17.1 June ASB work

Note: 358555 is prone to mismerge Signed-off-by: Tad <tad@spotco.us>
2025-01-11 23:49:34 -05:00 · 2023-06-09 22:29:55 -04:00 · 2023-06-09 22:29:55 -04:00 · 67dd049bf6
commit 67dd049bf6
parent e7b390d7e6
31 changed files with 3085 additions and 11 deletions
--- a/Patches/LineageOS-17.1/android_frameworks_av/358555.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_av/358555.patch
@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Mon, 27 Mar 2023 18:16:46 -0500
+Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling
+
+readSampleData() did not initialize buffer before filling it,
+leading to OOB memory references. Correct and clarify the book
+keeping around output buffer management.
+
+Bug: 275418191
+Test: CtsMediaExtractorTestCases w/debug messages
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
+Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+---
+ media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
+index 680d426d96..ddab6d3923 100644
+--- a/media/libstagefright/NuMediaExtractor.cpp
+++ b/media/libstagefright/NuMediaExtractor.cpp
+@@ -595,9 +595,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(
+         numPageSamples = -1;
+     }
+ 
+    // insert, including accounting for the space used.
+     memcpy((uint8_t *)buffer->data() + mbuf->range_length(),
+            &numPageSamples,
+            sizeof(numPageSamples));
+    buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples));
+ 
+     uint32_t type;
+     const void *data;
+@@ -646,6 +648,8 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+ 
+     ssize_t minIndex = fetchAllTrackSamples();
+ 
+    buffer->setRange(0, 0);     // start with an empty buffer
+
+     if (minIndex < 0) {
+         return ERROR_END_OF_STREAM;
+     }
+@@ -661,25 +665,25 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+         sampleSize += sizeof(int32_t);
+     }
+ 
+    // capacity() is ok since we cleared out the buffer
+     if (buffer->capacity() < sampleSize) {
+         return -ENOMEM;
+     }
+ 
+    const size_t srclen = it->mBuffer->range_length();
+     const uint8_t *src =
+         (const uint8_t *)it->mBuffer->data()
+             + it->mBuffer->range_offset();
+ 
+-    memcpy((uint8_t *)buffer->data(), src, it->mBuffer->range_length());
+    memcpy((uint8_t *)buffer->data(), src, srclen);
+    buffer->setRange(0, srclen);
+ 
+     status_t err = OK;
+     if (info->mTrackFlags & kIsVorbis) {
+        // adjusts range when it inserts the extra bits
+         err = appendVorbisNumPageSamples(it->mBuffer, buffer);
+     }
+ 
+-    if (err == OK) {
+-        buffer->setRange(0, sampleSize);
+-    }
+-
+     return err;
+ }
+ 
--- a/Patches/LineageOS-17.1/android_frameworks_base/0013-Private_DNS.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0013-Private_DNS.patch
@ -21,7 +21,7 @@ Change-Id: Id75a774ce1ed109a83c6a5bf512536c643165d71
 2 files changed, 170 insertions(+)

 diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
-index 111a8c48a46c..12102a140947 100644
+index 111a8c48a46c..962c4215f7b6 100644
 --- a/core/java/android/net/ConnectivityManager.java
 +++ b/core/java/android/net/ConnectivityManager.java
@@ -757,6 +757,58 @@ public class ConnectivityManager {
--- a/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/0014-Network_Permission-6.patch
@ -8,7 +8,7 @@ Subject: [PATCH] skip reportNetworkConnectivity() when permission is revoked
 1 file changed, 8 insertions(+)

 diff --git a/core/java/android/net/ConnectivityManager.java b/core/java/android/net/ConnectivityManager.java
-index 12102a140947..21661609ff72 100644
+index 962c4215f7b6..089f6b65a908 100644
 --- a/core/java/android/net/ConnectivityManager.java
 +++ b/core/java/android/net/ConnectivityManager.java
@@ -17,6 +17,7 @@ package android.net;
--- a/Patches/LineageOS-17.1/android_frameworks_base/358556.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358556.patch
@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hongwei Wang <hwwang@google.com>
+Date: Thu, 23 Feb 2023 13:23:37 -0800
+Subject: [PATCH] Remove Activity if it enters PiP without window
+
+This is to prevent malicious app entering PiP without being visible
+first, like blocking onResume from completion. Which in turn
+leaves the PiP window in limbo and non-interactable.
+
+Bug: 265293293
+Test: atest PinnedStackTests
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4fad1456409b79d6e649a29d5116a4fe3160bd21)
+Merged-In: I458a9508662e72a1adb9d9818105f2e9d7096d44
+Change-Id: I458a9508662e72a1adb9d9818105f2e9d7096d44
+---
+ .../core/java/com/android/server/wm/ActivityRecord.java     | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/services/core/java/com/android/server/wm/ActivityRecord.java b/services/core/java/com/android/server/wm/ActivityRecord.java
+index 55e8e19fd278..ffd27481a280 100644
+--- a/services/core/java/com/android/server/wm/ActivityRecord.java
+++ b/services/core/java/com/android/server/wm/ActivityRecord.java
+@@ -781,6 +781,12 @@ final class ActivityRecord extends ConfigurationContainer {
+             }
+             schedulePictureInPictureModeChanged(newConfig);
+             scheduleMultiWindowModeChanged(newConfig);
+            if (inPictureInPictureMode && findMainWindow() == null) {
+                // Prevent malicious app entering PiP without valid WindowState, which can in turn
+                // result a non-touchable PiP window since the InputConsumer for PiP requires it.
+                EventLog.writeEvent(0x534e4554, "265293293", -1, "");
+                removeImmediately();
+            }
+         }
+     }
+ 
--- a/Patches/LineageOS-17.1/android_frameworks_base/358557.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358557.patch
@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mark Renouf <mrenouf@google.com>
+Date: Wed, 22 Feb 2023 15:14:08 +0000
+Subject: [PATCH] Prevent sharesheet from previewing unowned URIs
+
+Bug: 261036568
+Test: manually via supplied tool (see bug)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3062b80fb28014a7482d5fa8b2a5c852134a5845)
+Merged-In: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
+Change-Id: I21accf6f753d2f676f1602d6e1ce829c5ef29e9a
+---
+ .../android/internal/app/ChooserActivity.java | 36 +++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
+index f43ff17ed7d0..2e17dce90240 100644
+--- a/core/java/com/android/internal/app/ChooserActivity.java
+++ b/core/java/com/android/internal/app/ChooserActivity.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.internal.app;
+ 
+import static android.content.ContentProvider.getUserIdFromUri;
+
+ import static java.lang.annotation.RetentionPolicy.SOURCE;
+ 
+ import android.animation.Animator;
+@@ -140,6 +142,7 @@ import java.util.HashSet;
+ import java.util.List;
+ import java.util.Map;
+ import java.util.Set;
+import java.util.stream.Collectors;
+ 
+ /**
+  * The Chooser Activity handles intent resolution specifically for sharing intents -
+@@ -1082,7 +1085,7 @@ public class ChooserActivity extends ResolverActivity {
+ 
+             ImageView previewThumbnailView = contentPreviewLayout.findViewById(
+                     R.id.content_preview_thumbnail);
+-            if (previewThumbnail == null) {
+            if (!validForContentPreview(previewThumbnail)) {
+                 previewThumbnailView.setVisibility(View.GONE);
+             } else {
+                 mPreviewCoord = new ContentPreviewCoordinator(contentPreviewLayout, false);
+@@ -1109,6 +1112,10 @@ public class ChooserActivity extends ResolverActivity {
+         String action = targetIntent.getAction();
+         if (Intent.ACTION_SEND.equals(action)) {
+             Uri uri = targetIntent.getParcelableExtra(Intent.EXTRA_STREAM);
+            if (!validForContentPreview(uri)) {
+                contentPreviewLayout.setVisibility(View.GONE);
+                return contentPreviewLayout;
+            }
+             mPreviewCoord.loadUriIntoView(R.id.content_preview_image_1_large, uri, 0);
+         } else {
+             ContentResolver resolver = getContentResolver();
+@@ -1116,7 +1123,7 @@ public class ChooserActivity extends ResolverActivity {
+             List<Uri> uris = targetIntent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
+             List<Uri> imageUris = new ArrayList<>();
+             for (Uri uri : uris) {
+-                if (isImageType(resolver.getType(uri))) {
+                if (validForContentPreview(uri) && isImageType(resolver.getType(uri))) {
+                     imageUris.add(uri);
+                 }
+             }
+@@ -1222,9 +1229,16 @@ public class ChooserActivity extends ResolverActivity {
+         String action = targetIntent.getAction();
+         if (Intent.ACTION_SEND.equals(action)) {
+             Uri uri = targetIntent.getParcelableExtra(Intent.EXTRA_STREAM);
+            if (!validForContentPreview(uri)) {
+                contentPreviewLayout.setVisibility(View.GONE);
+                return contentPreviewLayout;
+            }
+             loadFileUriIntoView(uri, contentPreviewLayout);
+         } else {
+             List<Uri> uris = targetIntent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
+            uris = uris.stream()
+                    .filter(ChooserActivity::validForContentPreview)
+                    .collect(Collectors.toList());
+             int uriCount = uris.size();
+ 
+             if (uriCount == 0) {
+@@ -1278,6 +1292,24 @@ public class ChooserActivity extends ResolverActivity {
+         }
+     }
+ 
+    /**
+     * Indicate if the incoming content URI should be allowed.
