06 Mar 2023, 31 commits

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Add meminfo_k2u_size and delete duplicate or similar code.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Add meminfo_alloc_sum_byKB and meminfo_alloc_sum, and delete duplicate or similar code.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

comm is not memory usage information and should not be stored in sp_proc_stat.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

The tgid information is also stored in sp_group_master.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

There is a double delete list problem in sp_group_exit:

Unable to handle kernel paging request at virtual address dead000000000108
Call trace:
 sp_group_exit+0x104/0x238
 do_exit+0x188/0xb88
 __arm64_sys_exit+0x24/0x28

Calls to sp_group_exit depend on the value of group_dead, which is controlled by CLONE_THREAD. If process A clones B with CLONE_VM and *NO* CLONE_THREAD, A and B will have group_dead = 1 and have the same mm_struct on exit. So sp_group_exit processes an mm_struct more than once.

To solve the problem, we check the tgid in sp_group_exit and allow only the parent process to continue. A similar check should be added in mg_sp_group_add/del_task.

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

spa_num is not general information, but differentiated information. It should not be placed in sp_spg_stat.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ET9W

----------------------------------------------

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6G76L

----------------------------------------------

1. Give more information in the error log.
2. No need to limit the rate.
3. Add a '\n' at the end of the format string.

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6G76L

----------------------------------------------

When a process is deleted from a group, the process does not apply for memory from the shared group. Otherwise, the UAF problem occurs. We checked this, but it didn't do a good job of preventing sp_alloc and del_task concurrency. The process applies for memory after passing the check, which violates our requirements and causes problems.

The solution is to place the checked code in the critical area to ensure that no memory can be allocated after the check is passed.

[ T7596] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
[ T7596] Mem abort info:
[ T7596]   ESR = 0x96000004
[ T7596]   EC = 0x25: DABT (current EL), IL = 32 bits
[ T7596]   SET = 0, FnV = 0
[ T7596]   EA = 0, S1PTW = 0
[ T7596] Data abort info:
[ T7596]   ISV = 0, ISS = 0x00000004
[ T7596]   CM = 0, WnR = 0
[ T7596] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001040a3000
[ T7596] [0000000000000098] pgd=0000000000000000, p4d=0000000000000000
[ T7596] Internal error: Oops: 96000004 [#1] SMP
[ T7596] Modules linked in: sharepool_dev(OE) [last unloaded: demo]
[ T7596] CPU: 1 PID: 7596 Comm: test_sp_group_d Tainted: G OE 5.10.0+ #8
[ T7596] Hardware name: linux,dummy-virt (DT)
[ T7596] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--)
[ T7596] pc : sp_free_area+0x34/0x120
[ T7596] lr : sp_free_area+0x30/0x120
[ T7596] sp : ffff80001c6a3b20
[ T7596] x29: ffff80001c6a3b20 x28: 0000000000000009
[ T7596] x27: 0000000000000000 x26: ffff800011c49d20
[ T7596] x25: ffff0000c227f6c0 x24: 0000000000000008
[ T7596] x23: ffff0000c0cf0ce8 x22: 0000000000000001
[ T7596] x21: ffff0000c4082b30 x20: 0000000000000000
[ T7596] x19: ffff0000c4082b00 x18: 0000000000000000
[ T7596] x17: 0000000000000000 x16: 0000000000000000
[ T7596] x15: 0000000000000000 x14: 0000000000000000
[ T7596] x13: 0000000000000000 x12: ffff0005fffe12c0
[ T7596] x11: 0000000000000008 x10: ffff0005fffe12c0
[ T7596] x9 : ffff8000103eb690 x8 : 0000000000000001
[ T7596] x7 : 0000000000210d00 x6 : 0000000000000000
[ T7596] x5 : ffff8000123edea0 x4 : 0000000000000030
[ T7596] x3 : ffffeff000000000 x2 : 0000eff000000000
[ T7596] x1 : 0000e80000000000 x0 : 0000000000000000
[ T7596] Call trace:
[ T7596]  sp_free_area+0x34/0x120
[ T7596]  __sp_area_drop_locked+0x3c/0x60
[ T7596]  sp_area_drop+0x80/0xbc
[ T7596]  remove_vma+0x54/0x70
[ T7596]  exit_mmap+0x114/0x1d0
[ T7596]  mmput+0x90/0x1ec
[ T7596]  exit_mm+0x1d0/0x2f0
[ T7596]  do_exit+0x180/0x400
[ T7596]  do_group_exit+0x40/0x114
[ T7596]  get_signal+0x1e8/0x720
[ T7596]  do_signal+0x11c/0x1e4
[ T7596]  do_notify_resume+0x15c/0x250
[ T7596]  work_pending+0xc/0x6d8
[ T7596] Code: f9400001 f9402c00 97fff0e5 aa0003f4 (f9404c00)
[ T7596] ---[ end trace 3c8368d77e758ebd ]---

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

The unshare process for k2task can be normalized with k2spg since there exists a local sp group for k2task.

