Merge branch 'akpm' (patches from Andrew)

Merge fourth set of updates from Andrew Morton:

 - the rest of lib/

 - checkpatch updates

 - a few misc things

 - kasan: kernel address sanitizer

 - the rtc tree

* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (108 commits)
  ARM: mvebu: enable Armada 38x RTC driver in mvebu_v7_defconfig
  ARM: mvebu: add Device Tree description of RTC on Armada 38x
  MAINTAINERS: add the RTC driver for the Armada38x
  drivers/rtc/rtc-armada38x: add a new RTC driver for recent mvebu SoCs
  rtc: armada38x: add the device tree binding documentation
  rtc: rtc-ab-b5ze-s3: add sub-minute alarm support
  rtc: add support for Abracon AB-RTCMC-32.768kHz-B5ZE-S3 I2C RTC chip
  of: add vendor prefix for Abracon Corporation
  drivers/rtc/rtc-rk808.c: fix rtc time reading issue
  drivers/rtc/rtc-isl12057.c: constify struct regmap_config
  drivers/rtc/rtc-at91sam9.c: constify struct regmap_config
  drivers/rtc/rtc-imxdi.c: add more known register bits
  drivers/rtc/rtc-imxdi.c: trivial clean up code
  ARM: mvebu: ISL12057 rtc chip can now wake up RN102, RN102 and RN2120
  rtc: rtc-isl12057: add isil,irq2-can-wakeup-machine property for in-tree users
  drivers/rtc/rtc-isl12057.c: add alarm support to Intersil ISL12057 RTC driver
  drivers/rtc/rtc-pcf2123.c: add support for devicetree
  kprobes: makes kprobes/enabled works correctly for optimized kprobes.
  kprobes: set kprobes_all_disarmed earlier to enable re-optimization.
  init: remove CONFIG_INIT_FALLBACK
  ...

10 files changed, 470 insertions, 180 deletions

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 79a9bb67aeaf..ecb3516f6546 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -651,6 +651,8 @@ config DEBUG_STACKOVERFLOW
 
 source "lib/Kconfig.kmemcheck"
 
+source "lib/Kconfig.kasan"
+
 endmenu # "Memory Debugging"
 
 config DEBUG_SHIRQ
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
new file mode 100644
index 000000000000..4fecaedc80a2
--- /dev/null
+++ b/lib/Kconfig.kasan
@@ -0,0 +1,54 @@
+config HAVE_ARCH_KASAN
+        bool
+
+if HAVE_ARCH_KASAN
+
+config KASAN
+        bool "KASan: runtime memory debugger"
+        depends on SLUB_DEBUG
+        select CONSTRUCTORS
+        help
+          Enables kernel address sanitizer - runtime memory debugger,
+          designed to find out-of-bounds accesses and use-after-free bugs.
+          This is strictly debugging feature. It consumes about 1/8
+          of available memory and brings about ~x3 performance slowdown.
+          For better error detection enable CONFIG_STACKTRACE,
+          and add slub_debug=U to boot cmdline.
+
+config KASAN_SHADOW_OFFSET
+        hex
+        default 0xdffffc0000000000 if X86_64
+
+choice
+        prompt "Instrumentation type"
+        depends on KASAN
+        default KASAN_OUTLINE
+
+config KASAN_OUTLINE
+        bool "Outline instrumentation"
+        help
+          Before every memory access compiler insert function call
+          __asan_load*/__asan_store*. These functions performs check
+          of shadow memory. This is slower than inline instrumentation,
+          however it doesn't bloat size of kernel's .text section so
+          much as inline does.
+
+config KASAN_INLINE
+        bool "Inline instrumentation"
+        help
+          Compiler directly inserts code checking shadow memory before
+          memory accesses. This is faster than outline (in some workloads
+          it gives about x2 boost over outline instrumentation), but
+          make kernel's .text size much bigger.
+
+endchoice
+
+config TEST_KASAN
+        tristate "Module for testing kasan for bug detection"
+        depends on m && KASAN
+        help
+          This is a test module doing various nasty things like
+          out of bounds accesses, use after free. It is useful for testing
+          kernel debugging features like kernel address sanitizer.
+
+endif
diff --git a/lib/Makefile b/lib/Makefile
index e456defd1021..87eb3bffc283 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -32,12 +32,13 @@ obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o
 obj-y += hexdump.o
 obj-$(CONFIG_TEST_HEXDUMP) += test-hexdump.o
 obj-y += kstrtox.o
-obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
-obj-$(CONFIG_TEST_LKM) += test_module.o
-obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
 obj-$(CONFIG_TEST_BPF) += test_bpf.o
 obj-$(CONFIG_TEST_FIRMWARE) += test_firmware.o
+obj-$(CONFIG_TEST_KASAN) += test_kasan.o
+obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
+obj-$(CONFIG_TEST_LKM) += test_module.o
 obj-$(CONFIG_TEST_RHASHTABLE) += test_rhashtable.o
+obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
 
