kernel 6.2.6

1 files changed, 1797 insertions, 0 deletions

diff --git a/SOURCES/patch-6.2-redhat.patch b/SOURCES/patch-6.2-redhat.patch
new file mode 100644
index 0000000..54d6478
--- /dev/null
+++ b/SOURCES/patch-6.2-redhat.patch
@@ -0,0 +1,1797 @@
+ Makefile                                           |   4 +
+ arch/arm/Kconfig                                   |   4 +-
+ arch/arm64/Kconfig                                 |   3 +-
+ arch/s390/include/asm/ipl.h                        |   1 +
+ arch/s390/kernel/ipl.c                             |   5 +
+ arch/s390/kernel/setup.c                           |   4 +
+ arch/x86/kernel/setup.c                            |  22 +-
+ drivers/acpi/apei/hest.c                           |   8 +
+ drivers/acpi/irq.c                                 |  17 +-
+ drivers/acpi/scan.c                                |   9 +
+ drivers/ata/libahci.c                              |  18 +
+ drivers/char/ipmi/ipmi_dmi.c                       |  15 +
+ drivers/char/ipmi/ipmi_msghandler.c                |  16 +-
+ drivers/firmware/efi/Makefile                      |   1 +
+ drivers/firmware/efi/efi.c                         | 124 +++--
+ drivers/firmware/efi/secureboot.c                  |  38 ++
+ drivers/firmware/sysfb.c                           |  18 +-
+ drivers/hid/hid-rmi.c                              |  66 ---
+ drivers/hwtracing/coresight/coresight-etm4x-core.c |  19 +
+ drivers/input/rmi4/rmi_driver.c                    | 124 +++--
+ drivers/iommu/iommu.c                              |  22 +
+ drivers/pci/quirks.c                               |  24 +
+ drivers/usb/core/hub.c                             |   7 +
+ include/linux/efi.h                                |  22 +-
+ include/linux/lsm_hook_defs.h                      |   2 +
+ include/linux/lsm_hooks.h                          |   6 +
+ include/linux/rh_kabi.h                            | 515 +++++++++++++++++++++
+ include/linux/rmi.h                                |   1 +
+ include/linux/security.h                           |   5 +
+ kernel/module/signing.c                            |   9 +-
+ scripts/tags.sh                                    |   2 +
+ security/integrity/platform_certs/load_uefi.c      |   6 +-
+ security/lockdown/Kconfig                          |  13 +
+ security/lockdown/lockdown.c                       |   1 +
+ security/security.c                                |   6 +
+ 35 files changed, 980 insertions(+), 177 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 70e66e771608..f2acee86e2e0 100644
+--- a/Makefile
++++ b/Makefile
+@@ -22,6 +22,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
+ PHONY := __all
+ __all:
+
++# Set RHEL variables
++# Use this spot to avoid future merge conflicts
++include Makefile.rhelver
++
+ # We are using a recursive build, so we need to do a little thinking
+ # to get the ordering right.
+ #
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 43c7773b89ae..2c1db1cb5528 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1299,9 +1299,9 @@ config HIGHMEM
+ 	  If unsure, say n.
+
+ config HIGHPTE
+-	bool "Allocate 2nd-level pagetables from highmem" if EXPERT
++	bool "Allocate 2nd-level pagetables from highmem"
+ 	depends on HIGHMEM
+-	default y
++	default n
+ 	help
+ 	  The VM uses one page of physical memory for each page table.
+ 	  For systems with a lot of processes, this can use a lot of
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index ddfd35c86bda..2b69e42dff58 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1233,7 +1233,7 @@ endchoice
+
+ config ARM64_FORCE_52BIT
+ 	bool "Force 52-bit virtual addresses for userspace"
+-	depends on ARM64_VA_BITS_52 && EXPERT
++	depends on ARM64_VA_BITS_52
+ 	help
+ 	  For systems with 52-bit userspace VAs enabled, the kernel will attempt
+ 	  to maintain compatibility with older software by providing 48-bit VAs
+@@ -1472,6 +1472,7 @@ config XEN
+ config ARCH_FORCE_MAX_ORDER
+ 	int
+ 	default "14" if ARM64_64K_PAGES
++	default "13" if (ARCH_THUNDER && !ARM64_64K_PAGES)
+ 	default "12" if ARM64_16K_PAGES
+ 	default "11"
+ 	help
+diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
+index b0d00032479d..afb9544fb007 100644
+--- a/arch/s390/include/asm/ipl.h
++++ b/arch/s390/include/asm/ipl.h
+@@ -139,6 +139,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
+ 			     unsigned char flags, unsigned short cert);
+ int ipl_report_add_certificate(struct ipl_report *report, void *key,
+ 			       unsigned long addr, unsigned long len);
++bool ipl_get_secureboot(void);
+
+ /*
+  * DIAG 308 support
+diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
+index bcf03939e6fe..3773e027b034 100644
+--- a/arch/s390/kernel/ipl.c
++++ b/arch/s390/kernel/ipl.c
+@@ -2520,3 +2520,8 @@ int ipl_report_free(struct ipl_report *report)
+ }
+
+ #endif
++
++bool ipl_get_secureboot(void)
++{
++	return !!ipl_secure_flag;
++}
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index 696c9e007a36..80a56c8eaaae 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -49,6 +49,7 @@
+ #include <linux/memory.h>
+ #include <linux/compat.h>
+ #include <linux/start_kernel.h>
++#include <linux/security.h>
+ #include <linux/hugetlb.h>
+ #include <linux/kmemleak.h>
+
+@@ -981,6 +982,9 @@ void __init setup_arch(char **cmdline_p)
+
+ 	log_component_list();
+
++	if (ipl_get_secureboot())
++		security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
++
+ 	/* Have one command line that is parsed and saved in /proc/cmdline */
+ 	/* boot_command_line has been already set up in early.c */
+ 	*cmdline_p = boot_command_line;
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index 88188549647c..d4147393237b 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -21,6 +21,7 @@
+ #include <linux/root_dev.h>
+ #include <linux/hugetlb.h>
+ #include <linux/tboot.h>
++#include <linux/security.h>
+ #include <linux/usb/xhci-dbgp.h>
+ #include <linux/static_call.h>
+ #include <linux/swiotlb.h>
+@@ -1038,6 +1039,13 @@ void __init setup_arch(char **cmdline_p)
+ 	if (efi_enabled(EFI_BOOT))
+ 		efi_init();
+
++	efi_set_secure_boot(boot_params.secure_boot);
++
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++	if (efi_enabled(EFI_SECURE_BOOT))
++		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
++#endif
++
+ 	dmi_setup();
+
+ 	/*
+@@ -1196,19 +1204,7 @@ void __init setup_arch(char **cmdline_p)
+ 	/* Allocate bigger log buffer */
+ 	setup_log_buf(1);
+
+-	if (efi_enabled(EFI_BOOT)) {
+-		switch (boot_params.secure_boot) {
+-		case efi_secureboot_mode_disabled:
+-			pr_info("Secure boot disabled\n");
+-			break;
+-		case efi_secureboot_mode_enabled:
+-			pr_info("Secure boot enabled\n");
+-			break;
+-		default:
+-			pr_info("Secure boot could not be determined\n");
+-			break;
+-		}
+-	}
++	efi_set_secure_boot(boot_params.secure_boot);
+
+ 	reserve_initrd();
+
+diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c
+index 6aef1ee5e1bd..8f146b1b4972 100644
+--- a/drivers/acpi/apei/hest.c
++++ b/drivers/acpi/apei/hest.c
+@@ -96,6 +96,14 @@ static int apei_hest_parse(apei_hest_func_t func, void *data)
+ 	if (hest_disable || !hest_tab)
+ 		return -EINVAL;
+
++#ifdef CONFIG_ARM64
++	/* Ignore broken firmware */
++	if (!strncmp(hest_tab->header.oem_id, "HPE   ", 6) &&
++	    !strncmp(hest_tab->header.oem_table_id, "ProLiant", 8) &&
++	    MIDR_IMPLEMENTOR(read_cpuid_id()) == ARM_CPU_IMP_APM)
++		return -EINVAL;
++#endif
++
+ 	hest_hdr = (struct acpi_hest_header *)(hest_tab + 1);
+ 	for (i = 0; i < hest_tab->error_source_count; i++) {
+ 		len = hest_esrc_len(hest_hdr);
+diff --git a/drivers/acpi/irq.c b/drivers/acpi/irq.c
+index c2c786eb95ab..4e3aa80cd5cf 100644
+--- a/drivers/acpi/irq.c
++++ b/drivers/acpi/irq.c
+@@ -138,6 +138,7 @@ struct acpi_irq_parse_one_ctx {
+ 	unsigned int index;
+ 	unsigned long *res_flags;
+ 	struct irq_fwspec *fwspec;
++	bool skip_producer_check;
+ };
+
+ /**
+@@ -211,7 +212,8 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ 		return AE_CTRL_TERMINATE;
+ 	case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ 		eirq = &ares->data.extended_irq;
+-		if (eirq->producer_consumer == ACPI_PRODUCER)
++		if (!ctx->skip_producer_check &&
++		    eirq->producer_consumer == ACPI_PRODUCER)
+ 			return AE_OK;
+ 		if (ctx->index >= eirq->interrupt_count) {
+ 			ctx->index -= eirq->interrupt_count;
+@@ -247,8 +249,19 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ static int acpi_irq_parse_one(acpi_handle handle, unsigned int index,
+ 			      struct irq_fwspec *fwspec, unsigned long *flags)
+ {
+-	struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec };
++	struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec, false };
+
++	/*
++	 * Firmware on arm64-based HPE m400 platform incorrectly marks
++	 * its UART interrupt as ACPI_PRODUCER rather than ACPI_CONSUMER.