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

Rename sp_group_drop[_locked] to sp_group_put[_locked].
Rename __sp_find_spg[_locked] to sp_group_get[_locked].

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

The process for k2task can be normalized with k2spg since there exists a local sp group for k2task.

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

1. Extract a function that initializes all the members of a newly allocated sp_group, just to decrease the function size.
2. Move the idr_alloc to the end of the function, since we should not add an uninitialized sp_group to the global idr.
3. Rename the file for hugetlb map.

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

----------------------------------------------

Add two helper functions, sp_add_group_master and sp_del_group_master, to manipulate master_list.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Xu Qiang
hulk inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

----------------------------------------------

In spa_overview_show, spg_info_show and spg_overview_show, there is similar code. The solution is to extract the difference into the function macro.

Signed-off-by: Xu Qiang <xuqiang36@huawei.com>

Committed by Zhou Guanghui
ascend inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

--------------------------------------------

The sharepool statistics record the sharepool memory information used by all containers in the system. We do not expect to query the sharepool memory information applied by processes in other containers in the container. Therefore, the sharepool statistics cannot be queried in the container to solve this problem.

Signed-off-by: Zhou Guanghui <zhouguanghui1@huawei.com>

Committed by Wang Wensheng
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I650K6

--------------------------------

If we delete a task that has not been added to any group from a specified group, a NULL pointer dereference would occur.

[  162.566615] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  162.567699] Mem abort info:
[  162.567971]   ESR = 0x96000006
[  162.568187]   EC = 0x25: DABT (current EL), IL = 32 bits
[  162.568508]   SET = 0, FnV = 0
[  162.568670]   EA = 0, S1PTW = 0
[  162.568794] Data abort info:
[  162.568906]   ISV = 0, ISS = 0x00000006
[  162.569032]   CM = 0, WnR = 0
[  162.569314] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001029e0000
[  162.569516] [0000000000000008] pgd=00000001026da003, p4d=00000001026da003, pud=0000000102a90003, pmd=0000000000000000
[  162.570346] Internal error: Oops: 96000006 [#1] SMP
[  162.570524] CPU: 0 PID: 880 Comm: test_sp_group_d Tainted: G W O 5.10.0+ #1
[  162.570868] Hardware name: linux,dummy-virt (DT)
[  162.571053] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
[  162.571370] pc : mg_sp_group_del_task+0x164/0x488
[  162.571511] lr : mg_sp_group_del_task+0x158/0x488
[  162.571644] sp : ffff8000127d3ca0
[  162.571749] x29: ffff8000127d3ca0 x28: ffff372281b8c140
[  162.571922] x27: 0000000000000000 x26: ffff372280b261c0
[  162.572090] x25: ffffd075db9a9000 x24: ffffd075db9a90f8
[  162.572259] x23: ffffd075db9a90e0 x22: 0000000000000371
[  162.572425] x21: ffff372280826b00 x20: 0000000000000000
[  162.572592] x19: ffffd075db12b000 x18: 0000000000000000
[  162.572756] x17: 0000000000000000 x16: ffffd075da51e60c
[  162.572923] x15: 0000ffffdcf1a540 x14: 0000000000000000
[  162.573087] x13: 0000000000000000 x12: 0000000000000000
[  162.573250] x11: 0000000000000040 x10: ffffd075db5f1908
[  162.573415] x9 : ffffd075db5f1900 x8 : ffff3722816f54b0
[  162.573579] x7 : 0000000000000000 x6 : 0000000000000000
[  162.573741] x5 : ffff3722816f5488 x4 : 0000000000000000
[  162.573906] x3 : ffff372280b2620c x2 : ffff37228036b4a0
[  162.574069] x1 : 0000000000000000 x0 : ffff372280b261c0
[  162.574239] Call trace:
[  162.574336]  mg_sp_group_del_task+0x164/0x488
[  162.575262]  dev_ioctl+0x10cc/0x2478 [sharepool_dev]
[  162.575443]  __arm64_sys_ioctl+0xb4/0xf0
[  162.575585]  el0_svc_common.constprop.0+0xe4/0x2d4
[  162.575726]  do_el0_svc+0x34/0xa8
[  162.575838]  el0_svc+0x1c/0x28
[  162.575941]  el0_sync_handler+0x90/0xf0
[  162.576060]  el0_sync+0x168/0x180
[  162.576391] Code: 97f4d4bf aa0003fa b4001580 f9420c01 (f8408c20)

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>

Committed by Chen Jun
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I64Y5Y

-------------------------------

If local_group_add_task fails in init_local_group, ida frees the same id twice.

init_local_group
  local_group_add_task        // failed
  goto free_spg
free_spg:
  free_sp_group_locked
    free_sp_group_id          // free spg->id
free_spg_id:
  free_new_spg_id             // double free spg->id

To fix it, return before calling free_new_spg_id.

