From 6ad609468d93cd2080e6f76d8596f4dff6cc860f Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan
Date: Fri, 29 Oct 2021 11:00:34 -0700
Subject: [PATCH 1/3] ANDROID: Fix mmu_notifier imbalance

SPF patchset introduced an mmu_notifier imbalance by adding a new exit path that skips mmu_notifier_invalidate_range_only_end after calling mmu_notifier_invalidate_range_start. This triggers a BUG in KVM driver checking for mmu_notifier_count to remain balanced

Fixes: afeec97a8dfc ("FROMLIST: mm: prepare for FAULT_FLAG_SPECULATIVE")
Bug: 161210518
Signed-off-by: Suren Baghdasaryan
Change-Id: Ibe9d1f0903a23b48c9d733b81249b190e5321c2f
---
 mm/memory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/memory.c b/mm/memory.c
index 44c6a8ee197b..5db2a3ed395b 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3159,7 +3159,7 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
 */
 if (!pte_map_lock(vmf)) {
 ret = VM_FAULT_RETRY;
- goto out_free_new;
+ goto out_invalidate_end;
 }
 if (likely(pte_same(*vmf->pte, vmf->orig_pte))) {
 if (old_page) {
@@ -3247,6 +3247,8 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
 put_page(old_page);
 }
 return page_copied ? VM_FAULT_WRITE : 0;
+out_invalidate_end:
+ mmu_notifier_invalidate_range_only_end(&range);
 out_free_new:
 put_page(new_page);
 out:

From 9cafb6afaa2c155af1fa5c87681cb9b0bbdd4cc4 Mon Sep 17 00:00:00 2001
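Review bot: The new `out_invalidate_end:` label in the second hunk should carry a one-line comment saying why `mmu_notifier_invalidate_range_only_end()` is sufficient on the `pte_map_lock()` failure path: no PTE has been modified yet, so nothing needs an invalidate_range callback and the call exists only to pair the earlier `mmu_notifier_invalidate_range_start()` (the balance the KVM check in the commit message enforces). Something like `/* No PTE was changed on this path; only the start/end notifier pairing is restored. */` would stop a later reader from "fixing" it to the full `_end` variant, since in mainline the normal-path `_only_end` call is justified by a preceding `ptep_clear_flush_notify()` that has not run here. The first hunk's `ret = VM_FAULT_RETRY; goto out_invalidate_end;` also relies on `out:` returning `ret`; that label's body is outside the hunk, so it is worth confirming the retry path does not still return VM_FAULT_OOM as the mainline `out:` does. wp_page_copy() begins before the first hunk and continues past `out:`.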
From: Liujie Xie Date: Fri, 29 Oct 2021 17:53:50 +0800 Subject: [PATCH 2/3] ANDROID: GKI: Update symbols to symbol list Update symbols to symbol list externed by oem modules. Leaf changes summary: 2 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 1 Added variable 1 Added function: [A] 'function int __traceiter_android_vh_cpu_up(void*, unsigned int)' 1 Added variable: [A] 'tracepoint __tracepoint_android_vh_cpu_up' Bug: 193384408 Change-Id: I5c0f08e4a5b07c2277189aabdee1d49f2a690189 Signed-off-by: Liujie Xie --- android/abi_gki_aarch64.xml | 8 ++++++++ android/abi_gki_aarch64_oplus | 2 ++ 2 files changed, 10 insertions(+) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 2640a4369214..9e7bbdc91f7a 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -384,6 +384,7 @@ + @@ -5735,6 +5736,7 @@ + @@ -115132,6 +115134,11 @@ + + + + + @@ -116385,6 +116392,7 @@ + diff --git a/android/abi_gki_aarch64_oplus b/android/abi_gki_aarch64_oplus index 8d81b5dc8b62..d4abfde0e0b2 100644 --- a/android/abi_gki_aarch64_oplus +++ b/android/abi_gki_aarch64_oplus @@ -2594,6 +2594,7 @@ __traceiter_android_vh_commit_creds __traceiter_android_vh_cpu_idle_enter __traceiter_android_vh_cpu_idle_exit + __traceiter_android_vh_cpu_up __traceiter_android_vh_do_send_sig_info __traceiter_android_vh_em_cpu_energy __traceiter_android_vh_exclude_reserved_zone @@ -2776,6 +2777,7 @@ __tracepoint_android_vh_commit_creds __tracepoint_android_vh_cpu_idle_enter __tracepoint_android_vh_cpu_idle_exit + __tracepoint_android_vh_cpu_up __tracepoint_android_vh_do_send_sig_info __tracepoint_android_vh_em_cpu_energy __tracepoint_android_vh_exclude_reserved_zone From aee113fcef3a143b4997377354546f4cffa81664 Mon Sep 17 00:00:00 2001 
From: Lee Jones Date: Fri, 22 Oct 2021 19:07:29 +0100 Subject: [PATCH 3/3] ANDROID: Incremental fs: Fix dentry get/put imbalance on vfs_mkdir() failure Syz{bot,kaller} reports[0]: BUG: Dentry ffff888119d8a000{i=0,n=.index} still in use (1) [unmount of ramfs ramfs] ------------[ cut here ]------------ WARNING: CPU: 0 PID: 367 at fs/dcache.c:1616 umount_check+0x18d/0x1d0 fs/dcache.c:1607 Modules linked in: CPU: 0 PID: 367 Comm: syz-executor388 Not tainted 5.10.75-syzkaller-01082-g234d53d2bb60 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:umount_check+0x18d/0x1d0 fs/dcache.c:1607 Code: 8b 0b 49 81 c6 f8 03 00 00 48 c7 c7 00 40 2e 85 4c 89 e6 48 8b 55 d0 4c 89 e1 45 89 f8 31 c0 41 56 e8 ae d9 9e ff 48 83 c4 08 <0f> 0b e9 f1 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c9 fe ff RSP: 0018:ffffc9000096f770 EFLAGS: 00010292 RAX: 0000000000000055 RBX: ffffffff866af200 RCX: 1ad6b89836e5b500 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffc9000096f7a0 R08: ffffffff81545368 R09: 0000000000000003 R10: fffff5200012de41 R11: 0000000000000004 R12: ffff888119d8a000 R13: dffffc0000000000 R14: ffff88811d7373f8 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f01b7bddb68 CR3: 000000010c4f0000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: d_walk+0x309/0x540 fs/dcache.c:1326 do_one_tree fs/dcache.c:1623 [inline] shrink_dcache_for_umount+0x8e/0x1b0 fs/dcache.c:1639 generic_shutdown_super+0x66/0x2c0 fs/super.c:447 kill_anon_super fs/super.c:1108 [inline] kill_litter_super+0x75/0xa0 fs/super.c:1117 ramfs_kill_sb+0x44/0x50 fs/ramfs/inode.c:270 deactivate_locked_super+0xb0/0x100 fs/super.c:335 deactivate_super+0xa5/0xd0 fs/super.c:366 cleanup_mnt+0x45f/0x510 fs/namespace.c:1118 
__cleanup_mnt+0x19/0x20 fs/namespace.c:1125
task_work_run+0x147/0x1b0 kernel/task_work.c:154
exit_task_work include/linux/task_work.h:30 [inline]
do_exit+0x70e/0x23a0 kernel/exit.c:813
do_group_exit+0x16a/0x2d0 kernel/exit.c:910
get_signal+0x133e/0x1f80 kernel/signal.c:2790
arch_do_signal+0x8d/0x620 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
exit_to_user_mode_prepare+0xaa/0xe0 kernel/entry/common.c:191
syscall_exit_to_user_mode+0x24/0x40 kernel/entry/common.c:266
do_syscall_64+0x3d/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f01b7b884f9
Code: Unable to access opcode bytes at RIP 0x7f01b7b884cf.
RSP: 002b:00007f01b7b19308 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f01b7c103f8 RCX: 00007f

Which was due to a missing dput() before returning from a vfs_mkdir() failure.

Bug: 203827798
Link: [0] https://syzkaller.appspot.com/bug?extid=81b5ca9b2848f4dad8fa
Reported-by: syzbot+81b5ca9b2848f4dad8fa@syzkaller.appspotmail.com
Signed-off-by: Lee Jones
Change-Id: Iaef9aa0aecc964645aaca5fe8d79388ae28527bd
---
 fs/incfs/vfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/incfs/vfs.c b/fs/incfs/vfs.c
index 0650ee90f8b1..ea7866fbfd6e 100644
--- a/fs/incfs/vfs.c
+++ b/fs/incfs/vfs.c
@@ -458,8 +458,10 @@ static struct dentry *open_or_create_special_dir(struct dentry *backing_dir,
 err = vfs_mkdir(backing_inode, index_dentry, 0777);
 inode_unlock(backing_inode);
- if (err)
+ if (err) {
+ dput(index_dentry);
 return ERR_PTR(err);
+ }
 if (!d_really_is_positive(index_dentry) ||
 unlikely(d_unhashed(index_dentry))) {
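Review bot: The added `dput(index_dentry)` covers the vfs_mkdir() failure, but the branch that immediately follows, `if (!d_really_is_positive(index_dentry) || unlikely(d_unhashed(index_dentry)))`, holds the same reference and its body lies outside the hunk; it should be checked for the identical leak so this fix is not partial. A short comment on the new line, e.g. `/* drop the lookup's reference; callers receive index_dentry only on success */`, would make the ownership rule explicit, though the lookup that takes the reference is above the hunk and the wording should be confirmed against it. open_or_create_special_dir() starts before this hunk and continues after it.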