diff --git a/CVE-2020-11267/ANY/0001.patch b/CVE-2020-11267/ANY/0001.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88263147bcfadb0bd6761c527fcea308923541ca
--- /dev/null
+++ b/CVE-2020-11267/ANY/0001.patch
@@ -0,0 +1,67 @@
+From 4e921964bd0686950cd89eca69e77a5f3f109d3a Mon Sep 17 00:00:00 2001
+From: Tanwee Kausar <tkausar@codeaurora.org>
+Date: Mon, 10 Aug 2020 16:10:50 -0700
+Subject: crypto: Fix possible stack out of bound error
+
+Adding fix to check upper limit on the length
+of the destination array while copying elements from
+source address to avoid stack out of bound error.
+
+Change-Id: Ieb24e8f9b4a2b53fbc9442b25d790b12f737d471
+Signed-off-by: Tanwee Kausar <tkausar@codeaurora.org>
+---
+ drivers/crypto/msm/qce.c   | 7 ++++++-
+ drivers/crypto/msm/qce50.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/msm/qce.c b/drivers/crypto/msm/qce.c
+index 4cf95b9..0623838 100644
+--- a/drivers/crypto/msm/qce.c
++++ b/drivers/crypto/msm/qce.c
+@@ -1,6 +1,6 @@
+ /* Qualcomm Crypto Engine driver.
+  *
+- * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2010-2016, 2020 The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -768,6 +768,11 @@ static int _ce_setup(struct qce_device *pce_dev, struct qce_req *q_req,
+ 	switch (q_req->alg) {
+ 	case CIPHER_ALG_DES:
+ 		if (q_req->mode !=  QCE_MODE_ECB) {
++			if (ivsize > MAX_IV_LENGTH) {
++				pr_err("%s: error: Invalid length parameter\n",
++					__func__);
++				return -EINVAL;
++			}
+ 			_byte_stream_to_net_words(enciv32, q_req->iv, ivsize);
+ 			writel_relaxed(enciv32[0], pce_dev->iobase +
+ 						CRYPTO_CNTR0_IV0_REG);
+diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
+index 4d65c48..bb90bf0 100644
+--- a/drivers/crypto/msm/qce50.c
++++ b/drivers/crypto/msm/qce50.c
+@@ -1,6 +1,6 @@
+ /* Qualcomm Crypto Engine driver.
+  *
+- * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2012-2016, 2020 The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -859,6 +859,11 @@ static int _ce_setup_cipher(struct qce_device *pce_dev, struct qce_req *creq,
+ 	switch (creq->alg) {
+ 	case CIPHER_ALG_DES:
+ 		if (creq->mode !=  QCE_MODE_ECB) {
++			if (ivsize > MAX_IV_LENGTH) {
++				pr_err("%s: error: Invalid length parameter\n",
++					 __func__);
++				return -EINVAL;
++			}
+ 			_byte_stream_to_net_words(enciv32, creq->iv, ivsize);
+ 			pce = cmdlistinfo->encr_cntr_iv;
+ 			pce->data = enciv32[0];
+-- 
+cgit v1.1
+
diff --git a/CVE-2020-11267/ANY/0002.patch b/CVE-2020-11267/ANY/0002.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7309b309591f1f8c882a2ef523c7905fc57cea66
--- /dev/null
+++ b/CVE-2020-11267/ANY/0002.patch
@@ -0,0 +1,34 @@
+From 6b3e480f729f291ec9e89e9864582795f02ac1d9 Mon Sep 17 00:00:00 2001
+From: Tanwee Kausar <tkausar@codeaurora.org>
+Date: Mon, 10 Aug 2020 16:10:50 -0700
+Subject: crypto: Fix possible stack out of bound error
+
+Adding fix to check the upper limit on the length
+of the destination array while copying elements from
+source address to avoid stack out of bound error.
