Merge android-4.4.106 (2fea039) into msm-4.4

* refs/heads/tmp-2fea039
  Linux 4.4.106
  usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
  arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
  Revert "x86/efi: Hoist page table switching code into efi_call_virt()"
  Revert "x86/efi: Build our own page table structures"
  net/packet: fix a race in packet_bind() and packet_notifier()
  packet: fix crash in fanout_demux_rollover()
  sit: update frag_off info
  rds: Fix NULL pointer dereference in __rds_rdma_map
  tipc: fix memory leak in tipc_accept_from_sock()
  more bio_map_user_iov() leak fixes
  s390: always save and restore all registers on context switch
  ipmi: Stop timers before cleaning up the module
  audit: ensure that 'audit=1' actually enables audit for PID 1
  ipvlan: fix ipv6 outbound device
  afs: Connect up the CB.ProbeUuid
  IB/mlx5: Assign send CQ and recv CQ of UMR QP
  IB/mlx4: Increase maximal message size under UD QP
  xfrm: Copy policy family in clone_policy
  jump_label: Invoke jump_label_test() via early_initcall()
  atm: horizon: Fix irq release error
  sctp: use the right sk after waking up from wait_buf sleep
  sctp: do not free asoc when it is already dead in sctp_sendmsg
  sparc64/mm: set fields in deferred pages
  block: wake up all tasks blocked in get_request()
  sunrpc: Fix rpc_task_begin trace point
  NFS: Fix a typo in nfs_rename()
  dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  lib/genalloc.c: make the avail variable an atomic_long_t
  route: update fnhe_expires for redirect when the fnhe exists
  route: also update fnhe_genid when updating a route cache
  mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  kbuild: pkg: use --transform option to prefix paths in tar
  EDAC, i5000, i5400: Fix definition of NRECMEMB register
  EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
  powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
  drm/amd/amdgpu: fix console deadlock if late init failed
  axonram: Fix gendisk handling
  netfilter: don't track fragmented packets
  zram: set physical queue limits to avoid array out of bounds accesses
  i2c: riic: fix restart condition
  crypto: s5p-sss - Fix completing crypto request in IRQ handler
  ipv6: reorder icmpv6_init() and ip6_mr_init()
  bnx2x: do not rollback VF MAC/VLAN filters we did not configure
  bnx2x: fix possible overrun of VFPF multicast addresses array
  bnx2x: prevent crash when accessing PTP with interface down
  spi_ks8995: fix "BUG: key accdaa28 not in .data!"
  arm64: KVM: Survive unknown traps from guests
  arm: KVM: Survive unknown traps from guests
  KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
  irqchip/crossbar: Fix incorrect type of register size
  scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
  libata: drop WARN from protocol error in ata_sff_qc_issue()
  kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
  USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
  usb: gadget: configs: plug memory leak
  HID: chicony: Add support for another ASUS Zen AiO keyboard
  gpio: altera: Use handle_level_irq when configured as a level_high
  ARM: OMAP2+: Release device node after it is no longer needed.
  ARM: OMAP2+: Fix device node reference counts
  module: set __jump_table alignment to 8
  selftest/powerpc: Fix false failures for skipped tests
  x86/hpet: Prevent might sleep splat on resume
  ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
  vti6: Don't report path MTU below IPV6_MIN_MTU.
  Revert "s390/kbuild: enable modversions for symbols exported from asm"
  Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
  Revert "drm/armada: Fix compile fail"
  mm: drop unused pmdp_huge_get_and_clear_notify()
  thp: fix MADV_DONTNEED vs. numa balancing race
  thp: reduce indentation level in change_huge_pmd()
  scsi: storvsc: Workaround for virtual DVD SCSI version
  ARM: avoid faulting on qemu
  ARM: BUG if jumping to usermode address in kernel mode
  arm64: fpsimd: Prevent registers leaking from dead tasks
  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
  arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  media: dvb: i2c transfers over usb cannot be done from stack
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  drm: extra printk() wrapper macros
  kdb: Fix handling of kallsyms_symbol_next() return value
  s390: fix compat system call table
  iommu/vt-d: Fix scatterlist offset handling
  ALSA: usb-audio: Add check return value for usb_string()
  ALSA: usb-audio: Fix out-of-bound error
  ALSA: seq: Remove spurious WARN_ON() at timer check
  ALSA: pcm: prevent UAF in snd_pcm_info
  x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  X.509: reject invalid BIT STRING for subjectPublicKey
