Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2884542



Change-Id: I9689c80ddcad3540c4ef441b3676822de4bbbebe
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2873197



Change-Id: Idde345a590821155ecadf609d0ac616f0f49830e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

[automerger skipped] arm64/dts: gs201: Add Alive S2MPU am: b4d74ef4 -s ours am: 3e07d89c -s ours

am skip reason: Merged-In I844cdd4e2485fbae416c618b0b8a83e30b847065 with SHA-1 7b40bac4 is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877409



Change-Id: I6854543c88e55dfbad722b2064d168d2fb25bab4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

am skip reason: Merged-In I38a1a2af556eaca83be3bd93db1b5dd400034255 with SHA-1 d913e04f is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877864



Change-Id: Ic253cae204672d26767dedf70031cff4483eb27e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

[automerger skipped] arm64/s2mpu: Add deny-all support am: 3a4aa019 -s ours am: 2ab6052c -s ours

am skip reason: Merged-In Id8a38b38310ec950841074b288797041355a3ec7 with SHA-1 0f1c59c0 is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877863



Change-Id: I907d4232884506201eebc62275c018c642d596da
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2870608



Change-Id: I1b97d1973702faf287747a8263e87e6689e0b220
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2870607



Change-Id: I401d792dd1076dc578f869a1ddef3e02dda3053d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2870606



Change-Id: I149556c8754655fa7cc8dd6af7f74ad9b6935599
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Reduce the amount of data being dumped into logs via the panic notifier if the Trusty kernel has not itself panicked.

Bug: 332426051
Test: sys-rq crash with force option
Test: sys-rq crash without force option
Test: Trusty panic without force option
Change-Id: I0d2622b905236f50388c2f5b00c17cbdbd0c2edb
Signed-off-by: Michael McTernan <mikemcternan@google.com>

misfit_task_load will be set as 0 when task util is 1024

Bug: 346060683
Change-Id: Ib59d76264b9beba9471c6f301b3b2db7867945aa
Signed-off-by: Chungkai Mei <chungkai@google.com>

am skip reason: Merged-In I844cdd4e2485fbae416c618b0b8a83e30b847065 with SHA-1 7b40bac4 is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877409



Change-Id: I7965f476dd52444d1ccd7a1e9965039723a03130
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

am skip reason: Merged-In I38a1a2af556eaca83be3bd93db1b5dd400034255 with SHA-1 d913e04f is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877864



Change-Id: I4a5955495de690eaa4e423cb47fe95c9aad05140
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

am skip reason: Merged-In Id8a38b38310ec950841074b288797041355a3ec7 with SHA-1 0f1c59c0 is already in history

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877863



Change-Id: I24f0e9ffce21318e06645aefbe7b5bf5cb4fae4d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Alive S2MPU is fully trusted and is not managed by the kernel.
However, we need to make sure the kernel can’t map it to use
it in emulation mode of the S2MPU.

So we define it as:
- “deny-all”: So it never gets power managed or updated
- “off-at-boot”: Never configured at boot.

Which mainly means it remains unconfigured but it's MMIO is not
accessible to the kernel.

Bug: 342511931
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:7b40bac463a2ce4ea983b0c5963a8f65532f37fb)
Merged-In: I844cdd4e2485fbae416c618b0b8a83e30b847065
Change-Id: I844cdd4e2485fbae416c618b0b8a83e30b847065

AoC is only controlled by TZ.

However, SysMMU has an emulation feature that can be misused to read
from arbitrary memory locations, and with SysMMU under the control of
the kernel, we need to configure S2MPU to block such potentially
malicious transactions.

Add the AoC S2MPU with the new flag “deny-all” which would mainly
unmap the S2MPU interface and configure it to deny all traffic.

Bug: 342511931
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:d913e04f18a500d4b46e4e928fd4e69106b28ebd)
Merged-In: I38a1a2af556eaca83be3bd93db1b5dd400034255
Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255

Add "deny-all" propery for S2MPUs, this has the same purpose as other
branches but implemented in a slightly different way.

Mainly, we want to ensure that this device is not accessible from
host and in deny-all state, at probe the device is set to deny state
and then all PM calls are blocked so the hypervisor would never touch
any of its MMIO
But they are registered with the hypervisor so they are not accessible
from host.

Bug: 342511931
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:0f1c59c0ddc06986260f0e99d58d543ab43cf4de)
Merged-In: Id8a38b38310ec950841074b288797041355a3ec7
Change-Id: Id8a38b38310ec950841074b288797041355a3ec7

Alive S2MPU is fully trusted and is not managed by the kernel.
However, we need to make sure the kernel can’t map it to use
it in emulation mode of the S2MPU.

So we define it as:
- “deny-all”: So it never gets power managed or updated
- “off-at-boot”: Never configured at boot.

Which mainly means it remains unconfigured but it's MMIO is not
accessible to the kernel.

Bug: 342511931
Change-Id: I844cdd4e2485fbae416c618b0b8a83e30b847065
Signed-off-by: Mostafa Saleh <smostafa@google.com>

AoC is only controlled by TZ.

