summaryrefslogtreecommitdiffstats
path: root/patch-5.17-redhat.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patch-5.17-redhat.patch')
-rw-r--r--patch-5.17-redhat.patch3220
1 files changed, 3220 insertions, 0 deletions
diff --git a/patch-5.17-redhat.patch b/patch-5.17-redhat.patch
new file mode 100644
index 000000000..e5ec4a276
--- /dev/null
+++ b/patch-5.17-redhat.patch
@@ -0,0 +1,3220 @@
+ Documentation/admin-guide/kernel-parameters.txt | 9 +
+ Kconfig | 2 +
+ Kconfig.redhat | 17 ++
+ Makefile | 12 +-
+ arch/arm/Kconfig | 4 +-
+ arch/arm64/Kconfig | 3 +-
+ arch/arm64/kernel/acpi.c | 4 +
+ arch/s390/include/asm/ipl.h | 1 +
+ arch/s390/kernel/ipl.c | 5 +
+ arch/s390/kernel/setup.c | 4 +
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/setup.c | 70 ++++-
+ crypto/rng.c | 73 ++++-
+ drivers/acpi/apei/hest.c | 8 +
+ drivers/acpi/irq.c | 17 +-
+ drivers/acpi/scan.c | 9 +
+ drivers/ata/libahci.c | 18 ++
+ drivers/char/ipmi/ipmi_dmi.c | 15 ++
+ drivers/char/ipmi/ipmi_msghandler.c | 16 +-
+ drivers/char/random.c | 115 ++++++++
+ drivers/firmware/efi/Makefile | 1 +
+ drivers/firmware/efi/efi.c | 124 ++++++---
+ drivers/firmware/efi/secureboot.c | 38 +++
+ drivers/hid/hid-rmi.c | 64 -----
+ drivers/hwtracing/coresight/coresight-etm4x-core.c | 19 ++
+ drivers/input/rmi4/rmi_driver.c | 124 +++++----
+ drivers/iommu/iommu.c | 22 ++
+ drivers/message/fusion/mptsas.c | 10 +
+ drivers/message/fusion/mptspi.c | 11 +
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 2 +
+ drivers/net/team/team.c | 2 +
+ drivers/net/wireguard/main.c | 7 +
+ drivers/nvme/host/core.c | 22 +-
+ drivers/nvme/host/multipath.c | 19 +-
+ drivers/nvme/host/nvme.h | 4 +
+ drivers/pci/pci-driver.c | 78 ++++++
+ drivers/pci/quirks.c | 24 ++
+ drivers/scsi/aacraid/linit.c | 2 +
+ drivers/scsi/be2iscsi/be_main.c | 2 +
+ drivers/scsi/hpsa.c | 4 +
+ drivers/scsi/lpfc/lpfc_ids.h | 14 +
+ drivers/scsi/megaraid/megaraid_sas_base.c | 4 +
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +
+ drivers/scsi/qla2xxx/qla_os.c | 6 +
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +
+ drivers/usb/core/hub.c | 7 +
+ fs/ext4/super.c | 5 +
+ fs/xfs/xfs_super.c | 5 +
+ include/linux/efi.h | 22 +-
+ include/linux/kernel.h | 19 ++
+ include/linux/lsm_hook_defs.h | 2 +
+ include/linux/lsm_hooks.h | 6 +
+ include/linux/module.h | 1 +
+ include/linux/panic.h | 19 +-
+ include/linux/pci.h | 16 ++
+ include/linux/random.h | 7 +
+ include/linux/rh_kabi.h | 297 +++++++++++++++++++++
+ include/linux/rmi.h | 1 +
+ include/linux/security.h | 5 +
+ init/Kconfig | 2 +-
+ kernel/Makefile | 1 +
+ kernel/bpf/syscall.c | 18 ++
+ kernel/module.c | 2 +
+ kernel/module_signing.c | 9 +-
+ kernel/panic.c | 14 +
+ kernel/rh_messages.c | 179 +++++++++++++
+ kernel/sysctl.c | 5 +
+ lib/crypto/Kconfig | 8 +-
+ mm/cma.c | 10 +
+ scripts/mod/modpost.c | 8 +
+ scripts/tags.sh | 2 +
+ security/integrity/platform_certs/load_uefi.c | 6 +-
+ security/lockdown/Kconfig | 13 +
+ security/lockdown/lockdown.c | 1 +
+ security/security.c | 6 +
+ 75 files changed, 1516 insertions(+), 192 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 49f495c9a7f8..aa7c84429250 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -5958,6 +5958,15 @@
+ unknown_nmi_panic
+ [X86] Cause panic on unknown NMI.
+
++ unprivileged_bpf_disabled=
++ Format: { "0" | "1" | "2" }
++ Sets the initial value of
++ kernel.unprivileged_bpf_disabled sysctl knob.
++ 0 - unprivileged bpf() syscall access is enabled.
++ 1 - unprivileged bpf() syscall access is disabled permanently.
++ 2 - unprivileged bpf() syscall access is disabled.
++ Default value is 2.
++
+ usbcore.authorized_default=
+ [USB] Default USB device authorization:
+ (default -1 = authorized except for wireless USB,
+diff --git a/Kconfig b/Kconfig
+index 745bc773f567..f57ff40109d7 100644
+--- a/Kconfig
++++ b/Kconfig
+@@ -30,3 +30,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "Kconfig.redhat"
+diff --git a/Kconfig.redhat b/Kconfig.redhat
+new file mode 100644
+index 000000000000..effb81d04bfd
+--- /dev/null
++++ b/Kconfig.redhat
+@@ -0,0 +1,17 @@
++# SPDX-License-Identifier: GPL-2.0-only
++#
++# Red Hat specific options
++#
++
++menu "Red Hat options"
++
++config RHEL_DIFFERENCES
++ bool "Remove support for deprecated features"
++ help
++ Red Hat may choose to deprecate certain features in its kernels.
++ Enable this option to remove support for hardware that is no
++ longer supported.
++
++ Unless you want a restricted kernel, say N here.
++
++endmenu
+diff --git a/Makefile b/Makefile
+index 08510230b42f..6b4160ecf0bd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
+ PHONY := __all
+ __all:
+
++# Set RHEL variables
++# Use this spot to avoid future merge conflicts
++include Makefile.rhelver
++
+ # We are using a recursive build, so we need to do a little thinking
+ # to get the ordering right.
+ #
+@@ -1241,7 +1245,13 @@ define filechk_version.h
+ ((c) > 255 ? 255 : (c)))'; \
+ echo \#define LINUX_VERSION_MAJOR $(VERSION); \
+ echo \#define LINUX_VERSION_PATCHLEVEL $(PATCHLEVEL); \
+- echo \#define LINUX_VERSION_SUBLEVEL $(SUBLEVEL)
++ echo \#define LINUX_VERSION_SUBLEVEL $(SUBLEVEL); \
++ echo '#define RHEL_MAJOR $(RHEL_MAJOR)'; \
++ echo '#define RHEL_MINOR $(RHEL_MINOR)'; \
++ echo '#define RHEL_RELEASE_VERSION(a,b) (((a) << 8) + (b))'; \
++ echo '#define RHEL_RELEASE_CODE \
++ $(shell expr $(RHEL_MAJOR) \* 256 + $(RHEL_MINOR))'; \
++ echo '#define RHEL_RELEASE "$(RHEL_RELEASE)"'
+ endef
+
+ $(version_h): PATCHLEVEL := $(if $(PATCHLEVEL), $(PATCHLEVEL), 0)
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 796fc8017f5d..427312380687 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1478,9 +1478,9 @@ config HIGHMEM
+ If unsure, say n.
+
+ config HIGHPTE
+- bool "Allocate 2nd-level pagetables from highmem" if EXPERT
++ bool "Allocate 2nd-level pagetables from highmem"
+ depends on HIGHMEM
+- default y
++ default n
+ help
+ The VM uses one page of physical memory for each page table.
+ For systems with a lot of processes, this can use a lot of
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index ef3b5cb40d16..c3f0f2fbb9f9 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1025,7 +1025,7 @@ endchoice
+
+ config ARM64_FORCE_52BIT
+ bool "Force 52-bit virtual addresses for userspace"
+- depends on ARM64_VA_BITS_52 && EXPERT
++ depends on ARM64_VA_BITS_52
+ help
+ For systems with 52-bit userspace VAs enabled, the kernel will attempt
+ to maintain compatibility with older software by providing 48-bit VAs
+@@ -1279,6 +1279,7 @@ config XEN
+ config FORCE_MAX_ZONEORDER
+ int
+ default "14" if ARM64_64K_PAGES
++ default "13" if (ARCH_THUNDER && !ARM64_64K_PAGES)
+ default "12" if ARM64_16K_PAGES
+ default "11"
+ help
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index e4dea8db6924..3f17c7b5bd78 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -41,7 +41,11 @@ int acpi_pci_disabled = 1; /* skip ACPI PCI scan and IRQ initialization */
+ EXPORT_SYMBOL(acpi_pci_disabled);
+
+ static bool param_acpi_off __initdata;
++#ifdef CONFIG_RHEL_DIFFERENCES
++static bool param_acpi_on __initdata = true;
++#else
+ static bool param_acpi_on __initdata;
++#endif
+ static bool param_acpi_force __initdata;
+
+ static int __init parse_acpi(char *arg)
+diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h
+index 3f8ee257f9aa..3ab92feb6241 100644
+--- a/arch/s390/include/asm/ipl.h
++++ b/arch/s390/include/asm/ipl.h
+@@ -128,6 +128,7 @@ int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf,
+ unsigned char flags, unsigned short cert);
+ int ipl_report_add_certificate(struct ipl_report *report, void *key,
+ unsigned long addr, unsigned long len);
++bool ipl_get_secureboot(void);
+
+ /*
+ * DIAG 308 support
+diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
+index 5ad1dde23dc5..b6192d58eed3 100644
+--- a/arch/s390/kernel/ipl.c
++++ b/arch/s390/kernel/ipl.c
+@@ -2216,3 +2216,8 @@ int ipl_report_free(struct ipl_report *report)
+ }
+
+ #endif
++
++bool ipl_get_secureboot(void)
++{
++ return !!ipl_secure_flag;
++}
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index f2c25d113e7b..059fe82e020a 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -49,6 +49,7 @@
+ #include <linux/memory.h>
+ #include <linux/compat.h>
+ #include <linux/start_kernel.h>
++#include <linux/security.h>
+ #include <linux/hugetlb.h>
+ #include <linux/kmemleak.h>
+
+@@ -963,6 +964,9 @@ void __init setup_arch(char **cmdline_p)
+
+ log_component_list();
+
++ if (ipl_get_secureboot())
++ security_lock_kernel_down("Secure IPL mode", LOCKDOWN_INTEGRITY_MAX);
++
+ /* Have one command line that is parsed and saved in /proc/cmdline */
+ /* boot_command_line has been already set up in early.c */
+ *cmdline_p = boot_command_line;
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 7b8382c11788..4aa07bcf45cf 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1316,6 +1316,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+ cpu_detect(c);
+ get_cpu_vendor(c);
+ get_cpu_cap(c);
++ get_model_name(c); /* RHEL: get model name for unsupported check */
+ get_cpu_address_sizes(c);
+ setup_force_cpu_cap(X86_FEATURE_CPUID);
+ cpu_parse_early_param();
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index f7a132eb794d..2305f8353e49 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -20,6 +20,7 @@
+ #include <linux/root_dev.h>
+ #include <linux/hugetlb.h>
+ #include <linux/tboot.h>
++#include <linux/security.h>
+ #include <linux/usb/xhci-dbgp.h>
+ #include <linux/static_call.h>
+ #include <linux/swiotlb.h>
+@@ -51,6 +52,7 @@
+ #include <asm/unwind.h>
+ #include <asm/vsyscall.h>
+ #include <linux/vmalloc.h>
++#include <asm/intel-family.h>
+
+ /*
+ * max_low_pfn_mapped: highest directly mapped pfn < 4 GB
+@@ -721,6 +723,51 @@ static void __init early_reserve_memory(void)
+ trim_snb_memory();
+ }
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++
++static void rh_check_supported(void)
++{
++ bool guest;
++
++ guest = (x86_hyper_type != X86_HYPER_NATIVE || boot_cpu_has(X86_FEATURE_HYPERVISOR));
++
++ /* RHEL supports single cpu on guests only */
++ if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
++ !guest && is_kdump_kernel()) {
++ pr_crit("Detected single cpu native boot.\n");
++ pr_crit("Important: In this kernel, single threaded, single CPU 64-bit physical systems are unsupported.");
++ }
++
++ /*
++ * If the RHEL kernel does not support this hardware, the kernel will
++ * attempt to boot, but no support is provided for this hardware
++ */
++ switch (boot_cpu_data.x86_vendor) {
++ case X86_VENDOR_AMD:
++ case X86_VENDOR_INTEL:
++ break;
++ default:
++ pr_crit("Detected processor %s %s\n",
++ boot_cpu_data.x86_vendor_id,
++ boot_cpu_data.x86_model_id);
++ mark_hardware_unmaintained("x86 processor", "%s %s", boot_cpu_data.x86_vendor_id,
++ boot_cpu_data.x86_model_id);
++ break;
++ }
++
++ /*
++ * Due to the complexity of x86 lapic & ioapic enumeration, and PCI IRQ
++ * routing, ACPI is required for x86. acpi=off is a valid debug kernel
++ * parameter, so just print out a loud warning in case something
++ * goes wrong (which is most of the time).
++ */
++ if (acpi_disabled && !guest)
++ pr_crit("ACPI has been disabled or is not available on this hardware. This may result in a single cpu boot, incorrect PCI IRQ routing, or boot failure.\n");
++}
++#else
++#define rh_check_supported()
++#endif
++
+ /*
+ * Dump out kernel offset information on panic.
