Merge branch 'android11-5.4' into 'android11-5.4-lts'

Sync up with android11-5.4 for the following commits:

d8789c9d2e Merge tag 'android11-5.4.180_r00' into android11-5.4
e12150c5be UPSTREAM: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
9f9386182f UPSTREAM: usb: gadget: rndis: prevent integer overflow in rndis_set_response()
09809e2b27 UPSTREAM: fixup for "arm64 entry: Add macro for reading symbol address from the trampoline"
194240faf6 UPSTREAM: arm64: Use the clearbhb instruction in mitigations
4900c32514 UPSTREAM: KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated
18ee502110 UPSTREAM: arm64: Mitigate spectre style branch history side channels
f734ff58b6 UPSTREAM: KVM: arm64: Add templates for BHB mitigation sequences
66ef49ca32 UPSTREAM: arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2
36b454a8d4 UPSTREAM: arm64: Add percpu vectors for EL1
df875dc844 UPSTREAM: arm64: entry: Add macro for reading symbol addresses from the trampoline
a04f5e2607 UPSTREAM: arm64: entry: Add vectors that have the bhb mitigation sequences
e545c71992 UPSTREAM: arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
ef5fb0f94d UPSTREAM: arm64: entry: Allow the trampoline text to occupy multiple pages
363341f5bf UPSTREAM: arm64: entry: Make the kpti trampoline's kpti sequence optional
25cd0ee5ae UPSTREAM: arm64: entry: Move trampoline macros out of ifdef'd section
41285e5a05 UPSTREAM: arm64: entry: Don't assume tramp_vectors is the start of the vectors
f1529317ea UPSTREAM: arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
52e174ea59 UPSTREAM: arm64: entry: Move the trampoline data page before the text page
491224d402 UPSTREAM: arm64: entry: Free up another register on kpti's tramp_exit path
0955db3b69 UPSTREAM: arm64: entry: Make the trampoline cleanup optional
289accc54c UPSTREAM: arm64: entry.S: Add ventry overflow sanity checks
990f43d447 UPSTREAM: arm64: Add Cortex-X2 CPU part definition
a08470635c UPSTREAM: arm64: add ID_AA64ISAR2_EL1 sys register
473d08011d UPSTREAM: arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
b1c011e721 UPSTREAM: arm64: Add part number for Arm Cortex-A77
7d1d2de33e UPSTREAM: sctp: fix the processing for INIT chunk
b94d6fe4ce ANDROID: dm-bow: Protect Ranges fetched and erased from the RB tree
6cfc86a0f8 UPSTREAM: ARM: fix Thumb2 regression with Spectre BHB
e491469b29 UPSTREAM: ARM: Spectre-BHB: provide empty stub for non-config
383c8eb200 UPSTREAM: ARM: fix build warning in proc-v7-bugs.c
244fecd055 UPSTREAM: ARM: Do not use NOCROSSREFS directive with ld.lld
33ecfe789b UPSTREAM: ARM: fix co-processor register typo
a25723033c UPSTREAM: ARM: fix build error when BPF_SYSCALL is disabled
dc0445910f UPSTREAM: ARM: include unprivileged BPF status in Spectre V2 reporting
9ff274f531 UPSTREAM: ARM: Spectre-BHB workaround
21e0a096a0 UPSTREAM: ARM: use LOADADDR() to get load address of sections
0013389a4f UPSTREAM: ARM: early traps initialisation
3aa8448c5d UPSTREAM: ARM: report Spectre v2 status through sysfs
57927cab04 UPSTREAM: arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit()
123e80fe59 UPSTREAM: arm/arm64: Provide a wrapper for SMCCC 1.1 calls
398beb5677 UPSTREAM: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
c8803feb8c UPSTREAM: x86/speculation: Warn about Spectre v2 LFENCE mitigation
69aa4eee4d UPSTREAM: x86/speculation: Update link to AMD speculation whitepaper
9ad2b9b20f UPSTREAM: x86/speculation: Use generic retpoline by default on AMD
4e9fffdc89 UPSTREAM: x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting
4318c0c64f UPSTREAM: Documentation/hw-vuln: Update spectre doc
b9eb6a3cb2 UPSTREAM: x86/speculation: Add eIBRS + Retpoline options
f86fd59049 UPSTREAM: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
0b8fa4c67e UPSTREAM: x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
951cd7f645 UPSTREAM: x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
508711cf30 UPSTREAM: bpf: Add kconfig knob for disabling unpriv bpf by default
2aea7dc18f UPSTREAM: mmc: block: fix read single on recovery logic
5d7a491ae4 UPSTREAM: lib/iov_iter: initialize "flags" in new pipe_buffer
88e1302769 Revert "ANDROID: incremental-fs: remove index and incomplete dir on umount"
2b144ea90c Revert "ANDROID: incremental-fs: fix mount_fs issue"
46778c889e FROMGIT: f2fs: avoid EINVAL by SBI_NEED_FSCK when pinning a file
9a4b39bd76 UPSTREAM: usb: gadget: rndis: check size of RNDIS_MSG_SET command
0d1f1d4375 UPSTREAM: USB: gadget: validate interface OS descriptor requests
f5fe46103f Revert "tracefs: Have tracefs directories not set OTH permission bits by default"
717add4ec8 UPSTREAM: tipc: improve size validations for received domain records

