- Jul 11, 2024
Mostafa Saleh authored
AoC is only controlled by TZ. However, SysMMU has an emulation feature that can be misused to read from arbitrary memory locations, and with SysMMU under the control of the kernel, we need to configure S2MPU to block such potentially malicious transactions.

Add the AoC S2MPU with the new flag "deny-all", which would mainly unmap the S2MPU interface and configure it to deny all traffic.

Bug: 342511931
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:d913e04f18a500d4b46e4e928fd4e69106b28ebd)
Merged-In: I38a1a2af556eaca83be3bd93db1b5dd400034255
Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255

Mostafa Saleh authored
Add "deny-all" property for S2MPUs; this has the same purpose as on other branches but is implemented in a slightly different way. Mainly, we want to ensure that this device is not accessible from the host and is in deny-all state: at probe the device is set to deny state and then all PM calls are blocked, so the hypervisor would never touch any of its MMIO. But they are registered with the hypervisor, so they are not accessible from the host.

Bug: 342511931
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:0f1c59c0ddc06986260f0e99d58d543ab43cf4de)
Merged-In: Id8a38b38310ec950841074b288797041355a3ec7
Change-Id: Id8a38b38310ec950841074b288797041355a3ec7

- Jun 04, 2024
Pindar Yang authored
Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ]

Merge SHA: 12f33888 ANDROID: ABI fixup for abi break in struct dst_ops

Bug: 343727534
Bug: 340128979 (ACK)
Bug: 343727534 (ACK)
Bug: 344562971 (ACK)
Change-Id: I1e0f407578e010015b21265b563bb264ae405074
Merged-In: I3736ae2a7ac2172cb9a0454636be1d4122fcbb1b
Signed-off-by: Pindar Yang <pindaryang@google.com>

- Jun 03, 2024
Greg Kroah-Hartman authored
In commit 92f1655a ("net: fix __dst_negative_advice() race") the function parameters of the struct dst_ops callback negative_advice were changed. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed. However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required.

To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function.

Bug: 343727534
Bug: 344562971
Fixes: 92f1655a ("net: fix __dst_negative_advice() race")
Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Robin Peng <robinpeng@google.com>

Eric Dumazet authored
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three existing ->negative_advice() methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(); there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

Bug: 343727534
Bug: 344562971
Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 92f1655a)
[Lee: Trivial/unrelated conflict - no change to the patch]
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Robin Peng <robinpeng@google.com>

- May 15, 2024
Guanghui Feng authored
commit 0c9ae0b8 upstream.

    core-1                                         core-2
    -------------------------------------------------------
    uio_unregister_device                          uio_open
                                                   idev = idr_find()
    device_unregister(&idev->dev)
    put_device(&idev->dev)
    uio_device_release
                                                   get_device(&idev->dev)
    kfree(idev)
    uio_free_minor(minor)
                                                   uio_release
                                                   put_device(&idev->dev)
                                                   kfree(idev)
    -------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:

1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 does uio_release and put_device, the idev will be double freed.

To address this issue, we can get idev atomic & inc idev reference with minor_lock.

Bug: 340128979
Fixes: 57c5f4df ("uio: fix crash after the device is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5e0be122)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Id6e67948d146997c2861db5f634e8eeafa32a53f

- Apr 10, 2024
Michelle Yang authored
SMFC driver only supports SMFC_MAX_PLANES (6) planes. Add validation for security.

Bug: 322065862
Change-Id: I48da4a5fa3fb8499e568d9edb9c862c65dfa8a9b
Signed-off-by: Michelle Yang <micya@google.com>

- Apr 08, 2024
Pindar Yang authored
Merge SHA: 7a2aa337 FROMLIST: binder: check offset alignment in binder_get_object()

Bug: 320661088
Bug: 320478828 (ACK)
Bug: 320661088 (ACK)
Bug: 331530096 (ACK)
Bug: 332642003 (ACK)
Change-Id: Id6c67c3a15d8eefd1d6a30d09a3141d9daf40d22
Merged-In: I3736ae2a7ac2172cb9a0454636be1d4122fcbb1b
Signed-off-by: Pindar Yang <pindaryang@google.com>

- Apr 03, 2024
Carlos Llamas authored
Commit 6d98eb95 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder.

