--- /dev/null
+From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: aacraid: Check size values after double-fetch from user
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
+ struct fib *fibptr;
+ struct hw_fib * hw_fib = (struct hw_fib *)0;
+ dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+- unsigned size;
++ unsigned int size, osize;
+ int retval;
+
+ if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
+ * will not overrun the buffer when we copy the memory. Return
+ * an error if we would.
+ */
+- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
++ osize = size = le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr);
+ if (size < le16_to_cpu(kfib->header.SenderSize))
+ size = le16_to_cpu(kfib->header.SenderSize);
+ if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
+ goto cleanup;
+ }
+
++ /* Sanity check the second copy */
++ if ((osize != le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr))
++ || (size < le16_to_cpu(kfib->header.SenderSize))) {
++ retval = -EINVAL;
++ goto cleanup;
++ }
++
+ if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ aac_adapter_interrupt(dev);
+ /*
--- /dev/null
+From add125054b8727103631dce116361668436ef6a7 Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Fri, 12 Aug 2016 00:52:56 -0700
+Subject: cdc-acm: fix wrong pipe type on rx interrupt xfers
+
+From: Gavin Li <git@thegavinli.com>
+
+commit add125054b8727103631dce116361668436ef6a7 upstream.
+
+This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 5 ++---
+ drivers/usb/class/cdc-acm.h | 1 -
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1296,7 +1296,6 @@ made_compressed_probe:
+ spin_lock_init(&acm->write_lock);
+ spin_lock_init(&acm->read_lock);
+ mutex_init(&acm->mutex);
+- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
+ acm->is_int_ep = usb_endpoint_xfer_int(epread);
+ if (acm->is_int_ep)
+ acm->bInterval = epread->bInterval;
+@@ -1345,14 +1344,14 @@ made_compressed_probe:
+ urb->transfer_dma = rb->dma;
+ if (acm->is_int_ep) {
+ usb_fill_int_urb(urb, acm->dev,
+- acm->rx_endpoint,
++ usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
+ rb->base,
+ acm->readsize,
+ acm_read_bulk_callback, rb,
+ acm->bInterval);
+ } else {
+ usb_fill_bulk_urb(urb, acm->dev,
+- acm->rx_endpoint,
++ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
+ rb->base,
+ acm->readsize,
+ acm_read_bulk_callback, rb);
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -95,7 +95,6 @@ struct acm {
+ struct urb *read_urbs[ACM_NR];
+ struct acm_rb read_buffers[ACM_NR];
+ int rx_buflimit;
+- int rx_endpoint;
+ spinlock_t read_lock;
+ int write_used; /* number of non-empty write buffers */
+ int transmitting;
--- /dev/null
+From 993f88f1cc7f0879047ff353e824e5cc8f10adfc Mon Sep 17 00:00:00 2001
+From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+Date: Sat, 23 Apr 2016 18:33:00 +0300
+Subject: EDAC: Increment correct counter in edac_inc_ue_error()
+
+From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+
+commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream.
+
+Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of
+ce_noinfo_count.
+
+Signed-off-by: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 4275be635597 ("edac: Change internal representation to work with layers")
+Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_mc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc.c
++++ b/drivers/edac/edac_mc.c
+@@ -962,7 +962,7 @@ static void edac_inc_ue_error(struct mem
+ mci->ue_mc += count;
+
+ if (!enable_per_layer_report) {
+- mci->ce_noinfo_count += count;
++ mci->ue_noinfo_count += count;
+ return;
+ }
+
--- /dev/null
+From 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 25 Aug 2016 15:17:11 -0700
+Subject: fs/seq_file: fix out-of-bounds read
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.
+
+seq_read() is a nasty piece of work, not to mention buggy.
+
+It has (I think) an old bug which allows unprivileged userspace to read
+beyond the end of m->buf.
