--- /dev/null
+From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Sat, 29 Jun 2024 14:42:11 +0200
+Subject: ata: libata-core: Fix null pointer dereference on error
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream.
+
+If the ata_port_alloc() call in ata_host_alloc() fails,
+ata_host_release() will get called.
+
+However, the code in ata_host_release() tries to free ata_port struct
+members unconditionally, which can lead to the following:
+
+BUG: unable to handle page fault for address: 0000000000003990
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
+Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
+RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
+RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
+RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
+R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
+R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
+FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? page_fault_oops+0x15a/0x2f0
+ ? exc_page_fault+0x7e/0x180
+ ? asm_exc_page_fault+0x26/0x30
+ ? ata_host_release.cold+0x2f/0x6e [libata]
+ ? ata_host_release.cold+0x2f/0x6e [libata]
+ release_nodes+0x35/0xb0
+ devres_release_group+0x113/0x140
+ ata_host_alloc+0xed/0x120 [libata]
+ ata_host_alloc_pinfo+0x14/0xa0 [libata]
+ ahci_init_one+0x6c9/0xd20 [ahci]
+
+Do not access ata_port struct members unconditionally.
+
+Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
+Cc: stable@vger.kernel.org
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -5366,6 +5366,9 @@ static void ata_host_release(struct kref
+ for (i = 0; i < host->n_ports; i++) {
+ struct ata_port *ap = host->ports[i];
+
++ if (!ap)
++ continue;
++
+ kfree(ap->pmp_link);
+ kfree(ap->slave_link);
+ kfree(ap);
--- /dev/null
+From 1be59c97c83ccd67a519d8a49486b3a8a73ca28a Mon Sep 17 00:00:00 2001
+From: Chen Ridong <chenridong@huawei.com>
+Date: Fri, 28 Jun 2024 01:36:04 +0000
+Subject: cgroup/cpuset: Prevent UAF in proc_cpuset_show()
+
+From: Chen Ridong <chenridong@huawei.com>
+
+commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream.
+
+An UAF can happen when /proc/cpuset is read as reported in [1].
+
+This can be reproduced by the following methods:
+1.add an mdelay(1000) before acquiring the cgroup_lock In the
+ cgroup_path_ns function.
+2.$cat /proc/<pid>/cpuset repeatly.
+3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
+$umount /sys/fs/cgroup/cpuset/ repeatly.
+
+The race that cause this bug can be shown as below:
+
+(umount) | (cat /proc/<pid>/cpuset)
+css_release | proc_cpuset_show
+css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id);
+css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...);
+cgroup_destroy_root | mutex_lock(&cgroup_mutex);
+rebind_subsystems |
+cgroup_free_root |
+ | // cgrp was freed, UAF
+ | cgroup_path_ns_locked(cgrp,..);
+
+When the cpuset is initialized, the root node top_cpuset.css.cgrp
+will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
+allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
+&cgroup_root.cgrp. When the umount operation is executed,
+top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.
+
+The problem is that when rebinding to cgrp_dfl_root, there are cases
+where the cgroup_root allocated by setting up the root for cgroup v1
+is cached. This could lead to a Use-After-Free (UAF) if it is
+subsequently freed. The descendant cgroups of cgroup v1 can only be
+freed after the css is released. However, the css of the root will never
+be released, yet the cgroup_root should be freed when it is unmounted.
+This means that obtaining a reference to the css of the root does
+not guarantee that css.cgrp->root will not be freed.
+
+Fix this problem by using rcu_read_lock in proc_cpuset_show().
+As cgroup_root is kfree_rcu after commit d23b5c577715
+("cgroup: Make operations on the cgroup root_list RCU safe"),
+css->cgroup won't be freed during the critical section.
+To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
+replace task_get_css with task_css.
+
+[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
+
+Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -22,6 +22,7 @@
+ * distribution for more details.
+ */
+
++#include "cgroup-internal.h"
+ #include <linux/cpu.h>
+ #include <linux/cpumask.h>
+ #include <linux/cpuset.h>
+@@ -3725,10 +3726,14 @@ int proc_cpuset_show(struct seq_file *m,
+ if (!buf)
+ goto out;
+
+- css = task_get_css(tsk, cpuset_cgrp_id);
+- retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX,
+- current->nsproxy->cgroup_ns);
+- css_put(css);
++ rcu_read_lock();
++ spin_lock_irq(&css_set_lock);
++ css = task_css(tsk, cpuset_cgrp_id);
++ retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX,
++ current->nsproxy->cgroup_ns);
++ spin_unlock_irq(&css_set_lock);
++ rcu_read_unlock();
++
+ if (retval >= PATH_MAX)
+ retval = -ENAMETOOLONG;
+ if (retval < 0)
--- /dev/null
+From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 10 Jun 2024 19:17:49 +0000
+Subject: media: uvcvideo: Fix integer overflow calculating timestamp
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 upstream.
