diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch new file mode 100644 index 00000000..d5e2e4dc --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch @@ -0,0 +1,71 @@ +From f569aee1087fa3da9712952fc00daa72b028424c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sat, 07 Jan 2017 19:14:29 +0100 +Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE + +Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check +whether it is legal to read or write a file using splice. Both get +automatically set on regular files and are not checked when a 'struct +fileoperations' includes the splice_{read,write} methods. + +Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3 +Suggested-by: Linus Torvalds +Cc: Al Viro +Signed-off-by: Johannes Thumshirn +--- + +diff --git a/fs/open.c b/fs/open.c +index 9bf7fa0..e0e2a37 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -680,6 +680,10 @@ + return 0; + } + ++ if (S_ISREG(inode->i_mode)) ++ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ; ++ ++ + f->f_op = fops_get(inode->i_fop); + + error = security_file_open(f, cred); +diff --git a/fs/splice.c b/fs/splice.c +index f183f13..8ba78ce 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -381,6 +381,9 @@ + index++; + } + ++ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ))) ++ return -EINVAL; ++ + /* + * Now loop over the map and see if we need to start IO on any + * pages, fill in the partial map, etc. +@@ -1084,6 +1087,9 @@ + { + ssize_t ret; + ++ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE))) ++ return -EINVAL; ++ + ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf); + if (ret > 0) + *ppos += ret; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index e6f1180..78300ef 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -125,6 +125,11 @@ + /* File was opened by fanotify and shouldn't generate fanotify events */ + #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) + ++/* File can be read using splice */ ++#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000) ++/* File can be written using splice */ ++#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000) ++ + /* + * Flag for rw_copy_check_uvector and compat_rw_copy_check_uvector + * that indicates that they should check the contents of the iovec are diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 new file mode 100644 index 00000000..843461d6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSBmNTY5YWVlMTA4N2ZhM2RhOTcxMjk1MmZjMDBkYWE3MmIwMjg0MjRjIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkRhdGU6IFNhdCwgMDcgSmFuIDIwMTcgMTk6MTQ6MjkgKzAxMDAKU3ViamVjdDogW1BBVENIXSBzcGxpY2U6IGludHJvZHVjZSBGTU9ERV9TUExJQ0VfUkVBRCBhbmQgRk1PREVfU1BMSUNFX1dSSVRFCgpJbnRyb2R1Y2UgRk1PREVfU1BMSUNFX1JFQUQgYW5kIEZNT0RFX1NQTElDRV9XUklURS4gVGhlc2UgbW9kZXMgY2hlY2sKd2hldGhlciBpdCBpcyBsZWdhbCB0byByZWFkIG9yIHdyaXRlIGEgZmlsZSB1c2luZyBzcGxpY2UuIEJvdGggZ2V0CmF1dG9tYXRpY2FsbHkgc2V0IG9uIHJlZ3VsYXIgZmlsZXMgYW5kIGFyZSBub3QgY2hlY2tlZCB3aGVuIGEgJ3N0cnVjdApmaWxlb3BlcmF0aW9ucycgaW5jbHVkZXMgdGhlIHNwbGljZV97cmVhZCx3cml0ZX0gbWV0aG9kcy4KCkNoYW5nZS1JZDogSWNlNmEzZmFiMjBiZjBhYzEzMWY4ZDkwOGY0YmIwZjdkYzM0YmY0ZTMKU3VnZ2VzdGVkLWJ5OiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkNjOiBBbCBWaXJvIDx2aXJvQHplbml2LmxpbnV4Lm9yZy51az4KU2lnbmVkLW9mZi1ieTogSm9oYW5uZXMgVGh1bXNoaXJuIDxqdGh1bXNoaXJuQHN1c2UuZGU+Ci0tLQoKZGlmZiAtLWdpdCBhL2ZzL29wZW4uYyBiL2ZzL29wZW4uYwppbmRleCA5YmY3ZmEwLi5lMGUyYTM3IDEwMDY0NAotLS0gYS9mcy9vcGVuLmMKKysrIGIvZnMvb3Blbi5jCkBAIC02ODAsNiArNjgwLDEwIEBACiAJCXJldHVybiAwOwogCX0KIAorCWlmIChTX0lTUkVHKGlub2RlLT5pX21vZGUpKQorCQlmLT5mX21vZGUgfD0gRk1PREVfU1BMSUNFX1dSSVRFIHwgRk1PREVfU1BMSUNFX1JFQUQ7CisKKwogCWYtPmZfb3AgPSBmb3BzX2dldChpbm9kZS0+aV9mb3ApOwogCiAJZXJyb3IgPSBzZWN1cml0eV9maWxlX29wZW4oZiwgY3JlZCk7CmRpZmYgLS1naXQgYS9mcy9zcGxpY2UuYyBiL2ZzL3NwbGljZS5jCmluZGV4IGYxODNmMTMuLjhiYTc4Y2UgMTAwNjQ0Ci0tLSBhL2ZzL3NwbGljZS5jCisrKyBiL2ZzL3NwbGljZS5jCkBAIC0zODEsNiArMzgxLDkgQEAKIAkJaW5kZXgrKzsKIAl9CiAKKwlpZiAodW5saWtlbHkoIShpbi0+Zl9tb2RlICYgRk1PREVfU1BMSUNFX1JFQUQpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAkvKgogCSAqIE5vdyBsb29wIG92ZXIgdGhlIG1hcCBhbmQgc2VlIGlmIHdlIG5lZWQgdG8gc3RhcnQgSU8gb24gYW55CiAJICogcGFnZXMsIGZpbGwgaW4gdGhlIHBhcnRpYWwgbWFwLCBldGMuCkBAIC0xMDg0LDYgKzEwODcsOSBAQAogewogCXNzaXplX3QgcmV0OwogCisJaWYgKHVubGlrZWx5KCEob3V0LT5mX21vZGUgJiBGTU9ERV9TUExJQ0VfV1JJVEUpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlyZXQgPSBzcGxpY2VfZnJvbV9waXBlKHBpcGUsIG91dCwgcHBvcywgbGVuLCBmbGFncywgd3JpdGVfcGlwZV9idWYpOwogCWlmIChyZXQgPiAwKQogCQkqcHBvcyArPSByZXQ7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2ZzLmggYi9pbmNsdWRlL2xpbnV4L2ZzLmgKaW5kZXggZTZmMTE4MC4uNzgzMDBlZiAxMDA2NDQKLS0tIGEvaW5jbHVkZS9saW51eC9mcy5oCisrKyBiL2luY2x1ZGUvbGludXgvZnMuaApAQCAtMTI1LDYgKzEyNSwxMSBAQAogLyogRmlsZSB3YXMgb3BlbmVkIGJ5IGZhbm90aWZ5IGFuZCBzaG91bGRuJ3QgZ2VuZXJhdGUgZmFub3RpZnkgZXZlbnRzICovCiAjZGVmaW5lIEZNT0RFX05PTk9USUZZCQkoKF9fZm9yY2UgZm1vZGVfdCkweDEwMDAwMDApCiAKKy8qIEZpbGUgY2FuIGJlIHJlYWQgdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9SRUFEICAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4ODAwMDAwMCkKKy8qIEZpbGUgY2FuIGJlIHdyaXR0ZW4gdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9XUklURSAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4MTAwMDAwMDApCisKIC8qCiAgKiBGbGFnIGZvciByd19jb3B5X2NoZWNrX3V2ZWN0b3IgYW5kIGNvbXBhdF9yd19jb3B5X2NoZWNrX3V2ZWN0b3IKICAqIHRoYXQgaW5kaWNhdGVzIHRoYXQgdGhleSBzaG91bGQgY2hlY2sgdGhlIGNvbnRlbnRzIG9mIHRoZSBpb3ZlYyBhcmUK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch new file mode 100644 index 00000000..869807a6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch @@ -0,0 +1,71 @@ +From 741ab25b1f609f4ca11429b99811c4a427c60024 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sat, 07 Jan 2017 19:14:29 +0100 +Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE + +Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check +whether it is legal to read or write a file using splice. Both get +automatically set on regular files and are not checked when a 'struct +fileoperations' includes the splice_{read,write} methods. + +Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3 +Suggested-by: Linus Torvalds +Cc: Al Viro +Signed-off-by: Johannes Thumshirn +--- + +diff --git a/fs/open.c b/fs/open.c +index 4c28c4f..7512d8a 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -683,6 +683,10 @@ + return f; + } + ++ if (S_ISREG(inode->i_mode)) ++ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ; ++ ++ + f->f_op = fops_get(inode->i_fop); + + error = security_dentry_open(f, cred); +diff --git a/fs/splice.c b/fs/splice.c +index ea85353..bf597dc5 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -376,6 +376,9 @@ + index++; + } + ++ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ))) ++ return -EINVAL; ++ + /* + * Now loop over the map and see if we need to start IO on any + * pages, fill in the partial map, etc. +@@ -1059,6 +1062,9 @@ + { + ssize_t ret; + ++ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE))) ++ return -EINVAL; ++ + ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf); + if (ret > 0) + *ppos += ret; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 0e03633..ef0590d 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -117,6 +117,11 @@ + /* File was opened by fanotify and shouldn't generate fanotify events */ + #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) + ++/* File can be read using splice */ ++#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000) ++/* File can be written using splice */ ++#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000) ++ + /* + * The below are the various read and write types that we support. Some of + * them include behavioral modifiers that send information down to the diff --git a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 new file mode 100644 index 00000000..324e9bc2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSA3NDFhYjI1YjFmNjA5ZjRjYTExNDI5Yjk5ODExYzRhNDI3YzYwMDI0IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkRhdGU6IFNhdCwgMDcgSmFuIDIwMTcgMTk6MTQ6MjkgKzAxMDAKU3ViamVjdDogW1BBVENIXSBzcGxpY2U6IGludHJvZHVjZSBGTU9ERV9TUExJQ0VfUkVBRCBhbmQgRk1PREVfU1BMSUNFX1dSSVRFCgpJbnRyb2R1Y2UgRk1PREVfU1BMSUNFX1JFQUQgYW5kIEZNT0RFX1NQTElDRV9XUklURS4gVGhlc2UgbW9kZXMgY2hlY2sKd2hldGhlciBpdCBpcyBsZWdhbCB0byByZWFkIG9yIHdyaXRlIGEgZmlsZSB1c2luZyBzcGxpY2UuIEJvdGggZ2V0CmF1dG9tYXRpY2FsbHkgc2V0IG9uIHJlZ3VsYXIgZmlsZXMgYW5kIGFyZSBub3QgY2hlY2tlZCB3aGVuIGEgJ3N0cnVjdApmaWxlb3BlcmF0aW9ucycgaW5jbHVkZXMgdGhlIHNwbGljZV97cmVhZCx3cml0ZX0gbWV0aG9kcy4KCkNoYW5nZS1JZDogSWNlNmEzZmFiMjBiZjBhYzEzMWY4ZDkwOGY0YmIwZjdkYzM0YmY0ZTMKU3VnZ2VzdGVkLWJ5OiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkNjOiBBbCBWaXJvIDx2aXJvQHplbml2LmxpbnV4Lm9yZy51az4KU2lnbmVkLW9mZi1ieTogSm9oYW5uZXMgVGh1bXNoaXJuIDxqdGh1bXNoaXJuQHN1c2UuZGU+Ci0tLQoKZGlmZiAtLWdpdCBhL2ZzL29wZW4uYyBiL2ZzL29wZW4uYwppbmRleCA0YzI4YzRmLi43NTEyZDhhIDEwMDY0NAotLS0gYS9mcy9vcGVuLmMKKysrIGIvZnMvb3Blbi5jCkBAIC02ODMsNiArNjgzLDEwIEBACiAJCXJldHVybiBmOwogCX0KIAorCWlmIChTX0lTUkVHKGlub2RlLT5pX21vZGUpKQorCQlmLT5mX21vZGUgfD0gRk1PREVfU1BMSUNFX1dSSVRFIHwgRk1PREVfU1BMSUNFX1JFQUQ7CisKKwogCWYtPmZfb3AgPSBmb3BzX2dldChpbm9kZS0+aV9mb3ApOwogCiAJZXJyb3IgPSBzZWN1cml0eV9kZW50cnlfb3BlbihmLCBjcmVkKTsKZGlmZiAtLWdpdCBhL2ZzL3NwbGljZS5jIGIvZnMvc3BsaWNlLmMKaW5kZXggZWE4NTM1My4uYmY1OTdkYzUgMTAwNjQ0Ci0tLSBhL2ZzL3NwbGljZS5jCisrKyBiL2ZzL3NwbGljZS5jCkBAIC0zNzYsNiArMzc2LDkgQEAKIAkJaW5kZXgrKzsKIAl9CiAKKwlpZiAodW5saWtlbHkoIShpbi0+Zl9tb2RlICYgRk1PREVfU1BMSUNFX1JFQUQpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAkvKgogCSAqIE5vdyBsb29wIG92ZXIgdGhlIG1hcCBhbmQgc2VlIGlmIHdlIG5lZWQgdG8gc3RhcnQgSU8gb24gYW55CiAJICogcGFnZXMsIGZpbGwgaW4gdGhlIHBhcnRpYWwgbWFwLCBldGMuCkBAIC0xMDU5LDYgKzEwNjIsOSBAQAogewogCXNzaXplX3QgcmV0OwogCisJaWYgKHVubGlrZWx5KCEob3V0LT5mX21vZGUgJiBGTU9ERV9TUExJQ0VfV1JJVEUpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlyZXQgPSBzcGxpY2VfZnJvbV9waXBlKHBpcGUsIG91dCwgcHBvcywgbGVuLCBmbGFncywgd3JpdGVfcGlwZV9idWYpOwogCWlmIChyZXQgPiAwKQogCQkqcHBvcyArPSByZXQ7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2ZzLmggYi9pbmNsdWRlL2xpbnV4L2ZzLmgKaW5kZXggMGUwMzYzMy4uZWYwNTkwZCAxMDA2NDQKLS0tIGEvaW5jbHVkZS9saW51eC9mcy5oCisrKyBiL2luY2x1ZGUvbGludXgvZnMuaApAQCAtMTE3LDYgKzExNywxMSBAQAogLyogRmlsZSB3YXMgb3BlbmVkIGJ5IGZhbm90aWZ5IGFuZCBzaG91bGRuJ3QgZ2VuZXJhdGUgZmFub3RpZnkgZXZlbnRzICovCiAjZGVmaW5lIEZNT0RFX05PTk9USUZZCQkoKF9fZm9yY2UgZm1vZGVfdCkweDEwMDAwMDApCiAKKy8qIEZpbGUgY2FuIGJlIHJlYWQgdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9SRUFEICAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4ODAwMDAwMCkKKy8qIEZpbGUgY2FuIGJlIHdyaXR0ZW4gdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9XUklURSAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4MTAwMDAwMDApCisKIC8qCiAgKiBUaGUgYmVsb3cgYXJlIHRoZSB2YXJpb3VzIHJlYWQgYW5kIHdyaXRlIHR5cGVzIHRoYXQgd2Ugc3VwcG9ydC4gU29tZSBvZgogICogdGhlbSBpbmNsdWRlIGJlaGF2aW9yYWwgbW9kaWZpZXJzIHRoYXQgc2VuZCBpbmZvcm1hdGlvbiBkb3duIHRvIHRoZQo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-9576/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-9576/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9576/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2016-9576/ANY/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch new file mode 100644 index 00000000..a1d4210c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch @@ -0,0 +1,383 @@ +From 60ebd48061949405fe6a69aa921d47b40f474a41 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 06 Jun 2014 07:57:37 -0600 +Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc() + +With the optimizations around not clearing the full request at alloc +time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC +up to the user allocating the request. + +Add a blk_rq_set_block_pc() that sets the command type to +REQ_TYPE_BLOCK_PC, and properly initializes the members associated +with this type of request. Update callers to use this function instead +of manipulating rq->cmd_type directly. + +Includes fixes from Christoph Hellwig for my half-assed +attempt. + +Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce +Signed-off-by: Jens Axboe +--- + +diff --git a/block/blk-core.c b/block/blk-core.c +index bce8d73..7cb3157 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1189,6 +1189,8 @@ + if (unlikely(!rq)) + return ERR_PTR(-ENOMEM); + ++ blk_rq_set_block_pc(rq); ++ + for_each_bio(bio) { + struct bio *bounce_bio = bio; + int ret; +@@ -1206,6 +1208,22 @@ + EXPORT_SYMBOL(blk_make_request); + + /** ++ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC ++ * @rq: request to be initialized ++ * ++ */ ++void blk_rq_set_block_pc(struct request *rq) ++{ ++ rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ rq->__data_len = 0; ++ rq->__sector = (sector_t) -1; ++ rq->bio = rq->biotail = NULL; ++ memset(rq->__cmd, 0, sizeof(rq->__cmd)); ++ rq->cmd = rq->__cmd; ++} ++EXPORT_SYMBOL(blk_rq_set_block_pc); ++ ++/** + * blk_requeue_request - put a request back on queue + * @q: request queue where request should be inserted + * @rq: request to be inserted +diff --git a/block/bsg.c b/block/bsg.c +index 76801e5..0ed26bc 100644 +--- a/block/bsg.c ++++ b/block/bsg.c +@@ -196,7 +196,6 @@ + * fill in request structure + */ + rq->cmd_len = hdr->request_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + rq->timeout = msecs_to_jiffies(hdr->timeout); + if (!rq->timeout) +@@ -273,6 +272,8 @@ + rq = blk_get_request(q, rw, GFP_KERNEL); + if (!rq) + return ERR_PTR(-ENOMEM); ++ blk_rq_set_block_pc(rq); ++ + ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm); + if (ret) + goto out; +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index 1b4988b..ddbcae2 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -233,7 +233,6 @@ + * fill in request structure + */ + rq->cmd_len = hdr->cmd_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + rq->timeout = msecs_to_jiffies(hdr->timeout); + if (!rq->timeout) +@@ -314,6 +313,7 @@ + rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL); + if (!rq) + return -ENOMEM; ++ blk_rq_set_block_pc(rq); + + if (blk_fill_sghdr_rq(q, rq, hdr, mode)) { + blk_put_request(rq); +@@ -512,7 +512,7 @@ + memset(sense, 0, sizeof(sense)); + rq->sense = sense; + rq->sense_len = 0; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(rq); + + blk_execute_rq(q, disk, rq, 0); + +@@ -544,7 +544,7 @@ + int err; + + rq = blk_get_request(q, WRITE, __GFP_WAIT); +- rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(rq); + rq->timeout = BLK_DEFAULT_SG_TIMEOUT; + rq->cmd[0] = cmd; + rq->cmd[4] = data; +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c +index f5d0ea1..caddb5d 100644 +--- a/drivers/block/pktcdvd.c ++++ b/drivers/block/pktcdvd.c +@@ -712,6 +712,7 @@ + + rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ? + WRITE : READ, __GFP_WAIT); ++ blk_rq_set_block_pc(rq); + + if (cgc->buflen) { + if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT)) +@@ -722,7 +723,6 @@ + memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE); + + rq->timeout = 60*HZ; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + if (cgc->quiet) + rq->cmd_flags |= REQ_QUIET; + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 8a3aff7..1ca0772 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2165,6 +2165,7 @@ + ret = -ENOMEM; + break; + } ++ blk_rq_set_block_pc(rq); + + ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL); + if (ret) { +@@ -2184,7 +2185,6 @@ + rq->cmd[9] = 0xf8; + + rq->cmd_len = 12; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->timeout = 60 * HZ; + bio = rq->bio; + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 68adb89..28bf7fb 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -120,6 +120,7 @@ + "%s: blk_get_request failed\n", __func__); + return NULL; + } ++ blk_rq_set_block_pc(rq); + + if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { + blk_put_request(rq); +@@ -128,7 +129,6 @@ + return NULL; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->retries = ALUA_FAILOVER_RETRIES; +diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c +index e1c8be0..6f07f7f 100644 +--- a/drivers/scsi/device_handler/scsi_dh_emc.c ++++ b/drivers/scsi/device_handler/scsi_dh_emc.c +@@ -280,6 +280,7 @@ + return NULL; + } + ++ blk_rq_set_block_pc(rq); + rq->cmd_len = COMMAND_SIZE(cmd); + rq->cmd[0] = cmd; + +@@ -304,7 +305,6 @@ + break; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->timeout = CLARIION_TIMEOUT; +diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c +index 084062b..e9d9fea 100644 +--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c ++++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c +@@ -120,7 +120,7 @@ + if (!req) + return SCSI_DH_RES_TEMP_UNAVAIL; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY); +@@ -250,7 +250,7 @@ + if (!req) + return SCSI_DH_RES_TEMP_UNAVAIL; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + req->cmd_len = COMMAND_SIZE(START_STOP); +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index 69c915a..3916c31 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -279,6 +279,7 @@ + "get_rdac_req: blk_get_request failed.