Merge android-4.4.137 (a2e2217) into msm-4.4

* refs/heads/tmp-a2e2217
  Linux 4.4.137
  net: metrics: add proper netlink validation
  net: phy: broadcom: Fix bcm_write_exp()
  rtnetlink: validate attributes in do_setlink()
  team: use netdev_features_t instead of u32
  net/mlx4: Fix irq-unsafe spinlock usage
  qed: Fix mask for physical address in ILT entry
  packet: fix reserve calculation
  net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
  net/packet: refine check for priv area size
  netdev-FAQ: clarify DaveM's position for stable backports
  isdn: eicon: fix a missing-check bug
  ipv4: remove warning in ip_recv_error
  ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
  enic: set DMA mask to 47 bit
  dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
  bnx2x: use the right constant
  brcmfmac: Fix check for ISO3166 code
  drm: set FMODE_UNSIGNED_OFFSET for drm files
  xfs: fix incorrect log_flushed on fsync
  kconfig: Avoid format overflow warning from GCC 8.1
  mmap: relax file size limit for regular files
  mmap: introduce sane default mmap limits
  tpm: self test failure should not cause suspend to fail
  tpm: do not suspend/resume if power stays on
  ANDROID: Update arm64 ranchu64_defconfig
  Linux 4.4.136
  sparc64: Fix build warnings with gcc 7.
  mm: fix the NULL mapping case in __isolate_lru_page()
  fix io_destroy()/aio_complete() race
  Kbuild: change CC_OPTIMIZE_FOR_SIZE definition
  drm/i915: Disable LVDS on Radiant P845
  hwtracing: stm: fix build error on some arches
  stm class: Use vmalloc for the master map
  scsi: scsi_transport_srp: Fix shost to rport translation
  MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests
  MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs
  iio:kfifo_buf: check for uint overflow
  dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all()
  i2c: rcar: revoke START request early
  i2c: rcar: check master irqs before slave irqs
  i2c: rcar: don't issue stop when HW does it automatically
  i2c: rcar: init new messages in irq
  i2c: rcar: refactor setup of a msg
  i2c: rcar: remove spinlock
  i2c: rcar: remove unused IOERROR state
  i2c: rcar: rework hw init
  i2c: rcar: make sure clocks are on when doing clock calculation
  tcp: avoid integer overflows in tcp_rcv_space_adjust()
  irda: fix overly long udelay()
  ASoC: Intel: sst: remove redundant variable dma_dev_name
  rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c
  cfg80211: further limit wiphy names to 64 bytes
  selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
  tracing: Fix crash when freeing instances with event triggers
  Input: elan_i2c_smbus - fix corrupted stack
  Revert "ima: limit file hash setting by user to fix and log modes"
  xfs: detect agfl count corruption and reset agfl
  sh: New gcc support
  USB: serial: cp210x: use tcflag_t to fix incompatible pointer type
  powerpc/64s: Clear PCR on boot
  arm64: lse: Add early clobbers to some input/output asm operands
  FROMLIST: f2fs: run fstrim asynchronously if runtime discard is on
  goldfish: pipe: ANDROID: address must be written as __pa(x), not x
  goldfish: pipe: ANDROID: add missing check for memory allocated
  goldfish: pipe: ANDROID: remove redundant blank lines
  Update arch/x86/configs/x86_64_ranchu_defconfig
  ANDROID: x86_64_cuttlefish_defconfig: Enable F2FS
  ANDROID: Update x86_64_cuttlefish_defconfig
  FROMLIST: f2fs: early updates queued for v4.18-rc1

Change-Id: I314254168cd5ad06a7c6bca2fa68c8a6ae6c257d
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

7 files changed, 16 insertions, 15 deletions

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5b3d611d8b5f..2017ffa5197a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1691,6 +1691,10 @@ static int do_setlink(const struct sk_buff *skb,
 	const struct net_device_ops *ops = dev->netdev_ops;
 	int err;
 
