Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Kosina <jkosina@suse.cz>2018-04-16 14:16:00 +0200
committerJiri Kosina <jkosina@suse.cz>2018-04-16 14:16:19 +0200
commit3dac46e1c10b3ef70e3361125c2e2228e7ac69f8 (patch)
tree3a6ce2f914139f34ae307a825a3b5e8674bc1c99
parent75dad8a8328b800fb66fb7053164a082ba6ea722 (diff)
parent6372b2fc719969b82ee69a11424b60ff2efdb012 (diff)
Merge branch 'cve/linux-3.0' into SLE11-SP4rpm-3.0.101-108.38
Conflicts: series.conf
-rw-r--r--patches.drivers/ALSA-pcm-prevent-UAF-in-snd_pcm_info36
-rw-r--r--patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue159
-rw-r--r--patches.drivers/ALSA-seq-More-protection-for-concurrent-write-and-io177
-rw-r--r--patches.fixes/0001-kernel-exit.c-avoid-undefined-behaviour-when-calling.patch58
-rw-r--r--patches.fixes/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch42
-rw-r--r--series.conf7
6 files changed, 479 insertions, 0 deletions
diff --git a/patches.drivers/ALSA-pcm-prevent-UAF-in-snd_pcm_info b/patches.drivers/ALSA-pcm-prevent-UAF-in-snd_pcm_info
new file mode 100644
index 0000000000..5cac6f8832
--- /dev/null
+++ b/patches.drivers/ALSA-pcm-prevent-UAF-in-snd_pcm_info
@@ -0,0 +1,36 @@
+From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Tue, 5 Dec 2017 09:16:55 -0800
+Subject: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info
+Git-commit: 362bca57f5d78220f8b5907b875961af9436e229
+Patch-mainline: v4.15-rc3
+References: CVE-2017-0861,bsc#1088260
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Note: this fixes CVE-2017-0861
+
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -144,7 +144,9 @@ static int snd_pcm_control_ioctl(struct
+ err = -ENXIO;
+ goto _error;
+ }
++ mutex_lock(&pcm->open_mutex);
+ err = snd_pcm_info_user(substream, info);
++ mutex_unlock(&pcm->open_mutex);
+ _error:
+ mutex_unlock(&register_mutex);
+ return err;
diff --git a/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue b/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue
new file mode 100644
index 0000000000..9de8bfe24c
--- /dev/null
+++ b/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue
@@ -0,0 +1,159 @@
+From d0f833065221cbfcbadf19fd4102bcfa9330006a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Mar 2018 21:58:28 +0100
+Subject: [PATCH] ALSA: seq: Fix possible UAF in snd_seq_check_queue()
+Git-commit: d0f833065221cbfcbadf19fd4102bcfa9330006a
+Patch-mainline: v4.16-rc6
+References: CVE-2018-7566,bsc#1083483
+
+Although we've covered the races between concurrent write() and
+ioctl() in the previous patch series, there is still a possible UAF in
+the following scenario:
+
+A: user client closed B: timer irq -> snd_seq_release() -> snd_seq_timer_interrupt() -> snd_seq_free_client() -> snd_seq_check_queue() -> cell = snd_seq_prioq_cell_peek() -> snd_seq_prioq_leave() .... removing all cells -> snd_seq_pool_done() .... vfree() -> snd_seq_compare_tick_time(cell) ... Oops
+
+So the problem is that a cell is peeked and accessed without any
+protection until it's retrieved from the queue again via
+snd_seq_prioq_cell_out().
+
+This patch tries to address it, also cleans up the code by a slight
+refactoring. snd_seq_prioq_cell_out() now receives an extra pointer
+argument. When it's non-NULL, the function checks the event timestamp
+with the given pointer. The caller needs to pass the right reference
+either to snd_seq_tick or snd_seq_realtime depending on the event
+timestamp type.
+
+A good news is that the above change allows us to remove the
+snd_seq_prioq_cell_peek(), too, thus the patch actually reduces the
+code size.
