5.15.25 hardened bump (#447)

Co-authored-by: amelia <farikoskillz2gmail.com>

PKGBUILD

@@ -640,7 +640,7 @@ case $_basever in
             'b6003a066e39b013336bc41b15a836c1beb08417849ce563830c125bcba0cc9b'
             'SKIP'
             '24be2e8863e265195a24d7082804cd4328fd9f0a31b88672c884b9fd42469ed8'
-            '5786bbcc3f655592958ba7011f9ce361d69211b0478c5b86bd3e600fee3ffd27'
+            'e885f7b2c68d6d7ec9050a692aa044fecab3c1dda6908175a6d4e13bf8507ceb'
             '1e15fc2ef3fa770217ecc63a220e5df2ddbcf3295eb4a021171e7edd4c6cc898'
             '66a03c246037451a77b4d448565b1d7e9368270c7d02872fbd0b5d024ed0a997'
             'f6383abef027fd9a430fd33415355e0df492cdc3c90e9938bf2d98f4f63b32e6'
@@ -658,7 +658,7 @@ case $_basever in
             '9fad4a40449e09522899955762c8928ae17f4cdaa16e01239fd12592e9d58177'
             '978b197efa56781a1d5651a3649c3d8b926d55748b4b9063788dfe1a861fc1bc'
             'd11edf802031e9335e4236ea1bb56d7fff9f6159dbc5f0afe407256b95d601fc'
-            'c010206dc3278d2652afebaed9fac58e55e65f65deb0565687faa1dec577494b'
+            'b5e0f50ef64c25069987cf4c4ec3501ed5288bc43106c52e3aefddaa7a649c39'
             '434e4707efc1bc3919597c87d44fa537f7563ae04236479bbf1adb5f410ab69d'
             '1b656ad96004f27e9dc63d7f430b50d5c48510d6d4cd595a81c24b21adb70313'
             'b0319a7dff9c48b2f3e3d3597ee154bf92223149a633a8b7ce4026252db86da6')

linux-tkg-config/5.15/config_hardened.x86_64

@@ -1,15 +1,15 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.15-hardened1 Kernel Configuration
+# Linux/x86 5.15.25-hardened1 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.1.0"
+CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=110100
+CONFIG_GCC_VERSION=110200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=23601
+CONFIG_AS_VERSION=23800
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=23601
+CONFIG_LD_VERSION=23800
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
@@ -6445,6 +6445,7 @@ CONFIG_DUMMY_CONSOLE=y
 CONFIG_DUMMY_CONSOLE_COLUMNS=80
 CONFIG_DUMMY_CONSOLE_ROWS=25
 CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
 CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
 CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
 CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
@@ -10478,3 +10479,4 @@ CONFIG_ARCH_USE_MEMTEST=y
 # CONFIG_HYPERV_TESTING is not set
 # end of Kernel Testing and Coverage
 # end of Kernel hacking
+

linux-tkg-patches/5.15/0012-linux-hardened.patch

@@ -102,13 +102,13 @@ index d91ab28718d4..4ead5cd52644 100644
  	If set, provide RFC2861 behavior and time out the congestion
  	window after an idle period.  An idle period is defined at
 diff --git a/Makefile b/Makefile
-index aed26e228dde..fd511db4d97f 100644
+index c50d4ec83be8..a88b0b67c745 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -2,7 +2,7 @@
  VERSION = 5
  PATCHLEVEL = 15
- SUBLEVEL = 15
+ SUBLEVEL = 25
 -EXTRAVERSION =
 +EXTRAVERSION = -hardened1
  NAME = Trick or Treat
@@ -242,7 +242,7 @@ index 1f96809606ac..5dc5b06d6955 100644
  	  Linux can allow user programs to install a per-process x86
  	  Local Descriptor Table (LDT) using the modify_ldt(2) system
 diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
-index e8a7a0af2bda..8e8947dceab4 100644
+index d7298b104a45..f65c7ca3602d 100644
 --- a/arch/x86/configs/x86_64_defconfig
 +++ b/arch/x86/configs/x86_64_defconfig
 @@ -1,5 +1,4 @@
@@ -502,10 +502,10 @@ index 82de39926a9f..7363072fbcb4 100644
  	blk_complete_reqs(this_cpu_ptr(&blk_cpu_done));
  }
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 4d848cfc406f..94427b7ee3b9 100644
+index 24b67d78cb83..bf5189847efe 100644
 --- a/drivers/ata/libata-core.c
 +++ b/drivers/ata/libata-core.c
-@@ -4599,7 +4599,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4600,7 +4600,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	unsigned int tag;
  
