https://source.android.com/security/bulletin/2021-09-01
CVE-2021-0695
* tag 'ASB-2021-09-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Linux 4.19.206
net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
Revert "floppy: reintroduce O_NDELAY fix"
KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
fbmem: add margin check to fb_check_caps()
vt_kdsetmode: extend console locking
net/rds: dma_map_sg is entitled to merge entries
drm/nouveau/disp: power down unused DP links during init
drm: Copy drm_wait_vblank to user before returning
qed: Fix null-pointer dereference in qed_rdma_create_qp()
qed: qed ll2 race condition fixes
vringh: Use wiov->used to check for read/write desc order
virtio_pci: Support surprise removal of virtio pci device
virtio: Improve vq->broken access to avoid any compiler optimization
opp: remove WARN when no valid OPPs remain
usb: gadget: u_audio: fix race condition on endpoint stop
net: hns3: fix get wrong pfc_en when query PFC configuration
net: marvell: fix MVNETA_TX_IN_PRGRS bit number
xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()'
ip_gre: add validation for csum_start
e1000e: Fix the max snoop/no-snoop latency for 10M
IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs()
usb: dwc3: gadget: Stop EP0 transfers during pullup disable
usb: dwc3: gadget: Fix dwc3_calc_trbs_left()
USB: serial: option: add new VID/PID to support Fibocom FG150
Revert "USB: serial: ch341: fix character loss at high transfer rates"
can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
once: Fix panic when module unload
netfilter: conntrack: collect all entries in one cycle
ARC: Fix CONFIG_STACKDEPOT
bpf: Fix truncation handling for mod32 dst reg wrt zero
bpf: Fix 32 bit src register truncation on div/mod
bpf: Do not use ax register in interpreter on div/mod
net: qrtr: fix another OOB Read in qrtr_endpoint_post
Revert "net: igmp: fix data-race in igmp_ifc_timer_expire()"
Revert "net: igmp: increase size of mr_ifc_count"
Revert "PCI/MSI: Protect msi_desc::masked for multi-MSI"
ANDROID: update ABI representation
Linux 4.19.205
netfilter: nft_exthdr: fix endianness of tcp option cast
fs: warn about impending deprecation of mandatory locks
locks: print a warning when mount fails due to lack of "mand" support
ASoC: intel: atom: Fix breakage for PCM buffer address setup
PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI
btrfs: prevent rename2 from exchanging a subvol with a directory from different parents
ipack: tpci200: fix memory leak in the tpci200_register
ipack: tpci200: fix many double free issues in tpci200_pci_probe
slimbus: ngd: reset dma setup during runtime pm
slimbus: messaging: check for valid transaction id
slimbus: messaging: start transaction ids from 1 instead of zero
tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name
ALSA: hda - fix the 'Capture Switch' value change notifications
mmc: dw_mmc: Fix hang on data CRC error
net: mdio-mux: Handle -EPROBE_DEFER correctly
net: mdio-mux: Don't ignore memory allocation errors
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
ptp_pch: Restore dependency on PCI
net: 6pack: fix slab-out-of-bounds in decode_data
bnxt: disable napi before canceling DIM
bnxt: don't lock the tx queue from napi poll
vhost: Fix the calculation in vhost_overflow()
dccp: add do-while-0 stubs for dccp_pr_debug macros
cpufreq: armada-37xx: forbid cpufreq for 1.2 GHz variant
Bluetooth: hidp: use correct wait queue when removing ctrl_wait
net: usb: lan78xx: don't modify phy_device state concurrently
ARM: dts: nomadik: Fix up interrupt controller node names
scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers
ath9k: Postpone key cache entry deletion for TXQ frames reference it
ath: Modify ath_key_delete() to not need full key entry
ath: Export ath_hw_keysetmac()
ath9k: Clear key cache explicitly on disabling hardware
ath: Use safer key clearing with key cache entries
x86/fpu: Make init_fpstate correct with optimized XSAVE
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
mac80211: drop data frames without key on encrypted links
iommu/vt-d: Fix agaw for a supported 48 bit guest address width
