From b35bf678f2d065c47f45a714997f22b932fec0bb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 18 Jan 2024 11:41:14 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
binder-use-epollerr-from-eventpoll.h.patch
coresight-etm4x-fix-width-of-ccitmin-field.patch
uio-fix-use-after-free-in-uio_open.patch
---
 ...on-binder_alloc_new_buf-return-value.patch | 35 +++++++++
 ...binder-use-epollerr-from-eventpoll.h.patch | 38 ++++++++++
 ...ght-etm4x-fix-width-of-ccitmin-field.patch | 47 ++++++++++++
 ...-crtc-fix-uninitialized-variable-use.patch | 11 +--
 queue-4.19/series | 4 +
 .../uio-fix-use-after-free-in-uio_open.patch | 74 +++++++++++++++++++
 6 files changed, 201 insertions(+), 8 deletions(-)
 create mode 100644 queue-4.19/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
 create mode 100644 queue-4.19/binder-use-epollerr-from-eventpoll.h.patch
 create mode 100644 queue-4.19/coresight-etm4x-fix-width-of-ccitmin-field.patch
 create mode 100644 queue-4.19/uio-fix-use-after-free-in-uio_open.patch

diff --git a/queue-4.19/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch b/queue-4.19/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
new file mode 100644
index 00000000000..13b90cb2fc1
--- /dev/null
+++ b/queue-4.19/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
@@ -0,0 +1,35 @@
+From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:36 +0000
+Subject: binder: fix comment on binder_alloc_new_buf() return value
+
+From: Carlos Llamas
+
+commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
+
+Update the comments of binder_alloc_new_buf() to reflect that the return
+value of the function is now ERR_PTR(-errno) on failure.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures")
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -535,7 +535,7 @@ err_alloc_buf_struct_failed:
+ * is the sum of the three given sizes (each rounded up to
+ * pointer-sized boundary)
+ *
+- * Return: The allocated buffer or %NULL if error
++ * Return: The allocated buffer or %ERR_PTR(-errno) if error
+ */
+ struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
+ size_t data_size,
diff --git a/queue-4.19/binder-use-epollerr-from-eventpoll.h.patch b/queue-4.19/binder-use-epollerr-from-eventpoll.h.patch
new file mode 100644
index 00000000000..13101f6c9ad
--- /dev/null
+++ b/queue-4.19/binder-use-epollerr-from-eventpoll.h.patch
@@ -0,0 +1,38 @@
+From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 1 Dec 2023 17:21:30 +0000
+Subject: binder: use EPOLLERR from eventpoll.h
+
+From: Carlos Llamas
+
+commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
+
+Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
+__poll_t type. This fixes the following sparse issue:
+
+ drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
+ drivers/android/binder.c:5030:24: expected restricted __poll_t
+ drivers/android/binder.c:5030:24: got int
+
+Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()")
+Cc: stable@vger.kernel.org
+Cc: Eric Biggers
+Reviewed-by: Alice Ryhl
+Signed-off-by: Carlos Llamas
+Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4462,7 +4462,7 @@ static __poll_t binder_poll(struct file
+
+ thread = binder_get_thread(proc);
+ if (!thread)
+- return POLLERR;
++ return EPOLLERR;
+
+ binder_inner_proc_lock(thread->proc);
+ thread->looper |= BINDER_LOOPER_STATE_POLL;
diff --git a/queue-4.19/coresight-etm4x-fix-width-of-ccitmin-field.patch b/queue-4.19/coresight-etm4x-fix-width-of-ccitmin-field.patch
new file mode 100644
index 00000000000..cc0f79bdf16
--- /dev/null
+++ b/queue-4.19/coresight-etm4x-fix-width-of-ccitmin-field.patch
@@ -0,0 +1,47 @@
+From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001
+From: James Clark
+Date: Wed, 1 Nov 2023 11:52:06 +0000
+Subject: coresight: etm4x: Fix width of CCITMIN field
+
+From: James Clark
+
+commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream.
+
+CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16.
+This probably wasn't an issue previously because values higher than 255
+never occurred.
+
+But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN
+on errata affected cpus"), a comparison with 256 was done to enable the
+errata, generating the following W=1 build error:
+
+ coresight-etm4x-core.c:1188:24: error: result of comparison of
+ constant 256 with expression of type 'u8' (aka 'unsigned char') is
+ always false [-Werror,-Wtautological-constant-out-of-range-compare]
+
+ if (drvdata->ccitmin == 256)
+
+Cc: stable@vger.kernel.org
+Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver")
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/
+Reviewed-by: Mike Leach
+Signed-off-by: James Clark
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwtracing/coresight/coresight-etm4x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.h
++++ b/drivers/hwtracing/coresight/coresight-etm4x.h
+@@ -363,7 +363,7 @@ struct etmv4_drvdata {
+ u8 ctxid_size;
+ u8 vmid_size;
+ u8 ccsize;
+- u8 ccitmin;
++ u16 ccitmin;
+ u8 s_ex_level;
+ u8 ns_ex_level;
+ u8 q_support;
diff --git a/queue-4.19/drm-crtc-fix-uninitialized-variable-use.patch b/queue-4.19/drm-crtc-fix-uninitialized-variable-use.patch
index 48eff536ae3..680a402958f 100644
--- a/queue-4.19/drm-crtc-fix-uninitialized-variable-use.patch
+++ b/queue-4.19/drm-crtc-fix-uninitialized-variable-use.patch
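Review bot: The widened `ccitmin` member carries no comment recording that it holds a 12-bit register field, which is the only fact a later reader needs in order not to shrink it back to u8; suggest `u16 ccitmin; /* TRCIDR3.CCITMIN, 12-bit field */` on the added line. If the 4.19 tree lacks the errata-override commit the message cites, this backport only corrects latent truncation, so any 4.19 reader of the field that assumed a u8 (a sysfs show format, for instance) should be checked — not visible here. The change also leaves `ccitmin` as the single non-u8 member in this run of the struct, which only affects padding but is worth knowing if the struct is ever sized or copied by hand. struct etmv4_drvdata continues outside the hunk.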
@@ -25,14 +25,12 @@ Signed-off-by: Maxime Ripard
 Link: https://patchwork.freedesktop.org/patch/msgid/20231208131238.2924571-1-jani.nikula@intel.com
 Signed-off-by: Sasha Levin
 ---
- drivers/gpu/drm/drm_crtc.c | 3 +--
+ drivers/gpu/drm/drm_crtc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 
-diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
-index 52a1bfeef0d9..22eba10af165 100644
 --- a/drivers/gpu/drm/drm_crtc.c
 +++ b/drivers/gpu/drm/drm_crtc.c
-@@ -573,7 +573,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+@@ -573,7 +573,7 @@ int drm_mode_setcrtc(struct drm_device *
 struct drm_mode_set set;
 uint32_t __user *set_connectors_ptr;
 struct drm_modeset_acquire_ctx ctx;
@@ -41,7 +39,7 @@ index 52a1bfeef0d9..22eba10af165 100644
 if (!drm_core_check_feature(dev, DRIVER_MODESET))
 return -EINVAL;
 
-@@ -718,7 +718,6 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+@@ -718,7 +718,6 @@ retry:
 goto out;
 }
 
@@ -49,6 +47,3 @@ index 52a1bfeef0d9..22eba10af165 100644
 for (i = 0; i < crtc_req->count_connectors; i++) {
 connector_set[i] = NULL;
 set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
---
-2.43.0
-
diff --git a/queue-4.19/series b/queue-4.19/series
index f4e09b7db65..c7a725dce85 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -20,3 +20,7 @@ arc-fix-spare-error.patch
 input-xpad-add-razer-wolverine-v2-support.patch
 arm-sun9i-smp-fix-return-code-check-of-of_property_m.patch
 drm-crtc-fix-uninitialized-variable-use.patch
+binder-use-epollerr-from-eventpoll.h.patch
+binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
+uio-fix-use-after-free-in-uio_open.patch
+coresight-etm4x-fix-width-of-ccitmin-field.patch
diff --git a/queue-4.19/uio-fix-use-after-free-in-uio_open.patch b/queue-4.19/uio-fix-use-after-free-in-uio_open.patch
new file mode 100644
index 00000000000..a622f41cfb5
--- /dev/null
+++ b/queue-4.19/uio-fix-use-after-free-in-uio_open.patch
@@ -0,0 +1,74 @@
+From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001
+From: Guanghui Feng
+Date: Thu, 21 Dec 2023 17:57:43 +0800
+Subject: uio: Fix use-after-free in uio_open
+
+From: Guanghui Feng
+
+commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
+
+core-1 core-2
+-------------------------------------------------------
+uio_unregister_device uio_open
+ idev = idr_find()
+device_unregister(&idev->dev)
+put_device(&idev->dev)
+uio_device_release
+ get_device(&idev->dev)
+kfree(idev)
+uio_free_minor(minor)
+ uio_release
+ put_device(&idev->dev)
+ kfree(idev)
+-------------------------------------------------------
+
+In the core-1 uio_unregister_device(), the device_unregister will kfree
+idev when the idev->dev kobject ref is 1. But after core-1
+device_unregister, put_device and before doing kfree, the core-2 may
+get_device. Then:
+1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
+2. When core-2 do uio_release and put_device, the idev will be double
+ freed.
+
+To address this issue, we can get idev atomic & inc idev reference with
+minor_lock.
+
+Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
+Cc: stable
+Signed-off-by: Guanghui Feng
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -464,13 +464,13 @@ static int uio_open(struct inode *inode,
+
+ mutex_lock(&minor_lock);
+ idev = idr_find(&uio_idr, iminor(inode));
+- mutex_unlock(&minor_lock);
+ if (!idev) {
+ ret = -ENODEV;
++ mutex_unlock(&minor_lock);
+ goto out;
+ }
+-
+ get_device(&idev->dev);
++ mutex_unlock(&minor_lock);
+
+ if (!try_module_get(idev->owner)) {
+ ret = -ENODEV;
+@@ -1019,9 +1019,8 @@ void uio_unregister_device(struct uio_in
+ idev->info = NULL;
+ mutex_unlock(&idev->info_lock);
+
+- device_unregister(&idev->dev);
+-
+ uio_free_minor(minor);
++ device_unregister(&idev->dev);
+
+ return;
+ }
--
2.47.3
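Review bot: The reason for the new ordering in uio_unregister_device() — `uio_free_minor(minor)` now before `device_unregister(&idev->dev)` — is not recorded in the code, and it is the half of this use-after-free fix a later tidy-up is most likely to undo; suggest a comment on the moved line, `/* Remove the minor first so uio_open() cannot find idev after the last reference is dropped. */`. The matching invariant in uio_open() deserves a comment on the `get_device()` that now sits under `minor_lock`: the reference has to be taken before the lock is released, presumably because uio_free_minor() removes the idr entry under that same lock (confirm in the 4.19 tree; not visible here). The duplicated `mutex_unlock(&minor_lock)` in the error branch and after `get_device()` could be collapsed by taking the reference conditionally and unlocking once: `if (idev) get_device(&idev->dev); mutex_unlock(&minor_lock); if (!idev) { ret = -ENODEV; goto out; }`. Both uio_open() and uio_unregister_device() continue outside the hunk.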