- Sep 11, 2024
-
-
Pindar Yang authored
Merge android13-5.10-2024-05 ab/12324538 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] Merge SHA: 17e85e80 UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune() Bug: 349777785 Bug: 336226035 (ACK) Bug: 349143236 (ACK) Bug: 349777785 (ACK) Bug: 352520660 (ACK) Change-Id: Ic338319f2b5c82a887d84b2359856a681033c23a Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Sep 02, 2024
-
-
Hangyu Hua authored
[ Upstream commit affc18fd ] q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur. Bug: 349777785 Fixes: c2999f7f ("net: sched: multiq: don't call qdisc_put() while holding tree lock") Signed-off-by:
Hangyu Hua <hbh25y@gmail.com> Acked-by:
Cong Wang <cong.wang@bytedance.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Sasha Levin <sashal@kernel.org> (cherry picked from commit 0f208fad) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Iec8413c39878596795420ae58bbe6974890cf2de
-
Carlos Llamas authored
Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. This issue is made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.

Fixes: 6d98eb95 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 352520660
Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/
Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2
Signed-off-by: Carlos Llamas <cmllamas@google.com>
(cherry picked from commit b42ed94769088450987f2b52f41a3fb274244827)
Signed-off-by: Lee Jones <joneslee@google.com>
-
- Jul 18, 2024
-
-
Eric Lai authored
In order to print less log to make room for other logs, skip printing if the data is not filled. Bug: 332426051 Test: echo c > /proc/sysrq-trigger and check irq info Change-Id: I6519455c02ff6905f33464bd8f220c194e152a65 Signed-off-by:
Eric Lai <ericllai@google.com>
-
Eric Lai authored
Remove dpm override; let the driver directly control the support method without dpm change. In order to print less log to make room for other logs, disable last info which is unsupported. Bug: 332426051 Test: echo c > /proc/sysrq-trigger and check irq info Change-Id: I9789da3b8c96ae7c0023a80560a86f5f912d0a89 Signed-off-by:
Eric Lai <ericllai@google.com>
-
Eric Lai authored
In order to print less log to make room for other logs, use IRQ_THRESHOLD * boot time to filter normal IRQs. Since no IRQ should reach 50 times per second besides system IRQs, set IRQ_THRESHOLD to 50. Bug: 332426051 Test: echo c > /proc/sysrq-trigger and check irq info Change-Id: I838aa119ae214f533c83ee64fffd1642bf6b64ce Signed-off-by:
Eric Lai <ericllai@google.com>
-
Mike McTernan authored
Reduce the amount of data being dumped into logs via the panic notifier if the Trusty kernel has not itself panicked. Bug: 332426051 Test: sys-rq crash with force option Test: sys-rq crash without force option Test: Trusty panic without force option Change-Id: I0d2622b905236f50388c2f5b00c17cbdbd0c2edb Signed-off-by:
Michael McTernan <mikemcternan@google.com>
-
- Jul 16, 2024
-
-
Chungkai Mei authored
misfit_task_load will be set as 0 when task util is 1024 Bug: 346060683 Change-Id: Ib59d76264b9beba9471c6f301b3b2db7867945aa Signed-off-by:
Chungkai Mei <chungkai@google.com>
-
- Jul 11, 2024
-
-
Mostafa Saleh authored
am skip reason: Merged-In I844cdd4e2485fbae416c618b0b8a83e30b847065 with SHA-1 7b40bac4 is already in history Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877409 Change-Id: I7965f476dd52444d1ccd7a1e9965039723a03130 Signed-off-by:
Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Mostafa Saleh authored
am skip reason: Merged-In I38a1a2af556eaca83be3bd93db1b5dd400034255 with SHA-1 d913e04f is already in history Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877864 Change-Id: I4a5955495de690eaa4e423cb47fe95c9aad05140 Signed-off-by:
Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Mostafa Saleh authored
am skip reason: Merged-In Id8a38b38310ec950841074b288797041355a3ec7 with SHA-1 0f1c59c0 is already in history Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2877863 Change-Id: I24f0e9ffce21318e06645aefbe7b5bf5cb4fae4d Signed-off-by:
Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Mostafa Saleh authored
Alive S2MPU is fully trusted and is not managed by the kernel. However, we need to make sure the kernel can’t map it to use it in emulation mode of the S2MPU. So we define it as: - “deny-all”: So it never gets power managed or updated - “off-at-boot”: Never configured at boot. Which mainly means it remains unconfigured but its MMIO is not accessible to the kernel. Bug: 342511931 Signed-off-by:
Mostafa Saleh <smostafa@google.com> (cherry picked from https://partner-android-review.googlesource.com/q/commit:7b40bac463a2ce4ea983b0c5963a8f65532f37fb) Merged-In: I844cdd4e2485fbae416c618b0b8a83e30b847065 Change-Id: I844cdd4e2485fbae416c618b0b8a83e30b847065
-
Mostafa Saleh authored
AoC is only controlled by TZ. However, SysMMU has an emulation feature that can be misused to read from arbitrary memory locations, and with SysMMU under the control of the kernel, we need to configure S2MPU to block such potentially malicious transactions. Add the AoC S2MPU with the new flag “deny-all” which would mainly unmap the S2MPU interface and configure it to deny all traffic. Bug: 342511931 Signed-off-by:
Mostafa Saleh <smostafa@google.com> (cherry picked from https://partner-android-review.googlesource.com/q/commit:d913e04f18a500d4b46e4e928fd4e69106b28ebd) Merged-In: I38a1a2af556eaca83be3bd93db1b5dd400034255 Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255
-
Mostafa Saleh authored
Add "deny-all" property for S2MPUs, this has the same purpose as other branches but implemented in a slightly different way. Mainly, we want to ensure that this device is not accessible from host and in deny-all state, at probe the device is set to deny state and then all PM calls are blocked so the hypervisor would never touch any of its MMIO. But they are registered with the hypervisor so they are not accessible from host. Bug: 342511931 Signed-off-by:
Mostafa Saleh <smostafa@google.com> (cherry picked from https://partner-android-review.googlesource.com/q/commit:0f1c59c0ddc06986260f0e99d58d543ab43cf4de) Merged-In: Id8a38b38310ec950841074b288797041355a3ec7 Change-Id: Id8a38b38310ec950841074b288797041355a3ec7
-
- Jul 04, 2024
-
-
Mostafa Saleh authored
Alive S2MPU is fully trusted and is not managed by the kernel. However, we need to make sure the kernel can’t map it to use it in emulation mode of the S2MPU. So we define it as: - “deny-all”: So it never gets power managed or updated - “off-at-boot”: Never configured at boot. Which mainly means it remains unconfigured but its MMIO is not accessible to the kernel. Bug: 342511931 Change-Id: I844cdd4e2485fbae416c618b0b8a83e30b847065 Signed-off-by:
Mostafa Saleh <smostafa@google.com>
-
Mostafa Saleh authored
AoC is only controlled by TZ. However, SysMMU has an emulation feature that can be misused to read from arbitrary memory locations, and with SysMMU under the control of the kernel, we need to configure S2MPU to block such potentially malicious transactions. Add the AoC S2MPU with the new flag “deny-all” which would mainly unmap the S2MPU interface and configure it to deny all traffic. Bug: 342511931 Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255 Signed-off-by:
Mostafa Saleh <smostafa@google.com>
-
Mostafa Saleh authored
Add "deny-all" property for S2MPUs, this has the same purpose as other branches but implemented in a slightly different way. Mainly, we want to ensure that this device is not accessible from host and in deny-all state, at probe the device is set to deny state and then all PM calls are blocked so the hypervisor would never touch any of its MMIO. But they are registered with the hypervisor so they are not accessible from host. Bug: 342511931 Change-Id: Id8a38b38310ec950841074b288797041355a3ec7 Signed-off-by:
Mostafa Saleh <smostafa@google.com>
-
- Jun 28, 2024
-
-
Michal Luczaj authored
[ Upstream commit 47d8ac01 ]

Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)            sendmsg(S, [V]); close(V)   __unix_gc()
----------------            -------------------------   -----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                            // V count=1 inflight=0

                            NS = unix_peer(S)
                            skb2 = sock_alloc()
                            skb_queue_tail(NS, skb2[V])

                            // V became in-flight
                            // V count=2 inflight=1

                            close(V)

                            // V count=1 inflight=1
                            // GC candidate condition met

                                                        for u in gc_inflight_list:
                                                          if (total_refs == inflight_refs)
                                                            add u to gc_candidates

                                                        // gc_candidates={L, V}

                                                        for u in gc_candidates:
                                                          scan_children(u, dec_inflight)

                                                        // embryo (skb1) was not
                                                        // reachable from L yet, so V's
                                                        // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                        for u in gc_candidates:
                                                          if (u.inflight)
                                                            scan_children(u, inc_inflight_move_tail)

                                                        // V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

Bug: 349143236
Bug: 336226035
Fixes: 1fd05ba5 ("[AF_UNIX]: Rewrite garbage collector, fixes race.")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 507cc232ffe53a352847893f8177d276c3b532a9)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If321f78b8b3220f5a1caea4b5e9450f1235b0770
(cherry picked from commit 897b4b44ae08bc3a74e204536f49ab86a0b8002c)
-
- Jun 25, 2024
-
-
Woody Lin authored
Assigns device data to `s3c_wdt[cluster_index]` only when probe function completes. Several functions of s3c2410_wdt use the existence of `s3c_wdt[*]` to decide whether the device data is ready to be accessed. This causes an invalid access issue as long as the probe function puts device data to `s3c_wdt[cluster_index]` before completely preparing the content. Fixes the issue by rearranging the assignment order. Bug: 342585125 Change-Id: Idb4c3b71fb2e0518725c697db01e708aa0c7c86b Signed-off-by:
Woody Lin <woodylin@google.com> (cherry picked from commit d7bd15571d51e658a081d98dfbcc17e3aa104585)
-
- Jun 21, 2024
-
-
Pindar Yang authored
Merge android13-5.10-2024-05 ab/11971276 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] Merge SHA: 28a6e1ad ANDROID: 16K: Only check basename of linker context Bug: 330767927 Bug: 299190787 (ACK) Bug: 330767927 (ACK) Bug: 335584973 (ACK) Bug: 336226035 (ACK) Bug: 345872992 (ACK) Bug: 347106837 (ACK) Change-Id: I0e651fe0318d2e6b66d2281cc327767c2faa5b49 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 14, 2024
-
-
Kalesh Singh authored
Depending on the platform binary being executed, the linker (interpreter) requested can be one of: 1) /system/bin/bootstrap/linker64 2) /system/bin/linker64 3) /apex/com.android.runtime/bin/linker64 Relax the check to the basename (linker64), instead of the path. Bug: 330767927 Bug: 335584973 Bug: 347106837 Change-Id: I4a1f95b7cecd126f85ad8cefd9ff10d272947f9e Signed-off-by:
Kalesh Singh <kaleshsingh@google.com> (cherry picked from commit 38965378)
-
- Jun 11, 2024
-
-
Kuniyuki Iwashima authored
[ Upstream commit 97af84a6 ] When touching unix_sk(sk)->inflight, we are always under spin_lock(&unix_gc_lock). Let's convert unix_sk(sk)->inflight to the normal unsigned long. Bug: 336226035 Signed-off-by:
Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by:
Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 47d8ac01 ("af_unix: Fix garbage collector racing against connect()") Signed-off-by:
Sasha Levin <sashal@kernel.org> (cherry picked from commit 301fdbaa0bba4653570f07789909939f977a7620) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e
-
Robin Hsu authored
Pixel MM Metrics: add the missing symbol 'seq_put_decimal_ll' and re-do update list Bug: 299190787 Bug: 345872992 Test: local build Change-Id: I005ccfa15cee8252bc51242460bbab9b7d0eb2ab Signed-off-by:
Robin Hsu <robinhsu@google.com> (cherry-pick from commit 8b3b0f2a)
-
- Jun 06, 2024
-
-
Pindar Yang authored
Merge android13-5.10-2024-05 ab/11918793 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] Merge SHA: dc586962 ANDROID: ABI fixup for abi break in struct dst_ops Bug: 343727534 Bug: 299190787 (ACK) Bug: 343363380 (ACK) Bug: 343727534 (ACK) Bug: 344531723 (ACK) Change-Id: I073af721f6ca4d418c690bdd6612568730c5b3cd Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 05, 2024
-
-
Seungchul Kim authored
ref_info of mfc_dec is allocated as size of MFC_MAX_BUFFERS(32), but the error condition in mfc_dec_dqbuf checks the limitation of buf index as MFC_MAX_DPBS. This can cause an OOB issue, so it is fixed. Bug: 337803567 Test: video playback Change-Id: I608e2253381d39bbf334d43cb7702551ad3ffb37 Signed-off-by:
Seungchul Kim <sc377.kim@samsung.com> Signed-off-by:
wenchangliu <wenchangliu@google.com>
-
- Jun 04, 2024
-
-
Pindar Yang authored
[automerger skipped] Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] am: 83d992bc -s ours am skip reason: contains skip directive Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2839550 Change-Id: I19631324e65be7ee899774c9945d505f9e6d43c5 Signed-off-by:
Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Pindar Yang authored
Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] Merge SHA: 12f33888 ANDROID: ABI fixup for abi break in struct dst_ops Bug: 343727534 Bug: 340128979 (ACK) Bug: 343727534 (ACK) Bug: 344562971 (ACK) Change-Id: I1e0f407578e010015b21265b563bb264ae405074 Merged-In: I3736ae2a7ac2172cb9a0454636be1d4122fcbb1b Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 03, 2024
-
-
Greg Kroah-Hartman authored
In commit 92f1655a ("net: fix __dst_negative_advice() race") the struct dst_ops callback negative_advice changes function parameters. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed. However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required. To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function. Bug: 343727534 Bug: 344562971 Fixes: 92f1655a ("net: fix __dst_negative_advice() race") Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Signed-off-by:
Robin Peng <robinpeng@google.com>
-
Eric Dumazet authored
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. Bug: 343727534 Bug: 344562971 Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets") Reported-by:
Clement Lecigne <clecigne@google.com> Diagnosed-by:
Clement Lecigne <clecigne@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Reviewed-by:
David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 92f1655a) [Lee: Trivial/unrelated conflict - no change to the patch] Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4 Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Signed-off-by:
Robin Peng <robinpeng@google.com>
-
Greg Kroah-Hartman authored
In commit 92f1655a ("net: fix __dst_negative_advice() race") the struct dst_ops callback negative_advice changes function parameters. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed. However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required. To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function. Bug: 343727534 Bug: 344531723 Fixes: 92f1655a ("net: fix __dst_negative_advice() race") Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> (cherry picked from commit 51e48339)
-
Eric Dumazet authored
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. Bug: 343727534 Bug: 344531723 Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets") Reported-by:
Clement Lecigne <clecigne@google.com> Diagnosed-by:
Clement Lecigne <clecigne@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Reviewed-by:
David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 92f1655a) [Lee: Trivial/unrelated conflict - no change to the patch] Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4 Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> (cherry picked from commit 3856ad0c)
-
- May 29, 2024
-
-
Robin Hsu authored
export function for sysfs node formatting Bug: 299190787 Bug: 343363380 Change-Id: I71e6a0815efa8df99d036bf457b8a0081999f3de Signed-off-by:
Robin Hsu <robinhsu@google.com> (cherry picked from commit 402051fc)
-
- May 25, 2024
-
-
Boyu Zhang authored
Bug: 322889657 Bug: 338404349 Test: build pass Change-Id: I9de35415228fb0fe5111cb8cc3ebb43b4c3bbf3e Signed-off-by:
Boyu Zhang <boyuzhang@google.com>
-
- May 24, 2024
-
-
Chungjui Fan authored
Test: pwm behavior works as expected during suspend and resume. Bug: 332793240 Change-Id: Ibaa8e5e03ca6c449ce15572aaa85fdafb8448826 Signed-off-by:
Chungjui Fan <chungjuifan@google.com>
-
Karan authored
To eventually get rid of all legacy drivers convert this driver to the modern world implementing .apply(). The commit which brings these changes is `5ec803ed` on the uplink kernel. Bug: 332793240 Change-Id: I385f487c474ca2d52a9f3bb4e8afc3843eb4d9f8 Signed-off-by:
Karan Bhagoji <karan.rb@samsung.com> Signed-off-by:
Hyunki Koo <hyunki00.koo@samsung.com>
-
- May 23, 2024
-
-
wenchangliu authored
- clean up number of secure instance when init fail - turn off mfc power when core instance number is 1 Bug: 339129143 Test: play secure playback Change-Id: I045c5300cb7196b013e59014a05d1bb2743f4664 Signed-off-by:
wenchangliu <wenchangliu@google.com> (cherry picked from commit f46e54677931700bf710b309dbb90737cc23fdb5)
-
- May 21, 2024
-
-
Pindar Yang authored
Merge SHA: 7e9c226b ANDROID: Initialize android13-5.10-2024-05 Bug: 338118915 Bug: 327600007 (ACK) Bug: 328266487 (ACK) Bug: 329803029 (ACK) Bug: 330117029 (ACK) Bug: 330767927 (ACK) Bug: 337902282 (ACK) Change-Id: Iaf908ef6c5623387cbfcdb5bb36d15c8bc41cc61 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- May 15, 2024
-
-
Guanghui Feng authored
commit 0c9ae0b8 upstream.

core-1                          core-2
-------------------------------------------------------
uio_unregister_device           uio_open
                                idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                uio_release
                                put_device(&idev->dev)
                                kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double freed.

To address this issue, we can get idev atomic & inc idev reference with minor_lock.

Bug: 340128979
Fixes: 57c5f4df ("uio: fix crash after the device is unregistered")
Cc: stable <stable@kernel.org>
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5e0be122)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Id6e67948d146997c2861db5f634e8eeafa32a53f
-
- May 14, 2024
-
-
Todd Kjos authored
Bug: 337902282 Signed-off-by:
Todd Kjos <tkjos@google.com> Change-Id: Ie4fe7b26aaf90be57dcc18467ef9c8dedac0c1ed
-
- May 10, 2024
-
-
Pindar Yang authored
Merge SHA: 42fe3e15 UPSTREAM: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path Bug: 300854197 Bug: 320661088 (ACK) Bug: 329205787 (ACK) Bug: 330876672 (ACK) Bug: 331214192 (ACK) Bug: 332803585 (ACK) Bug: 332996726 (ACK) Change-Id: I26cb0956a55574e16c7a62042a898ca44df47de8 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-