Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

4 files changed, 3 insertions, 218 deletions

diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
deleted file mode 100644
index f74c2dfcf..000000000
--- a/Input-gtco-bounds-check-collection-indent-level.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001
-From: Grant Hernandez <granthernandez@google.com>
-Date: Thu, 11 Jul 2019 15:22:32 -0700
-Subject: [PATCH] Input: gtco - bounds check collection indent level
-
-The GTCO tablet input driver configures itself from an HID report sent
-via USB during the initial enumeration process. Some debugging messages
-are generated during the parsing. A debugging message indentation
-counter is not bounds checked, leading to the ability for a specially
-crafted HID report to cause '-' and null bytes be written past the end
-of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG
-enabled, this code will not be optimized out.  This was discovered
-during code review after a previous syzkaller bug was found in this
-driver.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Grant Hernandez <granthernandez@google.com>
----
- drivers/input/tablet/gtco.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
-index 4b8b9d7aa75e..9771052ed027 100644
---- a/drivers/input/tablet/gtco.c
-+++ b/drivers/input/tablet/gtco.c
-@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
- 
- /* Max size of a single report */
- #define REPORT_MAX_SIZE       10
-+#define MAX_COLLECTION_LEVELS  10
- 
- 
- /* Bitmask whether pen is in range */
-@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
- 	char  maintype = 'x';
- 	char  globtype[12];
- 	int   indent = 0;
--	char  indentstr[10] = "";
--
-+	char  indentstr[MAX_COLLECTION_LEVELS+1] = {0};
- 
- 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
- 
-@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
- 			case TAG_MAIN_COL_START:
- 				maintype = 'S';
- 
-+				if (indent == MAX_COLLECTION_LEVELS) {
-+					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
-+						indent+1, MAX_COLLECTION_LEVELS);
-+					break;
-+				}
-+
- 				if (data == 0) {
- 					dev_dbg(ddev, "======>>>>>> Physical\n");
- 					strcpy(globtype, "Physical");
-@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
- 				break;
- 
- 			case TAG_MAIN_COL_END:
--				dev_dbg(ddev, "<<<<<<======\n");
- 				maintype = 'E';
-+
-+				if (indent == 0) {
-+					dev_err(ddev, "Collection level already at zero\n");
-+					break;
-+				}
-+
-+				dev_dbg(ddev, "<<<<<<======\n");
-+
- 				indent--;
- 				for (x = 0; x < indent; x++)
- 					indentstr[x] = '-';
--- 
-2.21.0
-
diff --git a/kernel.spec b/kernel.spec
index 00d163de1..a44e874f5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -640,20 +640,10 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
 # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2
 Patch544: drm-panel-orientation-quirks.patch
 
-# Accepted upstream; rhbz 1724357
-Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
-
 # rhbz 1716334
 # https://patchwork.kernel.org/patch/11029027/
 Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
 
-# CVE-2019-13631 rhbz 1731000 1731001
-Patch548: Input-gtco-bounds-check-collection-indent-level.patch
-
-# XSA-300 rhbz 1731862 1731864
-# https://xenbits.xen.org/xsa/advisory-300.html
-Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
-
 # CVE-2019-????? rhbz 1731784
 Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch
 
@@ -1901,6 +1891,9 @@ fi
 #
 #
 %changelog
+* Fri Jul 26 2019 Jeremy Cline <jcline@redhat.com> - 5.1.20-300
+- Linux v5.1.20
+
 * Mon Jul 22 2019 Laura Abbott <labbott@redhat.com>
 - Bring in DMA fix (rhbz 1732045)
 
