Merge android-4.4.133 (3f51ea2) into msm-4.4

* refs/heads/tmp-3f51ea2
  Linux 4.4.133
  x86/kexec: Avoid double free_page() upon do_kexec_load() failure
  hfsplus: stop workqueue when fill_super() failed
  cfg80211: limit wiphy names to 128 bytes
  gpio: rcar: Add Runtime PM handling for interrupts
  time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
  dmaengine: ensure dmaengine helpers check valid callback
  scsi: zfcp: fix infinite iteration on ERP ready list
  scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
  scsi: libsas: defer ata device eh commands to libata
  s390: use expoline thunks in the BPF JIT
  s390: extend expoline to BC instructions
  s390: move spectre sysfs attribute code
  s390/kernel: use expoline for indirect branches
  s390/lib: use expoline for indirect branches
  s390: move expoline assembler macros to a header
  s390: add assembler macros for CPU alternatives
  ext2: fix a block leak
  tcp: purge write queue in tcp_connect_init()
  sock_diag: fix use-after-free read in __sk_free
  packet: in packet_snd start writing at link layer allocation
  net: test tailroom before appending to linear skb
  btrfs: fix reading stale metadata blocks after degraded raid1 mounts
  btrfs: fix crash when trying to resume balance without the resume flag
  Btrfs: fix xattr loss after power failure
  ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
  ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
  ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
  tick/broadcast: Use for_each_cpu() specially on UP kernels
  ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
  efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode
  s390: remove indirect branch from do_softirq_own_stack
  s390/qdio: don't release memory in qdio_setup_irq()
  s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero
  s390/qdio: fix access to uninitialized qdio_q fields
  mm: don't allow deferred pages with NEED_PER_CPU_KM
  powerpc/powernv: Fix NVRAM sleep in invalid context when crashing
  procfs: fix pthread cross-thread naming if !PR_DUMPABLE
  proc read mm's {arg,env}_{start,end} with mmap semaphore taken.
  tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}
  cpufreq: intel_pstate: Enable HWP by default
  signals: avoid unnecessary taking of sighand->siglock
  mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read
  mm: filemap: remove redundant code in do_read_cache_page
  proc: meminfo: estimate available memory more conservatively
  vmscan: do not force-scan file lru if its absolute size is small
  powerpc: Don't preempt_disable() in show_cpuinfo()
  cpuidle: coupled: remove unused define cpuidle_coupled_lock
  powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL
  powerpc/powernv: Remove OPALv2 firmware define and references
  powerpc/powernv: panic() on OPAL < V3
  spi: pxa2xx: Allow 64-bit DMA
  ALSA: control: fix a redundant-copy issue
  ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
  ALSA: usb: mixer: volume quirk for CM102-A+/102S+
  usbip: usbip_host: fix bad unlock balance during stub_probe()
  usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
  usbip: usbip_host: run rebind from exit when module is removed
  usbip: usbip_host: delete device from busid_table after rebind
  usbip: usbip_host: refine probe and disconnect debug msgs to be useful
  kernel/exit.c: avoid undefined behaviour when calling wait4()
  futex: futex_wake_op, fix sign_extend32 sign bits
  pipe: cap initial pipe capacity according to pipe-max-size limit
  l2tp: revert "l2tp: fix missing print session offset info"
  Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap"
  lockd: lost rollback of set_grace_period() in lockd_down_net()
  xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM)
  futex: Remove duplicated code and fix undefined behaviour
  futex: Remove unnecessary warning from get_futex_key
  arm64: Add work around for Arm Cortex-A55 Erratum 1024718
  arm64: introduce mov_q macro to move a constant into a 64-bit register
  audit: move calcs after alloc and check when logging set loginuid
  ALSA: timer: Call notifier in the same spinlock
  sctp: delay the authentication for the duplicated cookie-echo chunk
  sctp: fix the issue that the cookie-ack with auth can't get processed
  tcp: ignore Fast Open on repair mode
  bonding: do not allow rlb updates to invalid mac
  tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
  sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
  sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
  r8169: fix powering up RTL8168h
  qmi_wwan: do not steal interfaces from class drivers
  openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
  net: support compat 64-bit time in {s,g}etsockopt
  net_sched: fq: take care of throttled flows before reuse
  net/mlx4_en: Verify coalescing parameters are in range
  net: ethernet: sun: niu set correct packet size in skb
  llc: better deal with too small mtu
  ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
  dccp: fix tasklet usage
  bridge: check iface upper dev when setting master via ioctl
  8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
  BACKPORT, FROMLIST: fscrypt: add Speck128/256 support
  cgroup: Disable IRQs while holding css_set_lock
  Revert "cgroup: Disable IRQs while holding css_set_lock"
  cgroup: Disable IRQs while holding css_set_lock
  ANDROID: proc: fix undefined behavior in proc_uid_base_readdir
  x86: vdso: Fix leaky vdso linker with CC=clang.
  ANDROID: build: cuttlefish: Upgrade clang to newer version.
  ANDROID: build: cuttlefish: Upgrade clang to newer version.
  ANDROID: build: cuttlefish: Fix path to clang.
  UPSTREAM: dm bufio: avoid sleeping while holding the dm_bufio lock
  ANDROID: sdcardfs: Don't d_drop in d_revalidate

