Merge tag 'audit-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
 "We've got a reasonably broad set of audit patches for the v5.2 merge
  window, the highlights are below:

   - The biggest change, and the source of all the arch/* changes, is
     the patchset from Dmitry to help enable some of the work he is
     doing around PTRACE_GET_SYSCALL_INFO.

     To be honest, including this in the audit tree is a bit of a
     stretch, but it does help move audit a little further along towards
     proper syscall auditing for all arches, and everyone else seemed to
     agree that audit was a "good" spot for this to land (or maybe they
     just didn't want to merge it? dunno.).

   - We can now audit time/NTP adjustments.

   - We continue the work to connect associated audit records into a
     single event"

* tag 'audit-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: (21 commits)
  audit: fix a memory leak bug
  ntp: Audit NTP parameters adjustment
  timekeeping: Audit clock adjustments
  audit: purge unnecessary list_empty calls
  audit: link integrity evm_write_xattrs record to syscall event
  syscall_get_arch: add "struct task_struct *" argument
  unicore32: define syscall_get_arch()
  Move EM_UNICORE to uapi/linux/elf-em.h
  nios2: define syscall_get_arch()
  nds32: define syscall_get_arch()
  Move EM_NDS32 to uapi/linux/elf-em.h
  m68k: define syscall_get_arch()
  hexagon: define syscall_get_arch()
  Move EM_HEXAGON to uapi/linux/elf-em.h
  h8300: define syscall_get_arch()
  c6x: define syscall_get_arch()
  arc: define syscall_get_arch()
  Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h
  audit: Make audit_log_cap and audit_copy_inode static
  audit: connect LOGIN record to its syscall record
  ...

43 files changed, 331 insertions, 107 deletions

diff --git a/arch/alpha/include/asm/syscall.h b/arch/alpha/include/asm/syscall.h
index d73a6fcb519c..11c688c1d7ec 100644
--- a/arch/alpha/include/asm/syscall.h
+++ b/arch/alpha/include/asm/syscall.h
@@ -4,7 +4,7 @@
 
 #include <uapi/linux/audit.h>
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_ALPHA;
 }
diff --git a/arch/arc/include/asm/elf.h b/arch/arc/include/asm/elf.h
index aa2d6da9d187..2b80c184c9c8 100644
--- a/arch/arc/include/asm/elf.h
+++ b/arch/arc/include/asm/elf.h
@@ -10,13 +10,9 @@
 #define __ASM_ARC_ELF_H
 
 #include <linux/types.h>
+#include <linux/elf-em.h>
 #include <uapi/asm/elf.h>
 
-/* These ELF defines belong to uapi but libc elf.h already defines them */
-#define EM_ARCOMPACT            93
-
-#define EM_ARCV2                195     /* ARCv2 Cores */
-
 #define EM_ARC_INUSE            (IS_ENABLED(CONFIG_ISA_ARCOMPACT) ? \
                                         EM_ARCOMPACT : EM_ARCV2)
 
diff --git a/arch/arc/include/asm/syscall.h b/arch/arc/include/asm/syscall.h
index c7a4201ed62b..9cac959ca4e8 100644
--- a/arch/arc/include/asm/syscall.h
+++ b/arch/arc/include/asm/syscall.h
@@ -9,6 +9,7 @@
 #ifndef _ASM_ARC_SYSCALL_H
 #define _ASM_ARC_SYSCALL_H  1
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 #include <linux/sched.h>
 #include <asm/unistd.h>
@@ -67,4 +68,14 @@ syscall_get_arguments(struct task_struct *task, struct pt_regs *regs,
         }
 }
 
+static inline int
+syscall_get_arch(struct task_struct *task)
+{
+        return IS_ENABLED(CONFIG_ISA_ARCOMPACT)
+                ? (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
+                        ? AUDIT_ARCH_ARCOMPACTBE : AUDIT_ARCH_ARCOMPACT)
+                : (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
+                        ? AUDIT_ARCH_ARCV2BE : AUDIT_ARCH_ARCV2);
+}
+
 #endif
diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h
index 080ce70cab12..fd02761ba06c 100644
--- a/arch/arm/include/asm/syscall.h
+++ b/arch/arm/include/asm/syscall.h
@@ -73,7 +73,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         memcpy(&regs->ARM_r0 + 1, args, 5 * sizeof(args[0]));
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         /* ARM tasks don't change audit architectures on the fly. */
         return AUDIT_ARCH_ARM;
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index a179df3674a1..a65167f5cded 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -87,9 +87,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
  * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
  * AArch64 has the same system calls both on little- and big- endian.
  */
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
-        if (is_compat_task())
+        if (is_compat_thread(task_thread_info(task)))
                 return AUDIT_ARCH_ARM;
 
         return AUDIT_ARCH_AARCH64;
diff --git a/arch/c6x/include/asm/syscall.h b/arch/c6x/include/asm/syscall.h
index 15ba8599858e..5bcdcb651b19 100644
--- a/arch/c6x/include/asm/syscall.h
+++ b/arch/c6x/include/asm/syscall.h
@@ -11,6 +11,7 @@
 #ifndef __ASM_C6X_SYSCALL_H
 #define __ASM_C6X_SYSCALL_H
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 #include <linux/sched.h>
 
@@ -69,4 +70,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
         regs->a9 = *args;
 }
 
