d7bef775..b82f305ec13d 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -38,7 +38,7 @@ unsigned int pipe_max_size = 1048576;
- /*
-  * Minimum pipe size, as required by POSIX
-  */
--unsigned int pipe_min_size = PAGE_SIZE;
-+unsigned int pipe_min_size __read_only = PAGE_SIZE;
-
- /* Maximum allocatable pages per user. Hard limit is unset by default, soft
-  * matches default values.
-diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
-index 1ade1206bb89..60b0f76dec47 100644
---- a/fs/proc/Kconfig
-+++ b/fs/proc/Kconfig
-@@ -39,7 +39,6 @@ config PROC_KCORE
- config PROC_VMCORE
-	bool "/proc/vmcore support"
-	depends on PROC_FS && CRASH_DUMP
--	default y
-         help
-         Exports the dump image of crashed kernel in ELF format.
-
-diff --git a/fs/stat.c b/fs/stat.c
-index 873785dae022..d3c2ada8b9c7 100644
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -40,8 +40,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
-	stat->gid = inode->i_gid;
-	stat->rdev = inode->i_rdev;
-	stat->size = i_size_read(inode);
--	stat->atime = inode->i_atime;
--	stat->mtime = inode->i_mtime;
-+	if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
-+		stat->atime = inode->i_ctime;
-+		stat->mtime = inode->i_ctime;
-+	} else {
-+		stat->atime = inode->i_atime;
-+		stat->mtime = inode->i_mtime;
-+	}
-	stat->ctime = inode->i_ctime;
-	stat->blksize = i_blocksize(inode);
-	stat->blocks = inode->i_blocks;
-@@ -75,9 +80,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
-	stat->result_mask |= STATX_BASIC_STATS;
-	request_mask &= STATX_ALL;
-	query_flags &= KSTAT_QUERY_FLAGS;
--	if (inode->i_op->getattr)
--		return inode->i_op->getattr(path, stat, request_mask,
--					    query_flags);
-+	if (inode->i_op->getattr) {
-+		int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
-+		if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
-+			stat->atime = stat->ctime;
-+			stat->mtime = stat->ctime;
-+		}
-+		return retval;
-+	}
-
-	generic_fillattr(inode, stat);
-	return 0;
-diff --git a/include/linux/cache.h b/include/linux/cache.h
-index 750621e41d1c..e7157c18c62c 100644
---- a/include/linux/cache.h
-+++ b/include/linux/cache.h
-@@ -31,6 +31,8 @@
- #define __ro_after_init __attribute__((__section__(".data..ro_after_init")))
- #endif
-
-+#define __read_only __ro_after_init
-+
- #ifndef ____cacheline_aligned
- #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
- #endif
-diff --git a/include/linux/capability.h b/include/linux/capability.h
-index f640dcbc880c..2b4f5d651f19 100644
---- a/include/linux/capability.h
-+++ b/include/linux/capability.h
-@@ -207,6 +207,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
- extern bool has_ns_capability_noaudit(struct task_struct *t,
-				      struct user_namespace *ns, int cap);
- extern bool capable(int cap);
-+extern bool capable_noaudit(int cap);
- extern bool ns_capable(struct user_namespace *ns, int cap);
- extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
- #else
-@@ -232,6 +233,10 @@ static inline bool capable(int cap)
- {
-	return true;
- }
-+static inline bool capable_noaudit(int cap)
-+{
-+	return true;
-+}
- static inline bool ns_capable(struct user_namespace *ns, int cap)
- {
-	return true;
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index cc613f20e5a6..7606596d6c2e 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -3392,4 +3392,15 @@ static inline bool dir_relax_shared(struct inode *inode)
- extern bool path_noexec(const struct path *path);
- extern void inode_nohighmem(struct inode *inode);
-
-+extern int device_sidechannel_restrict;
-+
-+static inline bool is_sidechannel_device(const struct inode *inode)
-+{
-+	umode_t mode;
-+	if (!device_sidechannel_restrict)
-+		return false;
-+	mode = inode->i_mode;
-+	return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
-+}
-+
- #endif /* _LINUX_FS_H */
-diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
-index bdaf22582f6e..326ff15d4637 100644
---- a/include/linux/fsnotify.h
-+++ b/include/linux/fsnotify.h
-@@ -181,6 +181,9 @@ static inline void fsnotify_access(struct file *file)
-	struct inode *inode = path->dentry->d_inode;
-	__u32 mask = FS_ACCESS;
-
-+	if (is_sidechannel_device(inode))
-+		return;
-+
-	if (S_ISDIR(inode->i_mode))
-		mask |= FS_ISDIR;
-
-@@ -199,6 +202,9 @@ static inline void fsnotify_modify(struct file *file)
-	struct inode *inode = path->dentry->d_inode;
-	__u32 mask = FS_MODIFY;
-
-+	if (is_sidechannel_device(inode))
-+		return;
-+
-	if (S_ISDIR(inode->i_mode))
-		mask |= FS_ISDIR;
-
-diff --git a/include/linux/gfp.h b/include/linux/gfp.h
-index b041f94678de..a5e0175c79e0 100644
---- a/include/linux/gfp.h
-+++ b/include/linux/gfp.h
-@@ -518,9 +518,9 @@ extern struct page *alloc_pages_vma(gfp_t gfp_mask, int order,
- extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
- extern unsigned long get_zeroed_page(gfp_t gfp_mask);
-
--void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
-+void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
- void free_pages_exact(void *virt, size_t size);
--void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
-+void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
-
- #define __get_free_page(gfp_mask) \
-		__get_free_pages((gfp_mask), 0)
-diff --git a/include/linux/highmem.h b/include/linux/highmem.h
-index 776f90f3a1cd..3f5c47000059 100644
---- a/include/linux/highmem.h
-+++ b/include/linux/highmem.h
-@@ -191,6 +191,13 @@ static inline void clear_highpage(struct page *page)
-	kunmap_atomic(kaddr);
- }
-
-+static inline void verify_zero_highpage(struct page *page)
-+{
-+	void *kaddr = kmap_atomic(page);
-+	BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
-+	kunmap_atomic(kaddr);
-+}
-+
- static inline void zero_user_segments(struct page *page,
-	unsigned start1, unsigned end1,
-	unsigned start2, unsigned end2)
-diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
-index 69c238210325..ee487ea4f48f 100644
---- a/include/linux/interrupt.h
-+++ b/include/linux/interrupt.h
-@@ -485,7 +485,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
-
- struct softirq_action
- {
--	void	(*action)(struct softirq_action *);
-+	void	(*action)(void);
- };
-
- asmlinkage void do_softirq(void);
-@@ -500,7 +500,7 @@ static inline void do_softirq_own_stack(void)
- }
- #endif
-
--extern void open_softirq(int nr, void (*action)(struct softirq_action *));
-+extern void __init open_softirq(int nr, void (*action)(void));
- extern void softirq_init(void);
- extern void __raise_softirq_irqoff(unsigned int nr);
-
-diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
-index df32d2508290..c992d130b94d 100644
---- a/include/linux/kobject_ns.h
-+++ b/include/linux/kobject_ns.h
-@@ -46,7 +46,7 @@ struct kobj_ns_type_operations {
-	void (*drop_ns)(void *);
- };
-
--int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
-+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
- int kobj_ns_type_registered(enum kobj_ns_type type);
- const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
- const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index f23215854c80..98df98c44cc0 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -525,7 +525,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
- }
- #endif
-
--extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
-+extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
- static inline void *kvmalloc(size_t size, gfp_t flags)
- {
-	return kvmalloc_node(size, flags, NUMA_NO_NODE);
-diff --git a/include/linux/percpu.h b/include/linux/percpu.h
-index 296bbe49d5d1..b26652c9a98d 100644
---- a/include/linux/percpu.h
-+++ b/include/linux/percpu.h
-@@ -129,7 +129,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
-				pcpu_fc_populate_pte_fn_t populate_pte_fn);
- #endif
-
--extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
-+extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
- extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
- extern bool is_kernel_percpu_address(unsigned long addr);
-
-@@ -137,8 +137,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
- extern void __init setup_per_cpu_areas(void);
- #endif
-
--extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
--extern void __percpu *__alloc_percpu(size_t size, size_t align);
-+extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
-+extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
- extern void free_percpu(void __percpu *__pdata);
- extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
-
-diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 8e22f24ded6a..b7fecdfa6de5 100644
---- a/include/linux/perf_event.h
-+++ b/include/linux/perf_event.h
-@@ -1165,6 +1165,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
- int perf_event_max_stack_handler(struct ctl_table *table, int write,
-				 void __user *buffer, size_t *lenp, loff_t *ppos);
-
-+static inline bool perf_paranoid_any(void)
-+{
-+	return sysctl_perf_event_paranoid > 2;
-+}
-+
- static inline bool perf_paranoid_tracepoint_raw(void)
- {
-	return sysctl_perf_event_paranoid > -1;
-diff --git a/include/linux/slab.h b/include/linux/slab.h
-index ae5ed6492d54..fd0786124504 100644
---- a/include/linux/slab.h
-+++ b/include/linux/slab.h
-@@ -146,8 +146,8 @@ void memcg_destroy_kmem_caches(struct mem_cgroup *);
- /*
-  * Common kmalloc functions provided by all allocators
-  */
--void * __must_check __krealloc(const void *, size_t, gfp_t);
--void * __must_check krealloc(const void *, size_t, gfp_t);
-+void * __must_check __krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));
-+void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
- void kfree(const void *);
- void kzfree(const void *);
- size_t ksize(const void *);
-@@ -324,7 +324,7 @@ static __always_inline int kmalloc_index(size_t size)
- }
- #endif /* !CONFIG_SLOB */
-
--void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
-+void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
- void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
- void kmem_cache_free(struct kmem_cache *, void *);
-
-@@ -348,7 +348,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
- }
-
- #ifdef CONFIG_NUMA
--void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
-+void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
- void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
- #else
- static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
-@@ -473,7 +473,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
-  * for general use, and so are not documented here. For a full list of
-  * potential flags, always refer to linux/gfp.h.
-  */
--static __always_inline void *kmalloc(size_t size, gfp_t flags)
-+static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
- {
-	if (__builtin_constant_p(size)) {
-		if (size > KMALLOC_MAX_CACHE_SIZE)
-@@ -513,7 +513,7 @@ static __always_inline int kmalloc_size(int n)
-	return 0;
- }
-
--static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
-+static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
- {
- #ifndef CONFIG_SLOB
-	if (__builtin_constant_p(size) &&
-diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
-index 39fa09bcde23..0b7a48cd883b 100644
---- a/include/linux/slub_def.h
-+++ b/include/linux/slub_def.h
-@@ -120,6 +120,11 @@ struct kmem_cache {
-	unsigned long random;
- #endif
-
-+#ifdef CONFIG_SLAB_CANARY
-+	unsigned long random_active;
-+	unsigned long random_inactive;
-+#endif
-+
- #ifdef CONFIG_NUMA
-	/*
-	 * Defragmentation by allocating from a remote node.
-diff --git a/include/linux/string.h b/include/linux/string.h
-index cfd83eb2f926..b9ecb42c762d 100644
---- a/include/linux/string.h
-+++ b/include/linux/string.h
-@@ -234,10 +234,16 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
- void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
- void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
-
-+#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
-+#define __string_size(p) __builtin_object_size(p, 1)
-+#else
-+#define __string_size(p) __builtin_object_size(p, 0)
-+#endif
-+
- #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
- __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	if (__builtin_constant_p(size) && p_size < size)
-		__write_overflow();
-	if (p_size < size)
-@@ -247,7 +253,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
-
- __FORTIFY_INLINE char *strcat(char *p, const char *q)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	if (p_size == (size_t)-1)
-		return __builtin_strcat(p, q);
-	if (strlcat(p, q, p_size) >= p_size)
-@@ -258,7 +264,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
- __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
- {
-	__kernel_size_t ret;
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-
-	/* Work around gcc excess stack consumption issue */
-	if (p_size == (size_t)-1 ||
-@@ -273,7 +279,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
- extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
- __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	__kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
-	if (p_size <= ret && maxlen != ret)
-		fortify_panic(__func__);
-@@ -285,8 +291,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
- __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
- {
-	size_t ret;
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __real_strlcpy(p, q, size);
-	ret = strlen(q);
-@@ -306,8 +312,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
- __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
- {
-	size_t p_len, copy_len;
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __builtin_strncat(p, q, count);
-	p_len = strlen(p);
-@@ -420,8 +426,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
- /* defined after fortified strlen and memcpy to reuse them */
- __FORTIFY_INLINE char *strcpy(char *p, const char *q)
- {
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __builtin_strcpy(p, q);
-	memcpy(p, q, strlen(q) + 1);
-diff --git a/include/linux/tty.h b/include/linux/tty.h
-index 1dd587ba6d88..9a9a04fb641d 100644
---- a/include/linux/tty.h
-+++ b/include/linux/tty.h
-@@ -13,6 +13,7 @@
- #include <uapi/linux/tty.h>
- #include <linux/rwsem.h>
- #include <linux/llist.h>
-+#include <linux/user_namespace.h>
-
-
- /*
-@@ -335,6 +336,7 @@ struct tty_struct {
-	/* If the tty has a pending do_SAK, queue it here - akpm */
-	struct work_struct SAK_work;
-	struct tty_port *port;
-+	struct user_namespace *owner_user_ns;
- } __randomize_layout;
-
- /* Each of a tty's open files has private_data pointing to tty_file_private */
-@@ -344,6 +346,8 @@ struct tty_file_private {
-	struct list_head list;
- };
-
-+extern int tiocsti_restrict;
-+
- /* tty magic number */
- #define TTY_MAGIC		0x5401
-
-diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
-index 1e5d8c392f15..66d0e49c9987 100644
---- a/include/linux/vmalloc.h
-+++ b/include/linux/vmalloc.h
-@@ -68,19 +68,19 @@ static inline void vmalloc_init(void)
- }
- #endif
-
--extern void *vmalloc(unsigned long size);
--extern void *vzalloc(unsigned long size);
--extern void *vmalloc_user(unsigned long size);
--extern void *vmalloc_node(unsigned long size, int node);
--extern void *vzalloc_node(unsigned long size, int node);
--extern void *vmalloc_exec(unsigned long size);
--extern void *vmalloc_32(unsigned long size);
--extern void *vmalloc_32_user(unsigned long size);
--extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
-+extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
-+extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
-+extern void *vmalloc_exec(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot) __attribute__((alloc_size(1)));
- extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
-			unsigned long start, unsigned long end, gfp_t gfp_mask,
-			pgprot_t prot, unsigned long vm_flags, int node,
--			const void *caller);
-+			const void *caller) __attribute__((alloc_size(1)));
- #ifndef CONFIG_MMU
- extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags);
- static inline void *__vmalloc_node_flags_caller(unsigned long size, int node,
-diff --git a/init/Kconfig b/init/Kconfig
-index 46075327c165..0c78750bc76d 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -309,6 +309,7 @@ config USELIB
- config AUDIT
-	bool "Auditing support"
-	depends on NET
-+	default y
-	help
-	  Enable auditing infrastructure that can be used with another
-	  kernel subsystem, such as SELinux (which requires this for
-@@ -1052,6 +1053,12 @@ config CC_OPTIMIZE_FOR_SIZE
-
- endchoice
-
-+config LOCAL_INIT
-+	bool "Zero uninitialized locals"
-+	help
-+	  Zero-fill uninitialized local variables, other than variable-length
-+	  arrays. Requires compiler support.
-+
- config SYSCTL
-	bool
-
-@@ -1361,8 +1368,7 @@ config SHMEM
-	  which may be appropriate on small systems without swap.
-
- config AIO
--	bool "Enable AIO support" if EXPERT
--	default y
-+	bool "Enable AIO support"
-	help
-	  This option enables POSIX asynchronous I/O which may by used
-	  by some high performance threaded applications. Disabling
-@@ -1491,7 +1497,7 @@ config VM_EVENT_COUNTERS
-
- config SLUB_DEBUG
-	default y
--	bool "Enable SLUB debugging support" if EXPERT
-+	bool "Enable SLUB debugging support"
-	depends on SLUB && SYSFS
-	help
-	  SLUB has extensive debug support features. Disabling these can
-@@ -1515,7 +1521,6 @@ config SLUB_MEMCG_SYSFS_ON
-
- config COMPAT_BRK
-	bool "Disable heap randomization"
--	default y
-	help
-	  Randomizing heap placement makes heap exploits harder, but it
-	  also breaks ancient binaries (including anything libc5 based).
-@@ -1562,7 +1567,6 @@ endchoice
-
- config SLAB_MERGE_DEFAULT
-	bool "Allow slab caches to be merged"
--	default y
-	help
-	  For reduced kernel memory fragmentation, slab caches can be
-	  merged when they share the same size and other characteristics.
-@@ -1575,9 +1579,9 @@ config SLAB_MERGE_DEFAULT
-	  command line.
-
- config SLAB_FREELIST_RANDOM
--	default n
-	depends on SLAB || SLUB
-	bool "SLAB freelist randomization"
-+	default y
-	help
-	  Randomizes the freelist order used on creating new pages. This
-	  security feature reduces the predictability of the kernel slab
-@@ -1586,12 +1590,56 @@ config SLAB_FREELIST_RANDOM
- config SLAB_FREELIST_HARDENED
-	bool "Harden slab freelist metadata"
-	depends on SLUB
-+	default y
-	help
-	  Many kernel heap attacks try to target slab cache metadata and
-	  other infrastructure. This options makes minor performance
-	  sacrifies to harden the kernel slab allocator against common
-	  freelist exploit methods.
-
-+config SLAB_HARDENED
-+	default y
-+	depends on SLUB
-+	bool "Hardened SLAB infrastructure"
-+	help
-+          Make minor performance sacrifices to harden the kernel slab
-+          allocator.
-+
-+config SLAB_CANARY
-+	depends on SLUB
-+	depends on !SLAB_MERGE_DEFAULT
-+	bool "SLAB canaries"
-+	default y
-+	help
-+	  Place canaries at the end of kernel slab allocations, sacrificing
-+	  some performance and memory usage for security.
-+
-+	  Canaries can detect some forms of heap corruption when allocations
-+	  are freed and as part of the HARDENED_USERCOPY feature. It provides
-+	  basic use-after-free detection for HARDENED_USERCOPY.
-+
-+	  Canaries absorb small overflows (rendering them harmless), mitigate
-+	  non-NUL terminated C string overflows on 64-bit via a guaranteed zero
-+	  byte and provide basic double-free detection.
-+
-+config SLAB_SANITIZE
-+	bool "Sanitize SLAB allocations"
-+	depends on SLUB
-+	default y
-+	help
-+	  Zero fill slab allocations on free, reducing the lifetime of
-+	  sensitive data and helping to mitigate use-after-free bugs.
-+
-+	  For slabs with debug poisoning enabling, this has no impact.
-+
-+config SLAB_SANITIZE_VERIFY
-+	depends on SLAB_SANITIZE && PAGE_SANITIZE
-+	default y
-+	bool "Verify sanitized SLAB allocations"
-+	help
-+	  Verify that newly allocated slab allocations are zeroed to detect
-+	  write-after-free bugs.
-+
- config SLUB_CPU_PARTIAL
-	default y
-	depends on SLUB && SMP
-diff --git a/kernel/audit.c b/kernel/audit.c
-index 5b34d3114af4..e57930192ce1 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -1573,6 +1573,9 @@ static int __init audit_enable(char *str)
-	audit_default = !!simple_strtol(str, NULL, 0);
-	if (!audit_default)
-		audit_initialized = AUDIT_DISABLED;
-+        else
-+		audit_initialized = AUDIT_UNINITIALIZED;
-+
-	audit_enabled = audit_default;
-	audit_ever_enabled = !!audit_enabled;
-
-diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
-index d203a5d6b726..2a6c3e2c57a6 100644
---- a/kernel/bpf/core.c
-+++ b/kernel/bpf/core.c
-@@ -539,7 +539,7 @@ void __weak bpf_jit_free(struct bpf_prog *fp)
-	bpf_prog_unlock_free(fp);
- }
-
--int bpf_jit_harden __read_mostly;
-+int bpf_jit_harden __read_mostly = 2;
-
- static int bpf_jit_blind_insn(const struct bpf_insn *from,
-			      const struct bpf_insn *aux,
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 4e933219fec6..0f37db32a2b1 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
- static DEFINE_IDR(map_idr);
- static DEFINE_SPINLOCK(map_idr_lock);
-
--int sysctl_unprivileged_bpf_disabled __read_mostly;
-+int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
-
- static const struct bpf_map_ops * const bpf_map_types[] = {
- #define BPF_PROG_TYPE(_id, _ops)
-diff --git a/kernel/capability.c b/kernel/capability.c
-index 1e1c0236f55b..452062fe45ce 100644
---- a/kernel/capability.c
-+++ b/kernel/capability.c
-@@ -431,6 +431,12 @@ bool capable(int cap)
-	return ns_capable(&init_user_ns, cap);
- }
- EXPORT_SYMBOL(capable);
-+
-+bool capable_noaudit(int cap)
-+{
-+	return ns_capable_noaudit(&init_user_ns, cap);
-+}
-+EXPORT_SYMBOL(capable_noaudit);
- #endif /* CONFIG_MULTIUSER */
-
- /**
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index cb8274d7824f..c1b3d232b0a4 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -397,8 +397,13 @@ static cpumask_var_t perf_online_mask;
-  *   0 - disallow raw tracepoint access for unpriv
-  *   1 - disallow cpu events for unpriv
-  *   2 - disallow kernel profiling for unpriv
-+ *   3 - disallow all unpriv perf event use
-  */
-+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
-
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9941,6 +9946,9 @@ SYSCALL_DEFINE5(perf_event_open,
-	if (flags & ~PERF_FLAG_ALL)
-		return -EINVAL;
-
-+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
-+		return -EACCES;
-+
-	err = perf_copy_attr(attr_uptr, &attr);
-	if (err)
-		return err;
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 98c91bd341b4..dbb9540ee61c 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -102,6 +102,11 @@
-
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#else
-+#define unprivileged_userns_clone 0
-+#endif
-
- /*
-  * Minimum number of threads to boot the kernel
-@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
-	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
-		return ERR_PTR(-EINVAL);
-
-+	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+		if (!capable(CAP_SYS_ADMIN))
-+			return ERR_PTR(-EPERM);
-+
-	/*
-	 * Thread groups must share signals as well, and detached threads
-	 * can only be started up within the thread group.
-@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
-	if (unshare_flags & CLONE_NEWNS)
-		unshare_flags |= CLONE_FS;
-
-+	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+		err = -EPERM;
-+		if (!capable(CAP_SYS_ADMIN))
-+			goto bad_unshare_out;
-+	}
-+
-	err = check_unshare_flags(unshare_flags);
-	if (err)
-		goto bad_unshare_out;
-diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
-index 0972a8e09d08..00dde7aad47a 100644
---- a/kernel/power/snapshot.c
-+++ b/kernel/power/snapshot.c
-@@ -1136,7 +1136,7 @@ void free_basic_memory_bitmaps(void)
-
- void clear_free_pages(void)
- {
--#ifdef CONFIG_PAGE_POISONING_ZERO
-+#if defined(CONFIG_PAGE_POISONING_ZERO) || defined(CONFIG_PAGE_SANITIZE)
-	struct memory_bitmap *bm = free_pages_map;
-	unsigned long pfn;
-
-@@ -1153,7 +1153,7 @@ void clear_free_pages(void)
-	}
-	memory_bm_position_reset(bm);
-	pr_info("PM: free pages cleared after restore\n");
--#endif /* PAGE_POISONING_ZERO */
-+#endif /* PAGE_POISONING_ZERO || PAGE_SANITIZE */
- }
-
- /**
-diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
-index a64eee0db39e..4d7de378fe4c 100644
---- a/kernel/rcu/tiny.c
-+++ b/kernel/rcu/tiny.c
-@@ -164,7 +164,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
-	}
- }
-
--static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
-+static __latent_entropy void rcu_process_callbacks(void)
- {
-	__rcu_process_callbacks(&rcu_sched_ctrlblk);
-	__rcu_process_callbacks(&rcu_bh_ctrlblk);
-diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index 3e3650e94ae6..7ecd7a5d04b3 100644
---- a/kernel/rcu/tree.c
-+++ b/kernel/rcu/tree.c
-@@ -2918,7 +2918,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
- /*
-  * Do RCU core processing for the current CPU.
-  */
--static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
-+static __latent_entropy void rcu_process_callbacks(void)
- {
-	struct rcu_state *rsp;
-
-diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 5c09ddf8c832..f5db6ece105a 100644
---- a/kernel/sched/fair.c
-+++ b/kernel/sched/fair.c
-@@ -8986,7 +8986,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { }
-  * run_rebalance_domains is triggered when needed from the scheduler tick.
-  * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
-  */
--static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
-+static __latent_entropy void run_rebalance_domains(void)
- {
-	struct rq *this_rq = this_rq();
-	enum cpu_idle_type idle = this_rq->idle_balance ?
-diff --git a/kernel/softirq.c b/kernel/softirq.c
-index e89c3b0cff6d..0d3ebd520931 100644
---- a/kernel/softirq.c
-+++ b/kernel/softirq.c
-@@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
- EXPORT_SYMBOL(irq_stat);
- #endif
-
--static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
-+static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
-
- DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
-
-@@ -281,7 +281,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
-		kstat_incr_softirqs_this_cpu(vec_nr);
-
-		trace_softirq_entry(vec_nr);
--		h->action(h);
-+		h->action();
-		trace_softirq_exit(vec_nr);
-		if (unlikely(prev_count != preempt_count())) {
-			pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
-@@ -444,7 +444,7 @@ void __raise_softirq_irqoff(unsigned int nr)
-	or_softirq_pending(1UL << nr);
- }
-
--void open_softirq(int nr, void (*action)(struct softirq_action *))
-+void __init open_softirq(int nr, void (*action)(void))
- {
-	softirq_vec[nr].action = action;
- }
-@@ -486,7 +486,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
- }
- EXPORT_SYMBOL(__tasklet_hi_schedule);
-
--static __latent_entropy void tasklet_action(struct softirq_action *a)
-+static __latent_entropy void tasklet_action(void)
- {
-	struct tasklet_struct *list;
-
-@@ -522,7 +522,7 @@ static __latent_entropy void tasklet_action(struct softirq_action *a)
-	}
- }
-
--static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
-+static __latent_entropy void tasklet_hi_action(void)
- {
-	struct tasklet_struct *list;
-
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 069550540a39..822783a174aa 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -66,6 +66,7 @@
- #include <linux/kexec.h>
- #include <linux/bpf.h>
- #include <linux/mount.h>
-+#include <linux/tty.h>
-
- #include <linux/uaccess.h>
- #include <asm/processor.h>
-@@ -98,12 +99,19 @@
- #if defined(CONFIG_SYSCTL)
-
- /* External variables not in a header file. */
-+#if IS_ENABLED(CONFIG_USB)
-+int deny_new_usb __read_mostly = 0;
-+EXPORT_SYMBOL(deny_new_usb);
-+#endif
- extern int suid_dumpable;
- #ifdef CONFIG_COREDUMP
- extern int core_uses_pid;
- extern char core_pattern[];
- extern unsigned int core_pipe_limit;
- #endif
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#endif
- extern int pid_max;
- extern int pid_max_min, pid_max_max;
- extern int percpu_pagelist_fraction;
-@@ -115,40 +123,43 @@ extern int sysctl_nr_trim_pages;
-
- /* Constants used for minimum and  maximum */
- #ifdef CONFIG_LOCKUP_DETECTOR
--static int sixty = 60;
-+static int sixty __read_only = 60;
- #endif
-
--static int __maybe_unused neg_one = -1;
-+static int __maybe_unused neg_one __read_only = -1;
-
- static int zero;
--static int __maybe_unused one = 1;
--static int __maybe_unused two = 2;
--static int __maybe_unused four = 4;
--static unsigned long one_ul = 1;
--static int one_hundred = 100;
--static int one_thousand = 1000;
-+static int __maybe_unused one __read_only = 1;
-+static int __maybe_unused two __read_only = 2;
-+static int __maybe_unused four __read_only = 4;
-+static unsigned long one_ul __read_only = 1;
-+static int one_hundred __read_only = 100;
-+static int one_thousand __read_only = 1000;
- #ifdef CONFIG_PRINTK
--static int ten_thousand = 10000;
-+static int ten_thousand __read_only = 10000;
- #endif
- #ifdef CONFIG_PERF_EVENTS
--static int six_hundred_forty_kb = 640 * 1024;
-+static int six_hundred_forty_kb __read_only = 640 * 1024;
- #endif
-
- /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
--static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
-+static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
-
- /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
--static int maxolduid = 65535;
--static int minolduid;
-+static int maxolduid __read_only = 65535;
-+static int minolduid __read_only;
-
--static int ngroups_max = NGROUPS_MAX;
-+static int ngroups_max __read_only = NGROUPS_MAX;
- static const int cap_last_cap = CAP_LAST_CAP;
-
- /*this is needed for proc_doulongvec_minmax of sysctl_hung_task_timeout_secs */
- #ifdef CONFIG_DETECT_HUNG_TASK
--static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
-+static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
- #endif
-
-+int device_sidechannel_restrict __read_mostly = 1;
-+EXPORT_SYMBOL(device_sidechannel_restrict);
-+
- #ifdef CONFIG_INOTIFY_USER
- #include <linux/inotify.h>
- #endif
-@@ -286,19 +297,19 @@ static struct ctl_table sysctl_base_table[] = {
- };
-
- #ifdef CONFIG_SCHED_DEBUG
--static int min_sched_granularity_ns = 100000;		/* 100 usecs */
--static int max_sched_granularity_ns = NSEC_PER_SEC;	/* 1 second */
--static int min_wakeup_granularity_ns;			/* 0 usecs */
--static int max_wakeup_granularity_ns = NSEC_PER_SEC;	/* 1 second */
-+static int min_sched_granularity_ns __read_only = 100000;		/* 100 usecs */
-+static int max_sched_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
-+static int min_wakeup_granularity_ns __read_only;			/* 0 usecs */
-+static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
- #ifdef CONFIG_SMP
--static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
--static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
-+static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
-+static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
- #endif /* CONFIG_SMP */
- #endif /* CONFIG_SCHED_DEBUG */
-
- #ifdef CONFIG_COMPACTION
--static int min_extfrag_threshold;
--static int max_extfrag_threshold = 1000;
-+static int min_extfrag_threshold __read_only;
-+static int max_extfrag_threshold __read_only = 1000;
- #endif
-
- static struct ctl_table kern_table[] = {
-@@ -512,6 +523,15 @@ static struct ctl_table kern_table[] = {
-		.proc_handler	= proc_dointvec,
-	},
- #endif
-+#ifdef CONFIG_USER_NS
-+	{
-+		.procname	= "unprivileged_userns_clone",
-+		.data		= &unprivileged_userns_clone,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec,
-+	},
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
-	{
-		.procname	= "tainted",
-@@ -853,6 +873,37 @@ static struct ctl_table kern_table[] = {
-		.extra1		= &zero,
-		.extra2		= &two,
-	},
-+#endif
-+#if defined CONFIG_TTY
-+	{
-+		.procname	= "tiocsti_restrict",
-+		.data		= &tiocsti_restrict,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec_minmax_sysadmin,
-+		.extra1		= &zero,
-+		.extra2		= &one,
-+	},
-+#endif
-+	{
-+		.procname	= "device_sidechannel_restrict",
-+		.data		= &device_sidechannel_restrict,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec_minmax_sysadmin,
-+		.extra1		= &zero,
-+		.extra2		= &one,
-+	},
-+#if IS_ENABLED(CONFIG_USB)
-+	{
-+		.procname	= "deny_new_usb",
-+		.data		= &deny_new_usb,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec_minmax_sysadmin,
-+		.extra1		= &zero,
-+		.extra2		= &one,
-+	},
- #endif
-	{
-		.procname	= "ngroups_max",
-diff --git a/kernel/time/timer.c b/kernel/time/timer.c
-index 9fe525f410bf..6a85b0e1292e 100644
---- a/kernel/time/timer.c
-+++ b/kernel/time/timer.c
-@@ -1624,7 +1624,7 @@ static inline void __run_timers(struct timer_base *base)
- /*
-  * This function runs timers and the timer-tq in bottom half context.
-  */
--static __latent_entropy void run_timer_softirq(struct softirq_action *h)
-+static __latent_entropy void run_timer_softirq(void)
- {
-	struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
-
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index c490f1e4313b..dd03bd39d7bf 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -24,6 +24,9 @@
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
-
-+/* sysctl */
-+int unprivileged_userns_clone;
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
-
-diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
-index 62d0e25c054c..3953072277eb 100644
---- a/lib/Kconfig.debug
-+++ b/lib/Kconfig.debug
-@@ -937,6 +937,7 @@ endmenu # "Debug lockups and hangs"
-
- config PANIC_ON_OOPS
-	bool "Panic on Oops"
-+	default y
-	help
-	  Say Y here to enable the kernel to panic when it oopses. This
-	  has the same effect as setting oops=panic on the kernel command
-@@ -946,7 +947,7 @@ config PANIC_ON_OOPS
-	  anything erroneous after an oops which could result in data
-	  corruption or other issues.
-
--	  Say N if unsure.
-+	  Say Y if unsure.
-
- config PANIC_ON_OOPS_VALUE
-	int
-@@ -1319,6 +1320,7 @@ config DEBUG_BUGVERBOSE
- config DEBUG_LIST
-	bool "Debug linked list manipulation"
-	depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
-+	default y
-	help
-	  Enable this to turn on extended checks in the linked-list
-	  walking routines.
-@@ -1932,6 +1934,7 @@ config MEMTEST
- config BUG_ON_DATA_CORRUPTION
-	bool "Trigger a BUG when data corruption is detected"
-	select DEBUG_LIST
-+	default y
-	help
-	  Select this option if the kernel should BUG when it encounters
-	  data corruption in kernel memory structures when they get checked
-@@ -1952,7 +1955,7 @@ config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU && DEVMEM
-	depends on ARCH_HAS_DEVMEM_IS_ALLOWED
--	default y if TILE || PPC
-+	default y
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-@@ -1971,6 +1974,7 @@ config STRICT_DEVMEM
- config IO_STRICT_DEVMEM
-	bool "Filter I/O access to /dev/mem"
-	depends on STRICT_DEVMEM
-+	default y
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  io-memory regardless of whether a driver is actively using that
-diff --git a/lib/irq_poll.c b/lib/irq_poll.c
-index 86a709954f5a..6f15787fcb1b 100644
---- a/lib/irq_poll.c
-+++ b/lib/irq_poll.c
-@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
- }
- EXPORT_SYMBOL(irq_poll_complete);
-
--static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
-+static void __latent_entropy irq_poll_softirq(void)
- {
-	struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
-	int rearm = 0, budget = irq_poll_budget;
-diff --git a/lib/kobject.c b/lib/kobject.c
-index 34f847252c02..4fda329de614 100644
---- a/lib/kobject.c
-+++ b/lib/kobject.c
-@@ -956,9 +956,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
-
-
- static DEFINE_SPINLOCK(kobj_ns_type_lock);
--static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
-+static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
-
--int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
-+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
- {
-	enum kobj_ns_type type = ops->type;
-	int error;
-diff --git a/lib/nlattr.c b/lib/nlattr.c
-index 3d8295c85505..3fa3b3409d69 100644
---- a/lib/nlattr.c
-+++ b/lib/nlattr.c
-@@ -341,6 +341,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
- {
-	int minlen = min_t(int, count, nla_len(src));
-
-+	BUG_ON(minlen < 0);
-+
-	memcpy(dest, nla_data(src), minlen);
-	if (count > minlen)
-		memset(dest + minlen, 0, count - minlen);
-diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index 86c3385b9eb3..c482070e379b 100644
---- a/lib/vsprintf.c
-+++ b/lib/vsprintf.c
-@@ -1591,7 +1591,7 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
-	return widen_string(buf, buf - buf_start, end, spec);
- }
-
--int kptr_restrict __read_mostly;
-+int kptr_restrict __read_mostly = 2;
-
- /*
-  * Show a '%p' thing.  A kernel extension is that the '%p' is followed
-diff --git a/mm/Kconfig b/mm/Kconfig
-index 59efbd3337e0..c070e14ec83d 100644
---- a/mm/Kconfig
-+++ b/mm/Kconfig
-@@ -319,7 +319,8 @@ config KSM
- config DEFAULT_MMAP_MIN_ADDR
-         int "Low address space to protect from user allocation"
-	depends on MMU
--        default 4096
-+	default 32768 if ARM || (ARM64 && COMPAT)
-+	default 65536
-         help
-	  This is the portion of low virtual memory which should be protected
-	  from userspace allocation.  Keeping a user from writing to low pages
-diff --git a/mm/mmap.c b/mm/mmap.c
-index 11f96fad5271..632e7f9a710e 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -220,6 +220,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
-
-	newbrk = PAGE_ALIGN(brk);
-	oldbrk = PAGE_ALIGN(mm->brk);
-+	/* properly handle unaligned min_brk as an empty heap */
-+	if (min_brk & ~PAGE_MASK) {
-+		if (brk == min_brk)
-+			newbrk -= PAGE_SIZE;
-+		if (mm->brk == min_brk)
-+			oldbrk -= PAGE_SIZE;
-+	}
-	if (oldbrk == newbrk)
-		goto set_brk;
-
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 1d7693c35424..8963a3b4d37c 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -67,6 +67,7 @@
- #include <linux/ftrace.h>
- #include <linux/lockdep.h>
- #include <linux/nmi.h>
-+#include <linux/random.h>
-
- #include <asm/sections.h>
- #include <asm/tlbflush.h>
-@@ -98,6 +99,15 @@ int _node_numa_mem_[MAX_NUMNODES];
- DEFINE_MUTEX(pcpu_drain_mutex);
- DEFINE_PER_CPU(struct work_struct, pcpu_drain);
-
-+bool __meminitdata extra_latent_entropy;
-+
-+static int __init setup_extra_latent_entropy(char *str)
-+{
-+	extra_latent_entropy = true;
-+	return 0;
-+}
-+early_param("extra_latent_entropy", setup_extra_latent_entropy);
-+
- #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
- volatile unsigned long latent_entropy __latent_entropy;
- EXPORT_SYMBOL(latent_entropy);
-@@ -1063,6 +1073,13 @@ static __always_inline bool free_pages_prepare(struct page *page,
-		debug_check_no_obj_freed(page_address(page),
-					   PAGE_SIZE << order);
-	}
-+
-+	if (IS_ENABLED(CONFIG_PAGE_SANITIZE)) {
-+		int i;
-+		for (i = 0; i < (1 << order); i++)
-+			clear_highpage(page + i);
-+	}
-+
-	arch_free_page(page, order);
-	kernel_poison_pages(page, 1 << order, 0);
-	kernel_map_pages(page, 1 << order, 0);
-@@ -1278,6 +1295,21 @@ static void __init __free_pages_boot_core(struct page *page, unsigned int order)
-	__ClearPageReserved(p);
-	set_page_count(p, 0);
-
-+	if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
-+		unsigned long hash = 0;
-+		size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
-+		const unsigned long *data = lowmem_page_address(page);
-+
-+		for (index = 0; index < end; index++)
-+			hash ^= hash + data[index];
-+#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
-+		latent_entropy ^= hash;
-+		add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
-+#else
-+		add_device_randomness((const void *)&hash, sizeof(hash));
-+#endif
-+	}
-+
-	page_zone(page)->managed_pages += nr_pages;
-	set_page_refcounted(page);
-	__free_pages(page, order);
-@@ -1718,8 +1750,8 @@ static inline int check_new_page(struct page *page)
-
- static inline bool free_pages_prezeroed(void)
- {
--	return IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) &&
--		page_poisoning_enabled();
-+	return IS_ENABLED(CONFIG_PAGE_SANITIZE) ||
-+		(IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && page_poisoning_enabled());
- }
-
- #ifdef CONFIG_DEBUG_VM
-@@ -1776,6 +1808,11 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
-
-	post_alloc_hook(page, order, gfp_flags);
-
-+	if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY)) {
-+		for (i = 0; i < (1 << order); i++)
-+			verify_zero_highpage(page + i);
-+	}
-+
-	if (!free_pages_prezeroed() && (gfp_flags & __GFP_ZERO))
-		for (i = 0; i < (1 << order); i++)
-			clear_highpage(page + i);
-diff --git a/mm/slab.h b/mm/slab.h
-index 485d9fbb8802..436461588804 100644
---- a/mm/slab.h
-+++ b/mm/slab.h
-@@ -311,7 +311,11 @@ static inline bool is_root_cache(struct kmem_cache *s)
- static inline bool slab_equal_or_root(struct kmem_cache *s,
-				      struct kmem_cache *p)
- {
-+#ifdef CONFIG_SLAB_HARDENED
-+	return p == s;
-+#else
-	return true;
-+#endif
- }
-
- static inline const char *cache_name(struct kmem_cache *s)
-@@ -363,18 +367,26 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
-	 * to not do even the assignment. In that case, slab_equal_or_root
-	 * will also be a constant.
-	 */
--	if (!memcg_kmem_enabled() &&
-+	if (!IS_ENABLED(CONFIG_SLAB_HARDENED) &&
-+	    !memcg_kmem_enabled() &&
-	    !unlikely(s->flags & SLAB_CONSISTENCY_CHECKS))
-		return s;
-
-	page = virt_to_head_page(x);
-+#ifdef CONFIG_SLAB_HARDENED
-+	BUG_ON(!PageSlab(page));
-+#endif
-	cachep = page->slab_cache;
-	if (slab_equal_or_root(cachep, s))
-		return cachep;
-
-	pr_err("%s: Wrong slab cache. %s but object is from %s\n",
-	       __func__, s->name, cachep->name);
-+#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
-+	BUG_ON(1);
-+#else
-	WARN_ON_ONCE(1);
-+#endif
-	return s;
- }
-
-@@ -399,7 +411,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
-	 * back there or track user information then we can
-	 * only use the space before that information.
-	 */
--	if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
-+	if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
-		return s->inuse;
-	/*
-	 * Else we can use all the padding etc for the allocation
-diff --git a/mm/slab_common.c b/mm/slab_common.c
-index 65212caa1f2a..d8bf8a75f445 100644
---- a/mm/slab_common.c
-+++ b/mm/slab_common.c
-@@ -26,10 +26,10 @@
-
- #include "slab.h"
-
--enum slab_state slab_state;
-+enum slab_state slab_state __ro_after_init;
- LIST_HEAD(slab_caches);
- DEFINE_MUTEX(slab_mutex);
--struct kmem_cache *kmem_cache;
-+struct kmem_cache *kmem_cache __ro_after_init;
-
- static LIST_HEAD(slab_caches_to_rcu_destroy);
- static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work);
-@@ -49,7 +49,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
- /*
-  * Merge control. If this is set then no merging of slab caches will occur.
-  */
--static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
-+static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
-
- static int __init setup_slab_nomerge(char *str)
- {
-@@ -927,7 +927,7 @@ EXPORT_SYMBOL(kmalloc_dma_caches);
-  * of two cache sizes there. The size of larger slabs can be determined using
-  * fls.
-  */
--static s8 size_index[24] = {
-+static s8 size_index[24] __ro_after_init = {
-	3,	/* 8 */
-	4,	/* 16 */
-	5,	/* 24 */
-diff --git a/mm/slub.c b/mm/slub.c
-index 41c01690d116..591dd60d37f3 100644
---- a/mm/slub.c
-+++ b/mm/slub.c
-@@ -125,6 +125,16 @@ static inline int kmem_cache_debug(struct kmem_cache *s)
- #endif
- }
-
-+static inline bool has_sanitize(struct kmem_cache *s)
-+{
-+	return IS_ENABLED(CONFIG_SLAB_SANITIZE) && !(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON));
-+}
-+
-+static inline bool has_sanitize_verify(struct kmem_cache *s)
-+{
-+	return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && has_sanitize(s);
-+}
-+
- void *fixup_red_left(struct kmem_cache *s, void *p)
- {
-	if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE)
-@@ -297,6 +307,35 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
-	*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
- }
-
-+#ifdef CONFIG_SLAB_CANARY
-+static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
-+{
-+	if (s->offset)
-+		return object + s->offset + sizeof(void *);
-+	return object + s->inuse;
-+}
-+
-+static inline unsigned long get_canary_value(const void *canary, unsigned long value)
-+{
-+	return (value ^ (unsigned long)canary) & CANARY_MASK;
-+}
-+
-+static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
-+{
-+	unsigned long *canary = get_canary(s, object);
-+	*canary = get_canary_value(canary, value);
-+}
-+
-+static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
-+{
-+	unsigned long *canary = get_canary(s, object);
-+	BUG_ON(*canary != get_canary_value(canary, value));
-+}
-+#else
-+#define set_canary(s, object, value)
-+#define check_canary(s, object, value)
-+#endif
-+
- /* Loop over all objects in a slab */
- #define for_each_object(__p, __s, __addr, __objects) \
-	for (__p = fixup_red_left(__s, __addr); \
-@@ -484,13 +523,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
-  * Debug settings:
-  */
- #if defined(CONFIG_SLUB_DEBUG_ON)
--static int slub_debug = DEBUG_DEFAULT_FLAGS;
-+static int slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
- #else
--static int slub_debug;
-+static int slub_debug __ro_after_init;
- #endif
-
--static char *slub_debug_slabs;
--static int disable_higher_order_debug;
-+static char *slub_debug_slabs __ro_after_init;
-+static int disable_higher_order_debug __ro_after_init;
-
- /*
-  * slub is about to manipulate internal object metadata.  This memory lies
-@@ -550,6 +589,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
-	else
-		p = object + s->inuse;
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		p = (void *)p + sizeof(void *);
-+
-	return p + alloc;
- }
-
-@@ -688,6 +730,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
-	else
-		off = s->inuse;
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		off += sizeof(void *);
-+
-	if (s->flags & SLAB_STORE_USER)
-		off += 2 * sizeof(struct track);
-
-@@ -817,6 +862,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
-		/* Freepointer is placed after the object. */
-		off += sizeof(void *);
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		off += sizeof(void *);
-+
-	if (s->flags & SLAB_STORE_USER)
-		/* We also have user information there */
-		off += 2 * sizeof(struct track);
-@@ -1416,8 +1464,9 @@ static void setup_object(struct kmem_cache *s, struct page *page,
-				void *object)
- {
-	setup_object_debug(s, page, object);
-+	set_canary(s, object, s->random_inactive);
-	kasan_init_slab_obj(s, object);
--	if (unlikely(s->ctor)) {
-+	if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
-		kasan_unpoison_object_data(s, object);
-		s->ctor(object);
-		kasan_poison_object_data(s, object);
-@@ -2717,9 +2766,21 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
-		stat(s, ALLOC_FASTPATH);
-	}
-
--	if (unlikely(gfpflags & __GFP_ZERO) && object)
-+	if (has_sanitize_verify(s) && object) {
-+		size_t offset = s->offset ? 0 : sizeof(void *);
-+		BUG_ON(memchr_inv(object + offset, 0, s->object_size - offset));
-+		if (s->ctor)
-+			s->ctor(object);
-+		if (unlikely(gfpflags & __GFP_ZERO) && offset)
-+			memset(object, 0, sizeof(void *));
-+	} else if (unlikely(gfpflags & __GFP_ZERO) && object)
-		memset(object, 0, s->object_size);
-
-+	if (object) {
-+		check_canary(s, object, s->random_inactive);
-+		set_canary(s, object, s->random_active);
-+	}
-+
-	slab_post_alloc_hook(s, gfpflags, 1, &object);
-
-	return object;
-@@ -2926,6 +2987,27 @@ static __always_inline void do_slab_free(struct kmem_cache *s,
-	void *tail_obj = tail ? : head;
-	struct kmem_cache_cpu *c;
-	unsigned long tid;
-+	bool sanitize = has_sanitize(s);
-+
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY) || sanitize) {
-+		__maybe_unused int offset = s->offset ? 0 : sizeof(void *);
-+		void *x = head;
-+
-+		while (1) {
-+			check_canary(s, x, s->random_active);
-+			set_canary(s, x, s->random_inactive);
-+
-+			if (sanitize) {
-+				memset(x + offset, 0, s->object_size - offset);
-+				if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
-+					s->ctor(x);
-+			}
-+			if (x == tail_obj)
-+				break;
-+			x = get_freepointer(s, x);
-+		}
-+	}
-+
- redo:
-	/*
-	 * Determine the currently cpus per cpu slab.
-@@ -3104,7 +3186,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
-			  void **p)
- {
-	struct kmem_cache_cpu *c;
--	int i;
-+	int i, k;
-
-	/* memcg and kmem_cache debug support */
-	s = slab_pre_alloc_hook(s, flags);
-@@ -3141,13 +3223,29 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
-	local_irq_enable();
-
-	/* Clear memory outside IRQ disabled fastpath loop */
--	if (unlikely(flags & __GFP_ZERO)) {
-+	if (has_sanitize_verify(s)) {
-+		int j;
-+
-+		for (j = 0; j < i; j++) {
-+			size_t offset = s->offset ? 0 : sizeof(void *);
-+			BUG_ON(memchr_inv(p[j] + offset, 0, s->object_size - offset));
-+			if (s->ctor)
-+				s->ctor(p[j]);
-+			if (unlikely(flags & __GFP_ZERO) && offset)
-+				memset(p[j], 0, sizeof(void *));
-+		}
-+	} else if (unlikely(flags & __GFP_ZERO)) {
-		int j;
-
-		for (j = 0; j < i; j++)
-			memset(p[j], 0, s->object_size);
-	}
-
-+	for (k = 0; k < i; k++) {
-+		check_canary(s, p[k], s->random_inactive);
-+		set_canary(s, p[k], s->random_active);
-+	}
-+
-	/* memcg and kmem_cache debug support */
-	slab_post_alloc_hook(s, flags, size, p);
-	return i;
-@@ -3179,9 +3277,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
-  * and increases the number of allocations possible without having to
-  * take the list_lock.
-  */
--static int slub_min_order;
--static int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
--static int slub_min_objects;
-+static int slub_min_order __ro_after_init;
-+static int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
-+static int slub_min_objects __ro_after_init;
-
- /*
-  * Calculate the order of allocation given an slab object size.
-@@ -3351,6 +3449,7 @@ static void early_kmem_cache_node_alloc(int node)
-	init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
-	init_tracking(kmem_cache_node, n);
- #endif
-+	set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
-	kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
-		      GFP_KERNEL);
-	init_kmem_cache_node(n);
-@@ -3507,6 +3606,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
-		size += sizeof(void *);
-	}
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		size += sizeof(void *);
-+
- #ifdef CONFIG_SLUB_DEBUG
-	if (flags & SLAB_STORE_USER)
-		/*
-@@ -3577,6 +3679,10 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
- #ifdef CONFIG_SLAB_FREELIST_HARDENED
-	s->random = get_random_long();
- #endif
-+#ifdef CONFIG_SLAB_CANARY
-+	s->random_active = get_random_long();
-+	s->random_inactive = get_random_long();
-+#endif
-
-	if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
-		s->reserved = sizeof(struct rcu_head);
-@@ -3841,6 +3947,8 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
-		offset -= s->red_left_pad;
-	}
-
-+	check_canary(s, (void *)ptr - offset, s->random_active);
-+
-	/* Allow address range falling entirely within object size. */
-	if (offset <= object_size && n <= object_size - offset)
-		return NULL;
-@@ -3859,7 +3967,11 @@ static size_t __ksize(const void *object)
-	page = virt_to_head_page(object);
-
-	if (unlikely(!PageSlab(page))) {
-+#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
-+		BUG_ON(!PageCompound(page));
-+#else
-		WARN_ON(!PageCompound(page));
-+#endif
-		return PAGE_SIZE << compound_order(page);
-	}
-
-@@ -4724,7 +4836,7 @@ enum slab_stat_type {
- #define SO_TOTAL	(1 << SL_TOTAL)
-
- #ifdef CONFIG_MEMCG
--static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
-+static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
-
- static int __init setup_slub_memcg_sysfs(char *str)
- {
-diff --git a/mm/swap.c b/mm/swap.c
-index a77d68f2c1b6..d1f1d75f4d1f 100644
---- a/mm/swap.c
-+++ b/mm/swap.c
-@@ -92,6 +92,13 @@ static void __put_compound_page(struct page *page)
-	if (!PageHuge(page))
-		__page_cache_release(page);
-	dtor = get_compound_page_dtor(page);
-+	if (!PageHuge(page))
-+		BUG_ON(dtor != free_compound_page
-+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
-+			&& dtor != free_transhuge_page
-+#endif
-+		);
-+
-	(*dtor)(page);
- }
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index 6ca771f2f25b..6da2c9c3e6a5 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -4095,7 +4095,7 @@ int netif_rx_ni(struct sk_buff *skb)
- }
- EXPORT_SYMBOL(netif_rx_ni);
-
--static __latent_entropy void net_tx_action(struct softirq_action *h)
-+static __latent_entropy void net_tx_action(void)
- {
-	struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-
-@@ -5609,7 +5609,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
-	return work;
- }
-
--static __latent_entropy void net_rx_action(struct softirq_action *h)
-+static __latent_entropy void net_rx_action(void)
- {
-	struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-	unsigned long time_limit = jiffies +
-diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
-index f48fe6fc7e8c..d78c52835c08 100644
---- a/net/ipv4/Kconfig
-+++ b/net/ipv4/Kconfig
-@@ -261,6 +261,7 @@ config IP_PIMSM_V2
-
- config SYN_COOKIES
-	bool "IP: TCP syncookie support"
-+	default y
-	---help---
-	  Normal TCP/IP networking is open to an attack known as "SYN
-	  flooding". This denial-of-service attack prevents legitimate remote
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 54deaa1066cf..211f97bd5ee3 100644
---- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -37,6 +37,7 @@ static int vmlinux_section_warnings = 1;
- static int warn_unresolved = 0;
- /* How a symbol is exported */
- static int sec_mismatch_count = 0;
-+static int writable_fptr_count = 0;
- static int sec_mismatch_verbose = 1;
- static int sec_mismatch_fatal = 0;
- /* ignore missing files */
-@@ -965,6 +966,7 @@ enum mismatch {
-	ANY_EXIT_TO_ANY_INIT,
-	EXPORT_TO_INIT_EXIT,
-	EXTABLE_TO_NON_TEXT,
-+	DATA_TO_TEXT
- };
-
- /**
-@@ -1091,6 +1093,12 @@ static const struct sectioncheck sectioncheck[] = {
-	.good_tosec = {ALL_TEXT_SECTIONS , NULL},
-	.mismatch = EXTABLE_TO_NON_TEXT,
-	.handler = extable_mismatch_handler,
-+},
-+/* Do not reference code from writable data */
-+{
-+	.fromsec = { DATA_SECTIONS, NULL },
-+	.bad_tosec = { ALL_TEXT_SECTIONS, NULL },
-+	.mismatch = DATA_TO_TEXT
- }
- };
-
-@@ -1240,10 +1248,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
-			continue;
-		if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
-			continue;
--		if (sym->st_value == addr)
--			return sym;
-		/* Find a symbol nearby - addr are maybe negative */
-		d = sym->st_value - addr;
-+		if (d == 0)
-+			return sym;
-		if (d < 0)
-			d = addr - sym->st_value;
-		if (d < distance) {
-@@ -1402,7 +1410,11 @@ static void report_sec_mismatch(const char *modname,
-	char *prl_from;
-	char *prl_to;
-
--	sec_mismatch_count++;
-+	if (mismatch->mismatch == DATA_TO_TEXT)
-+		writable_fptr_count++;
-+	else
-+		sec_mismatch_count++;
-+
-	if (!sec_mismatch_verbose)
-		return;
-
-@@ -1526,6 +1538,14 @@ static void report_sec_mismatch(const char *modname,
-		fatal("There's a special handler for this mismatch type, "
-		      "we should never get here.");
-		break;
-+	case DATA_TO_TEXT:
-+#if 0
-+		fprintf(stderr,
-+		"The %s %s:%s references\n"
-+		"the %s %s:%s%s\n",
-+		from, fromsec, fromsym, to, tosec, tosym, to_p);
-+#endif
-+		break;
-	}
-	fprintf(stderr, "\n");
- }
-@@ -2539,6 +2559,14 @@ int main(int argc, char **argv)
-		}
-	}
-	free(buf.p);
-+	if (writable_fptr_count) {
-+		if (!sec_mismatch_verbose) {
-+			warn("modpost: Found %d writable function pointer(s).\n"
-+			     "To see full details build your kernel with:\n"
-+			     "'make CONFIG_DEBUG_SECTION_MISMATCH=y'\n",
-+			     writable_fptr_count);
-+		}
-+	}
-
-	return err;
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index 87f2a6f842fd..7bdbb7edf5bf 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -8,7 +8,7 @@ source security/keys/Kconfig
-
- config SECURITY_DMESG_RESTRICT
-	bool "Restrict unprivileged access to the kernel syslog"
--	default n
-+	default y
-	help
-	  This enforces restrictions on unprivileged users reading the kernel
-	  syslog via dmesg(8).
-@@ -18,10 +18,34 @@ config SECURITY_DMESG_RESTRICT
-
-	  If you are unsure how to answer this question, answer N.
-
-+config SECURITY_PERF_EVENTS_RESTRICT
-+	bool "Restrict unprivileged use of performance events"
-+	depends on PERF_EVENTS
-+	default y
-+	help
-+	  If you say Y here, the kernel.perf_event_paranoid sysctl
-+	  will be set to 3 by default, and no unprivileged use of the
-+	  perf_event_open syscall will be permitted unless it is
-+	  changed.
-+
-+config SECURITY_TIOCSTI_RESTRICT
-+	bool "Restrict unprivileged use of tiocsti command injection"
-+	default y
-+	help
-+	  This enforces restrictions on unprivileged users injecting commands
-+	  into other processes which share a tty session using the TIOCSTI
-+	  ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
-+
-+	  If this option is not selected, no restrictions will be enforced
-+	  unless the tiocsti_restrict sysctl is explicitly set to (1).
-+
-+	  If you are unsure how to answer this question, answer N.
-+
- config SECURITY
-	bool "Enable different security models"
-	depends on SYSFS
-	depends on MULTIUSER
-+	default y
-	help
-	  This allows you to choose different security modules to be
-	  configured into your kernel.
-@@ -48,6 +72,7 @@ config SECURITYFS
- config SECURITY_NETWORK
-	bool "Socket and Networking Security Hooks"
-	depends on SECURITY
-+	default y
-	help
-	  This enables the socket and networking security hooks.
-	  If enabled, a security module can use these hooks to
-@@ -155,6 +180,7 @@ config HARDENED_USERCOPY
-	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
-	select BUG
-	imply STRICT_DEVMEM
-+	default y
-	help
-	  This option checks for obviously wrong memory regions when
-	  copying memory to/from the kernel (via copy_to_user() and
-@@ -178,10 +204,36 @@ config HARDENED_USERCOPY_PAGESPAN
- config FORTIFY_SOURCE
-	bool "Harden common str/mem functions against buffer overflows"
-	depends on ARCH_HAS_FORTIFY_SOURCE
-+	default y
-	help
-	  Detect overflows of buffers in common string and memory functions
-	  where the compiler can determine and validate the buffer sizes.
-
-+config FORTIFY_SOURCE_STRICT_STRING
-+	bool "Harden common functions against buffer overflows"
-+	depends on FORTIFY_SOURCE
-+	depends on EXPERT
-+	help
-+	  Perform stricter overflow checks catching overflows within objects
-+	  for common C string functions rather than only between objects.
-+
-+	  This is not yet intended for production use, only bug finding.
-+
-+config PAGE_SANITIZE
-+	bool "Sanitize pages"
-+	default y
-+	help
-+	  Zero fill page allocations on free, reducing the lifetime of
-+	  sensitive data and helping to mitigate use-after-free bugs.
-+
-+config PAGE_SANITIZE_VERIFY
-+	bool "Verify sanitized pages"
-+	depends on PAGE_SANITIZE
-+	default y
-+	help
-+	  Verify that newly allocated pages are zeroed to detect
-+	  write-after-free bugs.
-+
- config STATIC_USERMODEHELPER
-	bool "Force all usermode helper calls through a single binary"
-	help
-diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
-index 8af7a690eb40..6539694b0fd3 100644
---- a/security/selinux/Kconfig
-+++ b/security/selinux/Kconfig
-@@ -2,7 +2,7 @@ config SECURITY_SELINUX
-	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && AUDIT && NET && INET
-	select NETWORK_SECMARK
--	default n
-+	default y
-	help
-	  This selects NSA Security-Enhanced Linux (SELinux).
-	  You will also need a policy configuration and a labeled filesystem.
-@@ -79,23 +79,3 @@ config SECURITY_SELINUX_AVC_STATS
-	  This option collects access vector cache statistics to
-	  /selinux/avc/cache_stats, which may be monitored via
-	  tools such as avcstat.
--
--config SECURITY_SELINUX_CHECKREQPROT_VALUE
--	int "NSA SELinux checkreqprot default value"
--	depends on SECURITY_SELINUX
--	range 0 1
--	default 0
--	help
--	  This option sets the default value for the 'checkreqprot' flag
--	  that determines whether SELinux checks the protection requested
--	  by the application or the protection that will be applied by the
--	  kernel (including any implied execute for read-implies-exec) for
--	  mmap and mprotect calls.  If this option is set to 0 (zero),
--	  SELinux will default to checking the protection that will be applied
--	  by the kernel.  If this option is set to 1 (one), SELinux will
--	  default to checking the protection requested by the application.
--	  The checkreqprot flag may be changed from the default via the
--	  'checkreqprot=' boot parameter.  It may also be changed at runtime
--	  via /selinux/checkreqprot if authorized by policy.
--
--	  If you are unsure how to answer this question, answer 0.
-diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
-index 1649cd18eb0b..067f35559aa7 100644
---- a/security/selinux/include/objsec.h
-+++ b/security/selinux/include/objsec.h
-@@ -150,6 +150,6 @@ struct pkey_security_struct {
-	u32	sid;	/* SID of pkey */
- };
-
--extern unsigned int selinux_checkreqprot;
-+extern const unsigned int selinux_checkreqprot;
-
- #endif /* _SELINUX_OBJSEC_H_ */
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 00eed842c491..8f7b8d7e6f91 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
-@@ -41,16 +41,7 @@
- #include "objsec.h"
- #include "conditional.h"
-
--unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
--
--static int __init checkreqprot_setup(char *str)
--{
--	unsigned long checkreqprot;
--	if (!kstrtoul(str, 0, &checkreqprot))
--		selinux_checkreqprot = checkreqprot ? 1 : 0;
--	return 1;
--}
--__setup("checkreqprot=", checkreqprot_setup);
-+const unsigned int selinux_checkreqprot;
-
- static DEFINE_MUTEX(sel_mutex);
-
-@@ -610,10 +601,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
-		return PTR_ERR(page);
-
-	length = -EINVAL;
--	if (sscanf(page, "%u", &new_value) != 1)
-+	if (sscanf(page, "%u", &new_value) != 1 || new_value)
-		goto out;
-
--	selinux_checkreqprot = new_value ? 1 : 0;
-	length = count;
- out:
-	kfree(page);
-diff --git a/security/yama/Kconfig b/security/yama/Kconfig
-index 96b27405558a..485c1b85c325 100644
---- a/security/yama/Kconfig
-+++ b/security/yama/Kconfig
-@@ -1,7 +1,7 @@
- config SECURITY_YAMA
-	bool "Yama support"
-	depends on SECURITY
--	default n
-+	default y
-	help
-	  This selects Yama, which extends DAC support with additional
-	  system-wide security settings beyond regular Linux discretionary
diff --git a/pkgs/os-specific/linux/kernel/copperhead-4-16.patch b/pkgs/os-specific/linux/kernel/copperhead-4-16.patch
deleted file mode 100644
index f0a4bc940347..000000000000
--- a/pkgs/os-specific/linux/kernel/copperhead-4-16.patch
+++ /dev/null
@@ -1,2571 +0,0 @@
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 9824d049367e..6ff72316ff0a 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -496,16 +496,6 @@
-			nosocket -- Disable socket memory accounting.
-			nokmem -- Disable kernel memory accounting.
-
--	checkreqprot	[SELINUX] Set initial checkreqprot flag value.
--			Format: { "0" | "1" }
--			See security/selinux/Kconfig help text.
--			0 -- check protection applied by kernel (includes
--				any implied execute protection).
--			1 -- check protection requested by application.
--			Default value is set via a kernel config option.
--			Value can be changed at runtime via
--				/selinux/checkreqprot.
--
-	cio_ignore=	[S390]
-			See Documentation/s390/CommonIO for details.
-	clk_ignore_unused
-@@ -2946,6 +2936,11 @@
-			the specified number of seconds.  This is to be used if
-			your oopses keep scrolling off the screen.
-
-+	extra_latent_entropy
-+			Enable a very simple form of latent entropy extraction
-+			from the first 4GB of memory as the bootmem allocator
-+			passes the memory pages to the buddy allocator.
-+
-	pcbit=		[HW,ISDN]
-
-	pcd.		[PARIDE]
-diff --git a/Makefile b/Makefile
-index ded9e8480d74..2e948bb78142 100644
---- a/Makefile
-+++ b/Makefile
-@@ -734,6 +734,9 @@ endif
- endif
-
- ifeq ($(cc-name),clang)
-+ifdef CONFIG_LOCAL_INIT
-+KBUILD_CFLAGS   += -fsanitize=local-init
-+endif
- KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
- KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier)
- KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
-diff --git a/arch/Kconfig b/arch/Kconfig
-index 76c0b54443b1..63a2d30f807f 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -454,6 +454,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
-	  is some slowdown of the boot process (about 0.5%) and fork and
-	  irq processing.
-
-+	  When extra_latent_entropy is passed on the kernel command line,
-+	  entropy will be extracted from up to the first 4GB of RAM while the
-+	  runtime memory allocator is being initialized.  This costs even more
-+	  slowdown of the boot process.
-+
-	  Note that entropy extracted this way is not cryptographically
-	  secure!
-
-@@ -747,7 +752,7 @@ config ARCH_MMAP_RND_BITS
-	int "Number of bits to use for ASLR of mmap base address" if EXPERT
-	range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
-	default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
--	default ARCH_MMAP_RND_BITS_MIN
-+	default ARCH_MMAP_RND_BITS_MAX
-	depends on HAVE_ARCH_MMAP_RND_BITS
-	help
-	  This value can be used to select the number of bits to use to
-@@ -781,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
-	int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
-	range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
-	default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
--	default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+	default ARCH_MMAP_RND_COMPAT_BITS_MAX
-	depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
-	help
-	  This value can be used to select the number of bits to use to
-@@ -968,6 +973,7 @@ config ARCH_HAS_REFCOUNT
-
- config REFCOUNT_FULL
-	bool "Perform full reference count validation at the expense of speed"
-+	default y
-	help
-	  Enabling this switches the refcounting infrastructure from a fast
-	  unchecked atomic_t implementation to a fully state checked
-diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index be665760f2bd..5fb9026c9762 100644
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -988,6 +988,7 @@ endif
-
- config ARM64_SW_TTBR0_PAN
-	bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
-+	default y
-	help
-	  Enabling this option prevents the kernel from accessing
-	  user-space memory directly by pointing TTBR0_EL1 to a reserved
-@@ -1141,6 +1142,7 @@ config RANDOMIZE_BASE
-	bool "Randomize the address of the kernel image"
-	select ARM64_MODULE_PLTS if MODULES
-	select RELOCATABLE
-+	default y
-	help
-	  Randomizes the virtual address at which the kernel image is
-	  loaded, as a security feature that deters exploit attempts
-diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
-index cc6bd559af85..01d5442d4722 100644
---- a/arch/arm64/Kconfig.debug
-+++ b/arch/arm64/Kconfig.debug
-@@ -45,6 +45,7 @@ config ARM64_RANDOMIZE_TEXT_OFFSET
- config DEBUG_WX
-	bool "Warn on W+X mappings at boot"
-	select ARM64_PTDUMP_CORE
-+	default y
-	---help---
-	  Generate a warning if any W+X mappings are found at boot.
-
-diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
-index 634b373785c4..5b255a6db6a7 100644
---- a/arch/arm64/configs/defconfig
-+++ b/arch/arm64/configs/defconfig
-@@ -1,4 +1,3 @@
--CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- CONFIG_AUDIT=y
- CONFIG_NO_HZ_IDLE=y
-diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
-index fac1c4de7898..34786ca166e4 100644
---- a/arch/arm64/include/asm/elf.h
-+++ b/arch/arm64/include/asm/elf.h
-@@ -114,10 +114,10 @@
-
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is above 4GB to leave the entire 32-bit address
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
--#define ELF_ET_DYN_BASE		(2 * TASK_SIZE_64 / 3)
-+#define ELF_ET_DYN_BASE		0x100000000UL
-
- #ifndef __ASSEMBLY__
-
-@@ -158,10 +158,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
- /* 1GB of VA */
- #ifdef CONFIG_COMPAT
- #define STACK_RND_MASK			(test_thread_flag(TIF_32BIT) ? \
--						0x7ff >> (PAGE_SHIFT - 12) : \
--						0x3ffff >> (PAGE_SHIFT - 12))
-+						((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
-+						((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
- #else
--#define STACK_RND_MASK			(0x3ffff >> (PAGE_SHIFT - 12))
-+#define STACK_RND_MASK			(((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
- #endif
-
- #ifdef __AARCH64EB__
-diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
-index c0da6efe5465..f308b521c114 100644
---- a/arch/arm64/kernel/process.c
-+++ b/arch/arm64/kernel/process.c
-@@ -481,9 +481,9 @@ unsigned long arch_align_stack(unsigned long sp)
- unsigned long arch_randomize_brk(struct mm_struct *mm)
- {
-	if (is_compat_task())
--		return randomize_page(mm->brk, SZ_32M);
-+		return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
-	else
--		return randomize_page(mm->brk, SZ_1G);
-+		return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
- }
-
- /*
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 0fa71a78ec99..d78d44944374 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -1208,8 +1208,7 @@ config VM86
-        default X86_LEGACY_VM86
-
- config X86_16BIT
--	bool "Enable support for 16-bit segments" if EXPERT
--	default y
-+	bool "Enable support for 16-bit segments"
-	depends on MODIFY_LDT_SYSCALL
-	---help---
-	  This option is required by programs like Wine to run 16-bit
-@@ -2299,7 +2298,7 @@ config COMPAT_VDSO
- choice
-	prompt "vsyscall table for legacy applications"
-	depends on X86_64
--	default LEGACY_VSYSCALL_EMULATE
-+	default LEGACY_VSYSCALL_NONE
-	help
-	  Legacy user code that does not know how to find the vDSO expects
-	  to be able to issue three syscalls by calling fixed addresses in
-@@ -2380,8 +2379,7 @@ config CMDLINE_OVERRIDE
-	  be set to 'N' under normal conditions.
-
- config MODIFY_LDT_SYSCALL
--	bool "Enable the LDT (local descriptor table)" if EXPERT
--	default y
-+	bool "Enable the LDT (local descriptor table)"
-	---help---
-	  Linux can allow user programs to install a per-process x86
-	  Local Descriptor Table (LDT) using the modify_ldt(2) system
-diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
-index 192e4d2f9efc..343c2f1b13da 100644
---- a/arch/x86/Kconfig.debug
-+++ b/arch/x86/Kconfig.debug
-@@ -101,6 +101,7 @@ config EFI_PGT_DUMP
- config DEBUG_WX
-	bool "Warn on W+X mappings at boot"
-	select X86_PTDUMP_CORE
-+	default y
-	---help---
-	  Generate a warning if any W+X mappings are found at boot.
-
-diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
-index e32fc1f274d8..d08acc76502a 100644
---- a/arch/x86/configs/x86_64_defconfig
-+++ b/arch/x86/configs/x86_64_defconfig
-@@ -1,5 +1,4 @@
- # CONFIG_LOCALVERSION_AUTO is not set
--CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- CONFIG_BSD_PROCESS_ACCT=y
- CONFIG_TASKSTATS=y
-diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
-index 5b8b556dbb12..a569f08b4478 100644
---- a/arch/x86/entry/vdso/vma.c
-+++ b/arch/x86/entry/vdso/vma.c
-@@ -204,55 +204,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
- }
-
- #ifdef CONFIG_X86_64
--/*
-- * Put the vdso above the (randomized) stack with another randomized
-- * offset.  This way there is no hole in the middle of address space.
-- * To save memory make sure it is still in the same PTE as the stack
-- * top.  This doesn't give that many random bits.
-- *
-- * Note that this algorithm is imperfect: the distribution of the vdso
-- * start address within a PMD is biased toward the end.
-- *
-- * Only used for the 64-bit and x32 vdsos.
-- */
--static unsigned long vdso_addr(unsigned long start, unsigned len)
--{
--	unsigned long addr, end;
--	unsigned offset;
--
--	/*
--	 * Round up the start address.  It can start out unaligned as a result
--	 * of stack start randomization.
--	 */
--	start = PAGE_ALIGN(start);
--
--	/* Round the lowest possible end address up to a PMD boundary. */
--	end = (start + len + PMD_SIZE - 1) & PMD_MASK;
--	if (end >= TASK_SIZE_MAX)
--		end = TASK_SIZE_MAX;
--	end -= len;
--
--	if (end > start) {
--		offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
--		addr = start + (offset << PAGE_SHIFT);
--	} else {
--		addr = start;
--	}
--
--	/*
--	 * Forcibly align the final address in case we have a hardware
--	 * issue that requires alignment for performance reasons.
--	 */
--	addr = align_vdso_addr(addr);
--
--	return addr;
--}
--
- static int map_vdso_randomized(const struct vdso_image *image)
- {
--	unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
--
--	return map_vdso(image, addr);
-+	return map_vdso(image, 0);
- }
- #endif
-
-diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
-index 0d157d2a1e2a..770c8ae97f92 100644
---- a/arch/x86/include/asm/elf.h
-+++ b/arch/x86/include/asm/elf.h
-@@ -249,11 +249,11 @@ extern int force_personality32;
-
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is above 4GB to leave the entire 32-bit address
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
- #define ELF_ET_DYN_BASE		(mmap_is_ia32() ? 0x000400000UL : \
--						  (DEFAULT_MAP_WINDOW / 3 * 2))
-+						  0x100000000UL)
-
- /* This yields a mask that user programs can use to figure out what
-    instruction set this CPU supports.  This could be done in user space,
-@@ -313,8 +313,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
-
- #ifdef CONFIG_X86_32
-
--#define __STACK_RND_MASK(is32bit) (0x7ff)
--#define STACK_RND_MASK (0x7ff)
-+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
-+#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
-
- #define ARCH_DLINFO		ARCH_DLINFO_IA32
-
-@@ -323,7 +323,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
- #else /* CONFIG_X86_32 */
-
- /* 1GB for 64bit, 8MB for 32bit */
--#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
-+#ifdef CONFIG_COMPAT
-+#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
-+#else
-+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
-+#endif
- #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
-
- #define ARCH_DLINFO							\
-@@ -381,5 +385,4 @@ struct va_alignment {
- } ____cacheline_aligned;
-
- extern struct va_alignment va_align;
--extern unsigned long align_vdso_addr(unsigned long);
- #endif /* _ASM_X86_ELF_H */
-diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
-index 84137c22fdfa..4f197404cab9 100644
---- a/arch/x86/include/asm/tlbflush.h
-+++ b/arch/x86/include/asm/tlbflush.h
-@@ -261,6 +261,7 @@ static inline void cr4_set_bits(unsigned long mask)
-
-	local_irq_save(flags);
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	if ((cr4 | mask) != cr4)
-		__cr4_set(cr4 | mask);
-	local_irq_restore(flags);
-@@ -273,6 +274,7 @@ static inline void cr4_clear_bits(unsigned long mask)
-
-	local_irq_save(flags);
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	if ((cr4 & ~mask) != cr4)
-		__cr4_set(cr4 & ~mask);
-	local_irq_restore(flags);
-@@ -283,6 +285,7 @@ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
-	unsigned long cr4;
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+        BUG_ON(cr4 != __read_cr4());
-	__cr4_set(cr4 ^ mask);
- }
-
-@@ -389,6 +392,7 @@ static inline void __native_flush_tlb_global(void)
-	raw_local_irq_save(flags);
-
-	cr4 = this_cpu_read(cpu_tlbstate.cr4);
-+	BUG_ON(cr4 != __read_cr4());
-	/* toggle PGE */
-	native_write_cr4(cr4 ^ X86_CR4_PGE);
-	/* write old PGE again and flush TLBs */
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 5f74f94244e1..9c9fdb5ef52e 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1662,7 +1662,6 @@ void cpu_init(void)
-	wrmsrl(MSR_KERNEL_GS_BASE, 0);
-	barrier();
-
--	x86_configure_nx();
-	x2apic_setup();
-
-	/*
-diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index 30ca2d1a9231..bde0a18cd9f9 100644
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -39,6 +39,8 @@
- #include <asm/desc.h>
- #include <asm/prctl.h>
- #include <asm/spec-ctrl.h>
-+#include <asm/elf.h>
-+#include <linux/sizes.h>
-
- /*
-  * per-CPU TSS segments. Threads are completely 'soft' on Linux,
-@@ -718,7 +720,10 @@ unsigned long arch_align_stack(unsigned long sp)
-
- unsigned long arch_randomize_brk(struct mm_struct *mm)
- {
--	return randomize_page(mm->brk, 0x02000000);
-+	if (mmap_is_ia32())
-+		return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
-+	else
-+		return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
- }
-
- /*
-diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index 676774b9bb8d..5ad7a95382b0 100644
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -54,13 +54,6 @@ static unsigned long get_align_bits(void)
-	return va_align.bits & get_align_mask();
- }
-
--unsigned long align_vdso_addr(unsigned long addr)
--{
--	unsigned long align_mask = get_align_mask();
--	addr = (addr + align_mask) & ~align_mask;
--	return addr | get_align_bits();
--}
--
- static int __init control_va_addr_alignment(char *str)
- {
-	/* guard against enabling this on other CPU families */
-@@ -122,10 +115,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
-	}
-
-	*begin	= get_mmap_base(1);
--	if (in_compat_syscall())
--		*end = task_size_32bit();
--	else
--		*end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
-+	*end	= get_mmap_base(0);
- }
-
- unsigned long
-@@ -210,7 +200,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
-
-	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
-	info.length = len;
--	info.low_limit = PAGE_SIZE;
-+	info.low_limit = get_mmap_base(1);
-	info.high_limit = get_mmap_base(0);
-
-	/*
-diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
-index 396e1f0151ac..6526b19579dc 100644
---- a/arch/x86/mm/init_32.c
-+++ b/arch/x86/mm/init_32.c
-@@ -558,7 +558,7 @@ static void __init pagetable_init(void)
-	permanent_kmaps_init(pgd_base);
- }
-
--pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);
-+pteval_t __supported_pte_mask __ro_after_init = ~(_PAGE_NX | _PAGE_GLOBAL);
- EXPORT_SYMBOL_GPL(__supported_pte_mask);
-
- /* user-defined highmem size */
-@@ -866,7 +866,7 @@ int arch_remove_memory(u64 start, u64 size, struct vmem_altmap *altmap)
- #endif
- #endif
-
--int kernel_set_to_readonly __read_mostly;
-+int kernel_set_to_readonly __ro_after_init;
-
- void set_kernel_text_rw(void)
- {
-@@ -918,12 +918,11 @@ void mark_rodata_ro(void)
-	unsigned long start = PFN_ALIGN(_text);
-	unsigned long size = PFN_ALIGN(_etext) - start;
-
-+	kernel_set_to_readonly = 1;
-	set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
-	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
-		size >> 10);
-
--	kernel_set_to_readonly = 1;
--
- #ifdef CONFIG_CPA_DEBUG
-	printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
-		start, start+size);
-diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index af11a2890235..b2d28d38c01e 100644
---- a/arch/x86/mm/init_64.c
-+++ b/arch/x86/mm/init_64.c
-@@ -65,7 +65,7 @@
-  * around without checking the pgd every time.
-  */
-
--pteval_t __supported_pte_mask __read_mostly = ~0;
-+pteval_t __supported_pte_mask __ro_after_init = ~0;
- EXPORT_SYMBOL_GPL(__supported_pte_mask);
-
- int force_personality32;
-@@ -1195,7 +1195,7 @@ void __init mem_init(void)
-	mem_init_print_info(NULL);
- }
-
--int kernel_set_to_readonly;
-+int kernel_set_to_readonly __ro_after_init;
-
- void set_kernel_text_rw(void)
- {
-@@ -1244,9 +1244,8 @@ void mark_rodata_ro(void)
-
-	printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
-	       (end - start) >> 10);
--	set_memory_ro(start, (end - start) >> PAGE_SHIFT);
--
-	kernel_set_to_readonly = 1;
-+	set_memory_ro(start, (end - start) >> PAGE_SHIFT);
-
-	/*
-	 * The rodata/data/bss/brk section (but not the kernel text!)
-diff --git a/block/blk-softirq.c b/block/blk-softirq.c
-index 01e2b353a2b9..9aeddca4a29f 100644
---- a/block/blk-softirq.c
-+++ b/block/blk-softirq.c
-@@ -20,7 +20,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
-  * Softirq action handler - move entries to local list and loop over them
-  * while passing them to the queue registered handler.
-  */
--static __latent_entropy void blk_done_softirq(struct softirq_action *h)
-+static __latent_entropy void blk_done_softirq(void)
- {
-	struct list_head *cpu_list, local_list;
-
-diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 0df21f046fc6..6f8d9bf71bba 100644
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -5151,7 +5151,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
-	struct ata_port *ap;
-	unsigned int tag;
-
--	WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-+	BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-	ap = qc->ap;
-
-	qc->flags = 0;
-@@ -5168,7 +5168,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
-	struct ata_port *ap;
-	struct ata_link *link;
-
--	WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-+	BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
-	WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
-	ap = qc->ap;
-	link = qc->dev->link;
-diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
-index c28dca0c613d..d4813f0d25ca 100644
---- a/drivers/char/Kconfig
-+++ b/drivers/char/Kconfig
-@@ -9,7 +9,6 @@ source "drivers/tty/Kconfig"
-
- config DEVMEM
-	bool "/dev/mem virtual device support"
--	default y
-	help
-	  Say Y here if you want to support the /dev/mem device.
-	  The /dev/mem device is used to access areas of physical
-@@ -568,7 +567,6 @@ config TELCLOCK
- config DEVPORT
-	bool "/dev/port character device"
-	depends on ISA || PCI
--	default y
-	help
-	  Say Y here if you want to support the /dev/port device. The /dev/port
-	  device is similar to /dev/mem, but for I/O ports.
-diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
-index b811442c5ce6..4f62a63cbcb1 100644
---- a/drivers/tty/Kconfig
-+++ b/drivers/tty/Kconfig
-@@ -122,7 +122,6 @@ config UNIX98_PTYS
-
- config LEGACY_PTYS
-	bool "Legacy (BSD) PTY support"
--	default y
-	---help---
-	  A pseudo terminal (PTY) is a software device consisting of two
-	  halves: a master and a slave. The slave device behaves identical to
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 83c58a20d16f..32ef2e3a8482 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -41,6 +41,8 @@
- #define USB_TP_TRANSMISSION_DELAY	40	/* ns */
- #define USB_TP_TRANSMISSION_DELAY_MAX	65535	/* ns */
-
-+extern int deny_new_usb;
-+
- /* Protect struct usb_device->state and ->children members
-  * Note: Both are also protected by ->dev.sem, except that ->state can
-  * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
-@@ -4847,6 +4849,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
-			goto done;
-		return;
-	}
-+
-+	if (deny_new_usb) {
-+		dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
-+		goto done;
-+	}
-+
-	if (hub_is_superspeed(hub->hdev))
-		unit_load = 150;
-	else
-diff --git a/fs/exec.c b/fs/exec.c
-index 7eb8d21bcab9..171f31b3bf05 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -62,6 +62,7 @@
- #include <linux/oom.h>
- #include <linux/compat.h>
- #include <linux/vmalloc.h>
-+#include <linux/random.h>
-
- #include <linux/uaccess.h>
- #include <asm/mmu_context.h>
-@@ -321,6 +322,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
-	arch_bprm_mm_init(mm, vma);
-	up_write(&mm->mmap_sem);
-	bprm->p = vma->vm_end - sizeof(void *);
-+	if (randomize_va_space)
-+		bprm->p ^= get_random_int() & ~PAGE_MASK;
-	return 0;
- err:
-	up_write(&mm->mmap_sem);
-diff --git a/fs/namei.c b/fs/namei.c
-index b61d6aa9279d..255c2dc36189 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -883,8 +883,8 @@ static inline void put_link(struct nameidata *nd)
-		path_put(&last->link);
- }
-
--int sysctl_protected_symlinks __read_mostly = 0;
--int sysctl_protected_hardlinks __read_mostly = 0;
-+int sysctl_protected_symlinks __read_mostly = 1;
-+int sysctl_protected_hardlinks __read_mostly = 1;
-
- /**
-  * may_follow_link - Check symlink following for unsafe situations
-diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
-index 5f93cfacb3d1..cea0d7d3b23e 100644
---- a/fs/nfs/Kconfig
-+++ b/fs/nfs/Kconfig
-@@ -195,4 +195,3 @@ config NFS_DEBUG
-	bool
-	depends on NFS_FS && SUNRPC_DEBUG
-	select CRC32
--	default y
-diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
-index 1ade1206bb89..60b0f76dec47 100644
---- a/fs/proc/Kconfig
-+++ b/fs/proc/Kconfig
-@@ -39,7 +39,6 @@ config PROC_KCORE
- config PROC_VMCORE
-	bool "/proc/vmcore support"
-	depends on PROC_FS && CRASH_DUMP
--	default y
-         help
-         Exports the dump image of crashed kernel in ELF format.
-
-diff --git a/fs/stat.c b/fs/stat.c
-index 873785dae022..d3c2ada8b9c7 100644
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -40,8 +40,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
-	stat->gid = inode->i_gid;
-	stat->rdev = inode->i_rdev;
-	stat->size = i_size_read(inode);
--	stat->atime = inode->i_atime;
--	stat->mtime = inode->i_mtime;
-+	if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
-+		stat->atime = inode->i_ctime;
-+		stat->mtime = inode->i_ctime;
-+	} else {
-+		stat->atime = inode->i_atime;
-+		stat->mtime = inode->i_mtime;
-+	}
-	stat->ctime = inode->i_ctime;
-	stat->blksize = i_blocksize(inode);
-	stat->blocks = inode->i_blocks;
-@@ -75,9 +80,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
-	stat->result_mask |= STATX_BASIC_STATS;
-	request_mask &= STATX_ALL;
-	query_flags &= KSTAT_QUERY_FLAGS;
--	if (inode->i_op->getattr)
--		return inode->i_op->getattr(path, stat, request_mask,
--					    query_flags);
-+	if (inode->i_op->getattr) {
-+		int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
-+		if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
-+			stat->atime = stat->ctime;
-+			stat->mtime = stat->ctime;
-+		}
-+		return retval;
-+	}
-
-	generic_fillattr(inode, stat);
-	return 0;
-diff --git a/include/linux/cache.h b/include/linux/cache.h
-index 750621e41d1c..e7157c18c62c 100644
---- a/include/linux/cache.h
-+++ b/include/linux/cache.h
-@@ -31,6 +31,8 @@
- #define __ro_after_init __attribute__((__section__(".data..ro_after_init")))
- #endif
-
-+#define __read_only __ro_after_init
-+
- #ifndef ____cacheline_aligned
- #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
- #endif
-diff --git a/include/linux/capability.h b/include/linux/capability.h
-index f640dcbc880c..2b4f5d651f19 100644
---- a/include/linux/capability.h
-+++ b/include/linux/capability.h
-@@ -207,6 +207,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
- extern bool has_ns_capability_noaudit(struct task_struct *t,
-				      struct user_namespace *ns, int cap);
- extern bool capable(int cap);
-+extern bool capable_noaudit(int cap);
- extern bool ns_capable(struct user_namespace *ns, int cap);
- extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
- #else
-@@ -232,6 +233,10 @@ static inline bool capable(int cap)
- {
-	return true;
- }
-+static inline bool capable_noaudit(int cap)
-+{
-+	return true;
-+}
- static inline bool ns_capable(struct user_namespace *ns, int cap)
- {
-	return true;
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index c6baf767619e..31904f3d38a6 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -3407,4 +3407,15 @@ static inline bool dir_relax_shared(struct inode *inode)
- extern bool path_noexec(const struct path *path);
- extern void inode_nohighmem(struct inode *inode);
-
-+extern int device_sidechannel_restrict;
-+
-+static inline bool is_sidechannel_device(const struct inode *inode)
-+{
-+	umode_t mode;
-+	if (!device_sidechannel_restrict)
-+		return false;
-+	mode = inode->i_mode;
-+	return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
-+}
-+
- #endif /* _LINUX_FS_H */
-diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
-index bdaf22582f6e..326ff15d4637 100644
---- a/include/linux/fsnotify.h
-+++ b/include/linux/fsnotify.h
-@@ -181,6 +181,9 @@ static inline void fsnotify_access(struct file *file)
-	struct inode *inode = path->dentry->d_inode;
-	__u32 mask = FS_ACCESS;
-
-+	if (is_sidechannel_device(inode))
-+		return;
-+
-	if (S_ISDIR(inode->i_mode))
-		mask |= FS_ISDIR;
-
-@@ -199,6 +202,9 @@ static inline void fsnotify_modify(struct file *file)
-	struct inode *inode = path->dentry->d_inode;
-	__u32 mask = FS_MODIFY;
-
-+	if (is_sidechannel_device(inode))
-+		return;
-+
-	if (S_ISDIR(inode->i_mode))
-		mask |= FS_ISDIR;
-
-diff --git a/include/linux/gfp.h b/include/linux/gfp.h
-index 1a4582b44d32..4d445a8fe7f2 100644
---- a/include/linux/gfp.h
-+++ b/include/linux/gfp.h
-@@ -513,9 +513,9 @@ extern struct page *alloc_pages_vma(gfp_t gfp_mask, int order,
- extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
- extern unsigned long get_zeroed_page(gfp_t gfp_mask);
-
--void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
-+void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
- void free_pages_exact(void *virt, size_t size);
--void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
-+void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
-
- #define __get_free_page(gfp_mask) \
-		__get_free_pages((gfp_mask), 0)
-diff --git a/include/linux/highmem.h b/include/linux/highmem.h
-index 776f90f3a1cd..3f5c47000059 100644
---- a/include/linux/highmem.h
-+++ b/include/linux/highmem.h
-@@ -191,6 +191,13 @@ static inline void clear_highpage(struct page *page)
-	kunmap_atomic(kaddr);
- }
-
-+static inline void verify_zero_highpage(struct page *page)
-+{
-+	void *kaddr = kmap_atomic(page);
-+	BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
-+	kunmap_atomic(kaddr);
-+}
-+
- static inline void zero_user_segments(struct page *page,
-	unsigned start1, unsigned end1,
-	unsigned start2, unsigned end2)
-diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
-index 69c238210325..ee487ea4f48f 100644
---- a/include/linux/interrupt.h
-+++ b/include/linux/interrupt.h
-@@ -485,7 +485,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
-
- struct softirq_action
- {
--	void	(*action)(struct softirq_action *);
-+	void	(*action)(void);
- };
-
- asmlinkage void do_softirq(void);
-@@ -500,7 +500,7 @@ static inline void do_softirq_own_stack(void)
- }
- #endif
-
--extern void open_softirq(int nr, void (*action)(struct softirq_action *));
-+extern void __init open_softirq(int nr, void (*action)(void));
- extern void softirq_init(void);
- extern void __raise_softirq_irqoff(unsigned int nr);
-
-diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
-index 069aa2ebef90..cb9e3637a620 100644
---- a/include/linux/kobject_ns.h
-+++ b/include/linux/kobject_ns.h
-@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
-	void (*drop_ns)(void *);
- };
-
--int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
-+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
- int kobj_ns_type_registered(enum kobj_ns_type type);
- const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
- const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index a4e9bdbec490..0fe7ebd0f462 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -535,7 +535,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
- }
- #endif
-
--extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
-+extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
- static inline void *kvmalloc(size_t size, gfp_t flags)
- {
-	return kvmalloc_node(size, flags, NUMA_NO_NODE);
-diff --git a/include/linux/percpu.h b/include/linux/percpu.h
-index 296bbe49d5d1..b26652c9a98d 100644
---- a/include/linux/percpu.h
-+++ b/include/linux/percpu.h
-@@ -129,7 +129,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
-				pcpu_fc_populate_pte_fn_t populate_pte_fn);
- #endif
-
--extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
-+extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
- extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
- extern bool is_kernel_percpu_address(unsigned long addr);
-
-@@ -137,8 +137,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
- extern void __init setup_per_cpu_areas(void);
- #endif
-
--extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
--extern void __percpu *__alloc_percpu(size_t size, size_t align);
-+extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
-+extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
- extern void free_percpu(void __percpu *__pdata);
- extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
-
-diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 7546822a1d74..320033b310d2 100644
---- a/include/linux/perf_event.h
-+++ b/include/linux/perf_event.h
-@@ -1151,6 +1151,11 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
- int perf_event_max_stack_handler(struct ctl_table *table, int write,
-				 void __user *buffer, size_t *lenp, loff_t *ppos);
-
-+static inline bool perf_paranoid_any(void)
-+{
-+	return sysctl_perf_event_paranoid > 2;
-+}
-+
- static inline bool perf_paranoid_tracepoint_raw(void)
- {
-	return sysctl_perf_event_paranoid > -1;
-diff --git a/include/linux/slab.h b/include/linux/slab.h
-index 231abc8976c5..b0bf5d4a4934 100644
---- a/include/linux/slab.h
-+++ b/include/linux/slab.h
-@@ -177,8 +177,8 @@ void memcg_destroy_kmem_caches(struct mem_cgroup *);
- /*
-  * Common kmalloc functions provided by all allocators
-  */
--void * __must_check __krealloc(const void *, size_t, gfp_t);
--void * __must_check krealloc(const void *, size_t, gfp_t);
-+void * __must_check __krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));
-+void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
- void kfree(const void *);
- void kzfree(const void *);
- size_t ksize(const void *);
-@@ -351,7 +351,7 @@ static __always_inline int kmalloc_index(size_t size)
- }
- #endif /* !CONFIG_SLOB */
-
--void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
-+void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
- void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
- void kmem_cache_free(struct kmem_cache *, void *);
-
-@@ -375,7 +375,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
- }
-
- #ifdef CONFIG_NUMA
--void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
-+void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
- void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
- #else
- static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
-@@ -497,7 +497,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
-  * for general use, and so are not documented here. For a full list of
-  * potential flags, always refer to linux/gfp.h.
-  */
--static __always_inline void *kmalloc(size_t size, gfp_t flags)
-+static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
- {
-	if (__builtin_constant_p(size)) {
-		if (size > KMALLOC_MAX_CACHE_SIZE)
-@@ -537,7 +537,7 @@ static __always_inline int kmalloc_size(int n)
-	return 0;
- }
-
--static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
-+static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
- {
- #ifndef CONFIG_SLOB
-	if (__builtin_constant_p(size) &&
-diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
-index 8ad99c47b19c..91fea0d0db3b 100644
---- a/include/linux/slub_def.h
-+++ b/include/linux/slub_def.h
-@@ -120,6 +120,11 @@ struct kmem_cache {
-	unsigned long random;
- #endif
-
-+#ifdef CONFIG_SLAB_CANARY
-+	unsigned long random_active;
-+	unsigned long random_inactive;
-+#endif
-+
- #ifdef CONFIG_NUMA
-	/*
-	 * Defragmentation by allocating from a remote node.
-diff --git a/include/linux/string.h b/include/linux/string.h
-index dd39a690c841..00d16d874c0a 100644
---- a/include/linux/string.h
-+++ b/include/linux/string.h
-@@ -235,10 +235,16 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
- void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
- void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
-
-+#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
-+#define __string_size(p) __builtin_object_size(p, 1)
-+#else
-+#define __string_size(p) __builtin_object_size(p, 0)
-+#endif
-+
- #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
- __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	if (__builtin_constant_p(size) && p_size < size)
-		__write_overflow();
-	if (p_size < size)
-@@ -248,7 +254,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
-
- __FORTIFY_INLINE char *strcat(char *p, const char *q)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	if (p_size == (size_t)-1)
-		return __builtin_strcat(p, q);
-	if (strlcat(p, q, p_size) >= p_size)
-@@ -259,7 +265,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
- __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
- {
-	__kernel_size_t ret;
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-
-	/* Work around gcc excess stack consumption issue */
-	if (p_size == (size_t)-1 ||
-@@ -274,7 +280,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
- extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
- __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
- {
--	size_t p_size = __builtin_object_size(p, 0);
-+	size_t p_size = __string_size(p);
-	__kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
-	if (p_size <= ret && maxlen != ret)
-		fortify_panic(__func__);
-@@ -286,8 +292,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
- __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
- {
-	size_t ret;
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __real_strlcpy(p, q, size);
-	ret = strlen(q);
-@@ -307,8 +313,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
- __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
- {
-	size_t p_len, copy_len;
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __builtin_strncat(p, q, count);
-	p_len = strlen(p);
-@@ -421,8 +427,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
- /* defined after fortified strlen and memcpy to reuse them */
- __FORTIFY_INLINE char *strcpy(char *p, const char *q)
- {
--	size_t p_size = __builtin_object_size(p, 0);
--	size_t q_size = __builtin_object_size(q, 0);
-+	size_t p_size = __string_size(p);
-+	size_t q_size = __string_size(q);
-	if (p_size == (size_t)-1 && q_size == (size_t)-1)
-		return __builtin_strcpy(p, q);
-	memcpy(p, q, strlen(q) + 1);
-diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
-index 1e5d8c392f15..66d0e49c9987 100644
---- a/include/linux/vmalloc.h
-+++ b/include/linux/vmalloc.h
-@@ -68,19 +68,19 @@ static inline void vmalloc_init(void)
- }
- #endif
-
--extern void *vmalloc(unsigned long size);
--extern void *vzalloc(unsigned long size);
--extern void *vmalloc_user(unsigned long size);
--extern void *vmalloc_node(unsigned long size, int node);
--extern void *vzalloc_node(unsigned long size, int node);
--extern void *vmalloc_exec(unsigned long size);
--extern void *vmalloc_32(unsigned long size);
--extern void *vmalloc_32_user(unsigned long size);
--extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
-+extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
-+extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
-+extern void *vmalloc_exec(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
-+extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot) __attribute__((alloc_size(1)));
- extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
-			unsigned long start, unsigned long end, gfp_t gfp_mask,
-			pgprot_t prot, unsigned long vm_flags, int node,
--			const void *caller);
-+			const void *caller) __attribute__((alloc_size(1)));
- #ifndef CONFIG_MMU
- extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags);
- static inline void *__vmalloc_node_flags_caller(unsigned long size, int node,
-diff --git a/init/Kconfig b/init/Kconfig
-index e37f4b2a6445..49c20dea1afd 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -296,6 +296,7 @@ config USELIB
- config AUDIT
-	bool "Auditing support"
-	depends on NET
-+	default y
-	help
-	  Enable auditing infrastructure that can be used with another
-	  kernel subsystem, such as SELinux (which requires this for
-@@ -1039,6 +1040,12 @@ config CC_OPTIMIZE_FOR_SIZE
-
- endchoice
-
-+config LOCAL_INIT
-+	bool "Zero uninitialized locals"
-+	help
-+	  Zero-fill uninitialized local variables, other than variable-length
-+	  arrays. Requires compiler support.
-+
- config SYSCTL
-	bool
-
-@@ -1296,8 +1303,7 @@ config SHMEM
-	  which may be appropriate on small systems without swap.
-
- config AIO
--	bool "Enable AIO support" if EXPERT
--	default y
-+	bool "Enable AIO support"
-	help
-	  This option enables POSIX asynchronous I/O which may by used
-	  by some high performance threaded applications. Disabling
-@@ -1502,7 +1508,7 @@ config VM_EVENT_COUNTERS
-
- config SLUB_DEBUG
-	default y
--	bool "Enable SLUB debugging support" if EXPERT
-+	bool "Enable SLUB debugging support"
-	depends on SLUB && SYSFS
-	help
-	  SLUB has extensive debug support features. Disabling these can
-@@ -1526,7 +1532,6 @@ config SLUB_MEMCG_SYSFS_ON
-
- config COMPAT_BRK
-	bool "Disable heap randomization"
--	default y
-	help
-	  Randomizing heap placement makes heap exploits harder, but it
-	  also breaks ancient binaries (including anything libc5 based).
-@@ -1573,7 +1578,6 @@ endchoice
-
- config SLAB_MERGE_DEFAULT
-	bool "Allow slab caches to be merged"
--	default y
-	help
-	  For reduced kernel memory fragmentation, slab caches can be
-	  merged when they share the same size and other characteristics.
-@@ -1586,9 +1590,9 @@ config SLAB_MERGE_DEFAULT
-	  command line.
-
- config SLAB_FREELIST_RANDOM
--	default n
-	depends on SLAB || SLUB
-	bool "SLAB freelist randomization"
-+	default y
-	help
-	  Randomizes the freelist order used on creating new pages. This
-	  security feature reduces the predictability of the kernel slab
-@@ -1597,12 +1601,56 @@ config SLAB_FREELIST_RANDOM
- config SLAB_FREELIST_HARDENED
-	bool "Harden slab freelist metadata"
-	depends on SLUB
-+	default y
-	help
-	  Many kernel heap attacks try to target slab cache metadata and
-	  other infrastructure. This options makes minor performance
-	  sacrifies to harden the kernel slab allocator against common
-	  freelist exploit methods.
-
-+config SLAB_HARDENED
-+	default y
-+	depends on SLUB
-+	bool "Hardened SLAB infrastructure"
-+	help
-+          Make minor performance sacrifices to harden the kernel slab
-+          allocator.
-+
-+config SLAB_CANARY
-+	depends on SLUB
-+	depends on !SLAB_MERGE_DEFAULT
-+	bool "SLAB canaries"
-+	default y
-+	help
-+	  Place canaries at the end of kernel slab allocations, sacrificing
-+	  some performance and memory usage for security.
-+
-+	  Canaries can detect some forms of heap corruption when allocations
-+	  are freed and as part of the HARDENED_USERCOPY feature. It provides
-+	  basic use-after-free detection for HARDENED_USERCOPY.
-+
-+	  Canaries absorb small overflows (rendering them harmless), mitigate
-+	  non-NUL terminated C string overflows on 64-bit via a guaranteed zero
-+	  byte and provide basic double-free detection.
-+
-+config SLAB_SANITIZE
-+	bool "Sanitize SLAB allocations"
-+	depends on SLUB
-+	default y
-+	help
-+	  Zero fill slab allocations on free, reducing the lifetime of
-+	  sensitive data and helping to mitigate use-after-free bugs.
-+
-+	  For slabs with debug poisoning enabling, this has no impact.
-+
-+config SLAB_SANITIZE_VERIFY
-+	depends on SLAB_SANITIZE && PAGE_SANITIZE
-+	default y
-+	bool "Verify sanitized SLAB allocations"
-+	help
-+	  Verify that newly allocated slab allocations are zeroed to detect
-+	  write-after-free bugs.
-+
- config SLUB_CPU_PARTIAL
-	default y
-	depends on SLUB && SMP
-diff --git a/kernel/audit.c b/kernel/audit.c
-index 227db99b0f19..aec52b408543 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -1578,6 +1578,9 @@ static int __init audit_enable(char *str)
-
-	if (audit_default == AUDIT_OFF)
-		audit_initialized = AUDIT_DISABLED;
-+	else if (!audit_ever_enabled)
-+		audit_initialized = AUDIT_UNINITIALIZED;
-+
-	if (audit_set_enabled(audit_default))
-		panic("audit: error setting audit state (%d)\n", audit_default);
-
-diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
-index ba03ec39efb3..47ed9081b668 100644
---- a/kernel/bpf/core.c
-+++ b/kernel/bpf/core.c
-@@ -302,7 +302,7 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
- #ifdef CONFIG_BPF_JIT
- /* All BPF JIT sysctl knobs here. */
- int bpf_jit_enable   __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON);
--int bpf_jit_harden   __read_mostly;
-+int bpf_jit_harden   __read_mostly = 2;
- int bpf_jit_kallsyms __read_mostly;
-
- static __always_inline void
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 43f95d190eea..8e353f596873 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -42,7 +42,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
- static DEFINE_IDR(map_idr);
- static DEFINE_SPINLOCK(map_idr_lock);
-
--int sysctl_unprivileged_bpf_disabled __read_mostly;
-+int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
-
- static const struct bpf_map_ops * const bpf_map_types[] = {
- #define BPF_PROG_TYPE(_id, _ops)
-diff --git a/kernel/capability.c b/kernel/capability.c
-index 1e1c0236f55b..452062fe45ce 100644
---- a/kernel/capability.c
-+++ b/kernel/capability.c
-@@ -431,6 +431,12 @@ bool capable(int cap)
-	return ns_capable(&init_user_ns, cap);
- }
- EXPORT_SYMBOL(capable);
-+
-+bool capable_noaudit(int cap)
-+{
-+	return ns_capable_noaudit(&init_user_ns, cap);
-+}
-+EXPORT_SYMBOL(capable_noaudit);
- #endif /* CONFIG_MULTIUSER */
-
- /**
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index ca7298760c83..910ac6cc9f07 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -397,8 +397,13 @@ static cpumask_var_t perf_online_mask;
-  *   0 - disallow raw tracepoint access for unpriv
-  *   1 - disallow cpu events for unpriv
-  *   2 - disallow kernel profiling for unpriv
-+ *   3 - disallow all unpriv perf event use
-  */
-+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
-+int sysctl_perf_event_paranoid __read_mostly = 3;
-+#else
- int sysctl_perf_event_paranoid __read_mostly = 2;
-+#endif
-
- /* Minimum for 512 kiB + 1 user control page */
- int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9921,6 +9926,9 @@ SYSCALL_DEFINE5(perf_event_open,
-	if (flags & ~PERF_FLAG_ALL)
-		return -EINVAL;
-
-+	if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
-+		return -EACCES;
-+
-	err = perf_copy_attr(attr_uptr, &attr);
-	if (err)
-		return err;
-diff --git a/kernel/fork.c b/kernel/fork.c
-index e5d9d405ae4e..c4be89c51f25 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -103,6 +103,11 @@
-
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#else
-+#define unprivileged_userns_clone 0
-+#endif
-
- /*
-  * Minimum number of threads to boot the kernel
-@@ -1591,6 +1596,10 @@ static __latent_entropy struct task_struct *copy_process(
-	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
-		return ERR_PTR(-EINVAL);
-
-+	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
-+		if (!capable(CAP_SYS_ADMIN))
-+			return ERR_PTR(-EPERM);
-+
-	/*
-	 * Thread groups must share signals as well, and detached threads
-	 * can only be started up within the thread group.
-@@ -2385,6 +2394,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
-	if (unshare_flags & CLONE_NEWNS)
-		unshare_flags |= CLONE_FS;
-
-+	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
-+		err = -EPERM;
-+		if (!capable(CAP_SYS_ADMIN))
-+			goto bad_unshare_out;
-+	}
-+
-	err = check_unshare_flags(unshare_flags);
-	if (err)
-		goto bad_unshare_out;
-diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
-index 3d37c279c090..0789ca413f09 100644
---- a/kernel/power/snapshot.c
-+++ b/kernel/power/snapshot.c
-@@ -1138,7 +1138,7 @@ void free_basic_memory_bitmaps(void)
-
- void clear_free_pages(void)
- {
--#ifdef CONFIG_PAGE_POISONING_ZERO
-+#if defined(CONFIG_PAGE_POISONING_ZERO) || defined(CONFIG_PAGE_SANITIZE)
-	struct memory_bitmap *bm = free_pages_map;
-	unsigned long pfn;
-
-@@ -1155,7 +1155,7 @@ void clear_free_pages(void)
-	}
-	memory_bm_position_reset(bm);
-	pr_info("free pages cleared after restore\n");
--#endif /* PAGE_POISONING_ZERO */
-+#endif /* PAGE_POISONING_ZERO || PAGE_SANITIZE */
- }
-
- /**
-diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
-index a64eee0db39e..4d7de378fe4c 100644
---- a/kernel/rcu/tiny.c
-+++ b/kernel/rcu/tiny.c
-@@ -164,7 +164,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
-	}
- }
-
--static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
-+static __latent_entropy void rcu_process_callbacks(void)
- {
-	__rcu_process_callbacks(&rcu_sched_ctrlblk);
-	__rcu_process_callbacks(&rcu_bh_ctrlblk);
-diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index 491bdf39f276..28f51c774671 100644
---- a/kernel/rcu/tree.c
-+++ b/kernel/rcu/tree.c
-@@ -2906,7 +2906,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
- /*
-  * Do RCU core processing for the current CPU.
-  */
--static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
-+static __latent_entropy void rcu_process_callbacks(void)
- {
-	struct rcu_state *rsp;
-
-diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 5eb3ffc9be84..a60c59cbbaee 100644
---- a/kernel/sched/fair.c
-+++ b/kernel/sched/fair.c
-@@ -9387,7 +9387,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { }
-  * run_rebalance_domains is triggered when needed from the scheduler tick.
-  * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
-  */
--static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
-+static __latent_entropy void run_rebalance_domains(void)
- {
-	struct rq *this_rq = this_rq();
-	enum cpu_idle_type idle = this_rq->idle_balance ?
-diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 24d243ef8e71..4ed8a162cd70 100644
---- a/kernel/softirq.c
-+++ b/kernel/softirq.c
-@@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
- EXPORT_SYMBOL(irq_stat);
- #endif
-
--static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
-+static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
-
- DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
-
-@@ -282,7 +282,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
-		kstat_incr_softirqs_this_cpu(vec_nr);
-
-		trace_softirq_entry(vec_nr);
--		h->action(h);
-+		h->action();
-		trace_softirq_exit(vec_nr);
-		if (unlikely(prev_count != preempt_count())) {
-			pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
-@@ -444,7 +444,7 @@ void __raise_softirq_irqoff(unsigned int nr)
-	or_softirq_pending(1UL << nr);
- }
-
--void open_softirq(int nr, void (*action)(struct softirq_action *))
-+void __init open_softirq(int nr, void (*action)(void))
- {
-	softirq_vec[nr].action = action;
- }
-@@ -486,7 +486,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
- }
- EXPORT_SYMBOL(__tasklet_hi_schedule);
-
--static __latent_entropy void tasklet_action(struct softirq_action *a)
-+static __latent_entropy void tasklet_action(void)
- {
-	struct tasklet_struct *list;
-
-@@ -522,7 +522,7 @@ static __latent_entropy void tasklet_action(struct softirq_action *a)
-	}
- }
-
--static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
-+static __latent_entropy void tasklet_hi_action(void)
- {
-	struct tasklet_struct *list;
-
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index f98f28c12020..861e8b721161 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -99,12 +99,19 @@
- #if defined(CONFIG_SYSCTL)
-
- /* External variables not in a header file. */
-+#if IS_ENABLED(CONFIG_USB)
-+int deny_new_usb __read_mostly = 0;
-+EXPORT_SYMBOL(deny_new_usb);
-+#endif
- extern int suid_dumpable;
- #ifdef CONFIG_COREDUMP
- extern int core_uses_pid;
- extern char core_pattern[];
- extern unsigned int core_pipe_limit;
- #endif
-+#ifdef CONFIG_USER_NS
-+extern int unprivileged_userns_clone;
-+#endif
- extern int pid_max;
- extern int pid_max_min, pid_max_max;
- extern int percpu_pagelist_fraction;
-@@ -116,40 +123,43 @@ extern int sysctl_nr_trim_pages;
-
- /* Constants used for minimum and  maximum */
- #ifdef CONFIG_LOCKUP_DETECTOR
--static int sixty = 60;
-+static int sixty __read_only = 60;
- #endif
-
--static int __maybe_unused neg_one = -1;
-+static int __maybe_unused neg_one __read_only = -1;
-
- static int zero;
--static int __maybe_unused one = 1;
--static int __maybe_unused two = 2;
--static int __maybe_unused four = 4;
--static unsigned long one_ul = 1;
--static int one_hundred = 100;
--static int one_thousand = 1000;
-+static int __maybe_unused one __read_only = 1;
-+static int __maybe_unused two __read_only = 2;
-+static int __maybe_unused four __read_only = 4;
-+static unsigned long one_ul __read_only = 1;
-+static int one_hundred __read_only = 100;
-+static int one_thousand __read_only = 1000;
- #ifdef CONFIG_PRINTK
--static int ten_thousand = 10000;
-+static int ten_thousand __read_only = 10000;
- #endif
- #ifdef CONFIG_PERF_EVENTS
--static int six_hundred_forty_kb = 640 * 1024;
-+static int six_hundred_forty_kb __read_only = 640 * 1024;
- #endif
-
- /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
--static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
-+static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
-
- /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
--static int maxolduid = 65535;
--static int minolduid;
-+static int maxolduid __read_only = 65535;
-+static int minolduid __read_only;
-
--static int ngroups_max = NGROUPS_MAX;
-+static int ngroups_max __read_only = NGROUPS_MAX;
- static const int cap_last_cap = CAP_LAST_CAP;
-
- /*this is needed for proc_doulongvec_minmax of sysctl_hung_task_timeout_secs */
- #ifdef CONFIG_DETECT_HUNG_TASK
--static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
-+static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
- #endif
-
-+int device_sidechannel_restrict __read_mostly = 1;
-+EXPORT_SYMBOL(device_sidechannel_restrict);
-+
- #ifdef CONFIG_INOTIFY_USER
- #include <linux/inotify.h>
- #endif
-@@ -289,19 +299,19 @@ static struct ctl_table sysctl_base_table[] = {
- };
-
- #ifdef CONFIG_SCHED_DEBUG
--static int min_sched_granularity_ns = 100000;		/* 100 usecs */
--static int max_sched_granularity_ns = NSEC_PER_SEC;	/* 1 second */
--static int min_wakeup_granularity_ns;			/* 0 usecs */
--static int max_wakeup_granularity_ns = NSEC_PER_SEC;	/* 1 second */
-+static int min_sched_granularity_ns __read_only = 100000;		/* 100 usecs */
-+static int max_sched_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
-+static int min_wakeup_granularity_ns __read_only;			/* 0 usecs */
-+static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC;	/* 1 second */
- #ifdef CONFIG_SMP
--static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
--static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
-+static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
-+static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
- #endif /* CONFIG_SMP */
- #endif /* CONFIG_SCHED_DEBUG */
-
- #ifdef CONFIG_COMPACTION
--static int min_extfrag_threshold;
--static int max_extfrag_threshold = 1000;
-+static int min_extfrag_threshold __read_only;
-+static int max_extfrag_threshold __read_only = 1000;
- #endif
-
- static struct ctl_table kern_table[] = {
-@@ -515,6 +525,15 @@ static struct ctl_table kern_table[] = {
-		.proc_handler	= proc_dointvec,
-	},
- #endif
-+#ifdef CONFIG_USER_NS
-+	{
-+		.procname	= "unprivileged_userns_clone",
-+		.data		= &unprivileged_userns_clone,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec,
-+	},
-+#endif
- #ifdef CONFIG_PROC_SYSCTL
-	{
-		.procname	= "tainted",
-@@ -856,6 +875,26 @@ static struct ctl_table kern_table[] = {
-		.extra1		= &zero,
-		.extra2		= &two,
-	},
-+#endif
-+	{
-+		.procname	= "device_sidechannel_restrict",
-+		.data		= &device_sidechannel_restrict,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec_minmax_sysadmin,
-+		.extra1		= &zero,
-+		.extra2		= &one,
-+	},
-+#if IS_ENABLED(CONFIG_USB)
-+	{
-+		.procname	= "deny_new_usb",
-+		.data		= &deny_new_usb,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0644,
-+		.proc_handler	= proc_dointvec_minmax_sysadmin,
-+		.extra1		= &zero,
-+		.extra2		= &one,
-+	},
- #endif
-	{
-		.procname	= "ngroups_max",
-diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
-index 23788100e214..5577a58d1c7a 100644
---- a/kernel/time/hrtimer.c
-+++ b/kernel/time/hrtimer.c
-@@ -1413,7 +1413,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
-	}
- }
-
--static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
-+static __latent_entropy void hrtimer_run_softirq(void)
- {
-	struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
-	unsigned long flags;
-diff --git a/kernel/time/timer.c b/kernel/time/timer.c
-index 4a4fd567fb26..be236ef42690 100644
---- a/kernel/time/timer.c
-+++ b/kernel/time/timer.c
-@@ -1672,7 +1672,7 @@ static inline void __run_timers(struct timer_base *base)
- /*
-  * This function runs timers and the timer-tq in bottom half context.
-  */
--static __latent_entropy void run_timer_softirq(struct softirq_action *h)
-+static __latent_entropy void run_timer_softirq(void)
- {
-	struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
-
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 246d4d4ce5c7..f64432b45cec 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -26,6 +26,9 @@
- #include <linux/bsearch.h>
- #include <linux/sort.h>
-
-+/* sysctl */
-+int unprivileged_userns_clone;
-+
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
-
-diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
-index 64155e310a9f..0c002bbb8f75 100644
---- a/lib/Kconfig.debug
-+++ b/lib/Kconfig.debug
-@@ -945,6 +945,7 @@ endmenu # "Debug lockups and hangs"
-
- config PANIC_ON_OOPS
-	bool "Panic on Oops"
-+	default y
-	help
-	  Say Y here to enable the kernel to panic when it oopses. This
-	  has the same effect as setting oops=panic on the kernel command
-@@ -954,7 +955,7 @@ config PANIC_ON_OOPS
-	  anything erroneous after an oops which could result in data
-	  corruption or other issues.
-
--	  Say N if unsure.
-+	  Say Y if unsure.
-
- config PANIC_ON_OOPS_VALUE
-	int
-@@ -1309,6 +1310,7 @@ config DEBUG_BUGVERBOSE
- config DEBUG_LIST
-	bool "Debug linked list manipulation"
-	depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
-+	default y
-	help
-	  Enable this to turn on extended checks in the linked-list
-	  walking routines.
-@@ -1949,6 +1951,7 @@ config MEMTEST
- config BUG_ON_DATA_CORRUPTION
-	bool "Trigger a BUG when data corruption is detected"
-	select DEBUG_LIST
-+	default y
-	help
-	  Select this option if the kernel should BUG when it encounters
-	  data corruption in kernel memory structures when they get checked
-@@ -1988,6 +1991,7 @@ config STRICT_DEVMEM
- config IO_STRICT_DEVMEM
-	bool "Filter I/O access to /dev/mem"
-	depends on STRICT_DEVMEM
-+	default y
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  io-memory regardless of whether a driver is actively using that
-diff --git a/lib/irq_poll.c b/lib/irq_poll.c
-index 86a709954f5a..6f15787fcb1b 100644
---- a/lib/irq_poll.c
-+++ b/lib/irq_poll.c
-@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
- }
- EXPORT_SYMBOL(irq_poll_complete);
-
--static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
-+static void __latent_entropy irq_poll_softirq(void)
- {
-	struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
-	int rearm = 0, budget = irq_poll_budget;
-diff --git a/lib/kobject.c b/lib/kobject.c
-index d20a97a7e168..7afe7fcfa6c9 100644
---- a/lib/kobject.c
-+++ b/lib/kobject.c
-@@ -954,9 +954,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
-
-
- static DEFINE_SPINLOCK(kobj_ns_type_lock);
--static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
-+static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
-
--int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
-+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
- {
-	enum kobj_ns_type type = ops->type;
-	int error;
-diff --git a/lib/nlattr.c b/lib/nlattr.c
-index dfa55c873c13..c6b0436f473d 100644
---- a/lib/nlattr.c
-+++ b/lib/nlattr.c
-@@ -364,6 +364,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
- {
-	int minlen = min_t(int, count, nla_len(src));
-
-+	BUG_ON(minlen < 0);
-+
-	memcpy(dest, nla_data(src), minlen);
-	if (count > minlen)
-		memset(dest + minlen, 0, count - minlen);
-diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index 38b509cc6b46..6b3bf13d57d6 100644
---- a/lib/vsprintf.c
-+++ b/lib/vsprintf.c
-@@ -1344,7 +1344,7 @@ char *uuid_string(char *buf, char *end, const u8 *addr,
-	return string(buf, end, uuid, spec);
- }
-
--int kptr_restrict __read_mostly;
-+int kptr_restrict __read_mostly = 2;
-
- static noinline_for_stack
- char *restricted_pointer(char *buf, char *end, const void *ptr,
-diff --git a/mm/Kconfig b/mm/Kconfig
-index e07608f64d47..18937911b87a 100644
---- a/mm/Kconfig
-+++ b/mm/Kconfig
-@@ -319,7 +319,8 @@ config KSM
- config DEFAULT_MMAP_MIN_ADDR
-         int "Low address space to protect from user allocation"
-	depends on MMU
--        default 4096
-+	default 32768 if ARM || (ARM64 && COMPAT)
-+	default 65536
-         help
-	  This is the portion of low virtual memory which should be protected
-	  from userspace allocation.  Keeping a user from writing to low pages
-diff --git a/mm/mmap.c b/mm/mmap.c
-index 03ca089cce0f..9bf52aa6b042 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -220,6 +220,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
-
-	newbrk = PAGE_ALIGN(brk);
-	oldbrk = PAGE_ALIGN(mm->brk);
-+	/* properly handle unaligned min_brk as an empty heap */
-+	if (min_brk & ~PAGE_MASK) {
-+		if (brk == min_brk)
-+			newbrk -= PAGE_SIZE;
-+		if (mm->brk == min_brk)
-+			oldbrk -= PAGE_SIZE;
-+	}
-	if (oldbrk == newbrk)
-		goto set_brk;
-
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 1741dd23e7c1..462ce9910e43 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -68,6 +68,7 @@
- #include <linux/ftrace.h>
- #include <linux/lockdep.h>
- #include <linux/nmi.h>
-+#include <linux/random.h>
-
- #include <asm/sections.h>
- #include <asm/tlbflush.h>
-@@ -101,6 +102,15 @@ int _node_numa_mem_[MAX_NUMNODES];
- DEFINE_MUTEX(pcpu_drain_mutex);
- DEFINE_PER_CPU(struct work_struct, pcpu_drain);
-
-+bool __meminitdata extra_latent_entropy;
-+
-+static int __init setup_extra_latent_entropy(char *str)
-+{
-+	extra_latent_entropy = true;
-+	return 0;
-+}
-+early_param("extra_latent_entropy", setup_extra_latent_entropy);
-+
- #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
- volatile unsigned long latent_entropy __latent_entropy;
- EXPORT_SYMBOL(latent_entropy);
-@@ -1069,6 +1079,13 @@ static __always_inline bool free_pages_prepare(struct page *page,
-		debug_check_no_obj_freed(page_address(page),
-					   PAGE_SIZE << order);
-	}
-+
-+	if (IS_ENABLED(CONFIG_PAGE_SANITIZE)) {
-+		int i;
-+		for (i = 0; i < (1 << order); i++)
-+			clear_highpage(page + i);
-+	}
-+
-	arch_free_page(page, order);
-	kernel_poison_pages(page, 1 << order, 0);
-	kernel_map_pages(page, 1 << order, 0);
-@@ -1286,6 +1303,21 @@ static void __init __free_pages_boot_core(struct page *page, unsigned int order)
-	__ClearPageReserved(p);
-	set_page_count(p, 0);
-
-+	if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
-+		unsigned long hash = 0;
-+		size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
-+		const unsigned long *data = lowmem_page_address(page);
-+
-+		for (index = 0; index < end; index++)
-+			hash ^= hash + data[index];
-+#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
-+		latent_entropy ^= hash;
-+		add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
-+#else
-+		add_device_randomness((const void *)&hash, sizeof(hash));
-+#endif
-+	}
-+
-	page_zone(page)->managed_pages += nr_pages;
-	set_page_refcounted(page);
-	__free_pages(page, order);
-@@ -1754,8 +1786,8 @@ static inline int check_new_page(struct page *page)
-
- static inline bool free_pages_prezeroed(void)
- {
--	return IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) &&
--		page_poisoning_enabled();
-+	return IS_ENABLED(CONFIG_PAGE_SANITIZE) ||
-+		(IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && page_poisoning_enabled());
- }
-
- #ifdef CONFIG_DEBUG_VM
-@@ -1812,6 +1844,11 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
-
-	post_alloc_hook(page, order, gfp_flags);
-
-+	if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY)) {
-+		for (i = 0; i < (1 << order); i++)
-+			verify_zero_highpage(page + i);
-+	}
-+
-	if (!free_pages_prezeroed() && (gfp_flags & __GFP_ZERO))
-		for (i = 0; i < (1 << order); i++)
-			clear_highpage(page + i);
-diff --git a/mm/slab.h b/mm/slab.h
-index 51813236e773..e0d1b194a454 100644
---- a/mm/slab.h
-+++ b/mm/slab.h
-@@ -312,7 +312,11 @@ static inline bool is_root_cache(struct kmem_cache *s)
- static inline bool slab_equal_or_root(struct kmem_cache *s,
-				      struct kmem_cache *p)
- {
-+#ifdef CONFIG_SLAB_HARDENED
-+	return p == s;
-+#else
-	return true;
-+#endif
- }
-
- static inline const char *cache_name(struct kmem_cache *s)
-@@ -364,18 +368,26 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
-	 * to not do even the assignment. In that case, slab_equal_or_root
-	 * will also be a constant.
-	 */
--	if (!memcg_kmem_enabled() &&
-+	if (!IS_ENABLED(CONFIG_SLAB_HARDENED) &&
-+	    !memcg_kmem_enabled() &&
-	    !unlikely(s->flags & SLAB_CONSISTENCY_CHECKS))
-		return s;
-
-	page = virt_to_head_page(x);
-+#ifdef CONFIG_SLAB_HARDENED
-+	BUG_ON(!PageSlab(page));
-+#endif
-	cachep = page->slab_cache;
-	if (slab_equal_or_root(cachep, s))
-		return cachep;
-
-	pr_err("%s: Wrong slab cache. %s but object is from %s\n",
-	       __func__, s->name, cachep->name);
-+#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
-+	BUG_ON(1);
-+#else
-	WARN_ON_ONCE(1);
-+#endif
-	return s;
- }
-
-@@ -400,7 +412,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
-	 * back there or track user information then we can
-	 * only use the space before that information.
-	 */
--	if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
-+	if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
-		return s->inuse;
-	/*
-	 * Else we can use all the padding etc for the allocation
-diff --git a/mm/slab_common.c b/mm/slab_common.c
-index 10f127b2de7c..3637ef72c5b4 100644
---- a/mm/slab_common.c
-+++ b/mm/slab_common.c
-@@ -26,10 +26,10 @@
-
- #include "slab.h"
-
--enum slab_state slab_state;
-+enum slab_state slab_state __ro_after_init;
- LIST_HEAD(slab_caches);
- DEFINE_MUTEX(slab_mutex);
--struct kmem_cache *kmem_cache;
-+struct kmem_cache *kmem_cache __ro_after_init;
-
- #ifdef CONFIG_HARDENED_USERCOPY
- bool usercopy_fallback __ro_after_init =
-@@ -57,7 +57,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
- /*
-  * Merge control. If this is set then no merging of slab caches will occur.
-  */
--static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
-+static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
-
- static int __init setup_slab_nomerge(char *str)
- {
-@@ -968,7 +968,7 @@ EXPORT_SYMBOL(kmalloc_dma_caches);
-  * of two cache sizes there. The size of larger slabs can be determined using
-  * fls.
-  */
--static s8 size_index[24] = {
-+static s8 size_index[24] __ro_after_init = {
-	3,	/* 8 */
-	4,	/* 16 */
-	5,	/* 24 */
-diff --git a/mm/slub.c b/mm/slub.c
-index e381728a3751..76dd844d978a 100644
---- a/mm/slub.c
-+++ b/mm/slub.c
-@@ -125,6 +125,16 @@ static inline int kmem_cache_debug(struct kmem_cache *s)
- #endif
- }
-
-+static inline bool has_sanitize(struct kmem_cache *s)
-+{
-+	return IS_ENABLED(CONFIG_SLAB_SANITIZE) && !(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON));
-+}
-+
-+static inline bool has_sanitize_verify(struct kmem_cache *s)
-+{
-+	return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && has_sanitize(s);
-+}
-+
- void *fixup_red_left(struct kmem_cache *s, void *p)
- {
-	if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE)
-@@ -299,6 +309,35 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
-	*(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
- }
-
-+#ifdef CONFIG_SLAB_CANARY
-+static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
-+{
-+	if (s->offset)
-+		return object + s->offset + sizeof(void *);
-+	return object + s->inuse;
-+}
-+
-+static inline unsigned long get_canary_value(const void *canary, unsigned long value)
-+{
-+	return (value ^ (unsigned long)canary) & CANARY_MASK;
-+}
-+
-+static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
-+{
-+	unsigned long *canary = get_canary(s, object);
-+	*canary = get_canary_value(canary, value);
-+}
-+
-+static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
-+{
-+	unsigned long *canary = get_canary(s, object);
-+	BUG_ON(*canary != get_canary_value(canary, value));
-+}
-+#else
-+#define set_canary(s, object, value)
-+#define check_canary(s, object, value)
-+#endif
-+
- /* Loop over all objects in a slab */
- #define for_each_object(__p, __s, __addr, __objects) \
-	for (__p = fixup_red_left(__s, __addr); \
-@@ -486,13 +525,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
-  * Debug settings:
-  */
- #if defined(CONFIG_SLUB_DEBUG_ON)
--static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
-+static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
- #else
--static slab_flags_t slub_debug;
-+static slab_flags_t slub_debug __ro_after_init;
- #endif
-
--static char *slub_debug_slabs;
--static int disable_higher_order_debug;
-+static char *slub_debug_slabs __ro_after_init;
-+static int disable_higher_order_debug __ro_after_init;
-
- /*
-  * slub is about to manipulate internal object metadata.  This memory lies
-@@ -552,6 +591,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
-	else
-		p = object + s->inuse;
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		p = (void *)p + sizeof(void *);
-+
-	return p + alloc;
- }
-
-@@ -690,6 +732,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
-	else
-		off = s->inuse;
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		off += sizeof(void *);
-+
-	if (s->flags & SLAB_STORE_USER)
-		off += 2 * sizeof(struct track);
-
-@@ -819,6 +864,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
-		/* Freepointer is placed after the object. */
-		off += sizeof(void *);
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		off += sizeof(void *);
-+
-	if (s->flags & SLAB_STORE_USER)
-		/* We also have user information there */
-		off += 2 * sizeof(struct track);
-@@ -1420,8 +1468,9 @@ static void setup_object(struct kmem_cache *s, struct page *page,
-				void *object)
- {
-	setup_object_debug(s, page, object);
-+	set_canary(s, object, s->random_inactive);
-	kasan_init_slab_obj(s, object);
--	if (unlikely(s->ctor)) {
-+	if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
-		kasan_unpoison_object_data(s, object);
-		s->ctor(object);
-		kasan_poison_object_data(s, object);
-@@ -2719,9 +2768,21 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
-		stat(s, ALLOC_FASTPATH);
-	}
-
--	if (unlikely(gfpflags & __GFP_ZERO) && object)
-+	if (has_sanitize_verify(s) && object) {
-+		size_t offset = s->offset ? 0 : sizeof(void *);
-+		BUG_ON(memchr_inv(object + offset, 0, s->object_size - offset));
-+		if (s->ctor)
-+			s->ctor(object);
-+		if (unlikely(gfpflags & __GFP_ZERO) && offset)
-+			memset(object, 0, sizeof(void *));
-+	} else if (unlikely(gfpflags & __GFP_ZERO) && object)
-		memset(object, 0, s->object_size);
-
-+	if (object) {
-+		check_canary(s, object, s->random_inactive);
-+		set_canary(s, object, s->random_active);
-+	}
-+
-	slab_post_alloc_hook(s, gfpflags, 1, &object);
-
-	return object;
-@@ -2928,6 +2989,27 @@ static __always_inline void do_slab_free(struct kmem_cache *s,
-	void *tail_obj = tail ? : head;
-	struct kmem_cache_cpu *c;
-	unsigned long tid;
-+	bool sanitize = has_sanitize(s);
-+
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY) || sanitize) {
-+		__maybe_unused int offset = s->offset ? 0 : sizeof(void *);
-+		void *x = head;
-+
-+		while (1) {
-+			check_canary(s, x, s->random_active);
-+			set_canary(s, x, s->random_inactive);
-+
-+			if (sanitize) {
-+				memset(x + offset, 0, s->object_size - offset);
-+				if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
-+					s->ctor(x);
-+			}
-+			if (x == tail_obj)
-+				break;
-+			x = get_freepointer(s, x);
-+		}
-+	}
-+
- redo:
-	/*
-	 * Determine the currently cpus per cpu slab.
-@@ -3106,7 +3188,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
-			  void **p)
- {
-	struct kmem_cache_cpu *c;
--	int i;
-+	int i, k;
-
-	/* memcg and kmem_cache debug support */
-	s = slab_pre_alloc_hook(s, flags);
-@@ -3143,13 +3225,29 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
-	local_irq_enable();
-
-	/* Clear memory outside IRQ disabled fastpath loop */
--	if (unlikely(flags & __GFP_ZERO)) {
-+	if (has_sanitize_verify(s)) {
-+		int j;
-+
-+		for (j = 0; j < i; j++) {
-+			size_t offset = s->offset ? 0 : sizeof(void *);
-+			BUG_ON(memchr_inv(p[j] + offset, 0, s->object_size - offset));
-+			if (s->ctor)
-+				s->ctor(p[j]);
-+			if (unlikely(flags & __GFP_ZERO) && offset)
-+				memset(p[j], 0, sizeof(void *));
-+		}
-+	} else if (unlikely(flags & __GFP_ZERO)) {
-		int j;
-
-		for (j = 0; j < i; j++)
-			memset(p[j], 0, s->object_size);
-	}
-
-+	for (k = 0; k < i; k++) {
-+		check_canary(s, p[k], s->random_inactive);
-+		set_canary(s, p[k], s->random_active);
-+	}
-+
-	/* memcg and kmem_cache debug support */
-	slab_post_alloc_hook(s, flags, size, p);
-	return i;
-@@ -3181,9 +3279,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
-  * and increases the number of allocations possible without having to
-  * take the list_lock.
-  */
--static int slub_min_order;
--static int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
--static int slub_min_objects;
-+static int slub_min_order __ro_after_init;
-+static int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
-+static int slub_min_objects __ro_after_init;
-
- /*
-  * Calculate the order of allocation given an slab object size.
-@@ -3353,6 +3451,7 @@ static void early_kmem_cache_node_alloc(int node)
-	init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
-	init_tracking(kmem_cache_node, n);
- #endif
-+	set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
-	kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
-		      GFP_KERNEL);
-	init_kmem_cache_node(n);
-@@ -3509,6 +3608,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
-		size += sizeof(void *);
-	}
-
-+	if (IS_ENABLED(CONFIG_SLAB_CANARY))
-+		size += sizeof(void *);
-+
- #ifdef CONFIG_SLUB_DEBUG
-	if (flags & SLAB_STORE_USER)
-		/*
-@@ -3579,6 +3681,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
- #ifdef CONFIG_SLAB_FREELIST_HARDENED
-	s->random = get_random_long();
- #endif
-+#ifdef CONFIG_SLAB_CANARY
-+	s->random_active = get_random_long();
-+	s->random_inactive = get_random_long();
-+#endif
-
-	if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
-		s->reserved = sizeof(struct rcu_head);
-@@ -3846,6 +3952,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
-		offset -= s->red_left_pad;
-	}
-
-+	check_canary(s, (void *)ptr - offset, s->random_active);
-+
-	/* Allow address range falling entirely within usercopy region. */
-	if (offset >= s->useroffset &&
-	    offset - s->useroffset <= s->usersize &&
-@@ -3879,7 +3987,11 @@ static size_t __ksize(const void *object)
-	page = virt_to_head_page(object);
-
-	if (unlikely(!PageSlab(page))) {
-+#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
-+		BUG_ON(!PageCompound(page));
-+#else
-		WARN_ON(!PageCompound(page));
-+#endif
-		return PAGE_SIZE << compound_order(page);
-	}
-
-@@ -4744,7 +4856,7 @@ enum slab_stat_type {
- #define SO_TOTAL	(1 << SL_TOTAL)
-
- #ifdef CONFIG_MEMCG
--static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
-+static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
-
- static int __init setup_slub_memcg_sysfs(char *str)
- {
-diff --git a/mm/swap.c b/mm/swap.c
-index 0f17330dd0e5..6e52cb476ef5 100644
---- a/mm/swap.c
-+++ b/mm/swap.c
-@@ -92,6 +92,13 @@ static void __put_compound_page(struct page *page)
-	if (!PageHuge(page))
-		__page_cache_release(page);
-	dtor = get_compound_page_dtor(page);
-+	if (!PageHuge(page))
-+		BUG_ON(dtor != free_compound_page
-+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
-+			&& dtor != free_transhuge_page
-+#endif
-+		);
-+
-	(*dtor)(page);
- }
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index ace13bea3e50..77a1519c52b7 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -4196,7 +4196,7 @@ int netif_rx_ni(struct sk_buff *skb)
- }
- EXPORT_SYMBOL(netif_rx_ni);
-
--static __latent_entropy void net_tx_action(struct softirq_action *h)
-+static __latent_entropy void net_tx_action(void)
- {
-	struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-
-@@ -5745,7 +5745,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
-	return work;
- }
-
--static __latent_entropy void net_rx_action(struct softirq_action *h)
-+static __latent_entropy void net_rx_action(void)
- {
-	struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-	unsigned long time_limit = jiffies +
-diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
-index f48fe6fc7e8c..d78c52835c08 100644
---- a/net/ipv4/Kconfig
-+++ b/net/ipv4/Kconfig
-@@ -261,6 +261,7 @@ config IP_PIMSM_V2
-
- config SYN_COOKIES
-	bool "IP: TCP syncookie support"
-+	default y
-	---help---
-	  Normal TCP/IP networking is open to an attack known as "SYN
-	  flooding". This denial-of-service attack prevents legitimate remote
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 9917f928d0fd..784e0e2fc839 100644
---- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -37,6 +37,7 @@ static int vmlinux_section_warnings = 1;
- static int warn_unresolved = 0;
- /* How a symbol is exported */
- static int sec_mismatch_count = 0;
-+static int writable_fptr_count = 0;
- static int sec_mismatch_verbose = 1;
- static int sec_mismatch_fatal = 0;
- /* ignore missing files */
-@@ -965,6 +966,7 @@ enum mismatch {
-	ANY_EXIT_TO_ANY_INIT,
-	EXPORT_TO_INIT_EXIT,
-	EXTABLE_TO_NON_TEXT,
-+	DATA_TO_TEXT
- };
-
- /**
-@@ -1091,6 +1093,12 @@ static const struct sectioncheck sectioncheck[] = {
-	.good_tosec = {ALL_TEXT_SECTIONS , NULL},
-	.mismatch = EXTABLE_TO_NON_TEXT,
-	.handler = extable_mismatch_handler,
-+},
-+/* Do not reference code from writable data */
-+{
-+	.fromsec = { DATA_SECTIONS, NULL },
-+	.bad_tosec = { ALL_TEXT_SECTIONS, NULL },
-+	.mismatch = DATA_TO_TEXT
- }
- };
-
-@@ -1240,10 +1248,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
-			continue;
-		if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
-			continue;
--		if (sym->st_value == addr)
--			return sym;
-		/* Find a symbol nearby - addr are maybe negative */
-		d = sym->st_value - addr;
-+		if (d == 0)
-+			return sym;
-		if (d < 0)
-			d = addr - sym->st_value;
-		if (d < distance) {
-@@ -1402,7 +1410,11 @@ static void report_sec_mismatch(const char *modname,
-	char *prl_from;
-	char *prl_to;
-
--	sec_mismatch_count++;
-+	if (mismatch->mismatch == DATA_TO_TEXT)
-+		writable_fptr_count++;
-+	else
-+		sec_mismatch_count++;
-+
-	if (!sec_mismatch_verbose)
-		return;
-
-@@ -1526,6 +1538,14 @@ static void report_sec_mismatch(const char *modname,
-		fatal("There's a special handler for this mismatch type, "
-		      "we should never get here.");
-		break;
-+	case DATA_TO_TEXT:
-+#if 0
-+		fprintf(stderr,
-+		"The %s %s:%s references\n"
-+		"the %s %s:%s%s\n",
-+		from, fromsec, fromsym, to, tosec, tosym, to_p);
-+#endif
-+		break;
-	}
-	fprintf(stderr, "\n");
- }
-@@ -2539,6 +2559,14 @@ int main(int argc, char **argv)
-		}
-	}
-	free(buf.p);
-+	if (writable_fptr_count) {
-+		if (!sec_mismatch_verbose) {
-+			warn("modpost: Found %d writable function pointer(s).\n"
-+			     "To see full details build your kernel with:\n"
-+			     "'make CONFIG_DEBUG_SECTION_MISMATCH=y'\n",
-+			     writable_fptr_count);
-+		}
-+	}
-
-	return err;
- }
-diff --git a/security/Kconfig b/security/Kconfig
-index c4302067a3ad..1b1e9368cae5 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -8,7 +8,7 @@ source security/keys/Kconfig
-
- config SECURITY_DMESG_RESTRICT
-	bool "Restrict unprivileged access to the kernel syslog"
--	default n
-+	default y
-	help
-	  This enforces restrictions on unprivileged users reading the kernel
-	  syslog via dmesg(8).
-@@ -18,10 +18,21 @@ config SECURITY_DMESG_RESTRICT
-
-	  If you are unsure how to answer this question, answer N.
-
-+config SECURITY_PERF_EVENTS_RESTRICT
-+	bool "Restrict unprivileged use of performance events"
-+	depends on PERF_EVENTS
-+	default y
-+	help
-+	  If you say Y here, the kernel.perf_event_paranoid sysctl
-+	  will be set to 3 by default, and no unprivileged use of the
-+	  perf_event_open syscall will be permitted unless it is
-+	  changed.
-+
- config SECURITY
-	bool "Enable different security models"
-	depends on SYSFS
-	depends on MULTIUSER
-+	default y
-	help
-	  This allows you to choose different security modules to be
-	  configured into your kernel.
-@@ -48,6 +59,7 @@ config SECURITYFS
- config SECURITY_NETWORK
-	bool "Socket and Networking Security Hooks"
-	depends on SECURITY
-+	default y
-	help
-	  This enables the socket and networking security hooks.
-	  If enabled, a security module can use these hooks to
-@@ -155,6 +167,7 @@ config HARDENED_USERCOPY
-	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
-	select BUG
-	imply STRICT_DEVMEM
-+	default y
-	help
-	  This option checks for obviously wrong memory regions when
-	  copying memory to/from the kernel (via copy_to_user() and
-@@ -167,7 +180,6 @@ config HARDENED_USERCOPY
- config HARDENED_USERCOPY_FALLBACK
-	bool "Allow usercopy whitelist violations to fallback to object size"
-	depends on HARDENED_USERCOPY
--	default y
-	help
-	  This is a temporary option that allows missing usercopy whitelists
-	  to be discovered via a WARN() to the kernel log, instead of
-@@ -192,10 +204,36 @@ config HARDENED_USERCOPY_PAGESPAN
- config FORTIFY_SOURCE
-	bool "Harden common str/mem functions against buffer overflows"
-	depends on ARCH_HAS_FORTIFY_SOURCE
-+	default y
-	help
-	  Detect overflows of buffers in common string and memory functions
-	  where the compiler can determine and validate the buffer sizes.
-
-+config FORTIFY_SOURCE_STRICT_STRING
-+	bool "Harden common functions against buffer overflows"
-+	depends on FORTIFY_SOURCE
-+	depends on EXPERT
-+	help
-+	  Perform stricter overflow checks catching overflows within objects
-+	  for common C string functions rather than only between objects.
-+
-+	  This is not yet intended for production use, only bug finding.
-+
-+config PAGE_SANITIZE
-+	bool "Sanitize pages"
-+	default y
-+	help
-+	  Zero fill page allocations on free, reducing the lifetime of
-+	  sensitive data and helping to mitigate use-after-free bugs.
-+
-+config PAGE_SANITIZE_VERIFY
-+	bool "Verify sanitized pages"
-+	depends on PAGE_SANITIZE
-+	default y
-+	help
-+	  Verify that newly allocated pages are zeroed to detect
-+	  write-after-free bugs.
-+
- config STATIC_USERMODEHELPER
-	bool "Force all usermode helper calls through a single binary"
-	help
-diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
-index 8af7a690eb40..6539694b0fd3 100644
---- a/security/selinux/Kconfig
-+++ b/security/selinux/Kconfig
-@@ -2,7 +2,7 @@ config SECURITY_SELINUX
-	bool "NSA SELinux Support"
-	depends on SECURITY_NETWORK && AUDIT && NET && INET
-	select NETWORK_SECMARK
--	default n
-+	default y
-	help
-	  This selects NSA Security-Enhanced Linux (SELinux).
-	  You will also need a policy configuration and a labeled filesystem.
-@@ -79,23 +79,3 @@ config SECURITY_SELINUX_AVC_STATS
-	  This option collects access vector cache statistics to
-	  /selinux/avc/cache_stats, which may be monitored via
-	  tools such as avcstat.
--
--config SECURITY_SELINUX_CHECKREQPROT_VALUE
--	int "NSA SELinux checkreqprot default value"
--	depends on SECURITY_SELINUX
--	range 0 1
--	default 0
--	help
--	  This option sets the default value for the 'checkreqprot' flag
--	  that determines whether SELinux checks the protection requested
--	  by the application or the protection that will be applied by the
--	  kernel (including any implied execute for read-implies-exec) for
--	  mmap and mprotect calls.  If this option is set to 0 (zero),
--	  SELinux will default to checking the protection that will be applied
--	  by the kernel.  If this option is set to 1 (one), SELinux will
--	  default to checking the protection requested by the application.
--	  The checkreqprot flag may be changed from the default via the
--	  'checkreqprot=' boot parameter.  It may also be changed at runtime
--	  via /selinux/checkreqprot if authorized by policy.
--
--	  If you are unsure how to answer this question, answer 0.
-diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
-index 3d54468ce334..ceafb908afde 100644
---- a/security/selinux/include/objsec.h
-+++ b/security/selinux/include/objsec.h
-@@ -154,6 +154,6 @@ struct bpf_security_struct {
-	u32 sid;  /*SID of bpf obj creater*/
- };
-
--extern unsigned int selinux_checkreqprot;
-+extern const unsigned int selinux_checkreqprot;
-
- #endif /* _SELINUX_OBJSEC_H_ */
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 00eed842c491..8f7b8d7e6f91 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
-@@ -41,16 +41,7 @@
- #include "objsec.h"
- #include "conditional.h"
-
--unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
--
--static int __init checkreqprot_setup(char *str)
--{
--	unsigned long checkreqprot;
--	if (!kstrtoul(str, 0, &checkreqprot))
--		selinux_checkreqprot = checkreqprot ? 1 : 0;
--	return 1;
--}
--__setup("checkreqprot=", checkreqprot_setup);
-+const unsigned int selinux_checkreqprot;
-
- static DEFINE_MUTEX(sel_mutex);
-
-@@ -610,10 +601,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
-		return PTR_ERR(page);
-
-	length = -EINVAL;
--	if (sscanf(page, "%u", &new_value) != 1)
-+	if (sscanf(page, "%u", &new_value) != 1 || new_value)
-		goto out;
-
--	selinux_checkreqprot = new_value ? 1 : 0;
-	length = count;
- out:
-	kfree(page);
-diff --git a/security/yama/Kconfig b/security/yama/Kconfig
-index 96b27405558a..485c1b85c325 100644
---- a/security/yama/Kconfig
-+++ b/security/yama/Kconfig
-@@ -1,7 +1,7 @@
- config SECURITY_YAMA
-	bool "Yama support"
-	depends on SECURITY
--	default n
-+	default y
-	help
-	  This selects Yama, which extends DAC support with additional
-	  system-wide security settings beyond regular Linux discretionary
diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix
index 000764eca9b3..f4a728c9d25f 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 
 buildLinux (args // rec {
-  version = "4.14.67";
+  version = "4.14.78";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1fkha288nv5vk2l13dj0xj09c2pxvipysdaaga7sfcvjq9nhajrz";
+    sha256 = "0v2cwykgd2hxlqja4yl4pq45nhd5x8917ixqq7hj1r3ry304vnpl";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.18.nix b/pkgs/os-specific/linux/kernel/linux-4.18.nix
index e76beadc27bf..d6c4b58b980a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.18.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 
 buildLinux (args // rec {
-  version = "4.18.5";
+  version = "4.18.16";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1ga7ys6s5d9dk1ly9722sbik1y6kbc3w6nw9pw86zpzdh0v0l2gv";
+    sha256 = "1rjjkhl8lz4y4sn7icy8mp6p1x7rvapybp51p92sanbjy3i19fmy";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.17.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index 5c13f366221e..5aa033348d4e 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.17.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 
 buildLinux (args // rec {
-  version = "4.17.19";
+  version = "4.19";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "05wz76qq70bfhfwd1zwzfmzq4rlgz40jpi9plb31njx1y7vkx6xs";
+    sha256 = "18a92z17alh5kkvjv7l9z8wk5jgdb6raawdfkpwx9bi8amjzas0c";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 7c5f345e3400..f4ef5c6eb1cf 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,11 +1,11 @@
 { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.153";
+  version = "4.4.162";
   extraMeta.branch = "4.4";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "00jlajwbq7w5cxzzaa5mib5qvihqab3ysfq401b71ji2bi8ma8qg";
+    sha256 = "0l2agmxzmq89jbh7r00qg4msvmhny40m2jar96fibwpklwd44kki";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index ed0075b7876b..89702c44ccbc 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,11 @@
 { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.124";
+  version = "4.9.135";
   extraMeta.branch = "4.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "04a3iqy6divkd9bamn60d0v8jkls2jbip7qn0m82dlcdikab19jw";
+    sha256 = "1kjly5ynsg2jy5nj41z21s8f18wfs4nk843jlmmcazzax6xv08z0";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-copperhead-lts.nix b/pkgs/os-specific/linux/kernel/linux-copperhead-lts.nix
deleted file mode 100644
index 366cfd39e4af..000000000000
--- a/pkgs/os-specific/linux/kernel/linux-copperhead-lts.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, ... } @ args:
-
-with stdenv.lib;
-
-let
-  version = "4.14.44";
-  revision = "a";
-  sha256 = "1alvhpwy9xzppwsag7qh1lkk3l4piyh2fv27w37il6gclja4dxkf";
-
-  # modVersion needs to be x.y.z, will automatically add .0 if needed
-  modVersion = concatStrings (intersperse "." (take 3 (splitString "." "${version}.0")));
-
-  # branchVersion needs to be x.y
-  branchVersion = concatStrings (intersperse "." (take 2 (splitString "." version)));
-
-  modDirVersion = "${modVersion}-hardened";
-in
-buildLinux (args // {
-  inherit modDirVersion;
-
-  version = "${version}-${revision}";
-  extraMeta.branch = "${branchVersion}";
-
-  src = fetchFromGitHub {
-    inherit sha256;
-    owner = "copperhead";
-    repo = "linux-hardened";
-    rev = "${version}.${revision}";
-  };
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
index d1d7d240cce5..fc9cb2f238b2 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
@@ -1,10 +1,10 @@
 { stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, libelf, utillinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.14.66-147";
+  version = "4.14.73-149";
 
   # modDirVersion needs to be x.y.z.
-  modDirVersion = "4.14.66";
+  modDirVersion = "4.14.73";
 
   # branchVersion needs to be x.y.
   extraMeta.branch = "4.14";
@@ -13,7 +13,7 @@ buildLinux (args // rec {
     owner = "hardkernel";
     repo = "linux";
     rev = version;
-    sha256 = "06v38jl4i7l8gl8zcpyp9vmjjhaqhbp7by15f82rxa724zppxi9x";
+    sha256 = "1zc5py6v3xyvy6dwghnqb7nsn9l1aib3d96i5bqy9dd56vyiy5m2";
   };
 
   defconfig = "odroidxu4_defconfig";
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
index 8014cb565267..7375daf61da5 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
@@ -1,8 +1,8 @@
 { stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, ... } @ args:
 
 buildLinux (rec {
-  mptcpVersion = "0.94";
-  modDirVersion = "4.14.24";
+  mptcpVersion = "0.94.1";
+  modDirVersion = "4.14.70";
   version = "${modDirVersion}-mptcp_v${mptcpVersion}";
   # autoModules= true;
 
@@ -15,7 +15,7 @@ buildLinux (rec {
     owner = "multipath-tcp";
     repo = "mptcp";
     rev = "v${mptcpVersion}";
-    sha256 = "01y3jf5awdxcv6vfpr30n0vaa8w1wgip0whiv88d610550299hkv";
+    sha256 = "13mi672jr1x463kzig1hi9cpdi8x6nqdfd4bqlrjn8zca48f4ln4";
   };
 
   extraConfig = ''
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index e6d7b1cee9db..096b3ecde22a 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -1,10 +1,10 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, ... } @ args:
+{ stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, ... } @ args:
 
 let
-  modDirVersion = "4.14.50";
-  tag = "1.20180619";
+  modDirVersion = "4.14.70";
+  tag = "1.20180919";
 in
-stdenv.lib.overrideDerivation (buildLinux (args // rec {
+lib.overrideDerivation (buildLinux (args // rec {
   version = "${modDirVersion}-${tag}";
   inherit modDirVersion;
 
@@ -12,12 +12,13 @@ stdenv.lib.overrideDerivation (buildLinux (args // rec {
     owner = "raspberrypi";
     repo = "linux";
     rev = "raspberrypi-kernel_${tag}-1";
-    sha256 = "0yccz8j3vrzv6h23b7yn7dx84kkzq3dmicm3shhz18nkpyyq71ch";
+    sha256 = "1zjvzk6rhrn3ngc012gjq3v7lxn8hy89ljb7fqwld5g7py9lkf0b";
   };
 
   defconfig = {
     "armv6l-linux" = "bcmrpi_defconfig";
     "armv7l-linux" = "bcm2709_defconfig";
+    "aarch64-linux" = "bcmrpi3_defconfig";
   }.${stdenv.hostPlatform.system} or (throw "linux_rpi not supported on '${stdenv.hostPlatform.system}'");
 
   features = {
@@ -31,14 +32,15 @@ stdenv.lib.overrideDerivation (buildLinux (args // rec {
     sed -i $buildRoot/.config -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
   '';
 
+  # Make copies of the DTBs named after the upstream names so that U-Boot finds them.
+  # This is ugly as heck, but I don't know a better solution so far.
   postFixup = ''
-    # Make copies of the DTBs named after the upstream names so that U-Boot finds them.
-    # This is ugly as heck, but I don't know a better solution so far.
-    rm $out/dtbs/bcm283*.dtb
+    dtbDir=${if stdenv.isAarch64 then "$out/dtbs/broadcom" else "$out/dtbs"}
+    rm $dtbDir/bcm283*.dtb
     copyDTB() {
-      cp -v "$out/dtbs/$1" "$out/dtbs/$2"
+      cp -v "$dtbDir/$1" "$dtbDir/$2"
     }
-
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv6l-linux"]) ''
     copyDTB bcm2708-rpi-0-w.dtb bcm2835-rpi-zero.dtb
     copyDTB bcm2708-rpi-0-w.dtb bcm2835-rpi-zero-w.dtb
     copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
@@ -48,7 +50,9 @@ stdenv.lib.overrideDerivation (buildLinux (args // rec {
     copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus.dtb
     copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
     copyDTB bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux"]) ''
     copyDTB bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux" "aarch64-linux"]) ''
     copyDTB bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
     copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
     copyDTB bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
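Review bot: The platform predicates in this hunk are written three different ways — `stdenv.isAarch64` for `dtbDir`, `lib.elem stdenv.hostPlatform.system ["armv6l-linux"]` for a single-element list, and a genuine two-element `lib.elem` for the rpi-3 block; for the single-platform cases `stdenv.hostPlatform.system == "armv6l-linux"` (and likewise for armv7l) says the same thing more directly and keeps one style per file. `rm $dtbDir/bcm283*.dtb` is an unquoted glob, so on the new aarch64 path the build fails if `$out/dtbs/broadcom` holds no `bcm283*.dtb`; presumably the bcmrpi3 defconfig produces them, but it is worth confirming rather than inheriting that assumption from the 32-bit case. The `postFixup` string continues past the end of the hunk.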
diff --git a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
index 6e3a7614a56b..b4df3b7b33e8 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -1,13 +1,13 @@
 { stdenv, buildPackages, fetchgit, perl, buildLinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.18.2018.08.31";
+  version = "4.18.2018.10.12";
   modDirVersion = "4.18.0";
 
   src = fetchgit {
     url = "https://evilpiepirate.org/git/bcachefs.git";
-    rev = "9c08efd02b827e6ee2a6e5a751045c6c6bd484d4";
-    sha256 = "0xnkg0fpilmwckyb1drspggv3ibx8vkqic9ai53d5vx2rrnvvafw";
+    rev = "d7f6da1d60ec24266301231538ff6f09716537ed";
+    sha256 = "05d7dh41nc35www8vmrn47wlf2mr2b8i4rm15vq3zgm32d0xv3lk";
   };
 
   extraConfig = "BCACHEFS_FS m";
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index 44f267bf7151..f866d858eaeb 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,13 +1,13 @@
 { stdenv, buildPackages, fetchurl, perl, buildLinux, libelf, utillinux, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.19-rc1";
-  modDirVersion = "4.19.0-rc1";
+  version = "4.19-rc8";
+  modDirVersion = "4.19.0-rc8";
   extraMeta.branch = "4.19";
 
   src = fetchurl {
     url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
-    sha256 = "14c9xg9sv0jrdri36das97vdbybi7vmcy59mj9wmgaz81cdk3wg5";
+    sha256 = "1xw8grzn4i4b2vprfwi4p4003n7rr9725dbiqyrl8w1pm11jwpin";
   };
 
   # Should the testing kernels ever be built on Hydra?
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 2cc83e62d11e..1d280647c5a1 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -1,4 +1,5 @@
 { buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, pkgconfig ? null, ncurses ? null
 , libelf
 , utillinux
 , writeTextFile
@@ -247,6 +248,7 @@ let
           maintainers.thoughtpolice
         ];
         platforms = platforms.linux;
+        timeout = 14400; # 4 hours
       } // extraMeta;
     };
 in
@@ -264,6 +266,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
       ++ optional (stdenv.lib.versionAtLeast version "4.14") libelf
       ++ optional (stdenv.lib.versionAtLeast version "4.15") utillinux
       ++ optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ optionals stdenv.lib.inNixShell [ pkgconfig ncurses ]
       ;
 
   hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
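Review bot: With `pkgconfig ? null, ncurses ? null` in the first hunk, a caller that omits either argument puts nulls into `nativeBuildInputs` whenever `inNixShell` is true; presumably stdenv tolerates null inputs, but if these packages are always supplied from the package set the `? null` defaults only hide a missing argument. The new `optionals` line also has no comment explaining why these two packages are wanted only in a shell; something like `# only for interactive use from nix-shell (presumably make menuconfig); not needed for the real build` would spare the next reader the guess. The `nativeBuildInputs` expression this line appends to starts outside the hunk.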
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 143671428c41..d54e0153229d 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -28,16 +28,6 @@ rec {
     patch = ./tag-hardened.patch;
   };
 
-  copperhead_4_14 = rec {
-    name = "copperhead-4.14";
-    patch = ./copperhead-4-14.patch;
-  };
-
-  copperhead_4_16 = rec {
-    name = "copperhead-4.16";
-    patch = ./copperhead-4-16.patch;
-  };
-
   # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
   iwlwifi_mvm_support_version_7_scan_req_umac_fw_command = rec {
     name = "iwlwifi_mvm_support_version_7_scan_req_umac_fw_command";
diff --git a/pkgs/os-specific/linux/kmscube/default.nix b/pkgs/os-specific/linux/kmscube/default.nix
index 99ef7d4a5508..442c54ac8462 100644
--- a/pkgs/os-specific/linux/kmscube/default.nix
+++ b/pkgs/os-specific/linux/kmscube/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchgit, autoreconfHook, libdrm, libX11, libGL, mesa_noglu, pkgconfig }:
 
 stdenv.mkDerivation rec {
-  name = "kmscube-2017-03-19";
+  name = "kmscube-2018-06-17";
 
   src = fetchgit {
     url = git://anongit.freedesktop.org/mesa/kmscube;
-    rev = "b88a44d95eceaeebc5b9c6972ffcbfe9eca00aea";
-    sha256 = "029ccslfavz6jllqv980sr6mj9bdbr0kx7bi21ra0q9yl2vh0yca";
+    rev = "9dcce71e603616ee7a54707e932f962cdf8fb20a";
+    sha256 = "1q5b5yvyfj3127385mp1bfmcbnpnbdswdk8gspp7g4541xk4k933";
   };
 
   nativeBuildInputs = [ autoreconfHook pkgconfig ];
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   meta = with stdenv.lib; {
     description = "Example OpenGL app using KMS/GBM";
-    homepage = https://github.com/robclark/kmscube;
+    homepage = https://gitlab.freedesktop.org/mesa/kmscube;
     license = licenses.mit;
     maintainers = with maintainers; [ dezgeg ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/libratbag/default.nix b/pkgs/os-specific/linux/libratbag/default.nix
new file mode 100644
index 000000000000..271dc156695a
--- /dev/null
+++ b/pkgs/os-specific/linux/libratbag/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig
+, glib, systemd, udev, libevdev, gitMinimal, check, valgrind, swig, python3 }:
+
+stdenv.mkDerivation rec {
+  name = "libratbag-${version}";
+  version = "0.9.903";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "libratbag";
+    rev    = "v${version}";
+    sha256 = "0cr5skrb7a5mgj7dkm647ib8336hb88bf11blaf6xldafi8b0jlj";
+  };
+
+
+  # todo: python should be in buildInputs, but right now meson propagates
+  # its own python. see: https://github.com/NixOS/nixpkgs/pull/46020
+  nativeBuildInputs = [
+    (python3.withPackages (ps: with ps; [ evdev pygobject3 ]))
+    meson ninja pkgconfig gitMinimal swig check valgrind
+  ];
+
+  buildInputs = [ glib systemd udev libevdev ];
+
+  mesonFlags = [
+    "-Dsystemd-unit-dir=./lib/systemd/system/"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "Configuration library for gaming mice";
+    homepage    = https://github.com/libratbag/libratbag;
+    license     = licenses.mit;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
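Review bot: `check` and `valgrind` are test-time dependencies, but the derivation sets no `doCheck`, so they are built and put on the build path without the test suite ever running; either enable the tests (`doCheck = true;` with the two moved to `checkInputs`) or drop them from `nativeBuildInputs`. `-Dsystemd-unit-dir=./lib/systemd/system/` is a relative path whose base is decided by the upstream meson build, not by this file — confirm the unit actually lands under `$out/lib/systemd/system` and not in the build directory, and say so in a comment. There is also a stray double blank line after the `src` block.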
diff --git a/pkgs/os-specific/linux/light/default.nix b/pkgs/os-specific/linux/light/default.nix
index d500019c50b4..1856c8861cc4 100644
--- a/pkgs/os-specific/linux/light/default.nix
+++ b/pkgs/os-specific/linux/light/default.nix
@@ -1,26 +1,31 @@
-{ stdenv, fetchFromGitHub, help2man }:
+{ stdenv, fetchFromGitHub, autoreconfHook, coreutils }:
 
 stdenv.mkDerivation rec {
-  version = "1.1.2";
+  version = "1.2";
   name = "light-${version}";
   src = fetchFromGitHub {
     owner = "haikarainen";
     repo = "light";
-    rev = version;
-    sha256 = "0c934gxav9cgdf94li6dp0rfqmpday9d33vdn9xb2mfp4war9n4w";
+    rev = "v${version}";
+    sha256 = "1h286va0r1xgxlnxfaaarrj3qhxmjjsivfn3khwm0wq1mhkfihra";
   };
 
-  buildInputs = [ help2man ];
+  configureFlags = [ "--with-udev" ];
 
-  installPhase = "mkdir -p $out/bin; cp light $out/bin/";
+  nativeBuildInputs = [ autoreconfHook ];
 
-  preFixup = "make man; mkdir -p $out/man/man1; mv light.1.gz $out/man/man1";
+  # ensure udev rules can find the commands used
+  postPatch = ''
+    substituteInPlace 90-backlight.rules \
+      --replace '/bin/chgrp' '${coreutils}/bin/chgrp' \
+      --replace '/bin/chmod' '${coreutils}/bin/chmod'
+  '';
 
   meta = {
     description = "GNU/Linux application to control backlights";
     homepage = https://haikarainen.github.io/light/;
     license = stdenv.lib.licenses.gpl3;
-    maintainers = with stdenv.lib.maintainers; [ puffnfresh ];
+    maintainers = with stdenv.lib.maintainers; [ puffnfresh dtzWill ];
     platforms = stdenv.lib.platforms.linux;
   };
 }
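Review bot: The `postPatch` rewrite of `/bin/chgrp` and `/bin/chmod` in `90-backlight.rules` has no check that the patterns were actually found — `substituteInPlace` is silent when a pattern is absent — so an upstream edit to the rule would leave an unpatched rule that only fails at runtime when udev runs it; a following `grep -q '${coreutils}/bin/chgrp' 90-backlight.rules` would turn that into a build failure. Where `--with-udev` installs the rule is not visible here; confirm it goes to `$out/lib/udev/rules.d` so it is picked up when the package is added to `services.udev.packages`. Since this rule is presumably what relaxes ownership and permissions on the backlight sysfs nodes, a one-line comment stating that is worth more than the current `# ensure udev rules can find the commands used`.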
diff --git a/pkgs/os-specific/linux/lm-sensors/default.nix b/pkgs/os-specific/linux/lm-sensors/default.nix
index af52dc551ddd..04ce60c87b04 100644
--- a/pkgs/os-specific/linux/lm-sensors/default.nix
+++ b/pkgs/os-specific/linux/lm-sensors/default.nix
@@ -11,7 +11,8 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     urls = [
-      "http://dl.lm-sensors.org/lm-sensors/releases/lm_sensors-${version}.tar.bz2"
+      # "http://dl.lm-sensors.org/lm-sensors/releases/lm_sensors-${version}.tar.bz2" # dead
+      # https://github.com/lm-sensors/lm-sensors/releases/... # only generated tarballs
       "https://src.fedoraproject.org/repo/pkgs/lm_sensors/lm_sensors-${version}.tar.bz2/c03675ae9d43d60322110c679416901a/lm_sensors-${version}.tar.bz2"
     ];
     sha256 = "07q6811l4pp0f7pxr8bk3s97ippb84mx5qdg7v92s9hs10b90mz0";
@@ -28,7 +29,7 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with stdenv.lib; {
-    homepage = http://www.lm-sensors.org/;
+    homepage = https://hwmon.wiki.kernel.org/lm_sensors;
     description = "Tools for reading hardware sensors";
     license = with licenses; [ gpl2 lgpl21 ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/mbpfan/default.nix b/pkgs/os-specific/linux/mbpfan/default.nix
index 77b0d915edb6..7351712b887d 100644
--- a/pkgs/os-specific/linux/mbpfan/default.nix
+++ b/pkgs/os-specific/linux/mbpfan/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   name = "mbpfan-${version}";
-  version = "2.0.2";
+  version = "2.1.0";
   src = fetchFromGitHub {
     owner = "dgraziotin";
     repo = "mbpfan";
     rev = "v${version}";
-    sha256 = "1l8fj92jxfp0sldvznsdsm3pn675b35clq3371h6d5wk4jx67fvg";
+    sha256 = "1gysq778rkl6dvvj9a1swxcl15wvz0bng5bn4nwq118cl8p8pask";
   };
   installPhase = ''
     mkdir -p $out/bin $out/etc
diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix
index 642653259c34..c0e8e1292330 100644
--- a/pkgs/os-specific/linux/mcelog/default.nix
+++ b/pkgs/os-specific/linux/mcelog/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "mcelog-${version}";
-  version = "160";
+  version = "161";
 
   src = fetchFromGitHub {
     owner  = "andikleen";
     repo   = "mcelog";
     rev    = "v${version}";
-    sha256 = "1m985wvdykl3003967lp1i7707qhwdj3h13cl8g1afjaip9ccd48";
+    sha256 = "1bqz53xgvwab3r487ihri3nvk7nsgjykdv8m993983vxsi2bgjmz";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/musl/0001-in-pthread_mutex_trylock-EBUSY-out-more-directly-whe.patch b/pkgs/os-specific/linux/musl/0001-in-pthread_mutex_trylock-EBUSY-out-more-directly-whe.patch
new file mode 100644
index 000000000000..5e691ae99e6e
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/0001-in-pthread_mutex_trylock-EBUSY-out-more-directly-whe.patch
@@ -0,0 +1,37 @@
+From 4e4a162d9af283cf71f7310c497672e0c2b8ca3b Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 4 Sep 2018 21:28:38 -0400
+Subject: [PATCH 1/3] in pthread_mutex_trylock, EBUSY out more directly when
+ possible
+
+avoid gratuitously setting up and tearing down the robust list pending
+slot.
+---
+ src/thread/pthread_mutex_trylock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/thread/pthread_mutex_trylock.c b/src/thread/pthread_mutex_trylock.c
+index 54876a61..783ca0c4 100644
+--- a/src/thread/pthread_mutex_trylock.c
++++ b/src/thread/pthread_mutex_trylock.c
+@@ -15,6 +15,7 @@ int __pthread_mutex_trylock_owner(pthread_mutex_t *m)
+ 		return 0;
+ 	}
+ 	if (own == 0x7fffffff) return ENOTRECOVERABLE;
++	if (own && (!(own & 0x40000000) || !(type & 4))) return EBUSY;
+ 
+ 	if (m->_m_type & 128) {
+ 		if (!self->robust_list.off) {
+@@ -25,8 +26,7 @@ int __pthread_mutex_trylock_owner(pthread_mutex_t *m)
+ 		self->robust_list.pending = &m->_m_next;
+ 	}
+ 
+-	if ((own && (!(own & 0x40000000) || !(type & 4)))
+-	    || a_cas(&m->_m_lock, old, tid) != old) {
++	if (a_cas(&m->_m_lock, old, tid) != old) {
+ 		self->robust_list.pending = 0;
+ 		return EBUSY;
+ 	}
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/0002-in-pthread_mutex_timedlock-avoid-repeatedly-reading-.patch b/pkgs/os-specific/linux/musl/0002-in-pthread_mutex_timedlock-avoid-repeatedly-reading-.patch
new file mode 100644
index 000000000000..2f611fc467e7
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/0002-in-pthread_mutex_timedlock-avoid-repeatedly-reading-.patch
@@ -0,0 +1,41 @@
+From d1fa28860634af4f0efd70d533a756b51a45f83e Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 4 Sep 2018 21:31:47 -0400
+Subject: [PATCH 2/3] in pthread_mutex_timedlock, avoid repeatedly reading
+ mutex type field
+
+compiler cannot cache immutable fields of the mutex object across
+external calls it can't see, much less across atomics.
+---
+ src/thread/pthread_mutex_timedlock.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/thread/pthread_mutex_timedlock.c b/src/thread/pthread_mutex_timedlock.c
+index 0a240e79..f91f4a61 100644
+--- a/src/thread/pthread_mutex_timedlock.c
++++ b/src/thread/pthread_mutex_timedlock.c
+@@ -6,7 +6,8 @@ int __pthread_mutex_timedlock(pthread_mutex_t *restrict m, const struct timespec
+ 	    && !a_cas(&m->_m_lock, 0, EBUSY))
+ 		return 0;
+ 
+-	int r, t, priv = (m->_m_type & 128) ^ 128;
++	int type = m->_m_type;
++	int r, t, priv = (type & 128) ^ 128;
+ 
+ 	r = pthread_mutex_trylock(m);
+ 	if (r != EBUSY) return r;
+@@ -15,9 +16,9 @@ int __pthread_mutex_timedlock(pthread_mutex_t *restrict m, const struct timespec
+ 	while (spins-- && m->_m_lock && !m->_m_waiters) a_spin();
+ 
+ 	while ((r=pthread_mutex_trylock(m)) == EBUSY) {
+-		if (!(r=m->_m_lock) || ((r&0x40000000) && (m->_m_type&4)))
++		if (!(r=m->_m_lock) || ((r&0x40000000) && (type&4)))
+ 			continue;
+-		if ((m->_m_type&3) == PTHREAD_MUTEX_ERRORCHECK
++		if ((type&3) == PTHREAD_MUTEX_ERRORCHECK
+ 		 && (r&0x7fffffff) == __pthread_self()->tid)
+ 			return EDEADLK;
+ 
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/0003-fix-namespace-violation-for-c11-mutex-functions.patch b/pkgs/os-specific/linux/musl/0003-fix-namespace-violation-for-c11-mutex-functions.patch
new file mode 100644
index 000000000000..783873732afd
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/0003-fix-namespace-violation-for-c11-mutex-functions.patch
@@ -0,0 +1,35 @@
+From 2de29bc994029b903a366b8a4a9f8c3c3ee2be90 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 4 Sep 2018 22:56:57 -0400
+Subject: [PATCH 3/3] fix namespace violation for c11 mutex functions
+
+__pthread_mutex_timedlock is used to implement c11 mutex functions,
+and therefore cannot call pthread_mutex_trylock by name.
+---
+ src/thread/pthread_mutex_timedlock.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/thread/pthread_mutex_timedlock.c b/src/thread/pthread_mutex_timedlock.c
+index f91f4a61..d2bd1960 100644
+--- a/src/thread/pthread_mutex_timedlock.c
++++ b/src/thread/pthread_mutex_timedlock.c
+@@ -1,5 +1,7 @@
+ #include "pthread_impl.h"
+ 
++int __pthread_mutex_trylock(pthread_mutex_t *);
++
+ int __pthread_mutex_timedlock(pthread_mutex_t *restrict m, const struct timespec *restrict at)
+ {
+ 	if ((m->_m_type&15) == PTHREAD_MUTEX_NORMAL
+@@ -15,7 +17,7 @@ int __pthread_mutex_timedlock(pthread_mutex_t *restrict m, const struct timespec
+ 	int spins = 100;
+ 	while (spins-- && m->_m_lock && !m->_m_waiters) a_spin();
+ 
+-	while ((r=pthread_mutex_trylock(m)) == EBUSY) {
++	while ((r=__pthread_mutex_trylock(m)) == EBUSY) {
+ 		if (!(r=m->_m_lock) || ((r&0x40000000) && (type&4)))
+ 			continue;
+ 		if ((type&3) == PTHREAD_MUTEX_ERRORCHECK
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/default.nix b/pkgs/os-specific/linux/musl/default.nix
index 9628ec516763..6137a5942c26 100644
--- a/pkgs/os-specific/linux/musl/default.nix
+++ b/pkgs/os-specific/linux/musl/default.nix
@@ -29,11 +29,11 @@ let
 in
 stdenv.mkDerivation rec {
   name    = "musl-${version}";
-  version = "1.1.19";
+  version = "1.1.20";
 
   src = fetchurl {
     url    = "https://www.musl-libc.org/releases/musl-${version}.tar.gz";
-    sha256 = "1nf1wh44bhm8gdcfr75ayib29b99vpq62zmjymrq7f96h9bshnfv";
+    sha256 = "0q8dsjxl41dccscv9a0r78bs7jap57mn4mni5pwbbip6s1qqggj4";
   };
 
   enableParallelBuilding = true;
@@ -56,12 +56,31 @@ stdenv.mkDerivation rec {
       url = https://raw.githubusercontent.com/openwrt/openwrt/87606e25afac6776d1bbc67ed284434ec5a832b4/toolchain/musl/patches/300-relative.patch;
       sha256 = "0hfadrycb60sm6hb6by4ycgaqc9sgrhh42k39v8xpmcvdzxrsq2n";
     })
+    # Upstream bugfix, see: https://git.musl-libc.org/cgit/musl/commit/?id=0db393d3a77bb9f300a356c6a5484fc2dddb161d
+    # Explicitly flagged for inclusion by distributions using musl
+    ./fix-file-locking-race.patch
+    # More specific error reporting
+    ./tty-more-precise-errors.patch
+    # Use execveat to impl fexecve when avail (useful for containers)
+    ./fexecve-execveat.patch
+    # improve behavior in few cases
+    ./0001-in-pthread_mutex_trylock-EBUSY-out-more-directly-whe.patch
+    ./0002-in-pthread_mutex_timedlock-avoid-repeatedly-reading-.patch
+    ./0003-fix-namespace-violation-for-c11-mutex-functions.patch
+    # Fix getaddrinfo usage encountered sometimes in containers
+    ./fix-getaddrinfo-regression-with-AI_ADDRCONFIG.patch
+    # name_to_handle_at
+    ./name-to-handle-at.patch
+    ./max-handle-sz-for-name-to-handle-at.patch
+    # stacksize bump (upstream)
+    ./stacksize-bump.patch
   ];
   preConfigure = ''
     configureFlagsArray+=("--syslibdir=$out/lib")
   '';
 
-  CFLAGS="-fstack-protector-strong" + lib.optionalString stdenv.hostPlatform.isPower " -mlong-double-64";
+  CFLAGS = [ "-fstack-protector-strong" ]
+    ++ lib.optional stdenv.hostPlatform.isPower "-mlong-double-64";
 
   configureFlags = [
     "--enable-shared"
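Review bot: `# improve behavior in few cases` above the three numbered mutex patches does not say what they fix or where they come from, unlike the `fix-file-locking-race` entry, which cites its upstream commit; the patch files themselves carry the upstream ids, so `# upstream pthread mutex fixes (musl 4e4a162d, d1fa2886, 2de29bc9): trylock EBUSY path, cached type field, c11 namespace` would let the next musl bump decide when they can be dropped. The same applies to `./tty-more-precise-errors.patch`, `./name-to-handle-at.patch`, `./max-handle-sz-for-name-to-handle-at.patch` and `./stacksize-bump.patch`, which carry no upstream reference at all. The `patches` list starts outside the hunk.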
diff --git a/pkgs/os-specific/linux/musl/fexecve-execveat.patch b/pkgs/os-specific/linux/musl/fexecve-execveat.patch
new file mode 100644
index 000000000000..6b3894a916c8
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/fexecve-execveat.patch
@@ -0,0 +1,33 @@
+From e36f80cba6d5eefcc1ee664f16c2c72054b83134 Mon Sep 17 00:00:00 2001
+From: "Joseph C. Sible" <josephcsible@gmail.com>
+Date: Sun, 2 Sep 2018 13:42:26 -0400
+Subject: implement fexecve in terms of execveat when it exists
+
+This lets fexecve work even when /proc isn't mounted.
+---
+ src/process/fexecve.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/process/fexecve.c b/src/process/fexecve.c
+index 6507b429..8be3f760 100644
+--- a/src/process/fexecve.c
++++ b/src/process/fexecve.c
+@@ -1,10 +1,15 @@
++#define _GNU_SOURCE
+ #include <unistd.h>
+ #include <errno.h>
++#include <fcntl.h>
++#include "syscall.h"
+ 
+ void __procfdname(char *, unsigned);
+ 
+ int fexecve(int fd, char *const argv[], char *const envp[])
+ {
++	int r = __syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH);
++	if (r != -ENOSYS) return __syscall_ret(r);
+ 	char buf[15 + 3*sizeof(int)];
+ 	__procfdname(buf, fd);
+ 	execve(buf, argv, envp);
+-- 
+cgit v1.2.1
+
diff --git a/pkgs/os-specific/linux/musl/fix-file-locking-race.patch b/pkgs/os-specific/linux/musl/fix-file-locking-race.patch
new file mode 100644
index 000000000000..2ef91390a691
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/fix-file-locking-race.patch
@@ -0,0 +1,54 @@
+From 0db393d3a77bb9f300a356c6a5484fc2dddb161d Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Tue, 18 Sep 2018 10:03:27 +0300
+Subject: fix race condition in file locking
+
+The condition occurs when
+- thread #1 is holding the lock
+- thread #2 is waiting for it on __futexwait
+- thread #1 is about to release the lock and performs a_swap
+- thread #3 enters the __lockfile function and manages to grab the lock
+  before thread #1 calls __wake, resetting the MAYBE_WAITERS flag
+- thread #1 calls __wake
+- thread #2 wakes up but goes again to __futexwait as the lock is
+  held by thread #3
+- thread #3 releases the lock but does not call __wake as the
+  MAYBE_WAITERS flag is not set
+
+This condition results in thread #2 not being woken up. This patch fixes
+the problem by making the woken up thread ensure that the flag is
+properly set before going to sleep again.
+
+Mainainer's note: This fixes a regression introduced in commit
+c21f750727515602a9e84f2a190ee8a0a2aeb2a1.
+---
+ src/stdio/__lockfile.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/stdio/__lockfile.c b/src/stdio/__lockfile.c
+index 2ff75d8a..0dcb2a42 100644
+--- a/src/stdio/__lockfile.c
++++ b/src/stdio/__lockfile.c
+@@ -8,13 +8,13 @@ int __lockfile(FILE *f)
+ 	int owner = f->lock, tid = __pthread_self()->tid;
+ 	if ((owner & ~MAYBE_WAITERS) == tid)
+ 		return 0;
+-	for (;;) {
+-		owner = a_cas(&f->lock, 0, tid);
+-		if (!owner) return 1;
+-		if (a_cas(&f->lock, owner, owner|MAYBE_WAITERS)==owner) break;
++	owner = a_cas(&f->lock, 0, tid);
++	if (!owner) return 1;
++	while ((owner = a_cas(&f->lock, 0, tid|MAYBE_WAITERS))) {
++		if ((owner & MAYBE_WAITERS) ||
++		    a_cas(&f->lock, owner, owner|MAYBE_WAITERS)==owner)
++			__futexwait(&f->lock, owner|MAYBE_WAITERS, 1);
+ 	}
+-	while ((owner = a_cas(&f->lock, 0, tid|MAYBE_WAITERS)))
+-		__futexwait(&f->lock, owner, 1);
+ 	return 1;
+ }
+ 
+-- 
+cgit v1.2.1
+
diff --git a/pkgs/os-specific/linux/musl/fix-getaddrinfo-regression-with-AI_ADDRCONFIG.patch b/pkgs/os-specific/linux/musl/fix-getaddrinfo-regression-with-AI_ADDRCONFIG.patch
new file mode 100644
index 000000000000..d603c16f8062
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/fix-getaddrinfo-regression-with-AI_ADDRCONFIG.patch
@@ -0,0 +1,52 @@
+From f381c118b2d4f7d914481d3cdc830ce41369b002 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 19 Sep 2018 18:03:22 -0400
+Subject: [PATCH] fix getaddrinfo regression with AI_ADDRCONFIG on some
+ configurations
+
+despite not being documented to do so in the standard or Linux
+documentation, attempts to udp connect to 127.0.0.1 or ::1 generate
+EADDRNOTAVAIL when the loopback device is not configured and there is
+no default route for IPv6. this caused getaddrinfo with AI_ADDRCONFIG
+to fail with EAI_SYSTEM and EADDRNOTAVAIL on some no-IPv6
+configurations, rather than the intended behavior of detecting IPv6 as
+unsuppported and producing IPv4-only results.
+
+previously, only EAFNOSUPPORT was treated as unavailability of the
+address family being probed. instead, treat all errors related to
+inability to get an address or route as conclusive that the family
+being probed is unsupported, and only fail with EAI_SYSTEM on other
+errors.
+
+further improvements may be desirable, such as reporting EAI_AGAIN
+instead of EAI_SYSTEM for errors which are expected to be transient,
+but this patch should suffice to fix the serious regression.
+---
+ src/network/getaddrinfo.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/getaddrinfo.c b/src/network/getaddrinfo.c
+index ba26847a..e33bfa28 100644
+--- a/src/network/getaddrinfo.c
++++ b/src/network/getaddrinfo.c
+@@ -76,7 +76,16 @@ int getaddrinfo(const char *restrict host, const char *restrict serv, const stru
+ 				close(s);
+ 				if (!r) continue;
+ 			}
+-			if (errno != EAFNOSUPPORT) return EAI_SYSTEM;
++			switch (errno) {
++			case EADDRNOTAVAIL:
++			case EAFNOSUPPORT:
++			case EHOSTUNREACH:
++			case ENETDOWN:
++			case ENETUNREACH:
++				break;
++			default:
++				return EAI_SYSTEM;
++			}
+ 			if (family == tf[i]) return EAI_NONAME;
+ 			family = tf[1-i];
+ 		}
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/max-handle-sz-for-name-to-handle-at.patch b/pkgs/os-specific/linux/musl/max-handle-sz-for-name-to-handle-at.patch
new file mode 100644
index 000000000000..aa00b4619f86
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/max-handle-sz-for-name-to-handle-at.patch
@@ -0,0 +1,26 @@
+From 7d7f44253f2d8cfd0a7adf9f918d88aa24d4e012 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 13 Sep 2018 07:00:05 -0700
+Subject: [PATCH] define MAX_HANDLE_SZ for use with name_to_handle_at
+
+MAX_HANDLE_SZ is described in name_to_handle_at() to contain maximum
+expected size for a file handle
+---
+ include/fcntl.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/fcntl.h b/include/fcntl.h
+index 99b21759..4d91338b 100644
+--- a/include/fcntl.h
++++ b/include/fcntl.h
+@@ -166,6 +166,7 @@ struct f_owner_ex {
+ };
+ #define FALLOC_FL_KEEP_SIZE 1
+ #define FALLOC_FL_PUNCH_HOLE 2
++#define MAX_HANDLE_SZ 128
+ #define SYNC_FILE_RANGE_WAIT_BEFORE 1
+ #define SYNC_FILE_RANGE_WRITE 2
+ #define SYNC_FILE_RANGE_WAIT_AFTER 4
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/name-to-handle-at.patch b/pkgs/os-specific/linux/musl/name-to-handle-at.patch
new file mode 100644
index 000000000000..10cd8a9947c8
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/name-to-handle-at.patch
@@ -0,0 +1,71 @@
+From 3e14bbcd1979376b188bfabb816ff828608fb5d7 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 12 Sep 2018 18:02:11 -0700
+Subject: [PATCH] wireup linux/name_to_handle_at and name_to_handle_at syscalls
+
+---
+ include/fcntl.h               |  7 +++++++
+ src/linux/name_to_handle_at.c | 10 ++++++++++
+ src/linux/open_by_handle_at.c |  8 ++++++++
+ 3 files changed, 25 insertions(+)
+ create mode 100644 src/linux/name_to_handle_at.c
+ create mode 100644 src/linux/open_by_handle_at.c
+
+diff --git a/include/fcntl.h b/include/fcntl.h
+index 6d8edcd1..99b21759 100644
+--- a/include/fcntl.h
++++ b/include/fcntl.h
+@@ -155,6 +155,11 @@ int lockf(int, int, off_t);
+ #define F_OWNER_PID 1
+ #define F_OWNER_PGRP 2
+ #define F_OWNER_GID 2
++struct file_handle {
++	unsigned handle_bytes;
++	int handle_type;
++	unsigned char f_handle[];
++};
+ struct f_owner_ex {
+ 	int type;
+ 	pid_t pid;
+@@ -170,6 +175,8 @@ struct f_owner_ex {
+ #define SPLICE_F_GIFT 8
+ int fallocate(int, int, off_t, off_t);
+ #define fallocate64 fallocate
++int name_to_handle_at(int, const char *, struct file_handle *, int *, int);
++int open_by_handle_at(int, struct file_handle *, int);
+ ssize_t readahead(int, off_t, size_t);
+ int sync_file_range(int, off_t, off_t, unsigned);
+ ssize_t vmsplice(int, const struct iovec *, size_t, unsigned);
+diff --git a/src/linux/name_to_handle_at.c b/src/linux/name_to_handle_at.c
+new file mode 100644
+index 00000000..cd4075bd
+--- /dev/null
++++ b/src/linux/name_to_handle_at.c
+@@ -0,0 +1,10 @@
++#define _GNU_SOURCE
++#include <fcntl.h>
++#include "syscall.h"
++
++int name_to_handle_at(int dirfd, const char *pathname,
++	struct file_handle *handle, int *mount_id, int flags)
++{
++	return syscall(SYS_name_to_handle_at, dirfd,
++		pathname, handle, mount_id, flags);
++}
+diff --git a/src/linux/open_by_handle_at.c b/src/linux/open_by_handle_at.c
+new file mode 100644
+index 00000000..1c9b6a2b
+--- /dev/null
++++ b/src/linux/open_by_handle_at.c
+@@ -0,0 +1,8 @@
++#define _GNU_SOURCE
++#include <fcntl.h>
++#include "syscall.h"
++
++int open_by_handle_at(int mount_fd, struct file_handle *handle, int flags)
++{
++	return syscall(SYS_open_by_handle_at, mount_fd, handle, flags);
++}
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/stacksize-bump.patch b/pkgs/os-specific/linux/musl/stacksize-bump.patch
new file mode 100644
index 000000000000..fb5373005cbf
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/stacksize-bump.patch
@@ -0,0 +1,36 @@
+From c0058ab465e950c2c3302d2b62e21cc0b494224b Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 18 Sep 2018 23:11:49 -0400
+Subject: [PATCH 3/4] increase default thread stack/guard size
+
+stack size default is increased from 80k to 128k. this coincides with
+Linux's hard-coded default stack for the main thread (128k is
+initially committed; growth beyond that up to ulimit is contingent on
+additional allocation succeeding) and GNU ld's default PT_GNU_STACK
+size for FDPIC, at least on sh.
+
+guard size default is increased from 4k to 8k to reduce the risk of
+guard page jumping on overflow, since use of just over 4k of stack is
+common (PATH_MAX buffers, etc.).
+---
+ src/internal/pthread_impl.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/internal/pthread_impl.h b/src/internal/pthread_impl.h
+index e73a251f..d491f975 100644
+--- a/src/internal/pthread_impl.h
++++ b/src/internal/pthread_impl.h
+@@ -185,8 +185,8 @@ hidden void __inhibit_ptc(void);
+ extern hidden unsigned __default_stacksize;
+ extern hidden unsigned __default_guardsize;
+ 
+-#define DEFAULT_STACK_SIZE 81920
+-#define DEFAULT_GUARD_SIZE 4096
++#define DEFAULT_STACK_SIZE 131072
++#define DEFAULT_GUARD_SIZE 8192
+ 
+ #define DEFAULT_STACK_MAX (8<<20)
+ #define DEFAULT_GUARD_MAX (1<<20)
+-- 
+2.19.0
+
diff --git a/pkgs/os-specific/linux/musl/tty-more-precise-errors.patch b/pkgs/os-specific/linux/musl/tty-more-precise-errors.patch
new file mode 100644
index 000000000000..06b108559e46
--- /dev/null
+++ b/pkgs/os-specific/linux/musl/tty-more-precise-errors.patch
@@ -0,0 +1,51 @@
+From c84971995b3a6d5118f9357c040572f4c78bcd55 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Thu, 13 Sep 2018 14:23:42 -0700
+Subject: improve error handling of ttyname_r and isatty
+
+POSIX allows ttyname(_r) and isatty to return EBADF if passed file
+descriptor is invalid.
+
+maintainer's note: these are optional ("may fail") errors, but it's
+non-conforming for ttyname_r to return ENOTTY when it failed for a
+different reason.
+---
+ src/unistd/isatty.c    | 6 +++++-
+ src/unistd/ttyname_r.c | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/unistd/isatty.c b/src/unistd/isatty.c
+index c8badaf5..75a9c186 100644
+--- a/src/unistd/isatty.c
++++ b/src/unistd/isatty.c
+@@ -1,9 +1,13 @@
+ #include <unistd.h>
++#include <errno.h>
+ #include <sys/ioctl.h>
+ #include "syscall.h"
+ 
+ int isatty(int fd)
+ {
+ 	struct winsize wsz;
+-	return !__syscall(SYS_ioctl, fd, TIOCGWINSZ, &wsz);
++	unsigned long r = syscall(SYS_ioctl, fd, TIOCGWINSZ, &wsz);
++	if (r == 0) return 1;
++	if (errno != EBADF) errno = ENOTTY;
++	return 0;
+ }
+diff --git a/src/unistd/ttyname_r.c b/src/unistd/ttyname_r.c
+index cb364c29..82acb75e 100644
+--- a/src/unistd/ttyname_r.c
++++ b/src/unistd/ttyname_r.c
+@@ -9,7 +9,7 @@ int ttyname_r(int fd, char *name, size_t size)
+ 	char procname[sizeof "/proc/self/fd/" + 3*sizeof(int) + 2];
+ 	ssize_t l;
+ 
+-	if (!isatty(fd)) return ENOTTY;
++	if (!isatty(fd)) return errno;
+ 
+ 	__procfdname(procname, fd);
+ 	l = readlink(procname, name, size);
+-- 
+cgit v1.2.1
+
diff --git a/pkgs/os-specific/linux/mwprocapture/default.nix b/pkgs/os-specific/linux/mwprocapture/default.nix
index 72095bc8cdab..f6f6c10112a7 100644
--- a/pkgs/os-specific/linux/mwprocapture/default.nix
+++ b/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -15,17 +15,15 @@ let
 in
 stdenv.mkDerivation rec {
   name = "mwprocapture-1.2.${version}-${kernel.version}";
-  version = "3773";
+  version = "3950";
 
   src = fetchurl {
     url = "http://www.magewell.com/files/drivers/ProCaptureForLinux_${version}.tar.gz";
-    sha256 = "1ri7c4l4xgkhpz0f15jra1p7mpzi8ir6lpwjm7q7hc9m4cvxcs1g";
+    sha256 = "1im3k533r6c0dx08h9wjfbhadzk7zawrxxaz7v94c92m3q133ys6";
   };
 
   nativeBuildInputs = [ kernel.moduleBuildDependencies ];
 
-  patches = [ ./linux_4_14_fix.patch ];
-
   preConfigure =
   ''
     cd ./src
diff --git a/pkgs/os-specific/linux/mwprocapture/linux_4_14_fix.patch b/pkgs/os-specific/linux/mwprocapture/linux_4_14_fix.patch
deleted file mode 100644
index 94da5a00a2e2..000000000000
--- a/pkgs/os-specific/linux/mwprocapture/linux_4_14_fix.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-diff -Naur ProCaptureForLinux_3773/src/sources/ospi/linux-file.c ProCaptureForLinux_3773_new/src/sources/ospi/linux-file.c
---- ProCaptureForLinux_3773/src/sources/ospi/linux-file.c	2017-12-15 01:59:57.000000000 -0800
-+++ ProCaptureForLinux_3773_new/src/sources/ospi/linux-file.c	2017-12-23 22:47:33.666823299 -0800
-@@ -7,8 +7,9 @@
- 
- #include "linux-file.h"
- 
--#include <asm/uaccess.h>
- #include <linux/sched.h>
-+#include <asm/uaccess.h>
-+#include <linux/version.h>
- 
- struct file *linux_file_open(const char *path, int flags, int mode)
- {
-@@ -28,29 +29,36 @@
-     filp_close(file, NULL);
- }
- 
--ssize_t linux_file_read(struct file *file, loff_t offset, unsigned char *data, size_t size)
-+ssize_t linux_file_read(struct file *file, loff_t offset, void *data, size_t size)
- {
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0)
-+    return(kernel_read(file, data, size, &offset));
-+#else
-     mm_segment_t oldfs;
-     ssize_t ret;
- 
-     oldfs = get_fs();
-     set_fs(get_ds());
--    ret = vfs_read(file, data, size, &offset);
-+    ret = vfs_read(file, (unsigned char *)data, size, &offset);
-     set_fs(oldfs);
- 
-     return ret;
-+#endif
- }
- 
--ssize_t linux_file_write(struct file *file, loff_t offset, unsigned char *data, size_t size)
-+ssize_t linux_file_write(struct file *file, loff_t offset, const void *data, size_t size)
- {
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0)
-+    return(kernel_write(file, data, size, &offset));
-+#else
-     mm_segment_t oldfs;
-     ssize_t ret;
- 
-     oldfs = get_fs();
-     set_fs(get_ds());
--    ret = vfs_write(file, data, size, &offset);
-+    ret = vfs_write(file, (const unsigned char *)data, size, &offset);
-     set_fs(oldfs);
- 
-     return ret;
-+#endif
- }
--
-diff -Naur ProCaptureForLinux_3773/src/sources/ospi/linux-file.h ProCaptureForLinux_3773_new/src/sources/ospi/linux-file.h
---- ProCaptureForLinux_3773/src/sources/ospi/linux-file.h	2017-12-15 01:59:57.000000000 -0800
-+++ ProCaptureForLinux_3773_new/src/sources/ospi/linux-file.h	2017-12-23 22:46:22.028545189 -0800
-@@ -13,9 +13,9 @@
- 
- void linux_file_close(struct file *file);
- 
--ssize_t linux_file_read(struct file *file, loff_t offset, unsigned char *data, size_t size);
-+ssize_t linux_file_read(struct file *file, loff_t offset, void *data, size_t size);
- 
--ssize_t linux_file_write(struct file *file, loff_t offset, unsigned char *data, size_t size);
-+ssize_t linux_file_write(struct file *file, loff_t offset, const void *data, size_t size);
- 
- #endif /* __LINUX_FILE_H__ */
- 
diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix
index f67663b31061..19a5184f8962 100644
--- a/pkgs/os-specific/linux/nfs-utils/default.nix
+++ b/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -1,24 +1,19 @@
 { stdenv, fetchurl, fetchpatch, lib, pkgconfig, utillinux, libcap, libtirpc, libevent
 , sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
-, buildEnv
+, buildEnv, python3
 }:
 
 let
   statdPath = lib.makeBinPath [ systemd utillinux coreutils ];
+in
 
-  # Not nice; feel free to find a nicer solution.
-  kerberosEnv = buildEnv {
-    name = "kerberos-env-${kerberos.version}";
-    paths = with lib; [ (getDev kerberos) (getLib kerberos) ];
-  };
-
-in stdenv.mkDerivation rec {
+stdenv.mkDerivation rec {
   name = "nfs-utils-${version}";
-  version = "2.3.2";
+  version = "2.3.3";
 
   src = fetchurl {
     url = "https://kernel.org/pub/linux/utils/nfs-utils/${version}/${name}.tar.xz";
-    sha256 = "06av6cjf8h18dpaxh8cd1awsra75zf6s5sj5r2z5g7scbj051ziw";
+    sha256 = "08k36d7l8yqylscnln3p85lcfwi7r7g6n3bnslgmzc1i71wk92zn";
   };
 
   # libnfsidmap is built together with nfs-utils from the same source,
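Review bot: `buildEnv` is still taken as an argument on the `, buildEnv, python3` line even though its only visible use, the removed `kerberosEnv` wrapper, is gone; unless another use exists outside the hunks shown, the line should become `, python3`. The rewrite also leaves `in` on its own line followed by a blank line before `stdenv.mkDerivation rec {`, where the removed code had `in stdenv.mkDerivation rec {`; either layout is fine but the file should use one consistently.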
@@ -30,14 +25,24 @@ in stdenv.mkDerivation rec {
   buildInputs = [
     libtirpc libcap libevent sqlite lvm2
     libuuid keyutils kerberos tcp_wrappers
+    python3
   ];
 
   enableParallelBuilding = true;
 
+  preConfigure =
+    ''
+      substituteInPlace configure \
+        --replace '$dir/include/gssapi' ${lib.getDev kerberos}/include/gssapi \
+        --replace '$dir/bin/krb5-config' ${lib.getDev kerberos}/bin/krb5-config
+    '';
+
+  #configureScript = "bash -x configure";
+
   configureFlags =
     [ "--enable-gss"
       "--with-statedir=/var/lib/nfs"
-      "--with-krb5=${kerberosEnv}"
+      "--with-krb5=${lib.getLib kerberos}"
       "--with-systemd=${placeholder "out"}/etc/systemd/system"
       "--enable-libmount-mount"
       "--with-pluginpath=${placeholder "lib"}/lib/libnfsidmap" # this installs libnfsidmap
@@ -83,6 +88,8 @@ in stdenv.mkDerivation rec {
     "statdpath=$(TMPDIR)"
   ];
 
+  stripDebugList = [ "lib" "libexec" "bin" "etc/systemd/system-generators" ];
+
   postInstall =
     ''
       # Not used on NixOS
@@ -95,6 +102,8 @@ in stdenv.mkDerivation rec {
   # One test fails on mips.
   doCheck = !stdenv.isMips;
 
+  disallowedReferences = [ (lib.getDev kerberos) ];
+
   meta = with stdenv.lib; {
     description = "Linux user-space NFS utilities";
 
diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix
index bf21f92bd66d..3c02cf2bb889 100644
--- a/pkgs/os-specific/linux/numactl/default.nix
+++ b/pkgs/os-specific/linux/numactl/default.nix
@@ -13,11 +13,6 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ autoreconfHook ];
 
-  patches = stdenv.lib.optional stdenv.hostPlatform.isMusl (fetchpatch {
-      url = https://git.alpinelinux.org/cgit/aports/plain/testing/numactl/musl.patch?id=0592b128c71c3e70d493bc7a13caed0d7fae91dd;
-      sha256 = "080b0sygmg7104qbbh1amh3b322yyiajwi2d3d0vayffgva0720v";
-    });
-
   postPatch = ''
     patchShebangs test
   '';
diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh
index 15c3e10e1199..8882ffdd45e7 100755
--- a/pkgs/os-specific/linux/nvidia-x11/builder.sh
+++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -26,32 +26,44 @@ buildPhase() {
     fi
 }
 
-    
+
 installPhase() {
     # Install libGL and friends.
+
+    # since version 391, 32bit libraries are bundled in the 32/ sub-directory
+    if [ "$i686bundled" = "1" ]; then
+        mkdir -p "$lib32/lib"
+        cp -prd 32/*.so.* 32/tls "$lib32/lib/"
+    fi
+
     mkdir -p "$out/lib"
     cp -prd *.so.* tls "$out/lib/"
-    rm $out/lib/lib{glx,nvidia-wfb}.so.* # handled separately
-    rm -f $out/lib/libnvidia-gtk* # built from source
-    if [ "$useGLVND" = "1" ]; then
-        # Pre-built libglvnd
-        rm $out/lib/lib{GL,GLX,EGL,GLESv1_CM,GLESv2,OpenGL,GLdispatch}.so.*
-    fi
-    # Use ocl-icd instead
-    rm $out/lib/libOpenCL.so*
-    # Move VDPAU libraries to their place
-    mkdir $out/lib/vdpau
-    mv $out/lib/libvdpau* $out/lib/vdpau
-
-    # Install ICDs.
-    install -Dm644 nvidia.icd $out/etc/OpenCL/vendors/nvidia.icd
-    if [ -e nvidia_icd.json.template ]; then
-        sed "s#__NV_VK_ICD__#libGLX_nvidia.so#" nvidia_icd.json.template > nvidia_icd.json
-        install -Dm644 nvidia_icd.json $out/share/vulkan/icd.d/nvidia.json
-    fi
-    if [ "$useGLVND" = "1" ]; then
-        install -Dm644 10_nvidia.json $out/share/glvnd/egl_vendor.d/nvidia.json
-    fi
+
+    for i in $lib32 $out; do
+        rm -f $i/lib/lib{glx,nvidia-wfb}.so.* # handled separately
+        rm -f $i/lib/libnvidia-gtk* # built from source
+        if [ "$useGLVND" = "1" ]; then
+            # Pre-built libglvnd
+            rm $i/lib/lib{GL,GLX,EGL,GLESv1_CM,GLESv2,OpenGL,GLdispatch}.so.*
+        fi
+        # Use ocl-icd instead
+        rm -f $i/lib/libOpenCL.so*
+        # Move VDPAU libraries to their place
+        mkdir $i/lib/vdpau
+        mv $i/lib/libvdpau* $i/lib/vdpau
+
+        # Install ICDs.
+        install -Dm644 nvidia.icd $i/etc/OpenCL/vendors/nvidia.icd
+        if [ -e nvidia_icd.json.template ]; then
+            sed "s#__NV_VK_ICD__#libGLX_nvidia.so#" nvidia_icd.json.template > nvidia_icd.json
+            install -Dm644 nvidia_icd.json $i/share/vulkan/icd.d/nvidia.json
+        fi
+        if [ "$useGLVND" = "1" ]; then
+            install -Dm644 10_nvidia.json $i/share/glvnd/egl_vendor.d/nvidia.json
+        fi
+
+    done
+
 
     if [ -n "$bin" ]; then
         # Install the X drivers.
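Review bot: Inside the new `for i in $lib32 $out` loop, `rm $i/lib/lib{GL,GLX,EGL,GLESv1_CM,GLESv2,OpenGL,GLdispatch}.so.*` is the only `rm` without `-f`; it now also runs against the 32-bit bundle, and if any of those libraries is absent from `32/` the unexpanded glob makes `rm` fail and aborts the build. Use `rm -f` there like the neighbouring lines, or document why every listed library is guaranteed in both trees. The loop also depends on `$lib32` being empty to disappear from the unquoted word list; a comment such as `# $lib32 is empty unless i686bundled, so the loop then covers only $out` would mark that as intentional. `installPhase` continues past the end of this hunk.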
@@ -60,7 +72,7 @@ installPhase() {
         mkdir -p $bin/lib/xorg/modules/drivers
         cp -p nvidia_drv.so $bin/lib/xorg/modules/drivers
         mkdir -p $bin/lib/xorg/modules/extensions
-        cp -p libglx.so.* $bin/lib/xorg/modules/extensions
+        cp -p libglx*.so* $bin/lib/xorg/modules/extensions
 
         # Install the kernel module.
         mkdir -p $bin/lib/modules/$kernelVersion/misc
@@ -78,7 +90,7 @@ installPhase() {
     fi
 
     # All libs except GUI-only are installed now, so fixup them.
-    for libname in `find "$out/lib/" -name '*.so.*'` `test -z "$bin" || find "$bin/lib/" -name '*.so.*'`
+    for libname in $(find "$out/lib/" $(test -n "$lib32" && echo "$lib32/lib/") $(test -n "$bin" && echo "$bin/lib/") -name '*.so.*')
     do
       # I'm lazy to differentiate needed libs per-library, as the closure is the same.
       # Unfortunately --shrink-rpath would strip too much.
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index 16bab9979d03..44598588db9d 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -1,4 +1,4 @@
-{ lib, callPackage, fetchurl }:
+{ lib, callPackage, fetchurl, stdenv }:
 
 let
   generic = args: callPackage (import ./generic.nix args) { };
@@ -16,16 +16,28 @@ let
 in
 rec {
   # Policy: use the highest stable version as the default (on our master).
-  stable = generic {
-    version = "390.77";
-    sha256_32bit = "1yd313ghh2qbn07d5wbkshfwgkm4mh49vcqkydds3b3xk0mx4i8l";
-    sha256_64bit = "10kjccrkdn360035lh985cadhwy6lk9xrw3wlmww2wqfaa25f775";
-    settingsSha256 = "1wvxldpjkrx0ldjm5l6ycm6paxpcw89h0n6hfkznfkahkq7fwxdj";
-    persistencedSha256 = "1gklmc0v17m018cwpdlzwdyd45y4sjvjhj8a3l44baygix5zn30f";
+  stable = if stdenv.hostPlatform.system == "x86_64-linux" then stable_410 else stable_390;
+
+  stable_410 = generic {
+    version = "410.66";
+    sha256_64bit = "05xjzvj0fgmkpz36dbd7hy2vzl6xxiflzx7kml3k7ad9gy2svdlg";
+    settingsSha256 = "1nsxz1byshgjs3c03lyx6ya36dp0f2vg2l0d9pkh1i6cpzkp53kz";
+    persistencedSha256 = "0m4wdpb8w4y323d8py105p9hizwmf2ai8frkl7h77sn3ski17zw6";
   };
 
-  beta = stable; # not enough interest to maintain beta ATM
+  # Last one supporting x86
+  stable_390 = generic {
+    version = "390.87";
+    sha256_32bit = "0rlr1f4lnpb8c4qz4w5r8xw5gdy9bzz26qww45qyl1qav3wwaaaw";
+    sha256_64bit = "07k1kq8lkgbvjyr2dnbxcz6nppcwpq17wf925w8kfq78345hla9q";
+    settingsSha256 = "0xlaiy7jr95z0v2c6cwll89nxnb142pybw7m08jg44r7n13ffv3r";
+    persistencedSha256 = "0mhwk321garyl6m12261cj03ycv0qz1sbrlbq6cqwjpq4f1s7h58";
+
+    patches = lib.optional (kernel.meta.branch == "4.19") ./drm_mode_connector.patch;
+  };
 
+  # No active beta right now
+  beta = stable;
 
   legacy_340 = generic {
     version = "340.104";
diff --git a/pkgs/os-specific/linux/nvidia-x11/drm_mode_connector.patch b/pkgs/os-specific/linux/nvidia-x11/drm_mode_connector.patch
new file mode 100644
index 000000000000..58cf06fae45f
--- /dev/null
+++ b/pkgs/os-specific/linux/nvidia-x11/drm_mode_connector.patch
@@ -0,0 +1,24 @@
+diff -ura a/kernel/nvidia-drm/nvidia-drm-connector.c b/kernel/nvidia-drm/nvidia-drm-connector.c
+--- a/kernel/nvidia-drm/nvidia-drm-connector.c	2018-09-07 17:38:31.807453997 -0400
++++ b/kernel/nvidia-drm/nvidia-drm-connector.c	2018-09-07 17:39:22.446185824 -0400
+@@ -226,7 +226,7 @@
+ 
+ 
+     if (nv_connector->edid != NULL) {
+-        drm_mode_connector_update_edid_property(
++        drm_connector_update_edid_property(
+             connector, nv_connector->edid);
+     }
+ 
+diff -ura a/kernel/nvidia-drm/nvidia-drm-encoder.c b/kernel/nvidia-drm/nvidia-drm-encoder.c
+--- a/kernel/nvidia-drm/nvidia-drm-encoder.c	2018-09-07 17:38:31.807453997 -0400
++++ b/kernel/nvidia-drm/nvidia-drm-encoder.c	2018-09-07 17:39:35.083798484 -0400
+@@ -216,7 +216,7 @@
+ 
+     /* Attach encoder and connector */
+ 
+-    ret = drm_mode_connector_attach_encoder(connector, encoder);
++    ret = drm_connector_attach_encoder(connector, encoder);
+ 
+     if (ret != 0) {
+         NV_DRM_DEV_LOG_ERR(
diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix
index 06125787a588..a40a64344932 100644
--- a/pkgs/os-specific/linux/nvidia-x11/generic.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -1,5 +1,5 @@
 { version
-, sha256_32bit
+, sha256_32bit ? null
 , sha256_64bit
 , settingsSha256
 , persistencedSha256
@@ -22,11 +22,15 @@
 
 with stdenv.lib;
 
-assert (!libsOnly) -> kernel != null;
+assert !libsOnly -> kernel != null;
+assert versionOlder version "391" -> sha256_32bit != null;
+assert ! versionOlder version "391" -> stdenv.hostPlatform.system == "x86_64-linux";
 
 let
   nameSuffix = optionalString (!libsOnly) "-${kernel.version}";
   pkgSuffix = optionalString (versionOlder version "304") "-pkg0";
+  i686bundled = versionAtLeast version "391";
+
 
   self = stdenv.mkDerivation {
     name = "nvidia-x11-${version}${nameSuffix}";
@@ -34,24 +38,27 @@ let
     builder = ./builder.sh;
 
     src =
-      if stdenv.hostPlatform.system == "i686-linux" then
-        fetchurl {
-          url = "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run";
-          sha256 = sha256_32bit;
-        }
-      else if stdenv.hostPlatform.system == "x86_64-linux" then
+      if stdenv.hostPlatform.system == "x86_64-linux" then
         fetchurl {
           url = "https://download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
           sha256 = sha256_64bit;
         }
+      else if stdenv.hostPlatform.system == "i686-linux" then
+        fetchurl {
+          url = "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run";
+          sha256 = sha256_32bit;
+        }
       else throw "nvidia-x11 does not support platform ${stdenv.hostPlatform.system}";
 
     patches = if libsOnly then null else patches;
     inherit prePatch;
     inherit version useGLVND useProfiles;
     inherit (stdenv.hostPlatform) system;
+    inherit i686bundled;
 
-    outputs = [ "out" ] ++ optional (!libsOnly) "bin";
+    outputs = [ "out" ]
+        ++ optional i686bundled "lib32"
+        ++ optional (!libsOnly) "bin";
     outputDev = if libsOnly then null else "bin";
 
     kernel = if libsOnly then null else kernel.dev;
@@ -62,7 +69,7 @@ let
     dontStrip = true;
     dontPatchELF = true;
 
-    libPath = makeLibraryPath [ xorg.libXext xorg.libX11 xorg.libXv xorg.libXrandr zlib stdenv.cc.cc ];
+    libPath = makeLibraryPath [ xorg.libXext xorg.libX11 xorg.libXv xorg.libXrandr xorg.libxcb zlib stdenv.cc.cc ];
 
     nativeBuildInputs = [ perl nukeReferences ]
       ++ optionals (!libsOnly) kernel.moduleBuildDependencies;
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 52e4c512f9a2..8fdd2356c30d 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -9,18 +9,12 @@ stdenv.mkDerivation rec {
     sha256 = "0biw882fp1lmgs6kpxznp1v6758r7dg9x8iv5a06k0b82bcdsc53";
   };
 
-  # TODO Always do first way next mass rebuild.
-  buildInputs = stdenv.lib.optional
-    (!stdenv.hostPlatform.isLinux || !stdenv.buildPlatform.isLinux)
-    elf-header;
+  buildInputs = [ elf-header ];
 
-  # TODO Always do first way next mass rebuild.
-  preBuild = if !stdenv.hostPlatform.isLinux || !stdenv.buildPlatform.isLinux then ''
+  preBuild = ''
     sed -i Makefile \
       -e 's|--owner 0 --group 0||g' \
       -e '/CC:=gcc/d'
-  '' else ''
-    sed "s|--owner 0 --group 0||g" -i Makefile
   '';
 
   makeFlags = [
diff --git a/pkgs/os-specific/linux/piper/default.nix b/pkgs/os-specific/linux/piper/default.nix
new file mode 100644
index 000000000000..a3ae0b74f126
--- /dev/null
+++ b/pkgs/os-specific/linux/piper/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, meson, ninja, pkgconfig, gettext, fetchFromGitHub, python3
+, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome3
+, gobjectIntrospection }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "piper-${version}";
+  version = "0.2.902";
+
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "piper";
+    rev    =  version;
+    sha256 = "1ny0vf8ym9v040cb5h084k5wwn929fnhq9infbdq8f8vvy61magb";
+  };
+
+  nativeBuildInputs = [ meson ninja gettext pkgconfig wrapGAppsHook desktop-file-utils appstream-glib gobjectIntrospection ];
+  buildInputs = [ gtk3 glib gnome3.defaultIconTheme python3 ];
+  propagatedBuildInputs = with python3.pkgs; [ lxml evdev pygobject3 ];
+
+  postPatch = ''
+    chmod +x meson_install.sh # patchShebangs requires executable file
+    patchShebangs meson_install.sh
+  '';
+
+  meta = with stdenv.lib; {
+    description = "GTK frontend for ratbagd mouse config daemon";
+    homepage    = https://github.com/libratbag/piper;
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
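Review bot: `pname = "piper-${version}";` already contains the version, so if `buildPythonApplication` derives the store name as `pname-version` (as nixpkgs does) the result is `piper-0.2.902-0.2.902`; it should be `pname = "piper";`. Minor: `rev    =  version;` has a stray double space after `=` in the aligned block.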
diff --git a/pkgs/os-specific/linux/pmount/default.nix b/pkgs/os-specific/linux/pmount/default.nix
index f0f706157ed1..cd0e277b2c6b 100644
--- a/pkgs/os-specific/linux/pmount/default.nix
+++ b/pkgs/os-specific/linux/pmount/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
   doCheck = false; # fails 1 out of 1 tests with "Error: could not open fstab-type file: No such file or directory"
 
   meta = {
-    homepage = http://pmount.alioth.debian.org/;
+    homepage = https://bazaar.launchpad.net/~fourmond/pmount/main/files;
     description = "Mount removable devices as normal user";
     license = stdenv.lib.licenses.gpl2;
     platforms = stdenv.lib.platforms.linux;
diff --git a/pkgs/os-specific/linux/procps-ng/default.nix b/pkgs/os-specific/linux/procps-ng/default.nix
index 7f1e93c072da..272812ccb588 100644
--- a/pkgs/os-specific/linux/procps-ng/default.nix
+++ b/pkgs/os-specific/linux/procps-ng/default.nix
@@ -1,10 +1,16 @@
 { lib, stdenv, fetchurl, ncurses, pkgconfig
 
+# `ps` with systemd support is able to properly report different
+# attributes like unit name, so we want to have it on linux.
+, withSystemd ? stdenv.isLinux
+, systemd ? null
+
 # procps is mostly Linux-only. Most commands require a running Linux
 # system (or very similar like that found in Cygwin). The one
 # exception is ‘watch’ which is portable enough to run on pretty much
 # any UNIX-compatible system.
-, watchOnly ? !(stdenv.isLinux || stdenv.isCygwin) }:
+, watchOnly ? !(stdenv.isLinux || stdenv.isCygwin)
+}:
 
 stdenv.mkDerivation rec {
   name = "procps-${version}";
@@ -16,7 +22,8 @@ stdenv.mkDerivation rec {
     sha256 = "0r84kwa5fl0sjdashcn4vh7hgfm7ahdcysig3mcjvpmkzi7p9g8h";
   };
 
-  buildInputs = [ ncurses ];
+  buildInputs = [ ncurses ]
+    ++ lib.optional withSystemd systemd;
   nativeBuildInputs = [ pkgconfig ];
 
   makeFlags = [ "usrbin_execdir=$(out)/bin" ]
@@ -26,6 +33,7 @@ stdenv.mkDerivation rec {
 
   # Too red
   configureFlags = [ "--disable-modern-top" ]
+    ++ lib.optional withSystemd "--with-systemd"
     ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform)
     [ "ac_cv_func_malloc_0_nonnull=yes"
       "ac_cv_func_realloc_0_nonnull=yes" ];
diff --git a/pkgs/os-specific/linux/pscircle/default.nix b/pkgs/os-specific/linux/pscircle/default.nix
index a334465fb71d..1efbd7bc2c9f 100644
--- a/pkgs/os-specific/linux/pscircle/default.nix
+++ b/pkgs/os-specific/linux/pscircle/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "pscircle-${version}";
-  version = "1.0.0";
+  version = "1.1.0";
 
   src = fetchFromGitLab {
     owner = "mildlyparallel";
     repo = "pscircle";
     rev = "v${version}";
-    sha256 = "188d0db62215pycmx2qfmbbjpmih03vigsz2j448zhsbyxapavv3";
+    sha256 = "1sxdnhkcr26l29nk0zi1zkvkd7128xglfql47rdb1bx940vflgb6";
   };
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/psmisc/default.nix b/pkgs/os-specific/linux/psmisc/default.nix
index 1eec10860f72..68e51afdf1bb 100644
--- a/pkgs/os-specific/linux/psmisc/default.nix
+++ b/pkgs/os-specific/linux/psmisc/default.nix
@@ -1,19 +1,34 @@
-{stdenv, fetchurl, ncurses}:
+{stdenv, fetchFromGitLab, autoconf, automake, gettext, ncurses}:
 
 stdenv.mkDerivation rec {
-  name = "psmisc-23.1";
+  pname = "psmisc";
+  version = "23.2";
+  name = "${pname}-${version}";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/psmisc/${name}.tar.xz";
-    sha256 = "0c5s94hqpwfmyswx2f96gifa6wdbpxxpkyxcrlzbxpvmrxsd911f";
+  src = fetchFromGitLab {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0d90wmibxpkl0d7sdibvvkwpyxyg6m6ksh5gwrjh15vf1swvd5i1";
   };
 
-  buildInputs = [ncurses];
+  nativeBuildInputs = [ autoconf automake gettext ];
+  buildInputs = [ ncurses ];
 
-  meta = {
-    homepage = http://psmisc.sourceforge.net/;
+  preConfigure = stdenv.lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+    # Goes past the rpl_malloc linking failure
+    export ac_cv_func_malloc_0_nonnull=yes
+    export ac_cv_func_realloc_0_nonnull=yes
+  '' + ''
+    echo $version > .tarball-version
+    ./autogen.sh
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = https://gitlab.com/psmisc/psmisc;
     description = "A set of small useful utilities that use the proc filesystem (such as fuser, killall and pstree)";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2Plus;
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ryantm ];
   };
 }
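Review bot: The cross-compilation workaround `export ac_cv_func_malloc_0_nonnull=yes` / `export ac_cv_func_realloc_0_nonnull=yes` is done through `preConfigure` here, whereas procps-ng in this same merge passes the identical cache variables via `configureFlags` guarded by `stdenv.hostPlatform != stdenv.buildPlatform`; using the `configureFlags` form here as well keeps the two consistent and drops a shell snippet. The `echo $version > .tarball-version` step relies on the `version` attribute being exported into the builder environment by `mkDerivation rec`, and presumably on `autogen.sh` reading that file; a one-line comment such as `# git checkouts carry no release version; autogen.sh presumably picks it up from .tarball-version` would make the dependency explicit.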
diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix
index de7164b2af03..ecfd8581ca9d 100644
--- a/pkgs/os-specific/linux/rdma-core/default.nix
+++ b/pkgs/os-specific/linux/rdma-core/default.nix
@@ -3,7 +3,7 @@
 } :
 
 let
-  version = "19";
+  version = "20.1";
 
 in stdenv.mkDerivation {
   name = "rdma-core-${version}";
@@ -12,7 +12,7 @@ in stdenv.mkDerivation {
     owner = "linux-rdma";
     repo = "rdma-core";
     rev = "v${version}";
-    sha256 = "0c01f9yn9sk7wslyrclsi2jvrn4d36bdw4qjbl0vmcv4858wf4bb";
+    sha256 = "1j6d3n4wzl04m0k4nxbmahfwc094185d5jyijgvg3z5hwwb8lkwv";
   };
 
   nativeBuildInputs = [ cmake pkgconfig pandoc ];
diff --git a/pkgs/os-specific/linux/roccat-tools/default.nix b/pkgs/os-specific/linux/roccat-tools/default.nix
new file mode 100644
index 000000000000..c2fb55b344b4
--- /dev/null
+++ b/pkgs/os-specific/linux/roccat-tools/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchurl, cmake, pkgconfig, gettext
+, dbus, dbus-glib, libgaminggear, libgudev, lua
+}:
+
+stdenv.mkDerivation rec {
+  name = "roccat-tools-${version}";
+  version = "5.7.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/roccat/${name}.tar.bz2";
+    sha256 = "15gxplcm62167xhk65k8v6gg3j6jr0c5a64wlz72y1vfq0ai7qm6";
+  };
+
+  postPatch = ''
+    sed -i -re 's,/(etc/xdg),\1,' roccateventhandler/CMakeLists.txt
+
+    sed -i -e '/roccat_profile_dir(void).*{/,/}/ {
+      /return/c \
+        return g_build_path("/", g_get_user_data_dir(), "roccat", NULL);
+    }' libroccat/roccat_helper.c
+  '';
+
+  nativeBuildInputs = [ cmake pkgconfig gettext ];
+  buildInputs = [ dbus dbus-glib libgaminggear libgudev lua ];
+
+  enableParallelBuilding = true;
+
+  cmakeFlags = [
+    "-DUDEVDIR=\${out}/lib/udev/rules.d"
+    "-DCMAKE_MODULE_PATH=${libgaminggear.dev}/lib/cmake"
+    "-DWITH_LUA=${lua.luaversion}"
+    "-DLIBDIR=lib"
+  ];
+
+  meta = {
+    description = "Tools to configure ROCCAT devices";
+    homepage = http://roccat.sourceforge.net/;
+    platforms = stdenv.lib.platforms.linux;
+    license = stdenv.lib.licenses.gpl2Plus;
+  };
+}
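Review bot: The two `sed` rewrites in `postPatch` are unchecked: if a future release renames `roccat_profile_dir` in `libroccat/roccat_helper.c` or changes the `/etc/xdg` string in `roccateventhandler/CMakeLists.txt`, both substitutions become silent no-ops and the package builds with upstream's hard-coded paths. Consider asserting that the edit landed, e.g. `grep -q 'g_get_user_data_dir' libroccat/roccat_helper.c` after the second sed, or carry the change as a patch file so a mismatch fails the build. A short comment stating the intent (profile data is redirected under the user's XDG data dir and `/etc/xdg` is made prefix-relative) would also help, since the address-range sed is hard to read on its own.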
diff --git a/pkgs/os-specific/linux/s6-linux-utils/default.nix b/pkgs/os-specific/linux/s6-linux-utils/default.nix
index dbef7c41c067..0d208a6eb55f 100644
--- a/pkgs/os-specific/linux/s6-linux-utils/default.nix
+++ b/pkgs/os-specific/linux/s6-linux-utils/default.nix
@@ -1,24 +1,19 @@
-{ stdenv, fetchurl, skalibs }:
+{ stdenv, skawarePackages }:
 
-let
+with skawarePackages;
 
-  version = "2.4.0.2";
+buildPackage {
+  pname = "s6-linux-utils";
+  version = "2.5.0.0";
+  sha256 = "04q2z71dkzahd2ppga2zikclz2qk014c23gm7rigqxjc8rs1amvq";
 
-in stdenv.mkDerivation rec {
-
-  name = "s6-linux-utils-${version}";
-
-  src = fetchurl {
-    url = "https://www.skarnet.org/software/s6-linux-utils/${name}.tar.gz";
-    sha256 = "0245rmk7wfyyfsi4g7f0niprwlvqlwkbyjxflb8kkbvhwfdavqip";
-  };
+  description = "A set of minimalistic Linux-specific system utilities";
+  platforms = stdenv.lib.platforms.linux;
 
   outputs = [ "bin" "dev" "doc" "out" ];
 
-  dontDisableStatic = true;
-
+  # TODO: nsss support
   configureFlags = [
-    "--enable-absolute-paths"
     "--bindir=\${bin}/bin"
     "--includedir=\${dev}/include"
     "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
@@ -28,16 +23,10 @@ in stdenv.mkDerivation rec {
   ];
 
   postInstall = ''
-    mkdir -p $doc/share/doc/s6-networking/
-    mv doc $doc/share/doc/s6-networking/html
-  '';
+    # remove all s6 executables from build directory
+    rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable)
 
-  meta = {
-    homepage = http://www.skarnet.org/software/s6-linux-utils/;
-    description = "A set of minimalistic Linux-specific system utilities";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.isc;
-    maintainers = with stdenv.lib.maintainers; [ pmahoney Profpatsch ];
-  };
+    mv doc $doc/share/doc/s6-linux-utils/html
+  '';
 
 }
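Review bot: `rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable)` in `postInstall` has two weak spots: GNU find warns when `-mindepth`/`-maxdepth` follow a test such as `-name`, and if nothing matches, `rm` runs with no operands and the build fails with an unrelated "missing operand" error. `find . -mindepth 1 -maxdepth 1 -type f -name 's6-*' -executable -delete` does the same job without word-splitting the result. The `meta` block (homepage, license, maintainers) is removed from this file; presumably `buildPackage` from `skawarePackages` fills it in from `description`/`platforms`, but that is not visible here and is worth confirming.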
diff --git a/pkgs/os-specific/linux/semodule-utils/default.nix b/pkgs/os-specific/linux/semodule-utils/default.nix
new file mode 100644
index 000000000000..10ba1a3c7d07
--- /dev/null
+++ b/pkgs/os-specific/linux/semodule-utils/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, fetchurl, libsepol }:
+
+stdenv.mkDerivation rec {
+  name = "semodule-utils-${version}";
+  version = "2.7";
+
+  inherit (libsepol) se_release se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${se_release}/${name}.tar.gz";
+    sha256 = "1fl60x4w8rn5bcwy68sy48aydwsn1a17d48slni4sfx4c8rqpjch";
+  };
+
+  buildInputs = [ libsepol ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "SELinux policy core utilities (packaging additions)";
+    license = licenses.gpl2;
+    inherit (libsepol.meta) homepage platforms;
+    maintainers = [ maintainers.e-user ];
+  };
+}
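Review bot: The download URL is built from `libsepol`'s `se_release`/`se_url` while `version = "2.7"` is fixed here, so bumping libsepol alone changes the path this derivation fetches; the `sha256` will then fail rather than silently accept a different tarball, but the coupling is invisible to the reader. A comment next to `inherit (libsepol) se_release se_url;` such as `# version must be kept in step with libsepol's se_release (same upstream release bundle)` would make that explicit. `LIBSEPOLA` links the static archive from `getLib libsepol`, which looks intentional but also deserves a word.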
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 146e1c276965..13fc9ae37605 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -10,13 +10,13 @@ assert kernel != null;
 
 stdenv.mkDerivation rec {
   name = "spl-${version}-${kernel.version}";
-  version = "0.7.9";
+  version = "0.7.11";
 
   src = fetchFromGitHub {
     owner = "zfsonlinux";
     repo = "spl";
     rev = "spl-${version}";
-    sha256 = "0540m1dv9jvrzk9kw61glg0h0cwj976mr9zb42y3nh17k47ywff0";
+    sha256 = "15h02g5k3i20y2cycc72vr6hdn8n70jmzqii8dmx9za6bl9nk2rm";
   };
 
   patches = [ ./install_prefix.patch ];
@@ -52,6 +52,5 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ jcumming wizeman wkennington fpletz globin ];
-    broken = stdenv.lib.versionAtLeast kernel.version "4.18";
   };
 }
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 9b0f3ff767c2..20ecdb5b5773 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -3,13 +3,13 @@
 with stdenv.lib;
 stdenv.mkDerivation rec {
   name = "sysdig-${version}";
-  version = "0.22.1";
+  version = "0.23.1";
 
   src = fetchFromGitHub {
     owner = "draios";
     repo = "sysdig";
     rev = version;
-    sha256 = "1wbvpsalm2ccwh8xz6fa4gqviilvjd8lnwvdryixhsdsf7j8w0j0";
+    sha256 = "0q52yfag97n6cvrnzgx7inx11zdg7bgwkvqn2idsg9874fd2wkzh";
   };
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index 5f3eb22f127e..d3a9d7834cdc 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, gettext, bzip2 }:
 
 stdenv.mkDerivation rec {
-  name = "sysstat-12.0.1";
+  name = "sysstat-12.1.1";
 
   src = fetchurl {
     url = "http://perso.orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "114wh7iqi82c0az8wn3dg3y56279fb2wg81v8kvx87mq5975bg51";
+    sha256 = "0drrlv2fr64g5zf0a2bkla2rql4nmq4n192wvcr9r4zppg58d8k4";
   };
 
   buildInputs = [ gettext ];
diff --git a/pkgs/os-specific/linux/systemd-wait/default.nix b/pkgs/os-specific/linux/systemd-wait/default.nix
new file mode 100644
index 000000000000..114f4c2444e6
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd-wait/default.nix
@@ -0,0 +1,25 @@
+{ python3Packages, fetchFromGitHub, lib }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "systemd-wait";
+  version = "0.1+2018-10-05";
+
+  src = fetchFromGitHub {
+    owner = "Stebalien";
+    repo = pname;
+    rev = "bbb58dd4584cc08ad20c3888edb7628f28aee3c7";
+    sha256 = "1l8rd0wzf3m7fk0g1c8wc0csdisdfac0filhixpgp0ck9ignayq5";
+  };
+
+  propagatedBuildInputs = with python3Packages; [
+    dbus-python pygobject3
+  ];
+
+  meta = {
+    homepage = https://github.com/Stebalien/systemd-wait;
+    license = lib.licenses.gpl3;
+    description = "Wait for a systemd unit to enter a specific state";
+    maintainers = [ lib.maintainers.benley ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index b4caa63799c7..db64b8e6f6de 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap, kmod
+{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap, kmod
 , xz, pam, acl, libuuid, m4, utillinux, libffi
 , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
 , audit, lz4, bzip2, libmicrohttpd, pcre2
@@ -10,8 +10,8 @@
 , getent
 , buildPackages
 , withSelinux ? false, libselinux
-, withLibseccomp ? libseccomp.meta.available, libseccomp
-, withKexectools ? kexectools.meta.available, kexectools
+, withLibseccomp ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) libseccomp.meta.platforms, libseccomp
+, withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms, kexectools
 }:
 
 let
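Review bot: The new defaults for `withLibseccomp` and `withKexectools` test only `meta.platforms` against `stdenv.hostPlatform`, whereas the previous `meta.available` also takes `meta.broken` and license acceptance into account (as far as I recall), so a libseccomp marked broken for the host would now be enabled by default. That is presumably the point for cross builds, where `meta.available` is evaluated for the wrong platform, but because libseccomp backs systemd's syscall-filter sandboxing the trade-off deserves a comment, e.g. `# use platformMatch instead of meta.available: the latter does not honour hostPlatform when cross-compiling`. The expression is also duplicated verbatim; a single helper in the `let` that starts at the end of this hunk, `availableOn = p: lib.any (lib.meta.platformMatch stdenv.hostPlatform) p.meta.platforms;`, would read better, though defaults in the argument set cannot reference that `let`, so it would have to live in a surrounding scope.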
@@ -26,8 +26,8 @@ in stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = "NixOS";
     repo = "systemd";
-    rev = "67c553805a9ebee2dce7c3a350b4abd4d7a489c2";
-    sha256 = "114vq71gcddi4qm2hyrj5jsas9599s0h5mg65jfpvxhfyaw54cpv";
+    rev = "31859ddd35fc3fa82a583744caa836d356c31d7f";
+    sha256 = "1xci0491j95vdjgs397n618zii3sgwnvanirkblqqw6bcvcjvir1";
   };
 
   outputs = [ "out" "lib" "man" "dev" ];
diff --git a/pkgs/os-specific/linux/udisks/2-default.nix b/pkgs/os-specific/linux/udisks/2-default.nix
index 78ab6b37532d..4f59828098c3 100644
--- a/pkgs/os-specific/linux/udisks/2-default.nix
+++ b/pkgs/os-specific/linux/udisks/2-default.nix
@@ -2,11 +2,11 @@
 , gnome3, gtk-doc, acl, systemd, glib, libatasmart, polkit, coreutils, bash
 , expat, libxslt, docbook_xsl, utillinux, mdadm, libgudev, libblockdev, parted
 , gobjectIntrospection, docbook_xml_dtd_412, docbook_xml_dtd_43
-, libxfs, f2fs-tools, dosfstools, e2fsprogs, btrfs-progs, exfat, nilfs-utils, ntfs3g
+, xfsprogs, f2fs-tools, dosfstools, e2fsprogs, btrfs-progs, exfat, nilfs-utils, ntfs3g
 }:
 
 let
-  version = "2.8.0";
+  version = "2.8.1";
 in stdenv.mkDerivation rec {
   name = "udisks-${version}";
 
@@ -14,7 +14,7 @@ in stdenv.mkDerivation rec {
     owner = "storaged-project";
     repo = "udisks";
     rev = name;
-    sha256 = "110g3vyai3p6vjzy01yd0bbvxk7n7dl5glxf54f3jvqf0zmaqipx";
+    sha256 = "073iqa0pwa7ab0qw33h3ic89508a78incmg6rq914d6br7s030zy";
   };
 
   outputs = [ "out" "man" "dev" "devdoc" ];
@@ -33,7 +33,7 @@ in stdenv.mkDerivation rec {
     })
     (substituteAll {
       src = ./force-path.patch;
-      path = stdenv.lib.makeBinPath [ btrfs-progs coreutils dosfstools e2fsprogs exfat f2fs-tools nilfs-utils libxfs ntfs3g parted utillinux ];
+      path = stdenv.lib.makeBinPath [ btrfs-progs coreutils dosfstools e2fsprogs exfat f2fs-tools nilfs-utils xfsprogs ntfs3g parted utillinux ];
     })
   ];
 
diff --git a/pkgs/os-specific/linux/undervolt/default.nix b/pkgs/os-specific/linux/undervolt/default.nix
index e9c033acd990..a97cca4dfa76 100644
--- a/pkgs/os-specific/linux/undervolt/default.nix
+++ b/pkgs/os-specific/linux/undervolt/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchFromGitHub, python3Packages }:
 
 python3Packages.buildPythonApplication rec {
-  version = "0.2.8";
+  version = "0.2.9";
   pname = "undervolt";
 
   src = fetchFromGitHub {
     owner = "georgewhewell";
     repo = "undervolt";
     rev = "${version}";
-    sha256 = "0crkqc5zq0gpyg031hfwdxymfc2gc1h8b6m0axzlh7gvnxlf5hra";
+    sha256 = "1d934lp8yczrfslmwff6fxzd4arja2vg00s5kwdr949bxpa6w59c";
   };
 
   meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 3db2814a0878..2e22b99a95f3 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "v4l2loopback-${version}-${kernel.version}";
-  version = "0.11.0";
+  version = "0.12.0";
 
   src = fetchFromGitHub {
     owner = "umlaeute";
     repo = "v4l2loopback";
     rev = "v${version}";
-    sha256 = "1wb5qmy13w8rl4279bwp69s4sb1x5hk5d2n563p1yk8yi567p2az";
+    sha256 = "1rf8dvabksxb2sj14j32h7n7pw7byqfnpqs4m4afj3398y9y23c4";
   };
 
   hardeningDisable = [ "format" "pic" ];
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index c689faad492f..cae06dbd0f38 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -158,12 +158,12 @@ in {
   # to be adapted
   zfsStable = common {
     # comment/uncomment if breaking kernel versions are known
-    incompatibleKernelVersion = "4.18";
+    # incompatibleKernelVersion = null;
 
     # this package should point to the latest release.
-    version = "0.7.9";
+    version = "0.7.11";
 
-    sha256 = "0krpxrvnda2jx6l71xhw9fsksyp2a6h9l9asppac3szsd1n7fp9n";
+    sha256 = "0m9wkq6wf4cg8w38s3avd0bvybnv0avqwxk3gwz9rgb9rn0m98jg";
 
     extraPatches = [
       (fetchpatch {
@@ -180,10 +180,10 @@ in {
     incompatibleKernelVersion = null;
 
     # this package should point to a version / git revision compatible with the latest kernel release
-    version = "2018-08-13";
+    version = "0.8.0-rc1";
 
-    rev = "64e96969a88c21aebb2f8d982a8c345e55a2ae6c";
-    sha256 = "164fvsf9zqvq3vafnvjxafjl8gihmfqfsjwsmky16i90a6hs96gf";
+    rev = "b8a90418f3a9c23b89c5d2c729a4dd0fea644508";
+    sha256 = "041b7h8gbb042x9mhg8y87bgq9y793bawglc7b0fg871k6190drx";
     isUnstable = true;
 
     extraPatches = [