Update from 5.4 to 5.10.1

- rediffed most of patches, renamed files to easify further rediffs by git format-patch - thanks to abf.io/kernels_stable for some patches for kernel 5.9 - using unofficial patch for AUFS for kernel 5.10, there may be issues with stability, try to avoid using AUFS (I would have dropped it, but MagOS wants it very much) - pulled updates of AltHa from http://git.altlinux.org/gears/k/kernel-image-un-def.git?p=kernel-image-un-def.git;a=history;f=security/altha;hb=HEAD - dropped patch adding sysctl to disable disk-based swap because it has not found any usage - bpf is now in the list of LSM modules (ability to write LSM modules as BPF programs), enable it, it is potentially useful and does not seem to be harmful - keeping kernel libc headers in older kernels for now - dropped building external virtualbox guest modules because they are now included into the mainline kernel - offed building VirtualBox host modules, I do not know how to keep these binary modules in sync with userspace part of VirtualBox, users can continue using dkms - offed building kernel-shredder because it is not buildable on kernel 5.10 - updated rtl8821ce and added a dependency from its "blacklist" subpackage here (see https://github.com/tomaspinho/rtl8821ce/commit/14b536f0) It is not clear if kernel 5.10 will receive an LTS support longer than 5.4 or not. Support until Dec, 2022 is declared right now at https://www.kernel.org/category/releases.html for 5.10 and until Dec, 2025 - for 5.4. TODO: update kernel configs TODO: solve problems with version of virtualbox host modules not matching version of the virtualbox package after virtualbox is updated but kernel is not rebuilt
2025-02-23 10:32:54 +00:00 · 2020-12-20 18:49:24 +03:00 · 2020-12-20 18:49:24 +03:00 · 5488a28d4b
commit 5488a28d4b
parent cdf9863011
14 changed files with 1329 additions and 660 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,6 +1,6 @@
 sources:
-  linux-5.4.tar.xz: 98ae49ad49397d5a4dcb3ff9a082223edf7c5bbd
+  linux-5.10.tar.xz: be0b909f1fbb760cc2d5cf146e1da3b2af0cf899
-  patch-5.4.83.xz: fd46a3194568fde38ce5deb974b522c835beed22
+  patch-5.10.1.xz: bd49d5869b7b8654f0492622893e1b5b56ca245e
  public_key_GOST_1.pem: b4fb6bf1cf73824944931a8f0c2cb7bf427e0774
  public_key_GOST_2.pem: cba209bd331f29031c5d945949b230a8d7a4dc12
  public_key_GOST_3.pem: e5a223dd7c556d4d0cac326f5ed9fc12dd769afb
--- a/0001-AltHa-LSM-module.patch
+++ b/0001-AltHa-LSM-module.patch
@ -1,4 +1,4 @@
-From f690c6792f5ca5737627ebf800086d7408f17456 Mon Sep 17 00:00:00 2001
+From e9343095462964e78faadde92bab44a6a13cd4da Mon Sep 17 00:00:00 2001
 From: Kernel Bot <kernelbot@altlinux.org>
 Date: Wed, 21 Aug 2019 16:11:26 +0300
 Subject: [PATCH 1/2] AltHa LSM module
@ -15,7 +15,7 @@ Changelog:
 * lists handling rewritten
 * indentation fixed
-Rediffed for vanilla kernel 5.4.25
+Rediffed for vanilla kernel 5.10.1
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 security/Kconfig           |   3 +-
@ -29,7 +29,7 @@ Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 create mode 100644 security/altha/altha_lsm.c
 diff --git a/security/Kconfig b/security/Kconfig
-index 2a1a2d396228..d21a120b66d4 100644
+index 7561f6f99f1d..b7551d9001e6 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
@@ -238,6 +238,7 @@ source "security/loadpin/Kconfig"
@ -41,34 +41,34 @@ index 2a1a2d396228..d21a120b66d4 100644
 source "security/integrity/Kconfig"
@@ -281,7 +282,7 @@ config LSM
- 	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
+ 	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
- 	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
+ 	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
- 	default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
+ 	default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
-	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
+-	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
-+	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,altha"
+	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,altha"
 	help
 	  A comma-separated list of LSMs, in initialization order.
 	  Any LSMs left off this list will be ignored. This can be
 diff --git a/security/Makefile b/security/Makefile
-index be1dd9d2cb2f..7c9628c2017e 100644
+index 3baf435de541..9cc6f5b1b099 100644
 --- a/security/Makefile
 +++ b/security/Makefile
-@@ -12,6 +12,7 @@ subdir-$(CONFIG_SECURITY_YAMA)		+= yama
+@@ -13,6 +13,7 @@ subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
 subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown
 subdir-$(CONFIG_BPF_LSM)		+= bpf
 +subdir-$(CONFIG_SECURITY_ALTHA)		+= altha
 # always enable default capabilities
 obj-y					+= commoncap.o
-@@ -29,6 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA)		+= yama/
+@@ -32,6 +33,7 @@ obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
 obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
 obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
 obj-$(CONFIG_BPF_LSM)			+= bpf/
 +obj-$(CONFIG_SECURITY_ALTHA)		+= altha/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)		+= integrity
 diff --git a/security/altha/Kconfig b/security/altha/Kconfig
 new file mode 100644
 index 000000000000..4bafdef4e58e
@ -427,5 +427,5 @@ index 000000000000..7d1cc8f8a1a7
 +};
 +
 -- 
-2.20.1
+2.25.1
--- a/0001-Apply-AUFS-5.patch
+++ b/0001-Apply-AUFS-5.patch
--- a/0001-audit-make-it-less-verbose.patch
+++ b/0001-audit-make-it-less-verbose.patch
@ -1,7 +1,7 @@
-From bd9b98a36fb8afa9d3a3900817b340543215da6d Mon Sep 17 00:00:00 2001
+From edce12c92c0d1e02a6f41344290ee7adee745ef4 Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
 Date: Wed, 11 Dec 2019 21:10:42 +0300
-Subject: [PATCH 1/4] audit: make it less verbose
+Subject: [PATCH] audit: make it less verbose
 It seems, if audit itself is not installed and therefore nothing listens
 to the messages from the kernel's audit subsystem, the latter spams the
@ -11,15 +11,16 @@ Let us make them debug-level and thus invisible by default.
 http://bugs.rosalinux.ru/show_bug.cgi?id=6235
 http://bugs.rosalinux.ru/show_bug.cgi?id=6459
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/audit.c b/kernel/audit.c
-index da8dc0db5bd3..b1d0cebb78dd 100644
+index 68cee3bc8cfe..805633090ea5 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
-@@ -529,7 +529,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
+@@ -535,7 +535,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
 	char *data = nlmsg_data(nlh);
 	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
@ -29,5 +30,5 @@ index da8dc0db5bd3..b1d0cebb78dd 100644
 /**
 -- 
-2.20.1
+2.25.1
--- a/0001-disable-mrproper-prepare-scripts-configs-in-devel-rp.patch
+++ b/0001-disable-mrproper-prepare-scripts-configs-in-devel-rp.patch
@ -1,19 +1,22 @@
-From 48ce0cd16a2ea82bf0146ca82d883d677e1ab574 Mon Sep 17 00:00:00 2001
+From 1a821310ed4c0519e7fe534ea0a4ba46e604ee4f Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 Date: Wed, 11 Dec 2019 21:15:36 +0300
-Subject: [PATCH 3/4] disable mrproper prepare scripts configs in devel rpms
+Subject: [PATCH] disable mrproper prepare scripts configs in devel rpms
 This is for disabling *config, mrproper, prepare, scripts on -devel rpms
 Needed, because otherwise the -devel won't build correctly.
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
- Makefile                 | 23 ++++++-----------------
+ Makefile                 | 22 +++++-----------------
 scripts/kconfig/Makefile | 17 -----------------
- 2 files changed, 6 insertions(+), 34 deletions(-)
+ 2 files changed, 5 insertions(+), 34 deletions(-)
 diff --git a/Makefile b/Makefile
-index e67f2e95b71d..a30833efd9a2 100644
+index 076d4e6b9ccc..75bf27049d60 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -1093,8 +1093,7 @@ include/config/kernel.release: FORCE
+@@ -1186,8 +1186,7 @@ include/config/kernel.release: FORCE
 # Carefully list dependencies so we do not try to build scripts twice
 # in parallel
 PHONY += scripts
@ -23,36 +26,35 @@ index e67f2e95b71d..a30833efd9a2 100644
 # Things we need to do before we recursively start building the kernel
 # or the modules are listed in "prepare".
-@@ -1112,7 +1111,7 @@ prepare0: archprepare
+@@ -1206,7 +1205,7 @@ prepare0: archprepare
 	$(Q)$(MAKE) $(build)=.
