Merge android-4.4.154 (d762e28) into msm-4.4

* refs/heads/tmp-d762e28
  Linux 4.4.154
  cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
  iscsi target: fix session creation failure handling
  scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
  scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
  MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
  MIPS: Correct the 64-bit DSP accumulator register size
  kprobes: Make list and blacklist root user read only
  s390/pci: fix out of bounds access during irq setup
  s390/qdio: reset old sbal_state flags
  s390: fix br_r1_trampoline for machines without exrl
  x86/spectre: Add missing family 6 check to microcode check
  x86/irqflags: Mark native_restore_fl extern inline
  pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
  ASoC: sirf: Fix potential NULL pointer dereference
  ASoC: dpcm: don't merge format from invalid codec dai
  udl-kms: fix crash due to uninitialized memory
  udl-kms: handle allocation failure
  udl-kms: change down_interruptible to down
  fuse: Add missed unlock_page() to fuse_readpages_fill()
  fuse: Fix oops at process_init_reply()
  fuse: umount should wait for all requests
  fuse: fix unlocked access to processing queue
  fuse: fix double request_end()
  fuse: Don't access pipe->buffers without pipe_lock()
  x86/process: Re-export start_thread()
  x86/speculation/l1tf: Suggest what to do on systems with too much RAM
  x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
  x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
  KVM: arm/arm64: Skip updating PMD entry if no change
  KVM: arm/arm64: Skip updating PTE entry if no change
  arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
  ext4: reset error code in ext4_find_entry in fallback
  ext4: sysfs: print ext4_super_block fields as little-endian
  ext4: check for NUL characters in extended attribute's name
  s390/kvm: fix deadlock when killed by oom
  btrfs: don't leak ret from do_chunk_alloc
  smb3: don't request leases in symlink creation and query
  smb3: Do not send SMB3 SET_INFO if nothing changed
  cifs: check kmalloc before use
  cifs: add missing debug entries for kconfig options
  mm/memory.c: check return value of ioremap_prot
  scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
  scsi: fcoe: drop frames in ELS LOGO error path
  drivers: net: lmc: fix case value for target abort error
  arc: fix type warnings in arc/mm/cache.c
  arc: fix build errors in arc/include/asm/delay.h
  enic: handle mtu change for vf properly
  Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
  tools/power turbostat: Read extended processor family from CPUID
  zswap: re-check zswap_is_full() after do zswap_shrink()
  selftests/ftrace: Add snapshot and tracing_on test case
  cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
  cachefiles: Fix refcounting bug in backing-file read monitoring
  fscache: Allow cancelled operations to be enqueued
  net: axienet: Fix double deregister of mdio
  bnx2x: Fix invalid memory access in rss hash config path.
  media: staging: omap4iss: Include asm/cacheflush.h after generic includes
  i2c: davinci: Avoid zero value of CLKH
  can: mpc5xxx_can: check of_iomap return before use
  net: prevent ISA drivers from building on PPC32
  atl1c: reserve min skb headroom
  qed: Fix possible race for the link state value.
  net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
  tools/power turbostat: fix -S on UP systems
  usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
  tools: usb: ffs-test: Fix build on big endian systems
  usb/phy: fix PPC64 build errors in phy-fsl-usb.c
  usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
  usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
  drm/imx: imx-ldb: check if channel is enabled before printing warning
  drm/imx: imx-ldb: disable LDB on driver bind
  scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
  drm/bridge: adv7511: Reset registers on hotplug
  nl80211: Add a missing break in parse_station_flags
  mac80211: add stations tied to AP_VLANs during hw reconfig
  xfrm: free skb if nlsk pointer is NULL
  xfrm: fix missing dst_release() after policy blocking lbcast and multicast
  vti6: fix PMTU caching and reporting on xmit
  Cipso: cipso_v4_optptr enter infinite loop
  sched/sysctl: Check user input value of sysctl_sched_time_avg
  BACKPORT: zram: drop max_zpage_size and use zs_huge_class_size()
  BACKPORT: zsmalloc: introduce zs_huge_class_size()
  ANDROID: tracing: fix race condition reading saved tgids

Conflicts:
	mm/zsmalloc.c

Change-Id: I1add2f0311c887c135ddc6160963702beeb7bb88
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

7 files changed, 31 insertions, 13 deletions

diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index d730a0f68f46..a0443d40d677 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff *skb)
 	caifd = caif_get(skb->dev);
 
 	WARN_ON(caifd == NULL);
-	if (caifd == NULL)
+	if (!caifd) {
+		rcu_read_unlock();
 		return;
+	}
 
 	caifd_hold(caifd);
 	rcu_read_unlock();
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 5f3b81941a6f..5169b9b36b6a 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1593,9 +1593,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
 	int taglen;
 
 	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
-		if (optptr[0] == IPOPT_CIPSO)
+		switch (optptr[0]) {
+		case IPOPT_CIPSO:
 			return optptr;
-		taglen = optptr[1];
+		case IPOPT_END:
+			return NULL;
+		case IPOPT_NOOP:
+			taglen = 1;
+			break;
+		default:
+			taglen = optptr[1];
+		}
 		optlen -= taglen;
 		optptr += taglen;
 	}
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index b8bf123f7f79..060862a6f2f2 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -469,10 +469,6 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
 		goto tx_err_dst_release;
 	}
 
-	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
-	skb_dst_set(skb, dst);
-	skb->dev = skb_dst(skb)->dev;
-
 	mtu = dst_mtu(dst);
 	if (!skb->ignore_df && skb->len > mtu) {
 		skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
@@ -487,9 +483,14 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
 				  htonl(mtu));
 		}
 
-		return -EMSGSIZE;
+		err = -EMSGSIZE;
+		goto tx_err_dst_release;
 	}
 
+	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+	skb_dst_set(skb, dst);
+	skb->dev = skb_dst(skb)->dev;
+
 	err = dst_output(t->net, skb->sk, skb);
 	if (net_xmit_eval(err) == 0) {
 		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index f4b9f97af092..c8cc9bd7cac1 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2006,7 +2006,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
 		if (!sta->uploaded)
 			continue;
 
-		if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
+		if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
+		    sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
 			continue;
 
 		for (state = IEEE80211_STA_NOTEXIST;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c0bdd8fb4c8d..0a13d55cb4d3 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3998,6 +3998,7 @@ static int parse_station_flags(struct genl_info *info,
 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
 					 BIT(NL80211_STA_FLAG_MFP) |
 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
+		break;
 	default:
 		return -EINVAL;
 	}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6173a55af214..4615138b104f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2327,6 +2327,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
 	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 		return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+	if (IS_ERR(dst))
+		dst_release(dst_orig);
+
 	return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 8efc7c39275d..ee6037dd0a1c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -988,10 +988,12 @@ static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline size_t xfrm_spdinfo_msgsize(void)