patching CVE

CVE.md

@@ -0,0 +1,72 @@
+| ID               | STATUS/COMMIT                            |
+|------------------|------------------------------------------|
+| CVE-2010-5321    | no patch available                       |
+| CVE-2014-9410    | not affected                             |
+| CVE-2015-0568    | not affected                             |
+| CVE-2015-0569    | not affected                             |
+| CVE-2015-0570    | not affected                             |
+| CVE-2015-0571    | not affected                             |
+| CVE-2015-0572    | not affected                             |
+| CVE-2015-0573    | not affected                             |
+| CVE-2015-1350    | not affected                             |
+| CVE-2015-2877    | no patch available                       |
+| CVE-2016-2059    | not affected                             |
+| CVE-2016-2061    | not affected                             |
+| CVE-2016-2062    | not affected                             |
+| CVE-2016-2063    | not affected                             |
+| CVE-2016-2064    | not affected                             |
+| CVE-2016-2065    | not affected                             |
+| CVE-2016-2066    | not affected                             |
+| CVE-2016-2067    | not affected                             |
+| CVE-2016-2068    | not affected                             |
+| CVE-2016-5340    | not affected                             |
+| CVE-2016-5342    | not affected                             |
+| CVE-2016-5343    | not affected                             |
+| CVE-2016-5344    | not affected                             |
+| CVE-2016-5870    | not affected                             |
+| CVE-2017-1000251 | not affected                             |
+| CVE-2017-1000405 | not affected                             |
+| CVE-2017-1000407 | not affected                             |
+| CVE-2017-1000410 | 06e7e776ca4d36547e503279aeff996cbb292c16 |
+| CVE-2017-12193   | not affected                             |
+| CVE-2017-15102   | 2fae9e5a7babada041e2e161699ade2447a01989 |
+| CVE-2017-15115   | df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 |
+| CVE-2017-15116   | not affected                             |
+| CVE-2017-15127   | not affected                             |
+| CVE-2017-15129   | not affected                             |
+| CVE-2017-15868   | 71bb99a02b32b4cc4265118e85f6035ca72923f0 |
+| CVE-2017-16939   | open                                     |
+| CVE-2017-16994   | 373c4557d2aa362702c4c2d41288fb1e54990b7c |
+| CVE-2017-17052   | 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a |
+| CVE-2017-17053   | not affected                             |
+| CVE-2017-17805   | ecaaab5649781c5a0effdaf298a925063020500e |
+| CVE-2017-17806   | af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 |
+| CVE-2017-17807   | 4dca6ea1d9432052afb06baf2e3ae78188a4410b |
+| CVE-2017-18075   | not affected                             |
+| CVE-2017-18079   | 340d394a789518018f834ff70f7534fc463d3226 |
+| CVE-2017-18174   | not affected                             |
+| CVE-2017-18193   | not affected                             |
+| CVE-2017-18203   | b9a41d21dceadf8104812626ef85dc56ee8a60ed |
+| CVE-2017-18204   | 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 |
+| CVE-2017-18208   | 6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 |
+| CVE-2017-18216   | 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 |
+| CVE-2017-18218   | not affected                             |
+| CVE-2017-18224   | not affected                             |
+| CVE-2017-18241   | d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 |
+| CVE-2017-18255   | 1572e45a924f254d9570093abde46430c3172e3d |
+| CVE-2017-18257   | b86e33075ed1909d8002745b56ecf73b833db143 |
+| CVE-2017-18261   | not affected                             |
+| CVE-2017-18270   | open                                     |
+| CVE-2017-5972    | not affected                             |
+| CVE-2018-10021   | 318aaf34f1179b39fa9c30fa0f3288b645beee39 |
+| CVE-2018-10074   | dd83c161fbcc5d8be637ab159c0de015cbff5ba4 |
+| CVE-2018-10087   | not affected                             |
+| CVE-2018-10124   | 4ea77014af0d6205b05503d1c7aac6eace11d473 |
+| CVE-2018-10675   | 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 |
+| CVE-2018-10940   | not affected                             |
+| CVE-2018-11232   | not affected                             |
+| CVE-2018-1130    | 67f93df79aeefc3add4e4b31a752600f834236e2 |
+| CVE-2018-11508   | not affected                             |
+| CVE-2018-6927    | fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a |
+| CVE-2018-7480    | not affected                             |
+| CVE-2018-8781    | 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 |

arch/arm/configs/kminilte_00_defconfig

@@ -40,7 +40,7 @@ CONFIG_EXPERIMENTAL=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
 CONFIG_LOCALVERSION=""
-# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_LOCALVERSION_AUTO=y
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_LZMA=y
 CONFIG_HAVE_KERNEL_XZ=y

arch/x86/crypto/salsa20_glue.c

@@ -64,13 +64,6 @@ static int encrypt(struct blkcipher_desc *desc,
 
 	salsa20_ivsetup(ctx, walk.iv);
 