++	 * Don't do the producer/consumer check for that device.
++	 */
++	if (IS_ENABLED(CONFIG_ARM64)) {
++		struct acpi_device *adev = acpi_get_acpi_dev(handle);
++
++		if (adev && !strcmp(acpi_device_hid(adev), "APMC0D08"))
++			ctx.skip_producer_check = true;
++	}
+ 	acpi_walk_resources(handle, METHOD_NAME__CRS, acpi_irq_parse_one_cb, &ctx);
+ 	return ctx.rc;
+ }
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 0c6f06abe3f4..f66b85b2c108 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1746,6 +1746,15 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+ 	if (!acpi_match_device_ids(device, ignore_serial_bus_ids))
+ 		return false;
+
++	/*
++	 * Firmware on some arm64 X-Gene platforms will make the UART
++	 * device appear as both a UART and a slave of that UART. Just
++	 * bail out here for X-Gene UARTs.
++	 */
++	if (IS_ENABLED(CONFIG_ARM64) &&
++	    !strcmp(acpi_device_hid(device), "APMC0D08"))
++		return false;
++
+ 	INIT_LIST_HEAD(&resource_list);
+ 	acpi_dev_get_resources(device, &resource_list,
+ 			       acpi_check_serial_bus_slave,
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index 29acc35bf4a6..c0eaa763cdad 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -727,6 +727,24 @@ int ahci_stop_engine(struct ata_port *ap)
+ 	tmp &= ~PORT_CMD_START;
+ 	writel(tmp, port_mmio + PORT_CMD);
+
++#ifdef CONFIG_ARM64
++	/* Rev Ax of Cavium CN99XX needs a hack for port stop */
++	if (dev_is_pci(ap->host->dev) &&
++	    to_pci_dev(ap->host->dev)->vendor == 0x14e4 &&
++	    to_pci_dev(ap->host->dev)->device == 0x9027 &&
++	    midr_is_cpu_model_range(read_cpuid_id(),
++			MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_VULCAN),
++			MIDR_CPU_VAR_REV(0, 0),
++			MIDR_CPU_VAR_REV(0, MIDR_REVISION_MASK))) {
++		tmp = readl(hpriv->mmio + 0x8000);
++		udelay(100);
++		writel(tmp | (1 << 26), hpriv->mmio + 0x8000);
++		udelay(100);
++		writel(tmp & ~(1 << 26), hpriv->mmio + 0x8000);
++		dev_warn(ap->host->dev, "CN99XX SATA reset workaround applied\n");
++	}
++#endif
++
+ 	/* wait for engine to stop. This could be as long as 500 msec */
+ 	tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
+ 				PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
+diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
+index bbf7029e224b..cf7faa970dd6 100644
+--- a/drivers/char/ipmi/ipmi_dmi.c
++++ b/drivers/char/ipmi/ipmi_dmi.c
+@@ -215,6 +215,21 @@ static int __init scan_for_dmi_ipmi(void)
+ {
+ 	const struct dmi_device *dev = NULL;
+
++#ifdef CONFIG_ARM64
++	/* RHEL-only
++	 * If this is ARM-based HPE m400, return now, because that platform
++	 * reports the host-side ipmi address as intel port-io space, which
++	 * does not exist in the ARM architecture.
++	 */
++	const char *dmistr = dmi_get_system_info(DMI_PRODUCT_NAME);
++
++	if (dmistr && (strcmp("ProLiant m400 Server", dmistr) == 0)) {
++		pr_debug("%s does not support host ipmi\n", dmistr);
++		return 0;
++	}
++	/* END RHEL-only */
++#endif
++
+ 	while ((dev = dmi_find_device(DMI_DEV_TYPE_IPMI, NULL, dev)))
+ 		dmi_decode_ipmi((const struct dmi_header *) dev->device_data);
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 186f1fee7534..93e3a76596ff 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -35,6 +35,7 @@
+ #include <linux/uuid.h>
+ #include <linux/nospec.h>
+ #include <linux/vmalloc.h>
++#include <linux/dmi.h>
+ #include <linux/delay.h>
+
+ #define IPMI_DRIVER_VERSION "39.2"
+@@ -5516,8 +5517,21 @@ static int __init ipmi_init_msghandler_mod(void)
+ {
+ 	int rv;
+
+-	pr_info("version " IPMI_DRIVER_VERSION "\n");
++#ifdef CONFIG_ARM64
++	/* RHEL-only
++	 * If this is ARM-based HPE m400, return now, because that platform
++	 * reports the host-side ipmi address as intel port-io space, which
++	 * does not exist in the ARM architecture.
++	 */
++	const char *dmistr = dmi_get_system_info(DMI_PRODUCT_NAME);
+
++	if (dmistr && (strcmp("ProLiant m400 Server", dmistr) == 0)) {
++		pr_debug("%s does not support host ipmi\n", dmistr);
++		return -ENOSYS;
++	}
++	/* END RHEL-only */
++#endif
++	pr_info("version " IPMI_DRIVER_VERSION "\n");
+ 	mutex_lock(&ipmi_interfaces_mutex);
+ 	rv = ipmi_register_driver();
+ 	mutex_unlock(&ipmi_interfaces_mutex);
+diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
+index b51f2a4c821e..be31d32aba53 100644
+--- a/drivers/firmware/efi/Makefile
++++ b/drivers/firmware/efi/Makefile
+@@ -25,6 +25,7 @@ subdir-$(CONFIG_EFI_STUB)		+= libstub
+ obj-$(CONFIG_EFI_BOOTLOADER_CONTROL)	+= efibc.o
+ obj-$(CONFIG_EFI_TEST)			+= test/
+ obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
++obj-$(CONFIG_EFI)			+= secureboot.o
+ obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
+ obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o
+ obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 1e0b016fdc2b..7417f131db15 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -32,6 +32,7 @@
+ #include <linux/ucs2_string.h>
+ #include <linux/memblock.h>
+ #include <linux/security.h>
++#include <linux/bsearch.h>
+
+ #include <asm/early_ioremap.h>
+
+@@ -907,40 +908,101 @@ int efi_mem_type(unsigned long phys_addr)
+ }
+ #endif
+
++struct efi_error_code {
++	efi_status_t status;
++	int errno;
++	const char *description;
++};
++
++static const struct efi_error_code efi_error_codes[] = {
++	{ EFI_SUCCESS, 0, "Success"},
++#if 0
++	{ EFI_LOAD_ERROR, -EPICK_AN_ERRNO, "Load Error"},
++#endif
++	{ EFI_INVALID_PARAMETER, -EINVAL, "Invalid Parameter"},
++	{ EFI_UNSUPPORTED, -ENOSYS, "Unsupported"},
++	{ EFI_BAD_BUFFER_SIZE, -ENOSPC, "Bad Buffer Size"},
++	{ EFI_BUFFER_TOO_SMALL, -ENOSPC, "Buffer Too Small"},
++	{ EFI_NOT_READY, -EAGAIN, "Not Ready"},
++	{ EFI_DEVICE_ERROR, -EIO, "Device Error"},
++	{ EFI_WRITE_PROTECTED, -EROFS, "Write Protected"},
++	{ EFI_OUT_OF_RESOURCES, -ENOMEM, "Out of Resources"},
++#if 0
++	{ EFI_VOLUME_CORRUPTED, -EPICK_AN_ERRNO, "Volume Corrupt"},
++	{ EFI_VOLUME_FULL, -EPICK_AN_ERRNO, "Volume Full"},
++	{ EFI_NO_MEDIA, -EPICK_AN_ERRNO, "No Media"},
++	{ EFI_MEDIA_CHANGED, -EPICK_AN_ERRNO, "Media changed"},
++#endif
++	{ EFI_NOT_FOUND, -ENOENT, "Not Found"},
++#if 0
++	{ EFI_ACCESS_DENIED, -EPICK_AN_ERRNO, "Access Denied"},
++	{ EFI_NO_RESPONSE, -EPICK_AN_ERRNO, "No Response"},
++	{ EFI_NO_MAPPING, -EPICK_AN_ERRNO, "No mapping"},
++	{ EFI_TIMEOUT, -EPICK_AN_ERRNO, "Time out"},
++	{ EFI_NOT_STARTED, -EPICK_AN_ERRNO, "Not started"},
++	{ EFI_ALREADY_STARTED, -EPICK_AN_ERRNO, "Already started"},
++#endif
++	{ EFI_ABORTED, -EINTR, "Aborted"},
++#if 0
++	{ EFI_ICMP_ERROR, -EPICK_AN_ERRNO, "ICMP Error"},
++	{ EFI_TFTP_ERROR, -EPICK_AN_ERRNO, "TFTP Error"},
++	{ EFI_PROTOCOL_ERROR, -EPICK_AN_ERRNO, "Protocol Error"},
++	{ EFI_INCOMPATIBLE_VERSION, -EPICK_AN_ERRNO, "Incompatible Version"},
++#endif
++	{ EFI_SECURITY_VIOLATION, -EACCES, "Security Policy Violation"},
++#if 0
++	{ EFI_CRC_ERROR, -EPICK_AN_ERRNO, "CRC Error"},
++	{ EFI_END_OF_MEDIA, -EPICK_AN_ERRNO, "End of Media"},
++	{ EFI_END_OF_FILE, -EPICK_AN_ERRNO, "End of File"},
++	{ EFI_INVALID_LANGUAGE, -EPICK_AN_ERRNO, "Invalid Languages"},
++	{ EFI_COMPROMISED_DATA, -EPICK_AN_ERRNO, "Compromised Data"},
++
++	// warnings
++	{ EFI_WARN_UNKOWN_GLYPH, -EPICK_AN_ERRNO, "Warning Unknown Glyph"},
++	{ EFI_WARN_DELETE_FAILURE, -EPICK_AN_ERRNO, "Warning Delete Failure"},
++	{ EFI_WARN_WRITE_FAILURE, -EPICK_AN_ERRNO, "Warning Write Failure"},
