Merge android-4.4.132 (46155cc) into msm-4.4

* refs/heads/tmp-46155cc
  Linux 4.4.132
  perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
  perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
  perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
  perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
  perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
  tracing/uprobe_event: Fix strncpy corner case
  Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
  atm: zatm: Fix potential Spectre v1
  net: atm: Fix potential Spectre v1
  can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
  tracing: Fix regex_match_front() to not over compare the test string
  libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
  rfkill: gpio: fix memory leak in probe error path
  xfrm_user: fix return value from xfrm_user_rcv_msg
  f2fs: fix a dead loop in f2fs_fiemap()
  bdi: Fix oops in wb_workfn()
  tcp: fix TCP_REPAIR_QUEUE bound checking
  perf: Remove superfluous allocation error check
  soreuseport: initialise timewait reuseport field
  dccp: initialize ireq->ir_mark
  net: fix uninit-value in __hw_addr_add_ex()
  net: initialize skb->peeked when cloning
  net: fix rtnh_ok()
  netlink: fix uninit-value in netlink_sendmsg
  crypto: af_alg - fix possible uninit-value in alg_bind()
  ipvs: fix rtnl_lock lockups caused by start_sync_thread
  usb: musb: host: fix potential NULL pointer dereference
  USB: serial: option: adding support for ublox R410M
  USB: serial: option: reimplement interface masking
  USB: Accept bulk endpoints with 1024-byte maxpacket
  USB: serial: visor: handle potential invalid device configuration
  test_firmware: fix setting old custom fw path back on exit, second try
  drm/vmwgfx: Fix a buffer object leak
  IB/mlx5: Use unlimited rate when static rate is not supported
  NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
  RDMA/mlx5: Protect from shift operand overflow
  RDMA/ucma: Allow resolving address w/o specifying source address
  xfs: prevent creating negative-sized file via INSERT_RANGE
  Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
  Input: leds - fix out of bound access
  tracepoint: Do not warn on ENOMEM
  ALSA: aloop: Add missing cable lock to ctl API callbacks
  ALSA: aloop: Mark paused device as inactive
  ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
  ALSA: pcm: Check PCM state at xfern compat ioctl
  USB: serial: option: Add support for Quectel EP06
  gpmi-nand: Handle ECC Errors in erased pages
  ath10k: rebuild crypto header in rx data frames
  ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
  mac80211: Add RX flag to indicate ICV stripped
  mac80211: allow same PN for AMSDU sub-frames
  mac80211: allow not sending MIC up from driver for HW crypto
  percpu: include linux/sched.h for cond_resched()
  KVM: s390: Enable all facility bits that are known good for passthrough
  bpf: map_get_next_key to return first key on NULL
  perf/core: Fix the perf_cpu_time_max_percent check
  goldfish: pipe: ANDROID: mark local functions static
  Revert "goldfish: pipe: ANDROID: Allocate memory with GFP_KERNEL."
  UPSTREAM: ANDROID: binder: prevent transactions into own process.
  goldfish: pipe: ANDROID: Add DMA support
  UPSTREAM: f2fs: clear PageError on writepage - part 2
  UPSTREAM: f2fs: avoid fsync() failure caused by EAGAIN in writepage()
  ANDROID: build.config: enforce trace_printk check
  ANDROID: x86_64_cuttlefish_defconfig: Disable KPTI
  UPSTREAM: mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss()
  UPSTREAM: mac80211: Fix clang warning about constant operand in logical operation
  UPSTREAM: nl80211: Fix enum type of variable in nl80211_put_sta_rate()
  UPSTREAM: sysfs: remove signedness from sysfs_get_dirent
  UPSTREAM: tracing: Use cpumask_available() to check if cpumask variable may be used
  BACKPORT: clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK
  UPSTREAM: netpoll: Fix device name check in netpoll_setup()
  FROMLIST: staging: Fix sparse warnings in vsoc driver.
  FROMLIST: staging: vsoc: Fix a i386-randconfig warning.
  FROMLIST: staging: vsoc: Create wc kernel mapping for region shm.
  Revert "goldfish: pipe: ANDROID: remove a redundant target"
  goldfish: pipe: ANDROID: Replace writel with gf_write_ptr
  goldfish: pipe: ANDROID: Use dev_ logging instead of pr_
  goldfish: pipe: ANDROID: fix checkpatch warnings
  goldfish: pipe: ANDROID: Update module license

Conflicts:
	drivers/net/wireless/ath/ath10k/core.c
	drivers/net/wireless/ath/ath10k/core.h
	drivers/net/wireless/ath/ath10k/htt_rx.c

Change-Id: If2ede1dea6a07b3fd498724e83071fd547170e1c
[spathi@codeaurora.org: resolved compilation errors in ath10k
by rebuilding crypto header in rx data frames]
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

5 files changed, 39 insertions, 24 deletions

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 24ba31601fc9..08ac73b33947 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -427,7 +427,7 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 	case NL80211_CHAN_WIDTH_5:
 	case NL80211_CHAN_WIDTH_10:
 		cfg80211_chandef_create(&chandef, cbss->channel,
-					NL80211_CHAN_WIDTH_20_NOHT);
+					NL80211_CHAN_NO_HT);
 		chandef.width = sdata->u.ibss.chandef.width;
 		break;
 	case NL80211_CHAN_WIDTH_80:
@@ -438,7 +438,7 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 	default:
 		/* fall back to 20 MHz for unsupported modes */
 		cfg80211_chandef_create(&chandef, cbss->channel,
-					NL80211_CHAN_WIDTH_20_NOHT);
+					NL80211_CHAN_NO_HT);
 		break;
 	}
 