+
+I was getting these:
+
+ BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
+ Read of size 2713 by task trinity-c2/1329
+ CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+ Call Trace:
+ kasan_object_err+0x1c/0x80
+ kasan_report_error+0x2cb/0x7e0
+ kasan_report+0x4e/0x80
+ check_memory_region+0x13e/0x1a0
+ kasan_check_read+0x11/0x20
+ seq_read+0xcd2/0x1480
+ proc_reg_read+0x10b/0x260
+ do_loop_readv_writev.part.5+0x140/0x2c0
+ do_readv_writev+0x589/0x860
+ vfs_readv+0x7b/0xd0
+ do_readv+0xd8/0x2c0
+ SyS_readv+0xb/0x10
+ do_syscall_64+0x1b3/0x4b0
+ entry_SYSCALL64_slow_path+0x25/0x25
+ Object at ffff880116889100, in cache kmalloc-4096 size: 4096
+ Allocated:
+ PID = 1329
+ save_stack_trace+0x26/0x80
+ save_stack+0x46/0xd0
+ kasan_kmalloc+0xad/0xe0
+ __kmalloc+0x1aa/0x4a0
+ seq_buf_alloc+0x35/0x40
+ seq_read+0x7d8/0x1480
+ proc_reg_read+0x10b/0x260
+ do_loop_readv_writev.part.5+0x140/0x2c0
+ do_readv_writev+0x589/0x860
+ vfs_readv+0x7b/0xd0
+ do_readv+0xd8/0x2c0
+ SyS_readv+0xb/0x10
+ do_syscall_64+0x1b3/0x4b0
+ return_from_SYSCALL_64+0x0/0x6a
+ Freed:
+ PID = 0
+ (stack is not available)
+ Memory state around the buggy address:
+ ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+This seems to be the same thing that Dave Jones was seeing here:
+
+ https://lkml.org/lkml/2016/8/12/334
+
+There are multiple issues here:
+
+ 1) If we enter the function with a non-empty buffer, there is an attempt
+ to flush it. But it was not clearing m->from after doing so, which
+ means that if we try to do this flush twice in a row without any call
+ to traverse() in between, we are going to be reading from the wrong
+ place -- the splat above, fixed by this patch.
+
+ 2) If there's a short write to userspace because of page faults, the
+ buffer may already contain multiple lines (i.e. pos has advanced by
+ more than 1), but we don't save the progress that was made so the
+ next call will output what we've already returned previously. Since
+ that is a much less serious issue (and I have a headache after
+ staring at seq_read() for the past 8 hours), I'll leave that for now.
+
+Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/seq_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -207,8 +207,10 @@ ssize_t seq_read(struct file *file, char
+ size -= n;
+ buf += n;
+ copied += n;
+- if (!m->count)
++ if (!m->count) {
++ m->from = 0;
+ m->index++;
++ }
+ if (!size)
+ goto Done;
+ }
--- /dev/null
+From 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 09:58:25 +0200
+Subject: gpio: Fix OF build problem on UM
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream.
+
+The UserMode (UM) Linux build was failing in gpiolib-of as it requires
+ioremap()/iounmap() to exist, which is absent from UM. The non-existence
+of IO memory is negatively defined as CONFIG_NO_IOMEM which means we
+need to depend on HAS_IOMEM.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -50,6 +50,7 @@ config GPIO_DEVRES
+ config OF_GPIO
+ def_bool y
+ depends on OF
++ depends on HAS_IOMEM
+
+ config GPIO_ACPI
+ def_bool y
--- /dev/null
+From 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 2 Aug 2016 11:13:41 +0200
+Subject: mac80211: fix purging multicast PS buffer queue
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream.
+
+The code currently assumes that buffered multicast PS frames don't have
+a pending ACK frame for tx status reporting.
+However, hostapd sends a broadcast deauth frame on teardown for which tx
+status is requested. This can lead to the "Have pending ack frames"
+warning on module reload.
+Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/tx.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1126,7 +1126,7 @@ static int ieee80211_stop_ap(struct wiph
+
+ /* free all potentially still buffered bcast frames */
+ local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
+- skb_queue_purge(&sdata->u.ap.ps.bc_buf);
++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
+
+ ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
+ mutex_lock(&local->mtx);
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -351,7 +351,7 @@ static void purge_old_ps_buffers(struct
+ skb = skb_dequeue(&ps->bc_buf);
+ if (skb) {
+ purged++;
+- dev_kfree_skb(skb);
++ ieee80211_free_txskb(&local->hw, skb);
+ }
+ total += skb_queue_len(&ps->bc_buf);
+ }
+@@ -434,7 +434,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
+ ps_dbg(tx->sdata,
+ "BC TX buffer full - dropping the oldest frame\n");
+- dev_kfree_skb(skb_dequeue(&ps->bc_buf));
++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
+ } else
+ tx->local->total_ps_buffered++;
+
+@@ -2910,7 +2910,7 @@ ieee80211_get_buffered_bc(struct ieee802
+ sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
+ if (!ieee80211_tx_prepare(sdata, &tx, skb))
+ break;
+- dev_kfree_skb_any(skb);
++ ieee80211_free_txskb(hw, skb);
+ }
+
+ info = IEEE80211_SKB_CB(skb);
--- /dev/null
+From e7f851684efb3377e9c93aca7fae6e76212e5680 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Fri, 5 Aug 2016 23:37:34 -0700
+Subject: megaraid_sas: Fix probing cards without io port
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.
