Speculative Store Bypass mitigation

xfrm: policy: check policy direction value

tcp: avoid collapses in tcp_prune_queue() if possible

tcp: detect malicious patterns in tcp_collapse_ofo_queue()

crypto: algif_skcipher - Load TX SG list after waiting

Revert "net: increase fragment memory usage limits"

fix for use-after-free bug via crafted system calls in mm/mempolicy.c:do_get_mempolicy()

ALSA: seq: Fix racy pool initializations

introduce barrier_nospec() and array_index_nospec() (adaptation, 862.2.3.el7)

fix regression when using the last syscall on x86 (adaptation)

fix regression for ipv6 in latest kernels after spectre commit (adaptation)

Add disable SMT knob

Setup L1TF bug bit

Add ability to flush l1d cache on vmexit

Limit arg stack to at most 75% of _STK_LIM

get_rock_ridge_filename(): handle malformed NM entries

ALSA: pcm: prevent UAF in snd_pcm_info

timerfd: Protect the might cancel mechanism proper

timerfd: Protect the might cancel mechanism proper (kpatch adaptation)

crypto: salsa20 - fix blkcipher_walk API usage

ext4: fail ext4_iget for root directory if unallocated

posix-timer: Properly check sigevent->sigev_notify

fix possible deadlock with mutex within SCSI libsas (adaptation)

vhost: Use kzalloc() to allocate vhost_msg_node

net: dccp: check sk for closed state

loop: fix concurrent lo_open/lo_release

sctp: verify size of a new chunk in _sctp_make_chunk()

kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption

scsi: libsas: fix memory leak

drm: udl: Properly check framebuffer mmap offsets

ext4: always verify the magic number in xattr blocks

ext4: always verify the magic number in xattr blocks

ext4: clear i_data in ext4_inode_info when removing inline data

ext4: avoid running out of journal credits when appending to an inline file

ALSA: rawmidi: Change resized buffers atomically

Fix up non-directory creation in SGID directories

net: create skb_gso_validate_mac_len()

mm/madvise.c: fix madvise() infinite loop under special circumstances

ext4: don't allow r/w mounts if metadata blocks overlap the superblock

xfs: move inode fork verifiers to xfs_dinode_verify

xfs: enhance dinode verifier

cdrom-information-leak-in-cdrom_ioctl_media_changed.patch

proc: do not access cmdline nor environ from file-backed areas

AIO: properly check iovec sizes

ext4: always check block group bounds in ext4_init_block_bitmap()

ext4: make sure bitmaps and the inode table don't overlap with bg descriptors

include/linux/mmdebug.h: add VM_WARN which maps to WARN()

include/linux/mmdebug.h: add VM_WARN_ONCE()

hugetlbfs: check for pgoff value overflow

hugetlbfs: check for pgoff value overflow

hugetlbfs: check for pgoff value overflow

include/linux/mmdebug.h: fix VM_WARN[_*]() with CONFIG_DEBUG_VM=n

mm/hugetlb.c: clean up VM_WARN usage

scsi: target: iscsi: Use hex2bin instead of a re-implementation

scsi: target: iscsi: Use bin2hex instead of a re-implementation

rtnetlink: give a user socket to get_target_net()

[fs] xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE

[fs] ext4: add more inode number paranoia checks

[drm] drm/i915/cmdparser: Check reg_table_count before derefencing

[drm] drm/i915/cmdparser: Do not check past the cmd length

[drm] drm/i915: Silence smatch for cmdparser

[drm] drm/i915: Don't use GPU relocations prior to cmdparser stalls

[drm] drm/i915: Move engine->needs_cmd_parser to engine->flags

net/packet: fix a race in packet_bind() and packet_notifier()

userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails

userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem

userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas

userfaultfd: shmem: add i_size checks

userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set

net: Set sk_prot_creator when cloning sockets to the right proto

proc: restrict kernel stack dumps to root

use-after-free vulnerability in the way the Linux kernel's KVM hypervisor implements its device control API

use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for L2 guests when nested (=1) virtualization is enabled

