diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-07-22 20:59:48 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-07-22 20:59:48 +0200 |
commit | 92f288dc19819691127dfb4b300595913ca37424 (patch) | |
tree | 7585b87418c3fcfff4e2362cde7da20f2091b457 | |
parent | d123cf2cd9549224b77fc32d6e7169759fdd329c (diff) | |
parent | 178bfc71b023204441610ef8224228d9668d3c26 (diff) | |
download | kernel-92f288dc19819691127dfb4b300595913ca37424.tar.gz kernel-92f288dc19819691127dfb4b300595913ca37424.tar.xz kernel-92f288dc19819691127dfb4b300595913ca37424.zip |
Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora
-rw-r--r-- | 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch | 69 | ||||
-rw-r--r-- | 8250_lpss-check-null-return-when-calling-pci_ioremap.patch | 54 | ||||
-rw-r--r-- | efi-bgrt-acpi6.2-support.patch | 82 | ||||
-rw-r--r-- | kernel.spec | 19 | ||||
-rw-r--r-- | xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch | 70 |
5 files changed, 211 insertions, 83 deletions
diff --git a/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch b/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch new file mode 100644 index 000000000..3fabbdc99 --- /dev/null +++ b/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch @@ -0,0 +1,69 @@ +From 449fa54d6815be8c2c1f68fa9dbbae9384a7c03e Mon Sep 17 00:00:00 2001 +From: Fugang Duan <fugang.duan@nxp.com> +Date: Fri, 19 Jul 2019 17:26:48 +0800 +Subject: [PATCH] dma-direct: correct the physical addr in + dma_direct_sync_sg_for_cpu/device + +dma_map_sg() may use swiotlb buffer when the kernel command line includes +"swiotlb=force" or the dma_addr is out of dev->dma_mask range. After +DMA complete the memory moving from device to memory, then user call +dma_sync_sg_for_cpu() to sync with DMA buffer, and copy the original +virtual buffer to other space. + +So dma_direct_sync_sg_for_cpu() should use swiotlb physical addr, not +the original physical addr from sg_phys(sg). + +dma_direct_sync_sg_for_device() also has the same issue, correct it as +well. + +Fixes: 55897af63091("dma-direct: merge swiotlb_dma_ops into the dma_direct code") +Signed-off-by: Fugang Duan <fugang.duan@nxp.com> +Reviewed-by: Robin Murphy <robin.murphy@arm.com> +Signed-off-by: Christoph Hellwig <hch@lst.de> +--- + kernel/dma/direct.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c +index e269b6f9b444..59bdceea3737 100644 +--- a/kernel/dma/direct.c ++++ b/kernel/dma/direct.c +@@ -234,12 +234,14 @@ void dma_direct_sync_sg_for_device(struct device *dev, + int i; + + for_each_sg(sgl, sg, nents, i) { +- if (unlikely(is_swiotlb_buffer(sg_phys(sg)))) +- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length, ++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg)); ++ ++ if (unlikely(is_swiotlb_buffer(paddr))) ++ swiotlb_tbl_sync_single(dev, paddr, sg->length, + dir, SYNC_FOR_DEVICE); + + if (!dev_is_dma_coherent(dev)) +- arch_sync_dma_for_device(dev, sg_phys(sg), sg->length, ++ arch_sync_dma_for_device(dev, paddr, sg->length, + dir); + } + } +@@ -271,11 +273,13 @@ void dma_direct_sync_sg_for_cpu(struct device *dev, + int i; + + for_each_sg(sgl, sg, nents, i) { ++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg)); ++ + if (!dev_is_dma_coherent(dev)) +- arch_sync_dma_for_cpu(dev, sg_phys(sg), sg->length, dir); +- +- if (unlikely(is_swiotlb_buffer(sg_phys(sg)))) +- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length, dir, ++ arch_sync_dma_for_cpu(dev, paddr, sg->length, dir); ++ ++ if (unlikely(is_swiotlb_buffer(paddr))) ++ swiotlb_tbl_sync_single(dev, paddr, sg->length, dir, + SYNC_FOR_CPU); + } + +-- +2.21.0 + diff --git a/8250_lpss-check-null-return-when-calling-pci_ioremap.patch b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch new file mode 100644 index 000000000..48ab8c9d2 --- /dev/null +++ b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch @@ -0,0 +1,54 @@ +From 6f6743d176ceb9aa5c2a744a2fd2f4caa17c225b Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Fri, 19 Jul 2019 12:48:45 -0500 +Subject: [PATCH 1/2] 8250_lpss: check null return when calling pci_ioremap_bar + +pci_ioremap_bar may return null. This is eventually de-referenced at +drivers/dma/dw/core.c:1154 and drivers/dma/dw/core.c:1168. A null check +is needed to prevent null de-reference. I am adding the check and in case + of failure. Thanks to Andy Shevchenko for the hint on the necessity of +pci_iounmap when exiting. + +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +--- + drivers/tty/serial/8250/8250_lpss.