+ */
+@@ -930,6 +977,13 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ if (efi_enabled(EFI_SECURE_BOOT))
++ security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
++#endif
++
+ dmi_setup();
+
+ /*
+@@ -1099,19 +1153,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- if (efi_enabled(EFI_BOOT)) {
+- switch (boot_params.secure_boot) {
+- case efi_secureboot_mode_disabled:
+- pr_info("Secure boot disabled\n");
+- break;
+- case efi_secureboot_mode_enabled:
+- pr_info("Secure boot enabled\n");
+- break;
+- default:
+- pr_info("Secure boot could not be determined\n");
+- break;
+- }
+- }
++ efi_set_secure_boot(boot_params.secure_boot);
+
+ reserve_initrd();
+
+@@ -1224,6 +1266,8 @@ void __init setup_arch(char **cmdline_p)
+ efi_apply_memmap_quirks();
+ #endif
+
++ rh_check_supported();
++
+ unwind_init();
+ }
+
+diff --git a/crypto/rng.c b/crypto/rng.c
+index fea082b25fe4..50a9d040bed1 100644
+--- a/crypto/rng.c
++++ b/crypto/rng.c
+@@ -11,14 +11,17 @@
+ #include <linux/atomic.h>
+ #include <crypto/internal/rng.h>
+ #include <linux/err.h>
++#include <linux/fips.h>
++#include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
+ #include <linux/random.h>
+ #include <linux/seq_file.h>
++#include <linux/sched.h>
++#include <linux/sched/signal.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/cryptouser.h>
+-#include <linux/compiler.h>
+ #include <net/netlink.h>
+
+ #include "internal.h"
+@@ -224,5 +227,73 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count)
+ }
+ EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
+
++static ssize_t crypto_devrandom_read(void __user *buf, size_t buflen)
++{
++ u8 tmp[256];
++ ssize_t ret;
++
++ if (!buflen)
++ return 0;
++
++ ret = crypto_get_default_rng();
++ if (ret)
++ return ret;
++
++ for (;;) {
++ int err;
++ int i;
++
++ i = min_t(int, buflen, sizeof(tmp));
++ err = crypto_rng_get_bytes(crypto_default_rng, tmp, i);
++ if (err) {
++ ret = err;
++ break;
++ }
++
++ if (copy_to_user(buf, tmp, i)) {
++ ret = -EFAULT;
++ break;
++ }
++
++ buflen -= i;
++ buf += i;
++ ret += i;
++
++ if (!buflen)
++ break;
++
++ if (need_resched()) {
++ if (signal_pending(current))
++ break;
++ schedule();
++ }
++ }
++
++ crypto_put_default_rng();
++ memzero_explicit(tmp, sizeof(tmp));
++
++ return ret;
++}
++
++static const struct random_extrng crypto_devrandom_rng = {
++ .extrng_read = crypto_devrandom_read,
++ .owner = THIS_MODULE,
++};
++
++static int __init crypto_rng_init(void)
++{
++ if (fips_enabled)
++ random_register_extrng(&crypto_devrandom_rng);
++ return 0;
++}
++
++static void __exit crypto_rng_exit(void)
++{
++ random_unregister_extrng();
++}
++
++late_initcall(crypto_rng_init);
++module_exit(crypto_rng_exit);
++
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Random Number Generator");
+diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c
+index 0edc1ed47673..782e2f399af2 100644
+--- a/drivers/acpi/apei/hest.c
++++ b/drivers/acpi/apei/hest.c
+@@ -96,6 +96,14 @@ static int apei_hest_parse(apei_hest_func_t func, void *data)
+ if (hest_disable || !hest_tab)
+ return -EINVAL;
+
++#ifdef CONFIG_ARM64
++ /* Ignore broken firmware */
++ if (!strncmp(hest_tab->header.oem_id, "HPE ", 6) &&
++ !strncmp(hest_tab->header.oem_table_id, "ProLiant", 8) &&
++ MIDR_IMPLEMENTOR(read_cpuid_id()) == ARM_CPU_IMP_APM)
++ return -EINVAL;
++#endif
++
+ hest_hdr = (struct acpi_hest_header *)(hest_tab + 1);
+ for (i = 0; i < hest_tab->error_source_count; i++) {
+ len = hest_esrc_len(hest_hdr);
+diff --git a/drivers/acpi/irq.c b/drivers/acpi/irq.c
+index c68e694fca26..146cba5ae5bc 100644
+--- a/drivers/acpi/irq.c
++++ b/drivers/acpi/irq.c
+@@ -130,6 +130,7 @@ struct acpi_irq_parse_one_ctx {
+ unsigned int index;
+ unsigned long *res_flags;
+ struct irq_fwspec *fwspec;
++ bool skip_producer_check;
+ };
+
+ /**
+@@ -201,7 +202,8 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ return AE_CTRL_TERMINATE;
+ case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ eirq = &ares->data.extended_irq;
+- if (eirq->producer_consumer == ACPI_PRODUCER)
++ if (!ctx->skip_producer_check &&
++ eirq->producer_consumer == ACPI_PRODUCER)
+ return AE_OK;
+ if (ctx->index >= eirq->interrupt_count) {
+ ctx->index -= eirq->interrupt_count;
+@@ -236,8 +238,19 @@ static acpi_status acpi_irq_parse_one_cb(struct acpi_resource *ares,
+ static int acpi_irq_parse_one(acpi_handle handle, unsigned int index,
+ struct irq_fwspec *fwspec, unsigned long *flags)
+ {
+- struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec };
++ struct acpi_irq_parse_one_ctx ctx = { -EINVAL, index, flags, fwspec, false };
+
++ /*
++ * Firmware on arm64-based HPE m400 platform incorrectly marks
++ * its UART interrupt as ACPI_PRODUCER rather than ACPI_CONSUMER.
++ * Don't do the producer/consumer check for that device.
++ */
++ if (IS_ENABLED(CONFIG_ARM64)) {
++ struct acpi_device *adev = acpi_bus_get_acpi_device(handle);
++
++ if (adev && !strcmp(acpi_device_hid(adev), "APMC0D08"))
++ ctx.skip_producer_check = true;
++ }
+ acpi_walk_resources(handle, METHOD_NAME__CRS, acpi_irq_parse_one_cb, &ctx);
+ return ctx.rc;
+ }
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 1185ecea59d1..f913b21a0be5 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1753,6 +1753,15 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+ if (!acpi_match_device_ids(device, ignore_serial_bus_ids))
+ return false;
+
++ /*
++ * Firmware on some arm64 X-Gene platforms will make the UART
++ * device appear as both a UART and a slave of that UART. Just
++ * bail out here for X-Gene UARTs.
++ */
++ if (IS_ENABLED(CONFIG_ARM64) &&
++ !strcmp(acpi_device_hid(device), "APMC0D08"))
++ return false;
++
+ INIT_LIST_HEAD(&resource_list);
+ acpi_dev_get_resources(device, &resource_list,
+ acpi_check_serial_bus_slave,
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index f76b8418e6fb..350e52fccc30 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -690,6 +690,24 @@ int ahci_stop_engine(struct ata_port *ap)
+ tmp &= ~PORT_CMD_START;
+ writel(tmp, port_mmio + PORT_CMD);
+
++#ifdef CONFIG_ARM64
++ /* Rev Ax of Cavium CN99XX needs a hack for port stop */
++ if (dev_is_pci(ap->host->dev) &&
++ to_pci_dev(ap->host->dev)->vendor == 0x14e4 &&
++ to_pci_dev(ap->host->dev)->device == 0x9027 &&
++ midr_is_cpu_model_range(read_cpuid_id(),
++ MIDR_CPU_MODEL(ARM_CPU_IMP_BRCM, BRCM_CPU_PART_VULCAN),
++ MIDR_CPU_VAR_REV(0, 0),
++ MIDR_CPU_VAR_REV(0, MIDR_REVISION_MASK))) {
++ tmp = readl(hpriv->mmio + 0x8000);
++ udelay(100);
++ writel(tmp | (1 << 26), hpriv->mmio + 0x8000);
++ udelay(100);
++ writel(tmp & ~(1 << 26), hpriv->mmio + 0x8000);
++ dev_warn(ap->host->dev, "CN99XX SATA reset workaround applied\n");
++ }
++#endif
++
+ /* wait for engine to stop. This could be as long as 500 msec */
+ tmp = ata_wait_register(ap, port_mmio + PORT_CMD,
+ PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500);
+diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
+index bbf7029e224b..cf7faa970dd6 100644
+--- a/drivers/char/ipmi/ipmi_dmi.c
++++ b/drivers/char/ipmi/ipmi_dmi.c
+@@ -215,6 +215,21 @@ static int __init scan_for_dmi_ipmi(void)
+ {
+ const struct dmi_device *dev = NULL;
+
++#ifdef CONFIG_ARM64
++ /* RHEL-only
++ * If this is ARM-based HPE m400, return now, because that platform
++ * reports the host-side ipmi address as intel port-io space, which
++ * does not exist in the ARM architecture.
++ */
++ const char *dmistr = dmi_get_system_info(DMI_PRODUCT_NAME);
++
++ if (dmistr && (strcmp("ProLiant m400 Server", dmistr) == 0)) {
++ pr_debug("%s does not support host ipmi\n", dmistr);
++ return 0;
++ }
++ /* END RHEL-only */
++#endif
++
+ while ((dev = dmi_find_device(DMI_DEV_TYPE_IPMI, NULL, dev)))
+ dmi_decode_ipmi((const struct dmi_header *) dev->device_data);
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index c59265146e9c..caa8458edde2 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -35,6 +35,7 @@
+ #include <linux/uuid.h>
+ #include <linux/nospec.h>
+ #include <linux/vmalloc.h>
++#include <linux/dmi.h>
+ #include <linux/delay.h>
+
+ #define IPMI_DRIVER_VERSION "39.2"
+@@ -5422,8 +5423,21 @@ static int __init ipmi_init_msghandler_mod(void)
+ {
+ int rv;
+
+- pr_info("version " IPMI_DRIVER_VERSION "\n");
++#ifdef CONFIG_ARM64
++ /* RHEL-only
++ * If this is ARM-based HPE m400, return now, because that platform
++ * reports the host-side ipmi address as intel port-io space, which
++ * does not exist in the ARM architecture.
++ */
++ const char *dmistr = dmi_get_system_info(DMI_PRODUCT_NAME);
+
++ if (dmistr && (strcmp("ProLiant m400 Server", dmistr) == 0)) {
++ pr_debug("%s does not support host ipmi\n", dmistr);
++ return -ENOSYS;
++ }
++ /* END RHEL-only */
++#endif
++ pr_info("version " IPMI_DRIVER_VERSION "\n");
+ mutex_lock(&ipmi_interfaces_mutex);
+ rv = ipmi_register_driver();
+ mutex_unlock(&ipmi_interfaces_mutex);
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 227fb7802738..2836c089d2f3 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -345,6 +345,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/completion.h>
+ #include <linux/uuid.h>
++#include <linux/rcupdate.h>
+ #include <crypto/chacha.h>
+ #include <crypto/blake2s.h>
+
+@@ -359,6 +360,11 @@
+
+ /* #define ADD_INTERRUPT_BENCH */
+
++/*
++ * Hook for external RNG.
