@dvyukov
Created June 13, 2023 05:35
git shortlog --grep 'Reported-.*\(syzbot\|syzkaller\)' --author=penguin-kernel --author=mudongliangabcd --author=paskripkin --author=asml.silence --author=johannes.berg
Dongliang Mu (23):
NFC: nci: fix memory leak in nci_allocate_device
misc/uss720: fix memory leak in uss720_probe
ALSA: control led: fix memory leak in snd_ctl_led_register
media: dvd_usb: memory leak in cinergyt2_fe_attach
ieee802154: hwsim: Fix memory leak in hwsim_add_one
usb: hso: fix error handling code of hso_create_net_device
netfilter: nf_tables: fix audit memory leak in nf_tables_commit
usb: hso: fix error handling code of hso_create_net_device
media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
media: em28xx: fix memory leak in em28xx_init_dev
HID: elo: fix memory leak in elo_probe
media: em28xx: initialize refcount before kref_get
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
btrfs: don't access possibly stale fs_info data in device_list_add
ntfs: add sanity check on allocation size
HID: bigben: fix slab-out-of-bounds Write in bigben_probe
f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
rtlwifi: Use pr_warn instead of WARN_ONCE
media: pvrusb2: fix memory leak in pvr_probe
media: airspy: fix memory leak in airspy probe
usb: idmouse: fix an uninit-value in idmouse_open
fs: jfs: fix shift-out-of-bounds in dbAllocAG
fs: hfsplus: fix UAF issue in hfsplus_put_super
Johannes Berg (37):
mac80211_hwsim: validate number of different channels
cfg80211: check dev_set_name() return value
mac80211_hwsim: don't use WQ_MEM_RECLAIM
cfg80211: limit wiphy names to 128 bytes
mac80211_hwsim: require at least one channel
mac80211_hwsim: check that n_limits makes sense
nl80211: fix NLA_POLICY_NESTED() arguments
mac80211_hwsim: calculate if_combination.max_interfaces
mac80211: don't attempt to rename ERR_PTR() debugfs dirs
cfg80211: check for set_wiphy_params
cfg80211: fix debugfs rename crash
cfg80211: regulatory: reject invalid hints
netlink: policy: correct validation type check
mac80211: fix use of skb payload instead of header
mac80211: always wind down STA state
mac80211: free sta in sta_info_insert_finish() on errors
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
mac80211: pause TX while changing interface type
virt_wifi: fix deadlock on RTNL
nl80211: call cfg80211_dev_rename() under RTNL
wext: call cfg80211_change_iface() with wiphy lock held
cfg80211: call cfg80211_destroy_ifaces() with wiphy lock held
cfg80211: fix netdev registration deadlock
nl80211: fix beacon head validation
bonding: init notify_work earlier to avoid uninitialized use
netlink: disable IRQs for netlink_lock_table()
mac80211: remove warning in ieee80211_get_sband()
mac80211_hwsim: drop pending frames on stop
mac80211: fix deadlock in AP/VLAN handling
mac80211-hwsim: fix late beacon hrtimer handling
cfg80211: always free wiphy specific regdomain
mac80211: track only QoS data frames for admission control
mac80211: validate extended element ID is present
mac80211: fix locking in ieee80211_start_ap error path
wifi: mac80211: properly skip link info driver update
wifi: cfg80211: handle IBSS in channel switch
wifi: nl80211: hold wdev mutex for tid config
Pavel Begunkov (35):
io_uring: fix files cancellation
io_uring: fix double io_uring free
io_uring: dont kill fasync under completion_lock
io_uring: fix null-deref in io_disable_sqo_submit
io_uring: do sqo disable on install_fd error
io_uring: fix false positive sqo warning on flush
io_uring: fix uring_flush in exit_files() warning
io_uring: fix cancellation taking mutex while TASK_UNINTERRUPTIBLE
io_uring: fix list corruption for splice file_get
io_uring: fix sqo ownership false positive warning
io_uring: fix inconsistent lock state
io_uring: unpark SQPOLL thread for cancelation
io_uring: clear request count when freeing caches
io_uring: fix __tctx_task_work() ctx race
io_uring: do ctx sqd ejection in a clear context
io_uring: handle setup-failed ctx in kill_timeouts
io_uring: fix unchecked error in switch_start()
io_uring: fix link timeout refs
io_uring: fix ltout double free on completion race
io_uring: don't modify req->poll for rw
io_uring: fix false WARN_ONCE
io_uring: fix io_drain_req()