+static inline int syscall_get_arch(struct task_struct *task)
+{
+        return IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
+                ? AUDIT_ARCH_C6XBE : AUDIT_ARCH_C6X;
+}
+
 #endif /* __ASM_C6X_SYSCALLS_H */
diff --git a/arch/csky/include/asm/syscall.h b/arch/csky/include/asm/syscall.h
index bda0a446c63e..bc0d8717d28b 100644
--- a/arch/csky/include/asm/syscall.h
+++ b/arch/csky/include/asm/syscall.h
@@ -60,7 +60,7 @@ syscall_set_arguments(struct task_struct *task, struct pt_regs *regs,
 }
 
 static inline int
-syscall_get_arch(void)
+syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_CSKY;
 }
diff --git a/arch/h8300/include/asm/syscall.h b/arch/h8300/include/asm/syscall.h
index ddd483c6ca95..01666b8bb263 100644
--- a/arch/h8300/include/asm/syscall.h
+++ b/arch/h8300/include/asm/syscall.h
@@ -8,6 +8,7 @@
 #include <linux/linkage.h>
 #include <linux/types.h>
 #include <linux/ptrace.h>
+#include <uapi/linux/audit.h>
 
 static inline int
 syscall_get_nr(struct task_struct *task, struct pt_regs *regs)
@@ -27,6 +28,11 @@ syscall_get_arguments(struct task_struct *task, struct pt_regs *regs,
         *args   = regs->er6;
 }
 
+static inline int
+syscall_get_arch(struct task_struct *task)
+{
+        return AUDIT_ARCH_H8300;
+}
 
 
 /* Misc syscall related bits */
diff --git a/arch/hexagon/include/asm/elf.h b/arch/hexagon/include/asm/elf.h
index 80311e7b8ca6..d10fbd54ae51 100644
--- a/arch/hexagon/include/asm/elf.h
+++ b/arch/hexagon/include/asm/elf.h
@@ -23,11 +23,7 @@
 
 #include <asm/ptrace.h>
 #include <asm/user.h>
-
-/*
- * This should really be in linux/elf-em.h.
- */
-#define EM_HEXAGON      164   /* QUALCOMM Hexagon */
+#include <linux/elf-em.h>
 
 struct elf32_hdr;
 
diff --git a/arch/hexagon/include/asm/syscall.h b/arch/hexagon/include/asm/syscall.h
index ae3a1e24fabd..dab26a71f577 100644
--- a/arch/hexagon/include/asm/syscall.h
+++ b/arch/hexagon/include/asm/syscall.h
@@ -21,6 +21,8 @@
 #ifndef _ASM_HEXAGON_SYSCALL_H
 #define _ASM_HEXAGON_SYSCALL_H
 
+#include <uapi/linux/audit.h>
+
 typedef long (*syscall_fn)(unsigned long, unsigned long,
         unsigned long, unsigned long,
         unsigned long, unsigned long);
@@ -41,4 +43,10 @@ static inline void syscall_get_arguments(struct task_struct *task,
 {
         memcpy(args, &(&regs->r00)[0], 6 * sizeof(args[0]));
 }
+
+static inline int syscall_get_arch(struct task_struct *task)
+{
+        return AUDIT_ARCH_HEXAGON;
+}
+
 #endif
diff --git a/arch/ia64/include/asm/syscall.h b/arch/ia64/include/asm/syscall.h
index 0d9e7fab4a79..da108cd45174 100644
--- a/arch/ia64/include/asm/syscall.h
+++ b/arch/ia64/include/asm/syscall.h
@@ -74,7 +74,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         ia64_syscall_get_set_arguments(task, regs, args, 1);
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_IA64;
 }
diff --git a/arch/m68k/include/asm/syscall.h b/arch/m68k/include/asm/syscall.h
new file mode 100644
index 000000000000..465ac039be09
--- /dev/null
+++ b/arch/m68k/include/asm/syscall.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_M68K_SYSCALL_H
+#define _ASM_M68K_SYSCALL_H
+
+#include <uapi/linux/audit.h>
+
+static inline int syscall_get_arch(struct task_struct *task)
+{
+        return AUDIT_ARCH_M68K;
+}
+
+#endif  /* _ASM_M68K_SYSCALL_H */
diff --git a/arch/microblaze/include/asm/syscall.h b/arch/microblaze/include/asm/syscall.h
index 833d3a53dab3..3a6924f3cbde 100644
--- a/arch/microblaze/include/asm/syscall.h
+++ b/arch/microblaze/include/asm/syscall.h
@@ -105,7 +105,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
 asmlinkage unsigned long do_syscall_trace_enter(struct pt_regs *regs);
 asmlinkage void do_syscall_trace_leave(struct pt_regs *regs);
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_MICROBLAZE;
 }
diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index a2b4748655df..acf80ae0a430 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -141,14 +141,14 @@ extern const unsigned long sys_call_table[];
 extern const unsigned long sys32_call_table[];
 extern const unsigned long sysn32_call_table[];
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         int arch = AUDIT_ARCH_MIPS;
 #ifdef CONFIG_64BIT
-        if (!test_thread_flag(TIF_32BIT_REGS)) {
+        if (!test_tsk_thread_flag(task, TIF_32BIT_REGS)) {
                 arch |= __AUDIT_ARCH_64BIT;
                 /* N32 sets only TIF_32BIT_ADDR */
-                if (test_thread_flag(TIF_32BIT_ADDR))
+                if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
                         arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
         }
 #endif
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 3a62f80958e1..414b6e9c900b 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -1418,7 +1418,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
                 unsigned long args[6];
 
                 sd.nr = syscall;
-                sd.arch = syscall_get_arch();
+                sd.arch = syscall_get_arch(current);
                 syscall_get_arguments(current, regs, args);
                 for (i = 0; i < 6; i++)
                         sd.args[i] = args[i];
diff --git a/arch/nds32/include/asm/elf.h b/arch/nds32/include/asm/elf.h
index 95f3ea253e4c..02250626b9f0 100644
--- a/arch/nds32/include/asm/elf.h
+++ b/arch/nds32/include/asm/elf.h
@@ -10,14 +10,13 @@
 
