From 34597fed7b4308339dbdd1761da4608444b4320e Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 9 Jan 2020 10:46:47 -0500 Subject: Linux v5.4.10 --- ...-Move-the-declaration-of-struct-nouveau_c.patch | 158 --------------------- ...-fix-memory-leak-in-af9005_identify_state.patch | 36 ----- ...-Fix-drm-core-using-atomic-code-paths-on-.patch | 115 --------------- ...rt-support-for-execute-only-user-mappings.patch | 119 ---------------- kernel.spec | 15 +- sources | 2 +- 6 files changed, 5 insertions(+), 440 deletions(-) delete mode 100644 0001-drm-nouveau-Move-the-declaration-of-struct-nouveau_c.patch delete mode 100644 0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch delete mode 100644 0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch delete mode 100644 arm64-revert-support-for-execute-only-user-mappings.patch diff --git a/0001-drm-nouveau-Move-the-declaration-of-struct-nouveau_c.patch b/0001-drm-nouveau-Move-the-declaration-of-struct-nouveau_c.patch deleted file mode 100644 index 548304eab..000000000 --- a/0001-drm-nouveau-Move-the-declaration-of-struct-nouveau_c.patch +++ /dev/null @@ -1,158 +0,0 @@ -From 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Thu, 24 Oct 2019 10:52:52 +0200 -Subject: [PATCH v2 1/2] drm/nouveau: Move the declaration of struct - nouveau_conn_atom up a bit - -Place the declaration of struct nouveau_conn_atom above that of -struct nouveau_connector. This commit makes no changes to the moved -block what so ever, it just moves it up a bit. - -This is a preparation patch to fix some issues with connector handling -on pre nv50 displays (which do not use atomic modesetting). - -Signed-off-by: Hans de Goede -Reviewed-by: Lyude Paul -Signed-off-by: Ben Skeggs ---- - drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++---------- - 1 file changed, 55 insertions(+), 55 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h -index f43a8d63aef8..de9588420884 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.h -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.h -@@ -29,6 +29,7 @@ - - #include - -+#include - #include - #include - #include -@@ -44,6 +45,60 @@ struct dcb_output; - struct nouveau_backlight; - #endif - -+#define nouveau_conn_atom(p) \ -+ container_of((p), struct nouveau_conn_atom, state) -+ -+struct nouveau_conn_atom { -+ struct drm_connector_state state; -+ -+ struct { -+ /* The enum values specifically defined here match nv50/gf119 -+ * hw values, and the code relies on this. -+ */ -+ enum { -+ DITHERING_MODE_OFF = 0x00, -+ DITHERING_MODE_ON = 0x01, -+ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, -+ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, -+ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, -+ DITHERING_MODE_AUTO -+ } mode; -+ enum { -+ DITHERING_DEPTH_6BPC = 0x00, -+ DITHERING_DEPTH_8BPC = 0x02, -+ DITHERING_DEPTH_AUTO -+ } depth; -+ } dither; -+ -+ struct { -+ int mode; /* DRM_MODE_SCALE_* */ -+ struct { -+ enum { -+ UNDERSCAN_OFF, -+ UNDERSCAN_ON, -+ UNDERSCAN_AUTO, -+ } mode; -+ u32 hborder; -+ u32 vborder; -+ } underscan; -+ bool full; -+ } scaler; -+ -+ struct { -+ int color_vibrance; -+ int vibrant_hue; -+ } procamp; -+ -+ union { -+ struct { -+ bool dither:1; -+ bool scaler:1; -+ bool procamp:1; -+ }; -+ u8 mask; -+ } set; -+}; -+ - struct nouveau_connector { - struct drm_connector base; - enum dcb_connector_type type; -@@ -121,61 +176,6 @@ extern int nouveau_ignorelid; - extern int nouveau_duallink; - extern int nouveau_hdmimhz; - --#include --#define nouveau_conn_atom(p) \ -- container_of((p), struct nouveau_conn_atom, state) -- --struct nouveau_conn_atom { -- struct drm_connector_state state; -- -- struct { -- /* The enum values specifically defined here match nv50/gf119 -- * hw values, and the code relies on this. -- */ -- enum { -- DITHERING_MODE_OFF = 0x00, -- DITHERING_MODE_ON = 0x01, -- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON, -- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON, -- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON, -- DITHERING_MODE_AUTO -- } mode; -- enum { -- DITHERING_DEPTH_6BPC = 0x00, -- DITHERING_DEPTH_8BPC = 0x02, -- DITHERING_DEPTH_AUTO -- } depth; -- } dither; -- -- struct { -- int mode; /* DRM_MODE_SCALE_* */ -- struct { -- enum { -- UNDERSCAN_OFF, -- UNDERSCAN_ON, -- UNDERSCAN_AUTO, -- } mode; -- u32 