+
+The function uvc_video_clock_update() supports a single SOF overflow. Or
+in other words, the maximum difference between the first ant the last
+timestamp can be 4096 ticks or 4.096 seconds.
+
+This results in a maximum value for y2 of: 0x12FBECA00, that overflows
+32bits.
+y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1;
+
+Extend the size of y2 to u64 to support all its values.
+
+Without this patch:
+ # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0
+Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened.
+Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes.
+Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200
+Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200
+Current frame rate: 1/5
+Setting frame rate to: 1/5
+Frame rate set: 1/5
+8 buffers requested.
+length: 4147200 offset: 0 timestamp type/source: mono/SoE
+Buffer 0/0 mapped at address 0x7947ea94c000.
+length: 4147200 offset: 4149248 timestamp type/source: mono/SoE
+Buffer 1/0 mapped at address 0x7947ea557000.
+length: 4147200 offset: 8298496 timestamp type/source: mono/SoE
+Buffer 2/0 mapped at address 0x7947ea162000.
+length: 4147200 offset: 12447744 timestamp type/source: mono/SoE
+Buffer 3/0 mapped at address 0x7947e9d6d000.
+length: 4147200 offset: 16596992 timestamp type/source: mono/SoE
+Buffer 4/0 mapped at address 0x7947e9978000.
+length: 4147200 offset: 20746240 timestamp type/source: mono/SoE
+Buffer 5/0 mapped at address 0x7947e9583000.
+length: 4147200 offset: 24895488 timestamp type/source: mono/SoE
+Buffer 6/0 mapped at address 0x7947e918e000.
+length: 4147200 offset: 29044736 timestamp type/source: mono/SoE
+Buffer 7/0 mapped at address 0x7947e8d99000.
+0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE
+1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE
+2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE
+3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE
+4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE
+5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE
+6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE
+7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE
+8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE
+9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE
+10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE
+11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE
+12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE
+13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE
+14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE
+15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE
+16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE
+17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE
+18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE
+19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE
+20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE
+21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE
+22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE
+23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE
+24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE
+25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE
+26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE
+27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE
+28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE
+29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE
+30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE
+31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE
+32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE
+33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE
+34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE
+35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE
+
+Cc: stable@vger.kernel.org
+Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@chromium.org
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -723,11 +723,11 @@ void uvc_video_clock_update(struct uvc_s
+ unsigned long flags;
+ u64 timestamp;
+ u32 delta_stc;
+- u32 y1, y2;
++ u32 y1;
+ u32 x1, x2;
+ u32 mean;
+ u32 sof;
+- u64 y;
++ u64 y, y2;
+
+ if (!uvc_hw_timestamps_param)
+ return;
+@@ -767,7 +767,7 @@ void uvc_video_clock_update(struct uvc_s
+ sof = y;
+
+ uvc_trace(UVC_TRACE_CLOCK, "%s: PTS %u y %llu.%06llu SOF %u.%06llu "
+- "(x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n",
++ "(x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n",
+ stream->dev->name, buf->pts,
+ y >> 16, div_u64((y & 0xffff) * 1000000, 65536),
+ sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536),
+@@ -782,7 +782,7 @@ void uvc_video_clock_update(struct uvc_s
+ goto done;
+
+ y1 = NSEC_PER_SEC;
+- y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1;
++ y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1;
+
+ /* Interpolated and host SOF timestamps can wrap around at slightly
+ * different times. Handle this by adding or removing 2048 to or from
+@@ -802,7 +802,7 @@ void uvc_video_clock_update(struct uvc_s
+ timestamp = ktime_to_ns(first->host_time) + y - y1;
+
+ uvc_trace(UVC_TRACE_CLOCK, "%s: SOF %u.%06llu y %llu ts %llu "
+- "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n",
++ "buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n",
+ stream->dev->name,
+ sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536),
+ y, timestamp, vbuf->vb2_buf.timestamp,
--- /dev/null
+From f1acf1ac84d2ae97b7889b87223c1064df850069 Mon Sep 17 00:00:00 2001
+From: Allison Henderson <allison.henderson@oracle.com>
+Date: Thu, 8 Feb 2024 19:28:54 -0700
+Subject: net:rds: Fix possible deadlock in rds_message_put
+
+From: Allison Henderson <allison.henderson@oracle.com>
+
+commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream.
+
+Functions rds_still_queued and rds_clear_recv_queue lock a given socket
+in order to safely iterate over the incoming rds messages. However
+calling rds_inc_put while under this lock creates a potential deadlock.
