Many new CVE patches

Patches/Linux_CVEs/CVE-2013-7446/^4.3/0002.patch

@@ -0,0 +1,334 @@
+From 8a292b04183e82d59721ab0893e4216010aa3db9 Mon Sep 17 00:00:00 2001
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Fri, 20 Nov 2015 22:07:23 +0000
+Subject: [PATCH] BACKPORT: unix: avoid use-after-free in ep_remove_wait_queue
+
+Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
+An AF_UNIX datagram socket being the client in an n:1 association with
+some server socket is only allowed to send messages to the server if the
+receive queue of this socket contains at most sk_max_ack_backlog
+datagrams. This implies that prospective writers might be forced to go
+to sleep despite none of the message presently enqueued on the server
+receive queue were sent by them. In order to ensure that these will be
+woken up once space becomes again available, the present unix_dgram_poll
+routine does a second sock_poll_wait call with the peer_wait wait queue
+of the server socket as queue argument (unix_dgram_recvmsg does a wake
+up on this queue after a datagram was received). This is inherently
+problematic because the server socket is only guaranteed to remain alive
+for as long as the client still holds a reference to it. In case the
+connection is dissolved via connect or by the dead peer detection logic
+in unix_dgram_sendmsg, the server socket may be freed despite "the
+polling mechanism" (in particular, epoll) still has a pointer to the
+corresponding peer_wait queue. There's no way to forcibly deregister a
+wait queue with epoll.
+
+Based on an idea by Jason Baron, the patch below changes the code such
+that a wait_queue_t belonging to the client socket is enqueued on the
+peer_wait queue of the server whenever the peer receive queue full
+condition is detected by either a sendmsg or a poll. A wake up on the
+peer queue is then relayed to the ordinary wait queue of the client
+socket via wake function. The connection to the peer wait queue is again
+dissolved if either a wake up is about to be relayed or the client
+socket reconnects or a dead peer is detected or the client socket is
+itself closed. This enables removing the second sock_poll_wait from
+unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
+that no blocked writer sleeps forever.
+
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
+Reviewed-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Bug: 29119002
+(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c)
+Signed-off-by: Aarthi Thiruvengadam <athiru@google.com>
+
+Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
+---
+ include/net/af_unix.h |   1 +
+ net/unix/af_unix.c    | 183 ++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 165 insertions(+), 19 deletions(-)
+
+diff --git a/include/net/af_unix.h b/include/net/af_unix.h
+index dbdfd2b0f3b3d..9120783132e71 100644
+--- a/include/net/af_unix.h
++++ b/include/net/af_unix.h
+@@ -62,6 +62,7 @@ struct unix_sock {
+ #define UNIX_GC_CANDIDATE	0
+ #define UNIX_GC_MAYBE_CYCLE	1
+ 	struct socket_wq	peer_wq;
++	wait_queue_t		peer_wake;
+ };
+ #define unix_sk(__sk) ((struct unix_sock *)__sk)
+ 
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 924108f17b9a6..5e6323792a5e0 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -314,6 +314,118 @@ static struct sock *unix_find_socket_byinode(struct inode *i)
+ 	return s;
+ }
+ 
++/* Support code for asymmetrically connected dgram sockets
++ *
++ * If a datagram socket is connected to a socket not itself connected
++ * to the first socket (eg, /dev/log), clients may only enqueue more
++ * messages if the present receive queue of the server socket is not
++ * "too large". This means there's a second writeability condition
++ * poll and sendmsg need to test. The dgram recv code will do a wake
++ * up on the peer_wait wait queue of a socket upon reception of a
++ * datagram which needs to be propagated to sleeping would-be writers
++ * since these might not have sent anything so far. This can't be
++ * accomplished via poll_wait because the lifetime of the server
++ * socket might be less than that of its clients if these break their
++ * association with it or if the server socket is closed while clients
++ * are still connected to it and there's no way to inform "a polling
++ * implementation" that it should let go of a certain wait queue
++ *
++ * In order to propagate a wake up, a wait_queue_t of the client
++ * socket is enqueued on the peer_wait queue of the server socket
++ * whose wake function does a wake_up on the ordinary client socket
++ * wait queue. This connection is established whenever a write (or
++ * poll for write) hit the flow control condition and broken when the
++ * association to the server socket is dissolved or after a wake up
++ * was relayed.
++ */
++
++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
++				      void *key)
++{
++	struct unix_sock *u;
++	wait_queue_head_t *u_sleep;
++
++	u = container_of(q, struct unix_sock, peer_wake);
++
++	__remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
++			    q);
++	u->peer_wake.private = NULL;
++
++	/* relaying can only happen while the wq still exists */
++	u_sleep = sk_sleep(&u->sk);
++	if (u_sleep)
++		wake_up_interruptible_poll(u_sleep, key);
++
++	return 0;
++}
++
++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
++{
++	struct unix_sock *u, *u_other;
++	int rc;
++
++	u = unix_sk(sk);
++	u_other = unix_sk(other);
++	rc = 0;
++	spin_lock(&u_other->peer_wait.lock);
++
++	if (!u->peer_wake.private) {
++		u->peer_wake.private = other;
++		__add_wait_queue(&u_other->peer_wait, &u->peer_wake);
++
++		rc = 1;
++	}
++
++	spin_unlock(&u_other->peer_wait.lock);
++	return rc;
++}
++
++static void unix_dgram_peer_wake_disconnect(struct sock *sk,
++					    struct sock *other)
++{
++	struct unix_sock *u, *u_other;
++
++	u = unix_sk(sk);
++	u_other = unix_sk(other);
++	spin_lock(&u_other->peer_wait.lock);
++
++	if (u->peer_wake.private == other) {
++		__remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
++		u->peer_wake.private = NULL;
++	}
++
++	spin_unlock(&u_other->peer_wait.lock);
++}
++
++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
++						   struct sock *other)
++{
++	unix_dgram_peer_wake_disconnect(sk, other);
++	wake_up_interruptible_poll(sk_sleep(sk),
++				   POLLOUT |
++				   POLLWRNORM |
++				   POLLWRBAND);
++}
++
++/* preconditions:
++ *	- unix_peer(sk) == other
++ *	- association is stable
++ */
++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
++{
++	int connected;
++
++	connected = unix_dgram_peer_wake_connect(sk, other);
++
++	if (unix_recvq_full(other))
++		return 1;
++
++	if (connected)
++		unix_dgram_peer_wake_disconnect(sk, other);
++
++	return 0;
++}
++
+ static inline int unix_writable(struct sock *sk)
+ {
+ 	return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
+@@ -418,6 +530,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ 			skpair->sk_state_change(skpair);
+ 			sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
+ 		}
++
++		unix_dgram_peer_wake_disconnect(sk, skpair);
+ 		sock_put(skpair); /* It may now die */
+ 		unix_peer(sk) = NULL;
+ 	}
+@@ -651,6 +765,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
+ 	INIT_LIST_HEAD(&u->link);
+ 	mutex_init(&u->readlock); /* single task reading lock */
+ 	init_waitqueue_head(&u->peer_wait);
++	init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
+ 	unix_insert_socket(unix_sockets_unbound(sk), sk);
+ out:
+ 	if (sk == NULL)
+@@ -1020,6 +1135,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ 	if (unix_peer(sk)) {
+ 		struct sock *old_peer = unix_peer(sk);
+ 		unix_peer(sk) = other;
++		unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
++
+ 		unix_state_double_unlock(sk, other);
+ 
+ 		if (other != old_peer)
+@@ -1459,6 +1576,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	struct scm_cookie tmp_scm;
+ 	int max_level;
+ 	int data_len = 0;
++	int sk_locked;
+ 
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
+@@ -1535,12 +1653,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 		goto out_free;
+ 	}
+ 
++	sk_locked = 0;
+ 	unix_state_lock(other);
++restart_locked:
+ 	err = -EPERM;
+ 	if (!unix_may_send(sk, other))
+ 		goto out_unlock;
+ 
+-	if (sock_flag(other, SOCK_DEAD)) {
++	if (unlikely(sock_flag(other, SOCK_DEAD))) {
+ 		/*
+ 		 *	Check with 1003.1g - what should
+ 		 *	datagram error
+@@ -1548,10 +1668,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 		unix_state_unlock(other);
+ 		sock_put(other);
+ 
++		if (!sk_locked)
++			unix_state_lock(sk);
++
+ 		err = 0;
+-		unix_state_lock(sk);
+ 		if (unix_peer(sk) == other) {
+ 			unix_peer(sk) = NULL;
++			unix_dgram_peer_wake_disconnect_wakeup(sk, other);
++
+ 			unix_state_unlock(sk);
+ 
+ 			unix_dgram_disconnected(sk, other);
+@@ -1577,21 +1701,38 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 			goto out_unlock;
+ 	}
+ 
+-	if (unix_peer(other) != sk && unix_recvq_full(other)) {
+-		if (!timeo) {
+-			err = -EAGAIN;
+-			goto out_unlock;
++	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
++		if (timeo) {
++			timeo = unix_wait_for_peer(other, timeo);
++
++			err = sock_intr_errno(timeo);
++			if (signal_pending(current))
++				goto out_free;
++
++			goto restart;
+ 		}
+ 
+-		timeo = unix_wait_for_peer(other, timeo);
++		if (!sk_locked) {
++			unix_state_unlock(other);
++			unix_state_double_lock(sk, other);
++		}
+ 
+-		err = sock_intr_errno(timeo);
+-		if (signal_pending(current))
+-			goto out_free;
++		if (unix_peer(sk) != other ||
++		    unix_dgram_peer_wake_me(sk, other)) {
++			err = -EAGAIN;
++			sk_locked = 1;
++			goto out_unlock;
++		}
+ 
+-		goto restart;
++		if (!sk_locked) {
++			sk_locked = 1;
++			goto restart_locked;
++		}
+ 	}
+ 
++	if (unlikely(sk_locked))
++		unix_state_unlock(sk);
++
+ 	if (sock_flag(other, SOCK_RCVTSTAMP))
+ 		__net_timestamp(skb);
+ 	maybe_add_creds(skb, sock, other);
+@@ -1605,6 +1746,8 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	return len;
+ 
+ out_unlock:
++	if (sk_locked)
++		unix_state_unlock(sk);
+ 	unix_state_unlock(other);
+ out_free:
+ 	kfree_skb(skb);
+@@ -2243,14 +2386,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
+ 		return mask;
+ 
+ 	writable = unix_writable(sk);
+-	other = unix_peer_get(sk);
+-	if (other) {
+-		if (unix_peer(other) != sk) {
+-			sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
+-			if (unix_recvq_full(other))
+-				writable = 0;
+-		}
+-		sock_put(other);
++	if (writable) {
++		unix_state_lock(sk);
++
++		other = unix_peer(sk);
++		if (other && unix_peer(other) != sk &&
++		    unix_recvq_full(other) &&
++		    unix_dgram_peer_wake_me(sk, other))
++			writable = 0;
++
++		unix_state_unlock(sk);
+ 	}
+ 
+ 	if (writable)

Patches/Linux_CVEs/CVE-2013-7446/^4.3/0003.patch

@@ -0,0 +1,56 @@
+From 5bed19c9f463f9078063363779548c50aea271a0 Mon Sep 17 00:00:00 2001
+From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Thu, 11 Feb 2016 19:37:27 +0000
+Subject: [PATCH] UPSTREAM: af_unix: Guard against other == sk in
+ unix_dgram_sendmsg
+
+(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1)
+
+The unix_dgram_sendmsg routine use the following test
+
+if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+
+to determine if sk and other are in an n:1 association (either
+established via connect or by using sendto to send messages to an
+unrelated socket identified by address). This isn't correct as the
+specified address could have been bound to the sending socket itself or
+because this socket could have been connected to itself by the time of
+the unix_peer_get but disconnected before the unix_state_lock(other). In
+both cases, the if-block would be entered despite other == sk which
+might either block the sender unintentionally or lead to trying to unlock
+the same spin lock twice for a non-blocking send. Add a other != sk
+check to guard against this.
+
+Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
+Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
+Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
+       ("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue")
+Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Bug: 29119002
+---
+ net/unix/af_unix.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 5e6323792a5e0..204bee47aa10c 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1701,7 +1701,12 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 			goto out_unlock;
+ 	}
+ 
+-	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
++	/* other == sk && unix_peer(other) != sk if
++	 * - unix_peer(sk) == NULL, destination address bound to sk
++	 * - unix_peer(sk) == sk by time of get but disconnected before lock
++	 */
++	if (other != sk &&
++	    unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ 		if (timeo) {
+ 			timeo = unix_wait_for_peer(other, timeo);
+ 

Patches/Linux_CVEs/CVE-2014-9922/3.10/0002.patch

@@ -0,0 +1,72 @@
+From 48a6c91c1d967cc8375621509676a9eabfac5777 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Fri, 24 Oct 2014 00:14:39 +0200
+Subject: [PATCH] BACKPORT: fs: limit filesystem stacking depth
+
+Add a simple read-only counter to super_block that indicates how deep this
+is in the stack of filesystems.  Previously ecryptfs was the only stackable
+filesystem and it explicitly disallowed multiple layers of itself.
+
+Overlayfs, however, can be stacked recursively and also may be stacked
+on top of ecryptfs or vice versa.
+
+To limit the kernel stack usage we must limit the depth of the
+filesystem stack.  Initially the limit is set to 2.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+
+(cherry picked from commit 69c433ed2ecd2d3264efd7afec4439524b319121)
+
+Bug: 32761463
+Change-Id: I69b2fba2112db2ece09a1bf61a44f8fc4db00820
+---
+ fs/ecryptfs/main.c |  7 +++++++
+ include/linux/fs.h | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
+index 329a9cc2b2ebe..8a041bb0753fa 100644
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -577,6 +577,13 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
+ 	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ 	s->s_blocksize = path.dentry->d_sb->s_blocksize;
+ 	s->s_magic = ECRYPTFS_SUPER_MAGIC;
++	s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
++
++	rc = -EINVAL;
++	if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++		pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
++		goto out_free;
++	}
+ 
+ 	inode = ecryptfs_get_inode(path.dentry->d_inode, s);
+ 	rc = PTR_ERR(inode);
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 1bbd26958874f..0d1e1680f3657 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -244,6 +244,12 @@ struct iattr {
+  */
+ #include <linux/quota.h>
+ 
++/*
++ * Maximum number of layers of fs stack.  Needs to be limited to
++ * prevent kernel stack overflow
++ */
++#define FILESYSTEM_MAX_STACK_DEPTH 2
++
+ /** 
+  * enum positive_aop_returns - aop return codes with specific semantics
+  *
+@@ -1331,6 +1337,10 @@ struct super_block {
+ 
+ 	/* AIO completions deferred from interrupt context */
+ 	struct workqueue_struct *s_dio_done_wq;
++	/*
++	 * Indicates how deep in a filesystem stack this SB is
++	 */
++	int s_stack_depth;
+ };
+ 
+ /* superblock cache pruning functions */

Patches/Linux_CVEs/CVE-2014-9922/3.10/0003.patch

@@ -0,0 +1,32 @@
+From 57bc19ec472ab303209b2d96a59a619c5221594d Mon Sep 17 00:00:00 2001
+From: Andrew Chant <achant@google.com>
+Date: Wed, 8 Feb 2017 15:33:48 -0800
+Subject: [PATCH] sdcardfs: limit stacking depth
+
+Limit filesystem stacking to prevent stack overflow.
+
+Bug: 32761463
+Change-Id: I8b1462b9c0d6c7f00cf110724ffb17e7f307c51e
+Signed-off-by: Andrew Chant <achant@google.com>
+---
+ fs/sdcardfs/main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/sdcardfs/main.c b/fs/sdcardfs/main.c
+index a6522286d7314..8b51a124298f4 100755
+--- a/fs/sdcardfs/main.c
++++ b/fs/sdcardfs/main.c
+@@ -223,6 +223,13 @@ static int sdcardfs_read_super(struct super_block *sb, const char *dev_name,
+ 	atomic_inc(&lower_sb->s_active);
+ 	sdcardfs_set_lower_super(sb, lower_sb);
+ 
++	sb->s_stack_depth = lower_sb->s_stack_depth + 1;
++	if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++		pr_err("sdcardfs: maximum fs stacking depth exceeded\n");
++		err = -EINVAL;
++		goto out_sput;
++	}
++
+ 	/* inherit maxbytes from lower file system */
+ 	sb->s_maxbytes = lower_sb->s_maxbytes;
+ 

