Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

5 files changed, 176 insertions, 176 deletions

diff --git a/drm-panel-orientation-quirks.patch b/drm-panel-orientation-quirks.patch
deleted file mode 100644
index d5e3bf361..000000000
--- a/drm-panel-orientation-quirks.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From aab65520447cb19e3be4a301b796dfb588e85873 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Sun, 2 Jun 2019 15:20:33 +0200
-Subject: [PATCH] drm: panel-orientation-quirks: Add extra quirk table entry
- for GPD MicroPC
-
-Newer GPD MicroPC BIOS versions have proper DMI strings, add an extra quirk
-table entry for these new strings. This is good news, as this means that we
-no longer have to update the BIOS dates list with every BIOS update.
-
-Fixes: 652b8b086538("drm: panel-orientation-quirks: Add quirk for GPD MicroPC")
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
-index d8a0bcd02f34..ffd95bfeaa94 100644
---- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
-+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
-@@ -90,6 +90,12 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = {
- 	.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
- };
- 
-+static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = {
-+	.width = 720,
-+	.height = 1280,
-+	.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
-+};
-+
- static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = {
- 	.width = 800,
- 	.height = 1280,
-@@ -123,6 +129,12 @@ static const struct dmi_system_id orientation_data[] = {
- 		  DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
- 		},
- 		.driver_data = (void *)&gpd_micropc,
-+	}, {	/* GPD MicroPC (later BIOS versions with proper DMI strings) */
-+		.matches = {
-+		  DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
-+		  DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "MicroPC"),
-+		},
-+		.driver_data = (void *)&lcd720x1280_rightside_up,
- 	}, {	/*
- 		 * GPD Pocket, note that the the DMI data is less generic then
- 		 * it seems, devices with a board-vendor of "AMI Corporation"
--- 
-2.21.0
-
diff --git a/dwc3-fix.patch b/dwc3-fix.patch
new file mode 100644
index 000000000..d741b9e2e
--- /dev/null
+++ b/dwc3-fix.patch
@@ -0,0 +1,80 @@
+From 4749e0e61241cc121de572520a39dab365b9ea1d Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Thu, 8 Aug 2019 16:39:42 -0700
+Subject: usb: dwc3: Update soft-reset wait polling rate
+
+Starting from DWC_usb31 version 1.90a and later, the DCTL.CSFRST bit
+will not be cleared until after all the internal clocks are synchronized
+during soft-reset. This may take a little more than 50ms. Set the
+polling rate at 20ms instead.
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+---
+ drivers/usb/dwc3/core.c | 23 ++++++++++++++++++-----
+ drivers/usb/dwc3/core.h |  2 ++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 98bce85c29d0..252c397860ef 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -252,12 +252,25 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc)
+ 	reg |= DWC3_DCTL_CSFTRST;
+ 	dwc3_writel(dwc->regs, DWC3_DCTL, reg);
+ 
++	/*
++	 * For DWC_usb31 controller 1.90a and later, the DCTL.CSFRST bit
++	 * is cleared only after all the clocks are synchronized. This can
++	 * take a little more than 50ms. Set the polling rate at 20ms
++	 * for 10 times instead.
++	 */
++	if (dwc3_is_usb31(dwc) && dwc->revision >= DWC3_USB31_REVISION_190A)
++		retries = 10;
++
+ 	do {
+ 		reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ 		if (!(reg & DWC3_DCTL_CSFTRST))
+ 			goto done;
+ 
+-		udelay(1);
++		if (dwc3_is_usb31(dwc) &&
++		    dwc->revision >= DWC3_USB31_REVISION_190A)
++			msleep(20);
++		else
++			udelay(1);
+ 	} while (--retries);
+ 
+ 	phy_exit(dwc->usb3_generic_phy);
+@@ -267,11 +280,11 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc)
+ 
+ done:
+ 	/*
+-	 * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared,
+-	 * we must wait at least 50ms before accessing the PHY domain
+-	 * (synchronization delay). DWC_usb31 programming guide section 1.3.2.
