summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch30
-rw-r--r--debian/patches/bugfix/all/cpupower-bump-soname-version.patch27
-rw-r--r--debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch49
-rw-r--r--debian/patches/bugfix/all/disable-some-marvell-phys.patch91
-rw-r--r--debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch2557
-rw-r--r--debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch83
-rw-r--r--debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch70
-rw-r--r--debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch23
-rw-r--r--debian/patches/bugfix/all/libcpupower-hide-private-function.patch20
-rw-r--r--debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch23
-rw-r--r--debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch73
-rw-r--r--debian/patches/bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch49
-rw-r--r--debian/patches/bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch140
-rw-r--r--debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch139
-rw-r--r--debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch375
-rw-r--r--debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch156
-rw-r--r--debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch27
-rw-r--r--debian/patches/bugfix/all/tools-perf-man-date.patch44
-rw-r--r--debian/patches/bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch175
-rw-r--r--debian/patches/bugfix/all/tools-perf-remove-shebangs.patch39
-rw-r--r--debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch29
-rw-r--r--debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch100
-rw-r--r--debian/patches/bugfix/all/wireguard-ignore-config_android.patch29
-rw-r--r--debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch37
-rw-r--r--debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch31
-rw-r--r--debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch92
-rw-r--r--debian/patches/bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch45
-rw-r--r--debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch39
-rw-r--r--debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch124
-rw-r--r--debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch35
-rw-r--r--debian/patches/bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch34
-rw-r--r--debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch22
-rw-r--r--debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch34
-rw-r--r--debian/patches/bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch29
-rw-r--r--debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch104
-rw-r--r--debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch29
-rw-r--r--debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch106
-rw-r--r--debian/patches/debian/arch-sh4-fix-uimage-build.patch26
-rw-r--r--debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch35
-rw-r--r--debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch27
-rw-r--r--debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch41
-rw-r--r--debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch29
-rw-r--r--debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch18
-rw-r--r--debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch15
-rw-r--r--debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch54
-rw-r--r--debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch128
-rw-r--r--debian/patches/debian/dfsg/vs6624-disable.patch24
-rw-r--r--debian/patches/debian/documentation-drop-sphinx-version-check.patch52
-rw-r--r--debian/patches/debian/export-symbols-needed-by-android-drivers.patch113
-rw-r--r--debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch29
-rw-r--r--debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch52
-rw-r--r--debian/patches/debian/fjes-disable-autoload.patch24
-rw-r--r--debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch22
-rw-r--r--debian/patches/debian/gitignore.patch49
-rw-r--r--debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch48
-rw-r--r--debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch27
-rw-r--r--debian/patches/debian/ia64-hardcode-arch-script-output.patch75
-rw-r--r--debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch26
-rw-r--r--debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch37
-rw-r--r--debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch45
-rw-r--r--debian/patches/debian/kernelvariables.patch82
-rw-r--r--debian/patches/debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch83
-rw-r--r--debian/patches/debian/mips-boston-disable-its.patch20
-rw-r--r--debian/patches/debian/mips-disable-werror.patch23
-rw-r--r--debian/patches/debian/mips-ieee754-relaxed.patch32
-rw-r--r--debian/patches/debian/ntfs-mark-it-as-broken.patch22
-rw-r--r--debian/patches/debian/overlayfs-permit-mounts-in-userns.patch58
-rw-r--r--debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch54
-rw-r--r--debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch34
-rw-r--r--debian/patches/debian/sched-autogroup-disabled.patch19
-rw-r--r--debian/patches/debian/snd-pcsp-disable-autoload.patch30
-rw-r--r--debian/patches/debian/tools-perf-install.patch52
-rw-r--r--debian/patches/debian/tools-perf-version.patch128
-rw-r--r--debian/patches/debian/uname-version-timestamp.patch33
-rw-r--r--debian/patches/debian/version.patch172
-rw-r--r--debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch1452
-rw-r--r--debian/patches/debian/yama-disable-by-default.patch32
-rw-r--r--debian/patches/features/all/aufs5/aufs5-base.patch332
-rw-r--r--debian/patches/features/all/aufs5/aufs5-mmap.patch405
-rw-r--r--debian/patches/features/all/aufs5/aufs5-standalone.patch308
-rw-r--r--debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch40
-rw-r--r--debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch117
-rw-r--r--debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch113
-rw-r--r--debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch37
-rw-r--r--debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch28
-rw-r--r--debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch149
-rw-r--r--debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch153
-rw-r--r--debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch152
-rw-r--r--debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch127
-rw-r--r--debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch75
-rw-r--r--debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch80
-rw-r--r--debian/patches/features/arm64/arm64-compat-Implement-misalignment-fixups-for-multi.patch480
-rw-r--r--debian/patches/features/arm64/arm64-dts-raspberry-Add-support-for-the-CM4.patch423
-rw-r--r--debian/patches/features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch419
-rw-r--r--debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-PCIe-on-helios64.patch113
-rw-r--r--debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-two-PWM-fans-on-h.patch61
-rw-r--r--debian/patches/features/arm64/arm64-dts-rockchip-Rely-on-SoC-external-pull-up-on-p.patch32
-rw-r--r--debian/patches/features/arm64/arm64-dts-rockchip-kobol-helios64-Add-mmc-aliases.patch30
-rw-r--r--debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch85
-rw-r--r--debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch91
-rw-r--r--debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch193
-rw-r--r--debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch28
-rw-r--r--debian/patches/series141
103 files changed, 12643 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch b/debian/patches/bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
new file mode 100644
index 000000000..3f2d75a6a
--- /dev/null
+++ b/debian/patches/bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
@@ -0,0 +1,30 @@
+From: Ben Hutchings <benh@debian.org>
+Date: Fri, 14 Aug 2020 00:43:54 +0100
+Subject: bpftool: Fix version string in recursive builds
+Forwarded: https://lore.kernel.org/bpf/20200813235837.GA497088@decadent.org.uk/T/#u
+
+When bpftool is built as part of a Debian package build, which itself
+uses make, "bpftool version" shows:
+
+ bpftool vmake[4]: Entering directory /build/linux-5.8/tools/bpf/bpftool 5.8.8.0 make[4]: Leaving directory /build/linux-5.8
+
+Although we pass the "--no-print-directory" option, this is overridden
+by the environment variable "MAKEFLAGS=w". Clear MAKEFLAGS for the
+"make kernelversion" command.
+
+I have no explanation for the doubled ".8" in the version string, but
+this seems to fix that as well.
+
+Signed-off-by: Ben Hutchings <benh@debian.org>
+---
+--- a/tools/bpf/bpftool/Makefile
++++ b/tools/bpf/bpftool/Makefile
+@@ -25,7 +25,7 @@ endif
+
+ LIBBPF = $(LIBBPF_PATH)libbpf.a
+
+-BPFTOOL_VERSION ?= $(shell make -rR --no-print-directory -sC ../../.. kernelversion)
++BPFTOOL_VERSION ?= $(shell MAKEFLAGS= make -rR --no-print-directory -sC ../../.. kernelversion)
+
+ $(LIBBPF): FORCE
+ $(if $(LIBBPF_OUTPUT),@mkdir -p $(LIBBPF_OUTPUT))
diff --git a/debian/patches/bugfix/all/cpupower-bump-soname-version.patch b/debian/patches/bugfix/all/cpupower-bump-soname-version.patch
new file mode 100644
index 000000000..7e5f52eaa
--- /dev/null
+++ b/debian/patches/bugfix/all/cpupower-bump-soname-version.patch
@@ -0,0 +1,27 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 9 Jun 2016 23:35:08 +0100
+Subject: cpupower: Bump soname version
+Forwarded: http://mid.gmane.org/20160610005619.GQ7555@decadent.org.uk
+
+Several functions in the libcpupower API are renamed or removed in
+Linux 4.7. This is an backward-incompatible ABI change, so the
+library soname should change from libcpupower.so.0 to
+libcpupower.so.1.
+
+Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/power/cpupower/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/power/cpupower/Makefile
++++ b/tools/power/cpupower/Makefile
+@@ -53,7 +53,7 @@ DESTDIR ?=
+
+ VERSION:= $(shell ./utils/version-gen.sh)
+ LIB_MAJ= 0.0.1
+-LIB_MIN= 0
++LIB_MIN= 1
+
+ PACKAGE = cpupower
+ PACKAGE_BUGREPORT = linux-pm@vger.kernel.org
diff --git a/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
new file mode 100644
index 000000000..5cce9b76a
--- /dev/null
+++ b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
@@ -0,0 +1,49 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 03 Nov 2016 15:25:26 -0600
+Subject: cpupower: Fix checks for CPU existence
+Forwarded: https://marc.info/?l=linux-pm&m=149248268214265
+
+Calls to cpufreq_cpu_exists(cpu) were converted to
+cpupower_is_cpu_online(cpu) when libcpupower was introduced and the
+former function was deleted. However, cpupower_is_cpu_online() does
+not distinguish physically absent and offline CPUs, and does not set
+errno.
+
+cpufreq-set has already been fixed (commit c25badc9ceb6).
+
+In cpufreq-bench, which prints an error message for offline CPUs,
+properly distinguish and report the zero and negative cases.
+
+Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library")
+Fixes: 53d1cd6b125f ("cpupowerutils: bench - Fix cpu online check")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[carnil: Update/Refresh patch for 4.14.17: The issue with the
+incorrect check has been fixed with upstream commit 53d1cd6b125f.
+Keep in the patch the distinction and report for the zero and
+negative cases.]
+---
+--- a/tools/power/cpupower/bench/system.c
++++ b/tools/power/cpupower/bench/system.c
+@@ -58,12 +58,19 @@ long long int get_time()
+
+ int set_cpufreq_governor(char *governor, unsigned int cpu)
+ {
++ int rc;
+
+ dprintf("set %s as cpufreq governor\n", governor);
+
+- if (cpupower_is_cpu_online(cpu) != 1) {
+- perror("cpufreq_cpu_exists");
+- fprintf(stderr, "error: cpu %u does not exist\n", cpu);
++ rc = cpupower_is_cpu_online(cpu);
++ if (rc != 1) {
++ if (rc < 0)
++ fprintf(stderr, "cpupower_is_cpu_online: %s\n",
++ strerror(-rc));
++ else
++ fprintf(stderr,
++ "error: cpu %u is offline or does not exist\n",
++ cpu);
+ return -1;
+ }
+
diff --git a/debian/patches/bugfix/all/disable-some-marvell-phys.patch b/debian/patches/bugfix/all/disable-some-marvell-phys.patch
new file mode 100644
index 000000000..31fd6bf14
--- /dev/null
+++ b/debian/patches/bugfix/all/disable-some-marvell-phys.patch
@@ -0,0 +1,91 @@
+From: Ian Campbell <ijc@hellion.org.uk>
+Subject: phy/marvell: disable 4-port phys
+Date: Wed, 20 Nov 2013 08:30:14 +0000
+Bug-Debian: https://bugs.debian.org/723177
+Forwarded: http://thread.gmane.org/gmane.linux.debian.devel.bugs.general/1107774/
+
+The Marvell PHY was originally disabled because it can cause networking
+failures on some systems. According to Lennert Buytenhek this is because some
+of the variants added did not share the same register layout. Since the known
+cases are all 4-ports disable those variants (indicated by a 4 in the
+penultimate position of the model name) until they can be audited for
+correctness.
+
+[bwh: Also #if-out the init functions for these PHYs to avoid
+ compiler warnings]
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1006,6 +1006,7 @@ static int m88e1118_config_init(struct p
+ return genphy_soft_reset(phydev);
+ }
+
++#if 0
+ static int m88e1149_config_init(struct phy_device *phydev)
+ {
+ int err;
+@@ -1031,7 +1032,9 @@ static int m88e1149_config_init(struct p
+
+ return genphy_soft_reset(phydev);
+ }
++#endif
+
++#if 0
+ static int m88e1145_config_init_rgmii(struct phy_device *phydev)
+ {
+ int err;
+@@ -1106,6 +1109,7 @@ static int m88e1145_config_init(struct p
+
+ return 0;
+ }
++#endif
+
+ static int m88e1540_get_fld(struct phy_device *phydev, u8 *msecs)
+ {
+@@ -2272,6 +2276,7 @@ static struct phy_driver marvell_drivers
+ .get_strings = marvell_get_strings,
+ .get_stats = marvell_get_stats,
+ },
++#if 0
+ {
+ .phy_id = MARVELL_PHY_ID_88E1145,
+ .phy_id_mask = MARVELL_PHY_ID_MASK,
+@@ -2293,6 +2298,8 @@ static struct phy_driver marvell_drivers
+ .get_tunable = m88e1111_get_tunable,
+ .set_tunable = m88e1111_set_tunable,
+ },
++#endif
++#if 0
+ {
+ .phy_id = MARVELL_PHY_ID_88E1149R,
+ .phy_id_mask = MARVELL_PHY_ID_MASK,
+@@ -2311,6 +2318,8 @@ static struct phy_driver marvell_drivers
+ .get_strings = marvell_get_strings,
+ .get_stats = marvell_get_stats,
+ },
++#endif
++#if 0
+ {
+ .phy_id = MARVELL_PHY_ID_88E1240,
+ .phy_id_mask = MARVELL_PHY_ID_MASK,
+@@ -2329,6 +2338,7 @@ static struct phy_driver marvell_drivers
+ .get_strings = marvell_get_strings,
+ .get_stats = marvell_get_stats,
+ },
++#endif
+ {
+ .phy_id = MARVELL_PHY_ID_88E1116R,
+ .phy_id_mask = MARVELL_PHY_ID_MASK,
+@@ -2469,9 +2479,9 @@ static struct mdio_device_id __maybe_unu
+ { MARVELL_PHY_ID_88E1111, MARVELL_PHY_ID_MASK },
+ { MARVELL_PHY_ID_88E1118, MARVELL_PHY_ID_MASK },
+ { MARVELL_PHY_ID_88E1121R, MARVELL_PHY_ID_MASK },
+- { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK },
+- { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK },
+- { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK },
++/* { MARVELL_PHY_ID_88E1145, MARVELL_PHY_ID_MASK }, */
++/* { MARVELL_PHY_ID_88E1149R, MARVELL_PHY_ID_MASK }, */
++/* { MARVELL_PHY_ID_88E1240, MARVELL_PHY_ID_MASK }, */
+ { MARVELL_PHY_ID_88E1318S, MARVELL_PHY_ID_MASK },
+ { MARVELL_PHY_ID_88E1116R, MARVELL_PHY_ID_MASK },
+ { MARVELL_PHY_ID_88E1510, MARVELL_PHY_ID_MASK },
diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
new file mode 100644
index 000000000..8ee5acc89
--- /dev/null
+++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
@@ -0,0 +1,2557 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: firmware: Remove redundant log messages from drivers
+Date: Sun, 09 Dec 2012 16:40:31 +0000
+Forwarded: no
+
+Now that firmware_class logs every success and failure consistently,
+many other log messages can be removed from drivers.
+
+This will probably need to be split up into multiple patches prior to
+upstream submission.
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -901,10 +901,8 @@ static enum ucode_state request_microcod
+ if (c->x86 >= 0x15)
+ snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86);
+
+- if (request_firmware_direct(&fw, (const char *)fw_name, device)) {
+- pr_debug("failed to load file %s\n", fw_name);
++ if (request_firmware_direct(&fw, (const char *)fw_name, device))
+ goto out;
+- }
+
+ ret = UCODE_ERROR;
+ if (!verify_container(fw->data, fw->size, false))
+--- a/drivers/atm/ambassador.c
++++ b/drivers/atm/ambassador.c
+@@ -1914,10 +1914,8 @@ static int ucode_init(loader_block *lb,
+ int res;
+
+ res = request_ihex_firmware(&fw, "atmsar11.fw", &dev->pci_dev->dev);
+- if (res) {
+- PRINTK (KERN_ERR, "Cannot load microcode data");
++ if (res)
+ return res;
+- }
+
+ /* First record contains just the start address */
+ rec = (const struct ihex_binrec *)fw->data;
+--- a/drivers/atm/fore200e.c
++++ b/drivers/atm/fore200e.c
+@@ -2400,10 +2400,9 @@ static int fore200e_load_and_start_fw(st
+ int err;
+
+ sprintf(buf, "%s%s", fore200e->bus->proc_name, FW_EXT);
+- if ((err = request_firmware(&firmware, buf, fore200e->dev)) < 0) {
+- printk(FORE200E "problem loading firmware image %s\n", fore200e->bus->model_name);
++ err = request_firmware(&firmware, buf, fore200e->dev);
++ if (err)
+ return err;
+- }
+
+ fw_data = (const __le32 *)firmware->data;
+ fw_size = firmware->size / sizeof(u32);
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -382,10 +382,8 @@ static int ath3k_load_patch(struct usb_d
+ le32_to_cpu(fw_version.rom_version));
+
+ ret = request_firmware(&firmware, filename, &udev->dev);
+- if (ret < 0) {
+- BT_ERR("Patch file not found %s", filename);
++ if (ret)
+ return ret;
+- }
+
+ pt_rom_version = get_unaligned_le32(firmware->data +
+ firmware->size - 8);
+@@ -445,10 +443,8 @@ static int ath3k_load_syscfg(struct usb_
+ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
+
+ ret = request_firmware(&firmware, filename, &udev->dev);
+- if (ret < 0) {
+- BT_ERR("Configuration file not found %s", filename);
++ if (ret)
+ return ret;
+- }
+
+ ret = ath3k_load_fwfile(udev, firmware);
+ release_firmware(firmware);
+--- a/drivers/bluetooth/bcm203x.c
++++ b/drivers/bluetooth/bcm203x.c
+@@ -174,7 +174,6 @@ static int bcm203x_probe(struct usb_inte
+ return -ENOMEM;
+
+ if (request_firmware(&firmware, "BCM2033-MD.hex", &udev->dev) < 0) {
+- BT_ERR("Mini driver request failed");
+ usb_free_urb(data->urb);
+ return -EIO;
+ }
+@@ -199,7 +198,6 @@ static int bcm203x_probe(struct usb_inte
+ release_firmware(firmware);
+
+ if (request_firmware(&firmware, "BCM2033-FW.bin", &udev->dev) < 0) {
+- BT_ERR("Firmware request failed");
+ usb_free_urb(data->urb);
+ kfree(data->buffer);
+ return -EIO;
+--- a/drivers/bluetooth/bfusb.c
++++ b/drivers/bluetooth/bfusb.c
+@@ -636,10 +636,8 @@ static int bfusb_probe(struct usb_interf
+ skb_queue_head_init(&data->pending_q);
+ skb_queue_head_init(&data->completed_q);
+
+- if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) {
+- BT_ERR("Firmware request failed");
++ if (request_firmware(&firmware, "bfubase.frm", &udev->dev))
+ goto done;
+- }
+
+ BT_DBG("firmware data %p size %zu", firmware->data, firmware->size);
+
+--- a/drivers/bluetooth/bt3c_cs.c
++++ b/drivers/bluetooth/bt3c_cs.c
+@@ -569,10 +569,8 @@ static int bt3c_open(struct bt3c_info *i
+
+ /* Load firmware */
+ err = request_firmware(&firmware, "BT3CPCC.bin", &info->p_dev->dev);
+- if (err < 0) {
+- BT_ERR("Firmware request failed");
++ if (err)
+ goto error;
+- }
+
+ err = bt3c_load_firmware(info, firmware->data, firmware->size);
+
+--- a/drivers/bluetooth/btmrvl_sdio.c
++++ b/drivers/bluetooth/btmrvl_sdio.c
+@@ -483,8 +483,6 @@ static int btmrvl_sdio_download_helper(s
+ ret = request_firmware(&fw_helper, card->helper,
+ &card->func->dev);
+ if ((ret < 0) || !fw_helper) {
+- BT_ERR("request_firmware(helper) failed, error code = %d",
+- ret);
+ ret = -ENOENT;
+ goto done;
+ }
+@@ -583,8 +581,6 @@ static int btmrvl_sdio_download_fw_w_hel
+ ret = request_firmware(&fw_firmware, card->firmware,
+ &card->func->dev);
+ if ((ret < 0) || !fw_firmware) {
+- BT_ERR("request_firmware(firmware) failed, error code = %d",
+- ret);
+ ret = -ENOENT;
+ goto done;
+ }
+--- a/drivers/char/dsp56k.c
++++ b/drivers/char/dsp56k.c
+@@ -140,11 +140,8 @@ static int dsp56k_upload(u_char __user *
+ }
+ err = request_firmware(&fw, fw_name, &pdev->dev);
+ platform_device_unregister(pdev);
+- if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fw_name, err);
++ if (err)
+ return err;
+- }
+ if (fw->size % 3) {
+ printk(KERN_ERR "Bogus length %d in image \"%s\"\n",
+ fw->size, fw_name);
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1733,11 +1733,8 @@ static void sdma_load_firmware(const str
+ const struct sdma_script_start_addrs *addr;
+ unsigned short *ram_code;
+
+- if (!fw) {
+- dev_info(sdma->dev, "external firmware not found, using ROM firmware\n");
+- /* In this case we just use the ROM firmware. */
++ if (!fw)
+ return;
+- }
+
+ if (fw->size < sizeof(*header))
+ goto err_firmware;
+--- a/drivers/gpu/drm/mga/mga_warp.c
++++ b/drivers/gpu/drm/mga/mga_warp.c
+@@ -77,11 +77,8 @@ int mga_warp_install_microcode(drm_mga_p
+ }
+ rc = request_ihex_firmware(&fw, firmware_name, &pdev->dev);
+ platform_device_unregister(pdev);
+- if (rc) {
+- DRM_ERROR("mga: Failed to load microcode \"%s\"\n",
+- firmware_name);
++ if (rc)
+ return rc;
+- }
+
+ size = 0;
+ where = 0;
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c
+@@ -2445,10 +2445,8 @@ gf100_gr_load_fw(struct gf100_gr *gr, co
+ if (ret) {
+ snprintf(f, sizeof(f), "nouveau/%s", name);
+ ret = request_firmware(&fw, f, device->dev);
+- if (ret) {
+- nvkm_error(subdev, "failed to load %s\n", name);
++ if (ret)
+ return ret;
+- }
+ }
+
+ blob->size = fw->size;
+--- a/drivers/gpu/drm/r128/r128_cce.c
++++ b/drivers/gpu/drm/r128/r128_cce.c
+@@ -162,11 +162,8 @@ static int r128_cce_load_microcode(drm_r
+ }
+ rc = request_firmware(&fw, FIRMWARE_NAME, &pdev->dev);
+ platform_device_unregister(pdev);
+- if (rc) {
+- pr_err("r128_cce: Failed to load firmware \"%s\"\n",
+- FIRMWARE_NAME);
++ if (rc)
+ return rc;
+- }
+
+ if (fw->size != 256 * 8) {
+ pr_err("r128_cce: Bogus length %zu in firmware \"%s\"\n",
+--- a/drivers/gpu/drm/radeon/ni.c
++++ b/drivers/gpu/drm/radeon/ni.c
+@@ -833,9 +833,6 @@ int ni_init_microcode(struct radeon_devi
+
+ out:
+ if (err) {
+- if (err != -EINVAL)
+- pr_err("ni_cp: Failed to load firmware \"%s\"\n",
+- fw_name);
+ release_firmware(rdev->pfp_fw);
+ rdev->pfp_fw = NULL;
+ release_firmware(rdev->me_fw);
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -1047,9 +1047,7 @@ static int r100_cp_init_microcode(struct
+ }
+
+ err = request_firmware(&rdev->me_fw, fw_name, rdev->dev);
+- if (err) {
+- pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name);
+- } else if (rdev->me_fw->size % 8) {
++ if (err == 0 && rdev->me_fw->size % 8) {
+ pr_err("radeon_cp: Bogus length %zu in firmware \"%s\"\n",
+ rdev->me_fw->size, fw_name);
+ err = -EINVAL;
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -2599,9 +2599,6 @@ int r600_init_microcode(struct radeon_de
+
+ out:
+ if (err) {
+- if (err != -EINVAL)
+- pr_err("r600_cp: Failed to load firmware \"%s\"\n",
+- fw_name);
+ release_firmware(rdev->pfp_fw);
+ rdev->pfp_fw = NULL;
+ release_firmware(rdev->me_fw);
+--- a/drivers/infiniband/hw/qib/qib_sd7220.c
++++ b/drivers/infiniband/hw/qib/qib_sd7220.c
+@@ -406,10 +406,8 @@ int qib_sd7220_init(struct qib_devdata *
+ }
+
+ ret = request_firmware(&fw, SD7220_FW_NAME, &dd->pcidev->dev);
+- if (ret) {
+- qib_dev_err(dd, "Failed to load IB SERDES image\n");
++ if (ret)
+ goto done;
+- }
+
+ /* Substitute our deduced value for was_reset */
+ ret = qib_ibsd_ucode_loaded(dd->pport, fw);
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -2827,10 +2827,8 @@ static int mxt_load_fw(struct device *de
+ int ret;
+
+ ret = request_firmware(&fw, fn, dev);
+- if (ret) {
+- dev_err(dev, "Unable to open firmware %s\n", fn);
++ if (ret)
+ return ret;
+- }
+
+ /* Check for incorrect enc file */
+ ret = mxt_check_firmware_format(dev, fw);
+--- a/drivers/isdn/hardware/mISDN/speedfax.c
++++ b/drivers/isdn/hardware/mISDN/speedfax.c
+@@ -379,11 +379,8 @@ setup_instance(struct sfax_hw *card)
+ card->isar.owner = THIS_MODULE;
+
+ err = request_firmware(&firmware, "isdn/ISAR.BIN", &card->pdev->dev);
+- if (err < 0) {
+- pr_info("%s: firmware request failed %d\n",
+- card->name, err);
++ if (err)
+ goto error_fw;
+- }
+ if (debug & DEBUG_HW)
+ pr_notice("%s: got firmware %zu bytes\n",
+ card->name, firmware->size);
+--- a/drivers/media/common/siano/smscoreapi.c
++++ b/drivers/media/common/siano/smscoreapi.c
+@@ -1156,10 +1156,8 @@ static int smscore_load_firmware_from_fi
+ return -EINVAL;
+
+ rc = request_firmware(&fw, fw_filename, coredev->device);
+- if (rc < 0) {
+- pr_err("failed to open firmware file '%s'\n", fw_filename);
++ if (rc < 0)
+ return rc;
+- }
+ pr_debug("read fw %s, buffer size=0x%zx\n", fw_filename, fw->size);
+ fw_buf = kmalloc(ALIGN(fw->size + sizeof(struct sms_firmware),
+ SMS_ALLOC_ALIGNMENT), GFP_KERNEL | coredev->gfp_buf_flags);
+--- a/drivers/media/dvb-frontends/af9013.c
++++ b/drivers/media/dvb-frontends/af9013.c
+@@ -1049,14 +1049,8 @@ static int af9013_download_firmware(stru
+
+ /* Request the firmware, will block and timeout */
+ ret = request_firmware(&firmware, name, &client->dev);
+- if (ret) {
+- dev_info(&client->dev, "firmware file '%s' not found %d\n",
+- name, ret);
++ if (ret)
+ goto err;
+- }
+-
+- dev_info(&client->dev, "downloading firmware from file '%s'\n",
+- name);
+
+ /* Write firmware checksum & size */
+ for (i = 0; i < firmware->size; i++)
+--- a/drivers/media/dvb-frontends/bcm3510.c
++++ b/drivers/media/dvb-frontends/bcm3510.c
+@@ -636,10 +636,9 @@ static int bcm3510_download_firmware(str
+ int ret,i;
+
+ deb_info("requesting firmware\n");
+- if ((ret = st->config->request_firmware(fe, &fw, BCM3510_DEFAULT_FIRMWARE)) < 0) {
+- err("could not load firmware (%s): %d",BCM3510_DEFAULT_FIRMWARE,ret);
++ ret = st->config->request_firmware(fe, &fw, BCM3510_DEFAULT_FIRMWARE);
++ if (ret)
+ return ret;
+- }
+ deb_info("got firmware: %zu\n", fw->size);
+
+ b = fw->data;
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -479,13 +479,8 @@ static int cx24116_firmware_ondemand(str
+ __func__, CX24116_DEFAULT_FIRMWARE);
+ ret = request_firmware(&fw, CX24116_DEFAULT_FIRMWARE,
+ state->i2c->dev.parent);
+- printk(KERN_INFO "%s: Waiting for firmware upload(2)...\n",
+- __func__);
+- if (ret) {
+- printk(KERN_ERR "%s: No firmware uploaded (timeout or file not found?)\n",
+- __func__);
++ if (ret)
+ return ret;
+- }
+
+ /* Make sure we don't recurse back through here
+ * during loading */
+--- a/drivers/media/dvb-frontends/drxd_hard.c
++++ b/drivers/media/dvb-frontends/drxd_hard.c
+@@ -891,10 +891,8 @@ static int load_firmware(struct drxd_sta
+ {
+ const struct firmware *fw;
+
+- if (request_firmware(&fw, fw_name, state->dev) < 0) {
+- printk(KERN_ERR "drxd: firmware load failure [%s]\n", fw_name);
++ if (request_firmware(&fw, fw_name, state->dev))
+ return -EIO;
+- }
+
+ state->microcode = kmemdup(fw->data, fw->size, GFP_KERNEL);
+ if (!state->microcode) {
+--- a/drivers/media/dvb-frontends/drxk_hard.c
++++ b/drivers/media/dvb-frontends/drxk_hard.c
+@@ -6259,10 +6259,6 @@ static void load_firmware_cb(const struc
+
+ dprintk(1, ": %s\n", fw ? "firmware loaded" : "firmware not loaded");
+ if (!fw) {
+- pr_err("Could not load firmware file %s.\n",
+- state->microcode_name);
+- pr_info("Copy %s to your hotplug directory!\n",
+- state->microcode_name);
+ state->microcode_name = NULL;
+
+ /*
+--- a/drivers/media/dvb-frontends/ds3000.c
++++ b/drivers/media/dvb-frontends/ds3000.c
+@@ -348,12 +348,8 @@ static int ds3000_firmware_ondemand(stru
+ DS3000_DEFAULT_FIRMWARE);
+ ret = request_firmware(&fw, DS3000_DEFAULT_FIRMWARE,
+ state->i2c->dev.parent);
+- printk(KERN_INFO "%s: Waiting for firmware upload(2)...\n", __func__);
+- if (ret) {
+- printk(KERN_ERR "%s: No firmware uploaded (timeout or file not found?)\n",
+- __func__);
++ if (ret)
+ return ret;
+- }
+
+ ret = ds3000_load_firmware(fe, fw);
+ if (ret)
+--- a/drivers/media/dvb-frontends/nxt200x.c
++++ b/drivers/media/dvb-frontends/nxt200x.c
+@@ -876,12 +876,8 @@ static int nxt2002_init(struct dvb_front
+ __func__, NXT2002_DEFAULT_FIRMWARE);
+ ret = request_firmware(&fw, NXT2002_DEFAULT_FIRMWARE,
+ state->i2c->dev.parent);
+- pr_debug("%s: Waiting for firmware upload(2)...\n", __func__);
+- if (ret) {
+- pr_err("%s: No firmware uploaded (timeout or file not found?)\n",
+- __func__);
++ if (ret)
+ return ret;
+- }
+
+ ret = nxt2002_load_firmware(fe, fw);
+ release_firmware(fw);
+@@ -943,12 +939,8 @@ static int nxt2004_init(struct dvb_front
+ __func__, NXT2004_DEFAULT_FIRMWARE);
+ ret = request_firmware(&fw, NXT2004_DEFAULT_FIRMWARE,
+ state->i2c->dev.parent);
+- pr_debug("%s: Waiting for firmware upload(2)...\n", __func__);
+- if (ret) {
+- pr_err("%s: No firmware uploaded (timeout or file not found?)\n",
+- __func__);
++ if (ret)
+ return ret;
+- }
+
+ ret = nxt2004_load_firmware(fe, fw);
+ release_firmware(fw);
+--- a/drivers/media/dvb-frontends/or51132.c
++++ b/drivers/media/dvb-frontends/or51132.c
+@@ -326,10 +326,8 @@ static int or51132_set_parameters(struct
+ printk("or51132: Waiting for firmware upload(%s)...\n",
+ fwname);
+ ret = request_firmware(&fw, fwname, state->i2c->dev.parent);
+- if (ret) {
+- printk(KERN_WARNING "or51132: No firmware uploaded(timeout or file not found?)\n");
++ if (ret)
+ return ret;
+- }
+ ret = or51132_load_firmware(fe, fw);
+ release_firmware(fw);
+ if (ret) {
+--- a/drivers/media/dvb-frontends/or51211.c
++++ b/drivers/media/dvb-frontends/or51211.c
+@@ -361,11 +361,8 @@ static int or51211_init(struct dvb_front
+ OR51211_DEFAULT_FIRMWARE);
+ ret = config->request_firmware(fe, &fw,
+ OR51211_DEFAULT_FIRMWARE);
+- pr_info("Got Hotplug firmware\n");
+- if (ret) {
+- pr_warn("No firmware uploaded (timeout or file not found?)\n");
++ if (ret)
+ return ret;
+- }
+
+ ret = or51211_load_firmware(fe, fw);
+ release_firmware(fw);
+--- a/drivers/media/dvb-frontends/sp8870.c
++++ b/drivers/media/dvb-frontends/sp8870.c
+@@ -304,10 +304,8 @@ static int sp8870_init (struct dvb_front
+
+ /* request the firmware, this will block until someone uploads it */
+ printk("sp8870: waiting for firmware upload (%s)...\n", SP8870_DEFAULT_FIRMWARE);
+- if (state->config->request_firmware(fe, &fw, SP8870_DEFAULT_FIRMWARE)) {
+- printk("sp8870: no firmware upload (timeout or file not found?)\n");
++ if (state->config->request_firmware(fe, &fw, SP8870_DEFAULT_FIRMWARE))
+ return -EIO;
+- }
+
+ if (sp8870_firmware_upload(state, fw)) {
+ printk("sp8870: writing firmware to device failed\n");
+--- a/drivers/media/dvb-frontends/sp887x.c
++++ b/drivers/media/dvb-frontends/sp887x.c
+@@ -527,10 +527,8 @@ static int sp887x_init(struct dvb_fronte
+ /* request the firmware, this will block until someone uploads it */
+ printk("sp887x: waiting for firmware upload (%s)...\n", SP887X_DEFAULT_FIRMWARE);
+ ret = state->config->request_firmware(fe, &fw, SP887X_DEFAULT_FIRMWARE);
+- if (ret) {
+- printk("sp887x: no firmware upload (timeout or file not found?)\n");
++ if (ret)
+ return ret;
+- }
+
+ ret = sp887x_initial_setup(fe, fw);
+ release_firmware(fw);
+--- a/drivers/media/dvb-frontends/tda10048.c
++++ b/drivers/media/dvb-frontends/tda10048.c
+@@ -483,8 +483,6 @@ static int tda10048_firmware_upload(stru
+ ret = request_firmware(&fw, TDA10048_DEFAULT_FIRMWARE,
+ state->i2c->dev.parent);
+ if (ret) {
+- printk(KERN_ERR "%s: Upload failed. (file not found?)\n",
+- __func__);
+ return -EIO;
+ } else {
+ printk(KERN_INFO "%s: firmware read %zu bytes.\n",
+--- a/drivers/media/dvb-frontends/tda1004x.c
++++ b/drivers/media/dvb-frontends/tda1004x.c
+@@ -388,10 +388,8 @@ static int tda10045_fwupload(struct dvb_
+ /* request the firmware, this will block until someone uploads it */
+ printk(KERN_INFO "tda1004x: waiting for firmware upload (%s)...\n", TDA10045_DEFAULT_FIRMWARE);
+ ret = state->config->request_firmware(fe, &fw, TDA10045_DEFAULT_FIRMWARE);
+- if (ret) {
+- printk(KERN_ERR "tda1004x: no firmware upload (timeout or file not found?)\n");
++ if (ret)
+ return ret;
+- }
+
+ /* reset chip */
+ tda1004x_write_mask(state, TDA1004X_CONFC4, 0x10, 0);
+@@ -532,7 +530,6 @@ static int tda10046_fwupload(struct dvb_
+ /* remain compatible to old bug: try to load with tda10045 image name */
+ ret = state->config->request_firmware(fe, &fw, TDA10045_DEFAULT_FIRMWARE);
+ if (ret) {
+- printk(KERN_ERR "tda1004x: no firmware upload (timeout or file not found?)\n");
+ return ret;
+ } else {
+ printk(KERN_INFO "tda1004x: please rename the firmware file to %s\n",
+--- a/drivers/media/dvb-frontends/tda10071.c
++++ b/drivers/media/dvb-frontends/tda10071.c
+@@ -838,12 +838,8 @@ static int tda10071_init(struct dvb_fron
+
+ /* request the firmware, this will block and timeout */
+ ret = request_firmware(&fw, fw_file, &client->dev);
+- if (ret) {
+- dev_err(&client->dev,
+- "did not find the firmware file '%s' (status %d). You can use <kernel_dir>/scripts/get_dvb_firmware to get the firmware\n",
+- fw_file, ret);
++ if (ret)
+ goto error;
+- }
+
+ /* init */
+ for (i = 0; i < ARRAY_SIZE(tab2); i++) {
+--- a/drivers/media/i2c/cx25840/cx25840-firmware.c
++++ b/drivers/media/i2c/cx25840/cx25840-firmware.c
+@@ -113,10 +113,8 @@ int cx25840_loadfw(struct i2c_client *cl
+ if (is_cx231xx(state) && max_buf_size > 16)
+ max_buf_size = 16;
+
+- if (request_firmware(&fw, fwname, FWDEV(client)) != 0) {
+- v4l_err(client, "unable to open firmware %s\n", fwname);
++ if (request_firmware(&fw, fwname, FWDEV(client)) != 0)
+ return -EINVAL;
+- }
+
+ start_fw_load(client);
+
+--- a/drivers/media/pci/bt8xx/bttv-cards.c
++++ b/drivers/media/pci/bt8xx/bttv-cards.c
+@@ -3904,10 +3904,8 @@ static int pvr_boot(struct bttv *btv)
+ int rc;
+
+ rc = request_firmware(&fw_entry, "hcwamc.rbf", &btv->c.pci->dev);
+- if (rc != 0) {
+- pr_warn("%d: no altera firmware [via hotplug]\n", btv->c.nr);
++ if (rc != 0)
+ return rc;
+- }
+ rc = pvr_altera_load(btv, fw_entry->data, fw_entry->size);
+ pr_info("%d: altera firmware upload %s\n",
+ btv->c.nr, (rc < 0) ? "failed" : "ok");
+--- a/drivers/media/pci/cx18/cx18-av-firmware.c
++++ b/drivers/media/pci/cx18/cx18-av-firmware.c
+@@ -70,10 +70,8 @@ int cx18_av_loadfw(struct cx18 *cx)
+ int i;
+ int retries1 = 0;
+
+- if (request_firmware(&fw, FWFILE, &cx->pci_dev->dev) != 0) {
+- CX18_ERR_DEV(sd, "unable to open firmware %s\n", FWFILE);
++ if (request_firmware(&fw, FWFILE, &cx->pci_dev->dev) != 0)
+ return -EINVAL;
+- }
+
+ /* The firmware load often has byte errors, so allow for several
+ retries, both at byte level and at the firmware load level. */
+--- a/drivers/media/pci/cx18/cx18-dvb.c
++++ b/drivers/media/pci/cx18/cx18-dvb.c
+@@ -127,9 +127,7 @@ static int yuan_mpc718_mt352_reqfw(struc
+ int ret;
+
+ ret = request_firmware(fw, fn, &cx->pci_dev->dev);
+- if (ret)
+- CX18_ERR("Unable to open firmware file %s\n", fn);
+- else {
++ if (!ret) {
+ size_t sz = (*fw)->size;
+ if (sz < 2 || sz > 64 || (sz % 2) != 0) {
+ CX18_ERR("Firmware %s has a bad size: %lu bytes\n",
+--- a/drivers/media/pci/cx18/cx18-firmware.c
++++ b/drivers/media/pci/cx18/cx18-firmware.c
+@@ -92,11 +92,8 @@ static int load_cpu_fw_direct(const char
+ u32 __iomem *dst = (u32 __iomem *)mem;
+ const u32 *src;
+
+- if (request_firmware(&fw, fn, &cx->pci_dev->dev)) {
+- CX18_ERR("Unable to open firmware %s\n", fn);
+- CX18_ERR("Did you put the firmware in the hotplug firmware directory?\n");
++ if (request_firmware(&fw, fn, &cx->pci_dev->dev))
+ return -ENOMEM;
+- }
+
+ src = (const u32 *)fw->data;
+
+@@ -137,8 +134,6 @@ static int load_apu_fw_direct(const char
+ int sz;
+
+ if (request_firmware(&fw, fn, &cx->pci_dev->dev)) {
+- CX18_ERR("unable to open firmware %s\n", fn);
+- CX18_ERR("did you put the firmware in the hotplug firmware directory?\n");
+ cx18_setup_page(cx, 0);
+ return -ENOMEM;
+ }
+--- a/drivers/media/pci/cx23885/cx23885-417.c
++++ b/drivers/media/pci/cx23885/cx23885-417.c
+@@ -920,12 +920,8 @@ static int cx23885_load_firmware(struct
+ retval = request_firmware(&firmware, CX23885_FIRM_IMAGE_NAME,
+ &dev->pci->dev);
+
+- if (retval != 0) {
+- pr_err("ERROR: Hotplug firmware request failed (%s).\n",
+- CX23885_FIRM_IMAGE_NAME);
+- pr_err("Please fix your hotplug setup, the board will not work without firmware loaded!\n");
++ if (retval != 0)
+ return -1;
+- }
+
+ if (firmware->size != CX23885_FIRM_IMAGE_SIZE) {
+ pr_err("ERROR: Firmware size mismatch (have %zu, expected %d)\n",
+--- a/drivers/media/pci/cx23885/cx23885-cards.c
++++ b/drivers/media/pci/cx23885/cx23885-cards.c
+@@ -2480,10 +2480,7 @@ void cx23885_card_setup(struct cx23885_d
+ cinfo.rev, filename);
+
+ ret = request_firmware(&fw, filename, &dev->pci->dev);
+- if (ret != 0)
+- pr_err("did not find the firmware file '%s'. You can use <kernel_dir>/scripts/get_dvb_firmware to get the firmware.",
+- filename);
+- else
++ if (ret == 0)
+ altera_init(&netup_config, fw);
+
+ release_firmware(fw);
+--- a/drivers/media/pci/cx88/cx88-blackbird.c
++++ b/drivers/media/pci/cx88/cx88-blackbird.c
+@@ -462,12 +462,8 @@ static int blackbird_load_firmware(struc
+ retval = request_firmware(&firmware, CX2341X_FIRM_ENC_FILENAME,
+ &dev->pci->dev);
+
+- if (retval != 0) {
+- pr_err("Hotplug firmware request failed (%s).\n",
+- CX2341X_FIRM_ENC_FILENAME);
+- pr_err("Please fix your hotplug setup, the board will not work without firmware loaded!\n");
++ if (retval != 0)
+ return -EIO;
+- }
+
+ if (firmware->size != BLACKBIRD_FIRM_IMAGE_SIZE) {
+ pr_err("Firmware size mismatch (have %zd, expected %d)\n",
+--- a/drivers/media/pci/ivtv/ivtv-firmware.c
++++ b/drivers/media/pci/ivtv/ivtv-firmware.c
+@@ -68,8 +68,6 @@ retry:
+ release_firmware(fw);
+ return size;
+ }
+- IVTV_ERR("Unable to open firmware %s (must be %ld bytes)\n", fn, size);
+- IVTV_ERR("Did you put the firmware in the hotplug firmware directory?\n");
+ return -ENOMEM;
+ }
+
+--- a/drivers/media/pci/ngene/ngene-core.c
++++ b/drivers/media/pci/ngene/ngene-core.c
+@@ -1236,19 +1236,14 @@ static int ngene_load_firm(struct ngene
+ break;
+ }
+
+- if (request_firmware(&fw, fw_name, &dev->pci_dev->dev) < 0) {
+- dev_err(pdev, "Could not load firmware file %s.\n", fw_name);
+- dev_info(pdev, "Copy %s to your hotplug directory!\n",
+- fw_name);
++ if (request_firmware(&fw, fw_name, &dev->pci_dev->dev))
+ return -1;
+- }
+ if (size == 0)
+ size = fw->size;
+ if (size != fw->size) {
+ dev_err(pdev, "Firmware %s has invalid size!", fw_name);
+ err = -1;
+ } else {
+- dev_info(pdev, "Loading firmware file %s.\n", fw_name);
+ ngene_fw = (u8 *) fw->data;
+ err = ngene_command_load_firmware(dev, ngene_fw, size);
+ }
+--- a/drivers/media/pci/saa7164/saa7164-fw.c
++++ b/drivers/media/pci/saa7164/saa7164-fw.c
+@@ -406,11 +406,8 @@ int saa7164_downloadfirmware(struct saa7
+ __func__, fwname);
+
+ ret = request_firmware(&fw, fwname, &dev->pci->dev);
+- if (ret) {
+- printk(KERN_ERR "%s() Upload failed. (file not found?)\n",
+- __func__);
++ if (ret)
+ return -ENOMEM;
+- }
+
+ printk(KERN_INFO "%s() firmware read %zu bytes.\n",
+ __func__, fw->size);
+--- a/drivers/media/pci/ttpci/av7110.c
++++ b/drivers/media/pci/ttpci/av7110.c
+@@ -1501,13 +1501,8 @@ static int get_firmware(struct av7110* a
+ /* request the av7110 firmware, this will block until someone uploads it */
+ ret = request_firmware(&fw, "dvb-ttpci-01.fw", &av7110->dev->pci->dev);
+ if (ret) {
+- if (ret == -ENOENT) {
+- printk(KERN_ERR "dvb-ttpci: could not load firmware, file not found: dvb-ttpci-01.fw\n");
+- printk(KERN_ERR "dvb-ttpci: usually this should be in /usr/lib/hotplug/firmware or /lib/firmware\n");
+- printk(KERN_ERR "dvb-ttpci: and can be downloaded from https://linuxtv.org/download/dvb/firmware/\n");
+- } else
+- printk(KERN_ERR "dvb-ttpci: cannot request firmware (error %i)\n",
+- ret);
++ if (ret == -ENOENT)
++ printk(KERN_ERR "dvb-ttpci: firmware can be downloaded from https://linuxtv.org/download/dvb/firmware/\n");
+ return -EINVAL;
+ }
+
+--- a/drivers/media/pci/ttpci/av7110_hw.c
++++ b/drivers/media/pci/ttpci/av7110_hw.c
+@@ -235,11 +235,8 @@ int av7110_bootarm(struct av7110 *av7110
+ //saa7146_setgpio(dev, 3, SAA7146_GPIO_INPUT);
+
+ ret = request_firmware(&fw, fw_name, &dev->pci->dev);
+- if (ret) {
+- printk(KERN_ERR "dvb-ttpci: Failed to load firmware \"%s\"\n",
+- fw_name);
++ if (ret)
+ return ret;
+- }
+
+ mwdebi(av7110, DEBISWAB, DPRAM_BASE, fw->data, fw->size);
+ release_firmware(fw);
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
+@@ -65,10 +65,8 @@ int s5p_mfc_load_firmware(struct s5p_mfc
+ }
+ }
+
+- if (err != 0) {
+- mfc_err("Firmware is not present in the /lib/firmware directory nor compiled in kernel\n");
++ if (err != 0)
+ return -EINVAL;
+- }
+ if (fw_blob->size > dev->fw_buf.size) {
+ mfc_err("MFC firmware is too big to be loaded\n");
+ release_firmware(fw_blob);
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -502,11 +502,8 @@ static int wl1273_fm_upload_firmware_pat
+ * Uploading the firmware patch is not always necessary,
+ * so we only print an info message.
