Merge 4.4.236 into android-4.4-p

Changes in 4.4.236
	HID: core: Correctly handle ReportSize being zero
	HID: core: Sanitize event code and type when mapping input
	perf record/stat: Explicitly call out event modifiers in the documentation
	mm, page_alloc: remove unnecessary variable from free_pcppages_bulk
	hwmon: (applesmc) check status earlier.
	ceph: don't allow setlease on cephfs
	s390: don't trace preemption in percpu macros
	xen/xenbus: Fix granting of vmalloc'd memory
	dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
	batman-adv: Avoid uninitialized chaddr when handling DHCP
	batman-adv: bla: use netif_rx_ni when not in interrupt context
	dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate()
	netfilter: nf_tables: incorrect enum nft_list_attributes definition
	netfilter: nf_tables: fix destination register zeroing
	dmaengine: pl330: Fix burst length if burst size is smaller than bus width
	bnxt_en: Check for zero dir entries in NVRAM.
	fix regression in "epoll: Keep a reference on files added to the check list"
	tg3: Fix soft lockup when tg3_reset_task() fails.
	iommu/vt-d: Serialize IOMMU GCMD register modifications
	thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
	include/linux/log2.h: add missing () around n in roundup_pow_of_two()
	btrfs: drop path before adding new uuid tree entry
	btrfs: Remove redundant extent_buffer_get in get_old_root
	btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind
	btrfs: set the lockdep class for log tree extent buffers
	uaccess: Add non-pagefault user-space read functions
	uaccess: Add non-pagefault user-space write function
	btrfs: fix potential deadlock in the search ioctl
	net: qmi_wwan: MDM9x30 specific power management
	net: qmi_wwan: support "raw IP" mode
	net: qmi_wwan: should hold RTNL while changing netdev type
	net: qmi_wwan: ignore bogus CDC Union descriptors
	Add Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card (rev3) to qmi_wwan
	qmi_wwan: Added support for Gemalto's Cinterion PHxx WWAN interface
	qmi_wwan: add support for Quectel EC21 and EC25
	NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
	drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201
	usb: qmi_wwan: add D-Link DWM-222 A2 device ID
	net: usb: qmi_wwan: add Telit ME910 support
	net: usb: qmi_wwan: add Telit 0x1050 composition
	ALSA: ca0106: fix error code handling
	ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
	dm cache metadata: Avoid returning cmd->bm wild pointer on error
	dm thin metadata: Avoid returning cmd->bm wild pointer on error
	net: refactor bind_bucket fastreuse into helper
	net: initialize fastreuse on inet_inherit_port
	checkpatch: fix the usage of capture group ( ... )
	mm/hugetlb: fix a race between hugetlb sysctl handlers
	cfg80211: regulatory: reject invalid hints
	net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
	ALSA: firewire-digi00x: add support for console models of Digi00x series
	ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
	ALSA; firewire-tascam: exclude Tascam FE-8 from detection
	fs/affs: use octal for permissions
	affs: fix basic permission bits to actually work
	ravb: Fixed to be able to unload modules
	net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
	bnxt_en: Failure to update PHY is not fatal condition.
	bnxt: don't enable NAPI until rings are ready
	net: usb: dm9601: Add USB ID of Keenetic Plus DSL
	sctp: not disable bh in the whole sctp_get_port_local()
	net: disable netpoll on fresh napis
	Linux 4.4.236

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I45da24ccdf864c8774a1265a5d81685e04add060

