Move many old cherry picks in tree for archival/support purposes

2025-01-11 15:39:28 -05:00 · 2021-02-05 19:23:12 -05:00 · 2021-02-05 19:23:12 -05:00 · 820c637f20
commit 820c637f20
parent ebd992580c
53 changed files with 2476 additions and 19 deletions
--- a/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/251199.patch
+++ b/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/251199.patch
@ -0,0 +1,183 @@
+From 3d89c4fb28b44ad5cbc0e75315e28b96eaee95db Mon Sep 17 00:00:00 2001
+From: Ted Wang <tedwang@google.com>
+Date: Mon, 29 Apr 2019 10:11:04 +0800
+Subject: [PATCH] Fix potential OOB read in sdpu_get_len_from_type
+
+Add boundary check in sdpu_get_len_from_type to prevent potential OOB read.
+
+Bug: 117105007
+Test: Manul
+Merged-In: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
+Change-Id: I3755e13ee0a7e22ffd5f48fca909610a26b09d0a
+(cherry picked from commit 1243f8da338dadfe2a3c281a08297b431402d41c)
+(cherry picked from commit 4d8e1d63e1a2116c47702d38d858f5a742e8292f)
+---
+ stack/sdp/sdp_db.c        |  7 ++++++-
+ stack/sdp/sdp_discovery.c | 37 ++++++++++++++++++++++++++++---------
+ stack/sdp/sdp_utils.c     | 17 ++++++++++++++++-
+ stack/sdp/sdpint.h        |  2 +-
+ 4 files changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/stack/sdp/sdp_db.c b/stack/sdp/sdp_db.c
+index 318a8cc2..f9518f77 100644
+--- a/stack/sdp/sdp_db.c
+++ b/stack/sdp/sdp_db.c
+@@ -130,7 +130,12 @@ static BOOLEAN find_uuid_in_seq (UINT8 *p , UINT32 seq_len, UINT8 *p_uuid,
+     while (p < p_end)
+     {
+         type = *p++;
+-        p = sdpu_get_len_from_type (p, type, &len);
+        p = sdpu_get_len_from_type (p, p_end, type, &len);
+        if (p == NULL || (p + len) > p_end)
+        {
+            SDP_TRACE_WARNING1("%s: bad length", __func__);
+            break;
+        }
+         type = type >> 3;
+         if (type == UUID_DESC_TYPE)
+         {
+diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
+index d92d1e52..81b5d584 100644
+--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
+@@ -408,6 +408,7 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+     UINT32          list_len;
+     UINT8           *p;
+     UINT8           * p_temp;
+    UINT8           *p_end;
+     UINT8           type;
+     UINT32          delta_len = 0;
+ 
+@@ -427,13 +428,19 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+         cpy_len = p_ccb->p_db->raw_size - p_ccb->p_db->raw_used;
+         list_len = p_ccb->list_len;
+         p_temp = p = &p_ccb->rsp_list[0];
+        p_end = &p_ccb->rsp_list[0] + list_len;
+ 
+         if(offset)
+         {
+             cpy_len -= 1;
+             type = *p++;
+             uint8_t* old_p = p;
+-            p = sdpu_get_len_from_type (p, type, &list_len);
+            p = sdpu_get_len_from_type(p, p_end, type, &list_len);
+            if (p == NULL || (p + list_len) > p_end)
+            {
+                SDP_TRACE_WARNING1("%s: bad length", __func__);
+                return;
+            }
+             if ((int)cpy_len < (p - old_p))
+             {
+                 SDP_TRACE_WARNING1("%s: no bytes left for data", __func__);
+@@ -810,8 +817,12 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+         SDP_TRACE_WARNING1 ("SDP - Wrong type: 0x%02x in attr_rsp", type);
+         return;
+     }
+-    p = sdpu_get_len_from_type (p, type, &seq_len);
+-
+    p = sdpu_get_len_from_type(p, p + p_ccb->list_len, type, &seq_len);
+    if (p == NULL || (p + seq_len) > (p + p_ccb->list_len))
+    {
+        SDP_TRACE_WARNING1("%s: bad length", __func__);
+        return;
+    }
+     p_end = &p_ccb->rsp_list[p_ccb->list_len];
+ 
+     if ((p + seq_len) != p_end)
+@@ -858,9 +869,8 @@ static UINT8 *save_attr_seq (tCONN_CB *p_ccb, UINT8 *p, UINT8 *p_msg_end)
+         SDP_TRACE_WARNING1 ("SDP - Wrong type: 0x%02x in attr_rsp", type);
+         return (NULL);
+     }
+-
+-    p = sdpu_get_len_from_type (p, type, &seq_len);
+-    if ((p + seq_len) > p_msg_end)
+    p = sdpu_get_len_from_type(p, p_msg_end, type, &seq_len);
+    if (p == NULL || (p + seq_len) > p_msg_end)
+     {
+         SDP_TRACE_WARNING1 ("SDP - Bad len in attr_rsp %d", seq_len);
+         return (NULL);
+@@ -880,7 +890,12 @@ static UINT8 *save_attr_seq (tCONN_CB *p_ccb, UINT8 *p, UINT8 *p_msg_end)
+     {
+         /* First get the attribute ID */
+         type = *p++;
+-        p = sdpu_get_len_from_type (p, type, &attr_len);
+        p = sdpu_get_len_from_type(p, p_msg_end, type, &attr_len);
+        if (p == NULL || (p + attr_len) > p_seq_end)
+        {
+            SDP_TRACE_WARNING2("%s: Bad len in attr_rsp %d", __func__, attr_len);
+            return (NULL);
+        }
+         if (((type >> 3) != UINT_DESC_TYPE) || (attr_len != 2))
+         {
+             SDP_TRACE_WARNING2 ("SDP - Bad type: 0x%02x or len: %d in attr_rsp", type, attr_len);
+@@ -970,8 +985,12 @@ static UINT8 *add_attr (UINT8 *p, UINT8 *p_end, tSDP_DISCOVERY_DB *p_db, tSDP_DI
+     nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
+ 
+     type = *p++;
+-    p = sdpu_get_len_from_type (p, type, &attr_len);
+-
+    p = sdpu_get_len_from_type(p, p_end, type, &attr_len);
+    if (p == NULL || (p + attr_len) > p_end)
+    {
+        SDP_TRACE_WARNING1("%s: bad length in attr_rsp", __func__);
+        return NULL;
+    }
+     attr_len &= SDP_DISC_ATTR_LEN_MASK;
+     attr_type = (type >> 3) & 0x0f;
+ 
+diff --git a/stack/sdp/sdp_utils.c b/stack/sdp/sdp_utils.c
+index 210fbcc8..c99378b8 100644
+--- a/stack/sdp/sdp_utils.c
+++ b/stack/sdp/sdp_utils.c
+@@ -608,7 +608,7 @@ UINT8 *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq)
+ ** Returns          void
+ **
+ *******************************************************************************/
+-UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 type, UINT32 *p_len)
+UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 *p_end, UINT8 type, UINT32 *p_len)
+ {
+     UINT8   u8;
+     UINT16  u16;
+@@ -632,14 +632,29 @@ UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 type, UINT32 *p_len)
+         *p_len = 16;
+         break;
+     case SIZE_IN_NEXT_BYTE:
+        if (p + 1 > p_end)
+        {
+            *p_len = 0;
+            return NULL;
+        }
+         BE_STREAM_TO_UINT8 (u8, p);
+         *p_len = u8;
+         break;
+     case SIZE_IN_NEXT_WORD:
+        if (p + 2 > p_end)
+        {
+            *p_len = 0;
+            return NULL;
+        }
+         BE_STREAM_TO_UINT16 (u16, p);
+         *p_len = u16;
+         break;
+     case SIZE_IN_NEXT_LONG:
+        if (p + 4 > p_end)
+        {
+            *p_len = 0;
+            return NULL;
+        }
+         BE_STREAM_TO_UINT32 (u32, p);
+         *p_len = (UINT16) u32;
+         break;
+diff --git a/stack/sdp/sdpint.h b/stack/sdp/sdpint.h
+index b3006640..74f748aa 100644
+--- a/stack/sdp/sdpint.h
+++ b/stack/sdp/sdpint.h
+@@ -285,7 +285,7 @@ extern void      sdpu_build_n_send_error (tCONN_CB *p_ccb, UINT16 trans_num, UIN
+ extern UINT8    *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq);
+ extern UINT8    *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq);
+ 
+-SDP_API extern UINT8    *sdpu_get_len_from_type (UINT8 *p, UINT8 type, UINT32 *p_len);
+SDP_API extern UINT8    *sdpu_get_len_from_type (UINT8 *p, UINT8 *p_end, UINT8 type, UINT32 *p_len);
+ extern BOOLEAN  sdpu_is_base_uuid (UINT8 *p_uuid);
+ extern BOOLEAN  sdpu_compare_uuid_arrays (UINT8 *p_uuid1, UINT32 len1, UINT8 *p_uuid2, UINT16 len2);
+ SDP_API extern BOOLEAN  sdpu_compare_bt_uuids (tBT_UUID *p_uuid1, tBT_UUID *p_uuid2);
--- a/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265361.patch
+++ b/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265361.patch
@ -0,0 +1,55 @@
+From 7b32c85942c038866d44634b0c08593133e150b7 Mon Sep 17 00:00:00 2001
+From: Martin Brabham <optedoblivion@google.com>
+Date: Fri, 24 May 2019 15:13:38 -0700
+Subject: [PATCH] DO NOT MERGE: btif: require pairing dialog for JustWorks SSP
+
+Bug: 110433804
+Test: Manual; atest net_test_bluetooth
+Change-Id: If65a8d53ff368ba3ddddb47cfc0072469090b46a
+(cherry picked from commit ddae6274742e241c03526c7659dca7b3446b9f8d)
+(cherry picked from commit 26ba26be830f04e6fd9c77b075bcae48677d4cce)
+---
+ btif/src/btif_dm.c | 23 -----------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
+index f2bd9001..544cb1a4 100644
+--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c
+@@ -915,7 +915,6 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ *p_ssp_cfm_req)
+     bt_bdaddr_t bd_addr;
+     bt_bdname_t bd_name;
+     UINT32 cod;
+-    BOOLEAN is_incoming = !(pairing_cb.state == BT_BOND_STATE_BONDING);
+ 
+     BTIF_TRACE_DEBUG1("%s", __FUNCTION__);
+ 
+@@ -946,28 +945,6 @@ static void btif_dm_ssp_cfm_req_evt(tBTA_DM_SP_CFM_REQ *p_ssp_cfm_req)
+ 
+     pairing_cb.is_ssp = TRUE;
+ 
+-    /* If JustWorks auto-accept */
+-    if (p_ssp_cfm_req->just_works)
+-    {
+-        /* Pairing consent for JustWorks needed if:
+-         * 1. Incoming pairing is detected AND
+-         * 2. local IO capabilities are DisplayYesNo AND
+-         * 3. remote IO capabiltiies are DisplayOnly or NoInputNoOutput;
+-         */
+-        if ((is_incoming) && ((p_ssp_cfm_req->loc_io_caps == 0x01) &&
+-                (p_ssp_cfm_req->rmt_io_caps == 0x00 || p_ssp_cfm_req->rmt_io_caps == 0x03)))
+-        {
+-            BTIF_TRACE_EVENT3("%s: User consent needed for incoming pairing request. loc_io_caps: %d, rmt_io_caps: %d",
+-                __FUNCTION__, p_ssp_cfm_req->loc_io_caps, p_ssp_cfm_req->rmt_io_caps);
+-        }
+-        else
+-        {
+-            BTIF_TRACE_EVENT1("%s: Auto-accept JustWorks pairing", __FUNCTION__);
+-            btif_dm_ssp_reply(&bd_addr, BT_SSP_VARIANT_CONSENT, TRUE, 0);
+-            return;
+-        }
+-    }
+-
+     cod = devclass2uint(p_ssp_cfm_req->dev_class);
+ 
+     if ( cod == 0) {
--- a/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265493.patch
+++ b/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265493.patch
@ -0,0 +1,89 @@
+From 83f6ba8dc3f5bd609c117527da4e46bb36612e04 Mon Sep 17 00:00:00 2001
+From: Zongheng Wang <wangzongheng@google.com>
+Date: Mon, 5 Aug 2019 12:45:35 -0700
+Subject: [PATCH] SDP: disconnect if sdp_copy_raw_data fails
+
+Our partners met with the problem with sdp_copy_raw_data updated in
+CVE-2019-2116. When peer device responds with a wrong size,
+sdp_copy_raw_data will not complete and won't trigger
+disconnection. This CL enables the disconnection when a wrong size is
+received.
+
+Bug: 137239831
+Bug: 117105007
+Test: manual test
+Change-Id: I9f0df8b2de28970e7d69b737ce5d363785183bf3
+Merged-In: I9f0df8b2de28970e7d69b737ce5d363785183bf3
+(cherry picked from commit bc9df3451dad17c1ab1002fdbc85d60e57d4f0af)
+(cherry picked from commit 41939a2b5a8e3584c5a99dfe264a47df79e3091f)
+---
+ stack/sdp/sdp_discovery.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
+index 81b5d584..474ce6b7 100644
+--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
+@@ -398,11 +398,13 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ ** Description      copy the raw data
+ **
+ **
+-** Returns          void
+** Returns          BOOLEAN
+**                          true if successful
+**                          false if not copied
+ **
+ *******************************************************************************/
+ #if (SDP_RAW_DATA_INCLUDED == TRUE)
+-static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+static BOOLEAN sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+ {
+     unsigned int    cpy_len, rem_len;
+     UINT32          list_len;
+@@ -439,12 +441,12 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+             if (p == NULL || (p + list_len) > p_end)
+             {
+                 SDP_TRACE_WARNING1("%s: bad length", __func__);
+-                return;
+                return FALSE;
+             }
+             if ((int)cpy_len < (p - old_p))
+             {
+                 SDP_TRACE_WARNING1("%s: no bytes left for data", __func__);
+-                return;
+                return FALSE;
+             }
+             cpy_len -= (p - old_p);
+         }
+@@ -464,6 +466,7 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+         memcpy (&p_ccb->p_db->raw_data[p_ccb->p_db->raw_used], p, cpy_len);
+         p_ccb->p_db->raw_used += cpy_len;
+     }
+    return TRUE;
+ }
+ #endif
+ 
+@@ -547,7 +550,10 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ 
+ #if (SDP_RAW_DATA_INCLUDED == TRUE)
+             SDP_TRACE_WARNING0("process_service_attr_rsp");
+-            sdp_copy_raw_data (p_ccb, FALSE);
+            if (!sdp_copy_raw_data(p_ccb, FALSE)) {
+                SDP_TRACE_ERROR0("sdp_copy_raw_data failed");
+                sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+            }
+ #endif
+ 
+             /* Save the response in the database. Stop on any error */
+@@ -804,7 +810,10 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ 
+ #if (SDP_RAW_DATA_INCLUDED == TRUE)
+     SDP_TRACE_WARNING0("process_service_search_attr_rsp");
+-    sdp_copy_raw_data (p_ccb, TRUE);
+    if (!sdp_copy_raw_data (p_ccb, TRUE)) {
+        SDP_TRACE_ERROR0("sdp_copy_raw_data failed");
+        sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+    }
+ #endif
+ 
+     p = &p_ccb->rsp_list[0];
--- a/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265494.patch
+++ b/Patches/LineageOS-11.0/android_external_bluetooth_bluedroid/265494.patch
@ -0,0 +1,31 @@
+From 583460635a78028e8724275ad5370a8db3ae9d54 Mon Sep 17 00:00:00 2001
+From: Zongheng Wang <wangzongheng@google.com>
+Date: Tue, 20 Aug 2019 17:56:04 -0700
+Subject: [PATCH] SDP: Disconnect when there is a bad length
+
+Handle the case when SDP_RAW_DATA_INCLUDED is FALSE.
+Related to: I9f0df8b2de28970e7d69b737ce5d363785183bf3
+
+Bug: 137239831
+Bug: 117105007
+Test: manual test
+Change-Id: I354494565005f2ca9093486546fc54c145066413
+Merged-In: I354494565005f2ca9093486546fc54c145066413
+(cherry picked from commit e45fe0a8ec678c73c57967b69c2fd485eef92927)
+(cherry picked from commit 7f555a1a9b641a8e4892a4e7a7cc1ff294d8f2b7)
+---
+ stack/sdp/sdp_discovery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
+index 474ce6b7..68308e67 100644
+--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
+@@ -830,6 +830,7 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+     if (p == NULL || (p + seq_len) > (p + p_ccb->list_len))
+     {
+         SDP_TRACE_WARNING1("%s: bad length", __func__);
+        sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+         return;
+     }
+     p_end = &p_ccb->rsp_list[p_ccb->list_len];
--- a/Patches/LineageOS-11.0/android_external_libnfc-nci/258164.patch
+++ b/Patches/LineageOS-11.0/android_external_libnfc-nci/258164.patch
@ -0,0 +1,47 @@
+From 414b324868ebcd0fb4d213e7951cd2e82a3eee3a Mon Sep 17 00:00:00 2001
+From: George Chang <georgekgchang@google.com>
+Date: Thu, 6 Jun 2019 19:07:54 +0800
+Subject: [PATCH] Prevent integer overflow in NDEF_MsgValidate
+
+Bug: 126200054
+Test: Read a Ndef Tag
+Change-Id: I156047fa8b6219a4d4d269f7ca720f9a0ee55e17
+---
+ src/nfc/ndef/ndef_utils.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/nfc/ndef/ndef_utils.c b/src/nfc/ndef/ndef_utils.c
+index 9d44526..8b73c70 100644
+--- a/src/nfc/ndef/ndef_utils.c
+++ b/src/nfc/ndef/ndef_utils.c
+@@ -24,6 +24,7 @@
+  *
+  ******************************************************************************/
+ #include <string.h>
+#include <log/log.h>
+ #include "ndef_utils.h"
+ 
+ /*******************************************************************************
+@@ -80,6 +81,7 @@ tNDEF_STATUS NDEF_MsgValidate (UINT8 *p_msg, UINT32 msg_len, BOOLEAN b_allow_chu
+ {
+     UINT8   *p_rec = p_msg;
+     UINT8   *p_end = p_msg + msg_len;
+    UINT8   *p_new;
+     UINT8   rec_hdr=0, type_len, id_len;
+     int     count;
+     UINT32  payload_len;
+@@ -187,6 +189,14 @@ tNDEF_STATUS NDEF_MsgValidate (UINT8 *p_msg, UINT32 msg_len, BOOLEAN b_allow_chu
+                 return (NDEF_MSG_LENGTH_MISMATCH);
+         }
+ 
+        /* Check for OOB */
+        p_new = p_rec + (payload_len + type_len + id_len);
+        if (p_rec > p_new || p_end < p_new)
+        {
+            android_errorWriteLog(0x534e4554, "126200054");
+            return (NDEF_MSG_LENGTH_MISMATCH);
+        }
+
+         /* Point to next record */
+         p_rec += (payload_len + type_len + id_len);
+ 
--- a/Patches/LineageOS-11.0/android_external_libnfc-nci/258165.patch
+++ b/Patches/LineageOS-11.0/android_external_libnfc-nci/258165.patch
@ -0,0 +1,45 @@
+From 818a7f04e004cae09ccd62e35911b9853a02b96b Mon Sep 17 00:00:00 2001
+From: George Chang <georgekgchang@google.com>
+Date: Tue, 9 Jul 2019 16:17:23 +0800
+Subject: [PATCH] Prevent OOB read in rw_t4t.cc part 2
+
+Bug: 120865977
+Bug: 120274615
+Bug: 124462242
+Test: Read T4T Tag
+Change-Id: I4d70537d71442205a9456c0ece7a836fa4473558
+---
+ src/nfc/tags/rw_t4t.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/nfc/tags/rw_t4t.c b/src/nfc/tags/rw_t4t.c
+index 7a7f457..29fbc02 100644
+--- a/src/nfc/tags/rw_t4t.c
+++ b/src/nfc/tags/rw_t4t.c
+@@ -1075,6 +1075,8 @@ static void rw_t4t_handle_error (tNFC_STATUS status, UINT8 sw1, UINT8 sw2)
+ 
+         rw_data.t4t_sw.sw1    = sw1;
+         rw_data.t4t_sw.sw2    = sw2;
+        rw_data.ndef.cur_size = 0;
+        rw_data.ndef.max_size = 0;
+ 
+         switch (p_t4t->state)
+         {
+@@ -1980,6 +1982,17 @@ static void rw_t4t_data_cback (UINT8 conn_id, tNFC_CONN_EVT event, tNFC_CONN *p_
+     RW_TRACE_DEBUG1 ("RW T4T state: %d", p_t4t->state);
+ #endif
+ 
+    if (p_t4t->state != RW_T4T_STATE_IDLE &&
+        p_t4t->state != RW_T4T_STATE_PRESENCE_CHECK &&
+        p_r_apdu->len < T4T_RSP_STATUS_WORDS_SIZE)
+    {
+        RW_TRACE_DEBUG1 ("%s incorrect p_r_apdu length", __func__);
+        RW_TRACE_DEBUG0 ("0x534e4554 120865977");
+        rw_t4t_handle_error(NFC_STATUS_FAILED, 0, 0);
+        GKI_freebuf(p_r_apdu);
+        return;
+    }
+
+     switch (p_t4t->state)
+     {
+     case RW_T4T_STATE_IDLE:
--- a/Patches/LineageOS-11.0/android_external_libnfc-nci/264094.patch
+++ b/Patches/LineageOS-11.0/android_external_libnfc-nci/264094.patch
@ -0,0 +1,59 @@
+From 3b4afbcac25aed96d157b05921077ce83f05b518 Mon Sep 17 00:00:00 2001
+From: George Chang <georgekgchang@google.com>
+Date: Fri, 16 Aug 2019 20:37:23 +0800
+Subject: [PATCH] Prevent OOB in rw_i93.cc
+
+Bug: 139188579
