Merge remote-tracking branch 'origin/f29' into f29-user-thl-vanilla-fedora

6 files changed, 6 insertions, 144 deletions

diff --git a/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch b/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
deleted file mode 100644
index 0f2eacbc9..000000000
--- a/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From a4176ec356c73a46c07c181c6d04039fafa34a9f Mon Sep 17 00:00:00 2001
-From: Arend van Spriel <arend.vanspriel@broadcom.com>
-Date: Thu, 14 Feb 2019 13:43:48 +0100
-Subject: [PATCH] brcmfmac: add subtype check for event handling in data path
-
-For USB there is no separate channel being used to pass events
-from firmware to the host driver and as such are passed over the
-data path. In order to detect mock event messages an additional
-check is needed on event subtype. This check is added conditionally
-using unlikely() keyword.
-
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/core.c  |  5 +++--
- .../wireless/broadcom/brcm80211/brcmfmac/fweh.h  | 16 ++++++++++++----
- .../broadcom/brcm80211/brcmfmac/msgbuf.c         |  2 +-
- 3 files changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-index e772c0845638..a368ba6e7344 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event)
- 	} else {
- 		/* Process special event packets */
- 		if (handle_event)
--			brcmf_fweh_process_skb(ifp->drvr, skb);
-+			brcmf_fweh_process_skb(ifp->drvr, skb,
-+					       BCMILCP_SUBTYPE_VENDOR_LONG);
-
- 		brcmf_netif_rx(ifp, skb);
- 	}
-@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
- 	if (brcmf_rx_hdrpull(drvr, skb, &ifp))
- 		return;
-
--	brcmf_fweh_process_skb(ifp->drvr, skb);
-+	brcmf_fweh_process_skb(ifp->drvr, skb, 0);
- 	brcmu_pkt_buf_free_skb(skb);
- }
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-index 31f3e8e83a21..7027243db17e 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code {
-  */
- #define BRCM_OUI				"\x00\x10\x18"
- #define BCMILCP_BCM_SUBTYPE_EVENT		1
--
-+#define BCMILCP_SUBTYPE_VENDOR_LONG		32769
-
- /**
-  * struct brcm_ethhdr - broadcom specific ether header.
-@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
- void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
-
- static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
--					  struct sk_buff *skb)
-+					  struct sk_buff *skb, u16 stype)
- {
- 	struct brcmf_event *event_packet;
--	u16 usr_stype;
-+	u16 subtype, usr_stype;
-
- 	/* only process events when protocol matches */
- 	if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
-@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
- 	if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
- 		return;
-
--	/* check for BRCM oui match */
- 	event_packet = (struct brcmf_event *)skb_mac_header(skb);
-+
-+	/* check subtype if needed */
-+	if (unlikely(stype)) {
-+		subtype = get_unaligned_be16(&event_packet->hdr.subtype);
-+		if (subtype != stype)
-+			return;
-+	}
-+
-+	/* check for BRCM oui match */
- 	if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
- 		   sizeof(event_packet->hdr.oui)))
- 		return;
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-index 4e8397a0cbc8..ee922b052561 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf)
-
- 	skb->protocol = eth_type_trans(skb, ifp->ndev);
-
--	brcmf_fweh_process_skb(ifp->drvr, skb);
-+	brcmf_fweh_process_skb(ifp->drvr, skb, 0);
-
- exit:
- 	brcmu_pkt_buf_free_skb(skb);
--- 
-2.20.1
-
diff --git a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
deleted file mode 100644
index 23d43d725..000000000
--- a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001
-From: Arend van Spriel <arend.vanspriel@broadcom.com>
-Date: Thu, 14 Feb 2019 13:43:47 +0100
-Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited
-
-The SSID length as received from firmware should not exceed
-IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
-
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-index b5e291ed9496..012275fc3bf7 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
- 	}
-
- 	netinfo = brcmf_get_netinfo_array(pfn_result);
-+	if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
-+		netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
- 	memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
- 	cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
- 	cfg->wowl.nd->n_channels = 1;
--- 
-2.20.1
-
diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225 b/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225
new file mode 100644
index 000000000..3e0b01e04
--- /dev/null
+++ b/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225
@@ -0,0 +1 @@
+CONFIG_ARM64_ERRATUM_1463225=y
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 581b418c3..290802969 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -282,6 +282,7 @@ CONFIG_ARM64_ERRATUM_1024718=y
 CONFIG_ARM64_ERRATUM_1165522=y
 CONFIG_ARM64_ERRATUM_1188873=y
 CONFIG_ARM64_ERRATUM_1286807=y
+CONFIG_ARM64_ERRATUM_1463225=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 06ff18b97..0105b898b 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -282,6 +282,7 @@ CONFIG_ARM64_ERRATUM_1024718=y
 CONFIG_ARM64_ERRATUM_1165522=y
 CONFIG_ARM64_ERRATUM_1188873=y
 CONFIG_ARM64_ERRATUM_1286807=y
+CONFIG_ARM64_ERRATUM_1463225=y
 CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_824069=y
 CONFIG_ARM64_ERRATUM_826319=y
diff --git a/kernel.spec b/kernel.spec
index 1197d621c..f6a0e3a96 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -620,12 +620,6 @@ Patch513: 0001-virt-vbox-Implement-passing-requestor-info-to-the-ho.patch
 # rhbz 1683382
 Patch515: nfsv4.1-avoid-false-retries.patch
 
-# CVE-2019-9500 rhbz 1701224 1701226
-Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
-
-# CVE-2019-9503 rhbz 1701842 1701843
-Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
-
 # https://bugzilla.redhat.com/show_bug.cgi?id=1701096
 Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
 Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
@@ -1914,6 +1908,9 @@ fi
 #
 #
 %changelog
+* Fri May 31 2019 Laura Abbott <labbott@redhat.com> - 5.0.20-200
+- Linux v5.0.20
+
 * Tue May 28 2019 Laura Abbott <labbott@redhat.com> - 5.0.19-200
 - Linux v5.0.19