Merge 4.14.264 into android-4.14-stable
Linux 4.14.264
drm/vmwgfx: Fix stale file descriptors on failed usercopy
can: bcm: fix UAF of bcm op
drm/i915: Flush TLBs before releasing backing store
Merge 4.14.263 into android-4.14-stable
Linux 4.14.263
NFSv4: Initialise connection to the server in nfs4_alloc_client()
gianfar: fix jumbo packets+napi+rx overrun crash
gianfar: simplify FCS handling and fix memory leak
* fuse: fix live lock in fuse_iget()
fs/fuse/fuse_i.h
* fuse: fix bad inode
fs/fuse/acl.c
fs/fuse/dir.c
fs/fuse/file.c
fs/fuse/fuse_i.h
fs/fuse/inode.c
fs/fuse/xattr.c
drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
mips,s390,sh,sparc: gup: Work around the "COW can break either way" issue
lib82596: Fix IRQ check in sni_82596_probe
scripts/dtc: dtx_diff: remove broken example from help text
bcmgenet: add WOL IRQ check
* net_sched: restore "mpu xxx" handling
include/net/sch_generic.h
net/sched/sch_generic.c
dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
dmaengine: at_xdmac: Fix lld view setting
dmaengine: at_xdmac: Print debug message after realeasing the lock
dmaengine: at_xdmac: Don't start transactions at tx_submit level
libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
* netns: add schedule point in ops_exit_list()
net/core/net_namespace.c
net: axienet: fix number of TX ring slots for available check
net: axienet: Wait for PhyRstCmplt after core reset
* af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
net/unix/garbage.c
net/unix/scm.c
parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
powerpc/cell: Fix clang -Wimplicit-fallthrough warning
RDMA/rxe: Fix a typo in opcode name
RDMA/hns: Modify the mapping attribute of doorbell to device
Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization
* firmware: Update Kconfig help text for Google firmware
drivers/firmware/google/Kconfig
drm/radeon: fix error handling in radeon_driver_open_kms
crypto: stm32/crc32 - Fix kernel BUG triggered in probe()
* ext4: don't use the orphan list when migrating an inode
fs/ext4/migrate.c
* ext4: Fix BUG_ON in ext4_bread when write quota data
fs/ext4/super.c
* ext4: set csum seed in tmp inode while migrating to extents
fs/ext4/migrate.c
* ext4: make sure quota gets properly shutdown on error
fs/ext4/super.c
iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
* cputime, cpuacct: Include guest time in user time in cpuacct.stat
kernel/sched/cputime.c
* serial: Fix incorrect rs485 polarity on uart open
drivers/tty/serial/serial_core.c
ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
power: bq25890: Enable continuous conversion for ADC at charging
ASoC: mediatek: mt8173: fix device_node leak
scsi: sr: Don't use GFP_DMA
MIPS: Octeon: Fix build errors using clang
i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
MIPS: OCTEON: add put_device() after of_find_device_by_node()
ALSA: seq: Set upper limit of processed events
w1: Misuse of get_user()/put_user() reported by sparse
i2c: mpc: Correct I2C reset procedure
powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
i2c: i801: Don't silently correct invalid transfer size
powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
powerpc/btext: add missing of_node_put
powerpc/cell: add missing of_node_put
powerpc/powernv: add missing of_node_put
powerpc/6xx: add missing of_node_put
parisc: Avoid calling faulthandler_disabled() twice
* serial: core: Keep mctrl register state and cached copy in sync
drivers/tty/serial/serial_core.c
serial: pl010: Drop CR register reset on set_termios
net: phy: marvell: configure RGMII delays for 88E1118
dm space map common: add bounds check to sm_ll_lookup_bitmap()
dm btree: add a defensive bounds check to insert_at()
mac80211: allow non-standard VHT MCS-10/11
* net: mdio: Demote probed message to debug print
drivers/net/phy/mdio_bus.c
btrfs: remove BUG_ON(!eie) in find_parent_nodes
btrfs: remove BUG_ON() in find_parent_nodes()
ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
ACPICA: Utilities: Avoid deleting the same object twice in a row
* ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
include/acpi/actypes.h
jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
um: registers: Rename function names to avoid conflicts and build problems
iwlwifi: remove module loading failure message
iwlwifi: fix leaks/bad data after failed firmware load
ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
* usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
drivers/usb/core/hub.c
arm64: tegra: Adjust length of CCPLEX cluster MMIO region
mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
media: igorplugusb: receiver overflow should be reported
* bpf: Do not WARN in bpf_warn_invalid_xdp_action()
net/core/filter.c
* net: bonding: debug: avoid printing debug logs when bond is not notifying peers
drivers/net/bonding/bond_main.c
ath10k: Fix tx hanging
iwlwifi: mvm: synchronize with FW after multicast commands
media: m920x: don't use stack on USB reads
media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
* media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
drivers/media/usb/uvc/uvcvideo.h
floppy: Add max size check for user space request
usb: uhci: add aspeed ast2600 uhci support
mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
HSI: core: Fix return freed object in hsi_new_client
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
drm/bridge: megachips: Ensure both bridges are probed before registration
mlxsw: pci: Add shutdown method in PCI driver
media: b2c2: Add missing check in flexcop_pci_isr:
* HID: apple: Do not reset quirks when the Fn key is not found
drivers/hid/hid-apple.c
* usb: gadget: f_fs: Use stream_open() for endpoint files
drivers/usb/gadget/function/f_fs.c
drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
fs: dlm: filter user dlm messages for kernel locks
* Bluetooth: Fix debugfs entry leak in hci_register_dev()
net/bluetooth/hci_core.c
RDMA/cxgb4: Set queue pair state when being queried
mips: bcm63xx: add support for clk_set_parent()
mips: lantiq: add support for clk_set_parent()
misc: lattice-ecp3-config: Fix task hung when firmware load failed
ASoC: samsung: idma: Check of ioremap return value
* iommu/iova: Fix race between FQ timeout and teardown
drivers/iommu/iova.c
dmaengine: pxa/mmp: stop referencing config->slave_id
RDMA/core: Let ib_find_gid() continue search even after empty entry
* scsi: ufs: Fix race conditions related to driver data
drivers/scsi/ufs/ufshcd-pltfrm.c
drivers/scsi/ufs/ufshcd.c
char/mwave: Adjust io port register size
ALSA: oss: fix compile error when OSS_DEBUG is enabled
powerpc/prom_init: Fix improper check of prom_getprop()
RDMA/hns: Validate the pkey index
ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
* ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
sound/core/pcm.c
* ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
sound/core/jack.c
* ext4: avoid trim error on fs with small groups
fs/ext4/ioctl.c
fs/ext4/mballoc.c
net: mcs7830: handle usb read errors properly
pcmcia: fix setting of kthread task states
can: xilinx_can: xcan_probe(): check for error irq
can: softing: softing_startstop(): fix set but not used variable warning
tpm: add request_locality before write TPM_INT_ENABLE
spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
fsl/fman: Check for null pointer after calling devm_ioremap
* ppp: ensure minimum packet size in ppp_write()
drivers/net/ppp/ppp_generic.c
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()
x86/mce/inject: Avoid out-of-bounds write when setting flags
usb: ftdi-elan: fix memory leak on device disconnect
media: msi001: fix possible null-ptr-deref in msi001_probe()
media: dw2102: Fix use after free
* sched/rt: Try to restart rt period timer when rt runtime exceeded
kernel/sched/rt.c
media: si2157: Fix "warm" tuner state detection
media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
media: dib8000: Fix a memleak in dib8000_init()
floppy: Fix hang in watchdog when disk is ejected
serial: amba-pl011: do not request memory region twice
drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
arm64: dts: qcom: msm8916: fix MMC controller aliases
* netfilter: bridge: add support for pppoe filtering
net/bridge/br_netfilter_hooks.c