Patches/Linux_CVEs/CVE-2016-7097/3.10/0002.patch

@@ -0,0 +1,425 @@
+From 6b0c893dc08060d6999b07136391d8a298678dae Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 19 Sep 2016 17:39:09 +0200
+Subject: [PATCH] BACKPORT: posix_acl: Clear SGID bit when setting file
+ permissions
+
+(cherry pick from commit 073931017b49d9458aa351605b43a7e34598caef)
+
+When file permissions are modified via chmod(2) and the user is not in
+the owning group or capable of CAP_FSETID, the setgid bit is cleared in
+inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
+permissions as well as the new ACL, but doesn't clear the setgid bit in
+a similar way; this allows to bypass the check in chmod(2).  Fix that.
+
+NB: conflicts resolution included extending the change to all visible
+    users of the near deprecated function posix_acl_equiv_mode
+    replaced with posix_acl_update_mode. We did not resolve the ACL
+    leak in this CL, require additional upstream fixes.
+
+References: CVE-2016-7097
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Bug: 32458736
+Change-Id: I19591ad452cc825ac282b3cfd2daaa72aa9a1ac1
+---
+ fs/9p/acl.c               | 40 +++++++++++++++++-----------------------
+ fs/btrfs/acl.c            |  6 ++----
+ fs/ext2/acl.c             | 12 ++++--------
+ fs/ext3/acl.c             | 12 ++++--------
+ fs/ext4/acl.c             | 12 ++++--------
+ fs/f2fs/acl.c             |  6 ++----
+ fs/generic_acl.c          |  8 ++------
+ fs/gfs2/acl.c             | 11 +++--------
+ fs/jffs2/acl.c            |  9 ++++-----
+ fs/jfs/xattr.c            |  6 +++---
+ fs/ocfs2/acl.c            | 18 ++++++------------
+ fs/posix_acl.c            | 31 +++++++++++++++++++++++++++++++
+ fs/reiserfs/xattr_acl.c   |  8 ++------
+ fs/xfs/xfs_acl.c          | 13 +++----------
+ include/linux/posix_acl.h |  1 +
+ 15 files changed, 88 insertions(+), 105 deletions(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 7af425f53beef..9686c1f17653f 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
+ 	case ACL_TYPE_ACCESS:
+ 		name = POSIX_ACL_XATTR_ACCESS;
+ 		if (acl) {
+-			umode_t mode = inode->i_mode;
+-			retval = posix_acl_equiv_mode(acl, &mode);
+-			if (retval < 0)
++			struct iattr iattr;
++
++			retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
++			if (retval)
+ 				goto err_out;
+-			else {
+-				struct iattr iattr;
+-				if (retval == 0) {
+-					/*
+-					 * ACL can be represented
+-					 * by the mode bits. So don't
+-					 * update ACL.
+-					 */
+-					acl = NULL;
+-					value = NULL;
+-					size = 0;
+-				}
+-				/* Updte the mode bits */
+-				iattr.ia_mode = ((mode & S_IALLUGO) |
+-						 (inode->i_mode & ~S_IALLUGO));
+-				iattr.ia_valid = ATTR_MODE;
+-				/* FIXME should we update ctime ?
+-				 * What is the following setxattr update the
+-				 * mode ?
++			if (!acl) {
++				/*
++				 * ACL can be represented
++				 * by the mode bits. So don't
++				 * update ACL.
+ 				 */
+-				v9fs_vfs_setattr_dotl(dentry, &iattr);
++				value = NULL;
++				size = 0;
+ 			}
++			iattr.ia_valid = ATTR_MODE;
++			/* FIXME should we update ctime ?
++			 * What is the following setxattr update the
++			 * mode ?
++			 */
++			v9fs_vfs_setattr_dotl(dentry, &iattr);
+ 		}
+ 		break;
+ 	case ACL_TYPE_DEFAULT:
+diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
+index 0890c83643e94..d6d53e5e7945d 100644
+--- a/fs/btrfs/acl.c
++++ b/fs/btrfs/acl.c
+@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
+ 	case ACL_TYPE_ACCESS:
+ 		name = POSIX_ACL_XATTR_ACCESS;
+ 		if (acl) {
+-			ret = posix_acl_equiv_mode(acl, &inode->i_mode);
+-			if (ret < 0)
++			ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++			if (ret)
+ 				return ret;
+-			if (ret == 0)
+-				acl = NULL;
+ 		}
+ 		ret = 0;
+ 		break;
+diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
+index 110b6b371a4ed..48c3c2d7d2619 100644
+--- a/fs/ext2/acl.c
++++ b/fs/ext2/acl.c
+@@ -206,15 +206,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+ 		case ACL_TYPE_ACCESS:
+ 			name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
+ 			if (acl) {
+-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-				if (error < 0)
++				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++				if (error)
+ 					return error;
+-				else {
+-					inode->i_ctime = CURRENT_TIME_SEC;
+-					mark_inode_dirty(inode);
+-					if (error == 0)
+-						acl = NULL;
+-				}
++				inode->i_ctime = CURRENT_TIME_SEC;
++				mark_inode_dirty(inode);
+ 			}
+ 			break;
+ 
+diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c
+index dbb5ad59a7fc3..bb2f60a62d82a 100644
+--- a/fs/ext3/acl.c
++++ b/fs/ext3/acl.c
+@@ -205,15 +205,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type,
+ 		case ACL_TYPE_ACCESS:
+ 			name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
+ 			if (acl) {
+-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-				if (error < 0)
++				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++				if (error)
+ 					return error;
+-				else {
+-					inode->i_ctime = CURRENT_TIME_SEC;
+-					ext3_mark_inode_dirty(handle, inode);
+-					if (error == 0)
+-						acl = NULL;
+-				}
++				inode->i_ctime = CURRENT_TIME_SEC;
++				ext3_mark_inode_dirty(handle, inode);
+ 			}
+ 			break;
+ 
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index d40c8dbbb0d66..87d9bbf6a53f3 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -201,15 +201,11 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type,
+ 	case ACL_TYPE_ACCESS:
+ 		name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
+ 		if (acl) {
+-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-			if (error < 0)
++			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++			if (error)
+ 				return error;
+-			else {
+-				inode->i_ctime = ext4_current_time(inode);
+-				ext4_mark_inode_dirty(handle, inode);
+-				if (error == 0)
+-					acl = NULL;
+-			}
++			inode->i_ctime = ext4_current_time(inode);
++			ext4_mark_inode_dirty(handle, inode);
+ 		}
+ 		break;
+ 
+diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
+index 44abc2f286e00..9c4f3c732bce4 100644
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -223,12 +223,10 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+ 	case ACL_TYPE_ACCESS:
+ 		name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+ 		if (acl) {
+-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-			if (error < 0)
++			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++			if (error)
+ 				return error;
+ 			set_acl_inode(fi, inode->i_mode);
+-			if (error == 0)
+-				acl = NULL;
+ 		}
+ 		break;
+ 
+diff --git a/fs/generic_acl.c b/fs/generic_acl.c
+index b3f3676796d31..21408084c3b34 100644
+--- a/fs/generic_acl.c
++++ b/fs/generic_acl.c
+@@ -87,14 +87,10 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
+ 			goto failed;
+ 		switch (type) {
+ 		case ACL_TYPE_ACCESS:
+-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-			if (error < 0)
++			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++			if (error)
+ 				goto failed;
+ 			inode->i_ctime = CURRENT_TIME;
+-			if (error == 0) {
+-				posix_acl_release(acl);
+-				acl = NULL;
+-			}
+ 			break;
+ 		case ACL_TYPE_DEFAULT:
+ 			if (!S_ISDIR(inode->i_mode)) {
+diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
+index f69ac0af5496c..e7b330ef4dfda 100644
+--- a/fs/gfs2/acl.c
++++ b/fs/gfs2/acl.c
+@@ -268,15 +268,10 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
+ 
+ 	if (type == ACL_TYPE_ACCESS) {
+ 		umode_t mode = inode->i_mode;
+-		error = posix_acl_equiv_mode(acl, &mode);
++		error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ 
+-		if (error <= 0) {
+-			posix_acl_release(acl);
+-			acl = NULL;
+-
+-			if (error < 0)
+-				return error;
+-		}
++		if (error)
++			goto out_release;
+ 
+ 		error = gfs2_set_mode(inode, mode);
+ 		if (error)
+diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
+index 223283c301116..9335b8d3cf521 100644
+--- a/fs/jffs2/acl.c
++++ b/fs/jffs2/acl.c
+@@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+ 	case ACL_TYPE_ACCESS:
+ 		xprefix = JFFS2_XPREFIX_ACL_ACCESS;
+ 		if (acl) {
+-			umode_t mode = inode->i_mode;
+-			rc = posix_acl_equiv_mode(acl, &mode);
+-			if (rc < 0)
++			umode_t mode;
++
++			rc = posix_acl_update_mode(inode, &mode, &acl);
++			if (rc)
+ 				return rc;
+ 			if (inode->i_mode != mode) {
+ 				struct iattr attr;
+@@ -257,8 +258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+ 				if (rc < 0)
+ 					return rc;
+ 			}
+-			if (rc == 0)
+-				acl = NULL;
+ 		}
+ 		break;
+ 	case ACL_TYPE_DEFAULT:
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index 42d67f9757bf6..c79b1d7a53e24 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -693,11 +693,11 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
+ 			return rc;
+ 		}
+ 		if (acl) {
+-			rc = posix_acl_equiv_mode(acl, &inode->i_mode);
++			rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ 			posix_acl_release(acl);
+-			if (rc < 0) {
++			if (rc) {
+ 				printk(KERN_ERR
+-				       "posix_acl_equiv_mode returned %d\n",
++				       "posix_acl_update_mode returned %d\n",
+ 				       rc);
+ 				return rc;
+ 			}
+diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
+index 8a404576fb265..2fe643160cf73 100644
+--- a/fs/ocfs2/acl.c
++++ b/fs/ocfs2/acl.c
+@@ -275,19 +275,13 @@ static int ocfs2_set_acl(handle_t *handle,
+ 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
+ 		if (acl) {
+ 			umode_t mode = inode->i_mode;
+-			ret = posix_acl_equiv_mode(acl, &mode);
+-			if (ret < 0)
++			ret = posix_acl_update_mode(inode, &mode, &acl);
++			if (ret)
++				return ret;
++			ret = ocfs2_acl_set_mode(inode, di_bh,
++						 handle, mode);
++			if (ret)
+ 				return ret;
+-			else {
+-				if (ret == 0)
+-					acl = NULL;
+-
+-				ret = ocfs2_acl_set_mode(inode, di_bh,
+-							 handle, mode);
+-				if (ret)
+-					return ret;
+-
+-			}
+ 		}
+ 		break;
+ 	case ACL_TYPE_DEFAULT:
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index 3542f1f814e2a..35cc1f40b82df 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -341,6 +341,37 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
+         return not_equiv;
+ }
+ 
++/**
++ * posix_acl_update_mode  -  update mode in set_acl
++ *
++ * Update the file mode when setting an ACL: compute the new file permission
++ * bits based on the ACL.  In addition, if the ACL is equivalent to the new
++ * file mode, set *acl to NULL to indicate that no ACL should be set.
++ *
++ * As with chmod, clear the setgit bit if the caller is not in the owning group
++ * or capable of CAP_FSETID (see inode_change_ok).
++ *
++ * Called from set_acl inode operations.
++ */
++int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
++			  struct posix_acl **acl)
++{
++	umode_t mode = inode->i_mode;
++	int error;
++
++	error = posix_acl_equiv_mode(*acl, &mode);
++	if (error < 0)
++		return error;
++	if (error == 0)
++		*acl = NULL;
++	if (!in_group_p(inode->i_gid) &&
++	    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
++		mode &= ~S_ISGID;
++	*mode_p = mode;
++	return 0;
++}
++EXPORT_SYMBOL(posix_acl_update_mode);
++
+ /*
+  * Modify the ACL for the chmod syscall.
+  */
+diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
+index 6c8767fdfc6a2..2d73589f37d64 100644
+--- a/fs/reiserfs/xattr_acl.c
++++ b/fs/reiserfs/xattr_acl.c
+@@ -286,13 +286,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
+ 	case ACL_TYPE_ACCESS:
+ 		name = POSIX_ACL_XATTR_ACCESS;
+ 		if (acl) {
+-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-			if (error < 0)
++			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++			if (error)
+ 				return error;
+-			else {
+-				if (error == 0)
+-					acl = NULL;
+-			}
+ 		}
+ 		break;
+ 	case ACL_TYPE_DEFAULT:
+diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
+index 306d883d89bc7..4f8e4770229cf 100644
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -389,16 +389,9 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
+ 
+ 	if (type == ACL_TYPE_ACCESS) {
+ 		umode_t mode = inode->i_mode;
+-		error = posix_acl_equiv_mode(acl, &mode);
+-
+-		if (error <= 0) {
+-			posix_acl_release(acl);
+-			acl = NULL;
+-
+-			if (error < 0)
+-				return error;
+-		}
+-
++		error = posix_acl_update_mode(inode, &mode, &acl);
++		if (error)
++			goto out_release;
+ 		error = xfs_set_mode(inode, mode);
+ 		if (error)
+ 			goto out_release;
+diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
+index 7931efe711755..2ae0bba45f124 100644
+--- a/include/linux/posix_acl.h
++++ b/include/linux/posix_acl.h
+@@ -90,6 +90,7 @@ extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
+ extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
+ extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
+ extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
++extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
+ 
+ extern struct posix_acl *get_posix_acl(struct inode *, int);
+ extern int set_posix_acl(struct inode *, int, struct posix_acl *);

Patches/Linux_CVEs/CVE-2016-7097/3.10/0003.patch

@@ -0,0 +1,45 @@
+From aedf77d56472d1fddf050c61c1017d4f51149fb1 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 13 Dec 2016 10:33:34 -0800
+Subject: [PATCH] FROMLIST: 9p: fix a potential acl leak
+
+(https://lkml.org/lkml/2016/12/13/579)
+
+posix_acl_update_mode() could possibly clear 'acl', if so
+we leak the memory pointed by 'acl'. Save this pointer
+before calling posix_acl_update_mode() and release the memory
+if 'acl' really gets cleared.
+
+Reported-by: Mark Salyzyn <salyzyn@android.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Bug: 32458736
+Change-Id: Ia78da401e6fd1bfd569653bd2cd0ebd3f9c737a0
+---
+ fs/9p/acl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 9686c1f17653f..c19a66472d2eb 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -321,6 +321,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
+ 		name = POSIX_ACL_XATTR_ACCESS;
+ 		if (acl) {
+ 			struct iattr iattr;
++			struct posix_acl *old_acl = acl;
+ 
+ 			retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+ 			if (retval)
+@@ -331,6 +332,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
+ 				 * by the mode bits. So don't
+ 				 * update ACL.
+ 				 */
++				posix_acl_release(old_acl);
+ 				value = NULL;
+ 				size = 0;
+ 			}

Patches/Linux_CVEs/CVE-2016-7117/^4.5/0002.patch

@@ -0,0 +1,49 @@
+From 0b5240c45e2029986526b1405ab24906c708f770 Mon Sep 17 00:00:00 2001
+From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Date: Tue, 21 Feb 2017 18:35:51 +0100
+Subject: net: socket: fix recvmmsg not returning error from sock_error
+
+commit e623a9e9dec29ae811d11f83d0074ba254aba374 upstream.
+
+Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
+changed the exit path of recvmmsg to always return the datagrams
+variable and modified the error paths to set the variable to the error
+code returned by recvmsg if necessary.
+
+However in the case sock_error returned an error, the error code was
+then ignored, and recvmmsg returned 0.
+
+Change the error path of recvmmsg to correctly return the error code
+of sock_error.
+
+The bug was triggered by using recvmmsg on a CAN interface which was
+not up. Linux 4.6 and later return 0 in this case while earlier
+releases returned -ENETDOWN.
+
+Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
+Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ net/socket.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index e91e8ed..773ba3a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2326,8 +2326,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ 		return err;
+ 
+ 	err = sock_error(sock->sk);
+-	if (err)
++	if (err) {
++		datagrams = err;
+ 		goto out_put;
++	}
+ 
+ 	entry = mmsg;
+ 	compat_entry = (struct compat_mmsghdr __user *)mmsg;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-0630/3.10/0001.patch

@@ -0,0 +1,80 @@
+From 28fb06421ab3d9256d32611138306470996cc4c1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Tue, 22 Mar 2016 17:30:58 -0400
+Subject: [PATCH] UPSTREAM: tracing: Fix trace_printk() to print when not using
+ bprintk()
+
+The trace_printk() code will allocate extra buffers if the compile detects
+that a trace_printk() is used. To do this, the format of the trace_printk()
+is saved to the __trace_printk_fmt section, and if that section is bigger
+than zero, the buffers are allocated (along with a message that this has
+happened).
+
+If trace_printk() uses a format that is not a constant, and thus something
+not guaranteed to be around when the print happens, the compiler optimizes
+the fmt out, as it is not used, and the __trace_printk_fmt section is not
+filled. This means the kernel will not allocate the special buffers needed
+for the trace_printk() and the trace_printk() will not write anything to the
+tracing buffer.
+
+Adding a "__used" to the variable in the __trace_printk_fmt section will
+keep it around, even though it is set to NULL. This will keep the string
+from being printed in the debugfs/tracing/printk_formats section as it is
+not needed.
+
+Reported-by: Vlastimil Babka <vbabka@suse.cz>
+Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()"
+Cc: stable@vger.kernel.org # v3.5+
+Bug: 34277115
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Change-Id: I10ce56caa41c7644d9d290d9ed272a6d156c938c
+---
+ include/linux/kernel.h      | 6 +++---
+ kernel/trace/trace_printk.c | 3 +++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 44d0a02224897..0d1fa1b442209 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -554,7 +554,7 @@ do {							\
+ 
+ #define do_trace_printk(fmt, args...)					\
+ do {									\
+-	static const char *trace_printk_fmt				\
++	static const char *trace_printk_fmt __used			\
+ 		__attribute__((section("__trace_printk_fmt"))) =	\
+ 		__builtin_constant_p(fmt) ? fmt : NULL;			\
+ 									\
+@@ -601,7 +601,7 @@ extern int __trace_puts(unsigned long ip, const char *str, int size);
+  */
+ 
+ #define trace_puts(str) ({						\
+-	static const char *trace_printk_fmt				\
++	static const char *trace_printk_fmt __used			\
+ 		__attribute__((section("__trace_printk_fmt"))) =	\
+ 		__builtin_constant_p(str) ? str : NULL;			\
+ 									\
+@@ -621,7 +621,7 @@ extern void trace_dump_stack(int skip);
+ #define ftrace_vprintk(fmt, vargs)					\
+ do {									\
+ 	if (__builtin_constant_p(fmt)) {				\
+-		static const char *trace_printk_fmt			\
++		static const char *trace_printk_fmt __used		\
+ 		  __attribute__((section("__trace_printk_fmt"))) =	\
+ 			__builtin_constant_p(fmt) ? fmt : NULL;		\
+ 									\
+diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
+index a9077c1b4ad3f..fdb23e84b011b 100644
+--- a/kernel/trace/trace_printk.c
++++ b/kernel/trace/trace_printk.c
+@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v)
+ 	const char *str = *fmt;
+ 	int i;
+ 
++	if (!*fmt)
++		return 0;
++
+ 	seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt);
+ 
+ 	/*

Patches/Linux_CVEs/CVE-2017-0630/3.10/0002.patch

@@ -0,0 +1,27 @@
+From 45e5a5e1b85f23843b90f3cddcfc26fa862ff80c Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Fri, 3 Mar 2017 15:40:12 -0800
+Subject: [PATCH] tracing: do not leak kernel addresses
+
+This likely breaks tracing tools like trace-cmd.  It logs in the same
+format but now addresses are all 0x0.
+
+Bug: 34277115
+Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
+---
+ kernel/trace/trace_printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
+index fdb23e84b011b..f423e8d551c0a 100644
+--- a/kernel/trace/trace_printk.c
++++ b/kernel/trace/trace_printk.c
+@@ -275,7 +275,7 @@ static int t_show(struct seq_file *m, void *v)
+ 	if (!*fmt)
+ 		return 0;
+ 
+-	seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt);
++	seq_printf(m, "0x%lx : \"", 0L);
+ 
+ 	/*
+ 	 * Tabs and new lines need to be converted.

