https://source.android.com/docs/security/bulletin/2024-09-01
CVE-2024-36972
* tag 'ASB-2024-09-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Linux 4.19.321
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
ipc: remove memcg accounting for sops objects in do_semtimedop()
scsi: aacraid: Fix double-free on probe failure
usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes()
usb: dwc3: st: fix probed platform device ref count on probe error path
usb: dwc3: core: Prevent USB core invalid event buffer address access
usb: dwc3: omap: add missing depopulate in probe error path
USB: serial: option: add MeiG Smart SRM825L
cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
net: busy-poll: use ktime_get_ns() instead of local_clock()
gtp: fix a potential NULL pointer dereference
soundwire: stream: fix programming slave ports for non-continous port maps
net: prevent mss overflow in skb_segment()
ida: Fix crash in ida_free when the bitmap is empty
net:rds: Fix possible deadlock in rds_message_put
fbmem: Check virtual screen sizes in fb_set_var()
fbcon: Prevent that screen size is smaller than font size
memcg: enable accounting of ipc resources
cgroup/cpuset: Prevent UAF in proc_cpuset_show()
ata: libata-core: Fix null pointer dereference on error
media: uvcvideo: Fix integer overflow calculating timestamp
filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
dm suspend: return -ERESTARTSYS instead of -EINTR
wifi: mwifiex: duplicate static structs used in driver instances
pinctrl: single: fix potential NULL dereference in pcs_get_function()
drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
tools: move alignment-related macros to new <linux/align.h>
Input: MT - limit max slots
Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO
ALSA: timer: Relax start tick time check for slave timer elements
mmc: dw_mmc: allow biu and ciu clocks to defer
cxgb4: add forgotten u64 ivlan cast before shift
HID: wacom: Defer calculation of resolution until resolution_code is known
Bluetooth: MGMT: Add error handling to pair_device()
mmc: mmc_test: Fix NULL dereference on allocation failure
drm/msm/dpu: don't play tricks with debug macros
drm/msm: use drm_debug_enabled() to check for debug categories
net: xilinx: axienet: Always disable promiscuous mode
ipv6: prevent UAF in ip6_send_skb()
netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
kcm: Serialise kcm_sendmsg() for the same socket.
Bluetooth: hci_core: Fix LE quote calculation
Bluetooth: hci_core: Fix not handling link timeouts propertly
Bluetooth: Make use of __check_timeout on hci_sched_le
block: use "unsigned long" for blk_validate_block_size().
gtp: pull network headers in gtp_dev_xmit()
hrtimer: Prevent queuing of hrtimer without a function callback
nvmet-rdma: fix possible bad dereference when freeing rsps
ext4: set the type of max_zeroout to unsigned int to avoid overflow
irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
usb: dwc3: core: Skip setting event buffers for host only controllers
s390/iucv: fix receive buffer virtual vs physical address confusion
openrisc: Call setup_memory() earlier in the init sequence
NFS: avoid infinite loop in pnfs_update_layout.
Bluetooth: bnep: Fix out-of-bound access
usb: gadget: fsl: Increase size of name buffer for endpoints
f2fs: fix to do sanity check in update_sit_entry
btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
btrfs: send: handle unexpected data in header buffer in begin_cmd()
btrfs: handle invalid root reference found in may_destroy_subvol()
btrfs: change BUG_ON to assertion when checking for delayed_node root
powerpc/boot: Only free if realloc() succeeds
powerpc/boot: Handle allocation failure in simple_realloc()
parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
md: clean up invalid BUG_ON in md_ioctl
net/sun3_82586: Avoid reading past buffer in debug output
scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
fs: binfmt_elf_efpic: don't use missing interpreter's properties
media: pci: cx23885: check cx23885_vdev_init() return
quota: Remove BUG_ON from dqget()
ext4: do not trim the group with corrupted block bitmap
powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
wifi: iwlwifi: abort scan when rfkill on but device enabled
gfs2: setattr_chown: Add missing initialization
scsi: spi: Fix sshdr use
binfmt_misc: cleanup on filesystem umount
staging: ks7010: disable bh on tx_dev_lock
i2c: riic: avoid potential division by zero
wifi: cw1200: Avoid processing an invalid TIM IE
ssb: Fix division by zero issue in ssb_calc_clock_rate
net: dsa: vsc73xx: pass value in phy_write operation
atm: idt77252: prevent use after free in dequeue_rx()
net/mlx5e: Correctly report errors for ethtool rx flows
btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
overflow: Implement size_t saturating arithmetic helpers
overflow.h: Add flex_array_size() helper
s390/cio: rename bitmap_size() -> idset_bitmap_size()
memcg_write_event_control(): fix a user-triggerable oops
drm/amdgpu: Actually check flags for all context ops.