+ */
+- if (request_firmware(&fw_p, fw_name, dev)) {
+- dev_info(dev, "%s - %s not found\n", __func__, fw_name);
+-
++ if (request_firmware(&fw_p, fw_name, dev))
+ return 0;
+- }
+
+ ptr = (__u8 *) fw_p->data;
+ packet_num = ptr[0];
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -1240,10 +1240,8 @@ static int fm_download_firmware(struct f
+
+ ret = request_firmware(&fw_entry, fw_name,
+ &fmdev->radio_dev->dev);
+- if (ret < 0) {
+- fmerr("Unable to read firmware(%s) content\n", fw_name);
++ if (ret)
+ return ret;
+- }
+ fmdbg("Firmware(%s) length : %zu bytes\n", fw_name, fw_entry->size);
+
+ fw_data = (void *)fw_entry->data;
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -1366,7 +1366,6 @@ static void load_firmware_cb(const struc
+
+ tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error");
+ if (!fw) {
+- tuner_err("Could not load firmware %s.\n", priv->fname);
+ priv->state = XC2028_NODEV;
+ return;
+ }
+--- a/drivers/media/usb/cpia2/cpia2_core.c
++++ b/drivers/media/usb/cpia2/cpia2_core.c
+@@ -912,11 +912,8 @@ static int apply_vp_patch(struct camera_
+ struct cpia2_command cmd;
+
+ ret = request_firmware(&fw, fw_name, &cam->dev->dev);
+- if (ret) {
+- printk(KERN_ERR "cpia2: failed to load VP patch \"%s\"\n",
+- fw_name);
++ if (ret)
+ return ret;
+- }
+
+ cmd.req_mode = CAMERAACCESS_TYPE_REPEAT | CAMERAACCESS_VP;
+ cmd.direction = TRANSFER_WRITE;
+--- a/drivers/media/usb/cx231xx/cx231xx-417.c
++++ b/drivers/media/usb/cx231xx/cx231xx-417.c
+@@ -983,11 +983,6 @@ static int cx231xx_load_firmware(struct
+ dev->dev);
+
+ if (retval != 0) {
+- dev_err(dev->dev,
+- "ERROR: Hotplug firmware request failed (%s).\n",
+- CX231xx_FIRM_IMAGE_NAME);
+- dev_err(dev->dev,
+- "Please fix your hotplug setup, the board will not work without firmware loaded!\n");
+ vfree(p_current_fw);
+ vfree(p_buffer);
+ return retval;
+--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
+@@ -2408,12 +2408,9 @@ static int stk9090m_frontend_attach(stru
+
+ dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, 0x80);
+
+- if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev)) {
+- deb_info("%s: Upload failed. (file not found?)\n", __func__);
++ if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev))
+ return -ENODEV;
+- } else {
+- deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size);
+- }
++ deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size);
+ stk9090m_config.microcode_B_fe_size = state->frontend_firmware->size;
+ stk9090m_config.microcode_B_fe_buffer = state->frontend_firmware->data;
+
+@@ -2478,12 +2475,9 @@ static int nim9090md_frontend_attach(str
+ msleep(20);
+ dib0700_set_gpio(adap->dev, GPIO0, GPIO_OUT, 1);
+
+- if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev)) {
+- deb_info("%s: Upload failed. (file not found?)\n", __func__);
++ if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev))
+ return -EIO;
+- } else {
+- deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size);
+- }
++ deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size);
+ nim9090md_config[0].microcode_B_fe_size = state->frontend_firmware->size;
+ nim9090md_config[0].microcode_B_fe_buffer = state->frontend_firmware->data;
+ nim9090md_config[1].microcode_B_fe_size = state->frontend_firmware->size;
+--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
+@@ -90,13 +90,9 @@ int dvb_usb_download_firmware(struct usb
+ int ret;
+ const struct firmware *fw = NULL;
+
+- if ((ret = request_firmware(&fw, props->firmware, &udev->dev)) != 0) {
+- err("did not find the firmware file '%s' (status %d). You can use <kernel_dir>/scripts/get_dvb_firmware to get the firmware",
+- props->firmware,ret);
++ ret = request_firmware(&fw, props->firmware, &udev->dev);
++ if (ret)
+ return ret;
+- }
+-
+- info("downloading firmware from file '%s'",props->firmware);
+
+ switch (props->usb_ctrl) {
+ case CYPRESS_AN2135:
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -131,19 +131,14 @@ static int gp8psk_load_bcm4500fw(struct
+ const u8 *ptr;
+ u8 *buf;
+ if ((ret = request_firmware(&fw, bcm4500_firmware,
+- &d->udev->dev)) != 0) {
+- err("did not find the bcm4500 firmware file '%s' (status %d). You can use <kernel_dir>/scripts/get_dvb_firmware to get the firmware",
+- bcm4500_firmware,ret);
++ &d->udev->dev)) != 0)
+ return ret;
+- }
+
+ ret = -EINVAL;
+
+ if (gp8psk_usb_out_op(d, LOAD_BCM4500,1,0,NULL, 0))
+ goto out_rel_fw;
+
+- info("downloading bcm4500 firmware from file '%s'",bcm4500_firmware);
+-
+ ptr = fw->data;
+ buf = kmalloc(64, GFP_KERNEL);
+ if (!buf) {
+--- a/drivers/media/usb/dvb-usb/opera1.c
++++ b/drivers/media/usb/dvb-usb/opera1.c
+@@ -450,8 +450,6 @@ static int opera1_xilinx_load_firmware(s
+ info("start downloading fpga firmware %s",filename);
+
+ if ((ret = request_firmware(&fw, filename, &dev->dev)) != 0) {
+- err("did not find the firmware file '%s'. You can use <kernel_dir>/scripts/get_dvb_firmware to get the firmware",
+- filename);
+ return ret;
+ } else {
+ p = kmalloc(fw->size, GFP_KERNEL);
+--- a/drivers/media/usb/go7007/go7007-driver.c
++++ b/drivers/media/usb/go7007/go7007-driver.c
+@@ -84,10 +84,8 @@ static int go7007_load_encoder(struct go
+ u16 intr_val, intr_data;
+
+ if (go->boot_fw == NULL) {
+- if (request_firmware(&fw_entry, fw_name, go->dev)) {
+- v4l2_err(go, "unable to load firmware from file \"%s\"\n", fw_name);
++ if (request_firmware(&fw_entry, fw_name, go->dev))
+ return -1;
+- }
+ if (fw_entry->size < 16 || memcmp(fw_entry->data, "WISGO7007FW", 11)) {
+ v4l2_err(go, "file \"%s\" does not appear to be go7007 firmware\n", fw_name);
+ release_firmware(fw_entry);
+--- a/drivers/media/usb/go7007/go7007-fw.c
++++ b/drivers/media/usb/go7007/go7007-fw.c
+@@ -1565,12 +1565,8 @@ int go7007_construct_fw_image(struct go7
+ default:
+ return -1;
+ }
+- if (request_firmware(&fw_entry, GO7007_FW_NAME, go->dev)) {
+- dev_err(go->dev,
+- "unable to load firmware from file \"%s\"\n",
+- GO7007_FW_NAME);
++ if (request_firmware(&fw_entry, GO7007_FW_NAME, go->dev))
+ return -1;
+- }
+ code = kcalloc(codespace, 2, GFP_KERNEL);
+ if (code == NULL)
+ goto fw_failed;
+--- a/drivers/media/usb/go7007/go7007-loader.c
++++ b/drivers/media/usb/go7007/go7007-loader.c
+@@ -67,11 +67,8 @@ static int go7007_loader_probe(struct us
+
+ dev_info(&interface->dev, "loading firmware %s\n", fw1);
+
+- if (request_firmware(&fw, fw1, &usbdev->dev)) {
+- dev_err(&interface->dev,
+- "unable to load firmware from file \"%s\"\n", fw1);
++ if (request_firmware(&fw, fw1, &usbdev->dev))
+ goto failed2;
+- }
+ ret = cypress_load_firmware(usbdev, fw, CYPRESS_FX2);
+ release_firmware(fw);
+ if (0 != ret) {
+@@ -82,11 +79,8 @@ static int go7007_loader_probe(struct us
+ if (fw2 == NULL)
+ return 0;
+
+- if (request_firmware(&fw, fw2, &usbdev->dev)) {
+- dev_err(&interface->dev,
+- "unable to load firmware from file \"%s\"\n", fw2);
++ if (request_firmware(&fw, fw2, &usbdev->dev))
+ goto failed2;
+- }
+ ret = cypress_load_firmware(usbdev, fw, CYPRESS_FX2);
+ release_firmware(fw);
+ if (0 != ret) {
+--- a/drivers/media/usb/gspca/vicam.c
++++ b/drivers/media/usb/gspca/vicam.c
+@@ -230,10 +230,8 @@ static int sd_init(struct gspca_dev *gsp
+
+ ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
+ &gspca_dev->dev->dev);
+- if (ret) {
+- pr_err("Failed to load \"vicam/firmware.fw\": %d\n", ret);
++ if (ret)
+ return ret;
+- }
+
+ firmware_buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
+ if (!firmware_buf) {
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -1370,25 +1370,6 @@ static int pvr2_locate_firmware(struct p
+ "request_firmware fatal error with code=%d",ret);
+ return ret;
+ }
+- pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "***WARNING*** Device %s firmware seems to be missing.",
+- fwtypename);
+- pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "Did you install the pvrusb2 firmware files in their proper location?");
+- if (fwcount == 1) {
+- pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "request_firmware unable to locate %s file %s",
+- fwtypename,fwnames[0]);
+- } else {
+- pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "request_firmware unable to locate one of the following %s files:",
+- fwtypename);
+- for (idx = 0; idx < fwcount; idx++) {
+- pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "request_firmware: Failed to find %s",
+- fwnames[idx]);
+- }
+- }
+ return ret;
+ }
+
+--- a/drivers/media/usb/s2255/s2255drv.c
++++ b/drivers/media/usb/s2255/s2255drv.c
+@@ -2278,10 +2278,8 @@ static int s2255_probe(struct usb_interf
+ }
+ /* load the first chunk */
+ if (request_firmware(&dev->fw_data->fw,
+- FIRMWARE_FILE_NAME, &dev->udev->dev)) {
+- dev_err(&interface->dev, "sensoray 2255 failed to get firmware\n");
++ FIRMWARE_FILE_NAME, &dev->udev->dev))
+ goto errorREQFW;
+- }
+ /* check the firmware is valid */
+ fw_size = dev->fw_data->fw->size;
+ pdata = (__le32 *) &dev->fw_data->fw->data[fw_size - 8];
+--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
++++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+@@ -282,10 +282,8 @@ static int ttusb_boot_dsp(struct ttusb *
+
+ err = request_firmware(&fw, "ttusb-budget/dspbootcode.bin",
+ &ttusb->dev->dev);
+- if (err) {
+- pr_err("failed to request firmware\n");
++ if (err)
+ return err;
+- }
+
+ /* BootBlock */
+ b[0] = 0xaa;
+--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
+@@ -1324,11 +1324,8 @@ static int ttusb_dec_boot_dsp(struct ttu
+ dprintk("%s\n", __func__);
+
+ result = request_firmware(&fw_entry, dec->firmware_name, &dec->udev->dev);
+- if (result) {
+- printk(KERN_ERR "%s: Firmware (%s) unavailable.\n",
+- __func__, dec->firmware_name);
++ if (result)
+ return result;
+- }
+
+ firmware = fw_entry->data;
+ firmware_size = fw_entry->size;
+--- a/drivers/misc/ti-st/st_kim.c
++++ b/drivers/misc/ti-st/st_kim.c
+@@ -295,11 +295,8 @@ static long download_firmware(struct kim
+ request_firmware(&kim_gdata->fw_entry, bts_scr_name,
+ &kim_gdata->kim_pdev->dev);
+ if (unlikely((err != 0) || (kim_gdata->fw_entry->data == NULL) ||
+- (kim_gdata->fw_entry->size == 0))) {
+- pr_err(" request_firmware failed(errno %ld) for %s", err,
+- bts_scr_name);
++ (kim_gdata->fw_entry->size == 0)))
+ return -EINVAL;
+- }
+ ptr = (void *)kim_gdata->fw_entry->data;
+ len = kim_gdata->fw_entry->size;
+ /*
+--- a/drivers/net/can/softing/softing_fw.c
++++ b/drivers/net/can/softing/softing_fw.c
+@@ -226,11 +226,8 @@ int softing_load_app_fw(const char *file
+ int8_t type_end = 0, type_entrypoint = 0;
+
+ ret = request_firmware(&fw, file, &card->pdev->dev);
+- if (ret) {
+- dev_alert(&card->pdev->dev, "request_firmware(%s) got %i\n",
+- file, ret);
++ if (ret)
+ return ret;
+- }
+ dev_dbg(&card->pdev->dev, "firmware(%s) got %lu bytes\n",
+ file, (unsigned long)fw->size);
+ /* parse the firmware */
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -1282,11 +1282,8 @@ typhoon_request_firmware(struct typhoon
+ return 0;
+
+ err = request_firmware(&typhoon_fw, FIRMWARE_NAME, &tp->pdev->dev);
+- if (err) {
+- netdev_err(tp->dev, "Failed to load firmware \"%s\"\n",
+- FIRMWARE_NAME);
++ if (err)
+ return err;
+- }
+
+ image_data = typhoon_fw->data;
+ remaining = typhoon_fw->size;
+--- a/drivers/net/ethernet/adaptec/starfire.c
++++ b/drivers/net/ethernet/adaptec/starfire.c
+@@ -1002,11 +1002,8 @@ static int netdev_open(struct net_device
+ #endif /* VLAN_SUPPORT */
+
+ retval = request_firmware(&fw_rx, FIRMWARE_RX, &np->pci_dev->dev);
+- if (retval) {
+- printk(KERN_ERR "starfire: Failed to load firmware \"%s\"\n",
+- FIRMWARE_RX);
++ if (retval)
+ goto out_init;
+- }
+ if (fw_rx->size % 4) {
+ printk(KERN_ERR "starfire: bogus length %zu in \"%s\"\n",
+ fw_rx->size, FIRMWARE_RX);
+@@ -1014,11 +1011,8 @@ static int netdev_open(struct net_device
+ goto out_rx;
+ }
+ retval = request_firmware(&fw_tx, FIRMWARE_TX, &np->pci_dev->dev);
+- if (retval) {
+- printk(KERN_ERR "starfire: Failed to load firmware \"%s\"\n",
+- FIRMWARE_TX);
++ if (retval)
+ goto out_rx;
+- }
+ if (fw_tx->size % 4) {
+ printk(KERN_ERR "starfire: bogus length %zu in \"%s\"\n",
+ fw_tx->size, FIRMWARE_TX);
+--- a/drivers/net/ethernet/alacritech/slicoss.c
++++ b/drivers/net/ethernet/alacritech/slicoss.c
+@@ -1051,11 +1051,8 @@ static int slic_load_rcvseq_firmware(str
+ file = (sdev->model == SLIC_MODEL_OASIS) ? SLIC_RCV_FIRMWARE_OASIS :
+ SLIC_RCV_FIRMWARE_MOJAVE;
+ err = request_firmware(&fw, file, &sdev->pdev->dev);
+- if (err) {
+- dev_err(&sdev->pdev->dev,
+- "failed to load receive sequencer firmware %s\n", file);
++ if (err)
+ return err;
+- }
+ /* Do an initial sanity check concerning firmware size now. A further
+ * check follows below.
+ */
+@@ -1126,10 +1123,8 @@ static int slic_load_firmware(struct sli
+ file = (sdev->model == SLIC_MODEL_OASIS) ? SLIC_FIRMWARE_OASIS :
+ SLIC_FIRMWARE_MOJAVE;
+ err = request_firmware(&fw, file, &sdev->pdev->dev);
+- if (err) {
+- dev_err(&sdev->pdev->dev, "failed to load firmware %s\n", file);
++ if (err)
+ return err;
+- }
+ /* Do an initial sanity check concerning firmware size now. A further
+ * check follows below.
+ */
+--- a/drivers/net/ethernet/alteon/acenic.c
++++ b/drivers/net/ethernet/alteon/acenic.c
+@@ -2881,11 +2881,8 @@ static int ace_load_firmware(struct net_
+ fw_name = "acenic/tg1.bin";
+
+ ret = request_firmware(&fw, fw_name, &ap->pdev->dev);
+- if (ret) {
+- printk(KERN_ERR "%s: Failed to load firmware \"%s\"\n",
+- ap->name, fw_name);
++ if (ret)
+ return ret;
+- }
+
+ fw_data = (void *)fw->data;
+
+--- a/drivers/net/ethernet/broadcom/bnx2.c
++++ b/drivers/net/ethernet/broadcom/bnx2.c
+@@ -3712,16 +3712,13 @@ static int bnx2_request_uncached_firmwar
+ }
+
+ rc = request_firmware(&bp->mips_firmware, mips_fw_file, &bp->pdev->dev);
+- if (rc) {
+- pr_err("Can't load firmware file \"%s\"\n", mips_fw_file);
++ if (rc)
+ goto out;
+- }
+
+ rc = request_firmware(&bp->rv2p_firmware, rv2p_fw_file, &bp->pdev->dev);
+- if (rc) {
+- pr_err("Can't load firmware file \"%s\"\n", rv2p_fw_file);
++ if (rc)
+ goto err_release_mips_firmware;
+- }
++
+ mips_fw = (const struct bnx2_mips_fw_file *) bp->mips_firmware->data;
+ rv2p_fw = (const struct bnx2_rv2p_fw_file *) bp->rv2p_firmware->data;
+ if (bp->mips_firmware->size < sizeof(*mips_fw) ||
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -11413,11 +11413,8 @@ static int tg3_request_firmware(struct t
+ {
+ const struct tg3_firmware_hdr *fw_hdr;
+
+- if (request_firmware(&tp->fw, tp->fw_needed, &tp->pdev->dev)) {
+- netdev_err(tp->dev, "Failed to load firmware \"%s\"\n",
+- tp->fw_needed);
++ if (request_firmware(&tp->fw, tp->fw_needed, &tp->pdev->dev))
+ return -ENOENT;
+- }
+
+ fw_hdr = (struct tg3_firmware_hdr *)tp->fw->data;
+
+--- a/drivers/net/ethernet/brocade/bna/cna_fwimg.c
++++ b/drivers/net/ethernet/brocade/bna/cna_fwimg.c
+@@ -24,10 +24,8 @@ cna_read_firmware(struct pci_dev *pdev,
+ const struct firmware *fw;
+ u32 n;
+
+- if (request_firmware(&fw, fw_name, &pdev->dev)) {
+- dev_alert(&pdev->dev, "can't load firmware %s\n", fw_name);
++ if (request_firmware(&fw, fw_name, &pdev->dev))
+ goto error;
+- }
+
+ *bfi_image = (u32 *)fw->data;
+ *bfi_image_size = fw->size/sizeof(u32);
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -1036,12 +1036,8 @@ int t3_get_edc_fw(struct cphy *phy, int
+ fw_name = get_edc_fw_name(edc_idx);
+ if (fw_name)
+ ret = request_firmware(&fw, fw_name, &adapter->pdev->dev);
+- if (ret < 0) {
+- dev_err(&adapter->pdev->dev,
+- "could not upgrade firmware: unable to load %s\n",
+- fw_name);
++ if (ret)
+ return ret;
+- }
+
+ /* check size, take checksum in account */
+ if (fw->size > size + 4) {
+@@ -1078,11 +1074,8 @@ static int upgrade_fw(struct adapter *ad
+ struct device *dev = &adap->pdev->dev;
+
+ ret = request_firmware(&fw, FW_FNAME, dev);
+- if (ret < 0) {
+- dev_err(dev, "could not upgrade firmware: unable to load %s\n",
+- FW_FNAME);
++ if (ret)
+ return ret;
+- }
+ ret = t3_load_fw(adap, fw->data, fw->size);
+ release_firmware(fw);
+
+@@ -1127,11 +1120,8 @@ static int update_tpsram(struct adapter
+ snprintf(buf, sizeof(buf), TPSRAM_NAME, rev);
+
+ ret = request_firmware(&tpsram, buf, dev);
+- if (ret < 0) {
+- dev_err(dev, "could not load TP SRAM: unable to load %s\n",
+- buf);
++ if (ret)
+ return ret;
+- }
+
+ ret = t3_check_tpsram(adap, tpsram->data, tpsram->size);
+ if (ret)
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1262,9 +1262,6 @@ static const struct firmware *e100_reque
+
+ if (err) {
+ if (required) {
+- netif_err(nic, probe, nic->netdev,
+- "Failed to load firmware \"%s\": %d\n",
+- fw_name, err);
+ return ERR_PTR(err);
+ } else {
+ netif_info(nic, probe, nic->netdev,
+--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+@@ -580,8 +580,6 @@ static int myri10ge_load_hotplug_firmwar
+ unsigned i;
+
+ if ((status = request_firmware(&fw, mgp->fw_name, dev)) < 0) {
+- dev_err(dev, "Unable to load %s firmware image via hotplug\n",
+- mgp->fw_name);
+ status = -EINVAL;
+ goto abort_with_nothing;
+ }
+--- a/drivers/net/ethernet/smsc/smc91c92_cs.c
++++ b/drivers/net/ethernet/smsc/smc91c92_cs.c
+@@ -647,10 +647,8 @@ static int osi_load_firmware(struct pcmc
+ int i, err;
+
+ err = request_firmware(&fw, FIRMWARE_NAME, &link->dev);
+- if (err) {
+- pr_err("Failed to load firmware \"%s\"\n", FIRMWARE_NAME);
++ if (err)
+ return err;
+- }
+
+ /* Download the Seven of Diamonds firmware */
+ for (i = 0; i < fw->size; i++) {
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -793,11 +793,8 @@ static void cas_saturn_firmware_init(str
+ return;
+
+ err = request_firmware(&fw, fw_name, &cp->pdev->dev);
+- if (err) {
+- pr_err("Failed to load firmware \"%s\"\n",
+- fw_name);
++ if (err)
+ return;
+- }
+ if (fw->size < 2) {
+ pr_err("bogus length %zu in \"%s\"\n",
+ fw->size, fw_name);
+--- a/drivers/net/hamradio/yam.c
++++ b/drivers/net/hamradio/yam.c
+@@ -357,11 +357,8 @@ static unsigned char *add_mcs(unsigned c
+ }
+ err = request_firmware(&fw, fw_name[predef], &pdev->dev);
+ platform_device_unregister(pdev);
+- if (err) {
+- printk(KERN_ERR "Failed to load firmware \"%s\"\n",
+- fw_name[predef]);
++ if (err)
+ return NULL;
+- }
+ if (fw->size != YAM_FPGA_SIZE) {
+ printk(KERN_ERR "Bogus length %zu in firmware \"%s\"\n",
+ fw->size, fw_name[predef]);
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -305,10 +305,8 @@ static int kaweth_download_firmware(stru
+ int ret;
+
+ ret = request_firmware(&fw, fwname, &kaweth->dev->dev);
+- if (ret) {
+- dev_err(&kaweth->intf->dev, "Firmware request failed\n");
++ if (ret)
+ return ret;
+- }
+
+ if (fw->size > KAWETH_FIRMWARE_BUF_SIZE) {
+ dev_err(&kaweth->intf->dev, "Firmware too big: %zu\n",
+--- a/drivers/net/wimax/i2400m/fw.c
++++ b/drivers/net/wimax/i2400m/fw.c
+@@ -1578,11 +1578,8 @@ int i2400m_dev_bootstrap(struct i2400m *
+ }
+ d_printf(1, dev, "trying firmware %s (%d)\n", fw_name, itr);
+ ret = request_firmware(&fw, fw_name, dev);
+- if (ret < 0) {
+- dev_err(dev, "fw %s: cannot load file: %d\n",
+- fw_name, ret);
++ if (ret)
+ continue;
+- }
+ i2400m->fw_name = fw_name;
+ ret = i2400m_fw_bootstrap(i2400m, fw, flags);
+ release_firmware(fw);
+@@ -1625,8 +1622,6 @@ void i2400m_fw_cache(struct i2400m *i240
+ kref_init(&i2400m_fw->kref);
+ result = request_firmware(&i2400m_fw->fw, i2400m->fw_name, dev);
+ if (result < 0) {
+- dev_err(dev, "firmware %s: failed to cache: %d\n",
+- i2400m->fw_name, result);
+ kfree(i2400m_fw);
+ i2400m_fw = (void *) ~0;
+ } else
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1216,9 +1216,6 @@ static void ath9k_hif_usb_firmware_cb(co
+ if (!ret)
+ return;
+
+- dev_err(&hif_dev->udev->dev,
+- "ath9k_htc: Failed to get firmware %s\n",
+- hif_dev->fw_name);
+ goto err_fw;
+ }
+
+--- a/drivers/net/wireless/ath/carl9170/usb.c
++++ b/drivers/net/wireless/ath/carl9170/usb.c
+@@ -1029,7 +1029,6 @@ static void carl9170_usb_firmware_step2(
+ return;
+ }
+
+- dev_err(&ar->udev->dev, "firmware not found.\n");
+ carl9170_usb_firmware_failed(ar);
+ }
+
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -1616,13 +1616,8 @@ static struct fwentry *at76_load_firmwar
+
+ at76_dbg(DBG_FW, "downloading firmware %s", fwe->fwname);
+ ret = request_firmware(&fwe->fw, fwe->fwname, &udev->dev);
+- if (ret < 0) {
+- dev_err(&udev->dev, "firmware %s not found!\n",
+- fwe->fwname);
+- dev_err(&udev->dev,
+- "you may need to download the firmware from http://developer.berlios.de/projects/at76c503a/\n");
++ if (ret)
+ goto exit;
+- }
+
+ at76_dbg(DBG_FW, "got it.");
+ fwh = (struct at76_fw_header *)(fwe->fw->data);
+--- a/drivers/net/wireless/atmel/atmel.c
++++ b/drivers/net/wireless/atmel/atmel.c
+@@ -3892,12 +3892,8 @@ static int reset_atmel_card(struct net_d
+ strcpy(priv->firmware_id, "atmel_at76c502.bin");
+ }
+ err = request_firmware(&fw_entry, priv->firmware_id, priv->sys_dev);
+- if (err != 0) {
+- printk(KERN_ALERT
+- "%s: firmware %s is missing, cannot continue.\n",
+- dev->name, priv->firmware_id);
++ if (err != 0)
+ return err;
+- }
+ } else {
+ int fw_index = 0;
+ int success = 0;
+--- a/drivers/net/wireless/broadcom/b43/main.c
++++ b/drivers/net/wireless/broadcom/b43/main.c
+@@ -2245,19 +2245,8 @@ int b43_do_request_fw(struct b43_request
+ }
+ err = request_firmware(&ctx->blob, ctx->fwname,
+ ctx->dev->dev->dev);
+- if (err == -ENOENT) {
+- snprintf(ctx->errors[ctx->req_type],
+- sizeof(ctx->errors[ctx->req_type]),
+- "Firmware file \"%s\" not found\n",
+- ctx->fwname);
++ if (err)
+ return err;
+- } else if (err) {
+- snprintf(ctx->errors[ctx->req_type],
+- sizeof(ctx->errors[ctx->req_type]),
+- "Firmware file \"%s\" request failed (err=%d)\n",
+- ctx->fwname, err);
+- return err;
+- }
+ fw_ready:
+ if (ctx->blob->size < sizeof(struct b43_fw_header))
+ goto err_format;
+--- a/drivers/net/wireless/broadcom/b43legacy/main.c
++++ b/drivers/net/wireless/broadcom/b43legacy/main.c
+@@ -1524,11 +1524,8 @@ static int do_request_fw(struct b43legac
+ } else {
+ err = request_firmware(fw, path, dev->dev->dev);
+ }
+- if (err) {
+- b43legacyerr(dev->wl, "Firmware file \"%s\" not found "
+- "or load failed.\n", path);
++ if (err)
+ return err;
+- }
+ if ((*fw)->size < sizeof(struct b43legacy_fw_header))
+ goto err_format;
+ hdr = (struct b43legacy_fw_header *)((*fw)->data);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -377,19 +377,13 @@ static int brcms_request_fw(struct brcms
+ sprintf(fw_name, "%s-%d.fw", brcms_firmwares[i],
+ UCODE_LOADER_API_VER);
+ status = request_firmware(&wl->fw.fw_bin[i], fw_name, device);
+- if (status) {
+- wiphy_err(wl->wiphy, "%s: fail to load firmware %s\n",
+- KBUILD_MODNAME, fw_name);
++ if (status)
+ return status;
+- }
+ sprintf(fw_name, "%s_hdr-%d.fw", brcms_firmwares[i],
+ UCODE_LOADER_API_VER);
+ status = request_firmware(&wl->fw.fw_hdr[i], fw_name, device);
+- if (status) {
+- wiphy_err(wl->wiphy, "%s: fail to load firmware %s\n",
+- KBUILD_MODNAME, fw_name);
++ if (status)
+ return status;
+- }
+ wl->fw.hdr_num_entries[i] =
+ wl->fw.fw_hdr[i]->size / (sizeof(struct firmware_hdr));
+ }
+--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c
++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c
+@@ -8370,12 +8370,8 @@ static int ipw2100_get_firmware(struct i
+
+ rc = request_firmware(&fw->fw_entry, fw_name, &priv->pci_dev->dev);
+
+- if (rc < 0) {
+- printk(KERN_ERR DRV_NAME ": "
+- "%s: Firmware '%s' not available or load failed.\n",
+- priv->net_dev->name, fw_name);
++ if (rc)
+ return rc;
+- }
+ IPW_DEBUG_INFO("firmware data %p size %zd\n", fw->fw_entry->data,
+ fw->fw_entry->size);
+
+--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c
+@@ -3396,10 +3396,8 @@ static int ipw_get_fw(struct ipw_priv *p
+
+ /* ask firmware_class module to get the boot firmware off disk */
+ rc = request_firmware(raw, name, &priv->pci_dev->dev);
+- if (rc < 0) {
+- IPW_ERROR("%s request_firmware failed: Reason %d\n", name, rc);
++ if (rc)
+ return rc;
+- }
+
+ if ((*raw)->size < sizeof(*fw)) {
+ IPW_ERROR("%s is too small (%zd)\n", name, (*raw)->size);
+--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c
+@@ -1837,7 +1837,6 @@ il3945_read_ucode(struct il_priv *il)
+ sprintf(buf, "%s%u%s", name_pre, idx, ".ucode");
+ ret = request_firmware(&ucode_raw, buf, &il->pci_dev->dev);
+ if (ret < 0) {
+- IL_ERR("%s firmware file req failed: %d\n", buf, ret);
+ if (ret == -ENOENT)
+ continue;
+ else
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -235,8 +235,6 @@ static int iwl_request_firmware(struct i
+ }
+
+ if (drv->fw_index < cfg->ucode_api_min) {
+- IWL_ERR(drv, "no suitable firmware found!\n");
+-
+ if (cfg->ucode_api_min == cfg->ucode_api_max) {
+ IWL_ERR(drv, "%s%d is required\n", cfg->fw_name_pre,
+ cfg->ucode_api_max);
+--- a/drivers/net/wireless/intersil/orinoco/fw.c
++++ b/drivers/net/wireless/intersil/orinoco/fw.c
+@@ -132,7 +132,6 @@ orinoco_dl_firmware(struct orinoco_priva
+ err = request_firmware(&fw_entry, firmware, priv->dev);
+
+ if (err) {
+- dev_err(dev, "Cannot find firmware %s\n", firmware);
+ err = -ENOENT;
+ goto free;
+ }
+@@ -292,10 +291,8 @@ symbol_dl_firmware(struct orinoco_privat
+ const struct firmware *fw_entry;
+
+ if (!orinoco_cached_fw_get(priv, true)) {
+- if (request_firmware(&fw_entry, fw->pri_fw, priv->dev) != 0) {
+- dev_err(dev, "Cannot find firmware: %s\n", fw->pri_fw);
++ if (request_firmware(&fw_entry, fw->pri_fw, priv->dev) != 0)
+ return -ENOENT;
+- }
+ } else
+ fw_entry = orinoco_cached_fw_get(priv, true);
+
+@@ -311,10 +308,8 @@ symbol_dl_firmware(struct orinoco_privat
+ }
+
+ if (!orinoco_cached_fw_get(priv, false)) {
+- if (request_firmware(&fw_entry, fw->sta_fw, priv->dev) != 0) {
+- dev_err(dev, "Cannot find firmware: %s\n", fw->sta_fw);
++ if (request_firmware(&fw_entry, fw->sta_fw, priv->dev) != 0)
+ return -ENOENT;
+- }
+ } else
+ fw_entry = orinoco_cached_fw_get(priv, false);
+
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+@@ -1664,7 +1664,6 @@ static int ezusb_probe(struct usb_interf
+ if (ezusb_firmware_download(upriv, &firmware) < 0)
+ goto error;
+ } else {
+- err("No firmware to download");
+ goto error;
+ }
+
+--- a/drivers/net/wireless/intersil/p54/p54pci.c
++++ b/drivers/net/wireless/intersil/p54/p54pci.c
+@@ -502,7 +502,6 @@ static void p54p_firmware_step2(const st
+ int err;
+
+ if (!fw) {
+- dev_err(&pdev->dev, "Cannot find firmware (isl3886pci)\n");
+ err = -ENOENT;
+ goto out;
+ }
+--- a/drivers/net/wireless/intersil/p54/p54spi.c
++++ b/drivers/net/wireless/intersil/p54/p54spi.c
+@@ -157,10 +157,8 @@ static int p54spi_request_firmware(struc
+ /* FIXME: should driver use it's own struct device? */
+ ret = request_firmware(&priv->firmware, "3826.arm", &priv->spi->dev);
+
+- if (ret < 0) {
+- dev_err(&priv->spi->dev, "request_firmware() failed: %d", ret);
++ if (ret)
+ return ret;
+- }
+
+ ret = p54_parse_firmware(dev, priv->firmware);
+ if (ret) {
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -929,7 +929,6 @@ static void p54u_load_firmware_cb(const
+ err = p54u_start_ops(priv);
+ } else {
+ err = -ENOENT;
+- dev_err(&udev->dev, "Firmware not found.\n");
+ }
+
+ complete(&priv->fw_wait_load);
+--- a/drivers/net/wireless/intersil/prism54/islpci_dev.c
++++ b/drivers/net/wireless/intersil/prism54/islpci_dev.c
+@@ -80,12 +80,9 @@ isl_upload_firmware(islpci_private *priv
+ const u32 *fw_ptr;
+
+ rc = request_firmware(&fw_entry, priv->firmware, PRISM_FW_PDEV);
+- if (rc) {
+- printk(KERN_ERR
+- "%s: request_firmware() failed for '%s'\n",
+- "prism54", priv->firmware);
++ if (rc)
+ return rc;
+- }
++
+ /* prepare the Direct Memory Base register */
+ reg = ISL38XX_DEV_FIRMWARE_ADDRES;
+
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -818,8 +818,6 @@ static int if_usb_prog_firmware(struct l
+ kernel_param_lock(THIS_MODULE);
+ ret = request_firmware(&cardp->fw, lbtf_fw_name, &cardp->udev->dev);
+ if (ret < 0) {
+- pr_err("request_firmware() failed with %#x\n", ret);
+- pr_err("firmware %s not found\n", lbtf_fw_name);
+ kernel_param_unlock(THIS_MODULE);
+ goto done;
+ }
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -527,11 +527,8 @@ static int _mwifiex_fw_dpc(const struct
+ struct wireless_dev *wdev;
+ struct completion *fw_done = adapter->fw_done;
+
+- if (!firmware) {
+- mwifiex_dbg(adapter, ERROR,
+- "Failed to get firmware %s\n", adapter->fw_name);
++ if (!firmware)
+ goto err_dnld_fw;
+- }
+
+ memset(&fw, 0, sizeof(struct mwifiex_fw_image));
+ adapter->firmware = firmware;
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -5727,16 +5727,12 @@ static int mwl8k_firmware_load_success(s
+ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
+ {
+ struct mwl8k_priv *priv = context;
+- struct mwl8k_device_info *di = priv->device_info;
+ int rc;
+
+ switch (priv->fw_state) {
+ case FW_STATE_INIT:
+- if (!fw) {
+- printk(KERN_ERR "%s: Error requesting helper fw %s\n",
+- pci_name(priv->pdev), di->helper_image);
++ if (!fw)
+ goto fail;
+- }
+ priv->fw_helper = fw;
+ rc = mwl8k_request_fw(priv, priv->fw_pref, &priv->fw_ucode,
+ true);
+@@ -5771,11 +5767,8 @@ static void mwl8k_fw_state_machine(const
+ break;
+
+ case FW_STATE_LOADING_ALT:
+- if (!fw) {
+- printk(KERN_ERR "%s: Error requesting alt fw %s\n",
+- pci_name(priv->pdev), di->helper_image);
++ if (!fw)
+ goto fail;
+- }
+ priv->fw_ucode = fw;
+ rc = mwl8k_firmware_load_success(priv);
+ if (rc)
+@@ -5813,10 +5806,8 @@ retry:
+
+ /* Ask userland hotplug daemon for the device firmware */
+ rc = mwl8k_request_firmware(priv, fw_image, nowait);
+- if (rc) {
+- wiphy_err(hw->wiphy, "Firmware files not found\n");
++ if (rc)
+ return rc;
+- }
+
+ if (nowait)
+ return rc;
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00firmware.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00firmware.c
+@@ -38,10 +38,8 @@ static int rt2x00lib_request_firmware(st
+ rt2x00_info(rt2x00dev, "Loading firmware file '%s'\n", fw_name);
+
+ retval = request_firmware(&fw, fw_name, device);
+- if (retval) {
+- rt2x00_err(rt2x00dev, "Failed to request Firmware\n");
++ if (retval)
+ return retval;
+- }
+
+ if (!fw || !fw->size || !fw->data) {
+ rt2x00_err(rt2x00dev, "Failed to read Firmware\n");
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -88,7 +88,6 @@ static void rtl_fw_do_work(const struct
+ if (!err)
+ goto found_alt;
+ }
+- pr_err("Selected firmware is not available\n");
+ rtlpriv->max_fw_size = 0;
+ goto exit;
+ }
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+@@ -63,13 +63,11 @@ static void rtl92se_fw_cb(const struct f
+ struct ieee80211_hw *hw = context;
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rt_firmware *pfirmware = NULL;
+- char *fw_name = "rtlwifi/rtl8192sefw.bin";
+
+ rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD,
+ "Firmware callback routine entered!\n");
+ complete(&rtlpriv->firmware_loading_complete);
+ if (!firmware) {
+- pr_err("Firmware %s not available\n", fw_name);
+ rtlpriv->max_fw_size = 0;
+ return;
+ }
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -57,10 +57,8 @@ static int wl1251_fetch_firmware(struct
+
+ ret = request_firmware(&fw, WL1251_FW_NAME, dev);
+
+- if (ret < 0) {
+- wl1251_error("could not get firmware: %d", ret);
++ if (ret)
+ return ret;
+- }
+
+ if (fw->size % 4) {
+ wl1251_error("firmware size is not multiple of 32 bits: %zu",
+@@ -96,10 +94,8 @@ static int wl1251_fetch_nvs(struct wl125
+
+ ret = request_firmware(&fw, WL1251_NVS_NAME, dev);
+
+- if (ret < 0) {
+- wl1251_error("could not get nvs file: %d", ret);
++ if (ret)
+ return ret;
+- }
+
+ if (fw->size % 4) {
+ wl1251_error("nvs size is not multiple of 32 bits: %zu",
+--- a/drivers/net/wireless/ti/wlcore/main.c
++++ b/drivers/net/wireless/ti/wlcore/main.c
+@@ -764,10 +764,8 @@ static int wl12xx_fetch_firmware(struct
+
+ ret = request_firmware(&fw, fw_name, wl->dev);
+
+- if (ret < 0) {
+- wl1271_error("could not get firmware %s: %d", fw_name, ret);
++ if (ret)
+ return ret;
+- }
+
+ if (fw->size % 4) {
+ wl1271_error("firmware size is not multiple of 32 bits: %zu",
+--- a/drivers/net/wireless/zydas/zd1201.c
++++ b/drivers/net/wireless/zydas/zd1201.c
+@@ -62,8 +62,6 @@ static int zd1201_fw_upload(struct usb_d
+
+ err = request_firmware(&fw_entry, fwfile, &dev->dev);
+ if (err) {
+- dev_err(&dev->dev, "Failed to load %s firmware file!\n", fwfile);
+- dev_err(&dev->dev, "Make sure the hotplug firmware loader is installed.\n");
+ dev_err(&dev->dev, "Goto http://linux-lc100020.sourceforge.net for more info.\n");
+ return err;
+ }
+--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+@@ -108,16 +108,9 @@ static void int_urb_complete(struct urb
+ static int request_fw_file(
+ const struct firmware **fw, const char *name, struct device *device)
+ {
+- int r;
+-
+ dev_dbg_f(device, "fw name %s\n", name);
+
+- r = request_firmware(fw, name, device);
+- if (r)
+- dev_err(device,
+- "Could not load firmware file %s. Error number %d\n",
+- name, r);
+- return r;
++ return request_firmware(fw, name, device);
+ }
+
+ static inline u16 get_bcdDevice(const struct usb_device *udev)
+--- a/drivers/scsi/advansys.c
++++ b/drivers/scsi/advansys.c
+@@ -4103,8 +4103,6 @@ static int AscInitAsc1000Driver(ASC_DVC_
+
+ err = request_firmware(&fw, fwname, asc_dvc->drv_ptr->dev);
+ if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
+ asc_dvc->err_code |= ASC_IERR_MCODE_CHKSUM;
+ return err;
+ }
+@@ -4469,8 +4467,6 @@ static int AdvInitAsc3550Driver(ADV_DVC_
+
+ err = request_firmware(&fw, fwname, asc_dvc->drv_ptr->dev);
+ if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
+ asc_dvc->err_code = ASC_IERR_MCODE_CHKSUM;
+ return err;
+ }
+@@ -4969,8 +4965,6 @@ static int AdvInitAsc38C0800Driver(ADV_D
+
+ err = request_firmware(&fw, fwname, asc_dvc->drv_ptr->dev);
+ if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
+ asc_dvc->err_code = ASC_IERR_MCODE_CHKSUM;
+ return err;
+ }
+@@ -5457,8 +5451,6 @@ static int AdvInitAsc38C1600Driver(ADV_D
+
+ err = request_firmware(&fw, fwname, asc_dvc->drv_ptr->dev);
+ if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
+ asc_dvc->err_code = ASC_IERR_MCODE_CHKSUM;
+ return err;
+ }
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -369,8 +369,6 @@ static ssize_t asd_store_update_bios(str
+ filename_ptr,
+ &asd_ha->pcidev->dev);
+ if (err) {
+- asd_printk("Failed to load bios image file %s, error %d\n",
+- filename_ptr, err);
+ err = FAIL_OPEN_BIOS_FILE;
+ goto out1;
+ }
+--- a/drivers/scsi/aic94xx/aic94xx_seq.c
++++ b/drivers/scsi/aic94xx/aic94xx_seq.c
+@@ -1302,11 +1302,8 @@ int asd_init_seqs(struct asd_ha_struct *
+
+ err = asd_request_firmware(asd_ha);
+
+- if (err) {
+- asd_printk("Failed to load sequencer firmware file %s, error %d\n",
+- SAS_RAZOR_SEQUENCER_FW_FILE, err);
++ if (err)
+ return err;
+- }
+
+ err = asd_seq_download_seqs(asd_ha);
+ if (err) {
+--- a/drivers/scsi/bfa/bfad.c
++++ b/drivers/scsi/bfa/bfad.c
+@@ -1749,7 +1749,6 @@ bfad_read_firmware(struct pci_dev *pdev,
+ const struct firmware *fw;
+
+ if (request_firmware(&fw, fw_name, &pdev->dev)) {
+- printk(KERN_ALERT "Can't locate firmware %s\n", fw_name);
+ *bfi_image = NULL;
+ goto out;
+ }
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -4102,10 +4102,8 @@ static ssize_t ipr_store_update_fw(struc
+ if (endline)
+ *endline = '\0';
+
+- if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
+- dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
++ if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev))
+ return -EIO;
+- }
+
+ image_hdr = (struct ipr_ucode_image_header *)fw_entry->data;
+
+--- a/drivers/scsi/pm8001/pm8001_ctl.c
++++ b/drivers/scsi/pm8001/pm8001_ctl.c
+@@ -841,9 +841,6 @@ static ssize_t pm8001_store_update_fw(st
+ pm8001_ha->dev);
+
+ if (ret) {
+- pm8001_dbg(pm8001_ha, FAIL,
+- "Failed to load firmware image file %s, error %d\n",
+- filename_ptr, ret);
+ pm8001_ha->fw_status = FAIL_OPEN_BIOS_FILE;
+ goto out;
+ }
+--- a/drivers/scsi/qla1280.c
++++ b/drivers/scsi/qla1280.c
+@@ -1514,8 +1514,6 @@ qla1280_request_firmware(struct scsi_qla
+ err = request_firmware(&fw, fwname, &ha->pdev->dev);
+
+ if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
+ fw = ERR_PTR(err);
+ goto unlock;
+ }
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -7935,10 +7935,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha,
+ /* Load firmware blob. */
+ blob = qla2x00_request_firmware(vha);
+ if (!blob) {
+- ql_log(ql_log_info, vha, 0x0083,
+- "Firmware image unavailable.\n");
+- ql_log(ql_log_info, vha, 0x0084,
+- "Firmware images can be retrieved from: "QLA_FW_URL ".\n");
+ return QLA_FUNCTION_FAILED;
+ }
+
+@@ -8041,9 +8037,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t *
+
+ blob = qla2x00_request_firmware(vha);
+ if (!blob) {
+- ql_log(ql_log_warn, vha, 0x0092,
+- "-> Firmware file not found.\n");
+-
+ return QLA_FUNCTION_FAILED;
+ }
+
+--- a/drivers/scsi/qla2xxx/qla_nx.c
++++ b/drivers/scsi/qla2xxx/qla_nx.c
+@@ -2431,11 +2431,8 @@ try_blob_fw:
+
+ /* Load firmware blob. */
+ blob = ha->hablob = qla2x00_request_firmware(vha);
+- if (!blob) {
+- ql_log(ql_log_fatal, vha, 0x00a3,
+- "Firmware image not present.\n");
++ if (!blob)
+ goto fw_load_failed;
+- }
+
+ /* Validating firmware blob */
+ if (qla82xx_validate_firmware_blob(vha,
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -7346,8 +7346,6 @@ qla2x00_request_firmware(scsi_qla_host_t
+ goto out;
+
+ if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) {
+- ql_log(ql_log_warn, vha, 0x0063,
+- "Failed to load firmware image (%s).\n", blob->name);
+ blob->fw = NULL;
+ blob = NULL;
+ }
+--- a/drivers/scsi/qlogicpti.c
++++ b/drivers/scsi/qlogicpti.c
+@@ -486,11 +486,8 @@ static int qlogicpti_load_firmware(struc
+ int i, timeout;
+
+ err = request_firmware(&fw, fwname, &qpti->op->dev);
+- if (err) {
+- printk(KERN_ERR "Failed to load image \"%s\" err %d\n",
+- fwname, err);
++ if (err)
+ return err;
+- }
+ if (fw->size % 2) {
+ printk(KERN_ERR "Bogus length %zu in image \"%s\"\n",
+ fw->size, fwname);
+--- a/drivers/staging/rtl8192u/r819xU_firmware.c
++++ b/drivers/staging/rtl8192u/r819xU_firmware.c
+@@ -240,10 +240,8 @@ bool init_firmware(struct net_device *de
+ */
+ if (rst_opt == OPT_SYSTEM_RESET) {
+ rc = request_firmware(&fw_entry, fw_name[init_step], &priv->udev->dev);
+- if (rc < 0) {
+- RT_TRACE(COMP_ERR, "request firmware fail!\n");
++ if (rc)
+ goto download_firmware_fail;
+- }
+
+ if (fw_entry->size > sizeof(pfirmware->firmware_buf)) {
+ RT_TRACE(COMP_ERR, "img file size exceed the container buffer fail!\n");
+--- a/drivers/staging/rtl8712/hal_init.c
++++ b/drivers/staging/rtl8712/hal_init.c
+@@ -60,8 +60,6 @@ int rtl871x_load_fw(struct _adapter *pad
+ dev_info(dev, "r8712u: Loading firmware from \"%s\"\n", firmware_file);
+ rc = request_firmware_nowait(THIS_MODULE, 1, firmware_file, dev,
+ GFP_KERNEL, padapter, rtl871x_load_fw_cb);
+- if (rc)
+- dev_err(dev, "r8712u: Firmware request error %d\n", rc);
+ return rc;
+ }
+ MODULE_FIRMWARE("rtlwifi/rtl8712u.bin");
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -109,11 +109,8 @@ static int vnt_download_firmware(struct
+ dev_dbg(dev, "---->Download firmware\n");
+
+ ret = request_firmware(&fw, FIRMWARE_NAME, dev);
+- if (ret) {
+- dev_err(dev, "firmware file %s request failed (%d)\n",
+- FIRMWARE_NAME, ret);
++ if (ret)
+ goto end;
+- }
+
+ for (ii = 0; ii < fw->size; ii += FIRMWARE_CHUNK_SIZE) {
+ length = min_t(int, fw->size - ii, FIRMWARE_CHUNK_SIZE);
+--- a/drivers/tty/cyclades.c
++++ b/drivers/tty/cyclades.c
+@@ -3484,10 +3484,8 @@ static int cyz_load_fw(struct pci_dev *p
+ int retval;
+
+ retval = request_firmware(&fw, "cyzfirm.bin", &pdev->dev);
+- if (retval) {
+- dev_err(&pdev->dev, "can't get firmware\n");
++ if (retval)
+ goto err;
+- }
+
+ /* Check whether the firmware is already loaded and running. If
+ positive, skip this board */
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -854,13 +854,8 @@ static int moxa_init_board(struct moxa_b
+ }
+
+ ret = request_firmware(&fw, file, dev);
+- if (ret) {
+- printk(KERN_ERR "MOXA: request_firmware failed. Make sure "
+- "you've placed '%s' file into your firmware "
+- "loader directory (e.g. /lib/firmware)\n",
+- file);
++ if (ret)
+ goto err_free;
+- }
+
+ ret = moxa_load_fw(brd, fw);
+
+--- a/drivers/tty/serial/icom.c
++++ b/drivers/tty/serial/icom.c
+@@ -362,7 +362,6 @@ static void load_code(struct icom_port *
+
+ /* Load Call Setup into Adapter */
+ if (request_firmware(&fw, "icom_call_setup.bin", &dev->dev) < 0) {
+- dev_err(&dev->dev,"Unable to load icom_call_setup.bin firmware image\n");
+ status = -1;
+ goto load_code_exit;
+ }
+@@ -382,7 +381,6 @@ static void load_code(struct icom_port *
+
+ /* Load Resident DCE portion of Adapter */
+ if (request_firmware(&fw, "icom_res_dce.bin", &dev->dev) < 0) {
+- dev_err(&dev->dev,"Unable to load icom_res_dce.bin firmware image\n");
+ status = -1;
+ goto load_code_exit;
+ }
+@@ -427,7 +425,6 @@ static void load_code(struct icom_port *
+ }
+
+ if (request_firmware(&fw, "icom_asc.bin", &dev->dev) < 0) {
+- dev_err(&dev->dev,"Unable to load icom_asc.bin firmware image\n");
+ status = -1;
+ goto load_code_exit;
+ }
+--- a/drivers/tty/serial/ucc_uart.c
++++ b/drivers/tty/serial/ucc_uart.c
+@@ -1161,10 +1161,8 @@ static void uart_firmware_cont(const str
+ struct device *dev = context;
+ int ret;
+
+- if (!fw) {
+- dev_err(dev, "firmware not found\n");
++ if (!fw)
+ return;
+- }
+
+ firmware = (struct qe_firmware *) fw->data;
+
+--- a/drivers/usb/atm/cxacru.c
++++ b/drivers/usb/atm/cxacru.c
+@@ -1087,8 +1087,6 @@ static int cxacru_find_firmware(struct c
+ return -ENOENT;
+ }
+
+- usb_info(usbatm, "found firmware %s\n", buf);
+-
+ return 0;
+ }
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -606,10 +606,8 @@ static void uea_upload_pre_firmware(cons
+ int ret, size;
+
+ uea_enters(usb);
+- if (!fw_entry) {
+- uea_err(usb, "firmware is not available\n");
++ if (!fw_entry)
+ goto err;
+- }
+
+ pfw = fw_entry->data;
+ size = fw_entry->size;
+@@ -704,10 +702,6 @@ static int uea_load_firmware(struct usb_
+ ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
+ GFP_KERNEL, usb,
+ uea_upload_pre_firmware);
+- if (ret)
+- uea_err(usb, "firmware %s is not available\n", fw_name);
+- else
+- uea_info(usb, "loading firmware %s\n", fw_name);
+
+ uea_leaves(usb);
+ return ret;
+@@ -869,12 +863,8 @@ static int request_dsp(struct uea_softc
+ }
+
+ ret = request_firmware(&sc->dsp_firm, dsp_name, &sc->usb_dev->dev);
+- if (ret < 0) {
+- uea_err(INS_TO_USBDEV(sc),
+- "requesting firmware %s failed with error %d\n",
+- dsp_name, ret);
++ if (ret)
+ return ret;
+- }
+
+ if (UEA_CHIP_VERSION(sc) == EAGLE_IV)
+ ret = check_dsp_e4(sc->dsp_firm->data, sc->dsp_firm->size);
+@@ -1587,12 +1577,8 @@ static int request_cmvs_old(struct uea_s
+
+ cmvs_file_name(sc, cmv_name, 1);
+ ret = request_firmware(fw, cmv_name, &sc->usb_dev->dev);
+- if (ret < 0) {
+- uea_err(INS_TO_USBDEV(sc),
+- "requesting firmware %s failed with error %d\n",
+- cmv_name, ret);
++ if (ret)
+ return ret;
+- }
+
+ data = (u8 *) (*fw)->data;
+ size = (*fw)->size;
+@@ -1629,9 +1615,6 @@ static int request_cmvs(struct uea_softc
+ "try to get older cmvs\n", cmv_name);
+ return request_cmvs_old(sc, cmvs, fw);
+ }
+- uea_err(INS_TO_USBDEV(sc),
+- "requesting firmware %s failed with error %d\n",
+- cmv_name, ret);
+ return ret;
+ }
+
+@@ -1914,11 +1897,8 @@ static int load_XILINX_firmware(struct u
+ uea_enters(INS_TO_USBDEV(sc));
+
+ ret = request_firmware(&fw_entry, fw_name, &sc->usb_dev->dev);
+- if (ret) {
+- uea_err(INS_TO_USBDEV(sc), "firmware %s is not available\n",
+- fw_name);
++ if (ret)
+ goto err0;
+- }
+
+ pfw = fw_entry->data;
+ size = fw_entry->size;
+--- a/drivers/usb/misc/emi26.c
++++ b/drivers/usb/misc/emi26.c
+@@ -85,21 +85,17 @@ static int emi26_load_firmware (struct u
+
+ err = request_ihex_firmware(&loader_fw, "emi26/loader.fw", &dev->dev);
+ if (err)
+- goto nofw;
++ goto wraperr;
+
+ err = request_ihex_firmware(&bitstream_fw, "emi26/bitstream.fw",
+ &dev->dev);
+ if (err)
+- goto nofw;
++ goto wraperr;
+
+ err = request_ihex_firmware(&firmware_fw, "emi26/firmware.fw",
+ &dev->dev);
+- if (err) {
+- nofw:
+- dev_err(&dev->dev, "%s - request_firmware() failed\n",
+- __func__);
++ if (err)
+ goto wraperr;
+- }
+
+ /* Assert reset (stop the CPU in the EMI) */
+ err = emi26_set_reset(dev,1);
+--- a/drivers/usb/misc/ezusb.c
++++ b/drivers/usb/misc/ezusb.c
+@@ -76,12 +76,8 @@ static int ezusb_ihex_firmware_download(
+ const struct ihex_binrec *record;
+
+ if (request_ihex_firmware(&firmware, firmware_path,
+- &dev->dev)) {
+- dev_err(&dev->dev,
+- "%s - request \"%s\" failed\n",
+- __func__, firmware_path);
++ &dev->dev))
+ goto out;
+- }
+
+ ret = ezusb_set_reset(dev, fx.cpucs_reg, 0);
+ if (ret < 0)
+--- a/drivers/usb/misc/isight_firmware.c
++++ b/drivers/usb/misc/isight_firmware.c
+@@ -45,7 +45,6 @@ static int isight_firmware_load(struct u
+ return -ENOMEM;
+
+ if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
+- printk(KERN_ERR "Unable to load isight firmware\n");
+ ret = -ENODEV;
+ goto out;
+ }
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -375,11 +375,8 @@ static void update_edgeport_E2PROM(struc
+
+ response = request_ihex_firmware(&fw, fw_name,
+ &edge_serial->serial->dev->dev);
+- if (response) {
+- dev_err(dev, "Failed to load image \"%s\" err %d\n",
+- fw_name, response);
++ if (response)
+ return;
+- }
+
+ rec = (const struct ihex_binrec *)fw->data;
+ BootMajorVersion = rec->data[0];
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1010,8 +1010,6 @@ static int download_fw(struct edgeport_s
+
+ status = request_firmware(&fw, fw_name, dev);
+ if (status) {
+- dev_err(dev, "Failed to load image \"%s\" err %d\n",
+- fw_name, status);
+ return status;
+ }
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1663,10 +1663,8 @@ static int ti_download_firmware(struct t
+ }
+
+ check_firmware:
+- if (status) {
+- dev_err(&dev->dev, "%s - firmware not found\n", __func__);
++ if (status)
+ return -ENOENT;
+- }
+ if (fw_p->size > TI_FIRMWARE_BUF_SIZE) {
+ dev_err(&dev->dev, "%s - firmware too large %zu\n", __func__, fw_p->size);
+ release_firmware(fw_p);
+--- a/drivers/video/fbdev/broadsheetfb.c
++++ b/drivers/video/fbdev/broadsheetfb.c
+@@ -743,10 +743,8 @@ static ssize_t broadsheet_loadstore_wave
+ return -EINVAL;
+
+ err = request_firmware(&fw_entry, "broadsheet.wbf", dev);
+- if (err < 0) {
+- dev_err(dev, "Failed to get broadsheet waveform\n");
++ if (err)
+ goto err_failed;
+- }
+
+ /* try to enforce reasonable min max on waveform */
+ if ((fw_entry->size < 8*1024) || (fw_entry->size > 64*1024)) {
+--- a/drivers/video/fbdev/metronomefb.c
++++ b/drivers/video/fbdev/metronomefb.c
+@@ -679,10 +679,8 @@ static int metronomefb_probe(struct plat
+ a) request the waveform file from userspace
+ b) process waveform and decode into metromem */
+ retval = request_firmware(&fw_entry, "metronome.wbf", &dev->dev);
+- if (retval < 0) {
+- dev_err(&dev->dev, "Failed to get waveform\n");
++ if (retval)
+ goto err_csum_table;
+- }
+
+ retval = load_waveform((u8 *) fw_entry->data, fw_entry->size, 3, 31,
+ par);
+--- a/sound/drivers/vx/vx_hwdep.c
++++ b/sound/drivers/vx/vx_hwdep.c
+@@ -58,10 +58,8 @@ int snd_vx_setup_firmware(struct vx_core
+ if (! fw_files[chip->type][i])
+ continue;
+ sprintf(path, "vx/%s", fw_files[chip->type][i]);
+- if (request_firmware(&fw, path, chip->dev)) {
+- snd_printk(KERN_ERR "vx: can't load firmware %s\n", path);
++ if (request_firmware(&fw, path, chip->dev))
+ return -ENOENT;
+- }
+ err = chip->ops->load_dsp(chip, i, fw);
+ if (err < 0) {
+ release_firmware(fw);
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -376,15 +376,11 @@ static int upload_dsp_code(struct snd_ca
+ outb(HPBLKSEL_0, chip->io + HP_BLKS);
+
+ err = request_firmware(&init_fw, INITCODEFILE, card->dev);
+- if (err < 0) {
+- printk(KERN_ERR LOGNAME ": Error loading " INITCODEFILE);
++ if (err)
+ goto cleanup1;
+- }
+ err = request_firmware(&perm_fw, PERMCODEFILE, card->dev);
+- if (err < 0) {
+- printk(KERN_ERR LOGNAME ": Error loading " PERMCODEFILE);
++ if (err)
+ goto cleanup;
+- }
+
+ memcpy_toio(chip->mappedbase, perm_fw->data, perm_fw->size);
+ if (snd_msnd_upload_host(chip, init_fw->data, init_fw->size) < 0) {
+--- a/sound/isa/sscape.c
++++ b/sound/isa/sscape.c
+@@ -531,10 +531,8 @@ static int sscape_upload_bootblock(struc
+ int ret;
+
+ ret = request_firmware(&init_fw, "scope.cod", card->dev);
+- if (ret < 0) {
+- snd_printk(KERN_ERR "sscape: Error loading scope.cod");
++ if (ret)
+ return ret;
+- }
+ ret = upload_dma_data(sscape, init_fw->data, init_fw->size);
+
+ release_firmware(init_fw);
+@@ -571,11 +569,8 @@ static int sscape_upload_microcode(struc
+ snprintf(name, sizeof(name), "sndscape.co%d", version);
+
+ err = request_firmware(&init_fw, name, card->dev);
+- if (err < 0) {
+- snd_printk(KERN_ERR "sscape: Error loading sndscape.co%d",
+- version);
++ if (err)
+ return err;
+- }
+ err = upload_dma_data(sscape, init_fw->data, init_fw->size);
+ if (err == 0)
+ snd_printk(KERN_INFO "sscape: MIDI firmware loaded %zu KBs\n",
+--- a/sound/isa/wavefront/wavefront_synth.c
++++ b/sound/isa/wavefront/wavefront_synth.c
+@@ -1959,10 +1959,8 @@ wavefront_download_firmware (snd_wavefro
+ const struct firmware *firmware;
+
+ err = request_firmware(&firmware, path, dev->card->dev);
+- if (err < 0) {
+- snd_printk(KERN_ERR "firmware (%s) download failed!!!\n", path);
++ if (err)
+ return 1;
+- }
+
+ len = 0;
+ buf = firmware->data;
+--- a/sound/pci/asihpi/hpidspcd.c
++++ b/sound/pci/asihpi/hpidspcd.c
+@@ -35,8 +35,6 @@ short hpi_dsp_code_open(u32 adapter, voi
+ err = request_firmware(&firmware, fw_name, &dev->dev);
+
+ if (err || !firmware) {
+- dev_err(&dev->dev, "%d, request_firmware failed for %s\n",
+- err, fw_name);
+ goto error1;
+ }
+ if (firmware->size < sizeof(header)) {
+--- a/sound/pci/cs46xx/cs46xx_lib.c
++++ b/sound/pci/cs46xx/cs46xx_lib.c
+@@ -3235,11 +3235,8 @@ int snd_cs46xx_start_dsp(struct snd_cs46
+ #ifdef CONFIG_SND_CS46XX_NEW_DSP
+ for (i = 0; i < CS46XX_DSP_MODULES; i++) {
+ err = load_firmware(chip, &chip->modules[i], module_names[i]);
+- if (err < 0) {
+- dev_err(chip->card->dev, "firmware load error [%s]\n",
+- module_names[i]);
++ if (err < 0)
+ return err;
+- }
+ err = cs46xx_dsp_load_module(chip, chip->modules[i]);
+ if (err < 0) {
+ dev_err(chip->card->dev, "image download error [%s]\n",
+--- a/sound/pci/echoaudio/echoaudio.c
++++ b/sound/pci/echoaudio/echoaudio.c
+@@ -49,11 +49,8 @@ static int get_firmware(const struct fir
+ "firmware requested: %s\n", card_fw[fw_index].data);
+ snprintf(name, sizeof(name), "ea/%s", card_fw[fw_index].data);
+ err = request_firmware(fw_entry, name, &chip->pci->dev);
+- if (err < 0)
+- dev_err(chip->card->dev,
+- "get_firmware(): Firmware not available (%d)\n", err);
+ #ifdef CONFIG_PM_SLEEP
+- else
++ if (!err)
+ chip->fw_cache[fw_index] = *fw_entry;
+ #endif
+ return err;
+--- a/sound/pci/emu10k1/emu10k1_main.c
++++ b/sound/pci/emu10k1/emu10k1_main.c
+@@ -873,10 +873,8 @@ static int snd_emu10k1_emu1010_init(stru
+ dev_info(emu->card->dev, "emu1010: EMU_HANA_ID = 0x%x\n", reg);
+
+ err = snd_emu1010_load_firmware(emu, 0, &emu->firmware);
+- if (err < 0) {
+- dev_info(emu->card->dev, "emu1010: Loading Firmware failed\n");
++ if (err < 0)
+ return err;
+- }
+
+ /* ID, should read & 0x7f = 0x55 when FPGA programmed. */
+ snd_emu1010_fpga_read(emu, EMU_HANA_ID, &reg);
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2057,8 +2057,6 @@ static void azx_firmware_cb(const struct
+
+ if (fw)
+ chip->fw = fw;
+- else
+- dev_err(card->dev, "Cannot load firmware, continue without patching\n");
+ if (!chip->disabled) {
+ /* continue probing */
+ azx_probe_continue(chip);
+--- a/sound/pci/korg1212/korg1212.c
++++ b/sound/pci/korg1212/korg1212.c
+@@ -2335,7 +2335,6 @@ static int snd_korg1212_create(struct sn
+
+ err = request_firmware(&dsp_code, "korg/k1212.dsp", &pci->dev);
+ if (err < 0) {
+- snd_printk(KERN_ERR "firmware not available\n");
+ snd_korg1212_free(korg1212);
+ return err;
+ }
+--- a/sound/pci/mixart/mixart_hwdep.c
++++ b/sound/pci/mixart/mixart_hwdep.c
+@@ -558,11 +558,8 @@ int snd_mixart_setup_firmware(struct mix
+
+ for (i = 0; i < 3; i++) {
+ sprintf(path, "mixart/%s", fw_files[i]);
+- if (request_firmware(&fw_entry, path, &mgr->pci->dev)) {
+- dev_err(&mgr->pci->dev,
+- "miXart: can't load firmware %s\n", path);
++ if (request_firmware(&fw_entry, path, &mgr->pci->dev))
+ return -ENOENT;
+- }
+ /* fake hwdep dsp record */
+ err = mixart_dsp_load(mgr, i, fw_entry);
+ release_firmware(fw_entry);
+--- a/sound/pci/pcxhr/pcxhr_hwdep.c
++++ b/sound/pci/pcxhr/pcxhr_hwdep.c
+@@ -372,12 +372,8 @@ int pcxhr_setup_firmware(struct pcxhr_mg
+ if (!fw_files[fw_set][i])
+ continue;
+ sprintf(path, "pcxhr/%s", fw_files[fw_set][i]);
+- if (request_firmware(&fw_entry, path, &mgr->pci->dev)) {
+- dev_err(&mgr->pci->dev,
+- "pcxhr: can't load firmware %s\n",
+- path);
++ if (request_firmware(&fw_entry, path, &mgr->pci->dev))
+ return -ENOENT;
+- }
+ /* fake hwdep dsp record */
+ err = pcxhr_dsp_load(mgr, i, fw_entry);
+ release_firmware(fw_entry);
+--- a/sound/pci/riptide/riptide.c
++++ b/sound/pci/riptide/riptide.c
+@@ -1217,11 +1217,8 @@ static int try_to_load_firmware(struct c
+ if (!chip->fw_entry) {
+ err = request_firmware(&chip->fw_entry, "riptide.hex",
+ &chip->pci->dev);
+- if (err) {
+- snd_printk(KERN_ERR
+- "Riptide: Firmware not available %d\n", err);
++ if (err)
+ return -EIO;
+- }
+ }
+ err = loadfirmware(cif, chip->fw_entry->data, chip->fw_entry->size);
+ if (err) {
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -5111,11 +5111,8 @@ static int hdsp_request_fw_loader(struct
+ return -EINVAL;
+ }
+
+- if (request_firmware(&fw, fwfile, &hdsp->pci->dev)) {
+- dev_err(hdsp->card->dev,
+- "cannot load firmware %s\n", fwfile);
++ if (request_firmware(&fw, fwfile, &hdsp->pci->dev))
+ return -ENOENT;
+- }
+ if (fw->size < HDSP_FIRMWARE_SIZE) {
+ dev_err(hdsp->card->dev,
+ "too short firmware size %d (expected %d)\n",
+--- a/sound/soc/codecs/wm2000.c
++++ b/sound/soc/codecs/wm2000.c
+@@ -894,10 +894,8 @@ static int wm2000_i2c_probe(struct i2c_c
+ }
+
+ ret = request_firmware(&fw, filename, &i2c->dev);
+- if (ret != 0) {
+- dev_err(&i2c->dev, "Failed to acquire ANC data: %d\n", ret);
++ if (ret != 0)
+ goto err_supplies;
+- }
+
+ /* Pre-cook the concatenation of the register address onto the image */
+ wm2000->anc_download_size = fw->size + 2;
+--- a/sound/usb/6fire/firmware.c
++++ b/sound/usb/6fire/firmware.c
+@@ -203,8 +203,6 @@ static int usb6fire_fw_ezusb_upload(
+ ret = request_firmware(&fw, fwname, &device->dev);
+ if (ret < 0) {
+ kfree(rec);
+- dev_err(&intf->dev,
+- "error requesting ezusb firmware %s.\n", fwname);
+ return ret;
+ }
+ ret = usb6fire_fw_ihex_init(fw, rec);
+@@ -280,8 +278,6 @@ static int usb6fire_fw_fpga_upload(
+
+ ret = request_firmware(&fw, fwname, &device->dev);
+ if (ret < 0) {
+- dev_err(&intf->dev, "unable to get fpga firmware %s.\n",
+- fwname);
+ kfree(buffer);
+ return -EIO;
+ }
diff --git a/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch b/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch
new file mode 100644
index 000000000..092a74496
--- /dev/null
+++ b/debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch
@@ -0,0 +1,83 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: firmware_class: Log every success and failure against given device
+Date: Sun, 09 Dec 2012 16:02:00 +0000
+Forwarded: no
+
+The hundreds of users of request_firmware() have nearly as many
+different log formats for reporting failures. They also have only the
+vaguest hint as to what went wrong; only firmware_class really knows
+that. Therefore, add specific log messages for the failure modes that
+aren't currently logged.