+Test: Read/Write/Lock Type 5 Tag
+Change-Id: Ife24f097c926184019038e559cbd806b289911c6
+Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
+(cherry picked from commit 4025e2b929905f9b751f3612a6ee26cd5e599417)
+---
+ src/nfc/tags/rw_i93.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
+index 4713d8f..7d6a3d7 100644
+--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
+@@ -41,6 +41,8 @@
+ #define RW_I93_READ_MULTI_BLOCK_SIZE            128     /* max reading data if read multi block is supported */
+ #define RW_I93_FORMAT_DATA_LEN                  8       /* CC, zero length NDEF, Terminator TLV              */
+ #define RW_I93_GET_MULTI_BLOCK_SEC_SIZE         512     /* max getting lock status if get multi block sec is supported */
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
+ 
+ /* main state */
+ enum
+@@ -1630,8 +1632,15 @@ void rw_i93_sm_detect_ndef (BT_HDR *p_resp)
+ 
+     case RW_I93_SUBSTATE_WAIT_CC:
+ 
+-        /* assume block size is more than 4 */
+-        STREAM_TO_ARRAY (cc, p, 4);
+        if (length < RW_I93_CC_SIZE)
+        {
+            android_errorWriteLog(0x534e4554, "139188579");
+            rw_i93_handle_error(NFC_STATUS_FAILED);
+            return;
+        }
+
+        /* assume block size is more than RW_I93_CC_SIZE 4 */
+        STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
+ 
+         status = NFC_STATUS_FAILED;
+ 
+@@ -2863,6 +2872,13 @@ void rw_i93_sm_set_read_only (BT_HDR *p_resp)
+     {
+     case RW_I93_SUBSTATE_WAIT_CC:
+ 
+        if (length < RW_I93_CC_SIZE)
+        {
+            android_errorWriteLog(0x534e4554, "139188579");
+            rw_i93_handle_error(NFC_STATUS_FAILED);
+            return;
+        }
+
+         /* mark CC as read-only */
+         *(p+1) |= I93_ICODE_CC_READ_ONLY;
+ 
--- a/Patches/LineageOS-11.0/android_external_libnfc-nci/264097.patch
+++ b/Patches/LineageOS-11.0/android_external_libnfc-nci/264097.patch
@ -0,0 +1,106 @@
+From 11f084f3bddf24d1747603363090ffab9217d7f3 Mon Sep 17 00:00:00 2001
+From: George Chang <georgekgchang@google.com>
+Date: Sun, 8 Sep 2019 22:55:33 +0800
+Subject: [PATCH] Add boundary check in nfa_hci_handle_admin_gate_rsp
+
+Bug: 124524315
+Test: Nfc Enable/Disable with NFC SIM
+Merged-In: Ic5b9398f7fc4f3aa8c83bd902e47d7785c5a6161
+Change-Id: Ic5b9398f7fc4f3aa8c83bd902e47d7785c5a6161
+Exempt-From-Owner-Approval: new owner approved
+(cherry picked from commit dc58f77ff10e8a6502208249741ab6879c038bf1)
+---
+ src/nfa/hci/nfa_hci_act.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/src/nfa/hci/nfa_hci_act.c b/src/nfa/hci/nfa_hci_act.c
+index 9a25cf6..c800a34 100644
+--- a/src/nfa/hci/nfa_hci_act.c
+++ b/src/nfa/hci/nfa_hci_act.c
+@@ -33,6 +33,7 @@
+ #include "nfa_nv_co.h"
+ #include "nfa_mem_co.h"
+ #include "nfa_hci_defs.h"
+#include <log/log.h>
+ 
+ 
+ /* Static local functions       */
+@@ -1405,8 +1406,8 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+             }
+             else if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX)
+             {
+-                /* The only parameter we get when initializing is the session ID. Check for match. */
+-                if (!memcmp ((UINT8 *) nfa_hci_cb.cfg.admin_gate.session_id, p_data, NFA_HCI_SESSION_ID_LEN) )
+                if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+                    !memcmp((uint8_t*)nfa_hci_cb.cfg.admin_gate.session_id, p_data, NFA_HCI_SESSION_ID_LEN))
+                 {
+                     /* Session has not changed. Set the WHITELIST */
+                     nfa_hciu_send_set_param_cmd (NFA_HCI_ADMIN_PIPE, NFA_HCI_WHITELIST_INDEX, 0x02, hosts);
+@@ -1416,6 +1417,10 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+                     /* Something wrong, NVRAM data could be corrupt or first start with default session id */
+                     nfa_hciu_send_clear_all_pipe_cmd ();
+                     nfa_hci_cb.b_hci_netwk_reset = TRUE;
+                    if (data_len < NFA_HCI_SESSION_ID_LEN)
+                    {
+                        android_errorWriteLog(0x534e4554, "124524315");
+                    }
+                 }
+             }
+             break;
+@@ -1466,7 +1471,8 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+         case NFA_HCI_ANY_GET_PARAMETER:
+             if (nfa_hci_cb.param_in_use == NFA_HCI_SESSION_IDENTITY_INDEX)
+             {
+-                if (!memcmp ((UINT8 *) default_session, p_data , NFA_HCI_SESSION_ID_LEN))
+                if (data_len >= NFA_HCI_SESSION_ID_LEN &&
+                    !memcmp((uint8_t*)default_session, p_data, NFA_HCI_SESSION_ID_LEN))
+                 {
+                     memcpy (&nfa_hci_cb.cfg.admin_gate.session_id[(NFA_HCI_SESSION_ID_LEN / 2)], nfa_hci_cb.cfg.admin_gate.session_id, (NFA_HCI_SESSION_ID_LEN / 2));
+                     os_tick = GKI_get_os_tick_count ();
+@@ -1476,6 +1482,10 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+                 }
+                 else
+                 {
+                    if (data_len < NFA_HCI_SESSION_ID_LEN)
+                    {
+                        android_errorWriteLog(0x534e4554, "124524315");
+                    }
+                     if (nfa_hci_cb.hci_state == NFA_HCI_STATE_APP_DEREGISTER)
+                         nfa_hci_api_deregister (NULL);
+                     else if (nfa_hci_cb.hci_state == NFA_HCI_STATE_REMOVE_GATE)
+@@ -1485,6 +1495,11 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+             else if (nfa_hci_cb.param_in_use == NFA_HCI_HOST_LIST_INDEX)
+             {
+                 evt_data.hosts.status    = status;
+                if (data_len > NFA_HCI_MAX_HOST_IN_NETWORK)
+                {
+                    data_len = NFA_HCI_MAX_HOST_IN_NETWORK;
+                    android_errorWriteLog(0x534e4554, "124524315");
+                }
+                 evt_data.hosts.num_hosts = data_len;
+                 memcpy (evt_data.hosts.host, p_data, data_len);
+ 
+@@ -1516,7 +1531,8 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+             break;
+ 
+         case NFA_HCI_ADM_CREATE_PIPE:
+-            if (status == NFA_STATUS_OK)
+            // p_data should have at least 5 bytes length for pipe info
+            if (data_len >= 5 && status == NFA_STATUS_OK)
+             {
+                 STREAM_TO_UINT8 (source_host, p_data);
+                 STREAM_TO_UINT8 (source_gate, p_data);
+@@ -1533,8 +1549,11 @@ void nfa_hci_handle_admin_gate_rsp (UINT8 *p_data, UINT8 data_len)
+                 }
+ 
+                 nfa_hciu_add_pipe_to_gate (pipe, source_gate, dest_host, dest_gate);
+-
+-            }
+            } else if (data_len < 5 && status == NFA_STATUS_OK)
+                   {
+                       android_errorWriteLog(0x534e4554, "124524315");
+                       status = NFA_STATUS_FAILED;
+                   }
+ 
+             /* Tell the application his pipe was created or not */
+             evt_data.created.status       = status;
--- a/Patches/LineageOS-11.0/android_external_libvpx/253499.patch
+++ b/Patches/LineageOS-11.0/android_external_libvpx/253499.patch
@ -0,0 +1,33 @@
+From 2acc89d321bf0d1ea4bc08bc4620f165cb7e65f3 Mon Sep 17 00:00:00 2001
+From: Frank Galligan <fgalligan@google.com>
+Date: Fri, 10 May 2019 17:42:46 -0700
+Subject: [PATCH] Check there is only one settings per ContentCompression
+
+This fixes a memory leak with invalid files.
+
+BUG: 127702368
+
+Merged-In: Id7de1f8c35ef2f6458c6fb6c7751a84fe43ed1cc
+Change-Id: I73bd34e212d74ffcf8d428e01b5269037147bf8c
+(cherry picked from commit 0fbbf3c3e05647aa10174a1876e02ba6a2ec631d)
+---
+ libwebm/mkvparser.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libwebm/mkvparser.cpp b/libwebm/mkvparser.cpp
+index f0cd97f..e65e9c7 100644
+--- a/libwebm/mkvparser.cpp
+++ b/libwebm/mkvparser.cpp
+@@ -4284,6 +4284,12 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
+         return status;
+       }
+ 
+      // There should be only one settings element per content compression.
+      if (compression->settings != NULL) {
+        delete[] buf;
+        return E_FILE_FORMAT_INVALID;
+      }
+
+       compression->settings = buf;
+       compression->settings_len = buflen;
+     }
--- a/Patches/LineageOS-11.0/android_external_libvpx/253500.patch
+++ b/Patches/LineageOS-11.0/android_external_libvpx/253500.patch
@ -0,0 +1,26 @@
+From 3e54ae6106d08aac9707919631ba6d8adb91b87d Mon Sep 17 00:00:00 2001
+From: Frank Galligan <fgalligan@google.com>
+Date: Fri, 10 May 2019 18:21:43 -0700
+Subject: [PATCH] Fixes a double free in ContentEncoding
+
+BUG: 127702368
+
+Merged-In: Id7de1f8c35ef2f6458c6fb6c7751a84fe43ed1cc
+Change-Id: Id17f570fe60ea2ecb3cf5cdbc179246486401005
+(cherry picked from commit d2ff9ba6d9376f295b13d822d345e83841bc6189)
+---
+ libwebm/mkvparser.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libwebm/mkvparser.cpp b/libwebm/mkvparser.cpp
+index e65e9c7..78cdcee 100644
+--- a/libwebm/mkvparser.cpp
+++ b/libwebm/mkvparser.cpp
+@@ -4182,6 +4182,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+         new (std::nothrow) ContentEncryption*[encryption_count];
+     if (!encryption_entries_) {
+       delete[] compression_entries_;
+      compression_entries_ = NULL;
+       return -1;
+     }
+     encryption_entries_end_ = encryption_entries_;
--- a/Patches/LineageOS-11.0/android_external_sfntly/251198.patch
+++ b/Patches/LineageOS-11.0/android_external_sfntly/251198.patch
@ -0,0 +1,40 @@
+From 30cc508a007fa28db6d5d5582bae001ced5db1fe Mon Sep 17 00:00:00 2001
+From: Haibo Huang <hhb@google.com>
+Date: Mon, 6 May 2019 12:43:47 -0700
+Subject: [PATCH] Fix uninitialized value in sfntly
+
+Bug: 116114182
+Test: build
+Change-Id: Ief84dd8a19bdb461945e07504270be76a3545701
+Merged-In: Ief84dd8a19bdb461945e07504270be76a3545701
+(cherry picked from commit 51ecc82faa63aacdde6648f80a3898b53653da78)
+---
+ README.android                           | 4 ++++
+ cpp/src/sfntly/port/file_input_stream.cc | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/README.android b/README.android
+index 4447b27..39b0cf9 100644
+--- a/README.android
+++ b/README.android
+@@ -9,3 +9,7 @@ git rm -rf cpp/data
+ git rm -rf cpp/ext
+ git rm -rf cpp/tools
+ git commit
+
+
+# Local changes
+Fixed uninitialized variable. See bug 116114182 for details.
+diff --git a/cpp/src/sfntly/port/file_input_stream.cc b/cpp/src/sfntly/port/file_input_stream.cc
+index dfe9a7b..883c1fd 100644
+--- a/cpp/src/sfntly/port/file_input_stream.cc
+++ b/cpp/src/sfntly/port/file_input_stream.cc
+@@ -70,7 +70,7 @@ int32_t FileInputStream::Read() {
+ #endif
+     return 0;
+   }
+-  byte_t value;
+  byte_t value = 0;
+   size_t length = fread(&value, 1, 1, file_);
+   position_ += length;
+   return value;
--- a/Patches/LineageOS-11.0/android_external_skia/249705.patch
+++ b/Patches/LineageOS-11.0/android_external_skia/249705.patch
@ -0,0 +1,63 @@
+From 2d696238c1acdd26b824b80c26942d06c071f451 Mon Sep 17 00:00:00 2001
+From: Mike Klein <mtklein@google.com>
+Date: Mon, 17 Sep 2018 17:29:39 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Make listener lists threadsafe with a
+ mutex.
+
+Bug: 124232283
+Test: Infeasible
+
+Cherry-pick of https://skia-review.googlesource.com/155060 in Skia
+
+There were conflicts due the fact that pi-dev does not have commit
+afa11586d782c7cb3e83b8af48023ff227349516 ("Make the SkPathRef
+GenIDChangeListener ref counted") or
+6c8d242b14355bf66c9137e9e4d6c7861d22168f ("Make atomic lists list for
+bitmaps and paths" - an alternate fix for this issue) and some smaller
+header file changes.
+
+Change-Id: I7c2c5cd6603007d099169071a1b7d1a230c621bc
+Merged-In: I91a8fbdd1b8fb4cf8b124ebdf17212c643058ef3
+---
+ include/core/SkPixelRef.h | 3 ++-
+ src/core/SkPixelRef.cpp   | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/core/SkPixelRef.h b/include/core/SkPixelRef.h
+index 4369e5d537..3b2de4eaa8 100644
+--- a/include/core/SkPixelRef.h
+++ b/include/core/SkPixelRef.h
+@@ -236,7 +236,7 @@ class SK_API SkPixelRef : public SkFlattenable {
+         virtual void onChange() = 0;
+     };
+ 
+-    // Takes ownership of listener.
+    // Takes ownership of listener. Threadsafe.
+     void addGenIDChangeListener(GenIDChangeListener* listener);
+ 
+ protected:
+@@ -311,6 +311,7 @@ class SK_API SkPixelRef : public SkFlattenable {
+     mutable uint32_t fGenerationID;
+     mutable bool     fUniqueGenerationID;
+ 
+    SkMutex                         fGenIDChangeListenersMutex;
+     SkTDArray<GenIDChangeListener*> fGenIDChangeListeners;  // pointers are owned
+ 
+     SkString    fURI;
+diff --git a/src/core/SkPixelRef.cpp b/src/core/SkPixelRef.cpp
+index 6cc67d89af..290d29d71c 100644
+--- a/src/core/SkPixelRef.cpp
+++ b/src/core/SkPixelRef.cpp
+@@ -242,10 +242,12 @@ void SkPixelRef::addGenIDChangeListener(GenIDChangeListener* listener) {
+         SkDELETE(listener);
+         return;
+     }
+    SkAutoMutexAcquire lock(fGenIDChangeListenersMutex);
+     *fGenIDChangeListeners.append() = listener;
+ }
+ 
+ void SkPixelRef::callGenIDChangeListeners() {
+    SkAutoMutexAcquire lock(fGenIDChangeListenersMutex);
+     // We don't invalidate ourselves if we think another SkPixelRef is sharing our genID.
+     if (fUniqueGenerationID) {
+         for (int i = 0; i < fGenIDChangeListeners.count(); i++) {
--- a/Patches/LineageOS-11.0/android_external_sqlite/263910.patch
+++ b/Patches/LineageOS-11.0/android_external_sqlite/263910.patch
@ -0,0 +1,53 @@
+From 098f0a757422c049440af7c5e64f73288d091c15 Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Tue, 27 Aug 2019 09:48:01 -0700
+Subject: [PATCH] sqlite3_android.cpp: disable _TOKENIZE
+
+Comment out the tokenize function. This code doesn't appear to be used.
+A future change will further clean up this code and delete it properly.
+
+Bug: 139186193
+Test: compiles and boots
+Change-Id: I0b2c37b6716162228205fc1ca8bea0f397f36baf
+(cherry picked from commit c52a17358593062a7eb75a023c115df9ad89563b)
+(cherry picked from commit 2f967a222a948027bb7f02970370ccaa8ae608a2)
+---
+ android/sqlite3_android.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/android/sqlite3_android.cpp b/android/sqlite3_android.cpp
+index b836952..2aee08d 100644
+--- a/android/sqlite3_android.cpp
+++ b/android/sqlite3_android.cpp
+@@ -226,6 +226,7 @@ struct SqliteUserData {
+     UCollator* collator;
+ };
+ 
+#if 0
+ /**
+  * This function is invoked as:
+  *
+@@ -402,6 +403,7 @@ static void tokenize(sqlite3_context * context, int argc, sqlite3_value ** argv)
+     } while ((token = u_strtok_r(NULL, delim, &state)) != NULL);
+     sqlite3_result_int(context, numTokens);
+ }
+#endif
+ 
+ static void localized_collator_dtor(UCollator* collator)
+ {
+@@ -445,6 +447,7 @@ extern "C" int register_localized_collators(sqlite3* handle, const char* systemL
+         return err;
+     }
+ 
+#if 0
+     // Register the _TOKENIZE function
+     err = sqlite3_create_function(handle, "_TOKENIZE", 4, SQLITE_UTF16, collator, tokenize, NULL, NULL);
+     if (err != SQLITE_OK) {
+@@ -458,6 +461,7 @@ extern "C" int register_localized_collators(sqlite3* handle, const char* systemL
+     if (err != SQLITE_OK) {
+         return err;
+     }
+#endif
+ 
+ 
+     //// PHONEBOOK_COLLATOR
--- a/Patches/LineageOS-11.0/android_frameworks_av/247874.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/247874.patch
@ -0,0 +1,31 @@
+From 811aa12c4308817abc681f0d85cba82fd12b40c4 Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Tue, 26 Feb 2019 15:47:01 -0800
+Subject: [PATCH] Reserve enough space for RTSP CSD
+
+make parameters to GetSizeWidth() reflect values being used in
+corresponding EncodeSize() invocations so we won't overflow the buffer.
+
+Bug: 123701862
+Test: y
+Change-Id: I78596176e6042c95582494a8ae1b9c3160bf5955
+(cherry picked from commit c025be8ce5f1b34bdf293ac367685c969bd430ba)
+---
+ media/libstagefright/rtsp/APacketSource.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/media/libstagefright/rtsp/APacketSource.cpp b/media/libstagefright/rtsp/APacketSource.cpp
+index 462c384130..39424fa689 100644
+--- a/media/libstagefright/rtsp/APacketSource.cpp
+++ b/media/libstagefright/rtsp/APacketSource.cpp
+@@ -379,8 +379,8 @@ static sp<ABuffer> MakeMPEG4VideoCodecSpecificData(
+     ALOGI("VOL dimensions = %dx%d", *width, *height);
+ 
+     size_t len1 = config->size() + GetSizeWidth(config->size()) + 1;
+-    size_t len2 = len1 + GetSizeWidth(len1) + 1 + 13;
+-    size_t len3 = len2 + GetSizeWidth(len2) + 1 + 3;
+    size_t len2 = len1 + GetSizeWidth(len1 + 13) + 1 + 13;
+    size_t len3 = len2 + GetSizeWidth(len2 + 3) + 1 + 3;
+ 
+     sp<ABuffer> csd = new ABuffer(len3);
+     uint8_t *dst = csd->data();
--- a/Patches/LineageOS-11.0/android_frameworks_av/249706.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/249706.patch
@ -0,0 +1,44 @@
+From b742278f2c4365be0021ce3498887e89e2cc8a4a Mon Sep 17 00:00:00 2001
+From: Andy Hung <hunga@google.com>
+Date: Tue, 12 Mar 2019 19:39:03 -0700
+Subject: [PATCH] AudioFlinger: Prevent multiple effect chains with same
+ sessionId
+
+Allow at most one effect chain with same sessionId on mPlaybackThreads.
+
+Test: poc, CTS effect tests
+Bug: 123237974
+Merged-In: Ide46cd23b0a9f4295f0dca2fea23379a76b836ee
+Change-Id: Ide46cd23b0a9f4295f0dca2fea23379a76b836ee
+(cherry picked from commit 1631f06feb36df5406ad00e850dcca9394f67772)
+(cherry picked from commit f963b2bfdaf406b42d371322402172b4380bbba5)
+---
+ services/audioflinger/AudioFlinger.cpp | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp
+index c06bf1e05c..b5ec45884d 100644
+--- a/services/audioflinger/AudioFlinger.cpp
+++ b/services/audioflinger/AudioFlinger.cpp
+@@ -2759,6 +2759,21 @@ sp<IEffect> AudioFlinger::createEffect(
+                 io = mPlaybackThreads.keyAt(0);
+             }
+             ALOGV("createEffect() got io %d for effect %s", io, desc.name);
+        } else if (checkPlaybackThread_l(io) != NULL) {
+            // allow only one effect chain per sessionId on mPlaybackThreads.
+            for (size_t i = 0; i < mPlaybackThreads.size(); i++) {
+                const audio_io_handle_t checkIo = mPlaybackThreads.keyAt(i);
+                if (io == checkIo) continue;
+                const uint32_t sessionType =
+                        mPlaybackThreads.valueAt(i)->hasAudioSession(sessionId);
+                if ((sessionType & ThreadBase::EFFECT_SESSION) != 0) {
