Merge branch 'android-msm-pixel-4.19-tm-security' into android-msm-pixel-4.19-tm
Aug 2022.1
Bug: 216139370
Change-Id: I5a14b51abc45a3f94ccd1eba471e9fb9386fe9a8
diff --git a/drivers/md/dm-bow.c b/drivers/md/dm-bow.c
index 62a1203..ee4359f 100644
--- a/drivers/md/dm-bow.c
+++ b/drivers/md/dm-bow.c
@@ -599,6 +599,7 @@
struct bow_context *bc = (struct bow_context *) ti->private;
struct kobject *kobj;
+ mutex_lock(&bc->ranges_lock);
while (rb_first(&bc->ranges)) {
struct bow_range *br = container_of(rb_first(&bc->ranges),
struct bow_range, node);
@@ -606,6 +607,8 @@
rb_erase(&br->node, &bc->ranges);
kfree(br);
}
+ mutex_unlock(&bc->ranges_lock);
+
if (bc->workqueue)
destroy_workqueue(bc->workqueue);
if (bc->bufio)
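Review bot: The range tree is emptied and `ranges_lock` released before `destroy_workqueue(bc->workqueue)` runs, so the lock keeps a concurrent walker from seeing a half-freed tree but does not keep later lock holders from running against an empty one. If queued work can still touch `bc->ranges` at this point (not visible in these hunks), draining the workqueue first and freeing the ranges afterwards would be the safer order. Either way, a comment above the `mutex_lock(&bc->ranges_lock);` added in the preceding hunk, such as `/* the status walk takes ranges_lock too and may run during teardown */`, would record why a destructor needs the lock. The function continues past the end of this hunk.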
@@ -1182,6 +1185,7 @@
return;
}
+ mutex_lock(&bc->ranges_lock);
for (i = rb_first(&bc->ranges); i; i = rb_next(i)) {
struct bow_range *br = container_of(i, struct bow_range, node);
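Review bot: `mutex_lock(&bc->ranges_lock)` is taken only after at least one early-exit branch (the `return;` and `}` context lines just above it), so whatever those earlier checks read is still read unlocked. The code before the hunk is not visible; if it dereferences `rb_first(&bc->ranges)` or walks a list of ranges, it can race with the teardown loop that this same commit now locks in the destructor. Taking the lock at the top of the function and turning those early `return`s into `goto unlock` would cover them; if they are deliberately unlocked, a comment `/* ranges_lock not held yet: plain return */` on that branch would keep a later edit from jumping to `unlock` there. The function starts before this hunk and ends in a later one.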
@@ -1189,11 +1193,11 @@
readable_type[br->type],
(unsigned long long)br->sector);
if (result >= end)
- return;
+ goto unlock;
result += scnprintf(result, end - result, "\n");
if (result >= end)
- return;
+ goto unlock;
if (br->type == TRIMMED)
++trimmed_range_count;
@@ -1215,19 +1219,22 @@
if (!rb_next(i)) {
scnprintf(result, end - result,
"\nERROR: Last range not of type TOP");
- return;
+ goto unlock;
}
if (br->sector > range_top(br)) {
scnprintf(result, end - result,
"\nERROR: sectors out of order");
- return;
+ goto unlock;
}
}
if (trimmed_range_count != trimmed_list_length)
scnprintf(result, end - result,
"\nERROR: not all trimmed ranges in trimmed list");
+
+unlock:
+ mutex_unlock(&bc->ranges_lock);
}
static void dm_bow_status(struct dm_target *ti, status_type_t type,
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index 7da94b8..01f145f 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -220,6 +220,9 @@
void *vaddr;
if (buffer->kmap_cnt) {
+ if (buffer->kmap_cnt == INT_MAX)
+ return ERR_PTR(-EOVERFLOW);
+
buffer->kmap_cnt++;
return buffer->vaddr;
}
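Review bot: The new `INT_MAX` guard keeps `buffer->kmap_cnt++` from wrapping, but nothing at the check says why it matters. Presumably a wrapped count would let the matching put path tear down the kernel mapping while other users still hold `buffer->vaddr`; I would add `/* refuse to wrap kmap_cnt: a wrapped count could unmap vaddr under live users */` above the check. The guard assumes `kmap_cnt` is a signed `int` and that every caller tests the result with `IS_ERR()` rather than for NULL; neither the declaration nor the callers are visible here, so both are worth confirming. The function starts before and ends after the hunk.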
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index fe246e0..ad82c63 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -404,15 +404,20 @@
return 0;
}
-static int u32_destroy_key(struct tcf_proto *tp, struct tc_u_knode *n,
- bool free_pf)
+static void __u32_destroy_key(struct tc_u_knode *n)
{
struct tc_u_hnode *ht = rtnl_dereference(n->ht_down);
tcf_exts_destroy(&n->exts);
- tcf_exts_put_net(&n->exts);
if (ht && --ht->refcnt == 0)
kfree(ht);
+ kfree(n);
+}
+
+static void u32_destroy_key(struct tcf_proto *tp, struct tc_u_knode *n,
+ bool free_pf)
+{
+ tcf_exts_put_net(&n->exts);
#ifdef CONFIG_CLS_U32_PERF
if (free_pf)
free_percpu(n->pf);
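Review bot: `__u32_destroy_key()` and `u32_destroy_key()` now differ only in which resources they release, and nothing documents which caller needs which. The helper frees the exts, the `ht_down` reference and the knode itself, while the wrapper additionally drops the netns reference via `tcf_exts_put_net()` and, with `free_pf`, the per-CPU counters; the error paths in the last hunk of this file switch to the helper, presumably because the new knode has not taken a netns reference yet and does not own the counters. A short comment on the helper, e.g. `/* for knodes that hold no netns ref and do not own pf/pcpu_success */`, would keep a future caller from picking the wrong one and unbalancing the netns refcount. `u32_destroy_key()` continues into the next hunk.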
@@ -421,8 +426,7 @@
if (free_pf)
free_percpu(n->pcpu_success);
#endif
- kfree(n);
- return 0;
+ __u32_destroy_key(n);
}
/* u32_delete_key_rcu should be called when free'ing a copied
@@ -965,13 +969,13 @@
tca[TCA_RATE], ovr, extack);
if (err) {
- u32_destroy_key(tp, new, false);
+ __u32_destroy_key(new);
return err;
}
err = u32_replace_hw_knode(tp, new, flags, extack);
if (err) {
- u32_destroy_key(tp, new, false);
+ __u32_destroy_key(new);
return err;
}