Merge android-4.4.183 (94fd428) into msm-4.4

* refs/heads/tmp-94fd428
  Linux 4.4.183
  Abort file_remove_privs() for non-reg. files
  coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
  Revert "crypto: crypto4xx - properly set IV after de- and encrypt"
  scsi: libsas: delete sas port if expander discover failed
  scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
  net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
  KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
  ia64: fix build errors by exporting paddr_to_nid()
  configfs: Fix use-after-free when accessing sd->s_dentry
  i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
  net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
  gpio: fix gpio-adp5588 build errors
  perf/ring_buffer: Add ordering to rb->nest increment
  perf/ring_buffer: Fix exposing a temporarily decreased data_head
  x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
  mISDN: make sure device name is NUL terminated
  sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
  neigh: fix use-after-free read in pneigh_get_next
  lapb: fixed leak of control-blocks.
  ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
  be2net: Fix number of Rx queues used for flow hashing
  ax25: fix inconsistent lock state in ax25_destroy_timer
  USB: serial: option: add Telit 0x1260 and 0x1261 compositions
  USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
  USB: serial: pl2303: add Allied Telesis VT-Kit3
  USB: usb-storage: Add new ID to ums-realtek
  USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
  drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
  drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
  KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
  KVM: x86/pmu: do not mask the value that is written to fixed PMUs
  usbnet: ipheth: fix racing condition
  scsi: bnx2fc: fix incorrect cast to u64 on shift operation
  scsi: lpfc: add check for loss of ndlp when sending RRQ
  Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
  ASoC: cs42xx8: Add regcache mask dirty
  cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
  bcache: fix stack corruption by PRECEDING_KEY()
  i2c: acorn: fix i2c warning
  ptrace: restore smp_rmb() in __ptrace_may_access()
  signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
  fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
  mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
  libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
  ALSA: seq: Cover unsubscribe_port() in list_mutex
  Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
  futex: Fix futex lock the wrong page
  ARM: exynos: Fix undefined instruction during Exynos5422 resume
  pwm: Fix deadlock warning when removing PWM device
  ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
  pwm: tiehrpwm: Update shadow register for disabling PWMs
  dmaengine: idma64: Use actual device for DMA transfers
  gpio: gpio-omap: add check for off wake capable gpios
  PCI: xilinx: Check for __get_free_pages() failure
  video: imsttfb: fix potential NULL pointer dereferences
  video: hgafb: fix potential NULL pointer dereference
  PCI: rcar: Fix a potential NULL pointer dereference
  PCI: rpadlpar: Fix leaked device_node references in add/remove paths
  ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
  ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
  ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
  clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
  soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
  platform/chrome: cros_ec_proto: check for NULL transfer function
  x86/PCI: Fix PCI IRQ routing table memory leak
  nfsd: allow fh_want_write to be called twice
  fuse: retrieve: cap requested size to negotiated max_write
  nvmem: core: fix read buffer in place
  ALSA: hda - Register irq handler after the chip initialization
  iommu/vt-d: Set intel_iommu_gfx_mapped correctly
  f2fs: fix to do sanity check on valid block count of segment
  f2fs: fix to avoid panic in do_recover_data()
  ntp: Allow TAI-UTC offset to be set to zero
  drm/bridge: adv7511: Fix low refresh rate selection
  perf/x86/intel: Allow PEBS multi-entry in watermark mode
  mfd: twl6040: Fix device init errors for ACCCTL register
  mfd: intel-lpss: Set the device in reset state when init
  kernel/sys.c: prctl: fix false positive in validate_prctl_map()
  mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
  mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
  hugetlbfs: on restore reserve error path retain subpool reservation
  ipc: prevent lockup on alloc_msg and free_msg
  sysctl: return -EINVAL if val violates minmax
  fs/fat/file.c: issue flush after the writeback of FAT
  ANDROID: kernel: cgroup: cpuset: Clear cpus_requested for empty buf
  ANDROID: kernel: cgroup: cpuset: Add missing allocation of cpus_requested in alloc_trial_cpuset

Change-Id: I5b33449bd21ec21d91b1030d53df3658a305bded
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

