Merge android-4.4.106 (2fea039) into msm-4.4

* refs/heads/tmp-2fea039
  Linux 4.4.106
  usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
  arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
  Revert "x86/efi: Hoist page table switching code into efi_call_virt()"
  Revert "x86/efi: Build our own page table structures"
  net/packet: fix a race in packet_bind() and packet_notifier()
  packet: fix crash in fanout_demux_rollover()
  sit: update frag_off info
  rds: Fix NULL pointer dereference in __rds_rdma_map
  tipc: fix memory leak in tipc_accept_from_sock()
  more bio_map_user_iov() leak fixes
  s390: always save and restore all registers on context switch
  ipmi: Stop timers before cleaning up the module
  audit: ensure that 'audit=1' actually enables audit for PID 1
  ipvlan: fix ipv6 outbound device
  afs: Connect up the CB.ProbeUuid
  IB/mlx5: Assign send CQ and recv CQ of UMR QP
  IB/mlx4: Increase maximal message size under UD QP
  xfrm: Copy policy family in clone_policy
  jump_label: Invoke jump_label_test() via early_initcall()
  atm: horizon: Fix irq release error
  sctp: use the right sk after waking up from wait_buf sleep
  sctp: do not free asoc when it is already dead in sctp_sendmsg
  sparc64/mm: set fields in deferred pages
  block: wake up all tasks blocked in get_request()
  sunrpc: Fix rpc_task_begin trace point
  NFS: Fix a typo in nfs_rename()
  dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  lib/genalloc.c: make the avail variable an atomic_long_t
  route: update fnhe_expires for redirect when the fnhe exists
  route: also update fnhe_genid when updating a route cache
  mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  kbuild: pkg: use --transform option to prefix paths in tar
  EDAC, i5000, i5400: Fix definition of NRECMEMB register
  EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
  powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
  drm/amd/amdgpu: fix console deadlock if late init failed
  axonram: Fix gendisk handling
  netfilter: don't track fragmented packets
  zram: set physical queue limits to avoid array out of bounds accesses
  i2c: riic: fix restart condition
  crypto: s5p-sss - Fix completing crypto request in IRQ handler
  ipv6: reorder icmpv6_init() and ip6_mr_init()
  bnx2x: do not rollback VF MAC/VLAN filters we did not configure
  bnx2x: fix possible overrun of VFPF multicast addresses array
  bnx2x: prevent crash when accessing PTP with interface down
  spi_ks8995: fix "BUG: key accdaa28 not in .data!"
  arm64: KVM: Survive unknown traps from guests
  arm: KVM: Survive unknown traps from guests
  KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
  irqchip/crossbar: Fix incorrect type of register size
  scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
  libata: drop WARN from protocol error in ata_sff_qc_issue()
  kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
  USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
  usb: gadget: configs: plug memory leak
  HID: chicony: Add support for another ASUS Zen AiO keyboard
  gpio: altera: Use handle_level_irq when configured as a level_high
  ARM: OMAP2+: Release device node after it is no longer needed.
  ARM: OMAP2+: Fix device node reference counts
  module: set __jump_table alignment to 8
  selftest/powerpc: Fix false failures for skipped tests
  x86/hpet: Prevent might sleep splat on resume
  ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
  vti6: Don't report path MTU below IPV6_MIN_MTU.
  Revert "s390/kbuild: enable modversions for symbols exported from asm"
  Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
  Revert "drm/armada: Fix compile fail"
  mm: drop unused pmdp_huge_get_and_clear_notify()
  thp: fix MADV_DONTNEED vs. numa balancing race
  thp: reduce indentation level in change_huge_pmd()
  scsi: storvsc: Workaround for virtual DVD SCSI version
  ARM: avoid faulting on qemu
  ARM: BUG if jumping to usermode address in kernel mode
  arm64: fpsimd: Prevent registers leaking from dead tasks
  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
  arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  media: dvb: i2c transfers over usb cannot be done from stack
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  drm: extra printk() wrapper macros
  kdb: Fix handling of kallsyms_symbol_next() return value
  s390: fix compat system call table
  iommu/vt-d: Fix scatterlist offset handling
  ALSA: usb-audio: Add check return value for usb_string()
  ALSA: usb-audio: Fix out-of-bound error
  ALSA: seq: Remove spurious WARN_ON() at timer check
  ALSA: pcm: prevent UAF in snd_pcm_info
  x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  X.509: reject invalid BIT STRING for subjectPublicKey
