Merge android-4.4-p.194 (2b29211) into msm-4.4

* refs/heads/tmp-2b29211
  Revert "ANDROID: regression introduced override_creds=off"
  ANDROID: regression introduced override_creds=off
  Fix fallout from changes to bootparam_utils.h
  ANDROID: sched: Disallow WALT with CFS bandwidth control
  ANDROID: fiq_debugger: remove
  ANDROID: arm64: fix leftover RWX when using CONFIG_UNMAP_KERNEL_AT_EL0
  ANDROID: fix kernelci build-break in lowmemorykiller
  ANDROID: Avoid taking multiple locks in handle_lmk_event
  UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
  ANDROID: fix binder change in merge of 4.4.183
  Fix overlayfs build break
  binder: binder: fix possible UAF when freeing buffer
  ANDROID: Revert "f2fs: avoid out-of-range memory access"
  ANDROID: overlayfs: Fix a regression in commit b24be4acd
  ANDROID: enable CONFIG_RTC_DRV_TEST on cuttlefish
  ANDROID: xfrm: remove in_compat_syscall() checks
  BACKPORT: binder: Set end of SG buffer area properly.
  UPSTREAM: binder: check for overflow when alloc for security context
  BACKPORT: binder: fix race between munmap() and direct reclaim
  ANDROID: cuttlefish 4.4: enable CONFIG_CRYPTO_AES_NI_INTEL=y
  ANDROID: cuttlefish_defconfig: Disable DEVTMPFS
  ANDROID: cuttlefish_defconfig: Enable CONFIG_CPUSETS and CONFIG_CGROUP_SCHEDTUNE
  ANDROID: cuttlefish_defconfig: Drop dead CRYPTO options
  UPSTREAM: virtio: new feature to detect IOMMU device quirk
  UPSTREAM: vring: Use the DMA API on Xen
  UPSTREAM: virtio_ring: Support DMA APIs
  UPSTREAM: vring: Introduce vring_use_dma_api()
  ANDROID: cuttlefish_defconfig: L2TP/PPTP to OLAC/OPNS
  ANDROID: cuttlefish_defconfig: Enable DEBUG_SET_MODULE_RONX
  ANDROID: Fix cuttlefish redundant vsock connection.
  ANDROID: cuttlefish_defconfig: Enable CONFIG_RTC_HCTOSYS
  ANDROID: Move from clang r349610 to r353983c.
  Make arm64 serial port config compatible with crosvm
  UPSTREAM: virt_wifi: Remove REGULATORY_WIPHY_SELF_MANAGED
  ANDROID: cuttlefish_defconfig: Add support for AC97 audio
  ANDROID: Move from clang r346389b to r349610.
  ANDROID: cuttlefish_defconfig: Enable vsock options
  UPSTREAM: vhost/vsock: fix reset orphans race with close timeout
  UPSTREAM: vhost/vsock: fix use-after-free in network stack callers
  UPSTREAM: vhost: correctly check the iova range when waking virtqueue
  UPSTREAM: vhost: synchronize IOTLB message with dev cleanup
  UPSTREAM: vhost: fix info leak due to uninitialized memory
  UPSTREAM: vhost: fix vhost_vq_access_ok() log check
  UPSTREAM: vhost: validate log when IOTLB is enabled
  UPSTREAM: vhost_net: add missing lock nesting notation
  UPSTREAM: vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
  UPSTREAM: vhost/vsock: fix uninitialized vhost_vsock->guest_cid
  UPSTREAM: vhost_net: correctly check tx avail during rx busy polling
  UPSTREAM: vsock: use new wait API for vsock_stream_sendmsg()
  UPSTREAM: vsock: cancel packets when failing to connect
  UPSTREAM: vhost-vsock: add pkt cancel capability
  UPSTREAM: vsock: track pkt owner vsock
  UPSTREAM: vhost: fix initialization for vq->is_le
