Merge android-4.4.185 (14e1196) into msm-4.4

* refs/heads/tmp-14e1196
  ANDROID: Communicates LMK events to userland where they can be logged
  Linux 4.4.185
  dmaengine: imx-sdma: remove BD_INTR for channel0
  KVM: x86: degrade WARN to pr_warn_ratelimited
  arm64, vdso: Define vdso_{start,end} as array
  ARC: handle gcc generated __builtin_trap for older compiler
  tty: rocket: fix incorrect forward declaration of 'rp_init()'
  btrfs: Ensure replaced device doesn't have pending chunk allocation
  lib/mpi: Fix karactx leak in mpi_powm
  ALSA: usb-audio: fix sign unintended sign extension on left shifts
  ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
  ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
  crypto: user - prevent operating on larval algorithms
  ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
  MIPS: Workaround GCC __builtin_unreachable reordering bug
  bug.h: work around GCC PR82365 in BUG()
  swiotlb: Make linux/swiotlb.h standalone includible
  mfd: omap-usb-tll: Fix register offsets
  MIPS: math-emu: do not use bools for arithmetic
  ARC: fix build warning in elf.h
  ARC: Assume multiplier is always present
  scsi: hpsa: correct ioaccel2 chaining
  usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
  usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
  ASoC: max98090: remove 24-bit format support if RJ is 0
  spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
  ASoC : cs4265 : readable register too low
  um: Compile with modern headers
  Bluetooth: Fix faulty expression for minimum encryption key size check
  net: check before dereferencing netdev_ops during busy poll
  bonding: Always enable vlan tx offload
  ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
  team: Always enable vlan tx offload
  tipc: check msg->req data len in tipc_nl_compat_bearer_disable
  tipc: change to use register_pernet_device
  sctp: change to hold sk after auth shkey is created successfully
  cpu/speculation: Warn on unsupported mitigations= parameter
  x86/speculation: Allow guests to use SSBD even if host does not
  ovl: modify ovl_permission() to do checks on two inodes
  KVM: X86: Fix scan ioapic use-before-initialization
  net/9p: include trans_common.h to fix missing prototype warning.
  9p: p9dirent_read: check network-provided name length
  9p/rdma: remove useless check in cm_event_handler
  9p: acl: fix uninitialized iattr access
  9p/rdma: do not disconnect on down_interruptible EAGAIN
  perf help: Remove needless use of strncpy()
  perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
  mac80211: drop robust management frames from unknown TA
  cfg80211: fix memory leak of wiphy device name
  SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
  Bluetooth: Fix regression with minimum encryption key size alignment
  Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
  ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
  can: purge socket error queue on sock destruct
  can: flexcan: fix timeout when set small bitrate
  btrfs: start readahead also in seed devices
  Btrfs: fix race between readahead and device replace/removal
  hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
  s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
  scsi: ufs: Check that space was properly alloced in copy_query_response
  scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
  sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD
  net: hns: Fix loopback test failed at copper ports
  MIPS: uprobes: remove set but not used variable 'epc'
  IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
  parisc: Fix compiler warnings in float emulation code
  parport: Fix mem leak in parport_register_dev_model
  apparmor: enforce nullbyte at end of tag string
  Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
  usb: chipidea: udc: workaround for endpoint conflict issue
  gcc-9: silence 'address-of-packed-member' warning
  tracing: Silence GCC 9 array bounds warning
  scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
  mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
  fs/binfmt_flat.c: make load_flat_shared_library() work
  ANDROID: Fixes to locking around handle_lmk_event
  ANDROID: Avoid taking multiple locks in handle_lmk_event

Side effects from the commit "ANDROID: Communicates LMK events to userland
where they can be logged" is addressed here, so picking this commit which
ignored from 4.4.180 merge.