 # All the preparing..
-prepare: prepare0 prepare-objtool
+-prepare: prepare0 prepare-objtool prepare-resolve_btfids
 +prepare:
 # Support for using generic headers in asm-generic
 asm-generic := -f $(srctree)/scripts/Makefile.asm-generic obj
-@@ -1363,15 +1362,8 @@ CLEAN_DIRS  += include/ksym
+@@ -1472,15 +1471,7 @@ CLEAN_FILES += include/ksym vmlinux.symvers \
- CLEAN_FILES += modules.builtin.modinfo
+ 	       compile_commands.json
 # Directories & files removed with 'make mrproper'
-MRPROPER_DIRS  += include/config include/generated          \
+-MRPROPER_FILES += include/config include/generated          \
 -		  arch/$(SRCARCH)/include/generated .tmp_objdiff \
-		  debian/ snap/ tar-install/
+-		  debian snap tar-install \
-MRPROPER_FILES += .config .config.old .version \
+-		  .config .config.old .version \
 -		  Module.symvers \
 -		  signing_key.pem signing_key.priv signing_key.x509	\
 -		  x509.genkey extra_certificates signing_key.x509.keyid	\
 -		  signing_key.x509.signer vmlinux-gdb.py \
 -		  *.spec
 +MRPROPER_DIRS  += ""
 +MRPROPER_FILES += ""
 # Directories & files removed with 'make distclean'
- DISTCLEAN_DIRS  +=
+ DISTCLEAN_FILES += tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
-@@ -1394,13 +1386,10 @@ clean: archclean vmlinuxclean
+@@ -1500,13 +1491,10 @@ clean: archclean vmlinuxclean
 # mrproper - Delete all generated files, including .config
 #
 mrproper: rm-dirs  := $(wildcard $(MRPROPER_DIRS))
 mrproper: rm-files := $(wildcard $(MRPROPER_FILES))
 -mrproper-dirs      := $(addprefix _mrproper_,scripts)
@ -63,55 +65,55 @@ index e67f2e95b71d..a30833efd9a2 100644
 -mrproper: clean $(mrproper-dirs)
 +mrproper: clean
 	$(call cmd,rmdirs)
 	$(call cmd,rmfiles)
 # distclean
 diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile
-index ef2f2336c469..0a8eb06085ba 100644
+index e46df0a2d4f9..edceb8d1d213 100644
 --- a/scripts/kconfig/Makefile
 +++ b/scripts/kconfig/Makefile
-@@ -24,19 +24,14 @@ endif
+@@ -20,19 +20,14 @@ endif
 unexport CONFIG_
 xconfig: $(obj)/qconf
-	$< $(silent) $(Kconfig)
+-	$(Q)$< $(silent) $(Kconfig)
 gconfig: $(obj)/gconf
-	$< $(silent) $(Kconfig)
+-	$(Q)$< $(silent) $(Kconfig)
 menuconfig: $(obj)/mconf
-	$< $(silent) $(Kconfig)
+-	$(Q)$< $(silent) $(Kconfig)
 config: $(obj)/conf
-	$< $(silent) --oldaskconfig $(Kconfig)
+-	$(Q)$< $(silent) --oldaskconfig $(Kconfig)
 nconfig: $(obj)/nconf
-	$< $(silent) $(Kconfig)
+-	$(Q)$< $(silent) $(Kconfig)
 build_menuconfig: $(obj)/mconf
-@@ -52,11 +47,9 @@ localyesconfig localmodconfig: $(obj)/conf
+@@ -48,11 +43,9 @@ localyesconfig localmodconfig: $(obj)/conf
- 			cmp -s .tmp.config .config ||			\
+ 		cmp -s .tmp.config .config ||			\
- 			(mv -f .config .config.old.1;			\
+ 		(mv -f .config .config.old.1;			\
- 			 mv -f .tmp.config .config;			\
+ 		 mv -f .tmp.config .config;			\
-			 $< $(silent) --oldconfig $(Kconfig);		\
+-		 $< $(silent) --oldconfig $(Kconfig);		\
- 			 mv -f .config.old.1 .config.old)		\
+ 		 mv -f .config.old.1 .config.old)		\
- 	else								\
+ 	else							\
- 			mv -f .tmp.config .config;			\
+ 		mv -f .tmp.config .config;			\
-			$< $(silent) --oldconfig $(Kconfig);		\
+-		$< $(silent) --oldconfig $(Kconfig);		\
 	fi
 	$(Q)rm -f .tmp.config
-@@ -70,24 +63,14 @@ simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \
+@@ -68,24 +61,14 @@ simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \
 PHONY += $(simple-targets)
 $(simple-targets): $(obj)/conf
-	$< $(silent) --$@ $(Kconfig)
+-	$(Q)$< $(silent) --$@ $(Kconfig)
 PHONY += savedefconfig defconfig
 savedefconfig: $(obj)/conf
-	$< $(silent) --$@=defconfig $(Kconfig)
+-	$(Q)$< $(silent) --$@=defconfig $(Kconfig)
 defconfig: $(obj)/conf
 -ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),)
@ -128,5 +130,5 @@ index ef2f2336c469..0a8eb06085ba 100644
 configfiles=$(wildcard $(srctree)/kernel/configs/$@ $(srctree)/arch/$(SRCARCH)/configs/$@)
 -- 
-2.20.1
+2.25.1
--- a/0001-mm-add-sysctl-to-disable-disk-based-swap.patch
+++ b/0001-mm-add-sysctl-to-disable-disk-based-swap.patch
@ -1,170 +0,0 @@
 From 739b745efb929453f41472e111760be6f8be6a3a Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Sat, 1 Aug 2020 12:43:53 +0300
 Subject: [PATCH] mm: add sysctl to disable disk-based swap
 Sometimes it is needed to disallow using disk-based swaps, for example,
 when it is required to ensure that any secret information is not left on disk.
 When something is written to disk, it can be restored in most cases
 unless being overwritten. When memory data is stored on disk, we cannot be
 sure that it will be overwritten and so cannot be sure that secret information
 is deleted securely.
 CONFIG_INIT_ON_FREE_DEFAULT_ON=y makes the kernel overwrite everything that is
 deleted from memory, but it does not ensure that regions of the disk with swap
 are overwritten. Currently there is no way to ensure wiping swap on disk.
 In such conditions it makes sense to disallow usage of disk-based swap.
 This patch adds sysctl vm.disk_based_swap, by default is is 1, which means that
 disk-based swap (both swap files and swap partitions) can be used.
 If = 0, than only zram swap is allowed, zram is not a disk-based swap
 (but note that zram can offload parts of it to disk, CONFIG_ZRAM_WRITEBACK,
 it is not controlled by this sysctl).
 This patch is based on patches from Chromium OS Linux kernel [1, 2, 3, 4]
 Patch [5] is taken as an example of adding a sysctl.
 TODO: print a message why swap was blocked.
 [1] https://gitlab.freedesktop.org/seanpaul/dpu-staging/commit/0b992f2dbb044896c3584e10bd5b97cf41e2ec6d
 [2] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/880b2d77404682761ae2e19297f1183fd434b0ec%5E%21/
 [3] https://chromium.googlesource.com/chromiumos/third_party/kernel/+blame/refs/heads/chromeos-5.4/mm/swapfile.c
 [4] https://chromium.googlesource.com/chromiumos/third_party/kernel/+blame/refs/heads/chromeos-5.4/kernel/sysctl.c
 [5] https://patchwork.kernel.org/patch/10858771/
 Author of [2] in Chromium OS kernel:
 Co-authored-by: Will Drewry <wad@chromium.org>
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 Documentation/admin-guide/sysctl/vm.rst |  8 ++++++++
 include/linux/mm.h                      |  2 ++
 init/Kconfig                            | 11 +++++++++++
 kernel/sysctl.c                         |  9 +++++++++
 mm/swapfile.c                           | 16 ++++++++++++++++
 5 files changed, 46 insertions(+)
 diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
 index 64aeee1009ca..9d60154695f6 100644
 --- a/Documentation/admin-guide/sysctl/vm.rst
 +++ b/Documentation/admin-guide/sysctl/vm.rst
@@ -35,6 +35,7 @@ Currently, these files are in /proc/sys/vm:
 - dirty_ratio
 - dirtytime_expire_seconds
 - dirty_writeback_centisecs
 +- disk_based_swap
 - drop_caches
 - extfrag_threshold
 - hugetlb_shm_group
@@ -209,6 +210,13 @@ out to disk.  This tunable expresses the interval between those wakeups, in
 Setting this to zero disables periodic writeback altogether.
 +disk_based_swap
 +===============
 +
 +Disables (0) or enables (1) usage of disk-based swap, both swap files and
 +swap partitions. When disabled, only zram swap can be used, and disk-based
 +swap is prohibited then.
 +
 drop_caches
 ===========
 diff --git a/include/linux/mm.h b/include/linux/mm.h
 index 3285dae06c03..f8b9522da07d 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
@@ -2901,5 +2901,7 @@ static inline int pages_identical(struct page *page1, struct page *page2)
 	return !memcmp_pages(page1, page2);
 }
 +extern int sysctl_disk_based_swap;
 +
 #endif /* __KERNEL__ */
 #endif /* _LINUX_MM_H */
 diff --git a/init/Kconfig b/init/Kconfig
 index 87e4f2ac7c5e..4187799a9d13 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
@@ -280,6 +280,17 @@ config SWAP
 	  used to provide more virtual memory than the actual RAM present
 	  in your computer.  If unsure say Y.
 +config DISK_BASED_SWAP_DEFAULT_ON
 +	bool "Allow disk-based swap"
 +	depends on SWAP
 +	default y
 +	help
 +	  If true, disk-based swap (either a file or a partition) is allowed,
 +	  otherwise only zram swap is allowed.
 +	  sysctl vm.disk_based_swap = [ 1 | 0 ]
 +	  Note that zram writeback feature is not controlled by this sysctl.
 +	  If unsure say Y.