  UPSTREAM: vhost/vsock: handle vhost_vq_init_access() error
  UPSTREAM: vsock: lookup and setup guest_cid inside vhost_vsock_lock
  UPSTREAM: vhost-vsock: fix orphan connection reset
  UPSTREAM: vsock/virtio: fix src/dst cid format
  UPSTREAM: VSOCK: Don't dec ack backlog twice for rejected connections
  UPSTREAM: vhost/vsock: drop space available check for TX vq
  UPSTREAM: virtio-vsock: fix include guard typo
  UPSTREAM: vhost/vsock: fix vhost virtio_vsock_pkt use-after-free
  UPSTREAM: VSOCK: Use kvfree()
  BACKPORT: vhost: split out vringh Kconfig
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: detect 32 bit integer wrap around
  UPSTREAM: VSOCK: Add Makefile and Kconfig
  UPSTREAM: VSOCK: Introduce vhost_vsock.ko
  UPSTREAM: VSOCK: Introduce virtio_transport.ko
  BACKPORT: VSOCK: Introduce virtio_vsock_common.ko
  UPSTREAM: VSOCK: defer sock removal to transports
  UPSTREAM: VSOCK: transport-specific vsock_transport functions
  UPSTREAM: vsock: make listener child lock ordering explicit
  UPSTREAM: vhost: new device IOTLB API
  BACKPORT: vhost: convert pre sorted vhost memory array to interval tree
  UPSTREAM: vhost: introduce vhost memory accessors
  UPSTREAM: vhost_net: stop polling socket during rx processing
  UPSTREAM: VSOCK: constify vsock_transport structure
  UPSTREAM: vhost: lockless enqueuing
  UPSTREAM: vhost: simplify work flushing
  UPSTREAM: VSOCK: Only check error on skb_recv_datagram when skb is NULL
  BACKPORT: AF_VSOCK: Shrink the area influenced by prepare_to_wait
  UPSTREAM: vhost_net: basic polling support
  UPSTREAM: vhost: introduce vhost_vq_avail_empty()
  UPSTREAM: vhost: introduce vhost_has_work()
  UPSTREAM: vhost: rename vhost_init_used()
  UPSTREAM: vhost: rename cross-endian helpers
  UPSTREAM: vhost: fix error path in vhost_init_used()
  UPSTREAM: virtio: make find_vqs() checkpatch.pl-friendly
  UPSTREAM: net: move napi_hash[] into read mostly section
  ANDROID: cuttlefish_defconfig: Enable VIRTIO_INPUT
  ANDROID: cuttlefish_defconfig: Enable VIRT_WIFI
  FROMGIT, BACKPORT: mac80211-next: rtnetlink wifi simulation device
  ANDROID: Move from clang r328903 to r346389b.
  ANDROID: arm64 defconfig / build config for cuttlefish
  ANDROID: Communicates LMK events to userland where they can be logged
  Fix merge issue with 4.4.178
  Fix merge issue with 4.4.177
  FROMGIT: binder: create node flag to request sender's security context
  ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG
  ANDROID: uid_sys_stats: Copy task_struct comm field to bigger buffer
  UPSTREAM: binder: fix race that allows malicious free of live buffer
  Makefile: Tidy up 4.4.165 merge
  ANDROID: sdcardfs: Change current->fs under lock
  ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro
  arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
  ANDROID: arm64: mm: fix 4.4.154 merge
  Fix backport of "tcp: detect malicious patterns in tcp_collapse_ofo_queue()"
  tcp: detect malicious patterns in tcp_collapse_ofo_queue()
  tcp: avoid collapses in tcp_prune_queue() if possible