++ */
++static const struct random_extrng __rcu *extrng;
++
+ /*
+ * Configuration information
+ */
+@@ -493,6 +499,9 @@ static int ratelimit_disable __read_mostly;
+ module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
+ MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
+
++static const struct file_operations extrng_random_fops;
++static const struct file_operations extrng_urandom_fops;
++
+ /**********************************************************************
+ *
+ * OS independent entropy store. Here are the functions which handle
+@@ -1869,6 +1878,13 @@ random_poll(struct file *file, poll_table * wait)
+ return mask;
+ }
+
++static __poll_t
++extrng_poll(struct file *file, poll_table * wait)
++{
++ /* extrng pool is always full, always read, no writes */
++ return EPOLLIN | EPOLLRDNORM;
++}
++
+ static int
+ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+@@ -1972,7 +1988,58 @@ static int random_fasync(int fd, struct file *filp, int on)
+ return fasync_helper(fd, filp, on, &fasync);
+ }
+
++static int random_open(struct inode *inode, struct file *filp)
++{
++ const struct random_extrng *rng;
++
++ rcu_read_lock();
++ rng = rcu_dereference(extrng);
++ if (rng && !try_module_get(rng->owner))
++ rng = NULL;
++ rcu_read_unlock();
++
++ if (!rng)
++ return 0;
++
++ filp->f_op = &extrng_random_fops;
++ filp->private_data = rng->owner;
++
++ return 0;
++}
++
++static int urandom_open(struct inode *inode, struct file *filp)
++{
++ const struct random_extrng *rng;
++
++ rcu_read_lock();
++ rng = rcu_dereference(extrng);
++ if (rng && !try_module_get(rng->owner))
++ rng = NULL;
++ rcu_read_unlock();
++
++ if (!rng)
++ return 0;
++
++ filp->f_op = &extrng_urandom_fops;
++ filp->private_data = rng->owner;
++
++ return 0;
++}
++
++static int extrng_release(struct inode *inode, struct file *filp)
++{
++ module_put(filp->private_data);
++ return 0;
++}
++
++static ssize_t
++extrng_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
++{
++ return rcu_dereference_raw(extrng)->extrng_read(buf, nbytes);
++}
++
+ const struct file_operations random_fops = {
++ .open = random_open,
+ .read = random_read,
+ .write = random_write,
+ .poll = random_poll,
+@@ -1983,6 +2050,7 @@ const struct file_operations random_fops = {
+ };
+
+ const struct file_operations urandom_fops = {
++ .open = urandom_open,
+ .read = urandom_read,
+ .write = random_write,
+ .unlocked_ioctl = random_ioctl,
+@@ -1991,9 +2059,31 @@ const struct file_operations urandom_fops = {
+ .llseek = noop_llseek,
+ };
+
++static const struct file_operations extrng_random_fops = {
++ .open = random_open,
++ .read = extrng_read,
++ .write = random_write,
++ .poll = extrng_poll,
++ .unlocked_ioctl = random_ioctl,
++ .fasync = random_fasync,
++ .llseek = noop_llseek,
++ .release = extrng_release,
++};
++
++static const struct file_operations extrng_urandom_fops = {
++ .open = urandom_open,
++ .read = extrng_read,
++ .write = random_write,
++ .unlocked_ioctl = random_ioctl,
++ .fasync = random_fasync,
++ .llseek = noop_llseek,
++ .release = extrng_release,
++};
++
+ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
+ unsigned int, flags)
+ {
++ const struct random_extrng *rng;
+ int ret;
+
+ if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE))
+@@ -2009,6 +2099,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
+ if (count > INT_MAX)
+ count = INT_MAX;
+
++ rcu_read_lock();
++ rng = rcu_dereference(extrng);
++ if (rng && !try_module_get(rng->owner))
++ rng = NULL;
++ rcu_read_unlock();
++
++ if (rng) {
++ ret = rng->extrng_read(buf, count);
++ module_put(rng->owner);
++ return ret;
++ }
++
+ if (!(flags & GRND_INSECURE) && !crng_ready()) {
+ if (flags & GRND_NONBLOCK)
+ return -EAGAIN;
+@@ -2319,3 +2421,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
+ add_device_randomness(buf, size);
+ }
+ EXPORT_SYMBOL_GPL(add_bootloader_randomness);
++
++void random_register_extrng(const struct random_extrng *rng)
++{
++ rcu_assign_pointer(extrng, rng);
++}
++EXPORT_SYMBOL_GPL(random_register_extrng);
++
++void random_unregister_extrng(void)
++{
++ RCU_INIT_POINTER(extrng, NULL);
++ synchronize_rcu();
++}
++EXPORT_SYMBOL_GPL(random_unregister_extrng);
+diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
+index c02ff25dd477..d860f8eb9a81 100644
+--- a/drivers/firmware/efi/Makefile
++++ b/drivers/firmware/efi/Makefile
+@@ -28,6 +28,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_map.o
+ obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
+ obj-$(CONFIG_EFI_TEST) += test/
+ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
++obj-$(CONFIG_EFI) += secureboot.o
+ obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
+ obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
+ obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index ae79c3300129..e9205ea7aeb3 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -31,6 +31,7 @@
+ #include <linux/ucs2_string.h>
+ #include <linux/memblock.h>
+ #include <linux/security.h>
++#include <linux/bsearch.h>
+
+ #include <asm/early_ioremap.h>
+
+@@ -844,40 +845,101 @@ int efi_mem_type(unsigned long phys_addr)
+ }
+ #endif
+
++struct efi_error_code {
++ efi_status_t status;
++ int errno;
++ const char *description;
++};
++
++static const struct efi_error_code efi_error_codes[] = {
++ { EFI_SUCCESS, 0, "Success"},
++#if 0
++ { EFI_LOAD_ERROR, -EPICK_AN_ERRNO, "Load Error"},
++#endif
++ { EFI_INVALID_PARAMETER, -EINVAL, "Invalid Parameter"},
++ { EFI_UNSUPPORTED, -ENOSYS, "Unsupported"},
++ { EFI_BAD_BUFFER_SIZE, -ENOSPC, "Bad Buffer Size"},
++ { EFI_BUFFER_TOO_SMALL, -ENOSPC, "Buffer Too Small"},
++ { EFI_NOT_READY, -EAGAIN, "Not Ready"},
++ { EFI_DEVICE_ERROR, -EIO, "Device Error"},
++ { EFI_WRITE_PROTECTED, -EROFS, "Write Protected"},
++ { EFI_OUT_OF_RESOURCES, -ENOMEM, "Out of Resources"},
++#if 0
++ { EFI_VOLUME_CORRUPTED, -EPICK_AN_ERRNO, "Volume Corrupt"},
++ { EFI_VOLUME_FULL, -EPICK_AN_ERRNO, "Volume Full"},
++ { EFI_NO_MEDIA, -EPICK_AN_ERRNO, "No Media"},
++ { EFI_MEDIA_CHANGED, -EPICK_AN_ERRNO, "Media changed"},
++#endif
++ { EFI_NOT_FOUND, -ENOENT, "Not Found"},
++#if 0
++ { EFI_ACCESS_DENIED, -EPICK_AN_ERRNO, "Access Denied"},
++ { EFI_NO_RESPONSE, -EPICK_AN_ERRNO, "No Response"},
++ { EFI_NO_MAPPING, -EPICK_AN_ERRNO, "No mapping"},
++ { EFI_TIMEOUT, -EPICK_AN_ERRNO, "Time out"},
++ { EFI_NOT_STARTED, -EPICK_AN_ERRNO, "Not started"},
++ { EFI_ALREADY_STARTED, -EPICK_AN_ERRNO, "Already started"},
++#endif
++ { EFI_ABORTED, -EINTR, "Aborted"},
++#if 0
++ { EFI_ICMP_ERROR, -EPICK_AN_ERRNO, "ICMP Error"},
++ { EFI_TFTP_ERROR, -EPICK_AN_ERRNO, "TFTP Error"},
++ { EFI_PROTOCOL_ERROR, -EPICK_AN_ERRNO, "Protocol Error"},
++ { EFI_INCOMPATIBLE_VERSION, -EPICK_AN_ERRNO, "Incompatible Version"},
++#endif
++ { EFI_SECURITY_VIOLATION, -EACCES, "Security Policy Violation"},
++#if 0
++ { EFI_CRC_ERROR, -EPICK_AN_ERRNO, "CRC Error"},
++ { EFI_END_OF_MEDIA, -EPICK_AN_ERRNO, "End of Media"},
++ { EFI_END_OF_FILE, -EPICK_AN_ERRNO, "End of File"},
++ { EFI_INVALID_LANGUAGE, -EPICK_AN_ERRNO, "Invalid Languages"},
++ { EFI_COMPROMISED_DATA, -EPICK_AN_ERRNO, "Compromised Data"},
++
++ // warnings
++ { EFI_WARN_UNKOWN_GLYPH, -EPICK_AN_ERRNO, "Warning Unknown Glyph"},
++ { EFI_WARN_DELETE_FAILURE, -EPICK_AN_ERRNO, "Warning Delete Failure"},
++ { EFI_WARN_WRITE_FAILURE, -EPICK_AN_ERRNO, "Warning Write Failure"},
++ { EFI_WARN_BUFFER_TOO_SMALL, -EPICK_AN_ERRNO, "Warning Buffer Too Small"},
++#endif
++};
++
++static int
++efi_status_cmp_bsearch(const void *key, const void *item)
++{
++ u64 status = (u64)(uintptr_t)key;
++ struct efi_error_code *code = (struct efi_error_code *)item;
++
++ if (status < code->status)
++ return -1;
++ if (status > code->status)
++ return 1;
++ return 0;
++}
++
+ int efi_status_to_err(efi_status_t status)
+ {
+- int err;
+-
+- switch (status) {
+- case EFI_SUCCESS:
+- err = 0;
+- break;
+- case EFI_INVALID_PARAMETER:
+- err = -EINVAL;
+- break;
+- case EFI_OUT_OF_RESOURCES:
+- err = -ENOSPC;
+- break;
+- case EFI_DEVICE_ERROR:
+- err = -EIO;
+- break;
+- case EFI_WRITE_PROTECTED:
+- err = -EROFS;
+- break;
+- case EFI_SECURITY_VIOLATION:
+- err = -EACCES;
+- break;
+- case EFI_NOT_FOUND:
+- err = -ENOENT;
+- break;
+- case EFI_ABORTED:
+- err = -EINTR;
+- break;
+- default:
+- err = -EINVAL;
+- }
++ struct efi_error_code *found;
++ size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
+
+- return err;
++ found = bsearch((void *)(uintptr_t)status, efi_error_codes,
++ sizeof(struct efi_error_code), num,
++ efi_status_cmp_bsearch);
++ if (!found)
++ return -EINVAL;
++ return found->errno;
++}
++
++const char *
++efi_status_to_str(efi_status_t status)
++{
++ struct efi_error_code *found;
++ size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code);
++
++ found = bsearch((void *)(uintptr_t)status, efi_error_codes,
++ sizeof(struct efi_error_code), num,
++ efi_status_cmp_bsearch);
++ if (!found)
++ return "Unknown error code";
++ return found->description;
+ }
+
+ static DEFINE_SPINLOCK(efi_mem_reserve_persistent_lock);
+diff --git a/drivers/firmware/efi/secureboot.c b/drivers/firmware/efi/secureboot.c
+new file mode 100644
+index 000000000000..de0a3714a5d4
+--- /dev/null
++++ b/drivers/firmware/efi/secureboot.c
+@@ -0,0 +1,38 @@
++/* Core kernel secure boot support.
++ *
++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <linux/efi.h>
++#include <linux/kernel.h>
++#include <linux/printk.h>
++
++/*
++ * Decide what to do when UEFI secure boot mode is enabled.
++ */
++void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
++{
++ if (efi_enabled(EFI_BOOT)) {
++ switch (mode) {
++ case efi_secureboot_mode_disabled:
++ pr_info("Secure boot disabled\n");
++ break;
++ case efi_secureboot_mode_enabled:
++ set_bit(EFI_SECURE_BOOT, &efi.flags);
++ pr_info("Secure boot enabled\n");
++ break;
++ default:
++ pr_warn("Secure boot could not be determined (mode %u)\n",
++ mode);
++ break;
++ }
++ }
++}
+diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
+index 311eee599ce9..2460c6bd46f8 100644
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -322,19 +322,12 @@ static int rmi_input_event(struct hid_device *hdev, u8 *data, int size)
+ {
+ struct rmi_data *hdata = hid_get_drvdata(hdev);
+ struct rmi_device *rmi_dev = hdata->xport.rmi_dev;
+- unsigned long flags;
+
+ if (!(test_bit(RMI_STARTED, &hdata->flags)))
+ return 0;
+
+- local_irq_save(flags);
+-
+ rmi_set_attn_data(rmi_dev, data[1], &data[2], size - 2);
+
+- generic_handle_irq(hdata->rmi_irq);
+-
+- local_irq_restore(flags);
+-
+ return 1;
+ }
+
+@@ -591,56 +584,6 @@ static const struct rmi_transport_ops hid_rmi_ops = {
+ .reset = rmi_hid_reset,
+ };
+
+-static void rmi_irq_teardown(void *data)
+-{
+- struct rmi_data *hdata = data;
+- struct irq_domain *domain = hdata->domain;
+-
+- if (!domain)
+- return;
+-
+- irq_dispose_mapping(irq_find_mapping(domain, 0));
+-
+- irq_domain_remove(domain);
+- hdata->domain = NULL;
+- hdata->rmi_irq = 0;
+-}
+-
+-static int rmi_irq_map(struct irq_domain *h, unsigned int virq,
+- irq_hw_number_t hw_irq_num)
+-{
+- irq_set_chip_and_handler(virq, &dummy_irq_chip, handle_simple_irq);
+-
+- return 0;
+-}
+-
+-static const struct irq_domain_ops rmi_irq_ops = {
+- .map = rmi_irq_map,
+-};
+-
+-static int rmi_setup_irq_domain(struct hid_device *hdev)
+-{
+- struct rmi_data *hdata = hid_get_drvdata(hdev);
+- int ret;
+-
+- hdata->domain = irq_domain_create_linear(hdev->dev.fwnode, 1,
+- &rmi_irq_ops, hdata);
+- if (!hdata->domain)
+- return -ENOMEM;
+-
+- ret = devm_add_action_or_reset(&hdev->dev, &rmi_irq_teardown, hdata);
+- if (ret)
+- return ret;
+-
+- hdata->rmi_irq = irq_create_mapping(hdata->domain, 0);
+- if (hdata->rmi_irq <= 0) {
+- hid_err(hdev, "Can't allocate an IRQ\n");
+- return hdata->rmi_irq < 0 ? hdata->rmi_irq : -ENXIO;
+- }
+-
+- return 0;
+-}
+-
+ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ {
+ struct rmi_data *data = NULL;
+@@ -713,18 +656,11 @@ static int rmi_probe(struct hid_device *hdev, const struct hid_device_id *id)
+
+ mutex_init(&data->page_mutex);
+
+- ret = rmi_setup_irq_domain(hdev);
+- if (ret) {
+- hid_err(hdev, "failed to allocate IRQ domain\n");
+- return ret;
+- }
+-
+ if (data->device_flags & RMI_DEVICE_HAS_PHYS_BUTTONS)
+ rmi_hid_pdata.gpio_data.disable = true;
+
+ data->xport.dev = hdev->dev.parent;
+ data->xport.pdata = rmi_hid_pdata;
+- data->xport.pdata.irq = data->rmi_irq;
+ data->xport.proto_name = "hid";
+ data->xport.ops = &hid_rmi_ops;
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+index 86a313857b58..dcfc95d0e328 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+@@ -9,6 +9,7 @@
+ #include <linux/init.h>
+ #include <linux/types.h>
+ #include <linux/device.h>
++#include <linux/dmi.h>
+ #include <linux/io.h>
+ #include <linux/err.h>
+ #include <linux/fs.h>
+@@ -2156,6 +2157,16 @@ static const struct amba_id etm4_ids[] = {
+ {},
+ };
+
++static const struct dmi_system_id broken_coresight[] = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HPE"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Apollo 70"),
++ },
++ },
++ { } /* terminating entry */
++};
++
+ MODULE_DEVICE_TABLE(amba, etm4_ids);
+
+ static struct amba_driver etm4x_amba_driver = {
+@@ -2189,6 +2200,11 @@ static int __init etm4x_init(void)
+ {
+ int ret;
+
++ if (dmi_check_system(broken_coresight)) {
++ pr_info("ETM4 disabled due to firmware bug\n");
++ return 0;
++ }
++
+ ret = etm4_pm_setup();
+
+ /* etm4_pm_setup() does its own cleanup - exit on error */
+@@ -2215,6 +2231,9 @@ static int __init etm4x_init(void)
+
+ static void __exit etm4x_exit(void)
+ {
++ if (dmi_check_system(broken_coresight))
++ return;
++
+ amba_driver_unregister(&etm4x_amba_driver);
+ platform_driver_unregister(&etm4_platform_driver);
+ etm4_pm_clear();
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index 258d5fe3d395..f7298e3dc8f3 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -182,34 +182,47 @@ void rmi_set_attn_data(struct rmi_device *rmi_dev, unsigned long irq_status,
+ attn_data.data = fifo_data;
+
+ kfifo_put(&drvdata->attn_fifo, attn_data);
++
++ schedule_work(&drvdata->attn_work);
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
+
+-static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
++static void attn_callback(struct work_struct *work)
+ {
+- struct rmi_device *rmi_dev = dev_id;
+- struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
++ struct rmi_driver_data *drvdata = container_of(work,
++ struct rmi_driver_data,
++ attn_work);
+ struct rmi4_attn_data attn_data = {0};
+ int ret, count;
+
+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+- if (count) {
+- *(drvdata->irq_status) = attn_data.irq_status;
+- drvdata->attn_data = attn_data;
+- }
++ if (!count)
++ return;
+
+- ret = rmi_process_interrupt_requests(rmi_dev);
++ *(drvdata->irq_status) = attn_data.irq_status;
++ drvdata->attn_data = attn_data;
++
++ ret = rmi_process_interrupt_requests(drvdata->rmi_dev);
+ if (ret)
+- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++ rmi_dbg(RMI_DEBUG_CORE, &drvdata->rmi_dev->dev,
+ "Failed to process interrupt request: %d\n", ret);
+
+- if (count) {
+- kfree(attn_data.data);
+- drvdata->attn_data.data = NULL;
+- }
++ kfree(attn_data.data);
++ drvdata->attn_data.data = NULL;
+
+ if (!kfifo_is_empty(&drvdata->attn_fifo))
+- return rmi_irq_fn(irq, dev_id);
++ schedule_work(&drvdata->attn_work);
++}
++
++static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
++{
++ struct rmi_device *rmi_dev = dev_id;
++ int ret;
++
++ ret = rmi_process_interrupt_requests(rmi_dev);
++ if (ret)
++ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++ "Failed to process interrupt request: %d\n", ret);
+
+ return IRQ_HANDLED;
+ }
+@@ -217,7 +230,6 @@ static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
+ static int rmi_irq_init(struct rmi_device *rmi_dev)
+ {
+ struct rmi_device_platform_data *pdata = rmi_get_platform_data(rmi_dev);
+- struct rmi_driver_data *data = dev_get_drvdata(&rmi_dev->dev);
+ int irq_flags = irq_get_trigger_type(pdata->irq);
+ int ret;
+
+@@ -235,8 +247,6 @@ static int rmi_irq_init(struct rmi_device *rmi_dev)
+ return ret;
+ }
+
+- data->enabled = true;
+-
+ return 0;
+ }
+
+@@ -886,23 +896,27 @@ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+ if (data->enabled)
+ goto out;
+
+- enable_irq(irq);
+- data->enabled = true;
+- if (clear_wake && device_may_wakeup(rmi_dev->xport->dev)) {
+- retval = disable_irq_wake(irq);
+- if (retval)
+- dev_warn(&rmi_dev->dev,
+- "Failed to disable irq for wake: %d\n",
+- retval);
+- }
++ if (irq) {
++ enable_irq(irq);
++ data->enabled = true;
++ if (clear_wake && device_may_wakeup(rmi_dev->xport->dev)) {
++ retval = disable_irq_wake(irq);
++ if (retval)
++ dev_warn(&rmi_dev->dev,
++ "Failed to disable irq for wake: %d\n",
++ retval);
++ }
+
+- /*
+- * Call rmi_process_interrupt_requests() after enabling irq,
+- * otherwise we may lose interrupt on edge-triggered systems.
