Merge android-4.4.175 (08d5867) into msm-4.4

* refs/heads/tmp-08d5867
  Linux 4.4.175
  uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
  pinctrl: msm: fix gpio-hog related boot issues
  usb: dwc2: Remove unnecessary kfree
  kaweth: use skb_cow_head() to deal with cloned skbs
  ch9200: use skb_cow_head() to deal with cloned skbs
  smsc95xx: Use skb_cow_head to deal with cloned skbs
  dm thin: fix bug where bio that overwrites thin block ignores FUA
  x86/a.out: Clear the dump structure initially
  signal: Restore the stop PTRACE_EVENT_EXIT
  x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
  tracing/uprobes: Fix output for multiple string arguments
  alpha: Fix Eiger NR_IRQS to 128
  alpha: fix page fault handling for r16-r18 targets
  Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
  Input: bma150 - register input device after setting private data
  ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
  ALSA: hda - Add quirk for HP EliteBook 840 G5
  perf/core: Fix impossible ring-buffer sizes warning
  Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
  Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
  Documentation/network: reword kernel version reference
  cifs: Limit memory used by lock request calls to a page
  gpio: pl061: handle failed allocations
  ARM: dts: kirkwood: Fix polarity of GPIO fan lines
  ARM: dts: da850-evm: Correct the sound card name
  uapi/if_ether.h: prevent redefinition of struct ethhdr
  Revert "exec: load_script: don't blindly truncate shebang string"
  batman-adv: Force mac header to start of data on xmit
  batman-adv: Avoid WARN on net_device without parent in netns
  xfrm: refine validation of template and selector families
  libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
  Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)"
  NFC: nxp-nci: Include unaligned.h instead of access_ok.h
  HID: debug: fix the ring buffer implementation
  drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
  drm/vmwgfx: Fix setting of dma masks
  drm/modes: Prevent division by zero htotal
  mac80211: ensure that mgmt tx skbs have tailroom for encryption
  ARM: iop32x/n2100: fix PCI IRQ mapping
  MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
  MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
  mips: cm: reprime error cause
  debugfs: fix debugfs_rename parameter checking
  misc: vexpress: Off by one in vexpress_syscfg_exec()
  signal: Better detection of synchronous signals
  signal: Always notice exiting tasks
  mtd: rawnand: gpmi: fix MX28 bus master lockup problem
  perf tests evsel-tp-sched: Fix bitwise operator
  perf/core: Don't WARN() for impossible ring-buffer sizes
  x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()
  perf/x86/intel/uncore: Add Node ID mask
  KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)
  KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
  usb: gadget: udc: net2272: Fix bitwise and boolean operations
  usb: phy: am335x: fix race condition in _probe
  dmaengine: imx-dma: fix wrong callback invoke
  fuse: handle zero sized retrieve correctly
  fuse: decrement NR_WRITEBACK_TEMP on the right page
  fuse: call pipe_buf_release() under pipe lock
  ALSA: hda - Serialize codec registrations
  ALSA: compress: Fix stop handling on compressed capture streams
  net: dsa: slave: Don't propagate flag changes on down slave interfaces
  net: systemport: Fix WoL with password after deep sleep
  skge: potential memory corruption in skge_get_regs()
  net: dp83640: expire old TX-skb
  enic: fix checksum validation for IPv6
  dccp: fool proof ccid_hc_[rt]x_parse_options()
  string: drop __must_check from strscpy() and restore strscpy() usages in cgroup
  tipc: use destination length for copy string
  test_hexdump: use memcpy instead of strncpy
  thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
  exec: load_script: don't blindly truncate shebang string
  fs/epoll: drop ovflist branch prediction
  kernel/hung_task.c: break RCU locks based on jiffies
  HID: lenovo: Add checks to fix of_led_classdev_register
