git.stricted.de - GitHub/MotorolaMobilityLLC/kernel-slsi.git/log

[RAMEN9610-21500]Input: ff-memless - kill timer in destroy()

commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.

No timer must be left running when the device goes away.

Change-Id: I7a5642e94ab73741cd4f2918a12d0299284d0715
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21480][9610] ASoC: abox: Change read/write function.

If the register of ABOX is written by some driver or F/W(abox) that don't not use regmap I/F,
ABOX driver may gets an invalid value when ABOX driver read register using by regmap I/F.

Change-Id: I682c1c29c9bf2714f9a88cc04533f684a8cfb47f
Signed-off-by: ShinHyung <s47.kang@samsung.com>

[RAMEN9610-21471]wlbt: SCSC Driver release 10.17.1.0

SCSC WLBT Driver release 10.17.1.0

Change-Id: I9ac42b0d835862fa13cd18fd0a1ed5a68a7e1f6b
SCSC-Bug-Id: Rels-3495
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21471]wlbt: Remove SCSC drivers before update

Remove SCSC wlbt drivers before update

Change-Id: If4e2e2d2dd33e5dde0d4bcbde626172936298c88
SCSC-Bug-Id: HOST-12257
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21416]wlbt: update with 10.16.0.0

Change-Id: If33b49fef8665adeee976c150dfe0d7bc537f7aa
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-21380]USB: core: Fix races in character device registration and deregistraion

commit 303911cfc5b95d33687d9046133ff184cf5043ff upstream.

The syzbot fuzzer has found two (!) races in the USB character device
registration and deregistration routines.  This patch fixes the races.

The first race results from the fact that usb_deregister_dev() sets
usb_minors[intf->minor] to NULL before calling device_destroy() on the
class device.  This leaves a window during which another thread can
allocate the same minor number but will encounter a duplicate name
error when it tries to register its own class device.  A typical error
message in the system log would look like:

    sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'

The patch fixes this race by destroying the class device first.

The second race is in usb_register_dev().  When that routine runs, it
first allocates a minor number, then drops minor_rwsem, and then
creates the class device.  If the device creation fails, the minor
number is deallocated and the whole routine returns an error.  But
during the time while minor_rwsem was dropped, there is a window in
which the minor number is allocated and so another thread can
successfully open the device file.  Typically this results in
use-after-free errors or invalid accesses when the other thread closes
its open file reference, because the kernel then tries to release
resources that were already deallocated when usb_register_dev()
failed.  The patch fixes this race by keeping minor_rwsem locked
throughout the entire routine.

Change-Id: I5c397332bfd13378d0257e37df20872e134515fb
Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21380]tcp: Clear sk_send_head after purging the write queue

Denis Andzakovic discovered a potential use-after-free in older kernel
versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
the TCP write queue and can leave sk->sk_send_head pointing to freed
memory.  tcp_disconnect() clears that pointer after calling
tcp_write_queue_purge(), but tcp_connect() does not.  It is
(surprisingly) possible to add to the write queue between
disconnection and reconnection, so this needs to be done in both
places.

This bug was introduced by backports of commit 7f582b248d0a ("tcp:
purge write queue in tcp_connect_init()") and does not exist upstream
because of earlier changes in commit 75c119afe14f ("tcp: implement
rb-tree based retransmit queue").  The latter is a major change that's
not suitable for stable.

Change-Id: I993e67fce84bf59ef86bb432229802b3e1d8821c
Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
Cc: <stable@vger.kernel.org> # before 4.15
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21380]HID: hiddev: do cleanup in failure of opening a device

commit 6d4472d7bec39917b54e4e80245784ea5d60ce49 upstream.

Undo what we did for opening before releasing the memory slice.

Change-Id: I0af2538257801d16761dd60e5eaeeb448e6a7aa4
Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21380]HID: hiddev: avoid opening a disconnected device

commit 9c09b214f30e3c11f9b0b03f89442df03643794d upstream.

syzbot found the following crash on:

HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=147ac20c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
link: https://syzkaller.appspot.com/bug?extid=62a1e04fd3ec2abf099e
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50
kernel/locking/lockdep.c:3753
Read of size 8 at addr ffff8881cf591a08 by task syz-executor.1/26260

CPU: 1 PID: 26260 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
  lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
  hiddev_release+0x82/0x520 drivers/hid/usbhid/hiddev.c:221
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  exit_task_work include/linux/task_work.h:22 [inline]
  do_exit+0x8ef/0x2c50 kernel/exit.c:878
  do_group_exit+0x125/0x340 kernel/exit.c:982
  get_signal+0x466/0x23d0 kernel/signal.c:2728
  do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
  exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f75b2a6ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075c078 RCX: 0000000000459829
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c
R13: 00007ffcdfe1023f R14: 00007f75b2a6d9c0 R15: 000000000075c07c

Allocated by task 104:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:487 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
  kmalloc include/linux/slab.h:552 [inline]
  kzalloc include/linux/slab.h:748 [inline]
  hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900
  hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
  hid_hw_start drivers/hid/hid-core.c:1981 [inline]
  hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
  appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
  usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 104:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  hiddev_connect.cold+0x45/0x5c drivers/hid/usbhid/hiddev.c:914
  hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
  hid_hw_start drivers/hid/hid-core.c:1981 [inline]
  hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
  appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
  usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881cf591900
  which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
  512-byte region [ffff8881cf591900, ffff8881cf591b00)
The buggy address belongs to the page:
page:ffffea00073d6400 refcount:1 mapcount:0 mapping:ffff8881da002500
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da002500
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881cf591900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf591980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cf591a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff8881cf591a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf591b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

In order to avoid opening a disconnected device, we need to check exist
again after acquiring the existance lock, and bail out if necessary.