+     *
+     * @param uri the uri to test
+     * @return true if the URI is allowed for content preview
+     */
+    private static boolean validForContentPreview(Uri uri) throws SecurityException {
+        if (uri == null) {
+            return false;
+        }
+        int userId = getUserIdFromUri(uri, UserHandle.USER_CURRENT);
+        if (userId != UserHandle.USER_CURRENT && userId != UserHandle.myUserId()) {
+            Log.e(TAG, "dropped invalid content URI belonging to user " + userId);
+            return false;
+        }
+        return true;
+    }
+
+     @VisibleForTesting
+     protected boolean isImageType(String mimeType) {
+         return mimeType != null && mimeType.startsWith("image/");
--- a/Patches/LineageOS-17.1/android_frameworks_base/358560.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358560.patch
@ -0,0 +1,167 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Lee <brnlee@google.com>
+Date: Fri, 17 Feb 2023 16:05:17 -0800
+Subject: [PATCH] Check key intent for selectors and prohibited flags
+
+Bug: 265015796
+Test: atest
+FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
+(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8)
+Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
+Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
+---
+ .../accounts/AccountManagerService.java       | 18 +++++++---
+ .../accounts/AccountManagerServiceTest.java   | 36 +++++++++++++++++++
+ .../AccountManagerServiceTestFixtures.java    |  5 ++-
+ .../TestAccountType1Authenticator.java        |  5 +--
+ 4 files changed, 54 insertions(+), 10 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index b4edf94927b2..a9c7b0c6a3f1 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
+++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4808,10 +4808,6 @@ public class AccountManagerService
+             if (intent.getClipData() == null) {
+                 intent.setClipData(ClipData.newPlainText(null, null));
+             }
+-            intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
+             long bid = Binder.clearCallingIdentity();
+             try {
+                 PackageManager pm = mContext.getPackageManager();
+@@ -4858,7 +4854,19 @@ public class AccountManagerService
+             if (intent == null) {
+                 return (simulateIntent == null);
+             }
+-            return intent.filterEquals(simulateIntent);
+            if (!intent.filterEquals(simulateIntent)) {
+                return false;
+            }
+
+            if (intent.getSelector() != simulateIntent.getSelector()) {
+                return false;
+            }
+
+            int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
+                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
+            return (simulateIntent.getFlags() & prohibitedFlags) == 0;
+         }
+ 
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+index 215f1e8e2a9e..d379e8131268 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+@@ -18,6 +18,7 @@ package com.android.server.accounts;
+ 
+ import static android.database.sqlite.SQLiteDatabase.deleteDatabase;
+ 
+import static org.mockito.ArgumentMatchers.contains;
+ import static org.mockito.Matchers.any;
+ import static org.mockito.Matchers.anyBoolean;
+ import static org.mockito.Matchers.anyInt;
+@@ -686,6 +687,41 @@ public class AccountManagerServiceTest extends AndroidTestCase {
+         assertNotNull(intent.getParcelableExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK));
+     }
+ 
+    @SmallTest
+    public void testStartAddAccountSessionWhereAuthenticatorReturnsIntentWithProhibitedFlags()
+            throws Exception {
+        unlockSystemUser();
+        ResolveInfo resolveInfo = new ResolveInfo();
+        resolveInfo.activityInfo = new ActivityInfo();
+        resolveInfo.activityInfo.applicationInfo = new ApplicationInfo();
+        when(mMockPackageManager.resolveActivityAsUser(
+                any(Intent.class), anyInt(), anyInt())).thenReturn(resolveInfo);
+        when(mMockPackageManager.checkSignatures(
+                anyInt(), anyInt())).thenReturn(PackageManager.SIGNATURE_MATCH);
+
+        final CountDownLatch latch = new CountDownLatch(1);
+        Response response = new Response(latch, mMockAccountManagerResponse);
+        Bundle options = createOptionsWithAccountName(
+                AccountManagerServiceTestFixtures.ACCOUNT_NAME_INTERVENE);
+        int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
+                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
+        options.putInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, prohibitedFlags);
+
+        mAms.startAddAccountSession(
+                response, // response
+                AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1, // accountType
+                "authTokenType",
+                null, // requiredFeatures
+                true, // expectActivityLaunch
+                options); // optionsIn
+        waitForLatch(latch);
+
+        verify(mMockAccountManagerResponse).onError(
+                eq(AccountManager.ERROR_CODE_INVALID_RESPONSE), contains("invalid intent"));
+    }
+
+     @SmallTest
+     public void testStartAddAccountSessionError() throws Exception {
+         unlockSystemUser();
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+index 73f30d9f9e79..b98a6a891d55 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+@@ -17,9 +17,6 @@ package com.android.server.accounts;
+ 
+ import android.accounts.Account;
+ 
+-import java.util.ArrayList;
+-import java.util.List;
+-
+ /**
+  * Constants shared between test AccountAuthenticators and AccountManagerServiceTest.
+  */
+@@ -31,6 +28,8 @@ public final class AccountManagerServiceTestFixtures {
+             "account_manager_service_test:account_status_token_key";
+     public static final String KEY_ACCOUNT_PASSWORD =
+             "account_manager_service_test:account_password_key";
+    public static final String KEY_INTENT_FLAGS =
+            "account_manager_service_test:intent_flags_key";
+     public static final String KEY_OPTIONS_BUNDLE =
+             "account_manager_service_test:option_bundle_key";
+     public static final String ACCOUNT_NAME_SUCCESS = "success_on_return@fixture.com";
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+index 8106364477d9..924443e9d5cf 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+++ b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+@@ -24,8 +24,6 @@ import android.content.Context;
+ import android.content.Intent;
+ import android.os.Bundle;
+ 
+-import com.android.frameworks.servicestests.R;
+-
+ import java.util.concurrent.atomic.AtomicInteger;
+ 
+ /**
+@@ -270,11 +268,13 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
+         String accountName = null;
+         Bundle sessionBundle = null;
+         String password = null;
+        int intentFlags = 0;
+         if (options != null) {
+             accountName = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_NAME);
+             sessionBundle = options.getBundle(
+                     AccountManagerServiceTestFixtures.KEY_ACCOUNT_SESSION_BUNDLE);
+             password = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_PASSWORD);
+            intentFlags = options.getInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, 0);
+         }
+ 
+         Bundle result = new Bundle();
+@@ -302,6 +302,7 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
+             intent.putExtra(AccountManagerServiceTestFixtures.KEY_RESULT,
+                     eventualActivityResultData);
+             intent.putExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK, response);
+            intent.setFlags(intentFlags);
+ 
+             result.putParcelable(AccountManager.KEY_INTENT, intent);
+         } else {
--- a/Patches/LineageOS-17.1/android_frameworks_base/358561-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358561-backport.patch
@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kweku Adams <kwekua@google.com>
+Date: Wed, 21 Sep 2022 22:13:01 +0000
+Subject: [PATCH] Handle invalid data during job loading.
+
+Catch exceptions that may be thrown if invalid data ended up in the
+persisted job file.
+
+Bug: 246541702
+Bug: 246542132
+Bug: 246542285
+Bug: 246542330
+Test: install test app with invalid job config, start app to schedule job, then reboot device
+(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203)
+Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+---
+ .../java/com/android/server/job/JobStore.java | 26 ++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java
+index 4ef37a2e484d..1f2772571e71 100644
+--- a/services/core/java/com/android/server/job/JobStore.java
+++ b/services/core/java/com/android/server/job/JobStore.java
+@@ -677,6 +677,10 @@ public final class JobStore {
+                 }
+             } catch (XmlPullParserException | IOException e) {
+                 Slog.wtf(TAG, "Error jobstore xml.", e);
+            } catch (Exception e) {
+                // Crashing at this point would result in a boot loop, so live with a general
+                // Exception for system stability's sake.
+                Slog.wtf(TAG, "Unexpected exception", e);
+             } finally {
+                 if (mPersistInfo.countAllJobsLoaded < 0) { // Only set them once.
+                     mPersistInfo.countAllJobsLoaded = numJobs;
+@@ -807,6 +811,15 @@ public final class JobStore {
+             } catch (NumberFormatException e) {
+                 Slog.d(TAG, "Error reading constraints, skipping.");
+                 return null;
+            } catch (XmlPullParserException e) {
+                Slog.d(TAG, "Error Parser Exception.", e);
+                return null;
+            } catch (IOException e) {
+                Slog.d(TAG, "Error I/O Exception.", e);
+                return null;
+            } catch (IllegalArgumentException e) {
+                Slog.e(TAG, "Constraints contained invalid data", e);
+                return null;
+             }
+             parser.next(); // Consume </constraints>
+ 
+@@ -902,8 +915,14 @@ public final class JobStore {
+                 return null;
+             }
+ 
+-            PersistableBundle extras = PersistableBundle.restoreFromXml(parser);
+-            jobBuilder.setExtras(extras);
+            final PersistableBundle extras;
+            try {
+                extras = PersistableBundle.restoreFromXml(parser);
+                jobBuilder.setExtras(extras);
+            } catch (IllegalArgumentException e) {
+                Slog.e(TAG, "Persisted extras contained invalid data", e);
+                return null;
+            }
+             parser.nextTag(); // Consume </extras>
+ 
+             final JobInfo builtJob;
+@@ -950,7 +969,8 @@ public final class JobStore {
+             return new JobInfo.Builder(jobId, cname);
+         }
+ 
+-        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) {
+        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser)
+                throws XmlPullParserException, IOException {
+             String val;
+ 
+             final String netCapabilities = parser.getAttributeValue(null, "net-capabilities");
--- a/Patches/LineageOS-17.1/android_frameworks_base/358562-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358562-backport.patch
@ -0,0 +1,231 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 7 Mar 2023 15:44:49 -0500
+Subject: [PATCH] Allow filtering of services
+
+Test: ServiceListingTest
+Bug: 260570119
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44dcb8351e61f4b3a63ec68fa5d8490501e8a823)
+Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760
+Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760
+---
+ .../applications/ServiceListing.java          | 19 +++-
+ .../applications/ServiceListingTest.java      | 98 ++++++++++++++++++-
+ 2 files changed, 113 insertions(+), 4 deletions(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+index 454d1dce0b2f..6ed7b5065175 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+++ b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+@@ -35,6 +35,7 @@ import android.util.Slog;
+ import java.util.ArrayList;
+ import java.util.HashSet;
+ import java.util.List;
+import java.util.function.Predicate;
+ 
+ /**
+  * Class for managing services matching a given intent and requesting a given permission.