8 files changed, 76 insertions, 18 deletions

diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index a599351997ad..2ce1a5297b92 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -419,14 +419,19 @@ static struct cpuset *alloc_trial_cpuset(struct cpuset *cs)
 
 	if (!alloc_cpumask_var(&trial->cpus_allowed, GFP_KERNEL))
 		goto free_cs;
+	if (!alloc_cpumask_var(&trial->cpus_requested, GFP_KERNEL))
+		goto free_allowed;
 	if (!alloc_cpumask_var(&trial->effective_cpus, GFP_KERNEL))
 		goto free_cpus;
 
 	cpumask_copy(trial->cpus_allowed, cs->cpus_allowed);
+	cpumask_copy(trial->cpus_requested, cs->cpus_requested);
 	cpumask_copy(trial->effective_cpus, cs->effective_cpus);
 	return trial;
 
 free_cpus:
+	free_cpumask_var(trial->cpus_requested);
+free_allowed:
 	free_cpumask_var(trial->cpus_allowed);
 free_cs:
 	kfree(trial);
@@ -440,6 +445,7 @@ free_cs:
 static void free_trial_cpuset(struct cpuset *trial)
 {
 	free_cpumask_var(trial->effective_cpus);
+	free_cpumask_var(trial->cpus_requested);
 	free_cpumask_var(trial->cpus_allowed);
 	kfree(trial);
 }
@@ -948,23 +954,23 @@ static int update_cpumask(struct cpuset *cs, struct cpuset *trialcs,
 		return -EACCES;
 
 	/*
-	 * An empty cpus_allowed is ok only if the cpuset has no tasks.
+	 * An empty cpus_requested is ok only if the cpuset has no tasks.
 	 * Since cpulist_parse() fails on an empty mask, we special case
 	 * that parsing.  The validate_change() call ensures that cpusets
 	 * with tasks have cpus.
 	 */
 	if (!*buf) {
-		cpumask_clear(trialcs->cpus_allowed);
+		cpumask_clear(trialcs->cpus_requested);
 	} else {
 		retval = cpulist_parse(buf, trialcs->cpus_requested);
 		if (retval < 0)
 			return retval;
+	}
 
-		if (!cpumask_subset(trialcs->cpus_requested, cpu_present_mask))
-			return -EINVAL;
+	if (!cpumask_subset(trialcs->cpus_requested, cpu_present_mask))
+		return -EINVAL;
 
-		cpumask_and(trialcs->cpus_allowed, trialcs->cpus_requested, cpu_active_mask);
-	}
+	cpumask_and(trialcs->cpus_allowed, trialcs->cpus_requested, cpu_active_mask);
 
 	/* Nothing to do if the cpus didn't change */
 	if (cpumask_equal(cs->cpus_requested, trialcs->cpus_requested))
diff --git a/kernel/cred.c b/kernel/cred.c
index ff8606f77d90..098af0bc0b7e 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -447,6 +447,15 @@ int commit_creds(struct cred *new)
 		if (task->mm)
 			set_dumpable(task->mm, suid_dumpable);
 		task->pdeath_signal = 0;
+		/*
+		 * If a task drops privileges and becomes nondumpable,
+		 * the dumpability change must become visible before
+		 * the credential change; otherwise, a __ptrace_may_access()
+		 * racing with this change may be able to attach to a task it
+		 * shouldn't be able to attach to (as if the task had dropped
+		 * privileges without becoming nondumpable).
+		 * Pairs with a read barrier in __ptrace_may_access().
+		 */
 		smp_wmb();
 	}
 
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index 424f5a5fa5a2..b128cc829bd8 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -49,14 +49,30 @@ static void perf_output_put_handle(struct perf_output_handle *handle)
 	unsigned long head;
 
 again:
+	/*
+	 * In order to avoid publishing a head value that goes backwards,
+	 * we must ensure the load of @rb->head happens after we've
+	 * incremented @rb->nest.
+	 *
+	 * Otherwise we can observe a @rb->head value before one published
+	 * by an IRQ/NMI happening between the load and the increment.
+	 */
+	barrier();
 	head = local_read(&rb->head);
 
 	/*
-	 * IRQ/NMI can happen here, which means we can miss a head update.
+	 * IRQ/NMI can happen here and advance @rb->head, causing our
+	 * load above to be stale.
 	 */
 
-	if (!local_dec_and_test(&rb->nest))
+	/*
+	 * If this isn't the outermost nesting, we don't have to update
+	 * @rb->user_page->data_head.
+	 */
+	if (local_read(&rb->nest) > 1) {
+		local_dec(&rb->nest);
 		goto out;
+	}
 
 	/*
 	 * Since the mmap() consumer (userspace) can run on a different CPU:
@@ -88,9 +104,18 @@ again:
 	rb->user_page->data_head = head;
 
