perf/hwbp: Simplify the perf-hwbp code, fix documentation

kvm/x86: fix icebp instruction handling

x86/entry/64: Don't use IST entry for #BP stack

x86/entry/64: Don't use IST entry for #BP stack (kpatch adaptation)

Revert "bpf: fix incorrect sign extension in check_alu_op()"

bpf: fix incorrect sign extension in check_alu_op()

UBUNTU: SAUCE: Add missing hunks from "bpf: fix branch pruning logic"

ALSA: seq: Don't allow resizing pool in use

ALSA: seq: More protection for concurrent write and ioctl races(kpatch adoptation)

f2fs: fix a bug caused by NULL extent tree

net: hns: ethtool_get_strings() overflow in hns driver

net: netfilter: add back stackpointer size check

net: netfilter: don't trust user-space offsets

net: dccp: check sk for closed state

net: sctp: verify size of a new chunk

blkcg: fix doube free of new_blkg in blkcg_init_queue

scsi: libsas: fix memory leak

x86/MCE: serialize sysfs changes

check framebuffer mmap offsets

Speculative Store Bypass mitigation

sctp: fix dst refcnt leak in sctp_v4_get_dst

mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()

ext4: fail ext4_iget for root directory if unallocated

cdrom: information leak in cdrom_ioctl_media_changed()

ext4: add validity checks for bitmap block numbers

ext4: add validity checks for bitmap block numbers

scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

ACPI cache leak in early ACPI terminnation.

perf/core: Fix the perf_cpu_time_max_percent check

floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

kernel/signal.c: avoid undefined behaviour in kill_something_info

kernel/exit.c: avoid undefined behaviour when calling wait4()

f2fs: fix a dead loop in f2fs_fiemap()

scsi: libsas: defer ata device eh commands to libata

tcp: avoid collapses in tcp_prune_queue() if possible

tcp: detect malicious patterns in tcp_collapse_ofo_queue()

Revert "net: increase fragment memory usage limits"

Revert "net: increase fragment memory usage limits"

fix possible out-of-bound write in jbd2_journal_dirty_metadata() by mounting crafted ext4 fs

Cipso: cipso_v4_optptr enter infinite loop

fix to do sanity check with {sit,nat}_ver_bitmap_bytesize

pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration

pinctrl: Add devm_ apis for pinctrl_{register, unregister}

pinctrl: Add devm_ apis for pinctrl_{register, unregister}

posix-timers: Sanitize overrun handling

posix-timers: Sanitize overrun handling

xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE

cdrom: fix improper type cast, which can leat to information leak

fix possible out-of-bound write in jbd2_journal_dirty_metadata() by mounting crafted ext4 fs (adaptation)

cleancache: fix corruption on missed inode invalidation (new file with same inode may contain old file's data)

fix use-after-free bug in ALSA when supplying a malicious USB Sound device (with zero interfaces)

add size checks for reading of an extra descriptor in __usb_get_extra_descriptor()

kvm: x86: fix NULL pointer dereference in the vcpu_scan_ioapic()

f2fs: fix a panic caused by NULL flush_cmd_control

USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data

denial of service (system crash)

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached

denial of service

f2fs: fix race condition in between free nid allocator/initializer

f2fs: fix race condition in between free nid allocator/initializer

f2fs: fix race condition in between free nid allocator/initializer

f2fs: fix to do sanity check with user_block_count

f2fs: fix to do sanity check with user_block_count

f2fs: fix to do sanity check with user_block_count

f2fs: fix to do sanity check with reserved blkaddr of inline inode

f2fs: fix to do sanity check with secs_per_zone

f2fs: fix to do sanity check with secs_per_zone

btrfs: Check that each block group has corresponding chunk at mount time

btrfs: Check that each block group has corresponding chunk at mount time

btrfs: validate type when reading a chunk

btrfs: validate type when reading a chunk

btrfs: validate type when reading a chunk

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Detect invalid and empty essential trees

btrfs: tree-checker: Verify block_group_item

f2fs: fix to do sanity check with cp_pack_start_sum

f2fs: fix to do sanity check with block address in main area v2

f2fs: fix to do sanity check with block address in main area v2

sunrpc: use-after-free in svc_process_common

CVE-2018-16884 kpatch adaptation

Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

can: gw: ensure DLC boundaries after CAN frame modification

HID: debug: fix the ring buffer implementation

kvm: fix kvm_ioctl_create_device() reference counting

KVM: nVMX: unconditionally cancel preemption timer in free_nested

KVM: x86: work around leak of uninitialized stack contents

mm: enforce min addr even if capable() in expand_downwards()