 +
 config SYSVIPC
 	bool "System V IPC"
 	---help---
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
 index 70665934d53e..5f2e4613e655 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
@@ -1405,6 +1405,15 @@ static struct ctl_table vm_table[] = {
 		.proc_handler	= dirtytime_interval_handler,
 		.extra1		= SYSCTL_ZERO,
 	},
 +	{
 +		.procname	= "disk_based_swap",
 +		.data		= &sysctl_disk_based_swap,
 +		.maxlen		= sizeof(sysctl_disk_based_swap),
 +		.mode		= 0644,
 +		.proc_handler	= proc_dointvec_minmax,
 +		.extra1		= SYSCTL_ZERO,
 +		.extra2		= SYSCTL_ONE,
 +	},
 	{
 		.procname	= "swappiness",
 		.data		= &vm_swappiness,
 diff --git a/mm/swapfile.c b/mm/swapfile.c
 index 891a3ef48651..ef79f4d03809 100644
 --- a/mm/swapfile.c
 +++ b/mm/swapfile.c
@@ -2871,12 +2871,26 @@ static struct swap_info_struct *alloc_swap_info(void)
 	return p;
 }
 +#ifdef CONFIG_DISK_BASED_SWAP_DEFAULT_ON
 +int sysctl_disk_based_swap __read_mostly = 1;
 +#else
 +int sysctl_disk_based_swap __read_mostly = 0;
 +#endif
 +
 static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
 {
 	int error;
 	if (S_ISBLK(inode->i_mode)) {
 +		char name[BDEVNAME_SIZE];
 		p->bdev = bdgrab(I_BDEV(inode));
 +		bdevname(p->bdev, name);
 +		// If sysctl vm.disk_based_swap = false, prohibit any swaps but zram
 +		if (!sysctl_disk_based_swap && strncmp(name, "zram", strlen("zram"))) {
 +			bdput(p->bdev);
 +			p->bdev = NULL;
 +			return -EINVAL;
 +		}
 		error = blkdev_get(p->bdev,
 				   FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
 		if (error < 0) {
@@ -2889,6 +2903,8 @@ static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
 			return error;
 		p->flags |= SWP_BLKDEV;
 	} else if (S_ISREG(inode->i_mode)) {
 +		if (!sysctl_disk_based_swap)
 +			return -EINVAL;
 		p->bdev = inode->i_sb->s_bdev;
 	}
 -- 
 2.17.1
--- a/0001-perf-skip-xmlto-validation.patch
+++ b/0001-perf-skip-xmlto-validation.patch
@ -1,18 +1,23 @@
-From fca5cb9534cbe7da52c234021aa802542fccceff Mon Sep 17 00:00:00 2001
+From 8d376cb0241182ae4859db3aa7f790996054ae75 Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
 Date: Wed, 11 Dec 2019 21:12:06 +0300
-Subject: [PATCH 2/4] perf: skip xmlto validation
+Subject: [PATCH] perf: skip xmlto validation
 Perf docs are built after all the kernels. To validate the xml files
 generated during that process, xmlto tries to get DTD files from the Net.
 If it fails, the whole build fails, which is unfortunate. Let us avoid this.
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 tools/perf/Documentation/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
-index adc5a7e44b98..317dac191d8c 100644
+index 6e54979c2124..ccbc7a68769d 100644
 --- a/tools/perf/Documentation/Makefile
 +++ b/tools/perf/Documentation/Makefile
@@ -51,7 +51,7 @@ ASCIIDOC=asciidoc
- ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf
+ ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
 ASCIIDOC_HTML = xhtml11
 MANPAGE_XSL = manpage-normal.xsl
 -XMLTO_EXTRA =
@ -21,5 +26,5 @@ index adc5a7e44b98..317dac191d8c 100644
 RM ?= rm -f
 DOC_REF = origin/man
 -- 
-2.20.1
+2.25.1
--- a/0002-Documentation-for-AltHa-LSM.patch
+++ b/0002-Documentation-for-AltHa-LSM.patch
@ -1,8 +1,9 @@
-From b7faaef27bb8ede32f5cf2958fa6d84976806f14 Mon Sep 17 00:00:00 2001
+From fe0e9e1b7fc6bc4a8ca0e0473bf88297ca7020a7 Mon Sep 17 00:00:00 2001
 From: "Anton V. Boyarshinov" <boyarsh@altlinux.org>
 Date: Thu, 17 May 2018 08:30:25 +0000
 Subject: [PATCH 2/2] Documentation for AltHa LSM
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 Documentation/admin-guide/LSM/AltHa.rst | 43 +++++++++++++++++++++++++
 Documentation/admin-guide/LSM/index.rst |  1 +
@ -68,5 +69,5 @@ index a6ba95fbaa9f..20b57e7adadd 100644
    SafeSetID
 +   AltHa
 -- 
-2.20.1
+2.25.1
--- a/0003-security-altha-altha_lsm.c-build-fixed-with-kernel-5.patch
+++ b/0003-security-altha-altha_lsm.c-build-fixed-with-kernel-5.patch
@ -0,0 +1,68 @@
 From d89442861500242809d99c9e178b0ed1dd741b28 Mon Sep 17 00:00:00 2001
 From: Kernel Bot <kernelbot@altlinux.org>
 Date: Mon, 24 Aug 2020 17:16:53 +0300
 Subject: [PATCH 3/4] security/altha/altha_lsm.c: build fixed with kernel 5.8
 ---
 security/altha/altha_lsm.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
 diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
 index 7d1cc8f8a1a7..41f0fc7ac8e5 100644
 --- a/security/altha/altha_lsm.c
 +++ b/security/altha/altha_lsm.c
@@ -216,6 +216,15 @@ struct altha_readdir_callback {
 	int found;
 };
 +int compare_paths(const struct path *path1, const struct path *path2)
 +{
 +	char a1[PATH_MAX];
 +	char a2[PATH_MAX];
 +	char* p1, *p2;
 +	p1=d_path(path1,a1,PATH_MAX);
 +        p2=d_path(path2,a2,PATH_MAX);
 +	return strcmp(p1,p2);
 +}
 int is_olock_dir(struct inode *inode)
 {
@@ -233,14 +242,14 @@ int is_olock_dir(struct inode *inode)
 }
 /* Hooks */
 -static int altha_bprm_set_creds(struct linux_binprm *bprm)
 +static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi)
 {
 	struct altha_list_struct *node;
 	/* when it's not a shebang issued script interpreter */
 -	if (rstrscript_enabled && !bprm->called_set_creds) {
 +	if (rstrscript_enabled && bprm->filename == bprm->interp) {
 		down_read(&interpreters_sem);
 		list_for_each_entry(node, &interpreters_list, list) {
 -			if (path_equal(&bprm->file->f_path, &node->path)) {
 +			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 				uid_t cur_uid = from_kuid(bprm->cred->user_ns,
 							  bprm->cred->uid);
 				pr_notice_ratelimited
@@ -257,7 +266,7 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
 		uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);
 		down_read(&nosuid_exceptions_sem);
 		list_for_each_entry(node, &nosuid_exceptions_list, list) {
 -			if (path_equal(&bprm->file->f_path, &node->path)) {
 +			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 				pr_notice_ratelimited
 				    ("AltHa/NoSUID: %s permitted to setuid from %d\n",
 				     bprm->filename, cur_uid);
@@ -291,7 +300,7 @@ static int altha_inode_unlink(struct inode *inode, struct dentry *dentry)
 /* Initialization */
 static struct security_hook_list altha_hooks[] = {
 -	LSM_HOOK_INIT(bprm_set_creds, altha_bprm_set_creds),
 +	LSM_HOOK_INIT(bprm_creds_from_file, altha_bprm_creds_from_file),
 	LSM_HOOK_INIT(inode_unlink, altha_inode_unlink),
 };
 -- 
 2.25.1
--- a/0004-altha-use-path-strings-instead-of-path-structs.patch
+++ b/0004-altha-use-path-strings-instead-of-path-structs.patch
@ -0,0 +1,101 @@
 From 5765b709411696cd58db43e6e006a36e5a207ee0 Mon Sep 17 00:00:00 2001
 From: Kernel Bot <kernelbot@altlinux.org>
 Date: Wed, 2 Sep 2020 15:19:59 +0300
 Subject: [PATCH 4/4] altha: use path strings instead of path structs
 Path strings continueto work even when target file was replaced.
