Merge 4.4.146 into android-4.4-p

Changes in 4.4.146
	MIPS: Fix off-by-one in pci_resource_to_user()
	Input: elan_i2c - add ACPI ID for lenovo ideapad 330
	Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
	Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
	tracing: Fix double free of event_trigger_data
	tracing: Fix possible double free in event_enable_trigger_func()
	tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
	tracing: Quiet gcc warning about maybe unused link variable
	xen/netfront: raise max number of slots in xennet_get_responses()
	ALSA: emu10k1: add error handling for snd_ctl_add
	ALSA: fm801: add error handling for snd_ctl_add
	nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
	mm: vmalloc: avoid racy handling of debugobjects in vunmap
	mm/slub.c: add __printf verification to slab_err()
	rtc: ensure rtc_set_alarm fails when alarms are not supported
	netfilter: ipset: List timing out entries with "timeout 1" instead of zero
	infiniband: fix a possible use-after-free bug
	hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
	powerpc/64s: Fix compiler store ordering to SLB shadow area
	RDMA/mad: Convert BUG_ONs to error flows
	disable loading f2fs module on PAGE_SIZE > 4KB
	f2fs: fix to don't trigger writeback during recovery
	usbip: usbip_detach: Fix memory, udev context and udev leak
	perf/x86/intel/uncore: Correct fixed counter index check in generic code
	perf/x86/intel/uncore: Correct fixed counter index check for NHM
	iwlwifi: pcie: fix race in Rx buffer allocator
	Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning
	Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
	ASoC: dpcm: fix BE dai not hw_free and shutdown
	mfd: cros_ec: Fail early if we cannot identify the EC
	mwifiex: handle race during mwifiex_usb_disconnect
	wlcore: sdio: check for valid platform device data before suspend
	media: videobuf2-core: don't call memop 'finish' when queueing
	btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups
	btrfs: qgroup: Finish rescan when hit the last leaf of extent tree
	PCI: Prevent sysfs disable of device while driver is attached
	ath: Add regulatory mapping for FCC3_ETSIC
	ath: Add regulatory mapping for ETSI8_WORLD
	ath: Add regulatory mapping for APL13_WORLD
	ath: Add regulatory mapping for APL2_FCCA
	ath: Add regulatory mapping for Uganda
	ath: Add regulatory mapping for Tanzania
	ath: Add regulatory mapping for Serbia
	ath: Add regulatory mapping for Bermuda
	ath: Add regulatory mapping for Bahamas
	powerpc/32: Add a missing include header
	powerpc/chrp/time: Make some functions static, add missing header include
	powerpc/powermac: Add missing prototype for note_bootable_part()
	powerpc/powermac: Mark variable x as unused
	powerpc/8xx: fix invalid register expression in head_8xx.S
	pinctrl: at91-pio4: add missing of_node_put
	PCI: pciehp: Request control of native hotplug only if supported
	mwifiex: correct histogram data with appropriate index
	scsi: ufs: fix exception event handling
	ALSA: emu10k1: Rate-limit error messages about page errors
	regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
	md: fix NULL dereference of mddev->pers in remove_and_add_spares()
	media: smiapp: fix timeout checking in smiapp_read_nvm
	ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback
	HID: hid-plantronics: Re-resend Update to map button for PTT products
	drm/radeon: fix mode_valid's return type
	powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet
	HID: i2c-hid: check if device is there before really probing
	tty: Fix data race in tty_insert_flip_string_fixed_flag
	dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA
	media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open()
	libata: Fix command retry decision
	media: saa7164: Fix driver name in debug output
	mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages
	brcmfmac: Add support for bcm43364 wireless chipset
	s390/cpum_sf: Add data entry sizes to sampling trailer entry
	perf: fix invalid bit in diagnostic entry
	scsi: 3w-9xxx: fix a missing-check bug
	scsi: 3w-xxxx: fix a missing-check bug
	scsi: megaraid: silence a static checker bug
	thermal: exynos: fix setting rising_threshold for Exynos5433
	bpf: fix references to free_bpf_prog_info() in comments
	media: siano: get rid of __le32/__le16 cast warnings
	drm/atomic: Handling the case when setting old crtc for plane
	ALSA: hda/ca0132: fix build failure when a local macro is defined
	memory: tegra: Do not handle spurious interrupts
	memory: tegra: Apply interrupts mask per SoC
	drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
	ipconfig: Correctly initialise ic_nameservers
	rsi: Fix 'invalid vdd' warning in mmc
	audit: allow not equal op for audit by executable
	microblaze: Fix simpleImage format generation
	usb: hub: Don't wait for connect state at resume for powered-off ports
	crypto: authencesn - don't leak pointers to authenc keys
	crypto: authenc - don't leak pointers to authenc keys
	media: omap3isp: fix unbalanced dma_iommu_mapping
	scsi: scsi_dh: replace too broad "TP9" string with the exact models
	scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs
	media: si470x: fix __be16 annotations
	drm: Add DP PSR2 sink enable bit
	random: mix rdrand with entropy sent in from userspace
	squashfs: be more careful about metadata corruption
	ext4: fix inline data updates with checksums enabled
	ext4: check for allocation block validity with block group locked
	dmaengine: pxa_dma: remove duplicate const qualifier
	ASoC: pxa: Fix module autoload for platform drivers
	ipv4: remove BUG_ON() from fib_compute_spec_dst
	net: fix amd-xgbe flow-control issue
	net: lan78xx: fix rx handling before first packet is send
	xen-netfront: wait xenbus state change when load module manually
	NET: stmmac: align DMA stuff to largest cache line length
	tcp: do not force quickack when receiving out-of-order packets
	tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode
	tcp: do not aggressively quick ack after ECN events
	tcp: refactor tcp_ecn_check_ce to remove sk type cast
	tcp: add one more quick ack after after ECN events
	inet: frag: enforce memory limits earlier
	net: dsa: Do not suspend/resume closed slave_dev
	netlink: Fix spectre v1 gadget in netlink_create()
	squashfs: more metadata hardening
	squashfs: more metadata hardenings
	can: ems_usb: Fix memory leak on ems_usb_disconnect()
	net: socket: fix potential spectre v1 gadget in socketcall
	virtio_balloon: fix another race between migration and ballooning
	kvm: x86: vmx: fix vpid leak
	crypto: padlock-aes - Fix Nano workaround data corruption
	scsi: sg: fix minor memory leak in error path
	Linux 4.4.146

