In Android Security Bulletins, it have 3 type of security information.
- Android platform fixes are merged into AOSP 24–48 hours after the security bulletin is released and can be picked up directly from there.
- Upstream Linux kernel fixes are linked to directly from the bulletin on release and can be picked up from there.
- Fixes from SOC manufacturers are available directly from the manufacturers.
My understanding that who must apply patches for this
About "Fixed from SOC manufacturers" will be released some patches from NXP.
Others, "Android platform fixes" and "Upstream Linux kernel fixes", customer must get fixed code for each
security Bulletins and apply it by themselves.
Is it correct?