-rw-r--r--drivers/md/md.c4
-rw-r--r--include/net/sock.h1
-rw-r--r--kernel/ptrace.c2
-rw-r--r--mm/mlock.c4
-rw-r--r--net/ax25/af_ax25.c3
-rw-r--r--net/bluetooth/sco.c3
-rw-r--r--net/decnet/af_decnet.c3
-rw-r--r--net/ipv4/af_inet.c3
-rw-r--r--net/ipv4/tcp.c2
-rw-r--r--net/ipv6/addrconf.c17
-rw-r--r--net/ipv6/af_inet6.c3
-rw-r--r--net/irda/af_irda.c3
-rw-r--r--security/keys/encrypted-keys/encrypted.c2
-rw-r--r--security/keys/trusted.c5
-rw-r--r--security/keys/user_defined.c5
15 files changed, 51 insertions, 9 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 17e2f526457..83dba060525 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5431,9 +5431,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
int err = -ENOMEM;
if (md_allow_write(mddev))
- file = kmalloc(sizeof(*file), GFP_NOIO);
+ file = kzalloc(sizeof(*file), GFP_NOIO);
else
- file = kmalloc(sizeof(*file), GFP_KERNEL);
+ file = kzalloc(sizeof(*file), GFP_KERNEL);
if (!file)
goto out;
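Review bot: The switch to `kzalloc` in get_bitmap_file carries no comment saying why zeroing matters, so a later cleanup could turn it back into `kmalloc`. `arg` is a `void __user *`, which suggests the buffer is copied out to user space further down (that copy is outside this hunk); any bytes the function does not fill would then expose stale heap contents. I would add `/* zeroed: *file goes to user space, unfilled bytes must not leak heap data */` above the allocation.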
diff --git a/include/net/sock.h b/include/net/sock.h
index f673ba5b6b1..41c579ee3fb 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -328,6 +328,7 @@ struct sock {
sk_no_check : 2,
sk_userlocks : 4,
sk_protocol : 8,
+#define SK_PROTOCOL_MAX U8_MAX
sk_type : 16;
kmemcheck_bitfield_end(flags);
int sk_wmem_queued;
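Review bot: `SK_PROTOCOL_MAX` is hard-coded to `U8_MAX` and nothing ties it to the `sk_protocol : 8` width on the line above, so changing the bitfield width later would silently leave the range checks added elsewhere in this commit wrong. A comment next to the define, such as `/* must match the width of sk_protocol; larger values are truncated when stored */`, would make the dependency explicit. A `#define` in the middle of a bitfield declaration is also easy to overlook; placing it with that comment directly above the bitfield group may read better. struct sock continues outside the hunk.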
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index a1432369be5..931fd719377 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -233,7 +233,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
*/
int dumpable = 0;
/* Don't let security modules deny introspection */
- if (task == current)
+ if (same_thread_group(task, current))
return 0;
rcu_read_lock();
tcred = __task_cred(task);
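Review bot: The early `return 0` in __ptrace_may_access now covers every task in the caller's thread group, but the comment above it still reads only `/* Don't let security modules deny introspection */`. Because this return sits before the credential lookup that begins at `rcu_read_lock()`, sibling threads now skip those checks as well, which is a wider exemption than the old `task == current` test. The comment should state the new scope and its justification, e.g. `/* threads in one group share an mm, so skip cred and LSM checks for the whole group */`. The function body continues outside the hunk.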
diff --git a/mm/mlock.c b/mm/mlock.c
index 39a36dbfbe5..2747d81d6e0 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -23,10 +23,10 @@
int can_do_mlock(void)
{
- if (capable(CAP_IPC_LOCK))
- return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+ if (capable(CAP_IPC_LOCK))
+ return 1;
return 0;
}
EXPORT_SYMBOL(can_do_mlock);
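Review bot: The order of the two tests in can_do_mlock is now significant, yet nothing in the function says so. Calling `capable()` has side effects even when the rlimit alone would permit the lock (it records that privilege was used and can trigger a security-module audit record), which is presumably why it was moved last. A comment such as `/* test the rlimit first: capable() has audit and PF_SUPERPRIV side effects */` would keep the order from being rearranged back.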
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ca1820cf22f..f59c8af13e5 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -811,6 +811,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk;
ax25_cb *ax25;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
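Review bot: The range check added to ax25_create is repeated verbatim in dn_create and irda_create, and none of the three says why `SK_PROTOCOL_MAX` is the bound. The value is presumably stored later in the 8-bit `sk_protocol` bitfield, where anything larger would be truncated and the socket would end up with a different protocol number than the caller asked for. I would put `/* sk_protocol is 8 bits wide; reject values that would be truncated */` above each check. The check also runs before the `net_eq()` test, so an out-of-range protocol outside init_net now yields -EINVAL instead of -EAFNOSUPPORT; that is probably fine but worth a word in the commit message.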
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 3170190f83c..d214aa4a876 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,6 +499,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ if (alen < sizeof(struct sockaddr_sco))
+ return -EINVAL;
+
memset(&sa, 0, sizeof(sa));
len = min_t(unsigned int, sizeof(sa), alen);
memcpy(&sa, addr, len);
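Review bot: The new length check in sco_sock_bind compares the signed `alen` with a `size_t`, so a negative `alen` is converted to a large unsigned value and passes the test. Callers may already reject negative lengths before this point, but that is not visible here, and the guard is cheap to make self-contained: `if (alen < 0 || (size_t)alen < sizeof(struct sockaddr_sco))`. With the check in place the `min_t()` clamp on the following line can only ever yield `sizeof(sa)` if `sa` is a `struct sockaddr_sco` (its declaration is outside the hunk), so a comment saying the clamp is kept as defence in depth would help.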
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 4136987d94d..4fa941ea4d6 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -680,6 +680,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
{
struct sock *sk;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 2cdd9e3697d..8e3061c146a 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -294,6 +294,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
if (!current_has_network())
return -EACCES;
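Review bot: inet_create (and inet6_create, which gets the same three lines) bounds the protocol with `>= IPPROTO_MAX`, while ax25, decnet and irda in this commit use `> SK_PROTOCOL_MAX`. If the goal in both cases is to keep the value inside the 8-bit `sk_protocol` field, the two bounds agree only while IPPROTO_MAX is at most 256, and nothing here asserts that. Either use `protocol > SK_PROTOCOL_MAX` here as well, or add `BUILD_BUG_ON(IPPROTO_MAX > SK_PROTOCOL_MAX + 1);` next to the check so a future change to either constant fails the build.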
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 24140199303..c9013753ee9 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3409,7 +3409,7 @@ int tcp_nuke_addr(struct net *net, struct sockaddr *addr)
return -EAFNOSUPPORT;
}
- for (bucket = 0; bucket < tcp_hashinfo.ehash_mask; bucket++) {
+ for (bucket = 0; bucket <= tcp_hashinfo.ehash_mask; bucket++) {
struct hlist_nulls_node *node;
struct sock *sk;
spinlock_t *lock = inet_ehash_lockp(&tcp_hashinfo, bucket);
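Review bot: The loop bound in tcp_nuke_addr deserves a one-line comment, because `bucket < ehash_mask` looks like the conventional form and is easy to reintroduce. `ehash_mask` is a mask rather than a count (table size minus one), so the last valid bucket is index `ehash_mask` itself and the old bound never visited it. I would add `/* ehash_mask is size - 1, so the bound is inclusive */` above the `for`.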
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2b036ae1ad1..d95e0c521d6 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4424,6 +4424,21 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
return ret;
}
+static
+int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ struct inet6_dev *idev = ctl->extra1;
+ int min_mtu = IPV6_MIN_MTU;
+ struct ctl_table lctl;
+
+ lctl = *ctl;
+ lctl.extra1 = &min_mtu;
+ lctl.extra2 = idev ? &idev->dev->mtu : NULL;
+
+ return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
+}
+
static void dev_disable_change(struct inet6_dev *idev)
{
if (!idev || !idev->dev)
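Review bot: addrconf_sysctl_mtu dereferences `idev->dev` after testing only `idev`, whereas dev_disable_change directly below guards with `if (!idev || !idev->dev)`. Whether `idev->dev` can be NULL when the sysctl is written is not visible in this hunk, but matching the neighbouring guard costs nothing: `lctl.extra2 = (idev && idev->dev) ? &idev->dev->mtu : NULL;`. The handler also reuses `ctl->extra1` as the `inet6_dev` pointer and then overwrites it in the local copy with the minimum; a comment such as `/* extra1 carries the idev here; the min/max pointers are set on a local copy */` would explain that. The upper bound is read from `dev->mtu` with no lock visible in the hunk, so it is worth confirming the caller's locking.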
@@ -4533,7 +4548,7 @@ static struct addrconf_sysctl_table
.data = &ipv6_devconf.mtu6,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .proc_handler = addrconf_sysctl_mtu,
},
{
.procname = "accept_ra",
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 296886bff73..4192a478154 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -123,6 +123,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
if (!current_has_network())
return -EACCES;
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 12218f70531..ea79ff816ab 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1104,6 +1104,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk;
struct irda_sock *self;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
IRDA_DEBUG(2, "%s()\n", __func__);
if (net != &init_net)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index a02f92302a5..0685b15f2b0 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -843,6 +843,8 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
const char *format = NULL;
int ret = 0;
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ return -ENOKEY;
if (datalen <= 0 || datalen > 32767 || !data)
return -EINVAL;
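Review bot: The new `-ENOKEY` return in encrypted_update, and the matching one in trusted_update, has no comment explaining why a negatively instantiated key must be rejected before anything else runs. In trusted_update the read of `key->payload.data` was moved below the check, which suggests that a negative key's payload is not a valid payload pointer; that reasoning should be written next to the test, e.g. `/* a negative key has no valid payload to update */`. If these functions have header comments listing return values, -ENOKEY should be added there too. Both function bodies continue outside their hunks.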
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 2d5d041f204..9614dbcae8a 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1013,12 +1013,15 @@ static void trusted_rcu_free(struct rcu_head *rcu)
*/
static int trusted_update(struct key *key, const void *data, size_t datalen)
{
- struct trusted_key_payload *p = key->payload.data;
+ struct trusted_key_payload *p;
struct trusted_key_payload *new_p;
struct trusted_key_options *new_o;
char *datablob;
int ret = 0;
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ return -ENOKEY;
+ p = key->payload.data;
if (!p->migratable)
return -EPERM;
if (datalen <= 0 || datalen > 32767 || !data)
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index c7660a25a3e..f89846f6bd3 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -117,7 +117,10 @@ int user_update(struct key *key, const void *data, size_t datalen)
if (ret == 0) {
/* attach the new data, displacing the old */
- zap = key->payload.data;
+ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
+ zap = key->payload.data;
+ else
+ zap = NULL;
rcu_assign_keypointer(key, upayload);
key->expiry = 0;
}
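Review bot: user_update treats a negative key differently from encrypted_update and trusted_update in this same commit: those return -ENOKEY, while here the update proceeds and only the old-payload pointer is dropped via `zap = NULL`. If the difference is intentional, the branch should say so, e.g. `/* negative key: payload.data is not a user_key_payload, so there is nothing to free */`. The code that consumes `zap` lies outside the hunk and has to tolerate NULL, which is worth confirming.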