Merge 4.4.146 into android-4.4-p

Changes in 4.4.146
	MIPS: Fix off-by-one in pci_resource_to_user()
	Input: elan_i2c - add ACPI ID for lenovo ideapad 330
	Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
	Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
	tracing: Fix double free of event_trigger_data
	tracing: Fix possible double free in event_enable_trigger_func()
	tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
	tracing: Quiet gcc warning about maybe unused link variable
	xen/netfront: raise max number of slots in xennet_get_responses()
	ALSA: emu10k1: add error handling for snd_ctl_add
	ALSA: fm801: add error handling for snd_ctl_add
	nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
	mm: vmalloc: avoid racy handling of debugobjects in vunmap
	mm/slub.c: add __printf verification to slab_err()
	rtc: ensure rtc_set_alarm fails when alarms are not supported
	netfilter: ipset: List timing out entries with "timeout 1" instead of zero
	infiniband: fix a possible use-after-free bug
	hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
	powerpc/64s: Fix compiler store ordering to SLB shadow area
	RDMA/mad: Convert BUG_ONs to error flows
	disable loading f2fs module on PAGE_SIZE > 4KB
	f2fs: fix to don't trigger writeback during recovery
	usbip: usbip_detach: Fix memory, udev context and udev leak
	perf/x86/intel/uncore: Correct fixed counter index check in generic code
	perf/x86/intel/uncore: Correct fixed counter index check for NHM
	iwlwifi: pcie: fix race in Rx buffer allocator
	Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning
	Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
	ASoC: dpcm: fix BE dai not hw_free and shutdown
	mfd: cros_ec: Fail early if we cannot identify the EC
	mwifiex: handle race during mwifiex_usb_disconnect
	wlcore: sdio: check for valid platform device data before suspend
	media: videobuf2-core: don't call memop 'finish' when queueing
	btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups
	btrfs: qgroup: Finish rescan when hit the last leaf of extent tree
	PCI: Prevent sysfs disable of device while driver is attached
	ath: Add regulatory mapping for FCC3_ETSIC
	ath: Add regulatory mapping for ETSI8_WORLD
	ath: Add regulatory mapping for APL13_WORLD
	ath: Add regulatory mapping for APL2_FCCA
	ath: Add regulatory mapping for Uganda
	ath: Add regulatory mapping for Tanzania
	ath: Add regulatory mapping for Serbia
	ath: Add regulatory mapping for Bermuda
	ath: Add regulatory mapping for Bahamas
	powerpc/32: Add a missing include header
	powerpc/chrp/time: Make some functions static, add missing header include
	powerpc/powermac: Add missing prototype for note_bootable_part()
	powerpc/powermac: Mark variable x as unused
	powerpc/8xx: fix invalid register expression in head_8xx.S
	pinctrl: at91-pio4: add missing of_node_put
	PCI: pciehp: Request control of native hotplug only if supported
	mwifiex: correct histogram data with appropriate index
	scsi: ufs: fix exception event handling
	ALSA: emu10k1: Rate-limit error messages about page errors
	regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
	md: fix NULL dereference of mddev->pers in remove_and_add_spares()
	media: smiapp: fix timeout checking in smiapp_read_nvm
	ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback
	HID: hid-plantronics: Re-resend Update to map button for PTT products
	drm/radeon: fix mode_valid's return type
	powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet
	HID: i2c-hid: check if device is there before really probing
	tty: Fix data race in tty_insert_flip_string_fixed_flag
	dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA
	media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open()
	libata: Fix command retry decision
	media: saa7164: Fix driver name in debug output
	mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages
	brcmfmac: Add support for bcm43364 wireless chipset
	s390/cpum_sf: Add data entry sizes to sampling trailer entry
	perf: fix invalid bit in diagnostic entry
	scsi: 3w-9xxx: fix a missing-check bug
	scsi: 3w-xxxx: fix a missing-check bug
	scsi: megaraid: silence a static checker bug
	thermal: exynos: fix setting rising_threshold for Exynos5433
	bpf: fix references to free_bpf_prog_info() in comments
	media: siano: get rid of __le32/__le16 cast warnings
	drm/atomic: Handling the case when setting old crtc for plane
	ALSA: hda/ca0132: fix build failure when a local macro is defined
	memory: tegra: Do not handle spurious interrupts
	memory: tegra: Apply interrupts mask per SoC
	drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
	ipconfig: Correctly initialise ic_nameservers
	rsi: Fix 'invalid vdd' warning in mmc
	audit: allow not equal op for audit by executable
	microblaze: Fix simpleImage format generation
	usb: hub: Don't wait for connect state at resume for powered-off ports
	crypto: authencesn - don't leak pointers to authenc keys
	crypto: authenc - don't leak pointers to authenc keys
	media: omap3isp: fix unbalanced dma_iommu_mapping
	scsi: scsi_dh: replace too broad "TP9" string with the exact models
	scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs
	media: si470x: fix __be16 annotations
	drm: Add DP PSR2 sink enable bit
	random: mix rdrand with entropy sent in from userspace
	squashfs: be more careful about metadata corruption
	ext4: fix inline data updates with checksums enabled
	ext4: check for allocation block validity with block group locked
	dmaengine: pxa_dma: remove duplicate const qualifier
	ASoC: pxa: Fix module autoload for platform drivers
	ipv4: remove BUG_ON() from fib_compute_spec_dst
	net: fix amd-xgbe flow-control issue
	net: lan78xx: fix rx handling before first packet is send
	xen-netfront: wait xenbus state change when load module manually
	NET: stmmac: align DMA stuff to largest cache line length
	tcp: do not force quickack when receiving out-of-order packets
	tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode
	tcp: do not aggressively quick ack after ECN events
	tcp: refactor tcp_ecn_check_ce to remove sk type cast
	tcp: add one more quick ack after after ECN events
	inet: frag: enforce memory limits earlier
	net: dsa: Do not suspend/resume closed slave_dev
	netlink: Fix spectre v1 gadget in netlink_create()
	squashfs: more metadata hardening
	squashfs: more metadata hardenings
	can: ems_usb: Fix memory leak on ems_usb_disconnect()
	net: socket: fix potential spectre v1 gadget in socketcall
	virtio_balloon: fix another race between migration and ballooning
	kvm: x86: vmx: fix vpid leak
	crypto: padlock-aes - Fix Nano workaround data corruption
	scsi: sg: fix minor memory leak in error path
	Linux 4.4.146