\n"); + return NULL; + } ++ blk_rq_set_block_pc(rq); + + if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { + blk_put_request(rq); +@@ -287,7 +288,6 @@ + return NULL; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->retries = RDAC_RETRIES; +diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c +index aa66361..11bd87e 100644 +--- a/drivers/scsi/osd/osd_initiator.c ++++ b/drivers/scsi/osd/osd_initiator.c +@@ -1570,6 +1570,7 @@ + if (unlikely(!req)) + return ERR_PTR(-ENOMEM); + ++ blk_rq_set_block_pc(req); + return req; + } + } +@@ -1590,7 +1591,6 @@ + } + + or->request = req; +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= REQ_QUIET; + + req->timeout = or->timeout; +@@ -1608,7 +1608,7 @@ + ret = PTR_ERR(req); + goto out; + } +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + or->in.req = or->request->next_rq = req; + } + } else if (has_in) +diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c +index 21883a2..0727ea7 100644 +--- a/drivers/scsi/osst.c ++++ b/drivers/scsi/osst.c +@@ -365,7 +365,7 @@ + if (!req) + return DRIVER_ERROR << 24; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_QUIET; + + SRpnt->bio = NULL; +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 3668b1b..c1e4a74 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1653,6 +1653,8 @@ + */ + req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL); + ++ blk_rq_set_block_pc(req); ++ + req->cmd[0] = ALLOW_MEDIUM_REMOVAL; + req->cmd[1] = 0; + req->cmd[2] = 0; +@@ -1662,7 +1664,6 @@ + + req->cmd_len = COMMAND_SIZE(req->cmd[0]); + +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= REQ_QUIET; + req->timeout = 10 * HZ; + req->retries = 5; +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 9f3168e..49076d1 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -238,6 +238,7 @@ + req = blk_get_request(sdev->request_queue, write, __GFP_WAIT); + if (!req) + return ret; ++ blk_rq_set_block_pc(req); + + if (bufflen && blk_rq_map_kern(sdev->request_queue, req, + buffer, bufflen, __GFP_WAIT)) +@@ -249,7 +250,6 @@ + req->sense_len = 0; + req->retries = retries; + req->timeout = timeout; +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT; + + /* +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index e059ad4..5170506 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1656,10 +1656,9 @@ + if (!rq) + return -ENOMEM; + ++ blk_rq_set_block_pc(rq); + memcpy(rq->cmd, cmd, hp->cmd_len); +- + rq->cmd_len = hp->cmd_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + srp->rq = rq; + rq->end_io_data = srp; +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index 2a32036..7d74f83 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -484,7 +484,7 @@ + if (!req) + return DRIVER_ERROR << 24; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_QUIET; + + mdata->null_mapped = 1; +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 244776b..dff91ee 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1059,6 +1059,8 @@ + ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + goto fail; + } ++ ++ blk_rq_set_block_pc(req); + } else { + BUG_ON(!cmd->data_length); + +@@ -1075,7 +1077,6 @@ + } + } + +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->end_io = pscsi_req_done; + req->end_io_data = cmd; + req->cmd_len = scsi_command_size(pt->pscsi_cdb); +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index e9b04cd..cce84e5 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -742,6 +742,7 @@ + extern struct request *blk_get_request(struct request_queue *, int, gfp_t); + extern struct request *blk_make_request(struct request_queue *, struct bio *, + gfp_t); ++extern void blk_rq_set_block_pc(struct request *); + extern void blk_requeue_request(struct request_queue *, struct request *); + extern int blk_reinsert_request(struct request_queue *q, struct request *rq); + extern bool blk_reinsert_req_sup(struct request_queue *q); diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64 new file mode 100644 index 00000000..514d017e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64 @@ -0,0 +1 @@ +RnJvbSA2MGViZDQ4MDYxOTQ5NDA1ZmU2YTY5YWE5MjFkNDdiNDBmNDc0YTQxIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKZW5zIEF4Ym9lIDxheGJvZUBmYi5jb20+CkRhdGU6IEZyaSwgMDYgSnVuIDIwMTQgMDc6NTc6MzcgLTA2MDAKU3ViamVjdDogW1BBVENIXSBCQUNLUE9SVDogYmxvY2s6IGFkZCBibGtfcnFfc2V0X2Jsb2NrX3BjKCkKCldpdGggdGhlIG9wdGltaXphdGlvbnMgYXJvdW5kIG5vdCBjbGVhcmluZyB0aGUgZnVsbCByZXF1ZXN0IGF0IGFsbG9jCnRpbWUsIHdlIGFyZSBsZWF2aW5nIHNvbWUgb2YgdGhlIG5lZWRlZCBpbml0IGZvciBSRVFfVFlQRV9CTE9DS19QQwp1cCB0byB0aGUgdXNlciBhbGxvY2F0aW5nIHRoZSByZXF1ZXN0LgoKQWRkIGEgYmxrX3JxX3NldF9ibG9ja19wYygpIHRoYXQgc2V0cyB0aGUgY29tbWFuZCB0eXBlIHRvClJFUV9UWVBFX0JMT0NLX1BDLCBhbmQgcHJvcGVybHkgaW5pdGlhbGl6ZXMgdGhlIG1lbWJlcnMgYXNzb2NpYXRlZAp3aXRoIHRoaXMgdHlwZSBvZiByZXF1ZXN0LiBVcGRhdGUgY2FsbGVycyB0byB1c2UgdGhpcyBmdW5jdGlvbiBpbnN0ZWFkCm9mIG1hbmlwdWxhdGluZyBycS0+Y21kX3R5cGUgZGlyZWN0bHkuCgpJbmNsdWRlcyBmaXhlcyBmcm9tIENocmlzdG9waCBIZWxsd2lnIDxoY2hAbHN0LmRlPiBmb3IgbXkgaGFsZi1hc3NlZAphdHRlbXB0LgoKQ2hhbmdlLUlkOiBJZmMzODZkZmI5NTFjNWQ2YWRlYmY0OGZmMzgxMzVkZGEyOGU0YjFjZQpTaWduZWQtb2ZmLWJ5OiBKZW5zIEF4Ym9lIDxheGJvZUBmYi5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL2Jsb2NrL2Jsay1jb3JlLmMgYi9ibG9jay9ibGstY29yZS5jCmluZGV4IGJjZThkNzMuLjdjYjMxNTcgMTAwNjQ0Ci0tLSBhL2Jsb2NrL2Jsay1jb3JlLmMKKysrIGIvYmxvY2svYmxrLWNvcmUuYwpAQCAtMTE4OSw2ICsxMTg5LDggQEAKIAlpZiAodW5saWtlbHkoIXJxKSkKIAkJcmV0dXJuIEVSUl9QVFIoLUVOT01FTSk7CiAKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKwogCWZvcl9lYWNoX2JpbyhiaW8pIHsKIAkJc3RydWN0IGJpbyAqYm91bmNlX2JpbyA9IGJpbzsKIAkJaW50IHJldDsKQEAgLTEyMDYsNiArMTIwOCwyMiBAQAogRVhQT1JUX1NZTUJPTChibGtfbWFrZV9yZXF1ZXN0KTsKIAogLyoqCisgKiBibGtfcnFfc2V0X2Jsb2NrX3BjIC0gaW5pdGlhbGl6ZSBhIHJlcXVlZXN0IHRvIHR5cGUgQkxPQ0tfUEMKKyAqIEBycToJCXJlcXVlc3QgdG8gYmUgaW5pdGlhbGl6ZWQKKyAqCisgKi8KK3ZvaWQgYmxrX3JxX3NldF9ibG9ja19wYyhzdHJ1Y3QgcmVxdWVzdCAqcnEpCit7CisJcnEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CisJcnEtPl9fZGF0YV9sZW4gPSAwOworCXJxLT5fX3NlY3RvciA9IChzZWN0b3JfdCkgLTE7CisJcnEtPmJpbyA9IHJxLT5iaW90YWlsID0gTlVMTDsKKwltZW1zZXQocnEtPl9fY21kLCAwLCBzaXplb2YocnEtPl9fY21kKSk7CisJcnEtPmNtZCA9IHJxLT5fX2NtZDsKK30KK0VYUE9SVF9TWU1CT0woYmxrX3JxX3NldF9ibG9ja19wYyk7CisKKy8qKgogICogYmxrX3JlcXVldWVfcmVxdWVzdCAtIHB1dCBhIHJlcXVlc3QgYmFjayBvbiBxdWV1ZQogICogQHE6CQlyZXF1ZXN0IHF1ZXVlIHdoZXJlIHJlcXVlc3Qgc2hvdWxkIGJlIGluc2VydGVkCiAgKiBAcnE6CQlyZXF1ZXN0IHRvIGJlIGluc2VydGVkCmRpZmYgLS1naXQgYS9ibG9jay9ic2cuYyBiL2Jsb2NrL2JzZy5jCmluZGV4IDc2ODAxZTUuLjBlZDI2YmMgMTAwNjQ0Ci0tLSBhL2Jsb2NrL2JzZy5jCisrKyBiL2Jsb2NrL2JzZy5jCkBAIC0xOTYsNyArMTk2LDYgQEAKIAkgKiBmaWxsIGluIHJlcXVlc3Qgc3RydWN0dXJlCiAJICovCiAJcnEtPmNtZF9sZW4gPSBoZHItPnJlcXVlc3RfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJcnEtPnRpbWVvdXQgPSBtc2Vjc190b19qaWZmaWVzKGhkci0+dGltZW91dCk7CiAJaWYgKCFycS0+dGltZW91dCkKQEAgLTI3Myw2ICsyNzIsOCBAQAogCXJxID0gYmxrX2dldF9yZXF1ZXN0KHEsIHJ3LCBHRlBfS0VSTkVMKTsKIAlpZiAoIXJxKQogCQlyZXR1cm4gRVJSX1BUUigtRU5PTUVNKTsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKwogCXJldCA9IGJsa19maWxsX3NndjRfaGRyX3JxKHEsIHJxLCBoZHIsIGJkLCBoYXNfd3JpdGVfcGVybSk7CiAJaWYgKHJldCkKIAkJZ290byBvdXQ7CmRpZmYgLS1naXQgYS9ibG9jay9zY3NpX2lvY3RsLmMgYi9ibG9jay9zY3NpX2lvY3RsLmMKaW5kZXggMWI0OTg4Yi4uZGRiY2FlMiAxMDA2NDQKLS0tIGEvYmxvY2svc2NzaV9pb2N0bC5jCisrKyBiL2Jsb2NrL3Njc2lfaW9jdGwuYwpAQCAtMjMzLDcgKzIzMyw2IEBACiAJICogZmlsbCBpbiByZXF1ZXN0IHN0cnVjdHVyZQogCSAqLwogCXJxLT5jbWRfbGVuID0gaGRyLT5jbWRfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJcnEtPnRpbWVvdXQgPSBtc2Vjc190b19qaWZmaWVzKGhkci0+dGltZW91dCk7CiAJaWYgKCFycS0+dGltZW91dCkKQEAgLTMxNCw2ICszMTMsNyBAQAogCXJxID0gYmxrX2dldF9yZXF1ZXN0KHEsIHdyaXRpbmcgPyBXUklURSA6IFJFQUQsIEdGUF9LRVJORUwpOwogCWlmICghcnEpCiAJCXJldHVybiAtRU5PTUVNOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGJsa19maWxsX3NnaGRyX3JxKHEsIHJxLCBoZHIsIG1vZGUpKSB7CiAJCWJsa19wdXRfcmVxdWVzdChycSk7CkBAIC01MTIsNyArNTEyLDcgQEAKIAltZW1zZXQoc2Vuc2UsIDAsIHNpemVvZihzZW5zZSkpOwogCXJxLT5zZW5zZSA9IHNlbnNlOwogCXJxLT5zZW5zZV9sZW4gPSAwOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJYmxrX2V4ZWN1dGVfcnEocSwgZGlzaywgcnEsIDApOwogCkBAIC01NDQsNyArNTQ0LDcgQEAKIAlpbnQgZXJyOwogCiAJcnEgPSBibGtfZ2V0X3JlcXVlc3QocSwgV1JJVEUsIF9fR0ZQX1dBSVQpOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCXJxLT50aW1lb3V0ID0gQkxLX0RFRkFVTFRfU0dfVElNRU9VVDsKIAlycS0+Y21kWzBdID0gY21kOwogCXJxLT5jbWRbNF0gPSBkYXRhOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ibG9jay9wa3RjZHZkLmMgYi9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYwppbmRleCBmNWQwZWExLi5jYWRkYjVkIDEwMDY0NAotLS0gYS9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYworKysgYi9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYwpAQCAtNzEyLDYgKzcxMiw3IEBACiAKIAlycSA9IGJsa19nZXRfcmVxdWVzdChxLCAoY2djLT5kYXRhX2RpcmVjdGlvbiA9PSBDR0NfREFUQV9XUklURSkgPwogCQkJICAgICBXUklURSA6IFJFQUQsIF9fR0ZQX1dBSVQpOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGNnYy0+YnVmbGVuKSB7CiAJCWlmIChibGtfcnFfbWFwX2tlcm4ocSwgcnEsIGNnYy0+YnVmZmVyLCBjZ2MtPmJ1ZmxlbiwgX19HRlBfV0FJVCkpCkBAIC03MjIsNyArNzIzLDYgQEAKIAltZW1jcHkocnEtPmNtZCwgY2djLT5jbWQsIENEUk9NX1BBQ0tFVF9TSVpFKTsKIAogCXJxLT50aW1lb3V0ID0gNjAqSFo7Ci0JcnEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJaWYgKGNnYy0+cXVpZXQpCiAJCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCmRpZmYgLS1naXQgYS9kcml2ZXJzL2Nkcm9tL2Nkcm9tLmMgYi9kcml2ZXJzL2Nkcm9tL2Nkcm9tLmMKaW5kZXggOGEzYWZmNy4uMWNhMDc3MiAxMDA2NDQKLS0tIGEvZHJpdmVycy9jZHJvbS9jZHJvbS5jCisrKyBiL2RyaXZlcnMvY2Ryb20vY2Ryb20uYwpAQCAtMjE2NSw2ICsyMTY1LDcgQEAKIAkJCXJldCA9IC1FTk9NRU07CiAJCQlicmVhazsKIAkJfQorCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKIAogCQlyZXQgPSBibGtfcnFfbWFwX3VzZXIocSwgcnEsIE5VTEwsIHVidWYsIGxlbiwgR0ZQX0tFUk5FTCk7CiAJCWlmIChyZXQpIHsKQEAgLTIxODQsNyArMjE4NSw2IEBACiAJCXJxLT5jbWRbOV0gPSAweGY4OwogCiAJCXJxLT5jbWRfbGVuID0gMTI7Ci0JCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCQlycS0+dGltZW91dCA9IDYwICogSFo7CiAJCWJpbyA9IHJxLT5iaW87CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2FsdWEuYyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2FsdWEuYwppbmRleCA2OGFkYjg5Li4yOGJmN2ZiIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9hbHVhLmMKKysrIGIvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfYWx1YS5jCkBAIC0xMjAsNiArMTIwLDcgQEAKIAkJCSAgICAiJXM6IGJsa19nZXRfcmVxdWVzdCBmYWlsZWRcbiIsIF9fZnVuY19fKTsKIAkJcmV0dXJuIE5VTEw7CiAJfQorCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGJ1ZmxlbiAmJiBibGtfcnFfbWFwX2tlcm4ocSwgcnEsIGJ1ZmZlciwgYnVmbGVuLCBHRlBfTk9JTykpIHsKIAkJYmxrX3B1dF9yZXF1ZXN0KHJxKTsKQEAgLTEyOCw3ICsxMjksNiBAQAogCQlyZXR1cm4gTlVMTDsKIAl9CiAKLQlycS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKIAlycS0+Y21kX2ZsYWdzIHw9IFJFUV9GQUlMRkFTVF9ERVYgfCBSRVFfRkFJTEZBU1RfVFJBTlNQT1JUIHwKIAkJCSBSRVFfRkFJTEZBU1RfRFJJVkVSOwogCXJxLT5yZXRyaWVzID0gQUxVQV9GQUlMT1ZFUl9SRVRSSUVTOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfZW1jLmMgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYwppbmRleCBlMWM4YmUwLi42ZjA3ZjdmIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYworKysgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYwpAQCAtMjgwLDYgKzI4MCw3IEBACiAJCXJldHVybiBOVUxMOwogCX0KIAorCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCXJxLT5jbWRfbGVuID0gQ09NTUFORF9TSVpFKGNtZCk7CiAJcnEtPmNtZFswXSA9IGNtZDsKIApAQCAtMzA0LDcgKzMwNSw2IEBACiAJCWJyZWFrOwogCX0KIAotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJIFJFUV9GQUlMRkFTVF9EUklWRVI7CiAJcnEtPnRpbWVvdXQgPSBDTEFSSUlPTl9USU1FT1VUOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfaHBfc3cuYyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2hwX3N3LmMKaW5kZXggMDg0MDYyYi4uZTlkOWZlYSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfaHBfc3cuYworKysgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9ocF9zdy5jCkBAIC0xMjAsNyArMTIwLDcgQEAKIAlpZiAoIXJlcSkKIAkJcmV0dXJuIFNDU0lfREhfUkVTX1RFTVBfVU5BVkFJTDsKIAotCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJICBSRVFfRkFJTEZBU1RfRFJJVkVSOwogCXJlcS0+Y21kX2xlbiA9IENPTU1BTkRfU0laRShURVNUX1VOSVRfUkVBRFkpOwpAQCAtMjUwLDcgKzI1MCw3IEBACiAJaWYgKCFyZXEpCiAJCXJldHVybiBTQ1NJX0RIX1JFU19URU1QX1VOQVZBSUw7CiAKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOwogCXJlcS0+Y21kX2ZsYWdzIHw9IFJFUV9GQUlMRkFTVF9ERVYgfCBSRVFfRkFJTEZBU1RfVFJBTlNQT1JUIHwKIAkJCSAgUkVRX0ZBSUxGQVNUX0RSSVZFUjsKIAlyZXEtPmNtZF9sZW4gPSBDT01NQU5EX1NJWkUoU1RBUlRfU1RPUCk7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9yZGFjLmMgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9yZGFjLmMKaW5kZXggNjljOTE1YS4uMzkxNmMzMSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfcmRhYy5jCisrKyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX3JkYWMuYwpAQCAtMjc5LDYgKzI3OSw3IEBACiAJCQkJImdldF9yZGFjX3JlcTogYmxrX2dldF9yZXF1ZXN0IGZhaWxlZC5cbiIpOwogCQlyZXR1cm4gTlVMTDsKIAl9CisJYmxrX3JxX3NldF9ibG9ja19wYyhycSk7CiAKIAlpZiAoYnVmbGVuICYmIGJsa19ycV9tYXBfa2VybihxLCBycSwgYnVmZmVyLCBidWZsZW4sIEdGUF9OT0lPKSkgewogCQlibGtfcHV0X3JlcXVlc3QocnEpOwpAQCAtMjg3LDcgKzI4OCw2IEBACiAJCXJldHVybiBOVUxMOwogCX0KIAotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJIFJFUV9GQUlMRkFTVF9EUklWRVI7CiAJcnEtPnJldHJpZXMgPSBSREFDX1JFVFJJRVM7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvb3NkL29zZF9pbml0aWF0b3IuYyBiL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCmluZGV4IGFhNjYzNjEuLjExYmQ4N2UgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCisrKyBiL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCkBAIC0xNTcwLDYgKzE1NzAsNyBAQAogCQlpZiAodW5saWtlbHkoIXJlcSkpCiAJCQlyZXR1cm4gRVJSX1BUUigtRU5PTUVNKTsKIAorCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJCXJldHVybiByZXE7CiAJfQogfQpAQCAtMTU5MCw3ICsxNTkxLDYgQEAKIAl9CiAKIAlvci0+cmVxdWVzdCA9IHJlcTsKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCiAJcmVxLT50aW1lb3V0ID0gb3ItPnRpbWVvdXQ7CkBAIC0xNjA4LDcgKzE2MDgsNyBAQAogCQkJCXJldCA9IFBUUl9FUlIocmVxKTsKIAkJCQlnb3RvIG91dDsKIAkJCX0KLQkJCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwkJCWJsa19ycV9zZXRfYmxvY2tfcGMocmVxKTsKIAkJCW9yLT5pbi5yZXEgPSBvci0+cmVxdWVzdC0+bmV4dF9ycSA9IHJlcTsKIAkJfQogCX0gZWxzZSBpZiAoaGFzX2luKQpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL29zc3QuYyBiL2RyaXZlcnMvc2NzaS9vc3N0LmMKaW5kZXggMjE4ODNhMi4uMDcyN2VhNyAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL29zc3QuYworKysgYi9kcml2ZXJzL3Njc2kvb3NzdC5jCkBAIC0zNjUsNyArMzY1LDcgQEAKIAlpZiAoIXJlcSkKIAkJcmV0dXJuIERSSVZFUl9FUlJPUiA8PCAyNDsKIAotCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCiAJU1JwbnQtPmJpbyA9IE5VTEw7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvc2NzaV9lcnJvci5jIGIvZHJpdmVycy9zY3NpL3Njc2lfZXJyb3IuYwppbmRleCAzNjY4YjFiLi5jMWU0YTc0IDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2NzaV9lcnJvci5jCisrKyBiL2RyaXZlcnMvc2NzaS9zY3NpX2Vycm9yLmMKQEAgLTE2NTMsNiArMTY1Myw4IEBACiAJICovCiAJcmVxID0gYmxrX2dldF9yZXF1ZXN0KHNkZXYtPnJlcXVlc3RfcXVldWUsIFJFQUQsIEdGUF9LRVJORUwpOwogCisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOworCiAJcmVxLT5jbWRbMF0gPSBBTExPV19NRURJVU1fUkVNT1ZBTDsKIAlyZXEtPmNtZFsxXSA9IDA7CiAJcmVxLT5jbWRbMl0gPSAwOwpAQCAtMTY2Miw3ICsxNjY0LDYgQEAKIAogCXJlcS0+Y21kX2xlbiA9IENPTU1BTkRfU0laRShyZXEtPmNtZFswXSk7CiAKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCXJlcS0+dGltZW91dCA9IDEwICogSFo7CiAJcmVxLT5yZXRyaWVzID0gNTsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9zY3NpX2xpYi5jIGIvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKaW5kZXggOWYzMTY4ZS4uNDkwNzZkMSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKKysrIGIvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKQEAgLTIzOCw2ICsyMzgsNyBAQAogCXJlcSA9IGJsa19nZXRfcmVxdWVzdChzZGV2LT5yZXF1ZXN0X3F1ZXVlLCB3cml0ZSwgX19HRlBfV0FJVCk7CiAJaWYgKCFyZXEpCiAJCXJldHVybiByZXQ7CisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOwogCiAJaWYgKGJ1ZmZsZW4gJiYJYmxrX3JxX21hcF9rZXJuKHNkZXYtPnJlcXVlc3RfcXVldWUsIHJlcSwKIAkJCQkJYnVmZmVyLCBidWZmbGVuLCBfX0dGUF9XQUlUKSkKQEAgLTI0OSw3ICsyNTAsNiBAQAogCXJlcS0+c2Vuc2VfbGVuID0gMDsKIAlyZXEtPnJldHJpZXMgPSByZXRyaWVzOwogCXJlcS0+dGltZW91dCA9IHRpbWVvdXQ7Ci0JcmVxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJlcS0+Y21kX2ZsYWdzIHw9IGZsYWdzIHwgUkVRX1FVSUVUIHwgUkVRX1BSRUVNUFQ7CiAKIAkvKgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCBlMDU5YWQ0Li41MTcwNTA2IDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtMTY1NiwxMCArMTY1Niw5IEBACiAJaWYgKCFycSkKIAkJcmV0dXJuIC1FTk9NRU07CiAKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKIAltZW1jcHkocnEtPmNtZCwgY21kLCBocC0+Y21kX2xlbik7Ci0KIAlycS0+Y21kX2xlbiA9IGhwLT5jbWRfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJc3JwLT5ycSA9IHJxOwogCXJxLT5lbmRfaW9fZGF0YSA9IHNycDsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9zdC5jIGIvZHJpdmVycy9zY3NpL3N0LmMKaW5kZXggMmEzMjAzNi4uN2Q3NGY4MyAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL3N0LmMKKysrIGIvZHJpdmVycy9zY3NpL3N0LmMKQEAgLTQ4NCw3ICs0ODQsNyBAQAogCWlmICghcmVxKQogCQlyZXR1cm4gRFJJVkVSX0VSUk9SIDw8IDI0OwogCi0JcmVxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocmVxKTsKIAlyZXEtPmNtZF9mbGFncyB8PSBSRVFfUVVJRVQ7CiAKIAltZGF0YS0+bnVsbF9tYXBwZWQgPSAxOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy90YXJnZXQvdGFyZ2V0X2NvcmVfcHNjc2kuYyBiL2RyaXZlcnMvdGFyZ2V0L3RhcmdldF9jb3JlX3BzY3NpLmMKaW5kZXggMjQ0Nzc2Yi4uZGZmOTFlZSAxMDA2NDQKLS0tIGEvZHJpdmVycy90YXJnZXQvdGFyZ2V0X2NvcmVfcHNjc2kuYworKysgYi9kcml2ZXJzL3RhcmdldC90YXJnZXRfY29yZV9wc2NzaS5jCkBAIC0xMDU5LDYgKzEwNTksOCBAQAogCQkJcmV0ID0gVENNX0xPR0lDQUxfVU5JVF9DT01NVU5JQ0FUSU9OX0ZBSUxVUkU7CiAJCQlnb3RvIGZhaWw7CiAJCX0KKworCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJfSBlbHNlIHsKIAkJQlVHX09OKCFjbWQtPmRhdGFfbGVuZ3RoKTsKIApAQCAtMTA3NSw3ICsxMDc3LDYgQEAKIAkJfQogCX0KIAotCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKIAlyZXEtPmVuZF9pbyA9IHBzY3NpX3JlcV9kb25lOwogCXJlcS0+ZW5kX2lvX2RhdGEgPSBjbWQ7CiAJcmVxLT5jbWRfbGVuID0gc2NzaV9jb21tYW5kX3NpemUocHQtPnBzY3NpX2NkYik7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2Jsa2Rldi5oIGIvaW5jbHVkZS9saW51eC9ibGtkZXYuaAppbmRleCBlOWIwNGNkLi5jY2U4NGU1IDEwMDY0NAotLS0gYS9pbmNsdWRlL2xpbnV4L2Jsa2Rldi5oCisrKyBiL2luY2x1ZGUvbGludXgvYmxrZGV2LmgKQEAgLTc0Miw2ICs3NDIsNyBAQAogZXh0ZXJuIHN0cnVjdCByZXF1ZXN0ICpibGtfZ2V0X3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKiwgaW50LCBnZnBfdCk7CiBleHRlcm4gc3RydWN0IHJlcXVlc3QgKmJsa19tYWtlX3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKiwgc3RydWN0IGJpbyAqLAogCQkJCQlnZnBfdCk7CitleHRlcm4gdm9pZCBibGtfcnFfc2V0X2Jsb2NrX3BjKHN0cnVjdCByZXF1ZXN0ICopOwogZXh0ZXJuIHZvaWQgYmxrX3JlcXVldWVfcmVxdWVzdChzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqLCBzdHJ1Y3QgcmVxdWVzdCAqKTsKIGV4dGVybiBpbnQgYmxrX3JlaW5zZXJ0X3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKnEsIHN0cnVjdCByZXF1ZXN0ICpycSk7CiBleHRlcm4gYm9vbCBibGtfcmVpbnNlcnRfcmVxX3N1cChzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqcSk7Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch new file mode 100644 index 00000000..36d3c6a7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch @@ -0,0 +1,263 @@ +From 2c5b488b49d92c02ac28f45e68f366c6a51a8949 Mon Sep 17 00:00:00 2001 +From: Douglas Gilbert +Date: Tue, 03 Jun 2014 13:18:18 -0400 +Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction + + - remove the 16 byte CDB (SCSI command) length limit from the sg driver + by handling longer CDBs the same way as the bsg driver. Remove comment + from sg.h public interface about the cmd_len field being limited to 16 + bytes. + - remove some dead code caused by this change + - cleanup comment block at the top of sg.h, fix urls + +Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755 +Signed-off-by: Douglas Gilbert +Reviewed-by: Mike Christie +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +--- + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 5170506..96d635e 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -7,9 +7,7 @@ + * Original driver (sg.c): + * Copyright (C) 1992 Lawrence Foard + * Version 2 and 3 extensions to driver: +- * Copyright (C) 1998 - 2005 Douglas Gilbert +- * +- * Modified 19-JAN-1998 Richard Gooch Devfs support ++ * Copyright (C) 1998 - 2014 Douglas Gilbert + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -18,11 +16,11 @@ + * + */ + +-static int sg_version_num = 30534; /* 2 digits for each component */ +-#define SG_VERSION_STR "3.5.34" ++static int sg_version_num = 30536; /* 2 digits for each component */ ++#define SG_VERSION_STR "3.5.36" + + /* +- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes: ++ * D. P. Gilbert (dgilbert@interlog.com), notes: + * - scsi logging is available via SCSI_LOG_TIMEOUT macros. First + * the kernel/module needs to be built with CONFIG_SCSI_LOGGING + * (otherwise the macros compile to empty statements). +@@ -64,7 +62,7 @@ + + #ifdef CONFIG_SCSI_PROC_FS + #include +-static char *sg_version_date = "20061027"; ++static char *sg_version_date = "20140603"; + + static int sg_proc_init(void); + static void sg_proc_cleanup(void); +@@ -73,6 +71,12 @@ + #define SG_ALLOW_DIO_DEF 0 + + #define SG_MAX_DEVS 32768 ++ ++/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type ++ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater ++ * than 16 bytes are "variable length" whose length is a multiple of 4 ++ */ ++#define SG_MAX_CDB_SIZE 252 + + /* + * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d) +@@ -161,7 +165,7 @@ + char low_dma; /* as in parent but possibly overridden to 1 */ + char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */ + char cmd_q; /* 1 -> allow command queuing, 0 -> don't */ +- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ ++ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */ + char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ + char mmap_called; /* 0 -> mmap() never called on this fd */ + struct kref f_ref; +@@ -566,7 +570,7 @@ + Sg_request *srp; + struct sg_header old_hdr; + sg_io_hdr_t *hp; +- unsigned char cmnd[MAX_COMMAND_SIZE]; ++ unsigned char cmnd[SG_MAX_CDB_SIZE]; + + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; +@@ -601,12 +605,6 @@ + buf += SZ_SG_HEADER; + __get_user(opcode, buf); + if (sfp->next_cmd_len > 0) { +- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) { +- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n")); +- sfp->next_cmd_len = 0; +- sg_remove_request(sfp, srp); +- return -EIO; +- } + cmd_size = sfp->next_cmd_len; + sfp->next_cmd_len = 0; /* reset so only this write() effected */ + } else { +@@ -678,7 +676,7 @@ + int k; + Sg_request *srp; + sg_io_hdr_t *hp; +- unsigned char cmnd[MAX_COMMAND_SIZE]; ++ unsigned char cmnd[SG_MAX_CDB_SIZE]; + int timeout; + unsigned long ul_timeout; + +@@ -1648,15 +1646,27 @@ + struct request_queue *q = sfp->parentdp->device->request_queue; + struct rq_map_data *md, map_data; + int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ; ++ unsigned char *long_cmdp = NULL; + + SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n", + dxfer_len)); + ++ if (hp->cmd_len > BLK_MAX_CDB) { ++ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL); ++ if (!long_cmdp) ++ return -ENOMEM; ++ } ++ + rq = blk_get_request(q, rw, GFP_ATOMIC); +- if (!rq) ++ if (!rq) { ++ kfree(long_cmdp); + return -ENOMEM; ++ } + + blk_rq_set_block_pc(rq); ++ ++ if (hp->cmd_len > BLK_MAX_CDB) ++ rq->cmd = long_cmdp; + memcpy(rq->cmd, cmd, hp->cmd_len); + rq->cmd_len = hp->cmd_len; + +@@ -1741,6 +1751,8 @@ + if (srp->bio) + ret = blk_rq_unmap_user(srp->bio); + ++ if (srp->rq->cmd != srp->rq->__cmd) ++ kfree(srp->rq->cmd); + blk_put_request(srp->rq); + } + +diff --git a/include/uapi/scsi/sg.h b/include/uapi/scsi/sg.h +index a9f3c6f..d8c0c43 100644 +--- a/include/uapi/scsi/sg.h ++++ b/include/uapi/scsi/sg.h +@@ -4,77 +4,34 @@ + #include + + /* +- History: +- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user +- process control of SCSI devices. +- Development Sponsored by Killy Corp. NY NY +-Original driver (sg.h): +-* Copyright (C) 1992 Lawrence Foard +-Version 2 and 3 extensions to driver: +-* Copyright (C) 1998 - 2006 Douglas Gilbert +- +- Version: 3.5.34 (20060920) +- This version is for 2.6 series kernels. +- +- For a full changelog see http://www.torque.net/sg +- +-Map of SG verions to the Linux kernels in which they appear: +- ---------- ---------------------------------- +- original all kernels < 2.2.6 +- 2.1.40 2.2.20 +- 3.0.x optional version 3 sg driver for 2.2 series +- 3.1.17++ 2.4.0++ +- 3.5.30++ 2.6.0++ +- +-Major new features in SG 3.x driver (cf SG 2.x drivers) +- - SG_IO ioctl() combines function if write() and read() +- - new interface (sg_io_hdr_t) but still supports old interface +- - scatter/gather in user space, direct IO, and mmap supported +- +- The normal action of this driver is to use the adapter (HBA) driver to DMA +- data into kernel buffers and then use the CPU to copy the data into the +- user space (vice versa for writes). That is called "indirect" IO due to +- the double handling of data. There are two methods offered to remove the +- redundant copy: 1) direct IO and 2) using the mmap() system call to map +- the reserve buffer (this driver has one reserve buffer per fd) into the +- user space. Both have their advantages. +- In terms of absolute speed mmap() is faster. If speed is not a concern, +- indirect IO should be fine. Read the documentation for more information. +- +- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or +- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed. +- That attribute is 0 by default. ** +- +- Historical note: this SCSI pass-through driver has been known as "sg" for +- a decade. In broader kernel discussions "sg" is used to refer to scatter +- gather techniques. The context should clarify which "sg" is referred to. +- +- Documentation +- ============= +- A web site for the SG device driver can be found at: +- http://www.torque.net/sg [alternatively check the MAINTAINERS file] +- The documentation for the sg version 3 driver can be found at: +- http://www.torque.net/sg/p/sg_v3_ho.html +- This is a rendering from DocBook source [change the extension to "sgml" +- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon). +- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer). +- For more information see http://www.torque.net/sg/sg_io.html +- +- The older, version 2 documents discuss the original sg interface in detail: +- http://www.torque.net/sg/p/scsi-generic.txt +- http://www.torque.net/sg/p/scsi-generic_long.txt +- Also available: /Documentation/scsi/scsi-generic.txt +- +- Utility and test programs are available at the sg web site. They are +- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils +- (for the lk 2.2 series). +-*/ ++ * History: ++ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user ++ * process control of SCSI devices. ++ * Development Sponsored by Killy Corp. NY NY ++ * ++ * Original driver (sg.h): ++ * Copyright (C) 1992 Lawrence Foard ++ * Version 2 and 3 extensions to driver: ++ * Copyright (C) 1998 - 2014 Douglas Gilbert ++ * ++ * Version: 3.5.36 (20140603) ++ * This version is for 2.6 and 3 series kernels. ++ * ++ * Documentation ++ * ============= ++ * A web site for the SG device driver can be found at: ++ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file] ++ * The documentation for the sg version 3 driver can be found at: ++ * http://sg.danny.cz/sg/p/sg_v3_ho.html ++ * Also see: /Documentation/scsi/scsi-generic.txt ++ * ++ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html ++ */ + + #ifdef __KERNEL__ + extern int sg_big_buff; /* for sysctl */ + #endif + +-/* New interface introduced in the 3.x SG drivers follows */ + + typedef struct sg_iovec /* same structure as used by readv() Linux system */ + { /* call. It defines one scatter-gather element. */ +@@ -87,7 +44,7 @@ + { + int interface_id; /* [i] 'S' for SCSI generic (required) */ + int dxfer_direction; /* [i] data transfer direction */ +- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */ ++ unsigned char cmd_len; /* [i] SCSI command length */ + unsigned char mx_sb_len; /* [i] max length to write to sbp */ + unsigned short iovec_count; /* [i] 0 implies no scatter gather */ + unsigned int dxfer_len; /* [i] byte count of data transfer */ diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 new file mode 100644 index 00000000..e3b54463 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64 @@ -0,0 +1 @@ +RnJvbSAyYzViNDg4YjQ5ZDkyYzAyYWMyOGY0NWU2OGYzNjZjNmE1MWE4OTQ5IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KRGF0ZTogVHVlLCAwMyBKdW4gMjAxNCAxMzoxODoxOCAtMDQwMApTdWJqZWN0OiBbUEFUQ0hdIEJBQ0tQT1JUOiBzZzogcmVsYXggMTYgYnl0ZSBjZGIgcmVzdHJpY3Rpb24KCiAtIHJlbW92ZSB0aGUgMTYgYnl0ZSBDREIgKFNDU0kgY29tbWFuZCkgbGVuZ3RoIGxpbWl0IGZyb20gdGhlIHNnIGRyaXZlcgogICBieSBoYW5kbGluZyBsb25nZXIgQ0RCcyB0aGUgc2FtZSB3YXkgYXMgdGhlIGJzZyBkcml2ZXIuIFJlbW92ZSBjb21tZW50CiAgIGZyb20gc2cuaCBwdWJsaWMgaW50ZXJmYWNlIGFib3V0IHRoZSBjbWRfbGVuIGZpZWxkIGJlaW5nIGxpbWl0ZWQgdG8gMTYKICAgYnl0ZXMuCiAtIHJlbW92ZSBzb21lIGRlYWQgY29kZSBjYXVzZWQgYnkgdGhpcyBjaGFuZ2UKIC0gY2xlYW51cCBjb21tZW50IGJsb2NrIGF0IHRoZSB0b3Agb2Ygc2cuaCwgZml4IHVybHMKCkNoYW5nZS1JZDogSWU4MTUwZTUzNzViMzMxNmQ1ZDUyMDZmMDc5YzRhNTBmMWM1MGI3NTUKU2lnbmVkLW9mZi1ieTogRG91Z2xhcyBHaWxiZXJ0IDxkZ2lsYmVydEBpbnRlcmxvZy5jb20+ClJldmlld2VkLWJ5OiBNaWtlIENocmlzdGllIDxtaWNoYWVsY0Bjcy53aXNjLmVkdT4KUmV2aWV3ZWQtYnk6IEhhbm5lcyBSZWluZWNrZSA8aGFyZUBzdXNlLmRlPgpTaWduZWQtb2ZmLWJ5OiBDaHJpc3RvcGggSGVsbHdpZyA8aGNoQGxzdC5kZT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA1MTcwNTA2Li45NmQ2MzVlIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtNyw5ICs3LDcgQEAKICAqIE9yaWdpbmFsIGRyaXZlciAoc2cuYyk6CiAgKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTkyIExhd3JlbmNlIEZvYXJkCiAgKiBWZXJzaW9uIDIgYW5kIDMgZXh0ZW5zaW9ucyB0byBkcml2ZXI6Ci0gKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAwNSBEb3VnbGFzIEdpbGJlcnQKLSAqCi0gKiAgTW9kaWZpZWQgIDE5LUpBTi0xOTk4ICBSaWNoYXJkIEdvb2NoIDxyZ29vY2hAYXRuZi5jc2lyby5hdT4gIERldmZzIHN1cHBvcnQKKyAqICAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTggLSAyMDE0IERvdWdsYXMgR2lsYmVydAogICoKICAqIFRoaXMgcHJvZ3JhbSBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IgbW9kaWZ5CiAgKiBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieQpAQCAtMTgsMTEgKzE2LDExIEBACiAgKgogICovCiAKLXN0YXRpYyBpbnQgc2dfdmVyc2lvbl9udW0gPSAzMDUzNDsJLyogMiBkaWdpdHMgZm9yIGVhY2ggY29tcG9uZW50ICovCi0jZGVmaW5lIFNHX1ZFUlNJT05fU1RSICIzLjUuMzQiCitzdGF0aWMgaW50IHNnX3ZlcnNpb25fbnVtID0gMzA1MzY7CS8qIDIgZGlnaXRzIGZvciBlYWNoIGNvbXBvbmVudCAqLworI2RlZmluZSBTR19WRVJTSU9OX1NUUiAiMy41LjM2IgogCiAvKgotICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSwgZG91Z2dAdHJpb2RlLm5ldC5hdSksIG5vdGVzOgorICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSksIG5vdGVzOgogICogICAgICAtIHNjc2kgbG9nZ2luZyBpcyBhdmFpbGFibGUgdmlhIFNDU0lfTE9HX1RJTUVPVVQgbWFjcm9zLiBGaXJzdAogICogICAgICAgIHRoZSBrZXJuZWwvbW9kdWxlIG5lZWRzIHRvIGJlIGJ1aWx0IHdpdGggQ09ORklHX1NDU0lfTE9HR0lORwogICogICAgICAgIChvdGhlcndpc2UgdGhlIG1hY3JvcyBjb21waWxlIHRvIGVtcHR5IHN0YXRlbWVudHMpLgpAQCAtNjQsNyArNjIsNyBAQAogCiAjaWZkZWYgQ09ORklHX1NDU0lfUFJPQ19GUwogI2luY2x1ZGUgPGxpbnV4L3Byb2NfZnMuaD4KLXN0YXRpYyBjaGFyICpzZ192ZXJzaW9uX2RhdGUgPSAiMjAwNjEwMjciOworc3RhdGljIGNoYXIgKnNnX3ZlcnNpb25fZGF0ZSA9ICIyMDE0MDYwMyI7CiAKIHN0YXRpYyBpbnQgc2dfcHJvY19pbml0KHZvaWQpOwogc3RhdGljIHZvaWQgc2dfcHJvY19jbGVhbnVwKHZvaWQpOwpAQCAtNzMsNiArNzEsMTIgQEAKICNkZWZpbmUgU0dfQUxMT1dfRElPX0RFRiAwCiAKICNkZWZpbmUgU0dfTUFYX0RFVlMgMzI3NjgKKworLyogU0dfTUFYX0NEQl9TSVpFIHNob3VsZCBiZSAyNjAgKHNwYzRyMzcgc2VjdGlvbiAzLjEuMzApIGhvd2V2ZXIgdGhlIHR5cGUKKyAqIG9mIHNnX2lvX2hkcjo6Y21kX2xlbiBjYW4gb25seSByZXByZXNlbnQgMjU1LiBBbGwgU0NTSSBjb21tYW5kcyBncmVhdGVyCisgKiB0aGFuIDE2IGJ5dGVzIGFyZSAidmFyaWFibGUgbGVuZ3RoIiB3aG9zZSBsZW5ndGggaXMgYSBtdWx0aXBsZSBvZiA0CisgKi8KKyNkZWZpbmUgU0dfTUFYX0NEQl9TSVpFIDI1MgogCiAvKgogICogU3VwcG9zZSB5b3Ugd2FudCB0byBjYWxjdWxhdGUgdGhlIGZvcm11bGEgbXVsZGl2KHgsbSxkKT1pbnQoeCAqIG0gLyBkKQpAQCAtMTYxLDcgKzE2NSw3IEBACiAJY2hhciBsb3dfZG1hOwkJLyogYXMgaW4gcGFyZW50IGJ1dCBwb3NzaWJseSBvdmVycmlkZGVuIHRvIDEgKi8KIAljaGFyIGZvcmNlX3BhY2tpZDsJLyogMSAtPiBwYWNrX2lkIGlucHV0IHRvIHJlYWQoKSwgMCAtPiBpZ25vcmVkICovCiAJY2hhciBjbWRfcTsJCS8qIDEgLT4gYWxsb3cgY29tbWFuZCBxdWV1aW5nLCAwIC0+IGRvbid0ICovCi0JY2hhciBuZXh0X2NtZF9sZW47CS8qIDAgLT4gYXV0b21hdGljIChkZWYpLCA+MCAtPiB1c2Ugb24gbmV4dCB3cml0ZSgpICovCisJdW5zaWduZWQgY2hhciBuZXh0X2NtZF9sZW47IC8qIDA6IGF1dG9tYXRpYywgPjA6IHVzZSBvbiBuZXh0IHdyaXRlKCkgKi8KIAljaGFyIGtlZXBfb3JwaGFuOwkvKiAwIC0+IGRyb3Agb3JwaGFuIChkZWYpLCAxIC0+IGtlZXAgZm9yIHJlYWQoKSAqLwogCWNoYXIgbW1hcF9jYWxsZWQ7CS8qIDAgLT4gbW1hcCgpIG5ldmVyIGNhbGxlZCBvbiB0aGlzIGZkICovCiAJc3RydWN0IGtyZWYgZl9yZWY7CkBAIC01NjYsNyArNTcwLDcgQEAKIAlTZ19yZXF1ZXN0ICpzcnA7CiAJc3RydWN0IHNnX2hlYWRlciBvbGRfaGRyOwogCXNnX2lvX2hkcl90ICpocDsKLQl1bnNpZ25lZCBjaGFyIGNtbmRbTUFYX0NPTU1BTkRfU0laRV07CisJdW5zaWduZWQgY2hhciBjbW5kW1NHX01BWF9DREJfU0laRV07CiAKIAlpZiAodW5saWtlbHkoc2VnbWVudF9lcShnZXRfZnMoKSwgS0VSTkVMX0RTKSkpCiAJCXJldHVybiAtRUlOVkFMOwpAQCAtNjAxLDEyICs2MDUsNiBAQAogCWJ1ZiArPSBTWl9TR19IRUFERVI7CiAJX19nZXRfdXNlcihvcGNvZGUsIGJ1Zik7CiAJaWYgKHNmcC0+bmV4dF9jbWRfbGVuID4gMCkgewotCQlpZiAoc2ZwLT5uZXh0X2NtZF9sZW4gPiBNQVhfQ09NTUFORF9TSVpFKSB7Ci0JCQlTQ1NJX0xPR19USU1FT1VUKDEsIHByaW50aygic2dfd3JpdGU6IGNvbW1hbmQgbGVuZ3RoIHRvbyBsb25nXG4iKSk7Ci0JCQlzZnAtPm5leHRfY21kX2xlbiA9IDA7Ci0JCQlzZ19yZW1vdmVfcmVxdWVzdChzZnAsIHNycCk7Ci0JCQlyZXR1cm4gLUVJTzsKLQkJfQogCQljbWRfc2l6ZSA9IHNmcC0+bmV4dF9jbWRfbGVuOwogCQlzZnAtPm5leHRfY21kX2xlbiA9IDA7CS8qIHJlc2V0IHNvIG9ubHkgdGhpcyB3cml0ZSgpIGVmZmVjdGVkICovCiAJfSBlbHNlIHsKQEAgLTY3OCw3ICs2NzYsNyBAQAogCWludCBrOwogCVNnX3JlcXVlc3QgKnNycDsKIAlzZ19pb19oZHJfdCAqaHA7Ci0JdW5zaWduZWQgY2hhciBjbW5kW01BWF9DT01NQU5EX1NJWkVdOworCXVuc2lnbmVkIGNoYXIgY21uZFtTR19NQVhfQ0RCX1NJWkVdOwogCWludCB0aW1lb3V0OwogCXVuc2lnbmVkIGxvbmcgdWxfdGltZW91dDsKIApAQCAtMTY0OCwxNSArMTY0NiwyNyBAQAogCXN0cnVjdCByZXF1ZXN0X3F1ZXVlICpxID0gc2ZwLT5wYXJlbnRkcC0+ZGV2aWNlLT5yZXF1ZXN0X3F1ZXVlOwogCXN0cnVjdCBycV9tYXBfZGF0YSAqbWQsIG1hcF9kYXRhOwogCWludCBydyA9IGhwLT5keGZlcl9kaXJlY3Rpb24gPT0gU0dfRFhGRVJfVE9fREVWID8gV1JJVEUgOiBSRUFEOworCXVuc2lnbmVkIGNoYXIgKmxvbmdfY21kcCA9IE5VTEw7CiAKIAlTQ1NJX0xPR19USU1FT1VUKDQsIHByaW50ayhLRVJOX0lORk8gInNnX3N0YXJ0X3JlcTogZHhmZXJfbGVuPSVkXG4iLAogCQkJCSAgIGR4ZmVyX2xlbikpOwogCisJaWYgKGhwLT5jbWRfbGVuID4gQkxLX01BWF9DREIpIHsKKwkJbG9uZ19jbWRwID0ga3phbGxvYyhocC0+Y21kX2xlbiwgR0ZQX0tFUk5FTCk7CisJCWlmICghbG9uZ19jbWRwKQorCQkJcmV0dXJuIC1FTk9NRU07CisJfQorCiAJcnEgPSBibGtfZ2V0X3JlcXVlc3QocSwgcncsIEdGUF9BVE9NSUMpOwotCWlmICghcnEpCisJaWYgKCFycSkgeworCQlrZnJlZShsb25nX2NtZHApOwogCQlyZXR1cm4gLUVOT01FTTsKKwl9CiAKIAlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKworCWlmIChocC0+Y21kX2xlbiA+IEJMS19NQVhfQ0RCKQorCQlycS0+Y21kID0gbG9uZ19jbWRwOwogCW1lbWNweShycS0+Y21kLCBjbWQsIGhwLT5jbWRfbGVuKTsKIAlycS0+Y21kX2xlbiA9IGhwLT5jbWRfbGVuOwogCkBAIC0xNzQxLDYgKzE3NTEsOCBAQAogCQlpZiAoc3JwLT5iaW8pCiAJCQlyZXQgPSBibGtfcnFfdW5tYXBfdXNlcihzcnAtPmJpbyk7CiAKKwkJaWYgKHNycC0+cnEtPmNtZCAhPSBzcnAtPnJxLT5fX2NtZCkKKwkJCWtmcmVlKHNycC0+cnEtPmNtZCk7CiAJCWJsa19wdXRfcmVxdWVzdChzcnAtPnJxKTsKIAl9CiAKZGlmZiAtLWdpdCBhL2luY2x1ZGUvdWFwaS9zY3NpL3NnLmggYi9pbmNsdWRlL3VhcGkvc2NzaS9zZy5oCmluZGV4IGE5ZjNjNmYuLmQ4YzBjNDMgMTAwNjQ0Ci0tLSBhL2luY2x1ZGUvdWFwaS9zY3NpL3NnLmgKKysrIGIvaW5jbHVkZS91YXBpL3Njc2kvc2cuaApAQCAtNCw3NyArNCwzNCBAQAogI2luY2x1ZGUgPGxpbnV4L2NvbXBpbGVyLmg+CiAKIC8qCi0gICBIaXN0b3J5OgotICAgIFN0YXJ0ZWQ6IEF1ZyA5IGJ5IExhd3JlbmNlIEZvYXJkIChlbnRyb3B5QHdvcmxkLnN0ZC5jb20pLCB0byBhbGxvdyB1c2VyCi0gICAgIHByb2Nlc3MgY29udHJvbCBvZiBTQ1NJIGRldmljZXMuCi0gICAgRGV2ZWxvcG1lbnQgU3BvbnNvcmVkIGJ5IEtpbGx5IENvcnAuIE5ZIE5ZCi1PcmlnaW5hbCBkcml2ZXIgKHNnLmgpOgotKiAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTIgTGF3cmVuY2UgRm9hcmQKLVZlcnNpb24gMiBhbmQgMyBleHRlbnNpb25zIHRvIGRyaXZlcjoKLSogICAgICAgQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAwNiBEb3VnbGFzIEdpbGJlcnQKLQotICAgIFZlcnNpb246IDMuNS4zNCAoMjAwNjA5MjApCi0gICAgVGhpcyB2ZXJzaW9uIGlzIGZvciAyLjYgc2VyaWVzIGtlcm5lbHMuCi0KLSAgICBGb3IgYSBmdWxsIGNoYW5nZWxvZyBzZWUgaHR0cDovL3d3dy50b3JxdWUubmV0L3NnCi0KLU1hcCBvZiBTRyB2ZXJpb25zIHRvIHRoZSBMaW51eCBrZXJuZWxzIGluIHdoaWNoIHRoZXkgYXBwZWFyOgotICAgICAgIC0tLS0tLS0tLS0gICAgICAgIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLSAgICAgICBvcmlnaW5hbCAgICAgICAgICBhbGwga2VybmVscyA8IDIuMi42Ci0gICAgICAgMi4xLjQwICAgICAgICAgICAgMi4yLjIwCi0gICAgICAgMy4wLnggICAgICAgICAgICAgb3B0aW9uYWwgdmVyc2lvbiAzIHNnIGRyaXZlciBmb3IgMi4yIHNlcmllcwotICAgICAgIDMuMS4xNysrICAgICAgICAgIDIuNC4wKysKLSAgICAgICAzLjUuMzArKyAgICAgICAgICAyLjYuMCsrCi0KLU1ham9yIG5ldyBmZWF0dXJlcyBpbiBTRyAzLnggZHJpdmVyIChjZiBTRyAyLnggZHJpdmVycykKLQktIFNHX0lPIGlvY3RsKCkgY29tYmluZXMgZnVuY3Rpb24gaWYgd3JpdGUoKSBhbmQgcmVhZCgpCi0JLSBuZXcgaW50ZXJmYWNlIChzZ19pb19oZHJfdCkgYnV0IHN0aWxsIHN1cHBvcnRzIG9sZCBpbnRlcmZhY2UKLQktIHNjYXR0ZXIvZ2F0aGVyIGluIHVzZXIgc3BhY2UsIGRpcmVjdCBJTywgYW5kIG1tYXAgc3VwcG9ydGVkCi0KLSBUaGUgbm9ybWFsIGFjdGlvbiBvZiB0aGlzIGRyaXZlciBpcyB0byB1c2UgdGhlIGFkYXB0ZXIgKEhCQSkgZHJpdmVyIHRvIERNQQotIGRhdGEgaW50byBrZXJuZWwgYnVmZmVycyBhbmQgdGhlbiB1c2UgdGhlIENQVSB0byBjb3B5IHRoZSBkYXRhIGludG8gdGhlIAotIHVzZXIgc3BhY2UgKHZpY2UgdmVyc2EgZm9yIHdyaXRlcykuIFRoYXQgaXMgY2FsbGVkICJpbmRpcmVjdCIgSU8gZHVlIHRvIAotIHRoZSBkb3VibGUgaGFuZGxpbmcgb2YgZGF0YS4gVGhlcmUgYXJlIHR3byBtZXRob2RzIG9mZmVyZWQgdG8gcmVtb3ZlIHRoZQotIHJlZHVuZGFudCBjb3B5OiAxKSBkaXJlY3QgSU8gYW5kIDIpIHVzaW5nIHRoZSBtbWFwKCkgc3lzdGVtIGNhbGwgdG8gbWFwCi0gdGhlIHJlc2VydmUgYnVmZmVyICh0aGlzIGRyaXZlciBoYXMgb25lIHJlc2VydmUgYnVmZmVyIHBlciBmZCkgaW50byB0aGUKLSB1c2VyIHNwYWNlLiBCb3RoIGhhdmUgdGhlaXIgYWR2YW50YWdlcy4KLSBJbiB0ZXJtcyBvZiBhYnNvbHV0ZSBzcGVlZCBtbWFwKCkgaXMgZmFzdGVyLiBJZiBzcGVlZCBpcyBub3QgYSBjb25jZXJuLCAKLSBpbmRpcmVjdCBJTyBzaG91bGQgYmUgZmluZS4gUmVhZCB0aGUgZG9jdW1lbnRhdGlvbiBmb3IgbW9yZSBpbmZvcm1hdGlvbi4KLQotICoqIE4uQi4gVG8gdXNlIGRpcmVjdCBJTyAnZWNobyAxID4gL3Byb2Mvc2NzaS9zZy9hbGxvd19kaW8nIG9yCi0gICAgICAgICAnZWNobyAxID4gL3N5cy9tb2R1bGUvc2cvcGFyYW1ldGVycy9hbGxvd19kaW8nIGlzIG5lZWRlZC4KLSAgICAgICAgIFRoYXQgYXR0cmlidXRlIGlzIDAgYnkgZGVmYXVsdC4gKioKLSAKLSBIaXN0b3JpY2FsIG5vdGU6IHRoaXMgU0NTSSBwYXNzLXRocm91Z2ggZHJpdmVyIGhhcyBiZWVuIGtub3duIGFzICJzZyIgZm9yIAotIGEgZGVjYWRlLiBJbiBicm9hZGVyIGtlcm5lbCBkaXNjdXNzaW9ucyAic2ciIGlzIHVzZWQgdG8gcmVmZXIgdG8gc2NhdHRlcgotIGdhdGhlciB0ZWNobmlxdWVzLiBUaGUgY29udGV4dCBzaG91bGQgY2xhcmlmeSB3aGljaCAic2ciIGlzIHJlZmVycmVkIHRvLgotCi0gRG9jdW1lbnRhdGlvbgotID09PT09PT09PT09PT0KLSBBIHdlYiBzaXRlIGZvciB0aGUgU0cgZGV2aWNlIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6Ci0JaHR0cDovL3d3dy50b3JxdWUubmV0L3NnICBbYWx0ZXJuYXRpdmVseSBjaGVjayB0aGUgTUFJTlRBSU5FUlMgZmlsZV0KLSBUaGUgZG9jdW1lbnRhdGlvbiBmb3IgdGhlIHNnIHZlcnNpb24gMyBkcml2ZXIgY2FuIGJlIGZvdW5kIGF0OgotIAlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cvcC9zZ192M19oby5odG1sCi0gVGhpcyBpcyBhIHJlbmRlcmluZyBmcm9tIERvY0Jvb2sgc291cmNlIFtjaGFuZ2UgdGhlIGV4dGVuc2lvbiB0byAic2dtbCIKLSBvciAieG1sIl0uIFRoZXJlIGFyZSByZW5kZXJpbmdzIGluICJwcyIsICJwZGYiLCAicnRmIiBhbmQgInR4dCIgKHNvb24pLgotIFRoZSBTR19JTyBpb2N0bCBpcyBub3cgZm91bmQgaW4gb3RoZXIgcGFydHMga2VybmVsIChlLmcuIHRoZSBibG9jayBsYXllcikuCi0gRm9yIG1vcmUgaW5mb3JtYXRpb24gc2VlIGh0dHA6Ly93d3cudG9ycXVlLm5ldC9zZy9zZ19pby5odG1sCi0KLSBUaGUgb2xkZXIsIHZlcnNpb24gMiBkb2N1bWVudHMgZGlzY3VzcyB0aGUgb3JpZ2luYWwgc2cgaW50ZXJmYWNlIGluIGRldGFpbDoKLQlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cvcC9zY3NpLWdlbmVyaWMudHh0Ci0JaHR0cDovL3d3dy50b3JxdWUubmV0L3NnL3Avc2NzaS1nZW5lcmljX2xvbmcudHh0Ci0gQWxzbyBhdmFpbGFibGU6IDxrZXJuZWxfc291cmNlPi9Eb2N1bWVudGF0aW9uL3Njc2kvc2NzaS1nZW5lcmljLnR4dAotCi0gVXRpbGl0eSBhbmQgdGVzdCBwcm9ncmFtcyBhcmUgYXZhaWxhYmxlIGF0IHRoZSBzZyB3ZWIgc2l0ZS4gVGhleSBhcmUgCi0gcGFja2FnZWQgYXMgc2czX3V0aWxzIChmb3IgdGhlIGxrIDIuNCBhbmQgMi42IHNlcmllcykgYW5kIHNnX3V0aWxzCi0gKGZvciB0aGUgbGsgMi4yIHNlcmllcykuCi0qLworICogSGlzdG9yeToKKyAqICBTdGFydGVkOiBBdWcgOSBieSBMYXdyZW5jZSBGb2FyZCAoZW50cm9weUB3b3JsZC5zdGQuY29tKSwgdG8gYWxsb3cgdXNlcgorICogICBwcm9jZXNzIGNvbnRyb2wgb2YgU0NTSSBkZXZpY2VzLgorICogIERldmVsb3BtZW50IFNwb25zb3JlZCBieSBLaWxseSBDb3JwLiBOWSBOWQorICoKKyAqIE9yaWdpbmFsIGRyaXZlciAoc2cuaCk6CisgKiAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTIgTGF3cmVuY2UgRm9hcmQKKyAqIFZlcnNpb24gMiBhbmQgMyBleHRlbnNpb25zIHRvIGRyaXZlcjoKKyAqCUNvcHlyaWdodCAoQykgMTk5OCAtIDIwMTQgRG91Z2xhcyBHaWxiZXJ0CisgKgorICogIFZlcnNpb246IDMuNS4zNiAoMjAxNDA2MDMpCisgKiAgVGhpcyB2ZXJzaW9uIGlzIGZvciAyLjYgYW5kIDMgc2VyaWVzIGtlcm5lbHMuCisgKgorICogRG9jdW1lbnRhdGlvbgorICogPT09PT09PT09PT09PQorICogQSB3ZWIgc2l0ZSBmb3IgdGhlIFNHIGRldmljZSBkcml2ZXIgY2FuIGJlIGZvdW5kIGF0OgorICoJaHR0cDovL3NnLmRhbm55LmN6L3NnICBbYWx0ZXJuYXRpdmVseSBjaGVjayB0aGUgTUFJTlRBSU5FUlMgZmlsZV0KKyAqIFRoZSBkb2N1bWVudGF0aW9uIGZvciB0aGUgc2cgdmVyc2lvbiAzIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6CisgKglodHRwOi8vc2cuZGFubnkuY3ovc2cvcC9zZ192M19oby5odG1sCisgKiBBbHNvIHNlZTogPGtlcm5lbF9zb3VyY2U+L0RvY3VtZW50YXRpb24vc2NzaS9zY3NpLWdlbmVyaWMudHh0CisgKgorICogRm9yIHV0aWxpdHkgYW5kIHRlc3QgcHJvZ3JhbXMgc2VlOiBodHRwOi8vc2cuZGFubnkuY3ovc2cvc2czX3V0aWxzLmh0bWwKKyAqLwogCiAjaWZkZWYgX19LRVJORUxfXwogZXh0ZXJuIGludCBzZ19iaWdfYnVmZjsgLyogZm9yIHN5c2N0bCAqLwogI2VuZGlmCiAKLS8qIE5ldyBpbnRlcmZhY2UgaW50cm9kdWNlZCBpbiB0aGUgMy54IFNHIGRyaXZlcnMgZm9sbG93cyAqLwogCiB0eXBlZGVmIHN0cnVjdCBzZ19pb3ZlYyAvKiBzYW1lIHN0cnVjdHVyZSBhcyB1c2VkIGJ5IHJlYWR2KCkgTGludXggc3lzdGVtICovCiB7ICAgICAgICAgICAgICAgICAgICAgICAvKiBjYWxsLiBJdCBkZWZpbmVzIG9uZSBzY2F0dGVyLWdhdGhlciBlbGVtZW50LiAqLwpAQCAtODcsNyArNDQsNyBAQAogewogICAgIGludCBpbnRlcmZhY2VfaWQ7ICAgICAgICAgICAvKiBbaV0gJ1MnIGZvciBTQ1NJIGdlbmVyaWMgKHJlcXVpcmVkKSAqLwogICAgIGludCBkeGZlcl9kaXJlY3Rpb247ICAgICAgICAvKiBbaV0gZGF0YSB0cmFuc2ZlciBkaXJlY3Rpb24gICovCi0gICAgdW5zaWduZWQgY2hhciBjbWRfbGVuOyAgICAgIC8qIFtpXSBTQ1NJIGNvbW1hbmQgbGVuZ3RoICggPD0gMTYgYnl0ZXMpICovCisgICAgdW5zaWduZWQgY2hhciBjbWRfbGVuOyAgICAgIC8qIFtpXSBTQ1NJIGNvbW1hbmQgbGVuZ3RoICovCiAgICAgdW5zaWduZWQgY2hhciBteF9zYl9sZW47ICAgIC8qIFtpXSBtYXggbGVuZ3RoIHRvIHdyaXRlIHRvIHNicCAqLwogICAgIHVuc2lnbmVkIHNob3J0IGlvdmVjX2NvdW50OyAvKiBbaV0gMCBpbXBsaWVzIG5vIHNjYXR0ZXIgZ2F0aGVyICovCiAgICAgdW5zaWduZWQgaW50IGR4ZmVyX2xlbjsgICAgIC8qIFtpXSBieXRlIGNvdW50IG9mIGRhdGEgdHJhbnNmZXIgKi8K \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch new file mode 100644 index 00000000..218df720 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch @@ -0,0 +1,29 @@ +From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001 +From: peter chang +Date: Wed, 15 Feb 2017 14:11:54 -0800 +Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN + +The user can control the size of the next command passed along, but the +value passed to the ioctl isn't checked against the usable max command +size. + +Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c +Cc: +Signed-off-by: Peter Chang +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +--- + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 96d635e..4a6b13b 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -978,6 +978,8 @@ + result = get_user(val, ip); + if (result) + return result; ++ if (val > SG_MAX_CDB_SIZE) ++ return -ENOMEM; + sfp->next_cmd_len = (val > 0) ? val : 0; + return 0; + case SG_GET_VERSION_NUM: diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64 new file mode 100644 index 00000000..dfa5014d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64 @@ -0,0 +1 @@ +RnJvbSAwYmY1ZGM5OTNjZjZiZTFiMWRkNzE2ZmIwNWMxZmE4NDYyMzA5M2U1IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBwZXRlciBjaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkRhdGU6IFdlZCwgMTUgRmViIDIwMTcgMTQ6MTE6NTQgLTA4MDAKU3ViamVjdDogW1BBVENIXSBzY3NpOiBzZzogY2hlY2sgbGVuZ3RoIHBhc3NlZCB0byBTR19ORVhUX0NNRF9MRU4KClRoZSB1c2VyIGNhbiBjb250cm9sIHRoZSBzaXplIG9mIHRoZSBuZXh0IGNvbW1hbmQgcGFzc2VkIGFsb25nLCBidXQgdGhlCnZhbHVlIHBhc3NlZCB0byB0aGUgaW9jdGwgaXNuJ3QgY2hlY2tlZCBhZ2FpbnN0IHRoZSB1c2FibGUgbWF4IGNvbW1hbmQKc2l6ZS4KCkNoYW5nZS1JZDogSTllOGViOGNhMDU4YzAxMDNhMjJmNWQ5OWQ3NzkxOTQzMjg5M2FhNGMKQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgpTaWduZWQtb2ZmLWJ5OiBQZXRlciBDaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KU2lnbmVkLW9mZi1ieTogTWFydGluIEsuIFBldGVyc2VuIDxtYXJ0aW4ucGV0ZXJzZW5Ab3JhY2xlLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA5NmQ2MzVlLi40YTZiMTNiIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtOTc4LDYgKzk3OCw4IEBACiAJCXJlc3VsdCA9IGdldF91c2VyKHZhbCwgaXApOwogCQlpZiAocmVzdWx0KQogCQkJcmV0dXJuIHJlc3VsdDsKKwkJaWYgKHZhbCA+IFNHX01BWF9DREJfU0laRSkKKwkJCXJldHVybiAtRU5PTUVNOwogCQlzZnAtPm5leHRfY21kX2xlbiA9ICh2YWwgPiAwKSA/IHZhbCA6IDA7CiAJCXJldHVybiAwOwogCWNhc2UgU0dfR0VUX1ZFUlNJT05fTlVNOgo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch new file mode 100644 index 00000000..a6938be5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch @@ -0,0 +1,383 @@ +From 1f0843591703c3d664a236e2d3a7a855fa9451d6 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 06 Jun 2014 07:57:37 -0600 +Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc() + +With the optimizations around not clearing the full request at alloc +time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC +up to the user allocating the request. + +Add a blk_rq_set_block_pc() that sets the command type to +REQ_TYPE_BLOCK_PC, and properly initializes the members associated +with this type of request. Update callers to use this function instead +of manipulating rq->cmd_type directly. + +Includes fixes from Christoph Hellwig for my half-assed +attempt. + +Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce +Signed-off-by: Jens Axboe +--- + +diff --git a/block/blk-core.c b/block/blk-core.c +index eb0ec60..c7f7637 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1043,6 +1043,8 @@ + if (unlikely(!rq)) + return ERR_PTR(-ENOMEM); + ++ blk_rq_set_block_pc(rq); ++ + for_each_bio(bio) { + struct bio *bounce_bio = bio; + int ret; +@@ -1060,6 +1062,22 @@ + EXPORT_SYMBOL(blk_make_request); + + /** ++ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC ++ * @rq: request to be initialized ++ * ++ */ ++void blk_rq_set_block_pc(struct request *rq) ++{ ++ rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ rq->__data_len = 0; ++ rq->__sector = (sector_t) -1; ++ rq->bio = rq->biotail = NULL; ++ memset(rq->__cmd, 0, sizeof(rq->__cmd)); ++ rq->cmd = rq->__cmd; ++} ++EXPORT_SYMBOL(blk_rq_set_block_pc); ++ ++/** + * blk_requeue_request - put a request back on queue + * @q: request queue where request should be inserted + * @rq: request to be inserted +diff --git a/block/bsg.c b/block/bsg.c +index b1c1d54..8c750d5 100644 +--- a/block/bsg.c ++++ b/block/bsg.c +@@ -196,7 +196,6 @@ + * fill in request structure + */ + rq->cmd_len = hdr->request_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + rq->timeout = msecs_to_jiffies(hdr->timeout); + if (!rq->timeout) +@@ -273,6 +272,8 @@ + rq = blk_get_request(q, rw, GFP_KERNEL); + if (!rq) + return ERR_PTR(-ENOMEM); ++ blk_rq_set_block_pc(rq); ++ + ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm); + if (ret) + goto out; +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c +index 260fa80..4118a81 100644 +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -232,7 +232,6 @@ + * fill in request structure + */ + rq->cmd_len = hdr->cmd_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + rq->timeout = msecs_to_jiffies(hdr->timeout); + if (!rq->timeout) +@@ -313,6 +312,7 @@ + rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL); + if (!rq) + return -ENOMEM; ++ blk_rq_set_block_pc(rq); + + if (blk_fill_sghdr_rq(q, rq, hdr, mode)) { + blk_put_request(rq); +@@ -511,7 +511,7 @@ + memset(sense, 0, sizeof(sense)); + rq->sense = sense; + rq->sense_len = 0; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(rq); + + blk_execute_rq(q, disk, rq, 0); + +@@ -544,7 +544,7 @@ + int err; + + rq = blk_get_request(q, WRITE, __GFP_WAIT); +- rq->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(rq); + rq->timeout = BLK_DEFAULT_SG_TIMEOUT; + rq->cmd[0] = cmd; + rq->cmd[4] = data; +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c +index ba66e44..39ffe9c 100644 +--- a/drivers/block/pktcdvd.c ++++ b/drivers/block/pktcdvd.c +@@ -742,6 +742,7 @@ + + rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ? + WRITE : READ, __GFP_WAIT); ++ blk_rq_set_block_pc(rq); + + if (cgc->buflen) { + if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT)) +@@ -752,7 +753,6 @@ + memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE); + + rq->timeout = 60*HZ; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + if (cgc->quiet) + rq->cmd_flags |= REQ_QUIET; + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d620b44..7ab528d 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2165,6 +2165,7 @@ + ret = -ENOMEM; + break; + } ++ blk_rq_set_block_pc(rq); + + ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL); + if (ret) { +@@ -2184,7 +2185,6 @@ + rq->cmd[9] = 0xf8; + + rq->cmd_len = 12; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->timeout = 60 * HZ; + bio = rq->bio; + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 04c5cea..36fb68c 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -111,6 +111,7 @@ + "%s: blk_get_request failed\n", __func__); + return NULL; + } ++ blk_rq_set_block_pc(rq); + + if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { + blk_put_request(rq); +@@ -119,7 +120,6 @@ + return NULL; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->retries = ALUA_FAILOVER_RETRIES; +diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c +index e1c8be0..6f07f7f 100644 +--- a/drivers/scsi/device_handler/scsi_dh_emc.c ++++ b/drivers/scsi/device_handler/scsi_dh_emc.c +@@ -280,6 +280,7 @@ + return NULL; + } + ++ blk_rq_set_block_pc(rq); + rq->cmd_len = COMMAND_SIZE(cmd); + rq->cmd[0] = cmd; + +@@ -304,7 +305,6 @@ + break; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->timeout = CLARIION_TIMEOUT; +diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c +index 084062b..e9d9fea 100644 +--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c ++++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c +@@ -120,7 +120,7 @@ + if (!req) + return SCSI_DH_RES_TEMP_UNAVAIL; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY); +@@ -250,7 +250,7 @@ + if (!req) + return SCSI_DH_RES_TEMP_UNAVAIL; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + req->cmd_len = COMMAND_SIZE(START_STOP); +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index 20c4557..0439652 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -279,6 +279,7 @@ + "get_rdac_req: blk_get_request failed.