  ASN.1: check for error from ASN1_OP_END__ACT actions
  ASN.1: fix out-of-bounds read when parsing indefinite length item
  efi: Move some sysfs files to be read-only by root
  scsi: libsas: align sata_device's rps_resp on a cacheline
  isa: Prevent NULL dereference in isa_bus driver callbacks
  hv: kvp: Avoid reading past allocated blocks from KVP file
  virtio: release virtio index when fail to device_register
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: ratelimit errors if incomplete messages are received
  can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  can: kvaser_usb: free buf in error paths
  can: ti_hecc: Fix napi poll return value for repoll
  BACKPORT: irq: Make the irqentry text section unconditional
  UPSTREAM: arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections
  UPSTREAM: x86, kasan, ftrace: Put APIC interrupt handlers into .irqentry.text
  UPSTREAM: kasan: make get_wild_bug_type() static
  UPSTREAM: kasan: separate report parts by empty lines
  UPSTREAM: kasan: improve double-free report format
  UPSTREAM: kasan: print page description after stacks
  UPSTREAM: kasan: improve slab object description
  UPSTREAM: kasan: change report header
  UPSTREAM: kasan: simplify address description logic
  UPSTREAM: kasan: change allocation and freeing stack traces headers
  UPSTREAM: kasan: unify report headers
  UPSTREAM: kasan: introduce helper functions for determining bug type
  BACKPORT: kasan: report only the first error by default
  UPSTREAM: kasan: fix races in quarantine_remove_cache()
  UPSTREAM: kasan: resched in quarantine_remove_cache()
  BACKPORT: kasan, sched/headers: Uninline kasan_enable/disable_current()
  BACKPORT: kasan: drain quarantine of memcg slab objects
  UPSTREAM: kasan: eliminate long stalls during quarantine reduction
  UPSTREAM: kasan: support panic_on_warn
  UPSTREAM: x86/suspend: fix false positive KASAN warning on suspend/resume
  UPSTREAM: kasan: support use-after-scope detection
  UPSTREAM: kasan/tests: add tests for user memory access functions
  UPSTREAM: mm, kasan: add a ksize() test
  UPSTREAM: kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2
  UPSTREAM: kasan: modify kmalloc_large_oob_right(), add kmalloc_pagealloc_oob_right()
  UPSTREAM: lib/stackdepot: export save/fetch stack for drivers
  UPSTREAM: lib/stackdepot.c: bump stackdepot capacity from 16MB to 128MB
  BACKPORT: kprobes: Unpoison stack in jprobe_return() for KASAN
  UPSTREAM: kasan: remove the unnecessary WARN_ONCE from quarantine.c
  UPSTREAM: kasan: avoid overflowing quarantine size on low memory systems
  UPSTREAM: kasan: improve double-free reports
  BACKPORT: mm: coalesce split strings
  BACKPORT: mm/kasan: get rid of ->state in struct kasan_alloc_meta
  UPSTREAM: mm/kasan: get rid of ->alloc_size in struct kasan_alloc_meta
  UPSTREAM: mm: kasan: remove unused 'reserved' field from struct kasan_alloc_meta
  UPSTREAM: mm/kasan, slub: don't disable interrupts when object leaves quarantine
  UPSTREAM: mm/kasan: don't reduce quarantine in atomic contexts
  UPSTREAM: mm/kasan: fix corruptions and false positive reports
  UPSTREAM: lib/stackdepot.c: use __GFP_NOWARN for stack allocations
  BACKPORT: mm, kasan: switch SLUB to stackdepot, enable memory quarantine for SLUB
  UPSTREAM: kasan/quarantine: fix bugs on qlist_move_cache()
  UPSTREAM: mm: mempool: kasan: don't poot mempool objects in quarantine
  UPSTREAM: kasan: change memory hot-add error messages to info messages
  BACKPORT: mm/kasan: add API to check memory regions
  UPSTREAM: mm/kasan: print name of mem[set,cpy,move]() caller in report
  UPSTREAM: mm: kasan: initial memory quarantine implementation
  UPSTREAM: lib/stackdepot: avoid to return 0 handle
  UPSTREAM: lib/stackdepot.c: allow the stack trace hash to be zero
  UPSTREAM: mm, kasan: fix compilation for CONFIG_SLAB
  BACKPORT: mm, kasan: stackdepot implementation. Enable stackdepot for SLAB
  BACKPORT: mm, kasan: add GFP flags to KASAN API
  UPSTREAM: mm, kasan: SLAB support
  UPSTREAM: mm/slab: align cache size first before determination of OFF_SLAB candidate
  UPSTREAM: mm/slab: use more appropriate condition check for debug_pagealloc
  UPSTREAM: mm/slab: factor out debugging initialization in cache_init_objs()
  UPSTREAM: mm/slab: remove object status buffer for DEBUG_SLAB_LEAK
  UPSTREAM: mm/slab: alternative implementation for DEBUG_SLAB_LEAK
  UPSTREAM: mm/slab: clean up DEBUG_PAGEALLOC processing code
  UPSTREAM: mm/slab: activate debug_pagealloc in SLAB when it is actually enabled
  sched: EAS/WALT: Don't take into account of running task's util
  BACKPORT: schedutil: Reset cached freq if it is not in sync with next_freq
  UPSTREAM: kasan: add functions to clear stack poison