 ---
 security/altha/altha_lsm.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
 diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
 index 41f0fc7ac8e5..ccde83ebb26c 100644
 --- a/security/altha/altha_lsm.c
 +++ b/security/altha/altha_lsm.c
@@ -52,6 +52,8 @@ __setup("altha=", altha_enabled_setup);
 struct altha_list_struct {
 	struct path path;
 +	char * spath;
 +	char * spath_p;
 	struct list_head list;
 };
@@ -91,6 +93,7 @@ static int altha_list_handler(struct ctl_table *table, int write,
 		list_for_each_entry_safe(item, tmp, list_struct, list) {
 			list_del(&item->list);
 			path_put(&item->path);
 +			kfree(item->spath_p);
 			kfree(item);
 		}
@@ -106,7 +109,9 @@ static int altha_list_handler(struct ctl_table *table, int write,
 		while ((p = strsep(&fluid, ":\n")) != NULL) {
 			if (strlen(p)) {
 				item = kmalloc(sizeof(*item), GFP_KERNEL);
 -				if (!item) {
 +				if (item)
 +					item->spath_p = kmalloc(PATH_MAX, GFP_KERNEL);
 +				if (!item || !item->spath_p) {
 					pr_err
 					    ("AltHa: can't get memory processing sysctl\n");
 					kfree(copy_buffer);
@@ -118,6 +123,7 @@ static int altha_list_handler(struct ctl_table *table, int write,
 					    ("AltHa: error lookup '%s'\n", p);
 					kfree(item);
 				} else {
 +					item->spath=d_path(&item->path,item->spath_p,PATH_MAX);
 					list_add_tail(&item->list, list_struct);
 				}
 			}
@@ -216,16 +222,6 @@ struct altha_readdir_callback {
 	int found;
 };
 -int compare_paths(const struct path *path1, const struct path *path2)
 -{
 -	char a1[PATH_MAX];
 -	char a2[PATH_MAX];
 -	char* p1, *p2;
 -	p1=d_path(path1,a1,PATH_MAX);
 -        p2=d_path(path2,a2,PATH_MAX);
 -	return strcmp(p1,p2);
 -}
 -
 int is_olock_dir(struct inode *inode)
 {
 	struct altha_list_struct *node;
@@ -246,10 +242,13 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
 {
 	struct altha_list_struct *node;
 	/* when it's not a shebang issued script interpreter */
 -	if (rstrscript_enabled && bprm->filename == bprm->interp) {
 +	if (rstrscript_enabled && bprm->executable == bprm->interpreter) {
 +		char path_buffer[PATH_MAX];
 +		char *path_p;
 +		path_p = d_path(&bprm->file->f_path,path_buffer,PATH_MAX);
 		down_read(&interpreters_sem);
 		list_for_each_entry(node, &interpreters_list, list) {
 -			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 +			if (strcmp(path_p, node->spath) == 0) {
 				uid_t cur_uid = from_kuid(bprm->cred->user_ns,
 							  bprm->cred->uid);
 				pr_notice_ratelimited
@@ -263,10 +262,13 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
 	}
 	if (unlikely(nosuid_enabled &&
 		     !uid_eq(bprm->cred->uid, bprm->cred->euid))) {
 +		char path_buffer[PATH_MAX];
 +		char *path_p;
 		uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);
 +		path_p = d_path(&bprm->file->f_path,path_buffer,PATH_MAX);
 		down_read(&nosuid_exceptions_sem);
 		list_for_each_entry(node, &nosuid_exceptions_list, list) {
 -			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 +			if (strcmp(path_p, node->spath) == 0) {
 				pr_notice_ratelimited
 				    ("AltHa/NoSUID: %s permitted to setuid from %d\n",
 				     bprm->filename, cur_uid);
 -- 
 2.25.1
--- a/aufs-k510.diff
+++ b/aufs-k510.diff
@ -0,0 +1,658 @@
 diff --git a/fs/aufs/branch.h b/fs/aufs/branch.h
 index 594c8bd674b2..82c24958edd8 100644
 --- a/fs/aufs/branch.h
 +++ b/fs/aufs/branch.h
@@ -241,10 +241,8 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 		 ino_t *ino);
 int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 		  ino_t ino);
 -ssize_t xino_fread(vfs_readf_t func, struct file *file, void *buf, size_t size,
 -		   loff_t *pos);
 -ssize_t xino_fwrite(vfs_writef_t func, struct file *file, void *buf,
 -		    size_t size, loff_t *pos);
 +ssize_t xino_fread(struct file *file, void *buf, size_t size, loff_t *pos);
 +ssize_t xino_fwrite(struct file *file, void *buf, size_t size, loff_t *pos);
 int au_xib_trunc(struct super_block *sb);
 int au_xino_trunc(struct super_block *sb, aufs_bindex_t bindex, int idx_begin);
 diff --git a/fs/aufs/cpup.c b/fs/aufs/cpup.c
 index 492442339b6c..50141f5a45f9 100644
 --- a/fs/aufs/cpup.c
 +++ b/fs/aufs/cpup.c
@@ -569,32 +569,19 @@ static int au_do_cpup_regular(struct au_cp_generic *cpg,
 static int au_do_cpup_symlink(struct path *h_path, struct dentry *h_src,
 			      struct inode *h_dir)
 {
 -	int err, symlen;
 -	mm_segment_t old_fs;
 -	union {
 -		char *k;
 -		char __user *u;
 -	} sym;
 +	int err;
 +	DEFINE_DELAYED_CALL(done);
 +	const char *sym;
 -	err = -ENOMEM;
 -	sym.k = (void *)__get_free_page(GFP_NOFS);
 -	if (unlikely(!sym.k))
 +	sym = vfs_get_link(h_src, &done);
 +	err = PTR_ERR(sym);
 +	if (IS_ERR(sym))
 		goto out;
 -	/* unnecessary to support mmap_sem since symlink is not mmap-able */
 -	old_fs = get_fs();
 -	set_fs(KERNEL_DS);
 -	symlen = vfs_readlink(h_src, sym.u, PATH_MAX);
 -	err = symlen;
 -	set_fs(old_fs);
 -
 -	if (symlen > 0) {
 -		sym.k[symlen] = 0;
 -		err = vfsub_symlink(h_dir, h_path, sym.k);
 -	}
 -	free_page((unsigned long)sym.k);
 +	err = vfsub_symlink(h_dir, h_path, sym);
 out:
 +	do_delayed_call(&done);
 	return err;
 }
 diff --git a/fs/aufs/dynop.c b/fs/aufs/dynop.c
 index 837f94d49f74..4732edb340d7 100644
 --- a/fs/aufs/dynop.c
 +++ b/fs/aufs/dynop.c
@@ -180,6 +180,7 @@ static void dy_aop(struct au_dykey *key, const void *h_op,
 	DySetAop(writepages);
 	DySetAop(set_page_dirty);
 	DySetAop(readpages);
 +	DySetAop(readahead);
 	DySetAop(write_begin);
 	DySetAop(write_end);
 	DySetAop(bmap);
 diff --git a/fs/aufs/export.c b/fs/aufs/export.c
 index 842df6f05517..f883d2bf5325 100644
 --- a/fs/aufs/export.c
 +++ b/fs/aufs/export.c
@@ -121,8 +121,7 @@ void au_xigen_inc(struct inode *inode)
 	pos = inode->i_ino;
 	pos *= sizeof(igen);
 	igen = inode->i_generation + 1;
 -	sz = xino_fwrite(sbinfo->si_xwrite, sbinfo->si_xigen, &igen,
 -			 sizeof(igen), &pos);
 +	sz = xino_fwrite(sbinfo->si_xigen, &igen, sizeof(igen), &pos);
 	if (sz == sizeof(igen))
 		return; /* success */
@@ -164,10 +163,10 @@ int au_xigen_new(struct inode *inode)
 	if (vfsub_f_size_read(file)
 	    < pos + sizeof(inode->i_generation)) {
 		inode->i_generation = atomic_inc_return(&sbinfo->si_xigen_next);
 -		sz = xino_fwrite(sbinfo->si_xwrite, file, &inode->i_generation,
 +		sz = xino_fwrite(file, &inode->i_generation,
 				 sizeof(inode->i_generation), &pos);
 	} else
 -		sz = xino_fread(sbinfo->si_xread, file, &inode->i_generation,
 +		sz = xino_fread(file, &inode->i_generation,
 				sizeof(inode->i_generation), &pos);
 	if (sz == sizeof(inode->i_generation))
 		goto out; /* success */
 diff --git a/fs/aufs/f_op.c b/fs/aufs/f_op.c
 index 9894e2124bd5..37eb4f6bcc23 100644
 --- a/fs/aufs/f_op.c
 +++ b/fs/aufs/f_op.c
@@ -242,34 +242,6 @@ static void au_write_post(struct inode *inode, struct file *h_file,
 	fput(h_file);
 }
 -static ssize_t aufs_read(struct file *file, char __user *buf, size_t count,
 -			 loff_t *ppos)
 -{
 -	ssize_t err;
 -	struct inode *inode;
 -	struct file *h_file;
 -	struct super_block *sb;
 -
 -	inode = file_inode(file);
 -	sb = inode->i_sb;
 -	si_read_lock(sb, AuLock_FLUSH | AuLock_NOPLMW);
 -
 -	h_file = au_read_pre(file, /*keep_fi*/0, /*lsc*/0);
 -	err = PTR_ERR(h_file);
 -	if (IS_ERR(h_file))
 -		goto out;
 -
 -	/* filedata may be obsoleted by concurrent copyup, but no problem */
 -	err = vfsub_read_u(h_file, buf, count, ppos);
 -	/* todo: necessary? */
 -	/* file->f_ra = h_file->f_ra; */
 -	au_read_post(inode, h_file);
 -
 -out:
 -	si_read_unlock(sb);
 -	return err;
 -}
 -
 /*
  * todo: very ugly
  * it locks both of i_mutex and si_rwsem for read in safe.
