Merge android-4.4.156 (7eb7037) into msm-4.4

* refs/heads/tmp-7eb7037
  Linux 4.4.156
  btrfs: use correct compare function of dirty_metadata_bytes
  ASoC: wm8994: Fix missing break in switch
  s390/lib: use expoline for all bcr instructions
  mei: me: allow runtime pm for platform with D0i3
  sch_tbf: fix two null pointer dereferences on init failure
  sch_netem: avoid null pointer deref on init failure
  sch_hhf: fix null pointer dereference on init failure
  sch_multiq: fix double free on init failure
  sch_htb: fix crash on init failure
  ovl: proper cleanup of workdir
  ovl: override creds with the ones from the superblock mounter
  ovl: rename is_merge to is_lowest
  irqchip/gic: Make interrupt ID 1020 invalid
  irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
  irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
  irqchip/gicv3-its: Fix memory leak in its_free_tables()
  irqchip/gic-v3-its: Recompute the number of pages on page size change
  genirq: Delay incrementing interrupt count if it's disabled/pending
  Fixes: Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated pages")
  enic: do not call enic_change_mtu in enic_probe
  Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
  irda: Only insert new objects into the global database via setsockopt
  irda: Fix memory leak caused by repeated binds of irda socket
  kbuild: make missing $DEPMOD a Warning instead of an Error
  x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
  debugobjects: Make stack check warning more informative
  btrfs: Don't remove block group that still has pinned down bytes
  btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
  btrfs: replace: Reset on-disk dev stats value after replace
  powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
  SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
  smb3: fix reset of bytes read and written stats
  selftests/powerpc: Kill child processes on SIGINT
  staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
  dm kcopyd: avoid softlockup in run_complete_job
  PCI: mvebu: Fix I/O space end address calculation
  scsi: aic94xx: fix an error code in aic94xx_init()
  s390/dasd: fix hanging offline processing due to canceled worker
  powerpc: Fix size calculation using resource_size()
  net/9p: fix error path of p9_virtio_probe
  irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
  platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
  mfd: sm501: Set coherent_dma_mask when creating subdevices
  ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
  fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
  mm/fadvise.c: fix signed overflow UBSAN complaint
  scripts: modpost: check memory allocation results
  fat: validate ->i_start before using
  hfsplus: fix NULL dereference in hfsplus_lookup()
  reiserfs: change j_timestamp type to time64_t
  fork: don't copy inconsistent signal handler state to child
  hfs: prevent crash on exit from failed search
  hfsplus: don't return 0 when fill_super() failed
  cifs: check if SMB2 PDU size has been padded and suppress the warning
  vti6: remove !skb->ignore_df check from vti6_xmit()
  tcp: do not restart timewait timer on rst reception
  qlge: Fix netdev features configuration.
  net: bcmgenet: use MAC link status for fixed phy
  staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
  x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Conflicts:
	drivers/staging/android/ion/ion.c

Change-Id: I7153f61c3a676a788f64eeb8bab13e840bbbf985
[readded the function ion_handle_get_by_id() which got deleted with
commit 'staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free'
since it is used in msm/msm_ion.c]
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

1 files changed, 12 insertions, 7 deletions

diff --git a/fs/fat/cache.c b/fs/fat/cache.c
index 93fc62232ec2..9ae2c4d7e921 100644
--- a/fs/fat/cache.c
+++ b/fs/fat/cache.c
@@ -224,7 +224,8 @@ static inline void cache_init(struct fat_cache_id *cid, int fclus, int dclus)
 int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 {
 	struct super_block *sb = inode->i_sb;
-	const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits;
+	struct msdos_sb_info *sbi = MSDOS_SB(sb);
+	const int limit = sb->s_maxbytes >> sbi->cluster_bits;
 	struct fat_entry fatent;
 	struct fat_cache_id cid;
 	int nr;
@@ -233,6 +234,12 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 
 	*fclus = 0;
 	*dclus = MSDOS_I(inode)->i_start;
+	if (!fat_valid_entry(sbi, *dclus)) {
+		fat_fs_error_ratelimit(sb,
+			"%s: invalid start cluster (i_pos %lld, start %08x)",
+			__func__, MSDOS_I(inode)->i_pos, *dclus);
+		return -EIO;
+	}
 	if (cluster == 0)
 		return 0;
 
@@ -249,9 +256,8 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 		/* prevent the infinite loop of cluster chain */
 		if (*fclus > limit) {
 			fat_fs_error_ratelimit(sb,
-					"%s: detected the cluster chain loop"
-					" (i_pos %lld)", __func__,
-					MSDOS_I(inode)->i_pos);
+				"%s: detected the cluster chain loop (i_pos %lld)",
+				__func__, MSDOS_I(inode)->i_pos);
 			nr = -EIO;
 			goto out;
 		}
@@ -261,9 +267,8 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 			goto out;
 		else if (nr == FAT_ENT_FREE) {
 			fat_fs_error_ratelimit(sb,
-				       "%s: invalid cluster chain (i_pos %lld)",
-				       __func__,
-				       MSDOS_I(inode)->i_pos);
+				"%s: invalid cluster chain (i_pos %lld)",
+				__func__, MSDOS_I(inode)->i_pos);
 			nr = -EIO;
 			goto out;
 		} else if (nr == FAT_ENT_EOF) {