l2tp: pass tunnel pointer to ->session_create()

mds clear cpu buffers

binfmt_elf: switch to new creds when switching to new mm

vfio/type1: Limit DMA mappings per container

sctp: implement memory accounting on rx path

sctp: implement memory accounting on tx path

scsi: megaraid_sas: return error when create DMA pool failed

net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().

binder: replace "%p" with "%pK"

scsi: libsas: fix a race condition when smp task timeout

brcmfmac: screening firmware event packet

brcmfmac: revise handling events in receive path

brcmfmac: fix incorrect event channel deduction

brcmfmac: add subtype check for event handling in data path

denial of service

denial of service

9p: use inode->i_lock to protect i_size_write() under 32-bit

net: hsr: fix memory leak in hsr_dev_finalize()

fixed possible OOB-read with improper input validation in drivers/media/usb/uvc/uvc_driver.c

i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

UBUNTU: SAUCE: tcp: limit payload size of sacked skbs

UBUNTU: SAUCE: tcp: tcp_fragment() should apply sane memory limits

tcp: add tcp_min_snd_mss sysctl

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()

fix buffer overflow

local user can obtain sensitive information by reading uninitialized data in the filesystem

drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

mwifiex: Abort at too short BSS descriptor element

mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations

coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME

kvm: fix vhost_net log overflow

use-after-free

denial of service by division-by-zero

drivers/block/floppy.c: an integer overflow and out-of-bounds read

xfs: clear sb->s_fs_info on mount failure

GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt

usb: gadget: f_midi: fail if set_alt fails to allocate requests

USB: gadget: f_midi: fixing a possible double-free in f_midi

mac80211: drop robust management frames from unknown TA

mac80211: handle deauthentication/disassociation from TDLS peer

Bluetooth: hci_uart: check for missing tty operations

pipe: add pipe_buf_get() helper

mm: add 'try_get_page()' helper function

fs: prevent page refcount overflow in pipe_buf_get

mm: make page ref count overflow check tighter and more explicit

mm, gup: ensure real head page is ref-counted when using hugepages

mm: prevent get_user_pages() from overflowing page refcount

Input: gtco - bounds check collection indent level

media: radio-raremono: change devm_k*alloc to k*alloc

media: cpia2_usb: first wake up, then free in disconnect

ath6kl: add some bounds checking

media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap

fix possible deadlock with mutex within SCSI libsas (adaptation)

rsi: add fix for crash during assertions

mwifiex: Fix three heap overflow at parsing element in

mwifiex: Fix three heap overflow at parsing element in

KVM: coalesced_mmio: add bounds checking

ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit

ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit

media: technisat-usb2: break out of loop at end of buffer

x86: kvm: Do not release the page inside mmu_set_spte() (CVE-2018-12207 prerequirement)

CVE-2018-12207 prerequirement - code cleanup and simplification

x86: kvm: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (CVE-2018-12207 prerequirement)

x86: kvm: vmx,svm: always run with EFER.NXE=1 when shadow paging is active (CVE-2018-12207 prerequirement)

kvm: Convert kvm_lock to a mutex (CVE-2018-12207 prerequirement)

kvm: mmu: ITLB_MULTIHIT mitigation (adaptation)

ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

ax25: enforce CAP_NET_RAW for raw sockets

ieee802154: enforce CAP_NET_RAW for raw sockets

appletalk: enforce CAP_NET_RAW for raw sockets

mISDN: enforce CAP_NET_RAW for raw sockets

nfc: enforce CAP_NET_RAW for raw sockets

rtlwifi: enforce CAP_NET_RAW for raw sockets

ANDROID: binder: remove waitqueue when thread exits.

nl80211: fixed buffer overflow when handling beacon settings

nl80211: fixed buffer overflow when handling beacon settings (helper functions)

drm/i915/gtt: Add read only pages to gen8_pte_encode

drm/i915/gtt: Read-only pages for insert_entries on bdw+

drm/i915/gtt: Disable read-only support under GVT

drm/i915: Rename gen7 cmdparser tables

drm/i915: Disable Secure Batches for gen6+

drm/i915/cmdparser: Use binary search for faster register lookup

drm/i915/cmdparser: Check reg_table_count before derefencing.