Change-Id: Icf3149111974c711be319e9afa36bd2860e76700
Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21374]wlbt: SCSC Driver Release 10.15.0.0

SCSC WLBT Driver release 10.15.0.0

Change-Id: Ia43e9764afa9b1fddcb6472238e8d30ae8824719
SCSC-Bug-Id: RELS-3458
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21374]wlbt: Remove drivers before update

Remove SCSC Drivers before update

Change-Id: Ieb12b7848ef8e390c397b179b0b2d47b0b124611
SCSC-Bug-Id: Rels-3458
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21317]wlbt: SCSC Driver update 10.13.0.0

Change-Id: I0b271797f2ea29bf587d8ab5d1a18d6298516993
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-21317]wlbt: Delete SCSC driver before update

Change-Id: I4cb42032a807c270ac6a4cfeefdd5275bd5f1c35
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-20999][9610] driver: chub: change alive check time

from 2sec to 200msec * 10 times

Change-Id: Ied3cb7b92f86520a1fb8c4e883e9b61e8f0b093c
Signed-off-by: Sukwon Ryoo <sw.ryoo@samsung.com>

[RAMEN9610-21231]UPSTREAM: binder: check for overflow when alloc for security context

commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21208]coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.

The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it.  Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier.  For example in Hugh's post from Jul 2017:

  https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils

  "Not strictly relevant here, but a related note: I was very surprised
   to discover, only quite recently, how handle_mm_fault() may be called
   without down_read(mmap_sem) - when core dumping. That seems a
   misguided optimization to me, which would also be nice to correct"

In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.

Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.

Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.

For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs.  Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.

Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.

In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.

Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm().  The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.

Change-Id: Iedaf822707c7bf926f7a7212c4e44d9d60fda348
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21150][MODAP-65597][COMMON] chub: fix CHUB_NO_RESPONCE

The first poweron of multi-os don't send alive.
And, This patch checks the poweron error after alive retry.

Change-Id: I43761a6aa5705c4635c86b344408ec00e41f9bc8
Signed-off-by: Sukwon Ryoo <sw.ryoo@samsung.com>
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[RAMEN9610-21150][MODAP-64438] chub: disable mailbox interrupt during chub reset

If AP access SRAM during CHUB Reset, the read/write H/W transaction from AP to CHUB is blocked in bus and ITMON occurs.
This patch disables mailbox interrupt during chub reset to prevent itmon.

Change-Id: I38ee1ad8a1833aa94b4ca0365dee9bae42a79cfe
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[RAMEN9610-21160]loop: set max_part to 4

If the value is zero, loop driver doesn't permit
partition rescan, so ioctl with BLKRRPART would fail.
Now we want to enable it.

Change-Id: Ife77b8703eb33f507a531da8110d7b773c0dfdfd
Signed-off-by: dukhyun kwon <d_hyun.kwon@samsung.com>

[RAMEN9610-21136][9630] wlbt: SCSC Driver release 10.11.1.0

SCSC WLBT Drivers release 10.11.1.0

Change-Id: I0691654a6e8185c1ae287c916f7c33aa1747d775
SCSC-Bug-Id: Rels-3365
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21136][9630] wlbt: Remove SCSC Drivers before update

Remove SCSC WLBT drivers before update

Change-Id: Ic87d7ebcb295befd5071d9b5a3acfd2e47899e8e
SCSC-Bug-Id: Rels-3365
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-21116][9610] drivers: muic: change dcdtmr 1.2s

Change-Id: Iecad108aa11586ad61b3147b12377275957aa01e
Signed-off-by: Kim Taejeong <tj.kim@samsung.com>

Revert "[RAMEN9610-21055][9610] arm64: dts: Keep VCCQ power when S2R mode for Sandisk UFS."

This reverts commit 593ccc71a9b415db39b7b8913f08fa35c29a8f77.

[RAMEN9610-21055][9610] arm64: dts: Keep VCCQ power when S2R mode for Sandisk UFS.

Change-Id: I6a81f833af04d64e85977f9bab35e2ac64202b29
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-21043][common] wlbt: disable NAN as default

disable NAN config as default

Change-Id: I048cf1506167671d039a3efb7add32f6a9fa2ab1
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-21029]staging: android: ashmem: Disallow ashmem memory from being remapped

When ashmem file is being mmapped the resulting vma->vm_file points to the
backing shmem file with the generic fops that do not check ashmem
permissions like fops of ashmem do. Fix that by disallowing mapping
operation for backing shmem file.

Bug: 142903466
Change-Id: Ic24b44d3fc5b1cb7f2704f251d700ce3667bd2ee
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

[RAMEN9610-21029]rtlwifi: Fix potential overflow on P2P code

commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.

Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.

Change-Id: I2c8d9c778e901815603f53628e0166106b36c640
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21029]ALSA: core: Fix card races between register and disconnect

commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream.

There is a small race window in the card disconnection code that
allows the registration of another card with the very same card id.
This leads to a warning in procfs creation as caught by syzkaller.

The problem is that we delete snd_cards and snd_cards_lock entries at
the very beginning of the disconnection procedure.  This makes the
slot available to be assigned for another card object while the
disconnection procedure is being processed.  Then it becomes possible
to issue a procfs registration with the existing file name although we
check the conflict beforehand.