+
+Reviewed-by: Nicolai Stange <nstange@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/seq/seq_prioq.c | 28 ++++++++++++++--------------
+ sound/core/seq/seq_prioq.h | 6 ++----
+ sound/core/seq/seq_queue.c | 28 +++++++++-------------------
+ 3 files changed, 25 insertions(+), 37 deletions(-)
+
+--- a/sound/core/seq/seq_prioq.c
++++ b/sound/core/seq/seq_prioq.c
+@@ -89,7 +89,7 @@ void snd_seq_prioq_delete(struct snd_seq
+ if (f->cells > 0) {
+ /* drain prioQ */
+ while (f->cells > 0)
+- snd_seq_cell_free(snd_seq_prioq_cell_out(f));
++ snd_seq_cell_free(snd_seq_prioq_cell_out(f, NULL));
+ }
+
+ kfree(f);
+@@ -216,8 +216,18 @@ int snd_seq_prioq_cell_in(struct snd_seq
+ return 0;
+ }
+
++/* return 1 if the current time >= event timestamp */
++static int event_is_ready(struct snd_seq_event *ev, void *current_time)
++{
++ if ((ev->flags & SNDRV_SEQ_TIME_STAMP_MASK) == SNDRV_SEQ_TIME_STAMP_TICK)
++ return snd_seq_compare_tick_time(current_time, &ev->time.tick);
++ else
++ return snd_seq_compare_real_time(current_time, &ev->time.time);
++}
++
+ /* dequeue cell from prioq */
+-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
++ void *current_time)
+ {
+ struct snd_seq_event_cell *cell;
+ unsigned long flags;
+@@ -229,6 +239,8 @@ struct snd_seq_event_cell *snd_seq_prioq
+ spin_lock_irqsave(&f->lock, flags);
+
+ cell = f->head;
++ if (cell && current_time && !event_is_ready(&cell->event, current_time))
++ cell = NULL;
+ if (cell) {
+ f->head = cell->next;
+
+@@ -254,18 +266,6 @@ int snd_seq_prioq_avail(struct snd_seq_p
+ return f->cells;
+ }
+
+-
+-/* peek at cell at the head of the prioq */
+-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq * f)
+-{
+- if (f == NULL) {
+- snd_printd("oops: snd_seq_prioq_cell_in() called with NULL prioq\n");
+- return NULL;
+- }
+- return f->head;
+-}
+-
+-
+ static inline int prioq_match(struct snd_seq_event_cell *cell,
+ int client, int timestamp)
+ {
+--- a/sound/core/seq/seq_prioq.h
++++ b/sound/core/seq/seq_prioq.h
+@@ -44,14 +44,12 @@ void snd_seq_prioq_delete(struct snd_seq
+ int snd_seq_prioq_cell_in(struct snd_seq_prioq *f, struct snd_seq_event_cell *cell);
+
+ /* dequeue cell from prioq */
+-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f);
++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
++ void *current_time);
+
+ /* return number of events available in prioq */
+ int snd_seq_prioq_avail(struct snd_seq_prioq *f);
+
+-/* peek at cell at the head of the prioq */
+-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq *f);
+-
+ /* client left queue */
+ void snd_seq_prioq_leave(struct snd_seq_prioq *f, int client, int timestamp);
+
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -273,30 +273,20 @@ void snd_seq_check_queue(struct snd_seq_
+
+ __again:
+ /* Process tick queue... */
+- while ((cell = snd_seq_prioq_cell_peek(q->tickq)) != NULL) {
+- if (snd_seq_compare_tick_time(&q->timer->tick.cur_tick,
+- &cell->event.time.tick)) {
+- cell = snd_seq_prioq_cell_out(q->tickq);
+- if (cell)
+- snd_seq_dispatch_event(cell, atomic, hop);
+- } else {
+- /* event remains in the queue */
++ for (;;) {
++ cell = snd_seq_prioq_cell_out(q->tickq,
++ &q->timer->tick.cur_tick);
++ if (!cell)
+ break;
+- }
++ snd_seq_dispatch_event(cell, atomic, hop);
+ }
+
+-
+ /* Process time queue... */
+- while ((cell = snd_seq_prioq_cell_peek(q->timeq)) != NULL) {
+- if (snd_seq_compare_real_time(&q->timer->cur_time,
+- &cell->event.time.time)) {
+- cell = snd_seq_prioq_cell_out(q->timeq);
+- if (cell)
+- snd_seq_dispatch_event(cell, atomic, hop);
+- } else {
+- /* event remains in the queue */
++ for (;;) {
++ cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time);
++ if (!cell)
+ break;
+- }
