Contents of /trunk/kernel-alx-legacy/patches-4.9/0400-4.9.301-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3702 -
(show annotations)
(download)
Mon Oct 24 14:08:15 2022 UTC (18 months ago) by niro
File size: 3752 byte(s)
Mon Oct 24 14:08:15 2022 UTC (18 months ago) by niro
File size: 3752 byte(s)
-linux-4.9.301
| 1 | diff --git a/Makefile b/Makefile |
| 2 | index 52e73f525a442..776408b6c56e7 100644 |
| 3 | --- a/Makefile |
| 4 | +++ b/Makefile |
| 5 | @@ -1,6 +1,6 @@ |
| 6 | VERSION = 4 |
| 7 | PATCHLEVEL = 9 |
| 8 | -SUBLEVEL = 300 |
| 9 | +SUBLEVEL = 301 |
| 10 | EXTRAVERSION = |
| 11 | NAME = Roaring Lionus |
| 12 | |
| 13 | diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c |
| 14 | index 41a5493cb68d8..a5b03fb7656d1 100644 |
| 15 | --- a/drivers/mmc/host/moxart-mmc.c |
| 16 | +++ b/drivers/mmc/host/moxart-mmc.c |
| 17 | @@ -698,12 +698,12 @@ static int moxart_remove(struct platform_device *pdev) |
| 18 | if (!IS_ERR(host->dma_chan_rx)) |
| 19 | dma_release_channel(host->dma_chan_rx); |
| 20 | mmc_remove_host(mmc); |
| 21 | - mmc_free_host(mmc); |
| 22 | |
| 23 | writel(0, host->base + REG_INTERRUPT_MASK); |
| 24 | writel(0, host->base + REG_POWER_CONTROL); |
| 25 | writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, |
| 26 | host->base + REG_CLOCK_CONTROL); |
| 27 | + mmc_free_host(mmc); |
| 28 | } |
| 29 | return 0; |
| 30 | } |
| 31 | diff --git a/kernel/cgroup.c b/kernel/cgroup.c |
| 32 | index 248b0bf5d6795..5702419c9f300 100644 |
| 33 | --- a/kernel/cgroup.c |
| 34 | +++ b/kernel/cgroup.c |
| 35 | @@ -1854,6 +1854,7 @@ static int cgroup_remount(struct kernfs_root *kf_root, int *flags, char *data) |
| 36 | { |
| 37 | int ret = 0; |
| 38 | struct cgroup_root *root = cgroup_root_from_kf(kf_root); |
| 39 | + struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; |
| 40 | struct cgroup_sb_opts opts; |
| 41 | u16 added_mask, removed_mask; |
| 42 | |
| 43 | @@ -1873,6 +1874,13 @@ static int cgroup_remount(struct kernfs_root *kf_root, int *flags, char *data) |
| 44 | pr_warn("option changes via remount are deprecated (pid=%d comm=%s)\n", |
| 45 | task_tgid_nr(current), current->comm); |
| 46 | |
| 47 | + /* See cgroup_mount release_agent handling */ |
| 48 | + if (opts.release_agent && |
| 49 | + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { |
| 50 | + ret = -EINVAL; |
| 51 | + goto out_unlock; |
| 52 | + } |
| 53 | + |
| 54 | added_mask = opts.subsys_mask & ~root->subsys_mask; |
| 55 | removed_mask = root->subsys_mask & ~opts.subsys_mask; |
| 56 | |
| 57 | @@ -2248,6 +2256,16 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, |
| 58 | goto out_unlock; |
| 59 | } |
| 60 | |
| 61 | + /* |
| 62 | + * Release agent gets called with all capabilities, |
| 63 | + * require capabilities to set release agent. |
| 64 | + */ |
| 65 | + if (opts.release_agent && |
| 66 | + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { |
| 67 | + ret = -EINVAL; |
| 68 | + goto out_unlock; |
| 69 | + } |
| 70 | + |
| 71 | root = kzalloc(sizeof(*root), GFP_KERNEL); |
| 72 | if (!root) { |
| 73 | ret = -ENOMEM; |
| 74 | @@ -3026,6 +3044,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, |
| 75 | |
| 76 | BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); |
| 77 | |
| 78 | + /* |
| 79 | + * Release agent gets called with all capabilities, |
| 80 | + * require capabilities to set release agent. |
| 81 | + */ |
| 82 | + if ((of->file->f_cred->user_ns != &init_user_ns) || |
| 83 | + !capable(CAP_SYS_ADMIN)) |
| 84 | + return -EPERM; |
| 85 | + |
| 86 | cgrp = cgroup_kn_lock_live(of->kn, false); |
| 87 | if (!cgrp) |
| 88 | return -ENODEV; |
| 89 | diff --git a/net/tipc/link.c b/net/tipc/link.c |
| 90 | index 6fc2fa75503d2..2c1350e811e2e 100644 |
| 91 | --- a/net/tipc/link.c |
| 92 | +++ b/net/tipc/link.c |
| 93 | @@ -1441,12 +1441,15 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, |
| 94 | u16 peers_tol = msg_link_tolerance(hdr); |
| 95 | u16 peers_prio = msg_linkprio(hdr); |
| 96 | u16 rcv_nxt = l->rcv_nxt; |
| 97 | - u16 dlen = msg_data_sz(hdr); |
| 98 | + u32 dlen = msg_data_sz(hdr); |
| 99 | int mtyp = msg_type(hdr); |
| 100 | void *data; |
| 101 | char *if_name; |
| 102 | int rc = 0; |
| 103 | |
| 104 | + if (dlen > U16_MAX) |
| 105 | + goto exit; |
| 106 | + |
| 107 | if (tipc_link_is_blocked(l) || !xmitq) |
| 108 | goto exit; |
| 109 | |
| 110 | diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c |
| 111 | index 0fcfb3916dcf2..e1f4538b16532 100644 |
| 112 | --- a/net/tipc/monitor.c |
| 113 | +++ b/net/tipc/monitor.c |
| 114 | @@ -457,6 +457,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr, |
| 115 | state->probing = false; |
| 116 | |
| 117 | /* Sanity check received domain record */ |
| 118 | + if (new_member_cnt > MAX_MON_DOMAIN) |
| 119 | + return; |
| 120 | if (dlen < dom_rec_len(arrv_dom, 0)) |
| 121 | return; |
| 122 | if (dlen != dom_rec_len(arrv_dom, new_member_cnt)) |