Signed-off-by: Chen Jun <chenjun102@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

------------------------------------------------

Add config to encapsulate the code introduced in 2fb141bf9c23 ("[Huawei] mm: sharepool: fix hugepage_rsvd count increase error").

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

----------------------------------------------------

Add CONFIG_ARM_SMMU_V3_PM to control the support for arm-smmu-v3 suspend and resume, which was introduced in 4b009f70.

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

----------------------------------------

Use CONFIG_EXTEND_HUGEPAGE_MAPPING to isolate code introduced in a3425d41. Besides, use tabs instead of spaces to match the format of Kconfig.

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

--------------------------------------------------

Add CONFIG_ACPI_APEI_NOTIFY_ALL_RAS_ERR to isolate "Notify all ras err to driver", which was introduced in 924ceaed.

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

-------------------------------------------------

Add CONFIG_ACPI_APEI_GHES_TS_CORE to isolate code introduced in 01dbadfe.

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

Committed by Zhang Zekun
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6HRGK

------------------------------------------

Add CONFIG_HISI_L3T_PMU and CONFIG_HISI_LPDDRC_PMU to isolate features of the hisi pmu driver. This patch isolates commits 0edc58409e30 and 6bf896bea639.

Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

02 Mar 2023, 2 commits

Committed by openeuler-ci-bot
Merge Pull Request from: @aubrey-intel

**Content:**
- In order to meet the massive industry-wide push, Platform Runtime Mechanism (PRM) provides means to reduce the System Management Mode (SMM) footprint. PRM introduces the capability of transitioning certain usages that were executed out of SMM to code that executes within the OS/VMM context.
- There are 15 patches in total in this patch set to add Platform Runtime Mechanism (PRM) feature support in openEuler. 14 patches are from the upstream kernel and 1 patch is for the default kconfig change.

**Intel-kernel issue:**
- #I6HNB8

**Passed Test:**
- OS kernel built and ran successfully on openEuler 22.03 LTS with and without ACPI PRMT support.
- PRM sample handler was invoked successfully from user space and the content in the ACPI parameter buffer was verified.

**Known issue:**
- N/A

**Default config change:**
```
CONFIG_ACPI_PRMT=y
CONFIG_ACPI_DEBUGGER=y
CONFIG_ACPI_DEBUGGER_USER=m
```

**Specification Link:**
https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf

Link: https://gitee.com/openeuler/kernel/pulls/413
Reviewed-by: Jason Zeng <jason.zeng@intel.com>
Reviewed-by: Aichun Shi <aichun.shi@intel.com>
Reviewed-by: Liu Chao <liuchao173@huawei.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

Committed by openeuler-ci-bot
!402 Fixed the following errors: The reset with stream fails, the query of AH attr is invalid and the RoCE Bonding

Merge Pull Request from: @stinft

Bugfix information:

1. RDMA/hns: Kernel notify usr space to stop ring db
   In the reset scenario, if the kernel receives the reset signal, it needs to notify the user space to stop ring doorbell.
   bugzilla: #I6F3ZU

2. RDMA/hns: Fix AH attr queried by query_qp
   bugzilla: #I6F3ZA

3. RDMA/hns: fix the error of RoCE VF based on RoCE Bonding PF
   In this patch, the following constraints are added:
   1. RoCE Bonding cannot be set with a PF which enables VF;
   2. A PF in RoCE Bonding cannot enable RoCE VF.
   bugzilla: #I6F1IQ

Link: https://gitee.com/openeuler/kernel/pulls/402
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

01 Mar 2023, 2 commits

Committed by Aubrey Li
driver inclusion
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6HNB8
CVE: N/A

Intel-SIG: openeuler_defconfig: Enable ACPI Platform Runtime Mechanism (PRM) feature support

--------------------------------------------

Enable ACPI Platform Runtime Mechanism (PRM) feature support by default.

For the purpose of validating PRM from user space, set:
- CONFIG_ACPI_DEBUGGER = y
- CONFIG_ACPI_DEBUGGER_USER = m

Signed-off-by: Aubrey Li <aubrey.li@linux.intel.com>

Committed by Ard Biesheuvel
mainline inclusion
from mainline-v6.2
commit 182da6f2
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I6HNB8
CVE: N/A

Intel-SIG: commit 182da6f2 ACPI: PRM: Check whether EFI runtime is available.
ACPI Platform Runtime Mechanism feature backport.