\n"); + return NULL; + } ++ blk_rq_set_block_pc(rq); + + if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) { + blk_put_request(rq); +@@ -287,7 +288,6 @@ + return NULL; + } + +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT | + REQ_FAILFAST_DRIVER; + rq->retries = RDAC_RETRIES; +diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c +index c06b8e5..9ad3ac7 100644 +--- a/drivers/scsi/osd/osd_initiator.c ++++ b/drivers/scsi/osd/osd_initiator.c +@@ -1566,6 +1566,7 @@ + if (unlikely(!req)) + return ERR_PTR(-ENOMEM); + ++ blk_rq_set_block_pc(req); + return req; + } + } +@@ -1586,7 +1587,6 @@ + } + + or->request = req; +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= REQ_QUIET; + + req->timeout = or->timeout; +@@ -1604,7 +1604,7 @@ + ret = PTR_ERR(req); + goto out; + } +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + or->in.req = or->request->next_rq = req; + } + } else if (has_in) +diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c +index 21883a2..0727ea7 100644 +--- a/drivers/scsi/osst.c ++++ b/drivers/scsi/osst.c +@@ -365,7 +365,7 @@ + if (!req) + return DRIVER_ERROR << 24; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_QUIET; + + SRpnt->bio = NULL; +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 386f0c5..d4c31d4 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1624,6 +1624,8 @@ + */ + req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL); + ++ blk_rq_set_block_pc(req); ++ + req->cmd[0] = ALLOW_MEDIUM_REMOVAL; + req->cmd[1] = 0; + req->cmd[2] = 0; +@@ -1633,7 +1635,6 @@ + + req->cmd_len = COMMAND_SIZE(req->cmd[0]); + +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= REQ_QUIET; + req->timeout = 10 * HZ; + req->retries = 5; +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 5dfd749..725b405 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -217,6 +217,7 @@ + req = blk_get_request(sdev->request_queue, write, __GFP_WAIT); + if (!req) + return ret; ++ blk_rq_set_block_pc(req); + + if (bufflen && blk_rq_map_kern(sdev->request_queue, req, + buffer, bufflen, __GFP_WAIT)) +@@ -228,7 +229,6 @@ + req->sense_len = 0; + req->retries = retries; + req->timeout = timeout; +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT; + + /* +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 3ec5b33..216d31f 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1655,10 +1655,9 @@ + if (!rq) + return -ENOMEM; + ++ blk_rq_set_block_pc(rq); + memcpy(rq->cmd, cmd, hp->cmd_len); +- + rq->cmd_len = hp->cmd_len; +- rq->cmd_type = REQ_TYPE_BLOCK_PC; + + srp->rq = rq; + rq->end_io_data = srp; +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index e41998c..08ad530 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -488,7 +488,7 @@ + if (!req) + return DRIVER_ERROR << 24; + +- req->cmd_type = REQ_TYPE_BLOCK_PC; ++ blk_rq_set_block_pc(req); + req->cmd_flags |= REQ_QUIET; + + mdata->null_mapped = 1; +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 94c905f..d28f8d1 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1083,6 +1083,8 @@ + TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + return -ENODEV; + } ++ ++ blk_rq_set_block_pc(req); + } else { + BUG_ON(!task->task_size); + +@@ -1104,7 +1106,6 @@ + } + } + +- req->cmd_type = REQ_TYPE_BLOCK_PC; + req->end_io = pscsi_req_done; + req->end_io_data = task; + req->cmd_len = scsi_command_size(pt->pscsi_cdb); +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 21dc2aa..f37d1f0 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -675,6 +675,7 @@ + extern struct request *blk_get_request(struct request_queue *, int, gfp_t); + extern struct request *blk_make_request(struct request_queue *, struct bio *, + gfp_t); ++extern void blk_rq_set_block_pc(struct request *); + extern void blk_requeue_request(struct request_queue *, struct request *); + extern int blk_reinsert_request(struct request_queue *q, struct request *rq); + extern bool blk_reinsert_req_sup(struct request_queue *q); diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 new file mode 100644 index 00000000..a3326fea --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSAxZjA4NDM1OTE3MDNjM2Q2NjRhMjM2ZTJkM2E3YTg1NWZhOTQ1MWQ2IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKZW5zIEF4Ym9lIDxheGJvZUBmYi5jb20+CkRhdGU6IEZyaSwgMDYgSnVuIDIwMTQgMDc6NTc6MzcgLTA2MDAKU3ViamVjdDogW1BBVENIXSBCQUNLUE9SVDogYmxvY2s6IGFkZCBibGtfcnFfc2V0X2Jsb2NrX3BjKCkKCldpdGggdGhlIG9wdGltaXphdGlvbnMgYXJvdW5kIG5vdCBjbGVhcmluZyB0aGUgZnVsbCByZXF1ZXN0IGF0IGFsbG9jCnRpbWUsIHdlIGFyZSBsZWF2aW5nIHNvbWUgb2YgdGhlIG5lZWRlZCBpbml0IGZvciBSRVFfVFlQRV9CTE9DS19QQwp1cCB0byB0aGUgdXNlciBhbGxvY2F0aW5nIHRoZSByZXF1ZXN0LgoKQWRkIGEgYmxrX3JxX3NldF9ibG9ja19wYygpIHRoYXQgc2V0cyB0aGUgY29tbWFuZCB0eXBlIHRvClJFUV9UWVBFX0JMT0NLX1BDLCBhbmQgcHJvcGVybHkgaW5pdGlhbGl6ZXMgdGhlIG1lbWJlcnMgYXNzb2NpYXRlZAp3aXRoIHRoaXMgdHlwZSBvZiByZXF1ZXN0LiBVcGRhdGUgY2FsbGVycyB0byB1c2UgdGhpcyBmdW5jdGlvbiBpbnN0ZWFkCm9mIG1hbmlwdWxhdGluZyBycS0+Y21kX3R5cGUgZGlyZWN0bHkuCgpJbmNsdWRlcyBmaXhlcyBmcm9tIENocmlzdG9waCBIZWxsd2lnIDxoY2hAbHN0LmRlPiBmb3IgbXkgaGFsZi1hc3NlZAphdHRlbXB0LgoKQ2hhbmdlLUlkOiBJZmMzODZkZmI5NTFjNWQ2YWRlYmY0OGZmMzgxMzVkZGEyOGU0YjFjZQpTaWduZWQtb2ZmLWJ5OiBKZW5zIEF4Ym9lIDxheGJvZUBmYi5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL2Jsb2NrL2Jsay1jb3JlLmMgYi9ibG9jay9ibGstY29yZS5jCmluZGV4IGViMGVjNjAuLmM3Zjc2MzcgMTAwNjQ0Ci0tLSBhL2Jsb2NrL2Jsay1jb3JlLmMKKysrIGIvYmxvY2svYmxrLWNvcmUuYwpAQCAtMTA0Myw2ICsxMDQzLDggQEAKIAlpZiAodW5saWtlbHkoIXJxKSkKIAkJcmV0dXJuIEVSUl9QVFIoLUVOT01FTSk7CiAKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKwogCWZvcl9lYWNoX2JpbyhiaW8pIHsKIAkJc3RydWN0IGJpbyAqYm91bmNlX2JpbyA9IGJpbzsKIAkJaW50IHJldDsKQEAgLTEwNjAsNiArMTA2MiwyMiBAQAogRVhQT1JUX1NZTUJPTChibGtfbWFrZV9yZXF1ZXN0KTsKIAogLyoqCisgKiBibGtfcnFfc2V0X2Jsb2NrX3BjIC0gaW5pdGlhbGl6ZSBhIHJlcXVlZXN0IHRvIHR5cGUgQkxPQ0tfUEMKKyAqIEBycToJCXJlcXVlc3QgdG8gYmUgaW5pdGlhbGl6ZWQKKyAqCisgKi8KK3ZvaWQgYmxrX3JxX3NldF9ibG9ja19wYyhzdHJ1Y3QgcmVxdWVzdCAqcnEpCit7CisJcnEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CisJcnEtPl9fZGF0YV9sZW4gPSAwOworCXJxLT5fX3NlY3RvciA9IChzZWN0b3JfdCkgLTE7CisJcnEtPmJpbyA9IHJxLT5iaW90YWlsID0gTlVMTDsKKwltZW1zZXQocnEtPl9fY21kLCAwLCBzaXplb2YocnEtPl9fY21kKSk7CisJcnEtPmNtZCA9IHJxLT5fX2NtZDsKK30KK0VYUE9SVF9TWU1CT0woYmxrX3JxX3NldF9ibG9ja19wYyk7CisKKy8qKgogICogYmxrX3JlcXVldWVfcmVxdWVzdCAtIHB1dCBhIHJlcXVlc3QgYmFjayBvbiBxdWV1ZQogICogQHE6CQlyZXF1ZXN0IHF1ZXVlIHdoZXJlIHJlcXVlc3Qgc2hvdWxkIGJlIGluc2VydGVkCiAgKiBAcnE6CQlyZXF1ZXN0IHRvIGJlIGluc2VydGVkCmRpZmYgLS1naXQgYS9ibG9jay9ic2cuYyBiL2Jsb2NrL2JzZy5jCmluZGV4IGIxYzFkNTQuLjhjNzUwZDUgMTAwNjQ0Ci0tLSBhL2Jsb2NrL2JzZy5jCisrKyBiL2Jsb2NrL2JzZy5jCkBAIC0xOTYsNyArMTk2LDYgQEAKIAkgKiBmaWxsIGluIHJlcXVlc3Qgc3RydWN0dXJlCiAJICovCiAJcnEtPmNtZF9sZW4gPSBoZHItPnJlcXVlc3RfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJcnEtPnRpbWVvdXQgPSBtc2Vjc190b19qaWZmaWVzKGhkci0+dGltZW91dCk7CiAJaWYgKCFycS0+dGltZW91dCkKQEAgLTI3Myw2ICsyNzIsOCBAQAogCXJxID0gYmxrX2dldF9yZXF1ZXN0KHEsIHJ3LCBHRlBfS0VSTkVMKTsKIAlpZiAoIXJxKQogCQlyZXR1cm4gRVJSX1BUUigtRU5PTUVNKTsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKKwogCXJldCA9IGJsa19maWxsX3NndjRfaGRyX3JxKHEsIHJxLCBoZHIsIGJkLCBoYXNfd3JpdGVfcGVybSk7CiAJaWYgKHJldCkKIAkJZ290byBvdXQ7CmRpZmYgLS1naXQgYS9ibG9jay9zY3NpX2lvY3RsLmMgYi9ibG9jay9zY3NpX2lvY3RsLmMKaW5kZXggMjYwZmE4MC4uNDExOGE4MSAxMDA2NDQKLS0tIGEvYmxvY2svc2NzaV9pb2N0bC5jCisrKyBiL2Jsb2NrL3Njc2lfaW9jdGwuYwpAQCAtMjMyLDcgKzIzMiw2IEBACiAJICogZmlsbCBpbiByZXF1ZXN0IHN0cnVjdHVyZQogCSAqLwogCXJxLT5jbWRfbGVuID0gaGRyLT5jbWRfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJcnEtPnRpbWVvdXQgPSBtc2Vjc190b19qaWZmaWVzKGhkci0+dGltZW91dCk7CiAJaWYgKCFycS0+dGltZW91dCkKQEAgLTMxMyw2ICszMTIsNyBAQAogCXJxID0gYmxrX2dldF9yZXF1ZXN0KHEsIHdyaXRpbmcgPyBXUklURSA6IFJFQUQsIEdGUF9LRVJORUwpOwogCWlmICghcnEpCiAJCXJldHVybiAtRU5PTUVNOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGJsa19maWxsX3NnaGRyX3JxKHEsIHJxLCBoZHIsIG1vZGUpKSB7CiAJCWJsa19wdXRfcmVxdWVzdChycSk7CkBAIC01MTEsNyArNTExLDcgQEAKIAltZW1zZXQoc2Vuc2UsIDAsIHNpemVvZihzZW5zZSkpOwogCXJxLT5zZW5zZSA9IHNlbnNlOwogCXJxLT5zZW5zZV9sZW4gPSAwOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJYmxrX2V4ZWN1dGVfcnEocSwgZGlzaywgcnEsIDApOwogCkBAIC01NDQsNyArNTQ0LDcgQEAKIAlpbnQgZXJyOwogCiAJcnEgPSBibGtfZ2V0X3JlcXVlc3QocSwgV1JJVEUsIF9fR0ZQX1dBSVQpOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCXJxLT50aW1lb3V0ID0gQkxLX0RFRkFVTFRfU0dfVElNRU9VVDsKIAlycS0+Y21kWzBdID0gY21kOwogCXJxLT5jbWRbNF0gPSBkYXRhOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ibG9jay9wa3RjZHZkLmMgYi9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYwppbmRleCBiYTY2ZTQ0Li4zOWZmZTljIDEwMDY0NAotLS0gYS9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYworKysgYi9kcml2ZXJzL2Jsb2NrL3BrdGNkdmQuYwpAQCAtNzQyLDYgKzc0Miw3IEBACiAKIAlycSA9IGJsa19nZXRfcmVxdWVzdChxLCAoY2djLT5kYXRhX2RpcmVjdGlvbiA9PSBDR0NfREFUQV9XUklURSkgPwogCQkJICAgICBXUklURSA6IFJFQUQsIF9fR0ZQX1dBSVQpOworCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGNnYy0+YnVmbGVuKSB7CiAJCWlmIChibGtfcnFfbWFwX2tlcm4ocSwgcnEsIGNnYy0+YnVmZmVyLCBjZ2MtPmJ1ZmxlbiwgX19HRlBfV0FJVCkpCkBAIC03NTIsNyArNzUzLDYgQEAKIAltZW1jcHkocnEtPmNtZCwgY2djLT5jbWQsIENEUk9NX1BBQ0tFVF9TSVpFKTsKIAogCXJxLT50aW1lb3V0ID0gNjAqSFo7Ci0JcnEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJaWYgKGNnYy0+cXVpZXQpCiAJCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCmRpZmYgLS1naXQgYS9kcml2ZXJzL2Nkcm9tL2Nkcm9tLmMgYi9kcml2ZXJzL2Nkcm9tL2Nkcm9tLmMKaW5kZXggZDYyMGI0NC4uN2FiNTI4ZCAxMDA2NDQKLS0tIGEvZHJpdmVycy9jZHJvbS9jZHJvbS5jCisrKyBiL2RyaXZlcnMvY2Ryb20vY2Ryb20uYwpAQCAtMjE2NSw2ICsyMTY1LDcgQEAKIAkJCXJldCA9IC1FTk9NRU07CiAJCQlicmVhazsKIAkJfQorCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKIAogCQlyZXQgPSBibGtfcnFfbWFwX3VzZXIocSwgcnEsIE5VTEwsIHVidWYsIGxlbiwgR0ZQX0tFUk5FTCk7CiAJCWlmIChyZXQpIHsKQEAgLTIxODQsNyArMjE4NSw2IEBACiAJCXJxLT5jbWRbOV0gPSAweGY4OwogCiAJCXJxLT5jbWRfbGVuID0gMTI7Ci0JCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCQlycS0+dGltZW91dCA9IDYwICogSFo7CiAJCWJpbyA9IHJxLT5iaW87CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2FsdWEuYyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2FsdWEuYwppbmRleCAwNGM1Y2VhLi4zNmZiNjhjIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9hbHVhLmMKKysrIGIvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfYWx1YS5jCkBAIC0xMTEsNiArMTExLDcgQEAKIAkJCSAgICAiJXM6IGJsa19nZXRfcmVxdWVzdCBmYWlsZWRcbiIsIF9fZnVuY19fKTsKIAkJcmV0dXJuIE5VTEw7CiAJfQorCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCiAJaWYgKGJ1ZmxlbiAmJiBibGtfcnFfbWFwX2tlcm4ocSwgcnEsIGJ1ZmZlciwgYnVmbGVuLCBHRlBfTk9JTykpIHsKIAkJYmxrX3B1dF9yZXF1ZXN0KHJxKTsKQEAgLTExOSw3ICsxMjAsNiBAQAogCQlyZXR1cm4gTlVMTDsKIAl9CiAKLQlycS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKIAlycS0+Y21kX2ZsYWdzIHw9IFJFUV9GQUlMRkFTVF9ERVYgfCBSRVFfRkFJTEZBU1RfVFJBTlNQT1JUIHwKIAkJCSBSRVFfRkFJTEZBU1RfRFJJVkVSOwogCXJxLT5yZXRyaWVzID0gQUxVQV9GQUlMT1ZFUl9SRVRSSUVTOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfZW1jLmMgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYwppbmRleCBlMWM4YmUwLi42ZjA3ZjdmIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYworKysgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9lbWMuYwpAQCAtMjgwLDYgKzI4MCw3IEBACiAJCXJldHVybiBOVUxMOwogCX0KIAorCWJsa19ycV9zZXRfYmxvY2tfcGMocnEpOwogCXJxLT5jbWRfbGVuID0gQ09NTUFORF9TSVpFKGNtZCk7CiAJcnEtPmNtZFswXSA9IGNtZDsKIApAQCAtMzA0LDcgKzMwNSw2IEBACiAJCWJyZWFrOwogCX0KIAotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJIFJFUV9GQUlMRkFTVF9EUklWRVI7CiAJcnEtPnRpbWVvdXQgPSBDTEFSSUlPTl9USU1FT1VUOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfaHBfc3cuYyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX2hwX3N3LmMKaW5kZXggMDg0MDYyYi4uZTlkOWZlYSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfaHBfc3cuYworKysgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9ocF9zdy5jCkBAIC0xMjAsNyArMTIwLDcgQEAKIAlpZiAoIXJlcSkKIAkJcmV0dXJuIFNDU0lfREhfUkVTX1RFTVBfVU5BVkFJTDsKIAotCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJICBSRVFfRkFJTEZBU1RfRFJJVkVSOwogCXJlcS0+Y21kX2xlbiA9IENPTU1BTkRfU0laRShURVNUX1VOSVRfUkVBRFkpOwpAQCAtMjUwLDcgKzI1MCw3IEBACiAJaWYgKCFyZXEpCiAJCXJldHVybiBTQ1NJX0RIX1JFU19URU1QX1VOQVZBSUw7CiAKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOwogCXJlcS0+Y21kX2ZsYWdzIHw9IFJFUV9GQUlMRkFTVF9ERVYgfCBSRVFfRkFJTEZBU1RfVFJBTlNQT1JUIHwKIAkJCSAgUkVRX0ZBSUxGQVNUX0RSSVZFUjsKIAlyZXEtPmNtZF9sZW4gPSBDT01NQU5EX1NJWkUoU1RBUlRfU1RPUCk7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9yZGFjLmMgYi9kcml2ZXJzL3Njc2kvZGV2aWNlX2hhbmRsZXIvc2NzaV9kaF9yZGFjLmMKaW5kZXggMjBjNDU1Ny4uMDQzOTY1MiAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL2RldmljZV9oYW5kbGVyL3Njc2lfZGhfcmRhYy5jCisrKyBiL2RyaXZlcnMvc2NzaS9kZXZpY2VfaGFuZGxlci9zY3NpX2RoX3JkYWMuYwpAQCAtMjc5LDYgKzI3OSw3IEBACiAJCQkJImdldF9yZGFjX3JlcTogYmxrX2dldF9yZXF1ZXN0IGZhaWxlZC5cbiIpOwogCQlyZXR1cm4gTlVMTDsKIAl9CisJYmxrX3JxX3NldF9ibG9ja19wYyhycSk7CiAKIAlpZiAoYnVmbGVuICYmIGJsa19ycV9tYXBfa2VybihxLCBycSwgYnVmZmVyLCBidWZsZW4sIEdGUF9OT0lPKSkgewogCQlibGtfcHV0X3JlcXVlc3QocnEpOwpAQCAtMjg3LDcgKzI4OCw2IEBACiAJCXJldHVybiBOVUxMOwogCX0KIAotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJxLT5jbWRfZmxhZ3MgfD0gUkVRX0ZBSUxGQVNUX0RFViB8IFJFUV9GQUlMRkFTVF9UUkFOU1BPUlQgfAogCQkJIFJFUV9GQUlMRkFTVF9EUklWRVI7CiAJcnEtPnJldHJpZXMgPSBSREFDX1JFVFJJRVM7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvb3NkL29zZF9pbml0aWF0b3IuYyBiL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCmluZGV4IGMwNmI4ZTUuLjlhZDNhYzcgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCisrKyBiL2RyaXZlcnMvc2NzaS9vc2Qvb3NkX2luaXRpYXRvci5jCkBAIC0xNTY2LDYgKzE1NjYsNyBAQAogCQlpZiAodW5saWtlbHkoIXJlcSkpCiAJCQlyZXR1cm4gRVJSX1BUUigtRU5PTUVNKTsKIAorCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJCXJldHVybiByZXE7CiAJfQogfQpAQCAtMTU4Niw3ICsxNTg3LDYgQEAKIAl9CiAKIAlvci0+cmVxdWVzdCA9IHJlcTsKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCiAJcmVxLT50aW1lb3V0ID0gb3ItPnRpbWVvdXQ7CkBAIC0xNjA0LDcgKzE2MDQsNyBAQAogCQkJCXJldCA9IFBUUl9FUlIocmVxKTsKIAkJCQlnb3RvIG91dDsKIAkJCX0KLQkJCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwkJCWJsa19ycV9zZXRfYmxvY2tfcGMocmVxKTsKIAkJCW9yLT5pbi5yZXEgPSBvci0+cmVxdWVzdC0+bmV4dF9ycSA9IHJlcTsKIAkJfQogCX0gZWxzZSBpZiAoaGFzX2luKQpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL29zc3QuYyBiL2RyaXZlcnMvc2NzaS9vc3N0LmMKaW5kZXggMjE4ODNhMi4uMDcyN2VhNyAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL29zc3QuYworKysgYi9kcml2ZXJzL3Njc2kvb3NzdC5jCkBAIC0zNjUsNyArMzY1LDcgQEAKIAlpZiAoIXJlcSkKIAkJcmV0dXJuIERSSVZFUl9FUlJPUiA8PCAyNDsKIAotCXJlcS0+Y21kX3R5cGUgPSBSRVFfVFlQRV9CTE9DS19QQzsKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCiAJU1JwbnQtPmJpbyA9IE5VTEw7CmRpZmYgLS1naXQgYS9kcml2ZXJzL3Njc2kvc2NzaV9lcnJvci5jIGIvZHJpdmVycy9zY3NpL3Njc2lfZXJyb3IuYwppbmRleCAzODZmMGM1Li5kNGMzMWQ0IDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2NzaV9lcnJvci5jCisrKyBiL2RyaXZlcnMvc2NzaS9zY3NpX2Vycm9yLmMKQEAgLTE2MjQsNiArMTYyNCw4IEBACiAJICovCiAJcmVxID0gYmxrX2dldF9yZXF1ZXN0KHNkZXYtPnJlcXVlc3RfcXVldWUsIFJFQUQsIEdGUF9LRVJORUwpOwogCisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOworCiAJcmVxLT5jbWRbMF0gPSBBTExPV19NRURJVU1fUkVNT1ZBTDsKIAlyZXEtPmNtZFsxXSA9IDA7CiAJcmVxLT5jbWRbMl0gPSAwOwpAQCAtMTYzMyw3ICsxNjM1LDYgQEAKIAogCXJlcS0+Y21kX2xlbiA9IENPTU1BTkRfU0laRShyZXEtPmNtZFswXSk7CiAKLQlyZXEtPmNtZF90eXBlID0gUkVRX1RZUEVfQkxPQ0tfUEM7CiAJcmVxLT5jbWRfZmxhZ3MgfD0gUkVRX1FVSUVUOwogCXJlcS0+dGltZW91dCA9IDEwICogSFo7CiAJcmVxLT5yZXRyaWVzID0gNTsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9zY3NpX2xpYi5jIGIvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKaW5kZXggNWRmZDc0OS4uNzI1YjQwNSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKKysrIGIvZHJpdmVycy9zY3NpL3Njc2lfbGliLmMKQEAgLTIxNyw2ICsyMTcsNyBAQAogCXJlcSA9IGJsa19nZXRfcmVxdWVzdChzZGV2LT5yZXF1ZXN0X3F1ZXVlLCB3cml0ZSwgX19HRlBfV0FJVCk7CiAJaWYgKCFyZXEpCiAJCXJldHVybiByZXQ7CisJYmxrX3JxX3NldF9ibG9ja19wYyhyZXEpOwogCiAJaWYgKGJ1ZmZsZW4gJiYJYmxrX3JxX21hcF9rZXJuKHNkZXYtPnJlcXVlc3RfcXVldWUsIHJlcSwKIAkJCQkJYnVmZmVyLCBidWZmbGVuLCBfX0dGUF9XQUlUKSkKQEAgLTIyOCw3ICsyMjksNiBAQAogCXJlcS0+c2Vuc2VfbGVuID0gMDsKIAlyZXEtPnJldHJpZXMgPSByZXRyaWVzOwogCXJlcS0+dGltZW91dCA9IHRpbWVvdXQ7Ci0JcmVxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJlcS0+Y21kX2ZsYWdzIHw9IGZsYWdzIHwgUkVRX1FVSUVUIHwgUkVRX1BSRUVNUFQ7CiAKIAkvKgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCAzZWM1YjMzLi4yMTZkMzFmIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtMTY1NSwxMCArMTY1NSw5IEBACiAJaWYgKCFycSkKIAkJcmV0dXJuIC1FTk9NRU07CiAKKwlibGtfcnFfc2V0X2Jsb2NrX3BjKHJxKTsKIAltZW1jcHkocnEtPmNtZCwgY21kLCBocC0+Y21kX2xlbik7Ci0KIAlycS0+Y21kX2xlbiA9IGhwLT5jbWRfbGVuOwotCXJxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCiAJc3JwLT5ycSA9IHJxOwogCXJxLT5lbmRfaW9fZGF0YSA9IHNycDsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvc2NzaS9zdC5jIGIvZHJpdmVycy9zY3NpL3N0LmMKaW5kZXggZTQxOTk4Yy4uMDhhZDUzMCAxMDA2NDQKLS0tIGEvZHJpdmVycy9zY3NpL3N0LmMKKysrIGIvZHJpdmVycy9zY3NpL3N0LmMKQEAgLTQ4OCw3ICs0ODgsNyBAQAogCWlmICghcmVxKQogCQlyZXR1cm4gRFJJVkVSX0VSUk9SIDw8IDI0OwogCi0JcmVxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOworCWJsa19ycV9zZXRfYmxvY2tfcGMocmVxKTsKIAlyZXEtPmNtZF9mbGFncyB8PSBSRVFfUVVJRVQ7CiAKIAltZGF0YS0+bnVsbF9tYXBwZWQgPSAxOwpkaWZmIC0tZ2l0IGEvZHJpdmVycy90YXJnZXQvdGFyZ2V0X2NvcmVfcHNjc2kuYyBiL2RyaXZlcnMvdGFyZ2V0L3RhcmdldF9jb3JlX3BzY3NpLmMKaW5kZXggOTRjOTA1Zi4uZDI4ZjhkMSAxMDA2NDQKLS0tIGEvZHJpdmVycy90YXJnZXQvdGFyZ2V0X2NvcmVfcHNjc2kuYworKysgYi9kcml2ZXJzL3RhcmdldC90YXJnZXRfY29yZV9wc2NzaS5jCkBAIC0xMDgzLDYgKzEwODMsOCBAQAogCQkJCVRDTV9MT0dJQ0FMX1VOSVRfQ09NTVVOSUNBVElPTl9GQUlMVVJFOwogCQkJcmV0dXJuIC1FTk9ERVY7CiAJCX0KKworCQlibGtfcnFfc2V0X2Jsb2NrX3BjKHJlcSk7CiAJfSBlbHNlIHsKIAkJQlVHX09OKCF0YXNrLT50YXNrX3NpemUpOwogCkBAIC0xMTA0LDcgKzExMDYsNiBAQAogCQl9CiAJfQogCi0JcmVxLT5jbWRfdHlwZSA9IFJFUV9UWVBFX0JMT0NLX1BDOwogCXJlcS0+ZW5kX2lvID0gcHNjc2lfcmVxX2RvbmU7CiAJcmVxLT5lbmRfaW9fZGF0YSA9IHRhc2s7CiAJcmVxLT5jbWRfbGVuID0gc2NzaV9jb21tYW5kX3NpemUocHQtPnBzY3NpX2NkYik7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2Jsa2Rldi5oIGIvaW5jbHVkZS9saW51eC9ibGtkZXYuaAppbmRleCAyMWRjMmFhLi5mMzdkMWYwIDEwMDY0NAotLS0gYS9pbmNsdWRlL2xpbnV4L2Jsa2Rldi5oCisrKyBiL2luY2x1ZGUvbGludXgvYmxrZGV2LmgKQEAgLTY3NSw2ICs2NzUsNyBAQAogZXh0ZXJuIHN0cnVjdCByZXF1ZXN0ICpibGtfZ2V0X3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKiwgaW50LCBnZnBfdCk7CiBleHRlcm4gc3RydWN0IHJlcXVlc3QgKmJsa19tYWtlX3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKiwgc3RydWN0IGJpbyAqLAogCQkJCQlnZnBfdCk7CitleHRlcm4gdm9pZCBibGtfcnFfc2V0X2Jsb2NrX3BjKHN0cnVjdCByZXF1ZXN0ICopOwogZXh0ZXJuIHZvaWQgYmxrX3JlcXVldWVfcmVxdWVzdChzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqLCBzdHJ1Y3QgcmVxdWVzdCAqKTsKIGV4dGVybiBpbnQgYmxrX3JlaW5zZXJ0X3JlcXVlc3Qoc3RydWN0IHJlcXVlc3RfcXVldWUgKnEsIHN0cnVjdCByZXF1ZXN0ICpycSk7CiBleHRlcm4gYm9vbCBibGtfcmVpbnNlcnRfcmVxX3N1cChzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqcSk7Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch new file mode 100644 index 00000000..b9a7bd36 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch @@ -0,0 +1,263 @@ +From 8093bf02878aa659cfcf8cbfc272b2ad45eef24f Mon Sep 17 00:00:00 2001 +From: Douglas Gilbert +Date: Tue, 03 Jun 2014 13:18:18 -0400 +Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction + + - remove the 16 byte CDB (SCSI command) length limit from the sg driver + by handling longer CDBs the same way as the bsg driver. Remove comment + from sg.h public interface about the cmd_len field being limited to 16 + bytes. + - remove some dead code caused by this change + - cleanup comment block at the top of sg.h, fix urls + +Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755 +Signed-off-by: Douglas Gilbert +Reviewed-by: Mike Christie +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +--- + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 216d31f..56178bc 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -7,9 +7,7 @@ + * Original driver (sg.c): + * Copyright (C) 1992 Lawrence Foard + * Version 2 and 3 extensions to driver: +- * Copyright (C) 1998 - 2005 Douglas Gilbert +- * +- * Modified 19-JAN-1998 Richard Gooch Devfs support ++ * Copyright (C) 1998 - 2014 Douglas Gilbert + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -18,11 +16,11 @@ + * + */ + +-static int sg_version_num = 30534; /* 2 digits for each component */ +-#define SG_VERSION_STR "3.5.34" ++static int sg_version_num = 30536; /* 2 digits for each component */ ++#define SG_VERSION_STR "3.5.36" + + /* +- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes: ++ * D. P. Gilbert (dgilbert@interlog.com), notes: + * - scsi logging is available via SCSI_LOG_TIMEOUT macros. First + * the kernel/module needs to be built with CONFIG_SCSI_LOGGING + * (otherwise the macros compile to empty statements). +@@ -63,7 +61,7 @@ + + #ifdef CONFIG_SCSI_PROC_FS + #include +-static char *sg_version_date = "20061027"; ++static char *sg_version_date = "20140603"; + + static int sg_proc_init(void); + static void sg_proc_cleanup(void); +@@ -72,6 +70,12 @@ + #define SG_ALLOW_DIO_DEF 0 + + #define SG_MAX_DEVS 32768 ++ ++/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type ++ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater ++ * than 16 bytes are "variable length" whose length is a multiple of 4 ++ */ ++#define SG_MAX_CDB_SIZE 252 + + /* + * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d) +@@ -159,7 +163,7 @@ + char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */ + volatile char closed; /* 1 -> fd closed but request(s) outstanding */ + char cmd_q; /* 1 -> allow command queuing, 0 -> don't */ +- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ ++ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */ + char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ + char mmap_called; /* 0 -> mmap() never called on this fd */ + struct kref f_ref; +@@ -542,7 +546,7 @@ + Sg_request *srp; + struct sg_header old_hdr; + sg_io_hdr_t *hp; +- unsigned char cmnd[MAX_COMMAND_SIZE]; ++ unsigned char cmnd[SG_MAX_CDB_SIZE]; + + if (unlikely(segment_eq(get_fs(), KERNEL_DS))) + return -EINVAL; +@@ -577,12 +581,6 @@ + buf += SZ_SG_HEADER; + __get_user(opcode, buf); + if (sfp->next_cmd_len > 0) { +- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) { +- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n")); +- sfp->next_cmd_len = 0; +- sg_remove_request(sfp, srp); +- return -EIO; +- } + cmd_size = sfp->next_cmd_len; + sfp->next_cmd_len = 0; /* reset so only this write() effected */ + } else { +@@ -654,7 +652,7 @@ + int k; + Sg_request *srp; + sg_io_hdr_t *hp; +- unsigned char cmnd[MAX_COMMAND_SIZE]; ++ unsigned char cmnd[SG_MAX_CDB_SIZE]; + int timeout; + unsigned long ul_timeout; + +@@ -1647,15 +1645,27 @@ + struct request_queue *q = sfp->parentdp->device->request_queue; + struct rq_map_data *md, map_data; + int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ; ++ unsigned char *long_cmdp = NULL; + + SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n", + dxfer_len)); + ++ if (hp->cmd_len > BLK_MAX_CDB) { ++ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL); ++ if (!long_cmdp) ++ return -ENOMEM; ++ } ++ + rq = blk_get_request(q, rw, GFP_ATOMIC); +- if (!rq) ++ if (!rq) { ++ kfree(long_cmdp); + return -ENOMEM; ++ } + + blk_rq_set_block_pc(rq); ++ ++ if (hp->cmd_len > BLK_MAX_CDB) ++ rq->cmd = long_cmdp; + memcpy(rq->cmd, cmd, hp->cmd_len); + rq->cmd_len = hp->cmd_len; + +@@ -1740,6 +1750,8 @@ + if (srp->bio) + ret = blk_rq_unmap_user(srp->bio); + ++ if (srp->rq->cmd != srp->rq->__cmd) ++ kfree(srp->rq->cmd); + blk_put_request(srp->rq); + } + +diff --git a/include/scsi/sg.h b/include/scsi/sg.h +index a9f3c6f..d8c0c43 100644 +--- a/include/scsi/sg.h ++++ b/include/scsi/sg.h +@@ -4,77 +4,34 @@ + #include + + /* +- History: +- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user +- process control of SCSI devices. +- Development Sponsored by Killy Corp. NY NY +-Original driver (sg.h): +-* Copyright (C) 1992 Lawrence Foard +-Version 2 and 3 extensions to driver: +-* Copyright (C) 1998 - 2006 Douglas Gilbert +- +- Version: 3.5.34 (20060920) +- This version is for 2.6 series kernels. +- +- For a full changelog see http://www.torque.net/sg +- +-Map of SG verions to the Linux kernels in which they appear: +- ---------- ---------------------------------- +- original all kernels < 2.2.6 +- 2.1.40 2.2.20 +- 3.0.x optional version 3 sg driver for 2.2 series +- 3.1.17++ 2.4.0++ +- 3.5.30++ 2.6.0++ +- +-Major new features in SG 3.x driver (cf SG 2.x drivers) +- - SG_IO ioctl() combines function if write() and read() +- - new interface (sg_io_hdr_t) but still supports old interface +- - scatter/gather in user space, direct IO, and mmap supported +- +- The normal action of this driver is to use the adapter (HBA) driver to DMA +- data into kernel buffers and then use the CPU to copy the data into the +- user space (vice versa for writes). That is called "indirect" IO due to +- the double handling of data. There are two methods offered to remove the +- redundant copy: 1) direct IO and 2) using the mmap() system call to map +- the reserve buffer (this driver has one reserve buffer per fd) into the +- user space. Both have their advantages. +- In terms of absolute speed mmap() is faster. If speed is not a concern, +- indirect IO should be fine. Read the documentation for more information. +- +- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or +- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed. +- That attribute is 0 by default. ** +- +- Historical note: this SCSI pass-through driver has been known as "sg" for +- a decade. In broader kernel discussions "sg" is used to refer to scatter +- gather techniques. The context should clarify which "sg" is referred to. +- +- Documentation +- ============= +- A web site for the SG device driver can be found at: +- http://www.torque.net/sg [alternatively check the MAINTAINERS file] +- The documentation for the sg version 3 driver can be found at: +- http://www.torque.net/sg/p/sg_v3_ho.html +- This is a rendering from DocBook source [change the extension to "sgml" +- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon). +- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer). +- For more information see http://www.torque.net/sg/sg_io.html +- +- The older, version 2 documents discuss the original sg interface in detail: +- http://www.torque.net/sg/p/scsi-generic.txt +- http://www.torque.net/sg/p/scsi-generic_long.txt +- Also available: /Documentation/scsi/scsi-generic.txt +- +- Utility and test programs are available at the sg web site. They are +- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils +- (for the lk 2.2 series). +-*/ ++ * History: ++ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user ++ * process control of SCSI devices. ++ * Development Sponsored by Killy Corp. NY NY ++ * ++ * Original driver (sg.h): ++ * Copyright (C) 1992 Lawrence Foard ++ * Version 2 and 3 extensions to driver: ++ * Copyright (C) 1998 - 2014 Douglas Gilbert ++ * ++ * Version: 3.5.36 (20140603) ++ * This version is for 2.6 and 3 series kernels. ++ * ++ * Documentation ++ * ============= ++ * A web site for the SG device driver can be found at: ++ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file] ++ * The documentation for the sg version 3 driver can be found at: ++ * http://sg.danny.cz/sg/p/sg_v3_ho.html ++ * Also see: /Documentation/scsi/scsi-generic.txt ++ * ++ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html ++ */ + + #ifdef __KERNEL__ + extern int sg_big_buff; /* for sysctl */ + #endif + +-/* New interface introduced in the 3.x SG drivers follows */ + + typedef struct sg_iovec /* same structure as used by readv() Linux system */ + { /* call. It defines one scatter-gather element. */ +@@ -87,7 +44,7 @@ + { + int interface_id; /* [i] 'S' for SCSI generic (required) */ + int dxfer_direction; /* [i] data transfer direction */ +- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */ ++ unsigned char cmd_len; /* [i] SCSI command length */ + unsigned char mx_sb_len; /* [i] max length to write to sbp */ + unsigned short iovec_count; /* [i] 0 implies no scatter gather */ + unsigned int dxfer_len; /* [i] byte count of data transfer */ diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 new file mode 100644 index 00000000..6ff090c2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSA4MDkzYmYwMjg3OGFhNjU5Y2ZjZjhjYmZjMjcyYjJhZDQ1ZWVmMjRmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KRGF0ZTogVHVlLCAwMyBKdW4gMjAxNCAxMzoxODoxOCAtMDQwMApTdWJqZWN0OiBbUEFUQ0hdIEJBQ0tQT1JUOiBzZzogcmVsYXggMTYgYnl0ZSBjZGIgcmVzdHJpY3Rpb24KCiAtIHJlbW92ZSB0aGUgMTYgYnl0ZSBDREIgKFNDU0kgY29tbWFuZCkgbGVuZ3RoIGxpbWl0IGZyb20gdGhlIHNnIGRyaXZlcgogICBieSBoYW5kbGluZyBsb25nZXIgQ0RCcyB0aGUgc2FtZSB3YXkgYXMgdGhlIGJzZyBkcml2ZXIuIFJlbW92ZSBjb21tZW50CiAgIGZyb20gc2cuaCBwdWJsaWMgaW50ZXJmYWNlIGFib3V0IHRoZSBjbWRfbGVuIGZpZWxkIGJlaW5nIGxpbWl0ZWQgdG8gMTYKICAgYnl0ZXMuCiAtIHJlbW92ZSBzb21lIGRlYWQgY29kZSBjYXVzZWQgYnkgdGhpcyBjaGFuZ2UKIC0gY2xlYW51cCBjb21tZW50IGJsb2NrIGF0IHRoZSB0b3Agb2Ygc2cuaCwgZml4IHVybHMKCkNoYW5nZS1JZDogSWU4MTUwZTUzNzViMzMxNmQ1ZDUyMDZmMDc5YzRhNTBmMWM1MGI3NTUKU2lnbmVkLW9mZi1ieTogRG91Z2xhcyBHaWxiZXJ0IDxkZ2lsYmVydEBpbnRlcmxvZy5jb20+ClJldmlld2VkLWJ5OiBNaWtlIENocmlzdGllIDxtaWNoYWVsY0Bjcy53aXNjLmVkdT4KUmV2aWV3ZWQtYnk6IEhhbm5lcyBSZWluZWNrZSA8aGFyZUBzdXNlLmRlPgpTaWduZWQtb2ZmLWJ5OiBDaHJpc3RvcGggSGVsbHdpZyA8aGNoQGxzdC5kZT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCAyMTZkMzFmLi41NjE3OGJjIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtNyw5ICs3LDcgQEAKICAqIE9yaWdpbmFsIGRyaXZlciAoc2cuYyk6CiAgKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTkyIExhd3JlbmNlIEZvYXJkCiAgKiBWZXJzaW9uIDIgYW5kIDMgZXh0ZW5zaW9ucyB0byBkcml2ZXI6Ci0gKiAgICAgICAgQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAwNSBEb3VnbGFzIEdpbGJlcnQKLSAqCi0gKiAgTW9kaWZpZWQgIDE5LUpBTi0xOTk4ICBSaWNoYXJkIEdvb2NoIDxyZ29vY2hAYXRuZi5jc2lyby5hdT4gIERldmZzIHN1cHBvcnQKKyAqICAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTggLSAyMDE0IERvdWdsYXMgR2lsYmVydAogICoKICAqIFRoaXMgcHJvZ3JhbSBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IgbW9kaWZ5CiAgKiBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieQpAQCAtMTgsMTEgKzE2LDExIEBACiAgKgogICovCiAKLXN0YXRpYyBpbnQgc2dfdmVyc2lvbl9udW0gPSAzMDUzNDsJLyogMiBkaWdpdHMgZm9yIGVhY2ggY29tcG9uZW50ICovCi0jZGVmaW5lIFNHX1ZFUlNJT05fU1RSICIzLjUuMzQiCitzdGF0aWMgaW50IHNnX3ZlcnNpb25fbnVtID0gMzA1MzY7CS8qIDIgZGlnaXRzIGZvciBlYWNoIGNvbXBvbmVudCAqLworI2RlZmluZSBTR19WRVJTSU9OX1NUUiAiMy41LjM2IgogCiAvKgotICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSwgZG91Z2dAdHJpb2RlLm5ldC5hdSksIG5vdGVzOgorICogIEQuIFAuIEdpbGJlcnQgKGRnaWxiZXJ0QGludGVybG9nLmNvbSksIG5vdGVzOgogICogICAgICAtIHNjc2kgbG9nZ2luZyBpcyBhdmFpbGFibGUgdmlhIFNDU0lfTE9HX1RJTUVPVVQgbWFjcm9zLiBGaXJzdAogICogICAgICAgIHRoZSBrZXJuZWwvbW9kdWxlIG5lZWRzIHRvIGJlIGJ1aWx0IHdpdGggQ09ORklHX1NDU0lfTE9HR0lORwogICogICAgICAgIChvdGhlcndpc2UgdGhlIG1hY3JvcyBjb21waWxlIHRvIGVtcHR5IHN0YXRlbWVudHMpLgpAQCAtNjMsNyArNjEsNyBAQAogCiAjaWZkZWYgQ09ORklHX1NDU0lfUFJPQ19GUwogI2luY2x1ZGUgPGxpbnV4L3Byb2NfZnMuaD4KLXN0YXRpYyBjaGFyICpzZ192ZXJzaW9uX2RhdGUgPSAiMjAwNjEwMjciOworc3RhdGljIGNoYXIgKnNnX3ZlcnNpb25fZGF0ZSA9ICIyMDE0MDYwMyI7CiAKIHN0YXRpYyBpbnQgc2dfcHJvY19pbml0KHZvaWQpOwogc3RhdGljIHZvaWQgc2dfcHJvY19jbGVhbnVwKHZvaWQpOwpAQCAtNzIsNiArNzAsMTIgQEAKICNkZWZpbmUgU0dfQUxMT1dfRElPX0RFRiAwCiAKICNkZWZpbmUgU0dfTUFYX0RFVlMgMzI3NjgKKworLyogU0dfTUFYX0NEQl9TSVpFIHNob3VsZCBiZSAyNjAgKHNwYzRyMzcgc2VjdGlvbiAzLjEuMzApIGhvd2V2ZXIgdGhlIHR5cGUKKyAqIG9mIHNnX2lvX2hkcjo6Y21kX2xlbiBjYW4gb25seSByZXByZXNlbnQgMjU1LiBBbGwgU0NTSSBjb21tYW5kcyBncmVhdGVyCisgKiB0aGFuIDE2IGJ5dGVzIGFyZSAidmFyaWFibGUgbGVuZ3RoIiB3aG9zZSBsZW5ndGggaXMgYSBtdWx0aXBsZSBvZiA0CisgKi8KKyNkZWZpbmUgU0dfTUFYX0NEQl9TSVpFIDI1MgogCiAvKgogICogU3VwcG9zZSB5b3Ugd2FudCB0byBjYWxjdWxhdGUgdGhlIGZvcm11bGEgbXVsZGl2KHgsbSxkKT1pbnQoeCAqIG0gLyBkKQpAQCAtMTU5LDcgKzE2Myw3IEBACiAJY2hhciBmb3JjZV9wYWNraWQ7CS8qIDEgLT4gcGFja19pZCBpbnB1dCB0byByZWFkKCksIDAgLT4gaWdub3JlZCAqLwogCXZvbGF0aWxlIGNoYXIgY2xvc2VkOwkvKiAxIC0+IGZkIGNsb3NlZCBidXQgcmVxdWVzdChzKSBvdXRzdGFuZGluZyAqLwogCWNoYXIgY21kX3E7CQkvKiAxIC0+IGFsbG93IGNvbW1hbmQgcXVldWluZywgMCAtPiBkb24ndCAqLwotCWNoYXIgbmV4dF9jbWRfbGVuOwkvKiAwIC0+IGF1dG9tYXRpYyAoZGVmKSwgPjAgLT4gdXNlIG9uIG5leHQgd3JpdGUoKSAqLworCXVuc2lnbmVkIGNoYXIgbmV4dF9jbWRfbGVuOyAvKiAwOiBhdXRvbWF0aWMsID4wOiB1c2Ugb24gbmV4dCB3cml0ZSgpICovCiAJY2hhciBrZWVwX29ycGhhbjsJLyogMCAtPiBkcm9wIG9ycGhhbiAoZGVmKSwgMSAtPiBrZWVwIGZvciByZWFkKCkgKi8KIAljaGFyIG1tYXBfY2FsbGVkOwkvKiAwIC0+IG1tYXAoKSBuZXZlciBjYWxsZWQgb24gdGhpcyBmZCAqLwogCXN0cnVjdCBrcmVmIGZfcmVmOwpAQCAtNTQyLDcgKzU0Niw3IEBACiAJU2dfcmVxdWVzdCAqc3JwOwogCXN0cnVjdCBzZ19oZWFkZXIgb2xkX2hkcjsKIAlzZ19pb19oZHJfdCAqaHA7Ci0JdW5zaWduZWQgY2hhciBjbW5kW01BWF9DT01NQU5EX1NJWkVdOworCXVuc2lnbmVkIGNoYXIgY21uZFtTR19NQVhfQ0RCX1NJWkVdOwogCiAJaWYgKHVubGlrZWx5KHNlZ21lbnRfZXEoZ2V0X2ZzKCksIEtFUk5FTF9EUykpKQogCQlyZXR1cm4gLUVJTlZBTDsKQEAgLTU3NywxMiArNTgxLDYgQEAKIAlidWYgKz0gU1pfU0dfSEVBREVSOwogCV9fZ2V0X3VzZXIob3Bjb2RlLCBidWYpOwogCWlmIChzZnAtPm5leHRfY21kX2xlbiA+IDApIHsKLQkJaWYgKHNmcC0+bmV4dF9jbWRfbGVuID4gTUFYX0NPTU1BTkRfU0laRSkgewotCQkJU0NTSV9MT0dfVElNRU9VVCgxLCBwcmludGsoInNnX3dyaXRlOiBjb21tYW5kIGxlbmd0aCB0b28gbG9uZ1xuIikpOwotCQkJc2ZwLT5uZXh0X2NtZF9sZW4gPSAwOwotCQkJc2dfcmVtb3ZlX3JlcXVlc3Qoc2ZwLCBzcnApOwotCQkJcmV0dXJuIC1FSU87Ci0JCX0KIAkJY21kX3NpemUgPSBzZnAtPm5leHRfY21kX2xlbjsKIAkJc2ZwLT5uZXh0X2NtZF9sZW4gPSAwOwkvKiByZXNldCBzbyBvbmx5IHRoaXMgd3JpdGUoKSBlZmZlY3RlZCAqLwogCX0gZWxzZSB7CkBAIC02NTQsNyArNjUyLDcgQEAKIAlpbnQgazsKIAlTZ19yZXF1ZXN0ICpzcnA7CiAJc2dfaW9faGRyX3QgKmhwOwotCXVuc2lnbmVkIGNoYXIgY21uZFtNQVhfQ09NTUFORF9TSVpFXTsKKwl1bnNpZ25lZCBjaGFyIGNtbmRbU0dfTUFYX0NEQl9TSVpFXTsKIAlpbnQgdGltZW91dDsKIAl1bnNpZ25lZCBsb25nIHVsX3RpbWVvdXQ7CiAKQEAgLTE2NDcsMTUgKzE2NDUsMjcgQEAKIAlzdHJ1Y3QgcmVxdWVzdF9xdWV1ZSAqcSA9IHNmcC0+cGFyZW50ZHAtPmRldmljZS0+cmVxdWVzdF9xdWV1ZTsKIAlzdHJ1Y3QgcnFfbWFwX2RhdGEgKm1kLCBtYXBfZGF0YTsKIAlpbnQgcncgPSBocC0+ZHhmZXJfZGlyZWN0aW9uID09IFNHX0RYRkVSX1RPX0RFViA/IFdSSVRFIDogUkVBRDsKKwl1bnNpZ25lZCBjaGFyICpsb25nX2NtZHAgPSBOVUxMOwogCiAJU0NTSV9MT0dfVElNRU9VVCg0LCBwcmludGsoS0VSTl9JTkZPICJzZ19zdGFydF9yZXE6IGR4ZmVyX2xlbj0lZFxuIiwKIAkJCQkgICBkeGZlcl9sZW4pKTsKIAorCWlmIChocC0+Y21kX2xlbiA+IEJMS19NQVhfQ0RCKSB7CisJCWxvbmdfY21kcCA9IGt6YWxsb2MoaHAtPmNtZF9sZW4sIEdGUF9LRVJORUwpOworCQlpZiAoIWxvbmdfY21kcCkKKwkJCXJldHVybiAtRU5PTUVNOworCX0KKwogCXJxID0gYmxrX2dldF9yZXF1ZXN0KHEsIHJ3LCBHRlBfQVRPTUlDKTsKLQlpZiAoIXJxKQorCWlmICghcnEpIHsKKwkJa2ZyZWUobG9uZ19jbWRwKTsKIAkJcmV0dXJuIC1FTk9NRU07CisJfQogCiAJYmxrX3JxX3NldF9ibG9ja19wYyhycSk7CisKKwlpZiAoaHAtPmNtZF9sZW4gPiBCTEtfTUFYX0NEQikKKwkJcnEtPmNtZCA9IGxvbmdfY21kcDsKIAltZW1jcHkocnEtPmNtZCwgY21kLCBocC0+Y21kX2xlbik7CiAJcnEtPmNtZF9sZW4gPSBocC0+Y21kX2xlbjsKIApAQCAtMTc0MCw2ICsxNzUwLDggQEAKIAkJaWYgKHNycC0+YmlvKQogCQkJcmV0ID0gYmxrX3JxX3VubWFwX3VzZXIoc3JwLT5iaW8pOwogCisJCWlmIChzcnAtPnJxLT5jbWQgIT0gc3JwLT5ycS0+X19jbWQpCisJCQlrZnJlZShzcnAtPnJxLT5jbWQpOwogCQlibGtfcHV0X3JlcXVlc3Qoc3JwLT5ycSk7CiAJfQogCmRpZmYgLS1naXQgYS9pbmNsdWRlL3Njc2kvc2cuaCBiL2luY2x1ZGUvc2NzaS9zZy5oCmluZGV4IGE5ZjNjNmYuLmQ4YzBjNDMgMTAwNjQ0Ci0tLSBhL2luY2x1ZGUvc2NzaS9zZy5oCisrKyBiL2luY2x1ZGUvc2NzaS9zZy5oCkBAIC00LDc3ICs0LDM0IEBACiAjaW5jbHVkZSA8bGludXgvY29tcGlsZXIuaD4KIAogLyoKLSAgIEhpc3Rvcnk6Ci0gICAgU3RhcnRlZDogQXVnIDkgYnkgTGF3cmVuY2UgRm9hcmQgKGVudHJvcHlAd29ybGQuc3RkLmNvbSksIHRvIGFsbG93IHVzZXIKLSAgICAgcHJvY2VzcyBjb250cm9sIG9mIFNDU0kgZGV2aWNlcy4KLSAgICBEZXZlbG9wbWVudCBTcG9uc29yZWQgYnkgS2lsbHkgQ29ycC4gTlkgTlkKLU9yaWdpbmFsIGRyaXZlciAoc2cuaCk6Ci0qICAgICAgIENvcHlyaWdodCAoQykgMTk5MiBMYXdyZW5jZSBGb2FyZAotVmVyc2lvbiAyIGFuZCAzIGV4dGVuc2lvbnMgdG8gZHJpdmVyOgotKiAgICAgICBDb3B5cmlnaHQgKEMpIDE5OTggLSAyMDA2IERvdWdsYXMgR2lsYmVydAotCi0gICAgVmVyc2lvbjogMy41LjM0ICgyMDA2MDkyMCkKLSAgICBUaGlzIHZlcnNpb24gaXMgZm9yIDIuNiBzZXJpZXMga2VybmVscy4KLQotICAgIEZvciBhIGZ1bGwgY2hhbmdlbG9nIHNlZSBodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cKLQotTWFwIG9mIFNHIHZlcmlvbnMgdG8gdGhlIExpbnV4IGtlcm5lbHMgaW4gd2hpY2ggdGhleSBhcHBlYXI6Ci0gICAgICAgLS0tLS0tLS0tLSAgICAgICAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQotICAgICAgIG9yaWdpbmFsICAgICAgICAgIGFsbCBrZXJuZWxzIDwgMi4yLjYKLSAgICAgICAyLjEuNDAgICAgICAgICAgICAyLjIuMjAKLSAgICAgICAzLjAueCAgICAgICAgICAgICBvcHRpb25hbCB2ZXJzaW9uIDMgc2cgZHJpdmVyIGZvciAyLjIgc2VyaWVzCi0gICAgICAgMy4xLjE3KysgICAgICAgICAgMi40LjArKwotICAgICAgIDMuNS4zMCsrICAgICAgICAgIDIuNi4wKysKLQotTWFqb3IgbmV3IGZlYXR1cmVzIGluIFNHIDMueCBkcml2ZXIgKGNmIFNHIDIueCBkcml2ZXJzKQotCS0gU0dfSU8gaW9jdGwoKSBjb21iaW5lcyBmdW5jdGlvbiBpZiB3cml0ZSgpIGFuZCByZWFkKCkKLQktIG5ldyBpbnRlcmZhY2UgKHNnX2lvX2hkcl90KSBidXQgc3RpbGwgc3VwcG9ydHMgb2xkIGludGVyZmFjZQotCS0gc2NhdHRlci9nYXRoZXIgaW4gdXNlciBzcGFjZSwgZGlyZWN0IElPLCBhbmQgbW1hcCBzdXBwb3J0ZWQKLQotIFRoZSBub3JtYWwgYWN0aW9uIG9mIHRoaXMgZHJpdmVyIGlzIHRvIHVzZSB0aGUgYWRhcHRlciAoSEJBKSBkcml2ZXIgdG8gRE1BCi0gZGF0YSBpbnRvIGtlcm5lbCBidWZmZXJzIGFuZCB0aGVuIHVzZSB0aGUgQ1BVIHRvIGNvcHkgdGhlIGRhdGEgaW50byB0aGUgCi0gdXNlciBzcGFjZSAodmljZSB2ZXJzYSBmb3Igd3JpdGVzKS4gVGhhdCBpcyBjYWxsZWQgImluZGlyZWN0IiBJTyBkdWUgdG8gCi0gdGhlIGRvdWJsZSBoYW5kbGluZyBvZiBkYXRhLiBUaGVyZSBhcmUgdHdvIG1ldGhvZHMgb2ZmZXJlZCB0byByZW1vdmUgdGhlCi0gcmVkdW5kYW50IGNvcHk6IDEpIGRpcmVjdCBJTyBhbmQgMikgdXNpbmcgdGhlIG1tYXAoKSBzeXN0ZW0gY2FsbCB0byBtYXAKLSB0aGUgcmVzZXJ2ZSBidWZmZXIgKHRoaXMgZHJpdmVyIGhhcyBvbmUgcmVzZXJ2ZSBidWZmZXIgcGVyIGZkKSBpbnRvIHRoZQotIHVzZXIgc3BhY2UuIEJvdGggaGF2ZSB0aGVpciBhZHZhbnRhZ2VzLgotIEluIHRlcm1zIG9mIGFic29sdXRlIHNwZWVkIG1tYXAoKSBpcyBmYXN0ZXIuIElmIHNwZWVkIGlzIG5vdCBhIGNvbmNlcm4sIAotIGluZGlyZWN0IElPIHNob3VsZCBiZSBmaW5lLiBSZWFkIHRoZSBkb2N1bWVudGF0aW9uIGZvciBtb3JlIGluZm9ybWF0aW9uLgotCi0gKiogTi5CLiBUbyB1c2UgZGlyZWN0IElPICdlY2hvIDEgPiAvcHJvYy9zY3NpL3NnL2FsbG93X2Rpbycgb3IKLSAgICAgICAgICdlY2hvIDEgPiAvc3lzL21vZHVsZS9zZy9wYXJhbWV0ZXJzL2FsbG93X2RpbycgaXMgbmVlZGVkLgotICAgICAgICAgVGhhdCBhdHRyaWJ1dGUgaXMgMCBieSBkZWZhdWx0LiAqKgotIAotIEhpc3RvcmljYWwgbm90ZTogdGhpcyBTQ1NJIHBhc3MtdGhyb3VnaCBkcml2ZXIgaGFzIGJlZW4ga25vd24gYXMgInNnIiBmb3IgCi0gYSBkZWNhZGUuIEluIGJyb2FkZXIga2VybmVsIGRpc2N1c3Npb25zICJzZyIgaXMgdXNlZCB0byByZWZlciB0byBzY2F0dGVyCi0gZ2F0aGVyIHRlY2huaXF1ZXMuIFRoZSBjb250ZXh0IHNob3VsZCBjbGFyaWZ5IHdoaWNoICJzZyIgaXMgcmVmZXJyZWQgdG8uCi0KLSBEb2N1bWVudGF0aW9uCi0gPT09PT09PT09PT09PQotIEEgd2ViIHNpdGUgZm9yIHRoZSBTRyBkZXZpY2UgZHJpdmVyIGNhbiBiZSBmb3VuZCBhdDoKLQlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cgIFthbHRlcm5hdGl2ZWx5IGNoZWNrIHRoZSBNQUlOVEFJTkVSUyBmaWxlXQotIFRoZSBkb2N1bWVudGF0aW9uIGZvciB0aGUgc2cgdmVyc2lvbiAzIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6Ci0gCWh0dHA6Ly93d3cudG9ycXVlLm5ldC9zZy9wL3NnX3YzX2hvLmh0bWwKLSBUaGlzIGlzIGEgcmVuZGVyaW5nIGZyb20gRG9jQm9vayBzb3VyY2UgW2NoYW5nZSB0aGUgZXh0ZW5zaW9uIHRvICJzZ21sIgotIG9yICJ4bWwiXS4gVGhlcmUgYXJlIHJlbmRlcmluZ3MgaW4gInBzIiwgInBkZiIsICJydGYiIGFuZCAidHh0IiAoc29vbikuCi0gVGhlIFNHX0lPIGlvY3RsIGlzIG5vdyBmb3VuZCBpbiBvdGhlciBwYXJ0cyBrZXJuZWwgKGUuZy4gdGhlIGJsb2NrIGxheWVyKS4KLSBGb3IgbW9yZSBpbmZvcm1hdGlvbiBzZWUgaHR0cDovL3d3dy50b3JxdWUubmV0L3NnL3NnX2lvLmh0bWwKLQotIFRoZSBvbGRlciwgdmVyc2lvbiAyIGRvY3VtZW50cyBkaXNjdXNzIHRoZSBvcmlnaW5hbCBzZyBpbnRlcmZhY2UgaW4gZGV0YWlsOgotCWh0dHA6Ly93d3cudG9ycXVlLm5ldC9zZy9wL3Njc2ktZ2VuZXJpYy50eHQKLQlodHRwOi8vd3d3LnRvcnF1ZS5uZXQvc2cvcC9zY3NpLWdlbmVyaWNfbG9uZy50eHQKLSBBbHNvIGF2YWlsYWJsZTogPGtlcm5lbF9zb3VyY2U+L0RvY3VtZW50YXRpb24vc2NzaS9zY3NpLWdlbmVyaWMudHh0Ci0KLSBVdGlsaXR5IGFuZCB0ZXN0IHByb2dyYW1zIGFyZSBhdmFpbGFibGUgYXQgdGhlIHNnIHdlYiBzaXRlLiBUaGV5IGFyZSAKLSBwYWNrYWdlZCBhcyBzZzNfdXRpbHMgKGZvciB0aGUgbGsgMi40IGFuZCAyLjYgc2VyaWVzKSBhbmQgc2dfdXRpbHMKLSAoZm9yIHRoZSBsayAyLjIgc2VyaWVzKS4KLSovCisgKiBIaXN0b3J5OgorICogIFN0YXJ0ZWQ6IEF1ZyA5IGJ5IExhd3JlbmNlIEZvYXJkIChlbnRyb3B5QHdvcmxkLnN0ZC5jb20pLCB0byBhbGxvdyB1c2VyCisgKiAgIHByb2Nlc3MgY29udHJvbCBvZiBTQ1NJIGRldmljZXMuCisgKiAgRGV2ZWxvcG1lbnQgU3BvbnNvcmVkIGJ5IEtpbGx5IENvcnAuIE5ZIE5ZCisgKgorICogT3JpZ2luYWwgZHJpdmVyIChzZy5oKToKKyAqICAgICAgIENvcHlyaWdodCAoQykgMTk5MiBMYXdyZW5jZSBGb2FyZAorICogVmVyc2lvbiAyIGFuZCAzIGV4dGVuc2lvbnMgdG8gZHJpdmVyOgorICoJQ29weXJpZ2h0IChDKSAxOTk4IC0gMjAxNCBEb3VnbGFzIEdpbGJlcnQKKyAqCisgKiAgVmVyc2lvbjogMy41LjM2ICgyMDE0MDYwMykKKyAqICBUaGlzIHZlcnNpb24gaXMgZm9yIDIuNiBhbmQgMyBzZXJpZXMga2VybmVscy4KKyAqCisgKiBEb2N1bWVudGF0aW9uCisgKiA9PT09PT09PT09PT09CisgKiBBIHdlYiBzaXRlIGZvciB0aGUgU0cgZGV2aWNlIGRyaXZlciBjYW4gYmUgZm91bmQgYXQ6CisgKglodHRwOi8vc2cuZGFubnkuY3ovc2cgIFthbHRlcm5hdGl2ZWx5IGNoZWNrIHRoZSBNQUlOVEFJTkVSUyBmaWxlXQorICogVGhlIGRvY3VtZW50YXRpb24gZm9yIHRoZSBzZyB2ZXJzaW9uIDMgZHJpdmVyIGNhbiBiZSBmb3VuZCBhdDoKKyAqCWh0dHA6Ly9zZy5kYW5ueS5jei9zZy9wL3NnX3YzX2hvLmh0bWwKKyAqIEFsc28gc2VlOiA8a2VybmVsX3NvdXJjZT4vRG9jdW1lbnRhdGlvbi9zY3NpL3Njc2ktZ2VuZXJpYy50eHQKKyAqCisgKiBGb3IgdXRpbGl0eSBhbmQgdGVzdCBwcm9ncmFtcyBzZWU6IGh0dHA6Ly9zZy5kYW5ueS5jei9zZy9zZzNfdXRpbHMuaHRtbAorICovCiAKICNpZmRlZiBfX0tFUk5FTF9fCiBleHRlcm4gaW50IHNnX2JpZ19idWZmOyAvKiBmb3Igc3lzY3RsICovCiAjZW5kaWYKIAotLyogTmV3IGludGVyZmFjZSBpbnRyb2R1Y2VkIGluIHRoZSAzLnggU0cgZHJpdmVycyBmb2xsb3dzICovCiAKIHR5cGVkZWYgc3RydWN0IHNnX2lvdmVjIC8qIHNhbWUgc3RydWN0dXJlIGFzIHVzZWQgYnkgcmVhZHYoKSBMaW51eCBzeXN0ZW0gKi8KIHsgICAgICAgICAgICAgICAgICAgICAgIC8qIGNhbGwuIEl0IGRlZmluZXMgb25lIHNjYXR0ZXItZ2F0aGVyIGVsZW1lbnQuICovCkBAIC04Nyw3ICs0NCw3IEBACiB7CiAgICAgaW50IGludGVyZmFjZV9pZDsgICAgICAgICAgIC8qIFtpXSAnUycgZm9yIFNDU0kgZ2VuZXJpYyAocmVxdWlyZWQpICovCiAgICAgaW50IGR4ZmVyX2RpcmVjdGlvbjsgICAgICAgIC8qIFtpXSBkYXRhIHRyYW5zZmVyIGRpcmVjdGlvbiAgKi8KLSAgICB1bnNpZ25lZCBjaGFyIGNtZF9sZW47ICAgICAgLyogW2ldIFNDU0kgY29tbWFuZCBsZW5ndGggKCA8PSAxNiBieXRlcykgKi8KKyAgICB1bnNpZ25lZCBjaGFyIGNtZF9sZW47ICAgICAgLyogW2ldIFNDU0kgY29tbWFuZCBsZW5ndGggKi8KICAgICB1bnNpZ25lZCBjaGFyIG14X3NiX2xlbjsgICAgLyogW2ldIG1heCBsZW5ndGggdG8gd3JpdGUgdG8gc2JwICovCiAgICAgdW5zaWduZWQgc2hvcnQgaW92ZWNfY291bnQ7IC8qIFtpXSAwIGltcGxpZXMgbm8gc2NhdHRlciBnYXRoZXIgKi8KICAgICB1bnNpZ25lZCBpbnQgZHhmZXJfbGVuOyAgICAgLyogW2ldIGJ5dGUgY291bnQgb2YgZGF0YSB0cmFuc2ZlciAqLwo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch new file mode 100644 index 00000000..5bf99fee --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch @@ -0,0 +1,29 @@ +From c38b9d2d38678815745eae28512a03d5e1a3dcf1 Mon Sep 17 00:00:00 2001 +From: peter chang +Date: Wed, 15 Feb 2017 14:11:54 -0800 +Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN + +The user can control the size of the next command passed along, but the +value passed to the ioctl isn't checked against the usable max command +size. + +Change-Id: Icbb33a63776954de662eb858ede300fbcb3710f4 +Cc: +Signed-off-by: Peter Chang +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +--- + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 56178bc..84f5a76 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -959,6 +959,8 @@ + result = get_user(val, ip); + if (result) + return result; ++ if (val > SG_MAX_CDB_SIZE) ++ return -ENOMEM; + sfp->next_cmd_len = (val > 0) ? val : 0; + return 0; + case SG_GET_VERSION_NUM: diff --git a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64 new file mode 100644 index 00000000..fafd941c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64 @@ -0,0 +1 @@ +RnJvbSBjMzhiOWQyZDM4Njc4ODE1NzQ1ZWFlMjg1MTJhMDNkNWUxYTNkY2YxIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBwZXRlciBjaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkRhdGU6IFdlZCwgMTUgRmViIDIwMTcgMTQ6MTE6NTQgLTA4MDAKU3ViamVjdDogW1BBVENIXSBzY3NpOiBzZzogY2hlY2sgbGVuZ3RoIHBhc3NlZCB0byBTR19ORVhUX0NNRF9MRU4KClRoZSB1c2VyIGNhbiBjb250cm9sIHRoZSBzaXplIG9mIHRoZSBuZXh0IGNvbW1hbmQgcGFzc2VkIGFsb25nLCBidXQgdGhlCnZhbHVlIHBhc3NlZCB0byB0aGUgaW9jdGwgaXNuJ3QgY2hlY2tlZCBhZ2FpbnN0IHRoZSB1c2FibGUgbWF4IGNvbW1hbmQKc2l6ZS4KCkNoYW5nZS1JZDogSWNiYjMzYTYzNzc2OTU0ZGU2NjJlYjg1OGVkZTMwMGZiY2IzNzEwZjQKQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgpTaWduZWQtb2ZmLWJ5OiBQZXRlciBDaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KU2lnbmVkLW9mZi1ieTogTWFydGluIEsuIFBldGVyc2VuIDxtYXJ0aW4ucGV0ZXJzZW5Ab3JhY2xlLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA1NjE3OGJjLi44NGY1YTc2IDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtOTU5LDYgKzk1OSw4IEBACiAJCXJlc3VsdCA9IGdldF91c2VyKHZhbCwgaXApOwogCQlpZiAocmVzdWx0KQogCQkJcmV0dXJuIHJlc3VsdDsKKwkJaWYgKHZhbCA+IFNHX01BWF9DREJfU0laRSkKKwkJCXJldHVybiAtRU5PTUVNOwogCQlzZnAtPm5leHRfY21kX2xlbiA9ICh2YWwgPiAwKSA/IHZhbCA6IDA7CiAJCXJldHVybiAwOwogCWNhc2UgU0dfR0VUX1ZFUlNJT05fTlVNOgo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7187/^4.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7187/^4.10/0007.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7187/^4.10/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7187/^4.10/0007.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.10/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8246/3.10/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8246/3.10/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.18/0004.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8246/3.18/0002.patch rename to Patches/Linux_CVEs/CVE-2017-8246/3.18/0004.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch new file mode 100644 index 00000000..6f911bbb --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch @@ -0,0 +1,90 @@ +From ac8b4b8f6976c6f63704c2f1e3dc464bfa6a5256 Mon Sep 17 00:00:00 2001 +From: Xiaojun Sang +Date: Fri, 24 Feb 2017 16:13:20 +0800 +Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6v2: set pointer to NULL after free. + +Pointer after kfree is not sanitized. +Set pointer to NULL. + +CRs-Fixed: 2008031 +Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4 +Signed-off-by: Xiaojun Sang +Signed-off-by: Bikshapathi Kothapeta +--- + +diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +index 3284380..f4a9a4d 100644 +--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +@@ -391,6 +391,7 @@ + SNDRV_PCM_STREAM_PLAYBACK); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ compr->prtd = NULL; + return 0; + } + +diff --git a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c +index 98401d9..f93029c 100644 +--- a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c +@@ -503,6 +503,7 @@ + multi_ch_pcm_audio.prtd = NULL; + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +@@ -595,6 +596,7 @@ + SNDRV_PCM_STREAM_CAPTURE); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c +index b6ecaa6..68a6b3d 100644 +--- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c +@@ -396,6 +396,7 @@ + mutex_unlock(&prtd->lock); + prtd->prepared--; + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + static int msm_afe_prepare(struct snd_pcm_substream *substream) +diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c +index a6c8f16..9c575a5 100644 +--- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c +@@ -391,6 +391,7 @@ + pr_debug("%s\n", __func__); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c +index 57ccea1..f5846ca 100644 +--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c +@@ -446,6 +446,7 @@ + SNDRV_PCM_STREAM_PLAYBACK); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +@@ -538,6 +539,7 @@ + SNDRV_PCM_STREAM_CAPTURE); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64 new file mode 100644 index 00000000..75310d3e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSBhYzhiNGI4ZjY5NzZjNmY2MzcwNGMyZjFlM2RjNDY0YmZhNmE1MjU2IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDI0IEZlYiAyMDE3IDE2OjEzOjIwICswODAwClN1YmplY3Q6IFtQQVRDSF0gQkFDS1BPUlQ6IEFTb0M6IG1zbTogcWRzcDZ2Mjogc2V0IHBvaW50ZXIgdG8gTlVMTCBhZnRlciBmcmVlLgoKUG9pbnRlciBhZnRlciBrZnJlZSBpcyBub3Qgc2FuaXRpemVkLgpTZXQgcG9pbnRlciB0byBOVUxMLgoKQ1JzLUZpeGVkOiAyMDA4MDMxCkNoYW5nZS1JZDogSWE1OWE1N2ZjZDE0MmE2ZWQxOGQxNjg5OTJiOGRhNDAxOTMxNGFmYTQKU2lnbmVkLW9mZi1ieTogWGlhb2p1biBTYW5nIDx4c2FuZ0Bjb2RlYXVyb3JhLm9yZz4KU2lnbmVkLW9mZi1ieTogQmlrc2hhcGF0aGkgS290aGFwZXRhIDxia290aGFAY29kZWF1cm9yYS5vcmc+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tY29tcHItcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tY29tcHItcTYtdjIuYwppbmRleCAzMjg0MzgwLi5mNGE5YTRkIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLWNvbXByLXE2LXYyLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1jb21wci1xNi12Mi5jCkBAIC0zOTEsNiArMzkxLDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX1BMQVlCQUNLKTsKIAlxNmFzbV9hdWRpb19jbGllbnRfZnJlZShwcnRkLT5hdWRpb19jbGllbnQpOwogCWtmcmVlKHBydGQpOworCWNvbXByLT5wcnRkID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1tdWx0aS1jaC1wY20tcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tbXVsdGktY2gtcGNtLXE2LXYyLmMKaW5kZXggOTg0MDFkOS4uZjkzMDI5YyAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1tdWx0aS1jaC1wY20tcTYtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLW11bHRpLWNoLXBjbS1xNi12Mi5jCkBAIC01MDMsNiArNTAzLDcgQEAKIAltdWx0aV9jaF9wY21fYXVkaW8ucHJ0ZCA9IE5VTEw7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC01OTUsNiArNTk2LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX0NBUFRVUkUpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tYWZlLXYyLmMgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYwppbmRleCBiNmVjYWE2Li42OGE2YjNkIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYwpAQCAtMzk2LDYgKzM5Niw3IEBACiAJbXV0ZXhfdW5sb2NrKCZwcnRkLT5sb2NrKTsKIAlwcnRkLT5wcmVwYXJlZC0tOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIDA7CiB9CiBzdGF0aWMgaW50IG1zbV9hZmVfcHJlcGFyZShzdHJ1Y3Qgc25kX3BjbV9zdWJzdHJlYW0gKnN1YnN0cmVhbSkKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tcGNtLWxwYS12Mi5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKaW5kZXggYTZjOGYxNi4uOWM1NzVhNSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKQEAgLTM5MSw2ICszOTEsNyBAQAogCXByX2RlYnVnKCIlc1xuIiwgX19mdW5jX18pOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tcGNtLXE2LXYyLmMKaW5kZXggNTdjY2VhMS4uZjU4NDZjYSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tcTYtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1xNi12Mi5jCkBAIC00NDYsNiArNDQ2LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX1BMQVlCQUNLKTsKIAlxNmFzbV9hdWRpb19jbGllbnRfZnJlZShwcnRkLT5hdWRpb19jbGllbnQpOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIDA7CiB9CiAKQEAgLTUzOCw2ICs1MzksNyBAQAogCVNORFJWX1BDTV9TVFJFQU1fQ0FQVFVSRSk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch new file mode 100644 index 00000000..112437e7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch @@ -0,0 +1,162 @@ +From 5b3fcb8c073ea1762744eeb74d2e8301a8728d7b Mon Sep 17 00:00:00 2001 +From: Xiaojun Sang +Date: Fri, 24 Feb 2017 16:13:20 +0800 +Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6: set pointer to NULL after free. + +Pointer after kfree is not sanitized. +Set pointer to NULL. + +CRs-Fixed: 2008031 +Change-Id: I765a59a2059ba7a0fc16f70a1a8b92f57297a907 +Signed-off-by: Xiaojun Sang +Signed-off-by: Bikshapathi Kothapeta +--- + +diff --git a/sound/soc/msm/msm-lowlatency-pcm-q6.c b/sound/soc/msm/msm-lowlatency-pcm-q6.c +index ad7ae1f..0f323c4 100644 +--- a/sound/soc/msm/msm-lowlatency-pcm-q6.c ++++ b/sound/soc/msm/msm-lowlatency-pcm-q6.c +@@ -504,6 +504,7 @@ + SNDRV_PCM_STREAM_PLAYBACK); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +@@ -596,6 +597,7 @@ + SNDRV_PCM_STREAM_CAPTURE); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/msm-multi-ch-pcm-q6.c b/sound/soc/msm/msm-multi-ch-pcm-q6.c +index 999683e..59072ec 100644 +--- a/sound/soc/msm/msm-multi-ch-pcm-q6.c ++++ b/sound/soc/msm/msm-multi-ch-pcm-q6.c +@@ -576,6 +576,7 @@ + multi_ch_pcm_audio.prtd = NULL; + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +@@ -668,6 +669,7 @@ + SNDRV_PCM_STREAM_CAPTURE); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/msm-pcm-afe.c