It is worth noting this check existed prior to commit 7a67a393 ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time.

Fixes: 6d98eb95 ("binder: avoid potential data leakage when copying txn")
Cc: <stable@vger.kernel.org>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 320661088
Bug: 332642003
Link: https://lore.kernel.org/all/20240330190115.1877819-1-cmllamas@google.com/
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: Iaddabaa28de7ba7b7d35dbb639d38ca79dbc5077
Bug: 332642003
Signed-off-by: Pindar Yang <pindaryang@google.com>
(cherry picked from commit 7859c5c9)

- Mar 29, 2024
Mahesh Kallelil authored
There are two instances where a pointer from CP shared memory is used to read from the CP buffer. Without checking for bounds, we risk OOB read from AP.

Bug: 321714444
Change-Id: I9af053638a85584a9f259c7e43edbf66ee7568ca
Signed-off-by: Mahesh Kallelil <kallelil@google.com>

- Mar 27, 2024
Lokesh Gidra authored
Check if the mmap_lock is contended when looping over the pages that are requested to be filled. When it is observed, we rely on the already existing mechanism to return bytes copied/filled and -EAGAIN as error. This helps by avoiding contention of mmap_lock for long running userfaultfd operations. The userspace can perform other tasks before retrying the operation for the remaining pages.

Bug: 320478828
Bug: 331530096
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:6bc28fdfeec3373198d11fae1c9663a598ddb05c)
Merged-In: I6d485fd03c96a826956ee3962e58058be3cf81c1
Change-Id: I6d485fd03c96a826956ee3962e58058be3cf81c1

Lokesh Gidra authored
In case mmap_lock is contended, it is possible that userspace can spend time performing other tasks rather than waiting in uninterruptible-sleep state for the lock to become available. Even if no other task is available, it is better to yield or sleep rather than adding contention to an already contended lock.

We introduce MMAP_TRYLOCK mode so that when possible, userspace can request to use mmap_read_trylock(), returning -EAGAIN if and when it fails.

Bug: 320478828
Bug: 331530096
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:4a4450b4a7205367d1e8ed43a8792cbaf2cfb1e9)
Merged-In: I2d196fd317e054af03dbd35ac1b0c7634cb370dc
Change-Id: I2d196fd317e054af03dbd35ac1b0c7634cb370dc

- Mar 25, 2024
Pindar Yang authored
Merge SHA: 78e051b2 ANDROID: GKI: fix ABI breakage in struct ipv6_devconf

Bug: 325847673
Bug: 314338409 (ACK)
Bug: 320243175 (ACK)
Bug: 320478828 (ACK)
Bug: 324437514 (ACK)
Bug: 327480636 (ACK)
Bug: 328786602 (ACK)
Bug: 330729479 (ACK)
Change-Id: I8f07b24d69dd2b2ced6040f100ccf6a6d7ea169b
Merged-In: I9e5e1e0be1b3332f8c9c15b4309e8a3d234068d8
Signed-off-by: Pindar Yang <pindaryang@google.com>

- Mar 21, 2024
Carlos Llamas authored
The following list of commits, which are in the 5.10.199 release, add a new field in struct ipv6_devconf and this breaks the ABI. Fix this by using one of the reserved slots for upstream changes and update the xml file to preserve the build.

    014cab53 ("net: release reference to inet6_dev pointer")
    d491ac7a ("net: change accept_ra_min_rtr_lft to affect all RA lifetimes")
    354a9677 ("net: add sysctl accept_ra_min_rtr_lft")

    type 'struct ipv6_devconf' changed
      member 'union { struct { __s32 accept_ra_min_lft; u32 padding; }; struct { u64 android_kabi_reserved1; }; union { }; }' was added
      member 'u64 android_kabi_reserved1' was removed

Bug: 330729479
Bug: 320243175
Change-Id: Icddcad574f3c29f6d3e63b10f8c7e51bdf46fe7f
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Carlos Llamas authored
This reverts commit 48e5a04e.

