Merge android-4.4.194 (a749771) into msm-4.4

* refs/heads/tmp-a749771
  Linux 4.4.194
  net_sched: let qdisc_put() accept NULL pointer
  ARC: export "abort" for modules
  media: technisat-usb2: break out of loop at end of buffer
  floppy: fix usercopy direction
  keys: Fix missing null pointer check in request_key_auth_describe()
  dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
  net: seeq: Fix the function used to release some memory in an error handling path
  tools/power turbostat: fix buffer overrun
  sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
  cifs: Use kzfree() to zero out the password
  cifs: set domainName when a domain-key is used in multiuser
  NFSv2: Fix write regression
  NFSv2: Fix eof handling
  netfilter: nf_conntrack_ftp: Fix debug output
  x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
  r8152: Set memory to all 0xFFs on failed reg reads
  ARM: 8874/1: mm: only adjust sections of valid mm structures
  Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
  NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
  NFSv4: Fix return values for nfs4_file_open()
  s390/bpf: use 32-bit index for tail calls
  ARM: OMAP2+: Fix omap4 errata warning on other SoCs
  s390/bpf: fix lcgr instruction encoding
  mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
  tty/serial: atmel: reschedule TX after RX was started
  serial: sprd: correct the wrong sequence of arguments
  KVM: coalesced_mmio: add bounds checking
  xen-netfront: do not assume sk_buff_head list is empty in error handling
  x86/boot: Add missing bootparam that breaks boot on some platforms
  media: tm6000: double free if usb disconnect while streaming
  USB: usbcore: Fix slab-out-of-bounds bug during device reset
  ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
  MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
  x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
  crypto: talitos - check data blocksize in ablkcipher.
  crypto: talitos - check AES key size
  driver core: Fix use-after-free and double free on glue directory
  clk: rockchip: Don't yell about bad mmc phases when getting
  MIPS: VDSO: Use same -m%-float cflag as the kernel proper
  MIPS: VDSO: Prevent use of smp_processor_id()
  KVM: nVMX: handle page fault in vmread
  KVM: x86: work around leak of uninitialized stack contents
  KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
  genirq: Prevent NULL pointer dereference in resend_irqs()
  Btrfs: fix assertion failure during fsync and use of stale transaction
  Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
  tun: fix use-after-free when register netdev failed
  tipc: add NULL pointer check before calling kfree_rcu
  tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
  sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
  sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
  sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
  net: Fix null de-reference of device refcount
  isdn/capi: check message length in capi_write()
  ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
  cdc_ether: fix rndis support for Mediatek based smartphones
  bridge/mdb: remove wrong use of NLM_F_MULTI

Change-Id: I950778c771159febb721a4ebc2656c57ef40ad83
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

8 files changed, 48 insertions, 14 deletions

diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
index dcd72b2a3715..8ba9eadc2079 100644
--- a/drivers/net/ethernet/marvell/sky2.c
+++ b/drivers/net/ethernet/marvell/sky2.c
@@ -4946,6 +4946,13 @@ static const struct dmi_system_id msi_blacklist[] = {
 			DMI_MATCH(DMI_BOARD_NAME, "P6T"),
 		},
 	},
+	{
+		.ident = "ASUS P6X",
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
+			DMI_MATCH(DMI_BOARD_NAME, "P6X"),
+		},
+	},
 	{}
 };
 
diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c
index ca7336605748..2e5f7bbd30bf 100644
--- a/drivers/net/ethernet/seeq/sgiseeq.c
+++ b/drivers/net/ethernet/seeq/sgiseeq.c
@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform_device *pdev)
 		printk(KERN_ERR "Sgiseeq: Cannot register net device, "
 		       "aborting.\n");
 		err = -ENODEV;
-		goto err_out_free_page;
+		goto err_out_free_attrs;
 	}
 
 	printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr);
 
 	return 0;
 
-err_out_free_page:
-	free_page((unsigned long) sp->srings);
+err_out_free_attrs:
+	dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings,
+		       sp->srings_dma, DMA_ATTR_NON_CONSISTENT);
 err_out_free_dev:
 	free_netdev(dev);
 
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index d235d186df5e..93c7024fcc67 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -597,7 +597,8 @@ static void tun_detach_all(struct net_device *dev)
 		module_put(THIS_MODULE);
 }
 
-static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filter)
+static int tun_attach(struct tun_struct *tun, struct file *file,
+		      bool skip_filter, bool publish_tun)
 {
 	struct tun_file *tfile = file->private_data;
 	int err;
@@ -630,7 +631,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte
 	}
 	tfile->queue_index = tun->numqueues;
 	tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
-	rcu_assign_pointer(tfile->tun, tun);
+	if (publish_tun)
+		rcu_assign_pointer(tfile->tun, tun);
 	rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
 	tun->numqueues++;
 