+                    ALOGE("%s: effect %s io %d denied because session %d effect exists on io %d",
+                            __func__, desc.name, (int)io, (int)sessionId, (int)checkIo);
+                    android_errorWriteLog(0x534e4554, "123237974");
+                    lStatus = BAD_VALUE;
+                    goto Exit;
+                }
+            }
+         }
+         ThreadBase *thread = checkRecordThread_l(io);
+         if (thread == NULL) {
--- a/Patches/LineageOS-11.0/android_frameworks_av/249707.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/249707.patch
@ -0,0 +1,43 @@
+From 620f9a1effe8cfb6b30d8a7f5247397259a618dc Mon Sep 17 00:00:00 2001
+From: Weiyin Jiang <wjiang@codeaurora.org>
+Date: Fri, 27 Apr 2018 00:39:29 +0800
+Subject: [PATCH] audio: ensure effect chain with specific session id is unique
+
+It's possible that tracks with the same session id running on various
+playback outputs, which causes effect chain being created on the same
+session twice. As a result, the same effect engine will be released
+twice as the same context is reused.
+
+Output that has effect chain with same session id is more preferable.
+
+Test: No regression with Play Music and Effects
+Bug: 123082420
+Bug: 123237974
+Merged-In: I690ea3cb942d1fdc96b46048e271557d48000f43
+Change-Id: I690ea3cb942d1fdc96b46048e271557d48000f43
+(cherry picked from commit 9aeb1770d49bab13ea5c6454c969a713641fe686)
+(cherry picked from commit 5945746bcabff8d833229a6c230cbe873474087f)
+---
+ services/audioflinger/AudioFlinger.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/services/audioflinger/AudioFlinger.cpp b/services/audioflinger/AudioFlinger.cpp
+index b5ec45884d..ecad12b867 100644
+--- a/services/audioflinger/AudioFlinger.cpp
+++ b/services/audioflinger/AudioFlinger.cpp
+@@ -2739,9 +2739,13 @@ sp<IEffect> AudioFlinger::createEffect(
+             }
+             // look for the thread where the specified audio session is present
+             for (size_t i = 0; i < mPlaybackThreads.size(); i++) {
+-                if (mPlaybackThreads.valueAt(i)->hasAudioSession(sessionId) != 0) {
+                uint32_t sessionType = mPlaybackThreads.valueAt(i)->hasAudioSession(sessionId);
+                if (sessionType != 0) {
+                     io = mPlaybackThreads.keyAt(i);
+-                    break;
+                    // thread with same effect session is preferable
+                    if ((sessionType & ThreadBase::EFFECT_SESSION) != 0) {
+                        break;
+                    }
+                 }
+             }
+             if (io == 0) {
--- a/Patches/LineageOS-11.0/android_frameworks_av/253521.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/253521.patch
@ -0,0 +1,68 @@
+From c007165a4c8ff93ed1b4d5659cbd71e961e14ef4 Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Fri, 17 May 2019 07:29:07 -0700
+Subject: [PATCH] AMR WB encoder: prevent OOB write in ACELP_4t64_fx
+
+In ACELP_4t64_fx, when iterating over ind array, check index against
+  array size to prevent OOB write, log an error if such an access
+  was about to happen.
+
+Bug: 132647222
+Test: atest EncoderTest#testAMRWBEncoders
+Change-Id: I33f476d94baec2feffc7bcccd0ad0481b8452518
+(cherry picked from commit 82cb46d0d55a407f468023977204eb7133b7fd77)
+Merged-in: I33f476d94baec2feffc7bcccd0ad0481b8452518
+(cherry picked from commit 9a44849c88b306e1b4fb37bd9aa34d6ba0607b7a)
+---
+ .../codecs/amrwbenc/SampleCode/Android.mk           |  3 ++-
+ media/libstagefright/codecs/amrwbenc/src/c4t64fx.c  | 13 +++++++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
+index c203f77e84..7ddbbe5f7b 100644
+--- a/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
+++ b/media/libstagefright/codecs/amrwbenc/SampleCode/Android.mk
+@@ -14,7 +14,8 @@ LOCAL_CFLAGS := -DLINUX
+ 
+ LOCAL_SHARED_LIBRARIES := \
+     libstagefright \
+-    libdl
+    libdl \
+    liblog
+ 
+ LOCAL_C_INCLUDES := \
+     $(LOCAL_PATH)/ \
+diff --git a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
+index 1ecc11f536..9262a0d49b 100644
+--- a/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
+++ b/media/libstagefright/codecs/amrwbenc/src/c4t64fx.c
+@@ -47,6 +47,10 @@
+ 
+ #include "q_pulse.h"
+ 
+#undef LOG_TAG
+#define LOG_TAG "amrwbenc"
+#include "log/log.h"
+
+ static Word16 tipos[36] = {
+ 	0, 1, 2, 3,                            /* starting point &ipos[0], 1st iter */
+ 	1, 2, 3, 0,                            /* starting point &ipos[4], 2nd iter */
+@@ -737,11 +741,16 @@ void ACELP_4t64_fx(
+ 
+ 		i = (Word16)((vo_L_mult(track, NPMAXPT) >> 1));
+ 
+-		while (ind[i] >= 0)
+		while (i < NPMAXPT * NB_TRACK && ind[i] >= 0)
+ 		{
+ 			i += 1;
+ 		}
+-		ind[i] = index;
+                if (i < NPMAXPT * NB_TRACK) {
+                    ind[i] = index;
+                } else {
+                    ALOGE("b/132647222, OOB access in ind array track=%d i=%d", track, i);
+                    android_errorWriteLog(0x534e4554, "132647222");
+                }
+ 	}
+ 
+ 	k = 0;
--- a/Patches/LineageOS-11.0/android_frameworks_av/253522.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/253522.patch
@ -0,0 +1,26 @@
+From f996521d68b88375bf5a1b357b684bac51e65d47 Mon Sep 17 00:00:00 2001
+From: Marco Nelissen <marcone@google.com>
+Date: Tue, 14 May 2019 10:53:06 -0700
+Subject: [PATCH] Fix overflow/dos in 3gg text description parsing
+
+Bug: 124781927
+Test: run pocs
+Change-Id: I8765ac9746c3de7d711ef866d4ec0e29972320c0
+(cherry picked from commit 851e22d1dc89a7f708b9d2b56947f69cd1a08b94)
+---
+ media/libstagefright/timedtext/TextDescriptions.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/timedtext/TextDescriptions.cpp b/media/libstagefright/timedtext/TextDescriptions.cpp
+index c762a74d08..83d15a28ca 100644
+--- a/media/libstagefright/timedtext/TextDescriptions.cpp
+++ b/media/libstagefright/timedtext/TextDescriptions.cpp
+@@ -383,7 +383,7 @@ status_t TextDescriptions::extract3GPPGlobalDescriptions(
+         tmpData += 8;
+         size_t remaining = size - 8;
+ 
+-        if (size < chunkSize) {
+        if (chunkSize <= 8 || size < chunkSize) {
+             return OK;
+         }
+         switch(chunkType) {
--- a/Patches/LineageOS-11.0/android_frameworks_av/261040.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/261040.patch
@ -0,0 +1,30 @@
+From 69e4cbac1cbe2d4c5d3fc92b1b5c731078e8ba13 Mon Sep 17 00:00:00 2001
+From: Dongwon Kang <dwkang@google.com>
+Date: Fri, 21 Jun 2019 14:17:58 -0700
+Subject: [PATCH] m4v_h263: add a test for invalid/negative value
+
+Test: run poc with and without the patch.
+Bug: 134578122
+Change-Id: I2d11826d1d9e2669aa5627065dc627729ddc823b
+(cherry picked from commit 7802c68aebf7908983508fd4a52a7d53746a80eb)
+---
+ .../libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp  | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
+index 48414d7b32..5880e3260d 100644
+--- a/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/packet_util.cpp
+@@ -52,7 +52,11 @@ PV_STATUS PV_ReadVideoPacketHeader(VideoDecData *video, int *next_MB)
+         PV_BitstreamByteAlign(stream);
+         BitstreamReadBits32(stream, resync_marker_length);
+ 
+-        *next_MB = (int) BitstreamReadBits16(stream, nbits);
+        int mbnum = (int) BitstreamReadBits16(stream, nbits);
+        if (mbnum < 0) {
+            return PV_FAIL;
+        }
+        *next_MB = mbnum;
+ //      if (*next_MB <= video->mbnum)   /*  needs more investigation */
+ //          *next_MB = video->mbnum+1;
+ 
--- a/Patches/LineageOS-11.0/android_frameworks_av/261041.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_av/261041.patch
@ -0,0 +1,40 @@
+From 1ce50d3b7dc2658354a878a8c7291bd115f63632 Mon Sep 17 00:00:00 2001
+From: Marco Nelissen <marcone@google.com>
+Date: Tue, 23 Jul 2019 08:27:46 -0700
+Subject: [PATCH] Fix OOB access in mpeg4/h263 decoder
+
+The decoder does not support an increase in frame width, and
+would exceed its buffer if the width increased mid-stream.
+There was an existing check to prevent the total frame size
+(width*height) from increasing, but in fact the decoder also
+does not even support a width increase, even if the height
+decreases correspondingly.
+
+Bug: 136175447
+Bug: 136173699
+Test: manual
+Change-Id: Ic2d28bb0503635dadeb69ba3be9412d58684e910
+(cherry picked from commit ef4ce157000b2b5bcbf2bcb36a228ec604803547)
+---
+ media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+index 56ade8f920..f4c51ae7a6 100644
+--- a/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+++ b/media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp
+@@ -1351,6 +1351,14 @@ PV_STATUS DecodeShortHeader(VideoDecData *video, Vop *currVop)
+             int tmpHeight = (tmpDisplayHeight + 15) & -16;
+             int tmpWidth = (tmpDisplayWidth + 15) & -16;
+ 
+            if (tmpWidth > video->width)
+            {
+                // while allowed by the spec, this decoder does not actually
+                // support an increase in size.
+                ALOGE("width increase not supported");
+                status = PV_FAIL;
+                goto return_point;
+            }
+             if (tmpHeight * tmpWidth > video->size)
+             {
+                 // This is just possibly "b/37079296".
--- a/Patches/LineageOS-11.0/android_frameworks_base/253523.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_base/253523.patch
@ -0,0 +1,49 @@
+From ba3aeed507b4af79be3dee4ea401a542b47247e1 Mon Sep 17 00:00:00 2001
+From: Chalard Jean <jchalard@google.com>
+Date: Mon, 20 May 2019 13:11:37 +0900
+Subject: [PATCH] [RESTRICT AUTOMERGE] Protect VPN dialogs against overlay.
+
+Bug: 130568701
+Test: manual. After this, can't display on top of it
+Change-Id: Ib032f800edb0416cc15f01a34954340d0d0ffa78
+(cherry picked from commit 4e80dc2861614d25a1f957f50040a8cf04812d11)
+(cherry picked from commit 27d47340496580d66f36a734a115e47eaf550972)
+---
+ packages/VpnDialogs/AndroidManifest.xml                        | 2 ++
+ .../VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java   | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/packages/VpnDialogs/AndroidManifest.xml b/packages/VpnDialogs/AndroidManifest.xml
+index ef640d5fcedb..1e15b2257c21 100644
+--- a/packages/VpnDialogs/AndroidManifest.xml
+++ b/packages/VpnDialogs/AndroidManifest.xml
+@@ -1,6 +1,8 @@
+ <manifest xmlns:android="http://schemas.android.com/apk/res/android"
+         package="com.android.vpndialogs">
+ 
+    <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
+
+     <application android:label="VpnDialogs"
+             android:allowBackup="false" >
+         <activity android:name=".ConfirmDialog"
+diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+index 6faf4e09fcbb..65f99268ec77 100644
+--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.vpndialogs;
+ 
+import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+
+ import android.content.Context;
+ import android.content.DialogInterface;
+ import android.content.Intent;
+@@ -76,6 +78,7 @@ protected void onResume() {
+             setupAlert();
+ 
+             getWindow().setCloseOnTouchOutside(false);
+            getWindow().addPrivateFlags(PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+             mButton = mAlert.getButton(DialogInterface.BUTTON_POSITIVE);
+             mButton.setEnabled(false);
+             mButton.setFilterTouchesWhenObscured(true);
--- a/Patches/LineageOS-11.0/android_frameworks_base/256318.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_base/256318.patch
@ -0,0 +1,30 @@
+From 119329bdfbebf3826859000472afbcdb50ad96d8 Mon Sep 17 00:00:00 2001
+From: Michael Wachenschwanz <mwachens@google.com>
+Date: Wed, 15 May 2019 22:58:15 -0700
+Subject: [PATCH] Clear the Parcel before writing an exception during a
+ transaction
+
+This prevents any object data from being accidentally overwritten by the
+exception, which could cause unexpected malformed objects to be sent
+across the transaction.
+
+Test: atest CtsOsTestCases:ParcelTest#testExceptionOverwritesObject
+Fixes: 34175893
+Change-Id: Iaf80a0ad711762992b8ae60f76d861c97a403013
+---
+ core/java/android/os/Binder.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/os/Binder.java b/core/java/android/os/Binder.java
+index f4a83910e652..cd0e5ea76551 100644
+--- a/core/java/android/os/Binder.java
+++ b/core/java/android/os/Binder.java
+@@ -413,6 +413,8 @@ private boolean execTransact(int code, int dataObj, int replyObj,
+             if ((flags & FLAG_ONEWAY) != 0) {
+                 Log.w(TAG, "Caught a RuntimeException from the binder stub implementation.", e);
+             }
+            // Clear the parcel before writing the exception
+            reply.setDataSize(0);
+             reply.setDataPosition(0);
+             reply.writeException(e);
+             res = true;
--- a/Patches/LineageOS-11.0/android_frameworks_base/264100.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_base/264100.patch
@ -0,0 +1,99 @@
+From 563e93ae4a060df93044313818b4164fd96362d9 Mon Sep 17 00:00:00 2001
+From: Jeff Sharkey <jsharkey@android.com>
+Date: Wed, 17 Jul 2019 18:51:28 -0600
+Subject: [PATCH] RESTRICT AUTOMERGE Enable stricter SQLiteQueryBuilder
+ options.
+
+Malicious callers can leak side-channel information by using
+subqueries in any untrusted inputs where SQLite allows "expr" values.
+
+This change starts using setStrictColumns() and setStrictGrammar()
+on SQLiteQueryBuilder to block this class of attacks.  This means we
+now need to define the projection mapping of valid columns, which
+consists of both the columns defined in the public API and columns
+read internally by DownloadInfo.Reader.
+
+We're okay growing sAppReadableColumnsSet like this, since we're
+relying on our trusted WHERE clause to filter away any rows that
+don't belong to the calling UID.
+
+Remove the legacy Lexer code, since we're now internally relying on
+the robust and well-tested SQLiteTokenizer logic.
+
+Bug: 135270103
+Bug: 135269143
+Test: atest DownloadProviderTests
+Test: atest CtsAppTestCases:android.app.cts.DownloadManagerTest
+Change-Id: Iec1e8ce18dc4a9564318e0473d9d3863c8c2988a
+(cherry picked from commit 13f49c42599dc2ea0be376be34275aefcb70d398)
+---
+ core/java/android/app/DownloadManager.java | 42 +++++++++++-----------
+ 1 file changed, 22 insertions(+), 20 deletions(-)
+
+diff --git a/core/java/android/app/DownloadManager.java b/core/java/android/app/DownloadManager.java
+index 91925db26e58..67b7446388d7 100755
+--- a/core/java/android/app/DownloadManager.java
+++ b/core/java/android/app/DownloadManager.java
+@@ -114,6 +114,9 @@
+      */
+     public final static String COLUMN_STATUS = Downloads.Impl.COLUMN_STATUS;
+ 
+    /** {@hide} */
+    public static final String COLUMN_FILE_NAME_HINT = Downloads.Impl.COLUMN_FILE_NAME_HINT;
+
+     /**
+      * Provides more detail on the status of the download.  Its meaning depends on the value of
+      * {@link #COLUMN_STATUS}.
+@@ -151,6 +154,9 @@
+      */
+     public static final String COLUMN_MEDIAPROVIDER_URI = Downloads.Impl.COLUMN_MEDIAPROVIDER_URI;
+ 
+    /** {@hide} */
+    public static final String COLUMN_DESTINATION = Downloads.Impl.COLUMN_DESTINATION;
+
+     /**
+      * @hide
+      */
+@@ -319,26 +325,22 @@
+      * @hide
+      */
+     public static final String[] UNDERLYING_COLUMNS = new String[] {
+-        Downloads.Impl._ID,
+-        Downloads.Impl._DATA + " AS " + COLUMN_LOCAL_FILENAME,
+-        Downloads.Impl.COLUMN_MEDIAPROVIDER_URI,
+-        Downloads.Impl.COLUMN_DESTINATION,
+-        Downloads.Impl.COLUMN_TITLE,
+-        Downloads.Impl.COLUMN_DESCRIPTION,
+-        Downloads.Impl.COLUMN_URI,
+-        Downloads.Impl.COLUMN_STATUS,
+-        Downloads.Impl.COLUMN_FILE_NAME_HINT,
+-        Downloads.Impl.COLUMN_MIME_TYPE + " AS " + COLUMN_MEDIA_TYPE,
+-        Downloads.Impl.COLUMN_TOTAL_BYTES + " AS " + COLUMN_TOTAL_SIZE_BYTES,
+-        Downloads.Impl.COLUMN_LAST_MODIFICATION + " AS " + COLUMN_LAST_MODIFIED_TIMESTAMP,
+-        Downloads.Impl.COLUMN_CURRENT_BYTES + " AS " + COLUMN_BYTES_DOWNLOADED_SO_FAR,
+-        Downloads.Impl.COLUMN_ALLOW_WRITE,
+-        /* add the following 'computed' columns to the cursor.
+-         * they are not 'returned' by the database, but their inclusion
+-         * eliminates need to have lot of methods in CursorTranslator
+-         */
+-        "'placeholder' AS " + COLUMN_LOCAL_URI,
+-        "'placeholder' AS " + COLUMN_REASON
+        DownloadManager.COLUMN_ID,
+        DownloadManager.COLUMN_LOCAL_FILENAME,
+        DownloadManager.COLUMN_MEDIAPROVIDER_URI,
+        DownloadManager.COLUMN_DESTINATION,
+        DownloadManager.COLUMN_TITLE,
+        DownloadManager.COLUMN_DESCRIPTION,
+        DownloadManager.COLUMN_URI,
+        DownloadManager.COLUMN_STATUS,
+        DownloadManager.COLUMN_FILE_NAME_HINT,
+        DownloadManager.COLUMN_MEDIA_TYPE,
+        DownloadManager.COLUMN_TOTAL_SIZE_BYTES,
+        DownloadManager.COLUMN_LAST_MODIFIED_TIMESTAMP,
+        DownloadManager.COLUMN_BYTES_DOWNLOADED_SO_FAR,
+        DownloadManager.COLUMN_ALLOW_WRITE,
+        DownloadManager.COLUMN_LOCAL_URI,
+        DownloadManager.COLUMN_REASON
+     };
+ 
+     /**
--- a/Patches/LineageOS-11.0/android_frameworks_base/265311.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_base/265311.patch
@ -0,0 +1,38 @@
+From 34d287505f8c992b1ba3416b89fca16482123e48 Mon Sep 17 00:00:00 2001
+From: Seigo Nonaka <nona@google.com>
+Date: Mon, 16 Sep 2019 14:49:49 -0700
+Subject: [PATCH] Do not compute outside given range in TextLine
+
+This is second attempt of I646851973b3816bf9ba32dfe26748c0345a5a081
+which breaks various layout test on application.
+The empty string must be also handled by the TextLine since it
+retrieves the default line height from the empty string.
+
+Bug: 140632678
+Test: StaticLayoutTest
+Test: Manually done
+Change-Id: I7089ed9b711dddd7de2b27c9c2fa0fb4cb53a735
+---
+ core/java/android/text/TextLine.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/java/android/text/TextLine.java b/core/java/android/text/TextLine.java
+index 1fecf81d5a4f..712007ed0577 100644
+--- a/core/java/android/text/TextLine.java
+++ b/core/java/android/text/TextLine.java
+@@ -206,6 +206,7 @@ void draw(Canvas c, float x, int top, int y, int bottom) {
+         int lastRunIndex = runs.length - 2;
+         for (int i = 0; i < runs.length; i += 2) {
+             int runStart = runs[i];
+            if (runStart > mLen) break;