 	/*
-	 * Now check if we missed an update -- rely on previous implied
-	 * compiler barriers to force a re-read.
+	 * We must publish the head before decrementing the nest count,
+	 * otherwise an IRQ/NMI can publish a more recent head value and our
+	 * write will (temporarily) publish a stale value.
+	 */
+	barrier();
+	local_set(&rb->nest, 0);
+
+	/*
+	 * Ensure we decrement @rb->nest before we validate the @rb->head.
+	 * Otherwise we cannot be sure we caught the 'last' nested update.
 	 */
+	barrier();
 	if (unlikely(head != local_read(&rb->head))) {
 		local_inc(&rb->nest);
 		goto again;
diff --git a/kernel/futex.c b/kernel/futex.c
index 39c2b3eda1b9..d24d164e9bdb 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -593,8 +593,8 @@ again:
 		 * applies. If this is really a shmem page then the page lock
 		 * will prevent unexpected transitions.
 		 */
-		lock_page(page);
-		shmem_swizzled = PageSwapCache(page) || page->mapping;
+		lock_page(page_head);
+		shmem_swizzled = PageSwapCache(page_head) || page_head->mapping;
 		unlock_page(page_head);
 		put_page(page_head);
 
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 8303874c2a06..1aa33fe37aa8 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -292,6 +292,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	return -EPERM;
 ok:
 	rcu_read_unlock();
+	/*
+	 * If a task drops privileges and becomes nondumpable (through a syscall
+	 * like setresuid()) while we are trying to access it, we must ensure
+	 * that the dumpability is read after the credentials; otherwise,
+	 * we may be able to attach to a task that we shouldn't be able to
+	 * attach to (as if the task had dropped privileges without becoming
+	 * nondumpable).
+	 * Pairs with a write barrier in commit_creds().
+	 */
+	smp_rmb();
 	mm = task->mm;
 	if (mm &&
 	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
@@ -673,6 +683,10 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 	if (arg.nr < 0)
 		return -EINVAL;
 
+	/* Ensure arg.off fits in an unsigned long */
+	if (arg.off > ULONG_MAX)
+		return 0;
+
 	if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
 		pending = &child->signal->shared_pending;
 	else
@@ -680,18 +694,20 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 
 	for (i = 0; i < arg.nr; ) {
 		siginfo_t info;
-		s32 off = arg.off + i;
+		unsigned long off = arg.off + i;
+		bool found = false;
 
 		spin_lock_irq(&child->sighand->siglock);
 		list_for_each_entry(q, &pending->list, list) {
 			if (!off--) {
+				found = true;
 				copy_siginfo(&info, &q->info);
 				break;
 			}
 		}
 		spin_unlock_irq(&child->sighand->siglock);
 
-		if (off >= 0) /* beyond the end of the list */
+		if (!found) /* beyond the end of the list */
 			break;
 
 #ifdef CONFIG_COMPAT
diff --git a/kernel/sys.c b/kernel/sys.c
index ede0c1f4b860..29413e2bee41 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1764,7 +1764,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
 	((unsigned long)prctl_map->__m1 __op				\
 	 (unsigned long)prctl_map->__m2) ? 0 : -EINVAL
 	error  = __prctl_check_order(start_code, <, end_code);
-	error |= __prctl_check_order(start_data, <, end_data);
+	error |= __prctl_check_order(start_data,<=, end_data);
 	error |= __prctl_check_order(start_brk, <=, brk);
 	error |= __prctl_check_order(arg_start, <=, arg_end);
 	error |= __prctl_check_order(env_start, <=, env_end);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 43a049f9264c..b25717eb3d3a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2782,8 +2782,10 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 			if (neg)
 				continue;
 			val = convmul * val / convdiv;
-			if ((min && val < *min) || (max && val > *max))
-				continue;
+			if ((min && val < *min) || (max && val > *max)) {
+				err = -EINVAL;
+				break;
+			}
 			*i = val;
 		} else {
 			val = convdiv * (*i) / convmul;
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index ab861771e37f..0e0dc5d89911 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -633,7 +633,7 @@ static inline void process_adjtimex_modes(struct timex *txc,
 		time_constant = max(time_constant, 0l);
 	}
 
-	if (txc->modes & ADJ_TAI && txc->constant > 0)
+	if (txc->modes & ADJ_TAI && txc->constant >= 0)
 		*time_tai = txc->constant;
 
 	if (txc->modes & ADJ_OFFSET)