+- */
+- irq_flags = irq_get_trigger_type(pdata->irq);
+- if (irq_flags & IRQ_TYPE_EDGE_BOTH)
+- rmi_process_interrupt_requests(rmi_dev);
++ /*
++ * Call rmi_process_interrupt_requests() after enabling irq,
++ * otherwise we may lose interrupt on edge-triggered systems.
++ */
++ irq_flags = irq_get_trigger_type(pdata->irq);
++ if (irq_flags & IRQ_TYPE_EDGE_BOTH)
++ rmi_process_interrupt_requests(rmi_dev);
++ } else {
++ data->enabled = true;
++ }
+
+ out:
+ mutex_unlock(&data->enabled_mutex);
+@@ -922,20 +936,22 @@ void rmi_disable_irq(struct rmi_device *rmi_dev, bool enable_wake)
+ goto out;
+
+ data->enabled = false;
+- disable_irq(irq);
+- if (enable_wake && device_may_wakeup(rmi_dev->xport->dev)) {
+- retval = enable_irq_wake(irq);
+- if (retval)
+- dev_warn(&rmi_dev->dev,
+- "Failed to enable irq for wake: %d\n",
+- retval);
+- }
+-
+- /* make sure the fifo is clean */
+- while (!kfifo_is_empty(&data->attn_fifo)) {
+- count = kfifo_get(&data->attn_fifo, &attn_data);
+- if (count)
+- kfree(attn_data.data);
++ if (irq) {
++ disable_irq(irq);
++ if (enable_wake && device_may_wakeup(rmi_dev->xport->dev)) {
++ retval = enable_irq_wake(irq);
++ if (retval)
++ dev_warn(&rmi_dev->dev,
++ "Failed to enable irq for wake: %d\n",
++ retval);
++ }
++ } else {
++ /* make sure the fifo is clean */
++ while (!kfifo_is_empty(&data->attn_fifo)) {
++ count = kfifo_get(&data->attn_fifo, &attn_data);
++ if (count)
++ kfree(attn_data.data);
++ }
+ }
+
+ out:
+@@ -981,6 +997,8 @@ static int rmi_driver_remove(struct device *dev)
+ irq_domain_remove(data->irqdomain);
+ data->irqdomain = NULL;
+
++ cancel_work_sync(&data->attn_work);
++
+ rmi_f34_remove_sysfs(rmi_dev);
+ rmi_free_function_list(rmi_dev);
+
+@@ -1219,9 +1237,15 @@ static int rmi_driver_probe(struct device *dev)
+ }
+ }
+
+- retval = rmi_irq_init(rmi_dev);
+- if (retval < 0)
+- goto err_destroy_functions;
++ if (pdata->irq) {
++ retval = rmi_irq_init(rmi_dev);
++ if (retval < 0)
++ goto err_destroy_functions;
++ }
++
++ data->enabled = true;
++
++ INIT_WORK(&data->attn_work, attn_callback);
+
+ if (data->f01_container->dev.driver) {
+ /* Driver already bound, so enable ATTN now. */
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index dd7863e453a5..6759ef17a2c3 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -7,6 +7,7 @@
+ #define pr_fmt(fmt) "iommu: " fmt
+
+ #include <linux/device.h>
++#include <linux/dmi.h>
+ #include <linux/dma-iommu.h>
+ #include <linux/kernel.h>
+ #include <linux/bits.h>
+@@ -3118,6 +3119,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle)
+ }
+ EXPORT_SYMBOL_GPL(iommu_sva_get_pasid);
+
++#ifdef CONFIG_ARM64
++static int __init iommu_quirks(void)
++{
++ const char *vendor, *name;
++
++ vendor = dmi_get_system_info(DMI_SYS_VENDOR);
++ name = dmi_get_system_info(DMI_PRODUCT_NAME);
++
++ if (vendor &&
++ (strncmp(vendor, "GIGABYTE", 8) == 0 && name &&
++ (strncmp(name, "R120", 4) == 0 ||
++ strncmp(name, "R270", 4) == 0))) {
++ pr_warn("Gigabyte %s detected, force iommu passthrough mode", name);
++ iommu_def_domain_type = IOMMU_DOMAIN_IDENTITY;
++ }
++
++ return 0;
++}
++arch_initcall(iommu_quirks);
++#endif
++
+ /*
+ * Changes the default domain of an iommu group that has *only* one device
+ *
+diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
+index 091b45024d34..4457c5c7e173 100644
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -5318,6 +5318,11 @@ mptsas_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ ioc, MPI_SAS_OP_CLEAR_ALL_PERSISTENT);
+ }
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++ add_taint(TAINT_SUPPORT_REMOVED, LOCKDEP_STILL_OK);
++ pr_warn("MPTSAS MODULE IS NOT SUPPORTED\n");
++#endif
++
+ error = scsi_add_host(sh, &ioc->pcidev->dev);
+ if (error) {
+ dprintk(ioc, printk(MYIOC_s_ERR_FMT
+@@ -5381,6 +5386,10 @@ static void mptsas_remove(struct pci_dev *pdev)
+ }
+
+ static struct pci_device_id mptsas_pci_table[] = {
++#ifdef CONFIG_RHEL_DIFFERENCES
++ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_SAS1068,
++ PCI_VENDOR_ID_VMWARE, PCI_ANY_ID },
++#else
+ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_SAS1064,
+ PCI_ANY_ID, PCI_ANY_ID },
+ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_SAS1068,
+@@ -5393,6 +5402,7 @@ static struct pci_device_id mptsas_pci_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID },
+ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_SAS1068_820XELP,
+ PCI_ANY_ID, PCI_ANY_ID },
++#endif
+ {0} /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(pci, mptsas_pci_table);
+diff --git a/drivers/message/fusion/mptspi.c b/drivers/message/fusion/mptspi.c
+index acd4805dcf83..5f814d447ab3 100644
+--- a/drivers/message/fusion/mptspi.c
++++ b/drivers/message/fusion/mptspi.c
+@@ -1238,12 +1238,17 @@ static struct spi_function_template mptspi_transport_functions = {
+ */
+
+ static struct pci_device_id mptspi_pci_table[] = {
++#ifdef CONFIG_RHEL_DIFFERENCES
++ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_53C1030,
++ PCI_VENDOR_ID_VMWARE, PCI_ANY_ID },
++#else
+ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_53C1030,
+ PCI_ANY_ID, PCI_ANY_ID },
+ { PCI_VENDOR_ID_ATTO, MPI_MANUFACTPAGE_DEVID_53C1030,
+ PCI_ANY_ID, PCI_ANY_ID },
+ { PCI_VENDOR_ID_LSI_LOGIC, MPI_MANUFACTPAGE_DEVID_53C1035,
+ PCI_ANY_ID, PCI_ANY_ID },
++#endif
+ {0} /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(pci, mptspi_pci_table);
+@@ -1534,6 +1539,12 @@ mptspi_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ 0, 0, 0, 0, 5);
+
+ scsi_scan_host(sh);
++
++#ifdef CONFIG_RHEL_DIFFERENCES
++ add_taint(TAINT_SUPPORT_REMOVED, LOCKDEP_STILL_OK);
++ pr_warn("MPTSPI MODULE IS NOT SUPPORTED\n");
++#endif
++
+ return 0;
+
+ out_mptspi_probe:
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 3f5feb55cfba..9d8cb34845b3 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -933,6 +933,8 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ int bars, need_ioport;
+ bool disable_dev = false;
+
++ pci_hw_unmaintained(e1000_pci_tbl, pdev);
++
+ /* do not allocate ioport bars when not needed */
+ need_ioport = e1000_is_need_ioport(pdev);
+ if (need_ioport) {
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 8b2adc56b92a..3263b33c9b69 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -3045,6 +3045,8 @@ static int __init team_module_init(void)
+ if (err)
+ goto err_nl_init;
+
++ mark_driver_deprecated(DRV_NAME);
++
+ return 0;
+
+ err_nl_init:
+diff --git a/drivers/net/wireguard/main.c b/drivers/net/wireguard/main.c
+index ee4da9ab8013..0f217997a764 100644
+--- a/drivers/net/wireguard/main.c
++++ b/drivers/net/wireguard/main.c
+@@ -12,6 +12,7 @@
+
+ #include <uapi/linux/wireguard.h>
+
++#include <linux/fips.h>
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/genetlink.h>
+@@ -21,6 +22,11 @@ static int __init wg_mod_init(void)
+ {
+ int ret;
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++ if (fips_enabled)
++ return -EOPNOTSUPP;
++#endif
++
+ ret = wg_allowedips_slab_init();
+ if (ret < 0)
+ goto err_allowedips;
+@@ -48,6 +54,7 @@ static int __init wg_mod_init(void)
+ pr_info("WireGuard " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
+ pr_info("Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n");
+
++ mark_tech_preview("WireGuard", THIS_MODULE);
+ return 0;
+
+ err_netlink:
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 1af8a4513708..5a23e077ab86 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -244,6 +244,9 @@ static void nvme_delete_ctrl_sync(struct nvme_ctrl *ctrl)
+
+ static blk_status_t nvme_error_status(u16 status)
+ {
++ if (unlikely(status & NVME_SC_DNR))
++ return BLK_STS_TARGET;
++
+ switch (status & 0x7ff) {
+ case NVME_SC_SUCCESS:
+ return BLK_STS_OK;
+@@ -303,6 +306,7 @@ enum nvme_disposition {
+ COMPLETE,
+ RETRY,
+ FAILOVER,
++ FAILUP,
+ };
+
+ static inline enum nvme_disposition nvme_decide_disposition(struct request *req)
+@@ -310,15 +314,16 @@ static inline enum nvme_disposition nvme_decide_disposition(struct request *req)
+ if (likely(nvme_req(req)->status == 0))
+ return COMPLETE;
+
+- if (blk_noretry_request(req) ||
++ if ((req->cmd_flags & (REQ_FAILFAST_DEV | REQ_FAILFAST_DRIVER)) ||
+ (nvme_req(req)->status & NVME_SC_DNR) ||
+ nvme_req(req)->retries >= nvme_max_retries)
+ return COMPLETE;
+
+- if (req->cmd_flags & REQ_NVME_MPATH) {
++ if (req->cmd_flags & (REQ_NVME_MPATH | REQ_FAILFAST_TRANSPORT)) {
+ if (nvme_is_path_error(nvme_req(req)->status) ||
+ blk_queue_dying(req->q))
+- return FAILOVER;
++ return (req->cmd_flags & REQ_NVME_MPATH) ?
++ FAILOVER : FAILUP;
+ } else {
+ if (blk_queue_dying(req->q))
+ return COMPLETE;
+@@ -344,6 +349,14 @@ static inline void nvme_end_req(struct request *req)
+ blk_mq_end_request(req, status);
+ }
+
++static inline void nvme_failup_req(struct request *req)
++{
++ nvme_update_ana(req);
++
++ nvme_req(req)->status = NVME_SC_HOST_PATH_ERROR;
++ nvme_end_req(req);
++}
++
+ void nvme_complete_rq(struct request *req)
+ {
+ trace_nvme_complete_rq(req);
+@@ -362,6 +375,9 @@ void nvme_complete_rq(struct request *req)
+ case FAILOVER:
+ nvme_failover_req(req);
+ return;
++ case FAILUP:
++ nvme_failup_req(req);
++ return;
+ }
+ }
+ EXPORT_SYMBOL_GPL(nvme_complete_rq);
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 13e5d503ed07..daaeb316f624 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -65,14 +65,10 @@ bool nvme_mpath_set_disk_name(struct nvme_ns *ns, char *disk_name, int *flags)
+ return true;
+ }
+
+-void nvme_failover_req(struct request *req)
++void nvme_update_ana(struct request *req)
+ {
+ struct nvme_ns *ns = req->q->queuedata;
+ u16 status = nvme_req(req)->status & 0x7ff;
+- unsigned long flags;
+- struct bio *bio;
+-
+- nvme_mpath_clear_current_path(ns);
+
+ /*
+ * If we got back an ANA error, we know the controller is alive but not
+@@ -83,6 +79,16 @@ void nvme_failover_req(struct request *req)
+ set_bit(NVME_NS_ANA_PENDING, &ns->flags);
+ queue_work(nvme_wq, &ns->ctrl->ana_work);
+ }
++}
++
++void nvme_failover_req(struct request *req)
++{
++ struct nvme_ns *ns = req->q->queuedata;
++ unsigned long flags;
++ struct bio *bio;
++
++ nvme_mpath_clear_current_path(ns);
++ nvme_update_ana(req);
+
+ spin_lock_irqsave(&ns->head->requeue_lock, flags);
+ for (bio = req->bio; bio; bio = bio->bi_next) {
+@@ -838,8 +844,7 @@ int nvme_mpath_init_identify(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ int error = 0;
+
+ /* check if multipath is enabled and we have the capability */
+- if (!multipath || !ctrl->subsys ||
+- !(ctrl->subsys->cmic & NVME_CTRL_CMIC_ANA))
++ if (!ctrl->subsys || !(ctrl->subsys->cmic & NVME_CTRL_CMIC_ANA))
+ return 0;
+
+ if (!ctrl->max_namespaces ||
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 9b095ee01364..bf25ef206cd2 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -765,6 +765,7 @@ void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys);
+ void nvme_mpath_start_freeze(struct nvme_subsystem *subsys);
+ bool nvme_mpath_set_disk_name(struct nvme_ns *ns, char *disk_name, int *flags);
+ void nvme_failover_req(struct request *req);
++void nvme_update_ana(struct request *req);
+ void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl);
+ int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl,struct nvme_ns_head *head);
+ void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id);
+@@ -803,6 +804,9 @@ static inline bool nvme_mpath_set_disk_name(struct nvme_ns *ns, char *disk_name,
+ static inline void nvme_failover_req(struct request *req)
+ {
+ }
++static inline void nvme_update_ana(struct request *req)
++{
++}
+ static inline void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl)
+ {
+ }
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 588588cfda48..adb3a91b0ba3 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -19,6 +19,7 @@
+ #include <linux/kexec.h>
+ #include <linux/of_device.h>
+ #include <linux/acpi.h>
++#include <linux/kernel.h>
+ #include <linux/dma-map-ops.h>
+ #include "pci.h"
+ #include "pcie/portdrv.h"
+@@ -295,6 +296,83 @@ static struct attribute *pci_drv_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(pci_drv);
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++/**
++ * pci_hw_deprecated - Tell if a PCI device is deprecated
++ * @ids: array of PCI device id structures to search in
++ * @dev: the PCI device structure to match against
++ *
++ * Used by a driver to check whether this device is in its list of deprecated
++ * devices. Returns the matching pci_device_id structure or %NULL if there is
++ * no match.
