authorJustin M. Forbes <jforbes@fedoraproject.org>2020-08-05 11:28:50 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2020-08-05 11:28:50 -0500
commit38af44ceef8bd7fa9fc8a394435aba9329466afa (patch)
treeb2b4cc824eec3b666aa720e9e036f4534dac8342
parent1427a1b472eaa6f9131d0d122fbea8b2383b9edb (diff)
Linux v5.7.13
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--0001-ALSA-hda-Workaround-for-spurious-wakeups-on-some-Int.patch88
-rw-r--r--kernel.spec12
-rw-r--r--random32-update-the-net-random-state-on-interrupt-and-activity.patch109
-rw-r--r--sources2
4 files changed, 118 insertions, 93 deletions
diff --git a/0001-ALSA-hda-Workaround-for-spurious-wakeups-on-some-Int.patch b/0001-ALSA-hda-Workaround-for-spurious-wakeups-on-some-Int.patch
deleted file mode 100644
index 1a3663270..000000000
--- a/0001-ALSA-hda-Workaround-for-spurious-wakeups-on-some-Int.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 2b796b34a3b9ade3307304121a726d318641415a Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Mon, 27 Jul 2020 17:19:18 +0200
-Subject: [PATCH] ALSA: hda: Workaround for spurious wakeups on some Intel
- platforms
-
-We've received a regression report on Intel HD-audio controller that
-wakes up immediately after S3 suspend. The bisection leads to the
-commit c4c8dd6ef807 ("ALSA: hda: Skip controller resume if not
-needed"). This commit replaces the system-suspend to use
-pm_runtime_force_suspend() instead of the direct call of
-__azx_runtime_suspend(). However, by some really mysterious reason,
-pm_runtime_force_suspend() causes a spurious wakeup (although it calls
-the same __azx_runtime_suspend() internally).
-
-As an ugly workaround for now, revert the behavior to call
-__azx_runtime_suspend() and __azx_runtime_resume() for those old Intel
-platforms that may exhibit such a problem, while keeping the new
-standard pm_runtime_force_suspend() and pm_runtime_force_resume()
-pair for the remaining chips.
-
-Fixes: c4c8dd6ef807 ("ALSA: hda: Skip controller resume if not needed")
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208649
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/pci/hda/hda_controller.h | 2 +-
- sound/pci/hda/hda_intel.c | 17 ++++++++++++++---
- 2 files changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h
-index fe171685492d..be63ead8161f 100644
---- a/sound/pci/hda/hda_controller.h
-+++ b/sound/pci/hda/hda_controller.h
-@@ -41,7 +41,7 @@
- /* 24 unused */
- #define AZX_DCAPS_COUNT_LPIB_DELAY (1 << 25) /* Take LPIB as delay */
- #define AZX_DCAPS_PM_RUNTIME (1 << 26) /* runtime PM support */
--/* 27 unused */
-+#define AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP (1 << 27) /* Workaround for spurious wakeups after suspend */
- #define AZX_DCAPS_CORBRP_SELF_CLEAR (1 << 28) /* CORBRP clears itself after reset */
- #define AZX_DCAPS_NO_MSI64 (1 << 29) /* Stick to 32-bit MSIs */
- #define AZX_DCAPS_SEPARATE_STREAM_TAG (1 << 30) /* capture and playback use separate stream tag */
-diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
-index 9ba1fb8f0b7f..fb65450d8de1 100644
---- a/sound/pci/hda/hda_intel.c
-+++ b/sound/pci/hda/hda_intel.c
-@@ -297,7 +297,8 @@ enum {
- /* PCH for HSW/BDW; with runtime PM */
- /* no i915 binding for this as HSW/BDW has another controller for HDMI */
- #define AZX_DCAPS_INTEL_PCH \
-- (AZX_DCAPS_INTEL_PCH_BASE | AZX_DCAPS_PM_RUNTIME)
-+ (AZX_DCAPS_INTEL_PCH_BASE | AZX_DCAPS_PM_RUNTIME |\
-+ AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP)
-
- /* HSW HDMI */
- #define AZX_DCAPS_INTEL_HASWELL \
-@@ -1026,7 +1027,14 @@ static int azx_suspend(struct device *dev)
- chip = card->private_data;
- bus = azx_bus(chip);
- snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
-- pm_runtime_force_suspend(dev);
-+ /* An ugly workaround: direct call of __azx_runtime_suspend() and
-+ * __azx_runtime_resume() for old Intel platforms that suffer from
-+ * spurious wakeups after S3 suspend
-+ */
-+ if (chip->driver_caps & AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP)
-+ __azx_runtime_suspend(chip);
-+ else
-+ pm_runtime_force_suspend(dev);
- if (bus->irq >= 0) {
- free_irq(bus->irq, chip);
- bus->irq = -1;
-@@ -1055,7 +1063,10 @@ static int azx_resume(struct device *dev)
- if (azx_acquire_irq(chip, 1) < 0)
- return -EIO;
-
-- pm_runtime_force_resume(dev);
-+ if (chip->driver_caps & AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP)
-+ __azx_runtime_resume(chip, false);
-+ else
-+ pm_runtime_force_resume(dev);
- snd_power_change_state(card, SNDRV_CTL_POWER_D0);
-
- trace_azx_resume(chip);
---
-2.26.2
-
diff --git a/kernel.spec b/kernel.spec
index 329f8b2ff..3b02a59d4 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -883,12 +883,12 @@ Patch123: 0001-usb-fusb302-Convert-to-use-GPIO-descriptors.patch
# Tegra194 ACPI PCI quirk - http://patchwork.ozlabs.org/patch/1221384/
Patch124: 0001-PCI-Add-MCFG-quirks-for-Tegra194-host-controllers.patch
-# rhbz 1857101
-Patch125: 0001-ALSA-hda-Workaround-for-spurious-wakeups-on-some-Int.patch
-
# Work around a bug in gcc https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96377
Patch126: 0001-Work-around-for-gcc-bug-https-gcc.gnu.org-bugzilla-s.patch
+# CVE-2020-16166 rhbz 1865751 1865752
+Patch127: random32-update-the-net-random-state-on-interrupt-and-activity.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2993,6 +2993,10 @@ fi
#
#
%changelog
+* Wed Aug 05 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.13-200
+- Linux v5.7.13
+- Fix CVE-2020-16166 (rhbz 1865751 1865752)
+
* Sat Aug 01 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.12-200
- Linux v5.7.12
diff --git a/random32-update-the-net-random-state-on-interrupt-and-activity.patch b/random32-update-the-net-random-state-on-interrupt-and-activity.patch
new file mode 100644
index 000000000..e929c9976
--- /dev/null
+++ b/random32-update-the-net-random-state-on-interrupt-and-activity.patch
@@ -0,0 +1,109 @@
+From f227e3ec3b5cad859ad15666874405e8c1bbc1d4 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Fri, 10 Jul 2020 15:23:19 +0200
+Subject: random32: update the net random state on interrupt and activity
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit f227e3ec3b5cad859ad15666874405e8c1bbc1d4 upstream.
+
+This modifies the first 32 bits out of the 128 bits of a random CPU's
+net_rand_state on interrupt or CPU activity to complicate remote
+observations that could lead to guessing the network RNG's internal
+state.
+
+Note that depending on some network devices' interrupt rate moderation
+or binding, this re-seeding might happen on every packet or even almost
+never.
+
+In addition, with NOHZ some CPUs might not even get timer interrupts,
+leaving their local state rarely updated, while they are running
+networked processes making use of the random state. For this reason, we
+also perform this update in update_process_times() in order to at least
+update the state when there is user or system activity, since it's the
+only case we care about.
+
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 1 +
+ include/linux/random.h | 3 +++
+ kernel/time/timer.c | 8 ++++++++
+ lib/random32.c | 2 +-
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1277,6 +1277,7 @@ void add_interrupt_randomness(int irq, i
+
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
++ this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);
+
+ if (unlikely(crng_init == 0)) {
+ if ((fast_pool->count >= 64) &&
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -11,6 +11,7 @@
+ #include <linux/kernel.h>
+ #include <linux/list.h>
+ #include <linux/once.h>
++#include <linux/percpu.h>
+
+ #include <uapi/linux/random.h>
+
+@@ -119,6 +120,8 @@ struct rnd_state {
+ __u32 s1, s2, s3, s4;
+ };
+
++DECLARE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
++
+ u32 prandom_u32_state(struct rnd_state *state);
+ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
+ void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -43,6 +43,7 @@
+ #include <linux/sched/debug.h>
+ #include <linux/slab.h>
+ #include <linux/compat.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -1743,6 +1744,13 @@ void update_process_times(int user_tick)
+ scheduler_tick();
+ if (IS_ENABLED(CONFIG_POSIX_TIMERS))
+ run_posix_cpu_timers();
++
++ /* The current CPU might make use of net randoms without receiving IRQs
++ * to renew them often enough. Let's update the net_rand_state from a
++ * non-constant value that's not affine to the number of calls to make
++ * sure it's updated when there's some activity (we don't care in idle).
++ */
++ this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick);
+ }
+
+ /**
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -48,7 +48,7 @@ static inline void prandom_state_selftes
+ }
+ #endif
+
+-static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
++DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
+
+ /**
+ * prandom_u32_state - seeded pseudo-random number generator.
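Review bot: In the add_interrupt_randomness() hunk of the carried patch, `this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);` adds a raw word of the per-CPU fast_pool to the network PRNG state, and the patch description itself treats that state's output as remotely observable. The surrounding context (`crng_init == 0`, `fast_pool->count >= 64`) suggests the same pool also feeds crng initialisation, so the line deserves a comment saying why exposing a function of it is acceptable, for example `/* Perturbation only: prandom output is remotely observable, never use net_rand_state for secrets. */`. Both call sites (here and in update_process_times()) touch only `s1`, 32 of the 128 state bits, so this complicates state recovery rather than preventing it. Tracking CVE-2020-16166 in kernel.spec as mitigated rather than fixed would be more accurate. Separately, the header now carries `DECLARE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;` and a new `<linux/percpu.h>` include, turning a static per-CPU variable into a global in a widely included file; a build with the latent-entropy plugin enabled on every packaged architecture is worth confirming, and both functions continue outside the hunks shown.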
diff --git a/sources b/sources
index 89bdde96a..b2914981f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-5.7.tar.xz) = 45bde01593f6147c8c169b9e46b4b56eee998142552ae0ff82f1dd21b1fd54f3b32f6283f6bd77ea717d374672167849e468c157f235d2f12f7d7816e4623bf6
-SHA512 (patch-5.7.12.xz) = 86bbdd23e0ace2273ca03868a3414f943c9e7759945ee2c6c7171acb286e25366137ba4d9a65c89c3dcca12b03e1c32c6e9fdcbd5f6a85a4025ef00ae65a1c28
+SHA512 (patch-5.7.13.xz) = cc0df5bcbc9b566455bfebd3f297a63f956d4f92546ded4dd2150b012ba9b100c1735257c17225ad30f8c01c000f870056dabe9d8b06945449b7514375b70a91