Patches/Linux_CVEs/CVE-2017-0861/3.10/0001.patch

@@ -0,0 +1,32 @@
+From 93533f313a1bf465ff8c33032e91b88315dcf9bf Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Fri, 11 Aug 2017 11:33:31 -0700
+Subject: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Bug: 36006981
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/core/pcm.c b/sound/core/pcm.c
+index 0ad1231c15372..6548b3af383fa 100644
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
+ 				err = -ENXIO;
+ 				goto _error;
+ 			}
++			mutex_lock(&pcm->open_mutex);
+ 			err = snd_pcm_info_user(substream, info);
++			mutex_unlock(&pcm->open_mutex);
+ 		_error:
+ 			mutex_unlock(&register_mutex);
+ 			return err;

Patches/Linux_CVEs/CVE-2017-0862/3.10/0001.patch

@@ -0,0 +1,28 @@
+From 19384322b5b51987bd6037f7a6b18a62a5d4d654 Mon Sep 17 00:00:00 2001
+From: Jianqiang Zhao <zhaojianqiang1@gmail.com>
+Date: Mon, 6 Mar 2017 16:33:42 +0800
+Subject: [PATCH] ANDROID: input: keychord: fix race condition bug
+
+Change-Id: I9c7c759c99e21cad9a7f9a09128122bf6ae11302
+Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
+Bug: 36006779
+---
+ drivers/input/misc/keychord.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/misc/keychord.c b/drivers/input/misc/keychord.c
+index a5ea27ad0e16c..f580edf1c87ce 100644
+--- a/drivers/input/misc/keychord.c
++++ b/drivers/input/misc/keychord.c
+@@ -300,8 +300,10 @@ static ssize_t keychord_write(struct file *file, const char __user *buffer,
+ 
+ 	ret = input_register_handler(&kdev->input_handler);
+ 	if (ret) {
+-		kfree(keychords);
++		spin_lock_irqsave(&kdev->lock, flags);
++		kfree(kdev->keychords);
+ 		kdev->keychords = 0;
++		spin_unlock_irqrestore(&kdev->lock, flags);
+ 		return ret;
+ 	}
+ 	kdev->registered = 1;

Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch

@@ -0,0 +1,25 @@
+diff --git a/drivers/gpu/drm/nouveau/nouveau_usif.c b/drivers/gpu/drm/nouveau/nouveau_usif.c
+index cb1182d..8d4fcc1 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_usif.c
++++ b/drivers/gpu/drm/nouveau/nouveau_usif.c
+@@ -316,6 +316,12 @@
+ 	} else
+ 		goto done;
+ 
++	object = (void *)(unsigned long)argv->v0.token;
++	if (!access_ok(VERIFY_READ, object, sizeof(struct usif_object))) {
++		ret = -EINVAL;
++		goto done;
++	}
++
+ 	mutex_lock(&cli->mutex);
+ 	switch (argv->v0.type) {
+ 	case NVIF_IOCTL_V0_NEW:
+@@ -340,7 +346,6 @@
+ 		break;
+ 	}
+ 	if (argv->v0.route == NVDRM_OBJECT_USIF) {
+-		object = (void *)(unsigned long)argv->v0.token;
+ 		argv->v0.route = object->route;
+ 		argv->v0.token = object->token;
+ 		if (ret == 0 && argv->v0.type == NVIF_IOCTL_V0_DEL) {

Patches/Linux_CVEs/CVE-2017-0866/3.18/0001.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L25vdXZlYXVfdXNpZi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKaW5kZXggY2IxMTgyZC4uOGQ0ZmNjMSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbm91dmVhdV91c2lmLmMKQEAgLTMxNiw2ICszMTYsMTIgQEAKIAl9IGVsc2UKIAkJZ290byBkb25lOwogCisJb2JqZWN0ID0gKHZvaWQgKikodW5zaWduZWQgbG9uZylhcmd2LT52MC50b2tlbjsKKwlpZiAoIWFjY2Vzc19vayhWRVJJRllfUkVBRCwgb2JqZWN0LCBzaXplb2Yoc3RydWN0IHVzaWZfb2JqZWN0KSkpIHsKKwkJcmV0ID0gLUVJTlZBTDsKKwkJZ290byBkb25lOworCX0KKwogCW11dGV4X2xvY2soJmNsaS0+bXV0ZXgpOwogCXN3aXRjaCAoYXJndi0+djAudHlwZSkgewogCWNhc2UgTlZJRl9JT0NUTF9WMF9ORVc6CkBAIC0zNDAsNyArMzQ2LDYgQEAKIAkJYnJlYWs7CiAJfQogCWlmIChhcmd2LT52MC5yb3V0ZSA9PSBOVkRSTV9PQkpFQ1RfVVNJRikgewotCQlvYmplY3QgPSAodm9pZCAqKSh1bnNpZ25lZCBsb25nKWFyZ3YtPnYwLnRva2VuOwogCQlhcmd2LT52MC5yb3V0ZSA9IG9iamVjdC0+cm91dGU7CiAJCWFyZ3YtPnYwLnRva2VuID0gb2JqZWN0LT50b2tlbjsKIAkJaWYgKHJldCA9PSAwICYmIGFyZ3YtPnYwLnR5cGUgPT0gTlZJRl9JT0NUTF9WMF9ERUwpIHsK

Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch

@@ -0,0 +1,63 @@
+diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
+index 111c093..10f1872 100644
+--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h
+@@ -24,7 +24,6 @@
+  * under proprietary terms before Copyright ownership was assigned
+  * to the Linux Foundation.
+  */
+-
+ #ifndef DOT11F_H
+ #define DOT11F_H
+ /**
+@@ -37,7 +36,7 @@
+   *
+   *
+   * This file was automatically generated by 'framesc'
+-  * Tue Sep 29 17:32:33 2015 from the following file(s):
++  * Tue Jul  4 11:07:27 2017 from the following file(s):
+   *
+   * dot11f.frms
+   *
+@@ -91,8 +90,8 @@
+ #define DOT11F_BUFFER_OVERFLOW       ( 0x10000005 )
+ #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 )
+ #define DOT11F_FAILED(code)          ( (code) & 0x10000000 )
+-#define DOT11F_WARNED(code)          ( ( ( 0 == (code) ) & 0x10000000 ) && code)
+ #define DOT11F_SUCCEEDED(code)       ( (code) == 0 )
++#define DOT11F_WARNED(code)          (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
+ 
+ /*********************************************************************
+  * Fixed Fields                                                      *
+diff --git a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
+index 0f542d0..c19e9c0 100644
+--- a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
++++ b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c
+@@ -35,7 +35,7 @@
+   *
+   *
+   * This file was automatically generated by 'framesc'
+-  * Tue Sep 29 17:32:33 2015 from the following file(s):
++  * Tue Jul  4 11:07:27 2017 from the following file(s):
+   *
+   * dot11f.frms
+   *
+@@ -18778,6 +18778,10 @@
+                 }
+ 
+         countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
++        if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
++            status |= DOT11F_DUPLICATE_IE;
++            goto skip_dup_ie;
++        }
+                 switch (pIe->sig)
+                 {
+                 case SigIeCondensedCountryStr:
+@@ -19215,6 +19219,7 @@
+             status |= DOT11F_UNKNOWN_IES;
+         }
+ 
++skip_dup_ie:
+         pBufRemaining += len;
+ 
+          if (len > nBufRemaining)

Patches/Linux_CVEs/CVE-2017-11013/qcacld-2.0/0002.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvTUFDL3NyYy9pbmNsdWRlL2RvdDExZi5oIGIvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKaW5kZXggMTExYzA5My4uMTBmMTg3MiAxMDA2NDQKLS0tIGEvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKKysrIGIvZHJpdmVycy9zdGFnaW5nL3FjYWNsZC0yLjAvQ09SRS9NQUMvc3JjL2luY2x1ZGUvZG90MTFmLmgKQEAgLTI0LDcgKzI0LDYgQEAKICAqIHVuZGVyIHByb3ByaWV0YXJ5IHRlcm1zIGJlZm9yZSBDb3B5cmlnaHQgb3duZXJzaGlwIHdhcyBhc3NpZ25lZAogICogdG8gdGhlIExpbnV4IEZvdW5kYXRpb24uCiAgKi8KLQogI2lmbmRlZiBET1QxMUZfSAogI2RlZmluZSBET1QxMUZfSAogLyoqCkBAIC0zNyw3ICszNiw3IEBACiAgICoKICAgKgogICAqIFRoaXMgZmlsZSB3YXMgYXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgJ2ZyYW1lc2MnCi0gICogVHVlIFNlcCAyOSAxNzozMjozMyAyMDE1IGZyb20gdGhlIGZvbGxvd2luZyBmaWxlKHMpOgorICAqIFR1ZSBKdWwgIDQgMTE6MDc6MjcgMjAxNyBmcm9tIHRoZSBmb2xsb3dpbmcgZmlsZShzKToKICAgKgogICAqIGRvdDExZi5mcm1zCiAgICoKQEAgLTkxLDggKzkwLDggQEAKICNkZWZpbmUgRE9UMTFGX0JVRkZFUl9PVkVSRkxPVyAgICAgICAoIDB4MTAwMDAwMDUgKQogI2RlZmluZSBET1QxMUZfTUFOREFUT1JZX1RMVl9NSVNTSU5HICggMHgwMDAwMTAwMCApCiAjZGVmaW5lIERPVDExRl9GQUlMRUQoY29kZSkgICAgICAgICAgKCAoY29kZSkgJiAweDEwMDAwMDAwICkKLSNkZWZpbmUgRE9UMTFGX1dBUk5FRChjb2RlKSAgICAgICAgICAoICggKCAwID09IChjb2RlKSApICYgMHgxMDAwMDAwMCApICYmIGNvZGUpCiAjZGVmaW5lIERPVDExRl9TVUNDRUVERUQoY29kZSkgICAgICAgKCAoY29kZSkgPT0gMCApCisjZGVmaW5lIERPVDExRl9XQVJORUQoY29kZSkgICAgICAgICAgKCFET1QxMUZfU1VDQ0VFREVEKGNvZGUpICYmICFET1QxMUZfRkFJTEVEKGNvZGUpKQogCiAvKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCiAgKiBGaXhlZCBGaWVsZHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAqCmRpZmYgLS1naXQgYS9kcml2ZXJzL3N0YWdpbmcvcWNhY2xkLTIuMC9DT1JFL1NZUy9sZWdhY3kvc3JjL3V0aWxzL3NyYy9kb3QxMWYuYyBiL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCmluZGV4IDBmNTQyZDAuLmMxOWU5YzAgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCisrKyBiL2RyaXZlcnMvc3RhZ2luZy9xY2FjbGQtMi4wL0NPUkUvU1lTL2xlZ2FjeS9zcmMvdXRpbHMvc3JjL2RvdDExZi5jCkBAIC0zNSw3ICszNSw3IEBACiAgICoKICAgKgogICAqIFRoaXMgZmlsZSB3YXMgYXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgJ2ZyYW1lc2MnCi0gICogVHVlIFNlcCAyOSAxNzozMjozMyAyMDE1IGZyb20gdGhlIGZvbGxvd2luZyBmaWxlKHMpOgorICAqIFR1ZSBKdWwgIDQgMTE6MDc6MjcgMjAxNyBmcm9tIHRoZSBmb2xsb3dpbmcgZmlsZShzKToKICAgKgogICAqIGRvdDExZi5mcm1zCiAgICoKQEAgLTE4Nzc4LDYgKzE4Nzc4LDEwIEBACiAgICAgICAgICAgICAgICAgfQogCiAgICAgICAgIGNvdW50T2Zmc2V0ID0gKCAoMCAhPSBwSWUtPmFycmF5Ym91bmQpICogKCAqKHRBTklfVTE2KiApKHBGcm0gKyBwSWUtPmNvdW50T2Zmc2V0KSkpOworICAgICAgICBpZiAoMCAhPSBwSWUtPmFycmF5Ym91bmQgJiYgY291bnRPZmZzZXQgPj0gcEllLT5hcnJheWJvdW5kKSB7CisgICAgICAgICAgICBzdGF0dXMgfD0gRE9UMTFGX0RVUExJQ0FURV9JRTsKKyAgICAgICAgICAgIGdvdG8gc2tpcF9kdXBfaWU7CisgICAgICAgIH0KICAgICAgICAgICAgICAgICBzd2l0Y2ggKHBJZS0+c2lnKQogICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBjYXNlIFNpZ0llQ29uZGVuc2VkQ291bnRyeVN0cjoKQEAgLTE5MjE1LDYgKzE5MjE5LDcgQEAKICAgICAgICAgICAgIHN0YXR1cyB8PSBET1QxMUZfVU5LTk9XTl9JRVM7CiAgICAgICAgIH0KIAorc2tpcF9kdXBfaWU6CiAgICAgICAgIHBCdWZSZW1haW5pbmcgKz0gbGVuOwogCiAgICAgICAgICBpZiAobGVuID4gbkJ1ZlJlbWFpbmluZykK

Patches/Linux_CVEs/CVE-2017-11014/qcacld-2.0/0001.patch

@@ -0,0 +1,49 @@
+From adb96af5b080dfe4ee29961a17ed3f04c87d5519 Mon Sep 17 00:00:00 2001
+From: Srinivas Girigowda <sgirigow@codeaurora.org>
+Date: Mon, 21 Aug 2017 16:56:01 -0700
+Subject: [PATCH] qcacld-2.0: Add bound check before writing to channel list
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+In function rrm_process_beacon_report_req, add bound check before
+writing to channel list which is of fixed size.
+
+Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
+CRs-Fixed: 2060138
+Bug: 64438727
+Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+index 3fb65c45c2925..ddf22cd957db2 100644
+--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/rrm/rrmApi.c
+@@ -628,14 +628,21 @@ rrmProcessBeaconReportReq( tpAniSirGlobal pMac,
+    pSmeBcnReportReq->channelList.numChannels = num_channels;
+    if( pBeaconReq->measurement_request.Beacon.num_APChannelReport )
+    {
+-      tANI_U8 *pChanList = pSmeBcnReportReq->channelList.channelNumber;
++      tANI_U8 *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
++      uint8_t len;
++      uint16_t ch_ctr = 0;
+       for( num_APChanReport = 0 ; num_APChanReport < pBeaconReq->measurement_request.Beacon.num_APChannelReport ; num_APChanReport++ )
+       {
+-         vos_mem_copy(pChanList,
+-          pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].channelList,
+-          pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList);
++         len = pBeaconReq->measurement_request.Beacon.
++                            APChannelReport[num_APChanReport].num_channelList;
++         if(ch_ctr + len > sizeof(pSmeBcnReportReq->channelList.channelNumber))
++            break;
++
++         vos_mem_copy(&ch_lst[ch_ctr],
++                      pBeaconReq->measurement_request.Beacon.
++                      APChannelReport[num_APChanReport].channelList, len);
+ 
+-         pChanList += pBeaconReq->measurement_request.Beacon.APChannelReport[num_APChanReport].num_channelList;
++         ch_ctr += len;
+       }
+    }
+ 

Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0003.patch

@@ -0,0 +1,54 @@
+From d7285900f6fa28b0be51f5d18c52bd06385f8aee Mon Sep 17 00:00:00 2001
+From: Srinivas Girigowda <sgirigow@codeaurora.org>
+Date: Mon, 21 Aug 2017 18:23:29 -0700
+Subject: [PATCH] qcacld-2.0: Update limComputeCrc32 to pass uint16_t
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+Update limComputeCrc32() to pass uint16_t as a length type.
+Currently uint8_t is being passed as length and there will be type
+mismatch when authentication frame to be encrypted will be larger
+than 255 bytes.
+
+Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
+CRs-Fixed: 2072937
+Bug: 64438728
+Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c | 2 +-
+ drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
+index 0241dc010adce..049c86aa55f78 100644
+--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.c
+@@ -647,7 +647,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
+  */
+ 
+ void
+-limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U8 len)
++limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U16 len)
+ {
+     tANI_U32 crc;
+     int i;
+diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
+index 4ede5005b556f..9139ce20f3b4c 100644
+--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
++++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limSecurityUtils.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
+  *
+  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+  *
+@@ -59,7 +59,7 @@ tANI_U8 limDeleteOpenAuthPreAuthNode(tpAniSirGlobal pMac);
+ 
+ // Encryption/Decryption related functions
+ tCfgWepKeyEntry    *limLookUpKeyMappings(tSirMacAddr);
+-void               limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U8);
++void               limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U16);
+ void               limRC4(tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
+ void               limEncryptAuthFrame(tpAniSirGlobal, tANI_U8, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32);
+ tANI_U8                 limDecryptAuthFrame(tpAniSirGlobal, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);

Patches/Linux_CVEs/CVE-2017-11015/qcacld-2.0/0004.patch

@@ -0,0 +1,35 @@
+From a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef Mon Sep 17 00:00:00 2001
+From: Srinivas Girigowda <sgirigow@codeaurora.org>
+Date: Mon, 21 Aug 2017 21:25:55 -0700
+Subject: [PATCH] qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE
+ spec
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
+Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
+This may result in potential buffer overflow since frame parser
+allows challenge text of length upto 253 but driver can not handle
+challenge text longer than 128 bytes.
+
+Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
+CRs-Fixed: 2072937
+Bug: 64438728
+Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
+index bb43167c255cc..c5d8ad5dbcbc0 100644
+--- a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
++++ b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirMacProtDef.h
+@@ -584,7 +584,7 @@
+ #define SIR_MAC_MAX_NUMBER_OF_RATES          12
+ #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS      4
+ #define SIR_MAC_KEY_LENGTH                   13   // WEP Maximum key length size
+-#define SIR_MAC_AUTH_CHALLENGE_LENGTH        128
++#define SIR_MAC_AUTH_CHALLENGE_LENGTH        253
+ #define SIR_MAC_WEP_IV_LENGTH                4
+ #define SIR_MAC_WEP_ICV_LENGTH               4
+ 