  ASN.1: check for error from ASN1_OP_END__ACT actions
  ASN.1: fix out-of-bounds read when parsing indefinite length item
  efi: Move some sysfs files to be read-only by root
  scsi: libsas: align sata_device's rps_resp on a cacheline
  isa: Prevent NULL dereference in isa_bus driver callbacks
  hv: kvp: Avoid reading past allocated blocks from KVP file
  virtio: release virtio index when fail to device_register
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: ratelimit errors if incomplete messages are received
  can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  can: kvaser_usb: free buf in error paths
  can: ti_hecc: Fix napi poll return value for repoll
  BACKPORT: irq: Make the irqentry text section unconditional
  UPSTREAM: arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections
  UPSTREAM: x86, kasan, ftrace: Put APIC interrupt handlers into .irqentry.text
  UPSTREAM: kasan: make get_wild_bug_type() static
  UPSTREAM: kasan: separate report parts by empty lines
  UPSTREAM: kasan: improve double-free report format
  UPSTREAM: kasan: print page description after stacks
  UPSTREAM: kasan: improve slab object description
  UPSTREAM: kasan: change report header
  UPSTREAM: kasan: simplify address description logic
  UPSTREAM: kasan: change allocation and freeing stack traces headers
  UPSTREAM: kasan: unify report headers
  UPSTREAM: kasan: introduce helper functions for determining bug type
  BACKPORT: kasan: report only the first error by default
  UPSTREAM: kasan: fix races in quarantine_remove_cache()
  UPSTREAM: kasan: resched in quarantine_remove_cache()
  BACKPORT: kasan, sched/headers: Uninline kasan_enable/disable_current()
  BACKPORT: kasan: drain quarantine of memcg slab objects
  UPSTREAM: kasan: eliminate long stalls during quarantine reduction
  UPSTREAM: kasan: support panic_on_warn
  UPSTREAM: x86/suspend: fix false positive KASAN warning on suspend/resume
  UPSTREAM: kasan: support use-after-scope detection
  UPSTREAM: kasan/tests: add tests for user memory access functions
  UPSTREAM: mm, kasan: add a ksize() test
  UPSTREAM: kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2
  UPSTREAM: kasan: modify kmalloc_large_oob_right(), add kmalloc_pagealloc_oob_right()
  UPSTREAM: lib/stackdepot: export save/fetch stack for drivers
  UPSTREAM: lib/stackdepot.c: bump stackdepot capacity from 16MB to 128MB
  BACKPORT: kprobes: Unpoison stack in jprobe_return() for KASAN
  UPSTREAM: kasan: remove the unnecessary WARN_ONCE from quarantine.c
  UPSTREAM: kasan: avoid overflowing quarantine size on low memory systems
  UPSTREAM: kasan: improve double-free reports
  BACKPORT: mm: coalesce split strings
  BACKPORT: mm/kasan: get rid of ->state in struct kasan_alloc_meta
  UPSTREAM: mm/kasan: get rid of ->alloc_size in struct kasan_alloc_meta
  UPSTREAM: mm: kasan: remove unused 'reserved' field from struct kasan_alloc_meta
  UPSTREAM: mm/kasan, slub: don't disable interrupts when object leaves quarantine
  UPSTREAM: mm/kasan: don't reduce quarantine in atomic contexts
  UPSTREAM: mm/kasan: fix corruptions and false positive reports
  UPSTREAM: lib/stackdepot.c: use __GFP_NOWARN for stack allocations
  BACKPORT: mm, kasan: switch SLUB to stackdepot, enable memory quarantine for SLUB
  UPSTREAM: kasan/quarantine: fix bugs on qlist_move_cache()
  UPSTREAM: mm: mempool: kasan: don't poot mempool objects in quarantine
  UPSTREAM: kasan: change memory hot-add error messages to info messages
  BACKPORT: mm/kasan: add API to check memory regions
  UPSTREAM: mm/kasan: print name of mem[set,cpy,move]() caller in report
  UPSTREAM: mm: kasan: initial memory quarantine implementation
  UPSTREAM: lib/stackdepot: avoid to return 0 handle
  UPSTREAM: lib/stackdepot.c: allow the stack trace hash to be zero
  UPSTREAM: mm, kasan: fix compilation for CONFIG_SLAB
  BACKPORT: mm, kasan: stackdepot implementation. Enable stackdepot for SLAB
  BACKPORT: mm, kasan: add GFP flags to KASAN API
  UPSTREAM: mm, kasan: SLAB support
  UPSTREAM: mm/slab: align cache size first before determination of OFF_SLAB candidate
  UPSTREAM: mm/slab: use more appropriate condition check for debug_pagealloc
  UPSTREAM: mm/slab: factor out debugging initialization in cache_init_objs()
  UPSTREAM: mm/slab: remove object status buffer for DEBUG_SLAB_LEAK
  UPSTREAM: mm/slab: alternative implementation for DEBUG_SLAB_LEAK
  UPSTREAM: mm/slab: clean up DEBUG_PAGEALLOC processing code
  UPSTREAM: mm/slab: activate debug_pagealloc in SLAB when it is actually enabled
  sched: EAS/WALT: Don't take into account of running task's util
  BACKPORT: schedutil: Reset cached freq if it is not in sync with next_freq
  UPSTREAM: kasan: add functions to clear stack poison

