mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-26 16:09:23 -05:00
More patches
This commit is contained in:
parent
3a5e68f927
commit
6ce51b2775
59
Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch
Normal file
59
Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 2bf336ed7ff29768b63fcf0d9528dd129f516643 Mon Sep 17 00:00:00 2001
|
||||
From: Siena Richard <sienar@codeaurora.org>
|
||||
Date: Tue, 31 Jan 2017 12:21:38 -0800
|
||||
Subject: ASoC: msm: qdsp6v2: return error when copy from userspace fails
|
||||
|
||||
A copy_from_user is not always expected to succeed. Therefore, check
|
||||
for an error before operating on the buffer post copy.
|
||||
|
||||
CRs-Fixed: 1116070
|
||||
Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b
|
||||
Signed-off-by: Siena Richard <sienar@codeaurora.org>
|
||||
---
|
||||
sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
|
||||
index c444a27..b2387a7 100644
|
||||
--- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
|
||||
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
|
||||
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@@ -814,20 +814,25 @@ static int msm_pcm_playback_copy(struct snd_pcm_substream *substream, int a,
|
||||
if (prtd->mode == MODE_PCM) {
|
||||
ret = copy_from_user(&buf_node->frame.voc_pkt,
|
||||
buf, count);
|
||||
+ if (ret) {
|
||||
+ pr_err("%s: copy from user failed %d\n",
|
||||
+ __func__, ret);
|
||||
+ return -EFAULT;
|
||||
+ }
|
||||
buf_node->frame.pktlen = count;
|
||||
} else {
|
||||
ret = copy_from_user(&buf_node->frame,
|
||||
buf, count);
|
||||
+ if (ret) {
|
||||
+ pr_err("%s: copy from user failed %d\n",
|
||||
+ __func__, ret);
|
||||
+ return -EFAULT;
|
||||
+ }
|
||||
if (buf_node->frame.pktlen >= count)
|
||||
buf_node->frame.pktlen = count -
|
||||
(sizeof(buf_node->frame.frm_hdr) +
|
||||
sizeof(buf_node->frame.pktlen));
|
||||
}
|
||||
- if (ret) {
|
||||
- pr_err("%s: copy from user failed %d\n",
|
||||
- __func__, ret);
|
||||
- return -EFAULT;
|
||||
- }
|
||||
spin_lock_irqsave(&prtd->dsp_lock, dsp_flags);
|
||||
list_add_tail(&buf_node->list, &prtd->in_queue);
|
||||
spin_unlock_irqrestore(&prtd->dsp_lock, dsp_flags);
|
||||
--
|
||||
cgit v1.1
|
||||
|
54
Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch
Normal file
54
Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From da638cc248f0d692a89e26f788c43d6f641c81ef Mon Sep 17 00:00:00 2001
|
||||
From: Xiaojun Sang <xsang@codeaurora.org>
|
||||
Date: Fri, 04 Nov 2016 14:35:58 +0800
|
||||
Subject: [PATCH] ASoC: soc: prevent risk of buffer overflow
|
||||
|
||||
In case of large value for bufcnt_t or bufcnt,
|
||||
cmd_size may overflow. Buffer size allocated by cmd_size might
|
||||
be not as expected.
|
||||
Possible buffer overflow could happen.
|
||||
|
||||
CRs-Fixed: 1084210
|
||||
Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
|
||||
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
|
||||
---
|
||||
|
||||
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
|
||||
index 31bd1d7..11a94e4 100644
|
||||
--- a/sound/soc/msm/qdsp6v2/q6asm.c
|
||||
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
|
||||
@@ -4054,7 +4054,7 @@
|
||||
struct asm_buffer_node *buffer_node = NULL;
|
||||
int rc = 0;
|
||||
int i = 0;
|
||||
- int cmd_size = 0;
|
||||
+ uint32_t cmd_size = 0;
|
||||
uint32_t bufcnt_t;
|
||||
uint32_t bufsz_t;
|
||||
|
||||
@@ -4076,10 +4076,25 @@
|
||||
bufsz_t = PAGE_ALIGN(bufsz_t);
|
||||
}
|
||||
|
||||
+ if (bufcnt_t > (UINT_MAX
|
||||
+ - sizeof(struct avs_cmd_shared_mem_map_regions))
|
||||
+ / sizeof(struct avs_shared_map_region_payload)) {
|
||||
+ pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n",
|
||||
+ __func__, bufcnt_t);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions)
|
||||
+ (sizeof(struct avs_shared_map_region_payload)
|
||||
* bufcnt_t);
|
||||
|
||||
+
|
||||
+ if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) {
|
||||
+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
|
||||
+ __func__, bufcnt);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt,
|
||||
GFP_KERNEL);
|
||||
if (!buffer_node) {
|
1
Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSBkYTYzOGNjMjQ4ZjBkNjkyYTg5ZTI2Zjc4OGM0M2Q2ZjY0MWM4MWVmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDA0IE5vdiAyMDE2IDE0OjM1OjU4ICswODAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogc29jOiBwcmV2ZW50IHJpc2sgb2YgYnVmZmVyIG92ZXJmbG93CgpJbiBjYXNlIG9mIGxhcmdlIHZhbHVlIGZvciBidWZjbnRfdCBvciBidWZjbnQsCmNtZF9zaXplIG1heSBvdmVyZmxvdy4gQnVmZmVyIHNpemUgYWxsb2NhdGVkIGJ5IGNtZF9zaXplIG1pZ2h0CmJlIG5vdCBhcyBleHBlY3RlZC4KUG9zc2libGUgYnVmZmVyIG92ZXJmbG93IGNvdWxkIGhhcHBlbi4KCkNScy1GaXhlZDogMTA4NDIxMApDaGFuZ2UtSWQ6IEk5NTU2ZjE4ZGQ2YTlmZGYzZjc2YzEzM2FlNzVjMDRlY2NlMTcxZjA4ClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggMzFiZDFkNy4uMTFhOTRlNCAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTQwNTQsNyArNDA1NCw3IEBACiAJc3RydWN0IGFzbV9idWZmZXJfbm9kZSAqYnVmZmVyX25vZGUgPSBOVUxMOwogCWludAlyYyA9IDA7CiAJaW50ICAgIGkgPSAwOwotCWludAljbWRfc2l6ZSA9IDA7CisJdWludDMyX3QgY21kX3NpemUgPSAwOwogCXVpbnQzMl90IGJ1ZmNudF90OwogCXVpbnQzMl90IGJ1ZnN6X3Q7CiAKQEAgLTQwNzYsMTAgKzQwNzYsMjUgQEAKIAkJYnVmc3pfdCA9IFBBR0VfQUxJR04oYnVmc3pfdCk7CiAJfQogCisJaWYgKGJ1ZmNudF90ID4gKFVJTlRfTUFYCisJCQktIHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKSkKKwkJCS8gc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250X3QgPSAldVxuIiwKKwkJCQlfX2Z1bmNfXywgYnVmY250X3QpOworCQlyZXR1cm4gLUVJTlZBTDsKKwl9CisKIAljbWRfc2l6ZSA9IHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKQogCQkJKyAoc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkKIAkJCQkJCQkqIGJ1ZmNudF90KTsKIAorCisJaWYgKGJ1ZmNudCA+IChVSU5UX01BWCAvIHNpemVvZihzdHJ1Y3QgYXNtX2J1ZmZlcl9ub2RlKSkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250ID0gJXVcbiIsCisJCQkJX19mdW5jX18sIGJ1ZmNudCk7CisJCXJldHVybiAtRUlOVkFMOworCX0KKwogCWJ1ZmZlcl9ub2RlID0ga3phbGxvYyhzaXplb2Yoc3RydWN0IGFzbV9idWZmZXJfbm9kZSkgKiBidWZjbnQsCiAJCQkJR0ZQX0tFUk5FTCk7CiAJaWYgKCFidWZmZXJfbm9kZSkgewo=
|
47
Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch
Normal file
47
Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 077614c9f2b9f9d062fed66e3ae7669937ea6b85 Mon Sep 17 00:00:00 2001
|
||||
From: Xiaojun Sang <xsang@codeaurora.org>
|
||||
Date: Fri, 04 Nov 2016 14:35:58 +0800
|
||||
Subject: [PATCH] ASoC: soc: qdsp6: prevent risk of buffer overflow
|
||||
|
||||
In case of large value for bufcnt,
|
||||
cmd_size may overflow. Buffer size allocated by cmd_size might
|
||||
be not as expected.
|
||||
Possible buffer overflow could happen.
|
||||
|
||||
Backport reference:
|
||||
* Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08
|
||||
* CRs-Fixed: 1084210
|
||||
|
||||
Change-Id: I93f820e0344bfa05dee6a3e83d84ef688e23f761
|
||||
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
|
||||
Signed-off-by: Adrian DC <radian.dc@gmail.com>
|
||||
---
|
||||
|
||||
diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c
|
||||
index 2cde92a..c3bcdcd 100644
|
||||
--- a/sound/soc/msm/qdsp6/q6asm.c
|
||||
+++ b/sound/soc/msm/qdsp6/q6asm.c
|
||||
@@ -2893,7 +2893,7 @@
|
||||
void *payload = NULL;
|
||||
int rc = 0;
|
||||
int i = 0;
|
||||
- int cmd_size = 0;
|
||||
+ uint32_t cmd_size = 0;
|
||||
|
||||
if (!ac || ac->apr == NULL || this_mmap.apr == NULL) {
|
||||
pr_err("APR handle NULL\n");
|
||||
@@ -2901,6 +2901,14 @@
|
||||
}
|
||||
pr_debug("%s: Session[%d]\n", __func__, ac->session);
|
||||
|
||||
+ if (bufcnt > (UINT_MAX
|
||||
+ - sizeof(struct asm_stream_cmd_memory_map_regions))
|
||||
+ / sizeof(struct asm_memory_map_regions)) {
|
||||
+ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n",
|
||||
+ __func__, bufcnt);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
cmd_size = sizeof(struct asm_stream_cmd_memory_map_regions)
|
||||
+ sizeof(struct asm_memory_map_regions) * bufcnt;
|
||||
|
1
Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSAwNzc2MTRjOWYyYjlmOWQwNjJmZWQ2NmUzYWU3NjY5OTM3ZWE2Yjg1IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDA0IE5vdiAyMDE2IDE0OjM1OjU4ICswODAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogc29jOiBxZHNwNjogcHJldmVudCByaXNrIG9mIGJ1ZmZlciBvdmVyZmxvdwoKSW4gY2FzZSBvZiBsYXJnZSB2YWx1ZSBmb3IgYnVmY250LApjbWRfc2l6ZSBtYXkgb3ZlcmZsb3cuIEJ1ZmZlciBzaXplIGFsbG9jYXRlZCBieSBjbWRfc2l6ZSBtaWdodApiZSBub3QgYXMgZXhwZWN0ZWQuClBvc3NpYmxlIGJ1ZmZlciBvdmVyZmxvdyBjb3VsZCBoYXBwZW4uCgpCYWNrcG9ydCByZWZlcmVuY2U6CiAqIENoYW5nZS1JZDogSTk1NTZmMThkZDZhOWZkZjNmNzZjMTMzYWU3NWMwNGVjY2UxNzFmMDgKICogQ1JzLUZpeGVkOiAxMDg0MjEwCgpDaGFuZ2UtSWQ6IEk5M2Y4MjBlMDM0NGJmYTA1ZGVlNmEzZTgzZDg0ZWY2ODhlMjNmNzYxClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IEFkcmlhbiBEQyA8cmFkaWFuLmRjQGdtYWlsLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNi9xNmFzbS5jCmluZGV4IDJjZGU5MmEuLmMzYmNkY2QgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vcWRzcDYvcTZhc20uYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2L3E2YXNtLmMKQEAgLTI4OTMsNyArMjg5Myw3IEBACiAJdm9pZAkqcGF5bG9hZCA9IE5VTEw7CiAJaW50CXJjID0gMDsKIAlpbnQJaSA9IDA7Ci0JaW50CWNtZF9zaXplID0gMDsKKwl1aW50MzJfdCBjbWRfc2l6ZSA9IDA7CiAKIAlpZiAoIWFjIHx8IGFjLT5hcHIgPT0gTlVMTCB8fCB0aGlzX21tYXAuYXByID09IE5VTEwpIHsKIAkJcHJfZXJyKCJBUFIgaGFuZGxlIE5VTExcbiIpOwpAQCAtMjkwMSw2ICsyOTAxLDE0IEBACiAJfQogCXByX2RlYnVnKCIlczogU2Vzc2lvblslZF1cbiIsIF9fZnVuY19fLCBhYy0+c2Vzc2lvbik7CiAKKwlpZiAoYnVmY250ID4gKFVJTlRfTUFYCisJCQktIHNpemVvZihzdHJ1Y3QgYXNtX3N0cmVhbV9jbWRfbWVtb3J5X21hcF9yZWdpb25zKSkKKwkJCS8gc2l6ZW9mKHN0cnVjdCBhc21fbWVtb3J5X21hcF9yZWdpb25zKSkgeworCQlwcl9lcnIoIiVzOiBVbnNpZ25lZCBJbnRlZ2VyIE92ZXJmbG93LiBidWZjbnQgPSAldVxuIiwKKwkJCQlfX2Z1bmNfXywgYnVmY250KTsKKwkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJY21kX3NpemUgPSBzaXplb2Yoc3RydWN0IGFzbV9zdHJlYW1fY21kX21lbW9yeV9tYXBfcmVnaW9ucykKIAkJCSsgc2l6ZW9mKHN0cnVjdCBhc21fbWVtb3J5X21hcF9yZWdpb25zKSAqIGJ1ZmNudDsKIAo=
|
45
Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch
Normal file
45
Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 9ffb3cdd7279b011a509267caa4a5119fd6346c0 Mon Sep 17 00:00:00 2001
|
||||
From: Siena Richard <sienar@codeaurora.org>
|
||||
Date: Wed, 11 Jan 2017 11:09:24 -0800
|
||||
Subject: ASoC: msm: qdsp6v2: extend validation of virtual address
|
||||
|
||||
Validate a buffer virtual address is fully within the region before
|
||||
returning the region to ensure functionality for an extended edge case.
