https://source.android.com/docs/security/bulletin/2024-06-01
CVE-2024-26926
* tag 'ASB-2024-06-05_4.19-stable' of https://android.googlesource.com/kernel/common:
BACKPORT: net: fix __dst_negative_advice() race
Linux 4.19.315
docs: kernel_include.py: Cope with docutils 0.21
serial: kgdboc: Fix NMI-safety problems from keyboard reset code
tracing: Remove unnecessary var_ref destroy in track_data_destroy()
tracing: Generalize hist trigger onmax and save action
tracing: Split up onmatch action data
tracing: Refactor hist trigger action code
tracing: Have the historgram use the result of str_has_prefix() for len of prefix
tracing: Use str_has_prefix() instead of using fixed sizes
tracing: Use str_has_prefix() helper for histogram code
string.h: Add str_has_prefix() helper function
tracing: Consolidate trace_add/remove_event_call back to the nolock functions
tracing: Remove unneeded synth_event_mutex
tracing: Use dyn_event framework for synthetic events
tracing: Add unified dynamic event framework
tracing: Simplify creation and deletion of synthetic events
btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
dm: limit the number of targets and parameter size area
Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"
Linux 4.19.314
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
net: fix out-of-bounds access in ops_init
drm/vmwgfx: Fix invalid reads in fence signaled events
dyndbg: fix old BUG_ON in >control parser
tipc: fix UAF in error path
usb: gadget: f_fs: Fix a race condition when processing setup packets.
usb: gadget: composite: fix OS descriptors w_value logic
firewire: nosy: ensure user_length is taken into account when fetching packet contents
af_unix: Fix garbage collector racing against connect()
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
net: bridge: fix corrupted ethernet header on multicast-to-unicast
phonet: fix rtm_phonet_notify() skb allocation
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
tcp: remove redundant check on tskb
net:usb:qmi_wwan: support Rolling modules
fs/9p: drop inodes immediately on non-.L too
gpio: crystalcove: Use -ENOTSUPP consistently
gpio: wcove: Use -ENOTSUPP consistently
9p: explicitly deny setlease attempts
fs/9p: translate O_TRUNC into OTRUNC
fs/9p: only translate RWX permissions for plain 9P2000
selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
scsi: target: Fix SELinux error when systemd-modules loads the target module
btrfs: always clear PERTRANS metadata during commit
btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
tools/power turbostat: Fix Bzy_MHz documentation typo
tools/power turbostat: Fix added raw MSR output
firewire: ohci: mask bus reset interrupts between ISR and bottom half
ata: sata_gemini: Check clk_enable() result
net: bcmgenet: Reset RBUF on first open
ALSA: line6: Zero-initialize message buffers
scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
net: mark racy access on sk->sk_rcvbuf
wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
gfs2: Fix invalid metadata access in punch_hole
scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
tipc: fix a possible memleak in tipc_buf_append
net: bridge: fix multicast-to-unicast with fraglist GSO
net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
net: dsa: mv88e6xxx: Add number of MACs in the ATU
net l2tp: drop flow hash on forward
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
bna: ensure the copied buf is NUL terminated
s390/mm: Fix clearing storage keys for huge pages
s390/mm: Fix storage key clearing for guest huge pages
pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
power: rt9455: hide unused rt9455_boost_voltage_values
pinctrl: core: delete incorrect free in pinctrl_enable()
ethernet: Add helper for assigning packet type when dest address does not match device address
ethernet: add a helper for assigning port addresses
net: slightly optimize eth_type_trans
drm/amdgpu: Fix leak when GPU memory allocation fails
drm/amdkfd: change system memory overcommit limit
wifi: nl80211: don't free NULL coalescing rule
dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
dmaengine: pl330: issue_pending waits until WFP state
Linux 4.19.313
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
udp: preserve the connected status if only UDP cmsg
Revert "y2038: rusage: use __kernel_old_timeval"
Revert "loop: Remove sector_t truncation checks"
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
i2c: smbus: fix NULL function pointer dereference
idma64: Don't try to serve interrupts when device is powered off
dmaengine: owl: fix register access functions
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
mtd: diskonchip: work around ubsan link failure
stackdepot: respect __GFP_NOLOCKDEP allocation flag
net: b44: set pause params only when interface is up
irqchip/gic-v3-its: Prevent double free on error
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
tracing: Show size of requested perf buffer
Revert "crypto: api - Disallow identical driver names"
drm/amdgpu: validate the parameters of bo mapping operations more clearly
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
drm/amdgpu: restrict bo mapping within gpu address limits
serial: mxs-auart: add spinlock around changing cts state
serial: core: Provide port lock wrappers
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
net: openvswitch: ovs_ct_exit to be done under ovs_lock
ipvs: Fix checksumming on GSO of SCTP packets
net: gtp: Fix Use-After-Free in gtp_dellink
net: usb: ax88179_178a: stop lying about skb->truesize
NFC: trf7970a: disable all regulators on removal
mlxsw: core: Unregister EMAD trap using FORWARD action
vxlan: drop packets from invalid src-address
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
tracing: Use var_refs[] for hist trigger reference checking
tracing: Remove hist trigger synth_var_refs
nilfs2: fix OOB in nilfs_set_de_type
nouveau: fix instmem race condition around ptr stores
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
speakup: Avoid crash on very long word
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
Revert "usb: cdc-wdm: close race between read and workqueue"
USB: serial: option: add Telit FN920C04 rmnet compositions
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Fibocom FM135-GL variants
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
comedi: vmk80xx: fix incomplete endpoint checking
drm: nv04: Fix out of bounds access
RDMA/mlx5: Fix port number for counter query in multi-port configuration
tun: limit printing rate when illegal packet received by tun dev
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nf_tables: __nft_expr_type_get() selects specific family type
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
kprobes: Fix possible use-after-free issue on kprobe registration
selftests/ftrace: Limit length in subsystem-enable tests
btrfs: record delayed inode root in transaction
x86/apic: Force native_apic_mem_read() to use the MOV instruction
selftests: timers: Fix abs() warning in posix_timers test
vhost: Add smp_rmb() in vhost_vq_avail_empty()
tracing: hide unused ftrace_event_id_fops
net/mlx5: Properly link new fs rules into the tree
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
ipv4/route: avoid unused-but-set-variable warning
ipv6: fib: hide unused 'pn' variable
geneve: fix header validation in geneve[6]_xmit_skb
nouveau: fix function cast warning
Bluetooth: Fix memory leak in hci_req_sync_complete()
batman-adv: Avoid infinite loop trying to resize local TT
Conflicts:
drivers/net/usb/ax88179_178a.c
Change-Id: I73f07cafe3403d98dad2e4a8b34f89cfbd49818c
18144fafc4