--- /dev/null
+From f7e0e8b2f1b0a09b527885babda3e912ba820798 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Wed, 9 Sep 2020 03:17:00 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream.
+
+`num_reports` is not being properly checked. A malformed event packet with
+a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
+of bounds. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events")
+Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5868,21 +5868,19 @@ static void hci_le_direct_adv_report_evt
+ struct sk_buff *skb)
+ {
+ u8 num_reports = skb->data[0];
+- void *ptr = &skb->data[1];
++ struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
+
+- hci_dev_lock(hdev);
++ if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
++ return;
+
+- while (num_reports--) {
+- struct hci_ev_le_direct_adv_info *ev = ptr;
++ hci_dev_lock(hdev);
+
++ for (; num_reports; num_reports--, ev++)
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, &ev->direct_addr,
+ ev->direct_addr_type, ev->rssi, NULL, 0,
+ false);
+
+- ptr += sizeof(*ev);
+- }
+-
+ hci_dev_unlock(hdev);
+ }
+
--- /dev/null
+From 92eb6c3060ebe3adf381fd9899451c5b047bb14d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 26 Oct 2020 13:07:15 -0700
+Subject: crypto: af_alg - avoid undefined behavior accessing salg_name
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream.
+
+Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm
+names") made the kernel start accepting arbitrarily long algorithm names
+in sockaddr_alg. However, the actual length of the salg_name field
+stayed at the original 64 bytes.
+
+This is broken because the kernel can access indices >= 64 in salg_name,
+which is undefined behavior -- even though the memory that is accessed
+is still located within the sockaddr structure. It would only be
+defined behavior if the array were properly marked as arbitrary-length
+(either by making it a flexible array, which is the recommended way
+these days, or by making it an array of length 0 or 1).
+
+We can't simply change salg_name into a flexible array, since that would
+break source compatibility with userspace programs that embed
+sockaddr_alg into another struct, or (more commonly) declare a
+sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'.
+
+One solution would be to change salg_name into a flexible array only
+when '#ifdef __KERNEL__'. However, that would keep userspace without an
+easy way to actually use the longer algorithm names.
+
+Instead, add a new structure 'sockaddr_alg_new' that has the flexible
+array field, and expose it to both userspace and the kernel.
+Make the kernel use it correctly in alg_bind().
+
+This addresses the syzbot report
+"UBSAN: array-index-out-of-bounds in alg_bind"
+(https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e).
+
+Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
+Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c | 10 +++++++---
+ include/uapi/linux/if_alg.h | 16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -147,7 +147,7 @@ static int alg_bind(struct socket *sock,
+ const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
+ struct sock *sk = sock->sk;
+ struct alg_sock *ask = alg_sk(sk);
+- struct sockaddr_alg *sa = (void *)uaddr;
++ struct sockaddr_alg_new *sa = (void *)uaddr;
+ const struct af_alg_type *type;
+ void *private;
+ int err;
+@@ -155,7 +155,11 @@ static int alg_bind(struct socket *sock,
+ if (sock->state == SS_CONNECTED)
+ return -EINVAL;
+
+- if (addr_len < sizeof(*sa))
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) !=
++ offsetof(struct sockaddr_alg, salg_name));
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa));
++
++ if (addr_len < sizeof(*sa) + 1)
+ return -EINVAL;
+
+ /* If caller uses non-allowed flag, return error. */
+@@ -163,7 +167,7 @@ static int alg_bind(struct socket *sock,
+ return -EINVAL;
+
+ sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+- sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
++ sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;
+
+ type = alg_get_type(sa->salg_type);
+ if (PTR_ERR(type) == -ENOENT) {
+--- a/include/uapi/linux/if_alg.h
++++ b/include/uapi/linux/if_alg.h
+@@ -24,6 +24,22 @@ struct sockaddr_alg {
+ __u8 salg_name[64];
+ };
+
++/*
++ * Linux v4.12 and later removed the 64-byte limit on salg_name[]; it's now an
++ * arbitrary-length field. We had to keep the original struct above for source
++ * compatibility with existing userspace programs, though. Use the new struct
++ * below if support for very long algorithm names is needed. To do this,
++ * allocate 'sizeof(struct sockaddr_alg_new) + strlen(algname) + 1' bytes, and
++ * copy algname (including the null terminator) into salg_name.
++ */
++struct sockaddr_alg_new {
++ __u16 salg_family;
++ __u8 salg_type[14];
++ __u32 salg_feat;
++ __u32 salg_mask;
++ __u8 salg_name[];
++};
++
+ struct af_alg_iv {
+ __u32 ivlen;
+ __u8 iv[0];
--- /dev/null
+From e51d68e76d604c6d5d1eb13ae1d6da7f6c8c0dfc Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 9 Dec 2020 01:13:38 +0530
+Subject: fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit e51d68e76d604c6d5d1eb13ae1d6da7f6c8c0dfc upstream.