+
+In case of a driver that tries multiple names, this may result in the
+impression that it failed to initialise. Therefore, also log successes.
+
+This makes many error messages in drivers redundant, which will be
+removed in later patches.
+
+This does not cover the case where we fall back to a user-mode helper
+(which is no longer enabled in Debian).
+
+NOTE: hw-detect will depend on the "firmware: failed to load %s (%d)\n"
+format to detect missing firmware.
+---
+ drivers/base/firmware_loader/fallback.c | 2 +-
+ drivers/base/firmware_loader/main.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/base/firmware_loader/fallback.c
++++ b/drivers/base/firmware_loader/fallback.c
+@@ -558,7 +558,7 @@ static int fw_load_from_user_helper(stru
+ if (opt_flags & FW_OPT_NOWAIT) {
+ timeout = usermodehelper_read_lock_wait(timeout);
+ if (!timeout) {
+- dev_dbg(device, "firmware: %s loading timed out\n",
++ dev_err(device, "firmware: %s loading timed out\n",
+ name);
+ return -EBUSY;
+ }
+--- a/drivers/base/firmware_loader/main.c
++++ b/drivers/base/firmware_loader/main.c
+@@ -535,18 +535,15 @@ fw_get_filesystem_firmware(struct device
+ file_size_ptr,
+ READING_FIRMWARE);
+ if (rc < 0) {
+- if (rc != -ENOENT)
+- dev_warn(device, "loading %s failed with error %d\n",
+- path, rc);
+- else
+- dev_dbg(device, "loading %s failed for no such file or directory.\n",
+- path);
++ dev_dbg(device, "loading %s failed with error %d\n",
++ path, rc);
+ continue;
+ }
+ size = rc;
+ rc = 0;
+
+- dev_dbg(device, "Loading firmware from %s\n", path);
++ dev_info(device, "firmware: direct-loading firmware %s\n",
++ fw_priv->fw_name);
+ if (decompress) {
+ dev_dbg(device, "f/w decompressing %s\n",
+ fw_priv->fw_name);
+@@ -559,8 +556,6 @@ fw_get_filesystem_firmware(struct device
+ continue;
+ }
+ } else {
+- dev_dbg(device, "direct-loading %s\n",
+- fw_priv->fw_name);
+ if (!fw_priv->data)
+ fw_priv->data = buffer;
+ fw_priv->size = size;
+@@ -570,6 +565,10 @@ fw_get_filesystem_firmware(struct device
+ }
+ __putname(path);
+
++ if (rc)
++ dev_err(device, "firmware: failed to load %s (%d)\n",
++ fw_priv->fw_name, rc);
++
+ return rc;
+ }
+
diff --git a/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
new file mode 100644
index 000000000..540a1341c
--- /dev/null
+++ b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
@@ -0,0 +1,70 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 13 Apr 2016 21:48:06 +0100
+Subject: fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers
+Bug-Debian: https://bugs.debian.org/819725
+Forwarded: http://mid.gmane.org/20160517133631.GF7555@decadent.org.uk
+
+This helps initramfs builders and other tools to find the full
+dependencies of a module.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
+---
+ fs/btrfs/super.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ fs/f2fs/super.c | 1 +
+ fs/jbd2/journal.c | 1 +
+ fs/nfsd/nfsctl.c | 3 +++
+ 5 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -2597,7 +2597,7 @@ late_initcall(init_btrfs_fs);
+ module_exit(exit_btrfs_fs)
+
+ MODULE_LICENSE("GPL");
+-MODULE_SOFTDEP("pre: crc32c");
++MODULE_SOFTDEP("pre: crypto-crc32c");
+ MODULE_SOFTDEP("pre: xxhash64");
+ MODULE_SOFTDEP("pre: sha256");
+ MODULE_SOFTDEP("pre: blake2b-256");
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -6746,6 +6746,6 @@ static void __exit ext4_exit_fs(void)
+ MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others");
+ MODULE_DESCRIPTION("Fourth Extended Filesystem");
+ MODULE_LICENSE("GPL");
+-MODULE_SOFTDEP("pre: crc32c");
++MODULE_SOFTDEP("pre: crypto-crc32c");
+ module_init(ext4_init_fs)
+ module_exit(ext4_exit_fs)
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4122,5 +4122,5 @@ module_exit(exit_f2fs_fs)
+ MODULE_AUTHOR("Samsung Electronics's Praesto Team");
+ MODULE_DESCRIPTION("Flash Friendly File System");
+ MODULE_LICENSE("GPL");
+-MODULE_SOFTDEP("pre: crc32");
++MODULE_SOFTDEP("pre: crypto-crc32");
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -3012,6 +3012,7 @@ static void __exit journal_exit(void)
+ }
+
+ MODULE_LICENSE("GPL");
++MODULE_SOFTDEP("pre: crypto-crc32c");
+ module_init(journal_init);
+ module_exit(journal_exit);
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1580,5 +1580,8 @@ static void __exit exit_nfsd(void)
+
+ MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
+ MODULE_LICENSE("GPL");
++#ifdef CONFIG_NFSD_V4
++MODULE_SOFTDEP("pre: crypto-md5");
++#endif
+ module_init(init_nfsd)
+ module_exit(exit_nfsd)
diff --git a/debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch b/debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch
new file mode 100644
index 000000000..820479896
--- /dev/null
+++ b/debian/patches/bugfix/all/kbuild-fix-recordmcount-dependency.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: kbuild: Fix recordmcount dependency for OOT modules
+Date: Mon, 08 Sep 2014 18:31:24 +0100
+Forwarded: no
+
+We never rebuild anything in-tree when building an out-of-tree
+modules, so external modules should not depend on the recordmcount
+sources.
+
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -232,6 +232,11 @@ cmd_record_mcount = \
+ endif # CC_USING_RECORD_MCOUNT
+ endif # CONFIG_FTRACE_MCOUNT_RECORD
+
++# Don't require recordmcount source for an OOT build.
++ifdef KBUILD_EXTMOD
++recordmcount_source :=
++endif
++
+ ifdef CONFIG_STACK_VALIDATION
+ ifneq ($(SKIP_STACK_VALIDATION),1)
+
diff --git a/debian/patches/bugfix/all/libcpupower-hide-private-function.patch b/debian/patches/bugfix/all/libcpupower-hide-private-function.patch
new file mode 100644
index 000000000..ac76e638e
--- /dev/null
+++ b/debian/patches/bugfix/all/libcpupower-hide-private-function.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 01 Dec 2018 19:22:50 +0000
+Subject: libcpupower: Hide private function
+
+cpupower_read_sysfs() (previously known as sysfs_read_file()) is an
+internal function in libcpupower and should not be exported when
+libcpupower is a shared library. Change its visibility to "hidden".
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/tools/power/cpupower/lib/cpupower.c
++++ b/tools/power/cpupower/lib/cpupower.c
+@@ -15,6 +15,7 @@
+ #include "cpupower.h"
+ #include "cpupower_intern.h"
+
++__attribute__((visibility("hidden")))
+ unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen)
+ {
+ int fd;
diff --git a/debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch b/debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch
new file mode 100644
index 000000000..2ab62688a
--- /dev/null
+++ b/debian/patches/bugfix/all/module-disable-matching-missing-version-crc.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 02 Dec 2016 23:06:18 +0000
+Subject: module: Disable matching missing version CRC
+Forwarded: not-needed
+
+This partly reverts commit cd3caefb4663e3811d37cc2afad3cce642d60061.
+We want to fail closed if a symbol version CRC is missing, as the
+alternative may allow subverting module signing.
+---
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1313,9 +1313,8 @@ static int check_version(const struct lo
+ goto bad_version;
+ }
+
+- /* Broken toolchain. Warn once, then let it go.. */
+- pr_warn_once("%s: no symbol version for %s\n", info->name, symname);
+- return 1;
++ pr_warn("%s: no symbol version for %s\n", info->name, symname);
++ return 0;
+
+ bad_version:
+ pr_warn("%s: disagrees about version of symbol %s\n",
diff --git a/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch b/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
new file mode 100644
index 000000000..a6e35b7f2
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
@@ -0,0 +1,73 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 20 Jan 2024 22:50:04 +0100
+Subject: netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=11351dcb86e3eec82492e20a63bb36f5a340dc85
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1086
+
+commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream.
+
+This reverts commit e0abdadcc6e1.
+
+core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
+verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
+or 0.
+
+Due to the reverted commit, its possible to provide a positive
+value, e.g. NF_ACCEPT (1), which results in use-after-free.
+
+Its not clear to me why this commit was made.
+
+NF_QUEUE is not used by nftables; "queue" rules in nftables
+will result in use of "nft_queue" expression.
+
+If we later need to allow specifiying errno values from userspace
+(do not know why), this has to call NF_DROP_GETERR and check that
+"err <= 0" holds true.
+
+Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
+Cc: stable@vger.kernel.org
+Reported-by: Notselwyn <notselwyn@pwning.tech>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0d0b76a5ddfa..f586e8b3c6cf 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9340,16 +9340,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+- default:
+- switch (data->verdict.code & NF_VERDICT_MASK) {
+- case NF_ACCEPT:
+- case NF_DROP:
+- case NF_QUEUE:
+- break;
+- default:
+- return -EINVAL;
+- }
+- fallthrough;
++ case NF_ACCEPT:
++ case NF_DROP:
++ case NF_QUEUE:
++ break;
+ case NFT_CONTINUE:
+ case NFT_BREAK:
+ case NFT_RETURN:
+@@ -9384,6 +9378,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ data->verdict.chain = chain;
+ break;
++ default:
++ return -EINVAL;
+ }
+
+ desc->len = sizeof(data->verdict);
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch b/debian/patches/bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
new file mode 100644
index 000000000..368787579
--- /dev/null
+++ b/debian/patches/bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
@@ -0,0 +1,49 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 24 Jan 2023 16:41:18 +0100
+Subject: ovl: fail on invalid uid/gid mapping at copy up
+Origin: https://git.kernel.org/linus/4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-0386
+
+If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then
+copy-up should fail, just like it would fail if the mounter task was doing
+the copy using "cp -a".
+
+There's a corner case where the "cp -a" would succeed but copy up fail: if
+there's a mapping of the invalid uid/gid (65534 by default) in the user
+namespace. This is because stat(2) will return this value if the mapping
+doesn't exist in the current user_ns and "cp -a" will in turn be able to
+create a file with this uid/gid.
+
+This behavior would be inconsistent with POSIX ACL's, which return -1 for
+invalid uid/gid which result in a failed copy.
+
+For consistency and simplicity fail the copy of the st_uid/st_gid are
+invalid.
+
+Fixes: 459c7c565ac3 ("ovl: unprivieged mounts")
+Cc: <stable@vger.kernel.org> # v5.11
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: Seth Forshee <sforshee@kernel.org>
+---
+ fs/overlayfs/copy_up.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 140f2742074d..c14e90764e35 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -1011,6 +1011,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ if (err)
+ return err;
+
++ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
++ !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
++ return -EOVERFLOW;
++
+ ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
+
+ if (parent) {
+--
+2.40.1
+
diff --git a/debian/patches/bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch b/debian/patches/bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
new file mode 100644
index 000000000..7367a1416
--- /dev/null
+++ b/debian/patches/bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
@@ -0,0 +1,140 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 20 Aug 2019 18:12:35 +0100
+Subject: Partially revert "net: socket: implement 64-bit timestamps"
+
+The introduction of SIOCGSTAMP{,NS}_OLD and move of SICOGSTAMP{,NS} to
+a different header has caused build failures for various user-space
+programs including qemu and suricata. It also causes a test failure
+for glibc.
+
+For now, remove the _OLD suffix on the old ioctl numbers and require
+programs using 64-bit timestamps to explicitly use SIOCGSTAMP{,NS}_NEW.
+
+References: https://lore.kernel.org/lkml/af0eb47a-5b98-1bd9-3e8d-652e7f28b01f@de.ibm.com/
+References: https://bugs.debian.org/934316
+References: https://ci.debian.net/data/autopkgtest/testing/amd64/g/glibc/2772289/log.gz
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/alpha/include/uapi/asm/sockios.h
++++ b/arch/alpha/include/uapi/asm/sockios.h
+@@ -11,7 +11,7 @@
+ #define SIOCSPGRP _IOW('s', 8, pid_t)
+ #define SIOCGPGRP _IOR('s', 9, pid_t)
+
+-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
+-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
++#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
++#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
+
+ #endif /* _ASM_ALPHA_SOCKIOS_H */
+--- a/arch/mips/include/uapi/asm/sockios.h
++++ b/arch/mips/include/uapi/asm/sockios.h
+@@ -21,7 +21,7 @@
+ #define SIOCSPGRP _IOW('s', 8, pid_t)
+ #define SIOCGPGRP _IOR('s', 9, pid_t)
+
+-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
+-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
++#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
++#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
+
+ #endif /* _ASM_SOCKIOS_H */
+--- a/arch/sh/include/uapi/asm/sockios.h
++++ b/arch/sh/include/uapi/asm/sockios.h
+@@ -12,7 +12,6 @@
+ #define SIOCSPGRP _IOW('s', 8, pid_t)
+ #define SIOCGPGRP _IOR('s', 9, pid_t)
+
+-#define SIOCGSTAMP_OLD _IOR('s', 100, struct __kernel_old_timeval) /* Get stamp (timeval) */
+-#define SIOCGSTAMPNS_OLD _IOR('s', 101, struct __kernel_old_timespec) /* Get stamp (timespec) */
+-
++#define SIOCGSTAMP _IOR('s', 100, struct __kernel_old_timeval) /* Get stamp (timeval) */
++#define SIOCGSTAMPNS _IOR('s', 101, struct __kernel_old_timespec) /* Get stamp (timespec) */
+ #endif /* __ASM_SH_SOCKIOS_H */
+--- a/arch/xtensa/include/uapi/asm/sockios.h
++++ b/arch/xtensa/include/uapi/asm/sockios.h
+@@ -26,7 +26,7 @@
+ #define SIOCSPGRP _IOW('s', 8, pid_t)
+ #define SIOCGPGRP _IOR('s', 9, pid_t)
+
+-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
+-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
++#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
++#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
+
+ #endif /* _XTENSA_SOCKIOS_H */
+--- a/include/uapi/asm-generic/sockios.h
++++ b/include/uapi/asm-generic/sockios.h
+@@ -8,7 +8,7 @@
+ #define FIOGETOWN 0x8903
+ #define SIOCGPGRP 0x8904
+ #define SIOCATMARK 0x8905
+-#define SIOCGSTAMP_OLD 0x8906 /* Get stamp (timeval) */
+-#define SIOCGSTAMPNS_OLD 0x8907 /* Get stamp (timespec) */
++#define SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
++#define SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
+
+ #endif /* __ASM_GENERIC_SOCKIOS_H */
+--- a/include/uapi/linux/sockios.h
++++ b/include/uapi/linux/sockios.h
+@@ -19,7 +19,6 @@
+ #ifndef _LINUX_SOCKIOS_H
+ #define _LINUX_SOCKIOS_H
+
+-#include <asm/bitsperlong.h>
+ #include <asm/sockios.h>
+
+ /* Linux-specific socket ioctls */
+@@ -37,17 +36,6 @@
+ /* Get stamp (timespec) */
+ #define SIOCGSTAMPNS_NEW _IOR(SOCK_IOC_TYPE, 0x07, long long[2])
+
+-#if __BITS_PER_LONG == 64 || (defined(__x86_64__) && defined(__ILP32__))
+-/* on 64-bit and x32, avoid the ?: operator */
+-#define SIOCGSTAMP SIOCGSTAMP_OLD
+-#define SIOCGSTAMPNS SIOCGSTAMPNS_OLD
+-#else
+-#define SIOCGSTAMP ((sizeof(struct timeval)) == 8 ? \
+- SIOCGSTAMP_OLD : SIOCGSTAMP_NEW)
+-#define SIOCGSTAMPNS ((sizeof(struct timespec)) == 8 ? \
+- SIOCGSTAMPNS_OLD : SIOCGSTAMPNS_NEW)
+-#endif
+-
+ /* Routing table calls. */
+ #define SIOCADDRT 0x890B /* add routing table entry */
+ #define SIOCDELRT 0x890C /* delete routing table entry */
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1163,14 +1163,14 @@ static long sock_ioctl(struct file *file
+
+ err = open_related_ns(&net->ns, get_net_ns);
+ break;
+- case SIOCGSTAMP_OLD:
+- case SIOCGSTAMPNS_OLD:
++ case SIOCGSTAMP:
++ case SIOCGSTAMPNS:
+ if (!sock->ops->gettstamp) {
+ err = -ENOIOCTLCMD;
+ break;
+ }
+ err = sock->ops->gettstamp(sock, argp,
+- cmd == SIOCGSTAMP_OLD,
++ cmd == SIOCGSTAMP,
+ !IS_ENABLED(CONFIG_64BIT));
+ break;
+ case SIOCGSTAMP_NEW:
+@@ -3273,11 +3273,11 @@ static int compat_sock_ioctl_trans(struc
+ case SIOCGIFMAP:
+ case SIOCSIFMAP:
+ return compat_sioc_ifmap(net, cmd, argp);
+- case SIOCGSTAMP_OLD:
+- case SIOCGSTAMPNS_OLD:
++ case SIOCGSTAMP:
++ case SIOCGSTAMPNS:
+ if (!sock->ops->gettstamp)
+ return -ENOIOCTLCMD;
+- return sock->ops->gettstamp(sock, argp, cmd == SIOCGSTAMP_OLD,
++ return sock->ops->gettstamp(sock, argp, cmd == SIOCGSTAMP,
+ !COMPAT_USE_64BIT_TIME);
+
+ case SIOCETHTOOL:
diff --git a/debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch b/debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
new file mode 100644
index 000000000..a40c600ae
--- /dev/null
+++ b/debian/patches/bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
@@ -0,0 +1,139 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward
+Date: Tue, 08 Jan 2013 03:25:52 +0000
+Bug-Debian: https://bugs.debian.org/607194
+Bug-Debian: https://bugs.debian.org/607471
+Bug-Debian: https://bugs.debian.org/610851
+Bug-Debian: https://bugs.debian.org/627497
+Bug-Debian: https://bugs.debian.org/632212
+Bug-Debian: https://bugs.debian.org/637943
+Bug-Debian: https://bugs.debian.org/649448
+Bug-Debian: https://bugs.debian.org/697229
+Forwarded: no
+
+radeon requires firmware/microcode for the GPU in all chips, but for
+newer chips (apparently R600 'Evergreen' onward) it also expects
+firmware for the memory controller and other sub-blocks.
+
+radeon attempts to gracefully fall back and disable some features if
+the firmware is not available, but becomes unstable - the framebuffer
+and/or system memory may be corrupted, or the display may stay black.
+
+Therefore, perform a basic check for the existence of
+/lib/firmware/{radeon,amdgpu} when a device is probed, and abort if it
+is missing, except for the pre-R600 case.
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 29 ++++++++++++++++++++++++
+ drivers/gpu/drm/radeon/radeon_drv.c | 30 +++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+Index: debian-kernel/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+===================================================================
+--- debian-kernel.orig/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ debian-kernel/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -36,6 +36,8 @@
+ #include <linux/vga_switcheroo.h>
+ #include <drm/drm_probe_helper.h>
+ #include <linux/mmu_notifier.h>
++#include <linux/namei.h>
++#include <linux/path.h>
+
+ #include "amdgpu.h"
+ #include "amdgpu_irq.h"
+@@ -1017,6 +1019,28 @@ MODULE_DEVICE_TABLE(pci, pciidlist);
+
+ static struct drm_driver kms_driver;
+
++/* Test that /lib/firmware/amdgpu is a directory (or symlink to a
++ * directory). We could try to match the udev search path, but let's
++ * keep it simple.
++ */
++static bool amdgpu_firmware_installed(void)
++{
++#if IS_BUILTIN(CONFIG_DRM_AMDGPU)
++ /* It may be too early to tell. Assume it's there. */
++ return true;
++#else
++ struct path path;
++
++ if (kern_path("/lib/firmware/amdgpu", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
++ &path) == 0) {
++ path_put(&path);
++ return true;
++ }
++
++ return false;
++#endif
++}
++
+ static int amdgpu_pci_probe(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -1070,6 +1094,11 @@ static int amdgpu_pci_probe(struct pci_d
+ }
+ #endif
+
++ if (!amdgpu_firmware_installed()) {
++ DRM_ERROR("amdgpu requires firmware installed\n");
++ return -ENODEV;
++ }
++
+ /* Get rid of things like offb */
+ ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, "amdgpudrmfb");
+ if (ret)
+Index: debian-kernel/drivers/gpu/drm/radeon/radeon_drv.c
+===================================================================
+--- debian-kernel.orig/drivers/gpu/drm/radeon/radeon_drv.c
++++ debian-kernel/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -48,6 +48,8 @@
+ #include <drm/drm_probe_helper.h>
+ #include <drm/drm_vblank.h>
+ #include <drm/radeon_drm.h>
++#include <linux/namei.h>
++#include <linux/path.h>
+
+ #include "radeon_drv.h"
+
+@@ -321,6 +323,28 @@ static struct drm_driver kms_driver;
+
+ bool radeon_device_is_virtual(void);
+
++/* Test that /lib/firmware/radeon is a directory (or symlink to a
++ * directory). We could try to match the udev search path, but let's
++ * keep it simple.
++ */
++static bool radeon_firmware_installed(void)
++{
++#if IS_BUILTIN(CONFIG_DRM_RADEON)
++ /* It may be too early to tell. Assume it's there. */
++ return true;
++#else
++ struct path path;
++
++ if (kern_path("/lib/firmware/radeon", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
++ &path) == 0) {
++ path_put(&path);
++ return true;
++ }
++
++ return false;
++#endif
++}
++
+ static int radeon_pci_probe(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -360,6 +384,12 @@ static int radeon_pci_probe(struct pci_d
+ if (vga_switcheroo_client_probe_defer(pdev))
+ return -EPROBE_DEFER;
+
++ if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
++ !radeon_firmware_installed()) {
++ DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
++ return -ENODEV;
++ }
++
+ /* Get rid of things like offb */
+ ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, "radeondrmfb");
+ if (ret)
diff --git a/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch b/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch
new file mode 100644
index 000000000..bc4e28488
--- /dev/null
+++ b/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch
@@ -0,0 +1,375 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 26 Jan 2024 22:31:43 +0300
+Subject: smb3: Replace smb2pdu 1-element arrays with flex-arrays
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=06aa6eff7b243891c631b40852a0c453e274955d
+
+commit eb3e28c1e89b4984308777231887e41aa8a0151f upstream.
+
+The kernel is globally removing the ambiguous 0-length and 1-element
+arrays in favor of flexible arrays, so that we can gain both compile-time
+and run-time array bounds checking[1].
+
+Replace the trailing 1-element array with a flexible array in the
+following structures:
+
+ struct smb2_err_rsp
+ struct smb2_tree_connect_req
+ struct smb2_negotiate_rsp
+ struct smb2_sess_setup_req
+ struct smb2_sess_setup_rsp
+ struct smb2_read_req
+ struct smb2_read_rsp
+ struct smb2_write_req
+ struct smb2_write_rsp
+ struct smb2_query_directory_req
+ struct smb2_query_directory_rsp
+ struct smb2_set_info_req
+ struct smb2_change_notify_rsp
+ struct smb2_create_rsp
+ struct smb2_query_info_req
+ struct smb2_query_info_rsp
+
+Replace the trailing 1-element array with a flexible array, but leave
+the existing structure padding:
+
+ struct smb2_file_all_info
+ struct smb2_lock_req
+
+Adjust all related size calculations to match the changes to sizeof().
+
+No machine code output or .data section differences are produced after
+these changes.
+
+[1] For lots of details, see both:
+ https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
+ https://people.kernel.org/kees/bounded-flexible-arrays-in-c
+
+Cc: Steve French <sfrench@samba.org>
+Cc: Paulo Alcantara <pc@cjr.nz>
+Cc: Ronnie Sahlberg <lsahlber@redhat.com>
+Cc: Shyam Prasad N <sprasad@microsoft.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2misc.c | 2 +-
+ fs/cifs/smb2ops.c | 14 +++++++-------
+ fs/cifs/smb2pdu.c | 13 ++++++-------
+ fs/cifs/smb2pdu.h | 42 ++++++++++++++++++++++++------------------
+ 4 files changed, 38 insertions(+), 33 deletions(-)
+
+diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
+index b98bba887f84..660e00eb4206 100644
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -117,7 +117,7 @@ static __u32 get_neg_ctxt_len(struct smb2_sync_hdr *hdr, __u32 len,
+ } else if (nc_offset + 1 == non_ctxlen) {
+ cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n");
+ size_of_pad_before_neg_ctxts = 0;
+- } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE)
++ } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1)
+ /* has padding, but no SPNEGO blob */
+ size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1;
+ else
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 26edaeb4245d..84850a55c8b7 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -5561,7 +5561,7 @@ struct smb_version_values smb20_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5583,7 +5583,7 @@ struct smb_version_values smb21_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5604,7 +5604,7 @@ struct smb_version_values smb3any_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5625,7 +5625,7 @@ struct smb_version_values smbdefault_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5646,7 +5646,7 @@ struct smb_version_values smb30_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5667,7 +5667,7 @@ struct smb_version_values smb302_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+@@ -5688,7 +5688,7 @@ struct smb_version_values smb311_values = {
+ .header_size = sizeof(struct smb2_sync_hdr),
+ .header_preamble_size = 0,
+ .max_header_size = MAX_SMB2_HDR_SIZE,
+- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1,
++ .read_rsp_size = sizeof(struct smb2_read_rsp),
+ .lock_cmd = SMB2_LOCK,
+ .cap_unix = 0,
+ .cap_nt_find = SMB2_NT_FIND,
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 76679dc4e632..4aec01841f0f 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1261,7 +1261,7 @@ SMB2_sess_sendreceive(struct SMB2_sess_data *sess_data)
+
+ /* Testing shows that buffer offset must be at location of Buffer[0] */
+ req->SecurityBufferOffset =
+- cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 1 /* pad */);
++ cpu_to_le16(sizeof(struct smb2_sess_setup_req));
+ req->SecurityBufferLength = cpu_to_le16(sess_data->iov[1].iov_len);
+
+ memset(&rqst, 0, sizeof(struct smb_rqst));
+@@ -1760,8 +1760,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
+ iov[0].iov_len = total_len - 1;
+
+ /* Testing shows that buffer offset must be at location of Buffer[0] */
+- req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req)
+- - 1 /* pad */);
++ req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req));
+ req->PathLength = cpu_to_le16(unc_path_len - 2);
+ iov[1].iov_base = unc_path;
+ iov[1].iov_len = unc_path_len;
+@@ -4676,7 +4675,7 @@ int SMB2_query_directory_init(const unsigned int xid,
+ memcpy(bufptr, &asteriks, len);
+
+ req->FileNameOffset =
+- cpu_to_le16(sizeof(struct smb2_query_directory_req) - 1);
++ cpu_to_le16(sizeof(struct smb2_query_directory_req));
+ req->FileNameLength = cpu_to_le16(len);
+ /*
+ * BB could be 30 bytes or so longer if we used SMB2 specific
+@@ -4873,7 +4872,7 @@ SMB2_set_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
+ req->AdditionalInformation = cpu_to_le32(additional_info);
+
+ req->BufferOffset =
+- cpu_to_le16(sizeof(struct smb2_set_info_req) - 1);
++ cpu_to_le16(sizeof(struct smb2_set_info_req));
+ req->BufferLength = cpu_to_le32(*size);
+
+ memcpy(req->Buffer, *data, *size);
+@@ -5105,9 +5104,9 @@ build_qfs_info_req(struct kvec *iov, struct cifs_tcon *tcon,
+ req->VolatileFileId = volatile_fid;
+ /* 1 for pad */
+ req->InputBufferOffset =
+- cpu_to_le16(sizeof(struct smb2_query_info_req) - 1);
++ cpu_to_le16(sizeof(struct smb2_query_info_req));
+ req->OutputBufferLength = cpu_to_le32(
+- outbuf_len + sizeof(struct smb2_query_info_rsp) - 1);
++ outbuf_len + sizeof(struct smb2_query_info_rsp));
+
+ iov->iov_base = (char *)req;
+ iov->iov_len = total_len;
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index 89a732b31390..eaa873175318 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -220,7 +220,7 @@ struct smb2_err_rsp {
+ __le16 StructureSize;
+ __le16 Reserved; /* MBZ */
+ __le32 ByteCount; /* even if zero, at least one byte follows */
+- __u8 ErrorData[1]; /* variable length */
++ __u8 ErrorData[]; /* variable length */
+ } __packed;
+
+ #define SYMLINK_ERROR_TAG 0x4c4d5953
+@@ -464,7 +464,7 @@ struct smb2_negotiate_rsp {
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+ __le32 NegotiateContextOffset; /* Pre:SMB3.1.1 was reserved/ignored */
+- __u8 Buffer[1]; /* variable length GSS security buffer */
++ __u8 Buffer[]; /* variable length GSS security buffer */
+ } __packed;
+
+ /* Flags */
+@@ -481,7 +481,7 @@ struct smb2_sess_setup_req {
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+ __u64 PreviousSessionId;
+- __u8 Buffer[1]; /* variable length GSS security buffer */
++ __u8 Buffer[]; /* variable length GSS security buffer */
+ } __packed;
+
+ /* Currently defined SessionFlags */
+@@ -494,7 +494,7 @@ struct smb2_sess_setup_rsp {
+ __le16 SessionFlags;
+ __le16 SecurityBufferOffset;
+ __le16 SecurityBufferLength;
+- __u8 Buffer[1]; /* variable length GSS security buffer */
++ __u8 Buffer[]; /* variable length GSS security buffer */
+ } __packed;
+
+ struct smb2_logoff_req {
+@@ -520,7 +520,7 @@ struct smb2_tree_connect_req {
+ __le16 Flags; /* Reserved MBZ for dialects prior to SMB3.1.1 */
+ __le16 PathOffset;
+ __le16 PathLength;
+- __u8 Buffer[1]; /* variable length */
++ __u8 Buffer[]; /* variable length */
+ } __packed;
+
+ /* See MS-SMB2 section 2.2.9.2 */
+@@ -828,7 +828,7 @@ struct smb2_create_rsp {
+ __u64 VolatileFileId; /* opaque endianness */
+ __le32 CreateContextsOffset;
+ __le32 CreateContextsLength;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ struct create_context {
+@@ -1289,7 +1289,7 @@ struct smb2_read_plain_req {
+ __le32 RemainingBytes;
+ __le16 ReadChannelInfoOffset;
+ __le16 ReadChannelInfoLength;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ /* Read flags */
+@@ -1304,7 +1304,7 @@ struct smb2_read_rsp {
+ __le32 DataLength;
+ __le32 DataRemaining;
+ __u32 Flags;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ /* For write request Flags field below the following flags are defined: */
+@@ -1324,7 +1324,7 @@ struct smb2_write_req {
+ __le16 WriteChannelInfoOffset;
+ __le16 WriteChannelInfoLength;
+ __le32 Flags;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ struct smb2_write_rsp {
+@@ -1335,7 +1335,7 @@ struct smb2_write_rsp {
+ __le32 DataLength;
+ __le32 DataRemaining;
+ __u32 Reserved2;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ /* notify flags */
+@@ -1371,7 +1371,7 @@ struct smb2_change_notify_rsp {
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+- __u8 Buffer[1]; /* array of file notify structs */
++ __u8 Buffer[]; /* array of file notify structs */
+ } __packed;
+
+ #define SMB2_LOCKFLAG_SHARED_LOCK 0x0001
+@@ -1394,7 +1394,10 @@ struct smb2_lock_req {
+ __u64 PersistentFileId; /* opaque endianness */
+ __u64 VolatileFileId; /* opaque endianness */
+ /* Followed by at least one */
+- struct smb2_lock_element locks[1];
++ union {
++ struct smb2_lock_element lock;
++ DECLARE_FLEX_ARRAY(struct smb2_lock_element, locks);
++ };
+ } __packed;
+
+ struct smb2_lock_rsp {
+@@ -1434,7 +1437,7 @@ struct smb2_query_directory_req {
+ __le16 FileNameOffset;
+ __le16 FileNameLength;
+ __le32 OutputBufferLength;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ struct smb2_query_directory_rsp {
+@@ -1442,7 +1445,7 @@ struct smb2_query_directory_rsp {
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ /* Possible InfoType values */
+@@ -1483,7 +1486,7 @@ struct smb2_query_info_req {
+ __le32 Flags;
+ __u64 PersistentFileId; /* opaque endianness */
+ __u64 VolatileFileId; /* opaque endianness */
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ struct smb2_query_info_rsp {
+@@ -1491,7 +1494,7 @@ struct smb2_query_info_rsp {
+ __le16 StructureSize; /* Must be 9 */
+ __le16 OutputBufferOffset;
+ __le32 OutputBufferLength;
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ /*
+@@ -1514,7 +1517,7 @@ struct smb2_set_info_req {
+ __le32 AdditionalInformation;
+ __u64 PersistentFileId; /* opaque endianness */
+ __u64 VolatileFileId; /* opaque endianness */
+- __u8 Buffer[1];
++ __u8 Buffer[];
+ } __packed;
+
+ struct smb2_set_info_rsp {
+@@ -1716,7 +1719,10 @@ struct smb2_file_all_info { /* data block encoding of response to level 18 */
+ __le32 Mode;
+ __le32 AlignmentRequirement;
+ __le32 FileNameLength;
+- char FileName[1];
++ union {
++ char __pad; /* Legacy structure padding */
++ DECLARE_FLEX_ARRAY(char, FileName);
++ };
+ } __packed; /* level 18 Query */
+
+ struct smb2_file_eof_info { /* encoding of request for level 10 */
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch b/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch
new file mode 100644
index 000000000..8f8066530
--- /dev/null
+++ b/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch
@@ -0,0 +1,156 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 26 Jan 2024 22:31:42 +0300
+Subject: stddef: Introduce DECLARE_FLEX_ARRAY() helper
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=ef8316e0e29e98d9cf7e0689ddffa37e79d33736
+
+commit 3080ea5553cc909b000d1f1d964a9041962f2c5b upstream.
+
+There are many places where kernel code wants to have several different
+typed trailing flexible arrays. This would normally be done with multiple
+flexible arrays in a union, but since GCC and Clang don't (on the surface)
+allow this, there have been many open-coded workarounds, usually involving
+neighboring 0-element arrays at the end of a structure. For example,
+instead of something like this:
+
+struct thing {
+ ...
+ union {
+ struct type1 foo[];
+ struct type2 bar[];
+ };
+};
+
+code works around the compiler with:
+
+struct thing {
+ ...
+ struct type1 foo[0];
+ struct type2 bar[];
+};
+
+Another case is when a flexible array is wanted as the single member
+within a struct (which itself is usually in a union). For example, this
+would be worked around as:
+
+union many {
+ ...
+ struct {
+ struct type3 baz[0];
+ };
+};
+
+These kinds of work-arounds cause problems with size checks against such
+zero-element arrays (for example when building with -Warray-bounds and
+-Wzero-length-bounds, and with the coming FORTIFY_SOURCE improvements),
+so they must all be converted to "real" flexible arrays, avoiding warnings
+like this:
+
+fs/hpfs/anode.c: In function 'hpfs_add_sector_to_btree':
+fs/hpfs/anode.c:209:27: warning: array subscript 0 is outside the bounds of an interior zero-length array 'struct bplus_internal_node[0]' [-Wzero-length-bounds]
+ 209 | anode->btree.u.internal[0].down = cpu_to_le32(a);
+ | ~~~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from fs/hpfs/hpfs_fn.h:26,
+ from fs/hpfs/anode.c:10:
+fs/hpfs/hpfs.h:412:32: note: while referencing 'internal'
+ 412 | struct bplus_internal_node internal[0]; /* (internal) 2-word entries giving
+ | ^~~~~~~~
+
+drivers/net/can/usb/etas_es58x/es58x_fd.c: In function 'es58x_fd_tx_can_msg':
+drivers/net/can/usb/etas_es58x/es58x_fd.c:360:35: warning: array subscript 65535 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[]'} [-Wzero-length-bounds]
+ 360 | tx_can_msg = (typeof(tx_can_msg))&es58x_fd_urb_cmd->raw_msg[msg_len];
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from drivers/net/can/usb/etas_es58x/es58x_core.h:22,
+ from drivers/net/can/usb/etas_es58x/es58x_fd.c:17:
+drivers/net/can/usb/etas_es58x/es58x_fd.h:231:6: note: while referencing 'raw_msg'
+ 231 | u8 raw_msg[0];
+ | ^~~~~~~
+
+However, it _is_ entirely possible to have one or more flexible arrays
+in a struct or union: it just has to be in another struct. And since it
+cannot be alone in a struct, such a struct must have at least 1 other
+named member -- but that member can be zero sized. Wrap all this nonsense
+into the new DECLARE_FLEX_ARRAY() in support of having flexible arrays
+in unions (or alone in a struct).
+
+As with struct_group(), since this is needed in UAPI headers as well,
+implement the core there, with a non-UAPI wrapper.
+
+Additionally update kernel-doc to understand its existence.
+
+https://github.com/KSPP/linux/issues/137
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/stddef.h | 13 +++++++++++++
+ include/uapi/linux/stddef.h | 16 ++++++++++++++++
+ scripts/kernel-doc | 3 ++-
+ 3 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/stddef.h b/include/linux/stddef.h
+index 938216f8ab7e..31fdbb784c24 100644
+--- a/include/linux/stddef.h
++++ b/include/linux/stddef.h
+@@ -84,4 +84,17 @@ enum {
+ #define struct_group_tagged(TAG, NAME, MEMBERS...) \
+ __struct_group(TAG, NAME, /* no attrs */, MEMBERS)
+
++/**
++ * DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union
++ *
++ * @TYPE: The type of each flexible array element
++ * @NAME: The name of the flexible array member
++ *
++ * In order to have a flexible array member in a union or alone in a
++ * struct, it needs to be wrapped in an anonymous struct with at least 1
++ * named member, but that member can be empty.
++ */
++#define DECLARE_FLEX_ARRAY(TYPE, NAME) \
++ __DECLARE_FLEX_ARRAY(TYPE, NAME)
++
+ #endif
+diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
+index c3725b492263..7837ba4fe728 100644
+--- a/include/uapi/linux/stddef.h
++++ b/include/uapi/linux/stddef.h
+@@ -28,4 +28,20 @@
+ struct { MEMBERS } ATTRS; \
+ struct TAG { MEMBERS } ATTRS NAME; \
+ }
++
++/**
++ * __DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union
++ *
++ * @TYPE: The type of each flexible array element
++ * @NAME: The name of the flexible array member
++ *
++ * In order to have a flexible array member in a union or alone in a
++ * struct, it needs to be wrapped in an anonymous struct with at least 1
++ * named member, but that member can be empty.
++ */
++#define __DECLARE_FLEX_ARRAY(TYPE, NAME) \
++ struct { \
++ struct { } __empty_ ## NAME; \
++ TYPE NAME[]; \
++ }
+ #endif
+diff --git a/scripts/kernel-doc b/scripts/kernel-doc
+index 19af6dd160e6..7a04d4c05326 100755
+--- a/scripts/kernel-doc
++++ b/scripts/kernel-doc
+@@ -1232,7 +1232,8 @@ sub dump_struct($$) {
+ $members =~ s/DECLARE_KFIFO\s*\(([^,)]+),\s*([^,)]+),\s*([^,)]+)\)/$2 \*$1/gos;
+ # replace DECLARE_KFIFO_PTR
+ $members =~ s/DECLARE_KFIFO_PTR\s*\(([^,)]+),\s*([^,)]+)\)/$2 \*$1/gos;
+-
++ # replace DECLARE_FLEX_ARRAY
++ $members =~ s/(?:__)?DECLARE_FLEX_ARRAY\s*\($args,\s*$args\)/$1 $2\[\]/gos;
+ my $declaration = $members;
+
+ # Split nested struct/union elements as newer ones
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch b/debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
new file mode 100644
index 000000000..3818dbb17
--- /dev/null
+++ b/debian/patches/bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
@@ -0,0 +1,27 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 21 Feb 2016 15:33:15 +0000
+Subject: tools/build: Remove bpf() run-time check at build time
+Forwarded: no
+
+It is not correct to test that a syscall works on the build system's
+kernel. We might be building on an earlier kernel version or with
+security restrictions that block bpf().
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/tools/build/feature/test-bpf.c
++++ b/tools/build/feature/test-bpf.c
+@@ -35,8 +35,10 @@ int main(void)
+ attr.prog_flags = 0;
+
+ /*
+- * Test existence of __NR_bpf and BPF_PROG_LOAD.
+- * This call should fail if we run the testcase.
++ * bwh: Don't use the bpf() syscall as we might be building on a
++ * much older kernel. Do "use" the attr structure here to avoid
++ * a "set but not used" warning.
+ */
+- return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
++ (void)&attr;
++ return 0;
+ }
diff --git a/debian/patches/bugfix/all/tools-perf-man-date.patch b/debian/patches/bugfix/all/tools-perf-man-date.patch
new file mode 100644
index 000000000..80a19b554
--- /dev/null
+++ b/debian/patches/bugfix/all/tools-perf-man-date.patch
@@ -0,0 +1,44 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 13 Jul 2015 20:29:20 +0100
+Subject: perf tools: Use $KBUILD_BUILD_TIMESTAMP as man page date
+Forwarded: http://mid.gmane.org/20160517132809.GE7555@decadent.org.uk
+
+This allows man pages to be built reproducibly.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/Documentation/Makefile | 3 +++
+ tools/perf/Documentation/asciidoc.conf | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
+index adc5a7e44b98..2161b2e838b7 100644
+--- a/tools/perf/Documentation/Makefile
++++ b/tools/perf/Documentation/Makefile
+@@ -132,6 +132,9 @@ endif
+ ifdef DOCBOOK_SUPPRESS_SP
+ XMLTO_EXTRA += -m manpage-suppress-sp.xsl
+ endif
++ifdef KBUILD_BUILD_TIMESTAMP
++ASCIIDOC_EXTRA += -a revdate=$(shell date -u -d '$(KBUILD_BUILD_TIMESTAMP)' +%Y-%m-%d)
++endif
+
+ SHELL_PATH ?= $(SHELL)
+ # Shell quote;
+diff --git a/tools/perf/Documentation/asciidoc.conf b/tools/perf/Documentation/asciidoc.conf
+index 2b62ba1e72b7..82d3060177ba 100644
+--- a/tools/perf/Documentation/asciidoc.conf
++++ b/tools/perf/Documentation/asciidoc.conf
+@@ -71,6 +71,9 @@ ifdef::backend-docbook[]
+ [header]
+ template::[header-declarations]
+ <refentry>
++<refentryinfo>
++template::[docinfo]
++</refentryinfo>
+ ifdef::perf_date[]
+ <refentryinfo><date>{perf_date}</date></refentryinfo>
+ endif::perf_date[]
+--
+2.23.0
+
diff --git a/debian/patches/bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch b/debian/patches/bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
new file mode 100644
index 000000000..6da31fcd3
--- /dev/null
+++ b/debian/patches/bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
@@ -0,0 +1,175 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 25 Aug 2019 13:49:41 +0100
+Subject: tools/perf: pmu-events: Fix reproducibility
+Forwarded: https://lore.kernel.org/lkml/20190825131329.naqzd5kwg7mw5d3f@decadent.org.uk/T/#u
+
+jevents.c uses nftw() to enumerate files and outputs the corresponding
+C structs in the order they are found. This makes it sensitive to
+directory ordering, so that the perf executable is not reproducible.
+
+To avoid this, store all the files and directories found and then sort
+them by their (relative) path. (This maintains the parent-first
+ordering that nftw() promises.) Then apply the existing callbacks to
+them in the sorted order.
+
+Don't both storing the stat buffers as we don't need them.
+
+References: https://tests.reproducible-builds.org/debian/dbdtxt/bullseye/i386/linux_4.19.37-6.diffoscope.txt.gz
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -50,6 +50,18 @@
+ #include "json.h"
+ #include "pmu-events.h"
+
++struct ordered_ftw_entry {
++ const char *fpath;
++ int typeflag;
++ struct FTW ftwbuf;
++};
++
++struct ordered_ftw_state {
++ struct ordered_ftw_entry *entries;
++ size_t n;
++ size_t max;
++};
++
+ int verbose;
+ char *prog;
+
+@@ -905,6 +917,78 @@ static int get_maxfds(void)
+ */
+ static FILE *eventsfp;
+ static char *mapfile;
++static struct ordered_ftw_state *ordered_ftw_state;
++
++static int ordered_ftw_add(const char *fpath, const struct stat *sb,
++ int typeflag, struct FTW *ftwbuf)
++{
++ struct ordered_ftw_state *state = ordered_ftw_state;
++ struct ordered_ftw_entry *entry;
++
++ if (ftwbuf->level == 0 || ftwbuf->level > 3)
++ return 0;
++
++ /* Grow array if necessary */
++ if (state->n >= state->max) {
++ if (state->max == 0)
++ state->max = 16;
++ else
++ state->max *= 2;
++ state->entries = realloc(state->entries,
++ state->max * sizeof(*state->entries));
++ }
++
++ entry = &state->entries[state->n++];
++ entry->fpath = strdup(fpath);
++ entry->typeflag = typeflag;
++ entry->ftwbuf = *ftwbuf;
++
++ return 0;
++}
++
++static int ordered_ftw_compare(const void *left, const void *right)
++{
++ const struct ordered_ftw_entry *left_entry = left;
++ const struct ordered_ftw_entry *right_entry = right;
++
++ return strcmp(left_entry->fpath, right_entry->fpath);
++}
++
++/*
++ * Wrapper for nftw() that iterates files in ASCII-order to ensure
++ * reproducible output
++ */
++static int ordered_ftw(const char *dirpath,
++ int (*fn)(const char *, int, struct FTW *),
++ int nopenfd)
++{
++ struct ordered_ftw_state state = { NULL, 0, 0 };
++ size_t i;
++ int rc;
++
++ ordered_ftw_state = &state;
++ rc = nftw(dirpath, ordered_ftw_add, nopenfd, 0);
++ if (rc)
++ goto out;
++
++ qsort(state.entries, state.n, sizeof(*state.entries),
++ ordered_ftw_compare);
++
++ for (i = 0; i < state.n; i++) {
++ rc = fn(state.entries[i].fpath,
++ state.entries[i].typeflag,
++ &state.entries[i].ftwbuf);
++ if (rc)
++ goto out;
++ }
++
++out:
++ for (i = 0; i < state.n; i++)
++ free((char *)state.entries[i].fpath);
++ free(state.entries);;
++
++ return rc;
++}
+
+ static int is_leaf_dir(const char *fpath)
+ {
+@@ -957,19 +1041,19 @@ static int is_json_file(const char *name
+ return 0;
+ }
+
+-static int preprocess_arch_std_files(const char *fpath, const struct stat *sb,
++static int preprocess_arch_std_files(const char *fpath,
+ int typeflag, struct FTW *ftwbuf)
+ {
+ int level = ftwbuf->level;
+ int is_file = typeflag == FTW_F;
+
+ if (level == 1 && is_file && is_json_file(fpath))
+- return json_events(fpath, save_arch_std_events, (void *)sb);
++ return json_events(fpath, save_arch_std_events, NULL);
+
+ return 0;
+ }
+
+-static int process_one_file(const char *fpath, const struct stat *sb,
++static int process_one_file(const char *fpath,
+ int typeflag, struct FTW *ftwbuf)
+ {
+ char *tblname, *bname;
+@@ -994,9 +1078,9 @@ static int process_one_file(const char *
+ } else
+ bname = (char *) fpath + ftwbuf->base;
+
+- pr_debug("%s %d %7jd %-20s %s\n",
++ pr_debug("%s %d %-20s %s\n",
+ is_file ? "f" : is_dir ? "d" : "x",
+- level, sb->st_size, bname, fpath);
++ level, bname, fpath);
+
+ /* base dir or too deep */
+ if (level == 0 || level > 3)
+@@ -1152,17 +1236,17 @@ int main(int argc, char *argv[])
+ */
+
+ maxfds = get_maxfds();
+- rc = nftw(ldirname, preprocess_arch_std_files, maxfds, 0);
++ rc = ordered_ftw(ldirname, preprocess_arch_std_files, maxfds);
+ if (rc)
+ goto err_processing_std_arch_event_dir;
+
+- rc = nftw(ldirname, process_one_file, maxfds, 0);
++ rc = ordered_ftw(ldirname, process_one_file, maxfds);
+ if (rc)
+ goto err_processing_dir;
+
+ sprintf(ldirname, "%s/test", start_dirname);
+
+- rc = nftw(ldirname, process_one_file, maxfds, 0);
++ rc = ordered_ftw(ldirname, process_one_file, maxfds);
+ if (rc)
+ goto err_processing_dir;
+
diff --git a/debian/patches/bugfix/all/tools-perf-remove-shebangs.patch b/debian/patches/bugfix/all/tools-perf-remove-shebangs.patch
new file mode 100644
index 000000000..9766e0e4a
--- /dev/null
+++ b/debian/patches/bugfix/all/tools-perf-remove-shebangs.patch
@@ -0,0 +1,39 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 25 Sep 2015 20:09:23 +0100
+Subject: tools/perf: Remove shebang lines from perf scripts
+Forwarded: no
+
+perf scripts need to be invoked through perf, not directly through
+perl (or other language interpreter). So including shebang lines in
+them is useless and possibly misleading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/tools/perf/scripts/perl/rw-by-file.pl
++++ b/tools/perf/scripts/perl/rw-by-file.pl
+@@ -1,4 +1,3 @@
+-#!/usr/bin/perl -w
+ # SPDX-License-Identifier: GPL-2.0-only
+ # (c) 2009, Tom Zanussi <tzanussi@gmail.com>
+
+--- a/tools/perf/scripts/perl/rw-by-pid.pl
++++ b/tools/perf/scripts/perl/rw-by-pid.pl
+@@ -1,4 +1,3 @@
+-#!/usr/bin/perl -w
+ # SPDX-License-Identifier: GPL-2.0-only
+ # (c) 2009, Tom Zanussi <tzanussi@gmail.com>
+
+--- a/tools/perf/scripts/perl/rwtop.pl
++++ b/tools/perf/scripts/perl/rwtop.pl
+@@ -1,4 +1,3 @@
+-#!/usr/bin/perl -w
+ # SPDX-License-Identifier: GPL-2.0-only
+ # (c) 2010, Tom Zanussi <tzanussi@gmail.com>
+
+--- a/tools/perf/scripts/perl/wakeup-latency.pl
++++ b/tools/perf/scripts/perl/wakeup-latency.pl
+@@ -1,4 +1,3 @@
+-#!/usr/bin/perl -w
+ # SPDX-License-Identifier: GPL-2.0-only
+ # (c) 2009, Tom Zanussi <tzanussi@gmail.com>
+
diff --git a/debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch b/debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch
new file mode 100644
index 000000000..d9d7b301d
--- /dev/null
+++ b/debian/patches/bugfix/all/usbip-document-tcp-wrappers.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 24 Jun 2012 02:51:39 +0100
+Subject: usbip: Document TCP wrappers
+Forwarded: no
+
+Add references to TCP wrappers configuration in the manual page.
