From 157b63879e8fb8f44d084ae47545f0603eca5cc6 Mon Sep 17 00:00:00 2001 From: Albert I Date: Sun, 30 May 2021 17:28:40 +0800 Subject: [PATCH 1/4] Revert "of/fdt: Use memblock_remove() for "no-map" on select Qualcomm SoCs" This reverts commit 5cd209285d2f3fa1b24659cdc48f0c6fe9f6dcf8. The whole patchset is reverted with v4.9.269. Signed-off-by: Albert I --- drivers/of/fdt.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c index 42094d7a6c76..b78ecc52f4eb 100644 --- a/drivers/of/fdt.c +++ b/drivers/of/fdt.c @@ -1192,11 +1192,7 @@ int __init __weak early_init_dt_reserve_memory_arch(phys_addr_t base, if (memblock_is_region_reserved(base, size)) return -EBUSY; -#if defined(CONFIG_ARCH_SDM670) || defined(CONFIG_ARCH_SDM845) - return memblock_remove(base, size); -#else return memblock_mark_nomap(base, size); -#endif } return memblock_reserve(base, size); } From e8e7356fcc3aba163b00dd1f0be53a2b7e431fb5 Mon Sep 17 00:00:00 2001 From: Swathi K Date: Wed, 14 Jul 2021 17:51:10 +0530 Subject: [PATCH 2/4] msm: adsprpc: Handle UAF in process shell memory Added flag to indicate memory used in process initialization. And, this memory would not removed in internal unmap to avoid UAF or double free. Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736 Signed-off-by: Swathi K --- drivers/char/adsprpc.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 40abe945d1ce..a6dc56eff5f1 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -361,6 +361,7 @@ struct fastrpc_mmap { int uncached; int secure; uintptr_t attr; + bool is_filemap; /*flag to indicate map used in process init*/ }; enum fastrpc_perfkeys { 
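Review bot: The new `is_filemap` field says what the bit means but not who owns a map once it is set, which is the point of the flag, since its only effect is to make `fastrpc_mmap_remove()` leave the map alone. The comment is also written as `/*flag ...*/` without the surrounding spaces the kernel's coding style uses. A comment such as `/* map backs process init: fastrpc_mmap_remove() skips it, presumably freed on fastrpc_file teardown — confirm */` would tell the next reader where the memory goes, with the release path checked against code outside this patch. The enclosing struct definition begins before the hunk.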
@@ -710,9 +711,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, spin_lock(&me->hlock); hlist_for_each_entry_safe(map, n, &me->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -724,9 +726,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va, return 0; } hlist_for_each_entry_safe(map, n, &fl->maps, hn) { - if (map->raddr == va && + if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - map->refs == 1) { + /*Remove map if not used in process initialization*/ + !map->is_filemap) { match = map; hlist_del_init(&map->hn); break; @@ -872,6 +875,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, map->fl = fl; map->fd = fd; map->attr = attr; + map->is_filemap = false; if (mflags == ADSP_MMAP_HEAP_ADDR || mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) { unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING | @@ -2277,6 +2281,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl, mutex_lock(&fl->fl_map_mutex); VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0, init->file, init->filelen, mflags, &file)); + if (file) + file->is_filemap = true; mutex_unlock(&fl->fl_map_mutex); if (err) goto bail; From d107eb6a946480a72aebf4d611adbf10928f176c Mon Sep 17 00:00:00 2001 From: Krishna Manikandan Date: Thu, 8 Jul 2021 11:17:16 +0530 Subject: [PATCH 3/4] disp: msm: sde: add null check for drm file in msm_release Drm file is not set to NULL after freeing it from drm release. This can result in use-after-free issues in some scenarios. Add a mutex lock and other proper null checks to prevent such issues. Change-Id: Ic35b0a76166b0f47a354b1737e6f4c3ac1437ed4 
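Review bot: Both loops in fastrpc_mmap_remove() (this hunk and the one at @@ -724) now skip a map whose `is_filemap` is set, but nothing in the patch shows the path that releases such a map when the process goes away, so the change trades the double free for a leak unless the fastrpc_file teardown frees it; that should be confirmed and stated in the commit message. The `/*Remove map if not used in process initialization*/` comment sits between two operands of the `if` condition, where kernel style would put it on its own line above the `if`, e.g. `/* Maps that back process init are owned by the init path; never remove them here. */`. The function's prologue, where `me`, `map` and `match` are set up, is outside the hunk.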
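Review bot: `file->is_filemap = true` is set after `fastrpc_mmap_create()` returns, so if creation already publishes the map on the per-file list (not visible here), the window before the flag is set is only closed if `fastrpc_mmap_remove()` also runs under `fl->fl_map_mutex`; the remove hunks above do not show that lock, so it is worth confirming. A one-line comment above the assignment, e.g. `/* mark before fl_map_mutex drops so an unmap cannot free the init map */`, would record the intent. The rest of fastrpc_init_process(), including where `file` is initialised and later used, is outside the hunk.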
Signed-off-by: Nirmal Abraham --- drivers/gpu/drm/msm/msm_drv.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index ff8c1cd9aba8..dd5fd575d45f 100755 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -57,6 +57,8 @@ #define MSM_VERSION_MINOR 2 #define MSM_VERSION_PATCHLEVEL 0 +static DEFINE_MUTEX(msm_release_lock); + static void msm_fb_output_poll_changed(struct drm_device *dev) { struct msm_drm_private *priv = NULL; @@ -1420,13 +1422,25 @@ void msm_mode_object_event_notify(struct drm_mode_object *obj, static int msm_release(struct inode *inode, struct file *filp) { struct drm_file *file_priv = filp->private_data; - struct drm_minor *minor = file_priv->minor; - struct drm_device *dev = minor->dev; - struct msm_drm_private *priv = dev->dev_private; + struct drm_minor *minor; + struct drm_device *dev; + struct msm_drm_private *priv; struct msm_drm_event *node, *temp, *tmp_node; u32 count; unsigned long flags; LIST_HEAD(tmp_head); + int ret = 0; + + mutex_lock(&msm_release_lock); + + if (!file_priv) { + ret = -EINVAL; + goto end; + } + + minor = file_priv->minor; + dev = minor->dev; + priv = dev->dev_private; spin_lock_irqsave(&dev->event_lock, flags); list_for_each_entry_safe(node, temp, &priv->client_event_list, @@ -1454,7 +1468,18 @@ static int msm_release(struct inode *inode, struct file *filp) kfree(node); } - return drm_release(inode, filp); + msm_preclose(dev, file_priv); + + /** + * Handle preclose operation here for removing fb's whose + * refcount > 1. This operation is not triggered from upstream + * drm as msm_driver does not support DRIVER_LEGACY feature. + */ + ret = drm_release(inode, filp); + filp->private_data = NULL; +end: + mutex_unlock(&msm_release_lock); + return ret; } /** From d781e77a7015092603ecff71d131853dfdf406c2 Mon Sep 17 00:00:00 2001 
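Review bot: The `-EINVAL` returned via `goto end` when `file_priv` is NULL will not be seen by anyone, since the VFS discards the return value of a file's `.release` handler, so the early exit silently skips `drm_release()` rather than reporting anything; if that condition is reachable, a `DRM_ERROR` or `pr_err` before the `goto` would at least leave a trace. `msm_release_lock` (added at @@ -57) is a single global mutex, so every DRM client teardown in this driver is now serialized, including across the whole `drm_release()` call further down; if that is intended, the commit message should say so. The function continues past the hunk into the event-list walk.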
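Review bot: The block comment explaining the preclose handling is placed after the `msm_preclose(dev, file_priv)` call it describes and opens with `/**`, which marks kernel-doc; it should be a plain `/* ... */` placed immediately above the call. `filp->private_data = NULL` after `drm_release()` is what the NULL check at the top of the function depends on, but `drm_release()` may already reset `private_data` in this tree, in which case the assignment is redundant; a one-line comment either way, e.g. `/* file_priv is freed by drm_release(); drop our reference so the NULL check above holds */`, would make the dependency explicit.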
From: Albert I Date: Tue, 31 Aug 2021 13:00:27 +0800 Subject: [PATCH 4/4] Revert "ANDROID: xt_quota2: clear quota2_log message before sending" This reverts commit 6fa30e1b46aa085c338ef3aafe0a0c304125a7bd. Doesn't apply to CAF kernel tree due to commit e8a34e5aecb1. Signed-off-by: Albert I --- net/netfilter/xt_quota2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_quota2.c b/net/netfilter/xt_quota2.c index b1123626c714..31a178d47444 100644 --- a/net/netfilter/xt_quota2.c +++ b/net/netfilter/xt_quota2.c @@ -106,16 +106,23 @@ static void quota2_log(unsigned int hooknum, return; } pm = nlmsg_data(nlh); - memset(pm, 0, sizeof(*pm)); if (skb->tstamp.tv64 == 0) __net_timestamp((struct sk_buff *)skb); + pm->data_len = 0; pm->hook = hooknum; if (prefix != NULL) strlcpy(pm->prefix, prefix, sizeof(pm->prefix)); + else + *(pm->prefix) = '\0'; if (in) strlcpy(pm->indev_name, in->name, sizeof(pm->indev_name)); + else + pm->indev_name[0] = '\0'; + if (out) strlcpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); + else + pm->outdev_name[0] = '\0'; NETLINK_CB(log_skb).dst_group = 1; pr_debug("throwing 1 packets to netlink group 1\n");
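Review bot: With `memset(pm, 0, sizeof(*pm))` removed, only `data_len`, `hook` and the first byte of the three name fields are written when the corresponding source is absent, and `strlcpy()` does not clear the bytes after the terminator, so whatever the freshly allocated netlink buffer held in those tails, and in any member of `*pm` this hunk does not assign, is delivered to the group-1 listener. That exposure of uninitialised kernel memory to userspace is what the reverted change addressed; if commit e8a34e5aecb1 named in the description already zeroes the message in this tree, the description should say where, and otherwise keeping the single `memset` is the smaller fix. quota2_log()'s prologue and the allocation of `log_skb` are outside the hunk.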