 #include <asm/ptrace.h>
 #include <asm/fpu.h>
+#include <linux/elf-em.h>
 
 typedef unsigned long elf_greg_t;
 typedef unsigned long elf_freg_t[3];
 
 extern unsigned int elf_hwcap;
 
-#define EM_NDS32                        167
-
 #define R_NDS32_NONE                    0
 #define R_NDS32_16_RELA                 19
 #define R_NDS32_32_RELA                 20
diff --git a/arch/nds32/include/asm/syscall.h b/arch/nds32/include/asm/syscall.h
index 671ebd357496..174b8571d362 100644
--- a/arch/nds32/include/asm/syscall.h
+++ b/arch/nds32/include/asm/syscall.h
@@ -5,6 +5,7 @@
 #ifndef _ASM_NDS32_SYSCALL_H
 #define _ASM_NDS32_SYSCALL_H    1
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 struct task_struct;
 struct pt_regs;
@@ -145,4 +146,12 @@ void syscall_set_arguments(struct task_struct *task, struct pt_regs *regs,
 
         memcpy(&regs->uregs[0] + 1, args, 5 * sizeof(args[0]));
 }
+
+static inline int
+syscall_get_arch(struct task_struct *task)
+{
+        return IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
+                ? AUDIT_ARCH_NDS32BE : AUDIT_ARCH_NDS32;
+}
+
 #endif /* _ASM_NDS32_SYSCALL_H */
diff --git a/arch/nios2/include/asm/syscall.h b/arch/nios2/include/asm/syscall.h
index d7624ed06efb..c4f3f8b86f28 100644
--- a/arch/nios2/include/asm/syscall.h
+++ b/arch/nios2/include/asm/syscall.h
@@ -17,6 +17,7 @@
 #ifndef __ASM_NIOS2_SYSCALL_H__
 #define __ASM_NIOS2_SYSCALL_H__
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
 #include <linux/sched.h>
 
@@ -79,4 +80,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
         regs->r9 = *args;
 }
 
+static inline int syscall_get_arch(struct task_struct *task)
+{
+        return AUDIT_ARCH_NIOS2;
+}
+
 #endif
diff --git a/arch/openrisc/include/asm/syscall.h b/arch/openrisc/include/asm/syscall.h
index b4ff07c1baed..61de227f53a1 100644
--- a/arch/openrisc/include/asm/syscall.h
+++ b/arch/openrisc/include/asm/syscall.h
@@ -68,7 +68,7 @@ syscall_set_arguments(struct task_struct *task, struct pt_regs *regs,
         memcpy(&regs->gpr[3], args, 6 * sizeof(args[0]));
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_OPENRISC;
 }
diff --git a/arch/parisc/include/asm/syscall.h b/arch/parisc/include/asm/syscall.h
index 62a6d477fae0..80757e43cf2c 100644
--- a/arch/parisc/include/asm/syscall.h
+++ b/arch/parisc/include/asm/syscall.h
@@ -48,11 +48,11 @@ static inline void syscall_rollback(struct task_struct *task,
         /* do nothing */
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         int arch = AUDIT_ARCH_PARISC;
 #ifdef CONFIG_64BIT
-        if (!is_compat_task())
+        if (!__is_compat_task(task))
                 arch = AUDIT_ARCH_PARISC64;
 #endif
         return arch;
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 1243045bad2d..a048fed0722f 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -94,9 +94,15 @@ static inline void syscall_set_arguments(struct task_struct *task,
         regs->orig_gpr3 = args[0];
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
-        int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+        int arch;
+
+        if (IS_ENABLED(CONFIG_PPC64) && !test_tsk_thread_flag(task, TIF_32BIT))
+                arch = AUDIT_ARCH_PPC64;
+        else
+                arch = AUDIT_ARCH_PPC;
+
 #ifdef __LITTLE_ENDIAN__
         arch |= __AUDIT_ARCH_LE;
 #endif
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index a3d5273ded7c..0f2fe1794c8f 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -88,7 +88,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         memcpy(&regs->a1, args, 5 * sizeof(regs->a1));
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
 #ifdef CONFIG_64BIT
         return AUDIT_ARCH_RISCV64;
diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h
index ab3407aa4fd8..f073292e9fdb 100644
--- a/arch/s390/include/asm/syscall.h
+++ b/arch/s390/include/asm/syscall.h
@@ -79,10 +79,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
         regs->orig_gpr2 = args[0];
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
 #ifdef CONFIG_COMPAT
-        if (test_tsk_thread_flag(current, TIF_31BIT))
+        if (test_tsk_thread_flag(task, TIF_31BIT))
                 return AUDIT_ARCH_S390;
 #endif
         return AUDIT_ARCH_S390X;
diff --git a/arch/sh/include/asm/syscall_32.h b/arch/sh/include/asm/syscall_32.h
index 8c9d7e5e5dcc..0b5b8e75edac 100644
--- a/arch/sh/include/asm/syscall_32.h
+++ b/arch/sh/include/asm/syscall_32.h
@@ -72,7 +72,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         regs->regs[4] = args[0];
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         int arch = AUDIT_ARCH_SH;
 
diff --git a/arch/sh/include/asm/syscall_64.h b/arch/sh/include/asm/syscall_64.h
index 22fad97da066..72efcbc76f91 100644
--- a/arch/sh/include/asm/syscall_64.h
+++ b/arch/sh/include/asm/syscall_64.h
@@ -59,7 +59,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         memcpy(&regs->regs[2], args, 6 * sizeof(args[0]));
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         int arch = AUDIT_ARCH_SH;
 