|
||||
|
||||
Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
|
||||
Signed-off-by: Siena Richard <sienar@codeaurora.org>
|
||||
CRs-fixed: 1108461
|
||||
|
||||
Bug: 38195131
|
||||
Change-Id: Ib527a380a857719bff8254be514133528bd64c75
|
||||
---
|
||||
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
|
||||
index 07de5a2..42a3ea7 100644
|
||||
--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
|
||||
+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/* Copyright (C) 2008 Google, Inc.
|
||||
* Copyright (C) 2008 HTC Corporation
|
||||
- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
|
||||
+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This software is licensed under the terms of the GNU General Public
|
||||
* License version 2, as published by the Free Software Foundation, and
|
||||
@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr,
|
||||
list_for_each_entry(region_elt, &audio->ion_region_queue, list) {
|
||||
if (addr >= region_elt->vaddr &&
|
||||
addr < region_elt->vaddr + region_elt->len &&
|
||||
- addr + len <= region_elt->vaddr + region_elt->len) {
|
||||
+ addr + len <= region_elt->vaddr + region_elt->len &&
|
||||
+ addr + len > addr) {
|
||||
+ /* to avoid integer addition overflow */
|
||||
+
|
||||
/* offset since we could pass vaddr inside a registerd
|
||||
* ion buffer
|
||||
*/
|
||||
--
|
||||
cgit v1.1
|
||||
|
25
Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch
Normal file
25
Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From b7b89be8d4ab0c5e6eb0cdfb1108af08a1cd088f Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 02 Oct 2015 11:43:29 -0700
|
||||
Subject: [PATCH] tcp: remove BUG_ON() in tcp_check_req()
|
||||
|
||||
Once listener is lockless, its sk_state can change anytime.
|
||||
|
||||
Change-Id: I3a8c4aa4974294b865d79ea997df4c8cee5ffbc2
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
|
||||
index 0f01788..28f72aa 100644
|
||||
--- a/net/ipv4/tcp_minisocks.c
|
||||
+++ b/net/ipv4/tcp_minisocks.c
|
||||
@@ -511,8 +511,6 @@
|
||||
__be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK);
|
||||
bool paws_reject = false;
|
||||
|
||||
- BUG_ON(fastopen == (sk->sk_state == TCP_LISTEN));
|
||||
-
|
||||
tmp_opt.saw_tstamp = 0;
|
||||
if (th->doff > (sizeof(struct tcphdr)>>2)) {
|
||||
tcp_parse_options(skb, &tmp_opt, 0, NULL);
|
1
Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSBiN2I4OWJlOGQ0YWIwYzVlNmViMGNkZmIxMTA4YWYwOGExY2QwODhmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+CkRhdGU6IEZyaSwgMDIgT2N0IDIwMTUgMTE6NDM6MjkgLTA3MDAKU3ViamVjdDogW1BBVENIXSB0Y3A6IHJlbW92ZSBCVUdfT04oKSBpbiB0Y3BfY2hlY2tfcmVxKCkKCk9uY2UgbGlzdGVuZXIgaXMgbG9ja2xlc3MsIGl0cyBza19zdGF0ZSBjYW4gY2hhbmdlIGFueXRpbWUuCgpDaGFuZ2UtSWQ6IEkzYThjNGFhNDk3NDI5NGI4NjVkNzllYTk5N2RmNGM4Y2VlNWZmYmMyClNpZ25lZC1vZmYtYnk6IEVyaWMgRHVtYXpldCA8ZWR1bWF6ZXRAZ29vZ2xlLmNvbT4KU2lnbmVkLW9mZi1ieTogRGF2aWQgUy4gTWlsbGVyIDxkYXZlbUBkYXZlbWxvZnQubmV0PgotLS0KCmRpZmYgLS1naXQgYS9uZXQvaXB2NC90Y3BfbWluaXNvY2tzLmMgYi9uZXQvaXB2NC90Y3BfbWluaXNvY2tzLmMKaW5kZXggMGYwMTc4OC4uMjhmNzJhYSAxMDA2NDQKLS0tIGEvbmV0L2lwdjQvdGNwX21pbmlzb2Nrcy5jCisrKyBiL25ldC9pcHY0L3RjcF9taW5pc29ja3MuYwpAQCAtNTExLDggKzUxMSw2IEBACiAJX19iZTMyIGZsZyA9IHRjcF9mbGFnX3dvcmQodGgpICYgKFRDUF9GTEFHX1JTVHxUQ1BfRkxBR19TWU58VENQX0ZMQUdfQUNLKTsKIAlib29sIHBhd3NfcmVqZWN0ID0gZmFsc2U7CiAKLQlCVUdfT04oZmFzdG9wZW4gPT0gKHNrLT5za19zdGF0ZSA9PSBUQ1BfTElTVEVOKSk7Ci0KIAl0bXBfb3B0LnNhd190c3RhbXAgPSAwOwogCWlmICh0aC0+ZG9mZiA+IChzaXplb2Yoc3RydWN0IHRjcGhkcik+PjIpKSB7CiAJCXRjcF9wYXJzZV9vcHRpb25zKHNrYiwgJnRtcF9vcHQsIDAsIE5VTEwpOwo=
|
159
Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch
Normal file
159
Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch
Normal file
@ -0,0 +1,159 @@
|
||||
From 9eb0e01be831d0f37ea6278a92c32424141f55fb Mon Sep 17 00:00:00 2001
|
||||
From: Peter Zijlstra <peterz@infradead.org>
|
||||
Date: Wed, 11 Jan 2017 21:09:50 +0100
|
||||
Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
|
||||
|
||||
commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream.
|
||||
|
||||
Di Shen reported a race between two concurrent sys_perf_event_open()
|
||||
calls where both try and move the same pre-existing software group
|
||||
into a hardware context.
|
||||
|
||||
The problem is exactly that described in commit:
|
||||
|
||||
f63a8daa5812 ("perf: Fix event->ctx locking")
|
||||
|
||||
... where, while we wait for a ctx->mutex acquisition, the event->ctx
|
||||
relation can have changed under us.
|
||||
|
||||
That very same commit failed to recognise sys_perf_event_context() as an
|
||||
external access vector to the events and thereby didn't apply the
|
||||
established locking rules correctly.
|
||||
|
||||
So while one sys_perf_event_open() call is stuck waiting on
|
||||
mutex_lock_double(), the other (which owns said locks) moves the group
|
||||
about. So by the time the former sys_perf_event_open() acquires the
|
||||
locks, the context we've acquired is stale (and possibly dead).
|
||||
|
||||
Apply the established locking rules as per perf_event_ctx_lock_nested()
|
||||
to the mutex_lock_double() for the 'move_group' case. This obviously means
|
||||
we need to validate state after we acquire the locks.
|
||||
|
||||
Reported-by: Di Shen (Keen Lab)
|
||||
Tested-by: John Dias <joaodias@google.com>
|
||||
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
|
||||
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
|
||||
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
|
||||
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
|
||||
Cc: Jiri Olsa <jolsa@redhat.com>
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Min Chong <mchong@google.com>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Stephane Eranian <eranian@google.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Vince Weaver <vincent.weaver@maine.edu>
|
||||
Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
|
||||
Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
[bwh: Backported to 3.2:
|
||||
- Use ACCESS_ONCE() instead of READ_ONCE()
|
||||
- Test perf_event::group_flags instead of group_caps
|
||||
- Add the err_locked cleanup block, which we didn't need before
|
||||
- Adjust context]
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
kernel/events/core.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 57 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/kernel/events/core.c b/kernel/events/core.c
|
||||
index a301c68..49a1db4 100644
|
||||
--- a/kernel/events/core.c
|
||||
+++ b/kernel/events/core.c
|
||||
@@ -6474,6 +6474,37 @@ static void mutex_lock_double(struct mutex *a, struct mutex *b)
|
||||
mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Variation on perf_event_ctx_lock_nested(), except we take two context
|
||||
+ * mutexes.
|
||||
+ */
|
||||
+static struct perf_event_context *
|
||||
+__perf_event_ctx_lock_double(struct perf_event *group_leader,
|
||||
+ struct perf_event_context *ctx)
|
||||
+{
|
||||
+ struct perf_event_context *gctx;
|
||||
+
|
||||
+again:
|
||||
+ rcu_read_lock();
|
||||
+ gctx = ACCESS_ONCE(group_leader->ctx);
|
||||
+ if (!atomic_inc_not_zero(&gctx->refcount)) {
|
||||
+ rcu_read_unlock();
|
||||
+ goto again;
|
||||
+ }
|
||||
+ rcu_read_unlock();
|
||||
+
|
||||
+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
|
||||
+
|
||||
+ if (group_leader->ctx != gctx) {
|
||||
+ mutex_unlock(&ctx->mutex);
|
||||
+ mutex_unlock(&gctx->mutex);
|
||||
+ put_ctx(gctx);
|
||||
+ goto again;
|
||||
+ }
|
||||
+
|
||||
+ return gctx;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* sys_perf_event_open - open a performance event, associate it to a task/cpu
|
||||
*
|
||||
@@ -6661,14 +6692,31 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||
}
|
||||
|
||||
if (move_group) {
|
||||
- gctx = group_leader->ctx;
|
||||
+ gctx = __perf_event_ctx_lock_double(group_leader, ctx);
|
||||
+
|
||||
+ /*
|
||||
+ * Check if we raced against another sys_perf_event_open() call
|
||||
+ * moving the software group underneath us.
|
||||
+ */
|
||||
+ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
|
||||
+ /*
|
||||
+ * If someone moved the group out from under us, check
|
||||
+ * if this new event wound up on the same ctx, if so
|
||||
+ * its the regular !move_group case, otherwise fail.
|
||||
+ */
|
||||
+ if (gctx != ctx) {
|
||||
+ err = -EINVAL;
|
||||
+ goto err_locked;
|
||||
+ } else {
|
||||
+ perf_event_ctx_unlock(group_leader, gctx);
|
||||
+ move_group = 0;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/*
|
||||
* See perf_event_ctx_lock() for comments on the details
|
||||
* of swizzling perf_event::ctx.