The fix is simply to move the snd_cards and snd_cards_lock clearances
at the end of the disconnection procedure.  The references to these
entries are merely either from the global proc files like
/proc/asound/cards or from the card registration / disconnection, so
it should be fine to shift at the very end.

Change-Id: I41623db42717d2d4bacab913b966faad7407d5c7
Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-21027]wlbt: Resetting the QoS Info after use, instead on VIF Deactivation.

Resetting the QoS Info after use, instead on
VIF Deactivation, to maintain the consistency
of QoS Info data.

Change-Id: I6b5fcc2336a236652e8d9f6c3f6bbfc9d1eb5111
SCSC-Bug-Id: HOST-11594
Signed-off-by: Mohit Ghuley <mohit.ghuley@samsung.com>
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-21009][COMMON] scsi: ufs: Add device reset for malfunction in bkops.

When UFS device goes to malfunction in bkops setting.
UFS device return response error code to host.
In case, Add device reset for need recover.

Change-Id: I2ec2ad3c280f2bc7cd29b76251fe4fef580f9eab
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-20982][9610] usbpd change abnormal threshold/time

Change-Id: I6ddde4d621ec1cdbda8869fb2721c15bad1760fb
Signed-off-by: Junhan <junhan84.bae@samsung.com>

[ERD][RAMEN9610-20953]wlbt: [NAN] Fix MAX interface on erd9610

For NAN CONFIG_SCSC_WLAN_MAX_INTERFACES should be 12

Change-Id: I72c4b2f81c8494ca05bbdb1addffa8d7a100ee05
SCSC-Bug-Id: HOST-11124
Signed-off-by: Jaya Prakash Sangaru <j.sangaru@samsung.com>

[ERD][RAMEN9610-20953][9610] wlbt: SCSC Driver version 10.9.1.0

SCSC WLBT Driver version 10.9.1.0

Change-Id: I4704fc7904c12a9ad121c9153f774e68422cd883
SCSC-Bug-Id: Rels-3182
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[ERD][RAMEN9610-20953][9610] wlbt: Remove SCSC drivers before update

Remove SCSC WLBT drivers before update

Change-Id: I6cd0641767c4bb2834e748a488512e0730a21abe
SCSC-Bug-Id: Rels-3182
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-20929][9610] usbpd cc instead of vbus

Change-Id: I34765d950ae47f1056a84fdf198e4b5e65028765
Signed-off-by: Jinsu Park <js00.park@samsung.com>

[RAMEN9610-20933][COMMON] scsi: ufs: Add reset for PA_ERROR interrupt storming control.

Sometimes PA_ERROR could not recover phy status automatically.
So, We shuld execute phy reset for recovery.

Change-Id: Ic5d8a202712626fe4fb242daea8eedd73d31dc0e
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-20926] usb: gadget: Zero ffs_io_data

[ Upstream commit 508595515f4bcfe36246e4a565cf280937aeaade ]

In some cases the "Allocate & copy" block in ffs_epfile_io() is not
executed. Consequently, in such a case ffs_alloc_buffer() is never called
and struct ffs_io_data is not initialized properly. This in turn leads to
problems when ffs_free_buffer() is called at the end of ffs_epfile_io().

This patch uses kzalloc() instead of kmalloc() in the aio case and memset()
in non-aio case to properly initialize struct ffs_io_data.

Change-Id: I9a9f0af8cf2b842dc84ba0cb0225957b183a3357
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kisang Lee <kisang80.lee@samsung.com>

[RAMEN9610-20926] usb: gadget: ffs: Make sparse happier

Silences the following warnings:
drivers/usb/gadget/function/f_fs.c:1253:37: warning: incorrect type in argument 1 (different address spaces)
drivers/usb/gadget/function/f_fs.c:1253:37: expected void [noderef] <asn:1>*to
drivers/usb/gadget/function/f_fs.c:1253:37: got void *<noident>
drivers/usb/gadget/function/f_fs.c:2322:23: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:2876:38: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:272:12: warning: context imbalance in '__ffs_ep0_queue_wait' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:450:17: warning: context imbalance in 'ffs_ep0_write' - different lock contexts for basic block
drivers/usb/gadget/function/f_fs.c:490:24: warning: context imbalance in '__ffs_ep0_read_events' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:496:16: warning: context imbalance in 'ffs_ep0_read' - different lock contexts for basic block

Also, add an "unlocks spinlock" comment for consistency with existing ones.
No behaviour change is intended.

Change-Id: Ic8dafdbc1fe8c3ede87630d2fc9eecd53479285f
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Kisang Lee <kisang80.lee@samsung.com>

[RAMEN9610-20923][MODAP-55016][COMMON] driver: chub: No new thread when running

No new thread when running

Change-Id: I69d2ff453d915dc50f8d005c4f52bac86cb05fe7
Signed-off-by: Sukwon Ryoo <sw.ryoo@samsung.com>

[RAMEN9610-20893]wlbt: Fix for memory leak in driver

Free supported_channels_buffer after it has been used.

