More patches

Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch

@@ -0,0 +1,71 @@
+From f569aee1087fa3da9712952fc00daa72b028424c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 07 Jan 2017 19:14:29 +0100
+Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE
+
+Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check
+whether it is legal to read or write a file using splice. Both get
+automatically set on regular files and are not checked when a 'struct
+fileoperations' includes the splice_{read,write} methods.
+
+Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+
+diff --git a/fs/open.c b/fs/open.c
+index 9bf7fa0..e0e2a37 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -680,6 +680,10 @@
+ 		return 0;
+ 	}
+ 
++	if (S_ISREG(inode->i_mode))
++		f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ;
++
++
+ 	f->f_op = fops_get(inode->i_fop);
+ 
+ 	error = security_file_open(f, cred);
+diff --git a/fs/splice.c b/fs/splice.c
+index f183f13..8ba78ce 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -381,6 +381,9 @@
+ 		index++;
+ 	}
+ 
++	if (unlikely(!(in->f_mode & FMODE_SPLICE_READ)))
++		return -EINVAL;
++
+ 	/*
+ 	 * Now loop over the map and see if we need to start IO on any
+ 	 * pages, fill in the partial map, etc.
+@@ -1084,6 +1087,9 @@
+ {
+ 	ssize_t ret;
+ 
++	if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE)))
++		return -EINVAL;
++
+ 	ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
+ 	if (ret > 0)
+ 		*ppos += ret;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index e6f1180..78300ef 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -125,6 +125,11 @@
+ /* File was opened by fanotify and shouldn't generate fanotify events */
+ #define FMODE_NONOTIFY		((__force fmode_t)0x1000000)
+ 
++/* File can be read using splice */
++#define FMODE_SPLICE_READ       ((__force fmode_t)0x8000000)
++/* File can be written using splice */
++#define FMODE_SPLICE_WRITE      ((__force fmode_t)0x10000000)
++
+ /*
+  * Flag for rw_copy_check_uvector and compat_rw_copy_check_uvector
+  * that indicates that they should check the contents of the iovec are

Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64

@@ -0,0 +1 @@
+RnJvbSBmNTY5YWVlMTA4N2ZhM2RhOTcxMjk1MmZjMDBkYWE3MmIwMjg0MjRjIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkRhdGU6IFNhdCwgMDcgSmFuIDIwMTcgMTk6MTQ6MjkgKzAxMDAKU3ViamVjdDogW1BBVENIXSBzcGxpY2U6IGludHJvZHVjZSBGTU9ERV9TUExJQ0VfUkVBRCBhbmQgRk1PREVfU1BMSUNFX1dSSVRFCgpJbnRyb2R1Y2UgRk1PREVfU1BMSUNFX1JFQUQgYW5kIEZNT0RFX1NQTElDRV9XUklURS4gVGhlc2UgbW9kZXMgY2hlY2sKd2hldGhlciBpdCBpcyBsZWdhbCB0byByZWFkIG9yIHdyaXRlIGEgZmlsZSB1c2luZyBzcGxpY2UuIEJvdGggZ2V0CmF1dG9tYXRpY2FsbHkgc2V0IG9uIHJlZ3VsYXIgZmlsZXMgYW5kIGFyZSBub3QgY2hlY2tlZCB3aGVuIGEgJ3N0cnVjdApmaWxlb3BlcmF0aW9ucycgaW5jbHVkZXMgdGhlIHNwbGljZV97cmVhZCx3cml0ZX0gbWV0aG9kcy4KCkNoYW5nZS1JZDogSWNlNmEzZmFiMjBiZjBhYzEzMWY4ZDkwOGY0YmIwZjdkYzM0YmY0ZTMKU3VnZ2VzdGVkLWJ5OiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkNjOiBBbCBWaXJvIDx2aXJvQHplbml2LmxpbnV4Lm9yZy51az4KU2lnbmVkLW9mZi1ieTogSm9oYW5uZXMgVGh1bXNoaXJuIDxqdGh1bXNoaXJuQHN1c2UuZGU+Ci0tLQoKZGlmZiAtLWdpdCBhL2ZzL29wZW4uYyBiL2ZzL29wZW4uYwppbmRleCA5YmY3ZmEwLi5lMGUyYTM3IDEwMDY0NAotLS0gYS9mcy9vcGVuLmMKKysrIGIvZnMvb3Blbi5jCkBAIC02ODAsNiArNjgwLDEwIEBACiAJCXJldHVybiAwOwogCX0KIAorCWlmIChTX0lTUkVHKGlub2RlLT5pX21vZGUpKQorCQlmLT5mX21vZGUgfD0gRk1PREVfU1BMSUNFX1dSSVRFIHwgRk1PREVfU1BMSUNFX1JFQUQ7CisKKwogCWYtPmZfb3AgPSBmb3BzX2dldChpbm9kZS0+aV9mb3ApOwogCiAJZXJyb3IgPSBzZWN1cml0eV9maWxlX29wZW4oZiwgY3JlZCk7CmRpZmYgLS1naXQgYS9mcy9zcGxpY2UuYyBiL2ZzL3NwbGljZS5jCmluZGV4IGYxODNmMTMuLjhiYTc4Y2UgMTAwNjQ0Ci0tLSBhL2ZzL3NwbGljZS5jCisrKyBiL2ZzL3NwbGljZS5jCkBAIC0zODEsNiArMzgxLDkgQEAKIAkJaW5kZXgrKzsKIAl9CiAKKwlpZiAodW5saWtlbHkoIShpbi0+Zl9tb2RlICYgRk1PREVfU1BMSUNFX1JFQUQpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAkvKgogCSAqIE5vdyBsb29wIG92ZXIgdGhlIG1hcCBhbmQgc2VlIGlmIHdlIG5lZWQgdG8gc3RhcnQgSU8gb24gYW55CiAJICogcGFnZXMsIGZpbGwgaW4gdGhlIHBhcnRpYWwgbWFwLCBldGMuCkBAIC0xMDg0LDYgKzEwODcsOSBAQAogewogCXNzaXplX3QgcmV0OwogCisJaWYgKHVubGlrZWx5KCEob3V0LT5mX21vZGUgJiBGTU9ERV9TUExJQ0VfV1JJVEUpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlyZXQgPSBzcGxpY2VfZnJvbV9waXBlKHBpcGUsIG91dCwgcHBvcywgbGVuLCBmbGFncywgd3JpdGVfcGlwZV9idWYpOwogCWlmIChyZXQgPiAwKQogCQkqcHBvcyArPSByZXQ7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2ZzLmggYi9pbmNsdWRlL2xpbnV4L2ZzLmgKaW5kZXggZTZmMTE4MC4uNzgzMDBlZiAxMDA2NDQKLS0tIGEvaW5jbHVkZS9saW51eC9mcy5oCisrKyBiL2luY2x1ZGUvbGludXgvZnMuaApAQCAtMTI1LDYgKzEyNSwxMSBAQAogLyogRmlsZSB3YXMgb3BlbmVkIGJ5IGZhbm90aWZ5IGFuZCBzaG91bGRuJ3QgZ2VuZXJhdGUgZmFub3RpZnkgZXZlbnRzICovCiAjZGVmaW5lIEZNT0RFX05PTk9USUZZCQkoKF9fZm9yY2UgZm1vZGVfdCkweDEwMDAwMDApCiAKKy8qIEZpbGUgY2FuIGJlIHJlYWQgdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9SRUFEICAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4ODAwMDAwMCkKKy8qIEZpbGUgY2FuIGJlIHdyaXR0ZW4gdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9XUklURSAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4MTAwMDAwMDApCisKIC8qCiAgKiBGbGFnIGZvciByd19jb3B5X2NoZWNrX3V2ZWN0b3IgYW5kIGNvbXBhdF9yd19jb3B5X2NoZWNrX3V2ZWN0b3IKICAqIHRoYXQgaW5kaWNhdGVzIHRoYXQgdGhleSBzaG91bGQgY2hlY2sgdGhlIGNvbnRlbnRzIG9mIHRoZSBpb3ZlYyBhcmUK

Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch

@@ -0,0 +1,71 @@
+From 741ab25b1f609f4ca11429b99811c4a427c60024 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 07 Jan 2017 19:14:29 +0100
+Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE
+
+Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check
+whether it is legal to read or write a file using splice. Both get
+automatically set on regular files and are not checked when a 'struct
+fileoperations' includes the splice_{read,write} methods.
+
+Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+
+diff --git a/fs/open.c b/fs/open.c
+index 4c28c4f..7512d8a 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -683,6 +683,10 @@
+ 		return f;
+ 	}
+ 
++	if (S_ISREG(inode->i_mode))
++		f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ;
++
++
+ 	f->f_op = fops_get(inode->i_fop);
+ 
+ 	error = security_dentry_open(f, cred);
+diff --git a/fs/splice.c b/fs/splice.c
+index ea85353..bf597dc5 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -376,6 +376,9 @@
+ 		index++;
+ 	}
+ 
++	if (unlikely(!(in->f_mode & FMODE_SPLICE_READ)))
++		return -EINVAL;
++
+ 	/*
+ 	 * Now loop over the map and see if we need to start IO on any
+ 	 * pages, fill in the partial map, etc.
+@@ -1059,6 +1062,9 @@
+ {
+ 	ssize_t ret;
+ 
++	if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE)))
++		return -EINVAL;
++
+ 	ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
+ 	if (ret > 0)
+ 		*ppos += ret;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 0e03633..ef0590d 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -117,6 +117,11 @@
+ /* File was opened by fanotify and shouldn't generate fanotify events */
+ #define FMODE_NONOTIFY		((__force fmode_t)0x1000000)
+ 
++/* File can be read using splice */
++#define FMODE_SPLICE_READ       ((__force fmode_t)0x8000000)
++/* File can be written using splice */
++#define FMODE_SPLICE_WRITE      ((__force fmode_t)0x10000000)
++
+ /*
+  * The below are the various read and write types that we support. Some of
+  * them include behavioral modifiers that send information down to the

Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64

@@ -0,0 +1 @@
+RnJvbSA3NDFhYjI1YjFmNjA5ZjRjYTExNDI5Yjk5ODExYzRhNDI3YzYwMDI0IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkRhdGU6IFNhdCwgMDcgSmFuIDIwMTcgMTk6MTQ6MjkgKzAxMDAKU3ViamVjdDogW1BBVENIXSBzcGxpY2U6IGludHJvZHVjZSBGTU9ERV9TUExJQ0VfUkVBRCBhbmQgRk1PREVfU1BMSUNFX1dSSVRFCgpJbnRyb2R1Y2UgRk1PREVfU1BMSUNFX1JFQUQgYW5kIEZNT0RFX1NQTElDRV9XUklURS4gVGhlc2UgbW9kZXMgY2hlY2sKd2hldGhlciBpdCBpcyBsZWdhbCB0byByZWFkIG9yIHdyaXRlIGEgZmlsZSB1c2luZyBzcGxpY2UuIEJvdGggZ2V0CmF1dG9tYXRpY2FsbHkgc2V0IG9uIHJlZ3VsYXIgZmlsZXMgYW5kIGFyZSBub3QgY2hlY2tlZCB3aGVuIGEgJ3N0cnVjdApmaWxlb3BlcmF0aW9ucycgaW5jbHVkZXMgdGhlIHNwbGljZV97cmVhZCx3cml0ZX0gbWV0aG9kcy4KCkNoYW5nZS1JZDogSWNlNmEzZmFiMjBiZjBhYzEzMWY4ZDkwOGY0YmIwZjdkYzM0YmY0ZTMKU3VnZ2VzdGVkLWJ5OiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CkNjOiBBbCBWaXJvIDx2aXJvQHplbml2LmxpbnV4Lm9yZy51az4KU2lnbmVkLW9mZi1ieTogSm9oYW5uZXMgVGh1bXNoaXJuIDxqdGh1bXNoaXJuQHN1c2UuZGU+Ci0tLQoKZGlmZiAtLWdpdCBhL2ZzL29wZW4uYyBiL2ZzL29wZW4uYwppbmRleCA0YzI4YzRmLi43NTEyZDhhIDEwMDY0NAotLS0gYS9mcy9vcGVuLmMKKysrIGIvZnMvb3Blbi5jCkBAIC02ODMsNiArNjgzLDEwIEBACiAJCXJldHVybiBmOwogCX0KIAorCWlmIChTX0lTUkVHKGlub2RlLT5pX21vZGUpKQorCQlmLT5mX21vZGUgfD0gRk1PREVfU1BMSUNFX1dSSVRFIHwgRk1PREVfU1BMSUNFX1JFQUQ7CisKKwogCWYtPmZfb3AgPSBmb3BzX2dldChpbm9kZS0+aV9mb3ApOwogCiAJZXJyb3IgPSBzZWN1cml0eV9kZW50cnlfb3BlbihmLCBjcmVkKTsKZGlmZiAtLWdpdCBhL2ZzL3NwbGljZS5jIGIvZnMvc3BsaWNlLmMKaW5kZXggZWE4NTM1My4uYmY1OTdkYzUgMTAwNjQ0Ci0tLSBhL2ZzL3NwbGljZS5jCisrKyBiL2ZzL3NwbGljZS5jCkBAIC0zNzYsNiArMzc2LDkgQEAKIAkJaW5kZXgrKzsKIAl9CiAKKwlpZiAodW5saWtlbHkoIShpbi0+Zl9tb2RlICYgRk1PREVfU1BMSUNFX1JFQUQpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAkvKgogCSAqIE5vdyBsb29wIG92ZXIgdGhlIG1hcCBhbmQgc2VlIGlmIHdlIG5lZWQgdG8gc3RhcnQgSU8gb24gYW55CiAJICogcGFnZXMsIGZpbGwgaW4gdGhlIHBhcnRpYWwgbWFwLCBldGMuCkBAIC0xMDU5LDYgKzEwNjIsOSBAQAogewogCXNzaXplX3QgcmV0OwogCisJaWYgKHVubGlrZWx5KCEob3V0LT5mX21vZGUgJiBGTU9ERV9TUExJQ0VfV1JJVEUpKSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlyZXQgPSBzcGxpY2VfZnJvbV9waXBlKHBpcGUsIG91dCwgcHBvcywgbGVuLCBmbGFncywgd3JpdGVfcGlwZV9idWYpOwogCWlmIChyZXQgPiAwKQogCQkqcHBvcyArPSByZXQ7CmRpZmYgLS1naXQgYS9pbmNsdWRlL2xpbnV4L2ZzLmggYi9pbmNsdWRlL2xpbnV4L2ZzLmgKaW5kZXggMGUwMzYzMy4uZWYwNTkwZCAxMDA2NDQKLS0tIGEvaW5jbHVkZS9saW51eC9mcy5oCisrKyBiL2luY2x1ZGUvbGludXgvZnMuaApAQCAtMTE3LDYgKzExNywxMSBAQAogLyogRmlsZSB3YXMgb3BlbmVkIGJ5IGZhbm90aWZ5IGFuZCBzaG91bGRuJ3QgZ2VuZXJhdGUgZmFub3RpZnkgZXZlbnRzICovCiAjZGVmaW5lIEZNT0RFX05PTk9USUZZCQkoKF9fZm9yY2UgZm1vZGVfdCkweDEwMDAwMDApCiAKKy8qIEZpbGUgY2FuIGJlIHJlYWQgdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9SRUFEICAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4ODAwMDAwMCkKKy8qIEZpbGUgY2FuIGJlIHdyaXR0ZW4gdXNpbmcgc3BsaWNlICovCisjZGVmaW5lIEZNT0RFX1NQTElDRV9XUklURSAgICAgICgoX19mb3JjZSBmbW9kZV90KTB4MTAwMDAwMDApCisKIC8qCiAgKiBUaGUgYmVsb3cgYXJlIHRoZSB2YXJpb3VzIHJlYWQgYW5kIHdyaXRlIHR5cGVzIHRoYXQgd2Ugc3VwcG9ydC4gU29tZSBvZgogICogdGhlbSBpbmNsdWRlIGJlaGF2aW9yYWwgbW9kaWZpZXJzIHRoYXQgc2VuZCBpbmZvcm1hdGlvbiBkb3duIHRvIHRoZQo=

Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch

@@ -0,0 +1,383 @@
+From 60ebd48061949405fe6a69aa921d47b40f474a41 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Fri, 06 Jun 2014 07:57:37 -0600
+Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc()
+
+With the optimizations around not clearing the full request at alloc
+time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC
+up to the user allocating the request.
+
+Add a blk_rq_set_block_pc() that sets the command type to
+REQ_TYPE_BLOCK_PC, and properly initializes the members associated
+with this type of request. Update callers to use this function instead
+of manipulating rq->cmd_type directly.
+
+Includes fixes from Christoph Hellwig <hch@lst.de> for my half-assed
+attempt.
+
+Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index bce8d73..7cb3157 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1189,6 +1189,8 @@
+ 	if (unlikely(!rq))
+ 		return ERR_PTR(-ENOMEM);
+ 
++	blk_rq_set_block_pc(rq);
++
+ 	for_each_bio(bio) {
+ 		struct bio *bounce_bio = bio;
+ 		int ret;
+@@ -1206,6 +1208,22 @@
+ EXPORT_SYMBOL(blk_make_request);
+ 
+ /**
++ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC
++ * @rq:		request to be initialized
++ *
++ */
++void blk_rq_set_block_pc(struct request *rq)
++{
++	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	rq->__data_len = 0;
++	rq->__sector = (sector_t) -1;
++	rq->bio = rq->biotail = NULL;
++	memset(rq->__cmd, 0, sizeof(rq->__cmd));
++	rq->cmd = rq->__cmd;
++}
++EXPORT_SYMBOL(blk_rq_set_block_pc);
++
++/**
+  * blk_requeue_request - put a request back on queue
+  * @q:		request queue where request should be inserted
+  * @rq:		request to be inserted
+diff --git a/block/bsg.c b/block/bsg.c
+index 76801e5..0ed26bc 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -196,7 +196,6 @@
+ 	 * fill in request structure
+ 	 */
+ 	rq->cmd_len = hdr->request_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	rq->timeout = msecs_to_jiffies(hdr->timeout);
+ 	if (!rq->timeout)
+@@ -273,6 +272,8 @@
+ 	rq = blk_get_request(q, rw, GFP_KERNEL);
+ 	if (!rq)
+ 		return ERR_PTR(-ENOMEM);
++	blk_rq_set_block_pc(rq);
++
+ 	ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
+ 	if (ret)
+ 		goto out;
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 1b4988b..ddbcae2 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -233,7 +233,6 @@
+ 	 * fill in request structure
+ 	 */
+ 	rq->cmd_len = hdr->cmd_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	rq->timeout = msecs_to_jiffies(hdr->timeout);
+ 	if (!rq->timeout)
+@@ -314,6 +313,7 @@
+ 	rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
+ 	if (!rq)
+ 		return -ENOMEM;
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
+ 		blk_put_request(rq);
+@@ -512,7 +512,7 @@
+ 	memset(sense, 0, sizeof(sense));
+ 	rq->sense = sense;
+ 	rq->sense_len = 0;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(rq);
+ 
+ 	blk_execute_rq(q, disk, rq, 0);
+ 
+@@ -544,7 +544,7 @@
+ 	int err;
+ 
+ 	rq = blk_get_request(q, WRITE, __GFP_WAIT);
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(rq);
+ 	rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
+ 	rq->cmd[0] = cmd;
+ 	rq->cmd[4] = data;
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index f5d0ea1..caddb5d 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -712,6 +712,7 @@
+ 
+ 	rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
+ 			     WRITE : READ, __GFP_WAIT);
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (cgc->buflen) {
+ 		if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
+@@ -722,7 +723,6 @@
+ 	memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE);
+ 
+ 	rq->timeout = 60*HZ;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	if (cgc->quiet)
+ 		rq->cmd_flags |= REQ_QUIET;
+ 
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 8a3aff7..1ca0772 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2165,6 +2165,7 @@
+ 			ret = -ENOMEM;
+ 			break;
+ 		}
++		blk_rq_set_block_pc(rq);
+ 
+ 		ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
+ 		if (ret) {
+@@ -2184,7 +2185,6 @@
+ 		rq->cmd[9] = 0xf8;
+ 
+ 		rq->cmd_len = 12;
+-		rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 		rq->timeout = 60 * HZ;
+ 		bio = rq->bio;
+ 
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 68adb89..28bf7fb 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -120,6 +120,7 @@
+ 			    "%s: blk_get_request failed\n", __func__);
+ 		return NULL;
+ 	}
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+ 		blk_put_request(rq);
+@@ -128,7 +129,6 @@
+ 		return NULL;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->retries = ALUA_FAILOVER_RETRIES;
+diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c
+index e1c8be0..6f07f7f 100644
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c
+@@ -280,6 +280,7 @@
+ 		return NULL;
+ 	}
+ 
++	blk_rq_set_block_pc(rq);
+ 	rq->cmd_len = COMMAND_SIZE(cmd);
+ 	rq->cmd[0] = cmd;
+ 
+@@ -304,7 +305,6 @@
+ 		break;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->timeout = CLARIION_TIMEOUT;
+diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+index 084062b..e9d9fea 100644
+--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c
++++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+@@ -120,7 +120,7 @@
+ 	if (!req)
+ 		return SCSI_DH_RES_TEMP_UNAVAIL;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			  REQ_FAILFAST_DRIVER;
+ 	req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY);
+@@ -250,7 +250,7 @@
+ 	if (!req)
+ 		return SCSI_DH_RES_TEMP_UNAVAIL;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			  REQ_FAILFAST_DRIVER;
+ 	req->cmd_len = COMMAND_SIZE(START_STOP);
+diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
+index 69c915a..3916c31 100644
+--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
+@@ -279,6 +279,7 @@
+ 				"get_rdac_req: blk_get_request failed.\n");
+ 		return NULL;
+ 	}
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+ 		blk_put_request(rq);
+@@ -287,7 +288,6 @@
+ 		return NULL;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->retries = RDAC_RETRIES;
+diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
+index aa66361..11bd87e 100644
+--- a/drivers/scsi/osd/osd_initiator.c
++++ b/drivers/scsi/osd/osd_initiator.c
+@@ -1570,6 +1570,7 @@
+ 		if (unlikely(!req))
+ 			return ERR_PTR(-ENOMEM);
+ 
++		blk_rq_set_block_pc(req);
+ 		return req;
+ 	}
+ }
+@@ -1590,7 +1591,6 @@
+ 	}
+ 
+ 	or->request = req;
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	req->timeout = or->timeout;
+@@ -1608,7 +1608,7 @@
+ 				ret = PTR_ERR(req);
+ 				goto out;
+ 			}
+-			req->cmd_type = REQ_TYPE_BLOCK_PC;
++			blk_rq_set_block_pc(req);
+ 			or->in.req = or->request->next_rq = req;
+ 		}
+ 	} else if (has_in)
+diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c
+index 21883a2..0727ea7 100644
+--- a/drivers/scsi/osst.c
++++ b/drivers/scsi/osst.c
+@@ -365,7 +365,7 @@
+ 	if (!req)
+ 		return DRIVER_ERROR << 24;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	SRpnt->bio = NULL;
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 3668b1b..c1e4a74 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1653,6 +1653,8 @@
+ 	 */
+ 	req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
+ 
++	blk_rq_set_block_pc(req);
++
+ 	req->cmd[0] = ALLOW_MEDIUM_REMOVAL;
+ 	req->cmd[1] = 0;
+ 	req->cmd[2] = 0;
+@@ -1662,7 +1664,6 @@
+ 
+ 	req->cmd_len = COMMAND_SIZE(req->cmd[0]);
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= REQ_QUIET;
+ 	req->timeout = 10 * HZ;
+ 	req->retries = 5;
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 9f3168e..49076d1 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -238,6 +238,7 @@
+ 	req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
+ 	if (!req)
+ 		return ret;
++	blk_rq_set_block_pc(req);
+ 
+ 	if (bufflen &&	blk_rq_map_kern(sdev->request_queue, req,
+ 					buffer, bufflen, __GFP_WAIT))
+@@ -249,7 +250,6 @@
+ 	req->sense_len = 0;
+ 	req->retries = retries;
+ 	req->timeout = timeout;
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT;
+ 
+ 	/*
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index e059ad4..5170506 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1656,10 +1656,9 @@
+ 	if (!rq)
+ 		return -ENOMEM;
+ 
++	blk_rq_set_block_pc(rq);
+ 	memcpy(rq->cmd, cmd, hp->cmd_len);
+-
+ 	rq->cmd_len = hp->cmd_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	srp->rq = rq;
+ 	rq->end_io_data = srp;
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 2a32036..7d74f83 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -484,7 +484,7 @@
+ 	if (!req)
+ 		return DRIVER_ERROR << 24;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	mdata->null_mapped = 1;
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 244776b..dff91ee 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -1059,6 +1059,8 @@
+ 			ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ 			goto fail;
+ 		}
++
++		blk_rq_set_block_pc(req);
+ 	} else {
+ 		BUG_ON(!cmd->data_length);
+ 
+@@ -1075,7 +1077,6 @@
+ 		}
+ 	}
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->end_io = pscsi_req_done;
+ 	req->end_io_data = cmd;
+ 	req->cmd_len = scsi_command_size(pt->pscsi_cdb);
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index e9b04cd..cce84e5 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -742,6 +742,7 @@
+ extern struct request *blk_get_request(struct request_queue *, int, gfp_t);
+ extern struct request *blk_make_request(struct request_queue *, struct bio *,
+ 					gfp_t);
++extern void blk_rq_set_block_pc(struct request *);
+ extern void blk_requeue_request(struct request_queue *, struct request *);
+ extern int blk_reinsert_request(struct request_queue *q, struct request *rq);
+ extern bool blk_reinsert_req_sup(struct request_queue *q);

Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch

@@ -0,0 +1,263 @@
+From 2c5b488b49d92c02ac28f45e68f366c6a51a8949 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Tue, 03 Jun 2014 13:18:18 -0400
+Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction
+
+ - remove the 16 byte CDB (SCSI command) length limit from the sg driver
+   by handling longer CDBs the same way as the bsg driver. Remove comment
+   from sg.h public interface about the cmd_len field being limited to 16
+   bytes.
+ - remove some dead code caused by this change
+ - cleanup comment block at the top of sg.h, fix urls
+
+Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 5170506..96d635e 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -7,9 +7,7 @@
+  * Original driver (sg.c):
+  *        Copyright (C) 1992 Lawrence Foard
+  * Version 2 and 3 extensions to driver:
+- *        Copyright (C) 1998 - 2005 Douglas Gilbert
+- *
+- *  Modified  19-JAN-1998  Richard Gooch <rgooch@atnf.csiro.au>  Devfs support
++ *        Copyright (C) 1998 - 2014 Douglas Gilbert
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -18,11 +16,11 @@
+  *
+  */
+ 
+-static int sg_version_num = 30534;	/* 2 digits for each component */
+-#define SG_VERSION_STR "3.5.34"
++static int sg_version_num = 30536;	/* 2 digits for each component */
++#define SG_VERSION_STR "3.5.36"
+ 
+ /*
+- *  D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes:
++ *  D. P. Gilbert (dgilbert@interlog.com), notes:
+  *      - scsi logging is available via SCSI_LOG_TIMEOUT macros. First
+  *        the kernel/module needs to be built with CONFIG_SCSI_LOGGING
+  *        (otherwise the macros compile to empty statements).
+@@ -64,7 +62,7 @@
+ 
+ #ifdef CONFIG_SCSI_PROC_FS
+ #include <linux/proc_fs.h>
+-static char *sg_version_date = "20061027";
++static char *sg_version_date = "20140603";
+ 
+ static int sg_proc_init(void);
+ static void sg_proc_cleanup(void);
+@@ -73,6 +71,12 @@
+ #define SG_ALLOW_DIO_DEF 0
+ 
+ #define SG_MAX_DEVS 32768
++
++/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type
++ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater
++ * than 16 bytes are "variable length" whose length is a multiple of 4
++ */
++#define SG_MAX_CDB_SIZE 252
+ 
+ /*
+  * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d)
+@@ -161,7 +165,7 @@
+ 	char low_dma;		/* as in parent but possibly overridden to 1 */
+ 	char force_packid;	/* 1 -> pack_id input to read(), 0 -> ignored */
+ 	char cmd_q;		/* 1 -> allow command queuing, 0 -> don't */
+-	char next_cmd_len;	/* 0 -> automatic (def), >0 -> use on next write() */
++	unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
+ 	char keep_orphan;	/* 0 -> drop orphan (def), 1 -> keep for read() */
+ 	char mmap_called;	/* 0 -> mmap() never called on this fd */
+ 	struct kref f_ref;
+@@ -566,7 +570,7 @@
+ 	Sg_request *srp;
+ 	struct sg_header old_hdr;
+ 	sg_io_hdr_t *hp;
+-	unsigned char cmnd[MAX_COMMAND_SIZE];
++	unsigned char cmnd[SG_MAX_CDB_SIZE];
+ 
+ 	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ 		return -EINVAL;
+@@ -601,12 +605,6 @@
+ 	buf += SZ_SG_HEADER;
+ 	__get_user(opcode, buf);
+ 	if (sfp->next_cmd_len > 0) {
+-		if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
+-			SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n"));
+-			sfp->next_cmd_len = 0;
+-			sg_remove_request(sfp, srp);
+-			return -EIO;
+-		}
+ 		cmd_size = sfp->next_cmd_len;
+ 		sfp->next_cmd_len = 0;	/* reset so only this write() effected */
+ 	} else {
+@@ -678,7 +676,7 @@
+ 	int k;
+ 	Sg_request *srp;
+ 	sg_io_hdr_t *hp;
+-	unsigned char cmnd[MAX_COMMAND_SIZE];
++	unsigned char cmnd[SG_MAX_CDB_SIZE];
+ 	int timeout;
+ 	unsigned long ul_timeout;
+ 
+@@ -1648,15 +1646,27 @@
+ 	struct request_queue *q = sfp->parentdp->device->request_queue;
+ 	struct rq_map_data *md, map_data;
+ 	int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ;
++	unsigned char *long_cmdp = NULL;
+ 
+ 	SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n",
+ 				   dxfer_len));
+ 
++	if (hp->cmd_len > BLK_MAX_CDB) {
++		long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL);
++		if (!long_cmdp)
++			return -ENOMEM;
++	}
++
+ 	rq = blk_get_request(q, rw, GFP_ATOMIC);
+-	if (!rq)
++	if (!rq) {
++		kfree(long_cmdp);
+ 		return -ENOMEM;
++	}
+ 
+ 	blk_rq_set_block_pc(rq);
++
++	if (hp->cmd_len > BLK_MAX_CDB)
++		rq->cmd = long_cmdp;
+ 	memcpy(rq->cmd, cmd, hp->cmd_len);
+ 	rq->cmd_len = hp->cmd_len;
+ 
+@@ -1741,6 +1751,8 @@
+ 		if (srp->bio)
+ 			ret = blk_rq_unmap_user(srp->bio);
+ 
++		if (srp->rq->cmd != srp->rq->__cmd)
++			kfree(srp->rq->cmd);
+ 		blk_put_request(srp->rq);
+ 	}
+ 
+diff --git a/include/uapi/scsi/sg.h b/include/uapi/scsi/sg.h
+index a9f3c6f..d8c0c43 100644
+--- a/include/uapi/scsi/sg.h
++++ b/include/uapi/scsi/sg.h
+@@ -4,77 +4,34 @@
+ #include <linux/compiler.h>
+ 
+ /*
+-   History:
+-    Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
+-     process control of SCSI devices.
+-    Development Sponsored by Killy Corp. NY NY
+-Original driver (sg.h):
+-*       Copyright (C) 1992 Lawrence Foard
+-Version 2 and 3 extensions to driver:
+-*       Copyright (C) 1998 - 2006 Douglas Gilbert
+-
+-    Version: 3.5.34 (20060920)
+-    This version is for 2.6 series kernels.
+-
+-    For a full changelog see http://www.torque.net/sg
+-
+-Map of SG verions to the Linux kernels in which they appear:
+-       ----------        ----------------------------------
+-       original          all kernels < 2.2.6
+-       2.1.40            2.2.20
+-       3.0.x             optional version 3 sg driver for 2.2 series
+-       3.1.17++          2.4.0++
+-       3.5.30++          2.6.0++
+-
+-Major new features in SG 3.x driver (cf SG 2.x drivers)
+-	- SG_IO ioctl() combines function if write() and read()
+-	- new interface (sg_io_hdr_t) but still supports old interface
+-	- scatter/gather in user space, direct IO, and mmap supported
+-
+- The normal action of this driver is to use the adapter (HBA) driver to DMA
+- data into kernel buffers and then use the CPU to copy the data into the 
+- user space (vice versa for writes). That is called "indirect" IO due to 
+- the double handling of data. There are two methods offered to remove the
+- redundant copy: 1) direct IO and 2) using the mmap() system call to map
+- the reserve buffer (this driver has one reserve buffer per fd) into the
+- user space. Both have their advantages.
+- In terms of absolute speed mmap() is faster. If speed is not a concern, 
+- indirect IO should be fine. Read the documentation for more information.
+-
+- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or
+-         'echo 1 > /sys/module/sg/parameters/allow_dio' is needed.
+-         That attribute is 0 by default. **
+- 
+- Historical note: this SCSI pass-through driver has been known as "sg" for 
+- a decade. In broader kernel discussions "sg" is used to refer to scatter
+- gather techniques. The context should clarify which "sg" is referred to.
+-
+- Documentation
+- =============
+- A web site for the SG device driver can be found at:
+-	http://www.torque.net/sg  [alternatively check the MAINTAINERS file]
+- The documentation for the sg version 3 driver can be found at:
+- 	http://www.torque.net/sg/p/sg_v3_ho.html
+- This is a rendering from DocBook source [change the extension to "sgml"
+- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon).
+- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer).
+- For more information see http://www.torque.net/sg/sg_io.html
+-
+- The older, version 2 documents discuss the original sg interface in detail:
+-	http://www.torque.net/sg/p/scsi-generic.txt
+-	http://www.torque.net/sg/p/scsi-generic_long.txt
+- Also available: <kernel_source>/Documentation/scsi/scsi-generic.txt
+-
+- Utility and test programs are available at the sg web site. They are 
+- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils
+- (for the lk 2.2 series).
+-*/
++ * History:
++ *  Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
++ *   process control of SCSI devices.
++ *  Development Sponsored by Killy Corp. NY NY
++ *
++ * Original driver (sg.h):
++ *       Copyright (C) 1992 Lawrence Foard
++ * Version 2 and 3 extensions to driver:
++ *	Copyright (C) 1998 - 2014 Douglas Gilbert
++ *
++ *  Version: 3.5.36 (20140603)
++ *  This version is for 2.6 and 3 series kernels.
++ *
++ * Documentation
++ * =============
++ * A web site for the SG device driver can be found at:
++ *	http://sg.danny.cz/sg  [alternatively check the MAINTAINERS file]
++ * The documentation for the sg version 3 driver can be found at:
++ *	http://sg.danny.cz/sg/p/sg_v3_ho.html
++ * Also see: <kernel_source>/Documentation/scsi/scsi-generic.txt
++ *
++ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html
++ */
+ 
+ #ifdef __KERNEL__
+ extern int sg_big_buff; /* for sysctl */
+ #endif
+ 
+-/* New interface introduced in the 3.x SG drivers follows */
+ 
+ typedef struct sg_iovec /* same structure as used by readv() Linux system */
+ {                       /* call. It defines one scatter-gather element. */
+@@ -87,7 +44,7 @@
+ {
+     int interface_id;           /* [i] 'S' for SCSI generic (required) */
+     int dxfer_direction;        /* [i] data transfer direction  */
+-    unsigned char cmd_len;      /* [i] SCSI command length ( <= 16 bytes) */
++    unsigned char cmd_len;      /* [i] SCSI command length */
+     unsigned char mx_sb_len;    /* [i] max length to write to sbp */
+     unsigned short iovec_count; /* [i] 0 implies no scatter gather */
+     unsigned int dxfer_len;     /* [i] byte count of data transfer */

Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch

@@ -0,0 +1,29 @@
+From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 96d635e..4a6b13b 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -978,6 +978,8 @@
+ 		result = get_user(val, ip);
+ 		if (result)
+ 			return result;
++		if (val > SG_MAX_CDB_SIZE)
++			return -ENOMEM;
+ 		sfp->next_cmd_len = (val > 0) ? val : 0;
+ 		return 0;
+ 	case SG_GET_VERSION_NUM:

Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64

@@ -0,0 +1 @@
+RnJvbSAwYmY1ZGM5OTNjZjZiZTFiMWRkNzE2ZmIwNWMxZmE4NDYyMzA5M2U1IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBwZXRlciBjaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkRhdGU6IFdlZCwgMTUgRmViIDIwMTcgMTQ6MTE6NTQgLTA4MDAKU3ViamVjdDogW1BBVENIXSBzY3NpOiBzZzogY2hlY2sgbGVuZ3RoIHBhc3NlZCB0byBTR19ORVhUX0NNRF9MRU4KClRoZSB1c2VyIGNhbiBjb250cm9sIHRoZSBzaXplIG9mIHRoZSBuZXh0IGNvbW1hbmQgcGFzc2VkIGFsb25nLCBidXQgdGhlCnZhbHVlIHBhc3NlZCB0byB0aGUgaW9jdGwgaXNuJ3QgY2hlY2tlZCBhZ2FpbnN0IHRoZSB1c2FibGUgbWF4IGNvbW1hbmQKc2l6ZS4KCkNoYW5nZS1JZDogSTllOGViOGNhMDU4YzAxMDNhMjJmNWQ5OWQ3NzkxOTQzMjg5M2FhNGMKQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgpTaWduZWQtb2ZmLWJ5OiBQZXRlciBDaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KU2lnbmVkLW9mZi1ieTogTWFydGluIEsuIFBldGVyc2VuIDxtYXJ0aW4ucGV0ZXJzZW5Ab3JhY2xlLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA5NmQ2MzVlLi40YTZiMTNiIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtOTc4LDYgKzk3OCw4IEBACiAJCXJlc3VsdCA9IGdldF91c2VyKHZhbCwgaXApOwogCQlpZiAocmVzdWx0KQogCQkJcmV0dXJuIHJlc3VsdDsKKwkJaWYgKHZhbCA+IFNHX01BWF9DREJfU0laRSkKKwkJCXJldHVybiAtRU5PTUVNOwogCQlzZnAtPm5leHRfY21kX2xlbiA9ICh2YWwgPiAwKSA/IHZhbCA6IDA7CiAJCXJldHVybiAwOwogCWNhc2UgU0dfR0VUX1ZFUlNJT05fTlVNOgo=

Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch

@@ -0,0 +1,383 @@
+From 1f0843591703c3d664a236e2d3a7a855fa9451d6 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Fri, 06 Jun 2014 07:57:37 -0600
+Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc()
+
+With the optimizations around not clearing the full request at alloc
+time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC
+up to the user allocating the request.
+
+Add a blk_rq_set_block_pc() that sets the command type to
+REQ_TYPE_BLOCK_PC, and properly initializes the members associated
+with this type of request. Update callers to use this function instead
+of manipulating rq->cmd_type directly.
+
+Includes fixes from Christoph Hellwig <hch@lst.de> for my half-assed
+attempt.
+
+Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index eb0ec60..c7f7637 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1043,6 +1043,8 @@
+ 	if (unlikely(!rq))
+ 		return ERR_PTR(-ENOMEM);
+ 
++	blk_rq_set_block_pc(rq);
++
+ 	for_each_bio(bio) {
+ 		struct bio *bounce_bio = bio;
+ 		int ret;
+@@ -1060,6 +1062,22 @@
+ EXPORT_SYMBOL(blk_make_request);
+ 
+ /**
++ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC
++ * @rq:		request to be initialized
++ *
++ */
++void blk_rq_set_block_pc(struct request *rq)
++{
++	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	rq->__data_len = 0;
++	rq->__sector = (sector_t) -1;
++	rq->bio = rq->biotail = NULL;
++	memset(rq->__cmd, 0, sizeof(rq->__cmd));
++	rq->cmd = rq->__cmd;
++}
++EXPORT_SYMBOL(blk_rq_set_block_pc);
++
++/**
+  * blk_requeue_request - put a request back on queue
+  * @q:		request queue where request should be inserted
+  * @rq:		request to be inserted
+diff --git a/block/bsg.c b/block/bsg.c
+index b1c1d54..8c750d5 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -196,7 +196,6 @@
+ 	 * fill in request structure
+ 	 */
+ 	rq->cmd_len = hdr->request_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	rq->timeout = msecs_to_jiffies(hdr->timeout);
+ 	if (!rq->timeout)
+@@ -273,6 +272,8 @@
+ 	rq = blk_get_request(q, rw, GFP_KERNEL);
+ 	if (!rq)
+ 		return ERR_PTR(-ENOMEM);
++	blk_rq_set_block_pc(rq);
++
+ 	ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
+ 	if (ret)
+ 		goto out;
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 260fa80..4118a81 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -232,7 +232,6 @@
+ 	 * fill in request structure
+ 	 */
+ 	rq->cmd_len = hdr->cmd_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	rq->timeout = msecs_to_jiffies(hdr->timeout);
+ 	if (!rq->timeout)
+@@ -313,6 +312,7 @@
+ 	rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
+ 	if (!rq)
+ 		return -ENOMEM;
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
+ 		blk_put_request(rq);
+@@ -511,7 +511,7 @@
+ 	memset(sense, 0, sizeof(sense));
+ 	rq->sense = sense;
+ 	rq->sense_len = 0;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(rq);
+ 
+ 	blk_execute_rq(q, disk, rq, 0);
+ 
+@@ -544,7 +544,7 @@
+ 	int err;
+ 
+ 	rq = blk_get_request(q, WRITE, __GFP_WAIT);
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(rq);
+ 	rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
+ 	rq->cmd[0] = cmd;
+ 	rq->cmd[4] = data;
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index ba66e44..39ffe9c 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -742,6 +742,7 @@
+ 
+ 	rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
+ 			     WRITE : READ, __GFP_WAIT);
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (cgc->buflen) {
+ 		if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
+@@ -752,7 +753,6 @@
+ 	memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE);
+ 
+ 	rq->timeout = 60*HZ;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	if (cgc->quiet)
+ 		rq->cmd_flags |= REQ_QUIET;
+ 
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..7ab528d 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2165,6 +2165,7 @@
+ 			ret = -ENOMEM;
+ 			break;
+ 		}
++		blk_rq_set_block_pc(rq);
+ 
+ 		ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
+ 		if (ret) {
+@@ -2184,7 +2185,6 @@
+ 		rq->cmd[9] = 0xf8;
+ 
+ 		rq->cmd_len = 12;
+-		rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 		rq->timeout = 60 * HZ;
+ 		bio = rq->bio;
+ 
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 04c5cea..36fb68c 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -111,6 +111,7 @@
+ 			    "%s: blk_get_request failed\n", __func__);
+ 		return NULL;
+ 	}
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+ 		blk_put_request(rq);
+@@ -119,7 +120,6 @@
+ 		return NULL;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->retries = ALUA_FAILOVER_RETRIES;
+diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c
+index e1c8be0..6f07f7f 100644
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c
+@@ -280,6 +280,7 @@
+ 		return NULL;
+ 	}
+ 
++	blk_rq_set_block_pc(rq);
+ 	rq->cmd_len = COMMAND_SIZE(cmd);
+ 	rq->cmd[0] = cmd;
+ 
+@@ -304,7 +305,6 @@
+ 		break;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->timeout = CLARIION_TIMEOUT;
+diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+index 084062b..e9d9fea 100644
+--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c
++++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+@@ -120,7 +120,7 @@
+ 	if (!req)
+ 		return SCSI_DH_RES_TEMP_UNAVAIL;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			  REQ_FAILFAST_DRIVER;
+ 	req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY);
+@@ -250,7 +250,7 @@
+ 	if (!req)
+ 		return SCSI_DH_RES_TEMP_UNAVAIL;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			  REQ_FAILFAST_DRIVER;
+ 	req->cmd_len = COMMAND_SIZE(START_STOP);
+diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
+index 20c4557..0439652 100644
+--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
+@@ -279,6 +279,7 @@
+ 				"get_rdac_req: blk_get_request failed.\n");
+ 		return NULL;
+ 	}
++	blk_rq_set_block_pc(rq);
+ 
+ 	if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+ 		blk_put_request(rq);
+@@ -287,7 +288,6 @@
+ 		return NULL;
+ 	}
+ 
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+ 			 REQ_FAILFAST_DRIVER;
+ 	rq->retries = RDAC_RETRIES;
+diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
+index c06b8e5..9ad3ac7 100644
+--- a/drivers/scsi/osd/osd_initiator.c
++++ b/drivers/scsi/osd/osd_initiator.c
+@@ -1566,6 +1566,7 @@
+ 		if (unlikely(!req))
+ 			return ERR_PTR(-ENOMEM);
+ 
++		blk_rq_set_block_pc(req);
+ 		return req;
+ 	}
+ }
+@@ -1586,7 +1587,6 @@
+ 	}
+ 
+ 	or->request = req;
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	req->timeout = or->timeout;
+@@ -1604,7 +1604,7 @@
+ 				ret = PTR_ERR(req);
+ 				goto out;
+ 			}
+-			req->cmd_type = REQ_TYPE_BLOCK_PC;
++			blk_rq_set_block_pc(req);
+ 			or->in.req = or->request->next_rq = req;
+ 		}
+ 	} else if (has_in)
+diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c
+index 21883a2..0727ea7 100644
+--- a/drivers/scsi/osst.c
++++ b/drivers/scsi/osst.c
+@@ -365,7 +365,7 @@
+ 	if (!req)
+ 		return DRIVER_ERROR << 24;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	SRpnt->bio = NULL;
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 386f0c5..d4c31d4 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1624,6 +1624,8 @@
+ 	 */
+ 	req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
+ 
++	blk_rq_set_block_pc(req);
++
+ 	req->cmd[0] = ALLOW_MEDIUM_REMOVAL;
+ 	req->cmd[1] = 0;
+ 	req->cmd[2] = 0;
+@@ -1633,7 +1635,6 @@
+ 
+ 	req->cmd_len = COMMAND_SIZE(req->cmd[0]);
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= REQ_QUIET;
+ 	req->timeout = 10 * HZ;
+ 	req->retries = 5;
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 5dfd749..725b405 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -217,6 +217,7 @@
+ 	req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
+ 	if (!req)
+ 		return ret;
++	blk_rq_set_block_pc(req);
+ 
+ 	if (bufflen &&	blk_rq_map_kern(sdev->request_queue, req,
+ 					buffer, bufflen, __GFP_WAIT))
+@@ -228,7 +229,6 @@
+ 	req->sense_len = 0;
+ 	req->retries = retries;
+ 	req->timeout = timeout;
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT;
+ 
+ 	/*
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 3ec5b33..216d31f 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1655,10 +1655,9 @@
+ 	if (!rq)
+ 		return -ENOMEM;
+ 
++	blk_rq_set_block_pc(rq);
+ 	memcpy(rq->cmd, cmd, hp->cmd_len);
+-
+ 	rq->cmd_len = hp->cmd_len;
+-	rq->cmd_type = REQ_TYPE_BLOCK_PC;
+ 
+ 	srp->rq = rq;
+ 	rq->end_io_data = srp;
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index e41998c..08ad530 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -488,7 +488,7 @@
+ 	if (!req)
+ 		return DRIVER_ERROR << 24;
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
++	blk_rq_set_block_pc(req);
+ 	req->cmd_flags |= REQ_QUIET;
+ 
+ 	mdata->null_mapped = 1;
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 94c905f..d28f8d1 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -1083,6 +1083,8 @@
+ 				TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ 			return -ENODEV;
+ 		}
++
++		blk_rq_set_block_pc(req);
+ 	} else {
+ 		BUG_ON(!task->task_size);
+ 
+@@ -1104,7 +1106,6 @@
+ 		}
+ 	}
+ 
+-	req->cmd_type = REQ_TYPE_BLOCK_PC;
+ 	req->end_io = pscsi_req_done;
+ 	req->end_io_data = task;
+ 	req->cmd_len = scsi_command_size(pt->pscsi_cdb);
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 21dc2aa..f37d1f0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -675,6 +675,7 @@
+ extern struct request *blk_get_request(struct request_queue *, int, gfp_t);
+ extern struct request *blk_make_request(struct request_queue *, struct bio *,
+ 					gfp_t);
++extern void blk_rq_set_block_pc(struct request *);
+ extern void blk_requeue_request(struct request_queue *, struct request *);
+ extern int blk_reinsert_request(struct request_queue *q, struct request *rq);
+ extern bool blk_reinsert_req_sup(struct request_queue *q);

Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch

@@ -0,0 +1,263 @@
+From 8093bf02878aa659cfcf8cbfc272b2ad45eef24f Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Tue, 03 Jun 2014 13:18:18 -0400
+Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction
+
+ - remove the 16 byte CDB (SCSI command) length limit from the sg driver
+   by handling longer CDBs the same way as the bsg driver. Remove comment
+   from sg.h public interface about the cmd_len field being limited to 16
+   bytes.
+ - remove some dead code caused by this change
+ - cleanup comment block at the top of sg.h, fix urls
+
+Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 216d31f..56178bc 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -7,9 +7,7 @@
+  * Original driver (sg.c):
+  *        Copyright (C) 1992 Lawrence Foard
+  * Version 2 and 3 extensions to driver:
+- *        Copyright (C) 1998 - 2005 Douglas Gilbert
+- *
+- *  Modified  19-JAN-1998  Richard Gooch <rgooch@atnf.csiro.au>  Devfs support
++ *        Copyright (C) 1998 - 2014 Douglas Gilbert
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -18,11 +16,11 @@
+  *
+  */
+ 
+-static int sg_version_num = 30534;	/* 2 digits for each component */
+-#define SG_VERSION_STR "3.5.34"
++static int sg_version_num = 30536;	/* 2 digits for each component */
++#define SG_VERSION_STR "3.5.36"
+ 
+ /*
+- *  D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes:
++ *  D. P. Gilbert (dgilbert@interlog.com), notes:
+  *      - scsi logging is available via SCSI_LOG_TIMEOUT macros. First
+  *        the kernel/module needs to be built with CONFIG_SCSI_LOGGING
+  *        (otherwise the macros compile to empty statements).
+@@ -63,7 +61,7 @@
+ 
+ #ifdef CONFIG_SCSI_PROC_FS
+ #include <linux/proc_fs.h>
+-static char *sg_version_date = "20061027";
++static char *sg_version_date = "20140603";
+ 
+ static int sg_proc_init(void);
+ static void sg_proc_cleanup(void);
+@@ -72,6 +70,12 @@
+ #define SG_ALLOW_DIO_DEF 0
+ 
+ #define SG_MAX_DEVS 32768
++
++/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type
++ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater
++ * than 16 bytes are "variable length" whose length is a multiple of 4
++ */
++#define SG_MAX_CDB_SIZE 252
+ 
+ /*
+  * Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d)
+@@ -159,7 +163,7 @@
+ 	char force_packid;	/* 1 -> pack_id input to read(), 0 -> ignored */
+ 	volatile char closed;	/* 1 -> fd closed but request(s) outstanding */
+ 	char cmd_q;		/* 1 -> allow command queuing, 0 -> don't */
+-	char next_cmd_len;	/* 0 -> automatic (def), >0 -> use on next write() */
++	unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
+ 	char keep_orphan;	/* 0 -> drop orphan (def), 1 -> keep for read() */
+ 	char mmap_called;	/* 0 -> mmap() never called on this fd */
+ 	struct kref f_ref;
+@@ -542,7 +546,7 @@
+ 	Sg_request *srp;
+ 	struct sg_header old_hdr;
+ 	sg_io_hdr_t *hp;
+-	unsigned char cmnd[MAX_COMMAND_SIZE];
++	unsigned char cmnd[SG_MAX_CDB_SIZE];
+ 
+ 	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ 		return -EINVAL;
+@@ -577,12 +581,6 @@
+ 	buf += SZ_SG_HEADER;
+ 	__get_user(opcode, buf);
+ 	if (sfp->next_cmd_len > 0) {
+-		if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
+-			SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n"));
+-			sfp->next_cmd_len = 0;
+-			sg_remove_request(sfp, srp);
+-			return -EIO;
+-		}
+ 		cmd_size = sfp->next_cmd_len;
+ 		sfp->next_cmd_len = 0;	/* reset so only this write() effected */
+ 	} else {
+@@ -654,7 +652,7 @@
+ 	int k;
+ 	Sg_request *srp;
+ 	sg_io_hdr_t *hp;
+-	unsigned char cmnd[MAX_COMMAND_SIZE];
++	unsigned char cmnd[SG_MAX_CDB_SIZE];
+ 	int timeout;
+ 	unsigned long ul_timeout;
+ 
+@@ -1647,15 +1645,27 @@
+ 	struct request_queue *q = sfp->parentdp->device->request_queue;
+ 	struct rq_map_data *md, map_data;
+ 	int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ;
++	unsigned char *long_cmdp = NULL;
+ 
+ 	SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n",
+ 				   dxfer_len));
+ 
++	if (hp->cmd_len > BLK_MAX_CDB) {
++		long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL);
++		if (!long_cmdp)
++			return -ENOMEM;
++	}
++
+ 	rq = blk_get_request(q, rw, GFP_ATOMIC);
+-	if (!rq)
++	if (!rq) {
++		kfree(long_cmdp);
+ 		return -ENOMEM;
++	}
+ 
+ 	blk_rq_set_block_pc(rq);
++
++	if (hp->cmd_len > BLK_MAX_CDB)
++		rq->cmd = long_cmdp;
+ 	memcpy(rq->cmd, cmd, hp->cmd_len);
+ 	rq->cmd_len = hp->cmd_len;
+ 
+@@ -1740,6 +1750,8 @@
+ 		if (srp->bio)
+ 			ret = blk_rq_unmap_user(srp->bio);
+ 
++		if (srp->rq->cmd != srp->rq->__cmd)
++			kfree(srp->rq->cmd);
+ 		blk_put_request(srp->rq);
+ 	}
+ 
+diff --git a/include/scsi/sg.h b/include/scsi/sg.h
+index a9f3c6f..d8c0c43 100644
+--- a/include/scsi/sg.h
++++ b/include/scsi/sg.h
+@@ -4,77 +4,34 @@
+ #include <linux/compiler.h>
+ 
+ /*
+-   History:
+-    Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
+-     process control of SCSI devices.
+-    Development Sponsored by Killy Corp. NY NY
+-Original driver (sg.h):
+-*       Copyright (C) 1992 Lawrence Foard
+-Version 2 and 3 extensions to driver:
+-*       Copyright (C) 1998 - 2006 Douglas Gilbert
+-
+-    Version: 3.5.34 (20060920)
+-    This version is for 2.6 series kernels.
+-
+-    For a full changelog see http://www.torque.net/sg
+-
+-Map of SG verions to the Linux kernels in which they appear:
+-       ----------        ----------------------------------
+-       original          all kernels < 2.2.6
+-       2.1.40            2.2.20
+-       3.0.x             optional version 3 sg driver for 2.2 series
+-       3.1.17++          2.4.0++
+-       3.5.30++          2.6.0++
+-
+-Major new features in SG 3.x driver (cf SG 2.x drivers)
+-	- SG_IO ioctl() combines function if write() and read()
+-	- new interface (sg_io_hdr_t) but still supports old interface
+-	- scatter/gather in user space, direct IO, and mmap supported
+-
+- The normal action of this driver is to use the adapter (HBA) driver to DMA
+- data into kernel buffers and then use the CPU to copy the data into the 
+- user space (vice versa for writes). That is called "indirect" IO due to 
+- the double handling of data. There are two methods offered to remove the
+- redundant copy: 1) direct IO and 2) using the mmap() system call to map
+- the reserve buffer (this driver has one reserve buffer per fd) into the
+- user space. Both have their advantages.
+- In terms of absolute speed mmap() is faster. If speed is not a concern, 
+- indirect IO should be fine. Read the documentation for more information.
+-
+- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or
+-         'echo 1 > /sys/module/sg/parameters/allow_dio' is needed.
+-         That attribute is 0 by default. **
+- 
+- Historical note: this SCSI pass-through driver has been known as "sg" for 
+- a decade. In broader kernel discussions "sg" is used to refer to scatter
+- gather techniques. The context should clarify which "sg" is referred to.
+-
+- Documentation
+- =============
+- A web site for the SG device driver can be found at:
+-	http://www.torque.net/sg  [alternatively check the MAINTAINERS file]
+- The documentation for the sg version 3 driver can be found at:
+- 	http://www.torque.net/sg/p/sg_v3_ho.html
+- This is a rendering from DocBook source [change the extension to "sgml"
+- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon).
+- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer).
+- For more information see http://www.torque.net/sg/sg_io.html
+-
+- The older, version 2 documents discuss the original sg interface in detail:
+-	http://www.torque.net/sg/p/scsi-generic.txt
+-	http://www.torque.net/sg/p/scsi-generic_long.txt
+- Also available: <kernel_source>/Documentation/scsi/scsi-generic.txt
+-
+- Utility and test programs are available at the sg web site. They are 
+- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils
+- (for the lk 2.2 series).
+-*/
++ * History:
++ *  Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
++ *   process control of SCSI devices.
++ *  Development Sponsored by Killy Corp. NY NY
++ *
++ * Original driver (sg.h):
++ *       Copyright (C) 1992 Lawrence Foard
++ * Version 2 and 3 extensions to driver:
++ *	Copyright (C) 1998 - 2014 Douglas Gilbert
++ *
++ *  Version: 3.5.36 (20140603)
++ *  This version is for 2.6 and 3 series kernels.
++ *
++ * Documentation
++ * =============
++ * A web site for the SG device driver can be found at:
++ *	http://sg.danny.cz/sg  [alternatively check the MAINTAINERS file]
++ * The documentation for the sg version 3 driver can be found at:
++ *	http://sg.danny.cz/sg/p/sg_v3_ho.html
++ * Also see: <kernel_source>/Documentation/scsi/scsi-generic.txt
++ *
++ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html
++ */
+ 
+ #ifdef __KERNEL__
+ extern int sg_big_buff; /* for sysctl */
+ #endif
+ 
+-/* New interface introduced in the 3.x SG drivers follows */
+ 
+ typedef struct sg_iovec /* same structure as used by readv() Linux system */
+ {                       /* call. It defines one scatter-gather element. */
+@@ -87,7 +44,7 @@
+ {
+     int interface_id;           /* [i] 'S' for SCSI generic (required) */
+     int dxfer_direction;        /* [i] data transfer direction  */
+-    unsigned char cmd_len;      /* [i] SCSI command length ( <= 16 bytes) */
++    unsigned char cmd_len;      /* [i] SCSI command length */
+     unsigned char mx_sb_len;    /* [i] max length to write to sbp */
+     unsigned short iovec_count; /* [i] 0 implies no scatter gather */
+     unsigned int dxfer_len;     /* [i] byte count of data transfer */

Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch

@@ -0,0 +1,29 @@
+From c38b9d2d38678815745eae28512a03d5e1a3dcf1 Mon Sep 17 00:00:00 2001
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Change-Id: Icbb33a63776954de662eb858ede300fbcb3710f4
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 56178bc..84f5a76 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -959,6 +959,8 @@
+ 		result = get_user(val, ip);
+ 		if (result)
+ 			return result;
++		if (val > SG_MAX_CDB_SIZE)
++			return -ENOMEM;
+ 		sfp->next_cmd_len = (val > 0) ? val : 0;
+ 		return 0;
+ 	case SG_GET_VERSION_NUM:

Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64

@@ -0,0 +1 @@
+RnJvbSBjMzhiOWQyZDM4Njc4ODE1NzQ1ZWFlMjg1MTJhMDNkNWUxYTNkY2YxIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBwZXRlciBjaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkRhdGU6IFdlZCwgMTUgRmViIDIwMTcgMTQ6MTE6NTQgLTA4MDAKU3ViamVjdDogW1BBVENIXSBzY3NpOiBzZzogY2hlY2sgbGVuZ3RoIHBhc3NlZCB0byBTR19ORVhUX0NNRF9MRU4KClRoZSB1c2VyIGNhbiBjb250cm9sIHRoZSBzaXplIG9mIHRoZSBuZXh0IGNvbW1hbmQgcGFzc2VkIGFsb25nLCBidXQgdGhlCnZhbHVlIHBhc3NlZCB0byB0aGUgaW9jdGwgaXNuJ3QgY2hlY2tlZCBhZ2FpbnN0IHRoZSB1c2FibGUgbWF4IGNvbW1hbmQKc2l6ZS4KCkNoYW5nZS1JZDogSWNiYjMzYTYzNzc2OTU0ZGU2NjJlYjg1OGVkZTMwMGZiY2IzNzEwZjQKQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgpTaWduZWQtb2ZmLWJ5OiBQZXRlciBDaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KU2lnbmVkLW9mZi1ieTogTWFydGluIEsuIFBldGVyc2VuIDxtYXJ0aW4ucGV0ZXJzZW5Ab3JhY2xlLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA1NjE3OGJjLi44NGY1YTc2IDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtOTU5LDYgKzk1OSw4IEBACiAJCXJlc3VsdCA9IGdldF91c2VyKHZhbCwgaXApOwogCQlpZiAocmVzdWx0KQogCQkJcmV0dXJuIHJlc3VsdDsKKwkJaWYgKHZhbCA+IFNHX01BWF9DREJfU0laRSkKKwkJCXJldHVybiAtRU5PTUVNOwogCQlzZnAtPm5leHRfY21kX2xlbiA9ICh2YWwgPiAwKSA/IHZhbCA6IDA7CiAJCXJldHVybiAwOwogCWNhc2UgU0dfR0VUX1ZFUlNJT05fTlVNOgo=

Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch

@@ -0,0 +1,90 @@
+From ac8b4b8f6976c6f63704c2f1e3dc464bfa6a5256 Mon Sep 17 00:00:00 2001
+From: Xiaojun Sang <xsang@codeaurora.org>
+Date: Fri, 24 Feb 2017 16:13:20 +0800
+Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6v2: set pointer to NULL after free.
+
+Pointer after kfree is not sanitized.
+Set pointer to NULL.
+
+CRs-Fixed: 2008031
+Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
+Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
+Signed-off-by: Bikshapathi Kothapeta <bkotha@codeaurora.org>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
+index 3284380..f4a9a4d 100644
+--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
+@@ -391,6 +391,7 @@
+ 	SNDRV_PCM_STREAM_PLAYBACK);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	compr->prtd = NULL;
+ 	return 0;
+ }
+ 
+diff --git a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
+index 98401d9..f93029c 100644
+--- a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
+@@ -503,6 +503,7 @@
+ 	multi_ch_pcm_audio.prtd = NULL;
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+@@ -595,6 +596,7 @@
+ 	SNDRV_PCM_STREAM_CAPTURE);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
+index b6ecaa6..68a6b3d 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
+@@ -396,6 +396,7 @@
+ 	mutex_unlock(&prtd->lock);
+ 	prtd->prepared--;
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ static int msm_afe_prepare(struct snd_pcm_substream *substream)
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
+index a6c8f16..9c575a5 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
+@@ -391,6 +391,7 @@
+ 	pr_debug("%s\n", __func__);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+index 57ccea1..f5846ca 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+@@ -446,6 +446,7 @@
+ 	SNDRV_PCM_STREAM_PLAYBACK);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+@@ -538,6 +539,7 @@
+ 	SNDRV_PCM_STREAM_CAPTURE);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }

Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64

@@ -0,0 +1 @@
+RnJvbSBhYzhiNGI4ZjY5NzZjNmY2MzcwNGMyZjFlM2RjNDY0YmZhNmE1MjU2IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDI0IEZlYiAyMDE3IDE2OjEzOjIwICswODAwClN1YmplY3Q6IFtQQVRDSF0gQkFDS1BPUlQ6IEFTb0M6IG1zbTogcWRzcDZ2Mjogc2V0IHBvaW50ZXIgdG8gTlVMTCBhZnRlciBmcmVlLgoKUG9pbnRlciBhZnRlciBrZnJlZSBpcyBub3Qgc2FuaXRpemVkLgpTZXQgcG9pbnRlciB0byBOVUxMLgoKQ1JzLUZpeGVkOiAyMDA4MDMxCkNoYW5nZS1JZDogSWE1OWE1N2ZjZDE0MmE2ZWQxOGQxNjg5OTJiOGRhNDAxOTMxNGFmYTQKU2lnbmVkLW9mZi1ieTogWGlhb2p1biBTYW5nIDx4c2FuZ0Bjb2RlYXVyb3JhLm9yZz4KU2lnbmVkLW9mZi1ieTogQmlrc2hhcGF0aGkgS290aGFwZXRhIDxia290aGFAY29kZWF1cm9yYS5vcmc+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tY29tcHItcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tY29tcHItcTYtdjIuYwppbmRleCAzMjg0MzgwLi5mNGE5YTRkIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLWNvbXByLXE2LXYyLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1jb21wci1xNi12Mi5jCkBAIC0zOTEsNiArMzkxLDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX1BMQVlCQUNLKTsKIAlxNmFzbV9hdWRpb19jbGllbnRfZnJlZShwcnRkLT5hdWRpb19jbGllbnQpOwogCWtmcmVlKHBydGQpOworCWNvbXByLT5wcnRkID0gTlVMTDsKIAlyZXR1cm4gMDsKIH0KIApkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1tdWx0aS1jaC1wY20tcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tbXVsdGktY2gtcGNtLXE2LXYyLmMKaW5kZXggOTg0MDFkOS4uZjkzMDI5YyAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1tdWx0aS1jaC1wY20tcTYtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLW11bHRpLWNoLXBjbS1xNi12Mi5jCkBAIC01MDMsNiArNTAzLDcgQEAKIAltdWx0aV9jaF9wY21fYXVkaW8ucHJ0ZCA9IE5VTEw7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCXJldHVybiAwOwogfQogCkBAIC01OTUsNiArNTk2LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX0NBUFRVUkUpOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tYWZlLXYyLmMgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYwppbmRleCBiNmVjYWE2Li42OGE2YjNkIDEwMDY0NAotLS0gYS9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1hZmUtdjIuYwpAQCAtMzk2LDYgKzM5Niw3IEBACiAJbXV0ZXhfdW5sb2NrKCZwcnRkLT5sb2NrKTsKIAlwcnRkLT5wcmVwYXJlZC0tOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIDA7CiB9CiBzdGF0aWMgaW50IG1zbV9hZmVfcHJlcGFyZShzdHJ1Y3Qgc25kX3BjbV9zdWJzdHJlYW0gKnN1YnN0cmVhbSkKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tcGNtLWxwYS12Mi5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKaW5kZXggYTZjOGYxNi4uOWM1NzVhNSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tbHBhLXYyLmMKQEAgLTM5MSw2ICszOTEsNyBAQAogCXByX2RlYnVnKCIlc1xuIiwgX19mdW5jX18pOwogCXE2YXNtX2F1ZGlvX2NsaWVudF9mcmVlKHBydGQtPmF1ZGlvX2NsaWVudCk7CiAJa2ZyZWUocHJ0ZCk7CisJcnVudGltZS0+cHJpdmF0ZV9kYXRhID0gTlVMTDsKIAogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tcTYtdjIuYyBiL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9tc20tcGNtLXE2LXYyLmMKaW5kZXggNTdjY2VhMS4uZjU4NDZjYSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL21zbS1wY20tcTYtdjIuYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2djIvbXNtLXBjbS1xNi12Mi5jCkBAIC00NDYsNiArNDQ2LDcgQEAKIAlTTkRSVl9QQ01fU1RSRUFNX1BMQVlCQUNLKTsKIAlxNmFzbV9hdWRpb19jbGllbnRfZnJlZShwcnRkLT5hdWRpb19jbGllbnQpOwogCWtmcmVlKHBydGQpOworCXJ1bnRpbWUtPnByaXZhdGVfZGF0YSA9IE5VTEw7CiAJcmV0dXJuIDA7CiB9CiAKQEAgLTUzOCw2ICs1MzksNyBAQAogCVNORFJWX1BDTV9TVFJFQU1fQ0FQVFVSRSk7CiAJcTZhc21fYXVkaW9fY2xpZW50X2ZyZWUocHJ0ZC0+YXVkaW9fY2xpZW50KTsKIAlrZnJlZShwcnRkKTsKKwlydW50aW1lLT5wcml2YXRlX2RhdGEgPSBOVUxMOwogCiAJcmV0dXJuIDA7CiB9Cg==

Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch

@@ -0,0 +1,162 @@
+From 5b3fcb8c073ea1762744eeb74d2e8301a8728d7b Mon Sep 17 00:00:00 2001
+From: Xiaojun Sang <xsang@codeaurora.org>
+Date: Fri, 24 Feb 2017 16:13:20 +0800
+Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6: set pointer to NULL after free.
+
+Pointer after kfree is not sanitized.
+Set pointer to NULL.
+
+CRs-Fixed: 2008031
+Change-Id: I765a59a2059ba7a0fc16f70a1a8b92f57297a907
+Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
+Signed-off-by: Bikshapathi Kothapeta <bkotha@codeaurora.org>
+---
+
+diff --git a/sound/soc/msm/msm-lowlatency-pcm-q6.c b/sound/soc/msm/msm-lowlatency-pcm-q6.c
+index ad7ae1f..0f323c4 100644
+--- a/sound/soc/msm/msm-lowlatency-pcm-q6.c
++++ b/sound/soc/msm/msm-lowlatency-pcm-q6.c
+@@ -504,6 +504,7 @@
+ 			SNDRV_PCM_STREAM_PLAYBACK);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+@@ -596,6 +597,7 @@
+ 			SNDRV_PCM_STREAM_CAPTURE);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/msm-multi-ch-pcm-q6.c b/sound/soc/msm/msm-multi-ch-pcm-q6.c
+index 999683e..59072ec 100644
+--- a/sound/soc/msm/msm-multi-ch-pcm-q6.c
++++ b/sound/soc/msm/msm-multi-ch-pcm-q6.c
+@@ -576,6 +576,7 @@
+ 	multi_ch_pcm_audio.prtd = NULL;
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+@@ -668,6 +669,7 @@
+ 	SNDRV_PCM_STREAM_CAPTURE);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/msm-pcm-afe.c b/sound/soc/msm/msm-pcm-afe.c
+index 66043d1..a93d58b 100644
+--- a/sound/soc/msm/msm-pcm-afe.c
++++ b/sound/soc/msm/msm-pcm-afe.c
+@@ -326,6 +326,7 @@
+ 		pr_debug("%s: Could not allocate memory\n", __func__);
+ 		mutex_unlock(&prtd->lock);
+ 		kfree(prtd);
++		runtime->private_data = NULL;
+ 		return -ENOMEM;
+ 	}
+ 	hrtimer_init(&prtd->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+@@ -409,6 +410,7 @@
+ 	mutex_unlock(&prtd->lock);
+ 	prtd->prepared--;
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ static int msm_afe_prepare(struct snd_pcm_substream *substream)
+diff --git a/sound/soc/msm/msm-pcm-q6.c b/sound/soc/msm/msm-pcm-q6.c
+index 16e1415..da696d0 100644
+--- a/sound/soc/msm/msm-pcm-q6.c
++++ b/sound/soc/msm/msm-pcm-q6.c
+@@ -509,6 +509,7 @@
+ 			SNDRV_PCM_STREAM_PLAYBACK);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+@@ -604,6 +605,7 @@
+ 	msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
+ 		SNDRV_PCM_STREAM_CAPTURE);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/msm7k-pcm.c b/sound/soc/msm/msm7k-pcm.c
+index a9193a2..50983a0 100644
+--- a/sound/soc/msm/msm7k-pcm.c
++++ b/sound/soc/msm/msm7k-pcm.c
+@@ -393,6 +393,7 @@
+ 	msm_adsp_put(prtd->audrec);
+ 	msm_adsp_put(prtd->audpre);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+@@ -449,6 +450,7 @@
+ 
+  out:
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return ret;
+ }
+ 
+@@ -492,6 +494,7 @@
+ 	alsa_audio_disable(prtd);
+ 	audmgr_close(&prtd->audmgr);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+diff --git a/sound/soc/msm/msm7kv2-pcm.c b/sound/soc/msm/msm7kv2-pcm.c
+index 2b7a438..252e1f0 100644
+--- a/sound/soc/msm/msm7kv2-pcm.c
++++ b/sound/soc/msm/msm7kv2-pcm.c
+@@ -520,6 +520,7 @@
+ 	alsa_audio_disable(prtd);
+ 	auddev_unregister_evt_listner(AUDDEV_CLNT_DEC, prtd->session_id);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+@@ -574,6 +575,7 @@
+ 	audpreproc_aenc_free(prtd->session_id);
+ 	msm_adsp_put(prtd->audrec);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 	return 0;
+ }
+ 
+diff --git a/sound/soc/msm/msm8x60-pcm.c b/sound/soc/msm/msm8x60-pcm.c
+index 7993435..bfbea5c 100644
+--- a/sound/soc/msm/msm8x60-pcm.c
++++ b/sound/soc/msm/msm8x60-pcm.c
+@@ -534,6 +534,7 @@
+ 	msm_clear_session_id(prtd->session_id);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }
+@@ -627,6 +628,7 @@
+ 	msm_clear_session_id(prtd->session_id);
+ 	q6asm_audio_client_free(prtd->audio_client);
+ 	kfree(prtd);
++	runtime->private_data = NULL;
+ 
+ 	return 0;
+ }

Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch

@@ -0,0 +1,47 @@
+From 338a5cecf0f839331f0a58bff8aaae79e134799e Mon Sep 17 00:00:00 2001
+From: Fred Oh <fred@codeaurora.org>
+Date: Tue, 07 Apr 2015 19:22:29 -0700
+Subject: [PATCH] ASoC: msm: qdsp6v2: validate audio client in callback
+
+In case of single stream multiple device(SSMD) use-case audio session is
+freed on first EOS. There are some chance to crash when 2nd EOS event is
+reached with some delay. This make sure return properly if audio client
+is not valid.
+
+Bug: 36252027
+Change-Id: I3711d8e039fc37e654ca5230f3dc8784c6dba071
+Signed-off-by: Fred Oh <fred@codeaurora.org>
+Signed-off-by: Siqi Lin <siqilin@google.com>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
+index b17a440..4f486b1 100644
+--- a/sound/soc/msm/qdsp6v2/q6asm.c
++++ b/sound/soc/msm/qdsp6v2/q6asm.c
+@@ -329,6 +329,16 @@
+ 	return -ENOMEM;
+ }
+ 
++static bool q6asm_is_valid_audio_client(struct audio_client *ac)
++{
++	int n;
++	for (n = 1; n <= SESSION_MAX; n++) {
++		if (session[n] == ac)
++			return 1;
++	}
++	return 0;
++}
++
+ static void q6asm_session_free(struct audio_client *ac)
+ {
+ 	pr_debug("%s: sessionid[%d]\n", __func__, ac->session);
+@@ -905,7 +915,8 @@
+ 		pr_err("ac or priv NULL\n");
+ 		return -EINVAL;
+ 	}
+-	if (ac->session <= 0 || ac->session > 8) {
++	if (ac->session <= 0 || ac->session > 8 ||
++		!q6asm_is_valid_audio_client(ac)) {
+ 		pr_err("%s:Session ID is invalid, session = %d\n", __func__,
+ 			ac->session);
+ 		return -EINVAL;

Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64

@@ -0,0 +1 @@
+RnJvbSAzMzhhNWNlY2YwZjgzOTMzMWYwYTU4YmZmOGFhYWU3OWUxMzQ3OTllIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBGcmVkIE9oIDxmcmVkQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBUdWUsIDA3IEFwciAyMDE1IDE5OjIyOjI5IC0wNzAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogbXNtOiBxZHNwNnYyOiB2YWxpZGF0ZSBhdWRpbyBjbGllbnQgaW4gY2FsbGJhY2sKCkluIGNhc2Ugb2Ygc2luZ2xlIHN0cmVhbSBtdWx0aXBsZSBkZXZpY2UoU1NNRCkgdXNlLWNhc2UgYXVkaW8gc2Vzc2lvbiBpcwpmcmVlZCBvbiBmaXJzdCBFT1MuIFRoZXJlIGFyZSBzb21lIGNoYW5jZSB0byBjcmFzaCB3aGVuIDJuZCBFT1MgZXZlbnQgaXMKcmVhY2hlZCB3aXRoIHNvbWUgZGVsYXkuIFRoaXMgbWFrZSBzdXJlIHJldHVybiBwcm9wZXJseSBpZiBhdWRpbyBjbGllbnQKaXMgbm90IHZhbGlkLgoKQnVnOiAzNjI1MjAyNwpDaGFuZ2UtSWQ6IEkzNzExZDhlMDM5ZmMzN2U2NTRjYTUyMzBmM2RjODc4NGM2ZGJhMDcxClNpZ25lZC1vZmYtYnk6IEZyZWQgT2ggPGZyZWRAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IFNpcWkgTGluIDxzaXFpbGluQGdvb2dsZS5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggYjE3YTQ0MC4uNGY0ODZiMSAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTMyOSw2ICszMjksMTYgQEAKIAlyZXR1cm4gLUVOT01FTTsKIH0KIAorc3RhdGljIGJvb2wgcTZhc21faXNfdmFsaWRfYXVkaW9fY2xpZW50KHN0cnVjdCBhdWRpb19jbGllbnQgKmFjKQoreworCWludCBuOworCWZvciAobiA9IDE7IG4gPD0gU0VTU0lPTl9NQVg7IG4rKykgeworCQlpZiAoc2Vzc2lvbltuXSA9PSBhYykKKwkJCXJldHVybiAxOworCX0KKwlyZXR1cm4gMDsKK30KKwogc3RhdGljIHZvaWQgcTZhc21fc2Vzc2lvbl9mcmVlKHN0cnVjdCBhdWRpb19jbGllbnQgKmFjKQogewogCXByX2RlYnVnKCIlczogc2Vzc2lvbmlkWyVkXVxuIiwgX19mdW5jX18sIGFjLT5zZXNzaW9uKTsKQEAgLTkwNSw3ICs5MTUsOCBAQAogCQlwcl9lcnIoImFjIG9yIHByaXYgTlVMTFxuIik7CiAJCXJldHVybiAtRUlOVkFMOwogCX0KLQlpZiAoYWMtPnNlc3Npb24gPD0gMCB8fCBhYy0+c2Vzc2lvbiA+IDgpIHsKKwlpZiAoYWMtPnNlc3Npb24gPD0gMCB8fCBhYy0+c2Vzc2lvbiA+IDggfHwKKwkJIXE2YXNtX2lzX3ZhbGlkX2F1ZGlvX2NsaWVudChhYykpIHsKIAkJcHJfZXJyKCIlczpTZXNzaW9uIElEIGlzIGludmFsaWQsIHNlc3Npb24gPSAlZFxuIiwgX19mdW5jX18sCiAJCQlhYy0+c2Vzc2lvbik7CiAJCXJldHVybiAtRUlOVkFMOwo=

Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch

@@ -0,0 +1,38 @@
+From fd6890b6c55c2ced15b7165cc658eb83dafc7eb1 Mon Sep 17 00:00:00 2001
+From: Aravind Kumar <akumark@codeaurora.org>
+Date: Mon, 11 May 2015 15:26:27 +0530
+Subject: [PATCH] ASoC: msm: qdsp6v2: check audio client pointer before accessing
+
+In the registered callback for q6asm, we are checking if
+the audio client pointer is valid and also, dereferencing it
+to get the session ID even though it could be invalid or expired.
+Return and exit immediately if the audio client pointer is
+invalid.
+
+Bug: 36252027
+CRs-Fixed: 832914
+Change-Id: I96b722b584a4b5adf8a33891abd75a320e76ea25
+Signed-off-by: Aravind Kumar <akumark@codeaurora.org>
+Signed-off-by: Siqi Lin <siqilin@google.com>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
+index 4f486b1..20e2cef 100644
+--- a/sound/soc/msm/qdsp6v2/q6asm.c
++++ b/sound/soc/msm/qdsp6v2/q6asm.c
+@@ -915,8 +915,13 @@
+ 		pr_err("ac or priv NULL\n");
+ 		return -EINVAL;
+ 	}
+-	if (ac->session <= 0 || ac->session > 8 ||
+-		!q6asm_is_valid_audio_client(ac)) {
++	if (!q6asm_is_valid_audio_client(ac)) {
++		pr_err("%s: audio client pointer is invalid, ac = %p\n",
++				__func__, ac);
++		return -EINVAL;
++	}
++
++	if (ac->session <= 0 || ac->session > 8) {
+ 		pr_err("%s:Session ID is invalid, session = %d\n", __func__,
+ 			ac->session);
+ 		return -EINVAL;

Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64

@@ -0,0 +1 @@
+RnJvbSBmZDY4OTBiNmM1NWMyY2VkMTViNzE2NWNjNjU4ZWI4M2RhZmM3ZWIxIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBBcmF2aW5kIEt1bWFyIDxha3VtYXJrQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBNb24sIDExIE1heSAyMDE1IDE1OjI2OjI3ICswNTMwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogbXNtOiBxZHNwNnYyOiBjaGVjayBhdWRpbyBjbGllbnQgcG9pbnRlciBiZWZvcmUgYWNjZXNzaW5nCgpJbiB0aGUgcmVnaXN0ZXJlZCBjYWxsYmFjayBmb3IgcTZhc20sIHdlIGFyZSBjaGVja2luZyBpZgp0aGUgYXVkaW8gY2xpZW50IHBvaW50ZXIgaXMgdmFsaWQgYW5kIGFsc28sIGRlcmVmZXJlbmNpbmcgaXQKdG8gZ2V0IHRoZSBzZXNzaW9uIElEIGV2ZW4gdGhvdWdoIGl0IGNvdWxkIGJlIGludmFsaWQgb3IgZXhwaXJlZC4KUmV0dXJuIGFuZCBleGl0IGltbWVkaWF0ZWx5IGlmIHRoZSBhdWRpbyBjbGllbnQgcG9pbnRlciBpcwppbnZhbGlkLgoKQnVnOiAzNjI1MjAyNwpDUnMtRml4ZWQ6IDgzMjkxNApDaGFuZ2UtSWQ6IEk5NmI3MjJiNTg0YTRiNWFkZjhhMzM4OTFhYmQ3NWEzMjBlNzZlYTI1ClNpZ25lZC1vZmYtYnk6IEFyYXZpbmQgS3VtYXIgPGFrdW1hcmtAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IFNpcWkgTGluIDxzaXFpbGluQGdvb2dsZS5jb20+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggNGY0ODZiMS4uMjBlMmNlZiAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTkxNSw4ICs5MTUsMTMgQEAKIAkJcHJfZXJyKCJhYyBvciBwcml2IE5VTExcbiIpOwogCQlyZXR1cm4gLUVJTlZBTDsKIAl9Ci0JaWYgKGFjLT5zZXNzaW9uIDw9IDAgfHwgYWMtPnNlc3Npb24gPiA4IHx8Ci0JCSFxNmFzbV9pc192YWxpZF9hdWRpb19jbGllbnQoYWMpKSB7CisJaWYgKCFxNmFzbV9pc192YWxpZF9hdWRpb19jbGllbnQoYWMpKSB7CisJCXByX2VycigiJXM6IGF1ZGlvIGNsaWVudCBwb2ludGVyIGlzIGludmFsaWQsIGFjID0gJXBcbiIsCisJCQkJX19mdW5jX18sIGFjKTsKKwkJcmV0dXJuIC1FSU5WQUw7CisJfQorCisJaWYgKGFjLT5zZXNzaW9uIDw9IDAgfHwgYWMtPnNlc3Npb24gPiA4KSB7CiAJCXByX2VycigiJXM6U2Vzc2lvbiBJRCBpcyBpbnZhbGlkLCBzZXNzaW9uID0gJWRcbiIsIF9fZnVuY19fLAogCQkJYWMtPnNlc3Npb24pOwogCQlyZXR1cm4gLUVJTlZBTDsK

Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt

@@ -1107,6 +1107,8 @@ CVE-2016-9191
 CVE-2016-9555
 	Link - https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
 CVE-2016-9576
+	Link - 3.4 - https://review.lineageos.org/#/c/176402/
+	Link - 3.10 - https://review.lineageos.org/#/c/175603/
 	Link - https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
 CVE-2016-9604
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44c037827f0aeddbbbb323930fa3d09a7b4fffca
@@ -1581,6 +1583,12 @@ CVE-2017-7184
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df
 CVE-2017-7187
+	Link - 3.4 - https://review.lineageos.org/#/c/182338/
+	Link - 3.4 - https://review.lineageos.org/#/c/182339/
+	Link - 3.4 - https://review.lineageos.org/#/c/182340/
+	Link - 3.10 - https://review.lineageos.org/#/c/175571/
+	Link - 3.10 - https://review.lineageos.org/#/c/175572/
+	Link - 3.10 - https://review.lineageos.org/#/c/175573/
 	Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124
 CVE-2017-7277
 	Depends
@@ -1666,6 +1674,8 @@ CVE-2017-8245
 	Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=f53af3805879292423465cd0877cc7a75131ce10
 	Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5b2f6e011ba92f28e8d7dbeb11c4ee7344c33186
 CVE-2017-8246
+	Link - 3.4 - https://review.lineageos.org/#/c/185429/
+	Link - 3.4 - https://review.lineageos.org/#/c/185430/
 	Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=578eb74435eccdc3df516fd744941a7d872fac6c
 	Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=30baaec8afb05abf9f794c631ad944838d498ab8
 	Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9734b72ae21eca557540c3c42d356dd131a20004
@@ -1679,6 +1689,8 @@ CVE-2017-8251
 CVE-2017-8253
 	Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5f07894058c4198f61e533d727b343c5be879b0
 CVE-2017-8254
+	Link - 3.4 - https://review.lineageos.org/#/c/188837/
+	Link - 3.4 - https://review.lineageos.org/#/c/188838/
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=70afce1d9be745005c48fd565c01ce452a565e7e
 CVE-2017-8256
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=75e1e00d6b3cd4cb89fd5314a60c333aa0b03230