diff --git a/arch/sparc/include/asm/syscall.h b/arch/sparc/include/asm/syscall.h
index 4d075434e816..62a5a78804c4 100644
--- a/arch/sparc/include/asm/syscall.h
+++ b/arch/sparc/include/asm/syscall.h
@@ -127,10 +127,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
                 regs->u_regs[UREG_I0 + i] = args[i];
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
 #if defined(CONFIG_SPARC64) && defined(CONFIG_COMPAT)
-        return in_compat_syscall() ? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64;
+        return test_tsk_thread_flag(task, TIF_32BIT)
+                ? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64;
 #elif defined(CONFIG_SPARC64)
         return AUDIT_ARCH_SPARC64;
 #else
diff --git a/arch/unicore32/include/asm/elf.h b/arch/unicore32/include/asm/elf.h
index 829042d07722..ae66dc1be49e 100644
--- a/arch/unicore32/include/asm/elf.h
+++ b/arch/unicore32/include/asm/elf.h
@@ -19,6 +19,7 @@
  * ELF register definitions..
  */
 #include <asm/ptrace.h>
+#include <linux/elf-em.h>
 
 typedef unsigned long elf_greg_t;
 typedef unsigned long elf_freg_t[3];
@@ -28,8 +29,6 @@ typedef elf_greg_t elf_gregset_t[ELF_NGREG];
 
 typedef struct fp_state elf_fpregset_t;
 
-#define EM_UNICORE              110
-
 #define R_UNICORE_NONE          0
 #define R_UNICORE_PC24          1
 #define R_UNICORE_ABS32         2
diff --git a/arch/unicore32/include/asm/syscall.h b/arch/unicore32/include/asm/syscall.h
new file mode 100644
index 000000000000..607961797fff
--- /dev/null
+++ b/arch/unicore32/include/asm/syscall.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_UNICORE_SYSCALL_H
+#define _ASM_UNICORE_SYSCALL_H
+
+#include <uapi/linux/audit.h>
+
+static inline int syscall_get_arch(struct task_struct *task)
+{
+        return AUDIT_ARCH_UNICORE;
+}
+
+#endif  /* _ASM_UNICORE_SYSCALL_H */
diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
index 4c305471ec33..b05ad16174e5 100644
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -105,7 +105,7 @@ static inline void syscall_set_arguments(struct task_struct *task,
         memcpy(&regs->bx + i, args, n * sizeof(args[0]));
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_I386;
 }
@@ -160,10 +160,12 @@ static inline void syscall_set_arguments(struct task_struct *task,
         }
 }
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         /* x32 tasks should be considered AUDIT_ARCH_X86_64. */
-        return in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
+        return (IS_ENABLED(CONFIG_IA32_EMULATION) &&
+                task->thread_info.status & TS_COMPAT)
+                ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
 }
 #endif  /* CONFIG_X86_32 */
 
diff --git a/arch/x86/um/asm/syscall.h b/arch/x86/um/asm/syscall.h
index ef898af102d1..56a2f0913e3c 100644
--- a/arch/x86/um/asm/syscall.h
+++ b/arch/x86/um/asm/syscall.h
@@ -9,7 +9,7 @@ typedef asmlinkage long (*sys_call_ptr_t)(unsigned long, unsigned long,
                                           unsigned long, unsigned long,
                                           unsigned long, unsigned long);
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
 #ifdef CONFIG_X86_32
         return AUDIT_ARCH_I386;
diff --git a/arch/xtensa/include/asm/syscall.h b/arch/xtensa/include/asm/syscall.h
index 91dc06d58060..359ab40e935a 100644
--- a/arch/xtensa/include/asm/syscall.h
+++ b/arch/xtensa/include/asm/syscall.h
@@ -14,7 +14,7 @@
 #include <asm/ptrace.h>
 #include <uapi/linux/audit.h>
 
-static inline int syscall_get_arch(void)
+static inline int syscall_get_arch(struct task_struct *task)
 {
         return AUDIT_ARCH_XTENSA;
 }
diff --git a/include/asm-generic/syscall.h b/include/asm-generic/syscall.h
index b88239e9efe4..e06b468a0ebe 100644
--- a/include/asm-generic/syscall.h
+++ b/include/asm-generic/syscall.h
@@ -133,14 +133,15 @@ void syscall_set_arguments(struct task_struct *task, struct pt_regs *regs,
 
 /**
  * syscall_get_arch - return the AUDIT_ARCH for the current system call
+ * @task:       task of interest, must be blocked
  *
  * Returns the AUDIT_ARCH_* based on the system call convention in use.
  *
- * It's only valid to call this when current is stopped on entry to a system
+ * It's only valid to call this when @task is stopped on entry to a system
  * call, due to %TIF_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or %TIF_SECCOMP.
  *
  * Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
  * provide an implementation of this.
  */
-int syscall_get_arch(void);
+int syscall_get_arch(struct task_struct *task);
 #endif  /* _ASM_SYSCALL_H */
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1e69d9fe16da..43a23e28ba23 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -86,6 +86,29 @@ struct audit_field {
         u32                             op;
 };
 
+enum audit_ntp_type {
+        AUDIT_NTP_OFFSET,
+        AUDIT_NTP_FREQ,
+        AUDIT_NTP_STATUS,
+        AUDIT_NTP_TAI,
+        AUDIT_NTP_TICK,
+        AUDIT_NTP_ADJUST,
+
+        AUDIT_NTP_NVALS /* count */
+};
+
+#ifdef CONFIG_AUDITSYSCALL
+struct audit_ntp_val {
+        long long oldval, newval;
+};
+
+struct audit_ntp_data {
+        struct audit_ntp_val vals[AUDIT_NTP_NVALS];
+};
+#else
+struct audit_ntp_data {};
+#endif
+
 extern int is_audit_feature_set(int which);
 
 extern int __init audit_register_class(int class, unsigned *list);
@@ -365,6 +388,8 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
 extern void __audit_log_kern_module(char *name);
 extern void __audit_fanotify(unsigned int response);
+extern void __audit_tk_injoffset(struct timespec64 offset);
+extern void __audit_ntp_log(const struct audit_ntp_data *ad);
 
