!368 Backport CVEs and bugfixes (4c0bc9e5) · Commits · EulixOS / Software / Kernel

drivers/net/wireless/rndis_wlan.c

+6 −13

Original line number	Diff line number	Diff line
		@@ -694,8 +694,8 @@ static int rndis_query_oid(struct usbnet dev, u32 oid, void data, int *len)
		struct rndis_query *get;
		struct rndis_query_c *get_c;
		} u;
		int ret, buflen;
		int resplen, respoffs, copylen;
		int ret;
		size_t buflen, resplen, respoffs, copylen;

		buflen = len + sizeof(u.get);
		if (buflen < CONTROL_BUFFER_SIZE)
		@@ -730,22 +730,15 @@ static int rndis_query_oid(struct usbnet dev, u32 oid, void data, int *len)

		if (respoffs > buflen) {
		/* Device returned data offset outside buffer, error. */
		netdev_dbg(dev->net, "%s(%s): received invalid "
		"data offset: %d > %d\n", __func__,
		oid_to_string(oid), respoffs, buflen);
		netdev_dbg(dev->net,
		"%s(%s): received invalid data offset: %zu > %zu\n",
		__func__, oid_to_string(oid), respoffs, buflen);

		ret = -EINVAL;
		goto exit_unlock;
		}

		if ((resplen + respoffs) > buflen) {
		/* Device would have returned more data if buffer would
		* have been big enough. Copy just the bits that we got.
		*/
		copylen = buflen - respoffs;
		} else {
		copylen = resplen;
		}
		copylen = min(resplen, buflen - respoffs);

		if (copylen > *len)
		copylen = *len;

+2 −0

Original line number	Diff line number	Diff line
		@@ -885,6 +885,8 @@ static void __init early_init_dt_check_for_initrd(unsigned long node)
		if (!prop)
		return;
		end = of_read_number(prop, len/4);
		if (start > end)
		return;

		__early_init_dt_declare_initrd(start, end);
		phys_initrd_start = start;

+3 −3

Original line number	Diff line number	Diff line
		@@ -556,11 +556,11 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
		struct enclosure_component *ecomp;

		if (desc_ptr) {
		if (desc_ptr >= buf + page7_len) {
		desc_ptr = NULL;
		} else {
		len = (desc_ptr[2] << 8) + desc_ptr[3];
		desc_ptr += 4;
		if (desc_ptr + len > buf + page7_len) {
		desc_ptr = NULL;
		} else {
		/* Add trailing zero - pushes into
		* reserved space */
		desc_ptr[len] = '\0';

+10 −0

Original line number	Diff line number	Diff line
		@@ -1879,12 +1879,20 @@ xfs_inodegc_worker(
		work);
		struct llist_node *node = llist_del_all(&gc->list);
		struct xfs_inode ip, n;
		unsigned int nofs_flag;

		WRITE_ONCE(gc->items, 0);

		if (!node)
		return;

		/*
		* We can allocate memory here while doing writeback on behalf of
		* memory reclaim. To avoid memory allocation deadlocks set the
		* task-wide nofs context for the following operations.
		*/
		nofs_flag = memalloc_nofs_save();

		ip = llist_entry(node, struct xfs_inode, i_gclist);
		trace_xfs_inodegc_worker(ip->i_mount, READ_ONCE(gc->shrinker_hits));

		@@ -1893,6 +1901,8 @@ xfs_inodegc_worker(
		xfs_iflags_set(ip, XFS_INACTIVATING);
		xfs_inodegc_inactivate(ip);
		}

		memalloc_nofs_restore(nofs_flag);
		}

		/*

+1 −1

Original line number	Diff line number	Diff line
		@@ -1921,7 +1921,7 @@ static inline bool mem_cgroup_under_socket_pressure(struct mem_cgroup *memcg)
		if (!cgroup_subsys_on_dfl(memory_cgrp_subsys) && memcg->tcpmem_pressure)
		return true;
		do {
		if (time_before(jiffies, memcg->socket_pressure))
		if (time_before(jiffies, READ_ONCE(memcg->socket_pressure)))
		return true;
		} while ((memcg = parent_mem_cgroup(memcg)));
		return false;