3 files changed, 56 insertions, 14 deletions

diff --git a/include/linux/hid.h b/include/linux/hid.h
index ee5378eacda6..88c4f0538646 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -869,34 +869,49 @@ static inline void hid_device_io_stop(struct hid_device *hid) {
  * @max: maximal valid usage->code to consider later (out parameter)
  * @type: input event type (EV_KEY, EV_REL, ...)
  * @c: code which corresponds to this usage and type
+ *
+ * The value pointed to by @bit will be set to NULL if either @type is
+ * an unhandled event type, or if @c is out of range for @type. This
+ * can be used as an error condition.
  */
 static inline void hid_map_usage(struct hid_input *hidinput,
 		struct hid_usage *usage, unsigned long **bit, int *max,
-		__u8 type, __u16 c)
+		__u8 type, unsigned int c)
 {
 	struct input_dev *input = hidinput->input;
-
-	usage->type = type;
-	usage->code = c;
+	unsigned long *bmap = NULL;
+	unsigned int limit = 0;
 
 	switch (type) {
 	case EV_ABS:
-		*bit = input->absbit;
-		*max = ABS_MAX;
+		bmap = input->absbit;
+		limit = ABS_MAX;
 		break;
 	case EV_REL:
-		*bit = input->relbit;
-		*max = REL_MAX;
+		bmap = input->relbit;
+		limit = REL_MAX;
 		break;
 	case EV_KEY:
-		*bit = input->keybit;
-		*max = KEY_MAX;
+		bmap = input->keybit;
+		limit = KEY_MAX;
 		break;
 	case EV_LED:
-		*bit = input->ledbit;
-		*max = LED_MAX;
+		bmap = input->ledbit;
+		limit = LED_MAX;
 		break;
 	}
+
+	if (unlikely(c > limit || !bmap)) {
+		pr_warn_ratelimited("%s: Invalid code %d type %d\n",
+				    input->name, c, type);
+		*bit = NULL;
+		return;
+	}
+
+	usage->type = type;
+	usage->code = c;
+	*max = limit;
+	*bit = bmap;
 }
 
 /**
@@ -910,7 +925,8 @@ static inline void hid_map_usage_clear(struct hid_input *hidinput,
 		__u8 type, __u16 c)
 {
 	hid_map_usage(hidinput, usage, bit, max, type, c);
-	clear_bit(c, *bit);
+	if (*bit)
+		clear_bit(usage->code, *bit);
 }
 
 /**
diff --git a/include/linux/log2.h b/include/linux/log2.h
index c373295f359f..cca606609e1b 100644
--- a/include/linux/log2.h
+++ b/include/linux/log2.h
@@ -159,7 +159,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
 #define roundup_pow_of_two(n)			\
 (						\
 	__builtin_constant_p(n) ? (		\
-		(n == 1) ? 1 :			\
+		((n) == 1) ? 1 :		\
 		(1UL << (ilog2((n) - 1) + 1))	\
 				   ) :		\
 	__roundup_pow_of_two(n)			\
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 9442423979c1..cc5ba47062e8 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -91,6 +91,17 @@ extern long probe_kernel_read(void *dst, const void *src, size_t size);
 extern long __probe_kernel_read(void *dst, const void *src, size_t size);
 
 /*
+ * probe_user_read(): safely attempt to read from a location in user space
+ * @dst: pointer to the buffer that shall take the data
+ * @src: address to read from
+ * @size: size of the data chunk
+ *
+ * Safely read from address @src to the buffer at @dst.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ */
+extern long probe_user_read(void *dst, const void __user *src, size_t size);
+
+/*
  * probe_kernel_write(): safely attempt to write to a location
  * @dst: address to write to
  * @src: pointer to the data that shall be written
@@ -102,7 +113,22 @@ extern long __probe_kernel_read(void *dst, const void *src, size_t size);
 extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
 extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
 
+/*
+ * probe_user_write(): safely attempt to write to a location in user space
+ * @dst: address to write to
+ * @src: pointer to the data that shall be written
+ * @size: size of the data chunk
+ *
+ * Safely write to address @dst from the buffer at @src.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ */
+extern long notrace probe_user_write(void __user *dst, const void *src, size_t size);
+extern long notrace __probe_user_write(void __user *dst, const void *src, size_t size);
+
 extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
+extern long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
+				     long count);
+extern long strnlen_unsafe_user(const void __user *unsafe_addr, long count);
 
 /**
  * probe_kernel_address(): safely attempt to read from a location