Merge 4.4.168 into android-4.4

Changes in 4.4.168
	ipv6: Check available headroom in ip6_xmit() even without options
	net: 8139cp: fix a BUG triggered by changing mtu with network traffic
	net: phy: don't allow __set_phy_supported to add unsupported modes
	net: Prevent invalid access to skb->prev in __qdisc_drop_all
	rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
	tcp: fix NULL ref in tail loss probe
	tun: forbid iface creation with rtnl ops
	neighbour: Avoid writing before skb->head in neigh_hh_output()
	ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup
	ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
	sysv: return 'err' instead of 0 in __sysv_write_inode
	s390/cpum_cf: Reject request for sampling in event initialization
	hwmon: (ina2xx) Fix current value calculation
	ASoC: dapm: Recalculate audio map forcely when card instantiated
	hwmon: (w83795) temp4_type has writable permission
	Btrfs: send, fix infinite loop due to directory rename dependencies
	ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
	ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
	exportfs: do not read dentry after free
	bpf: fix check of allowed specifiers in bpf_trace_printk
	USB: omap_udc: use devm_request_irq()
	USB: omap_udc: fix crashes on probe error and module removal
	USB: omap_udc: fix omap_udc_start() on 15xx machines
	USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
	KVM: x86: fix empty-body warnings
	net: thunderx: fix NULL pointer dereference in nic_remove
	ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
	net: hisilicon: remove unexpected free_netdev
	drm/ast: fixed reading monitor EDID not stable issue
	xen: xlate_mmu: add missing header to fix 'W=1' warning
	fscache: fix race between enablement and dropping of object
	fscache, cachefiles: remove redundant variable 'cache'
	ocfs2: fix deadlock caused by ocfs2_defrag_extent()
	hfs: do not free node before using
	hfsplus: do not free node before using
	debugobjects: avoid recursive calls with kmemleak
	ocfs2: fix potential use after free
	pstore: Convert console write to use ->write_buf
	ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
	KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
	KVM: nVMX: mark vmcs12 pages dirty on L2 exit
	KVM: nVMX: Eliminate vmcs02 pool
	KVM: VMX: introduce alloc_loaded_vmcs
	KVM: VMX: make MSR bitmaps per-VCPU
	KVM/x86: Add IBPB support
	KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
	KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
	KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
	KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
	x86: reorganize SMAP handling in user space accesses
	x86: fix SMAP in 32-bit environments
	x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
	x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
	x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
	x86/bugs, KVM: Support the combination of guest and host IBRS
	x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
	KVM: SVM: Move spec control call after restore of GS
	x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
	x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
	KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
	bpf: support 8-byte metafield access
	bpf/verifier: Add spi variable to check_stack_write()
	bpf/verifier: Pass instruction index to check_mem_access() and check_xadd()
	bpf: Prevent memory disambiguation attack
	wil6210: missing length check in wmi_set_ie
	posix-timers: Sanitize overrun handling
	mm/hugetlb.c: don't call region_abort if region_chg fails
	hugetlbfs: fix offset overflow in hugetlbfs mmap
	hugetlbfs: check for pgoff value overflow
	hugetlbfs: fix bug in pgoff overflow checking
	swiotlb: clean up reporting
	sr: pass down correctly sized SCSI sense buffer
	mm: remove write/force parameters from __get_user_pages_locked()
	mm: remove write/force parameters from __get_user_pages_unlocked()
	mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages()
	mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
	mm: replace get_user_pages_locked() write/force parameters with gup_flags
	mm: replace get_vaddr_frames() write/force parameters with gup_flags
	mm: replace get_user_pages() write/force parameters with gup_flags
	mm: replace __access_remote_vm() write parameter with gup_flags
	mm: replace access_remote_vm() write parameter with gup_flags
	proc: don't use FOLL_FORCE for reading cmdline and environment
	proc: do not access cmdline nor environ from file-backed areas
	media: dvb-frontends: fix i2c access helpers for KASAN
	matroxfb: fix size of memcpy
	staging: speakup: Replace strncpy with memcpy
	rocker: fix rocker_tlv_put_* functions for KASAN
	selftests: Move networking/timestamping from Documentation
	Linux 4.4.168

Change-Id: I71a633f645fada4b473abcff660a9ada3103592b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

1 files changed, 19 insertions, 10 deletions

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index fc7c37ad90a0..0e6ed2e7d066 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -355,6 +355,17 @@ static __init int init_posix_timers(void)
 
 __initcall(init_posix_timers);
 
+/*
+ * The siginfo si_overrun field and the return value of timer_getoverrun(2)
+ * are of type int. Clamp the overrun value to INT_MAX
+ */
+static inline int timer_overrun_to_int(struct k_itimer *timr, int baseval)
+{
+	s64 sum = timr->it_overrun_last + (s64)baseval;
+
+	return sum > (s64)INT_MAX ? INT_MAX : (int)sum;
+}
+
 static void schedule_next_timer(struct k_itimer *timr)
 {
 	struct hrtimer *timer = &timr->it.real.timer;
@@ -362,12 +373,11 @@ static void schedule_next_timer(struct k_itimer *timr)
 	if (timr->it.real.interval.tv64 == 0)
 		return;
 
-	timr->it_overrun += (unsigned int) hrtimer_forward(timer,
-						timer->base->get_time(),
-						timr->it.real.interval);
+	timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
+					    timr->it.real.interval);
 
 	timr->it_overrun_last = timr->it_overrun;
-	timr->it_overrun = -1;
+	timr->it_overrun = -1LL;
 	++timr->it_requeue_pending;
 	hrtimer_restart(timer);
 }
@@ -396,7 +406,7 @@ void do_schedule_next_timer(struct siginfo *info)
 		else
 			schedule_next_timer(timr);
 
-		info->si_overrun += timr->it_overrun_last;
+		info->si_overrun = timer_overrun_to_int(timr, info->si_overrun);
 	}
 
 	if (timr)
@@ -491,8 +501,7 @@ static enum hrtimer_restart posix_timer_fn(struct hrtimer *timer)
 					now = ktime_add(now, kj);
 			}
 #endif
-			timr->it_overrun += (unsigned int)
-				hrtimer_forward(timer, now,
+			timr->it_overrun += hrtimer_forward(timer, now,
 						timr->it.real.interval);
 			ret = HRTIMER_RESTART;
 			++timr->it_requeue_pending;
@@ -633,7 +642,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
 	it_id_set = IT_ID_SET;
 	new_timer->it_id = (timer_t) new_timer_id;
 	new_timer->it_clock = which_clock;
-	new_timer->it_overrun = -1;
+	new_timer->it_overrun = -1LL;
 
 	if (timer_event_spec) {
 		if (copy_from_user(&event, timer_event_spec, sizeof (event))) {
@@ -762,7 +771,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
 	 */
 	if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
 			timr->it_sigev_notify == SIGEV_NONE))
-		timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
+		timr->it_overrun += hrtimer_forward(timer, now, iv);
 
 	remaining = __hrtimer_expires_remaining_adjusted(timer, now);
 	/* Return 0 only, when the timer is expired and not pending */
@@ -824,7 +833,7 @@ SYSCALL_DEFINE1(timer_getoverrun, timer_t, timer_id)
 	if (!timr)
 		return -EINVAL;
 
-	overrun = timr->it_overrun_last;
+	overrun = timer_overrun_to_int(timr, 0);
 	unlock_timer(timr, flags);
 
 	return overrun;