aio: make sure the input "timeout" value is valid

euler inclusion
category: bugfix
bugzilla: NA
CVE: NA
-------------------------------------------------------------------------

UBSAN: Undefined behaviour in include/linux/ktime.h:55:34
signed integer overflow:
-4971973988617027584 * 1000000000 cannot be represented in type 'long int'
......
[<ffff80000072ca28>] timespec_to_ktime include/linux/ktime.h:55 [inline]
[<ffff80000072ca28>] read_events+0x4c8/0x5d0 fs/aio.c:1269
[<ffff8000007305bc>] SYSC_io_getevents fs/aio.c:1733 [inline]
[<ffff8000007305bc>] SyS_io_getevents+0xd4/0x218 fs/aio.c:1722
Signed-off-by: NZhen Lei <thunder.leizhen@huawei.com>

[Conflicts:
	fs/aio.c
	fs/compat.c
Rebuild patch to apply for 4.19.
]
Signed-off-by: Nyangerkun <yangerkun@huawei.com>
Reviewed-by: NYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>

fs/aio.c

@@ -2040,16 +2040,25 @@ static long do_io_getevents(aio_context_t ctx_id,
 		struct io_event __user *events,
 		struct timespec64 *ts)
 {
-	ktime_t until = ts ? timespec64_to_ktime(*ts) : KTIME_MAX;
 	struct kioctx *ioctx = lookup_ioctx(ctx_id);
 	long ret = -EINVAL;
 
 	if (likely(ioctx)) {
+		ktime_t until;
+
+		if (!ts)
+			until = KTIME_MAX;
+		else if (!timespec64_valid(ts))
+			goto out;
+		else
+			until = timespec64_to_ktime(*ts);
+
 		if (likely(min_nr <= nr && min_nr >= 0))
 			ret = read_events(ioctx, min_nr, nr, events, until);
 		percpu_ref_put(&ioctx->users);
 	}
 
+out:
 	return ret;
 }