+rds_inc_put may eventually call rds_message_purge, which will lock
+m_rs_lock. This is the incorrect locking order since m_rs_lock is
+meant to be locked before the socket. To fix this, we move the message
+item to a local list or variable that wont need rs_recv_lock protection.
+Then we can safely call rds_inc_put on any item stored locally after
+rs_recv_lock is released.
+
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Reported-by: syzbot+f9db6ff27b9bfdcfeca0@syzkaller.appspotmail.com
+Reported-by: syzbot+dcd73ff9291e6d34b3ab@syzkaller.appspotmail.com
+Signed-off-by: Allison Henderson <allison.henderson@oracle.com>
+Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/recv.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_s
+ struct sock *sk = rds_rs_to_sk(rs);
+ int ret = 0;
+ unsigned long flags;
++ struct rds_incoming *to_drop = NULL;
+
+ write_lock_irqsave(&rs->rs_recv_lock, flags);
+ if (!list_empty(&inc->i_item)) {
+@@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_s
+ -be32_to_cpu(inc->i_hdr.h_len),
+ inc->i_hdr.h_dport);
+ list_del_init(&inc->i_item);
+- rds_inc_put(inc);
++ to_drop = inc;
+ }
+ }
+ write_unlock_irqrestore(&rs->rs_recv_lock, flags);
+
++ if (to_drop)
++ rds_inc_put(to_drop);
++
+ rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop);
+ return ret;
+ }
+@@ -761,16 +765,21 @@ void rds_clear_recv_queue(struct rds_soc
+ struct sock *sk = rds_rs_to_sk(rs);
+ struct rds_incoming *inc, *tmp;
+ unsigned long flags;
++ LIST_HEAD(to_drop);
+
+ write_lock_irqsave(&rs->rs_recv_lock, flags);
+ list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) {
+ rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong,
+ -be32_to_cpu(inc->i_hdr.h_len),
+ inc->i_hdr.h_dport);
++ list_move(&inc->i_item, &to_drop);
++ }
++ write_unlock_irqrestore(&rs->rs_recv_lock, flags);
++
++ list_for_each_entry_safe(inc, tmp, &to_drop, i_item) {
+ list_del_init(&inc->i_item);
+ rds_inc_put(inc);
+ }
+- write_unlock_irqrestore(&rs->rs_recv_lock, flags);
+ }
+
+ /*
--- /dev/null
+From 1b0ea7ed25e6e7ab579fc53ad13a8febd14a352b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 30 Aug 2024 14:43:57 +0200
+Subject: Revert "Input: ioc3kbd - convert to platform remove callback returning void"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit 0096d223f78cb48db1ae8ae9fd56d702896ba8ae which is
+commit 150e792dee9ca8416f3d375e48f2f4d7f701fc6b upstream.
+
+It breaks the build and shouldn't be here, it was applied to make a
+follow-up one apply easier.
+
+Reported-by: Dominique Martinet <asmadeus@codewreck.org>
+Link: https://lore.kernel.org/r/Zs6hwNxk7QkCe7AW@codewreck.org
+Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230920125829.1478827-37-u.kleine-koenig@pengutronix.de
+Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/ioc3kbd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/serio/ioc3kbd.c
++++ b/drivers/input/serio/ioc3kbd.c
+@@ -190,7 +190,7 @@ static int ioc3kbd_probe(struct platform
+ return 0;
+ }
+
+-static void ioc3kbd_remove(struct platform_device *pdev)
++static int ioc3kbd_remove(struct platform_device *pdev)
+ {
+ struct ioc3kbd_data *d = platform_get_drvdata(pdev);
+
+@@ -198,6 +198,8 @@ static void ioc3kbd_remove(struct platfo
+
+ serio_unregister_port(d->kbd);
+ serio_unregister_port(d->aux);
++
++ return 0;
+ }
+
+ static const struct platform_device_id ioc3kbd_id_table[] = {
+@@ -208,7 +210,7 @@ MODULE_DEVICE_TABLE(platform, ioc3kbd_id
+
+ static struct platform_driver ioc3kbd_driver = {
+ .probe = ioc3kbd_probe,
+- .remove_new = ioc3kbd_remove,
++ .remove = ioc3kbd_remove,
+ .id_table = ioc3kbd_id_table,
+ .driver = {
+ .name = "ioc3-kbd",
mptcp-sched-check-both-backup-in-retrans.patch
ipc-replace-costly-bailout-check-in-sysvipc_find_ipc.patch
drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
+media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch
+revert-input-ioc3kbd-convert-to-platform-remove-callback-returning-void.patch
+ata-libata-core-fix-null-pointer-dereference-on-error.patch
+cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch
+net-rds-fix-possible-deadlock-in-rds_message_put.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