Change-Id: I7b8ad5e297804f92b3e3a8c5daf8a26ba684029b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

2 files changed, 26 insertions, 7 deletions

diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 2172dd61577e..b8a894adab2c 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -663,6 +663,8 @@ event_trigger_callback(struct event_command *cmd_ops,
 		goto out_free;
 
  out_reg:
+	/* Up the trigger_data count to make sure reg doesn't free it on failure */
+	event_trigger_init(trigger_ops, trigger_data);
 	ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
 	/*
 	 * The above returns on success the # of functions enabled,
@@ -670,11 +672,13 @@ event_trigger_callback(struct event_command *cmd_ops,
 	 * Consider no functions a failure too.
 	 */
 	if (!ret) {
+		cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
 		ret = -ENOENT;
-		goto out_free;
-	} else if (ret < 0)
-		goto out_free;
-	ret = 0;
+	} else if (ret > 0)
+		ret = 0;
+
+	/* Down the counter of trigger_data or free it if not used anymore */
+	event_trigger_free(trigger_ops, trigger_data);
  out:
 	return ret;
 
@@ -1227,6 +1231,9 @@ event_enable_trigger_func(struct event_command *cmd_ops,
 		goto out;
 	}
 
+	/* Up the trigger_data count to make sure nothing frees it on failure */
+	event_trigger_init(trigger_ops, trigger_data);
+
 	if (trigger) {
 		number = strsep(&trigger, ":");
 
@@ -1277,6 +1284,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
 		goto out_disable;
 	/* Just return zero, not the number of enabled functions */
 	ret = 0;
+	event_trigger_free(trigger_ops, trigger_data);
  out:
 	return ret;
 
@@ -1287,7 +1295,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
  out_free:
 	if (cmd_ops->set_filter)
 		cmd_ops->set_filter(NULL, trigger_data, NULL);
-	kfree(trigger_data);
+	event_trigger_free(trigger_ops, trigger_data);
 	kfree(enable_data);
 	goto out;
 }
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index f2682799c215..f0ee722be520 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -349,11 +349,10 @@ static struct trace_kprobe *find_trace_kprobe(const char *event,
 static int
 enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
 {
+	struct event_file_link *link = NULL;
 	int ret = 0;
 
 	if (file) {
-		struct event_file_link *link;
-
 		link = kmalloc(sizeof(*link), GFP_KERNEL);
 		if (!link) {
 			ret = -ENOMEM;
@@ -373,6 +372,18 @@ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
 		else
 			ret = enable_kprobe(&tk->rp.kp);
 	}
+
+	if (ret) {
+		if (file) {
+			/* Notice the if is true on not WARN() */
+			if (!WARN_ON_ONCE(!link))
+				list_del_rcu(&link->list);
+			kfree(link);
+			tk->tp.flags &= ~TP_FLAG_TRACE;
+		} else {
+			tk->tp.flags &= ~TP_FLAG_PROFILE;
+		}
+	}
  out:
 	return ret;
 }