Change-Id: I1944f94a3bf6a614a2a5c5a112d8c409851f50fa
SCSC-Bug-Id: HOST-11425
Signed-off-by: Srishti Piplani <srishti.p@samsung.com>

[RAMEN9610-20880]wlbt: Driver changes for VTS Q Support for Auto Channel Selection

Auto Channel Selection driver changes for
"WPA_DRIVER_FLAGS_SUPPORT_HW_MODE_ANY"

Change-Id: Ib53209068b432ae4c37914d9ee4a413816eebdd5
SCSC-Bug-Id: HOST-10725
Signed-off-by: Abhishek Chaudhary <ab.chaudhary@samsung.com>

[RAMEN9610-20892] fimc-is2: Fix CTS verifier: testDualCameraPreview fail

JIRA ID: CSWPR-697

Change-Id: Ic58ed3b1d804445b0cca41bc71ca7a0651c97f86
Signed-off-by: qings.zhou <qings.zhou@samsung.com>

[RAMEN9610-20892] fimc-is2: Fix CTS verifier: testDualCameraPreview fail

JIRA ID :CSWPR-697

Change-Id: I33f6a07eca7bb79b9641845c5a9217bddb133658
Signed-off-by: qings.zhou <qings.zhou@samsung.com>

[RAMEN9610-20877]p54usb: Fix race between disconnect and firmware loading

commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream.

The syzbot fuzzer found a bug in the p54 USB wireless driver.  The
issue involves a race between disconnect and the firmware-loader
callback routine, and it has several aspects.

One big problem is that when the firmware can't be loaded, the
callback routine tries to unbind the driver from the USB _device_ (by
calling device_release_driver) instead of from the USB _interface_ to
which it is actually bound (by calling usb_driver_release_interface).

The race involves access to the private data structure.  The driver's
disconnect handler waits for a completion that is signalled by the
firmware-loader callback routine.  As soon as the completion is
signalled, you have to assume that the private data structure may have
been deallocated by the disconnect handler -- even if the firmware was
loaded without errors.  However, the callback routine does access the
private data several times after that point.

Another problem is that, in order to ensure that the USB device
structure hasn't been freed when the callback routine runs, the driver
takes a reference to it.  This isn't good enough any more, because now
that the callback routine calls usb_driver_release_interface, it has
to ensure that the interface structure hasn't been freed.

Finally, the driver takes an unnecessary reference to the USB device
structure in the probe function and drops the reference in the
disconnect handler.  This extra reference doesn't accomplish anything,
because the USB core already guarantees that a device structure won't
be deallocated while a driver is still bound to any of its interfaces.

To fix these problems, this patch makes the following changes:

Call usb_driver_release_interface() rather than
device_release_driver().

Don't signal the completion until after the important
information has been copied out of the private data structure,
and don't refer to the private data at all thereafter.

Lock udev (the interface's parent) before unbinding the driver
instead of locking udev->parent.

During the firmware loading process, take a reference to the
USB interface instead of the USB device.

Don't take an unnecessary reference to the device during probe
(and then don't drop it during disconnect).

Change-Id: I3085112dc94967098660fd961e5d28b20a54a4a0
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-20877]ANDROID: fiq_debugger: remove

This represents a rollup of a series of reverts, simplified are
modifications to remove fiq_glue and fiq_debugger references in:

arch/arm/common/Kconfig
arch/arm/common/Makefile
drivers/staging/android/Kconfig
drivers/staging/android/Makefile

And deletion of:

arch/arm/common/fiq_glue.S
arch/arm/common/fiq_glue_setup.c
drivers/staging/android/fiq_debugger/

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32402555
Bug: 36101220
Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5

[RAMEN9610-20876][MODAP-53888][COMMON] chub: change resume from complete to resume

Change-Id: Ia51cc7ccea3f8025ad23b493c9d4830060837f27
Signed-off-by: Sukwon Ryoo <sw.ryoo@samsung.com>

[RAMEN9610-20868]wlbt: fix memory leak in wlan_sw.hcf loading

The second HCF file was not being freed

cherry-pick change-Id: I2327d526226241e9f6e8aceba6dd7c69ee9bdc81
SCSC-Bug-Id: HOST-11402

Change-Id: I0f4f28f110022bb74763ece881eeabb6af40fc88
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-20866][9610] usbpd Rp default to Contract.

Change-Id: I653309e3f33eefa61b202fc0c073941fd8ead9ec
Signed-off-by: Junhan Bae <junhan84.bae@samsung.com>

[RAMEN9610-20799][ERD][9610] nfc: add config to control ldo37

Change-Id: I493d248552459c7b0eef5f2a14ee0fff44b35967
Signed-off-by: Jia Lee <jia0515.lee@samsung.com>

[RAMEN9610-20799][ERD][NEUS7920-623] [NEUS7920-263][9610] nfc: control nfc pvdd for low power mode

nfc pvdd should be low during phone off and USB charging mode.

Change-Id: I31aed59395e06d031895ad7cc2a4b82eccc75bd3
Signed-off-by: Jia Lee <jia0515.lee@samsung.com>

[RAMEN9610-20797][COMMON][MODAP-49152] misc: modem_if: fix the problem of free duplication

Change-Id: I83078bc3d9c44fac80ee56ab43f38b0ffb5fbe12
Signed-off-by: Jiyoung Jeong <ji_0.jeong@samsung.com>

[RAMEN9610-20794][nfc] Remove wake_lock

Change-Id: Ib608c39ab9a96488b067fc8951ac03dc18534992
Signed-off-by: Wonchul Shin <wchuls.shin@samsung.com>

[RAMEN9610-20778][9610] drivers: enable LEGACY_COMPAT after applying ion flushing patch

Change-Id: I1cfb9953f4b99c2d56e585cc6fe9d9c6ce91e639
Signed-off-by: Yoojin Park <yoojin1.park@samsung.com>

[RAMEN9610-20778][9610] drivers: gpu: check ion buffer is cached before flush v4

With LEGACY_COMPAT option enabled,
only flush an ion buffer if it is a cached buffer.