++	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
++	 * is cleared, we must wait at least 50ms before accessing the PHY
++	 * domain (synchronization delay).
+ 	 */
+-	if (dwc3_is_usb31(dwc))
++	if (dwc3_is_usb31(dwc) && dwc->revision <= DWC3_USB31_REVISION_180A)
+ 		msleep(50);
+ 
+ 	return 0;
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 3dd783b889cb..1c8b349379af 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -1137,6 +1137,8 @@ struct dwc3 {
+ #define DWC3_USB31_REVISION_120A	(0x3132302a | DWC3_REVISION_IS_DWC31)
+ #define DWC3_USB31_REVISION_160A	(0x3136302a | DWC3_REVISION_IS_DWC31)
+ #define DWC3_USB31_REVISION_170A	(0x3137302a | DWC3_REVISION_IS_DWC31)
++#define DWC3_USB31_REVISION_180A	(0x3138302a | DWC3_REVISION_IS_DWC31)
++#define DWC3_USB31_REVISION_190A	(0x3139302a | DWC3_REVISION_IS_DWC31)
+ 
+ 	u32			version_type;
+ 
+-- 
+cgit 1.2-0.3.lf.el7
+
diff --git a/fix-a-double-free-bug-in-rsi_91x_deinit.patch b/fix-a-double-free-bug-in-rsi_91x_deinit.patch
deleted file mode 100644
index 331817bda..000000000
--- a/fix-a-double-free-bug-in-rsi_91x_deinit.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From mboxrd@z Thu Jan  1 00:00:00 1970
-Return-Path: <SRS0=+RQC=WP=vger.kernel.org=linux-kernel-owner@kernel.org>
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
-	aws-us-west-2-korg-lkml-1.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
-	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
-	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
-	SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
-	version=3.4.0
-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
-	by smtp.lore.kernel.org (Postfix) with ESMTP id EBD3AC3A5A0
-	for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id BCC05214DA
-	for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
-	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRgzkkQ0"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1728637AbfHSWCp (ORCPT
-        <rfc822;linux-kernel@archiver.kernel.org>);
-        Mon, 19 Aug 2019 18:02:45 -0400
-Received: from mail-io1-f67.google.com ([209.85.166.67]:33900 "EHLO
-        mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
-        with ESMTP id S1728494AbfHSWCo (ORCPT
-        <rfc822;linux-kernel@vger.kernel.org>);
-        Mon, 19 Aug 2019 18:02:44 -0400
-Received: by mail-io1-f67.google.com with SMTP id s21so7791675ioa.1;
-        Mon, 19 Aug 2019 15:02:44 -0700 (PDT)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=gmail.com; s=20161025;
-        h=from:to:cc:subject:date:message-id:mime-version
-         :content-transfer-encoding;
-        bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
-        b=IRgzkkQ0QlYiIqgU9DslAGaSx9oz5wU5adcfTZWc60ibm3DHynGVVixJrWxAut0Pae
-         ARzqaY1/pxrAMSpTdcKfCBtRoFPMFS8+WZsScW495O7Pf7bJTCDAo3OOueleEgGs9Osv
-         59921BouToXc5Ovc92CQFjNHP3+/kGBqZvxV+QK34IvNWzoIEU93UHsUIxSn6eVvrsFU
-         g5treQ50nJkKHPa8rwc0Oh9s6WWKODy8zKxExTJhdznLdHOm5T7muHcEccqX8YZQ5L7d