+@@ -50,11 +51,13 @@ public class ServiceListing {
+     private final HashSet<ComponentName> mEnabledServices = new HashSet<>();
+     private final List<ServiceInfo> mServices = new ArrayList<>();
+     private final List<Callback> mCallbacks = new ArrayList<>();
+    private final Predicate mValidator;
+ 
+     private boolean mListening;
+ 
+     private ServiceListing(Context context, String tag,
+-            String setting, String intentAction, String permission, String noun) {
+            String setting, String intentAction, String permission, String noun,
+            Predicate validator) {
+         mContentResolver = context.getContentResolver();
+         mContext = context;
+         mTag = tag;
+@@ -62,6 +65,7 @@ public class ServiceListing {
+         mIntentAction = intentAction;
+         mPermission = permission;
+         mNoun = noun;
+        mValidator = validator;
+     }
+ 
+     public void addCallback(Callback callback) {
+@@ -130,7 +134,6 @@ public class ServiceListing {
+                 new Intent(mIntentAction),
+                 PackageManager.GET_SERVICES | PackageManager.GET_META_DATA,
+                 user);
+-
+         for (ResolveInfo resolveInfo : installedServices) {
+             ServiceInfo info = resolveInfo.serviceInfo;
+ 
+@@ -141,6 +144,9 @@ public class ServiceListing {
+                         + mPermission);
+                 continue;
+             }
+            if (mValidator != null && !mValidator.test(info)) {
+                continue;
+            }
+             mServices.add(info);
+         }
+         for (Callback callback : mCallbacks) {
+@@ -186,6 +192,7 @@ public class ServiceListing {
+         private String mIntentAction;
+         private String mPermission;
+         private String mNoun;
+        private Predicate mValidator;
+ 
+         public Builder(Context context) {
+             mContext = context;
+@@ -216,8 +223,14 @@ public class ServiceListing {
+             return this;
+         }
+ 
+        public Builder setValidator(Predicate<ServiceInfo> validator) {
+            mValidator = validator;
+            return this;
+        }
+
+         public ServiceListing build() {
+-            return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun);
+            return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun,
+                    mValidator);
+         }
+     }
+ }
+diff --git a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+index f7fd25b9fb7d..7ff0988c494d 100644
+--- a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+++ b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+@@ -18,20 +18,35 @@ package com.android.settingslib.applications;
+ 
+ import static com.google.common.truth.Truth.assertThat;
+ 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+ import static org.mockito.ArgumentMatchers.anyList;
+ import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+ import static org.mockito.Mockito.times;
+ import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+ 
+ import android.content.ComponentName;
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.content.pm.ServiceInfo;
+ import android.provider.Settings;
+ 
+import androidx.test.core.app.ApplicationProvider;
+
+import com.google.common.collect.ImmutableList;
+
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+ import org.robolectric.RobolectricTestRunner;
+ import org.robolectric.RuntimeEnvironment;
+ 
+import java.util.List;
+
+ @RunWith(RobolectricTestRunner.class)
+ public class ServiceListingTest {
+ 
+@@ -39,16 +54,97 @@ public class ServiceListingTest {
+     private static final String TEST_INTENT = "com.example.intent";
+ 
+     private ServiceListing mServiceListing;
+    private Context mContext;
+    private PackageManager mPm;
+ 
+     @Before
+     public void setUp() {
+-        mServiceListing = new ServiceListing.Builder(RuntimeEnvironment.application)
+        mPm = mock(PackageManager.class);
+        mContext = spy(ApplicationProvider.getApplicationContext());
+        when(mContext.getPackageManager()).thenReturn(mPm);
+
+        mServiceListing = new ServiceListing.Builder(mContext)
+                .setTag("testTag")
+                .setSetting(TEST_SETTING)
+                .setNoun("testNoun")
+                .setIntentAction(TEST_INTENT)
+                .setPermission("testPermission")
+                .build();
+    }
+
+    @Test
+    public void testValidator() {
+        ServiceInfo s1 = new ServiceInfo();
+        s1.permission = "testPermission";
+        s1.packageName = "pkg";
+        ServiceInfo s2 = new ServiceInfo();
+        s2.permission = "testPermission";
+        s2.packageName = "pkg2";
+        ResolveInfo r1 = new ResolveInfo();
+        r1.serviceInfo = s1;
+        ResolveInfo r2 = new ResolveInfo();
+        r2.serviceInfo = s2;
+
+        when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
+                ImmutableList.of(r1, r2));
+
+        mServiceListing = new ServiceListing.Builder(mContext)
+                .setTag("testTag")
+                .setSetting(TEST_SETTING)
+                .setNoun("testNoun")
+                .setIntentAction(TEST_INTENT)
+                .setValidator(info -> {
+                    if (info.packageName.equals("pkg")) {
+                        return true;
+                    }
+                    return false;
+                })
+                .setPermission("testPermission")
+                .build();
+        ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
+        mServiceListing.addCallback(callback);
+        mServiceListing.reload();
+
+        verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
+        ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
+        verify(callback, times(1)).onServicesReloaded(captor.capture());
+
+        assertThat(captor.getValue().size()).isEqualTo(1);
+        assertThat(captor.getValue().get(0)).isEqualTo(s1);
+    }
+
+    @Test
+    public void testNoValidator() {
+        ServiceInfo s1 = new ServiceInfo();
+        s1.permission = "testPermission";
+        s1.packageName = "pkg";
+        ServiceInfo s2 = new ServiceInfo();
+        s2.permission = "testPermission";
+        s2.packageName = "pkg2";
+        ResolveInfo r1 = new ResolveInfo();
+        r1.serviceInfo = s1;
+        ResolveInfo r2 = new ResolveInfo();
+        r2.serviceInfo = s2;
+
+        when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
+                ImmutableList.of(r1, r2));
+
+        mServiceListing = new ServiceListing.Builder(mContext)
+                 .setTag("testTag")
+                 .setSetting(TEST_SETTING)
+                 .setNoun("testNoun")
+                 .setIntentAction(TEST_INTENT)
+                 .setPermission("testPermission")
+                 .build();
+        ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
+        mServiceListing.addCallback(callback);
+        mServiceListing.reload();
+
+        verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
+        ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
+        verify(callback, times(1)).onServicesReloaded(captor.capture());
+
+        assertThat(captor.getValue().size()).isEqualTo(2);
+     }
+ 
+     @Test
--- a/Patches/LineageOS-17.1/android_frameworks_base/358564-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358564-backport.patch
@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeff DeCew <jeffdq@google.com>
+Date: Fri, 24 Mar 2023 16:15:24 +0000
+Subject: [PATCH] Add BubbleMetadata detection to block FSI
+
+Bug: 274759612
+Test: atest NotificationInterruptStateProviderImplTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c60e264a551df9f880fd73683321b7e821429da7)
+Merged-In: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
+Change-Id: I40e1aa6377b8a60d91cb2f4189df1e9a4a4578a2
+---
+ .../NotificationInterruptionStateProvider.java     | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java b/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
+index ff71db4dc3b5..336c65b3c7d4 100644
+--- a/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/notification/NotificationInterruptionStateProvider.java
+@@ -461,6 +461,20 @@ public class NotificationInterruptionStateProvider {
+             return false;
+         }
+ 
+        // If the notification has suppressive BubbleMetadata, block FSI and warn.
+        Notification.BubbleMetadata bubbleMetadata = sbn.getNotification().getBubbleMetadata();
+        if (bubbleMetadata != null && bubbleMetadata.isNotificationSuppressed()) {
+            // b/274759612: Detect and report an event when a notification has both an FSI and a
+            // suppressive BubbleMetadata, and now correctly block the FSI from firing.
+            final int uid = entry.getSbn().getUid();
+            android.util.EventLog.writeEvent(0x534e4554, "274759612", uid, "bubbleMetadata");
+            if (DEBUG) {
+                Log.w(TAG, "No FullScreenIntent: WARNING: BubbleMetadata may prevent HUN: "
+                        + entry.getKey());
+            }
+            return false;
+        }
+
+         // If the screen is off, then launch the FullScreenIntent
+         if (!mPowerManager.isInteractive()) {
+             if (DEBUG) {
--- a/Patches/LineageOS-17.1/android_frameworks_base/358732-backport.patch
+++ b/Patches/LineageOS-17.1/android_frameworks_base/358732-backport.patch
@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <valiiftime@google.com>
+Date: Wed, 22 Feb 2023 09:38:55 +0100
+Subject: [PATCH] Prevent RemoteViews crashing SystemUi
+
+  Catch canvas drawing exceptions caused  by unsuported image sizes.
+
+Test: 1. Post a custom view notification with a layout
+	containing an ImageView that references a 5k x 5k image
+2. Add an App Widget to the home screen with that has the
+	layout mentioned above as preview/initial layout.
+
+Bug: 268193777
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d)
+Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+---
+ .../android/appwidget/AppWidgetHostView.java  | 39 ++++++++++++++-----
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
+index 85f0e2342412..eafb631216e5 100644
+--- a/core/java/android/appwidget/AppWidgetHostView.java
+++ b/core/java/android/appwidget/AppWidgetHostView.java
+@@ -28,6 +28,7 @@ import android.content.pm.LauncherActivityInfo;
+ import android.content.pm.LauncherApps;
+ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.res.Resources;
+import android.graphics.Canvas;
+ import android.graphics.Color;
+ import android.graphics.Rect;
+ import android.os.Bundle;
+@@ -250,19 +251,26 @@ public class AppWidgetHostView extends FrameLayout {
+             super.onLayout(changed, left, top, right, bottom);
+         } catch (final RuntimeException e) {
+             Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e);
+-            removeViewInLayout(mView);
+-            View child = getErrorView();
+-            prepareView(child);
+-            addViewInLayout(child, 0, child.getLayoutParams());
+-            measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
+-                    MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
+-            child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
+-                    child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
+-            mView = child;
+-            mViewMode = VIEW_MODE_ERROR;
+            handleViewError();
+         }
+     }
+ 
+    /**
+     * Remove bad view and replace with error message view
+     */
+    private void handleViewError() {
+        removeViewInLayout(mView);
+        View child = getErrorView();
+        prepareView(child);
+        addViewInLayout(child, 0, child.getLayoutParams());
+        measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
+                MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
+        child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
+                child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
+        mView = child;
+        mViewMode = VIEW_MODE_ERROR;
+    }
+
+     /**
+      * Provide guidance about the size of this widget to the AppWidgetManager. The widths and
+      * heights should correspond to the full area the AppWidgetHostView is given. Padding added by
+@@ -711,4 +719,15 @@ public class AppWidgetHostView extends FrameLayout {
+         }
+         return null;
+     }
+
+    @Override
+    protected void dispatchDraw(Canvas canvas) {
+        try {
+            super.dispatchDraw(canvas);
+        } catch (Exception e) {
+            // Catch draw exceptions that may be caused by RemoteViews
+            Log.e(TAG, "Drawing view failed: " + e);
+            post(this::handleViewError);
+        }
+    }
+ }
--- a/Patches/LineageOS-17.1/android_packages_apps_Car_Settings/358565-backport.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Car_Settings/358565-backport.patch
@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 7 Mar 2023 10:59:38 -0800
+Subject: [PATCH] Convert argument to Intent in car settings
+ AddAccountActivity.