Update 19.10.17:
Prevent wrongly printed warning logs when non-cached buffer
is not flushed as intended

Change-Id: Icce58c5c39c8898f5804d47ea1bf6e83776ab02a
Signed-off-by: SeYeong Byeon <sy.byeon@samsung.com>

[RAMEN9610-20774][COMMON] drivers: modem_if: Apply LCD notification

Change-Id: I8a5fd610cfa8bdbe1904437663191b319c109002
Signed-off-by: Taejin Kim <tj7.kim@samsung.com>

[RAMEN9610-20773][COMMON] mm: remove dump log to reduce delay

Change-Id: I0fbceed7b0dff9a77adeba3e99a26b1654813d8e
Signed-off-by: Oh Eomji <eomji.oh@samsung.com>

[RAMEN9610-20773][9610] arm64: defconfig: add configuration for USB stable operation

Change-Id: Ic6ca94de23b4a85a139a238731ff5c714a06a246
Signed-off-by: Oh Eomji <eomji.oh@samsung.com>

[RAMEN9610-20768][9610] ifconn delete deadcode

Change-Id: Ib3816f68851274a70b46349deabe75eec37b7b0a
Signed-off-by: Jinsu Park <js00.park@samsung.com>

[RAMEN9610-20768][9610] s2mu106_usbpd delete deadcode

Change-Id: I2bac68122656f6f5276ff9dc4fb995eda15d4be3
Signed-off-by: Jinsu Park <js00.park@samsung.com>

[RAMEN9610-20768][9610] s2mu106_muic move break

Change-Id: Id0d99453289b85aabf12dbb5b04a057198c527d5
Signed-off-by: Jinsu Park <js00.park@samsung.com>

[RAMEN9610-20759]wlbt: Changes to set key type as IGTK for BIP_GMAC ciphers

Currently driver sets the key type as IGTK for cipher suite :
(0x000FAC, 6 :WLAN_CIPHER_SUITE_AES_CMAC).
Driver should set the key type to IGTK for cipher suites
WLAN_CIPHER_SUITE_BIP_GMAC_128, WLAN_CIPHER_SUITE_BIP_GMAC_256 also.

Change-Id: Idfeb67fe9c170a12ebba89d59c2235a1b37f36e5
SCSC-Bug-Id: HOST-11211
Signed-off-by: Sushant B Butta <b.sushant@samsung.com>

[RAMEN9610-20756][COMMON] scsi: ufs: Change SSU timeout from 5s to 23s.

Micron UFS SSU is spend 20s when disk full status.

Change-Id: Ic01638f71e82a9498d5f29ea595aeba298347f81
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-20756][RAMEN9610-18380][COMMON] scsi: scsi_sysfs: Remove async_suspend.

async_suspend sometimes make watchdog reset when suspend.
So, Disable async_suspend.

Change-Id: Ifb9286003ef25aee9f89599c32e4ea6f370806de
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>
Signed-off-by: Kim Gunho <gunho.kim@samsung.com>

[RAMEN9610-20756][RAMEN9610-18204][COMMON] scsi: ufs: Change timeout for start_stop from 60s to 5s

Watchdog is 26s.
60s is too long in mobile device.
So, Change it.

Change-Id: Ic874ce9dca62649e9d33d25ee6251cc123e2001d
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>
Signed-off-by: Kim Gunho <gunho.kim@samsung.com>

[RAMEN9610-20756][COMMON] scsi: sd: Change scsi timeout form 30s to 5s.

UFS has very fast response device. So, We decrease timeout for recovery.

Change-Id: I4c0a6375413839a8495045a771ab50ff23edc614
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-20754][9610] ASoC: abox: requested cpu gear to hold the usage count of PM

Change-Id: I71181515f075308319156c5964298cec18b71750
Signed-off-by: ShinHyung <s47.kang@samsung.com>

[RAMEN9610-20751]ext4: zero out the unused memory region in the extent tree block

commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.

This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.

This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.

This fixes CVE-2019-11833.

Change-Id: I3dcc0bd0e41a601134041953158d73506110a88a
Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[RAMEN9610-20751]BACKPORT: binder: Set end of SG buffer area properly.

In case the target node requests a security context, the
extra_buffers_size is increased with the size of the security context.
But, that size is not available for use by regular scatter-gather
buffers; make sure the ending of that buffer is marked correctly.

Bug: 136210786
Acked-by: Todd Kjos <tkjos@google.com>
Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable@vger.kernel.org # 5.1+
Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a56587065094fd96eb4c2b5ad65571daad32156d)

Change-Id: I415785c0e210c51a5ae1c90e6783f2beb7bdd86c

[RAMEN9610-20751]binder: fix possible UAF when freeing buffer

commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream.

There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.

Change-Id: I6b9b6a0b9e85b0953d5b53f62fb2ad35f62e1a23
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ERD][RAMEN9610-20750][RAMEN9610-18757] fbdev: dpu: lcd status notifier is added

Change-Id: I283f452e6ae88ddff4a7229d1e2b71c90c2d53ff
Signed-off-by: hwangjae lee <hj-yo.lee@samsung.com>
Signed-off-by: ChiHun Won <chihun.won@samsung.com>

[RAMEN9610-20741]UPSTREAM: xfrm: Make set-mark default behavior backward compatible

Fixes 9b42c1f, which changed the default route lookup behavior for
tunnel mode SAs in the outbound direction to use the skb mark, whereas
previously mark=0 was used if the output mark was unspecified. In
mark-based routing schemes such as Android’s, this change in default
behavior causes routing loops or lookup failures.

This patch restores the default behavior of using a 0 mark while still
incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
specified.

Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/860150

Fixes: 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking")
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit e2612cd496e7b465711d219ea6118893d7253f52)
Bug: 122236988
Test: Passes kernel tests
Change-Id: I1289b5b7b1eb93c6d99a0ba7d28e24c3eb25883d
Signed-off-by: Benedict Wong <benedictwong@google.com>

[RAMEN9610-20741]UPSTREAM: xfrm: fix ptr_ret.cocci warnings

net/xfrm/xfrm_interface.c:692:1-3: WARNING: PTR_ERR_OR_ZERO can be used

Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR

Generated by: scripts/coccinelle/api/ptr_ret.cocci

Fixes: 44e2b838c24d ("xfrm: Return detailed errors from xfrmi_newlink")
CC: Benedict Wong <benedictwong@google.com>
Signed-off-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit c6f5e017df9dfa9f6cbe70da008e7d716d726f1b)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Test: All kernel net-tests run, passing (20x repeated)
Change-Id: I4ec93c0427fded57ff5126dc7b3d97d9b5fd615b

[RAMEN9610-20741]UPSTREAM: xfrm: Return detailed errors from xfrmi_newlink

Currently all failure modes of xfrm interface creation return EEXIST.
This change improves the granularity of errnos provided by also
returning ENODEV or EINVAL if failures happen in looking up the
underlying interface, or a required parameter is not provided.

This change has been tested against the Android Kernel Networking Tests,
with additional xfrmi_newlink tests here:

https://android-review.googlesource.com/c/kernel/tests/+/715755

Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 44e2b838c24d883dae8496dc7b6ddac7956ba53c)
Bug: 113046120
Change-Id: Ic680bf1e4a828aaae01b289223d9396a551eefd2

[RAMEN9610-20741]UPSTREAM: xfrm: Allow xfrmi if_id to be updated by UPDSA

Allow attaching an SA to an xfrm interface id after
the creation of the SA, so that tasks such as keying
which must be done as the SA is created, can remain
separate from the decision on how to route traffic
from an SA. This permits SA creation to be decomposed
in to three separate steps:
1) allocation of a SPI
2) algorithm and key negotiation
3) insertion into the data path

Signed-off-by: Nathan Harold <nharold@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 5baf4f9c0035f3e33bb693a1a1e87599f6e804e6)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I45a4bf725f3b8eaa8dae3266f9c411febb4c8720

[RAMEN9610-20741]UPSTREAM: xfrm: Remove xfrmi interface ID from flowi

In order to remove performance impact of having the extra u32 in every
single flowi, this change removes the flowi_xfrm struct, prefering to
take the if_id as a method parameter where needed.

In the inbound direction, if_id is only needed during the
__xfrm_check_policy() function, and the if_id can be determined at that
point based on the skb. As such, xfrmi_decode_session() is only called
with the skb in __xfrm_check_policy().

In the outbound direction, the only place where if_id is needed is the
xfrm_lookup() call in xfrmi_xmit2(). With this change, the if_id is
directly passed into the xfrm_lookup_with_ifid() call. All existing
callers can still call xfrm_lookup(), which uses a default if_id of 0.

This change does not change any behavior of XFRMIs except for improving
overall system performance via flowi size reduction.

This change has been tested against the Android Kernel Networking Tests:

https://android.googlesource.com/kernel/tests/+/master/net/test

Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit bc56b33404599edc412b91933d74b36873e8ea25)
Bug: 113046120
Change-Id: Icd3a1ea08427b91c54a64318d9dbb9acfb5d429a

[RAMEN9610-20741]UPSTREAM: xfrm: Allow Set Mark to be Updated Using UPDSA

Allow UPDSA to change "set mark" to permit
policy separation of packet routing decisions from
SA keying in systems that use mark-based routing.

The set mark, used as a routing and firewall mark
for outbound packets, is made update-able which
allows routing decisions to be handled independently
of keying/SA creation. To maintain consistency with
other optional attributes, the set mark is only
updated if sent with a non-zero value.

The per-SA lock and the xfrm_state_lock are taken in
that order to avoid a deadlock with
xfrm_timer_handler(), which also takes the locks in
that order.

Signed-off-by: Nathan Harold <nharold@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 6d8e85ffe17895d7bc632dfbaa9e2e33b22fe873)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: Ie7ab34ca38aedb034cf5aa83457c552c43f4f566

[RAMEN9610-20741]UPSTREAM: xfrm: Add virtual xfrm interfaces

This patch adds support for virtual xfrm interfaces.
Packets that are routed through such an interface
are guaranteed to be IPsec transformed or dropped.
It is a generic virtual interface that ensures IPsec
transformation, no need to know what happens behind
the interface. This means that we can tunnel IPv4 and
IPv6 through the same interface and support all xfrm
modes (tunnel, transport and beet) on it.

Co-developed-by: Lorenzo Colitti <lorenzo@google.com>
Co-developed-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Shannon Nelson <shannon.nelson@oracle.com>
Tested-by: Benedict Wong <benedictwong@google.com>
Tested-by: Antony Antony <antony@phenome.org>
Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
(cherry picked from commit f203b76d78092faf248db3f851840fbecf80b40e)
Bug: 113046120
Change-Id: I05e8fe1e8a8a4b01886504ce694ddda29e4fbec6

[RAMEN9610-20741]UPSTREAM: xfrm: Add a new lookup key to match xfrm interfaces.