 ifeq ($(CONFIG_DEBUG_KOBJECT),y)
 CFLAGS_kobject.o += -DDEBUG
diff --git a/lib/bitmap.c b/lib/bitmap.c
index ad161a6c82db..d456f4c15a9f 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -104,18 +104,18 @@ EXPORT_SYMBOL(__bitmap_complement);
  *   @dst : destination bitmap
  *   @src : source bitmap
  *   @shift : shift by this many bits
- *   @bits : bitmap size, in bits
+ *   @nbits : bitmap size, in bits
  *
  * Shifting right (dividing) means moving bits in the MS -> LS bit
  * direction.  Zeros are fed into the vacated MS positions and the
  * LS bits shifted off the bottom are lost.
  */
-void __bitmap_shift_right(unsigned long *dst,
-                        const unsigned long *src, int shift, int bits)
+void __bitmap_shift_right(unsigned long *dst, const unsigned long *src,
+                        unsigned shift, unsigned nbits)
 {
-        int k, lim = BITS_TO_LONGS(bits), left = bits % BITS_PER_LONG;
-        int off = shift/BITS_PER_LONG, rem = shift % BITS_PER_LONG;
-        unsigned long mask = (1UL << left) - 1;
+        unsigned k, lim = BITS_TO_LONGS(nbits);
+        unsigned off = shift/BITS_PER_LONG, rem = shift % BITS_PER_LONG;
+        unsigned long mask = BITMAP_LAST_WORD_MASK(nbits);
         for (k = 0; off + k < lim; ++k) {
                 unsigned long upper, lower;
 
@@ -127,17 +127,15 @@ void __bitmap_shift_right(unsigned long *dst,
                         upper = 0;
                 else {
                         upper = src[off + k + 1];
-                        if (off + k + 1 == lim - 1 && left)
+                        if (off + k + 1 == lim - 1)
                                 upper &= mask;
+                        upper <<= (BITS_PER_LONG - rem);
                 }
                 lower = src[off + k];
-                if (left && off + k == lim - 1)
+                if (off + k == lim - 1)
                         lower &= mask;
-                dst[k] = lower >> rem;
-                if (rem)
-                        dst[k] |= upper << (BITS_PER_LONG - rem);
-                if (left && k == lim - 1)
-                        dst[k] &= mask;
+                lower >>= rem;
+                dst[k] = lower | upper;
         }
         if (off)
                 memset(&dst[lim - off], 0, off*sizeof(unsigned long));
@@ -150,18 +148,19 @@ EXPORT_SYMBOL(__bitmap_shift_right);
  *   @dst : destination bitmap
  *   @src : source bitmap
  *   @shift : shift by this many bits
- *   @bits : bitmap size, in bits
+ *   @nbits : bitmap size, in bits
  *
  * Shifting left (multiplying) means moving bits in the LS -> MS
  * direction.  Zeros are fed into the vacated LS bit positions
  * and those MS bits shifted off the top are lost.
  */
 
