Contents of /trunk/kernel-alx-legacy/patches-4.9/0400-4.9.301-all-fixes.patch
Parent Directory | Revision Log
Revision 3702 -
(show annotations)
(download)
Mon Oct 24 14:08:15 2022 UTC (18 months ago) by niro
File size: 3752 byte(s)
Mon Oct 24 14:08:15 2022 UTC (18 months ago) by niro
File size: 3752 byte(s)
-linux-4.9.301
1 | diff --git a/Makefile b/Makefile |
2 | index 52e73f525a442..776408b6c56e7 100644 |
3 | --- a/Makefile |
4 | +++ b/Makefile |
5 | @@ -1,6 +1,6 @@ |
6 | VERSION = 4 |
7 | PATCHLEVEL = 9 |
8 | -SUBLEVEL = 300 |
9 | +SUBLEVEL = 301 |
10 | EXTRAVERSION = |
11 | NAME = Roaring Lionus |
12 | |
13 | diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c |
14 | index 41a5493cb68d8..a5b03fb7656d1 100644 |
15 | --- a/drivers/mmc/host/moxart-mmc.c |
16 | +++ b/drivers/mmc/host/moxart-mmc.c |
17 | @@ -698,12 +698,12 @@ static int moxart_remove(struct platform_device *pdev) |
18 | if (!IS_ERR(host->dma_chan_rx)) |
19 | dma_release_channel(host->dma_chan_rx); |
20 | mmc_remove_host(mmc); |
21 | - mmc_free_host(mmc); |
22 | |
23 | writel(0, host->base + REG_INTERRUPT_MASK); |
24 | writel(0, host->base + REG_POWER_CONTROL); |
25 | writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, |
26 | host->base + REG_CLOCK_CONTROL); |
27 | + mmc_free_host(mmc); |
28 | } |
29 | return 0; |
30 | } |
31 | diff --git a/kernel/cgroup.c b/kernel/cgroup.c |
32 | index 248b0bf5d6795..5702419c9f300 100644 |
33 | --- a/kernel/cgroup.c |
34 | +++ b/kernel/cgroup.c |
35 | @@ -1854,6 +1854,7 @@ static int cgroup_remount(struct kernfs_root *kf_root, int *flags, char *data) |
36 | { |
37 | int ret = 0; |
38 | struct cgroup_root *root = cgroup_root_from_kf(kf_root); |
39 | + struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; |
40 | struct cgroup_sb_opts opts; |
41 | u16 added_mask, removed_mask; |
42 | |
43 | @@ -1873,6 +1874,13 @@ static int cgroup_remount(struct kernfs_root *kf_root, int *flags, char *data) |
44 | pr_warn("option changes via remount are deprecated (pid=%d comm=%s)\n", |
45 | task_tgid_nr(current), current->comm); |
46 | |
47 | + /* See cgroup_mount release_agent handling */ |
48 | + if (opts.release_agent && |
49 | + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { |
50 | + ret = -EINVAL; |
51 | + goto out_unlock; |
52 | + } |
53 | + |
54 | added_mask = opts.subsys_mask & ~root->subsys_mask; |
55 | removed_mask = root->subsys_mask & ~opts.subsys_mask; |
56 | |
57 | @@ -2248,6 +2256,16 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, |
58 | goto out_unlock; |
59 | } |
60 | |
61 | + /* |
62 | + * Release agent gets called with all capabilities, |
63 | + * require capabilities to set release agent. |
64 | + */ |
65 | + if (opts.release_agent && |
66 | + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { |
67 | + ret = -EINVAL; |
68 | + goto out_unlock; |
69 | + } |
70 | + |
71 | root = kzalloc(sizeof(*root), GFP_KERNEL); |
72 | if (!root) { |
73 | ret = -ENOMEM; |
74 | @@ -3026,6 +3044,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, |
75 | |
76 | BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); |
77 | |
78 | + /* |
79 | + * Release agent gets called with all capabilities, |
80 | + * require capabilities to set release agent. |
81 | + */ |
82 | + if ((of->file->f_cred->user_ns != &init_user_ns) || |
83 | + !capable(CAP_SYS_ADMIN)) |
84 | + return -EPERM; |
85 | + |
86 | cgrp = cgroup_kn_lock_live(of->kn, false); |
87 | if (!cgrp) |
88 | return -ENODEV; |
89 | diff --git a/net/tipc/link.c b/net/tipc/link.c |
90 | index 6fc2fa75503d2..2c1350e811e2e 100644 |
91 | --- a/net/tipc/link.c |
92 | +++ b/net/tipc/link.c |
93 | @@ -1441,12 +1441,15 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, |
94 | u16 peers_tol = msg_link_tolerance(hdr); |
95 | u16 peers_prio = msg_linkprio(hdr); |
96 | u16 rcv_nxt = l->rcv_nxt; |
97 | - u16 dlen = msg_data_sz(hdr); |
98 | + u32 dlen = msg_data_sz(hdr); |
99 | int mtyp = msg_type(hdr); |
100 | void *data; |
101 | char *if_name; |
102 | int rc = 0; |
103 | |
104 | + if (dlen > U16_MAX) |
105 | + goto exit; |
106 | + |
107 | if (tipc_link_is_blocked(l) || !xmitq) |
108 | goto exit; |
109 | |
110 | diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c |
111 | index 0fcfb3916dcf2..e1f4538b16532 100644 |
112 | --- a/net/tipc/monitor.c |
113 | +++ b/net/tipc/monitor.c |
114 | @@ -457,6 +457,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr, |
115 | state->probing = false; |
116 | |
117 | /* Sanity check received domain record */ |
118 | + if (new_member_cnt > MAX_MON_DOMAIN) |
119 | + return; |
120 | if (dlen < dom_rec_len(arrv_dom, 0)) |
121 | return; |
122 | if (dlen != dom_rec_len(arrv_dom, new_member_cnt)) |