From 6ce51b277548df193b59d5248898a19d6dd3ac82 Mon Sep 17 00:00:00 2001 From: Tad Date: Tue, 7 Nov 2017 21:38:42 -0500 Subject: [PATCH] More patches --- .../CVE-2017-0570/{ANY => 3.10}/0001.patch | 0 .../CVE-2017-0571/{ANY => 3.10}/0001.patch | 0 .../Linux_CVEs/CVE-2017-0610/ANY/0002.patch | 59 + .../Linux_CVEs/CVE-2017-0611/3.10/0002.patch | 54 + .../CVE-2017-0611/3.10/0002.patch.base64 | 1 + .../Linux_CVEs/CVE-2017-0611/3.4/0001.patch | 47 + .../CVE-2017-0611/3.4/0001.patch.base64 | 1 + .../{ANY/0001.patch => 4.4/0003.patch} | 0 .../CVE-2017-10663/{ANY => 3.10}/0001.patch | 0 .../CVE-2017-10663/{ANY => 3.18}/0002.patch | 0 .../Linux_CVEs/CVE-2017-10998/3.10/0001.patch | 45 + .../{ANY/0001.patch => 3.18/0002.patch} | 0 .../{ANY/0002.patch => 3.18/0001.patch} | 0 .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../CVE-2017-11600/{ANY => 3.10}/0001.patch | 0 .../CVE-2017-12146/{ANY => 3.16+}/0001.patch | 0 .../CVE-2017-5970/{ANY => ^4.9}/0001.patch | 0 .../Linux_CVEs/CVE-2017-5972/ANY/0002.patch | 25 + .../CVE-2017-5972/ANY/0002.patch.base64 | 1 + .../CVE-2017-6001/3.2-3.4/0001.patch | 159 ++ .../{ANY/0001.patch => ^4.9/0002.patch} | 0 .../0002.patch.base64} | 0 .../CVE-2017-6074/{ANY => ^4.9}/0001.patch | 0 .../CVE-2017-6214/{ANY => ^4.9}/0001.patch | 0 .../Linux_CVEs/CVE-2017-6346/3.18/0001.patch | 53 + .../CVE-2017-6346/3.18/0001.patch.base64 | 1 + .../{ANY/0001.patch => ^4.9/0002.patch} | 0 .../Linux_CVEs/CVE-2017-6424/prima/0001.patch | 50 + .../qcacld-2.0/{0001.patch => 0002.patch} | 0 .../qcacld-3.0/{0002.patch => 0003.patch} | 0 .../{ANY => 3.7-^4.10}/0001.patch | 0 .../Linux_CVEs/CVE-2017-7371/3.18/0001.patch | 45 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../Linux_CVEs/CVE-2017-7373/3.10/0001.patch | 33 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../{ANY => 4.2-4.10}/0001.patch | 0 .../Linux_CVEs/CVE-2017-7495/3.18/0001.patch | 87 + .../CVE-2017-7495/3.18/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2017-7495/3.18/0002.patch | 77 + .../CVE-2017-7495/3.18/0002.patch.base64 | 1 + .../{ANY/0001.patch => ^4.6/0003.patch} | 0 .../CVE-2017-7616/{ANY => ^4.10}/0001.patch | 0 .../Linux_CVEs/CVE-2017-8251/3.10/0001.patch | 64 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../Linux_CVEs/CVE-2017-8260/3.10/0001.patch | 82 + .../3.18/{0001.patch => 0002.patch} | 0 .../4.4/{0002.patch => 0003.patch} | 0 .../CVE-2017-8261/{ANY => 3.10}/0001.patch | 0 .../Linux_CVEs/CVE-2017-8261/3.18/0002.patch | 33 + .../Linux_CVEs/CVE-2017-8262/3.10/0001.patch | 53 + .../CVE-2017-8262/3.10/0001.patch.base64 | 1 + .../3.18/{0001.patch => 0002.patch} | 0 .../4.4/{0002.patch => 0003.patch} | 0 .../Linux_CVEs/CVE-2017-8266/3.10/0001.patch | 182 ++ .../3.18/{0001.patch => 0002.patch} | 0 .../4.4/{0002.patch => 0003.patch} | 0 .../Linux_CVEs/CVE-2017-8890/3.4/0001.patch | 37 + .../CVE-2017-8890/3.4/0001.patch.base64 | 1 + .../{ANY/0001.patch => ^4.11/0002.patch} | 0 .../CVE-2017-9075/{ANY => ^4.11}/0001.patch | 0 .../CVE-2017-9076/{ANY => ^4.11}/0001.patch | 0 .../CVE-2017-9077/{ANY => ^4.11}/0001.patch | 0 .../CVE-2017-9150/{ANY => ^4.11}/0001.patch | 0 .../Linux_CVEs/CVE-2017-9676/3.0+/0001.patch | 272 +++ .../{ANY/0001.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2017-9677/3.10/0001.patch | 1858 +++++++++++++++++ .../{ANY/0001.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2017-9687/3.18/0001.patch | 58 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../Linux_CVEs/CVE-2017-9697/3.18/0001.patch | 55 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 .../Linux_CVEs/CVE-2017-9720/3.10/0001.patch | 30 + .../{ANY/0001.patch => 3.18/0002.patch} | 0 .../{ANY/0002.patch => 3.18/0003.patch} | 0 .../Linux_CVEs/CVE-2017-9725/3.10/0001.patch | 79 + .../{ANY/0001.patch => 4.4/0002.patch} | 0 Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt | 333 +-- 77 files changed, 3608 insertions(+), 270 deletions(-) rename Patches/Linux_CVEs/CVE-2017-0570/{ANY => 3.10}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-0571/{ANY => 3.10}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2017-0611/{ANY/0001.patch => 4.4/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10663/{ANY => 3.10}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-10663/{ANY => 3.18}/0002.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-10998/{ANY/0001.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11029/{ANY/0002.patch => 3.18/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11029/{ANY/0001.patch => 4.4/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11600/{ANY => 3.10}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-12146/{ANY => 3.16+}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-5970/{ANY => ^4.9}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch rename Patches/Linux_CVEs/CVE-2017-6001/{ANY/0001.patch => ^4.9/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6001/{ANY/0001.patch.base64 => ^4.9/0002.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-6074/{ANY => ^4.9}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-6214/{ANY => ^4.9}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2017-6346/{ANY/0001.patch => ^4.9/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch rename Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/{0001.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/{0002.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7187/{ANY => 3.7-^4.10}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch rename Patches/Linux_CVEs/CVE-2017-7371/{ANY/0001.patch => 4.4/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-7373/{ANY/0001.patch => 4.4/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7374/{ANY => 4.2-4.10}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 rename Patches/Linux_CVEs/CVE-2017-7495/{ANY/0001.patch => ^4.6/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7616/{ANY => ^4.10}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-8251/{ANY/0001.patch => 4.4/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-8260/3.18/{0001.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8260/4.4/{0002.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8261/{ANY => 3.10}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2017-8262/3.18/{0001.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8262/4.4/{0002.patch => 0003.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-8266/3.18/{0001.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8266/4.4/{0002.patch => 0003.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2017-8890/{ANY/0001.patch => ^4.11/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9075/{ANY => ^4.11}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-9076/{ANY => ^4.11}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-9077/{ANY => ^4.11}/0001.patch (100%) rename Patches/Linux_CVEs/CVE-2017-9150/{ANY => ^4.11}/0001.patch (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch rename Patches/Linux_CVEs/CVE-2017-9676/{ANY/0001.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-9677/{ANY/0001.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch rename Patches/Linux_CVEs/CVE-2017-9687/{ANY/0001.patch => 4.4/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch rename Patches/Linux_CVEs/CVE-2017-9697/{ANY/0001.patch => 4.4/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-9720/{ANY/0001.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9720/{ANY/0002.patch => 3.18/0003.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-9725/{ANY/0001.patch => 4.4/0002.patch} (100%) diff --git a/Patches/Linux_CVEs/CVE-2017-0570/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0570/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0570/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-0570/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0571/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0571/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0571/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-0571/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch new file mode 100644 index 00000000..88feecdf --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0610/ANY/0002.patch @@ -0,0 +1,59 @@ +From 2bf336ed7ff29768b63fcf0d9528dd129f516643 Mon Sep 17 00:00:00 2001 +From: Siena Richard +Date: Tue, 31 Jan 2017 12:21:38 -0800 +Subject: ASoC: msm: qdsp6v2: return error when copy from userspace fails + +A copy_from_user is not always expected to succeed. Therefore, check +for an error before operating on the buffer post copy. + +CRs-Fixed: 1116070 +Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b +Signed-off-by: Siena Richard +--- + sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c +index c444a27..b2387a7 100644 +--- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -814,20 +814,25 @@ static int msm_pcm_playback_copy(struct snd_pcm_substream *substream, int a, + if (prtd->mode == MODE_PCM) { + ret = copy_from_user(&buf_node->frame.voc_pkt, + buf, count); ++ if (ret) { ++ pr_err("%s: copy from user failed %d\n", ++ __func__, ret); ++ return -EFAULT; ++ } + buf_node->frame.pktlen = count; + } else { + ret = copy_from_user(&buf_node->frame, + buf, count); ++ if (ret) { ++ pr_err("%s: copy from user failed %d\n", ++ __func__, ret); ++ return -EFAULT; ++ } + if (buf_node->frame.pktlen >= count) + buf_node->frame.pktlen = count - + (sizeof(buf_node->frame.frm_hdr) + + sizeof(buf_node->frame.pktlen)); + } +- if (ret) { +- pr_err("%s: copy from user failed %d\n", +- __func__, ret); +- return -EFAULT; +- } + spin_lock_irqsave(&prtd->dsp_lock, dsp_flags); + list_add_tail(&buf_node->list, &prtd->in_queue); + spin_unlock_irqrestore(&prtd->dsp_lock, dsp_flags); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch new file mode 100644 index 00000000..7d417aec --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch @@ -0,0 +1,54 @@ +From da638cc248f0d692a89e26f788c43d6f641c81ef Mon Sep 17 00:00:00 2001 +From: Xiaojun Sang +Date: Fri, 04 Nov 2016 14:35:58 +0800 +Subject: [PATCH] ASoC: soc: prevent risk of buffer overflow + +In case of large value for bufcnt_t or bufcnt, +cmd_size may overflow. Buffer size allocated by cmd_size might +be not as expected. +Possible buffer overflow could happen. + +CRs-Fixed: 1084210 +Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08 +Signed-off-by: Xiaojun Sang +--- + +diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c +index 31bd1d7..11a94e4 100644 +--- a/sound/soc/msm/qdsp6v2/q6asm.c ++++ b/sound/soc/msm/qdsp6v2/q6asm.c +@@ -4054,7 +4054,7 @@ + struct asm_buffer_node *buffer_node = NULL; + int rc = 0; + int i = 0; +- int cmd_size = 0; ++ uint32_t cmd_size = 0; + uint32_t bufcnt_t; + uint32_t bufsz_t; + +@@ -4076,10 +4076,25 @@ + bufsz_t = PAGE_ALIGN(bufsz_t); + } + ++ if (bufcnt_t > (UINT_MAX ++ - sizeof(struct avs_cmd_shared_mem_map_regions)) ++ / sizeof(struct avs_shared_map_region_payload)) { ++ pr_err("%s: Unsigned Integer Overflow. bufcnt_t = %u\n", ++ __func__, bufcnt_t); ++ return -EINVAL; ++ } ++ + cmd_size = sizeof(struct avs_cmd_shared_mem_map_regions) + + (sizeof(struct avs_shared_map_region_payload) + * bufcnt_t); + ++ ++ if (bufcnt > (UINT_MAX / sizeof(struct asm_buffer_node))) { ++ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n", ++ __func__, bufcnt); ++ return -EINVAL; ++ } ++ + buffer_node = kzalloc(sizeof(struct asm_buffer_node) * bufcnt, + GFP_KERNEL); + if (!buffer_node) { diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64 new file mode 100644 index 00000000..054ba4fd --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0611/3.10/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSBkYTYzOGNjMjQ4ZjBkNjkyYTg5ZTI2Zjc4OGM0M2Q2ZjY0MWM4MWVmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDA0IE5vdiAyMDE2IDE0OjM1OjU4ICswODAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogc29jOiBwcmV2ZW50IHJpc2sgb2YgYnVmZmVyIG92ZXJmbG93CgpJbiBjYXNlIG9mIGxhcmdlIHZhbHVlIGZvciBidWZjbnRfdCBvciBidWZjbnQsCmNtZF9zaXplIG1heSBvdmVyZmxvdy4gQnVmZmVyIHNpemUgYWxsb2NhdGVkIGJ5IGNtZF9zaXplIG1pZ2h0CmJlIG5vdCBhcyBleHBlY3RlZC4KUG9zc2libGUgYnVmZmVyIG92ZXJmbG93IGNvdWxkIGhhcHBlbi4KCkNScy1GaXhlZDogMTA4NDIxMApDaGFuZ2UtSWQ6IEk5NTU2ZjE4ZGQ2YTlmZGYzZjc2YzEzM2FlNzVjMDRlY2NlMTcxZjA4ClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+Ci0tLQoKZGlmZiAtLWdpdCBhL3NvdW5kL3NvYy9tc20vcWRzcDZ2Mi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKaW5kZXggMzFiZDFkNy4uMTFhOTRlNCAxMDA2NDQKLS0tIGEvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKKysrIGIvc291bmQvc29jL21zbS9xZHNwNnYyL3E2YXNtLmMKQEAgLTQwNTQsNyArNDA1NCw3IEBACiAJc3RydWN0IGFzbV9idWZmZXJfbm9kZSAqYnVmZmVyX25vZGUgPSBOVUxMOwogCWludAlyYyA9IDA7CiAJaW50ICAgIGkgPSAwOwotCWludAljbWRfc2l6ZSA9IDA7CisJdWludDMyX3QgY21kX3NpemUgPSAwOwogCXVpbnQzMl90IGJ1ZmNudF90OwogCXVpbnQzMl90IGJ1ZnN6X3Q7CiAKQEAgLTQwNzYsMTAgKzQwNzYsMjUgQEAKIAkJYnVmc3pfdCA9IFBBR0VfQUxJR04oYnVmc3pfdCk7CiAJfQogCisJaWYgKGJ1ZmNudF90ID4gKFVJTlRfTUFYCisJCQktIHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKSkKKwkJCS8gc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250X3QgPSAldVxuIiwKKwkJCQlfX2Z1bmNfXywgYnVmY250X3QpOworCQlyZXR1cm4gLUVJTlZBTDsKKwl9CisKIAljbWRfc2l6ZSA9IHNpemVvZihzdHJ1Y3QgYXZzX2NtZF9zaGFyZWRfbWVtX21hcF9yZWdpb25zKQogCQkJKyAoc2l6ZW9mKHN0cnVjdCBhdnNfc2hhcmVkX21hcF9yZWdpb25fcGF5bG9hZCkKIAkJCQkJCQkqIGJ1ZmNudF90KTsKIAorCisJaWYgKGJ1ZmNudCA+IChVSU5UX01BWCAvIHNpemVvZihzdHJ1Y3QgYXNtX2J1ZmZlcl9ub2RlKSkpIHsKKwkJcHJfZXJyKCIlczogVW5zaWduZWQgSW50ZWdlciBPdmVyZmxvdy4gYnVmY250ID0gJXVcbiIsCisJCQkJX19mdW5jX18sIGJ1ZmNudCk7CisJCXJldHVybiAtRUlOVkFMOworCX0KKwogCWJ1ZmZlcl9ub2RlID0ga3phbGxvYyhzaXplb2Yoc3RydWN0IGFzbV9idWZmZXJfbm9kZSkgKiBidWZjbnQsCiAJCQkJR0ZQX0tFUk5FTCk7CiAJaWYgKCFidWZmZXJfbm9kZSkgewo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch new file mode 100644 index 00000000..83c190e0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch @@ -0,0 +1,47 @@ +From 077614c9f2b9f9d062fed66e3ae7669937ea6b85 Mon Sep 17 00:00:00 2001 +From: Xiaojun Sang +Date: Fri, 04 Nov 2016 14:35:58 +0800 +Subject: [PATCH] ASoC: soc: qdsp6: prevent risk of buffer overflow + +In case of large value for bufcnt, +cmd_size may overflow. Buffer size allocated by cmd_size might +be not as expected. +Possible buffer overflow could happen. + +Backport reference: + * Change-Id: I9556f18dd6a9fdf3f76c133ae75c04ecce171f08 + * CRs-Fixed: 1084210 + +Change-Id: I93f820e0344bfa05dee6a3e83d84ef688e23f761 +Signed-off-by: Xiaojun Sang +Signed-off-by: Adrian DC +--- + +diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c +index 2cde92a..c3bcdcd 100644 +--- a/sound/soc/msm/qdsp6/q6asm.c ++++ b/sound/soc/msm/qdsp6/q6asm.c +@@ -2893,7 +2893,7 @@ + void *payload = NULL; + int rc = 0; + int i = 0; +- int cmd_size = 0; ++ uint32_t cmd_size = 0; + + if (!ac || ac->apr == NULL || this_mmap.apr == NULL) { + pr_err("APR handle NULL\n"); +@@ -2901,6 +2901,14 @@ + } + pr_debug("%s: Session[%d]\n", __func__, ac->session); + ++ if (bufcnt > (UINT_MAX ++ - sizeof(struct asm_stream_cmd_memory_map_regions)) ++ / sizeof(struct asm_memory_map_regions)) { ++ pr_err("%s: Unsigned Integer Overflow. bufcnt = %u\n", ++ __func__, bufcnt); ++ return -EINVAL; ++ } ++ + cmd_size = sizeof(struct asm_stream_cmd_memory_map_regions) + + sizeof(struct asm_memory_map_regions) * bufcnt; + diff --git a/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 new file mode 100644 index 00000000..79fda34b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0611/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSAwNzc2MTRjOWYyYjlmOWQwNjJmZWQ2NmUzYWU3NjY5OTM3ZWE2Yjg1IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBYaWFvanVuIFNhbmcgPHhzYW5nQGNvZGVhdXJvcmEub3JnPgpEYXRlOiBGcmksIDA0IE5vdiAyMDE2IDE0OjM1OjU4ICswODAwClN1YmplY3Q6IFtQQVRDSF0gQVNvQzogc29jOiBxZHNwNjogcHJldmVudCByaXNrIG9mIGJ1ZmZlciBvdmVyZmxvdwoKSW4gY2FzZSBvZiBsYXJnZSB2YWx1ZSBmb3IgYnVmY250LApjbWRfc2l6ZSBtYXkgb3ZlcmZsb3cuIEJ1ZmZlciBzaXplIGFsbG9jYXRlZCBieSBjbWRfc2l6ZSBtaWdodApiZSBub3QgYXMgZXhwZWN0ZWQuClBvc3NpYmxlIGJ1ZmZlciBvdmVyZmxvdyBjb3VsZCBoYXBwZW4uCgpCYWNrcG9ydCByZWZlcmVuY2U6CiAqIENoYW5nZS1JZDogSTk1NTZmMThkZDZhOWZkZjNmNzZjMTMzYWU3NWMwNGVjY2UxNzFmMDgKICogQ1JzLUZpeGVkOiAxMDg0MjEwCgpDaGFuZ2UtSWQ6IEk5M2Y4MjBlMDM0NGJmYTA1ZGVlNmEzZTgzZDg0ZWY2ODhlMjNmNzYxClNpZ25lZC1vZmYtYnk6IFhpYW9qdW4gU2FuZyA8eHNhbmdAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IEFkcmlhbiBEQyA8cmFkaWFuLmRjQGdtYWlsLmNvbT4KLS0tCgpkaWZmIC0tZ2l0IGEvc291bmQvc29jL21zbS9xZHNwNi9xNmFzbS5jIGIvc291bmQvc29jL21zbS9xZHNwNi9xNmFzbS5jCmluZGV4IDJjZGU5MmEuLmMzYmNkY2QgMTAwNjQ0Ci0tLSBhL3NvdW5kL3NvYy9tc20vcWRzcDYvcTZhc20uYworKysgYi9zb3VuZC9zb2MvbXNtL3Fkc3A2L3E2YXNtLmMKQEAgLTI4OTMsNyArMjg5Myw3IEBACiAJdm9pZAkqcGF5bG9hZCA9IE5VTEw7CiAJaW50CXJjID0gMDsKIAlpbnQJaSA9IDA7Ci0JaW50CWNtZF9zaXplID0gMDsKKwl1aW50MzJfdCBjbWRfc2l6ZSA9IDA7CiAKIAlpZiAoIWFjIHx8IGFjLT5hcHIgPT0gTlVMTCB8fCB0aGlzX21tYXAuYXByID09IE5VTEwpIHsKIAkJcHJfZXJyKCJBUFIgaGFuZGxlIE5VTExcbiIpOwpAQCAtMjkwMSw2ICsyOTAxLDE0IEBACiAJfQogCXByX2RlYnVnKCIlczogU2Vzc2lvblslZF1cbiIsIF9fZnVuY19fLCBhYy0+c2Vzc2lvbik7CiAKKwlpZiAoYnVmY250ID4gKFVJTlRfTUFYCisJCQktIHNpemVvZihzdHJ1Y3QgYXNtX3N0cmVhbV9jbWRfbWVtb3J5X21hcF9yZWdpb25zKSkKKwkJCS8gc2l6ZW9mKHN0cnVjdCBhc21fbWVtb3J5X21hcF9yZWdpb25zKSkgeworCQlwcl9lcnIoIiVzOiBVbnNpZ25lZCBJbnRlZ2VyIE92ZXJmbG93LiBidWZjbnQgPSAldVxuIiwKKwkJCQlfX2Z1bmNfXywgYnVmY250KTsKKwkJcmV0dXJuIC1FSU5WQUw7CisJfQorCiAJY21kX3NpemUgPSBzaXplb2Yoc3RydWN0IGFzbV9zdHJlYW1fY21kX21lbW9yeV9tYXBfcmVnaW9ucykKIAkJCSsgc2l6ZW9mKHN0cnVjdCBhc21fbWVtb3J5X21hcF9yZWdpb25zKSAqIGJ1ZmNudDsKIAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0611/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0611/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0611/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-0611/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10663/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10663/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10663/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-10663/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10663/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-10663/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10663/ANY/0002.patch rename to Patches/Linux_CVEs/CVE-2017-10663/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch new file mode 100644 index 00000000..8429a974 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-10998/3.10/0001.patch @@ -0,0 +1,45 @@ +From 9ffb3cdd7279b011a509267caa4a5119fd6346c0 Mon Sep 17 00:00:00 2001 +From: Siena Richard +Date: Wed, 11 Jan 2017 11:09:24 -0800 +Subject: ASoC: msm: qdsp6v2: extend validation of virtual address + +Validate a buffer virtual address is fully within the region before +returning the region to ensure functionality for an extended edge case. + +Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654 +Signed-off-by: Siena Richard +CRs-fixed: 1108461 + +Bug: 38195131 +Change-Id: Ib527a380a857719bff8254be514133528bd64c75 +--- + drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +index 07de5a2..42a3ea7 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +@@ -1,6 +1,6 @@ + /* Copyright (C) 2008 Google, Inc. + * Copyright (C) 2008 HTC Corporation +- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. + * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr, + list_for_each_entry(region_elt, &audio->ion_region_queue, list) { + if (addr >= region_elt->vaddr && + addr < region_elt->vaddr + region_elt->len && +- addr + len <= region_elt->vaddr + region_elt->len) { ++ addr + len <= region_elt->vaddr + region_elt->len && ++ addr + len > addr) { ++ /* to avoid integer addition overflow */ ++ + /* offset since we could pass vaddr inside a registerd + * ion buffer + */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-10998/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-10998/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10998/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-10998/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11029/3.18/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch rename to Patches/Linux_CVEs/CVE-2017-11029/3.18/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11029/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11029/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11600/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11600/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-12146/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-12146/3.16+/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-12146/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-12146/3.16+/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5970/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-5970/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5970/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-5970/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch new file mode 100644 index 00000000..7a08c666 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch @@ -0,0 +1,25 @@ +From b7b89be8d4ab0c5e6eb0cdfb1108af08a1cd088f Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 02 Oct 2015 11:43:29 -0700 +Subject: [PATCH] tcp: remove BUG_ON() in tcp_check_req() + +Once listener is lockless, its sk_state can change anytime. + +Change-Id: I3a8c4aa4974294b865d79ea997df4c8cee5ffbc2 +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 0f01788..28f72aa 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -511,8 +511,6 @@ + __be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK); + bool paws_reject = false; + +- BUG_ON(fastopen == (sk->sk_state == TCP_LISTEN)); +- + tmp_opt.saw_tstamp = 0; + if (th->doff > (sizeof(struct tcphdr)>>2)) { + tcp_parse_options(skb, &tmp_opt, 0, NULL); diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 new file mode 100644 index 00000000..4fa5d03d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSBiN2I4OWJlOGQ0YWIwYzVlNmViMGNkZmIxMTA4YWYwOGExY2QwODhmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+CkRhdGU6IEZyaSwgMDIgT2N0IDIwMTUgMTE6NDM6MjkgLTA3MDAKU3ViamVjdDogW1BBVENIXSB0Y3A6IHJlbW92ZSBCVUdfT04oKSBpbiB0Y3BfY2hlY2tfcmVxKCkKCk9uY2UgbGlzdGVuZXIgaXMgbG9ja2xlc3MsIGl0cyBza19zdGF0ZSBjYW4gY2hhbmdlIGFueXRpbWUuCgpDaGFuZ2UtSWQ6IEkzYThjNGFhNDk3NDI5NGI4NjVkNzllYTk5N2RmNGM4Y2VlNWZmYmMyClNpZ25lZC1vZmYtYnk6IEVyaWMgRHVtYXpldCA8ZWR1bWF6ZXRAZ29vZ2xlLmNvbT4KU2lnbmVkLW9mZi1ieTogRGF2aWQgUy4gTWlsbGVyIDxkYXZlbUBkYXZlbWxvZnQubmV0PgotLS0KCmRpZmYgLS1naXQgYS9uZXQvaXB2NC90Y3BfbWluaXNvY2tzLmMgYi9uZXQvaXB2NC90Y3BfbWluaXNvY2tzLmMKaW5kZXggMGYwMTc4OC4uMjhmNzJhYSAxMDA2NDQKLS0tIGEvbmV0L2lwdjQvdGNwX21pbmlzb2Nrcy5jCisrKyBiL25ldC9pcHY0L3RjcF9taW5pc29ja3MuYwpAQCAtNTExLDggKzUxMSw2IEBACiAJX19iZTMyIGZsZyA9IHRjcF9mbGFnX3dvcmQodGgpICYgKFRDUF9GTEFHX1JTVHxUQ1BfRkxBR19TWU58VENQX0ZMQUdfQUNLKTsKIAlib29sIHBhd3NfcmVqZWN0ID0gZmFsc2U7CiAKLQlCVUdfT04oZmFzdG9wZW4gPT0gKHNrLT5za19zdGF0ZSA9PSBUQ1BfTElTVEVOKSk7Ci0KIAl0bXBfb3B0LnNhd190c3RhbXAgPSAwOwogCWlmICh0aC0+ZG9mZiA+IChzaXplb2Yoc3RydWN0IHRjcGhkcik+PjIpKSB7CiAJCXRjcF9wYXJzZV9vcHRpb25zKHNrYiwgJnRtcF9vcHQsIDAsIE5VTEwpOwo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch new file mode 100644 index 00000000..a9442471 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6001/3.2-3.4/0001.patch @@ -0,0 +1,159 @@ +From 9eb0e01be831d0f37ea6278a92c32424141f55fb Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 11 Jan 2017 21:09:50 +0100 +Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race + +commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream. + +Di Shen reported a race between two concurrent sys_perf_event_open() +calls where both try and move the same pre-existing software group +into a hardware context. + +The problem is exactly that described in commit: + + f63a8daa5812 ("perf: Fix event->ctx locking") + +... where, while we wait for a ctx->mutex acquisition, the event->ctx +relation can have changed under us. + +That very same commit failed to recognise sys_perf_event_context() as an +external access vector to the events and thereby didn't apply the +established locking rules correctly. + +So while one sys_perf_event_open() call is stuck waiting on +mutex_lock_double(), the other (which owns said locks) moves the group +about. So by the time the former sys_perf_event_open() acquires the +locks, the context we've acquired is stale (and possibly dead). + +Apply the established locking rules as per perf_event_ctx_lock_nested() +to the mutex_lock_double() for the 'move_group' case. This obviously means +we need to validate state after we acquire the locks. + +Reported-by: Di Shen (Keen Lab) +Tested-by: John Dias +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Min Chong +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") +Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +[bwh: Backported to 3.2: + - Use ACCESS_ONCE() instead of READ_ONCE() + - Test perf_event::group_flags instead of group_caps + - Add the err_locked cleanup block, which we didn't need before + - Adjust context] +Signed-off-by: Ben Hutchings +--- + kernel/events/core.