-void __bitmap_shift_left(unsigned long *dst,
-                        const unsigned long *src, int shift, int bits)
+void __bitmap_shift_left(unsigned long *dst, const unsigned long *src,
+                        unsigned int shift, unsigned int nbits)
 {
-        int k, lim = BITS_TO_LONGS(bits), left = bits % BITS_PER_LONG;
-        int off = shift/BITS_PER_LONG, rem = shift % BITS_PER_LONG;
+        int k;
+        unsigned int lim = BITS_TO_LONGS(nbits);
+        unsigned int off = shift/BITS_PER_LONG, rem = shift % BITS_PER_LONG;
         for (k = lim - off - 1; k >= 0; --k) {
                 unsigned long upper, lower;
 
@@ -170,17 +169,11 @@ void __bitmap_shift_left(unsigned long *dst,
                  * word below and make them the bottom rem bits of result.
                  */
                 if (rem && k > 0)
-                        lower = src[k - 1];
+                        lower = src[k - 1] >> (BITS_PER_LONG - rem);
                 else
                         lower = 0;
-                upper = src[k];
-                if (left && k == lim - 1)
-                        upper &= (1UL << left) - 1;
-                dst[k + off] = upper << rem;
-                if (rem)
-                        dst[k + off] |= lower >> (BITS_PER_LONG - rem);
-                if (left && k + off == lim - 1)
-                        dst[k + off] &= (1UL << left) - 1;
+                upper = src[k] << rem;
+                dst[k + off] = lower | upper;
         }
         if (off)
                 memset(dst, 0, off*sizeof(unsigned long));
@@ -377,45 +370,6 @@ EXPORT_SYMBOL(bitmap_find_next_zero_area_off);
 #define BASEDEC 10              /* fancier cpuset lists input in decimal */
 
 /**
- * bitmap_scnprintf - convert bitmap to an ASCII hex string.
- * @buf: byte buffer into which string is placed
- * @buflen: reserved size of @buf, in bytes
- * @maskp: pointer to bitmap to convert
- * @nmaskbits: size of bitmap, in bits
- *
- * Exactly @nmaskbits bits are displayed.  Hex digits are grouped into
- * comma-separated sets of eight digits per set.  Returns the number of
- * characters which were written to *buf, excluding the trailing \0.
- */
-int bitmap_scnprintf(char *buf, unsigned int buflen,
-        const unsigned long *maskp, int nmaskbits)
-{
-        int i, word, bit, len = 0;
-        unsigned long val;
-        const char *sep = "";
-        int chunksz;
-        u32 chunkmask;
-
-        chunksz = nmaskbits & (CHUNKSZ - 1);
-        if (chunksz == 0)
-                chunksz = CHUNKSZ;
-
-        i = ALIGN(nmaskbits, CHUNKSZ) - CHUNKSZ;
-        for (; i >= 0; i -= CHUNKSZ) {
-                chunkmask = ((1ULL << chunksz) - 1);
-                word = i / BITS_PER_LONG;
-                bit = i % BITS_PER_LONG;
-                val = (maskp[word] >> bit) & chunkmask;
-                len += scnprintf(buf+len, buflen-len, "%s%0*lx", sep,
-                        (chunksz+3)/4, val);
-                chunksz = CHUNKSZ;
-                sep = ",";
-        }
-        return len;
-}
-EXPORT_SYMBOL(bitmap_scnprintf);
-
-/**
  * __bitmap_parse - convert an ASCII hex string into a bitmap.
  * @buf: pointer to buffer containing string.
  * @buflen: buffer size in bytes.  If string is smaller than this
@@ -528,65 +482,6 @@ int bitmap_parse_user(const char __user *ubuf,
 }
 EXPORT_SYMBOL(bitmap_parse_user);
 