++ snd_seq_dispatch_event(cell, atomic, hop);
+ }
+
+ /* free lock */
diff --git a/patches.drivers/ALSA-seq-More-protection-for-concurrent-write-and-io b/patches.drivers/ALSA-seq-More-protection-for-concurrent-write-and-io
new file mode 100644
index 0000000000..4ee127da96
--- /dev/null
+++ b/patches.drivers/ALSA-seq-More-protection-for-concurrent-write-and-io
@@ -0,0 +1,177 @@
+From 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 5 Mar 2018 22:06:09 +0100
+Subject: [PATCH] ALSA: seq: More protection for concurrent write and ioctl races
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9
+Patch-mainline: v4.16-rc5
+References: CVE-2018-7566,bsc#1083483
+
+This patch is an attempt for further hardening against races between
+the concurrent write and ioctls. The previous fix d15d662e89fc
+("alsa: seq: Fix racy pool initializations") covered the race of the
+pool initialization at writer and the pool resize ioctl by the
+client->ioctl_mutex (CVE-2018-1000004). However, basically this mutex
+should be applied more widely to the whole write operation for
+avoiding the unexpected pool operations by another thread.
+
+The only change outside snd_seq_write() is the additional mutex
+argument to helper functions, so that we can unlock / relock the given
+mutex temporarily during schedule() call for blocking write.
+
+Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
+Reported-by: 范龙飞 <long7573@126.com>
+Reported-by: Nicolai Stange <nstange@suse.de>
+Reviewed-and-tested-by: Nicolai Stange <nstange@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/seq/seq_clientmgr.c | 18 +++++++++++-------
+ sound/core/seq/seq_fifo.c | 2 +-
+ sound/core/seq/seq_memory.c | 14 ++++++++++----
+ sound/core/seq/seq_memory.h | 3 ++-
+ 4 files changed, 24 insertions(+), 13 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -903,7 +903,8 @@ int snd_seq_dispatch_event(struct snd_se
+ static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
+ struct snd_seq_event *event,
+ struct file *file, int blocking,
+- int atomic, int hop)
++ int atomic, int hop,
++ struct mutex *mutexp)
+ {
+ struct snd_seq_event_cell *cell;
+ int err;
+@@ -941,7 +942,8 @@ static int snd_seq_client_enqueue_event(
+ return -ENXIO; /* queue is not allocated */
+
+ /* allocate an event cell */
+- err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
++ err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
++ file, mutexp);
+ if (err < 0)
+ return err;
+
+@@ -1010,12 +1012,11 @@ static ssize_t snd_seq_write(struct file
+ return -ENXIO;
+
+ /* allocate the pool now if the pool is not allocated yet */
++ mutex_lock(&client->ioctl_mutex);
+ if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+- mutex_lock(&client->ioctl_mutex);
+ err = snd_seq_pool_init(client->pool);
+- mutex_unlock(&client->ioctl_mutex);
+ if (err < 0)
+- return -ENOMEM;
++ goto out;
+ }
+
+ /* only process whole events */
+@@ -1066,7 +1067,7 @@ static ssize_t snd_seq_write(struct file
+ /* ok, enqueue it */
+ err = snd_seq_client_enqueue_event(client, &event, file,
+ !(file->f_flags & O_NONBLOCK),
+- 0, 0);
++ 0, 0, &client->ioctl_mutex);
+ if (err < 0)
+ break;
+
+@@ -1077,6 +1078,8 @@ static ssize_t snd_seq_write(struct file
+ written += len;
+ }
+
++ out:
++ mutex_unlock(&client->ioctl_mutex);
+ return written ? written : err;
+ }
+
+@@ -2335,7 +2338,8 @@ static int kernel_client_enqueue(int cli
+ if (! cptr->accept_output)
+ result = -EPERM;
+ else /* send it */
+- result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
++ result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
++ atomic, hop, NULL);
+
+ snd_seq_client_unlock(cptr);
+ return result;