hborder; -- u32 vborder; -- } underscan; -- bool full; -- } scaler; -- -- struct { -- int color_vibrance; -- int vibrant_hue; -- } procamp; -- -- union { -- struct { -- bool dither:1; -- bool scaler:1; -- bool procamp:1; -- }; -- u8 mask; -- } set; --}; -- - void nouveau_conn_attach_properties(struct drm_connector *); - void nouveau_conn_reset(struct drm_connector *); - struct drm_connector_state * --- -2.23.0 - diff --git a/0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch b/0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch deleted file mode 100644 index 13aae5af8..000000000 --- a/0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 2289adbfa559050d2a38bcd9caac1c18b800e928 Mon Sep 17 00:00:00 2001 -From: Navid Emamdoost -Date: Wed, 9 Oct 2019 12:01:47 -0300 -Subject: [PATCH] media: usb: fix memory leak in af9005_identify_state - -In af9005_identify_state when returning -EIO the allocated buffer should -be released. Replace the "return -EIO" with assignment into ret and move -deb_info() under a check. - -Fixes: af4e067e1dcf ("V4L/DVB (5625): Add support for the AF9005 demodulator from Afatech") -Signed-off-by: Navid Emamdoost -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/usb/dvb-usb/af9005.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c -index 02697d86e8c1..ac93e88d7038 100644 ---- a/drivers/media/usb/dvb-usb/af9005.c -+++ b/drivers/media/usb/dvb-usb/af9005.c -@@ -976,8 +976,9 @@ static int af9005_identify_state(struct usb_device *udev, - else if (reply == 0x02) - *cold = 0; - else -- return -EIO; -- deb_info("Identify state cold = %d\n", *cold); -+ ret = -EIO; -+ if (!ret) -+ deb_info("Identify state cold = %d\n", *cold); - - err: - kfree(buf); --- -2.23.0 - diff --git a/0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch b/0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch deleted file mode 100644 index 077f391ca..000000000 --- a/0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 64d17f25dcad518461ccf0c260544e1e379c5b35 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Thu, 24 Oct 2019 10:52:53 +0200 -Subject: [PATCH v2 2/2] drm/nouveau: Fix drm-core using atomic code-paths on - pre-nv50 hardware - -We do not support atomic modesetting on pre-nv50 hardware, but until now -our connector code was setting drm_connector->state on pre-nv50 hardware. - -This causes the core to enter atomic modesetting paths in at least: - -1. drm_connector_get_encoder(), returning connector->state->best_encoder -which is always 0, causing us to always report 0 as encoder_id in -the drmModeConnector struct returned by drmModeGetConnector(). - -2. drm_encoder_get_crtc(), returning NULL because uses_atomic get set, -causing us to always report 0 as crtc_id in the drmModeEncoder struct -returned by drmModeGetEncoder() - -Which in turn confuses userspace, at least plymouth thinks that the pipe -has changed because of this and tries to reconfigure it unnecessarily. - -More in general we should not set drm_connector->state in the non-atomic -code as this violates the drm-core's expectations. - -This commit fixes this by using a nouveau_conn_atom struct embedded in the -nouveau_connector struct for property handling in the non-atomic case. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1706557 -Signed-off-by: Hans de Goede -Signed-off-by: Ben Skeggs ---- - drivers/gpu/drm/nouveau/nouveau_connector.c | 28 +++++++++++++++------ - drivers/gpu/drm/nouveau/nouveau_connector.h | 6 +++++ - 2 files changed, 27 insertions(+), 7 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c -index 5b413588b823..9a9a7f5003d3 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.c -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c -@@ -245,14 +245,22 @@ nouveau_conn_atomic_duplicate_state(struct drm_connector *connector) - void - nouveau_conn_reset(struct drm_connector *connector) - { -+ struct nouveau_connector *nv_connector = nouveau_connector(connector); - struct nouveau_conn_atom *asyc; - -- if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) -- return; -+ if (drm_drv_uses_atomic_modeset(connector->dev)) { -+ if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL)))) -+ return; -+ -+ if (connector->state) -+ nouveau_conn_atomic_destroy_state(connector, -+ connector->state); -+ -+ __drm_atomic_helper_connector_reset(connector, &asyc->state); -+ } else { -+ asyc = &nv_connector->properties_state; -+ } - -- if (connector->state) -- nouveau_conn_atomic_destroy_state(connector, connector->state); -- __drm_atomic_helper_connector_reset(connector, &asyc->state); - asyc->dither.mode = DITHERING_MODE_AUTO; - asyc->dither.depth = DITHERING_DEPTH_AUTO; - asyc->scaler.mode = DRM_MODE_SCALE_NONE; -@@ -276,8 +284,14 @@ void - nouveau_conn_attach_properties(struct drm_connector *connector) - { - struct drm_device *dev = connector->dev; -- struct nouveau_conn_atom *armc = nouveau_conn_atom(connector->state); - struct nouveau_display *disp = nouveau_display(dev); -+ struct nouveau_connector *nv_connector = nouveau_connector(connector); -+ struct nouveau_conn_atom *armc; -+ -+ if (drm_drv_uses_atomic_modeset(connector->dev)) -+ armc = nouveau_conn_atom(connector->state); -+ else -+ armc = &nv_connector->properties_state; - - /* Init DVI-I specific properties. */ - if (connector->connector_type == DRM_MODE_CONNECTOR_DVII) -@@ -748,9 +762,9 @@ static int - nouveau_connector_set_property(struct drm_connector *connector, - struct drm_property *property, uint64_t value) - { -- struct nouveau_conn_atom *asyc = nouveau_conn_atom(connector->state); - struct nouveau_connector *nv_connector = nouveau_connector(connector); - struct nouveau_encoder *nv_encoder = nv_connector->detected_encoder; -+ struct nouveau_conn_atom *asyc = &nv_connector->properties_state; - struct drm_encoder *encoder = to_drm_encoder(nv_encoder); - int ret; - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h -index de9588420884..de84fb4708c7 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.h -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.h -@@ -118,6 +118,12 @@ struct nouveau_connector { - #ifdef CONFIG_DRM_NOUVEAU_BACKLIGHT - struct nouveau_backlight *backlight; - #endif -+ /* -+ * Our connector property code expects a nouveau_conn_atom struct -+ * even on pre-nv50 where we do not support atomic. This embedded -+ * version gets used in the non atomic modeset case. -+ */ -+ struct nouveau_conn_atom properties_state; - }; - - static inline struct nouveau_connector *nouveau_connector( --- -2.23.0 - diff --git a/arm64-revert-support-for-execute-only-user-mappings.patch b/arm64-revert-support-for-execute-only-user-mappings.patch deleted file mode 100644 index 8ca23e6c9..000000000 --- a/arm64-revert-support-for-execute-only-user-mappings.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 24cecc37746393432d994c0dbc251fb9ac7c5d72 Mon Sep 17 00:00:00 2001 -From: Catalin Marinas -Date: Mon, 6 Jan 2020 14:35:39 +0000 -Subject: arm64: Revert support for execute-only user mappings - -The ARMv8 64-bit architecture supports execute-only user permissions by -clearing the PTE_USER and PTE_UXN bits, practically making it a mostly -privileged mapping but from which user running at EL0 can still execute. - -The downside, however, is that the kernel at EL1 inadvertently reading -such mapping would not trip over the PAN (privileged access never) -protection. - -Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce -execute-only page access permissions") so that PROT_EXEC implies -PROT_READ (and therefore PTE_USER) until the architecture gains proper -support for execute-only user mappings. - -Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions") -Cc: # 4.9.x- -Acked-by: Will Deacon -Signed-off-by: Catalin Marinas -Signed-off-by: Linus Torvalds ---- - arch/arm64/include/asm/pgtable-prot.h | 5 ++--- - arch/arm64/include/asm/pgtable.h | 10 +++------- - arch/arm64/mm/fault.c | 2 +- - mm/mmap.c | 6 ------ - 4 files changed, 6 insertions(+), 17 deletions(-) - -diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h -index 8dc6c5c..baf52ba 100644 ---- a/arch/arm64/include/asm/pgtable-prot.h -+++ b/arch/arm64/include/asm/pgtable-prot.h -@@ -85,13 +85,12 @@ - #define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE) - #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN) - #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN) --#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN) - - #define __P000 PAGE_NONE - #define __P001 PAGE_READONLY - #define __P010 PAGE_READONLY - #define __P011 PAGE_READONLY --#define __P100 PAGE_EXECONLY -+#define __P100 