Linux v5.1.19

5 files changed, 138 insertions, 85 deletions

diff --git a/8250_lpss-check-null-return-when-calling-pci_ioremap.patch b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
new file mode 100644
index 000000000..48ab8c9d2
--- /dev/null
+++ b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
@@ -0,0 +1,54 @@
+From 6f6743d176ceb9aa5c2a744a2fd2f4caa17c225b Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 19 Jul 2019 12:48:45 -0500
+Subject: [PATCH 1/2] 8250_lpss: check null return when calling pci_ioremap_bar
+
+pci_ioremap_bar may return null. This is eventually de-referenced at
+drivers/dma/dw/core.c:1154 and drivers/dma/dw/core.c:1168. A null check
+is needed to prevent null de-reference. I am adding the check and in case
+ of failure. Thanks to Andy Shevchenko for the hint on the necessity of
+pci_iounmap when exiting.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+---
+ drivers/tty/serial/8250/8250_lpss.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_lpss.c b/drivers/tty/serial/8250/8250_lpss.c
+index 53ca9ba6ab4b..d07e431110d9 100644
+--- a/drivers/tty/serial/8250/8250_lpss.c
++++ b/drivers/tty/serial/8250/8250_lpss.c
+@@ -169,10 +169,12 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+ 	struct pci_dev *pdev = to_pci_dev(port->dev);
+ 	int ret;
+ 
++	chip->pdata = &qrk_serial_dma_pdata;
+ 	chip->dev = &pdev->dev;
+ 	chip->irq = pci_irq_vector(pdev, 0);
+ 	chip->regs = pci_ioremap_bar(pdev, 1);
+-	chip->pdata = &qrk_serial_dma_pdata;
++	if (!chip->regs)
++		return;
+ 
+ 	/* Falling back to PIO mode if DMA probing fails */
+ 	ret = dw_dma_probe(chip);
+@@ -195,11 +197,15 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+ 
+ static void qrk_serial_exit_dma(struct lpss8250 *lpss)
+ {
++	struct dw_dma_chip *chip = &lpss->dma_chip;
+ 	struct dw_dma_slave *param = &lpss->dma_param;
+ 
+ 	if (!param->dma_dev)
+ 		return;
+-	dw_dma_remove(&lpss->dma_chip);
++
++	dw_dma_remove(chip);
++
++	pci_iounmap(to_pci_dev(chip->dev), chip->regs);
+ }
+ #else	/* CONFIG_SERIAL_8250_DMA */
+ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) {}
+-- 
+2.21.0
+
diff --git a/efi-bgrt-acpi6.2-support.patch b/efi-bgrt-acpi6.2-support.patch
deleted file mode 100644
index 753c93577..000000000
--- a/efi-bgrt-acpi6.2-support.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 240090cb2d72f5de98f8fc2e3aa27803cab378b2 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 29 May 2019 14:50:17 +0200
-Subject: [PATCH] efi/bgrt: Drop BGRT status field reserved bits check
-
-Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
-reserved. These bits are now used to indicate if the image needs to be
-rotated before being displayed.
-
-The first device using these bits has now shown up (the GPD MicroPC) and
-the reserved bits check causes us to reject the valid BGRT table on this
-device.
-
-Rather then changing the reserved bits check, allowing only the 2 new bits,
-instead just completely remove it so that we do not end up with a similar
-problem when more bits are added in the future.
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/firmware/efi/efi-bgrt.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c
-index a2384184a7de..b07c17643210 100644
---- a/drivers/firmware/efi/efi-bgrt.c
-+++ b/drivers/firmware/efi/efi-bgrt.c
-@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table)
- 		       bgrt->version);
- 		goto out;
- 	}
--	if (bgrt->status & 0xfe) {
--		pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n",
--		       bgrt->status);
--		goto out;
--	}
- 	if (bgrt->image_type != 0) {
- 		pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n",
- 		       bgrt->image_type);
--- 
-2.21.0
-
-From 8f8d779bd966ef8af2279906772dec322220e73a Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 29 May 2019 15:44:09 +0200
-Subject: [PATCH] efifb: BGRT: Add check for new BGRT status field rotation
- bits
-
-Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
-reserved. These bits are now used to indicate if the image needs to be
-rotated before being displayed.
-
-The efifb code does not support rotating the image before copying it to
-the screen.
-
-This commit adds a check for these new bits and if they are set leaves the
-fb contents as is instead of trying to use the un-rotated BGRT image.
-
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/video/fbdev/efifb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
-index 9f39f0c360e0..dfa8dd47d19d 100644
---- a/drivers/video/fbdev/efifb.c
-+++ b/drivers/video/fbdev/efifb.c
-@@ -169,6 +169,11 @@ static void efifb_show_boot_graphics(struct fb_info *info)
- 		return;
- 	}
- 
-+	if (bgrt_tab.status & 0x06) {
-+		pr_info("efifb: BGRT rotation bits set, not showing boot graphics\n");
-+		return;
-+	}
-+
- 	/* Avoid flashing the logo if we're going to print std probe messages */
- 	if (console_loglevel > CONSOLE_LOGLEVEL_QUIET)
- 		return;
--- 
-2.21.0
-
diff --git a/kernel.spec b/kernel.spec
index 0d5dbc796..bf3fe6203 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 18
+%define stable_update 19
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -620,7 +620,6 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
 
 # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2
 Patch544: drm-panel-orientation-quirks.patch
-Patch545: efi-bgrt-acpi6.2-support.patch
 
 # Accepted upstream; rhbz 1724357
 Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
@@ -632,6 +631,13 @@ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
 # CVE-2019-13631 rhbz 1731000 1731001
 Patch548: Input-gtco-bounds-check-collection-indent-level.patch
 
+# XSA-300 rhbz 1731862 1731864
+# https://xenbits.xen.org/xsa/advisory-300.html
+Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
+
+# CVE-2019-????? rhbz 1731784
+Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1870,6 +1876,11 @@ fi
 #
 #
 %changelog
+* Mon Jul 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.19-300
+- Linux v5.1.19
+- Fix Xen Security Advisory 300 (rhbz 1731862 1731864)
+- Fix a null pointer dereference in the 8250_lpss serial driver (rhbz 1731784)
+
 * Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
 - Fix CVE-2019-13631 (rhbz 1731000 1731001)
 
diff --git a/sources b/sources
index 6ba5e2be3..3243c6a0c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
-SHA512 (patch-5.1.18.xz) = 5efb26c4937b38d80e3b2f3b57a352839e6ed46d29552350128ff8db0fc7e1c08d419198da975044aa18ede4675c8f4be63b9a1c302660294e218f022ccab026
+SHA512 (patch-5.1.19.xz) = 0c3eb6f140b4248ec332cfdbe2babfde556c5e6c784667ac268a88c5491fdeac3ea7e00158585f37fd283d3aae5c18cde5e9437ec88d784d16f73f9230ded57a
diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
new file mode 100644
index 000000000..9017a3fbe
--- /dev/null
+++ b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
@@ -0,0 +1,70 @@
+From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Wed, 19 Jun 2019 11:00:56 +0200
+Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough
+ memory free
+
+Instead of trying to allocate pages with GFP_USER in
+add_ballooned_pages() check the available free memory via
+si_mem_available(). GFP_USER is far less limiting memory exhaustion
+than the test via si_mem_available().
+
+This will avoid dom0 running out of memory due to excessive foreign
+page mappings especially on ARM and on x86 in PVH mode, as those don't
+have a pre-ballooned area which can be used for foreign mappings.
+
+As the normal ballooning suffers from the same problem don't balloon
+down more than si_mem_available() pages in one iteration. At the same
+time limit the default maximum number of retries.
+
+This is part of XSA-300.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/xen/balloon.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index d37dd5bb7a8f..559768dc2567 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work)
+ 				state = reserve_additional_memory();
+ 		}
+ 
+-		if (credit < 0)
+-			state = decrease_reservation(-credit, GFP_BALLOON);
++		if (credit < 0) {
++			long n_pages;
++
++			n_pages = min(-credit, si_mem_available());
++			state = decrease_reservation(n_pages, GFP_BALLOON);
++			if (state == BP_DONE && n_pages != -credit &&
++			    n_pages < totalreserve_pages)
++				state = BP_EAGAIN;
++		}
+ 
+ 		state = update_schedule(state);
+ 
+@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages)
+ 		}
+ 	}
+ 
++	if (si_mem_available() < nr_pages)
++		return -ENOMEM;
++
+ 	st = decrease_reservation(nr_pages, GFP_USER);
+ 	if (st != BP_DONE)
+ 		return -ENOMEM;
+@@ -710,7 +720,7 @@ static int __init balloon_init(void)
+ 	balloon_stats.schedule_delay = 1;
+ 	balloon_stats.max_schedule_delay = 32;
+ 	balloon_stats.retry_count = 1;
+-	balloon_stats.max_retry_count = RETRY_UNLIMITED;
++	balloon_stats.max_retry_count = 4;
+ 
+ #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+ 	set_online_page_callback(&xen_online_page);
+-- 
+2.21.0
+