+
+--- a/tools/usb/usbip/doc/usbipd.8
++++ b/tools/usb/usbip/doc/usbipd.8
+@@ -14,7 +14,8 @@ Devices have to explicitly be exported u
+ before usbipd makes them available to other hosts.
+
+ The daemon accepts connections from USB/IP clients
+-on TCP port 3240 by default.
++on TCP port 3240 by default. The clients authorised to connect may be
++configured as documented in hosts_access(5).
+
+ .SH OPTIONS
+ .HP
+@@ -69,7 +70,8 @@ Show version.
+
+ .B usbipd
+ offers no authentication or authorization for USB/IP. Any
+-USB/IP client can connect and use exported devices.
++USB/IP client running on an authorised host can connect and
++use exported devices.
+
+ .SH EXAMPLES
+
diff --git a/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch b/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
new file mode 100644
index 000000000..d6f698251
--- /dev/null
+++ b/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
@@ -0,0 +1,100 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 14 Dec 2020 15:26:13 +0100
+Subject: vfs: move cap_convert_nscap() call into vfs_setxattr()
+Origin: https://git.kernel.org/linus/7c03e2cda4a584cadc398e8f6641ca9988a39d52
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3493
+
+cap_convert_nscap() does permission checking as well as conversion of the
+xattr value conditionally based on fs's user-ns.
+
+This is needed by overlayfs and probably other layered fs (ecryptfs) and is
+what vfs_foo() is supposed to do anyway.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: James Morris <jamorris@linux.microsoft.com>
+---
+ fs/xattr.c | 17 +++++++++++------
+ include/linux/capability.h | 2 +-
+ security/commoncap.c | 3 +--
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index cd7a563e8bcd..fd57153b1f61 100644
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -276,8 +276,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ {
+ struct inode *inode = dentry->d_inode;
+ struct inode *delegated_inode = NULL;
++ const void *orig_value = value;
+ int error;
+
++ if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
++ error = cap_convert_nscap(dentry, &value, size);
++ if (error < 0)
++ return error;
++ size = error;
++ }
++
+ retry_deleg:
+ inode_lock(inode);
+ error = __vfs_setxattr_locked(dentry, name, value, size, flags,
+@@ -289,6 +297,9 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ if (!error)
+ goto retry_deleg;
+ }
++ if (value != orig_value)
++ kfree(value);
++
+ return error;
+ }
+ EXPORT_SYMBOL_GPL(vfs_setxattr);
+@@ -537,12 +548,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
+ if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+ (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+ posix_acl_fix_xattr_from_user(kvalue, size);
+- else if (strcmp(kname, XATTR_NAME_CAPS) == 0) {
+- error = cap_convert_nscap(d, &kvalue, size);
+- if (error < 0)
+- goto out;
+- size = error;
+- }
+ }
+
+ error = vfs_setxattr(d, kname, kvalue, size, flags);
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..b2f698915c0f 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -270,6 +270,6 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
+ /* audit system wants to get cap info from files as well */
+ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
+
+-extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size);
++extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size);
+
+ #endif /* !_LINUX_CAPABILITY_H */
+diff --git a/security/commoncap.c b/security/commoncap.c
+index 59bf3c1674c8..bacc1111d871 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -473,7 +473,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
+ *
+ * If all is ok, we return the new size, on error return < 0.
+ */
+-int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
++int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
+ {
+ struct vfs_ns_cap_data *nscap;
+ uid_t nsrootid;
+@@ -516,7 +516,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
+ nscap->magic_etc = cpu_to_le32(nsmagic);
+ memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
+
+- kvfree(*ivalue);
+ *ivalue = nscap;
+ return newsize;
+ }
+--
+2.31.0
+
diff --git a/debian/patches/bugfix/all/wireguard-ignore-config_android.patch b/debian/patches/bugfix/all/wireguard-ignore-config_android.patch
new file mode 100644
index 000000000..5ff53c0b7
--- /dev/null
+++ b/debian/patches/bugfix/all/wireguard-ignore-config_android.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <benh@debian.org>
+Date: Thu, 07 Jul 2022 18:58:43 +0200
+Subject: wireguard: Clear keys after suspend despite CONFIG_ANDROID=y
+Forwarded: not-needed
+
+WireGuard assumes that CONFIG_ANDROID implies Android power
+management, i.e. user-space suspending the system automatically at
+short intervals, and so does not clear keys after a suspend/resume
+cycle. Debian systems don't do that kind of power management but we
+do set CONFIG_ANDROID on some architectures as a dependency of Binder.
+
+In 5.20, CONFIG_PM_USERSPACE_AUTOSLEEP will be introduced to tell the
+kernel that this kind of power management is in use, and
+CONFIG_ANDROID will be removed. For now, remove this one test that
+does the wrong thing for us.
+
+References: https://lwn.net/Articles/899743/
+---
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -71,7 +71,7 @@ static int wg_pm_notification(struct not
+ * its normal operation rather than as a somewhat rare event, then we
+ * don't actually want to clear keys.
+ */
+- if (IS_ENABLED(CONFIG_PM_AUTOSLEEP) || IS_ENABLED(CONFIG_ANDROID))
++ if (IS_ENABLED(CONFIG_PM_AUTOSLEEP))
+ return 0;
+
+ if (action != PM_HIBERNATION_PREPARE && action != PM_SUSPEND_PREPARE)
diff --git a/debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch b/debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
new file mode 100644
index 000000000..9e6622fb0
--- /dev/null
+++ b/debian/patches/bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
@@ -0,0 +1,37 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 17 Feb 2017 01:30:30 +0000
+Subject: ARM: dts: kirkwood: Fix SATA pinmux-ing for TS419
+Forwarded: https://www.spinics.net/lists/arm-kernel/msg563610.html
+Bug-Debian: https://bugs.debian.org/855017
+
+The old board code for the TS419 assigns MPP pins 15 and 16 as SATA
+activity signals (and none as SATA presence signals). Currently the
+device tree assigns the SoC's default pinmux groups for SATA, which
+conflict with the second Ethernet port.
+
+Reported-by: gmbh@gazeta.pl
+Tested-by: gmbh@gazeta.pl
+References: https://bugs.debian.org/855017
+Cc: stable@vger.kernel.org # 3.15+
+Fixes: 934b524b3f49 ("ARM: Kirkwood: Add DT description of QNAP 419")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/dts/kirkwood-ts419.dtsi | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm/boot/dts/kirkwood-ts419.dtsi b/arch/arm/boot/dts/kirkwood-ts419.dtsi
+index 02bd53762705..532506cb0f4a 100644
+--- a/arch/arm/boot/dts/kirkwood-ts419.dtsi
++++ b/arch/arm/boot/dts/kirkwood-ts419.dtsi
+@@ -73,3 +73,11 @@
+ phy-handle = <&ethphy1>;
+ };
+ };
++
++&pmx_sata0 {
++ marvell,pins = "mpp15";
++};
++
++&pmx_sata1 {
++ marvell,pins = "mpp16";
++};
diff --git a/debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch b/debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
new file mode 100644
index 000000000..1bdd37fbe
--- /dev/null
+++ b/debian/patches/bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 11 Jul 2018 23:40:55 +0100
+Subject: ARM: mm: Export __sync_icache_dcache() for xen-privcmd
+Forwarded: https://marc.info/?l=linux-arm-kernel&m=153134944429241
+
+The xen-privcmd driver, which can be modular, calls set_pte_at()
+which in turn may call __sync_icache_dcache().
+
+The call to __sync_icache_dcache() may be optimised out because it is
+conditional on !pte_special(), and xen-privcmd calls pte_mkspecial().
+However, in a non-LPAE configuration there is no "special" bit and the
+call is really unconditional.
+
+Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mm/flush.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: debian-kernel/arch/arm/mm/flush.c
+===================================================================
+--- debian-kernel.orig/arch/arm/mm/flush.c
++++ debian-kernel/arch/arm/mm/flush.c
+@@ -292,6 +292,7 @@ void __sync_icache_dcache(pte_t pteval)
+ if (pte_exec(pteval))
+ __flush_icache_all();
+ }
++EXPORT_SYMBOL_GPL(__sync_icache_dcache);
+ #endif
+
+ /*
diff --git a/debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch b/debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
new file mode 100644
index 000000000..b3b031668
--- /dev/null
+++ b/debian/patches/bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
@@ -0,0 +1,92 @@
+From: Geoff Levand <geoff@infradead.org>
+Date: Wed, 13 Jun 2018 10:56:08 -0700
+Subject: arm64/acpi: Add fixup for HPE m400 quirks
+Forwarded: https://patchwork.codeaurora.org/patch/547277/
+
+Adds a new ACPI init routine acpi_fixup_m400_quirks that adds
+a work-around for HPE ProLiant m400 APEI firmware problems.
+
+The work-around disables APEI when CONFIG_ACPI_APEI is set and
+m400 firmware is detected. Without this fixup m400 systems
+experience errors like these on startup:
+
+ [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 2
+ [Hardware Error]: event severity: fatal
+ [Hardware Error]: Error 0, type: fatal
+ [Hardware Error]: section_type: memory error
+ [Hardware Error]: error_status: 0x0000000000001300
+ [Hardware Error]: error_type: 10, invalid address
+ Kernel panic - not syncing: Fatal hardware error!
+
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+[bwh: Adjust context to apply to Linux 4.19]
+---
+ arch/arm64/kernel/acpi.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+Index: debian-kernel/arch/arm64/kernel/acpi.c
+===================================================================
+--- debian-kernel.orig/arch/arm64/kernel/acpi.c
++++ debian-kernel/arch/arm64/kernel/acpi.c
+@@ -32,6 +32,8 @@
+ #include <asm/daifflags.h>
+ #include <asm/smp_plat.h>
+
++#include <acpi/apei.h>
++
+ int acpi_noirq = 1; /* skip ACPI IRQ initialization */
+ int acpi_disabled = 1;
+ EXPORT_SYMBOL(acpi_disabled);
+@@ -178,6 +180,33 @@ out:
+ }
+
+ /*
++ * acpi_fixup_m400_quirks - Work-around for HPE ProLiant m400 APEI firmware
++ * problems.
++ */
++static void __init acpi_fixup_m400_quirks(void)
++{
++ acpi_status status;
++ struct acpi_table_header *header;
++#if !defined(CONFIG_ACPI_APEI)
++ int hest_disable = HEST_DISABLED;
++#endif
++
++ if (!IS_ENABLED(CONFIG_ACPI_APEI) || hest_disable != HEST_ENABLED)
++ return;
++
++ status = acpi_get_table(ACPI_SIG_HEST, 0, &header);
++
++ if (ACPI_SUCCESS(status) && !strncmp(header->oem_id, "HPE ", 6) &&
++ !strncmp(header->oem_table_id, "ProLiant", 8) &&
++ MIDR_IMPLEMENTOR(read_cpuid_id()) == ARM_CPU_IMP_APM) {
++ hest_disable = HEST_DISABLED;
++ pr_info("Disabled APEI for m400.\n");
++ }
++
++ acpi_put_table(header);
++}
++
++/*
+ * acpi_boot_table_init() called from setup_arch(), always.
+ * 1. find RSDP and get its address, and then find XSDT
+ * 2. extract all tables and checksums them all
+@@ -232,11 +261,14 @@ done:
+ if (acpi_disabled) {
+ if (earlycon_acpi_spcr_enable)
+ early_init_dt_scan_chosen_stdout();
+- } else {
+- acpi_parse_spcr(earlycon_acpi_spcr_enable, true);
+- if (IS_ENABLED(CONFIG_ACPI_BGRT))
+- acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
++ return;
+ }
++
++ acpi_parse_spcr(earlycon_acpi_spcr_enable, true);
++ if (IS_ENABLED(CONFIG_ACPI_BGRT))
++ acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt);
++
++ acpi_fixup_m400_quirks();
+ }
+
+ pgprot_t __acpi_get_mem_attribute(phys_addr_t addr)
diff --git a/debian/patches/bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch b/debian/patches/bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
new file mode 100644
index 000000000..2d568d35e
--- /dev/null
+++ b/debian/patches/bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
@@ -0,0 +1,45 @@
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Date: Mon, 4 Jun 2018 19:15:23 +0200
+Subject: arm64: dts: rockchip: correct voltage selector on Firefly-RK3399
+Bug-Debian: https://bugs.debian.org/900799
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git/patch/?id=710e8c4a54be82ee8a97324e7b4330bf191e08bf
+
+Without this patch the Firefly-RK3399 board boot process hangs after these
+lines:
+
+ fan53555-regulator 0-0040: FAN53555 Option[8] Rev[1] Detected!
+ fan53555-reg: supplied by vcc_sys
+ vcc1v8_s3: supplied by vcc_1v8
+
+Blacklisting driver fan53555 allows booting.
+
+The device tree uses a value of fcs,suspend-voltage-selector different to
+any other board.
+
+Changing this setting to the usual value is sufficient to enable booting
+and also matches the value used in the vendor kernel.
+
+Fixes: 171582e00db1 ("arm64: dts: rockchip: add support for firefly-rk3399 board")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-firefly.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts b/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
+index 86ff1eb..d8a2f0b 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-firefly.dts
+@@ -421,7 +421,7 @@
+ vdd_cpu_b: regulator@40 {
+ compatible = "silergy,syr827";
+ reg = <0x40>;
+- fcs,suspend-voltage-selector = <0>;
++ fcs,suspend-voltage-selector = <1>;
+ regulator-name = "vdd_cpu_b";
+ regulator-min-microvolt = <712500>;
+ regulator-max-microvolt = <1500000>;
+--
+cgit v1.1
+
diff --git a/debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch b/debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
new file mode 100644
index 000000000..0b3acfadb
--- /dev/null
+++ b/debian/patches/bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
@@ -0,0 +1,39 @@
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 29 Aug 2018 09:32:23 +0200
+Subject: powerpc/boot: Fix missing crc32poly.h when building with KERNEL_XZ
+Origin: https://patchwork.ozlabs.org/patch/963258/
+
+After commit faa16bc404d7 ("lib: Use existing define with
+polynomial") the lib/xz/xz_crc32.c includes a header from include/linux
+directory thus any other user of this code should define proper include
+path.
+
+This fixes the build error on powerpc with CONFIG_KERNEL_XZ:
+
+ In file included from ../arch/powerpc/boot/../../../lib/decompress_unxz.c:233:0,
+ from ../arch/powerpc/boot/decompress.c:42:
+ ../arch/powerpc/boot/../../../lib/xz/xz_crc32.c:18:29: fatal error: linux/crc32poly.h: No such file or directory
+
+Reported-by: Michal Kubecek <mkubecek@suse.cz>
+Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Meelis Roos <mroos@linux.ee>
+Tested-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ arch/powerpc/boot/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
+index 0fb96c26136f..ba4182fb185d 100644
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -63,7 +63,7 @@ ifeq ($(call cc-option-yn, -fstack-protector),y)
+ BOOTCFLAGS += -fno-stack-protector
+ endif
+
+-BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj)
++BOOTCFLAGS += -I$(objtree)/$(obj) -I$(srctree)/$(obj) -I$(srctree)/include
+
+ DTC_FLAGS ?= -p 1024
+
diff --git a/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch b/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
new file mode 100644
index 000000000..25e5b1044
--- /dev/null
+++ b/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
@@ -0,0 +1,124 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 19 Aug 2017 21:42:09 +0100
+Subject: sh: Do not use hyphen in exported variable names
+Forwarded: https://marc.info/?l=linux-sh&m=150317827322995&w=2
+
+arch/sh/Makefile defines and exports ld-bfd to be used by
+arch/sh/boot/Makefile and arch/sh/boot/compressed/Makefile. Similarly
+arch/sh/boot/Makefile defines and exports suffix-y to be used by
+arch/sh/boot/compressed/Makefile. However some shells, including
+dash, will not pass through environment variables whose name includes
+a hyphen. Usually GNU make does not use a shell to recurse, but if
+e.g. $(srctree) contains '~' it will use a shell here.
+
+Rename these variables to ld_bfd and suffix_y.
+
+References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
+Fixes: ef9b542fce00 ("sh: bzip2/lzma uImage support.")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/sh/Makefile | 10 +++++-----
+ arch/sh/boot/Makefile | 16 ++++++++--------
+ arch/sh/boot/compressed/Makefile | 6 +++---
+ arch/sh/boot/romimage/Makefile | 4 ++--
+ 4 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/arch/sh/Makefile
++++ b/arch/sh/Makefile
+@@ -102,16 +102,16 @@ UTS_MACHINE := sh
+ LDFLAGS_vmlinux += -e _stext
+
+ ifdef CONFIG_CPU_LITTLE_ENDIAN
+-ld-bfd := elf32-sh-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
++ld_bfd := elf32-sh-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EL
+ else
+-ld-bfd := elf32-shbig-linux
+-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
++ld_bfd := elf32-shbig-linux
++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
+ KBUILD_LDFLAGS += -EB
+ endif
+
+-export ld-bfd
++export ld_bfd
+
+ head-y := arch/sh/kernel/head_32.o
+
+--- a/arch/sh/boot/Makefile
++++ b/arch/sh/boot/Makefile
+@@ -19,12 +19,12 @@ CONFIG_ZERO_PAGE_OFFSET ?= 0x00001000
+ CONFIG_ENTRY_OFFSET ?= 0x00001000
+ CONFIG_PHYSICAL_START ?= $(CONFIG_MEMORY_START)
+
+-suffix-y := bin
+-suffix-$(CONFIG_KERNEL_GZIP) := gz
+-suffix-$(CONFIG_KERNEL_BZIP2) := bz2
+-suffix-$(CONFIG_KERNEL_LZMA) := lzma
+-suffix-$(CONFIG_KERNEL_XZ) := xz
+-suffix-$(CONFIG_KERNEL_LZO) := lzo
++suffix_y := bin
++suffix_$(CONFIG_KERNEL_GZIP) := gz
++suffix_$(CONFIG_KERNEL_BZIP2) := bz2
++suffix_$(CONFIG_KERNEL_LZMA) := lzma
++suffix_$(CONFIG_KERNEL_XZ) := xz
++suffix_$(CONFIG_KERNEL_LZO) := lzo
+
+ targets := zImage vmlinux.srec romImage uImage uImage.srec uImage.gz \
+ uImage.bz2 uImage.lzma uImage.xz uImage.lzo uImage.bin
+@@ -106,10 +106,10 @@ OBJCOPYFLAGS_uImage.srec := -I binary -O
+ $(obj)/uImage.srec: $(obj)/uImage
+ $(call if_changed,objcopy)
+
+-$(obj)/uImage: $(obj)/uImage.$(suffix-y)
++$(obj)/uImage: $(obj)/uImage.$(suffix_y)
+ @ln -sf $(notdir $<) $@
+ @echo ' Image $@ is ready'
+
+ export CONFIG_PAGE_OFFSET CONFIG_MEMORY_START CONFIG_BOOT_LINK_OFFSET \
+ CONFIG_PHYSICAL_START CONFIG_ZERO_PAGE_OFFSET CONFIG_ENTRY_OFFSET \
+- KERNEL_MEMORY suffix-y
++ KERNEL_MEMORY suffix_y
+--- a/arch/sh/boot/compressed/Makefile
++++ b/arch/sh/boot/compressed/Makefile
+@@ -30,7 +30,7 @@ endif
+
+ ccflags-remove-$(CONFIG_MCOUNT) += -pg
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ #
+@@ -68,7 +68,7 @@ $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.al
+
+ OBJCOPYFLAGS += -R .empty_zero_page
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+-$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE
++$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE
+ $(call if_changed,ld)
+--- a/arch/sh/boot/romimage/Makefile
++++ b/arch/sh/boot/romimage/Makefile
+@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) :
+ load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
+ obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
+
+-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
+ -T $(obj)/../../kernel/vmlinux.lds
+
+ $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
+@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
+ $(obj)/zeropage.bin: vmlinux FORCE
+ $(call if_changed,objcopy)
+
+-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
+
+ $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
+ $(call if_changed,ld)
diff --git a/debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch b/debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
new file mode 100644
index 000000000..f9baa7bd3
--- /dev/null
+++ b/debian/patches/bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
@@ -0,0 +1,35 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 22 Jul 2017 17:37:33 +0100
+Subject: perf tools: Fix unwind build on i386
+Forwarded: no
+
+EINVAL may not be defined when building unwind-libunwind.c with
+REMOTE_UNWIND_LIBUNWIND, resulting in a compiler error in
+LIBUNWIND__ARCH_REG_ID(). Its only caller, access_reg(), only checks
+for a negative return value and doesn't care what it is. So change
+-EINVAL to -1.
+
+Fixes: 52ffe0ff02fc ("Support x86(32-bit) cross platform callchain unwind.")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+
+--- a/tools/perf/arch/x86/util/unwind-libunwind.c
++++ b/tools/perf/arch/x86/util/unwind-libunwind.c
+@@ -66,7 +66,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
+ break;
+ default:
+ pr_err("unwind: invalid reg id %d\n", regnum);
+- return -EINVAL;
++ return -1;
+ }
+
+ return id;
+@@ -106,7 +106,7 @@ int LIBUNWIND__ARCH_REG_ID(int regnum)
+ break;
+ default:
+ pr_err("unwind: invalid reg id %d\n", regnum);
+- return -EINVAL;
++ return -1;
+ }
+
+ return id;
diff --git a/debian/patches/bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch b/debian/patches/bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch
new file mode 100644
index 000000000..73d28aeb6
--- /dev/null
+++ b/debian/patches/bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch
@@ -0,0 +1,34 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 19 May 2021 15:56:18 +0200
+Subject: platform/x86: toshiba_haps: Fix missing newline in pr_debug call in
+ toshiba_haps_notify
+Origin: https://git.kernel.org/linus/7dc4a18d017ca26abd1cea197e486fb3e5cd7632
+Bug-Debian: https://bugs.debian.org/799193
+
+The pr_debug() call in toshiba_haps_notify() is missing a newline at the
+end of the string, add this.
+
+BugLink: https://bugs.debian.org/799193
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210519135618.139701-1-hdegoede@redhat.com
+---
+ drivers/platform/x86/toshiba_haps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c
+index b237bd6b1ee5..49e84095bb01 100644
+--- a/drivers/platform/x86/toshiba_haps.c
++++ b/drivers/platform/x86/toshiba_haps.c
+@@ -131,7 +131,7 @@ static const struct attribute_group haps_attr_group = {
+ */
+ static void toshiba_haps_notify(struct acpi_device *device, u32 event)
+ {
+- pr_debug("Received event: 0x%x", event);
++ pr_debug("Received event: 0x%x\n", event);
+
+ acpi_bus_generate_netlink_event(device->pnp.device_class,
+ dev_name(&device->dev),
+--
+2.32.0
+
diff --git a/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch b/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
new file mode 100644
index 000000000..cfbf98e82
--- /dev/null
+++ b/debian/patches/bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
@@ -0,0 +1,22 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 25 Sep 2015 22:50:50 +0100
+Subject: Revert "perf build: Fix libunwind feature detection on 32-bit x86"
+Forwarded: no
+
+This reverts commit 05b41775e2edd69a83f592e3534930c934d4038e.
+It broke feature detection that was working just fine for us.
+---
+ tools/perf/Makefile.config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -38,7 +38,7 @@ ifeq ($(SRCARCH),x86)
+ LIBUNWIND_LIBS = -lunwind-x86_64 -lunwind -llzma
+ $(call detected,CONFIG_X86_64)
+ else
+- LIBUNWIND_LIBS = -lunwind-x86 -llzma -lunwind
++ LIBUNWIND_LIBS = -lunwind -lunwind-x86
+ endif
+ NO_PERF_REGS := 0
+ endif
diff --git a/debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch b/debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
new file mode 100644
index 000000000..62b4eb7de
--- /dev/null
+++ b/debian/patches/bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 20 Apr 2013 15:52:02 +0100
+Subject: viafb: Autoload on OLPC XO 1.5 only
+Bug-Debian: https://bugs.debian.org/705788
+Forwarded: no
+
+It appears that viafb won't work automatically on all the boards for
+which it has a PCI device ID match. Currently, it is blacklisted by
+udev along with most other framebuffer drivers, so this doesn't matter
+much.
+
+However, this driver is required for console support on the XO 1.5.
+We need to allow it to be autoloaded on this model only, and then
+un-blacklist it in udev.
+
+---
+--- a/drivers/video/fbdev/via/via-core.c
++++ b/drivers/video/fbdev/via/via-core.c
+@@ -695,7 +695,14 @@ static const struct pci_device_id via_pc
+ .driver_data = UNICHROME_VX900 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(pci, via_pci_table);
++
++static const struct pci_device_id via_pci_autoload_table[] __initconst = {
++ /* OLPC XO 1.5 */
++ { PCI_DEVICE(PCI_VENDOR_ID_VIA, UNICHROME_VX855_DID),
++ .subvendor = 0x152d, .subdevice = 0x0833 },
++ { }
++};
++MODULE_DEVICE_TABLE(pci, via_pci_autoload_table);
+
+ static const struct dev_pm_ops via_pm_ops = {
+ #ifdef CONFIG_PM_SLEEP
diff --git a/debian/patches/bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch b/debian/patches/bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
new file mode 100644
index 000000000..074c856be
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 25 Sep 2018 19:44:13 +0100
+Subject: x86-32: Disable 3D-Now in generic config
+
+We want the 686 flavour to run on Geode LX and similar AMD family 5
+CPUs as well as family 6 and higher CPUs. This used to work with
+CONFIG_M686=y. However commit 25d76ac88821 "x86/Kconfig: Explicitly
+enumerate i686-class CPUs in Kconfig" in Linux 4.16 has made the
+kernel require family 6 or higher.
+
+It looks like a sensible choice would be to enable CONFIG_MGEODE_LX
+and CONFIG_X86_GENERIC (for more generic optimisations), but this
+currently enables CONFIG_X86_USE_3D_NOW which will cause the kernel to
+crash on CPUs without the AMD-specific 3D-Now instructions.
+
+Make CONFIG_X86_USE_3DNOW depend on CONFIG_X86_GENERIC being disabled.
+
+---
+--- a/arch/x86/Kconfig.cpu
++++ b/arch/x86/Kconfig.cpu
+@@ -337,7 +337,7 @@ config X86_USE_PPRO_CHECKSUM
+
+ config X86_USE_3DNOW
+ def_bool y
+- depends on (MCYRIXIII || MK7 || MGEODE_LX) && !UML
++ depends on (MCYRIXIII || MK7 || MGEODE_LX) && !X86_GENERIC && !UML
+
+ #
+ # P6_NOPs are a relatively minor optimization that require a family >=
diff --git a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
new file mode 100644
index 000000000..801fd6a8d
--- /dev/null
+++ b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
@@ -0,0 +1,104 @@
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)
+Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default
+Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
+
+add sysctl to disallow unprivileged CLONE_NEWUSER by default
+
+This is a short-term patch. Unprivileged use of CLONE_NEWUSER
+is certainly an intended feature of user namespaces. However
+for at least saucy we want to make sure that, if any security
+issues are found, we have a fail-safe.
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+[bwh: Keep this sysctl, but change the default to enabled]
+---
+diff --git a/kernel/fork.c b/kernel/fork.c
+index efc5493203ae..bc596683cc31 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -106,6 +106,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1861,6 +1866,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2961,6 +2970,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index db1ce7af2563..2bb29f495b02 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -200,6 +200,10 @@ static int min_extfrag_threshold;
+ static int max_extfrag_threshold = 1000;
+ #endif
+
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
++
+ #endif /* CONFIG_SYSCTL */
+
+ #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_SYSCTL)
+@@ -1882,6 +1886,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 87804e0371fe..2fd16493231b 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone = 1;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.27.0
+
diff --git a/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
new file mode 100644
index 000000000..3b33f845a
--- /dev/null
+++ b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
+not present in the 'lenny' kernel, and seems to receive only sporadic
+maintenance. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ieee802154/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1122,4 +1122,4 @@ module_init(af_ieee802154_init);
+ module_exit(af_ieee802154_remove);
+
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
++/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */
diff --git a/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch
new file mode 100644
index 000000000..2df107cfb
--- /dev/null
+++ b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch
@@ -0,0 +1,106 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 22 Jun 2018 17:27:00 +0100
+Subject: android: Enable building ashmem and binder as modules
+Bug-Debian: https://bugs.debian.org/901492
+
+We want to enable use of the Android ashmem and binder drivers to
+support Anbox, but they should not be built-in as that would waste
+resources and increase security attack surface on systems that don't
+need them.
+
+- Add a MODULE_LICENSE declaration to ashmem
+- Change the Makefiles to build each driver as an object with the
+ "_linux" suffix (which is what Anbox expects)
+- Change config symbol types to tristate
+---
+ drivers/android/Kconfig | 2 +-
+ drivers/android/Makefile | 7 ++++---
+ drivers/android/binder_alloc.c | 2 +-
+ drivers/staging/android/Kconfig | 2 +-
+ drivers/staging/android/Makefile | 3 ++-
+ drivers/staging/android/ashmem.c | 3 +++
+ 6 files changed, 12 insertions(+), 7 deletions(-)
+
+Index: debian-kernel/drivers/android/Kconfig
+===================================================================
+--- debian-kernel.orig/drivers/android/Kconfig
++++ debian-kernel/drivers/android/Kconfig
+@@ -9,7 +9,7 @@ config ANDROID
+ if ANDROID
+
+ config ANDROID_BINDER_IPC
+- bool "Android Binder IPC Driver"
++ tristate "Android Binder IPC Driver"
+ depends on MMU
+ default n
+ help
+Index: debian-kernel/drivers/android/Makefile
+===================================================================
+--- debian-kernel.orig/drivers/android/Makefile
++++ debian-kernel/drivers/android/Makefile
+@@ -1,6 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ ccflags-y += -I$(src) # needed for trace events
+
+-obj-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
+-obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o
+-obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
++obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
++binder_linux-y := binder.o binder_alloc.o
++binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
++binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
+Index: debian-kernel/drivers/android/binder_alloc.c
+===================================================================
+--- debian-kernel.orig/drivers/android/binder_alloc.c
++++ debian-kernel/drivers/android/binder_alloc.c
+@@ -38,7 +38,7 @@ enum {
+ };
+ static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
+
+-module_param_named(debug_mask, binder_alloc_debug_mask,
++module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
+ uint, 0644);
+
+ #define binder_alloc_debug(mask, x...) \
+Index: debian-kernel/drivers/staging/android/Kconfig
+===================================================================
+--- debian-kernel.orig/drivers/staging/android/Kconfig
++++ debian-kernel/drivers/staging/android/Kconfig
+@@ -4,7 +4,7 @@ menu "Android"
+ if ANDROID
+
+ config ASHMEM
+- bool "Enable the Anonymous Shared Memory Subsystem"
++ tristate "Enable the Anonymous Shared Memory Subsystem"
+ depends on SHMEM
+ help
+ The ashmem subsystem is a new shared memory allocator, similar to
+Index: debian-kernel/drivers/staging/android/Makefile
+===================================================================
+--- debian-kernel.orig/drivers/staging/android/Makefile
++++ debian-kernel/drivers/staging/android/Makefile
+@@ -3,4 +3,5 @@ ccflags-y += -I$(src) # needed for tra
+
+ obj-y += ion/
+
+-obj-$(CONFIG_ASHMEM) += ashmem.o
++obj-$(CONFIG_ASHMEM) += ashmem_linux.o
++ashmem_linux-y += ashmem.o
+Index: debian-kernel/drivers/staging/android/ashmem.c
+===================================================================
+--- debian-kernel.orig/drivers/staging/android/ashmem.c
++++ debian-kernel/drivers/staging/android/ashmem.c
+@@ -24,6 +24,7 @@
+ #include <linux/bitops.h>
+ #include <linux/mutex.h>
+ #include <linux/shmem_fs.h>
++#include <linux/module.h>
+ #include "ashmem.h"
+
+ #define ASHMEM_NAME_PREFIX "dev/ashmem/"
+@@ -953,3 +954,5 @@ out:
+ return ret;
+ }
+ device_initcall(ashmem_init);
++
++MODULE_LICENSE("GPL v2");
diff --git a/debian/patches/debian/arch-sh4-fix-uimage-build.patch b/debian/patches/debian/arch-sh4-fix-uimage-build.patch
new file mode 100644
index 000000000..89e626b6b
--- /dev/null
+++ b/debian/patches/debian/arch-sh4-fix-uimage-build.patch
@@ -0,0 +1,26 @@
+From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
+Subject: [sh4] Fix uImage build
+Bug-Debian: https://bugs.debian.org/569034
+Forwarded: not-needed
+
+[bwh: This was added without a description, but I think it is done
+ only to avoid a build-dependency on u-boot-tools.]
+---
+ arch/sh/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/sh/Makefile b/arch/sh/Makefile
+index da9cf952f33c..974bbd9dcfcf 100644
+--- a/arch/sh/Makefile
++++ b/arch/sh/Makefile
+@@ -85,7 +85,6 @@ OBJCOPYFLAGS := -O binary -R .note -R .note.gnu.build-id -R .comment \
+
+ # Give the various platforms the opportunity to set default image types
+ defaultimage-y := zImage
+-defaultimage-$(CONFIG_SH_SH7785LCR) := uImage
+ defaultimage-$(CONFIG_SH_RSK) := uImage
+ defaultimage-$(CONFIG_SH_URQUELL) := uImage
+ defaultimage-$(CONFIG_SH_MIGOR) := uImage
+--
+2.27.0
+
diff --git a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
new file mode 100644
index 000000000..9f21e0705
--- /dev/null
+++ b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
@@ -0,0 +1,35 @@
+From: Adam Borowski <kilobyte@angband.pl>
+Date: Tue, 28 Mar 2017 16:55:05 +0200
+Subject: btrfs: warn about RAID5/6 being experimental at mount time
+Bug-Debian: https://bugs.debian.org/863290
+Origin: https://bugs.debian.org/863290#5
+
+Too many people come complaining about losing their data -- and indeed,
+there's no warning outside a wiki and the mailing list tribal knowledge.
+Message severity chosen for consistency with XFS -- "alert" makes dmesg
+produce nice red background which should get the point across.
+
+Signed-off-by: Adam Borowski <kilobyte@angband.pl>
+[bwh: Also add_taint() so this is flagged in bug reports]
+---
+ fs/btrfs/disk-io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3060,6 +3060,15 @@ retry_root_backup:
+ btrfs_set_and_info(fs_info, SSD, "enabling ssd optimizations");
+ }
+
++ if ((fs_info->avail_data_alloc_bits |
++ fs_info->avail_metadata_alloc_bits |
++ fs_info->avail_system_alloc_bits) &
++ BTRFS_BLOCK_GROUP_RAID56_MASK) {
++ btrfs_alert(fs_info,
++ "btrfs RAID5/6 is EXPERIMENTAL and has known data-loss bugs");
++ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
++ }
++
+ /*
+ * Mount does not set all options immediately, we can do it now and do
+ * not have to wait for transaction commit
diff --git a/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
new file mode 100644
index 000000000..70b446860
--- /dev/null
+++ b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
@@ -0,0 +1,27 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: cdc_ncm,cdc_mbim: Use NCM by default
+Date: Sun, 31 Mar 2013 03:58:04 +0100
+Forwarded: not-needed
+
+Devices that support both NCM and MBIM modes should be kept in NCM
+mode unless there is userland support for MBIM.
+
+Set the default value of cdc_ncm.prefer_mbim to false and leave it to
+userland (modem-manager) to override this with a modprobe.conf file
+once it's ready to speak MBIM.
+
+---
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -53,11 +53,7 @@
+ #include <linux/usb/cdc.h>
+ #include <linux/usb/cdc_ncm.h>
+
+-#if IS_ENABLED(CONFIG_USB_NET_CDC_MBIM)
+-static bool prefer_mbim = true;
+-#else
+ static bool prefer_mbim;
+-#endif
+ module_param(prefer_mbim, bool, 0644);
+ MODULE_PARM_DESC(prefer_mbim, "Prefer MBIM setting on dual NCM/MBIM functions");
+
diff --git a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
new file mode 100644
index 000000000..83583184e
--- /dev/null
+++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 16 Feb 2017 19:09:17 +0000
+Subject: dccp: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'dccp' protocol is not actively maintained or widely used.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");
diff --git a/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
new file mode 100644
index 000000000..0e5176908
--- /dev/null
+++ b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 13 Apr 2009 17:34:00 +0100
+Subject: Remove microcode patches for mgsuvd (not enabled in Debian configs)
+Forwarded: not-needed
+
+diff --git a/arch/powerpc/platforms/8xx/Kconfig b/arch/powerpc/platforms/8xx/Kconfig
+index 48a920a..81570b6 100644
+--- a/arch/powerpc/platforms/8xx/Kconfig
++++ b/arch/powerpc/platforms/8xx/Kconfig
+@@ -160,16 +160,19 @@ config NO_UCODE_PATCH
+
+ config USB_SOF_UCODE_PATCH
+ bool "USB SOF patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
+ config I2C_SPI_UCODE_PATCH
+ bool "I2C/SPI relocation patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
+ config I2C_SPI_SMC1_UCODE_PATCH
+ bool "I2C/SPI/SMC1 relocation patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
diff --git a/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch b/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
new file mode 100644
index 000000000..840cf24d7
--- /dev/null
+++ b/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
@@ -0,0 +1,18 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 24 Aug 2019 19:00:41 +0100
+Subject: Documentation: Fix broken link to CIPSO draft
+Forwarded: not-needed
+
+We exclude the CIPSO draft text as its licence is not DFSG compliant.
+Link to the IETF's online version instead.
+
+---
+--- a/Documentation/netlabel/draft_ietf.rst
++++ b/Documentation/netlabel/draft_ietf.rst
+@@ -1,5 +1,4 @@
+ Draft IETF CIPSO IP Security
+ ----------------------------
+
+- .. include:: draft-ietf-cipso-ipsecurity-01.txt
+- :literal:
++https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01
diff --git a/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
new file mode 100644
index 000000000..4e42da9a9
--- /dev/null
+++ b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
@@ -0,0 +1,15 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 17 Aug 2009 02:45:41 +0100
+Subject: dvb-usb-af9005: mark as broken
+Forwarded: not-needed
+
+--- a/drivers/media/usb/dvb-usb/Kconfig
++++ b/drivers/media/usb/dvb-usb/Kconfig
+@@ -227,6 +227,7 @@ config DVB_USB_OPERA1
+
+ config DVB_USB_AF9005
+ tristate "Afatech AF9005 DVB-T USB1.1 support"
++ depends on BROKEN
+ depends on DVB_USB
+ select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
+ select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT
diff --git a/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch
new file mode 100644
index 000000000..44258800a
--- /dev/null
+++ b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch
@@ -0,0 +1,54 @@
+From: Frederik Schüler <fs@debian.org>
+Date: Fri, 05 Jan 2007 15:55:24 +0000
+Subject: Add removal patches for: 3c359, smctr, keyspan, cops
+Forwarded: not-needed
+
+---
+ drivers/net/appletalk/Kconfig | 26 --------------------------
+ drivers/net/appletalk/Makefile | 1 -
+ 2 files changed, 27 deletions(-)
+
+--- a/drivers/net/appletalk/Kconfig
++++ b/drivers/net/appletalk/Kconfig
+@@ -50,33 +50,6 @@ config LTPC
+ This driver is experimental, which means that it may not work.
+ See the file <file:Documentation/networking/device_drivers/appletalk/ltpc.rst>.
+
+-config COPS
+- tristate "COPS LocalTalk PC support"
+- depends on DEV_APPLETALK && (ISA || EISA)
+- help
+- This allows you to use COPS AppleTalk cards to connect to LocalTalk
+- networks. You also need version 1.3.3 or later of the netatalk
+- package. This driver is experimental, which means that it may not
+- work. This driver will only work if you choose "AppleTalk DDP"
+- networking support, above.
+- Please read the file
+- <file:Documentation/networking/device_drivers/appletalk/cops.rst>.
+-
+-config COPS_DAYNA
+- bool "Dayna firmware support"
+- depends on COPS
+- help
+- Support COPS compatible cards with Dayna style firmware (Dayna
+- DL2000/ Daynatalk/PC (half length), COPS LT-95, Farallon PhoneNET PC
+- III, Farallon PhoneNET PC II).
+-
+-config COPS_TANGENT
+- bool "Tangent firmware support"
+- depends on COPS
+- help
+- Support COPS compatible cards with Tangent style firmware (Tangent
+- ATB_II, Novell NL-1000, Daystar Digital LT-200.
+-
+ config IPDDP
+ tristate "Appletalk-IP driver support"
+ depends on DEV_APPLETALK && ATALK
+--- a/drivers/net/appletalk/Makefile
++++ b/drivers/net/appletalk/Makefile
+@@ -4,5 +4,4 @@
+ #
+
+ obj-$(CONFIG_IPDDP) += ipddp.o
+-obj-$(CONFIG_COPS) += cops.o
+ obj-$(CONFIG_LTPC) += ltpc.o
diff --git a/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
new file mode 100644
index 000000000..4adc90c2d
--- /dev/null
+++ b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
@@ -0,0 +1,128 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 2 Jun 2012 19:53:38 +0100
+Subject: video: Remove nvidiafb and rivafb
+Bug-Debian: https://bugs.debian.org/383481
+Forwarded: no
+
+These drivers contain register programming code provided by the
+hardware vendor that appears to have been deliberately obfuscated.
+This is arguably not the preferred form for modification.
+
+These drivers are also largely redundant with nouveau. The RIVA 128
+(NV3) is not supported by nouveau but is about 15 years old and
+probably discontinued 10 years ago.
+
+---
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -866,99 +866,6 @@ config FB_ATMEL
+ help
+ This enables support for the AT91 LCD Controller.
+
+-config FB_NVIDIA
+- tristate "nVidia Framebuffer Support"
+- depends on FB && PCI
+- select FB_BACKLIGHT if FB_NVIDIA_BACKLIGHT
+- select FB_MODE_HELPERS
+- select FB_CFB_FILLRECT
+- select FB_CFB_COPYAREA
+- select FB_CFB_IMAGEBLIT
+- select BITREVERSE
+- select VGASTATE
+- help
+- This driver supports graphics boards with the nVidia chips, TNT
+- and newer. For very old chipsets, such as the RIVA128, then use
+- the rivafb.
+- Say Y if you have such a graphics board.
+-
+- To compile this driver as a module, choose M here: the
+- module will be called nvidiafb.
+-
+-config FB_NVIDIA_I2C
+- bool "Enable DDC Support"
+- depends on FB_NVIDIA
+- select FB_DDC
+- help
+- This enables I2C support for nVidia Chipsets. This is used
+- only for getting EDID information from the attached display
+- allowing for robust video mode handling and switching.
+-
+- Because fbdev-2.6 requires that drivers must be able to
+- independently validate video mode parameters, you should say Y
+- here.
+-
+-config FB_NVIDIA_DEBUG
+- bool "Lots of debug output"
+- depends on FB_NVIDIA
+- help
+- Say Y here if you want the nVidia driver to output all sorts
+- of debugging information to provide to the maintainer when
+- something goes wrong.
+-
+-config FB_NVIDIA_BACKLIGHT
+- bool "Support for backlight control"
+- depends on FB_NVIDIA
+- default y
+- help
+- Say Y here if you want to control the backlight of your display.
+-
+-config FB_RIVA
+- tristate "nVidia Riva support"
+- depends on FB && PCI
+- select FB_BACKLIGHT if FB_RIVA_BACKLIGHT
+- select FB_MODE_HELPERS
+- select FB_CFB_FILLRECT
+- select FB_CFB_COPYAREA
+- select FB_CFB_IMAGEBLIT
+- select BITREVERSE
+- select VGASTATE
+- help
+- This driver supports graphics boards with the nVidia Riva/Geforce
+- chips.
+- Say Y if you have such a graphics board.
+-
+- To compile this driver as a module, choose M here: the
+- module will be called rivafb.
+-
+-config FB_RIVA_I2C
+- bool "Enable DDC Support"
+- depends on FB_RIVA
+- select FB_DDC
+- help
+- This enables I2C support for nVidia Chipsets. This is used
+- only for getting EDID information from the attached display
+- allowing for robust video mode handling and switching.
+-
+- Because fbdev-2.6 requires that drivers must be able to
+- independently validate video mode parameters, you should say Y
+- here.
+-
+-config FB_RIVA_DEBUG
+- bool "Lots of debug output"
+- depends on FB_RIVA
+- help
+- Say Y here if you want the Riva driver to output all sorts
+- of debugging information to provide to the maintainer when
+- something goes wrong.
+-
+-config FB_RIVA_BACKLIGHT
+- bool "Support for backlight control"
+- depends on FB_RIVA
+- default y
+- help
+- Say Y here if you want to control the backlight of your display.
+-
+ config FB_I740
+ tristate "Intel740 support"
+ depends on FB && PCI
+--- a/drivers/video/fbdev/Makefile
++++ b/drivers/video/fbdev/Makefile
+@@ -21,8 +21,6 @@ obj-$(CONFIG_FB_PM3) += pm3fb.o
+
+ obj-$(CONFIG_FB_I740) += i740fb.o
+ obj-$(CONFIG_FB_MATROX) += matrox/
+-obj-$(CONFIG_FB_RIVA) += riva/
+-obj-$(CONFIG_FB_NVIDIA) += nvidia/
+ obj-$(CONFIG_FB_ATY) += aty/ macmodes.o
+ obj-$(CONFIG_FB_ATY128) += aty/ macmodes.o
+ obj-$(CONFIG_FB_RADEON) += aty/
diff --git a/debian/patches/debian/dfsg/vs6624-disable.patch b/debian/patches/debian/dfsg/vs6624-disable.patch
new file mode 100644
index 000000000..b99070c0c
--- /dev/null
+++ b/debian/patches/debian/dfsg/vs6624-disable.patch
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 27 May 2012 01:56:58 +0100
+Subject: vs6624: mark as broken
+Forwarded: not-needed
+
+---
+ drivers/media/i2c/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig
+index c68e002d26ea..9055d4658c78 100644
+--- a/drivers/media/i2c/Kconfig
++++ b/drivers/media/i2c/Kconfig
+@@ -843,6 +843,7 @@ config VIDEO_OV13858
+ OV13858 camera.
+
+ config VIDEO_VS6624
++ depends on BROKEN
+ tristate "ST VS6624 sensor support"
+ depends on VIDEO_V4L2 && I2C
+ help
+--
+2.24.0
+
diff --git a/debian/patches/debian/documentation-drop-sphinx-version-check.patch b/debian/patches/debian/documentation-drop-sphinx-version-check.patch
new file mode 100644
index 000000000..cb7f53bbe
--- /dev/null
+++ b/debian/patches/debian/documentation-drop-sphinx-version-check.patch
@@ -0,0 +1,52 @@
+From 252aa79fdbd4ac2da09d9b98f81bf11f5e3e1870 Mon Sep 17 00:00:00 2001
+From: Bastian Blank <waldi@debian.org>
+Date: Tue, 4 Aug 2020 09:44:19 +0000
+Subject: [PATCH 1/2] Documentation: Drop sphinx version check
+Forwarded: not-needed
+
+---
+ Documentation/Makefile | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/Documentation/Makefile b/Documentation/Makefile
+index 6b12dd82f712..613276ca41f6 100644
+--- a/Documentation/Makefile
++++ b/Documentation/Makefile
+@@ -78,14 +78,12 @@ quiet_cmd_sphinx = SPHINX $@ --> file://$(abspath $(BUILDDIR)/$3/$4)
+ $(abspath $(BUILDDIR)/$3/$4)
+
+ htmldocs:
+- @$(srctree)/scripts/sphinx-pre-install --version-check
+ @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,html,$(var),,$(var)))
+
+ linkcheckdocs:
+ @$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,linkcheck,$(var),,$(var)))
+
+ latexdocs:
+- @$(srctree)/scripts/sphinx-pre-install --version-check
+ @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,latex,$(var),latex,$(var)))
+
+ ifeq ($(HAVE_PDFLATEX),0)
+@@ -97,7 +95,6 @@ pdfdocs:
+ else # HAVE_PDFLATEX
+
+ pdfdocs: latexdocs
+- @$(srctree)/scripts/sphinx-pre-install --version-check
+ $(foreach var,$(SPHINXDIRS), \
+ $(MAKE) PDFLATEX="$(PDFLATEX)" LATEXOPTS="$(LATEXOPTS)" -C $(BUILDDIR)/$(var)/latex || exit; \
+ mkdir -p $(BUILDDIR)/$(var)/pdf; \
+@@ -107,11 +104,9 @@ pdfdocs: latexdocs
+ endif # HAVE_PDFLATEX
+
+ epubdocs:
+- @$(srctree)/scripts/sphinx-pre-install --version-check
+ @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,epub,$(var),epub,$(var)))
+
+ xmldocs:
+- @$(srctree)/scripts/sphinx-pre-install --version-check
+ @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,xml,$(var),xml,$(var)))
+
+ endif # HAVE_SPHINX
+--
+2.28.0
+
diff --git a/debian/patches/debian/export-symbols-needed-by-android-drivers.patch b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch
new file mode 100644
index 000000000..66b6b9722
--- /dev/null
+++ b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch
@@ -0,0 +1,113 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 07 Sep 2020 02:51:53 +0100
+Subject: Export symbols needed by Android drivers
+Bug-Debian: https://bugs.debian.org/901492
+
+We want to enable use of the Android ashmem and binder drivers to
+support Anbox, but they should not be built-in as that would waste
+resources and increase security attack surface on systems that don't
+need them.
+
+Export the currently un-exported symbols they depend on.
+
+---
+ fs/file.c | 1 +
+ kernel/sched/core.c | 1 +
+ kernel/sched/wait.c | 1 +
+ kernel/task_work.c | 1 +
+ mm/memory.c | 1 +
+ mm/shmem.c | 1 +
+ security/security.c | 4 ++++
+ 7 files changed, 10 insertions(+)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -823,6 +823,7 @@ int close_fd_get_file(unsigned int fd, s
+
+ return ret;
+ }
++EXPORT_SYMBOL(close_fd_get_file);
+
+ void do_close_on_exec(struct files_struct *files)
+ {
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5049,6 +5049,7 @@ int can_nice(const struct task_struct *p
+ return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
+ capable(CAP_SYS_NICE));
+ }
++EXPORT_SYMBOL_GPL(can_nice);
+
+ #ifdef __ARCH_WANT_SYS_NICE
+
+--- a/kernel/task_work.c
++++ b/kernel/task_work.c
+@@ -57,6 +57,7 @@ int task_work_add(struct task_struct *ta
+
+ return 0;
+ }
++EXPORT_SYMBOL(task_work_add);
+
+ /**
+ * task_work_cancel_match - cancel a pending work added by task_work_add()
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1578,6 +1578,7 @@ void zap_page_range(struct vm_area_struc
+ mmu_notifier_invalidate_range_end(&range);
+ tlb_finish_mmu(&tlb, start, range.end);
+ }
++EXPORT_SYMBOL_GPL(zap_page_range);
+
+ /**
+ * zap_page_range_single - remove user pages in a given range
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -4288,6 +4288,7 @@ int shmem_zero_setup(struct vm_area_stru
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(shmem_zero_setup);
+
+ /**
+ * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
+--- a/security/security.c
++++ b/security/security.c
+@@ -729,24 +729,28 @@ int security_binder_set_context_mgr(cons
+ {
+ return call_int_hook(binder_set_context_mgr, 0, mgr);
+ }
++EXPORT_SYMBOL_GPL(security_binder_set_context_mgr);
+
+ int security_binder_transaction(const struct cred *from,
+ const struct cred *to)
+ {
+ return call_int_hook(binder_transaction, 0, from, to);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transaction);
+
+ int security_binder_transfer_binder(const struct cred *from,
+ const struct cred *to)
+ {
+ return call_int_hook(binder_transfer_binder, 0, from, to);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transfer_binder);
+
+ int security_binder_transfer_file(const struct cred *from,
+ const struct cred *to, struct file *file)
+ {
+ return call_int_hook(binder_transfer_file, 0, from, to, file);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transfer_file);
+
+ int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
+ {
+--- a/kernel/sched/wait.c
++++ b/kernel/sched/wait.c
+@@ -229,6 +229,7 @@ void __wake_up_pollfree(struct wait_queu
+ /* POLLFREE must have cleared the queue. */
+ WARN_ON_ONCE(waitqueue_active(wq_head));
+ }
++EXPORT_SYMBOL_GPL(__wake_up_pollfree);
+
+ /*
+ * Note: we use "set_current_state()" _after_ the wait-queue add,
diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
new file mode 100644
index 000000000..82cdda18e
--- /dev/null
+++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
+Date: Wed, 13 Jul 2016 01:37:22 +0100
+Forwarded: not-needed
+
+Various free and proprietary AV products use this feature and users
+apparently want it. But punting access checks to userland seems like
+an easy way to deadlock the system, and there will be nothing we can
+do about that. So warn and taint the kernel if this feature is
+actually used.