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
PCI/MSI: Enforce MSI[X] entry updates to be visible
PCI/MSI: Enforce that MSI-X table entry is masked for update
PCI/MSI: Mask all unused MSI-X entries
PCI/MSI: Protect msi_desc::masked for multi-MSI
PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
PCI/MSI: Correct misleading comments
PCI/MSI: Do not set invalid bits in MSI mask
PCI/MSI: Enable and mask MSI-X early
genirq/msi: Ensure deactivation on teardown
x86/resctrl: Fix default monitoring groups reporting
x86/ioapic: Force affinity setup before startup
x86/msi: Force affinity setup before startup
genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP
x86/tools: Fix objdump version check again
powerpc/kprobes: Fix kprobe Oops happens in booke
vsock/virtio: avoid potential deadlock when vsock device remove
xen/events: Fix race in set_evtchn_to_irq
net: igmp: increase size of mr_ifc_count
tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
net: bridge: fix memleak in br_add_if()
net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
net: igmp: fix data-race in igmp_ifc_timer_expire()
net: Fix memory leak in ieee802154_raw_deliver
psample: Add a fwd declaration for skbuff
ppp: Fix generating ifname when empty IFLA_IFNAME is specified
net: dsa: mt7530: add the missing RxUnicast MIB counter
ASoC: cs42l42: Fix LRCLK frame start edge
ASoC: cs42l42: Remove duplicate control for WNF filter frequency
ASoC: cs42l42: Fix inversion of ADC Notch Switch control
ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
ASoC: cs42l42: Correct definition of ADC Volume control
ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
ACPI: NFIT: Fix support for virtual SPA ranges
i2c: dev: zero out array used for i2c reads from userspace
ASoC: intel: atom: Fix reference to PCM buffer address
iio: adc: Fix incorrect exit of for-loop
iio: humidity: hdc100x: Add margin to the conversion time
ANDROID: xt_quota2: set usersize in xt_match registration object
ANDROID: xt_quota2: clear quota2_log message before sending
ANDROID: xt_quota2: remove trailing junk which might have a digit in it
Linux 4.19.204
net: xilinx_emaclite: Do not print real IOMEM pointer
ovl: prevent private clone if bind mount is not allowed
ppp: Fix generating ppp unit id when ifname is not specified
USB:ehci:fix Kunpeng920 ehci hardware problem
KVM: X86: MMU: Use the correct inherited permissions to get shadow page
bpf, selftests: Adjust few selftest outcomes wrt unreachable code
bpf: Fix leakage under speculation on mispredicted branches
bpf: Do not mark insn as seen under speculative path verification
bpf: Inherit expanded/patched seen count from old aux data
tracing: Reject string operand in the histogram expression
KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
Linux 4.19.203
ARM: imx: add mmdc ipg clock operation for mmdc
net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
alpha: Send stop IPI to send to online CPUs
reiserfs: check directory items on read from disk
reiserfs: add check for root_inode in reiserfs_fill_super
libata: fix ata_pio_sector for CONFIG_HIGHMEM
qmi_wwan: add network device usage statistics for qmimux devices
perf/x86/amd: Don't touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest
spi: meson-spicc: fix memory leak in meson_spicc_remove
KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
KVM: x86: accept userspace interrupt only if no event is injected
pcmcia: i82092: fix a null pointer dereference bug
MIPS: Malta: Do not byte-swap accesses to the CBUS UART
serial: 8250: Mask out floating 16/32-bit bus bits
ext4: fix potential htree corruption when growing large_dir directories
pipe: increase minimum default pipe size to 2 pages
media: rtl28xxu: fix zero-length control request
staging: rtl8723bs: Fix a resource leak in sd_int_dpc
optee: Clear stale cache entries during initialization
tracing/histogram: Rename "cpu" to "common_cpu"
tracing / histogram: Give calculation hist_fields a size
scripts/tracing: fix the bug that can't parse raw_trace_func
usb: otg-fsm: Fix hrtimer list corruption
usb: gadget: f_hid: idle uses the highest byte for duration