However, SysMMU has an emulation feature that can be misused to read
from arbitrary memory locations, and with SysMMU under the control of
the kernel, we need to configure S2MPU to block such potentially
malicious transactions.

Add the AoC S2MPU with the new flag “deny-all” which would mainly
unmap the S2MPU interface and configure it to deny all traffic.

Bug: 342511931
Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255
Signed-off-by: Mostafa Saleh <smostafa@google.com>

Add "deny-all" propery for S2MPUs, this has the same purpose as other
branches but implemented in a slightly different way.

Mainly, we want to ensure that this device is not accessible from
host and in deny-all state, at probe the device is set to deny state
and then all PM calls are blocked so the hypervisor would never touch
any of its MMIO
But they are registered with the hypervisor so they are not accessible
from host.

Bug: 342511931
Change-Id: Id8a38b38310ec950841074b288797041355a3ec7
Signed-off-by: Mostafa Saleh <smostafa@google.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2860179



Change-Id: Ia19bfe383688889adaa7a4cf55ff5763d24719ce
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Assigns device data to `s3c_wdt[cluster_index]` only when probe function
completes. Several functions of s3c2410_wdt use the existence of
`s3c_wdt[*]` to decide whether the device data is ready to be accessed.
This causes an invalid access issue as long as the probe function puts
device data to `s3c_wdt[cluster_index]` before completely preparing the
content. Fixes the issue by rearranging the assignment order.

Bug: 342585125
Change-Id: Idb4c3b71fb2e0518725c697db01e708aa0c7c86b
Signed-off-by: Woody Lin <woodylin@google.com>
(cherry picked from commit d7bd15571d51e658a081d98dfbcc17e3aa104585)

[automerger skipped] Merge android13-5.10-2024-05 ab/11971276 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] am: f125c99a -s ours

am skip reason: contains skip directive

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2859035



Change-Id: I1e7d6198bf695a98486f2766d43e72631d19033b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Merge android13-5.10-2024-05 ab/11971276 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ]

Merge SHA:
28a6e1ad ANDROID: 16K: Only check basename of linker context

Bug: 330767927
Bug: 299190787 (ACK)
Bug: 330767927 (ACK)
Bug: 335584973 (ACK)
Bug: 336226035 (ACK)
Bug: 345872992 (ACK)
Bug: 347106837 (ACK)
Change-Id: I0e651fe0318d2e6b66d2281cc327767c2faa5b49
Signed-off-by: Pindar Yang <pindaryang@google.com>

The backport of commit 3080ea55 ("stddef: Introduce
DECLARE_FLEX_ARRAY() helper") to 5.10.y (as a prerequisite of another
fix) modified scripts/kernel-doc and introduced a syntax error:

Global symbol "$args" requires explicit package name (did you forget to declare "my $args"?) at ./scripts/kernel-doc line 1236.
Global symbol "$args" requires explicit package name (did you forget to declare "my $args"?) at ./scripts/kernel-doc line 1236.
Execution of ./scripts/kernel-doc aborted due to compilation errors.

Note: The issue could be fixed in the 5.10.y series as well by
backporting e86bdb24 ("scripts: kernel-doc: reduce repeated regex
expressions into variables") but just replacing the undeclared args back
to ([^,)]+) was the most straightforward approach. The issue is specific
to the backport to the 5.10.y series. Thus there is as well no upstream
commit for this change.

Fixes: 443b16ee ("stddef: Introduce DECLARE_FLEX_ARRAY() helper") # 5.10.y
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Link: https://lore.kernel.org/regressions/ZeHKjjPGoyv_b2Tg@eldamar.lan/T/#u
Link: https://bugs.debian.org/1064035


Change-Id: Ia652484d0342397be5d2999e72782e9e6896a42c
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

Depending on the platform binary being executed, the linker
(interpreter) requested can be one of:

    1) /system/bin/bootstrap/linker64
    2) /system/bin/linker64
    3) /apex/com.android.runtime/bin/linker64

Relax the check to the basename (linker64), instead of the path.

Bug: 330767927
Bug: 335584973
Bug: 347106837
Change-Id: I4a1f95b7cecd126f85ad8cefd9ff10d272947f9e
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from commit 38965378)

Merge SHA:
38965378 ANDROID: 16K: Only check basename of linker context

Bug: 300854197
Bug: 146449535 (ACK)
Bug: 161946584 (ACK)
Bug: 239396464 (ACK)
Bug: 254441685 (ACK)
Bug: 299190787 (ACK)
Bug: 330767927 (ACK)
Bug: 333778731 (ACK)
Bug: 335584973 (ACK)
Bug: 335718233 (ACK)
Bug: 336226035 (ACK)
Bug: 339526723 (ACK)
Bug: 340049585 (ACK)
Bug: 343727534 (ACK)
Change-Id: I58eef8bebe29ffdab2c47d90bd835af24837d735
Signed-off-by: Pindar Yang <pindaryang@google.com>

Depending on the platform binary being executed, the linker
(interpreter) requested can be one of:

    1) /system/bin/bootstrap/linker64
    2) /system/bin/linker64
    3) /apex/com.android.runtime/bin/linker64

Relax the check to the basename (linker64), instead of the path.

