
Verified Commit 694aebf4 authored by android-t2's avatar android-t2 Committed by Ahmed Harhash

Integrate security patch 2023-07-05-CVE-2022-42703

Change-Id: Iaeb87947aec08155442fd8c45ad09df8a90a4af1
parent 3a7ecb58

android/abi_gki_aarch64.xml

100644 → 100755
+10 −4
@@ -85236,7 +85236,7 @@
          <var-decl name='' type-id='2c04e77f' visibility='default' filepath='include/linux/uio.h' line='43' column='1'/>
          <var-decl name='' type-id='2c04e77f' visibility='default' filepath='include/linux/uio.h' line='43' column='1'/>
        </data-member>
        </data-member>
      </union-decl>
      </union-decl>
      <class-decl name='anon_vma' size-in-bits='704' is-struct='yes' visibility='default' filepath='include/linux/rmap.h' line='29' column='1' id='14f332cc'>
      <class-decl name='anon_vma' size-in-bits='832' is-struct='yes' visibility='default' filepath='include/linux/rmap.h' line='29' column='1' id='14f332cc'>
        <data-member access='public' layout-offset-in-bits='0'>
        <data-member access='public' layout-offset-in-bits='0'>
          <var-decl name='root' type-id='a8f86cda' visibility='default' filepath='include/linux/rmap.h' line='30' column='1'/>
          <var-decl name='root' type-id='a8f86cda' visibility='default' filepath='include/linux/rmap.h' line='30' column='1'/>
        </data-member>
        </data-member>
@@ -85247,13 +85247,19 @@
          <var-decl name='refcount' type-id='49178f86' visibility='default' filepath='include/linux/rmap.h' line='39' column='1'/>
          <var-decl name='refcount' type-id='49178f86' visibility='default' filepath='include/linux/rmap.h' line='39' column='1'/>
        </data-member>
        </data-member>
        <data-member access='public' layout-offset-in-bits='480'>
        <data-member access='public' layout-offset-in-bits='480'>
          <var-decl name='degree' type-id='f0981eeb' visibility='default' filepath='include/linux/rmap.h' line='47' column='1'/>
          <var-decl name='degree' type-id='f0981eeb' visibility='default' filepath='include/linux/rmap.h' line='41' column='1'/>
        </data-member>
        </data-member>
        <data-member access='public' layout-offset-in-bits='512'>
        <data-member access='public' layout-offset-in-bits='512'>
          <var-decl name='parent' type-id='a8f86cda' visibility='default' filepath='include/linux/rmap.h' line='49' column='1'/>
          <var-decl name='parent' type-id='a8f86cda' visibility='default' filepath='include/linux/rmap.h' line='43' column='1'/>
        </data-member>
        </data-member>
        <data-member access='public' layout-offset-in-bits='576'>
        <data-member access='public' layout-offset-in-bits='576'>
          <var-decl name='rb_root' type-id='6fe1603d' visibility='default' filepath='include/linux/rmap.h' line='61' column='1'/>
          <var-decl name='rb_root' type-id='6fe1603d' visibility='default' filepath='include/linux/rmap.h' line='55' column='1'/>
        </data-member>
        <data-member access='public' layout-offset-in-bits='704'>
          <var-decl name='num_children' type-id='7359adad' visibility='default' filepath='include/linux/rmap.h' line='70' column='1'/>
        </data-member>
        <data-member access='public' layout-offset-in-bits='768'>
          <var-decl name='num_active_vmas' type-id='7359adad' visibility='default' filepath='include/linux/rmap.h' line='72' column='1'/>
        </data-member>
        </data-member>
      </class-decl>
      </class-decl>
      <pointer-type-def type-id='c7ead0f9' size-in-bits='64' id='0cbbabe1'/>
      <pointer-type-def type-id='c7ead0f9' size-in-bits='64' id='0cbbabe1'/>
+20 −7
@@ -43,13 +43,7 @@ struct anon_vma {
	 */
	 */
	atomic_t refcount;
	atomic_t refcount;


	/*
	unsigned degree;		/* ANDROID: KABI preservation, DO NOT USE! */
	 * Count of child anon_vmas and VMAs which points to this anon_vma.
	 *
	 * This counter is used for making decision about reusing anon_vma
	 * instead of forking new one. See comments in function anon_vma_clone.
	 */
	unsigned degree;


	struct anon_vma *parent;	/* Parent of this anon_vma */
	struct anon_vma *parent;	/* Parent of this anon_vma */


@@ -64,6 +58,25 @@ struct anon_vma {


	/* Interval tree of private "related" vmas */
	/* Interval tree of private "related" vmas */
	struct rb_root_cached rb_root;
	struct rb_root_cached rb_root;

	/*
	 * ANDROID: KABI preservation, it's safe to put these at the end of this structure as it's
	 * only passed by a pointer everywhere, the size and internal structures are local to the
	 * core kernel.
	 */
#ifndef __GENKSYMS__
	/*
	 * Count of child anon_vmas. Equals to the count of all anon_vmas that
	 * have ->parent pointing to this one, including itself.
	 *
	 * This counter is used for making decision about reusing anon_vma
	 * instead of forking new one. See comments in function anon_vma_clone.
	 */
	unsigned long num_children;
	/* Count of VMAs whose ->anon_vma pointer points to this object. */
	unsigned long num_active_vmas;
#endif

};
};


/*
/*
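Review bot: The retained `degree` member in the first hunk is marked "DO NOT USE!", but the comment does not say that the field is now stale. In the hunks shown for the accompanying .c file every write to `degree` is replaced, including its initialisation in anon_vma_alloc, so unless a slab constructor outside this view zeroes it the field holds whatever the object last contained. An out-of-tree module that still reads it would see an arbitrary value, so I would spell that out: `unsigned degree;	/* ANDROID: KABI preservation only; never initialised or updated, DO NOT USE! */`. The second hunk's statement that the struct is only ever passed by pointer is what makes appending the two counters safe, and it is asserted in a comment rather than checked. struct anon_vma starts above the first hunk.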
+18 −14
@@ -82,7 +82,8 @@ static inline struct anon_vma *anon_vma_alloc(void)
	anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);
	anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);
	if (anon_vma) {
	if (anon_vma) {
		atomic_set(&anon_vma->refcount, 1);
		atomic_set(&anon_vma->refcount, 1);
		anon_vma->degree = 1;	/* Reference for first vma */
		anon_vma->num_children = 0;
		anon_vma->num_active_vmas = 0;
		anon_vma->parent = anon_vma;
		anon_vma->parent = anon_vma;
		/*
		/*
		 * Initialise the anon_vma root to point to itself. If called
		 * Initialise the anon_vma root to point to itself. If called
@@ -190,6 +191,7 @@ int __anon_vma_prepare(struct vm_area_struct *vma)
		anon_vma = anon_vma_alloc();
		anon_vma = anon_vma_alloc();
		if (unlikely(!anon_vma))
		if (unlikely(!anon_vma))
			goto out_enomem_free_avc;
			goto out_enomem_free_avc;
		anon_vma->num_children++; /* self-parent link for new root */
		allocated = anon_vma;
		allocated = anon_vma;
	}
	}


@@ -199,8 +201,7 @@ int __anon_vma_prepare(struct vm_area_struct *vma)
	if (likely(!vma->anon_vma)) {
	if (likely(!vma->anon_vma)) {
		vma->anon_vma = anon_vma;
		vma->anon_vma = anon_vma;
		anon_vma_chain_link(vma, avc, anon_vma);
		anon_vma_chain_link(vma, avc, anon_vma);
		/* vma reference or self-parent link for new root */
		anon_vma->num_active_vmas++;
		anon_vma->degree++;
		allocated = NULL;
		allocated = NULL;
		avc = NULL;
		avc = NULL;
	}
	}
@@ -279,19 +280,19 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
		anon_vma_chain_link(dst, avc, anon_vma);
		anon_vma_chain_link(dst, avc, anon_vma);


		/*
		/*
		 * Reuse existing anon_vma if its degree lower than two,
		 * Reuse existing anon_vma if it has no vma and only one
		 * that means it has no vma and only one anon_vma child.
		 * anon_vma child.
		 *
		 *
		 * Do not chose parent anon_vma, otherwise first child
		 * Root anon_vma is never reused:
		 * will always reuse it. Root anon_vma is never reused:
		 * it has self-parent reference and at least one child.
		 * it has self-parent reference and at least one child.
		 */
		 */
		if (!dst->anon_vma && anon_vma != src->anon_vma &&
		if (!dst->anon_vma && src->anon_vma &&
				anon_vma->degree < 2)
		    anon_vma->num_children < 2 &&
		    anon_vma->num_active_vmas == 0)
			dst->anon_vma = anon_vma;
			dst->anon_vma = anon_vma;
	}
	}
	if (dst->anon_vma)
	if (dst->anon_vma)
		dst->anon_vma->degree++;
		dst->anon_vma->num_active_vmas++;
	unlock_anon_vma_root(root);
	unlock_anon_vma_root(root);
	return 0;
	return 0;


@@ -341,6 +342,7 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
	anon_vma = anon_vma_alloc();
	anon_vma = anon_vma_alloc();
	if (!anon_vma)
	if (!anon_vma)
		goto out_error;
		goto out_error;
	anon_vma->num_active_vmas++;
	avc = anon_vma_chain_alloc(GFP_KERNEL);
	avc = anon_vma_chain_alloc(GFP_KERNEL);
	if (!avc)
	if (!avc)
		goto out_error_free_anon_vma;
		goto out_error_free_anon_vma;
@@ -361,7 +363,7 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
	vma->anon_vma = anon_vma;
	vma->anon_vma = anon_vma;
	anon_vma_lock_write(anon_vma);
	anon_vma_lock_write(anon_vma);
	anon_vma_chain_link(vma, avc, anon_vma);
	anon_vma_chain_link(vma, avc, anon_vma);
	anon_vma->parent->degree++;
	anon_vma->parent->num_children++;
	anon_vma_unlock_write(anon_vma);
	anon_vma_unlock_write(anon_vma);


	return 0;
	return 0;
@@ -393,7 +395,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
		 * to free them outside the lock.
		 * to free them outside the lock.
		 */
		 */
		if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) {
		if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) {
			anon_vma->parent->degree--;
			anon_vma->parent->num_children--;
			continue;
			continue;
		}
		}


@@ -401,7 +403,8 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
		anon_vma_chain_free(avc);
		anon_vma_chain_free(avc);
	}
	}
	if (vma->anon_vma)
	if (vma->anon_vma)
		vma->anon_vma->degree--;
		vma->anon_vma->num_active_vmas--;

	unlock_anon_vma_root(root);
	unlock_anon_vma_root(root);


	/*
	/*
@@ -412,7 +415,8 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
	list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
	list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
		struct anon_vma *anon_vma = avc->anon_vma;
		struct anon_vma *anon_vma = avc->anon_vma;


		VM_WARN_ON(anon_vma->degree);
		VM_WARN_ON(anon_vma->num_children);
		VM_WARN_ON(anon_vma->num_active_vmas);
		put_anon_vma(anon_vma);
		put_anon_vma(anon_vma);


		list_del(&avc->same_vma);
		list_del(&avc->same_vma);
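Review bot: In the anon_vma_clone hunk the rewritten comment drops the sentence about not choosing the parent anon_vma, but does not say why the `anon_vma != src->anon_vma` test could go or what the new `src->anon_vma` clause is for. This reuse decision is the accounting that the CVE-2022-42703 patch is there to get right, so the reasoning should be readable at the condition. As far as the hunk shows, an anon_vma that still has VMAs attached is now excluded by `anon_vma->num_active_vmas == 0` instead of by pointer comparison, and `src->anon_vma` presumably limits reuse to callers whose source VMA already has an anon_vma. I would add a line such as `* An anon_vma that still has VMAs is excluded by num_active_vmas, so no compare against src->anon_vma is needed.` to the comment. The function starts and ends outside the hunk, so a fuller explanation may already exist above the loop.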