sound/drivers/pcsp/pcsp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 snd-pcsp: disable autoload

drivers/video/fbdev/via/via-core.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 viafb: autoload on olpc xo 1.5 only
Bug-Debian: https://bugs.debian.org/705788

drivers/net/fjes/fjes_main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fjes: disable auto-loading
Bug-Debian: https://bugs.debian.org/853976

fs/notify/fanotify/fanotify_user.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 fanotify: taint on use of fanotify_access_permissions
Date: Wed, 13 Jul 2016 01:37:22 +0100

fs/btrfs/disk-io.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 btrfs: warn about raid5/6 being experimental at mount time
Bug-Debian: https://bugs.debian.org/863290

arch/arm/boot/dts/kirkwood-ts419.dtsi | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 arm: dts: kirkwood: fix sata pinmux-ing for ts419

arch/arm64/boot/dts/rockchip/rk3399-firefly.dts | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 arm64: dts: rockchip: correct voltage selector on firefly-rk3399
Bug-Debian: https://bugs.debian.org/900799

tools/perf/arch/x86/util/unwind-libunwind.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 perf tools: fix unwind build on i386

arch/sh/Makefile | 10 5 + 5 - 0 !
arch/sh/boot/Makefile | 16 8 + 8 - 0 !
arch/sh/boot/compressed/Makefile | 6 3 + 3 - 0 !
arch/sh/boot/romimage/Makefile | 4 2 + 2 - 0 !
4 files changed, 18 insertions(+), 18 deletions(-)

 sh: do not use hyphen in exported variable names

arch/arm/mm/flush.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 arm: mm: export __sync_icache_dcache() for xen-privcmd

arch/powerpc/boot/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 powerpc/boot: fix missing crc32poly.h when building with kernel_xz

arch/arm64/kernel/acpi.c | 40 36 + 4 - 0 !
1 file changed, 36 insertions(+), 4 deletions(-)

 arm64/acpi: add fixup for hpe m400 quirks

arch/x86/Kconfig.cpu | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 x86-32: disable 3d-now in generic config

We want the 686 flavour to run on Geode LX and similar AMD family 5
CPUs as well as family 6 and higher CPUs.  This used to work with
CONFIG_M686=y.  However commit 25d76ac88821 "x86/Kconfig: Explicitly
enumerate i686-class CPUs in Kconfig" in Linux 4.16 has made the
kernel require family 6 or higher.

It looks like a sensible choice would be to enable CONFIG_MGEODE_LX
and CONFIG_X86_GENERIC (for more generic optimisations), but this
currently enables CONFIG_X86_USE_3D_NOW which will cause the kernel to
crash on CPUs without the AMD-specific 3D-Now instructions.

Make CONFIG_X86_USE_3DNOW depend on CONFIG_X86_GENERIC being disabled.

arch/arm64/boot/dts/rockchip/Makefile | 1 1 + 0 - 0 !
arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts | 372 372 + 0 - 0 !
2 files changed, 373 insertions(+)

 arm64: dts: rockchip: add basic support for kobol's helios64

mm/memtest.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 x86: memtest: warn if bad ram found
Bug-Debian: https://bugs.debian.org/613321

Documentation/admin-guide/kernel-parameters.txt | 4 4 + 0 - 0 !
arch/x86/Kconfig | 8 8 + 0 - 0 !
arch/x86/entry/common.c | 3 2 + 1 - 0 !
arch/x86/entry/syscall_x32.c | 46 46 + 0 - 0 !
arch/x86/include/asm/elf.h | 6 5 + 1 - 0 !
arch/x86/include/asm/syscall.h | 13 13 + 0 - 0 !
6 files changed, 78 insertions(+), 2 deletions(-)

 x86: make x32 syscall support conditional on a kernel parameter
Bug-Debian: https://bugs.debian.org/708070

drivers/net/phy/marvell.c | 16 13 + 3 - 0 !
1 file changed, 13 insertions(+), 3 deletions(-)

 phy/marvell: disable 4-port phys
Date: Wed, 20 Nov 2013 08:30:14 +0000
Bug-Debian: https://bugs.debian.org/723177

fs/btrfs/super.c | 2 1 + 1 - 0 !
fs/ext4/super.c | 2 1 + 1 - 0 !
fs/f2fs/super.c | 1 1 + 0 - 0 !
fs/jbd2/journal.c | 1 1 + 0 - 0 !
fs/nfsd/nfsctl.c | 3 3 + 0 - 0 !
5 files changed, 7 insertions(+), 2 deletions(-)

 fs: add module_softdep declarations for hard-coded crypto drivers
Bug-Debian: https://bugs.debian.org/819725

drivers/usb/common/Kconfig | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 partially revert "usb: kconfig: using select for usb_common  dependency"

Makefile | 44 22 + 22 - 0 !
1 file changed, 22 insertions(+), 22 deletions(-)

 makefile: do not check for libelf when building oot module

When building out-of-tree modules, the necessary tools should have
already been built.  We therefore do not need libelf-dev to be
installed.