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -122,7 +122,7 @@ int snd_seq_fifo_event_in(struct snd_seq
+ return -EINVAL;
+
+ snd_use_lock_use(&f->use_lock);
+- err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
++ err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
+ if (err < 0) {
+ if (err == -ENOMEM)
+ atomic_inc(&f->overflow);
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -220,7 +220,8 @@ void snd_seq_cell_free(struct snd_seq_ev
+ */
+ static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
+ struct snd_seq_event_cell **cellp,
+- int nonblock, struct file *file)
++ int nonblock, struct file *file,
++ struct mutex *mutexp)
+ {
+ struct snd_seq_event_cell *cell;
+ unsigned long flags;
+@@ -244,7 +245,11 @@ static int snd_seq_cell_alloc(struct snd
+ set_current_state(TASK_INTERRUPTIBLE);
+ add_wait_queue(&pool->output_sleep, &wait);
+ spin_unlock_irq(&pool->lock);
++ if (mutexp)
++ mutex_unlock(mutexp);
+ schedule();
++ if (mutexp)
++ mutex_lock(mutexp);
+ spin_lock_irq(&pool->lock);
+ remove_wait_queue(&pool->output_sleep, &wait);
+ /* interrupted? */
+@@ -287,7 +292,7 @@ __error:
+ */
+ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
+ struct snd_seq_event_cell **cellp, int nonblock,
+- struct file *file)
++ struct file *file, struct mutex *mutexp)
+ {
+ int ncells, err;
+ unsigned int extlen;
+@@ -304,7 +309,7 @@ int snd_seq_event_dup(struct snd_seq_poo
+ if (ncells >= pool->total_elements)
+ return -ENOMEM;
+
+- err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
++ err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
+ if (err < 0)
+ return err;
+
+@@ -330,7 +335,8 @@ int snd_seq_event_dup(struct snd_seq_poo
+ int size = sizeof(struct snd_seq_event);
+ if (len < size)
+ size = len;
+- err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
++ err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
++ mutexp);
+ if (err < 0)
+ goto __error;
+ if (cell->event.data.ext.ptr == NULL)
+--- a/sound/core/seq/seq_memory.h
++++ b/sound/core/seq/seq_memory.h
+@@ -66,7 +66,8 @@ struct snd_seq_pool {
+ void snd_seq_cell_free(struct snd_seq_event_cell *cell);
+
+ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
+- struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
++ struct snd_seq_event_cell **cellp, int nonblock,
++ struct file *file, struct mutex *mutexp);
+
+ /* return number of unused (free) cells */
+ static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)
diff --git a/patches.fixes/0001-kernel-exit.c-avoid-undefined-behaviour-when-calling.patch b/patches.fixes/0001-kernel-exit.c-avoid-undefined-behaviour-when-calling.patch
new file mode 100644
index 0000000000..74706d7cef
--- /dev/null
+++ b/patches.fixes/0001-kernel-exit.c-avoid-undefined-behaviour-when-calling.patch
@@ -0,0 +1,58 @@
+From dd83c161fbcc5d8be637ab159c0de015cbff5ba4 Mon Sep 17 00:00:00 2001
+From: zhongjiang <zhongjiang@huawei.com>
+Date: Mon, 10 Jul 2017 15:53:01 -0700
+Subject: [PATCH] kernel/exit.c: avoid undefined behaviour when calling wait4()
+Git-commit: dd83c161fbcc5d8be637ab159c0de015cbff5ba4
+Patch-mainline: 4.13-rc1
+References: bnc#1089608, CVE-2018-10087
+
+wait4(-2147483648, 0x20, 0, 0xdd0000) triggers:
+Ubsan: Undefined behaviour in kernel/exit.c:1651:9
+
+The related calltrace is as follows:
+
+ negation of -2147483648 cannot be represented in type 'int':
+ CPU: 9 PID: 16482 Comm: zj Tainted: G B ---- ------- 3.10.0-327.53.58.71.x86_64+ #66
+ Hardware name: Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA , BIOS CTSAV036 04/27/2011
+ Call Trace:
+ dump_stack+0x19/0x1b
+ ubsan_epilogue+0xd/0x50
+ __ubsan_handle_negate_overflow+0x109/0x14e
+ SyS_wait4+0x1cb/0x1e0
+ system_call_fastpath+0x16/0x1b
+
+Exclude the overflow to avoid the UBSAN warning.