+
+Bug: 265798353
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3195c559667939b458445b7e133fb4a7c76aaead)
+Merged-In: I4b035fd370197b7f4838af5fb6e4d0ce27a5f3e7
+Change-Id: I4b035fd370197b7f4838af5fb6e4d0ce27a5f3e7
+---
+ src/com/android/car/settings/accounts/AddAccountActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/com/android/car/settings/accounts/AddAccountActivity.java b/src/com/android/car/settings/accounts/AddAccountActivity.java
+index d5ce57142..69ada037f 100644
+--- a/src/com/android/car/settings/accounts/AddAccountActivity.java
+++ b/src/com/android/car/settings/accounts/AddAccountActivity.java
+@@ -94,7 +94,7 @@ public class AddAccountActivity extends Activity {
+                 intent.putExtras(addAccountOptions);
+                 intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+                 startActivityForResultAsUser(
+-                        intent, ADD_ACCOUNT_REQUEST, mUserHandle);
+                        new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
+                 LOG.v("account added: " + result);
+             } catch (OperationCanceledException | IOException | AuthenticatorException e) {
+                 LOG.v("addAccount error: " + e);
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0005-Automatic_Reboot.patch
@ -55,7 +55,7 @@ index b983f467df..5813bb18db 100644
         <item msgid="6490061470416867723">Small</item>
         <item msgid="3579015730662088893">Default</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 2180ea45f6..eeee1c039f 100644
+index f6e3b0f62d..8f4a3c6115 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -810,6 +810,9 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0006-Bluetooth_Timeout.patch
@ -67,7 +67,7 @@ index 5813bb18db..40d01907a4 100644
     <string-array name="screen_timeout_entries">
         <item>15 seconds</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index eeee1c039f..c5287c4489 100644
+index 8f4a3c6115..ef517e8503 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -25,6 +25,25 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0007-WiFi_Timeout.patch
@ -67,7 +67,7 @@ index 40d01907a4..0a9a9a31e8 100644
     <string-array name="screen_timeout_entries">
         <item>15 seconds</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index c5287c4489..0f254706ff 100644
+index ef517e8503..228d9570dd 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -44,6 +44,25 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0008-ptrace_scope.patch
@ -12,7 +12,7 @@ Subject: [PATCH] add native debugging setting
 create mode 100644 src/com/android/settings/security/NativeDebugPreferenceController.java

 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 0f254706ff..fcac812417 100644
+index 228d9570dd..d965a63b0d 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -11316,6 +11316,9 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0009-exec_spawning_toggle.patch
@ -12,7 +12,7 @@ Subject: [PATCH] add exec spawning toggle
 create mode 100644 src/com/android/settings/security/ExecSpawnPreferenceController.java

 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index fcac812417..197882d66e 100644
+index d965a63b0d..e7dcf62ddc 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -11316,6 +11316,8 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0011-LTE_Only_Mode.patch
@ -106,7 +106,7 @@ index 6d95bcc58b..072004e447 100644
         <item>"18"</item>
         <item>"1"</item>
 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 197882d66e..88bd100122 100644
+index e7dcf62ddc..fedb9f3fde 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -10942,6 +10942,8 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0012-hosts_toggle.patch
@ -16,7 +16,7 @@ Change-Id: Ic01a142722372d9d57f52947025cd9db23e58ef4
 create mode 100644 src/com/android/settings/security/HostsPreferenceController.java

 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index 88bd100122..a64940d793 100644
+index fedb9f3fde..b5dbdc7d81 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -11327,6 +11327,9 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/0013-SUPL_Toggle.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/0013-SUPL_Toggle.patch
@ -11,7 +11,7 @@ Subject: [PATCH] add a toggle for forcibly disabling SUPL
 create mode 100644 src/com/android/settings/location/ForceDisableSuplPrefController.java

 diff --git a/res/values/strings.xml b/res/values/strings.xml
-index a64940d793..f1ea003e3b 100644
+index b5dbdc7d81..a5aab8e5d0 100644
 --- a/res/values/strings.xml
 +++ b/res/values/strings.xml
@@ -11517,4 +11517,7 @@
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/358566.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/358566.patch
@ -0,0 +1,190 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Bonian Chen <bonianchen@google.com>
+Date: Thu, 18 Nov 2021 10:27:34 +0800
+Subject: [PATCH] Move display of VPN version into summary text
+
+Move the display of version text within VPN into summary part of the
+display, and limit the height of summary area.
+
+Bug: 205460459
+Test: install apk from b/205460459#comment3 and verify
+(cherry picked from commit 144f295d7aa66bae8556ba030553a49615eab0b2)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dddd74a491a206178feb10d5ef983d5cd273504d)
+Merged-In: I666b9db356feeebf04e3be688897c2d9110a5275
+Change-Id: I666b9db356feeebf04e3be688897c2d9110a5275
+---
+ res/values/strings.xml                        |  2 +-
+ res/values/styles.xml                         | 10 ++++
+ res/xml/vpn_app_management.xml                | 14 ++++-
+ .../settings/vpn2/AppManagementFragment.java  | 51 +++++++++++++++++--
+ 4 files changed, 71 insertions(+), 6 deletions(-)
+
+diff --git a/res/values/strings.xml b/res/values/strings.xml
+index 2180ea45f6..f6e3b0f62d 100644
+--- a/res/values/strings.xml
+++ b/res/values/strings.xml
+@@ -6613,7 +6613,7 @@
+     <!-- Button label to disconnect from a VPN profile. [CHAR LIMIT=40] -->
+     <string name="vpn_disconnect">Disconnect</string>
+     <!-- Field label to show the version number for a VPN app. [CHAR LIMIT=40] -->
+-    <string name="vpn_version">Version <xliff:g id="version" example="3.3.0">%s</xliff:g></string>
+    <string name="vpn_version">Version</string>
+     <!-- Button label to forget a VPN profile [CHAR LIMIT=40] -->
+     <string name="vpn_forget_long">Forget VPN</string>
+     <!-- Dialog message title to set another VPN app to be always-on [CHAR LIMIT=40] -->
+diff --git a/res/values/styles.xml b/res/values/styles.xml
+index d3d3199f62..ec66bc8d1b 100644
+--- a/res/values/styles.xml
+++ b/res/values/styles.xml
+@@ -197,6 +197,16 @@
+         <item name="android:textAppearance">@android:style/TextAppearance.DeviceDefault.Small</item>
+     </style>
+ 
+    <style name="vpn_app_management_version_title">
+        <item name="android:textAppearance">?android:attr/textAppearanceListItem</item>
+        <item name="android:textColor">?android:attr/textColorPrimary</item>
+    </style>
+
+    <style name="vpn_app_management_version_summary">
+        <item name="android:textAppearance">?android:attr/textAppearanceListItemSecondary</item>
+        <item name="android:textColor">?android:attr/textColorSecondary</item>
+    </style>
+
+     <style name="TextAppearance" parent="android:TextAppearance.DeviceDefault"/>
+ 
+     <style name="TextAppearance.info_label">
+diff --git a/res/xml/vpn_app_management.xml b/res/xml/vpn_app_management.xml
+index bcaa6b0a62..adc441d846 100644
+--- a/res/xml/vpn_app_management.xml
+++ b/res/xml/vpn_app_management.xml
+@@ -15,14 +15,24 @@
+ -->
+ 
+ <PreferenceScreen xmlns:android="http://schemas.android.com/apk/res/android"
+-        xmlns:settings="http://schemas.android.com/apk/res-auto">
+        xmlns:settings="http://schemas.android.com/apk/res-auto"
+        orderingFromXml="false"
+        >
+
+        <!-- To limit the size (in height) of version Preference displayed here,
+             maximum height of TextView need to be set programmingly.
+             Therefore, this Preference got removed from here and will be added
+             dynamically through source code.