-         ADPOmA+sRvWN3t/z9HxtD4g/Lgj4kzEYFnWJ9k7ClZwbnzn02QUlkT8waxriC/Wpe9nP
-         q53A==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=1e100.net; s=20161025;
-        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
-         :content-transfer-encoding;
-        bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
-        b=oYozfHj6p7SMaYdxmSXvkqz3omwdyg+ftHjVBaHiAqBlnLj6x9531et8jUk50jueoT
-         y2cU/oVuoVQsCwOEu43hu26qlol2JSmB1xXJj0Za8nKZa3h3GF5CKG8/dexHz8TzCJX1
-         vo/TNPdY3AlW7Sn9JLnWCqFK+QgbPhjdBs+6Hbh+5nkCxIG5dVn0FfYbLYATeh/888YB
-         pTCJ8dkbLQiWXEJam6b9NoOpcIzbpcb7rL3A355C/1AGZsCy/NlKmneuw0Va10AnswkK
-         KBYv+EisB1L8oCP9l6r5fp4PUqyMH3TjrBdJddx8EQ9cq8SORiLtmmRuF8e3kdImDEK4
-         6Gcw==
-X-Gm-Message-State: APjAAAXB6U8H/6BuBUmOb6K7bk/qaEOOS1bw9RIpAgXyrExtL8rl/B99
-        17LNTRGgJKvcUB6qlr4ZRbY=
-X-Google-Smtp-Source: APXvYqzjT1oN5/e8keSQCjVxoTzLRGG1vuf4kTYM+hq51sy7QzOV0GLDOYYsYVB78xsRtsZrFijh0Q==
-X-Received: by 2002:a6b:f30b:: with SMTP id m11mr21952710ioh.214.1566252163559;
-        Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
-Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27])
-        by smtp.googlemail.com with ESMTPSA id z9sm2850133ior.79.2019.08.19.15.02.42
-        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
-        Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
-From:   Hui Peng <benquike@gmail.com>
-To:     security@kernel.org
-Cc:     Hui Peng <benquike@gmail.com>,
-        Mathias Payer <mathias.payer@nebelwelt.net>,
-        Kalle Valo <kvalo@codeaurora.org>,
-        "David S. Miller" <davem@davemloft.net>,
-        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
-        linux-kernel@vger.kernel.org
-Subject: [PATCH] Fix a double free bug in rsi_91x_deinit
-Date:   Mon, 19 Aug 2019 18:02:29 -0400
-Message-Id: <20190819220230.10597-1-benquike@gmail.com>
-X-Mailer: git-send-email 2.22.1
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Sender: linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-kernel.vger.kernel.org>
-X-Mailing-List: linux-kernel@vger.kernel.org
-Archived-At: <https://lore.kernel.org/lkml/20190819220230.10597-1-benquike@gmail.com/>
-List-Archive: <https://lore.kernel.org/lkml/>
-List-Post: <mailto:linux-kernel@vger.kernel.org>
-
-`dev` (struct rsi_91x_usbdev *) field of adapter
-(struct rsi_91x_usbdev *) is allocated  and initialized in
-`rsi_init_usb_interface`. If any error is detected in information
-read from the device side,  `rsi_init_usb_interface` will be
-freed. However, in the higher level error handling code in
-`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
-again, in which `dev` will be freed again, resulting double free.
-
-This patch fixes the double free by removing the free operation on
-`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
-used in `rsi_disconnect`, in that code path, the `dev` field is not
- (and thus needs to be) freed.
-
-This bug was found in v4.19, but is also present in the latest version
-of kernel.