-	if (likely(walk.nbytes == nbytes))
-	{
-		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
-				      walk.dst.virt.addr, nbytes);
-		return blkcipher_walk_done(desc, &walk, 0);
-	}
-
 	while (walk.nbytes >= 64) {
 		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
 				      walk.dst.virt.addr,

crypto/hmac.c

@@ -197,11 +197,15 @@ static int hmac_create(struct crypto_template *tmpl, struct rtattr **tb)
 	salg = shash_attr_alg(tb[1], 0, 0);
 	if (IS_ERR(salg))
 		return PTR_ERR(salg);
+	alg = &salg->base;
 
+	/* The underlying hash algorithm must be unkeyed */
 	err = -EINVAL;
+	if (crypto_shash_alg_has_setkey(salg))
+		goto out_put_alg;
+
 	ds = salg->digestsize;
 	ss = salg->statesize;
-	alg = &salg->base;
 	if (ds > alg->cra_blocksize ||
 	    ss < alg->cra_blocksize)
 		goto out_put_alg;

crypto/salsa20_generic.c

@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
 
 	salsa20_ivsetup(ctx, walk.iv);
 
-	if (likely(walk.nbytes == nbytes))
-	{
-		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
-				      walk.src.virt.addr, nbytes);
-		return blkcipher_walk_done(desc, &walk, 0);
-	}
-
 	while (walk.nbytes >= 64) {
 		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
 				      walk.src.virt.addr,

crypto/shash.c

@@ -24,11 +24,12 @@
 
 static const struct crypto_type crypto_shash_type;
 
-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-			   unsigned int keylen)
+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+		    unsigned int keylen)
 {
 	return -ENOSYS;
 }
+EXPORT_SYMBOL_GPL(shash_no_setkey);
 
 static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
 				  unsigned int keylen)

drivers/gpu/drm/udl/udl_fb.c

@@ -247,10 +247,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;

drivers/input/serio/i8042.c

@@ -390,8 +390,10 @@ static int i8042_start(struct serio *serio)
 {
 	struct i8042_port *port = serio->port_data;
 
+	spin_lock_irq(&i8042_lock);
 	port->exists = true;
-	mb();
+	spin_unlock_irq(&i8042_lock);
+
 	return 0;
 }
 
@@ -404,16 +406,20 @@ static void i8042_stop(struct serio *serio)
 {
 	struct i8042_port *port = serio->port_data;
 
+	spin_lock_irq(&i8042_lock);
 	port->exists = false;
+	port->serio = NULL;
+	spin_unlock_irq(&i8042_lock);
 
 	/*
+	 * We need to make sure that interrupt handler finishes using
+	 * our serio port before we return from this function.
 	 * We synchronize with both AUX and KBD IRQs because there is
 	 * a (very unlikely) chance that AUX IRQ is raised for KBD port
 	 * and vice versa.
 	 */
 	synchronize_irq(I8042_AUX_IRQ);
 	synchronize_irq(I8042_KBD_IRQ);
-	port->serio = NULL;
 }
 
 /*
@@ -530,7 +536,7 @@ static irqreturn_t i8042_interrupt(int irq, void *dev_id)
 
 	spin_unlock_irqrestore(&i8042_lock, flags);
 
-	if (likely(port->exists && !filtered))
+	if (likely(serio && !filtered))
 		serio_interrupt(serio, data, dfl);
 
  out:

drivers/md/dm.c

@@ -2691,11 +2691,15 @@ struct mapped_device *dm_get_from_kobject(struct kobject *kobj)
 
 	md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
 
-	if (test_bit(DMF_FREEING, &md->flags) ||
-	    dm_deleting_md(md))
-		return NULL;
-
+	spin_lock(&_minor_lock);
+	if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) {
+		md = NULL;
+		goto out;
+	}
 	dm_get(md);
+out:
+	spin_unlock(&_minor_lock);
+
 	return md;
 }
 

drivers/scsi/libsas/sas_scsi_host.c

@@ -250,6 +250,7 @@ int sas_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
 static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
 {
 	struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host);
+	struct domain_device *dev = cmd_to_domain_dev(cmd);
 	struct sas_task *task = TO_SAS_TASK(cmd);
 
 	/* At this point, we only get called following an actual abort
@@ -258,37 +259,29 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
 	 */
 	sas_end_task(cmd, task);
 
+	if (dev_is_sata(dev)) {
+		/* defer commands to libata so that libata EH can
+		 * handle ata qcs correctly
+		 */
+		list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q);
+		return;
+	}
+
 	/* now finish the command and move it on to the error
 	 * handler done list, this also takes it off the
 	 * error handler pending list.
 	 */
 	scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q);
 }
 