  block/swim3: Fix -EBUSY error when re-opening device after unmount
  gdrom: fix a memory leak bug
  isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()
  ocfs2: don't clear bh uptodate for block read
  scripts/decode_stacktrace: only strip base path when a prefix of the path
  niu: fix missing checks of niu_pci_eeprom_read
  um: Avoid marking pages with "changed protection"
  cifs: check ntwrk_buf_start for NULL before dereferencing it
  crypto: ux500 - Use proper enum in hash_set_dma_transfer
  crypto: ux500 - Use proper enum in cryp_set_dma_transfer
  seq_buf: Make seq_buf_puts() null-terminate the buffer
  hwmon: (lm80) fix a missing check of bus read in lm80 probe
  hwmon: (lm80) fix a missing check of the status of SMBus read
  NFS: nfs_compare_mount_options always compare auth flavors.
  KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
  fbdev: fbcon: Fix unregister crash when more than one framebuffer
  igb: Fix an issue that PME is not enabled during runtime suspend
  fbdev: fbmem: behave better with small rotated displays and many CPUs
  video: clps711x-fb: release disp device node in probe()
  drbd: Avoid Clang warning about pointless switch statment
  drbd: skip spurious timeout (ping-timeo) when failing promote
  drbd: disconnect, if the wrong UUIDs are attached on a connected peer
  drbd: narrow rcu_read_lock in drbd_sync_handshake
  cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
  Bluetooth: Fix unnecessary error message for HCI request completion
  xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
  mac80211: fix radiotap vendor presence bitmap handling
  powerpc/uaccess: fix warning/error with access_ok()
  arm64: KVM: Skip MMIO insn after emulation
  tty: serial: samsung: Properly set flags in autoCTS mode
  memstick: Prevent memstick host from getting runtime suspended during card detection
  ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
  ARM: pxa: avoid section mismatch warning
  udf: Fix BUG on corrupted inode
  i2c-axxia: check for error conditions first
  cpuidle: big.LITTLE: fix refcount leak
  clk: imx6sl: ensure MMDC CH0 handshake is bypassed
  sata_rcar: fix deferred probing
  iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
  mips: bpf: fix encoding bug for mm_srlv32_op
  ARM: dts: Fix OMAP4430 SDP Ethernet startup
  timekeeping: Use proper seqcount initializer
  usb: hub: delay hub autosuspend if USB3 port is still link training
  smack: fix access permissions for keyring
  media: DaVinci-VPBE: fix error handling in vpbe_initialize()
  x86/fpu: Add might_fault() to user_insn()
  ARM: dts: mmp2: fix TWSI2
  arm64: ftrace: don't adjust the LR value
  nfsd4: fix crash on writing v4_end_grace before nfsd startup
  sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN
  f2fs: fix wrong return value of f2fs_acl_create
  f2fs: move dir data flush to write checkpoint process
  soc/tegra: Don't leak device tree node reference
  perf tools: Add Hygon Dhyana support
  modpost: validate symbol names also in find_elf_symbol
  ARM: OMAP2+: hwmod: Fix some section annotations
  staging: iio: ad7780: update voltage on read
  staging:iio:ad2s90: Make probe handle spi_setup failure
  ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
  serial: fsl_lpuart: clear parity enable bit when disable parity
  powerpc/pseries: add of_node_put() in dlpar_detach_node()
  x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
  dlm: Don't swamp the CPU with callbacks queued during recovery
  ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
  scsi: lpfc: Correct LCB RJT handling
  ASoC: Intel: mrfld: fix uninitialized variable access
  staging: iio: adc: ad7280a: handle error from __ad7280_read32()
  drm/bufs: Fix Spectre v1 vulnerability
  BACKPORT: userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
  ANDROID: cuttlefish_defconfig: Enable DEBUG_SET_MODULE_RONX
  ANDROID: Move from clang r346389b to r349610.
  UPSTREAM: virt_wifi: fix error return code in virt_wifi_newlink()
  ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG

Change-Id: I8456a2f1d229a2d454295d660f749a2b436c6440
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

14 files changed, 67 insertions, 9 deletions

diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
index 8bef27b8f85d..e7b478b49985 100644
--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -111,7 +111,7 @@ config CIFS_XATTR
 
 config CIFS_POSIX
         bool "CIFS POSIX Extensions"
-        depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
+        depends on CIFS_XATTR
         help
           Enabling this option will cause the cifs client to attempt to
 	  negotiate a newer dialect with servers, such as Samba 3.0.5
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 7b00727e1c11..e5357c7b5d4c 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1081,6 +1081,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
 		return -EINVAL;
 	}
 
+	BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
+		     PAGE_SIZE);
+	max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
+			PAGE_SIZE);
 	max_num = (max_buf - sizeof(struct smb_hdr)) /
 						sizeof(LOCKING_ANDX_RANGE);
 	buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
@@ -1410,6 +1414,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 	if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
 		return -EINVAL;
 
+	BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
+		     PAGE_SIZE);
+	max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
+			PAGE_SIZE);
 	max_num = (max_buf - sizeof(struct smb_hdr)) /
 						sizeof(LOCKING_ANDX_RANGE);
 	buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index 57b039ebfb1f..43fa471c88d7 100644
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -652,7 +652,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
 		/* scan and find it */
 		int i;
 		char *cur_ent;
-		char *end_of_smb = cfile->srch_inf.ntwrk_buf_start +
+		char *end_of_smb;
+
+		if (cfile->srch_inf.ntwrk_buf_start == NULL) {
+			cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n");
+			return -EIO;
+		}
+
+		end_of_smb = cfile->srch_inf.ntwrk_buf_start +
 			server->ops->calc_smb_size(
 					cfile->srch_inf.ntwrk_buf_start);
 
diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index b7885dc0d9bb..dee5250701de 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -129,6 +129,8 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 	if (max_buf < sizeof(struct smb2_lock_element))
 		return -EINVAL;
 
+	BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
+	max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
 	max_num = max_buf / sizeof(struct smb2_lock_element);
 	buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
 	if (!buf)
@@ -265,6 +267,8 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
 		return -EINVAL;
 	}
 
+	BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
+	max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
 	max_num = max_buf / sizeof(struct smb2_lock_element);
 	buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
 	if (!buf) {
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index e49ba072bd64..22fe11baef2b 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -671,6 +671,13 @@ struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
 	struct dentry *dentry = NULL, *trap;
 	struct name_snapshot old_name;
 
+	if (IS_ERR(old_dir))
+		return old_dir;
+	if (IS_ERR(new_dir))
+		return new_dir;
+	if (IS_ERR_OR_NULL(old_dentry))
+		return old_dentry;
+
 	trap = lock_rename(new_dir, old_dir);
 	/* Source or destination directories don't exist? */
 	if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c
index dcea1e37a1b7..f18619bc2e09 100644
--- a/fs/dlm/ast.c
+++ b/fs/dlm/ast.c
@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls)
 		flush_workqueue(ls->ls_callback_wq);
 }
 
+#define MAX_CB_QUEUE 25
+
 void dlm_callback_resume(struct dlm_ls *ls)
 {
 	struct dlm_lkb *lkb, *safe;
@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls)
 	if (!ls->ls_callback_wq)
 		return;
 
+more:
 	mutex_lock(&ls->ls_cb_mutex);
 	list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) {
 		list_del_init(&lkb->lkb_cb_list);
 		queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work);
 		count++;
+		if (count == MAX_CB_QUEUE)
+			break;
 	}
 	mutex_unlock(&ls->ls_cb_mutex);
 
 	if (count)
 		log_rinfo(ls, "dlm_callback_resume %d", count);
+	if (count == MAX_CB_QUEUE) {
+		count = 0;
+		cond_resched();
+		goto more;
+	}
 }
 
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 066df649a6b0..ac21caad6729 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1035,7 +1035,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k
 	 * semantics). All the events that happen during that period of time are
 	 * chained in ep->ovflist and requeued later on.
 	 */
-	if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) {
+	if (ep->ovflist != EP_UNACTIVE_PTR) {
 		if (epi->next == EP_UNACTIVE_PTR) {
 			epi->next = ep->ovflist;
 			ep->ovflist = epi;
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index c6e4e4c0221b..0fc9e87802b5 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1751,7 +1751,6 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
 	req->in.h.nodeid = outarg->nodeid;
 	req->in.numargs = 2;
 	req->in.argpages = 1;
-	req->page_descs[0].offset = offset;
 	req->end = fuse_retrieve_end;
 
 	index = outarg->offset >> PAGE_CACHE_SHIFT;
@@ -1766,6 +1765,7 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
 
 		this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
 		req->pages[req->num_pages] = page;
+		req->page_descs[req->num_pages].offset = offset;
 		req->page_descs[req->num_pages].length = this_num;
 		req->num_pages++;
 
