- Nov 01, 2021

Linux Build Service Account authored
Change-Id: I7a1cc325aa74e78a6da12ff8513743034354d586
- Sep 29, 2021

Kamal Agrawal authored
Make sure there is enough room in the memory descriptor to store the entire profiling buffer object.
Change-Id: I1e1c73097bb2bba9645b0a3c66fdbbc71d8ba8fa
Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>
- Sep 13, 2021

Linux Build Service Account authored
Change-Id: Iab72024cf4deca8861c57f8b12e8dbadab05e688
- Sep 09, 2021

Kiran Gunda authored
Add the slatecom_interface header file to gen_headers to make it accessible from userspace modules that use Android.bp files for compilation.
Change-Id: Ie298ec28983c16999d941ee8667e2dd7b5c3db22
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
- Jul 23, 2021

Komal Bajaj authored
Add a check in msm_minidump_add_region() to handle out-of-bounds access while adding a region to the minidump table in SMEM.
Change-Id: Ic20663dbd2fa8ae96899930a7f7ba79dc204ff5e
Signed-off-by: Komal Bajaj <kbajaj@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
- Jul 18, 2021

Linux Build Service Account authored
- Jul 16, 2021

Swathi K authored
Added a flag to indicate memory used in process initialization. This memory would not be removed in the internal unmap, to avoid a UAF or double free.
Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736
Signed-off-by: Swathi K <kataka@codeaurora.org>
- Jul 09, 2021

Linux Build Service Account authored
Change-Id: I6676bda3e6e2f39a93967d16a9450684d4a9ffaa
- Jul 05, 2021

Shyam Kumar Thella authored
Add UAPI headers for QBG (Qualcomm Battery Gauge).
Change-Id: Iae5ba52ebff9fb4b591065c2bffe15763ab9518a
Signed-off-by: Shyam Kumar Thella <sthella@codeaurora.org>

Linux Build Service Account authored
- Jun 10, 2021

Linux Build Service Account authored
Change-Id: Iacb765a5bbfb09415ed09dba0574b621c62be9cf
William McVicker authored
The HID subsystem allows an "HID report field" to have a different number of "values" and "usages" when it is allocated. When a field struct is created, the size of the usage array is guaranteed to be at least as large as the values array, but it may be larger. This leads to a potential out-of-bounds write in __hidinput_change_resolution_multipliers() and an out-of-bounds read in hidinput_count_leds().
To fix this, let's make sure that both the usage and value arrays are the same size.
Cc: stable@vger.kernel.org
Signed-off-by: Will McVicker <willmcvicker@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Change-Id: I8e1a5c776e76b592ce53612c2022829b123779d6
Git-commit: ed9be64e
Git-repo: https://android.googlesource.com/kernel/common
Signed-off-by: Uppala Revanth Kumar <urevanth@codeaurora.org>
Vasily Averin authored
Could you please push this patch into stable@? It fixes memory corruption in kernels v3.5 .. v4.10.
The lost .data_len definition leads to a write beyond the end of struct nf_ct_h323_master. Usually it corrupts the following struct nf_conn_nat; however, if nat is not loaded it corrupts the following slab object.
In mainline this problem went away in v4.11, after commit 9f0f3ebe ("netfilter: helpers: remove data_len usage for inkernel helpers"); however, many stable kernels are still affected.
Fixes: 1afc5679 ("netfilter: nf_ct_helper: implement variable length helper private data") # v3.5
cc: stable@vger.kernel.org
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I5793b715bc2ac3808be87b5cb1aa21d3f05cb075
Git-commit: 396ba2fc
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: Uppala Revanth Kumar <urevanth@codeaurora.org>
- May 18, 2021

Manoj Prabhu B authored
For a valid token indicating a remote proc, use data_source to indicate that the packet originated from the dci remote source.
Change-Id: I01729a905d532fae7ea046acc143598eca04460b
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
- May 13, 2021

Linux Build Service Account authored
Change-Id: I6460e3af14269458116edfeb434b72fc0ea9e00d
- Apr 12, 2021