++ *
++ * Reserved for Internal Red Hat use only.
++ */
++const struct pci_device_id *pci_hw_deprecated(const struct pci_device_id *ids,
++ struct pci_dev *dev)
++{
++ const struct pci_device_id *ret = pci_match_id(ids, dev);
++
++ if (!ret)
++ return NULL;
++
++ mark_hardware_deprecated(dev_driver_string(&dev->dev), "%04X:%04X @ %s",
++ dev->device, dev->vendor, pci_name(dev));
++ return ret;
++}
++EXPORT_SYMBOL(pci_hw_deprecated);
++
++/**
++ * pci_hw_unmaintained - Tell if a PCI device is unmaintained
++ * @ids: array of PCI device id structures to search in
++ * @dev: the PCI device structure to match against
++ *
++ * Used by a driver to check whether this device is in its list of unmaintained
++ * devices. Returns the matching pci_device_id structure or %NULL if there is
++ * no match.
++ *
++ * Reserved for Internal Red Hat use only.
++ */
++const struct pci_device_id *pci_hw_unmaintained(const struct pci_device_id *ids,
++ struct pci_dev *dev)
++{
++ const struct pci_device_id *ret = pci_match_id(ids, dev);
++
++ if (!ret)
++ return NULL;
++
++ mark_hardware_unmaintained(dev_driver_string(&dev->dev), "%04X:%04X @ %s",
++ dev->device, dev->vendor, pci_name(dev));
++ return ret;
++}
++EXPORT_SYMBOL(pci_hw_unmaintained);
++
++/**
++ * pci_hw_disabled - Tell if a PCI device is disabled
++ * @ids: array of PCI device id structures to search in
++ * @dev: the PCI device structure to match against
++ *
++ * Used by a driver to check whether this device is in its list of disabled
++ * devices. Returns the matching pci_device_id structure or %NULL if there is
++ * no match.
++ *
++ * Reserved for Internal Red Hat use only.
++ */
++const struct pci_device_id *pci_hw_disabled(const struct pci_device_id *ids,
++ struct pci_dev *dev)
++{
++ const struct pci_device_id *ret = pci_match_id(ids, dev);
++
++ if (!ret)
++ return NULL;
++
++ mark_hardware_disabled(dev_driver_string(&dev->dev), "%04X:%04X @ %s",
++ dev->device, dev->vendor, pci_name(dev));
++ return ret;
++}
++EXPORT_SYMBOL(pci_hw_disabled);
++#endif
++
+ struct drv_dev_and_id {
+ struct pci_driver *drv;
+ struct pci_dev *dev;
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index b4cb658cce2b..287443efe522 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4269,6 +4269,30 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9000,
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9084,
+ quirk_bridge_cavm_thrx2_pcie_root);
+
++/*
++ * PCI BAR 5 is not setup correctly for the on-board AHCI controller
++ * on Broadcom's Vulcan processor. Added a quirk to fix BAR 5 by
++ * using BAR 4's resources which are populated correctly and NOT
++ * actually used by the AHCI controller.
++ */
++static void quirk_fix_vulcan_ahci_bars(struct pci_dev *dev)
++{
++ struct resource *r = &dev->resource[4];
++
++ if (!(r->flags & IORESOURCE_MEM) || (r->start == 0))
++ return;
++
++ /* Set BAR5 resource to BAR4 */
++ dev->resource[5] = *r;
++
++ /* Update BAR5 in pci config space */
++ pci_write_config_dword(dev, PCI_BASE_ADDRESS_5, r->start);
++
++ /* Clear BAR4's resource */
++ memset(r, 0, sizeof(*r));
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_BROADCOM, 0x9027, quirk_fix_vulcan_ahci_bars);
++
+ /*
+ * Intersil/Techwell TW686[4589]-based video capture cards have an empty (zero)
+ * class code. Fix it.
+diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
+index a911252075a6..9bc69f6880f3 100644
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -78,6 +78,7 @@ char aac_driver_version[] = AAC_DRIVER_FULL_VERSION;
+ * Note: The last field is used to index into aac_drivers below.
+ */
+ static const struct pci_device_id aac_pci_tbl[] = {
++#ifndef CONFIG_RHEL_DIFFERENCES
+ { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
+ { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
+ { 0x1028, 0x0003, 0x1028, 0x0003, 0, 0, 2 }, /* PERC 3/Si (SlimFast/PERC3Si */
+@@ -145,6 +146,7 @@ static const struct pci_device_id aac_pci_tbl[] = {
+ { 0x9005, 0x0285, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 59 }, /* Adaptec Catch All */
+ { 0x9005, 0x0286, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 60 }, /* Adaptec Rocket Catch All */
+ { 0x9005, 0x0288, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 61 }, /* Adaptec NEMER/ARK Catch All */
++#endif
+ { 0x9005, 0x028b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 62 }, /* Adaptec PMC Series 6 (Tupelo) */
+ { 0x9005, 0x028c, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 63 }, /* Adaptec PMC Series 7 (Denali) */
+ { 0x9005, 0x028d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 64 }, /* Adaptec PMC Series 8 */
+diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
+index ab55681145f8..1f8b0f73597b 100644
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -372,11 +372,13 @@ static int beiscsi_eh_device_reset(struct scsi_cmnd *sc)
+
+ /*------------------- PCI Driver operations and data ----------------- */
+ static const struct pci_device_id beiscsi_pci_id_table[] = {
++#ifndef CONFIG_RHEL_DIFFERENCES
+ { PCI_DEVICE(BE_VENDOR_ID, BE_DEVICE_ID1) },
+ { PCI_DEVICE(BE_VENDOR_ID, BE_DEVICE_ID2) },
+ { PCI_DEVICE(BE_VENDOR_ID, OC_DEVICE_ID1) },
+ { PCI_DEVICE(BE_VENDOR_ID, OC_DEVICE_ID2) },
+ { PCI_DEVICE(BE_VENDOR_ID, OC_DEVICE_ID3) },
++#endif
+ { PCI_DEVICE(ELX_VENDOR_ID, OC_SKH_ID1) },
+ { 0 }
+ };
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index cdf3328cc065..6754c7ee79d7 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -82,7 +82,9 @@ MODULE_DESCRIPTION("Driver for HP Smart Array Controller version " \
+ HPSA_DRIVER_VERSION);
+ MODULE_VERSION(HPSA_DRIVER_VERSION);
+ MODULE_LICENSE("GPL");
++#ifndef CONFIG_RHEL_DIFFERENCES
+ MODULE_ALIAS("cciss");
++#endif
+
+ static int hpsa_simple_mode;
+ module_param(hpsa_simple_mode, int, S_IRUGO|S_IWUSR);
+@@ -144,10 +146,12 @@ static const struct pci_device_id hpsa_pci_device_id[] = {
+ {PCI_VENDOR_ID_HP_3PAR, 0x0075, 0x1590, 0x007D},
+ {PCI_VENDOR_ID_HP_3PAR, 0x0075, 0x1590, 0x0088},
+ {PCI_VENDOR_ID_HP, 0x333f, 0x103c, 0x333f},
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_HP, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
+ {PCI_VENDOR_ID_COMPAQ, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
++#endif
+ {0,}
+ };
+
+diff --git a/drivers/scsi/lpfc/lpfc_ids.h b/drivers/scsi/lpfc/lpfc_ids.h
+index 6a90e6e53d09..7e48c3bf701d 100644
+--- a/drivers/scsi/lpfc/lpfc_ids.h
++++ b/drivers/scsi/lpfc/lpfc_ids.h
+@@ -24,6 +24,7 @@
+ #include <linux/pci.h>
+
+ const struct pci_device_id lpfc_id_table[] = {
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_VIPER,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_FIREFLY,
+@@ -54,14 +55,19 @@ const struct pci_device_id lpfc_id_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_HELIOS_DCSP,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_BMID,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_BSMB,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_ZEPHYR,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_HORNET,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_ZEPHYR_SCSP,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_ZEPHYR_DCSP,
+@@ -70,6 +76,7 @@ const struct pci_device_id lpfc_id_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_ZSMB,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_TFLY,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LP101,
+@@ -80,6 +87,7 @@ const struct pci_device_id lpfc_id_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LPE11000S,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_SAT,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_SAT_MID,
+@@ -92,6 +100,7 @@ const struct pci_device_id lpfc_id_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_SAT_S,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_PROTEUS_VF,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_PROTEUS_PF,
+@@ -102,18 +111,23 @@ const struct pci_device_id lpfc_id_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_SERVERENGINE, PCI_DEVICE_ID_TOMCAT,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_FALCON,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_BALIUS,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_FC,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_FCOE,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_FC_VF,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_FCOE_VF,
+ PCI_ANY_ID, PCI_ANY_ID, },
++#endif
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_G6_FC,
+ PCI_ANY_ID, PCI_ANY_ID, },
+ {PCI_VENDOR_ID_EMULEX, PCI_DEVICE_ID_LANCER_G7_FC,
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index aeb95f409826..68a999b02009 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -149,6 +149,7 @@ megasas_set_ld_removed_by_fw(struct megasas_instance *instance);
+ */
+ static struct pci_device_id megasas_pci_table[] = {
+
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS1064R)},
+ /* xscale IOP */
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS1078R)},
+@@ -157,16 +158,19 @@ static struct pci_device_id megasas_pci_table[] = {
+ /* ppc IOP */
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS1078GEN2)},
+ /* gen2*/
++#endif
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS0079GEN2)},
+ /* gen2*/
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS0073SKINNY)},
+ /* skinny*/
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_SAS0071SKINNY)},
+ /* skinny*/
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_VERDE_ZCR)},
+ /* xscale IOP, vega */
+ {PCI_DEVICE(PCI_VENDOR_ID_DELL, PCI_DEVICE_ID_DELL_PERC5)},
+ /* xscale IOP */
++#endif
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_FUSION)},
+ /* Fusion */
+ {PCI_DEVICE(PCI_VENDOR_ID_LSI_LOGIC, PCI_DEVICE_ID_LSI_PLASMA)},
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 00792767c620..2ee890521ed7 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -12605,6 +12605,7 @@ bool scsih_ncq_prio_supp(struct scsi_device *sdev)
+ * The pci device ids are defined in mpi/mpi2_cnfg.h.