+             int runLimit = runStart + (runs[i+1] & Layout.RUN_LENGTH_MASK);
+             if (runLimit > mLen) {
+                 runLimit = mLen;
+@@ -301,6 +302,7 @@ float measure(int offset, boolean trailing, FontMetricsInt fmi) {
+         int[] runs = mDirections.mDirections;
+         for (int i = 0; i < runs.length; i += 2) {
+             int runStart = runs[i];
+            if (runStart > mLen) break;
+             int runLimit = runStart + (runs[i+1] & Layout.RUN_LENGTH_MASK);
+             if (runLimit > mLen) {
+                 runLimit = mLen;
--- a/Patches/LineageOS-11.0/android_frameworks_base/267438.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_base/267438.patch
@ -0,0 +1,29 @@
+From a501f19d464306ed340c1c9d1b217c82cf8fda57 Mon Sep 17 00:00:00 2001
+From: Jing Ji <jji@google.com>
+Date: Mon, 4 Nov 2019 14:22:27 -0800
+Subject: [PATCH] Prevent system uid component from running in an isolated app
+ process
+
+Bug: 140055304
+Test: Manua
+Change-Id: Ie7f6ed23f0c6009aad0f67a00af119b02cdceac3
+Merged-In: I5a1618fab529cb0300d4a8e9c7762ee218ca09eb
+(cherry picked from commit 0bfebadf304bdd5f921e80f93de3e0d13b88b79c)
+---
+ .../java/com/android/server/am/ActivityManagerService.java     | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/services/java/com/android/server/am/ActivityManagerService.java b/services/java/com/android/server/am/ActivityManagerService.java
+index bae278c5450e..12d22c03bc75 100644
+--- a/services/java/com/android/server/am/ActivityManagerService.java
+++ b/services/java/com/android/server/am/ActivityManagerService.java
+@@ -2651,7 +2651,8 @@ final ProcessRecord getProcessRecordLocked(String processName, int uid, boolean
+             final int procCount = procs.size();
+             for (int i = 0; i < procCount; i++) {
+                 final int procUid = procs.keyAt(i);
+-                if (UserHandle.isApp(procUid) || !UserHandle.isSameUser(procUid, uid)) {
+                if (UserHandle.isApp(procUid) || !UserHandle.isSameUser(procUid, uid)
+                        || UserHandle.isIsolated(procUid)) {
+                     // Don't use an app process or different user process for system component.
+                     continue;
+                 }
--- a/Patches/LineageOS-11.0/android_frameworks_native/253524.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_native/253524.patch
@ -0,0 +1,29 @@
+From 2f6bf894b7c3462f0af6cebfb7b7400f820e4220 Mon Sep 17 00:00:00 2001
+From: Steven Moreland <smoreland@google.com>
+Date: Fri, 17 May 2019 13:11:30 -0700
+Subject: [PATCH] readCString: no ubsan sub-overflow
+
+Bug: 132650049
+Test: fuzzer
+Change-Id: I1f6dcad6906951ab505a7500573b74b210a68705
+Merged-In: I1f6dcad6906951ab505a7500573b74b210a68705
+(cherry picked from commit 1086548c6ceb141e2852d2690db8386911a014dd)
+---
+ libs/binder/Parcel.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
+index e369c444ba..2ca4170c7d 100644
+--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
+@@ -1136,8 +1136,8 @@ intptr_t Parcel::readIntPtr() const
+ 
+ const char* Parcel::readCString() const
+ {
+-    const size_t avail = mDataSize-mDataPos;
+-    if (avail > 0) {
+    if (mDataPos < mDataSize) {
+        const size_t avail = mDataSize-mDataPos;
+         const char* str = reinterpret_cast<const char*>(mData+mDataPos);
+         // is the string's trailing NUL within the parcel's valid bounds?
+         const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
--- a/Patches/LineageOS-11.0/android_frameworks_native/256319.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_native/256319.patch
@ -0,0 +1,37 @@
+From 8abbfba105c0d394b10a6f9d2fcc1a6441a8b0ca Mon Sep 17 00:00:00 2001
+From: Michael Wachenschwanz <mwachens@google.com>
+Date: Mon, 3 Jun 2019 17:24:51 -0700
+Subject: [PATCH] Free mObjects if no objects left to realloc on resize
+
+Fixes: 134168436
+Test: atest CtsOsTestCases:ParcelTest#testObjectDoubleFree
+Change-Id: I82e7e8c7b4206fb45b832a71d174df45edb62710
+---
+ libs/binder/Parcel.cpp | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
+index 2ca4170c7d..4d13767a2b 100644
+--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
+@@ -1647,10 +1647,16 @@ status_t Parcel::continueWrite(size_t desired)
+                 }
+                 release_object(proc, *flat, this);
+             }
+-            size_t* objects =
+-                (size_t*)realloc(mObjects, objectsSize*sizeof(size_t));
+-            if (objects) {
+-                mObjects = objects;
+
+            if (objectsSize == 0) {
+                free(mObjects);
+                mObjects = NULL;
+            } else { 
+                size_t* objects =
+                    (size_t*)realloc(mObjects, objectsSize*sizeof(size_t));
+                if (objects) {
+                    mObjects = objects;
+                }
+             }
+             mObjectsSize = objectsSize;
+             mNextObjectHint = 0;
--- a/Patches/LineageOS-11.0/android_frameworks_native/256322.patch
+++ b/Patches/LineageOS-11.0/android_frameworks_native/256322.patch
@ -0,0 +1,28 @@
+From 84a415c8fc3b7e22d253243eb7a23c058483cc92 Mon Sep 17 00:00:00 2001
+From: Brian Duddie <bduddie@google.com>
+Date: Thu, 6 Jun 2019 16:43:41 -0700
+Subject: [PATCH] Fix race between SensorManager ctor and callback
+
+Avoids potential invalid memory access if system server crashes during
+initialization.
+
+Bug: 132927376
+Test: confirm sensors initialize
+Change-Id: If7421c452b5893ab2567323d265503a1ce304482
+---
+ libs/gui/SensorManager.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libs/gui/SensorManager.cpp b/libs/gui/SensorManager.cpp
+index b80da56813..3450395756 100644
+--- a/libs/gui/SensorManager.cpp
+++ b/libs/gui/SensorManager.cpp
+@@ -41,7 +41,7 @@ ANDROID_SINGLETON_STATIC_INSTANCE(SensorManager)
+ SensorManager::SensorManager()
+     : mSensorList(0)
+ {
+-    // okay we're not locked here, but it's not needed during construction
+    Mutex::Autolock _l(mLock);
+     assertStateLocked();
+ }
+ 
--- a/Patches/LineageOS-11.0/android_packages_apps_Bluetooth/264098.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Bluetooth/264098.patch
@ -0,0 +1,46 @@
+From 0cf201d4e94528a997efc74e8937d3950d8c9ed9 Mon Sep 17 00:00:00 2001
+From: Cheney Ni <cheneyni@google.com>
+Date: Fri, 23 Aug 2019 23:05:19 +0800
+Subject: [PATCH] AdapterService: Check the PIN code length before using
+
+The length is assigned by the framework. We should be better to check
+again before using, and dropped any unexcepted input.
+
+Bug: 139287605
+Test: PoC, atest -t BluetoothInstrumentationTests:com.android.bluetooth.btservice
+Change-Id: Ie2dd01e0b192e7ed1fe4b464618ddfa415dbf15c
+(cherry picked from commit d6c84aa34962333448e0ed8e4ddbc9de8b73c5ac)
+---
+ .../android/bluetooth/btservice/AdapterService.java  | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
+index a6d0b1cb2..0e4845f71 100644
+--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
+@@ -1457,6 +1457,12 @@ boolean setPin(BluetoothDevice device, boolean accept, int len, byte[] pinCode)
+             return false;
+         }
+ 
+        if (pinCode.length != len) {
+            android.util.EventLog.writeEvent(0x534e4554, "139287605", -1,
+                    "PIN code length mismatch");
+            return false;
+        }
+
+         byte[] addr = Utils.getBytesFromAddress(device.getAddress());
+         return pinReplyNative(addr, accept, len, pinCode);
+     }
+@@ -1468,6 +1474,12 @@ boolean setPasskey(BluetoothDevice device, boolean accept, int len, byte[] passk
+             return false;
+         }
+ 
+        if (passkey.length != len) {
+            android.util.EventLog.writeEvent(0x534e4554, "139287605", -1,
+                    "Passkey length mismatch");
+            return false;
+        }
+
+         byte[] addr = Utils.getBytesFromAddress(device.getAddress());
+         return sspReplyNative(addr, AbstractionLayer.BT_SSP_VARIANT_PASSKEY_ENTRY, accept,
+                 Utils.byteArrayToInt(passkey));
--- a/Patches/LineageOS-11.0/android_packages_apps_Email/253862.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Email/253862.patch
@ -0,0 +1,107 @@
+From f291cb8c6b1e0c8554f4407e9b1e9be27e74058e Mon Sep 17 00:00:00 2001
+From: Raman Tenneti <rtenneti@google.com>
+Date: Mon, 13 May 2019 13:29:40 -0700
+Subject: [PATCH] AOSP/Email - bug fix: do not allow composing message with
+ hidden private data attachments.
+
+Ported/merged thefollowing from CL
+  https://critique.corp.google.com/#review/247540041
+
+original file:
+  java/com/google/android/apps/gmail/unifiedgmail/src/com/google/android/gm/ComposeActivityGmailExternal.java
+
+aosp's version:
+  src/com/android/email/activity/ComposeActivityEmailExternal.java
+
+Change description from the above CL:
+  "Switch intent filtering to be whitelist based rather than blacklist based.
+
+   ComposeActivityGmailExternal should whitelist what extras we allow in.
+   This is a very belated follow up to cl/235253805 where I wrote a quick fix
+   as a blacklist based solution."
+
+Bug: 127320867
+
+Test: manual - Ran the following tests on Pixel phone. Tested the email UI.
+
+$ make -j 40
+  -rw-r--r-- 1 rtenneti primarygroup 6375626 May  5 19:49 out/target/product/marlin/system/product/app/Email/Email.apk
+
+$ make UnifiedEmailTests -j
+  -rw-r--r-- 1 rtenneti primarygroup 311703 May  5 20:04 out/target/product/marlin/testcases/UnifiedEmailTests/arm64/UnifiedEmailTests.apk
+
+$ make EmailTests -j
+  -rw-r--r-- 1 rtenneti primarygroup 365023 May 13 14:39 out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+
+$ adb install -r out/target/product/marlin/system/product/app/Email/Email.apk
+$ adb install -r out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+$ adb install -r out/target/product/marlin/testcases/UnifiedEmailTests/arm64/UnifiedEmailTests.apk
+
+$ adb shell am instrument -w com.android.mail.emailtests
+  Time: 3.519
+  OK (157 tests)
+
+Change-Id: I5f6541ceb79a1a1c598d0c8207e3cab98d1a8ac5
+Merged-In: I5f6541ceb79a1a1c598d0c8207e3cab98d1a8ac5
+(cherry picked from commit e81f6f92bbdd43f34aa25fc2b7605aeb887af2cc)
+---
+ .../ComposeActivityEmailExternal.java         | 36 +++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/src/com/android/email/activity/ComposeActivityEmailExternal.java b/src/com/android/email/activity/ComposeActivityEmailExternal.java
+index 455193bea..a5cbe9d3a 100644
+--- a/src/com/android/email/activity/ComposeActivityEmailExternal.java
+++ b/src/com/android/email/activity/ComposeActivityEmailExternal.java
+@@ -16,11 +16,21 @@
+ 
+ package com.android.email.activity;
+ 
+import android.content.Intent;
+import android.os.Bundle;
+import com.android.mail.compose.ComposeActivity;
+
+ /**
+  * A subclass of {@link ComposeActivityEmail} which is exported for other Android packages to open.
+  */
+ public class ComposeActivityEmailExternal extends ComposeActivityEmail {
+ 
+  @Override
+  protected void onCreate(Bundle savedInstanceState) {
+    sanitizeIntent();
+    super.onCreate(savedInstanceState);
+  }
+
+   /**
+    * Only relevant when WebView Compose is enabled. Change this when WebView
+    * Compose is enabled for Email.
+@@ -29,4 +39,30 @@
+   public boolean isExternal() {
+       return false;
+   }
+
+  /**
+   * Overrides the value of {@code #getIntent()} so any future callers will get a sanitized version
+   * of the intent.
+   */
+  // See b/114493057 for context.
+  private void sanitizeIntent() {
+    Intent sanitizedIntent = getIntent();
+    if (sanitizedIntent != null) {
+      Bundle originalExtras = sanitizedIntent.getExtras();
+      sanitizedIntent.replaceExtras(new Bundle());
+      copyStringExtraIfExists(ComposeActivity.EXTRA_SUBJECT, originalExtras, sanitizedIntent);
+      copyStringExtraIfExists(ComposeActivity.EXTRA_TO, originalExtras, sanitizedIntent);
+      copyStringExtraIfExists(ComposeActivity.EXTRA_CC, originalExtras, sanitizedIntent);
+      copyStringExtraIfExists(ComposeActivity.EXTRA_BCC, originalExtras, sanitizedIntent);
+      copyStringExtraIfExists(ComposeActivity.EXTRA_BODY, originalExtras, sanitizedIntent);
+      setIntent(sanitizedIntent);
+    }
+  }
+
+  private void copyStringExtraIfExists(
+      String extraKey, Bundle originalExtras, Intent sanitizedIntent) {
+    if (originalExtras.containsKey(extraKey)) {
+      sanitizedIntent.putExtra(extraKey, originalExtras.getString(extraKey));
+    }
+  }
+ }
--- a/Patches/LineageOS-11.0/android_packages_apps_Email/256927.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Email/256927.patch
@ -0,0 +1,48 @@
+From 0e2e8cafa51610f103da120bd75f216bfae12769 Mon Sep 17 00:00:00 2001
+From: Raman Tenneti <rtenneti@google.com>
+Date: Tue, 25 Jun 2019 18:04:39 -0700
+Subject: [PATCH] AOSP/Email - Create an empty Bundle if originalExtras doesn't
+ exit. Backporting the fix to fix NullPointerException.
+
+ Added "originalExtras = new Bundle();" change from cl/247540041
+
+Bug: 135889250
+Bug: 127320867
+
+Test: manual - Ran the following tests on Pixel phone. Tested the email UI.
+
+$ make -j 40
+  -rw-r--r-- 1 rtenneti primarygroup 6371530 Jun 25 17:23 out/target/product/marlin/system/product/app/Email/Email.apk
+
+$ make EmailTests -j
+  -rw-r--r-- 1 rtenneti primarygroup 365023 Jun 25 17:49 out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+
+$ adb install -r out/target/product/marlin/system/product/app/Email/Email.apk
+
+$ adb install -r out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+
+$ adb shell am instrument -w com.android.email.tests
+  Time: 2.986
+  OK (157 tests)
+
+Change-Id: Ica9eb7ad3ddd11c752a526c2b1d5f086c74da283
+Merged-In: Ica9eb7ad3ddd11c752a526c2b1d5f086c74da283
+(cherry picked from commit 3150b66305bea67a83ce289c42c85efc669088d3)
+---
+ .../android/email/activity/ComposeActivityEmailExternal.java   | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/com/android/email/activity/ComposeActivityEmailExternal.java b/src/com/android/email/activity/ComposeActivityEmailExternal.java
+index a5cbe9d3a..a94313a86 100644
+--- a/src/com/android/email/activity/ComposeActivityEmailExternal.java
+++ b/src/com/android/email/activity/ComposeActivityEmailExternal.java
+@@ -49,6 +49,9 @@ private void sanitizeIntent() {
+     Intent sanitizedIntent = getIntent();
+     if (sanitizedIntent != null) {
+       Bundle originalExtras = sanitizedIntent.getExtras();
+       if (originalExtras == null) {
+        originalExtras = new Bundle();
+      }
+       sanitizedIntent.replaceExtras(new Bundle());
+       copyStringExtraIfExists(ComposeActivity.EXTRA_SUBJECT, originalExtras, sanitizedIntent);
+       copyStringExtraIfExists(ComposeActivity.EXTRA_TO, originalExtras, sanitizedIntent);
--- a/Patches/LineageOS-11.0/android_packages_apps_Nfc/261042.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Nfc/261042.patch
@ -0,0 +1,45 @@
+From 248cb503bdf5196dc827a3eb7f216e655cc2ee4b Mon Sep 17 00:00:00 2001
+From: George Chang <georgekgchang@google.com>
+Date: Tue, 9 Jul 2019 15:46:28 +0800
+Subject: [PATCH] Prevent length underflow in NfcTag.cpp
+
+Bug: 124940143
+Test: Read Type4B Tag
+Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
+Change-Id: Ibdab756410bf55d701875279df3e289dbc9369d6
+(cherry picked from commit c7b41a96744e1ac30920991ef1b427acbcde44db)
+---
+ nci/jni/NfcTag.cpp | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/nci/jni/NfcTag.cpp b/nci/jni/NfcTag.cpp
+index b0fe9ab7..9a08dea2 100755
+--- a/nci/jni/NfcTag.cpp
+++ b/nci/jni/NfcTag.cpp
+@@ -40,6 +40,7 @@
+ #include "JavaClassConstants.h"
+ #include <ScopedLocalRef.h>
+ #include <ScopedPrimitiveArray.h>
+#include <log/log.h>
+ 
+ extern "C"
+ {
+@@ -712,7 +713,17 @@ void NfcTag::fillNativeNfcTagMembers3 (JNIEnv* e, jclass tag_cls, jobject tag, t
+                 *****************/
+                 ALOGD ("%s: tech B; TARGET_TYPE_ISO14443_3B", fn);
+                 len = mTechParams [i].param.pb.sensb_res_len;
+-                len = len - 4; //subtract 4 bytes for NFCID0 at byte 2 through 5
+                if (len >= NFC_NFCID0_MAX_LEN)
+                {
+                    // subtract 4 bytes for NFCID0 at byte 2 through 5
+                    len = len - NFC_NFCID0_MAX_LEN;
+                }
+                else
+                {
+                    android_errorWriteLog(0x534e4554, "124940143");
+                    ALOGE ("%s: sensb_res_len error", fn);
+                    len = 0;
+                }
+                 pollBytes.reset(e->NewByteArray(len));
+                 e->SetByteArrayRegion(pollBytes.get(), 0, len, (jbyte*) (mTechParams [i].param.pb.sensb_res+4));
+             }
--- a/Patches/LineageOS-11.0/android_packages_apps_Settings/230054.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Settings/230054.patch
@ -0,0 +1,85 @@
+From f2fdb82e9c4f396657239ae68d300510c6be4b63 Mon Sep 17 00:00:00 2001
+From: MSe1969 <mse1969@posteo.de>
+Date: Mon, 24 Sep 2018 21:09:57 +0200
+Subject: [PATCH] Settings/DeviceInfo - Provide "patch level" explanation and
+ disclaimer
+
+Make it clear to the user, that this is an outdated, no longer
+supported Android version. And that we have only backported stuff
+from newer Android versions in the monthly Android security bulletins.
+
+Change-Id: I6d706dcb598dd836c6a6f0b499782be9bd59b4dc
+---
+ res/values/cm_strings.xml                        |  3 +++
+ res/xml/device_info_settings.xml                 |  2 +-
+ src/com/android/settings/DeviceInfoSettings.java | 11 ++++++++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/res/values/cm_strings.xml b/res/values/cm_strings.xml
+index 67348ac05ac..defc226c12e 100644
+--- a/res/values/cm_strings.xml
+++ b/res/values/cm_strings.xml
+@@ -1463,4 +1463,7 @@ two in order to insert additional control points. \'Remove\' deletes the selecte
+     <string name="lock_to_cyanogen_disable_msg">Disabling this feature will allow unauthorized users to reset your phone to factory defaults if it is stolen. Your personal data may not be protected. Do you want to disable this feature?</string>
+     <string name="lock_to_cyanogen_master_clear_warning">Device Protection is enabled. Please disable to continue resetting your device.</string>
+ 
+    <!-- "Legacy" Security Patch label -->
+    <string name="security_patch_legacy">Unofficial security backport</string>