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 57 insertions(+), 4 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index a301c68..49a1db4 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -6474,6 +6474,37 @@ static void mutex_lock_double(struct mutex *a, struct mutex *b) + mutex_lock_nested(b, SINGLE_DEPTH_NESTING); + } + ++/* ++ * Variation on perf_event_ctx_lock_nested(), except we take two context ++ * mutexes. ++ */ ++static struct perf_event_context * ++__perf_event_ctx_lock_double(struct perf_event *group_leader, ++ struct perf_event_context *ctx) ++{ ++ struct perf_event_context *gctx; ++ ++again: ++ rcu_read_lock(); ++ gctx = ACCESS_ONCE(group_leader->ctx); ++ if (!atomic_inc_not_zero(&gctx->refcount)) { ++ rcu_read_unlock(); ++ goto again; ++ } ++ rcu_read_unlock(); ++ ++ mutex_lock_double(&gctx->mutex, &ctx->mutex); ++ ++ if (group_leader->ctx != gctx) { ++ mutex_unlock(&ctx->mutex); ++ mutex_unlock(&gctx->mutex); ++ put_ctx(gctx); ++ goto again; ++ } ++ ++ return gctx; ++} ++ + /** + * sys_perf_event_open - open a performance event, associate it to a task/cpu + * +@@ -6661,14 +6692,31 @@ SYSCALL_DEFINE5(perf_event_open, + } + + if (move_group) { +- gctx = group_leader->ctx; ++ gctx = __perf_event_ctx_lock_double(group_leader, ctx); ++ ++ /* ++ * Check if we raced against another sys_perf_event_open() call ++ * moving the software group underneath us. ++ */ ++ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) { ++ /* ++ * If someone moved the group out from under us, check ++ * if this new event wound up on the same ctx, if so ++ * its the regular !move_group case, otherwise fail. ++ */ ++ if (gctx != ctx) { ++ err = -EINVAL; ++ goto err_locked; ++ } else { ++ perf_event_ctx_unlock(group_leader, gctx); ++ move_group = 0; ++ } ++ } + + /* + * See perf_event_ctx_lock() for comments on the details + * of swizzling perf_event::ctx. + */ +- mutex_lock_double(&gctx->mutex, &ctx->mutex); +- + perf_remove_from_context(group_leader, false); + + /* +@@ -6710,7 +6758,7 @@ SYSCALL_DEFINE5(perf_event_open, + perf_unpin_context(ctx); + + if (move_group) { +- mutex_unlock(&gctx->mutex); ++ perf_event_ctx_unlock(group_leader, gctx); + put_ctx(gctx); + } + mutex_unlock(&ctx->mutex); +@@ -6737,6 +6785,11 @@ SYSCALL_DEFINE5(perf_event_open, + fd_install(event_fd, event_file); + return event_fd; + ++err_locked: ++ if (move_group) ++ perf_event_ctx_unlock(group_leader, gctx); ++ mutex_unlock(&ctx->mutex); ++ fput(event_file); + err_context: + perf_unpin_context(ctx); + put_ctx(ctx); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 rename to Patches/Linux_CVEs/CVE-2017-6001/^4.9/0002.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2017-6074/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6074/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6074/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-6074/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6214/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6214/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6214/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-6214/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch new file mode 100644 index 00000000..665dc9ea --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch @@ -0,0 +1,53 @@ +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 05cfee7..2ae5ae2 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1429,13 +1429,16 @@ + return -EINVAL; + } + +- if (!po->running) +- return -EINVAL; +- +- if (po->fanout) +- return -EALREADY; +- + mutex_lock(&fanout_mutex); ++ ++ err = -EINVAL; ++ if (!po->running) ++ goto out; ++ ++ err = -EALREADY; ++ if (po->fanout) ++ goto out; ++ + match = NULL; + list_for_each_entry(f, &fanout_list, list) { + if (f->id == id && +@@ -1491,17 +1494,16 @@ + struct packet_sock *po = pkt_sk(sk); + struct packet_fanout *f; + +- f = po->fanout; +- if (!f) +- return; +- + mutex_lock(&fanout_mutex); +- po->fanout = NULL; ++ f = po->fanout; ++ if (f) { ++ po->fanout = NULL; + +- if (atomic_dec_and_test(&f->sk_ref)) { +- list_del(&f->list); +- dev_remove_pack(&f->prot_hook); +- kfree(f); ++ if (atomic_dec_and_test(&f->sk_ref)) { ++ list_del(&f->list); ++ dev_remove_pack(&f->prot_hook); ++ kfree(f); ++ } + } + mutex_unlock(&fanout_mutex); + } diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 new file mode 100644 index 00000000..57eacd49 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6346/3.18/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMgYi9uZXQvcGFja2V0L2FmX3BhY2tldC5jCmluZGV4IDA1Y2ZlZTcuLjJhZTVhZTIgMTAwNjQ0Ci0tLSBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMKKysrIGIvbmV0L3BhY2tldC9hZl9wYWNrZXQuYwpAQCAtMTQyOSwxMyArMTQyOSwxNiBAQAogCQlyZXR1cm4gLUVJTlZBTDsKIAl9CiAKLQlpZiAoIXBvLT5ydW5uaW5nKQotCQlyZXR1cm4gLUVJTlZBTDsKLQotCWlmIChwby0+ZmFub3V0KQotCQlyZXR1cm4gLUVBTFJFQURZOwotCiAJbXV0ZXhfbG9jaygmZmFub3V0X211dGV4KTsKKworCWVyciA9IC1FSU5WQUw7CisJaWYgKCFwby0+cnVubmluZykKKwkJZ290byBvdXQ7CisKKwllcnIgPSAtRUFMUkVBRFk7CisJaWYgKHBvLT5mYW5vdXQpCisJCWdvdG8gb3V0OworCiAJbWF0Y2ggPSBOVUxMOwogCWxpc3RfZm9yX2VhY2hfZW50cnkoZiwgJmZhbm91dF9saXN0LCBsaXN0KSB7CiAJCWlmIChmLT5pZCA9PSBpZCAmJgpAQCAtMTQ5MSwxNyArMTQ5NCwxNiBAQAogCXN0cnVjdCBwYWNrZXRfc29jayAqcG8gPSBwa3Rfc2soc2spOwogCXN0cnVjdCBwYWNrZXRfZmFub3V0ICpmOwogCi0JZiA9IHBvLT5mYW5vdXQ7Ci0JaWYgKCFmKQotCQlyZXR1cm47Ci0KIAltdXRleF9sb2NrKCZmYW5vdXRfbXV0ZXgpOwotCXBvLT5mYW5vdXQgPSBOVUxMOworCWYgPSBwby0+ZmFub3V0OworCWlmIChmKSB7CisJCXBvLT5mYW5vdXQgPSBOVUxMOwogCi0JaWYgKGF0b21pY19kZWNfYW5kX3Rlc3QoJmYtPnNrX3JlZikpIHsKLQkJbGlzdF9kZWwoJmYtPmxpc3QpOwotCQlkZXZfcmVtb3ZlX3BhY2soJmYtPnByb3RfaG9vayk7Ci0JCWtmcmVlKGYpOworCQlpZiAoYXRvbWljX2RlY19hbmRfdGVzdCgmZi0+c2tfcmVmKSkgeworCQkJbGlzdF9kZWwoJmYtPmxpc3QpOworCQkJZGV2X3JlbW92ZV9wYWNrKCZmLT5wcm90X2hvb2spOworCQkJa2ZyZWUoZik7CisJCX0KIAl9CiAJbXV0ZXhfdW5sb2NrKCZmYW5vdXRfbXV0ZXgpOwogfQo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6346/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-6346/^4.9/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6346/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-6346/^4.9/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch new file mode 100644 index 00000000..a91f45c3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6424/prima/0001.patch @@ -0,0 +1,50 @@ +From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001 +From: Nishank Aggarwal +Date: Fri, 10 Feb 2017 15:48:13 +0530 +Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes() + +qcacld-2.0 to prima propagation + +Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen +is user-controllable and never validates which uses as the length +for a memory copy. This enables user-space applications to corrupt +heap memory and potentially crash the kernel. + +Fix is to validate the WPARSNIes length to its max before use as the +length for a memory copy. + +Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68 +CRs-Fixed: 1102648 +--- + CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c +index 33f7d50..c0c5c14 100644 +--- a/CORE/HDD/src/wlan_hdd_hostapd.c ++++ b/CORE/HDD/src/wlan_hdd_hostapd.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev, + return 0; + } + ++ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "%s: WPARSN Ie input length is more than max[%d]", __func__, ++ wrqu->data.length); ++ return -EINVAL; ++ } ++ + switch (genie[0]) + { + case DOT11F_EID_WPA: +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0001.patch rename to Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0002.patch rename to Patches/Linux_CVEs/CVE-2017-6424/qcacld-3.0/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7187/3.7-^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7187/3.7-^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch new file mode 100644 index 00000000..19b01e18 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7371/3.18/0001.patch @@ -0,0 +1,45 @@ +From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001 +From: Sungjun Park +Date: Mon, 23 Jan 2017 13:28:44 -0800 +Subject: bluetooth: Fix free data pointer routine + +Data pointer has been reused after freed it. So, +it has been moved to after using the data pointer +to clean up resource and freed it. + +Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d +Signed-off-by: Sungjun Park +--- + drivers/bluetooth/btfm_slim.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c +index 5fb00b9..1c6e256 100644 +--- a/drivers/bluetooth/btfm_slim.c ++++ b/drivers/bluetooth/btfm_slim.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim) + BTFMSLIM_DBG(""); + mutex_destroy(&btfm_slim->io_lock); + mutex_destroy(&btfm_slim->xfer_lock); +- kfree(btfm_slim); + snd_soc_unregister_codec(&slim->dev); + + BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd"); +@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim) + + BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd"); + slim_remove_device(slim); ++ ++ kfree(btfm_slim); + return 0; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-7371/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7371/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7371/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7371/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch new file mode 100644 index 00000000..d7b5ea41 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7373/3.10/0001.patch @@ -0,0 +1,33 @@ +From eac4a77bb71750b02e91508b15c9aaf4fe2b94ae Mon Sep 17 00:00:00 2001 +From: Sachin Bhayare +Date: Fri, 23 Dec 2016 11:22:44 +0530 +Subject: msm: mdss: Fix invalid dma attachment during fb shutdown + +If DMA attachment fail during fb_mmap, all ION memory will get free. It +is necessary to reset the fbmem and fb_attachemnt pointer to NULL, +otherwise during shutdown will perform another free and causing issue. + +CRs-Fixed: 1090244 +Change-Id: I92affcf2ce039eecfc72b7c191e058f37815c726 +Signed-off-by: Benjamin Chan +Signed-off-by: Sachin Bhayare +--- + drivers/video/msm/mdss/mdss_fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c +index 2e8092d..c2d1441 100644 +--- a/drivers/video/msm/mdss/mdss_fb.c ++++ b/drivers/video/msm/mdss/mdss_fb.c +@@ -1660,6 +1660,8 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size) + + fb_mmap_failed: + ion_free(mfd->fb_ion_client, mfd->fb_ion_handle); ++ mfd->fb_ion_handle = NULL; ++ mfd->fbmem_buf = NULL; + return rc; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-7373/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7373/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7373/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7373/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7374/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7374/4.2-4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7374/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7374/4.2-4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch new file mode 100644 index 00000000..6204174f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch @@ -0,0 +1,87 @@ +From 3127779c064c6358310e542c725fe1f64dd6a60f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 17 Sep 2001 00:00:00 +0200 +Subject: [PATCH] ext4: fix data exposure after a crash + +commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream. + +Huang has reported that in his powerfail testing he is seeing stale +block contents in some of recently allocated blocks although he mounts +ext4 in data=ordered mode. After some investigation I have found out +that indeed when delayed allocation is used, we don't add inode to +transaction's list of inodes needing flushing before commit. Originally +we were doing that but commit f3b59291a69d removed the logic with a +flawed argument that it is not needed. + +The problem is that although for delayed allocated blocks we write their +contents immediately after allocating them, there is no guarantee that +the IO scheduler or device doesn't reorder things and thus transaction +allocating blocks and attaching them to inode can reach stable storage +before actual block contents. Actually whenever we attach freshly +allocated blocks to inode using a written extent, we should add inode to +transaction's ordered inode list to make sure we properly wait for block +contents to be written before committing the transaction. So that is +what we do in this patch. This also handles other cases where stale data +exposure was possible - like filling hole via mmap in +data=ordered,nodelalloc mode. + +The only exception to the above rule are extending direct IO writes where +blkdev_direct_IO() waits for IO to complete before increasing i_size and +thus stale data exposure is not possible. For now we don't complicate +the code with optimizing this special case since the overhead is pretty +low. In case this is observed to be a performance problem we can always +handle it using a special flag to ext4_map_blocks(). + +Change-Id: I9f8b371c9fd716bf3d8af3780ce43e73d80cfb28 +Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d +Reported-by: "HUANG Weller (CM/ESW12-CN)" +Tested-by: "HUANG Weller (CM/ESW12-CN)" +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +[bwh: Backported to 3.16: + - Drop check for EXT4_GET_BLOCKS_ZERO flag + - Adjust context] +Signed-off-by: Ben Hutchings +--- + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 9d358dc..f472aed 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -661,6 +661,20 @@ + ret = check_block_validity(inode, map); + if (ret != 0) + return ret; ++ ++ /* ++ * Inodes with freshly allocated blocks where contents will be ++ * visible after transaction commit must be on transaction's ++ * ordered data list. ++ */ ++ if (map->m_flags & EXT4_MAP_NEW && ++ !(map->m_flags & EXT4_MAP_UNWRITTEN) && ++ !IS_NOQUOTA(inode) && ++ ext4_should_order_data(inode)) { ++ ret = ext4_jbd2_file_inode(handle, inode); ++ if (ret) ++ return ret; ++ } + } + return retval; + } +@@ -1116,15 +1130,6 @@ + int i_size_changed = 0; + + trace_ext4_write_end(inode, pos, len, copied); +- if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) { +- ret = ext4_jbd2_file_inode(handle, inode); +- if (ret) { +- unlock_page(page); +- page_cache_release(page); +- goto errout; +- } +- } +- + if (ext4_has_inline_data(inode)) { + ret = ext4_write_inline_data_end(inode, pos, len, + copied, page); diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 new file mode 100644 index 00000000..9708ac07 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSAzMTI3Nzc5YzA2NGM2MzU4MzEwZTU0MmM3MjVmZTFmNjRkZDZhNjBmIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpEYXRlOiBNb24sIDE3IFNlcCAyMDAxIDAwOjAwOjAwICswMjAwClN1YmplY3Q6IFtQQVRDSF0gZXh0NDogZml4IGRhdGEgZXhwb3N1cmUgYWZ0ZXIgYSBjcmFzaAoKY29tbWl0IDA2YmQzYzM2YTczM2FjMjc5NjJmZWE3ZDZmNDcxNjg4NDEzNzY4MjQgdXBzdHJlYW0uCgpIdWFuZyBoYXMgcmVwb3J0ZWQgdGhhdCBpbiBoaXMgcG93ZXJmYWlsIHRlc3RpbmcgaGUgaXMgc2VlaW5nIHN0YWxlCmJsb2NrIGNvbnRlbnRzIGluIHNvbWUgb2YgcmVjZW50bHkgYWxsb2NhdGVkIGJsb2NrcyBhbHRob3VnaCBoZSBtb3VudHMKZXh0NCBpbiBkYXRhPW9yZGVyZWQgbW9kZS4gQWZ0ZXIgc29tZSBpbnZlc3RpZ2F0aW9uIEkgaGF2ZSBmb3VuZCBvdXQKdGhhdCBpbmRlZWQgd2hlbiBkZWxheWVkIGFsbG9jYXRpb24gaXMgdXNlZCwgd2UgZG9uJ3QgYWRkIGlub2RlIHRvCnRyYW5zYWN0aW9uJ3MgbGlzdCBvZiBpbm9kZXMgbmVlZGluZyBmbHVzaGluZyBiZWZvcmUgY29tbWl0LiBPcmlnaW5hbGx5CndlIHdlcmUgZG9pbmcgdGhhdCBidXQgY29tbWl0IGYzYjU5MjkxYTY5ZCByZW1vdmVkIHRoZSBsb2dpYyB3aXRoIGEKZmxhd2VkIGFyZ3VtZW50IHRoYXQgaXQgaXMgbm90IG5lZWRlZC4KClRoZSBwcm9ibGVtIGlzIHRoYXQgYWx0aG91Z2ggZm9yIGRlbGF5ZWQgYWxsb2NhdGVkIGJsb2NrcyB3ZSB3cml0ZSB0aGVpcgpjb250ZW50cyBpbW1lZGlhdGVseSBhZnRlciBhbGxvY2F0aW5nIHRoZW0sIHRoZXJlIGlzIG5vIGd1YXJhbnRlZSB0aGF0CnRoZSBJTyBzY2hlZHVsZXIgb3IgZGV2aWNlIGRvZXNuJ3QgcmVvcmRlciB0aGluZ3MgYW5kIHRodXMgdHJhbnNhY3Rpb24KYWxsb2NhdGluZyBibG9ja3MgYW5kIGF0dGFjaGluZyB0aGVtIHRvIGlub2RlIGNhbiByZWFjaCBzdGFibGUgc3RvcmFnZQpiZWZvcmUgYWN0dWFsIGJsb2NrIGNvbnRlbnRzLiBBY3R1YWxseSB3aGVuZXZlciB3ZSBhdHRhY2ggZnJlc2hseQphbGxvY2F0ZWQgYmxvY2tzIHRvIGlub2RlIHVzaW5nIGEgd3JpdHRlbiBleHRlbnQsIHdlIHNob3VsZCBhZGQgaW5vZGUgdG8KdHJhbnNhY3Rpb24ncyBvcmRlcmVkIGlub2RlIGxpc3QgdG8gbWFrZSBzdXJlIHdlIHByb3Blcmx5IHdhaXQgZm9yIGJsb2NrCmNvbnRlbnRzIHRvIGJlIHdyaXR0ZW4gYmVmb3JlIGNvbW1pdHRpbmcgdGhlIHRyYW5zYWN0aW9uLiBTbyB0aGF0IGlzCndoYXQgd2UgZG8gaW4gdGhpcyBwYXRjaC4gVGhpcyBhbHNvIGhhbmRsZXMgb3RoZXIgY2FzZXMgd2hlcmUgc3RhbGUgZGF0YQpleHBvc3VyZSB3YXMgcG9zc2libGUgLSBsaWtlIGZpbGxpbmcgaG9sZSB2aWEgbW1hcCBpbgpkYXRhPW9yZGVyZWQsbm9kZWxhbGxvYyBtb2RlLgoKVGhlIG9ubHkgZXhjZXB0aW9uIHRvIHRoZSBhYm92ZSBydWxlIGFyZSBleHRlbmRpbmcgZGlyZWN0IElPIHdyaXRlcyB3aGVyZQpibGtkZXZfZGlyZWN0X0lPKCkgd2FpdHMgZm9yIElPIHRvIGNvbXBsZXRlIGJlZm9yZSBpbmNyZWFzaW5nIGlfc2l6ZSBhbmQKdGh1cyBzdGFsZSBkYXRhIGV4cG9zdXJlIGlzIG5vdCBwb3NzaWJsZS4gRm9yIG5vdyB3ZSBkb24ndCBjb21wbGljYXRlCnRoZSBjb2RlIHdpdGggb3B0aW1pemluZyB0aGlzIHNwZWNpYWwgY2FzZSBzaW5jZSB0aGUgb3ZlcmhlYWQgaXMgcHJldHR5Cmxvdy4gSW4gY2FzZSB0aGlzIGlzIG9ic2VydmVkIHRvIGJlIGEgcGVyZm9ybWFuY2UgcHJvYmxlbSB3ZSBjYW4gYWx3YXlzCmhhbmRsZSBpdCB1c2luZyBhIHNwZWNpYWwgZmxhZyB0byBleHQ0X21hcF9ibG9ja3MoKS4KCkNoYW5nZS1JZDogSTlmOGIzNzFjOWZkNzE2YmYzZDhhZjM3ODBjZTQzZTczZDgwY2ZiMjgKRml4ZXM6IGYzYjU5MjkxYTY5ZDBiNzM0YmUxZmM4YmU0ODlmZWYyZGQ4NDZkM2QKUmVwb3J0ZWQtYnk6ICJIVUFORyBXZWxsZXIgKENNL0VTVzEyLUNOKSIgPFdlbGxlci5IdWFuZ0Bjbi5ib3NjaC5jb20+ClRlc3RlZC1ieTogIkhVQU5HIFdlbGxlciAoQ00vRVNXMTItQ04pIiA8V2VsbGVyLkh1YW5nQGNuLmJvc2NoLmNvbT4KU2lnbmVkLW9mZi1ieTogSmFuIEthcmEgPGphY2tAc3VzZS5jej4KU2lnbmVkLW9mZi1ieTogVGhlb2RvcmUgVHMnbyA8dHl0c29AbWl0LmVkdT4KW2J3aDogQmFja3BvcnRlZCB0byAzLjE2OgogLSBEcm9wIGNoZWNrIGZvciBFWFQ0X0dFVF9CTE9DS1NfWkVSTyBmbGFnCiAtIEFkanVzdCBjb250ZXh0XQpTaWduZWQtb2ZmLWJ5OiBCZW4gSHV0Y2hpbmdzIDxiZW5AZGVjYWRlbnQub3JnLnVrPgotLS0KCmRpZmYgLS1naXQgYS9mcy9leHQ0L2lub2RlLmMgYi9mcy9leHQ0L2lub2RlLmMKaW5kZXggOWQzNThkYy4uZjQ3MmFlZCAxMDA2NDQKLS0tIGEvZnMvZXh0NC9pbm9kZS5jCisrKyBiL2ZzL2V4dDQvaW5vZGUuYwpAQCAtNjYxLDYgKzY2MSwyMCBAQAogCQlyZXQgPSBjaGVja19ibG9ja192YWxpZGl0eShpbm9kZSwgbWFwKTsKIAkJaWYgKHJldCAhPSAwKQogCQkJcmV0dXJuIHJldDsKKworCQkvKgorCQkgKiBJbm9kZXMgd2l0aCBmcmVzaGx5IGFsbG9jYXRlZCBibG9ja3Mgd2hlcmUgY29udGVudHMgd2lsbCBiZQorCQkgKiB2aXNpYmxlIGFmdGVyIHRyYW5zYWN0aW9uIGNvbW1pdCBtdXN0IGJlIG9uIHRyYW5zYWN0aW9uJ3MKKwkJICogb3JkZXJlZCBkYXRhIGxpc3QuCisJCSAqLworCQlpZiAobWFwLT5tX2ZsYWdzICYgRVhUNF9NQVBfTkVXICYmCisJCSAgICAhKG1hcC0+bV9mbGFncyAmIEVYVDRfTUFQX1VOV1JJVFRFTikgJiYKKwkJICAgICFJU19OT1FVT1RBKGlub2RlKSAmJgorCQkgICAgZXh0NF9zaG91bGRfb3JkZXJfZGF0YShpbm9kZSkpIHsKKwkJCXJldCA9IGV4dDRfamJkMl9maWxlX2lub2RlKGhhbmRsZSwgaW5vZGUpOworCQkJaWYgKHJldCkKKwkJCQlyZXR1cm4gcmV0OworCQl9CiAJfQogCXJldHVybiByZXR2YWw7CiB9CkBAIC0xMTE2LDE1ICsxMTMwLDYgQEAKIAlpbnQgaV9zaXplX2NoYW5nZWQgPSAwOwogCiAJdHJhY2VfZXh0NF93cml0ZV9lbmQoaW5vZGUsIHBvcywgbGVuLCBjb3BpZWQpOwotCWlmIChleHQ0X3Rlc3RfaW5vZGVfc3RhdGUoaW5vZGUsIEVYVDRfU1RBVEVfT1JERVJFRF9NT0RFKSkgewotCQlyZXQgPSBleHQ0X2piZDJfZmlsZV9pbm9kZShoYW5kbGUsIGlub2RlKTsKLQkJaWYgKHJldCkgewotCQkJdW5sb2NrX3BhZ2UocGFnZSk7Ci0JCQlwYWdlX2NhY2hlX3JlbGVhc2UocGFnZSk7Ci0JCQlnb3RvIGVycm91dDsKLQkJfQotCX0KLQogCWlmIChleHQ0X2hhc19pbmxpbmVfZGF0YShpbm9kZSkpIHsKIAkJcmV0ID0gZXh0NF93cml0ZV9pbmxpbmVfZGF0YV9lbmQoaW5vZGUsIHBvcywgbGVuLAogCQkJCQkJIGNvcGllZCwgcGFnZSk7Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch new file mode 100644 index 00000000..b56d5a52 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch @@ -0,0 +1,77 @@ +From df6099279dc346ec77158d5f52d3176dbd0a1e4c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 04 Jul 2016 10:14:01 -0400 +Subject: [PATCH] ext4: fix deadlock during page writeback + +[ Upstream commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 ] + +Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a +deadlock in ext4_writepages() which was previously much harder to hit. +After this commit xfstest generic/130 reproduces the deadlock on small +filesystems. + +The problem happens when ext4_do_update_inode() sets LARGE_FILE feature +and marks current inode handle as synchronous. That subsequently results +in ext4_journal_stop() called from ext4_writepages() to block waiting for +transaction commit while still holding page locks, reference to io_end, +and some prepared bio in mpd structure each of which can possibly block +transaction commit from completing and thus results in deadlock. + +Fix the problem by releasing page locks, io_end reference, and +submitting prepared bio before calling ext4_journal_stop(). + +[ Changed to defer the call to ext4_journal_stop() only if the handle + is synchronous. --tytso ] + +Change-Id: I724640d96ffaa03e512cd0b48cea056b4030c382 +Reported-and-tested-by: Eryu Guan +Signed-off-by: Theodore Ts'o +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index f472aed..5aa499f 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2554,13 +2554,36 @@ + done = true; + } + } +- ext4_journal_stop(handle); ++ /* ++ * Caution: If the handle is synchronous, ++ * ext4_journal_stop() can wait for transaction commit ++ * to finish which may depend on writeback of pages to ++ * complete or on page lock to be released. In that ++ * case, we have to wait until after after we have ++ * submitted all the IO, released page locks we hold, ++ * and dropped io_end reference (for extent conversion ++ * to be able to complete) before stopping the handle. ++ */ ++ if (!ext4_handle_valid(handle) || handle->h_sync == 0) { ++ ext4_journal_stop(handle); ++ handle = NULL; ++ } + /* Submit prepared bio */ + ext4_io_submit(&mpd.io_submit); + /* Unlock pages we didn't use */ + mpage_release_unused_pages(&mpd, give_up_on_write); +- /* Drop our io_end reference we got from init */ +- ext4_put_io_end(mpd.io_submit.io_end); ++ /* ++ * Drop our io_end reference we got from init. We have ++ * to be careful and use deferred io_end finishing if ++ * we are still holding the transaction as we can ++ * release the last reference to io_end which may end ++ * up doing unwritten extent conversion. ++ */ ++ if (handle) { ++ ext4_put_io_end_defer(mpd.io_submit.io_end); ++ ext4_journal_stop(handle); ++ } else ++ ext4_put_io_end(mpd.io_submit.io_end); + + if (ret == -ENOSPC && sbi->s_journal) { + /* diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 new file mode 100644 index 00000000..70d51e63 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7495/3.18/0002.patch.base64 @@ -0,0 +1 @@ +RnJvbSBkZjYwOTkyNzlkYzM0NmVjNzcxNThkNWY1MmQzMTc2ZGJkMGExZTRjIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpEYXRlOiBNb24sIDA0IEp1bCAyMDE2IDEwOjE0OjAxIC0wNDAwClN1YmplY3Q6IFtQQVRDSF0gZXh0NDogZml4IGRlYWRsb2NrIGR1cmluZyBwYWdlIHdyaXRlYmFjawoKWyBVcHN0cmVhbSBjb21taXQgNjQ2Y2FhOWM4ZTE5Njg4MGI0MWNkM2UzZDMzYTJlYmM3NTJiZGI4NSBdCgpDb21taXQgMDZiZDNjMzZhNzMzIChleHQ0OiBmaXggZGF0YSBleHBvc3VyZSBhZnRlciBhIGNyYXNoKSB1bmNvdmVyZWQgYQpkZWFkbG9jayBpbiBleHQ0X3dyaXRlcGFnZXMoKSB3aGljaCB3YXMgcHJldmlvdXNseSBtdWNoIGhhcmRlciB0byBoaXQuCkFmdGVyIHRoaXMgY29tbWl0IHhmc3Rlc3QgZ2VuZXJpYy8xMzAgcmVwcm9kdWNlcyB0aGUgZGVhZGxvY2sgb24gc21hbGwKZmlsZXN5c3RlbXMuCgpUaGUgcHJvYmxlbSBoYXBwZW5zIHdoZW4gZXh0NF9kb191cGRhdGVfaW5vZGUoKSBzZXRzIExBUkdFX0ZJTEUgZmVhdHVyZQphbmQgbWFya3MgY3VycmVudCBpbm9kZSBoYW5kbGUgYXMgc3luY2hyb25vdXMuIFRoYXQgc3Vic2VxdWVudGx5IHJlc3VsdHMKaW4gZXh0NF9qb3VybmFsX3N0b3AoKSBjYWxsZWQgZnJvbSBleHQ0X3dyaXRlcGFnZXMoKSB0byBibG9jayB3YWl0aW5nIGZvcgp0cmFuc2FjdGlvbiBjb21taXQgd2hpbGUgc3RpbGwgaG9sZGluZyBwYWdlIGxvY2tzLCByZWZlcmVuY2UgdG8gaW9fZW5kLAphbmQgc29tZSBwcmVwYXJlZCBiaW8gaW4gbXBkIHN0cnVjdHVyZSBlYWNoIG9mIHdoaWNoIGNhbiBwb3NzaWJseSBibG9jawp0cmFuc2FjdGlvbiBjb21taXQgZnJvbSBjb21wbGV0aW5nIGFuZCB0aHVzIHJlc3VsdHMgaW4gZGVhZGxvY2suCgpGaXggdGhlIHByb2JsZW0gYnkgcmVsZWFzaW5nIHBhZ2UgbG9ja3MsIGlvX2VuZCByZWZlcmVuY2UsIGFuZApzdWJtaXR0aW5nIHByZXBhcmVkIGJpbyBiZWZvcmUgY2FsbGluZyBleHQ0X2pvdXJuYWxfc3RvcCgpLgoKWyBDaGFuZ2VkIHRvIGRlZmVyIHRoZSBjYWxsIHRvIGV4dDRfam91cm5hbF9zdG9wKCkgb25seSBpZiB0aGUgaGFuZGxlCiAgaXMgc3luY2hyb25vdXMuICAtLXR5dHNvIF0KCkNoYW5nZS1JZDogSTcyNDY0MGQ5NmZmYWEwM2U1MTJjZDBiNDhjZWEwNTZiNDAzMGMzODIKUmVwb3J0ZWQtYW5kLXRlc3RlZC1ieTogRXJ5dSBHdWFuIDxlZ3VhbkByZWRoYXQuY29tPgpTaWduZWQtb2ZmLWJ5OiBUaGVvZG9yZSBUcydvIDx0eXRzb0BtaXQuZWR1PgpDQzogc3RhYmxlQHZnZXIua2VybmVsLm9yZwpTaWduZWQtb2ZmLWJ5OiBKYW4gS2FyYSA8amFja0BzdXNlLmN6PgpTaWduZWQtb2ZmLWJ5OiBTYXNoYSBMZXZpbiA8YWxleGFuZGVyLmxldmluQHZlcml6b24uY29tPgotLS0KCmRpZmYgLS1naXQgYS9mcy9leHQ0L2lub2RlLmMgYi9mcy9leHQ0L2lub2RlLmMKaW5kZXggZjQ3MmFlZC4uNWFhNDk5ZiAxMDA2NDQKLS0tIGEvZnMvZXh0NC9pbm9kZS5jCisrKyBiL2ZzL2V4dDQvaW5vZGUuYwpAQCAtMjU1NCwxMyArMjU1NCwzNiBAQAogCQkJCWRvbmUgPSB0cnVlOwogCQkJfQogCQl9Ci0JCWV4dDRfam91cm5hbF9zdG9wKGhhbmRsZSk7CisJCS8qCisJCSAqIENhdXRpb246IElmIHRoZSBoYW5kbGUgaXMgc3luY2hyb25vdXMsCisJCSAqIGV4dDRfam91cm5hbF9zdG9wKCkgY2FuIHdhaXQgZm9yIHRyYW5zYWN0aW9uIGNvbW1pdAorCQkgKiB0byBmaW5pc2ggd2hpY2ggbWF5IGRlcGVuZCBvbiB3cml0ZWJhY2sgb2YgcGFnZXMgdG8KKwkJICogY29tcGxldGUgb3Igb24gcGFnZSBsb2NrIHRvIGJlIHJlbGVhc2VkLiAgSW4gdGhhdAorCQkgKiBjYXNlLCB3ZSBoYXZlIHRvIHdhaXQgdW50aWwgYWZ0ZXIgYWZ0ZXIgd2UgaGF2ZQorCQkgKiBzdWJtaXR0ZWQgYWxsIHRoZSBJTywgcmVsZWFzZWQgcGFnZSBsb2NrcyB3ZSBob2xkLAorCQkgKiBhbmQgZHJvcHBlZCBpb19lbmQgcmVmZXJlbmNlIChmb3IgZXh0ZW50IGNvbnZlcnNpb24KKwkJICogdG8gYmUgYWJsZSB0byBjb21wbGV0ZSkgYmVmb3JlIHN0b3BwaW5nIHRoZSBoYW5kbGUuCisJCSAqLworCQlpZiAoIWV4dDRfaGFuZGxlX3ZhbGlkKGhhbmRsZSkgfHwgaGFuZGxlLT5oX3N5bmMgPT0gMCkgeworCQkJZXh0NF9qb3VybmFsX3N0b3AoaGFuZGxlKTsKKwkJCWhhbmRsZSA9IE5VTEw7CisJCX0KIAkJLyogU3VibWl0IHByZXBhcmVkIGJpbyAqLwogCQlleHQ0X2lvX3N1Ym1pdCgmbXBkLmlvX3N1Ym1pdCk7CiAJCS8qIFVubG9jayBwYWdlcyB3ZSBkaWRuJ3QgdXNlICovCiAJCW1wYWdlX3JlbGVhc2VfdW51c2VkX3BhZ2VzKCZtcGQsIGdpdmVfdXBfb25fd3JpdGUpOwotCQkvKiBEcm9wIG91ciBpb19lbmQgcmVmZXJlbmNlIHdlIGdvdCBmcm9tIGluaXQgKi8KLQkJZXh0NF9wdXRfaW9fZW5kKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKKwkJLyoKKwkJICogRHJvcCBvdXIgaW9fZW5kIHJlZmVyZW5jZSB3ZSBnb3QgZnJvbSBpbml0LiBXZSBoYXZlCisJCSAqIHRvIGJlIGNhcmVmdWwgYW5kIHVzZSBkZWZlcnJlZCBpb19lbmQgZmluaXNoaW5nIGlmCisJCSAqIHdlIGFyZSBzdGlsbCBob2xkaW5nIHRoZSB0cmFuc2FjdGlvbiBhcyB3ZSBjYW4KKwkJICogcmVsZWFzZSB0aGUgbGFzdCByZWZlcmVuY2UgdG8gaW9fZW5kIHdoaWNoIG1heSBlbmQKKwkJICogdXAgZG9pbmcgdW53cml0dGVuIGV4dGVudCBjb252ZXJzaW9uLgorCQkgKi8KKwkJaWYgKGhhbmRsZSkgeworCQkJZXh0NF9wdXRfaW9fZW5kX2RlZmVyKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKKwkJCWV4dDRfam91cm5hbF9zdG9wKGhhbmRsZSk7CisJCX0gZWxzZQorCQkJZXh0NF9wdXRfaW9fZW5kKG1wZC5pb19zdWJtaXQuaW9fZW5kKTsKIAogCQlpZiAocmV0ID09IC1FTk9TUEMgJiYgc2JpLT5zX2pvdXJuYWwpIHsKIAkJCS8qCg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7495/^4.6/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7495/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7495/^4.6/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7616/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7616/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7616/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-7616/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch new file mode 100644 index 00000000..8a334400 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8251/3.10/0001.patch @@ -0,0 +1,64 @@ +From 3a42f1b79ed696f29350f170c00f27712ae84a36 Mon Sep 17 00:00:00 2001 +From: Maggie White +Date: Wed, 5 Jul 2017 13:00:40 -0700 +Subject: msm: camera: isp: fix for out of bound access array + +There is no bound check in stream_cfg_cmd->num_streams and it's used in +several places as a maximum index into the stream_cfg_cmd->stream_handle +array which has a size of 15. Current code didn't check the maximum +index to make sure it didn't exceed the array size. + +Bug: 62379525 +Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0 +Signed-off-by: Maggie White +--- + .../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +index 82da3e0..43a2c77 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +@@ -550,6 +550,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev, + int i; + uint32_t stats_mask = 0, idx; + ++ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s invalid num_streams %d\n", __func__, ++ stream_cfg_cmd->num_streams); ++ return -EINVAL; ++ } ++ + for (i = 0; i < stream_cfg_cmd->num_streams; i++) { + idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + +@@ -630,6 +636,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev, + stats_data->stream_info); + if (rc < 0) + return rc; ++ ++ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s invalid num_streams %d\n", __func__, ++ stream_cfg_cmd->num_streams); ++ return -EINVAL; ++ } ++ + for (i = 0; i < stream_cfg_cmd->num_streams; i++) { + idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + +@@ -702,6 +715,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev, + num_stats_comp_mask = + vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask; + ++ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s invalid num_streams %d\n", __func__, ++ stream_cfg_cmd->num_streams); ++ return -EINVAL; ++ } ++ + for (i = 0; i < stream_cfg_cmd->num_streams; i++) { + + idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch new file mode 100644 index 00000000..4dcd6ac3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8260/3.10/0001.patch @@ -0,0 +1,82 @@ +From 52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 Mon Sep 17 00:00:00 2001 +From: Gaoxiang Chen +Date: Fri, 31 Mar 2017 14:28:33 +0800 +Subject: msm: camera: don't cut to 8bits for validating enum variable + +In msm_ispif_is_intf_valid(), +we convert a enum variable msm_ispif_vfe_intf, +to uint8_t type for validating. + +This could cause potential issue, +if the value is crafted in such a way that lower 8bits pass the validation. + +Don't use uint8_t as input parm to avoid such vulnerability. + +CRs-Fixed: 2008469 +Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a +Signed-off-by: Gaoxiang Chen +--- + drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +index 4e07d4d..8409a64 100644 +--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c ++++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +@@ -64,7 +64,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) + + + static inline int msm_ispif_is_intf_valid(uint32_t csid_version, +- uint8_t intf_type) ++ enum msm_ispif_vfe_intf intf_type) + { + return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || + (intf_type >= VFE_MAX)) ? false : true; +@@ -347,7 +347,7 @@ static int msm_ispif_subdev_g_chip_ident(struct v4l2_subdev *sd, + } + + static void msm_ispif_sel_csid_core(struct ispif_device *ispif, +- uint8_t intftype, uint8_t csid, uint8_t vfe_intf) ++ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf) + { + uint32_t data; + +@@ -387,7 +387,7 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif, + } + + static void msm_ispif_enable_crop(struct ispif_device *ispif, +- uint8_t intftype, uint8_t vfe_intf, uint16_t start_pixel, ++ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf, uint16_t start_pixel, + uint16_t end_pixel) + { + uint32_t data; +@@ -419,7 +419,7 @@ static void msm_ispif_enable_crop(struct ispif_device *ispif, + } + + static void msm_ispif_enable_intf_cids(struct ispif_device *ispif, +- uint8_t intftype, uint16_t cid_mask, uint8_t vfe_intf, uint8_t enable) ++ uint8_t intftype, uint16_t cid_mask, enum msm_ispif_vfe_intf vfe_intf, uint8_t enable) + { + uint32_t intf_addr, data; + +@@ -461,7 +461,7 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif, + } + + static int msm_ispif_validate_intf_status(struct ispif_device *ispif, +- uint8_t intftype, uint8_t vfe_intf) ++ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf) + { + int rc = 0; + uint32_t data = 0; +@@ -501,7 +501,7 @@ static int msm_ispif_validate_intf_status(struct ispif_device *ispif, + } + + static void msm_ispif_select_clk_mux(struct ispif_device *ispif, +- uint8_t intftype, uint8_t csid, uint8_t vfe_intf) ++ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf) + { + uint32_t data = 0; + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8260/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8260/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch rename to Patches/Linux_CVEs/CVE-2017-8260/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8261/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8261/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8261/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8261/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch new file mode 100644 index 00000000..8480a4d8 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch @@ -0,0 +1,33 @@ +From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001 +From: Trishansh Bhardwaj +Date: Tue, 18 Apr 2017 14:44:43 +0530 +Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl + +Assign address of buf_info into ioctl_ptr. +Previously we were copying first 8 bytes of buf_info (content) +into ioctl_ptr. Which is dereferenced and written later causing +kernel overwrite vulnerability. + +Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd +Signed-off-by: Trishansh Bhardwaj +--- + drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c +index 882ab03..d0b265a 100644 +--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c ++++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c +@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd, + sizeof(struct msm_buf_mngr_info))) { + return -EFAULT; + } +- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr, +- &buf_info, sizeof(void *)); ++ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; + argp = &k_ioctl; + rc = msm_cam_buf_mgr_ops(cmd, argp); + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch new file mode 100644 index 00000000..62263ec7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch @@ -0,0 +1,53 @@ +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 640e6c1..57e3ea3 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -167,8 +167,11 @@ + { + struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL); + +- if (entry) ++ if (entry) { + kref_init(&entry->refcount); ++ /* put this ref in the caller functions after init */ ++ kref_get(&entry->refcount); ++ } + + return entry; + } +@@ -3019,6 +3022,9 @@ + trace_kgsl_mem_map(entry, param->fd); + + kgsl_mem_entry_commit_process(private, entry); ++ ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return result; + + error_attach: +@@ -3343,6 +3349,9 @@ + param->flags = entry->memdesc.flags; + + kgsl_mem_entry_commit_process(private, entry); ++ ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return result; + err: + kgsl_sharedmem_free(&entry->memdesc); +@@ -3382,6 +3391,9 @@ + param->gpuaddr = entry->memdesc.gpuaddr; + + kgsl_mem_entry_commit_process(private, entry); ++ ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return result; + err: + if (entry) diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64 new file mode 100644 index 00000000..126f126e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8262/3.10/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMgYi9kcml2ZXJzL2dwdS9tc20va2dzbC5jCmluZGV4IDY0MGU2YzEuLjU3ZTNlYTMgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L21zbS9rZ3NsLmMKKysrIGIvZHJpdmVycy9ncHUvbXNtL2tnc2wuYwpAQCAtMSw0ICsxLDQgQEAKLS8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE2LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KKy8qIENvcHlyaWdodCAoYykgMjAwOC0yMDE3LCBUaGUgTGludXggRm91bmRhdGlvbi4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAqCiAgKiBUaGlzIHByb2dyYW0gaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNhbiByZWRpc3RyaWJ1dGUgaXQgYW5kL29yIG1vZGlmeQogICogaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2ZXJzaW9uIDIgYW5kCkBAIC0xNjcsOCArMTY3LDExIEBACiB7CiAJc3RydWN0IGtnc2xfbWVtX2VudHJ5ICplbnRyeSA9IGt6YWxsb2Moc2l6ZW9mKCplbnRyeSksIEdGUF9LRVJORUwpOwogCi0JaWYgKGVudHJ5KQorCWlmIChlbnRyeSkgewogCQlrcmVmX2luaXQoJmVudHJ5LT5yZWZjb3VudCk7CisJCS8qIHB1dCB0aGlzIHJlZiBpbiB0aGUgY2FsbGVyIGZ1bmN0aW9ucyBhZnRlciBpbml0ICovCisJCWtyZWZfZ2V0KCZlbnRyeS0+cmVmY291bnQpOworCX0KIAogCXJldHVybiBlbnRyeTsKIH0KQEAgLTMwMTksNiArMzAyMiw5IEBACiAJdHJhY2Vfa2dzbF9tZW1fbWFwKGVudHJ5LCBwYXJhbS0+ZmQpOwogCiAJa2dzbF9tZW1fZW50cnlfY29tbWl0X3Byb2Nlc3MocHJpdmF0ZSwgZW50cnkpOworCisJLyogcHV0IHRoZSBleHRyYSByZWZjb3VudCBmb3Iga2dzbF9tZW1fZW50cnlfY3JlYXRlKCkgKi8KKwlrZ3NsX21lbV9lbnRyeV9wdXQoZW50cnkpOwogCXJldHVybiByZXN1bHQ7CiAKIGVycm9yX2F0dGFjaDoKQEAgLTMzNDMsNiArMzM0OSw5IEBACiAJcGFyYW0tPmZsYWdzID0gZW50cnktPm1lbWRlc2MuZmxhZ3M7CiAKIAlrZ3NsX21lbV9lbnRyeV9jb21taXRfcHJvY2Vzcyhwcml2YXRlLCBlbnRyeSk7CisKKwkvKiBwdXQgdGhlIGV4dHJhIHJlZmNvdW50IGZvciBrZ3NsX21lbV9lbnRyeV9jcmVhdGUoKSAqLworCWtnc2xfbWVtX2VudHJ5X3B1dChlbnRyeSk7CiAJcmV0dXJuIHJlc3VsdDsKIGVycjoKIAlrZ3NsX3NoYXJlZG1lbV9mcmVlKCZlbnRyeS0+bWVtZGVzYyk7CkBAIC0zMzgyLDYgKzMzOTEsOSBAQAogCXBhcmFtLT5ncHVhZGRyID0gZW50cnktPm1lbWRlc2MuZ3B1YWRkcjsKIAogCWtnc2xfbWVtX2VudHJ5X2NvbW1pdF9wcm9jZXNzKHByaXZhdGUsIGVudHJ5KTsKKworCS8qIHB1dCB0aGUgZXh0cmEgcmVmY291bnQgZm9yIGtnc2xfbWVtX2VudHJ5X2NyZWF0ZSgpICovCisJa2dzbF9tZW1fZW50cnlfcHV0KGVudHJ5KTsKIAlyZXR1cm4gcmVzdWx0OwogZXJyOgogCWlmIChlbnRyeSkK \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8262/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8262/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8262/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8262/4.4/0002.patch rename to Patches/Linux_CVEs/CVE-2017-8262/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch new file mode 100644 index 00000000..c620412f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8266/3.10/0001.patch @@ -0,0 +1,182 @@ +From aa23820b001ab1cfb86b79014e9fc44cd2be9ece Mon Sep 17 00:00:00 2001 +From: Ingrid Gallardo +Date: Wed, 1 Mar 2017 12:24:06 -0800 +Subject: msm: mdss: fix race condition in mdp debugfs + +Fix race condition in mdp debugfs properties +during the read and write of the panel and +mdp registers. This race condition can cause +accessing memory out bounderies. + +Change-Id: I97a90a154237343d4aaf237c11f525bcc2c3a8e3 +Signed-off-by: Ingrid Gallardo +Signed-off-by: Nirmal Abraham +--- + drivers/video/msm/mdss/mdss_debug.c | 48 ++++++++++++++++++++++++++++++------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c +index a95fa43..cedd40cd 100644 +--- a/drivers/video/msm/mdss/mdss_debug.c ++++ b/drivers/video/msm/mdss/mdss_debug.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -39,6 +39,8 @@ + #define PANEL_CMD_MIN_TX_COUNT 2 + #define PANEL_DATA_NODE_LEN 80 + ++static DEFINE_MUTEX(mdss_debug_lock); ++ + static char panel_reg[2] = {DEFAULT_READ_PANEL_POWER_MODE_REG, 0x00}; + + static int panel_debug_base_open(struct inode *inode, struct file *file) +@@ -88,8 +90,10 @@ static ssize_t panel_debug_base_offset_write(struct file *file, + if (cnt > (dbg->max_offset - off)) + cnt = dbg->max_offset - off; + ++ mutex_lock(&mdss_debug_lock); + dbg->off = off; + dbg->cnt = cnt; ++ mutex_unlock(&mdss_debug_lock); + + pr_debug("offset=%x cnt=%d\n", off, cnt); + +@@ -109,15 +113,21 @@ static ssize_t panel_debug_base_offset_read(struct file *file, + if (*ppos) + return 0; /* the end */ + ++ mutex_lock(&mdss_debug_lock); + len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); +- if (len < 0 || len >= sizeof(buf)) ++ if (len < 0 || len >= sizeof(buf)) { ++ mutex_unlock(&mdss_debug_lock); + return 0; ++ } + +- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { ++ mutex_unlock(&mdss_debug_lock); + return -EFAULT; ++ } + + *ppos += len; /* increase offset */ + ++ mutex_unlock(&mdss_debug_lock); + return len; + } + +@@ -206,11 +216,16 @@ static ssize_t panel_debug_base_reg_read(struct file *file, + if (!dbg) + return -ENODEV; + +- if (!dbg->cnt) ++ mutex_lock(&mdss_debug_lock); ++ if (!dbg->cnt) { ++ mutex_unlock(&mdss_debug_lock); + return 0; ++ } + +- if (*ppos) ++ if (*ppos) { ++ mutex_unlock(&mdss_debug_lock); + return 0; /* the end */ ++ } + + /* '0x' + 2 digit + blank = 5 bytes for each number */ + reg_buf_len = (dbg->cnt * PANEL_REG_FORMAT_LEN) +@@ -251,11 +266,13 @@ static ssize_t panel_debug_base_reg_read(struct file *file, + kfree(panel_reg_buf); + + *ppos += len; /* increase offset */ ++ mutex_unlock(&mdss_debug_lock); + return len; + + read_reg_fail: + kfree(rx_buf); + kfree(panel_reg_buf); ++ mutex_unlock(&mdss_debug_lock); + return rc; + } + +@@ -386,8 +403,10 @@ static ssize_t mdss_debug_base_offset_write(struct file *file, + if (cnt > (dbg->max_offset - off)) + cnt = dbg->max_offset - off; + ++ mutex_lock(&mdss_debug_lock); + dbg->off = off; + dbg->cnt = cnt; ++ mutex_unlock(&mdss_debug_lock); + + pr_debug("offset=%x cnt=%x\n", off, cnt); + +@@ -407,15 +426,21 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, + if (*ppos) + return 0; /* the end */ + ++ mutex_lock(&mdss_debug_lock); + len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); +- if (len < 0 || len >= sizeof(buf)) ++ if (len < 0 || len >= sizeof(buf)) { ++ mutex_unlock(&mdss_debug_lock); + return 0; ++ } + +- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { ++ mutex_unlock(&mdss_debug_lock); + return -EFAULT; ++ } + + *ppos += len; /* increase offset */ + ++ mutex_unlock(&mdss_debug_lock); + return len; + } + +@@ -472,6 +497,8 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, + return -ENODEV; + } + ++ mutex_lock(&mdss_debug_lock); ++ + if (!dbg->buf) { + char dump_buf[64]; + char *ptr; +@@ -483,6 +510,7 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, + + if (!dbg->buf) { + pr_err("not enough memory to hold reg dump\n"); ++ mutex_unlock(&mdss_debug_lock); + return -ENOMEM; + } + +@@ -513,17 +541,21 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, + dbg->buf_len = tot; + } + +- if (*ppos >= dbg->buf_len) ++ if (*ppos >= dbg->buf_len) { ++ mutex_unlock(&mdss_debug_lock); + return 0; /* done reading */ ++ } + + len = min(count, dbg->buf_len - (size_t) *ppos); + if (copy_to_user(user_buf, dbg->buf + *ppos, len)) { + pr_err("failed to copy to user\n"); ++ mutex_unlock(&mdss_debug_lock); + return -EFAULT; + } + + *ppos += len; /* increase offset */ + ++ mutex_unlock(&mdss_debug_lock); + return len; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8266/3.18/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8266/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8266/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch rename to Patches/Linux_CVEs/CVE-2017-8266/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch new file mode 100644 index 00000000..f2e74280 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch @@ -0,0 +1,37 @@ +From f52d6739f6a67cf1c918a4557e88b519b9135930 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 09 May 2017 06:29:19 -0700 +Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent + +syzkaller found a way to trigger double frees from ip_mc_drop_socket() + +It turns out that leave a copy of parent mc_list at accept() time, +which is very bad. + +Very similar to commit 8b485ce69876 ("tcp: do not inherit +fastopen_req from parent") + +Initial report from Pray3r, completed by Andrey one. +Thanks a lot to them ! + +Change-Id: I2eac7b825a5b597af14a0573b76b685131c46726 +Signed-off-by: Eric Dumazet +Reported-by: Pray3r +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +--- + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index fb10d58..325edfe 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -618,6 +618,8 @@ + inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port; + newsk->sk_write_space = sk_stream_write_space; + ++ inet_sk(newsk)->mc_list = NULL; ++ + newsk->sk_mark = inet_rsk(req)->ir_mark; + + newicsk->icsk_retransmits = 0; diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64 new file mode 100644 index 00000000..8f12cd9d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0001.patch.base64 @@ -0,0 +1 @@ +RnJvbSBmNTJkNjczOWY2YTY3Y2YxYzkxOGE0NTU3ZTg4YjUxOWI5MTM1OTMwIE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+CkRhdGU6IFR1ZSwgMDkgTWF5IDIwMTcgMDY6Mjk6MTkgLTA3MDAKU3ViamVjdDogW1BBVENIXSBkY2NwL3RjcDogZG8gbm90IGluaGVyaXQgbWNfbGlzdCBmcm9tIHBhcmVudAoKc3l6a2FsbGVyIGZvdW5kIGEgd2F5IHRvIHRyaWdnZXIgZG91YmxlIGZyZWVzIGZyb20gaXBfbWNfZHJvcF9zb2NrZXQoKQoKSXQgdHVybnMgb3V0IHRoYXQgbGVhdmUgYSBjb3B5IG9mIHBhcmVudCBtY19saXN0IGF0IGFjY2VwdCgpIHRpbWUsCndoaWNoIGlzIHZlcnkgYmFkLgoKVmVyeSBzaW1pbGFyIHRvIGNvbW1pdCA4YjQ4NWNlNjk4NzYgKCJ0Y3A6IGRvIG5vdCBpbmhlcml0CmZhc3RvcGVuX3JlcSBmcm9tIHBhcmVudCIpCgpJbml0aWFsIHJlcG9ydCBmcm9tIFByYXkzciwgY29tcGxldGVkIGJ5IEFuZHJleSBvbmUuClRoYW5rcyBhIGxvdCB0byB0aGVtICEKCkNoYW5nZS1JZDogSTJlYWM3YjgyNWE1YjU5N2FmMTRhMDU3M2I3NmI2ODUxMzFjNDY3MjYKU2lnbmVkLW9mZi1ieTogRXJpYyBEdW1hemV0IDxlZHVtYXpldEBnb29nbGUuY29tPgpSZXBvcnRlZC1ieTogUHJheTNyIDxwcmF5M3IuekBnbWFpbC5jb20+ClJlcG9ydGVkLWJ5OiBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+ClRlc3RlZC1ieTogQW5kcmV5IEtvbm92YWxvdiA8YW5kcmV5a252bEBnb29nbGUuY29tPgpTaWduZWQtb2ZmLWJ5OiBEYXZpZCBTLiBNaWxsZXIgPGRhdmVtQGRhdmVtbG9mdC5uZXQ+Ci0tLQoKZGlmZiAtLWdpdCBhL25ldC9pcHY0L2luZXRfY29ubmVjdGlvbl9zb2NrLmMgYi9uZXQvaXB2NC9pbmV0X2Nvbm5lY3Rpb25fc29jay5jCmluZGV4IGZiMTBkNTguLjMyNWVkZmUgMTAwNjQ0Ci0tLSBhL25ldC9pcHY0L2luZXRfY29ubmVjdGlvbl9zb2NrLmMKKysrIGIvbmV0L2lwdjQvaW5ldF9jb25uZWN0aW9uX3NvY2suYwpAQCAtNjE4LDYgKzYxOCw4IEBACiAJCWluZXRfc2sobmV3c2spLT5pbmV0X3Nwb3J0ID0gaW5ldF9yc2socmVxKS0+bG9jX3BvcnQ7CiAJCW5ld3NrLT5za193cml0ZV9zcGFjZSA9IHNrX3N0cmVhbV93cml0ZV9zcGFjZTsKIAorCQlpbmV0X3NrKG5ld3NrKS0+bWNfbGlzdCA9IE5VTEw7CisKIAkJbmV3c2stPnNrX21hcmsgPSBpbmV0X3JzayhyZXEpLT5pcl9tYXJrOwogCiAJCW5ld2ljc2stPmljc2tfcmV0cmFuc21pdHMgPSAwOwo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8890/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8890/^4.11/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8890/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-8890/^4.11/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9075/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9075/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9075/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9075/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9076/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9076/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9076/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9076/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9077/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9077/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9077/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9077/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9150/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9150/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9150/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9150/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch b/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch new file mode 100644 index 00000000..44facbac --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9676/3.0+/0001.patch @@ -0,0 +1,272 @@ +From d109d8d7e2998a635406215a559e298fa7ef4bb8 Mon Sep 17 00:00:00 2001 +From: "lianwei.wang" +Date: Fri, 30 Mar 2012 12:05:50 +0800 +Subject: [PATCH] IKHSS7-18791 msm:fix the list usage in msm_bus_dbg + +The list usage in msm_bus_dbg driver are not correct which will cause +kernel panic. + . The list operation should be protected by a lock, e.g. mutex_lock. + . The list entry should only be operated on a valid entry. + +Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc +Signed-off-by: Lianwei Wang +Reviewed-on: http://gerrit.pcs.mot.com/384275 +Reviewed-by: Guo-Jian Chen +Reviewed-by: Ke Lv +Tested-by: Jira Key +Reviewed-by: Jeffrey Carlyle +Reviewed-by: Check Patch +Reviewed-by: Klocwork kwcheck +Reviewed-by: Tao Hu +--- + arch/arm/mach-msm/msm_bus/msm_bus_dbg.c | 74 ++++++++++++++++++++++++++------- + 1 file changed, 58 insertions(+), 16 deletions(-) + +diff --git a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c +index abd986bca68..76173529d35 100644 +--- a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c ++++ b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c +@@ -28,6 +28,7 @@ + static struct dentry *clients; + static struct dentry *dir; + static DEFINE_MUTEX(msm_bus_dbg_fablist_lock); ++static DEFINE_MUTEX(msm_bus_dbg_cllist_lock); + struct msm_bus_dbg_state { + uint32_t cl; + uint8_t enable; +@@ -271,16 +272,21 @@ static ssize_t client_data_read(struct file *file, char __user *buf, + size_t count, loff_t *ppos) + { + int bsize = 0; ++ ssize_t read_count = 0; + uint32_t cl = (uint32_t)file->private_data; + struct msm_bus_cldata *cldata = NULL; + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry(cldata, &cl_list, list) { +- if (cldata->clid == cl) ++ if (cldata->clid == cl) { ++ bsize = cldata->size; ++ read_count = simple_read_from_buffer(buf, count, ppos, ++ cldata->buffer, bsize); + break; ++ } + } +- bsize = cldata->size; +- return simple_read_from_buffer(buf, count, ppos, +- cldata->buffer, bsize); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); ++ return read_count; + } + + static int client_data_open(struct inode *inode, struct file *file) +@@ -310,9 +316,11 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, + { + struct msm_bus_cldata *cldata; + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + cldata = kmalloc(sizeof(struct msm_bus_cldata), GFP_KERNEL); + if (!cldata) { + MSM_BUS_DBG("Failed to allocate memory for client data\n"); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + return -ENOMEM; + } + cldata->pdata = pdata; +@@ -321,6 +329,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, + cldata->file = file; + cldata->size = 0; + list_add_tail(&cldata->list, &cl_list); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + return 0; + } + +@@ -328,6 +337,7 @@ static void msm_bus_dbg_free_client(uint32_t clid) + { + struct msm_bus_cldata *cldata = NULL; + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry(cldata, &cl_list, list) { + if (cldata->clid == clid) { + debugfs_remove(cldata->file); +@@ -336,23 +346,34 @@ static void msm_bus_dbg_free_client(uint32_t clid) + break; + } + } ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + } + + static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, + int index, uint32_t clid) + { +- int i = 0, j; ++ int i = 0, j, found = 0; + char *buf = NULL; + struct msm_bus_cldata *cldata = NULL; + struct timespec ts; + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry(cldata, &cl_list, list) { +- if (cldata->clid == clid) ++ if (cldata->clid == clid) { ++ found = 1; + break; ++ } ++ } ++ ++ if (!found) { ++ MSM_BUS_DBG("Client(clid=%d) doesn't exist\n", clid); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); ++ return -EINVAL; + } + if (cldata->file == NULL) { + if (pdata->name == NULL) { + MSM_BUS_DBG("Client doesn't have a name\n"); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + return -EINVAL; + } + cldata->file = msm_bus_dbg_create(pdata->name, S_IRUGO, +@@ -390,6 +411,9 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, + i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); + + cldata->size = i; ++ ++ mutex_unlock(&msm_bus_dbg_cllist_lock); ++ + return i; + } + +@@ -426,6 +450,7 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, + chid = buf; + MSM_BUS_DBG("buffer: %s\n size: %d\n", buf, sizeof(ubuf)); + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry(cldata, &cl_list, list) { + if (strstr(chid, cldata->pdata->name)) { + cldata = cldata; +@@ -435,16 +460,19 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, + if (ret) { + MSM_BUS_DBG("Index conversion" + " failed\n"); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + return -EFAULT; + } + } else + MSM_BUS_DBG("Error parsing input. Index not" + " found\n"); ++ msm_bus_dbg_update_request(cldata, index); + break; + } + } + +- msm_bus_dbg_update_request(cldata, index); ++ mutex_unlock(&msm_bus_dbg_cllist_lock); ++ + kfree(buf); + return cnt; + } +@@ -458,17 +486,18 @@ static ssize_t fabric_data_read(struct file *file, char __user *buf, + { + struct msm_bus_fab_list *fablist = NULL; + int bsize = 0; +- ssize_t ret; ++ ssize_t ret = 0; + const char *name = file->private_data; + + mutex_lock(&msm_bus_dbg_fablist_lock); + list_for_each_entry(fablist, &fabdata_list, list) { +- if (strcmp(fablist->name, name) == 0) ++ if (strcmp(fablist->name, name) == 0) { ++ bsize = fablist->size; ++ ret = simple_read_from_buffer(buf, count, ppos, ++ fablist->buffer, bsize); + break; ++ } + } +- bsize = fablist->size; +- ret = simple_read_from_buffer(buf, count, ppos, +- fablist->buffer, bsize); + mutex_unlock(&msm_bus_dbg_fablist_lock); + return ret; + } +@@ -519,16 +548,25 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, + void *cdata, int nmasters, int nslaves, + int ntslaves) + { +- int i; ++ int i, found = 0; + char *buf = NULL; + struct msm_bus_fab_list *fablist = NULL; + struct timespec ts; + + mutex_lock(&msm_bus_dbg_fablist_lock); + list_for_each_entry(fablist, &fabdata_list, list) { +- if (strcmp(fablist->name, fabname) == 0) ++ if (strcmp(fablist->name, fabname) == 0) { ++ found = 1; + break; ++ } ++ } ++ ++ if (!found) { ++ MSM_BUS_DBG("Fabric dbg entry %s does not exist, fabname\n"); ++ mutex_unlock(&msm_bus_dbg_fablist_lock); ++ return -EINVAL; + } ++ + if (fablist->file == NULL) { + MSM_BUS_DBG("Fabric dbg entry does not exist\n"); + mutex_unlock(&msm_bus_dbg_fablist_lock); +@@ -542,7 +580,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, + fablist->size = 0; + } + buf = fablist->buffer; +- mutex_unlock(&msm_bus_dbg_fablist_lock); + ts = ktime_to_timespec(ktime_get()); + i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n%d.