Merge 4.4.154 into android-4.4

Changes in 4.4.154
	sched/sysctl: Check user input value of sysctl_sched_time_avg
	Cipso: cipso_v4_optptr enter infinite loop
	vti6: fix PMTU caching and reporting on xmit
	xfrm: fix missing dst_release() after policy blocking lbcast and multicast
	xfrm: free skb if nlsk pointer is NULL
	mac80211: add stations tied to AP_VLANs during hw reconfig
	nl80211: Add a missing break in parse_station_flags
	drm/bridge: adv7511: Reset registers on hotplug
	scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
	drm/imx: imx-ldb: disable LDB on driver bind
	drm/imx: imx-ldb: check if channel is enabled before printing warning
	usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
	usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
	usb/phy: fix PPC64 build errors in phy-fsl-usb.c
	tools: usb: ffs-test: Fix build on big endian systems
	usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
	tools/power turbostat: fix -S on UP systems
	net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
	qed: Fix possible race for the link state value.
	atl1c: reserve min skb headroom
	net: prevent ISA drivers from building on PPC32
	can: mpc5xxx_can: check of_iomap return before use
	i2c: davinci: Avoid zero value of CLKH
	media: staging: omap4iss: Include asm/cacheflush.h after generic includes
	bnx2x: Fix invalid memory access in rss hash config path.
	net: axienet: Fix double deregister of mdio
	fscache: Allow cancelled operations to be enqueued
	cachefiles: Fix refcounting bug in backing-file read monitoring
	cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
	selftests/ftrace: Add snapshot and tracing_on test case
	zswap: re-check zswap_is_full() after do zswap_shrink()
	tools/power turbostat: Read extended processor family from CPUID
	Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
	enic: handle mtu change for vf properly
	arc: fix build errors in arc/include/asm/delay.h
	arc: fix type warnings in arc/mm/cache.c
	drivers: net: lmc: fix case value for target abort error
	scsi: fcoe: drop frames in ELS LOGO error path
	scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
	mm/memory.c: check return value of ioremap_prot
	cifs: add missing debug entries for kconfig options
	cifs: check kmalloc before use
	smb3: Do not send SMB3 SET_INFO if nothing changed
	smb3: don't request leases in symlink creation and query
	btrfs: don't leak ret from do_chunk_alloc
	s390/kvm: fix deadlock when killed by oom
	ext4: check for NUL characters in extended attribute's name
	ext4: sysfs: print ext4_super_block fields as little-endian
	ext4: reset error code in ext4_find_entry in fallback
	arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
	KVM: arm/arm64: Skip updating PTE entry if no change
	KVM: arm/arm64: Skip updating PMD entry if no change
	x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
	x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
	x86/speculation/l1tf: Suggest what to do on systems with too much RAM
	x86/process: Re-export start_thread()
	fuse: Don't access pipe->buffers without pipe_lock()
	fuse: fix double request_end()
	fuse: fix unlocked access to processing queue
	fuse: umount should wait for all requests
	fuse: Fix oops at process_init_reply()
	fuse: Add missed unlock_page() to fuse_readpages_fill()
	udl-kms: change down_interruptible to down
	udl-kms: handle allocation failure
	udl-kms: fix crash due to uninitialized memory
	ASoC: dpcm: don't merge format from invalid codec dai
	ASoC: sirf: Fix potential NULL pointer dereference
	pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
	x86/irqflags: Mark native_restore_fl extern inline
	x86/spectre: Add missing family 6 check to microcode check
	s390: fix br_r1_trampoline for machines without exrl
	s390/qdio: reset old sbal_state flags
	s390/pci: fix out of bounds access during irq setup
	kprobes: Make list and blacklist root user read only
	MIPS: Correct the 64-bit DSP accumulator register size
	MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
	scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
	scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
	iscsi target: fix session creation failure handling
	cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
	Linux 4.4.154

Change-Id: Ia008eef23c91fbd095f7b3343737cb2864875c52
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

7 files changed, 31 insertions, 13 deletions

diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index d730a0f68f46..a0443d40d677 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff *skb)
 	caifd = caif_get(skb->dev);
 
 	WARN_ON(caifd == NULL);
-	if (caifd == NULL)
+	if (!caifd) {
+		rcu_read_unlock();
 		return;
+	}
 
 	caifd_hold(caifd);
 	rcu_read_unlock();
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 5f3b81941a6f..5169b9b36b6a 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1593,9 +1593,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
 	int taglen;
 
 	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
-		if (optptr[0] == IPOPT_CIPSO)
+		switch (optptr[0]) {
+		case IPOPT_CIPSO:
 			return optptr;
-		taglen = optptr[1];
+		case IPOPT_END:
+			return NULL;
+		case IPOPT_NOOP:
+			taglen = 1;
+			break;
+		default:
+			taglen = optptr[1];
+		}
 		optlen -= taglen;
 		optptr += taglen;
 	}
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index b8bf123f7f79..060862a6f2f2 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -469,10 +469,6 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
 		goto tx_err_dst_release;
 	}
 
-	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
-	skb_dst_set(skb, dst);
-	skb->dev = skb_dst(skb)->dev;
-
 	mtu = dst_mtu(dst);
 	if (!skb->ignore_df && skb->len > mtu) {
 		skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
@@ -487,9 +483,14 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
 				  htonl(mtu));
 		}
 
-		return -EMSGSIZE;
+		err = -EMSGSIZE;
+		goto tx_err_dst_release;
 	}
 
+	skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+	skb_dst_set(skb, dst);
+	skb->dev = skb_dst(skb)->dev;
+
 	err = dst_output(t->net, skb->sk, skb);
 	if (net_xmit_eval(err) == 0) {
 		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index ec26a84b00e2..2214c77d4172 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2006,7 +2006,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
 		if (!sta->uploaded)
 			continue;
 
-		if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
+		if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
+		    sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
 			continue;
 
 		for (state = IEEE80211_STA_NOTEXIST;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f20aa7c2c9c2..fc92c8e47743 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3578,6 +3578,7 @@ static int parse_station_flags(struct genl_info *info,
 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
 					 BIT(NL80211_STA_FLAG_MFP) |
 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
+		break;
 	default:
 		return -EINVAL;
 	}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6173a55af214..4615138b104f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2327,6 +2327,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
 	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 		return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+	if (IS_ERR(dst))
+		dst_release(dst_orig);
+
 	return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 8efc7c39275d..ee6037dd0a1c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -988,10 +988,12 @@ static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline size_t xfrm_spdinfo_msgsize(void)