From 1e3ddb91657ba702ee20a4d9e560d54cf5098461 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 22 Jan 2024 07:05:57 -0800
Subject: [PATCH] 5.4-stable patches

added patches:
binder-fix-async-space-check-for-0-sized-buffers.patch
---
...sync-space-check-for-0-sized-buffers.patch | 44 +++++++++++++++++++
queue-5.4/series | 1 +
2 files changed, 45 insertions(+)
create mode 100644 queue-5.4/binder-fix-async-space-check-for-0-sized-buffers.patch

diff --git a/queue-5.4/binder-fix-async-space-check-for-0-sized-buffers.patch b/queue-5.4/binder-fix-async-space-check-for-0-sized-buffers.patch
new file mode 100644
index 00000000000..978b3afd1f4
--- /dev/null
+++ b/queue-5.4/binder-fix-async-space-check-for-0-sized-buffers.patch
@@ -0,0 +1,44 @@
+From 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:33 +0000
+Subject: binder: fix async space check for 0-sized buffers
+
+From: Carlos Llamas
+
+commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
+
+Move the padding of 0-sized buffers to an earlier stage to account for
+this round up during the alloc->free_async_space check.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -378,6 +378,10 @@ static struct binder_buffer *binder_allo
+ alloc->pid, extra_buffers_size);
+ return ERR_PTR(-EINVAL);
+ }
++
++ /* Pad 0-size buffers so they get assigned unique addresses */
++ size = max(size, sizeof(void *));
++
+ if (is_async &&
+ alloc->free_async_space < size + sizeof(struct binder_buffer)) {
+ binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+@@ -386,9 +390,6 @@ static struct binder_buffer *binder_allo
+ return ERR_PTR(-ENOSPC);
+ }
+
+- /* Pad 0-size buffers so they get assigned unique addresses */
+- size = max(size, sizeof(void *));
+-
+ while (n) {
+ buffer = rb_entry(n, struct binder_buffer, rb_node);
+ BUG_ON(!buffer->free);
diff --git a/queue-5.4/series b/queue-5.4/series
index f39cad96fe8..2c16f97325c 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -136,3 +136,4 @@ clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch
 mmc-sdhci_omap-fix-ti-soc-dependencies.patch
 of-fix-double-free-in-of_parse_phandle_with_args_map.patch
 of-unittest-fix-of_count_phandle_with_args-expected-.patch
+binder-fix-async-space-check-for-0-sized-buffers.patch
--
2.47.3
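Review bot: The comment that moves with the padding in the first binder_alloc.c hunk (`/* Pad 0-size buffers so they get assigned unique addresses */`) no longer records why the statement sits where it does: its position ahead of the `is_async` test is now what makes `alloc->free_async_space < size + sizeof(struct binder_buffer)` compare against the padded size. I would extend it to something like `/* Pad 0-size buffers so they get unique addresses; keep this before the free_async_space check so the async budget is tested against the padded size */`, so a later cleanup does not move it back below the check. The enclosing function starts and ends outside the hunk, so the place where free_async_space is later debited is not visible here; it is worth confirming in the 5.4 tree that the debit uses the same padded size the check now sees.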