++	{ EFI_WARN_BUFFER_TOO_SMALL, -EPICK_AN_ERRNO, "Warning Buffer Too Small"},
++#endif
++};
++
++static int
++efi_status_cmp_bsearch(const void *key, const void *item)
++{
++	u64 status = (u64)(uintptr_t)key;
++	struct efi_error_code *code = (struct efi_error_code *)item;
++
++	if (status < code->status)
++		return -1;
++	if (status > code->status)
++		return 1;
++	return 0;
++}
++
+ int efi_status_to_err(efi_status_t status)
+ {
+-	int err;
+-
+-	switch (status) {
+-	case EFI_SUCCESS:
+-		err = 0;
+-		break;
+-	case EFI_INVALID_PARAMETER:
+-		err = -EINVAL;
+-		break;
+-	case EFI_OUT_OF_RESOURCES:
+-		err = -ENOSPC;
+-		break;
+-	case EFI_DEVICE_ERROR:
+-		err = -EIO;
+-		break;
+-	case EFI_WRITE_PROTECTED:
+-		err = -EROFS;
+-		break;
+-	case EFI_SECURITY_VIOLATION:
+-		err = -EACCES;
+-		break;
+-	case EFI_NOT_FOUND:
+-		err = -ENOENT;
+-		break;
+-	case EFI_ABORTED:
+-		err = -EINTR;
+-		break;
+-	default:
+-		err = -EINVAL;
+-	}
++	struct efi_error_code *found;
++	size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
+
+-	return err;
++	found = bsearch((void *)(uintptr_t)status, efi_error_codes,
++			sizeof(struct efi_error_code), num,
++			efi_status_cmp_bsearch);
++	if (!found)
++		return -EINVAL;
++	return found->errno;
++}
++
++const char *
++efi_status_to_str(efi_status_t status)
++{
++	struct efi_error_code *found;
++	size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
++
++	found = bsearch((void *)(uintptr_t)status, efi_error_codes,
++			sizeof(struct efi_error_code), num,
++			efi_status_cmp_bsearch);
++	if (!found)
++		return "Unknown error code";
++	return found->description;
+ }
+ EXPORT_SYMBOL_GPL(efi_status_to_err);
+
+diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
+new file mode 100644
+index 000000000000..de0a3714a5d4
+--- /dev/null
++++ b/drivers/firmware/efi/secureboot.c
+@@ -0,0 +1,38 @@
++/* Core kernel secure boot support.
++ *
++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <linux/efi.h>
++#include <linux/kernel.h>
++#include <linux/printk.h>
++
++/*
++ * Decide what to do when UEFI secure boot mode is enabled.
++ */
++void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
++{
++	if (efi_enabled(EFI_BOOT)) {
++		switch (mode) {
++		case efi_secureboot_mode_disabled:
++			pr_info("Secure boot disabled\n");
++			break;
++		case efi_secureboot_mode_enabled:
++			set_bit(EFI_SECURE_BOOT, &efi.flags);
++			pr_info("Secure boot enabled\n");
++			break;
++		default:
++			pr_warn("Secure boot could not be determined (mode %u)\n",
++				   mode);
++			break;
++		}
++	}
++}
+diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
+index 3fd3563d962b..75d67e6dde2a 100644
+--- a/drivers/firmware/sysfb.c
++++ b/drivers/firmware/sysfb.c
+@@ -34,6 +34,22 @@
+ #include <linux/screen_info.h>
+ #include <linux/sysfb.h>
+
++static int skip_simpledrm;
++
++static int __init simpledrm_disable(char *opt)
++{
++	if (!opt)
++                return -EINVAL;
++
++	get_option(&opt, &skip_simpledrm);
++
++	if (skip_simpledrm)
++		pr_info("The simpledrm driver will not be probed\n");
++
++	return 0;
++}
++early_param("nvidia-drm.modeset", simpledrm_disable);
++
+ static struct platform_device *pd;
+ static DEFINE_MUTEX(disable_lock);
+ static bool disabled;
+@@ -83,7 +99,7 @@ static __init int sysfb_init(void)
+
+ 	/* try to create a simple-framebuffer device */
+ 	compatible = sysfb_parse_mode(si, &mode);
+-	if (compatible) {
++	if (compatible && !skip_simpledrm) {
+ 		pd = sysfb_create_simplefb(si, &mode);
+ 		if (!IS_ERR(pd))
+ 			goto unlock_mutex;
+diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
+index 84e7ba5314d3..efc96776f761 100644
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -321,21 +321,12 @@ static int rmi_input_event(struct hid_device *hdev, u8 *data, int size)
+ {
+ 	struct rmi_data *hdata = hid_get_drvdata(hdev);
+ 	struct rmi_device *rmi_dev = hdata->xport.rmi_dev;
+-	unsigned long flags;
+
+ 	if (!(test_bit(RMI_STARTED, &hdata->flags)))
+ 		return 0;
+
+-	pm_wakeup_event(hdev->dev.parent, 0);
+-
+-	local_irq_save(flags);
+-
+ 	rmi_set_attn_data(rmi_dev, data[1], &data[2], size - 2);
+
+-	generic_handle_irq(hdata->rmi_irq);
+-
+-	local_irq_restore(flags);
+-
+ 	return 1;
+ }
+
+@@ -591,56 +582,6 @@ static const struct rmi_transport_ops hid_rmi_ops = {
+ 	.reset		= rmi_hid_reset,
+ };
+
+-static void rmi_irq_teardown(void *data)
+-{
+-	struct rmi_data *hdata = data;
+-	struct irq_domain *domain = hdata->domain;
+-
+-	if (!domain)
+-		return;
+-
+-	irq_dispose_mapping(irq_find_mapping(domain, 0));
+-
+-	irq_domain_remove(domain);
+-	hdata->domain = NULL;
+-	hdata->rmi_irq = 0;
+-}
+-
+-static int rmi_irq_map(struct irq_domain *h, unsigned int virq,
+-		       irq_hw_number_t hw_irq_num)
+-{
+-	irq_set_chip_and_handler(virq, &dummy_irq_chip, handle_simple_irq);
+-
+-	return 0;
+-}
+-
+-static const struct irq_domain_ops rmi_irq_ops = {
+-	.map = rmi_irq_map,
+-};
+-
+-static int rmi_setup_irq_domain(struct hid_device *hdev)
+-{
+-	struct rmi_data *hdata = hid_get_drvdata(hdev);
+-	int ret;
+-
+-	hdata->domain = irq_domain_create_linear(hdev->dev.fwnode, 1,
+-						 &rmi_irq_ops, hdata);
+-	if (!hdata->domain)
+-		return -ENOMEM;
+-
+-	ret = devm_add_action_or_reset(&hdev->dev, &rmi_irq_teardown, hdata);
+-	if (ret)
+-		return ret;
+-
+-	hdata->rmi_irq = irq_create_mapping(hdata->domain, 0);
+-	if (hdata->rmi_irq <= 0) {
+-		hid_err(hdev, "Can't allocate an IRQ\n");
+-		return hdata->rmi_irq < 0 ? hdata->rmi_irq : -ENXIO;
+-	}
+-
+-	return 0;
+-}
+-
+ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ {
+ 	struct rmi_data *data = NULL;
+@@ -713,18 +654,11 @@ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
+
+ 	mutex_init(&data->page_mutex);
+
+-	ret = rmi_setup_irq_domain(hdev);
+-	if (ret) {
+-		hid_err(hdev, "failed to allocate IRQ domain\n");
+-		return ret;
+-	}
+-
+ 	if (data->device_flags & RMI_DEVICE_HAS_PHYS_BUTTONS)
+ 		rmi_hid_pdata.gpio_data.disable = true;
+
+ 	data->xport.dev = hdev->dev.parent;
+ 	data->xport.pdata = rmi_hid_pdata;
+-	data->xport.pdata.irq = data->rmi_irq;
+ 	data->xport.proto_name = "hid";
+ 	data->xport.ops = &hid_rmi_ops;
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+index 77bca6932f01..27f5455aef6c 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+@@ -9,6 +9,7 @@
+ #include <linux/init.h>
+ #include <linux/types.h>
+ #include <linux/device.h>
++#include <linux/dmi.h>
+ #include <linux/io.h>
+ #include <linux/err.h>
+ #include <linux/fs.h>
+@@ -2216,6 +2217,16 @@ static const struct amba_id etm4_ids[] = {
+ 	{},
+ };
+
++static const struct dmi_system_id broken_coresight[] = {
++	{
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "HPE"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Apollo 70"),
++		},
++	},
++	{ }	/* terminating entry */
++};
++
+ MODULE_DEVICE_TABLE(amba, etm4_ids);
+
+ static struct amba_driver etm4x_amba_driver = {
+@@ -2249,6 +2260,11 @@ static int __init etm4x_init(void)
+ {
+ 	int ret;
+
++	if (dmi_check_system(broken_coresight)) {
++		pr_info("ETM4 disabled due to firmware bug\n");
++		return 0;
++	}
++
+ 	ret = etm4_pm_setup();
+
+ 	/* etm4_pm_setup() does its own cleanup - exit on error */
+@@ -2275,6 +2291,9 @@ static int __init etm4x_init(void)
+
+ static void __exit etm4x_exit(void)