+
+---
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -1170,6 +1170,14 @@ static int do_fanotify_mark(int fanotify
+ if (ignored)
+ mask &= ~FANOTIFY_EVENT_FLAGS;
+
++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
++ if (mask & FANOTIFY_PERM_EVENTS) {
++ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
++ current->comm, current->pid);
++ add_taint(TAINT_AUX, LOCKDEP_STILL_OK);
++ }
++#endif
++
+ f = fdget(fanotify_fd);
+ if (unlikely(!f.file))
+ return -EBADF;
diff --git a/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
new file mode 100644
index 000000000..27bc69903
--- /dev/null
+++ b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
@@ -0,0 +1,52 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 12 Mar 2018 01:14:03 +0000
+Subject: firmware_class: Refer to Debian wiki page when logging missing firmware
+Bug-Debian: https://bugs.debian.org/888405
+Forwarded: not-needed
+
+If firmware loading fails due to a missing file, log a second error
+message referring to our wiki page about firmware. This will explain
+why some firmware is in non-free, or can't be packaged at all. Only
+do this once per boot.
+
+Do something similar in the radeon and amdgpu drivers, where we have
+an early check to avoid failing at a point where we cannot display
+anything.
+
+---
+--- a/drivers/base/firmware_loader/main.c
++++ b/drivers/base/firmware_loader/main.c
+@@ -334,9 +334,12 @@ fw_get_filesystem_firmware(struct device
+ }
+ __putname(path);
+
+- if (rc)
++ if (rc) {
+ dev_err(device, "firmware: failed to load %s (%d)\n",
+ fw_priv->fw_name, rc);
++ if (rc == -ENOENT)
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
++ }
+
+ return rc;
+ }
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -367,6 +367,7 @@ static int radeon_pci_probe(struct pci_d
+ if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
+ !radeon_firmware_installed()) {
+ DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
+ return -ENODEV;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -626,6 +626,7 @@ static int amdgpu_pci_probe(struct pci_d
+
+ if (!amdgpu_firmware_installed()) {
+ DRM_ERROR("amdgpu requires firmware installed\n");
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
+ return -ENODEV;
+ }
+
diff --git a/debian/patches/debian/fjes-disable-autoload.patch b/debian/patches/debian/fjes-disable-autoload.patch
new file mode 100644
index 000000000..59b56708e
--- /dev/null
+++ b/debian/patches/debian/fjes-disable-autoload.patch
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 18 Mar 2017 20:47:58 +0000
+Subject: fjes: Disable auto-loading
+Bug-Debian: https://bugs.debian.org/853976
+Forwarded: no
+
+fjes matches a generic ACPI device ID, and relies on its probe
+function to distinguish whether that really corresponds to a supported
+device. Very few system will need the driver and it wastes memory on
+all the other systems where the same device ID appears, so disable
+auto-loading.
+
+---
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -81,7 +81,7 @@ static const struct acpi_device_id fjes_
+ {ACPI_MOTHERBOARD_RESOURCE_HID, 0},
+ {"", 0},
+ };
+-MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids);
++/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */
+
+ static struct acpi_driver fjes_acpi_driver = {
+ .name = DRV_NAME,
diff --git a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000..e2a8679a5
--- /dev/null
+++ b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,22 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
diff --git a/debian/patches/debian/gitignore.patch b/debian/patches/debian/gitignore.patch
new file mode 100644
index 000000000..78a7235fa
--- /dev/null
+++ b/debian/patches/debian/gitignore.patch
@@ -0,0 +1,49 @@
+From: Ian Campbell <ijc@hellion.org.uk>
+Date: Thu, 17 Jan 2013 08:55:21 +0000
+Subject: Tweak gitignore for Debian pkg-kernel using git svn.
+Forwarded: not-needed
+
+[bwh: Tweak further for pure git]
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -71,11 +71,6 @@ modules.order
+ /*.spec
+
+ #
+-# Debian directory (make deb-pkg)
+-#
+-/debian/
+-
+-#
+ # Snap directory (make snap-pkg)
+ #
+ /snap/
+@@ -86,16 +81,6 @@ modules.order
+ /tar-install/
+
+ #
+-# We don't want to ignore the following even if they are dot-files
+-#
+-!.clang-format
+-!.cocciconfig
+-!.get_maintainer.ignore
+-!.gitattributes
+-!.gitignore
+-!.mailmap
+-
+-#
+ # Generated include files
+ #
+ /include/config/
+@@ -155,3 +140,10 @@ x509.genkey
+
+ # Documentation toolchain
+ sphinx_*/
++
++#
++# Debian packaging: ignore everything at the top level, since it isn't
++# included in our repository
++#
++/*
++!/debian/
diff --git a/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
new file mode 100644
index 000000000..b532d0054
--- /dev/null
+++ b/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,48 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 05 Aug 2019 00:29:11 +0100
+Subject: hamradio: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'ham' radio protocols (ax25, netrom, rose) are not actively
+maintained or widely used. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1986,7 +1986,7 @@ module_init(ax25_init);
+ MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
+ MODULE_DESCRIPTION("The amateur radio AX.25 link layer protocol");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_AX25);
++/* MODULE_ALIAS_NETPROTO(PF_AX25); */
+
+ static void __exit ax25_exit(void)
+ {
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1486,7 +1486,7 @@ MODULE_PARM_DESC(nr_ndevs, "number of NE
+ MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
+ MODULE_DESCRIPTION("The amateur radio NET/ROM network and transport layer protocol");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_NETROM);
++/* MODULE_ALIAS_NETPROTO(PF_NETROM); */
+
+ static void __exit nr_exit(void)
+ {
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1577,7 +1577,7 @@ MODULE_PARM_DESC(rose_ndevs, "number of
+ MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>");
+ MODULE_DESCRIPTION("The amateur radio ROSE network layer protocol");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_ROSE);
++/* MODULE_ALIAS_NETPROTO(PF_ROSE); */
+
+ static void __exit rose_exit(void)
+ {
diff --git a/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
new file mode 100644
index 000000000..1b216d0d1
--- /dev/null
+++ b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
@@ -0,0 +1,27 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 16 Feb 2016 02:45:42 +0000
+Subject: [i386/686-pae] PCI: Set pci=nobios by default
+Forwarded: not-needed
+
+CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped
+W+X, which is undesirable for security reasons and will result in a
+warning at boot now that we enable CONFIG_DEBUG_WX.
+
+This can be overridden using the kernel parameter "pci=nobios", but we
+want to disable W+X by default. Disable PCI BIOS probing by default;
+it can still be enabled using "pci=bios".
+
+---
+--- a/arch/x86/pci/common.c
++++ b/arch/x86/pci/common.c
+@@ -21,8 +21,8 @@
+ #include <asm/setup.h>
+ #include <asm/irqdomain.h>
+
+-unsigned int pci_probe = PCI_PROBE_BIOS | PCI_PROBE_CONF1 | PCI_PROBE_CONF2 |
+- PCI_PROBE_MMCONF;
++unsigned int pci_probe = PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | PCI_PROBE_MMCONF |
++ (IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE) ? 0 : PCI_PROBE_BIOS);
+
+ static int pci_bf_sort;
+ int pci_routeirq;
diff --git a/debian/patches/debian/ia64-hardcode-arch-script-output.patch b/debian/patches/debian/ia64-hardcode-arch-script-output.patch
new file mode 100644
index 000000000..064157efc
--- /dev/null
+++ b/debian/patches/debian/ia64-hardcode-arch-script-output.patch
@@ -0,0 +1,75 @@
+From: dann frazier <dannf@debian.org>
+Subject: Hardcode arch script output
+Date: Mon, 26 Mar 2007 16:30:51 -0600
+Bug-Debian: https://bugs.debian.org/392592
+Forwarded: not-needed
+
+Here's a patch that simply uses hardcoded definitions instead of
+doing the dynamic tests that require architecture-specific scripts.
+
+I don't particularly like this approach because it restricts
+portability and diverts from upstream. But, it is simpler, and this
+really needs to be fixed somehow before etch (along with a rebuild of
+linux-modules-extra-2.6), so I'm willing to live with it if my other
+patch is deemed unacceptable.
+
+My primary concern is that, in the future, the output of these scripts
+will change and we (or our successors) will either not notice or
+forget to update the hardcoded values.
+
+Including the scripts in linux-kbuild will avoid this manual step
+altogether, and allow for the possibility of other archs to provide
+their own scripts in the future.
+---
+ arch/ia64/Makefile | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+Index: debian-kernel/arch/ia64/Makefile
+===================================================================
+--- debian-kernel.orig/arch/ia64/Makefile
++++ debian-kernel/arch/ia64/Makefile
+@@ -28,16 +28,7 @@ cflags-y := -pipe $(EXTRA) -ffixed-r13 -
+ -falign-functions=32 -frename-registers -fno-optimize-sibling-calls
+ KBUILD_CFLAGS_KERNEL := -mconstant-gp
+
+-GAS_STATUS = $(shell $(srctree)/arch/ia64/scripts/check-gas "$(CC)" "$(OBJDUMP)")
+-KBUILD_CPPFLAGS += $(shell $(srctree)/arch/ia64/scripts/toolchain-flags "$(CC)" "$(OBJDUMP)" "$(READELF)")
+-
+-ifeq ($(GAS_STATUS),buggy)
+-$(error Sorry, you need a newer version of the assember, one that is built from \
+- a source-tree that post-dates 18-Dec-2002. You can find a pre-compiled \
+- static binary of such an assembler at: \
+- \
+- ftp://ftp.hpl.hp.com/pub/linux-ia64/gas-030124.tar.gz)
+-endif
++KBUILD_CPPFLAGS += -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE
+
+ quiet_cmd_gzip = GZIP $@
+ cmd_gzip = cat $(real-prereqs) | $(KGZIP) -n -f -9 > $@
+@@ -57,7 +48,7 @@ drivers-$(CONFIG_OPROFILE) += arch/ia64/
+
+ PHONY += compressed check
+
+-all: compressed unwcheck
++all: compressed
+
+ compressed: vmlinux.gz
+
+@@ -69,9 +60,6 @@ vmlinux.gz: vmlinux.bin FORCE
+ vmlinux.bin: vmlinux FORCE
+ $(call if_changed,objcopy)
+
+-unwcheck: vmlinux
+- -$(Q)READELF=$(READELF) $(PYTHON) $(srctree)/arch/ia64/scripts/unwcheck.py $<
+-
+ archclean:
+
+ archheaders:
+@@ -85,7 +73,6 @@ install: vmlinux.gz
+ define archhelp
+ echo '* compressed - Build compressed kernel image'
+ echo ' install - Install compressed kernel image'
+- echo '* unwcheck - Check vmlinux for invalid unwind info'
+ endef
+
+ archprepare: make_nr_irqs_h
diff --git a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch
new file mode 100644
index 000000000..c8061436d
--- /dev/null
+++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: iwlwifi: Do not request unreleased firmware for IWL6000
+Bug-Debian: https://bugs.debian.org/689416
+Forwarded: not-needed
+
+The iwlwifi driver currently supports firmware API versions 4-6 for
+these devices. It will request the file for the latest supported
+version and then fall back to earlier versions. However, the latest
+version that has actually been released is 4, so we expect the
+requests for versions 6 and then 5 to fail.
+
+The installer appears to report any failed request, and it is probably
+not easy to detect that this particular failure is harmless. So stop
+requesting the unreleased firmware.
+
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
+@@ -31,7 +31,7 @@
+ #include "dvm/commands.h" /* needed for BT for now */
+
+ /* Highest firmware API version supported */
+-#define IWL6000_UCODE_API_MAX 6
++#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */
+ #define IWL6050_UCODE_API_MAX 5
+ #define IWL6000G2_UCODE_API_MAX 6
+ #define IWL6035_UCODE_API_MAX 6
diff --git a/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch b/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch
new file mode 100644
index 000000000..ec23040d8
--- /dev/null
+++ b/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch
@@ -0,0 +1,37 @@
+From: Ben Hutchings <benh@debian.org>
+Date: Mon, 26 Apr 2021 18:27:16 +0200
+Subject: kbuild: Abort build if SUBDIRS used
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/987575
+
+DKMS and module-assistant both build OOT modules as root. If they
+build an old OOT module that still use SUBDIRS this causes Kbuild
+to try building a full kernel, which obviously fails but not before
+deleting files from the installed headers package.
+
+To avoid such mishaps, detect this situation and abort the build.
+
+The error message is based on that used in commit 0126be38d988
+"kbuild: announce removal of SUBDIRS if used".
+---
+--- a/Makefile
++++ b/Makefile
+@@ -218,6 +218,18 @@ ifeq ("$(origin M)", "command line")
+ KBUILD_EXTMOD := $(M)
+ endif
+
++# Old syntax make ... SUBDIRS=$PWD should be rejected to avoid mishaps
++# (see Debian bugs #982334, #987575)
++ifndef KBUILD_EXTMOD
++ ifdef SUBDIRS
++ $(warning =============== ERROR ==============)
++ $(warning 'SUBDIRS' was removed in Linux 5.3)
++ $(warning Use 'M=' or 'KBUILD_EXTMOD=' instead)
++ $(warning ====================================)
++ $(error .)
++ endif
++endif
++
+ $(if $(word 2, $(KBUILD_EXTMOD)), \
+ $(error building multiple external modules is not supported))
+
diff --git a/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch b/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
new file mode 100644
index 000000000..04e636319
--- /dev/null
+++ b/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
@@ -0,0 +1,45 @@
+From: Ben Hutchings <benh@debian.org>
+Date: Thu, 10 Dec 2020 17:31:39 +0100
+Subject: kbuild: Look for module.lds under arch directory too
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/975571
+
+The module.lds linker script is now built under the scripts directory,
+where previously it was under arch/$(SRCARCH).
+
+However, we package the scripts directory as linux-kbuild, which is
+meant to be able to do support native and cross-builds. That means it
+shouldn't contain files for a specific target architecture without a
+wrapper to select between them, and it doesn't appear that linker
+scripts are powerful enough to implement such a wrapper.
+
+Building module.lds in a different location would require relatively
+large changes. Moving it in the package build rules can work, but we
+need to support custom kernel builds from the same source so we can't
+assume it's moved.
+
+Therefore, we move module.lds under the arch build directory in
+rules.real and change Makefile.modfinal to look for it in both places.
+
+---
+--- a/scripts/Makefile.modfinal
++++ b/scripts/Makefile.modfinal
+@@ -28,15 +28,16 @@ quiet_cmd_cc_o_c = CC [M] $@
+ $(call if_changed_dep,cc_o_c)
+
+ ARCH_POSTLINK := $(wildcard $(srctree)/arch/$(SRCARCH)/Makefile.postlink)
++ARCH_MODULE_LDS := $(word 1,$(wildcard scripts/module.lds arch/$(SRCARCH)/module.lds))
+
+ quiet_cmd_ld_ko_o = LD [M] $@
+ cmd_ld_ko_o = \
+ $(LD) -r $(KBUILD_LDFLAGS) \
+ $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
+- -T scripts/module.lds -o $@ $(filter %.o, $^); \
++ -T $(ARCH_MODULE_LDS) -o $@ $(filter %.o, $^); \
+ $(if $(ARCH_POSTLINK), $(MAKE) -f $(ARCH_POSTLINK) $@, true)
+
+-$(modules): %.ko: %.o %.mod.o scripts/module.lds FORCE
++$(modules): %.ko: %.o %.mod.o $(ARCH_MODULE_LDS) FORCE
+ +$(call if_changed,ld_ko_o)
+
+ targets += $(modules) $(modules:.ko=.mod.o)
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
new file mode 100644
index 000000000..c574f984a
--- /dev/null
+++ b/debian/patches/debian/kernelvariables.patch
@@ -0,0 +1,82 @@
+From: Bastian Blank <waldi@debian.org>
+Subject: kbuild: Make the toolchain variables easily overwritable
+Date: Sun, 22 Feb 2009 15:39:35 +0100
+Forwarded: not-needed
+
+Allow make variables to be overridden for each flavour by a file in
+the build tree, .kernelvariables.
+
+We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
+also CROSS_COMPILE, KCFLAGS.
+
+This file can only be read after we establish the build tree, and all
+use of $(ARCH) needs to be moved after this.
+
+[bwh: Updated for 5.3: include .kernelvariables from current directory
+ rather than using undefined $(obj).]
+---
+--- a/Makefile
++++ b/Makefile
+@@ -363,31 +363,6 @@ include scripts/subarch.include
+ # Note: Some architectures assign CROSS_COMPILE in their arch/*/Makefile
+ ARCH ?= $(SUBARCH)
+
+-# Architecture as present in compile.h
+-UTS_MACHINE := $(ARCH)
+-SRCARCH := $(ARCH)
+-
+-# Additional ARCH settings for x86
+-ifeq ($(ARCH),i386)
+- SRCARCH := x86
+-endif
+-ifeq ($(ARCH),x86_64)
+- SRCARCH := x86
+-endif
+-
+-# Additional ARCH settings for sparc
+-ifeq ($(ARCH),sparc32)
+- SRCARCH := sparc
+-endif
+-ifeq ($(ARCH),sparc64)
+- SRCARCH := sparc
+-endif
+-
+-# Additional ARCH settings for sh
+-ifeq ($(ARCH),sh64)
+- SRCARCH := sh
+-endif
+-
+ KCONFIG_CONFIG ?= .config
+ export KCONFIG_CONFIG
+
+@@ -442,6 +417,30 @@ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+
++-include .kernelvariables
++
++# Architecture as present in compile.h
++UTS_MACHINE := $(ARCH)
++SRCARCH := $(ARCH)
++
++# Additional ARCH settings for x86
++ifeq ($(ARCH),i386)
++ SRCARCH := x86
++endif
++ifeq ($(ARCH),x86_64)
++ SRCARCH := x86
++endif
++
++# Additional ARCH settings for sparc
++ifeq ($(ARCH),sparc64)
++ SRCARCH := sparc
++endif
++
++# Additional ARCH settings for sh
++ifeq ($(ARCH),sh64)
++ SRCARCH := sh
++endif
++
+ # Use USERINCLUDE when you must reference the UAPI directories only.
+ USERINCLUDE := \
+ -I$(srctree)/arch/$(SRCARCH)/include/uapi \
diff --git a/debian/patches/debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch b/debian/patches/debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
new file mode 100644
index 000000000..037999c8d
--- /dev/null
+++ b/debian/patches/debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
@@ -0,0 +1,83 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 07 Sep 2020 03:38:04 +0100
+Subject: Makefile: Do not check for libelf when building OOT module
+
+When building out-of-tree modules, the necessary tools should have
+already been built. We therefore do not need libelf-dev to be
+installed.
+
+This effectively reverts commit 9f0c18aec620 "objtool: Fix
+CONFIG_STACK_VALIDATION=y warning for out-of-tree modules", and
+similarly moves the check introduced by commit 33a57ce0a54d "bpf:
+Compile resolve_btfids tool at kernel compilation start".
+---
+ Makefile | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1083,18 +1083,6 @@ export mod_sign_cmd
+
+ HOST_LIBELF_LIBS = $(shell pkg-config libelf --libs 2>/dev/null || echo -lelf)
+
+-has_libelf = $(call try-run,\
+- echo "int main() {}" | $(HOSTCC) $(KBUILD_HOSTLDFLAGS) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0)
+-
+-ifdef CONFIG_STACK_VALIDATION
+- ifeq ($(has_libelf),1)
+- objtool_target := tools/objtool FORCE
+- else
+- SKIP_STACK_VALIDATION := 1
+- export SKIP_STACK_VALIDATION
+- endif
+-endif
+-
+ PHONY += resolve_btfids_clean
+
+ resolve_btfids_O = $(abspath $(objtree))/tools/bpf/resolve_btfids
+@@ -1106,16 +1094,6 @@ ifneq ($(wildcard $(resolve_btfids_O)),)
+ $(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean
+ endif
+
+-ifdef CONFIG_BPF
+-ifdef CONFIG_DEBUG_INFO_BTF
+- ifeq ($(has_libelf),1)
+- resolve_btfids_target := tools/bpf/resolve_btfids FORCE
+- else
+- ERROR_RESOLVE_BTFIDS := 1
+- endif
+-endif # CONFIG_DEBUG_INFO_BTF
+-endif # CONFIG_BPF
+-
+ PHONY += prepare0
+
+ export MODORDER := $(extmod-prefix)modules.order
+@@ -1239,6 +1217,28 @@ uapi-asm-generic:
+ $(Q)$(MAKE) $(asm-generic)=arch/$(SRCARCH)/include/generated/uapi/asm \
+ generic=include/uapi/asm-generic
+
++has_libelf = $(call try-run,\
++ echo "int main() {}" | $(HOSTCC) $(KBUILD_HOSTLDFLAGS) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0)
++
++ifdef CONFIG_STACK_VALIDATION
++ ifeq ($(has_libelf),1)
++ objtool_target := tools/objtool FORCE
++ else
++ SKIP_STACK_VALIDATION := 1
++ export SKIP_STACK_VALIDATION
++ endif
++endif
++
++ifdef CONFIG_BPF
++ifdef CONFIG_DEBUG_INFO_BTF
++ ifeq ($(has_libelf),1)
++ resolve_btfids_target := tools/bpf/resolve_btfids FORCE
++ else
++ ERROR_RESOLVE_BTFIDS := 1
++ endif
++endif # CONFIG_DEBUG_INFO_BTF
++endif # CONFIG_BPF
++
+ PHONY += prepare-objtool prepare-resolve_btfids
+ prepare-objtool: $(objtool_target)
+ ifeq ($(SKIP_STACK_VALIDATION),1)
diff --git a/debian/patches/debian/mips-boston-disable-its.patch b/debian/patches/debian/mips-boston-disable-its.patch
new file mode 100644
index 000000000..be108f35e
--- /dev/null
+++ b/debian/patches/debian/mips-boston-disable-its.patch
@@ -0,0 +1,20 @@
+From: YunQiang Su <syq@debian.org>
+Date: Mon, 14 May 2018 16:16:18 +0800
+Subject: Disable uImage generation for mips generic
+Forwarded: not-needed
+
+MIPS generic trys to generate uImage when build, which then ask for
+u-boot-tools.
+
+--- a/arch/mips/generic/Platform
++++ b/arch/mips/generic/Platform
+@@ -14,9 +14,6 @@ cflags-$(CONFIG_MIPS_GENERIC) += -I$(src
+
+ load-$(CONFIG_MIPS_GENERIC) += 0xffffffff80100000
+ zload-$(CONFIG_MIPS_GENERIC) += 0xffffffff81000000
+-all-$(CONFIG_MIPS_GENERIC) := vmlinux.gz.itb
+-
+-its-y := vmlinux.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_BOSTON) += board-boston.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_NI169445) += board-ni169445.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_OCELOT) += board-ocelot.its.S
diff --git a/debian/patches/debian/mips-disable-werror.patch b/debian/patches/debian/mips-disable-werror.patch
new file mode 100644
index 000000000..b8fe8b44c
--- /dev/null
+++ b/debian/patches/debian/mips-disable-werror.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 13 Sep 2010 02:16:18 +0100
+Subject: [PATCH] Partially revert "MIPS: Add -Werror to arch/mips/Kbuild"
+Forwarded: not-needed
+
+This reverts commits 66f9ba101f54bda63ab1db97f9e9e94763d0651b and
+5373633cc9253ba82547473e899cab141c54133e.
+
+We really don't want to add -Werror anywhere.
+---
+--- a/arch/mips/Kbuild
++++ b/arch/mips/Kbuild
+@@ -1,10 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0
+-# Fail on warnings - also for files referenced in subdirs
+-# -Werror can be disabled for specific files using:
+-# CFLAGS_<file.o> := -Wno-error
+-ifeq ($(W),)
+-subdir-ccflags-y := -Werror
+-endif
+
+ # platform specific definitions
+ include arch/mips/Kbuild.platforms
diff --git a/debian/patches/debian/mips-ieee754-relaxed.patch b/debian/patches/debian/mips-ieee754-relaxed.patch
new file mode 100644
index 000000000..20dff251c
--- /dev/null
+++ b/debian/patches/debian/mips-ieee754-relaxed.patch
@@ -0,0 +1,32 @@
+From: YunQiang Su <syq@debian.org>
+Date: Mon 16 Nov 2020 09:11:00 +0800
+Subject: Use RELAXED ieee754 mode for Loongson-3 as 3A 4000 is 2008-only
+Forwarded: not-needed
+
+There are 2 mode of value of IEEE NaN hardcoded by CPU.
+Currently, our mipsel/mips64el port is in so-called lagacy mode.
+Loongson 3A 4000 is set as the so-called 2008 mode.
+
+To make Debian workable on Loongson 3A 4000, we need set the kerenl in
+RELAXED mode.
+
+https://web.archive.org/web/20180830093617/https://dmz-portal.mips.com/wiki/MIPS_ABI_-_NaN_Interlinking
+
+diff --git a/arch/mips/kernel/fpu-probe.c b/arch/mips/kernel/fpu-probe.c
+index e689d6a83..667226f94 100644
+--- a/arch/mips/kernel/fpu-probe.c
++++ b/arch/mips/kernel/fpu-probe.c
+@@ -144,7 +144,12 @@ static void cpu_set_fpu_2008(struct cpuinfo_mips *c)
+ * IEEE 754 conformance mode to use. Affects the NaN encoding and the
+ * ABS.fmt/NEG.fmt execution mode.
+ */
+-static enum { STRICT, LEGACY, STD2008, RELAXED } ieee754 = STRICT;
++enum ieee754_mode { STRICT, LEGACY, STD2008, RELAXED };
++#ifdef CONFIG_CPU_LOONGSON64
++static enum ieee754_mode ieee754 = RELAXED;
++#else
++static enum ieee754_mode ieee754 = STRICT;
++#endif
+
+ /*
+ * Set the IEEE 754 NaN encodings and the ABS.fmt/NEG.fmt execution modes
diff --git a/debian/patches/debian/ntfs-mark-it-as-broken.patch b/debian/patches/debian/ntfs-mark-it-as-broken.patch
new file mode 100644
index 000000000..207f9751e
--- /dev/null
+++ b/debian/patches/debian/ntfs-mark-it-as-broken.patch
@@ -0,0 +1,22 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 25 Apr 2019 15:31:33 +0100
+Subject: ntfs: mark it as broken
+
+NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
+CVE-2018-12931. ntfs-3g is a better supported alternative.
+
+Make sure it can't be enabled even in custom kernels.
+
+---
+Index: debian-kernel/fs/ntfs/Kconfig
+===================================================================
+--- debian-kernel.orig/fs/ntfs/Kconfig
++++ debian-kernel/fs/ntfs/Kconfig
+@@ -1,6 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ config NTFS_FS
+ tristate "NTFS file system support"
++ depends on BROKEN
+ select NLS
+ help
+ NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003.
diff --git a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
new file mode 100644
index 000000000..2cba9b70e
--- /dev/null
+++ b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
@@ -0,0 +1,58 @@
+From: Nicolas Schier <nicolas@fjasle.eu>
+Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
+Date: Mon, 19 Nov 2018 20:36:14 +0100
+
+Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
+unprivileged LXC overlay snapshots.
+
+Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
+expected to be a security risk [2] and thus are not enabled on upstream
+Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
+overlay-based LXCs, this meant to patch and compile the kernel manually.
+Instead, adding the kernel tainting 'permit_mounts_in_userns' module
+parameter allows a kind of a user-friendly way to enable the feature.
+
+Testable with:
+
+ sudo modprobe overlay permit_mounts_in_userns=1
+ sudo sysctl -w kernel.unprivileged_userns_clone=1
+ mkdir -p lower upper work mnt
+ unshare --map-root-user --mount \
+ mount -t overlay none mnt \
+ -o lowerdir=lower,upperdir=upper,workdir=work
+
+[1]: Ubuntu allows unprivileged mounting of overlay filesystem
+https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
+
+[2]: User namespaces + overlayfs = root privileges
+https://lwn.net/Articles/671641/
+
+Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
+[bwh: Forward-ported to 5.6: adjust context]
+---
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -53,6 +53,11 @@ module_param_named(xino_auto, ovl_xino_a
+ MODULE_PARM_DESC(xino_auto,
+ "Auto enable xino feature");
+
++static bool ovl_permit_mounts_in_userns;
++module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
++ bool, 0444);
++MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
++
+ static void ovl_entry_stack_free(struct ovl_entry *oe)
+ {
+ unsigned int i;
+@@ -1777,6 +1782,11 @@ static int __init ovl_init(void)
+ if (ovl_inode_cachep == NULL)
+ return -ENOMEM;
+
++ if (unlikely(ovl_permit_mounts_in_userns)) {
++ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
++ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
++ }
++
+ err = ovl_aio_request_cache_init();
+ if (!err) {
+ err = register_filesystem(&ovl_fs_type);
diff --git a/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch b/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
new file mode 100644
index 000000000..89df33ab0
--- /dev/null
+++ b/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
@@ -0,0 +1,54 @@
+From cd02fc78859ef9aefd7c92406f9523622da0b472 Mon Sep 17 00:00:00 2001
+From: Bastian Blank <waldi@debian.org>
+Date: Tue, 4 Aug 2020 09:44:37 +0000
+Subject: [PATCH 2/2] perf/traceevent: Support asciidoctor for documentation
+Forwarded: not-needed
+
+---
+ tools/lib/perf/Documentation/Makefile | 2 +-
+ tools/lib/traceevent/Documentation/Makefile | 2 +-
+ tools/perf/Documentation/Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/perf/Documentation/Makefile b/tools/lib/perf/Documentation/Makefile
+index 972754082a85..272d06173a3e 100644
+--- a/tools/lib/perf/Documentation/Makefile
++++ b/tools/lib/perf/Documentation/Makefile
+@@ -35,7 +35,7 @@ htmldir = $(docdir)/html
+ exdir = $(docdir)/examples
+
+ ASCIIDOC = asciidoc
+-ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf
++ASCIIDOC_EXTRA =
+ ASCIIDOC_HTML = xhtml11
+ MANPAGE_XSL = manpage-normal.xsl
+ XMLTO_EXTRA =
+diff --git a/tools/lib/traceevent/Documentation/Makefile b/tools/lib/traceevent/Documentation/Makefile
+index aa72ab96c3c1..f3a4ff3b8b0e 100644
+--- a/tools/lib/traceevent/Documentation/Makefile
++++ b/tools/lib/traceevent/Documentation/Makefile
+@@ -28,7 +28,7 @@ mandir?=$(prefix)/share/man
+ man3dir=$(mandir)/man3
+
+ ASCIIDOC=asciidoc
+-ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf
++ASCIIDOC_EXTRA =
+ ASCIIDOC_HTML = xhtml11
+ MANPAGE_XSL = manpage-normal.xsl
+ XMLTO_EXTRA =
+diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
+index 6e54979c2124..7bfa6ae971ab 100644
+--- a/tools/perf/Documentation/Makefile
++++ b/tools/perf/Documentation/Makefile
+@@ -48,7 +48,7 @@ man5dir=$(mandir)/man5
+ man7dir=$(mandir)/man7
+
+ ASCIIDOC=asciidoc
+-ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
++ASCIIDOC_EXTRA +=
+ ASCIIDOC_HTML = xhtml11
+ MANPAGE_XSL = manpage-normal.xsl
+ XMLTO_EXTRA =
+--
+2.28.0
+
diff --git a/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
new file mode 100644
index 000000000..3343aecac
--- /dev/null
+++ b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'rds' protocol is one such protocol that has been found to be
+vulnerable, and which was not present in the 'lenny' kernel.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/rds/af_rds.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
+index 98e0538..d8d4525 100644
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
+ " v" DRV_VERSION " (" DRV_RELDATE ")");
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS_NETPROTO(PF_RDS);
++/* MODULE_ALIAS_NETPROTO(PF_RDS); */
+--
+1.7.2.3
+
diff --git a/debian/patches/debian/sched-autogroup-disabled.patch b/debian/patches/debian/sched-autogroup-disabled.patch
new file mode 100644
index 000000000..e9988022e
--- /dev/null
+++ b/debian/patches/debian/sched-autogroup-disabled.patch
@@ -0,0 +1,19 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: sched: Do not enable autogrouping by default
+Date: Wed, 16 Mar 2011 03:17:06 +0000
+Forwarded: not-needed
+
+We want to provide the option of autogrouping but without enabling
+it by default yet.
+
+--- a/kernel/sched/autogroup.c
++++ b/kernel/sched/autogroup.c
+@@ -5,7 +5,7 @@
+ #include <linux/nospec.h>
+ #include "sched.h"
+
+-unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
++unsigned int __read_mostly sysctl_sched_autogroup_enabled = 0;
+ static struct autogroup autogroup_default;
+ static atomic_t autogroup_seq_nr;
+
diff --git a/debian/patches/debian/snd-pcsp-disable-autoload.patch b/debian/patches/debian/snd-pcsp-disable-autoload.patch
new file mode 100644
index 000000000..5871dc6ef
--- /dev/null
+++ b/debian/patches/debian/snd-pcsp-disable-autoload.patch
@@ -0,0 +1,30 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 05 Feb 2014 23:01:30 +0000
+Subject: snd-pcsp: Disable autoload
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/697709
+
+There are two drivers claiming the platform:pcspkr device:
+- pcspkr creates an input(!) device that can only beep
+- snd-pcsp creates an equivalent input device plus a PCM device that can
+ play barely recognisable renditions of sampled sound
+
+snd-pcsp is blacklisted by the alsa-base package, but not everyone
+installs that. On PCs where no sound is wanted at all, both drivers
+will still be loaded and one or other will complain that it couldn't
+claim the relevant I/O range.
+
+In case anyone finds snd-pcsp useful, we continue to build it. But
+remove the alias, to ensure it's not loaded where it's not wanted.
+
+--- a/sound/drivers/pcsp/pcsp.c
++++ b/sound/drivers/pcsp/pcsp.c
+@@ -21,7 +21,7 @@ MODULE_AUTHOR("Stas Sergeev <stsp@users.
+ MODULE_DESCRIPTION("PC-Speaker driver");
+ MODULE_LICENSE("GPL");
+ MODULE_SUPPORTED_DEVICE("{{PC-Speaker, pcsp}}");
+-MODULE_ALIAS("platform:pcspkr");
++/*MODULE_ALIAS("platform:pcspkr");*/
+
+ static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */
+ static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */
diff --git a/debian/patches/debian/tools-perf-install.patch b/debian/patches/debian/tools-perf-install.patch
new file mode 100644
index 000000000..b25bd2575
--- /dev/null
+++ b/debian/patches/debian/tools-perf-install.patch
@@ -0,0 +1,52 @@
+From: Bastian Blank <waldi@debian.org>
+Date: Fri, 07 Oct 2011 21:37:52 +0100
+Subject: Install perf scripts non-executable
+Forwarded: no
+
+[bwh: Forward-ported to 4.13]
+---
+ tools/perf/Makefile.perf | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -952,8 +952,8 @@ endif
+ ifndef NO_LIBPERL
+ $(call QUIET_INSTALL, perl-scripts) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
+- $(INSTALL) scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
+- $(INSTALL) scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \
++ $(INSTALL) -m 644 scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
++ $(INSTALL) -m 644 scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'; \
+ $(INSTALL) scripts/perl/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'
+ endif
+@@ -967,22 +967,22 @@ ifndef NO_LIBPYTHON
+ endif
+ $(call QUIET_INSTALL, perf_completion-script) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \
+- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
++ $(INSTALL) -m 644 perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
+ $(call QUIET_INSTALL, perf-tip) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \
+- $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
++ $(INSTALL) -m 644 Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
+
+ install-tests: all install-gtk
+ $(call QUIET_INSTALL, tests) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
+- $(INSTALL) tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
++ $(INSTALL) -m 644 tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
+ $(INSTALL) tests/pe-file.exe* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
+- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
++ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
+- $(INSTALL) tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
++ $(INSTALL) -m 644 tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'; \
+- $(INSTALL) tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'
++ $(INSTALL) -m 644 tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'
+
+ install-bin: install-tools install-tests install-traceevent-plugins
+
diff --git a/debian/patches/debian/tools-perf-version.patch b/debian/patches/debian/tools-perf-version.patch
new file mode 100644
index 000000000..ccc28833d
--- /dev/null
+++ b/debian/patches/debian/tools-perf-version.patch
@@ -0,0 +1,128 @@
+From: Bastian Blank <waldi@debian.org>
+Date: Mon, 26 Sep 2011 13:53:12 +0100
+Subject: Create manpages and binaries including the version
+Forwarded: no
+
+[bwh: Fix version insertion in perf man page cross-references and perf
+man page title. Install bash_completion script for perf with a
+version-dependent name. And do the same for trace.]
+---
+ tools/perf/Documentation/Makefile | 14 ++++++++------
+ tools/perf/Makefile.perf | 16 ++++++++--------
+ tools/perf/util/Build | 1 +
+ tools/perf/util/vdso.c | 4 ++--
+ 4 files changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
+index 6e54979c2124..db2cb7669da1 100644
+--- a/tools/perf/Documentation/Makefile
++++ b/tools/perf/Documentation/Makefile
+@@ -195,14 +195,16 @@ ifdef missing_tools
+ $(error "You need to install $(missing_tools) for man pages")
+ endif
+
+-do-install-man: man
++do-install-man: $(addprefix install-man-,$(_DOC_MAN1))
++
++install-man-perf.1: $(OUTPUT)perf.1
++ $(INSTALL) -d -m 755 $(DESTDIR)$(man1dir)
++ sed -e 's/"PERF"/"PERF_$(VERSION)"/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION).1
++
++install-man-perf%.1: $(OUTPUT)perf%.1
+ $(call QUIET_INSTALL, Documentation-man) \
+ $(INSTALL) -d -m 755 $(DESTDIR)$(man1dir); \
+-# $(INSTALL) -d -m 755 $(DESTDIR)$(man5dir); \
+-# $(INSTALL) -d -m 755 $(DESTDIR)$(man7dir); \
+- $(INSTALL) -m 644 $(DOC_MAN1) $(DESTDIR)$(man1dir); \
+-# $(INSTALL) -m 644 $(DOC_MAN5) $(DESTDIR)$(man5dir); \
+-# $(INSTALL) -m 644 $(DOC_MAN7) $(DESTDIR)$(man7dir)
++ sed -e 's/"PERF\\-/"PERF_$(VERSION)\\-/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION)$*.1
+
+ install-man: check-man-tools man do-install-man
+
+diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf
+index 86dbb51bb272..ed69643c3249 100644
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -888,23 +888,23 @@ endif
+ install-tools: all install-gtk
+ $(call QUIET_INSTALL, binaries) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(bindir_SQ)'; \
+- $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)'; \
+- $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf' '$(DESTDIR_SQ)$(bindir_SQ)/trace'
++ $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)'; \
++ $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)' '$(DESTDIR_SQ)$(bindir_SQ)/trace_$(VERSION)'
++ $(call QUIET_INSTALL, libexec) \
++ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
+ ifndef NO_PERF_READ_VDSO32
+ $(call QUIET_INSTALL, perf-read-vdso32) \
+- $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(bindir_SQ)';
++ $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
+ endif
+ ifndef NO_PERF_READ_VDSOX32
+ $(call QUIET_INSTALL, perf-read-vdsox32) \
+- $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(bindir_SQ)';
++ $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
+ endif
+ ifndef NO_JVMTI
+ $(call QUIET_INSTALL, $(LIBJVMTI)) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \
+ $(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)';
+ endif
+- $(call QUIET_INSTALL, libexec) \
+- $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
+ ifndef NO_LIBBPF
+ $(call QUIET_INSTALL, bpf-headers) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perf_include_instdir_SQ)/bpf'; \
+@@ -942,7 +942,7 @@ ifndef NO_LIBPYTHON
+ endif
+ $(call QUIET_INSTALL, perf_completion-script) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \
+- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf'
++ $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)'
+ $(call QUIET_INSTALL, perf-tip) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \
+ $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)'
+@@ -967,7 +967,7 @@ install-python_ext:
+
+ # 'make install-doc' should call 'make -C Documentation install'
+ $(INSTALL_DOC_TARGETS):
+- $(Q)$(MAKE) -C $(DOC_DIR) O=$(OUTPUT) $(@:-doc=) ASCIIDOC_EXTRA=$(ASCIIDOC_EXTRA)
++ $(Q)$(MAKE) -C $(DOC_DIR) O=$(OUTPUT) $(@:-doc=) ASCIIDOC_EXTRA=$(ASCIIDOC_EXTRA) VERSION=$(VERSION)
+
+ ### Cleaning rules
+
+diff --git a/tools/perf/util/Build b/tools/perf/util/Build
+index 8d18380ecd10..5dd0f6c387b3 100644
+--- a/tools/perf/util/Build
++++ b/tools/perf/util/Build
+@@ -234,6 +234,7 @@ CFLAGS_hweight.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ET
+ CFLAGS_parse-events.o += -Wno-redundant-decls
+ CFLAGS_expr.o += -Wno-redundant-decls
+ CFLAGS_header.o += -include $(OUTPUT)PERF-VERSION-FILE
++CFLAGS_vdso.o += -DPERFEXECDIR='"$(perfexec_instdir_SQ)"'
+
+ $(OUTPUT)util/kallsyms.o: ../lib/symbol/kallsyms.c FORCE
+ $(call rule_mkdir)
+diff --git a/tools/perf/util/vdso.c b/tools/perf/util/vdso.c
+index 3cc91ad048ea..e7483388bb5d 100644
+--- a/tools/perf/util/vdso.c
++++ b/tools/perf/util/vdso.c
+@@ -55,12 +55,12 @@ static struct vdso_info *vdso_info__new(void)
+ .vdso32 = {
+ .temp_file_name = VDSO__TEMP_FILE_NAME,
+ .dso_name = DSO__NAME_VDSO32,
+- .read_prog = "perf-read-vdso32",
++ .read_prog = PERFEXECDIR "/perf-read-vdso32",
+ },
+ .vdsox32 = {
+ .temp_file_name = VDSO__TEMP_FILE_NAME,
+ .dso_name = DSO__NAME_VDSOX32,
+- .read_prog = "perf-read-vdsox32",
++ .read_prog = PERFEXECDIR "/perf-read-vdsox32",
+ },
+ #endif
+ };
+--
+2.27.0
+
diff --git a/debian/patches/debian/uname-version-timestamp.patch b/debian/patches/debian/uname-version-timestamp.patch
new file mode 100644
index 000000000..5cd565c1e
--- /dev/null
+++ b/debian/patches/debian/uname-version-timestamp.patch
@@ -0,0 +1,33 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: Make mkcompile_h accept an alternate timestamp string
+Date: Tue, 12 May 2015 19:29:22 +0100
+Forwarded: not-needed
+
+We want to include the Debian version in the utsname::version string
+instead of a full timestamp string. However, we still need to provide
+a standard timestamp string for gen_initramfs_list.sh to make the
+kernel image reproducible.
+
+Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
+$KBUILD_BUILD_TIMESTAMP.
+
+--- a/scripts/mkcompile_h
++++ b/scripts/mkcompile_h
+@@ -37,10 +37,14 @@ else
+ VERSION=$KBUILD_BUILD_VERSION
+ fi
+
+-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
+- TIMESTAMP=`date`
++if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
++ if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
++ TIMESTAMP=`date`
++ else
++ TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++ fi
+ else
+- TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++ TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
+ fi
+ if test -z "$KBUILD_BUILD_USER"; then
+ LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch
new file mode 100644
index 000000000..542dc53d9
--- /dev/null
+++ b/debian/patches/debian/version.patch
@@ -0,0 +1,172 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: Include package version along with kernel release in stack traces
+Date: Tue, 24 Jul 2012 03:13:10 +0100
+Forwarded: not-needed
+
+For distribution binary packages we assume
+$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
+are set.