+    <string name="security_patch_legacy_info">There are no official security patches for this Android version anymore.\nAll patches contained in this build are backports from newer versions.</string>
+ </resources>
+diff --git a/res/xml/device_info_settings.xml b/res/xml/device_info_settings.xml
+index bcee3a76413..9081296a8aa 100644
+--- a/res/xml/device_info_settings.xml
+++ b/res/xml/device_info_settings.xml
+@@ -145,7 +145,7 @@
+         <!-- Security patch level -->
+         <Preference android:key="security_patch"
+                 style="?android:preferenceInformationStyle"
+-                android:title="@string/security_patch"
+                android:title="@string/security_patch_legacy"
+                 android:summary="@string/device_info_default"/>
+ 
+         <!-- Device FCC equipment id -->
+diff --git a/src/com/android/settings/DeviceInfoSettings.java b/src/com/android/settings/DeviceInfoSettings.java
+index cc7f7020c3a..b00f545ef99 100644
+--- a/src/com/android/settings/DeviceInfoSettings.java
+++ b/src/com/android/settings/DeviceInfoSettings.java
+@@ -17,6 +17,7 @@
+ package com.android.settings;
+ 
+ import android.app.Activity;
+import android.app.AlertDialog;
+ import android.content.Context;
+ import android.content.Intent;
+ import android.content.pm.PackageInfo;
+@@ -111,7 +112,7 @@ public void onCreate(Bundle icicle) {
+             try {
+                 SimpleDateFormat template = new SimpleDateFormat("yyyy-MM-dd");
+                 Date patchDate = template.parse(patch);
+-                String format = DateFormat.getBestDateTimePattern(Locale.getDefault(), "dMMMMyyyy");
+                String format = DateFormat.getBestDateTimePattern(Locale.getDefault(), "MMMMyyyy");
+                 patch = DateFormat.format(format, patchDate).toString();
+             } catch (ParseException e) {
+                 // broken parse; fall through and use the raw string
+@@ -131,6 +132,7 @@ public void onCreate(Bundle icicle) {
+         setValueSummary(KEY_MOD_VERSION, "ro.cm.display.version");
+         findPreference(KEY_MOD_VERSION).setEnabled(true);
+         setValueSummary(KEY_MOD_BUILD_DATE, "ro.build.date");
+        findPreference(KEY_SECURITY_PATCH).setEnabled(true);
+ 
+         if (!SELinux.isSELinuxEnabled()) {
+             String status = getResources().getString(R.string.selinux_status_disabled);
+@@ -306,6 +308,13 @@ public boolean onPreferenceTreeClick(PreferenceScreen preferenceScreen, Preferen
+                     Log.e(LOG_TAG, "Unable to start activity " + intent.toString());
+                 }
+             }
+        } else if (preference.getKey().equals(KEY_SECURITY_PATCH)) {
+            new AlertDialog.Builder(getActivity())
+                .setTitle(R.string.security_patch)
+                .setIcon(android.R.drawable.ic_dialog_alert)
+                .setMessage(R.string.security_patch_legacy_info)
+                .setNegativeButton(R.string.cancel, null)
+                .create().show();
+         }
+         return super.onPreferenceTreeClick(preferenceScreen, preference);
+     }
--- a/Patches/LineageOS-11.0/android_packages_apps_Settings/230392.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Settings/230392.patch
@ -0,0 +1,96 @@
+From a63ed5dc0c965d0e9455dbfab40903e8a0e916d8 Mon Sep 17 00:00:00 2001
+From: MSe1969 <mse1969@posteo.de>
+Date: Sat, 29 Sep 2018 12:19:18 +0200
+Subject: [PATCH] Settings/DeviceInfo - Translations for patch level disclaimer
+
+cm-11.0 does not receive any more translations from 'crowdin'
+Translations contained in this patch: DE/ES/FR/IT/PL/RU/UA
+
+Change-Id: I5426cc4a73859271c1a772817520a247b1697c3f
+---
+ res/values-de/cm_strings.xml | 2 ++
+ res/values-es/cm_strings.xml | 2 ++
+ res/values-fr/cm_strings.xml | 2 ++
+ res/values-it/cm_strings.xml | 2 ++
+ res/values-pl/cm_strings.xml | 2 ++
+ res/values-ru/cm_strings.xml | 2 ++
+ res/values-uk/cm_strings.xml | 2 ++
+ 7 files changed, 14 insertions(+)
+
+diff --git a/res/values-de/cm_strings.xml b/res/values-de/cm_strings.xml
+index 8bb1fed83c4..7121ab1090f 100644
+--- a/res/values-de/cm_strings.xml
+++ b/res/values-de/cm_strings.xml
+@@ -1038,4 +1038,6 @@ auf <xliff:g id="new" example="libart.so">%2$s</xliff:g> zu ändern?</string>
+   <string name="lock_to_cyanogen_create_account_msg">Das Passwort Ihres Cyanogen OS-Kontos wird genutzt, um Ihr Gerät auch beim Rücksetzen auf Werkseinstellungen zu schützen. Dazu müssen Sie ein Cyanogen OS-Konto anlegen.</string>
+   <string name="lock_to_cyanogen_disable_msg">Deaktivieren dieser Funktion erlaubt es nicht autorisierten Benutzern Ihr Telefon auf Werkseinstellungen zurückzusetzen, wenn es gestohlen wird. Ihre persönlichen Daten können nicht sicher sein. Wollen Sie diese Funktion deaktivieren?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">Geräteschutz ist aktiviert. Bitte deaktivieren, um mit dem Zurücksetzen Ihres Gerätes fortzufahren.</string>
+  <string name="security_patch_legacy">Inoffizielle Sicherheitsstufe</string>
+  <string name="security_patch_legacy_info">Für diese Android-Version sind keine offiziellen Sicherheitsupdates mehr erhältlich.\nAlle enthaltenen Patches wurden aus neueren Versionen rückportiert.</string>
+ </resources>
+diff --git a/res/values-es/cm_strings.xml b/res/values-es/cm_strings.xml
+index a9b656ae788..883290b29ef 100644
+--- a/res/values-es/cm_strings.xml
+++ b/res/values-es/cm_strings.xml
+@@ -1023,4 +1023,6 @@ Tocando de forma prolongada cada línea se mostrarán opciones adicionales. Sele
+   <string name="lock_to_cyanogen_create_account_msg">El dispositivo usa una contraseña de cuenta de Cyanogen OS para protegerse incluso después de un restablecimiento de fábrica. Necesitarás crear una cuenta de Cyanogen OS.</string>
+   <string name="lock_to_cyanogen_disable_msg">Deshabilitar esta característica permitirá que usuarios no autorizados puedan restablecer a fábrica el dispositivo si éste es sustraído. Tus datos personales podrán quedar desprotegidos. ¿Quieres deshabilitar esta característica?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">La protección del dispositivo está habilitada. Por favor, deshabilita la protección para continuar con el restablecimiento del dispositivo.</string>
+  <string name="security_patch_legacy">Parche de seguridad no oficial</string>
+  <string name="security_patch_legacy_info">No hay actualizaciones de seguridad oficiales disponibles para esta versión de Android.\nTodos los parches incluidos fueron portados desde versiones más nuevas.</string>
+ </resources>
+diff --git a/res/values-fr/cm_strings.xml b/res/values-fr/cm_strings.xml
+index a5b212d13f3..21fdcbfc52b 100644
+--- a/res/values-fr/cm_strings.xml
+++ b/res/values-fr/cm_strings.xml
+@@ -1023,4 +1023,6 @@ Des options supplémentaires sont disponibles en appuyant longtemps sur une lign
+   <string name="lock_to_cyanogen_create_account_msg">Votre appareil utilise le mot de passe du compte Cyanogen OS pour protéger votre appareil même dans le cas d\'une réinitialisation d\'usine. Vous devrez créer un compte Cyanogen OS.</string>
+   <string name="lock_to_cyanogen_disable_msg">La désactivation de cette fonction permettra à des utilisateurs non autorisés de réinitialiser votre téléphone aux paramètres par défaut s\'il est volé. Vos données personnelles ne peuvent pas être protégées. Voulez-vous désactiver cette fonction ?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">La protection de l\'appareil est activée. Veuillez la désactiver pour continuer la réinitialisation de votre appareil.</string>
+  <string name="security_patch_legacy">Niveau de sécurité non officiel</string>
+  <string name="security_patch_legacy_info">Il n\'y a pas de mises à jour de sécurité officielles disponibles pour cette version d\'Android.\nTous les correctifs contenus ont été répliqués à partir de versions plus récentes.</string>
+ </resources>
+diff --git a/res/values-it/cm_strings.xml b/res/values-it/cm_strings.xml
+index 59d76b59c9a..981ed9879a9 100644
+--- a/res/values-it/cm_strings.xml
+++ b/res/values-it/cm_strings.xml
+@@ -1034,4 +1034,6 @@ inserire punti di controllo aggiuntivi. \'Rimuovi\' elimina la riga selezionata.
+   <string name="lock_to_cyanogen_create_account_msg">Il dispositivo utilizza la password dell\'account Cyanogen OS per proteggerlo anche in caso di un reset di fabbrica. Devi creare un account Cyanogen OS.</string>
+   <string name="lock_to_cyanogen_disable_msg">Disattivando questa funzione gli utenti non autorizzati potranno ripristinare il telefono alle impostazioni di fabbrica, se viene rubato. I dati personali non possono essere protetti. Desideri disattivare questa funzione?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">La protezione del dispositivo è attiva. Disattivala per ripristinare il tuo dispositivo.</string>
+  <string name="security_patch_legacy">Backport di sicurezza non ufficiale</string>
+  <string name="security_patch_legacy_info">Non ci sono più patch di sicurezza ufficiali per questa versione di Android.\nTutte le patch contenute in questa build sono backport dalle versioni più recenti.</string>
+ </resources>
+diff --git a/res/values-pl/cm_strings.xml b/res/values-pl/cm_strings.xml
+index e1a7ad91ac1..dcadae48874 100644
+--- a/res/values-pl/cm_strings.xml
+++ b/res/values-pl/cm_strings.xml
+@@ -1024,4 +1024,6 @@ Dodatkowe opcje są dostępne przez długie przytrzymanie linii. Wybierając opc
+   <string name="lock_to_cyanogen_create_account_msg">Twoje urządzenie korzysta z hasła twojego konta Cyanogen OS, aby chronić twoje urządzenie nawet w przypadku przywrócenia ustawień fabrycznych. Musisz utworzyć konto Cyanogen OS.</string>
+   <string name="lock_to_cyanogen_disable_msg">Wyłączenie tej funkcji umożliwi nieautoryzowanym użytkownikom na przywrócenie ustawień fabrycznych jeśli twoje urządzenie zostanie zgubione. Twoje prywatne dane mogą nie być chronione. Czy chcesz wyłączyć tę funkcję?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">Ochrona urządzenia jest włączona. Proszę wyłącz ją, aby kontynuować resetowanie urządzenia.</string>
+  <string name="security_patch_legacy">Nieoficjalna aktualizacja zabezpieczeń</string>
+  <string name="security_patch_legacy_info">Nie ma oficjalnych aktualizacji zabezpieczeń dla tej wersji Androida.\nWszystkie zawarte łaty zostały przeniesione z nowszych wersji.</string>
+ </resources>
+diff --git a/res/values-ru/cm_strings.xml b/res/values-ru/cm_strings.xml
+index 14186323da3..cf9ac14991d 100644
+--- a/res/values-ru/cm_strings.xml
+++ b/res/values-ru/cm_strings.xml
+@@ -1024,4 +1024,6 @@
+   <string name="lock_to_cyanogen_create_account_msg">Устройство использует пароль аккаунта ОС Cyanogen для защиты устройства от сброса настроек. Потребуется создать новый аккаунт ОС Cyanogen.</string>
+   <string name="lock_to_cyanogen_disable_msg">Отключение этой функции позволит другим людям выполнить удаление всех данных на устройстве в случае его кражи. Ваши личные данные могут стать недостаточно защищёнными. Вы действительно хотите отключить эту функцию?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">Защита устройства включена. Необходимо отключить её, чтобы выполнить сброс настроек на устройстве.</string>
+  <string name="security_patch_legacy">Неофициальные исправления безопасности</string>
+  <string name="security_patch_legacy_info">Официальные исправления безопасности более не выпускаются для данной версии Android.\nВсе исправления, представленные в этой сборке, адаптированы из более новых версий системы.</string>
+ </resources>
+diff --git a/res/values-uk/cm_strings.xml b/res/values-uk/cm_strings.xml
+index 00f896b862e..0eba0913b9b 100644
+--- a/res/values-uk/cm_strings.xml
+++ b/res/values-uk/cm_strings.xml
+@@ -1024,4 +1024,6 @@
+   <string name="lock_to_cyanogen_create_account_msg">Ваш пристрій використовує пароль облікового запису Cyanogen OS для захисту навіть у разі повернення до заводських налаштувань. Вам потрібно буде створити обліковий запис Cyanogen OS.</string>
+   <string name="lock_to_cyanogen_disable_msg">Вимкнення цієї функції дозволить неавторизованим користувачам скинути до заводських налаштувань телефон, наприклад, при викраденні. Ваші персональні дані не будуть захищені. Ви хочете вимкнути цю функцію?</string>
+   <string name="lock_to_cyanogen_master_clear_warning">Захист пристрою увімкнено. Необхідно вимкнути його, щоб виконати скидання налаштувань на пристрої.</string>
+  <string name="security_patch_legacy">Неофіційні виправлення безпеки</string>
+  <string name="security_patch_legacy_info">Офіційні виправлення безпеки більше не випускаються для даної версії Android.\nУсі виправлення, наявні у цій збірці, адаптовані з новіших версій системи.</string>
+ </resources>
--- a/Patches/LineageOS-11.0/android_packages_apps_Settings/248015.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_Settings/248015.patch
@ -0,0 +1,66 @@
+From 0afe7bd5b556b96ca442f632b9a789bbe4915d48 Mon Sep 17 00:00:00 2001
+From: Fan Zhang <zhfan@google.com>
+Date: Thu, 14 Feb 2019 16:07:37 -0800
+Subject: [PATCH] Do not allow draw on top for default sms picker.
+
+Fixes: 120484087
+Test: manual
+Change-Id: I4be265565678302fad207839216d5cd65dcb6e94
+Merged-In: I4be265565678302fad207839216d5cd65dcb6e94
+(cherry picked from commit 9d46e1fdfe1b70618c5a92c3e3461a4b379db236)
+(cherry picked from commit 95d0fb7f4911403844666632ece42467f60ad753)
+---
+ .../android/settings/SmsDefaultDialog.java    | 22 ++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/settings/SmsDefaultDialog.java b/src/com/android/settings/SmsDefaultDialog.java
+index 3a3848ba4f7..f4adc4a3aee 100644
+--- a/src/com/android/settings/SmsDefaultDialog.java
+++ b/src/com/android/settings/SmsDefaultDialog.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.settings;
+ 
+import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+
+ import android.content.ComponentName;
+ import android.content.Context;
+ import android.content.DialogInterface;
+@@ -31,12 +33,30 @@
+ import com.android.internal.telephony.SmsApplication;
+ import com.android.internal.telephony.SmsApplication.SmsApplicationData;
+ import com.android.settings.R;
+import android.view.Window;
+import android.view.WindowManager;
+ 
+ public final class SmsDefaultDialog extends AlertActivity implements
+         DialogInterface.OnClickListener {
+     private ComponentName mNewDefault;
+     private SmsApplicationData mNewSmsApplicationData;
+ 
+    @Override
+    protected void onStart() {
+        super.onStart();
+        getWindow().addPrivateFlags(PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+        android.util.EventLog.writeEvent(0x534e4554, "120484087", -1, "");
+    }
+
+    @Override
+    protected void onStop() {
+        super.onStop();
+        final Window window = getWindow();
+        final WindowManager.LayoutParams attrs = window.getAttributes();
+        attrs.privateFlags &= ~PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS;
+        window.setAttributes(attrs);
+    }
+
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+@@ -103,4 +123,4 @@ private boolean buildDialog(String packageName) {
+ 
+         return true;
+     }
+-}
+\ No newline at end of file
+}
--- a/Patches/LineageOS-11.0/android_packages_apps_UnifiedEmail/253861.patch
+++ b/Patches/LineageOS-11.0/android_packages_apps_UnifiedEmail/253861.patch
@ -0,0 +1,66 @@
+From d64211dbe4c630e7bc1ffd68ec977525f9b334e9 Mon Sep 17 00:00:00 2001
+From: Raman Tenneti <rtenneti@google.com>
+Date: Mon, 13 May 2019 11:57:09 -0700
+Subject: [PATCH] AOSP/UnifiedEmail - bug fix to composing messages.
+
+As part of porting https://critique.corp.google.com/#review/247540041,
+needed to make EXTRA_TO, EXTRA_CC, EXTRA_BCC, EXTRA_SUBJECT, EXTRA_BODY
+public so that they couuld be accessed from packages/apps/Email package.
+
+Bug: 127320867
+
+Test: manual - Ran the following tests on Pixel phone. Tested the email UI.
+
+$ make -j 40
+  -rw-r--r-- 1 rtenneti primarygroup 6375626 May  5 19:49 out/target/product/marlin/system/product/app/Email/Email.apk
+
+$ make UnifiedEmailTests -j
+  -rw-r--r-- 1 rtenneti primarygroup 311703 May  5 20:04 out/target/product/marlin/testcases/UnifiedEmailTests/arm64/UnifiedEmailTests.apk
+
+$ make EmailTests -j
+  -rw-r--r-- 1 rtenneti primarygroup 365023 May 13 14:39 out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+
+$ adb install -r out/target/product/marlin/system/product/app/Email/Email.apk
+$ adb install -r out/target/product/marlin/testcases/EmailTests/arm64/EmailTests.apk
+$ adb install -r out/target/product/marlin/testcases/UnifiedEmailTests/arm64/UnifiedEmailTests.apk
+
+$ adb shell am instrument -w com.android.mail.emailtests
+  Time: 3.519
+  OK (157 tests)
+
+Change-Id: I2a0e1048bac20c4346ec16d4bc8151297971fe0d
+Merged-In: I2a0e1048bac20c4346ec16d4bc8151297971fe0d
+(cherry picked from commit 8c19e4f8fa80ab21da9bd684f038f24cb1240011)
+---
+ src/com/android/mail/compose/ComposeActivity.java | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/com/android/mail/compose/ComposeActivity.java b/src/com/android/mail/compose/ComposeActivity.java
+index b1bed47ee..d4da5327c 100644
+--- a/src/com/android/mail/compose/ComposeActivity.java
+++ b/src/com/android/mail/compose/ComposeActivity.java
+@@ -153,9 +153,9 @@
+ 
+     private static final String MAIL_TO = "mailto";
+ 
+-    private static final String EXTRA_SUBJECT = "subject";
+    public static final String EXTRA_SUBJECT = "subject";
+ 
+-    private static final String EXTRA_BODY = "body";
+    public static final String EXTRA_BODY = "body";
+ 
+     /**
+      * Expected to be html formatted text.
+@@ -168,9 +168,9 @@
+ 
+     // Extra that we can get passed from other activities
+     @VisibleForTesting
+-    protected static final String EXTRA_TO = "to";
+-    private static final String EXTRA_CC = "cc";
+-    private static final String EXTRA_BCC = "bcc";
+    public static final String EXTRA_TO = "to";
+    public static final String EXTRA_CC = "cc";
+    public static final String EXTRA_BCC = "bcc";
+ 
+     /**
+      * An optional extra containing a {@link ContentValues} of values to be added to
--- a/Patches/LineageOS-16.0/android_device_google_wahoo/232948.patch
+++ b/Patches/LineageOS-16.0/android_device_google_wahoo/232948.patch
@ -0,0 +1,44 @@
+From 2a85ab00b30f1d3a3212fecfad1138cc2d54af3b Mon Sep 17 00:00:00 2001
+From: Zhao Wei Liew <zhaoweiliew@gmail.com>
+Date: Wed, 31 Oct 2018 14:05:57 +0000
+Subject: [PATCH] liblight: Fix potential fd leak
+