Conflicts:
	arch/arm/include/asm/kvm_arm.h
	arch/arm64/kernel/vmlinux.lds.S
	include/linux/kasan.h
	kernel/softirq.c
	lib/Kconfig
	lib/Kconfig.kasan
	lib/Makefile
	lib/stackdepot.c
	mm/kasan/kasan.c
	sound/usb/mixer.c

Change-Id: If70ced6da5f19be3dd92d10a8d8cd4d5841e5870
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

1 files changed, 59 insertions, 26 deletions

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 8f3769ec8575..d64d48ca789c 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -135,8 +135,7 @@ static void set_recommended_min_free_kbytes(void)
 
 	if (recommended_min > min_free_kbytes) {
 		if (user_min_free_kbytes >= 0)
-			pr_info("raising min_free_kbytes from %d to %lu "
-				"to help transparent hugepage allocations\n",
+			pr_info("raising min_free_kbytes from %d to %lu to help transparent hugepage allocations\n",
 				min_free_kbytes, recommended_min);
 
 		min_free_kbytes = recommended_min;
@@ -1566,35 +1565,69 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
 {
 	struct mm_struct *mm = vma->vm_mm;
 	spinlock_t *ptl;
+	pmd_t entry;
+	bool preserve_write;
+
 	int ret = 0;
 
-	if (__pmd_trans_huge_lock(pmd, vma, &ptl) == 1) {
-		pmd_t entry;
-		bool preserve_write = prot_numa && pmd_write(*pmd);
-		ret = 1;
+	if (__pmd_trans_huge_lock(pmd, vma, &ptl) != 1)
+		return 0;
 
-		/*
-		 * Avoid trapping faults against the zero page. The read-only
-		 * data is likely to be read-cached on the local CPU and
-		 * local/remote hits to the zero page are not interesting.
-		 */
-		if (prot_numa && is_huge_zero_pmd(*pmd)) {
-			spin_unlock(ptl);
-			return ret;
-		}
+	preserve_write = prot_numa && pmd_write(*pmd);
+	ret = 1;
 
-		if (!prot_numa || !pmd_protnone(*pmd)) {
-			entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
-			entry = pmd_modify(entry, newprot);
-			if (preserve_write)
-				entry = pmd_mkwrite(entry);
-			ret = HPAGE_PMD_NR;
-			set_pmd_at(mm, addr, pmd, entry);
-			BUG_ON(!preserve_write && pmd_write(entry));
-		}
-		spin_unlock(ptl);
-	}
+	/*
+	 * Avoid trapping faults against the zero page. The read-only
+	 * data is likely to be read-cached on the local CPU and
+	 * local/remote hits to the zero page are not interesting.
+	 */
+	if (prot_numa && is_huge_zero_pmd(*pmd))
+		goto unlock;
 
+	if (prot_numa && pmd_protnone(*pmd))
+		goto unlock;
+
+	/*
+	 * In case prot_numa, we are under down_read(mmap_sem). It's critical
+	 * to not clear pmd intermittently to avoid race with MADV_DONTNEED
+	 * which is also under down_read(mmap_sem):
+	 *
+	 *	CPU0:				CPU1:
+	 *				change_huge_pmd(prot_numa=1)
+	 *				 pmdp_huge_get_and_clear_notify()
+	 * madvise_dontneed()
+	 *  zap_pmd_range()
+	 *   pmd_trans_huge(*pmd) == 0 (without ptl)
+	 *   // skip the pmd
+	 *				 set_pmd_at();
+	 *				 // pmd is re-established
+	 *
+	 * The race makes MADV_DONTNEED miss the huge pmd and don't clear it
+	 * which may break userspace.
+	 *
+	 * pmdp_invalidate() is required to make sure we don't miss
+	 * dirty/young flags set by hardware.
+	 */
+	entry = *pmd;
+	pmdp_invalidate(vma, addr, pmd);
+
+	/*
+	 * Recover dirty/young flags.  It relies on pmdp_invalidate to not
+	 * corrupt them.
+	 */
+	if (pmd_dirty(*pmd))
+		entry = pmd_mkdirty(entry);
+	if (pmd_young(*pmd))
+		entry = pmd_mkyoung(entry);
+
+	entry = pmd_modify(entry, newprot);
+	if (preserve_write)
+		entry = pmd_mkwrite(entry);
+	ret = HPAGE_PMD_NR;
+	set_pmd_at(mm, addr, pmd, entry);
+	BUG_ON(!preserve_write && pmd_write(entry));
+unlock:
+	spin_unlock(ptl);
 	return ret;
 }