This effectively reverts commit 9f0c18aec620 "objtool: Fix
CONFIG_STACK_VALIDATION=y warning for out-of-tree modules", and
similarly moves the check introduced by commit 33a57ce0a54d "bpf:
Compile resolve_btfids tool at kernel compilation start".

arch/alpha/include/uapi/asm/sockios.h | 4 2 + 2 - 0 !
arch/mips/include/uapi/asm/sockios.h | 4 2 + 2 - 0 !
arch/sh/include/uapi/asm/sockios.h | 5 2 + 3 - 0 !
arch/xtensa/include/uapi/asm/sockios.h | 4 2 + 2 - 0 !
include/uapi/asm-generic/sockios.h | 4 2 + 2 - 0 !
include/uapi/linux/sockios.h | 12 0 + 12 - 0 !
net/socket.c | 12 6 + 6 - 0 !
7 files changed, 16 insertions(+), 29 deletions(-)

 partially revert "net: socket: implement 64-bit timestamps"

The introduction of SIOCGSTAMP{,NS}_OLD and move of SICOGSTAMP{,NS} to

arch/x86/kernel/setup.c | 14 1 + 13 - 0 !
drivers/firmware/efi/Makefile | 1 1 + 0 - 0 !
drivers/firmware/efi/secureboot.c | 39 39 + 0 - 0 !
include/linux/efi.h | 16 10 + 6 - 0 !
4 files changed, 51 insertions(+), 19 deletions(-)

 [28/30] efi: add an efi_secure_boot flag to indicate secure boot mode

arch/x86/kernel/setup.c | 4 2 + 2 - 0 !
drivers/firmware/efi/secureboot.c | 5 5 + 0 - 0 !
include/linux/security.h | 6 6 + 0 - 0 !
security/lockdown/Kconfig | 15 15 + 0 - 0 !
security/lockdown/lockdown.c | 2 1 + 1 - 0 !
5 files changed, 29 insertions(+), 3 deletions(-)

> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels.  Certain use cases may also
> require that all kernel modules also be signed.  Add a configuration option
> that to lock down the kernel - which includes requiring validly signed
> modules - if the kernel is secure-booted.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

drivers/mtd/devices/phram.c | 6 5 + 1 - 0 !
drivers/mtd/devices/slram.c | 9 8 + 1 - 0 !
2 files changed, 13 insertions(+), 2 deletions(-)

 mtd: phram,slram: disable when the kernel is locked down

drivers/firmware/efi/efi-init.c | 5 4 + 1 - 0 !
drivers/firmware/efi/fdtparams.c | 12 11 + 1 - 0 !
drivers/firmware/efi/libstub/fdt.c | 6 6 + 0 - 0 !
include/linux/efi.h | 3 2 + 1 - 0 !
4 files changed, 23 insertions(+), 3 deletions(-)

 arm64: add kernel config option to lock down when in secure boot mode
Bug-Debian: https://bugs.debian.org/831827

security/integrity/platform_certs/load_uefi.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch 1/5] modsign: do not load mok when secure boot disabled

security/integrity/platform_certs/load_uefi.c | 47 31 + 16 - 0 !
1 file changed, 31 insertions(+), 16 deletions(-)

 modsign: load blacklist from mokx

Loosely based on a patch by "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
at <https://lore.kernel.org/patchwork/patch/933177/> which was later
rebased by Luca Boccassi.

This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.

Since MOK list loading became more complicated in 5.10 and was moved
to load_moklist_certs(), add parameters to that and call it once for
each of MokListRT and MokListXRT.

Signed-off-by: Ben Hutchings <benh@debian.org>

kernel/module_signing.c | 59 57 + 2 - 0 !
1 file changed, 57 insertions(+), 2 deletions(-)

 [patch 3/4] modsign: checking the blacklisted hash before loading a
 kernel module

security/integrity/platform_certs/load_uefi.c | 24 19 + 5 - 0 !
1 file changed, 19 insertions(+), 5 deletions(-)

 [patch 4/4] modsign: check the attributes of db and mok

kernel/module_signing.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 modsign: make shash allocation failure fatal

mod_is_hash_blacklisted() currently returns 0 (suceess) if
crypto_alloc_shash() fails.  This should instead be a fatal error,
so unwrap and pass up the error code.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

kernel/module_signing.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch] keys: make use of platform keyring for module signature
 verify
Bug-Debian: https://bugs.debian.org/935945

arch/x86/pci/common.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [i386/686-pae] pci: set pci=nobios by default

fs/ntfs/Kconfig | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 ntfs: mark it as broken

NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
CVE-2018-12931.  ntfs-3g is a better supported alternative.

Make sure it can't be enabled even in custom kernels.

arch/x86/net/bpf_jit_comp.c | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 bpf, x86: validate computation of branch displacements for x86-64

arch/x86/net/bpf_jit_comp32.c | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 bpf, x86: validate computation of branch displacements for x86-32

kernel/module.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 module: disable matching missing version crc

tools/usb/usbip/doc/usbipd.8 | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 usbip: document tcp wrappers

scripts/Makefile.build | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 kbuild: fix recordmcount dependency for oot modules
Date: Mon, 08 Sep 2014 18:31:24 +0100

tools/perf/Documentation/Makefile | 3 3 + 0 - 0 !
tools/perf/Documentation/asciidoc.conf | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 perf tools: use $kbuild_build_timestamp as man page date

tools/perf/scripts/perl/rw-by-file.pl | 1 0 + 1 - 0 !
tools/perf/scripts/perl/rw-by-pid.pl | 1 0 + 1 - 0 !
tools/perf/scripts/perl/rwtop.pl | 1 0 + 1 - 0 !
tools/perf/scripts/perl/wakeup-latency.pl | 1 0 + 1 - 0 !
4 files changed, 4 deletions(-)

 tools/perf: remove shebang lines from perf scripts