@@ -514,7 +514,7 @@ index 4d848cfc406f..94427b7ee3b9 100644
  	ap = qc->ap;
  
  	qc->flags = 0;
-@@ -4616,7 +4616,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4617,7 +4617,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	struct ata_link *link;
  
@@ -608,10 +608,10 @@ index 18e874b0441e..fc7a3a9aa72a 100644
  obj-$(CONFIG_USB)		+= usbcore.o
  
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 3bc4a86c3d0a..16c451593031 100644
+index ac6c5ccfe1cb..dd810d902ea1 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
-@@ -5238,6 +5238,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+@@ -5241,6 +5241,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
  			goto done;
  		return;
  	}
@@ -751,7 +751,7 @@ index 9abc88d7959c..4dae3fd45fdd 100644
  {
  	return -ENXIO;
 diff --git a/fs/namei.c b/fs/namei.c
-index 1946d9667790..d34d594154b6 100644
+index 3bb65f48fe1d..046e797c9663 100644
 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -1020,10 +1020,10 @@ static inline void put_link(struct nameidata *nd)
@@ -926,7 +926,7 @@ index 56eba723477e..bf53bd6efdc6 100644
 +
  #endif /* _LINUX_FS_H */
 diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
-index 12d3a7d308ab..c20fb1eb3f25 100644
+index a9477c14fad5..41129acd7507 100644
 --- a/include/linux/fsnotify.h
 +++ b/include/linux/fsnotify.h
 @@ -96,6 +96,9 @@ static inline int fsnotify_file(struct file *file, __u32 mask)
@@ -1007,7 +1007,7 @@ index 2b5b64256cf4..8cdce21dce0f 100644
  const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
  const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
 diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 73a52aba448f..26370aeee4b6 100644
+index 90c2d7f3c7a8..de4d4b976c5e 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -799,7 +799,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
@@ -1062,10 +1062,10 @@ index 5e76af742c80..9a6c682ec127 100644
  extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
  
 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 9b60bb89d86a..32116e32809b 100644
+index 6cce33e7e7ac..5eb6522e017f 100644
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
-@@ -1320,6 +1320,14 @@ static inline int perf_is_paranoid(void)
+@@ -1322,6 +1322,14 @@ static inline int perf_is_paranoid(void)
  	return sysctl_perf_event_paranoid > -1;
  }
  
@@ -1414,10 +1414,10 @@ index 11f8a845f259..a64ec536890d 100644
  	bool "Page allocator randomization"
  	default SLAB_FREELIST_RANDOM && ACPI_NUMA
 diff --git a/kernel/audit.c b/kernel/audit.c
-index 4cebadb5f30d..436931ce46a0 100644
+index 94ded5de9131..6b7e12855359 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
-@@ -1692,6 +1692,9 @@ static int __init audit_enable(char *str)
+@@ -1730,6 +1730,9 @@ static int __init audit_enable(char *str)
  
  	if (audit_default == AUDIT_OFF)
  		audit_initialized = AUDIT_DISABLED;
@@ -1470,7 +1470,7 @@ index 46a361dde042..f0c387f421a0 100644
  
  /**
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 2931faf92a76..1638619f1afb 100644
+index b81652fc2cdd..fce3ec1a1e1b 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -414,8 +414,13 @@ static struct kmem_cache *perf_event_cache;
@@ -1487,7 +1487,7 @@ index 2931faf92a76..1638619f1afb 100644
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -12010,7 +12015,7 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -12094,7 +12099,7 @@ SYSCALL_DEFINE5(perf_event_open,
  		return -EINVAL;
  
  	/* Do we allow access to perf_event_open(2) ? */
@@ -1497,7 +1497,7 @@ index 2931faf92a76..1638619f1afb 100644
  		return err;
  