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index a4e2f4e67f94..24033c81f3d0 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -173,9 +173,11 @@ ieee80211_rate_control_ops_get(const char *name)
 		/* try default if specific alg requested but not found */
 		ops = ieee80211_try_rate_control_ops_get(ieee80211_default_rc_algo);
 
-	/* try built-in one if specific alg requested but not found */
-	if (!ops && strlen(CONFIG_MAC80211_RC_DEFAULT))
+	/* Note: check for > 0 is intentional to avoid clang warning */
+	if (!ops && (strlen(CONFIG_MAC80211_RC_DEFAULT) > 0))
+		/* try built-in one if specific alg requested but not found */
 		ops = ieee80211_try_rate_control_ops_get(CONFIG_MAC80211_RC_DEFAULT);
+
 	kernel_param_unlock(THIS_MODULE);
 
 	return ops;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index bc799a4b7cd1..f4b9f97af092 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2663,8 +2663,9 @@ u64 ieee80211_calculate_rx_timestamp(struct ieee80211_local *local,
 
 	rate = cfg80211_calculate_bitrate(&ri);
 	if (WARN_ONCE(!rate,
-		      "Invalid bitrate: flags=0x%x, idx=%d, vht_nss=%d\n",
-		      status->flag, status->rate_idx, status->vht_nss))
+		      "Invalid bitrate: flags=0x%llx, idx=%d, vht_nss=%d\n",
+		      (unsigned long long)status->flag, status->rate_idx,
+		      status->vht_nss))
 		return 0;
 
 	/* rewind from end of MPDU */
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index efa3f48f1ec5..73e8f347802e 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -293,7 +293,8 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx)
 			return RX_DROP_UNUSABLE;
 		ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key);
 		/* remove ICV */
-		if (pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN))
+		if (!(status->flag & RX_FLAG_ICV_STRIPPED) &&
+		    pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN))
 			return RX_DROP_UNUSABLE;
 	}
 
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index e19ea1c53afa..cb439e06919f 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -298,7 +298,8 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
 		return RX_DROP_UNUSABLE;
 
 	/* Trim ICV */
-	skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
+	if (!(status->flag & RX_FLAG_ICV_STRIPPED))
+		skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
 
 	/* Remove IV */
 	memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
@@ -508,25 +509,31 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
 	    !ieee80211_is_robust_mgmt_frame(skb))
 		return RX_CONTINUE;
 
-	data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
-	if (!rx->sta || data_len < 0)
-		return RX_DROP_UNUSABLE;
-
 	if (status->flag & RX_FLAG_DECRYPTED) {
 		if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
 			return RX_DROP_UNUSABLE;
+		if (status->flag & RX_FLAG_MIC_STRIPPED)
+			mic_len = 0;
 	} else {
 		if (skb_linearize(rx->skb))
 			return RX_DROP_UNUSABLE;
 	}
 
+	data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
+	if (!rx->sta || data_len < 0)
+		return RX_DROP_UNUSABLE;
+
 	if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
+		int res;
+
 		ccmp_hdr2pn(pn, skb->data + hdrlen);
 
 		queue = rx->security_idx;
 
-		if (memcmp(pn, key->u.ccmp.rx_pn[queue],
-			   IEEE80211_CCMP_PN_LEN) <= 0) {
+		res = memcmp(pn, key->u.ccmp.rx_pn[queue],
+			     IEEE80211_CCMP_PN_LEN);
+		if (res < 0 ||
+		    (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
 			key->u.ccmp.replays++;
 			return RX_DROP_UNUSABLE;
 		}
@@ -724,8 +731,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
 	struct sk_buff *skb = rx->skb;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 	u8 pn[IEEE80211_GCMP_PN_LEN];
-	int data_len;
-	int queue;
+	int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
 
 	hdrlen = ieee80211_hdrlen(hdr->frame_control);
 
@@ -733,26 +739,31 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
 	    !ieee80211_is_robust_mgmt_frame(skb))
 		return RX_CONTINUE;
 
-	data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN -
-		   IEEE80211_GCMP_MIC_LEN;
-	if (!rx->sta || data_len < 0)
-		return RX_DROP_UNUSABLE;
-
 	if (status->flag & RX_FLAG_DECRYPTED) {
 		if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
 			return RX_DROP_UNUSABLE;
+		if (status->flag & RX_FLAG_MIC_STRIPPED)
+			mic_len = 0;
 	} else {
 		if (skb_linearize(rx->skb))
 			return RX_DROP_UNUSABLE;
 	}
 
+	data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
+	if (!rx->sta || data_len < 0)
+		return RX_DROP_UNUSABLE;
+
 	if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
+		int res;
+
 		gcmp_hdr2pn(pn, skb->data + hdrlen);
 
 		queue = rx->security_idx;
 
-		if (memcmp(pn, key->u.gcmp.rx_pn[queue],
-			   IEEE80211_GCMP_PN_LEN) <= 0) {
+		res = memcmp(pn, key->u.gcmp.rx_pn[queue],
+			     IEEE80211_GCMP_PN_LEN);
+		if (res < 0 ||
+		    (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
 			key->u.gcmp.replays++;
 			return RX_DROP_UNUSABLE;
 		}
@@ -776,7 +787,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
 	}
 
 	/* Remove GCMP header and MIC */
-	if (pskb_trim(skb, skb->len - IEEE80211_GCMP_MIC_LEN))
+	if (pskb_trim(skb, skb->len - mic_len))
 		return RX_DROP_UNUSABLE;
 	memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
 	skb_pull(skb, IEEE80211_GCMP_HDR_LEN);