-/*
- * bscnl_emit(buf, buflen, rbot, rtop, bp)
- *
- * Helper routine for bitmap_scnlistprintf().  Write decimal number
- * or range to buf, suppressing output past buf+buflen, with optional
- * comma-prefix.  Return len of what was written to *buf, excluding the
- * trailing \0.
- */
-static inline int bscnl_emit(char *buf, int buflen, int rbot, int rtop, int len)
-{
-        if (len > 0)
-                len += scnprintf(buf + len, buflen - len, ",");
-        if (rbot == rtop)
-                len += scnprintf(buf + len, buflen - len, "%d", rbot);
-        else
-                len += scnprintf(buf + len, buflen - len, "%d-%d", rbot, rtop);
-        return len;
-}
-
-/**
- * bitmap_scnlistprintf - convert bitmap to list format ASCII string
- * @buf: byte buffer into which string is placed
- * @buflen: reserved size of @buf, in bytes
- * @maskp: pointer to bitmap to convert
- * @nmaskbits: size of bitmap, in bits
- *
- * Output format is a comma-separated list of decimal numbers and
- * ranges.  Consecutively set bits are shown as two hyphen-separated
- * decimal numbers, the smallest and largest bit numbers set in
- * the range.  Output format is compatible with the format
- * accepted as input by bitmap_parselist().
- *
- * The return value is the number of characters which were written to *buf
- * excluding the trailing '\0', as per ISO C99's scnprintf.
- */
-int bitmap_scnlistprintf(char *buf, unsigned int buflen,
-        const unsigned long *maskp, int nmaskbits)
-{
-        int len = 0;
-        /* current bit is 'cur', most recently seen range is [rbot, rtop] */
-        int cur, rbot, rtop;
-
-        if (buflen == 0)
-                return 0;
-        buf[0] = 0;
-
-        rbot = cur = find_first_bit(maskp, nmaskbits);
-        while (cur < nmaskbits) {
-                rtop = cur;
-                cur = find_next_bit(maskp, nmaskbits, cur+1);
-                if (cur >= nmaskbits || cur > rtop + 1) {
-                        len = bscnl_emit(buf, buflen, rbot, rtop, len);
-                        rbot = cur;
-                }
-        }
-        return len;
-}
-EXPORT_SYMBOL(bitmap_scnlistprintf);
-
 /**
  * bitmap_print_to_pagebuf - convert bitmap to list or hex format ASCII string
  * @list: indicates whether the bitmap must be list
@@ -605,8 +500,8 @@ int bitmap_print_to_pagebuf(bool list, char *buf, const unsigned long *maskp,
         int n = 0;
 
         if (len > 1) {
-                n = list ? bitmap_scnlistprintf(buf, len, maskp, nmaskbits) :
-                           bitmap_scnprintf(buf, len, maskp, nmaskbits);
+                n = list ? scnprintf(buf, len, "%*pbl", nmaskbits, maskp) :
+                           scnprintf(buf, len, "%*pb", nmaskbits, maskp);
                 buf[n++] = '\n';
                 buf[n] = '\0';
         }
@@ -1191,16 +1086,17 @@ EXPORT_SYMBOL(bitmap_allocate_region);
  *
  * Require nbits % BITS_PER_LONG == 0.
  */
-void bitmap_copy_le(void *dst, const unsigned long *src, int nbits)
+#ifdef __BIG_ENDIAN
+void bitmap_copy_le(unsigned long *dst, const unsigned long *src, unsigned int nbits)
 {
-        unsigned long *d = dst;
-        int i;
+        unsigned int i;
 