Bug: 330767927
Bug: 335584973
Change-Id: I4a1f95b7cecd126f85ad8cefd9ff10d272947f9e
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>

[ Upstream commit 97af84a6 ]

When touching unix_sk(sk)->inflight, we are always under
spin_lock(&unix_gc_lock).

Let's convert unix_sk(sk)->inflight to the normal unsigned long.

Bug: 336226035
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 47d8ac01 ("af_unix: Fix garbage collector racing against connect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 301fdbaa0bba4653570f07789909939f977a7620)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e

[ Upstream commit 97af84a6 ]

When touching unix_sk(sk)->inflight, we are always under
spin_lock(&unix_gc_lock).

Let's convert unix_sk(sk)->inflight to the normal unsigned long.

Bug: 336226035
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 47d8ac01 ("af_unix: Fix garbage collector racing against connect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 301fdbaa)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e

Pixel MM Metrics:
   add the missing symbol 'seq_put_decimal_ll' and re-do update list

Bug: 299190787
Bug: 345872992
Test: local build
Change-Id: I005ccfa15cee8252bc51242460bbab9b7d0eb2ab
Signed-off-by: Robin Hsu <robinhsu@google.com>
(cherry-pick from commit 8b3b0f2a)

Pixel MM Metrics:
   add the missing symbol 'seq_put_decimal_ll' and re-do update list

Bug: 299190787
Test: local build
Change-Id: I005ccfa15cee8252bc51242460bbab9b7d0eb2ab
Signed-off-by: Robin Hsu <robinhsu@google.com>
(cherry-pick from d86f55a38edfefc37fedd356d10979d697c42eb5)
(amend: generate xml for 5.10 kernel)

[automerger skipped] Merge android13-5.10-2024-05 ab/11918793 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] am: 4bfefd19 -s ours

am skip reason: contains skip directive

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2842492



Change-Id: I1ffab8ac217664ae14b6daf2a0bc301c8fdc9dec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Merge android13-5.10-2024-05 ab/11918793 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ]

Merge SHA:
dc586962 ANDROID: ABI fixup for abi break in struct dst_ops

Bug: 343727534
Bug: 299190787 (ACK)
Bug: 343363380 (ACK)
Bug: 343727534 (ACK)
Bug: 344531723 (ACK)
Change-Id: I073af721f6ca4d418c690bdd6612568730c5b3cd
Signed-off-by: Pindar Yang <pindaryang@google.com>

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2838467



Change-Id: I9817bbf2ee1d279b2301a3aea0b35bff9c4a56ed
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

ref_info of mfc_dec is allocated as size of MFC_MAX_BUFFERS(32),
but the error condition in mfc_dec_dqbuf check the limitation of buf index
as MFC_MAX_DPBS. This can be make the OOB issue so it is fixed.

Bug: 337803567
Test: video playback

Change-Id: I608e2253381d39bbf334d43cb7702551ad3ffb37
Signed-off-by: Seungchul Kim <sc377.kim@samsung.com>
Signed-off-by: wenchangliu <wenchangliu@google.com>

[automerger skipped] Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] am: 83d992bc -s ours am: 527698b3 -s ours

am skip reason: contains skip directive

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2839550



Change-Id: Iea30aff9a967a583c646419587f478c19435747c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

[automerger skipped] Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] am: 83d992bc -s ours

am skip reason: contains skip directive

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2839550



Change-Id: I19631324e65be7ee899774c9945d505f9e6d43c5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ]

Merge SHA:
12f33888 ANDROID: ABI fixup for abi break in struct dst_ops

Bug: 343727534
Bug: 340128979 (ACK)
Bug: 343727534 (ACK)
Bug: 344562971 (ACK)
Change-Id: I1e0f407578e010015b21265b563bb264ae405074
Merged-In: I3736ae2a7ac2172cb9a0454636be1d4122fcbb1b
Signed-off-by: Pindar Yang <pindaryang@google.com>

In commit 92f1655a ("net: fix __dst_negative_advice() race") the
struct dst_ops callback negative_advice is callback changes function
parameters.  But as this pointer is part of a structure that is tracked
in the ABI checker, the tool triggers when this is changed.

However, the callback pointer is internal to the networking stack, so
changing the function type is safe, so needing to preserve this is not
required.  To do so, switch the function pointer type back to the old
one so that the checking tools pass, AND then do a hard cast of the
function pointer to the new type when assigning and calling the
function.

Bug: 343727534
Bug: 344562971
Fixes: 92f1655a ("net: fix __dst_negative_advice() race")
Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Robin Peng <robinpeng@google.com>

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Bug: 343727534
Bug: 344562971
Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <clecigne@google.com>
Diagnosed-by: Clement Lecigne <clecigne@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 92f1655a)
[Lee: Trivial/unrelated conflict - no change to the patch]
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Robin Peng <robinpeng@google.com>