This patch adds the xfrm interface id as a lookup key
for xfrm states and policies. With this we can assign
states and policies to virtual xfrm interfaces.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Shannon Nelson <shannon.nelson@oracle.com>
Acked-by: Benedict Wong <benedictwong@google.com>
Tested-by: Benedict Wong <benedictwong@google.com>
Tested-by: Antony Antony <antony@phenome.org>
Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
(cherry picked from commit 7e6526404adedf079279aa7aa11722deaca8fe2e)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I27d7757a374b0bd5f97c3e723773d6c7470a0717

[RAMEN9610-20741]UPSTREAM: flow: Extend flow informations with xfrm interface id.

Add a new flowi_xfrm structure with informations needed to do
a xfrm lookup. At the moment it keeps the informations about
the new xfrm interface id needed to lookup xfrm interfaces
that are introduced with a followup patch. We need this new
lookup key as other possible keys, like the ifindex is
already part of the xfrm selector and used as a key to
enforce the output device after the transformation in the
policy/state lookup.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Shannon Nelson <shannon.nelson@oracle.com>
Acked-by: Benedict Wong <benedictwong@google.com>
Tested-by: Benedict Wong <benedictwong@google.com>
Tested-by: Antony Antony <antony@phenome.org>
Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
(cherry picked from commit d159ce7957eec306eacda672e5909e26675ca8ef)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I70b520d3cf67cd663e84868b0e7cc45ffa74d080

[RAMEN9610-20741]UPSTREAM: xfrm: Extend the output_mark to support input direction and masking.

We already support setting an output mark at the xfrm_state,
unfortunately this does not support the input direction and
masking the marks that will be applied to the skb. This change
adds support applying a masked value in both directions.

The existing XFRMA_OUTPUT_MARK number is reused for this purpose
and as it is now bi-directional, it is renamed to XFRMA_SET_MARK.

An additional XFRMA_SET_MARK_MASK attribute is added for setting the
mask. If the attribute mask not provided, it is set to 0xffffffff,
keeping the XFRMA_OUTPUT_MARK existing 'full mask' semantics.

Co-developed-by: Tobias Brunner <tobias@strongswan.org>
Co-developed-by: Eyal Birger <eyal.birger@gmail.com>
Co-developed-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
(cherry picked from commit 9b42c1f179a614e11893ae4619f0304a38f481ae)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I582f0b460dc58f01e0c30afb6167725aa337d054

[RAMEN9610-20741]UPSTREAM: xfrm: fix XFRMA_OUTPUT_MARK policy entry

This seems to be an obvious typo, NLA_U32 is type of the attribute, not its
(minimal) length.

Fixes: 077fbac405bf ("net: xfrm: support setting an output mark.")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit e719135881f00c01ca400abb8a5dadaf297a24f9)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I4c1a8de03febfa246b99c7eb67d77f74a1e3ba93

[RAMEN9610-20734][COMMON] lib: dss: register valid reserved memory

for user build, debug snapshot minimize reserved area,
but both node exists in reserved mem node of device tree.
So, skip reserve invalid dss's reserved memory area.

Change-Id: I6d1c24edf61556d0a8c314cee7b2896e8c5c45a3
Signed-off-by: Donghyeok Choe <d7271.choe@samsung.com>

[RAMEN9610-20734][COMMON] soc: samsung: clean dump_en when DEBUG_SNAPSHOT is disabled

This commit supports CONFIG_DEBUG_SNAPSHOT is disabled.
If it does, dump_en bit is de-asserted, and then it prevents
into entering fastboot.

Change-Id: Ie4657ff6e4afcf93ece0e5139252aa469beec790
Signed-off-by: Hosung Kim <hosung0.kim@samsung.com>

[RAMEN9610-20734][COMMON] lib: dss: fix to support DSS disabled

This commit supports when CONFIG_DEBUG_SNAPSHOT is disabled.

Change-Id: I9706d1bb2b715fa7c4cf2a1059fa4498c9e451fc
Signed-off-by: Hosung Kim <hosung0.kim@samsung.com>

[ERD][RAMEN9610-20672][MODAP-49764][COMMON] chub_ipc: fix spin_unlock error with ipc evt full

This patch fixed spin_lock error with ipc evt full.
And then, Added the slient reset with ipc evt failure.

Change-Id: Ia5cef3f10b2b5fd1afe38ba54bbae085227872c0
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[ERD][RAMEN9610-20672][MODAP-49617][COMMON] chub: run nanohub_kthread after contexthub_poweron

Change-Id: I3d17afb81db7606d4de4e037cb080a88d7196368
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[ERD][RAMEN9610-20672][COMMON] chub: add the validation of ipc index

Change-Id: I621610545307bbc3fc1286fa2ff9efbcd55f8da7
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[RAMEN9610-20695][COMMON] wlbt: Add support for testPasspointCapability

For GTS need to add support for testPasspointCapability

Change-Id: I7b60487078297aa910bbb3546aa6e60f77d6766d
SCSC-Bug-Id: HOST-11169
Signed-off-by: Abhishek Chaudhary <ab.chaudhary@samsung.com>

[RAMEN9610-20656]wlbt: Vts failed for configure_roaming API.

Modified set_bssid_blacklist to check proper length
for bssid attribute.

Change-Id: I0867246112f1059b2abf20ffdab171d2e733c695
SCSC-Bug-Id: HOST-10743
Signed-off-by: Himani Gupta <himani.g2@samsung.com>

[RAMEN9610-20643][NEUS7920-6688][ERD][COMMON] chub: fix prevent error (CID:275678,275715)

Change-Id: I4fef5095fe76fb8a6951f586f65e8a5bf2a39a97
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[RAMEN9610-20563][9610] : drivers : ccic : fix ccic rp threshold operating Source

Change-Id: I57e76dc68a94f1f8085b71d783f2b8145f816c99
Signed-off-by: Jinsu Park <js00.park@samsung.com>

[ERD][RAMEN9610-20560][MODAP-47871][COMMON] chub: check ipc index and run status

This patch checks the ipc index and the run status of chub.

