More patches
parent
7c0049f494
commit
42e8062935
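--- a/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch
+++ b/Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch
@@ -0,0 +1,71 @@
+From f569aee1087fa3da9712952fc00daa72b028424c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 07 Jan 2017 19:14:29 +0100
+Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE
+
+Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check
+whether it is legal to read or write a file using splice. Both get
+automatically set on regular files and are not checked when a 'struct
+fileoperations' includes the splice_{read,write} methods.
+
+Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+
+diff --git a/fs/open.c b/fs/open.c
+index 9bf7fa0..e0e2a37 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -680,6 +680,10 @@
+return 0;
+}
+
++ if (S_ISREG(inode->i_mode))
++ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ;
++
++
+f->f_op = fops_get(inode->i_fop);
+
+error = security_file_open(f, cred);
+diff --git a/fs/splice.c b/fs/splice.c
+index f183f13..8ba78ce 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -381,6 +381,9 @@
+index++;
+}
+
++ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ)))
++ return -EINVAL;
++
+/*
+* Now loop over the map and see if we need to start IO on any
+* pages, fill in the partial map, etc.
+@@ -1084,6 +1087,9 @@
+{
+ssize_t ret;
+
++ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE)))
++ return -EINVAL;
++
+ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
+if (ret > 0)
+*ppos += ret;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index e6f1180..78300ef 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -125,6 +125,11 @@
+/* File was opened by fanotify and shouldn't generate fanotify events */
+#define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
+
++/* File can be read using splice */
++#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000)
++/* File can be written using splice */
++#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000)
++
+/*
+* Flag for rw_copy_check_uvector and compat_rw_copy_check_uvector
+* that indicates that they should check the contents of the iovec are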
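Review bot: The read-side check in the fs/splice.c hunk at `@@ -381,6 +381,9 @@` returns `-EINVAL` from the middle of a function, after the `index++; }` loop tail and just before the "Now loop over the map" comment, so anything that function acquired earlier would not be released on this path. The function starts outside the hunk and the hunk headers carry no function names, so whether page references or arrays are already held at that point has to be confirmed against the target tree; the context suggests a page-gathering loop has just finished. Placing `if (unlikely(!(in->f_mode & FMODE_SPLICE_READ))) return -EINVAL;` as the first statement of the function, the way the write-side hunk at `@@ -1084,6 +1087,9 @@` does, or routing it through the function's existing cleanup path, avoids the question. The same placement appears in Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch at `@@ -376,6 +376,9 @@`.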
1
Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2016-9576/3.10/0002.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
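--- a/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch
+++ b/Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch
@@ -0,0 +1,71 @@
+From 741ab25b1f609f4ca11429b99811c4a427c60024 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 07 Jan 2017 19:14:29 +0100
+Subject: [PATCH] splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE
+
+Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check
+whether it is legal to read or write a file using splice. Both get
+automatically set on regular files and are not checked when a 'struct
+fileoperations' includes the splice_{read,write} methods.
+
+Change-Id: Ice6a3fab20bf0ac131f8d908f4bb0f7dc34bf4e3
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+
+diff --git a/fs/open.c b/fs/open.c
+index 4c28c4f..7512d8a 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -683,6 +683,10 @@
+return f;
+}
+
++ if (S_ISREG(inode->i_mode))
++ f->f_mode |= FMODE_SPLICE_WRITE | FMODE_SPLICE_READ;
++
++
+f->f_op = fops_get(inode->i_fop);
+
+error = security_dentry_open(f, cred);
+diff --git a/fs/splice.c b/fs/splice.c
+index ea85353..bf597dc5 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -376,6 +376,9 @@
+index++;
+}
+
++ if (unlikely(!(in->f_mode & FMODE_SPLICE_READ)))
++ return -EINVAL;
++
+/*
+* Now loop over the map and see if we need to start IO on any
+* pages, fill in the partial map, etc.
+@@ -1059,6 +1062,9 @@
+{
+ssize_t ret;
+
++ if (unlikely(!(out->f_mode & FMODE_SPLICE_WRITE)))
++ return -EINVAL;
++
+ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
+if (ret > 0)
+*ppos += ret;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 0e03633..ef0590d 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -117,6 +117,11 @@
+/* File was opened by fanotify and shouldn't generate fanotify events */
+#define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
+
++/* File can be read using splice */
++#define FMODE_SPLICE_READ ((__force fmode_t)0x8000000)
++/* File can be written using splice */
++#define FMODE_SPLICE_WRITE ((__force fmode_t)0x10000000)
++
+/*
+* The below are the various read and write types that we support. Some of
+* them include behavioral modifiers that send information down to the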
1
Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2016-9576/3.4/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
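--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch
+++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch
@@ -0,0 +1,383 @@
+From 60ebd48061949405fe6a69aa921d47b40f474a41 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Fri, 06 Jun 2014 07:57:37 -0600
+Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc()
+
+With the optimizations around not clearing the full request at alloc
+time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC
+up to the user allocating the request.
+
+Add a blk_rq_set_block_pc() that sets the command type to
+REQ_TYPE_BLOCK_PC, and properly initializes the members associated
+with this type of request. Update callers to use this function instead
+of manipulating rq->cmd_type directly.
+
+Includes fixes from Christoph Hellwig <hch@lst.de> for my half-assed
+attempt.
+
+Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index bce8d73..7cb3157 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1189,6 +1189,8 @@
+if (unlikely(!rq))
+return ERR_PTR(-ENOMEM);
+
++ blk_rq_set_block_pc(rq);
++
+for_each_bio(bio) {
+struct bio *bounce_bio = bio;
+int ret;
+@@ -1206,6 +1208,22 @@
+EXPORT_SYMBOL(blk_make_request);
+
+/**
++ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC
++ * @rq: request to be initialized
++ *
++ */
++void blk_rq_set_block_pc(struct request *rq)
++{
++ rq->cmd_type = REQ_TYPE_BLOCK_PC;
++ rq->__data_len = 0;
++ rq->__sector = (sector_t) -1;
++ rq->bio = rq->biotail = NULL;
++ memset(rq->__cmd, 0, sizeof(rq->__cmd));
++ rq->cmd = rq->__cmd;
++}
++EXPORT_SYMBOL(blk_rq_set_block_pc);
++
++/**
+* blk_requeue_request - put a request back on queue
+* @q: request queue where request should be inserted
+* @rq: request to be inserted
+diff --git a/block/bsg.c b/block/bsg.c
+index 76801e5..0ed26bc 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -196,7 +196,6 @@
+* fill in request structure
+*/
+rq->cmd_len = hdr->request_len;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+
+rq->timeout = msecs_to_jiffies(hdr->timeout);
+if (!rq->timeout)
+@@ -273,6 +272,8 @@
+rq = blk_get_request(q, rw, GFP_KERNEL);
+if (!rq)
+return ERR_PTR(-ENOMEM);
++ blk_rq_set_block_pc(rq);
++
+ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
+if (ret)
+goto out;
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 1b4988b..ddbcae2 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -233,7 +233,6 @@
+* fill in request structure
+*/
+rq->cmd_len = hdr->cmd_len;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+
+rq->timeout = msecs_to_jiffies(hdr->timeout);
+if (!rq->timeout)
+@@ -314,6 +313,7 @@
+rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
+if (!rq)
+return -ENOMEM;
++ blk_rq_set_block_pc(rq);
+
+if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
+blk_put_request(rq);
+@@ -512,7 +512,7 @@
+memset(sense, 0, sizeof(sense));
+rq->sense = sense;
+rq->sense_len = 0;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(rq);
+
+blk_execute_rq(q, disk, rq, 0);
+
+@@ -544,7 +544,7 @@
+int err;
+
+rq = blk_get_request(q, WRITE, __GFP_WAIT);
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(rq);
+rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
+rq->cmd[0] = cmd;
+rq->cmd[4] = data;
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index f5d0ea1..caddb5d 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -712,6 +712,7 @@
+
+rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
+WRITE : READ, __GFP_WAIT);
++ blk_rq_set_block_pc(rq);
+
+if (cgc->buflen) {
+if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
+@@ -722,7 +723,6 @@
+memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE);
+
+rq->timeout = 60*HZ;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+if (cgc->quiet)
+rq->cmd_flags |= REQ_QUIET;
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 8a3aff7..1ca0772 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2165,6 +2165,7 @@
+ret = -ENOMEM;
+break;
+}
++ blk_rq_set_block_pc(rq);
+
+ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
+if (ret) {
+@@ -2184,7 +2185,6 @@
+rq->cmd[9] = 0xf8;
+
+rq->cmd_len = 12;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+rq->timeout = 60 * HZ;
+bio = rq->bio;
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 68adb89..28bf7fb 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -120,6 +120,7 @@
+"%s: blk_get_request failed\n", __func__);
+return NULL;
+}
++ blk_rq_set_block_pc(rq);
+
+if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+blk_put_request(rq);
+@@ -128,7 +129,6 @@
+return NULL;
+}
+
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+REQ_FAILFAST_DRIVER;
+rq->retries = ALUA_FAILOVER_RETRIES;
+diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c
+index e1c8be0..6f07f7f 100644
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c
+@@ -280,6 +280,7 @@
+return NULL;
+}
+
++ blk_rq_set_block_pc(rq);
+rq->cmd_len = COMMAND_SIZE(cmd);
+rq->cmd[0] = cmd;
+
+@@ -304,7 +305,6 @@
+break;
+}
+
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+REQ_FAILFAST_DRIVER;
+rq->timeout = CLARIION_TIMEOUT;
+diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+index 084062b..e9d9fea 100644
+--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c
++++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
+@@ -120,7 +120,7 @@
+if (!req)
+return SCSI_DH_RES_TEMP_UNAVAIL;
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(req);
+req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+REQ_FAILFAST_DRIVER;
+req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY);
+@@ -250,7 +250,7 @@
+if (!req)
+return SCSI_DH_RES_TEMP_UNAVAIL;
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(req);
+req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+REQ_FAILFAST_DRIVER;
+req->cmd_len = COMMAND_SIZE(START_STOP);
+diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
+index 69c915a..3916c31 100644
+--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
+@@ -279,6 +279,7 @@
+"get_rdac_req: blk_get_request failed.\n");
+return NULL;
+}
++ blk_rq_set_block_pc(rq);
+
+if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
+blk_put_request(rq);
+@@ -287,7 +288,6 @@
+return NULL;
+}
+
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
+REQ_FAILFAST_DRIVER;
+rq->retries = RDAC_RETRIES;
+diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
+index aa66361..11bd87e 100644
+--- a/drivers/scsi/osd/osd_initiator.c
++++ b/drivers/scsi/osd/osd_initiator.c
+@@ -1570,6 +1570,7 @@
+if (unlikely(!req))
+return ERR_PTR(-ENOMEM);
+
++ blk_rq_set_block_pc(req);
+return req;
+}
+}
+@@ -1590,7 +1591,6 @@
+}
+
+or->request = req;
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
+req->cmd_flags |= REQ_QUIET;
+
+req->timeout = or->timeout;
+@@ -1608,7 +1608,7 @@
+ret = PTR_ERR(req);
+goto out;
+}
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(req);
+or->in.req = or->request->next_rq = req;
+}
+} else if (has_in)
+diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c
+index 21883a2..0727ea7 100644
+--- a/drivers/scsi/osst.c
++++ b/drivers/scsi/osst.c
+@@ -365,7 +365,7 @@
+if (!req)
+return DRIVER_ERROR << 24;
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(req);
+req->cmd_flags |= REQ_QUIET;
+
+SRpnt->bio = NULL;
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 3668b1b..c1e4a74 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1653,6 +1653,8 @@
+*/
+req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
+
++ blk_rq_set_block_pc(req);
++
+req->cmd[0] = ALLOW_MEDIUM_REMOVAL;
+req->cmd[1] = 0;
+req->cmd[2] = 0;
+@@ -1662,7 +1664,6 @@
+
+req->cmd_len = COMMAND_SIZE(req->cmd[0]);
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
+req->cmd_flags |= REQ_QUIET;
+req->timeout = 10 * HZ;
+req->retries = 5;
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 9f3168e..49076d1 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -238,6 +238,7 @@
+req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
+if (!req)
+return ret;
++ blk_rq_set_block_pc(req);
+
+if (bufflen && blk_rq_map_kern(sdev->request_queue, req,
+buffer, bufflen, __GFP_WAIT))
+@@ -249,7 +250,6 @@
+req->sense_len = 0;
+req->retries = retries;
+req->timeout = timeout;
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
+req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT;
+
+/*
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index e059ad4..5170506 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1656,10 +1656,9 @@
+if (!rq)
+return -ENOMEM;
+
++ blk_rq_set_block_pc(rq);
+memcpy(rq->cmd, cmd, hp->cmd_len);
+-
+rq->cmd_len = hp->cmd_len;
+- rq->cmd_type = REQ_TYPE_BLOCK_PC;
+
+srp->rq = rq;
+rq->end_io_data = srp;
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 2a32036..7d74f83 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -484,7 +484,7 @@
+if (!req)
+return DRIVER_ERROR << 24;
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
++ blk_rq_set_block_pc(req);
+req->cmd_flags |= REQ_QUIET;
+
+mdata->null_mapped = 1;
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 244776b..dff91ee 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -1059,6 +1059,8 @@
+ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+goto fail;
+}
++
++ blk_rq_set_block_pc(req);
+} else {
+BUG_ON(!cmd->data_length);
+
+@@ -1075,7 +1077,6 @@
+}
+}
+
+- req->cmd_type = REQ_TYPE_BLOCK_PC;
+req->end_io = pscsi_req_done;
+req->end_io_data = cmd;
+req->cmd_len = scsi_command_size(pt->pscsi_cdb);
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index e9b04cd..cce84e5 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -742,6 +742,7 @@
+extern struct request *blk_get_request(struct request_queue *, int, gfp_t);
+extern struct request *blk_make_request(struct request_queue *, struct bio *,
+gfp_t);
++extern void blk_rq_set_block_pc(struct request *);
+extern void blk_requeue_request(struct request_queue *, struct request *);
+extern int blk_reinsert_request(struct request_queue *q, struct request *rq);
+extern bool blk_reinsert_req_sup(struct request_queue *q);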
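Review bot: In block/scsi_ioctl.c the hunk at `@@ -512,7 +512,7 @@` swaps the `cmd_type` assignment for `blk_rq_set_block_pc(rq);` in place, directly before `blk_execute_rq()`, yet the helper added in block/blk-core.c also clears `rq->bio`/`rq->biotail`, zeroes `rq->__cmd` and resets `rq->cmd`, `__data_len` and `__sector`. The other converted call sites visible in this patch invoke it right after the request is allocated, before the command bytes or data mapping are set up; if this function has already filled `rq->cmd` or mapped a buffer (its body starts outside the hunk), that state is wiped just before the request is issued. Moving the call up to follow this function's `blk_get_request()` and keeping only the removal here would match the rest of the patch. Separately, the drivers/block/pktcdvd.c and drivers/scsi/scsi_error.c hunks hand the `blk_get_request()` result to the helper with no NULL check visible, unlike the `if (!rq)` guards in the neighbouring hunks.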
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0004.patch.base64
Normal file
File diff suppressed because one or more lines are too long
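--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch
+++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch
@@ -0,0 +1,263 @@
+From 2c5b488b49d92c02ac28f45e68f366c6a51a8949 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Tue, 03 Jun 2014 13:18:18 -0400
+Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction
+
+- remove the 16 byte CDB (SCSI command) length limit from the sg driver
+by handling longer CDBs the same way as the bsg driver. Remove comment
+from sg.h public interface about the cmd_len field being limited to 16
+bytes.
+- remove some dead code caused by this change
+- cleanup comment block at the top of sg.h, fix urls
+
+Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 5170506..96d635e 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -7,9 +7,7 @@
+* Original driver (sg.c):
+* Copyright (C) 1992 Lawrence Foard
+* Version 2 and 3 extensions to driver:
+- * Copyright (C) 1998 - 2005 Douglas Gilbert
+- *
+- * Modified 19-JAN-1998 Richard Gooch <rgooch@atnf.csiro.au> Devfs support
++ * Copyright (C) 1998 - 2014 Douglas Gilbert
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+@@ -18,11 +16,11 @@
+*
+*/
+
+-static int sg_version_num = 30534; /* 2 digits for each component */
+-#define SG_VERSION_STR "3.5.34"
++static int sg_version_num = 30536; /* 2 digits for each component */
++#define SG_VERSION_STR "3.5.36"
+
+/*
+- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes:
++ * D. P. Gilbert (dgilbert@interlog.com), notes:
+* - scsi logging is available via SCSI_LOG_TIMEOUT macros. First
+* the kernel/module needs to be built with CONFIG_SCSI_LOGGING
+* (otherwise the macros compile to empty statements).
+@@ -64,7 +62,7 @@
+
+#ifdef CONFIG_SCSI_PROC_FS
+#include <linux/proc_fs.h>
+-static char *sg_version_date = "20061027";
++static char *sg_version_date = "20140603";
+
+static int sg_proc_init(void);
+static void sg_proc_cleanup(void);
+@@ -73,6 +71,12 @@
+#define SG_ALLOW_DIO_DEF 0
+
+#define SG_MAX_DEVS 32768
++
++/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type
++ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater
++ * than 16 bytes are "variable length" whose length is a multiple of 4
++ */
++#define SG_MAX_CDB_SIZE 252
+
+/*
+* Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d)
+@@ -161,7 +165,7 @@
+char low_dma; /* as in parent but possibly overridden to 1 */
+char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */
+char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
+- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */
++ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
+char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
+char mmap_called; /* 0 -> mmap() never called on this fd */
+struct kref f_ref;
+@@ -566,7 +570,7 @@
+Sg_request *srp;
+struct sg_header old_hdr;
+sg_io_hdr_t *hp;
+- unsigned char cmnd[MAX_COMMAND_SIZE];
++ unsigned char cmnd[SG_MAX_CDB_SIZE];
+
+if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+return -EINVAL;
+@@ -601,12 +605,6 @@
+buf += SZ_SG_HEADER;
+__get_user(opcode, buf);
+if (sfp->next_cmd_len > 0) {
+- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
+- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n"));
+- sfp->next_cmd_len = 0;
+- sg_remove_request(sfp, srp);
+- return -EIO;
+- }
+cmd_size = sfp->next_cmd_len;
+sfp->next_cmd_len = 0; /* reset so only this write() effected */
+} else {
+@@ -678,7 +676,7 @@
+int k;
+Sg_request *srp;
+sg_io_hdr_t *hp;
+- unsigned char cmnd[MAX_COMMAND_SIZE];
++ unsigned char cmnd[SG_MAX_CDB_SIZE];
+int timeout;
+unsigned long ul_timeout;
+
+@@ -1648,15 +1646,27 @@
+struct request_queue *q = sfp->parentdp->device->request_queue;
+struct rq_map_data *md, map_data;
+int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ;
++ unsigned char *long_cmdp = NULL;
+
+SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n",
+dxfer_len));
+
++ if (hp->cmd_len > BLK_MAX_CDB) {
++ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL);
++ if (!long_cmdp)
++ return -ENOMEM;
++ }
++
+rq = blk_get_request(q, rw, GFP_ATOMIC);
+- if (!rq)
++ if (!rq) {
++ kfree(long_cmdp);
+return -ENOMEM;
++ }
+
+blk_rq_set_block_pc(rq);
++
++ if (hp->cmd_len > BLK_MAX_CDB)
++ rq->cmd = long_cmdp;
+memcpy(rq->cmd, cmd, hp->cmd_len);
+rq->cmd_len = hp->cmd_len;
+
+@@ -1741,6 +1751,8 @@
+if (srp->bio)
+ret = blk_rq_unmap_user(srp->bio);
+
++ if (srp->rq->cmd != srp->rq->__cmd)
++ kfree(srp->rq->cmd);
+blk_put_request(srp->rq);
+}
+
+diff --git a/include/uapi/scsi/sg.h b/include/uapi/scsi/sg.h
+index a9f3c6f..d8c0c43 100644
+--- a/include/uapi/scsi/sg.h
++++ b/include/uapi/scsi/sg.h
+@@ -4,77 +4,34 @@
+#include <linux/compiler.h>
+
+/*
+- History:
+- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
+- process control of SCSI devices.
+- Development Sponsored by Killy Corp. NY NY
+-Original driver (sg.h):
+-* Copyright (C) 1992 Lawrence Foard
+-Version 2 and 3 extensions to driver:
+-* Copyright (C) 1998 - 2006 Douglas Gilbert
+-
+- Version: 3.5.34 (20060920)
+- This version is for 2.6 series kernels.
+-
+- For a full changelog see http://www.torque.net/sg
+-
+-Map of SG verions to the Linux kernels in which they appear:
+- ---------- ----------------------------------
+- original all kernels < 2.2.6
+- 2.1.40 2.2.20
+- 3.0.x optional version 3 sg driver for 2.2 series
+- 3.1.17++ 2.4.0++
+- 3.5.30++ 2.6.0++
+-
+-Major new features in SG 3.x driver (cf SG 2.x drivers)
+- - SG_IO ioctl() combines function if write() and read()
+- - new interface (sg_io_hdr_t) but still supports old interface
+- - scatter/gather in user space, direct IO, and mmap supported
+-
+- The normal action of this driver is to use the adapter (HBA) driver to DMA
+- data into kernel buffers and then use the CPU to copy the data into the
+- user space (vice versa for writes). That is called "indirect" IO due to
+- the double handling of data. There are two methods offered to remove the
+- redundant copy: 1) direct IO and 2) using the mmap() system call to map
+- the reserve buffer (this driver has one reserve buffer per fd) into the
+- user space. Both have their advantages.
+- In terms of absolute speed mmap() is faster. If speed is not a concern,
+- indirect IO should be fine. Read the documentation for more information.
+-
+- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or
+- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed.
+- That attribute is 0 by default. **
+-
+- Historical note: this SCSI pass-through driver has been known as "sg" for
+- a decade. In broader kernel discussions "sg" is used to refer to scatter
+- gather techniques. The context should clarify which "sg" is referred to.
+-
+- Documentation
+- =============
+- A web site for the SG device driver can be found at:
+- http://www.torque.net/sg [alternatively check the MAINTAINERS file]
+- The documentation for the sg version 3 driver can be found at:
+- http://www.torque.net/sg/p/sg_v3_ho.html
+- This is a rendering from DocBook source [change the extension to "sgml"
+- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon).
+- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer).
+- For more information see http://www.torque.net/sg/sg_io.html
+-
+- The older, version 2 documents discuss the original sg interface in detail:
+- http://www.torque.net/sg/p/scsi-generic.txt
+- http://www.torque.net/sg/p/scsi-generic_long.txt
+- Also available: <kernel_source>/Documentation/scsi/scsi-generic.txt
+-
+- Utility and test programs are available at the sg web site. They are
+- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils
+- (for the lk 2.2 series).
+-*/
++ * History:
++ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
++ * process control of SCSI devices.
++ * Development Sponsored by Killy Corp. NY NY
++ *
++ * Original driver (sg.h):
++ * Copyright (C) 1992 Lawrence Foard
++ * Version 2 and 3 extensions to driver:
++ * Copyright (C) 1998 - 2014 Douglas Gilbert
++ *
++ * Version: 3.5.36 (20140603)
++ * This version is for 2.6 and 3 series kernels.
++ *
++ * Documentation
++ * =============
++ * A web site for the SG device driver can be found at:
++ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file]
++ * The documentation for the sg version 3 driver can be found at:
++ * http://sg.danny.cz/sg/p/sg_v3_ho.html
++ * Also see: <kernel_source>/Documentation/scsi/scsi-generic.txt
++ *
++ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html
++ */
+
+#ifdef __KERNEL__
+extern int sg_big_buff; /* for sysctl */
+#endif
+
+-/* New interface introduced in the 3.x SG drivers follows */
+
+typedef struct sg_iovec /* same structure as used by readv() Linux system */
+{ /* call. It defines one scatter-gather element. */
+@@ -87,7 +44,7 @@
+{
+int interface_id; /* [i] 'S' for SCSI generic (required) */
+int dxfer_direction; /* [i] data transfer direction */
+- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */
++ unsigned char cmd_len; /* [i] SCSI command length */
+unsigned char mx_sb_len; /* [i] max length to write to sbp */
+unsigned short iovec_count; /* [i] 0 implies no scatter gather */
+unsigned int dxfer_len; /* [i] byte count of data transfer */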
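Review bot: Nothing in this patch bounds `sfp->next_cmd_len` against the new `cmnd[SG_MAX_CDB_SIZE]` buffers: the `@@ -601,12 +605,6 @@` hunk deletes the `next_cmd_len > MAX_COMMAND_SIZE` rejection, the field becomes `unsigned char` (so it can hold up to 255), and `SG_MAX_CDB_SIZE` is 252. `cmd_size = sfp->next_cmd_len` is then consumed by code after the hunk that is not shown here, so the exact copy into `cmnd` should be confirmed in the target tree. The missing bound is supplied only by Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch (`if (val > SG_MAX_CDB_SIZE) return -ENOMEM;`), which means a build that picks up 0005 without 0006 is worse off than the unpatched driver. A comment beside `#define SG_MAX_CDB_SIZE 252` such as `/* SG_NEXT_CMD_LEN must reject values above this; cmnd[] is sized by it */` would record that dependency in the source.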
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0005.patch.base64
Normal file
File diff suppressed because one or more lines are too long
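--- a/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch
+++ b/Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch
@@ -0,0 +1,29 @@
+From 0bf5dc993cf6be1b1dd716fb05c1fa84623093e5 Mon Sep 17 00:00:00 2001
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 96d635e..4a6b13b 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -978,6 +978,8 @@
+result = get_user(val, ip);
+if (result)
+return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+sfp->next_cmd_len = (val > 0) ? val : 0;
+return 0;
+case SG_GET_VERSION_NUM: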
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.10/0006.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSAwYmY1ZGM5OTNjZjZiZTFiMWRkNzE2ZmIwNWMxZmE4NDYyMzA5M2U1IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBwZXRlciBjaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkRhdGU6IFdlZCwgMTUgRmViIDIwMTcgMTQ6MTE6NTQgLTA4MDAKU3ViamVjdDogW1BBVENIXSBzY3NpOiBzZzogY2hlY2sgbGVuZ3RoIHBhc3NlZCB0byBTR19ORVhUX0NNRF9MRU4KClRoZSB1c2VyIGNhbiBjb250cm9sIHRoZSBzaXplIG9mIHRoZSBuZXh0IGNvbW1hbmQgcGFzc2VkIGFsb25nLCBidXQgdGhlCnZhbHVlIHBhc3NlZCB0byB0aGUgaW9jdGwgaXNuJ3QgY2hlY2tlZCBhZ2FpbnN0IHRoZSB1c2FibGUgbWF4IGNvbW1hbmQKc2l6ZS4KCkNoYW5nZS1JZDogSTllOGViOGNhMDU4YzAxMDNhMjJmNWQ5OWQ3NzkxOTQzMjg5M2FhNGMKQ2M6IDxzdGFibGVAdmdlci5rZXJuZWwub3JnPgpTaWduZWQtb2ZmLWJ5OiBQZXRlciBDaGFuZyA8ZHBmQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBEb3VnbGFzIEdpbGJlcnQgPGRnaWxiZXJ0QGludGVybG9nLmNvbT4KU2lnbmVkLW9mZi1ieTogTWFydGluIEsuIFBldGVyc2VuIDxtYXJ0aW4ucGV0ZXJzZW5Ab3JhY2xlLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9zY3NpL3NnLmMgYi9kcml2ZXJzL3Njc2kvc2cuYwppbmRleCA5NmQ2MzVlLi40YTZiMTNiIDEwMDY0NAotLS0gYS9kcml2ZXJzL3Njc2kvc2cuYworKysgYi9kcml2ZXJzL3Njc2kvc2cuYwpAQCAtOTc4LDYgKzk3OCw4IEBACiAJCXJlc3VsdCA9IGdldF91c2VyKHZhbCwgaXApOwogCQlpZiAocmVzdWx0KQogCQkJcmV0dXJuIHJlc3VsdDsKKwkJaWYgKHZhbCA+IFNHX01BWF9DREJfU0laRSkKKwkJCXJldHVybiAtRU5PTUVNOwogCQlzZnAtPm5leHRfY21kX2xlbiA9ICh2YWwgPiAwKSA/IHZhbCA6IDA7CiAJCXJldHVybiAwOwogCWNhc2UgU0dfR0VUX1ZFUlNJT05fTlVNOgo=
|
383
Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch
Normal file
383
Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch
Normal file
@ -0,0 +1,383 @@
|
||||
From 1f0843591703c3d664a236e2d3a7a855fa9451d6 Mon Sep 17 00:00:00 2001
|
||||
From: Jens Axboe <axboe@fb.com>
|
||||
Date: Fri, 06 Jun 2014 07:57:37 -0600
|
||||
Subject: [PATCH] BACKPORT: block: add blk_rq_set_block_pc()
|
||||
|
||||
With the optimizations around not clearing the full request at alloc
|
||||
time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC
|
||||
up to the user allocating the request.
|
||||
|
||||
Add a blk_rq_set_block_pc() that sets the command type to
|
||||
REQ_TYPE_BLOCK_PC, and properly initializes the members associated
|
||||
with this type of request. Update callers to use this function instead
|
||||
of manipulating rq->cmd_type directly.
|
||||
|
||||
Includes fixes from Christoph Hellwig <hch@lst.de> for my half-assed
|
||||
attempt.
|
||||
|
||||
Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
|
||||
Signed-off-by: Jens Axboe <axboe@fb.com>
|
||||
---
|
||||
|
||||
diff --git a/block/blk-core.c b/block/blk-core.c
|
||||
index eb0ec60..c7f7637 100644
|
||||
--- a/block/blk-core.c
|
||||
+++ b/block/blk-core.c
|
||||
@@ -1043,6 +1043,8 @@
|
||||
if (unlikely(!rq))
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
+
|
||||
for_each_bio(bio) {
|
||||
struct bio *bounce_bio = bio;
|
||||
int ret;
|
||||
@@ -1060,6 +1062,22 @@
|
||||
EXPORT_SYMBOL(blk_make_request);
|
||||
|
||||
/**
|
||||
+ * blk_rq_set_block_pc - initialize a requeest to type BLOCK_PC
|
||||
+ * @rq: request to be initialized
|
||||
+ *
|
||||
+ */
|
||||
+void blk_rq_set_block_pc(struct request *rq)
|
||||
+{
|
||||
+ rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ rq->__data_len = 0;
|
||||
+ rq->__sector = (sector_t) -1;
|
||||
+ rq->bio = rq->biotail = NULL;
|
||||
+ memset(rq->__cmd, 0, sizeof(rq->__cmd));
|
||||
+ rq->cmd = rq->__cmd;
|
||||
+}
|
||||
+EXPORT_SYMBOL(blk_rq_set_block_pc);
|
||||
+
|
||||
+/**
|
||||
* blk_requeue_request - put a request back on queue
|
||||
* @q: request queue where request should be inserted
|
||||
* @rq: request to be inserted
|
||||
diff --git a/block/bsg.c b/block/bsg.c
|
||||
index b1c1d54..8c750d5 100644
|
||||
--- a/block/bsg.c
|
||||
+++ b/block/bsg.c
|
||||
@@ -196,7 +196,6 @@
|
||||
* fill in request structure
|
||||
*/
|
||||
rq->cmd_len = hdr->request_len;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
|
||||
rq->timeout = msecs_to_jiffies(hdr->timeout);
|
||||
if (!rq->timeout)
|
||||
@@ -273,6 +272,8 @@
|
||||
rq = blk_get_request(q, rw, GFP_KERNEL);
|
||||
if (!rq)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
+
|
||||
ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
|
||||
if (ret)
|
||||
goto out;
|
||||
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
|
||||
index 260fa80..4118a81 100644
|
||||
--- a/block/scsi_ioctl.c
|
||||
+++ b/block/scsi_ioctl.c
|
||||
@@ -232,7 +232,6 @@
|
||||
* fill in request structure
|
||||
*/
|
||||
rq->cmd_len = hdr->cmd_len;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
|
||||
rq->timeout = msecs_to_jiffies(hdr->timeout);
|
||||
if (!rq->timeout)
|
||||
@@ -313,6 +312,7 @@
|
||||
rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
|
||||
if (!rq)
|
||||
return -ENOMEM;
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
|
||||
blk_put_request(rq);
|
||||
@@ -511,7 +511,7 @@
|
||||
memset(sense, 0, sizeof(sense));
|
||||
rq->sense = sense;
|
||||
rq->sense_len = 0;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
blk_execute_rq(q, disk, rq, 0);
|
||||
|
||||
@@ -544,7 +544,7 @@
|
||||
int err;
|
||||
|
||||
rq = blk_get_request(q, WRITE, __GFP_WAIT);
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
|
||||
rq->cmd[0] = cmd;
|
||||
rq->cmd[4] = data;
|
||||
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
|
||||
index ba66e44..39ffe9c 100644
|
||||
--- a/drivers/block/pktcdvd.c
|
||||
+++ b/drivers/block/pktcdvd.c
|
||||
@@ -742,6 +742,7 @@
|
||||
|
||||
rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
|
||||
WRITE : READ, __GFP_WAIT);
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
if (cgc->buflen) {
|
||||
if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
|
||||
@@ -752,7 +753,6 @@
|
||||
memcpy(rq->cmd, cgc->cmd, CDROM_PACKET_SIZE);
|
||||
|
||||
rq->timeout = 60*HZ;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
if (cgc->quiet)
|
||||
rq->cmd_flags |= REQ_QUIET;
|
||||
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index d620b44..7ab528d 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2165,6 +2165,7 @@
|
||||
ret = -ENOMEM;
|
||||
break;
|
||||
}
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
|
||||
if (ret) {
|
||||
@@ -2184,7 +2185,6 @@
|
||||
rq->cmd[9] = 0xf8;
|
||||
|
||||
rq->cmd_len = 12;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
rq->timeout = 60 * HZ;
|
||||
bio = rq->bio;
|
||||
|
||||
diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
|
||||
index 04c5cea..36fb68c 100644
|
||||
--- a/drivers/scsi/device_handler/scsi_dh_alua.c
|
||||
+++ b/drivers/scsi/device_handler/scsi_dh_alua.c
|
||||
@@ -111,6 +111,7 @@
|
||||
"%s: blk_get_request failed\n", __func__);
|
||||
return NULL;
|
||||
}
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
|
||||
blk_put_request(rq);
|
||||
@@ -119,7 +120,6 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
|
||||
REQ_FAILFAST_DRIVER;
|
||||
rq->retries = ALUA_FAILOVER_RETRIES;
|
||||
diff --git a/drivers/scsi/device_handler/scsi_dh_emc.c b/drivers/scsi/device_handler/scsi_dh_emc.c
|
||||
index e1c8be0..6f07f7f 100644
|
||||
--- a/drivers/scsi/device_handler/scsi_dh_emc.c
|
||||
+++ b/drivers/scsi/device_handler/scsi_dh_emc.c
|
||||
@@ -280,6 +280,7 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
rq->cmd_len = COMMAND_SIZE(cmd);
|
||||
rq->cmd[0] = cmd;
|
||||
|
||||
@@ -304,7 +305,6 @@
|
||||
break;
|
||||
}
|
||||
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
|
||||
REQ_FAILFAST_DRIVER;
|
||||
rq->timeout = CLARIION_TIMEOUT;
|
||||
diff --git a/drivers/scsi/device_handler/scsi_dh_hp_sw.c b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
|
||||
index 084062b..e9d9fea 100644
|
||||
--- a/drivers/scsi/device_handler/scsi_dh_hp_sw.c
|
||||
+++ b/drivers/scsi/device_handler/scsi_dh_hp_sw.c
|
||||
@@ -120,7 +120,7 @@
|
||||
if (!req)
|
||||
return SCSI_DH_RES_TEMP_UNAVAIL;
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
|
||||
REQ_FAILFAST_DRIVER;
|
||||
req->cmd_len = COMMAND_SIZE(TEST_UNIT_READY);
|
||||
@@ -250,7 +250,7 @@
|
||||
if (!req)
|
||||
return SCSI_DH_RES_TEMP_UNAVAIL;
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
req->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
|
||||
REQ_FAILFAST_DRIVER;
|
||||
req->cmd_len = COMMAND_SIZE(START_STOP);
|
||||
diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c
|
||||
index 20c4557..0439652 100644
|
||||
--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
|
||||
+++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
|
||||
@@ -279,6 +279,7 @@
|
||||
"get_rdac_req: blk_get_request failed.\n");
|
||||
return NULL;
|
||||
}
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
|
||||
if (buflen && blk_rq_map_kern(q, rq, buffer, buflen, GFP_NOIO)) {
|
||||
blk_put_request(rq);
|
||||
@@ -287,7 +288,6 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
rq->cmd_flags |= REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
|
||||
REQ_FAILFAST_DRIVER;
|
||||
rq->retries = RDAC_RETRIES;
|
||||
diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
|
||||
index c06b8e5..9ad3ac7 100644
|
||||
--- a/drivers/scsi/osd/osd_initiator.c
|
||||
+++ b/drivers/scsi/osd/osd_initiator.c
|
||||
@@ -1566,6 +1566,7 @@
|
||||
if (unlikely(!req))
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
+ blk_rq_set_block_pc(req);
|
||||
return req;
|
||||
}
|
||||
}
|
||||
@@ -1586,7 +1587,6 @@
|
||||
}
|
||||
|
||||
or->request = req;
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
req->cmd_flags |= REQ_QUIET;
|
||||
|
||||
req->timeout = or->timeout;
|
||||
@@ -1604,7 +1604,7 @@
|
||||
ret = PTR_ERR(req);
|
||||
goto out;
|
||||
}
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
or->in.req = or->request->next_rq = req;
|
||||
}
|
||||
} else if (has_in)
|
||||
diff --git a/drivers/scsi/osst.c b/drivers/scsi/osst.c
|
||||
index 21883a2..0727ea7 100644
|
||||
--- a/drivers/scsi/osst.c
|
||||
+++ b/drivers/scsi/osst.c
|
||||
@@ -365,7 +365,7 @@
|
||||
if (!req)
|
||||
return DRIVER_ERROR << 24;
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
req->cmd_flags |= REQ_QUIET;
|
||||
|
||||
SRpnt->bio = NULL;
|
||||
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
|
||||
index 386f0c5..d4c31d4 100644
|
||||
--- a/drivers/scsi/scsi_error.c
|
||||
+++ b/drivers/scsi/scsi_error.c
|
||||
@@ -1624,6 +1624,8 @@
|
||||
*/
|
||||
req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);
|
||||
|
||||
+ blk_rq_set_block_pc(req);
|
||||
+
|
||||
req->cmd[0] = ALLOW_MEDIUM_REMOVAL;
|
||||
req->cmd[1] = 0;
|
||||
req->cmd[2] = 0;
|
||||
@@ -1633,7 +1635,6 @@
|
||||
|
||||
req->cmd_len = COMMAND_SIZE(req->cmd[0]);
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
req->cmd_flags |= REQ_QUIET;
|
||||
req->timeout = 10 * HZ;
|
||||
req->retries = 5;
|
||||
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
|
||||
index 5dfd749..725b405 100644
|
||||
--- a/drivers/scsi/scsi_lib.c
|
||||
+++ b/drivers/scsi/scsi_lib.c
|
||||
@@ -217,6 +217,7 @@
|
||||
req = blk_get_request(sdev->request_queue, write, __GFP_WAIT);
|
||||
if (!req)
|
||||
return ret;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
|
||||
if (bufflen && blk_rq_map_kern(sdev->request_queue, req,
|
||||
buffer, bufflen, __GFP_WAIT))
|
||||
@@ -228,7 +229,6 @@
|
||||
req->sense_len = 0;
|
||||
req->retries = retries;
|
||||
req->timeout = timeout;
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
req->cmd_flags |= flags | REQ_QUIET | REQ_PREEMPT;
|
||||
|
||||
/*
|
||||
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
|
||||
index 3ec5b33..216d31f 100644
|
||||
--- a/drivers/scsi/sg.c
|
||||
+++ b/drivers/scsi/sg.c
|
||||
@@ -1655,10 +1655,9 @@
|
||||
if (!rq)
|
||||
return -ENOMEM;
|
||||
|
||||
+ blk_rq_set_block_pc(rq);
|
||||
memcpy(rq->cmd, cmd, hp->cmd_len);
|
||||
-
|
||||
rq->cmd_len = hp->cmd_len;
|
||||
- rq->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
|
||||
srp->rq = rq;
|
||||
rq->end_io_data = srp;
|
||||
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
|
||||
index e41998c..08ad530 100644
|
||||
--- a/drivers/scsi/st.c
|
||||
+++ b/drivers/scsi/st.c
|
||||
@@ -488,7 +488,7 @@
|
||||
if (!req)
|
||||
return DRIVER_ERROR << 24;
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
+ blk_rq_set_block_pc(req);
|
||||
req->cmd_flags |= REQ_QUIET;
|
||||
|
||||
mdata->null_mapped = 1;
|
||||
diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
|
||||
index 94c905f..d28f8d1 100644
|
||||
--- a/drivers/target/target_core_pscsi.c
|
||||
+++ b/drivers/target/target_core_pscsi.c
|
||||
@@ -1083,6 +1083,8 @@
|
||||
TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
|
||||
return -ENODEV;
|
||||
}
|
||||
+
|
||||
+ blk_rq_set_block_pc(req);
|
||||
} else {
|
||||
BUG_ON(!task->task_size);
|
||||
|
||||
@@ -1104,7 +1106,6 @@
|
||||
}
|
||||
}
|
||||
|
||||
- req->cmd_type = REQ_TYPE_BLOCK_PC;
|
||||
req->end_io = pscsi_req_done;
|
||||
req->end_io_data = task;
|
||||
req->cmd_len = scsi_command_size(pt->pscsi_cdb);
|
||||
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
|
||||
index 21dc2aa..f37d1f0 100644
|
||||
--- a/include/linux/blkdev.h
|
||||
+++ b/include/linux/blkdev.h
|
||||
@@ -675,6 +675,7 @@
|
||||
extern struct request *blk_get_request(struct request_queue *, int, gfp_t);
|
||||
extern struct request *blk_make_request(struct request_queue *, struct bio *,
|
||||
gfp_t);
|
||||
+extern void blk_rq_set_block_pc(struct request *);
|
||||
extern void blk_requeue_request(struct request_queue *, struct request *);
|
||||
extern int blk_reinsert_request(struct request_queue *q, struct request *rq);
|
||||
extern bool blk_reinsert_req_sup(struct request_queue *q);
|
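Review bot: `blk_rq_set_block_pc()` writes through `rq` unconditionally, and several converted call sites pass it the result of `blk_get_request()` with no NULL test in between: the `scsi_error.c` hunk (`req = blk_get_request(sdev->request_queue, READ, GFP_KERNEL);`), the last `scsi_ioctl.c` hunk that allocates with `__GFP_WAIT`, and the first `pktcdvd.c` hunk. Other hunks in this same patch (`bsg.c`, the `@@ -313,6 +312,7 @@` hunk of `scsi_ioctl.c`, `scsi_lib.c`) do test `if (!rq)` first, so the unchecked sites should either get the same guard, for example `if (!req) return;` adapted to each function's return type, or a comment stating why the allocation cannot fail there. The old code dereferenced the pointer at those sites too, so this is not a regression, but a backport applied for a CVE series is a natural place to close it. The functions start and end outside their hunks, so the right error path for each is not visible here.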
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0001.patch.base64
Normal file
File diff suppressed because one or more lines are too long
263
Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch
Normal file
263
Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch
Normal file
@ -0,0 +1,263 @@
|
||||
From 8093bf02878aa659cfcf8cbfc272b2ad45eef24f Mon Sep 17 00:00:00 2001
|
||||
From: Douglas Gilbert <dgilbert@interlog.com>
|
||||
Date: Tue, 03 Jun 2014 13:18:18 -0400
|
||||
Subject: [PATCH] BACKPORT: sg: relax 16 byte cdb restriction
|
||||
|
||||
- remove the 16 byte CDB (SCSI command) length limit from the sg driver
|
||||
by handling longer CDBs the same way as the bsg driver. Remove comment
|
||||
from sg.h public interface about the cmd_len field being limited to 16
|
||||
bytes.
|
||||
- remove some dead code caused by this change
|
||||
- cleanup comment block at the top of sg.h, fix urls
|
||||
|
||||
Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755
|
||||
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
|
||||
Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
|
||||
Reviewed-by: Hannes Reinecke <hare@suse.de>
|
||||
Signed-off-by: Christoph Hellwig <hch@lst.de>
|
||||
---
|
||||
|
||||
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
|
||||
index 216d31f..56178bc 100644
|
||||
--- a/drivers/scsi/sg.c
|
||||
+++ b/drivers/scsi/sg.c
|
||||
@@ -7,9 +7,7 @@
|
||||
* Original driver (sg.c):
|
||||
* Copyright (C) 1992 Lawrence Foard
|
||||
* Version 2 and 3 extensions to driver:
|
||||
- * Copyright (C) 1998 - 2005 Douglas Gilbert
|
||||
- *
|
||||
- * Modified 19-JAN-1998 Richard Gooch <rgooch@atnf.csiro.au> Devfs support
|
||||
+ * Copyright (C) 1998 - 2014 Douglas Gilbert
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@@ -18,11 +16,11 @@
|
||||
*
|
||||
*/
|
||||
|
||||
-static int sg_version_num = 30534; /* 2 digits for each component */
|
||||
-#define SG_VERSION_STR "3.5.34"
|
||||
+static int sg_version_num = 30536; /* 2 digits for each component */
|
||||
+#define SG_VERSION_STR "3.5.36"
|
||||
|
||||
/*
|
||||
- * D. P. Gilbert (dgilbert@interlog.com, dougg@triode.net.au), notes:
|
||||
+ * D. P. Gilbert (dgilbert@interlog.com), notes:
|
||||
* - scsi logging is available via SCSI_LOG_TIMEOUT macros. First
|
||||
* the kernel/module needs to be built with CONFIG_SCSI_LOGGING
|
||||
* (otherwise the macros compile to empty statements).
|
||||
@@ -63,7 +61,7 @@
|
||||
|
||||
#ifdef CONFIG_SCSI_PROC_FS
|
||||
#include <linux/proc_fs.h>
|
||||
-static char *sg_version_date = "20061027";
|
||||
+static char *sg_version_date = "20140603";
|
||||
|
||||
static int sg_proc_init(void);
|
||||
static void sg_proc_cleanup(void);
|
||||
@@ -72,6 +70,12 @@
|
||||
#define SG_ALLOW_DIO_DEF 0
|
||||
|
||||
#define SG_MAX_DEVS 32768
|
||||
+
|
||||
+/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type
|
||||
+ * of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater
|
||||
+ * than 16 bytes are "variable length" whose length is a multiple of 4
|
||||
+ */
|
||||
+#define SG_MAX_CDB_SIZE 252
|
||||
|
||||
/*
|
||||
* Suppose you want to calculate the formula muldiv(x,m,d)=int(x * m / d)
|
||||
@@ -159,7 +163,7 @@
|
||||
char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */
|
||||
volatile char closed; /* 1 -> fd closed but request(s) outstanding */
|
||||
char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
|
||||
- char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */
|
||||
+ unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
|
||||
char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
|
||||
char mmap_called; /* 0 -> mmap() never called on this fd */
|
||||
struct kref f_ref;
|
||||
@@ -542,7 +546,7 @@
|
||||
Sg_request *srp;
|
||||
struct sg_header old_hdr;
|
||||
sg_io_hdr_t *hp;
|
||||
- unsigned char cmnd[MAX_COMMAND_SIZE];
|
||||
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
|
||||
|
||||
if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
|
||||
return -EINVAL;
|
||||
@@ -577,12 +581,6 @@
|
||||
buf += SZ_SG_HEADER;
|
||||
__get_user(opcode, buf);
|
||||
if (sfp->next_cmd_len > 0) {
|
||||
- if (sfp->next_cmd_len > MAX_COMMAND_SIZE) {
|
||||
- SCSI_LOG_TIMEOUT(1, printk("sg_write: command length too long\n"));
|
||||
- sfp->next_cmd_len = 0;
|
||||
- sg_remove_request(sfp, srp);
|
||||
- return -EIO;
|
||||
- }
|
||||
cmd_size = sfp->next_cmd_len;
|
||||
sfp->next_cmd_len = 0; /* reset so only this write() effected */
|
||||
} else {
|
||||
@@ -654,7 +652,7 @@
|
||||
int k;
|
||||
Sg_request *srp;
|
||||
sg_io_hdr_t *hp;
|
||||
- unsigned char cmnd[MAX_COMMAND_SIZE];
|
||||
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
|
||||
int timeout;
|
||||
unsigned long ul_timeout;
|
||||
|
||||
@@ -1647,15 +1645,27 @@
|
||||
struct request_queue *q = sfp->parentdp->device->request_queue;
|
||||
struct rq_map_data *md, map_data;
|
||||
int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ;
|
||||
+ unsigned char *long_cmdp = NULL;
|
||||
|
||||
SCSI_LOG_TIMEOUT(4, printk(KERN_INFO "sg_start_req: dxfer_len=%d\n",
|
||||
dxfer_len));
|
||||
|
||||
+ if (hp->cmd_len > BLK_MAX_CDB) {
|
||||
+ long_cmdp = kzalloc(hp->cmd_len, GFP_KERNEL);
|
||||
+ if (!long_cmdp)
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+
|
||||
rq = blk_get_request(q, rw, GFP_ATOMIC);
|
||||
- if (!rq)
|
||||
+ if (!rq) {
|
||||
+ kfree(long_cmdp);
|
||||
return -ENOMEM;
|
||||
+ }
|
||||
|
||||
blk_rq_set_block_pc(rq);
|
||||
+
|
||||
+ if (hp->cmd_len > BLK_MAX_CDB)
|
||||
+ rq->cmd = long_cmdp;
|
||||
memcpy(rq->cmd, cmd, hp->cmd_len);
|
||||
rq->cmd_len = hp->cmd_len;
|
||||
|
||||
@@ -1740,6 +1750,8 @@
|
||||
if (srp->bio)
|
||||
ret = blk_rq_unmap_user(srp->bio);
|
||||
|
||||
+ if (srp->rq->cmd != srp->rq->__cmd)
|
||||
+ kfree(srp->rq->cmd);
|
||||
blk_put_request(srp->rq);
|
||||
}
|
||||
|
||||
diff --git a/include/scsi/sg.h b/include/scsi/sg.h
|
||||
index a9f3c6f..d8c0c43 100644
|
||||
--- a/include/scsi/sg.h
|
||||
+++ b/include/scsi/sg.h
|
||||
@@ -4,77 +4,34 @@
|
||||
#include <linux/compiler.h>
|
||||
|
||||
/*
|
||||
- History:
|
||||
- Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
|
||||
- process control of SCSI devices.
|
||||
- Development Sponsored by Killy Corp. NY NY
|
||||
-Original driver (sg.h):
|
||||
-* Copyright (C) 1992 Lawrence Foard
|
||||
-Version 2 and 3 extensions to driver:
|
||||
-* Copyright (C) 1998 - 2006 Douglas Gilbert
|
||||
-
|
||||
- Version: 3.5.34 (20060920)
|
||||
- This version is for 2.6 series kernels.
|
||||
-
|
||||
- For a full changelog see http://www.torque.net/sg
|
||||
-
|
||||
-Map of SG verions to the Linux kernels in which they appear:
|
||||
- ---------- ----------------------------------
|
||||
- original all kernels < 2.2.6
|
||||
- 2.1.40 2.2.20
|
||||
- 3.0.x optional version 3 sg driver for 2.2 series
|
||||
- 3.1.17++ 2.4.0++
|
||||
- 3.5.30++ 2.6.0++
|
||||
-
|
||||
-Major new features in SG 3.x driver (cf SG 2.x drivers)
|
||||
- - SG_IO ioctl() combines function if write() and read()
|
||||
- - new interface (sg_io_hdr_t) but still supports old interface
|
||||
- - scatter/gather in user space, direct IO, and mmap supported
|
||||
-
|
||||
- The normal action of this driver is to use the adapter (HBA) driver to DMA
|
||||
- data into kernel buffers and then use the CPU to copy the data into the
|
||||
- user space (vice versa for writes). That is called "indirect" IO due to
|
||||
- the double handling of data. There are two methods offered to remove the
|
||||
- redundant copy: 1) direct IO and 2) using the mmap() system call to map
|
||||
- the reserve buffer (this driver has one reserve buffer per fd) into the
|
||||
- user space. Both have their advantages.
|
||||
- In terms of absolute speed mmap() is faster. If speed is not a concern,
|
||||
- indirect IO should be fine. Read the documentation for more information.
|
||||
-
|
||||
- ** N.B. To use direct IO 'echo 1 > /proc/scsi/sg/allow_dio' or
|
||||
- 'echo 1 > /sys/module/sg/parameters/allow_dio' is needed.
|
||||
- That attribute is 0 by default. **
|
||||
-
|
||||
- Historical note: this SCSI pass-through driver has been known as "sg" for
|
||||
- a decade. In broader kernel discussions "sg" is used to refer to scatter
|
||||
- gather techniques. The context should clarify which "sg" is referred to.
|
||||
-
|
||||
- Documentation
|
||||
- =============
|
||||
- A web site for the SG device driver can be found at:
|
||||
- http://www.torque.net/sg [alternatively check the MAINTAINERS file]
|
||||
- The documentation for the sg version 3 driver can be found at:
|
||||
- http://www.torque.net/sg/p/sg_v3_ho.html
|
||||
- This is a rendering from DocBook source [change the extension to "sgml"
|
||||
- or "xml"]. There are renderings in "ps", "pdf", "rtf" and "txt" (soon).
|
||||
- The SG_IO ioctl is now found in other parts kernel (e.g. the block layer).
|
||||
- For more information see http://www.torque.net/sg/sg_io.html
|
||||
-
|
||||
- The older, version 2 documents discuss the original sg interface in detail:
|
||||
- http://www.torque.net/sg/p/scsi-generic.txt
|
||||
- http://www.torque.net/sg/p/scsi-generic_long.txt
|
||||
- Also available: <kernel_source>/Documentation/scsi/scsi-generic.txt
|
||||
-
|
||||
- Utility and test programs are available at the sg web site. They are
|
||||
- packaged as sg3_utils (for the lk 2.4 and 2.6 series) and sg_utils
|
||||
- (for the lk 2.2 series).
|
||||
-*/
|
||||
+ * History:
|
||||
+ * Started: Aug 9 by Lawrence Foard (entropy@world.std.com), to allow user
|
||||
+ * process control of SCSI devices.
|
||||
+ * Development Sponsored by Killy Corp. NY NY
|
||||
+ *
|
||||
+ * Original driver (sg.h):
|
||||
+ * Copyright (C) 1992 Lawrence Foard
|
||||
+ * Version 2 and 3 extensions to driver:
|
||||
+ * Copyright (C) 1998 - 2014 Douglas Gilbert
|
||||
+ *
|
||||
+ * Version: 3.5.36 (20140603)
|
||||
+ * This version is for 2.6 and 3 series kernels.
|
||||
+ *
|
||||
+ * Documentation
|
||||
+ * =============
|
||||
+ * A web site for the SG device driver can be found at:
|
||||
+ * http://sg.danny.cz/sg [alternatively check the MAINTAINERS file]
|
||||
+ * The documentation for the sg version 3 driver can be found at:
|
||||
+ * http://sg.danny.cz/sg/p/sg_v3_ho.html
|
||||
+ * Also see: <kernel_source>/Documentation/scsi/scsi-generic.txt
|
||||
+ *
|
||||
+ * For utility and test programs see: http://sg.danny.cz/sg/sg3_utils.html
|
||||
+ */
|
||||
|
||||
#ifdef __KERNEL__
|
||||
extern int sg_big_buff; /* for sysctl */
|
||||
#endif
|
||||
|
||||
-/* New interface introduced in the 3.x SG drivers follows */
|
||||
|
||||
typedef struct sg_iovec /* same structure as used by readv() Linux system */
|
||||
{ /* call. It defines one scatter-gather element. */
|
||||
@@ -87,7 +44,7 @@
|
||||
{
|
||||
int interface_id; /* [i] 'S' for SCSI generic (required) */
|
||||
int dxfer_direction; /* [i] data transfer direction */
|
||||
- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */
|
||||
+ unsigned char cmd_len; /* [i] SCSI command length */
|
||||
unsigned char mx_sb_len; /* [i] max length to write to sbp */
|
||||
unsigned short iovec_count; /* [i] 0 implies no scatter gather */
|
||||
unsigned int dxfer_len; /* [i] byte count of data transfer */
|
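Review bot: The `@@ -577,12 +581,6 @@` hunk deletes the `sfp->next_cmd_len > MAX_COMMAND_SIZE` rejection without putting a new bound in its place, while `cmnd` only grows to `SG_MAX_CDB_SIZE` (252) and `next_cmd_len` becomes an `unsigned char`, which can hold values up to 255. As the hunk stands, `cmd_size = sfp->next_cmd_len;` is taken on trust, and the series only closes the gap at the ioctl setter in 0003.patch. I would keep the deleted block and change only its limit, `if (sfp->next_cmd_len > sizeof(cmnd)) {`, so the stack buffer stays protected at the point of use even if 0003.patch is dropped or reordered in a given kernel tree. The enclosing write function starts and ends outside the hunk, so any later check on `cmd_size` is not visible here.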
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0002.patch.base64
Normal file
File diff suppressed because one or more lines are too long
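--- a/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch
+++ b/Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch
@@ -0,0 +1,29 @@
+From c38b9d2d38678815745eae28512a03d5e1a3dcf1 Mon Sep 17 00:00:00 2001
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: [PATCH] scsi: sg: check length passed to SG_NEXT_CMD_LEN
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Change-Id: Icbb33a63776954de662eb858ede300fbcb3710f4
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 56178bc..84f5a76 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -959,6 +959,8 @@
+result = get_user(val, ip);
+if (result)
+return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+sfp->next_cmd_len = (val > 0) ? val : 0;
+return 0;
+case SG_GET_VERSION_NUM: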
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7187/3.4/0003.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
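--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch
+++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch
@@ -0,0 +1,90 @@
+From ac8b4b8f6976c6f63704c2f1e3dc464bfa6a5256 Mon Sep 17 00:00:00 2001
+From: Xiaojun Sang <xsang@codeaurora.org>
+Date: Fri, 24 Feb 2017 16:13:20 +0800
+Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6v2: set pointer to NULL after free.
+
+Pointer after kfree is not sanitized.
+Set pointer to NULL.
+
+CRs-Fixed: 2008031
+Change-Id: Ia59a57fcd142a6ed18d168992b8da4019314afa4
+Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
+Signed-off-by: Bikshapathi Kothapeta <bkotha@codeaurora.org>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
+index 3284380..f4a9a4d 100644
+--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
+@@ -391,6 +391,7 @@
+SNDRV_PCM_STREAM_PLAYBACK);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ compr->prtd = NULL;
+return 0;
+}
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
+index 98401d9..f93029c 100644
+--- a/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-multi-ch-pcm-q6-v2.c
+@@ -503,6 +503,7 @@
+multi_ch_pcm_audio.prtd = NULL;
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+@@ -595,6 +596,7 @@
+SNDRV_PCM_STREAM_CAPTURE);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
+index b6ecaa6..68a6b3d 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-afe-v2.c
+@@ -396,6 +396,7 @@
+mutex_unlock(&prtd->lock);
+prtd->prepared--;
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+static int msm_afe_prepare(struct snd_pcm_substream *substream)
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
+index a6c8f16..9c575a5 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-lpa-v2.c
+@@ -391,6 +391,7 @@
+pr_debug("%s\n", __func__);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+index 57ccea1..f5846ca 100644
+--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+@@ -446,6 +446,7 @@
+SNDRV_PCM_STREAM_PLAYBACK);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+@@ -538,6 +539,7 @@
+SNDRV_PCM_STREAM_CAPTURE);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}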
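Review bot: The `msm-compr-q6-v2.c` hunk clears `compr->prtd` after `kfree(prtd)`, whereas every other hunk in this patch clears `runtime->private_data`. The declarations of `compr` and `prtd` are outside the hunk, so please confirm that `compr` is not the object just freed, or one that contains it; if it is, `compr->prtd = NULL;` is itself a write to freed memory and the stale `runtime->private_data` is left in place. If the layout matches the other files, `runtime->private_data = NULL;` would be the consistent line here. Every close function touched by this patch starts outside its hunk.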
1
Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8246/3.4/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
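--- a/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch
+++ b/Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch
@@ -0,0 +1,162 @@
+From 5b3fcb8c073ea1762744eeb74d2e8301a8728d7b Mon Sep 17 00:00:00 2001
+From: Xiaojun Sang <xsang@codeaurora.org>
+Date: Fri, 24 Feb 2017 16:13:20 +0800
+Subject: [PATCH] BACKPORT: ASoC: msm: qdsp6: set pointer to NULL after free.
+
+Pointer after kfree is not sanitized.
+Set pointer to NULL.
+
+CRs-Fixed: 2008031
+Change-Id: I765a59a2059ba7a0fc16f70a1a8b92f57297a907
+Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
+Signed-off-by: Bikshapathi Kothapeta <bkotha@codeaurora.org>
+---
+
+diff --git a/sound/soc/msm/msm-lowlatency-pcm-q6.c b/sound/soc/msm/msm-lowlatency-pcm-q6.c
+index ad7ae1f..0f323c4 100644
+--- a/sound/soc/msm/msm-lowlatency-pcm-q6.c
++++ b/sound/soc/msm/msm-lowlatency-pcm-q6.c
+@@ -504,6 +504,7 @@
+SNDRV_PCM_STREAM_PLAYBACK);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+@@ -596,6 +597,7 @@
+SNDRV_PCM_STREAM_CAPTURE);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/msm-multi-ch-pcm-q6.c b/sound/soc/msm/msm-multi-ch-pcm-q6.c
+index 999683e..59072ec 100644
+--- a/sound/soc/msm/msm-multi-ch-pcm-q6.c
++++ b/sound/soc/msm/msm-multi-ch-pcm-q6.c
+@@ -576,6 +576,7 @@
+multi_ch_pcm_audio.prtd = NULL;
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+@@ -668,6 +669,7 @@
+SNDRV_PCM_STREAM_CAPTURE);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/msm-pcm-afe.c b/sound/soc/msm/msm-pcm-afe.c
+index 66043d1..a93d58b 100644
+--- a/sound/soc/msm/msm-pcm-afe.c
++++ b/sound/soc/msm/msm-pcm-afe.c
+@@ -326,6 +326,7 @@
+pr_debug("%s: Could not allocate memory\n", __func__);
+mutex_unlock(&prtd->lock);
+kfree(prtd);
++ runtime->private_data = NULL;
+return -ENOMEM;
+}
+hrtimer_init(&prtd->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+@@ -409,6 +410,7 @@
+mutex_unlock(&prtd->lock);
+prtd->prepared--;
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+static int msm_afe_prepare(struct snd_pcm_substream *substream)
+diff --git a/sound/soc/msm/msm-pcm-q6.c b/sound/soc/msm/msm-pcm-q6.c
+index 16e1415..da696d0 100644
+--- a/sound/soc/msm/msm-pcm-q6.c
++++ b/sound/soc/msm/msm-pcm-q6.c
+@@ -509,6 +509,7 @@
+SNDRV_PCM_STREAM_PLAYBACK);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+@@ -604,6 +605,7 @@
+msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id,
+SNDRV_PCM_STREAM_CAPTURE);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/msm7k-pcm.c b/sound/soc/msm/msm7k-pcm.c
+index a9193a2..50983a0 100644
+--- a/sound/soc/msm/msm7k-pcm.c
++++ b/sound/soc/msm/msm7k-pcm.c
+@@ -393,6 +393,7 @@
+msm_adsp_put(prtd->audrec);
+msm_adsp_put(prtd->audpre);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+@@ -449,6 +450,7 @@
+
+out:
+kfree(prtd);
++ runtime->private_data = NULL;
+return ret;
+}
+
+@@ -492,6 +494,7 @@
+alsa_audio_disable(prtd);
+audmgr_close(&prtd->audmgr);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+diff --git a/sound/soc/msm/msm7kv2-pcm.c b/sound/soc/msm/msm7kv2-pcm.c
+index 2b7a438..252e1f0 100644
+--- a/sound/soc/msm/msm7kv2-pcm.c
++++ b/sound/soc/msm/msm7kv2-pcm.c
+@@ -520,6 +520,7 @@
+alsa_audio_disable(prtd);
+auddev_unregister_evt_listner(AUDDEV_CLNT_DEC, prtd->session_id);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+@@ -574,6 +575,7 @@
+audpreproc_aenc_free(prtd->session_id);
+msm_adsp_put(prtd->audrec);
+kfree(prtd);
++ runtime->private_data = NULL;
+return 0;
+}
+
+diff --git a/sound/soc/msm/msm8x60-pcm.c b/sound/soc/msm/msm8x60-pcm.c
+index 7993435..bfbea5c 100644
+--- a/sound/soc/msm/msm8x60-pcm.c
++++ b/sound/soc/msm/msm8x60-pcm.c
+@@ -534,6 +534,7 @@
+msm_clear_session_id(prtd->session_id);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}
+@@ -627,6 +628,7 @@
+msm_clear_session_id(prtd->session_id);
+q6asm_audio_client_free(prtd->audio_client);
+kfree(prtd);
++ runtime->private_data = NULL;
+
+return 0;
+}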
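Review bot: Every hunk of this backport clears the pointer only after `kfree(prtd)`, so `runtime->private_data` still holds the freed address for a short window. Since `prtd` is a local copy, swapping the two lines to `runtime->private_data = NULL;` followed by `kfree(prtd);` closes that window at no cost. Clearing the pointer only helps if the other PCM callbacks test `runtime->private_data` for NULL before dereferencing it; these hunks do not show that, so it should be confirmed for each driver. In the two msm-pcm-afe.c hunks the mutex dropped just before the free is `prtd->lock`, a member of the object being freed, so it cannot serialise the free against another holder of the same pointer. The enclosing functions start outside every hunk.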
1
Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8246/3.4/0002.patch.base64
Normal file
File diff suppressed because one or more lines are too long
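--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch
+++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch
@@ -0,0 +1,47 @@
+From 338a5cecf0f839331f0a58bff8aaae79e134799e Mon Sep 17 00:00:00 2001
+From: Fred Oh <fred@codeaurora.org>
+Date: Tue, 07 Apr 2015 19:22:29 -0700
+Subject: [PATCH] ASoC: msm: qdsp6v2: validate audio client in callback
+
+In case of single stream multiple device(SSMD) use-case audio session is
+freed on first EOS. There are some chance to crash when 2nd EOS event is
+reached with some delay. This make sure return properly if audio client
+is not valid.
+
+Bug: 36252027
+Change-Id: I3711d8e039fc37e654ca5230f3dc8784c6dba071
+Signed-off-by: Fred Oh <fred@codeaurora.org>
+Signed-off-by: Siqi Lin <siqilin@google.com>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
+index b17a440..4f486b1 100644
+--- a/sound/soc/msm/qdsp6v2/q6asm.c
++++ b/sound/soc/msm/qdsp6v2/q6asm.c
+@@ -329,6 +329,16 @@
+return -ENOMEM;
+}
+
++static bool q6asm_is_valid_audio_client(struct audio_client *ac)
++{
++ int n;
++ for (n = 1; n <= SESSION_MAX; n++) {
++ if (session[n] == ac)
++ return 1;
++ }
++ return 0;
++}
++
+static void q6asm_session_free(struct audio_client *ac)
+{
+pr_debug("%s: sessionid[%d]\n", __func__, ac->session);
+@@ -905,7 +915,8 @@
+pr_err("ac or priv NULL\n");
+return -EINVAL;
+}
+- if (ac->session <= 0 || ac->session > 8 ||
++ if (ac->session <= 0 || ac->session > 8 ||
++ !q6asm_is_valid_audio_client(ac)) {
+pr_err("%s:Session ID is invalid, session = %d\n", __func__,
+ac->session);
+return -EINVAL;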
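Review bot: `q6asm_is_valid_audio_client()` walks `session[]` with no lock visible in the hunk, so a session freed right after the lookup would still pass the check and be used by the rest of the callback. Whether the table is protected elsewhere cannot be seen from here; if it is not, the lookup and the later use of `ac` should run under the same lock that `q6asm_session_free()` takes. The loop indexes `session[1]` through `session[SESSION_MAX]`, which assumes the array has `SESSION_MAX + 1` entries, and its declaration is outside the hunk. Smaller points: a `bool` function should `return true;` / `return false;`, and the range test in the second hunk keeps the literal `8` where `ac->session > SESSION_MAX` would track the table size, if the two limits are meant to be the same.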
1
Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8254/3.4/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
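--- a/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch
+++ b/Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch
@@ -0,0 +1,38 @@
+From fd6890b6c55c2ced15b7165cc658eb83dafc7eb1 Mon Sep 17 00:00:00 2001
+From: Aravind Kumar <akumark@codeaurora.org>
+Date: Mon, 11 May 2015 15:26:27 +0530
+Subject: [PATCH] ASoC: msm: qdsp6v2: check audio client pointer before accessing
+
+In the registered callback for q6asm, we are checking if
+the audio client pointer is valid and also, dereferencing it
+to get the session ID even though it could be invalid or expired.
+Return and exit immediately if the audio client pointer is
+invalid.
+
+Bug: 36252027
+CRs-Fixed: 832914
+Change-Id: I96b722b584a4b5adf8a33891abd75a320e76ea25
+Signed-off-by: Aravind Kumar <akumark@codeaurora.org>
+Signed-off-by: Siqi Lin <siqilin@google.com>
+---
+
+diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
+index 4f486b1..20e2cef 100644
+--- a/sound/soc/msm/qdsp6v2/q6asm.c
++++ b/sound/soc/msm/qdsp6v2/q6asm.c
+@@ -915,8 +915,13 @@
+pr_err("ac or priv NULL\n");
+return -EINVAL;
+}
+- if (ac->session <= 0 || ac->session > 8 ||
+- !q6asm_is_valid_audio_client(ac)) {
++ if (!q6asm_is_valid_audio_client(ac)) {
++ pr_err("%s: audio client pointer is invalid, ac = %p\n",
++ __func__, ac);
++ return -EINVAL;
++ }
++
++ if (ac->session <= 0 || ac->session > 8) {
+pr_err("%s:Session ID is invalid, session = %d\n", __func__,
+ac->session);
+return -EINVAL;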
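Review bot: The new `pr_err` prints the rejected pointer with `%p`, which on a 3.4 kernel writes the raw kernel heap address to the log, and the address here is by definition a stale or untrusted one. Use the restricted specifier instead: `pr_err("%s: audio client pointer is invalid, ac = %pK\n", __func__, ac);`, so the value follows `kptr_restrict`. Separately, the validity lookup and the `ac->session` read that follows are not shown to run under a common lock, so the session could still be freed between them; confirm that against the callers. The callback's body starts and continues outside the hunk.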
1
Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8254/3.4/0002.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
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
|
@ -1107,6 +1107,8 @@ CVE-2016-9191
|
||||
CVE-2016-9555
|
||||
Link - https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
|
||||
CVE-2016-9576
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/176402/
|
||||
Link - 3.10 - https://review.lineageos.org/#/c/175603/
|
||||
Link - https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
|
||||
CVE-2016-9604
|
||||
Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44c037827f0aeddbbbb323930fa3d09a7b4fffca
|
||||
@ -1581,6 +1583,12 @@ CVE-2017-7184
|
||||
Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a
|
||||
Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df
|
||||
CVE-2017-7187
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/182338/
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/182339/
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/182340/
|
||||
Link - 3.10 - https://review.lineageos.org/#/c/175571/
|
||||
Link - 3.10 - https://review.lineageos.org/#/c/175572/
|
||||
Link - 3.10 - https://review.lineageos.org/#/c/175573/
|
||||
Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124
|
||||
CVE-2017-7277
|
||||
Depends
|
||||
@ -1666,6 +1674,8 @@ CVE-2017-8245
|
||||
Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=f53af3805879292423465cd0877cc7a75131ce10
|
||||
Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=5b2f6e011ba92f28e8d7dbeb11c4ee7344c33186
|
||||
CVE-2017-8246
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/185429/
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/185430/
|
||||
Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=578eb74435eccdc3df516fd744941a7d872fac6c
|
||||
Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=30baaec8afb05abf9f794c631ad944838d498ab8
|
||||
Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9734b72ae21eca557540c3c42d356dd131a20004
|
||||
@ -1679,6 +1689,8 @@ CVE-2017-8251
|
||||
CVE-2017-8253
|
||||
Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5f07894058c4198f61e533d727b343c5be879b0
|
||||
CVE-2017-8254
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/188837/
|
||||
Link - 3.4 - https://review.lineageos.org/#/c/188838/
|
||||
Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=70afce1d9be745005c48fd565c01ce452a565e7e
|
||||
CVE-2017-8256
|
||||
Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=75e1e00d6b3cd4cb89fd5314a60c333aa0b03230
|
||||
|