@@ -292,33 +264,6 @@ static void au_mtx_and_read_lock(struct inode *inode)
 	}
 }
 -static ssize_t aufs_write(struct file *file, const char __user *ubuf,
 -			  size_t count, loff_t *ppos)
 -{
 -	ssize_t err;
 -	struct au_write_pre wpre;
 -	struct inode *inode;
 -	struct file *h_file;
 -	char __user *buf = (char __user *)ubuf;
 -
 -	inode = file_inode(file);
 -	au_mtx_and_read_lock(inode);
 -
 -	wpre.lsc = 0;
 -	h_file = au_write_pre(file, /*do_ready*/1, &wpre);
 -	err = PTR_ERR(h_file);
 -	if (IS_ERR(h_file))
 -		goto out;
 -
 -	err = vfsub_write_u(h_file, buf, count, ppos);
 -	au_write_post(inode, h_file, &wpre, err);
 -
 -out:
 -	si_read_unlock(inode->i_sb);
 -	inode_unlock(inode);
 -	return err;
 -}
 -
 static ssize_t au_do_iter(struct file *h_file, int rw, struct kiocb *kio,
 			  struct iov_iter *iov_iter)
 {
@@ -788,8 +733,6 @@ const struct file_operations aufs_file_fop = {
 	.llseek		= default_llseek,
 -	.read		= aufs_read,
 -	.write		= aufs_write,
 	.read_iter	= aufs_read_iter,
 	.write_iter	= aufs_write_iter,
 diff --git a/fs/aufs/file.c b/fs/aufs/file.c
 index b0075b57d8bc..53d0f16c3bab 100644
 --- a/fs/aufs/file.c
 +++ b/fs/aufs/file.c
@@ -790,6 +790,10 @@ static ssize_t aufs_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
 /* they will never be called. */
 #ifdef CONFIG_AUFS_DEBUG
 +/*
 +void aufs_readahead(struct readahead_control *)
 +{ AuUnsupport(); }
 +*/
 static int aufs_write_begin(struct file *file, struct address_space *mapping,
 			    loff_t pos, unsigned len, unsigned flags,
 			    struct page **pagep, void **fsdata)
 diff --git a/fs/aufs/hfsnotify.c b/fs/aufs/hfsnotify.c
 index cb4eeb1e6069..d0abe8ac783f 100644
 --- a/fs/aufs/hfsnotify.c
 +++ b/fs/aufs/hfsnotify.c
@@ -160,8 +160,8 @@ static void au_hfsn_free_group(struct fsnotify_group *group)
 }
 static int au_hfsn_handle_event(struct fsnotify_group *group,
 -				struct inode *inode,
 				u32 mask, const void *data, int data_type,
 +				struct inode *dir,
 				const struct qstr *file_name, u32 cookie,
 				struct fsnotify_iter_info *iter_info)
 {
@@ -178,7 +178,7 @@ static int au_hfsn_handle_event(struct fsnotify_group *group,
 	if (mask & (FS_IN_IGNORED | FS_UNMOUNT))
 		goto out;
 -	h_dir = inode;
 +	h_dir = dir;
 	h_inode = NULL;
 #ifdef AuDbgHnotify
 	au_debug_on();
 diff --git a/fs/aufs/super.h b/fs/aufs/super.h
 index c0cb0051242c..4638331366b7 100644
 --- a/fs/aufs/super.h
 +++ b/fs/aufs/super.h
@@ -131,8 +131,6 @@ struct au_sbinfo {
 	unsigned int		si_mntflags;
 	/* external inode number (bitmap and translation table) */
 -	vfs_readf_t		si_xread;
 -	vfs_writef_t		si_xwrite;
 	loff_t			si_ximaxent;	/* max entries in a xino */
 	struct file		*si_xib;
 diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
 index a5e10c5c004f..de875cd4eedc 100644
 --- a/fs/aufs/vfsub.c
 +++ b/fs/aufs/vfsub.c
@@ -513,22 +513,17 @@ ssize_t vfsub_read_u(struct file *file, char __user *ubuf, size_t count,
 	return err;
 }
 -/* todo: kernel_read()? */
 ssize_t vfsub_read_k(struct file *file, void *kbuf, size_t count,
 		     loff_t *ppos)
 {
 	ssize_t err;
 -	mm_segment_t oldfs;
 -	union {
 -		void *k;
 -		char __user *u;
 -	} buf;
 -
 -	buf.k = kbuf;
 -	oldfs = get_fs();
 -	set_fs(KERNEL_DS);
 -	err = vfsub_read_u(file, buf.u, count, ppos);
 -	set_fs(oldfs);
 +
 +	lockdep_off();
 +	err = kernel_read(file, kbuf, count, ppos);
 +	lockdep_on();
 +	AuTraceErr(err);
 +	if (err >= 0)
 +		vfsub_update_h_iattr(&file->f_path, /*did*/NULL); /*ignore*/
 	return err;
 }
@@ -548,17 +543,12 @@ ssize_t vfsub_write_u(struct file *file, const char __user *ubuf, size_t count,
 ssize_t vfsub_write_k(struct file *file, void *kbuf, size_t count, loff_t *ppos)
 {
 	ssize_t err;
 -	mm_segment_t oldfs;
 -	union {
 -		void *k;
 -		const char __user *u;
 -	} buf;
 -
 -	buf.k = kbuf;
 -	oldfs = get_fs();
 -	set_fs(KERNEL_DS);
 -	err = vfsub_write_u(file, buf.u, count, ppos);
 -	set_fs(oldfs);
 +
 +	lockdep_off();
 +	err = kernel_write(file, kbuf, count, ppos);
 +	lockdep_on();
 +	if (err >= 0)
 +		vfsub_update_h_iattr(&file->f_path, /*did*/NULL); /*ignore*/
 	return err;
 }
 diff --git a/fs/aufs/xino.c b/fs/aufs/xino.c
 index b3152c0ce0b5..ae7bd07b022d 100644
 --- a/fs/aufs/xino.c
 +++ b/fs/aufs/xino.c
@@ -660,8 +660,8 @@ struct au_xi_writing {
 	ino_t h_ino, ino;
 };
 -static int au_xino_do_write(vfs_writef_t write, struct file *file,
 -			    struct au_xi_calc *calc, ino_t ino);
 +static int au_xino_do_write(struct file *file, struct au_xi_calc *calc,
 +			    ino_t ino);
 static void au_xino_call_do_new_async(void *args)
 {
@@ -690,7 +690,7 @@ static void au_xino_call_do_new_async(void *args)
 	file = au_xino_file(br->br_xino, a->calc.idx);
 	AuDebugOn(!file);
 -	err = au_xino_do_write(sbi->si_xwrite, file, &a->calc, a->ino);
 +	err = au_xino_do_write(file, &a->calc, a->ino);
 	if (unlikely(err)) {
 		AuIOErr("err %d\n", err);
 		goto out;
@@ -791,7 +791,7 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 		return 0; /* no xino */
 	sbinfo = au_sbi(sb);
 -	sz = xino_fread(sbinfo->si_xread, file, ino, sizeof(*ino), &calc.pos);
 +	sz = xino_fread(file, ino, sizeof(*ino), &calc.pos);
 	if (sz == sizeof(*ino))
 		return 0; /* success */
@@ -803,12 +803,12 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 	return err;
 }
 -static int au_xino_do_write(vfs_writef_t write, struct file *file,
 -			    struct au_xi_calc *calc, ino_t ino)
 +static int au_xino_do_write(struct file *file, struct au_xi_calc *calc,
 +			    ino_t ino)
 {
 	ssize_t sz;
 -	sz = xino_fwrite(write, file, &ino, sizeof(ino), &calc->pos);
 +	sz = xino_fwrite(file, &ino, sizeof(ino), &calc->pos);
 	if (sz == sizeof(ino))
 		return 0; /* success */
@@ -858,7 +858,7 @@ int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 		goto out;
 	}
 -	err = au_xino_do_write(au_sbi(sb)->si_xwrite, file, &calc, ino);
 +	err = au_xino_do_write(file, &calc, ino);
 	if (!err) {
 		br = au_sbr(sb, bindex);
 		if (au_opt_test(mnt_flags, TRUNC_XINO)
@@ -872,40 +872,27 @@ int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
 	return -EIO;
 }
 -static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
 -			      size_t size, loff_t *pos);
 +static ssize_t xino_fread_wkq(struct file *file, void *buf, size_t size,
 +			      loff_t *pos);
 /* todo: unnecessary to support mmap_sem since kernel-space? */
 -ssize_t xino_fread(vfs_readf_t func, struct file *file, void *kbuf, size_t size,
 -		   loff_t *pos)
 +ssize_t xino_fread(struct file *file, void *kbuf, size_t size, loff_t *pos)
 {
 	ssize_t err;
 -	mm_segment_t oldfs;
 -	union {
 -		void *k;
 -		char __user *u;
 -	} buf;
 	int i;
 	const int prevent_endless = 10;
 	i = 0;
 -	buf.k = kbuf;
 -	oldfs = get_fs();
 -	set_fs(KERNEL_DS);
 	do {
 -		err = func(file, buf.u, size, pos);
 +		err = vfsub_read_k(file, kbuf, size, pos);
 		if (err == -EINTR
 		    && !au_wkq_test()
 		    && fatal_signal_pending(current)) {
 -			set_fs(oldfs);
 -			err = xino_fread_wkq(func, file, kbuf, size, pos);
 +			err = xino_fread_wkq(file, kbuf, size, pos);
 			BUG_ON(err == -EINTR);
 -			oldfs = get_fs();
 -			set_fs(KERNEL_DS);
 		}
 	} while (i++ < prevent_endless
 		 && (err == -EAGAIN || err == -EINTR));
 -	set_fs(oldfs);
 #if 0 /* reserved for future use */
 	if (err > 0)
@@ -917,7 +904,6 @@ ssize_t xino_fread(vfs_readf_t func, struct file *file, void *kbuf, size_t size,
 struct xino_fread_args {
 	ssize_t *errp;
 -	vfs_readf_t func;
 	struct file *file;
 	void *buf;
 	size_t size;
@@ -927,17 +913,16 @@ struct xino_fread_args {
 static void call_xino_fread(void *args)
 {
 	struct xino_fread_args *a = args;
 -	*a->errp = xino_fread(a->func, a->file, a->buf, a->size, a->pos);
 +	*a->errp = xino_fread(a->file, a->buf, a->size, a->pos);
 }
 -static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
 -			      size_t size, loff_t *pos)
 +static ssize_t xino_fread_wkq(struct file *file, void *buf, size_t size,
 +			      loff_t *pos)
 {
 	ssize_t err;
 	int wkq_err;
 	struct xino_fread_args args = {