Change-Id: I7b8ad5e297804f92b3e3a8c5daf8a26ba684029b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

8 files changed, 57 insertions, 32 deletions

diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 554c2a961ad5..48b28a7ecc7a 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1099,6 +1099,9 @@ int dsa_slave_suspend(struct net_device *slave_dev)
 {
 	struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+	if (!netif_running(slave_dev))
+		return 0;
+
 	netif_device_detach(slave_dev);
 
 	if (p->phy) {
@@ -1116,6 +1119,9 @@ int dsa_slave_resume(struct net_device *slave_dev)
 {
 	struct dsa_slave_priv *p = netdev_priv(slave_dev);
 
+	if (!netif_running(slave_dev))
+		return 0;
+
 	netif_device_attach(slave_dev);
 
 	if (p->phy) {
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 65a2adfa451f..249a89491353 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -289,19 +289,19 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb)
 		return ip_hdr(skb)->daddr;
 
 	in_dev = __in_dev_get_rcu(dev);
-	BUG_ON(!in_dev);
 
 	net = dev_net(dev);
 
 	scope = RT_SCOPE_UNIVERSE;
 	if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
+		bool vmark = in_dev && IN_DEV_SRC_VMARK(in_dev);
 		struct flowi4 fl4 = {
 			.flowi4_iif = LOOPBACK_IFINDEX,
 			.flowi4_oif = l3mdev_master_ifindex_rcu(dev),
 			.daddr = ip_hdr(skb)->saddr,
 			.flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
 			.flowi4_scope = scope,
-			.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0,
+			.flowi4_mark = vmark ? skb->mark : 0,
 		};
 		if (!fib_lookup(net, &fl4, &res, 0))
 			return FIB_RES_PREFSRC(net, res);
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index b34fa1bb278f..b2001b20e029 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -364,11 +364,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
 {
 	struct inet_frag_queue *q;
 
-	if (frag_mem_limit(nf) > nf->high_thresh) {
-		inet_frag_schedule_worker(f);
-		return NULL;
-	}
-
 	q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
 	if (!q)
 		return NULL;
@@ -405,6 +400,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
 	struct inet_frag_queue *q;
 	int depth = 0;
 
