author Thorsten Leemhuis <fedora@leemhuis.info> 2018-10-04 09:57:14 +0200
committer Thorsten Leemhuis <fedora@leemhuis.info> 2018-10-04 09:57:14 +0200
commit 8b9a059a452068bf82507fe40c7bf550c7ef532c
tree 3fbc3b2fe33881d27c6c7cd84b43863eec5cf93b
parent 310e21476a53018ec3f97202cea039c1a7bb0aab
parent 5826936f37b8ff3c6c786b2fec9a7696f920f85a
Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora
-rw-r--r-- CVE-2018-14633.patch 242
-rw-r--r-- HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch 128
-rw-r--r-- arm64_kvm_security.patch 155
-rw-r--r-- configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP 2
-rw-r--r-- drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch 88
-rw-r--r-- kernel-x86_64-debug.config 2
-rw-r--r-- kernel-x86_64.config 2
-rw-r--r-- kernel.spec 23
8 files changed, 304 insertions, 338 deletions
diff --git a/CVE-2018-14633.patch b/CVE-2018-14633.patch
deleted file mode 100644
index 731903bdb..000000000
--- a/CVE-2018-14633.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-From 1816494330a83f2a064499d8ed2797045641f92c Mon Sep 17 00:00:00 2001
-From: Vincent Pelletier <plr.vincent@gmail.com>
-Date: Sun, 9 Sep 2018 04:09:26 +0000
-Subject: scsi: target: iscsi: Use hex2bin instead of a re-implementation
-
-This change has the following effects, in order of descreasing importance:
-
-1) Prevent a stack buffer overflow
-
-2) Do not append an unnecessary NULL to an anyway binary buffer, which
- is writing one byte past client_digest when caller is:
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
-
-The latter was found by KASAN (see below) when input value hes expected size
-(32 hex chars), and further analysis revealed a stack buffer overflow can
-happen when network-received value is longer, allowing an unauthenticated
-remote attacker to smash up to 17 bytes after destination buffer (16 bytes
-attacker-controlled and one null). As switching to hex2bin requires
-specifying destination buffer length, and does not internally append any null,
-it solves both issues.
-
-This addresses CVE-2018-14633.
-
-Beyond this:
-
-- Validate received value length and check hex2bin accepted the input, to log
- this rejection reason instead of just failing authentication.
-
-- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
-
-==================================================================
-BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
-Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
-
-CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
-Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
-Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
-Call Trace:
- dump_stack+0x71/0xac
- print_address_description+0x65/0x22e
- ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
- kasan_report.cold.6+0x241/0x2fd
- chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
- chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
- ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
- ? ftrace_caller_op_ptr+0xe/0xe
- ? __orc_find+0x6f/0xc0
- ? unwind_next_frame+0x231/0x850
- ? kthread+0x1a0/0x1c0
- ? ret_from_fork+0x35/0x40
- ? ret_from_fork+0x35/0x40
- ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
- ? deref_stack_reg+0xd0/0xd0
- ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
- ? is_module_text_address+0xa/0x11
- ? kernel_text_address+0x4c/0x110
- ? __save_stack_trace+0x82/0x100
- ? ret_from_fork+0x35/0x40
- ? save_stack+0x8c/0xb0
- ? 0xffffffffc1660000
- ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
- ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
- ? process_one_work+0x35c/0x640
- ? worker_thread+0x66/0x5d0
- ? kthread+0x1a0/0x1c0
- ? ret_from_fork+0x35/0x40
- ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
- ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
- chap_main_loop+0x172/0x570 [iscsi_target_mod]
- ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
- ? rx_data+0xd6/0x120 [iscsi_target_mod]
- ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
- ? cyc2ns_read_begin.part.2+0x90/0x90
- ? _raw_spin_lock_irqsave+0x25/0x50
- ? memcmp+0x45/0x70
- iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
- ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
- ? del_timer+0xe0/0xe0
- ? memset+0x1f/0x40
- ? flush_sigqueue+0x29/0xd0
- iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
- ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
- ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
- process_one_work+0x35c/0x640
- worker_thread+0x66/0x5d0
- ? flush_rcu_work+0x40/0x40
- kthread+0x1a0/0x1c0
- ? kthread_bind+0x30/0x30
- ret_from_fork+0x35/0x40
-
-The buggy address belongs to the page:
-page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
-flags: 0x17fffc000000000()
-raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
-raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
- ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
->ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
- ^
- ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
- ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
-==================================================================
-
-Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
-Reviewed-by: Mike Christie <mchristi@redhat.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
----
- drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
-index 9518ffd8b8ba..6c3b4c022894 100644
---- a/drivers/target/iscsi/iscsi_target_auth.c
-+++ b/drivers/target/iscsi/iscsi_target_auth.c
-@@ -26,18 +26,6 @@
- #include "iscsi_target_nego.h"
- #include "iscsi_target_auth.h"
-
--static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
--{
-- int j = DIV_ROUND_UP(len, 2), rc;
--
-- rc = hex2bin(dst, src, j);
-- if (rc < 0)
-- pr_debug("CHAP string contains non hex digit symbols\n");
--
-- dst[j] = '\0';
-- return j;
--}
--
- static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
- {
- int i;
-@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
- pr_err("Could not find CHAP_R.\n");
- goto out;
- }
-+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
-+ pr_err("Malformed CHAP_R\n");
-+ goto out;
-+ }
-+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
-+ pr_err("Malformed CHAP_R\n");
-+ goto out;
-+ }
-
- pr_debug("[server] Got CHAP_R=%s\n", chap_r);
-- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
-
- tfm = crypto_alloc_shash("md5", 0, 0);
- if (IS_ERR(tfm)) {
-@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
- pr_err("Could not find CHAP_C.\n");
- goto out;
- }
-- pr_debug("[server] Got CHAP_C=%s\n", challenge);
-- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
-- strlen(challenge));
-+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
- if (!challenge_len) {
- pr_err("Unable to convert incoming challenge\n");
- goto out;
-@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
- pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
- goto out;
- }
-+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
-+ pr_err("Malformed CHAP_C\n");
-+ goto out;
-+ }
-+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
- /*
- * During mutual authentication, the CHAP_C generated by the
- * initiator must not match the original CHAP_C generated by
---
-cgit 1.2-0.3.lf.el7
-
-From 8c39e2699f8acb2e29782a834e56306da24937fe Mon Sep 17 00:00:00 2001
-From: Vincent Pelletier <plr.vincent@gmail.com>
-Date: Sun, 9 Sep 2018 04:09:27 +0000
-Subject: scsi: target: iscsi: Use bin2hex instead of a re-implementation
-
-Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
-Reviewed-by: Mike Christie <mchristi@redhat.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
----
- drivers/target/iscsi/iscsi_target_auth.c | 15 +++------------
- 1 file changed, 3 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
-index 6c3b4c022894..4e680d753941 100644
---- a/drivers/target/iscsi/iscsi_target_auth.c
-+++ b/drivers/target/iscsi/iscsi_target_auth.c
-@@ -26,15 +26,6 @@
- #include "iscsi_target_nego.h"
- #include "iscsi_target_auth.h"
-
--static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
--{
-- int i;
--
-- for (i = 0; i < src_len; i++) {
-- sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff);
-- }
--}
--
- static int chap_gen_challenge(
- struct iscsi_conn *conn,
- int caller,
-@@ -50,7 +41,7 @@ static int chap_gen_challenge(
- ret = get_random_bytes_wait(chap->challenge, CHAP_CHALLENGE_LENGTH);
- if (unlikely(ret))
- return ret;
-- chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge,
-+ bin2hex(challenge_asciihex, chap->challenge,
- CHAP_CHALLENGE_LENGTH);
- /*
- * Set CHAP_C, and copy the generated challenge into c_str.
-@@ -289,7 +280,7 @@ static int chap_server_compute_md5(
- goto out;
- }
-
-- chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE);
-+ bin2hex(response, server_digest, MD5_SIGNATURE_SIZE);
- pr_debug("[server] MD5 Server Digest: %s\n", response);
-
- if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) {
-@@ -411,7 +402,7 @@ static int chap_server_compute_md5(
- /*
- * Convert response from binary hex to ascii hext.
- */
-- chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE);
-+ bin2hex(response, digest, MD5_SIGNATURE_SIZE);
- *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s",
- response);
- *nr_out_len += 1;
---
-cgit 1.2-0.3.lf.el7
-
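Review bot: deleting CVE-2018-14633.patch outright is only safe if the rebased source already contains both commits it carried, 1816494330a8 (the hex2bin change that closes the stack buffer overflow in chap_server_compute_md5) and 8c39e2699f8a (the bin2hex follow-up), and nothing in this change records that. The changelog added in kernel.spec lists "Linux v4.18.11" but does not say the CVE fix now comes from the rebase. Add a line to that effect, carrying over the rhbz numbers 1626035 1632185 from the removed Patch508 comment, so the fix stays traceable once the patch file is gone.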
diff --git a/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch b/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch
new file mode 100644
index 000000000..7057843a6
--- /dev/null
+++ b/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch
@@ -0,0 +1,128 @@
+From patchwork Fri Aug 17 20:16:00 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Andreas Bosch <linux@progandy.de>
+X-Patchwork-Id: 10569347
+Return-Path: <linux-input-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E901E14BD
+ for <patchwork-linux-input@patchwork.kernel.org>;
+ Fri, 17 Aug 2018 20:16:47 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D84002BE82
+ for <patchwork-linux-input@patchwork.kernel.org>;
+ Fri, 17 Aug 2018 20:16:47 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+ id C8F6E2BE8A; Fri, 17 Aug 2018 20:16:47 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+ pdx-wl-mail.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
+ MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham
+ version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6DBD32BE82
+ for <patchwork-linux-input@patchwork.kernel.org>;
+ Fri, 17 Aug 2018 20:16:47 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1725825AbeHQXV2 (ORCPT
+ <rfc822;patchwork-linux-input@patchwork.kernel.org>);
+ Fri, 17 Aug 2018 19:21:28 -0400
+Received: from mail-wr1-f67.google.com ([209.85.221.67]:32902 "EHLO
+ mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1726340AbeHQXVZ (ORCPT
+ <rfc822;linux-input@vger.kernel.org>);
+ Fri, 17 Aug 2018 19:21:25 -0400
+Received: by mail-wr1-f67.google.com with SMTP id v90-v6so4880416wrc.0
+ for <linux-input@vger.kernel.org>;
+ Fri, 17 Aug 2018 13:16:38 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=progandy-de.20150623.gappssmtp.com; s=20150623;
+ h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
+ bh=IJ8EglotdUjsPKwO9B0Nmn/N9+EameltWUM77Dxy0M4=;
+ b=rt2hYKBNvjEXfrvbOuPP6QJ+KtXVW+4g54jRTTyzuiFqqE60M9kSFwnVvQaTHRtoUq
+ cH0uV9utBhoUsH2vVl0lUSUWZ/Hi/dPtBjIT3dbKIvIwbwb8lW73NpHbftVy9Y2G+aXc
+ SDy6R8DnjfcWOEmXG02pBnEOivsUhrnjRGUnjiPbhJXRpxo5S85ZCBWjVQeRRDgyS/Hq
+ xI/C8Kupmdlu8AnoQlSie1GoClanvZncA45wBGUcIje35FhwicTahs37ij4dOADrkdyC
+ BtJsqLCXgdVnIsI7xKxthlW1dT6hTm6J5M5sMYyQlOcHeyk0LtWhLui0W6Ic3Mtup4cA
+ C/wA==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
+ :in-reply-to:references;
+ bh=IJ8EglotdUjsPKwO9B0Nmn/N9+EameltWUM77Dxy0M4=;
+ b=npuvfosGYdhu4I/kCuiJzBZZTOv5UN8fg69cS4ahQ2zvtqRKAgWSwDIaeJZeaxSHey
+ Vd2RWfK952o/Z/95sm+CvJ4o6FqNRHW7o4oiqPxoUN+ihfotfiMxGBxs08VPPj08tzOy
+ cigHD1fVZ2F+cJkQdj/FneSkwXWiy6CzHcqPLIytgv/l+HMixZbHTTUyOXbxJ1ySsjnm
+ qFXUAWA6zU6h67ulhIGCTWV42aMNBIpJ45vSJdQa02zvOU3zmFKkro57ns/IeQO80BwZ
+ ZeAH95swkPYydu/9KdDndUty2SyZWE/IWJp3YazyJpdwTd5oZdHzVisJDxRYVu+PHCT8
+ 8N1A==
+X-Gm-Message-State: AOUpUlE0RNAbVUi/LSvupC7WR6/r+kPBbA+k4Bx2tii6smtZdqTW6umO
+ 8IT5MRN5ae8CWhigs8hlXht+jA==
+X-Google-Smtp-Source:
+ AA+uWPytoFgGk+AfiVYYdyHHaj0W645JTX4kXrozV+emI3TVthEIgCXHU02g61rjPAf+BcuhfF6rUw==
+X-Received: by 2002:adf:ed41:: with SMTP id
+ u1-v6mr23695053wro.262.1534536997694;
+ Fri, 17 Aug 2018 13:16:37 -0700 (PDT)
+Received: from pamobile.localdomain (p54A175A0.dip0.t-ipconnect.de.
+ [84.161.117.160])
+ by smtp.gmail.com with ESMTPSA id
+ u9-v6sm3124789wrc.43.2018.08.17.13.16.36
+ (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Fri, 17 Aug 2018 13:16:37 -0700 (PDT)
+From: Andreas Bosch <linux@progandy.de>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
+ Jiri Kosina <jikos@kernel.org>,
+ Benjamin Tissoires <benjamin.tissoires@redhat.com>,
+ Even Xu <even.xu@intel.com>, linux-input@vger.kernel.org,
+ linux-kernel@vger.kernel.org
+Subject: [PATCH] HID: intel-ish-hid: Enable Sunrise Point-H ish driver
+Date: Fri, 17 Aug 2018 22:16:00 +0200
+Message-Id: <20180817201614.11971-1-linux@progandy.de>
+X-Mailer: git-send-email 2.18.0
+In-Reply-To: <23171b1a3740407eac5d5c22548ce107d8edde59.camel@linux.intel.com>
+References: <23171b1a3740407eac5d5c22548ce107d8edde59.camel@linux.intel.com>
+To: unlisted-recipients:; (no To-header on input)
+Sender: linux-input-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-input.vger.kernel.org>
+X-Mailing-List: linux-input@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+Added PCI ID for Sunrise Point-H ISH.
+
+Signed-off-by: Andreas Bosch <linux@progandy.de>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+---
+I hope this patch arrives correctly.
+---
+ drivers/hid/intel-ish-hid/ipc/hw-ish.h | 1 +
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ipc/hw-ish.h b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
+index 97869b7410eb..da133716bed0 100644
+--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h
++++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
+@@ -29,6 +29,7 @@
+ #define CNL_Ax_DEVICE_ID 0x9DFC
+ #define GLK_Ax_DEVICE_ID 0x31A2
+ #define CNL_H_DEVICE_ID 0xA37C
++#define SPT_H_DEVICE_ID 0xA135
+
+ #define REVISION_ID_CHT_A0 0x6
+ #define REVISION_ID_CHT_Ax_SI 0x0
+diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+index a2c53ea3b5ed..c7b8eb32b1ea 100644
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -38,6 +38,7 @@ static const struct pci_device_id ish_pci_tbl[] = {
+ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_Ax_DEVICE_ID)},
+ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, GLK_Ax_DEVICE_ID)},
+ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_H_DEVICE_ID)},
++ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, SPT_H_DEVICE_ID)},
+ {0, }
+ };
+ MODULE_DEVICE_TABLE(pci, ish_pci_tbl);
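Review bot: everything in this new patch file from the "From patchwork" line down to the X-Virus-Scanned header is raw mail transport data (Received chains, DKIM-Signature and X-Google-DKIM-Signature blobs, spam scores), roughly 90 lines of noise in dist-git for a two-line change. Trim it to From, Date, Subject and the Message-Id (or a reference to Patchwork id 10569347), and drop the "I hope this patch arrives correctly." remark between the two --- separators. The code change itself, SPT_H_DEVICE_ID 0xA135 plus its ish_pci_tbl entry placed before the {0, } terminator, reads correctly.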
diff --git a/arm64_kvm_security.patch b/arm64_kvm_security.patch
new file mode 100644
index 000000000..71490d969
--- /dev/null
+++ b/arm64_kvm_security.patch
@@ -0,0 +1,155 @@
+From d26c25a9d19b5976b319af528886f89cf455692d Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 27 Sep 2018 16:53:21 +0100
+Subject: arm64: KVM: Tighten guest core register access from userspace
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit d26c25a9d19b5976b319af528886f89cf455692d upstream.
+
+We currently allow userspace to access the core register file
+in about any possible way, including straddling multiple
+registers and doing unaligned accesses.
+
+This is not the expected use of the ABI, and nobody is actually
+using it that way. Let's tighten it by explicitly checking
+the size and alignment for each field of the register file.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+[maz: rewrote Dave's initial patch to be more easily backported]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 i
+ return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
+ }
+
++static int validate_core_offset(const struct kvm_one_reg *reg)
++{
++ u64 off = core_reg_offset_from_id(reg->id);
++ int size;
++
++ switch (off) {
++ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
++ KVM_REG_ARM_CORE_REG(regs.regs[30]):
++ case KVM_REG_ARM_CORE_REG(regs.sp):
++ case KVM_REG_ARM_CORE_REG(regs.pc):
++ case KVM_REG_ARM_CORE_REG(regs.pstate):
++ case KVM_REG_ARM_CORE_REG(sp_el1):
++ case KVM_REG_ARM_CORE_REG(elr_el1):
++ case KVM_REG_ARM_CORE_REG(spsr[0]) ...
++ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]):
++ size = sizeof(__u64);
++ break;
++
++ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ...
++ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]):
++ size = sizeof(__uint128_t);
++ break;
++
++ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr):
++ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr):
++ size = sizeof(__u32);
++ break;
++
++ default:
++ return -EINVAL;
++ }
++
++ if (KVM_REG_SIZE(reg->id) == size &&
++ IS_ALIGNED(off, size / sizeof(__u32)))
++ return 0;
++
++ return -EINVAL;
++}
++
+ static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
+ {
+ /*
+@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu
+ (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
+ return -ENOENT;
+
++ if (validate_core_offset(reg))
++ return -EINVAL;
++
+ if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id)))
+ return -EFAULT;
+
+@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu
+ (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
+ return -ENOENT;
+
++ if (validate_core_offset(reg))
++ return -EINVAL;
++
+ if (KVM_REG_SIZE(reg->id) > sizeof(tmp))
+ return -EINVAL;
+
+From 2a3f93459d689d990b3ecfbe782fec89b97d3279 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 27 Sep 2018 16:53:22 +0100
+Subject: arm64: KVM: Sanitize PSTATE.M when being set from userspace
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 2a3f93459d689d990b3ecfbe782fec89b97d3279 upstream.
+
+Not all execution modes are valid for a guest, and some of them
+depend on what the HW actually supports. Let's verify that what
+userspace provides is compatible with both the VM settings and
+the HW capabilities.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/guest.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu
+ }
+
+ if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) {
+- u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK;
++ u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK;
+ switch (mode) {
+ case COMPAT_PSR_MODE_USR:
++ if (!system_supports_32bit_el0())
++ return -EINVAL;
++ break;
+ case COMPAT_PSR_MODE_FIQ:
+ case COMPAT_PSR_MODE_IRQ:
+ case COMPAT_PSR_MODE_SVC:
+ case COMPAT_PSR_MODE_ABT:
+ case COMPAT_PSR_MODE_UND:
++ if (!vcpu_el1_is_32bit(vcpu))
++ return -EINVAL;
++ break;
+ case PSR_MODE_EL0t:
+ case PSR_MODE_EL1t:
+ case PSR_MODE_EL1h:
++ if (vcpu_el1_is_32bit(vcpu))
++ return -EINVAL;
+ break;
+ default:
+ err = -EINVAL;
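Review bot: in validate_core_offset() the alignment test IS_ALIGNED(off, size / sizeof(__u32)) only makes sense once the reader knows that off counts 32-bit words rather than bytes, and the patch never says so; the only hint is the ((u32 *)regs) + off expression in get_core_reg(). A one-line comment above the check stating the unit would help. In the second patch, the new PSTATE checks use return -EINVAL while the existing default case sets err = -EINVAL; confirm against the full set_core_reg() that the early returns skip nothing the err path relies on.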
diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP b/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
index 7b0c6490a..ee59b965f 100644
--- a/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
+++ b/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
@@ -1 +1 @@
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
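Review bot: CONFIG_CRYPTO_DEV_SP_PSP flips from =y to not set with the reason recorded only as "rhbz 1608242" in the changelog. State in the changelog entry or the commit message what breaks with the option enabled, so whoever revisits it knows when it can be turned back on. The generated kernel-x86_64.config and kernel-x86_64-debug.config hunks match this fragment, so the three stay consistent.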
diff --git a/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch b/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
deleted file mode 100644
index 195ced13b..000000000
--- a/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From patchwork Wed Jul 25 12:29:07 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: drm/vc4: Fix the "no scaling" case on multi-planar YUV formats
-From: Boris Brezillon <boris.brezillon@bootlin.com>
-X-Patchwork-Id: 240917
-Message-Id: <20180725122907.13702-1-boris.brezillon@bootlin.com>
-To: Eric Anholt <eric@anholt.net>
-Cc: David Airlie <airlied@linux.ie>,
- Boris Brezillon <boris.brezillon@bootlin.com>, stable@vger.kernel.org,
- dri-devel@lists.freedesktop.org
-Date: Wed, 25 Jul 2018 14:29:07 +0200
-
-When there's no scaling requested ->is_unity should be true no matter
-the format.
-
-Also, when no scaling is requested and we have a multi-planar YUV
-format, we should leave ->y_scaling[0] to VC4_SCALING_NONE and only
-set ->x_scaling[0] to VC4_SCALING_PPF.
-
-Doing this fixes an hardly visible artifact (seen when using modetest
-and a rather big overlay plane in YUV420).
-
-Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
-Reviewed-by: Eric Anholt <eric@anholt.net>
----
- drivers/gpu/drm/vc4/vc4_plane.c | 25 ++++++++++++-------------
- 1 file changed, 12 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
-index cfb50fedfa2b..a3275fa66b7b 100644
---- a/drivers/gpu/drm/vc4/vc4_plane.c
-+++ b/drivers/gpu/drm/vc4/vc4_plane.c
-@@ -297,6 +297,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
- vc4_state->y_scaling[0] = vc4_get_scaling_mode(vc4_state->src_h[0],
- vc4_state->crtc_h);
-
-+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
-+ vc4_state->y_scaling[0] == VC4_SCALING_NONE);
-+
- if (num_planes > 1) {
- vc4_state->is_yuv = true;
-
-@@ -312,24 +315,17 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
- vc4_get_scaling_mode(vc4_state->src_h[1],
- vc4_state->crtc_h);
-
-- /* YUV conversion requires that scaling be enabled,
-- * even on a plane that's otherwise 1:1. Choose TPZ
-- * for simplicity.
-+ /* YUV conversion requires that horizontal scaling be enabled,
-+ * even on a plane that's otherwise 1:1. Looks like only PPF
-+ * works in that case, so let's pick that one.
- */
-- if (vc4_state->x_scaling[0] == VC4_SCALING_NONE)
-- vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
-- if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
-- vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
-+ if (vc4_state->is_unity)
-+ vc4_state->x_scaling[0] = VC4_SCALING_PPF;
- } else {
- vc4_state->x_scaling[1] = VC4_SCALING_NONE;
- vc4_state->y_scaling[1] = VC4_SCALING_NONE;
- }
-
-- vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
-- vc4_state->y_scaling[0] == VC4_SCALING_NONE &&
-- vc4_state->x_scaling[1] == VC4_SCALING_NONE &&
-- vc4_state->y_scaling[1] == VC4_SCALING_NONE);
--
- /* No configuring scaling on the cursor plane, since it gets
- non-vblank-synced updates, and scaling requires requires
- LBM changes which have to be vblank-synced.
-@@ -672,7 +668,10 @@ static int vc4_plane_mode_set(struct drm_plane *plane,
- vc4_dlist_write(vc4_state, SCALER_CSC2_ITR_R_601_5);
- }
-
-- if (!vc4_state->is_unity) {
-+ if (vc4_state->x_scaling[0] != VC4_SCALING_NONE ||
-+ vc4_state->x_scaling[1] != VC4_SCALING_NONE ||
-+ vc4_state->y_scaling[0] != VC4_SCALING_NONE ||
-+ vc4_state->y_scaling[1] != VC4_SCALING_NONE) {
- /* LBM Base Address. */
- if (vc4_state->y_scaling[0] != VC4_SCALING_NONE ||
- vc4_state->y_scaling[1] != VC4_SCALING_NONE) {
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index a3c92fb47..60372261d 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -976,7 +976,7 @@ CONFIG_CRYPTO_DEV_QAT_C62XVF=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
# CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 8524bbd3d..0adf36f04 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -972,7 +972,7 @@ CONFIG_CRYPTO_DEV_QAT_C62XVF=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
# CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
diff --git a/kernel.spec b/kernel.spec
index 7f94e5137..e35b73b9a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -618,8 +618,6 @@ Patch311: arm64-ZynqMP-firmware-clock-drivers-core.patch
# Enabling Patches for the RPi3+
Patch330: bcm2837-enable-pmu.patch
-# https://patchwork.freedesktop.org/patch/240917/
-Patch334: drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
# Fix for AllWinner A64 Timer Errata, still not final
# https://patchwork.kernel.org/patch/10392891/
@@ -643,12 +641,15 @@ Patch504: xsa270.patch
Patch506: 0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch
Patch507: 0001-random-make-CPU-trust-a-boot-parameter.patch
-# CVE-2018-14633 rhbz 1626035 1632185
-Patch508: CVE-2018-14633.patch
-
# rhbz 1628394
Patch509: powerpc-ipv6.patch
+# rhbz 1634250
+Patch510: HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch
+
+# rhbz 1635475 1635476
+Patch511: arm64_kvm_security.patch
+
# END OF PATCH DEFINITIONS
%endif
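Review bot: the comments for Patch510 and Patch511 give only rhbz numbers, while neighbouring entries such as the AllWinner one also link the upstream source (https://patchwork.kernel.org/patch/10392891/). Add the Patchwork id 10569347 for the HID patch and the upstream commit ids d26c25a9d19b and 2a3f93459d68 for arm64_kvm_security.patch, so it is clear when each can be dropped on a later rebase.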
@@ -1901,6 +1902,18 @@ fi
#
#
%changelog
+* Wed Oct 03 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix arm64 kvm priv escalation (rhbz 1635475 1635476)
+
+* Mon Oct 01 2018 Laura Abbott <labbott@redhat.com>
+- Disable CONFIG_CRYPTO_DEV_SP_PSP (rhbz 1608242)
+
+* Mon Oct 1 2018 Laura Abbott <labbott@redhat.com>
+- Fix for Intel Sensor Hub (rhbz 1634250)
+
+* Sun Sep 30 2018 Laura Abbott <labbott@redhat.com> - 4.18.11-200
+- Linux v4.18.11
+
* Wed Sep 26 2018 Laura Abbott <labbott@redhat.com> - 4.18.10-200
- Linux v4.18.10
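Review bot: the new changelog entries do not mention that Patch334 (drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch) is removed in this same change; add a line saying why it is no longer carried. The two entries for the same day are also dated inconsistently, "Mon Oct 01 2018" and "Mon Oct 1 2018"; pick one form.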