merge origin

3 files changed, 181 insertions, 0 deletions

diff --git a/kernel.spec b/kernel.spec
index 3e203b02d..4f1908906 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -888,6 +888,11 @@ Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch
 # CVE-2020-14385 rhbz 1874800 1874811
 Patch108: 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
 
+# CVE-2020-14386 rhbz 1875699 1876349
+Patch109: net-packet-fix-overflow-in-tpacket_rcv.patch
+
+Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2995,6 +3000,10 @@ fi
 #
 #
 %changelog
+* Mon Sep 07 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.7-300
+- Linux v5.8.7
+- Fix CVE-2020-14386 (rhbz 1875699 1876349)
+
 * Thu Sep 03 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.6-301
 - Linux v5.8.6
 - Fix CVE-2020-14385 (rhbz 1874800 1874811)
diff --git a/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
new file mode 100644
index 000000000..7b30b78b2
--- /dev/null
+++ b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
@@ -0,0 +1,113 @@
+From patchwork Tue Sep  1 15:32:48 2020
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Thierry Reding <thierry.reding@gmail.com>
+X-Patchwork-Id: 1355200
+Return-Path: <linux-tegra-owner@vger.kernel.org>
+X-Original-To: incoming@patchwork.ozlabs.org
+Delivered-To: patchwork-incoming@bilbo.ozlabs.org
+Authentication-Results: ozlabs.org;
+ spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
+ (client-ip=23.128.96.18; helo=vger.kernel.org;
+ envelope-from=linux-tegra-owner@vger.kernel.org; receiver=<UNKNOWN>)
+Authentication-Results: ozlabs.org;
+ dmarc=pass (p=none dis=none) header.from=gmail.com
+Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
+ unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
+ header.s=20161025 header.b=InCwqcJT; dkim-atps=neutral
+Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
+ by ozlabs.org (Postfix) with ESMTP id 4BgrgN1Rpfz9sWM
+ for <incoming@patchwork.ozlabs.org>; Wed,  2 Sep 2020 01:33:04 +1000 (AEST)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1729968AbgIAPdC (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
+ Tue, 1 Sep 2020 11:33:02 -0400
+Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54580 "EHLO
+ lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1729209AbgIAPc4 (ORCPT
+ <rfc822;linux-tegra@vger.kernel.org>); Tue, 1 Sep 2020 11:32:56 -0400
+Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com
+ [IPv6:2a00:1450:4864:20::642])
+ by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7BF6C061244;
+ Tue,  1 Sep 2020 08:32:54 -0700 (PDT)
+Received: by mail-ej1-x642.google.com with SMTP id d11so2241288ejt.13;
+ Tue, 01 Sep 2020 08:32:54 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
+ h=from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=;
+ b=InCwqcJTR/4A4+EuZFsM5xaKx0nFq9NH/7wDwaCpNHNzYmfW1s67o66afdrgjeT+42
+ 3/IBsOzuQmvbcTIMqzeilMo8jynJopsDvJ04YORoFPrNoteMPeOR9CGnYRn5sTCTx/F8
+ MExLqETfRiiBnfdt5p4S8Fw+UhsQjMtDLGVO+SktivIJKL0jgOtiulaSQfPNJxhuvalA
+ YnMxjXkFrVLYsf7Q9rHbGANzrB4pQCOFOXTTolGhIm/OgJ1H1t2modzQdKwRXUsADB8L
+ Wr95PT8IW7Kyqe+GrX2iD2azK1Ul6M6Ln7WgHWIYOkYGFRrhvMpSiRjMe9w0F1HwAjjO
+ 5qzQ==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=;
+ b=kZZAjUtuN3hiPdfltUcr+jhnrz7c9rru5yMEq/CkI9aBm/ETez84EH3hV1B78K5P7L
+ hNmGrJSHJ5IWuxDnUZQfaEPySWbcOwFUhahKgCeHLV/pbdTdosT0dhbnN1YfuCqO0dzc
+ iPOvOI7WM/A19xKHKPCspaPpluPkBiUabwFLCWWVb06ZBUUNgVhy/7Dx7Ju8GP3kNUaA
+ Pt0XvSw/Mp/rm2gKvnuDO9QKteP66lw5hvCUTUEIh76d8jMRMY8378JiysKz2wdaz8Fd
+ BYHMvMGbdRy6TAA/Uez3CT9nV1OyhEST03ttXC1lJTpyHbNiA34oKyeRtqCxxOXza5yA
+ k22g==
+X-Gm-Message-State: AOAM5312YM/x/KVL6Su0HEVLMkmVlAUpCOSazQK4PIdtRtPsaThSHihn
+ RPsOkzFPKcz36DsW5eZOFaE=
+X-Google-Smtp-Source: ABdhPJx8pgbFxwX4+nQIkeKINcUC4+itTbYvBBHcPVcN6ZtaYmSEFVcT5J21t8xvkFqrlVQX3t3VOg==
+X-Received: by 2002:a17:907:9c3:: with SMTP id