io_uring: remove double poll entry on arm failure
io_uring: fix io_try_cancel_userdata race for iowq
io_uring: fix queueing half-created requests
io_uring: reexpand under-reexpanded iters
io-wq: remove worker to owner tw dependency
io_uring: fail cancellation for EXITING tasks
io_uring: fix link traversal locking
io_uring: fix UAF due to missing POLLFREE handling
io_uring: don't miss setting REQ_F_DOUBLE_POLL
io_uring/net: fix UAF in io_sendrecv_fail()
io_uring/net: fix cleanup double free free_iov init
io_uring: fix fdinfo sqe offsets calculation
io_uring: lock overflowing for IOPOLL
Pavel Skripkin (69):
net/qrtr: fix __netdev_alloc_skb call
ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe
USB: serial: io_edgeport: fix memory leak in edge_startup
media: drivers/media/usb: fix memory leak in zr364xx_probe
tty: fix memory leak in vc_deallocate
drivers: net: fix memory leak in atusb_probe
drivers: net: fix memory leak in peak_usb_create_dev
net: mac802154: Fix general protection fault
media: dvb-usb: fix memory leak in dvb_usb_adapter_init
reiserfs: add check for invalid 1st journal block
media: cpia2: fix memory leak in cpia2_usb_probe
media: dvb-usb: fix wrong definition
net: usb: fix memory leak in smsc75xx_bind
media: zr364xx: fix memory leak in zr364xx_start_readpipe
net: kcm: fix memory leak in kcm_sendmsg
net: caif: fix memory leak in caif_device_notify
revert "net: kcm: fix memory leak in kcm_sendmsg"
net: rds: fix memory leak in rds_recvmsg
net: caif: fix memory leak in ldisc_open
net: qrtr: fix OOB Read in qrtr_endpoint_post
can: mcba_usb: fix memory leak in mcba_usb
ext4: fix memory leak in ext4_fill_super
jfs: fix GPF in diFree
net: sched: fix warning in tcindex_alloc_perfect_hash
net: xfrm: fix memory leak in xfrm_user_rcv_msg
net: sched: fix memory leak in tcindex_partial_destroy_work
net: qrtr: fix memory leaks
net: llc: fix skb_over_panic
staging: rtl8712: error handling refactoring
net: cipso: fix warnings in netlbl_cipsov4_add_std
net: xfrm: fix shift-out-of-bounce
net: pegasus: fix uninit-value in get_interrupt_interval
netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex
udmabuf: fix general protection fault in udmabuf_create
net: 6pack: fix slab-out-of-bounds in decode_data
block: nbd: add sanity check for first_minor
net: asix: fix uninit value bugs
Bluetooth: add timeout sanity check to hci_inquiry
profiling: fix shift-out-of-bounds bugs
net: xfrm: fix shift-out-of-bounds in xfrm_get_default
Bluetooth: hci_uart: fix GPF in h5_recv
media: em28xx: add missing em28xx_close_extension
media: dvb-usb: fix ununit-value in az6027_rc_query
media: mxl111sf: change mutex_init() location
Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
phy: mdio: fix memory leak
staging: rtl8712: fix use-after-free in rtl8712_dl_fw
ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
net: batman-adv: fix error handling
Bluetooth: stop proccessing malicious adv data
RDMA: Fix use-after-free in rxe_queue_cleanup
asix: fix uninit-value in asix_mdio_read()
Input: appletouch - initialize work before device registration
i2c: validate user data in compat ioctl
mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
net: mcs7830: handle usb read errors properly
udmabuf: validate ubuf->pagecount
ath9k_htc: fix uninit value bugs
net: asix: add proper error handling of usb read errors
HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts
NFC: port100: fix use-after-free in port100_send_complete
Input: aiptek - properly check endpoint type
Bluetooth: hci_uart: add missing NULL check in h5_enqueue
jfs: fix divide error in dbNextAG
can: mcba_usb: properly check endpoint type
video: fbdev: udlfb: properly check endpoint type
media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
fs/ntfs3: Fix NULL deref in ntfs_update_mftmirr
Tetsuo Handa (115):
mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
block/loop: fix deadlock after loop_set_status
commoncap: Handle memory allocation failure.
mm,vmscan: Allow preallocating memory for register_shrinker().
tty: Avoid possible error pointer dereference at tty_ldisc_restore().
tty: Don't call panic() at tty_ldisc_init()
tty: Use __GFP_NOFAIL for tty_ldisc_get()
bdi: wake up concurrent wb_shutdown() callers.