+	err = validate_linkmsg(dev, tb);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
 		struct net *net = rtnl_link_get_net(dev_net(dev), tb);
 		if (IS_ERR(net)) {
@@ -1982,10 +1986,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh)
 		goto errout;
 	}
 
-	err = validate_linkmsg(dev, tb);
-	if (err < 0)
-		goto errout;
-
 	err = do_setlink(skb, dev, ifm, tb, ifname, 0);
 errout:
 	return err;
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index ff3b058cf58c..936dab12f99f 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -280,9 +280,7 @@ int dccp_disconnect(struct sock *sk, int flags)
 
 	dccp_clear_xmit_timers(sk);
 	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
 	dp->dccps_hc_rx_ccid = NULL;
-	dp->dccps_hc_tx_ccid = NULL;
 
 	__skb_queue_purge(&sk->sk_receive_queue);
 	__skb_queue_purge(&sk->sk_write_queue);
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 44abc52bae13..9d144cbd4e62 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -979,6 +979,8 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
 			if (val == TCP_CA_UNSPEC)
 				return -EINVAL;
 		} else {
+			if (nla_len(nla) != sizeof(u32))
+				return false;
 			val = nla_get_u32(nla);
 		}
 		if (type == RTAX_ADVMSS && val > 65535 - 40)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 1b93ea766916..ce9a7fbb7c5f 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -493,8 +493,6 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
 	int err;
 	int copied;
 
-	WARN_ON_ONCE(sk->sk_family == AF_INET6);
-
 	err = -EAGAIN;
 	skb = sock_dequeue_err_skb(sk);
 	if (!skb)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b1cfce7f8e85..b4e95494b05b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -558,8 +558,8 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk,
 void tcp_rcv_space_adjust(struct sock *sk)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
+	u32 copied;
 	int time;
-	int copied;
 
 	time = tcp_time_stamp - tp->rcvq_space.time;
 	if (time < (tp->rcv_rtt_est.rtt >> 3) || tp->rcv_rtt_est.rtt == 0)
@@ -581,12 +581,13 @@ void tcp_rcv_space_adjust(struct sock *sk)
 
 	if (sysctl_tcp_moderate_rcvbuf &&
 	    !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
-		int rcvwin, rcvmem, rcvbuf;
+		int rcvmem, rcvbuf;
+		u64 rcvwin;
 
 		/* minimal window to cope with packet losses, assuming
 		 * steady state. Add some cushion because of small variations.
 		 */
-		rcvwin = (copied << 1) + 16 * tp->advmss;
+		rcvwin = ((u64)copied << 1) + 16 * tp->advmss;
 
 		/* If rate increased by 25%,
 		 *	assume slow start, rcvwin = 3 * copied
@@ -606,7 +607,8 @@ void tcp_rcv_space_adjust(struct sock *sk)
 		while (tcp_win_from_space(rcvmem) < tp->advmss)
 			rcvmem += 128;
 
-		rcvbuf = min(rcvwin / tp->advmss * rcvmem, sysctl_tcp_rmem[2]);
+		do_div(rcvwin, tp->advmss);
+		rcvbuf = min_t(u64, rcvwin * rcvmem, sysctl_tcp_rmem[2]);
 		if (rcvbuf > sk->sk_rcvbuf) {
 			sk->sk_rcvbuf = rcvbuf;
 
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index e5846d1f9b55..9b92960f024d 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1787,7 +1787,8 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 		ret = 0;
 		if (!ip6mr_new_table(net, v))
 			ret = -ENOMEM;
-		raw6_sk(sk)->ip6mr_table = v;
+		else
+			raw6_sk(sk)->ip6mr_table = v;
 		rtnl_unlock();
 		return ret;
 	}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e9a2ff863d9b..7814e5f744e6 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2779,7 +2779,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
 		if (unlikely(offset < 0))
 			goto out_free;
 	} else if (reserve) {
-		skb_push(skb, reserve);
+		skb_reserve(skb, -reserve);
 	}
 
 	/* Returns -EFAULT on error */
@@ -4199,7 +4199,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
 		    req->tp_block_size <=
-			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+		    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))