authorGreg Kroah-Hartman <gregkh@google.com>2018-03-25 10:55:44 +0200
committerGreg Kroah-Hartman <gregkh@google.com>2018-03-25 10:55:44 +0200
commitdd1e37e6464544cd8e8f32997ef1ab1ff37cae78 (patch)
tree419edaa0de5ec417b347377bd2d363fd1bba3fe1 /drivers/char
parentf152ce1be2ab0d243e69c8b779181a5925623c2d (diff)
parent24f70aa804cd7f8fee4353cf4990997d1c8375ae (diff)
Merge 4.9.90 into android-4.9
Changes in 4.9.90 tpm: fix potential buffer overruns caused by bit glitches on the bus ASoC: rsnd: check src mod pointer for rsnd_mod_id() SMB3: Validate negotiate request must always be signed CIFS: Enable encryption during session setup phase staging: android: ashmem: Fix possible deadlock in ashmem_ioctl Revert "led: core: Fix brightness setting when setting delay_off=0" led: core: Clear LED_BLINK_SW flag in led_blink_set() platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA bonding: handle link transition from FAIL to UP correctly regulator: anatop: set default voltage selector for pcie power: supply: bq24190_charger: Limit over/under voltage fault logging x86: i8259: export legacy_pic symbol rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs Input: ar1021_i2c - fix too long name in driver's device table time: Change posix clocks ops interfaces to use timespec64 ACPI/processor: Fix error handling in __acpi_processor_start() ACPI/processor: Replace racy task affinity logic cpufreq/sh: Replace racy task affinity logic genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs i2c: i2c-scmi: add a MS HID net: ipv6: send unsolicited NA on admin up media/dvb-core: Race condition when writing to CAM btrfs: fix a bogus warning when converting only data or metadata ASoC: Intel: Atom: update Thinkpad 10 quirk tools/testing/nvdimm: fix nfit_test shutdown crash spi: dw: Disable clock after unregistering the host powerpc/64s: Remove SAO feature from Power9 DD1 ath: Fix updating radar flags for coutry code India clk: ns2: Correct SDIO bits iwlwifi: split the handler and the wake parts of the notification infra iwlwifi: a000: fix memory offsets and lengths scsi: virtio_scsi: Always try to read VPD pages KVM: PPC: Book3S PR: Exit KVM on failed mapping mwifiex: don't leak 'chan_stats' on reset x86/reboot: Turn off KVM when halting a CPU ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER irqchip/mips-gic: 
Separate IPI reservation & usage tracking iommu/omap: Register driver before setting IOMMU ops md/raid10: wait up frozen array in handle_write_completed NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete() tcp: remove poll() flakes with FastOpen e1000e: fix timing for 82579 Gigabit Ethernet controller ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow IB/ipoib: Update broadcast object if PKey value was changed in index 0 HSI: ssi_protocol: double free in ssip_pn_xmit() IB/mlx4: Take write semaphore when changing the vma struct IB/mlx4: Change vma from shared to private IB/mlx5: Take write semaphore when changing the vma struct IB/mlx5: Change vma from shared to private IB/mlx5: Set correct SL in completion for RoCE ASoC: Intel: Skylake: Uninitialized variable in probe_codec() ibmvnic: Disable irq prior to close netvsc: Deal with rescinded channels correctly Fix driver usage of 128B WQEs when WQ_CREATE is V1. Fix Express lane queue creation. gpio: gpio-wcove: fix irq pending status bit width netfilter: xt_CT: fix refcnt leak on error path openvswitch: Delete conntrack entry clashing with an expectation. netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() tipc: check return value of nlmsg_new wan: pc300too: abort path on failure qlcnic: fix unchecked return value netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded platform/x86: intel-vbtn: add volume up and down scsi: mac_esp: Replace bogus memory barrier with spinlock infiniband/uverbs: Fix integer overflows pNFS: Fix use after free issues in pnfs_do_read() xprtrdma: Cancel refresh worker during buffer shutdown NFS: don't try to cross a mountpount when there isn't one there. 
iio: st_pressure: st_accel: Initialise sensor platform data properly mt7601u: check return value of alloc_skb libertas: check return value of alloc_workqueue rndis_wlan: add return value validation Btrfs: fix incorrect space accounting after failure to insert inline extent Btrfs: send, fix file hole not being preserved due to inline extent Btrfs: fix extent map leak during fallocate error path orangefs: do not wait for timeout if umounting mac80211: don't parse encrypted management frames in ieee80211_frame_acked ACPICA: iasl: Fix IORT SMMU GSI disassembling iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value dt-bindings: mfd: axp20x: Add "xpowers,master-mode" property for AXP806 PMICs mfd: palmas: Reset the POWERHOLD mux during power off mtip32xx: use runtime tag to initialize command header x86/KASLR: Fix kexec kernel boot crash when KASLR randomization fails gpio: gpio-wcove: fix GPIO IRQ status mask staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y staging: wilc1000: fix unchecked return value ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled mac80211: Fix possible sband related NULL pointer de-reference mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a netfilter: x_tables: unlock on error in xt_find_table_lock() ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP IB/rdmavt: restore IRQs on error path in rvt_create_ah() IB/hfi1: Fix softlockup issue platform/x86: asus-wmi: try to set als by default ipmi/watchdog: fix wdog hang on panic waiting for ipmi response ACPI / PMIC: xpower: Fix power_table addresses drm/amdgpu: fix gpu reset crash drm/nouveau/kms: Increase max retries in scanout position queries. 
jbd2: Fix lockdep splat with generic/270 test ixgbevf: fix size of queue stats length net: ethernet: ucc_geth: fix MEM_PART_MURAM mode soc/fsl/qe: round brg_freq to 1kHz granularity Bluetooth: hci_ldisc: Add protocol check to hci_uart_dequeue() Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() vxlan: correctly handle ipv6.disable module parameter qed: Unlock on error in qed_vf_pf_acquire() bnx2x: Align RX buffers power: supply: bq24190_charger: Add disable-reset device-property power: supply: isp1704: Fix unchecked return value of devm_kzalloc power: supply: pda_power: move from timer to delayed_work Input: twl4030-pwrbutton - use correct device for irq request IB/rxe: Don't clamp residual length to mtu md/raid10: skip spare disk as 'first' disk ACPI / power: Delay turning off unused power resources after suspend ia64: fix module loading for gcc-5.4 tcm_fileio: Prevent information leak for short reads x86/xen: split xen_smp_prepare_boot_cpu() video: fbdev: udlfb: Fix buffer on stack sm501fb: don't return zero on failure path in sm501fb_start() pNFS: Fix a deadlock when coalescing writes and returning the layout net: hns: fix ethtool_get_strings overflow in hns driver cifs: small underflow in cnvrtDosUnixTm() mm: fix check for reclaimable pages in PF_MEMALLOC reclaim throttling mm, vmstat: suppress pcp stats for unpopulated zones in zoneinfo mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL ath10k: fix out of bounds access to local buffer perf tests kmod-path: Don't fail if compressed modules aren't supported block/mq: Cure cpu hotplug lock inversion Bluetooth: hci_qca: Avoid setup failure on missing rampatch Bluetooth: btqcomsmd: Fix skb double free corruption media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt drm/msm: fix leak in failed get_pages RDMA/iwpm: Fix 
uninitialized error code in iwpm_send_mapinfo() rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. media: bt8xx: Fix err 'bt878_probe()' ath10k: handling qos at STA side based on AP WMM enable/disable media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect serial: 8250_dw: Disable clock on error cros_ec: fix nul-termination for firmware build info watchdog: Fix potential kref imbalance when opening watchdog platform/chrome: Use proper protocol transfer function dmaengine: zynqmp_dma: Fix race condition in the probe drm/tilcdc: ensure nonatomic iowrite64 is not used mmc: avoid removing non-removable hosts during suspend IB/ipoib: Avoid memory leak if the SA returns a different DGID RDMA/cma: Use correct size when writing netlink stats IB/umem: Fix use of npages/nmap fields iser-target: avoid reinitializing rdma contexts for isert commands vgacon: Set VGA struct resource types omapdrm: panel: fix compatible vendor string for td028ttec1 drm/omap: DMM: Check for DMM readiness after successful transaction commit pty: cancel pty slave port buf's work in tty_release coresight: Fix disabling of CoreSight TPIU pinctrl: Really force states during suspend/resume pinctrl: rockchip: enable clock when reading pin direction register iommu/vt-d: clean up pr_irq if request_threaded_irq fails ip6_vti: adjust vti mtu according to mtu of lower device RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS ARM: dts: aspeed-evb: Add unit name to memory node nfsd4: permit layoutget of executable-only files clk: Don't touch hardware when reparenting during registration clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() clk: si5351: Rename internal plls to avoid name collisions dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 IB/mlx5: Fix integer overflows in mlx5_ib_create_srq IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq clk: migrate the count of orphaned clocks at 
init RDMA/ucma: Fix access to non-initialized CM_ID object RDMA/ucma: Don't allow join attempts for unsupported AF family usb: gadget: f_hid: fix: Move IN request allocation to set_alt() Linux 4.9.90 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'drivers/char')
-rw-r--r--drivers/char/ipmi/ipmi_watchdog.c8
-rw-r--r--drivers/char/tpm/tpm-interface.c5
-rw-r--r--drivers/char/tpm/tpm2-cmd.c6
3 files changed, 15 insertions, 4 deletions
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 909311016108..055d2ce378a7 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -515,7 +515,7 @@ static void panic_halt_ipmi_heartbeat(void)
msg.cmd = IPMI_WDOG_RESET_TIMER;
msg.data = NULL;
msg.data_len = 0;
- atomic_add(2, &panic_done_count);
+ atomic_add(1, &panic_done_count);
rv = ipmi_request_supply_msgs(watchdog_user,
(struct ipmi_addr *) &addr,
0,
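Review bot: The literal `1` in `atomic_add(1, &panic_done_count)` and its matching `atomic_sub(1, &panic_done_count)` is only correct if exactly one completion path decrements the counter per request in panic context, and none of these hunks shows which handler that is. A comment at the add would record the invariant, for example `/* exactly one completion handler decrements panic_done_count per request */`, reworded to name the real handler. The same applies to the add/sub pair in panic_halt_ipmi_set_timeout() and to the `atomic_sub` in the second hunk of this function. The function body starts outside the hunk.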
@@ -525,7 +525,7 @@ static void panic_halt_ipmi_heartbeat(void)
&panic_halt_heartbeat_recv_msg,
1);
if (rv)
- atomic_sub(2, &panic_done_count);
+ atomic_sub(1, &panic_done_count);
}
static struct ipmi_smi_msg panic_halt_smi_msg = {
@@ -549,12 +549,12 @@ static void panic_halt_ipmi_set_timeout(void)
/* Wait for the messages to be free. */
while (atomic_read(&panic_done_count) != 0)
ipmi_poll_interface(watchdog_user);
- atomic_add(2, &panic_done_count);
+ atomic_add(1, &panic_done_count);
rv = i_ipmi_set_timeout(&panic_halt_smi_msg,
&panic_halt_recv_msg,
&send_heartbeat_now);
if (rv) {
- atomic_sub(2, &panic_done_count);
+ atomic_sub(1, &panic_done_count);
printk(KERN_WARNING PFX
"Unable to extend the watchdog timeout.");
} else {
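Review bot: The wait loop `while (atomic_read(&panic_done_count) != 0)` has no upper bound, so any later mismatch between increments and completions would hang the panic path again instead of degrading. Consider capping the number of `ipmi_poll_interface()` iterations and continuing with a warning once the cap is reached. Separately, the `printk` string "Unable to extend the watchdog timeout." has no trailing `\n`, so the message may be merged with the next log line. The function continues past the end of the hunk.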
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index d0ac2d56520f..830d7e30e508 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1078,6 +1078,11 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
break;
recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (recd > num_bytes) {
+ total = -EFAULT;
+ break;
+ }
+
memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
dest += recd;
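Review bot: The added `recd > num_bytes` check bounds the write into `dest`, but nothing in the hunk confirms that the response actually contained `recd` bytes of `rng_data`. A short response with a plausible length field would make the `memcpy` return leftover contents of `tpm_cmd` to the caller as random data. If the length returned by the transmit call is available in the part of tpm_get_random() outside this hunk, compare it against the header size plus `recd` before copying. An over-long length from the device is otherwise silent here; a `dev_warn_ratelimited()` on this branch would make a faulty or tampered bus visible, and `-EIO` describes the condition more accurately than `-EFAULT`.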
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 17896d654033..a5780ebe15ef 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -668,6 +668,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
if (!rc) {
data_len = be16_to_cpup(
(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
+ rc = -EFAULT;
+ goto out;
+ }
+
data = &buf.data[TPM_HEADER_SIZE + 6];
memcpy(payload->key, data, data_len - 1);
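Review bot: The range check on `data_len` protects the destination `payload->key`, but the source side is still unchecked. Both the read at `buf.data[TPM_HEADER_SIZE + 4]` and the `memcpy` from `data` assume the response holds at least `TPM_HEADER_SIZE + 6 + data_len` bytes. The function starts outside the hunk, so I cannot see whether the response length is validated earlier; if it is not, reject a shorter response before reading `data_len`. The `+ 1` in the upper bound would also benefit from a comment such as `/* data_len covers the key plus one trailing migratable byte */`, which matches the `data_len - 1` copy and the `data[data_len - 1]` read that follow.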
@@ -675,6 +680,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
payload->migratable = data[data_len - 1];
}
+out:
tpm_buf_destroy(&buf);
return rc;
}