+ {
++	if (dmi_check_system(broken_coresight))
++		return;
++
+ 	amba_driver_unregister(&etm4x_amba_driver);
+ 	platform_driver_unregister(&etm4_platform_driver);
+ 	etm4_pm_clear();
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index 258d5fe3d395..f7298e3dc8f3 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -182,34 +182,47 @@ void rmi_set_attn_data(struct rmi_device *rmi_dev, unsigned long irq_status,
+ 	attn_data.data = fifo_data;
+
+ 	kfifo_put(&drvdata->attn_fifo, attn_data);
++
++	schedule_work(&drvdata->attn_work);
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
+
+-static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
++static void attn_callback(struct work_struct *work)
+ {
+-	struct rmi_device *rmi_dev = dev_id;
+-	struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
++	struct rmi_driver_data *drvdata = container_of(work,
++							struct rmi_driver_data,
++							attn_work);
+ 	struct rmi4_attn_data attn_data = {0};
+ 	int ret, count;
+
+ 	count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+-	if (count) {
+-		*(drvdata->irq_status) = attn_data.irq_status;
+-		drvdata->attn_data = attn_data;
+-	}
++	if (!count)
++		return;
+
+-	ret = rmi_process_interrupt_requests(rmi_dev);
++	*(drvdata->irq_status) = attn_data.irq_status;
++	drvdata->attn_data = attn_data;
++
++	ret = rmi_process_interrupt_requests(drvdata->rmi_dev);
+ 	if (ret)
+-		rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++		rmi_dbg(RMI_DEBUG_CORE, &drvdata->rmi_dev->dev,
+ 			"Failed to process interrupt request: %d\n", ret);
+
+-	if (count) {
+-		kfree(attn_data.data);
+-		drvdata->attn_data.data = NULL;
+-	}
++	kfree(attn_data.data);
++	drvdata->attn_data.data = NULL;
+
+ 	if (!kfifo_is_empty(&drvdata->attn_fifo))
+-		return rmi_irq_fn(irq, dev_id);
++		schedule_work(&drvdata->attn_work);
++}
++
++static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
++{
++	struct rmi_device *rmi_dev = dev_id;
++	int ret;
++
++	ret = rmi_process_interrupt_requests(rmi_dev);
++	if (ret)
++		rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++			"Failed to process interrupt request: %d\n", ret);
+
+ 	return IRQ_HANDLED;
+ }
+@@ -217,7 +230,6 @@ static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
+ static int rmi_irq_init(struct rmi_device *rmi_dev)
+ {
+ 	struct rmi_device_platform_data *pdata = rmi_get_platform_data(rmi_dev);
+-	struct rmi_driver_data *data = dev_get_drvdata(&rmi_dev->dev);
+ 	int irq_flags = irq_get_trigger_type(pdata->irq);
+ 	int ret;
+
+@@ -235,8 +247,6 @@ static int rmi_irq_init(struct rmi_device *rmi_dev)
+ 		return ret;
+ 	}
+
+-	data->enabled = true;
+-
+ 	return 0;
+ }
+
+@@ -886,23 +896,27 @@ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+ 	if (data->enabled)
+ 		goto out;
+
+-	enable_irq(irq);
+-	data->enabled = true;
+-	if (clear_wake && device_may_wakeup(rmi_dev->xport->dev)) {
+-		retval = disable_irq_wake(irq);
+-		if (retval)
+-			dev_warn(&rmi_dev->dev,
+-				 "Failed to disable irq for wake: %d\n",
+-				 retval);
+-	}
++	if (irq) {
++		enable_irq(irq);
++		data->enabled = true;
++		if (clear_wake && device_may_wakeup(rmi_dev->xport->dev)) {
++			retval = disable_irq_wake(irq);
++			if (retval)
++				dev_warn(&rmi_dev->dev,
++					 "Failed to disable irq for wake: %d\n",
++					 retval);
++		}
+
+-	/*
+-	 * Call rmi_process_interrupt_requests() after enabling irq,
+-	 * otherwise we may lose interrupt on edge-triggered systems.
+-	 */
+-	irq_flags = irq_get_trigger_type(pdata->irq);
+-	if (irq_flags & IRQ_TYPE_EDGE_BOTH)
+-		rmi_process_interrupt_requests(rmi_dev);
++		/*
++		 * Call rmi_process_interrupt_requests() after enabling irq,
++		 * otherwise we may lose interrupt on edge-triggered systems.
++		 */
++		irq_flags = irq_get_trigger_type(pdata->irq);
++		if (irq_flags & IRQ_TYPE_EDGE_BOTH)
++			rmi_process_interrupt_requests(rmi_dev);
++	} else {
++		data->enabled = true;
++	}
+
+ out:
+ 	mutex_unlock(&data->enabled_mutex);
+@@ -922,20 +936,22 @@ void rmi_disable_irq(struct rmi_device *rmi_dev, bool enable_wake)
+ 		goto out;
+
+ 	data->enabled = false;
+-	disable_irq(irq);
+-	if (enable_wake && device_may_wakeup(rmi_dev->xport->dev)) {
+-		retval = enable_irq_wake(irq);
+-		if (retval)
+-			dev_warn(&rmi_dev->dev,
+-				 "Failed to enable irq for wake: %d\n",
+-				 retval);
+-	}
+-
+-	/* make sure the fifo is clean */
+-	while (!kfifo_is_empty(&data->attn_fifo)) {
+-		count = kfifo_get(&data->attn_fifo, &attn_data);
+-		if (count)
+-			kfree(attn_data.data);
++	if (irq) {
++		disable_irq(irq);
++		if (enable_wake && device_may_wakeup(rmi_dev->xport->dev)) {
++			retval = enable_irq_wake(irq);
++			if (retval)
++				dev_warn(&rmi_dev->dev,
++					 "Failed to enable irq for wake: %d\n",
++					 retval);
++		}
++	} else {
++		/* make sure the fifo is clean */
++		while (!kfifo_is_empty(&data->attn_fifo)) {
++			count = kfifo_get(&data->attn_fifo, &attn_data);
++			if (count)
++				kfree(attn_data.data);
++		}
+ 	}
+
+ out:
+@@ -981,6 +997,8 @@ static int rmi_driver_remove(struct device *dev)
+ 	irq_domain_remove(data->irqdomain);
+ 	data->irqdomain = NULL;
+
++	cancel_work_sync(&data->attn_work);
++
+ 	rmi_f34_remove_sysfs(rmi_dev);
+ 	rmi_free_function_list(rmi_dev);
+
+@@ -1219,9 +1237,15 @@ static int rmi_driver_probe(struct device *dev)
+ 		}
+ 	}
+
+-	retval = rmi_irq_init(rmi_dev);
+-	if (retval < 0)
+-		goto err_destroy_functions;
++	if (pdata->irq) {
++		retval = rmi_irq_init(rmi_dev);
++		if (retval < 0)
++			goto err_destroy_functions;
++	}
++
++	data->enabled = true;
++
++	INIT_WORK(&data->attn_work, attn_callback);
+
+ 	if (data->f01_container->dev.driver) {
+ 		/* Driver already bound, so enable ATTN now. */
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index f8100067502f..e0823c45e2fa 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -8,6 +8,7 @@
+
+ #include <linux/amba/bus.h>
+ #include <linux/device.h>
++#include <linux/dmi.h>
+ #include <linux/kernel.h>
+ #include <linux/bits.h>
+ #include <linux/bug.h>
+@@ -2813,6 +2814,27 @@ int iommu_dev_disable_feature(struct device *dev, enum iommu_dev_features feat)
+ }
+ EXPORT_SYMBOL_GPL(iommu_dev_disable_feature);
+
++#ifdef CONFIG_ARM64
++static int __init iommu_quirks(void)
++{
++	const char *vendor, *name;
++
++	vendor = dmi_get_system_info(DMI_SYS_VENDOR);
++	name = dmi_get_system_info(DMI_PRODUCT_NAME);
++
++	if (vendor &&
++	    (strncmp(vendor, "GIGABYTE", 8) == 0 && name &&
++	     (strncmp(name, "R120", 4) == 0 ||
++	      strncmp(name, "R270", 4) == 0))) {
++		pr_warn("Gigabyte %s detected, force iommu passthrough mode", name);
++		iommu_def_domain_type = IOMMU_DOMAIN_IDENTITY;
++	}
++
++	return 0;
++}
++arch_initcall(iommu_quirks);
++#endif
++
+ /*
+  * Changes the default domain of an iommu group that has *only* one device
+  *
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 494fa46f5767..27bc8dd45ad8 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4296,6 +4296,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9084,
+ 				quirk_bridge_cavm_thrx2_pcie_root);
+
++/*
++ * PCI BAR 5 is not setup correctly for the on-board AHCI controller
++ * on Broadcom's Vulcan processor. Added a quirk to fix BAR 5 by
++ * using BAR 4's resources which are populated correctly and NOT
++ * actually used by the AHCI controller.
