authorThorsten Leemhuis <fedora@leemhuis.info>2019-07-22 20:59:48 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2019-07-22 20:59:48 +0200
commit92f288dc19819691127dfb4b300595913ca37424 (patch)
tree7585b87418c3fcfff4e2362cde7da20f2091b457
parentd123cf2cd9549224b77fc32d6e7169759fdd329c (diff)
parent178bfc71b023204441610ef8224228d9668d3c26 (diff)
Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora
-rw-r--r--0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch69
-rw-r--r--8250_lpss-check-null-return-when-calling-pci_ioremap.patch54
-rw-r--r--efi-bgrt-acpi6.2-support.patch82
-rw-r--r--kernel.spec19
-rw-r--r--xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch70
5 files changed, 211 insertions, 83 deletions
diff --git a/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch b/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
new file mode 100644
index 000000000..3fabbdc99
--- /dev/null
+++ b/0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
@@ -0,0 +1,69 @@
+From 449fa54d6815be8c2c1f68fa9dbbae9384a7c03e Mon Sep 17 00:00:00 2001
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Fri, 19 Jul 2019 17:26:48 +0800
+Subject: [PATCH] dma-direct: correct the physical addr in
+ dma_direct_sync_sg_for_cpu/device
+
+dma_map_sg() may use swiotlb buffer when the kernel command line includes
+"swiotlb=force" or the dma_addr is out of dev->dma_mask range. After
+DMA complete the memory moving from device to memory, then user call
+dma_sync_sg_for_cpu() to sync with DMA buffer, and copy the original
+virtual buffer to other space.
+
+So dma_direct_sync_sg_for_cpu() should use swiotlb physical addr, not
+the original physical addr from sg_phys(sg).
+
+dma_direct_sync_sg_for_device() also has the same issue, correct it as
+well.
+
+Fixes: 55897af63091("dma-direct: merge swiotlb_dma_ops into the dma_direct code")
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+---
+ kernel/dma/direct.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
+index e269b6f9b444..59bdceea3737 100644
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -234,12 +234,14 @@ void dma_direct_sync_sg_for_device(struct device *dev,
+ int i;
+
+ for_each_sg(sgl, sg, nents, i) {
+- if (unlikely(is_swiotlb_buffer(sg_phys(sg))))
+- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length,
++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg));
++
++ if (unlikely(is_swiotlb_buffer(paddr)))
++ swiotlb_tbl_sync_single(dev, paddr, sg->length,
+ dir, SYNC_FOR_DEVICE);
+
+ if (!dev_is_dma_coherent(dev))
+- arch_sync_dma_for_device(dev, sg_phys(sg), sg->length,
++ arch_sync_dma_for_device(dev, paddr, sg->length,
+ dir);
+ }
+ }
+@@ -271,11 +273,13 @@ void dma_direct_sync_sg_for_cpu(struct device *dev,
+ int i;
+
+ for_each_sg(sgl, sg, nents, i) {
++ phys_addr_t paddr = dma_to_phys(dev, sg_dma_address(sg));
++
+ if (!dev_is_dma_coherent(dev))
+- arch_sync_dma_for_cpu(dev, sg_phys(sg), sg->length, dir);
+-
+- if (unlikely(is_swiotlb_buffer(sg_phys(sg))))
+- swiotlb_tbl_sync_single(dev, sg_phys(sg), sg->length, dir,
++ arch_sync_dma_for_cpu(dev, paddr, sg->length, dir);
++
++ if (unlikely(is_swiotlb_buffer(paddr)))
++ swiotlb_tbl_sync_single(dev, paddr, sg->length, dir,
+ SYNC_FOR_CPU);
+ }
+
+--
+2.21.0
+
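Review bot: The new `paddr` declarations in both loops of the kernel/dma/direct.c change carry no comment saying why the address comes from `sg_dma_address(sg)` rather than `sg_phys(sg)`, although that distinction is the whole fix. For a bounced entry the DMA address refers to the swiotlb slot while sg_phys() still names the caller's original page, so the old `is_swiotlb_buffer(sg_phys(sg))` test would normally not match and the bounce copy was skipped, leaving stale data on one side. I would add above each declaration `/* Sync the address the device actually used; for a bounced entry that is the swiotlb slot, not sg_phys(sg). */`. Both function bodies begin outside the hunks shown, so it is worth confirming against the callers that every one of the `nents` entries has a valid DMA address when these loops run.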
diff --git a/8250_lpss-check-null-return-when-calling-pci_ioremap.patch b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
new file mode 100644
index 000000000..48ab8c9d2
--- /dev/null
+++ b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
@@ -0,0 +1,54 @@
+From 6f6743d176ceb9aa5c2a744a2fd2f4caa17c225b Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 19 Jul 2019 12:48:45 -0500
+Subject: [PATCH 1/2] 8250_lpss: check null return when calling pci_ioremap_bar
+
+pci_ioremap_bar may return null. This is eventually de-referenced at
+drivers/dma/dw/core.c:1154 and drivers/dma/dw/core.c:1168. A null check
+is needed to prevent null de-reference. I am adding the check and in case
+ of failure. Thanks to Andy Shevchenko for the hint on the necessity of
+pci_iounmap when exiting.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+---
+ drivers/tty/serial/8250/8250_lpss.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_lpss.c b/drivers/tty/serial/8250/8250_lpss.c
+index 53ca9ba6ab4b..d07e431110d9 100644
+--- a/drivers/tty/serial/8250/8250_lpss.c
++++ b/drivers/tty/serial/8250/8250_lpss.c
+@@ -169,10 +169,12 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+ struct pci_dev *pdev = to_pci_dev(port->dev);
+ int ret;
+
++ chip->pdata = &qrk_serial_dma_pdata;
+ chip->dev = &pdev->dev;
+ chip->irq = pci_irq_vector(pdev, 0);
+ chip->regs = pci_ioremap_bar(pdev, 1);
+- chip->pdata = &qrk_serial_dma_pdata;
++ if (!chip->regs)
++ return;
+
+ /* Falling back to PIO mode if DMA probing fails */
+ ret = dw_dma_probe(chip);
+@@ -195,11 +197,15 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+
+ static void qrk_serial_exit_dma(struct lpss8250 *lpss)
+ {
++ struct dw_dma_chip *chip = &lpss->dma_chip;
+ struct dw_dma_slave *param = &lpss->dma_param;
+
+ if (!param->dma_dev)
+ return;
+- dw_dma_remove(&lpss->dma_chip);
++
++ dw_dma_remove(chip);
++
++ pci_iounmap(to_pci_dev(chip->dev), chip->regs);
+ }
+ #else /* CONFIG_SERIAL_8250_DMA */
+ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) {}
+--
+2.21.0
+
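Review bot: The mapping created by `pci_ioremap_bar(pdev, 1)` in qrk_serial_setup_dma() appears to be released only when DMA setup succeeded. The line after `ret = dw_dma_probe(chip);` is outside the hunk, but the comment above it says the driver falls back to PIO when probing fails, and qrk_serial_exit_dma() returns early when `param->dma_dev` is unset (presumably the case after a failed probe), so the new `pci_iounmap()` is never reached and the BAR stays mapped. If the failure branch is a bare return, it should unmap first: `if (ret) { pci_iounmap(pdev, chip->regs); chip->regs = NULL; return; }`. Clearing `chip->regs` also keeps a later reader from treating a stale pointer as a live mapping.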
diff --git a/efi-bgrt-acpi6.2-support.patch b/efi-bgrt-acpi6.2-support.patch
deleted file mode 100644
index 753c93577..000000000
--- a/efi-bgrt-acpi6.2-support.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 240090cb2d72f5de98f8fc2e3aa27803cab378b2 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 29 May 2019 14:50:17 +0200
-Subject: [PATCH] efi/bgrt: Drop BGRT status field reserved bits check
-
-Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
-reserved. These bits are now used to indicate if the image needs to be
-rotated before being displayed.
-
-The first device using these bits has now shown up (the GPD MicroPC) and
-the reserved bits check causes us to reject the valid BGRT table on this
-device.
-
-Rather then changing the reserved bits check, allowing only the 2 new bits,
-instead just completely remove it so that we do not end up with a similar
-problem when more bits are added in the future.
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/firmware/efi/efi-bgrt.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c
-index a2384184a7de..b07c17643210 100644
---- a/drivers/firmware/efi/efi-bgrt.c
-+++ b/drivers/firmware/efi/efi-bgrt.c
-@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table)
- bgrt->version);
- goto out;
- }
-- if (bgrt->status & 0xfe) {
-- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n",
-- bgrt->status);
-- goto out;
-- }
- if (bgrt->image_type != 0) {
- pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n",
- bgrt->image_type);
---
-2.21.0
-
-From 8f8d779bd966ef8af2279906772dec322220e73a Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 29 May 2019 15:44:09 +0200
-Subject: [PATCH] efifb: BGRT: Add check for new BGRT status field rotation
- bits
-
-Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
-reserved. These bits are now used to indicate if the image needs to be
-rotated before being displayed.
-
-The efifb code does not support rotating the image before copying it to
-the screen.
-
-This commit adds a check for these new bits and if they are set leaves the
-fb contents as is instead of trying to use the un-rotated BGRT image.
-
-Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/video/fbdev/efifb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
-index 9f39f0c360e0..dfa8dd47d19d 100644
---- a/drivers/video/fbdev/efifb.c
-+++ b/drivers/video/fbdev/efifb.c
-@@ -169,6 +169,11 @@ static void efifb_show_boot_graphics(struct fb_info *info)
- return;
- }
-
-+ if (bgrt_tab.status & 0x06) {
-+ pr_info("efifb: BGRT rotation bits set, not showing boot graphics\n");
-+ return;
-+ }
-+
- /* Avoid flashing the logo if we're going to print std probe messages */
- if (console_loglevel > CONSOLE_LOGLEVEL_QUIET)
- return;
---
-2.21.0
-
diff --git a/kernel.spec b/kernel.spec
index 836b971b0..079693df8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -639,7 +639,6 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
# Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2
Patch544: drm-panel-orientation-quirks.patch
-Patch545: efi-bgrt-acpi6.2-support.patch
# Accepted upstream; rhbz 1724357
Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
@@ -651,6 +650,16 @@ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
# CVE-2019-13631 rhbz 1731000 1731001
Patch548: Input-gtco-bounds-check-collection-indent-level.patch
+# XSA-300 rhbz 1731862 1731864
+# https://xenbits.xen.org/xsa/advisory-300.html
+Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
+
+# CVE-2019-????? rhbz 1731784
+Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch
+
+# rhbz 1732045
+Patch551: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
+
# END OF PATCH DEFINITIONS
%endif
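Review bot: The comment `# CVE-2019-????? rhbz 1731784` above Patch550 leaves a placeholder where the neighbouring entries give an assigned identifier (`CVE-2019-13631`, `XSA-300`). Anyone searching the spec for a CVE number to decide whether this build carries the fix will not find this patch. Either fill in the identifier once it is assigned or write the comment without the placeholder, for example `# 8250_lpss NULL dereference, CVE pending; rhbz 1731784`.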
@@ -1892,6 +1901,14 @@ fi
#
#
%changelog
+* Mon Jul 22 2019 Laura Abbott <labbott@redhat.com>
+- Bring in DMA fix (rhbz 1732045)
+
+* Mon Jul 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.19-300
+- Linux v5.1.19
+- Fix Xen Security Advisory 300 (rhbz 1731862 1731864)
+- Fix a null pointer dereference in the 8250_lpss serial driver (rhbz 1731784)
+
* Thu Jul 18 2019 Jeremy Cline <jcline@redhat.com>
- Fix CVE-2019-13631 (rhbz 1731000 1731001)
diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
new file mode 100644
index 000000000..9017a3fbe
--- /dev/null
+++ b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
@@ -0,0 +1,70 @@
+From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Wed, 19 Jun 2019 11:00:56 +0200
+Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough
+ memory free
+
+Instead of trying to allocate pages with GFP_USER in
+add_ballooned_pages() check the available free memory via
+si_mem_available(). GFP_USER is far less limiting memory exhaustion
+than the test via si_mem_available().
+
+This will avoid dom0 running out of memory due to excessive foreign
+page mappings especially on ARM and on x86 in PVH mode, as those don't
+have a pre-ballooned area which can be used for foreign mappings.
+
+As the normal ballooning suffers from the same problem don't balloon
+down more than si_mem_available() pages in one iteration. At the same
+time limit the default maximum number of retries.
+
+This is part of XSA-300.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/xen/balloon.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index d37dd5bb7a8f..559768dc2567 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work)
+ state = reserve_additional_memory();
+ }
+
+- if (credit < 0)
+- state = decrease_reservation(-credit, GFP_BALLOON);
++ if (credit < 0) {
++ long n_pages;
++
++ n_pages = min(-credit, si_mem_available());
++ state = decrease_reservation(n_pages, GFP_BALLOON);
++ if (state == BP_DONE && n_pages != -credit &&
++ n_pages < totalreserve_pages)
++ state = BP_EAGAIN;
++ }
+
+ state = update_schedule(state);
+
+@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages)
+ }
+ }
+
++ if (si_mem_available() < nr_pages)
++ return -ENOMEM;
++
+ st = decrease_reservation(nr_pages, GFP_USER);
+ if (st != BP_DONE)
+ return -ENOMEM;
+@@ -710,7 +720,7 @@ static int __init balloon_init(void)
+ balloon_stats.schedule_delay = 1;
+ balloon_stats.max_schedule_delay = 32;
+ balloon_stats.retry_count = 1;
+- balloon_stats.max_retry_count = RETRY_UNLIMITED;
++ balloon_stats.max_retry_count = 4;
+
+ #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+ set_online_page_callback(&xen_online_page);
+--
+2.21.0
+
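Review bot: In the balloon_init() part of the drivers/xen/balloon.c change, `balloon_stats.max_retry_count = 4;` replaces the named `RETRY_UNLIMITED` with a bare number and no comment. The patch description says limiting the default retries is part of the XSA-300 change, so the value deserves a named constant or at least `/* XSA-300: bound the default so a target that cannot be met stops being retried */`. Separately, the `si_mem_available() < nr_pages` test added to add_ballooned_pages() is a point-in-time estimate rather than a reservation, and a one-line comment saying so would keep readers from treating it as a guarantee that the following `decrease_reservation()` cannot exhaust memory. All three functions begin and end outside the hunks shown.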