Merge 4.4.168 into android-4.4

Changes in 4.4.168
	ipv6: Check available headroom in ip6_xmit() even without options
	net: 8139cp: fix a BUG triggered by changing mtu with network traffic
	net: phy: don't allow __set_phy_supported to add unsupported modes
	net: Prevent invalid access to skb->prev in __qdisc_drop_all
	rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
	tcp: fix NULL ref in tail loss probe
	tun: forbid iface creation with rtnl ops
	neighbour: Avoid writing before skb->head in neigh_hh_output()
	ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup
	ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
	sysv: return 'err' instead of 0 in __sysv_write_inode
	s390/cpum_cf: Reject request for sampling in event initialization
	hwmon: (ina2xx) Fix current value calculation
	ASoC: dapm: Recalculate audio map forcely when card instantiated
	hwmon: (w83795) temp4_type has writable permission
	Btrfs: send, fix infinite loop due to directory rename dependencies
	ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
	ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
	exportfs: do not read dentry after free
	bpf: fix check of allowed specifiers in bpf_trace_printk
	USB: omap_udc: use devm_request_irq()
	USB: omap_udc: fix crashes on probe error and module removal
	USB: omap_udc: fix omap_udc_start() on 15xx machines
	USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
	KVM: x86: fix empty-body warnings
	net: thunderx: fix NULL pointer dereference in nic_remove
	ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
	net: hisilicon: remove unexpected free_netdev
	drm/ast: fixed reading monitor EDID not stable issue
	xen: xlate_mmu: add missing header to fix 'W=1' warning
	fscache: fix race between enablement and dropping of object
	fscache, cachefiles: remove redundant variable 'cache'
	ocfs2: fix deadlock caused by ocfs2_defrag_extent()
	hfs: do not free node before using
	hfsplus: do not free node before using
	debugobjects: avoid recursive calls with kmemleak
	ocfs2: fix potential use after free
	pstore: Convert console write to use ->write_buf
	ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
	KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
	KVM: nVMX: mark vmcs12 pages dirty on L2 exit
	KVM: nVMX: Eliminate vmcs02 pool
	KVM: VMX: introduce alloc_loaded_vmcs
	KVM: VMX: make MSR bitmaps per-VCPU
	KVM/x86: Add IBPB support
	KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
	KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
	KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
	KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
	x86: reorganize SMAP handling in user space accesses
	x86: fix SMAP in 32-bit environments
	x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
	x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
	x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
	x86/bugs, KVM: Support the combination of guest and host IBRS
	x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
	KVM: SVM: Move spec control call after restore of GS
	x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
	x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
	KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
	bpf: support 8-byte metafield access
	bpf/verifier: Add spi variable to check_stack_write()
	bpf/verifier: Pass instruction index to check_mem_access() and check_xadd()
	bpf: Prevent memory disambiguation attack
	wil6210: missing length check in wmi_set_ie
	posix-timers: Sanitize overrun handling
	mm/hugetlb.c: don't call region_abort if region_chg fails
	hugetlbfs: fix offset overflow in hugetlbfs mmap
	hugetlbfs: check for pgoff value overflow
	hugetlbfs: fix bug in pgoff overflow checking
	swiotlb: clean up reporting
	sr: pass down correctly sized SCSI sense buffer
	mm: remove write/force parameters from __get_user_pages_locked()
	mm: remove write/force parameters from __get_user_pages_unlocked()
	mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages()
	mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
	mm: replace get_user_pages_locked() write/force parameters with gup_flags
	mm: replace get_vaddr_frames() write/force parameters with gup_flags
	mm: replace get_user_pages() write/force parameters with gup_flags
	mm: replace __access_remote_vm() write parameter with gup_flags
	mm: replace access_remote_vm() write parameter with gup_flags
	proc: don't use FOLL_FORCE for reading cmdline and environment
	proc: do not access cmdline nor environ from file-backed areas
	media: dvb-frontends: fix i2c access helpers for KASAN
	matroxfb: fix size of memcpy
	staging: speakup: Replace strncpy with memcpy
	rocker: fix rocker_tlv_put_* functions for KASAN
	selftests: Move networking/timestamping from Documentation
	Linux 4.4.168

Change-Id: I71a633f645fada4b473abcff660a9ada3103592b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

1 files changed, 27 insertions, 3 deletions

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index a17da8b57fc6..ab34f613fa85 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -118,6 +118,16 @@ static void huge_pagevec_release(struct pagevec *pvec)
 	pagevec_reinit(pvec);
 }
 
+/*
+ * Mask used when checking the page offset value passed in via system
+ * calls.  This value will be converted to a loff_t which is signed.
+ * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
+ * value.  The extra bit (- 1 in the shift value) is to take the sign
+ * bit into account.
+ */
+#define PGOFF_LOFFT_MAX \
+	(((1UL << (PAGE_SHIFT + 1)) - 1) <<  (BITS_PER_LONG - (PAGE_SHIFT + 1)))
+
 static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	struct inode *inode = file_inode(file);
@@ -136,17 +146,31 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 	vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
 	vma->vm_ops = &hugetlb_vm_ops;
 
+	/*
+	 * page based offset in vm_pgoff could be sufficiently large to
+	 * overflow a loff_t when converted to byte offset.  This can
+	 * only happen on architectures where sizeof(loff_t) ==
+	 * sizeof(unsigned long).  So, only check in those instances.
+	 */
+	if (sizeof(unsigned long) == sizeof(loff_t)) {
+		if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
+			return -EINVAL;
+	}
+
+	/* must be huge page aligned */
 	if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
 		return -EINVAL;
 
 	vma_len = (loff_t)(vma->vm_end - vma->vm_start);
+	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+	/* check for overflow */
+	if (len < vma_len)
+		return -EINVAL;
 
 	mutex_lock(&inode->i_mutex);
 	file_accessed(file);
 
 	ret = -ENOMEM;
-	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
-
 	if (hugetlb_reserve_pages(inode,
 				vma->vm_pgoff >> huge_page_order(h),
 				len >> huge_page_shift(h), vma,
@@ -155,7 +179,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 
 	ret = 0;
 	if (vma->vm_flags & VM_WRITE && inode->i_size < len)
-		inode->i_size = len;
+		i_size_write(inode, len);
 out:
 	mutex_unlock(&inode->i_mutex);