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
@@ -467,6 +492,39 @@ static inline void audit_fanotify(unsigned int response)
                 __audit_fanotify(response);
 }
 
+static inline void audit_tk_injoffset(struct timespec64 offset)
+{
+        /* ignore no-op events */
+        if (offset.tv_sec == 0 && offset.tv_nsec == 0)
+                return;
+
+        if (!audit_dummy_context())
+                __audit_tk_injoffset(offset);
+}
+
+static inline void audit_ntp_init(struct audit_ntp_data *ad)
+{
+        memset(ad, 0, sizeof(*ad));
+}
+
+static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
+                                     enum audit_ntp_type type, long long val)
+{
+        ad->vals[type].oldval = val;
+}
+
+static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
+                                     enum audit_ntp_type type, long long val)
+{
+        ad->vals[type].newval = val;
+}
+
+static inline void audit_ntp_log(const struct audit_ntp_data *ad)
+{
+        if (!audit_dummy_context())
+                __audit_ntp_log(ad);
+}
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -580,6 +638,23 @@ static inline void audit_log_kern_module(char *name)
 static inline void audit_fanotify(unsigned int response)
 { }
 
+static inline void audit_tk_injoffset(struct timespec64 offset)
+{ }
+
+static inline void audit_ntp_init(struct audit_ntp_data *ad)
+{ }
+
+static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
+                                     enum audit_ntp_type type, long long val)
+{ }
+
+static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
+                                     enum audit_ntp_type type, long long val)
+{ }
+
+static inline void audit_ntp_log(const struct audit_ntp_data *ad)
+{ }
+
 static inline void audit_ptrace(struct task_struct *t)
 { }
 #define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index f28acd952d03..a1280af20336 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -114,6 +114,8 @@
 #define AUDIT_REPLACE           1329    /* Replace auditd if this packet unanswerd */
 #define AUDIT_KERN_MODULE       1330    /* Kernel Module events */
 #define AUDIT_FANOTIFY          1331    /* Fanotify access decision */
+#define AUDIT_TIME_INJOFFSET    1332    /* Timekeeping offset injected */
+#define AUDIT_TIME_ADJNTPVAL    1333    /* NTP value adjustment */
 
 #define AUDIT_AVC               1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR       1401    /* Internal SE Linux Errors */
@@ -375,11 +377,19 @@ enum {
 
 #define AUDIT_ARCH_AARCH64      (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA        (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_ARCOMPACT    (EM_ARCOMPACT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_ARCOMPACTBE  (EM_ARCOMPACT)
+#define AUDIT_ARCH_ARCV2        (EM_ARCV2|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_ARCV2BE      (EM_ARCV2)
 #define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB        (EM_ARM)
+#define AUDIT_ARCH_C6X          (EM_TI_C6000|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_C6XBE        (EM_TI_C6000)
 #define AUDIT_ARCH_CRIS         (EM_CRIS|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_CSKY         (EM_CSKY|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_FRV          (EM_FRV)
+#define AUDIT_ARCH_H8300        (EM_H8_300)
+#define AUDIT_ARCH_HEXAGON      (EM_HEXAGON)
 #define AUDIT_ARCH_I386         (EM_386|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_IA64         (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_M32R         (EM_M32R)
@@ -393,6 +403,9 @@ enum {
 #define AUDIT_ARCH_MIPSEL64     (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_MIPSEL64N32  (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE|\
                                  __AUDIT_ARCH_CONVENTION_MIPS64_N32)
+#define AUDIT_ARCH_NDS32        (EM_NDS32|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_NDS32BE      (EM_NDS32)
+#define AUDIT_ARCH_NIOS2        (EM_ALTERA_NIOS2|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
 #define AUDIT_ARCH_PARISC       (EM_PARISC)
 #define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
@@ -413,6 +426,7 @@ enum {
 #define AUDIT_ARCH_TILEGX       (EM_TILEGX|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_TILEGX32     (EM_TILEGX|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_TILEPRO      (EM_TILEPRO|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_UNICORE      (EM_UNICORE|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_X86_64       (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_XTENSA       (EM_XTENSA)
 
diff --git a/include/uapi/linux/elf-em.h b/include/uapi/linux/elf-em.h
index 0c3000faedba..f47e853546fa 100644
--- a/include/uapi/linux/elf-em.h
+++ b/include/uapi/linux/elf-em.h
@@ -34,14 +34,20 @@
 #define EM_M32R         88      /* Renesas M32R */
 #define EM_MN10300      89      /* Panasonic/MEI MN10300, AM33 */
 #define EM_OPENRISC     92     /* OpenRISC 32-bit embedded processor */
+#define EM_ARCOMPACT    93      /* ARCompact processor */
 #define EM_XTENSA       94      /* Tensilica Xtensa Architecture */
 #define EM_BLACKFIN     106     /* ADI Blackfin Processor */
+#define EM_UNICORE      110     /* UniCore-32 */
 #define EM_ALTERA_NIOS2 113     /* Altera Nios II soft-core processor */
 #define EM_TI_C6000     140     /* TI C6X DSPs */
+#define EM_HEXAGON      164     /* QUALCOMM Hexagon */
+#define EM_NDS32        167     /* Andes Technology compact code size
+                                   embedded RISC processor family */
 #define EM_AARCH64      183     /* ARM 64 bit */
 #define EM_TILEPRO      188     /* Tilera TILEPro */
 #define EM_MICROBLAZE   189     /* Xilinx MicroBlaze */
 #define EM_TILEGX       191     /* Tilera TILE-Gx */
+#define EM_ARCV2        195     /* ARCv2 Cores */
 #define EM_RISCV        243     /* RISC-V */
 #define EM_BPF          247     /* Linux BPF - in-kernel virtual machine */
 #define EM_CSKY         252     /* C-SKY */
diff --git a/kernel/audit.c b/kernel/audit.c
index c89ea48c70a6..b96bf69183f4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2220,7 +2220,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
         if (!audit_enabled)
                 return;
 