++ */
++static void quirk_fix_vulcan_ahci_bars(struct pci_dev *dev)
++{
++	struct resource *r =  &dev->resource[4];
++
++	if (!(r->flags & IORESOURCE_MEM) || (r->start == 0))
++		return;
++
++	/* Set BAR5 resource to BAR4 */
++	dev->resource[5] = *r;
++
++	/* Update BAR5 in pci config space */
++	pci_write_config_dword(dev, PCI_BASE_ADDRESS_5, r->start);
++
++	/* Clear BAR4's resource */
++	memset(r, 0, sizeof(*r));
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9027, quirk_fix_vulcan_ahci_bars);
++
+ /*
+  * Intersil/Techwell TW686[4589]-based video capture cards have an empty (zero)
+  * class code.  Fix it.
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 97a0f8faea6e..d837548d2024 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5734,6 +5734,13 @@ static void hub_event(struct work_struct *work)
+ 			(u16) hub->change_bits[0],
+ 			(u16) hub->event_bits[0]);
+
++	/* Don't disconnect USB-SATA on TrimSlice */
++	if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
++		if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
++				(hub->event_bits[0] == 0x2))
++			hub->event_bits[0] = 0;
++	}
++
+ 	/* Lock the device, then check to see if we were
+ 	 * disconnected while waiting for the lock to succeed. */
+ 	usb_lock_device(hdev);
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 98598bd1d2fa..34a6233fabaf 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -43,6 +43,8 @@
+ #define EFI_ABORTED		(21 | (1UL << (BITS_PER_LONG-1)))
+ #define EFI_SECURITY_VIOLATION	(26 | (1UL << (BITS_PER_LONG-1)))
+
++#define EFI_IS_ERROR(x)		((x) & (1UL << (BITS_PER_LONG-1)))
++
+ typedef unsigned long efi_status_t;
+ typedef u8 efi_bool_t;
+ typedef u16 efi_char16_t;		/* UNICODE character */
+@@ -851,6 +853,14 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_MEM_ATTR		10	/* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+ #define EFI_MEM_NO_SOFT_RESERVE	11	/* Is the kernel configured to ignore soft reservations? */
+ #define EFI_PRESERVE_BS_REGIONS	12	/* Are EFI boot-services memory segments available? */
++#define EFI_SECURE_BOOT		13	/* Are we in Secure Boot mode? */
++
++enum efi_secureboot_mode {
++	efi_secureboot_mode_unset,
++	efi_secureboot_mode_unknown,
++	efi_secureboot_mode_disabled,
++	efi_secureboot_mode_enabled,
++};
+
+ #ifdef CONFIG_EFI
+ /*
+@@ -862,6 +872,8 @@ static inline bool efi_enabled(int feature)
+ }
+ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+
++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
++
+ bool __pure __efi_soft_reserve_enabled(void);
+
+ static inline bool __pure efi_soft_reserve_enabled(void)
+@@ -883,6 +895,8 @@ static inline bool efi_enabled(int feature)
+ static inline void
+ efi_reboot(enum reboot_mode reboot_mode, const char *__unused) {}
+
++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
++
+ static inline bool efi_soft_reserve_enabled(void)
+ {
+ 	return false;
+@@ -897,6 +911,7 @@ static inline void efi_find_mirror(void) {}
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
++extern const char *efi_status_to_str(efi_status_t status);
+
+ /*
+  * Variable Attributes
+@@ -1099,13 +1114,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
+ extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+ extern unsigned long efi_call_virt_save_flags(void);
+
+-enum efi_secureboot_mode {
+-	efi_secureboot_mode_unset,
+-	efi_secureboot_mode_unknown,
+-	efi_secureboot_mode_disabled,
+-	efi_secureboot_mode_enabled,
+-};
+-
+ static inline
+ enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
+ {
+diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
+index ed6cb2ac55fa..72fb26d13f28 100644
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -403,6 +403,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
+ #endif /* CONFIG_BPF_SYSCALL */
+
+ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
++LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
++
+
+ #ifdef CONFIG_PERF_EVENTS
+ LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 0a5ba81f7367..39826de8d680 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1618,6 +1618,12 @@
+  *	@what: kernel feature being accessed.
+  *	Return 0 if permission is granted.
+  *
++ * @lock_kernel_down
++ * 	Put the kernel into lock-down mode.
++ *
++ * 	@where: Where the lock-down is originating from (e.g. command line option)
++ * 	@level: The lock-down level (can only increase)
++ *
+  * Security hooks for perf events
+  *
+  * @perf_event_open:
+diff --git a/include/linux/rh_kabi.h b/include/linux/rh_kabi.h
+new file mode 100644
+index 000000000000..c7b42c1f1681
+--- /dev/null
++++ b/include/linux/rh_kabi.h
+@@ -0,0 +1,515 @@
++/*
++ * rh_kabi.h - Red Hat kABI abstraction header
++ *
++ * Copyright (c) 2014 Don Zickus
++ * Copyright (c) 2015-2020 Jiri Benc
++ * Copyright (c) 2015 Sabrina Dubroca, Hannes Frederic Sowa
++ * Copyright (c) 2016-2018 Prarit Bhargava
++ * Copyright (c) 2017 Paolo Abeni, Larry Woodman
++ *
++ * This file is released under the GPLv2.
++ * See the file COPYING for more details.
++ *
++ * These kabi macros hide the changes from the kabi checker and from the
++ * process that computes the exported symbols' checksums.
++ * They have 2 variants: one (defined under __GENKSYMS__) used when
++ * generating the checksums, and the other used when building the kernel's
++ * binaries.
++ *
++ * The use of these macros does not guarantee that the usage and modification
++ * of code is correct.  As with all Red Hat only changes, an engineer must
++ * explain why the use of the macro is valid in the patch containing the
++ * changes.
++ *
++ */
++
++#ifndef _LINUX_RH_KABI_H
++#define _LINUX_RH_KABI_H
++
++#include <linux/kconfig.h>
++#include <linux/compiler.h>
++#include <linux/stringify.h>
++
++/*
++ * NOTE
++ *   Unless indicated otherwise, don't use ';' after these macros as it
++ *   messes up the kABI checker by changing what the resulting token string
++ *   looks like.  Instead let the macros add the ';' so it can be properly
++ *   hidden from the kABI checker (mainly for RH_KABI_EXTEND, but applied to
++ *   most macros for uniformity).
++ *
++ *
++ * RH_KABI_CONST
++ *   Adds a new const modifier to a function parameter preserving the old
++ *   checksum.
++ *
++ * RH_KABI_ADD_MODIFIER
++ *   Adds a new modifier to a function parameter or a typedef, preserving
++ *   the old checksum.  Useful e.g. for adding rcu annotations or changing
++ *   int to unsigned.  Beware that this may change the semantics; if you're
++ *   sure this is safe, always explain why binary compatibility with 3rd
++ *   party modules is retained.
++ *
++ * RH_KABI_DEPRECATE
++ *   Marks the element as deprecated and make it unusable by modules while
++ *   keeping a hole in its place to preserve binary compatibility.
++ *
++ * RH_KABI_DEPRECATE_FN
++ *   Marks the function pointer as deprecated and make it unusable by modules
++ *   while keeping a hole in its place to preserve binary compatibility.
++ *
++ * RH_KABI_EXTEND
++ *   Adds a new field to a struct.  This must always be added to the end of
++ *   the struct.  Before using this macro, make sure this is actually safe
++ *   to do - there is a number of conditions under which it is *not* safe.
++ *   In particular (but not limited to), this macro cannot be used:
++ *   - if the struct in question is embedded in another struct, or
++ *   - if the struct is allocated by drivers either statically or
++ *     dynamically, or
++ *   - if the struct is allocated together with driver data (an example of
++ *     such behavior is struct net_device or struct request).
++ *
++ * RH_KABI_EXTEND_WITH_SIZE
++ *   Adds a new element (usually a struct) to a struct and reserves extra
++ *   space for the new element.  The provided 'size' is the total space to
++ *   be added in longs (i.e. it's 8 * 'size' bytes), including the size of
++ *   the added element.  It is automatically checked that the new element
++ *   does not overflow the reserved space, now nor in the future. However,
++ *   no attempt is done to check the content of the added element (struct)
++ *   for kABI conformance - kABI checking inside the added element is
++ *   effectively switched off.