|
||||
*/
|
||||
- mutex_lock_double(&gctx->mutex, &ctx->mutex);
|
||||
-
|
||||
perf_remove_from_context(group_leader, false);
|
||||
|
||||
/*
|
||||
@@ -6710,7 +6758,7 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||
perf_unpin_context(ctx);
|
||||
|
||||
if (move_group) {
|
||||
- mutex_unlock(&gctx->mutex);
|
||||
+ perf_event_ctx_unlock(group_leader, gctx);
|
||||
put_ctx(gctx);
|
||||
}
|
||||
mutex_unlock(&ctx->mutex);
|
||||
@@ -6737,6 +6785,11 @@ SYSCALL_DEFINE5(perf_event_open,
|
||||
fd_install(event_fd, event_file);
|
||||
return event_fd;
|
||||
|
||||
+err_locked:
|
||||
+ if (move_group)
|
||||
+ perf_event_ctx_unlock(group_leader, gctx);
|
||||
+ mutex_unlock(&ctx->mutex);
|
||||
+ fput(event_file);
|
||||
err_context:
|
||||
perf_unpin_context(ctx);
|
||||
put_ctx(ctx);
|
||||
--
|
||||
cgit v1.1
|
||||
|
53
Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch
Normal file
53
Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch
Normal file
@ -0,0 +1,53 @@
|
||||
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
|
||||
index 05cfee7..2ae5ae2 100644
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -1429,13 +1429,16 @@
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- if (!po->running)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- if (po->fanout)
|
||||
- return -EALREADY;
|
||||
-
|
||||
mutex_lock(&fanout_mutex);
|
||||
+
|
||||
+ err = -EINVAL;
|
||||
+ if (!po->running)
|
||||
+ goto out;
|
||||
+
|
||||
+ err = -EALREADY;
|
||||
+ if (po->fanout)
|
||||
+ goto out;
|
||||
+
|
||||
match = NULL;
|
||||
list_for_each_entry(f, &fanout_list, list) {
|
||||
if (f->id == id &&
|
||||
@@ -1491,17 +1494,16 @@
|
||||
struct packet_sock *po = pkt_sk(sk);
|
||||
struct packet_fanout *f;
|
||||
|
||||
- f = po->fanout;
|
||||
- if (!f)
|
||||
- return;
|
||||
-
|
||||
mutex_lock(&fanout_mutex);
|
||||
- po->fanout = NULL;
|
||||
+ f = po->fanout;
|
||||
+ if (f) {
|
||||
+ po->fanout = NULL;
|
||||
|
||||
- if (atomic_dec_and_test(&f->sk_ref)) {
|
||||
- list_del(&f->list);
|
||||
- dev_remove_pack(&f->prot_hook);
|
||||
- kfree(f);
|
||||
+ if (atomic_dec_and_test(&f->sk_ref)) {
|
||||
+ list_del(&f->list);
|
||||
+ dev_remove_pack(&f->prot_hook);
|
||||
+ kfree(f);
|
||||
+ }
|
||||
}
|
||||
mutex_unlock(&fanout_mutex);
|
||||
}
|
1
Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
ZGlmZiAtLWdpdCBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMgYi9uZXQvcGFja2V0L2FmX3BhY2tldC5jCmluZGV4IDA1Y2ZlZTcuLjJhZTVhZTIgMTAwNjQ0Ci0tLSBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMKKysrIGIvbmV0L3BhY2tldC9hZl9wYWNrZXQuYwpAQCAtMTQyOSwxMyArMTQyOSwxNiBAQAogCQlyZXR1cm4gLUVJTlZBTDsKIAl9CiAKLQlpZiAoIXBvLT5ydW5uaW5nKQotCQlyZXR1cm4gLUVJTlZBTDsKLQotCWlmIChwby0+ZmFub3V0KQotCQlyZXR1cm4gLUVBTFJFQURZOwotCiAJbXV0ZXhfbG9jaygmZmFub3V0X211dGV4KTsKKworCWVyciA9IC1FSU5WQUw7CisJaWYgKCFwby0+cnVubmluZykKKwkJZ290byBvdXQ7CisKKwllcnIgPSAtRUFMUkVBRFk7CisJaWYgKHBvLT5mYW5vdXQpCisJCWdvdG8gb3V0OworCiAJbWF0Y2ggPSBOVUxMOwogCWxpc3RfZm9yX2VhY2hfZW50cnkoZiwgJmZhbm91dF9saXN0LCBsaXN0KSB7CiAJCWlmIChmLT5pZCA9PSBpZCAmJgpAQCAtMTQ5MSwxNyArMTQ5NCwxNiBAQAogCXN0cnVjdCBwYWNrZXRfc29jayAqcG8gPSBwa3Rfc2soc2spOwogCXN0cnVjdCBwYWNrZXRfZmFub3V0ICpmOwogCi0JZiA9IHBvLT5mYW5vdXQ7Ci0JaWYgKCFmKQotCQlyZXR1cm47Ci0KIAltdXRleF9sb2NrKCZmYW5vdXRfbXV0ZXgpOwotCXBvLT5mYW5vdXQgPSBOVUxMOworCWYgPSBwby0+ZmFub3V0OworCWlmIChmKSB7CisJCXBvLT5mYW5vdXQgPSBOVUxMOwogCi0JaWYgKGF0b21pY19kZWNfYW5kX3Rlc3QoJmYtPnNrX3JlZikpIHsKLQkJbGlzdF9kZWwoJmYtPmxpc3QpOwotCQlkZXZfcmVtb3ZlX3BhY2soJmYtPnByb3RfaG9vayk7Ci0JCWtmcmVlKGYpOworCQlpZiAoYXRvbWljX2RlY19hbmRfdGVzdCgmZi0+c2tfcmVmKSkgeworCQkJbGlzdF9kZWwoJmYtPmxpc3QpOworCQkJZGV2X3JlbW92ZV9wYWNrKCZmLT5wcm90X2hvb2spOworCQkJa2ZyZWUoZik7CisJCX0KIAl9CiAJbXV0ZXhfdW5sb2NrKCZmYW5vdXRfbXV0ZXgpOwogfQo=
|
50
Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch
Normal file
50
Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001
|
||||
From: Nishank Aggarwal <naggar@codeaurora.org>
|
||||
Date: Fri, 10 Feb 2017 15:48:13 +0530
|
||||
Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
|
||||
|
||||
qcacld-2.0 to prima propagation
|
||||
|
||||
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
|
||||
is user-controllable and never validates which uses as the length
|
||||
for a memory copy. This enables user-space applications to corrupt
|
||||
heap memory and potentially crash the kernel.
|
||||
|
||||
Fix is to validate the WPARSNIes length to its max before use as the
|
||||
length for a memory copy.
|
||||
|
||||
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
|
||||
CRs-Fixed: 1102648
|
||||
---
|
||||
CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||||
index 33f7d50..c0c5c14 100644
|
||||
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
|
||||
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
|
||||
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN)
|
||||
+ {
|
||||
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
|
||||
+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
|
||||
+ wrqu->data.length);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
switch (genie[0])
|
||||
{
|
||||
case DOT11F_EID_WPA:
|
||||
--
|
||||
cgit v1.1
|
||||
|
45
Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch
Normal file
45
Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001
|
||||
From: Sungjun Park <sjpark@codeaurora.org>
|
||||
Date: Mon, 23 Jan 2017 13:28:44 -0800
|
||||
Subject: bluetooth: Fix free data pointer routine
|
||||
|
||||
Data pointer has been reused after freed it. So,
|
||||
it has been moved to after using the data pointer
|
||||
to clean up resource and freed it.
|
||||
|
||||
Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d
|
||||
Signed-off-by: Sungjun Park <sjpark@codeaurora.org>
|
||||
---
|
||||
drivers/bluetooth/btfm_slim.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c
|
||||
index 5fb00b9..1c6e256 100644
|
||||
--- a/drivers/bluetooth/btfm_slim.c
|
||||
+++ b/drivers/bluetooth/btfm_slim.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
|
||||
+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim)
|
||||
BTFMSLIM_DBG("");
|
||||
mutex_destroy(&btfm_slim->io_lock);
|
||||
mutex_destroy(&btfm_slim->xfer_lock);
|
||||
- kfree(btfm_slim);
|
||||
snd_soc_unregister_codec(&slim->dev);
|
||||
|
||||
BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd");
|
||||
@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim)
|
||||
|
||||
BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd");
|
||||
slim_remove_device(slim);
|
||||
+
|
||||
+ kfree(btfm_slim);
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
33
Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch
Normal file
33
Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From eac4a77bb71750b02e91508b15c9aaf4fe2b94ae Mon Sep 17 00:00:00 2001
|
||||
From: Sachin Bhayare <sachin.bhayare@codeaurora.org>
|
||||
Date: Fri, 23 Dec 2016 11:22:44 +0530
|
||||
Subject: msm: mdss: Fix invalid dma attachment during fb shutdown
|
||||
|
||||
If DMA attachment fail during fb_mmap, all ION memory will get free. It
|
||||
is necessary to reset the fbmem and fb_attachemnt pointer to NULL,
|
||||
otherwise during shutdown will perform another free and causing issue.
|
||||
|
||||
CRs-Fixed: 1090244
|
||||
Change-Id: I92affcf2ce039eecfc72b7c191e058f37815c726
|
||||
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
|
||||
Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>
|
||||
---
|
||||
drivers/video/msm/mdss/mdss_fb.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
|
||||
index 2e8092d..c2d1441 100644
|
||||
--- a/drivers/video/msm/mdss/mdss_fb.c
|
||||
+++ b/drivers/video/msm/mdss/mdss_fb.c
|
||||
@@ -1660,6 +1660,8 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size)
|
||||
|
||||
fb_mmap_failed:
|
||||
ion_free(mfd->fb_ion_client, mfd->fb_ion_handle);
|
||||
+ mfd->fb_ion_handle = NULL;
|
||||
+ mfd->fbmem_buf = NULL;
|
||||
return rc;
|
||||
}
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
87
Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch
Normal file
87
Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From 3127779c064c6358310e542c725fe1f64dd6a60f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Mon, 17 Sep 2001 00:00:00 +0200
|
||||
Subject: [PATCH] ext4: fix data exposure after a crash
|
||||
|
||||
commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream.
|
||||
|
||||
Huang has reported that in his powerfail testing he is seeing stale
|
||||
block contents in some of recently allocated blocks although he mounts
|
||||
ext4 in data=ordered mode. After some investigation I have found out
|
||||
that indeed when delayed allocation is used, we don't add inode to
|
||||
transaction's list of inodes needing flushing before commit. Originally
|
||||
we were doing that but commit f3b59291a69d removed the logic with a
|
||||
flawed argument that it is not needed.
|
||||
|
||||
The problem is that although for delayed allocated blocks we write their
|
||||
contents immediately after allocating them, there is no guarantee that
|
||||
the IO scheduler or device doesn't reorder things and thus transaction
|
||||
allocating blocks and attaching them to inode can reach stable storage
|
||||
before actual block contents. Actually whenever we attach freshly
|
||||
allocated blocks to inode using a written extent, we should add inode to
|
||||
transaction's ordered inode list to make sure we properly wait for block
|
||||
contents to be written before committing the transaction. So that is
|
||||
what we do in this patch. This also handles other cases where stale data
|
||||
exposure was possible - like filling hole via mmap in
|
||||
data=ordered,nodelalloc mode.
|
||||
|
||||
The only exception to the above rule are extending direct IO writes where
|
||||
blkdev_direct_IO() waits for IO to complete before increasing i_size and
|
||||
thus stale data exposure is not possible. For now we don't complicate
|
||||
the code with optimizing this special case since the overhead is pretty
|
||||
low. In case this is observed to be a performance problem we can always
|
||||
handle it using a special flag to ext4_map_blocks().
|
||||
|
||||
Change-Id: I9f8b371c9fd716bf3d8af3780ce43e73d80cfb28
|
||||
Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d
|
||||
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
|
||||
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
[bwh: Backported to 3.16:
|
||||
- Drop check for EXT4_GET_BLOCKS_ZERO flag
|
||||
- Adjust context]
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
|
||||
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
|
||||
index 9d358dc..f472aed 100644
|
||||
--- a/fs/ext4/inode.c
|
||||
+++ b/fs/ext4/inode.c
|
||||
@@ -661,6 +661,20 @@
|
||||
ret = check_block_validity(inode, map);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
+
|
||||
+ /*
|
||||
+ * Inodes with freshly allocated blocks where contents will be
|
||||
+ * visible after transaction commit must be on transaction's
|
||||
+ * ordered data list.