+ 
+         <Preference
+                android:order="0"
+                 android:key="version"
+                 android:textColor="?android:attr/textColorSecondary"
+                 android:selectable="false"/>
+        -->
+ 
+         <com.android.settingslib.RestrictedSwitchPreference
+                android:order="10"
+                 android:key="always_on_vpn"
+                 android:title="@string/vpn_menu_lockdown"
+                 android:defaultValue="false"
+@@ -32,6 +42,7 @@
+                 settings:restrictedSwitchSummary="@string/disabled_by_admin_summary_text" />
+ 
+         <com.android.settingslib.RestrictedSwitchPreference
+                android:order="20"
+                 android:key="lockdown_vpn"
+                 android:title="@string/vpn_require_connection"
+                 android:defaultValue="false"
+@@ -41,6 +52,7 @@
+                 settings:restrictedSwitchSummary="@string/disabled_by_admin_summary_text" />
+ 
+         <com.android.settingslib.RestrictedPreference
+                android:order="30"
+                 android:key="forget_vpn"
+                 android:title="@string/vpn_forget_long"
+                 android:icon="@drawable/ic_delete"
+diff --git a/src/com/android/settings/vpn2/AppManagementFragment.java b/src/com/android/settings/vpn2/AppManagementFragment.java
+index 5f4644614c..805ffb2854 100644
+--- a/src/com/android/settings/vpn2/AppManagementFragment.java
+++ b/src/com/android/settings/vpn2/AppManagementFragment.java
+@@ -35,11 +35,13 @@ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.text.TextUtils;
+ import android.util.Log;
+import android.widget.TextView;
+ 
+ import androidx.annotation.VisibleForTesting;
+ import androidx.appcompat.app.AlertDialog;
+ import androidx.fragment.app.DialogFragment;
+ import androidx.preference.Preference;
+import androidx.preference.PreferenceViewHolder;
+ 
+ import com.android.internal.net.VpnConfig;
+ import com.android.internal.util.ArrayUtils;
+@@ -76,7 +78,6 @@ public class AppManagementFragment extends SettingsPreferenceFragment
+     private String mVpnLabel;
+ 
+     // UI preference
+-    private Preference mPreferenceVersion;
+     private RestrictedSwitchPreference mPreferenceAlwaysOn;
+     private RestrictedSwitchPreference mPreferenceLockdown;
+     private RestrictedPreference mPreferenceForget;
+@@ -122,7 +123,6 @@ public class AppManagementFragment extends SettingsPreferenceFragment
+         mConnectivityService = IConnectivityManager.Stub
+                 .asInterface(ServiceManager.getService(Context.CONNECTIVITY_SERVICE));
+ 
+-        mPreferenceVersion = findPreference(KEY_VERSION);
+         mPreferenceAlwaysOn = (RestrictedSwitchPreference) findPreference(KEY_ALWAYS_ON_VPN);
+         mPreferenceLockdown = (RestrictedSwitchPreference) findPreference(KEY_LOCKDOWN_VPN);
+         mPreferenceForget = (RestrictedPreference) findPreference(KEY_FORGET_VPN);
+@@ -138,9 +138,52 @@ public class AppManagementFragment extends SettingsPreferenceFragment
+ 
+         boolean isInfoLoaded = loadInfo();
+         if (isInfoLoaded) {
+-            mPreferenceVersion.setTitle(
+-                    getPrefContext().getString(R.string.vpn_version, mPackageInfo.versionName));
+             updateUI();
+
+            Preference version = getPreferenceScreen().findPreference(KEY_VERSION);
+            if (version != null) {
+                // Version field has been added.
+                return;
+            }
+
+            /**
+             * Create version field at runtime, and set max height on the display area.
+             *
+             * When long length of text given within version field, a large text area
+             * might be created and inconvenient to the user (User need to scroll
+             * for a long time in order to get to the Preferences after this field.)
+             */
+            version = new Preference(getPrefContext()) {
+                @Override
+                public void onBindViewHolder(PreferenceViewHolder holder) {
+                    super.onBindViewHolder(holder);
+
+                    TextView titleView =
+                            (TextView) holder.findViewById(android.R.id.title);
+                    if (titleView != null) {
+                        titleView.setTextAppearance(R.style.vpn_app_management_version_title);
+                    }
+
+                    TextView summaryView =
+                            (TextView) holder.findViewById(android.R.id.summary);
+                    if (summaryView != null) {
+                        summaryView.setTextAppearance(R.style.vpn_app_management_version_summary);
+
+                        // Set max height in summary area.
+                        int versionMaxHeight = getListView().getHeight();
+                        summaryView.setMaxHeight(versionMaxHeight);
+                        summaryView.setVerticalScrollBarEnabled(false);
+                        summaryView.setHorizontallyScrolling(false);
+                    }
+                }
+            };
+            version.setOrder(0);            // Set order to 0 in order to be placed
+                                            // in front of other Preference(s).
+            version.setKey(KEY_VERSION);    // Set key to avoid from creating multi instance.
+            version.setTitle(R.string.vpn_version);
+            version.setSummary(mPackageInfo.versionName);
+            version.setSelectable(false);
+            getPreferenceScreen().addPreference(version);
+         } else {
+             finish();
+         }
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/358567-backport.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/358567-backport.patch
--- a/Patches/LineageOS-17.1/android_packages_apps_Settings/358568-backport.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/358568-backport.patch
@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 7 Mar 2023 10:36:41 -0800
+Subject: [PATCH] Convert argument to intent in AddAccountSettings.
+
+Bug: 265798353
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7e8052b527434ed8660e3babdab718f7f3cd7da)
+Merged-In: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
+Change-Id: I0051e5d5fc9fd3691504cb5fbb959f701e0bce6a
+---
+ src/com/android/settings/accounts/AddAccountSettings.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/accounts/AddAccountSettings.java b/src/com/android/settings/accounts/AddAccountSettings.java
+index cca15c96d3..2e23e93124 100644
+--- a/src/com/android/settings/accounts/AddAccountSettings.java
+++ b/src/com/android/settings/accounts/AddAccountSettings.java
+@@ -102,7 +102,8 @@ public class AddAccountSettings extends Activity {
+                     addAccountOptions.putParcelable(EXTRA_USER, mUserHandle);
+                     intent.putExtras(addAccountOptions);
+                     intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+-                    startActivityForResultAsUser(intent, ADD_ACCOUNT_REQUEST, mUserHandle);
+                    startActivityForResultAsUser(
+                            new Intent(intent), ADD_ACCOUNT_REQUEST, mUserHandle);
+                 } else {
+                     setResult(RESULT_OK);
+                     if (mPendingIntent != null) {
--- a/Patches/LineageOS-17.1/android_packages_apps_TvSettings/358578.patch
+++ b/Patches/LineageOS-17.1/android_packages_apps_TvSettings/358578.patch
@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 7 Mar 2023 10:55:07 -0800
+Subject: [PATCH] Convert argument to intent in addAccount TvSettings.
+
+Bug: 265798353
+Test: manual
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:706edcb7532d74788f899968016b7a6273bfbcac)
+Merged-In: I06a63078f55ee8169123b1dfcf1811e682e0776e
+Change-Id: I06a63078f55ee8169123b1dfcf1811e682e0776e
+---
+ .../tv/settings/accounts/AddAccountWithTypeActivity.java        | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+index a608bc4fa..ff71ac93b 100644
+--- a/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+++ b/Settings/src/com/android/tv/settings/accounts/AddAccountWithTypeActivity.java
+@@ -52,7 +52,7 @@ public class AddAccountWithTypeActivity extends Activity {
+                     Log.e(TAG, "Failed to retrieve add account intent from authenticator");
+                     setResultAndFinish(Activity.RESULT_CANCELED);
+                 } else {
+-                    startActivityForResult(addAccountIntent, REQUEST_ADD_ACCOUNT);
+                    startActivityForResult(new Intent(addAccountIntent), REQUEST_ADD_ACCOUNT);
+                 }
+             } catch (IOException|AuthenticatorException|OperationCanceledException e) {
+                 Log.e(TAG, "Failed to get add account intent: ", e);
--- a/Patches/LineageOS-17.1/android_packages_services_Telecomm/358579-backport.patch
+++ b/Patches/LineageOS-17.1/android_packages_services_Telecomm/358579-backport.patch
@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Tue, 21 Mar 2023 23:28:56 +0000
+Subject: [PATCH] Call Redirection: unbind service when onBind returns null
+
+The call redirection service does not handle the corner case of
+onNullBinding (occurs when onBind returns null). This vulnerability
+would give the app that has the call redirection role unintentional
+access to launch background activities outside the scope of a call
+lifecycle.
+
+Fixes: 273260090
+Test: Unit test to ensure we unbind the service on null onBind
+Test: CTS for similar assertion
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c3580d96071a7232ce11ad83848d6394b93121d8)
+Merged-In: Ib9d44d239833131eb055e83801cb635e8efe0b81
+Change-Id: Ib9d44d239833131eb055e83801cb635e8efe0b81
+---
+ .../CallRedirectionProcessor.java             | 13 ++++++++++
+ .../tests/CallRedirectionProcessorTest.java   | 25 +++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+index 7a54118f8..9ddc4ab6c 100644
+--- a/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+++ b/src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java
+@@ -151,6 +151,19 @@ public class CallRedirectionProcessor implements CallRedirectionCallback {
+                     Log.endSession();
+                 }
+             }
+
+            @Override
+            public void onNullBinding(ComponentName componentName) {
+                // Make sure we unbind the service if onBind returns null
+                Log.startSession("CRSC.oNB");
+                try {
+                    synchronized (mTelecomLock) {
+                        finishCallRedirection();
+                    }
+                } finally {
+                    Log.endSession();
+                }
+            }
+         }
+ 
+         private class CallRedirectionAdapter extends ICallRedirectionAdapter.Stub {
+diff --git a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
+index 169c56acf..44d2b8956 100644
+--- a/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
+++ b/tests/src/com/android/server/telecom/tests/CallRedirectionProcessorTest.java
+@@ -280,4 +280,29 @@ public class CallRedirectionProcessorTest extends TelecomTestCase {
+                 eq(mPhoneAccountHandle), eq(mGatewayInfo), eq(SPEAKER_PHONE_ON), eq(VIDEO_STATE),
+                 eq(false), eq(CallRedirectionProcessor.UI_TYPE_NO_ACTION));
+     }
+
+
+    @Test
+    public void testUnbindOnNullBind() throws Exception {
+        startProcessWithNoGateWayInfo();
+        // To make sure tests are not flaky, clean all the previous handler messages
+        waitForHandlerAction(mProcessor.getHandler(), HANDLER_TIMEOUT_DELAY);
+        enableUserDefinedCallRedirectionService();
+        disableCarrierCallRedirectionService();
+
+        mProcessor.performCallRedirection();
+
+        // Capture the binder
+        ArgumentCaptor<ServiceConnection> serviceConnectionCaptor = ArgumentCaptor.forClass(
+                ServiceConnection.class);
+        // Verify binding occurred
+        verify(mContext, times(1)).bindServiceAsUser(any(Intent.class),
+                serviceConnectionCaptor.capture(), anyInt(), eq(UserHandle.CURRENT));
+        // Simulate null return from onBind
+        serviceConnectionCaptor.getValue().onNullBinding(USER_DEFINED_SERVICE_TEST_COMPONENT_NAME);
+
+        // Verify service was unbound
+        verify(mContext, times(1)).
