commit 8034e99d1a010a795b979582c0b2370584d8abf4 Author: Greg Kroah-Hartman Date: Fri Feb 11 08:43:36 2022 +0100 Linux 4.14.266 Link: https://lore.kernel.org/r/20220209191248.659458918@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Slade Watkins Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d Author: Jon Maloy Date: Sat Feb 5 14:11:18 2022 -0500 tipc: improve size validations for received domain records commit 9aa422ad326634b76309e8ff342c246800621216 upstream. The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology. This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow. tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet. This fixes CVE-2022-0435 Reported-by: Samuel Page Reported-by: Eric Dumazet Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework") Signed-off-by: Jon Maloy Reviewed-by: Xin Long Reviewed-by: Samuel Page Reviewed-by: Eric Dumazet Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 92f72aed87c029beed9e4093c4a13d1fc746ac90 Author: luofei Date: Mon Feb 7 22:20:28 2022 -0500 x86/mm, mm/hwpoison: Fix the unmap kernel 1:1 pages check condition When fd0e786d9d09 ("x86/mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages") was backported to 4.14.y, the logic was reversed when calling memory_failure() to determine whether it needs to unmap the kernel page. Only when memory_failure() returns successfully, the kernel page can be unmapped. Signed-off-by: luofei Cc: stable@vger.kernel.org #v4.14.x Cc: stable@vger.kernel.org #v4.15.x Signed-off-by: Greg Kroah-Hartman commit e6f580d0b3349646d4ee1ce0057eb273e8fb7e2e Author: Greg Kroah-Hartman Date: Thu Jan 27 08:16:38 2022 +0100 moxart: fix potential use-after-free on remove path commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream. It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference. Cc: Ulf Hansson Cc: Xiyu Yang Cc: Xin Xiong Cc: Xin Tan Cc: Tony Lindgren Cc: Yang Li Cc: linux-mmc@vger.kernel.org Cc: stable Reported-by: whitehat002 Signed-off-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@linuxfoundation.org Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit b391bb3554dd6e04b7a8ede975dbd3342526a045 Author: Eric W. Biederman Date: Thu Jan 20 11:04:01 2022 -0600 cgroup-v1: Require capabilities to set release_agent commit 24f6008564183aa120d07c03d9289519c2fe02af upstream. The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set fo capabilities. Therefore require capabilities when setting the release_agaent. Reported-by: Tabitha Sable Tested-by: Tabitha Sable Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") Cc: stable@vger.kernel.org # v2.6.24+ Signed-off-by: "Eric W. Biederman" Signed-off-by: Tejun Heo [mkoutny: Adjust for pre-fs_context, duplicate mount/remount check, drop log messages.] Acked-by: Michal Koutný Signed-off-by: Greg Kroah-Hartman