usb: gadget: f_hid: fixed NULL pointer dereference
usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers
ALSA: usb-audio: Add registration quirk for JBL Quantum 600
firmware_loader: fix use-after-free in firmware_fallback_sysfs
firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback
USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
USB: serial: ch341: fix character loss at high transfer rates
USB: serial: option: add Telit FD980 composition 0x1056
USB: usbtmc: Fix RCU stall warning
Bluetooth: defer cleanup of resources in hci_unregister_dev()
blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
net: vxge: fix use-after-free in vxge_device_unregister
net: fec: fix use-after-free in fec_drv_remove
net: pegasus: fix uninit-value in get_interrupt_interval
bnx2x: fix an error code in bnx2x_nic_load()
mips: Fix non-POSIX regexp
net: ipv6: fix returned variable type in ip6_skb_dst_mtu
nfp: update ethtool reporting of pauseframe control
sctp: move the active_key update after sh_keys is added
net: natsemi: Fix missing pci_disable_device() in probe and remove
media: videobuf2-core: dequeue if start_streaming fails
scsi: sr: Return correct event when media event code is 3
omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator
clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
ALSA: usb-audio: fix incorrect clock source setting
ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz
ARM: imx: add missing iounmap()
ALSA: seq: Fix racy deletion of subscriber
Revert "ACPICA: Fix memory leak caused by _CID repair function"
Revert "bdi: add a ->dev_name field to struct backing_dev_info"
Revert "padata: validate cpumask without removed CPU during offline"
Revert "padata: add separate cpuhp node for CPUHP_PADATA_DEAD"
Linux 4.19.202
spi: mediatek: Fix fifo transfer
padata: add separate cpuhp node for CPUHP_PADATA_DEAD
padata: validate cpumask without removed CPU during offline
Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
firmware: arm_scmi: Ensure drivers provide a probe function
drm/i915: Ensure intel_engine_init_execlist() builds with Clang
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
bdi: add a ->dev_name field to struct backing_dev_info
bdi: use bdi_dev_name() to get device name
bdi: move bdi_dev_name out of line
net: Fix zero-copy head len calculation.
qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union()
r8152: Fix potential PM refcount imbalance
ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
btrfs: mark compressed range uptodate only if all bio succeed
Linux 4.19.201
i40e: Add additional info to PHY type error
Revert "perf map: Fix dso->nsinfo refcounting"
powerpc/pseries: Fix regression while building external modules
can: hi311x: fix a signedness bug in hi3110_cmd()
sis900: Fix missing pci_disable_device() in probe and remove
tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
sctp: fix return value check in __sctp_rcv_asconf_lookup
net/mlx5: Fix flow table chaining
net: llc: fix skb_over_panic
mlx4: Fix missing error code in mlx4_load_one()
tipc: fix sleeping in tipc accept routine
i40e: Fix log TC creation failure when max num of queues is exceeded
i40e: Fix logic of disabling queues
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
netfilter: conntrack: adjust stop timestamp to real expiry value
cfg80211: Fix possible memory leak in function cfg80211_bss_update
nfc: nfcsim: fix use after free during module unload
NIU: fix incorrect error return, missed in previous revert
can: esd_usb2: fix memory leak
can: ems_usb: fix memory leak
can: usb_8dev: fix memory leak
can: mcba_usb_start(): add missing urb->transfer_dma initialization
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
ocfs2: issue zeroout to EOF blocks
ocfs2: fix zero out valid data
x86/kvm: fix vcpu-id indexed array sizes
btrfs: fix rw device counting in __btrfs_free_extra_devids
x86/asm: Ensure asm/proto.h can be included stand-alone
gro: ensure frag0 meets IP header alignment
virtio_net: Do not pull payload in skb->head
Change-Id: I6efce946e476223022d8ad8db874e9e037abf7fc
Signed-off-by: bengris32 <bengris32@protonmail.ch>
89f762b172