Bug: 330729479
Bug: 320243175
Change-Id: I4627e1097dddbb697597cbb51e4ba9f4f1af61da
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Carlos Llamas authored
This reverts commit 1000d91d.

Bug: 330729479
Bug: 320243175
Change-Id: If51722d74fe9b326d69c96c0cdfca43db6e33b93
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Carlos Llamas authored
This reverts commit 53ca2e02.

Bug: 330729479
Bug: 320243175
Change-Id: Ia31692230f2f5cbd2ac349edcb2be320497c52f3
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Carlos Llamas authored
The android_kabi.h header file uses the __stringify() macro without explicitly including its definition via linux/stringify.h. This can result in the build breaking when using the ANDROID_KABI_USE macro:

    common/include/linux/ipv6.h:83:2: error: expected ')'
            ANDROID_KABI_USE(1, struct { __s32 accept_ra_min_lft; u32 padding; });
            ^
    [...]
    common/include/linux/android_kabi.h:44:24: note: expanded from macro '__ANDROID_KABI_CHECK_SIZE_ALIGN'
                    __FILE__ ":" __stringify(__LINE__) ": "    \
                                 ^

To fix this, let android_kabi.h include stringify.h explicitly instead of relying on includes of previous unrelated header files.

Bug: 330729479
Bug: 324437514
Change-Id: I16cced44e723871b2e1a92b312e60f38e41fea70
Signed-off-by: Carlos Llamas <cmllamas@google.com>

- Mar 16, 2024
Kamal Shafi authored
Tele camera will sometimes hit a timeout due to a very long transaction processing time. Increase the priority for the image sensor to resolve this issue.

Bug: 326832004
Test: build
Change-Id: Ibdbac634312b6173d55af3359257b668f6a78732
Signed-off-by: Kamal Shafi <kamalshafi@google.com>

- Mar 13, 2024
Jack Diver authored
Revert submission 2753879-gpu-slcv2-gs201

Reason for revert: Prebuild did not land before cutoff

Reverted changes: /q/submissionid:2753879-gpu-slcv2-gs201

Bug: 329447972
Change-Id: Id15f73be490cc93bffcff163b5c059ed491a6d8b

Jack Diver authored
Revert submission 2753879-gpu-slcv2-gs201

Reason for revert: Prebuild did not land before cutoff

Reverted changes: /q/submissionid:2753879-gpu-slcv2-gs201

Bug: 329447972
Change-Id: I02fd996152594ea3d6756ba08e07ec12ac9e3681

Jack Diver authored
Revert submission 2753879-gpu-slcv2-gs201

Reason for revert: Prebuild did not land before cutoff

Reverted changes: /q/submissionid:2753879-gpu-slcv2-gs201

Bug: 329447972
Change-Id: Ic6326155b12d9286874d90c5737f88d7c9b945bb

- Mar 08, 2024
Lokesh Gidra authored
Currently we bail out of speculative page fault when we detect that the fault address is in a userfaultfd registered vma. However, if userfaultfd is being used with the UFFD_FEATURE_SIGBUS feature, then handle_userfault() doesn't do much and is easiest to handle with SPF.

This patch lets MISSING userfaults on private anonymous mappings be allowed with SPF if UFFD_FEATURE_SIGBUS is used.

With this patch we get >99% success rate for userfaults caused during userfaultfd GC's compaction phase. This translates into eliminating uninterruptible sleep time in do_page_fault() due to userfaults.

Bug: 320478828
Bug: 328786602
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Change-Id: Ic7fde0fde03602b35179bc0cf891ddbbc434190f
(cherry picked from commit 582c6d18)

- Mar 05, 2024
Mahesh Kallelil authored
The fore pointer is passed by CP using shared memory. Without an OOB check for this, we risk an OOB access if the CP firmware gets compromised.