%d\n", + (int)ts.tv_sec, (int)ts.tv_nsec); +@@ -550,7 +587,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, + msm_bus_rpm_fill_cdata_buffer(&i, buf + i, MAX_BUFF_SIZE, cdata, + nmasters, nslaves, ntslaves); + i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); +- mutex_lock(&msm_bus_dbg_fablist_lock); + fablist->size = i; + mutex_unlock(&msm_bus_dbg_fablist_lock); + return 0; +@@ -660,6 +696,7 @@ static int __init msm_bus_debugfs_init(void) + clients, NULL, &msm_bus_dbg_update_request_fops) == NULL) + goto err; + ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry(cldata, &cl_list, list) { + if (cldata->pdata->name == NULL) { + MSM_BUS_DBG("Client name not found\n"); +@@ -668,6 +705,7 @@ static int __init msm_bus_debugfs_init(void) + cldata->file = msm_bus_dbg_create(cldata-> + pdata->name, S_IRUGO, clients, cldata->clid); + } ++ mutex_unlock(&msm_bus_dbg_cllist_lock); + + mutex_lock(&msm_bus_dbg_fablist_lock); + list_for_each_entry(fablist, &fabdata_list, list) { +@@ -675,6 +713,7 @@ static int __init msm_bus_debugfs_init(void) + commit, (void *)fablist->name, &fabric_data_fops); + if (fablist->file == NULL) { + MSM_BUS_DBG("Cannot create files for commit data\n"); ++ mutex_unlock(&msm_bus_dbg_fablist_lock); + goto err; + } + } +@@ -694,10 +733,13 @@ static void __exit msm_bus_dbg_teardown(void) + struct msm_bus_cldata *cldata = NULL, *cldata_temp; + + debugfs_remove_recursive(dir); ++ mutex_lock(&msm_bus_dbg_cllist_lock); + list_for_each_entry_safe(cldata, cldata_temp, &cl_list, list) { + list_del(&cldata->list); + kfree(cldata); + } ++ mutex_unlock(&msm_bus_dbg_cllist_lock); ++ + mutex_lock(&msm_bus_dbg_fablist_lock); + list_for_each_entry_safe(fablist, fablist_temp, &fabdata_list, list) { + list_del(&fablist->list); diff --git a/Patches/Linux_CVEs/CVE-2017-9676/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9676/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9676/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9676/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch new file mode 100644 index 00000000..a367d6ff --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9677/3.10/0001.patch @@ -0,0 +1,1858 @@ +From b62291edb424281ed31a4e15140b16972ce9eef1 Mon Sep 17 00:00:00 2001 +From: Xiaojun Sang +Date: Thu, 27 Apr 2017 14:44:25 +0800 +Subject: ASoC: msm: remove unused msm-compr-q6-v2 + +msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used. + +CRs-Fixed: 2022953 +Bug: 62379475 +Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7 +Signed-off-by: Xiaojun Sang +--- + sound/soc/msm/apq8084-i2s.c | 2 +- + sound/soc/msm/apq8084.c | 2 +- + sound/soc/msm/msm8226.c | 2 +- + sound/soc/msm/msm8974.c | 2 +- + sound/soc/msm/msm8994.c | 2 +- + sound/soc/msm/qdsp6v2/Makefile | 2 +- + sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1707 ------------------------------- + sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h | 36 - + 8 files changed, 6 insertions(+), 1749 deletions(-) + delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c + delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h + +diff --git a/sound/soc/msm/apq8084-i2s.c b/sound/soc/msm/apq8084-i2s.c +index 794aa25..5897e9c 100644 +--- a/sound/soc/msm/apq8084-i2s.c ++++ b/sound/soc/msm/apq8084-i2s.c +@@ -1826,7 +1826,7 @@ static struct snd_soc_dai_link apq8084_dai_links[] = { + .name = "APQ8084 Compr8", + .stream_name = "COMPR8", + .cpu_dai_name = "MultiMedia8", +- .platform_name = "msm-compr-dsp", ++ .platform_name = "msm-compress-dsp", + .dynamic = 1, + .trigger = {SND_SOC_DPCM_TRIGGER_POST, + SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/msm/apq8084.c b/sound/soc/msm/apq8084.c +index aa2e25f..2b02e5d 100644 +--- a/sound/soc/msm/apq8084.c ++++ b/sound/soc/msm/apq8084.c +@@ -3046,7 +3046,7 @@ static struct snd_soc_dai_link apq8084_common_dai_links[] = { + .name = "APQ8084 Compr8", + .stream_name = "COMPR8", + .cpu_dai_name = "MultiMedia8", +- .platform_name = "msm-compr-dsp", ++ .platform_name = "msm-compress-dsp", + .dynamic = 1, + .async_ops = ASYNC_DPCM_SND_SOC_PREPARE + | ASYNC_DPCM_SND_SOC_HW_PARAMS, +diff --git a/sound/soc/msm/msm8226.c b/sound/soc/msm/msm8226.c +index 4095c12..113d77b 100644 +--- a/sound/soc/msm/msm8226.c ++++ b/sound/soc/msm/msm8226.c +@@ -1495,7 +1495,7 @@ static struct snd_soc_dai_link msm8226_common_dai[] = { + .name = "MSM8226 Compr8", + .stream_name = "COMPR8", + .cpu_dai_name = "MultiMedia8", +- .platform_name = "msm-compr-dsp", ++ .platform_name = "msm-compress-dsp", + .dynamic = 1, + .trigger = {SND_SOC_DPCM_TRIGGER_POST, + SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/msm/msm8974.c b/sound/soc/msm/msm8974.c +index fd69611..4cfd7c3 100644 +--- a/sound/soc/msm/msm8974.c ++++ b/sound/soc/msm/msm8974.c +@@ -2164,7 +2164,7 @@ static struct snd_soc_dai_link msm8974_common_dai_links[] = { + .name = "MSM8974 Compr8", + .stream_name = "COMPR8", + .cpu_dai_name = "MultiMedia8", +- .platform_name = "msm-compr-dsp", ++ .platform_name = "msm-compress-dsp", + .dynamic = 1, + .trigger = {SND_SOC_DPCM_TRIGGER_POST, + SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/msm/msm8994.c b/sound/soc/msm/msm8994.c +index 1285c59..8678fb1 100644 +--- a/sound/soc/msm/msm8994.c ++++ b/sound/soc/msm/msm8994.c +@@ -2684,7 +2684,7 @@ static struct snd_soc_dai_link msm8994_common_dai_links[] = { + .name = "MSM8994 Compr8", + .stream_name = "COMPR8", + .cpu_dai_name = "MultiMedia8", +- .platform_name = "msm-compr-dsp", ++ .platform_name = "msm-compress-dsp", + .dynamic = 1, + .trigger = {SND_SOC_DPCM_TRIGGER_POST, + SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/msm/qdsp6v2/Makefile b/sound/soc/msm/qdsp6v2/Makefile +index 5865eb9..41f3984 100644 +--- a/sound/soc/msm/qdsp6v2/Makefile ++++ b/sound/soc/msm/qdsp6v2/Makefile +@@ -1,5 +1,5 @@ + snd-soc-qdsp6v2-objs += msm-dai-q6-v2.o msm-pcm-q6-v2.o msm-pcm-routing-v2.o \ +- msm-compress-q6-v2.o msm-compr-q6-v2.o \ ++ msm-compress-q6-v2.o \ + msm-pcm-lpa-v2.o \ + msm-pcm-afe-v2.o msm-pcm-voip-v2.o \ + msm-pcm-voice-v2.o msm-dai-q6-hdmi-v2.o \ +diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +deleted file mode 100644 +index 5fe5f24..0000000 +--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c ++++ /dev/null +@@ -1,1707 +0,0 @@ +-/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 and +- * only version 2 as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- */ +- +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +- +-#include "msm-compr-q6-v2.h" +-#include "msm-pcm-routing-v2.h" +-#include "audio_ocmem.h" +-#include +- +-#define COMPRE_CAPTURE_NUM_PERIODS 16 +-/* Allocate the worst case frame size for compressed audio */ +-#define COMPRE_CAPTURE_HEADER_SIZE (sizeof(struct snd_compr_audio_info)) +-/* Changing period size to 4032. 4032 will make sure COMPRE_CAPTURE_PERIOD_SIZE +- * is 4096 with meta data size of 64 and MAX_NUM_FRAMES_PER_BUFFER 1 +- */ +-#define COMPRE_CAPTURE_MAX_FRAME_SIZE (4032) +-#define COMPRE_CAPTURE_PERIOD_SIZE ((COMPRE_CAPTURE_MAX_FRAME_SIZE + \ +- COMPRE_CAPTURE_HEADER_SIZE) * \ +- MAX_NUM_FRAMES_PER_BUFFER) +-#define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st)) +-#define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000 +- +-#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int)) +-#define AMR_WB_BAND_MODE 8 +-#define AMR_WB_DTX_MODE 0 +- +- +-const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0, +- COMPRESSED_LR_VOL_MAX_STEPS); +-struct snd_msm { +- atomic_t audio_ocmem_req; +-}; +-static struct snd_msm compressed_audio; +- +-static struct audio_locks the_locks; +- +-static struct snd_pcm_hardware msm_compr_hardware_capture = { +- .info = (SNDRV_PCM_INFO_MMAP | +- SNDRV_PCM_INFO_BLOCK_TRANSFER | +- SNDRV_PCM_INFO_MMAP_VALID | +- SNDRV_PCM_INFO_INTERLEAVED | +- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), +- .formats = SNDRV_PCM_FMTBIT_S16_LE, +- .rates = SNDRV_PCM_RATE_8000_48000, +- .rate_min = 8000, +- .rate_max = 48000, +- .channels_min = 1, +- .channels_max = 8, +- .buffer_bytes_max = +- COMPRE_CAPTURE_PERIOD_SIZE * COMPRE_CAPTURE_NUM_PERIODS , +- .period_bytes_min = COMPRE_CAPTURE_PERIOD_SIZE, +- .period_bytes_max = COMPRE_CAPTURE_PERIOD_SIZE, +- .periods_min = COMPRE_CAPTURE_NUM_PERIODS, +- .periods_max = COMPRE_CAPTURE_NUM_PERIODS, +- .fifo_size = 0, +-}; +- +-static struct snd_pcm_hardware msm_compr_hardware_playback = { +- .info = (SNDRV_PCM_INFO_MMAP | +- SNDRV_PCM_INFO_BLOCK_TRANSFER | +- SNDRV_PCM_INFO_MMAP_VALID | +- SNDRV_PCM_INFO_INTERLEAVED | +- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), +- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE, +- .rates = SNDRV_PCM_RATE_8000_48000 | SNDRV_PCM_RATE_KNOT, +- .rate_min = 8000, +- .rate_max = 48000, +- .channels_min = 1, +- .channels_max = 8, +- .buffer_bytes_max = 1024 * 1024, +- .period_bytes_min = 128 * 1024, +- .period_bytes_max = 256 * 1024, +- .periods_min = 4, +- .periods_max = 8, +- .fifo_size = 0, +-}; +- +-/* Conventional and unconventional sample rate supported */ +-static unsigned int supported_sample_rates[] = { +- 8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000 +-}; +- +-/* Add supported codecs for compress capture path */ +-static uint32_t supported_compr_capture_codecs[] = { +- SND_AUDIOCODEC_AMRWB +-}; +- +-static struct snd_pcm_hw_constraint_list constraints_sample_rates = { +- .count = ARRAY_SIZE(supported_sample_rates), +- .list = supported_sample_rates, +- .mask = 0, +-}; +- +-static bool msm_compr_capture_codecs(uint32_t req_codec) +-{ +- int i; +- pr_debug("%s req_codec:%d\n", __func__, req_codec); +- if (req_codec == 0) +- return false; +- for (i = 0; i < ARRAY_SIZE(supported_compr_capture_codecs); i++) { +- if (req_codec == supported_compr_capture_codecs[i]) +- return true; +- } +- return false; +-} +- +-static void compr_event_handler(uint32_t opcode, +- uint32_t token, uint32_t *payload, void *priv) +-{ +- struct compr_audio *compr = priv; +- struct msm_audio *prtd = &compr->prtd; +- struct snd_pcm_substream *substream = prtd->substream; +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct audio_aio_write_param param; +- struct audio_aio_read_param read_param; +- struct audio_buffer *buf = NULL; +- phys_addr_t temp; +- struct output_meta_data_st output_meta_data; +- uint32_t *ptrmem = (uint32_t *)payload; +- int i = 0; +- int time_stamp_flag = 0; +- int buffer_length = 0; +- int stop_playback = 0; +- +- pr_debug("%s opcode =%08x\n", __func__, opcode); +- switch (opcode) { +- case ASM_DATA_EVENT_WRITE_DONE_V2: { +- uint32_t *ptrmem = (uint32_t *)¶m; +- pr_debug("ASM_DATA_EVENT_WRITE_DONE\n"); +- pr_debug("Buffer Consumed = 0x%08x\n", *ptrmem); +- prtd->pcm_irq_pos += prtd->pcm_count; +- if (atomic_read(&prtd->start)) +- snd_pcm_period_elapsed(substream); +- else +- if (substream->timer_running) +- snd_timer_interrupt(substream->timer, 1); +- atomic_inc(&prtd->out_count); +- wake_up(&the_locks.write_wait); +- if (!atomic_read(&prtd->start)) { +- atomic_set(&prtd->pending_buffer, 1); +- break; +- } else +- atomic_set(&prtd->pending_buffer, 0); +- +- /* +- * check for underrun +- */ +- snd_pcm_stream_lock_irq(substream); +- if (runtime->status->hw_ptr >= runtime->control->appl_ptr) { +- runtime->render_flag |= SNDRV_RENDER_STOPPED; +- stop_playback = 1; +- } +- snd_pcm_stream_unlock_irq(substream); +- +- if (stop_playback) { +- pr_err("underrun! render stopped\n"); +- break; +- } +- +- buf = prtd->audio_client->port[IN].buf; +- pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", +- __func__, prtd->pcm_count, prtd->out_head); +- temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); +- pr_debug("%s:writing buffer[%d] from 0x%pa\n", +- __func__, prtd->out_head, &temp); +- +- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) +- time_stamp_flag = SET_TIMESTAMP; +- else +- time_stamp_flag = NO_TIMESTAMP; +- memcpy(&output_meta_data, (char *)(buf->data + +- prtd->out_head * prtd->pcm_count), +- COMPRE_OUTPUT_METADATA_SIZE); +- +- buffer_length = output_meta_data.frame_size; +- pr_debug("meta_data_length: %d, frame_length: %d\n", +- output_meta_data.meta_data_length, +- output_meta_data.frame_size); +- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", +- output_meta_data.timestamp_msw, +- output_meta_data.timestamp_lsw); +- if (buffer_length == 0) { +- pr_debug("Recieved a zero length buffer-break out"); +- break; +- } +- param.paddr = temp + output_meta_data.meta_data_length; +- param.len = buffer_length; +- param.msw_ts = output_meta_data.timestamp_msw; +- param.lsw_ts = output_meta_data.timestamp_lsw; +- param.flags = time_stamp_flag; +- param.uid = prtd->session_id; +- for (i = 0; i < sizeof(struct audio_aio_write_param)/4; +- i++, ++ptrmem) +- pr_debug("cmd[%d]=0x%08x\n", i, *ptrmem); +- if (q6asm_async_write(prtd->audio_client, +- ¶m) < 0) +- pr_err("%s:q6asm_async_write failed\n", +- __func__); +- else +- prtd->out_head = +- (prtd->out_head + 1) & (runtime->periods - 1); +- break; +- } +- case ASM_DATA_EVENT_RENDERED_EOS: +- pr_debug("ASM_DATA_CMDRSP_EOS\n"); +- if (atomic_read(&prtd->eos)) { +- pr_debug("ASM_DATA_CMDRSP_EOS wake up\n"); +- prtd->cmd_ack = 1; +- wake_up(&the_locks.eos_wait); +- atomic_set(&prtd->eos, 0); +- } +- break; +- case ASM_DATA_EVENT_READ_DONE_V2: { +- pr_debug("ASM_DATA_EVENT_READ_DONE\n"); +- pr_debug("buf = %pK, data = 0x%X, *data = %pK,\n" +- "prtd->pcm_irq_pos = %d\n", +- prtd->audio_client->port[OUT].buf, +- *(uint32_t *)prtd->audio_client->port[OUT].buf->data, +- prtd->audio_client->port[OUT].buf->data, +- prtd->pcm_irq_pos); +- +- memcpy(prtd->audio_client->port[OUT].buf->data + +- prtd->pcm_irq_pos, (ptrmem + READDONE_IDX_SIZE), +- COMPRE_CAPTURE_HEADER_SIZE); +- pr_debug("buf = %pK, updated data = 0x%X, *data = %pK\n", +- prtd->audio_client->port[OUT].buf, +- *(uint32_t *)(prtd->audio_client->port[OUT].buf->data + +- prtd->pcm_irq_pos), +- prtd->audio_client->port[OUT].buf->data); +- if (!atomic_read(&prtd->start)) +- break; +- pr_debug("frame size=%d, buffer = 0x%X\n", +- ptrmem[READDONE_IDX_SIZE], +- ptrmem[READDONE_IDX_BUFADD_LSW]); +- if (ptrmem[READDONE_IDX_SIZE] > COMPRE_CAPTURE_MAX_FRAME_SIZE) { +- pr_err("Frame length exceeded the max length"); +- break; +- } +- buf = prtd->audio_client->port[OUT].buf; +- +- pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pa\n", +- prtd->pcm_irq_pos, &buf[0].phys); +- read_param.len = prtd->pcm_count - COMPRE_CAPTURE_HEADER_SIZE; +- read_param.paddr = buf[0].phys + +- prtd->pcm_irq_pos + COMPRE_CAPTURE_HEADER_SIZE; +- prtd->pcm_irq_pos += prtd->pcm_count; +- +- if (atomic_read(&prtd->start)) +- snd_pcm_period_elapsed(substream); +- +- q6asm_async_read(prtd->audio_client, &read_param); +- break; +- } +- case APR_BASIC_RSP_RESULT: { +- switch (payload[0]) { +- case ASM_SESSION_CMD_RUN_V2: { +- if (substream->stream +- != SNDRV_PCM_STREAM_PLAYBACK) { +- atomic_set(&prtd->start, 1); +- break; +- } +- if (!atomic_read(&prtd->pending_buffer)) +- break; +- pr_debug("%s: writing %d bytes of buffer[%d] to dsp\n", +- __func__, prtd->pcm_count, prtd->out_head); +- buf = prtd->audio_client->port[IN].buf; +- pr_debug("%s: writing buffer[%d] from 0x%pa head %d count %d\n", +- __func__, prtd->out_head, &buf[0].phys, +- prtd->pcm_count, prtd->out_head); +- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) +- time_stamp_flag = SET_TIMESTAMP; +- else +- time_stamp_flag = NO_TIMESTAMP; +- memcpy(&output_meta_data, (char *)(buf->data + +- prtd->out_head * prtd->pcm_count), +- COMPRE_OUTPUT_METADATA_SIZE); +- buffer_length = output_meta_data.frame_size; +- pr_debug("meta_data_length: %d, frame_length: %d\n", +- output_meta_data.meta_data_length, +- output_meta_data.frame_size); +- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", +- output_meta_data.timestamp_msw, +- output_meta_data.timestamp_lsw); +- param.paddr = buf[prtd->out_head].phys +- + output_meta_data.meta_data_length; +- param.len = buffer_length; +- param.msw_ts = output_meta_data.timestamp_msw; +- param.lsw_ts = output_meta_data.timestamp_lsw; +- param.flags = time_stamp_flag; +- param.uid = prtd->session_id; +- param.metadata_len = COMPRE_OUTPUT_METADATA_SIZE; +- if (q6asm_async_write(prtd->audio_client, +- ¶m) < 0) +- pr_err("%s:q6asm_async_write failed\n", +- __func__); +- else +- prtd->out_head = +- (prtd->out_head + 1) +- & (runtime->periods - 1); +- atomic_set(&prtd->pending_buffer, 0); +- } +- break; +- case ASM_STREAM_CMD_FLUSH: +- pr_debug("ASM_STREAM_CMD_FLUSH\n"); +- prtd->cmd_ack = 1; +- wake_up(&the_locks.flush_wait); +- break; +- default: +- break; +- } +- break; +- } +- default: +- pr_debug("Not Supported Event opcode[0x%x]\n", opcode); +- break; +- } +-} +- +-static int msm_compr_send_ddp_cfg(struct audio_client *ac, +- struct snd_dec_ddp *ddp) +-{ +- int i, rc; +- pr_debug("%s\n", __func__); +- for (i = 0; i < ddp->params_length/2; i++) { +- rc = q6asm_ds1_set_endp_params(ac, ddp->params_id[i], +- ddp->params_value[i]); +- if (rc) { +- pr_err("sending params_id: %d failed\n", +- ddp->params_id[i]); +- return rc; +- } +- } +- return 0; +-} +- +-static int msm_compr_playback_prepare(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; +- struct msm_audio *prtd = &compr->prtd; +- struct snd_pcm_hw_params *params; +- struct asm_aac_cfg aac_cfg; +- uint16_t bits_per_sample = 16; +- int ret; +- +- struct asm_softpause_params softpause = { +- .enable = SOFT_PAUSE_ENABLE, +- .period = SOFT_PAUSE_PERIOD, +- .step = SOFT_PAUSE_STEP, +- .rampingcurve = SOFT_PAUSE_CURVE_LINEAR, +- }; +- struct asm_softvolume_params softvol = { +- .period = SOFT_VOLUME_PERIOD, +- .step = SOFT_VOLUME_STEP, +- .rampingcurve = SOFT_VOLUME_CURVE_LINEAR, +- }; +- +- pr_debug("%s\n", __func__); +- +- params = &soc_prtd->dpcm[substream->stream].hw_params; +- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) +- bits_per_sample = 24; +- +- ret = q6asm_open_write_v2(prtd->audio_client, +- compr->codec, bits_per_sample); +- if (ret < 0) { +- pr_err("%s: Session out open failed\n", +- __func__); +- return -ENOMEM; +- } +- msm_pcm_routing_reg_phy_stream( +- soc_prtd->dai_link->be_id, +- prtd->audio_client->perf_mode, +- prtd->session_id, +- substream->stream); +- /* +- * the number of channels are required to call volume api +- * accoridngly. So, get channels from hw params +- */ +- if ((params_channels(params) > 0) && +- (params_periods(params) <= runtime->hw.channels_max)) +- prtd->channel_mode = params_channels(params); +- +- ret = q6asm_set_softpause(prtd->audio_client, &softpause); +- if (ret < 0) +- pr_err("%s: Send SoftPause Param failed ret=%d\n", +- __func__, ret); +- ret = q6asm_set_softvolume(prtd->audio_client, &softvol); +- if (ret < 0) +- pr_err("%s: Send SoftVolume Param failed ret=%d\n", +- __func__, ret); +- +- ret = q6asm_set_io_mode(prtd->audio_client, +- (COMPRESSED_IO | ASYNC_IO_MODE)); +- if (ret < 0) { +- pr_err("%s: Set IO mode failed\n", __func__); +- return -ENOMEM; +- } +- +- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); +- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); +- prtd->pcm_irq_pos = 0; +- /* rate and channels are sent to audio driver */ +- prtd->samp_rate = runtime->rate; +- prtd->channel_mode = runtime->channels; +- prtd->out_head = 0; +- atomic_set(&prtd->out_count, runtime->periods); +- +- if (prtd->enabled) +- return 0; +- +- switch (compr->info.codec_param.codec.id) { +- case SND_AUDIOCODEC_MP3: +- /* No media format block for mp3 */ +- break; +- case SND_AUDIOCODEC_AAC: +- pr_debug("%s: SND_AUDIOCODEC_AAC\n", __func__); +- memset(&aac_cfg, 0x0, sizeof(struct asm_aac_cfg)); +- aac_cfg.aot = AAC_ENC_MODE_EAAC_P; +- aac_cfg.format = 0x03; +- aac_cfg.ch_cfg = runtime->channels; +- aac_cfg.sample_rate = runtime->rate; +- ret = q6asm_media_format_block_aac(prtd->audio_client, +- &aac_cfg); +- if (ret < 0) +- pr_err("%s: CMD Format block failed\n", __func__); +- break; +- case SND_AUDIOCODEC_AC3: { +- struct snd_dec_ddp *ddp = +- &compr->info.codec_param.codec.options.ddp; +- pr_debug("%s: SND_AUDIOCODEC_AC3\n", __func__); +- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); +- if (ret < 0) +- pr_err("%s: DDP CMD CFG failed\n", __func__); +- break; +- } +- case SND_AUDIOCODEC_EAC3: { +- struct snd_dec_ddp *ddp = +- &compr->info.codec_param.codec.options.ddp; +- pr_debug("%s: SND_AUDIOCODEC_EAC3\n", __func__); +- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); +- if (ret < 0) +- pr_err("%s: DDP CMD CFG failed\n", __func__); +- break; +- } +- default: +- return -EINVAL; +- } +- +- prtd->enabled = 1; +- prtd->cmd_ack = 0; +- prtd->cmd_interrupt = 0; +- +- return 0; +-} +- +-static int msm_compr_capture_prepare(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- struct audio_buffer *buf = prtd->audio_client->port[OUT].buf; +- struct snd_codec *codec = &compr->info.codec_param.codec; +- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; +- struct audio_aio_read_param read_param; +- uint16_t bits_per_sample = 16; +- int ret = 0; +- int i; +- +- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); +- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); +- prtd->pcm_irq_pos = 0; +- +- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) +- bits_per_sample = 24; +- +- if (!msm_compr_capture_codecs( +- compr->info.codec_param.codec.id)) { +- /* +- * request codec invalid or not supported, +- * use default compress format +- */ +- compr->info.codec_param.codec.id = +- SND_AUDIOCODEC_AMRWB; +- } +- switch (compr->info.codec_param.codec.id) { +- case SND_AUDIOCODEC_AMRWB: +- pr_debug("q6asm_open_read(FORMAT_AMRWB)\n"); +- ret = q6asm_open_read(prtd->audio_client, +- FORMAT_AMRWB); +- if (ret < 0) { +- pr_err("%s: compressed Session out open failed\n", +- __func__); +- return -ENOMEM; +- } +- pr_debug("msm_pcm_routing_reg_phy_stream\n"); +- msm_pcm_routing_reg_phy_stream( +- soc_prtd->dai_link->be_id, +- prtd->audio_client->perf_mode, +- prtd->session_id, substream->stream); +- break; +- default: +- pr_debug("q6asm_open_read_compressed(COMPRESSED_META_DATA_MODE)\n"); +- /* +- ret = q6asm_open_read_compressed(prtd->audio_client, +- MAX_NUM_FRAMES_PER_BUFFER, +- COMPRESSED_META_DATA_MODE); +- */ +- ret = -EINVAL; +- break; +- } +- +- if (ret < 0) { +- pr_err("%s: compressed Session out open failed\n", +- __func__); +- return -ENOMEM; +- } +- +- ret = q6asm_set_io_mode(prtd->audio_client, +- (COMPRESSED_IO | ASYNC_IO_MODE)); +- if (ret < 0) { +- pr_err("%s: Set IO mode failed\n", __func__); +- return -ENOMEM; +- } +- +- if (!msm_compr_capture_codecs(codec->id)) { +- /* +- * request codec invalid or not supported, +- * use default compress format +- */ +- codec->id = SND_AUDIOCODEC_AMRWB; +- } +- /* rate and channels are sent to audio driver */ +- prtd->samp_rate = runtime->rate; +- prtd->channel_mode = runtime->channels; +- +- if (prtd->enabled) +- return ret; +- read_param.len = prtd->pcm_count; +- +- switch (codec->id) { +- case SND_AUDIOCODEC_AMRWB: +- pr_debug("SND_AUDIOCODEC_AMRWB\n"); +- ret = q6asm_enc_cfg_blk_amrwb(prtd->audio_client, +- MAX_NUM_FRAMES_PER_BUFFER, +- /* +- * use fixed band mode and dtx mode +- * band mode - 23.85 kbps +- */ +- AMR_WB_BAND_MODE, +- /* dtx mode - disable */ +- AMR_WB_DTX_MODE); +- if (ret < 0) +- pr_err("%s: CMD Format block failed: %d\n", +- __func__, ret); +- break; +- default: +- pr_debug("No config for codec %d\n", codec->id); +- } +- pr_debug("%s: Samp_rate = %d, Channel = %d, pcm_size = %d,\n" +- "pcm_count = %d, periods = %d\n", +- __func__, prtd->samp_rate, prtd->channel_mode, +- prtd->pcm_size, prtd->pcm_count, runtime->periods); +- +- for (i = 0; i < runtime->periods; i++) { +- read_param.uid = i; +- switch (codec->id) { +- case SND_AUDIOCODEC_AMRWB: +- read_param.len = prtd->pcm_count +- - COMPRE_CAPTURE_HEADER_SIZE; +- read_param.paddr = buf[i].phys +- + COMPRE_CAPTURE_HEADER_SIZE; +- pr_debug("Push buffer [%d] to DSP, paddr: %pa, vaddr: %pK\n", +- i, &read_param.paddr, +- buf[i].data); +- q6asm_async_read(prtd->audio_client, &read_param); +- break; +- default: +- read_param.paddr = buf[i].phys; +- /*q6asm_async_read_compressed(prtd->audio_client, +- &read_param);*/ +- pr_debug("%s: To add support for read compressed\n", +- __func__); +- ret = -EINVAL; +- break; +- } +- } +- prtd->periods = runtime->periods; +- +- prtd->enabled = 1; +- +- return ret; +-} +- +-static int msm_compr_trigger(struct snd_pcm_substream *substream, int cmd) +-{ +- int ret = 0; +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- +- pr_debug("%s\n", __func__); +- switch (cmd) { +- case SNDRV_PCM_TRIGGER_START: +- prtd->pcm_irq_pos = 0; +- +- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { +- if (!msm_compr_capture_codecs( +- compr->info.codec_param.codec.id)) { +- /* +- * request codec invalid or not supported, +- * use default compress format +- */ +- compr->info.codec_param.codec.id = +- SND_AUDIOCODEC_AMRWB; +- } +- switch (compr->info.codec_param.codec.id) { +- case SND_AUDIOCODEC_AMRWB: +- break; +- default: +- msm_pcm_routing_reg_psthr_stream( +- soc_prtd->dai_link->be_id, +- prtd->session_id, substream->stream); +- break; +- } +- } +- atomic_set(&prtd->pending_buffer, 1); +- case SNDRV_PCM_TRIGGER_RESUME: +- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: +- pr_debug("%s: Trigger start\n", __func__); +- q6asm_run_nowait(prtd->audio_client, 0, 0, 0); +- atomic_set(&prtd->start, 1); +- break; +- case SNDRV_PCM_TRIGGER_STOP: +- pr_debug("SNDRV_PCM_TRIGGER_STOP\n"); +- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { +- switch (compr->info.codec_param.codec.id) { +- case SND_AUDIOCODEC_AMRWB: +- break; +- default: +- msm_pcm_routing_reg_psthr_stream( +- soc_prtd->dai_link->be_id, +- prtd->session_id, substream->stream); +- break; +- } +- } +- atomic_set(&prtd->start, 0); +- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; +- break; +- case SNDRV_PCM_TRIGGER_SUSPEND: +- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- pr_debug("SNDRV_PCM_TRIGGER_PAUSE\n"); +- q6asm_cmd_nowait(prtd->audio_client, CMD_PAUSE); +- atomic_set(&prtd->start, 0); +- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; +- break; +- default: +- ret = -EINVAL; +- break; +- } +- +- return ret; +-} +- +-static void populate_codec_list(struct compr_audio *compr, +- struct snd_pcm_runtime *runtime) +-{ +- pr_debug("%s\n", __func__); +- /* MP3 Block */ +- compr->info.compr_cap.num_codecs = 5; +- compr->info.compr_cap.min_fragment_size = runtime->hw.period_bytes_min; +- compr->info.compr_cap.max_fragment_size = runtime->hw.period_bytes_max; +- compr->info.compr_cap.min_fragments = runtime->hw.periods_min; +- compr->info.compr_cap.max_fragments = runtime->hw.periods_max; +- compr->info.compr_cap.codecs[0] = SND_AUDIOCODEC_MP3; +- compr->info.compr_cap.codecs[1] = SND_AUDIOCODEC_AAC; +- compr->info.compr_cap.codecs[2] = SND_AUDIOCODEC_AC3; +- compr->info.compr_cap.codecs[3] = SND_AUDIOCODEC_EAC3; +- compr->info.compr_cap.codecs[4] = SND_AUDIOCODEC_AMRWB; +- /* Add new codecs here */ +-} +- +-static int msm_compr_open(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr; +- struct msm_audio *prtd; +- int ret = 0; +- +- pr_debug("%s\n", __func__); +- compr = kzalloc(sizeof(struct compr_audio), GFP_KERNEL); +- if (compr == NULL) { +- pr_err("Failed to allocate memory for msm_audio\n"); +- return -ENOMEM; +- } +- prtd = &compr->prtd; +- prtd->substream = substream; +- runtime->render_flag = SNDRV_DMA_MODE; +- prtd->audio_client = q6asm_audio_client_alloc( +- (app_cb)compr_event_handler, compr); +- if (!prtd->audio_client) { +- pr_info("%s: Could not allocate memory\n", __func__); +- kfree(prtd); +- return -ENOMEM; +- } +- +- prtd->audio_client->perf_mode = false; +- pr_info("%s: session ID %d\n", __func__, prtd->audio_client->session); +- +- prtd->session_id = prtd->audio_client->session; +- +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +- runtime->hw = msm_compr_hardware_playback; +- prtd->cmd_ack = 1; +- } else { +- runtime->hw = msm_compr_hardware_capture; +- } +- +- +- ret = snd_pcm_hw_constraint_list(runtime, 0, +- SNDRV_PCM_HW_PARAM_RATE, +- &constraints_sample_rates); +- if (ret < 0) +- pr_info("snd_pcm_hw_constraint_list failed\n"); +- /* Ensure that buffer size is a multiple of period size */ +- ret = snd_pcm_hw_constraint_integer(runtime, +- SNDRV_PCM_HW_PARAM_PERIODS); +- if (ret < 0) +- pr_info("snd_pcm_hw_constraint_integer failed\n"); +- +- prtd->dsp_cnt = 0; +- atomic_set(&prtd->pending_buffer, 1); +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- compr->codec = FORMAT_MP3; +- populate_codec_list(compr, runtime); +- runtime->private_data = compr; +- atomic_set(&prtd->eos, 0); +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +- if (!atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 0, 1)) +- audio_ocmem_process_req(AUDIO, true); +- else +- atomic_inc(&compressed_audio.audio_ocmem_req); +- pr_debug("%s: req: %d\n", __func__, +- atomic_read(&compressed_audio.audio_ocmem_req)); +- } +- return 0; +-} +- +-static int compressed_set_volume(struct msm_audio *prtd, uint32_t volume) +-{ +- int rc = 0; +- int avg_vol = 0; +- int lgain = (volume >> 16) & 0xFFFF; +- int rgain = volume & 0xFFFF; +- if (prtd && prtd->audio_client) { +- pr_debug("%s: channels %d volume 0x%x\n", __func__, +- prtd->channel_mode, volume); +- if ((prtd->channel_mode == 2) && +- (lgain != rgain)) { +- pr_debug("%s: call q6asm_set_lrgain\n", __func__); +- rc = q6asm_set_lrgain(prtd->audio_client, lgain, rgain); +- } else { +- avg_vol = (lgain + rgain)/2; +- pr_debug("%s: call q6asm_set_volume\n", __func__); +- rc = q6asm_set_volume(prtd->audio_client, avg_vol); +- } +- if (rc < 0) { +- pr_err("%s: Send Volume command failed rc=%d\n", +- __func__, rc); +- } +- } +- return rc; +-} +- +-static int msm_compr_playback_close(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- int dir = 0; +- +- pr_debug("%s\n", __func__); +- +- dir = IN; +- atomic_set(&prtd->pending_buffer, 0); +- +- if (atomic_read(&compressed_audio.audio_ocmem_req) > 1) +- atomic_dec(&compressed_audio.audio_ocmem_req); +- else if (atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 1, 0)) +- audio_ocmem_process_req(AUDIO, false); +- +- pr_debug("%s: req: %d\n", __func__, +- atomic_read(&compressed_audio.audio_ocmem_req)); +- prtd->pcm_irq_pos = 0; +- q6asm_cmd(prtd->audio_client, CMD_CLOSE); +- q6asm_audio_client_buf_free_contiguous(dir, +- prtd->audio_client); +- msm_pcm_routing_dereg_phy_stream( +- soc_prtd->dai_link->be_id, +- SNDRV_PCM_STREAM_PLAYBACK); +- q6asm_audio_client_free(prtd->audio_client); +- kfree(prtd); +- return 0; +-} +- +-static int msm_compr_capture_close(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- int dir = OUT; +- +- pr_debug("%s\n", __func__); +- atomic_set(&prtd->pending_buffer, 0); +- q6asm_cmd(prtd->audio_client, CMD_CLOSE); +- q6asm_audio_client_buf_free_contiguous(dir, +- prtd->audio_client); +- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, +- SNDRV_PCM_STREAM_CAPTURE); +- q6asm_audio_client_free(prtd->audio_client); +- kfree(prtd); +- return 0; +-} +- +-static int msm_compr_close(struct snd_pcm_substream *substream) +-{ +- int ret = 0; +- +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- ret = msm_compr_playback_close(substream); +- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) +- ret = msm_compr_capture_close(substream); +- return ret; +-} +- +-static int msm_compr_prepare(struct snd_pcm_substream *substream) +-{ +- int ret = 0; +- +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- ret = msm_compr_playback_prepare(substream); +- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) +- ret = msm_compr_capture_prepare(substream); +- return ret; +-} +- +-static snd_pcm_uframes_t msm_compr_pointer(struct snd_pcm_substream *substream) +-{ +- +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- +- if (prtd->pcm_irq_pos >= prtd->pcm_size) +- prtd->pcm_irq_pos = 0; +- +- pr_debug("%s: pcm_irq_pos = %d, pcm_size = %d, sample_bits = %d,\n" +- "frame_bits = %d\n", __func__, prtd->pcm_irq_pos, +- prtd->pcm_size, runtime->sample_bits, +- runtime->frame_bits); +- return bytes_to_frames(runtime, (prtd->pcm_irq_pos)); +-} +- +-static int msm_compr_mmap(struct snd_pcm_substream *substream, +- struct vm_area_struct *vma) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct msm_audio *prtd = runtime->private_data; +- struct audio_client *ac = prtd->audio_client; +- struct audio_port_data *apd = ac->port; +- struct audio_buffer *ab; +- int dir = -1; +- +- prtd->mmap_flag = 1; +- runtime->render_flag = SNDRV_NON_DMA_MODE; +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- dir = IN; +- else +- dir = OUT; +- ab = &(apd[dir].buf[0]); +- +- return msm_audio_ion_mmap(ab, vma); +-} +- +-static int msm_compr_hw_params(struct snd_pcm_substream *substream, +- struct snd_pcm_hw_params *params) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- struct snd_dma_buffer *dma_buf = &substream->dma_buffer; +- struct audio_buffer *buf; +- int dir, ret; +- +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- dir = IN; +- else +- dir = OUT; +- /* Modifying kernel hardware params based on userspace config */ +- if (params_periods(params) > 0 && +- (params_periods(params) != runtime->hw.periods_max)) { +- runtime->hw.periods_max = params_periods(params); +- } +- if (params_period_bytes(params) > 0 && +- (params_period_bytes(params) != runtime->hw.period_bytes_min)) { +- runtime->hw.period_bytes_min = params_period_bytes(params); +- } +- runtime->hw.buffer_bytes_max = +- runtime->hw.period_bytes_min * runtime->hw.periods_max; +- pr_debug("allocate %zd buffers each of size %d\n", +- runtime->hw.period_bytes_min, +- runtime->hw.periods_max); +- ret = q6asm_audio_client_buf_alloc_contiguous(dir, +- prtd->audio_client, +- runtime->hw.period_bytes_min, +- runtime->hw.periods_max); +- if (ret < 0) { +- pr_err("Audio Start: Buffer Allocation failed rc = %d\n", +- ret); +- return -ENOMEM; +- } +- buf = prtd->audio_client->port[dir].buf; +- +- dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; +- dma_buf->dev.dev = substream->pcm->card->dev; +- dma_buf->private_data = NULL; +- dma_buf->area = buf[0].data; +- dma_buf->addr = buf[0].phys; +- dma_buf->bytes = runtime->hw.buffer_bytes_max; +- +- pr_debug("%s: buf[%pK]dma_buf->area[%pK]dma_buf->addr[%pa]\n" +- "dma_buf->bytes[%zd]\n", __func__, +- (void *)buf, (void *)dma_buf->area, +- &dma_buf->addr, dma_buf->bytes); +- if (!dma_buf->area) +- return -ENOMEM; +- +- snd_pcm_set_runtime_buffer(substream, &substream->dma_buffer); +- return 0; +-} +- +-static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, +- unsigned int cmd, void *arg) +-{ +- int rc = 0; +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- uint64_t timestamp; +- uint64_t temp; +- +- switch (cmd) { +- case SNDRV_COMPRESS_TSTAMP: { +- struct snd_compr_tstamp *tstamp; +- pr_debug("SNDRV_COMPRESS_TSTAMP\n"); +- tstamp = arg; +- memset(tstamp, 0x0, sizeof(*tstamp)); +- rc = q6asm_get_session_time(prtd->audio_client, ×tamp); +- if (rc < 0) { +- pr_err("%s: Get Session Time return value =%lld\n", +- __func__, timestamp); +- return -EAGAIN; +- } +- temp = (timestamp * 2 * runtime->channels); +- temp = temp * (runtime->rate/1000); +- temp = div_u64(temp, 1000); +- tstamp->sampling_rate = runtime->rate; +- tstamp->timestamp = timestamp; +- pr_debug("%s: bytes_consumed:,timestamp = %lld,\n", +- __func__, +- tstamp->timestamp); +- return 0; +- } +- case SNDRV_COMPRESS_GET_CAPS: { +- struct snd_compr_caps *caps; +- caps = arg; +- memset(caps, 0, sizeof(*caps)); +- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); +- memcpy(caps, &compr->info.compr_cap, sizeof(*caps)); +- return 0; +- } +- case SNDRV_COMPRESS_SET_PARAMS: +- pr_debug("SNDRV_COMPRESS_SET_PARAMS:\n"); +- memcpy(&compr->info.codec_param, (void *) arg, +- sizeof(struct snd_compr_params)); +- switch (compr->info.codec_param.codec.id) { +- case SND_AUDIOCODEC_MP3: +- /* For MP3 we dont need any other parameter */ +- pr_debug("SND_AUDIOCODEC_MP3\n"); +- compr->codec = FORMAT_MP3; +- break; +- case SND_AUDIOCODEC_AAC: +- pr_debug("SND_AUDIOCODEC_AAC\n"); +- compr->codec = FORMAT_MPEG4_AAC; +- break; +- case SND_AUDIOCODEC_AC3: { +- char params_value[MAX_AC3_PARAM_SIZE]; +- int *params_value_data = (int *)params_value; +- /* 36 is the max param length for ddp */ +- int i; +- struct snd_dec_ddp *ddp = +- &compr->info.codec_param.codec.options.ddp; +- uint32_t params_length = 0; +- memset(params_value, 0, MAX_AC3_PARAM_SIZE); +- /* check integer overflow */ +- if (ddp->params_length > UINT_MAX/sizeof(int)) { +- pr_err("%s: Integer overflow ddp->params_length %d\n", +- __func__, ddp->params_length); +- return -EINVAL; +- } +- params_length = ddp->params_length*sizeof(int); +- if (params_length > MAX_AC3_PARAM_SIZE) { +- /*MAX is 36*sizeof(int) this should not happen*/ +- pr_err("%s: params_length(%d) is greater than %zd\n", +- __func__, params_length, MAX_AC3_PARAM_SIZE); +- return -EINVAL; +- } +- pr_debug("SND_AUDIOCODEC_AC3\n"); +- compr->codec = FORMAT_AC3; +- pr_debug("params_length: %d\n", ddp->params_length); +- for (i = 0; i < params_length/sizeof(int); i++) +- pr_debug("params_value[%d]: %x\n", i, +- params_value_data[i]); +- for (i = 0; i < ddp->params_length/2; i++) { +- ddp->params_id[i] = params_value_data[2*i]; +- ddp->params_value[i] = params_value_data[2*i+1]; +- } +- if (atomic_read(&prtd->start)) { +- rc = msm_compr_send_ddp_cfg(prtd->audio_client, +- ddp); +- if (rc < 0) +- pr_err("%s: DDP CMD CFG failed\n", +- __func__); +- } +- break; +- } +- case SND_AUDIOCODEC_EAC3: { +- char params_value[MAX_AC3_PARAM_SIZE]; +- int *params_value_data = (int *)params_value; +- /* 36 is the max param length for ddp */ +- int i; +- struct snd_dec_ddp *ddp = +- &compr->info.codec_param.codec.options.ddp; +- uint32_t params_length = 0; +- memset(params_value, 0, MAX_AC3_PARAM_SIZE); +- /* check integer overflow */ +- if (ddp->params_length > UINT_MAX/sizeof(int)) { +- pr_err("%s: Integer overflow ddp->params_length %d\n", +- __func__, ddp->params_length); +- return -EINVAL; +- } +- params_length = ddp->params_length*sizeof(int); +- if (params_length > MAX_AC3_PARAM_SIZE) { +- /*MAX is 36*sizeof(int) this should not happen*/ +- pr_err("%s: params_length(%d) is greater than %zd\n", +- __func__, params_length, MAX_AC3_PARAM_SIZE); +- return -EINVAL; +- } +- pr_debug("SND_AUDIOCODEC_EAC3\n"); +- compr->codec = FORMAT_EAC3; +- pr_debug("params_length: %d\n", ddp->params_length); +- for (i = 0; i < ddp->params_length; i++) +- pr_debug("params_value[%d]: %x\n", i, +- params_value_data[i]); +- for (i = 0; i < ddp->params_length/2; i++) { +- ddp->params_id[i] = params_value_data[2*i]; +- ddp->params_value[i] = params_value_data[2*i+1]; +- } +- if (atomic_read(&prtd->start)) { +- rc = msm_compr_send_ddp_cfg(prtd->audio_client, +- ddp); +- if (rc < 0) +- pr_err("%s: DDP CMD CFG failed\n", +- __func__); +- } +- break; +- } +- default: +- pr_debug("FORMAT_LINEAR_PCM\n"); +- compr->codec = FORMAT_LINEAR_PCM; +- break; +- } +- return 0; +- case SNDRV_PCM_IOCTL1_RESET: +- pr_debug("SNDRV_PCM_IOCTL1_RESET\n"); +- /* Flush only when session is started during CAPTURE, +- while PLAYBACK has no such restriction. */ +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK || +- (substream->stream == SNDRV_PCM_STREAM_CAPTURE && +- atomic_read(&prtd->start))) { +- if (atomic_read(&prtd->eos)) { +- prtd->cmd_interrupt = 1; +- wake_up(&the_locks.eos_wait); +- atomic_set(&prtd->eos, 0); +- } +- +- /* A unlikely race condition possible with FLUSH +- DRAIN if ack is set by flush and reset by drain */ +- prtd->cmd_ack = 0; +- rc = q6asm_cmd(prtd->audio_client, CMD_FLUSH); +- if (rc < 0) { +- pr_err("%s: flush cmd failed rc=%d\n", +- __func__, rc); +- return rc; +- } +- rc = wait_event_timeout(the_locks.flush_wait, +- prtd->cmd_ack, 5 * HZ); +- if (!rc) +- pr_err("Flush cmd timeout\n"); +- prtd->pcm_irq_pos = 0; +- } +- break; +- case SNDRV_COMPRESS_DRAIN: +- pr_debug("%s: SNDRV_COMPRESS_DRAIN\n", __func__); +- if (atomic_read(&prtd->pending_buffer)) { +- pr_debug("%s: no pending writes, drain would block\n", +- __func__); +- return -EWOULDBLOCK; +- } +- +- atomic_set(&prtd->eos, 1); +- atomic_set(&prtd->pending_buffer, 0); +- prtd->cmd_ack = 0; +- q6asm_cmd_nowait(prtd->audio_client, CMD_EOS); +- /* Wait indefinitely for DRAIN. Flush can also signal this*/ +- rc = wait_event_interruptible(the_locks.eos_wait, +- (prtd->cmd_ack || prtd->cmd_interrupt)); +- +- if (rc < 0) +- pr_err("EOS cmd interrupted\n"); +- pr_debug("%s: SNDRV_COMPRESS_DRAIN out of wait\n", __func__); +- +- if (prtd->cmd_interrupt) +- rc = -EINTR; +- +- prtd->cmd_interrupt = 0; +- return rc; +- default: +- break; +- } +- return snd_pcm_lib_ioctl(substream, cmd, arg); +-} +-#ifdef CONFIG_COMPAT +-struct snd_enc_wma32 { +- u32 super_block_align; /* WMA Type-specific data */ +- u32 encodeopt1; +- u32 encodeopt2; +-}; +- +-struct snd_enc_vorbis32 { +- s32 quality; +- u32 managed; +- u32 max_bit_rate; +- u32 min_bit_rate; +- u32 downmix; +-}; +- +-struct snd_enc_real32 { +- u32 quant_bits; +- u32 start_region; +- u32 num_regions; +-}; +- +-struct snd_enc_flac32 { +- u32 num; +- u32 gain; +-}; +- +-struct snd_enc_generic32 { +- u32 bw; /* encoder bandwidth */ +- s32 reserved[15]; +-}; +-struct snd_dec_ddp32 { +- u32 params_length; +- u32 params_id[18]; +- u32 params_value[18]; +-}; +- +-union snd_codec_options32 { +- struct snd_enc_wma32 wma; +- struct snd_enc_vorbis32 vorbis; +- struct snd_enc_real32 real; +- struct snd_enc_flac32 flac; +- struct snd_enc_generic32 generic; +- struct snd_dec_ddp32 ddp; +-}; +- +-struct snd_codec32 { +- u32 id; +- u32 ch_in; +- u32 ch_out; +- u32 sample_rate; +- u32 bit_rate; +- u32 rate_control; +- u32 profile; +- u32 level; +- u32 ch_mode; +- u32 format; +- u32 align; +- union snd_codec_options32 options; +- u32 reserved[3]; +-}; +- +-struct snd_compressed_buffer32 { +- u32 fragment_size; +- u32 fragments; +-}; +- +-struct snd_compr_params32 { +- struct snd_compressed_buffer32 buffer; +- struct snd_codec32 codec; +- u8 no_wake_mode; +-}; +- +-struct snd_compr_caps32 { +- u32 num_codecs; +- u32 direction; +- u32 min_fragment_size; +- u32 max_fragment_size; +- u32 min_fragments; +- u32 max_fragments; +- u32 codecs[MAX_NUM_CODECS]; +- u32 reserved[11]; +-}; +-struct snd_compr_tstamp32 { +- u32 byte_offset; +- u32 copied_total; +- compat_ulong_t pcm_frames; +- compat_ulong_t pcm_io_frames; +- u32 sampling_rate; +- compat_u64 timestamp; +-}; +-enum { +- SNDRV_COMPRESS_TSTAMP32 = _IOR('C', 0x20, struct snd_compr_tstamp32), +- SNDRV_COMPRESS_GET_CAPS32 = _IOWR('C', 0x10, struct snd_compr_caps32), +- SNDRV_COMPRESS_SET_PARAMS32 = +- _IOW('C', 0x12, struct snd_compr_params32), +-}; +-static int msm_compr_compat_ioctl(struct snd_pcm_substream *substream, +- unsigned int cmd, void *arg) +-{ +- int err = 0; +- switch (cmd) { +- case SNDRV_COMPRESS_TSTAMP32: { +- struct snd_compr_tstamp tstamp; +- struct snd_compr_tstamp32 tstamp32; +- memset(&tstamp, 0, sizeof(tstamp)); +- memset(&tstamp32, 0, sizeof(tstamp32)); +- cmd = SNDRV_COMPRESS_TSTAMP; +- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); +- if (err) { +- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", +- __func__, err); +- goto bail_out; +- } +- tstamp32.byte_offset = tstamp.byte_offset; +- tstamp32.copied_total = tstamp.copied_total; +- tstamp32.pcm_frames = tstamp.pcm_frames; +- tstamp32.pcm_io_frames = tstamp.pcm_io_frames; +- tstamp32.sampling_rate = tstamp.sampling_rate; +- tstamp32.timestamp = tstamp.timestamp; +- if (copy_to_user(arg, &tstamp32, sizeof(tstamp32))) { +- pr_err("%s: copytouser failed COMPRESS_TSTAMP32\n", +- __func__); +- err = -EFAULT; +- } +- break; +- } +- case SNDRV_COMPRESS_GET_CAPS32: { +- struct snd_compr_caps caps; +- struct snd_compr_caps32 caps32; +- u32 i; +- memset(&caps, 0, sizeof(caps)); +- memset(&caps32, 0, sizeof(caps32)); +- cmd = SNDRV_COMPRESS_GET_CAPS; +- err = msm_compr_ioctl_shared(substream, cmd, &caps); +- if (err) { +- pr_err("%s: GET_CAPS failed rc %d\n", +- __func__, err); +- goto bail_out; +- } +- pr_debug("SNDRV_COMPRESS_GET_CAPS_32\n"); +- if (!err && caps.num_codecs >= MAX_NUM_CODECS) { +- pr_err("%s: Invalid number of codecs\n", __func__); +- err = -EINVAL; +- goto bail_out; +- } +- caps32.direction = caps.direction; +- caps32.max_fragment_size = caps.max_fragment_size; +- caps32.max_fragments = caps.max_fragments; +- caps32.min_fragment_size = caps.min_fragment_size; +- caps32.num_codecs = caps.num_codecs; +- for (i = 0; i < caps.num_codecs; i++) +- caps32.codecs[i] = caps.codecs[i]; +- if (copy_to_user(arg, &caps32, sizeof(caps32))) { +- pr_err("%s: copytouser failed COMPRESS_GETCAPS32\n", +- __func__); +- err = -EFAULT; +- } +- break; +- } +- case SNDRV_COMPRESS_SET_PARAMS32: { +- struct snd_compr_params32 params32; +- struct snd_compr_params params; +- memset(¶ms32, 0 , sizeof(params32)); +- memset(¶ms, 0 , sizeof(params)); +- cmd = SNDRV_COMPRESS_SET_PARAMS; +- if (copy_from_user(¶ms32, arg, sizeof(params32))) { +- pr_err("%s: copyfromuser failed SET_PARAMS32\n", +- __func__); +- err = -EFAULT; +- goto bail_out; +- } +- params.no_wake_mode = params32.no_wake_mode; +- params.codec.id = params32.codec.id; +- params.codec.ch_in = params32.codec.ch_in; +- params.codec.ch_out = params32.codec.ch_out; +- params.codec.sample_rate = params32.codec.sample_rate; +- params.codec.bit_rate = params32.codec.bit_rate; +- params.codec.rate_control = params32.codec.rate_control; +- params.codec.profile = params32.codec.profile; +- params.codec.level = params32.codec.level; +- params.codec.ch_mode = params32.codec.ch_mode; +- params.codec.format = params32.codec.format; +- params.codec.align = params32.codec.align; +- +- switch (params.codec.id) { +- case SND_AUDIOCODEC_WMA: +- case SND_AUDIOCODEC_WMA_PRO: +- params.codec.options.wma.encodeopt1 = +- params32.codec.options.wma.encodeopt1; +- params.codec.options.wma.encodeopt2 = +- params32.codec.options.wma.encodeopt2; +- params.codec.options.wma.super_block_align = +- params32.codec.options.wma.super_block_align; +- break; +- case SND_AUDIOCODEC_VORBIS: +- params.codec.options.vorbis.downmix = +- params32.codec.options.vorbis.downmix; +- params.codec.options.vorbis.managed = +- params32.codec.options.vorbis.managed; +- params.codec.options.vorbis.max_bit_rate = +- params32.codec.options.vorbis.max_bit_rate; +- params.codec.options.vorbis.min_bit_rate = +- params32.codec.options.vorbis.min_bit_rate; +- params.codec.options.vorbis.quality = +- params32.codec.options.vorbis.quality; +- break; +- case SND_AUDIOCODEC_REAL: +- params.codec.options.real.num_regions = +- params32.codec.options.real.num_regions; +- params.codec.options.real.quant_bits = +- params32.codec.options.real.quant_bits; +- params.codec.options.real.start_region = +- params32.codec.options.real.start_region; +- break; +- case SND_AUDIOCODEC_FLAC: +- params.codec.options.flac.gain = +- params32.codec.options.flac.gain; +- params.codec.options.flac.num = +- params32.codec.options.flac.num; +- break; +- case SND_AUDIOCODEC_DTS: +- case SND_AUDIOCODEC_DTS_PASS_THROUGH: +- case SND_AUDIOCODEC_DTS_LBR: +- case SND_AUDIOCODEC_DTS_LBR_PASS_THROUGH: +- case SND_AUDIOCODEC_DTS_TRANSCODE_LOOPBACK: +- break; +- case SND_AUDIOCODEC_AC3: +- case SND_AUDIOCODEC_EAC3: +- params.codec.options.ddp.params_length = +- params32.codec.options.ddp.params_length; +- memcpy(params.codec.options.ddp.params_value, +- params32.codec.options.ddp.params_value, +- sizeof(params32.codec.options.ddp.params_value)); +- memcpy(params.codec.options.ddp.params_id, +- params32.codec.options.ddp.params_id, +- sizeof(params32.codec.options.ddp.params_id)); +- break; +- default: +- params.codec.options.generic.bw = +- params32.codec.options.generic.bw; +- break; +- } +- if (!err) +- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); +- break; +- } +- default: +- err = msm_compr_ioctl_shared(substream, cmd, arg); +- } +-bail_out: +- return err; +- +-} +-#endif +-static int msm_compr_ioctl(struct snd_pcm_substream *substream, +- unsigned int cmd, void *arg) +-{ +- int err = 0; +- if (!substream) { +- pr_err("%s: Invalid params\n", __func__); +- return -EINVAL; +- } +- pr_debug("%s called with cmd = %d\n", __func__, cmd); +- switch (cmd) { +- case SNDRV_COMPRESS_TSTAMP: { +- struct snd_compr_tstamp tstamp; +- if (!arg) { +- pr_err("%s: Invalid params Tstamp\n", __func__); +- return -EINVAL; +- } +- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); +- if (err) +- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", +- __func__, err); +- if (!err && copy_to_user(arg, &tstamp, sizeof(tstamp))) { +- pr_err("%s: copytouser failed COMPRESS_TSTAMP\n", +- __func__); +- err = -EFAULT; +- } +- break; +- } +- case SNDRV_COMPRESS_GET_CAPS: { +- struct snd_compr_caps cap; +- if (!arg) { +- pr_err("%s: Invalid params getcaps\n", __func__); +- return -EINVAL; +- } +- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); +- err = msm_compr_ioctl_shared(substream, cmd, &cap); +- if (err) +- pr_err("%s: GET_CAPS failed rc %d\n", +- __func__, err); +- if (!err && copy_to_user(arg, &cap, sizeof(cap))) { +- pr_err("%s: copytouser failed GET_CAPS\n", +- __func__); +- err = -EFAULT; +- } +- break; +- } +- case SNDRV_COMPRESS_SET_PARAMS: { +- struct snd_compr_params params; +- if (!arg) { +- pr_err("%s: Invalid params setparam\n", __func__); +- return -EINVAL; +- } +- if (copy_from_user(¶ms, arg, +- sizeof(struct snd_compr_params))) { +- pr_err("%s: SET_PARAMS\n", __func__); +- return -EFAULT; +- } +- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); +- if (err) +- pr_err("%s: SET_PARAMS failed rc %d\n", +- __func__, err); +- break; +- } +- default: +- err = msm_compr_ioctl_shared(substream, cmd, arg); +- } +- return err; +-} +- +-static int msm_compr_restart(struct snd_pcm_substream *substream) +-{ +- struct snd_pcm_runtime *runtime = substream->runtime; +- struct compr_audio *compr = runtime->private_data; +- struct msm_audio *prtd = &compr->prtd; +- struct audio_aio_write_param param; +- struct audio_buffer *buf = NULL; +- struct output_meta_data_st output_meta_data; +- int time_stamp_flag = 0; +- int buffer_length = 0; +- +- pr_debug("%s, trigger restart\n", __func__); +- +- if (runtime->render_flag & SNDRV_RENDER_STOPPED) { +- buf = prtd->audio_client->port[IN].buf; +- pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", +- __func__, prtd->pcm_count, prtd->out_head); +- pr_debug("%s:writing buffer[%d] from 0x%08x\n", +- __func__, prtd->out_head, +- ((unsigned int)buf[0].phys +- + (prtd->out_head * prtd->pcm_count))); +- +- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) +- time_stamp_flag = SET_TIMESTAMP; +- else +- time_stamp_flag = NO_TIMESTAMP; +- memcpy(&output_meta_data, (char *)(buf->data + +- prtd->out_head * prtd->pcm_count), +- COMPRE_OUTPUT_METADATA_SIZE); +- +- buffer_length = output_meta_data.frame_size; +- pr_debug("meta_data_length: %d, frame_length: %d\n", +- output_meta_data.meta_data_length, +- output_meta_data.frame_size); +- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", +- output_meta_data.timestamp_msw, +- output_meta_data.timestamp_lsw); +- +- param.paddr = (unsigned long)buf[0].phys +- + (prtd->out_head * prtd->pcm_count) +- + output_meta_data.meta_data_length; +- param.len = buffer_length; +- param.msw_ts = output_meta_data.timestamp_msw; +- param.lsw_ts = output_meta_data.timestamp_lsw; +- param.flags = time_stamp_flag; +- param.uid = prtd->session_id; +- if (q6asm_async_write(prtd->audio_client, +- ¶m) < 0) +- pr_err("%s:q6asm_async_write failed\n", +- __func__); +- else +- prtd->out_head = +- (prtd->out_head + 1) & (runtime->periods - 1); +- +- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; +- return 0; +- } +- return 0; +-} +- +-static int msm_compr_volume_ctl_put(struct snd_kcontrol *kcontrol, +- struct snd_ctl_elem_value *ucontrol) +-{ +- int rc = 0; +- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); +- struct snd_pcm_substream *substream = +- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; +- struct msm_audio *prtd; +- int volume = ucontrol->value.integer.value[0]; +- +- pr_debug("%s: volume : %x\n", __func__, volume); +- if (!substream) +- return -ENODEV; +- if (!substream->runtime) +- return 0; +- prtd = substream->runtime->private_data; +- if (prtd) +- rc = compressed_set_volume(prtd, volume); +- +- return rc; +-} +- +-static int msm_compr_volume_ctl_get(struct snd_kcontrol *kcontrol, +- struct snd_ctl_elem_value *ucontrol) +-{ +- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); +- struct snd_pcm_substream *substream = +- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; +- struct msm_audio *prtd; +- +- pr_debug("%s\n", __func__); +- if (!substream) +- return -ENODEV; +- if (!substream->runtime) +- return 0; +- prtd = substream->runtime->private_data; +- if (prtd) +- ucontrol->value.integer.value[0] = prtd->volume; +- return 0; +-} +- +-static int msm_compr_add_controls(struct snd_soc_pcm_runtime *rtd) +-{ +- int ret = 0; +- struct snd_pcm *pcm = rtd->pcm; +- struct snd_pcm_volume *volume_info; +- struct snd_kcontrol *kctl; +- +- dev_dbg(rtd->dev, "%s, Volume cntrl add\n", __func__); +- ret = snd_pcm_add_volume_ctls(pcm, SNDRV_PCM_STREAM_PLAYBACK, +- NULL, 1, rtd->dai_link->be_id, +- &volume_info); +- if (ret < 0) +- return ret; +- kctl = volume_info->kctl; +- kctl->put = msm_compr_volume_ctl_put; +- kctl->get = msm_compr_volume_ctl_get; +- kctl->tlv.p = compr_rx_vol_gain; +- return 0; +-} +- +-static struct snd_pcm_ops msm_compr_ops = { +- .open = msm_compr_open, +- .hw_params = msm_compr_hw_params, +- .close = msm_compr_close, +- .ioctl = msm_compr_ioctl, +- .prepare = msm_compr_prepare, +- .trigger = msm_compr_trigger, +- .pointer = msm_compr_pointer, +- .mmap = msm_compr_mmap, +- .restart = msm_compr_restart, +-#ifdef CONFIG_COMPAT +- .compat_ioctl = msm_compr_compat_ioctl, +-#endif +-}; +- +-static int msm_asoc_pcm_new(struct snd_soc_pcm_runtime *rtd) +-{ +- struct snd_card *card = rtd->card->snd_card; +- int ret = 0; +- +- if (!card->dev->coherent_dma_mask) +- card->dev->coherent_dma_mask = DMA_BIT_MASK(32); +- +- ret = msm_compr_add_controls(rtd); +- if (ret) +- pr_err("%s, kctl add failed\n", __func__); +- return ret; +-} +- +-static struct snd_soc_platform_driver msm_soc_platform = { +- .ops = &msm_compr_ops, +- .pcm_new = msm_asoc_pcm_new, +-}; +- +-static int msm_compr_probe(struct platform_device *pdev) +-{ +- +- dev_info(&pdev->dev, "%s: dev name %s\n", +- __func__, dev_name(&pdev->dev)); +- +- atomic_set(&compressed_audio.audio_ocmem_req, 0); +- return snd_soc_register_platform(&pdev->dev, +- &msm_soc_platform); +-} +- +-static int msm_compr_remove(struct platform_device *pdev) +-{ +- snd_soc_unregister_platform(&pdev->dev); +- return 0; +-} +- +-static const struct of_device_id msm_compr_dt_match[] = { +- {.compatible = "qcom,msm-compr-dsp"}, +- {} +-}; +-MODULE_DEVICE_TABLE(of, msm_compr_dt_match); +- +-static struct platform_driver msm_compr_driver = { +- .driver = { +- .name = "msm-compr-dsp", +- .owner = THIS_MODULE, +- .of_match_table = msm_compr_dt_match, +- }, +- .probe = msm_compr_probe, +- .remove = msm_compr_remove, +-}; +- +-static int __init msm_soc_platform_init(void) +-{ +- init_waitqueue_head(&the_locks.enable_wait); +- init_waitqueue_head(&the_locks.eos_wait); +- init_waitqueue_head(&the_locks.write_wait); +- init_waitqueue_head(&the_locks.read_wait); +- init_waitqueue_head(&the_locks.flush_wait); +- +- return platform_driver_register(&msm_compr_driver); +-} +-module_init(msm_soc_platform_init); +- +-static void __exit msm_soc_platform_exit(void) +-{ +- platform_driver_unregister(&msm_compr_driver); +-} +-module_exit(msm_soc_platform_exit); +- +-MODULE_DESCRIPTION("PCM module platform driver"); +-MODULE_LICENSE("GPL v2"); +diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h +deleted file mode 100644 +index d6e3ec6..0000000 +--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h ++++ /dev/null +@@ -1,36 +0,0 @@ +-/* +- * Copyright (c) 2012, The Linux Foundation. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 and +- * only version 2 as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- */ +- +-#ifndef _MSM_COMPR_H +-#define _MSM_COMPR_H +-#include +-#include +-#include +-#include +-#include +- +-#include "msm-pcm-q6-v2.h" +- +-struct compr_info { +- struct snd_compr_caps compr_cap; +- struct snd_compr_codec_caps codec_caps; +- struct snd_compr_params codec_param; +-}; +- +-struct compr_audio { +- struct msm_audio prtd; +- struct compr_info info; +- uint32_t codec; +-}; +- +-#endif /*_MSM_COMPR_H*/ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9677/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9677/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9677/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9677/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch new file mode 100644 index 00000000..8ad40b53 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9687/3.18/0001.patch @@ -0,0 +1,58 @@ +From 34cff2eb2adc663de32ca682b57551c50c9253c6 Mon Sep 17 00:00:00 2001 +From: Skylar Chang +Date: Fri, 21 Apr 2017 10:42:57 -0700 +Subject: [PATCH] msm: ipa: fix IPC low priority logging + +Allocate IPC low priority on first usage only. + +Bug: 62827190 +Change-Id: Icea7f0fad9ed34c93641296f68736bbaf2e6eaa9 +CRs-Fixed: 2016076 +Acked-by: Ady Abraham +Signed-off-by: Skylar Chang +--- + drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c +index 12127a2304bbc..66482e2dc0634 100644 +--- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c ++++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c +@@ -105,6 +105,7 @@ static char dbg_buff[IPA_MAX_MSG_LEN]; + static char *active_clients_buf; + + static s8 ep_reg_idx; ++static void *ipa_ipc_low_buff; + + + static ssize_t ipa3_read_gen_reg(struct file *file, char __user *ubuf, +@@ -1610,22 +1611,20 @@ static ssize_t ipa3_enable_ipc_low(struct file *file, + if (kstrtos8(dbg_buff, 0, &option)) + return -EFAULT; + ++ mutex_lock(&ipa3_ctx->lock); + if (option) { +- if (!ipa3_ctx->logbuf_low) { +- ipa3_ctx->logbuf_low = ++ if (!ipa_ipc_low_buff) { ++ ipa_ipc_low_buff = + ipc_log_context_create(IPA_IPC_LOG_PAGES, + "ipa_low", 0); + } +- +- if (ipa3_ctx->logbuf_low == NULL) { +- IPAERR("failed to get logbuf_low\n"); +- return -EFAULT; +- } ++ if (ipa_ipc_low_buff == NULL) ++ IPAERR("failed to get logbuf_low\n"); ++ ipa3_ctx->logbuf_low = ipa_ipc_low_buff; + } else { +- if (ipa3_ctx->logbuf_low) +- ipc_log_context_destroy(ipa3_ctx->logbuf_low); + ipa3_ctx->logbuf_low = NULL; + } ++ mutex_unlock(&ipa3_ctx->lock); + + return count; + } diff --git a/Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9687/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9687/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch new file mode 100644 index 00000000..ec34d811 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9697/3.18/0001.patch @@ -0,0 +1,55 @@ +From 4b788ca419ec37e4cdb421fef9edc208a491ce30 Mon Sep 17 00:00:00 2001 +From: Mohit Aggarwal +Date: Thu, 25 May 2017 20:21:12 +0530 +Subject: [PATCH] diag: Synchronize command registration table access + +Currently, command registration table is being read +in debugfs without any protection which may lead to +access of stale entries. The patch takes care of the +issue by adding proper protection. + +CRs-Fixed: 2032672 +Bug: 63868628 +Change-Id: I6ae058c16873f9ed52ae6516a1a70fd6d2d0da80 +Signed-off-by: Mohit Aggarwal +--- + drivers/char/diag/diag_debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c +index f5e4eba1e96bc..b66c8cb8257c2 100644 +--- a/drivers/char/diag/diag_debugfs.c ++++ b/drivers/char/diag/diag_debugfs.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -268,8 +268,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, + struct list_head *temp; + struct diag_cmd_reg_t *item = NULL; + ++ mutex_lock(&driver->cmd_reg_mutex); + if (diag_dbgfs_table_index == driver->cmd_reg_count) { + diag_dbgfs_table_index = 0; ++ mutex_unlock(&driver->cmd_reg_mutex); + return 0; + } + +@@ -278,6 +280,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, + buf = kzalloc(sizeof(char) * buf_size, GFP_KERNEL); + if (ZERO_OR_NULL_PTR(buf)) { + pr_err("diag: %s, Error allocating memory\n", __func__); ++ mutex_unlock(&driver->cmd_reg_mutex); + return -ENOMEM; + } + buf_size = ksize(buf); +@@ -322,6 +325,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, + break; + } + diag_dbgfs_table_index = i; ++ mutex_unlock(&driver->cmd_reg_mutex); + + *ppos = 0; + ret = simple_read_from_buffer(ubuf, count, ppos, buf, bytes_in_buffer); diff --git a/Patches/Linux_CVEs/CVE-2017-9697/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9697/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9697/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9697/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch new file mode 100644 index 00000000..ef6036d0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9720/3.10/0001.patch @@ -0,0 +1,30 @@ +From c74dbab508c7c07d8e2cf8230cc78bff4b710272 Mon Sep 17 00:00:00 2001 +From: Fei Zhang +Date: Wed, 17 May 2017 15:33:02 +0800 +Subject: msm:camera: correct stats query out of boundary + +fix one potential out of boundary query of stats info. + +Bug: 36264696 +Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f +Signed-off-by: Fei Zhang +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +index a0eed95..82da3e0 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +@@ -803,7 +803,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg) + update_info = &update_cmd->update_info[i]; + /*check array reference bounds*/ + if (STATS_IDX(update_info->stream_handle) +- > vfe_dev->hw_info->stats_hw_info->num_stats_type) { ++ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s: stats idx %d out of bound!", __func__, + STATS_IDX(update_info->stream_handle)); + return -EINVAL; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9720/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9720/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9720/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9720/3.18/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch rename to Patches/Linux_CVEs/CVE-2017-9720/3.18/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch new file mode 100644 index 00000000..d34ee8d6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9725/3.10/0001.patch @@ -0,0 +1,79 @@ +From 5479a3c164c8762b5bf91c5fae452882366adb6a Mon Sep 17 00:00:00 2001 +From: Maggie White +Date: Wed, 5 Jul 2017 16:47:15 -0700 +Subject: mm: Fix incorrect type conversion for size during dma allocation + +This was found during userspace fuzzing test when a large size +allocation is made from ion + +[] show_stack+0x10/0x1c +[] dump_stack+0x74/0xc8 +[] kasan_report_error+0x2b0/0x408 +[] kasan_report+0x34/0x40 +[] __asan_storeN+0x15c/0x168 +[] memset+0x20/0x44 +[] __dma_alloc_coherent+0x114/0x18c +[] __dma_alloc_noncoherent+0xbc/0x19c +[] ion_cma_allocate+0x178/0x2f0 +[] ion_secure_cma_allocate+0xdc/0x190 +[] ion_alloc+0x264/0xb88 +[] ion_ioctl+0x1f4/0x480 +[] do_vfs_ioctl+0x67c/0x764 +[] SyS_ioctl+0x58/0x8c + +Bug: 38195738 +Signed-off-by: Rohit Vaswani +Signed-off-by: Maggie White +Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5 +--- + drivers/base/dma-contiguous.c | 4 ++-- + include/linux/dma-contiguous.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c +index f6e779e..9313bfc1 100644 +--- a/drivers/base/dma-contiguous.c ++++ b/drivers/base/dma-contiguous.c +@@ -589,7 +589,7 @@ static void clear_cma_bitmap(struct cma *cma, unsigned long pfn, int count) + * global one. Requires architecture specific get_dev_cma_area() helper + * function. + */ +-unsigned long dma_alloc_from_contiguous(struct device *dev, int count, ++unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, + unsigned int align) + { + unsigned long mask, pfn = 0, pageno, start = 0; +@@ -604,7 +604,7 @@ unsigned long dma_alloc_from_contiguous(struct device *dev, int count, + if (align > CONFIG_CMA_ALIGNMENT) + align = CONFIG_CMA_ALIGNMENT; + +- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma, ++ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma, + count, align); + + if (!count) +diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h +index 9e6fee9..d8d124e 100644 +--- a/include/linux/dma-contiguous.h ++++ b/include/linux/dma-contiguous.h +@@ -117,7 +117,7 @@ static inline int dma_declare_contiguous_reserved(struct device *dev, + return ret; + } + +-unsigned long dma_alloc_from_contiguous(struct device *dev, int count, ++unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, + unsigned int order); + bool dma_release_from_contiguous(struct device *dev, unsigned long pfn, + int count); +@@ -136,7 +136,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size, + } + + static inline +-unsigned long dma_alloc_from_contiguous(struct device *dev, int count, ++unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, + unsigned int order) + { + return 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9725/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch rename to Patches/Linux_CVEs/CVE-2017-9725/4.4/0002.patch diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt index e967c7e0..c5a422c4 100644 --- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt +++ b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt @@ -10,26 +10,20 @@ CVE-2012-4221 CVE-2012-4222 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=1e76f61bb001b93795a227f8f808104b6c10b048 CVE-2012-6657 - Pulled Link - ^3.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e10986d1d698140747fcfc2761ec9cb64c1d582 CVE-2012-6689 - Pulled Link - ^3.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef CVE-2012-6701 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 CVE-2012-6701 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 CVE-2012-6703 - Pulled Depends Link - https://github.com/torvalds/linux/commit/b35cc8225845112a616e3a2266d2fde5ab13d3ab Link - https://github.com/torvalds/linux/commit/4dc040a0b34890d2adc0d63da6e9bfb4eb791b19 CVE-2012-6704 - Pulled Link - ^3.5 - https://github.com/torvalds/linux/commit/82981930125abfd39d7c8378a9cfdf5e1be2002b CVE-2013-2015 - Pulled Link - ^3.8 - https://github.com/android/kernel_common/commit/016a3592cc34fa349235b5a8b48af5cece2cbfeb CVE-2013-2596 Link - https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=24b51892b863ad23a9fcb2a28a45e5cc15c2f3b5 @@ -39,7 +33,6 @@ CVE-2013-2597 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=abd0d7da5cab6057dba752486e347b9d568e5f58 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=76fb3e419e2b149292c3adf1e9171e2b542831bf CVE-2013-4312 - Pulled Depends Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a5a6cf8c405e826ff7ed1308dde72560c0ed4854 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=5ea820046ee399214221c0bb817eb35d304c9604 @@ -68,7 +61,6 @@ CVE-2013-6282 CVE-2013-7446 Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/unix/af_unix.c?id=7d267278a9ece963d77eefec61630223fce08c6c CVE-2014-0196 - Pulled Link - https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e5099713ce Link - 3.4 - https://source.codeaurora.org/quic/la/kernel/msm/commit/?h=LA.BF.1.1.3_rb1.12&id=9aabfc9e7775abbbcf534cdecccc4f12ee423b27 @@ -84,13 +76,11 @@ CVE-2014-0976 CVE-2014-1739 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8 CVE-2014-2523 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=5b866eaa34e Link - ^3.13 - https://github.com/torvalds/linux/commit/b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 CVE-2014-2706 Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba CVE-2014-2851 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/patch/?id=b04c46190219a4f845e46a459e3102137b7f6cac CVE-2014-3145 Dupe @@ -112,32 +102,25 @@ CVE-2014-4655 CVE-2014-4656 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e CVE-2014-4943 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1179c8f1cac Link - ^3.15 - https://github.com/torvalds/linux/commit/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf CVE-2014-5206 - Pulled Link - ^3.16 - https://github.com/torvalds/linux/commit/a6138db815df5ee542d848318e5dae681590fccd CVE-2014-7822 - Pulled Link - 3.2-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=894c6350eaa CVE-2014-7825 - Pulled Depends Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6f25b4e75a8 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=8043761416d Link - ^3.17 - https://github.com/torvalds/linux/commit/086ba77a6db00ed858ff07451bedee197df868c9 CVE-2014-7970 - Pulled Link - 3.0 - https://github.com/LineageOS/android_kernel_samsung_smdk4412/commit/c88f7bbd8026761a615c9969d186ffa2a1a3da3c Link - 3.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=9f7d53c09a1f87ebe228b55a83c1b8f952d76260 Link - ^3.17 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0d0826019e529f21c84687521d03f60cd241ca7d CVE-2014-8160 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=d7cde286daa Link - ^3.18 - https://github.com/torvalds/linux/commit/db29a9508a9246e77087c5531e45b2c88ec6988b CVE-2014-8173 - Pulled Link - 3.9-^3.12 - https://github.com/torvalds/linux/commit/ee53664bda169f519ce3c6a22d378f0b946c8178 CVE-2014-8709 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=338f977f4eb441e69bb9a46eaa0ac715c931a67f @@ -159,11 +142,9 @@ CVE-2014-9420 CVE-2014-9529 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c CVE-2014-9683 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=f2d130454e4 Link - ^3.18 - https://github.com/torvalds/linux/commit/942080643bce061c3dd9d5718d3b745dcb39a8bc CVE-2014-9715 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=33eedfe8ecb Link - ^3.14 - https://github.com/torvalds/linux/commit/223b02d923ecd7c84cf9780bb3686f455d279279 CVE-2014-9731 @@ -301,15 +282,12 @@ CVE-2014-9940 CVE-2015-3636 Link - https://github.com/torvalds/linux/commit/a134f083e79f CVE-2015-0569 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a079d716b5481223f0166c644e9ec7c75a31b02c Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=0ffca4f7bca3a8157d8dbaddbcea292c267fb5aa CVE-2015-0570 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=606babd474290e84e5a86f94480f62f4a5ff92ac CVE-2015-0571 - Pulled Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6feb2faf80a05940618aa2eef2b62e4e2e54f148 Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fe4208157c899a5de4d6769d13f6620fc32ebfa9 Link - qcacld-2.0 - https://www.codeaurora.org/cgit/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0e53a89bfe0dbb50e0dde9a6960d274386247cd9 @@ -328,12 +306,10 @@ CVE-2015-0572 CVE-2015-0573 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=e20f20aaed6b6d2fd1667bad9be9ef35103a51df CVE-2015-1420 - Pulled Link - 3.2-^3.19 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=8dfc8b9e8432f50606820b40a7d63618d9d61a07 CVE-2015-1465 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0 CVE-2015-1534 - Pulled Link - https://android.googlesource.com/kernel/msm/+/b3226d8ea5a2d968b1a841fc54b48f5ebdb16846 CVE-2015-1593 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 @@ -343,7 +319,6 @@ CVE-2015-1805 Link - 3.14 - https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f Link - 3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a39bf4a8e29c7336c0c72652b7d0dd1cd1b13c51 CVE-2015-2041 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=88fe14be08a475ad0eea4ca7c51f32437baf41af Link - ^3.19 - https://github.com/torvalds/linux/commit/6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 CVE-2015-2686 @@ -353,24 +328,19 @@ CVE-2015-2922 CVE-2015-3288 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d CVE-2015-3339 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=470e517be17dd6ef8670bec7bd7831ea0d3ad8a6 Link - ^3.19 - https://github.com/torvalds/linux/commit/8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 CVE-2015-4170 - Pulled Link - 3.10^ - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae CVE-2015-4177 - Pulled Link - 4.0 - https://github.com/torvalds/linux/commit/cd4a40174b71acd021877341684d8bb1dc8ea4ae CVE-2015-5364 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 CVE-2015-5366 - Pulled Link - 3.10 - https://review.lineageos.org/163292 Link - 3.18 - https://review.lineageos.org/170669 Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 CVE-2015-5697 - Pulled Link - ^4.1 - https://github.com/torvalds/linux/commit/b6878d9e03043695dbf3fa1caa6dfc09db225b16 CVE-2015-5706 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 @@ -385,40 +355,30 @@ CVE-2015-6640 CVE-2015-6642 Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=4ad825ba2968666069740c3e80fe31ed3d0e29ba CVE-2015-7509 - Pulled Link - ^3.7 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9b92530a723ac5ef8e352885a1862b18f31b2f5 CVE-2015-7515 - Pulled Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=90eb3c037fe3f0f25f01713a92725a8daa2b41f3 Link - ^4.4 - https://github.com/torvalds/linux/commit/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 CVE-2015-7550 - Pulled Link - ^4.3 - https://github.com/torvalds/linux/commit/b4a1b4f5047e4f54e194681125c74c0aa64d637d CVE-2015-7872 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 CVE-2015-8019 - Pulled Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/patch/?id=813658e0c448f2f5fb3301762076ba5e0f61411c Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/patch/?id=f1c121b78e68c03f7fe5e9fa7319e53ad29392f3 Link - 4.3 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191 CVE-2015-8539 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd CVE-2015-8543 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9 CVE-2015-8575 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 CVE-2015-8785 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ca8138f014a913f98e6ef40e939868e1e9ea876 CVE-2015-8830 - Pulled Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4c185ce06dca14f5cea192f5a2c981ef50663f2b Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893 CVE-2015-8839 - Pulled Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea3d7209ca01da209cda6f0dea8be9cc4b7a933b Link - https://github.com/aosp-mirror/kernel_msm/commit/f0ac071fc6660c1d8d4b0d0dbe7642dd1274e4a5 CVE-2015-8937 @@ -470,14 +430,12 @@ CVE-2016-0758 CVE-2016-0774 Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/fs/pipe.c?id=b381fbc509052d07ccf8641fd7560a25d46aaf1e CVE-2016-0774 - Pulled Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/fs/pipe.c?id=b381fbc509052d07ccf8641fd7560a25d46aaf1e CVE-2016-0801 Link - https://android.googlesource.com/kernel/msm/+/68cdc8df1cb6622980b791ce03e99c255c9888af CVE-2016-0802 Link - https://android.googlesource.com/kernel/msm/+/3fffc78f70dc101add8b82af878d53457713d005 CVE-2016-0805 - Pulled Link - https://github.com/android/kernel_msm/commit/b3f0b1f694258b3b3debc5256eec94bb2a9eb454 CVE-2016-0806 Link - prima - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/aosp-new/android-msm-flo-3.4-marshmallow-mr2&id=1fac73337080712109029302599945d1ac36c799 @@ -519,23 +477,18 @@ CVE-2016-0843 CVE-2016-0844 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=90a9da2ea95e86b4f0ff493cd891a11da0ee67aa CVE-2016-10044 - Pulled Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a Link - https://android.googlesource.com/kernel/msm/+/689ea150ab61cb193268d4b7f68de68acf207db4 Link - https://android.googlesource.com/kernel/msm/+/bc02d1d9f5d0e0610504c24b05fef54726ba1a1b CVE-2016-10088 - Pulled Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=128394eff343fc6d2f32172f03e24829539c5835 CVE-2016-10153 - Pulled Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a45f795c65b479b4ba107b6ccde29b896d51ee98 CVE-2016-10154 - Pulled Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06deeec77a5a689cc94b21a8a91a76e42176685d CVE-2016-10200 Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=32c231164b762dddefa13af5a0101032c70b50ef CVE-2016-10208 - Pulled FIXME Link - 3.10-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.16.44&id=cde863587b6809fdf61ea3c5391ecf06884b5516 CVE-2016-10229 @@ -596,7 +549,6 @@ CVE-2016-2059 CVE-2016-2060 Link - https://source.codeaurora.org/quic/la/platform/system/netd/commit/?id=e9925f5acb4401588e23ea8a27c3e318f71b5cf8 CVE-2016-2061 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=79db14ca9f791a14be9376a0340ad3b9b9a4d603 CVE-2016-2062 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/gpu/msm/adreno_perfcounter.c?id=27c95b64b2e4b5ff1288cbaa6e353dd803d71576 @@ -609,7 +561,6 @@ CVE-2016-2065 CVE-2016-2066 Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 CVE-2016-2066 - Pulled Link - https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88 CVE-2016-2067 Link - https://us.codeaurora.org/cgit/quic/la//kernel/msm-3.18/commit/?id=410cfa95f0a1cf58819cbfbd896f9aa45b004ac0 @@ -618,21 +569,16 @@ CVE-2016-2068 CVE-2016-2184 Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=836b34a935abc91e13e63053d0a83b24dfb5ea78 CVE-2016-2185 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d CVE-2016-2186 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c6ba456711687b794dcf285856fc14e2c76074f CVE-2016-2187 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=162f98dea487206d9ab79fc12ed64700667a894d CVE-2016-2188 - Pulled Depends Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ec0ef3a82125efc36173062a50624550a900ae0 Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7321e81fc369abe353cf094d4f0dc2fe11ab95f CVE-2016-2384 - Pulled Link - ^4.5 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=07d86ca93db7e5cdf4743564d98292042ec21af7 CVE-2016-2411 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=43e6938f37be0386fff4117e8aefff9be49bfe8a @@ -643,26 +589,21 @@ CVE-2016-2441 CVE-2016-2442 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=6fb29c4773f632b7b6c31a8de56f55c32de3d350 CVE-2016-2443 - Pulled Link - https://android.googlesource.com/kernel/msm/+/d22e409d672101e837d95c944161f072f894e682 CVE-2016-2465 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=09dc4abecb0da388aedb37a57889c1ce2b267807 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=240f3bd82840fe6df7989339e465e9558f42fb85 CVE-2016-2466 - Pulled Link - https://android.googlesource.com/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6 CVE-2016-2467 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=38b6131d78cecec5d970230aeee3cef485103d82 CVE-2016-2468 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b5eb67744215b3434a36b9251e28da3dc2a638a6 Link - https://android.googlesource.com/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c CVE-2016-2469 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e CVE-2016-2469 - Pulled Link - https://android.googlesource.com/kernel/msm/+/4029268991f478b98b6d37106af8f1f635c0b595 CVE-2016-2470 Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=05ce237387c6e1d101bbb4b825e56757576748e6 @@ -678,7 +619,6 @@ CVE-2016-2474 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d541aecce07c65fee3ad3a4d900016e4d22f2b3d Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=681c310490e49adc43065d1d11006c5a5dc43568 CVE-2016-2475 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/9f0aa0c3fede9abb0b5ccadeca95f848cc791fba CVE-2016-2477 Link - https://android.googlesource.com/platform/hardware/qcom/media/+/f22c2a0f0f9e030c240468d9d18b9297f001bcf0 @@ -689,7 +629,6 @@ CVE-2016-2480 CVE-2016-2482 Link - https://android.googlesource.com/platform/hardware/qcom/media/+/46e305be6e670a5a0041b0b4861122a0f1aabefa CVE-2016-2488 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=91ea960b91250eca57d8fbdb8aafa11d80695d46 CVE-2016-2498 Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=1d23dacdbd6b3a2b59b952f2fa3a578f9d15f60f @@ -707,46 +646,34 @@ CVE-2016-2504 CVE-2016-2544 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3567eb6af614dac436c4b16a8d426f9faed639b3 CVE-2016-2545 - Pulled Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee8413b01045c74340aa13ad5bdf905de32be736 CVE-2016-2546 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=af368027a49a751d6ff4ee9e3f9961f35bb4fede CVE-2016-2547 - Pulled Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d CVE-2016-2549 - Pulled Link - ^4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 CVE-2016-2847 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52 CVE-2016-3070 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=af110cc4b24250faafd4f3b9879cf51e350d7799 CVE-2016-3134 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309 CVE-2016-3135 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d157bd761585605b7882935ffb86286919f62ea1 CVE-2016-3136 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4e9a0b05257f29cf4b75f3209243ed71614d062e CVE-2016-3137 - Pulled Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 CVE-2016-3138 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8835ba4a39cf53f705417b3b3a94eb067673f2c9 CVE-2016-3140 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f CVE-2016-3156 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2 CVE-2016-3672 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b8addf891de8a00e4d39fc32f93f7c5eb8feceb CVE-2016-3689 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff CVE-2016-3746 Link - https://source.codeaurora.org/quic/la//platform/hardware/qcom/media/commit/?id=c2e66c4ee83b4264d691d8aaabb2e94744df1e25 @@ -756,7 +683,6 @@ CVE-2016-3768 Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=d75be03af111fb5a31eba82f665242e6d8b07008 Link - https://github.com/android/kernel_msm/commit/84d8c81420aaa7c6cd6f57cb52daccf07b1f7a50 CVE-2016-3775 - Pulled Link - 3.4 - https://github.com/android/kernel_msm/commit/dc18eac80caaa12ff7072df9fe857b921e8c26c7 Link - 3.4 - https://review.lineageos.org/81123 Link - 3.10 - https://github.com/android/kernel_msm/commit/8096090858689395a75bbf696ff8276c3c236b98 @@ -766,7 +692,6 @@ CVE-2016-3792 CVE-2016-3797 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=fdda9c0af64d6e5cdf006e2d8dd57e655821a962 CVE-2016-3809 - Pulled Link - https://android.googlesource.com/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935 CVE-2016-3813 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=3c0add95808fdada98ba0ab465c0b4ba49e71d26 @@ -774,12 +699,10 @@ CVE-2016-3813 CVE-2016-3841 Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45f6fad84cc305103b28d73482b344d7f5b76f39 CVE-2016-3842 - Pulled Link - 3.4 - https://github.com/aosp-mirror/kernel_msm/commit/15701ca335357e98a0eb98ef079fe45e3b830591 Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/f5f0a2fe84b589793baa5713ea2aa16779e00d5e Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/905de01dda0bc6663f8ce5c8f0f3831dae49bb36 CVE-2016-3843 - Pulled Depends Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=e65cc8f9c46c6b8119826fbc22ffeb4e96e80e8a Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=149cf87192059fab0cb49ec5c691783c3565c215 @@ -792,7 +715,6 @@ CVE-2016-3854 CVE-2016-3855 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ab3f46119ca10de87a11fe966b0723c48f27acd4 CVE-2016-3857 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.107&id=d948109df11c8485e972b4cc0eb4820d4b754615 CVE-2016-3858 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cab2ba71f13f04aa73c8b8dadc3fc184205c9474 @@ -802,13 +724,11 @@ CVE-2016-3859 CVE-2016-3860 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/sound/soc/msm/qdsp6v2/audio_calibration.c?id=528976f54be246ec93a71ac53aa4faf3e3791c48 CVE-2016-3865 - Pulled Link - https://github.com/android/kernel_msm/commit/a92e71c20f4e6b2aa94b7614fd494833ea76b8b9 Link - https://github.com/android/kernel_msm/commit/92242610894d1dc26759e486af1d11f2eb78c922 CVE-2016-3866 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=5180cefe0eeb6f3e6e0c4967652facd20f07c20c CVE-2016-3867 - Pulled Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=816da3d19cfee937f5add485a112bb1cdfcb72c8 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b518b33d4b7da7df5a0348a97ffb4f35be819937 CVE-2016-3868 @@ -900,7 +820,6 @@ CVE-2016-5349 CVE-2016-5696 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758 CVE-2016-5829 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/hid/usbhid/hiddev.c?h=LA.UM.5.5.r1-04000-8x96.0&id=af37375834fe1dd7a7a08c6042664ffc2a1a3beb CVE-2016-5853 Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=e879fc7eca7e3ba0ab9dcf24d2f717e49718a01e @@ -946,7 +865,6 @@ CVE-2016-5870 CVE-2016-6136 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c CVE-2016-6672 - Pulled Link - https://github.com/android/kernel_msm/commit/d8649432b96bd361de20168372c10269e88e1258 CVE-2016-6675 Link - prima - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09 @@ -963,7 +881,6 @@ CVE-2016-6681 CVE-2016-6682 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395 CVE-2016-6683 - Pulled Link - https://android.googlesource.com/kernel/tegra.git/+/android-7.0.0_r0.20 CVE-2016-6692 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3 @@ -982,13 +899,11 @@ CVE-2016-6725 Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cc95d644ee8a043f2883d65dda20e16f95041de3 Link - 3.18 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=a8bfc6888280ac70c9c13b1802c1e962522714a4 CVE-2016-6728 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=37b3cefe6c01bed2e048d7a42b1c4021f4ba279d Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=a3fe90fbd3500e7ecaa32b9da5e582d78cb5cef9 CVE-2016-6738 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a829c54236b455885c3e9c7c77ac528b62045e79 CVE-2016-6739 - Pulled Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ac8242269094729c464ac042a58603e01427e509 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c4af572a7ad59c0f07fd316a08055bc86dfb5f0d CVE-2016-6740 @@ -998,10 +913,8 @@ CVE-2016-6741 Link - 3.10 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=80a1d9978c11f76bbe6d2e622bf2ded18f27e34f Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=d291eebd8e43bba3229ae7ef9146a132894dc293 CVE-2016-6742 - Pulled Link - https://github.com/android/kernel_msm/commit/94f4b81da69ec72486476adb59d7c818bd4ffbd0 CVE-2016-6745 - Pulled Depends Link - https://github.com/android/kernel_msm/commit/80dd4267f644c7ba9657df52f6bce42f0bef1b4e Link - https://github.com/android/kernel_msm/commit/9397e20764da2fdffdfe20e35cb78211753b83cc @@ -1020,7 +933,6 @@ CVE-2016-6751 CVE-2016-6752 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?h=0de2c7600c8f1f0152a2f421c6593f931186400a CVE-2016-6753 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5ee75a32931dc70a7af2be42650ac5f14db99674 CVE-2016-6755 Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=b5df02edbcdf53dbbab77903d28162772edcf6e0 @@ -1069,37 +981,27 @@ CVE-2016-8392 Link - https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79 CVE-2016-8393 - Pulled Link - https://github.com/android/kernel_msm/commit/9397e20764da2fdffdfe20e35cb78211753b83cc Link - https://github.com/android/kernel_msm/commit/fd11eb5c433743c87bebe699604adfd7e7e805cf Link - https://github.com/android/kernel_msm/commit/8a950b2d64cec7b8022b7572c2d3d9221b2dbab2 CVE-2016-8394 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/4b9ae9048d63ef9fe9f8cc9d0e33cc38148b268d CVE-2016-8399 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0eab121ef8750a5c8637d51534d5e9143fb0633f CVE-2016-8401 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/44a8e527e156245eff04ff36f426cb1ba8d23e34 CVE-2016-8402 - Pulled Link - 3.4 - https://source.codeaurora.org/quic/la/kernel/msm/commit/drivers?id=8e145d45fdff30cb6471b7cc9717c30b21a0ec6b Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/de51c6f363b8ba7c513e8a5bbae3459571966bfd CVE-2016-8403 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/de55d30d3ed76ab8b5c61f2ccf730ce86fd59592 CVE-2016-8404 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=232ec805c7cc4150f05aa06a98335378ab272ec7 CVE-2016-8405 - Pulled Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dc705a9930b4806250fbf5a76e55266e59389f2 CVE-2016-8406 - Pulled Link - https://github.com/android/kernel_msm/commit/d7a15270ad80aff21d09aaea9c0e98e03e541b50 CVE-2016-8407 - Pulled Link - https://github.com/android/kernel_msm/commit/c01b4ad61a7e4291ea3db18baaf6c3532eff7e38 CVE-2016-8410 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?h=e2bbf665187a1f0a1248e4a088823cb182153ba9 @@ -1128,66 +1030,51 @@ CVE-2016-8434 CVE-2016-8436 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=228e8d17b9f5d22cf9896ab8eff88dc6737c2ced CVE-2016-8444 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/78506ab75e0cbbfbf372867cc24282d7e739f4d6 CVE-2016-8450 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e909d159ad1998ada853ed35be27c7b6ba241bdb CVE-2016-8452 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=39fa8e972fa1b10dc68a066f4f9432753d8a2526 CVE-2016-8453 - Pulled Link - https://github.com/android/kernel_msm/commit/f10f4e420dddc35dfef53965c55ffd5bdec41a45 CVE-2016-8454 - Pulled Link - https://github.com/android/kernel_msm/commit/39bd1fc23040a441628884588b19bc4d199b59c2 CVE-2016-8455 - Pulled Link - https://github.com/android/kernel_msm/commit/068427b76963929b220a4be40cdf77856374df55 CVE-2016-8456 - Pulled Link - https://github.com/android/kernel_msm/commit/e5c1b001a822e8b38680655c400e7b3f67cc3323 CVE-2016-8457 - Pulled Link - https://github.com/android/kernel_msm/commit/e5c1b001a822e8b38680655c400e7b3f67cc3323 CVE-2016-8458 - Pulled Link - 3.10 - https://github.com/android/kernel_msm/commit/d567c744898f67e1c54db5339f41815d02f3d59e Link - 3.18 - https://github.com/android/kernel_msm/commit/11ab3add6cfb1ef752ac38adf1b4bf15617772e9 CVE-2016-8463 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=cd0fa86de6ca1d40c0a93d86d1c0f7846e8a9a10 CVE-2016-8464 - Pulled Link - 3.10 - https://github.com/android/kernel_msm/commit/cbf66a616bb08cc6c932e4122f3271df83e253bb Link - 3.18 - https://android.googlesource.com/kernel/tegra/+/ffbad101e158cea6b93965302b2a3c3f8ef11bf8 CVE-2016-8465 - Pulled Depends Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e Link - 3.10 - https://github.com/android/kernel_msm/commit/50ba575e9cd28ab9537f0961bbc051a6a727da74 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4add5112babf94dbc0f86e93395b6622d5080d16 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3619fd91b831f184d2e544e23cb54d20eed2531e CVE-2016-8465 - Pulled Depends Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e Link - 3.10 - https://github.com/android/kernel_msm/commit/8f1621cd0d0ca0bc494a926a1331f582b27b913e Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4add5112babf94dbc0f86e93395b6622d5080d16 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3619fd91b831f184d2e544e23cb54d20eed2531e CVE-2016-8466 - Pulled Link - 3.10 - https://github.com/android/kernel_msm/commit/67d429b1cb87879c33df58febc0b7bf6712bc7c0 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=4af032a458109027c88c478c800aac97a7105250 CVE-2016-8468 - Pulled Link - 3.18 - https://github.com/android/kernel_msm/commit/0d37d64f02e18a301867ae7684c3801bd99c5df2 CVE-2016-8473 - Pulled Link - https://github.com/android/kernel_msm/commit/900b8b72c57cefebb39c150dfddfdd493a1cea79 CVE-2016-8474 - Pulled Link - https://github.com/android/kernel_msm/commit/900b8b72c57cefebb39c150dfddfdd493a1cea79 CVE-2016-8475 - Pulled Link - https://github.com/android/kernel_msm/commit/d906945fc287f9df48b99349fea962b921d4d39e CVE-2016-8476 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bfe8035bce6fec72ed1d064b94529fce8fb09799 @@ -1204,7 +1091,6 @@ CVE-2016-8480 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=cd70f6025a7bbce89af7a7abf4c40a219fdea406 Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=420d51e0733e72830fa591f1e67f5a40ce11dc51 CVE-2016-8481 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=c8c16b7406c68a5a9f35c5afbfcafd893e197425 Link - https://github.com/android/kernel_msm/commit/831da5d113d214db6894e9fd0ce98762ee8a544a @@ -1217,16 +1103,12 @@ CVE-2016-8655 CVE-2016-9120 Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 CVE-2016-9191 - Pulled Link - 3.11-^4.8 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93362fa47fe98b62e4a34ab408c4a418432e7939 CVE-2016-9555 - Pulled Link - https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 CVE-2016-9576 - Pulled Link - https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0 CVE-2016-9604 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44c037827f0aeddbbbb323930fa3d09a7b4fffca CVE-2016-9754 Link - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=59643d1535eb220668692a5359de22545af579f6 @@ -1237,31 +1119,23 @@ CVE-2016-9794 CVE-2016-9806 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=92964c79b357efd980812c4de5c1fd2ec8bb5520 CVE-2017-0403 - Pulled Link - 3.0-^3.18 - https://github.com/android/kernel_msm/commit/2c5c1fd0d2a2a96fab750fa332cb703022c16c04 CVE-2017-0404 - Pulled Link - ^3.18 - https://github.com/android/kernel_msm/commit/4faa6d2e9b53546823882d8889820ff9ce3c372f CVE-2017-0427 - Pulled Link - 3.10 - https://github.com/android/kernel_msm/commit/5db4167c9924c68ab9554bba3a98ecfd14b91a8e Link - 3.18 - https://github.com/android/kernel_msm/commit/1d6d364ee174676a225a77dc7ca8dac887199718 CVE-2017-0430 - Pulled Link - https://github.com/android/kernel_msm/commit/709105c301aa53fb86c46b36f882998558b19652 CVE-2017-0433 - Pulled Link - https://github.com/android/kernel_msm/commit/fe160e51f02ee5db529c2e84ac8364c89cce005e Link - https://github.com/android/kernel_msm/commit/2615c5f302441568e6dd20007bc5246d72837e80 CVE-2017-0434 - Pulled Link - 3.18 - https://github.com/android/kernel_msm/commit/d740e7228bd1578ed01762998b2a86e7df56e608 CVE-2017-0435 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 Link - https://github.com/android/kernel_msm/commit/831da5d113d214db6894e9fd0ce98762ee8a544a CVE-2017-0436 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=ce9db0874906f6aedd80bb28d457eadfe38bdd02 CVE-2017-0437 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 @@ -1281,29 +1155,23 @@ CVE-2017-0443 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f1081e78eff75ca665c662493736b17cb792b46d Link - qcacld-3.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a4c5eefd5dd761445784963f3b6605d24d2bc3af CVE-2017-0444 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=230f280dd4046a227665ff07c9afaa7b9aa1e061 CVE-2017-0445 - Pulled Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 Link - https://github.com/android/kernel_msm/commit/367e64520dba1652d8f6d0ac1ebda3cab0f9e374 Link - https://github.com/android/kernel_msm/commit/2615c5f302441568e6dd20007bc5246d72837e80 Link - https://github.com/android/kernel_msm/commit/fe160e51f02ee5db529c2e84ac8364c89cce005e CVE-2017-0446 - Pulled Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 CVE-2017-0447 - Pulled Link - https://github.com/android/kernel_msm/commit/773179468893965c2b81aa7ffe3722b6868ef749 CVE-2017-0449 - Pulled Link - https://github.com/android/kernel_msm/commit/323a28bf14c622bdd1b9ecf09a339b00af98c965 CVE-2017-0451 Depends Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=59f55cd40b5f44941afc78b78e5bf81ad3dd723e Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=35346beb2d8882115f698ab22a96803552b5c57e CVE-2017-0452 - Pulled Link - https://github.com/android/kernel_msm/commit/4fa7499742c56c7f7064c9dc14c3a34f4be38851 CVE-2017-0453 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=29c4ddb447b2d49409a9d0b93631f84a9d2e922e @@ -1318,7 +1186,6 @@ CVE-2017-0455 CVE-2017-0456 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=dfb170e243a3082a668f77ec0190af2c2bed9161 CVE-2017-0457 - Pulled Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d Link - 3.18 - https://github.com/android/kernel_msm/commit/f6e21d2a3778bcbbef7320ffbf31631d76679175 CVE-2017-0458 @@ -1342,24 +1209,19 @@ CVE-2017-0464 CVE-2017-0465 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=3823f0f8d0bbbbd675a42a54691f4051b3c7e544 CVE-2017-0507 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/03c26a1d8c8687131da151c2e4bd5a04d08e0dec CVE-2017-0509 - Pulled Link - https://github.com/android/kernel_msm/commit/9c5e11d70f209553d023ea2b79efe7b2bf85fd5e CVE-2017-0510 - Pulled Link - 3.4 - https://review.lineageos.org/#/c/179097 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d4dfd82835bb6f92de3bfb8a1cbf6beaf892ad08 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=7a4fd6fb0df85d16db29561e0063b41a62f11e4d CVE-2017-0516 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0dba52cf7955306c71fb76d16437d848c953e462 CVE-2017-0518 - Pulled Link - 3.18 - https://github.com/android/kernel_msm/commit/015d1d5dc8c42d6ab92a31b99cd9f089fae1d27e Link - 3.18 - https://github.com/android/kernel_msm/commit/a064a44e03158dbf655a866ba21f5d1baa2dee9e CVE-2017-0519 - Pulled Link - 3.18 - https://github.com/android/kernel_msm/commit/2f264730e26a73da973c6eef0e1ee252294ec740 CVE-2017-0520 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=eb2aad752c43f57e88ab9b0c3c5ee7b976ee31dd @@ -1370,7 +1232,6 @@ CVE-2017-0523 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5bb646471da76d3d5cd02cf3da7a03ce6e3cb582 Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2c7b4349b858398caf0ae146e87554c3502d20a5 CVE-2017-0524 - Pulled Link - https://github.com/android/kernel_msm/commit/e1fb1600fc222337989e3084d68df929882deae5 Link - https://github.com/android/kernel_msm/commit/0ab30d91fb178c5967753343029581983a4e9b67 Link - https://github.com/android/kernel_msm/commit/e6430a4da1fb0212a546379eadbe986f629c3ae9 @@ -1386,39 +1247,28 @@ CVE-2017-0533 CVE-2017-0534 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f CVE-2017-0535 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/fb2e6cf549dcbdcc10f9c3115ba5123bdd5a307e CVE-2017-0536 - Pulled Link - https://github.com/android/kernel_msm/commit/e6430a4da1fb0212a546379eadbe986f629c3ae9 CVE-2017-0537 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=389b185cb2f17fff994dbdf8d4bac003d4b2b6b3 CVE-2017-0564 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/941a80cf3340804e488c6ee2742e7a771bd01272 CVE-2017-0568 - Pulled Depends Link - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 Link - https://github.com/android/kernel_msm/commit/a3f3e7ed54aaa4f5f6929f1ed460363fdc8964d6 CVE-2017-0569 - Pulled Link - 3.10 - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 CVE-2017-0570 - Pulled - Link - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 + Link - 3.10 - https://github.com/android/kernel_msm/commit/b7fb46c77af4623291f53a5453df733b8fb1fe18 CVE-2017-0571 - Pulled - Link - https://github.com/android/kernel_msm/commit/4b29d0111186ebef75a9af7da8257697386ac4a4 + Link - 3.10 - https://github.com/android/kernel_msm/commit/4b29d0111186ebef75a9af7da8257697386ac4a4 CVE-2017-0572 - Pulled Link - https://github.com/android/kernel_msm/commit/3afb019c44d750086f8d5228f8c934da2910d8df CVE-2017-0573 - Pulled Link - https://github.com/android/kernel_msm/commit/3d9f2799fd13d1125ab4b3d74a523bd7f2e566f3 CVE-2017-0574 - Pulled Link - https://github.com/android/kernel_msm/commit/e55ddf68568a33288d76f5e00c93f8157cb9a632 CVE-2017-0575 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=a4f790c140d9813c3af66a9b367b4568e053278a @@ -1428,10 +1278,8 @@ CVE-2017-0583 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8f70068650a6e6bef0a41de2e30c17087d3a84d Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=452d2ad331d20b19e8a0768c4b6e7fe1b65abe8f CVE-2017-0584 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b83b9057d56c057d1dfca79ae197583a83766245 CVE-2017-0586 - Pulled Link - https://github.com/android/kernel_msm/commit/05bacdc0f9c16c58326a4be9e88afa870cf1024e CVE-2017-0604 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=6975e2dd5f37de965093ba3a8a08635a77a960f7 @@ -1445,9 +1293,13 @@ CVE-2017-0608 CVE-2017-0609 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=38a83df036084c00e8c5a4599c8ee7880b4ee567 CVE-2017-0610 + Depends Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=65009746a6e649779f73d665934561ea983892fe + Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=2bf336ed7ff29768b63fcf0d9528dd129f516643 CVE-2017-0611 