authorSrinivasarao P <spathi@codeaurora.org>2019-02-22 12:12:15 +0530
committerSrinivasarao P <spathi@codeaurora.org>2019-02-22 12:13:06 +0530
commit119c43587e314ff2ed171b2b5acf70ebd5fbd156 (patch)
tree7b1012030cee1fd0bd8a31b88f55463320747876 /kernel
parenta59cdc9c30cdb2c743af13aad2ea1917900787f6 (diff)
parent08d58678a972c6d3c274dca3b8c4eaa9fdf73e03 (diff)
Merge android-4.4.175 (08d5867) into msm-4.4
* refs/heads/tmp-08d5867 Linux 4.4.175 uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define pinctrl: msm: fix gpio-hog related boot issues usb: dwc2: Remove unnecessary kfree kaweth: use skb_cow_head() to deal with cloned skbs ch9200: use skb_cow_head() to deal with cloned skbs smsc95xx: Use skb_cow_head to deal with cloned skbs dm thin: fix bug where bio that overwrites thin block ignores FUA x86/a.out: Clear the dump structure initially signal: Restore the stop PTRACE_EVENT_EXIT x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls tracing/uprobes: Fix output for multiple string arguments alpha: Fix Eiger NR_IRQS to 128 alpha: fix page fault handling for r16-r18 targets Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 Input: bma150 - register input device after setting private data ALSA: usb-audio: Fix implicit fb endpoint setup by quirk ALSA: hda - Add quirk for HP EliteBook 840 G5 perf/core: Fix impossible ring-buffer sizes warning Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G" Documentation/network: reword kernel version reference cifs: Limit memory used by lock request calls to a page gpio: pl061: handle failed allocations ARM: dts: kirkwood: Fix polarity of GPIO fan lines ARM: dts: da850-evm: Correct the sound card name uapi/if_ether.h: prevent redefinition of struct ethhdr Revert "exec: load_script: don't blindly truncate shebang string" batman-adv: Force mac header to start of data on xmit batman-adv: Avoid WARN on net_device without parent in netns xfrm: refine validation of template and selector families libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)" NFC: nxp-nci: Include unaligned.h instead of access_ok.h HID: debug: fix the ring buffer implementation drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user drm/vmwgfx: Fix setting of 
dma masks drm/modes: Prevent division by zero htotal mac80211: ensure that mgmt tx skbs have tailroom for encryption ARM: iop32x/n2100: fix PCI IRQ mapping MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled mips: cm: reprime error cause debugfs: fix debugfs_rename parameter checking misc: vexpress: Off by one in vexpress_syscfg_exec() signal: Better detection of synchronous signals signal: Always notice exiting tasks mtd: rawnand: gpmi: fix MX28 bus master lockup problem perf tests evsel-tp-sched: Fix bitwise operator perf/core: Don't WARN() for impossible ring-buffer sizes x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() perf/x86/intel/uncore: Add Node ID mask KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) usb: gadget: udc: net2272: Fix bitwise and boolean operations usb: phy: am335x: fix race condition in _probe dmaengine: imx-dma: fix wrong callback invoke fuse: handle zero sized retrieve correctly fuse: decrement NR_WRITEBACK_TEMP on the right page fuse: call pipe_buf_release() under pipe lock ALSA: hda - Serialize codec registrations ALSA: compress: Fix stop handling on compressed capture streams net: dsa: slave: Don't propagate flag changes on down slave interfaces net: systemport: Fix WoL with password after deep sleep skge: potential memory corruption in skge_get_regs() net: dp83640: expire old TX-skb enic: fix checksum validation for IPv6 dccp: fool proof ccid_hc_[rt]x_parse_options() string: drop __must_check from strscpy() and restore strscpy() usages in cgroup tipc: use destination length for copy string test_hexdump: use memcpy instead of strncpy thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set exec: load_script: don't blindly truncate shebang string fs/epoll: drop ovflist branch prediction kernel/hung_task.c: break RCU locks 
based on jiffies HID: lenovo: Add checks to fix of_led_classdev_register block/swim3: Fix -EBUSY error when re-opening device after unmount gdrom: fix a memory leak bug isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() ocfs2: don't clear bh uptodate for block read scripts/decode_stacktrace: only strip base path when a prefix of the path niu: fix missing checks of niu_pci_eeprom_read um: Avoid marking pages with "changed protection" cifs: check ntwrk_buf_start for NULL before dereferencing it crypto: ux500 - Use proper enum in hash_set_dma_transfer crypto: ux500 - Use proper enum in cryp_set_dma_transfer seq_buf: Make seq_buf_puts() null-terminate the buffer hwmon: (lm80) fix a missing check of bus read in lm80 probe hwmon: (lm80) fix a missing check of the status of SMBus read NFS: nfs_compare_mount_options always compare auth flavors. KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported fbdev: fbcon: Fix unregister crash when more than one framebuffer igb: Fix an issue that PME is not enabled during runtime suspend fbdev: fbmem: behave better with small rotated displays and many CPUs video: clps711x-fb: release disp device node in probe() drbd: Avoid Clang warning about pointless switch statment drbd: skip spurious timeout (ping-timeo) when failing promote drbd: disconnect, if the wrong UUIDs are attached on a connected peer drbd: narrow rcu_read_lock in drbd_sync_handshake cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Bluetooth: Fix unnecessary error message for HCI request completion xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi mac80211: fix radiotap vendor presence bitmap handling powerpc/uaccess: fix warning/error with access_ok() arm64: KVM: Skip MMIO insn after emulation tty: serial: samsung: Properly set flags in autoCTS mode memstick: Prevent memstick host from getting runtime suspended during card detection ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M ARM: pxa: avoid 
section mismatch warning udf: Fix BUG on corrupted inode i2c-axxia: check for error conditions first cpuidle: big.LITTLE: fix refcount leak clk: imx6sl: ensure MMDC CH0 handshake is bypassed sata_rcar: fix deferred probing iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer mips: bpf: fix encoding bug for mm_srlv32_op ARM: dts: Fix OMAP4430 SDP Ethernet startup timekeeping: Use proper seqcount initializer usb: hub: delay hub autosuspend if USB3 port is still link training smack: fix access permissions for keyring media: DaVinci-VPBE: fix error handling in vpbe_initialize() x86/fpu: Add might_fault() to user_insn() ARM: dts: mmp2: fix TWSI2 arm64: ftrace: don't adjust the LR value nfsd4: fix crash on writing v4_end_grace before nfsd startup sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN f2fs: fix wrong return value of f2fs_acl_create f2fs: move dir data flush to write checkpoint process soc/tegra: Don't leak device tree node reference perf tools: Add Hygon Dhyana support modpost: validate symbol names also in find_elf_symbol ARM: OMAP2+: hwmod: Fix some section annotations staging: iio: ad7780: update voltage on read staging:iio:ad2s90: Make probe handle spi_setup failure ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl serial: fsl_lpuart: clear parity enable bit when disable parity powerpc/pseries: add of_node_put() in dlpar_detach_node() x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) dlm: Don't swamp the CPU with callbacks queued during recovery ARM: 8808/1: kexec:offline panic_smp_self_stop CPU scsi: lpfc: Correct LCB RJT handling ASoC: Intel: mrfld: fix uninitialized variable access staging: iio: adc: ad7280a: handle error from __ad7280_read32() drm/bufs: Fix Spectre v1 vulnerability BACKPORT: userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas ANDROID: cuttlefish_defconfig: Enable DEBUG_SET_MODULE_RONX ANDROID: Move from clang r346389b to r349610. 
UPSTREAM: virt_wifi: fix error return code in virt_wifi_newlink() ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG Change-Id: I8456a2f1d229a2d454295d660f749a2b436c6440 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/events/ring_buffer.c3
-rw-r--r--kernel/hung_task.c8
-rw-r--r--kernel/signal.c61
-rw-r--r--kernel/time/timekeeping.c4
-rw-r--r--kernel/trace/trace_uprobe.c9
5 files changed, 78 insertions, 7 deletions
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index f4b9a369c8c3..424f5a5fa5a2 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -639,6 +639,9 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
size = sizeof(struct ring_buffer);
size += nr_pages * sizeof(void *);
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
rb = kzalloc(size, GFP_KERNEL);
if (!rb)
goto fail;
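Review bot: The new `order_base_2(size) >= PAGE_SHIFT+MAX_ORDER` test in rb_alloc() has no comment explaining why a size is rejected before kzalloc() is attempted. The commit log names the upstream change "perf/core: Don't WARN() for impossible ring-buffer sizes", so the intent appears to be failing cleanly on a caller-supplied `nr_pages` that the allocator could never satisfy. I would state that next to the check, e.g. `/* Sizes beyond the largest possible allocation can never succeed; fail here instead of tripping the allocator's warning. */`. Note also that `nr_pages` is an `int` multiplied by a `sizeof`, so a negative value wraps to a very large size and is caught only by this test; a one-line mention of that would help the next reader. rb_alloc()'s body starts and continues outside the hunk.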
diff --git a/kernel/hung_task.c b/kernel/hung_task.c
index e0f90c2b57aa..cc05b97ba569 100644
--- a/kernel/hung_task.c
+++ b/kernel/hung_task.c
@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT;
* is disabled during the critical section. It also controls the size of
* the RCU grace period. So it needs to be upper-bound.
*/
-#define HUNG_TASK_BATCHING 1024
+#define HUNG_TASK_LOCK_BREAK (HZ / 10)
/*
* Zero means infinite timeout - no checking done:
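Review bot: The comment lines kept above `HUNG_TASK_LOCK_BREAK` do not say that the bound is now a time interval in jiffies rather than a task count. The macro is compared against `jiffies` with `time_after()` in check_hung_uninterruptible_tasks() (the two later hunks of this file), so `HZ / 10` means roughly 100 ms between RCU lock breaks. I would add a line such as `/* Interval in jiffies (about 100 ms) after which the RCU read lock is dropped. */`. The start of the existing comment is outside the hunk and may still describe batching by task count, in which case it should be reworded as well.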
@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t)
static void check_hung_uninterruptible_tasks(unsigned long timeout)
{
int max_count = sysctl_hung_task_check_count;
- int batch_count = HUNG_TASK_BATCHING;
+ unsigned long last_break = jiffies;
struct task_struct *g, *t;
/*
@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout)
for_each_process_thread(g, t) {
if (!max_count--)
goto unlock;
- if (!--batch_count) {
- batch_count = HUNG_TASK_BATCHING;
+ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) {
if (!rcu_lock_break(g, t))
goto unlock;
+ last_break = jiffies;
}
/* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */
if (t->state == TASK_UNINTERRUPTIBLE)
diff --git a/kernel/signal.c b/kernel/signal.c
index 5b1313309356..96e8c3cbfa38 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -696,6 +696,48 @@ static inline bool si_fromuser(const struct siginfo *info)
(!is_si_special(info) && SI_FROMUSER(info));
}
+static int dequeue_synchronous_signal(siginfo_t *info)
+{
+ struct task_struct *tsk = current;
+ struct sigpending *pending = &tsk->pending;
+ struct sigqueue *q, *sync = NULL;
+
+ /*
+ * Might a synchronous signal be in the queue?
+ */
+ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
+ return 0;
+
+ /*
+ * Return the first synchronous signal in the queue.
+ */
+ list_for_each_entry(q, &pending->list, list) {
+ /* Synchronous signals have a postive si_code */
+ if ((q->info.si_code > SI_USER) &&
+ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
+ sync = q;
+ goto next;
+ }
+ }
+ return 0;
+next:
+ /*
+ * Check if there is another siginfo for the same signal.
+ */
+ list_for_each_entry_continue(q, &pending->list, list) {
+ if (q->info.si_signo == sync->info.si_signo)
+ goto still_pending;
+ }
+
+ sigdelset(&pending->signal, sync->info.si_signo);
+ recalc_sigpending();
+still_pending:
+ list_del_init(&sync->list);
+ copy_siginfo(info, &sync->info);
+ __sigqueue_free(sync);
+ return info->si_signo;
+}
+
/*
* called with RCU read lock from check_kill_permission()
*/
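Review bot: dequeue_synchronous_signal() walks `current->pending` and unlinks an entry from it, but has no header comment stating its locking requirement or return contract. Judging by the call site added later in this file, it runs with `sighand->siglock` held and returns the dequeued signal number, or 0 when no synchronous signal is queued. A short comment should say so, and should note that only the per-thread queue `tsk->pending` is searched. The inline comment has a typo, `postive` for `positive`. As a style point, the first loop could end with `break` followed by `if (!sync) return 0;` instead of `goto next`, which would remove one label.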
@@ -2198,6 +2240,14 @@ relock:
goto relock;
}
+ /* Has this task already been marked for death? */
+ if (signal_group_exit(signal)) {
+ ksig->info.si_signo = signr = SIGKILL;
+ sigdelset(&current->pending.signal, SIGKILL);
+ recalc_sigpending();
+ goto fatal;
+ }
+
for (;;) {
struct k_sigaction *ka;
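Review bot: On the new signal_group_exit() path only `ksig->info.si_signo` is assigned, so every other field of `ksig->info` keeps whatever the caller left there when control jumps to `fatal:`. The code after that label is outside this hunk, so it cannot be checked here whether it reads further fields; if it does, it would see stale or uninitialised data. I would either zero the structure before setting `si_signo` or document the restriction, e.g. `/* Only si_signo is valid on this path; code after fatal: must not read other ksig->info fields. */`. The enclosing function starts and ends outside the hunk.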
@@ -2211,7 +2261,15 @@ relock:
goto relock;
}
- signr = dequeue_signal(current, &current->blocked, &ksig->info);
+ /*
+ * Signals generated by the execution of an instruction
+ * need to be delivered before any other pending signals
+ * so that the instruction pointer in the signal stack
+ * frame points to the faulting instruction.
+ */
+ signr = dequeue_synchronous_signal(&ksig->info);
+ if (!signr)
+ signr = dequeue_signal(current, &current->blocked, &ksig->info);
if (!signr)
break; /* will return 0 */
@@ -2293,6 +2351,7 @@ relock:
continue;
}
+ fatal:
spin_unlock_irq(&sighand->siglock);
/*
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 0651c7f47932..790988e66289 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -39,7 +39,9 @@
static struct {
seqcount_t seq;
struct timekeeper timekeeper;
-} tk_core ____cacheline_aligned;
+} tk_core ____cacheline_aligned = {
+ .seq = SEQCNT_ZERO(tk_core.seq),
+};
static DEFINE_RAW_SPINLOCK(timekeeper_lock);
static struct timekeeper shadow_timekeeper;
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index 31a436f9f13b..0839129fbbd8 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs,
ret = strncpy_from_user(dst, src, maxlen);
if (ret == maxlen)
- dst[--ret] = '\0';
+ dst[ret - 1] = '\0';
+ else if (ret >= 0)
+ /*
+ * Include the terminating null byte. In this case it
+ * was copied by strncpy_from_user but not accounted
+ * for in ret.
+ */
+ ret++;
if (ret < 0) { /* Failed to fetch string */
((u8 *)get_rloc_data(dest))[0] = '\0';
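Review bot: The new `else if (ret >= 0)` branch puts a five-line comment between the condition and its single unbraced statement `ret++;`, which makes it easy to misread which statement the branch controls. Kernel style asks for braces once a branch spans more than one line, so I would write `if (ret == maxlen) {` … `} else if (ret >= 0) {` … `}` around the two bodies. Separately, `dst[ret - 1] = '\0';` is only in bounds when `maxlen` is non-zero. Any guard for that would sit above the hunk, so it is worth confirming that the function returns early on a zero `maxlen`.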