Conflicts:
	arch/arm64/include/asm/cputype.h
	fs/ext4/crypto.c
	fs/ext4/ext4.h
	kernel/cgroup.c
	mm/vmscan.c

Change-Id: Ic10c5722b6439af1cf423fd949c493f786764d7e
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

1 files changed, 49 insertions, 40 deletions

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 29c7c43de108..df9ac3746c1b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -144,10 +144,8 @@ static sctp_disposition_t sctp_sf_violation_chunk(
 				     void *arg,
 				     sctp_cmd_seq_t *commands);
 
-static sctp_ierror_t sctp_sf_authenticate(struct net *net,
-				    const struct sctp_endpoint *ep,
+static sctp_ierror_t sctp_sf_authenticate(
 				    const struct sctp_association *asoc,
-				    const sctp_subtype_t type,
 				    struct sctp_chunk *chunk);
 
 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
@@ -615,6 +613,38 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
 	return SCTP_DISPOSITION_CONSUME;
 }
 
+static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
+				   const struct sctp_association *asoc)
+{
+	struct sctp_chunk auth;
+
+	if (!chunk->auth_chunk)
+		return true;
+
+	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
+	 * is supposed to be authenticated and we have to do delayed
+	 * authentication.  We've just recreated the association using
+	 * the information in the cookie and now it's much easier to
+	 * do the authentication.
+	 */
+
+	/* Make sure that we and the peer are AUTH capable */
+	if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
+		return false;
+
+	/* set-up our fake chunk so that we can process it */
+	auth.skb = chunk->auth_chunk;
+	auth.asoc = chunk->asoc;
+	auth.sctp_hdr = chunk->sctp_hdr;
+	auth.chunk_hdr = (struct sctp_chunkhdr *)
+				skb_push(chunk->auth_chunk,
+					 sizeof(struct sctp_chunkhdr));
+	skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
+	auth.transport = chunk->transport;
+
+	return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
+}
+
 /*
  * Respond to a normal COOKIE ECHO chunk.
  * We are the side that is being asked for an association.
@@ -751,36 +781,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
 	if (error)
 		goto nomem_init;
 
-	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
-	 * is supposed to be authenticated and we have to do delayed
-	 * authentication.  We've just recreated the association using
-	 * the information in the cookie and now it's much easier to
-	 * do the authentication.
-	 */
-	if (chunk->auth_chunk) {
-		struct sctp_chunk auth;
-		sctp_ierror_t ret;
-
-		/* Make sure that we and the peer are AUTH capable */
-		if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-			sctp_association_free(new_asoc);
-			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-		}
-
-		/* set-up our fake chunk so that we can process it */
-		auth.skb = chunk->auth_chunk;
-		auth.asoc = chunk->asoc;
-		auth.sctp_hdr = chunk->sctp_hdr;
-		auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
-					    sizeof(sctp_chunkhdr_t));
-		skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
-		auth.transport = chunk->transport;
-
-		ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
-		if (ret != SCTP_IERROR_NO_ERROR) {
-			sctp_association_free(new_asoc);
-			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-		}
+	if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
+		sctp_association_free(new_asoc);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 	}
 
 	repl = sctp_make_cookie_ack(new_asoc, chunk);
@@ -1717,13 +1720,15 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+		return SCTP_DISPOSITION_DISCARD;
+
 	/* Make sure no new addresses are being added during the
 	 * restart.  Though this is a pretty complicated attack
 	 * since you'd have to get inside the cookie.
 	 */
-	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
+	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
 		return SCTP_DISPOSITION_CONSUME;
-	}
 
 	/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
 	 * the peer has restarted (Action A), it MUST NOT setup a new
@@ -1828,6 +1833,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
 			       GFP_ATOMIC))
 		goto nomem;
 
+	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+		return SCTP_DISPOSITION_DISCARD;
+
 	/* Update the content of current association.  */
 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
@@ -1920,6 +1928,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
 	 * a COOKIE ACK.
 	 */
 
+	if (!sctp_auth_chunk_verify(net, chunk, asoc))
+		return SCTP_DISPOSITION_DISCARD;
+
 	/* Don't accidentally move back into established state. */
 	if (asoc->state < SCTP_STATE_ESTABLISHED) {
 		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
@@ -1959,7 +1970,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
 		}
 	}
 
-	repl = sctp_make_cookie_ack(new_asoc, chunk);
+	repl = sctp_make_cookie_ack(asoc, chunk);
 	if (!repl)
 		goto nomem;
 
@@ -3985,10 +3996,8 @@ gen_shutdown:
  *
  * The return value is the disposition of the chunk.
  */
-static sctp_ierror_t sctp_sf_authenticate(struct net *net,
-				    const struct sctp_endpoint *ep,
+static sctp_ierror_t sctp_sf_authenticate(
 				    const struct sctp_association *asoc,
-				    const sctp_subtype_t type,
 				    struct sctp_chunk *chunk)
 {
 	struct sctp_authhdr *auth_hdr;
@@ -4087,7 +4096,7 @@ sctp_disposition_t sctp_sf_eat_auth(struct net *net,
 						  commands);
 
 	auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
-	error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
+	error = sctp_sf_authenticate(asoc, chunk);
 	switch (error) {
 	case SCTP_IERROR_AUTH_BAD_HMAC:
 		/* Generate the ERROR chunk and discard the rest