Change-Id: I9165b1374641520965567493317c918a245e1d8d
Signed-off-by: Boojin Kim <boojin.kim@samsung.com>

[RAMEN9610-20555][COMMON] scsi: ufs: Add device reset when return error in query cmd.

UFS device is not responsed when return -EAGAIN.
So, It need device reset for working.

================================================================================================
<3>[  715.766410,1] exynos-ufs 13520000.ufs: ufshcd_print_pwr_info:[RX, TX]: gear=[1, 1], lane[1, 1], pwr[SLOWAUTO_MODE, SLOWAUTO_MODE], rate = 0
<6>[  715.768915,1] exynos-ufs 13520000.ufs: UFS link established
<3>[  716.376936,3] exynos-ufs 13520000.ufs: ufshcd_query_flag: Sending flag query for idn 1 failed, err = -11
<6>[  716.578308,1] acpm_noti_mif_callback : req 1794000 KHz
<3>[  716.990135,3] exynos-ufs 13520000.ufs: ufshcd_query_flag: Sending flag query for idn 1 failed, err = -11
<6>[  717.434411,1] acpm_noti_mif_callback : req 419000 KHz
<3>[  717.603532,3] exynos-ufs 13520000.ufs: ufshcd_query_flag: Sending flag query for idn 1 failed, err = -11
<3>[  717.603555,3] exynos-ufs 13520000.ufs: ufshcd_query_flag_retry: query attribute, opcode 6, idn 1, failed with error -11 after 3 retires
<3>[  717.603567,3] exynos-ufs 13520000.ufs: ufshcd_complete_dev_init setting fDeviceInit flag failed with error -11
<3>[  717.603577,3] exynos-ufs 13520000.ufs: ufshcd_probe_hba failed with err -11, retrying:1
....
<3>[  748.447849,3] exynos-ufs 13520000.ufs: UPIU[2] - issue time 717847005 us
<3>[  748.447868,3] exynos-ufs 13520000.ufs: UPIU[2] - Transfer Request Descriptor phys@0x8fc042040
...
<3>[  748.753470,3] exynos-ufs 13520000.ufs: ufshcd_issue_tm_cmd: task management cmd 0x80 timed-out
<3>[  748.753553,3] exynos-ufs 13520000.ufs: ufshcd_abort: no response from device. tag = 2, err -110
<3>[  748.753594,3] exynos-ufs 13520000.ufs: ufshcd_abort: query task failed with err -110
<3>[  748.753636,3] exynos-ufs 13520000.ufs: ufshcd_abort: failed with err -110
<3>[  748.753718,3] exynos-ufs 13520000.ufs: ufshcd_abort: tag:1, cmd:0x2a, lba:0x00bb993c, sct:0x0001, retries 0
<3>[  748.753764,3] exynos-ufs 13520000.ufs: ufshcd_abort: Device abort task at tag 1
=================================================================================================

Change-Id: I73609250b8454d3b0dfd928cb1643992f2117672
Signed-off-by: JaeHun Jung <jh0801.jung@samsung.com>

[RAMEN9610-20538]ion: fix wrong argument for dma_flush_area.

Change-Id: Idb3933c35b9b53d6d7c30c03db3d6d91a9f00034
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

[RAMEN9610-20413][lv] host update 10.6.1.1 for lenovo only

add ipv4 multicast packet filter again.
add prevent issue fix : 310263

Change-Id: I3895000b184dd6c8731b7ead4343056deb9d80cc
Signed-off-by: Youngsoo <youngss.kim@samsung.com>

[RAMEN9610-20413][9610] wlbt: SCSC Driver version 10.6.1.0

SCSC Driver version 10.6.1.0

Change-Id: Ib3cae4b7bce4b448477a1d5d0e92e4bad364282a
SCSC-Bug-Id: Rels-3171
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-20413][9610] [9630] wlbt: Delete SCSC drivers before update

Remove existing SCSC drivers before applying update

Change-Id: Ia9b0382ae916227a19498733ac362e8fdf752066
SCSC-Bug-Id: Rels-3171
Signed-off-by: Tarun Karela <t.karela@samsung.com>

[RAMEN9610-20350][9610] drivers: muic: support bad TA

Change-Id: I605bf8bbd5df0dfeea091836bd90cdeca5dfad34
Signed-off-by: Kim Taejeong <tj.kim@samsung.com>
Signed-off-by: Kim Gunho <gunho.kim@samsung.com>

[ERD][RAMEN9610-20347]arm64: defconfig: add CPU_FREQ_TIMES

Change-Id: I9292c790830c406e80d1b623d6946e0ba79fbe19
Signed-off-by: Sangkyu Kim <skwith.kim@samsung.com>

[ERD][RAMEN9610-20347]ANDROID: cpufreq: times: optimize proc files

The majority of the time spent reading /proc/uid_time_in_state is due
to seq_printf calls. Use the faster seq_put_* variations instead.

Also skip empty hash buckets in uid_seq_next for a further performance
improvement.

Bug: 111216804
Test: Read /proc/uid_time_in_state and confirm output is sane
Test: Compare read times to confirm performance improvement
Change-Id: I9a735a591b0f1d879dba8e1d9dd05bb47e18a9c5
Signed-off-by: Connor O'Brien <connoro@google.com>