https://source.android.com/security/bulletin/2022-01-01
CVE-2020-14305
CVE-2020-29368
CVE-2021-39633
CVE-2021-39634
* tag 'ASB-2022-01-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Linux 4.19.224
net: fix use-after-free in tw_timer_handler
Input: spaceball - fix parsing of movement data packets
Input: appletouch - initialize work before device registration
scsi: vmw_pvscsi: Set residual data length conditionally
binder: fix async_free_space accounting for empty parcels
usb: mtu3: set interval of FS intr and isoc endpoint
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
uapi: fix linux/nfc.h userspace compilation errors
nfc: uapi: use kernel size_t to fix user-space builds
i2c: validate user data in compat ioctl
fsl/fman: Fix missing put_device() call in fman_port_probe
selftests/net: udpgso_bench_tx: fix dst ip argument
net/mlx5e: Fix wrong features assignment in case of error
NFC: st21nfca: Fix memory leak in device probe and remove
net: usb: pegasus: Do not drop long Ethernet frames
sctp: use call_rcu to free endpoint
selftests: Calculate udpgso segment count without header adjustment
udp: using datalen to cap ipv6 udp max gso segments
scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
selinux: initialize proto variable in selinux_ip_postroute_compat()
recordmcount.pl: fix typo in s390 mcount regex
platform/x86: apple-gmux: use resource_size() with res
Input: i8042 - enable deferred probe quirk for ASUS UM325UA
Input: i8042 - add deferred probe support
tee: handle lookup of shm with reference count 0
HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option
Linux 4.19.223
phonet/pep: refuse to enable an unbound pipe
hamradio: improve the incomplete fix to avoid NPD
hamradio: defer ax25 kfree after unregister_netdev
ax25: NPD bug when detaching AX25 device
hwmon: (lm90) Do not report 'busy' status bit as alarm
KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
usb: gadget: u_ether: fix race in setting MAC address in setup phase
f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
parisc: Correct completer in lws start
ipmi: fix initialization when workqueue allocation fails
ipmi: bail out if init_srcu_struct fails
Input: atmel_mxt_ts - fix double free in mxt_read_info_block
ALSA: drivers: opl3: Fix incorrect use of vp->state
ALSA: jack: Check the return value of kstrdup()
hwmon: (lm90) Fix usage of CONFIG2 register in detect function
sfc: falcon: Check null pointer of rx_queue->page_ring
drivers: net: smc911x: Check for error irq
fjes: Check for error irq
bonding: fix ad_actor_system option setting to default
ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
net: skip virtio_net_hdr_set_proto if protocol already set
net: accept UFOv6 packages in virtio_net_hdr_to_skb
qlcnic: potential dereference null pointer of rx_queue->page_ring
netfilter: fix regression in looped (broad|multi)cast's MAC handling
IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
spi: change clk_disable_unprepare to clk_unprepare
arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
HID: holtek: fix mouse probing
block, bfq: fix use after free in bfq_bfqq_expire
block, bfq: fix queue removal from weights tree
block, bfq: fix decrement of num_active_groups
block, bfq: fix asymmetric scenarios detection
block, bfq: improve asymmetric scenarios detection
net: usb: lan78xx: add Allied Telesis AT29M2-AF
Revert "ARM: 8800/1: use choice for kernel unwinders"
Linux 4.19.222
xen/netback: don't queue unlimited number of packages
xen/netback: fix rx queue stall detection
xen/console: harden hvc_xen against event channel storms
xen/netfront: harden netfront against event channel storms
xen/blkfront: harden blkfront against event channel storms
scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
ovl: fix warning in ovl_create_real()
fuse: annotate lock in fuse_reverse_inval_entry()
media: mxl111sf: change mutex_init() location
ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
firmware: arm_scpi: Fix string overflow in SCPI genpd driver
Input: touchscreen - avoid bitwise vs logical OR warning
ARM: 8800/1: use choice for kernel unwinders
mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
ARM: 8805/2: remove unneeded naked function usage