bdi: Fix use after free bug in debugfs_remove()
loop: remember whether sysfs_create_group() was done
x86/kexec: Avoid double free_page() upon do_kexec_load() failure
driver core: Don't ignore class_dir_create_and_add() failure.
hfsplus: stop workqueue when fill_super() failed
PM / hibernate: Fix oops at snapshot_write()
fuse: don't keep dead fuse_conn at fuse_fill_super().
n_tty: Fix stall at n_tty_receive_char_special().
n_tty: Access echo_* variables carefully.
net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
hfsplus: don't return 0 when fill_super() failed
selinux: Add __GFP_NOWARN to allocation at str_read()
bfs: add sanity check at bfs_fill_super()
block/loop: Use global lock for ioctl() operation.
loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
gpu/drm: Fix lock held when returning to user space.
drm/vkms: Fix flush_work() without INIT_WORK().
block: pass no-op callback to INIT_WORK().
staging: android: ashmem: Don't call fallocate() with ashmem_mutex held.
fs/open.c: allow opening only regular files during execve()
kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
net/rds: Check address length before reading address family
tomoyo: Add a kernel config option for fuzzing testing.
staging: android: ion: Bail out upon SIGKILL when allocating memory.
nfsd: fix dentry leak upon mkdir failure.
/dev/mem: Bail out upon SIGKILL.
kexec: bail out upon SIGKILL when allocating memory.
tomoyo: Don't use nifty names on sockets.
tomoyo: Use atomic_t for statistics counter
pipe: Fix pipe_full() test in opipe_prep().
vt: Reject zero-sized screen buffer size.
binder: Don't use mmput() from shrinker function.
driver core: Fix probe_count imbalance in really_probe()
fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
fbmem: pull fbcon_update_vcs() out of fb_set_var()
vt: defer kfree() of vc_screenbuf in vc_do_resize()
mwifiex: don't call del_timer_sync() on uninitialized timer
tipc: fix shutdown() of connectionless socket
video: fbdev: fix OOB read in vga_8planes_imageblit()
fbcon: Fix user font detection test at fbcon_resize().
vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
tomoyo: ignore data race while checking quota
pstore: Fix warning in pstore_kill_sb()
Bluetooth: initialize skb_queue_head at l2cap_chan_create()
reiserfs: update reiserfs_xattrs_initialized() condition
batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
ttyprintk: Add TTY hangup callback.
smackfs: restrict bytes count in smk_set_cipso()
tty: vt: always invoke vc->vc_sw->con_resize callback
can: bcm/raw/isotp: use per module netdevice notifier
Bluetooth: defer cleanup of resources in hci_unregister_dev()
Bluetooth: defer cleanup of resources in hci_unregister_dev()
loop: reduce the loop_ctl_mutex scope
fbmem: don't allow too huge resolutions
block: genhd: fix double kfree() in __alloc_disk_node()
smackfs: use __GFP_NOFAIL for smk_cipso_doi()
smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
loop: don't hold lo_mutex during __loop_clr_fd()
loop: make autoclear operation asynchronous
tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
loop: revert "make autoclear operation asynchronous"
net: rds: acquire refcount on TCP sockets
media: imon: reorganize serialization
wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop()
tty: vt: initialize unicode screen buffer
PM: hibernate: defer device probing when resuming from hibernation
wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop()
mm: shrinkers: fix double kfree on shrinker name
mm: memcontrol: fix potential oom_lock recursion deadlock
mtd: core: check partition before dereference
Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()
cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor()
Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor()
Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
tty: n_gsm: initialize more members at gsm_alloc_mux()
bpf: add missing percpu_counter_destroy() in htab_map_alloc()
Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
open: always initialize ownership fields
netfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()
btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
net/ieee802154: reject zero-sized raw_sendmsg()
net/ieee802154: don't warn zero-sized raw_sendmsg()
9p/trans_fd: always use O_NONBLOCK read/write
NFSD: unregister shrinker when nfsd_init_net() fails
Revert "cpumask: fix checking valid cpu range".
Input: iforce - invert valid length check when fetching device IDs
f2fs: initialize locks earlier in f2fs_fill_super()
fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init()
fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super()
fbdev: fbcon: release buffer when fbcon_do_set_font() failed
fs/ntfs3: don't hold ni_lock when calling truncate_setsize()
RDMA/siw: Remove namespace check from siw_netdev_event()
nilfs2: initialize "struct nilfs_binfo_dat"->bi_pad field
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
debugobjects: Don't wake up kswapd from fill_pool()