diff --git a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
deleted file mode 100644
index 750d884df..000000000
--- a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001
-From: Felix Kaechele <felix@kaechele.ca>
-Date: Tue, 25 Jun 2019 16:48:59 -0400
-Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry
- deletion
-
-Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
-L3-protocol flush regression") introduced a regression in which deletion
-of conntrack entries would fail because the L3 protocol information
-is replaced by AF_UNSPEC. As a result the search for the entry to be
-deleted would turn up empty due to the tuple used to perform the search
-is now different from the tuple used to initially set up the entry.
-
-For flushing the conntrack table we do however want to keep the option
-for nfgenmsg->version to have a non-zero value to allow for newer
-user-space tools to request treatment under the new behavior. With that
-it is possible to independently flush tables for a defined L3 protocol.
-This was introduced with the enhancements in in commit 59c08c69c278
-("netfilter: ctnetlink: Support L3 protocol-filter on flush").
-
-Older user-space tools will retain the behavior of flushing all tables
-regardless of defined L3 protocol.
-
-Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
-Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Felix Kaechele <felix@kaechele.ca>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/nf_conntrack_netlink.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
-index 7db79c1b8084..1b77444d5b52 100644
---- a/net/netfilter/nf_conntrack_netlink.c
-+++ b/net/netfilter/nf_conntrack_netlink.c
-@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
- 	struct nf_conntrack_tuple tuple;
- 	struct nf_conn *ct;
- 	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
--	u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
- 	struct nf_conntrack_zone zone;
- 	int err;
- 
-@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
- 
- 	if (cda[CTA_TUPLE_ORIG])
- 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
--					    u3, &zone);
-+					    nfmsg->nfgen_family, &zone);
- 	else if (cda[CTA_TUPLE_REPLY])
- 		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
--					    u3, &zone);
-+					    nfmsg->nfgen_family, &zone);
- 	else {
-+		u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
-+
- 		return ctnetlink_flush_conntrack(net, cda,
- 						 NETLINK_CB(skb).portid,
- 						 nlmsg_report(nlh), u3);
--- 
-2.21.0
-
diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
deleted file mode 100644
index 9017a3fbe..000000000
--- a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001
-From: Juergen Gross <jgross@suse.com>
-Date: Wed, 19 Jun 2019 11:00:56 +0200
-Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough
- memory free
-
-Instead of trying to allocate pages with GFP_USER in
-add_ballooned_pages() check the available free memory via
-si_mem_available(). GFP_USER is far less limiting memory exhaustion
-than the test via si_mem_available().
-
-This will avoid dom0 running out of memory due to excessive foreign
-page mappings especially on ARM and on x86 in PVH mode, as those don't
-have a pre-ballooned area which can be used for foreign mappings.
-
-As the normal ballooning suffers from the same problem don't balloon
-down more than si_mem_available() pages in one iteration. At the same
-time limit the default maximum number of retries.
-
-This is part of XSA-300.
-
-Signed-off-by: Juergen Gross <jgross@suse.com>
----
- drivers/xen/balloon.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
-index d37dd5bb7a8f..559768dc2567 100644
---- a/drivers/xen/balloon.c
-+++ b/drivers/xen/balloon.c
-@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work)
- 				state = reserve_additional_memory();
- 		}
- 
--		if (credit < 0)
--			state = decrease_reservation(-credit, GFP_BALLOON);
-+		if (credit < 0) {
-+			long n_pages;
-+
-+			n_pages = min(-credit, si_mem_available());
-+			state = decrease_reservation(n_pages, GFP_BALLOON);
-+			if (state == BP_DONE && n_pages != -credit &&
-+			    n_pages < totalreserve_pages)
-+				state = BP_EAGAIN;
-+		}
- 
- 		state = update_schedule(state);
- 
-@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages)
- 		}
- 	}
- 
-+	if (si_mem_available() < nr_pages)
-+		return -ENOMEM;
-+
- 	st = decrease_reservation(nr_pages, GFP_USER);
- 	if (st != BP_DONE)
- 		return -ENOMEM;
-@@ -710,7 +720,7 @@ static int __init balloon_init(void)
- 	balloon_stats.schedule_delay = 1;
- 	balloon_stats.max_schedule_delay = 32;
- 	balloon_stats.retry_count = 1;
--	balloon_stats.max_retry_count = RETRY_UNLIMITED;
-+	balloon_stats.max_retry_count = 4;
- 
- #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
- 	set_online_page_callback(&xen_online_page);
--- 
-2.21.0
-