From bcf7511badf20cdf8af0fa354502a8560b4d4caf Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes@fedoraproject.org>
Date: Wed, 6 Jan 2021 15:32:23 -0600
Subject: Linux v5.10.5

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
---
 ...A-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch | 86 ++++++++++++++++++++++
 ...-possible-buffer-overflows-in-mwifiex_cmd.patch | 35 +++++++++
 kernel.spec                                        | 11 ++-
 sources                                            |  2 +-
 4 files changed, 132 insertions(+), 2 deletions(-)
 create mode 100644 0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch
 create mode 100644 0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch

diff --git a/0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch b/0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch
new file mode 100644
index 000000000..fb9b5f538
--- /dev/null
+++ b/0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch
@@ -0,0 +1,86 @@
+From 4bfd6247fa9164c8e193a55ef9c0ea3ee22f82d8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 4 Jan 2021 16:30:46 +0100
+Subject: [PATCH] ALSA: hda/via: Fix runtime PM for Clevo W35xSS
+
+Clevo W35xSS_370SS with VIA codec has had the runtime PM problem that
+looses the power state of some nodes after the runtime resume.  This
+was worked around by disabling the default runtime PM via a denylist
+entry.  Since 5.10.x made the runtime PM applied (casually) even
+though it's disabled in the denylist, this problem was revisited.  The
+result was that disabling power_save_node feature suffices for the
+runtime PM problem.
+
+This patch implements the disablement of power_save_node feature in
+VIA codec for the device.  It also drops the former denylist entry,
+too, as the runtime PM should work in the codec side properly now.
+
+Fixes: b529ef2464ad ("ALSA: hda: Add Clevo W35xSS_370SS to the power_save blacklist")
+Reported-by: Christian Labisch <clnetbox@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210104153046.19993-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/pci/hda/hda_intel.c |  2 --
+ sound/pci/hda/patch_via.c | 13 +++++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 6852668f1bcb..770ad25f1907 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2220,8 +2220,6 @@ static const struct snd_pci_quirk power_save_denylist[] = {
+ 	SND_PCI_QUIRK(0x1849, 0x7662, "Asrock H81M-HDS", 0),
+ 	/* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+ 	SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0),
+-	/* https://bugzilla.redhat.com/show_bug.cgi?id=1581607 */
+-	SND_PCI_QUIRK(0x1558, 0x3501, "Clevo W35xSS_370SS", 0),
+ 	/* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+ 	SND_PCI_QUIRK(0x1558, 0x6504, "Clevo W65_67SB", 0),
+ 	/* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
+index 7ef8f3105cdb..0ab40a8a68fb 100644
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -1002,6 +1002,7 @@ static const struct hda_verb vt1802_init_verbs[] = {
+ enum {
+ 	VIA_FIXUP_INTMIC_BOOST,
+ 	VIA_FIXUP_ASUS_G75,
++	VIA_FIXUP_POWER_SAVE,
+ };
+
+ static void via_fixup_intmic_boost(struct hda_codec *codec,
+@@ -1011,6 +1012,13 @@ static void via_fixup_intmic_boost(struct hda_codec *codec,
+ 		override_mic_boost(codec, 0x30, 0, 2, 40);
+ }
+
++static void via_fixup_power_save(struct hda_codec *codec,
++				 const struct hda_fixup *fix, int action)
++{
++	if (action == HDA_FIXUP_ACT_PRE_PROBE)
++		codec->power_save_node = 0;
++}
++
+ static const struct hda_fixup via_fixups[] = {
+ 	[VIA_FIXUP_INTMIC_BOOST] = {
+ 		.type = HDA_FIXUP_FUNC,
+@@ -1025,11 +1033,16 @@ static const struct hda_fixup via_fixups[] = {
+ 			{ }
+ 		}
+ 	},
++	[VIA_FIXUP_POWER_SAVE] = {
++		.type = HDA_FIXUP_FUNC,
++		.v.func = via_fixup_power_save,
++	},
+ };
+
+ static const struct snd_pci_quirk vt2002p_fixups[] = {
+ 	SND_PCI_QUIRK(0x1043, 0x1487, "Asus G75", VIA_FIXUP_ASUS_G75),
+ 	SND_PCI_QUIRK(0x1043, 0x8532, "Asus X202E", VIA_FIXUP_INTMIC_BOOST),
++	SND_PCI_QUIRK(0x1558, 0x3501, "Clevo W35xSS_370SS", VIA_FIXUP_POWER_SAVE),
+ 	{}
+ };
+
+-- 
+2.29.2
+
diff --git a/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch
new file mode 100644
index 000000000..48ef5911c
--- /dev/null
+++ b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch
@@ -0,0 +1,35 @@
+From 5c455c5ab332773464d02ba17015acdca198f03d Mon Sep 17 00:00:00 2001
+From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Date: Sun, 6 Dec 2020 16:48:01 +0800
+Subject: [PATCH] mwifiex: Fix possible buffer overflows in
+ mwifiex_cmd_802_11_ad_hoc_start
+
+mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
+the destination size may trigger a buffer overflower,
+which a local user could use to cause denial of service
+or the execution of arbitrary code.
+Fix it by putting the length check before calling memcpy().
+
+Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
+---
+ drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
+index 5934f7147547..173ccf79cbfc 100644
+--- a/drivers/net/wireless/marvell/mwifiex/join.c
++++ b/drivers/net/wireless/marvell/mwifiex/join.c
+@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
+
+ 	memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+
++	if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
++		req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
+ 	memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
+
+ 	mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
+-- 
+2.29.2
+
diff --git a/kernel.spec b/kernel.spec
index 703c71c40..7c7ca988e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -94,7 +94,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -847,6 +847,11 @@ Patch102: 0001-update-phy-on-pine64-a64-devices.patch
 # OMAP Pandaboard fix
 Patch103: arm-pandaboard-fix-add-bluetooth.patch
 
+# Fix CVE-2020-36158 rhbz 1913348 1913349
+Patch104: 0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch
+
+Patch105: 0001-ALSA-hda-via-Fix-runtime-PM-for-Clevo-W35xSS.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2960,6 +2965,10 @@ fi
 #
 #
 %changelog
+* Wed Jan  6 12:53:15 CST 2021 Justin M. Forbes <jforbes@fedoraproject.org> - 5.10.5-200
+- Linux v5.10.5
+- Fix CVE-2020-36158 (rhbz 1913348 1913349)
+
 * Wed Dec 30 11:51:28 CST 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.10.4-200
 - Linux v5.10.4
 
diff --git a/sources b/sources
index 325926de6..74ac8eb0b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-5.10.tar.xz) = c28d52bc0c1e2c99017ceeca0bf2e622427f3416e0692090b01f65e3b3a5bce0e3e52ce3cee15d71e84fcb965bd48bdfcccb818c0105035d712ebd07afde9452
-SHA512 (patch-5.10.4.xz) = 893733c9b9290f7a91bfb31ca9baa762a6460665b59efad6ee194b67807ae3990cf44464a32ea4a7e9620b58d7810ff15a30a7d92f0bf1b14cff3b5730fce49c
+SHA512 (patch-5.10.5.xz) = a6f240134f82b15a368a3348880764ee0289d8bf898a20e79298faad050a5426a87627233602f6cc7629f68070bf14e34bfe2ee72a9ff5c24e36ce18f3fc8e3a
-- 
cgit