Linux Build Service Account authored
- Apr 08, 2021

Linux Build Service Account authored

Linux Build Service Account authored

Linux Build Service Account authored
Eric Dumazet authored
[ Upstream commit b38e7819 ]
Keyu Man reported that the ICMP rate limiter could be used by attackers to get useful signal. Details will be provided in an upcoming academic publication.
Our solution is to add some noise, so that the attackers can no longer get help from the predictable token bucket limiter.
Fixes: 4cdf507d ("icmp: add a global rate limitation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I8373925e50fd35fd35d59fd32b8a0e7da9257683
Git-commit: d6c55250
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: urevanth <urevanth@codeaurora.org>
- Apr 06, 2021

Narender Ankam authored
The checksum for the HDR infoframe is set to zero by default, as this is not a mandatory field per the HDMI spec. However, certain HDMI sinks still expect a non-zero checksum; otherwise they disregard the infoframe and the sink does not enter HDR mode despite the other fields of the infoframe being valid.
Add a valid checksum to the HDR infoframe to improve interoperability of our HDR solution for HDMI.
Change-Id: Ic715981c458384e75f3ab1af69080478ab852d37
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
- Mar 30, 2021

Linux Build Service Account authored

Narender Ankam authored
The CEC Read and Write protocol and state machine use a 50us pulse to ensure the CEC signaling adheres to the relatively slow protocol. The reftimer that generates the 50us pulse is configured using CEC_REFTIMER:REFTIMER. The current value of REFTIMER is not properly configured to generate a 50us pulse.
Fine-tune CEC_REFTIMER:REFTIMER from the current value to a slightly higher value, generating 51us, to ensure the CEC Read and Write logic works properly without any CEC line errors.
Change-Id: I57e3f8e8197763b2a2c910b12705c232ad8eb1a8
Signed-off-by: Narender Ankam <nankam@codeaurora.org>

Linux Build Service Account authored
Change-Id: I5714dc8010a1c9043005a760ec3b8a250ec4a10f
Jason Yan authored
[ Upstream commit 2d3a8e2d ]
In blkdev_get() we call __blkdev_get() to do some internal jobs, and if there are errors in __blkdev_get(), bdput() is called, which means we have released the refcount of the bdev (actually the refcount of the bdev inode). This means we cannot access bdev after that point. But actually bdev is still accessed in blkdev_get() after calling __blkdev_get(). This results in a use-after-free if the refcount is the last one we released in __blkdev_get(). Let's take a look at the following scenario:

CPU0            CPU1                    CPU2
blkdev_open     blkdev_open             Remove disk
 bd_acquire
 blkdev_get
  __blkdev_get
                                        del_gendisk
                                        bdev_unhash_inode
                bd_acquire
                 bdev_get_gendisk
                 bd_forget failed because of unhashed
   bdput
                bdput (the last one)
                bdev_evict_inode