         for (i = 0; i < nbits/BITS_PER_LONG; i++) {
                 if (BITS_PER_LONG == 64)
-                        d[i] = cpu_to_le64(src[i]);
+                        dst[i] = cpu_to_le64(src[i]);
                 else
-                        d[i] = cpu_to_le32(src[i]);
+                        dst[i] = cpu_to_le32(src[i]);
         }
 }
 EXPORT_SYMBOL(bitmap_copy_le);
+#endif
diff --git a/lib/gen_crc32table.c b/lib/gen_crc32table.c
index 71fcfcd96410..d83a372fa76f 100644
--- a/lib/gen_crc32table.c
+++ b/lib/gen_crc32table.c
@@ -109,7 +109,7 @@ int main(int argc, char** argv)
 
         if (CRC_LE_BITS > 1) {
                 crc32init_le();
-                printf("static u32 __cacheline_aligned "
+                printf("static const u32 ____cacheline_aligned "
                        "crc32table_le[%d][%d] = {",
                        LE_TABLE_ROWS, LE_TABLE_SIZE);
                 output_table(crc32table_le, LE_TABLE_ROWS,
@@ -119,7 +119,7 @@ int main(int argc, char** argv)
 
         if (CRC_BE_BITS > 1) {
                 crc32init_be();
-                printf("static u32 __cacheline_aligned "
+                printf("static const u32 ____cacheline_aligned "
                        "crc32table_be[%d][%d] = {",
                        BE_TABLE_ROWS, BE_TABLE_SIZE);
                 output_table(crc32table_be, LE_TABLE_ROWS,
@@ -128,7 +128,7 @@ int main(int argc, char** argv)
         }
         if (CRC_LE_BITS > 1) {
                 crc32cinit_le();
-                printf("static u32 __cacheline_aligned "
+                printf("static const u32 ____cacheline_aligned "
                        "crc32ctable_le[%d][%d] = {",
                        LE_TABLE_ROWS, LE_TABLE_SIZE);
                 output_table(crc32ctable_le, LE_TABLE_ROWS,
diff --git a/lib/genalloc.c b/lib/genalloc.c
index 0fe1cbe87700..d214866eeea2 100644
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -586,6 +586,8 @@ struct gen_pool *devm_gen_pool_create(struct device *dev, int min_alloc_order,
         struct gen_pool **ptr, *pool;
 
         ptr = devres_alloc(devm_gen_pool_release, sizeof(*ptr), GFP_KERNEL);
+        if (!ptr)
+                return NULL;
 
         pool = gen_pool_create(min_alloc_order, nid);
         if (pool) {
diff --git a/lib/seq_buf.c b/lib/seq_buf.c
index 4eedfedb9e31..88c0854bd752 100644
--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -91,42 +91,6 @@ int seq_buf_printf(struct seq_buf *s, const char *fmt, ...)
         return ret;
 }
 