+Currently, when the value to be written to an LED file does not
+fit into the buffer, the opened file descriptor is not closed,
+leaking the file descriptor.
+
+Fix it by closing the file descriptor before returning.
+
+Change-Id: I1c46fcc35f560358b1f60e0fac45f4c5a42cd484
+---
+ liblight/lights.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/liblight/lights.c b/liblight/lights.c
+index d5717488..9f605270 100644
+--- a/liblight/lights.c
+++ b/liblight/lights.c
+@@ -123,7 +123,10 @@ write_int(char const* path, int value)
+     if (fd >= 0) {
+         char buffer[20];
+         size_t bytes = snprintf(buffer, sizeof(buffer), "%d\n", value);
+-        if(bytes >= sizeof(buffer)) return -EINVAL;
+        if (bytes >= sizeof(buffer)) {
+            close(fd);
+            return -EINVAL;
+        }
+         ssize_t amt = write(fd, buffer, bytes);
+         close(fd);
+         return amt == -1 ? -errno : 0;
+@@ -146,7 +149,10 @@ write_double_int(char const* path, int value1, int value2)
+     if (fd >= 0) {
+         char buffer[20];
+         size_t bytes = snprintf(buffer, sizeof(buffer), "%d %d\n", value1, value2);
+-        if(bytes >= sizeof(buffer)) return -EINVAL;
+        if (bytes >= sizeof(buffer)) {
+            close(fd);
+            return -EINVAL;
+        }
+         ssize_t amt = write(fd, buffer, bytes);
+         close(fd);
+         return amt == -1 ? -errno : 0;
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263103.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263103.patch
@ -0,0 +1,40 @@
+From 303349ca33b80052b0f16defdddc7f4c126f5349 Mon Sep 17 00:00:00 2001
+From: Adrian DC <radian.dc@gmail.com>
+Date: Sun, 3 Nov 2019 00:54:38 +0200
+Subject: [PATCH] sepolicy: Resolve surfaceflinger access to qdisplay service
+
+ * denied { add find } for service=display.qservice uid=1000
+    scontext=u:r:surfaceflinger:s0
+    tcontext=u:object_r:qdisplay_service:s0 tclass=service_manager
+
+Change-Id: I9e8af53ecbc475056497926d401d2312b43283c9
+---
+ sepolicy/service.te        | 1 +
+ sepolicy/service_contexts  | 1 +
+ sepolicy/surfaceflinger.te | 1 +
+ 3 files changed, 3 insertions(+)
+ create mode 100644 sepolicy/service.te
+ create mode 100644 sepolicy/service_contexts
+
+diff --git a/sepolicy/service.te b/sepolicy/service.te
+new file mode 100644
+index 00000000..60490a58
+--- /dev/null
+++ b/sepolicy/service.te
+@@ -0,0 +1 @@
+type qdisplay_service, service_manager_type;
+diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
+new file mode 100644
+index 00000000..3d6b681b
+--- /dev/null
+++ b/sepolicy/service_contexts
+@@ -0,0 +1 @@
+display.qservice u:object_r:qdisplay_service:s0
+diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
+index 02adf8ac..a92feab8 100644
+--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
+@@ -1,2 +1,3 @@
+ allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
+ allow surfaceflinger sysfs_thermal:file r_file_perms;
+allow surfaceflinger qdisplay_service:service_manager { add find };
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263104.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263104.patch
@ -0,0 +1,47 @@
+From df76b984675254e8b8c9c493fd6a0865d1e065de Mon Sep 17 00:00:00 2001
+From: Sashko <sashko506@gmail.com>
+Date: Sun, 3 Nov 2019 01:11:48 +0200
+Subject: [PATCH] sepolicy: Resolve healthd denials
+
+* Label all healthd devices as sysfs_batteryinfo
+
+* denied { getattr } for path=/sys/devices/f9923000.i2c/i2c-84/84-0036/power_supply/battery/present dev=sysfs ino=19172 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/f9923000.i2c/i2c-84/84-006b/power_supply/ac/type dev=sysfs ino=16691 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/msm_dwc3/power_supply/usb/type dev=sysfs ino=15162 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/f9923000.i2c/i2c-84/84-0036/power_supply/battery/voltage_now dev=sysfs ino=19162 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/f9923000.i2c/i2c-84/84-0036/power_supply/battery/current_now dev=sysfs ino=19163 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/f9923000.i2c/i2c-84/84-0036/power_supply/battery/temp dev=sysfs ino=19180 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for pid=217 comm=healthd path=/sys/devices/bq51013b_wlc.77/power_supply/wireless/type dev=sysfs ino=16663 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/virtual/power_supply/touch/type dev=sysfs ino=15931 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+Change-Id: I4b8a4dbbcb687de966e9f2dee02f668f6ce5a602
+---
+ sepolicy/file_contexts | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index b65aa2a3..66969cbd 100644
+--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
+@@ -149,7 +149,13 @@
+ /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk        u:object_r:sysfs_thermal:s0
+ /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk    u:object_r:sysfs_thermal:s0
+ /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/reset_count   u:object_r:sysfs_thermal:s0
+-/sys/devices/f9923000\.i2c/i2c-84/84-0036/power_supply/battery/capacity   u:object_r:sysfs_batteryinfo:s0
+
+/sys/devices/f9923000\.i2c/i2c-84/84-0036/power_supply/battery(/.*)?    u:object_r:sysfs_batteryinfo:s0
+/sys/devices/f9923000.i2c/i2c-84/84-006b/power_supply/ac(/.*)?          u:object_r:sysfs_batteryinfo:s0
+/sys/devices/msm_dwc3/power_supply/usb(/.*)?                            u:object_r:sysfs_batteryinfo:s0
+/sys/devices/virtual/power_supply/touch(/.*)?                           u:object_r:sysfs_batteryinfo:s0
+/sys/devices/bq51013b_wlc.77/power_supply/wireless(/.*)?                u:object_r:sysfs_batteryinfo:s0
+/sys/devices/battery_tm_ctrl.78/power_supply/batt_therm(/.*)?           u:object_r:sysfs_batteryinfo:s0
+ 
+ # Sysfs files used by qmuxd
+ /sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263105.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263105.patch
@ -0,0 +1,29 @@
+From dbd5721bb8845fe408d53f48601df500d685065c Mon Sep 17 00:00:00 2001
+From: Roman Yarullin <firefox883@gmail.com>
+Date: Sun, 3 Nov 2019 01:20:04 +0200
+Subject: [PATCH] sepolicy: Resolve storaged denials
+
+*Label /sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/block/mmcblk0/stat as sysfs_disk_stat
+
+* denied { read open } for name=stat dev=sysfs ino=19332 scontext=u:r:storaged:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { getattr } for path=/sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/block/mmcblk0/stat dev=sysfs ino=19332 scontext=u:r:storaged:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+Change-Id: Ic4047346cdc282568069b9abdb3d250c051d6579
+---
+ sepolicy/file_contexts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index 66969cbd..4540ce06 100644
+--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
+@@ -157,6 +157,8 @@
+ /sys/devices/bq51013b_wlc.77/power_supply/wireless(/.*)?                u:object_r:sysfs_batteryinfo:s0
+ /sys/devices/battery_tm_ctrl.78/power_supply/batt_therm(/.*)?           u:object_r:sysfs_batteryinfo:s0
+ 
+/sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/block/mmcblk0/stat      u:object_r:sysfs_disk_stat:s0
+
+ # Sysfs files used by qmuxd
+ /sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
+ 
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263106.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263106.patch
@ -0,0 +1,30 @@
+From 48c9750798e2e06baf61f598ba4715ad402b3493 Mon Sep 17 00:00:00 2001
+From: Kevin Haggerty <haggertk@lineageos.org>
+Date: Sun, 3 Nov 2019 01:36:15 +0200
+Subject: [PATCH] sepolicy: Label sysfs_net
+
+ * avc: denied { write } for name=mtu dev=sysfs ino=24282
+   scontext=u:r:netd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+   avc: denied { open } for name=mtu dev=sysfs ino=24282
+   scontext=u:r:netd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+Change-Id: I6f40b8bdac2537b7000c02af6fac8277acb2a718
+---
+ sepolicy/file_contexts | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index 4540ce06..7cb352a2 100644
+--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
+@@ -159,6 +159,9 @@
+ 
+ /sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/block/mmcblk0/stat      u:object_r:sysfs_disk_stat:s0
+ 
+#sysfs - net
+/sys/devices/virtual/net(/.*)?   u:object_r:sysfs_net:s0
+
+ # Sysfs files used by qmuxd
+ /sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
+ 
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263107.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263107.patch
@ -0,0 +1,99 @@
+From 513a0c7562b5f15852090cf4ba3b9e4321e03102 Mon Sep 17 00:00:00 2001
+From: Sashko <sashko506@gmail.com>
+Date: Sun, 3 Nov 2019 01:47:42 +0200
+Subject: [PATCH] sepolicy: Resolve init denials
+
+* denied { setattr } for name=state dev=sysfs ino=9120 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_bluetooth_writable:s0 tclass=file permissive=1
+
+* denied { setattr } for name=hpd dev=sysfs ino=11773 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=file permissive=1
+
+* denied { setattr } for pid=1 comm=init name=firmware_path dev=sysfs ino=5881 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=1
+
+* denied { setattr } for name=file dev=sysfs ino=15720 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { write } for name=boot dev=sysfs ino=8899 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+* denied { open } for name=boot dev=sysfs ino=8899 scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+Change-Id: I2f35267ea74a5646bb423192162752e44aa51064
+---
+ sepolicy/file.te       |  5 +++++
+ sepolicy/file_contexts | 23 ++++++++++++++++++++++-
+ sepolicy/init.te       | 17 +++++++++++++++++
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/file.te b/sepolicy/file.te
+index 34eb6229..0c1a3820 100644
+--- a/sepolicy/file.te
+++ b/sepolicy/file.te
+@@ -26,3 +26,8 @@ type sysfs_mpdecision, fs_type, sysfs_type;
+ type sysfs_surfaceflinger, fs_type, sysfs_type;
+ type sysfs_smdcntl_open_timeout, fs_type, sysfs_type;
+ type sysfs_soc, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_thermal_control, fs_type, sysfs_type;
+type sysfs_ssr_toggle, fs_type, sysfs_type;
+type sysfs_ramdump, fs_type, sysfs_type;
+type sysfs_irq, fs_type, sysfs_type;
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index 7cb352a2..602f1753 100644
+--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
+@@ -162,11 +162,32 @@
+ #sysfs - net
+ /sys/devices/virtual/net(/.*)?   u:object_r:sysfs_net:s0
+ 
+/sys/devices/mdp\.0/qcom,mdss_fb_primary.160/leds/lcd-backlight/brightness    u:object_r:sysfs_leds:s0
+/sys/devices/leds-qpnp-23/leds(/.*)?        u:object_r:sysfs_leds:s0
+
+/sys/kernel/boot_adsp/boot     u:object_r:sysfs_adsp:s0
+
+/sys/module/msm_thermal/core_control/enabled    u:object_r:sysfs_thermal_control:s0
+
+/sys/devices/fe200000\.qcom,lpass/subsys[0-2]/restart_level     u:object_r:sysfs_ssr_toggle:s0
+/sys/devices/fc880000\.qcom,mss/subsys[0-2]/restart_level       u:object_r:sysfs_ssr_toggle:s0
+/sys/devices/fdce0000\.qcom,venus/subsys[0-2]/restart_level     u:object_r:sysfs_ssr_toggle:s0
+
+/sys/module/subsystem_restart/parameters/enable_ramdumps        u:object_r:sysfs_ramdump:s0
+
+/sys/devices/msm_dwc3/f9200000\.dwc3/gadget/lun[0-9]+(/.*)?     u:object_r:sysfs_android_usb:s0
+
+ # Sysfs files used by qmuxd
+ /sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
+ 
+ # Bluetooth
+-/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/state     u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bluetooth_rfkill/rfkill/rfkill0/type      u:object_r:sysfs_bluetooth_writable:s0
+
+/sys/module/lpm_resources/enable_low_power(/.*)?            u:object_r:sysfs_mpdecision:s0
+
+/sys/module/slimport/parameters/enable_irq                  u:object_r:sysfs_irq:s0
+/sys/module/msm_show_resume_irq/parameters/debug_mask       u:object_r:sysfs_irq:s0
+ 
+ # Thermal engine
+ /dev/msm_thermal_query            u:object_r:thermal_engine_device:s0
+diff --git a/sepolicy/init.te b/sepolicy/init.te
+index 3aa81d1b..05a26d5b 100644
+--- a/sepolicy/init.te
+++ b/sepolicy/init.te
+@@ -1 +1,18 @@
+ allow init tmpfs:lnk_file create_file_perms;
+
+allow init {
+   sysfs_bluetooth_writable
+   sysfs_leds
+   sysfs_surfaceflinger
+   sysfs_wlan_fwpath
+ }:file setattr;
+
+allow init {
+   sysfs_adsp
+   sysfs_devices_system_cpu
+   sysfs_mpdecision
+   sysfs_irq
+   sysfs_ramdump
+   sysfs_ssr_toggle
+   sysfs_thermal_control
+ }:file w_file_perms;
+\ No newline at end of file
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263108.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263108.patch
@ -0,0 +1,59 @@
+From 5ff294c0a20302e01695ebc82180d0ad6ea11501 Mon Sep 17 00:00:00 2001
+From: Sashko <sashko506@gmail.com>
+Date: Sun, 3 Nov 2019 02:07:03 +0200
+Subject: [PATCH] sepolicy: Resolve surfaceflinger denials
+
+denied { read open } for name=msm_fb_split dev=sysfs ino=11739 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+denied { getattr } for path=/sys/devices/virtual/graphics/fb0/msm_fb_split dev=sysfs ino=11739 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+denied { read open } for name=fb2 dev=sysfs ino=11788 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
+
+denied { search read open } for name=fb0 dev=sysfs ino=11697 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=dir permissive=1
+
+denied { write } for name=rgb dev=sysfs ino=11740 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=file permissive=1
+
+Change-Id: I404b61992eb082d87c5b3b1b7875a7bc83f8cf7d
+---
+ sepolicy/file_contexts     | 4 +---
+ sepolicy/surfaceflinger.te | 1 +
+ sepolicy/system_server.te  | 2 ++
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
+index 9ec66741..cb9b79e7 100644
+--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
+@@ -142,9 +142,7 @@
+ /sys/module/pm_8x60/modes(/.*)?        u:object_r:sysfs_mpdecision:s0
+ 
+ # Sysfs files used by surfaceflinger
+-/sys/devices/virtual/graphics/fb1/hpd          -- u:object_r:sysfs_surfaceflinger:s0
+-/sys/devices/virtual/graphics/fb1/vendor_name  -- u:object_r:sysfs_surfaceflinger:s0
+-/sys/devices/virtual/graphics/fb1/product_description       -- u:object_r:sysfs_surfaceflinger:s0
+/sys/devices/virtual/graphics/fb([0-2])+(/.*)? 	u:object_r:sysfs_surfaceflinger:s0
+ 
+ /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk        u:object_r:sysfs_thermal:s0
+ /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk    u:object_r:sysfs_thermal:s0
+diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
+index a92feab8..e2760a36 100644
+--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
+@@ -1,3 +1,4 @@
+allow surfaceflinger sysfs_surfaceflinger:dir r_dir_perms;
+ allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
+ allow surfaceflinger sysfs_thermal:file r_file_perms;
+ allow surfaceflinger qdisplay_service:service_manager { add find };
+diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
+index ab211feb..cf161518 100644
+--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
+@@ -22,6 +22,8 @@ allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+ 
+ allow system_server sysfs_thermal:file r_file_perms;
+ 
+allow system_server sysfs_surfaceflinger:file write;
+
+ allow system_server sensors_device:chr_file getattr;
+ 
+ allowxperm system_server self:udp_socket ioctl { SIOCSIFFLAGS SIOCDEVPRIVATE_D };
--- a/Patches/LineageOS-16.0/android_device_lge_hammerhead/263109.patch
+++ b/Patches/LineageOS-16.0/android_device_lge_hammerhead/263109.patch
@ -0,0 +1,20 @@
+From cc823367ab4624a34502121c5671c8a37fb6fbb6 Mon Sep 17 00:00:00 2001
+From: Sashko <sashko506@gmail.com>
+Date: Sun, 3 Nov 2019 02:36:57 +0200
+Subject: [PATCH] sepolicy: Resolve nfc denial
+
+ denied { search } for pid=236 comm=android.hardwar name=nfc dev=mmcblk0p29 ino=610801 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:nfc_data_file:s0 tclass=dir permissive=0
+
+Change-Id: I455e2ca9e35f287b757e958cbc1f67d19d903ac6
+---
+ sepolicy/hal_nfc_default.te | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 sepolicy/hal_nfc_default.te
+
+diff --git a/sepolicy/hal_nfc_default.te b/sepolicy/hal_nfc_default.te
+new file mode 100644
+index 00000000..e183dd8e
+--- /dev/null
+++ b/sepolicy/hal_nfc_default.te
+@@ -0,0 +1 @@
+allow hal_nfc_default nfc_data_file:dir search;
--- a/Patches/LineageOS-17.1/android_build/271361.patch
+++ b/Patches/LineageOS-17.1/android_build/271361.patch
@ -0,0 +1,32 @@
+From 1e54b3cf486cf942ecb32e294e8cde1c028e4f8b Mon Sep 17 00:00:00 2001
+From: gesangtome <gesangtome@foxmail.com>
+Date: Tue, 24 Mar 2020 05:47:25 +0800
+Subject: [PATCH] releasetools: fix Unicode-objects must be encoded before
+ hashing
+
+This error occurs when using 'ota_from_target_files' to make an incremental package.
+According to the prompt, first encode fp to resolve this error.
+
+build/make/tools/releasetools/common.py", line 448, in LoadInfoDict
+    d["avb_salt"] = sha256(fp).hexdigest()
+
+TypeError: Unicode-objects must be encoded before hashing
+
+Change-Id: I196b3ae37e1fb92be58c48aa8ab0928b6e6aec69
+---
+ tools/releasetools/common.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
+index 9f57773ba7..d54689bd2e 100644
+--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
+@@ -445,7 +445,7 @@ def makeint(key):
+       elif "ro.build.thumbprint" in build_prop:
+         fp = build_prop["ro.build.thumbprint"]
+     if fp:
+-      d["avb_salt"] = sha256(fp).hexdigest()
+      d["avb_salt"] = sha256(fp.encode()).hexdigest()
+ 
+   return d
+ 
--- a/Patches/Linux
+++ b/Patches/Linux
@ -1 +1 @@
-Subproject commit c068565d97abfa7803914e9e0e19d171ef230872
+Subproject commit 1461e32a6f9be0d5a875dabc99dd9a2c08148022
--- a/Scripts/LineageOS-11.0/Functions.sh
+++ b/Scripts/LineageOS-11.0/Functions.sh
@ -60,19 +60,7 @@ patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
 	sed -i "s/'git', 'show', '-q'/'git', 'show'/" build/tools/repopick.py; #fix for old git versions
 	source build/envsetup.sh;
-	repopick -itf asb-2018.09-cm11-qcom;
-	repopick -i 230054 230392; #asb disclaimer
-	#repopick -it asb-2019.03-cm11;
-	#repopick -it asb-2019.04-cm11 -e 246293;
-	repopick -it asb-2019.05-cm11;
-	repopick -it asb-2019.06-cm11;
-	repopick -it asb-2019.07-cm11;
-	repopick -it asb-2019.08-cm11;
-	repopick -it asb-2019.09-cm11;
-	repopick -it asb-2019.10-cm11;
-	repopick -it asb-2019.11-cm11;
-	repopick -it asb-2019.12-cm11;
-	repopick -it asb-2020.01-cm11;
+	repopick -itf asb-2018.09-cm11-qcom; #TODO: move in tree