-static void sas_eh_defer_cmd(struct scsi_cmnd *cmd)
-{
-	struct domain_device *dev = cmd_to_domain_dev(cmd);
-	struct sas_ha_struct *ha = dev->port->ha;
-	struct sas_task *task = TO_SAS_TASK(cmd);
-
-	if (!dev_is_sata(dev)) {
-		sas_eh_finish_cmd(cmd);
-		return;
-	}
-
-	/* report the timeout to libata */
-	sas_end_task(cmd, task);
-	list_move_tail(&cmd->eh_entry, &ha->eh_ata_q);
-}
-
 static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd)
 {
 	struct scsi_cmnd *cmd, *n;
 
 	list_for_each_entry_safe(cmd, n, error_q, eh_entry) {
 		if (cmd->device->sdev_target == my_cmd->device->sdev_target &&
 		    cmd->device->lun == my_cmd->device->lun)
-			sas_eh_defer_cmd(cmd);
+			sas_eh_finish_cmd(cmd);
 	}
 }
 
@@ -581,12 +574,12 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
 		case TASK_IS_DONE:
 			SAS_DPRINTK("%s: task 0x%p is done\n", __func__,
 				    task);
-			sas_eh_defer_cmd(cmd);
+			sas_eh_finish_cmd(cmd);
 			continue;
 		case TASK_IS_ABORTED:
 			SAS_DPRINTK("%s: task 0x%p is aborted\n",
 				    __func__, task);
-			sas_eh_defer_cmd(cmd);
+			sas_eh_finish_cmd(cmd);
 			continue;
 		case TASK_IS_AT_LU:
 			SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task);
@@ -597,7 +590,7 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
 					    "recovered\n",
 					    SAS_ADDR(task->dev),
 					    cmd->device->lun);
-				sas_eh_defer_cmd(cmd);
+				sas_eh_finish_cmd(cmd);
 				sas_scsi_clear_queue_lu(work_q, cmd);
 				goto Again;
 			}

drivers/usb/misc/legousbtower.c

@@ -951,24 +951,6 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
 	dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
 	dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
 
-	/* we can register the device now, as it is ready */
-	usb_set_intfdata (interface, dev);
-
-	retval = usb_register_dev (interface, &tower_class);
-
-	if (retval) {
-		/* something prevented us from registering this driver */
-		err ("Not able to get a minor for this device.");
-		usb_set_intfdata (interface, NULL);
-		goto error;
-	}
-	dev->minor = interface->minor;
-
-	/* let the user know what node this device is now attached to */
-	dev_info(&interface->dev, "LEGO USB Tower #%d now attached to major "
-		 "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
-		 USB_MAJOR, dev->minor);
-
 	/* get the firmware version and log it */
 	result = usb_control_msg (udev,
 				  usb_rcvctrlpipe(udev, 0),
@@ -989,6 +971,23 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
 		 get_version_reply.minor,
 		 le16_to_cpu(get_version_reply.build_no));
 
+	/* we can register the device now, as it is ready */
+	usb_set_intfdata (interface, dev);
+
+	retval = usb_register_dev (interface, &tower_class);
+
+	if (retval) {
+		/* something prevented us from registering this driver */
+		err ("Not able to get a minor for this device.");
+		usb_set_intfdata (interface, NULL);
+		goto error;
+	}
+	dev->minor = interface->minor;
+
+	/* let the user know what node this device is now attached to */
+	dev_info(&interface->dev, "LEGO USB Tower #%d now attached to major "
+		 "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
+		 USB_MAJOR, dev->minor);
 
 exit:
 	dbg(2, "%s: leave, return value 0x%.8lx (dev)", __func__, (long) dev);

fs/f2fs/data.c

@@ -722,7 +722,7 @@ static int __get_data_block(struct inode *inode, sector_t iblock,
 	if (!ret) {
 		map_bh(bh, inode->i_sb, map.m_pblk);
 		bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags;
-		bh->b_size = map.m_len << inode->i_blkbits;
+		bh->b_size = (u64)map.m_len << inode->i_blkbits;
 	}
 	return ret;
 }

fs/f2fs/segment.c

@@ -488,6 +488,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi)
 	init_waitqueue_head(&fcc->flush_wait_queue);
 	init_llist_head(&fcc->issue_list);
 	SM_I(sbi)->cmd_control_info = fcc;
+	if (!test_opt(sbi, FLUSH_MERGE))
+		return err;
+
 	fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi,
 				"f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev));
 	if (IS_ERR(fcc->f2fs_issue_flush)) {
@@ -2386,7 +2389,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi)
 
 	INIT_LIST_HEAD(&sm_info->sit_entry_set);
 
-	if (test_opt(sbi, FLUSH_MERGE) && !f2fs_readonly(sbi->sb)) {
+	if (!f2fs_readonly(sbi->sb)) {
 		err = create_flush_cmd_control(sbi);
 		if (err)
 			return err;