+
+Link: http://lkml.kernel.org/r/1497264618-20212-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhongjiang <zhongjiang@huawei.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Xishi Qiu <qiuxishi@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+
+---
+ kernel/exit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 608c9775a37b..c5548faa9f37 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1639,6 +1639,10 @@ long kernel_wait4(pid_t upid, int __user *stat_addr, int options,
+ __WNOTHREAD|__WCLONE|__WALL))
+ return -EINVAL;
+
++ /* -INT_MIN is not defined */
++ if (upid == INT_MIN)
++ return -ESRCH;
++
+ if (upid == -1)
+ type = PIDTYPE_MAX;
+ else if (upid < 0) {
+--
+1.8.5.6
+
diff --git a/patches.fixes/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch b/patches.fixes/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
new file mode 100644
index 0000000000..b31a9e12a9
--- /dev/null
+++ b/patches.fixes/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
@@ -0,0 +1,42 @@
+From: Jason Yan <yanaijie@huawei.com>
+Date: Thu, 4 Jan 2018 21:04:31 +0800
+Subject: [PATCH] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+Git-commit: 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4
+Patch-Mainline: v4.16-rc1
+References: bsc#1084536,CVE-2018-7757
+
+We've got a memory leak with the following producer:
+
+while true;
+do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
+done
+
+The buffer req is allocated and not freed after we return. Fix it.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+CC: John Garry <john.garry@huawei.com>
+CC: chenqilin <chenqilin2@huawei.com>
+CC: chenxiang <chenxiang66@hisilicon.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/libsas/sas_expander.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index ca1566237ae7..1de59c0fdbc0 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -695,6 +695,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
+ phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
+
+ out:
++ kfree(req);
+ kfree(resp);
+ return res;
+
+--
+2.12.3
+
diff --git a/series.conf b/series.conf
index f6767a7a87..31550d2fb2 100644
--- a/series.conf
+++ b/series.conf
@@ -578,6 +578,8 @@
patches.suse/0005-p54-prevent-speculative-execution.patch
patches.suse/0007-udf-prevent-speculative-execution.patch
+ patches.fixes/0001-kernel-exit.c-avoid-undefined-behaviour-when-calling.patch
+
########################################################
# futex
########################################################
@@ -9253,6 +9255,7 @@
patches.fixes/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
patches.suse/scsi-sr-workaround-VMware-ESXi-cdrom-emulation-bug.patch
patches.suse/ide-cd-workaround-VMware-ESXi-cdrom-emulation-bug.patch
+ patches.fixes/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
########################################################
# DRM/Video, AGP, graphics related stuff
@@ -21511,6 +21514,10 @@
patches.fixes/ALSA-pcm-Remove-yet-superfluous-WARN_ON
patches.drivers/ALSA-seq-Make-ioctls-race-free
patches.drivers/ALSA-seq-Fix-racy-pool-initializations
+ patches.drivers/ALSA-seq-More-protection-for-concurrent-write-and-io
+ patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue
+
+ patches.drivers/ALSA-pcm-prevent-UAF-in-snd_pcm_info
##########################################################
# Char + Serial