media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
tty: serial: atmel: Call dma_async_issue_pending()
tty: serial: atmel: Check return code of dmaengine_submit()
crypto: qce - fix uaf on qce_ahash_register_one
* media: dmxdev: fix UAF when dvb_register_device() fails
drivers/media/dvb-core/dmxdev.c
* Bluetooth: stop proccessing malicious adv data
net/bluetooth/hci_event.c
media: em28xx: fix memory leak in em28xx_init_dev
wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
clk: bcm-2835: Remove rounding up the dividers
clk: bcm-2835: Pick the closest clock rate
Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
* PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
drivers/pci/quirks.c
* shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
mm/shmem.c
can: softing_cs: softingcs_probe(): fix memleak on registration failure
media: stk1160: fix control-message timeouts
media: pvrusb2: fix control-message timeouts
media: redrat3: fix control-message timeouts
media: dib0700: fix undefined behavior in tuner shutdown
media: s2255: fix control-message timeouts
media: cpia2: fix control-message timeouts
media: em28xx: fix control-message timeouts
media: mceusb: fix control-message timeouts
media: flexcop-usb: fix control-message timeouts
rtc: cmos: take rtc_lock while reading from CMOS
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
* HID: wacom: Avoid using stale array indicies to read contact count
drivers/hid/wacom_wac.c
* HID: wacom: Ignore the confidence flag when a touch is removed
drivers/hid/wacom_wac.c
* HID: uhid: Fix worker destroying device without any protection
drivers/hid/uhid.c
* Bluetooth: fix init and cleanup of sco_conn.timeout_work
net/bluetooth/sco.c
* Bluetooth: schedule SCO timeouts with delayed_work
net/bluetooth/sco.c
rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
* media: uvcvideo: fix division by zero at stream start
drivers/media/usb/uvc/uvc_video.c
orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()
drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn()
* random: fix data race on crng init time
drivers/char/random.c
* random: fix data race on crng_node_pool
drivers/char/random.c
can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
* USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
drivers/usb/core/hcd.c
* USB: core: Fix bug in resuming hub's handling of wakeup requests
drivers/usb/core/hub.c
Bluetooth: bfusb: fix division by zero in send path
* ANDROID: incremental-fs: fix mount_fs issue
fs/incfs/vfs.c
* UPSTREAM: drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...) functions
drivers/base/power/wakeup_stats.c
Merge 4.14.262 into android-4.14-stable
Linux 4.14.262
mISDN: change function names to avoid conflicts
* net: udp: fix alignment problem in udp4_seq_show()
net/ipv4/udp.c
* ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
net/ipv6/ip6_vti.c
scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
* ipv6: Do cleanup if attribute validation fails in multipath route
net/ipv6/route.c
* ipv6: Continue processing multipath route even if gateway attribute is invalid
net/ipv6/route.c
phonet: refcount leak in pep_sock_accep
rndis_host: support Hytera digital radios
power: reset: ltc2952: Fix use of floating point literals
xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
* ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
net/ipv6/route.c
* ipv6: Check attribute length for RTA_GATEWAY in multipath route
net/ipv6/route.c
i40e: Fix incorrect netdev's real number of RX/TX queues
i40e: fix use-after-free in i40e_sync_filters_subtask()
mac80211: initialize variable have_higher_than_11mbit
RDMA/core: Don't infoleak GRH fields
ieee802154: atusb: fix uninit value in atusb_set_extended_addr
virtio_pci: Support surprise removal of virtio pci device
* tracing: Tag trace_percpu_buffer as a percpu pointer
kernel/trace/trace.c
* tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
kernel/trace/trace.c
Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models

Bug: 218597355
Change-Id: I0e4ea06483386bf64155243791d1f949eabbe98c
Signed-off-by: Lucas Wei <lucaswei@google.com>