+ */
+ static const struct pci_device_id mpt3sas_pci_table[] = {
++#ifndef CONFIG_RHEL_DIFFERENCES
+ /* Spitfire ~ 2004 */
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI2_MFGPAGE_DEVID_SAS2004,
+ PCI_ANY_ID, PCI_ANY_ID },
+@@ -12623,6 +12624,7 @@ static const struct pci_device_id mpt3sas_pci_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID },
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI2_MFGPAGE_DEVID_SAS2116_2,
+ PCI_ANY_ID, PCI_ANY_ID },
++#endif
+ /* Thunderbolt ~ 2208 */
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI2_MFGPAGE_DEVID_SAS2208_1,
+ PCI_ANY_ID, PCI_ANY_ID },
+@@ -12647,9 +12649,11 @@ static const struct pci_device_id mpt3sas_pci_table[] = {
+ PCI_ANY_ID, PCI_ANY_ID },
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI2_MFGPAGE_DEVID_SWITCH_MPI_EP_1,
+ PCI_ANY_ID, PCI_ANY_ID },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ /* SSS6200 */
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI2_MFGPAGE_DEVID_SSS6200,
+ PCI_ANY_ID, PCI_ANY_ID },
++#endif
+ /* Fury ~ 3004 and 3008 */
+ { MPI2_MFGPAGE_VENDORID_LSI, MPI25_MFGPAGE_DEVID_SAS3004,
+ PCI_ANY_ID, PCI_ANY_ID },
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index abcd30917263..3f0b22e61350 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -7937,6 +7937,7 @@ static const struct pci_error_handlers qla2xxx_err_handler = {
+ };
+
+ static struct pci_device_id qla2xxx_pci_tbl[] = {
++#ifndef CONFIG_RHEL_DIFFERENCES
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2100) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2200) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2300) },
+@@ -7949,13 +7950,18 @@ static struct pci_device_id qla2xxx_pci_tbl[] = {
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP8432) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP5422) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP5432) },
++#endif
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2532) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2031) },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP8001) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP8021) },
++#endif
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP8031) },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISPF001) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP8044) },
++#endif
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2071) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2271) },
+ { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, PCI_DEVICE_ID_QLOGIC_ISP2261) },
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 8987acc24dac..5013d52a7211 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -9855,6 +9855,7 @@ static struct pci_device_id qla4xxx_pci_tbl[] = {
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ },
++#ifndef CONFIG_RHEL_DIFFERENCES
+ {
+ .vendor = PCI_VENDOR_ID_QLOGIC,
+ .device = PCI_DEVICE_ID_QLOGIC_ISP8022,
+@@ -9873,6 +9874,7 @@ static struct pci_device_id qla4xxx_pci_tbl[] = {
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ },
++#endif
+ {0, 0},
+ };
+ MODULE_DEVICE_TABLE(pci, qla4xxx_pci_tbl);
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 00070a8a6507..e9e0ffa990cd 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5666,6 +5666,13 @@ static void hub_event(struct work_struct *work)
+ (u16) hub->change_bits[0],
+ (u16) hub->event_bits[0]);
+
++ /* Don't disconnect USB-SATA on TrimSlice */
++ if (strcmp(dev_name(hdev->bus->controller), "tegra-ehci.0") == 0) {
++ if ((hdev->state == 7) && (hub->change_bits[0] == 0) &&
++ (hub->event_bits[0] == 0x2))
++ hub->event_bits[0] = 0;
++ }
++
+ /* Lock the device, then check to see if we were
+ * disconnected while waiting for the lock to succeed. */
+ usb_lock_device(hdev);
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 4e33b5eca694..b480ca4934de 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4304,6 +4304,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ set_bit(EXT4_FLAGS_BDEV_IS_DAX, &sbi->s_ext4_flags);
+
+ if (sbi->s_mount_opt & EXT4_MOUNT_DAX_ALWAYS) {
++ static bool printed = false;
+ if (ext4_has_feature_inline_data(sb)) {
+ ext4_msg(sb, KERN_ERR, "Cannot use DAX on a filesystem"
+ " that may contain inline data");
+@@ -4314,6 +4315,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ "DAX unsupported by block device.");
+ goto failed_mount;
+ }
++ if (!printed) {
++ mark_tech_preview("ext4 direct access (dax)", NULL);
++ printed = true;
++ }
+ }
+
+ if (ext4_has_feature_encrypt(sb) && es->s_encryption_level) {
+diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
+index 778b57b1f020..2a152330076d 100644
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -1594,6 +1594,7 @@ xfs_fs_fill_super(
+
+ if (xfs_has_dax_always(mp)) {
+ bool rtdev_is_dax = false, datadev_is_dax;
++ static bool printed = false;
+
+ xfs_warn(mp,
+ "DAX enabled. Warning: EXPERIMENTAL, use at your own risk");
+@@ -1613,6 +1614,10 @@ xfs_fs_fill_super(
+ error = -EINVAL;
+ goto out_filestream_unmount;
+ }
++ if (!printed) {
++ mark_tech_preview("xfs direct access (dax)", NULL);
++ printed = true;
++ }
+ }
+
+ if (xfs_has_discard(mp)) {
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index ef8dbc0a1522..836a5dfc6156 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -43,6 +43,8 @@
+ #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1)))
+ #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1)))
+
++#define EFI_IS_ERROR(x) ((x) & (1UL << (BITS_PER_LONG-1)))
++
+ typedef unsigned long efi_status_t;
+ typedef u8 efi_bool_t;
+ typedef u16 efi_char16_t; /* UNICODE character */
+@@ -783,6 +785,14 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+ #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */
+ #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */
++#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */
++
++enum efi_secureboot_mode {
++ efi_secureboot_mode_unset,
++ efi_secureboot_mode_unknown,
++ efi_secureboot_mode_disabled,
++ efi_secureboot_mode_enabled,
++};
+
+ #ifdef CONFIG_EFI
+ /*
+@@ -794,6 +804,8 @@ static inline bool efi_enabled(int feature)
+ }
+ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+
++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
++
+ bool __pure __efi_soft_reserve_enabled(void);
+
+ static inline bool __pure efi_soft_reserve_enabled(void)
+@@ -814,6 +826,8 @@ static inline bool efi_enabled(int feature)
+ static inline void
+ efi_reboot(enum reboot_mode reboot_mode, const char *__unused) {}
+
++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
++
+ static inline bool efi_soft_reserve_enabled(void)
+ {
+ return false;
+@@ -826,6 +840,7 @@ static inline bool efi_rt_services_supported(unsigned int mask)
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
++extern const char *efi_status_to_str(efi_status_t status);
+
+ /*
+ * Variable Attributes
+@@ -1078,13 +1093,6 @@ static inline bool efi_runtime_disabled(void) { return true; }
+ extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+ extern unsigned long efi_call_virt_save_flags(void);
+
+-enum efi_secureboot_mode {
+- efi_secureboot_mode_unset,
+- efi_secureboot_mode_unknown,
+- efi_secureboot_mode_disabled,
+- efi_secureboot_mode_enabled,
+-};
+-
+ static inline
+ enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
+ {
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 77755ac3e189..e236de3f9073 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -495,4 +495,23 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
+ /* OTHER_WRITABLE? Generally considered a bad idea. */ \
+ BUILD_BUG_ON_ZERO((perms) & 2) + \
+ (perms))
++
++struct module;
++
++#ifdef CONFIG_RHEL_DIFFERENCES
++void mark_hardware_unmaintained(const char *driver_name, char *fmt, ...);
++void mark_driver_unmaintained(const char *driver_name);
++void mark_hardware_deprecated(const char *driver_name, char *fmt, ...);
++void mark_driver_deprecated(const char *driver_name);
++void mark_hardware_disabled(const char *driver_name, char *fmt, ...);
++void mark_tech_preview(const char *msg, struct module *mod);
++#else
++static inline void mark_hardware_unsupported(const char *driver_name, char *fmt, ...) { }
++static inline void mark_driver_unmaintained(const char *driver_name) { }
++static inline void mark_hardware_deprecated(const char *driver_name, char *fmt, ...) { }
++static inline void mark_driver_deprecated(const char *driver_name) { }
++static inline void mark_hardware_disabled(const char *driver_name, char *fmt, ...) { }
++static inline void mark_tech_preview(const char *msg, struct module *mod) { }
++#endif
++
+ #endif
+diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
+index df8de62f4710..f4bbbeb1623a 100644
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -395,6 +395,8 @@ LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
+ #endif /* CONFIG_BPF_SYSCALL */
+
+ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
++LSM_HOOK(int, 0, lock_kernel_down, const char *where, enum lockdown_reason level)
++
+
+ #ifdef CONFIG_PERF_EVENTS
+ LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index d45b6f6e27fd..70622b506461 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1548,6 +1548,12 @@
+ *
+ * @what: kernel feature being accessed
+ *
++ * @lock_kernel_down
++ * Put the kernel into lock-down mode.
++ *
++ * @where: Where the lock-down is originating from (e.g. command line option)
++ * @level: The lock-down level (can only increase)
++ *
+ * Security hooks for perf events
+ *
+ * @perf_event_open:
+diff --git a/include/linux/module.h b/include/linux/module.h
+index c9f1200b2312..8ebb51f34be4 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -380,6 +380,7 @@ struct module {
+ struct module_attribute *modinfo_attrs;
+ const char *version;
+ const char *srcversion;
++ const char *rhelversion;
+ struct kobject *holders_dir;
+
+ /* Exported symbols */
+diff --git a/include/linux/panic.h b/include/linux/panic.h
+index f5844908a089..901d51012738 100644
+--- a/include/linux/panic.h
++++ b/include/linux/panic.h
+@@ -74,7 +74,24 @@ static inline void set_arch_panic_timeout(int timeout, int arch_default_timeout)
+ #define TAINT_LIVEPATCH 15
+ #define TAINT_AUX 16
+ #define TAINT_RANDSTRUCT 17
+-#define TAINT_FLAGS_COUNT 18
++/* Start of Red Hat-specific taint flags */
++#define TAINT_18 18
++#define TAINT_19 19
++#define TAINT_20 20
++#define TAINT_21 21
++#define TAINT_22 22
++#define TAINT_23 23
++#define TAINT_24 24
++#define TAINT_25 25
++#define TAINT_26 26
++#define TAINT_SUPPORT_REMOVED 27
++/* Bits 28 - 31 are reserved for Red Hat use only */
++#define TAINT_RESERVED28 28
++#define TAINT_RESERVED29 29
++#define TAINT_RESERVED30 30
++#define TAINT_UNPRIVILEGED_BPF 31
++/* End of Red Hat-specific taint flags */
++#define TAINT_FLAGS_COUNT 32
+ #define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1)
+
+ struct taint_flag {
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 18a75c8e615c..8cc24460267e 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1478,6 +1478,22 @@ int pci_add_dynid(struct pci_driver *drv,
+ unsigned long driver_data);
+ const struct pci_device_id *pci_match_id(const struct pci_device_id *ids,
+ struct pci_dev *dev);
++
++#ifdef CONFIG_RHEL_DIFFERENCES
++const struct pci_device_id *pci_hw_deprecated(const struct pci_device_id *ids,
++ struct pci_dev *dev);
++const struct pci_device_id *pci_hw_unmaintained(const struct pci_device_id *ids,
++ struct pci_dev *dev);
++const struct pci_device_id *pci_hw_disabled(const struct pci_device_id *ids,
++ struct pci_dev *dev);
++#else
++static inline const struct pci_device_id *pci_hw_deprecated(const struct pci_device_id *ids,
++ struct pci_dev *dev) { return NULL; }
++static inline const struct pci_device_id *pci_hw_unmaintained(const struct pci_device_id *ids,
++ struct pci_dev *dev) { return NULL; }
++static inline const struct pci_device_id *pci_hw_disabled(const struct pci_device_id *ids,
++ struct pci_dev *dev) {return NULL; }
++#endif
+ int pci_scan_bridge(struct pci_bus *bus, struct pci_dev *dev, int max,
+ int pass);
+
+diff --git a/include/linux/random.h b/include/linux/random.h
+index c45b2693e51f..4edfdb3e44a9 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -14,6 +14,11 @@
+
+ #include <uapi/linux/random.h>
+
++struct random_extrng {
++ ssize_t (*extrng_read)(void __user *buf, size_t buflen);
++ struct module *owner;
++};
++
+ struct random_ready_callback {
+ struct list_head list;
+ void (*func)(struct random_ready_callback *rdy);
+@@ -44,6 +49,8 @@ extern bool rng_is_initialized(void);
+ extern int add_random_ready_callback(struct random_ready_callback *rdy);
+ extern void del_random_ready_callback(struct random_ready_callback *rdy);
+ extern int __must_check get_random_bytes_arch(void *buf, int nbytes);
++void random_register_extrng(const struct random_extrng *rng);
++void random_unregister_extrng(void);
+
+ #ifndef MODULE
+ extern const struct file_operations random_fops, urandom_fops;
+diff --git a/include/linux/rh_kabi.h b/include/linux/rh_kabi.h
+new file mode 100644
+index 000000000000..ea9c136bf884
+--- /dev/null
++++ b/include/linux/rh_kabi.h
+@@ -0,0 +1,297 @@
++/*
++ * rh_kabi.h - Red Hat kABI abstraction header
++ *
++ * Copyright (c) 2014 Don Zickus
++ * Copyright (c) 2015-2018 Jiri Benc
++ * Copyright (c) 2015 Sabrina Dubroca, Hannes Frederic Sowa
++ * Copyright (c) 2016-2018 Prarit Bhargava
++ * Copyright (c) 2017 Paolo Abeni, Larry Woodman
++ *
++ * This file is released under the GPLv2.
++ * See the file COPYING for more details.
++ *
++ * These kabi macros hide the changes from the kabi checker and from the
++ * process that computes the exported symbols' checksums.
++ * They have 2 variants: one (defined under __GENKSYMS__) used when
++ * generating the checksums, and the other used when building the kernel's
++ * binaries.
++ *
++ * The use of these macros does not guarantee that the usage and modification
++ * of code is correct. As with all Red Hat only changes, an engineer must
++ * explain why the use of the macro is valid in the patch containing the
++ * changes.
++ *
++ */
++
++#ifndef _LINUX_RH_KABI_H
++#define _LINUX_RH_KABI_H
++
++#include <linux/compiler.h>
++#include <linux/stringify.h>
++
++/*
++ * RH_KABI_CONST
++ * Adds a new const modifier to a function parameter preserving the old
++ * checksum.
++ *
++ * RH_KABI_DEPRECATE
++ * Mark the element as deprecated and make it unusable by modules while
++ * preserving kABI checksums.
++ *
++ * RH_KABI_DEPRECATE_FN
++ * Mark the function pointer as deprecated and make it unusable by modules
++ * while preserving kABI checksums.
++ *
++ * RH_KABI_EXTEND
++ * Simple macro for adding a new element to a struct.
++ *
++ * RH_KABI_EXTEND_WITH_SIZE
++ * Adds a new element (usually a struct) to a struct and reserves extra
++ * space for the new element. The provided 'size' is the total space to
++ * be added in longs (i.e. it's 8 * 'size' bytes), including the size of
++ * the added element. It is automatically checked that the new element
++ * does not overflow the reserved space, now nor in the future. However,
++ * no attempt is done to check the content of the added element (struct)
++ * for kABI conformance - kABI checking inside the added element is
++ * effectively switched off.
++ * For any struct being added by RH_KABI_EXTEND_WITH_SIZE, it is
++ * recommended its content to be documented as not covered by kABI
++ * guarantee.
++ *
++ * RH_KABI_FILL_HOLE
++ * Simple macro for filling a hole in a struct.
++ *
++ * Warning: only use if a hole exists for _all_ arches. Use pahole to verify.
++ *
++ * RH_KABI_RENAME
++ * Simple macro for renaming an element without changing its type. This
++ * macro can be used in bitfields, for example.
++ *
++ * NOTE: does not include the final ';'
++ *
++ * RH_KABI_REPLACE
++ * Simple replacement of _orig with a union of _orig and _new.
++ *
++ * The RH_KABI_REPLACE* macros attempt to add the ability to use the '_new'
++ * element while preserving size alignment with the '_orig' element.
++ *
++ * The #ifdef __GENKSYMS__ preserves the kABI agreement, while the anonymous
++ * union structure preserves the size alignment (assuming the '_new' element
++ * is not bigger than the '_orig' element).
++ *
++ * RH_KABI_REPLACE_UNSAFE
++ * Unsafe version of RH_KABI_REPLACE. Only use for typedefs.
++ *
++ * RH_KABI_FORCE_CHANGE
++ * Force change of the symbol checksum. The argument of the macro is a
++ * version for cases we need to do this more than once.
++ *
++ * This macro does the opposite: it changes the symbol checksum without
++ * actually changing anything about the exported symbol. It is useful for
++ * symbols that are not whitelisted, we're changing them in an
++ * incompatible way and want to prevent 3rd party modules to silently
++ * corrupt memory. Instead, by changing the symbol checksum, such modules
++ * won't be loaded by the kernel. This macro should only be used as a
++ * last resort when all other KABI workarounds have failed.
++ *
++ * RH_KABI_EXCLUDE
++ * !!! WARNING: DANGEROUS, DO NOT USE unless you are aware of all the !!!
++ * !!! implications. This should be used ONLY EXCEPTIONALLY and only !!!
++ * !!! under specific circumstances. Very likely, this macro does not !!!
++ * !!! do what you expect it to do. Note that any usage of this macro !!!
++ * !!! MUST be paired with a RH_KABI_FORCE_CHANGE annotation of !!!