+
+Change-Id: Ieb24e8f9b4a2b53fbc9442b25d790b12f737d471
+Signed-off-by: Tanwee Kausar <tkausar@codeaurora.org>
+---
+ drivers/crypto/msm/qce50.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
+index 1ef5382..3890b683 100644
+--- a/drivers/crypto/msm/qce50.c
++++ b/drivers/crypto/msm/qce50.c
+@@ -850,6 +850,11 @@ static int _ce_setup_cipher(struct qce_device *pce_dev, struct qce_req *creq,
+ 	switch (creq->alg) {
+ 	case CIPHER_ALG_DES:
+ 		if (creq->mode !=  QCE_MODE_ECB) {
++			if (ivsize > MAX_IV_LENGTH) {
++				pr_err("%s: error: Invalid length parameter\n",
++					 __func__);
++				return -EINVAL;
++			}
+ 			_byte_stream_to_net_words(enciv32, creq->iv, ivsize);
+ 			pce = cmdlistinfo->encr_cntr_iv;
+ 			pce->data = enciv32[0];
+-- 
+cgit v1.1
+
diff --git a/CVE-2020-11267/ANY/0003.patch b/CVE-2020-11267/ANY/0003.patch
new file mode 100644
index 0000000000000000000000000000000000000000..46a7b1382810821bcca38fad6a8afd3388dbfed6
--- /dev/null
+++ b/CVE-2020-11267/ANY/0003.patch
@@ -0,0 +1,34 @@
+From b2d624743de45b07bffc53224fa8987dd7199fae Mon Sep 17 00:00:00 2001
+From: Karthick Shanmugham <kartshan@codeaurora.org>
+Date: Mon, 5 Oct 2020 18:46:14 +0530
+Subject: crypto: Fix possible stack out of bound error
+
+Adding fix to check the upper limit on the length
+of the destination array while copying elements from
+source address to avoid stack out of bound error.
+
+Signed-off-by: Karthick Shanmugham <kartshan@codeaurora.org>
+Change-Id: I01cfc1ec1776a00010800846becc0b6ece17b9c8
+---
+ drivers/crypto/msm/qce.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/crypto/msm/qce.c b/drivers/crypto/msm/qce.c
+index 4cf95b9..e204dcc 100644
+--- a/drivers/crypto/msm/qce.c
++++ b/drivers/crypto/msm/qce.c
+@@ -768,6 +768,11 @@ static int _ce_setup(struct qce_device *pce_dev, struct qce_req *q_req,
+ 	switch (q_req->alg) {
+ 	case CIPHER_ALG_DES:
+ 		if (q_req->mode !=  QCE_MODE_ECB) {
++			if (ivsize > MAX_IV_LENGTH) {
++				pr_err("%s: error: Invalid length parameter\n",
++					 __func__);
++				return -EINVAL;
++			}
+ 			_byte_stream_to_net_words(enciv32, q_req->iv, ivsize);
+ 			writel_relaxed(enciv32[0], pce_dev->iobase +
+ 						CRYPTO_CNTR0_IV0_REG);
+-- 
+cgit v1.1
+
diff --git a/CVE-2021-0512/^5.10/0001.patch b/CVE-2021-0512/^5.10/0001.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c29b9d650c19a5477bf75c23f65671779521b07
--- /dev/null
+++ b/CVE-2021-0512/^5.10/0001.patch
@@ -0,0 +1,57 @@
+From ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f Mon Sep 17 00:00:00 2001
+From: Will McVicker <willmcvicker@google.com>
+Date: Sat, 5 Dec 2020 00:48:48 +0000
+Subject: HID: make arrays usage and value to be the same
+
+The HID subsystem allows an "HID report field" to have a different
+number of "values" and "usages" when it is allocated. When a field
+struct is created, the size of the usage array is guaranteed to be at
+least as large as the values array, but it may be larger. This leads to
+a potential out-of-bounds write in
+__hidinput_change_resolution_multipliers() and an out-of-bounds read in
+hidinput_count_leds().
+
+To fix this, let's make sure that both the usage and value arrays are
+the same size.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 4d0faf77c14bf..097cb1ee31268 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -90,7 +90,7 @@ EXPORT_SYMBOL_GPL(hid_register_report);
+  * Register a new field for this report.