Conflicts:
	arch/arm/include/asm/kvm_arm.h
	arch/arm64/kernel/vmlinux.lds.S
	include/linux/kasan.h
	kernel/softirq.c
	lib/Kconfig
	lib/Kconfig.kasan
	lib/Makefile
	lib/stackdepot.c
	mm/kasan/kasan.c
	sound/usb/mixer.c

Change-Id: If70ced6da5f19be3dd92d10a8d8cd4d5841e5870
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

1 files changed, 204 insertions, 58 deletions

diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index b4e31f78ae69..04bb1d3eb9ec 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -13,12 +13,15 @@
  *
  */
 
+#include <linux/bitops.h>
 #include <linux/ftrace.h>
+#include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/printk.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
+#include <linux/stackdepot.h>
 #include <linux/stacktrace.h>
 #include <linux/string.h>
 #include <linux/types.h>
@@ -48,7 +51,13 @@ static const void *find_first_bad_addr(const void *addr, size_t size)
 	return first_bad_addr;
 }
 
-static void print_error_description(struct kasan_access_info *info)
+static bool addr_has_shadow(struct kasan_access_info *info)
+{
+	return (info->access_addr >=
+		kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
+}
+
+static const char *get_shadow_bug_type(struct kasan_access_info *info)
 {
 	const char *bug_type = "unknown-crash";
 	u8 *shadow_addr;
@@ -90,14 +99,44 @@ static void print_error_description(struct kasan_access_info *info)
 	case KASAN_KMALLOC_FREE:
 		bug_type = "use-after-free";
 		break;
+	case KASAN_USE_AFTER_SCOPE:
+		bug_type = "use-after-scope";
+		break;
 	}
 
-	pr_err("BUG: KASAN: %s in %pS at addr %p\n",
-		bug_type, (void *)info->ip,
-		info->access_addr);
-	pr_err("%s of size %zu by task %s/%d\n",
-		info->is_write ? "Write" : "Read",
-		info->access_size, current->comm, task_pid_nr(current));
+	return bug_type;
+}
+
+static const char *get_wild_bug_type(struct kasan_access_info *info)
+{
+	const char *bug_type = "unknown-crash";
+
+	if ((unsigned long)info->access_addr < PAGE_SIZE)
+		bug_type = "null-ptr-deref";
+	else if ((unsigned long)info->access_addr < TASK_SIZE)
+		bug_type = "user-memory-access";
+	else
+		bug_type = "wild-memory-access";
+
+	return bug_type;
+}
+
+static const char *get_bug_type(struct kasan_access_info *info)
+{
+	if (addr_has_shadow(info))
+		return get_shadow_bug_type(info);
+	return get_wild_bug_type(info);
+}
+
+static void print_error_description(struct kasan_access_info *info)
+{
+	const char *bug_type = get_bug_type(info);
+
+	pr_err("BUG: KASAN: %s in %pS\n",
+		bug_type, (void *)info->ip);
+	pr_err("%s of size %zu at addr %p by task %s/%d\n",
+		info->is_write ? "Write" : "Read", info->access_size,
+		info->access_addr, current->comm, task_pid_nr(current));
 }
 
