authorThorsten Leemhuis <fedora@leemhuis.info>2019-02-20 10:51:58 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2019-02-20 10:51:58 +0100
commit7d4cb521fc370933695dc6c523a22b2c2eae08a5 (patch)
tree98f033452691b0758ca3200f1a89d8f5625a2698
parentdc1b5b9646b3970bb5fa6052f80431cb15e80509 (diff)
parentbb99dec73f4b1e220aa12ed9949494775a8fdbc4 (diff)
Merge remote-tracking branch 'origin/f29' into f29-user-thl-vanilla-fedora
-rw-r--r--arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch75
-rw-r--r--arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch44
-rw-r--r--kernel.spec13
-rw-r--r--net-crypto-set-sk-to-NULL-when-af_alg_release.patch127
4 files changed, 259 insertions, 0 deletions
diff --git a/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch b/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch
new file mode 100644
index 000000000..8a2e8751b
--- /dev/null
+++ b/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch
@@ -0,0 +1,75 @@
+From 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 12 Dec 2018 11:49:47 +0000
+Subject: ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
+
+If we have a kernel configured for periodic timer interrupts, and we
+have cpuidle enabled, then we end up with CPU1 losing timer interupts
+after a hotplug.
+
+This can manifest itself in RCU stall warnings, or userspace becoming
+unresponsive.
+
+The problem is that the kernel initially wants to use the TWD timer
+for interrupts, but the TWD loses context when we enter the C3 cpuidle
+state. Nothing reprograms the TWD after idle.
+
+We have solved this in the past by switching to broadcast timer ticks,
+and cpuidle44xx switches to that mode at boot time. However, there is
+nothing to switch from periodic mode local timers after a hotplug
+operation.
+
+We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
+would expect would take care of the issue, but internally this only
+deals with one-shot local timers - tick_broadcast_enable() on the other
+hand only deals with periodic local timers. So, we need to call both.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[tony@atomide.com: just standardized the subject line]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index a8b291f00109..dae514c8276a 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) &&
+ (cx->mpu_logic_state == PWRDM_POWER_OFF);
+
++ /* Enter broadcast mode for periodic timers */
++ tick_broadcast_enable();
++
++ /* Enter broadcast mode for one-shot timers */
+ tick_broadcast_enter();
+
+ /*
+@@ -218,15 +222,6 @@ fail:
+ return index;
+ }
+
+-/*
+- * For each cpu, setup the broadcast timer because local timers
+- * stops for the states above C1.
+- */
+-static void omap_setup_broadcast_timer(void *arg)
+-{
+- tick_broadcast_enable();
+-}
+-
+ static struct cpuidle_driver omap4_idle_driver = {
+ .name = "omap4_idle",
+ .owner = THIS_MODULE,
+@@ -319,8 +314,5 @@ int __init omap4_idle_init(void)
+ if (!cpu_clkdm[0] || !cpu_clkdm[1])
+ return -ENODEV;
+
+- /* Configure the broadcast timer on each cpu */
+- on_each_cpu(omap_setup_broadcast_timer, NULL, 1);
+-
+ return cpuidle_register(idle_driver, cpu_online_mask);
+ }
+--
+cgit 1.2-0.3.lf.el7
diff --git a/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch b/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch
new file mode 100644
index 000000000..1b5bdc30c
--- /dev/null
+++ b/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch
@@ -0,0 +1,44 @@
+From dc30e70391376ba3987aeb856ae6d9c0706534f1 Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be
+ uninitialized
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index f86b72d1d59e..1444b4b4bd9f 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -83,6 +83,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -98,7 +99,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, &reg);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ &reg);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+cgit 1.2-0.3.lf.el7
diff --git a/kernel.spec b/kernel.spec
index 679dfb0bc..927f6c6c7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -600,6 +600,10 @@ Patch307: wlcore-sdio-Fixup-power-on-off-sequence.patch
# https://patchwork.kernel.org/patch/10778815/
Patch308: drm-enable-uncached-DMA-optimization-for-ARM-and-arm64.patch
+# omap4 fixes
+Patch309: arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch
+Patch310: arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch
+
# https://patchwork.kernel.org/patch/10686407/
Patch331: raspberrypi-Fix-firmware-calls-with-large-buffers.patch
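Review bot: The new Patch309 and Patch310 definitions carry only `# omap4 fixes`, while the neighbouring Patch308 and Patch331 entries record where each backport comes from with a patchwork URL or bug reference. Both omap4 patch files identify their upstream commits in their headers, so the comment could read `# omap4 fixes, upstream 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b and dc30e70391376ba3987aeb856ae6d9c0706534f1` so the entries can be dropped once the stable series picks them up. The same applies to Patch509 in the next hunk: its comment names the CVE and the rhbz numbers, but the added file is a patchwork submission (X-Patchwork-Id 1042902, posted against net-next) rather than a merged mainline commit, so a comment to that effect would make it clear the file needs re-checking against whatever upstream finally merges.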
@@ -650,6 +654,9 @@ Patch507: CVE-2019-3459-and-CVE-2019-3460.patch
# rhbz 1663613 patch merged into 5.0-rc#
Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch
+# CVE-2019-8912 rhbz 1678685 1678686
+Patch509: net-crypto-set-sk-to-NULL-when-af_alg_release.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1924,6 +1931,12 @@ fi
#
#
%changelog
+* Tue Feb 19 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-8912 (rhbz 1678685 1678686)
+
+* Fri Feb 15 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.10-200
+- Linux v4.20.10
+
* Tue Feb 12 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.8-200
- Linux v4.20.8
- Fixes CVE-2019-7221 (rhbz 1671904 1673676)
diff --git a/net-crypto-set-sk-to-NULL-when-af_alg_release.patch b/net-crypto-set-sk-to-NULL-when-af_alg_release.patch
new file mode 100644
index 000000000..dffeac0bb
--- /dev/null
+++ b/net-crypto-set-sk-to-NULL-when-af_alg_release.patch
@@ -0,0 +1,127 @@
+From patchwork Fri Feb 15 14:24:15 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [net-next] net: crypto set sk to NULL when af_alg_release.
+X-Patchwork-Submitter: Mao Wenan <maowenan@huawei.com>
+X-Patchwork-Id: 1042902
+X-Patchwork-Delegate: davem@davemloft.net
+Message-Id: <20190215142415.149153-1-maowenan@huawei.com>
+To: <netdev@vger.kernel.org>, <davem@davemloft.net>,
+ <xiyou.wangcong@gmail.com>, <linux-kernel@vger.kernel.org>
+Date: Fri, 15 Feb 2019 22:24:15 +0800
+From: Mao Wenan <maowenan@huawei.com>
+List-Id: <netdev.vger.kernel.org>
+
+KASAN has found use-after-free in sockfs_setattr.
+The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
+and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
+that crypto module forgets to set the sk to NULL after af_alg_release.
+
+KASAN report details as below:
+BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
+Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
+
+CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description+0x79/0x330
+ ? vprintk_func+0x5e/0xf0
+ kasan_report+0x18a/0x2e0
+ ? sockfs_setattr+0x120/0x150
+ sockfs_setattr+0x120/0x150
+ ? sock_register+0x2d0/0x2d0
+ notify_change+0x90c/0xd40
+ ? chown_common+0x2ef/0x510
+ chown_common+0x2ef/0x510
+ ? chmod_common+0x3b0/0x3b0
+ ? __lock_is_held+0xbc/0x160
+ ? __sb_start_write+0x13d/0x2b0
+ ? __mnt_want_write+0x19a/0x250
+ do_fchownat+0x15c/0x190
+ ? __ia32_sys_chmod+0x80/0x80
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ __x64_sys_fchownat+0xbf/0x160
+ ? lockdep_hardirqs_on+0x39a/0x5e0
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462589
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
+f7 48 89 d6 48 89
+ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
+48 c7 c1 bc ff ff
+ff f7 d8 64 89 01 48
+RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
+RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
+RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
+RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
+R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
+
+Allocated by task 4185:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc+0x14a/0x350
+ sk_prot_alloc+0xf6/0x290
+ sk_alloc+0x3d/0xc00
+ af_alg_accept+0x9e/0x670
+ hash_accept+0x4a3/0x650
+ __sys_accept4+0x306/0x5c0
+ __x64_sys_accept4+0x98/0x100
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 4184:
+ __kasan_slab_free+0x12e/0x180
+ kfree+0xeb/0x2f0
+ __sk_destruct+0x4e6/0x6a0
+ sk_destruct+0x48/0x70
+ __sk_free+0xa9/0x270
+ sk_free+0x2a/0x30
+ af_alg_release+0x5c/0x70
+ __sock_release+0xd3/0x280
+ sock_close+0x1a/0x20
+ __fput+0x27f/0x7f0
+ task_work_run+0x136/0x1b0
+ exit_to_usermode_loop+0x1a7/0x1d0
+ do_syscall_64+0x461/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Syzkaller reproducer:
+r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
+0xffffffffffffffff, 0x0)
+r1 = socket$alg(0x26, 0x5, 0x0)
+getrusage(0x0, 0x0)
+bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
+'sha256-ssse3\x00'}, 0x80)
+r2 = accept(r1, 0x0, 0x0)
+r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
+r4 = dup3(r3, r0, 0x0)
+fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
+
+Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+---
+ crypto/af_alg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 17eb09d222ff..ec78a04eb136 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
+
+ int af_alg_release(struct socket *sock)
+ {
+- if (sock->sk)
++ if (sock->sk) {
+ sock_put(sock->sk);
++ sock->sk = NULL;
++ }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(af_alg_release);