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8f950d67b05ff95523e4a59f59ed6a376f2ad674

drivers/md/dm-bow.c

@@ -236,6 +236,7 @@ static void set_type(struct bow_context *bc, struct bow_range **br, int type)
 
 	(*br)->type = type;
 
+	mutex_lock(&bc->ranges_lock);
 	if (next->type == type) {
 		if (type == TRIMMED)
 			list_del(&next->trimmed_list);
@@ -249,6 +250,7 @@ static void set_type(struct bow_context *bc, struct bow_range **br, int type)
 		rb_erase(&(*br)->node, &bc->ranges);
 		kfree(*br);
 	}
+	mutex_unlock(&bc->ranges_lock);
 
 	*br = NULL;
 }
@@ -599,6 +601,7 @@ static void dm_bow_dtr(struct dm_target *ti)
 	struct bow_context *bc = (struct bow_context *) ti->private;
 	struct kobject *kobj;
 
+	mutex_lock(&bc->ranges_lock);
 	while (rb_first(&bc->ranges)) {
 		struct bow_range *br = container_of(rb_first(&bc->ranges),
 						    struct bow_range, node);
@@ -606,6 +609,8 @@ static void dm_bow_dtr(struct dm_target *ti)
 		rb_erase(&br->node, &bc->ranges);
 		kfree(br);
 	}
+	mutex_unlock(&bc->ranges_lock);
+
 	if (bc->workqueue)
 		destroy_workqueue(bc->workqueue);
 	if (bc->bufio)
@@ -1182,6 +1187,7 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result,
 		return;
 	}
 
+	mutex_lock(&bc->ranges_lock);
 	for (i = rb_first(&bc->ranges); i; i = rb_next(i)) {
 		struct bow_range *br = container_of(i, struct bow_range, node);
 
@@ -1189,11 +1195,11 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result,
 				    readable_type[br->type],
 				    (unsigned long long)br->sector);
 		if (result >= end)
-			return;
+			goto unlock;
 
 		result += scnprintf(result, end - result, "\n");
 		if (result >= end)
-			return;
+			goto unlock;
 
 		if (br->type == TRIMMED)
 			++trimmed_range_count;
@@ -1215,19 +1221,22 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result,
 		if (!rb_next(i)) {
 			scnprintf(result, end - result,
 				  "\nERROR: Last range not of type TOP");
-			return;
+			goto unlock;
 		}
 
 		if (br->sector > range_top(br)) {
 			scnprintf(result, end - result,
 				  "\nERROR: sectors out of order");
-			return;
+			goto unlock;
 		}
 	}
 
 	if (trimmed_range_count != trimmed_list_length)
 		scnprintf(result, end - result,
 			  "\nERROR: not all trimmed ranges in trimmed list");
+
+unlock:
+	mutex_unlock(&bc->ranges_lock);
 }
 
 static void dm_bow_status(struct dm_target *ti, status_type_t type,

drivers/usb/gadget/function/rndis.c

@@ -642,6 +642,7 @@ static int rndis_set_response(struct rndis_params *params,
 	BufLength = le32_to_cpu(buf->InformationBufferLength);
 	BufOffset = le32_to_cpu(buf->InformationBufferOffset);
 	if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
+	    (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
 	    (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
 		    return -EINVAL;
 

drivers/usb/gadget/udc/core.c

@@ -1303,7 +1303,6 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
 	usb_gadget_udc_stop(udc);
 
 	udc->driver = NULL;
-	udc->dev.driver = NULL;
 	udc->gadget->dev.driver = NULL;
 }
 