|
||||
+ */
|
||||
+ if (map->m_flags & EXT4_MAP_NEW &&
|
||||
+ !(map->m_flags & EXT4_MAP_UNWRITTEN) &&
|
||||
+ !IS_NOQUOTA(inode) &&
|
||||
+ ext4_should_order_data(inode)) {
|
||||
+ ret = ext4_jbd2_file_inode(handle, inode);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+ }
|
||||
}
|
||||
return retval;
|
||||
}
|
||||
@@ -1116,15 +1130,6 @@
|
||||
int i_size_changed = 0;
|
||||
|
||||
trace_ext4_write_end(inode, pos, len, copied);
|
||||
- if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) {
|
||||
- ret = ext4_jbd2_file_inode(handle, inode);
|
||||
- if (ret) {
|
||||
- unlock_page(page);
|
||||
- page_cache_release(page);
|
||||
- goto errout;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (ext4_has_inline_data(inode)) {
|
||||
ret = ext4_write_inline_data_end(inode, pos, len,
|
||||
copied, page);
|
1
Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSAzMTI3Nzc5YzA2NGM2MzU4MzEwZTU0MmM3MjVmZTFmNjRkZDZhNjBmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpEYXRlOiBNb24sIDE3IFNlcCAyMDAxIDAwOjAwOjAwICswMjAwClN1YmplY3Q6IFtQQVRDSF0gZXh0NDogZml4IGRhdGEgZXhwb3N1cmUgYWZ0ZXIgYSBjcmFzaAoKY29tbWl0IDA2YmQzYzM2YTczM2FjMjc5NjJmZWE3ZDZmNDcxNjg4NDEzNzY4MjQgdXBzdHJlYW0uCgpIdWFuZyBoYXMgcmVwb3J0ZWQgdGhhdCBpbiBoaXMgcG93ZXJmYWlsIHRlc3RpbmcgaGUgaXMgc2VlaW5nIHN0YWxlCmJsb2NrIGNvbnRlbnRzIGluIHNvbWUgb2YgcmVjZW50bHkgYWxsb2NhdGVkIGJsb2NrcyBhbHRob3VnaCBoZSBtb3VudHMKZXh0NCBpbiBkYXRhPW9yZGVyZWQgbW9kZS4gQWZ0ZXIgc29tZSBpbnZlc3RpZ2F0aW9uIEkgaGF2ZSBmb3VuZCBvdXQKdGhhdCBpbmRlZWQgd2hlbiBkZWxheWVkIGFsbG9jYXRpb24gaXMgdXNlZCwgd2UgZG9uJ3QgYWRkIGlub2RlIHRvCnRyYW5zYWN0aW9uJ3MgbGlzdCBvZiBpbm9kZXMgbmVlZGluZyBmbHVzaGluZyBiZWZvcmUgY29tbWl0LiBPcmlnaW5hbGx5CndlIHdlcmUgZG9pbmcgdGhhdCBidXQgY29tbWl0IGYzYjU5MjkxYTY5ZCByZW1vdmVkIHRoZSBsb2dpYyB3aXRoIGEKZmxhd2VkIGFyZ3VtZW50IHRoYXQgaXQgaXMgbm90IG5lZWRlZC4KClRoZSBwcm9ibGVtIGlzIHRoYXQgYWx0aG91Z2ggZm9yIGRlbGF5ZWQgYWxsb2NhdGVkIGJsb2NrcyB3ZSB3cml0ZSB0aGVpcgpjb250ZW50cyBpbW1lZGlhdGVseSBhZnRlciBhbGxvY2F0aW5nIHRoZW0sIHRoZXJlIGlzIG5vIGd1YXJhbnRlZSB0aGF0CnRoZSBJTyBzY2hlZHVsZXIgb3IgZGV2aWNlIGRvZXNuJ3QgcmVvcmRlciB0aGluZ3MgYW5kIHRodXMgdHJhbnNhY3Rpb24KYWxsb2NhdGluZyBibG9ja3MgYW5kIGF0dGFjaGluZyB0aGVtIHRvIGlub2RlIGNhbiByZWFjaCBzdGFibGUgc3RvcmFnZQpiZWZvcmUgYWN0dWFsIGJsb2NrIGNvbnRlbnRzLiBBY3R1YWxseSB3aGVuZXZlciB3ZSBhdHRhY2ggZnJlc2hseQphbGxvY2F0ZWQgYmxvY2tzIHRvIGlub2RlIHVzaW5nIGEgd3JpdHRlbiBleHRlbnQsIHdlIHNob3VsZCBhZGQgaW5vZGUgdG8KdHJhbnNhY3Rpb24ncyBvcmRlcmVkIGlub2RlIGxpc3QgdG8gbWFrZSBzdXJlIHdlIHByb3Blcmx5IHdhaXQgZm9yIGJsb2NrCmNvbnRlbnRzIHRvIGJlIHdyaXR0ZW4gYmVmb3JlIGNvbW1pdHRpbmcgdGhlIHRyYW5zYWN0aW9uLiBTbyB0aGF0IGlzCndoYXQgd2UgZG8gaW4gdGhpcyBwYXRjaC4gVGhpcyBhbHNvIGhhbmRsZXMgb3RoZXIgY2FzZXMgd2hlcmUgc3RhbGUgZGF0YQpleHBvc3VyZSB3YXMgcG9zc2libGUgLSBsaWtlIGZpbGxpbmcgaG9sZSB2aWEgbW1hcCBpbgpkYXRhPW9yZGVyZWQsbm9kZWxhbGxvYyBtb2RlLgoKVGhlIG9ubHkgZXhjZXB0aW9uIHRvIHRoZSBhYm92ZSBydWxlIGFyZSBleHRlbmRpbmcgZGlyZWN0IElPIHdyaXRlcyB3aGVyZQpibGtkZXZfZGlyZWN0X0lPKCkgd2FpdHMgZm9yIElPIHRvIGNvbXBsZXRlIGJlZm9yZSBpbmNyZWFzaW5nIGlfc2l6ZSBhbmQKdGh1cyBzdGFsZSBkYXRhIGV4cG9zdXJlIGlzIG5vdCBwb3NzaWJsZS4gRm9yIG5vdyB3ZSBkb24ndCBjb21wbGljYXRlCnRoZSBjb2RlIHdpdGggb3B0aW1pemluZyB0aGlzIHNwZWNpYWwgY2FzZSBzaW5jZSB0aGUgb3ZlcmhlYWQgaXMgcHJldHR5Cmxvdy4gSW4gY2FzZSB0aGlzIGlzIG9ic2VydmVkIHRvIGJlIGEgcGVyZm9ybWFuY2UgcHJvYmxlbSB3ZSBjYW4gYWx3YXlzCmhhbmRsZSBpdCB1c2luZyBhIHNwZWNpYWwgZmxhZyB0byBleHQ0X21hcF9ibG9ja3MoKS4KCkNoYW5nZS1JZDogSTlmOGIzNzFjOWZkNzE2YmYzZDhhZjM3ODBjZTQzZTczZDgwY2ZiMjgKRml4ZXM6IGYzYjU5MjkxYTY5ZDBiNzM0YmUxZmM4YmU0ODlmZWYyZGQ4NDZkM2QKUmVwb3J0ZWQtYnk6ICJIVUFORyBXZWxsZXIgKENNL0VTVzEyLUNOKSIgPFdlbGxlci5IdWFuZ0Bjbi5ib3NjaC5jb20+ClRlc3RlZC1ieTogIkhVQU5HIFdlbGxlciAoQ00vRVNXMTItQ04pIiA8V2VsbGVyLkh1YW5nQGNuLmJvc2NoLmNvbT4KU2lnbmVkLW9mZi1ieTogSmFuIEthcmEgPGphY2tAc3VzZS5jej4KU2lnbmVkLW9mZi1ieTogVGhlb2RvcmUgVHMnbyA8dHl0c29AbWl0LmVkdT4KW2J3aDogQmFja3BvcnRlZCB0byAzLjE2OgogLSBEcm9wIGNoZWNrIGZvciBFWFQ0X0dFVF9CTE9DS1NfWkVSTyBmbGFnCiAtIEFkanVzdCBjb250ZXh0XQpTaWduZWQtb2ZmLWJ5OiBCZW4gSHV0Y2hpbmdzIDxiZW5AZGVjYWRlbnQub3JnLnVrPgotLS0KCmRpZmYgLS1naXQgYS9mcy9leHQ0L2lub2RlLmMgYi9mcy9leHQ0L2lub2RlLmMKaW5kZXggOWQzNThkYy4uZjQ3MmFlZCAxMDA2NDQKLS0tIGEvZnMvZXh0NC9pbm9kZS5jCisrKyBiL2ZzL2V4dDQvaW5vZGUuYwpAQCAtNjYxLDYgKzY2MSwyMCBAQAogCQlyZXQgPSBjaGVja19ibG9ja192YWxpZGl0eShpbm9kZSwgbWFwKTsKIAkJaWYgKHJldCAhPSAwKQogCQkJcmV0dXJuIHJldDsKKworCQkvKgorCQkgKiBJbm9kZXMgd2l0aCBmcmVzaGx5IGFsbG9jYXRlZCBibG9ja3Mgd2hlcmUgY29udGVudHMgd2lsbCBiZQorCQkgKiB2aXNpYmxlIGFmdGVyIHRyYW5zYWN0aW9uIGNvbW1pdCBtdXN0IGJlIG9uIHRyYW5zYWN0aW9uJ3MKKwkJICogb3JkZXJlZCBkYXRhIGxpc3QuCisJCSAqLworCQlpZiAobWFwLT5tX2ZsYWdzICYgRVhUNF9NQVBfTkVXICYmCisJCSAgICAhKG1hcC0+bV9mbGFncyAmIEVYVDRfTUFQX1VOV1JJVFRFTikgJiYKKwkJICAgICFJU19OT1FVT1RBKGlub2RlKSAmJgorCQkgICAgZXh0NF9zaG91bGRfb3JkZXJfZGF0YShpbm9kZSkpIHsKKwkJCXJldCA9IGV4dDRfamJkMl9maWxlX2lub2RlKGhhbmRsZSwgaW5vZGUpOworCQkJaWYgKHJldCkKKwkJCQlyZXR1cm4gcmV0OworCQl9CiAJfQogCXJldHVybiByZXR2YWw7CiB9CkBAIC0xMTE2LDE1ICsxMTMwLDYgQEAKIAlpbnQgaV9zaXplX2NoYW5nZWQgPSAwOwogCiAJdHJhY2VfZXh0NF93cml0ZV9lbmQoaW5vZGUsIHBvcywgbGVuLCBjb3BpZWQpOwotCWlmIChleHQ0X3Rlc3RfaW5vZGVfc3RhdGUoaW5vZGUsIEVYVDRfU1RBVEVfT1JERVJFRF9NT0RFKSkgewotCQlyZXQgPSBleHQ0X2piZDJfZmlsZV9pbm9kZShoYW5kbGUsIGlub2RlKTsKLQkJaWYgKHJldCkgewotCQkJdW5sb2NrX3BhZ2UocGFnZSk7Ci0JCQlwYWdlX2NhY2hlX3JlbGVhc2UocGFnZSk7Ci0JCQlnb3RvIGVycm91dDsKLQkJfQotCX0KLQogCWlmIChleHQ0X2hhc19pbmxpbmVfZGF0YShpbm9kZSkpIHsKIAkJcmV0ID0gZXh0NF93cml0ZV9pbmxpbmVfZGF0YV9lbmQoaW5vZGUsIHBvcywgbGVuLAogCQkJCQkJIGNvcGllZCwgcGFnZSk7Cg==
|
77
Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch
Normal file
77
Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From df6099279dc346ec77158d5f52d3176dbd0a1e4c Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Mon, 04 Jul 2016 10:14:01 -0400
|
||||
Subject: [PATCH] ext4: fix deadlock during page writeback
|
||||
|
||||
[ Upstream commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 ]
|
||||
|
||||
Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a
|
||||
deadlock in ext4_writepages() which was previously much harder to hit.
|
||||
After this commit xfstest generic/130 reproduces the deadlock on small
|
||||
filesystems.
|
||||
|
||||
The problem happens when ext4_do_update_inode() sets LARGE_FILE feature
|
||||
and marks current inode handle as synchronous. That subsequently results
|
||||
in ext4_journal_stop() called from ext4_writepages() to block waiting for
|
||||
transaction commit while still holding page locks, reference to io_end,
|
||||
and some prepared bio in mpd structure each of which can possibly block
|
||||
transaction commit from completing and thus results in deadlock.
|
||||
|
||||
Fix the problem by releasing page locks, io_end reference, and
|
||||
submitting prepared bio before calling ext4_journal_stop().
|
||||
|
||||
[ Changed to defer the call to ext4_journal_stop() only if the handle
|
||||
is synchronous. --tytso ]
|
||||
|
||||
Change-Id: I724640d96ffaa03e512cd0b48cea056b4030c382
|
||||
Reported-and-tested-by: Eryu Guan <eguan@redhat.com>
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
CC: stable@vger.kernel.org
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
|
||||
---
|
||||
|
||||
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
|
||||
index f472aed..5aa499f 100644
|
||||
--- a/fs/ext4/inode.c
|
||||
+++ b/fs/ext4/inode.c
|
||||
@@ -2554,13 +2554,36 @@
|
||||
done = true;
|
||||
}
|
||||
}
|
||||
- ext4_journal_stop(handle);
|
||||
+ /*
|
||||
+ * Caution: If the handle is synchronous,
|
||||
+ * ext4_journal_stop() can wait for transaction commit
|
||||
+ * to finish which may depend on writeback of pages to
|
||||
+ * complete or on page lock to be released. In that
|
||||
+ * case, we have to wait until after after we have
|
||||
+ * submitted all the IO, released page locks we hold,
|
||||
+ * and dropped io_end reference (for extent conversion
|
||||
+ * to be able to complete) before stopping the handle.
|
||||
+ */
|
||||
+ if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
|
||||
+ ext4_journal_stop(handle);
|
||||
+ handle = NULL;
|
||||
+ }
|
||||
/* Submit prepared bio */
|
||||
ext4_io_submit(&mpd.io_submit);
|
||||
/* Unlock pages we didn't use */
|
||||
mpage_release_unused_pages(&mpd, give_up_on_write);
|
||||
- /* Drop our io_end reference we got from init */
|
||||
- ext4_put_io_end(mpd.io_submit.io_end);
|
||||
+ /*
|
||||
+ * Drop our io_end reference we got from init. We have
|
||||
+ * to be careful and use deferred io_end finishing if
|
||||
+ * we are still holding the transaction as we can
|
||||
+ * release the last reference to io_end which may end
|
||||
+ * up doing unwritten extent conversion.