++ *   For any struct being added by RH_KABI_EXTEND_WITH_SIZE, it is
++ *   recommended its content to be documented as not covered by kABI
++ *   guarantee.
++ *
++ * RH_KABI_FILL_HOLE
++ *   Fills a hole in a struct.
++ *
++ *   Warning: only use if a hole exists for _all_ arches.  Use pahole to verify.
++ *
++ * RH_KABI_RENAME
++ *   Renames an element without changing its type.  This macro can be used in
++ *   bitfields, for example.
++ *
++ *   NOTE: this macro does not add the final ';'
++ *
++ * RH_KABI_REPLACE
++ *   Replaces the _orig field by the _new field.  The size of the occupied
++ *   space is preserved, it's fine if the _new field is smaller than the
++ *   _orig field.  If a _new field is larger or has a different alignment,
++ *   compilation will abort.
++ *
++ * RH_KABI_REPLACE_SPLIT
++ *   Works the same as RH_KABI_REPLACE but replaces a single _orig field by
++ *   multiple new fields.  The checks for size and alignment done by
++ *   RH_KABI_REPLACE are still applied.
++ *
++ * RH_KABI_HIDE_INCLUDE
++ *   Hides the given include file from kABI checksum computations.  This is
++ *   used when a newly added #include makes a previously opaque struct
++ *   visible.
++ *
++ *   Example usage:
++ *   #include RH_KABI_HIDE_INCLUDE(<linux/poll.h>)
++ *
++ * RH_KABI_FAKE_INCLUDE
++ *   Pretends inclusion of the given file for kABI checksum computations.
++ *   This is used when upstream removed a particular #include but that made
++ *   some structures opaque that were previously visible and is causing kABI
++ *   checker failures.
++ *
++ *   Example usage:
++ *   #include RH_KABI_FAKE_INCLUDE(<linux/rhashtable.h>)
++ *
++ * RH_KABI_RESERVE
++ *   Adds a reserved field to a struct.  This is done prior to kABI freeze
++ *   for structs that cannot be expanded later using RH_KABI_EXTEND (for
++ *   example because they are embedded in another struct or because they are
++ *   allocated by drivers or because they use unusual memory layout).  The
++ *   size of the reserved field is 'unsigned long' and is assumed to be
++ *   8 bytes.
++ *
++ *   The argument is a number unique for the given struct; usually, multiple
++ *   RH_KABI_RESERVE macros are added to a struct with numbers starting from
++ *   one.
++ *
++ *   Example usage:
++ *   struct foo {
++ *           int a;
++ *           RH_KABI_RESERVE(1)
++ *           RH_KABI_RESERVE(2)
++ *           RH_KABI_RESERVE(3)
++ *           RH_KABI_RESERVE(4)
++ *   };
++ *
++ * RH_KABI_USE
++ *   Uses a previously reserved field or multiple fields.  The arguments are
++ *   one or more numbers assigned to RH_KABI_RESERVE, followed by a field to
++ *   be put in their place.  The compiler ensures that the new field is not
++ *   larger than the reserved area.
++ *
++ *   Example usage:
++ *   struct foo {
++ *           int a;
++ *           RH_KABI_USE(1, int b)
++ *           RH_KABI_USE(2, 3, int c[3])
++ *           RH_KABI_RESERVE(4)
++ *   };
++ *
++ * RH_KABI_USE_SPLIT
++ *   Works the same as RH_KABI_USE but replaces a single reserved field by
++ *   multiple new fields.
++ *
++ * RH_KABI_AUX_EMBED
++ * RH_KABI_AUX_PTR
++ *   Adds an extenstion of a struct in the form of "auxiliary structure".
++ *   This is done prior to kABI freeze for structs that cannot be expanded
++ *   later using RH_KABI_EXTEND.  See also RH_KABI_RESERVED, these two
++ *   approaches can (and often are) combined.
++ *
++ *   To use this for 'struct foo' (the "base structure"), define a new
++ *   structure called 'struct foo_rh'; this new struct is called "auxiliary
++ *   structure".  Then add RH_KABI_AUX_EMBED or RH_KABI_AUX_PTR to the end
++ *   of the base structure.  The argument is the name of the base structure,
++ *   without the 'struct' keyword.
++ *
++ *   RH_KABI_AUX_PTR stores a pointer to the aux structure in the base
++ *   struct.  The lifecycle of the aux struct needs to be properly taken
++ *   care of.
++ *
++ *   RH_KABI_AUX_EMBED embeds the aux struct into the base struct.  This
++ *   cannot be used when the base struct is itself embedded into another
++ *   struct, allocated in an array, etc.
++ *
++ *   Both approaches (ptr and embed) work correctly even when the aux struct
++ *   is allocated by modules.  To ensure this, the code responsible for
++ *   allocation/assignment of the aux struct has to properly set the size of
++ *   the aux struct; see the RH_KABI_AUX_SET_SIZE and RH_KABI_AUX_INIT_SIZE
++ *   macros.
++ *
++ *   New fields can be later added to the auxiliary structure, always to its
++ *   end.  Note the auxiliary structure cannot be shrunk in size later (i.e.,
++ *   fields cannot be removed, only deprecated).  Any code accessing fields
++ *   from the aux struct must guard the access using the RH_KABI_AUX macro.
++ *   The access itself is then done via a '_rh' field in the base struct.
++ *
++ *   The auxiliary structure is not guaranteed for access by modules unless
++ *   explicitly commented as such in the declaration of the aux struct
++ *   itself or some of its elements.
++ *
++ *   Example:
++ *
++ *   struct foo_rh {
++ *           int newly_added;
++ *   };
++ *
++ *   struct foo {
++ *           bool big_hammer;
++ *           RH_KABI_AUX_PTR(foo)
++ *   };
++ *
++ *   void use(struct foo *f)
++ *   {
++ *           if (RH_KABI_AUX(f, foo, newly_added))
++ *                   f->_rh->newly_added = 123;
++ *	     else
++ *	             // the field 'newly_added' is not present in the passed
++ *	             // struct, fall back to old behavior
++ *	             f->big_hammer = true;
++ *   }
++ *
++ *   static struct foo_rh my_foo_rh {
++ *           .newly_added = 0;
++ *   }
++ *
++ *   static struct foo my_foo = {
++ *           .big_hammer = false,
++ *           ._rh = &my_foo_rh,
++ *           RH_KABI_AUX_INIT_SIZE(foo)
++ *   };
++ *
++ * RH_KABI_USE_AUX_PTR
++ *   Creates an auxiliary structure post kABI freeze.  This works by using
++ *   two reserved fields (thus there has to be two reserved fields still
++ *   available) and converting them to RH_KABI_AUX_PTR.
++ *
++ *   Example:
++ *
++ *   struct foo_rh {
++ *   };
++ *
++ *   struct foo {
++ *           int a;
++ *           RH_KABI_RESERVE(1)
++ *           RH_KABI_USE_AUX_PTR(2, 3, foo)
++ *   };
++ *
++ * RH_KABI_AUX_SET_SIZE
++ * RH_KABI_AUX_INIT_SIZE
++ *   Calculates and stores the size of the auxiliary structure.
++ *
++ *   RH_KABI_AUX_SET_SIZE is for dynamically allocated base structs,
++ *   RH_KABI_AUX_INIT_SIZE is for statically allocated case structs.
++ *
++ *   These macros must be called from the allocation (RH_KABI_AUX_SET_SIZE)
++ *   or declaration (RH_KABI_AUX_INIT_SIZE) site, regardless of whether
++ *   that happens in the kernel or in a module.  Without calling one of
++ *   these macros, the aux struct will appear to have no fields to the
++ *   kernel.
++ *
++ *   Note: since RH_KABI_AUX_SET_SIZE is intended to be invoked outside of
++ *   a struct definition, it does not add the semicolon and must be
++ *   terminated by semicolon by the caller.
++ *
++ * RH_KABI_AUX
++ *   Verifies that the given field exists in the given auxiliary structure.
++ *   This MUST be called prior to accessing that field; failing to do that
++ *   may lead to invalid memory access.
++ *
++ *   The first argument is a pointer to the base struct, the second argument
++ *   is the name of the base struct (without the 'struct' keyword), the
++ *   third argument is the field name.
++ *
++ *   This macro works for structs extended by either of RH_KABI_AUX_EMBED,
++ *   RH_KABI_AUX_PTR and RH_KABI_USE_AUX_PTR.
++ *
++ * RH_KABI_FORCE_CHANGE
++ *   Force change of the symbol checksum.  The argument of the macro is a
++ *   version for cases we need to do this more than once.
++ *
++ *   This macro does the opposite: it changes the symbol checksum without
++ *   actually changing anything about the exported symbol.  It is useful for
++ *   symbols that are not whitelisted, we're changing them in an
++ *   incompatible way and want to prevent 3rd party modules to silently
++ *   corrupt memory.  Instead, by changing the symbol checksum, such modules
++ *   won't be loaded by the kernel.  This macro should only be used as a
++ *   last resort when all other KABI workarounds have failed.
++ *
++ * RH_KABI_EXCLUDE
++ *   !!! WARNING: DANGEROUS, DO NOT USE unless you are aware of all the !!!