+
+When dquot_resume() was last updated, the argument that got passed
+to vfs_cleanup_quota_inode was incorrectly set.
+
+If type = -1 and dquot_load_quota_sb() returns a negative value,
+then vfs_cleanup_quota_inode() gets called with -1 passed as an
+argument, and this leads to an array-index-out-of-bounds bug.
+
+Fix this issue by correctly passing the arguments.
+
+Fixes: ae45f07d47cc ("quota: Simplify dquot_resume()")
+Link: https://lore.kernel.org/r/20201208194338.7064-1-anant.thazhemadam@gmail.com
+Reported-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
+Tested-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/dquot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2455,7 +2455,7 @@ int dquot_resume(struct super_block *sb,
+ ret = dquot_load_quota_sb(sb, cnt, dqopt->info[cnt].dqi_fmt_id,
+ flags);
+ if (ret < 0)
+- vfs_cleanup_quota_inode(sb, type);
++ vfs_cleanup_quota_inode(sb, cnt);
+ }
+
+ return ret;
--- /dev/null
+From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001
+From: "Dae R. Jeong" <dae.r.jeong@kaist.ac.kr>
+Date: Thu, 22 Oct 2020 10:21:28 +0900
+Subject: md: fix a warning caused by a race between concurrent md_ioctl()s
+
+From: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+
+commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream.
+
+Syzkaller reports a warning as belows.
+WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169
+...
+Call Trace:
+...
+RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169
+RSP: 0018:ffff888096027950 EFLAGS: 00010293
+RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2
+RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007
+RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482
+R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932
+R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408
+ __blkdev_driver_ioctl block/ioctl.c:304 [inline]
+ blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606
+ block_ioctl+0xee/0x130 fs/block_dev.c:1930
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is caused by a race between two concurrenct md_ioctl()s closing
+the array.
+CPU1 (md_ioctl()) CPU2 (md_ioctl())
+------ ------
+set_bit(MD_CLOSING, &mddev->flags);
+did_set_md_closing = true;
+ WARN_ON_ONCE(test_bit(MD_CLOSING,
+ &mddev->flags));
+if(did_set_md_closing)
+ clear_bit(MD_CLOSING, &mddev->flags);
+
+Fix the warning by returning immediately if the MD_CLOSING bit is set
+in &mddev->flags which indicates that the array is being closed.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7590,8 +7590,11 @@ static int md_ioctl(struct block_device
+ err = -EBUSY;
+ goto out;
+ }
+- WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
+- set_bit(MD_CLOSING, &mddev->flags);
++ if (test_and_set_bit(MD_CLOSING, &mddev->flags)) {
++ mutex_unlock(&mddev->open_mutex);
++ err = -EBUSY;
++ goto out;
++ }
+ did_set_md_closing = true;
+ mutex_unlock(&mddev->open_mutex);
+ sync_blockdev(bdev);
--- /dev/null
+From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Sat, 17 Aug 2019 03:12:10 +0200
+Subject: media: msi2500: assign SPI bus number dynamically
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream.
+
+SPI bus number must be assigned dynamically for each device, otherwise it
+will crash when multiple devices are plugged to system.
+
+Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/msi2500/msi2500.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/msi2500/msi2500.c
++++ b/drivers/media/usb/msi2500/msi2500.c
+@@ -1230,7 +1230,7 @@ static int msi2500_probe(struct usb_inte
+ }
+
+ dev->master = master;
+- master->bus_num = 0;
++ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->transfer_one_message = msi2500_transfer_one_message;
+ spi_master_set_devdata(master, dev);
--- /dev/null
+From 2d9463083ce92636a1bdd3e30d1236e3e95d859e Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Sat, 5 Dec 2020 03:28:25 +0530
+Subject: nl80211: validate key indexes for cfg80211_registered_device
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream.
+
+syzbot discovered a bug in which an OOB access was being made because
+an unsuitable key_idx value was wrongly considered to be acceptable
+while deleting a key in nl80211_del_key().
+
+Since we don't know the cipher at the time of deletion, if
+cfg80211_validate_key_settings() were to be called directly in
+nl80211_del_key(), even valid keys would be wrongly determined invalid,
+and deletion wouldn't occur correctly.
+For this reason, a new function - cfg80211_valid_key_idx(), has been
+created, to determine if the key_idx value provided is valid or not.
+cfg80211_valid_key_idx() is directly called in 2 places -
+nl80211_del_key(), and cfg80211_validate_key_settings().