@@ -1352,7 +1351,6 @@ static int udc_bind_to_driver(struct usb_udc *udc, struct usb_gadget_driver *dri
 			driver->function);
 
 	udc->driver = driver;
-	udc->dev.driver = &driver->driver;
 	udc->gadget->dev.driver = &driver->driver;
 
 	usb_gadget_udc_set_speed(udc, driver->max_speed);
@@ -1374,7 +1372,6 @@ err1:
 		dev_err(&udc->dev, "failed to start %s: %d\n",
 			udc->driver->function, ret);
 	udc->driver = NULL;
-	udc->dev.driver = NULL;
 	udc->gadget->dev.driver = NULL;
 	return ret;
 }

fs/f2fs/data.c

@@ -2577,6 +2577,11 @@ bool f2fs_should_update_outplace(struct inode *inode, struct f2fs_io_info *fio)
 {
 	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
 
+	/* The below cases were checked when setting it. */
+	if (f2fs_is_pinned_file(inode))
+		return false;
+	if (fio && is_sbi_flag_set(sbi, SBI_NEED_FSCK))
+		return true;
 	if (f2fs_lfs_mode(sbi))
 		return true;
 	if (S_ISDIR(inode->i_mode))

fs/f2fs/file.c

@@ -3235,17 +3235,17 @@ static int f2fs_ioc_set_pin_file(struct file *filp, unsigned long arg)
 
 	inode_lock(inode);
 
-	if (f2fs_should_update_outplace(inode, NULL)) {
-		ret = -EINVAL;
-		goto out;
-	}
-
 	if (!pin) {
 		clear_inode_flag(inode, FI_PIN_FILE);
 		f2fs_i_gc_failures_write(inode, 0);
 		goto done;
 	}
 
+	if (f2fs_should_update_outplace(inode, NULL)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	if (f2fs_pin_file_control(inode, false)) {
 		ret = -EAGAIN;
 		goto out;

fs/incfs/vfs.c

@@ -319,6 +319,7 @@ static struct mount_info *get_mount_info(struct super_block *sb)
 {
 	struct mount_info *result = sb->s_fs_info;
 
+	WARN_ON(!result);
 	return result;
 }
 
@@ -677,7 +678,7 @@ static int iterate_incfs_dir(struct file *file, struct dir_context *ctx)
 	struct mount_info *mi = get_mount_info(file_superblock(file));
 	bool root;
 
-	if (!dir || !mi) {
+	if (!dir) {
 		error = -EBADF;
 		goto out;
 	}
@@ -1841,9 +1842,6 @@ static int dir_rename(struct inode *old_dir, struct dentry *old_dentry,
 	struct dentry *trap;
 	int error = 0;
 
-	if (!mi)
-		return -EBADF;
-
 	error = mutex_lock_interruptible(&mi->mi_dir_struct_mutex);
 	if (error)
 		return error;
@@ -2091,9 +2089,6 @@ static ssize_t incfs_getxattr(struct dentry *d, const char *name,
 	char *stored_value;
 	size_t stored_size;
 
-	if (!mi)
-		return -EBADF;
-
 	if (di && di->backing_path.dentry)
 		return vfs_getxattr(di->backing_path.dentry, name, value, size);
 
@@ -2130,9 +2125,6 @@ static ssize_t incfs_setxattr(struct dentry *d, const char *name,
 	void **stored_value;
 	size_t *stored_size;
 
-	if (!mi)
-		return -EBADF;
-
 	if (di && di->backing_path.dentry)
 		return vfs_setxattr(di->backing_path.dentry, name, value, size,
 				    flags);
@@ -2173,11 +2165,6 @@ static ssize_t incfs_listxattr(struct dentry *d, char *list, size_t size)
 	return vfs_listxattr(di->backing_path.dentry, list, size);
 }
 