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_lpss.c b/drivers/tty/serial/8250/8250_lpss.c +index 53ca9ba6ab4b..d07e431110d9 100644 +--- a/drivers/tty/serial/8250/8250_lpss.c ++++ b/drivers/tty/serial/8250/8250_lpss.c +@@ -169,10 +169,12 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) + struct pci_dev *pdev = to_pci_dev(port->dev); + int ret; + ++ chip->pdata = &qrk_serial_dma_pdata; + chip->dev = &pdev->dev; + chip->irq = pci_irq_vector(pdev, 0); + chip->regs = pci_ioremap_bar(pdev, 1); +- chip->pdata = &qrk_serial_dma_pdata; ++ if (!chip->regs) ++ return; + + /* Falling back to PIO mode if DMA probing fails */ + ret = dw_dma_probe(chip); +@@ -195,11 +197,15 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) + + static void qrk_serial_exit_dma(struct lpss8250 *lpss) + { ++ struct dw_dma_chip *chip = &lpss->dma_chip; + struct dw_dma_slave *param = &lpss->dma_param; + + if (!param->dma_dev) + return; +- dw_dma_remove(&lpss->dma_chip); ++ ++ dw_dma_remove(chip); ++ ++ pci_iounmap(to_pci_dev(chip->dev), chip->regs); + } + #else /* CONFIG_SERIAL_8250_DMA */ + static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) {} +-- +2.21.0 + diff --git a/efi-bgrt-acpi6.2-support.patch b/efi-bgrt-acpi6.2-support.patch deleted file mode 100644 index 753c93577..000000000 --- a/efi-bgrt-acpi6.2-support.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 240090cb2d72f5de98f8fc2e3aa27803cab378b2 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 29 May 2019 14:50:17 +0200 -Subject: [PATCH] efi/bgrt: Drop BGRT status field reserved bits check - -Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer -reserved. These bits are now used to indicate if the image needs to be -rotated before being displayed. - -The first device using these bits has now shown up (the GPD MicroPC) and -the reserved bits check causes us to reject the valid BGRT table on this -device. - -Rather then changing the reserved bits check, allowing only the 2 new bits, -instead just completely remove it so that we do not end up with a similar -problem when more bits are added in the future. - -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/firmware/efi/efi-bgrt.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c -index a2384184a7de..b07c17643210 100644 ---- a/drivers/firmware/efi/efi-bgrt.c -+++ b/drivers/firmware/efi/efi-bgrt.c -@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table) - bgrt->version); - goto out; - } -- if (bgrt->status & 0xfe) { -- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n", -- bgrt->status); -- goto out; -- } - if (bgrt->image_type != 0) { - pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n", - bgrt->image_type); --- -2.21.0 - -From 8f8d779bd966ef8af2279906772dec322220e73a Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 29 May 2019 15:44:09 +0200 -Subject: [PATCH] efifb: BGRT: Add check for new BGRT status field rotation - bits - -Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer -reserved. These bits are now used to indicate if the image needs to be -rotated before being displayed. - -The efifb code does not support rotating the image before copying it to -the screen. - -This commit adds a check for these new bits and if they are set leaves the -fb contents as is instead of trying to use the un-rotated BGRT image. - -Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/video/fbdev/efifb.