+  */
+ 
+-static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values)
++static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages)
+ {
+ 	struct hid_field *field;
+ 
+@@ -101,7 +101,7 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned
+ 
+ 	field = kzalloc((sizeof(struct hid_field) +
+ 			 usages * sizeof(struct hid_usage) +
+-			 values * sizeof(unsigned)), GFP_KERNEL);
++			 usages * sizeof(unsigned)), GFP_KERNEL);
+ 	if (!field)
+ 		return NULL;
+ 
+@@ -300,7 +300,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
+ 	usages = max_t(unsigned, parser->local.usage_index,
+ 				 parser->global.report_count);
+ 
+-	field = hid_register_field(report, usages, parser->global.report_count);
++	field = hid_register_field(report, usages);
+ 	if (!field)
+ 		return 0;
+ 
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/CVE-2021-0606/4.14/0001.patch b/CVE-2021-0606/4.14/0001.patch
new file mode 100644
index 0000000000000000000000000000000000000000..41e28a3a38f9e87b0cdf750718fa76645e5f7b69
--- /dev/null
+++ b/CVE-2021-0606/4.14/0001.patch
@@ -0,0 +1,39 @@
+From 328ec6286a78a71500b74255448e8f3c83d2b2c4 Mon Sep 17 00:00:00 2001
+From: Giuliano Procida <gprocida@google.com>
+Date: Wed, 14 Oct 2020 09:51:09 +0200
+Subject: drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak
+
+Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
+upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
+refcount imbalance and thus a struct drm_syncobj object leak which can
+be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.
+
+The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
+which increments the refcount of the object on success. In all of the
+drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
+in the success path the refcount should remain at +1 as the struct
+drm_syncobj now belongs to the newly opened file. Instead, the
+refcount was incremented again to +2.
+
+Fixes: 5fb252cad61f ("drm/syncobj: Stop reusing the same struct file for all syncobj -> fd")
+Signed-off-by: Giuliano Procida <gprocida@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_syncobj.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_syncobj.c b/drivers/gpu/drm/drm_syncobj.c
+index 889c95d4feecc..3f71bc3d93fef 100644
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -355,7 +355,6 @@ static int drm_syncobj_handle_to_fd(struct drm_file *file_private,
+ 		return PTR_ERR(file);
+ 	}
+ 
+-	drm_syncobj_get(syncobj);
+ 	fd_install(fd, file);
+ 
+ 	*p_fd = fd;
+-- 
+cgit 1.2.3-1.el7
+
diff --git a/Kernel_CVE_Patch_List.txt b/Kernel_CVE_Patch_List.txt
index a326c473053b15b12ca0239e24cbb7b43a9a80c7..56c9f29ff44f43ae5e75dbbf808868957f3031fc 100644
--- a/Kernel_CVE_Patch_List.txt
+++ b/Kernel_CVE_Patch_List.txt
@@ -14198,6 +14198,10 @@ CVE-2020-11261
 CVE-2020-11262
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=10527de01e5fb34139487a3bc4e4dbbfa97eae0e
 	Link - https://github.com/LineageOS/android_kernel_essential_msm8998/commit/d22f1927ece9beb68c9dda72f4380582a8388dd3
+CVE-2020-11267
+	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=4e921964bd0686950
+	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=6b3e480f729f291ec9e89e9864582795f02ac1d9
+	Link - https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=b2d624743de45b07bffc53224fa8987dd7199fae
 CVE-2020-11271
 	Link - audio-kernel - https://source.codeaurora.org/quic/qsdk/platform/vendor/opensource/audio-kernel/commit/?id=80ac1b29f1ea6be32eddb33bdf3d72407b315f38
 CVE-2020-11272
@@ -15255,6 +15259,8 @@ CVE-2021-0448
 	Link - 4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3f5bfa0a2c3401bfbc0cab5894df8262de619641
 	Link - 4.9 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3f5bfa0a2c3401bfbc0cab5894df8262de619641
 	Link - 5.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=253052b636e98083b1ecc3e9b0cf6f151e1cb8c6
+CVE-2021-0512
+	Link - ^5.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f
 CVE-2021-0605
 	Link - 3.18 - https://android.googlesource.com/kernel/common/+/50f185f3a515efb07ecccb17468639604b70aae9
 	Link - ^5.8 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37bd22420f856fcd976989f1d4f1f7ad28e1fcac
@@ -15263,6 +15269,9 @@ CVE-2021-0605
 	Link - 4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=831587619afe78cd72651b34a0f6ccb2acf3c503
 	Link - 4.9 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=31c59173dc9553d6857129d2a8e102c4700b54c4
 	Link - 5.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a769bff2333a8212cff4fd8bbe986979bf41c528
+CVE-2021-0606
+	FIXME
+	Link - 4.14 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=328ec6286a78a71500b74255448e8f3c83d2b2c4
 CVE-2021-1891
 	Link - audio-kernel - https://source.codeaurora.org/quic/qsdk/platform/vendor/opensource/audio-kernel/commit/?id=ee913fe2a44fce7f0e4b0a9ad261416eabcd4add
 CVE-2021-1905