feat: update kernel for 2150.5.0

prepare_source

@@ -1,5 +1,5 @@
 pkg=linux
-version_orig=6.18.33
+version_orig=6.18.35
 version="$version_orig-1"
 
 (

upstream_patches/CVE-2026-31688.patch

@@ -0,0 +1,48 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dc23806a7c47ec5f1293aba407fb69519f976ee0
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -166,9 +166,18 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
+ static inline int driver_match_device(const struct device_driver *drv,
+ 				      struct device *dev)
+ {
++	device_lock_assert(dev);
++
+ 	return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
++static inline int driver_match_device_locked(const struct device_driver *drv,
++					     struct device *dev)
++{
++	guard(device)(dev);
++	return driver_match_device(drv, dev);
++}
++
+ static inline void dev_sync_state(struct device *dev)
+ {
+ 	if (dev->bus->sync_state)
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 2653670f962f..2b039aa2da74 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf,
+ 	int err = -ENODEV;
+
+ 	dev = bus_find_device_by_name(bus, NULL, buf);
+-	if (dev && driver_match_device(drv, dev)) {
++	if (dev && driver_match_device_locked(drv, dev)) {
+ 		err = device_driver_attach(drv, dev);
+ 		if (!err) {
+ 			/* success */
+diff --git a/drivers/base/dd.c b/drivers/base/dd.c
+index 2c3a610f52a7..04087a4961ef 100644
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1250,7 +1250,7 @@ static int __driver_attach(struct device *dev, void *data)
+ 	 * is an error.
+ 	 */
+
+-	ret = driver_match_device(drv, dev);
++	ret = driver_match_device_locked(drv, dev);
+ 	if (ret == 0) {
+ 		/* no match */
+ 		return 0;

upstream_patches/CVE-2026-43009.patch

@@ -0,0 +1,45 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ffbe45b1d227e24659998a91cfd4c27af457e71
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -610,6 +610,13 @@ static bool is_atomic_load_insn(const struct bpf_insn *insn)
+ 	       insn->imm == BPF_LOAD_ACQ;
+ }
+
++static bool is_atomic_fetch_insn(const struct bpf_insn *insn)
++{
++	return BPF_CLASS(insn->code) == BPF_STX &&
++	       BPF_MODE(insn->code) == BPF_ATOMIC &&
++	       (insn->imm & BPF_FETCH);
++}
++
+ static int __get_spi(s32 off)
+ {
+ 	return (-off - 1) / BPF_REG_SIZE;
+@@ -4322,10 +4329,24 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
+ 			   * dreg still needs precision before this insn
+ 			   */
+ 		}
+-	} else if (class == BPF_LDX || is_atomic_load_insn(insn)) {
+-		if (!bt_is_reg_set(bt, dreg))
++	} else if (class == BPF_LDX ||
++		   is_atomic_load_insn(insn) ||
++		   is_atomic_fetch_insn(insn)) {
++		u32 load_reg = dreg;
++
++		/*
++		 * Atomic fetch operation writes the old value into
++		 * a register (sreg or r0) and if it was tracked for
++		 * precision, propagate to the stack slot like we do
++		 * in regular ldx.
++		 */
++		if (is_atomic_fetch_insn(insn))
++			load_reg = insn->imm == BPF_CMPXCHG ?
++				   BPF_REG_0 : sreg;
++
++		if (!bt_is_reg_set(bt, load_reg))
+ 			return 0;
+-		bt_clear_reg(bt, dreg);
++		bt_clear_reg(bt, load_reg);
+
+ 		/* scalars can only be spilled into stack w/o losing precision.
+ 		 * Load from any other memory can be zero extended.

upstream_patches/series

@@ -3,3 +3,5 @@
 0003-implement-FIPS-PCT-for-ECDH.patch
 0004-flag-instantiations-as-FIPS_compliant.patch
 0005-disable-xxhash64.patch
+CVE-2026-31688.patch
+CVE-2026-43009.patch