Merge branch 'android-msm-pixel-4.14-tm-security' into android-msm-pixel-4.14-tm
Aug 2022.1
Bug: 216140062
Change-Id: Ifbe45af5dcfa2fd49b2de2e2f82525e9db097c82
diff --git a/drivers/md/dm-bow.c b/drivers/md/dm-bow.c
index 4728985..0a4c177 100644
--- a/drivers/md/dm-bow.c
+++ b/drivers/md/dm-bow.c
@@ -600,6 +600,7 @@
struct bow_context *bc = (struct bow_context *) ti->private;
struct kobject *kobj;
+ mutex_lock(&bc->ranges_lock);
while (rb_first(&bc->ranges)) {
struct bow_range *br = container_of(rb_first(&bc->ranges),
struct bow_range, node);
@@ -607,6 +608,8 @@
rb_erase(&br->node, &bc->ranges);
kfree(br);
}
+ mutex_unlock(&bc->ranges_lock);
+
if (bc->workqueue)
destroy_workqueue(bc->workqueue);
if (bc->bufio)
@@ -1182,6 +1185,7 @@
return;
}
+ mutex_lock(&bc->ranges_lock);
for (i = rb_first(&bc->ranges); i; i = rb_next(i)) {
struct bow_range *br = container_of(i, struct bow_range, node);
@@ -1189,11 +1193,11 @@
readable_type[br->type],
(unsigned long long)br->sector);
if (result >= end)
- return;
+ goto unlock;
result += scnprintf(result, end - result, "\n");
if (result >= end)
- return;
+ goto unlock;
if (br->type == TRIMMED)
++trimmed_range_count;
@@ -1215,19 +1219,22 @@
if (!rb_next(i)) {
scnprintf(result, end - result,
"\nERROR: Last range not of type TOP");
- return;
+ goto unlock;
}
if (br->sector > range_top(br)) {
scnprintf(result, end - result,
"\nERROR: sectors out of order");
- return;
+ goto unlock;
}
}
if (trimmed_range_count != trimmed_list_length)
scnprintf(result, end - result,
"\nERROR: not all trimmed ranges in trimmed list");
+
+unlock:
+ mutex_unlock(&bc->ranges_lock);
}
static void dm_bow_status(struct dm_target *ti, status_type_t type,
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index d166256..b6039b0 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -225,6 +225,9 @@
void *vaddr;
if (buffer->kmap_cnt) {
+ if (buffer->kmap_cnt == INT_MAX)
+ return ERR_PTR(-EOVERFLOW);
+
buffer->kmap_cnt++;
return buffer->vaddr;
}
diff --git a/fs/super.c b/fs/super.c
index e6019ed..51f4320 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -459,6 +459,8 @@
spin_unlock(&sb_lock);
up_write(&sb->s_umount);
if (sb->s_bdi != &noop_backing_dev_info) {
+ if (sb->s_iflags & SB_I_PERSB_BDI)
+ bdi_unregister(sb->s_bdi);
bdi_put(sb->s_bdi);
sb->s_bdi = &noop_backing_dev_info;
}
@@ -1322,6 +1324,7 @@
}
WARN_ON(sb->s_bdi != &noop_backing_dev_info);
sb->s_bdi = bdi;
+ sb->s_iflags |= SB_I_PERSB_BDI;
return 0;
}
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 5fda30e..9dede5f 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1342,6 +1342,8 @@
/* sb->s_iflags to limit user namespace mounts */
#define SB_I_USERNS_VISIBLE 0x00000010 /* fstype already mounted */
+#define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */
+
/* Possible states of 'frozen' field */
enum {
SB_UNFROZEN = 0, /* FS is unfrozen */
diff --git a/include/net/sock.h b/include/net/sock.h
index 00d2c53..c791f3a 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2456,6 +2456,9 @@
extern __u32 sysctl_wmem_default;
extern __u32 sysctl_rmem_default;
+/* On 32bit arches, an skb frag is limited to 2^15 */
+#define SKB_FRAG_PAGE_ORDER get_order(32768)
+
/* Default TCP Small queue budget is ~1 ms of data (1sec >> 10)
* Some wifi drivers need to tweak it to get more chunks.
* They can use this helper from their ndo_start_xmit()
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index cd607fb..fdae423 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -877,9 +877,13 @@
if (bdi->dev) /* The driver needs to use separate queues per device */
return 0;
+ bdi_get(bdi);
+
dev = device_create_vargs(bdi_class, NULL, MKDEV(0, 0), bdi, fmt, args);
- if (IS_ERR(dev))
+ if (IS_ERR(dev)) {
+ bdi_put(bdi);
return PTR_ERR(dev);
+ }
cgwb_bdi_register(bdi);
bdi->dev = dev;
@@ -959,6 +963,8 @@
put_device(bdi->owner);
bdi->owner = NULL;
}
+
+ bdi_put(bdi);
}
static void release_bdi(struct kref *ref)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 0c9bc29..fdbdcba 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -395,15 +395,20 @@
return 0;
}
-static int u32_destroy_key(struct tcf_proto *tp, struct tc_u_knode *n,
- bool free_pf)
+static void __u32_destroy_key(struct tc_u_knode *n)
{
struct tc_u_hnode *ht = rtnl_dereference(n->ht_down);
tcf_exts_destroy(&n->exts);
- tcf_exts_put_net(&n->exts);
if (ht && --ht->refcnt == 0)
kfree(ht);
+ kfree(n);
+}
+
+static void u32_destroy_key(struct tcf_proto *tp, struct tc_u_knode *n,
+ bool free_pf)
+{
+ tcf_exts_put_net(&n->exts);
#ifdef CONFIG_CLS_U32_PERF
if (free_pf)
free_percpu(n->pf);
@@ -412,8 +417,7 @@
if (free_pf)
free_percpu(n->pcpu_success);
#endif
- kfree(n);
- return 0;
+ __u32_destroy_key(n);
}
/* u32_delete_key_rcu should be called when free'ing a copied
@@ -942,13 +946,13 @@
tca[TCA_RATE], ovr);
if (err) {
- u32_destroy_key(tp, new, false);
+ __u32_destroy_key(new);
return err;
}
err = u32_replace_hw_knode(tp, new, flags);
if (err) {
- u32_destroy_key(tp, new, false);
+ __u32_destroy_key(new);
return err;
}