drm/i915: Remove Master tables from cmdparser

drm/i915: Add support for mandatory cmdparsing

drm/i915: Support ro ppgtt mapped cmdparser shadow buffers

drm/i915: Allow parsing of unsized batches

drm/i915: Add gen9 BCS cmdparsing

Add support for backward jumps

drm/i915/cmdparser: Ignore Length operands during command matching

drm/i915: Lower RM timeout to avoid DSI hard hangs

drm/i915/gen8+: Add RC6 CTX corruption WA

drm/i915/cmdparser: Fix jump whitelist clearing

x86/speculation/taa: Add mitigation for TSX Async Abort

sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c

fixed possible DoS in drivers/infiniband/hw/cxgb4/mem.c via directly calling dma_map_single() from a stack variable

fixed buffer overflow in cfg80211_mgd_wext_giwessid() in net/wireless/wext-sme.c which does not reject a long SSID IE

mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

libertas: Fix two buffer overflows at parsing bss descriptor

fix a heap overflow in mmwifiex_process_tdls_action_frame()

can: gs_usb: gs_can_open(): prevent memory leak

Input: ff-memless - kill timer in destroy()

can: peak_usb: fix slab info leak

drm/i915/gen9: Clear residual context state on context switch

media: b2c2-flexcop-usb: add sanity checking

media: vivid: Fix wrong locking that causes race conditions on streaming stop

btrfs: abort transaction after failed inode updates in create_subvol

btrfs: Remove btrfs_bio::flags member

btrfs: refactor btrfs_find_device() take fs_devices as argument

btrfs: merge btrfs_find_device and find_device

mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring

crypto: user - fix memory leak in crypto_report

rtlwifi: prevent memory leak in rtl_usb_probe

appletalk: Fix potential NULL pointer dereference in unregister_snap_client

KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)

Revert "KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)"

net: icmp: fix data-race in cmp_global_allow()

p54usb: Fix race between disconnect and firmware loading

ALSA: line6: Fix write on zero-sized buffer

xen: let alloc_xenballooned_pages() fail if not enough memory free

wimax: i2400: fix memory leak

wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle

mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf

scsi: bfa: release allocated memory in case of error

rtl8xxxu: prevent leaking urb

scsi: libsas: stop discovering if oob mode is disconnected

dccp: Fix memleak in __feat_register_sp

cfg80211/mac80211: make ieee80211_send_layer2_update a public function

mac80211: Do not send Layer 2 Update frame before authorization

kvm: nVMX: fixed L2 guest possible tricking the L0 hypervisor to access sensitive L1 resources

can, slip: Protect tty->disc_data in write_wakeup and close with RCU

blktrace: fix unlocked registration of tracepoints

tracing/blktrace: Fix to allow setting same value

blktrace: Protect q->blk_trace with RCU

blktrace: fix dereference after null check

scsi: qla2xxx: fix a potential NULL pointer dereference

iwlwifi: pcie: fix rb_allocator workqueue allocation

vt: selection, close sel_buffer race

floppy: check FDC index for errors before assigning it

stack-based out-of-bounds write

kernel stack corruption via crafted system calls

media: ov519: add missing endpoint sanity checks

media: stv06xx: add missing descriptor sanity checks

media: xirlink_cit: add missing descriptor sanity checks

iio: imu: adis16400: release allocated memory on failure

CAN: zero scl_bump properly

sctp: fix possibly using a bad saddr with a given dst

net: ipv6: add net argument to ip6_dst_lookup_flow

net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup

signal: Extend exec_id to 64bits

signal: Extend exec_id to 64bits (kpatch adaptation)

signal: Extend exec_id to 64bits (kpatch adaptation)

fs/namespace.c: fix mountpoint reference counter race

drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit.

drivers: usb: core: Minimize irq disabling in usb_sg_cancel()

USB: core: Fix free-while-in-use bug in the USB S-Glibrary

ext4: protect journal inode's blocks using block_validity

ext4: unsigned int compared against zero

ext4: don't perform block validity checks on the journal inode

propagate_one(): mnt_set_mountpoint() needs mount_lock

selinux: properly handle multiple messages in selinux_netlink_send()

spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls

x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation

ext4: add cond_resched() to ext4_protect_reserved_inode

Incorrect version of patch were initially used. Work on correct fix is in progress.

