diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 6df0490f4..dee6a7c77 100755
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -52,6 +52,8 @@
 #define USB_TP_TRANSMISSION_DELAY_MAX	65535	/* ns */
 #define USB_PING_RESPONSE_TIME		400	/* ns */
 
+extern int deny_new_usb;
+
 /* Protect struct usb_device->state and ->children members
  * Note: Both are also protected by ->dev.sem, except that ->state can
  * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
@@ -5368,6 +5370,11 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 	if (unreliable_port == port1)
 		unreliable_port = -1;
 
+	if (deny_new_usb) {
+		dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
+		goto done;
+	}
+
 	if (hub_is_superspeed(hub->hdev))
 		unit_load = 150;
 	else
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e8f5a67c7..de72764b9 100755
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -112,6 +112,10 @@
 
 /* External variables not in a header file. */
 extern int extra_free_kbytes;
+#if IS_ENABLED(CONFIG_USB)
+int deny_new_usb __read_mostly = 0;
+EXPORT_SYMBOL(deny_new_usb);
+#endif
 
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
@@ -2353,6 +2357,17 @@ static struct ctl_table kern_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_TWO,
 	},
+#endif
+#if IS_ENABLED(CONFIG_USB)
+	{
+		.procname	= "deny_new_usb",
+		.data		= &deny_new_usb,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 #endif
 	{
 		.procname	= "ngroups_max",