Patches/Linux_CVEs/CVE-2017-11023/3.18/0001.patch

@@ -0,0 +1,178 @@
+From 17ef83c708be034454df7914ef5484c36515eece Mon Sep 17 00:00:00 2001
+From: Jonathan Solnit <jsolnit@google.com>
+Date: Fri, 1 Sep 2017 15:19:29 -0700
+Subject: [PATCH] diag: Add protection while processing non-hdlc packets
+
+Currently, there is possibility of out-of-bound accesses during
+handling of data in non-hdlc path. The patch adds proper protection
+when processing non-hdlc packet information to fix the issue.
+
+Bug: 64434485
+CRs-Fixed: 2029216
+Change-Id: I07c466f85bd8ac08226948fea86b1d8567e68431
+Signed-off-by: Hardik Arya <harya@codeaurora.org>
+Signed-off-by: Mishra Mahima <mahima@codeaurora.org>
+Signed-off-by: Jonathan Solnit <jsolnit@google.com>
+---
+ drivers/char/diag/diagchar.h      |  1 +
+ drivers/char/diag/diagchar_core.c |  1 +
+ drivers/char/diag/diagfwd.c       | 44 ++++++++++++++++++++++++++++++---------
+ 3 files changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h
+index de3e160762e9f..c1749d3435732 100644
+--- a/drivers/char/diag/diagchar.h
++++ b/drivers/char/diag/diagchar.h
+@@ -537,6 +537,7 @@ struct diagchar_dev {
+ 	unsigned char *buf_feature_mask_update;
+ 	uint8_t hdlc_disabled;
+ 	struct mutex hdlc_disable_mutex;
++	struct mutex hdlc_recovery_mutex;
+ 	struct timer_list hdlc_reset_timer;
+ 	struct mutex diag_hdlc_mutex;
+ 	unsigned char *hdlc_buf;
+diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
+index 590f53c36e511..048e1fd60b805 100644
+--- a/drivers/char/diag/diagchar_core.c
++++ b/drivers/char/diag/diagchar_core.c
+@@ -3392,6 +3392,7 @@ static int __init diagchar_init(void)
+ 	mutex_init(&apps_data_mutex);
+ 	mutex_init(&driver->msg_mask_lock);
+ 	mutex_init(&driver->diagfwd_channel_mutex);
++	mutex_init(&driver->hdlc_recovery_mutex);
+ 	init_waitqueue_head(&driver->wait_q);
+ 	INIT_WORK(&(driver->diag_drain_work), diag_drain_work_fn);
+ 	INIT_WORK(&(driver->update_user_clients),
+diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
+index 65bbe7cdd8347..60d126acae99a 100644
+--- a/drivers/char/diag/diagfwd.c
++++ b/drivers/char/diag/diagfwd.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -1348,7 +1348,9 @@ static void diag_hdlc_start_recovery(unsigned char *buf, int len,
+ 
+ 	if (start_ptr) {
+ 		/* Discard any partial packet reads */
++		mutex_lock(&driver->hdlc_recovery_mutex);
+ 		driver->incoming_pkt.processing = 0;
++		mutex_unlock(&driver->hdlc_recovery_mutex);
+ 		diag_process_non_hdlc_pkt(start_ptr, len - i, info);
+ 	}
+ }
+@@ -1362,18 +1364,24 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
+ 	const uint32_t header_len = sizeof(struct diag_pkt_frame_t);
+ 	struct diag_pkt_frame_t *actual_pkt = NULL;
+ 	unsigned char *data_ptr = NULL;
+-	struct diag_partial_pkt_t *partial_pkt = &driver->incoming_pkt;
++	struct diag_partial_pkt_t *partial_pkt = NULL;
+ 
+-	if (!buf || len <= 0)
++	mutex_lock(&driver->hdlc_recovery_mutex);
++	if (!buf || len <= 0) {
++		mutex_unlock(&driver->hdlc_recovery_mutex);
+ 		return;
+-
+-	if (!partial_pkt->processing)
++	}
++	partial_pkt = &driver->incoming_pkt;
++	if (!partial_pkt->processing) {
++		mutex_unlock(&driver->hdlc_recovery_mutex);
+ 		goto start;
++	}
+ 
+ 	if (partial_pkt->remaining > len) {
+ 		if ((partial_pkt->read_len + len) > partial_pkt->capacity) {
+ 			pr_err("diag: Invalid length %d, %d received in %s\n",
+ 			       partial_pkt->read_len, len, __func__);
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			goto end;
+ 		}
+ 		memcpy(partial_pkt->data + partial_pkt->read_len, buf, len);
+@@ -1387,6 +1395,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
+ 			pr_err("diag: Invalid length during partial read %d, %d received in %s\n",
+ 			       partial_pkt->read_len,
+ 			       partial_pkt->remaining, __func__);
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			goto end;
+ 		}
+ 		memcpy(partial_pkt->data + partial_pkt->read_len, buf,
+@@ -1400,20 +1409,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
+ 	if (partial_pkt->remaining == 0) {
+ 		actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data);
+ 		data_ptr = partial_pkt->data + header_len;
+-		if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
++		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
++						CONTROL_CHAR) {
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			diag_hdlc_start_recovery(buf, len, info);
++			mutex_lock(&driver->hdlc_recovery_mutex);
++		}
+ 		err = diag_process_apps_pkt(data_ptr,
+ 					    actual_pkt->length, info);
+ 		if (err) {
+ 			pr_err("diag: In %s, unable to process incoming data packet, err: %d\n",
+ 			       __func__, err);
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			goto end;
+ 		}
+ 		partial_pkt->read_len = 0;
+ 		partial_pkt->total_len = 0;
+ 		partial_pkt->processing = 0;
++		mutex_unlock(&driver->hdlc_recovery_mutex);
+ 		goto start;
+ 	}
++	mutex_unlock(&driver->hdlc_recovery_mutex);
+ 	goto end;
+ 
+ start:
+@@ -1426,14 +1442,14 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
+ 			diag_send_error_rsp(buf, len);
+ 			goto end;
+ 		}
+-
++		mutex_lock(&driver->hdlc_recovery_mutex);
+ 		if (pkt_len + header_len > partial_pkt->capacity) {
+ 			pr_err("diag: In %s, incoming data is too large for the request buffer %d\n",
+ 			       __func__, pkt_len);
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			diag_hdlc_start_recovery(buf, len, info);
+ 			break;
+ 		}
+-
+ 		if ((pkt_len + header_len) > (len - read_bytes)) {
+ 			partial_pkt->read_len = len - read_bytes;
+ 			partial_pkt->total_len = pkt_len + header_len;
+@@ -1441,19 +1457,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len,
+ 						 partial_pkt->read_len;
+ 			partial_pkt->processing = 1;
+ 			memcpy(partial_pkt->data, buf, partial_pkt->read_len);
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			break;
+ 		}
+ 		data_ptr = buf + header_len;
+-		if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR)
++		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
++						CONTROL_CHAR) {
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			diag_hdlc_start_recovery(buf, len, info);
++			mutex_lock(&driver->hdlc_recovery_mutex);
++		}
+ 		else
+ 			hdlc_reset = 0;
+ 		err = diag_process_apps_pkt(data_ptr,
+ 					    actual_pkt->length, info);
+-		if (err)
++		if (err) {
++			mutex_unlock(&driver->hdlc_recovery_mutex);
+ 			break;
++		}
+ 		read_bytes += header_len + pkt_len + 1;
+ 		buf += header_len + pkt_len + 1; /* advance to next pkt */
++		mutex_unlock(&driver->hdlc_recovery_mutex);
+ 	}
+ end:
+ 	return;

Patches/Linux_CVEs/CVE-2017-11028/3.18/0001.patch

@@ -0,0 +1,42 @@
+From a96e06fac09e182b5211f20dd6311f93a5d056af Mon Sep 17 00:00:00 2001
+From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
+Date: Mon, 10 Apr 2017 16:53:33 +0530
+Subject: [PATCH] msm: camera: isp: Initialize stream info
+
+Initialize the Stream info before passing as an
+argument to msm_isp_request_frame and add bound check to the
+stream index
+CRs-fixed: 2008683
+
+Bug: 64453533
+Change-Id: I0039a5d01f4f376060c8b0ba3baf4ce55acc9446
+Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
+---
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+index 5e0b685aec801..54ab560f09137 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -3488,6 +3488,14 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
+ 	case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
+ 		struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
+ 			&update_cmd->req_frm_ver2;
++		if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
++			pr_err("%s: Invalid stream handle \n", __func__);
++			rc = -EINVAL;
++			break;
++		}
++		stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
++			req_frm->stream_handle)];
++
+ 		rc = msm_isp_request_frame(vfe_dev, stream_info,
+ 			req_frm->user_stream_id,
+ 			req_frm->frame_id,

Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch

@@ -1,57 +0,0 @@
-From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001
-From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
-Date: Mon, 10 Apr 2017 15:11:14 +0530
-Subject: msm: camera: isp: add bound check to handle array out of access
-
-The pointer req_frm comes from userspace,
-req_frm->stream_handle is passed as an argument to
-the function msm_isp_get_stream_common_data,
-stream_idx can overflow common_data->streams[] and
-the code ends up copying an out of bound
-kernel address into stream_info. Adding bound check to
-handle the same.
-
-CRs-fixed: 2008683
-Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
-Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
----
- drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++
- drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-index dce474e..8ab2e85 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
-@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- 			&update_cmd->req_frm_ver2;
- 		stream_info = msm_isp_get_stream_common_data(vfe_dev,
- 				HANDLE_TO_IDX(req_frm->stream_handle));
-+		if (stream_info == NULL) {
-+			pr_err_ratelimited("%s: stream_info is NULL\n",
-+				__func__);
-+			rc = -EINVAL;
-+			break;
-+		}
- 		rc = msm_isp_request_frame(vfe_dev, stream_info,
- 			req_frm->user_stream_id,
- 			req_frm->frame_id,
-diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-index 65009cb..a8d4cfb 100644
---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
-@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
- 	struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
- 	struct msm_vfe_axi_stream *stream_info;
- 
-+	if (stream_idx >= VFE_AXI_SRC_MAX) {
-+		pr_err("invalid stream_idx %d\n", stream_idx);
-+		return NULL;
-+	}
-+
- 	if (vfe_dev->is_split &&  stream_idx < RDI_INTF_0)
- 		stream_info = &common_data->streams[stream_idx];
- 	else
--- 
-cgit v1.1
-

Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch

@@ -1,36 +1,57 @@
-From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
-From: Sriraj Hebbar <srirajh@qti.qualcomm.com>
-Date: Fri, 30 Jun 2017 13:14:28 +0530
-Subject: msm: camera: isp: Handle array out of bound access
+From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001
+From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
+Date: Mon, 10 Apr 2017 15:11:14 +0530
+Subject: msm: camera: isp: add bound check to handle array out of access
 
-The pointer req_frm is coming from userspace, it may overflow stream_info.
-Adding a bound check to prevent the same.
+The pointer req_frm comes from userspace,
+req_frm->stream_handle is passed as an argument to
+the function msm_isp_get_stream_common_data,
+stream_idx can overflow common_data->streams[] and
+the code ends up copying an out of bound
+kernel address into stream_info. Adding bound check to
+handle the same.
 
 CRs-fixed: 2008683
-Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
+Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
 Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
-Signed-off-by: Andy Sun <bins@codeaurora.org>
 ---
- drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
- 1 file changed, 6 insertions(+)
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++
+ 2 files changed, 11 insertions(+)
 
-diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-index 373a963..a85ee30 100644
---- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
-@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
- 	case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
- 		struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+index dce474e..8ab2e85 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
  			&update_cmd->req_frm_ver2;
-+		if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
-+			pr_err("%s: Invalid stream handle\n", __func__);
+ 		stream_info = msm_isp_get_stream_common_data(vfe_dev,
+ 				HANDLE_TO_IDX(req_frm->stream_handle));
++		if (stream_info == NULL) {
++			pr_err_ratelimited("%s: stream_info is NULL\n",
++				__func__);
 +			rc = -EINVAL;
 +			break;
 +		}
-+
- 		stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
- 				req_frm->stream_handle)];
  		rc = msm_isp_request_frame(vfe_dev, stream_info,
+ 			req_frm->user_stream_id,
+ 			req_frm->frame_id,
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
+index 65009cb..a8d4cfb 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
+@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
+ 	struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
+ 	struct msm_vfe_axi_stream *stream_info;
+ 
++	if (stream_idx >= VFE_AXI_SRC_MAX) {
++		pr_err("invalid stream_idx %d\n", stream_idx);
++		return NULL;
++	}
++
+ 	if (vfe_dev->is_split &&  stream_idx < RDI_INTF_0)
+ 		stream_info = &common_data->streams[stream_idx];
+ 	else
 -- 
 cgit v1.1
 

Patches/Linux_CVEs/CVE-2017-11028/ANY/0003.patch

@@ -0,0 +1,36 @@
+From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
+From: Sriraj Hebbar <srirajh@qti.qualcomm.com>
+Date: Fri, 30 Jun 2017 13:14:28 +0530
+Subject: msm: camera: isp: Handle array out of bound access
+
+The pointer req_frm is coming from userspace, it may overflow stream_info.
+Adding a bound check to prevent the same.
+
+CRs-fixed: 2008683
+Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
+Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
+Signed-off-by: Andy Sun <bins@codeaurora.org>
+---
+ drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+index 373a963..a85ee30 100644
+--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
++++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
+ 	case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
+ 		struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
+ 			&update_cmd->req_frm_ver2;
++		if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
++			pr_err("%s: Invalid stream handle\n", __func__);
++			rc = -EINVAL;
++			break;
++		}
++
+ 		stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
+ 				req_frm->stream_handle)];
+ 		rc = msm_isp_request_frame(vfe_dev, stream_info,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-11029/3.10/0001.patch

@@ -0,0 +1,108 @@
+From e13a16c079cf8f5c758f5c31fbd72edca2656e54 Mon Sep 17 00:00:00 2001
+From: Jonathan Solnit <jsolnit@google.com>
+Date: Fri, 1 Sep 2017 17:21:05 -0700
+Subject: [PATCH] msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue
+
+When the Camera application exercises the  V4L2  ioctl operations, CPP
+driver would attempt to the copy  user space buffer  contents into the
+internal kernel buffer.  If an invalid length of the user space buffer
+is passed onto the driver, it could trigger buffer overflow condition.
+
+Thus, fix this by copying user space buffer contents into kernel space
+buffer of the  driver for further processing,  only after checking for
+proper length of user space buffer.
+
+Bug: 64433362
+CRs-fixed: 2025367
+Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
+Signed-off-by: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
+Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
+Signed-off-by: Jonathan Solnit <jsolnit@google.com>
+---
+ .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c     | 23 ++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+index 1dfe7f6abc312..9d7e51c37f486 100644
+--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+@@ -2288,11 +2288,13 @@ static void msm_cpp_fw_version(struct cpp_device *cpp_dev)
+ 	msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_TRAILER);
+ }
+ 
+-static int msm_cpp_validate_input(unsigned int cmd, void *arg,
++static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
+ 	struct msm_camera_v4l2_ioctl_t **ioctl_ptr)
+ {
+ 	switch (cmd) {
+ 	case MSM_SD_SHUTDOWN:
++	case VIDIOC_MSM_CPP_IOMMU_ATTACH:
++	case VIDIOC_MSM_CPP_IOMMU_DETACH:
+ 		break;
+ 	default: {
+ 		if (ioctl_ptr == NULL) {
+@@ -2301,8 +2303,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
+ 		}
+ 
+ 		*ioctl_ptr = arg;
+-		if ((*ioctl_ptr == NULL) ||
+-			(*ioctl_ptr)->ioctl_ptr == NULL) {
++		if (((*ioctl_ptr) == NULL) ||
++			((*ioctl_ptr)->ioctl_ptr == NULL) ||
++			((*ioctl_ptr)->len == 0)) {
+ 			pr_err("Error invalid ioctl argument cmd %u", cmd);
+ 			return -EINVAL;
+ 		}
+@@ -2334,7 +2337,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
+ 		return -EINVAL;
+ 	}
+ 
+-	rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
++	rc = msm_cpp_validate_ioctl_input(cmd, arg, &ioctl_ptr);
+ 	if (rc != 0) {
+ 		pr_err("input validation failed\n");
+ 		return rc;
+@@ -2799,6 +2802,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
+ 				pr_err("%s:%dError iommu_attach_device failed\n",
+ 					__func__, __LINE__);
+ 				rc = -EINVAL;
++				break;
+ 			}
+ 			cpp_dev->iommu_state = CPP_IOMMU_STATE_ATTACHED;
+ 		} else {
+@@ -2813,10 +2817,17 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
+ 			(cpp_dev->stream_cnt == 0)) {
+ 			iommu_detach_device(cpp_dev->domain,
+ 				cpp_dev->iommu_ctx);
++			if (rc < 0) {
++				pr_err("%s:%dError iommu detach failed\n",
++					__func__, __LINE__);
++				rc = -EINVAL;
++				break;
++			}
+ 			cpp_dev->iommu_state = CPP_IOMMU_STATE_DETACHED;
+ 		} else {
+ 			pr_err("%s:%d IOMMMU attach triggered in invalid state\n",
+ 				__func__, __LINE__);
++			rc = -EINVAL;
+ 		}
+ 		break;
+ 	}
+@@ -3422,7 +3433,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ 	default:
+ 		pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n",
+ 				__func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE);
+-		break;
++		return -EINVAL;
+ 	}
+ 
+ 	switch (cmd) {
+@@ -3448,7 +3459,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ 	default:
+ 		pr_err_ratelimited("%s: unsupported compat type :%d\n",
+ 				__func__, cmd);
+-		break;
++		return -EINVAL;
+ 	}
+ 
+ 	up32_ioctl.id = kp_ioctl.id;

