Merge tag 'ASB-2018-08-05_3.18-o-mr1' into XOS-8.1

https://source.android.com/security/bulletin/2018-08-01
CVE-2017-18249*
CVE-2018-9465
CVE-2018-9439
CVE-2018-1068

* currently no 4.4 backports exist for CVE-2017-18249 on android-4.4
  release branches. This affects only devices using f2fs running
  4.4 kernels.

* tag 'ASB-2018-08-05_3.18-o-mr1':
  netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
  FROMLIST: binder: fix proc->files use-after-free
  x86/MCE: Serialize sysfs changes
  scsi: sg: don't return bogus Sg_requests
  futex: Prevent overflow by strengthen input validation
  usb: gadget: f_hid: fix: Prevent accessing released memory
  futex: Remove requirement for lock_page() in get_futex_key()
  usb: gadget: define free_ep_req as universal function

Signed-off-by: Harsh Shandilya <[email protected]>

arch/x86/kernel/cpu/mcheck/mce.c

@@ -2240,6 +2240,9 @@ static ssize_t store_int_with_restart(struct device *s,
 	if (check_interval == old_check_interval)
 		return ret;
 
+	if (check_interval < 1)
+		check_interval = 1;
+
 	mutex_lock(&mce_sysfs_mutex);
 	mce_restart();
 	mutex_unlock(&mce_sysfs_mutex);

drivers/usb/gadget/u_f.h

@@ -62,7 +62,7 @@ struct usb_request;
  */
 struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len);
 
-/* Frees a usb_request previously allocated by alloc_ep_req() */
+/* Requests allocated via alloc_ep_req() must be freed by free_ep_req(). */
 static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
 {
 	kfree(req->buf);

net/bridge/netfilter/ebtables.c

@@ -2102,7 +2102,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
 	for (i = 0; i < 4 ; ++i) {
-		if (offsets[i] > *total)
+		if (offsets[i] >= *total)
 			return -EINVAL;
 
 		if (i < 3 && offsets[i] == *total)