++ * !!! a suitable symbol (or an equivalent safeguard) and the commit !!!
++ * !!! log MUST explain why the chosen solution is appropriate. !!!
++ *
++ * Exclude the element from checksum generation. Any such element is
++ * considered not to be part of the kABI whitelist and may be changed at
++ * will. Note however that it's the responsibility of the developer
++ * changing the element to ensure 3rd party drivers using this element
++ * won't panic, for example by not allowing them to be loaded. That can
++ * be achieved by changing another, non-whitelisted symbol they use,
++ * either by nature of the change or by using RH_KABI_FORCE_CHANGE.
++ *
++ * Also note that any change to the element must preserve its size. Change
++ * of the size is not allowed and would constitute a silent kABI breakage.
++ * Beware that the RH_KABI_EXCLUDE macro does not do any size checks.
++ *
++ * NOTE
++ * Don't use ';' after these macros as it messes up the kABI checker by
++ * changing what the resulting token string looks like. Instead let this
++ * macro add the ';' so it can be properly hidden from the kABI checker
++ * (mainly for RH_KABI_EXTEND, but applied to all macros for uniformity).
++ *
++ */
++#ifdef __GENKSYMS__
++
++# define RH_KABI_CONST
++# define RH_KABI_EXTEND(_new)
++# define RH_KABI_FILL_HOLE(_new)
++# define RH_KABI_FORCE_CHANGE(ver) __attribute__((rh_kabi_change ## ver))
++# define RH_KABI_RENAME(_orig, _new) _orig
++
++# define _RH_KABI_DEPRECATE(_type, _orig) _type _orig
++# define _RH_KABI_DEPRECATE_FN(_type, _orig, _args...) _type (*_orig)(_args)
++# define _RH_KABI_REPLACE(_orig, _new) _orig
++# define _RH_KABI_REPLACE_UNSAFE(_orig, _new) _orig
++# define _RH_KABI_EXCLUDE(_elem)
++
++#else
++
++# define RH_KABI_ALIGN_WARNING ". Disable CONFIG_RH_KABI_SIZE_ALIGN_CHECKS if debugging."
++
++# define RH_KABI_CONST const
++# define RH_KABI_EXTEND(_new) _new;
++# define RH_KABI_FILL_HOLE(_new) _new;
++# define RH_KABI_FORCE_CHANGE(ver)
++# define RH_KABI_RENAME(_orig, _new) _new
++
++
++#if IS_BUILTIN(CONFIG_RH_KABI_SIZE_ALIGN_CHECKS)
++# define __RH_KABI_CHECK_SIZE_ALIGN(_orig, _new) \
++ union { \
++ _Static_assert(sizeof(struct{_new;}) <= sizeof(struct{_orig;}), \
++ __FILE__ ":" __stringify(__LINE__) ": " __stringify(_new) " is larger than " __stringify(_orig) RH_KABI_ALIGN_WARNING); \
++ _Static_assert(__alignof__(struct{_new;}) <= __alignof__(struct{_orig;}), \
++ __FILE__ ":" __stringify(__LINE__) ": " __stringify(_orig) " is not aligned the same as " __stringify(_new) RH_KABI_ALIGN_WARNING); \
++ }
++# define __RH_KABI_CHECK_SIZE(_item, _size) \
++ _Static_assert(sizeof(struct{_item;}) <= _size, \
++ __FILE__ ":" __stringify(__LINE__) ": " __stringify(_item) " is larger than the reserved size (" __stringify(_size) " bytes)" RH_KABI_ALIGN_WARNING)
++#else
++# define __RH_KABI_CHECK_SIZE_ALIGN(_orig, _new)
++# define __RH_KABI_CHECK_SIZE(_item, _size)
++#endif
++
++#define RH_KABI_UNIQUE_ID __PASTE(rh_kabi_hidden_, __LINE__)
++
++# define _RH_KABI_DEPRECATE(_type, _orig) _type rh_reserved_##_orig
++# define _RH_KABI_DEPRECATE_FN(_type, _orig, _args...) \
++ _type (* rh_reserved_##_orig)(_args)
++# define _RH_KABI_REPLACE(_orig, _new) \
++ union { \
++ _new; \
++ struct { \
++ _orig; \
++ } RH_KABI_UNIQUE_ID; \
++ __RH_KABI_CHECK_SIZE_ALIGN(_orig, _new); \
++ }
++# define _RH_KABI_REPLACE_UNSAFE(_orig, _new) _new
++
++# define _RH_KABI_EXCLUDE(_elem) _elem
++
++#endif /* __GENKSYMS__ */
++
++/* semicolon added wrappers for the RH_KABI_REPLACE macros */
++# define RH_KABI_DEPRECATE(_type, _orig) _RH_KABI_DEPRECATE(_type, _orig);
++# define RH_KABI_DEPRECATE_FN(_type, _orig, _args...) \
++ _RH_KABI_DEPRECATE_FN(_type, _orig, _args);
++# define RH_KABI_REPLACE(_orig, _new) _RH_KABI_REPLACE(_orig, _new);
++# define RH_KABI_REPLACE_UNSAFE(_orig, _new) _RH_KABI_REPLACE_UNSAFE(_orig, _new);
++/*
++ * Macro for breaking up a random element into two smaller chunks using an
++ * anonymous struct inside an anonymous union.
++ */
++# define RH_KABI_REPLACE2(orig, _new1, _new2) RH_KABI_REPLACE(orig, struct{ _new1; _new2;})
++
++# define RH_KABI_RESERVE(n) _RH_KABI_RESERVE(n);
++/*
++ * Simple wrappers to replace standard Red Hat reserved elements.
++ */
++# define RH_KABI_USE(n, _new) RH_KABI_REPLACE(_RH_KABI_RESERVE(n), _new)
++/*
++ * Macros for breaking up a reserved element into two smaller chunks using
++ * an anonymous struct inside an anonymous union.
++ */
++# define RH_KABI_USE2(n, _new1, _new2) RH_KABI_REPLACE(_RH_KABI_RESERVE(n), struct{ _new1; _new2; })
++
++/*
++ * We tried to standardize on Red Hat reserved names. These wrappers
++ * leverage those common names making it easier to read and find in the
++ * code.
++ */
++# define _RH_KABI_RESERVE(n) unsigned long rh_reserved##n
++
++#define RH_KABI_EXCLUDE(_elem) _RH_KABI_EXCLUDE(_elem);
++
++/*
++ * Extending a struct while reserving extra space.
++ */
++#define RH_KABI_EXTEND_WITH_SIZE(_new, _size) \
++ RH_KABI_EXTEND(union { \
++ _new; \
++ unsigned long RH_KABI_UNIQUE_ID[_size]; \
++ __RH_KABI_CHECK_SIZE(_new, 8 * (_size)); \
++ })
++
++/*
++ * RHEL macros to extend structs.
++ *
++ * base struct: The struct being extended. For example, pci_dev.
++ * extended struct: The Red Hat struct being added to the base struct.
++ * For example, pci_dev_rh.
++ *
++ * These macros should be used to extend structs before KABI freeze.
++ * They can be used post-KABI freeze in the limited case of the base
++ * struct not being embedded in another struct.
++ *
++ * Extended structs cannot be shrunk in size as changes will break
++ * the size & offset comparison.
++ *
++ * Extended struct elements are not guaranteed for access by modules unless
++ * explicitly commented as such in the declaration of the extended struct or
++ * the element in the extended struct.
++ */
++
++/*
++ * RH_KABI_SIZE_AND_EXTEND|_PTR() extends a struct by embedding or adding
++ * a pointer in a base struct. The name of the new struct is the name
++ * of the base struct appended with _rh.
++ */
++#define _RH_KABI_SIZE_AND_EXTEND_PTR(_struct) \
++ size_t _struct##_size_rh; \
++ RH_KABI_EXCLUDE(struct _struct##_rh *_struct##_rh)
++#define RH_KABI_SIZE_AND_EXTEND_PTR(_struct) \
++ _RH_KABI_SIZE_AND_EXTEND_PTR(_struct)
++
++#define _RH_KABI_SIZE_AND_EXTEND(_struct) \
++ size_t _struct##_size_rh; \
++ RH_KABI_EXCLUDE(struct _struct##_rh _struct##_rh)
++#define RH_KABI_SIZE_AND_EXTEND(_struct) \
++ _RH_KABI_SIZE_AND_EXTEND(_struct)
++
++/*
++ * RH_KABI_SET_SIZE calculates and sets the size of the extended struct and
++ * stores it in the size_rh field for structs that are dynamically allocated.
++ * This macro MUST be called when expanding a base struct with
++ * RH_KABI_SIZE_AND_EXTEND, and it MUST be called from the allocation site
++ * regardless of being allocated in the kernel or a module.
++ * Note: since this macro is intended to be invoked outside of a struct,
++ * a semicolon is necessary at the end of the line where it is invoked.
++ */
++#define RH_KABI_SET_SIZE(_name, _struct) ({ \
++ _name->_struct##_size_rh = sizeof(struct _struct##_rh); \
++})
++
++/*
++ * RH_KABI_INIT_SIZE calculates and sets the size of the extended struct and
++ * stores it in the size_rh field for structs that are statically allocated.
++ * This macro MUST be called when expanding a base struct with
++ * RH_KABI_SIZE_AND_EXTEND, and it MUST be called from the declaration site
++ * regardless of being allocated in the kernel or a module.
++ */
++#define RH_KABI_INIT_SIZE(_struct) \
++ ._struct##_size_rh = sizeof(struct _struct##_rh),
++
++/*
++ * RH_KABI_CHECK_EXT verifies allocated memory exists. This MUST be called to
++ * verify that memory in the _rh struct is valid, and can be called
++ * regardless if RH_KABI_SIZE_AND_EXTEND or RH_KABI_SIZE_AND_EXTEND_PTR is
++ * used.
++ */
++#define RH_KABI_CHECK_EXT(_ptr, _struct, _field) ({ \
++ size_t __off = offsetof(struct _struct##_rh, _field); \
++ _ptr->_struct##_size_rh > __off ? true : false; \
++})
++
++#endif /* _LINUX_RH_KABI_H */
+diff --git a/include/linux/rmi.h b/include/linux/rmi.h
+index ab7eea01ab42..fff7c5f737fc 100644
+--- a/include/linux/rmi.h
++++ b/include/linux/rmi.h
+@@ -364,6 +364,7 @@ struct rmi_driver_data {
+
+ struct rmi4_attn_data attn_data;
+ DECLARE_KFIFO(attn_fifo, struct rmi4_attn_data, 16);
++ struct work_struct attn_work;
+ };
+
+ int rmi_register_transport_device(struct rmi_transport_dev *xport);
+diff --git a/include/linux/security.h b/include/linux/security.h
+index bbf44a466832..026a06b98a96 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -473,6 +473,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int security_lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1355,6 +1356,10 @@ static inline int security_locked_down(enum lockdown_reason what)
+ {
+ return 0;
+ }
++static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++ return 0;
++}
+ #endif /* CONFIG_SECURITY */
+
+ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+diff --git a/init/Kconfig b/init/Kconfig
+index ec589e5c1b8c..e39293dd68fb 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1653,7 +1653,7 @@ config AIO
+ this option saves about 7k.
+
+ config IO_URING
+- bool "Enable IO uring support" if EXPERT
++ bool "Enable IO uring support"
+ select IO_WQ
+ default y
+ help
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 186c49582f45..aa60b06d3cf7 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -12,6 +12,7 @@ obj-y = fork.o exec_domain.o panic.o \
+ notifier.o ksysfs.o cred.o reboot.o \
+ async.o range.o smpboot.o ucount.o regset.o
+
++obj-$(CONFIG_RHEL_DIFFERENCES) += rh_messages.o
+ obj-$(CONFIG_USERMODE_DRIVER) += usermode_driver.o
+ obj-$(CONFIG_MODULES) += kmod.o
+ obj-$(CONFIG_MULTIUSER) += groups.o
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index fa4505f9b611..1955a6f41b7b 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -25,6 +25,7 @@
+ #include <linux/ctype.h>
+ #include <linux/nospec.h>
+ #include <linux/audit.h>
++#include <linux/init.h>
+ #include <uapi/linux/btf.h>
+ #include <linux/pgtable.h>
+ #include <linux/bpf_lsm.h>
+@@ -51,6 +52,23 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
++static int __init unprivileged_bpf_setup(char *str)
++{
++ unsigned long disabled;
++ if (!kstrtoul(str, 0, &disabled))
++ sysctl_unprivileged_bpf_disabled = !!disabled;
++
++ if (!sysctl_unprivileged_bpf_disabled) {
++ pr_warn("Unprivileged BPF has been enabled "
++ "(unprivileged_bpf_disabled=0 has been supplied "
++ "in boot parameters), tainting the kernel");
++ add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK);
++ }
++
++ return 1;
++}
++__setup("unprivileged_bpf_disabled=", unprivileged_bpf_setup);
++
+ int sysctl_unprivileged_bpf_disabled __read_mostly =
+ IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 84a9141a5e15..d5aabc30ba8d 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -743,6 +743,7 @@ static struct module_attribute modinfo_##field = { \
+
+ MODINFO_ATTR(version);
+ MODINFO_ATTR(srcversion);
++MODINFO_ATTR(rhelversion);
+
+ static char last_unloaded_module[MODULE_NAME_LEN+1];
+
+@@ -1206,6 +1207,7 @@ static struct module_attribute *modinfo_attrs[] = {
+ &module_uevent,
+ &modinfo_version,
+ &modinfo_srcversion,
++ &modinfo_rhelversion,
+ &modinfo_initstate,
+ &modinfo_coresize,
+ &modinfo_initsize,
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index 8723ae70ea1f..fb2d773498c2 100644
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ modlen -= sig_len + sizeof(ms);
+ info->len = modlen;
+
+- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ }
++ return ret;
+ }
+diff --git a/kernel/panic.c b/kernel/panic.c
+index cefd7d82366f..ad43433c7013 100644
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -384,6 +384,20 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {
+ [ TAINT_LIVEPATCH ] = { 'K', ' ', true },
+ [ TAINT_AUX ] = { 'X', ' ', true },
+ [ TAINT_RANDSTRUCT ] = { 'T', ' ', true },
++ [ TAINT_18 ] = { '?', '-', false },
++ [ TAINT_19 ] = { '?', '-', false },
++ [ TAINT_20 ] = { '?', '-', false },
++ [ TAINT_21 ] = { '?', '-', false },
++ [ TAINT_22 ] = { '?', '-', false },
++ [ TAINT_23 ] = { '?', '-', false },
++ [ TAINT_24 ] = { '?', '-', false },
++ [ TAINT_25 ] = { '?', '-', false },
++ [ TAINT_26 ] = { '?', '-', false },
++ [ TAINT_SUPPORT_REMOVED ] = { 'h', ' ', false },
++ [ TAINT_RESERVED28 ] = { '?', '-', false },
++ [ TAINT_RESERVED29 ] = { '?', '-', false },
++ [ TAINT_RESERVED30 ] = { '?', '-', false },
++ [ TAINT_UNPRIVILEGED_BPF ] = { 'u', ' ', false },
+ };
+
+ /**
+diff --git a/kernel/rh_messages.c b/kernel/rh_messages.c
+new file mode 100644
+index 000000000000..345a979cd0e4
+--- /dev/null
++++ b/kernel/rh_messages.c
+@@ -0,0 +1,179 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++
++#define DEV_DESC_LEN 256
++/*
++ * The following functions are used by Red Hat to indicate to users that
++ * hardware and drivers are unsupported, or have limited support in RHEL major
++ * and minor releases. These functions output loud warning messages to the end
++ * user and should be USED WITH CAUTION.