   access bdev => use after free

[ 459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0
[ 459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132
[ 459.352347]
[ 459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2
[ 459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 459.354947] Call Trace:
[ 459.355337]  dump_stack+0x111/0x19e
[ 459.355879]  ? __lock_acquire+0x24c1/0x31b0
[ 459.356523]  print_address_description+0x60/0x223
[ 459.357248]  ? __lock_acquire+0x24c1/0x31b0
[ 459.357887]  kasan_report.cold+0xae/0x2d8
[ 459.358503]  __lock_acquire+0x24c1/0x31b0
[ 459.359120]  ? _raw_spin_unlock_irq+0x24/0x40
[ 459.359784]  ? lockdep_hardirqs_on+0x37b/0x580
[ 459.360465]  ? _raw_spin_unlock_irq+0x24/0x40
[ 459.361123]  ? finish_task_switch+0x125/0x600
[ 459.361812]  ? finish_task_switch+0xee/0x600
[ 459.362471]  ? mark_held_locks+0xf0/0xf0
[ 459.363108]  ? __schedule+0x96f/0x21d0
[ 459.363716]  lock_acquire+0x111/0x320
[ 459.364285]  ? blkdev_get+0xce/0xbe0
[ 459.364846]  ? blkdev_get+0xce/0xbe0
[ 459.365390]  __mutex_lock+0xf9/0x12a0
[ 459.365948]  ? blkdev_get+0xce/0xbe0
[ 459.366493]  ? bdev_evict_inode+0x1f0/0x1f0
[ 459.367130]  ? blkdev_get+0xce/0xbe0
[ 459.367678]  ? destroy_inode+0xbc/0x110
[ 459.368261]  ? mutex_trylock+0x1a0/0x1a0
[ 459.368867]  ? __blkdev_get+0x3e6/0x1280
[ 459.369463]  ? bdev_disk_changed+0x1d0/0x1d0
[ 459.370114]  ? blkdev_get+0xce/0xbe0
[ 459.370656]  blkdev_get+0xce/0xbe0
[ 459.371178]  ? find_held_lock+0x2c/0x110
[ 459.371774]  ? __blkdev_get+0x1280/0x1280
[ 459.372383]  ? lock_downgrade+0x680/0x680
[ 459.373002]  ? lock_acquire+0x111/0x320
[ 459.373587]  ? bd_acquire+0x21/0x2c0
[ 459.374134]  ? do_raw_spin_unlock+0x4f/0x250
[ 459.374780]  blkdev_open+0x202/0x290
[ 459.375325]  do_dentry_open+0x49e/0x1050
[ 459.375924]  ? blkdev_get_by_dev+0x70/0x70
[ 459.376543]  ? __x64_sys_fchdir+0x1f0/0x1f0
[ 459.377192]  ? inode_permission+0xbe/0x3a0
[ 459.377818]  path_openat+0x148c/0x3f50
[ 459.378392]  ? kmem_cache_alloc+0xd5/0x280
[ 459.379016]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 459.379802]  ? path_lookupat.isra.0+0x900/0x900
[ 459.380489]  ? __lock_is_held+0xad/0x140
[ 459.381093]  do_filp_open+0x1a1/0x280
[ 459.381654]  ? may_open_dev+0xf0/0xf0
[ 459.382214]  ? find_held_lock+0x2c/0x110
[ 459.382816]  ? lock_downgrade+0x680/0x680
[ 459.383425]  ? __lock_is_held+0xad/0x140
[ 459.384024]  ? do_raw_spin_unlock+0x4f/0x250
[ 459.384668]  ? _raw_spin_unlock+0x1f/0x30
[ 459.385280]  ? __alloc_fd+0x448/0x560
[ 459.385841]  do_sys_open+0x3c3/0x500
[ 459.386386]  ? filp_open+0x70/0x70
[ 459.386911]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 459.387610]  ? trace_hardirqs_off_caller+0x55/0x1c0
[ 459.388342]  ? do_syscall_64+0x1a/0x520
[ 459.388930]  do_syscall_64+0xc3/0x520
[ 459.389490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 459.390248] RIP: 0033:0x416211
[ 459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
[ 459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211
[ 459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00
[ 459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a
[ 459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff
[ 459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c
[ 459.400168]
[ 459.400430] Allocated by task 20132:
[ 459.401038]  kasan_kmalloc+0xbf/0xe0
[ 459.401652]  kmem_cache_alloc+0xd5/0x280
[ 459.402330]  bdev_alloc_inode+0x18/0x40
[ 459.402970]  alloc_inode+0x5f/0x180
[ 459.403510]  iget5_locked+0x57/0xd0
[ 459.404095]  bdget+0x94/0x4e0
[ 459.404607]  bd_acquire+0xfa/0x2c0
[ 459.405113]  blkdev_open+0x110/0x290
[ 459.405702]  do_dentry_open+0x49e/0x1050
[ 459.406340]  path_openat+0x148c/0x3f50
[ 459.406926]  do_filp_open+0x1a1/0x280
[ 459.407471]  do_sys_open+0x3c3/0x500
[ 459.408010]  do_syscall_64+0xc3/0x520
[ 459.408572]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 459.409415]
[ 459.409679] Freed by task 1262:
[ 459.410212]  __kasan_slab_free+0x129/0x170
[ 459.410919]  kmem_cache_free+0xb2/0x2a0
[ 459.411564]  rcu_process_callbacks+0xbb2/0x2320
[ 459.412318]  __do_softirq+0x225/0x8ac

Fix this by delaying bdput() to the end of blkdev_get(), which means we have finished accessing bdev.
Fixes: 77ea887e ("implement in-kernel gendisk events handling")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: I0a63b196fdebc57d72ba043b2ce327a2356b113d
Git-commit: 49289b1f
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: urevanth <urevanth@codeaurora.org>
- Mar 26, 2021