-
-Reported-by: Hui Peng <benquike@gmail.com>
-Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
-Signed-off-by: Hui Peng <benquike@gmail.com>
----
- drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
-index c0a163e40402..ac917227f708 100644
---- a/drivers/net/wireless/rsi/rsi_91x_usb.c
-+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
-@@ -640,7 +640,6 @@ static int rsi_init_usb_interface(struct rsi_hw *adapter,
- 	kfree(rsi_dev->tx_buffer);
- 
- fail_eps:
--	kfree(rsi_dev);
- 
- 	return status;
- }
--- 
-2.22.1
-
-
diff --git a/kernel.spec b/kernel.spec
index 3e8e7084e..19b020e8c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -598,9 +598,6 @@ Patch507: 0001-Drop-that-for-now.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
 Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 
-# Fix the LCD panel orientation on the GPD MicroPC, pending as fix for 5.3
-Patch510: drm-panel-orientation-quirks.patch
-
 # rhbz 1732045
 Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
 
@@ -608,12 +605,15 @@ Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
 # rhbz 1744130 1744137 1744149 1746566 1746567 
 Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
 
-# CVE-2019-15504 rhbz 1746725 1746726
-Patch515: fix-a-double-free-bug-in-rsi_91x_deinit.patch
-
 # CVE-2019-15505 rhbz 1746732 1746734
 Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
 
+# CVE-2019-14821 rhbz 1746708 1753596
+Patch517: kvm-coalesced_mmio-add-bounds-checking.patch
+
+# rhbz 1753099
+Patch518: dwc3-fix.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1854,6 +1854,13 @@ fi
 #
 #
 %changelog
+* Thu Sep 19 2019 Laura Abbott <labbott@redhat.com>
+- Fix for dwc3 (rhbz 1753099)
+
+* Thu Sep 19 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.16-200
+- Linux v5.2.16
+- Fix CVE-2019-14821 (rhbz 1746708 1753596)
+
 * Mon Sep 16 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.15-200
 - Linux v5.2.15
 - Fixes rhbz 1751901
diff --git a/kvm-coalesced_mmio-add-bounds-checking.patch b/kvm-coalesced_mmio-add-bounds-checking.patch
new file mode 100644
index 000000000..ddd2568f9
--- /dev/null
+++ b/kvm-coalesced_mmio-add-bounds-checking.patch
@@ -0,0 +1,83 @@
+From b60fe990c6b07ef6d4df67bc0530c7c90a62623a Mon Sep 17 00:00:00 2001
+From: Matt Delco <delco@chromium.org>
+Date: Mon, 16 Sep 2019 14:16:54 -0700
+Subject: KVM: coalesced_mmio: add bounds checking
+
+The first/last indexes are typically shared with a user app.
+The app can change the 'last' index that the kernel uses
+to store the next result.  This change sanity checks the index
+before using it for writing to a potentially arbitrary address.
+
+This fixes CVE-2019-14821.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
+Signed-off-by: Matt Delco <delco@chromium.org>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
+[Use READ_ONCE. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
+index 5294abb3f178..8ffd07e2a160 100644
+--- a/virt/kvm/coalesced_mmio.c
++++ b/virt/kvm/coalesced_mmio.c
+@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
+ 	return 1;
+ }
+ 
+-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
+ {
+ 	struct kvm_coalesced_mmio_ring *ring;
+ 	unsigned avail;
+@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
+ 	 * there is always one unused entry in the buffer
+ 	 */
+ 	ring = dev->kvm->coalesced_mmio_ring;
+-	avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
++	avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
+ 	if (avail == 0) {
+ 		/* full */
+ 		return 0;
+@@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
+ {
+ 	struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
+ 	struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
++	__u32 insert;
+ 
+ 	if (!coalesced_mmio_in_range(dev, addr, len))
+ 		return -EOPNOTSUPP;
+ 
+ 	spin_lock(&dev->kvm->ring_lock);
+ 
+-	if (!coalesced_mmio_has_room(dev)) {
++	insert = READ_ONCE(ring->last);
++	if (!coalesced_mmio_has_room(dev, insert) ||
++	    insert >= KVM_COALESCED_MMIO_MAX) {
+ 		spin_unlock(&dev->kvm->ring_lock);
+ 		return -EOPNOTSUPP;
+ 	}
+ 
+ 	/* copy data in first free entry of the ring */
+ 
+-	ring->coalesced_mmio[ring->last].phys_addr = addr;
+-	ring->coalesced_mmio[ring->last].len = len;
+-	memcpy(ring->coalesced_mmio[ring->last].data, val, len);
+-	ring->coalesced_mmio[ring->last].pio = dev->zone.pio;
++	ring->coalesced_mmio[insert].phys_addr = addr;
++	ring->coalesced_mmio[insert].len = len;
++	memcpy(ring->coalesced_mmio[insert].data, val, len);
++	ring->coalesced_mmio[insert].pio = dev->zone.pio;
+ 	smp_wmb();
+-	ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
++	ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
+ 	spin_unlock(&dev->kvm->ring_lock);
+ 	return 0;
+ }
+-- 
+cgit 1.2-0.3.lf.el7
+