CVE-2019-11487

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(backported from commit 8fde12ca)
[ Connor Kuehl: updated follow_hugetlb_page() to use a local variable
  for storing error code like upstream does in a later commit to
  accommodate this patch. Different patch context required manual
  placement of the try_get_page hunks from the original patch. ]
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>