|
||||
+ */
|
||||
+ if (handle) {
|
||||
+ ext4_put_io_end_defer(mpd.io_submit.io_end);
|
||||
+ ext4_journal_stop(handle);
|
||||
+ } else
|
||||
+ ext4_put_io_end(mpd.io_submit.io_end);
|
||||
|
||||
if (ret == -ENOSPC && sbi->s_journal) {
|
||||
/*
|
1
Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSBkZjYwOTkyNzlkYzM0NmVjNzcxNThkNWY1MmQzMTc2ZGJkMGExZTRjIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpEYXRlOiBNb24sIDA0IEp1bCAyMDE2IDEwOjE0OjAxIC0wNDAwClN1YmplY3Q6IFtQQVRDSF0gZXh0NDogZml4IGRlYWRsb2NrIGR1cmluZyBwYWdlIHdyaXRlYmFjawoKWyBVcHN0cmVhbSBjb21taXQgNjQ2Y2FhOWM4ZTE5Njg4MGI0MWNkM2UzZDMzYTJlYmM3NTJiZGI4NSBdCgpDb21taXQgMDZiZDNjMzZhNzMzIChleHQ0OiBmaXggZGF0YSBleHBvc3VyZSBhZnRlciBhIGNyYXNoKSB1bmNvdmVyZWQgYQpkZWFkbG9jayBpbiBleHQ0X3dyaXRlcGFnZXMoKSB3aGljaCB3YXMgcHJldmlvdXNseSBtdWNoIGhhcmRlciB0byBoaXQuCkFmdGVyIHRoaXMgY29tbWl0IHhmc3Rlc3QgZ2VuZXJpYy8xMzAgcmVwcm9kdWNlcyB0aGUgZGVhZGxvY2sgb24gc21hbGwKZmlsZXN5c3RlbXMuCgpUaGUgcHJvYmxlbSBoYXBwZW5zIHdoZW4gZXh0NF9kb191cGRhdGVfaW5vZGUoKSBzZXRzIExBUkdFX0ZJTEUgZmVhdHVyZQphbmQgbWFya3MgY3VycmVudCBpbm9kZSBoYW5kbGUgYXMgc3luY2hyb25vdXMuIFRoYXQgc3Vic2VxdWVudGx5IHJlc3VsdHMKaW4gZXh0NF9qb3VybmFsX3N0b3AoKSBjYWxsZWQgZnJvbSBleHQ0X3dyaXRlcGFnZXMoKSB0byBibG9jayB3YWl0aW5nIGZvcgp0cmFuc2FjdGlvbiBjb21taXQgd2hpbGUgc3RpbGwgaG9sZGluZyBwYWdlIGxvY2tzLCByZWZlcmVuY2UgdG8gaW9fZW5kLAphbmQgc29tZSBwcmVwYXJlZCBiaW8gaW4gbXBkIHN0cnVjdHVyZSBlYWNoIG9mIHdoaWNoIGNhbiBwb3NzaWJseSBibG9jawp0cmFuc2FjdGlvbiBjb21taXQgZnJvbSBjb21wbGV0aW5nIGFuZCB0aHVzIHJlc3VsdHMgaW4gZGVhZGxvY2suCgpGaXggdGhlIHByb2JsZW0gYnkgcmVsZWFzaW5nIHBhZ2UgbG9ja3MsIGlvX2VuZCByZWZlcmVuY2UsIGFuZApzdWJtaXR0aW5nIHByZXBhcmVkIGJpbyBiZWZvcmUgY2FsbGluZyBleHQ0X2pvdXJuYWxfc3RvcCgpLgoKWyBDaGFuZ2VkIHRvIGRlZmVyIHRoZSBjYWxsIHRvIGV4dDRfam91cm5hbF9zdG9wKCkgb25seSBpZiB0aGUgaGFuZGxlCiAgaXMgc3luY2hyb25vdXMuICAtLXR5dHNvIF0KCkNoYW5nZS1JZDogSTcyNDY0MGQ5NmZmYWEwM2U1MTJjZDBiNDhjZWEwNTZiNDAzMGMzODIKUmVwb3J0ZWQtYW5kLXRlc3RlZC1ieTogRXJ5dSBHdWFuIDxlZ3VhbkByZWRoYXQuY29tPgpTaWduZWQtb2ZmLWJ5OiBUaGVvZG9yZSBUcydvIDx0eXRzb0BtaXQuZWR1PgpDQzogc3RhYmxlQHZnZXIua2VybmVsLm9yZwpTaWduZWQtb2ZmLWJ5OiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpTaWduZWQtb2ZmLWJ5OiBTYXNoYSBMZXZpbiA8YWxleGFuZGVyLmxldmluQHZlcml6b24uY29tPgotLS0KCmRpZmYgLS1naXQgYS9mcy9leHQ0L2lub2RlLmMgYi9mcy9leHQ0L2lub2RlLmMKaW5kZXggZjQ3MmFlZC4uNWFhNDk5ZiAxMDA2NDQKLS0tIGEvZnMvZXh0NC9pbm9kZS5jCisrKyBiL2ZzL2V4dDQvaW5vZGUuYwpAQCAtMjU1NCwxMyArMjU1NCwzNiBAQAogCQkJCWRvbmUgPSB0cnVlOwogCQkJfQogCQl9Ci0JCWV4dDRfam91cm5hbF9zdG9wKGhhbmRsZSk7CisJCS8qCisJCSAqIENhdXRpb246IElmIHRoZSBoYW5kbGUgaXMgc3luY2hyb25vdXMsCisJCSAqIGV4dDRfam91cm5hbF9zdG9wKCkgY2FuIHdhaXQgZm9yIHRyYW5zYWN0aW9uIGNvbW1pdAorCQkgKiB0byBmaW5pc2ggd2hpY2ggbWF5IGRlcGVuZCBvbiB3cml0ZWJhY2sgb2YgcGFnZXMgdG8KKwkJICogY29tcGxldGUgb3Igb24gcGFnZSBsb2NrIHRvIGJlIHJlbGVhc2VkLiAgSW4gdGhhdAorCQkgKiBjYXNlLCB3ZSBoYXZlIHRvIHdhaXQgdW50aWwgYWZ0ZXIgYWZ0ZXIgd2UgaGF2ZQorCQkgKiBzdWJtaXR0ZWQgYWxsIHRoZSBJTywgcmVsZWFzZWQgcGFnZSBsb2NrcyB3ZSBob2xkLAorCQkgKiBhbmQgZHJvcHBlZCBpb19lbmQgcmVmZXJlbmNlIChmb3IgZXh0ZW50IGNvbnZlcnNpb24KKwkJICogdG8gYmUgYWJsZSB0byBjb21wbGV0ZSkgYmVmb3JlIHN0b3BwaW5nIHRoZSBoYW5kbGUuCisJCSAqLworCQlpZiAoIWV4dDRfaGFuZGxlX3ZhbGlkKGhhbmRsZSkgfHwgaGFuZGxlLT5oX3N5bmMgPT0gMCkgeworCQkJZXh0NF9qb3VybmFsX3N0b3AoaGFuZGxlKTsKKwkJCWhhbmRsZSA9IE5VTEw7CisJCX0KIAkJLyogU3VibWl0IHByZXBhcmVkIGJpbyAqLwogCQlleHQ0X2lvX3N1Ym1pdCgmbXBkLmlvX3N1Ym1pdCk7CiAJCS8qIFVubG9jayBwYWdlcyB3ZSBkaWRuJ3QgdXNlICovCiAJCW1wYWdlX3JlbGVhc2VfdW51c2VkX3BhZ2VzKCZtcGQsIGdpdmVfdXBfb25fd3JpdGUpOwotCQkvKiBEcm9wIG91ciBpb19lbmQgcmVmZXJlbmNlIHdlIGdvdCBmcm9tIGluaXQgKi8KLQkJZXh0NF9wdXRfaW9fZW5kKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKKwkJLyoKKwkJICogRHJvcCBvdXIgaW9fZW5kIHJlZmVyZW5jZSB3ZSBnb3QgZnJvbSBpbml0LiBXZSBoYXZlCisJCSAqIHRvIGJlIGNhcmVmdWwgYW5kIHVzZSBkZWZlcnJlZCBpb19lbmQgZmluaXNoaW5nIGlmCisJCSAqIHdlIGFyZSBzdGlsbCBob2xkaW5nIHRoZSB0cmFuc2FjdGlvbiBhcyB3ZSBjYW4KKwkJICogcmVsZWFzZSB0aGUgbGFzdCByZWZlcmVuY2UgdG8gaW9fZW5kIHdoaWNoIG1heSBlbmQKKwkJICogdXAgZG9pbmcgdW53cml0dGVuIGV4dGVudCBjb252ZXJzaW9uLgorCQkgKi8KKwkJaWYgKGhhbmRsZSkgeworCQkJZXh0NF9wdXRfaW9fZW5kX2RlZmVyKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKKwkJCWV4dDRfam91cm5hbF9zdG9wKGhhbmRsZSk7CisJCX0gZWxzZQorCQkJZXh0NF9wdXRfaW9fZW5kKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKIAogCQlpZiAocmV0ID09IC1FTk9TUEMgJiYgc2JpLT5zX2pvdXJuYWwpIHsKIAkJCS8qCg==
|
64
Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch
Normal file
64
Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 3a42f1b79ed696f29350f170c00f27712ae84a36 Mon Sep 17 00:00:00 2001
|
||||
From: Maggie White <maggiewhite@google.com>
|
||||
Date: Wed, 5 Jul 2017 13:00:40 -0700
|
||||
Subject: msm: camera: isp: fix for out of bound access array
|
||||
|
||||
There is no bound check in stream_cfg_cmd->num_streams and it's used in
|
||||
several places as a maximum index into the stream_cfg_cmd->stream_handle
|
||||
array which has a size of 15. Current code didn't check the maximum
|
||||
index to make sure it didn't exceed the array size.
|
||||
|
||||
Bug: 62379525
|
||||
Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0
|
||||
Signed-off-by: Maggie White <maggiewhite@google.com>
|
||||
---
|
||||
.../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
index 82da3e0..43a2c77 100644
|
||||
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
@@ -550,6 +550,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
|
||||
int i;
|
||||
uint32_t stats_mask = 0, idx;
|
||||
|
||||
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
|
||||
+ pr_err("%s invalid num_streams %d\n", __func__,
|
||||
+ stream_cfg_cmd->num_streams);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
||||
idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
|
||||
|
||||
@@ -630,6 +636,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev,
|
||||
stats_data->stream_info);
|
||||
if (rc < 0)
|
||||
return rc;
|
||||
+
|
||||
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
|
||||
+ pr_err("%s invalid num_streams %d\n", __func__,
|
||||
+ stream_cfg_cmd->num_streams);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
||||
idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
|
||||
|
||||
@@ -702,6 +715,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev,
|
||||
num_stats_comp_mask =
|
||||
vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;
|
||||
|
||||
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
|
||||
+ pr_err("%s invalid num_streams %d\n", __func__,
|
||||
+ stream_cfg_cmd->num_streams);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
||||
|
||||
idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
|
||||
--
|
||||
cgit v1.1
|
||||
|
82
Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch
Normal file
82
Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch
Normal file
@ -0,0 +1,82 @@
|
||||
From 52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 Mon Sep 17 00:00:00 2001
|
||||
From: Gaoxiang Chen <gaochen@codeaurora.org>
|
||||
Date: Fri, 31 Mar 2017 14:28:33 +0800
|
||||
Subject: msm: camera: don't cut to 8bits for validating enum variable
|
||||
|
||||
In msm_ispif_is_intf_valid(),
|
||||
we convert a enum variable msm_ispif_vfe_intf,
|
||||
to uint8_t type for validating.
|
||||
|
||||
This could cause potential issue,
|
||||
if the value is crafted in such a way that lower 8bits pass the validation.
|
||||
|
||||
Don't use uint8_t as input parm to avoid such vulnerability.
|
||||
|
||||
CRs-Fixed: 2008469
|
||||
Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a
|
||||
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
|
||||
---
|
||||
drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
|
||||
index 4e07d4d..8409a64 100644
|
||||
--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
|
||||
+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
|
||||
@@ -64,7 +64,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif)
|
||||
|
||||
|
||||
static inline int msm_ispif_is_intf_valid(uint32_t csid_version,
|
||||
- uint8_t intf_type)
|
||||
+ enum msm_ispif_vfe_intf intf_type)
|
||||
{
|
||||
return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||
|
||||
(intf_type >= VFE_MAX)) ? false : true;
|
||||
@@ -347,7 +347,7 @@ static int msm_ispif_subdev_g_chip_ident(struct v4l2_subdev *sd,
|
||||
}
|
||||
|
||||
static void msm_ispif_sel_csid_core(struct ispif_device *ispif,
|
||||
- uint8_t intftype, uint8_t csid, uint8_t vfe_intf)
|
||||
+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf)
|
||||
{
|
||||
uint32_t data;
|
||||
|
||||
@@ -387,7 +387,7 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif,
|
||||
}
|
||||
|
||||
static void msm_ispif_enable_crop(struct ispif_device *ispif,
|
||||
- uint8_t intftype, uint8_t vfe_intf, uint16_t start_pixel,
|
||||
+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf, uint16_t start_pixel,
|
||||
uint16_t end_pixel)
|
||||
{
|
||||
uint32_t data;
|
||||
@@ -419,7 +419,7 @@ static void msm_ispif_enable_crop(struct ispif_device *ispif,
|
||||
}
|
||||
|
||||
static void msm_ispif_enable_intf_cids(struct ispif_device *ispif,
|
||||
- uint8_t intftype, uint16_t cid_mask, uint8_t vfe_intf, uint8_t enable)
|
||||
+ uint8_t intftype, uint16_t cid_mask, enum msm_ispif_vfe_intf vfe_intf, uint8_t enable)
|
||||
{
|
||||
uint32_t intf_addr, data;
|
||||
|
||||
@@ -461,7 +461,7 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif,
|
||||
}
|
||||
|
||||
static int msm_ispif_validate_intf_status(struct ispif_device *ispif,
|
||||
- uint8_t intftype, uint8_t vfe_intf)
|
||||
+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf)
|
||||
{
|
||||
int rc = 0;
|
||||
uint32_t data = 0;
|
||||
@@ -501,7 +501,7 @@ static int msm_ispif_validate_intf_status(struct ispif_device *ispif,
|
||||
}
|
||||
|
||||
static void msm_ispif_select_clk_mux(struct ispif_device *ispif,
|
||||
- uint8_t intftype, uint8_t csid, uint8_t vfe_intf)
|
||||
+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf)
|
||||
{
|
||||
uint32_t data = 0;
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
33
Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch
Normal file
33
Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001
|
||||
From: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
|
||||
Date: Tue, 18 Apr 2017 14:44:43 +0530
|
||||
Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl
|
||||
|
||||
Assign address of buf_info into ioctl_ptr.