 static inline bool kernel_or_module_addr(const void *addr)
@@ -116,39 +155,119 @@ static inline bool init_task_stack_addr(const void *addr)
 			sizeof(init_thread_union.stack));
 }
 
-static void print_address_description(struct kasan_access_info *info)
+static DEFINE_SPINLOCK(report_lock);
+
+static void kasan_start_report(unsigned long *flags)
+{
+	/*
+	 * Make sure we don't end up in loop.
+	 */
+	kasan_disable_current();
+	spin_lock_irqsave(&report_lock, *flags);
+	pr_err("==================================================================\n");
+}
+
+static void kasan_end_report(unsigned long *flags)
+{
+	pr_err("==================================================================\n");
+	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
+	spin_unlock_irqrestore(&report_lock, *flags);
+	if (panic_on_warn)
+		panic("panic_on_warn set ...\n");
+	kasan_enable_current();
+}
+
+static void print_track(struct kasan_track *track, const char *prefix)
 {
-	const void *addr = info->access_addr;
+	pr_err("%s by task %u:\n", prefix, track->pid);
+	if (track->stack) {
+		struct stack_trace trace;
 
+		depot_fetch_stack(track->stack, &trace);
+		print_stack_trace(&trace, 0);
+	} else {
+		pr_err("(stack is not available)\n");
+	}
+}
+
+static struct page *addr_to_page(const void *addr)
+{
 	if ((addr >= (void *)PAGE_OFFSET) &&
-		(addr < high_memory)) {
-		struct page *page = virt_to_head_page(addr);
+			(addr < high_memory))
+		return virt_to_head_page(addr);
+	return NULL;
+}
 
-		if (PageSlab(page)) {
-			void *object;
-			struct kmem_cache *cache = page->slab_cache;
-			void *last_object;
+static void describe_object_addr(struct kmem_cache *cache, void *object,
+				const void *addr)
+{
+	unsigned long access_addr = (unsigned long)addr;
+	unsigned long object_addr = (unsigned long)object;
+	const char *rel_type;
+	int rel_bytes;
 
-			object = virt_to_obj(cache, page_address(page), addr);
-			last_object = page_address(page) +
-				page->objects * cache->size;
+	pr_err("The buggy address belongs to the object at %p\n"
+	       " which belongs to the cache %s of size %d\n",
+		object, cache->name, cache->object_size);
 
-			if (unlikely(object > last_object))
-				object = last_object; /* we hit into padding */
+	if (!addr)
+		return;
 
-			object_err(cache, page, object,
-				"kasan: bad access detected");
-			return;
-		}
-		dump_page(page, "kasan: bad access detected");
+	if (access_addr < object_addr) {
+		rel_type = "to the left";
+		rel_bytes = object_addr - access_addr;
+	} else if (access_addr >= object_addr + cache->object_size) {
+		rel_type = "to the right";
+		rel_bytes = access_addr - (object_addr + cache->object_size);
+	} else {
+		rel_type = "inside";
+		rel_bytes = access_addr - object_addr;
 	}
 
-	if (kernel_or_module_addr(addr)) {
-		if (!init_task_stack_addr(addr))
-			pr_err("Address belongs to variable %pS\n", addr);
+	pr_err("The buggy address is located %d bytes %s of\n"
+	       " %d-byte region [%p, %p)\n",
+		rel_bytes, rel_type, cache->object_size, (void *)object_addr,
+		(void *)(object_addr + cache->object_size));
+}
+
+static void describe_object(struct kmem_cache *cache, void *object,
+				const void *addr)
+{
+	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
+
+	if (cache->flags & SLAB_KASAN) {
+		print_track(&alloc_info->alloc_track, "Allocated");
+		pr_err("\n");
+		print_track(&alloc_info->free_track, "Freed");
+		pr_err("\n");
 	}
 
