Linux v4.20.7

3 files changed, 5 insertions, 199 deletions

diff --git a/CVE-2018-16880.patch b/CVE-2018-16880.patch
deleted file mode 100644
index 29bdf6909..000000000
--- a/CVE-2018-16880.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From mboxrd@z Thu Jan  1 00:00:00 1970
-Return-Path: <SRS0=BDae=QE=vger.kernel.org=netdev-owner@kernel.org>
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
-	aws-us-west-2-korg-lkml-1.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
-	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS
-	autolearn=unavailable autolearn_force=no version=3.4.0
-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
-	by smtp.lore.kernel.org (Postfix) with ESMTP id 5590FC282CB
-	for <netdev@archiver.kernel.org>; Mon, 28 Jan 2019 07:05:21 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id 29A2B20881
-	for <netdev@archiver.kernel.org>; Mon, 28 Jan 2019 07:05:21 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1726913AbfA1HFQ (ORCPT <rfc822;netdev@archiver.kernel.org>);
-        Mon, 28 Jan 2019 02:05:16 -0500
-Received: from mx1.redhat.com ([209.132.183.28]:34448 "EHLO mx1.redhat.com"
-        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-        id S1726612AbfA1HFQ (ORCPT <rfc822;netdev@vger.kernel.org>);
-        Mon, 28 Jan 2019 02:05:16 -0500
-Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
-        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
-        (No client certificate requested)
-        by mx1.redhat.com (Postfix) with ESMTPS id 999BC81DE3;
-        Mon, 28 Jan 2019 07:05:15 +0000 (UTC)
-Received: from jason-ThinkPad-T450s.redhat.com (ovpn-12-212.pek2.redhat.com [10.72.12.212])
-        by smtp.corp.redhat.com (Postfix) with ESMTP id EF31253B21;
-        Mon, 28 Jan 2019 07:05:07 +0000 (UTC)
-From:   Jason Wang <jasowang@redhat.com>
-To:     mst@redhat.com, jasowang@redhat.com, stefanha@redhat.com
-Cc:     kvm@vger.kernel.org, virtualization@lists.linux-foundation.org,
-        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
-Subject: [PATCH net] vhost: fix OOB in get_rx_bufs()
-Date:   Mon, 28 Jan 2019 15:05:05 +0800
-Message-Id: <20190128070505.18335-1-jasowang@redhat.com>
-X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
-X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Mon, 28 Jan 2019 07:05:15 +0000 (UTC)
-Sender: netdev-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <netdev.vger.kernel.org>
-X-Mailing-List: netdev@vger.kernel.org
-Archived-At: <https://lore.kernel.org/netdev/20190128070505.18335-1-jasowang@redhat.com/>
-List-Archive: <https://lore.kernel.org/netdev/>
-List-Post: <mailto:netdev@vger.kernel.org>
-
-After batched used ring updating was introduced in commit e2b3b35eb989
-("vhost_net: batch used ring update in rx"). We tend to batch heads in
-vq->heads for more than one packet. But the quota passed to
-get_rx_bufs() was not correctly limited, which can result a OOB write
-in vq->heads.
-
-        headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
-                    vhost_len, &in, vq_log, &log,
-                    likely(mergeable) ? UIO_MAXIOV : 1);
-
-UIO_MAXIOV was still used which is wrong since we could have batched
-used in vq->heads, this will cause OOB if the next buffer needs more
-than 960 (1024 (UIO_MAXIOV) - 64 (VHOST_NET_BATCH)) heads after we've
-batched 64 (VHOST_NET_BATCH) heads:
-
-=============================================================================
-BUG kmalloc-8k (Tainted: G    B            ): Redzone overwritten
------------------------------------------------------------------------------
-
-INFO: 0x00000000fd93b7a2-0x00000000f0713384. First byte 0xa9 instead of 0xcc
-INFO: Allocated in alloc_pd+0x22/0x60 age=3933677 cpu=2 pid=2674
-    kmem_cache_alloc_trace+0xbb/0x140
-    alloc_pd+0x22/0x60
-    gen8_ppgtt_create+0x11d/0x5f0
-    i915_ppgtt_create+0x16/0x80
-    i915_gem_create_context+0x248/0x390
-    i915_gem_context_create_ioctl+0x4b/0xe0
-    drm_ioctl_kernel+0xa5/0xf0
-    drm_ioctl+0x2ed/0x3a0
-    do_vfs_ioctl+0x9f/0x620
-    ksys_ioctl+0x6b/0x80
-    __x64_sys_ioctl+0x11/0x20
-    do_syscall_64+0x43/0xf0
-    entry_SYSCALL_64_after_hwframe+0x44/0xa9
-INFO: Slab 0x00000000d13e87af objects=3 used=3 fp=0x          (null) flags=0x200000000010201
-INFO: Object 0x0000000003278802 @offset=17064 fp=0x00000000e2e6652b
-
-Fixing this by allocating UIO_MAXIOV + VHOST_NET_BATCH iovs for
-vhost-net. This is done through set the limitation through
-vhost_dev_init(), then set_owner can allocate the number of iov in a
-per device manner.
-
-This fixes CVE-2018-16880.
-
-Fixes: e2b3b35eb989 ("vhost_net: batch used ring update in rx")
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- drivers/vhost/net.c   | 3 ++-
- drivers/vhost/scsi.c  | 2 +-
- drivers/vhost/vhost.c | 7 ++++---
- drivers/vhost/vhost.h | 4 +++-