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c -index 9f39f0c360e0..dfa8dd47d19d 100644 ---- a/drivers/video/fbdev/efifb.c -+++ b/drivers/video/fbdev/efifb.c -@@ -169,6 +169,11 @@ static void efifb_show_boot_graphics(struct fb_info *info) - return; - } - -+ if (bgrt_tab.status & 0x06) { -+ pr_info("efifb: BGRT rotation bits set, not showing boot graphics\n"); -+ return; -+ } -+ - /* Avoid flashing the logo if we're going to print std probe messages */ - if (console_loglevel > CONSOLE_LOGLEVEL_QUIET) - return; --- -2.21.0 - diff --git a/kernel.spec b/kernel.spec index 836b971b0..079693df8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -639,7 +639,6 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2 Patch544: drm-panel-orientation-quirks.patch -Patch545: efi-bgrt-acpi6.2-support.patch # Accepted upstream; rhbz 1724357 Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch @@ -651,6 +650,16 @@ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch # CVE-2019-13631 rhbz 1731000 1731001 Patch548: Input-gtco-bounds-check-collection-indent-level.patch +# XSA-300 rhbz 1731862 1731864 +# https://xenbits.xen.org/xsa/advisory-300.html +Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch + +# CVE-2019-????? rhbz 1731784 +Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch + +# rhbz 1732045 +Patch551: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch + # END OF PATCH DEFINITIONS %endif @@ -1892,6 +1901,14 @@ fi # # %changelog +* Mon Jul 22 2019 Laura Abbott <labbott@redhat.com> +- Bring in DMA fix (rhbz 1732045) + +* Mon Jul 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.19-300 +- Linux v5.1.19 +- Fix Xen Security Advisory 300 (rhbz 1731862 1731864) +- Fix a null pointer dereference in the 8250_lpss serial driver (rhbz 1731784) + * Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com> - Fix CVE-2019-13631 (rhbz 1731000 1731001) diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch new file mode 100644 index 000000000..9017a3fbe --- /dev/null +++ b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch @@ -0,0 +1,70 @@ +From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001 +From: Juergen Gross <jgross@suse.com> +Date: Wed, 19 Jun 2019 11:00:56 +0200 +Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough + memory free + +Instead of trying to allocate pages with GFP_USER in +add_ballooned_pages() check the available free memory via +si_mem_available(). GFP_USER is far less limiting memory exhaustion +than the test via si_mem_available(). + +This will avoid dom0 running out of memory due to excessive foreign +page mappings especially on ARM and on x86 in PVH mode, as those don't +have a pre-ballooned area which can be used for foreign mappings. + +As the normal ballooning suffers from the same problem don't balloon +down more than si_mem_available() pages in one iteration. At the same +time limit the default maximum number of retries. + +This is part of XSA-300. + +Signed-off-by: Juergen Gross <jgross@suse.com> +--- + drivers/xen/balloon.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index d37dd5bb7a8f..559768dc2567 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work) + state = reserve_additional_memory(); + } + +- if (credit < 0) +- state = decrease_reservation(-credit, GFP_BALLOON); ++ if (credit < 0) { ++ long n_pages; ++ ++ n_pages = min(-credit, si_mem_available()); ++ state = decrease_reservation(n_pages, GFP_BALLOON); ++ if (state == BP_DONE && n_pages != -credit && ++ n_pages < totalreserve_pages) ++ state = BP_EAGAIN; ++ } + + state = update_schedule(state); + +@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages) + } + } + ++ if (si_mem_available() < nr_pages) ++ return -ENOMEM; ++ + st = decrease_reservation(nr_pages, GFP_USER); + if (st != BP_DONE) + return -ENOMEM; +@@ -710,7 +720,7 @@ static int __init balloon_init(void) + balloon_stats.schedule_delay = 1; + balloon_stats.max_schedule_delay = 32; + balloon_stats.retry_count = 1; +- balloon_stats.max_retry_count = RETRY_UNLIMITED; ++ balloon_stats.max_retry_count = 4; + + #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG + set_online_page_callback(&xen_online_page); +-- +2.21.0 + |