@@ -2091,10 +2091,13 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
 
 	ret = fuse_dev_do_write(fud, &cs, len);
 
+	pipe_lock(pipe);
 	for (idx = 0; idx < nbuf; idx++) {
 		struct pipe_buffer *buf = &bufs[idx];
 		buf->ops->release(pipe, buf);
 	}
+	pipe_unlock(pipe);
+
 out:
 	kfree(bufs);
 	return ret;
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 5ff580633a63..690bbb22ed6b 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1853,7 +1853,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req,
 		spin_unlock(&fc->lock);
 
 		dec_wb_stat(&bdi->wb, WB_WRITEBACK);
-		dec_zone_page_state(page, NR_WRITEBACK_TEMP);
+		dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
 		wb_writeout_inc(&bdi->wb);
 		fuse_writepage_free(fc, new_req);
 		fuse_request_free(new_req);
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 62f358f67764..412fcfbc50e2 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2376,8 +2376,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n
 		goto Ebusy;
 	if (a->acdirmax != b->acdirmax)
 		goto Ebusy;
-	if (b->auth_info.flavor_len > 0 &&
-	   clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
+	if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
 		goto Ebusy;
 	return 1;
 Ebusy:
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index 9690cb4dd588..03c7a4e7b6ba 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1106,6 +1106,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size)
 		case 'Y':
 		case 'y':
 		case '1':
+			if (nn->nfsd_serv)
+				return -EBUSY;
 			nfsd4_end_grace(nn);
 			break;
 		default:
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index 272269f1c310..9ee8bcfbf00f 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -146,7 +146,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
 			BUG();
 		}
 
-		clear_buffer_uptodate(bh);
 		get_bh(bh); /* for end_buffer_read_sync() */
 		bh->b_end_io = end_buffer_read_sync;
 		submit_bh(READ, bh);
@@ -300,7 +299,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 				continue;
 			}
 
-			clear_buffer_uptodate(bh);
 			get_bh(bh); /* for end_buffer_read_sync() */
 			if (validate)
 				set_buffer_needs_validate(bh);
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 0e659d9c69a1..613193c6bb42 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1364,6 +1364,12 @@ reread:
 
 	iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) &
 							ICBTAG_FLAG_AD_MASK;
+	if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT &&
+	    iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG &&
+	    iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) {
+		ret = -EIO;
+		goto out;
+	}
 	iinfo->i_unique = 0;
 	iinfo->i_lenEAttr = 0;
 	iinfo->i_lenExtents = 0;
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index d859d8bd1f96..e7cc0d860499 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -793,6 +793,18 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
 			goto out_unlock;
 
 		/*
+		 * UFFDIO_COPY will fill file holes even without
+		 * PROT_WRITE. This check enforces that if this is a
+		 * MAP_SHARED, the process has write permission to the backing
+		 * file. If VM_MAYWRITE is set it also enforces that on a
+		 * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
+		 * F_WRITE_SEAL can be taken until the vma is destroyed.
+		 */
+		ret = -EPERM;
+		if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
+			goto out_unlock;
+
+		/*
 		 * Check that this vma isn't already owned by a
 		 * different userfaultfd. We can't allow more than one
 		 * userfaultfd to own a single vma simultaneously or we
@@ -817,6 +829,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
 		BUG_ON(vma->vm_ops);
 		BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
 		       vma->vm_userfaultfd_ctx.ctx != ctx);
+		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
 
 		/*
 		 * Nothing to do: this vma is already registered into this
@@ -953,6 +966,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
 		cond_resched();
 
 		BUG_ON(vma->vm_ops);
+		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
 
 		/*
 		 * Nothing to do: this vma is already registered into this