+---
+ Makefile | 15 ++++++++++++++-
+ arch/ia64/kernel/process.c | 5 +++--
+ arch/powerpc/kernel/process.c | 6 ++++--
+ arch/x86/um/sysrq_64.c | 6 ++++--
+ kernel/hung_task.c | 6 ++++--
+ lib/dump_stack.c | 6 ++++--
+ 6 files changed, 33 insertions(+), 11 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1195,7 +1195,7 @@ PHONY += prepare archprepare
+
+ archprepare: outputmakefile archheaders archscripts scripts include/config/kernel.release \
+ asm-generic $(version_h) $(autoksyms_h) include/generated/utsrelease.h \
+- include/generated/autoconf.h
++ include/generated/autoconf.h include/generated/package.h
+
+ prepare0: archprepare
+ $(Q)$(MAKE) $(build)=scripts/mod
+@@ -1258,6 +1258,16 @@ define filechk_version.h
+ ((c) > 255 ? 255 : (c)))'
+ endef
+
++ifneq ($(DISTRIBUTION_OFFICIAL_BUILD),)
++define filechk_package.h
++ echo \#define LINUX_PACKAGE_ID \" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\"
++endef
++else
++define filechk_package.h
++ echo \#define LINUX_PACKAGE_ID \"\"
++endef
++endif
++
+ $(version_h): PATCHLEVEL := $(if $(PATCHLEVEL), $(PATCHLEVEL), 0)
+ $(version_h): SUBLEVEL := $(if $(SUBLEVEL), $(SUBLEVEL), 0)
+ $(version_h): FORCE
+@@ -1267,6 +1277,9 @@ $(version_h): FORCE
+ include/generated/utsrelease.h: include/config/kernel.release FORCE
+ $(call filechk,utsrelease.h)
+
++include/generated/package.h: $(srctree)/Makefile FORCE
++ $(call filechk,package.h)
++
+ PHONY += headerdep
+ headerdep:
+ $(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \
+--- a/arch/ia64/kernel/process.c
++++ b/arch/ia64/kernel/process.c
+@@ -34,6 +34,7 @@
+ #include <linux/utsname.h>
+ #include <linux/tracehook.h>
+ #include <linux/rcupdate.h>
++#include <generated/package.h>
+
+ #include <asm/cpu.h>
+ #include <asm/delay.h>
+@@ -101,9 +102,9 @@ show_regs (struct pt_regs *regs)
+ print_modules();
+ printk("\n");
+ show_regs_print_info(KERN_DEFAULT);
+- printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s)\n",
++ printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s%s)\n",
+ regs->cr_ipsr, regs->cr_ifs, ip, print_tainted(),
+- init_utsname()->release);
++ init_utsname()->release, LINUX_PACKAGE_ID);
+ printk("ip is at %pS\n", (void *)ip);
+ printk("unat: %016lx pfs : %016lx rsc : %016lx\n",
+ regs->ar_unat, regs->ar_pfs, regs->ar_rsc);
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -40,6 +40,7 @@
+ #include <linux/elf-randomize.h>
+ #include <linux/pkeys.h>
+ #include <linux/seq_buf.h>
++#include <generated/package.h>
+
+ #include <asm/io.h>
+ #include <asm/processor.h>
+@@ -1474,8 +1475,9 @@ void show_regs(struct pt_regs * regs)
+
+ printk("NIP: "REG" LR: "REG" CTR: "REG"\n",
+ regs->nip, regs->link, regs->ctr);
+- printk("REGS: %px TRAP: %04lx %s (%s)\n",
+- regs, regs->trap, print_tainted(), init_utsname()->release);
++ printk("REGS: %px TRAP: %04lx %s (%s%s)\n",
++ regs, regs->trap, print_tainted(), init_utsname()->release,
++ LINUX_PACKAGE_ID);
+ printk("MSR: "REG" ", regs->msr);
+ print_msr_bits(regs->msr);
+ pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer);
+--- a/arch/x86/um/sysrq_64.c
++++ b/arch/x86/um/sysrq_64.c
+@@ -9,6 +9,7 @@
+ #include <linux/sched.h>
+ #include <linux/sched/debug.h>
+ #include <linux/utsname.h>
++#include <generated/package.h>
+ #include <asm/current.h>
+ #include <asm/ptrace.h>
+ #include <asm/sysrq.h>
+@@ -17,8 +18,9 @@ void show_regs(struct pt_regs *regs)
+ {
+ printk("\n");
+ print_modules();
+- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s\n", task_pid_nr(current),
+- current->comm, print_tainted(), init_utsname()->release);
++ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s%s\n", task_pid_nr(current),
++ current->comm, print_tainted(), init_utsname()->release,
++ LINUX_PACKAGE_ID);
+ printk(KERN_INFO "RIP: %04lx:[<%016lx>]\n", PT_REGS_CS(regs) & 0xffff,
+ PT_REGS_IP(regs));
+ printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs),
+--- a/kernel/hung_task.c
++++ b/kernel/hung_task.c
+@@ -23,6 +23,7 @@
+ #include <linux/sched/sysctl.h>
+
+ #include <trace/events/sched.h>
++#include <generated/package.h>
+
+ /*
+ * The number of tasks checked:
+@@ -128,10 +129,11 @@ static void check_hung_task(struct task_
+ sysctl_hung_task_warnings--;
+ pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n",
+ t->comm, t->pid, (jiffies - t->last_switch_time) / HZ);
+- pr_err(" %s %s %.*s\n",
++ pr_err(" %s %s %.*s%s\n",
+ print_tainted(), init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+- init_utsname()->version);
++ init_utsname()->version,
++ LINUX_PACKAGE_ID);
+ pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\""
+ " disables this message.\n");
+ sched_show_task(t);
+--- a/lib/dump_stack.c
++++ b/lib/dump_stack.c
+@@ -12,6 +12,7 @@
+ #include <linux/atomic.h>
+ #include <linux/kexec.h>
+ #include <linux/utsname.h>
++#include <generated/package.h>
+
+ static char dump_stack_arch_desc_str[128];
+
+@@ -44,13 +45,14 @@ void __init dump_stack_set_arch_desc(con
+ */
+ void dump_stack_print_info(const char *log_lvl)
+ {
+- printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s\n",
++ printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s%s\n",
+ log_lvl, raw_smp_processor_id(), current->pid, current->comm,
+ kexec_crash_loaded() ? "Kdump: loaded " : "",
+ print_tainted(),
+ init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+- init_utsname()->version);
++ init_utsname()->version,
++ LINUX_PACKAGE_ID);
+
+ if (dump_stack_arch_desc_str[0] != '\0')
+ printk("%sHardware name: %s\n",
diff --git a/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch
new file mode 100644
index 000000000..edbf8657f
--- /dev/null
+++ b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch
@@ -0,0 +1,1452 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 13 Apr 2018 20:10:28 +0100
+Subject: wireless: Add Debian wireless-regdb certificates
+Forwarded: not-needed
+
+This hex dump is generated using:
+
+{
+ for cert in debian/certs/wireless-regdb-*.pem; do
+ openssl x509 -in $cert -outform der;
+ done
+} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex
+---
+ net/wireless/certs/debian.hex | 1426 +++++++++++++++++++++++++++++++++
+ 1 file changed, 1426 insertions(+)
+ create mode 100644 net/wireless/certs/debian.hex
+
+diff --git a/net/wireless/certs/debian.hex b/net/wireless/certs/debian.hex
+new file mode 100644
+index 000000000000..c5ab03f8c500
+--- /dev/null
++++ b/net/wireless/certs/debian.hex
+@@ -0,0 +1,1426 @@
++0x30,
++0x82,
++0x02,
++0xbd,
++0x30,
++0x82,
++0x01,
++0xa5,
++0x02,
++0x14,
++0x57,
++0x7e,
++0x02,
++0x1c,
++0xb9,
++0x80,
++0xe0,
++0xe8,
++0x20,
++0x82,
++0x1b,
++0xa7,
++0xb5,
++0x4b,
++0x49,
++0x61,
++0xb8,
++0xb4,
++0xfa,
++0xdf,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x0b,
++0x05,
++0x00,
++0x30,
++0x1a,
++0x31,
++0x18,
++0x30,
++0x16,
++0x06,
++0x03,
++0x55,
++0x04,
++0x03,
++0x0c,
++0x0f,
++0x62,
++0x65,
++0x6e,
++0x68,
++0x40,
++0x64,
++0x65,
++0x62,
++0x69,
++0x61,
++0x6e,
++0x2e,
++0x6f,
++0x72,
++0x67,
++0x30,
++0x20,
++0x17,
++0x0d,
++0x32,
++0x30,
++0x30,
++0x31,
++0x33,
++0x30,
++0x31,
++0x33,
++0x32,
++0x36,
++0x31,
++0x33,
++0x5a,
++0x18,
++0x0f,
++0x32,
++0x31,
++0x32,
++0x30,
++0x30,
++0x31,
++0x30,
++0x36,
++0x31,
++0x33,
++0x32,
++0x36,
++0x31,
++0x33,
++0x5a,
++0x30,
++0x1a,
++0x31,
++0x18,
++0x30,
++0x16,
++0x06,
++0x03,
++0x55,
++0x04,
++0x03,
++0x0c,
++0x0f,
++0x62,
++0x65,
++0x6e,
++0x68,
++0x40,
++0x64,
++0x65,
++0x62,
++0x69,
++0x61,
++0x6e,
++0x2e,
++0x6f,
++0x72,
++0x67,
++0x30,
++0x82,
++0x01,
++0x22,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x01,
++0x05,
++0x00,
++0x03,
++0x82,
++0x01,
++0x0f,
++0x00,
++0x30,
++0x82,
++0x01,
++0x0a,
++0x02,
++0x82,
++0x01,
++0x01,
++0x00,
++0x9d,
++0xe1,
++0x77,
++0xa0,
++0x24,
++0xa0,
++0xd5,
++0x79,
++0x65,
++0x3a,
++0x07,
++0x90,
++0xc9,
++0xf6,
++0xa5,
++0xa6,
++0x1f,
++0x84,
++0x1c,
++0x23,
++0x07,
++0x4b,
++0x4f,
++0xa5,
++0x03,
++0xc6,
++0x0f,
++0xf7,
++0x54,
++0xd5,
++0x8b,
++0x7e,
++0x79,
++0x81,
++0x00,
++0xd2,
++0xe9,
++0x3d,
++0xf4,
++0x97,
++0xfe,
++0x84,
++0xcd,
++0x55,
++0xbd,
++0xc9,
++0x8f,
++0x21,
++0x57,
++0x88,
++0x06,
++0x39,
++0x90,
++0x66,
++0x41,
++0x26,
++0x79,
++0x2c,
++0xca,
++0x3f,
++0x95,
++0x87,
++0x01,
++0x11,
++0x2f,
++0x2f,
++0xb0,
++0xe1,
++0x0b,
++0x43,
++0xfc,
++0x5f,
++0x2f,
++0x4f,
++0x67,
++0x04,
++0xdb,
++0x4d,
++0xb7,
++0x72,
++0x4d,
++0xd1,
++0xc5,
++0x76,
++0x73,
++0x4d,
++0x91,
++0x69,
++0xb0,
++0x71,
++0x17,
++0x36,
++0xea,
++0xab,
++0x0a,
++0x3a,
++0xcd,
++0x95,
++0x9b,
++0x76,
++0x1b,
++0x8e,
++0x21,
++0x17,
++0x8f,
++0xc5,
++0x02,
++0xbf,
++0x24,
++0xc7,
++0xc0,
++0x40,
++0xb1,
++0x3b,
++0xc4,
++0x80,
++0x7c,
++0x71,
++0xa5,
++0x51,
++0xdc,
++0xf7,
++0x3a,
++0x58,
++0x7f,
++0xb1,
++0x07,
++0x81,
++0x8a,
++0x10,
++0xd1,
++0xf6,
++0x93,
++0x17,
++0x71,
++0xe0,
++0xfa,
++0x51,
++0x79,
++0x15,
++0xd4,
++0xd7,
++0x8f,
++0xad,
++0xbd,
++0x6f,
++0x38,
++0xe1,
++0x26,
++0x7d,
++0xbc,
++0xf0,
++0x3e,
++0x80,
++0x89,
++0xb4,
++0xec,
++0x8e,
++0x69,
++0x90,
++0xdb,
++0x97,
++0x8a,
++0xf0,
++0x23,
++0x23,
++0x83,
++0x82,
++0x3b,
++0x6a,
++0xb1,
++0xac,
++0xeb,
++0xe7,
++0x99,
++0x74,
++0x2a,
++0x35,
++0x8e,
++0xa9,
++0x64,
++0xfd,
++0x46,
++0x9e,
++0xe8,
++0xe5,
++0x48,
++0x61,
++0x31,
++0x6e,
++0xe6,
++0xfc,
++0x19,
++0x18,
++0x54,
++0xc3,
++0x1b,
++0x4f,
++0xd6,
++0x00,
++0x44,
++0x87,
++0x1c,
++0x37,
++0x45,
++0xea,
++0xf5,
++0xc9,
++0xcb,
++0x0f,
++0x0c,
++0x55,
++0xec,
++0xcf,
++0x6a,
++0xc2,
++0x45,
++0x26,
++0x23,
++0xa2,
++0x31,
++0x52,
++0x4d,
++0xee,
++0x21,
++0x7d,
++0xfd,
++0x58,
++0x72,
++0xc2,
++0x28,
++0xc5,
++0x8e,
++0xa9,
++0xd0,
++0xee,
++0x01,
++0x77,
++0x08,
++0xa5,
++0xf0,
++0x22,
++0x2b,
++0x47,
++0x79,
++0x2b,
++0xcf,
++0x9a,
++0x46,
++0xb5,
++0x8f,
++0xfd,
++0x64,
++0xa2,
++0xb5,
++0xed,
++0x02,
++0x03,
++0x01,
++0x00,
++0x01,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x0b,
++0x05,
++0x00,
++0x03,
++0x82,
++0x01,
++0x01,
++0x00,
++0x20,
++0x44,
++0xfe,
++0xa9,
++0x9e,
++0xdd,
++0x9b,
++0xea,
++0xce,
++0x25,
++0x75,
++0x08,
++0xf0,
++0x2b,
++0x53,
++0xf7,
++0x5a,
++0x36,
++0x1c,
++0x4a,
++0x23,
++0x7f,
++0xd0,
++0x41,
++0x3c,
++0x12,
++0x2b,
++0xb9,
++0x80,
++0x4e,
++0x8a,
++0x15,
++0x5d,
++0x1f,
++0x40,
++0xa7,
++0x26,
++0x28,
++0x32,
++0xc3,
++0x5b,
++0x06,
++0x28,
++0x2d,
++0x3d,
++0x08,
++0x09,
++0x1e,
++0x01,
++0xe9,
++0x67,
++0xe3,
++0x33,
++0xe6,
++0x15,
++0x45,
++0x39,
++0xee,
++0x17,
++0x83,
++0xdb,
++0x42,
++0xff,
++0x7f,
++0x35,
++0xf4,
++0xac,
++0x16,
++0xdb,
++0xba,
++0xb8,
++0x1a,
++0x20,
++0x21,
++0x41,
++0xff,
++0xf3,
++0x92,
++0xff,
++0x65,
++0x6e,
++0x29,
++0x16,
++0xd0,
++0xbf,
++0x8d,
++0xdf,
++0x48,
++0x2c,
++0x73,
++0x36,
++0x7f,
++0x22,
++0xe6,
++0xee,
++0x78,
++0xb4,
++0x63,
++0x83,
++0x0e,
++0x39,
++0xeb,
++0xaf,
++0x10,
++0x2a,
++0x90,
++0xd3,
++0xfc,
++0xe6,
++0xc3,
++0x8f,
++0x97,
++0x5b,
++0x76,
++0xbf,
++0x9b,
++0xf5,
++0x98,
++0xd2,
++0x53,
++0x06,
++0x8b,
++0xf8,
++0xa4,
++0x04,
++0x9b,
++0x1b,
++0x62,
++0x6a,
++0x9d,
++0xac,
++0xe6,
++0x4b,
++0x0d,
++0xc9,
++0xd7,
++0x56,
++0x63,
++0x15,
++0x01,
++0x38,
++0x8c,
++0xbe,
++0xf1,
++0x44,
++0xc4,
++0x38,
++0x27,
++0xe0,
++0xcf,
++0x72,
++0xd6,
++0x3d,
++0xe4,
++0xf7,
++0x4b,
++0x3b,
++0xd2,
++0xb1,
++0x0c,
++0xd5,
++0x83,
++0x6d,
++0x1e,
++0x10,
++0x04,
++0x69,
++0x29,
++0x88,
++0x69,
++0xe0,
++0x7d,
++0xd7,
++0xdb,
++0xb4,
++0x59,
++0x72,
++0x8d,
++0x9d,
++0x3c,
++0x43,
++0xaf,
++0xc6,
++0x7d,
++0xb7,
++0x21,
++0x15,
++0x52,
++0x8a,
++0xe9,
++0x9b,
++0x6b,
++0x2e,
++0xe8,
++0x27,
++0x3c,
++0x3f,
++0x2d,
++0x84,
++0xfb,
++0x9a,
++0x22,
++0x0a,
++0x9f,
++0x6a,
++0x25,
++0xe6,
++0x39,
++0xe4,
++0x74,
++0x73,
++0xb6,
++0x2a,
++0x70,
++0xaa,
++0x1d,
++0xcb,
++0xcc,
++0xd4,
++0xa0,
++0x1b,
++0x26,
++0x71,
++0x63,
++0x04,
++0xc5,
++0x12,
++0x21,
++0x48,
++0xba,
++0x92,
++0x27,
++0x06,
++0xa8,
++0x3e,
++0x6d,
++0xa1,
++0x43,
++0xa5,
++0xd2,
++0x2a,
++0xf7,
++0xca,
++0xc4,
++0x26,
++0xe8,
++0x5b,
++0x1f,
++0xe4,
++0xdc,
++0x89,
++0xdc,
++0x1f,
++0x04,
++0x79,
++0x3f,
++0x30,
++0x82,
++0x02,
++0xcd,
++0x30,
++0x82,
++0x01,
++0xb5,
++0x02,
++0x14,
++0x3a,
++0xbb,
++0xc6,
++0xec,
++0x14,
++0x6e,
++0x09,
++0xd1,
++0xb6,
++0x01,
++0x6a,
++0xb9,
++0xd6,
++0xcf,
++0x71,
++0xdd,
++0x23,
++0x3f,
++0x03,
++0x28,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x0b,
++0x05,
++0x00,
++0x30,
++0x22,
++0x31,
++0x20,
++0x30,
++0x1e,
++0x06,
++0x03,
++0x55,
++0x04,
++0x03,
++0x0c,
++0x17,
++0x72,
++0x6f,
++0x6d,
++0x61,
++0x69,
++0x6e,
++0x2e,
++0x70,
++0x65,
++0x72,
++0x69,
++0x65,
++0x72,
++0x40,
++0x67,
++0x6d,
++0x61,
++0x69,
++0x6c,
++0x2e,
++0x63,
++0x6f,
++0x6d,
++0x30,
++0x20,
++0x17,
++0x0d,
++0x32,
++0x30,
++0x30,
++0x32,
++0x32,
++0x34,
++0x31,
++0x39,
++0x30,
++0x31,
++0x34,
++0x34,
++0x5a,
++0x18,
++0x0f,
++0x32,
++0x31,
++0x32,
++0x30,
++0x30,
++0x31,
++0x33,
++0x31,
++0x31,
++0x39,
++0x30,
++0x31,
++0x34,
++0x34,
++0x5a,
++0x30,
++0x22,
++0x31,
++0x20,
++0x30,
++0x1e,
++0x06,
++0x03,
++0x55,
++0x04,
++0x03,
++0x0c,
++0x17,
++0x72,
++0x6f,
++0x6d,
++0x61,
++0x69,
++0x6e,
++0x2e,
++0x70,
++0x65,
++0x72,
++0x69,
++0x65,
++0x72,
++0x40,
++0x67,
++0x6d,
++0x61,
++0x69,
++0x6c,
++0x2e,
++0x63,
++0x6f,
++0x6d,
++0x30,
++0x82,
++0x01,
++0x22,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x01,
++0x05,
++0x00,
++0x03,
++0x82,
++0x01,
++0x0f,
++0x00,
++0x30,
++0x82,
++0x01,
++0x0a,
++0x02,
++0x82,
++0x01,
++0x01,
++0x00,
++0xf0,
++0xb8,
++0x4f,
++0x3f,
++0x70,
++0x78,
++0xf8,
++0x74,
++0x45,
++0xa2,
++0x28,
++0xaf,
++0x04,
++0x75,
++0x04,
++0xa3,
++0xf3,
++0xa7,
++0xc7,
++0x04,
++0xac,
++0xb6,
++0xe1,
++0xfc,
++0xe1,
++0xc0,
++0x3d,
++0xe0,
++0x26,
++0x90,
++0x8a,
++0x45,
++0x60,
++0xc4,
++0x75,
++0xf3,
++0x1a,
++0x33,
++0x37,
++0x56,
++0x7d,
++0x30,
++0x07,
++0x75,
++0x0e,
++0xa6,
++0x79,
++0x06,
++0x95,
++0x9d,
++0x17,
++0x3c,
++0x09,
++0xa9,
++0x7f,
++0xab,
++0x95,
++0x5d,
++0xed,
++0xe0,
++0x75,
++0x26,
++0x2f,
++0x65,
++0x65,
++0xcd,
++0x61,
++0xb1,
++0x33,
++0x27,
++0x67,
++0x41,
++0xa1,
++0x01,
++0x13,
++0xe9,
++0x13,
++0x6a,
++0x6d,
++0x4e,
++0x98,
++0xe1,
++0x9e,
++0x7b,
++0x0b,
++0x5b,
++0x44,
++0xef,
++0x68,
++0x5a,
++0x6f,
++0x7d,
++0x97,
++0xa1,
++0x33,
++0x22,
++0x97,
++0x12,
++0x21,
++0x09,
++0x8f,
++0x90,
++0xe0,
++0x25,
++0x94,
++0xdd,
++0x8a,
++0x3a,
++0xf7,
++0x4a,
++0x60,
++0x04,
++0x26,
++0x6d,
++0x00,
++0x82,
++0xe4,
++0xcf,
++0x64,
++0x1c,
++0x79,
++0x15,
++0x24,
++0xf2,
++0x42,
++0x86,
++0xf5,
++0x10,
++0x86,
++0xac,
++0x20,
++0x88,
++0x90,
++0x87,
++0xdf,
++0x8c,
++0x37,
++0x7c,
++0xbf,
++0x35,
++0xd5,
++0x6f,
++0x9f,
++0x77,
++0xc3,
++0xcd,
++0x69,
++0x25,
++0x06,
++0xc2,
++0x65,
++0x51,
++0x71,
++0x89,
++0x7f,
++0x6e,
++0x4d,
++0xe5,
++0xd5,
++0x8a,
++0x36,
++0x1a,
++0xad,
++0xc1,
++0x18,
++0xd6,
++0x14,
++0x42,
++0x87,
++0xf0,
++0x93,
++0x83,
++0xf1,
++0x99,
++0x74,
++0xc4,
++0x13,
++0xaa,
++0x3b,
++0x66,
++0x85,
++0x6f,
++0xe0,
++0xbc,
++0x5f,
++0xb6,
++0x40,
++0xa6,
++0x41,
++0x06,
++0x0a,
++0xba,
++0x0e,
++0xe9,
++0x32,
++0x44,
++0x10,
++0x39,
++0x53,
++0xcd,
++0xbf,
++0xf3,
++0xd3,
++0x26,
++0xf6,
++0xb6,
++0x2b,
++0x40,
++0x2e,
++0xb9,
++0x88,
++0xc1,
++0xf4,
++0xe3,
++0xa0,
++0x28,
++0x77,
++0x4f,
++0xba,
++0xa8,
++0xca,
++0x9c,
++0x05,
++0xba,
++0x88,
++0x96,
++0x99,
++0x54,
++0x89,
++0xa2,
++0x8d,
++0xf3,
++0x73,
++0xa1,
++0x8c,
++0x4a,
++0xa8,
++0x71,
++0xee,
++0x2e,
++0xd2,
++0x83,
++0x14,
++0x48,
++0xbd,
++0x98,
++0xc6,
++0xce,
++0xdc,
++0xa8,
++0xa3,
++0x97,
++0x2e,
++0x40,
++0x16,
++0x2f,
++0x02,
++0x03,
++0x01,
++0x00,
++0x01,
++0x30,
++0x0d,
++0x06,
++0x09,
++0x2a,
++0x86,
++0x48,
++0x86,
++0xf7,
++0x0d,
++0x01,
++0x01,
++0x0b,
++0x05,
++0x00,
++0x03,
++0x82,
++0x01,
++0x01,
++0x00,
++0x76,
++0x5d,
++0x03,
++0x3d,
++0xb6,
++0x96,
++0x00,
++0x1b,
++0x6e,
++0x0c,
++0xdd,
++0xbb,
++0xc8,
++0xdf,
++0xbc,
++0xeb,
++0x6c,
++0x01,
++0x40,
++0x1a,
++0x2b,
++0x07,
++0x60,
++0xa1,
++0x1a,
++0xe1,
++0x43,
++0x57,
++0xfa,
++0xbe,
++0xde,
++0xbb,
++0x8f,
++0x73,
++0xf3,
++0x92,
++0xa2,
++0xaa,
++0x83,
++0x01,
++0xc1,
++0x17,
++0xe4,
++0x9d,
++0x09,
++0x41,
++0xe0,
++0x32,
++0x33,
++0x97,
++0x4b,
++0xf2,
++0xdc,
++0x0f,
++0x8b,
++0xa8,
++0xb8,
++0x5a,
++0x04,
++0x86,
++0xf6,
++0x71,
++0xa1,
++0x97,
++0xd0,
++0x54,
++0x56,
++0x10,
++0x8e,
++0x54,
++0x99,
++0x0d,
++0x2a,
++0xa9,
++0xaf,
++0x1b,
++0x55,
++0x59,
++0x06,
++0x2b,
++0xa4,
++0x5f,
++0xb1,
++0x54,
++0xa6,
++0xec,
++0xc7,
++0xd6,
++0x43,
++0xee,
++0x86,
++0x2c,
++0x9b,
++0x18,
++0x9d,
++0x8f,
++0x00,
++0x82,
++0xc1,
++0x88,
++0x61,
++0x16,
++0x85,
++0x3c,
++0x17,
++0x56,
++0xfe,
++0x6a,
++0xa0,
++0x7a,
++0x68,
++0xc5,
++0x7b,
++0x3d,
++0x3c,
++0xb6,
++0x13,
++0x18,
++0x99,
++0x6d,
++0x74,
++0x65,
++0x13,
++0x67,
++0xb7,
++0xfc,
++0x5a,
++0x44,
++0x48,
++0x72,
++0xa0,
++0x73,
++0xb8,
++0xff,
++0x02,
++0x9d,
++0x7c,
++0x5b,
++0xf9,
++0x7c,
++0x75,
++0x0a,
++0x3c,
++0x81,
++0x80,
++0x3c,
++0x41,
++0xf2,
++0xd5,
++0xfa,
++0x3d,
++0x1f,
++0xe3,
++0xda,
++0x8c,
++0xa5,
++0x17,
++0x1f,
++0x53,
++0x1a,
++0x75,
++0xad,
++0x4e,
++0x11,
++0x1c,
++0x07,
++0xec,
++0x0a,
++0x69,
++0xfd,
++0x33,
++0xfa,
++0x32,
++0x7e,
++0x66,
++0xf5,
++0x29,
++0xe8,
++0x4d,
++0x8a,
++0xfa,
++0x0d,
++0x4b,
++0x68,
++0xc3,
++0x95,
++0x11,
++0xba,
++0x6f,
++0x1e,
++0x07,
++0x8c,
++0x85,
++0xc7,
++0xc7,
++0xc9,
++0xc1,
++0x30,
++0xa3,
++0x70,
++0xb0,
++0xa1,
++0xe0,
++0xd5,
++0x85,
++0x15,
++0x94,
++0x77,
++0xc1,
++0x1c,
++0x91,
++0xf1,
++0x5f,
++0x50,
++0xcd,
++0x2c,
++0x57,
++0x4b,
++0x22,
++0x4f,
++0xee,
++0x95,
++0xd7,
++0xa7,
++0xa4,
++0x59,
++0x62,
++0xae,
++0xb9,
++0xbf,
++0xd7,
++0x63,
++0x5a,
++0x04,
++0xfc,
++0x24,
++0x11,
++0xae,
++0x34,
++0x4b,
++0xf4,
++0x0c,
++0x9f,
++0x0b,
++0x59,
++0x7d,
++0x27,
++0x39,
++0x54,
++0x69,
++0x4f,
++0xfd,
++0x6e,
++0x44,
++0x9f,
++0x21,
+--
+2.25.1
+
diff --git a/debian/patches/debian/yama-disable-by-default.patch b/debian/patches/debian/yama-disable-by-default.patch
new file mode 100644
index 000000000..c33ac0c9d
--- /dev/null
+++ b/debian/patches/debian/yama-disable-by-default.patch
@@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: yama: Disable by default
+Date: Wed, 19 Jun 2013 04:35:28 +0100
+Bug-Debian: https://bugs.debian.org/712740
+Forwarded: not-needed
+
+---
+ security/yama/yama_lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index efac68556b45..95ff3e778a17 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -28,7 +28,7 @@
+ #define YAMA_SCOPE_CAPABILITY 2
+ #define YAMA_SCOPE_NO_ATTACH 3
+
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = YAMA_SCOPE_DISABLED;
+
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
+@@ -481,7 +481,7 @@ static inline void yama_init_sysctl(void) { }
+
+ static int __init yama_init(void)
+ {
+- pr_info("Yama: becoming mindful.\n");
++ pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+ yama_init_sysctl();
+ return 0;
diff --git a/debian/patches/features/all/aufs5/aufs5-base.patch b/debian/patches/features/all/aufs5/aufs5-base.patch
new file mode 100644
index 000000000..60f24b56b
--- /dev/null
+++ b/debian/patches/features/all/aufs5/aufs5-base.patch
@@ -0,0 +1,332 @@
+From: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Tue Apr 7 22:14:47 2020 +0900
+Subject: aufs5.6 base patch
+Origin: https://github.com/sfjro/aufs5-standalone/tree/7c07d9737e9de058981f020d66ac0d4407a80899
+Bug-Debian: https://bugs.debian.org/541828
+
+Patch headers added by debian/bin/genpatch-aufs
+
+SPDX-License-Identifier: GPL-2.0
+aufs5.6 base patch
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index b4a43a9e7fbc..32f7c8c48001 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -2984,6 +2984,19 @@ F: include/linux/audit.h
+ F: include/uapi/linux/audit.h
+ F: kernel/audit*
+
++AUFS (advanced multi layered unification filesystem) FILESYSTEM
++M: "J. R. Okajima" <hooanon05g@gmail.com>
++L: aufs-users@lists.sourceforge.net (members only)
++L: linux-unionfs@vger.kernel.org
++W: http://aufs.sourceforge.net
++T: git://github.com/sfjro/aufs4-linux.git
++S: Supported
++F: Documentation/filesystems/aufs/
++F: Documentation/ABI/testing/debugfs-aufs
++F: Documentation/ABI/testing/sysfs-aufs
++F: fs/aufs/
++F: include/uapi/linux/aufs_type.h
++
+ AUXILIARY DISPLAY DRIVERS
+ M: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com>
+ S: Maintained
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 475e1a738560..8d77e68aa52b 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -763,6 +763,24 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
+ return error;
+ }
+
++/*
++ * for AUFS
++ * no get/put for file.
++ */
++struct file *loop_backing_file(struct super_block *sb)
++{
++ struct file *ret;
++ struct loop_device *l;
++
++ ret = NULL;
++ if (MAJOR(sb->s_dev) == LOOP_MAJOR) {
++ l = sb->s_bdev->bd_disk->private_data;
++ ret = l->lo_backing_file;
++ }
++ return ret;
++}
++EXPORT_SYMBOL_GPL(loop_backing_file);
++
+ /* loop sysfs attributes */
+
+ static ssize_t loop_attr_show(struct device *dev, char *page,
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 361ea7ab30ea..3cd36474f302 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1285,7 +1285,7 @@ enum d_walk_ret {
+ *
+ * The @enter() callbacks are called with d_lock held.
+ */
+-static void d_walk(struct dentry *parent, void *data,
++void d_walk(struct dentry *parent, void *data,
+ enum d_walk_ret (*enter)(void *, struct dentry *))
+ {
+ struct dentry *this_parent;
+diff --git a/fs/fcntl.c b/fs/fcntl.c
+index 2e4c0fa2074b..0b28a37f7e50 100644
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -32,7 +32,7 @@
+
+ #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
+
+-static int setfl(int fd, struct file * filp, unsigned long arg)
++int setfl(int fd, struct file *filp, unsigned long arg)
+ {
+ struct inode * inode = file_inode(filp);
+ int error = 0;
+@@ -63,6 +63,8 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
+
+ if (filp->f_op->check_flags)
+ error = filp->f_op->check_flags(arg);
++ if (!error && filp->f_op->setfl)
++ error = filp->f_op->setfl(filp, arg);
+ if (error)
+ return error;
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 72c4c347afb7..a7ff2099c2ef 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1768,7 +1768,7 @@ EXPORT_SYMBOL(generic_update_time);
+ * This does the actual work of updating an inodes time or version. Must have
+ * had called mnt_want_write() before calling this.
+ */
+-static int update_time(struct inode *inode, struct timespec64 *time, int flags)
++int update_time(struct inode *inode, struct timespec64 *time, int flags)
+ {
+ if (inode->i_op->update_time)
+ return inode->i_op->update_time(inode, time, flags);
+diff --git a/fs/namespace.c b/fs/namespace.c
+index f30ed401cc6d..8ddebaf7ad57 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -792,6 +792,12 @@ static inline int check_mnt(struct mount *mnt)
+ return mnt->mnt_ns == current->nsproxy->mnt_ns;
+ }
+
++/* for aufs, CONFIG_AUFS_BR_FUSE */
++int is_current_mnt_ns(struct vfsmount *mnt)
++{
++ return check_mnt(real_mount(mnt));
++}
++
+ /*
+ * vfsmount lock must be held for write
+ */
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 4fb797822567..744831cd0094 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -507,6 +507,28 @@ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t
+ return ret;
+ }
+
++vfs_readf_t vfs_readf(struct file *file)
++{
++ const struct file_operations *fop = file->f_op;
++
++ if (fop->read)
++ return fop->read;
++ if (fop->read_iter)
++ return new_sync_read;
++ return ERR_PTR(-ENOSYS); /* doesn't have ->read(|_iter)() op */
++}
++
++vfs_writef_t vfs_writef(struct file *file)
++{
++ const struct file_operations *fop = file->f_op;
++
++ if (fop->write)
++ return fop->write;
++ if (fop->write_iter)
++ return new_sync_write;
++ return ERR_PTR(-ENOSYS); /* doesn't have ->write(|_iter)() op */
++}
++
+ /* caller is responsible for file_start_write/file_end_write */
+ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+ {
+diff --git a/fs/splice.c b/fs/splice.c
+index d7c8a7c4db07..f0b625e27554 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -839,8 +839,8 @@ EXPORT_SYMBOL(generic_splice_sendpage);
+ /*
+ * Attempt to initiate a splice from pipe to file.
+ */
+-static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
+- loff_t *ppos, size_t len, unsigned int flags)
++long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
++ loff_t *ppos, size_t len, unsigned int flags)
+ {
+ if (out->f_op->splice_write)
+ return out->f_op->splice_write(pipe, out, ppos, len, flags);
+@@ -850,9 +850,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
+ /*
+ * Attempt to initiate a splice from a file to a pipe.
+ */
+-static long do_splice_to(struct file *in, loff_t *ppos,
+- struct pipe_inode_info *pipe, size_t len,
+- unsigned int flags)
++long do_splice_to(struct file *in, loff_t *ppos,
++ struct pipe_inode_info *pipe, size_t len,
++ unsigned int flags)
+ {
+ int ret;
+
+diff --git a/fs/sync.c b/fs/sync.c
+index 1373a610dc78..b7b5a0a0df6f 100644
+--- a/fs/sync.c
++++ b/fs/sync.c
+@@ -28,7 +28,7 @@
+ * wait == 1 case since in that case write_inode() functions do
+ * sync_dirty_buffer() and thus effectively write one block at a time.
+ */
+-static int __sync_filesystem(struct super_block *sb, int wait)
++int __sync_filesystem(struct super_block *sb, int wait)
+ {
+ if (wait)
+ sync_inodes_sb(sb);
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index f5abba86107d..0b008da5678d 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1360,6 +1360,7 @@ extern void fasync_free(struct fasync_struct *);
+ /* can be called from interrupts */
+ extern void kill_fasync(struct fasync_struct **, int, int);
+
++extern int setfl(int fd, struct file *filp, unsigned long arg);
+ extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force);
+ extern int f_setown(struct file *filp, unsigned long arg, int force);
+ extern void f_delown(struct file *filp);
+@@ -1848,6 +1849,7 @@ struct file_operations {
+ ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);
+ unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
+ int (*check_flags)(int);
++ int (*setfl)(struct file *, unsigned long);
+ int (*flock) (struct file *, int, struct file_lock *);
+ ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
+ ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
+@@ -1918,6 +1920,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
+ struct iovec *fast_pointer,
+ struct iovec **ret_pointer);
+
++typedef ssize_t (*vfs_readf_t)(struct file *, char __user *, size_t, loff_t *);
++typedef ssize_t (*vfs_writef_t)(struct file *, const char __user *, size_t,
++ loff_t *);
++vfs_readf_t vfs_readf(struct file *file);
++vfs_writef_t vfs_writef(struct file *file);
++
+ extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *);
+ extern ssize_t vfs_write(struct file *, const char __user *, size_t, loff_t *);
+ extern ssize_t vfs_readv(struct file *, const struct iovec __user *,
+@@ -2352,6 +2360,7 @@ extern int current_umask(void);
+ extern void ihold(struct inode * inode);
+ extern void iput(struct inode *);
+ extern int generic_update_time(struct inode *, struct timespec64 *, int);
++extern int update_time(struct inode *, struct timespec64 *, int);
+
+ /* /sys/fs */
+ extern struct kobject *fs_kobj;
+@@ -2633,6 +2642,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb)
+ return false;
+ }
+ #endif
++extern int __sync_filesystem(struct super_block *, int);
+ extern int sync_filesystem(struct super_block *);
+ extern const struct file_operations def_blk_fops;
+ extern const struct file_operations def_chr_fops;
+diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
+index 8fce5c98a4b0..c1a3f172e97a 100644
+--- a/include/linux/lockdep.h
++++ b/include/linux/lockdep.h
+@@ -395,6 +395,8 @@ static inline int lockdep_match_key(struct lockdep_map *lock,
+ return lock->key == key;
+ }
+
++struct lock_class *lockdep_hlock_class(struct held_lock *hlock);
++
+ /*
+ * Acquire a lock.
+ *
+@@ -540,6 +542,7 @@ struct lockdep_map { };
+
+ #define lockdep_depth(tsk) (0)
+
++#define lockdep_is_held(lock) (1)
+ #define lockdep_is_held_type(l, r) (1)
+
+ #define lockdep_assert_held(l) do { (void)(l); } while (0)
+diff --git a/include/linux/mnt_namespace.h b/include/linux/mnt_namespace.h
+index 8f882f5881e8..6b9808f09843 100644
+--- a/include/linux/mnt_namespace.h
++++ b/include/linux/mnt_namespace.h
+@@ -7,12 +7,15 @@ struct mnt_namespace;
+ struct fs_struct;
+ struct user_namespace;
+ struct ns_common;
++struct vfsmount;
+
+ extern struct mnt_namespace *copy_mnt_ns(unsigned long, struct mnt_namespace *,
+ struct user_namespace *, struct fs_struct *);
+ extern void put_mnt_ns(struct mnt_namespace *ns);
+ extern struct ns_common *from_mnt_ns(struct mnt_namespace *);
+
++extern int is_current_mnt_ns(struct vfsmount *mnt);
++
+ extern const struct file_operations proc_mounts_operations;
+ extern const struct file_operations proc_mountinfo_operations;
+ extern const struct file_operations proc_mountstats_operations;
+diff --git a/include/linux/splice.h b/include/linux/splice.h
+index 5c47013f708e..fef6c59ed92a 100644
+--- a/include/linux/splice.h
++++ b/include/linux/splice.h
+@@ -93,4 +93,10 @@ extern void splice_shrink_spd(struct splice_pipe_desc *);
+
+ extern const struct pipe_buf_operations page_cache_pipe_buf_ops;
+ extern const struct pipe_buf_operations default_pipe_buf_ops;
++
++extern long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
++ loff_t *ppos, size_t len, unsigned int flags);
++extern long do_splice_to(struct file *in, loff_t *ppos,
++ struct pipe_inode_info *pipe, size_t len,
++ unsigned int flags);
+ #endif
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 29a8de4c50b9..6cfff5e18c84 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -169,7 +169,7 @@ static
+ struct lock_class lock_classes[MAX_LOCKDEP_KEYS];
+ static DECLARE_BITMAP(lock_classes_in_use, MAX_LOCKDEP_KEYS);
+
+-static inline struct lock_class *hlock_class(struct held_lock *hlock)
++inline struct lock_class *lockdep_hlock_class(struct held_lock *hlock)
+ {
+ unsigned int class_idx = hlock->class_idx;
+
+@@ -190,6 +190,7 @@ static inline struct lock_class *hlock_class(struct held_lock *hlock)
+ */
+ return lock_classes + class_idx;
+ }
++#define hlock_class(hlock) lockdep_hlock_class(hlock)
+
+ #ifdef CONFIG_LOCK_STAT
+ static DEFINE_PER_CPU(struct lock_class_stats[MAX_LOCKDEP_KEYS], cpu_lock_stats);
+--
+2.27.0
+
diff --git a/debian/patches/features/all/aufs5/aufs5-mmap.patch b/debian/patches/features/all/aufs5/aufs5-mmap.patch
new file mode 100644
index 000000000..4cf1e0b2b
--- /dev/null
+++ b/debian/patches/features/all/aufs5/aufs5-mmap.patch
@@ -0,0 +1,405 @@
+From: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Tue Apr 7 22:14:47 2020 +0900
+Subject: aufs5.6 mmap patch
+Origin: https://github.com/sfjro/aufs5-standalone/tree/7c07d9737e9de058981f020d66ac0d4407a80899
+Bug-Debian: https://bugs.debian.org/541828
+
+Patch headers added by debian/bin/genpatch-aufs
+
+SPDX-License-Identifier: GPL-2.0
+aufs5.6 mmap patch
+
+Index: debian-kernel/fs/proc/base.c
+===================================================================
+--- debian-kernel.orig/fs/proc/base.c
++++ debian-kernel/fs/proc/base.c
+@@ -2170,7 +2170,7 @@ static int map_files_get_link(struct den
+ rc = -ENOENT;
+ vma = find_exact_vma(mm, vm_start, vm_end);
+ if (vma && vma->vm_file) {
+- *path = vma->vm_file->f_path;
++ *path = vma_pr_or_file(vma)->f_path;
+ path_get(path);
+ rc = 0;
+ }
+Index: debian-kernel/fs/proc/nommu.c
+===================================================================
+--- debian-kernel.orig/fs/proc/nommu.c
++++ debian-kernel/fs/proc/nommu.c
+@@ -40,7 +40,10 @@ static int nommu_region_show(struct seq_
+ file = region->vm_file;
+
+ if (file) {
+- struct inode *inode = file_inode(region->vm_file);
++ struct inode *inode;
++
++ file = vmr_pr_or_file(region);
++ inode = file_inode(file);
+ dev = inode->i_sb->s_dev;
+ ino = inode->i_ino;
+ }
+Index: debian-kernel/fs/proc/task_mmu.c
+===================================================================
+--- debian-kernel.orig/fs/proc/task_mmu.c
++++ debian-kernel/fs/proc/task_mmu.c
+@@ -280,7 +280,10 @@ show_map_vma(struct seq_file *m, struct
+ const char *name = NULL;
+
+ if (file) {
+- struct inode *inode = file_inode(vma->vm_file);
++ struct inode *inode;
++
++ file = vma_pr_or_file(vma);
++ inode = file_inode(file);
+ dev = inode->i_sb->s_dev;
+ ino = inode->i_ino;
+ pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
+@@ -1793,7 +1796,7 @@ static int show_numa_map(struct seq_file
+ struct proc_maps_private *proc_priv = &numa_priv->proc_maps;
+ struct vm_area_struct *vma = v;
+ struct numa_maps *md = &numa_priv->md;
+- struct file *file = vma->vm_file;
++ struct file *file = vma_pr_or_file(vma);
+ struct mm_struct *mm = vma->vm_mm;
+ struct mempolicy *pol;
+ char buffer[64];
+Index: debian-kernel/fs/proc/task_nommu.c
+===================================================================
+--- debian-kernel.orig/fs/proc/task_nommu.c
++++ debian-kernel/fs/proc/task_nommu.c
+@@ -155,7 +155,10 @@ static int nommu_vma_show(struct seq_fil
+ file = vma->vm_file;
+
+ if (file) {
+- struct inode *inode = file_inode(vma->vm_file);
++ struct inode *inode;
++
++ file = vma_pr_or_file(vma);
++ inode = file_inode(file);
+ dev = inode->i_sb->s_dev;
+ ino = inode->i_ino;
+ pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
+Index: debian-kernel/include/linux/mm.h
+===================================================================
+--- debian-kernel.orig/include/linux/mm.h
++++ debian-kernel/include/linux/mm.h
+@@ -1684,6 +1684,28 @@ static inline void unmap_shared_mapping_
+ unmap_mapping_range(mapping, holebegin, holelen, 0);
+ }
+
++extern void vma_do_file_update_time(struct vm_area_struct *, const char[], int);
++extern struct file *vma_do_pr_or_file(struct vm_area_struct *, const char[],
++ int);
++extern void vma_do_get_file(struct vm_area_struct *, const char[], int);
++extern void vma_do_fput(struct vm_area_struct *, const char[], int);
++
++#define vma_file_update_time(vma) vma_do_file_update_time(vma, __func__, \
++ __LINE__)
++#define vma_pr_or_file(vma) vma_do_pr_or_file(vma, __func__, \
++ __LINE__)
++#define vma_get_file(vma) vma_do_get_file(vma, __func__, __LINE__)
++#define vma_fput(vma) vma_do_fput(vma, __func__, __LINE__)
++
++#ifndef CONFIG_MMU
++extern struct file *vmr_do_pr_or_file(struct vm_region *, const char[], int);
++extern void vmr_do_fput(struct vm_region *, const char[], int);
++
++#define vmr_pr_or_file(region) vmr_do_pr_or_file(region, __func__, \
++ __LINE__)
++#define vmr_fput(region) vmr_do_fput(region, __func__, __LINE__)
++#endif /* !CONFIG_MMU */
++
+ extern int access_process_vm(struct task_struct *tsk, unsigned long addr,
+ void *buf, int len, unsigned int gup_flags);
+ extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+Index: debian-kernel/include/linux/mm_types.h
+===================================================================
+--- debian-kernel.orig/include/linux/mm_types.h
++++ debian-kernel/include/linux/mm_types.h
+@@ -276,6 +276,7 @@ struct vm_region {
+ unsigned long vm_top; /* region allocated to here */
+ unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */
+ struct file *vm_file; /* the backing file or NULL */
++ struct file *vm_prfile; /* the virtual backing file or NULL */
+
+ int vm_usage; /* region usage count (access under nommu_region_sem) */
+ bool vm_icache_flushed : 1; /* true if the icache has been flushed for
+@@ -355,6 +356,7 @@ struct vm_area_struct {
+ unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE
+ units */
+ struct file * vm_file; /* File we map to (can be NULL). */
++ struct file *vm_prfile; /* shadow of vm_file */
+ void * vm_private_data; /* was vm_pte (shared mem) */
+
+ #ifdef CONFIG_SWAP
+Index: debian-kernel/kernel/fork.c
+===================================================================
+--- debian-kernel.orig/kernel/fork.c
++++ debian-kernel/kernel/fork.c
+@@ -570,7 +570,7 @@ static __latent_entropy int dup_mmap(str
+ struct inode *inode = file_inode(file);
+ struct address_space *mapping = file->f_mapping;
+
+- get_file(file);
++ vma_get_file(tmp);
+ if (tmp->vm_flags & VM_DENYWRITE)
+ atomic_dec(&inode->i_writecount);
+ i_mmap_lock_write(mapping);
+Index: debian-kernel/mm/Makefile
+===================================================================
+--- debian-kernel.orig/mm/Makefile
++++ debian-kernel/mm/Makefile
+@@ -52,7 +52,7 @@ obj-y := filemap.o mempool.o oom_kill.
+ mm_init.o percpu.o slab_common.o \
+ compaction.o vmacache.o \
+ interval_tree.o list_lru.o workingset.o \
+- debug.o gup.o $(mmu-y)
++ prfile.o debug.o gup.o $(mmu-y)
+
+ # Give 'page_alloc' its own module-parameter namespace
+ page-alloc-y := page_alloc.o
+Index: debian-kernel/mm/filemap.c
+===================================================================
+--- debian-kernel.orig/mm/filemap.c
++++ debian-kernel/mm/filemap.c
+@@ -2676,7 +2676,7 @@ vm_fault_t filemap_page_mkwrite(struct v
+ vm_fault_t ret = VM_FAULT_LOCKED;
+
+ sb_start_pagefault(inode->i_sb);
+- file_update_time(vmf->vma->vm_file);
++ vma_file_update_time(vmf->vma);
+ lock_page(page);
+ if (page->mapping != inode->i_mapping) {
+ unlock_page(page);
+Index: debian-kernel/mm/mmap.c
+===================================================================
+--- debian-kernel.orig/mm/mmap.c
++++ debian-kernel/mm/mmap.c
+@@ -179,7 +179,7 @@ static struct vm_area_struct *remove_vma
+ if (vma->vm_ops && vma->vm_ops->close)
+ vma->vm_ops->close(vma);
+ if (vma->vm_file)
+- fput(vma->vm_file);
++ vma_fput(vma);
+ mpol_put(vma_policy(vma));
+ vm_area_free(vma);
+ return next;
+@@ -910,7 +910,7 @@ again:
+ if (remove_next) {
+ if (file) {
+ uprobe_munmap(next, next->vm_start, next->vm_end);
+- fput(file);
++ vma_fput(vma);
+ }
+ if (next->anon_vma)
+ anon_vma_merge(vma, next);
+@@ -1831,8 +1831,8 @@ out:
+ return addr;
+
+ unmap_and_free_vma:
++ vma_fput(vma);
+ vma->vm_file = NULL;
+- fput(file);
+
+ /* Undo any partial mapping done by a device driver. */
+ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
+@@ -2683,7 +2683,7 @@ int __split_vma(struct mm_struct *mm, st
+ goto out_free_mpol;
+
+ if (new->vm_file)
+- get_file(new->vm_file);
++ vma_get_file(new);
+
+ if (new->vm_ops && new->vm_ops->open)
+ new->vm_ops->open(new);
+@@ -2702,7 +2702,7 @@ int __split_vma(struct mm_struct *mm, st
+ if (new->vm_ops && new->vm_ops->close)
+ new->vm_ops->close(new);
+ if (new->vm_file)
+- fput(new->vm_file);
++ vma_fput(new);
+ unlink_anon_vmas(new);
+ out_free_mpol:
+ mpol_put(vma_policy(new));
+@@ -2894,7 +2894,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ struct vm_area_struct *vma;
+ unsigned long populate = 0;
+ unsigned long ret = -EINVAL;
+- struct file *file;
++ struct file *file, *prfile;
+
+ pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n",
+ current->comm, current->pid);
+@@ -2969,10 +2969,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ }
+ }
+
+- file = get_file(vma->vm_file);
++ vma_get_file(vma);
++ file = vma->vm_file;
++ prfile = vma->vm_prfile;
+ ret = do_mmap_pgoff(vma->vm_file, start, size,
+ prot, flags, pgoff, &populate, NULL);
++ if (!IS_ERR_VALUE(ret) && file && prfile) {
++ struct vm_area_struct *new_vma;
++
++ new_vma = find_vma(mm, ret);
++ if (!new_vma->vm_prfile)
++ new_vma->vm_prfile = prfile;
++ if (new_vma != vma)
++ get_file(prfile);
++ }
++ /*
++ * two fput()s instead of vma_fput(vma),
++ * coz vma may not be available anymore.
++ */
+ fput(file);
++ if (prfile)
++ fput(prfile);
+ out:
+ mmap_write_unlock(mm);
+ if (populate)
+@@ -3263,7 +3280,7 @@ struct vm_area_struct *copy_vma(struct v
+ if (anon_vma_clone(new_vma, vma))
+ goto out_free_mempol;
+ if (new_vma->vm_file)
+- get_file(new_vma->vm_file);
++ vma_get_file(new_vma);
+ if (new_vma->vm_ops && new_vma->vm_ops->open)
+ new_vma->vm_ops->open(new_vma);
+ vma_link(mm, new_vma, prev, rb_link, rb_parent);
+Index: debian-kernel/mm/nommu.c
+===================================================================
+--- debian-kernel.orig/mm/nommu.c
++++ debian-kernel/mm/nommu.c
+@@ -540,7 +540,7 @@ static void __put_nommu_region(struct vm
+ up_write(&nommu_region_sem);
+
+ if (region->vm_file)
+- fput(region->vm_file);
++ vmr_fput(region);
+
+ /* IO memory and memory shared directly out of the pagecache
+ * from ramfs/tmpfs mustn't be released here */
+@@ -672,7 +672,7 @@ static void delete_vma(struct mm_struct
+ if (vma->vm_ops && vma->vm_ops->close)
+ vma->vm_ops->close(vma);
+ if (vma->vm_file)
+- fput(vma->vm_file);
++ vma_fput(vma);
+ put_nommu_region(vma->vm_region);
+ vm_area_free(vma);
+ }
+@@ -1195,7 +1195,7 @@ unsigned long do_mmap(struct file *file,
+ goto error_just_free;
+ }
+ }
+- fput(region->vm_file);
++ vmr_fput(region);
+ kmem_cache_free(vm_region_jar, region);
+ region = pregion;
+ result = start;
+@@ -1272,10 +1272,10 @@ error_just_free:
+ up_write(&nommu_region_sem);
+ error:
+ if (region->vm_file)
+- fput(region->vm_file);
++ vmr_fput(region);
+ kmem_cache_free(vm_region_jar, region);
+ if (vma->vm_file)
+- fput(vma->vm_file);
++ vma_fput(vma);
+ vm_area_free(vma);
+ return ret;
+
+Index: debian-kernel/mm/prfile.c
+===================================================================
+--- /dev/null
++++ debian-kernel/mm/prfile.c
+@@ -0,0 +1,86 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Mainly for aufs which mmap(2) different file and wants to print different
++ * path in /proc/PID/maps.
++ * Call these functions via macros defined in linux/mm.h.
++ *
++ * See Documentation/filesystems/aufs/design/06mmap.txt
++ *
++ * Copyright (c) 2014-2020 Junjro R. Okajima
++ * Copyright (c) 2014 Ian Campbell
++ */
++
++#include <linux/mm.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++
++/* #define PRFILE_TRACE */
++static inline void prfile_trace(struct file *f, struct file *pr,
++ const char func[], int line, const char func2[])
++{
++#ifdef PRFILE_TRACE
++ if (pr)
++ pr_info("%s:%d: %s, %pD2\n", func, line, func2, f);
++#endif
++}
++
++void vma_do_file_update_time(struct vm_area_struct *vma, const char func[],
++ int line)
++{
++ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ file_update_time(f);
++ if (f && pr)
++ file_update_time(pr);
++}
++
++struct file *vma_do_pr_or_file(struct vm_area_struct *vma, const char func[],
++ int line)
++{
++ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ return (f && pr) ? pr : f;
++}
++
++void vma_do_get_file(struct vm_area_struct *vma, const char func[], int line)
++{
++ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ get_file(f);
++ if (f && pr)
++ get_file(pr);
++}
++
++void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
++{
++ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ fput(f);
++ if (f && pr)
++ fput(pr);
++}
++
++#ifndef CONFIG_MMU
++struct file *vmr_do_pr_or_file(struct vm_region *region, const char func[],
++ int line)
++{
++ struct file *f = region->vm_file, *pr = region->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ return (f && pr) ? pr : f;
++}
++
++void vmr_do_fput(struct vm_region *region, const char func[], int line)
++{
++ struct file *f = region->vm_file, *pr = region->vm_prfile;
++
++ prfile_trace(f, pr, func, line, __func__);
++ fput(f);
++ if (f && pr)
++ fput(pr);
++}
++#endif /* !CONFIG_MMU */
diff --git a/debian/patches/features/all/aufs5/aufs5-standalone.patch b/debian/patches/features/all/aufs5/aufs5-standalone.patch
new file mode 100644
index 000000000..ffd06c8ce
--- /dev/null
+++ b/debian/patches/features/all/aufs5/aufs5-standalone.patch
@@ -0,0 +1,308 @@
+From: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Tue Apr 7 22:14:47 2020 +0900
+Subject: aufs5.6 standalone patch
+Origin: https://github.com/sfjro/aufs5-standalone/tree/7c07d9737e9de058981f020d66ac0d4407a80899
+Bug-Debian: https://bugs.debian.org/541828
+
+Patch headers added by debian/bin/genpatch-aufs
+
+SPDX-License-Identifier: GPL-2.0
+aufs5.6 standalone patch
+
+Index: debian-kernel/fs/dcache.c
+===================================================================
+--- debian-kernel.orig/fs/dcache.c
++++ debian-kernel/fs/dcache.c
+@@ -1390,6 +1390,7 @@ rename_retry:
+ seq = 1;
+ goto again;
+ }
++EXPORT_SYMBOL_GPL(d_walk);
+
+ struct check_mount {
+ struct vfsmount *mnt;
+@@ -2935,6 +2936,7 @@ void d_exchange(struct dentry *dentry1,
+
+ write_sequnlock(&rename_lock);
+ }
++EXPORT_SYMBOL_GPL(d_exchange);
+
+ /**
+ * d_ancestor - search for an ancestor
+Index: debian-kernel/fs/exec.c
+===================================================================
+--- debian-kernel.orig/fs/exec.c
++++ debian-kernel/fs/exec.c
+@@ -111,6 +111,7 @@ bool path_noexec(const struct path *path
+ return (path->mnt->mnt_flags & MNT_NOEXEC) ||
+ (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC);
+ }
++EXPORT_SYMBOL_GPL(path_noexec);
+
+ #ifdef CONFIG_USELIB
+ /*
+Index: debian-kernel/fs/fcntl.c
+===================================================================
+--- debian-kernel.orig/fs/fcntl.c
++++ debian-kernel/fs/fcntl.c
+@@ -85,6 +85,7 @@ int setfl(int fd, struct file *filp, uns
+ out:
+ return error;
+ }
++EXPORT_SYMBOL_GPL(setfl);
+
+ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+ int force)
+Index: debian-kernel/fs/file_table.c
+===================================================================
+--- debian-kernel.orig/fs/file_table.c
++++ debian-kernel/fs/file_table.c
+@@ -162,6 +162,7 @@ over:
+ }
+ return ERR_PTR(-ENFILE);
+ }
++EXPORT_SYMBOL_GPL(alloc_empty_file);
+
+ /*
+ * Variant of alloc_empty_file() that doesn't check and modify nr_files.
+@@ -376,6 +377,7 @@ void __fput_sync(struct file *file)
+ }
+
+ EXPORT_SYMBOL(fput);
++EXPORT_SYMBOL_GPL(__fput_sync);
+
+ void __init files_init(void)
+ {
+Index: debian-kernel/fs/inode.c
+===================================================================
+--- debian-kernel.orig/fs/inode.c
++++ debian-kernel/fs/inode.c
+@@ -1774,6 +1774,7 @@ int update_time(struct inode *inode, str
+ return inode->i_op->update_time(inode, time, flags);
+ return generic_update_time(inode, time, flags);
+ }
++EXPORT_SYMBOL_GPL(update_time);
+
+ /**
+ * touch_atime - update the access time
+Index: debian-kernel/fs/namespace.c
+===================================================================
+--- debian-kernel.orig/fs/namespace.c
++++ debian-kernel/fs/namespace.c
+@@ -431,6 +431,7 @@ void __mnt_drop_write(struct vfsmount *m
+ mnt_dec_writers(real_mount(mnt));
+ preempt_enable();
+ }
++EXPORT_SYMBOL_GPL(__mnt_drop_write);
+
+ /**
+ * mnt_drop_write - give up write access to a mount
+@@ -797,6 +798,7 @@ int is_current_mnt_ns(struct vfsmount *m
+ {
+ return check_mnt(real_mount(mnt));
+ }
++EXPORT_SYMBOL_GPL(is_current_mnt_ns);
+
+ /*
+ * vfsmount lock must be held for write
+@@ -1961,6 +1963,7 @@ int iterate_mounts(int (*f)(struct vfsmo
+ }
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(iterate_mounts);
+
+ static void lock_mnt_tree(struct mount *mnt)
+ {
+Index: debian-kernel/fs/notify/group.c
+===================================================================
+--- debian-kernel.orig/fs/notify/group.c
++++ debian-kernel/fs/notify/group.c
+@@ -100,6 +100,7 @@ void fsnotify_get_group(struct fsnotify_
+ {
+ refcount_inc(&group->refcnt);
+ }
++EXPORT_SYMBOL_GPL(fsnotify_get_group);
+
+ /*
+ * Drop a reference to a group. Free it if it's through.
+Index: debian-kernel/fs/open.c
+===================================================================
+--- debian-kernel.orig/fs/open.c
++++ debian-kernel/fs/open.c
+@@ -65,6 +65,7 @@ int do_truncate(struct dentry *dentry, l
+ inode_unlock(dentry->d_inode);
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(do_truncate);
+
+ long vfs_truncate(const struct path *path, loff_t length)
+ {
+Index: debian-kernel/fs/read_write.c
+===================================================================
+--- debian-kernel.orig/fs/read_write.c
++++ debian-kernel/fs/read_write.c
+@@ -488,6 +488,7 @@ ssize_t vfs_read(struct file *file, char
+ inc_syscr(current);
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(vfs_read);
+
+ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t len, loff_t *ppos)
+ {
+@@ -517,6 +518,7 @@ vfs_readf_t vfs_readf(struct file *file)
+ return new_sync_read;
+ return ERR_PTR(-ENOSYS); /* doesn't have ->read(|_iter)() op */
+ }
++EXPORT_SYMBOL_GPL(vfs_readf);
+
+ vfs_writef_t vfs_writef(struct file *file)
+ {
+@@ -528,6 +530,7 @@ vfs_writef_t vfs_writef(struct file *fil
+ return new_sync_write;
+ return ERR_PTR(-ENOSYS); /* doesn't have ->write(|_iter)() op */
+ }
++EXPORT_SYMBOL_GPL(vfs_writef);
+
+ /* caller is responsible for file_start_write/file_end_write */
+ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+@@ -608,6 +611,7 @@ ssize_t vfs_write(struct file *file, con
+ file_end_write(file);
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(vfs_write);
+
+ /* file_ppos returns &file->f_pos or NULL if file is stream */
+ static inline loff_t *file_ppos(struct file *file)
+Index: debian-kernel/fs/splice.c
+===================================================================
+--- debian-kernel.orig/fs/splice.c
++++ debian-kernel/fs/splice.c
+@@ -870,6 +870,7 @@ long do_splice_to(struct file *in, loff_
+ return in->f_op->splice_read(in, ppos, pipe, len, flags);
+ return default_file_splice_read(in, ppos, pipe, len, flags);
+ }
++EXPORT_SYMBOL_GPL(do_splice_from);
+
+ /**
+ * splice_direct_to_actor - splices data directly between two non-pipes
+@@ -1016,6 +1017,7 @@ static int direct_splice_actor(struct pi
+ return do_splice_from(pipe, file, sd->opos, sd->total_len,
+ sd->flags);
+ }
++EXPORT_SYMBOL_GPL(do_splice_to);
+
+ /**
+ * do_splice_direct - splices data directly between two files
+Index: debian-kernel/fs/sync.c
+===================================================================
+--- debian-kernel.orig/fs/sync.c
++++ debian-kernel/fs/sync.c
+@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block
+ sb->s_op->sync_fs(sb, wait);
+ return __sync_blockdev(sb->s_bdev, wait);
+ }
++EXPORT_SYMBOL_GPL(__sync_filesystem);
+
+ /*
+ * Write out and wait upon all dirty data associated with this
+Index: debian-kernel/fs/xattr.c
+===================================================================
+--- debian-kernel.orig/fs/xattr.c
++++ debian-kernel/fs/xattr.c
+@@ -296,6 +296,7 @@ vfs_getxattr_alloc(struct dentry *dentry
+ *xattr_value = value;
+ return error;
+ }
++EXPORT_SYMBOL_GPL(vfs_getxattr_alloc);
+
+ ssize_t
+ __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
+Index: debian-kernel/kernel/locking/lockdep.c
+===================================================================
+--- debian-kernel.orig/kernel/locking/lockdep.c
++++ debian-kernel/kernel/locking/lockdep.c
+@@ -190,6 +190,7 @@ inline struct lock_class *lockdep_hlock_
+ */
+ return lock_classes + class_idx;
+ }
++EXPORT_SYMBOL_GPL(lockdep_hlock_class);
+ #define hlock_class(hlock) lockdep_hlock_class(hlock)
+
+ #ifdef CONFIG_LOCK_STAT
+Index: debian-kernel/kernel/task_work.c
+===================================================================
+--- debian-kernel.orig/kernel/task_work.c
++++ debian-kernel/kernel/task_work.c
+@@ -139,3 +139,4 @@ void task_work_run(void)
+ } while (work);
+ }
+ }
++EXPORT_SYMBOL_GPL(task_work_run);
+Index: debian-kernel/security/security.c
+===================================================================
+--- debian-kernel.orig/security/security.c
++++ debian-kernel/security/security.c
+@@ -1096,6 +1096,7 @@ int security_path_rmdir(const struct pat
+ return 0;
+ return call_int_hook(path_rmdir, 0, dir, dentry);
+ }
++EXPORT_SYMBOL_GPL(security_path_rmdir);
+
+ int security_path_unlink(const struct path *dir, struct dentry *dentry)
+ {
+@@ -1112,6 +1113,7 @@ int security_path_symlink(const struct p
+ return 0;
+ return call_int_hook(path_symlink, 0, dir, dentry, old_name);
+ }
++EXPORT_SYMBOL_GPL(security_path_symlink);
+
+ int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
+ struct dentry *new_dentry)
+@@ -1120,6 +1122,7 @@ int security_path_link(struct dentry *ol
+ return 0;
+ return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry);
+ }
++EXPORT_SYMBOL_GPL(security_path_link);
+
+ int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
+ const struct path *new_dir, struct dentry *new_dentry,
+@@ -1147,6 +1150,7 @@ int security_path_truncate(const struct
+ return 0;
+ return call_int_hook(path_truncate, 0, path);
+ }
++EXPORT_SYMBOL_GPL(security_path_truncate);
+
+ int security_path_chmod(const struct path *path, umode_t mode)
+ {
+@@ -1154,6 +1158,7 @@ int security_path_chmod(const struct pat
+ return 0;
+ return call_int_hook(path_chmod, 0, path, mode);
+ }
++EXPORT_SYMBOL_GPL(security_path_chmod);
+
+ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
+ {
+@@ -1161,6 +1166,7 @@ int security_path_chown(const struct pat
+ return 0;
+ return call_int_hook(path_chown, 0, path, uid, gid);
+ }
++EXPORT_SYMBOL_GPL(security_path_chown);
+
+ int security_path_chroot(const struct path *path)
+ {
+@@ -1261,6 +1267,7 @@ int security_inode_permission(struct ino
+ return 0;
+ return call_int_hook(inode_permission, 0, inode, mask);
+ }
++EXPORT_SYMBOL_GPL(security_inode_permission);
+
+ int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
+ {
+@@ -1453,6 +1460,7 @@ int security_file_permission(struct file
+
+ return fsnotify_perm(file, mask);
+ }
++EXPORT_SYMBOL_GPL(security_file_permission);
+
+ int security_file_alloc(struct file *file)
+ {
diff --git a/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch b/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
new file mode 100644
index 000000000..5d4ec82f0
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
@@ -0,0 +1,40 @@
+From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
+Date: Tue, 13 Mar 2018 18:37:59 +0800
+Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
+Origin: https://lore.kernel.org/patchwork/patch/933173/
+
+The mok can not be trusted when the secure boot is disabled. Which
+means that the kernel embedded certificate is the only trusted key.
