This is the 4.14.266 stable release

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIGE64ACgkQONu9yGCS
 aT7W4BAAh3B9cQS8F1zLMpcGpe5sSHXrKYleNvjWd/sv61bhyDEF8igfTJBOiRja
 RQkZw3vewEbfs7Q+0VAt17a4ySGpj96T6m/S7+X0eADv4mF9XOigf0D6u/1cl8so
 21kPjyfw1qRntipIKfuFtLmQOHf5gFR35I4WcFclrBaqpIC5Th6UOzrSkO2K9K43
 aDEGGX7fXCvubQiIYfI2cmv8dv08H4HtvXmN0txu/LYJBQfeQYZhIQQVfPudM58K
 B4r4aifv9L1e0morGLuEsFTamO6Vf9DlrWC8PAlz1+PFIdAWRNPburCeowU2En2T
 ZTSikm/1ScoTS83yeYeewDvFKqAIyj7UBTlBZfWOq8+U6poLgjYXymVxQJamgIqM
 GxW56DKyEJDR4mL01ZQKBiSy5KWCYyGFHIDhY707pzxDfURwu++38kB4sBR+ltTK
 upUZPpYdeRXGlh2U6HE7v7Xo6fIW++gz7vA1MxBMKqO8Dj56+/hx/0rsIL6p1QX5
 6qE4v8mAvV+FQk6o9SzazBnS7uf5pKB5hQe1uF0uGeoR9VDqRxt+3jU2VwJ5f7a8
 v03VJQDCWUyGK5eQbwmHzQMCtxk02IAY+Sr4UpR3smjPo4Z0IVHVVucgXaOP+Xx+
 +8MRjrXAOESiCBozayU3daL8WW7VXu64cXq4o7evYrh1n24njRI=
 =JxkR
 -----END PGP SIGNATURE-----

Merge 4.14.266 into android-4.14-stable

Changes in 4.14.266
	cgroup-v1: Require capabilities to set release_agent
	moxart: fix potential use-after-free on remove path
	x86/mm, mm/hwpoison: Fix the unmap kernel 1:1 pages check condition
	tipc: improve size validations for received domain records
	Linux 4.14.266

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id5f654da1b01e5d79f58678f06caaab832538bf2

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 4
 PATCHLEVEL = 14
-SUBLEVEL = 265
+SUBLEVEL = 266
 EXTRAVERSION =
 NAME = Petit Gorille
 

arch/x86/kernel/cpu/mcheck/mce.c

@@ -589,7 +589,7 @@ static int srao_decode_notifier(struct notifier_block *nb, unsigned long val,
 
 	if (mce_usable_address(mce) && (mce->severity == MCE_AO_SEVERITY)) {
 		pfn = mce->addr >> PAGE_SHIFT;
-		if (memory_failure(pfn, MCE_VECTOR, 0))
+		if (!memory_failure(pfn, MCE_VECTOR, 0))
 			mce_unmap_kpfn(pfn);
 	}
 

drivers/mmc/host/moxart-mmc.c

@@ -696,12 +696,12 @@ static int moxart_remove(struct platform_device *pdev)
 		if (!IS_ERR(host->dma_chan_rx))
 			dma_release_channel(host->dma_chan_rx);
 		mmc_remove_host(mmc);
-		mmc_free_host(mmc);
 
 		writel(0, host->base + REG_INTERRUPT_MASK);
 		writel(0, host->base + REG_POWER_CONTROL);
 		writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
 		       host->base + REG_CLOCK_CONTROL);
+		mmc_free_host(mmc);
 	}
 	return 0;
 }

kernel/cgroup/cgroup-v1.c

@@ -578,6 +578,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
 
 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
 
+	/*
+	 * Release agent gets called with all capabilities,
+	 * require capabilities to set release agent.
+	 */
+	if ((of->file->f_cred->user_ns != &init_user_ns) ||
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	cgrp = cgroup_kn_lock_live(of->kn, false);
 	if (!cgrp)
 		return -ENODEV;
@@ -1061,6 +1069,7 @@ static int cgroup1_remount(struct kernfs_root *kf_root, int *flags, char *data)
 {
 	int ret = 0;
 	struct cgroup_root *root = cgroup_root_from_kf(kf_root);
+	struct cgroup_namespace *ns = current->nsproxy->cgroup_ns;
 	struct cgroup_sb_opts opts;
 	u16 added_mask, removed_mask;
 
@@ -1074,6 +1083,12 @@ static int cgroup1_remount(struct kernfs_root *kf_root, int *flags, char *data)
 	if (opts.subsys_mask != root->subsys_mask || opts.release_agent)
 		pr_warn("option changes via remount are deprecated (pid=%d comm=%s)\n",
 			task_tgid_nr(current), current->comm);
+	/* See cgroup1_mount release_agent handling */
+	if (opts.release_agent &&
+	    ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) {
+		ret = -EINVAL;
+		goto out_unlock;
+	}
 
 	added_mask = opts.subsys_mask & ~root->subsys_mask;
 	removed_mask = root->subsys_mask & ~opts.subsys_mask;
@@ -1237,6 +1252,15 @@ struct dentry *cgroup1_mount(struct file_system_type *fs_type, int flags,
 		ret = -EPERM;
 		goto out_unlock;
 	}
+	/*
+	 * Release agent gets called with all capabilities,
+	 * require capabilities to set release agent.
+	 */
+	if (opts.release_agent &&
+	    ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) {
+		ret = -EINVAL;
+		goto out_unlock;
+	}
 
 	root = kzalloc(sizeof(*root), GFP_KERNEL);
 	if (!root) {

net/tipc/link.c

@@ -1462,12 +1462,15 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 	u16 peers_tol = msg_link_tolerance(hdr);
 	u16 peers_prio = msg_linkprio(hdr);
 	u16 rcv_nxt = l->rcv_nxt;
-	u16 dlen = msg_data_sz(hdr);
+	u32 dlen = msg_data_sz(hdr);
 	int mtyp = msg_type(hdr);
 	void *data;
 	char *if_name;
 	int rc = 0;
 
+	if (dlen > U16_MAX)
+		goto exit;
+
 	if (tipc_link_is_blocked(l) || !xmitq)
 		goto exit;
 

net/tipc/monitor.c

@@ -457,6 +457,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
 	state->probing = false;
 
 	/* Sanity check received domain record */
+	if (new_member_cnt > MAX_MON_DOMAIN)
+		return;
 	if (dlen < dom_rec_len(arrv_dom, 0))
 		return;
 	if (dlen != dom_rec_len(arrv_dom, new_member_cnt))