b/sound/soc/msm/msm-pcm-afe.c +index 66043d1..a93d58b 100644 +--- a/sound/soc/msm/msm-pcm-afe.c ++++ b/sound/soc/msm/msm-pcm-afe.c +@@ -326,6 +326,7 @@ + pr_debug("%s: Could not allocate memory\n", __func__); + mutex_unlock(&prtd->lock); + kfree(prtd); ++ runtime->private_data = NULL; + return -ENOMEM; + } + hrtimer_init(&prtd->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL); +@@ -409,6 +410,7 @@ + mutex_unlock(&prtd->lock); + prtd->prepared--; + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + static int msm_afe_prepare(struct snd_pcm_substream *substream) +diff --git a/sound/soc/msm/msm-pcm-q6.c b/sound/soc/msm/msm-pcm-q6.c +index 16e1415..da696d0 100644 +--- a/sound/soc/msm/msm-pcm-q6.c ++++ b/sound/soc/msm/msm-pcm-q6.c +@@ -509,6 +509,7 @@ + SNDRV_PCM_STREAM_PLAYBACK); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +@@ -604,6 +605,7 @@ + msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, + SNDRV_PCM_STREAM_CAPTURE); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/msm7k-pcm.c b/sound/soc/msm/msm7k-pcm.c +index a9193a2..50983a0 100644 +--- a/sound/soc/msm/msm7k-pcm.c ++++ b/sound/soc/msm/msm7k-pcm.c +@@ -393,6 +393,7 @@ + msm_adsp_put(prtd->audrec); + msm_adsp_put(prtd->audpre); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +@@ -449,6 +450,7 @@ + + out: + kfree(prtd); ++ runtime->private_data = NULL; + return ret; + } + +@@ -492,6 +494,7 @@ + alsa_audio_disable(prtd); + audmgr_close(&prtd->audmgr); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +diff --git a/sound/soc/msm/msm7kv2-pcm.c b/sound/soc/msm/msm7kv2-pcm.c +index 2b7a438..252e1f0 100644 +--- a/sound/soc/msm/msm7kv2-pcm.c ++++ b/sound/soc/msm/msm7kv2-pcm.c +@@ -520,6 +520,7 @@ + alsa_audio_disable(prtd); + auddev_unregister_evt_listner(AUDDEV_CLNT_DEC, prtd->session_id); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +@@ -574,6 +575,7 @@ + audpreproc_aenc_free(prtd->session_id); + msm_adsp_put(prtd->audrec); + kfree(prtd); ++ runtime->private_data = NULL; + return 0; + } + +diff --git a/sound/soc/msm/msm8x60-pcm.c b/sound/soc/msm/msm8x60-pcm.c +index 7993435..bfbea5c 100644 +--- a/sound/soc/msm/msm8x60-pcm.c ++++ b/sound/soc/msm/msm8x60-pcm.c +@@ -534,6 +534,7 @@ + msm_clear_session_id(prtd->session_id); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +@@ -627,6 +628,7 @@ + msm_clear_session_id(prtd->session_id); + q6asm_audio_client_free(prtd->audio_client); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64 new file mode 100644 index 00000000..961efb82 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSA1YjNmY2I4YzA3M2VhMTc2Mjc0NGVlYjc0ZDJlODMwMWE4NzI4ZDdiIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDI0IEZlYiAyMDE3IDE2OjEzOjIwICswODAwClN1YmplY3Q6IFtQQVRDSF0gQkFDS1BPUlQ6IEFTb0M6IG1zbTogcWRzcDY6IHNldCBwb2ludGVyIHRvIE5VTEwgYWZ0ZXIgZnJlZS4KClBvaW50ZXIgYWZ0ZXIga2ZyZWUgaXMgbm90IHNhbml0aXplZC4KU2V0IHBvaW50ZXIgdG8gTlVMTC4KCkNScy1GaXhlZDogMjAwODAzMQpDaGFuZ2UtSWQ6IEk3NjVhNTlhMjA1OWJhN2EwZmMxNmY3MGExYThiOTJmNTcyOTdhOTA3ClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IEJpa3NoYXBhdGhpIEtvdGhhcGV0YSA8YmtvdGhhQGNvZGVhdXJvcmEub3JnPgotLS0KCmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1sb3dsYXRlbmN5LXBjbS1xNi5jIGIvc291bmQvc29jL21zbS9tc20tbG93bGF0ZW5jeS1wY20tcTYuYwppbmRleCBhZDdhZTFmLi4wZjMyM2M0IDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL21zbS1sb3dsYXRlbmN5LXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLWxvd2xhdGVuY3ktcGNtLXE2LmMKQEAgLTUwNCw2ICs1MDQsNyBAQAogCQkJU05EUlZfUENNX1NUUkVBTV9QTEFZQkFDSyk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC01OTYsNiArNTk3LDcgQEAKIAkJCVNORFJWX1BDTV9TVFJFQU1fQ0FQVFVSRSk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1tdWx0aS1jaC1wY20tcTYuYyBiL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCmluZGV4IDk5OTY4M2UuLjU5MDcyZWMgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLW11bHRpLWNoLXBjbS1xNi5jCkBAIC01NzYsNiArNTc2LDcgQEAKIAltdWx0aV9jaF9wY21fYXVkaW8ucHJ0ZCA9IE5VTEw7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC02NjgsNiArNjY5LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX0NBUFRVUkUpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9tc20tcGNtLWFmZS5jIGIvc291bmQvc29jL21zbS9tc20tcGNtLWFmZS5jCmluZGV4IDY2MDQzZDEuLmE5M2Q1OGIgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1hZmUuYworKysgYi9zb3VuZC9zb2MvbXNtL21zbS1wY20tYWZlLmMKQEAgLTMyNiw2ICszMjYsNyBAQAogCQlwcl9kZWJ1ZygiJXM6IENvdWxkIG5vdCBhbGxvY2F0ZSBtZW1vcnlcbiIsIF9fZnVuY19fKTsKIAkJbXV0ZXhfdW5sb2NrKCZwcnRkLT5sb2NrKTsKIAkJa2ZyZWUocHJ0ZCk7CisJCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJCXJldHVybiAtRU5PTUVNOwogCX0KIAlocnRpbWVyX2luaXQoJnBydGQtPmhydCwgQ0xPQ0tfTU9OT1RPTklDLCBIUlRJTUVSX01PREVfUkVMKTsKQEAgLTQwOSw2ICs0MTAsNyBAQAogCW11dGV4X3VubG9jaygmcHJ0ZC0+bG9jayk7CiAJcHJ0ZC0+cHJlcGFyZWQtLTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogc3RhdGljIGludCBtc21fYWZlX3ByZXBhcmUoc3RydWN0IHNuZF9wY21fc3Vic3RyZWFtICpzdWJzdHJlYW0pCmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbS1wY20tcTYuYyBiL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCmluZGV4IDE2ZTE0MTUuLmRhNjk2ZDAgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtLXBjbS1xNi5jCkBAIC01MDksNiArNTA5LDcgQEAKIAkJCVNORFJWX1BDTV9TVFJFQU1fUExBWUJBQ0spOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApAQCAtNjA0LDYgKzYwNSw3IEBACiAJbXNtX3BjbV9yb3V0aW5nX2RlcmVnX3BoeV9zdHJlYW0oc29jX3BydGQtPmRhaV9saW5rLT5iZV9pZCwKIAkJU05EUlZfUENNX1NUUkVBTV9DQVBUVVJFKTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbTdrLXBjbS5jIGIvc291bmQvc29jL21zbS9tc203ay1wY20uYwppbmRleCBhOTE5M2EyLi41MDk4M2EwIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL21zbTdrLXBjbS5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtN2stcGNtLmMKQEAgLTM5Myw2ICszOTMsNyBAQAogCW1zbV9hZHNwX3B1dChwcnRkLT5hdWRyZWMpOwogCW1zbV9hZHNwX3B1dChwcnRkLT5hdWRwcmUpOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAKIAlyZXR1cm4gMDsKIH0KQEAgLTQ0OSw2ICs0NTAsNyBAQAogCiAgb3V0OgogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIHJldDsKIH0KIApAQCAtNDkyLDYgKzQ5NCw3IEBACiAJYWxzYV9hdWRpb19kaXNhYmxlKHBydGQpOwogCWF1ZG1ncl9jbG9zZSgmcHJ0ZC0+YXVkbWdyKTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9CmRpZmYgLS1naXQgYS9zb3VuZC9zb2MvbXNtL21zbTdrdjItcGNtLmMgYi9zb3VuZC9zb2MvbXNtL21zbTdrdjItcGNtLmMKaW5kZXggMmI3YTQzOC4uMjUyZTFmMCAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9tc203a3YyLXBjbS5jCisrKyBiL3NvdW5kL3NvYy9tc20vbXNtN2t2Mi1wY20uYwpAQCAtNTIwLDYgKzUyMCw3IEBACiAJYWxzYV9hdWRpb19kaXNhYmxlKHBydGQpOwogCWF1ZGRldl91bnJlZ2lzdGVyX2V2dF9saXN0bmVyKEFVRERFVl9DTE5UX0RFQywgcHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpAQCAtNTc0LDYgKzU3NSw3IEBACiAJYXVkcHJlcHJvY19hZW5jX2ZyZWUocHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJbXNtX2Fkc3BfcHV0KHBydGQtPmF1ZHJlYyk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9tc204eDYwLXBjbS5jIGIvc291bmQvc29jL21zbS9tc204eDYwLXBjbS5jCmluZGV4IDc5OTM0MzUuLmJmYmVhNWMgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vbXNtOHg2MC1wY20uYworKysgYi9zb3VuZC9zb2MvbXNtL21zbTh4NjAtcGNtLmMKQEAgLTUzNCw2ICs1MzQsNyBAQAogCW1zbV9jbGVhcl9zZXNzaW9uX2lkKHBydGQtPnNlc3Npb25faWQpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpAQCAtNjI3LDYgKzYyOCw3IEBACiAJbXNtX2NsZWFyX3Nlc3Npb25faWQocHJ0ZC0+c2Vzc2lvbl9pZCk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8246/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-8246/4.4/0005.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8246/4.4/0003.patch rename to Patches/Linux_CVEs/CVE-2017-8246/4.4/0005.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch new file mode 100644 index 00000000..24e650c5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch @@ -0,0 +1,47 @@ +From 338a5cecf0f839331f0a58bff8aaae79e134799e Mon Sep 17 00:00:00 2001 +From: Fred Oh +Date: Tue, 07 Apr 2015 19:22:29 -0700 +Subject: [PATCH] ASoC: msm: qdsp6v2: validate audio client in callback + +In case of single stream multiple device(SSMD) use-case audio session is +freed on first EOS. There are some chance to crash when 2nd EOS event is +reached with some delay. This make sure return properly if audio client +is not valid. + +Bug: 36252027 +Change-Id: I3711d8e039fc37e654ca5230f3dc8784c6dba071 +Signed-off-by: Fred Oh +Signed-off-by: Siqi Lin +--- + +diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c +index b17a440..4f486b1 100644 +--- a/sound/soc/msm/qdsp6v2/q6asm.c ++++ b/sound/soc/msm/qdsp6v2/q6asm.c +@@ -329,6 +329,16 @@ + return -ENOMEM; + } + ++static bool q6asm_is_valid_audio_client(struct audio_client *ac) ++{ ++ int n; ++ for (n = 1; n <= SESSION_MAX; n++) { ++ if (session[n] == ac) ++ return 1; ++ } ++ return 0; ++} ++ + static void q6asm_session_free(struct audio_client *ac) + { + pr_debug("%s: sessionid[%d]\n", __func__, ac->session); +@@ -905,7 +915,8 @@ + pr_err("ac or priv NULL\n"); + return -EINVAL; + } +- if (ac->session <= 0 || ac->session > 8) { ++ if (ac->session <= 0 || ac->session > 8 || ++ !q6asm_is_valid_audio_client(ac)) { + pr_err("%s:Session ID is invalid, session = %d\n", __func__, + ac->session); + return -EINVAL; diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64 new file mode 100644 index 00000000..ab8dbc81 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSAzMzhhNWNlY2YwZjgzOTMzMWYwYTU4YmZmOGFhYWU3OWUxMzQ3OTllIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBGcmVkIE9oIDxmcmVkQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBUdWUsIDA3IEFwciAyMDE1IDE5OjIyOjI5IC0wNzAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogbXNtOiBxZHNwNnYyOiB2YWxpZGF0ZSBhdWRpbyBjbGllbnQgaW4gY2FsbGJhY2sKCkluIGNhc2Ugb2Ygc2luZ2xlIHN0cmVhbSBtdWx0aXBsZSBkZXZpY2UoU1NNRCkgdXNlLWNhc2UgYXVkaW8gc2Vzc2lvbiBpcwpmcmVlZCBvbiBmaXJzdCBFT1MuIFRoZXJlIGFyZSBzb21lIGNoYW5jZSB0byBjcmFzaCB3aGVuIDJuZCBFT1MgZXZlbnQgaXMKcmVhY2hlZCB3aXRoIHNvbWUgZGVsYXkuIFRoaXMgbWFrZSBzdXJlIHJldHVybiBwcm9wZXJseSBpZiBhdWRpbyBjbGllbnQKaXMgbm90IHZhbGlkLgoKQnVnOiAzNjI1MjAyNwpDaGFuZ2UtSWQ6IEkzNzExZDhlMDM5ZmMzN2U2NTRjYTUyMzBmM2RjODc4NGM2ZGJhMDcxClNpZ25lZC1vZmYtYnk6IEZyZWQgT2ggPGZyZWRAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IFNpcWkgTGluIDxzaXFpbGluQGdvb2dsZS5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggYjE3YTQ0MC4uNGY0ODZiMSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTMyOSw2ICszMjksMTYgQEAKIAlyZXR1cm4gLUVOT01FTTsKIH0KIAorc3RhdGljIGJvb2wgcTZhc21faXNfdmFsaWRfYXVkaW9fY2xpZW50KHN0cnVjdCBhdWRpb19jbGllbnQgKmFjKQoreworCWludCBuOworCWZvciAobiA9IDE7IG4gPD0gU0VTU0lPTl9NQVg7IG4rKykgeworCQlpZiAoc2Vzc2lvbltuXSA9PSBhYykKKwkJCXJldHVybiAxOworCX0KKwlyZXR1cm4gMDsKK30KKwogc3RhdGljIHZvaWQgcTZhc21fc2Vzc2lvbl9mcmVlKHN0cnVjdCBhdWRpb19jbGllbnQgKmFjKQogewogCXByX2RlYnVnKCIlczogc2Vzc2lvbmlkWyVkXVxuIiwgX19mdW5jX18sIGFjLT5zZXNzaW9uKTsKQEAgLTkwNSw3ICs5MTUsOCBAQAogCQlwcl9lcnIoImFjIG9yIHByaXYgTlVMTFxuIik7CiAJCXJldHVybiAtRUlOVkFMOwogCX0KLQlpZiAoYWMtPnNlc3Npb24gPD0gMCB8fCBhYy0+c2Vzc2lvbiA+IDgpIHsKKwlpZiAoYWMtPnNlc3Npb24gPD0gMCB8fCBhYy0+c2Vzc2lvbiA+IDggfHwKKwkJIXE2YXNtX2lzX3ZhbGlkX2F1ZGlvX2NsaWVudChhYykpIHsKIAkJcHJfZXJyKCIlczpTZXNzaW9uIElEIGlzIGludmFsaWQsIHNlc3Npb24gPSAlZFxuIiwgX19mdW5jX18sCiAJCQlhYy0+c2Vzc2lvbik7CiAJCXJldHVybiAtRUlOVkFMOwo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch new file mode 100644 index 00000000..81d9a798 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch @@ -0,0 +1,38 @@ +From fd6890b6c55c2ced15b7165cc658eb83dafc7eb1 Mon Sep 17 00:00:00 2001 +From: Aravind Kumar +Date: Mon, 11 May 2015 15:26:27 +0530 +Subject: [PATCH] ASoC: msm: qdsp6v2: check audio client pointer before accessing + +In the registered callback for q6asm, we are checking if +the audio client pointer is valid and also, dereferencing it +to get the session ID even though it could be invalid or expired. +Return and exit immediately if the audio client pointer is +invalid. + +Bug: 36252027 +CRs-Fixed: 832914 +Change-Id: I96b722b584a4b5adf8a33891abd75a320e76ea25 +Signed-off-by: Aravind Kumar +Signed-off-by: Siqi Lin +--- + +diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c +index 4f486b1..20e2cef 100644 +--- a/sound/soc/msm/qdsp6v2/q6asm.c ++++ b/sound/soc/msm/qdsp6v2/q6asm.c +@@ -915,8 +915,13 @@ + pr_err("ac or priv NULL\n"); + return -EINVAL; + } +- if (ac->session <= 0 || ac->session > 8 || +- !q6asm_is_valid_audio_client(ac)) { ++ if (!q6asm_is_valid_audio_client(ac)) { ++ pr_err("%s: audio client pointer is invalid, ac = %p\n", ++ __func__, ac); ++ return -EINVAL; ++ } ++ ++ if (ac->session <= 0 || ac->session > 8) { + pr_err("%s:Session ID is invalid, session = %d\n", __func__, + ac->session); + return -EINVAL; diff --git a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64 new file mode 100644 index 00000000..eaed2539 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSBmZDY4OTBiNmM1NWMyY2VkMTViNzE2NWNjNjU4ZWI4M2RhZmM3ZWIxIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBcmF2aW5kIEt1bWFyIDxha3VtYXJrQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBNb24sIDExIE1heSAyMDE1IDE1OjI2OjI3ICswNTMwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogbXNtOiBxZHNwNnYyOiBjaGVjayBhdWRpbyBjbGllbnQgcG9pbnRlciBiZWZvcmUgYWNjZXNzaW5nCgpJbiB0aGUgcmVnaXN0ZXJlZCBjYWxsYmFjayBmb3IgcTZhc20sIHdlIGFyZSBjaGVja2luZyBpZgp0aGUgYXVkaW8gY2xpZW50IHBvaW50ZXIgaXMgdmFsaWQgYW5kIGFsc28sIGRlcmVmZXJlbmNpbmcgaXQKdG8gZ2V0IHRoZSBzZXNzaW9uIElEIGV2ZW4gdGhvdWdoIGl0IGNvdWxkIGJlIGludmFsaWQgb3IgZXhwaXJlZC4KUmV0dXJuIGFuZCBleGl0IGltbWVkaWF0ZWx5IGlmIHRoZSBhdWRpbyBjbGllbnQgcG9pbnRlciBpcwppbnZhbGlkLgoKQnVnOiAzNjI1MjAyNwpDUnMtRml4ZWQ6IDgzMjkxNApDaGFuZ2UtSWQ6IEk5NmI3MjJiNTg0YTRiNWFkZjhhMzM4OTFhYmQ3NWEzMjBlNzZlYTI1ClNpZ25lZC1vZmYtYnk6IEFyYXZpbmQgS3VtYXIgPGFrdW1hcmtAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IFNpcWkgTGluIDxzaXFpbGluQGdvb2dsZS5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggNGY0ODZiMS4uMjBlMmNlZiAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTkxNSw4ICs5MTUsMTMgQEAKIAkJcHJfZXJyKCJhYyBvciBwcml2IE5VTExcbiIpOwogCQlyZXR1cm4gLUVJTlZBTDsKIAl9Ci0JaWYgKGFjLT5zZXNzaW9uIDw9IDAgfHwgYWMtPnNlc3Npb24gPiA4IHx8Ci0JCSFxNmFzbV9pc192YWxpZF9hdWRpb19jbGllbnQoYWMpKSB7CisJaWYgKCFxNmFzbV9pc192YWxpZF9hdWRpb19jbGllbnQoYWMpKSB7CisJCXByX2VycigiJXM6IGF1ZGlvIGNsaWVudCBwb2ludGVyIGlzIGludmFsaWQsIGFjID0gJXBcbiIsCisJCQkJX19mdW5jX18sIGFjKTsKKwkJcmV0dXJuIC1FSU5WQUw7CisJfQorCisJaWYgKGFjLT5zZXNzaW9uIDw9IDAgfHwgYWMtPnNlc3Npb24gPiA4KSB7CiAJCXByX2VycigiJXM6U2Vzc2lvbiBJRCBpcyBpbnZhbGlkLCBzZXNzaW9uID0gJWRcbiIsIF9fZnVuY19fLAogCQkJYWMtPnNlc3Npb24pOwogCQlyZXR1cm4gLUVJTlZBTDsK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8254/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8254/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8254/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8254/ANY/0003.patch diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt index d86299b9..2c0d2de6 100644 --- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt +++ b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt @@ -1107,6 +1107,8 @@ CVE-2016-9191 CVE-2016-9555 Link - https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 CVE-2016-9576 + Link - 3.4 - https://review.lineageos.org/#/c/176402/ + Link - 3.10 - https://review.lineageos.org/#/c/175603/ Link - https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0 CVE-2016-9604 Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44c037827f0aeddbbbb323930fa3d09a7b4fffca @@ -1581,6 +1583,12 @@ CVE-2017-7184 Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df CVE-2017-7187 + Link - 3.4 - https://review.lineageos.org/#/c/182338/ + Link - 3.4 - https://review.lineageos.org/#/c/182339/ + Link - 3.4 - https://review.lineageos.org/#/c/182340/ + Link - 3.10 - https://review.lineageos.org/#/c/175571/ + Link - 3.10 - https://review.lineageos.org/#/c/175572/ + Link - 3.10 - https://review.lineageos.org/#/c/175573/ Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124 CVE-2017-7277 Depends @@ -1666,6 +1674,8 @@ CVE-2017-8245 Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=f53af3805879292423465cd0877cc7a75131ce10 Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5b2f6e011ba92f28e8d7dbeb11c4ee7344c33186 CVE-2017-8246 + Link - 3.4 - https://review.lineageos.org/#/c/185429/ + Link - 3.4 - https://review.lineageos.org/#/c/185430/ Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=578eb74435eccdc3df516fd744941a7d872fac6c Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=30baaec8afb05abf9f794c631ad944838d498ab8 Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9734b72ae21eca557540c3c42d356dd131a20004 @@ -1679,6 +1689,8 @@ CVE-2017-8251 CVE-2017-8253 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5f07894058c4198f61e533d727b343c5be879b0 CVE-2017-8254 + Link - 3.4 - https://review.lineageos.org/#/c/188837/ + Link - 3.4 - https://review.lineageos.org/#/c/188838/ Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=70afce1d9be745005c48fd565c01ce452a565e7e CVE-2017-8256 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=75e1e00d6b3cd4cb89fd5314a60c333aa0b03230