Linux Build Service Account authored
- Mar 24, 2021

Armaan Siddiqui authored
Currently the maximum size of the DL flt rule is sent to Q6, but a 64K memory allocation is not always guaranteed. Send the actual size of the DL flt rule to Q6 to avoid the memory error and install the flt rule.
Change-Id: I5bb6d2d2b564d06c2f0521aaa2a3c54dc646f07e
Signed-off-by: Armaan Siddiqui <asiddiqu@codeaurora.org>

Armaan Siddiqui authored
devm_kzalloc causes a memory failure, so use kzalloc to avoid the memory allocation failure.
Change-Id: I85befc8c2b06ce74419e4e508fc982ff4df5a343
Signed-off-by: Armaan Siddiqui <asiddiqu@codeaurora.org>
- Mar 22, 2021

Linux Build Service Account authored

Linux Build Service Account authored
- Mar 21, 2021

Nitin LNU authored
Check whether there is enough room between the offsets of two subsequent fields so that the data of field 2 does not overlap the data of field 1.
Change-Id: I96f656bb25878a302e7de109dd8f981045ed52e7
Signed-off-by: Nitin LNU <nlakra@codeaurora.org>
- Mar 19, 2021

Arungopal Kondaveeti authored
A negative long int value passed as part of the ucontrol structure is assigned to the int num_app_cfg_type, making it positive and leading to an overflow while populating the maximum supported lsm_app_type_cfg structures.
Change-Id: I81e3c75eea82265c8e8e1b3f8f95d9e334c895c4
Signed-off-by: Arungopal Kondaveeti <c_kondav@codeaurora.org>
- Mar 18, 2021

Linux Build Service Account authored
- Mar 16, 2021

Pankaj Gupta authored
In kgsl_mem_entry_create, access map_count only if the entry is allocated successfully, to avoid an invalid access.
Change-Id: I57bce1aec2da6a27b6d13dbee96ed86a45c9660c
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
Signed-off-by: Pankaj Gupta <gpankaj@codeaurora.org>

Hyeongseok Kim authored
If an emergency system shutdown is called, for example by thermal shutdown, the dm device could be alive when the block device can no longer process I/O requests. In this state, the handling of I/O errors by new dm I/O requests or by those already in flight can lead to a verity corruption state, which is a misjudgment. So, skip verity work for I/O errors when the system is shutting down.
Change-Id: I7b2e79283bb5810cefe688bf43b9ae97030ce917
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Hyeongseok Kim <hyeongseok@gmail.com>
Patch-mainline: dm-devel @ 12/03/20, 00:46
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
- Mar 09, 2021

Linux Build Service Account authored

Linux Build Service Account authored
- Mar 08, 2021

Puranam V G Tejaswi authored
Preemption of secure context is not supported in A5x. Currently we disable preemptive context switching during execution of commands from secure contexts by placing appropriate PREEMPT_ENABLE_GLOBAL/LOCAL packets in the ringbuffer. These packets have no effect on the behavior of the CONTEXT_SWITCH_YIELD packet, so a cooperative context switch (yield) can still be serviced. To avoid this, disable all yield packets in case of secure contexts.
Change-Id: Icfd73795ca4dccfc04f7a5b4497a908b15794e5a
Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>
- Mar 04, 2021

Kalesh Singh authored
A sock_tag_entry can only be part of one process's pqd_entry->sock_tag_list. Retagging the socket only updates sock_tag_entry->tag, and does not add the tag entry to the current process's pqd_entry list, nor update sock_tag_entry->pid. So the sock_tag_entry is only ever present in the pqd_entry list of the process that initially tagged the socket.
A sock_tag_entry can also get created and not be added to any process's pqd_entry list. This happens if the process that initially tags the socket has not opened /dev/xt_qtaguid.
ctrl_cmd_untag() supports untagging from a context other than the process that initially tagged the socket. Currently, the sock_tag_entry is only removed from its containing pqd_entry->sock_tag_list if the process that does the untagging has opened /dev/xt_qtaguid. However, the tag entry should always be deleted from its pqd entry list (if present).
Bug: 176919394
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Change-Id: I5b6f0c36c0ebefd98cc6873a4057104c7d885ccc
Git-commit: c2ab93b4
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: urevanth <urevanth@codeaurora.org>
- Mar 01, 2021

Linux Build Service Account authored
Change-Id: I43e7e99b5517b7fc464d91373d88770e0a035cdd