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=1aa5df9246557a98181f03e98530ffd509b954c8 + Link - 3.4 - https://review.lineageos.org/#/c/179797/ + Link - 3.10 - https://review.lineageos.org/#/c/171424/ + Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=1aa5df9246557a98181f03e98530ffd509b954c8 CVE-2017-0612 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=05efafc998dc86c3b75af9803ca71255ddd7a8eb CVE-2017-0613 @@ -1468,7 +1320,6 @@ CVE-2017-0624 CVE-2017-0626 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=64551bccab9b5b933757f6256b58f9ca0544f004 CVE-2017-0627 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=fcca203d8e6aa0ef22fa41d72a06dea393d6d148 CVE-2017-0628 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=012e37bf91490c5b59ba2ab68a4d214b632b613f @@ -1479,86 +1330,60 @@ CVE-2017-0631 CVE-2017-0632 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=970d6933e53c1f7ca8c8b67f49147b18505c3b8f CVE-2017-0633 - Pulled Link - https://github.com/android/kernel_msm/commit/4e38c573e81eb76f09bae425f035be392fbab370 CVE-2017-0648 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/34597d088801ad8060b45026df2435f52136032f CVE-2017-0650 - Pulled Link - https://github.com/android/kernel_msm/commit/c6d874fd2c515406bc33ab78d60df70a47bddae2 CVE-2017-0651 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/c555ed3d0a8133c30731f25263b44d878844e277 CVE-2017-0705 - Pulled Link - https://github.com/android/kernel_msm/commit/e58dd312d3d28331b2e28674c6a49f815a55d4bc CVE-2017-0706 - Pulled Link - https://android.googlesource.com/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a CVE-2017-0710 - Pulled Link - https://android.googlesource.com/kernel/msm/+/f37e859ab4c55c6c56e3c157bbed3024fc8d0dc6 CVE-2017-0740 - Pulled Link - https://github.com/android/kernel_msm/commit/e7fdc1ca00f1e589df8542af7e7acaaa87370625 CVE-2017-0744 - Pulled Link - https://android.googlesource.com/kernel/tegra/+/8054a1fe453e8114bbb56c424e1ea80639bb6b54 CVE-2017-0746 - Pulled Link - https://github.com/android/kernel_msm/commit/a793531b751d8c3609e2bf1a5dc2c0f10e003632 CVE-2017-0747 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7 CVE-2017-0748 - Pulled Link - https://github.com/android/kernel_msm/commit/43ff88a8336310e665941dea6ffec77cc8314706 CVE-2017-0749 - Pulled Link - https://android.googlesource.com/kernel/mediatek/+/7116d306da66de0de21e982024b4d3a3056f4461 CVE-2017-0750 - Pulled Link - https://github.com/android/kernel_msm/commit/3f0531e5775303091a1ff975cdd572cc6a935321 CVE-2017-0751 - Pulled Link - https://github.com/android/kernel_msm/commit/ee4aa31b9f24c28064e509e22c1f9013df768f5f CVE-2017-0786 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=68acc6ab1474e9dde68880a7856e8a74ff86aa19 CVE-2017-0787 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 CVE-2017-0788 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 CVE-2017-0789 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=58168423faa39f5062047eb1d16d294902f0f48b CVE-2017-0790 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5575ff40a53a954ec942ff0c17b193433e72c132 CVE-2017-0791 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2935fde98001eca0f8dafad827933ce60d44ffba CVE-2017-0792 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f35ce58f516c15c022745d687bb1c59ffab63293 CVE-2017-0794 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/47b3a105cc4cec0d912345d27d9743b97691b21c CVE-2017-0824 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/tegra/commit/?id=3d6c7b39db34369e28b0581be26f57e9467f8408 CVE-2017-0825 - Pulled Link - https://github.com/android/kernel_msm/commit/83366dd9ddb9337450f704ceef750a06c69df9ff CVE-2017-1000251 - Pulled Link - 3.0 - https://review.lineageos.org/#/c/189602/ Link - 3.4 - https://review.lineageos.org/#/c/189415/ Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 CVE-2017-1000364 - Pulled Depends Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=640c7dfdc7c723143b1ce42f5569ec8565cbbde7 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=a7d519473a32267e52f1f92141240451e5403dd3 @@ -1571,11 +1396,10 @@ CVE-2017-1000364 Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?h=linux-3.18.y&id=c6aeba66df8743478d7b9f64fa76d88ed4100c67 Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?h=linux-3.18.y&id=509f8f1772ec2972898771ecc376572b6efd184a CVE-2017-1000365 - Pulled Link - 3.10 - https://review.lineageos.org/#/c/179178/1 Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.18.59&id=2dff2164d171e9c27f2f7fa778d408ecf4d1e1ea CVE-2017-1000380 - Pulled + Depends Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ba3021b2c79b2fa9114f92790a99deb27a65b728 Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d11662f4f798b50d8c8743f433842c3e40fe3378 CVE-2017-10661 @@ -1583,24 +1407,21 @@ CVE-2017-10661 CVE-2017-10662 Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=b9dd46188edc2f0d1f37328637860bb65a771124 CVE-2017-10663 - Dupe - Link - https://github.com/aosp-mirror/kernel_msm/commit/2b97ce290c589827e21838c70c9c5601b663037a - Link - https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-stable.git/commit/?h=linux-3.18.y&id=deaeed5b8acdd10c388616bbc57416cf3db213ff + Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/2b97ce290c589827e21838c70c9c5601b663037a + Link - 3.18 - https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-stable.git/commit/?h=linux-3.18.y&id=deaeed5b8acdd10c388616bbc57416cf3db213ff CVE-2017-10996 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9f261e5dfe101bbe35043822a89bffa78e080b3b CVE-2017-10997 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=fae242db5e1943ba878b4fb215fe6e7f1c387a20 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=a395a070880acc679e3832b21d96504edbbe4af2 CVE-2017-10998 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=208e72e59c8411e75d4118b48648a5b7d42b1682 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=9ffb3cdd7279b011a509267caa4a5119fd6346c0 + Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=208e72e59c8411e75d4118b48648a5b7d42b1682 CVE-2017-10999 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=f51a152ad52108457ae6b1caf7a04857f25c4bed CVE-2017-11000 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=af787fdedeb62964efaf9e969ad17e3b6c232082 CVE-2017-11001 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d5d2c9baff89932e822ceae74b1569af07d55f19 CVE-2017-11002 Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=64c0865bb0c5a642ba420967b23e0f66e035b300 @@ -1634,70 +1455,54 @@ CVE-2017-11028 Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fd70b655d901e626403f132b65fc03d993f0a09b Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6724296d3f3b2821b83219768c1b9e971e380a9f CVE-2017-11029 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=86f0d207d478e1681f6711b46766cfb3c6a30fb5 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=74ab23917b82769644a3299da47b58e080aa63f2 + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=74ab23917b82769644a3299da47b58e080aa63f2 + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=86f0d207d478e1681f6711b46766cfb3c6a30fb5 CVE-2017-11032 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2720294757d0ad5294283c15dc837852f7b2329a CVE-2017-11035 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c5060da3e741577578d66dfadb7922d853da6156 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=cc1896424ae7a346090f601bc69c6ca51d9c3e04 CVE-2017-11040 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7a4d0eea0ca0c8a72111ae58d9829be817f102c9 CVE-2017-11046 - Pulled Link - https://github.com/android/kernel_msm/commit/5ff192e2c758298680b0c6cd364a55c59850901f CVE-2017-11048 - Pulled Link - https://github.com/android/kernel_msm/commit/a42f6e19316e9e5aaaf8bd2c3bec25fde136dcaa CVE-2017-11050 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=725674586f5bc009ef5175d29eb0fd677e0ef1f2 CVE-2017-11051 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c8f263f0e3b0b6cba38fae9b2330d77f802c51d8 CVE-2017-11052 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=c1ea8487f35d3f4dea574552afda6a1637f98bbb CVE-2017-11053 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=99c00329bc13c526305dc826950c2cc117e6725d CVE-2017-11054 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4d9812973e8b12700afd8c3d6f36a94506ffb6fc CVE-2017-11055 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=708633ca627031373f5cc3ca2e8994e7d694905a CVE-2017-11056 - Pulled Link - https://github.com/android/kernel_msm/commit/d5481967f73c5448b9b2ae528a75faa0b040bc42 CVE-2017-11057 - Pulled Link - https://github.com/android/kernel_msm/commit/270bb9351889878dbfc87a6797886cb3caf42430 CVE-2017-11058 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=4d9812973e8b12700afd8c3d6f36a94506ffb6fc CVE-2017-11059 - Pulled Link - https://github.com/android/kernel_msm/commit/be632ce97422dfe533944186e2f4420b87b87ad5 CVE-2017-11060 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=657bb41463b837b2681e1fed310bd97970b09b83 CVE-2017-11061 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=e08628a3cfe039bc4bdd7fc66f5ec7a59a97b404 CVE-2017-11062 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=954bdf216ce56a860092fd9549229b036e08c97b CVE-2017-11064 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=38d6f16b8583bae6a1881c744ae08d609c99cb7e CVE-2017-11067 - Pulled Link - https://github.com/aosp-mirror/kernel_msm/commit/3fabdcba3a09ce8f3cc757bf6240e53421a1e363 CVE-2017-11600 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e + Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e CVE-2017-12146 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git/commit/?h=driver-core-next&id=6265539776a0810b7ce6398c27866ddb9c6bd154 + Link - 3.16+ - https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git/commit/?h=driver-core-next&id=6265539776a0810b7ce6398c27866ddb9c6bd154 CVE-2017-12153 - Pulled Link - 3.2-^3.16 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.2.94&id=082d8a6a55d2b6583d9e93ac9796efdf4c412658 CVE-2017-13080 Link - https://github.com/torvalds/linux/commit/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e @@ -1709,72 +1514,60 @@ CVE-2017-13080-Extra Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/dc0c59d66b8679dc870c9aa568647d0be71501b7 Link - https://github.com/LineageOS/android_kernel_lge_hammerhead/commit/706ccb5adc54e349c491ebeb462c121d6467c863 CVE-2017-15265 - Pulled Link - ^4.14 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.18.76&id=035e6d0b5b192ff5e168ed322304d29db108d790 CVE-2017-2618 - Pulled Link - 3.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.10.107&id=a71b4196a72f09ed223d8140de7fd47ccdaf6e2b CVE-2017-2636 - Pulled Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b CVE-2017-2671 - Pulled Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/net/ipv4/ping.c?id=43a6684519ab0a6c52024b5e25322476cabad893 CVE-2017-5546 - Pulled Link - 4.7-^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c4e490cf148e85ead0d1b1c2caaba833f1d5b29f CVE-2017-5547 - Pulled Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6d104af38b570d37aa32a5803b04c354f8ed513d CVE-2017-5550 - Pulled Link - 4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb CVE-2017-5551 - Pulled Link - 3.14-^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31 CVE-2017-5669 - Pulled Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95e91b831f87ac8e1f8ed50c14d709089b4e01b8 CVE-2017-5897 Link - https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a8fbaf33756 CVE-2017-5967 - Pulled Link - 3.10 - https://review.lineageos.org/163292 Link - 3.18 - https://review.lineageos.org/170669 Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 CVE-2017-5970 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b2cef20f19c87999fff3da4071e66937db9644 + Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b2cef20f19c87999fff3da4071e66937db9644 CVE-2017-5972 - Pulled Link - https://github.com/android/kernel_msm/commit/e994b2f0fb9229aeff5eea9541320bd7b2ca8714 + Link - https://review.lineageos.org/#/c/181001/ CVE-2017-5986 - Pulled Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dcab598484185dea7ec22219c76dcdd59e3cb90 CVE-2017-6001 - Link - https://android-review.googlesource.com/#/c/438399/ + Link - 3.2-3.4 - http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=9eb0e01be831d0f37ea6278a92c32424141f55fb + Link - ^4.9 - https://android-review.googlesource.com/#/c/438399/ CVE-2017-6074 - Link - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 + Link - ^4.9 - https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 CVE-2017-6214 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82 + Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82 CVE-2017-6345 - Pulled Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b74d439e1697110c5e5c600643e823eb1dd0762 CVE-2017-6346 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d199fab63c11998a602205f7ee7ff7c05c97164b + Link - 3.18 - https://android.googlesource.com/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791%5E%21/#F0 + Link - ^4.9 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d199fab63c11998a602205f7ee7ff7c05c97164b CVE-2017-6347 - Pulled Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 CVE-2017-6348 - Pulled Link - ^4.9 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c03b862b12f980456f9de92db6d508a4999b788 CVE-2017-6353 - Pulled Link - ^4.10 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 CVE-2017-6421 Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=be42c7ff1f0396484882451fd18f47144c8f1b6b CVE-2017-6423 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0f264f812b61884390b432fdad081a3e995ba768 CVE-2017-6424 + Link - prima - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=8cac3c4aac106b917e60e7aa7d4c4189e376913c Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=5cc2ac840e36a3342c5194c20b314f0bb95ef7e1 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=4e44b25b26a594aa818 CVE-2017-6425 @@ -1782,19 +1575,16 @@ CVE-2017-6425 CVE-2017-6426 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=80decd6365deec08c35ecb902a58f9210599b39a CVE-2017-6874 - Pulled Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=040757f738e13caaa9c5078bca79aa97e11dde88 CVE-2017-6951 - Pulled Link - ^3.14 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=44d6e10f77095133e3882529a16b686b2305e6b0 CVE-2017-7184 Depends Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f843ee6dd019bcece3e74e76ad9df0155655d0df CVE-2017-7187 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124 + Link - 3.7-^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.11/scsi-fixes&id=bf33f87dd04c371ea33feb821b60d63d754e3124 CVE-2017-7277 - Pulled Depends Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ef1b2869447411ad3ef91ad7d4891a83c1a509a Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8605330aac5a5785630aec8f64378a54891937cc @@ -1817,33 +1607,34 @@ CVE-2017-7369 CVE-2017-7370 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=970edf007fbe64b094437541a42477d653802d85 CVE-2017-7371 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=e02e63b8014f7a0a5ea17a5196fb4ef1283fd1fd + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=e02e63b8014f7a0a5ea17a5196fb4ef1283fd1fd CVE-2017-7372 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=1806be003731d6d4be55e5b940d14ab772839e13 CVE-2017-7373 - Link - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=e5eb0d3aa6fe62ee437a2269a1802b1a72f61b75 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=caf/linux-next/akpm&id=eac4a77bb71750b02e91508b15c9aaf4fe2b94ae + Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=e5eb0d3aa6fe62ee437a2269a1802b1a72f61b75 CVE-2017-7374 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1b53cf9815bb4744958d41f3795d5d5a1d365e2d + Link - 4.2-4.10 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1b53cf9815bb4744958d41f3795d5d5a1d365e2d CVE-2017-7472 - Pulled Link - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=6efda2501976288f10895834ba2782d0df093441 CVE-2017-7487 Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee0d8d8482345ff97a75a7d747efc309f13b0d80 CVE-2017-7495 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824 + Depends + Link - 3.18 - https://review.lineageos.org/#/c/175288 + Link - 3.18 - https://review.lineageos.org/#/c/175289 + Link - ^4.6 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824 CVE-2017-7541 Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c CVE-2017-7616 - Link - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 + Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 CVE-2017-7618 - Pulled Link - 3.0 - https://github.com/fourkbomb/linux/commits/4a0d9b8d06893c56c7e66fcf8d91ef67770cf9ef Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c2798145e731005fa1e6ee2a489940c1dd8f03e4 CVE-2017-7889 - Pulled Link - ^4.10 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4866aa812518ed1a37d8ea0c881dc946409de94 CVE-2017-7979 - Pulled Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e0535ce58b92d7baf0b33284a6c4f8f0338f943e CVE-2017-8233 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385 @@ -1885,7 +1676,8 @@ CVE-2017-8247 CVE-2017-8250 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37 CVE-2017-8251 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=771254edea3486535453dbb76d090cd6bcf92af9 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=3a42f1b79ed696f29350f170c00f27712ae84a36 + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=771254edea3486535453dbb76d090cd6bcf92af9 CVE-2017-8253 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=a5f07894058c4198f61e533d727b343c5be879b0 CVE-2017-8254 @@ -1899,22 +1691,25 @@ CVE-2017-8258 CVE-2017-8259 Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=68020103af00280393da10039b968c95d68e526c CVE-2017-8260 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8f236391e5187c05f7f4b937856944be0af7aaa5 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=7b7534d96813ffe502271b0b3fae0d0d12e3e05b CVE-2017-8261 - Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c + Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=8576feebaf688dadf0548b9a16d2b90b76ed714c CVE-2017-8262 + Link - 3.10 - https://android.googlesource.com/kernel/msm/+/6e95883e47953902ff6a5125a12cf83aa0a7de69 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=20c8f1c393ec2726ac46642ae8883643f2427c4f Link - 4.4 - https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=9ef4ee8e3dfaf4e796bda781826851deebbd89bd CVE-2017-8263 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2a2f0b7463f4de9ca225769204ff62c71760709c CVE-2017-8264 - Pulled Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=4268b75208ca04bc63dcfadbb9a1eca8e964a697 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?h=LA.UM.5.5.r1-05100-8x96.0&id=53c6b89349730765a71722d274fc3fa41287d21f CVE-2017-8265 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=193813a21453ccc7fb6b04bedf881a6feaaa015f CVE-2017-8266 + Link - 3.10 - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=aa23820b001ab1cfb86b79014e9fc44cd2be9ece Link - 3.18 - https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=42627c94cf8c189332a6f5bfdd465ea662777911 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=64e4e29356928bea60ae4be5b387eb7d8d7a7f45 CVE-2017-8267 @@ -1923,7 +1718,6 @@ CVE-2017-8268 Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5f3b68da4c8f6474df2497b6d912465d640904b8 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=fab64410d005a7dee8ed02557a0ca26e4c5242ff CVE-2017-8269 - Pulled Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b925d9f76164475abb6f6a557327095156c9b249 CVE-2017-8270 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ff96565f1dbabfeb7fb2c1604f40af768579d9df @@ -1939,33 +1733,33 @@ CVE-2017-8281 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9be5b16de622c2426408425e3df29e945cd21d37 Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=9b209c4552779edb86221787fb8681dd212e3a0c CVE-2017-8890 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a + Link - 3.4 - https://review.lineageos.org/#/c/173325/ + Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a CVE-2017-9074 - Pulled Depends Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=ad8a4d9d3f255a783d534a47d4b4ac611bb291d8 Link - 3.2 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=f7c2d2d7ebf9a110cafbe53199457c318f61a192 Link - ^4.11 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2423496af35d94a87156b063ea5cedffc10a70a1 CVE-2017-9075 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 + Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 CVE-2017-9076 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 + Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9077 - Link - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 + Link - ^4.11 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9150 - Link - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0e57697f162da4aa218b5feafe614fb666db07 + Link - ^4.11 - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0e57697f162da4aa218b5feafe614fb666db07 CVE-2017-9242 - Pulled Link - ^4.11 - https://github.com/torvalds/linux/commit/232cd35d0804cc241eb887bb8d4d9b3b9881c64a CVE-2017-9676 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c1f749639030305a3b02185c180240a8195fb715 + Link - 3.0+ - https://github.com/LineageOS/android_kernel_motorola_msm8960-common/commit/d109d8d7e2998a635406215a559e298fa7ef4bb8 + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c1f749639030305a3b02185c180240a8195fb715 CVE-2017-9677 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b62291edb424281ed31a4e15140b16972ce9eef1 + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b CVE-2017-9678 Link - 3.18 - https://github.com/android/kernel_msm/commit/420d0dc1b4563880f962002e8cb21e733bf074eb Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=ad8e758d30164290a71d9c59fbf7854029556a3e CVE-2017-9679 - Pulled Link - https://github.com/android/kernel_msm/commit/31f54e33d88c676bedb64127b5ae0c60d06f9518 CVE-2017-9680 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dcd0a696c33dd3ab824151833d787f3ff90abbba @@ -1973,17 +1767,16 @@ CVE-2017-9682 Link - 3.18 - https://github.com/android/kernel_msm/commit/cd821a40b76919b0815a9a7c09d0f6cf1f15a7ee Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9 CVE-2017-9684 - Pulled + Depends Link - https://github.com/android/kernel_msm/commit/d3d636627c8bb57a64bfadcc5d282c35d152f563 Link - https://github.com/android/kernel_msm/commit/83cf9f50cda5ab3f99055242bebbcb26d96319ad Link - https://github.com/android/kernel_msm/commit/b2fa897c8e86362946ec524ed47300164a33453d CVE-2017-9686 Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.18.git;a=commit;h=de875dd095d3ec0906c77518d28f793e6c69a9da CVE-2017-9687 - Pulled - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=8f1a77f5da53edd2b5a1c42ddd766712a90109d6 + Link - 3.18 - https://github.com/android/kernel_msm/commit/34cff2eb2adc663de32ca682b57551c50c9253c6 + Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=8f1a77f5da53edd2b5a1c42ddd766712a90109d6 CVE-2017-9691 - Pulled Depends Link - https://github.com/android/kernel_msm/commit/869bd2cd3d6c17826b6f162e0d721174224b867a Link - https://github.com/android/kernel_msm/commit/04468bc1d72f15e6b8f19014e8c6203038dd6b23 @@ -1994,28 +1787,28 @@ CVE-2017-9693 CVE-2017-9694 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef CVE-2017-9697 - Link - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 + Link - 3.18 - https://github.com/android/kernel_msm/commit/4b788ca419ec37e4cdb421fef9edc208a491ce30 + Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 CVE-2017-9706 - Pulled Link - https://github.com/android/kernel_msm/commit/7489a0a8f68d0f018d0f9df5df157bb20f83b05e CVE-2017-9714 Link - qcacld-2.0 - https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3 CVE-2017-9715 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=58350a7bcb827c0ac81f0750a62d5c5a8ed3a469 CVE-2017-9717 - Pulled Link - qcacld-2.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=bf7486fb6d82fb9ad02e303b6fdf4061cfc0375d CVE-2017-9719 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a491499c3490999555b7ccf8ad1a7d6455625807 Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d815f54f15d765b5e0035a9d208d71567bcaace0 CVE-2017-9720 - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d - Link - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2c5616295a5411812188f515d6ecf1984b9c1798 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c74dbab508c7c07d8e2cf8230cc78bff4b710272 + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=737f415a5c637802786ec6d36288220cb4d3ae4d + Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2c5616295a5411812188f515d6ecf1984b9c1798 CVE-2017-9724 Link - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5328a92fa26eabe2ba259b1d813f9de488efc9ec CVE-2017-9725 - Link - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?h=aosp/android-4.4&id=1f8f9b566e8446c13b954220c226c58d22076f88 + Link - 3.10 - https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=5479a3c164c8762b5bf91c5fae452882366adb6a + Link - 4.4 - https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?h=aosp/android-4.4&id=1f8f9b566e8446c13b954220c226c58d22076f88 LVT-2017-0001 Link - 3.0 - https://review.lineageos.org/#/c/171511 Link - 3.4 - https://review.lineageos.org/#/c/170648