From 35a2816c3280e3a2f9567420b4e6477d87f25eaf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 22 Jan 2024 07:05:34 -0800
Subject: [PATCH] 4.19-stable patches added patches: binder-fix-async-space-check-for-0-sized-buffers.patch
---
 ...sync-space-check-for-0-sized-buffers.patch | 44 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 45 insertions(+)
 create mode 100644 queue-4.19/binder-fix-async-space-check-for-0-sized-buffers.patch
diff --git a/queue-4.19/binder-fix-async-space-check-for-0-sized-buffers.patch b/queue-4.19/binder-fix-async-space-check-for-0-sized-buffers.patch
new file mode 100644
index 00000000000..ccd9e008318
--- /dev/null
+++ b/queue-4.19/binder-fix-async-space-check-for-0-sized-buffers.patch
@@ -0,0 +1,44 @@
+From 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:33 +0000
+Subject: binder: fix async space check for 0-sized buffers
+
+From: Carlos Llamas
+
+commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
+
+Move the padding of 0-sized buffers to an earlier stage to account for
+this round up during the alloc->free_async_space check.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -398,6 +398,10 @@ static struct binder_buffer *binder_allo
+ alloc->pid, extra_buffers_size);
+ return ERR_PTR(-EINVAL);
+ }
++
++ /* Pad 0-size buffers so they get assigned unique addresses */
++ size = max(size, sizeof(void *));
++
+ if (is_async &&
+ alloc->free_async_space < size + sizeof(struct binder_buffer)) {
+ binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
+@@ -406,9 +410,6 @@ static struct binder_buffer *binder_allo
+ return ERR_PTR(-ENOSPC);
+ }
+
+- /* Pad 0-size buffers so they get assigned unique addresses */
+- size = max(size, sizeof(void *));
+-
+ while (n) {
+ buffer = rb_entry(n, struct binder_buffer, rb_node);
+ BUG_ON(!buffer->free);
diff --git a/queue-4.19/series b/queue-4.19/series
index fba6603d0ef..05f890ef6a4 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -109,3 +109,4 @@ watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch
 mmc-sdhci_omap-fix-ti-soc-dependencies.patch
 of-fix-double-free-in-of_parse_phandle_with_args_map.patch
 of-unittest-fix-of_count_phandle_with_args-expected-.patch
+binder-fix-async-space-check-for-0-sized-buffers.patch
--
2.47.3
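Review bot: The relocated comment in the first inner hunk (`@@ -398,6 +398,10 @@` of drivers/android/binder_alloc.c) still gives only the unique-address reason for the padding, so nothing in the code records that its position ahead of the `alloc->free_async_space` check now matters. The commit message says the move exists so the round-up is counted in that check, so I would extend the comment to `/* Pad 0-size buffers so they get assigned unique addresses; keep this before the free_async_space check so the padded size is what is accounted */`. The path that credits `free_async_space` back when a buffer is freed is not in this hunk, so it is worth confirming against the 4.19 tree that it returns the same padded size. The enclosing function starts and ends outside the hunk.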