Patches/Linux_CVEs/CVE-2017-11073/3.10/0001.patch

@@ -0,0 +1,143 @@
+From 120d28bad9890eca3a6451a83a7c71cb650dfef7 Mon Sep 17 00:00:00 2001
+From: "Poddar, Siddarth" <siddpodd@codeaurora.org>
+Date: Wed, 5 Jul 2017 12:31:03 +0530
+Subject: [PATCH] qcacld-2.0: Remove code related to mmap functionality for
+ pktlog
+
+Remove the code related to mmap functionality for pktlog
+as it is no longer used/required.
+
+Bug: 62084791
+Change-Id: I06767f108c0ff6462a9e20e7b50d08bf4ac9555f
+CRs-Fixed: 2064767
+Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
+---
+ .../qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c        | 102 ---------------------
+ 1 file changed, 102 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
+index 173ed4e8eec1a..ec61b77e827cf 100644
+--- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
++++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
+@@ -82,14 +82,12 @@ static int pktlog_attach(struct ol_softc *sc);
+ static void pktlog_detach(struct ol_softc *sc);
+ static int pktlog_open(struct inode *i, struct file *f);
+ static int pktlog_release(struct inode *i, struct file *f);
+-static int pktlog_mmap(struct file *f, struct vm_area_struct *vma);
+ static ssize_t pktlog_read(struct file *file, char *buf, size_t nbytes,
+ 			   loff_t * ppos);
+ 
+ static struct file_operations pktlog_fops = {
+ 	open:pktlog_open,
+ 	release:pktlog_release,
+-	mmap:pktlog_mmap,
+ 	read:pktlog_read,
+ };
+ 
+@@ -921,106 +919,6 @@ static volatile void *pktlog_virt_to_logical(volatile void *addr)
+ }
+ #endif
+ 
+-/* vma operations for mapping vmalloced area to user space */
+-static void pktlog_vopen(struct vm_area_struct *vma)
+-{
+-	PKTLOG_MOD_INC_USE_COUNT;
+-}
+-
+-static void pktlog_vclose(struct vm_area_struct *vma)
+-{
+-	PKTLOG_MOD_DEC_USE_COUNT;
+-}
+-
+-#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25)
+-int pktlog_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
+-{
+-	unsigned long address = (unsigned long)vmf->virtual_address;
+-
+-	if (address == 0UL)
+-		return VM_FAULT_NOPAGE;
+-
+-	if (vmf->pgoff > vma->vm_end)
+-		return VM_FAULT_SIGBUS;
+-
+-	get_page(virt_to_page((void *)address));
+-	vmf->page = virt_to_page((void *)address);
+-	return VM_FAULT_MINOR;
+-}
+-#else
+-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+-struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr,
+-			  int *type)
+-#else
+-struct page *pktlog_vmmap(struct vm_area_struct *vma, unsigned long addr,
+-			  int write_access)
+-#endif
+-{
+-	unsigned long offset, vaddr;
+-	struct proc_dir_entry *proc_entry;
+-	struct ath_pktlog_info *pl_info =
+-
+-	proc_entry = PDE(vma->vm_file->f_dentry->d_inode);
+-	pl_info = (struct ath_pktlog_info *)proc_entry->data;
+-
+-	offset = addr - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT);
+-	vaddr = (unsigned long) pktlog_virt_to_logical(
+-					(void *)(pl_info->buf) + offset);
+-
+-	if (vaddr == 0UL) {
+-		printk(PKTLOG_TAG "%s: page fault out of range\n", __func__);
+-		return ((struct page *) 0UL);
+-	}
+-
+-	/* increment the usage count of the page */
+-	get_page(virt_to_page((void*)vaddr));
+-
+-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+-	if (type)
+-		*type = VM_FAULT_MINOR;
+-#endif
+-
+-	return virt_to_page((void *)vaddr);
+-}
+-#endif /* LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25) */
+-
+-static struct vm_operations_struct pktlog_vmops = {
+-	open:pktlog_vopen,
+-	close:pktlog_vclose,
+-#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,25)
+-	fault:pktlog_fault,
+-#else
+-	nopage:pktlog_vmmap,
+-#endif
+-};
+-
+-static int pktlog_mmap(struct file *file, struct vm_area_struct *vma)
+-{
+-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,10,0)
+-	struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
+-					  PDE_DATA(file->f_path.dentry->d_inode);
+-#else
+-	struct proc_dir_entry *proc_entry = PDE(file->f_dentry->d_inode);
+-	struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
+-					  proc_entry->data;
+-#endif
+-
+-	if (vma->vm_pgoff != 0) {
+-		/* Entire buffer should be mapped */
+-		return -EINVAL;
+-	}
+-
+-	if (!pl_info->buf) {
+-		printk(PKTLOG_TAG "%s: Log buffer unavailable\n", __func__);
+-		return -ENOMEM;
+-	}
+-
+-	vma->vm_flags |= VM_LOCKED;
+-	vma->vm_ops = &pktlog_vmops;
+-	pktlog_vopen(vma);
+-	return 0;
+-}
+-
+ int pktlogmod_init(void *context)
+ {
+ 	int ret;

Patches/Linux_CVEs/CVE-2017-11085/3.10/0001.patch

@@ -0,0 +1,274 @@
+From dc8f7a19762df2c84678482b60f6b807b919eb44 Mon Sep 17 00:00:00 2001
+From: Weiyin Jiang <wjiang@codeaurora.org>
+Date: Fri, 28 Jul 2017 11:01:40 +0800
+Subject: [PATCH] SoC: msm: audio-effects: return directly to avoid integer
+ overflow
+
+Return error code directly to avoid further integer overflow leading
+to buffer overflow.
+
+Bug: 62952032
+Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b
+CRs-Fixed: 2077909
+Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>
+Signed-off-by: Paresh Purabhiya <ppurab@codeaurora.org>
+---
+ sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 56 ++++++++++++-------------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
+index 2bcd339f1ff59..95c382ddb77b9 100644
+--- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
+@@ -175,7 +175,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"VIRT ENABLE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 				AUDPROC_MODULE_ID_VIRTUALIZER;
+ 				*updt_params++ =
+@@ -203,7 +203,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"VIRT STRENGTH", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_VIRTUALIZER;
+ 				*updt_params++ =
+@@ -231,7 +231,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"VIRT OUT_TYPE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_VIRTUALIZER;
+ 				*updt_params++ =
+@@ -259,7 +259,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"VIRT GAIN_ADJUST", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 				AUDPROC_MODULE_ID_VIRTUALIZER;
+ 				*updt_params++ =
+@@ -338,7 +338,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_ENABLE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -366,7 +366,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_MODE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -394,7 +394,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_PRESET", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -422,7 +422,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_WET_MIX", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -450,7 +450,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_GAIN_ADJUST", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -478,7 +478,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_ROOM_LEVEL", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -506,7 +506,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_ROOM_HF_LEVEL", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -534,7 +534,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_DECAY_TIME", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -562,7 +562,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_DECAY_HF_RATIO", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -590,7 +590,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_REFLECTIONS_LEVEL", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 				AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -618,7 +618,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_REFLECTIONS_DELAY", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 				AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -646,7 +646,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_LEVEL", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -674,7 +674,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_DELAY", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -702,7 +702,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_DIFFUSION", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -730,7 +730,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"REVERB_DENSITY", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_REVERB;
+ 				*updt_params++ =
+@@ -810,7 +810,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"BASS_BOOST_ENABLE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_BASS_BOOST;
+ 				*updt_params++ =
+@@ -838,7 +838,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"BASS_BOOST_MODE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_BASS_BOOST;
+ 				*updt_params++ =
+@@ -866,7 +866,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"BASS_BOOST_STRENGTH", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_BASS_BOOST;
+ 				*updt_params++ =
+@@ -947,7 +947,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"EQ_ENABLE", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
+ 				*updt_params++ =
+@@ -1015,7 +1015,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"EQ_CONFIG", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
+ 				*updt_params++ =
+@@ -1066,7 +1066,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"EQ_BAND_INDEX", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
+ 				*updt_params++ =
+@@ -1098,7 +1098,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac,
+ 						MAX_INBAND_PARAM_SZ,
+ 						"EQ_SINGLE_BAND_FREQ", rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				*updt_params++ =
+ 					AUDPROC_MODULE_ID_POPLESS_EQUALIZER;
+ 				*updt_params++ =
+@@ -1188,7 +1188,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac,
+ 						"VOLUME/VOLUME2_GAIN_2CH",
+ 						rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				if (instance == SOFT_VOLUME_INSTANCE_2)
+ 					*updt_params++ =
+ 						ASM_MODULE_ID_VOL_CTRL2;
+@@ -1237,7 +1237,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac,
+ 						"VOLUME/VOLUME2_GAIN_MASTER",
+ 						rc);
+ 				if (rc != 0)
+-					break;
++					goto invalid_config;
+ 				if (instance == SOFT_VOLUME_INSTANCE_2)
+ 					*updt_params++ =
+ 						ASM_MODULE_ID_VOL_CTRL2;

Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch

@@ -0,0 +1,12 @@
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 78b6f74..f927434 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -365,6 +365,7 @@
+ 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
+ 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
+ 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
++	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
+ 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
+ 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
+ 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },

Patches/Linux_CVEs/CVE-2017-11089/ANY/0001.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMgYi9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jCmluZGV4IDc4YjZmNzQuLmY5Mjc0MzQgMTAwNjQ0Ci0tLSBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMKKysrIGIvbmV0L3dpcmVsZXNzL25sODAyMTEuYwpAQCAtMzY1LDYgKzM2NSw3IEBACiAJW05MODAyMTFfQVRUUl9TQ0FOX0ZMQUdTXSA9IHsgLnR5cGUgPSBOTEFfVTMyIH0sCiAJW05MODAyMTFfQVRUUl9QMlBfQ1RXSU5ET1ddID0geyAudHlwZSA9IE5MQV9VOCB9LAogCVtOTDgwMjExX0FUVFJfUDJQX09QUFBTXSA9IHsgLnR5cGUgPSBOTEFfVTggfSwKKwlbTkw4MDIxMV9BVFRSX0xPQ0FMX01FU0hfUE9XRVJfTU9ERV0gPSB7LiB0eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfQUNMX1BPTElDWV0gPSB7LiB0eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfTUFDX0FERFJTXSA9IHsgLnR5cGUgPSBOTEFfTkVTVEVEIH0sCiAJW05MODAyMTFfQVRUUl9TVEFfQ0FQQUJJTElUWV0gPSB7IC50eXBlID0gTkxBX1UxNiB9LAo=

Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch

@@ -0,0 +1,14 @@
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 5112673..78b6f74 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -310,8 +310,7 @@
+ 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
+ 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
+ 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
+-	[NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
+-				 .len = WLAN_PMKID_LEN },
++	[NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
+ 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
+ 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
+ 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },

Patches/Linux_CVEs/CVE-2017-11090/ANY/0001.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMgYi9uZXQvd2lyZWxlc3Mvbmw4MDIxMS5jCmluZGV4IDUxMTI2NzMuLjc4YjZmNzQgMTAwNjQ0Ci0tLSBhL25ldC93aXJlbGVzcy9ubDgwMjExLmMKKysrIGIvbmV0L3dpcmVsZXNzL25sODAyMTEuYwpAQCAtMzEwLDggKzMxMCw3IEBACiAJW05MODAyMTFfQVRUUl9XUEFfVkVSU0lPTlNdID0geyAudHlwZSA9IE5MQV9VMzIgfSwKIAlbTkw4MDIxMV9BVFRSX1BJRF0gPSB7IC50eXBlID0gTkxBX1UzMiB9LAogCVtOTDgwMjExX0FUVFJfNEFERFJdID0geyAudHlwZSA9IE5MQV9VOCB9LAotCVtOTDgwMjExX0FUVFJfUE1LSURdID0geyAudHlwZSA9IE5MQV9CSU5BUlksCi0JCQkJIC5sZW4gPSBXTEFOX1BNS0lEX0xFTiB9LAorCVtOTDgwMjExX0FUVFJfUE1LSURdID0geyAubGVuID0gV0xBTl9QTUtJRF9MRU4gfSwKIAlbTkw4MDIxMV9BVFRSX0RVUkFUSU9OXSA9IHsgLnR5cGUgPSBOTEFfVTMyIH0sCiAJW05MODAyMTFfQVRUUl9DT09LSUVdID0geyAudHlwZSA9IE5MQV9VNjQgfSwKIAlbTkw4MDIxMV9BVFRSX1RYX1JBVEVTXSA9IHsgLnR5cGUgPSBOTEFfTkVTVEVEIH0sCg==

Patches/Linux_CVEs/CVE-2017-11091/3.18/0001.patch

@@ -0,0 +1,61 @@
+From 10b0cb47e92abe52c5372ded0fe80a5a5f18586f Mon Sep 17 00:00:00 2001
+From: Harsh Sahu <hsahu@codeaurora.org>
+Date: Thu, 29 Jun 2017 18:50:20 -0700
+Subject: [PATCH] msm: mdss: fix the use after free problem in rotator ioctl
+
+Currently the fence fd is installed too early. This can cause a
+use after free problem if the fence fd is closed in some other thread.
+This change will install the fence fd where it is required and
+eliminates the problem.
+
+Bug: 37478866
+Change-Id: I5cf585ea87ef75fccae06da6cb5a6c16fc74eff3
+Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
+---
+ drivers/video/msm/mdss/mdss_rotator.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
+index 95ca5b74e2369..5910a69bc844b 100644
+--- a/drivers/video/msm/mdss/mdss_rotator.c
++++ b/drivers/video/msm/mdss/mdss_rotator.c
+@@ -375,6 +375,15 @@ static bool mdss_rotator_is_work_pending(struct mdss_rot_mgr *mgr,
+ 	return false;
+ }
+ 
++static void mdss_rotator_install_fence_fd(struct mdss_rot_entry_container *req)
++{
++	int i = 0;
++
++	for (i = 0; i < req->count; i++)
++		sync_fence_install(req->entries[i].output_fence,
++				req->entries[i].output_fence_fd);
++}
++
+ static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
+ {
+ 	int ret = 0, fd;
+@@ -413,7 +422,6 @@ static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
+ 		goto get_fd_err;
+ 	}
+ 
+-	sync_fence_install(fence, fd);
+ 	rot_timeline->next_value++;
+ 	mutex_unlock(&rot_timeline->lock);
+ 
+@@ -2248,6 +2256,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
+ 		goto handle_request_err1;
+ 	}
+ 
++	mdss_rotator_install_fence_fd(req);
+ 	mdss_rotator_queue_request(mgr, private, req);
+ 
+ 	mutex_unlock(&mgr->lock);
+@@ -2408,6 +2417,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
+ 		goto handle_request32_err1;
+ 	}
+ 
++	mdss_rotator_install_fence_fd(req);
+ 	mdss_rotator_queue_request(mgr, private, req);
+ 
+ 	mutex_unlock(&mgr->lock);

Patches/Linux_CVEs/CVE-2017-11092/ANY/0001.patch

@@ -0,0 +1,164 @@
+diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
+index 350ad08..44f981c 100644
+--- a/drivers/gpu/msm/kgsl.c
++++ b/drivers/gpu/msm/kgsl.c
+@@ -1609,6 +1609,7 @@
+ 	struct kgsl_device *device;
+ 	struct kgsl_cmdbatch *cmdbatch = (struct kgsl_cmdbatch *) data;
+ 	struct kgsl_cmdbatch_sync_event *event;
++	unsigned long flags;
+ 
+ 	if (cmdbatch == NULL || cmdbatch->context == NULL)
+ 		return;
+@@ -1623,14 +1624,14 @@
+ 	kgsl_context_dump(cmdbatch->context);
+ 	clear_bit(CMDBATCH_FLAG_FENCE_LOG, &cmdbatch->priv);
+ 
+-	spin_lock(&cmdbatch->lock);
++	spin_lock_irqsave(&cmdbatch->lock, flags);
+ 	/* Print all the fences */
+ 	list_for_each_entry(event, &cmdbatch->synclist, node) {
+ 		if (KGSL_CMD_SYNCPOINT_TYPE_FENCE == event->type &&
+ 			event->handle && event->handle->fence)
+ 			kgsl_sync_fence_log(event->handle->fence);
+ 	}
+-	spin_unlock(&cmdbatch->lock);
++	spin_unlock_irqrestore(&cmdbatch->lock, flags);
+ 	dev_err(device->dev, "--gpu syncpoint deadlock print end--\n");
+ }
+ /**
+@@ -1685,15 +1686,16 @@
+ 	struct kgsl_cmdbatch_sync_event *event)
+ {
+ 	struct kgsl_cmdbatch_sync_event *e, *tmp;
++	unsigned long flags;
+ 	int sched = 0;
+ 	int removed = 0;
+ 
+ 	/*
+-	 * We may have cmdbatch timer running, which also uses same lock,
+-	 * take a lock with software interrupt disabled (bh) to avoid
+-	 * spin lock recursion.
++	 * cmdbatch timer or event callback might run at
++	 * this time in interrupt context and uses same lock.
++	 * So use irq-save version of spin lock.
+ 	 */
+-	spin_lock_bh(&event->cmdbatch->lock);
++	spin_lock_irqsave(&event->cmdbatch->lock, flags);
+ 
+ 	/*
+ 	 * sync events that are contained by a cmdbatch which has been
+@@ -1708,8 +1710,9 @@
+ 		}
+ 	}
+ 
++	event->handle = NULL;
+ 	sched = list_empty(&event->cmdbatch->synclist) ? 1 : 0;
+-	spin_unlock_bh(&event->cmdbatch->lock);
++	spin_unlock_irqrestore(&event->cmdbatch->lock, flags);
+ 
+ 	/* If the list is empty delete the canary timer */
+ 	if (sched)
+@@ -1771,16 +1774,20 @@
+ 	struct kgsl_cmdbatch_sync_event *event, *tmpsync;
+ 	LIST_HEAD(cancel_synclist);
+ 	int sched = 0;
++	unsigned long flags;
+ 
+ 	/* Zap the canary timer */
+ 	del_timer_sync(&cmdbatch->timer);
+ 
+-	/* non-bh because we just destroyed timer */
+-	spin_lock(&cmdbatch->lock);
++	/*
++	 * callback might run in interrupt context
++	 * so need to use irqsave version of spinlocks.
++	 */
++	spin_lock_irqsave(&cmdbatch->lock, flags);
+ 
+ 	/* Empty the synclist before canceling events */
+ 	list_splice_init(&cmdbatch->synclist, &cancel_synclist);
+-	spin_unlock(&cmdbatch->lock);
++	spin_unlock_irqrestore(&cmdbatch->lock, flags);
+ 
+ 	/*
+ 	 * Finish canceling events outside the cmdbatch spinlock and
+@@ -1802,8 +1809,15 @@
+ 				kgsl_cmdbatch_sync_func, event);
+ 		} else if (event->type == KGSL_CMD_SYNCPOINT_TYPE_FENCE) {
+ 			/* Put events that are successfully canceled */
+-			if (kgsl_sync_fence_async_cancel(event->handle))
++			spin_lock_irqsave(&cmdbatch->lock, flags);
++
++			if (kgsl_sync_fence_async_cancel(event->handle)) {
++				event->handle = NULL;
++				spin_unlock_irqrestore(&cmdbatch->lock, flags);
+ 				kgsl_cmdbatch_sync_event_put(event);
++			} else {
++				spin_unlock_irqrestore(&cmdbatch->lock, flags);
++			}
+ 		}
+ 
+ 		/* Put events that have been removed from the synclist */
+@@ -1864,6 +1878,7 @@
+ {
+ 	struct kgsl_cmd_syncpoint_fence *sync = priv;
+ 	struct kgsl_cmdbatch_sync_event *event;
++	unsigned long flags;
+ 
+ 	event = kzalloc(sizeof(*event), GFP_KERNEL);
+ 
+@@ -1892,11 +1907,6 @@
+ 
+ 	kref_get(&event->refcount);
+ 
+-	/* non-bh because, we haven't started cmdbatch timer yet */
+-	spin_lock(&cmdbatch->lock);
+-	list_add(&event->node, &cmdbatch->synclist);
+-	spin_unlock(&cmdbatch->lock);
+-
+ 	/*
+ 	 * Increment the reference count for the async callback.
+ 	 * Decrement when the callback is successfully canceled, when
+@@ -1904,6 +1914,10 @@
+ 	 */
+ 
+ 	kref_get(&event->refcount);
++
++	spin_lock_irqsave(&cmdbatch->lock, flags);
++	list_add(&event->node, &cmdbatch->synclist);
++
+ 	event->handle = kgsl_sync_fence_async_wait(sync->fd,
+ 		kgsl_cmdbatch_sync_fence_func, event);
+ 
+@@ -1911,17 +1925,14 @@
+ 		int ret = PTR_ERR(event->handle);
+ 
+ 		event->handle = NULL;
+-
+-		/* Failed to add the event to the async callback */
+-		kgsl_cmdbatch_sync_event_put(event);
+-
+ 		/* Remove event from the synclist */
+-		spin_lock(&cmdbatch->lock);
+ 		list_del(&event->node);
+-		spin_unlock(&cmdbatch->lock);
++		spin_unlock_irqrestore(&cmdbatch->lock, flags);
++		/* Put for event removal from the synclist */
+ 		kgsl_cmdbatch_sync_event_put(event);
+-
+-		/* Event no longer needed by this function */
++		/* Unable to add event to the async callback so a put */
++		kgsl_cmdbatch_sync_event_put(event);
++		/* Put since event no longer needed by this function */
+ 		kgsl_cmdbatch_sync_event_put(event);
+ 
+ 		/*
+@@ -1935,6 +1946,7 @@
+ 	}
+ 
+ 	trace_syncpoint_fence(cmdbatch, event->handle->name);
++	spin_unlock_irqrestore(&cmdbatch->lock, flags);
+ 
+ 	/*
+ 	 * Event was successfully added to the synclist, the async