-/**
- * seq_buf_bitmask - write a bitmask array in its ASCII representation
- * @s:          seq_buf descriptor
- * @maskp:      points to an array of unsigned longs that represent a bitmask
- * @nmaskbits:  The number of bits that are valid in @maskp
- *
- * Writes a ASCII representation of a bitmask string into @s.
- *
- * Returns zero on success, -1 on overflow.
- */
-int seq_buf_bitmask(struct seq_buf *s, const unsigned long *maskp,
-                    int nmaskbits)
-{
-        unsigned int len = seq_buf_buffer_left(s);
-        int ret;
-
-        WARN_ON(s->size == 0);
-
-        /*
-         * Note, because bitmap_scnprintf() only returns the number of bytes
-         * written and not the number that would be written, we use the last
-         * byte of the buffer to let us know if we overflowed. There's a small
-         * chance that the bitmap could have fit exactly inside the buffer, but
-         * it's not that critical if that does happen.
-         */
-        if (len > 1) {
-                ret = bitmap_scnprintf(s->buffer + s->len, len, maskp, nmaskbits);
-                if (ret < len) {
-                        s->len += ret;
-                        return 0;
-                }
-        }
-        seq_buf_set_overflow(s);
-        return -1;
-}
-
 #ifdef CONFIG_BINARY_PRINTF
 /**
  * seq_buf_bprintf - Write the printf string from binary arguments
diff --git a/lib/string.c b/lib/string.c
index 3206d0178296..cdd97f431ae2 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -313,12 +313,12 @@ EXPORT_SYMBOL(strchrnul);
  */
 char *strrchr(const char *s, int c)
 {
-       const char *p = s + strlen(s);
-       do {
-           if (*p == (char)c)
-               return (char *)p;
-       } while (--p >= s);
-       return NULL;
+        const char *last = NULL;
+        do {
+                if (*s == (char)c)
+                        last = s;
+        } while (*s++);
+        return (char *)last;
 }
 EXPORT_SYMBOL(strrchr);
 #endif
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
new file mode 100644
index 000000000000..098c08eddfab
--- /dev/null
+++ b/lib/test_kasan.c
@@ -0,0 +1,277 @@
+/*
+ *
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd.
+ * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
+
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/module.h>
+
+static noinline void __init kmalloc_oob_right(void)
+{
+        char *ptr;
+        size_t size = 123;
+
+        pr_info("out-of-bounds to right\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        ptr[size] = 'x';
+        kfree(ptr);
+}
+
+static noinline void __init kmalloc_oob_left(void)
+{
+        char *ptr;
+        size_t size = 15;
+
+        pr_info("out-of-bounds to left\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        *ptr = *(ptr - 1);
+        kfree(ptr);
+}
+
+static noinline void __init kmalloc_node_oob_right(void)
+{
+        char *ptr;
+        size_t size = 4096;
+
+        pr_info("kmalloc_node(): out-of-bounds to right\n");
+        ptr = kmalloc_node(size, GFP_KERNEL, 0);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        ptr[size] = 0;
+        kfree(ptr);
+}
+
+static noinline void __init kmalloc_large_oob_rigth(void)
+{
+        char *ptr;
+        size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
+
+        pr_info("kmalloc large allocation: out-of-bounds to right\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        ptr[size] = 0;
+        kfree(ptr);
+}
+
+static noinline void __init kmalloc_oob_krealloc_more(void)
+{
+        char *ptr1, *ptr2;
+        size_t size1 = 17;
+        size_t size2 = 19;
+
+        pr_info("out-of-bounds after krealloc more\n");
+        ptr1 = kmalloc(size1, GFP_KERNEL);
+        ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
+        if (!ptr1 || !ptr2) {
+                pr_err("Allocation failed\n");
+                kfree(ptr1);
+                return;
+        }
+
+        ptr2[size2] = 'x';
+        kfree(ptr2);
+}
+
+static noinline void __init kmalloc_oob_krealloc_less(void)
+{
+        char *ptr1, *ptr2;
+        size_t size1 = 17;
+        size_t size2 = 15;
+
+        pr_info("out-of-bounds after krealloc less\n");
+        ptr1 = kmalloc(size1, GFP_KERNEL);