selinux: fix potential counting error in avc_add_xperms_decision()
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
bitmap: introduce generic optimized bitmap_size()
dm persistent data: fix memory allocation failure
dm resume: don't return EINVAL when signalled
arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
ALSA: usb-audio: Support Yamaha P-125 quirk entry
fuse: Initialize beyond-EOF page contents before setting uptodate
Linux 4.19.320
nvme/pci: Add APST quirk for Lenovo N60z laptop
exec: Fix ToCToU between perm check and set-uid/gid usage
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
arm64: cpufeature: Fix the visibility of compat hwcaps
netfilter: nf_tables: prefer nft_chain_validate
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: set element extended ACK reporting support
kbuild: Fix '-S -c' in x86 stack protector scripts
drm/mgag200: Set DDC timeout in milliseconds
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
x86/mtrr: Check if fixed MTRRs exist before saving them
tracing: Fix overflow in get_free_elt()
power: supply: axp288_charger: Round constant_charge_voltage writes down
power: supply: axp288_charger: Fix constant_charge_voltage writes
serial: core: check uartclk for zero to avoid divide by zero
ntp: Safeguard against time_constant overflow
driver core: Fix uevent_show() vs driver detach race
ntp: Clamp maxerror and esterror to operating range
tick/broadcast: Move per CPU pointer access into the atomic section
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
usb: gadget: core: Check for unset descriptor
USB: serial: debug: do not echo input by default
usb: vhci-hcd: Do not drop references before new references are gained
ALSA: line6: Fix racy access to midibuf
spi: spi-fsl-lpspi: Fix scldiv calculation
spi: fsl-lpspi: remove unneeded array
spi: lpspi: add the error info of transfer speed setting
spi: lpspi: Add i.MX8 boards support for lpspi
spi: lpspi: Let watermark change with send data length
spi: lpspi: Add slave mode support
spi: lpspi: Replace all "master" with "controller"
bpf: kprobe: remove unused declaring of bpf_kprobe_override
i2c: smbus: Send alert notifications to all devices if source not found
i2c: smbus: Improve handling of stuck alerts
i2c: smbus: Don't filter out duplicate alerts
arm64: errata: Expand speculative SSBS workaround (again)
arm64: cputype: Add Cortex-A725 definitions
arm64: cputype: Add Cortex-X1C definitions
arm64: errata: Expand speculative SSBS workaround
arm64: errata: Unify speculative SSBS errata logic
arm64: cputype: Add Cortex-X925 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Neoverse-V3 definitions
arm64: cputype: Add Cortex-X4 definitions
arm64: Add Neoverse-V2 part
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add support for SB barrier and patch in over DSB; ISB sequences
ext4: fix wrong unit use in ext4_mb_find_by_goal
SUNRPC: Fix a race to wake a sync task
s390/sclp: Prevent release of buffer in I/O
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
media: uvcvideo: Ignore empty TS packets
btrfs: fix bitmap leak when loading free space cache on duplicate entry
wifi: nl80211: don't give key data to userspace
udf: prevent integer overflow in udf_bitmap_free_blocks()
PCI: Add Edimax Vendor ID to pci_ids.h
clocksource/drivers/sh_cmt: Address race condition for clock events
md/raid5: avoid BUG_ON() while continue reshape after reassembling
net: fec: Stop PPS on driver remove
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: linkwatch: use system_unbound_wq
net: usb: qmi_wwan: fix memory leak for not ip packets
x86/mm: Fix pti_clone_pgtable() alignment assumption
irqchip/mbigen: Fix mbigen node address layout
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
ALSA: usb-audio: Correct surround channels in UAC1 channel map
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ipv6: fix ndisc_is_useropt() handling for PIO
net/iucv: fix use after free in iucv_sock_close()
drm/vmwgfx: Fix overlay when using Screen Targets
remoteproc: imx_rproc: Skip over memory region when node value is NULL
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: ignore mapping vdev regions
perf/x86/intel/pt: Fix a topa_entry base address calculation
perf/x86/intel/pt: Split ToPA metadata and page layout
perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation
perf/x86/intel/pt: Use helpers to obtain ToPA entry size
perf/x86/intel/pt: Export pt_cap_get()
devres: Fix memory leakage caused by driver API devm_free_percpu()
driver core: Cast to (void *) with __force for __percpu pointer
dev/parport: fix the array out-of-bounds risk
parport: Standardize use of printmode
parport: Convert printk(KERN_<LEVEL> to pr_<level>(
parport: parport_pc: Mark expected switch fall-through
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
PCI: rockchip: Make 'ep-gpios' DT property optional
mm: avoid overflows in dirty throttling logic
mISDN: Fix a use after free in hfcmulti_tx()
tipc: Return non-zero value from tipc_udp_addr2str() on error
net: bonding: correctly annotate RCU in bond_should_notify_peers()
ipv4: Fix incorrect source address in Record Route option
net: ip_rt_get_source() - use new style struct initializer instead of memset
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
dma: fix call order in dmam_free_coherent
jfs: Fix array-index-out-of-bounds in diFree
kdb: Use the passed prompt in kdb_position_cursor()
kdb: address -Wformat-security warnings
kdb: Fix bound check compiler warning
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
selftests/sigaltstack: Fix ppc64 GCC build
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
perf/x86/intel/pt: Fix topa_entry base length
scsi: qla2xxx: validate nvme_local_port correctly
scsi: qla2xxx: During vport delete send async logout explicitly
rtc: cmos: Fix return value of nvmem callbacks
kobject_uevent: Fix OOB access within zap_modalias_env()
decompress_bunzip2: fix rare decompression failure
ubi: eba: properly rollback inside self_check_eba
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
f2fs: fix to don't dirty inode for readonly filesystem
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
binder: fix hang of unregistered readers
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
hwrng: amd - Convert PCIBIOS_* return codes to errnos
tools/memory-model: Fix bug in lock.cat
leds: ss4200: Convert PCIBIOS_* return codes to errnos
wifi: mwifiex: Fix interface type change
ext4: make sure the first directory block is not a hole
ext4: check dot and dotdot of dx_root before making dir indexed
m68k: amiga: Turn off Warp1260 interrupts during boot
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
media: venus: fix use after free in vdec_close
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
ipv6: take care of scope when choosing the src addr
af_packet: Handle outgoing VLAN packets without hardware offloading
net: netconsole: Disable target before netpoll cleanup
tick/broadcast: Make takeover of broadcast hrtimer reliable
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
fs/nilfs2: remove some unused macros to tame gcc
pinctrl: freescale: mxs: Fix refcount of child
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
netfilter: ctnetlink: use helper function to calculate expect ID
ice: Rework flex descriptor programming
bnxt_re: Fix imm_data endianness
macintosh/therm_windtunnel: fix module unload.