 		.errp	= &err,
 -		.func	= func,
 		.file	= file,
 		.buf	= buf,
 		.size	= size,
@@ -951,39 +936,27 @@ static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
 	return err;
 }
 -static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
 -			       size_t size, loff_t *pos);
 +static ssize_t xino_fwrite_wkq(struct file *file, void *buf, size_t size,
 +			       loff_t *pos);
 -static ssize_t do_xino_fwrite(vfs_writef_t func, struct file *file, void *kbuf,
 -			      size_t size, loff_t *pos)
 +static ssize_t do_xino_fwrite(struct file *file, void *kbuf, size_t size,
 +			      loff_t *pos)
 {
 	ssize_t err;
 -	mm_segment_t oldfs;
 -	union {
 -		void *k;
 -		const char __user *u;
 -	} buf;
 	int i;
 	const int prevent_endless = 10;
 	i = 0;
 -	buf.k = kbuf;
 -	oldfs = get_fs();
 -	set_fs(KERNEL_DS);
 	do {
 -		err = func(file, buf.u, size, pos);
 +		err = vfsub_write_k(file, kbuf, size, pos);
 		if (err == -EINTR
 		    && !au_wkq_test()
 		    && fatal_signal_pending(current)) {
 -			set_fs(oldfs);
 -			err = xino_fwrite_wkq(func, file, kbuf, size, pos);
 +			err = xino_fwrite_wkq(file, kbuf, size, pos);
 			BUG_ON(err == -EINTR);
 -			oldfs = get_fs();
 -			set_fs(KERNEL_DS);
 		}
 	} while (i++ < prevent_endless
 		 && (err == -EAGAIN || err == -EINTR));
 -	set_fs(oldfs);
 #if 0 /* reserved for future use */
 	if (err > 0)
@@ -995,7 +968,6 @@ static ssize_t do_xino_fwrite(vfs_writef_t func, struct file *file, void *kbuf,
 struct do_xino_fwrite_args {
 	ssize_t *errp;
 -	vfs_writef_t func;
 	struct file *file;
 	void *buf;
 	size_t size;
@@ -1005,17 +977,16 @@ struct do_xino_fwrite_args {
 static void call_do_xino_fwrite(void *args)
 {
 	struct do_xino_fwrite_args *a = args;
 -	*a->errp = do_xino_fwrite(a->func, a->file, a->buf, a->size, a->pos);
 +	*a->errp = do_xino_fwrite(a->file, a->buf, a->size, a->pos);
 }
 -static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
 -			       size_t size, loff_t *pos)
 +static ssize_t xino_fwrite_wkq(struct file *file, void *buf, size_t size,
 +			       loff_t *pos)
 {
 	ssize_t err;
 	int wkq_err;
 	struct do_xino_fwrite_args args = {
 		.errp	= &err,
 -		.func	= func,
 		.file	= file,
 		.buf	= buf,
 		.size	= size,
@@ -1033,18 +1004,17 @@ static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
 	return err;
 }
 -ssize_t xino_fwrite(vfs_writef_t func, struct file *file, void *buf,
 -		    size_t size, loff_t *pos)
 +ssize_t xino_fwrite(struct file *file, void *buf, size_t size, loff_t *pos)
 {
 	ssize_t err;
 	if (rlimit(RLIMIT_FSIZE) == RLIM_INFINITY) {
 		lockdep_off();
 -		err = do_xino_fwrite(func, file, buf, size, pos);
 +		err = do_xino_fwrite(file, buf, size, pos);
 		lockdep_on();
 	} else {
 		lockdep_off();
 -		err = xino_fwrite_wkq(func, file, buf, size, pos);
 +		err = xino_fwrite_wkq(file, buf, size, pos);
 		lockdep_on();
 	}
@@ -1095,17 +1065,17 @@ static int xib_pindex(struct super_block *sb, unsigned long pindex)
 	p = sbinfo->si_xib_buf;
 	pos = sbinfo->si_xib_last_pindex;
 	pos *= PAGE_SIZE;
 -	sz = xino_fwrite(sbinfo->si_xwrite, xib, p, PAGE_SIZE, &pos);
 +	sz = xino_fwrite(xib, p, PAGE_SIZE, &pos);
 	if (unlikely(sz != PAGE_SIZE))
 		goto out;
 	pos = pindex;
 	pos *= PAGE_SIZE;
 	if (vfsub_f_size_read(xib) >= pos + PAGE_SIZE)
 -		sz = xino_fread(sbinfo->si_xread, xib, p, PAGE_SIZE, &pos);
 +		sz = xino_fread(xib, p, PAGE_SIZE, &pos);
 	else {
 		memset(p, 0, PAGE_SIZE);
 -		sz = xino_fwrite(sbinfo->si_xwrite, xib, p, PAGE_SIZE, &pos);
 +		sz = xino_fwrite(xib, p, PAGE_SIZE, &pos);
 	}
 	if (sz == PAGE_SIZE) {
 		sbinfo->si_xib_last_pindex = pindex;
@@ -1156,7 +1126,6 @@ static int do_xib_restore(struct super_block *sb, struct file *file, void *page)
 	unsigned long pindex;
 	loff_t pos, pend;
 	struct au_sbinfo *sbinfo;
 -	vfs_readf_t func;
 	ino_t *ino;
 	unsigned long *p;
@@ -1164,11 +1133,10 @@ static int do_xib_restore(struct super_block *sb, struct file *file, void *page)
 	sbinfo = au_sbi(sb);
 	MtxMustLock(&sbinfo->si_xib_mtx);
 	p = sbinfo->si_xib_buf;
 -	func = sbinfo->si_xread;
 	pend = vfsub_f_size_read(file);
 	pos = 0;
 	while (pos < pend) {
 -		sz = xino_fread(func, file, page, PAGE_SIZE, &pos);
 +		sz = xino_fread(file, page, PAGE_SIZE, &pos);
 		err = sz;
 		if (unlikely(sz <= 0))
 			goto out;
@@ -1257,7 +1225,7 @@ int au_xib_trunc(struct super_block *sb)
 	p = sbinfo->si_xib_buf;
 	memset(p, 0, PAGE_SIZE);
 	pos = 0;
 -	sz = xino_fwrite(sbinfo->si_xwrite, sbinfo->si_xib, p, PAGE_SIZE, &pos);
 +	sz = xino_fwrite(sbinfo->si_xib, p, PAGE_SIZE, &pos);
 	if (unlikely(sz != PAGE_SIZE)) {
 		err = sz;
 		AuIOErr("err %d\n", err);
@@ -1396,7 +1364,6 @@ static void xino_clear_xib(struct super_block *sb)
 	SiMustWriteLock(sb);
 	sbinfo = au_sbi(sb);
 -	/* unnecessary to clear sbinfo->si_xread and ->si_xwrite */
 	if (sbinfo->si_xib)
 		fput(sbinfo->si_xib);
 	sbinfo->si_xib = NULL;
@@ -1423,8 +1390,6 @@ static int au_xino_set_xib(struct super_block *sb, struct path *path)
 	if (sbinfo->si_xib)
 		fput(sbinfo->si_xib);
 	sbinfo->si_xib = file;
 -	sbinfo->si_xread = vfs_readf(file);
 -	sbinfo->si_xwrite = vfs_writef(file);
 	xi_sb = file_inode(file)->i_sb;
 	sbinfo->si_ximaxent = xi_sb->s_maxbytes;
 	if (unlikely(sbinfo->si_ximaxent < PAGE_SIZE)) {
@@ -1445,8 +1410,7 @@ static int au_xino_set_xib(struct super_block *sb, struct path *path)
 	sbinfo->si_xib_next_bit = 0;
 	if (vfsub_f_size_read(file) < PAGE_SIZE) {
 		pos = 0;
 -		err = xino_fwrite(sbinfo->si_xwrite, file, sbinfo->si_xib_buf,
 -				  PAGE_SIZE, &pos);
 +		err = xino_fwrite(file, sbinfo->si_xib_buf, PAGE_SIZE, &pos);
 		if (unlikely(err != PAGE_SIZE))
 			goto out_free;
 	}
@@ -1497,7 +1461,6 @@ static void au_xino_set_br_shared(struct super_block *sb, struct au_branch *br,
 }
 struct au_xino_do_set_br {
 -	vfs_writef_t writef;
 	struct au_branch *br;
 	ino_t h_ino;
 	aufs_bindex_t bshared;
@@ -1539,7 +1502,7 @@ static int au_xino_do_set_br(struct super_block *sb, struct path *path,
 		goto out;
 	AuDebugOn(!file);
 -	err = au_xino_do_write(args->writef, file, &calc, AUFS_ROOT_INO);
 +	err = au_xino_do_write(file, &calc, AUFS_ROOT_INO);
 	if (unlikely(err))
 		au_xino_put(br);
@@ -1559,7 +1522,6 @@ static int au_xino_set_br(struct super_block *sb, struct path *path)
 	bbot = au_sbbot(sb);
 	inode = d_inode(sb->s_root);
 -	args.writef = au_sbi(sb)->si_xwrite;
 	for (bindex = 0; bindex <= bbot; bindex++) {
 		args.h_ino = au_h_iptr(inode, bindex)->i_ino;
 		args.br = au_sbr(sb, bindex);
@@ -1714,7 +1676,6 @@ int au_xino_init_br(struct super_block *sb, struct au_branch *br, ino_t h_ino,
 		.br	= br
 	};
 -	args.writef = au_sbi(sb)->si_xwrite;
 	args.bshared = sbr_find_shared(sb, /*btop*/0, au_sbbot(sb),
 				       au_br_sb(br));
 	err = au_xino_do_set_br(sb, base, &args);
@@ -1798,7 +1759,6 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
 	struct au_hinode *hi;
 	struct inode *h_inode;
 	struct au_branch *br;
 -	vfs_writef_t xwrite;
 	struct au_xi_calc calc;
 	struct file *file;
@@ -1820,7 +1780,6 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
 	if (bindex < 0)
 		return;
 -	xwrite = au_sbi(sb)->si_xwrite;
 	try_trunc = !!au_opt_test(mnt_flags, TRUNC_XINO);
 	hi = au_hinode(iinfo, bindex);
 	bbot = iinfo->ii_bbot;
@@ -1841,7 +1800,7 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
 		if (IS_ERR_OR_NULL(file))
 			continue;
 -		err = au_xino_do_write(xwrite, file, &calc, /*ino*/0);
 +		err = au_xino_do_write(file, &calc, /*ino*/0);
 		if (!err && try_trunc
 		    && au_test_fs_trunc_xino(au_br_sb(br)))
 			xino_try_trunc(sb, br);
--- a/fs-aufs-2.patch
+++ b/fs-aufs-2.patch
@ -1,133 +0,0 @@
 From 4d4c05a8901e313264433db69cc3374cef5164f6 Mon Sep 17 00:00:00 2001
 From: Mauricio Faria de Oliveira <mfo@canonical.com>
 Date: Mon, 29 Jun 2020 15:31:22 -0300
 Subject: aufs: do not call i_readcount_inc()
 The 'struct inode.i_readcount' field is maintained at the VFS, and
 should not be modified by filesystems.  But aufs does in one place,
 which causes it to be unbalanced.
