https://source.android.com/docs/security/bulletin/2023-04-01
CVE-2022-4696
CVE-2023-20941
* tag 'ASB-2023-04-05_4.14-stable' of https://android.googlesource.com/kernel/common:
ANDROID: gki_defconfig: enable BLAKE2b support
UPSTREAM: crypto: testmgr - fix testing OPTIONAL_KEY hash algorithms
UPSTREAM: crypto: blake2b - Fix clang optimization for ARMv7-M
UPSTREAM: crypto: blake2b - rename tfm context and _setkey callback
UPSTREAM: crypto: blake2b - merge _update to api callback
UPSTREAM: crypto: blake2b - open code set last block helper
UPSTREAM: crypto: blake2b - delete unused structs or members
UPSTREAM: crypto: blake2b - simplify key init
UPSTREAM: crypto: blake2b - merge blake2 init to api callback
UPSTREAM: crypto: blake2b - merge _final implementation to callback
UPSTREAM: crypto: testmgr - add test vectors for blake2b
UPSTREAM: crypto: blake2b - add blake2b generic implementation
Linux 4.14.311
HID: uhid: Over-ride the default maximum data buffer value with our own
HID: core: Provide new max_buffer_size attribute to over-ride the default
serial: 8250_em: Fix UART port type
drm/i915: Don't use stolen memory for ring buffers with LLC
fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
ftrace: Fix invalid address access in lookup_rec() when index is 0
sh: intc: Avoid spurious sizeof-pointer-div warning
ext4: fix task hung in ext4_xattr_delete_inode
ext4: fail ext4_iget if special inode unallocated
mmc: atmel-mci: fix race between stop command and start of next command
media: m5mols: fix off-by-one loop termination error
hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition
hwmon: (adt7475) Fix masking of hysteresis registers
hwmon: (adt7475) Display smoothing attributes in correct order
ethernet: sun: add check for the mdesc_grab()
net/iucv: Fix size of interrupt data
net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull
ipv4: Fix incorrect table ID in IOCTL path
block: sunvdc: add check for mdesc_grab() returning NULL
nvmet: avoid potential UAF in nvmet_req_complete()
net: usb: smsc75xx: Limit packet length to skb->len
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
net: tunnels: annotate lockless accesses to dev->needed_headroom
qed/qed_dev: guard against a possible division by zero
nfc: pn533: initialize struct pn533_out_arg properly
tcp: tcp_make_synack() can be called from process context
fs: sysfs_emit_at: Remove PAGE_SIZE alignment check
ext4: fix cgroup writeback accounting with fs-layer encryption
Linux 4.14.310
x86/cpu: Fix LFENCE serialization check in init_amd()
drm/i915: Don't use BAR mappings for ring buffers with LLC
tipc: improve function tipc_wait_for_cond()
media: ov5640: Fix analogue gain control
PCI: Add SolidRun vendor ID
macintosh: windfarm: Use unsigned type for 1-bit bitfields
alpha: fix R_ALPHA_LITERAL reloc for large modules
MIPS: Fix a compilation issue
net: caif: Fix use-after-free in cfusbl_device_notify()
ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
nfc: change order inside nfc_se_io error path
ext4: zero i_disksize when initializing the bootloader inode
ext4: fix WARNING in ext4_update_inline_data
ext4: move where set the MAY_INLINE_DATA flag is set
ext4: fix another off-by-one fsmap error on 1k block filesystems
ext4: fix RENAME_WHITEOUT handling for inline directories
x86/CPU/AMD: Disable XSAVES on AMD family 0x17
fs: prevent out-of-bounds array speculation when closing a file descriptor
Linux 4.14.309
staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh
staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
Linux 4.14.308
thermal: intel: powerclamp: Fix cur_state for multi package system
tcp: Fix listen() regression in 4.14.303.