+	if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+		inet_frag_schedule_worker(f);
+		return NULL;
+	}
+
 	if (frag_mem_limit(nf) > nf->low_thresh)
 		inet_frag_schedule_worker(f);
 
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 9d6b9c4c5f82..60f564db25a3 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -790,6 +790,11 @@ static void __init ic_bootp_init_ext(u8 *e)
  */
 static inline void __init ic_bootp_init(void)
 {
+	/* Re-initialise all name servers to NONE, in case any were set via the
+	 * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses
+	 * specified there will already have been decoded but are no longer
+	 * needed
+	 */
 	ic_nameservers_predef();
 
 	dev_add_pack(&bootp_packet_type);
@@ -1423,6 +1428,13 @@ static int __init ip_auto_config(void)
 	int err;
 	unsigned int i;
 
+	/* Initialise all name servers to NONE (but only if the "ip=" or
+	 * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise
+	 * we'll overwrite the IP addresses specified there)
+	 */
+	if (ic_set_manually == 0)
+		ic_nameservers_predef();
+
 #ifdef CONFIG_PROC_FS
 	proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops);
 #endif /* CONFIG_PROC_FS */
@@ -1640,6 +1652,7 @@ static int __init ip_auto_config_setup(char *addrs)
 		return 1;
 	}
 
+	/* Initialise all name servers to NONE */
 	ic_nameservers_predef();
 
 	/* Parse string for static IP assignment.  */
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
index e63b764e55ea..6300edf90e60 100644
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -138,7 +138,7 @@ static void dctcp_ce_state_0_to_1(struct sock *sk)
 		 */
 		if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
 			__tcp_send_ack(sk, ca->prior_rcv_nxt);
-		tcp_enter_quickack_mode(sk);
+		tcp_enter_quickack_mode(sk, 1);
 	}
 
 	ca->prior_rcv_nxt = tp->rcv_nxt;
@@ -159,7 +159,7 @@ static void dctcp_ce_state_1_to_0(struct sock *sk)
 		 */
 		if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
 			__tcp_send_ack(sk, ca->prior_rcv_nxt);
-		tcp_enter_quickack_mode(sk);
+		tcp_enter_quickack_mode(sk, 1);
 	}
 
 	ca->prior_rcv_nxt = tp->rcv_nxt;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 51e8f1c32836..cbfc8581295a 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -177,21 +177,23 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb)
 	}
 }
 
-static void tcp_incr_quickack(struct sock *sk)
+static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks)
 {
 	struct inet_connection_sock *icsk = inet_csk(sk);
 	unsigned int quickacks = tcp_sk(sk)->rcv_wnd / (2 * icsk->icsk_ack.rcv_mss);
 
 	if (quickacks == 0)
 		quickacks = 2;
+	quickacks = min(quickacks, max_quickacks);
 	if (quickacks > icsk->icsk_ack.quick)
-		icsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS);
+		icsk->icsk_ack.quick = quickacks;
 }
 
-void tcp_enter_quickack_mode(struct sock *sk)
+void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
 {
 	struct inet_connection_sock *icsk = inet_csk(sk);
-	tcp_incr_quickack(sk);
+
+	tcp_incr_quickack(sk, max_quickacks);
 	icsk->icsk_ack.pingpong = 0;
 	icsk->icsk_ack.ato = TCP_ATO_MIN;
 }
@@ -227,8 +229,10 @@ static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp)
 	tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
 }
 
-static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
+	struct tcp_sock *tp = tcp_sk(sk);
+
 	switch (TCP_SKB_CB(skb)->ip_dsfield & INET_ECN_MASK) {
 	case INET_ECN_NOT_ECT:
 		/* Funny extension: if ECT is not set on a segment,
@@ -236,31 +240,31 @@ static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
 		 * it is probably a retransmit.
 		 */
 		if (tp->ecn_flags & TCP_ECN_SEEN)
-			tcp_enter_quickack_mode((struct sock *)tp);
+			tcp_enter_quickack_mode(sk, 2);
 		break;
 	case INET_ECN_CE:
-		if (tcp_ca_needs_ecn((struct sock *)tp))
-			tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_IS_CE);
+		if (tcp_ca_needs_ecn(sk))
+			tcp_ca_event(sk, CA_EVENT_ECN_IS_CE);
 
 		if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
 			/* Better not delay acks, sender can have a very low cwnd */
-			tcp_enter_quickack_mode((struct sock *)tp);
+			tcp_enter_quickack_mode(sk, 2);
 			tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
 		}
 		tp->ecn_flags |= TCP_ECN_SEEN;
 		break;
 	default:
-		if (tcp_ca_needs_ecn((struct sock *)tp))
-			tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_NO_CE);
+		if (tcp_ca_needs_ecn(sk))
+			tcp_ca_event(sk, CA_EVENT_ECN_NO_CE);
 		tp->ecn_flags |= TCP_ECN_SEEN;
 		break;
 	}
 }
 