[net] tcp: pass previous skb to tcp_shifted_skb()

[net] tcp: limit payload size of sacked skbs

[net] tcp: tcp_fragment() should apply sane memory limits

[net] tcp: add tcp_min_snd_mss sysctl

[net] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()

nfsd: COPY and CLONE operations require the saved filehandle to be set

drm/i915/gvt: Fix mmap range check

ipmi_si: fix use-after-free of resource->name

sunrpc: use-after-free in svc_process_common()

CVE-2018-16884 kpatch adaptation

CVE-2018-16884 kpatch adaptation

Bluetooth: hidp: buffer overflow in hidp_process_report

MDS CPU Side-channel Attacks mitigation

vhost-net: set packet weight of tx polling to 2 * vq size

vhost_net: use packet weight for rx handler, too

vhost_net: introduce vhost_exceeds_weight()

vhost_net: fix possible infinite loop

vhost: vsock: add weight support

mm/mincore.c: make mincore() more conservative

l2tp: pass tunnel pointer to ->session_create()

KVM: x86: introduce linear_{read,write}_system

KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system

kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access

vhost/vsock: fix use-after-free in network stack callers

vhost/vsock: fix use-after-free in network stack callers

3.10.0/CVE-2018-15594.patch

Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

vfio/type1: Limit DMA mappings per container

coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

scsi: megaraid_sas: return error when create DMA pool failed

ext4: zero out the unused memory region in the extent tree block

floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

HID: debug: check length before copy_to_user()

alarmtimer: Prevent overflow for relative nanosleep

validate cached inodes are free when allocated in xfs

xfs: fixed incorrect xfs_da_shrink_inode call with NULL buffer

xfs: fixed possible ifp->if_broot dereference based on the XFS_DINODE_FMT_BTREE format

xfs: fix a null pointer dereference in xfs_bmap_extents_to_btree

xfs: fix error handling in xfs_bmap_extents_to_btree

cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status

iovec: make sure the caller actually wants anything in memcpy_fromiovecend

KVM: x86: work around leak of uninitialized stack contents

[drm] drm/i915/gtt: Add read only pages to gen8_pte_encode

[drm] erm/i915/gtt: Read-only pages for insert_entries on bdw+

[drm] drm/i915/gtt: Disable read-only support under GVT

[drm] drm/i915: Prevent writing into a read-only object via a GGTT mmap

[x86] x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations

brcmfmac: assure SSID length from firmware is limited

host: make sure log_num < in_num

block: blk_init_allocated_queue() set q->fq as NULL in the fail case

mwifiex: Fix possible buffer overflows at parsing bss descriptor

mwifiex: Fix possible buffer overflows at parsing bss descriptor

mwifiex: Fix skipped vendor specific IEs

mwifiex: Mark expected switch fall-through

mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

Bluetooth: Align minimum encryption key size for LE and BR/EDR connections

Bluetooth: Fix regression with minimum encryption key size alignment

Bluetooth: Fix faulty expression for minimum encryption key size check

ext4: never move the system.data xattr out of the inode body

x86: kvm: Do not release the page inside mmu_set_spte() (CVE-2018-12207 prerequirement)

CVE-2018-12207 prerequirement - code cleanup and simplification

x86: kvm: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (CVE-2018-12207 prerequirement)

x86: kvm: vmx,svm: always run with EFER.NXE=1 when shadow paging is active (CVE-2018-12207 prerequirement)

kvm: Convert kvm_lock to a mutex (CVE-2018-12207 prerequirement)

kvm: mmu: ITLB_MULTIHIT mitigation (adaptation)

