Merge 4.19.139 into android-4.19-stable

Changes in 4.19.139
	USB: serial: qcserial: add EM7305 QDL product ID
	USB: iowarrior: fix up report size handling for some devices
	usb: xhci: define IDs for various ASMedia host controllers
	usb: xhci: Fix ASMedia ASM1142 DMA addressing
	Revert "ALSA: hda: call runtime_allow() for all hda controllers"
	ALSA: seq: oss: Serialize ioctls
	staging: android: ashmem: Fix lockdep warning for write operation
	Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
	Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
	Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
	omapfb: dss: Fix max fclk divider for omap36xx
	binder: Prevent context manager from incrementing ref 0
	vgacon: Fix for missing check in scrollback handling
	mtd: properly check all write ioctls for permissions
	leds: wm831x-status: fix use-after-free on unbind
	leds: da903x: fix use-after-free on unbind
	leds: lm3533: fix use-after-free on unbind
	leds: 88pm860x: fix use-after-free on unbind
	net/9p: validate fds in p9_fd_open
	drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
	drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
	i2c: slave: improve sanity check when registering
	i2c: slave: add sanity check when unregistering
	usb: hso: check for return value in hso_serial_common_create()
	firmware: Fix a reference count leak.
	cfg80211: check vendor command doit pointer before use
	igb: reinit_locked() should be called with rtnl_lock
	atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
	tools lib traceevent: Fix memory leak in process_dynamic_array_len
	Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
	xattr: break delegations in {set,remove}xattr
	ipv4: Silence suspicious RCU usage warning
	ipv6: fix memory leaks on IPV6_ADDRFORM path
	net: ethernet: mtk_eth_soc: fix MTU warnings
	vxlan: Ensure FDB dump is performed under RCU
	net: lan78xx: replace bogus endpoint lookup
	hv_netvsc: do not use VF device if link is down
	net: gre: recompute gre csum for sctp over gre tunnels
	net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task()
	openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
	Revert "vxlan: fix tos value before xmit"
	selftests/net: relax cpu affinity requirement in msg_zerocopy test
	rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
	i40e: add num_vectors checker in iwarp handler
	i40e: Wrong truncation from u16 to u8
	i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
	i40e: Memory leak in i40e_config_iwarp_qvlist
	Smack: fix use-after-free in smk_write_relabel_self()
	Linux 4.19.139

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If64996b6bc365365c5f06165ed8c7648336731bf

drivers/android/binder.c

@@ -3081,6 +3081,12 @@ static void binder_transaction(struct binder_proc *proc,
 			goto err_dead_binder;
 		}
 		e->to_node = target_node->debug_id;
+		if (WARN_ON(proc == target_proc)) {
+			return_error = BR_FAILED_REPLY;
+			return_error_param = -EINVAL;
+			return_error_line = __LINE__;
+			goto err_invalid_target_handle;
+		}
 		if (security_binder_transaction(proc->tsk,
 						target_proc->tsk) < 0) {
 			return_error = BR_FAILED_REPLY;
@@ -3683,10 +3689,17 @@ static int binder_thread_write(struct binder_proc *proc,
 				struct binder_node *ctx_mgr_node;
 				mutex_lock(&context->context_mgr_node_lock);
 				ctx_mgr_node = context->binder_context_mgr_node;
-				if (ctx_mgr_node)
+				if (ctx_mgr_node) {
+					if (ctx_mgr_node->proc == proc) {
+						binder_user_error("%d:%d context manager tried to acquire desc 0\n",
+								  proc->pid, thread->pid);
+						mutex_unlock(&context->context_mgr_node_lock);
+						return -EINVAL;
+					}
 					ret = binder_inc_ref_for_node(
 							proc, ctx_mgr_node,
 							strong, NULL, &rdata);
+				}
 				mutex_unlock(&context->context_mgr_node_lock);
 			}
 			if (ret)