Merge 4.19.206 into android-4.19-stable

Changes in 4.19.206
	net: qrtr: fix another OOB Read in qrtr_endpoint_post
	bpf: Do not use ax register in interpreter on div/mod
	bpf: Fix 32 bit src register truncation on div/mod
	bpf: Fix truncation handling for mod32 dst reg wrt zero
	ARC: Fix CONFIG_STACKDEPOT
	netfilter: conntrack: collect all entries in one cycle
	once: Fix panic when module unload
	can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
	Revert "USB: serial: ch341: fix character loss at high transfer rates"
	USB: serial: option: add new VID/PID to support Fibocom FG150
	usb: dwc3: gadget: Fix dwc3_calc_trbs_left()
	usb: dwc3: gadget: Stop EP0 transfers during pullup disable
	IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs()
	e1000e: Fix the max snoop/no-snoop latency for 10M
	ip_gre: add validation for csum_start
	xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()'
	net: marvell: fix MVNETA_TX_IN_PRGRS bit number
	net: hns3: fix get wrong pfc_en when query PFC configuration
	usb: gadget: u_audio: fix race condition on endpoint stop
	opp: remove WARN when no valid OPPs remain
	virtio: Improve vq->broken access to avoid any compiler optimization
	virtio_pci: Support surprise removal of virtio pci device
	vringh: Use wiov->used to check for read/write desc order
	qed: qed ll2 race condition fixes
	qed: Fix null-pointer dereference in qed_rdma_create_qp()
	drm: Copy drm_wait_vblank to user before returning
	drm/nouveau/disp: power down unused DP links during init
	net/rds: dma_map_sg is entitled to merge entries
	vt_kdsetmode: extend console locking
	fbmem: add margin check to fb_check_caps()
	KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
	Revert "floppy: reintroduce O_NDELAY fix"
	net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
	Linux 4.19.206

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I04e05680c5e311bc4cd79daae49d654b66f774a0

kernel/bpf/core.c

@@ -714,9 +714,6 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
 	 * below.
 	 *
 	 * Constant blinding is only used by JITs, not in the interpreter.
-	 * The interpreter uses AX in some occasions as a local temporary
-	 * register e.g. in DIV or MOD instructions.
-	 *
 	 * In restricted circumstances, the verifier can also use the AX
 	 * register for rewrites as long as they do not interfere with
 	 * the above cases!
@@ -1066,6 +1063,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
 #undef BPF_INSN_3_LBL
 #undef BPF_INSN_2_LBL
 	u32 tail_call_cnt = 0;
+	u64 tmp;
 
 #define CONT	 ({ insn++; goto select_insn; })
 #define CONT_JMP ({ insn++; goto select_insn; })
@@ -1126,36 +1124,36 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
 		(*(s64 *) &DST) >>= IMM;
 		CONT;
 	ALU64_MOD_X:
-		div64_u64_rem(DST, SRC, &AX);
-		DST = AX;
+		div64_u64_rem(DST, SRC, &tmp);
+		DST = tmp;
 		CONT;
 	ALU_MOD_X:
-		AX = (u32) DST;
-		DST = do_div(AX, (u32) SRC);
+		tmp = (u32) DST;
+		DST = do_div(tmp, (u32) SRC);
 		CONT;
 	ALU64_MOD_K:
-		div64_u64_rem(DST, IMM, &AX);
-		DST = AX;
+		div64_u64_rem(DST, IMM, &tmp);
+		DST = tmp;
 		CONT;
 	ALU_MOD_K:
-		AX = (u32) DST;
-		DST = do_div(AX, (u32) IMM);
+		tmp = (u32) DST;
+		DST = do_div(tmp, (u32) IMM);
 		CONT;
 	ALU64_DIV_X:
 		DST = div64_u64(DST, SRC);
 		CONT;
 	ALU_DIV_X:
-		AX = (u32) DST;
-		do_div(AX, (u32) SRC);
-		DST = (u32) AX;
+		tmp = (u32) DST;
+		do_div(tmp, (u32) SRC);
+		DST = (u32) tmp;
 		CONT;
 	ALU64_DIV_K:
 		DST = div64_u64(DST, IMM);
 		CONT;
 	ALU_DIV_K:
-		AX = (u32) DST;
-		do_div(AX, (u32) IMM);
-		DST = (u32) AX;
+		tmp = (u32) DST;
+		do_div(tmp, (u32) IMM);
+		DST = (u32) tmp;
 		CONT;
 	ALU_END_TO_BE:
 		switch (IMM) {