@@ -1642,7 +1644,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		if (err < 0)
 			return err;
 
-		err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER);
+		err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER, true);
 		if (err < 0)
 			return err;
 
@@ -1723,13 +1725,17 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 				       NETIF_F_HW_VLAN_STAG_TX);
 
 		INIT_LIST_HEAD(&tun->disabled);
-		err = tun_attach(tun, file, false);
+		err = tun_attach(tun, file, false, false);
 		if (err < 0)
 			goto err_free_flow;
 
 		err = register_netdevice(tun->dev);
 		if (err < 0)
 			goto err_detach;
+		/* free_netdev() won't check refcnt, to aovid race
+		 * with dev_put() we need publish tun after registration.
+		 */
+		rcu_assign_pointer(tfile->tun, tun);
 	}
 
 	netif_carrier_on(tun->dev);
@@ -1868,7 +1874,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr)
 		ret = security_tun_dev_attach_queue(tun->security);
 		if (ret < 0)
 			goto unlock;
-		ret = tun_attach(tun, file, false);
+		ret = tun_attach(tun, file, false, true);
 	} else if (ifr->ifr_flags & IFF_DETACH_QUEUE) {
 		tun = rtnl_dereference(tfile->tun);
 		if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached)
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index f71abe50ea6f..3707aab2423b 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -212,9 +212,16 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
 		goto bad_desc;
 	}
 skip:
-	if (	rndis &&
-		header.usb_cdc_acm_descriptor &&
-		header.usb_cdc_acm_descriptor->bmCapabilities) {
+	/* Communcation class functions with bmCapabilities are not
+	 * RNDIS.  But some Wireless class RNDIS functions use
+	 * bmCapabilities for their own purpose. The failsafe is
+	 * therefore applied only to Communication class RNDIS
+	 * functions.  The rndis test is redundant, but a cheap
+	 * optimization.
+	 */
+	if (rndis && is_rndis(&intf->cur_altsetting->desc) &&
+	    header.usb_cdc_acm_descriptor &&
+	    header.usb_cdc_acm_descriptor->bmCapabilities) {
 			dev_dbg(&intf->dev,
 				"ACM capabilities %02x, not really RNDIS?\n",
 				header.usb_cdc_acm_descriptor->bmCapabilities);
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 2d83689374bb..10dd307593e8 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -671,8 +671,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
 	ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0),
 			      RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
 			      value, index, tmp, size, 500);
+	if (ret < 0)
+		memset(data, 0xff, size);
+	else
+		memcpy(data, tmp, size);
 
-	memcpy(data, tmp, size);
 	kfree(tmp);
 
 	return ret;
diff --git a/drivers/net/wireless/mwifiex/ie.c b/drivers/net/wireless/mwifiex/ie.c
index de8435709735..4255fb8dd58a 100644
--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -240,6 +240,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len,
 		}
 
 		vs_ie = (struct ieee_types_header *)vendor_ie;
+		if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
+			IEEE_MAX_IE_SIZE)
+			return -EINVAL;
 		memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
 		       vs_ie, vs_ie->len + 2);
 		le16_add_cpu(&ie->ie_length, vs_ie->len + 2);
diff --git a/drivers/net/wireless/mwifiex/uap_cmd.c b/drivers/net/wireless/mwifiex/uap_cmd.c
index 759a6ada5b0f..60bba1ca24e6 100644
--- a/drivers/net/wireless/mwifiex/uap_cmd.c
+++ b/drivers/net/wireless/mwifiex/uap_cmd.c
@@ -286,6 +286,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
 
 	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
 	if (rate_ie) {
+		if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
+			return;
 		memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
 		rate_len = rate_ie->len;
 	}
@@ -293,8 +295,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
 	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
 					   params->beacon.tail,
 					   params->beacon.tail_len);
-	if (rate_ie)
+	if (rate_ie) {
+		if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
+			return;
 		memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
+	}
 
 	return;
 }
@@ -412,6 +417,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
 					    params->beacon.tail_len);
 	if (vendor_ie) {
 		wmm_ie = (struct ieee_types_header *)vendor_ie;
+		if (*(vendor_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
+			return;
 		memcpy(&bss_cfg->wmm_info, wmm_ie + 1,
 		       sizeof(bss_cfg->wmm_info));
 		priv->wmm_enabled = 1;
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 6f55ab4f7959..574c93a24180 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -893,7 +893,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
 		}
 		if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
-			queue->rx.rsp_cons = ++cons;
+			queue->rx.rsp_cons = ++cons + skb_queue_len(list);
 			kfree_skb(nskb);
 			return ~0U;
 		}