Merge tag 'ASB-2024-03-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina

https://source.android.com/docs/security/bulletin/2024-03-01 * tag 'ASB-2024-03-05_11-5.4' of https://android.googlesource.com/kernel/common: ANDROID: GKI: Update symbol list for Zebra UPSTREAM: usb: raw-gadget: properly handle interrupted requests UPSTREAM: net: prevent skb corruption on frag list segmentation UPSTREAM: netfilter: nft_set_rbtree: skip end interval element from gc UPSTREAM: net: tls, update curr on splice as well Change-Id: I7a6117e861e8c35bb66bcc3a9a21cc6db49946b2
2024-03-12 10:52:58 +00:00 · 2024-03-12 10:52:58 +00:00 · f32a592779
commit f32a592779
parent 7f04c28240 d24801ee88
5 changed files with 84922 additions and 81428 deletions
--- a/android/abi_gki_aarch64.xml
+++ b/android/abi_gki_aarch64.xml
--- a/android/abi_gki_aarch64_zebra
+++ b/android/abi_gki_aarch64_zebra
@ -6,3 +6,11 @@
  nla_reserve
  nla_append
  prandom_seed
+  regulatory_set_wiphy_regd_sync_rtnl
+  cfg80211_cac_event
+  cfg80211_radar_event
+  cfg80211_chandef_valid
+  kobject_add
+  sock_wfree
+  dev_change_flags
+  netdev_master_upper_dev_get
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@ -624,12 +624,12 @@ static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
 	if (WARN_ON(in && dev->ep0_out_pending)) {
 		ret = -ENODEV;
 		dev->state = STATE_DEV_FAILED;
-		goto out_done;
+		goto out_unlock;
 	}
 	if (WARN_ON(!in && dev->ep0_in_pending)) {
 		ret = -ENODEV;
 		dev->state = STATE_DEV_FAILED;
-		goto out_done;
+		goto out_unlock;
 	}

 	dev->req->buf = data;
@ -644,7 +644,7 @@ static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
 				"fail, usb_ep_queue returned %d\n", ret);
 		spin_lock_irqsave(&dev->lock, flags);
 		dev->state = STATE_DEV_FAILED;
-		goto out_done;
+		goto out_queue_failed;
 	}

 	ret = wait_for_completion_interruptible(&dev->ep0_done);
@ -653,13 +653,16 @@ static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
 		usb_ep_dequeue(dev->gadget->ep0, dev->req);
 		wait_for_completion(&dev->ep0_done);
 		spin_lock_irqsave(&dev->lock, flags);
-		goto out_done;
+		if (dev->ep0_status == -ECONNRESET)
+			dev->ep0_status = -EINTR;
+		goto out_interrupted;
 	}

 	spin_lock_irqsave(&dev->lock, flags);
-	ret = dev->ep0_status;

-out_done:
+out_interrupted:
+	ret = dev->ep0_status;
+out_queue_failed:
 	dev->ep0_urb_queued = false;
 out_unlock:
 	spin_unlock_irqrestore(&dev->lock, flags);
@ -1021,7 +1024,7 @@ static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
 				"fail, usb_ep_queue returned %d\n", ret);
 		spin_lock_irqsave(&dev->lock, flags);
 		dev->state = STATE_DEV_FAILED;
-		goto out_done;
+		goto out_queue_failed;
 	}

 	ret = wait_for_completion_interruptible(&done);
@ -1030,13 +1033,16 @@ static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
 		usb_ep_dequeue(ep->ep, ep->req);
 		wait_for_completion(&done);
 		spin_lock_irqsave(&dev->lock, flags);
-		goto out_done;
+		if (ep->status == -ECONNRESET)
+			ep->status = -EINTR;
+		goto out_interrupted;
 	}

 	spin_lock_irqsave(&dev->lock, flags);
-	ret = ep->status;

-out_done:
+out_interrupted:
+	ret = ep->status;
+out_queue_failed:
 	ep->urb_queued = false;
 out_unlock:
 	spin_unlock_irqrestore(&dev->lock, flags);
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@ -3695,6 +3695,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,

 	skb_push(skb, -skb_network_offset(skb) + offset);

+	/* Ensure the head is writeable before touching the shared info */
+	err = skb_unclone(skb, GFP_ATOMIC);
+	if (err)
+		goto err_linearize;
+
 	skb_shinfo(skb)->frag_list = NULL;

 	while (list_skb) {
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@ -237,8 +237,7 @@ static void nft_rbtree_gc_remove(struct net *net, struct nft_set *set,

 static int nft_rbtree_gc_elem(const struct nft_set *__set,
 			      struct nft_rbtree *priv,
-			      struct nft_rbtree_elem *rbe,
-			      u8 genmask)
+			      struct nft_rbtree_elem *rbe)
 {
 	struct nft_set *set = (struct nft_set *)__set;
 	struct rb_node *prev = rb_prev(&rbe->node);
@ -257,7 +256,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
 	while (prev) {
 		rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
 		if (nft_rbtree_interval_end(rbe_prev) &&
-		    nft_set_elem_active(&rbe_prev->ext, genmask))
+		    nft_set_elem_active(&rbe_prev->ext, NFT_GENMASK_ANY))
 			break;

 		prev = rb_prev(prev);
@ -365,7 +364,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
 		 */
 		if (nft_set_elem_expired(&rbe->ext) &&
 		    nft_set_elem_active(&rbe->ext, cur_genmask)) {
-			err = nft_rbtree_gc_elem(set, priv, rbe, genmask);
+			err = nft_rbtree_gc_elem(set, priv, rbe);
 			if (err < 0)
 				return err;