++ *   !!! implications. This should be used ONLY EXCEPTIONALLY and only  !!!
++ *   !!! under specific circumstances. Very likely, this macro does not !!!
++ *   !!! do what you expect it to do. Note that any usage of this macro !!!
++ *   !!! MUST be paired with a RH_KABI_FORCE_CHANGE annotation of       !!!
++ *   !!! a suitable symbol (or an equivalent safeguard) and the commit  !!!
++ *   !!! log MUST explain why the chosen solution is appropriate.       !!!
++ *
++ *   Exclude the element from checksum generation.  Any such element is
++ *   considered not to be part of the kABI whitelist and may be changed at
++ *   will.  Note however that it's the responsibility of the developer
++ *   changing the element to ensure 3rd party drivers using this element
++ *   won't panic, for example by not allowing them to be loaded.  That can
++ *   be achieved by changing another, non-whitelisted symbol they use,
++ *   either by nature of the change or by using RH_KABI_FORCE_CHANGE.
++ *
++ *   Also note that any change to the element must preserve its size. Change
++ *   of the size is not allowed and would constitute a silent kABI breakage.
++ *   Beware that the RH_KABI_EXCLUDE macro does not do any size checks.
++ *
++ * RH_KABI_BROKEN_INSERT
++ * RH_KABI_BROKEN_REMOVE
++ *   Insert a field to the middle of a struct / delete a field from a struct.
++ *   Note that this breaks kABI! It can be done only when it's certain that
++ *   no 3rd party driver can validly reach into the struct.  A typical
++ *   example is a struct that is:  both (a) referenced only through a long
++ *   chain of pointers from another struct that is part of a whitelisted
++ *   symbol and (b) kernel internal only, it should have never been visible
++ *   to genksyms in the first place.
++ *
++ *   Another example are structs that are explicitly exempt from kABI
++ *   guarantee but we did not have enough foresight to use RH_KABI_EXCLUDE.
++ *   In this case, the warning for RH_KABI_EXCLUDE applies.
++ *
++ *   A detailed explanation of correctness of every RH_KABI_BROKEN_* macro
++ *   use is especially important.
++ *
++ * RH_KABI_BROKEN_INSERT_BLOCK
++ * RH_KABI_BROKEN_REMOVE_BLOCK
++ *   A version of RH_KABI_BROKEN_INSERT / REMOVE that allows multiple fields
++ *   to be inserted or removed together.  All fields need to be terminated
++ *   by ';' inside(!) the macro parameter.  The macro itself must not be
++ *   terminated by ';'.
++ *
++ * RH_KABI_BROKEN_REPLACE
++ *   Replace a field by a different one without doing any checking.  This
++ *   allows replacing a field by another with a different size.  Similarly
++ *   to other RH_KABI_BROKEN macros, use of this indicates a kABI breakage.
++ *
++ * RH_KABI_BROKEN_INSERT_ENUM
++ * RH_KABI_BROKEN_REMOVE_ENUM
++ *   Insert a field to the middle of an enumaration type / delete a field from
++ *   an enumaration type. Note that this can break kABI especially if the
++ *   number of enum fields is used in an array within a structure. It can be
++ *   done only when it is certain that no 3rd party driver will use the
++ *   enumeration type or a structure that embeds an array with size determined
++ *   by an enumeration type.
++ *
++ * RH_KABI_EXTEND_ENUM
++ *   Adds a new field to an enumeration type.  This must always be added to
++ *   the end of the enum.  Before using this macro, make sure this is actually
++ *   safe to do.
++ */
++
++#undef linux
++#define linux linux
++
++#ifdef __GENKSYMS__
++
++# define RH_KABI_CONST
++# define RH_KABI_ADD_MODIFIER(_new)
++# define RH_KABI_EXTEND(_new)
++# define RH_KABI_FILL_HOLE(_new)
++# define RH_KABI_FORCE_CHANGE(ver)		__attribute__((rh_kabi_change ## ver))
++# define RH_KABI_RENAME(_orig, _new)		_orig
++# define RH_KABI_HIDE_INCLUDE(_file)		<linux/rh_kabi.h>
++# define RH_KABI_FAKE_INCLUDE(_file)		_file
++# define RH_KABI_BROKEN_INSERT(_new)
++# define RH_KABI_BROKEN_REMOVE(_orig)		_orig;
++# define RH_KABI_BROKEN_INSERT_BLOCK(_new)
++# define RH_KABI_BROKEN_REMOVE_BLOCK(_orig)	_orig
++# define RH_KABI_BROKEN_REPLACE(_orig, _new)	_orig;
++# define RH_KABI_BROKEN_INSERT_ENUM(_new)
++# define RH_KABI_BROKEN_REMOVE_ENUM(_orig)	_orig,
++# define RH_KABI_EXTEND_ENUM(_new)
++
++# define _RH_KABI_DEPRECATE(_type, _orig)	_type _orig
++# define _RH_KABI_DEPRECATE_FN(_type, _orig, _args...)	_type (*_orig)(_args)
++# define _RH_KABI_REPLACE(_orig, _new)		_orig
++# define _RH_KABI_EXCLUDE(_elem)
++
++#else
++
++# define RH_KABI_ALIGN_WARNING ".  Disable CONFIG_RH_KABI_SIZE_ALIGN_CHECKS if debugging."
++
++# define RH_KABI_CONST				const
++# define RH_KABI_ADD_MODIFIER(_new)		_new
++# define RH_KABI_EXTEND(_new)			_new;
++# define RH_KABI_FILL_HOLE(_new)		_new;
++# define RH_KABI_FORCE_CHANGE(ver)
++# define RH_KABI_RENAME(_orig, _new)		_new
++# define RH_KABI_HIDE_INCLUDE(_file)		_file
++# define RH_KABI_FAKE_INCLUDE(_file)		<linux/rh_kabi.h>
++# define RH_KABI_BROKEN_INSERT(_new)		_new;
++# define RH_KABI_BROKEN_REMOVE(_orig)
++# define RH_KABI_BROKEN_INSERT_BLOCK(_new)	_new
++# define RH_KABI_BROKEN_REMOVE_BLOCK(_orig)
++# define RH_KABI_BROKEN_REPLACE(_orig, _new)	_new;
++# define RH_KABI_BROKEN_INSERT_ENUM(_new)	_new,
++# define RH_KABI_BROKEN_REMOVE_ENUM(_orig)
++# define RH_KABI_EXTEND_ENUM(_new)		_new,
++
++#if IS_BUILTIN(CONFIG_RH_KABI_SIZE_ALIGN_CHECKS)
++# define __RH_KABI_CHECK_SIZE_ALIGN(_orig, _new)			\
++	union {								\
++		_Static_assert(sizeof(struct{_new;}) <= sizeof(struct{_orig;}), \
++			       __FILE__ ":" __stringify(__LINE__) ": "  __stringify(_new) " is larger than " __stringify(_orig) RH_KABI_ALIGN_WARNING); \
++		_Static_assert(__alignof__(struct{_new;}) <= __alignof__(struct{_orig;}), \
++			       __FILE__ ":" __stringify(__LINE__) ": "  __stringify(_orig) " is not aligned the same as " __stringify(_new) RH_KABI_ALIGN_WARNING); \
++	}
++# define __RH_KABI_CHECK_SIZE(_item, _size)				\
++	_Static_assert(sizeof(struct{_item;}) <= _size,			\
++		       __FILE__ ":" __stringify(__LINE__) ": " __stringify(_item) " is larger than the reserved size (" __stringify(_size) " bytes)" RH_KABI_ALIGN_WARNING)
++#else
++# define __RH_KABI_CHECK_SIZE_ALIGN(_orig, _new)
++# define __RH_KABI_CHECK_SIZE(_item, _size)
++#endif
++
++#define RH_KABI_UNIQUE_ID	__PASTE(rh_kabi_hidden_, __LINE__)
++
++# define _RH_KABI_DEPRECATE(_type, _orig)	_type rh_reserved_##_orig
++# define _RH_KABI_DEPRECATE_FN(_type, _orig, _args...)  \
++	_type (* rh_reserved_##_orig)(_args)
++# define _RH_KABI_REPLACE(_orig, _new)			  \
++	union {						  \
++		_new;					  \
++		struct {				  \
++			_orig;				  \
++		} RH_KABI_UNIQUE_ID;			  \
++		__RH_KABI_CHECK_SIZE_ALIGN(_orig, _new);  \
++	}
++
++# define _RH_KABI_EXCLUDE(_elem)		_elem
++
++#endif /* __GENKSYMS__ */
++
++# define RH_KABI_DEPRECATE(_type, _orig)	_RH_KABI_DEPRECATE(_type, _orig);
++# define RH_KABI_DEPRECATE_FN(_type, _orig, _args...)  \
++	_RH_KABI_DEPRECATE_FN(_type, _orig, _args);
++# define RH_KABI_REPLACE(_orig, _new)		_RH_KABI_REPLACE(_orig, _new);
++
++#define _RH_KABI_REPLACE1(_new)		_new;
++#define _RH_KABI_REPLACE2(_new, ...)	_new; _RH_KABI_REPLACE1(__VA_ARGS__)
++#define _RH_KABI_REPLACE3(_new, ...)	_new; _RH_KABI_REPLACE2(__VA_ARGS__)
++#define _RH_KABI_REPLACE4(_new, ...)	_new; _RH_KABI_REPLACE3(__VA_ARGS__)
++#define _RH_KABI_REPLACE5(_new, ...)	_new; _RH_KABI_REPLACE4(__VA_ARGS__)
++#define _RH_KABI_REPLACE6(_new, ...)	_new; _RH_KABI_REPLACE5(__VA_ARGS__)
++#define _RH_KABI_REPLACE7(_new, ...)	_new; _RH_KABI_REPLACE6(__VA_ARGS__)