+                unbindService(any(ServiceConnection.class));
+    }
+ }
--- a/Patches/LineageOS-17.1/android_system_bt/358580.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/358580.patch
@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 11 Oct 2022 21:23:22 +0000
+Subject: [PATCH] Prevent use-after-free of HID reports
+
+BTA sends the the HID report pointer to BTIF and deallocates it immediately.
+This is now prevented by providing a deep copy callback function for HID
+reports when tranferring context from BTA to BTIF.
+
+This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
+already merged on T for b/227620181.
+
+Bug: 228837201
+Test: Validated against researcher POC, ran BT unit tests, played audio
+manually.
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
+Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
+Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
+---
+ btif/src/btif_hh.cc | 50 ++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 45 insertions(+), 5 deletions(-)
+
+diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
+index 650923a3c..5c57ee80c 100644
+--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
+@@ -1096,6 +1096,38 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+   }
+ }
+ 
+/*******************************************************************************
+ *
+ * Function         btif_hh_hsdata_rpt_copy_cb
+ *
+ * Description      Deep copies the tBTA_HH_HSDATA structure
+ *
+ * Returns          void
+ *
+ ******************************************************************************/
+
+static void btif_hh_hsdata_rpt_copy_cb(uint16_t event, char* p_dest,
+                                       char* p_src) {
+  tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
+  tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
+  BT_HDR* hdr;
+
+  if (!p_src) {
+    BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
+    return;
+  }
+
+  memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
+
+  hdr = p_src_data->rsp_data.p_rpt_data;
+  if (hdr != NULL) {
+    uint8_t* p_data = ((uint8_t*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
+    memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
+
+    p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
+  }
+}
+
+ /*******************************************************************************
+  *
+  * Function         bte_hh_evt
+@@ -1109,6 +1141,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+   bt_status_t status;
+   int param_len = 0;
+  tBTIF_COPY_CBACK* p_copy_cback = NULL;
+ 
+   if (BTA_HH_ENABLE_EVT == event)
+     param_len = sizeof(tBTA_HH_STATUS);
+@@ -1120,11 +1153,18 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+     param_len = sizeof(tBTA_HH_CBDATA);
+   else if (BTA_HH_GET_DSCP_EVT == event)
+     param_len = sizeof(tBTA_HH_DEV_DSCP_INFO);
+-  else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event) ||
+-           (BTA_HH_GET_IDLE_EVT == event))
+  else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
+    param_len = sizeof(tBTA_HH_HSDATA);
+  else if (BTA_HH_GET_RPT_EVT == event) {
+    BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
+     param_len = sizeof(tBTA_HH_HSDATA);
+-  else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+-           (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+
+    if (hdr != NULL) {
+      p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
+      param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
+    }
+  } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+             (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+     param_len = sizeof(tBTA_HH_CBDATA);
+   else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event))
+     param_len = sizeof(tBTA_HH_DEV_INFO);
+@@ -1133,7 +1173,7 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+   /* switch context to btif task context (copy full union size for convenience)
+    */
+   status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
+-                                 (char*)p_data, param_len, NULL);
+                                 (char*)p_data, param_len, p_copy_cback);
+ 
+   /* catch any failed context transfers */
+   ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);
--- a/Patches/LineageOS-17.1/android_system_bt/358581.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/358581.patch
@ -0,0 +1,141 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:35:35 +0000
+Subject: [PATCH] Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length
+ in sdpu_build_uuid_seq""
+
+This reverts commit 487a1079078f3717fdc4665c19a45eca5b3ec5e6.
+
+Reason for revert: Reinstate original change for QPR
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a681067af2ea4565543238db3025d749923f63ec)
+Merged-In: If0528519a29dc73ff99163098da2a05592ab15d8
+Change-Id: If0528519a29dc73ff99163098da2a05592ab15d8
+---
+ stack/sdp/sdp_discovery.cc | 65 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 7 deletions(-)
+
+diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
+index f5938e423..553e068f5 100644
+--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
+@@ -70,10 +70,15 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
+  *
+  ******************************************************************************/
+ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
+-                                    Uuid* p_uuid_list) {
+                                    Uuid* p_uuid_list, uint16_t& bytes_left) {
+   uint16_t xx;
+   uint8_t* p_len;
+ 
+  if (bytes_left < 2) {
+    DCHECK(0) << "SDP: No space for data element header";
+    return (p_out);
+  }
+
+   /* First thing is the data element header */
+   UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
+ 
+@@ -81,9 +86,20 @@ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
+   p_len = p_out;
+   p_out += 1;
+ 
+  /* Account for data element header and length */
+  bytes_left -= 2;
+
+   /* Now, loop through and put in all the UUID(s) */
+   for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) {
+     int len = p_uuid_list->GetShortestRepresentationSize();
+
+    if (len + 1 > bytes_left) {
+      DCHECK(0) << "SDP: Too many UUIDs for internal buffer";
+      break;
+    } else {
+      bytes_left -= (len + 1);
+    }
+
+     if (len == Uuid::kNumBytes16) {
+       UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
+       UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit());
+@@ -120,6 +136,7 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
+   uint8_t *p, *p_start, *p_param_len;
+   BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
+   uint16_t param_len;
+  uint16_t bytes_left = SDP_DATA_BUF_SIZE;
+ 
+   /* Prepare the buffer for sending the packet to L2CAP */
+   p_cmd->offset = L2CAP_MIN_OFFSET;
+@@ -134,13 +151,30 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
+   p_param_len = p;
+   p += 2;
+ 
+-/* Build the UID sequence. */
+  /* Account for header size, max service record count and
+   * continuation state */
+  const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+                               3u + /* service search request header */
+                               2u + /* param len */
+                               3u + ((p_cont) ? cont_len : 0));
+
+  if (base_bytes > bytes_left) {
+    DCHECK(0) << "SDP: Overran SDP data buffer";
+    osi_free(p_cmd);
+    return;
+  }
+
+  bytes_left -= base_bytes;
+
+  /* Build the UID sequence. */
+ #if (SDP_BROWSE_PLUS == TRUE)
+   p = sdpu_build_uuid_seq(p, 1,
+-                          &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+                          &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+                          bytes_left);
+ #else
+  /* Build the UID sequence. */
+   p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
+-                          p_ccb->p_db->uuid_filters);
+                          p_ccb->p_db->uuid_filters, bytes_left);
+ #endif
+ 
+   /* Set max service record count */
+@@ -575,6 +609,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+   if ((cont_request_needed) || (!p_reply)) {
+     BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
+     uint8_t* p;
+    uint16_t bytes_left = SDP_DATA_BUF_SIZE;
+ 
+     p_msg->offset = L2CAP_MIN_OFFSET;
+     p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
+@@ -588,13 +623,29 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+     p_param_len = p;
+     p += 2;
+ 
+-/* Build the UID sequence. */
+    /* Account for header size, max service record count and
+     * continuation state */
+    const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+                                 3u + /* service search request header */
+                                 2u + /* param len */
+                                 3u + /* max service record count */
+                                 ((p_reply) ? (*p_reply) : 0));
+
+    if (base_bytes > bytes_left) {
+      sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+      return;
+    }
+
+    bytes_left -= base_bytes;
+
+    /* Build the UID sequence. */
+ #if (SDP_BROWSE_PLUS == TRUE)
+     p = sdpu_build_uuid_seq(p, 1,
+-                            &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+                            &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+                            bytes_left);
+ #else
+     p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
+-                            p_ccb->p_db->uuid_filters);
+                            p_ccb->p_db->uuid_filters, bytes_left);
+ #endif
+ 
+     /* Max attribute byte count */
--- a/Patches/LineageOS-17.1/android_system_bt/358582.patch
+++ b/Patches/LineageOS-17.1/android_system_bt/358582.patch
@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:39:16 +0000
+Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
+ (P_256->P_192)""
+
+This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
+
+Function btm_sec_encrypt_change() is called at most places
+with argument "encr_enable" treated as bool and not as per
+(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
+function has special handling for "encr_enable=1" to downgrade
+the link key type for BR/EDR case. This gets executed even
+when the caller/context did not mean/expect so. It appears
+this handling in btm_sec_encrypt_change() is not necessary and
+is removed by this commit to prevent accidental execution of it.
+
+Test: Verified re-pairing with an iPhone works fine now
+
+Issue Reproduction Steps:
+1. Enable Bluetooth Hotspot on Android device (DUT).
+2. Pair and connect an iPhone to DUT.
+3. Forget this pairing on DUT.
+4. On iPhone settings, click on old DUT's paired entry to connect.
+5. iPhone notifies to click 'Forget Device' and try fresh pairing.
+6. On iPhone, after doing 'Forget Device', discover DUT again.
+7. Attempt pairing to DUT by clicking on discovered DUT entry.
+   Pairing will be unsuccessful.
+
+Issue Cause:
+During re-pairing, DUT is seen to downgrade
+BR/EDR link key unexpectedly from link key type 0x8
+(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
+
+Log snippet (re-pairing time):
+btm_sec_link_key_notification set new_encr_key_256 to 1
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
+btm_sec_encrypt_change new_encr_key_256 is 1
+--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
+btm_sec_encrypt_change new_encr_key_256 is 0
+updated link key type to 5
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
+
+This is a backport of the following patch: aosp/1890096
+
+Bug: 258834033
+
+Reason for revert: Reinstate original change for QPR
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
+Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+---
+ stack/btm/btm_sec.cc | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 277e01dc1..3ba1a6023 100644
+--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
+@@ -4035,22 +4035,6 @@ void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
+           SMP_BR_PairWith(p_dev_rec->bd_addr);
+         }
+       }
+-    } else {
+-      // BR/EDR is successfully encrypted. Correct LK type if needed
+-      // (BR/EDR LK derived from LE LTK was used for encryption)
+-      if ((encr_enable == 1) && /* encryption is ON for SSP */
+-          /* LK type is for BR/EDR SC */
+-          (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
+-           p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
+-        if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
+-          p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
+-        else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
+-          p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
+-
+-        BTM_TRACE_DEBUG("updated link key type to %d",
+-                        p_dev_rec->link_key_type);
+-        btm_send_link_key_notif(p_dev_rec);
+-      }
+     }
+   }
+ 
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358583.patch
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358583.patch
@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 11 Oct 2022 21:23:22 +0000
+Subject: [PATCH] Prevent use-after-free of HID reports
+
+BTA sends the the HID report pointer to BTIF and deallocates it immediately.