+        ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
+        if (!ptr1 || !ptr2) {
+                pr_err("Allocation failed\n");
+                kfree(ptr1);
+                return;
+        }
+        ptr2[size1] = 'x';
+        kfree(ptr2);
+}
+
+static noinline void __init kmalloc_oob_16(void)
+{
+        struct {
+                u64 words[2];
+        } *ptr1, *ptr2;
+
+        pr_info("kmalloc out-of-bounds for 16-bytes access\n");
+        ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
+        ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
+        if (!ptr1 || !ptr2) {
+                pr_err("Allocation failed\n");
+                kfree(ptr1);
+                kfree(ptr2);
+                return;
+        }
+        *ptr1 = *ptr2;
+        kfree(ptr1);
+        kfree(ptr2);
+}
+
+static noinline void __init kmalloc_oob_in_memset(void)
+{
+        char *ptr;
+        size_t size = 666;
+
+        pr_info("out-of-bounds in memset\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        memset(ptr, 0, size+5);
+        kfree(ptr);
+}
+
+static noinline void __init kmalloc_uaf(void)
+{
+        char *ptr;
+        size_t size = 10;
+
+        pr_info("use-after-free\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        kfree(ptr);
+        *(ptr + 8) = 'x';
+}
+
+static noinline void __init kmalloc_uaf_memset(void)
+{
+        char *ptr;
+        size_t size = 33;
+
+        pr_info("use-after-free in memset\n");
+        ptr = kmalloc(size, GFP_KERNEL);
+        if (!ptr) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        kfree(ptr);
+        memset(ptr, 0, size);
+}
+
+static noinline void __init kmalloc_uaf2(void)
+{
+        char *ptr1, *ptr2;
+        size_t size = 43;
+
+        pr_info("use-after-free after another kmalloc\n");
+        ptr1 = kmalloc(size, GFP_KERNEL);
+        if (!ptr1) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        kfree(ptr1);
+        ptr2 = kmalloc(size, GFP_KERNEL);
+        if (!ptr2) {
+                pr_err("Allocation failed\n");
+                return;
+        }
+
+        ptr1[40] = 'x';
+        kfree(ptr2);
+}
+
+static noinline void __init kmem_cache_oob(void)
+{
+        char *p;
+        size_t size = 200;
+        struct kmem_cache *cache = kmem_cache_create("test_cache",
+                                                size, 0,
+                                                0, NULL);
+        if (!cache) {
+                pr_err("Cache allocation failed\n");
+                return;
+        }
+        pr_info("out-of-bounds in kmem_cache_alloc\n");
+        p = kmem_cache_alloc(cache, GFP_KERNEL);
+        if (!p) {
+                pr_err("Allocation failed\n");
+                kmem_cache_destroy(cache);
+                return;
+        }
+
+        *p = p[size];
+        kmem_cache_free(cache, p);
+        kmem_cache_destroy(cache);
+}
+
+static char global_array[10];
+
+static noinline void __init kasan_global_oob(void)
+{
+        volatile int i = 3;
+        char *p = &global_array[ARRAY_SIZE(global_array) + i];
+
+        pr_info("out-of-bounds global variable\n");
+        *(volatile char *)p;
+}
+
+static noinline void __init kasan_stack_oob(void)
+{
+        char stack_array[10];
+        volatile int i = 0;
+        char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
+
+        pr_info("out-of-bounds on stack\n");
+        *(volatile char *)p;
+}
+
+static int __init kmalloc_tests_init(void)
+{
+        kmalloc_oob_right();
+        kmalloc_oob_left();
+        kmalloc_node_oob_right();
+        kmalloc_large_oob_rigth();
+        kmalloc_oob_krealloc_more();
+        kmalloc_oob_krealloc_less();
+        kmalloc_oob_16();
+        kmalloc_oob_in_memset();
+        kmalloc_uaf();
+        kmalloc_uaf_memset();
+        kmalloc_uaf2();
+        kmem_cache_oob();
+        kasan_stack_oob();
+        kasan_global_oob();
+        return -EAGAIN;
+}
+
+module_init(kmalloc_tests_init);
+MODULE_LICENSE("GPL");
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 602d2081e713..b235c96167d3 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -794,6 +794,87 @@ char *hex_string(char *buf, char *end, u8 *addr, struct printf_spec spec,
 }
 