-static void tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
-	if (tp->ecn_flags & TCP_ECN_OK)
-		__tcp_ecn_check_ce(tp, skb);
+	if (tcp_sk(sk)->ecn_flags & TCP_ECN_OK)
+		__tcp_ecn_check_ce(sk, skb);
 }
 
 static void tcp_ecn_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th)
@@ -652,7 +656,7 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)
 		/* The _first_ data packet received, initialize
 		 * delayed ACK engine.
 		 */
-		tcp_incr_quickack(sk);
+		tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
 		icsk->icsk_ack.ato = TCP_ATO_MIN;
 	} else {
 		int m = now - icsk->icsk_ack.lrcvtime;
@@ -668,13 +672,13 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)
 			/* Too long gap. Apparently sender failed to
 			 * restart window, so that we send ACKs quickly.
 			 */
-			tcp_incr_quickack(sk);
+			tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
 			sk_mem_reclaim(sk);
 		}
 	}
 	icsk->icsk_ack.lrcvtime = now;
 
-	tcp_ecn_check_ce(tp, skb);
+	tcp_ecn_check_ce(sk, skb);
 
 	if (skb->len >= 128)
 		tcp_grow_window(sk, skb);
@@ -4137,7 +4141,7 @@ static void tcp_send_dupack(struct sock *sk, const struct sk_buff *skb)
 	if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&
 	    before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);
-		tcp_enter_quickack_mode(sk);
+		tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
 
 		if (tcp_is_sack(tp) && sysctl_tcp_dsack) {
 			u32 end_seq = TCP_SKB_CB(skb)->end_seq;
@@ -4365,7 +4369,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
 	struct sk_buff *skb1;
 	u32 seq, end_seq;
 
-	tcp_ecn_check_ce(tp, skb);
+	tcp_ecn_check_ce(sk, skb);
 
 	if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) {
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPOFODROP);
@@ -4639,7 +4643,7 @@ queue_and_out:
 		tcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq);
 
 out_of_window:
-		tcp_enter_quickack_mode(sk);
+		tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
 		inet_csk_schedule_ack(sk);
 drop:
 		__kfree_skb(skb);
@@ -4650,8 +4654,6 @@ drop:
 	if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt + tcp_receive_window(tp)))
 		goto out_of_window;
 
-	tcp_enter_quickack_mode(sk);
-
 	if (before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
 		/* Partial packet, seq < rcv_next < end_seq */
 		SOCK_DEBUG(sk, "partial packet: rcv_next %X seq %X - %X\n",
@@ -5677,7 +5679,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
 			 * to stand against the temptation 8)     --ANK
 			 */
 			inet_csk_schedule_ack(sk);
-			tcp_enter_quickack_mode(sk);
+			tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
 			inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
 						  TCP_DELACK_MAX, TCP_RTO_MAX);
 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 818400fddc9b..9708fff318d5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -62,6 +62,7 @@
 #include <asm/cacheflush.h>
 #include <linux/hash.h>
 #include <linux/genetlink.h>
+#include <linux/nospec.h>
 
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -654,6 +655,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
 
 	if (protocol < 0 || protocol >= MAX_LINKS)
 		return -EPROTONOSUPPORT;
+	protocol = array_index_nospec(protocol, MAX_LINKS);
 
 	netlink_lock_table();
 #ifdef CONFIG_MODULES
diff --git a/net/socket.c b/net/socket.c
index 9684fd34b013..b75a537807b5 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>
 #include <linux/xattr.h>
+#include <linux/nospec.h>
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -2338,6 +2339,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
 
 	if (call < 1 || call > SYS_SENDMMSG)
 		return -EINVAL;
+	call = array_index_nospec(call, SYS_SENDMMSG + 1);
 
 	len = nargs[call];
 	if (len > sizeof(a))