One fix is in staging https://github.com/NixOS/nixpkgs/pull/84032/files. I haven't adjusted the config though because I had not the power to compile all the kernels so that part of the PR may be relevant.

Oh, great, I hadn't noticed that.
I'll rebase this on top of staging with only the config option changes.
Some of the config changes I made seem to be more accurate than what's on #84032.

cc @teto Done, let me know if I should do anything else.

Note: I've mostly used https://cateee.net/lkddb/web-lkddb/ to figure out kernel version constraints.

The issues I have mainly just come from how yes overrides everything else.

What I use locally

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index d239455ad34..bd791a5696a 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -427,7 +427,7 @@ let

     container = {
       NAMESPACES     = yes; #  Required by 'unshare' used by 'nixos-install'
-      RT_GROUP_SCHED = no;
+      RT_GROUP_SCHED = option no;
       CGROUP_DEVICE  = yes;
       CGROUP_HUGETLB = yes;
       CGROUP_PERF    = yes;
@@ -734,8 +734,8 @@ let
       RT2800USB_RT53XX = yes;
       RT2800USB_RT55XX = yes;

-      SCHED_AUTOGROUP  = yes;
-      CFS_BANDWIDTH    = yes;
+      SCHED_AUTOGROUP  = option yes;
+      CFS_BANDWIDTH    = option yes;

       SCSI_LOGGING = yes; # SCSI logging facility
       SERIAL_8250  = yes; # 8250/16550 and compatible serial support
@@ -770,7 +770,7 @@ let
       DRM_AMDGPU_USERPTR = whenAtLeast "5.3" yes;

       PREEMPT = no;
-      PREEMPT_VOLUNTARY = yes;
+      PREEMPT_VOLUNTARY = option yes;

       X86_AMD_PLATFORM_DEVICE = yes;

diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 95510fe218e..5d173230403 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -40,11 +40,11 @@ assert (versionAtLeast version "4.9");
   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS     = yes;
   DEBUG_NOTIFIERS       = yes;
-  DEBUG_PI_LIST         = yes; # doesn't BUG()
+  DEBUG_PI_LIST         = option yes; # doesn't BUG()
   DEBUG_SG              = yes;
   SCHED_STACK_END_CHECK = yes;

-  REFCOUNT_FULL = whenAtLeast "4.13" yes;
+  REFCOUNT_FULL = whenAtLeast "4.13" (option yes);

   # Randomize page allocator when page_alloc.shuffle=1
   SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;

@eadwu Assuming I understood you correctly, that sounds like something that should be fixed (probably in another PR), i.e., that config options passed in as structuredExtraConfig take precedence over those in common-config.nix and (possibly) those from kernel patches, rather than (for instance) yes always taking precedence over no.

It would probably be good to reuse the existing option overriding mechanism (with priorities) and to make sure all options defined with the highest priority have the same value.

You just made me realize that a few kernel config options that I had explicitly disabled were being silently enabled by common-config.nix...

you can use mkForce etc to override with your settings. I was planning to wrtie some documentation on the mechanism after fixing the merge config issue (that is in staging). Would like to update some kernel-related PRs too.

I think the current merge strategy can silently lead to undesired results.

For example, hardened-config.nix defines INET_DIAG = no # Has been used for heap based attacks in the past but common-config.nix defines INET_DIAG = yes so as far as I can tell, the hardened config is ending up with the wrong result.

Furthermore, even if we fix this instance, there's nothing guaranteeing that if in the future someone adds another config option to common-config.nix that it won't silently modify the config in hardened-config.nix.

I would be in favor of removing the mergeAnswer function and just use the default merge strategy that makes sure all options whose values have the highest priority have been defined with the same value. This would make sure that different kernel configs in nixpkgs don't conflict with each other and end up with the wrong result such as what's happening with INET_DIAG above.

We can further recommend that the user always uses mkForce in their config to reduce the chance that their config gets broken when someone adds a new option to common-config.nix.

Or if possible, in addition to removing mergeAnswer, we should somehow make the config options defined in nixpkgs to have a lower priority by default than what the user passes in as their personalized kernel config, so that the user doesn't even have to use mkForce to make sure their options override the ones defined in nixpkgs.

Just to note that merging linux config is non trivial (even with the merge scripts), hopefully it can be solved outside of nix (SAT solvers are WIP). It is also why I proposed #69013 . I think it's ok to have a merge strategy except:

• it is not properly documented yet.
• we should definitely add a mkDefault to common-config and at least have the hardened version generate a faithful config.

Here's some of the changes I found (that should be wrong in the default configuration)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index b3f01b2b207..32eedbd7330 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -269,7 +269,7 @@ let
       SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = yes;
       SND_SOC_SOF_GEMINILAKE_SUPPORT    = yes;
       SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
-      SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = yes;
+      SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
       SND_SOC_SOF_HDA_LINK              = yes;
       SND_SOC_SOF_ICELAKE_SUPPORT       = yes;
       SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 95510fe218e..d0e0a89635f 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -40,11 +40,12 @@ assert (versionAtLeast version "4.9");
   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS     = yes;
   DEBUG_NOTIFIERS       = yes;
-  DEBUG_PI_LIST         = yes; # doesn't BUG()
+  DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()
+  DEBUG_PLIST           = whenAtLeast "5.2" yes; # DEBUG_PI_LIST as of v5.2, 8e18fae
   DEBUG_SG              = yes;
   SCHED_STACK_END_CHECK = yes;
 
-  REFCOUNT_FULL = whenAtLeast "4.13" yes;
+  REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;
 
   # Randomize page allocator when page_alloc.shuffle=1
   SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
@@ -76,10 +77,19 @@ assert (versionAtLeast version "4.9");
   # Disable various dangerous settings
   ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
   PROC_KCORE         = no; # Exposes kernel text image layout
-  INET_DIAG          = no; # Has been used for heap based attacks in the past
+  INET_DIAG          = mkForce no; # Has been used for heap based attacks in the past
+  INET_TCP_DIAG      = mkForce (option no);
+  INET_UDP_DIAG      = mkForce (option no);
+  INET_RAW_DIAG      = mkForce (option no);
+  INET_DIAG_DESTROY  = mkForce (option no);
 
   # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
   CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
 
+  # Satisfy configfile build
+  DEVMEM = yes; # needed for STRICT_DEVMEM to show, oh well to disabled DEVMEM
+  STRICT_DEVMEM = yes; # somehow wants this, probably because something we enabled needs it
+  IO_STRICT_DEVMEM = yes; # enabled from patchset, but for the sake of completion of the DEVMEM
+
 }