 This started with Linux v2.6.39 commit 890275b5eb79 ("IMA: maintain
 i_readcount in the VFS layer"), which moved the i_readcount updates
 from IMA into the VFS (at the same places IMA was called previously)
 and introduced 'mutex_lock(i_mutex)' in the ima_file_check() path.
 The former change is functionally equivalent, thus no changes are
 needed in response to it.
 The latter change, on the other hand, is _not_; and is reported to
 cause a deadlock in aufs (see below), thus it dropped the call to
 ima_file_check().
 However, when dropping the ima_file_check() call, aufs introduced
 the i_readcount_inc() call as well, which according to the commit
 changes is not necessary.
 This can be observed in aufs2-standalone.git commit 1dbd1c864e455
 ("aufs2.1 standalone version for linux-2.6."), announced to the
 aufs-users mailing list on 2011-04-04 [1].
    diff --git a/ChangeLog b/ChangeLog
    ...
    +commit 17eac367b03334e57a93e8051eb712add24d2534
    +Author: J. R. Okajima <hooanon05@yahoo.co.jp>
    +Date:   Fri Apr 1 16:31:22 2011 +0900
    +
    +    aufs: for 2.6.39, limit the support for IMA
    +
    +    Since it acquires i_mutex and causes a deadlock, replace a
    +    ima_file_check() call by i_readcount_inc().
    +
    +    Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
    ...
    diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
    ...
    struct file *vfsub_dentry_open(struct path *path, int flags)
    ...
    +       if (!IS_ERR_OR_NULL(file)
    +           && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
    +               i_readcount_inc(path->dentry->d_inode);
    -       err = ima_file_check(file, au_conv_oflags(flags));
    ...
 Apparently, this might have been a misunderstanding of one hunk in
 the 2.6.39 commit, that deletes the lines to increment i_readcount,
 and adds the lines to acquire i_mutex.
 It reuses code from the removed function ima_counts_get() to create
 ima_rdwr_violation_check(), and another hunk calls the new function
 from ima_file_check().  But note that the i_readcount increment was
 _not_ called from ima_file_check() previously, via ima_counts_get():
    -void ima_counts_get(struct file *file)
    +static void ima_rdwr_violation_check(struct file *file)
     {
    ...
    +       mutex_lock(&inode->i_mutex);    /* file metadata: permissions, xattr */
    ...
    -               atomic_inc(&inode->i_readcount);
    #@@ -318,6 +308,7 @@ int ima_file_check(struct file *file, int mask)
    ...
    +       ima_rdwr_violation_check(file);
 So, in order to avoid the unbalance caused to i_readcount, drop the
 i_readcount_inc() call.
 Note the issue is not the lack of a corresponding i_readcount_dec()
 call; it's the mere usage of these functions outside of VFS layer,
 where i_readcount is maintained.
 Links:
 [1] https://sourceforge.net/p/aufs/mailman/message/27304125/
    snippet:
    """
    aufs2 Monday GIT release
    From: <sfjro@us...> - 2011-04-04 04:59:18
    o news
    - begin supporting linux-2.6.39-rcN.
    ...
    - aufs2-2.6.git#aufs2.1 branch
    ...
          aufs: for 2.6.39, limit the support for IMA
    ...
    """
 Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
 (cherry picked from commit 515a586eeef31e0717d5dea21e2c11a965340b3c aufs4-linux.git)
 CVE-2020-11935
 Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
 Acked-by: Kamal Mostafa <kamal@canonical.com>
 Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
 ---
 fs/aufs/vfsub.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
 diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
 index e954cd7..a5e10c5 100644
 --- a/fs/aufs/vfsub.c
 +++ b/fs/aufs/vfsub.c
@@ -76,15 +76,8 @@ int vfsub_update_h_iattr(struct path *h_path, int *did)
 struct file *vfsub_dentry_open(struct path *path, int flags)
 {
 -	struct file *file;
 -
 -	file = dentry_open(path, flags /* | __FMODE_NONOTIFY */,
 +	return dentry_open(path, flags /* | __FMODE_NONOTIFY */,
 			   current_cred());
 -	if (!IS_ERR_OR_NULL(file)
 -	    && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
 -		i_readcount_inc(d_inode(path->dentry));
 -
 -	return file;
 }
 struct file *vfsub_filp_open(const char *path, int oflags, int mode)
 -- 
 cgit v1.1
--- a/kernel.spec
+++ b/kernel.spec
@ -19,12 +19,12 @@
 %global _find_debuginfo_dwz_opts %{nil}
 %define kernelversion	5
-%define patchlevel	4
+%define patchlevel	10
 # sublevel is used for stable-based kernels
-%define sublevel	83
+%define sublevel	1
 # Release number. Increase this before a rebuild.
-%define rpmrel		2
+%define rpmrel		1
 %define fullrpmrel	%{rpmrel}
 %define rpmtag		%{disttag}
@ -98,6 +98,16 @@
 %bcond_with ccache
 %bcond_without flow_abi
 # 1. VirtualBox is for x86_32 and x86_64 only
 # 2. I do not know how to solve the problem that userspace part of VirtualBox
 #    will be updated ahead of these binary modules. So just off building them.
 %bcond_with binary_virtualbox_host
 # shredder-kernel works only on x86_64, makes manipulations with syscalls tables,
 # loading/unloading of the module failed sometimes on kernel 5.4
 # and it has not been adapted for kernel 5.10 (is not buildable)
 %bcond_with binary_shredder
 # Kernel flavour
 %if %{with nickel}
 %define flavour		nickel
@ -146,12 +156,9 @@
 %define build_debug		1
 # Build kernel-headers package
-# Make headers of this kernel not default for rosa2016.1
+# Headers from LTS kernel 5.4 are default in rosa2019.1/05 for now
-%if %{mdvver} <= 201610
+# and headers from 4.15 are default in rosa2016.1
 %define build_headers 0
 %else
 %define build_headers 1
 %endif
 # build perf and cpupower tools
 %define build_perf		1
@ -230,7 +237,7 @@ Source0: 	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{ta
 # This is for disabling *config, mrproper, prepare, scripts on -devel rpms
 # Needed, because otherwise the -devel won't build correctly.
-Source2: 	disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch
+Source2: 	0001-disable-mrproper-prepare-scripts-configs-in-devel-rp.patch
 # TODO: make a separate package "ksobirator" and BR it
 # after testing these macros properly
@ -271,15 +278,17 @@ Patch1:   	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{k