[drm] drm/i915: Rename gen7 cmdparser tables

[drm] drm/i915: Disable Secure Batches for gen6+

[drm] drm/i915: Remove Master tables from cmdparser

[drm] drm/i915: Add support for mandatory cmdparsing

[drm] drm/i915: Support ro ppgtt mapped cmdparser shadow buffers

[drm] drm/i915: Allow parsing of unsized batches

[drm] drm/i915: Add gen9 BCS cmdparsing

[drm] drm/i915/cmdparser: Use explicit goto for error paths

[drm] drm/i915/cmdparser: Add support for backward jumps

[drm] drm/i915/cmdparser: Ignore Length operands during command matching

[drm] drm/i915/gen8+: Add RC6 CTX corruption WA

[drm] drm/i915: Lower RM timeout to avoid DSI hard hangs

[drm] drm/i915/gen8+: Add RC6 CTX corruption WA

[drm] drm/i915/cmdparser: Fix jump whitelist clearing

KVM: coalesced_mmio: add bounds checking

tcp: purge write queue in tcp_connect_init()

mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

Heap Overflow in mwifiex_process_country_ie() function of Marvell Wifi Driver

mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

cfg80211: wext: avoid copying malformed SSIDs

[fs] userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx

[wireless] rtlwifi: Fix potential overflow on P2P code

[x86] kvm: x86: do not modify masked bits of shared MSRs

[kernel] mm: optimize dev_pagemap reference counting around get_dev_pagemap

[mm] gup: don't leak pte_devmap references in the gup slow paths

[mm] mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page errors

[mm] mm: prevent get_user_pages() from overflowing page refcount

[netdrv] brcmfmac: add subtype check for event handling in data path

[usb] check usb_get_extra_descriptor for proper size

[usb] hso: Fix OOB memory access in hso_probe/hso_get_config_data

[net] bluetooth: hidp: fix buffer overflow

[bluetooth] Bluetooth: hci_uart: check for missing tty operations

[block] floppy: fix out-of-bounds read in copy_buffer

[sound] ALSA: info: Fix racy addition/deletion of nodes

[sound] ALSA: core: Fix card races between register and disconnect

[sound] ALSA: line6: Fix write on zero-sized buffer

[sound] ALSA: line6: Fix memory leak at line6_init_pcm() error path

[net] tun: call dev_get_valid_name() before register_netdevice()

[net] tun: allow positive return values on dev_get_valid_name() call

[fs] dcache: allow word-at-a-time name hashing with big-endian CPUs

[lib] siphash: add cryptographically secure PRF

[net] inet: switch IP ID generator to siphash

[security] KEYS: Strip trailing spaces

[security] KEYS: remove unnecessary get/put of explicit dest_keyring

[security] KEYS: add missing permission check for request_key() destination

[drm] drm/edid: Fix a missing-check bug in drm_load_edid_firmware()

binfmt_elf: switch to new creds when switching to new mm

[kernel] perf/core: Fix perf_event_open() vs. execve() race

[net] sysfs: Fix mem leak in netdev_register_kobject

cfg80211: add and use strongly typed element iteration macros

ieee80211: fix for_each_element_extid()

cfg80211: Use const more consistently in for_each_element macros

[net] mac80211: Do not send Layer 2 Update frame before authorization

[net] nl80211: validate beacon head

[media] cx24116: fix a buffer overflow when checking userspace params

scsi: qedi: remove memset/memcpy to nfunc and use func instead

netlabel: cope with NULL catmap

tracing: Fix possible double free on failure of allocating trace buffer

blktrace: fix dereference after null check

x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

mm: Fix mremap not considering huge pmd devmap

HID: hiddev: avoid opening a disconnected device

mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()

mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()

mac80211: drop robust management frames from unknown TA

mac80211: handle deauthentication/disassociation from TDLS peer

kernel: memory corruption in Voice over IP nf_conntrack_h323 module

KVM: fix overflow of zero page refcount with ksm running

floppy: check FDC index for errors before assigning it

mwifiex: Fix mem leak in mwifiex_tm_cmd

vgacon: Fix a UAF in vgacon_invert_region

ipv6: constify ip6_dst_lookup_{flow|tail}() sock arguments

net: ipv6: add net argument to ip6_dst_lookup_flow

net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup

net: ipv6_stub: ip6_dst_lookup_flow (adaptation)