powerpc/xmon: Fix disassembly CPU feature checks
MIPS: Octeron: remove source file executable bit
Input: elan_i2c - do not leave interrupt disabled on suspend failure
mtd: make mtd_test.c a separate module
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/mlx4: Fix truncated output warning in mad.c
PCI: Fix resource double counting on remove & rescan
PCI: Equalize hotplug memory and io for occupied and empty slots
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
ext4: avoid writing unitialized memory to disk in EA inodes
mfd: omap-usb-tll: Use struct_size to allocate tll
drm/etnaviv: fix DMA direction handling for cached RW buffers
perf report: Fix condition in sort__sym_cmp()
leds: trigger: Unregister sysfs attributes before calling deactivate()
media: renesas: vsp1: Store RPF partition configuration per RPF instance
media: renesas: vsp1: Fix _irqsave and _irq mix
media: uvcvideo: Override default flags
media: uvcvideo: Allow entity-defined get_info and get_cur
saa7134: Unchecked i2c_transfer function result fixed
media: imon: Fix race getting ictx->lock
selftests: forwarding: devlink_lib: Wait for udev events after reloading
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
perf: Prevent passing zero nr_pages to rb_alloc_aux()
perf: Fix perf_aux_size() for greater-than 32-bit size
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
net: fec: Refactor: #define magic constants
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
selftests/bpf: Check length of recv in test_sockmap
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
net/smc: Allow SMC-D 1MB DMB allocations
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
x86/xen: Convert comma to semicolon
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
arm64: dts: rockchip: Increase VOP clk rate on RK3328
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO}
hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants
hwmon: (max6697) Fix underflow when writing limit attributes
pwm: stm32: Always do lazy disabling
hwmon: (adt7475) Fix default duty on fan is disabled
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/of: Return consistent error type from x86_of_pci_irq_enable()
hfsplus: fix to avoid false alarm of circular locking
platform/chrome: cros_ec_debugfs: fix wrong EC message version
Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()"
Linux 4.19.319
filelock: Fix fcntl/close race recovery compat path
jfs: don't walk off the end of ealist
ocfs2: add bounds checking to ocfs2_check_dir_entry()
net: relax socket state check at accept time.
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
ARM: 9324/1: fix get_user() broken with veneer
filelock: Remove locks reliably when fcntl/close race is detected
hfsplus: fix uninit-value in copy_name
selftests/vDSO: fix clang build errors and warnings
spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
fs: better handle deep ancestor chains in is_subdir()
Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()
net: usb: qmi_wwan: add Telit FN912 compositions
ALSA: dmaengine_pcm: terminate dmaengine before synchronize
s390/sclp: Fix sclp_init() cleanup on failure
can: kvaser_usb: fix return value for hif_usb_send_regout
bytcr_rt5640 : inverse jack detect for Archos 101 cesium
Input: elantech - fix touchpad state on resume for Lenovo N24
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
mei: demote client disconnect warning on suspend to debug
fs/file: fix the check in find_next_fd()
kconfig: remove wrong expr_trans_bool()
kconfig: gconf: give a proper initial state to the Save button
ila: block BH in ila_output()
Input: silead - Always support 10 fingers
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
ACPI: EC: Avoid returning AE_OK on errors in address space handler
ACPI: EC: Abort address space access upon error
scsi: qedf: Set qed_slowpath_params to zero before use
gcc-plugins: Rename last_stmt() for GCC 14+
Change-Id: I5d910141e3e22bc861c6b0343780dcfbf31b6341
Signed-off-by: bengris32 <bengris32@protonmail.ch>
6880313f90