Bug: 321941700
Change-Id: I744d58fc54bfa5ac75575ba0921e269766d8a1c7
Signed-off-by: Mahesh Kallelil <kallelil@google.com>

Seungchul Kim authored
Bug: 321712082
Change-Id: I220454ff345f07ed0ef10fb8937cc66e64de7f19
Signed-off-by: Seungchul Kim <sc377.kim@samsung.com>

- Mar 01, 2024
Jack Diver authored
Use a single WA partition.

Bug: 313458962
Bug: 290354607
Test: boot to home
Test: gfxbench
Signed-off-by: Jack Diver <diverj@google.com>
(cherry picked from commit 8609340a7ff318654cde355868c40d06d7713433)
Merged-In: Iea5167e9a9c17397a46981f2146a3053c0cf64b3
Change-Id: Iea5167e9a9c17397a46981f2146a3053c0cf64b3

Jack Diver authored
Bug: 313458962
Test: gfxbench
Signed-off-by: Jack Diver <diverj@google.com>
(cherry picked from commit 2f8e75b8da70fd225bb3d5d1865d8db8de53eb67)
Merged-In: I76f8548738008b30426af738db2f20985f8cc92c
Change-Id: I76f8548738008b30426af738db2f20985f8cc92c

Jack Diver authored
Bug: 313458962
Test: boot to home
Test: gfxbench
Signed-off-by: Jack Diver <diverj@google.com>
(cherry picked from commit e60d259df7557823aeef70c05a090790df38e519)
Merged-In: Icbe8697805e18f3104e1138fab1a5d4aaeb319e2
Change-Id: Icbe8697805e18f3104e1138fab1a5d4aaeb319e2

- Feb 28, 2024
Avichal Rakesh authored
When handling error status from uvcg_video_usb_req_queue, uvc_video_complete currently calls uvcg_queue_cancel with video->req_lock held. uvcg_queue_cancel internally locks queue->irqlock, which nests queue->irqlock inside video->req_lock. This isn't a functional bug at the moment, but does open up possibilities for ABBA deadlocks in the future.

This patch fixes the accidental nesting by dropping video->req_lock before calling uvcg_queue_cancel.

Fixes: 6acba034 ("usb:gadget:uvc Do not use worker thread to pump isoc usb requests")
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Link: https://lore.kernel.org/r/20240104215009.2252452-2-arakesh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 327480636
Bug: 314338409
(cherry picked from commit 9866dc43)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:a73b2fce0ded6cc30703686710e2e15aa579cbe6)
Merged-In: I187bbbe218bbacc2eafd12a3685f03b264dd2d3b
Change-Id: I187bbbe218bbacc2eafd12a3685f03b264dd2d3b

Avichal Rakesh authored
There is a path that may lead to freed memory being referenced, causing kernel panics. The kernel panic has the following stack trace:

    Workqueue: uvcgadget uvcg_video_pump.c51fb85fece46625450f86adbf92c56c.cfi_jt
    pstate: 60c00085 (nZCv daIf +PAN +UAO -TCO BTYPE=--)
    pc : __list_del_entry_valid+0xc0/0xd4
    lr : __list_del_entry_valid+0xc0/0xd4
    Call trace:
     __list_del_entry_valid+0xc0/0xd4
     uvc_video_free_request+0x60/0x98
     uvcg_video_pump+0x1cc/0x204
     process_one_work+0x21c/0x4b8
     worker_thread+0x29c/0x574
     kthread+0x158/0x1b0
     ret_from_fork+0x10/0x30

The root cause is that uvcg_video_usb_req_queue frees the uvc_request if is_enabled is false and returns an error status. video_pump also frees the associated request if uvcg_video_usb_req_queue returns an error status, leading to double free and accessing garbage memory.

To fix the issue, this patch removes freeing logic from uvcg_video_usb_req_queue, and lets the callers of the function handle queueing errors as they see fit.