scsi: sg: add sg_remove_request in sg_write

netlabel: cope with NULL catmap

USB: gadget: fix illegal array access in binding with UDC

kernel: memory corruption in Voice over IP nf_conntrack_h323 module

can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices

fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

media: go7007: fix a miss of snd_card_free

vt: keyboard: avoid signed integer overflow in k_ascii

aufs: do not call i_readcount_inc

aufs: bugfix, IMA i_readcount

bcache: fix potential deadlock problem in btree_gc_coalesce

btrfs: merge btrfs_find_device and find_device

xfs: set format back to extents if xfs_bmap_extents_to_btree

f2fs: fix to avoid accessing xattr across the boundary

f2fs: check memory boundary by insane namelen

f2fs: check if file namelen exceeds max value

media: rc: prevent memory leak in cx23888_ir_probe

ath9k_htc: release allocated buffer if timed out

ath9k: release allocated buffer if timed out

f2fs: fix to avoid memory leakage in f2fs_listxattr

net-sysfs: call dev_hold if kobject_init_and_add success

nfs: Fix getxattr kernel panic and memory overflow

mm/hugetlb: fix a race between hugetlb sysctl handlers

libxfs: synchronize dinode_verify with userspace

xfs: sanity check directory inode di_size

xfs: move inode fork verifiers to xfs_dinode_verify

xfs: enhance dinode verifier

ext4: fix potential negative array index in do_split()

powercap: make attributes only readable by root

powercap: make attributes only readable by root (adaptation)

icmp: randomize the global rate limiter

hdlc_ppp: add range checks in ppp_cp_parse_cr()

fbcon: remove soft scrollback code

fbcon: remove soft scrollback code (adaptation)

Bluetooth: Disconnect if E0 is used for Level 4

Bluetooth: Disconnect if E0 is used for Level 4

perf/core: Fix race in the perf_mmap_close() function

rbd: require global CAP_SYS_ADMIN for mapping and unmapping

netfilter: ctnetlink: add a range check for l3/l4 protonum

geneve: add transport ports in route lookup for geneve

fbcon: Fix global-out-of-bounds read in fbcon_get_font()

fbcon: Fix global-out-of-bounds read in fbcon_get_font()

tty/vt: fix write/write race in ioctl(KDSKBSENT) handler

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage

xen/events: avoid removing an event channel while handling it

i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c.

i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c.

tty: make FONTX ioctl use the tty pointer they were actually passed

vt: Disable KD_FONT_OP_COPY

target: simplify XCOPY wwn->se_dev lookup helper

UBUNTU: SAUCE: target: fix XCOPY NAA identifier lookup

UBUNTU: SAUCE: target: fix XCOPY NAA identifier lookup (adaptation )

btrfs: inode: Verify inode mode to avoid NULL pointer dereference

Input: sunkbd - avoid use-after-free in teardown paths

tty: Fix ->pgrp locking in tiocspgrp()

tty: Fix ->session locking

jfs: Fix array index bounds check in dbAdjTree

mm/userfaultfd: do not access vma->vm_mm after calling

mm/userfaultfd: do not access vma->vm_mm after calling

limit size of watch_events dom0 queue.

handle xenwatch_thread patching.

nfsd4: readdirplus shouldn't return parent of export

xen-blkback: set ring->xenblkd to NULL after kthread_stop()

mwifiex: Fix possible buffer overflows in

sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output

scsi: iscsi: Restrict sessions and handles to admin capabilities

scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

scsi: iscsi: Verify lengths on passthrough PDUs

iio: imu: adis16400: fix memory leak

[netdrv] fjes: Handle workqueue allocation failure

xfs: More robust inode extent count validation

hdpvr: Fix an error handling path in hdpvr_probe()

vfs: Move security_inode_killpriv() after permission checks

libertas: fix a potential NULL pointer dereference

xen-blkback: fix error handling in xen_blkbk_map()

xen-blkback: don't "handle" error by BUG()

xen-blkback: don't "handle" error by BUG()

xen-blkback: don't "handle" error by BUG()

Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()