+
+Due to db/dbx are authenticated variables, they needs manufacturer's
+KEK for update. So db/dbx are secure when secureboot disabled.
+
+Cc: David Howells <dhowells@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
+[Rebased by Luca Boccassi]
+[bwh: Forward-ported to 5.5.9:
+ - get_cert_list() takes a pointer to status and returns the cert list
+ - Adjust filename]
+[Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in
+38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate
+routine"). Refresh in context for change in ebd9c2ae369a ("integrity: Load mokx
+variables into the blacklist keyring")]
+---
+ security/integrity/platform_certs/load_uefi.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -176,6 +176,10 @@ static int __init load_uefi_certs(void)
+ kfree(dbx);
+ }
+
++ /* the MOK can not be trusted when secure boot is disabled */
++ if (!efi_enabled(EFI_SECURE_BOOT))
++ return 0;
++
+ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
+ if (!mokx) {
+ if (status == EFI_NOT_FOUND)
diff --git a/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch b/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
new file mode 100644
index 000000000..a7ec5ccb5
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
@@ -0,0 +1,117 @@
+From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
+Date: Tue, 13 Mar 2018 18:38:02 +0800
+Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
+ kernel module
+Origin: https://lore.kernel.org/patchwork/patch/933175/
+
+This patch adds the logic for checking the kernel module's hash
+base on blacklist. The hash must be generated by sha256 and enrolled
+to dbx/mokx.
+
+For example:
+ sha256sum sample.ko
+ mokutil --mokx --import-hash $HASH_RESULT
+
+Whether the signature on ko file is stripped or not, the hash can be
+compared by kernel.
+
+Cc: David Howells <dhowells@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
+[Rebased by Luca Boccassi]
+---
+ kernel/module_signing.c | 59 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 57 insertions(+), 2 deletions(-)
+
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -12,15 +12,62 @@
+ #include <linux/string.h>
+ #include <linux/verification.h>
+ #include <crypto/public_key.h>
++#include <crypto/hash.h>
++#include <keys/system_keyring.h>
+ #include "module-internal.h"
+
++static int mod_is_hash_blacklisted(const void *mod, size_t verifylen)
++{
++ struct crypto_shash *tfm;
++ struct shash_desc *desc;
++ size_t digest_size, desc_size;
++ u8 *digest;
++ int ret = 0;
++
++ tfm = crypto_alloc_shash("sha256", 0, 0);
++ if (IS_ERR(tfm))
++ goto error_return;
++
++ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
++ digest_size = crypto_shash_digestsize(tfm);
++ digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
++ if (!digest) {
++ pr_err("digest memory buffer allocate fail\n");
++ ret = -ENOMEM;
++ goto error_digest;
++ }
++ desc = (void *)digest + digest_size;
++ desc->tfm = tfm;
++ ret = crypto_shash_init(desc);
++ if (ret < 0)
++ goto error_shash;
++
++ ret = crypto_shash_finup(desc, mod, verifylen, digest);
++ if (ret < 0)
++ goto error_shash;
++
++ pr_debug("%ld digest: %*phN\n", verifylen, (int) digest_size, digest);
++
++ ret = is_hash_blacklisted(digest, digest_size, "bin");
++ if (ret == -EKEYREJECTED)
++ pr_err("Module hash %*phN is blacklisted\n",
++ (int) digest_size, digest);
++
++error_shash:
++ kfree(digest);
++error_digest:
++ crypto_free_shash(tfm);
++error_return:
++ return ret;
++}
++
+ /*
+ * Verify the signature on a module.
+ */
+ int mod_verify_sig(const void *mod, struct load_info *info)
+ {
+ struct module_signature ms;
+- size_t sig_len, modlen = info->len;
++ size_t sig_len, modlen = info->len, wholelen;
+ int ret;
+
+ pr_devel("==>%s(,%zu)\n", __func__, modlen);
+@@ -28,6 +75,7 @@ int mod_verify_sig(const void *mod, stru
+ if (modlen <= sizeof(ms))
+ return -EBADMSG;
+
++ wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1;
+ memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
+
+ ret = mod_check_sig(&ms, modlen, "module");
+@@ -38,8 +86,15 @@ int mod_verify_sig(const void *mod, stru
+ modlen -= sig_len + sizeof(ms);
+ info->len = modlen;
+
+- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
++ pr_devel("verify_pkcs7_signature() = %d\n", ret);
++
++ /* checking hash of module is in blacklist */
++ if (!ret)
++ ret = mod_is_hash_blacklisted(mod, wholelen);
++
++ return ret;
+ }
diff --git a/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
new file mode 100644
index 000000000..530885944
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
@@ -0,0 +1,113 @@
+From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
+Date: Tue, 13 Mar 2018 18:38:03 +0800
+Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok
+Origin: https://lore.kernel.org/patchwork/patch/933176/
+
+That's better for checking the attributes of db and mok variables
+before loading certificates to kernel keyring.
+
+For db and dbx, both of them are authenticated variables. Which
+means that they can only be modified by manufacturer's key. So
+the kernel should checks EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+attribute before we trust it.
+
+For mok-rt and mokx-rt, both of them are created by shim boot loader
+to forward the mok/mokx content to runtime. They must be runtime-volatile
+variables. So kernel should checks that the attributes map did not set
+EFI_VARIABLE_NON_VOLATILE bit before we trust it.
+
+Cc: David Howells <dhowells@redhat.com>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
+[Rebased by Luca Boccassi]
+[bwh: Forward-ported to 5.5.9:
+ - get_cert_list() takes a pointer to status and returns the cert list
+ - Adjust filename, context]
+[bwh: Forward-ported to 5.10: MokListRT and MokListXRT are now both
+ loaded through a single code path.]
+---
+ security/integrity/platform_certs/load_uefi.c | 27 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -35,11 +35,13 @@ static __init bool uefi_check_ignore_db(
+ * Get a certificate list blob from the named EFI variable.
+ */
+ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+- unsigned long *size, efi_status_t *status)
++ unsigned long *size, efi_status_t *status,
++ u32 pos_attr, u32 neg_attr)
+ {
+ unsigned long lsize = 4;
+ unsigned long tmpdb[4];
+ void *db;
++ u32 attr = 0;
+
+ *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+ if (*status == EFI_NOT_FOUND)
+@@ -54,13 +56,22 @@ static __init void *get_cert_list(efi_ch
+ if (!db)
+ return NULL;
+
+- *status = efi.get_variable(name, guid, NULL, &lsize, db);
++ *status = efi.get_variable(name, guid, &attr, &lsize, db);
+ if (*status != EFI_SUCCESS) {
+ kfree(db);
+ pr_err("Error reading db var: 0x%lx\n", *status);
+ return NULL;
+ }
+
++ /* must have positive attributes and no negative attributes */
++ if ((pos_attr && !(attr & pos_attr)) ||
++ (neg_attr && (attr & neg_attr))) {
++ kfree(db);
++ pr_err("Error reading db var attributes: 0x%016x\n", attr);
++ *status = EFI_SECURITY_VIOLATION;
++ return NULL;
++ }
++
+ *size = lsize;
+ return db;
+ }
+@@ -106,7 +117,8 @@ static int __init load_moklist_certs(voi
+ /* Get MokListRT. It might not exist, so it isn't an error
+ * if we can't get it.
+ */
+- mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
++ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status,
++ 0, EFI_VARIABLE_NON_VOLATILE);
+ if (mok) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+@@ -145,7 +157,8 @@ static int __init load_uefi_certs(void)
+ * if we can't get them.
+ */
+ if (!uefi_check_ignore_db()) {
+- db = get_cert_list(L"db", &secure_var, &dbsize, &status);
++ db = get_cert_list(L"db", &secure_var, &dbsize, &status,
++ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0);
+ if (!db) {
+ if (status == EFI_NOT_FOUND)
+ pr_debug("MODSIGN: db variable wasn't found\n");
+@@ -161,7 +174,8 @@ static int __init load_uefi_certs(void)
+ }
+ }
+
+- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
++ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status,
++ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0);
+ if (!dbx) {
+ if (status == EFI_NOT_FOUND)
+ pr_debug("dbx variable wasn't found\n");
+@@ -180,7 +194,8 @@ static int __init load_uefi_certs(void)
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+- mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
++ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status,
++ 0, EFI_VARIABLE_NON_VOLATILE);
+ if (!mokx) {
+ if (status == EFI_NOT_FOUND)
+ pr_debug("mokx variable wasn't found\n");
diff --git a/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
new file mode 100644
index 000000000..f00bf3d24
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
@@ -0,0 +1,37 @@
+From: Robert Holmes <robeholmes@gmail.com>
+Date: Tue, 23 Apr 2019 07:39:29 +0000
+Subject: [PATCH] KEYS: Make use of platform keyring for module signature
+ verify
+Bug-Debian: https://bugs.debian.org/935945
+Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+
+This patch completes commit 278311e417be ("kexec, KEYS: Make use of
+platform keyring for signature verify") which, while adding the
+platform keyring for bzImage verification, neglected to also add
+this keyring for module verification.
+
+As such, kernel modules signed with keys from the MokList variable
+were not successfully verified.
+
+Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ kernel/module_signing.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -135,6 +135,13 @@ int mod_verify_sig(const void *mod, stru
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ pr_devel("verify_pkcs7_signature() = %d\n", ret);
++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ pr_devel("verify_pkcs7_signature() = %d\n", ret);
++ }
+
+ /* checking hash of module is in blacklist */
+ if (!ret)
diff --git a/debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch b/debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
new file mode 100644
index 000000000..2ae3ddde4
--- /dev/null
+++ b/debian/patches/features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 05 May 2019 13:45:06 +0100
+Subject: MODSIGN: Make shash allocation failure fatal
+
+mod_is_hash_blacklisted() currently returns 0 (suceess) if
+crypto_alloc_shash() fails. This should instead be a fatal error,
+so unwrap and pass up the error code.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -51,11 +51,13 @@ static int mod_is_hash_blacklisted(const
+ struct shash_desc *desc;
+ size_t digest_size, desc_size;
+ u8 *digest;
+- int ret = 0;
++ int ret;
+
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+- if (IS_ERR(tfm))
++ if (IS_ERR(tfm)) {
++ ret = PTR_ERR(tfm);
+ goto error_return;
++ }
+
+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+ digest_size = crypto_shash_digestsize(tfm);
diff --git a/debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch b/debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
new file mode 100644
index 000000000..a24ba17ef
--- /dev/null
+++ b/debian/patches/features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
@@ -0,0 +1,149 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 24 Aug 2009 23:19:58 +0100
+Subject: af9005: Use request_firmware() to load register init script
+Forwarded: no
+
+Read the register init script from the Windows driver. This is sick
+but should avoid the potential copyright infringement in distributing
+a version of the script which is directly derived from the driver.
+---
+ drivers/media/dvb/dvb-usb/Kconfig | 2 +-
+ drivers/media/dvb/dvb-usb/af9005-fe.c | 66 ++++++++++++++++++++++++++------
+ 2 files changed, 54 insertions(+), 14 deletions(-)
+
+Index: debian-kernel/drivers/media/usb/dvb-usb/Kconfig
+===================================================================
+--- debian-kernel.orig/drivers/media/usb/dvb-usb/Kconfig
++++ debian-kernel/drivers/media/usb/dvb-usb/Kconfig
+@@ -260,10 +260,10 @@ config DVB_USB_OPERA1
+
+ config DVB_USB_AF9005
+ tristate "Afatech AF9005 DVB-T USB1.1 support"
+- depends on BROKEN
+ depends on DVB_USB
+ select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
+ select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT
++ select FW_LOADER
+ help
+ Say Y here to support the Afatech AF9005 based DVB-T USB1.1 receiver
+ and the TerraTec Cinergy T USB XE (Rev.1)
+Index: debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
+===================================================================
+--- debian-kernel.orig/drivers/media/usb/dvb-usb/af9005-fe.c
++++ debian-kernel/drivers/media/usb/dvb-usb/af9005-fe.c
+@@ -9,10 +9,26 @@
+ * see Documentation/driver-api/media/drivers/dvb-usb.rst for more information
+ */
+ #include "af9005.h"
+-#include "af9005-script.h"
+ #include "mt2060.h"
+ #include "qt1010.h"
+ #include <asm/div64.h>
++#include <linux/firmware.h>
++
++/* Register initialisation script to be extracted from the Windows driver */
++
++typedef struct {
++ __le16 reg;
++ u8 pos;
++ u8 len;
++ u8 val;
++ u8 pad;
++} __packed RegDesc;
++
++#define WIN_DRV_NAME "AF05BDA.sys"
++#define WIN_DRV_VERSION "6.3.2.1"
++#define WIN_DRV_SIZE 133504
++#define WIN_DRV_SCRIPT_OFFSET 88316
++#define WIN_DRV_SCRIPT_SIZE 1110
+
+ struct af9005_fe_state {
+ struct dvb_usb_device *d;
+@@ -804,6 +820,8 @@ static int af9005_fe_init(struct dvb_fro
+ {
+ struct af9005_fe_state *state = fe->demodulator_priv;
+ struct dvb_usb_adapter *adap = fe->dvb->priv;
++ const struct firmware *fw;
++ const RegDesc *script;
+ int ret, i, scriptlen;
+ u8 temp, temp0 = 0, temp1 = 0, temp2 = 0;
+ u8 buf[2];
+@@ -956,37 +974,55 @@ static int af9005_fe_init(struct dvb_fro
+ if ((ret = af9005_write_ofdm_register(state->d, 0xaefb, 0x01)))
+ return ret;
+
+- /* load init script */
+- deb_info("load init script\n");
+- scriptlen = sizeof(script) / sizeof(RegDesc);
++ /* load and validate init script */
++ deb_info("load init script from Windows driver\n");
++ ret = request_firmware(&fw, WIN_DRV_NAME, &state->d->udev->dev);
++ if (ret)
++ return ret;
++ BUILD_BUG_ON(sizeof(RegDesc) != 6);
++ if (fw->size != WIN_DRV_SIZE ||
++ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET,
++ "\x80\xa1\x00\x08\x0a\x00", 6) ||
++ memcmp(fw->data + WIN_DRV_SCRIPT_OFFSET + WIN_DRV_SCRIPT_SIZE - 6,
++ "\x49\xa3\x00\x06\x02\x00", 6)) {
++ err("%s is invalid - should be version %s, size %u bytes\n",
++ WIN_DRV_NAME, WIN_DRV_VERSION, WIN_DRV_SIZE);
++ ret = -EINVAL;
++ goto fail_release;
++ }
++
++ script = (const RegDesc *)(fw->data + WIN_DRV_SCRIPT_OFFSET);
++ scriptlen = WIN_DRV_SCRIPT_SIZE / sizeof(RegDesc);
+ for (i = 0; i < scriptlen; i++) {
++ u16 reg = le16_to_cpu(script[i].reg);
+ if ((ret =
+- af9005_write_register_bits(state->d, script[i].reg,
++ af9005_write_register_bits(state->d, reg,
+ script[i].pos,
+ script[i].len, script[i].val)))
+- return ret;
++ goto fail_release;
+ /* save 3 bytes of original fcw */
+- if (script[i].reg == 0xae18)
++ if (reg == 0xae18)
+ temp2 = script[i].val;
+- if (script[i].reg == 0xae19)
++ if (reg == 0xae19)
+ temp1 = script[i].val;
+- if (script[i].reg == 0xae1a)
++ if (reg == 0xae1a)
+ temp0 = script[i].val;
+
+ /* save original unplug threshold */
+- if (script[i].reg == xd_p_reg_unplug_th)
++ if (reg == xd_p_reg_unplug_th)
+ state->original_if_unplug_th = script[i].val;
+- if (script[i].reg == xd_p_reg_unplug_rf_gain_th)
++ if (reg == xd_p_reg_unplug_rf_gain_th)
+ state->original_rf_unplug_th = script[i].val;
+- if (script[i].reg == xd_p_reg_unplug_dtop_if_gain_th)
++ if (reg == xd_p_reg_unplug_dtop_if_gain_th)
+ state->original_dtop_if_unplug_th = script[i].val;
+- if (script[i].reg == xd_p_reg_unplug_dtop_rf_gain_th)
++ if (reg == xd_p_reg_unplug_dtop_rf_gain_th)
+ state->original_dtop_rf_unplug_th = script[i].val;
+
+ }
+ state->original_fcw =
+ ((u32) temp2 << 16) + ((u32) temp1 << 8) + (u32) temp0;
+
++ release_firmware(fw);
+
+ /* save original TOPs */
+ deb_info("save original TOPs\n");
+@@ -1066,6 +1102,10 @@ static int af9005_fe_init(struct dvb_fro
+
+ deb_info("profit!\n");
+ return 0;
++
++fail_release:
++ release_firmware(fw);
++ return ret;
+ }
+
+ static int af9005_fe_sleep(struct dvb_frontend *fe)
diff --git a/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
new file mode 100644
index 000000000..7f9ee1cf9
--- /dev/null
+++ b/debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
@@ -0,0 +1,153 @@
+From: Linn Crosetto <linn@hpe.com>
+Date: Tue, 30 Aug 2016 11:54:38 -0600
+Subject: arm64: add kernel config option to lock down when in Secure Boot mode
+Bug-Debian: https://bugs.debian.org/831827
+Forwarded: no
+
+Add a kernel configuration option to lock down the kernel, to restrict
+userspace's ability to modify the running kernel when UEFI Secure Boot is
+enabled. Based on the x86 patch by Matthew Garrett.
+
+Determine the state of Secure Boot in the EFI stub and pass this to the
+kernel using the FDT.
+
+Signed-off-by: Linn Crosetto <linn@hpe.com>
+[bwh: Forward-ported to 4.10: adjust context]
+[Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+ efi_set_secure_boot() in main kernel
+ - Use lockdown API and naming]
+[bwh: Forward-ported to 4.19.3: adjust context in update_fdt()]
+[dannf: Moved init_lockdown() call after uefi_init(), fixing SB detection]
+[bwh: Drop call to init_lockdown(), as efi_set_secure_boot() now calls this]
+[bwh: Forward-ported to 5.6: efi_get_secureboot() no longer takes a
+ sys_table parameter]
+[bwh: Forward-ported to 5.7: EFI initialisation from FDT was rewritten, so:
+ - Add Secure Boot mode to the parameter enumeration in fdtparams.c
+ - Add a parameter to efi_get_fdt_params() to return the Secure Boot mode
+ - Since Xen does not have a property name defined for Secure Boot mode,
+ change efi_get_fdt_prop() to handle a missing property name by clearing
+ the output variable]
+[Salvatore Bonaccorso: Forward-ported to 5.10: f30f242fb131 ("efi: Rename
+arm-init to efi-init common for all arch") renamed arm-init.c to efi-init.c]
+---
+ drivers/firmware/efi/efi-init.c | 5 ++++-
+ drivers/firmware/efi/fdtparams.c | 12 +++++++++++-
+ drivers/firmware/efi/libstub/fdt.c | 6 ++++++
+ include/linux/efi.h | 3 ++-
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/efi/efi-init.c
++++ b/drivers/firmware/efi/efi-init.c
+@@ -210,9 +210,10 @@ void __init efi_init(void)
+ {
+ struct efi_memory_map_data data;
+ u64 efi_system_table;
++ u32 secure_boot;
+
+ /* Grab UEFI information placed in FDT by stub */
+- efi_system_table = efi_get_fdt_params(&data);
++ efi_system_table = efi_get_fdt_params(&data, &secure_boot);
+ if (!efi_system_table)
+ return;
+
+@@ -234,6 +235,8 @@ void __init efi_init(void)
+ return;
+ }
+
++ efi_set_secure_boot(secure_boot);
++
+ reserve_regions();
+ efi_esrt_init();
+ efi_mokvar_table_init();
+--- a/drivers/firmware/efi/fdtparams.c
++++ b/drivers/firmware/efi/fdtparams.c
+@@ -16,6 +16,7 @@ enum {
+ MMSIZE,
+ DCSIZE,
+ DCVERS,
++ SBMODE,
+
+ PARAMCOUNT
+ };
+@@ -26,6 +27,7 @@ static __initconst const char name[][22]
+ [MMSIZE] = "MemMap Size ",
+ [DCSIZE] = "MemMap Desc. Size ",
+ [DCVERS] = "MemMap Desc. Version ",
++ [SBMODE] = "Secure Boot Enabled ",
+ };
+
+ static __initconst const struct {
+@@ -41,6 +43,7 @@ static __initconst const struct {
+ [MMSIZE] = "xen,uefi-mmap-size",
+ [DCSIZE] = "xen,uefi-mmap-desc-size",
+ [DCVERS] = "xen,uefi-mmap-desc-ver",
++ [SBMODE] = "",
+ }
+ }, {
+ #endif
+@@ -51,6 +54,7 @@ static __initconst const struct {
+ [MMSIZE] = "linux,uefi-mmap-size",
+ [DCSIZE] = "linux,uefi-mmap-desc-size",
+ [DCVERS] = "linux,uefi-mmap-desc-ver",
++ [SBMODE] = "linux,uefi-secure-boot",
+ }
+ }
+ };
+@@ -62,6 +66,11 @@ static int __init efi_get_fdt_prop(const
+ int len;
+ u64 val;
+
++ if (!pname[0]) {
++ memset(var, 0, size);
++ return 0;
++ }
++
+ prop = fdt_getprop(fdt, node, pname, &len);
+ if (!prop)
+ return 1;
+@@ -79,7 +88,7 @@ static int __init efi_get_fdt_prop(const
+ return 0;
+ }
+
+-u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
++u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm, u32 *secure_boot)
+ {
+ const void *fdt = initial_boot_params;
+ unsigned long systab;
+@@ -93,6 +102,7 @@ u64 __init efi_get_fdt_params(struct efi
+ [MMSIZE] = { &mm->size, sizeof(mm->size) },
+ [DCSIZE] = { &mm->desc_size, sizeof(mm->desc_size) },
+ [DCVERS] = { &mm->desc_version, sizeof(mm->desc_version) },
++ [SBMODE] = { secure_boot, sizeof(*secure_boot) },
+ };
+
+ BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
+--- a/drivers/firmware/efi/libstub/fdt.c
++++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -148,6 +148,12 @@ static efi_status_t update_fdt(void *ori
+ }
+ }
+
++ fdt_val32 = cpu_to_fdt32(efi_get_secureboot());
++ status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
++ &fdt_val32, sizeof(fdt_val32));
++ if (status)
++ goto fdt_set_fail;
++
+ /* Shrink the FDT back to its minimum size: */
+ fdt_pack(fdt);
+
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -665,7 +665,8 @@ extern void efi_mem_reserve(phys_addr_t
+ extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
+ extern void efi_initialize_iomem_resources(struct resource *code_resource,
+ struct resource *data_resource, struct resource *bss_resource);
+-extern u64 efi_get_fdt_params(struct efi_memory_map_data *data);
++extern u64 efi_get_fdt_params(struct efi_memory_map_data *data,
++ u32 *secure_boot);
+ extern struct kobject *efi_kobj;
+
+ extern int efi_reboot_quirk_mode;
diff --git a/debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch b/debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
new file mode 100644
index 000000000..431281249
--- /dev/null
+++ b/debian/patches/features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
@@ -0,0 +1,152 @@
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 18 Feb 2019 12:45:03 +0000
+Subject: [28/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a5d70c55c603233c192b375f72116a395909da28
+
+UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
+flag that can be passed to efi_enabled() to find out whether secure boot is
+enabled.
+
+Move the switch-statement in x86's setup_arch() that inteprets the
+secure_boot boot parameter to generic code and set the bit there.
+
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+cc: linux-efi@vger.kernel.org
+[rperier: Forward-ported to 5.5:
+ - Use pr_warn()
+ - Adjust context]
+[bwh: Forward-ported to 5.6: adjust context]
+[bwh: Forward-ported to 5.7:
+ - Use the next available bit in efi.flags
+ - Adjust context]
+---
+ arch/x86/kernel/setup.c | 14 +----------
+ drivers/firmware/efi/Makefile | 1 +
+ drivers/firmware/efi/secureboot.c | 39 +++++++++++++++++++++++++++++++
+ include/linux/efi.h | 16 ++++++++-----
+ 4 files changed, 51 insertions(+), 19 deletions(-)
+ create mode 100644 drivers/firmware/efi/secureboot.c
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1124,19 +1124,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- if (efi_enabled(EFI_BOOT)) {
+- switch (boot_params.secure_boot) {
+- case efi_secureboot_mode_disabled:
+- pr_info("Secure boot disabled\n");
+- break;
+- case efi_secureboot_mode_enabled:
+- pr_info("Secure boot enabled\n");
+- break;
+- default:
+- pr_info("Secure boot could not be determined\n");
+- break;
+- }
+- }
++ efi_set_secure_boot(boot_params.secure_boot);
+
+ reserve_initrd();
+
+--- a/drivers/firmware/efi/Makefile
++++ b/drivers/firmware/efi/Makefile
+@@ -25,6 +25,7 @@ obj-$(CONFIG_EFI_FAKE_MEMMAP) += fake_m
+ obj-$(CONFIG_EFI_BOOTLOADER_CONTROL) += efibc.o
+ obj-$(CONFIG_EFI_TEST) += test/
+ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o
++obj-$(CONFIG_EFI) += secureboot.o
+ obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o
+ obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o
+ obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o
+--- /dev/null
++++ b/drivers/firmware/efi/secureboot.c
+@@ -0,0 +1,39 @@
++
++/* Core kernel secure boot support.
++ *
++ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
++
++#include <linux/efi.h>
++#include <linux/kernel.h>
++#include <linux/printk.h>
++
++/*
++ * Decide what to do when UEFI secure boot mode is enabled.
++ */
++void __init efi_set_secure_boot(enum efi_secureboot_mode mode)
++{
++ if (efi_enabled(EFI_BOOT)) {
++ switch (mode) {
++ case efi_secureboot_mode_disabled:
++ pr_info("Secure boot disabled\n");
++ break;
++ case efi_secureboot_mode_enabled:
++ set_bit(EFI_SECURE_BOOT, &efi.flags);
++ pr_info("Secure boot enabled\n");
++ break;
++ default:
++ pr_warn("Secure boot could not be determined (mode %u)\n",
++ mode);
++ break;
++ }
++ }
++}
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -776,6 +776,14 @@ extern int __init efi_setup_pcdp_console
+ #define EFI_MEM_ATTR 10 /* Did firmware publish an EFI_MEMORY_ATTRIBUTES table? */
+ #define EFI_MEM_NO_SOFT_RESERVE 11 /* Is the kernel configured to ignore soft reservations? */
+ #define EFI_PRESERVE_BS_REGIONS 12 /* Are EFI boot-services memory segments available? */
++#define EFI_SECURE_BOOT 13 /* Are we in Secure Boot mode? */
++
++enum efi_secureboot_mode {
++ efi_secureboot_mode_unset,
++ efi_secureboot_mode_unknown,
++ efi_secureboot_mode_disabled,
++ efi_secureboot_mode_enabled,
++};
+
+ #ifdef CONFIG_EFI
+ /*
+@@ -799,6 +807,7 @@ static inline bool efi_rt_services_suppo
+ {
+ return (efi.runtime_supported_mask & mask) == mask;
+ }
++extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
+ #else
+ static inline bool efi_enabled(int feature)
+ {
+@@ -822,6 +831,7 @@ static inline bool efi_rt_services_suppo
+ {
+ return false;
+ }
++static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
+@@ -1083,12 +1093,6 @@ static inline bool efi_runtime_disabled(
+ extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
+ extern unsigned long efi_call_virt_save_flags(void);
+
+-enum efi_secureboot_mode {
+- efi_secureboot_mode_unset,
+- efi_secureboot_mode_unknown,
+- efi_secureboot_mode_disabled,
+- efi_secureboot_mode_enabled,
+-};
+ enum efi_secureboot_mode efi_get_secureboot(void);
+
+ #ifdef CONFIG_RESET_ATTACK_MITIGATION
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
new file mode 100644
index 000000000..627e37154
--- /dev/null
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -0,0 +1,127 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 10 Sep 2019 11:54:28 +0100
+Subject: efi: Lock down the kernel if booted in secure boot mode
+
+Based on an earlier patch by David Howells, who wrote the following
+description:
+
+> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
+> only load signed bootloaders and kernels. Certain use cases may also
+> require that all kernel modules also be signed. Add a configuration option
+> that to lock down the kernel - which includes requiring validly signed
+> modules - if the kernel is secure-booted.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kernel/setup.c | 4 ++--
+ drivers/firmware/efi/secureboot.c | 3 +++
+ include/linux/security.h | 6 ++++++
+ security/lockdown/Kconfig | 15 +++++++++++++++
+ security/lockdown/lockdown.c | 2 +-
+ 5 files changed, 27 insertions(+), 3 deletions(-)
+
+Index: debian-kernel/arch/x86/kernel/setup.c
+===================================================================
+--- debian-kernel.orig/arch/x86/kernel/setup.c
++++ debian-kernel/arch/x86/kernel/setup.c
+@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p)
+ if (efi_enabled(EFI_BOOT))
+ efi_init();
+
++ efi_set_secure_boot(boot_params.secure_boot);
++
+ dmi_setup();
+
+ /*
+@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p)
+ /* Allocate bigger log buffer */
+ setup_log_buf(1);
+
+- efi_set_secure_boot(boot_params.secure_boot);
+-
+ reserve_initrd();
+
+ acpi_table_upgrade();
+Index: debian-kernel/drivers/firmware/efi/secureboot.c
+===================================================================
+--- debian-kernel.orig/drivers/firmware/efi/secureboot.c
++++ debian-kernel/drivers/firmware/efi/secureboot.c
+@@ -15,6 +15,7 @@
+ #include <linux/efi.h>
+ #include <linux/kernel.h>
+ #include <linux/printk.h>
++#include <linux/security.h>
+
+ /*
+ * Decide what to do when UEFI secure boot mode is enabled.
+@@ -28,6 +29,10 @@ void __init efi_set_secure_boot(enum efi
+ break;
+ case efi_secureboot_mode_enabled:
+ set_bit(EFI_SECURE_BOOT, &efi.flags);
++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
++ lock_kernel_down("EFI Secure Boot",
++ LOCKDOWN_INTEGRITY_MAX);
++#endif
+ pr_info("Secure boot enabled\n");
+ break;
+ default:
+Index: debian-kernel/include/linux/security.h
+===================================================================
+--- debian-kernel.orig/include/linux/security.h
++++ debian-kernel/include/linux/security.h
+@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct i
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+ int security_locked_down(enum lockdown_reason what);
++int lock_kernel_down(const char *where, enum lockdown_reason level);
+ #else /* CONFIG_SECURITY */
+
+ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
+@@ -1291,6 +1292,11 @@ static inline int security_locked_down(e
+ {
+ return 0;
+ }
++static inline int
++lock_kernel_down(const char *where, enum lockdown_reason level)
++{
++ return -EOPNOTSUPP;
++}
+ #endif /* CONFIG_SECURITY */
+
+ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+Index: debian-kernel/security/lockdown/Kconfig
+===================================================================
+--- debian-kernel.orig/security/lockdown/Kconfig
++++ debian-kernel/security/lockdown/Kconfig
+@@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
+ disabled.
+
+ endchoice
++
++config LOCK_DOWN_IN_EFI_SECURE_BOOT
++ bool "Lock down the kernel in EFI Secure Boot mode"
++ default n
++ depends on SECURITY_LOCKDOWN_LSM
++ depends on EFI
++ select SECURITY_LOCKDOWN_LSM_EARLY
++ help
++ UEFI Secure Boot provides a mechanism for ensuring that the firmware
++ will only load signed bootloaders and kernels. Secure boot mode may
++ be determined from EFI variables provided by the system firmware if
++ not indicated by the boot parameters.
++
++ Enabling this option results in kernel lockdown being
++ triggered in confidentiality mode if EFI Secure Boot is set.
+Index: debian-kernel/security/lockdown/lockdown.c
+===================================================================
+--- debian-kernel.orig/security/lockdown/lockdown.c
++++ debian-kernel/security/lockdown/lockdown.c
+@@ -23,7 +23,7 @@ static const enum lockdown_reason lockdo
+ /*
+ * Put the kernel into lock-down mode.
+ */
+-static int lock_kernel_down(const char *where, enum lockdown_reason level)
++int lock_kernel_down(const char *where, enum lockdown_reason level)
+ {
+ if (kernel_locked_down >= level)
+ return -EPERM;
diff --git a/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
new file mode 100644
index 000000000..5004e5dca
--- /dev/null
+++ b/debian/patches/features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
@@ -0,0 +1,75 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 30 Aug 2019 15:54:24 +0100
+Subject: mtd: phram,slram: Disable when the kernel is locked down
+Forwarded: https://lore.kernel.org/linux-security-module/20190830154720.eekfjt6c4jzvlbfz@decadent.org.uk/
+
+These drivers allow mapping arbitrary memory ranges as MTD devices.
+This should be disabled to preserve the kernel's integrity when it is
+locked down.
+
+* Add the HWPARAM flag to the module parameters
+* When slram is built-in, it uses __setup() to read kernel parameters,
+ so add an explicit check security_locked_down() check
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Joern Engel <joern@lazybastard.org>
+Cc: linux-mtd@lists.infradead.org
+---
+ drivers/mtd/devices/phram.c | 6 +++++-
+ drivers/mtd/devices/slram.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/devices/phram.c
++++ b/drivers/mtd/devices/phram.c
+@@ -294,7 +294,11 @@ static int phram_param_call(const char *
+ #endif
+ }
+
+-module_param_call(phram, phram_param_call, NULL, NULL, 0200);
++static const struct kernel_param_ops phram_param_ops = {
++ .set = phram_param_call
++};
++__module_param_call(MODULE_PARAM_PREFIX, phram, &phram_param_ops, NULL,
++ 0200, -1, KERNEL_PARAM_FL_HWPARAM | hwparam_iomem);
+ MODULE_PARM_DESC(phram, "Memory region to map. \"phram=<name>,<start>,<length>\"");
+
+
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -43,6 +43,7 @@
+ #include <linux/ioctl.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
++#include <linux/security.h>
+
+ #include <linux/mtd/mtd.h>
+
+@@ -65,7 +66,7 @@ typedef struct slram_mtd_list {
+ #ifdef MODULE
+ static char *map[SLRAM_MAX_DEVICES_PARAMS];
+
+-module_param_array(map, charp, NULL, 0);
++module_param_hw_array(map, charp, iomem, NULL, 0);
+ MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
+ #else
+ static char *map;
+@@ -281,11 +282,17 @@ static int __init init_slram(void)
+ #ifndef MODULE
+ char *devstart;
+ char *devlength;
++ int ret;
+
+ if (!map) {
+ E("slram: not enough parameters.\n");
+ return(-EINVAL);
+ }
++
++ ret = security_locked_down(LOCKDOWN_MODULE_PARAMETERS);
++ if (ret)
++ return ret;
++
+ while (map) {
+ devname = devstart = devlength = NULL;
+
diff --git a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
new file mode 100644
index 000000000..33db1f765
--- /dev/null
+++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
@@ -0,0 +1,80 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: security,perf: Allow further restriction of perf_event_open
+Forwarded: https://lkml.org/lkml/2016/1/11/587
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 8 ++++++++
+ security/Kconfig | 9 +++++++++
+ 3 files changed, 22 insertions(+)
+
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1305,6 +1305,11 @@ int perf_cpu_time_max_percent_handler(st
+ int perf_event_max_stack_handler(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos);
+
++static inline bool perf_paranoid_any(void)
++{
++ return sysctl_perf_event_paranoid > 2;
++}
++
+ /* Access to perf_event_open(2) syscall. */
+ #define PERF_SECURITY_OPEN 0
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -408,8 +408,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11785,6 +11790,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ if (err)
+ return err;
+
++ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++ return -EACCES;
++
+ /* Do we allow access to perf_event_open(2) ? */
+ err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
+ if (err)
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
diff --git a/debian/patches/features/arm64/arm64-compat-Implement-misalignment-fixups-for-multi.patch b/debian/patches/features/arm64/arm64-compat-Implement-misalignment-fixups-for-multi.patch
new file mode 100644
index 000000000..303e69f83
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-compat-Implement-misalignment-fixups-for-multi.patch
@@ -0,0 +1,480 @@
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 1 Jul 2022 15:53:22 +0200
+Subject: arm64: compat: Implement misalignment fixups for multiword loads
+Origin: https://git.kernel.org/linus/3fc24ef32d3b9368f4c103dcd21d6a3f959b4870
+
+The 32-bit ARM kernel implements fixups on behalf of user space when
+using LDM/STM or LDRD/STRD instructions on addresses that are not 32-bit
+aligned. This is not something that is supported by the architecture,
+but was done anyway to increase compatibility with user space software,
+which mostly targeted x86 at the time and did not care about aligned
+accesses.
+
+This feature is one of the remaining impediments to being able to switch
+to 64-bit kernels on 64-bit capable hardware running 32-bit user space,
+so let's implement it for the arm64 compat layer as well.
+
+Note that the intent is to implement the exact same handling of
+misaligned multi-word loads and stores as the 32-bit kernel does,
+including what appears to be missing support for user space programs
+that rely on SETEND to switch to a different byte order and back. Also,
+like the 32-bit ARM version, we rely on the faulting address reported by
+the CPU to infer the memory address, instead of decoding the instruction
+fully to obtain this information.
+
+This implementation is taken from the 32-bit ARM tree, with all pieces
+removed that deal with instructions other than LDRD/STRD and LDM/STM, or
+that deal with alignment exceptions taken in kernel mode.
+
+Cc: debian-arm@lists.debian.org
+Cc: Vagrant Cascadian <vagrant@debian.org>
+Cc: Riku Voipio <riku.voipio@iki.fi>
+Cc: Steve McIntyre <steve@einval.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20220701135322.3025321-1-ardb@kernel.org
+[catalin.marinas@arm.com: change the option to 'default n']
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+---
+ arch/arm64/Kconfig | 3 +
+ arch/arm64/include/asm/exception.h | 1 +
+ arch/arm64/kernel/Makefile | 1 +
+ arch/arm64/kernel/compat_alignment.c | 387 +++++++++++++++++++++++++++
+ arch/arm64/mm/fault.c | 3 +
+ 5 files changed, 395 insertions(+)
+ create mode 100644 arch/arm64/kernel/compat_alignment.c
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1328,6 +1328,9 @@ config THUMB2_COMPAT_VDSO
+ Compile the compat vDSO with '-mthumb -fomit-frame-pointer' if y,
+ otherwise with '-marm'.
+
++config COMPAT_ALIGNMENT_FIXUPS
++ bool "Fix up misaligned multi-word loads and stores in user space"
++
+ menuconfig ARMV8_DEPRECATED
+ bool "Emulate deprecated/obsolete ARMv8 instructions"
+ depends on SYSCTL
+--- a/arch/arm64/include/asm/exception.h
++++ b/arch/arm64/include/asm/exception.h
+@@ -47,6 +47,7 @@ void do_el0_sys(unsigned long esr, struc
+ void do_sp_pc_abort(unsigned long addr, unsigned int esr, struct pt_regs *regs);
+ void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr);
+ void do_el0_cp15(unsigned long esr, struct pt_regs *regs);
++int do_compat_alignment_fixup(unsigned long addr, struct pt_regs *regs);
+ void do_el0_svc(struct pt_regs *regs);
+ void do_el0_svc_compat(struct pt_regs *regs);
+ void do_el0_fpac(struct pt_regs *regs, unsigned long esr);
+--- a/arch/arm64/kernel/Makefile
++++ b/arch/arm64/kernel/Makefile
+@@ -28,6 +28,7 @@ $(obj)/%.stub.o: $(obj)/%.o FORCE
+ obj-$(CONFIG_COMPAT) += sys32.o signal32.o \
+ sys_compat.o
+ obj-$(CONFIG_COMPAT) += sigreturn32.o
++obj-$(CONFIG_COMPAT_ALIGNMENT_FIXUPS) += compat_alignment.o
+ obj-$(CONFIG_KUSER_HELPERS) += kuser32.o
+ obj-$(CONFIG_FUNCTION_TRACER) += ftrace.o entry-ftrace.o
+ obj-$(CONFIG_MODULES) += module.o
+--- /dev/null
++++ b/arch/arm64/kernel/compat_alignment.c
+@@ -0,0 +1,387 @@
++// SPDX-License-Identifier: GPL-2.0-only
++// based on arch/arm/mm/alignment.c
++
++#include <linux/compiler.h>
++#include <linux/errno.h>
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/perf_event.h>
++#include <linux/uaccess.h>
++
++#include <asm/exception.h>
++#include <asm/ptrace.h>
++#include <asm/traps.h>
++
++/*
++ * 32-bit misaligned trap handler (c) 1998 San Mehat (CCC) -July 1998
++ *
++ * Speed optimisations and better fault handling by Russell King.
++ */
++#define CODING_BITS(i) (i & 0x0e000000)
++
++#define LDST_P_BIT(i) (i & (1 << 24)) /* Preindex */
++#define LDST_U_BIT(i) (i & (1 << 23)) /* Add offset */
++#define LDST_W_BIT(i) (i & (1 << 21)) /* Writeback */
++#define LDST_L_BIT(i) (i & (1 << 20)) /* Load */
++
++#define LDST_P_EQ_U(i) ((((i) ^ ((i) >> 1)) & (1 << 23)) == 0)
++
++#define LDSTHD_I_BIT(i) (i & (1 << 22)) /* double/half-word immed */
++
++#define RN_BITS(i) ((i >> 16) & 15) /* Rn */
++#define RD_BITS(i) ((i >> 12) & 15) /* Rd */
++#define RM_BITS(i) (i & 15) /* Rm */
++
++#define REGMASK_BITS(i) (i & 0xffff)
++
++#define BAD_INSTR 0xdeadc0de
++
++/* Thumb-2 32 bit format per ARMv7 DDI0406A A6.3, either f800h,e800h,f800h */
++#define IS_T32(hi16) \
++ (((hi16) & 0xe000) == 0xe000 && ((hi16) & 0x1800))
++
++union offset_union {
++ unsigned long un;
++ signed long sn;
++};
++
++#define TYPE_ERROR 0
++#define TYPE_FAULT 1
++#define TYPE_LDST 2
++#define TYPE_DONE 3
++
++static void
++do_alignment_finish_ldst(unsigned long addr, u32 instr, struct pt_regs *regs,
++ union offset_union offset)
++{
++ if (!LDST_U_BIT(instr))
++ offset.un = -offset.un;
++
++ if (!LDST_P_BIT(instr))
++ addr += offset.un;
++
++ if (!LDST_P_BIT(instr) || LDST_W_BIT(instr))
++ regs->regs[RN_BITS(instr)] = addr;
++}
++
++static int
++do_alignment_ldrdstrd(unsigned long addr, u32 instr, struct pt_regs *regs)
++{
++ unsigned int rd = RD_BITS(instr);
++ unsigned int rd2;
++ int load;
++
++ if ((instr & 0xfe000000) == 0xe8000000) {
++ /* ARMv7 Thumb-2 32-bit LDRD/STRD */
++ rd2 = (instr >> 8) & 0xf;
++ load = !!(LDST_L_BIT(instr));
++ } else if (((rd & 1) == 1) || (rd == 14)) {
++ return TYPE_ERROR;
++ } else {
++ load = ((instr & 0xf0) == 0xd0);
++ rd2 = rd + 1;
++ }
++
++ if (load) {
++ unsigned int val, val2;
++
++ if (get_user(val, (u32 __user *)addr) ||
++ get_user(val2, (u32 __user *)(addr + 4)))
++ return TYPE_FAULT;
++ regs->regs[rd] = val;
++ regs->regs[rd2] = val2;
++ } else {
++ if (put_user(regs->regs[rd], (u32 __user *)addr) ||
++ put_user(regs->regs[rd2], (u32 __user *)(addr + 4)))
++ return TYPE_FAULT;
++ }
++ return TYPE_LDST;
++}
++
++/*
++ * LDM/STM alignment handler.
++ *
++ * There are 4 variants of this instruction:
++ *
++ * B = rn pointer before instruction, A = rn pointer after instruction
++ * ------ increasing address ----->
++ * | | r0 | r1 | ... | rx | |
++ * PU = 01 B A
++ * PU = 11 B A
++ * PU = 00 A B
++ * PU = 10 A B
++ */
++static int
++do_alignment_ldmstm(unsigned long addr, u32 instr, struct pt_regs *regs)
++{
++ unsigned int rd, rn, nr_regs, regbits;
++ unsigned long eaddr, newaddr;
++ unsigned int val;
++
++ /* count the number of registers in the mask to be transferred */
++ nr_regs = hweight16(REGMASK_BITS(instr)) * 4;
++
++ rn = RN_BITS(instr);
++ newaddr = eaddr = regs->regs[rn];
++
++ if (!LDST_U_BIT(instr))
++ nr_regs = -nr_regs;
++ newaddr += nr_regs;
++ if (!LDST_U_BIT(instr))
++ eaddr = newaddr;
++
++ if (LDST_P_EQ_U(instr)) /* U = P */
++ eaddr += 4;
++
++ for (regbits = REGMASK_BITS(instr), rd = 0; regbits;
++ regbits >>= 1, rd += 1)
++ if (regbits & 1) {
++ if (LDST_L_BIT(instr)) {
++ if (get_user(val, (u32 __user *)eaddr))
++ return TYPE_FAULT;
++ if (rd < 15)
++ regs->regs[rd] = val;
++ else
++ regs->pc = val;
++ } else {
++ /*
++ * The PC register has a bias of +8 in ARM mode
++ * and +4 in Thumb mode. This means that a read
++ * of the value of PC should account for this.
++ * Since Thumb does not permit STM instructions
++ * to refer to PC, just add 8 here.
++ */
++ val = (rd < 15) ? regs->regs[rd] : regs->pc + 8;
++ if (put_user(val, (u32 __user *)eaddr))
++ return TYPE_FAULT;
++ }
++ eaddr += 4;
++ }
++
++ if (LDST_W_BIT(instr))
++ regs->regs[rn] = newaddr;
++
++ return TYPE_DONE;
++}
++
++/*
++ * Convert Thumb multi-word load/store instruction forms to equivalent ARM
++ * instructions so we can reuse ARM userland alignment fault fixups for Thumb.
++ *
++ * This implementation was initially based on the algorithm found in
++ * gdb/sim/arm/thumbemu.c. It is basically just a code reduction of same
++ * to convert only Thumb ld/st instruction forms to equivalent ARM forms.
++ *
++ * NOTES:
++ * 1. Comments below refer to ARM ARM DDI0100E Thumb Instruction sections.
++ * 2. If for some reason we're passed an non-ld/st Thumb instruction to
++ * decode, we return 0xdeadc0de. This should never happen under normal
++ * circumstances but if it does, we've got other problems to deal with
++ * elsewhere and we obviously can't fix those problems here.
++ */
++
++static unsigned long thumb2arm(u16 tinstr)
++{
++ u32 L = (tinstr & (1<<11)) >> 11;
++
++ switch ((tinstr & 0xf800) >> 11) {
++ /* 6.6.1 Format 1: */
++ case 0xc000 >> 11: /* 7.1.51 STMIA */
++ case 0xc800 >> 11: /* 7.1.25 LDMIA */
++ {
++ u32 Rn = (tinstr & (7<<8)) >> 8;
++ u32 W = ((L<<Rn) & (tinstr&255)) ? 0 : 1<<21;
++
++ return 0xe8800000 | W | (L<<20) | (Rn<<16) |
++ (tinstr&255);
++ }
++
++ /* 6.6.1 Format 2: */
++ case 0xb000 >> 11: /* 7.1.48 PUSH */
++ case 0xb800 >> 11: /* 7.1.47 POP */
++ if ((tinstr & (3 << 9)) == 0x0400) {
++ static const u32 subset[4] = {
++ 0xe92d0000, /* STMDB sp!,{registers} */
++ 0xe92d4000, /* STMDB sp!,{registers,lr} */
++ 0xe8bd0000, /* LDMIA sp!,{registers} */
++ 0xe8bd8000 /* LDMIA sp!,{registers,pc} */
++ };
++ return subset[(L<<1) | ((tinstr & (1<<8)) >> 8)] |
++ (tinstr & 255); /* register_list */
++ }
++ fallthrough; /* for illegal instruction case */
++
++ default:
++ return BAD_INSTR;
++ }
++}
++
++/*
++ * Convert Thumb-2 32 bit LDM, STM, LDRD, STRD to equivalent instruction
++ * handlable by ARM alignment handler, also find the corresponding handler,
++ * so that we can reuse ARM userland alignment fault fixups for Thumb.
++ *
++ * @pinstr: original Thumb-2 instruction; returns new handlable instruction
++ * @regs: register context.
++ * @poffset: return offset from faulted addr for later writeback
++ *
++ * NOTES:
++ * 1. Comments below refer to ARMv7 DDI0406A Thumb Instruction sections.
++ * 2. Register name Rt from ARMv7 is same as Rd from ARMv6 (Rd is Rt)
++ */
++static void *
++do_alignment_t32_to_handler(u32 *pinstr, struct pt_regs *regs,
++ union offset_union *poffset)
++{
++ u32 instr = *pinstr;
++ u16 tinst1 = (instr >> 16) & 0xffff;
++ u16 tinst2 = instr & 0xffff;
++
++ switch (tinst1 & 0xffe0) {
++ /* A6.3.5 Load/Store multiple */
++ case 0xe880: /* STM/STMIA/STMEA,LDM/LDMIA, PUSH/POP T2 */
++ case 0xe8a0: /* ...above writeback version */
++ case 0xe900: /* STMDB/STMFD, LDMDB/LDMEA */
++ case 0xe920: /* ...above writeback version */
++ /* no need offset decision since handler calculates it */
++ return do_alignment_ldmstm;
++
++ case 0xf840: /* POP/PUSH T3 (single register) */
++ if (RN_BITS(instr) == 13 && (tinst2 & 0x09ff) == 0x0904) {
++ u32 L = !!(LDST_L_BIT(instr));
++ const u32 subset[2] = {
++ 0xe92d0000, /* STMDB sp!,{registers} */
++ 0xe8bd0000, /* LDMIA sp!,{registers} */
++ };
++ *pinstr = subset[L] | (1<<RD_BITS(instr));
++ return do_alignment_ldmstm;
++ }
++ /* Else fall through for illegal instruction case */
++ break;
++
++ /* A6.3.6 Load/store double, STRD/LDRD(immed, lit, reg) */
++ case 0xe860:
++ case 0xe960:
++ case 0xe8e0:
++ case 0xe9e0:
++ poffset->un = (tinst2 & 0xff) << 2;
++ fallthrough;
++
++ case 0xe940:
++ case 0xe9c0:
++ return do_alignment_ldrdstrd;
++
++ /*
++ * No need to handle load/store instructions up to word size
++ * since ARMv6 and later CPUs can perform unaligned accesses.
++ */
++ default:
++ break;
++ }
++ return NULL;
++}
++
++static int alignment_get_arm(struct pt_regs *regs, __le32 __user *ip, u32 *inst)
++{
++ __le32 instr = 0;
++ int fault;
++
++ fault = get_user(instr, ip);
++ if (fault)
++ return fault;
++
++ *inst = __le32_to_cpu(instr);
++ return 0;
++}
++
++static int alignment_get_thumb(struct pt_regs *regs, __le16 __user *ip, u16 *inst)
++{
++ __le16 instr = 0;
++ int fault;
++
++ fault = get_user(instr, ip);
++ if (fault)
++ return fault;
++
++ *inst = __le16_to_cpu(instr);
++ return 0;
++}
++
++int do_compat_alignment_fixup(unsigned long addr, struct pt_regs *regs)
++{
++ union offset_union offset;
++ unsigned long instrptr;
++ int (*handler)(unsigned long addr, u32 instr, struct pt_regs *regs);
++ unsigned int type;
++ u32 instr = 0;
++ u16 tinstr = 0;
++ int isize = 4;
++ int thumb2_32b = 0;
++ int fault;
++
++ instrptr = instruction_pointer(regs);
++
++ if (compat_thumb_mode(regs)) {
++ __le16 __user *ptr = (__le16 __user *)(instrptr & ~1);
++
++ fault = alignment_get_thumb(regs, ptr, &tinstr);
++ if (!fault) {
++ if (IS_T32(tinstr)) {
++ /* Thumb-2 32-bit */
++ u16 tinst2;
++ fault = alignment_get_thumb(regs, ptr + 1, &tinst2);
++ instr = ((u32)tinstr << 16) | tinst2;
++ thumb2_32b = 1;
++ } else {
++ isize = 2;
++ instr = thumb2arm(tinstr);
++ }
++ }
++ } else {
++ fault = alignment_get_arm(regs, (__le32 __user *)instrptr, &instr);
++ }
++
++ if (fault)
++ return 1;
++
++ switch (CODING_BITS(instr)) {
++ case 0x00000000: /* 3.13.4 load/store instruction extensions */
++ if (LDSTHD_I_BIT(instr))
++ offset.un = (instr & 0xf00) >> 4 | (instr & 15);
++ else
++ offset.un = regs->regs[RM_BITS(instr)];
++
++ if ((instr & 0x001000f0) == 0x000000d0 || /* LDRD */
++ (instr & 0x001000f0) == 0x000000f0) /* STRD */
++ handler = do_alignment_ldrdstrd;
++ else
++ return 1;
++ break;
++
++ case 0x08000000: /* ldm or stm, or thumb-2 32bit instruction */
++ if (thumb2_32b) {
++ offset.un = 0;
++ handler = do_alignment_t32_to_handler(&instr, regs, &offset);
++ } else {
++ offset.un = 0;
++ handler = do_alignment_ldmstm;
++ }
++ break;
++
++ default:
++ return 1;
++ }
++
++ type = handler(addr, instr, regs);
++
++ if (type == TYPE_ERROR || type == TYPE_FAULT)
++ return 1;
++
++ if (type == TYPE_LDST)
++ do_alignment_finish_ldst(addr, instr, regs, offset);
++
++ perf_sw_event(PERF_COUNT_SW_ALIGNMENT_FAULTS, 1, regs, regs->pc);
++ arm64_skip_faulting_instruction(regs, isize);
++
++ return 0;
++}
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -610,6 +610,9 @@ static int __kprobes do_translation_faul
+ static int do_alignment_fault(unsigned long addr, unsigned int esr,
+ struct pt_regs *regs)
+ {
++ if (IS_ENABLED(CONFIG_COMPAT_ALIGNMENT_FIXUPS) &&
++ compat_user_mode(regs))
++ return do_compat_alignment_fixup(addr, regs);
+ do_bad_area(addr, esr, regs);
+ return 0;
+ }
diff --git a/debian/patches/features/arm64/arm64-dts-raspberry-Add-support-for-the-CM4.patch b/debian/patches/features/arm64/arm64-dts-raspberry-Add-support-for-the-CM4.patch
new file mode 100644
index 000000000..8619cfcdd
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-raspberry-Add-support-for-the-CM4.patch
@@ -0,0 +1,423 @@
+From: Cyril Brulebois <cyril@debamax.com>
+Date: Mon, 03 Jan 2022 21:59:36 +0100
+Subject: arm64: dts: Add support for Raspberry Pi Compute Module 4 IO Board
+
+It was introduced in mainline during the v5.16 release cycle. Since
+many broadcom includes were reworked since v5.10, adding support would
+involve more than cherry-picking a DTS addition that uses a few
+includes.