 # generated during that process, xmlto tries to get DTD files from the Net.
 # If it fails, the whole build fails, which is unfortunate. Let us avoid
 # this.
-Patch101:	perf-xmlto-skip-validation.patch
+Patch101:	0001-perf-skip-xmlto-validation.patch
 # http://bugs.rosalinux.ru/show_bug.cgi?id=6235
 # http://bugs.rosalinux.ru/show_bug.cgi?id=6459
-Patch102:	audit-make-it-less-verbose.patch
+Patch102:	0001-audit-make-it-less-verbose.patch
 # AUFS 5 from http://aufs.sourceforge.net/
-Patch109:	fs-aufs.patch
+Patch109:	0001-Apply-AUFS-5.patch
-Patch110:	fs-aufs-2.patch
+# Unofficial AUFS for kernel 5.10
 # https://sourceforge.net/projects/lxpup/files/Other/huge-kernels/kernel-5.10-aufs-changes/
 Patch110:	aufs-k510.diff
 # For kmod() generator of RPM Provides
 # Changes version of aacraid.ko
@ -291,13 +300,11 @@ Patch111:	0001-Remove-RPM-illegal-chars-from-module-version.patch
 # TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
 Patch201:	0001-AltHa-LSM-module.patch
 Patch202:	0002-Documentation-for-AltHa-LSM.patch
 Patch203:	0003-security-altha-altha_lsm.c-build-fixed-with-kernel-5.patch
 Patch204:	0004-altha-use-path-strings-instead-of-path-structs.patch
 # Other patches
 Patch301:	objtool-sync-check.sh-set-the-exit-code-explicitly.patch
 # sent to upstream, https://patchwork.kernel.org/patch/11446123/
 Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch
 # Add sysctl to disable disk-based swap
 Patch304: 	0001-mm-add-sysctl-to-disable-disk-based-swap.patch
 # Support loading GOST-signed modules
 Patch305:	0001-crypto-support-loading-GOST-signed-kernel-modules.patch
 # Allow to off modules signature check dynamically
@ -361,14 +368,10 @@ BuildRequires:		findutils util-linux
 %if %{with binary_extra_modules}
 BuildRequires: kernel-source-rtl8821ce
 BuildRequires: kernel-source-tripso
-%ifarch %{ix86} %{x86_64}
+%if %{with binary_virtualbox_host}
 BuildRequires: kernel-source-virtualbox
 # TODO: drop it for kernels >= 5.6
 # because all guest modules have been upstreamized
 # https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
 BuildRequires: kernel-source-virtualbox-vboxadditions
 %endif
-%ifarch %{x86_64}
+%if %{with binary_shredder}
 BuildRequires: kernel-source-shredder-kernel
 %endif
 # rosa-test-suite is maintained in certified branches only
@ -595,9 +598,11 @@ find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true
 %{devel_root}/include/generated
 %{devel_root}/include/keys
 %{devel_root}/include/kvm
 %{devel_root}/include/kunit
 %{devel_root}/include/linux
 %{devel_root}/include/math-emu
 %{devel_root}/include/media
 %{devel_root}/include/memory
 %{devel_root}/include/misc
 %{devel_root}/include/net
 %{devel_root}/include/pcmcia
@ -933,21 +938,22 @@ latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x
 %if %{with binary_extra_modules}
-%ksob_mk_module_pkg -n 8821ce -s net/wireless
+%ksob_mk_module_pkg -n 8821ce -s net/wireless -r rtl8821ce-blacklist
 %ksob_mk_module_pkg -n xt_TRIPSO -s net -r tripso
-%ifarch %{x86_64}
+%if %{with binary_shredder}
 %ksob_mk_module_pkg -n shredder-kernel -s extra -r rosa-shredder-user
 %endif
 #------------------------------------------------
 # virtualbox host
-%ifarch %{ix86} %{x86_64}
+%if %{with binary_virtualbox_host}
 %ksob_mk_module_pkg -n vboxnetflt -s misc
 %ksob_mk_module_pkg -n vboxnetadp -s misc
 %ksob_mk_module_pkg -n vboxdrv -s misc
 %ksob_mk_module_pkg -n vboxpci -s misc
 #------------------------------------------------
 # a package which will pull all those modules
 %package -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
 Summary: Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
@ -964,31 +970,7 @@ Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kern
 %files -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
 # empty
-#------------------------------------------------
+%endif #ifarch x86
 # virtualbox guest, to be dropped in kernels 5.6+ (upsreamized)
 %ksob_mk_module_pkg -n vboxvideo -s misc
 %ksob_mk_module_pkg -n vboxguest -s misc
 %ksob_mk_module_pkg -n vboxsf -s misc
 #------------------------------------------------
 # a package which will pull all those modules
 %package -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
 Summary: Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
 Group: System/Kernel and hardware
 Version: %{kversion}
 Release: %{fullrpmrel}
 Requires: kernel-module-vboxvideo-%{flavour}-%{buildrel}
 Requires: kernel-module-vboxguest-%{flavour}-%{buildrel}
 Requires: kernel-module-vboxsf-%{flavour}-%{buildrel}
 %description -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
 Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
 %files -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
 # end ifarch
 %endif
 # empty
 #------------------------------------------------
 %if %{with nickel}
@ -1133,23 +1115,11 @@ for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
 done
 sed -i '/CONFIG_LSM/d' .config
-echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
+echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"' >> %{build_dir}/.config.append
 sed -i '/CONFIG_SECURITY_ALTHA/d' .config
 echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
 %endif
 # Disable disk-based swap (swap files and partitions) on certified systems by default
 # because we cannot guarantee that data stored in swap is erased from disk securely.
 # Our patch, based on Chromium OS kernel, allows to use only zram if CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y.
 # sysctl vm.disk_based_swap = 1 to allow disk-based swap, = 0 to disable it.
 # Note that CONFIG_ZRAM_WRITEBACK is still on.
 #sed -i '/CONFIG_DISK_BASED_SWAP_DEFAULT_ON/d' .config
 #%if %{with nickel}
 #echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=n' >> %{build_dir}/.config.append
 #%else
 echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y' >> %{build_dir}/.config.append
 #%endif
 cat %{build_dir}/.config.append >> .config
 # Store the config file in the appropriate directory.
@ -1381,7 +1351,7 @@ cp xt_TRIPSO.ko %{temp_modules}/%{kver_full}/kernel/net/
 popd
 rm -fr kernel-source-tripso
-%ifarch %{x86_64}
+%if %{with binary_shredder}
 cp -r "$(rpm -q --qf '/usr/src/shredder-kernel-%%{VERSION}-%%{RELEASE}' kernel-source-shredder-kernel)" kernel-source-shredder-kernel
 pushd kernel-source-shredder-kernel
 %kmake KERNEL_PATH=%{src_dir}
@ -1391,25 +1361,8 @@ popd
 rm -fr kernel-source-shredder-kernel
 %endif
-%ifarch %{ix86} %{x86_64}
+%if %{with binary_virtualbox_host}
 # build commands for virtualbox are based on the ones from the virtualbox package
 cp -r "$(rpm -q --qf '/usr/src/vboxadditions-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox-vboxadditions)" kernel-source-virtualbox-vboxadditions
 mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
 pushd kernel-source-virtualbox-vboxadditions
 %kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxguest
 cp -fv vboxguest/Module.symvers vboxsf/
 %kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxsf
 # TODO: vboxvideo is also build inside the upstream kernel...
 # vboxsf is not in kernel 5.4
 # https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
 cp -fv vboxsf/Module.symvers vboxvideo/
 %kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxvideo
 for i in vboxguest vboxsf vboxvideo
 do
 	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
 done
 popd
 cp -r "$(rpm -q --qf '/usr/src/virtualbox-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox)" kernel-source-virtualbox
 mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
 pushd kernel-source-virtualbox
@ -1626,12 +1579,12 @@ cat > $kernel_files <<EOF
 %if %{with binary_extra_modules}
 # 8821ce.ko.debug will not be excluded and will be in the main debug subpackage
 %exclude %{_modulesdir}/%{kver_full}/kernel/net/wireless/8821ce.ko%{kmod_suffix}
-%ifarch %{x86_64}
+%if %{with binary_shredder}
 %exclude %{_modulesdir}/%{kver_full}/kernel/extra/shredder-kernel.ko%{kmod_suffix}
 %endif
-%ifarch %{ix86} %{x86_64}
+%if %{with binary_virtualbox_host}
-# vbox host: vboxnetflt vboxnetadp vboxdrv vboxpci
+# vbox host modules may be built here (vboxnetflt vboxnetadp vboxdrv vboxpci)
-# vbox guest: vboxvideo vboxguest vboxsf
+# vbox guest modules are in the mainline kernel now (vboxvideo vboxguest vboxsf)
 %exclude %{_modulesdir}/%{kver_full}/kernel/misc/vbox*.ko%{kmod_suffix}
 %endif
 %exclude %{_modulesdir}/%{kver_full}/kernel/net/xt_TRIPSO.ko%{kmod_suffix}
--- a/objtool-sync-check.sh-set-the-exit-code-explicitly.patch
+++ b/objtool-sync-check.sh-set-the-exit-code-explicitly.patch
@ -1,32 +0,0 @@
 From 6b70660e7d730b1ef79360ba7c23fc9f1d4b60e3 Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 Date: Sat, 7 Mar 2020 19:23:40 +0300
 Subject: [PATCH] objtool/sync-check.sh: set the exit code explicitly
 Commit 6ec14aa7a58a "objtool: Silence build output" removed 'cd -' from
 the end of sync-check.sh script. As a side-effect, the script now exits
 with the exit code of the last executed 'check' command. If any of the
 files it should check are missing (which is not an error per se), it will
 return 1 and objtool will fail to build.
 Explicit 'exit 0' at the end should fix that.
 Fixes: 6ec14aa7a58a "objtool: Silence build output"
 Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 ---
 tools/objtool/sync-check.sh | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/tools/objtool/sync-check.sh b/tools/objtool/sync-check.sh
 index 2a1261bfbb62..f23bd02c1b77 100755
 --- a/tools/objtool/sync-check.sh
 +++ b/tools/objtool/sync-check.sh
@@ -48,3 +48,5 @@ check arch/x86/include/asm/inat.h     '-I "^#include [\"<]\(asm/\)*inat_types.h[
 check arch/x86/include/asm/insn.h     '-I "^#include [\"<]\(asm/\)*inat.h[\">]"'
 check arch/x86/lib/inat.c             '-I "^#include [\"<]\(../include/\)*asm/insn.h[\">]"'
 check arch/x86/lib/insn.c             '-I "^#include [\"<]\(../include/\)*asm/in\(at\|sn\).h[\">]"'
 +
 +exit 0
 -- 
 2.24.0