-        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+        ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN);
         if (!ab)
                 return;
 
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f26fab..1bc6410413e6 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1114,22 +1114,24 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
         int err = 0;
         struct audit_entry *entry;
 
-        entry = audit_data_to_entry(data, datasz);
-        if (IS_ERR(entry))
-                return PTR_ERR(entry);
-
         switch (type) {
         case AUDIT_ADD_RULE:
+                entry = audit_data_to_entry(data, datasz);
+                if (IS_ERR(entry))
+                        return PTR_ERR(entry);
                 err = audit_add_rule(entry);
                 audit_log_rule_change("add_rule", &entry->rule, !err);
                 break;
         case AUDIT_DEL_RULE:
+                entry = audit_data_to_entry(data, datasz);
+                if (IS_ERR(entry))
+                        return PTR_ERR(entry);
                 err = audit_del_rule(entry);
                 audit_log_rule_change("remove_rule", &entry->rule, !err);
                 break;
         default:
-                err = -EINVAL;
                 WARN_ON(1);
+                return -EINVAL;
         }
 
         if (err || type == AUDIT_DEL_RULE) {
@@ -1315,8 +1317,6 @@ int audit_filter(int msgtype, unsigned int listtype)
         int ret = 1; /* Audit by default */
 
         rcu_read_lock();
-        if (list_empty(&audit_filter_list[listtype]))
-                goto unlock_and_return;
         list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
                 int i, result = 0;
 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d1eab1d4a930..5371b59bde36 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -771,15 +771,13 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
                 return AUDIT_DISABLED;
 
         rcu_read_lock();
-        if (!list_empty(list)) {
-                list_for_each_entry_rcu(e, list, list) {
-                        if (audit_in_mask(&e->rule, ctx->major) &&
-                            audit_filter_rules(tsk, &e->rule, ctx, NULL,
-                                               &state, false)) {
-                                rcu_read_unlock();
-                                ctx->current_state = state;
-                                return state;
-                        }
+        list_for_each_entry_rcu(e, list, list) {
+                if (audit_in_mask(&e->rule, ctx->major) &&
+                    audit_filter_rules(tsk, &e->rule, ctx, NULL,
+                                       &state, false)) {
+                        rcu_read_unlock();
+                        ctx->current_state = state;
+                        return state;
                 }
         }
         rcu_read_unlock();
@@ -798,9 +796,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
         struct audit_entry *e;
         enum audit_state state;
 
-        if (list_empty(list))
-                return 0;
-
         list_for_each_entry_rcu(e, list, list) {
                 if (audit_in_mask(&e->rule, ctx->major) &&
                     audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
@@ -808,7 +803,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
                         return 1;
                 }
         }
-
         return 0;
 }
 
@@ -840,6 +834,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
         context->proctitle.len = 0;
 }
 
+static inline void audit_free_module(struct audit_context *context)
+{
+        if (context->type == AUDIT_KERN_MODULE) {
+                kfree(context->module.name);
+                context->module.name = NULL;
+        }
+}
 static inline void audit_free_names(struct audit_context *context)
 {
         struct audit_names *n, *next;
@@ -923,6 +924,7 @@ int audit_alloc(struct task_struct *tsk)
 
 static inline void audit_free_context(struct audit_context *context)
 {
+        audit_free_module(context);
         audit_free_names(context);
         unroll_tree_refs(context, NULL, 0);
         free_tree_refs(context);
@@ -1139,7 +1141,8 @@ out:
         kfree(buf_head);
 }
 
-void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
+static void audit_log_cap(struct audit_buffer *ab, char *prefix,
+                          kernel_cap_t *cap)
 {
         int i;
 
@@ -1266,7 +1269,6 @@ static void show_special(struct audit_context *context, int *call_panic)
                 audit_log_format(ab, "name=");
                 if (context->module.name) {
                         audit_log_untrustedstring(ab, context->module.name);
-                        kfree(context->module.name);
                 } else
                         audit_log_format(ab, "(null)");
 
@@ -1628,7 +1630,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
                         return;
         }
 
-        context->arch       = syscall_get_arch();
+        context->arch       = syscall_get_arch(current);
         context->major      = major;
         context->argv[0]    = a1;
         context->argv[1]    = a2;
@@ -1697,6 +1699,7 @@ void __audit_syscall_exit(int success, long return_code)
         context->in_syscall = 0;
         context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
 
+        audit_free_module(context);
         audit_free_names(context);
         unroll_tree_refs(context, NULL, 0);
         audit_free_aux(context);
@@ -1897,8 +1900,9 @@ static inline int audit_copy_fcaps(struct audit_names *name,
 }
 