+	describe_object_addr(cache, object, addr);
+}
+
+static void print_address_description(void *addr)
+{
+	struct page *page = addr_to_page(addr);
+
 	dump_stack();
+	pr_err("\n");
+
+	if (page && PageSlab(page)) {
+		struct kmem_cache *cache = page->slab_cache;
+		void *object = nearest_obj(cache, page,	addr);
+
+		describe_object(cache, object, addr);
+	}
+
+	if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
+		pr_err("The buggy address belongs to the variable:\n");
+		pr_err(" %pS\n", addr);
+	}
+
+	if (page) {
+		pr_err("The buggy address belongs to the page:\n");
+		dump_page(page, "kasan: bad access detected");
+	}
 }
 
 static bool row_is_guilty(const void *row, const void *guilty)
@@ -203,45 +322,72 @@ static void print_shadow_for_address(const void *addr)
 	}
 }
 
-static DEFINE_SPINLOCK(report_lock);
+void kasan_report_double_free(struct kmem_cache *cache, void *object,
+				void *ip)
+{
+	unsigned long flags;
+
+	kasan_start_report(&flags);
+	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+	pr_err("\n");
+	print_address_description(object);
+	pr_err("\n");
+	print_shadow_for_address(object);
+	kasan_end_report(&flags);
+}
 
 static void kasan_report_error(struct kasan_access_info *info)
 {
 	unsigned long flags;
-	const char *bug_type;
 
-	/*
-	 * Make sure we don't end up in loop.
-	 */
-	kasan_disable_current();
-	spin_lock_irqsave(&report_lock, flags);
-	pr_err("================================="
-		"=================================\n");
-	if (info->access_addr <
-			kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) {
-		if ((unsigned long)info->access_addr < PAGE_SIZE)
-			bug_type = "null-ptr-deref";
-		else if ((unsigned long)info->access_addr < TASK_SIZE)
-			bug_type = "user-memory-access";
-		else
-			bug_type = "wild-memory-access";
-		pr_err("BUG: KASAN: %s on address %p\n",
-			bug_type, info->access_addr);
-		pr_err("%s of size %zu by task %s/%d\n",
-			info->is_write ? "Write" : "Read",
-			info->access_size, current->comm,
-			task_pid_nr(current));
+	kasan_start_report(&flags);
+
+	print_error_description(info);
+	pr_err("\n");
+
+	if (!addr_has_shadow(info)) {
 		dump_stack();
 	} else {
-		print_error_description(info);
-		print_address_description(info);
+		print_address_description((void *)info->access_addr);
+		pr_err("\n");
 		print_shadow_for_address(info->first_bad_addr);
 	}
-	pr_err("================================="
-		"=================================\n");
-	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
-	spin_unlock_irqrestore(&report_lock, flags);
-	kasan_enable_current();
+
+	kasan_end_report(&flags);
+}
+
+static unsigned long kasan_flags;
+
+#define KASAN_BIT_REPORTED	0
+#define KASAN_BIT_MULTI_SHOT	1
+
+bool kasan_save_enable_multi_shot(void)
+{
+	return test_and_set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
+}
+EXPORT_SYMBOL_GPL(kasan_save_enable_multi_shot);
+
+void kasan_restore_multi_shot(bool enabled)
+{
+	if (!enabled)
+		clear_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
+}
+EXPORT_SYMBOL_GPL(kasan_restore_multi_shot);
+
+static int __init kasan_set_multi_shot(char *str)
+{
+	set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
+	return 1;
+}
+__setup("kasan_multi_shot", kasan_set_multi_shot);
+
+static inline bool kasan_report_enabled(void)
+{
+	if (current->kasan_depth)
+		return false;
+	if (test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
+		return true;
+	return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags);
 }
 
 void kasan_report(unsigned long addr, size_t size,