net: lan78xx: Avoid unnecessary self assignment
mac80211: validate extended element ID is present
net: systemport: Add global locking for descriptor lifecycle
drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
libata: if T_LENGTH is zero, dma direction should be DMA_NONE
timekeeping: Really make sure wall_to_monotonic isn't positive
USB: serial: option: add Telit FN990 compositions
USB: serial: cp210x: fix CP2105 GPIO registration
PCI/MSI: Mask MSI-X vectors only on success
PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
USB: gadget: bRequestType is a bitfield, not a enum
sit: do not call ipip6_dev_free() from sit_init_net()
net/packet: rx_owner_map depends on pg_vec
netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
ixgbe: set X550 MDIO speed before talking to PHY
igbvf: fix double free in `igbvf_probe`
igb: Fix removal of unicast MAC filters of VFs
soc/tegra: fuse: Fix bitwise vs. logical OR warning
rds: memory leak in __rds_conn_create()
dmaengine: st_fdma: fix MODULE_ALIAS
sch_cake: do not call cake_destroy() from cake_init()
ARM: socfpga: dts: fix qspi node compatible
mac80211: track only QoS data frames for admission control
x86/sme: Explicitly map new EFI memmap table as encrypted
x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol
nfsd: fix use-after-free due to delegation race
audit: improve robustness of the audit queue handling
dm btree remove: fix use after free in rebalance_children()
recordmcount.pl: look for jgnop instruction as well as bcrl on s390
mac80211: send ADDBA requests using the tid/queue of the aggregation session
hwmon: (dell-smm) Fix warning on /proc/i8k creation error
tracing: Fix a kmemleak false positive in tracing_map
net: netlink: af_netlink: Prevent empty skb by adding a check on len.
i2c: rk3x: Handle a spurious start completion interrupt flag
parisc/agp: Annotate parisc agp init functions with __init
net/mlx4_en: Update reported link modes for 1/10G
drm/msm/dsi: set default num_data_lanes
nfc: fix segfault in nfc_genl_dump_devices_done
stable: clamp SUBLEVEL in 4.19
FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum
ANDROID: GKI: abi workaround for 4.19.221
Linux 4.19.221
net: sched: make function qdisc_free_cb() static
net_sched: fix a crash in tc_new_tfilter()
irqchip: nvic: Fix offset for Interrupt Priority Offsets
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
iio: adc: axp20x_adc: fix charging current reporting on AXP22x
iio: at91-sama5d2: Fix incorrect sign extension
iio: dln2: Check return value of devm_iio_trigger_register()
iio: dln2-adc: Fix lockdep complaint
iio: itg3200: Call iio_trigger_notify_done() on error
iio: kxsd9: Don't return error code in trigger handler
iio: ltr501: Don't return error code in trigger handler
iio: mma8452: Fix trigger reference couting
iio: stk3310: Don't return error code in interrupt handler
iio: trigger: stm32-timer: fix MODULE_ALIAS
iio: trigger: Fix reference counting
xhci: avoid race between disable slot command and host runtime suspend
usb: core: config: using bit mask instead of individual bits
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
usb: core: config: fix validation of wMaxPacketValue entries
USB: gadget: zero allocate endpoint 0 buffers
USB: gadget: detect too-big endpoint 0 requests
net/qla3xxx: fix an error code in ql_adapter_up()
net, neigh: clear whole pneigh_entry at alloc time
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
net: altera: set a couple error code in probe()
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
tools build: Remove needless libpython-version feature check that breaks test-all fast path
mtd: rawnand: fsmc: Take instruction delay into account
i40e: Fix pre-set max number of queues for VF
ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
qede: validate non LSO skb length
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
tracefs: Set all files to the same group ownership as the mount option
aio: fix use-after-free due to missing POLLFREE handling
aio: keep poll requests on waitqueue until completed
signalfd: use wake_up_pollfree()
binder: use wake_up_pollfree()
wait: add wake_up_pollfree()
libata: add horkage for ASMedia 1092