s390/setup: init jump labels before command line parsing
s390/maccess: add no DAT mode to kernel_write
Bluetooth: hci_sock: purge socket queues in the destruct() callback
phy: rockchip-typec: Fix unsigned comparison with less than zero
usb: uvc: Enumerate valid values for color matching
USB: ene_usb6250: Allocate enough memory for full object
usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
tools/iio/iio_utils:fix memory leak
tty: serial: fsl_lpuart: disable the CTS when send break signal
tty: fix out-of-bounds access in tty_driver_lookup_tty()
media: uvcvideo: Handle cameras with invalid descriptors
firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
thermal: intel: quark_dts: fix error pointer dereference
scsi: ipr: Work around fortify-string warning
tcp: tcp_check_req() can be called from process context
ARM: dts: spear320-hmi: correct STMPE GPIO compatible
nfc: fix memory leak of se_io context in nfc_genl_se_io
9p/xen: fix connection sequence
9p/xen: fix version parsing
net: fix __dev_kfree_skb_any() vs drop monitor
netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
watchdog: pcwd_usb: Fix attempting to access uninitialized memory
watchdog: Fix kmemleak in watchdog_cdev_register
watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
ubifs: ubifs_writepage: Mark page dirty after writing inode failed
ubifs: dirty_cow_znode: Fix memleak in error handling path
ubifs: Re-statistic cleaned znode count if commit failed
ubi: Fix possible null-ptr-deref in ubi_free_volume()
ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
ubi: Fix use-after-free when volume resizing failed
ubifs: Reserve one leb for each journal head while doing budget
ubifs: Fix wrong dirty space budget for dirty inode
ubifs: Rectify space budget for ubifs_xrename()
ubi: ensure that VID header offset + VID header size <= alloc, size
pwm: stm32-lp: fix the check on arr and cmp registers update
fs/jfs: fix shift exponent db_agl2size negative
net/sched: Retire tcindex classifier
kbuild: Port silent mode detection to future gnu make.
drm/radeon: Fix eDP for single-display iMac11,2
PCI: Avoid FLR for AMD FCH AHCI adapters
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
scsi: ses: Don't attach if enclosure has no components
scsi: qla2xxx: Fix erroneous link down
scsi: qla2xxx: Fix link failure in NPIV environment
ktest.pl: Fix missing "end_monitor" when machine check fails
mips: fix syscall_get_nr
alpha: fix FEN fault handling
rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
ARM: dts: exynos: correct TMU phandle in Odroid XU
ARM: dts: exynos: correct TMU phandle in Exynos4
dm flakey: don't corrupt the zero page
dm flakey: fix logic when corrupting a bio
wifi: cfg80211: Fix use after free for wext
wifi: rtl8xxxu: Use a longer retry limit of 48
ext4: refuse to create ea block when umounted
ext4: optimize ea_inode block expansion
ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
irqdomain: Drop bogus fwspec-mapping error handling
irqdomain: Fix disassociation race
irqdomain: Fix association race
ima: Align ima_file_mmap() parameters with mmap_file LSM hook
Documentation/hw-vuln: Document the interaction between IBRS and STIBP
x86/speculation: Allow enabling STIBP with legacy IBRS
x86/microcode/AMD: Fix mixed steppings support
x86/microcode/AMD: Add a @cpu parameter to the reloading functions
x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
x86/reboot: Disable SVM, not just VMX, when stopping CPUs
x86/reboot: Disable virtualization in an emergency if SVM is supported
x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
udf: Fix file corruption when appending just after end of preallocated extent
udf: Do not update file length for failed writes to inline files
udf: Do not bother merging very long extents
udf: Truncate added extents on failed expansion
ocfs2: fix non-auto defrag path not working issue
ocfs2: fix defrag path triggering jbd2 ASSERT
f2fs: fix information leak in f2fs_move_inline_dirents()
fs: hfsplus: fix UAF issue in hfsplus_put_super
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
s390/kprobes: fix current_kprobe never cleared after kprobes reenter
s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
rtc: pm8xxx: fix set-alarm race
wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