--------------------------------

The ACPI PRM address space handler calls efi_call_virt_pointer() to execute PRM firmware code, but doing so is only permitted when the EFI runtime environment is available. Otherwise, such calls are guaranteed to result in a crash, and must therefore be avoided.

Given that the EFI runtime services may become unavailable after a crash occurring in the firmware, we need to check this each time the PRM address space handler is invoked. If the EFI runtime services were not available at registration time to begin with, don't install the address space handler at all.

Fixes: cefc7ca4 ("ACPI: PRM: implement OperationRegion handler for the PlatformRtMechanism subtype")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Aubrey Li <aubrey.li@linux.intel.com>

28 Feb 2023, 5 commits

Committed by openeuler-ci-bot
Merge Pull Request from: @zhangjialin11

Pull new CVEs:
CVE-2023-26545
CVE-2023-0045
CVE-2023-20938
CVE-2023-0240

rcu bugfix from Zheng Yejian
net bugfixes from Zhengchao Shao
block bugfix from Zhong Jinghua
md/raid10 bugfixes from Li Nan
arm64/topology bugfix from Lin Yujun
arm/kasan bugfix from Longlong Xia

Link: https://gitee.com/openeuler/kernel/pulls/418
Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

Committed by Jakub Kicinski
stable inclusion
from stable-v5.10.169
commit 7ff0fdba82298d1f456c685e24930da89703c0fb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6HZHU
CVE: CVE-2023-26545

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ff0fdba82298d1f456c685e24930da89703c0fb

--------------------------------

commit fda6c89f upstream.

lianhui reports that when MPLS fails to register the sysctl table under the new location (during device rename) the old pointers won't get overwritten and may be freed again (double free).

Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable.

Another option is to register the new table first, then only remove the old one if the new one succeeds. That requires more code, changes the order of notifications, and two tables may be visible at the same time.

The sysctl pointer is not used in the rest of the code - set it to NULL on failures and skip unregister if already NULL.

Reported-by: lianhui tang <bluetlh@gmail.com>
Fixes: 0fae3bf0 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

Committed by Rodrigo Branco
stable inclusion
from stable-v5.10.163
commit 67e39c4f4cb318cfbbf8982ab016c649ed97edaf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6CU98
CVE: CVE-2023-0045

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=67e39c4f4cb318cfbbf8982ab016c649ed97edaf

--------------------------------

commit a664ec91 upstream.

We missed the window between the TIF flag update and the next reschedule.

Signed-off-by: Rodrigo Branco <bsdaemon@google.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yuyao Lin <linyuyao1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

Committed by Alessandro Astone
stable inclusion
from stable-v5.10.157
commit ae9e0cc973fb7499ea1b1a8dfd0795f728b84faf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DKVG
CVE: CVE-2023-20938

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ae9e0cc973fb7499ea1b1a8dfd0795f728b84faf

--------------------------------

commit ef38de92 upstream.

Some android userspace is sending BINDER_TYPE_FDA objects with num_fds=0. Like the previous patch, this is reproducible when playing a video.

Before commit 09184ae9 BINDER_TYPE_FDA objects with num_fds=0 were 'correctly handled', as in no fixup was performed.

After commit 09184ae9 we aggregate fixup and skip regions in binder_ptr_fixup structs and distinguish between the two by using the skip_size field: if it's 0, then it's a fixup, otherwise skip.

When processing BINDER_TYPE_FDA objects with num_fds=0 we add a skip region of skip_size=0, and this causes issues because now binder_do_deferred_txn_copies will think this was a fixup region.

To address that, return early from binder_translate_fd_array to avoid adding an empty skip region.

Fixes: 09184ae9 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-1-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Zheng Yejian <zhengyejian1@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

Committed by Alessandro Astone
stable inclusion
from stable-v5.10.157
commit 017de842533f4334d646f1d480f591f4ca9f5c7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DKVG
CVE: CVE-2023-20938

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=017de842533f4334d646f1d480f591f4ca9f5c7a

--------------------------------

commit 2d1746e3 upstream.

When handling a BINDER_TYPE_FDA object we are pushing a parent fixup with a certain skip_size but no scatter-gather copy object, since the copy is handled standalone.

If BINDER_TYPE_FDA is the last child the scatter-gather copy loop will never stop to skip it, thus we are left with an item in the parent fixup list. This will trigger the BUG_ON().

This is reproducible in android when playing a video. We receive a transaction that looks like this:

obj[0] BINDER_TYPE_PTR, parent
obj[1] BINDER_TYPE_PTR, child
obj[2] BINDER_TYPE_PTR, child
obj[3] BINDER_TYPE_FDA, child

Fixes: 09184ae9 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-2-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Zheng Yejian <zhengyejian1@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>