- drivers/vhost/vsock.c | 2 +-
- 5 files changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
-index bca86bf7189f..df51a35cf537 100644
---- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -1337,7 +1337,8 @@ static int vhost_net_open(struct inode *inode, struct file *f)
- 		n->vqs[i].rx_ring = NULL;
- 		vhost_net_buf_init(&n->vqs[i].rxq);
- 	}
--	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
-+	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
-+		       UIO_MAXIOV + VHOST_NET_BATCH);
- 
- 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, EPOLLOUT, dev);
- 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, EPOLLIN, dev);
-diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
-index 344684f3e2e4..23593cb23dd0 100644
---- a/drivers/vhost/scsi.c
-+++ b/drivers/vhost/scsi.c
-@@ -1627,7 +1627,7 @@ static int vhost_scsi_open(struct inode *inode, struct file *f)
- 		vqs[i] = &vs->vqs[i].vq;
- 		vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick;
- 	}
--	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ);
-+	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, UIO_MAXIOV);
- 
- 	vhost_scsi_init_inflight(vs, NULL);
- 
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 15a216cdd507..24a129fcdd61 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -390,9 +390,9 @@ static long vhost_dev_alloc_iovecs(struct vhost_dev *dev)
- 		vq->indirect = kmalloc_array(UIO_MAXIOV,
- 					     sizeof(*vq->indirect),
- 					     GFP_KERNEL);
--		vq->log = kmalloc_array(UIO_MAXIOV, sizeof(*vq->log),
-+		vq->log = kmalloc_array(dev->iov_limit, sizeof(*vq->log),
- 					GFP_KERNEL);
--		vq->heads = kmalloc_array(UIO_MAXIOV, sizeof(*vq->heads),
-+		vq->heads = kmalloc_array(dev->iov_limit, sizeof(*vq->heads),
- 					  GFP_KERNEL);
- 		if (!vq->indirect || !vq->log || !vq->heads)
- 			goto err_nomem;
-@@ -414,7 +414,7 @@ static void vhost_dev_free_iovecs(struct vhost_dev *dev)
- }
- 
- void vhost_dev_init(struct vhost_dev *dev,
--		    struct vhost_virtqueue **vqs, int nvqs)
-+		    struct vhost_virtqueue **vqs, int nvqs, int iov_limit)
- {
- 	struct vhost_virtqueue *vq;
- 	int i;
-@@ -427,6 +427,7 @@ void vhost_dev_init(struct vhost_dev *dev,
- 	dev->iotlb = NULL;
- 	dev->mm = NULL;
- 	dev->worker = NULL;
-+	dev->iov_limit = iov_limit;
- 	init_llist_head(&dev->work_list);
- 	init_waitqueue_head(&dev->wait);
- 	INIT_LIST_HEAD(&dev->read_list);
-diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
-index 1b675dad5e05..9490e7ddb340 100644
---- a/drivers/vhost/vhost.h
-+++ b/drivers/vhost/vhost.h
-@@ -170,9 +170,11 @@ struct vhost_dev {
- 	struct list_head read_list;
- 	struct list_head pending_list;
- 	wait_queue_head_t wait;
-+	int iov_limit;
- };
- 
--void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs);
-+void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
-+		    int nvqs, int iov_limit);
- long vhost_dev_set_owner(struct vhost_dev *dev);
- bool vhost_dev_has_owner(struct vhost_dev *dev);
- long vhost_dev_check_owner(struct vhost_dev *);
-diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
-index 3fbc068eaa9b..bb5fc0e9fbc2 100644
---- a/drivers/vhost/vsock.c
-+++ b/drivers/vhost/vsock.c
-@@ -531,7 +531,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)
- 	vsock->vqs[VSOCK_VQ_TX].handle_kick = vhost_vsock_handle_tx_kick;
- 	vsock->vqs[VSOCK_VQ_RX].handle_kick = vhost_vsock_handle_rx_kick;
- 
--	vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs));
-+	vhost_dev_init(&vsock->dev, vqs, ARRAY_SIZE(vsock->vqs), UIO_MAXIOV);
- 
- 	file->private_data = vsock;
- 	spin_lock_init(&vsock->send_pkt_list_lock);
--- 
-2.17.1
-
-
diff --git a/kernel.spec b/kernel.spec
index 49de2c78b..ad1fec634 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -638,9 +638,6 @@ Patch507: CVE-2019-3459-and-CVE-2019-3460.patch
 # rhbz 1663613 patch merged into 5.0-rc#
 Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch
 
-# CVE-2018-16880 rhbz 1656472 1669545
-Patch509: CVE-2018-16880.patch
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1926,6 +1923,9 @@ fi
 #
 #
 %changelog
+* Wed Feb 06 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.7-100
+- Linux v4.20.7
+
 * Thu Jan 31 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.6-100
 - Linux v4.20.6
 
diff --git a/sources b/sources
index 775a45d88..a2cc6ee69 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-4.20.tar.xz) = e282399beea5da539701aed2bc131abd5bc74a970dcd344163e9d295106dfd700180e672ed546ae5e55bc6b9ac95efd5ca1de2039015c1b7a6fc9c01ea6583d4
-SHA512 (patch-4.20.6.xz) = 3301b4bc29818b0edf8d1a69de8dddae2ba49617a08fadb4529e4c0275e40592520f45520846fc12a58c1af2565398c95809f652789a8b27ab3ad7bb792d9d6c
+SHA512 (patch-4.20.7.xz) = 7b3ea8f8880dfcc1f4f632ff5f30fe7a210eec9d36b76f4643d9864de1ce0daf65c1fd2ae0547c783f2b27ed2c0c01acd733bbf7e6c14ad57fe9dad2ed59385c