spi: bcm63xx-hsspi: Fix multi-bit mode setting
dm cache: add cond_resched() to various workqueue loops
dm thin: add cond_resched() to various workqueue loops
pinctrl: at91: use devm_kasprintf() to avoid potential leaks
regulator: s5m8767: Bounds check id indexing into arrays
regulator: max77802: Bounds check regulator id against opmode
ASoC: kirkwood: Iterate over array indexes instead of using pointer math
docs/scripts/gdb: add necessary make scripts_gdb step
drm/msm/dsi: Add missing check for alloc_ordered_workqueue
drm/radeon: free iio for atombios when driver shutdown
ACPI: video: Fix Lenovo Ideapad Z570 DMI match
m68k: Check syscall_trace_enter() return code
net: bcmgenet: Add a check for oversized packets
ACPI: Don't build ACPICA with '-Os'
inet: fix fast path in __inet_hash_connect()
x86/bugs: Reset speculation control settings on init
timers: Prevent union confusion from unexpected restart_syscall()
thermal: intel: Fix unsigned comparison with less than zero
rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
udf: Define EFSCORRUPTED error code
rpmsg: glink: Avoid infinite loop on intent for missing channel
media: usb: siano: Fix use after free bugs caused by do_submit_urb
media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
media: platform: ti: Add missing check for devm_regulator_get
MIPS: vpe-mt: drop physical_memsize
powerpc/pseries/lparcfg: add missing RTAS retry status handling
powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
Input: ads7846 - don't check penirq immediately for 7845
Input: ads7846 - don't report pressure for ads7845
mtd: rawnand: sunxi: Fix the size of the last OOB region
mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
dm: remove flush_scheduled_work() during local_exit()
scsi: aic94xx: Add missing check for dma_map_single()
hwmon: (ltc2945) Handle error case in ltc2945_value_store
gpio: vf610: connect GPIO label to dev name
ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
drm/mediatek: Drop unbalanced obj unref
drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
ALSA: hda/ca0132: minor fix for allocation size
pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
drm/bridge: megachips: Fix error handling in i2c_register_driver()
drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
m68k: /proc/hardware should depend on PROC_FS
crypto: rsa-pkcs1pad - Use akcipher_request_complete
Bluetooth: L2CAP: Fix potential user-after-free
cpufreq: davinci: Fix clk use after free
irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
net/mlx5: Enhance debug print in page allocation failure
crypto: seqiv - Handle EBUSY correctly
ACPI: battery: Fix missing NUL-termination with large strings
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
wifi: orinoco: check return value of hermes_write_wordrec()
ACPICA: nsrepair: handle cases without a return value correctly
lib/mpi: Fix buffer overrun when SG is too long
genirq: Fix the return type of kstat_cpu_irqs_sum()
wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
wifi: ipw2200: fix memory leak in ipw_wdev_init()
wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
wifi: libertas: fix memory leak in lbs_init_adapter()
block: bio-integrity: Copy flags when bio_integrity_payload is cloned
arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
arm64: dts: meson-gx: Fix Ethernet MAC address unit name
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
HID: asus: use spinlock to safely schedule workers
HID: asus: use spinlock to protect concurrent accesses
HID: asus: Remove check for same LED brightness on set
USB: core: Don't hold device lock while reading the "descriptors" sysfs file
USB: serial: option: add support for VW/Skoda "Carstick LTE"
dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size
bpf: Fix truncation handling for mod32 dst reg wrt zero
bpf: Fix 32 bit src register truncation on div/mod
bpf: fix subprog verifier bypass by div/mod by 0 exception
bpf: Do not use ax register in interpreter on div/mod
net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
IB/hfi1: Assign npages earlier
btrfs: send: limit number of clones and allocated memory size
ARM: dts: rockchip: add power-domains property to dp node on rk3288
Conflicts:
drivers/mtd/ubi/wl.c
Change-Id: I2385e39a91a9591837e8c8c8e0807bf3e858eee8
ec83706f76