KVM: nVMX: Don't emulate instructions in guest mode

KVM: nVMX: Refactor IO bitmap checks into helper function

KVM: nVMX: Check IO instruction VM-exit conditions

KVM: VMX: check descriptor table exits on instruction emulation

KVM: x86: clear stale x86_emulate_ctxt->intercept value

vhost: Check docket sk_family instead of call getname

mm: mempolicy: require at least one nodeid for MPOL_PREFERRED

Input: add safety guards to input_set_keycode

fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info

signal: Extend exec_id to 64bits

signal: Extend exec_id to 64bits (adaptation)

scsi: sg: add sg_remove_request in sg_write

nfs: Correct an nfs page array calculation error

selinux: properly handle multiple messages in selinux_netlink_send

crypto: ccp - Release all allocated memory

mISDN: enforce CAP_NET_RAW for raw sockets

ieee802154: enforce CAP_NET_RAW for raw sockets

net: sit: fix memory leak in sit_init_net()

scsi: qla2xxx: fix a potential NULL pointer dereference

fjes: Handle workqueue allocation failure.

Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()

scsi: libsas: delete sas port if expander discover failed

media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap

scsi: libsas: fix a race condition when smp task timeout

fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links

fs/proc/proc_sysctl.c: Fix a NULL pointer dereference

can: peak_usb: fix slab info leak

ext4: work around deleting a file with i_nlink == 0 safely

KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)

i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

Input: ff-memless - kill timer in destroy()

iwlwifi: dbg_ini: fix memory leak in alloc_sgtable

rtlwifi: prevent memory leak in rtl_usb_probe

crypto: user - fix memory leak in crypto_report

media: v4l: event: Prevent freeing event subscriptions while accessed

media: v4l: event: Prevent freeing event subscriptions while accessed (adaptation)

ext4: validate the debug_want_extra_isize mount option at parse time

ext4: forbid i_extra_isize not divisible by 4

ext4: add more paranoia checking in ext4_expand_extra_isize handling

ext4: fix support for inode sizes > 1024 bytes

USB: adutux: fix use-after-free on disconnect

usb: cdc-acm: make sure a refcount is taken early enough

USB: core: Fix races in character device registration and deregistraion

Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

Bluetooth: A2MP: Fix not initializing all members

net-sysfs: call dev_hold if kobject_init_and_add success

net-sysfs: Call dev_hold always in netdev_queue_add_kobject

net-sysfs: Call dev_hold always in rx_queue_add_kobject

Fix for missing check in vgacon scrollback handling

net/flow_dissector: switch to siphash

net/flow_dissector: switch to siphash (adaptation)

crypto: authenc - fix parsing key with misaligned rta_len

ext4: fix potential negative array index in do_split()

nfsd: apply umask on fs without ACL support

nfs: Fix getxattr kernel panic and memory overflow

hdlc_ppp: add range checks in ppp_cp_parse_cr()

block: Fix use-after-free in blkdev_get()

nfsd: fix incorrect umasks

nfsd: fix incorrect umasks (adaptation)

icmp: randomize the global rate limiter

HID: Fix assumption that devices have inputs

pinctrl: Delete an error message

pinctrl: devicetree: Avoid taking direct reference to device name string

perf/core: Fix race in the perf_mmap_close() function

netfilter: ctnetlink: add a range check for l3/l4 protonum

geneve: add transport ports in route lookup for geneve

tty/vt: fix write/write race in ioctl(KDSKBSENT) handler

tty: keyboard, do not speculate on func_table index

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

[target] add SAM_STAT_BUSY sense reason

[target] Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE

[target] Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code

[target] add XCOPY target/segment desc sense codes

[target] bounds check XCOPY segment descriptor list

[target] simplify XCOPY wwn->se_dev lookup helper

[target] use XCOPY segment descriptor CSCD IDs

[target] check for XCOPY parameter truncation

[target] support XCOPY requests without parameters

[target] Use correct SCSI status during EXTENDED_COPY exception

[target] Fix a deadlock between the XCOPY code and iSCSI session shutdown

[xcopy] loop over devices using idr helper

scsi: target: Fix XCOPY NAA identifier lookup

scsi: target: Fix XCOPY NAA identifier lookup

tty: Fix ->pgrp locking in tiocspgrp()