Conflicts:
	drivers/staging/android/lowmemorykiller.c

Change-Id: I1156dc21d0f35e74e86d2ad202f99b7bc173b874
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

12 files changed, 80 insertions, 28 deletions

diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 7f1b45c082c9..ed1e39ccaebf 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
 	if (ret) {
 		p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
 		trace_9p_protocol_dump(clnt, &fake_pdu);
-		goto out;
+		return ret;
 	}
 
-	strcpy(dirent->d_name, nameptr);
+	ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
+	if (ret < 0) {
+		p9_debug(P9_DEBUG_ERROR,
+			 "On the wire dirent name too long: %s\n",
+			 nameptr);
+		kfree(nameptr);
+		return ret;
+	}
 	kfree(nameptr);
 
-out:
 	return fake_pdu.offset;
 }
 EXPORT_SYMBOL(p9dirent_read);
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index 38aa6345bdfa..9c0c894b56f8 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -14,6 +14,7 @@
 
 #include <linux/mm.h>
 #include <linux/module.h>
+#include "trans_common.h"
 
 /**
  *  p9_release_req_pages - Release pages after the transaction.
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index f42550dd3560..83d2e7722ebf 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -255,8 +255,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
 	case RDMA_CM_EVENT_DISCONNECTED:
 		if (rdma)
 			rdma->state = P9_RDMA_CLOSED;
-		if (c)
-			c->status = Disconnected;
+		c->status = Disconnected;
 		break;
 
 	case RDMA_CM_EVENT_TIMEWAIT_EXIT:
@@ -476,7 +475,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
 
 	err = post_recv(client, rpl_context);
 	if (err) {
-		p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
+		p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
 		goto recv_error;
 	}
 	/* remove posted receive buffer from request structure */
@@ -544,7 +543,7 @@ dont_need_post_recv:
  recv_error:
 	kfree(rpl_context);
 	spin_lock_irqsave(&rdma->req_lock, flags);
-	if (rdma->state < P9_RDMA_CLOSING) {
+	if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
 		rdma->state = P9_RDMA_CLOSING;
 		spin_unlock_irqrestore(&rdma->req_lock, flags);
 		rdma_disconnect(rdma->cm_id);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1588d913c7a0..211c2599ab96 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1293,8 +1293,16 @@ auth:
 		return 0;
 
 encrypt:
-	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
+		/* Ensure that the encryption key size has been read,
+		 * otherwise stall the upper layer responses.
+		 */
+		if (!conn->enc_key_size)
+			return 0;
+
+		/* Nothing else needed, all requirements are met */
 		return 1;
+	}
 
 	hci_conn_encrypt(conn);
 	return 0;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 86d7b9fb5543..ad00753adef7 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1329,6 +1329,21 @@ static void l2cap_request_info(struct l2cap_conn *conn)
 		       sizeof(req), &req);
 }
 
+static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
+{
+	/* The minimum encryption key size needs to be enforced by the
+	 * host stack before establishing any L2CAP connections. The
+	 * specification in theory allows a minimum of 1, but to align
+	 * BR/EDR and LE transports, a minimum of 7 is chosen.
+	 *
+	 * This check might also be called for unencrypted connections
+	 * that have no key size requirements. Ensure that the link is
+	 * actually encrypted before enforcing a key size.
+	 */
+	return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
+		hcon->enc_key_size >= HCI_MIN_ENC_KEY_SIZE);
+}
+
 static void l2cap_do_start(struct l2cap_chan *chan)
 {
 	struct l2cap_conn *conn = chan->conn;
@@ -1346,9 +1361,14 @@ static void l2cap_do_start(struct l2cap_chan *chan)
 	if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
 		return;
 
-	if (l2cap_chan_check_security(chan, true) &&
-	    __l2cap_no_conn_pending(chan))
+	if (!l2cap_chan_check_security(chan, true) ||
+	    !__l2cap_no_conn_pending(chan))
+		return;
+
+	if (l2cap_check_enc_key_size(conn->hcon))
 		l2cap_start_connection(chan);
+	else
+		__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
 }
 
 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
@@ -1427,7 +1447,10 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
 				continue;
 			}
 
-			l2cap_start_connection(chan);
+			if (l2cap_check_enc_key_size(conn->hcon))
+				l2cap_start_connection(chan);
+			else
+				l2cap_chan_close(chan, ECONNREFUSED);
 
 		} else if (chan->state == BT_CONNECT2) {
 			struct l2cap_conn_rsp rsp;
@@ -7433,7 +7456,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 		}
 
 		if (chan->state == BT_CONNECT) {
-			if (!status)
+			if (!status && l2cap_check_enc_key_size(hcon))
 				l2cap_start_connection(chan);
 			else
 				__set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
@@ -7442,7 +7465,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 			struct l2cap_conn_rsp rsp;
 			__u16 res, stat;
 