PAGE_READONLY_EXEC - #define __P101 PAGE_READONLY_EXEC - #define __P110 PAGE_READONLY_EXEC - #define __P111 PAGE_READONLY_EXEC -@@ -100,7 +99,7 @@ - #define __S001 PAGE_READONLY - #define __S010 PAGE_SHARED - #define __S011 PAGE_SHARED --#define __S100 PAGE_EXECONLY -+#define __S100 PAGE_READONLY_EXEC - #define __S101 PAGE_READONLY_EXEC - #define __S110 PAGE_SHARED_EXEC - #define __S111 PAGE_SHARED_EXEC -diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h -index 5d15b47..cd5de0e 100644 ---- a/arch/arm64/include/asm/pgtable.h -+++ b/arch/arm64/include/asm/pgtable.h -@@ -96,12 +96,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; - #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) - - #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) --/* -- * Execute-only user mappings do not have the PTE_USER bit set. All valid -- * kernel mappings have the PTE_UXN bit set. -- */ - #define pte_valid_not_user(pte) \ -- ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)) -+ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID) - #define pte_valid_young(pte) \ - ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF)) - #define pte_valid_user(pte) \ -@@ -117,8 +113,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; - - /* - * p??_access_permitted() is true for valid user mappings (subject to the -- * write permission check) other than user execute-only which do not have the -- * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set. -+ * write permission check). PROT_NONE mappings do not have the PTE_VALID bit -+ * set. - */ - #define pte_access_permitted(pte, write) \ - (pte_valid_user(pte) && (!(write) || pte_write(pte))) -diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c -index 077b02a..85566d3 100644 ---- a/arch/arm64/mm/fault.c -+++ b/arch/arm64/mm/fault.c -@@ -445,7 +445,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr, - const struct fault_info *inf; - struct mm_struct *mm = current->mm; - vm_fault_t fault, major = 0; -- unsigned long vm_flags = VM_READ | VM_WRITE; -+ unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC; - unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; - - if (kprobe_page_fault(regs, esr)) -diff --git a/mm/mmap.c b/mm/mmap.c -index 9c64852..71e4ffc 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -90,12 +90,6 @@ static void unmap_region(struct mm_struct *mm, - * MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes - * w: (no) no w: (no) no w: (copy) copy w: (no) no - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes -- * -- * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and -- * MAP_PRIVATE: -- * r: (no) no -- * w: (no) no -- * x: (yes) yes - */ - pgprot_t protection_map[16] __ro_after_init = { - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111, --- -cgit v1.1 diff --git a/kernel.spec b/kernel.spec index a237082f9..a3a321935 100644 --- a/kernel.spec +++ b/kernel.spec @@ -89,7 +89,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -841,16 +841,6 @@ Patch529: ath10k-fix-memory-leak.patch # CVE-2019-18808 rhbz 1777418 1777421 Patch531: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch -# CVE-2019-18809 rhbz 1777449 1777451 -Patch532: 0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch - -# Arm64 regression fix - rhbz 1788624 -Patch533: arm64-revert-support-for-execute-only-user-mappings.patch - -# rhbz 1706557, both patches are upstream in v5.5-rc2 -Patch608: 0001-drm-nouveau-Move-the-declaration-of-struct-nouveau_c.patch -Patch609: 0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch - # rhbz 1781288 Patch610: 0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch @@ -2555,6 +2545,9 @@ fi # # %changelog +* Thu Jan 09 2020 Jeremy Cline - 5.4.10-200 +- Linux v5.4.10 + * Mon Jan 06 2020 Laura Abbott - Fix for tpm usercopy (rhbz 1788653) diff --git a/sources b/sources index d8c9013ef..48bd4bb44 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.4.tar.xz) = 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f -SHA512 (patch-5.4.8.xz) = 6356d1bd003b415b0c65a09f8e793a2d923efe43555c40dbbea4f9fcf60d01e5e8be0c6a11cf799ff0fdaf546e283cff55336ee97fab20a2d6c4a6ef9c55f1cf +SHA512 (patch-5.4.10.xz) = 7e707be8e24ceb41331dff4e6bb2cf33ce3e4908d8059e39e67c1774e6a86ca4f56934f90a7336cdc2b207fab84d09257055f6130bb0f560f26f4668428cc71d -- cgit