|
||||
Previously we were copying first 8 bytes of buf_info (content)
|
||||
into ioctl_ptr. Which is dereferenced and written later causing
|
||||
kernel overwrite vulnerability.
|
||||
|
||||
Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
|
||||
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
|
||||
---
|
||||
drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
||||
index 882ab03..d0b265a 100644
|
||||
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
||||
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
||||
@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
|
||||
sizeof(struct msm_buf_mngr_info))) {
|
||||
return -EFAULT;
|
||||
}
|
||||
- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
|
||||
- &buf_info, sizeof(void *));
|
||||
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
|
||||
argp = &k_ioctl;
|
||||
rc = msm_cam_buf_mgr_ops(cmd, argp);
|
||||
}
|
||||
--
|
||||
cgit v1.1
|
||||
|
53
Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch
Normal file
53
Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch
Normal file
@ -0,0 +1,53 @@
|
||||
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
|
||||
index 640e6c1..57e3ea3 100644
|
||||
--- a/drivers/gpu/msm/kgsl.c
|
||||
+++ b/drivers/gpu/msm/kgsl.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
|
||||
+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@@ -167,8 +167,11 @@
|
||||
{
|
||||
struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL);
|
||||
|
||||
- if (entry)
|
||||
+ if (entry) {
|
||||
kref_init(&entry->refcount);
|
||||
+ /* put this ref in the caller functions after init */
|
||||
+ kref_get(&entry->refcount);
|
||||
+ }
|
||||
|
||||
return entry;
|
||||
}
|
||||
@@ -3019,6 +3022,9 @@
|
||||
trace_kgsl_mem_map(entry, param->fd);
|
||||
|
||||
kgsl_mem_entry_commit_process(private, entry);
|
||||
+
|
||||
+ /* put the extra refcount for kgsl_mem_entry_create() */
|
||||
+ kgsl_mem_entry_put(entry);
|
||||
return result;
|
||||
|
||||
error_attach:
|
||||
@@ -3343,6 +3349,9 @@
|
||||
param->flags = entry->memdesc.flags;
|
||||
|
||||
kgsl_mem_entry_commit_process(private, entry);
|
||||
+
|
||||
+ /* put the extra refcount for kgsl_mem_entry_create() */
|
||||
+ kgsl_mem_entry_put(entry);
|
||||
return result;
|
||||
err:
|
||||
kgsl_sharedmem_free(&entry->memdesc);
|
||||
@@ -3382,6 +3391,9 @@
|
||||
param->gpuaddr = entry->memdesc.gpuaddr;
|
||||
|
||||
kgsl_mem_entry_commit_process(private, entry);
|
||||
+
|
||||
+ /* put the extra refcount for kgsl_mem_entry_create() */
|
||||
+ kgsl_mem_entry_put(entry);
|
||||
return result;
|
||||
err:
|
||||
if (entry)
|
1
Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMgYi9kcml2ZXJzL2dwdS9tc20va2dzbC5jCmluZGV4IDY0MGU2YzEuLjU3ZTNlYTMgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMKKysrIGIvZHJpdmVycy9ncHUvbXNtL2tnc2wuYwpAQCAtMSw0ICsxLDQgQEAKLS8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE2LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KKy8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE3LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAqCiAgKiBUaGlzIHByb2dyYW0gaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNhbiByZWRpc3RyaWJ1dGUgaXQgYW5kL29yIG1vZGlmeQogICogaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2ZXJzaW9uIDIgYW5kCkBAIC0xNjcsOCArMTY3LDExIEBACiB7CiAJc3RydWN0IGtnc2xfbWVtX2VudHJ5ICplbnRyeSA9IGt6YWxsb2Moc2l6ZW9mKCplbnRyeSksIEdGUF9LRVJORUwpOwogCi0JaWYgKGVudHJ5KQorCWlmIChlbnRyeSkgewogCQlrcmVmX2luaXQoJmVudHJ5LT5yZWZjb3VudCk7CisJCS8qIHB1dCB0aGlzIHJlZiBpbiB0aGUgY2FsbGVyIGZ1bmN0aW9ucyBhZnRlciBpbml0ICovCisJCWtyZWZfZ2V0KCZlbnRyeS0+cmVmY291bnQpOworCX0KIAogCXJldHVybiBlbnRyeTsKIH0KQEAgLTMwMTksNiArMzAyMiw5IEBACiAJdHJhY2Vfa2dzbF9tZW1fbWFwKGVudHJ5LCBwYXJhbS0+ZmQpOwogCiAJa2dzbF9tZW1fZW50cnlfY29tbWl0X3Byb2Nlc3MocHJpdmF0ZSwgZW50cnkpOworCisJLyogcHV0IHRoZSBleHRyYSByZWZjb3VudCBmb3Iga2dzbF9tZW1fZW50cnlfY3JlYXRlKCkgKi8KKwlrZ3NsX21lbV9lbnRyeV9wdXQoZW50cnkpOwogCXJldHVybiByZXN1bHQ7CiAKIGVycm9yX2F0dGFjaDoKQEAgLTMzNDMsNiArMzM0OSw5IEBACiAJcGFyYW0tPmZsYWdzID0gZW50cnktPm1lbWRlc2MuZmxhZ3M7CiAKIAlrZ3NsX21lbV9lbnRyeV9jb21taXRfcHJvY2Vzcyhwcml2YXRlLCBlbnRyeSk7CisKKwkvKiBwdXQgdGhlIGV4dHJhIHJlZmNvdW50IGZvciBrZ3NsX21lbV9lbnRyeV9jcmVhdGUoKSAqLworCWtnc2xfbWVtX2VudHJ5X3B1dChlbnRyeSk7CiAJcmV0dXJuIHJlc3VsdDsKIGVycjoKIAlrZ3NsX3NoYXJlZG1lbV9mcmVlKCZlbnRyeS0+bWVtZGVzYyk7CkBAIC0zMzgyLDYgKzMzOTEsOSBAQAogCXBhcmFtLT5ncHVhZGRyID0gZW50cnktPm1lbWRlc2MuZ3B1YWRkcjsKIAogCWtnc2xfbWVtX2VudHJ5X2NvbW1pdF9wcm9jZXNzKHByaXZhdGUsIGVudHJ5KTsKKworCS8qIHB1dCB0aGUgZXh0cmEgcmVmY291bnQgZm9yIGtnc2xfbWVtX2VudHJ5X2NyZWF0ZSgpICovCisJa2dzbF9tZW1fZW50cnlfcHV0KGVudHJ5KTsKIAlyZXR1cm4gcmVzdWx0OwogZXJyOgogCWlmIChlbnRyeSkK
|
182
Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch
Normal file
182
Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch
Normal file
@ -0,0 +1,182 @@
|
||||
From aa23820b001ab1cfb86b79014e9fc44cd2be9ece Mon Sep 17 00:00:00 2001
|
||||
From: Ingrid Gallardo <ingridg@codeaurora.org>
|
||||
Date: Wed, 1 Mar 2017 12:24:06 -0800
|
||||
Subject: msm: mdss: fix race condition in mdp debugfs
|
||||
|
||||
Fix race condition in mdp debugfs properties
|
||||
during the read and write of the panel and
|
||||
mdp registers. This race condition can cause
|
||||
accessing memory out bounderies.
|
||||
|
||||
Change-Id: I97a90a154237343d4aaf237c11f525bcc2c3a8e3
|
||||
Signed-off-by: Ingrid Gallardo <ingridg@codeaurora.org>
|
||||
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
|
||||
---
|
||||
drivers/video/msm/mdss/mdss_debug.c | 48 ++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 40 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
|
||||
index a95fa43..cedd40cd 100644
|
||||
--- a/drivers/video/msm/mdss/mdss_debug.c
|
||||
+++ b/drivers/video/msm/mdss/mdss_debug.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
|
||||
+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@@ -39,6 +39,8 @@
|
||||
#define PANEL_CMD_MIN_TX_COUNT 2
|
||||
#define PANEL_DATA_NODE_LEN 80
|
||||
|
||||
+static DEFINE_MUTEX(mdss_debug_lock);
|
||||
+
|
||||
static char panel_reg[2] = {DEFAULT_READ_PANEL_POWER_MODE_REG, 0x00};
|
||||
|
||||
static int panel_debug_base_open(struct inode *inode, struct file *file)
|
||||
@@ -88,8 +90,10 @@ static ssize_t panel_debug_base_offset_write(struct file *file,
|
||||
if (cnt > (dbg->max_offset - off))
|
||||
cnt = dbg->max_offset - off;
|
||||
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
dbg->off = off;
|
||||
dbg->cnt = cnt;
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
|
||||
pr_debug("offset=%x cnt=%d\n", off, cnt);
|
||||
|
||||
@@ -109,15 +113,21 @@ static ssize_t panel_debug_base_offset_read(struct file *file,
|
||||
if (*ppos)
|
||||
return 0; /* the end */
|
||||
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt);
|
||||
- if (len < 0 || len >= sizeof(buf))
|
||||
+ if (len < 0 || len >= sizeof(buf)) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
|
||||
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return -EFAULT;
|
||||
+ }
|
||||
|
||||
*ppos += len; /* increase offset */
|
||||
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return len;
|
||||
}
|
||||
|
||||
@@ -206,11 +216,16 @@ static ssize_t panel_debug_base_reg_read(struct file *file,
|
||||
if (!dbg)
|
||||
return -ENODEV;
|
||||
|
||||
- if (!dbg->cnt)
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
+ if (!dbg->cnt) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
- if (*ppos)
|
||||
+ if (*ppos) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return 0; /* the end */
|
||||
+ }
|
||||
|
||||
/* '0x' + 2 digit + blank = 5 bytes for each number */
|
||||
reg_buf_len = (dbg->cnt * PANEL_REG_FORMAT_LEN)
|
||||
@@ -251,11 +266,13 @@ static ssize_t panel_debug_base_reg_read(struct file *file,
|
||||
kfree(panel_reg_buf);
|
||||
|
||||
*ppos += len; /* increase offset */
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return len;
|
||||
|
||||
read_reg_fail:
|
||||
kfree(rx_buf);
|
||||
kfree(panel_reg_buf);
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -386,8 +403,10 @@ static ssize_t mdss_debug_base_offset_write(struct file *file,
|
||||
if (cnt > (dbg->max_offset - off))
|
||||
cnt = dbg->max_offset - off;
|
||||
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
dbg->off = off;
|
||||
dbg->cnt = cnt;
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
|
||||
pr_debug("offset=%x cnt=%x\n", off, cnt);
|
||||
|
||||
@@ -407,15 +426,21 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
|
||||
if (*ppos)
|
||||
return 0; /* the end */
|
||||
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt);
|
||||
- if (len < 0 || len >= sizeof(buf))
|
||||
+ if (len < 0 || len >= sizeof(buf)) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
|
||||
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return -EFAULT;
|
||||
+ }
|
||||
|
||||
*ppos += len; /* increase offset */
|
||||
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return len;
|
||||
}
|
||||
|
||||
@@ -472,6 +497,8 @@ static ssize_t mdss_debug_base_reg_read(struct file *file,
|
||||
return -ENODEV;
|
||||
}
|
||||
|
||||
+ mutex_lock(&mdss_debug_lock);
|
||||
+
|
||||
if (!dbg->buf) {
|
||||
char dump_buf[64];
|
||||
char *ptr;
|
||||
@@ -483,6 +510,7 @@ static ssize_t mdss_debug_base_reg_read(struct file *file,
|
||||
|
||||
if (!dbg->buf) {
|
||||
pr_err("not enough memory to hold reg dump\n");
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
@@ -513,17 +541,21 @@ static ssize_t mdss_debug_base_reg_read(struct file *file,
|
||||
dbg->buf_len = tot;
|
||||
}
|
||||
|
||||
- if (*ppos >= dbg->buf_len)
|
||||
+ if (*ppos >= dbg->buf_len) {
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return 0; /* done reading */
|
||||
+ }
|
||||
|
||||
len = min(count, dbg->buf_len - (size_t) *ppos);
|
||||
if (copy_to_user(user_buf, dbg->buf + *ppos, len)) {
|
||||
pr_err("failed to copy to user\n");
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
*ppos += len; /* increase offset */
|
||||
|
||||
+ mutex_unlock(&mdss_debug_lock);
|
||||
return len;
|
||||
}
|
||||
|
||||
--
|
||||
cgit v1.1
|
||||
|
37
Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch
Normal file
37
Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From f52d6739f6a67cf1c918a4557e88b519b9135930 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Tue, 09 May 2017 06:29:19 -0700
|
||||
Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent
|
||||
|
||||
syzkaller found a way to trigger double frees from ip_mc_drop_socket()
|
||||
|
||||
It turns out that leave a copy of parent mc_list at accept() time,
|
||||
which is very bad.