+
+Found one megaraid_sas HBA probe fails,
+
+[ 187.235190] scsi host2: Avago SAS based MegaRAID driver
+[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff]
+[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!
+
+and the card has resource like,
+[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
+[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff]
+[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
+[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
+[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]
+
+that does not io port resource allocated from BIOS, and kernel can not
+assign one as io port shortage.
+
+The driver is only looking for MEM, and should not fail.
+
+It turns out megasas_init_fw() etc are using bar index as mask. index 1
+is used as mask 1, so that pci_request_selected_regions() is trying to
+request BAR0 instead of BAR1.
+
+Fix all related reference.
+
+Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3624,7 +3624,7 @@ static int megasas_init_fw(struct megasa
+ /* Find first memory bar */
+ bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
+ instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
+- if (pci_request_selected_regions(instance->pdev, instance->bar,
++ if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
+ "megasas: LSI")) {
+ printk(KERN_DEBUG "megasas: IO memory region busy!\n");
+ return -EBUSY;
+@@ -3858,7 +3858,7 @@ fail_ready_state:
+ iounmap(instance->reg_set);
+
+ fail_ioremap:
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+
+ return -EINVAL;
+ }
+@@ -3879,7 +3879,7 @@ static void megasas_release_mfi(struct m
+
+ iounmap(instance->reg_set);
+
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+
+ /**
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -2175,7 +2175,7 @@ megasas_release_fusion(struct megasas_in
+
+ iounmap(instance->reg_set);
+
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+
+ /**
--- /dev/null
+From 9ba333dc55cbb9523553df973adb3024d223e905 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+Date: Mon, 8 Aug 2016 14:08:17 +0200
+Subject: s390/dasd: fix hanging device after clear subchannel
+
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream.
+
+When a device is in a status where CIO has killed all I/O by itself the
+interrupt for a clear request may not contain an irb to determine the
+clear function. Instead it contains an error pointer -EIO.
+This was ignored by the DASD int_handler leading to a hanging device
+waiting for a clear interrupt.
+
+Handle -EIO error pointer correctly for requests that are clear pending and
+treat the clear as successful.
+
+Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/block/dasd.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -1613,9 +1613,18 @@ void dasd_int_handler(struct ccw_device
+ unsigned long long now;
+ int expires;
+
++ cqr = (struct dasd_ccw_req *) intparm;
+ if (IS_ERR(irb)) {
+ switch (PTR_ERR(irb)) {
+ case -EIO:
++ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
++ device = (struct dasd_device *) cqr->startdev;
++ cqr->status = DASD_CQR_CLEARED;
++ dasd_device_clear_timer(device);
++ wake_up(&dasd_flush_wq);
++ dasd_schedule_device_bh(device);
++ return;
++ }
+ break;
+ case -ETIMEDOUT:
+ DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
+@@ -1631,7 +1640,6 @@ void dasd_int_handler(struct ccw_device
+ }
+
+ now = get_tod_clock();
+- cqr = (struct dasd_ccw_req *) intparm;
+ /* check for conditions that should be handled immediately */
+ if (!cqr ||
+ !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&
usb-serial-ftdi_sio-add-device-id-for-wiced-usb-uart-dev-board.patch
usb-serial-ftdi_sio-add-pids-for-ivium-technologies-devices.patch
xhci-make-sure-xhci-handles-usb_speed_super_plus-devices.patch
+edac-increment-correct-counter-in-edac_inc_ue_error.patch
+s390-dasd-fix-hanging-device-after-clear-subchannel.patch
+mac80211-fix-purging-multicast-ps-buffer-queue.patch
+aacraid-check-size-values-after-double-fetch-from-user.patch
+cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch
+megaraid_sas-fix-probing-cards-without-io-port.patch
+gpio-fix-of-build-problem-on-um.patch
+fs-seq_file-fix-out-of-bounds-read.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