Xen/gnttab: handle p2m update errors on a per-slot basis

floppy: fix lock_fdc() signal handling

timer: Restrict timer_stats to initial PID namespace

futex: Handle faults correctly for PI futexes

bpf, x86: Validate computation of branch displacements for x86-64

Introduce v3 namespaced file capabilities

Introduce v3 namespaced file capabilities (adaptation)

vfs: move cap_convert_nscap() call into vfs_setxattr()

UBUNTU: SAUCE: vfs_setxattr: free converted value if xattr_permission returns error

seq_file: Disallow extremely large seq buffer allocations

netfilter: x_tables: fix compat match/target pad out-of-bound write

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

hugetlbfs: flush TLBs correctly after huge_pmd_unshare

ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

netfilter: nf_tables: disallow non-stateful expression in sets

Not affected without certain conditions - Secure Boot, configured kgdb/kdb. Complex adaptation

mac80211: assure all fragments are encrypted

Bluetooth: SMP: Fail if remote and local public keys are identical

PCI: rpadlpar: Fix potential drc_name corruption in store functions

firewire: nosy: Fix a use-after-free bug in nosy_ioctl()

Bluetooth: fix the erroneous flush_work() order

Input: joydev - prevent potential read overflow in ioctl

tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.

net: 6pack: fix slab-out-of-bounds in decode_data

ipv6: use prandom_u32() for ID generation

usb: max-3421: Prevent corruption of freed memory

usb: max-3421: Prevent corruption of freed memory (Adaptation)

Bluetooth: verify AMP hci_chan before amp_destroy

Bluetooth: verify AMP hci_chan before amp_destroy

can: bcm: fix infoleak in struct bcm_msg_head

vmx_vcpu_run wrapper

Restrict access to pagemap/kpageflags/kpagecount

pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()

USB: gadget: validate endpoint index for xilinx udc

can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()

net: sched: use Qdisc rcu API instead of relying on rtnl lock

Out of scope as the patch is for NFC/Android

cgroup: Use open-time cgroup namespace for process migration perm checks

NFC: reorder the logic in nfc_{un,}register_device

NFC: add NCI_UNREG flag to eliminate the race

NFC: reorganize the functions in nci_request

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

drm/vgem: Close use-after-free race in vgem_gem_create

floppy: use a statically allocated error counter

floppy: use a statically allocated error counter (kpatch adaptation)

ath9k fix use-after-free in ath9k_hif_usb_rx_cb

nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs

llc: fix netdevice reference leaks in llc_ui_bind()

x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data

usb: gadget: rndis: check size of RNDIS_MSG_SET command

USB: gadget: validate interface OS descriptor requests

igmp: Add ip_mc_list lock in ip_check_mc_rcu

netfilter: nf_tables: stricter validation of element data

net: Rename and export copy_skb_header

xen/blkfront: fix leaking data in shared pages

xen/netfront: fix leaking data in shared pages

xen/netfront: force data bouncing when backend is untrusted (adaptation)

packet: in recvmsg msg_name return at least sizeof sockaddr_ll

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

fbcon: Disallow setting font bigger than screen size

fbcon: Prevent that screen size is smaller than font size

fbmem: Check virtual screen sizes in fb_set_var()

vt: drop old FONT ioctls

netfilter: nf_queue: do not allow packet truncation below transport header offset

net_sched: cls_route: remove from list when handle is 0

netfilter: nf_tables: do not allow SET_ID to refer to another table

percpu: stop printing kernel addresses

f2fs: fix to do sanity check on segment/section count

xfs: add agf freeblocks verify in xfs_agf_verify

nfc: fix memory leak in llcp_sock_bind()

nfc: fix refcount leak in llcp_sock_bind()

nfc: fix refcount leak in llcp_sock_connect()

nfc: fix memory leak in llcp_sock_bind()

nfc: Avoid endless loops caused by repeated llcp_sock_connect()

drm/ttm/nouveau: don't call tt destroy callback on alloc failure.

netfilter: x_tables: Use correct memory barriers.

xen-blkback: don't leak persistent grants from xen_blkbk_map()

fuse: fix bad inode

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c

bluetooth: eliminate the potential race condition when removing the HCI controller

mac80211: do not accept/forward invalid EAPOL frames

cipso,calipso: resolve a number of problems with the DOI refcounts

RDMA/ucma: check fd type in ucma_migrate_id()