-			if (!status) {
+			if (!status && l2cap_check_enc_key_size(hcon)) {
 				if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
 					res = L2CAP_CR_PEND;
 					stat = L2CAP_CS_AUTHOR_PEND;
diff --git a/net/can/af_can.c b/net/can/af_can.c
index c866e761651a..b06ab2f05991 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -113,6 +113,7 @@ EXPORT_SYMBOL(can_ioctl);
 static void can_sock_destruct(struct sock *sk)
 {
 	skb_queue_purge(&sk->sk_receive_queue);
+	skb_queue_purge(&sk->sk_error_queue);
 }
 
 static const struct can_proto *can_get_proto(int protocol)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 69e1a11f4ca8..01f8d24f3af7 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -195,7 +195,7 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
 		}
 		sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
 				     iph->saddr, iph->daddr,
-				     skb->dev->ifindex);
+				     dif);
 	}
 out:
 	read_unlock(&raw_v4_hashinfo.lock);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index a26f55f86129..6676b413d049 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3325,6 +3325,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
 	case NL80211_IFTYPE_STATION:
 		if (!bssid && !sdata->u.mgd.use_4addr)
 			return false;
+		if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
+			return false;
 		if (multicast)
 			return true;
 		return ether_addr_equal(sdata->vif.addr, hdr->addr1);
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 9da76ba4d10f..3550f0784306 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -126,10 +126,6 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
 	/* Initialize the bind addr area */
 	sctp_bind_addr_init(&ep->base.bind_addr, 0);
 
-	/* Remember who we are attached to.  */
-	ep->base.sk = sk;
-	sock_hold(ep->base.sk);
-
 	/* Create the lists of associations.  */
 	INIT_LIST_HEAD(&ep->asocs);
 
@@ -165,6 +161,10 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
 	ep->auth_hmacs_list = auth_hmacs;
 	ep->auth_chunk_list = auth_chunks;
 
+	/* Remember who we are attached to.  */
+	ep->base.sk = sk;
+	sock_hold(ep->base.sk);
+
 	return ep;
 
 nomem_hmacs:
diff --git a/net/tipc/core.c b/net/tipc/core.c
index c306e9bc1621..35b376f58f21 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -129,7 +129,7 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_sysctl;
 
-	err = register_pernet_subsys(&tipc_net_ops);
+	err = register_pernet_device(&tipc_net_ops);
 	if (err)
 		goto out_pernet;
 
@@ -137,7 +137,7 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_socket;
 
-	err = register_pernet_subsys(&tipc_topsrv_net_ops);
+	err = register_pernet_device(&tipc_topsrv_net_ops);
 	if (err)
 		goto out_pernet_topsrv;
 
@@ -148,11 +148,11 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
-	unregister_pernet_subsys(&tipc_topsrv_net_ops);
+	unregister_pernet_device(&tipc_topsrv_net_ops);
 out_pernet_topsrv:
 	tipc_socket_stop();
 out_socket:
-	unregister_pernet_subsys(&tipc_net_ops);
+	unregister_pernet_device(&tipc_net_ops);
 out_pernet:
 	tipc_unregister_sysctl();
 out_sysctl:
@@ -167,9 +167,9 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
-	unregister_pernet_subsys(&tipc_topsrv_net_ops);
+	unregister_pernet_device(&tipc_topsrv_net_ops);
 	tipc_socket_stop();
-	unregister_pernet_subsys(&tipc_net_ops);
+	unregister_pernet_device(&tipc_net_ops);
 	tipc_netlink_stop();
 	tipc_netlink_compat_stop();
 	tipc_unregister_sysctl();
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 8400211537a2..9a65664f749c 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -430,7 +430,11 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
 	if (!bearer)
 		return -EMSGSIZE;
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_BEARER_NAME);
 	if (!string_is_valid(name, len))
 		return -EINVAL;
 
@@ -505,7 +509,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 
 	name = (char *)TLV_DATA(msg->req);
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_BEARER_NAME);
 	if (!string_is_valid(name, len))
 		return -EINVAL;
 
@@ -776,7 +784,11 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
 	if (!link)
 		return -EMSGSIZE;
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_BEARER_NAME);
 	if (!string_is_valid(name, len))
 		return -EINVAL;
 
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 27d5fadddf97..eafc34b27013 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -450,7 +450,7 @@ use_default_name:
 				   &rdev->rfkill_ops, rdev);
 
 	if (!rdev->rfkill) {
-		kfree(rdev);
+		wiphy_free(&rdev->wiphy);
 		return NULL;
 	}