++#define _RH_KABI_REPLACE8(_new, ...)	_new; _RH_KABI_REPLACE7(__VA_ARGS__)
++#define _RH_KABI_REPLACE9(_new, ...)	_new; _RH_KABI_REPLACE8(__VA_ARGS__)
++#define _RH_KABI_REPLACE10(_new, ...)	_new; _RH_KABI_REPLACE9(__VA_ARGS__)
++#define _RH_KABI_REPLACE11(_new, ...)	_new; _RH_KABI_REPLACE10(__VA_ARGS__)
++#define _RH_KABI_REPLACE12(_new, ...)	_new; _RH_KABI_REPLACE11(__VA_ARGS__)
++
++#define RH_KABI_REPLACE_SPLIT(_orig, ...)	_RH_KABI_REPLACE(_orig, \
++		struct { __PASTE(_RH_KABI_REPLACE, COUNT_ARGS(__VA_ARGS__))(__VA_ARGS__) });
++
++# define RH_KABI_RESERVE(n)		_RH_KABI_RESERVE(n);
++
++#define _RH_KABI_USE1(n, _new)	_RH_KABI_RESERVE(n), _new
++#define _RH_KABI_USE2(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE1(__VA_ARGS__)
++#define _RH_KABI_USE3(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE2(__VA_ARGS__)
++#define _RH_KABI_USE4(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE3(__VA_ARGS__)
++#define _RH_KABI_USE5(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE4(__VA_ARGS__)
++#define _RH_KABI_USE6(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE5(__VA_ARGS__)
++#define _RH_KABI_USE7(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE6(__VA_ARGS__)
++#define _RH_KABI_USE8(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE7(__VA_ARGS__)
++#define _RH_KABI_USE9(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE8(__VA_ARGS__)
++#define _RH_KABI_USE10(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE9(__VA_ARGS__)
++#define _RH_KABI_USE11(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE10(__VA_ARGS__)
++#define _RH_KABI_USE12(n, ...)	_RH_KABI_RESERVE(n); _RH_KABI_USE11(__VA_ARGS__)
++
++#define _RH_KABI_USE(...)	_RH_KABI_REPLACE(__VA_ARGS__)
++#define RH_KABI_USE(n, ...)	_RH_KABI_USE(__PASTE(_RH_KABI_USE, COUNT_ARGS(__VA_ARGS__))(n, __VA_ARGS__));
++
++# define RH_KABI_USE_SPLIT(n, ...)	RH_KABI_REPLACE_SPLIT(_RH_KABI_RESERVE(n), __VA_ARGS__)
++
++# define _RH_KABI_RESERVE(n)		unsigned long rh_reserved##n
++
++#define RH_KABI_EXCLUDE(_elem)		_RH_KABI_EXCLUDE(_elem);
++
++#define RH_KABI_EXTEND_WITH_SIZE(_new, _size)				\
++	RH_KABI_EXTEND(union {						\
++		_new;							\
++		unsigned long RH_KABI_UNIQUE_ID[_size];			\
++		__RH_KABI_CHECK_SIZE(_new, 8 * (_size));		\
++	})
++
++#define _RH_KABI_AUX_PTR(_struct)					\
++	size_t _struct##_size_rh;					\
++	_RH_KABI_EXCLUDE(struct _struct##_rh *_rh)
++#define RH_KABI_AUX_PTR(_struct)					\
++	_RH_KABI_AUX_PTR(_struct);
++
++#define _RH_KABI_AUX_EMBED(_struct)					\
++	size_t _struct##_size_rh;					\
++	_RH_KABI_EXCLUDE(struct _struct##_rh _rh)
++#define RH_KABI_AUX_EMBED(_struct)					\
++	_RH_KABI_AUX_EMBED(_struct);
++
++#define RH_KABI_USE_AUX_PTR(n1, n2, _struct)				\
++	RH_KABI_USE(n1, n2,						\
++		     struct { RH_KABI_AUX_PTR(_struct) })
++
++#define RH_KABI_AUX_SET_SIZE(_name, _struct) ({				\
++	(_name)->_struct##_size_rh = sizeof(struct _struct##_rh);	\
++})
++
++#define RH_KABI_AUX_INIT_SIZE(_struct)					\
++	._struct##_size_rh = sizeof(struct _struct##_rh),
++
++#define RH_KABI_AUX(_ptr, _struct, _field) ({				\
++	size_t __off = offsetof(struct _struct##_rh, _field);		\
++	(_ptr)->_struct##_size_rh > __off ? true : false;		\
++})
++
++#endif /* _LINUX_RH_KABI_H */
+diff --git a/include/linux/rmi.h b/include/linux/rmi.h
+index ab7eea01ab42..fff7c5f737fc 100644
+--- a/include/linux/rmi.h
++++ b/include/linux/rmi.h
+@@ -364,6 +364,7 @@ struct rmi_driver_data {
+
+ 	struct rmi4_attn_data attn_data;
+ 	DECLARE_KFIFO(attn_fifo, struct rmi4_attn_data, 16);
++	struct work_struct attn_work;
+ };
+
+ int rmi_register_transport_device(struct rmi_transport_dev *xport);
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 5b67f208f7de..060133d19a4b 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -487,6 +487,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1402,6 +1403,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ 	return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return 0;
++}
+ #endif	/* CONFIG_SECURITY */
+
+ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+diff --git a/kernel/module/signing.c b/kernel/module/signing.c
+index a2ff4242e623..f0d2be1ee4f1 100644
+--- a/kernel/module/signing.c
++++ b/kernel/module/signing.c
+@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ 	modlen -= sig_len + sizeof(ms);
+ 	info->len = modlen;
+
+-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ 				      VERIFY_USE_SECONDARY_KEYRING,
+ 				      VERIFYING_MODULE_SIGNATURE,
+ 				      NULL, NULL);
++	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++				VERIFY_USE_PLATFORM_KEYRING,
++				VERIFYING_MODULE_SIGNATURE,
++				NULL, NULL);
++	}
++	return ret;
+ }
+
+ int module_sig_check(struct load_info *info, int flags)
+diff --git a/scripts/tags.sh b/scripts/tags.sh
+index 0d045182c08c..8606325b0ec2 100755
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -16,6 +16,8 @@ fi
+ ignore="$(echo "$RCS_FIND_IGNORE" | sed 's|\\||g' )"
+ # tags and cscope files should also ignore MODVERSION *.mod.c files
+ ignore="$ignore ( -name *.mod.c ) -prune -o"
++# RHEL tags and cscope should also ignore redhat/rpm
++ignore="$ignore ( -path redhat/rpm ) -prune -o"
+
+ # Use make KBUILD_ABS_SRCTREE=1 {tags|cscope}
+ # to force full paths for a non-O= build
+diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
+index d1fdd113450a..182e8090cfe8 100644
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -74,7 +74,8 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ 		return NULL;
+
+ 	if (*status != EFI_BUFFER_TOO_SMALL) {
+-		pr_err("Couldn't get size: 0x%lx\n", *status);
++		pr_err("Couldn't get size: %s (0x%lx)\n",
++		       efi_status_to_str(*status), *status);
+ 		return NULL;
+ 	}
+
+@@ -85,7 +86,8 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ 	*status = efi.get_variable(name, guid, NULL, &lsize, db);
+ 	if (*status != EFI_SUCCESS) {
+ 		kfree(db);
+-		pr_err("Error reading db var: 0x%lx\n", *status);
++		pr_err("Error reading db var: %s (0x%lx)\n",
++		       efi_status_to_str(*status), *status);
+ 		return NULL;
+ 	}
+
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ 	  subsystem is fully initialised. If enabled, lockdown will
+ 	  unconditionally be called before any other LSMs.
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++	bool "Lock down the kernel in EFI Secure Boot mode"
++	default n
++	depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
++	help
++	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
++	  will only load signed bootloaders and kernels.  Secure boot mode may
++	  be determined from EFI variables provided by the system firmware if
++	  not indicated by the boot parameters.
++
++	  Enabling this option results in kernel lockdown being triggered if
++	  EFI Secure Boot is set.
++
+ choice
+ 	prompt "Kernel default lockdown mode"
+ 	default LOCK_DOWN_KERNEL_FORCE_NONE
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index a79b985e917e..772a69bf43ec 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++	LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index 174afa4fad81..7ee7bcef4313 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2706,6 +2706,12 @@ int security_locked_down(enum lockdown_reason what)
+ }
+ EXPORT_SYMBOL(security_locked_down);
+
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++	return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
++
+ #ifdef CONFIG_PERF_EVENTS
+ int security_perf_event_open(struct perf_event_attr *attr, int type)
+ {