drm/i915: Fix use-after-free when destroying GEM context

af_unix: fix struct pid memory leak

af_unix: fix struct pid memory leak (adaptation)

scsi: iscsi: Restrict sessions and handles to admin capabilities

sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output (CVE-2021-27365 dependency)

scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

scsi: iscsi: Verify lengths on passthrough PDUs

futex: Replace pointless printk in fixup_owner()

futex: Provide and use pi_state_update_owner()

futex: Handle faults correctly for PI futexes

vt: selection, close sel_buffer race

seq_file: Disallow extremely large seq buffer allocations

media: xirlink_cit: add missing descriptor sanity checks

cipso,calipso: resolve a number of problems with the DOI refcounts

net: mac802154: Fix general protection fault

Bluetooth: verify AMP hci_chan before amp_destroy

Bluetooth: verify AMP hci_chan before amp_destroy (kcare adaptation)

sched/numa: Move task_numa_free() to __put_task_struct()

sched/numa: Fix task_numa_free() lockdep splat

sched/numa: Simplify task_numa_compare()

sched/fair: Don't free p->numa_faults with concurrent readers

sched/fair: Use RCU accessors consistently for ->numa_group

netfilter: x_tables: fix compat match/target pad out-of-bound write

bpf, x86: Validate computation of branch displacements for x86-64

netfilter: x_tables: Use correct memory barriers.

bluetooth: eliminate the potential race condition when removing the

net_sched: cls_route: remove the right filter from hashtable

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (adaptation)

KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

RDMA/cma: Add missing locking to rdma_accept()

RDMA/ucma: Fix the locking of ctx->file

RDMA/ucma: Fix locking for ctx->events_reported

RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

perf/core: Fix a memory leak in perf_event_parse_addr_filter()

firewire: firedtv-avc: potential buffer overflow

media: firewire: firedtv-avc: fix a buffer overflow

[media] firewire: don't break long lines

media: firewire: firedtv-avc: fix a buffer overflow

fuse: fix bad inode

HID: core: Sanitize event code and type when mapping input

do_epoll_ctl(): clean the failure exits up a bit

af_unix: fix garbage collect vs MSG_PEEK

af_unix: fix garbage collect vs MSG_PEEK (adaptation)

Bluetooth: fix the erroneous flush_work() order

Bluetooth: use correct lock to prevent UAF of hdev object

Bluetooth: fix use-after-free error in lock_sock_nested()

xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like

drm/vmwgfx: Fix stale file descriptors on failed usercopy

drm/i915: Flush TLBs before releasing backing store

RDMA/cma: Do not change route.addr.src_addr.ss_family

fget: check that the fd still exists after getting a ref to it

fget: check that the fd still exists after getting a ref to it

fget: check that the fd still exists after getting a ref to it (adaptation)

Initialize registers to avoid stack leak into userspace.

Bail out in case userspace uses unsupported registers.

cgroup-v1: Require capabilities to set release_agent

perf: Fix sys_perf_event_open() race against self

netfilter: nf_tables: disallow non-stateful expression in

x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data

net_sched: cls_route: remove from list when handle is 0

net: usb: ax88179_178a: fix packet alignment padding

ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32

net: usb: Merge cpu_to_le32s + memcpy to put_unaligned_le32

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup

net: usb: ax88179_178a: Fix packet receiving

Restrict access to pagemap/kpageflags/kpagecount

vmx_vcpu_run wrapper