+This is now prevented by providing a deep copy callback function for HID
+reports when tranferring context from BTA to BTIF.
+
+This is a backport of change Icef7a7ed1185b4283ee4fe4f812ca154d8f1b825,
+already merged on T for b/227620181.
+
+Bug: 228837201
+Test: Validated against researcher POC, ran BT unit tests, played audio
+manually.
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:874c495c886cd8722625756dc5fd0634b16b4f42)
+Merged-In: Ib837f395883de2369207f1b3b974d6bff02dcb19
+Change-Id: Ib837f395883de2369207f1b3b974d6bff02dcb19
+
+Change-Id: I7e94dbdf4990ce8ebb03d8ffdacd4049f16873bb
+---
+ btif/src/btif_hh.cc | 50 ++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 45 insertions(+), 5 deletions(-)
+
+diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
+index 1b770ddb1..b5135ff2f 100644
+--- a/btif/src/btif_hh.cc
+++ b/btif/src/btif_hh.cc
+@@ -1127,6 +1127,38 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+   }
+ }
+ 
+/*******************************************************************************
+ *
+ * Function         btif_hh_hsdata_rpt_copy_cb
+ *
+ * Description      Deep copies the tBTA_HH_HSDATA structure
+ *
+ * Returns          void
+ *
+ ******************************************************************************/
+
+static void btif_hh_hsdata_rpt_copy_cb(uint16_t event, char* p_dest,
+                                       char* p_src) {
+  tBTA_HH_HSDATA* p_dst_data = (tBTA_HH_HSDATA*)p_dest;
+  tBTA_HH_HSDATA* p_src_data = (tBTA_HH_HSDATA*)p_src;
+  BT_HDR* hdr;
+
+  if (!p_src) {
+    BTIF_TRACE_ERROR("%s: Nothing to copy", __func__);
+    return;
+  }
+
+  memcpy(p_dst_data, p_src_data, sizeof(tBTA_HH_HSDATA));
+
+  hdr = p_src_data->rsp_data.p_rpt_data;
+  if (hdr != NULL) {
+    uint8_t* p_data = ((uint8_t*)p_dst_data) + sizeof(tBTA_HH_HSDATA);
+    memcpy(p_data, hdr, BT_HDR_SIZE + hdr->offset + hdr->len);
+
+    p_dst_data->rsp_data.p_rpt_data = (BT_HDR*)p_data;
+  }
+}
+
+ /*******************************************************************************
+  *
+  * Function         bte_hh_evt
+@@ -1140,6 +1172,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+   bt_status_t status;
+   int param_len = 0;
+  tBTIF_COPY_CBACK* p_copy_cback = NULL;
+ 
+   if (BTA_HH_ENABLE_EVT == event)
+     param_len = sizeof(tBTA_HH_STATUS);
+@@ -1151,11 +1184,18 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+     param_len = sizeof(tBTA_HH_CBDATA);
+   else if (BTA_HH_GET_DSCP_EVT == event)
+     param_len = sizeof(tBTA_HH_DEV_HANDLE_DSCP_INFO);
+-  else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_RPT_EVT == event) ||
+-           (BTA_HH_GET_IDLE_EVT == event))
+  else if ((BTA_HH_GET_PROTO_EVT == event) || (BTA_HH_GET_IDLE_EVT == event))
+    param_len = sizeof(tBTA_HH_HSDATA);
+  else if (BTA_HH_GET_RPT_EVT == event) {
+    BT_HDR* hdr = p_data->hs_data.rsp_data.p_rpt_data;
+     param_len = sizeof(tBTA_HH_HSDATA);
+-  else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+-           (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+
+    if (hdr != NULL) {
+      p_copy_cback = btif_hh_hsdata_rpt_copy_cb;
+      param_len += BT_HDR_SIZE + hdr->offset + hdr->len;
+    }
+  } else if ((BTA_HH_SET_PROTO_EVT == event) || (BTA_HH_SET_RPT_EVT == event) ||
+             (BTA_HH_VC_UNPLUG_EVT == event) || (BTA_HH_SET_IDLE_EVT == event))
+     param_len = sizeof(tBTA_HH_CBDATA);
+   else if ((BTA_HH_ADD_DEV_EVT == event) || (BTA_HH_RMV_DEV_EVT == event))
+     param_len = sizeof(tBTA_HH_DEV_INFO);
+@@ -1164,7 +1204,7 @@ void bte_hh_evt(tBTA_HH_EVT event, tBTA_HH* p_data) {
+   /* switch context to btif task context (copy full union size for convenience)
+    */
+   status = btif_transfer_context(btif_hh_upstreams_evt, (uint16_t)event,
+-                                 (char*)p_data, param_len, NULL);
+                                 (char*)p_data, param_len, p_copy_cback);
+ 
+   /* catch any failed context transfers */
+   ASSERTC(status == BT_STATUS_SUCCESS, "context transfer failed", status);
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358584.patch
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358584.patch
@ -0,0 +1,139 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:35:08 +0000
+Subject: [PATCH] Revert^2 "Validate buffer length in sdpu_build_uuid_seq"
+
+fd2ded7341c7f867a153e86f003758808f11bfb9
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4d33899d2c0573cf351691cdf27628416621f545)
+Merged-In: I40ea9f3858215f460e6dab3768e0c6d2155e4755
+Change-Id: I40ea9f3858215f460e6dab3768e0c6d2155e4755
+
+Change-Id: I41b3e52c09638f8a46a26d9527b0e114f6c8682e
+---
+ stack/sdp/sdp_discovery.cc | 64 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
+index ebfa510f1..14713c4b1 100644
+--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
+@@ -74,10 +74,15 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
+  *
+  ******************************************************************************/
+ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
+-                                    Uuid* p_uuid_list) {
+                                    Uuid* p_uuid_list, uint16_t& bytes_left) {
+   uint16_t xx;
+   uint8_t* p_len;
+ 
+  if (bytes_left < 2) {
+    DCHECK(0) << "SDP: No space for data element header";
+    return (p_out);
+  }
+
+   /* First thing is the data element header */
+   UINT8_TO_BE_STREAM(p_out, (DATA_ELE_SEQ_DESC_TYPE << 3) | SIZE_IN_NEXT_BYTE);
+ 
+@@ -85,9 +90,20 @@ static uint8_t* sdpu_build_uuid_seq(uint8_t* p_out, uint16_t num_uuids,
+   p_len = p_out;
+   p_out += 1;
+ 
+  /* Account for data element header and length */
+  bytes_left -= 2;
+
+   /* Now, loop through and put in all the UUID(s) */
+   for (xx = 0; xx < num_uuids; xx++, p_uuid_list++) {
+     int len = p_uuid_list->GetShortestRepresentationSize();
+
+    if (len + 1 > bytes_left) {
+      DCHECK(0) << "SDP: Too many UUIDs for internal buffer";
+      break;
+    } else {
+      bytes_left -= (len + 1);
+    }
+
+     if (len == Uuid::kNumBytes16) {
+       UINT8_TO_BE_STREAM(p_out, (UUID_DESC_TYPE << 3) | SIZE_TWO_BYTES);
+       UINT16_TO_BE_STREAM(p_out, p_uuid_list->As16Bit());
+@@ -124,6 +140,7 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
+   uint8_t *p, *p_start, *p_param_len;
+   BT_HDR* p_cmd = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
+   uint16_t param_len;
+  uint16_t bytes_left = SDP_DATA_BUF_SIZE;
+ 
+   /* Prepare the buffer for sending the packet to L2CAP */
+   p_cmd->offset = L2CAP_MIN_OFFSET;
+@@ -138,13 +155,29 @@ static void sdp_snd_service_search_req(tCONN_CB* p_ccb, uint8_t cont_len,
+   p_param_len = p;
+   p += 2;
+ 
+-/* Build the UID sequence. */
+  /* Account for header size, max service record count and
+   * continuation state */
+  const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+                               3u + /* service search request header */
+                               2u + /* param len */
+                               3u + ((p_cont) ? cont_len : 0));
+
+  if (base_bytes > bytes_left) {
+    DCHECK(0) << "SDP: Overran SDP data buffer";
+    osi_free(p_cmd);
+    return;
+  }
+
+  bytes_left -= base_bytes;
+
+  /* Build the UID sequence. */
+ #if (SDP_BROWSE_PLUS == TRUE)
+   p = sdpu_build_uuid_seq(p, 1,
+-                          &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+                          &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+                          bytes_left);
+ #else
+   p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
+-                          p_ccb->p_db->uuid_filters);
+                          p_ccb->p_db->uuid_filters, bytes_left);
+ #endif
+ 
+   /* Set max service record count */
+@@ -635,6 +668,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+   if ((cont_request_needed) || (!p_reply)) {
+     BT_HDR* p_msg = (BT_HDR*)osi_malloc(SDP_DATA_BUF_SIZE);
+     uint8_t* p;
+    uint16_t bytes_left = SDP_DATA_BUF_SIZE;
+ 
+     p_msg->offset = L2CAP_MIN_OFFSET;
+     p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET;
+@@ -648,13 +682,29 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+     p_param_len = p;
+     p += 2;
+ 
+-/* Build the UID sequence. */
+    /* Account for header size, max service record count and
+     * continuation state */
+    const uint16_t base_bytes = (sizeof(BT_HDR) + L2CAP_MIN_OFFSET +
+                                 3u + /* service search request header */
+                                 2u + /* param len */
+                                 3u + /* max service record count */
+                                 ((p_reply) ? (*p_reply) : 0));
+
+    if (base_bytes > bytes_left) {
+      sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+      return;
+    }
+
+    bytes_left -= base_bytes;
+
+    /* Build the UID sequence. */
+ #if (SDP_BROWSE_PLUS == TRUE)
+     p = sdpu_build_uuid_seq(p, 1,
+-                            &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx]);
+                            &p_ccb->p_db->uuid_filters[p_ccb->cur_uuid_idx],
+                            bytes_left);
+ #else
+     p = sdpu_build_uuid_seq(p, p_ccb->p_db->num_uuid_filters,
+-                            p_ccb->p_db->uuid_filters);
+                            p_ccb->p_db->uuid_filters, bytes_left);
+ #endif
+ 
+     /* Max attribute byte count */
--- a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358585.patch
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/358585.patch
@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 21 Mar 2023 22:39:16 +0000
+Subject: [PATCH] Revert "Revert "Fix wrong BR/EDR link key downgrades
+ (P_256->P_192)""
+
+This reverts commit d733c86cbc06ce0ec72216b9d41e172d1939c46f.