 /* Copy inode data into an audit_names. */
-void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
-                      struct inode *inode, unsigned int flags)
+static void audit_copy_inode(struct audit_names *name,
+                             const struct dentry *dentry,
+                             struct inode *inode, unsigned int flags)
 {
         name->ino   = inode->i_ino;
         name->dev   = inode->i_sb->s_dev;
@@ -1935,18 +1939,16 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
                 return;
 
         rcu_read_lock();
-        if (!list_empty(list)) {
-                list_for_each_entry_rcu(e, list, list) {
-                        for (i = 0; i < e->rule.field_count; i++) {
-                                struct audit_field *f = &e->rule.fields[i];
-
-                                if (f->type == AUDIT_FSTYPE
-                                    && audit_comparator(inode->i_sb->s_magic,
-                                                        f->op, f->val)
-                                    && e->rule.action == AUDIT_NEVER) {
-                                        rcu_read_unlock();
-                                        return;
-                                }
+        list_for_each_entry_rcu(e, list, list) {
+                for (i = 0; i < e->rule.field_count; i++) {
+                        struct audit_field *f = &e->rule.fields[i];
+
+                        if (f->type == AUDIT_FSTYPE
+                            && audit_comparator(inode->i_sb->s_magic,
+                                                f->op, f->val)
+                            && e->rule.action == AUDIT_NEVER) {
+                                rcu_read_unlock();
+                                return;
                         }
                 }
         }
@@ -2055,18 +2057,16 @@ void __audit_inode_child(struct inode *parent,
                 return;
 
         rcu_read_lock();
-        if (!list_empty(list)) {
-                list_for_each_entry_rcu(e, list, list) {
-                        for (i = 0; i < e->rule.field_count; i++) {
-                                struct audit_field *f = &e->rule.fields[i];
-
-                                if (f->type == AUDIT_FSTYPE
-                                    && audit_comparator(parent->i_sb->s_magic,
-                                                        f->op, f->val)
-                                    && e->rule.action == AUDIT_NEVER) {
-                                        rcu_read_unlock();
-                                        return;
-                                }
+        list_for_each_entry_rcu(e, list, list) {
+                for (i = 0; i < e->rule.field_count; i++) {
+                        struct audit_field *f = &e->rule.fields[i];
+
+                        if (f->type == AUDIT_FSTYPE
+                            && audit_comparator(parent->i_sb->s_magic,
+                                                f->op, f->val)
+                            && e->rule.action == AUDIT_NEVER) {
+                                rcu_read_unlock();
+                                return;
                         }
                 }
         }
@@ -2512,6 +2512,35 @@ void __audit_fanotify(unsigned int response)
                 AUDIT_FANOTIFY, "resp=%u", response);
 }
 
+void __audit_tk_injoffset(struct timespec64 offset)
+{
+        audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
+                  "sec=%lli nsec=%li",
+                  (long long)offset.tv_sec, offset.tv_nsec);
+}
+
+static void audit_log_ntp_val(const struct audit_ntp_data *ad,
+                              const char *op, enum audit_ntp_type type)
+{
+        const struct audit_ntp_val *val = &ad->vals[type];
+
+        if (val->newval == val->oldval)
+                return;
+
+        audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
+                  "op=%s old=%lli new=%lli", op, val->oldval, val->newval);
+}
+
+void __audit_ntp_log(const struct audit_ntp_data *ad)
+{
+        audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
+        audit_log_ntp_val(ad, "freq",   AUDIT_NTP_FREQ);
+        audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
+        audit_log_ntp_val(ad, "tai",    AUDIT_NTP_TAI);
+        audit_log_ntp_val(ad, "tick",   AUDIT_NTP_TICK);
+        audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
+}
+
 static void audit_log_task(struct audit_buffer *ab)
 {
         kuid_t auid, uid;
@@ -2580,7 +2609,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
                 return;
         audit_log_task(ab);
         audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
-                         signr, syscall_get_arch(), syscall,
+                         signr, syscall_get_arch(current), syscall,
                          in_compat_syscall(), KSTK_EIP(current), code);
         audit_log_end(ab);
 }
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index a635ecba6fe2..811b4a86cdf6 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -148,7 +148,7 @@ static void populate_seccomp_data(struct seccomp_data *sd)
         unsigned long args[6];
 
         sd->nr = syscall_get_nr(task, regs);
-        sd->arch = syscall_get_arch();
+        sd->arch = syscall_get_arch(task);
         syscall_get_arguments(task, regs, args);
         sd->args[0] = args[0];
         sd->args[1] = args[1];
@@ -594,7 +594,7 @@ static void seccomp_init_siginfo(kernel_siginfo_t *info, int syscall, int reason
         info->si_code = SYS_SECCOMP;
         info->si_call_addr = (void __user *)KSTK_EIP(current);
         info->si_errno = reason;
-        info->si_arch = syscall_get_arch();
+        info->si_arch = syscall_get_arch(current);
         info->si_syscall = syscall;
 }
 
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 92a90014a925..ac5555e25733 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -17,6 +17,7 @@
 #include <linux/mm.h>
 #include <linux/module.h>
 #include <linux/rtc.h>
+#include <linux/audit.h>
 
 #include "ntp_internal.h"
 #include "timekeeping_internal.h"
@@ -709,7 +710,7 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc,
  * kernel time-keeping variables. used by xntpd.
  */
 int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts,
-                  s32 *time_tai)
+                  s32 *time_tai, struct audit_ntp_data *ad)
 {
         int result;
 