++ *
++ * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
++ * and have approval of management.
++ *
++ * Generally, the process of disabling a driver or device in RHEL requires the
++ * driver or device to be marked as 'deprecated' in all existing releases, and
++ * then either 'unmaintained' or 'disabled' in a future release.
++ *
++ * In general, deprecated and unmaintained drivers continue to receive security
++ * related fixes until they are disabled.
++ */
++
++/**
++ * mark_hardware_unmaintained() - Mark hardware as unmaintained.
++ * @driver_name: driver name
++ * @fmt: format for device description
++ * @...: args for device description
++ *
++ * Called to notify users that the device will no longer be tested on a routine
++ * basis and driver code associated with this device is no longer being updated.
++ * Red Hat may fix security-related and critical issues. Support for this device
++ * will be disabled in a future major release and users deploying this device
++ * should plan to replace the device in production systems.
++ *
++ * This function should be used when the driver's usage can be tied to a
++ * specific hardware device. For example, a network device driver loading on a
++ * specific device that is no longer maintained by the manufacturer.
++ */
++void mark_hardware_unmaintained(const char *driver_name, char *fmt, ...)
++{
++ char device_description[DEV_DESC_LEN];
++ va_list args;
++
++ va_start(args, fmt);
++ vsnprintf(device_description, DEV_DESC_LEN, fmt, args);
++ pr_crit("Warning: Unmaintained hardware is detected: %s:%s\n", driver_name,
++ device_description);
++ va_end(args);
++}
++EXPORT_SYMBOL(mark_hardware_unmaintained);
++
++/**
++ * mark_driver_unmaintained() - Mark a driver as unmaintained.
++ * @driver_name: driver name
++ *
++ * Called to notify users that a driver will no longer be tested on a routine
++ * basis and the driver code is no longer being updated. Red Hat may fix
++ * security-related and critical issues. Support for this driver will be
++ * disabled in a future major release, and users should replace any affected
++ * devices in production systems.
++ *
++ * This function should be used when a driver's usage cannot be tied to a
++ * specific hardware device. For example, a network bonding driver or a higher
++ * level storage layer driver that is no longer maintained upstream.
++ */
++void mark_driver_unmaintained(const char *driver_name)
++{
++ pr_crit("Warning: Unmaintained driver is detected: %s\n", driver_name);
++}
++EXPORT_SYMBOL(mark_driver_unmaintained);
++
++/**
++ * mark_hardware_deprecated() - Mark hardware as deprecated.
++ * @driver_name: driver name
++ * @fmt: format for device description
++ * @...: args for device description
++ *
++ * Called to notify users that support for the device is planned to be
++ * unmaintained in a future major release, and will eventually be disabled in a
++ * future major release. This device should not be used in new production
++ * environments and users should replace the device in production systems.
++ *
++ * This function should be used when the driver's usage can be tied to a
++ * specific hardware device. For example, a network device driver loading on a
++ * specific device that is no longer maintained by the manufacturer.
++ */
++void mark_hardware_deprecated(const char *driver_name, char *fmt, ...)
++{
++ char device_description[DEV_DESC_LEN];
++ va_list args;
++
++ va_start(args, fmt);
++ vsnprintf(device_description, DEV_DESC_LEN, fmt, args);
++ pr_crit("Warning: Deprecated Hardware is detected: %s:%s will not be maintained in a future major release and may be disabled\n",
++ driver_name, device_description);
++ va_end(args);
++}
++EXPORT_SYMBOL(mark_hardware_deprecated);
++
++/**
++ * mark_driver_deprecated() - Mark a driver as deprecated.
++ * @driver_name: driver name
++ *
++ * Called to notify users that support for this driver is planned to be
++ * unmaintained in a future major release, and will eventually be disabled in a
++ * future major release. This driver should not be used in new production
++ * environments and users should replace any affected devices in production
++ * systems.
++ *
++ * This function should be used when a driver's usage cannot be tied to a
++ * specific hardware device. For example, a network bonding driver or a higher
++ * level storage layer driver that is no longer maintained upstream.
++ */
++void mark_driver_deprecated(const char *driver_name)
++{
++ pr_crit("Warning: Deprecated Driver is detected: %s will not be maintained in a future major release and may be disabled\n",
++ driver_name);
++}
++EXPORT_SYMBOL(mark_driver_deprecated);
++
++/**
++ * mark_hardware_disabled() - Mark a driver as removed.
++ * @driver_name: driver name
++ * @fmt: format for device description
++ * @...: args for device description
++ *
++ * Called to notify users that a device's support has been completely disabled
++ * and no future support updates will occur. This device cannot be used in new
++ * production environments, and users must replace the device in production
++ * systems.
++ *
++ * This function should be used when the driver's usage can be tied to a
++ * specific hardware device. For example, a network device driver loading on a
++ * specific device that is no longer maintained by the manufacturer.
++ */
++void mark_hardware_disabled(const char *driver_name, char *fmt, ...)
++{
++ char device_description[DEV_DESC_LEN];
++ va_list args;
++
++ va_start(args, fmt);
++ vsnprintf(device_description, DEV_DESC_LEN, fmt, args);
++ pr_crit("Warning: Disabled Hardware is detected: %s:%s is no longer enabled in this release.\n",
++ driver_name, device_description);
++ va_end(args);
++}
++EXPORT_SYMBOL(mark_hardware_disabled);
++
++/**
++ * mark_tech_preview() - Mark driver or kernel subsystem as 'Tech Preview'
++ * @msg: Driver or kernel subsystem name
++ *
++ * Called to minimize the support status of a new driver. This does TAINT the
++ * kernel. Calling this function indicates that the driver or subsystem has
++ * had limited testing and is not marked for full support within this RHEL
++ * minor release. The next RHEL minor release may contain full support for
++ * this driver. Red Hat does not guarantee that bugs reported against this
++ * driver or subsystem will be resolved.
++ */
++void mark_tech_preview(const char *msg, struct module *mod)
++{
++ const char *str = NULL;
++
++ if (msg)
++ str = msg;
++#ifdef CONFIG_MODULES
++ else if (mod && mod->name)
++ str = mod->name;
++#endif
++
++ pr_warn("TECH PREVIEW: %s may not be fully supported.\n"
++ "Please review provided documentation for limitations.\n",
++ (str ? str : "kernel"));
++ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
++#ifdef CONFIG_MODULES
++ if (mod)
++ mod->taints |= (1U << TAINT_AUX);
++#endif
++}
++EXPORT_SYMBOL(mark_tech_preview);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index d7ed1dffa426..19a40d791c99 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -244,6 +244,11 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
+ if (write && !ret) {
+ if (locked_state && unpriv_enable != 1)
+ return -EPERM;
++ if (!unpriv_enable) {
++ pr_warn("Unprivileged BPF has been enabled, "
++ "tainting the kernel");
++ add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK);
++ }
+ *(int *)table->data = unpriv_enable;
+ }
+ return ret;
+diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
+index 8620f38e117c..a3e41b7a8054 100644
+--- a/lib/crypto/Kconfig
++++ b/lib/crypto/Kconfig
+@@ -40,7 +40,7 @@ config CRYPTO_LIB_CHACHA_GENERIC
+ of CRYPTO_LIB_CHACHA.
+
+ config CRYPTO_LIB_CHACHA
+- tristate
++ tristate "ChaCha library interface"
+ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
+ select CRYPTO_LIB_CHACHA_GENERIC if CRYPTO_ARCH_HAVE_LIB_CHACHA=n
+ help
+@@ -65,7 +65,7 @@ config CRYPTO_LIB_CURVE25519_GENERIC
+ of CRYPTO_LIB_CURVE25519.
+
+ config CRYPTO_LIB_CURVE25519
+- tristate
++ tristate "Curve25519 scalar multiplication library"
+ depends on CRYPTO_ARCH_HAVE_LIB_CURVE25519 || !CRYPTO_ARCH_HAVE_LIB_CURVE25519
+ select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n
+ help
+@@ -100,7 +100,7 @@ config CRYPTO_LIB_POLY1305_GENERIC
+ of CRYPTO_LIB_POLY1305.
+
+ config CRYPTO_LIB_POLY1305
+- tristate
++ tristate "Poly1305 library interface"
+ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
+ select CRYPTO_LIB_POLY1305_GENERIC if CRYPTO_ARCH_HAVE_LIB_POLY1305=n
+ help
+@@ -109,7 +109,7 @@ config CRYPTO_LIB_POLY1305
+ is available and enabled.
+
+ config CRYPTO_LIB_CHACHA20POLY1305
+- tristate
++ tristate "ChaCha20-Poly1305 AEAD support (8-byte nonce library version)"
+ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
+ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
+ select CRYPTO_LIB_CHACHA
+diff --git a/mm/cma.c b/mm/cma.c
+index bc9ca8f3c487..9fa9a485eb3a 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -125,6 +125,12 @@ static void __init cma_activate_area(struct cma *cma)
+ spin_lock_init(&cma->mem_head_lock);
+ #endif
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++ /* s390x and ppc64 has been using CMA already in RHEL 8 as default. */
++ if (!IS_ENABLED(CONFIG_S390) && !IS_ENABLED(CONFIG_PPC64))
++ mark_tech_preview("CMA", NULL);
++#endif /* CONFIG_RHEL_DIFFERENCES */
++
+ return;
+
+ not_in_zone:
+@@ -437,6 +443,10 @@ struct page *cma_alloc(struct cma *cma, unsigned long count,
+ if (!cma || !cma->count || !cma->bitmap)
+ goto out;
+
++#ifdef CONFIG_RHEL_DIFFERENCES
++ pr_info_once("Initial CMA usage detected\n");
++#endif /* CONFIG_RHEL_DIFFERENCES */
++
+ pr_debug("%s(cma %p, count %lu, align %d)\n", __func__, (void *)cma,
+ count, align);
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index cb8ab7d91d30..5f13183ccc23 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -21,6 +21,7 @@
+ #include <errno.h>
+ #include "modpost.h"
+ #include "../../include/linux/license.h"
++#include "../../include/generated/uapi/linux/version.h"
+
+ /* Are we using CONFIG_MODVERSIONS? */
+ static int modversions = 0;
+@@ -2351,6 +2352,12 @@ static void write_buf(struct buffer *b, const char *fname)
+ }
+ }
+
++static void add_rhelversion(struct buffer *b, struct module *mod)
++{
++ buf_printf(b, "MODULE_INFO(rhelversion, \"%d.%d\");\n", RHEL_MAJOR,
++ RHEL_MINOR);
++}
++
+ static void write_if_changed(struct buffer *b, const char *fname)
+ {
+ char *tmp;
+@@ -2580,6 +2587,7 @@ int main(int argc, char **argv)
+ add_depends(&buf, mod);
+ add_moddevtable(&buf, mod);
+ add_srcversion(&buf, mod);
++ add_rhelversion(&buf, mod);
+
+ sprintf(fname, "%s.mod.c", mod->name);
+ write_if_changed(&buf, fname);
+diff --git a/scripts/tags.sh b/scripts/tags.sh
+index b24bfaec6290..0418ba1d33f3 100755
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -16,6 +16,8 @@ fi
+ ignore="$(echo "$RCS_FIND_IGNORE" | sed 's|\\||g' )"
+ # tags and cscope files should also ignore MODVERSION *.mod.c files
+ ignore="$ignore ( -name *.mod.c ) -prune -o"
++# RHEL tags and cscope should also ignore redhat/rpm
++ignore="$ignore ( -path redhat/rpm ) -prune -o"
+
+ # Use make KBUILD_ABS_SRCTREE=1 {tags|cscope}
+ # to force full paths for a non-O= build
+diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
+index f290f78c3f30..d3e7ae04f5be 100644
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -46,7 +46,8 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ return NULL;
+
+ if (*status != EFI_BUFFER_TOO_SMALL) {
+- pr_err("Couldn't get size: 0x%lx\n", *status);
++ pr_err("Couldn't get size: %s (0x%lx)\n",
++ efi_status_to_str(*status), *status);
+ return NULL;
+ }
+
+@@ -57,7 +58,8 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ *status = efi.get_variable(name, guid, NULL, &lsize, db);
+ if (*status != EFI_SUCCESS) {
+ kfree(db);
+- pr_err("Error reading db var: 0x%lx\n", *status);
++ pr_err("Error reading db var: %s (0x%lx)\n",
++ efi_status_to_str(*status), *status);
+ return NULL;
+ }
+
+diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
+index e84ddf484010..d0501353a4b9 100644
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
+@@ -16,6 +16,19 @@ config SECURITY_LOCKDOWN_LSM_EARLY
+ subsystem is fully initialised. If enabled, lockdown will
+ unconditionally be called before any other LSMs.
+
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ depends on EFI && SECURITY_LOCKDOWN_LSM_EARLY
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option results in kernel lockdown being triggered if
++ EFI Secure Boot is set.
++
+ choice
+ prompt "Kernel default lockdown mode"
+ default LOCK_DOWN_KERNEL_FORCE_NONE
+diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
+index 87cbdc64d272..18555cf18da7 100644
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
+@@ -73,6 +73,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
+
+ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
++ LSM_HOOK_INIT(lock_kernel_down, lock_kernel_down),
+ };
+
+ static int __init lockdown_lsm_init(void)
+diff --git a/security/security.c b/security/security.c
+index c88167a414b4..e65a178ff9f4 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2600,6 +2600,12 @@ int security_locked_down(enum lockdown_reason what)
+ }
+ EXPORT_SYMBOL(security_locked_down);
+
++int security_lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++ return call_int_hook(lock_kernel_down, 0, where, level);
++}
++EXPORT_SYMBOL(security_lock_kernel_down);
++
+ #ifdef CONFIG_PERF_EVENTS
+ int security_perf_event_open(struct perf_event_attr *attr, int type)
+ {