Merge 4.14.184 into android-4.14-stable

Changes in 4.14.184
	scsi: scsi_devinfo: fixup string compare
	libnvdimm: Fix endian conversion issues 
	scsi: hisi_sas: Check sas_port before using it
	spi: dw: use "smp_mb()" to avoid sending spi data error
	s390/ftrace: save traced function caller
	pppoe: only process PADT targeted at local interfaces
	ARC: Fix ICCM & DCCM runtime size checks
	ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT
	i2c: altera: Fix race between xfer_msg and isr thread
	x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
	net: bmac: Fix read of MAC address from ROM
	net/ethernet/freescale: rework quiesce/activate for ucc_geth
	net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x
	net: smsc911x: Fix runtime PM imbalance on error
	mm: Fix mremap not considering huge pmd devmap
	HID: sony: Fix for broken buttons on DS3 USB dongles
	HID: i2c-hid: add Schneider SCL142ALM to descriptor override
	p54usb: add AirVasT USB stick device-id
	kernel/relay.c: handle alloc_percpu returning NULL in relay_open
	mmc: fix compilation of user API
	scsi: ufs: Release clock if DMA map fails
	airo: Fix read overflows sending packets
	devinet: fix memleak in inetdev_init()
	l2tp: do not use inet_hash()/inet_unhash()
	net: usb: qmi_wwan: add Telit LE910C1-EUX composition
	NFC: st21nfca: add missed kfree_skb() in an error path
	vsock: fix timeout in vsock_accept()
	net: check untrusted gso_size at kernel entry
	l2tp: add sk_family checks to l2tp_validate_socket
	USB: serial: qcserial: add DW5816e QDL support
	USB: serial: usb_wwan: do not resubmit rx urb on fatal errors
	USB: serial: option: add Telit LE910C1-EUX compositions
	usb: musb: start session in resume for host port
	usb: musb: Fix runtime PM imbalance on error
	vt: keyboard: avoid signed integer overflow in k_ascii
	tty: hvc_console, fix crashes on parallel open/close
	staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
	CDC-ACM: heed quirk also in error handling
	nvmem: qfprom: remove incorrect write support
	x86/cpu: Add a steppings field to struct x86_cpu_id
	x86/cpu: Add 'table' argument to cpu_matches()
	x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation
	x86/speculation: Add SRBDS vulnerability and mitigation documentation
	x86/speculation: Add Ivy Bridge to affected list
	iio: vcnl4000: Fix i2c swapped word reading.
	uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
	Linux 4.14.184

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3d4d0f186e858b744255fcbd1d3eb9ee89603774

2 files changed, 15 insertions, 4 deletions

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index c74fc9826250..82270a41acce 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -612,10 +612,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file,
 	if (ret)
 		goto out;
 
-	/* uprobe_write_opcode() assumes we don't cross page boundary */
-	BUG_ON((uprobe->offset & ~PAGE_MASK) +
-			UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
-
 	smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
 	set_bit(UPROBE_COPY_INSN, &uprobe->flags);
 
@@ -894,6 +890,13 @@ int uprobe_register(struct inode *inode, loff_t offset, struct uprobe_consumer *
 	if (offset > i_size_read(inode))
 		return -EINVAL;
 
+	/*
+	 * This ensures that copy_from_page() and copy_to_page()
+	 * can't cross page boundary.
+	 */
+	if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE))
+		return -EINVAL;
+
  retry:
 	uprobe = alloc_uprobe(inode, offset);
 	if (!uprobe)
@@ -1704,6 +1707,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
 	uprobe_opcode_t opcode;
 	int result;
 
+	if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE)))
+		return -EINVAL;
+
 	pagefault_disable();
 	result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr);
 	pagefault_enable();
diff --git a/kernel/relay.c b/kernel/relay.c
index 61d37e6da22d..b141ce697679 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -580,6 +580,11 @@ struct rchan *relay_open(const char *base_filename,
 		return NULL;
 
 	chan->buf = alloc_percpu(struct rchan_buf *);
+	if (!chan->buf) {
+		kfree(chan);
+		return NULL;
+	}
+
 	chan->version = RELAYFS_CHANNEL_VERSION;
 	chan->n_subbufs = n_subbufs;
 	chan->subbuf_size = subbuf_size;