 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";
--- a/Scripts/LineageOS-11.0/Patch.sh
+++ b/Scripts/LineageOS-11.0/Patch.sh
@ -68,8 +68,40 @@ sed -i 's/Mms/Silence/' target/product/*.mk; #Replace AOSP Messaging app with Si
 sed -i '497i$(LOCAL_INTERMEDIATE_TARGETS) : PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/base_rules.mk;
 sed -i '80iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package.mk;

+enterAndClear "external/bluetooth/bluedroid";
+patch -p1 < "$DOS_PATCHES/android_external_bluetooth_bluedroid/251199.patch"; #asb-2019.12-cm11
+patch -p1 < "$DOS_PATCHES/android_external_bluetooth_bluedroid/265361.patch"; #asb-2019.12-cm11
+patch -p1 < "$DOS_PATCHES/android_external_bluetooth_bluedroid/265493.patch"; #asb-2019.12-cm11
+patch -p1 < "$DOS_PATCHES/android_external_bluetooth_bluedroid/265494.patch"; #asb-2019.12-cm11
+
+enterAndClear "external/libnfc-nci";
+patch -p1 < "$DOS_PATCHES/android_external_libnfc-nci/258164.patch"; #asb-2019.09-cm11
+patch -p1 < "$DOS_PATCHES/android_external_libnfc-nci/258165.patch"; #asb-2019.09-cm11
+patch -p1 < "$DOS_PATCHES/android_external_libnfc-nci/264094.patch"; #asb-2019.11-cm11
+patch -p1 < "$DOS_PATCHES/android_external_libnfc-nci/264097.patch"; #asb-2019.11-cm11
+
+enterAndClear "external/libvpx";
+patch -p1 < "$DOS_PATCHES/android_external_libvpx/253499.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_external_libvpx/253500.patch"; #asb-2019.08-cm11
+
+enterAndClear "external/sfntly";
+patch -p1 < "$DOS_PATCHES/android_external_sfntly/251198.patch"; #asb-2019.07-cm11
+
+enterAndClear "external/skia";
+patch -p1 < "$DOS_PATCHES/android_external_skia/249705.patch"; #asb-2019.06-cm11
+
 enterAndClear "external/sqlite";
 patch -p1 < "$DOS_PATCHES/android_external_sqlite/0001-Secure_Delete.patch"; #Enable secure_delete by default (CopperheadOS-13.0)
+patch -p1 < "$DOS_PATCHES/android_external_sqlite/263910.patch"; #asb-2019.11-cm11
+
+enterAndClear "frameworks/av";
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/247874.patch"; #asb-2019.06-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/249706.patch"; #asb-2019.07-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/249707.patch"; #asb-2019.07-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/253521.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/253522.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/261040.patch"; #asb-2019.10-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_av/261041.patch"; #asb-2019.10-cm11