+
+Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
+Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com
+Cc: stable@vger.kernel.org
+[also disallow IGTK key IDs if no IGTK cipher is supported]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/core.h | 2 +
+ net/wireless/nl80211.c | 7 +++---
+ net/wireless/util.c | 51 +++++++++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 49 insertions(+), 11 deletions(-)
+
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -433,6 +433,8 @@ void cfg80211_sme_abandon_assoc(struct w
+
+ /* internal helpers */
+ bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
++ int key_idx, bool pairwise);
+ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
+ struct key_params *params, int key_idx,
+ bool pairwise, const u8 *mac_addr);
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4260,9 +4260,6 @@ static int nl80211_del_key(struct sk_buf
+ if (err)
+ return err;
+
+- if (key.idx < 0)
+- return -EINVAL;
+-
+ if (info->attrs[NL80211_ATTR_MAC])
+ mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+
+@@ -4278,6 +4275,10 @@ static int nl80211_del_key(struct sk_buf
+ key.type != NL80211_KEYTYPE_GROUP)
+ return -EINVAL;
+
++ if (!cfg80211_valid_key_idx(rdev, key.idx,
++ key.type == NL80211_KEYTYPE_PAIRWISE))
++ return -EINVAL;
++
+ if (!rdev->ops->del_key)
+ return -EOPNOTSUPP;
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -272,18 +272,53 @@ bool cfg80211_supported_cipher_suite(str
+ return false;
+ }
+
+-int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
+- struct key_params *params, int key_idx,
+- bool pairwise, const u8 *mac_addr)
++static bool
++cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev)
++{
++ struct wiphy *wiphy = &rdev->wiphy;
++ int i;
++
++ for (i = 0; i < wiphy->n_cipher_suites; i++) {
++ switch (wiphy->cipher_suites[i]) {
++ case WLAN_CIPHER_SUITE_AES_CMAC:
++ case WLAN_CIPHER_SUITE_BIP_CMAC_256:
++ case WLAN_CIPHER_SUITE_BIP_GMAC_128:
++ case WLAN_CIPHER_SUITE_BIP_GMAC_256:
++ return true;
++ }
++ }
++
++ return false;
++}
++
++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
++ int key_idx, bool pairwise)
+ {
+- int max_key_idx = 5;
++ int max_key_idx;
+
+- if (wiphy_ext_feature_isset(&rdev->wiphy,
+- NL80211_EXT_FEATURE_BEACON_PROTECTION) ||
+- wiphy_ext_feature_isset(&rdev->wiphy,
+- NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
++ if (pairwise)
++ max_key_idx = 3;
++ else if (wiphy_ext_feature_isset(&rdev->wiphy,
++ NL80211_EXT_FEATURE_BEACON_PROTECTION) ||
++ wiphy_ext_feature_isset(&rdev->wiphy,
++ NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
+ max_key_idx = 7;
++ else if (cfg80211_igtk_cipher_supported(rdev))
++ max_key_idx = 5;
++ else
++ max_key_idx = 3;
++
+ if (key_idx < 0 || key_idx > max_key_idx)
++ return false;
++
++ return true;
++}
++
++int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
++ struct key_params *params, int key_idx,
++ bool pairwise, const u8 *mac_addr)
++{
++ if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise))
+ return -EINVAL;
+
+ if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
--- /dev/null
+From 11c514a99bb960941535134f0587102855e8ddee Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 2 Nov 2020 16:16:29 +0100
+Subject: quota: Sanity-check quota file headers on load
+
+From: Jan Kara <jack@suse.cz>
+
+commit 11c514a99bb960941535134f0587102855e8ddee upstream.
+
+Perform basic sanity checks of quota headers to avoid kernel crashes on
+corrupted quota files.
+
+CC: stable@vger.kernel.org
+Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/quota_v2.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -157,6 +157,25 @@ static int v2_read_file_info(struct supe
+ qinfo->dqi_entry_size = sizeof(struct v2r1_disk_dqblk);
+ qinfo->dqi_ops = &v2r1_qtree_ops;
+ }
++ ret = -EUCLEAN;
++ /* Some sanity checks of the read headers... */
++ if ((loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits >
++ i_size_read(sb_dqopt(sb)->files[type])) {
++ quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).",
++ (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits,
++ i_size_read(sb_dqopt(sb)->files[type]));
++ goto out;
++ }
++ if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) {
++ quota_error(sb, "Free block number too big (%u >= %u).",
++ qinfo->dqi_free_blk, qinfo->dqi_blocks);
++ goto out;
++ }
++ if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) {
++ quota_error(sb, "Block with free entry too big (%u >= %u).",
++ qinfo->dqi_free_entry, qinfo->dqi_blocks);
++ goto out;
++ }
+ ret = 0;
+ out:
+ up_read(&dqopt->dqio_sem);
ubifs-prevent-creating-duplicate-encrypted-filenames.patch
ext4-prevent-creating-duplicate-encrypted-filenames.patch
f2fs-prevent-creating-duplicate-encrypted-filenames.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
+quota-sanity-check-quota-file-headers-on-load.patch
+fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
+nl80211-validate-key-indexes-for-cfg80211_registered_device.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