RDMA/cma: Add missing locking to rdma_accept()

RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

Bluetooth: use correct lock to prevent UAF of hdev object

Same as CVE-2020-26558 patch

KVM: X86: MMU: Use the correct inherited permissions to get shadow

virtio_console: Assure used length from device is limited

ext4: fix race writing to an inline_data file while its xattrs are changing

rbtree: cache leftmost node internally

lib/timerqueue: Rely on rbtree semantics for next timer

lib/timerqueue: Rely on rbtree semantics for next timer (adaptation)

isdn: cpai: check ctr->cnr to avoid array index out of bound

ixgbe: fix large MTU request from VF

aufs: security bugfix, test mnt_ns in open(2) for fuse branch

aufs: security bugfix, test mnt_ns in open(2) for fuse branch (adaptation)

Ignored (was needed ESM criteria)

Ignored (Code / Infra not present)

Ignored (Complex adaptation required)

Ignored (Complex adaptation required)

Ignored (Complex adaptation required)

mwifiex: Fix skb_over_panic in mwifiex_usb_recv()

dm ioctl: fix out of bounds array access when no devices

af_unix: fix garbage collect vs MSG_PEEK

af_unix: fix garbage collect vs MSG_PEEK (Adaptation)

af_unix: fix garbage collect vs MSG_PEEK (Adaptation)

btrfs: fix race when cloning extent buffer during rewind of an old root

media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()

usb: hso: fix error handling code of hso_create_net_device

l2tp: fix races with ipv4-mapped ipv6 addresses

l2tp: fix races with ipv4-mapped ipv6 addresses (Adaptation)

net: ipv6: keep sk status consistent after datagram connect failure

xtables: add xt_match, xt_target and data copy_to_user functions

iptables: use match, target and data copy_to_user helpers

ip6tables: use match, target and data copy_to_user helpers

xtables: extend matches and targets with .usersize

netfilter: x_tables: fix pointer leaks to userspace

iptables: use match, target and data copy_to_user helpers (Adaptation)

media: em28xx: initialize refcount before kref_get

tcp/udp: Fix memory leak in ipv6_renew_options()

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

mISDN: fix use-after-free bugs in l1oip timer handlers

mISDN: fix use-after-free bugs in l1oip timer handlers (adaptation)

ipv6: annotate some data-races around sk->sk_prot

ipv6: Fix data races around sk->sk_prot.

tcp: Fix data races around icsk->icsk_af_ops.

r8152: Rate limit overflow messages

nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

atm: idt77252: fix use-after-free bugs caused by tst_timer

nilfs2: fix use-after-free bug of struct nilfs_root

scsi: stex: Properly zero out the passthrough command structure

usb: mon: make mmapped memory read only

xfs: fix up non-directory creation in SGID directories

ext4: fix kernel infoleak via ext4_extent_header

ax25: fix a use-after-free in ax25_fillin_cb()

ax25: NPD bug when detaching AX25 device

ax25: improve the incomplete fix to avoid UAF and NPD bugs

ax25: Fix NULL pointer dereference in ax25_kill_by_device

ax25: add refcount in ax25_dev to avoid UAF bugs

ax25: fix reference count leaks of ax25_dev

ax25: fix UAF bugs of net_device caused by rebinding operation

ax25: Fix refcount leaks caused by ax25_cb_del

ax25: fix UAF bug in ax25_send_control()

ax25: add refcount in ax25_dev to avoid UAF bugs (adaptation)

ax25: fix NPD bug in ax25_disconnect

perf: Fix sys_perf_event_open() race against self

openvswitch: fix OOB access in reserve_sfa_size()

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup

fs: fix UAF/GPF bug in nilfs_mdt_destroy

af_key: Do not call xfrm_probe_algs in parallel

jfs: prevent NULL deref in diFree

CVE-2018-16884 kpatch adaptation

ext4: never move the system.data xattr out of the inode body

alarmtimer: Prevent overflow for relative nanosleep

btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized

hfsplus: fix NULL dereference in hfsplus_lookup()

proc: restrict kernel stack dumps to root

Add disable SMT knob

x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations

x86/topology: Add topology_max_smt_threads()

Setup L1TF bug bit

Add ability to flush l1d cache on vmexit