Fixes: 6acba034 ("usb:gadget:uvc Do not use worker thread to pump isoc usb requests")
Tested-by: Avichal Rakesh <arakesh@google.com>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Link: https://lore.kernel.org/r/20240104215009.2252452-1-arakesh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 327480636
Bug: 314338409
(cherry picked from commit fe814b5b)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:d9d01f0076a102d93b1be001f6af671cc2899b76)
Merged-In: I7c2e96e02a129863bc2ae39f3a91bf03a1ad7172
Change-Id: I7c2e96e02a129863bc2ae39f3a91bf03a1ad7172

- Feb 27, 2024
Spade Lee authored
gvotable_election_for_each() tries to get all enabled votes as input to the callback, but votes might be deleted (null pointer) during iteration. Should get the result lock to avoid it.

Bug: 322656989
Test: did not reproduce kernel panic for hours.
Change-Id: I58b660c1de8210aa804230a9e53f57ea7f4aeca7
Signed-off-by: Spade Lee <spadelee@google.com>

- Feb 21, 2024
Pindar Yang authored
Merge SHA: 11d7e4f5 ANDROID: mm: Fix VMA ref count after fast-mremap

Bug: 322411509
Bug: 317942806 (ACK)
Bug: 322411509 (ACK)
Bug: 323371343 (ACK)
Change-Id: Icfe64eb3f1e3bbd72f118d0e5244f87273fc09c2
Signed-off-by: Pindar Yang <pindaryang@google.com>

- Feb 20, 2024
Bug: 315190967
Change-Id: Ifaaf126b32c02aa8a8acc6103043b797ef99c1d9
Signed-off-by: Benjamin Schwartz <bsschwar@google.com>

Bug: 315190967
Change-Id: I987cfe3925e03866c5cc9a60945059706942b826
Signed-off-by: Benjamin Schwartz <bsschwar@google.com>

- Feb 19, 2024
Kamal Shafi authored
If optional GPIOs are provisioned from the device tree, probe needs to be retried if they can't be acquired. This is to avoid peripherals being unable to power up.

Bug: 323257752
Test: build pass
Change-Id: I3c684d2bcc3325451cbe5a3c7017d253efbbaf1e
Signed-off-by: Kamal Shafi <kamalshafi@google.com>

- Feb 13, 2024
Sajid Dalvi authored
Reduce log spam while establishing pcie link. Remove print of 0x5FC register status to console log.

Bug: 318068691
Change-Id: Ie1082fd9e941e05ab2a689213f700dd09bfdc9aa
Signed-off-by: Sajid Dalvi <sdalvi@google.com>

- Feb 12, 2024
William McVicker authored
The SPL in the platform build is being updated more frequently than originally anticipated (previously it was updated quarterly in the trunk_staging builds). Now the trunk staging SPL follows the monthly SPL. To accommodate this, this patch updates the development build's SPL to pick the QPR date after the next QPR, e.g. Nov 2023 builds would pick March 2024.

Note, as a reminder, this is for development purposes only and the Android platform build will override this SPL.

Tested: verified the SPL is set to '2024-06-05' with this patch
Bug: 274825778
Signed-off-by: Will McVicker <willmcvicker@google.com>
Change-Id: Ifb815a285baf9f633c03e122dfd126e653882ec7

- Feb 07, 2024
Jacky Liu authored
Not needed after disabling CONFIG_VH_I2C.

Bug: 323447554
Change-Id: I98b2ca9859b2996d637f1997be2a7e0fff6f5b72
Signed-off-by: Jacky Liu <qsliu@google.com>

Jacky Liu authored
The related vendor hook is not upstreamed. So in different kernel versions i2c devices have different paths and it's hard to maintain. Disable VH_I2C so i2c devices have the same paths across different kernel versions.

Bug: 323447554
Change-Id: Id159276b65a5bc87abb9f4113f2ca31fc039fbf6
Signed-off-by: Jacky Liu <qsliu@google.com>

Jacky Liu authored
Statically assign i2c bus numbers for gs201, and update i2c bus number for gs101 to be aligned with gs201.

Bug: 323447554
Change-Id: I8a1abe22b471800c32304b4366b9c3711c8b1880
Signed-off-by: Jacky Liu <qsliu@google.com>