|
||||
|
||||
Very similar to commit 8b485ce69876 ("tcp: do not inherit
|
||||
fastopen_req from parent")
|
||||
|
||||
Initial report from Pray3r, completed by Andrey one.
|
||||
Thanks a lot to them !
|
||||
|
||||
Change-Id: I2eac7b825a5b597af14a0573b76b685131c46726
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Pray3r <pray3r.z@gmail.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
|
||||
index fb10d58..325edfe 100644
|
||||
--- a/net/ipv4/inet_connection_sock.c
|
||||
+++ b/net/ipv4/inet_connection_sock.c
|
||||
@@ -618,6 +618,8 @@
|
||||
inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
|
||||
newsk->sk_write_space = sk_stream_write_space;
|
||||
|
||||
+ inet_sk(newsk)->mc_list = NULL;
|
||||
+
|
||||
newsk->sk_mark = inet_rsk(req)->ir_mark;
|
||||
|
||||
newicsk->icsk_retransmits = 0;
|
1
Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64
Normal file
1
Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64
Normal file
@ -0,0 +1 @@
|
||||
RnJvbSBmNTJkNjczOWY2YTY3Y2YxYzkxOGE0NTU3ZTg4YjUxOWI5MTM1OTMwIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+CkRhdGU6IFR1ZSwgMDkgTWF5IDIwMTcgMDY6Mjk6MTkgLTA3MDAKU3ViamVjdDogW1BBVENIXSBkY2NwL3RjcDogZG8gbm90IGluaGVyaXQgbWNfbGlzdCBmcm9tIHBhcmVudAoKc3l6a2FsbGVyIGZvdW5kIGEgd2F5IHRvIHRyaWdnZXIgZG91YmxlIGZyZWVzIGZyb20gaXBfbWNfZHJvcF9zb2NrZXQoKQoKSXQgdHVybnMgb3V0IHRoYXQgbGVhdmUgYSBjb3B5IG9mIHBhcmVudCBtY19saXN0IGF0IGFjY2VwdCgpIHRpbWUsCndoaWNoIGlzIHZlcnkgYmFkLgoKVmVyeSBzaW1pbGFyIHRvIGNvbW1pdCA4YjQ4NWNlNjk4NzYgKCJ0Y3A6IGRvIG5vdCBpbmhlcml0CmZhc3RvcGVuX3JlcSBmcm9tIHBhcmVudCIpCgpJbml0aWFsIHJlcG9ydCBmcm9tIFByYXkzciwgY29tcGxldGVkIGJ5IEFuZHJleSBvbmUuClRoYW5rcyBhIGxvdCB0byB0aGVtICEKCkNoYW5nZS1JZDogSTJlYWM3YjgyNWE1YjU5N2FmMTRhMDU3M2I3NmI2ODUxMzFjNDY3MjYKU2lnbmVkLW9mZi1ieTogRXJpYyBEdW1hemV0IDxlZHVtYXpldEBnb29nbGUuY29tPgpSZXBvcnRlZC1ieTogUHJheTNyIDxwcmF5M3IuekBnbWFpbC5jb20+ClJlcG9ydGVkLWJ5OiBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+ClRlc3RlZC1ieTogQW5kcmV5IEtvbm92YWxvdiA8YW5kcmV5a252bEBnb29nbGUuY29tPgpTaWduZWQtb2ZmLWJ5OiBEYXZpZCBTLiBNaWxsZXIgPGRhdmVtQGRhdmVtbG9mdC5uZXQ+Ci0tLQoKZGlmZiAtLWdpdCBhL25ldC9pcHY0L2luZXRfY29ubmVjdGlvbl9zb2NrLmMgYi9uZXQvaXB2NC9pbmV0X2Nvbm5lY3Rpb25fc29jay5jCmluZGV4IGZiMTBkNTguLjMyNWVkZmUgMTAwNjQ0Ci0tLSBhL25ldC9pcHY0L2luZXRfY29ubmVjdGlvbl9zb2NrLmMKKysrIGIvbmV0L2lwdjQvaW5ldF9jb25uZWN0aW9uX3NvY2suYwpAQCAtNjE4LDYgKzYxOCw4IEBACiAJCWluZXRfc2sobmV3c2spLT5pbmV0X3Nwb3J0ID0gaW5ldF9yc2socmVxKS0+bG9jX3BvcnQ7CiAJCW5ld3NrLT5za193cml0ZV9zcGFjZSA9IHNrX3N0cmVhbV93cml0ZV9zcGFjZTsKIAorCQlpbmV0X3NrKG5ld3NrKS0+bWNfbGlzdCA9IE5VTEw7CisKIAkJbmV3c2stPnNrX21hcmsgPSBpbmV0X3JzayhyZXEpLT5pcl9tYXJrOwogCiAJCW5ld2ljc2stPmljc2tfcmV0cmFuc21pdHMgPSAwOwo=
|
272
Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch
Normal file
272
Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch
Normal file
@ -0,0 +1,272 @@
|
||||
From d109d8d7e2998a635406215a559e298fa7ef4bb8 Mon Sep 17 00:00:00 2001
|
||||
From: "lianwei.wang" <lian-wei.wang@motorola.com>
|
||||
Date: Fri, 30 Mar 2012 12:05:50 +0800
|
||||
Subject: [PATCH] IKHSS7-18791 msm:fix the list usage in msm_bus_dbg
|
||||
|
||||
The list usage in msm_bus_dbg driver are not correct which will cause
|
||||
kernel panic.
|
||||
. The list operation should be protected by a lock, e.g. mutex_lock.
|
||||
. The list entry should only be operated on a valid entry.
|
||||
|
||||
Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc
|
||||
Signed-off-by: Lianwei Wang <lian-wei.wang@motorola.com>
|
||||
Reviewed-on: http://gerrit.pcs.mot.com/384275
|
||||
Reviewed-by: Guo-Jian Chen <A21757@motorola.com>
|
||||
Reviewed-by: Ke Lv <a2435c@motorola.com>
|
||||
Tested-by: Jira Key <JIRAKEY@motorola.com>
|
||||
Reviewed-by: Jeffrey Carlyle <jeff.carlyle@motorola.com>
|
||||
Reviewed-by: Check Patch <CHEKPACH@motorola.com>
|
||||
Reviewed-by: Klocwork kwcheck <klocwork-kwcheck@sourceforge.mot.com>
|
||||
Reviewed-by: Tao Hu <taohu@motorola.com>
|
||||
---
|
||||
arch/arm/mach-msm/msm_bus/msm_bus_dbg.c | 74 ++++++++++++++++++++++++++-------
|
||||
1 file changed, 58 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c
|
||||
index abd986bca68..76173529d35 100644
|
||||
--- a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c
|
||||
+++ b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c
|
||||
@@ -28,6 +28,7 @@
|
||||
static struct dentry *clients;
|
||||
static struct dentry *dir;
|
||||
static DEFINE_MUTEX(msm_bus_dbg_fablist_lock);
|
||||
+static DEFINE_MUTEX(msm_bus_dbg_cllist_lock);
|
||||
struct msm_bus_dbg_state {
|
||||
uint32_t cl;
|
||||
uint8_t enable;
|
||||
@@ -271,16 +272,21 @@ static ssize_t client_data_read(struct file *file, char __user *buf,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
int bsize = 0;
|
||||
+ ssize_t read_count = 0;
|
||||
uint32_t cl = (uint32_t)file->private_data;
|
||||
struct msm_bus_cldata *cldata = NULL;
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry(cldata, &cl_list, list) {
|
||||
- if (cldata->clid == cl)
|
||||
+ if (cldata->clid == cl) {
|
||||
+ bsize = cldata->size;
|
||||
+ read_count = simple_read_from_buffer(buf, count, ppos,
|
||||
+ cldata->buffer, bsize);
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
- bsize = cldata->size;
|
||||
- return simple_read_from_buffer(buf, count, ppos,
|
||||
- cldata->buffer, bsize);
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
+ return read_count;
|
||||
}
|
||||
|
||||
static int client_data_open(struct inode *inode, struct file *file)
|
||||
@@ -310,9 +316,11 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata,
|
||||
{
|
||||
struct msm_bus_cldata *cldata;
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
cldata = kmalloc(sizeof(struct msm_bus_cldata), GFP_KERNEL);
|
||||
if (!cldata) {
|
||||
MSM_BUS_DBG("Failed to allocate memory for client data\n");
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
return -ENOMEM;
|
||||
}
|
||||
cldata->pdata = pdata;
|
||||
@@ -321,6 +329,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata,
|
||||
cldata->file = file;
|
||||
cldata->size = 0;
|
||||
list_add_tail(&cldata->list, &cl_list);
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -328,6 +337,7 @@ static void msm_bus_dbg_free_client(uint32_t clid)
|
||||
{
|
||||
struct msm_bus_cldata *cldata = NULL;
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry(cldata, &cl_list, list) {
|
||||
if (cldata->clid == clid) {
|
||||
debugfs_remove(cldata->file);
|
||||
@@ -336,23 +346,34 @@ static void msm_bus_dbg_free_client(uint32_t clid)
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
}
|
||||
|
||||
static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata,
|
||||
int index, uint32_t clid)
|
||||
{
|
||||
- int i = 0, j;
|
||||
+ int i = 0, j, found = 0;
|
||||
char *buf = NULL;
|
||||
struct msm_bus_cldata *cldata = NULL;
|
||||
struct timespec ts;
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry(cldata, &cl_list, list) {
|
||||
- if (cldata->clid == clid)
|
||||
+ if (cldata->clid == clid) {
|
||||
+ found = 1;
|
||||
break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!found) {
|
||||
+ MSM_BUS_DBG("Client(clid=%d) doesn't exist\n", clid);
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
+ return -EINVAL;
|
||||
}
|
||||
if (cldata->file == NULL) {
|
||||
if (pdata->name == NULL) {
|
||||
MSM_BUS_DBG("Client doesn't have a name\n");
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
return -EINVAL;
|
||||
}
|
||||
cldata->file = msm_bus_dbg_create(pdata->name, S_IRUGO,
|
||||
@@ -390,6 +411,9 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata,
|
||||
i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n");
|
||||
|
||||
cldata->size = i;
|
||||
+
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
+
|
||||
return i;
|
||||
}
|
||||
|
||||
@@ -426,6 +450,7 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file,
|
||||
chid = buf;
|
||||
MSM_BUS_DBG("buffer: %s\n size: %d\n", buf, sizeof(ubuf));
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry(cldata, &cl_list, list) {
|
||||
if (strstr(chid, cldata->pdata->name)) {
|
||||
cldata = cldata;
|
||||
@@ -435,16 +460,19 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file,
|
||||
if (ret) {
|
||||
MSM_BUS_DBG("Index conversion"
|
||||
" failed\n");
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
return -EFAULT;
|
||||
}
|
||||
} else
|
||||
MSM_BUS_DBG("Error parsing input. Index not"
|
||||
" found\n");
|
||||
+ msm_bus_dbg_update_request(cldata, index);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
- msm_bus_dbg_update_request(cldata, index);
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
+
|
||||
kfree(buf);
|
||||
return cnt;
|
||||
}
|
||||
@@ -458,17 +486,18 @@ static ssize_t fabric_data_read(struct file *file, char __user *buf,
|
||||
{
|
||||
struct msm_bus_fab_list *fablist = NULL;
|
||||
int bsize = 0;
|
||||
- ssize_t ret;
|
||||
+ ssize_t ret = 0;
|
||||
const char *name = file->private_data;
|
||||
|
||||
mutex_lock(&msm_bus_dbg_fablist_lock);
|
||||
list_for_each_entry(fablist, &fabdata_list, list) {
|
||||
- if (strcmp(fablist->name, name) == 0)
|
||||
+ if (strcmp(fablist->name, name) == 0) {
|
||||
+ bsize = fablist->size;
|
||||
+ ret = simple_read_from_buffer(buf, count, ppos,
|
||||
+ fablist->buffer, bsize);
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
- bsize = fablist->size;
|
||||
- ret = simple_read_from_buffer(buf, count, ppos,
|
||||
- fablist->buffer, bsize);
|
||||
mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
return ret;
|
||||
}
|
||||
@@ -519,16 +548,25 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname,
|
||||
void *cdata, int nmasters, int nslaves,
|
||||
int ntslaves)
|
||||
{
|
||||
- int i;
|
||||
+ int i, found = 0;
|
||||
char *buf = NULL;
|
||||
struct msm_bus_fab_list *fablist = NULL;
|
||||
struct timespec ts;
|
||||
|
||||
mutex_lock(&msm_bus_dbg_fablist_lock);
|
||||
list_for_each_entry(fablist, &fabdata_list, list) {
|
||||
- if (strcmp(fablist->name, fabname) == 0)
|
||||
+ if (strcmp(fablist->name, fabname) == 0) {
|
||||
+ found = 1;
|
||||
break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!found) {
|
||||
+ MSM_BUS_DBG("Fabric dbg entry %s does not exist, fabname\n");
|
||||
+ mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
+ return -EINVAL;
|
||||
}
|
||||
+
|
||||
if (fablist->file == NULL) {
|
||||
MSM_BUS_DBG("Fabric dbg entry does not exist\n");
|
||||
mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
@@ -542,7 +580,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname,
|
||||
fablist->size = 0;
|
||||
}
|
||||
buf = fablist->buffer;
|
||||
- mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
ts = ktime_to_timespec(ktime_get());
|
||||
i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n%d.%d\n",
|
||||
(int)ts.tv_sec, (int)ts.tv_nsec);
|
||||
@@ -550,7 +587,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname,
|
||||
msm_bus_rpm_fill_cdata_buffer(&i, buf + i, MAX_BUFF_SIZE, cdata,
|
||||
nmasters, nslaves, ntslaves);
|
||||