Conflicts:
	Makefile
	arch/arm64/configs/cuttlefish_defconfig
	arch/arm64/include/asm/cpufeature.h
	arch/x86/configs/x86_64_cuttlefish_defconfig
	arch/x86/include/asm/uaccess_32.h
	drivers/net/wireless/virt_wifi.c
	drivers/staging/android/lowmemorykiller.c
	fs/f2fs/checkpoint.c
	fs/f2fs/data.c
	fs/f2fs/dir.c
	fs/f2fs/f2fs.h
	fs/f2fs/file.c
	fs/f2fs/inline.c
	fs/f2fs/inode.c
	fs/f2fs/node.c
	fs/f2fs/recovery.c
	fs/f2fs/segment.c
	fs/f2fs/segment.h
	fs/f2fs/super.c
	fs/squashfs/block.c
	include/linux/f2fs_fs.h
	include/linux/msm_mdp.h
	include/uapi/linux/android/binder.h
	include/uapi/linux/virtio_ids.h
	kernel/cpu.c

Change-Id: I3d8da865a81161d356b11f84344c27e172c3add3
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

arch/arm64/configs/cuttlefish_defconfig

@@ -78,7 +78,6 @@ CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_ADVANCED_ROUTER=y
 CONFIG_IP_MULTIPLE_TABLES=y
-CONFIG_NET_IPGRE_DEMUX=y
 CONFIG_NET_IPVTI=y
 CONFIG_INET_ESP=y
 # CONFIG_INET_XFRM_MODE_BEET is not set
@@ -170,7 +169,6 @@ CONFIG_IP6_NF_FILTER=y
 CONFIG_IP6_NF_TARGET_REJECT=y
 CONFIG_IP6_NF_MANGLE=y
 CONFIG_IP6_NF_RAW=y
-CONFIG_L2TP=y
 CONFIG_NET_SCHED=y
 CONFIG_NET_SCH_HTB=y
 CONFIG_NET_CLS_U32=y
@@ -216,8 +214,8 @@ CONFIG_PPP=y
 CONFIG_PPP_BSDCOMP=y
 CONFIG_PPP_DEFLATE=y
 CONFIG_PPP_MPPE=y
-CONFIG_PPTP=y
-CONFIG_PPPOL2TP=y
+CONFIG_PPPOLAC=y
+CONFIG_PPPOPNS=y
 CONFIG_USB_USBNET=y
 # CONFIG_USB_NET_AX8817X is not set
 # CONFIG_USB_NET_AX88179_178A is not set
@@ -414,6 +412,5 @@ CONFIG_HARDENED_USERCOPY=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_CRYPTO_SHA512=y
 CONFIG_CRYPTO_LZ4=y
-CONFIG_CRYPTO_ZSTD=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_XZ_DEC=y

arch/arm64/mm/mmu.c

@@ -505,7 +505,7 @@ static int __init map_entry_trampoline(void)
 {
 	extern char __entry_tramp_text_start[];
 
-	pgprot_t prot = PAGE_KERNEL_EXEC;
+	pgprot_t prot = PAGE_KERNEL_ROX;
 	phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
 
 	/* The trampoline is always mapped and can therefore be global */

arch/x86/configs/x86_64_cuttlefish_defconfig

@@ -13,10 +13,13 @@ CONFIG_IKCONFIG_PROC=y
 CONFIG_CGROUPS=y
 CONFIG_CGROUP_DEBUG=y
 CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_SCHEDTUNE=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_RT_GROUP_SCHED=y
 CONFIG_NAMESPACES=y
+CONFIG_SCHED_TUNE=y
 CONFIG_BLK_DEV_INITRD=y
 # CONFIG_RD_LZ4 is not set
 CONFIG_KALLSYMS_ALL=y
@@ -462,6 +465,7 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_CRYPTO_SHA512=y
 CONFIG_CRYPTO_LZ4=y
 CONFIG_CRYPTO_ZSTD=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 CONFIG_X509_CERTIFICATE_PARSER=y

drivers/android/binder.c

@@ -528,7 +528,8 @@ struct binder_priority {
  * @requested_threads_started: number binder threads started
  *                        (protected by @inner_lock)
  * @tmp_ref:              temporary reference to indicate proc is in use
- *                        (protected by @inner_lock)
+ *                        (atomic since @proc->inner_lock cannot
+ *                        always be acquired)
  * @default_priority:     default scheduler priority
  *                        (invariant after initialized)
  * @debugfs_entry:        debugfs node
@@ -562,7 +563,7 @@ struct binder_proc {
 	int max_threads;
 	int requested_threads;
 	int requested_threads_started;
-	int tmp_ref;
+	atomic_t tmp_ref;
 	struct binder_priority default_priority;
 	struct dentry *debugfs_entry;
 	struct binder_alloc alloc;
@@ -2053,9 +2054,9 @@ static void binder_thread_dec_tmpref(struct binder_thread *thread)
 static void binder_proc_dec_tmpref(struct binder_proc *proc)
 {
 	binder_inner_proc_lock(proc);
-	proc->tmp_ref--;
+	atomic_dec(&proc->tmp_ref);
 	if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
-			!proc->tmp_ref) {
+			!atomic_read(&proc->tmp_ref)) {
 		binder_inner_proc_unlock(proc);
 		binder_free_proc(proc);
 		return;
@@ -2117,8 +2118,26 @@ static struct binder_thread *binder_get_txn_from_and_acq_inner(
 
