Merge 4.4.210 into android-4.4-p

Changes in 4.4.210
	kobject: Export kobject_get_unless_zero()
	chardev: Avoid potential use-after-free in 'chrdev_open()'
	usb: chipidea: host: Disable port power only if previously enabled
	ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
	kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
	tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
	HID: Fix slab-out-of-bounds read in hid_field_extract
	HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
	HID: hid-input: clear unmapped usages
	Input: add safety guards to input_set_keycode()
	drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
	can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
	can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
	can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
	staging: vt6656: set usb_set_intfdata on driver fail.
	USB: serial: option: add ZLP support for 0x1bc7/0x9010
	usb: musb: Disable pullup at init
	usb: musb: dma: Correct parameter passed to IRQ handler
	staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
	tty: link tty and port before configuring it as console
	tty: always relink the port
	mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
	mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
	scsi: bfa: release allocated memory in case of error
	rtl8xxxu: prevent leaking urb
	USB: Fix: Don't skip endpoint descriptors with maxpacket=0
	netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
	netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
	drm/i915/gen9: Clear residual context state on context switch
	Linux 4.4.210

Change-Id: I5ee00026c7108d6a3a1a2711e7413f05defc64ce
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

2 files changed, 18 insertions, 12 deletions

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index cbe630aab44a..574697326ebc 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -488,11 +488,12 @@ next:
 	return 1;
 }
 
-static inline int check_target(struct arpt_entry *e, const char *name)
+static int check_target(struct arpt_entry *e, struct net *net, const char *name)
 {
 	struct xt_entry_target *t = arpt_get_target(e);
 	int ret;
 	struct xt_tgchk_param par = {
+		.net       = net,
 		.table     = name,
 		.entryinfo = e,
 		.target    = t->u.kernel.target,
@@ -510,8 +511,9 @@ static inline int check_target(struct arpt_entry *e, const char *name)
 	return 0;
 }
 
-static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
+static int
+find_check_entry(struct arpt_entry *e, struct net *net, const char *name,
+		 unsigned int size,
 		 struct xt_percpu_counter_alloc_state *alloc_state)
 {
 	struct xt_entry_target *t;
@@ -531,7 +533,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
 	}
 	t->u.kernel.target = target;
 
-	ret = check_target(e, name);
+	ret = check_target(e, net, name);
 	if (ret)
 		goto err;
 	return 0;
@@ -632,7 +634,9 @@ static inline void cleanup_entry(struct arpt_entry *e)
 /* Checks and translates the user-supplied table segment (held in
  * newinfo).
  */
-static int translate_table(struct xt_table_info *newinfo, void *entry0,
+static int translate_table(struct net *net,
+			   struct xt_table_info *newinfo,
+			   void *entry0,
 			   const struct arpt_replace *repl)
 {
 	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
@@ -709,7 +713,7 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
 	/* Finally, each sanity check must pass */
 	i = 0;
 	xt_entry_foreach(iter, entry0, newinfo->size) {
-		ret = find_check_entry(iter, repl->name, repl->size,
+		ret = find_check_entry(iter, net, repl->name, repl->size,
 				       &alloc_state);
 		if (ret != 0)
 			break;
@@ -1114,7 +1118,7 @@ static int do_replace(struct net *net, const void __user *user,
 		goto free_newinfo;
 	}
 
-	ret = translate_table(newinfo, loc_cpu_entry, &tmp);
+	ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 
@@ -1301,7 +1305,8 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
 	}
 }
 
-static int translate_compat_table(struct xt_table_info **pinfo,
+static int translate_compat_table(struct net *net,
+				  struct xt_table_info **pinfo,
 				  void **pentry0,
 				  const struct compat_arpt_replace *compatr)
 {
@@ -1371,7 +1376,7 @@ static int translate_compat_table(struct xt_table_info **pinfo,
 	repl.num_counters = 0;
 	repl.counters = NULL;
 	repl.size = newinfo->size;
-	ret = translate_table(newinfo, entry1, &repl);
+	ret = translate_table(net, newinfo, entry1, &repl);
 	if (ret)
 		goto free_newinfo;
 
@@ -1426,7 +1431,7 @@ static int compat_do_replace(struct net *net, void __user *user,
 		goto free_newinfo;
 	}
 
-	ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
+	ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 
@@ -1696,7 +1701,7 @@ struct xt_table *arpt_register_table(struct net *net,
 	loc_cpu_entry = newinfo->entries;
 	memcpy(loc_cpu_entry, repl->entries, repl->size);
 
-	ret = translate_table(newinfo, loc_cpu_entry, repl);
+	ret = translate_table(net, newinfo, loc_cpu_entry, repl);
 	duprintf("arpt_register_table: translate table gives %d\n", ret);
 	if (ret != 0)
 		goto out_free;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index caa26184f7e3..0583e2491770 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1619,6 +1619,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
 	struct ip_set *set;
 	struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
 	int ret = 0;
+	u32 lineno;
 
 	if (unlikely(protocol_failed(attr) ||
 		     !attr[IPSET_ATTR_SETNAME] ||
@@ -1635,7 +1636,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
 		return -IPSET_ERR_PROTOCOL;
 
 	rcu_read_lock_bh();
-	ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
+	ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0);
 	rcu_read_unlock_bh();
 	/* Userspace can't trigger element to be re-added */
 	if (ret == -EAGAIN)