 enterAndClear "frameworks/base";
 hardenLocationFWB "$DOS_BUILD_BASE";
@ -77,27 +109,52 @@ sed -i 's/com.android.mms/org.smssecure.smssecure/' core/res/res/values/config.x
 sed -i 's|db_default_journal_mode">PERSIST|db_default_journal_mode">TRUNCATE|' core/res/res/values/config.xml; #Mirror SQLite secure_delete
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0001-Signature_Spoofing.patch"; fi; #Allow packages to spoof their signature (microG)
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0002-Harden_Sig_Spoofing.patch"; fi; #Restrict signature spoofing to system apps signed with the platform key
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/253523.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/256318.patch"; #asb-2019.09-cm11
+#patch -p1 < "$DOS_PATCHES/android_frameworks_base/264100.patch"; #asb-2019.11-cm11 XXX: breaks things
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/265311.patch"; #asb-2019.12-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_base/267438.patch"; #asb-2020.01-cm11
 changeDefaultDNS;
 #patch -p1 < "$DOS_PATCHES/android_frameworks_base/0008-Disable_Analytics.patch"; #Disable/reduce functionality of various ad/analytics libraries #TODO BACKPORT-11.0

+enterAndClear "frameworks/native";
+patch -p1 < "$DOS_PATCHES/android_frameworks_native/253524.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_native/256319.patch"; #asb-2019.09-cm11
+patch -p1 < "$DOS_PATCHES/android_frameworks_native/256322.patch"; #asb-2019.09-cm11
+
+enterAndClear "packages/apps/Bluetooth";
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Bluetooth/264098.patch"; #asb-2019.11-cm11
+
 enterAndClear "packages/apps/Dialer";
 rm -rf src/com/android/dialer/cmstats;
 patch -p1 < "$DOS_PATCHES/android_packages_apps_Dialer/0001-Remove_Analytics.patch"; #Remove CMStats

+enterAndClear "packages/apps/Email";
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Email/253862.patch"; #asb-2019.08-cm11
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Email/256927.patch"; #asb-2019.09-cm11
+
 enterAndClear "packages/apps/InCallUI";
 patch -p1 < "$DOS_PATCHES/android_packages_apps_InCallUI/0001-Remove_Analytics.patch"; #Remove CMStats

+enterAndClear "packages/apps/Nfc";
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Nfc/261042.patch"; #asb-2019.10-cm11
+
 enterAndClear "packages/apps/Settings";
 sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length
 if [ "$DOS_MICROG_INCLUDED" = "FULL" ]; then sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; fi; #microG doesn't support Backup, hide the options
 rm -rf src/com/android/settings/cmstats res/xml/security_settings_cyanogenmod.xml; #Nuke part of CMStats
 patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/0001-Remove_Analytics.patch"; #Remove the rest of CMStats
-
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/230054.patch"; #ASB disclaimer
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/230392.patch"; #ASB disclaimer translations
+patch -p1 < "$DOS_PATCHES/android_packages_apps_Settings/248015.patch"; #asb-2019.05-cm11

 enterAndClear "packages/apps/Trebuchet";
 #cp -r "$DOS_PATCHES_COMMON/android_packages_apps_Trebuchet/default_workspace/." "res/xml/"; #TODO BACKPORT-11.0
 sed -i 's/mCropView.setTouchEnabled(touchEnabled);/mCropView.setTouchEnabled(true);/' WallpaperPicker/src/com/android/launcher3/WallpaperCropActivity.java;

+enterAndClear "packages/apps/UnifiedEmail";
+patch -p1 < "$DOS_PATCHES/android_packages_apps_UnifiedEmail/253861.patch"; #asb-2019.08-cm11
+
 enterAndClear "system/core";
 sed -i 's/!= 2048/< 2048/' libmincrypt/tools/DumpPublicKey.java; #Allow 4096-bit keys
 if [ "$DOS_HOSTS_BLOCKING" = true ]; then cat "$DOS_HOSTS_FILE" >> rootdir/etc/hosts; fi; #Merge in our HOSTS file
--- a/Scripts/LineageOS-14.1/Functions.sh
+++ b/Scripts/LineageOS-14.1/Functions.sh
@ -122,7 +122,7 @@ export -f buildAll;
 patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/cm"; fi;
 	source build/envsetup.sh;
-	repopick -it n_asb_09-2018-qcom;
+	repopick -it n_asb_09-2018-qcom; #TODO: move in tree
 	#repopick -it bt-sbc-hd-dualchannel-nougat;
 	repopick -it n-asb-2021-01;
 	repopick -it n-asb-2021-02;
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@ -133,8 +133,6 @@ patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;

 	source build/envsetup.sh;
-	repopick -it hh-p-sepolicy;
-	repopick -i 232948; #wahoo: liblight: close fd
 	#repopick -it pie-firewall;
 	repopick -it tzdb2020f_P;
 	repopick -it tzdb2021a_P;
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -257,6 +257,9 @@ enterAndClear "device/google/marlin";
 git revert --no-edit eeb92c0f094f58b1bdfbaa775d239948f81e915b 8c729e4b016a5b35159992413a22c289ecf2c44c; #remove some carrier blobs
 patch -p1 < "$DOS_PATCHES/android_device_google_marlin/0001-Fix_MediaProvider_Deadlock.patch"; #Fix MediaProvider using 100% CPU (due to broken ppoll on functionfs?)

+enterAndClear "device/google/wahoo";
+patch -p1 < "$DOS_PATCHES/android_device_google_wahoo/232948.patch"; #liblight: close fd
+
 enterAndClear "device/lge/g2-common";
 sed -i '3itypeattribute hwaddrs misc_block_device_exception;' sepolicy/hwaddrs.te;

@ -272,6 +275,7 @@ enterAndClear "device/lge/d855";
 git revert --no-edit 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path

 enterAndClear "device/lge/hammerhead";
+git am $DOS_PATCHES/android_device_lge_hammerhead/*.patch; #hh-p-sepolicy
 rm -rf bdAddrLoader; #duplicate with mako
 echo "SELINUX_IGNORE_NEVERALLOWS := true" >> BoardConfig.mk; #qcom-legacy sepolicy

--- a/Scripts/LineageOS-17.1/Functions.sh
+++ b/Scripts/LineageOS-17.1/Functions.sh
@ -131,7 +131,6 @@ patchWorkspace() {
 	if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;

 	source build/envsetup.sh;
-	repopick -i 271361; #releasetools: python3 fix, 287339 (alt)
 	#repopick -it ten-firewall;
 	repopick -it tzdb2020f_Q;
 	repopick -it tzdb2021a_Q;
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@ -66,6 +66,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0002-Symbol_Ordering.patch"; fi; #(GrapheneOS)

 enterAndClear "build/make";
+patch -p1 < "$DOS_PATCHES/android_build/271361.patch"; #releasetools: python3 fix, 287339 (alt)
 patch -p1 < "$DOS_PATCHES/android_build/0001-Restore_TTS.patch"; #Add back PicoTTS and language files
 patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
 awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;