 static void binder_free_transaction(struct binder_transaction *t)
 {
-	if (t->buffer)
-		t->buffer->transaction = NULL;
+	struct binder_proc *target_proc;
+
+	spin_lock(&t->lock);
+	target_proc = t->to_proc;
+	if (target_proc) {
+		atomic_inc(&target_proc->tmp_ref);
+		spin_unlock(&t->lock);
+
+		binder_inner_proc_lock(target_proc);
+		if (t->buffer)
+			t->buffer->transaction = NULL;
+		binder_inner_proc_unlock(target_proc);
+		binder_proc_dec_tmpref(target_proc);
+	} else {
+		/*
+		 * If the transaction has no target_proc, then
+		 * t->buffer->transaction * has already been cleared.
+		 */
+		spin_unlock(&t->lock);
+	}
 	kfree(t);
 	binder_stats_deleted(BINDER_STAT_TRANSACTION);
 }
@@ -2871,7 +2890,7 @@ static struct binder_node *binder_get_node_refs_for_txn(
 		target_node = node;
 		binder_inc_node_nilocked(node, 1, 0, NULL);
 		binder_inc_node_tmpref_ilocked(node);
-		node->proc->tmp_ref++;
+		atomic_inc(&node->proc->tmp_ref);
 		*procp = node->proc;
 	} else
 		*error = BR_DEAD_REPLY;
@@ -2967,7 +2986,7 @@ static void binder_transaction(struct binder_proc *proc,
 			goto err_dead_binder;
 		}
 		target_proc = target_thread->proc;
-		target_proc->tmp_ref++;
+		atomic_inc(&target_proc->tmp_ref);
 		binder_inner_proc_unlock(target_thread->proc);
 	} else {
 		if (tr->target.handle) {
@@ -3700,10 +3719,12 @@ static int binder_thread_write(struct binder_proc *proc,
 				     buffer->debug_id,
 				     buffer->transaction ? "active" : "finished");
 
+			binder_inner_proc_lock(proc);
 			if (buffer->transaction) {
 				buffer->transaction->buffer = NULL;
 				buffer->transaction = NULL;
 			}
+			binder_inner_proc_unlock(proc);
 			if (buffer->async_transaction && buffer->target_node) {
 				struct binder_node *buf_node;
 				struct binder_work *w;
@@ -4565,7 +4586,7 @@ static int binder_thread_release(struct binder_proc *proc,
 	 * The corresponding dec is when we actually
 	 * free the thread in binder_free_thread()
 	 */
-	proc->tmp_ref++;
+	atomic_inc(&proc->tmp_ref);
 	/*
 	 * take a ref on this thread to ensure it
 	 * survives while we are releasing it
@@ -5060,6 +5081,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
 		return -ENOMEM;
 	spin_lock_init(&proc->inner_lock);
 	spin_lock_init(&proc->outer_lock);
+	atomic_set(&proc->tmp_ref, 0);
 	get_task_struct(current->group_leader);
 	proc->tsk = current->group_leader;
 	mutex_init(&proc->files_lock);
@@ -5239,7 +5261,7 @@ static void binder_deferred_release(struct binder_proc *proc)
 	 * Make sure proc stays alive after we
 	 * remove all the threads
 	 */
-	proc->tmp_ref++;
+	atomic_inc(&proc->tmp_ref);
 
 	proc->is_dead = true;
 	threads = 0;

drivers/staging/android/lowmemorykiller.c

@@ -52,6 +52,7 @@
 #include <linux/circ_buf.h>
 #include <linux/proc_fs.h>
 #include <linux/slab.h>
+#include <linux/poll.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/almk.h>

fs/f2fs/segment.c

@@ -3524,11 +3524,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
 		seg_i = CURSEG_I(sbi, i);
 		segno = le32_to_cpu(ckpt->cur_data_segno[i]);
 		blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
-		if (blk_off > ENTRIES_IN_SUM) {
-			f2fs_bug_on(sbi, 1);
-			f2fs_put_page(page, 1);
-			return -EFAULT;
-		}
 		seg_i->next_segno = segno;
 		reset_curseg(sbi, i, 0);
 		seg_i->alloc_type = ckpt->alloc_type[i];

fs/f2fs/super.c

@@ -2562,6 +2562,12 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
 		return -EFSCORRUPTED;
 	}
 
+	if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) {
+		f2fs_info(sbi, "Invalid segment count (%u)",
+			le32_to_cpu(raw_super->segment_count));
+		return 1;
+	}
+
 	/* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */
 	if (sanity_check_area_boundary(sbi, bh))
 		return -EFSCORRUPTED;
@@ -2677,6 +2683,7 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi)
 
 	sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
 	nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize);
+	log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
 
 	if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 ||
 		nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) {