can: m_can: Disable and ignore ELO interrupt
can: pch_can: pch_can_rx_normal: fix use after free
clk: qcom: regmap-mux: fix parent clock lookup
tracefs: Have new files inherit the ownership of their parent
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
ALSA: pcm: oss: Limit the period size to 16MB
ALSA: pcm: oss: Fix negative period/buffer sizes
ALSA: ctl: Fix copy of updated id with element read/write
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
IB/hfi1: Correct guard on eager buffer deallocation
udp: using datalen to cap max gso segments
seg6: fix the iif in the IPv6 socket control block
nfp: Fix memory leak in nfp_cpp_area_cache_add()
bonding: make tx_rebalance_counter an atomic
ice: ignore dropped packets during init
bpf: Fix the off-by-two error in range markings
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
net: sched: use Qdisc rcu API instead of relying on rtnl lock
net: sched: add helper function to take reference to Qdisc
net: sched: extend Qdisc with rcu
net: sched: rename qdisc_destroy() to qdisc_put()
net: core: netlink: add helper refcount dec and lock function
can: sja1000: fix use after free in ems_pcmcia_add_card()
can: kvaser_usb: get CAN clock frequency from device
HID: check for valid USB device for many HID drivers
HID: wacom: fix problems when device is not a valid USB device
HID: add USB_HID dependancy on some USB HID drivers
HID: add USB_HID dependancy to hid-chicony
HID: add USB_HID dependancy to hid-prodikeys
HID: add hid_is_usb() function to make it simpler for USB detection
HID: google: add eel USB id
UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers
UPSTREAM: USB: gadget: detect too-big endpoint 0 requests
Linux 4.19.220
ipmi: msghandler: Make symbol 'remove_work_wq' static
parisc: Mark cr16 CPU clocksource unstable on all SMP machines
serial: core: fix transmit-buffer reset and memleak
serial: pl011: Add ACPI SBSA UART match id
tty: serial: msm_serial: Deactivate RX DMA for polling support
x86/64/mm: Map all kernel memory into trampoline_pgd
usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
xhci: Fix commad ring abort, write all 64 bits to CRCR register.
vgacon: Propagate console boot parameters before calling `vc_resize'
parisc: Fix "make install" on newer debian releases
parisc: Fix KBUILD_IMAGE for self-extracting kernel
drm/msm: Do hw_init() before capturing GPU state
net/smc: Keep smc_close_final rc during active close
net/rds: correct socket tunable error in rds_tcp_tune()
net: annotate data-races on txq->xmit_lock_owner
net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available
rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
siphash: use _unaligned version by default
net: mpls: Fix notifications when deleting a device
net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
natsemi: xtensa: fix section mismatch warnings
i2c: stm32f7: stop dma transfer in case of NACK
i2c: stm32f7: recover the bus on access timeout
fget: check that the fd still exists after getting a ref to it
fs: add fget_many() and fput_many()
sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
ipmi: Move remove_work to dedicated workqueue
kprobes: Limit max data_size of the kretprobe instances
vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
perf hist: Fix memory leak of a perf_hpp_fmt
net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
scsi: iscsi: Unblock session then wake up error handler
thermal: core: Reset previous low and high trip during thermal zone init
btrfs: check-integrity: fix a warning on write caching disabled disk
s390/setup: avoid using memblock_enforce_memory_limit
platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
net: return correct error code
atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
gfs2: Fix length of holes reported at end-of-file
of: clk: Make <linux/of_clk.h> self-contained
NFSv42: Fix pagecache invalidation after COPY/CLONE
shm: extend forced shm destroy to support objects from several IPC nses
Conflicts:
drivers/hid/hid-holtek-mouse.c (used theirs)
drivers/usb/gadget/legacy/dbgp.c
Change-Id: I7d36754e28ada463e28de2fbd95a5d8c9c9554d9
Signed-off-by: bengris32 <bengris32@protonmail.ch>
74c4856529