+
+To avoid side effects on other models, introduce a DTS that leverages
+some existing includes (bcm2711.dtsi and bcm283x-rpi-usb-host.dtsi)
+and describes the rest without re-using parts of the Raspberry Pi 4 B
+model.
+
+To avoid phandle rotation (0x16, 0x17, and 0x18) across 3 nodes
+(dma@7e007000, i2c@7e205000, and interrupt-controller@7ef00100), and the
+related changes in other nodes referencing them, hardcode 0x16 as the
+phandle for interrupt-controller@7ef00100. This leads to an empty dtdiff
+between this new DTB and the one produced by a v5.16-rc8 build.
+
+Authored-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Cyril Brulebois <cyril@debamax.com>
+
+--- a/arch/arm64/boot/dts/broadcom/Makefile
++++ b/arch/arm64/boot/dts/broadcom/Makefile
+@@ -1,5 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ dtb-$(CONFIG_ARCH_BCM2835) += bcm2711-rpi-4-b.dtb \
++ bcm2711-rpi-cm4-io.dtb \
+ bcm2837-rpi-3-a-plus.dtb \
+ bcm2837-rpi-3-b.dtb \
+ bcm2837-rpi-3-b-plus.dtb \
+--- /dev/null
++++ b/arch/arm64/boot/dts/broadcom/bcm2711-rpi-cm4-io.dts
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0
++#include "arm/bcm2711-rpi-cm4-io.dts"
+--- a/arch/arm/boot/dts/Makefile
++++ b/arch/arm/boot/dts/Makefile
+@@ -93,6 +93,7 @@ dtb-$(CONFIG_ARCH_BCM2835) += \
+ bcm2837-rpi-3-b-plus.dtb \
+ bcm2837-rpi-cm3-io3.dtb \
+ bcm2711-rpi-4-b.dtb \
++ bcm2711-rpi-cm4-io.dtb \
+ bcm2835-rpi-zero.dtb \
+ bcm2835-rpi-zero-w.dtb
+ dtb-$(CONFIG_ARCH_BCM_5301X) += \
+--- /dev/null
++++ b/arch/arm/boot/dts/bcm2711-rpi-cm4-io.dts
+@@ -0,0 +1,373 @@
++/dts-v1/;
++
++#include "bcm2711.dtsi"
++#include "bcm283x-rpi-usb-host.dtsi"
++
++/ {
++ model = "Raspberry Pi Compute Module 4 IO Board";
++ compatible = "raspberrypi,4-compute-module\0brcm,bcm2711";
++
++ aliases {
++ emmc2bus = "/emmc2bus";
++ ethernet0 = "/scb/ethernet@7d580000";
++ pcie0 = "/scb/pcie@7d500000";
++ blconfig = &blconfig;
++ };
++
++ chosen {
++ stdout-path = "serial1:115200n8";
++ };
++
++ leds {
++ compatible = "gpio-leds";
++
++ led-act {
++ label = "ACT";
++ default-state = "keep";
++ linux,default-trigger = "heartbeat";
++ gpios = <&gpio 42 GPIO_ACTIVE_HIGH>;
++ };
++
++ led-pwr {
++ label = "PWR";
++ gpios = <&expgpio 2 GPIO_ACTIVE_LOW>;
++ default-state = "keep";
++ linux,default-trigger = "default-on";
++ };
++ };
++
++ soc {
++ aon_intr: interrupt-controller@7ef00100 {
++ compatible = "brcm,bcm2711-l2-intc", "brcm,l2-intc";
++ reg = <0x7ef00100 0x30>;
++ phandle = <0x16>;
++ interrupts = <GIC_SPI 96 IRQ_TYPE_LEVEL_HIGH>;
++ interrupt-controller;
++ #interrupt-cells = <1>;
++ };
++
++ firmware: firmware {
++ compatible = "raspberrypi,bcm2835-firmware\0simple-mfd";
++ #address-cells = <0x01>;
++ #size-cells = <0x01>;
++ mboxes = <&mailbox>;
++ dma-ranges;
++
++ firmware_clocks: clocks {
++ compatible = "raspberrypi,firmware-clocks";
++ #clock-cells = <0x01>;
++ };
++
++ expgpio: gpio {
++ compatible = "raspberrypi,firmware-gpio";
++ gpio-controller;
++ #gpio-cells = <2>;
++ status = "okay";
++ gpio-line-names = "BT_ON", "WL_ON", "PWR_LED_OFF", "ANT1", "VDD_SD_IO_SEL", "CAM_GPIO", "SD_PWR_ON", "ANT2";
++ ant1-hog {
++ gpio-hog;
++ gpios = <0x03 0x00>;
++ output-high;
++ line-name = "ant1";
++ };
++
++ ant2-hog {
++ gpio-hog;
++ gpios = <0x07 0x00>;
++ output-low;
++ line-name = "ant2";
++ };
++ };
++
++ reset {
++ compatible = "raspberrypi,firmware-reset";
++ #reset-cells = <1>;
++ };
++ };
++
++ power: power {
++ compatible = "raspberrypi,bcm2835-power";
++ firmware = <&firmware>;
++ #power-domain-cells = <1>;
++ };
++
++ mailbox@7e00b840 {
++ compatible = "brcm,bcm2835-vchiq";
++ reg = <0x7e00b840 0x3c>;
++ interrupts = <GIC_SPI 34 IRQ_TYPE_LEVEL_HIGH>;
++ };
++
++ vec@7ec13000 {
++ compatible = "brcm,bcm2711-vec";
++ reg = <0x7ec13000 0x1000>;
++ clocks = <&clocks BCM2835_CLOCK_VEC>;
++ interrupts = <GIC_SPI 123 IRQ_TYPE_LEVEL_HIGH>;
++ status = "disabled";
++ power-domains = <&power /* RPI_POWER_DOMAIN_VEC = */ 7>;
++ };
++ };
++
++ memory@0 {
++ device_type = "memory";
++ reg = <0x00 0x00 0x00>;
++ };
++
++ wifi_pwrseq: wifi-pwrseq {
++ compatible = "mmc-pwrseq-simple";
++ reset-gpios = <&expgpio 0x01 0x01>;
++ };
++
++ sd_io_1v8_reg: sd_io_1v8_reg {
++ compatible = "regulator-gpio";
++ regulator-name = "vdd-sd-io";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-boot-on;
++ regulator-always-on;
++ regulator-settling-time-us = <5000>;
++ gpios = <&expgpio 0x04 GPIO_ACTIVE_HIGH>;
++ states = <1800000 0x1>,
++ <3300000 0x0>;
++ status = "okay";
++ };
++
++ sd_vcc_reg: sd_vcc_reg {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc-sd";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-boot-on;
++ enable-active-high;
++ gpio = <&expgpio 6 GPIO_ACTIVE_HIGH>;
++ };
++};
++
++&ddc0 {
++ status = "okay";
++};
++
++&ddc1 {
++ status = "okay";
++};
++
++&dsi0 {
++ power-domains = <&power 17>;
++};
++
++&dsi1 {
++ compatible = "brcm,bcm2711-dsi1";
++ power-domains = <&power 18>;
++};
++
++&emmc2 {
++ status = "okay";
++ bus-width = <8>;
++ vqmmc-supply = <&sd_io_1v8_reg>;
++ vmmc-supply = <&sd_vcc_reg>;
++ broken-cd;
++ mmc-hs200-1_8v;
++};
++
++&gpio {
++ pinctrl-names = "default";
++ /*
++ * Parts taken from rpi_SCH_4b_4p0_reduced.pdf and
++ * the official GPU firmware DT blob.
++ *
++ * Legend:
++ * "FOO" = GPIO line named "FOO" on the schematic
++ * "FOO_N" = GPIO line named "FOO" on schematic, active low
++ */
++ gpio-line-names = "ID_SDA",
++ "ID_SCL",
++ "SDA1",
++ "SCL1",
++ "GPIO_GCLK",
++ "GPIO5",
++ "GPIO6",
++ "SPI_CE1_N",
++ "SPI_CE0_N",
++ "SPI_MISO",
++ "SPI_MOSI",
++ "SPI_SCLK",
++ "GPIO12",
++ "GPIO13",
++ /* Serial port */
++ "TXD1",
++ "RXD1",
++ "GPIO16",
++ "GPIO17",
++ "GPIO18",
++ "GPIO19",
++ "GPIO20",
++ "GPIO21",
++ "GPIO22",
++ "GPIO23",
++ "GPIO24",
++ "GPIO25",
++ "GPIO26",
++ "GPIO27",
++ "RGMII_MDIO",
++ "RGMIO_MDC",
++ /* Used by BT module */
++ "CTS0",
++ "RTS0",
++ "TXD0",
++ "RXD0",
++ /* Used by Wifi */
++ "SD1_CLK",
++ "SD1_CMD",
++ "SD1_DATA0",
++ "SD1_DATA1",
++ "SD1_DATA2",
++ "SD1_DATA3",
++ /* Shared with SPI flash */
++ "PWM0_MISO",
++ "PWM1_MOSI",
++ "STATUS_LED_G_CLK",
++ "SPIFLASH_CE_N",
++ "SDA0",
++ "SCL0",
++ "RGMII_RXCLK",
++ "RGMII_RXCTL",
++ "RGMII_RXD0",
++ "RGMII_RXD1",
++ "RGMII_RXD2",
++ "RGMII_RXD3",
++ "RGMII_TXCLK",
++ "RGMII_TXCTL",
++ "RGMII_TXD0",
++ "RGMII_TXD1",
++ "RGMII_TXD2",
++ "RGMII_TXD3";
++
++ gpioout {
++ brcm,pins = <0x06>;
++ brcm,function = <0x01>;
++ };
++
++ alt0 {
++ brcm,pins = <0x04 0x05 0x07 0x08 0x09 0x0a 0x0b>;
++ brcm,function = <0x04>;
++ };
++};
++
++&hdmi0 {
++ status = "okay";
++ interrupt-parent = <&aon_intr>;
++ interrupts = <0>, <1>, <2>, <3>, <4>, <5>;
++ interrupt-names = "cec-tx", "cec-rx", "cec-low", "wakeup", "hpd-connected", "hpd-removed";
++ clocks = <&firmware_clocks 13>, <&firmware_clocks 14>, <&dvp 0>, <&clk_27MHz>;
++ wifi-2.4ghz-coexistence;
++};
++
++&hdmi1 {
++ status = "okay";
++ interrupt-parent = <&aon_intr>;
++ interrupts = <8>, <7>, <6>, <9>, <10>, <11>;
++ interrupt-names = "cec-tx", "cec-rx", "cec-low", "wakeup", "hpd-connected", "hpd-removed";
++ clocks = <&firmware_clocks 13>, <&firmware_clocks 14>, <&dvp 1>, <&clk_27MHz>;
++ wifi-2.4ghz-coexistence;
++};
++
++&hvs {
++ clocks = <&firmware_clocks 4>;
++};
++
++&i2c0 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&i2c0_gpio0>;
++ clock-frequency = <100000>;
++};
++
++&i2c1 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&i2c1_gpio2>;
++ clock-frequency = <100000>;
++};
++
++&genet {
++ status = "okay";
++ phy-handle = <&ethphy0>;
++ phy-mode = "rgmii-rxid";
++};
++
++&genet_mdio {
++ ethphy0: ethernet-phy@0 {
++ reg = <0>;
++ };
++};
++
++&pixelvalve0 {
++ status = "okay";
++};
++
++&pixelvalve1 {
++ status = "okay";
++};
++
++&pixelvalve2 {
++ status = "okay";
++};
++
++&pixelvalve4 {
++ status = "okay";
++};
++
++&rmem {
++ blconfig: nvram@0 {
++ compatible = "raspberrypi,bootloader-config", "nvmem-rmem";
++ #address-cells = <0x01>;
++ #size-cells = <0x01>;
++ reg = <0x00 0x00 0x00>;
++ no-map;
++ status = "disabled";
++ };
++};
++
++&sdhci {
++ status = "okay";
++ #address-cells = <1>;
++ #size-cells = <0>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&emmc_gpio34>;
++ bus-width = <4>;
++ non-removable;
++ mmc-pwrseq = <&wifi_pwrseq>;
++
++ wifi@1 {
++ reg = <0x01>;
++ compatible = "brcm,bcm4329-fmac";
++ };
++};
++
++&uart0 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&uart0_ctsrts_gpio30 &uart0_gpio32>;
++ uart-has-rtscts;
++
++ bluetooth {
++ compatible = "brcm,bcm43438-bt";
++ max-speed = <0x1e8480>;
++ shutdown-gpios = <&expgpio 0x00 0x00>;
++ };
++};
++
++&uart1 {
++ status = "okay";
++ pinctrl-names = "default";
++ pinctrl-0 = <&uart1_gpio14>;
++};
++
++&usb {
++ power-domains = <&power 6>;
++};
++
++&vc4 {
++ status = "okay";
++};
++
++/delete-node/ &vec;
diff --git a/debian/patches/features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch b/debian/patches/features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
new file mode 100644
index 000000000..deeed7034
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
@@ -0,0 +1,419 @@
+From: Uwe Kleine-König <uwe@kleine-koenig.org>
+Date: Wed, 14 Oct 2020 22:00:30 +0200
+Subject: arm64: dts: rockchip: Add basic support for Kobol's Helios64
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=09e006cfb43e8ec38afe28278b210dab72e6cac8
+
+The hardware is described in detail on Kobol's wiki at
+https://wiki.kobol.io/helios64/intro/.
+
+Up to now the following peripherals are working:
+
+ - UART
+ - Micro-SD card
+ - eMMC
+ - ethernet port 1
+ - status LED
+ - temperature sensor on i2c bus 2
+
+Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
+Link: https://lore.kernel.org/r/20201014200030.845759-3-uwe@kleine-koenig.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+---
+ arch/arm64/boot/dts/rockchip/Makefile | 1 +
+ .../dts/rockchip/rk3399-kobol-helios64.dts | 372 ++++++++++++++++++
+ 2 files changed, 373 insertions(+)
+ create mode 100644 arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+
+diff --git a/arch/arm64/boot/dts/rockchip/Makefile b/arch/arm64/boot/dts/rockchip/Makefile
+index 26661c7b736b..28b26a874313 100644
+--- a/arch/arm64/boot/dts/rockchip/Makefile
++++ b/arch/arm64/boot/dts/rockchip/Makefile
+@@ -26,6 +26,7 @@ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-hugsun-x99.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge-captain.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-khadas-edge-v.dtb
++dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-kobol-helios64.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-leez-p710.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-nanopc-t4.dtb
+ dtb-$(CONFIG_ARCH_ROCKCHIP) += rk3399-nanopi-m4.dtb
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+new file mode 100644
+index 000000000000..2a561be724b2
+--- /dev/null
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -0,0 +1,372 @@
++// SPDX-License-Identifier: (GPL-2.0+ OR MIT)
++/*
++ * Copyright (c) 2020 Aditya Prayoga <aditya@kobol.io>
++ */
++
++/*
++ * The Kobol Helios64 is a board designed to operate as a NAS and optionally
++ * ships with an enclosing that can host five 2.5" hard disks.
++ *
++ * See https://wiki.kobol.io/helios64/intro/ for further details.
++ */
++
++/dts-v1/;
++#include "rk3399.dtsi"
++#include "rk3399-opp.dtsi"
++
++/ {
++ model = "Kobol Helios64";
++ compatible = "kobol,helios64", "rockchip,rk3399";
++
++ avdd_1v8_s0: avdd-1v8-s0 {
++ compatible = "regulator-fixed";
++ regulator-name = "avdd_1v8_s0";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ vin-supply = <&vcc3v3_sys_s3>;
++ };
++
++ clkin_gmac: external-gmac-clock {
++ compatible = "fixed-clock";
++ clock-frequency = <125000000>;
++ clock-output-names = "clkin_gmac";
++ #clock-cells = <0>;
++ };
++
++ leds {
++ compatible = "gpio-leds";
++ pinctrl-names = "default";
++ pinctrl-0 = <&sys_grn_led_on &sys_red_led_on>;
++
++ led-0 {
++ label = "helios64:green:status";
++ gpios = <&gpio0 RK_PB4 GPIO_ACTIVE_HIGH>;
++ default-state = "on";
++ };
++
++ led-1 {
++ label = "helios64:red:fault";
++ gpios = <&gpio0 RK_PB5 GPIO_ACTIVE_HIGH>;
++ default-state = "keep";
++ };
++ };
++
++ vcc1v8_sys_s0: vcc1v8-sys-s0 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc1v8_sys_s0";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ vin-supply = <&vcc1v8_sys_s3>;
++ };
++
++ vcc3v0_sd: vcc3v0-sd {
++ compatible = "regulator-fixed";
++ enable-active-high;
++ gpio = <&gpio0 RK_PA1 GPIO_ACTIVE_HIGH>;
++ regulator-name = "vcc3v0_sd";
++ regulator-boot-on;
++ regulator-min-microvolt = <3000000>;
++ regulator-max-microvolt = <3000000>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&sdmmc0_pwr_h>;
++ vin-supply = <&vcc3v3_sys_s3>;
++ };
++
++ vcc3v3_sys_s3: vcc_lan: vcc3v3-sys-s3 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc3v3_sys_s3";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ vin-supply = <&vcc5v0_sys>;
++
++ regulator-state-mem {
++ regulator-on-in-suspend;
++ };
++ };
++
++ vcc5v0_sys: vcc5v0-sys {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc5v0_sys";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <5000000>;
++ regulator-max-microvolt = <5000000>;
++ vin-supply = <&vcc12v_dcin_bkup>;
++
++ regulator-state-mem {
++ regulator-on-in-suspend;
++ };
++ };
++
++ vcc12v_dcin: vcc12v-dcin {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc12v_dcin";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <12000000>;
++ regulator-max-microvolt = <12000000>;
++ };
++
++ vcc12v_dcin_bkup: vcc12v-dcin-bkup {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc12v_dcin_bkup";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <12000000>;
++ regulator-max-microvolt = <12000000>;
++ vin-supply = <&vcc12v_dcin>;
++ };
++};
++
++/*
++ * The system doesn't run stable with cpu freq enabled, so disallow the lower
++ * frequencies until this problem is properly understood and resolved.
++ */
++&cluster0_opp {
++ /delete-node/ opp00;
++ /delete-node/ opp01;
++ /delete-node/ opp02;
++ /delete-node/ opp03;
++ /delete-node/ opp04;
++};
++
++&cluster1_opp {
++ /delete-node/ opp00;
++ /delete-node/ opp01;
++ /delete-node/ opp02;
++ /delete-node/ opp03;
++ /delete-node/ opp04;
++ /delete-node/ opp05;
++ /delete-node/ opp06;
++};
++
++&cpu_b0 {
++ cpu-supply = <&vdd_cpu_b>;
++};
++
++&cpu_b1 {
++ cpu-supply = <&vdd_cpu_b>;
++};
++
++&cpu_l0 {
++ cpu-supply = <&vdd_cpu_l>;
++};
++
++&cpu_l1 {
++ cpu-supply = <&vdd_cpu_l>;
++};
++
++&cpu_l2 {
++ cpu-supply = <&vdd_cpu_l>;
++};
++
++&cpu_l3 {
++ cpu-supply = <&vdd_cpu_l>;
++};
++
++&emmc_phy {
++ status = "okay";
++};
++
++&gmac {
++ assigned-clock-parents = <&clkin_gmac>;
++ assigned-clocks = <&cru SCLK_RMII_SRC>;
++ clock_in_out = "input";
++ phy-mode = "rgmii";
++ phy-supply = <&vcc_lan>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&rgmii_pins &gphy_reset>;
++ rx_delay = <0x20>;
++ tx_delay = <0x28>;
++ snps,reset-active-low;
++ snps,reset-delays-us = <0 10000 50000>;
++ snps,reset-gpio = <&gpio3 RK_PB7 GPIO_ACTIVE_LOW>;
++ status = "okay";
++};
++
++&i2c0 {
++ clock-frequency = <400000>;
++ i2c-scl-rising-time-ns = <168>;
++ i2c-scl-falling-time-ns = <4>;
++ status = "okay";
++
++ rk808: pmic@1b {
++ compatible = "rockchip,rk808";
++ reg = <0x1b>;
++ interrupt-parent = <&gpio0>;
++ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
++ clock-output-names = "xin32k", "rk808-clkout2";
++ pinctrl-names = "default";
++ pinctrl-0 = <&pmic_int_l>;
++ vcc1-supply = <&vcc5v0_sys>;
++ vcc2-supply = <&vcc5v0_sys>;
++ vcc3-supply = <&vcc5v0_sys>;
++ vcc4-supply = <&vcc5v0_sys>;
++ vcc6-supply = <&vcc5v0_sys>;
++ vcc7-supply = <&vcc5v0_sys>;
++ vcc8-supply = <&vcc3v3_sys_s3>;
++ vcc9-supply = <&vcc5v0_sys>;
++ vcc10-supply = <&vcc5v0_sys>;
++ vcc11-supply = <&vcc5v0_sys>;
++ vcc12-supply = <&vcc3v3_sys_s3>;
++ vddio-supply = <&vcc3v0_s3>;
++ wakeup-source;
++ #clock-cells = <1>;
++
++ regulators {
++ vdd_cpu_l: DCDC_REG2 {
++ regulator-name = "vdd_cpu_l";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <750000>;
++ regulator-max-microvolt = <1350000>;
++ regulator-ramp-delay = <6001>;
++
++ regulator-state-mem {
++ regulator-off-in-suspend;
++ };
++ };
++
++ vcc1v8_sys_s3: DCDC_REG4 {
++ regulator-name = "vcc1v8_sys_s3";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++
++ regulator-state-mem {
++ regulator-on-in-suspend;
++ regulator-suspend-microvolt = <1800000>;
++ };
++ };
++
++ vcc_sdio_s0: LDO_REG4 {
++ regulator-name = "vcc_sdio_s0";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <3000000>;
++
++ regulator-state-mem {
++ regulator-on-in-suspend;
++ regulator-suspend-microvolt = <3000000>;
++ };
++ };
++
++ vcc3v0_s3: LDO_REG8 {
++ regulator-name = "vcc3v0_s3";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <3000000>;
++ regulator-max-microvolt = <3000000>;
++
++ regulator-state-mem {
++ regulator-on-in-suspend;
++ regulator-suspend-microvolt = <3000000>;
++ };
++ };
++ };
++ };
++
++ vdd_cpu_b: regulator@40 {
++ compatible = "silergy,syr827";
++ reg = <0x40>;
++ fcs,suspend-voltage-selector = <1>;
++ regulator-name = "vdd_cpu_b";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <712500>;
++ regulator-max-microvolt = <1500000>;
++ regulator-ramp-delay = <1000>;
++ vin-supply = <&vcc5v0_sys>;
++
++ regulator-state-mem {
++ regulator-off-in-suspend;
++ };
++ };
++};
++
++&i2c2 {
++ clock-frequency = <400000>;
++ i2c-scl-rising-time-ns = <160>;
++ i2c-scl-falling-time-ns = <30>;
++ status = "okay";
++
++ temp@4c {
++ compatible = "national,lm75";
++ reg = <0x4c>;
++ };
++};
++
++&io_domains {
++ audio-supply = <&vcc1v8_sys_s0>;
++ bt656-supply = <&vcc1v8_sys_s0>;
++ gpio1830-supply = <&vcc3v0_s3>;
++ sdmmc-supply = <&vcc_sdio_s0>;
++ status = "okay";
++};
++
++&pinctrl {
++ gmac {
++ gphy_reset: gphy-reset {
++ rockchip,pins = <3 RK_PB7 RK_FUNC_GPIO &pcfg_output_low>;
++ };
++ };
++
++ leds {
++ sys_grn_led_on: sys-grn-led-on {
++ rockchip,pins = <0 RK_PB4 RK_FUNC_GPIO &pcfg_pull_down>;
++ };
++
++ sys_red_led_on: sys-red-led-on {
++ rockchip,pins = <0 RK_PB5 RK_FUNC_GPIO &pcfg_pull_down>;
++ };
++ };
++
++ pmic {
++ pmic_int_l: pmic-int-l {
++ rockchip,pins = <0 RK_PB2 RK_FUNC_GPIO &pcfg_pull_up>;
++ };
++ };
++
++ vcc3v0-sd {
++ sdmmc0_pwr_h: sdmmc0-pwr-h {
++ rockchip,pins = <0 RK_PA1 RK_FUNC_GPIO &pcfg_pull_up>;
++ };
++ };
++};
++
++&pmu_io_domains {
++ pmu1830-supply = <&vcc3v0_s3>;
++ status = "okay";
++};
++
++&sdhci {
++ bus-width = <8>;
++ mmc-hs200-1_8v;
++ non-removable;
++ vqmmc-supply = <&vcc1v8_sys_s0>;
++ status = "okay";
++};
++
++&sdmmc {
++ bus-width = <4>;
++ cap-sd-highspeed;
++ cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>;
++ disable-wp;
++ pinctrl-names = "default";
++ pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>;
++ vmmc-supply = <&vcc3v0_sd>;
++ vqmmc-supply = <&vcc_sdio_s0>;
++ status = "okay";
++};
++
++&uart2 {
++ status = "okay";
++};
+--
+2.28.0
+
diff --git a/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-PCIe-on-helios64.patch b/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-PCIe-on-helios64.patch
new file mode 100644
index 000000000..6abebd080
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-PCIe-on-helios64.patch
@@ -0,0 +1,113 @@
+From: Uwe Kleine-König <uwe@kleine-koenig.org>
+Date: Mon, 10 May 2021 11:09:32 +0200
+Subject: arm64: dts: rockchip: Add support for PCIe on helios64
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git/patch/?id=5a65adfa2ad1542f856fc7de3999d51f3a35d2e2
+
+This is enough to make the SATA controller visible:
+
+# lspci
+00:00.0 PCI bridge: Fuzhou Rockchip Electronics Co., Ltd RK3399 PCI Express Root Port
+01:00.0 SATA controller: JMicron Technology Corp. JMB58x AHCI SATA controller
+
+Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
+Link: https://lore.kernel.org/r/20210510090932.970447-1-uwe@kleine-koenig.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+---
+ .../dts/rockchip/rk3399-kobol-helios64.dts | 53 +++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+index 9d4a0885fd12..037dc5cdc3f3 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -23,6 +23,16 @@ aliases {
+ mmc1 = &sdhci;
+ };
+
++ avdd_0v9_s0: avdd-0v9-s0 {
++ compatible = "regulator-fixed";
++ regulator-name = "avdd_0v9_s0";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <900000>;
++ regulator-max-microvolt = <900000>;
++ vin-supply = <&vcc1v8_sys_s3>;
++ };
++
+ avdd_1v8_s0: avdd-1v8-s0 {
+ compatible = "regulator-fixed";
+ regulator-name = "avdd_1v8_s0";
+@@ -72,6 +82,18 @@ led-1 {
+ };
+ };
+
++ pcie_power: pcie-power {
++ compatible = "regulator-fixed";
++ enable-active-high;
++ gpio = <&gpio1 RK_PD0 GPIO_ACTIVE_HIGH>;
++ pinctrl-0 = <&pcie_pwr>;
++ pinctrl-names = "default";
++ regulator-boot-on;
++ regulator-name = "pcie_power";
++ startup-delay-us = <10000>;
++ vin-supply = <&vcc5v0_perdev>;
++ };
++
+ vcc1v8_sys_s0: vcc1v8-sys-s0 {
+ compatible = "regulator-fixed";
+ regulator-name = "vcc1v8_sys_s0";
+@@ -109,6 +131,16 @@ regulator-state-mem {
+ };
+ };
+
++ vcc5v0_perdev: vcc5v0-perdev {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc5v0_perdev";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <5000000>;
++ regulator-max-microvolt = <5000000>;
++ vin-supply = <&vcc12v_dcin_bkup>;
++ };
++
+ vcc5v0_sys: vcc5v0-sys {
+ compatible = "regulator-fixed";
+ regulator-name = "vcc5v0_sys";
+@@ -331,6 +363,20 @@ &io_domains {
+ status = "okay";
+ };
+
++&pcie_phy {
++ status = "okay";
++};
++
++&pcie0 {
++ num-lanes = <2>;
++ status = "okay";
++
++ vpcie12v-supply = <&vcc12v_dcin>;
++ vpcie3v3-supply = <&pcie_power>;
++ vpcie1v8-supply = <&avdd_1v8_s0>;
++ vpcie0v9-supply = <&avdd_0v9_s0>;
++};
++
+ &pinctrl {
+ gmac {
+ gphy_reset: gphy-reset {
+@@ -348,6 +394,13 @@ sys_red_led_on: sys-red-led-on {
+ };
+ };
+
++ pcie {
++ pcie_pwr: pcie-pwr {
++ rockchip,pins =
++ <1 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>;
++ };
++ };
++
+ pmic {
+ pmic_int_l: pmic-int-l {
+ rockchip,pins = <0 RK_PB2 RK_FUNC_GPIO &pcfg_pull_none>;
+--
+2.30.2
+
diff --git a/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-two-PWM-fans-on-h.patch b/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-two-PWM-fans-on-h.patch
new file mode 100644
index 000000000..9755e0b8c
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-rockchip-Add-support-for-two-PWM-fans-on-h.patch
@@ -0,0 +1,61 @@
+From: Uwe Kleine-König <uwe@kleine-koenig.org>
+Date: Mon, 10 May 2021 11:06:07 +0200
+Subject: arm64: dts: rockchip: Add support for two PWM fans on
+ helios64
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git/patch/?id=271b66414df0b172c936b3cfd1894b7939f84165
+
+On the helios64 board the two connectors P6 and P7 are supposed to
+power two fans. Add the corresponding pwm-fan devices.
+
+Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
+Link: https://lore.kernel.org/r/20210510090607.970145-1-uwe@kleine-koenig.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+---
+ .../dts/rockchip/rk3399-kobol-helios64.dts | 24 +++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+index 19485b552bc4..9d4a0885fd12 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -40,6 +40,20 @@ clkin_gmac: external-gmac-clock {
+ #clock-cells = <0>;
+ };
+
++ fan1 {
++ /* fan connected to P7 */
++ compatible = "pwm-fan";
++ pwms = <&pwm0 0 40000 0>;
++ cooling-levels = <0 80 170 255>;
++ };
++
++ fan2 {
++ /* fan connected to P6 */
++ compatible = "pwm-fan";
++ pwms = <&pwm1 0 40000 0>;
++ cooling-levels = <0 80 170 255>;
++ };
++
+ leds {
+ compatible = "gpio-leds";
+ pinctrl-names = "default";
+@@ -352,6 +366,16 @@ &pmu_io_domains {
+ status = "okay";
+ };
+
++&pwm0 {
++ /* pwm-fan on P7 */
++ status = "okay";
++};
++
++&pwm1 {
++ /* pwm-fan on P6 */
++ status = "okay";
++};
++
+ &sdhci {
+ bus-width = <8>;
+ mmc-hs200-1_8v;
+--
+2.30.2
+
diff --git a/debian/patches/features/arm64/arm64-dts-rockchip-Rely-on-SoC-external-pull-up-on-p.patch b/debian/patches/features/arm64/arm64-dts-rockchip-Rely-on-SoC-external-pull-up-on-p.patch
new file mode 100644
index 000000000..ef6dab336
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-rockchip-Rely-on-SoC-external-pull-up-on-p.patch
@@ -0,0 +1,32 @@
+From: Uwe Kleine-König <uwe@kleine-koenig.org>
+Date: Sun, 24 Jan 2021 22:03:28 +0100
+Subject: arm64: dts: rockchip: Rely on SoC external pull up on pmic-int-l on Helios64
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=1e58ba111421375c5948c3e8145bdd84b06ac095
+
+According to the schematic there is an external pull up, so there is no
+need to enable the internal one additionally. Using no pull up matches
+the vendor device tree.
+
+Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
+Link: https://lore.kernel.org/r/20210124210328.611707-2-uwe@kleine-koenig.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+index 2a561be724b2..66c725a34220 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -331,7 +331,7 @@ sys_red_led_on: sys-red-led-on {
+
+ pmic {
+ pmic_int_l: pmic-int-l {
+- rockchip,pins = <0 RK_PB2 RK_FUNC_GPIO &pcfg_pull_up>;
++ rockchip,pins = <0 RK_PB2 RK_FUNC_GPIO &pcfg_pull_none>;
+ };
+ };
+
+--
+2.30.2
+
diff --git a/debian/patches/features/arm64/arm64-dts-rockchip-kobol-helios64-Add-mmc-aliases.patch b/debian/patches/features/arm64/arm64-dts-rockchip-kobol-helios64-Add-mmc-aliases.patch
new file mode 100644
index 000000000..ad4b53de9
--- /dev/null
+++ b/debian/patches/features/arm64/arm64-dts-rockchip-kobol-helios64-Add-mmc-aliases.patch
@@ -0,0 +1,30 @@
+From: Uwe Kleine-König <ukleinek@debian.org>
+Date: Wed, 29 Mar 2021 09:45:58 +0100
+Subject: arm64: dts: rockchip: kobol-helios64: Add mmc aliases
+
+This patch is part of commit 5dcbe7e3862d ("arm64: dts: rockchip: move mmc
+aliases to board dts on rk3399") upstream. It is applied here only for Kobol's
+helios64 to simplify conflict resolution for some further patches. It currently
+is a noop as the same aliases already exist in rk3399.dtsi.
+
+Link: https://lore.kernel.org/r/20210324122235.1059292-7-heiko@sntech.de
+---
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+index 66c725a34220..19485b552bc4 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+@@ -18,6 +18,11 @@ / {
+ model = "Kobol Helios64";
+ compatible = "kobol,helios64", "rockchip,rk3399";
+
++ aliases {
++ mmc0 = &sdmmc;
++ mmc1 = &sdhci;
++ };
++
+ avdd_1v8_s0: avdd-1v8-s0 {
+ compatible = "regulator-fixed";
+ regulator-name = "avdd_1v8_s0";
+--
+2.30.2
+
diff --git a/debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch b/debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
new file mode 100644
index 000000000..1840fc4bd
--- /dev/null
+++ b/debian/patches/features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
@@ -0,0 +1,85 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 21 Aug 2019 00:32:16 +0100
+Subject: intel-iommu: Add Kconfig option to exclude iGPU by default
+Bug-Debian: https://bugs.debian.org/935270
+Bug-Kali: https://bugs.kali.org/view.php?id=5644
+
+There is still laptop firmware that touches the integrated GPU behind
+the operating system's back, and doesn't say so in the RMRR table.
+Enabling the IOMMU for all devices causes breakage.
+
+Replace CONFIG_INTEL_IOMMU_DEFAULT_ON with a 3-way choice
+corresponding to "on", "off", and "on,intgpu_off".
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/iommu/intel/Kconfig
++++ b/drivers/iommu/intel/Kconfig
+@@ -45,14 +45,28 @@ config INTEL_IOMMU_SVM
+ to access DMA resources through process address space by
+ means of a Process Address Space ID (PASID).
+
+-config INTEL_IOMMU_DEFAULT_ON
+- def_bool y
+- prompt "Enable Intel DMA Remapping Devices by default"
+- depends on INTEL_IOMMU
++if INTEL_IOMMU
++
++choice
++ prompt "Default state of Intel DMA Remapping Devices"
++ default INTEL_IOMMU_DEFAULT_ON
+ help
+- Selecting this option will enable a DMAR device at boot time if
+- one is found. If this option is not selected, DMAR support can
+- be enabled by passing intel_iommu=on to the kernel.
++ Choose whether Intel DMA Remapping Devices should be enabled
++ by default. This can be overridden at boot time using the
++ intel_iommu= kernel parameter.
++
++config INTEL_IOMMU_DEFAULT_ON
++ bool "Enable"
++
++config INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF
++ bool "Enable, excluding integrated GPU"
++
++config INTEL_IOMMU_DEFAULT_OFF
++ bool "Disable"
++
++endchoice
++
++endif
+
+ config INTEL_IOMMU_BROKEN_GFX_WA
+ bool "Workaround broken graphics drivers (going away soon)"
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -338,11 +338,7 @@ static int intel_iommu_attach_device(str
+ static phys_addr_t intel_iommu_iova_to_phys(struct iommu_domain *domain,
+ dma_addr_t iova);
+
+-#ifdef CONFIG_INTEL_IOMMU_DEFAULT_ON
+-int dmar_disabled = 0;
+-#else
+-int dmar_disabled = 1;
+-#endif /* CONFIG_INTEL_IOMMU_DEFAULT_ON */
++int dmar_disabled = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_OFF);
+
+ #ifdef CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON
+ int intel_iommu_sm = 1;
+@@ -354,7 +350,7 @@ int intel_iommu_enabled = 0;
+ EXPORT_SYMBOL_GPL(intel_iommu_enabled);
+
+ static int dmar_map_gfx = 1;
+-static int dmar_map_intgpu = 1;
++static int dmar_map_intgpu = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
+ static int dmar_forcedac;
+ static int intel_iommu_strict;
+ static int intel_iommu_superpage = 1;
+@@ -442,6 +438,7 @@ static int __init intel_iommu_setup(char
+ while (*str) {
+ if (!strncmp(str, "on", 2)) {
+ dmar_disabled = 0;
++ dmar_map_intgpu = 1;
+ pr_info("IOMMU enabled\n");
+ } else if (!strncmp(str, "off", 3)) {
+ dmar_disabled = 1;
diff --git a/debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch b/debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
new file mode 100644
index 000000000..1717d8fe2
--- /dev/null
+++ b/debian/patches/features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
@@ -0,0 +1,91 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 21 Aug 2019 00:05:30 +0100
+Subject: intel-iommu: Add option to exclude integrated GPU only
+Bug-Debian: https://bugs.debian.org/935270
+Bug-Kali: https://bugs.kali.org/view.php?id=5644
+
+There is still laptop firmware that touches the integrated GPU behind
+the operating system's back, and doesn't say so in the RMRR table.
+Enabling the IOMMU for all devices causes breakage, but turning it off
+for all graphics devices seems like a major weakness.
+
+Add an option, intel_iommu=igpu_off, to exclude only integrated GPUs
+from remapping. This is a narrower exclusion than igfx_off: it only
+affects Intel devices on the root bus. Devices attached through an
+external port (Thunderbolt or ExpressCard) won't be on the root bus.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 2 ++
+ drivers/iommu/intel/iommu.c | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -1837,6 +1837,8 @@
+ bypassed by not enabling DMAR with this option. In
+ this case, gfx device will use physical address for
+ DMA.
++ intgpu_off [Default Off]
++ Bypass the DMAR unit for an integrated GPU only.
+ forcedac [X86-64]
+ With this option iommu will not optimize to look
+ for io virtual address below 32-bit forcing dual
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -54,6 +54,9 @@
+ #define CONTEXT_SIZE VTD_PAGE_SIZE
+
+ #define IS_GFX_DEVICE(pdev) ((pdev->class >> 16) == PCI_BASE_CLASS_DISPLAY)
++#define IS_INTGPU_DEVICE(pdev) (IS_GFX_DEVICE(pdev) && \
++ (pdev)->vendor == 0x8086 && \
++ pci_is_root_bus((pdev)->bus))
+ #define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
+ #define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
+ #define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
+@@ -351,6 +354,7 @@ int intel_iommu_enabled = 0;
+ EXPORT_SYMBOL_GPL(intel_iommu_enabled);
+
+ static int dmar_map_gfx = 1;
++static int dmar_map_intgpu = 1;
+ static int dmar_forcedac;
+ static int intel_iommu_strict;
+ static int intel_iommu_superpage = 1;
+@@ -360,6 +364,7 @@ static int iommu_skip_te_disable;
+
+ #define IDENTMAP_GFX 2
+ #define IDENTMAP_AZALIA 4
++#define IDENTMAP_INTGPU 8
+
+ int intel_iommu_gfx_mapped;
+ EXPORT_SYMBOL_GPL(intel_iommu_gfx_mapped);
+@@ -445,6 +450,9 @@ static int __init intel_iommu_setup(char
+ } else if (!strncmp(str, "igfx_off", 8)) {
+ dmar_map_gfx = 0;
+ pr_info("Disable GFX device mapping\n");
++ } else if (!strncmp(str, "intgpu_off", 8)) {
++ dmar_map_intgpu = 0;
++ pr_info("Disable integrated GPU device mapping\n");
+ } else if (!strncmp(str, "forcedac", 8)) {
+ pr_info("Forcing DAC for PCI devices\n");
+ dmar_forcedac = 1;
+@@ -2890,6 +2898,9 @@ static int device_def_domain_type(struct
+
+ if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev))
+ return IOMMU_DOMAIN_IDENTITY;
++
++ if ((iommu_identity_mapping & IDENTMAP_INTGPU) && IS_INTGPU_DEVICE(pdev))
++ return IOMMU_DOMAIN_IDENTITY;
+ }
+
+ return 0;
+@@ -3325,6 +3336,9 @@ static int __init init_dmars(void)
+ if (!dmar_map_gfx)
+ iommu_identity_mapping |= IDENTMAP_GFX;
+
++ if (!dmar_map_intgpu)
++ iommu_identity_mapping |= IDENTMAP_INTGPU;
++
+ check_tylersburg_isoch();
+
+ ret = si_domain_init(hw_pass_through);
diff --git a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
new file mode 100644
index 000000000..62731a997
--- /dev/null
+++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
@@ -0,0 +1,193 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 12 Feb 2018 23:59:26 +0000
+Subject: x86: Make x32 syscall support conditional on a kernel parameter
+Bug-Debian: https://bugs.debian.org/708070
+Forwarded: https://lore.kernel.org/lkml/1415245982.3398.53.camel@decadent.org.uk/T/#u
+
+Enabling x32 in the standard amd64 kernel would increase its attack
+surface while provide no benefit to the vast majority of its users.
+No-one seems interested in regularly checking for vulnerabilities
+specific to x32 (at least no-one with a white hat).
+
+Still, adding another flavour just to turn on x32 seems wasteful. And
+the only differences on syscall entry are a few instructions that mask
+out the x32 flag and compare the syscall number.
+
+Use a static key to control whether x32 syscalls are really enabled, a
+Kconfig parameter to set its default value and a kernel parameter
+"syscall.x32" to change it at boot time.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ .../admin-guide/kernel-parameters.txt | 4 ++
+ arch/x86/Kconfig | 8 ++++
+ arch/x86/entry/common.c | 3 +-
+ arch/x86/entry/syscall_64.c | 46 +++++++++++++++++++
+ arch/x86/include/asm/elf.h | 6 ++-
+ arch/x86/include/asm/syscall.h | 13 ++++++
+ 6 files changed, 78 insertions(+), 2 deletions(-)
+
+Index: debian-kernel/Documentation/admin-guide/kernel-parameters.txt
+===================================================================
+--- debian-kernel.orig/Documentation/admin-guide/kernel-parameters.txt
++++ debian-kernel/Documentation/admin-guide/kernel-parameters.txt
+@@ -5000,6 +5000,10 @@
+ later by a loaded module cannot be set this way.
+ Example: sysctl.vm.swappiness=40
+
++ syscall.x32= [KNL,x86_64] Enable/disable use of x32 syscalls on
++ an x86_64 kernel where CONFIG_X86_X32 is enabled.
++ Default depends on CONFIG_X86_X32_DISABLED.
++
+ sysfs.deprecated=0|1 [KNL]
+ Enable/disable old style sysfs layout for old udev
+ on older distributions. When this option is enabled
+Index: debian-kernel/arch/x86/Kconfig
+===================================================================
+--- debian-kernel.orig/arch/x86/Kconfig
++++ debian-kernel/arch/x86/Kconfig
+@@ -2888,6 +2888,14 @@ config COMPAT_32
+ select HAVE_UID16
+ select OLD_SIGSUSPEND3
+
++config X86_X32_DISABLED
++ bool "x32 ABI disabled by default"
++ depends on X86_X32
++ default n
++ help
++ Disable the x32 ABI unless explicitly enabled using the
++ kernel paramter "syscall.x32=y".
++
+ config COMPAT
+ def_bool y
+ depends on IA32_EMULATION || X86_X32
+Index: debian-kernel/arch/x86/entry/common.c
+===================================================================
+--- debian-kernel.orig/arch/x86/entry/common.c
++++ debian-kernel/arch/x86/entry/common.c
+@@ -383,7 +383,8 @@ __visible noinstr void do_syscall_64(uns
+ nr = array_index_nospec(nr, NR_syscalls);
+ regs->ax = sys_call_table[nr](regs);
+ #ifdef CONFIG_X86_X32_ABI
+- } else if (likely((nr & __X32_SYSCALL_BIT) &&
++ } else if (x32_enabled &&
++ likely((nr & __X32_SYSCALL_BIT) &&
+ (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) {
+ nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT,
+ X32_NR_syscalls);
+Index: debian-kernel/arch/x86/entry/syscall_x32.c
+===================================================================
+--- debian-kernel.orig/arch/x86/entry/syscall_x32.c
++++ debian-kernel/arch/x86/entry/syscall_x32.c
+@@ -4,6 +4,9 @@
+ #include <linux/linkage.h>
+ #include <linux/sys.h>
+ #include <linux/cache.h>
++#include <linux/moduleparam.h>
++#undef MODULE_PARAM_PREFIX
++#define MODULE_PARAM_PREFIX "syscall."
+ #include <linux/syscalls.h>
+ #include <asm/unistd.h>
+ #include <asm/syscall.h>
+@@ -27,3 +30,46 @@ asmlinkage const sys_call_ptr_t x32_sys_
+ [0 ... __NR_x32_syscall_max] = &__x64_sys_ni_syscall,
+ #include <asm/syscalls_64.h>
+ };
++
++/* Maybe enable x32 syscalls */
++
++#if defined(CONFIG_X86_X32_DISABLED)
++DEFINE_STATIC_KEY_FALSE(x32_enabled_skey);
++#else
++DEFINE_STATIC_KEY_TRUE(x32_enabled_skey);
++#endif
++
++static int __init x32_param_set(const char *val, const struct kernel_param *p)
++{
++ bool enabled;
++ int ret;
++
++ ret = kstrtobool(val, &enabled);
++ if (ret)
++ return ret;
++ if (IS_ENABLED(CONFIG_X86_X32_DISABLED)) {
++ if (enabled) {
++ static_key_enable(&x32_enabled_skey.key);
++ pr_info("Enabled x32 syscalls\n");
++ }
++ } else {
++ if (!enabled) {
++ static_key_disable(&x32_enabled_skey.key);
++ pr_info("Disabled x32 syscalls\n");
++ }
++ }
++ return 0;
++}
++
++static int x32_param_get(char *buffer, const struct kernel_param *p)
++{
++ return sprintf(buffer, "%c\n",
++ static_key_enabled(&x32_enabled_skey) ? 'Y' : 'N');
++}
++
++static const struct kernel_param_ops x32_param_ops = {
++ .set = x32_param_set,
++ .get = x32_param_get,
++};
++
++arch_param_cb(x32, &x32_param_ops, NULL, 0444);
+Index: debian-kernel/arch/x86/include/asm/elf.h
+===================================================================
+--- debian-kernel.orig/arch/x86/include/asm/elf.h
++++ debian-kernel/arch/x86/include/asm/elf.h
+@@ -11,6 +11,9 @@
+ #include <asm/user.h>
+ #include <asm/auxvec.h>
+ #include <asm/fsgsbase.h>
++#ifndef COMPILE_OFFSETS /* avoid a circular dependency on asm-offsets.h */
++#include <asm/syscall.h>
++#endif
+
+ typedef unsigned long elf_greg_t;
+
+@@ -163,7 +166,8 @@ do { \
+
+ #define compat_elf_check_arch(x) \
+ (elf_check_arch_ia32(x) || \
+- (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
++ (IS_ENABLED(CONFIG_X86_X32_ABI) && x32_enabled && \
++ (x)->e_machine == EM_X86_64))
+
+ #if __USER32_DS != __USER_DS
+ # error "The following code assumes __USER32_DS == __USER_DS"
+Index: debian-kernel/arch/x86/include/asm/syscall.h
+===================================================================
+--- debian-kernel.orig/arch/x86/include/asm/syscall.h
++++ debian-kernel/arch/x86/include/asm/syscall.h
+@@ -13,6 +13,7 @@
+ #include <uapi/linux/audit.h>
+ #include <linux/sched.h>
+ #include <linux/err.h>
++#include <linux/jump_label.h>
+ #include <asm/thread_info.h> /* for TS_COMPAT */
+ #include <asm/unistd.h>
+
+@@ -31,6 +32,18 @@ extern const sys_call_ptr_t ia32_sys_cal
+ extern const sys_call_ptr_t x32_sys_call_table[];
+ #endif
+
++#if defined(CONFIG_X86_X32_ABI)
++#if defined(CONFIG_X86_X32_DISABLED)
++DECLARE_STATIC_KEY_FALSE(x32_enabled_skey);
++#define x32_enabled static_branch_unlikely(&x32_enabled_skey)
++#else
++DECLARE_STATIC_KEY_TRUE(x32_enabled_skey);
++#define x32_enabled static_branch_likely(&x32_enabled_skey)
++#endif
++#else
++#define x32_enabled 0
++#endif
++
+ /*
+ * Only the low 32 bits of orig_ax are meaningful, so we return int.
+ * This importantly ignores the high bits on 64-bit, so comparisons
diff --git a/debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch b/debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
new file mode 100644
index 000000000..7a7952003
--- /dev/null
+++ b/debian/patches/features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 5 Dec 2011 04:00:58 +0000
+Subject: x86: memtest: WARN if bad RAM found
+Bug-Debian: https://bugs.debian.org/613321
+Forwarded: http://thread.gmane.org/gmane.linux.kernel/1286471
+
+Since this is not a particularly thorough test, if we find any bad
+bits of RAM then there is a fair chance that there are other bad bits
+we fail to detect.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ mm/memtest.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+--- a/mm/memtest.c
++++ b/mm/memtest.c
+@@ -26,6 +26,10 @@ static u64 patterns[] __initdata = {
+
+ static void __init reserve_bad_mem(u64 pattern, phys_addr_t start_bad, phys_addr_t end_bad)
+ {
++#ifdef CONFIG_X86
++ WARN_ONCE(1, "Bad RAM detected. Use memtest86+ to perform a thorough test\n"
++ "and the memmap= parameter to reserve the bad areas.");
++#endif
+ pr_info(" %016llx bad mem addr %pa - %pa reserved\n",
+ cpu_to_be64(pattern), &start_bad, &end_bad);
+ memblock_reserve(start_bad, end_bad - start_bad);
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000000000..772b165a1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,141 @@
+debian/gitignore.patch
+
+# Disable features broken by exclusion of upstream files
+debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
+debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
+debian/dfsg/vs6624-disable.patch
+debian/dfsg/drivers-net-appletalk-cops.patch
+debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
+debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
+
+# Changes to support package build system
+debian/version.patch
+debian/uname-version-timestamp.patch
+debian/kernelvariables.patch
+debian/ia64-hardcode-arch-script-output.patch
+debian/mips-disable-werror.patch
+debian/mips-boston-disable-its.patch
+debian/mips-ieee754-relaxed.patch
+debian/arch-sh4-fix-uimage-build.patch
+debian/tools-perf-version.patch
+debian/tools-perf-install.patch
+debian/wireless-add-debian-wireless-regdb-certificates.patch
+debian/export-symbols-needed-by-android-drivers.patch
+debian/android-enable-building-ashmem-and-binder-as-modules.patch
+debian/documentation-drop-sphinx-version-check.patch
+debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
+debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
+debian/kbuild-abort-build-if-subdirs-used.patch
+
+# Fixes/improvements to firmware loading
+features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
+debian/iwlwifi-do-not-request-unreleased-firmware.patch
+bugfix/all/firmware_class-log-every-success-and-failure.patch
+bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
+bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
+debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
+
+# Patches from aufs5 repository, imported with debian/bin/genpatch-aufs.
+# These are only the changes needed to allow aufs to be built out-of-tree.
+#features/all/aufs5/aufs5-base.patch
+#features/all/aufs5/aufs5-mmap.patch
+#features/all/aufs5/aufs5-standalone.patch
+
+# Change some defaults for security reasons
+debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
+debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
+debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
+debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
+debian/fs-enable-link-security-restrictions-by-default.patch
+
+# Set various features runtime-disabled by default
+debian/sched-autogroup-disabled.patch
+debian/yama-disable-by-default.patch
+debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
+features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
+features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
+
+# Disable autoloading/probing of various drivers by default
+debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
+debian/snd-pcsp-disable-autoload.patch
+bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
+debian/fjes-disable-autoload.patch
+
+# Taint if dangerous features are used
+debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
+debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
+
+# Arch bug fixes
+bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
+bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
+bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
+bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
+bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
+bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
+bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
+bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
+bugfix/x86/platform-x86-toshiba_haps-Fix-missing-newline-in-pr_.patch
+
+# Arch features
+features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
+features/arm64/arm64-dts-rockchip-Rely-on-SoC-external-pull-up-on-p.patch
+features/arm64/arm64-dts-rockchip-kobol-helios64-Add-mmc-aliases.patch
+features/arm64/arm64-dts-rockchip-Add-support-for-two-PWM-fans-on-h.patch
+features/arm64/arm64-dts-rockchip-Add-support-for-PCIe-on-helios64.patch
+features/arm64/arm64-dts-raspberry-Add-support-for-the-CM4.patch
+features/arm64/arm64-compat-Implement-misalignment-fixups-for-multi.patch
+features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
+features/x86/x86-make-x32-syscall-support-conditional.patch
+
+# Miscellaneous bug fixes
+bugfix/all/disable-some-marvell-phys.patch
+bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
+debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
+bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
+bugfix/all/wireguard-ignore-config_android.patch
+bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch
+bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch
+
+# Miscellaneous features
+
+# Lockdown missing pieces
+features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
+features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
+features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
+
+# Improve integrity platform keyring for kernel modules verification
+features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
+features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
+features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
+features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
+features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+
+# Security fixes
+debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+debian/ntfs-mark-it-as-broken.patch
+bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch
+bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
+bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
+
+# Fix exported symbol versions
+bugfix/all/module-disable-matching-missing-version-crc.patch
+
+# Tools bug fixes
+bugfix/all/usbip-document-tcp-wrappers.patch
+bugfix/all/kbuild-fix-recordmcount-dependency.patch
+bugfix/all/tools-perf-man-date.patch
+bugfix/all/tools-perf-remove-shebangs.patch
+bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
+bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
+bugfix/all/cpupower-bump-soname-version.patch
+bugfix/all/libcpupower-hide-private-function.patch
+bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
+bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
+bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
+
+# overlay: allow mounting in user namespaces
+debian/overlayfs-permit-mounts-in-userns.patch
+
+# ABI maintenance