+ bx3mr2005039ejc.164.1598974373583;
+ Tue, 01 Sep 2020 08:32:53 -0700 (PDT)
+Received: from localhost ([62.96.65.119]) by smtp.gmail.com with ESMTPSA id
+ r23sm1371455edt.57.2020.09.01.08.32.52
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Tue, 01 Sep 2020 08:32:52 -0700 (PDT)
+From: Thierry Reding <thierry.reding@gmail.com>
+To: Krzysztof Kozlowski <krzk@kernel.org>,
+ Thierry Reding <thierry.reding@gmail.com>
+Cc: Jonathan Hunter <jonathanh@nvidia.com>, Dmitry Osipenko <digetx@gmail.com>,
+ linux-tegra@vger.kernel.org, linux-kernel@vger.kernel.org,
+ Matias Zuniga <matias.nicolas.zc@gmail.com>
+Subject: [PATCH] memory: tegra: Remove GPU from DRM IOMMU group
+Date: Tue,  1 Sep 2020 17:32:48 +0200
+Message-Id: <20200901153248.1831263-1-thierry.reding@gmail.com>
+X-Mailer: git-send-email 2.28.0
+MIME-Version: 1.0
+Sender: linux-tegra-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-tegra.vger.kernel.org>
+X-Mailing-List: linux-tegra@vger.kernel.org
+
+From: Thierry Reding <treding@nvidia.com>
+
+Commit 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU
+group") added the GPU to the DRM IOMMU group, which doesn't make any
+sense. This causes problems when Nouveau tries to attach to the SMMU
+and causes it to fall back to using the DMA API.
+
+Remove the GPU from the DRM groups to restore the old behaviour. The
+GPU should always have its own IOMMU domain to make sure it can map
+buffers into contiguous chunks (for big page support) without getting
+in the way of mappings from the DRM group.
+
+Fixes: 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU group")
+Reported-by: Matias Zuniga <matias.nicolas.zc@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+---
+ drivers/memory/tegra/tegra124.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/memory/tegra/tegra124.c b/drivers/memory/tegra/tegra124.c
+index 493b5dc3a4b3..0cede24479bf 100644
+--- a/drivers/memory/tegra/tegra124.c
++++ b/drivers/memory/tegra/tegra124.c
+@@ -957,7 +957,6 @@ static const struct tegra_smmu_swgroup tegra124_swgroups[] = {
+ static const unsigned int tegra124_group_drm[] = {
+ 	TEGRA_SWGROUP_DC,
+ 	TEGRA_SWGROUP_DCB,
+-	TEGRA_SWGROUP_GPU,
+ 	TEGRA_SWGROUP_VIC,
+ };
+ 
diff --git a/net-packet-fix-overflow-in-tpacket_rcv.patch b/net-packet-fix-overflow-in-tpacket_rcv.patch
new file mode 100644
index 000000000..6c6868f5c
--- /dev/null
+++ b/net-packet-fix-overflow-in-tpacket_rcv.patch
@@ -0,0 +1,59 @@
+From 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 21:05:28 -0700
+Subject: net/packet: fix overflow in tpacket_rcv
+
+From: Or Cohen <orcohen@paloaltonetworks.com>
+
+[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]
+
+Using tp_reserve to calculate netoff can overflow as
+tp_reserve is unsigned int and netoff is unsigned short.
+
+This may lead to macoff receving a smaller value then
+sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
+is set, an out-of-bounds write will occur when
+calling virtio_net_hdr_from_skb.
+
+The bug is fixed by converting netoff to unsigned int
+and checking if it exceeds USHRT_MAX.
+
+This addresses CVE-2020-14386
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 301f41d4929bd..82f7802983797 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ 	int skb_len = skb->len;
+ 	unsigned int snaplen, res;
+ 	unsigned long status = TP_STATUS_USER;
+-	unsigned short macoff, netoff, hdrlen;
++	unsigned short macoff, hdrlen;
++	unsigned int netoff;
+ 	struct sk_buff *copy_skb = NULL;
+ 	struct timespec64 ts;
+ 	__u32 ts_status;
+@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ 		}
+ 		macoff = netoff - maclen;
+ 	}
++	if (netoff > USHRT_MAX) {
++		atomic_inc(&po->tp_drops);
++		goto drop_n_restore;
++	}
+ 	if (po->tp_version <= TPACKET_V2) {
+ 		if (macoff + snaplen > po->rx_ring.frame_size) {
+ 			if (po->copy_thresh &&
+-- 
+2.25.1
+