author    Jeremy Cline <jcline@redhat.com>  2018-11-27 12:55:45 -0500
committer Jeremy Cline <jcline@redhat.com>  2018-11-27 14:03:01 -0500
commit    f72ee2395b558b2cf89c1e3802d5f2cf39db4d24
tree      59e0a53de6e644942569cf47084198c83816a34a
parent    6a3302a0e1ad48eb80ae91eca14fdd1a9b77879e
Linux v4.19.5
Fix CVE-2018-16862 (rhbz 1649017 1653122)
Fix CVE-2018-19407 (rhbz 1652656 1652658)
 0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch   | 104
 CVE-2018-19407.patch                                            | 104
 kernel.spec                                                     |  18
 mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch |  59
 sources                                                         |   2
 5 files changed, 177 insertions, 110 deletions
diff --git a/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch b/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch
deleted file mode 100644
index 822e497af..000000000
--- a/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 5afcaee5ee71ba730fde8f66da7e320fb7e674d2 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Mon, 19 Nov 2018 17:38:59 +0100
-Subject: [PATCH 4.20 regression fix] ACPI / platform: Add SMB0001 HID to
- forbidden_id_list
-
-Many HP AMD based laptops contain an SMB0001 device like this:
-
-Device (SMBD)
-{
- Name (_HID, "SMB0001") // _HID: Hardware ID
- Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings
- {
- IO (Decode16,
- 0x0B20, // Range Minimum
- 0x0B20, // Range Maximum
- 0x20, // Alignment
- 0x20, // Length
- )
- IRQ (Level, ActiveLow, Shared, )
- {7}
- })
-}
-
-The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
-be called with legacy=true and this message to show in dmesg:
-ACPI: IRQ 7 override to edge, high
-
-This causes issues when later on the AMD0030 GPIO device gets enumerated:
-
-Device (GPIO)
-{
- Name (_HID, "AMDI0030") // _HID: Hardware ID
- Name (_CID, "AMDI0030") // _CID: Compatible ID
- Name (_UID, Zero) // _UID: Unique ID
- Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
- {
- Name (RBUF, ResourceTemplate ()
- {
- Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
- {
- 0x00000007,
- }
- Memory32Fixed (ReadWrite,
- 0xFED81500, // Address Base
- 0x00000400, // Address Length
- )
- })
- Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
- }
-}
-
-Now acpi_dev_get_irqresource() gets called with legacy=false, but because
-of the earlier override of the trigger-type acpi_register_gsi() returns
--EBUSY (because we try to register the same interrupt with a different
-trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.
-
-The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
-acpi_irq_get() which is not implemented on x86 and returns -EINVAL.
-resulting in the following in dmesg:
-
-amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
-amd_gpio: probe of AMDI0030:00 failed with error -22
-
-The SMB0001 is a "virtual" device in the sense that the only way the OS
-interacts with it is through calling a couple of methods to do SMBus
-transfers. As such it is weird that it has IO and IRQ resources at all,
-because the driver for it is not expected to ever access the hardware
-directly.
-
-The Linux driver for the SMB0001 device directly binds to the acpi_device
-through the acpi_bus, so we do not need to instantiate a platform_device
-for this ACPI device. This commit adds the SMB0001 HID to the
-forbidden_id_list, avoiding the instantiating of a platform_device for it.
-Not instantiating a platform_device means we will no longer call
-acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
-the AMDI0030 device failing.
-
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
-Reported-by: Lukas Kahnert <openproggerfreak@gmail.com>
-Tested-by: Marc <suaefar@googlemail.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/acpi/acpi_platform.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/acpi/acpi_platform.c b/drivers/acpi/acpi_platform.c
-index eaa60c94205a..1f32caa87686 100644
---- a/drivers/acpi/acpi_platform.c
-+++ b/drivers/acpi/acpi_platform.c
-@@ -30,6 +30,7 @@ static const struct acpi_device_id forbidden_id_list[] = {
- {"PNP0200", 0}, /* AT DMA Controller */
- {"ACPI0009", 0}, /* IOxAPIC */
- {"ACPI000A", 0}, /* IOAPIC */
-+ {"SMB0001", 0}, /* ACPI SMBUS virtual device */
- {"", 0},
- };
-
---
-2.19.1
-
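Review bot: the reason for dropping this patch is recorded nowhere in the commit. The spec comment being removed alongside it says "rhbz 1644013, patch pending upstream" and the patch header carries "Cc: stable@vger.kernel.org", which is consistent with the fix having arrived in the 4.19.5 stable update, but neither the commit message nor the %changelog says so. Add a line such as "- Drop SMB0001 forbidden_id_list patch, now in 4.19.5" (or whatever the actual reason is) so rhbz 1644013 can be tied to the build that closes it; if the change is not in 4.19.5, removing it regresses the HP AMD laptops with the failing AMDI0030 probe described above.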
diff --git a/CVE-2018-19407.patch b/CVE-2018-19407.patch
new file mode 100644
index 000000000..9f84db7be
--- /dev/null
+++ b/CVE-2018-19407.patch
@@ -0,0 +1,104 @@
+From: Wanpeng Li <kernellwp@gmail.com>
+Date: Tue, 27 Nov 2018 14:01:04 -0500
+Subject: [PATCH] KVM: X86: Fix scan ioapic use-before-initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by syzkaller:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
+ PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16
+ RIP: 0010:__lock_acquire+0x1a6/0x1990
+ Call Trace:
+ lock_acquire+0xdb/0x210
+ _raw_spin_lock+0x38/0x70
+ kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
+ vcpu_enter_guest+0x167e/0x1910 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
+ kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
+ do_vfs_ioctl+0xa5/0x690
+ ksys_ioctl+0x6d/0x80
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x83/0x6e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
+and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
+However, irqchip is not initialized by this simple testcase, ioapic/apic
+objects should not be accessed.
+This can be triggered by the following program:
+
+ #define _GNU_SOURCE
+
+ #include <endian.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/syscall.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+
+ uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
+
+ int main(void)
+ {
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ long res = 0;
+ memcpy((void*)0x20000040, "/dev/kvm", 9);
+ res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
+ if (res != -1)
+ r[0] = res;
+ res = syscall(__NR_ioctl, r[0], 0xae01, 0);
+ if (res != -1)
+ r[1] = res;
+ res = syscall(__NR_ioctl, r[1], 0xae41, 0);
+ if (res != -1)
+ r[2] = res;
+ memcpy(
+ (void*)0x20000080,
+ "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
+ "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
+ "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
+ "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
+ "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
+ "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
+ 106);
+ syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
+ syscall(__NR_ioctl, r[2], 0xae80, 0);
+ return 0;
+ }
+
+This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
+kernel.
+
+Reported-by: Wei Wu <ww9210@gmail.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Wei Wu <ww9210@gmail.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index ca717737347e..89694cbf84cf 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7313,7 +7313,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
+ else {
+ if (vcpu->arch.apicv_active)
+ kvm_x86_ops->sync_pir_to_irr(vcpu);
+- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
++ if (ioapic_in_kernel(vcpu->kvm))
++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+ }
+
+ if (is_guest_mode(vcpu))
+--
+2.19.1
+
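Review bot: the patch header has no upstream reference: there is no "From <sha>" line, no Link: to the list posting, and the Date: (Tue, 27 Nov 2018 14:01:04 -0500) is the Fedora commit time rather than the author's, so whoever rebases onto a later 4.19.x cannot tell from the file whether stable already contains this change. Record the upstream commit id or mailing-list URL in the header or in the Patch513 spec comment. The change itself matches the failure described: the scan is triggered by the HV_X64_MSR_SINT6 write before any in-kernel irqchip exists, and guarding kvm_ioapic_scan_entry() with ioapic_in_kernel(vcpu->kvm) is the minimal bail-out. The syzkaller program embedded in the description (open /dev/kvm, ioctl 0xae01, 0xae41, the MSR write via 0x4008ae89, then 0xae80) is a ready-made regression test; run it against the 4.19.5-300 build on a host with KVM before tagging.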
diff --git a/kernel.spec b/kernel.spec
index fb01d6a77..975a6acc1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -626,15 +626,18 @@ Patch507: 0001-HID-i2c-hid-override-HID-descriptors-for-certain-dev.patch
# Patches from 4.20 fixing black screen on CHT devices with i915.fastboot=1
Patch508: cherrytrail-pwm-lpss-fixes.patch
-# rhbz 1644013, patch pending upstream
-Patch509: 0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch
-
# rhbz 1526312 (accelerometer part of the bug), patches pending upstream
Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch
# rhbz 1650224, patch in subsystem tree and Cc'd for stable
Patch511: drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
+# CVE-2018-16862 (rhbz 1649017 1653122)
+Patch512: mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch
+
+# CVE-2018-19407 (rhbz 1652656 1652658)
+Patch513: CVE-2018-19407.patch
+
# END OF PATCH DEFINITIONS
%endif
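Review bot: the new Patch512 and Patch513 entries lack the upstream-status comment that every neighbouring entry carries ("patch pending upstream", "patch in subsystem tree and Cc'd for stable"). Without it nobody rebasing to a later 4.19.x knows when these can be dropped. For the cleancache patch the header shows it is in -mm with Cc: stable, so something like "# CVE-2018-16862 (rhbz 1649017 1653122), in -mm, Cc'd for stable" is accurate; add the corresponding status for the KVM fix. Leaving Patch509 unused after removing the SMB0001 entry is fine; renumbering would only churn the file.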
@@ -1896,10 +1899,15 @@ fi
#
#
%changelog
+* Tue Nov 27 2018 Jeremy Cline <jcline@redhat.com> - 4.19.5-300
+- Linux v4.19.5
+- Fix CVE-2018-16862 (rhbz 1649017 1653122)
+- Fix CVE-2018-19407 (rhbz 1652656 1652658)
+
* Mon Nov 26 2018 Jeremy Cline <jeremy@jcline.org>
- Fixes a null pointer dereference with Nvidia and vmwgfx drivers (rhbz 1650224)
-* Fri Nov 23 2018 Peter Robinson <pbrobinson@fedoraproject.org> 4.19.4-300
+* Fri Nov 23 2018 Peter Robinson <pbrobinson@fedoraproject.org> - 4.19.4-300
- Linux v4.19.4
* Thu Nov 22 2018 Peter Robinson <pbrobinson@fedoraproject.org>
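Review bot: the new 4.19.5-300 entry does not mention that the SMB0001 patch (rhbz 1644013) is dropped by this same commit; add a changelog line for it so the bug can be closed against a version. Since this hunk already fixes the "Fri Nov 23" entry to the "- 4.19.4-300" form, the "Mon Nov 26" Jeremy Cline entry directly above it, which has no version suffix at all, should get the same treatment while here.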
diff --git a/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch b/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch
new file mode 100644
index 000000000..dd6934daf
--- /dev/null
+++ b/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch
@@ -0,0 +1,59 @@
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Subject: mm: cleancache: fix corruption on missed inode invalidation
+
+If all pages are deleted from the mapping by memory reclaim and also
+moved to the cleancache:
+
+__delete_from_page_cache
+ (no shadow case)
+ unaccount_page_cache_page
+ cleancache_put_page
+ page_cache_delete
+ mapping->nrpages -= nr
+ (nrpages becomes 0)
+
+We don't clean the cleancache for an inode after final file truncation
+(removal).
+
+truncate_inode_pages_final
+ check (nrpages || nrexceptional) is false
+ no truncate_inode_pages
+ no cleancache_invalidate_inode(mapping)
+
+These way when reading the new file created with same inode we may get
+these trash leftover pages from cleancache and see wrong data instead of
+the contents of the new file.
+
+Fix it by always doing truncate_inode_pages which is already ready for
+nrpages == 0 && nrexceptional == 0 case and just invalidates inode.
+
+Link: http://lkml.kernel.org/r/20181112095734.17979-1-ptikhomirov@virtuozzo.com
+Fixes: commit 91b0abe36a7b ("mm + fs: store shadow entries in page cache")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Reviewed-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+
+
+--- a/mm/truncate.c~mm-cleancache-fix-corruption-on-missed-inode-invalidation
++++ a/mm/truncate.c
+@@ -517,9 +517,9 @@ void truncate_inode_pages_final(struct a
+ */
+ xa_lock_irq(&mapping->i_pages);
+ xa_unlock_irq(&mapping->i_pages);
+-
+- truncate_inode_pages(mapping, 0);
+ }
++
++ truncate_inode_pages(mapping, 0);
+ }
+ EXPORT_SYMBOL(truncate_inode_pages_final);
+
+_
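Review bot: this is an -mm (mmotm) style patch: both file headers use the a/ prefix ("--- a/mm/truncate.c~mm-cleancache-fix-corruption-on-missed-inode-invalidation" / "+++ a/mm/truncate.c"), there is no Date: or upstream commit id, only the lkml Link:, and the file ends with the mmotm "_" marker. It still applies with -p1, but nothing in the patch itself mentions CVE-2018-16862; the Patch512 spec comment is the only thing binding the two, so add the CVE to the description or use the CVE-named file convention the KVM patch uses. The change reads correctly: moving truncate_inode_pages(mapping, 0) out of the if block means the inode-invalidation path it performs runs even when nrpages and nrexceptional are both zero, which is exactly the case the description says was skipped and left stale cleancache pages behind.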
diff --git a/sources b/sources
index 213ed8538..117919cad 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
-SHA512 (patch-4.19.4.xz) = 247039e297325a5db63df4400844a800e209d1b652512e3640ef4031d7ecad1f3e49477863fddf02b4d1d105530650363d0d03f57e02cd4d70ce4addb2085b34
+SHA512 (patch-4.19.5.xz) = 2d127b9bce3f176732b0a60feec1cf21ace28962ef2a7c468d25332631f87dd766c72706383d72461112f7dfc09742ff3c2092e162aa5923d220f2a1d4a390e4
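Review bot: the new SHA512 for patch-4.19.5.xz is asserted by this commit, not derived from anything else in the repository, so it should be checked against kernel.org's detached PGP signature rather than against the hash alone: the .sign file covers the uncompressed patch, so decompress first and then run "gpg --verify patch-4.19.5.sign patch-4.19.5" with the kernel.org release key before trusting the sources line. The bump is consistent with stable_update going from 4 to 5 in kernel.spec.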