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 10885c649ca4..1c4b4598eb55 100644
+index 28aee1a8875b..475372883e06 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -82,6 +82,7 @@
@@ -1519,7 +1519,7 @@ index 10885c649ca4..1c4b4598eb55 100644
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -3056,6 +3061,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -3055,6 +3060,12 @@ int ksys_unshare(unsigned long unshare_flags)
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  
@@ -1546,10 +1546,10 @@ index 340b3f8b090d..e0ef77dc0564 100644
  	struct rcu_head *next, *list;
  	unsigned long flags;
 diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
-index 7ae10fab68b8..c60b242913a0 100644
+index 4ca6d5b199e8..82639c274d65 100644
 --- a/kernel/rcu/tree.c
 +++ b/kernel/rcu/tree.c
-@@ -2751,7 +2751,7 @@ static __latent_entropy void rcu_core(void)
+@@ -2752,7 +2752,7 @@ static __latent_entropy void rcu_core(void)
  		queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
  }
  
@@ -1559,10 +1559,10 @@ index 7ae10fab68b8..c60b242913a0 100644
  	rcu_core();
  }
 diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 6f16dfb74246..a01d70fb5697 100644
+index 6420580f2730..b9fe0e786cc6 100644
 --- a/kernel/sched/fair.c
 +++ b/kernel/sched/fair.c
-@@ -10883,7 +10883,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+@@ -10895,7 +10895,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
   * run_rebalance_domains is triggered when needed from the scheduler tick.
   * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
   */
@@ -2070,7 +2070,7 @@ index 88dcc5c25225..c903d803fe4e 100644
  		mm->brk = brk;
  		goto success;
 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 23d3339ac4e8..bf38b6559613 100644
+index 7773bae3b6ed..91e67c6e59ce 100644
 --- a/mm/page_alloc.c
 +++ b/mm/page_alloc.c
 @@ -155,6 +155,15 @@ struct pcpu_drain {
@@ -2711,7 +2711,7 @@ index bacabe446906..a3bcc8aef4b4 100644
  
  unsigned long arch_mmap_rnd(void)
 diff --git a/net/core/dev.c b/net/core/dev.c
-index e0878a500aa9..e6d9d916aa2c 100644
+index 33dc2a3ff7d7..657f746d78cd 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -4978,7 +4978,7 @@ int netif_rx_any_context(struct sk_buff *skb)
@@ -2792,7 +2792,7 @@ index 6f1e64d49232..96a5a252b750 100644
  };
  
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index f3b623967436..e6dc036f2c5e 100644
+index 509f577869d4..936f1b007861 100644
 --- a/net/ipv4/tcp_input.c
 +++ b/net/ipv4/tcp_input.c
 @@ -82,6 +82,7 @@
@@ -2803,7 +2803,7 @@ index f3b623967436..e6dc036f2c5e 100644
  
  #define FLAG_DATA		0x01 /* Incoming frame contained data.		*/
  #define FLAG_WIN_UPDATE		0x02 /* Incoming ACK was a window update.	*/
-@@ -6253,7 +6254,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -6255,7 +6256,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
  	    tcp_paws_reject(&tp->rx_opt, 0))
  		goto discard_and_undo;
  
@@ -3112,7 +3112,7 @@ index 9e921fc72538..ae851a826c26 100644
  	int "NSA SELinux sidtab hashtable size"
  	depends on SECURITY_SELINUX
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 9309e62d46ed..87c3cb8babce 100644
+index baa12d1007c7..6378e2be49fa 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
 @@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
@@ -3188,10 +3188,10 @@ index 4fe3b8b1958f..a7d88cc23a70 100644
     in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
  
 diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
-index dbfeceb2546c..53ab8d6b473e 100644
+index c87f9974c0c1..1c9afa8f7064 100644
 --- a/tools/perf/util/evsel.c
 +++ b/tools/perf/util/evsel.c
-@@ -2780,6 +2780,7 @@ int evsel__open_strerror(struct evsel *evsel, struct target *target,
+@@ -2789,6 +2789,7 @@ int evsel__open_strerror(struct evsel *evsel, struct target *target,
  		 ">= 0: Disallow raw and ftrace function tracepoint access\n"
  		 ">= 1: Disallow CPU event access\n"
  		 ">= 2: Disallow kernel profiling\n"