Merge pull request #90065 from wizeman/u/fix-config-merge

linux: make sure all config options have the same value

nixos/modules/system/boot/kernel_config.nix

@@ -2,24 +2,6 @@
 
 with lib;
 let
-  findWinner = candidates: winner:
-    any (x: x == winner) candidates;
-
-  # winners is an ordered list where first item wins over 2nd etc
-  mergeAnswer = winners: locs: defs:
-    let
-      values = map (x: x.value) defs;
-      inter = intersectLists values winners;
-      winner = head winners;
-    in
-    if defs == [] then abort "This case should never happen."
-    else if winner == [] then abort "Give a valid list of winner"
-    else if inter == [] then mergeOneOption locs defs
-    else if findWinner values winner then
-      winner
-    else
-      mergeAnswer (tail winners) locs defs;
-
   mergeFalseByDefault = locs: defs:
     if defs == [] then abort "This case should never happen."
     else if any (x: x == false) (getValues defs) then false
@@ -28,9 +10,7 @@ let
   kernelItem = types.submodule {
     options = {
       tristate = mkOption {
-        type = types.enum [ "y" "m" "n" null ] // {
+        type = types.enum [ "y" "m" "n" null ];
-          merge = mergeAnswer [ "y" "m" "n" ];
-        };
         default = null;
         internal = true;
         visible = true;

pkgs/os-specific/linux/kernel/common-config.nix

@@ -193,16 +193,17 @@ let
       NET_DROP_MONITOR = yes;
 
       # needed for ss
-      INET_DIAG         = module;
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
-      INET_TCP_DIAG     = module;
+      INET_DIAG         = mkDefault module;
-      INET_UDP_DIAG     = module;
+      INET_TCP_DIAG     = mkDefault module;
-      INET_RAW_DIAG     = whenAtLeast "4.14" module;
+      INET_UDP_DIAG     = mkDefault module;
-      INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
+      INET_RAW_DIAG     = whenAtLeast "4.14" (mkDefault module);
+      INET_DIAG_DESTROY = whenAtLeast "4.9" (mkDefault yes);
 
       # enable multipath-tcp
       MPTCP           = whenAtLeast "5.6" yes;
       MPTCP_IPV6      = whenAtLeast "5.6" yes;
-      INET_MPTCP_DIAG = whenAtLeast "5.9" module;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
     };
 
     wireless = {

pkgs/os-specific/linux/kernel/hardened/config.nix

@@ -65,7 +65,7 @@ assert (versionAtLeast version "4.9");
   PANIC_TIMEOUT = freeform "-1";
 
   GCC_PLUGINS = yes; # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;
 
   GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
@@ -79,6 +79,14 @@ assert (versionAtLeast version "4.9");
   PROC_KCORE         = no; # Exposes kernel text image layout
   INET_DIAG          = no; # Has been used for heap based attacks in the past
 
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
   # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
   CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;