jfs: fix uaf in jfs_evict_inode

[platform/kernel/linux-rpi.git] / fs / binfmt_elf.c

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 1033fbd..7b3d2d4 100644 (file)
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -320,10 +320,10 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
         * Grow the stack manually; some architectures have a limit on how
         * far ahead a user-space access may be in order to grow the stack.
         */
-       if (mmap_read_lock_killable(mm))
+       if (mmap_write_lock_killable(mm))
                return -EINTR;
-       vma = find_extend_vma(mm, bprm->p);
-       mmap_read_unlock(mm);
+       vma = find_extend_vma_locked(mm, bprm->p);
+       mmap_write_unlock(mm);
        if (!vma)
                return -EFAULT;
 
@@ -1517,7 +1517,7 @@ static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
        phdr->p_filesz = sz;
        phdr->p_memsz = 0;
        phdr->p_flags = 0;
-       phdr->p_align = 0;
+       phdr->p_align = 4;
 }
 
 static void fill_note(struct memelfnote *note, const char *name, int type,
@@ -1773,7 +1773,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
        /*
         * NT_PRSTATUS is the one special case, because the regset data
         * goes into the pr_reg field inside the note contents, rather
-        * than being the whole note contents.  We fill the reset in here.
+        * than being the whole note contents.  We fill the regset in here.
         * We assume that regset 0 is NT_PRSTATUS.
         */
        fill_prstatus(&t->prstatus.common, t->task, signr);