+
+Function btm_sec_encrypt_change() is called at most places
+with argument "encr_enable" treated as bool and not as per
+(tHCI_ENCRYPT_MODE = 0/1/2) expected by the function. The
+function has special handling for "encr_enable=1" to downgrade
+the link key type for BR/EDR case. This gets executed even
+when the caller/context did not mean/expect so. It appears
+this handling in btm_sec_encrypt_change() is not necessary and
+is removed by this commit to prevent accidental execution of it.
+
+Test: Verified re-pairing with an iPhone works fine now
+
+Issue Reproduction Steps:
+1. Enable Bluetooth Hotspot on Android device (DUT).
+2. Pair and connect an iPhone to DUT.
+3. Forget this pairing on DUT.
+4. On iPhone settings, click on old DUT's paired entry to connect.
+5. iPhone notifies to click 'Forget Device' and try fresh pairing.
+6. On iPhone, after doing 'Forget Device', discover DUT again.
+7. Attempt pairing to DUT by clicking on discovered DUT entry.
+   Pairing will be unsuccessful.
+
+Issue Cause:
+During re-pairing, DUT is seen to downgrade
+BR/EDR link key unexpectedly from link key type 0x8
+(BTM_LKEY_TYPE_AUTH_COMB_P_256) to 0x5 (BTM_LKEY_TYPE_AUTH_COMB).
+
+Log snippet (re-pairing time):
+btm_sec_link_key_notification set new_encr_key_256 to 1
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x8, bond_type=1
+btm_sec_encrypt_change new_encr_key_256 is 1
+--On DUT, HCI_Encryption_Key_Refresh_Complete event noticed---
+btm_sec_encrypt_change new_encr_key_256 is 0
+updated link key type to 5
+btif_dm_auth_cmpl_evt: Storing link key. key_type=0x5, bond_type=1
+
+This is a backport of the following patch: aosp/1890096
+
+Bug: 258834033
+
+Reason for revert: Reinstate original change for QPR
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:56891eedc68c86b40977191dad28d65ebf86a94f)
+Merged-In: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+Change-Id: Iba0c220b82bcf6b15368762b7052a3987ccbc0c6
+
+Change-Id: Ic5130971306864e5bd2a590f238175c9545a297a
+---
+ stack/btm/btm_sec.cc | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 2e4c0c196..40f051c0d 100644
+--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
+@@ -4303,31 +4303,6 @@ void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
+           SMP_BR_PairWith(p_dev_rec->bd_addr);
+         }
+       }
+-    } else {
+-      // BR/EDR is successfully encrypted. Correct LK type if needed
+-      // (BR/EDR LK derived from LE LTK was used for encryption)
+-      if ((encr_enable == 1) && /* encryption is ON for SSP */
+-          /* LK type is for BR/EDR SC */
+-          (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
+-           p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
+-          if (p_dev_rec->sec_smp_pair_pending != BTM_SEC_SMP_PAIR_PENDING) {
+-            if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
+-              p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
+-            else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
+-              p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
+-
+-            BTM_TRACE_DEBUG("updated link key type to %d",
+-                        p_dev_rec->link_key_type);
+-            btm_send_link_key_notif(p_dev_rec);
+-          } else {
+-            BTM_TRACE_DEBUG("link key type to %d will update after SMP",
+-                        p_dev_rec->link_key_type);
+-            if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
+-              p_dev_rec->sec_smp_pair_pending |= BTM_SEC_LINK_KEY_TYPE_UNAUTH;
+-            else
+-              p_dev_rec->sec_smp_pair_pending |= BTM_SEC_LINK_KEY_TYPE_AUTH;
+-          }
+-      }
+     }
+   }
+ 
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2023-02-05/2023-05-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-05 #XXX
+sed -i 's/2023-02-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-06 #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -136,6 +136,10 @@ if enterAndClear "external/zlib"; then
 applyPatch "$DOS_PATCHES/android_external_zlib/351107.patch"; #n-asb-2023-03 Fix a bug when getting a gzip header extra field with inflate().
 fi;

+if enterAndClear "frameworks/av"; then
+applyPatch "$DOS_PATCHES/android_frameworks_av/358555.patch"; #R_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+fi;
+
 if enterAndClear "frameworks/base"; then
 applyPatch "$DOS_PATCHES/android_frameworks_base/351411-backport.patch"; #R_asb_2023-03 Move service initialization
 applyPatch "$DOS_PATCHES/android_frameworks_base/351412.patch"; #R_asb_2023-03 Stop managed profile owner granting READ_SMS
@ -158,6 +162,13 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/355763-backport.patch"; #R_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/355765-backport.patch"; #R_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
 applyPatch "$DOS_PATCHES/android_frameworks_base/355766-backport.patch"; #R_asb_2023-05 Uri: check authority and scheme as part of determining URI path
 applyPatch "$DOS_PATCHES/android_frameworks_base/355767.patch"; #R_asb_2023-05 Enforce stricter rules when registering phoneAccounts
+#applyPatch "$DOS_PATCHES/android_frameworks_base/358556.patch"; #R_asb_2023-06 Remove Activity if it enters PiP without window #TODO: needs backport of findMainWindow
+applyPatch "$DOS_PATCHES/android_frameworks_base/358557.patch"; #R_asb_2023-06 Prevent sharesheet from previewing unowned URIs
+applyPatch "$DOS_PATCHES/android_frameworks_base/358560.patch"; #R_asb_2023-06 Check key intent for selectors and prohibited flags
+applyPatch "$DOS_PATCHES/android_frameworks_base/358561-backport.patch"; #R_asb_2023-06 Handle invalid data during job loading.
+applyPatch "$DOS_PATCHES/android_frameworks_base/358562-backport.patch"; #R_asb_2023-06 Allow filtering of services
+#applyPatch "$DOS_PATCHES/android_frameworks_base/358564-backport.patch"; #R_asb_2023-06 Add BubbleMetadata detection to block FSI #TODO: needs backport of getSbn
+applyPatch "$DOS_PATCHES/android_frameworks_base/358732-backport.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@ -297,6 +308,10 @@ if enterAndClear "packages/apps/Bluetooth"; then
 if [ "$DOS_GRAPHENE_CONSTIFY" = true ]; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; fi; #Constify JNINativeMethod tables (GrapheneOS)
 fi;

+if enterAndClear "packages/apps/Car/Settings"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_Car_Settings/358565-backport.patch"; #R_asb_2023-06 Convert argument to Intent in car settings AddAccountActivity.
+fi;
+
 #if enterAndClear "packages/apps/CarrierConfig"; then
 #rm -rf assets/*.xml;
 #cp $DOS_PATCHES_COMMON/android_packages_apps_CarrierConfig/*.xml assets/;
@ -337,6 +352,9 @@ git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM u
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351440-backport.patch"; #R_asb_2023-03 FRP bypass defense in the settings app
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351441.patch"; #R_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/353956.patch"; #R_asb_2023-04 Only primary user is allowed to control secure nfc
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358566.patch"; #R_asb_2023-06 Move display of VPN version into summary text
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358567-backport.patch"; #R_asb_2023-06 Import translations.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle-gos.patch"; #Add option to disable captive portal checks (GrapheneOS) #FIXME: needs work
@ -364,6 +382,10 @@ if enterAndClear "packages/apps/Trebuchet"; then
 cp $DOS_BUILD_BASE/vendor/divested/overlay/common/packages/apps/Trebuchet/res/xml/default_workspace_*.xml res/xml/; #XXX: Likely no longer needed
 fi;

+if enterAndClear "packages/apps/TvSettings"; then
+applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/358578.patch"; #R_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+fi;
+
 if enterAndClear "packages/apps/Updater"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0001-Server.patch"; #Switch to our server (DivestOS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Updater/0002-Tor_Support.patch"; #Add Tor support (DivestOS)
@ -396,6 +418,7 @@ if enterAndClear "packages/services/Telecomm"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353958-backport.patch"; #R_asb_2023-04 Ensure service unbind when receiving a null call screening service in onBind.
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/353959.patch"; #R_asb_2023-04 Do not process content uri in call Intents
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/358579-backport.patch"; #R_asb_2023-06 Call Redirection: unbind service when onBind returns null
 fi;

 if enterAndClear "prebuilts/abi-dumps/vndk"; then
@ -408,6 +431,9 @@ applyPatch "$DOS_PATCHES/android_system_bt/351444.patch"; #R_asb_2023-03 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/351445.patch"; #R_asb_2023-03 Fix an OOB write in SDP_AddAttribute
 applyPatch "$DOS_PATCHES/android_system_bt/353960.patch"; #R_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
 applyPatch "$DOS_PATCHES/android_system_bt/353961.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/358581.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@ -492,6 +518,9 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351450.patch";
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/351451.patch"; #R_asb_2023-03 AVRCP: Fix potential buffer overflow
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353967.patch"; #R_asb_2023-04 Fix an OOB bug in register_notification_rsp
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/353968.patch"; #R_asb_2023-04 AVDTP: Fix a potential overflow about the media payload offset
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358583.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358584.patch"; #R_asb_2023-06 Revert^2 "Validate buffer length in sdpu_build_uuid_seq"
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/358585.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
 fi;
 #
 #END OF ROM CHANGES