 static noinline_for_stack
+char *bitmap_string(char *buf, char *end, unsigned long *bitmap,
+                    struct printf_spec spec, const char *fmt)
+{
+        const int CHUNKSZ = 32;
+        int nr_bits = max_t(int, spec.field_width, 0);
+        int i, chunksz;
+        bool first = true;
+
+        /* reused to print numbers */
+        spec = (struct printf_spec){ .flags = SMALL | ZEROPAD, .base = 16 };
+
+        chunksz = nr_bits & (CHUNKSZ - 1);
+        if (chunksz == 0)
+                chunksz = CHUNKSZ;
+
+        i = ALIGN(nr_bits, CHUNKSZ) - CHUNKSZ;
+        for (; i >= 0; i -= CHUNKSZ) {
+                u32 chunkmask, val;
+                int word, bit;
+
+                chunkmask = ((1ULL << chunksz) - 1);
+                word = i / BITS_PER_LONG;
+                bit = i % BITS_PER_LONG;
+                val = (bitmap[word] >> bit) & chunkmask;
+
+                if (!first) {
+                        if (buf < end)
+                                *buf = ',';
+                        buf++;
+                }
+                first = false;
+
+                spec.field_width = DIV_ROUND_UP(chunksz, 4);
+                buf = number(buf, end, val, spec);
+
+                chunksz = CHUNKSZ;
+        }
+        return buf;
+}
+
+static noinline_for_stack
+char *bitmap_list_string(char *buf, char *end, unsigned long *bitmap,
+                         struct printf_spec spec, const char *fmt)
+{
+        int nr_bits = max_t(int, spec.field_width, 0);
+        /* current bit is 'cur', most recently seen range is [rbot, rtop] */
+        int cur, rbot, rtop;
+        bool first = true;
+
+        /* reused to print numbers */
+        spec = (struct printf_spec){ .base = 10 };
+
+        rbot = cur = find_first_bit(bitmap, nr_bits);
+        while (cur < nr_bits) {
+                rtop = cur;
+                cur = find_next_bit(bitmap, nr_bits, cur + 1);
+                if (cur < nr_bits && cur <= rtop + 1)
+                        continue;
+
+                if (!first) {
+                        if (buf < end)
+                                *buf = ',';
+                        buf++;
+                }
+                first = false;
+
+                buf = number(buf, end, rbot, spec);
+                if (rbot < rtop) {
+                        if (buf < end)
+                                *buf = '-';
+                        buf++;
+
+                        buf = number(buf, end, rtop, spec);
+                }
+
+                rbot = cur;
+        }
+        return buf;
+}
+
+static noinline_for_stack
 char *mac_address_string(char *buf, char *end, u8 *addr,
                          struct printf_spec spec, const char *fmt)
 {
@@ -1258,6 +1339,10 @@ int kptr_restrict __read_mostly;
  * - 'B' For backtraced symbolic direct pointers with offset
  * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
  * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
+ * - 'b[l]' For a bitmap, the number of bits is determined by the field
+ *       width which must be explicitly specified either as part of the
+ *       format string '%32b[l]' or through '%*b[l]', [l] selects
+ *       range-list format instead of hex format
  * - 'M' For a 6-byte MAC address, it prints the address in the
  *       usual colon-separated hex notation
  * - 'm' For a 6-byte MAC address, it prints the hex address without colons
@@ -1354,6 +1439,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
                 return resource_string(buf, end, ptr, spec, fmt);
         case 'h':
                 return hex_string(buf, end, ptr, spec, fmt);
+        case 'b':
+                switch (fmt[1]) {
+                case 'l':
+                        return bitmap_list_string(buf, end, ptr, spec, fmt);
+                default:
+                        return bitmap_string(buf, end, ptr, spec, fmt);
+                }
         case 'M':                       /* Colon separated: 00:01:02:03:04:05 */
         case 'm':                       /* Contiguous: 000102030405 */
                                         /* [mM]F (FDDI) */
@@ -1689,6 +1781,8 @@ qualifier:
  * %pB output the name of a backtrace symbol with its offset
  * %pR output the address range in a struct resource with decoded flags
  * %pr output the address range in a struct resource with raw flags
+ * %pb output the bitmap with field width as the number of bits
+ * %pbl output the bitmap as range list with field width as the number of bits
  * %pM output a 6-byte MAC address with colons
  * %pMR output a 6-byte MAC address with colons in reversed order
  * %pMF output a 6-byte MAC address with dashes