authorBertrand Jacquin <bertrand@jacquin.bzh>2020-08-02 20:24:03 +0100
committerBertrand Jacquin <bertrand@jacquin.bzh>2020-08-02 21:15:58 +0100
commit596c01198ce4b96e6e334dd93e37ebd113166a91 (patch)
treee4749e88823034750d773baf88e402ab3a1ec8ef
parentsys-kernel/stable-sources: Drop 5.5 (diff)
sys-kernel/stable-sources: Add 5.7HEADmaster
-rw-r--r--sys-kernel/boest-v5.7.12/0001-patch-5.7-ja1.diff.patch2134
-rw-r--r--sys-kernel/boest-v5.7.12/0002-pool-2.6.25-tcp-timewait-20s.diff.patch27
-rw-r--r--sys-kernel/boest-v5.7.12/0003-pool-2.6.25-disable-tcp-debug.diff.patch25
-rw-r--r--sys-kernel/boest-v5.7.12/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch141
-rw-r--r--sys-kernel/boest-v5.7.12/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch34
-rw-r--r--sys-kernel/boest-v5.7.12/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch45
-rw-r--r--sys-kernel/boest-v5.7.12/0007-This-patch-adds-support-for-a-restricted-user-contro.patch74
-rw-r--r--sys-kernel/boest-v5.7.12/0008-fs-Enable-link-security-restrictions-by-default.patch26
-rw-r--r--sys-kernel/boest-v5.7.12/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch38
-rw-r--r--sys-kernel/boest-v5.7.12/0010-5.7-2600_enable-key-swapping-for-apple-mac.patch.patch125
-rw-r--r--sys-kernel/boest-v5.7.12/0011-This-driver-requires-REGMAP_I2C-to-build.-Select-it-.patch26
-rw-r--r--sys-kernel/boest-v5.7.12/0012-5.7-2910_TVP5150-Fix-build-issue-by-selecting-REGMAP.patch22
-rw-r--r--sys-kernel/boest-v5.7.12/0013-5.7-2920_sign-file-patch-for-libressl.patch.patch27
-rw-r--r--sys-kernel/boest-v5.7.12/0014-5.7-4567_distro-Gentoo-Kconfig.patch.patch183
-rw-r--r--sys-kernel/boest-v5.7.12/0015-5.7-5000_ZSTD-v5-1-8-prepare-zstd-for-preboot-env.pa.patch93
-rw-r--r--sys-kernel/boest-v5.7.12/0016-5.7-5001_ZSTD-v5-2-8-prepare-xxhash-for-preboot-env..patch103
-rw-r--r--sys-kernel/boest-v5.7.12/0017-5.7-5002_ZSTD-v5-3-8-add-zstd-support-to-decompress..patch435
-rw-r--r--sys-kernel/boest-v5.7.12/0018-5.7-5003_ZSTD-v5-4-8-add-support-for-zstd-compres-ke.patch75
-rw-r--r--sys-kernel/boest-v5.7.12/0019-5.7-5004_ZSTD-v5-5-8-add-support-for-zstd-compressed.patch61
-rw-r--r--sys-kernel/boest-v5.7.12/0020-5.7-5005_ZSTD-v5-6-8-bump-ZO-z-extra-bytes-margin.pa.patch29
-rw-r--r--sys-kernel/boest-v5.7.12/0021-5.7-5006_ZSTD-v5-7-8-support-for-ZSTD-compressed-ker.patch105
-rw-r--r--sys-kernel/boest-v5.7.12/0022-5.7-5007_ZSTD-v5-8-8-gitignore-add-ZSTD-compressed-f.patch22
-rw-r--r--sys-kernel/boest-v5.7.12/0023-WARNING.patch661
l---------sys-kernel/stable-sources-5.7.121
24 files changed, 4512 insertions, 0 deletions
diff --git a/sys-kernel/boest-v5.7.12/0001-patch-5.7-ja1.diff.patch b/sys-kernel/boest-v5.7.12/0001-patch-5.7-ja1.diff.patch
new file mode 100644
index 00000000..b431a77e
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0001-patch-5.7-ja1.diff.patch
@@ -0,0 +1,2134 @@
+From be4e4ca31134d2fd4aa54f4a1d9eac2117b050a4 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 6 Jun 2020 14:32:04 +0000
+Subject: [PATCH] patch-5.7-ja1.diff
+
+Jumbo patch containing the following parts:
+ - routes-2.X.*.diff (static_routes, alt_routes, nf_reroute but without arp_prefsrc functionality, it is replaced by arprules and rp_filter_mask)
+ - hidden-2.X.*.diff (conf/*/hidden)
+ - arprules-2.X.*.diff (iparp/arprules support)
+ - rp_filter_mask-2.X.*.diff (conf/*/rp_filter_mask)
+ - forward_shared-2.X.*.diff (conf/*/forward_shared)
+ - send-to-self-2.X.*.diff (conf/*/loop, included March 3, 2004, up to Linux 3.5)
+
+URL: http://ja.ssi.bg/patch-5.7-ja1.diff
+---
+ Documentation/networking/ip-sysctl.txt | 30 ++
+ include/linux/inetdevice.h | 3 +
+ include/net/flow.h | 2 +
+ include/net/ip_fib.h | 5 +-
+ include/net/netfilter/nf_nat.h | 5 +
+ include/net/route.h | 5 +
+ include/uapi/linux/ip.h | 3 +
+ include/uapi/linux/rtnetlink.h | 64 ++-
+ net/bridge/br_netfilter_hooks.c | 3 +
+ net/ipv4/arp.c | 695 ++++++++++++++++++++++++-
+ net/ipv4/devinet.c | 16 +-
+ net/ipv4/fib_frontend.c | 56 +-
+ net/ipv4/fib_rules.c | 5 +
+ net/ipv4/fib_semantics.c | 237 ++++++---
+ net/ipv4/fib_trie.c | 5 +
+ net/ipv4/netfilter/iptable_nat.c | 7 +
+ net/ipv4/route.c | 72 ++-
+ net/netfilter/nf_nat_core.c | 43 ++
+ net/netfilter/nf_nat_masquerade.c | 27 +-
+ security/selinux/nlmsgtab.c | 5 +-
+ 20 files changed, 1169 insertions(+), 119 deletions(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 9375324aa8e1..a456dae1a8ef 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -1149,6 +1149,19 @@ forwarding - BOOLEAN
+ Enable IP forwarding on this interface. This controls whether packets
+ received _on_ this interface can be forwarded.
+
++forward_shared - BOOLEAN
++ Integer value determines if a source validation should allow
++ forwarding of packets with local source address. 1 means yes,
++ 0 means no. By default the flag is disabled and such packets
++ are not forwarded.
++
++ If you enable this flag on internal network, the router will forward
++ packets from internal hosts with shared IP addresses no matter how
++ the rp_filter is set. This flag is activated only if it is
++ enabled both in specific device section and in "all" section.
++
++ The forward_shared value could be ignored when rp_filter is set to 0.
++
+ mc_forwarding - BOOLEAN
+ Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
+ and a multicast routing daemon is required.
+@@ -1264,6 +1277,15 @@ rp_filter - INTEGER
+ Default value is 0. Note that some distributions enable it
+ in startup scripts.
+
++rp_filter_mask - INTEGER
++ Integer value representing bitmask of the mediums for which the
++ reverse path protection is disabled. If the source validation
++ results in reverse path to interface with medium_id value in
++ the 1..31 range the access is allowed if the corresponding bit
++ is set in the bitmask. The bitmask value is considered only when
++ rp_filter is enabled. By default the bitmask is empty preserving
++ the original rp_filter semantic.
++
+ arp_filter - BOOLEAN
+ 1 - Allows you to have multiple network interfaces on the same
+ subnet, and have the ARPs for each interface be answered
+@@ -1404,6 +1426,14 @@ drop_gratuitous_arp - BOOLEAN
+ Default: off (0)
+
+
++hidden - BOOLEAN
++ Hide addresses attached to this device from other devices.
++ Such addresses will never be selected by source address autoselection
++ mechanism, host does not answer broadcast ARP requests for them,
++ does not announce them as source address of ARP requests, but they
++ are still reachable via IP. This flag is activated only if it is
++ enabled both in specific device section and in "all" section.
++
+ tag - INTEGER
+ Allows you to write a number, which can be used as required.
+ Default value is 0.
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 3515ca64e638..d859a561ad61 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -97,9 +97,11 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
+ #define IN_DEV_MFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), MC_FORWARDING)
+ #define IN_DEV_BFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), BC_FORWARDING)
+ #define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
++#define IN_DEV_RPFILTER_MASK(in_dev) IN_DEV_CONF_GET(in_dev, RP_FILTER_MASK)
+ #define IN_DEV_SRC_VMARK(in_dev) IN_DEV_ORCONF((in_dev), SRC_VMARK)
+ #define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
+ ACCEPT_SOURCE_ROUTE)
++#define IN_DEV_FORWARD_SHARED(in_dev) IN_DEV_ANDCONF((in_dev), FORWARD_SHARED)
+ #define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
+ #define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
+
+@@ -112,6 +114,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
+ SECURE_REDIRECTS)
+ #define IN_DEV_IDTAG(in_dev) IN_DEV_CONF_GET(in_dev, TAG)
+ #define IN_DEV_MEDIUM_ID(in_dev) IN_DEV_CONF_GET(in_dev, MEDIUM_ID)
++#define IN_DEV_HIDDEN(in_dev) IN_DEV_ANDCONF((in_dev), HIDDEN)
+ #define IN_DEV_PROMOTE_SECONDARIES(in_dev) \
+ IN_DEV_ORCONF((in_dev), \
+ PROMOTE_SECONDARIES)
+diff --git a/include/net/flow.h b/include/net/flow.h
+index a50fb77a0b27..7dcdb9b3162e 100644
+--- a/include/net/flow.h
++++ b/include/net/flow.h
+@@ -93,6 +93,7 @@ struct flowi4 {
+ #define fl4_ipsec_spi uli.spi
+ #define fl4_mh_type uli.mht.type
+ #define fl4_gre_key uli.gre_key
++ __be32 fl4_gw;
+ } __attribute__((__aligned__(BITS_PER_LONG/8)));
+
+ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
+@@ -116,6 +117,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
+ fl4->saddr = saddr;
+ fl4->fl4_dport = dport;
+ fl4->fl4_sport = sport;
++ fl4->fl4_gw = 0;
+ }
+
+ /* Reset some input parameters after previous lookup */
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index 2ec062aaa978..6fd01305bb68 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -422,6 +422,8 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net,
+ return true;
+ }
+
++u32 fib_result_table(struct fib_result *res);
++
+ #endif /* CONFIG_IP_MULTIPLE_TABLES */
+
+ /* Exported by fib_frontend.c */
+@@ -433,7 +435,8 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb);
+ bool fib_info_nh_uses_dev(struct fib_info *fi, const struct net_device *dev);
+ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- struct in_device *idev, u32 *itag);
++ struct in_device *idev, u32 *itag, int our);
++void fib_select_default(const struct flowi4 *flp, struct fib_result *res);
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ static inline int fib_num_tclassid_users(struct net *net)
+ {
+diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
+index 0d412dd63707..f465b617aac7 100644
+--- a/include/net/netfilter/nf_nat.h
++++ b/include/net/netfilter/nf_nat.h
+@@ -35,6 +35,11 @@ struct nf_conn_nat {
+ #endif
+ };
+
++/* Call input routing for SNAT-ed traffic */
++unsigned int ip_nat_route_input(void *priv,
++ struct sk_buff *skb,
++ const struct nf_hook_state *state);
++
+ /* Set up the info structure to map into this range. */
+ unsigned int nf_nat_setup_info(struct nf_conn *ct,
+ const struct nf_nat_range2 *range,
+diff --git a/include/net/route.h b/include/net/route.h
+index ff021cab657e..4252c2724ec9 100644
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -190,6 +190,9 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
+ int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
+ u8 tos, struct net_device *devin,
+ struct fib_result *res);
++int ip_route_input_common_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
++ u8 tos, struct net_device *devin, __be32 lsrc,
++ struct fib_result *res);
+
+ int ip_route_use_hint(struct sk_buff *skb, __be32 dst, __be32 src,
+ u8 tos, struct net_device *devin,
+@@ -229,6 +232,8 @@ unsigned int inet_addr_type_dev_table(struct net *net,
+ void ip_rt_multicast_event(struct in_device *);
+ int ip_rt_ioctl(struct net *, unsigned int cmd, struct rtentry *rt);
+ void ip_rt_get_source(u8 *src, struct sk_buff *skb, struct rtable *rt);
++int ip_route_input_lookup(struct sk_buff*, __be32 dst, __be32 src, u8 tos,
++ struct net_device *devin, __be32 lsrc);
+ struct rtable *rt_dst_alloc(struct net_device *dev,
+ unsigned int flags, u16 type,
+ bool nopolicy, bool noxfrm);
+diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+index e42d13b55cf3..d03711046f2e 100644
+--- a/include/uapi/linux/ip.h
++++ b/include/uapi/linux/ip.h
+@@ -169,6 +169,9 @@ enum
+ IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
+ IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
+ IPV4_DEVCONF_BC_FORWARDING,
++ IPV4_DEVCONF_HIDDEN,
++ IPV4_DEVCONF_RP_FILTER_MASK,
++ IPV4_DEVCONF_FORWARD_SHARED,
+ __IPV4_DEVCONF_MAX
+ };
+
+diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
+index 4a8c5b745157..cf303a6c3bb3 100644
+--- a/include/uapi/linux/rtnetlink.h
++++ b/include/uapi/linux/rtnetlink.h
+@@ -178,6 +178,13 @@ enum {
+ RTM_GETVLAN,
+ #define RTM_GETVLAN RTM_GETVLAN
+
++ RTM_NEWARPRULE = 116,
++#define RTM_NEWARPRULE RTM_NEWARPRULE
++ RTM_DELARPRULE,
++#define RTM_DELARPRULE RTM_DELARPRULE
++ RTM_GETARPRULE,
++#define RTM_GETARPRULE RTM_GETARPRULE
++
+ __RTM_MAX,
+ #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
+ };
+@@ -398,8 +405,11 @@ struct rtnexthop {
+ #define RTNH_F_OFFLOAD 8 /* offloaded route */
+ #define RTNH_F_LINKDOWN 16 /* carrier-down on nexthop */
+ #define RTNH_F_UNRESOLVED 32 /* The entry is unresolved (ipmr) */
++#define RTNH_F_SUSPECT 64 /* We don't know the real state */
++#define RTNH_F_BADSTATE (RTNH_F_DEAD | RTNH_F_SUSPECT)
+
+-#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | RTNH_F_OFFLOAD)
++#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | \
++ RTNH_F_OFFLOAD | RTNH_F_SUSPECT)
+
+ /* Macros to handle hexthops */
+
+@@ -641,6 +651,54 @@ enum {
+
+ #define NDUSEROPT_MAX (__NDUSEROPT_MAX - 1)
+
++/******************************************************************************
++ * Definitions used in ARP tables administration
++ ****/
++
++#define ARPA_TABLE_INPUT 0
++#define ARPA_TABLE_OUTPUT 1
++#define ARPA_TABLE_FORWARD 2
++#define ARPA_TABLE_ALL -1
++
++#define ARPM_F_PREFSRC 0x0001
++#define ARPM_F_WILDIIF 0x0002
++#define ARPM_F_WILDOIF 0x0004
++#define ARPM_F_BROADCAST 0x0008
++#define ARPM_F_UNICAST 0x0010
++
++struct arpmsg
++{
++ unsigned char arpm_family;
++ unsigned char arpm_table;
++ unsigned char arpm_action;
++ unsigned char arpm_from_len;
++ unsigned char arpm_to_len;
++ unsigned char arpm__pad1;
++ unsigned short arpm__pad2;
++ unsigned arpm_pref;
++ unsigned arpm_flags;
++};
++
++enum
++{
++ ARPA_UNSPEC,
++ ARPA_FROM, /* FROM IP prefix */
++ ARPA_TO, /* TO IP prefix */
++ ARPA_LLFROM, /* FROM LL prefix */
++ ARPA_LLTO, /* TO LL prefix */
++ ARPA_LLSRC, /* New SRC lladdr */
++ ARPA_LLDST, /* New DST lladdr */
++ ARPA_IIF, /* In interface prefix */
++ ARPA_OIF, /* Out interface prefix */
++ ARPA_SRC, /* New IP SRC */
++ ARPA_DST, /* New IP DST, not used */
++ ARPA_PACKETS, /* Packets */
++};
++
++#define ARPA_MAX ARPA_PACKETS
++
++#define ARPA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct arpmsg))))
++
+ #ifndef __KERNEL__
+ /* RTnetlink multicast groups - backwards compatibility for userspace */
+ #define RTMGRP_LINK 1
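Review bot: `struct arpmsg` has two padding members, `arpm__pad1` and `arpm__pad2`, and arpf_fill_node() in net/ipv4/arp.c (later in this patch) assigns every other member but not these before the message is sent to user space. As far as I can tell nlmsg_put() clears only the alignment padding, not the payload, so those three bytes would carry stale kernel memory; zero them in the fill path, e.g. `am->arpm__pad1 = 0; am->arpm__pad2 = 0;`. Separately, `#define ARPA_TABLE_ALL -1` should be parenthesised as `(-1)`, and because `arpm_table` is an `unsigned char` it is worth a comment on how that value is meant to be compared.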
+@@ -661,6 +719,8 @@ enum {
+ #define RTMGRP_DECnet_IFADDR 0x1000
+ #define RTMGRP_DECnet_ROUTE 0x4000
+
++#define RTMGRP_ARP 0x00010000
++
+ #define RTMGRP_IPV6_PREFIX 0x20000
+ #endif
+
+@@ -732,6 +792,8 @@ enum rtnetlink_groups {
+ #define RTNLGRP_NEXTHOP RTNLGRP_NEXTHOP
+ RTNLGRP_BRVLAN,
+ #define RTNLGRP_BRVLAN RTNLGRP_BRVLAN
++ RTNLGRP_ARP,
++#define RTNLGRP_ARP RTNLGRP_ARP
+ __RTNLGRP_MAX
+ };
+ #define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 59980ecfc962..e3efd38ae52f 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -359,6 +359,9 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
+
+ nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
+
++ /* Old skb->dst is not expected, it is lost in all cases */
++ skb_dst_drop(skb);
++
+ if (nf_bridge->pkt_otherhost) {
+ skb->pkt_type = PACKET_OTHERHOST;
+ nf_bridge->pkt_otherhost = false;
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 687971d83b4e..64f1e91c7ce1 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -67,6 +67,9 @@
+ * sending (e.g. insert 8021q tag).
+ * Harald Welte : convert to make use of jenkins hash
+ * Jesper D. Brouer: Proxy ARP PVLAN RFC 3069 support.
++ * Julian Anastasov: "hidden" flag: hide the
++ * interface and don't reply for it
++ * Julian Anastasov: ARP filtering via netlink
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -91,6 +94,7 @@
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
+ #include <linux/stat.h>
++#include <net/netlink.h>
+ #include <linux/init.h>
+ #include <linux/net.h>
+ #include <linux/rcupdate.h>
+@@ -181,6 +185,48 @@ struct neigh_table arp_tbl = {
+ };
+ EXPORT_SYMBOL(arp_tbl);
+
++struct arpf_node {
++ struct arpf_node * at_next;
++ u32 at_pref;
++ u32 at_from;
++ u32 at_from_mask;
++ u32 at_to;
++ u32 at_to_mask;
++ u32 at_src;
++ atomic_t at_packets;
++ atomic_t at_refcnt;
++ unsigned at_flags;
++ unsigned char at_from_len;
++ unsigned char at_to_len;
++ unsigned char at_action;
++ char at_dead;
++ unsigned char at_llfrom_len;
++ unsigned char at_llto_len;
++ unsigned char at_llsrc_len;
++ unsigned char at_lldst_len;
++ unsigned char at_iif_len;
++ unsigned char at_oif_len;
++ unsigned short at__pad1;
++ unsigned char at_llfrom[MAX_ADDR_LEN];
++ unsigned char at_llto[MAX_ADDR_LEN];
++ unsigned char at_llsrc[MAX_ADDR_LEN];
++ unsigned char at_lldst[MAX_ADDR_LEN];
++ char at_iif[IFNAMSIZ];
++ char at_oif[IFNAMSIZ];
++};
++
++static struct arpf_node *arp_tabs[3];
++
++static struct kmem_cache *arpf_cachep;
++
++static DEFINE_RWLOCK(arpf_lock);
++
++static void
++arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev,
++ struct dst_entry *dst);
++
+ int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
+ {
+ switch (dev->type) {
+@@ -334,7 +380,9 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ struct net_device *dev = neigh->dev;
+ __be32 target = *(__be32 *)neigh->primary_key;
+ int probes = atomic_read(&neigh->probes);
+- struct in_device *in_dev;
++ struct in_device *in_dev, *in_dev2;
++ struct net_device *dev2;
++ int mode;
+ struct dst_entry *dst = NULL;
+
+ rcu_read_lock();
+@@ -343,9 +391,22 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ rcu_read_unlock();
+ return;
+ }
+- switch (IN_DEV_ARP_ANNOUNCE(in_dev)) {
++ mode = IN_DEV_ARP_ANNOUNCE(in_dev);
++ if (mode != 2 && skb &&
++ (dev2 = __ip_dev_find(dev_net(dev), ip_hdr(skb)->saddr,
++ false)) != NULL &&
++ (saddr = ip_hdr(skb)->saddr,
++ in_dev2 = __in_dev_get_rcu(dev2)) != NULL &&
++ IN_DEV_HIDDEN(in_dev2)) {
++ saddr = 0;
++ goto get;
++ }
++
++ switch (mode) {
+ default:
+ case 0: /* By default announce any local IP */
++ if (saddr)
++ break;
+ if (skb && inet_addr_type_dev_table(dev_net(dev), dev,
+ ip_hdr(skb)->saddr) == RTN_LOCAL)
+ saddr = ip_hdr(skb)->saddr;
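Review bot: The hidden-device test assigns `saddr` as a comma-operator side effect inside the `if` condition, so the new `if (saddr) break;` in `case 0` and the reworked `case 1` test in the next hunk depend on which clause of that condition ran last. Hoisting the lookup into plain statements keeps the same behaviour and makes it visible that `saddr` is set whenever `__ip_dev_find()` finds the address on any device, not only on a hidden one. That path also bypasses the per-device `inet_addr_type_dev_table()` check that `case 0` otherwise applies, which looks intentional but deserves a comment. arp_solicit() starts and ends outside this hunk, and this assumes `saddr` is still initialised to 0 there.

```c
	mode = IN_DEV_ARP_ANNOUNCE(in_dev);
	if (mode != 2 && skb) {
		dev2 = __ip_dev_find(dev_net(dev), ip_hdr(skb)->saddr, false);
		if (dev2) {
			/* Source address is configured on some device in this netns */
			saddr = ip_hdr(skb)->saddr;
			in_dev2 = __in_dev_get_rcu(dev2);
			if (in_dev2 && IN_DEV_HIDDEN(in_dev2)) {
				/* Never announce an address that lives on a hidden device */
				saddr = 0;
				goto get;
			}
		}
	}
	/* … unchanged: switch (mode) … */
```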
+@@ -353,9 +414,10 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ case 1: /* Restrict announcements of saddr in same subnet */
+ if (!skb)
+ break;
+- saddr = ip_hdr(skb)->saddr;
+- if (inet_addr_type_dev_table(dev_net(dev), dev,
+- saddr) == RTN_LOCAL) {
++ if (saddr ||
++ (saddr = ip_hdr(skb)->saddr,
++ inet_addr_type_dev_table(dev_net(dev), dev,
++ saddr) == RTN_LOCAL)) {
+ /* saddr should be known to target */
+ if (inet_addr_onlink(in_dev, target, saddr))
+ break;
+@@ -365,6 +427,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ case 2: /* Avoid secondary IPs, get a primary/preferred one */
+ break;
+ }
++
++get:
+ rcu_read_unlock();
+
+ if (!saddr)
+@@ -386,8 +450,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+
+ if (skb && !(dev->priv_flags & IFF_XMIT_DST_RELEASE))
+ dst = skb_dst(skb);
+- arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, target, dev, saddr,
+- dst_hw, dev->dev_addr, NULL, dst);
++ arpf_send(ARPA_TABLE_OUTPUT, dev_net(dev), skb, saddr, target, NULL,
++ dst_hw, NULL, dev, dst);
+ }
+
+ static int arp_ignore(struct in_device *in_dev, __be32 sip, __be32 tip)
+@@ -444,6 +508,21 @@ static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
+ return flag;
+ }
+
++static int arp_hidden(u32 tip, struct net_device *dev)
++{
++ struct net_device *dev2;
++ struct in_device *in_dev2;
++ int ret = 0;
++
++ if (!IPV4_DEVCONF_ALL(dev_net(dev), HIDDEN))
++ return 0;
++
++ if ((dev2 = __ip_dev_find(dev_net(dev), tip, false)) && dev2 != dev &&
++ (in_dev2 = __in_dev_get_rcu(dev2)) && IN_DEV_HIDDEN(in_dev2))
++ ret = 1;
++ return ret;
++}
++
+ /*
+ * Check if we can use proxy ARP for this path
+ */
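Review bot: arp_hidden() declares `u32 tip`, while arp_ignore() and arp_filter() right next to it take `__be32` and the callers pass a network-order address, so sparse endianness checking is lost for this argument; declare it as `static int arp_hidden(__be32 tip, struct net_device *dev)`. The same applies to the `u32 sip, u32 tip` parameters of arpf_send() and arpf_lookup() elsewhere in this file. `__ip_dev_find()` and `__in_dev_get_rcu()` are the lockless variants, so a one-line comment such as `/* Caller must hold rcu_read_lock() */` above the function would document the requirement the callers have to meet.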
+@@ -804,9 +883,10 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ if (sip == 0) {
+ if (arp->ar_op == htons(ARPOP_REQUEST) &&
+ inet_addr_type_dev_table(net, dev, tip) == RTN_LOCAL &&
++ !arp_hidden(tip, dev) &&
+ !arp_ignore(in_dev, sip, tip))
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip,
+- sha, dev->dev_addr, sha, reply_dst);
++ arpf_send(ARPA_TABLE_INPUT, net, skb, sip, tip, sha,
++ tha, dev, NULL, reply_dst);
+ goto out_consume_skb;
+ }
+
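Review bot: `tha` is now passed to arpf_send() as `to_hw`, and arpf_lookup() hands that pointer to `memcmp()` whenever a rule has a non-empty `at_llto`. Upstream arp_process() leaves `tha` NULL for IEEE 1394 devices (that code is outside this hunk, so please confirm), which would turn a received ARP packet into a NULL dereference once such a rule is loaded. The arpf_send() calls in the two following arp_process hunks pass `tha` the same way. Treating a missing address as a non-match in arpf_lookup() closes this, e.g. `if (afp->at_llto_len && (!to_hw || afp->at_llto_len > alen || memcmp(to_hw, afp->at_llto, afp->at_llto_len)))`.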
+@@ -822,13 +902,14 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ dont_send = arp_ignore(in_dev, sip, tip);
+ if (!dont_send && IN_DEV_ARPFILTER(in_dev))
+ dont_send = arp_filter(sip, tip, dev);
++ if (!dont_send && skb->pkt_type != PACKET_HOST)
++ dont_send = arp_hidden(tip,dev);
+ if (!dont_send) {
+ n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
+ if (n) {
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
+- sip, dev, tip, sha,
+- dev->dev_addr, sha,
+- reply_dst);
++ arpf_send(ARPA_TABLE_INPUT, net, skb,
++ sip, tip, sha, tha, dev,
++ NULL, reply_dst);
+ neigh_release(n);
+ }
+ }
+@@ -846,10 +927,9 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ if (NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED ||
+ skb->pkt_type == PACKET_HOST ||
+ NEIGH_VAR(in_dev->arp_parms, PROXY_DELAY) == 0) {
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
+- sip, dev, tip, sha,
+- dev->dev_addr, sha,
+- reply_dst);
++ arpf_send(ARPA_TABLE_FORWARD, net,
++ skb, sip, tip, sha, tha, dev,
++ rt->dst.dev, reply_dst);
+ } else {
+ pneigh_enqueue(&arp_tbl,
+ in_dev->arp_parms, skb);
+@@ -1275,6 +1355,577 @@ void arp_ifdown(struct net_device *dev)
+ }
+
+
++static void arpf_destroy(struct arpf_node *afp)
++{
++ if (!afp->at_dead) {
++ printk(KERN_ERR "Destroying alive arp table node %p from %08lx\n", afp,
++ *(((unsigned long*)&afp)-1));
++ return;
++ }
++ kmem_cache_free(arpf_cachep, afp);
++}
++
++static inline void arpf_put(struct arpf_node *afp)
++{
++ if (atomic_dec_and_test(&afp->at_refcnt))
++ arpf_destroy(afp);
++}
++
++static inline struct arpf_node *
++arpf_lookup(int table, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev)
++{
++ int sz_iif = idev? strlen(idev->name) : 0;
++ int sz_oif = odev? strlen(odev->name) : 0;
++ int alen;
++ struct arpf_node *afp;
++
++ if (ARPA_TABLE_OUTPUT != table) {
++ alen = idev->addr_len;
++ } else {
++ if (!from_hw) from_hw = odev->dev_addr;
++ if (!to_hw) to_hw = odev->broadcast;
++ alen = odev->addr_len;
++ }
++
++ read_lock_bh(&arpf_lock);
++ for (afp = arp_tabs[table]; afp; afp = afp->at_next) {
++ if ((tip ^ afp->at_to) & afp->at_to_mask)
++ continue;
++ if ((sip ^ afp->at_from) & afp->at_from_mask)
++ continue;
++ if (afp->at_llfrom_len &&
++ (afp->at_llfrom_len > alen ||
++ memcmp(from_hw, afp->at_llfrom, afp->at_llfrom_len)))
++ continue;
++ if (afp->at_llto_len &&
++ (afp->at_llto_len > alen ||
++ memcmp(to_hw, afp->at_llto, afp->at_llto_len)))
++ continue;
++ if (afp->at_iif_len &&
++ (afp->at_iif_len > sz_iif ||
++ memcmp(afp->at_iif, idev->name, afp->at_iif_len) ||
++ (sz_iif != afp->at_iif_len &&
++ !(afp->at_flags & ARPM_F_WILDIIF))))
++ continue;
++ if (afp->at_oif_len &&
++ (afp->at_oif_len > sz_oif ||
++ memcmp(afp->at_oif, odev->name, afp->at_oif_len) ||
++ (sz_oif != afp->at_oif_len &&
++ !(afp->at_flags & ARPM_F_WILDOIF))))
++ continue;
++ if (afp->at_flags & ARPM_F_BROADCAST &&
++ skb->pkt_type == PACKET_HOST)
++ continue;
++ if (afp->at_flags & ARPM_F_UNICAST &&
++ skb->pkt_type != PACKET_HOST)
++ continue;
++ if (afp->at_llsrc_len && afp->at_llsrc_len != alen)
++ continue;
++ if (afp->at_lldst_len && afp->at_lldst_len != alen)
++ continue;
++ atomic_inc(&afp->at_refcnt);
++ atomic_inc(&afp->at_packets);
++ break;
++ }
++ read_unlock_bh(&arpf_lock);
++ return afp;
++}
++
++static void
++arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev,
++ struct dst_entry *dst)
++{
++ struct arpf_node *afp = NULL;
++
++ if (!arp_tabs[table] ||
++ !net_eq(net, &init_net) ||
++ !(afp = arpf_lookup(table, skb, sip, tip,
++ from_hw, to_hw, idev, odev))) {
++ switch (table) {
++ case ARPA_TABLE_INPUT:
++ case ARPA_TABLE_FORWARD:
++ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
++ from_hw, idev->dev_addr, from_hw, dst);
++ break;
++ case ARPA_TABLE_OUTPUT:
++ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev, sip,
++ to_hw, odev->dev_addr, NULL, dst);
++ break;
++ }
++ return;
++ }
++
++ /* deny? */
++ if (!afp->at_action) goto out;
++
++ switch (table) {
++ case ARPA_TABLE_INPUT:
++ case ARPA_TABLE_FORWARD:
++ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
++ afp->at_lldst_len?afp->at_lldst:from_hw,
++ afp->at_llsrc_len?afp->at_llsrc:idev->dev_addr,
++ afp->at_lldst_len?afp->at_lldst:from_hw, dst);
++ break;
++ case ARPA_TABLE_OUTPUT:
++ if (afp->at_flags & ARPM_F_PREFSRC && afp->at_src == 0) {
++ struct rtable *rt;
++ struct flowi4 fl4 = { .daddr = tip,
++ .flowi4_oif = odev->ifindex };
++
++ rt = ip_route_output_key(net, &fl4);
++ if (IS_ERR(rt))
++ break;
++ sip = fl4.saddr;
++ ip_rt_put(rt);
++ if (!sip)
++ break;
++ }
++ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev,
++ afp->at_src?:sip,
++ afp->at_lldst_len?afp->at_lldst:to_hw,
++ afp->at_llsrc_len?afp->at_llsrc:odev->dev_addr,
++ NULL, dst);
++ break;
++ }
++
++out:
++ arpf_put(afp);
++}
++
++static int
++arpf_fill_node(struct sk_buff *skb, u32 portid, u32 seq, unsigned flags,
++ int event, int table, struct arpf_node *afp)
++{
++ struct arpmsg *am;
++ struct nlmsghdr *nlh;
++ u32 packets = atomic_read(&afp->at_packets);
++
++ nlh = nlmsg_put(skb, portid, seq, event, sizeof(*am), 0);
++ if (nlh == NULL)
++ return -ENOBUFS;
++ nlh->nlmsg_flags = flags;
++ am = nlmsg_data(nlh);
++ am->arpm_family = AF_UNSPEC;
++ am->arpm_table = table;
++ am->arpm_action = afp->at_action;
++ am->arpm_from_len = afp->at_from_len;
++ am->arpm_to_len = afp->at_to_len;
++ am->arpm_pref = afp->at_pref;
++ am->arpm_flags = afp->at_flags;
++ if (afp->at_from_len &&
++ nla_put(skb, ARPA_FROM, 4, &afp->at_from))
++ goto nla_put_failure;
++ if (afp->at_to_len &&
++ nla_put(skb, ARPA_TO, 4, &afp->at_to))
++ goto nla_put_failure;
++ if ((afp->at_src || afp->at_flags & ARPM_F_PREFSRC) &&
++ nla_put(skb, ARPA_SRC, 4, &afp->at_src))
++ goto nla_put_failure;
++ if (afp->at_iif[0] &&
++ nla_put(skb, ARPA_IIF, sizeof(afp->at_iif), afp->at_iif))
++ goto nla_put_failure;
++ if (afp->at_oif[0] &&
++ nla_put(skb, ARPA_OIF, sizeof(afp->at_oif), afp->at_oif))
++ goto nla_put_failure;
++ if (afp->at_llfrom_len &&
++ nla_put(skb, ARPA_LLFROM, afp->at_llfrom_len, afp->at_llfrom))
++ goto nla_put_failure;
++ if (afp->at_llto_len &&
++ nla_put(skb, ARPA_LLTO, afp->at_llto_len, afp->at_llto))
++ goto nla_put_failure;
++ if (afp->at_llsrc_len &&
++ nla_put(skb, ARPA_LLSRC, afp->at_llsrc_len, afp->at_llsrc))
++ goto nla_put_failure;
++ if (afp->at_lldst_len &&
++ nla_put(skb, ARPA_LLDST, afp->at_lldst_len, afp->at_lldst))
++ goto nla_put_failure;
++ if (nla_put(skb, ARPA_PACKETS, 4, &packets))
++ goto nla_put_failure;
++ nlmsg_end(skb, nlh);
++ return 0;
++
++nla_put_failure:
++ nlmsg_cancel(skb, nlh);
++ return -EMSGSIZE;
++}
++
++static void
++arpmsg_notify(struct sk_buff *oskb, struct nlmsghdr *nlh, int table,
++ struct arpf_node *afp, int event)
++{
++ struct sk_buff *skb;
++ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
++ int payload = sizeof(struct arpmsg) + 256;
++ int err = -ENOBUFS;
++
++ skb = nlmsg_new(nlmsg_total_size(payload), GFP_KERNEL);
++ if (!skb)
++ goto errout;
++
++ err = arpf_fill_node(skb, portid, nlh->nlmsg_seq, 0, event, table, afp);
++ if (err < 0) {
++ kfree_skb(skb);
++ goto errout;
++ }
++
++ rtnl_notify(skb, &init_net, portid, RTNLGRP_ARP, nlh, GFP_KERNEL);
++ return;
++errout:
++ if (err < 0)
++ rtnl_set_sk_err(&init_net, RTNLGRP_ARP, err);
++}
++
++static inline int
++arpf_str_size(int a, struct nlattr **rta, int maxlen)
++{
++ int size = 0;
++
++ if (rta[a] && (size = nla_len(rta[a]))) {
++ if (size > maxlen)
++ size = maxlen;
++ }
++ return size;
++}
++
++static inline int
++arpf_get_str(int a, struct nlattr **rta, unsigned char *p,
++ int maxlen, unsigned char *l)
++{
++ int size = arpf_str_size(a, rta, maxlen);
++
++ if (size) {
++ memcpy(p, nla_data(rta[a]), size);
++ *l = size;
++ }
++ return size;
++}
++
++#define ARPF_MATCH_U32(ind, field) ( \
++ (!rta[ind] && r->at_ ## field == 0) || \
++ (rta[ind] && \
++ *(u32*) nla_data(rta[ind]) == r->at_ ## field))
++
++#define ARPF_MATCH_STR(ind, field) ( \
++ (!rta[ind] && r->at_ ## field ## _len == 0) || \
++ (rta[ind] && r->at_ ## field ## _len && \
++ r->at_ ## field ## _len < nla_len(rta[ind]) && \
++ strcmp(nla_data(rta[ind]), r->at_ ## field) == 0))
++
++#define ARPF_MATCH_DATA(ind, field) ( \
++ (!rta[ind] && r->at_ ## field ## _len == 0) || \
++ (rta[ind] && r->at_ ## field ## _len && \
++ r->at_ ## field ## _len == nla_len(rta[ind]) && \
++ memcmp(nla_data(rta[ind]), &r->at_ ## field, \
++ r->at_ ## field ## _len) == 0))
++
++/* RTM_NEWARPRULE/RTM_DELARPRULE/RTM_GETARPRULE */
++
++int arpf_rule_ctl(struct sk_buff *skb, struct nlmsghdr *n,
++ struct netlink_ext_ack *extack)
++{
++ struct net *net = sock_net(skb->sk);
++ struct nlattr *rta[ARPA_MAX + 1];
++ struct arpmsg *am;
++ struct arpf_node *r, **rp, **prevp = 0, **delp = 0, *newp = 0;
++ unsigned pref = 1;
++ int size, ret;
++
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
++ if (!net_eq(net, &init_net))
++ return -EINVAL;
++
++ ret = nlmsg_parse(n, sizeof(struct arpmsg), rta, ARPA_MAX, NULL,
++ extack);
++ if (ret < 0)
++ return ret;
++
++ am = nlmsg_data(n);
++ ret = -EINVAL;
++ if (am->arpm_table >= sizeof(arp_tabs)/sizeof(arp_tabs[0]))
++ goto out;
++ if (!((~am->arpm_flags) & (ARPM_F_BROADCAST|ARPM_F_UNICAST)))
++ goto out;
++ if (am->arpm_action > 1)
++ goto out;
++ if (am->arpm_to_len > 32 || am->arpm_from_len > 32)
++ goto out;
++ if (am->arpm_flags & ARPM_F_WILDIIF &&
++ (!rta[ARPA_IIF] || !nla_len(rta[ARPA_IIF]) ||
++ !*(char*) nla_data(rta[ARPA_IIF])))
++ am->arpm_flags &= ~ARPM_F_WILDIIF;
++ if (am->arpm_flags & ARPM_F_WILDOIF &&
++ (!rta[ARPA_OIF] || !nla_len(rta[ARPA_OIF]) ||
++ !*(char*) nla_data(rta[ARPA_OIF])))
++ am->arpm_flags &= ~ARPM_F_WILDOIF;
++ switch (am->arpm_table) {
++ case ARPA_TABLE_INPUT:
++ if (rta[ARPA_SRC] || rta[ARPA_OIF])
++ goto out;
++ break;
++ case ARPA_TABLE_OUTPUT:
++ if (rta[ARPA_IIF])
++ goto out;
++ if (am->arpm_flags & (ARPM_F_BROADCAST|ARPM_F_UNICAST))
++ goto out;
++ break;
++ case ARPA_TABLE_FORWARD:
++ if (rta[ARPA_SRC])
++ goto out;
++ break;
++ }
++ if (rta[ARPA_SRC] && !*(u32*) nla_data(rta[ARPA_SRC]))
++ am->arpm_flags |= ARPM_F_PREFSRC;
++ else
++ am->arpm_flags &= ~ARPM_F_PREFSRC;
++
++ for (rp = &arp_tabs[am->arpm_table]; (r=*rp) != NULL; rp=&r->at_next) {
++ if (pref < r->at_pref)
++ prevp = rp;
++ if (am->arpm_pref == r->at_pref ||
++ (!am->arpm_pref &&
++ am->arpm_to_len == r->at_to_len &&
++ am->arpm_from_len == r->at_from_len &&
++ !((am->arpm_flags ^ r->at_flags) &
++ (ARPM_F_BROADCAST | ARPM_F_UNICAST |
++ ARPM_F_WILDIIF | ARPM_F_WILDOIF)) &&
++ ARPF_MATCH_U32(ARPA_TO, to) &&
++ ARPF_MATCH_U32(ARPA_FROM, from) &&
++ ARPF_MATCH_DATA(ARPA_LLFROM, llfrom) &&
++ ARPF_MATCH_DATA(ARPA_LLTO, llto) &&
++ ARPF_MATCH_STR(ARPA_IIF, iif) &&
++ ARPF_MATCH_STR(ARPA_OIF, oif) &&
++ (n->nlmsg_type != RTM_DELARPRULE ||
++ /* DEL matches more keys */
++ (am->arpm_flags == r->at_flags &&
++ am->arpm_action == r->at_action &&
++ ARPF_MATCH_U32(ARPA_SRC, src) &&
++ ARPF_MATCH_DATA(ARPA_LLSRC, llsrc) &&
++ ARPF_MATCH_DATA(ARPA_LLDST, lldst)
++ )
++ )
++ )
++ )
++ break;
++ if (am->arpm_pref && r->at_pref > am->arpm_pref) {
++ r = NULL;
++ break;
++ }
++ pref = r->at_pref+1;
++ }
++
++ /*
++ * r=NULL: *rp != NULL (stopped before next pref), pref: not valid
++ * *rp == NULL (not found), pref: ready to use
++ * r!=NULL: found, pref: not valid
++ *
++ * prevp=NULL: no free slot
++ * prevp!=NULL: free slot for rule
++ */
++
++ if (n->nlmsg_type == RTM_DELARPRULE) {
++ if (!r)
++ return -ESRCH;
++ delp = rp;
++ goto dequeue;
++ }
++
++ if (r) {
++ /* Existing rule */
++ ret = -EEXIST;
++ if (n->nlmsg_flags&NLM_F_EXCL)
++ goto out;
++
++ if (n->nlmsg_flags&NLM_F_REPLACE) {
++ pref = r->at_pref;
++ prevp = delp = rp;
++ goto replace;
++ }
++ }
++
++ if (n->nlmsg_flags&NLM_F_APPEND) {
++ if (r) {
++ pref = r->at_pref+1;
++ for (rp=&r->at_next; (r=*rp) != NULL; rp=&r->at_next) {
++ if (pref != r->at_pref)
++ break;
++ pref ++;
++ }
++ ret = -EBUSY;
++ if (!pref)
++ goto out;
++ } else if (am->arpm_pref)
++ pref = am->arpm_pref;
++ prevp = rp;
++ }
++
++ if (!(n->nlmsg_flags&NLM_F_CREATE)) {
++ ret = -ENOENT;
++ if (n->nlmsg_flags&NLM_F_EXCL || r)
++ ret = 0;
++ goto out;
++ }
++
++ if (!(n->nlmsg_flags&NLM_F_APPEND)) {
++ if (!prevp) {
++ ret = -EBUSY;
++ if (r || *rp ||
++ (!am->arpm_pref && arp_tabs[am->arpm_table]))
++ goto out;
++ prevp = rp;
++ pref = am->arpm_pref? : 99;
++ } else {
++ if (r || !am->arpm_pref) {
++ pref = (*prevp)->at_pref - 1;
++ if (am->arpm_pref && am->arpm_pref < pref)
++ pref = am->arpm_pref;
++ } else {
++ prevp = rp;
++ pref = am->arpm_pref;
++ }
++ }
++ }
++
++replace:
++
++ ret = -ENOMEM;
++ r = kmem_cache_alloc(arpf_cachep, GFP_KERNEL);
++ if (!r)
++ return ret;
++ memset(r, 0, sizeof(*r));
++
++ arpf_get_str(ARPA_LLFROM, rta, r->at_llfrom, MAX_ADDR_LEN,
++ &r->at_llfrom_len);
++ arpf_get_str(ARPA_LLTO, rta, r->at_llto, MAX_ADDR_LEN,
++ &r->at_llto_len);
++ arpf_get_str(ARPA_LLSRC, rta, r->at_llsrc, MAX_ADDR_LEN,
++ &r->at_llsrc_len);
++ arpf_get_str(ARPA_LLDST, rta, r->at_lldst, MAX_ADDR_LEN,
++ &r->at_lldst_len);
++
++ if (delp)
++ r->at_next = (*delp)->at_next;
++ else if (*prevp)
++ r->at_next = *prevp;
++
++ r->at_pref = pref;
++ r->at_from_len = am->arpm_from_len;
++ r->at_from_mask = inet_make_mask(r->at_from_len);
++ if (rta[ARPA_FROM])
++ r->at_from = *(u32*) nla_data(rta[ARPA_FROM]);
++ r->at_from &= r->at_from_mask;
++ r->at_to_len = am->arpm_to_len;
++ r->at_to_mask = inet_make_mask(r->at_to_len);
++ if (rta[ARPA_TO])
++ r->at_to = *(u32*) nla_data(rta[ARPA_TO]);
++ r->at_to &= r->at_to_mask;
++ if (rta[ARPA_SRC])
++ r->at_src = *(u32*) nla_data(rta[ARPA_SRC]);
++ if (rta[ARPA_PACKETS]) {
++ u32 packets = *(u32*) nla_data(rta[ARPA_PACKETS]);
++ atomic_set(&r->at_packets, packets);
++ }
++ atomic_set(&r->at_refcnt, 1);
++ r->at_flags = am->arpm_flags;
++ r->at_action = am->arpm_action;
++
++ if (rta[ARPA_IIF] && (size = nla_len(rta[ARPA_IIF]))) {
++ if (size >= sizeof(r->at_iif))
++ size = sizeof(r->at_iif)-1;
++ memcpy(r->at_iif, nla_data(rta[ARPA_IIF]), size);
++ r->at_iif_len = strlen(r->at_iif);
++ }
++ if (rta[ARPA_OIF] && (size = nla_len(rta[ARPA_OIF]))) {
++ if (size >= sizeof(r->at_oif))
++ size = sizeof(r->at_oif)-1;
++ memcpy(r->at_oif, nla_data(rta[ARPA_OIF]), size);
++ r->at_oif_len = strlen(r->at_oif);
++ }
++
++ newp = r;
++
++dequeue:
++
++ if (delp) {
++ r = *delp;
++ write_lock_bh(&arpf_lock);
++ if (newp) {
++ if (!rta[ARPA_PACKETS])
++ atomic_set(&newp->at_packets,
++ atomic_read(&r->at_packets));
++ *delp = newp;
++ } else {
++ *delp = r->at_next;
++ }
++ r->at_dead = 1;
++ write_unlock_bh(&arpf_lock);
++ arpmsg_notify(skb, n, am->arpm_table, r, RTM_DELARPRULE);
++ arpf_put(r);
++ prevp = 0;
++ }
++
++ if (newp) {
++ if (prevp) {
++ write_lock_bh(&arpf_lock);
++ *prevp = newp;
++ write_unlock_bh(&arpf_lock);
++ }
++ arpmsg_notify(skb, n, am->arpm_table, newp, RTM_NEWARPRULE);
++ }
++
++ ret = 0;
++
++out:
++ return ret;
++}
++
++int arpf_dump_table(int t, struct sk_buff *skb, struct netlink_callback *cb)
++{
++ int idx, ret = -1;
++ struct arpf_node *afp;
++ int s_idx = cb->args[1];
++
++ for (idx=0, afp = arp_tabs[t]; afp; afp = afp->at_next, idx++) {
++ if (idx < s_idx)
++ continue;
++ if (arpf_fill_node(skb, NETLINK_CB(cb->skb).portid,
++ cb->nlh->nlmsg_seq, NLM_F_MULTI, RTM_NEWARPRULE, t, afp) < 0)
++ goto out;
++ }
++
++ ret = skb->len;
++
++out:
++ cb->args[1] = idx;
++
++ return ret;
++}
++
++int arpf_dump_rules(struct sk_buff *skb, struct netlink_callback *cb)
++{
++ int idx;
++ int s_idx = cb->args[0];
++
++ read_lock_bh(&arpf_lock);
++ for (idx = 0; idx < sizeof(arp_tabs)/sizeof(arp_tabs[0]); idx++) {
++ if (idx < s_idx)
++ continue;
++ if (idx > s_idx)
++ memset(&cb->args[1], 0, sizeof(cb->args)-1*sizeof(cb->args[0]));
++ if (arpf_dump_table(idx, skb, cb) < 0)
++ break;
++ }
++ read_unlock_bh(&arpf_lock);
++ cb->args[0] = idx;
++
++ return skb->len;
++}
++
+ /*
+ * Called once on startup.
+ */
+@@ -1288,6 +1939,16 @@ static int arp_proc_init(void);
+
+ void __init arp_init(void)
+ {
++ arpf_cachep = kmem_cache_create("ip_arpf_cache",
++ sizeof(struct arpf_node), 0,
++ SLAB_HWCACHE_ALIGN, NULL);
++ if (!arpf_cachep)
++ panic("IP: failed to allocate ip_arpf_cache\n");
++
++ rtnl_register(PF_UNSPEC, RTM_NEWARPRULE, arpf_rule_ctl, NULL, 0);
++ rtnl_register(PF_UNSPEC, RTM_DELARPRULE, arpf_rule_ctl, NULL, 0);
++ rtnl_register(PF_UNSPEC, RTM_GETARPRULE, NULL, arpf_dump_rules, 0);
++
+ neigh_table_init(NEIGH_ARP_TABLE, &arp_tbl);
+
+ dev_add_pack(&arp_packet_type);
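Review bot: Nothing in this hunk, or in the part of `arpf_rule_ctl` visible earlier in the patch, checks a capability before ARP rules are added or deleted, so access control for `RTM_NEWARPRULE` and `RTM_DELARPRULE` rests entirely on the rtnetlink core. That core check is keyed on where a message type sits within its group of four, so the three new type values (defined outside this view) must follow the usual NEW/DEL/GET layout. I would record the dependency next to the registrations, for example `/* doit handlers rely on rtnetlink's CAP_NET_ADMIN check for non-GET types */`. `arpf_rule_ctl` begins outside this chunk, so an explicit check may already exist there.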
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 5267b6b191eb..8e622303018e 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1358,9 +1358,16 @@ __be32 inet_select_addr(const struct net_device *dev, __be32 dst, int scope)
+ if (!in_dev)
+ continue;
+
+- addr = in_dev_select_addr(in_dev, scope);
+- if (addr)
+- goto out_unlock;
++ in_dev_for_each_ifa_rcu(ifa, in_dev) {
++ if (ifa->ifa_flags & IFA_F_SECONDARY)
++ break;
++ if (!IN_DEV_HIDDEN(in_dev) &&
++ ifa->ifa_scope != RT_SCOPE_LINK &&
++ ifa->ifa_scope <= scope) {
++ addr = ifa->ifa_local;
++ goto out_unlock;
++ }
++ }
+ }
+ out_unlock:
+ rcu_read_unlock();
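Review bot: `IN_DEV_HIDDEN(in_dev)` does not depend on `ifa`, yet it is tested on every iteration of the new `in_dev_for_each_ifa_rcu` loop, so a hidden device still has its address list walked for no result. Hoisting it next to the existing `if (!in_dev) continue;` as `if (IN_DEV_HIDDEN(in_dev)) continue;` makes the intent readable, and the loop body can then mirror the helper it replaces. A one-line comment such as `/* hidden devices never donate a source address */` would say why the open-coded loop replaced `in_dev_select_addr()`. The enclosing function starts outside this hunk.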
+@@ -2518,13 +2525,16 @@ static struct devinet_sysctl_table {
+ DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
+ "accept_source_route"),
++ DEVINET_SYSCTL_RW_ENTRY(FORWARD_SHARED, "forward_shared"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
+ DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
+ DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
+ DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
++ DEVINET_SYSCTL_RW_ENTRY(RP_FILTER_MASK, "rp_filter_mask"),
+ DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
+ DEVINET_SYSCTL_RW_ENTRY(LOG_MARTIANS, "log_martians"),
+ DEVINET_SYSCTL_RW_ENTRY(TAG, "tag"),
++ DEVINET_SYSCTL_RW_ENTRY(HIDDEN, "hidden"),
+ DEVINET_SYSCTL_RW_ENTRY(ARPFILTER, "arp_filter"),
+ DEVINET_SYSCTL_RW_ENTRY(ARP_ANNOUNCE, "arp_announce"),
+ DEVINET_SYSCTL_RW_ENTRY(ARP_IGNORE, "arp_ignore"),
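Review bot: The three new per-device knobs `forward_shared`, `rp_filter_mask` and `hidden` are added as read-write entries with no description anywhere in the patch as far as this chunk shows. Two of them relax source validation: in the `__fib_validate_source` hunks a set `forward_shared` and a matching `rp_filter_mask` bit both force `rpf = 0`. They deserve an entry in the ip-sysctl documentation stating the default and the effect on reverse-path filtering. At minimum a comment here such as `/* forward_shared, rp_filter_mask: relax rp_filter, default 0 */` would warn whoever audits the interface configuration.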
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 41079490a118..53be999254b0 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -48,6 +48,8 @@
+
+ #ifndef CONFIG_IP_MULTIPLE_TABLES
+
++#define FIB_RES_TABLE(r) (RT_TABLE_MAIN)
++
+ static int __net_init fib4_rules_init(struct net *net)
+ {
+ struct fib_table *local_table, *main_table;
+@@ -72,6 +74,8 @@ static int __net_init fib4_rules_init(struct net *net)
+ }
+ #else
+
++#define FIB_RES_TABLE(r) (fib_result_table(r))
++
+ struct fib_table *fib_new_table(struct net *net, u32 id)
+ {
+ struct fib_table *tb, *alias = NULL;
+@@ -342,13 +346,19 @@ EXPORT_SYMBOL_GPL(fib_info_nh_uses_dev);
+ */
+ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- int rpf, struct in_device *idev, u32 *itag)
++ int rpf, struct in_device *idev, u32 *itag,
++ int our)
+ {
+ struct net *net = dev_net(dev);
+ struct flow_keys flkeys;
++ u32 table;
++ unsigned char prefixlen;
++ unsigned char scope;
+ int ret, no_addr;
+ struct fib_result res;
+ struct flowi4 fl4;
++ int fwdsh;
++ unsigned int rpf_mask;
+ bool dev_match;
+
+ fl4.flowi4_oif = 0;
+@@ -362,10 +372,13 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ fl4.flowi4_tun_key.tun_id = 0;
+ fl4.flowi4_flags = 0;
+ fl4.flowi4_uid = sock_net_uid(net, NULL);
++ fl4.fl4_gw = 0;
+
+ no_addr = idev->ifa_list == NULL;
+
++ fwdsh = IN_DEV_FORWARD_SHARED(idev);
+ fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
++ rpf_mask = IN_DEV_RPFILTER_MASK(idev);
+ if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
+ fl4.flowi4_proto = 0;
+ fl4.fl4_sport = 0;
+@@ -374,7 +387,12 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+
+ if (fib_lookup(net, &fl4, &res, 0))
+ goto last_resort;
+- if (res.type != RTN_UNICAST &&
++ if (fwdsh) {
++ fwdsh = (res.type == RTN_LOCAL && !our);
++ if (fwdsh)
++ rpf = 0;
++ }
++ if (res.type != RTN_UNICAST && !fwdsh &&
+ (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev)))
+ goto e_inval;
+ fib_combine_itag(itag, &res);
+@@ -389,17 +407,36 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
+ return ret;
+ }
++ if (rpf_mask && rpf) {
++ int omi = 0;
++
++ idev = __in_dev_get_rcu(FIB_RES_DEV(res));
++ if (idev)
++ omi = IN_DEV_MEDIUM_ID(idev);
++ if (omi >= 1 && omi <= 31 && ((1 << omi) & rpf_mask))
++ rpf = 0;
++ }
+ if (no_addr)
+ goto last_resort;
+- if (rpf == 1)
+- goto e_rpf;
++ table = FIB_RES_TABLE(&res);
++ prefixlen = res.prefixlen;
++ scope = res.scope;
+ fl4.flowi4_oif = dev->ifindex;
++ if (fwdsh)
++ fl4.flowi4_iif = LOOPBACK_IFINDEX;
+
+ ret = 0;
+ if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) {
+- if (res.type == RTN_UNICAST)
++ if (res.type == RTN_UNICAST &&
++ ((table == FIB_RES_TABLE(&res) &&
++ res.prefixlen >= prefixlen && res.scope >= scope) ||
++ !rpf)) {
+ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
++ return ret;
++ }
+ }
++ if (rpf == 1)
++ goto e_rpf;
+ return ret;
+
+ last_resort:
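Review bot: In the new `rpf_mask` block the test `(1 << omi) & rpf_mask` is evaluated for `omi` up to 31, and `1 << 31` on a signed `int` shifts into the sign bit. Since `rpf_mask` is `unsigned int`, the test should use an unsigned constant, `if (omi >= 1 && omi <= 31 && ((1U << omi) & rpf_mask))`, or `BIT(omi)`. The same block overwrites the `idev` parameter with the in_device of the route's output device. A separate local (`struct in_device *out_idev`) would keep later readers from assuming `idev` still names the receiving interface. Because a match sets `rpf = 0` and thereby skips the strict check for that packet, a short comment stating this is intended would help. The function body continues outside the hunk.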
+@@ -417,7 +454,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ /* Ignore rp_filter for packets protected by IPsec. */
+ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- struct in_device *idev, u32 *itag)
++ struct in_device *idev, u32 *itag, int our)
+ {
+ int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev);
+ struct net *net = dev_net(dev);
+@@ -442,7 +479,8 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ }
+
+ full_check:
+- return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev, itag);
++ return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev,
++ itag, our);
+ }
+
+ static inline __be32 sk_extract_addr(struct sockaddr *addr)
+@@ -1417,9 +1455,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
+ switch (event) {
+ case NETDEV_UP:
+ fib_add_ifaddr(ifa);
+-#ifdef CONFIG_IP_ROUTE_MULTIPATH
+ fib_sync_up(dev, RTNH_F_DEAD);
+-#endif
+ atomic_inc(&net->ipv4.dev_addr_genid);
+ rt_cache_flush(dev_net(dev));
+ break;
+@@ -1464,9 +1500,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
+ in_dev_for_each_ifa_rtnl(ifa, in_dev) {
+ fib_add_ifaddr(ifa);
+ }
+-#ifdef CONFIG_IP_ROUTE_MULTIPATH
+ fib_sync_up(dev, RTNH_F_DEAD);
+-#endif
+ atomic_inc(&net->ipv4.dev_addr_genid);
+ rt_cache_flush(net);
+ break;
+diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
+index f99e3bac5cab..64e8059f3b9d 100644
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -76,6 +76,11 @@ unsigned int fib4_rules_seq_read(struct net *net)
+ return fib_rules_seq_read(net, AF_INET);
+ }
+
++u32 fib_result_table(struct fib_result *res)
++{
++ return res->table ? res->table->tb_id : RT_TABLE_UNSPEC;
++}
++
+ int __fib_lookup(struct net *net, struct flowi4 *flp,
+ struct fib_result *res, unsigned int flags)
+ {
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 871c035be31f..40b67ad5d539 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -52,6 +52,7 @@ static struct hlist_head *fib_info_hash;
+ static struct hlist_head *fib_info_laddrhash;
+ static unsigned int fib_info_hash_size;
+ static unsigned int fib_info_cnt;
++DEFINE_RWLOCK(fib_nhflags_lock);
+
+ #define DEVINDEX_HASHBITS 8
+ #define DEVINDEX_HASHSIZE (1U << DEVINDEX_HASHBITS)
+@@ -538,36 +539,77 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
+
+ static int fib_detect_death(struct fib_info *fi, int order,
+ struct fib_info **last_resort, int *last_idx,
+- int dflt)
++ int dflt, int *last_nhsel,
++ const struct flowi4 *flp)
+ {
+- const struct fib_nh_common *nhc = fib_info_nhc(fi, 0);
++ struct fib_nh_common *nhc;
+ struct neighbour *n;
+- int state = NUD_NONE;
++ int nhsel;
++ int state;
++ int flag, dead = 1;
+
+- if (likely(nhc->nhc_gw_family == AF_INET))
+- n = neigh_lookup(&arp_tbl, &nhc->nhc_gw.ipv4, nhc->nhc_dev);
+- else if (nhc->nhc_gw_family == AF_INET6)
+- n = neigh_lookup(ipv6_stub->nd_tbl, &nhc->nhc_gw.ipv6,
+- nhc->nhc_dev);
+- else
+- n = NULL;
++ /* change_nexthops(fi) { */
++ for (nhsel = 0; nhsel < fib_info_num_path(fi); nhsel++) {
++ nhc = fib_info_nhc(fi, nhsel);
++ if (flp->flowi4_oif && flp->flowi4_oif != nhc->nhc_oif &&
++ !(flp->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
++ continue;
++ if (flp->fl4_gw && flp->fl4_gw != nhc->nhc_gw.ipv4 &&
++ nhc->nhc_gw.ipv4 && nhc->nhc_scope == RT_SCOPE_LINK)
++ continue;
++ if (nhc->nhc_flags & RTNH_F_DEAD)
++ continue;
+
+- if (n) {
+- state = n->nud_state;
+- neigh_release(n);
+- } else {
+- return 0;
+- }
+- if (state == NUD_REACHABLE)
+- return 0;
+- if ((state & NUD_VALID) && order != dflt)
+- return 0;
+- if ((state & NUD_VALID) ||
+- (*last_idx < 0 && order > dflt && state != NUD_INCOMPLETE)) {
+- *last_resort = fi;
+- *last_idx = order;
++ flag = 0;
++ if (nhc->nhc_dev->flags & IFF_NOARP) {
++ dead = 0;
++ goto setfl;
++ }
++
++ state = NUD_NONE;
++ if (!nhc->nhc_gw_family || nhc->nhc_scope != RT_SCOPE_LINK ||
++ (nhc->nhc_gw_family == AF_INET && !nhc->nhc_gw.ipv4))
++ n = neigh_lookup(&arp_tbl, &flp->daddr,
++ nhc->nhc_dev);
++ else if (likely(nhc->nhc_gw_family == AF_INET))
++ n = neigh_lookup(&arp_tbl, &nhc->nhc_gw.ipv4,
++ nhc->nhc_dev);
++ else if (nhc->nhc_gw_family == AF_INET6)
++ n = neigh_lookup(ipv6_stub->nd_tbl, &nhc->nhc_gw.ipv6,
++ nhc->nhc_dev);
++ else
++ n = NULL;
++ if (n) {
++ state = n->nud_state;
++ neigh_release(n);
++ }
++ if (state == NUD_REACHABLE ||
++ ((state & NUD_VALID) && order != dflt)) {
++ dead = 0;
++ goto setfl;
++ }
++ if (!(state & NUD_VALID))
++ flag = 1;
++ if (!dead)
++ goto setfl;
++ if ((state & NUD_VALID) ||
++ (*last_idx < 0 && order >= dflt)) {
++ *last_resort = fi;
++ *last_idx = order;
++ *last_nhsel = nhsel;
++ }
++
++setfl:
++ read_lock_bh(&fib_nhflags_lock);
++ if (flag)
++ nhc->nhc_flags |= RTNH_F_SUSPECT;
++ else
++ nhc->nhc_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
+ }
+- return 1;
++ /* } endfor_nexthops(fi) */
++
++ return dead;
+ }
+
+ int fib_nh_common_init(struct net *net, struct fib_nh_common *nhc,
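Review bot: At the `setfl:` label `nhc->nhc_flags` is modified with `|=` and `&= ~` while only `read_lock_bh(&fib_nhflags_lock)` is held. A read lock admits any number of holders at once, so two CPUs running this path can interleave their read-modify-write on the same flags word and lose an update. It also does not exclude the other read-side holders added in `fib_select_default`, which clear `RTNH_F_SUSPECT` in the same way. The writers here should take the lock exclusively, `write_lock_bh(&fib_nhflags_lock);` … `write_unlock_bh(&fib_nhflags_lock);`, or the flag should be updated with an atomic bit operation. The same applies to both `read_lock_bh` sites in the `fib_select_default` hunk further down.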
+@@ -1063,6 +1105,7 @@ static int fib_check_nh_v6_gw(struct net *net, struct fib_nh *nh,
+ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ u8 scope, struct netlink_ext_ack *extack)
+ {
++ struct fib_info *fi = nh->nh_parent;
+ struct net_device *dev;
+ struct fib_result res;
+ int err = 0;
+@@ -1080,8 +1123,12 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ return -ENODEV;
+ }
+ if (!(dev->flags & IFF_UP)) {
+- NL_SET_ERR_MSG(extack, "Nexthop device is not up");
+- return -ENETDOWN;
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ NL_SET_ERR_MSG(extack,
++ "Nexthop device is not up");
++ return -ENETDOWN;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
+ }
+ addr_type = inet_addr_type_dev_table(net, dev, nh->fib_nh_gw4);
+ if (addr_type != RTN_UNICAST) {
+@@ -1125,11 +1172,29 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ err = fib_lookup(net, &fl4, &res,
+ FIB_LOOKUP_IGNORE_LINKSTATE);
+ }
++ }
+
+- if (err) {
++ if (err) {
++ struct in_device *in_dev;
++
++ if (err != -ENETUNREACH ||
++ fi->fib_protocol != RTPROT_STATIC) {
+ NL_SET_ERR_MSG(extack, "Nexthop has invalid gateway");
+ goto out;
+ }
++ in_dev = inetdev_by_index(net, nh->fib_nh_oif);
++ if (in_dev == NULL ||
++ in_dev->dev->flags & IFF_UP) {
++ NL_SET_ERR_MSG(extack,
++ "Nexthop has invalid gateway");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
++ nh->fib_nh_scope = RT_SCOPE_LINK;
++ nh->fib_nh_dev = in_dev->dev;
++ dev_hold(nh->fib_nh_dev);
++ err = 0;
++ goto out;
+ }
+
+ err = -EINVAL;
+@@ -1148,7 +1213,16 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ dev_hold(dev);
+ if (!netif_carrier_ok(dev))
+ nh->fib_nh_flags |= RTNH_F_LINKDOWN;
+- err = (dev->flags & IFF_UP) ? 0 : -ENETDOWN;
++ if (!(dev->flags & IFF_UP)) {
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ err = -ENETDOWN;
++ NL_SET_ERR_MSG(extack,
++ "Device for nexthop is not up");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
++ }
++ err = 0;
+ out:
+ rcu_read_unlock();
+ return err;
+@@ -1157,6 +1231,7 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ static int fib_check_nh_nongw(struct net *net, struct fib_nh *nh,
+ struct netlink_ext_ack *extack)
+ {
++ struct fib_info *fi = nh->nh_parent;
+ struct in_device *in_dev;
+ int err;
+
+@@ -1174,8 +1249,11 @@ static int fib_check_nh_nongw(struct net *net, struct fib_nh *nh,
+ goto out;
+ err = -ENETDOWN;
+ if (!(in_dev->dev->flags & IFF_UP)) {
+- NL_SET_ERR_MSG(extack, "Device for nexthop is not up");
+- goto out;
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ NL_SET_ERR_MSG(extack, "Device for nexthop is not up");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
+ }
+
+ nh->fib_nh_dev = in_dev->dev;
+@@ -1956,10 +2034,15 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ prev_fi = fi;
+ dead = 0;
+ change_nexthops(fi) {
+- if (nexthop_nh->fib_nh_flags & RTNH_F_DEAD)
+- dead++;
+- else if (nexthop_nh->fib_nh_dev == dev &&
+- nexthop_nh->fib_nh_scope != scope) {
++ if (nexthop_nh->fib_nh_flags & RTNH_F_DEAD) {
++ if (fi->fib_protocol != RTPROT_STATIC ||
++ !nexthop_nh->fib_nh_dev ||
++ !__in_dev_get_rtnl(nexthop_nh->fib_nh_dev) ||
++ nexthop_nh->fib_nh_dev->flags&IFF_UP)
++ dead++;
++ } else if (nexthop_nh->fib_nh_dev == dev &&
++ nexthop_nh->fib_nh_scope != scope) {
++ write_lock_bh(&fib_nhflags_lock);
+ switch (event) {
+ case NETDEV_DOWN:
+ case NETDEV_UNREGISTER:
+@@ -1971,7 +2054,11 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ }
+ call_fib_nh_notifiers(nexthop_nh,
+ FIB_EVENT_NH_DEL);
+- dead++;
++ write_unlock_bh(&fib_nhflags_lock);
++ if (fi->fib_protocol != RTPROT_STATIC ||
++ force ||
++ !__in_dev_get_rtnl(dev))
++ dead++;
+ }
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (event == NETDEV_UNREGISTER &&
+@@ -2001,20 +2088,19 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ }
+
+ /* Must be invoked inside of an RCU protected region. */
+-static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
++void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ {
+ struct fib_info *fi = NULL, *last_resort = NULL;
+ struct hlist_head *fa_head = res->fa_head;
+ struct fib_table *tb = res->table;
+ u8 slen = 32 - res->prefixlen;
+- int order = -1, last_idx = -1;
++ int order = -1, last_idx = -1, last_nhsel = 0;
+ struct fib_alias *fa, *fa1 = NULL;
+ u32 last_prio = res->fi->fib_priority;
+ u8 last_tos = 0;
+
+ hlist_for_each_entry_rcu(fa, fa_head, fa_list) {
+ struct fib_info *next_fi = fa->fa_info;
+- struct fib_nh_common *nhc;
+
+ if (fa->fa_slen != slen)
+ continue;
+@@ -2037,10 +2123,6 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ fa->fa_type != RTN_UNICAST)
+ continue;
+
+- nhc = fib_info_nhc(next_fi, 0);
+- if (!nhc->nhc_gw_family || nhc->nhc_scope != RT_SCOPE_LINK)
+- continue;
+-
+ fib_alias_accessed(fa);
+
+ if (!fi) {
+@@ -2048,7 +2130,8 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ break;
+ fa1 = fa;
+ } else if (!fib_detect_death(fi, order, &last_resort,
+- &last_idx, fa1->fa_default)) {
++ &last_idx, fa1->fa_default,
++ &last_nhsel, flp)) {
+ fib_result_assign(res, fi);
+ fa1->fa_default = order;
+ goto out;
+@@ -2058,28 +2141,39 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ }
+
+ if (order <= 0 || !fi) {
++ if (fi && fib_info_num_path(fi) > 1 &&
++ fib_detect_death(fi, order, &last_resort, &last_idx,
++ fa1->fa_default, &last_nhsel, flp) &&
++ last_resort == fi) {
++ read_lock_bh(&fib_nhflags_lock);
++ fi->fib_nh[last_nhsel].fib_nh_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
++ }
+ if (fa1)
+ fa1->fa_default = -1;
+ goto out;
+ }
+
+ if (!fib_detect_death(fi, order, &last_resort, &last_idx,
+- fa1->fa_default)) {
++ fa1->fa_default, &last_nhsel, flp)) {
+ fib_result_assign(res, fi);
+ fa1->fa_default = order;
+ goto out;
+ }
+
+- if (last_idx >= 0)
++ if (last_idx >= 0) {
+ fib_result_assign(res, last_resort);
++ read_lock_bh(&fib_nhflags_lock);
++ last_resort->fib_nh[last_nhsel].fib_nh_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
++ }
+ fa1->fa_default = last_idx;
+ out:
+ return;
+ }
+
+ /*
+- * Dead device goes up. We wake up dead nexthops.
+- * It takes sense only on multipath routes.
++ * Dead device goes up or new address is added. We wake up dead nexthops.
+ *
+ * only used when fib_nh is built into fib_info
+ */
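Review bot: Both places that clear `RTNH_F_SUSPECT` index the embedded array directly, `fi->fib_nh[last_nhsel]` and `last_resort->fib_nh[last_nhsel]`. `fib_detect_death` produced `last_nhsel` by iterating with `fib_info_num_path()` and `fib_info_nhc()`. If a fib_info can carry its nexthops outside the embedded array (the accessor pair suggests so; confirm for this kernel version), the direct index touches memory that does not hold that nexthop. Using the same accessor keeps the two sides consistent: `fib_info_nhc(last_resort, last_nhsel)->nhc_flags &= ~RTNH_F_SUSPECT;`, and likewise for `fi`. `last_nhsel` is also initialised to 0 rather than to an invalid value, so a stale 0 cannot be told apart from a real selection.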
+@@ -2089,8 +2183,10 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ unsigned int hash;
+ struct hlist_head *head;
+ struct fib_nh *nh;
+- int ret;
++ struct fib_result res;
++ int ret, rep;
+
++repeat:
+ if (!(dev->flags & IFF_UP))
+ return 0;
+
+@@ -2105,6 +2201,7 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ hash = fib_devindex_hashfn(dev->ifindex);
+ head = &fib_info_devhash[hash];
+ ret = 0;
++ rep = 0;
+
+ hlist_for_each_entry(nh, head, nh_hash) {
+ struct fib_info *fi = nh->nh_parent;
+@@ -2117,16 +2214,39 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ prev_fi = fi;
+ alive = 0;
+ change_nexthops(fi) {
+- if (!(nexthop_nh->fib_nh_flags & nh_flags)) {
+- alive++;
++ if (!(nexthop_nh->fib_nh_flags & nh_flags))
+ continue;
+- }
+ if (!nexthop_nh->fib_nh_dev ||
+ !(nexthop_nh->fib_nh_dev->flags & IFF_UP))
+ continue;
+ if (nexthop_nh->fib_nh_dev != dev ||
+ !__in_dev_get_rtnl(dev))
+ continue;
++ if ((nh_flags & RTNH_F_DEAD) &&
++ nexthop_nh->fib_nh_gw4 &&
++ nexthop_nh->fib_nh_gw_family == AF_INET &&
++ fi->fib_protocol == RTPROT_STATIC) {
++ struct flowi4 fl4 = {
++ .daddr = nexthop_nh->fib_nh_gw4,
++ .flowi4_scope = nexthop_nh->fib_nh_scope,
++ .flowi4_oif = nexthop_nh->fib_nh_oif,
++ };
++
++ rcu_read_lock();
++ if (fib_lookup(dev_net(dev), &fl4, &res,
++ FIB_LOOKUP_IGNORE_LINKSTATE) != 0) {
++ rcu_read_unlock();
++ continue;
++ }
++ if (res.type != RTN_UNICAST &&
++ res.type != RTN_LOCAL) {
++ rcu_read_unlock();
++ continue;
++ }
++ nexthop_nh->fib_nh_scope = res.scope;
++ rcu_read_unlock();
++ rep = 1;
++ }
+ alive++;
+ nexthop_nh->fib_nh_flags &= ~nh_flags;
+ call_fib_nh_notifiers(nexthop_nh, FIB_EVENT_NH_ADD);
+@@ -2139,6 +2259,8 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+
+ fib_rebalance(fi);
+ }
++ if (rep)
++ goto repeat;
+
+ return ret;
+ }
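Review bot: `goto repeat` jumps back above the existing `ret = 0;` (context in the earlier hunk, next to the added `rep = 0;`), so the count accumulated in the first pass is thrown away and the caller sees only the last pass. If the return value is meant to say whether any nexthop was revived, the reset should move above the label or the passes should be summed, for example by resetting only `rep` after `repeat:`. A comment on the label, such as `/* a revived gateway may make further static nexthops resolvable */`, would also explain why a second pass is needed.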
+@@ -2205,23 +2327,16 @@ void fib_select_multipath(struct fib_result *res, int hash)
+ void fib_select_path(struct net *net, struct fib_result *res,
+ struct flowi4 *fl4, const struct sk_buff *skb)
+ {
+- if (fl4->flowi4_oif && !(fl4->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
+- goto check_saddr;
+-
++ if (res->type == RTN_UNICAST)
++ fib_select_default(fl4, res);
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (fib_info_num_path(res->fi) > 1) {
+ int h = fib_multipath_hash(net, fl4, skb, NULL);
+
+ fib_select_multipath(res, h);
+ }
+- else
+ #endif
+- if (!res->prefixlen &&
+- res->table->tb_num_default > 1 &&
+- res->type == RTN_UNICAST)
+- fib_select_default(fl4, res);
+
+-check_saddr:
+ if (!fl4->saddr)
+ fl4->saddr = fib_result_prefsrc(net, res);
+ }
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 248f1c1959a6..f23c165781f5 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1386,6 +1386,11 @@ bool fib_lookup_good_nhc(const struct fib_nh_common *nhc, int fib_flags,
+ if (flp->flowi4_oif &&
+ flp->flowi4_oif != nhc->nhc_oif)
+ return false;
++ if (flp->fl4_gw &&
++ flp->fl4_gw != nhc->nhc_gw.ipv4 &&
++ nhc->nhc_gw.ipv4 &&
++ nhc->nhc_scope == RT_SCOPE_LINK)
++ return false;
+ }
+
+ return true;
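Review bot: The added test reads `nhc->nhc_gw.ipv4` without first checking `nhc->nhc_gw_family`. The `fib_detect_death` hunk in this same patch switches on `nhc_gw_family` between `nhc_gw.ipv4` and `nhc_gw.ipv6`, so for a nexthop with an IPv6 gateway this compares `fl4_gw` against unrelated bytes. Adding the family to the condition, `nhc->nhc_gw_family == AF_INET &&`, fixes that. The identical comparison near the top of the loop in `fib_detect_death` needs the same guard. The enclosing function starts outside this hunk.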
+diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
+index ad33687b7444..49d98f51458b 100644
+--- a/net/ipv4/netfilter/iptable_nat.c
++++ b/net/ipv4/netfilter/iptable_nat.c
+@@ -40,6 +40,13 @@ static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
+ .hooknum = NF_INET_PRE_ROUTING,
+ .priority = NF_IP_PRI_NAT_DST,
+ },
++ /* Before routing, route before mangling */
++ {
++ .hook = ip_nat_route_input,
++ .pf = NFPROTO_IPV4,
++ .hooknum = NF_INET_PRE_ROUTING,
++ .priority = NF_IP_PRI_LAST-1,
++ },
+ {
+ .hook = iptable_nat_do_chain,
+ .pf = NFPROTO_IPV4,
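Review bot: The comment `/* Before routing, route before mangling */` does not match the entry it describes, which is registered at `NF_IP_PRI_LAST-1` and so runs after the other PRE_ROUTING hooks, including the `NF_IP_PRI_NAT_DST` one just above. Something like `/* Last in PRE_ROUTING: input route lookup using the masquerade address */` would describe what `ip_nat_route_input` does. The array now has two entries with `.hooknum = NF_INET_PRE_ROUTING`. It is worth confirming that the code which registers `nf_nat_ipv4_ops` entry by entry does not assume one entry per hook number.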
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index abe12caf2451..9b153823a56c 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1705,7 +1705,7 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ return -EINVAL;
+ } else {
+ err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
+- in_dev, itag);
++ in_dev, itag, 1);
+ if (err < 0)
+ return err;
+ }
+@@ -1780,7 +1780,7 @@ static void ip_handle_martian_source(struct net_device *dev,
+ static int __mkroute_input(struct sk_buff *skb,
+ const struct fib_result *res,
+ struct in_device *in_dev,
+- __be32 daddr, __be32 saddr, u32 tos)
++ __be32 daddr, __be32 saddr, u32 tos, __be32 lsrc)
+ {
+ struct fib_nh_common *nhc = FIB_RES_NHC(*res);
+ struct net_device *dev = nhc->nhc_dev;
+@@ -1799,7 +1799,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+
+ err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res),
+- in_dev->dev, in_dev, &itag);
++ in_dev->dev, in_dev, &itag, 0);
+ if (err < 0) {
+ ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr,
+ saddr);
+@@ -1809,7 +1809,7 @@ static int __mkroute_input(struct sk_buff *skb,
+
+ do_cache = res->fi && !itag;
+ if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
+- skb->protocol == htons(ETH_P_IP)) {
++ skb->protocol == htons(ETH_P_IP) && !lsrc) {
+ __be32 gw;
+
+ gw = nhc->nhc_gw_family == AF_INET ? nhc->nhc_gw.ipv4 : 0;
+@@ -2002,10 +2002,12 @@ int fib_multipath_hash(const struct net *net, const struct flowi4 *fl4,
+
+ static int ip_mkroute_input(struct sk_buff *skb,
+ struct fib_result *res,
++ const struct flowi4 *fl4,
+ struct in_device *in_dev,
+ __be32 daddr, __be32 saddr, u32 tos,
+- struct flow_keys *hkeys)
++ struct flow_keys *hkeys, __be32 lsrc)
+ {
++ fib_select_default(fl4, res);
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (res->fi && fib_info_num_path(res->fi) > 1) {
+ int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys);
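Review bot: `fib_select_default(fl4, res)` is called unconditionally at the top of `ip_mkroute_input`, while the very next statement still guards with `res->fi &&`. `fib_select_default` reads `res->fi->fib_priority` and `res->fa_head` in its declarations, so if `res->fi` can be NULL here, as the existing guard implies, the new call dereferences it. The output-path caller added in `fib_select_path` is guarded by `res->type == RTN_UNICAST`. Mirroring that with `if (res->fi && res->type == RTN_UNICAST) fib_select_default(fl4, res);` would make the two call sites agree. The rest of the function lies outside this hunk.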
+@@ -2015,7 +2017,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
+ #endif
+
+ /* create a routing cache entry */
+- return __mkroute_input(skb, res, in_dev, daddr, saddr, tos);
++ return __mkroute_input(skb, res, in_dev, daddr, saddr, tos, lsrc);
+ }
+
+ /* Implements all the saddr-related checks as ip_route_input_slow(),
+@@ -2045,7 +2047,8 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ goto skip_validate_source;
+
+ tos &= IPTOS_RT_MASK;
+- err = fib_validate_source(skb, saddr, daddr, tos, 0, dev, in_dev, &tag);
++ err = fib_validate_source(skb, saddr, daddr, tos, 0, dev, in_dev, &tag,
++ 0);
+ if (err < 0)
+ goto martian_source;
+
+@@ -2072,7 +2075,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ */
+
+ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+- u8 tos, struct net_device *dev,
++ u8 tos, struct net_device *dev, __be32 lsrc,
+ struct fib_result *res)
+ {
+ struct in_device *in_dev = __in_dev_get_rcu(dev);
+@@ -2130,18 +2133,25 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ goto martian_source;
+ }
+
++ if (lsrc) {
++ if (ipv4_is_multicast(lsrc) || ipv4_is_lbcast(lsrc) ||
++ ipv4_is_zeronet(lsrc) || ipv4_is_loopback(lsrc))
++ goto martian_source;
++ }
++
+ /*
+ * Now we are ready to route packet.
+ */
+ fl4.flowi4_oif = 0;
+- fl4.flowi4_iif = dev->ifindex;
++ fl4.flowi4_iif = lsrc ? LOOPBACK_IFINDEX : dev->ifindex;
+ fl4.flowi4_mark = skb->mark;
+ fl4.flowi4_tos = tos;
+ fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
+ fl4.flowi4_flags = 0;
+ fl4.daddr = daddr;
+- fl4.saddr = saddr;
++ fl4.saddr = lsrc? : saddr;
+ fl4.flowi4_uid = sock_net_uid(net, NULL);
++ fl4.fl4_gw = 0;
+
+ if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
+ flkeys = &_flkeys;
+@@ -2152,6 +2162,8 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ }
+
+ err = fib_lookup(net, &fl4, res, 0);
++ fl4.flowi4_iif = dev->ifindex;
++ fl4.saddr = saddr;
+ if (err != 0) {
+ if (!IN_DEV_FORWARD(in_dev))
+ err = -EHOSTUNREACH;
+@@ -2169,7 +2181,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+
+ if (res->type == RTN_LOCAL) {
+ err = fib_validate_source(skb, saddr, daddr, tos,
+- 0, dev, in_dev, &itag);
++ 0, dev, in_dev, &itag, 1);
+ if (err < 0)
+ goto martian_source;
+ goto local_input;
+@@ -2183,16 +2195,19 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ goto martian_destination;
+
+ make_route:
+- err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, tos, flkeys);
++ err = ip_mkroute_input(skb, res, &fl4, in_dev, daddr, saddr, tos,
++ flkeys, lsrc);
+ out: return err;
+
+ brd_input:
+ if (skb->protocol != htons(ETH_P_IP))
+ goto e_inval;
++ if (lsrc)
++ goto e_inval;
+
+ if (!ipv4_is_zeronet(saddr)) {
+ err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
+- in_dev, &itag);
++ in_dev, &itag, 1);
+ if (err < 0)
+ goto martian_source;
+ }
+@@ -2295,9 +2310,26 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ }
+ EXPORT_SYMBOL(ip_route_input_noref);
+
++int ip_route_input_lookup(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, __be32 lsrc)
++{
++ struct fib_result res;
++ int err;
++
++ tos &= IPTOS_RT_MASK;
++ rcu_read_lock();
++ err = ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, lsrc,
++ &res);
++ rcu_read_unlock();
++
++ return err;
++}
++EXPORT_SYMBOL(ip_route_input_lookup);
++
+ /* called with rcu_read_lock held */
+-int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+- u8 tos, struct net_device *dev, struct fib_result *res)
++int ip_route_input_common_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, __be32 lsrc,
++ struct fib_result *res)
+ {
+ /* Multicast recognition logic is moved from route cache to here.
+ The problem was that too many Ethernet cards have broken/missing
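Review bot: `ip_route_input_lookup` is a new exported entry point with no comment explaining `lsrc`, and it fills a local `struct fib_result res` that is discarded on return. A short kernel-doc block should state that `lsrc` is an alternative source address used only for the FIB lookup (0 means "use saddr"), that `tos` is masked with `IPTOS_RT_MASK`, and that the function takes `rcu_read_lock()` itself. The existing `/* called with rcu_read_lock held */` comment now sits above `ip_route_input_common_rcu`. The re-added `ip_route_input_rcu` wrapper in the next hunk has lost it and should carry the same line. The only caller visible in this patch is GPL-exported, so `EXPORT_SYMBOL_GPL` would be the consistent choice.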
+@@ -2343,7 +2375,13 @@ int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ return err;
+ }
+
+- return ip_route_input_slow(skb, daddr, saddr, tos, dev, res);
++ return ip_route_input_slow(skb, daddr, saddr, tos, dev, lsrc, res);
++}
++
++int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, struct fib_result *res)
++{
++ return ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, 0, res);
+ }
+
+ /* called with rcu_read_lock() */
+@@ -2597,6 +2635,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
+ fl4->daddr = fl4->saddr = htonl(INADDR_LOOPBACK);
+ dev_out = net->loopback_dev;
+ fl4->flowi4_oif = LOOPBACK_IFINDEX;
++ fl4->fl4_gw = 0;
+ res->type = RTN_LOCAL;
+ flags |= RTCF_LOCAL;
+ goto make_route;
+@@ -2655,6 +2694,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
+ orig_oif = FIB_RES_OIF(*res);
+
+ fl4->flowi4_oif = dev_out->ifindex;
++ fl4->fl4_gw = 0;
+ flags |= RTCF_LOCAL;
+ goto make_route;
+ }
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index bfc555fcbc72..be98c87aa05e 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -1148,6 +1148,49 @@ static struct nf_nat_hook nat_hook = {
+ .manip_pkt = nf_nat_manip_pkt,
+ };
+
++unsigned int ip_nat_route_input(void *priv,
++ struct sk_buff *skb,
++ const struct nf_hook_state *state)
++{
++ struct iphdr *iph;
++ struct nf_conn *conn;
++ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
++ unsigned long statusbit;
++ __be32 saddr;
++
++ if (!(conn = nf_ct_get(skb, &ctinfo)))
++ return NF_ACCEPT;
++
++ if (!(conn->status & IPS_NAT_DONE_MASK))
++ return NF_ACCEPT;
++ dir = CTINFO2DIR(ctinfo);
++ statusbit = IPS_SRC_NAT;
++ if (dir == IP_CT_DIR_REPLY)
++ statusbit ^= IPS_NAT_MASK;
++ if (!(conn->status & statusbit))
++ return NF_ACCEPT;
++
++ if (skb_dst(skb))
++ return NF_ACCEPT;
++
++ if (skb->len < sizeof(struct iphdr))
++ return NF_ACCEPT;
++
++ /* use daddr in other direction as masquerade address (lsrc) */
++ iph = ip_hdr(skb);
++ saddr = conn->tuplehash[!dir].tuple.dst.u3.ip;
++ if (saddr == iph->saddr)
++ return NF_ACCEPT;
++
++ if (ip_route_input_lookup(skb, iph->daddr, iph->saddr, iph->tos,
++ skb->dev, saddr))
++ return NF_DROP;
++
++ return NF_ACCEPT;
++}
++EXPORT_SYMBOL_GPL(ip_nat_route_input);
++
+ static int __init nf_nat_init(void)
+ {
+ int ret, i;
+diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
+index 8e8a65d46345..df1376143cd6 100644
+--- a/net/netfilter/nf_nat_masquerade.c
++++ b/net/netfilter/nf_nat_masquerade.c
+@@ -21,8 +21,8 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+ struct nf_conn_nat *nat;
+ enum ip_conntrack_info ctinfo;
+ struct nf_nat_range2 newrange;
+- const struct rtable *rt;
+- __be32 newsrc, nh;
++ struct rtable *rt;
++ __be32 newsrc;
+
+ WARN_ON(hooknum != NF_INET_POST_ROUTING);
+
+@@ -37,12 +37,23 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+ if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
+ return NF_ACCEPT;
+
+- rt = skb_rtable(skb);
+- nh = rt_nexthop(rt, ip_hdr(skb)->daddr);
+- newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);
+- if (!newsrc) {
+- pr_info("%s ate my IP address\n", out->name);
+- return NF_DROP;
++ {
++ struct flowi4 fl4 = { .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
++ .flowi4_mark = skb->mark,
++ .flowi4_oif = out->ifindex,
++ .daddr = ip_hdr(skb)->daddr,
++ .fl4_gw = skb_rtable(skb)->rt_gw4 };
++ rt = ip_route_output_key(dev_net(out), &fl4);
++ if (IS_ERR(rt)) {
++ /* Funky routing can do this. */
++ if (net_ratelimit())
++ pr_info("%s:"
++ " No route: Rusty's brain broke!\n",
++ out->name);
++ return NF_DROP;
++ }
++ newsrc = fl4.saddr;
++ ip_rt_put(rt);
+ }
+
+ nat = nf_ct_nat_ext_add(ct);
+diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
+index b69231918686..26b1df65ea97 100644
+--- a/security/selinux/nlmsgtab.c
++++ b/security/selinux/nlmsgtab.c
+@@ -88,6 +88,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
+ { RTM_NEWVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETVLAN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
++ { RTM_NEWARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
++ { RTM_DELARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
++ { RTM_GETARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ };
+
+ static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+@@ -171,7 +174,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
+ * structures at the top of this file with the new mappings
+ * before updating the BUILD_BUG_ON() macro!
+ */
+- BUILD_BUG_ON(RTM_MAX != (RTM_NEWVLAN + 3));
++ BUILD_BUG_ON(RTM_MAX != (RTM_NEWARPRULE + 3));
+ err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
+ sizeof(nlmsg_route_perms));
+ break;
diff --git a/sys-kernel/boest-v5.7.12/0002-pool-2.6.25-tcp-timewait-20s.diff.patch b/sys-kernel/boest-v5.7.12/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
new file mode 100644
index 00000000..39bea1bd
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
@@ -0,0 +1,27 @@
+From ae70759014bbd9ea2b7d90acca669eccb5b00d98 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH] pool/2.6.25-tcp-timewait-20s.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ include/net/tcp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 6f8e60c6fbc7..45e3a80f3cd6 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -118,8 +118,8 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ * initial RTO.
+ */
+
+-#define TCP_TIMEWAIT_LEN (60*HZ) /* how long to wait to destroy TIME-WAIT
+- * state, about 60 seconds */
++#define TCP_TIMEWAIT_LEN (20*HZ) /* how long to wait to destroy TIME-WAIT
++ * state, about 20 seconds */
+ #define TCP_FIN_TIMEOUT TCP_TIMEWAIT_LEN
+ /* BSD style FIN_WAIT2 deadlock breaker.
+ * It used to be 3min, new value is 60sec,
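Review bot: `TCP_FIN_TIMEOUT` is defined as `TCP_TIMEWAIT_LEN` on the line right after the changed define, so this patch also lowers the FIN_WAIT2 default to 20 seconds, while the comment that follows still says "new value is 60sec". That comment continues past the end of the hunk and should be updated, otherwise the next reader will assume the FIN timeout is unchanged. The TIME-WAIT comment should also record that 20 seconds is a deliberate local deviation, since a shorter TIME-WAIT leaves less time for delayed segments of a closed connection to drain before the same address/port pair is reused: `/* local: 20 s instead of the stock 60 s; also lowers TCP_FIN_TIMEOUT */`.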
diff --git a/sys-kernel/boest-v5.7.12/0003-pool-2.6.25-disable-tcp-debug.diff.patch b/sys-kernel/boest-v5.7.12/0003-pool-2.6.25-disable-tcp-debug.diff.patch
new file mode 100644
index 00000000..d147cf71
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0003-pool-2.6.25-disable-tcp-debug.diff.patch
@@ -0,0 +1,25 @@
+From 14696360ebc9188821e7e1fb5cf8ced41b823f93 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH] pool/2.6.25-disable-tcp-debug.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 45e3a80f3cd6..6790d1e57295 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -14,7 +14,7 @@
+ #ifndef _TCP_H
+ #define _TCP_H
+
+-#define FASTRETRANS_DEBUG 1
++#define FASTRETRANS_DEBUG 0
+
+ #include <linux/list.h>
+ #include <linux/tcp.h>
diff --git a/sys-kernel/boest-v5.7.12/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch b/sys-kernel/boest-v5.7.12/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
new file mode 100644
index 00000000..509137a0
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
@@ -0,0 +1,141 @@
+From 203b010f6670a8d45c9d854d5ecd70bbb6b9d05b Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 8 Oct 2008 10:00:42 +0200
+Subject: [PATCH] TCP: add a sysctl to disable simultaneous connection opening.
+
+Strict implementation of RFC793 (TCP) requires support for a feature
+called "simultaneous connect", which allows two clients to connect to
+each other without anyone entering a listening state. While almost
+never used, and supported by few OSes, Linux supports this feature.
+
+However, it introduces a weakness in the protocol which makes it very
+easy for an attacker to prevent a client from connecting to a known
+server. The attacker only has to guess the source port to shut down
+the client connection during its establishment. The impact is limited,
+but it may be used to prevent an antivirus or IPS from fetching updates
+and not detecting an attack, or to prevent an SSL gateway from fetching
+a CRL for example.
+
+This patch provides a new sysctl "tcp_simult_connect" to enable or disable
+support for this useless feature. It comes disabled by default.
+
+Hundreds of systems running with that feature disabled for more than 4 years
+have never encountered an application which requires it. It is almost never
+supported by firewalls BTW.
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ Documentation/networking/ip-sysctl.txt | 22 ++++++++++++++++++++++
+ include/net/netns/ipv4.h | 1 +
+ include/uapi/linux/sysctl.h | 1 +
+ net/ipv4/sysctl_net_ipv4.c | 7 +++++++
+ net/ipv4/tcp_input.c | 6 +++++-
+ 5 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index a456dae1a8ef..331b481174fb 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -205,6 +205,28 @@ inet_peer_maxttl - INTEGER
+
+ TCP variables:
+
++tcp_simult_connect - BOOLEAN
++ Enables TCP simultaneous connect feature conforming to RFC793.
++ Strict implementation of RFC793 (TCP) requires support for a feature
++ called "simultaneous connect", which allows two clients to connect to
++ each other without anyone entering a listening state. While almost
++ never used, and supported by few OSes, Linux supports this feature.
++
++ However, it introduces a weakness in the protocol which makes it very
++ easy for an attacker to prevent a client from connecting to a known
++ server. The attacker only has to guess the source port to shut down
++ the client connection during its establishment. The impact is limited,
++ but it may be used to prevent an antivirus or IPS from fetching updates
++ and not detecting an attack, or to prevent an SSL gateway from fetching
++ a CRL for example.
++
++ If you want absolute compatibility with any possible application,
++ you should set it to 1. If you prefer to enhance security on your
++ systems you'd better let it to 0. After four years of usage on
++ hundreds of systems, no application was ever found to require this
++ feature, which is not even supported by most firewalls.
++ Default: 0
++
+ somaxconn - INTEGER
+ Limit of socket listen() backlog, known in userspace as SOMAXCONN.
+ Defaults to 4096. (Was 128 before linux-5.4)
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 154b8f01499b..1cd47606b488 100644
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -144,6 +144,7 @@ struct netns_ipv4 {
+ int sysctl_tcp_recovery;
+ int sysctl_tcp_thin_linear_timeouts;
+ int sysctl_tcp_slow_start_after_idle;
++ int sysctl_tcp_simult_connect;
+ int sysctl_tcp_retrans_collapse;
+ int sysctl_tcp_stdurg;
+ int sysctl_tcp_rfc1337;
+diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
+index 27c1ed2822e6..b3c945a0cd56 100644
+--- a/include/uapi/linux/sysctl.h
++++ b/include/uapi/linux/sysctl.h
+@@ -426,6 +426,7 @@ enum
+ NET_TCP_ALLOWED_CONG_CONTROL=123,
+ NET_TCP_MAX_SSTHRESH=124,
+ NET_TCP_FRTO_RESPONSE=125,
++ NET_TCP_SIMULT_CONNECT=126,
+ };
+
+ enum {
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 81b267e990a1..12cda42f85be 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -888,6 +888,13 @@ static struct ctl_table ipv4_net_table[] = {
+ .mode = 0444,
+ .proc_handler = proc_tcp_available_congestion_control,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &init_net.ipv4.sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec,
++ },
+ {
+ .procname = "tcp_allowed_congestion_control",
+ .maxlen = TCP_CA_BUF_MAX,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 32ac66a8c657..604db3ae6d7c 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5905,6 +5905,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ const struct tcphdr *th)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
++ struct net *net = sock_net(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_cookie foc = { .len = -1 };
+ int saved_clamp = tp->rx_opt.mss_clamp;
+@@ -6067,10 +6068,13 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && net->ipv4.sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
++ * This feature is disabled by default as it introduces
++ * weakness in the protocol. It can be enabled by a
++ * sysctl.
+ */
+ tcp_set_state(sk, TCP_SYN_RECV);
+
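Review bot: The new `tcp_simult_connect` table entry is documented as BOOLEAN but uses `proc_dointvec` with no bounds, so any integer can be written and every non-zero value re-enables simultaneous open in the `th->syn && net->ipv4.sysctl_tcp_simult_connect` test. Bounding it keeps the knob to the two documented states: `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,`. The default of 0 is never assigned in the visible hunks, so it presumably relies on the per-namespace structure being zeroed; an explicit initialisation next to the other TCP defaults would make the "disabled by default" claim checkable. `tcp_rcv_synsent_state_process` continues outside the hunk, so what happens to a bare SYN when the knob is 0 is not visible here.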
diff --git a/sys-kernel/boest-v5.7.12/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch b/sys-kernel/boest-v5.7.12/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
new file mode 100644
index 00000000..6224390c
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
@@ -0,0 +1,34 @@
+From c6ff4f0ceeaf88a05cff9863b07376b0df67f37c Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH] pool/2.6.25-disable-kbdrate-at-boot.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ arch/x86/boot/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/boot/main.c b/arch/x86/boot/main.c
+index e3add857c2c9..f079483126a6 100644
+--- a/arch/x86/boot/main.c
++++ b/arch/x86/boot/main.c
+@@ -63,6 +63,8 @@ static void copy_boot_params(void)
+ */
+ static void keyboard_init(void)
+ {
++/*This may take several seconds if the system has no kbd controller */
++#ifdef CONFIG_INPUT_KEYBOARD
+ struct biosregs ireg, oreg;
+ initregs(&ireg);
+
+@@ -72,6 +74,7 @@ static void keyboard_init(void)
+
+ ireg.ax = 0x0305; /* Set keyboard repeat rate */
+ intcall(0x16, &ireg, NULL);
++#endif
+ }
+
+ /*
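Review bot: The `#ifdef CONFIG_INPUT_KEYBOARD` opens directly after the opening brace of `keyboard_init()` and the `#endif` sits just before its closing brace, so the whole body is compiled out, not only the repeat-rate call at `ireg.ax = 0x0305`. The lines between the two hunks are not shown; if they also record the BIOS keyboard status, that value is left unset on kernels built without the option, which the patch title does not mention. The comment should say what is skipped and why this config symbol is the switch, e.g. `/* Skip all BIOS int 0x16 keyboard calls when no keyboard support is built in: they can stall for seconds without a controller */`.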
diff --git a/sys-kernel/boest-v5.7.12/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch b/sys-kernel/boest-v5.7.12/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
new file mode 100644
index 00000000..d0531808
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
@@ -0,0 +1,45 @@
+From dcab90d6a28f5326275b303744906bee84915340 Mon Sep 17 00:00:00 2001
+From: Bertrand Jacquin <bertrand@jacquin.bzh>
+Date: Wed, 9 Jan 2013 00:28:28 +0100
+Subject: [PATCH] Disable CONFIG_PROCESSOR_SELECT printk()'s
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ arch/x86/kernel/cpu/common.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c669a5756bdf..67cd9d2ab5d4 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1269,10 +1269,6 @@ void __init early_cpu_init(void)
+ const struct cpu_dev *const *cdev;
+ int count = 0;
+
+-#ifdef CONFIG_PROCESSOR_SELECT
+- pr_info("KERNEL supported cpus:\n");
+-#endif
+-
+ for (cdev = __x86_cpu_dev_start; cdev < __x86_cpu_dev_end; cdev++) {
+ const struct cpu_dev *cpudev = *cdev;
+
+@@ -1280,19 +1276,6 @@ void __init early_cpu_init(void)
+ break;
+ cpu_devs[count] = cpudev;
+ count++;
+-
+-#ifdef CONFIG_PROCESSOR_SELECT
+- {
+- unsigned int j;
+-
+- for (j = 0; j < 2; j++) {
+- if (!cpudev->c_ident[j])
+- continue;
+- pr_info(" %s %s\n", cpudev->c_vendor,
+- cpudev->c_ident[j]);
+- }
+- }
+-#endif
+ }
+ early_identify_cpu(&boot_cpu_data);
+ }
diff --git a/sys-kernel/boest-v5.7.12/0007-This-patch-adds-support-for-a-restricted-user-contro.patch b/sys-kernel/boest-v5.7.12/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
new file mode 100644
index 00000000..52515d06
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
@@ -0,0 +1,74 @@
+From 4fa327cd7b809e3de85c5fe4295105e50b65149c Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile" <blueness@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] This patch adds support for a restricted user-controlled
+ namespace on tmpfs filesystem used to house PaX flags. The namespace must be
+ of the form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+---
+ include/uapi/linux/xattr.h | 4 ++++
+ mm/shmem.c | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index c1395b5bd432..bac6d48eca8e 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -77,5 +77,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 97b4a47e9767..aece0dea7b29 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const struct xattr_handler *handler,
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_trusted_xattr_handler = {
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
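Review bot: The new check in `shmem_xattr_handler_set` accepts exactly one name, `XATTR_NAME_PAX_FLAGS`, while the patch description speaks of a `user.pax.*` namespace, and neither the single-name rule nor the bare `8` is explained in the code. The added `shmem_user_xattr_handler` is what makes `user.` attributes settable on tmpfs in this patch, so this check is presumably the only bound on what a file owner can store there through that prefix. It deserves a comment such as `/* tmpfs: of user.*, only user.pax.flags is accepted, value at most 8 bytes */` and a named constant for the limit. The function starts outside the hunk.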
diff --git a/sys-kernel/boest-v5.7.12/0008-fs-Enable-link-security-restrictions-by-default.patch b/sys-kernel/boest-v5.7.12/0008-fs-Enable-link-security-restrictions-by-default.patch
new file mode 100644
index 00000000..51944229
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0008-fs-Enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,26 @@
+From ea1f23e2fa73d34c4ed6c3ce811e273aa45a40f2 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 2 Nov 2012 05:32:06 +0000
+Subject: [PATCH] fs: Enable link security restrictions by default
+
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index a320371899cf..26ab1117efcb 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -918,8 +918,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
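Review bot: Only `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` get a restrictive default here; `sysctl_protected_fifos` and `sysctl_protected_regular` on the next two lines stay zero-initialised. If the goal is restrictive link and file-creation defaults out of the box, a comment should say why those two are left alone, e.g. `/* local default: link restrictions on; fifos/regular left off, set them via sysctl if wanted */`. These are compile-time defaults for variables that, judging by their names, are runtime sysctls, so hosts that depend on the restriction should still pin the values in their sysctl configuration.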
diff --git a/sys-kernel/boest-v5.7.12/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch b/sys-kernel/boest-v5.7.12/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
new file mode 100644
index 00000000..2ff45ccd
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
@@ -0,0 +1,38 @@
+From e90466a93ce83229cc41e537c03b27b1a2c20b57 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] The encryption is only mandatory to be enforced when both
+ sides are using Secure Simple Pairing and this means the key size check makes
+ only sense in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index e245bc155cc2..1c46f48c0928 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1308,8 +1308,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ return 1;
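Review bot: As far as this hunk shows, the rewritten condition returns the same value as the old one in every case: without SSP the old `if` was skipped and control reached `return 1`, with SSP and no `HCI_CONN_ENCRYPT` both versions return 0, and otherwise both return 1. No key-size comparison appears between the new early return and the final `return 1`, so the change the description promises (not applying the key-size check to legacy devices) does not seem to be made by this patch on this tree. Check where the minimum encryption key size is enforced in this kernel version before carrying the patch forward. The new comment also presents accepting unencrypted legacy links as a new decision, when it was already the outcome of the old code here. The function begins outside the hunk.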
diff --git a/sys-kernel/boest-v5.7.12/0010-5.7-2600_enable-key-swapping-for-apple-mac.patch.patch b/sys-kernel/boest-v5.7.12/0010-5.7-2600_enable-key-swapping-for-apple-mac.patch.patch
new file mode 100644
index 00000000..96289020
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0010-5.7-2600_enable-key-swapping-for-apple-mac.patch.patch
@@ -0,0 +1,125 @@
+From a0ffbf6485d5971687aebe355dbe458a65e6e724 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:2600_enable-key-swapping-for-apple-mac.patch
+
+---
+ drivers/hid/hid-apple.c | 76 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 74 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index 6909c045fece..467bc8b0837b 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -51,6 +51,22 @@ MODULE_PARM_DESC(swap_opt_cmd, "Swap the Option (\"Alt\") and Command (\"Flag\")
+ "(For people who want to keep Windows PC keyboard muscle memory. "
+ "[0] = as-is, Mac layout. 1 = swapped, Windows layout.)");
+
++static unsigned int swap_fn_leftctrl;
++module_param(swap_fn_leftctrl, uint, 0644);
++MODULE_PARM_DESC(swap_fn_leftctrl, "Swap the Fn and left Control keys. "
++ "(For people who want to keep PC keyboard muscle memory. "
++ "[0] = as-is, Mac layout, 1 = swapped, PC layout)");
++
++static unsigned int rightalt_as_rightctrl;
++module_param(rightalt_as_rightctrl, uint, 0644);
++MODULE_PARM_DESC(rightalt_as_rightctrl, "Use the right Alt key as a right Ctrl key. "
++ "[0] = as-is, Mac layout. 1 = Right Alt is right Ctrl");
++
++static unsigned int ejectcd_as_delete;
++module_param(ejectcd_as_delete, uint, 0644);
++MODULE_PARM_DESC(ejectcd_as_delete, "Use Eject-CD key as Delete key. "
++ "([0] = disabled, 1 = enabled)");
++
+ struct apple_sc {
+ unsigned long quirks;
+ unsigned int fn_on;
+@@ -163,6 +179,21 @@ static const struct apple_key_translation swapped_option_cmd_keys[] = {
+ { }
+ };
+
++static const struct apple_key_translation swapped_fn_leftctrl_keys[] = {
++ { KEY_FN, KEY_LEFTCTRL },
++ { }
++};
++
++static const struct apple_key_translation rightalt_as_rightctrl_keys[] = {
++ { KEY_RIGHTALT, KEY_RIGHTCTRL },
++ { }
++};
++
++static const struct apple_key_translation ejectcd_as_delete_keys[] = {
++ { KEY_EJECTCD, KEY_DELETE },
++ { }
++};
++
+ static const struct apple_key_translation *apple_find_translation(
+ const struct apple_key_translation *table, u16 from)
+ {
+@@ -184,9 +215,11 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ bool do_translate;
+ u16 code = 0;
+
+- if (usage->code == KEY_FN) {
++ u16 fn_keycode = (swap_fn_leftctrl) ? (KEY_LEFTCTRL) : (KEY_FN);
++
++ if (usage->code == fn_keycode) {
+ asc->fn_on = !!value;
+- input_event(input, usage->type, usage->code, value);
++ input_event(input, usage->type, KEY_FN, value);
+ return 1;
+ }
+
+@@ -271,6 +304,30 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ }
+ }
+
++ if (swap_fn_leftctrl) {
++ trans = apple_find_translation(swapped_fn_leftctrl_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
++ if (ejectcd_as_delete) {
++ trans = apple_find_translation(ejectcd_as_delete_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
++ if (rightalt_as_rightctrl) {
++ trans = apple_find_translation(rightalt_as_rightctrl_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -334,6 +391,21 @@ static void apple_setup_input(struct input_dev *input)
+
+ for (trans = apple_iso_keyboard; trans->from; trans++)
+ set_bit(trans->to, input->keybit);
++
++ if (swap_fn_leftctrl) {
++ for (trans = swapped_fn_leftctrl_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
++
++ if (ejectcd_as_delete) {
++ for (trans = ejectcd_as_delete_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
++
++ if (rightalt_as_rightctrl) {
++ for (trans = rightalt_as_rightctrl_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
+ }
+
+ static int apple_input_mapping(struct hid_device *hdev, struct hid_input *hi,
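Review bot: The three new parameters are registered with mode `0644`, so they can be changed at runtime, but `apple_setup_input` sets the target key bits only when the parameter is already non-zero at setup time. If a parameter is switched on after a device was set up with it at 0, `hidinput_apple_event` would emit `trans->to` codes that this path never declared in `input->keybit`; the existing `apple_iso_keyboard` loop just above sets its bits unconditionally. Dropping the three `if (...)` guards so each loop always runs, e.g. `for (trans = ejectcd_as_delete_keys; trans->from; trans++) set_bit(trans->to, input->keybit);`, keeps setup and event handling consistent. Both functions extend beyond the hunks shown.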
diff --git a/sys-kernel/boest-v5.7.12/0011-This-driver-requires-REGMAP_I2C-to-build.-Select-it-.patch b/sys-kernel/boest-v5.7.12/0011-This-driver-requires-REGMAP_I2C-to-build.-Select-it-.patch
new file mode 100644
index 00000000..9efdb660
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0011-This-driver-requires-REGMAP_I2C-to-build.-Select-it-.patch
@@ -0,0 +1,26 @@
+From 70467167e333fd2707bb8a31a38dad62ff1a5e99 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 4c62f900bf7e..83480a7a1e87 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1778,6 +1778,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
diff --git a/sys-kernel/boest-v5.7.12/0012-5.7-2910_TVP5150-Fix-build-issue-by-selecting-REGMAP.patch b/sys-kernel/boest-v5.7.12/0012-5.7-2910_TVP5150-Fix-build-issue-by-selecting-REGMAP.patch
new file mode 100644
index 00000000..207a6b00
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0012-5.7-2910_TVP5150-Fix-build-issue-by-selecting-REGMAP.patch
@@ -0,0 +1,22 @@
+From f233df279e587239194224ff2c6594dae3c012e4 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Tue, 26 May 2020 13:58:36 -0400
+Subject: [PATCH]
+ 5.7:2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch
+
+---
+ drivers/media/i2c/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig
+index 125d596c13dd..47bf86ee77d9 100644
+--- a/drivers/media/i2c/Kconfig
++++ b/drivers/media/i2c/Kconfig
+@@ -379,6 +379,7 @@ config VIDEO_TVP514X
+ config VIDEO_TVP5150
+ tristate "Texas Instruments TVP5150 video decoder"
+ depends on VIDEO_V4L2 && I2C
++ select REGMAP_I2C
+ select V4L2_FWNODE
+ select REGMAP_I2C
+ help
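Review bot: The added `select REGMAP_I2C` duplicates the one already present in the same `config VIDEO_TVP5150` entry, on the context line right after `select V4L2_FWNODE`. On this base the patch therefore changes nothing about the build and only leaves a repeated select. It looks like the fix is already part of the 5.7.12 tree and the patch can be dropped from the series. The entry continues after `help`, outside the hunk.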
diff --git a/sys-kernel/boest-v5.7.12/0013-5.7-2920_sign-file-patch-for-libressl.patch.patch b/sys-kernel/boest-v5.7.12/0013-5.7-2920_sign-file-patch-for-libressl.patch.patch
new file mode 100644
index 00000000..b0a3c980
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0013-5.7-2920_sign-file-patch-for-libressl.patch.patch
@@ -0,0 +1,27 @@
+From e7eb3c3d763cec89849222edf094e21387abe059 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Tue, 26 May 2020 13:58:36 -0400
+Subject: [PATCH] 5.7:2920_sign-file-patch-for-libressl.patch
+
+---
+ scripts/sign-file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..fd4d7c31d1bf 100644
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
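Review bot: The new LibreSSL cut-off `0x3010000fL` is a bare constant with no explanation, and the comment above the `#if` (only its tail is visible) may not mention a version condition at all. That comment ties the `USE_PKCS7` path to SHA1-only signing, so this condition decides which digests module signing can use and should be spelled out, e.g. `/* LibreSSL older than 0x3010000f (presumably 3.1.0) lacks usable CMS: fall back to PKCS#7 */`. Confirm the threshold against the LibreSSL release that actually ships the CMS API before relying on it.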
diff --git a/sys-kernel/boest-v5.7.12/0014-5.7-4567_distro-Gentoo-Kconfig.patch.patch b/sys-kernel/boest-v5.7.12/0014-5.7-4567_distro-Gentoo-Kconfig.patch.patch
new file mode 100644
index 00000000..cb85d54c
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0014-5.7-4567_distro-Gentoo-Kconfig.patch.patch
@@ -0,0 +1,183 @@
+From 6973aaa02bf2a62a7078edb451f9be9b2b02b15b Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Wed, 13 May 2020 07:55:40 -0400
+Subject: [PATCH] 5.7:4567_distro-Gentoo-Kconfig.patch
+
+---
+ Kconfig | 2 +
+ distro/Kconfig | 157 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 159 insertions(+)
+
+diff --git a/Kconfig b/Kconfig
+index e10b3ee084d4..3f5d235382c0 100644
+--- a/Kconfig
++++ b/Kconfig
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+diff --git a/distro/Kconfig b/distro/Kconfig
+new file mode 100644
+index 000000000000..827a0b2202c8
+--- /dev/null
++++ b/distro/Kconfig
+@@ -0,0 +1,157 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
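Review bot: The help text of `GENTOO_LINUX_PORTAGE` lists five symbols under "Currently this selects:", but the entry selects seven; `NAMESPACES` and `UTS_NS` are missing from the list. Because the entry is `default y` and uses `select`, these options are switched on without the user choosing them, so anyone auditing which namespace features a kernel exposes needs the list to be complete. I would add `NAMESPACES (required by the *_NS options)` and a `UTS_NS` line naming the feature that needs it, which the patch does not say. Separately, `select DEVPTS_MULTIPLE_INSTANCES` under `GENTOO_LINUX_INIT_SYSTEMD` looks stale for a 5.7 tree and is worth checking against the target's Kconfig.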
diff --git a/sys-kernel/boest-v5.7.12/0015-5.7-5000_ZSTD-v5-1-8-prepare-zstd-for-preboot-env.pa.patch b/sys-kernel/boest-v5.7.12/0015-5.7-5000_ZSTD-v5-1-8-prepare-zstd-for-preboot-env.pa.patch
new file mode 100644
index 00000000..78c7015b
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0015-5.7-5000_ZSTD-v5-1-8-prepare-zstd-for-preboot-env.pa.patch
@@ -0,0 +1,93 @@
+From 11bc311989f725bbc8c6f905e9d7adb888bd0da6 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5000_ZSTD-v5-1-8-prepare-zstd-for-preboot-env.patch
+
+---
+ lib/zstd/decompress.c | 2 ++
+ lib/zstd/fse_decompress.c | 9 +--------
+ lib/zstd/zstd_internal.h | 14 ++++++++++++--
+ 3 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/lib/zstd/decompress.c b/lib/zstd/decompress.c
+index 269ee9a796c1..73ded63278cf 100644
+--- a/lib/zstd/decompress.c
++++ b/lib/zstd/decompress.c
+@@ -2490,6 +2490,7 @@ size_t ZSTD_decompressStream(ZSTD_DStream *zds, ZSTD_outBuffer *output, ZSTD_inB
+ }
+ }
+
++#ifndef ZSTD_PREBOOT
+ EXPORT_SYMBOL(ZSTD_DCtxWorkspaceBound);
+ EXPORT_SYMBOL(ZSTD_initDCtx);
+ EXPORT_SYMBOL(ZSTD_decompressDCtx);
+@@ -2529,3 +2530,4 @@ EXPORT_SYMBOL(ZSTD_insertBlock);
+
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("Zstd Decompressor");
++#endif
+diff --git a/lib/zstd/fse_decompress.c b/lib/zstd/fse_decompress.c
+index a84300e5a013..0b353530fb3f 100644
+--- a/lib/zstd/fse_decompress.c
++++ b/lib/zstd/fse_decompress.c
+@@ -47,6 +47,7 @@
+ ****************************************************************/
+ #include "bitstream.h"
+ #include "fse.h"
++#include "zstd_internal.h"
+ #include <linux/compiler.h>
+ #include <linux/kernel.h>
+ #include <linux/string.h> /* memcpy, memset */
+@@ -60,14 +61,6 @@
+ enum { FSE_static_assert = 1 / (int)(!!(c)) }; \
+ } /* use only *after* variable declarations */
+
+-/* check and forward error code */
+-#define CHECK_F(f) \
+- { \
+- size_t const e = f; \
+- if (FSE_isError(e)) \
+- return e; \
+- }
+-
+ /* **************************************************************
+ * Templates
+ ****************************************************************/
+diff --git a/lib/zstd/zstd_internal.h b/lib/zstd/zstd_internal.h
+index 1a79fab9e13a..dac753397f86 100644
+--- a/lib/zstd/zstd_internal.h
++++ b/lib/zstd/zstd_internal.h
+@@ -127,7 +127,14 @@ static const U32 OF_defaultNormLog = OF_DEFAULTNORMLOG;
+ * Shared functions to include for inlining
+ *********************************************/
+ ZSTD_STATIC void ZSTD_copy8(void *dst, const void *src) {
+- memcpy(dst, src, 8);
++ /*
++ * zstd relies heavily on gcc being able to analyze and inline this
++ * memcpy() call, since it is called in a tight loop. Preboot mode
++ * is compiled in freestanding mode, which stops gcc from analyzing
++ * memcpy(). Use __builtin_memcpy() to tell gcc to analyze this as a
++ * regular memcpy().
++ */
++ __builtin_memcpy(dst, src, 8);
+ }
+ /*! ZSTD_wildcopy() :
+ * custom version of memcpy(), can copy up to 7 bytes too many (8 bytes if length==0) */
+@@ -137,13 +144,16 @@ ZSTD_STATIC void ZSTD_wildcopy(void *dst, const void *src, ptrdiff_t length)
+ const BYTE* ip = (const BYTE*)src;
+ BYTE* op = (BYTE*)dst;
+ BYTE* const oend = op + length;
+- /* Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81388.
++#if defined(GCC_VERSION) && GCC_VERSION >= 70000 && GCC_VERSION < 70200
++ /*
++ * Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81388.
+ * Avoid the bad case where the loop only runs once by handling the
+ * special case separately. This doesn't trigger the bug because it
+ * doesn't involve pointer/integer overflow.
+ */
+ if (length <= 8)
+ return ZSTD_copy8(dst, src);
++#endif
+ do {
+ ZSTD_copy8(op, ip);
+ op += 8;
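Review bot: In `ZSTD_wildcopy()` the GCC bug 81388 workaround is now compiled only when `defined(GCC_VERSION) && GCC_VERSION >= 70000 && GCC_VERSION < 70200`, so it silently disappears wherever `GCC_VERSION` is not defined at this point, even on an affected compiler. The commit prepares this header for inclusion from preboot code, and whether that include chain defines `GCC_VERSION` is not visible here. I would state the dependency next to the guard, e.g. `/* GCC_VERSION must be visible here (normally via <linux/compiler.h>); if it is not, the workaround is skipped */`, and confirm it for the preboot build. The function body continues outside the hunk.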
diff --git a/sys-kernel/boest-v5.7.12/0016-5.7-5001_ZSTD-v5-2-8-prepare-xxhash-for-preboot-env..patch b/sys-kernel/boest-v5.7.12/0016-5.7-5001_ZSTD-v5-2-8-prepare-xxhash-for-preboot-env..patch
new file mode 100644
index 00000000..9322e31d
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0016-5.7-5001_ZSTD-v5-2-8-prepare-xxhash-for-preboot-env..patch
@@ -0,0 +1,103 @@
+From b6e796dde7189b3049d48aba1eda113dd1573121 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5001_ZSTD-v5-2-8-prepare-xxhash-for-preboot-env.patch
+
+---
+ lib/xxhash.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/lib/xxhash.c b/lib/xxhash.c
+index aa61e2a3802f..b4364e011392 100644
+--- a/lib/xxhash.c
++++ b/lib/xxhash.c
+@@ -80,13 +80,11 @@ void xxh32_copy_state(struct xxh32_state *dst, const struct xxh32_state *src)
+ {
+ memcpy(dst, src, sizeof(*dst));
+ }
+-EXPORT_SYMBOL(xxh32_copy_state);
+
+ void xxh64_copy_state(struct xxh64_state *dst, const struct xxh64_state *src)
+ {
+ memcpy(dst, src, sizeof(*dst));
+ }
+-EXPORT_SYMBOL(xxh64_copy_state);
+
+ /*-***************************
+ * Simple Hash Functions
+@@ -151,7 +149,6 @@ uint32_t xxh32(const void *input, const size_t len, const uint32_t seed)
+
+ return h32;
+ }
+-EXPORT_SYMBOL(xxh32);
+
+ static uint64_t xxh64_round(uint64_t acc, const uint64_t input)
+ {
+@@ -234,7 +231,6 @@ uint64_t xxh64(const void *input, const size_t len, const uint64_t seed)
+
+ return h64;
+ }
+-EXPORT_SYMBOL(xxh64);
+
+ /*-**************************************************
+ * Advanced Hash Functions
+@@ -251,7 +247,6 @@ void xxh32_reset(struct xxh32_state *statePtr, const uint32_t seed)
+ state.v4 = seed - PRIME32_1;
+ memcpy(statePtr, &state, sizeof(state));
+ }
+-EXPORT_SYMBOL(xxh32_reset);
+
+ void xxh64_reset(struct xxh64_state *statePtr, const uint64_t seed)
+ {
+@@ -265,7 +260,6 @@ void xxh64_reset(struct xxh64_state *statePtr, const uint64_t seed)
+ state.v4 = seed - PRIME64_1;
+ memcpy(statePtr, &state, sizeof(state));
+ }
+-EXPORT_SYMBOL(xxh64_reset);
+
+ int xxh32_update(struct xxh32_state *state, const void *input, const size_t len)
+ {
+@@ -334,7 +328,6 @@ int xxh32_update(struct xxh32_state *state, const void *input, const size_t len)
+
+ return 0;
+ }
+-EXPORT_SYMBOL(xxh32_update);
+
+ uint32_t xxh32_digest(const struct xxh32_state *state)
+ {
+@@ -372,7 +365,6 @@ uint32_t xxh32_digest(const struct xxh32_state *state)
+
+ return h32;
+ }
+-EXPORT_SYMBOL(xxh32_digest);
+
+ int xxh64_update(struct xxh64_state *state, const void *input, const size_t len)
+ {
+@@ -439,7 +431,6 @@ int xxh64_update(struct xxh64_state *state, const void *input, const size_t len)
+
+ return 0;
+ }
+-EXPORT_SYMBOL(xxh64_update);
+
+ uint64_t xxh64_digest(const struct xxh64_state *state)
+ {
+@@ -494,7 +485,19 @@ uint64_t xxh64_digest(const struct xxh64_state *state)
+
+ return h64;
+ }
++
++#ifndef XXH_PREBOOT
++EXPORT_SYMBOL(xxh32_copy_state);
++EXPORT_SYMBOL(xxh64_copy_state);
++EXPORT_SYMBOL(xxh32);
++EXPORT_SYMBOL(xxh64);
++EXPORT_SYMBOL(xxh32_reset);
++EXPORT_SYMBOL(xxh64_reset);
++EXPORT_SYMBOL(xxh32_update);
++EXPORT_SYMBOL(xxh32_digest);
++EXPORT_SYMBOL(xxh64_update);
+ EXPORT_SYMBOL(xxh64_digest);
+
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("xxHash");
++#endif
diff --git a/sys-kernel/boest-v5.7.12/0017-5.7-5002_ZSTD-v5-3-8-add-zstd-support-to-decompress..patch b/sys-kernel/boest-v5.7.12/0017-5.7-5002_ZSTD-v5-3-8-add-zstd-support-to-decompress..patch
new file mode 100644
index 00000000..b72a1835
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0017-5.7-5002_ZSTD-v5-3-8-add-zstd-support-to-decompress..patch
@@ -0,0 +1,435 @@
+From 4f87a058bbb71186f865cc946b5420b329bc04fd Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5002_ZSTD-v5-3-8-add-zstd-support-to-decompress.patch
+
+---
+ include/linux/decompress/unzstd.h | 11 +
+ lib/Kconfig | 4 +
+ lib/Makefile | 1 +
+ lib/decompress.c | 5 +
+ lib/decompress_unzstd.c | 342 ++++++++++++++++++++++++++++++
+ 5 files changed, 363 insertions(+)
+
+diff --git a/include/linux/decompress/unzstd.h b/include/linux/decompress/unzstd.h
+new file mode 100644
+index 000000000000..56d539ae880f
+--- /dev/null
++++ b/include/linux/decompress/unzstd.h
+@@ -0,0 +1,11 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef LINUX_DECOMPRESS_UNZSTD_H
++#define LINUX_DECOMPRESS_UNZSTD_H
++
++int unzstd(unsigned char *inbuf, long len,
++ long (*fill)(void*, unsigned long),
++ long (*flush)(void*, unsigned long),
++ unsigned char *output,
++ long *pos,
++ void (*error_fn)(char *x));
++#endif
+diff --git a/lib/Kconfig b/lib/Kconfig
+index 5d53f9609c25..e883aecb9279 100644
+--- a/lib/Kconfig
++++ b/lib/Kconfig
+@@ -336,6 +336,10 @@ config DECOMPRESS_LZ4
+ select LZ4_DECOMPRESS
+ tristate
+
++config DECOMPRESS_ZSTD
++ select ZSTD_DECOMPRESS
++ tristate
++
+ #
+ # Generic allocator support is selected if needed
+ #
+diff --git a/lib/Makefile b/lib/Makefile
+index 685aee60de1d..46a4c7a39beb 100644
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -163,6 +163,7 @@ lib-$(CONFIG_DECOMPRESS_LZMA) += decompress_unlzma.o
+ lib-$(CONFIG_DECOMPRESS_XZ) += decompress_unxz.o
+ lib-$(CONFIG_DECOMPRESS_LZO) += decompress_unlzo.o
+ lib-$(CONFIG_DECOMPRESS_LZ4) += decompress_unlz4.o
++lib-$(CONFIG_DECOMPRESS_ZSTD) += decompress_unzstd.o
+
+ obj-$(CONFIG_TEXTSEARCH) += textsearch.o
+ obj-$(CONFIG_TEXTSEARCH_KMP) += ts_kmp.o
+diff --git a/lib/decompress.c b/lib/decompress.c
+index 857ab1af1ef3..ab3fc90ffc64 100644
+--- a/lib/decompress.c
++++ b/lib/decompress.c
+@@ -13,6 +13,7 @@
+ #include <linux/decompress/inflate.h>
+ #include <linux/decompress/unlzo.h>
+ #include <linux/decompress/unlz4.h>
++#include <linux/decompress/unzstd.h>
+
+ #include <linux/types.h>
+ #include <linux/string.h>
+@@ -37,6 +38,9 @@
+ #ifndef CONFIG_DECOMPRESS_LZ4
+ # define unlz4 NULL
+ #endif
++#ifndef CONFIG_DECOMPRESS_ZSTD
++# define unzstd NULL
++#endif
+
+ struct compress_format {
+ unsigned char magic[2];
+@@ -52,6 +56,7 @@ static const struct compress_format compressed_formats[] __initconst = {
+ { {0xfd, 0x37}, "xz", unxz },
+ { {0x89, 0x4c}, "lzo", unlzo },
+ { {0x02, 0x21}, "lz4", unlz4 },
++ { {0x28, 0xb5}, "zstd", unzstd },
+ { {0, 0}, NULL, NULL }
+ };
+
+diff --git a/lib/decompress_unzstd.c b/lib/decompress_unzstd.c
+new file mode 100644
+index 000000000000..f317afab502f
+--- /dev/null
++++ b/lib/decompress_unzstd.c
+@@ -0,0 +1,342 @@
++// SPDX-License-Identifier: GPL-2.0
++
++/*
++ * Important notes about in-place decompression
++ *
++ * At least on x86, the kernel is decompressed in place: the compressed data
++ * is placed to the end of the output buffer, and the decompressor overwrites
++ * most of the compressed data. There must be enough safety margin to
++ * guarantee that the write position is always behind the read position.
++ *
++ * The safety margin for ZSTD with a 128 KB block size is calculated below.
++ * Note that the margin with ZSTD is bigger than with GZIP or XZ!
++ *
++ * The worst case for in-place decompression is that the beginning of
++ * the file is compressed extremely well, and the rest of the file is
++ * uncompressible. Thus, we must look for worst-case expansion when the
++ * compressor is encoding uncompressible data.
++ *
++ * The structure of the .zst file in case of a compresed kernel is as follows.
++ * Maximum sizes (as bytes) of the fields are in parenthesis.
++ *
++ * Frame Header: (18)
++ * Blocks: (N)
++ * Checksum: (4)
++ *
++ * The frame header and checksum overhead is at most 22 bytes.
++ *
++ * ZSTD stores the data in blocks. Each block has a header whose size is
++ * a 3 bytes. After the block header, there is up to 128 KB of payload.
++ * The maximum uncompressed size of the payload is 128 KB. The minimum
++ * uncompressed size of the payload is never less than the payload size
++ * (excluding the block header).
++ *
++ * The assumption, that the uncompressed size of the payload is never
++ * smaller than the payload itself, is valid only when talking about
++ * the payload as a whole. It is possible that the payload has parts where
++ * the decompressor consumes more input than it produces output. Calculating
++ * the worst case for this would be tricky. Instead of trying to do that,
++ * let's simply make sure that the decompressor never overwrites any bytes
++ * of the payload which it is currently reading.
++ *
++ * Now we have enough information to calculate the safety margin. We need
++ * - 22 bytes for the .zst file format headers;
++ * - 3 bytes per every 128 KiB of uncompressed size (one block header per
++ * block); and
++ * - 128 KiB (biggest possible zstd block size) to make sure that the
++ * decompressor never overwrites anything from the block it is currently
++ * reading.
++ *
++ * We get the following formula:
++ *
++ * safety_margin = 22 + uncompressed_size * 3 / 131072 + 131072
++ * <= 22 + (uncompressed_size >> 15) + 131072
++ */
++
++/*
++ * Preboot environments #include "path/to/decompress_unzstd.c".
++ * All of the source files we depend on must be #included.
++ * zstd's only source dependeny is xxhash, which has no source
++ * dependencies.
++ *
++ * zstd and xxhash avoid declaring themselves as modules
++ * when ZSTD_PREBOOT and XXH_PREBOOT are defined.
++ */
++#ifdef STATIC
++# define ZSTD_PREBOOT
++# define XXH_PREBOOT
++# include "xxhash.c"
++# include "zstd/entropy_common.c"
++# include "zstd/fse_decompress.c"
++# include "zstd/huf_decompress.c"
++# include "zstd/zstd_common.c"
++# include "zstd/decompress.c"
++#endif
++
++#include <linux/decompress/mm.h>
++#include <linux/kernel.h>
++#include <linux/zstd.h>
++
++/* 128MB is the maximum window size supported by zstd. */
++#define ZSTD_WINDOWSIZE_MAX (1 << ZSTD_WINDOWLOG_MAX)
++/* Size of the input and output buffers in multi-call mode.
++ * Pick a larger size because it isn't used during kernel decompression,
++ * since that is single pass, and we have to allocate a large buffer for
++ * zstd's window anyways. The larger size speeds up initramfs decompression.
++ */
++#define ZSTD_IOBUF_SIZE (1 << 17)
++
++static int INIT handle_zstd_error(size_t ret, void (*error)(char *x))
++{
++ const int err = ZSTD_getErrorCode(ret);
++
++ if (!ZSTD_isError(ret))
++ return 0;
++
++ switch (err) {
++ case ZSTD_error_memory_allocation:
++ error("ZSTD decompressor ran out of memory");
++ break;
++ case ZSTD_error_prefix_unknown:
++ error("Input is not in the ZSTD format (wrong magic bytes)");
++ break;
++ case ZSTD_error_dstSize_tooSmall:
++ case ZSTD_error_corruption_detected:
++ case ZSTD_error_checksum_wrong:
++ error("ZSTD-compressed data is corrupt");
++ break;
++ default:
++ error("ZSTD-compressed data is probably corrupt");
++ break;
++ }
++ return -1;
++}
++
++/*
++ * Handle the case where we have the entire input and output in one segment.
++ * We can allocate less memory (no circular buffer for the sliding window),
++ * and avoid some memcpy() calls.
++ */
++static int INIT decompress_single(const u8 *in_buf, long in_len, u8 *out_buf,
++ long out_len, long *in_pos,
++ void (*error)(char *x))
++{
++ const size_t wksp_size = ZSTD_DCtxWorkspaceBound();
++ void *wksp = large_malloc(wksp_size);
++ ZSTD_DCtx *dctx = ZSTD_initDCtx(wksp, wksp_size);
++ int err;
++ size_t ret;
++
++ if (dctx == NULL) {
++ error("Out of memory while allocating ZSTD_DCtx");
++ err = -1;
++ goto out;
++ }
++ /*
++ * Find out how large the frame actually is, there may be junk at
++ * the end of the frame that ZSTD_decompressDCtx() can't handle.
++ */
++ ret = ZSTD_findFrameCompressedSize(in_buf, in_len);
++ err = handle_zstd_error(ret, error);
++ if (err)
++ goto out;
++ in_len = (long)ret;
++
++ ret = ZSTD_decompressDCtx(dctx, out_buf, out_len, in_buf, in_len);
++ err = handle_zstd_error(ret, error);
++ if (err)
++ goto out;
++
++ if (in_pos != NULL)
++ *in_pos = in_len;
++
++ err = 0;
++out:
++ if (wksp != NULL)
++ large_free(wksp);
++ return err;
++}
++
++static int INIT __unzstd(unsigned char *in_buf, long in_len,
++ long (*fill)(void*, unsigned long),
++ long (*flush)(void*, unsigned long),
++ unsigned char *out_buf, long out_len,
++ long *in_pos,
++ void (*error)(char *x))
++{
++ ZSTD_inBuffer in;
++ ZSTD_outBuffer out;
++ ZSTD_frameParams params;
++ void *in_allocated = NULL;
++ void *out_allocated = NULL;
++ void *wksp = NULL;
++ size_t wksp_size;
++ ZSTD_DStream *dstream;
++ int err;
++ size_t ret;
++
++ if (out_len == 0)
++ out_len = LONG_MAX; /* no limit */
++
++ if (fill == NULL && flush == NULL)
++ /*
++ * We can decompress faster and with less memory when we have a
++ * single chunk.
++ */
++ return decompress_single(in_buf, in_len, out_buf, out_len,
++ in_pos, error);
++
++ /*
++ * If in_buf is not provided, we must be using fill(), so allocate
++ * a large enough buffer. If it is provided, it must be at least
++ * ZSTD_IOBUF_SIZE large.
++ */
++ if (in_buf == NULL) {
++ in_allocated = large_malloc(ZSTD_IOBUF_SIZE);
++ if (in_allocated == NULL) {
++ error("Out of memory while allocating input buffer");
++ err = -1;
++ goto out;
++ }
++ in_buf = in_allocated;
++ in_len = 0;
++ }
++ /* Read the first chunk, since we need to decode the frame header. */
++ if (fill != NULL)
++ in_len = fill(in_buf, ZSTD_IOBUF_SIZE);
++ if (in_len < 0) {
++ error("ZSTD-compressed data is truncated");
++ err = -1;
++ goto out;
++ }
++ /* Set the first non-empty input buffer. */
++ in.src = in_buf;
++ in.pos = 0;
++ in.size = in_len;
++ /* Allocate the output buffer if we are using flush(). */
++ if (flush != NULL) {
++ out_allocated = large_malloc(ZSTD_IOBUF_SIZE);
++ if (out_allocated == NULL) {
++ error("Out of memory while allocating output buffer");
++ err = -1;
++ goto out;
++ }
++ out_buf = out_allocated;
++ out_len = ZSTD_IOBUF_SIZE;
++ }
++ /* Set the output buffer. */
++ out.dst = out_buf;
++ out.pos = 0;
++ out.size = out_len;
++
++ /*
++ * We need to know the window size to allocate the ZSTD_DStream.
++ * Since we are streaming, we need to allocate a buffer for the sliding
++ * window. The window size varies from 1 KB to ZSTD_WINDOWSIZE_MAX
++ * (8 MB), so it is important to use the actual value so as not to
++ * waste memory when it is smaller.
++ */
++ ret = ZSTD_getFrameParams(&params, in.src, in.size);
++ err = handle_zstd_error(ret, error);
++ if (err)
++ goto out;
++ if (ret != 0) {
++ error("ZSTD-compressed data has an incomplete frame header");
++ err = -1;
++ goto out;
++ }
++ if (params.windowSize > ZSTD_WINDOWSIZE_MAX) {
++ error("ZSTD-compressed data has too large a window size");
++ err = -1;
++ goto out;
++ }
++
++ /*
++ * Allocate the ZSTD_DStream now that we know how much memory is
++ * required.
++ */
++ wksp_size = ZSTD_DStreamWorkspaceBound(params.windowSize);
++ wksp = large_malloc(wksp_size);
++ dstream = ZSTD_initDStream(params.windowSize, wksp, wksp_size);
++ if (dstream == NULL) {
++ error("Out of memory while allocating ZSTD_DStream");
++ err = -1;
++ goto out;
++ }
++
++ /*
++ * Decompression loop:
++ * Read more data if necessary (error if no more data can be read).
++ * Call the decompression function, which returns 0 when finished.
++ * Flush any data produced if using flush().
++ */
++ if (in_pos != NULL)
++ *in_pos = 0;
++ do {
++ /*
++ * If we need to reload data, either we have fill() and can
++ * try to get more data, or we don't and the input is truncated.
++ */
++ if (in.pos == in.size) {
++ if (in_pos != NULL)
++ *in_pos += in.pos;
++ in_len = fill ? fill(in_buf, ZSTD_IOBUF_SIZE) : -1;
++ if (in_len < 0) {
++ error("ZSTD-compressed data is truncated");
++ err = -1;
++ goto out;
++ }
++ in.pos = 0;
++ in.size = in_len;
++ }
++ /* Returns zero when the frame is complete. */
++ ret = ZSTD_decompressStream(dstream, &out, &in);
++ err = handle_zstd_error(ret, error);
++ if (err)
++ goto out;
++ /* Flush all of the data produced if using flush(). */
++ if (flush != NULL && out.pos > 0) {
++ if (out.pos != flush(out.dst, out.pos)) {
++ error("Failed to flush()");
++ err = -1;
++ goto out;
++ }
++ out.pos = 0;
++ }
++ } while (ret != 0);
++
++ if (in_pos != NULL)
++ *in_pos += in.pos;
++
++ err = 0;
++out:
++ if (in_allocated != NULL)
++ large_free(in_allocated);
++ if (out_allocated != NULL)
++ large_free(out_allocated);
++ if (wksp != NULL)
++ large_free(wksp);
++ return err;
++}
++
++#ifndef ZSTD_PREBOOT
++STATIC int INIT unzstd(unsigned char *buf, long len,
++ long (*fill)(void*, unsigned long),
++ long (*flush)(void*, unsigned long),
++ unsigned char *out_buf,
++ long *pos,
++ void (*error)(char *x))
++{
++ return __unzstd(buf, len, fill, flush, out_buf, 0, pos, error);
++}
++#else
++STATIC int INIT __decompress(unsigned char *buf, long len,
++ long (*fill)(void*, unsigned long),
++ long (*flush)(void*, unsigned long),
++ unsigned char *out_buf, long out_len,
++ long *pos,
++ void (*error)(char *x))
++{
++ return __unzstd(buf, len, fill, flush, out_buf, out_len, pos, error);
++}
++#endif
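Review bot: The reload branch of the decompression loop in `__unzstd()` treats only a negative `fill()` result as truncation (`if (in_len < 0)`), so a `fill()` that signals end of input with 0 leaves `in.size == 0` while the frame is still incomplete. `ZSTD_decompressStream()` then has nothing to consume, `ret` presumably stays non-zero, and the `do … while (ret != 0)` loop calls `fill()` again without making progress, which would hang early boot on a truncated image. Since this branch is reached only when all input is consumed and the frame is unfinished, the check can be `if (in_len <= 0) {`. Also, the comment on `ZSTD_WINDOWSIZE_MAX` says 128MB while the later comment on the window allocation says 8 MB; as `params.windowSize` comes from the frame header and sizes the workspace allocation, the two comments should agree on the limit actually enforced.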
diff --git a/sys-kernel/boest-v5.7.12/0018-5.7-5003_ZSTD-v5-4-8-add-support-for-zstd-compres-ke.patch b/sys-kernel/boest-v5.7.12/0018-5.7-5003_ZSTD-v5-4-8-add-support-for-zstd-compres-ke.patch
new file mode 100644
index 00000000..776a3b82
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0018-5.7-5003_ZSTD-v5-4-8-add-support-for-zstd-compres-ke.patch
@@ -0,0 +1,75 @@
+From d77c704439d7c16b10c31d9bc7a71a1c73fe1ccd Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5003_ZSTD-v5-4-8-add-support-for-zstd-compres-kern.patch
+
+---
+ init/Kconfig | 15 ++++++++++++++-
+ scripts/Makefile.lib | 15 +++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74a5ac65644f..c3f7f0630b43 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -160,13 +160,16 @@ config HAVE_KERNEL_LZO
+ config HAVE_KERNEL_LZ4
+ bool
+
++config HAVE_KERNEL_ZSTD
++ bool
++
+ config HAVE_KERNEL_UNCOMPRESSED
+ bool
+
+ choice
+ prompt "Kernel compression mode"
+ default KERNEL_GZIP
+- depends on HAVE_KERNEL_GZIP || HAVE_KERNEL_BZIP2 || HAVE_KERNEL_LZMA || HAVE_KERNEL_XZ || HAVE_KERNEL_LZO || HAVE_KERNEL_LZ4 || HAVE_KERNEL_UNCOMPRESSED
++ depends on HAVE_KERNEL_GZIP || HAVE_KERNEL_BZIP2 || HAVE_KERNEL_LZMA || HAVE_KERNEL_XZ || HAVE_KERNEL_LZO || HAVE_KERNEL_LZ4 || HAVE_KERNEL_ZSTD || HAVE_KERNEL_UNCOMPRESSED
+ help
+ The linux kernel is a kind of self-extracting executable.
+ Several compression algorithms are available, which differ
+@@ -245,6 +248,16 @@ config KERNEL_LZ4
+ is about 8% bigger than LZO. But the decompression speed is
+ faster than LZO.
+
++config KERNEL_ZSTD
++ bool "ZSTD"
++ depends on HAVE_KERNEL_ZSTD
++ help
++ ZSTD is a compression algorithm targeting intermediate compression
++ with fast decompression speed. It will compress better than GZIP and
++ decompress around the same speed as LZO, but slower than LZ4. You
++ will need at least 192 KB RAM or more for booting. The zstd command
++ line tools is required for compression.
++
+ config KERNEL_UNCOMPRESSED
+ bool "None"
+ depends on HAVE_KERNEL_UNCOMPRESSED
+diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
+index 4b799737722c..41063ffd92b3 100644
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -395,6 +395,21 @@ quiet_cmd_xzkern = XZKERN $@
+ quiet_cmd_xzmisc = XZMISC $@
+ cmd_xzmisc = cat $(real-prereqs) | xz --check=crc32 --lzma2=dict=1MiB > $@
+
++# ZSTD
++# ---------------------------------------------------------------------------
++# Appends the uncompressed size of the data using size_append. The .zst
++# format has the size information available at the beginning of the file too,
++# but it's in a more complex format and it's good to avoid changing the part
++# of the boot code that reads the uncompressed size.
++# Note that the bytes added by size_append will make the zstd tool think that
++# the file is corrupt. This is expected.
++
++quiet_cmd_zstd = ZSTD $@
++cmd_zstd = (cat $(filter-out FORCE,$^) | \
++ zstd -19 && \
++ $(call size_append, $(filter-out FORCE,$^))) > $@ || \
++ (rm -f $@ ; false)
++
+ # ASM offsets
+ # ---------------------------------------------------------------------------
+
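Review bot: `cmd_zstd` in scripts/Makefile.lib spells its inputs as `$(filter-out FORCE,$^)` twice, while the `cmd_xzmisc` rule just above it uses `$(real-prereqs)`. Using the one helper keeps the list fed to `zstd` and the list measured by `size_append` from drifting apart, which matters because, per the added comment, the appended size is what the boot code reads as the uncompressed length. Assuming `real-prereqs` filters the same phony targets, I would write the first line as `cmd_zstd = (cat $(real-prereqs) | \` and the third as `$(call size_append, $(real-prereqs))) > $@ || \`.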
diff --git a/sys-kernel/boest-v5.7.12/0019-5.7-5004_ZSTD-v5-5-8-add-support-for-zstd-compressed.patch b/sys-kernel/boest-v5.7.12/0019-5.7-5004_ZSTD-v5-5-8-add-support-for-zstd-compressed.patch
new file mode 100644
index 00000000..3ba2bda4
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0019-5.7-5004_ZSTD-v5-5-8-add-support-for-zstd-compressed.patch
@@ -0,0 +1,61 @@
+From ab728152e9231787e3888997ffb9ce62559c1d16 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH]
+ 5.7:5004_ZSTD-v5-5-8-add-support-for-zstd-compressed-initramfs.patch
+
+---
+ usr/Kconfig | 20 ++++++++++++++++++++
+ usr/Makefile | 1 +
+ 2 files changed, 21 insertions(+)
+
+diff --git a/usr/Kconfig b/usr/Kconfig
+index 96afb03b65f9..2599bc21c1b2 100644
+--- a/usr/Kconfig
++++ b/usr/Kconfig
+@@ -100,6 +100,15 @@ config RD_LZ4
+ Support loading of a LZ4 encoded initial ramdisk or cpio buffer
+ If unsure, say N.
+
++config RD_ZSTD
++ bool "Support initial ramdisk/ramfs compressed using ZSTD"
++ default y
++ depends on BLK_DEV_INITRD
++ select DECOMPRESS_ZSTD
++ help
++ Support loading of a ZSTD encoded initial ramdisk or cpio buffer.
++ If unsure, say N.
++
+ choice
+ prompt "Built-in initramfs compression mode"
+ depends on INITRAMFS_SOURCE != ""
+@@ -196,6 +205,17 @@ config INITRAMFS_COMPRESSION_LZ4
+ If you choose this, keep in mind that most distros don't provide lz4
+ by default which could cause a build failure.
+
++config INITRAMFS_COMPRESSION_ZSTD
++ bool "ZSTD"
++ depends on RD_ZSTD
++ help
++ ZSTD is a compression algorithm targeting intermediate compression
++ with fast decompression speed. It will compress better than GZIP and
++ decompress around the same speed as LZO, but slower than LZ4.
++
++ If you choose this, keep in mind that you may need to install the zstd
++ tool to be able to compress the initram.
++
+ config INITRAMFS_COMPRESSION_NONE
+ bool "None"
+ help
+diff --git a/usr/Makefile b/usr/Makefile
+index c12e6b15ce72..b1a81a40eab1 100644
+--- a/usr/Makefile
++++ b/usr/Makefile
+@@ -15,6 +15,7 @@ compress-$(CONFIG_INITRAMFS_COMPRESSION_LZMA) := lzma
+ compress-$(CONFIG_INITRAMFS_COMPRESSION_XZ) := xzmisc
+ compress-$(CONFIG_INITRAMFS_COMPRESSION_LZO) := lzo
+ compress-$(CONFIG_INITRAMFS_COMPRESSION_LZ4) := lz4
++compress-$(CONFIG_INITRAMFS_COMPRESSION_ZSTD) := zstd
+
+ obj-$(CONFIG_BLK_DEV_INITRD) := initramfs_data.o
+
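Review bot: `RD_ZSTD` in usr/Kconfig is `default y`, but its help ends with "If unsure, say N.", so the default and the advice contradict each other. The sentence appears to be carried over from the `RD_LZ4` entry just above. The option selects `DECOMPRESS_ZSTD`, i.e. one more parser for the initramfs image at boot, so the text should say which choice is intended: either drop `default y` or change the last help line to `If unsure, say Y.`.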
diff --git a/sys-kernel/boest-v5.7.12/0020-5.7-5005_ZSTD-v5-6-8-bump-ZO-z-extra-bytes-margin.pa.patch b/sys-kernel/boest-v5.7.12/0020-5.7-5005_ZSTD-v5-6-8-bump-ZO-z-extra-bytes-margin.pa.patch
new file mode 100644
index 00000000..9ab68142
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0020-5.7-5005_ZSTD-v5-6-8-bump-ZO-z-extra-bytes-margin.pa.patch
@@ -0,0 +1,29 @@
+From 78b95ddec0f43b745e9ac213d2b95da7288322dd Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5005_ZSTD-v5-6-8-bump-ZO-z-extra-bytes-margin.patch
+
+---
+ arch/x86/boot/header.S | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
+index 735ad7f21ab0..6dbd7e9f74c9 100644
+--- a/arch/x86/boot/header.S
++++ b/arch/x86/boot/header.S
+@@ -539,8 +539,14 @@ pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
+ # the size-dependent part now grows so fast.
+ #
+ # extra_bytes = (uncompressed_size >> 8) + 65536
++#
++# ZSTD compressed data grows by at most 3 bytes per 128K, and only has a 22
++# byte fixed overhead but has a maximum block size of 128K, so it needs a
++# larger margin.
++#
++# extra_bytes = (uncompressed_size >> 8) + 131072
+
+-#define ZO_z_extra_bytes ((ZO_z_output_len >> 8) + 65536)
++#define ZO_z_extra_bytes ((ZO_z_output_len >> 8) + 131072)
+ #if ZO_z_output_len > ZO_z_input_len
+ # define ZO_z_extract_offset (ZO_z_output_len + ZO_z_extra_bytes - \
+ ZO_z_input_len)
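Review bot: The comment above `ZO_z_extra_bytes` in arch/x86/boot/header.S now carries two `extra_bytes =` formulas, the old `+ 65536` and the new `+ 131072`, and does not say which one applies when ZSTD is not the selected compressor. The define itself is changed unconditionally, so every compressor gets the 131072 margin. That is the conservative direction for in-place decompression, where too small a margin would let output overwrite compressed input that has not been read yet, but the comment should state it. I would add `# The larger 131072 margin is applied to every compressor, not only ZSTD.` directly above the define. The comment block starts outside this hunk, so the earlier derivation cannot be checked from here.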
diff --git a/sys-kernel/boest-v5.7.12/0021-5.7-5006_ZSTD-v5-7-8-support-for-ZSTD-compressed-ker.patch b/sys-kernel/boest-v5.7.12/0021-5.7-5006_ZSTD-v5-7-8-support-for-ZSTD-compressed-ker.patch
new file mode 100644
index 00000000..c0bf0606
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0021-5.7-5006_ZSTD-v5-7-8-support-for-ZSTD-compressed-ker.patch
@@ -0,0 +1,105 @@
+From 2c115090f865bcbb024033ddc6e26180a3af2b54 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH] 5.7:5006_ZSTD-v5-7-8-support-for-ZSTD-compressed-kernel.patch
+
+---
+ Documentation/x86/boot.rst | 6 +++---
+ arch/x86/Kconfig | 1 +
+ arch/x86/boot/compressed/Makefile | 5 ++++-
+ arch/x86/boot/compressed/misc.c | 4 ++++
+ arch/x86/include/asm/boot.h | 6 ++++--
+ 5 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/x86/boot.rst b/Documentation/x86/boot.rst
+index 5325c71ca877..7fafc7ac00d7 100644
+--- a/Documentation/x86/boot.rst
++++ b/Documentation/x86/boot.rst
+@@ -782,9 +782,9 @@ Protocol: 2.08+
+ uncompressed data should be determined using the standard magic
+ numbers. The currently supported compression formats are gzip
+ (magic numbers 1F 8B or 1F 9E), bzip2 (magic number 42 5A), LZMA
+- (magic number 5D 00), XZ (magic number FD 37), and LZ4 (magic number
+- 02 21). The uncompressed payload is currently always ELF (magic
+- number 7F 45 4C 46).
++ (magic number 5D 00), XZ (magic number FD 37), LZ4 (magic number
++ 02 21) and ZSTD (magic number 28 B5). The uncompressed payload is
++ currently always ELF (magic number 7F 45 4C 46).
+
+ ============ ==============
+ Field name: payload_length
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 2d3f963fd6f1..897b3253147b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -185,6 +185,7 @@ config X86
+ select HAVE_KERNEL_LZMA
+ select HAVE_KERNEL_LZO
+ select HAVE_KERNEL_XZ
++ select HAVE_KERNEL_ZSTD
+ select HAVE_KPROBES
+ select HAVE_KPROBES_ON_FTRACE
+ select HAVE_FUNCTION_ERROR_INJECTION
+diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
+index 20aac9968315..3ca979473ae9 100644
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -24,7 +24,7 @@ OBJECT_FILES_NON_STANDARD := y
+ KCOV_INSTRUMENT := n
+
+ targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \
+- vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4
++ vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4 vmlinux.bin.zst
+
+ KBUILD_CFLAGS := -m$(BITS) -O2
+ KBUILD_CFLAGS += -fno-strict-aliasing $(call cc-option, -fPIE, -fPIC)
+@@ -143,6 +143,8 @@ $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE
+ $(call if_changed,lzo)
+ $(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE
+ $(call if_changed,lz4)
++$(obj)/vmlinux.bin.zst: $(vmlinux.bin.all-y) FORCE
++ $(call if_changed,zstd)
+
+ suffix-$(CONFIG_KERNEL_GZIP) := gz
+ suffix-$(CONFIG_KERNEL_BZIP2) := bz2
+@@ -150,6 +152,7 @@ suffix-$(CONFIG_KERNEL_LZMA) := lzma
+ suffix-$(CONFIG_KERNEL_XZ) := xz
+ suffix-$(CONFIG_KERNEL_LZO) := lzo
+ suffix-$(CONFIG_KERNEL_LZ4) := lz4
++suffix-$(CONFIG_KERNEL_ZSTD) := zst
+
+ quiet_cmd_mkpiggy = MKPIGGY $@
+ cmd_mkpiggy = $(obj)/mkpiggy $< > $@
+diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
+index 9652d5c2afda..39e592d0e0b4 100644
+--- a/arch/x86/boot/compressed/misc.c
++++ b/arch/x86/boot/compressed/misc.c
+@@ -77,6 +77,10 @@ static int lines, cols;
+ #ifdef CONFIG_KERNEL_LZ4
+ #include "../../../../lib/decompress_unlz4.c"
+ #endif
++
++#ifdef CONFIG_KERNEL_ZSTD
++#include "../../../../lib/decompress_unzstd.c"
++#endif
+ /*
+ * NOTE: When adding a new decompressor, please update the analysis in
+ * ../header.S.
+diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
+index 680c320363db..d6dd43d25d9f 100644
+--- a/arch/x86/include/asm/boot.h
++++ b/arch/x86/include/asm/boot.h
+@@ -24,9 +24,11 @@
+ # error "Invalid value for CONFIG_PHYSICAL_ALIGN"
+ #endif
+
+-#ifdef CONFIG_KERNEL_BZIP2
++#if defined(CONFIG_KERNEL_BZIP2)
+ # define BOOT_HEAP_SIZE 0x400000
+-#else /* !CONFIG_KERNEL_BZIP2 */
++#elif defined(CONFIG_KERNEL_ZSTD)
++# define BOOT_HEAP_SIZE 0x30000
++#else
+ # define BOOT_HEAP_SIZE 0x10000
+ #endif
+
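Review bot: `# define BOOT_HEAP_SIZE 0x30000` for `CONFIG_KERNEL_ZSTD` in arch/x86/include/asm/boot.h is a bare constant with nothing tying it to what the ZSTD decompressor actually allocates. The value (192 KiB) presumably matches the workspace needed by `lib/decompress_unzstd.c`, which misc.c includes in this same patch but whose body is not shown here. If that requirement grows, or the image is compressed with parameters that need more memory, the mismatch would most likely surface only as a decompression failure at boot. I would add a comment on the define such as `/* must cover the ZSTD workspace allocated by lib/decompress_unzstd.c */`, and ideally a build-time check in the decompressor against `BOOT_HEAP_SIZE`.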
diff --git a/sys-kernel/boest-v5.7.12/0022-5.7-5007_ZSTD-v5-8-8-gitignore-add-ZSTD-compressed-f.patch b/sys-kernel/boest-v5.7.12/0022-5.7-5007_ZSTD-v5-8-8-gitignore-add-ZSTD-compressed-f.patch
new file mode 100644
index 00000000..592dcd86
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0022-5.7-5007_ZSTD-v5-8-8-gitignore-add-ZSTD-compressed-f.patch
@@ -0,0 +1,22 @@
+From af8863c9ffe927d979c5d90d324344e15b69a24e Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 4 May 2020 16:58:59 -0400
+Subject: [PATCH]
+ 5.7:5007_ZSTD-v5-8-8-gitignore-add-ZSTD-compressed-files.patch
+
+---
+ .gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/.gitignore b/.gitignore
+index 2258e906f01c..23871de69072 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -44,6 +44,7 @@
+ *.tab.[ch]
+ *.tar
+ *.xz
++*.zst
+ Module.symvers
+ modules.builtin
+ modules.order
diff --git a/sys-kernel/boest-v5.7.12/0023-WARNING.patch b/sys-kernel/boest-v5.7.12/0023-WARNING.patch
new file mode 100644
index 00000000..a0dfd81c
--- /dev/null
+++ b/sys-kernel/boest-v5.7.12/0023-WARNING.patch
@@ -0,0 +1,661 @@
+From 7d07a696f554020eea5781d23652bd20810dbcff Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 29 Jun 2020 13:31:54 -0400
+Subject: [PATCH] WARNING This patch works with gcc versions 9.1+ and with
+ kernel version 5.7+ and should NOT be applied when compiling on older
+ versions of gcc due to key name changes of the march flags introduced with
+ the version 4.9 release of gcc.[1]
+
+Use the older version of this patch hosted on the same github for older
+versions of gcc.
+
+FEATURES
+This patch adds additional CPU options to the Linux kernel accessible under:
+ Processor type and features --->
+ Processor family --->
+
+The expanded microarchitectures include:
+* AMD Improved K8-family
+* AMD K10-family
+* AMD Family 10h (Barcelona)
+* AMD Family 14h (Bobcat)
+* AMD Family 16h (Jaguar)
+* AMD Family 15h (Bulldozer)
+* AMD Family 15h (Piledriver)
+* AMD Family 15h (Steamroller)
+* AMD Family 15h (Excavator)
+* AMD Family 17h (Zen)
+* AMD Family 17h (Zen 2)
+* Intel Silvermont low-power processors
+* Intel Goldmont low-power processors (Apollo Lake and Denverton)
+* Intel Goldmont Plus low-power processors (Gemini Lake)
+* Intel 1st Gen Core i3/i5/i7 (Nehalem)
+* Intel 1.5 Gen Core i3/i5/i7 (Westmere)
+* Intel 2nd Gen Core i3/i5/i7 (Sandybridge)
+* Intel 3rd Gen Core i3/i5/i7 (Ivybridge)
+* Intel 4th Gen Core i3/i5/i7 (Haswell)
+* Intel 5th Gen Core i3/i5/i7 (Broadwell)
+* Intel 6th Gen Core i3/i5/i7 (Skylake)
+* Intel 6th Gen Core i7/i9 (Skylake X)
+* Intel 8th Gen Core i3/i5/i7 (Cannon Lake)
+* Intel 10th Gen Core i7/i9 (Ice Lake)
+* Intel Xeon (Cascade Lake)
+
+It also offers to compile passing the 'native' option which, "selects the CPU
+to generate code for at compilation time by determining the processor type of
+the compiling machine. Using -march=native enables all instruction subsets
+supported by the local machine and will produce code optimized for the local
+machine under the constraints of the selected instruction set."[2]
+
+Do NOT try using the 'native' option on AMD Piledriver, Steamroller, or
+Excavator CPUs (-march=bdver{2,3,4} flag). The build will error out due the
+kernel's objtool issue with these.[3a,b]
+
+MINOR NOTES
+This patch also changes 'atom' to 'bonnell' in accordance with the gcc v4.9
+changes. Note that upstream is using the deprecated 'match=atom' flags when I
+believe it should use the newer 'march=bonnell' flag for atom processors.[4]
+
+It is not recommended to compile on Atom-CPUs with the 'native' option.[5] The
+recommendation is to use the 'atom' option instead.
+
+BENEFITS
+Small but real speed increases are measurable using a make endpoint comparing
+a generic kernel to one built with one of the respective microarchs.
+
+See the following experimental evidence supporting this statement:
+https://github.com/graysky2/kernel_gcc_patch
+
+REQUIREMENTS
+linux version >=5.7
+gcc version >=9.1 and <10
+
+ACKNOWLEDGMENTS
+This patch builds on the seminal work by Jeroen.[6]
+
+REFERENCES
+1. https://gcc.gnu.org/gcc-4.9/changes.html
+2. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html
+3a. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95671#c11
+3b. https://github.com/graysky2/kernel_gcc_patch/issues/55
+4. https://bugzilla.kernel.org/show_bug.cgi?id=77461
+5. https://github.com/graysky2/kernel_gcc_patch/issues/15
+6. http://www.linuxforge.net/docs/linux/linux-gcc.php
+---
+ arch/x86/Kconfig.cpu | 287 ++++++++++++++++++++++++++++----
+ arch/x86/Makefile | 49 +++++-
+ arch/x86/Makefile_32.cpu | 30 +++-
+ arch/x86/include/asm/vermagic.h | 52 ++++++
+ 4 files changed, 381 insertions(+), 37 deletions(-)
+
+diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
+index bc3a497c029c..997e50da4303 100644
+--- a/arch/x86/Kconfig.cpu
++++ b/arch/x86/Kconfig.cpu
+@@ -123,6 +123,7 @@ config MPENTIUMM
+ config MPENTIUM4
+ bool "Pentium-4/Celeron(P4-based)/Pentium-4 M/older Xeon"
+ depends on X86_32
++ select X86_P6_NOP
+ ---help---
+ Select this for Intel Pentium 4 chips. This includes the
+ Pentium 4, Pentium D, P4-based Celeron and Xeon, and
+@@ -155,9 +156,8 @@ config MPENTIUM4
+ -Paxville
+ -Dempsey
+
+-
+ config MK6
+- bool "K6/K6-II/K6-III"
++ bool "AMD K6/K6-II/K6-III"
+ depends on X86_32
+ ---help---
+ Select this for an AMD K6-family processor. Enables use of
+@@ -165,7 +165,7 @@ config MK6
+ flags to GCC.
+
+ config MK7
+- bool "Athlon/Duron/K7"
++ bool "AMD Athlon/Duron/K7"
+ depends on X86_32
+ ---help---
+ Select this for an AMD Athlon K7-family processor. Enables use of
+@@ -173,12 +173,90 @@ config MK7
+ flags to GCC.
+
+ config MK8
+- bool "Opteron/Athlon64/Hammer/K8"
++ bool "AMD Opteron/Athlon64/Hammer/K8"
+ ---help---
+ Select this for an AMD Opteron or Athlon64 Hammer-family processor.
+ Enables use of some extended instructions, and passes appropriate
+ optimization flags to GCC.
+
++config MK8SSE3
++ bool "AMD Opteron/Athlon64/Hammer/K8 with SSE3"
++ ---help---
++ Select this for improved AMD Opteron or Athlon64 Hammer-family processors.
++ Enables use of some extended instructions, and passes appropriate
++ optimization flags to GCC.
++
++config MK10
++ bool "AMD 61xx/7x50/PhenomX3/X4/II/K10"
++ ---help---
++ Select this for an AMD 61xx Eight-Core Magny-Cours, Athlon X2 7x50,
++ Phenom X3/X4/II, Athlon II X2/X3/X4, or Turion II-family processor.
++ Enables use of some extended instructions, and passes appropriate
++ optimization flags to GCC.
++
++config MBARCELONA
++ bool "AMD Barcelona"
++ ---help---
++ Select this for AMD Family 10h Barcelona processors.
++
++ Enables -march=barcelona
++
++config MBOBCAT
++ bool "AMD Bobcat"
++ ---help---
++ Select this for AMD Family 14h Bobcat processors.
++
++ Enables -march=btver1
++
++config MJAGUAR
++ bool "AMD Jaguar"
++ ---help---
++ Select this for AMD Family 16h Jaguar processors.
++
++ Enables -march=btver2
++
++config MBULLDOZER
++ bool "AMD Bulldozer"
++ ---help---
++ Select this for AMD Family 15h Bulldozer processors.
++
++ Enables -march=bdver1
++
++config MPILEDRIVER
++ bool "AMD Piledriver"
++ ---help---
++ Select this for AMD Family 15h Piledriver processors.
++
++ Enables -march=bdver2
++
++config MSTEAMROLLER
++ bool "AMD Steamroller"
++ ---help---
++ Select this for AMD Family 15h Steamroller processors.
++
++ Enables -march=bdver3
++
++config MEXCAVATOR
++ bool "AMD Excavator"
++ ---help---
++ Select this for AMD Family 15h Excavator processors.
++
++ Enables -march=bdver4
++
++config MZEN
++ bool "AMD Zen"
++ ---help---
++ Select this for AMD Family 17h Zen processors.
++
++ Enables -march=znver1
++
++config MZEN2
++ bool "AMD Zen 2"
++ ---help---
++ Select this for AMD Family 17h Zen 2 processors.
++
++ Enables -march=znver2
++
+ config MCRUSOE
+ bool "Crusoe"
+ depends on X86_32
+@@ -260,6 +338,7 @@ config MVIAC7
+
+ config MPSC
+ bool "Intel P4 / older Netburst based Xeon"
++ select X86_P6_NOP
+ depends on X86_64
+ ---help---
+ Optimize for Intel Pentium 4, Pentium D and older Nocona/Dempsey
+@@ -269,17 +348,9 @@ config MPSC
+ using the cpu family field
+ in /proc/cpuinfo. Family 15 is an older Xeon, Family 6 a newer one.
+
+-config MCORE2
+- bool "Core 2/newer Xeon"
+- ---help---
+-
+- Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
+- 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
+- family in /proc/cpuinfo. Newer ones have 6 and older ones 15
+- (not a typo)
+-
+ config MATOM
+ bool "Intel Atom"
++ select X86_P6_NOP
+ ---help---
+
+ Select this for the Intel Atom platform. Intel Atom CPUs have an
+@@ -287,6 +358,144 @@ config MATOM
+ accordingly optimized code. Use a recent GCC with specific Atom
+ support in order to fully benefit from selecting this option.
+
++config MCORE2
++ bool "Intel Core 2"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
++ 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
++ family in /proc/cpuinfo. Newer ones have 6 and older ones 15
++ (not a typo)
++
++ Enables -march=core2
++
++config MNEHALEM
++ bool "Intel Nehalem"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 1st Gen Core processors in the Nehalem family.
++
++ Enables -march=nehalem
++
++config MWESTMERE
++ bool "Intel Westmere"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Westmere formerly Nehalem-C family.
++
++ Enables -march=westmere
++
++config MSILVERMONT
++ bool "Intel Silvermont"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Silvermont platform.
++
++ Enables -march=silvermont
++
++config MGOLDMONT
++ bool "Intel Goldmont"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Goldmont platform including Apollo Lake and Denverton.
++
++ Enables -march=goldmont
++
++config MGOLDMONTPLUS
++ bool "Intel Goldmont Plus"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Goldmont Plus platform including Gemini Lake.
++
++ Enables -march=goldmont-plus
++
++config MSANDYBRIDGE
++ bool "Intel Sandy Bridge"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 2nd Gen Core processors in the Sandy Bridge family.
++
++ Enables -march=sandybridge
++
++config MIVYBRIDGE
++ bool "Intel Ivy Bridge"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 3rd Gen Core processors in the Ivy Bridge family.
++
++ Enables -march=ivybridge
++
++config MHASWELL
++ bool "Intel Haswell"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 4th Gen Core processors in the Haswell family.
++
++ Enables -march=haswell
++
++config MBROADWELL
++ bool "Intel Broadwell"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 5th Gen Core processors in the Broadwell family.
++
++ Enables -march=broadwell
++
++config MSKYLAKE
++ bool "Intel Skylake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 6th Gen Core processors in the Skylake family.
++
++ Enables -march=skylake
++
++config MSKYLAKEX
++ bool "Intel Skylake X"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 6th Gen Core processors in the Skylake X family.
++
++ Enables -march=skylake-avx512
++
++config MCANNONLAKE
++ bool "Intel Cannon Lake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 8th Gen Core processors
++
++ Enables -march=cannonlake
++
++config MICELAKE
++ bool "Intel Ice Lake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 10th Gen Core processors in the Ice Lake family.
++
++ Enables -march=icelake-client
++
++config MCASCADELAKE
++ bool "Intel Cascade Lake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for Xeon processors in the Cascade Lake family.
++
++ Enables -march=cascadelake
++
+ config GENERIC_CPU
+ bool "Generic-x86-64"
+ depends on X86_64
+@@ -294,6 +503,19 @@ config GENERIC_CPU
+ Generic x86-64 CPU.
+ Run equally well on all x86-64 CPUs.
+
++config MNATIVE
++ bool "Native optimizations autodetected by GCC"
++ ---help---
++
++ GCC 4.2 and above support -march=native, which automatically detects
++ the optimum settings to use based on your processor. -march=native
++ also detects and applies additional settings beyond -march specific
++ to your CPU, (eg. -msse4). Unless you have a specific reason not to
++ (e.g. distcc cross-compiling), you should probably be using
++ -march=native rather than anything listed below.
++
++ Enables -march=native
++
+ endchoice
+
+ config X86_GENERIC
+@@ -318,7 +540,7 @@ config X86_INTERNODE_CACHE_SHIFT
+ config X86_L1_CACHE_SHIFT
+ int
+ default "7" if MPENTIUM4 || MPSC
+- default "6" if MK7 || MK8 || MPENTIUMM || MCORE2 || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
++ default "6" if MK7 || MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MZEN2 || MJAGUAR || MPENTIUMM || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MNATIVE || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
+ default "4" if MELAN || M486SX || M486 || MGEODEGX1
+ default "5" if MWINCHIP3D || MWINCHIPC6 || MCRUSOE || MEFFICEON || MCYRIXIII || MK6 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || MVIAC3_2 || MGEODE_LX
+
+@@ -336,35 +558,36 @@ config X86_ALIGNMENT_16
+
+ config X86_INTEL_USERCOPY
+ def_bool y
+- depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK7 || MEFFICEON || MCORE2
++ depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK8SSE3 || MK7 || MEFFICEON || MCORE2 || MK10 || MBARCELONA || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MNATIVE
+
+ config X86_USE_PPRO_CHECKSUM
+ def_bool y
+- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MATOM
++ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MK10 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MATOM || MNATIVE
+
+ config X86_USE_3DNOW
+ def_bool y
+ depends on (MCYRIXIII || MK7 || MGEODE_LX) && !UML
+
+-#
+-# P6_NOPs are a relatively minor optimization that require a family >=
+-# 6 processor, except that it is broken on certain VIA chips.
+-# Furthermore, AMD chips prefer a totally different sequence of NOPs
+-# (which work on all CPUs). In addition, it looks like Virtual PC
+-# does not understand them.
+-#
+-# As a result, disallow these if we're not compiling for X86_64 (these
+-# NOPs do work on all x86-64 capable chips); the list of processors in
+-# the right-hand clause are the cores that benefit from this optimization.
+-#
+ config X86_P6_NOP
+- def_bool y
+- depends on X86_64
+- depends on (MCORE2 || MPENTIUM4 || MPSC)
++ default n
++ bool "Support for P6_NOPs on Intel chips"
++ depends on (MCORE2 || MPENTIUM4 || MPSC || MATOM || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MNATIVE)
++ ---help---
++ P6_NOPs are a relatively minor optimization that require a family >=
++ 6 processor, except that it is broken on certain VIA chips.
++ Furthermore, AMD chips prefer a totally different sequence of NOPs
++ (which work on all CPUs). In addition, it looks like Virtual PC
++ does not understand them.
++
++ As a result, disallow these if we're not compiling for X86_64 (these
++ NOPs do work on all x86-64 capable chips); the list of processors in
++ the right-hand clause are the cores that benefit from this optimization.
++
++ Say Y if you have Intel CPU newer than Pentium Pro, N otherwise.
+
+ config X86_TSC
+ def_bool y
+- depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MATOM) || X86_64
++ depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MNATIVE || MATOM) || X86_64
+
+ config X86_CMPXCHG64
+ def_bool y
+@@ -374,7 +597,7 @@ config X86_CMPXCHG64
+ # generates cmov.
+ config X86_CMOV
+ def_bool y
+- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
++ depends on (MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MZEN2 || MJAGUAR || MK7 || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MGOLDMONT || MGOLDMONTPLUS || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MCASCADELAKE || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MNATIVE || MATOM || MGEODE_LX)
+
+ config X86_MINIMUM_CPU_FAMILY
+ int
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index b65ec63c7db7..b537b2564ef8 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -119,13 +119,56 @@ else
+ KBUILD_CFLAGS += $(call cc-option,-mskip-rax-setup)
+
+ # FIXME - should be integrated in Makefile.cpu (Makefile_32.cpu)
++ cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
+ cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8)
++ cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-mtune=k8)
++ cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10)
++ cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona)
++ cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1)
++ cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2)
++ cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1)
++ cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2)
++ cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-mno-tbm)
++ cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3)
++ cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-mno-tbm)
++ cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4)
++ cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-mno-tbm)
++ cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1)
++ cflags-$(CONFIG_MZEN2) += $(call cc-option,-march=znver2)
+ cflags-$(CONFIG_MPSC) += $(call cc-option,-march=nocona)
+
+ cflags-$(CONFIG_MCORE2) += \
+- $(call cc-option,-march=core2,$(call cc-option,-mtune=generic))
+- cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom) \
+- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
++ $(call cc-option,-march=core2,$(call cc-option,-mtune=core2))
++ cflags-$(CONFIG_MNEHALEM) += \
++ $(call cc-option,-march=nehalem,$(call cc-option,-mtune=nehalem))
++ cflags-$(CONFIG_MWESTMERE) += \
++ $(call cc-option,-march=westmere,$(call cc-option,-mtune=westmere))
++ cflags-$(CONFIG_MSILVERMONT) += \
++ $(call cc-option,-march=silvermont,$(call cc-option,-mtune=silvermont))
++ cflags-$(CONFIG_MGOLDMONT) += \
++ $(call cc-option,-march=goldmont,$(call cc-option,-mtune=goldmont))
++ cflags-$(CONFIG_MGOLDMONTPLUS) += \
++ $(call cc-option,-march=goldmont-plus,$(call cc-option,-mtune=goldmont-plus))
++ cflags-$(CONFIG_MSANDYBRIDGE) += \
++ $(call cc-option,-march=sandybridge,$(call cc-option,-mtune=sandybridge))
++ cflags-$(CONFIG_MIVYBRIDGE) += \
++ $(call cc-option,-march=ivybridge,$(call cc-option,-mtune=ivybridge))
++ cflags-$(CONFIG_MHASWELL) += \
++ $(call cc-option,-march=haswell,$(call cc-option,-mtune=haswell))
++ cflags-$(CONFIG_MBROADWELL) += \
++ $(call cc-option,-march=broadwell,$(call cc-option,-mtune=broadwell))
++ cflags-$(CONFIG_MSKYLAKE) += \
++ $(call cc-option,-march=skylake,$(call cc-option,-mtune=skylake))
++ cflags-$(CONFIG_MSKYLAKEX) += \
++ $(call cc-option,-march=skylake-avx512,$(call cc-option,-mtune=skylake-avx512))
++ cflags-$(CONFIG_MCANNONLAKE) += \
++ $(call cc-option,-march=cannonlake,$(call cc-option,-mtune=cannonlake))
++ cflags-$(CONFIG_MICELAKE) += \
++ $(call cc-option,-march=icelake-client,$(call cc-option,-mtune=icelake-client))
++ cflags-$(CONFIG_MCASCADELAKE) += \
++ $(call cc-option,-march=cascadelake,$(call cc-option,-mtune=cascadelake))
++ cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell) \
++ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
+ cflags-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=generic)
+ KBUILD_CFLAGS += $(cflags-y)
+
+diff --git a/arch/x86/Makefile_32.cpu b/arch/x86/Makefile_32.cpu
+index cd3056759880..2c81838df533 100644
+--- a/arch/x86/Makefile_32.cpu
++++ b/arch/x86/Makefile_32.cpu
+@@ -24,7 +24,19 @@ cflags-$(CONFIG_MK6) += -march=k6
+ # Please note, that patches that add -march=athlon-xp and friends are pointless.
+ # They make zero difference whatsosever to performance at this time.
+ cflags-$(CONFIG_MK7) += -march=athlon
++cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
+ cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8,-march=athlon)
++cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-march=athlon)
++cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10,-march=athlon)
++cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona,-march=athlon)
++cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1,-march=athlon)
++cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2,-march=athlon)
++cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1,-march=athlon)
++cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2,-march=athlon)
++cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3,-march=athlon)
++cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4,-march=athlon)
++cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1,-march=athlon)
++cflags-$(CONFIG_MZEN2) += $(call cc-option,-march=znver2,-march=athlon)
+ cflags-$(CONFIG_MCRUSOE) += -march=i686 -falign-functions=0 -falign-jumps=0 -falign-loops=0
+ cflags-$(CONFIG_MEFFICEON) += -march=i686 $(call tune,pentium3) -falign-functions=0 -falign-jumps=0 -falign-loops=0
+ cflags-$(CONFIG_MWINCHIPC6) += $(call cc-option,-march=winchip-c6,-march=i586)
+@@ -33,8 +45,22 @@ cflags-$(CONFIG_MCYRIXIII) += $(call cc-option,-march=c3,-march=i486) -falign-fu
+ cflags-$(CONFIG_MVIAC3_2) += $(call cc-option,-march=c3-2,-march=i686)
+ cflags-$(CONFIG_MVIAC7) += -march=i686
+ cflags-$(CONFIG_MCORE2) += -march=i686 $(call tune,core2)
+-cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom,$(call cc-option,-march=core2,-march=i686)) \
+- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
++cflags-$(CONFIG_MNEHALEM) += -march=i686 $(call tune,nehalem)
++cflags-$(CONFIG_MWESTMERE) += -march=i686 $(call tune,westmere)
++cflags-$(CONFIG_MSILVERMONT) += -march=i686 $(call tune,silvermont)
++cflags-$(CONFIG_MGOLDMONT) += -march=i686 $(call tune,goldmont)
++cflags-$(CONFIG_MGOLDMONTPLUS) += -march=i686 $(call tune,goldmont-plus)
++cflags-$(CONFIG_MSANDYBRIDGE) += -march=i686 $(call tune,sandybridge)
++cflags-$(CONFIG_MIVYBRIDGE) += -march=i686 $(call tune,ivybridge)
++cflags-$(CONFIG_MHASWELL) += -march=i686 $(call tune,haswell)
++cflags-$(CONFIG_MBROADWELL) += -march=i686 $(call tune,broadwell)
++cflags-$(CONFIG_MSKYLAKE) += -march=i686 $(call tune,skylake)
++cflags-$(CONFIG_MSKYLAKEX) += -march=i686 $(call tune,skylake-avx512)
++cflags-$(CONFIG_MCANNONLAKE) += -march=i686 $(call tune,cannonlake)
++cflags-$(CONFIG_MICELAKE) += -march=i686 $(call tune,icelake-client)
++cflags-$(CONFIG_MCASCADELAKE) += -march=i686 $(call tune,cascadelake)
++cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell,$(call cc-option,-march=core2,-march=i686)) \
++ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
+
+ # AMD Elan support
+ cflags-$(CONFIG_MELAN) += -march=i486
+diff --git a/arch/x86/include/asm/vermagic.h b/arch/x86/include/asm/vermagic.h
+index 75884d2cdec3..0cf864d2d110 100644
+--- a/arch/x86/include/asm/vermagic.h
++++ b/arch/x86/include/asm/vermagic.h
+@@ -17,6 +17,36 @@
+ #define MODULE_PROC_FAMILY "586MMX "
+ #elif defined CONFIG_MCORE2
+ #define MODULE_PROC_FAMILY "CORE2 "
++#elif defined CONFIG_MNATIVE
++#define MODULE_PROC_FAMILY "NATIVE "
++#elif defined CONFIG_MNEHALEM
++#define MODULE_PROC_FAMILY "NEHALEM "
++#elif defined CONFIG_MWESTMERE
++#define MODULE_PROC_FAMILY "WESTMERE "
++#elif defined CONFIG_MSILVERMONT
++#define MODULE_PROC_FAMILY "SILVERMONT "
++#elif defined CONFIG_MGOLDMONT
++#define MODULE_PROC_FAMILY "GOLDMONT "
++#elif defined CONFIG_MGOLDMONTPLUS
++#define MODULE_PROC_FAMILY "GOLDMONTPLUS "
++#elif defined CONFIG_MSANDYBRIDGE
++#define MODULE_PROC_FAMILY "SANDYBRIDGE "
++#elif defined CONFIG_MIVYBRIDGE
++#define MODULE_PROC_FAMILY "IVYBRIDGE "
++#elif defined CONFIG_MHASWELL
++#define MODULE_PROC_FAMILY "HASWELL "
++#elif defined CONFIG_MBROADWELL
++#define MODULE_PROC_FAMILY "BROADWELL "
++#elif defined CONFIG_MSKYLAKE
++#define MODULE_PROC_FAMILY "SKYLAKE "
++#elif defined CONFIG_MSKYLAKEX
++#define MODULE_PROC_FAMILY "SKYLAKEX "
++#elif defined CONFIG_MCANNONLAKE
++#define MODULE_PROC_FAMILY "CANNONLAKE "
++#elif defined CONFIG_MICELAKE
++#define MODULE_PROC_FAMILY "ICELAKE "
++#elif defined CONFIG_MCASCADELAKE
++#define MODULE_PROC_FAMILY "CASCADELAKE "
+ #elif defined CONFIG_MATOM
+ #define MODULE_PROC_FAMILY "ATOM "
+ #elif defined CONFIG_M686
+@@ -35,6 +65,28 @@
+ #define MODULE_PROC_FAMILY "K7 "
+ #elif defined CONFIG_MK8
+ #define MODULE_PROC_FAMILY "K8 "
++#elif defined CONFIG_MK8SSE3
++#define MODULE_PROC_FAMILY "K8SSE3 "
++#elif defined CONFIG_MK10
++#define MODULE_PROC_FAMILY "K10 "
++#elif defined CONFIG_MBARCELONA
++#define MODULE_PROC_FAMILY "BARCELONA "
++#elif defined CONFIG_MBOBCAT
++#define MODULE_PROC_FAMILY "BOBCAT "
++#elif defined CONFIG_MBULLDOZER
++#define MODULE_PROC_FAMILY "BULLDOZER "
++#elif defined CONFIG_MPILEDRIVER
++#define MODULE_PROC_FAMILY "PILEDRIVER "
++#elif defined CONFIG_MSTEAMROLLER
++#define MODULE_PROC_FAMILY "STEAMROLLER "
++#elif defined CONFIG_MJAGUAR
++#define MODULE_PROC_FAMILY "JAGUAR "
++#elif defined CONFIG_MEXCAVATOR
++#define MODULE_PROC_FAMILY "EXCAVATOR "
++#elif defined CONFIG_MZEN
++#define MODULE_PROC_FAMILY "ZEN "
++#elif defined CONFIG_MZEN2
++#define MODULE_PROC_FAMILY "ZEN2 "
+ #elif defined CONFIG_MELAN
+ #define MODULE_PROC_FAMILY "ELAN "
+ #elif defined CONFIG_MCRUSOE
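Review bot: In the arch/x86/Kconfig.cpu part of this patch, `X86_P6_NOP` loses its `depends on X86_64` line while `select X86_P6_NOP` is added to MPENTIUM4 (which `depends on X86_32`), MATOM, MCORE2 and the new Intel entries. A 32-bit build for those CPU types therefore gets P6 NOPs forced on. The help text moved into the option still says they are disallowed outside X86_64 because of certain VIA chips and Virtual PC. Because `select` overrides both `default n` and the prompt, the "Say Y ... N otherwise" choice is not actually offered for these CPU types. I would write the selects as `select X86_P6_NOP if X86_64`, or keep the original `def_bool y` with `depends on X86_64`, so the configuration matches its own help text; the Kconfig.cpu hunks sit earlier in this patch file than this anchor.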
diff --git a/sys-kernel/stable-sources-5.7.12 b/sys-kernel/stable-sources-5.7.12
new file mode 120000
index 00000000..ef5da50b
--- /dev/null
+++ b/sys-kernel/stable-sources-5.7.12
@@ -0,0 +1 @@
+boest-v5.7.12 \ No newline at end of file