Patches/Linux_CVEs/CVE-2017-11093/3.18/0001.patch

@@ -0,0 +1,35 @@
+From 072d53b2ca00ac57ca4e0ebe2315b431256cf786 Mon Sep 17 00:00:00 2001
+From: Narender Ankam <nankam@codeaurora.org>
+Date: Wed, 23 Aug 2017 15:55:50 +0530
+Subject: [PATCH] msm: mdss: hdmi: validate HDMI EDID's max number of CEA
+ blocks
+
+No upper-bound validation is performed when reading number of
+extended CEA blocks from the untrusted source (EDID). Add a check
+to limit the number of CEA extension blocks.
+
+Bug: 37625232
+Change-Id: I69f09ed0ad28a4c267cf3e8f7a12efe46f75e244
+Signed-off-by: Narender Ankam <nankam@codeaurora.org>
+---
+ drivers/video/msm/mdss/mdss_hdmi_edid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/video/msm/mdss/mdss_hdmi_edid.c b/drivers/video/msm/mdss/mdss_hdmi_edid.c
+index 36c24302658d8..5c8f52c42302c 100644
+--- a/drivers/video/msm/mdss/mdss_hdmi_edid.c
++++ b/drivers/video/msm/mdss/mdss_hdmi_edid.c
+@@ -2180,6 +2180,13 @@ int hdmi_edid_parser(void *input)
+ 		goto bail;
+ 	}
+ 
++	/* Find out if CEA extension blocks exceeding max limit */
++	if (num_of_cea_blocks >= MAX_EDID_BLOCKS) {
++		DEV_WARN("%s: HDMI EDID exceeded max CEA blocks limit\n",
++				__func__);
++		num_of_cea_blocks = MAX_EDID_BLOCKS - 1;
++	}
++
+ 	/* check for valid CEA block */
+ 	if (edid_buf[EDID_BLOCK_SIZE] != 2) {
+ 		DEV_ERR("%s: Invalid CEA block\n", __func__);

Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch

@@ -1,44 +1,67 @@
-From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
-From: Vladis Dronov <vdronov@redhat.com>
-Date: Wed, 2 Aug 2017 19:50:14 +0200
-Subject: xfrm: policy: check policy direction value
+From 0af5440977299a17a0f226ce00d872572a426c14 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Tue, 15 Aug 2017 15:12:24 -0700
+Subject: [PATCH] ANDROID: check dir value of xfrm_userpolicy_id
 
-The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
-as an array index. This can lead to an out-of-bound access, kernel lockup and
-DoS. Add a check for the 'dir' value.
+Check user provided dir value to prevent out-of-bound access
+which may occur if dir is not less than XFRM_POLICY_MAX.
 
-This fixes CVE-2017-11600.
+(url: http://seclists.org/bugtraq/2017/Jul/30)
 
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
-Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
-Cc: <stable@vger.kernel.org> # v2.6.21-rc1
-Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Bug: 64257838
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
 ---
- net/xfrm/xfrm_policy.c | 6 ++++++
- 1 file changed, 6 insertions(+)
+ net/xfrm/xfrm_user.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
 
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index ff61d85..6f5a0dad 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
- 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
- 	struct xfrm_migrate *mp;
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 3f565e495ac6..0cc105403826 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1583,6 +1583,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ 	struct sk_buff *skb;
+ 	int err;
  
-+	/* Stage 0 - sanity checks */
- 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
- 		goto out;
- 
-+	if (dir >= XFRM_POLICY_MAX) {
-+		err = -EINVAL;
-+		goto out;
-+	}
++	err = verify_policy_dir(dir);
++	if (err)
++		return ERR_PTR(err);
 +
- 	/* Stage 1 - find policy */
- 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
- 		err = -ENOENT;
--- 
-cgit v1.1
-
+ 	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ 	if (!skb)
+ 		return ERR_PTR(-ENOMEM);
+@@ -2129,6 +2133,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+ 	int err;
+ 	int n = 0;
+ 
++	err = verify_policy_dir(pi->dir);
++	if (err)
++		return err;
++
+ 	if (attrs[XFRMA_MIGRATE] == NULL)
+ 		return -EINVAL;
+ 
+@@ -2243,6 +2251,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ {
+ 	struct net *net = &init_net;
+ 	struct sk_buff *skb;
++	int err;
++
++	err = verify_policy_dir(dir);
++	if (err)
++		return err;
+ 
+ 	skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);
+ 	if (skb == NULL)
+@@ -2871,6 +2884,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
+ 
+ static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
+ {
++	int err;
++
++	err = verify_policy_dir(dir);
++	if (err)
++		return err;
+ 
+ 	switch (c->event) {
+ 	case XFRM_MSG_NEWPOLICY:

Patches/Linux_CVEs/CVE-2017-11600/3.10/0002.patch

@@ -0,0 +1,44 @@
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Cc: <stable@vger.kernel.org> # v2.6.21-rc1
+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index ff61d85..6f5a0dad 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+ 	struct xfrm_migrate *mp;
+ 
++	/* Stage 0 - sanity checks */
+ 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ 		goto out;
+ 
++	if (dir >= XFRM_POLICY_MAX) {
++		err = -EINVAL;
++		goto out;
++	}
++
+ 	/* Stage 1 - find policy */
+ 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+ 		err = -ENOENT;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-16537/^4.13/0001.patch

@@ -0,0 +1,32 @@
+From 58fd55e838276a0c13d1dc7c387f90f25063cbf3 Mon Sep 17 00:00:00 2001
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Mon, 9 Oct 2017 20:14:48 +0200
+Subject: [PATCH] media: imon: Fix null-ptr-deref in imon_probe
+
+It seems that the return value of usb_ifnum_to_if() can be NULL and
+needs to be checked.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/rc/imon.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
+index 9724fe8110e3d..9fef8cc171140 100644
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -2515,6 +2515,11 @@ static int imon_probe(struct usb_interface *interface,
+ 	mutex_lock(&driver_lock);
+ 
+ 	first_if = usb_ifnum_to_if(usbdev, 0);
++	if (!first_if) {
++		ret = -ENODEV;
++		goto fail;
++	}
++
+ 	first_if_ctx = usb_get_intfdata(first_if);
+ 
+ 	if (ifnum == 0) {

Patches/Linux_CVEs/CVE-2017-16648/ANY/0001.patch

@@ -0,0 +1,182 @@
+From b1cb7372fa822af6c06c8045963571d13ad6348b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Tue, 7 Nov 2017 08:39:39 -0500
+Subject: [PATCH] dvb_frontend: don't use-after-free the frontend struct
+
+dvb_frontend_invoke_release() may free the frontend struct.
+So, the free logic can't update it anymore after calling it.
+
+That's OK, as __dvb_frontend_free() is called only when the
+krefs are zeroed, so nobody is using it anymore.
+
+That should fix the following KASAN error:
+
+The KASAN report looks like this (running on kernel 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+)):
+==================================================================
+BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
+Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24
+
+CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ print_address_description+0x78/0x280 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351
+ kasan_report+0x23d/0x350 mm/kasan/report.c:409
+ __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
+ __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
+ dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
+ dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
+ dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
+ dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
+ dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
+ dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
+ usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
+ __device_release_driver drivers/base/dd.c:861
+ device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
+ device_release_driver+0x1e/0x30 drivers/base/dd.c:918
+ bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
+ device_del+0x5c4/0xab0 drivers/base/core.c:1985
+ usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
+ usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
+ hub_port_connect drivers/usb/core/hub.c:4754
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x363/0x440 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Allocated by task 24:
+ save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
+ kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
+ kmalloc ./include/linux/slab.h:493
+ kzalloc ./include/linux/slab.h:666
+ dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212
+ dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136
+ dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
+ dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
+ dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
+ dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155
+ usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
+ generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+ usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+ hub_port_connect drivers/usb/core/hub.c:4903
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x363/0x440 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+Freed by task 24:
+ save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459
+ kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
+ slab_free_hook mm/slub.c:1390
+ slab_free_freelist_hook mm/slub.c:1412
+ slab_free mm/slub.c:2988
+ kfree+0xf6/0x2f0 mm/slub.c:3919
+ dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202
+ dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790
+ dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789
+ __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153
+ dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
+ dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
+ dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
+ dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
+ dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
+ dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
+ usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
+ __device_release_driver drivers/base/dd.c:861
+ device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
+ device_release_driver+0x1e/0x30 drivers/base/dd.c:918
+ bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
+ device_del+0x5c4/0xab0 drivers/base/core.c:1985
+ usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
+ usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
+ hub_port_connect drivers/usb/core/hub.c:4754
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x363/0x440 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+The buggy address belongs to the object at ffff880067d45500
+ which belongs to the cache kmalloc-2048 of size 2048
+The buggy address is located 1280 bytes inside of
+ 2048-byte region [ffff880067d45500, ffff880067d45d00)
+The buggy address belongs to the page:
+page:ffffea00019f5000 count:1 mapcount:0 mapping:          (null)
+index:0x0 compound_mapcount: 0
+flags: 0x100000000008100(slab|head)
+raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f
+raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880067d45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                   ^
+ ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: ead666000a5f ("media: dvb_frontend: only use kref after initialized")
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Suggested-by: Matthias Schwarzott <zzam@gentoo.org>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index d485d5f6cc887..3ad83359098bd 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -150,11 +150,8 @@ static void __dvb_frontend_free(struct dvb_frontend *fe)
+ 
+ 	dvb_frontend_invoke_release(fe, fe->ops.release);
+ 
+-	if (!fepriv)
+-		return;
+-
+-	kfree(fepriv);
+-	fe->frontend_priv = NULL;
++	if (fepriv)
++		kfree(fepriv);
+ }
+ 
+ static void dvb_frontend_free(struct kref *ref)

Patches/Linux_CVEs/CVE-2017-16USB/ANY/0006.patch

@@ -0,0 +1,96 @@
+From f9a1c372299fed53d4b72bb601f7f3bfe6f9999c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 6 Nov 2017 10:47:14 +0100
+Subject: [PATCH] ALSA: usx2y: Fix invalid stream URBs
+
+The us122l driver creates URBs per the fixed endpoints, and this may
+end up with URBs with inconsistent pipes when a fuzzer or a malicious
+program deals with the manipulated endpoints.  It ends up with a
+kernel warning like:
+
+  usb 1-1: BOGUS urb xfer, pipe 0 != type 3
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471
+  usb_submit_urb+0x113e/0x1400
+  Call Trace:
+   usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690
+   us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365
+   us122l_create_card sound/usb/usx2y/us122l.c:502
+   us122l_usb_probe sound/usb/usx2y/us122l.c:588
+   ....
+
+For avoiding the bad access, this patch adds a few sanity checks of
+the validity of created URBs like previous similar fixes using the new
+usb_urb_ep_type_check() helper function.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/usx2y/usb_stream.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
+index e229abd216526..b0f8979ff2d2f 100644
+--- a/sound/usb/usx2y/usb_stream.c
++++ b/sound/usb/usx2y/usb_stream.c
+@@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb)
+ 		    lb, s->period_size);
+ }
+ 
+-static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
++static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+ 			   struct urb **urbs, char *transfer,
+ 			   struct usb_device *dev, int pipe)
+ {
+@@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+ 		urb->interval = 1;
+ 		if (usb_pipeout(pipe))
+ 			continue;
++		if (usb_urb_ep_type_check(urb))
++			return -EINVAL;
+ 
+ 		urb->transfer_buffer_length = transfer_length;
+ 		desc = urb->iso_frame_desc;
+@@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+ 			desc[p].length = maxpacket;
+ 		}
+ 	}
++
++	return 0;
+ }
+ 
+-static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
++static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+ 		      struct usb_device *dev, int in_pipe, int out_pipe)
+ {
+ 	struct usb_stream	*s = sk->s;
+@@ -103,9 +107,12 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+ 		sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL);
+ 	}
+ 
+-	init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe);
+-	init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
+-		       out_pipe);
++	if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) ||
++	    init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
++			   out_pipe))
++		return -EINVAL;
++
++	return 0;
+ }
+ 
+ 
+@@ -226,7 +233,11 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
+ 	else
+ 		sk->freqn = get_usb_high_speed_rate(sample_rate);
+ 
+-	init_urbs(sk, use_packsize, dev, in_pipe, out_pipe);
++	if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) {
++		usb_stream_free(sk);
++		return NULL;
++	}
++
+ 	sk->s->state = usb_stream_stopped;
+ out:
+ 	return sk->s;

Patches/Linux_CVEs/CVE-2017-16USB/ANY/0007.patch

@@ -0,0 +1,51 @@
+From 58fc7f73a85d45a47057dad2af53502fdf6cf778 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Oct 2017 15:07:21 +0200
+Subject: [PATCH] ALSA: caiaq: Add a sanity check for invalid EPs
+
+As syzkaller spotted, currently caiaq driver submits a URB with the
+fixed EP without checking whether it's actually available, which may
+result in a kernel warning like:
+  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+  ------------[ cut here ]------------
+  WARNING: CPU: 1 PID: 1150 at drivers/usb/core/urb.c:449
+  usb_submit_urb+0xf8a/0x11d0
+  Modules linked in:
+  CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
+  4.14.0-rc2-42660-g24b7bd59eec0 #277
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: usb_hub_wq hub_event
+  Call Trace:
+   init_card sound/usb/caiaq/device.c:467
+   snd_probe+0x81c/0x1150 sound/usb/caiaq/device.c:525
+   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+   ....
+
+This patch adds a sanity check of validity of EPs at the device
+initialization phase for avoiding the call with an invalid EP.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/caiaq/device.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
+index 0fb6b1b792617..a29674bf96e57 100644
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -461,6 +461,13 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
+ 			  cdev->midi_out_buf, EP1_BUFSIZE,
+ 			  snd_usb_caiaq_midi_output_done, cdev);
+ 
++	/* sanity checks of EPs before actually submitting */
++	if (usb_urb_ep_type_check(&cdev->ep1_in_urb) ||
++	    usb_urb_ep_type_check(&cdev->midi_out_urb)) {
++		dev_err(dev, "invalid EPs\n");
++		return -EINVAL;
++	}
++
+ 	init_waitqueue_head(&cdev->ep1_wait_queue);
+ 	init_waitqueue_head(&cdev->prepare_wait_queue);
+ 

Patches/Linux_CVEs/CVE-2017-16USB/ANY/0008.patch

@@ -0,0 +1,52 @@
+From 2a4340c57717162c6bf07a0860d05711d4de994b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Oct 2017 15:09:24 +0200
+Subject: [PATCH] ALSA: line6: Add a sanity check for invalid EPs
+
+As syzkaller spotted, currently line6 drivers submit a URB with the
+fixed EP without checking whether it's actually available, which may
+result in a kernel warning like:
+  usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:449
+  usb_submit_urb+0xf8a/0x11d0
+  Modules linked in:
+  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #238
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: usb_hub_wq hub_event
+  Call Trace:
+   line6_start_listen+0x55f/0x9e0 sound/usb/line6/driver.c:82
+   line6_init_cap_control sound/usb/line6/driver.c:690
+   line6_probe+0x7c9/0x1310 sound/usb/line6/driver.c:764
+   podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
+   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+   ....
+
+This patch adds a sanity check of validity of EPs at the device
+initialization phase for avoiding the call with an invalid EP.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/line6/driver.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
+index 0ff5a7d2e19fe..0da6f68761e3e 100644
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -78,6 +78,13 @@ static int line6_start_listen(struct usb_line6 *line6)
+ 			line6->buffer_listen, LINE6_BUFSIZE_LISTEN,
+ 			line6_data_received, line6);
+ 	}
++
++	/* sanity checks of EP before actually submitting */
++	if (usb_urb_ep_type_check(line6->urb_listen)) {
++		dev_err(line6->ifcdev, "invalid control EP\n");
++		return -EINVAL;
++	}
++
+ 	line6->urb_listen->actual_length = 0;
+ 	err = usb_submit_urb(line6->urb_listen, GFP_ATOMIC);
+ 	return err;

Patches/Linux_CVEs/CVE-2017-16USB/ANY/0009.patch

@@ -0,0 +1,52 @@
+From 6815a0b444572527256f0d0efd8efe3ddede6018 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Oct 2017 15:03:40 +0200
+Subject: [PATCH] ALSA: bcd2000: Add a sanity check for invalid EPs
+
+As syzkaller spotted, currently bcd2000 driver submits a URB with the
+fixed EP without checking whether it's actually available, which may
+result in a kernel warning like:
+  usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449
+  usb_submit_urb+0xf8a/0x11d0
+  Modules linked in:
+  CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
+  4.14.0-rc2-42613-g1488251d1a98 #238
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: usb_hub_wq hub_event
+  Call Trace:
+   bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
+   bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
+   bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
+   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+   ....
+
+This patch adds a sanity check of validity of EPs at the device
+initialization phase for avoiding the call with an invalid EP.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/bcd2000/bcd2000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c
+index 7371e5b060356..a6408209d7f1d 100644
+--- a/sound/usb/bcd2000/bcd2000.c
++++ b/sound/usb/bcd2000/bcd2000.c
+@@ -342,6 +342,13 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k)
+ 				bcd2k->midi_out_buf, BUFSIZE,
+ 				bcd2000_output_complete, bcd2k, 1);
+ 
++	/* sanity checks of EPs before actually submitting */
++	if (usb_urb_ep_type_check(bcd2k->midi_in_urb) ||
++	    usb_urb_ep_type_check(bcd2k->midi_out_urb)) {
++		dev_err(&bcd2k->dev->dev, "invalid MIDI EP\n");
++		return -EINVAL;
++	}
++
+ 	bcd2000_init_device(bcd2k);
+ 
+ 	return 0;

Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch

@@ -0,0 +1,61 @@
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
+index 1dcaba4..e08cf95 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
+@@ -1613,6 +1613,9 @@
+ 	int tstate, throt_cur_tstate, edp_cur_tstate;
+ 	unsigned long freq, cur_freq = ULONG_MAX;
+ 
++	if (cur_state > bthrot_ins->throt_tab_size)
++		return -EINVAL;
++
+ 	if (bthrot_ins->cur_state == cur_state)
+ 		return 0;
+ 
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
+index a18e4c9..1243d21 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
+@@ -314,6 +314,9 @@
+ 	struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata;
+ 	struct nvkm_volt *volt = &priv->base;
+ 
++	if (cur_state >= MAX_THERMAL_LIMITS)
++		return -EINVAL;
++
+ 	mutex_lock(&volt->therm_lock);
+ 
+ 	if (priv->therm_idx == cur_state)
+diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c
+index 5c0af3b..990cd61 100644
+--- a/drivers/soc/tegra/tegra-dvfs.c
++++ b/drivers/soc/tegra/tegra-dvfs.c
+@@ -1068,6 +1068,14 @@
+ 	if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready)
+ 		return -EINVAL;
+ 
++	if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) {
++		if (new_idx >= rail->therm_floors_size)
++			return -EINVAL;
++	} else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) {
++		if (new_idx > rail->therm_caps_size)
++			return -EINVAL;
++	}
++
+ 	mutex_lock(&dvfs_lock);
+ 	if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) {
+ 		if (rail->therm_floor_idx != new_idx) {
+diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c
+index 39a913e..e9991db 100644
+--- a/drivers/thermal/tegra/tegra_throttle.c
++++ b/drivers/thermal/tegra/tegra_throttle.c
+@@ -198,6 +198,9 @@
+ 	if (bthrot->cpu_freq_table == NULL)
+ 		return 0;
+ 
++	if (cur_state > bthrot_ins->throt_tab_size)
++		return -EINVAL;
++
+ 	if (bthrot_ins->cur_state == cur_state)
+ 		return 0;
+ 

Patches/Linux_CVEs/CVE-2017-6274/3.18/0001.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L2Nsay9nbTIwYi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKaW5kZXggMWRjYWJhNC4uZTA4Y2Y5NSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKQEAgLTE2MTMsNiArMTYxMyw5IEBACiAJaW50IHRzdGF0ZSwgdGhyb3RfY3VyX3RzdGF0ZSwgZWRwX2N1cl90c3RhdGU7CiAJdW5zaWduZWQgbG9uZyBmcmVxLCBjdXJfZnJlcSA9IFVMT05HX01BWDsKIAorCWlmIChjdXJfc3RhdGUgPiBidGhyb3RfaW5zLT50aHJvdF90YWJfc2l6ZSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlpZiAoYnRocm90X2lucy0+Y3VyX3N0YXRlID09IGN1cl9zdGF0ZSkKIAkJcmV0dXJuIDA7CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYyBiL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYwppbmRleCBhMThlNGM5Li4xMjQzZDIxIDEwMDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi92b2x0L2drMjBhLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvdm9sdC9nazIwYS5jCkBAIC0zMTQsNiArMzE0LDkgQEAKIAlzdHJ1Y3QgZ2syMGFfdm9sdF9wcml2ICpwcml2ID0gKHN0cnVjdCBnazIwYV92b2x0X3ByaXYgKiljZGV2LT5kZXZkYXRhOwogCXN0cnVjdCBudmttX3ZvbHQgKnZvbHQgPSAmcHJpdi0+YmFzZTsKIAorCWlmIChjdXJfc3RhdGUgPj0gTUFYX1RIRVJNQUxfTElNSVRTKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCW11dGV4X2xvY2soJnZvbHQtPnRoZXJtX2xvY2spOwogCiAJaWYgKHByaXYtPnRoZXJtX2lkeCA9PSBjdXJfc3RhdGUpCmRpZmYgLS1naXQgYS9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMgYi9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMKaW5kZXggNWMwYWYzYi4uOTkwY2Q2MSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zb2MvdGVncmEvdGVncmEtZHZmcy5jCisrKyBiL2RyaXZlcnMvc29jL3RlZ3JhL3RlZ3JhLWR2ZnMuYwpAQCAtMTA2OCw2ICsxMDY4LDE0IEBACiAJaWYgKElTX0VSUl9PUl9OVUxMKHRlZ3JhX2NvcmVfcmFpbCkgfHwgIXRlZ3JhX2NvcmVfcmFpbC0+aXNfcmVhZHkpCiAJCXJldHVybiAtRUlOVkFMOwogCisJaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfRkxPT1IpIHsKKwkJaWYgKG5ld19pZHggPj0gcmFpbC0+dGhlcm1fZmxvb3JzX3NpemUpCisJCQlyZXR1cm4gLUVJTlZBTDsKKwl9IGVsc2UgaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfQ0FQKSB7CisJCWlmIChuZXdfaWR4ID4gcmFpbC0+dGhlcm1fY2Fwc19zaXplKQorCQkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJbXV0ZXhfbG9jaygmZHZmc19sb2NrKTsKIAlpZiAodHlwZSA9PSBURUdSQV9EVkZTX0NPUkVfVEhFUk1BTF9GTE9PUikgewogCQlpZiAocmFpbC0+dGhlcm1fZmxvb3JfaWR4ICE9IG5ld19pZHgpIHsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdGhlcm1hbC90ZWdyYS90ZWdyYV90aHJvdHRsZS5jIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKaW5kZXggMzlhOTEzZS4uZTk5OTFkYiAxMDA2NDQKLS0tIGEvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKKysrIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKQEAgLTE5OCw2ICsxOTgsOSBAQAogCWlmIChidGhyb3QtPmNwdV9mcmVxX3RhYmxlID09IE5VTEwpCiAJCXJldHVybiAwOwogCisJaWYgKGN1cl9zdGF0ZSA+IGJ0aHJvdF9pbnMtPnRocm90X3RhYl9zaXplKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCWlmIChidGhyb3RfaW5zLT5jdXJfc3RhdGUgPT0gY3VyX3N0YXRlKQogCQlyZXR1cm4gMDsKIAo=

Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch

@@ -0,0 +1,61 @@
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
+index 1dcaba4..e08cf95 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/gm20b.c
+@@ -1613,6 +1613,9 @@
+ 	int tstate, throt_cur_tstate, edp_cur_tstate;
+ 	unsigned long freq, cur_freq = ULONG_MAX;
+ 
++	if (cur_state > bthrot_ins->throt_tab_size)
++		return -EINVAL;
++
+ 	if (bthrot_ins->cur_state == cur_state)
+ 		return 0;
+ 
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
+index a18e4c9..1243d21 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gk20a.c
+@@ -314,6 +314,9 @@
+ 	struct gk20a_volt_priv *priv = (struct gk20a_volt_priv *)cdev->devdata;
+ 	struct nvkm_volt *volt = &priv->base;
+ 
++	if (cur_state >= MAX_THERMAL_LIMITS)
++		return -EINVAL;
++
+ 	mutex_lock(&volt->therm_lock);
+ 
+ 	if (priv->therm_idx == cur_state)
+diff --git a/drivers/soc/tegra/tegra-dvfs.c b/drivers/soc/tegra/tegra-dvfs.c
+index 5c0af3b..990cd61 100644
+--- a/drivers/soc/tegra/tegra-dvfs.c
++++ b/drivers/soc/tegra/tegra-dvfs.c
+@@ -1068,6 +1068,14 @@
+ 	if (IS_ERR_OR_NULL(tegra_core_rail) || !tegra_core_rail->is_ready)
+ 		return -EINVAL;
+ 
++	if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) {
++		if (new_idx >= rail->therm_floors_size)
++			return -EINVAL;
++	} else if (type == TEGRA_DVFS_CORE_THERMAL_CAP) {
++		if (new_idx > rail->therm_caps_size)
++			return -EINVAL;
++	}
++
+ 	mutex_lock(&dvfs_lock);
+ 	if (type == TEGRA_DVFS_CORE_THERMAL_FLOOR) {
+ 		if (rail->therm_floor_idx != new_idx) {
+diff --git a/drivers/thermal/tegra/tegra_throttle.c b/drivers/thermal/tegra/tegra_throttle.c
+index 39a913e..e9991db 100644
+--- a/drivers/thermal/tegra/tegra_throttle.c
++++ b/drivers/thermal/tegra/tegra_throttle.c
+@@ -198,6 +198,9 @@
+ 	if (bthrot->cpu_freq_table == NULL)
+ 		return 0;
+ 
++	if (cur_state > bthrot_ins->throt_tab_size)
++		return -EINVAL;
++
+ 	if (bthrot_ins->cur_state == cur_state)
+ 		return 0;
+ 

Patches/Linux_CVEs/CVE-2017-6275/3.18/0001.patch.base64

@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L2Nsay9nbTIwYi5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKaW5kZXggMWRjYWJhNC4uZTA4Y2Y5NSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvY2xrL2dtMjBiLmMKQEAgLTE2MTMsNiArMTYxMyw5IEBACiAJaW50IHRzdGF0ZSwgdGhyb3RfY3VyX3RzdGF0ZSwgZWRwX2N1cl90c3RhdGU7CiAJdW5zaWduZWQgbG9uZyBmcmVxLCBjdXJfZnJlcSA9IFVMT05HX01BWDsKIAorCWlmIChjdXJfc3RhdGUgPiBidGhyb3RfaW5zLT50aHJvdF90YWJfc2l6ZSkKKwkJcmV0dXJuIC1FSU5WQUw7CisKIAlpZiAoYnRocm90X2lucy0+Y3VyX3N0YXRlID09IGN1cl9zdGF0ZSkKIAkJcmV0dXJuIDA7CiAKZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYyBiL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3ZvbHQvZ2syMGEuYwppbmRleCBhMThlNGM5Li4xMjQzZDIxIDEwMDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi92b2x0L2drMjBhLmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvdm9sdC9nazIwYS5jCkBAIC0zMTQsNiArMzE0LDkgQEAKIAlzdHJ1Y3QgZ2syMGFfdm9sdF9wcml2ICpwcml2ID0gKHN0cnVjdCBnazIwYV92b2x0X3ByaXYgKiljZGV2LT5kZXZkYXRhOwogCXN0cnVjdCBudmttX3ZvbHQgKnZvbHQgPSAmcHJpdi0+YmFzZTsKIAorCWlmIChjdXJfc3RhdGUgPj0gTUFYX1RIRVJNQUxfTElNSVRTKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCW11dGV4X2xvY2soJnZvbHQtPnRoZXJtX2xvY2spOwogCiAJaWYgKHByaXYtPnRoZXJtX2lkeCA9PSBjdXJfc3RhdGUpCmRpZmYgLS1naXQgYS9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMgYi9kcml2ZXJzL3NvYy90ZWdyYS90ZWdyYS1kdmZzLmMKaW5kZXggNWMwYWYzYi4uOTkwY2Q2MSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zb2MvdGVncmEvdGVncmEtZHZmcy5jCisrKyBiL2RyaXZlcnMvc29jL3RlZ3JhL3RlZ3JhLWR2ZnMuYwpAQCAtMTA2OCw2ICsxMDY4LDE0IEBACiAJaWYgKElTX0VSUl9PUl9OVUxMKHRlZ3JhX2NvcmVfcmFpbCkgfHwgIXRlZ3JhX2NvcmVfcmFpbC0+aXNfcmVhZHkpCiAJCXJldHVybiAtRUlOVkFMOwogCisJaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfRkxPT1IpIHsKKwkJaWYgKG5ld19pZHggPj0gcmFpbC0+dGhlcm1fZmxvb3JzX3NpemUpCisJCQlyZXR1cm4gLUVJTlZBTDsKKwl9IGVsc2UgaWYgKHR5cGUgPT0gVEVHUkFfRFZGU19DT1JFX1RIRVJNQUxfQ0FQKSB7CisJCWlmIChuZXdfaWR4ID4gcmFpbC0+dGhlcm1fY2Fwc19zaXplKQorCQkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJbXV0ZXhfbG9jaygmZHZmc19sb2NrKTsKIAlpZiAodHlwZSA9PSBURUdSQV9EVkZTX0NPUkVfVEhFUk1BTF9GTE9PUikgewogCQlpZiAocmFpbC0+dGhlcm1fZmxvb3JfaWR4ICE9IG5ld19pZHgpIHsKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdGhlcm1hbC90ZWdyYS90ZWdyYV90aHJvdHRsZS5jIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKaW5kZXggMzlhOTEzZS4uZTk5OTFkYiAxMDA2NDQKLS0tIGEvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKKysrIGIvZHJpdmVycy90aGVybWFsL3RlZ3JhL3RlZ3JhX3Rocm90dGxlLmMKQEAgLTE5OCw2ICsxOTgsOSBAQAogCWlmIChidGhyb3QtPmNwdV9mcmVxX3RhYmxlID09IE5VTEwpCiAJCXJldHVybiAwOwogCisJaWYgKGN1cl9zdGF0ZSA+IGJ0aHJvdF9pbnMtPnRocm90X3RhYl9zaXplKQorCQlyZXR1cm4gLUVJTlZBTDsKKwogCWlmIChidGhyb3RfaW5zLT5jdXJfc3RhdGUgPT0gY3VyX3N0YXRlKQogCQlyZXR1cm4gMDsKIAo=

Patches/Linux_CVEs/CVE-2017-7541/3.10/0002.patch

@@ -0,0 +1,50 @@
+From 7136ca73ff3496758b56f60b6fe76d675e69cd21 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+	       le16_to_cpu(action_frame->len));
+
+Cc: stable@vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[wt: s/cfg80211.c/wl_cfg80211.c in 3.10]
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+index 2c52430..8afb609 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+@@ -4019,6 +4019,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ 					GFP_KERNEL);
+ 	} else if (ieee80211_is_action(mgmt->frame_control)) {
++		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++			brcmf_err("invalid action frame length\n");
++			err = -EINVAL;
++			goto exit;
++		}
+ 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ 		if (af_params == NULL) {
+ 			brcmf_err("unable to allocate frame\n");
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-8890/3.10/0002.patch

@@ -0,0 +1,42 @@
+From 1853870b216d3446efd39190a8ff0006c54dfd46 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 9 May 2017 06:29:19 -0700
+Subject: [PATCH] BACKPORT: dccp/tcp: do not inherit mc_list from parent
+
+syzkaller found a way to trigger double frees from ip_mc_drop_socket()
+
+It turns out that leave a copy of parent mc_list at accept() time,
+which is very bad.
+
+Very similar to commit 8b485ce69876 ("tcp: do not inherit
+fastopen_req from parent")
+
+Initial report from Pray3r, completed by Andrey one.
+Thanks a lot to them !
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Pray3r <pray3r.z@gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Roberto Pereira <rpere@google.com>
+(cherry picked from commit 657831ffc38e30092a2d5f03d385d710eb88b09a)
+Bug:38413975
+Change-Id: Icf89ad025cb8225e806e52c573d68533912111ad
+---
+ net/ipv4/inet_connection_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 64198a381ddca..008b52bc99a3d 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -697,6 +697,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
+ 		inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
+ 		newsk->sk_write_space = sk_stream_write_space;
+ 
++		inet_sk(newsk)->mc_list = NULL;
++
+ 		newsk->sk_mark = inet_rsk(req)->ir_mark;
+ 
+ 		newicsk->icsk_retransmits = 0;

Patches/Linux_CVEs/CVE-2017-9690/3.18/0001.patch

@@ -0,0 +1,29 @@
+From b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74 Mon Sep 17 00:00:00 2001
+From: Siarhei Vishniakou <svv@google.com>
+Date: Thu, 16 Mar 2017 16:26:53 -0700
+Subject: [PATCH] arm64: dts: marlin: remove QBT1000 from device tree
+
+Marlin does not use QBT1000.
+
+Bug: 36575870
+Bug: 36227548
+Test: Tested on marlin and sailfish.
+
+Change-Id: I48a2b75f1cd678a673a8706e8d3304b25f45d3cd
+Signed-off-by: Siarhei Vishniakou <svv@google.com>
+---
+ arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
+index 831a99c32c0aa..4fedb4b6149c4 100644
+--- a/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
++++ b/arch/arm64/boot/dts/htc/msm8996-htc-common.dtsi
+@@ -109,6 +109,7 @@
+ 			qcom,mitigation-freq-khz = <1132800>;
+ 		};
+ 	};
++	/delete-node/ qcom,qbt1000;
+ };
+ 
+ &wdog {

Patches/Linux_CVEs/CVE-2017-9696/3.10/0001.patch

@@ -0,0 +1,34 @@
+From 8b44a684139301fa31548e8120b7e6299965572a Mon Sep 17 00:00:00 2001
+From: Alok Kediya <kediya@codeaurora.org>
+Date: Thu, 2 Mar 2017 15:51:35 +0530
+Subject: [PATCH] msm: camera: Bound check for num_of_stream.
+
+- num of stream comes from userspace and used without
+any bound check.It may result to overflow update_info.
+
+CRs-Fixed: 2006829
+
+Bug: 36232584
+Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
+Signed-off-by: Alok Kediya <kediya@codeaurora.org>
+---
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+index 43a2c77dcc8da..490ab13e4e607 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+@@ -817,6 +817,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
+ 	struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL;
+ 	struct msm_isp_sw_framskip *sw_skip_info = NULL;
+ 
++	if (update_cmd->num_streams > MSM_ISP_STATS_MAX) {
++		pr_err("%s: Invalid num_streams %d\n",
++			__func__, update_cmd->num_streams);
++		return -EINVAL;
++	}
++
+ 	/*validate request*/
+ 	for (i = 0; i < update_cmd->num_streams; i++) {
+ 		update_info = &update_cmd->update_info[i];

Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch

@@ -0,0 +1,43 @@
+From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001
+From: Haibin Liu <haibinl@codeaurora.org>
+Date: Wed, 17 May 2017 18:52:30 +0800
+Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting
+
+When getting power down setting, there is an untrusted pointer
+from a user space pointer.Need to copy to the kernel space first.
+
+CRs-Fixed: 2037398
+Bug: 36492827
+Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148
+Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
+---
+ .../platform/msm/camera_v2/sensor/msm_sensor_driver.c    | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
+index 87e741b651c4a..5d3c56191e0d4 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
+@@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting,
+ 
+ #ifdef CONFIG_COMPAT
+ 	if (is_compat_task()) {
+-		int i = 0;
+-		struct msm_sensor_power_setting32 *power_setting_iter =
+-		(struct msm_sensor_power_setting32 *)compat_ptr((
+-		(struct msm_camera_sensor_slave_info32 *)setting)->
+-		power_setting_array.power_setting);
+-
+-		for (i = 0; i < size_down; i++) {
+-			pd[i].config_val = power_setting_iter[i].config_val;
+-			pd[i].delay = power_setting_iter[i].delay;
+-			pd[i].seq_type = power_setting_iter[i].seq_type;
+-			pd[i].seq_val = power_setting_iter[i].seq_val;
++		rc = msm_sensor_get_pw_settings_compat(
++			pd, pu, size_down);
++		if (rc < 0) {
++			pr_err("failed");
++			return -EFAULT;
+ 		}
+ 	} else
+ #endif

Patches/Linux_CVEs/CVE-2017-9702/3.10/0002.patch

@@ -0,0 +1,122 @@
+From c46b2ecd901a12867d0dd91ae019f4b7256bcfec Mon Sep 17 00:00:00 2001
+From: Haibin Liu <haibinl@codeaurora.org>
+Date: Wed, 9 Aug 2017 16:26:41 +0800
+Subject: [PATCH] msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG
+
+Issue:
+the invalid slave_info is used by msm_sensor_driver_probe.
+This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.
+
+Fix:
+1) avoid the same msm_sd_subdev added into the ordered_sd_list.
+2) enlarge the buffer size for i2c addr and data.
+
+Bug: 36492827
+Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
+Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
+---
+ drivers/media/platform/msm/camera_v2/msm.c         |  5 +++++
+ .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c   |  5 +++--
+ .../msm/camera_v2/sensor/msm_sensor_driver.c       | 25 ++++++++++++++--------
+ 3 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
+index e517f0f589ce6..47ba2f99dd001 100644
+--- a/drivers/media/platform/msm/camera_v2/msm.c
++++ b/drivers/media/platform/msm/camera_v2/msm.c
+@@ -334,6 +334,11 @@ static void msm_add_sd_in_position(struct msm_sd_subdev *msm_subdev,
+ 	struct msm_sd_subdev *temp_sd;
+ 
+ 	list_for_each_entry(temp_sd, sd_list, list) {
++		if (temp_sd == msm_subdev) {
++			pr_err("%s :Fail to add the same sd %d\n",
++				__func__, __LINE__);
++			return;
++		}
+ 		if (msm_subdev->close_seq < temp_sd->close_seq) {
+ 			list_add_tail(&msm_subdev->list, &temp_sd->list);
+ 			return;
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+index 877021edc776d..4243005beff50 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+@@ -17,7 +17,8 @@
+ #undef CDBG
+ #define CDBG(fmt, args...) pr_debug(fmt, ##args)
+ #define S_I2C_DBG(fmt, args...) pr_debug(fmt, ##args)
+-
++#define MAX_I2C_ADDR_TYPE_SIZE (MSM_CAMERA_I2C_3B_ADDR + 1)
++#define MAX_I2C_DATA_TYPE_SIZE (MSM_CAMERA_I2C_SET_BYTE_WRITE_MASK_DATA + 1)
+ #define I2C_COMPARE_MATCH 0
+ #define I2C_COMPARE_MISMATCH 1
+ #define I2C_POLL_MAX_ITERATION 20
+@@ -27,7 +28,7 @@ int32_t msm_camera_cci_i2c_read(struct msm_camera_i2c_client *client,
+ 	enum msm_camera_i2c_data_type data_type)
+ {
+ 	int32_t rc = -EFAULT;
+-	unsigned char buf[client->addr_type+data_type];
++	unsigned char buf[MAX_I2C_ADDR_TYPE_SIZE + MAX_I2C_DATA_TYPE_SIZE];
+ 	struct msm_camera_cci_ctrl cci_ctrl;
+ 
+ 	if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
+index 5d3c56191e0d4..bd376ffa28c10 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2015,2017 The Linux Foundation. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 and
+@@ -103,7 +103,11 @@ static int32_t msm_sensor_driver_create_i2c_v4l_subdev
+ 	s_ctrl->msm_sd.sd.entity.name =	s_ctrl->msm_sd.sd.name;
+ 	s_ctrl->sensordata->sensor_info->session_id = session_id;
+ 	s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
+-	msm_sd_register(&s_ctrl->msm_sd);
++	rc = msm_sd_register(&s_ctrl->msm_sd);
++	if (rc < 0) {
++		pr_err("failed: msm_sd_register rc %d", rc);
++		return rc;
++	}
+ 	CDBG("%s:%d\n", __func__, __LINE__);
+ 	return rc;
+ }
+@@ -133,7 +137,11 @@ static int32_t msm_sensor_driver_create_v4l_subdev
+ 	s_ctrl->msm_sd.sd.entity.group_id = MSM_CAMERA_SUBDEV_SENSOR;
+ 	s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name;
+ 	s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
+-	msm_sd_register(&s_ctrl->msm_sd);
++	rc = msm_sd_register(&s_ctrl->msm_sd);
++	if (rc < 0) {
++		pr_err("failed: msm_sd_register rc %d", rc);
++		return rc;
++	}
+ 	msm_sensor_v4l2_subdev_fops = v4l2_subdev_fops;
+ #ifdef CONFIG_COMPAT
+ 	msm_sensor_v4l2_subdev_fops.compat_ioctl32 =
+@@ -885,12 +893,6 @@ int32_t msm_sensor_driver_probe(void *setting,
+ 
+ 	pr_err("%s probe succeeded", slave_info->sensor_name);
+ 
+-	/*
+-	  Set probe succeeded flag to 1 so that no other camera shall
+-	 * probed on this slot
+-	 */
+-	s_ctrl->is_probe_succeed = 1;
+-
+ 	/*
+ 	 * Update the subdevice id of flash-src based on availability in kernel.
+ 	 */
+@@ -940,6 +942,11 @@ int32_t msm_sensor_driver_probe(void *setting,
+ 
+ 	msm_sensor_fill_sensor_info(s_ctrl, probed_info, entity_name);
+ 
++	/*
++	 * Set probe succeeded flag to 1 so that no other camera shall
++	 * probed on this slot
++	 */
++	s_ctrl->is_probe_succeed = 1;
+ 	return rc;
+ 
+ camera_power_down:

Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt

@@ -1,7 +1,8 @@
+#Last checked 2017-11-25
 #This is a combined list from the following sources
 #	https://source.android.com/security/bulletin
 #	https://source.android.com/security/advisory
-#	https://cve.lineageos.org
+#	https://cve.lineageos.org/api/v1/cves
 #	https://www.codeaurora.org/security-advisories
 #	https://www.codeaurora.org/security-advisories/security-bulletins
 #	https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
@@ -71,7 +72,9 @@ CVE-2013-6123
 CVE-2013-6282
 	Link - https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483
 CVE-2013-7446
-	Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c
+	Link - ^4.3 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c
+	Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/8a292b04183e82d59721ab0893e4216010aa3db9
+	Link - ^4.3 - https://github.com/aosp-mirror/kernel_msm/commit/5bed19c9f463f9078063363779548c50aea271a0
 CVE-2014-0196
 	Link - https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00
 	Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e5099713ce
@@ -293,7 +296,10 @@ CVE-2014-9904
 CVE-2014-9914
 	Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9709674e68646cee5a24e3000b3558d25412203a
 CVE-2014-9922
+	Depends
 	Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69c433ed2ecd2d3264efd7afec4439524b319121
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/48a6c91c1d967cc8375621509676a9eabfac5777
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/57bc19ec472ab303209b2d96a59a619c5221594d
 CVE-2014-9940
 	Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=60a2362f769cf549dc466134efe71c8bf9fbaaba
 CVE-2015-3636
@@ -968,9 +974,13 @@ CVE-2016-6828
 CVE-2016-7042
 	Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=03dab869b7b239c4e013ec82aea22e181e441cfc
 CVE-2016-7097
-	Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073931017b49d9458aa351605b43a7e34598caef
+	Depends
+	Link - ^4.8 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=073931017b49d9458aa351605b43a7e34598caef
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/6b0c893dc08060d6999b07136391d8a298678dae
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/aedf77d56472d1fddf050c61c1017d4f51149fb1
 CVE-2016-7117
-	Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
+	Link - ^4.5 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
+	Link - ^4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=0b5240c45e2029986526b1405ab24906c708f770
 CVE-2016-7910
 	Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84
 CVE-2016-7911
@@ -1339,6 +1349,9 @@ CVE-2017-0628
 	Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f
 CVE-2017-0629
 	Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f
+CVE-2017-0630
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/28fb06421ab3d9256d32611138306470996cc4c1
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/45e5a5e1b85f23843b90f3cddcfc26fa862ff80c
 CVE-2017-0631
 	Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=8236d6ebc7e26361ca7078cbeba01509f10941d8
 CVE-2017-0632
@@ -1393,6 +1406,12 @@ CVE-2017-0824
 	Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3d6c7b39db34369e28b0581be26f57e9467f8408
 CVE-2017-0825
 	Link - https://github.com/android/kernel_msm/commit/83366dd9ddb9337450f704ceef750a06c69df9ff
+CVE-2017-0861
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/93533f313a1bf465ff8c33032e91b88315dcf9bf
+CVE-2017-0862
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/19384322b5b51987bd6037f7a6b18a62a5d4d654
+CVE-2017-0866
+	Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/40286163f84a29993c2f552a237256541875a1b4
 CVE-2017-1000251
 	Link - 3.0 - https://review.lineageos.org/#/c/189602/
 	Link - 3.4 - https://review.lineageos.org/#/c/189415/
@@ -1443,12 +1462,16 @@ CVE-2017-11012
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=7d0e40d328fa092c36b9585516ed29fc6041be55
 CVE-2017-11013
 	Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64297e4caffdf6b1a90807bbdb65a66b43582228
+	Link - qcacld-2.0 - https://android.googlesource.com/kernel/msm/+/bb3c16f2e001eef9dcdd73e8c6ed6331e5fdd86b
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c9f8654b11a1e693022ad7f163b3bc477fea8ce8
 CVE-2017-11014
+	Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/adb96af5b080dfe4ee29961a17ed3f04c87d5519
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754
 CVE-2017-11015
 	Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/ac39bfffe109a6cffcaf3b537505130712161dce
 	Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be
+	Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/d7285900f6fa28b0be51f5d18c52bd06385f8aee
+	Link - qcacld-2.0 - https://github.com/aosp-mirror/kernel_msm/commit/a50ca3ce494ab6bb6b2e37cdd0428aa6d6260bef
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=1ef6add65a36de6c4da788f776de2b5b5c528d8e
 CVE-2017-11018
@@ -1457,23 +1480,26 @@ CVE-2017-11022
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1379bfb6c09ee2ad5969db45c27fb675602b4ed0
 	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f41e3dbc92d448d3d56cae5517e41a4bafafdf3f
 CVE-2017-11023
-	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c36e61af0f770125d0061a8d988d0987cc8d116a
+	Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/17ef83c708be034454df7914ef5484c36515eece
+	Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=c36e61af0f770125d0061a8d988d0987cc8d116a
 CVE-2017-11024
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f2a482422fefadfa0fa9b4146fc0e2b46ac04922
 CVE-2017-11025
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=95e72ae9281b77abc3ed0cc6a33c17b989241efa
 CVE-2017-11028
 	Depends
+	Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/a96e06fac09e182b5211f20dd6311f93a5d056af
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fd70b655d901e626403f132b65fc03d993f0a09b
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6724296d3f3b2821b83219768c1b9e971e380a9f
 CVE-2017-11029
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/e13a16c079cf8f5c758f5c31fbd72edca2656e54
 	Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=74ab23917b82769644a3299da47b58e080aa63f2
 	Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=86f0d207d478e1681f6711b46766cfb3c6a30fb5
 CVE-2017-11032
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2720294757d0ad5294283c15dc837852f7b2329a
 CVE-2017-11035
-	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=cc1896424ae7a346090f601bc69c6ca51d9c3e04
+	Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156
 CVE-2017-11040
 	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7a4d0eea0ca0c8a72111ae58d9829be817f102c9
 CVE-2017-11046
@@ -1510,7 +1536,22 @@ CVE-2017-11064
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=38d6f16b8583bae6a1881c744ae08d609c99cb7e
 CVE-2017-11067
 	Link - https://github.com/aosp-mirror/kernel_msm/commit/3fabdcba3a09ce8f3cc757bf6240e53421a1e363
+CVE-2017-11073
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/120d28bad9890eca3a6451a83a7c71cb650dfef7
+CVE-2017-11085
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/dc8f7a19762df2c84678482b60f6b807b919eb44
+CVE-2017-11089
+	Link - https://android.googlesource.com/kernel/msm/+/a30bdf229ab1efd96e500c43aabbff20e223128a
+CVE-2017-11090
+	Link - https://android.googlesource.com/kernel/msm/+/98f7c17df33355e78417e6bb2395f810a903bb64
+CVE-2017-11091
+	Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/10b0cb47e92abe52c5372ded0fe80a5a5f18586f
+CVE-2017-11092
+	Link - https://android.googlesource.com/kernel/msm/+/d78717de292b114f388e900e3e7947ae44630982
+CVE-2017-11093
+	Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/072d53b2ca00ac57ca4e0ebe2315b431256cf786
 CVE-2017-11600
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_common/commit/0af5440977299a17a0f226ce00d872572a426c14
 	Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
 CVE-2017-12146
 	Link - 3.16+ - https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git/commit/?h=driver-core-next&id=6265539776a0810b7ce6398c27866ddb9c6bd154
@@ -1563,6 +1604,10 @@ CVE-2017-6074
 	Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
 CVE-2017-6214
 	Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82
+CVE-2017-6274
+	Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc
+CVE-2017-6275
+	Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/0f08eca74276e7ebab4b712d98970c6425207ccc
 CVE-2017-6345
 	Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b74d439e1697110c5e5c600643e823eb1dd0762
 CVE-2017-6346
@@ -1645,7 +1690,8 @@ CVE-2017-7495
 	Link - 3.18 - https://review.lineageos.org/#/c/175289
 	Link - ^4.6 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824
 CVE-2017-7541
-	Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c
+	Link - ^4.12 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c
+	Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.108&id=7136ca73ff3496758b56f60b6fe76d675e69cd21
 CVE-2017-7616
 	Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
 CVE-2017-7618
@@ -1757,6 +1803,7 @@ CVE-2017-8281
 	Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c
 CVE-2017-8890
 	Link - 3.4 - https://review.lineageos.org/#/c/173325/
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/1853870b216d3446efd39190a8ff0006c54dfd46
 	Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a
 CVE-2017-9074
 	Depends
@@ -1798,6 +1845,8 @@ CVE-2017-9686
 CVE-2017-9687
 	Link - 3.18 - https://github.com/android/kernel_msm/commit/34cff2eb2adc663de32ca682b57551c50c9253c6
 	Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=8f1a77f5da53edd2b5a1c42ddd766712a90109d6
+CVE-2017-9690
+	Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/b59b67fbd2f1d4f71e7a4f9e6723f04b717efc74
 CVE-2017-9691
 	Depends
 	Link - https://github.com/android/kernel_msm/commit/869bd2cd3d6c17826b6f162e0d721174224b867a
@@ -1808,9 +1857,14 @@ CVE-2017-9693
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05a5abb21e4d97001f77d344444a3ec2f9c275f9
 CVE-2017-9694
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef
+CVE-2017-9696
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/8b44a684139301fa31548e8120b7e6299965572a
 CVE-2017-9697
 	Link - 3.18 - https://github.com/android/kernel_msm/commit/4b788ca419ec37e4cdb421fef9edc208a491ce30
 	Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225
+CVE-2017-9702
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/2ae1eab54e874553c078e5275421398597401ac9
+	Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/c46b2ecd901a12867d0dd91ae019f4b7256bcfec
 CVE-2017-9706
 	Link - https://github.com/android/kernel_msm/commit/7489a0a8f68d0f018d0f9df5df157bb20f83b05e
 CVE-2017-9714
@@ -1820,8 +1874,8 @@ CVE-2017-9715
 CVE-2017-9717
 	Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bf7486fb6d82fb9ad02e303b6fdf4061cfc0375d
 CVE-2017-9719
-	Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807
-	Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0
+	Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807
+	Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0
 CVE-2017-9720
 	Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c74dbab508c7c07d8e2cf8230cc78bff4b710272
 	Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d
@@ -1857,7 +1911,7 @@ CVE-2017-16535
 CVE-2017-16536
 	Link - ^4.13 - https://patchwork.kernel.org/patch/9963527/
 CVE-2017-16537
-	Link - ^4.13 - https://patchwork.kernel.org/patch/9994017/
+	Link - ^4.13 - https://github.com/torvalds/linux/commit/58fd55e838276a0c13d1dc7c387f90f25063cbf3
 CVE-2017-16538
 	Link - ^4.13 - https://patchwork.linuxtv.org/patch/44566/
 	Link - ^4.13 - https://patchwork.linuxtv.org/patch/44567/
@@ -1872,7 +1926,7 @@ CVE-2017-16646
 CVE-2017-16647
 	Link - https://patchwork.ozlabs.org/patch/834686/
 CVE-2017-16648
-	Link - https://patchwork.kernel.org/patch/10046189/
+	Link - https://github.com/torvalds/linux/commit/b1cb7372fa822af6c06c8045963571d13ad6348b
 CVE-2017-16649
 	Link - https://patchwork.ozlabs.org/patch/834771/
 CVE-2017-16650
@@ -1883,6 +1937,10 @@ CVE-2017-16USB
 	Link - https://github.com/torvalds/linux/commit/70e743e4cec3733dc13559f6184b35d358b9ef3f
 	Link - https://github.com/torvalds/linux/commit/122d6a347329818419b032c5a1776e6b3866d9b9
 	Link - https://github.com/torvalds/linux/commit/0a8fd1346254974c3a852338508e4a4cddbb35f1
+	Link - https://github.com/torvalds/linux/commit/f9a1c372299fed53d4b72bb601f7f3bfe6f9999c
+	Link - https://github.com/torvalds/linux/commit/58fc7f73a85d45a47057dad2af53502fdf6cf778
+	Link - https://github.com/torvalds/linux/commit/2a4340c57717162c6bf07a0860d05711d4de994b
+	Link - https://github.com/torvalds/linux/commit/6815a0b444572527256f0d0efd8efe3ddede6018
 CVE-2016-GadgetFS
 	Link - https://github.com/torvalds/linux/commit/0173a68bfb0ad1c72a6ee39cc485aa2c97540b98
 	Link - https://github.com/torvalds/linux/commit/520b72fc64debf8a86c3853b8e486aa5982188f0