* kernel/nokia/msm8610 a27b480 [NOKIA-MSM8610] ARM: msm8610: Demodulize Nokia X2 defconfig b9066b6 Revert "[NOKIA-MSM8610] Nokia X2 changes and updates to Siano SMSXXXX DVB adapter support" 4c85a6e bluetooth: Validate socket address length in sco_sock_bind(). b66d64a net: add validation for the socket syscall protocol argument e496f64 mm: reorder can_do_mlock to fix audit denial fa1df4e md: use kzalloc() when bitmap is disabled 2d177c1 KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring d3d3e08 KEYS: Fix race between key destruction and finding a keyring by name bf560c0 KEYS: Add invalidation support 4136d6b KEYS: Permit in-place link replacement in keyring list d339251 KEYS: Perform RCU synchronisation on keys prior to key destruction 3f36062 KEYS: Fix handling of stored error in a negatively instantiated user key bc885fc ipv6: addrconf: validate new MTU before applying it 5474105 net: fix iterating over hashtable in tcp_nuke_addr() ecd3b45 pagemap: do not leak physical addresses to non-privileged userspace 4fd4338 __ptrace_may_access() should not deny sub-threads 58c8517 wlan: Address buffer overflow due to invalid length ff78768 net: add length argument to skb_copy_and_csum_datagram_iovec 3bec66e tcp_cubic: do not set epoch_start in the future 576b76d tcp_cubic: better follow cubic curve after idle period e5b0fc7 [NOKIA-MSM8610] ARM: msm8610: Enable BFQ io scheduler f46dc4f block, bfq: add Early Queue Merge (EQM) to BFQ-v7r8 for 3.4.0 edddd2c block: introduce the BFQ-v7r8 I/O sched for 3.4 0a56004 block: cgroups, kconfig, build bits for BFQ-v7r8-3.4 7f27aaf [NOKIA-MSM8610] ARM: msm8610: Default to noop io scheduler a6eb8c9 [NOKIA-MSM8610] ARM: msm8610: Use ext4 for ext2/3 8014668 android: drivers: workaround debugfs race in binder 8925a45 block: fiops ioscheduler core 751a935 fs: take i_mutex during prepare_binprm for set[ug]id executables 531204d udp: fix behavior of wrong checksums * device/nokia/ara b2b8c33 wifi: Remove CRDA 9870296 system.prop: Disable kernel samepage merging by default 5574606 memory: Disable low ram setting 2077271 overlay: enable in-call volume boost option 0f29849 fm: remove unnecessary script and files 68ae117 ramdisk: switch to bfq io scheduler when boot is completed f62fdcf Boardconfig: wifi: Remove modular support e7ac685 fix kcal permission * bootable/recovery 90afeeb Track usage of Vector / SortedVector from libutils DO NOT MERGE * bootable/recovery-cm f34be06 Track usage of Vector / SortedVector from libutils DO NOT MERGE * build 040dbab Update Security String to 2016-01-01 - DO NOT MERGE 602b987 Update security string to 2015-12-01 - DO NOT MERGE 63c4e1f DO NOT MERGE - Backport of ag/748221 - Security Patch Level in Settings CL#2/3 * external/bluetooth/bluedroid 9187e00 DO NOT MERGE - Add proper checks for PAN & BNEP in BD stack * external/bouncycastle 74e3da7 DO NOT MERGE bouncycastle: limit input length as specified by the NIST spec * external/skia 93b1665 Fix removal of SI8_opaque_D32_nofilter_DX_arm 4d85ee6 Remove SI8_opaque_D32_nofilter_DX_arm DO NOT MERGE b95b5cc SkScaledBitmapSampler: fix memory overwritten * external/sonivox 224d96d Check segments and libs 1c56a7e Sonivox: check loopStart/loopLength against one specific wave, not whole wave pool. 8cd7f81 Sonivox: fix overflow in Parse_data in eas_mdls.c ebe5523 Sonivox: make sure waveIndex is valid in Parse_rgn() in eas_mdls.c. * external/sqlite a3aff41 sqlite: upgrade to patched SQLite 3.7.11 - DO NOT MERGE * external/tremolo e5fb631 libvorbisidec: sanity check index of marker. 84f7802 Fix vorbis decoder crash due to out of bounds memory access aec79a4 Fix allocation failure crash b6a2eee Add sanity checks to fix crash * external/wpa_supplicant_8 1c78404 NFC: Fix payload length validation in NDEF record parser 6cd2401 WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use d1106ab EAP-pwd peer: Fix last fragment length validation f1a1108 EAP-pwd server: Fix last fragment length validation 77ebbf5 EAP-pwd peer: Fix error path for unexpected Confirm message 4060a8f EAP-pwd peer: Fix asymmetric fragmentation behavior 84b0fb9 EAP-pwd server: Fix Total-Length parsing for fragment reassembly dcf16cc EAP-pwd peer: Fix Total-Length parsing for fragment reassembly b80a22d EAP-pwd server: Fix payload length validation for Commit and Confirm 9d163e3 EAP-pwd peer: Fix payload length validation for Commit and Confirm 01d5bf8 AP WMM: Fix integer underflow in WMM Action frame parser a549bf5 WPS: Fix HTTP chunked transfer encoding parser * frameworks/av d5d8c1d DO NOT MERGE - AudioFlinger: Clear record buffers when starting RecordThread 0e00f01 DO NOT MERGE - OMX: allow only secure codec to remotely call allocateBuffer. ac85e85 ID3: check possible integer overflow for extendedHeaderSize and paddingSize. fbf2cec Check NAL size before use 933b093 MPEG4Extractor: ensure buffer size is not less than 8 for LastCommentData. c4f36d3 Don't crash when there's no conceal frame b9369b9 DO NOT MERGE stagefright: fix AMessage::FromParcel 28acbc8 DO NOT MERGE Fix vulnerability in mediaserver 9b2a7f2 DO NOT MERGE NuCachedSource2: fix possible erroneous early free 5873008 Limit allocations to avoid out-of-memory 92b4787 Fix heap data leak vulnerability 5ce45a2 Fix for security vulnerability in media server DO NOT MERGE 86570d2 DO NOT MERGE - IAudioFlinger: always initialize variables to ensure no info leak when writing them to Parcel. 