@@ -720,14 +721,29 @@ int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts,
                         /* adjtime() is independent from ntp_adjtime() */
                         time_adjust = txc->offset;
                         ntp_update_frequency();
+
+                        audit_ntp_set_old(ad, AUDIT_NTP_ADJUST, save_adjust);
+                        audit_ntp_set_new(ad, AUDIT_NTP_ADJUST, time_adjust);
                 }
                 txc->offset = save_adjust;
         } else {
-
                 /* If there are input parameters, then process them: */
-                if (txc->modes)
+                if (txc->modes) {
+                        audit_ntp_set_old(ad, AUDIT_NTP_OFFSET, time_offset);
+                        audit_ntp_set_old(ad, AUDIT_NTP_FREQ,   time_freq);
+                        audit_ntp_set_old(ad, AUDIT_NTP_STATUS, time_status);
+                        audit_ntp_set_old(ad, AUDIT_NTP_TAI,    *time_tai);
+                        audit_ntp_set_old(ad, AUDIT_NTP_TICK,   tick_usec);
+
                         process_adjtimex_modes(txc, time_tai);
 
+                        audit_ntp_set_new(ad, AUDIT_NTP_OFFSET, time_offset);
+                        audit_ntp_set_new(ad, AUDIT_NTP_FREQ,   time_freq);
+                        audit_ntp_set_new(ad, AUDIT_NTP_STATUS, time_status);
+                        audit_ntp_set_new(ad, AUDIT_NTP_TAI,    *time_tai);
+                        audit_ntp_set_new(ad, AUDIT_NTP_TICK,   tick_usec);
+                }
+
                 txc->offset = shift_right(time_offset * NTP_INTERVAL_FREQ,
                                   NTP_SCALE_SHIFT);
                 if (!(time_status & STA_NANO))
diff --git a/kernel/time/ntp_internal.h b/kernel/time/ntp_internal.h
index 40e6122e634e..908ecaa65fc3 100644
--- a/kernel/time/ntp_internal.h
+++ b/kernel/time/ntp_internal.h
@@ -8,6 +8,8 @@ extern void ntp_clear(void);
 extern u64 ntp_tick_length(void);
 extern ktime_t ntp_get_next_leap(void);
 extern int second_overflow(time64_t secs);
-extern int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts, s32 *time_tai);
+extern int __do_adjtimex(struct __kernel_timex *txc,
+                         const struct timespec64 *ts,
+                         s32 *time_tai, struct audit_ntp_data *ad);
 extern void __hardpps(const struct timespec64 *phase_ts, const struct timespec64 *raw_ts);
 #endif /* _LINUX_NTP_INTERNAL_H */
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 5716e28bfa3c..85f5912d8f70 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -21,6 +21,7 @@
 #include <linux/stop_machine.h>
 #include <linux/pvclock_gtod.h>
 #include <linux/compiler.h>
+#include <linux/audit.h>
 
 #include "tick-internal.h"
 #include "ntp_internal.h"
@@ -1250,6 +1251,9 @@ out:
         /* signal hrtimers about time change */
         clock_was_set();
 
+        if (!ret)
+                audit_tk_injoffset(ts_delta);
+
         return ret;
 }
 EXPORT_SYMBOL(do_settimeofday64);
@@ -2303,6 +2307,7 @@ static int timekeeping_validate_timex(const struct __kernel_timex *txc)
 int do_adjtimex(struct __kernel_timex *txc)
 {
         struct timekeeper *tk = &tk_core.timekeeper;
+        struct audit_ntp_data ad;
         unsigned long flags;
         struct timespec64 ts;
         s32 orig_tai, tai;
@@ -2322,15 +2327,19 @@ int do_adjtimex(struct __kernel_timex *txc)
                 ret = timekeeping_inject_offset(&delta);
                 if (ret)
                         return ret;
+
+                audit_tk_injoffset(delta);
         }
 
+        audit_ntp_init(&ad);
+
         ktime_get_real_ts64(&ts);
 
         raw_spin_lock_irqsave(&timekeeper_lock, flags);
         write_seqcount_begin(&tk_core.seq);
 
         orig_tai = tai = tk->tai_offset;
-        ret = __do_adjtimex(txc, &ts, &tai);
+        ret = __do_adjtimex(txc, &ts, &tai, &ad);
 
         if (tai != orig_tai) {
                 __timekeeping_set_tai_offset(tk, tai);
@@ -2341,6 +2350,8 @@ int do_adjtimex(struct __kernel_timex *txc)
         write_seqcount_end(&tk_core.seq);
         raw_spin_unlock_irqrestore(&timekeeper_lock, flags);
 
+        audit_ntp_log(&ad);
+
         /* Update the multiplier immediately if frequency was set directly */
         if (txc->modes & (ADJ_FREQUENCY | ADJ_TICK))
                 timekeeping_advance(TK_ADV_FREQ);
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 015aea8fdf1e..3f7cbb238923 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
         if (count > XATTR_NAME_MAX)
                 return -E2BIG;
 
-        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
+        ab = audit_log_start(audit_context(), GFP_KERNEL,
+                             AUDIT_INTEGRITY_EVM_XATTR);
         if (!ab)
                 return -ENOMEM;
 
@@ -214,6 +215,9 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
         if (len && xattr->name[len-1] == '\n')
                 xattr->name[len-1] = '\0';
 
+        audit_log_format(ab, "xattr=");
+        audit_log_untrustedstring(ab, xattr->name);
+
         if (strcmp(xattr->name, ".") == 0) {
                 evm_xattrs_locked = 1;
                 newattrs.ia_mode = S_IFREG | 0440;
@@ -222,15 +226,11 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
                 inode_lock(inode);
                 err = simple_setattr(evm_xattrs, &newattrs);
                 inode_unlock(inode);
-                audit_log_format(ab, "locked");
                 if (!err)
                         err = count;
                 goto out;
         }
 
-        audit_log_format(ab, "xattr=");
-        audit_log_untrustedstring(ab, xattr->name);
-
         if (strncmp(xattr->name, XATTR_SECURITY_PREFIX,
                     XATTR_SECURITY_PREFIX_LEN) != 0) {
                 err = -EINVAL;