i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n");
|
||||
- mutex_lock(&msm_bus_dbg_fablist_lock);
|
||||
fablist->size = i;
|
||||
mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
return 0;
|
||||
@@ -660,6 +696,7 @@ static int __init msm_bus_debugfs_init(void)
|
||||
clients, NULL, &msm_bus_dbg_update_request_fops) == NULL)
|
||||
goto err;
|
||||
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry(cldata, &cl_list, list) {
|
||||
if (cldata->pdata->name == NULL) {
|
||||
MSM_BUS_DBG("Client name not found\n");
|
||||
@@ -668,6 +705,7 @@ static int __init msm_bus_debugfs_init(void)
|
||||
cldata->file = msm_bus_dbg_create(cldata->
|
||||
pdata->name, S_IRUGO, clients, cldata->clid);
|
||||
}
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
|
||||
mutex_lock(&msm_bus_dbg_fablist_lock);
|
||||
list_for_each_entry(fablist, &fabdata_list, list) {
|
||||
@@ -675,6 +713,7 @@ static int __init msm_bus_debugfs_init(void)
|
||||
commit, (void *)fablist->name, &fabric_data_fops);
|
||||
if (fablist->file == NULL) {
|
||||
MSM_BUS_DBG("Cannot create files for commit data\n");
|
||||
+ mutex_unlock(&msm_bus_dbg_fablist_lock);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
@@ -694,10 +733,13 @@ static void __exit msm_bus_dbg_teardown(void)
|
||||
struct msm_bus_cldata *cldata = NULL, *cldata_temp;
|
||||
|
||||
debugfs_remove_recursive(dir);
|
||||
+ mutex_lock(&msm_bus_dbg_cllist_lock);
|
||||
list_for_each_entry_safe(cldata, cldata_temp, &cl_list, list) {
|
||||
list_del(&cldata->list);
|
||||
kfree(cldata);
|
||||
}
|
||||
+ mutex_unlock(&msm_bus_dbg_cllist_lock);
|
||||
+
|
||||
mutex_lock(&msm_bus_dbg_fablist_lock);
|
||||
list_for_each_entry_safe(fablist, fablist_temp, &fabdata_list, list) {
|
||||
list_del(&fablist->list);
|
1858
Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch
Normal file
1858
Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch
Normal file
File diff suppressed because it is too large
Load Diff
58
Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch
Normal file
58
Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 34cff2eb2adc663de32ca682b57551c50c9253c6 Mon Sep 17 00:00:00 2001
|
||||
From: Skylar Chang <chiaweic@codeaurora.org>
|
||||
Date: Fri, 21 Apr 2017 10:42:57 -0700
|
||||
Subject: [PATCH] msm: ipa: fix IPC low priority logging
|
||||
|
||||
Allocate IPC low priority on first usage only.
|
||||
|
||||
Bug: 62827190
|
||||
Change-Id: Icea7f0fad9ed34c93641296f68736bbaf2e6eaa9
|
||||
CRs-Fixed: 2016076
|
||||
Acked-by: Ady Abraham <adya@qti,qualcomm.com>
|
||||
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
|
||||
---
|
||||
drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c | 17 ++++++++---------
|
||||
1 file changed, 8 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
|
||||
index 12127a2304bbc..66482e2dc0634 100644
|
||||
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
|
||||
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
|
||||
@@ -105,6 +105,7 @@ static char dbg_buff[IPA_MAX_MSG_LEN];
|
||||
static char *active_clients_buf;
|
||||
|
||||
static s8 ep_reg_idx;
|
||||
+static void *ipa_ipc_low_buff;
|
||||
|
||||
|
||||
static ssize_t ipa3_read_gen_reg(struct file *file, char __user *ubuf,
|
||||
@@ -1610,22 +1611,20 @@ static ssize_t ipa3_enable_ipc_low(struct file *file,
|
||||
if (kstrtos8(dbg_buff, 0, &option))
|
||||
return -EFAULT;
|
||||
|
||||
+ mutex_lock(&ipa3_ctx->lock);
|
||||
if (option) {
|
||||
- if (!ipa3_ctx->logbuf_low) {
|
||||
- ipa3_ctx->logbuf_low =
|
||||
+ if (!ipa_ipc_low_buff) {
|
||||
+ ipa_ipc_low_buff =
|
||||
ipc_log_context_create(IPA_IPC_LOG_PAGES,
|
||||
"ipa_low", 0);
|
||||
}
|
||||
-
|
||||
- if (ipa3_ctx->logbuf_low == NULL) {
|
||||
- IPAERR("failed to get logbuf_low\n");
|
||||
- return -EFAULT;
|
||||
- }
|
||||
+ if (ipa_ipc_low_buff == NULL)
|
||||
+ IPAERR("failed to get logbuf_low\n");
|
||||
+ ipa3_ctx->logbuf_low = ipa_ipc_low_buff;
|
||||
} else {
|
||||
- if (ipa3_ctx->logbuf_low)
|
||||
- ipc_log_context_destroy(ipa3_ctx->logbuf_low);
|
||||
ipa3_ctx->logbuf_low = NULL;
|
||||
}
|
||||
+ mutex_unlock(&ipa3_ctx->lock);
|
||||
|
||||
return count;
|
||||
}
|
55
Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch
Normal file
55
Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 4b788ca419ec37e4cdb421fef9edc208a491ce30 Mon Sep 17 00:00:00 2001
|
||||
From: Mohit Aggarwal <maggarwa@codeaurora.org>
|
||||
Date: Thu, 25 May 2017 20:21:12 +0530
|
||||
Subject: [PATCH] diag: Synchronize command registration table access
|
||||
|
||||
Currently, command registration table is being read
|
||||
in debugfs without any protection which may lead to
|
||||
access of stale entries. The patch takes care of the
|
||||
issue by adding proper protection.
|
||||
|
||||
CRs-Fixed: 2032672
|
||||
Bug: 63868628
|
||||
Change-Id: I6ae058c16873f9ed52ae6516a1a70fd6d2d0da80
|
||||
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
|
||||
---
|
||||
drivers/char/diag/diag_debugfs.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
|
||||
index f5e4eba1e96bc..b66c8cb8257c2 100644
|
||||
--- a/drivers/char/diag/diag_debugfs.c
|
||||
+++ b/drivers/char/diag/diag_debugfs.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
|
||||
+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
@@ -268,8 +268,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||||
struct list_head *temp;
|
||||
struct diag_cmd_reg_t *item = NULL;
|
||||
|
||||
+ mutex_lock(&driver->cmd_reg_mutex);
|
||||
if (diag_dbgfs_table_index == driver->cmd_reg_count) {
|
||||
diag_dbgfs_table_index = 0;
|
||||
+ mutex_unlock(&driver->cmd_reg_mutex);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -278,6 +280,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||||
buf = kzalloc(sizeof(char) * buf_size, GFP_KERNEL);
|
||||
if (ZERO_OR_NULL_PTR(buf)) {
|
||||
pr_err("diag: %s, Error allocating memory\n", __func__);
|
||||
+ mutex_unlock(&driver->cmd_reg_mutex);
|
||||
return -ENOMEM;
|
||||
}
|
||||
buf_size = ksize(buf);
|
||||
@@ -322,6 +325,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||||
break;
|
||||
}
|
||||
diag_dbgfs_table_index = i;
|
||||
+ mutex_unlock(&driver->cmd_reg_mutex);
|
||||
|
||||
*ppos = 0;
|
||||
ret = simple_read_from_buffer(ubuf, count, ppos, buf, bytes_in_buffer);
|
30
Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch
Normal file
30
Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From c74dbab508c7c07d8e2cf8230cc78bff4b710272 Mon Sep 17 00:00:00 2001
|
||||
From: Fei Zhang <feizhang@codeaurora.org>
|
||||
Date: Wed, 17 May 2017 15:33:02 +0800
|
||||
Subject: msm:camera: correct stats query out of boundary
|
||||
|
||||
fix one potential out of boundary query of stats info.
|
||||
|
||||
Bug: 36264696
|
||||
Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
|
||||
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>
|
||||
---
|
||||
drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
index a0eed95..82da3e0 100644
|
||||
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||||
@@ -803,7 +803,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
|
||||
update_info = &update_cmd->update_info[i];
|
||||
/*check array reference bounds*/
|
||||
if (STATS_IDX(update_info->stream_handle)
|
||||
- > vfe_dev->hw_info->stats_hw_info->num_stats_type) {
|
||||
+ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) {
|
||||
pr_err("%s: stats idx %d out of bound!", __func__,
|
||||
STATS_IDX(update_info->stream_handle));
|
||||
return -EINVAL;
|
||||
--
|
||||
cgit v1.1
|
||||
|
79
Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch
Normal file
79
Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 5479a3c164c8762b5bf91c5fae452882366adb6a Mon Sep 17 00:00:00 2001
|
||||
From: Maggie White <maggiewhite@google.com>
|
||||
Date: Wed, 5 Jul 2017 16:47:15 -0700
|
||||
Subject: mm: Fix incorrect type conversion for size during dma allocation
|
||||
|
||||
This was found during userspace fuzzing test when a large size
|
||||
allocation is made from ion
|
||||
|
||||
[<ffffffc00008a098>] show_stack+0x10/0x1c
|
||||
[<ffffffc00119c390>] dump_stack+0x74/0xc8
|
||||
[<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
|
||||
[<ffffffc00020dbd4>] kasan_report+0x34/0x40
|
||||
[<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
|
||||
[<ffffffc00020d228>] memset+0x20/0x44
|
||||
[<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
|
||||
[<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
|
||||
[<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
|
||||
[<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
|
||||
[<ffffffc000c250dc>] ion_alloc+0x264/0xb88
|
||||
[<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
|
||||
[<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
|
||||
[<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
|
||||
|
||||
Bug: 38195738
|
||||
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
|
||||
Signed-off-by: Maggie White <maggiewhite@google.com>
|
||||
Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5
|
||||
---
|
||||
drivers/base/dma-contiguous.c | 4 ++--
|
||||
include/linux/dma-contiguous.h | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c
|
||||
index f6e779e..9313bfc1 100644
|
||||
--- a/drivers/base/dma-contiguous.c
|
||||
+++ b/drivers/base/dma-contiguous.c
|
||||
@@ -589,7 +589,7 @@ static void clear_cma_bitmap(struct cma *cma, unsigned long pfn, int count)
|
||||
* global one. Requires architecture specific get_dev_cma_area() helper
|
||||
* function.
|
||||
*/
|
||||
-unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
|
||||
+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
|
||||
unsigned int align)
|
||||
{
|
||||
unsigned long mask, pfn = 0, pageno, start = 0;
|
||||
@@ -604,7 +604,7 @@ unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
|
||||
if (align > CONFIG_CMA_ALIGNMENT)
|
||||
align = CONFIG_CMA_ALIGNMENT;
|
||||
|
||||
- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma,
|
||||
+ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma,
|
||||
count, align);
|
||||
|
||||
if (!count)
|
||||
diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h
|
||||
index 9e6fee9..d8d124e 100644
|
||||
--- a/include/linux/dma-contiguous.h
|
||||
+++ b/include/linux/dma-contiguous.h
|
||||
@@ -117,7 +117,7 @@ static inline int dma_declare_contiguous_reserved(struct device *dev,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
|
||||
+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
|
||||
unsigned int order);
|
||||
bool dma_release_from_contiguous(struct device *dev, unsigned long pfn,
|
||||
int count);
|
||||
@@ -136,7 +136,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size,
|
||||
}
|
||||
|
||||
static inline
|
||||
-unsigned long dma_alloc_from_contiguous(struct device *dev, int count,
|
||||
+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count,
|
||||
unsigned int order)
|
||||
{
|
||||
return 0;
|
||||
--
|
||||
cgit v1.1
|
||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user