-static int incfs_test_super(struct super_block *s, void *p)
-{
-	return s->s_fs_info != NULL;
-}
-
 struct dentry *incfs_mount_fs(struct file_system_type *type, int flags,
 			      const char *dev_name, void *data)
 {
@@ -2187,8 +2174,7 @@ struct dentry *incfs_mount_fs(struct file_system_type *type, int flags,
 	struct dentry *index_dir;
 	struct super_block *src_fs_sb = NULL;
 	struct inode *root_inode = NULL;
-	struct super_block *sb = sget(type, incfs_test_super, set_anon_super,
-				      flags, NULL);
+	struct super_block *sb = sget(type, NULL, set_anon_super, flags, NULL);
 	int error = 0;
 
 	if (IS_ERR(sb))
@@ -2229,18 +2215,13 @@ struct dentry *incfs_mount_fs(struct file_system_type *type, int flags,
 	src_fs_sb = backing_dir_path.dentry->d_sb;
 	sb->s_maxbytes = src_fs_sb->s_maxbytes;
 
-	if (!sb->s_fs_info) {
-		mi = incfs_alloc_mount_info(sb, &options, &backing_dir_path);
+	mi = incfs_alloc_mount_info(sb, &options, &backing_dir_path);
 
-		if (IS_ERR_OR_NULL(mi)) {
-			error = PTR_ERR(mi);
-			pr_err("incfs: Error allocating mount info. %d\n", error);
-			mi = NULL;
-			goto err;
-		}
-		sb->s_fs_info = mi;
-	} else {
-		mi = sb->s_fs_info;
+	if (IS_ERR_OR_NULL(mi)) {
+		error = PTR_ERR(mi);
+		pr_err("incfs: Error allocating mount info. %d\n", error);
+		mi = NULL;
+		goto err;
 	}
 
 	index_dir = open_or_create_index_dir(backing_dir_path.dentry);
@@ -2252,24 +2233,23 @@ struct dentry *incfs_mount_fs(struct file_system_type *type, int flags,
 	}
 	mi->mi_index_dir = index_dir;
 
+	sb->s_fs_info = mi;
 	root_inode = fetch_regular_inode(sb, backing_dir_path.dentry);
 	if (IS_ERR(root_inode)) {
 		error = PTR_ERR(root_inode);
 		goto err;
 	}
 
+	sb->s_root = d_make_root(root_inode);
 	if (!sb->s_root) {
-		sb->s_root = d_make_root(root_inode);
-		if (!sb->s_root) {
-			error = -ENOMEM;
-			goto err;
-		}
-		error = incfs_init_dentry(sb->s_root, &backing_dir_path);
-		if (error)
-			goto err;
+		error = -ENOMEM;
+		goto err;
 	}
+	error = incfs_init_dentry(sb->s_root, &backing_dir_path);
+	if (error)
+		goto err;
 
-	mi->mi_backing_dir_path = backing_dir_path;
+	path_put(&backing_dir_path);
 	sb->s_flags |= SB_ACTIVE;
 
 	pr_debug("incfs: mount\n");
@@ -2288,9 +2268,6 @@ static int incfs_remount_fs(struct super_block *sb, int *flags, char *data)
 	struct mount_info *mi = get_mount_info(sb);
 	int err = 0;
 
-	if (!mi)
-		return err;
-
 	sync_filesystem(sb);
 	err = parse_options(&options, (char *)data);
 	if (err)
@@ -2309,9 +2286,8 @@ void incfs_kill_sb(struct super_block *sb)
 	struct mount_info *mi = sb->s_fs_info;
 
 	pr_debug("incfs: unmount\n");
-	vfs_rmdir(d_inode(mi->mi_backing_dir_path.dentry), mi->mi_index_dir);
-	kill_anon_super(sb);
 	incfs_free_mount_info(mi);
+	generic_shutdown_super(sb);
 	sb->s_fs_info = NULL;
 }
 
@@ -2319,9 +2295,6 @@ static int show_options(struct seq_file *m, struct dentry *root)
 {
 	struct mount_info *mi = get_mount_info(root->d_sb);
 
-	if (!mi)
-		return -EBADF;
-
 	seq_printf(m, ",read_timeout_ms=%u", mi->mi_options.read_timeout_ms);
 	seq_printf(m, ",readahead=%u", mi->mi_options.readahead_pages);
 	if (mi->mi_options.read_log_pages != 0) {

fs/tracefs/inode.c

@@ -502,8 +502,7 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent,
 	if (unlikely(!inode))
 		return failed_creating(dentry);
 
-	/* Do not set bits for OTH */
-	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
 	inode->i_op = ops;
 	inode->i_fop = &simple_dir_operations;
 	inode->i_uid = d_inode(dentry->d_parent)->i_uid;