12a2014 Make IEffect command more robust (second try) d1acab9 libmedia: clear reply data for IEffect command ba1d568 Fix timedtext parsing 064a7e4 DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp 879442a DO NOT MERGE fix build cc76163 DO NOT MERGE Avoid size_t overflow in base64 decoding once again bfa8b8d Ogg: avoid size_t overflow in base64 decoding b129e0d DO NOT MERGE - IAudioFlinger: clear config before reading it from parcel. ca36121 Zero out return values in media binder calls 231e1d9 IMediaPlayer.cpp: make sure structures are initialized to 0 07d491d stagefright: check IMemory::pointer() before using the allocation 1a43e1e Fail more gracefully on allocation failure 20bafbc Fix compile failure after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4 8c5c143 libstagefright: fix overflow in pvdec_api.cpp. 23f57b6 libstagefright: check memory size for overflow before allocation. 3036568 Fix for memory corruption in ID3::removeUnsynchronizationV2_4(). Bug: 23227354 1d13da4 Fix build break DO NOT MERGE 7485da5 Fix crash on malformed id3 791804d libstagefright: fix possible overflow in amrwbenc. 1ea4e5d DO NOT MERGE - audio flinger: fix fuzz test crash 5fcaf16 DO NOT MERGE Part of fix for libmedia OOB write anywhere be85917 libstagefright: fix possible overflow in ID3. d79af09 Prevent integer issues in ID3::Iterator::findFrame 7fec270 SampleTable: fix integer overflow checks. fc85b4d Extra sanity checks on sample size and resolution 3fec328 libstagefright: check overflow before memory allocation in OMXCodec.cpp 1add19b Sanity check padding/delay values for gapless playback 57dd075 MatroskaExtractor: detect infinite loop when parsing NALs 5263b0a DO NOT MERGE libstagefright: Fix crash in convertMetaDataToMessage cb87203 Fix Ogg album art 8275b47 Fix comparison sign warnings. 3d75bcf libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets. d87e881 MPEG4Extractor.cpp: Add check for size == SIZE_MAX a61ca48 Check RTSP payload length bed69c4 ABuffer: reset members when memory allocation fails. 1bd3761 DO NOT MERGE - Fix software video decoder buffer size calculation e37fa84 DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data. 806c716 Check vector size before accessing 39addd4 SoftAVCEnc: check requested memory size before allocation. 85db3f0 Check buffer size before using it 5396ca2 MPEG4Source::fragmentedRead: check range before writing into buffers adb0333 do not dequeue from native window after we hit fatal error -- DO NOT MERGE af8bd6e libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable. de62a60 libstagefright: check remaining data size before parsing it. 749ffc9 Check integer overflow to prevent memory corruption 273449c Guard against codecinfo overflow * frameworks/base fa71dc0 Sync extras bundle comparison can throw NPE 74fdccf Make Bitmap_createFromParcel check the color count. DO NOT MERGE c7d9ada DO NOT MERGE - Backport of ag/748165 to klp-dev Security patch level in Settings d813014 Allow debugging only for apps forked from zygote DO NOT MERGE 7f332ba DO NOT MERGE: Ensure that unparcelling Region only reads the expected number of bytes a09a739 Check that the parcel contained the expected amount of region data. DO NOT MERGE * frameworks/native 1b6afeb DO NOT MERGE: fix build try #2 e08cbda DO NOT MERGE: fix build breakage df18096 add number constraint for samples per MotionEvent a82fb1e Disregard alleged binder entities beyond parcel bounds 7d6f940 Update maxNumber to be smaller. 33a5e13 Fix for corruption when numFds or numInts is too large. 61998d4 Initialize local variables to avoid data leak * frameworks/opt/telephony e54009e Externally-reported Moderate severity vulnerability in SMS: Apps can bypass the SMS short code notification prompt * packages/apps/Bluetooth 398e640 DO NOT MERGE Fix security vulnerabilities in permission of deleting MMS/SMS * packages/apps/LockClock e1bb691 LockClock : Add api key for open weather * packages/apps/Settings 15e214e Add translations for Security Patch Level. 82e036d Present the security patch date in a human-friendly format f3fcb88 DO NOT MERGE - Backport of ag/748147 - Security Patch Level in Settings CL#3/3 31739cb Check for special char when renaming device for Wi-Fi direct. * system/core b0cb2ce Add macro to call event logger for errors. DO NOT MERGE 6bac0a9 libutils: Fix integer overflows in VectorImpl. DO NOT MERGE f49bbc4 Fix compile failure after rIfe1dc0791040150132bea6884f1e6c8d31972d1b f7a83e5 libutils: fix overflow in String8::allocFromUTF8 c60568a libutils: fix overflow in SharedBuffer * system/security 4cf5c0d Properly check for Blob max length 291aaf5 Fix unchecked length in Blob creation