From 7d82fa8c6f583af671891653d143d2e826723fb2 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Mon, 22 Jul 2019 15:57:48 +0000
Subject: Linux v5.1.19
---
...heck-null-return-when-calling-pci_ioremap.patch | 54 ++++++++++++++
efi-bgrt-acpi6.2-support.patch | 82 ----------------------
kernel.spec | 15 +++-
sources | 2 +-
...oc_xenballooned_pages-fail-if-not-enough-.patch | 70 ++++++++++++++++++
5 files changed, 138 insertions(+), 85 deletions(-)
create mode 100644 8250_lpss-check-null-return-when-calling-pci_ioremap.patch
delete mode 100644 efi-bgrt-acpi6.2-support.patch
create mode 100644 xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch
diff --git a/8250_lpss-check-null-return-when-calling-pci_ioremap.patch b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
new file mode 100644
index 000000000..48ab8c9d2
--- /dev/null
+++ b/8250_lpss-check-null-return-when-calling-pci_ioremap.patch
@@ -0,0 +1,54 @@
+From 6f6743d176ceb9aa5c2a744a2fd2f4caa17c225b Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Fri, 19 Jul 2019 12:48:45 -0500
+Subject: [PATCH 1/2] 8250_lpss: check null return when calling pci_ioremap_bar
+
+pci_ioremap_bar may return null. This is eventually de-referenced at
+drivers/dma/dw/core.c:1154 and drivers/dma/dw/core.c:1168. A null check
+is needed to prevent null de-reference. I am adding the check and in case
+ of failure. Thanks to Andy Shevchenko for the hint on the necessity of
+pci_iounmap when exiting.
+
+Signed-off-by: Navid Emamdoost
+---
+ drivers/tty/serial/8250/8250_lpss.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_lpss.c b/drivers/tty/serial/8250/8250_lpss.c
+index 53ca9ba6ab4b..d07e431110d9 100644
+--- a/drivers/tty/serial/8250/8250_lpss.c
++++ b/drivers/tty/serial/8250/8250_lpss.c
+@@ -169,10 +169,12 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+ struct pci_dev *pdev = to_pci_dev(port->dev);
+ int ret;
+
++ chip->pdata = &qrk_serial_dma_pdata;
+ chip->dev = &pdev->dev;
+ chip->irq = pci_irq_vector(pdev, 0);
+ chip->regs = pci_ioremap_bar(pdev, 1);
+- chip->pdata = &qrk_serial_dma_pdata;
++ if (!chip->regs)
++ return;
+
+ /* Falling back to PIO mode if DMA probing fails */
+ ret = dw_dma_probe(chip);
+@@ -195,11 +197,15 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+
+ static void qrk_serial_exit_dma(struct lpss8250 *lpss)
+ {
++ struct dw_dma_chip *chip = &lpss->dma_chip;
+ struct dw_dma_slave *param = &lpss->dma_param;
+
+ if (!param->dma_dev)
+ return;
+- dw_dma_remove(&lpss->dma_chip);
++
++ dw_dma_remove(chip);
++
++ pci_iounmap(to_pci_dev(chip->dev), chip->regs);
+ }
+ #else /* CONFIG_SERIAL_8250_DMA */
+ static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) {}
+--
+2.21.0
+
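Review bot: In qrk_serial_setup_dma() the mapping returned by `pci_ioremap_bar(pdev, 1)` has no visible release on the `dw_dma_probe()` failure path; the handling of `ret` lies past the end of the hunk, so this is inferred rather than shown. qrk_serial_exit_dma() only reaches the new `pci_iounmap()` when `param->dma_dev` is set, so if a failed probe leaves it unset the MMIO mapping stays live while the port runs in PIO mode. Consider unmapping where the probe fails, e.g. `if (ret) { pci_iounmap(pdev, chip->regs); chip->regs = NULL; return; }`. The new `if (!chip->regs) return;` also falls back silently; a comment such as `/* No BAR mapping: stay in PIO mode */` would make that intent explicit.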
diff --git a/efi-bgrt-acpi6.2-support.patch b/efi-bgrt-acpi6.2-support.patch
deleted file mode 100644
index 753c93577..000000000
--- a/efi-bgrt-acpi6.2-support.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From 240090cb2d72f5de98f8fc2e3aa27803cab378b2 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Wed, 29 May 2019 14:50:17 +0200 -Subject: [PATCH] efi/bgrt: Drop BGRT status field reserved bits check - -Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer -reserved. These bits are now used to indicate if the image needs to be -rotated before being displayed. - -The first device using these bits has now shown up (the GPD MicroPC) and -the reserved bits check causes us to reject the valid BGRT table on this -device. - -Rather then changing the reserved bits check, allowing only the 2 new bits, -instead just completely remove it so that we do not end up with a similar -problem when more bits are added in the future. - -Signed-off-by: Hans de Goede ---- - drivers/firmware/efi/efi-bgrt.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c -index a2384184a7de..b07c17643210 100644 ---- a/drivers/firmware/efi/efi-bgrt.c -+++ b/drivers/firmware/efi/efi-bgrt.c -@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table) - bgrt->version); - goto out; - } -- if (bgrt->status & 0xfe) { -- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n", -- bgrt->status); -- goto out; -- } - if (bgrt->image_type != 0) { - pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n", - bgrt->image_type); --- -2.21.0 - -From 8f8d779bd966ef8af2279906772dec322220e73a Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Wed, 29 May 2019 15:44:09 +0200 -Subject: [PATCH] efifb: BGRT: Add check for new BGRT status field rotation - bits - -Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer -reserved. These bits are now used to indicate if the image needs to be -rotated before being displayed. - -The efifb code does not support rotating the image before copying it to -the screen. 
- -This commit adds a check for these new bits and if they are set leaves the -fb contents as is instead of trying to use the un-rotated BGRT image. - -Acked-by: Ard Biesheuvel -Signed-off-by: Hans de Goede ---- - drivers/video/fbdev/efifb.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c -index 9f39f0c360e0..dfa8dd47d19d 100644 ---- a/drivers/video/fbdev/efifb.c -+++ b/drivers/video/fbdev/efifb.c -@@ -169,6 +169,11 @@ static void efifb_show_boot_graphics(struct fb_info *info) - return; - } - -+ if (bgrt_tab.status & 0x06) { -+ pr_info("efifb: BGRT rotation bits set, not showing boot graphics\n"); -+ return; -+ } -+ - /* Avoid flashing the logo if we're going to print std probe messages */ - if (console_loglevel > CONSOLE_LOGLEVEL_QUIET) - return; --- -2.21.0 - diff --git a/kernel.spec b/kernel.spec index 0d5dbc796..bf3fe6203 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 18 +%define stable_update 19 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -620,7 +620,6 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2 Patch544: drm-panel-orientation-quirks.patch -Patch545: efi-bgrt-acpi6.2-support.patch # Accepted upstream; rhbz 1724357 Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch 
@@ -632,6 +631,13 @@ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch # CVE-2019-13631 rhbz 1731000 1731001 Patch548: Input-gtco-bounds-check-collection-indent-level.patch +# XSA-300 rhbz 1731862 1731864 +# https://xenbits.xen.org/xsa/advisory-300.html +Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch + +# CVE-2019-????? rhbz 1731784 +Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch + # END OF PATCH DEFINITIONS %endif @@ -1870,6 +1876,11 @@ fi # # %changelog +* Mon Jul 22 2019 Jeremy Cline - 5.1.19-300 +- Linux v5.1.19 +- Fix Xen Security Advisory 300 (rhbz 1731862 1731864) +- Fix a null pointer dereference in the 8250_lpss serial driver (rhbz 1731784) + * Thu Jul 18 2019 Jeremy Cline - Fix CVE-2019-13631 (rhbz 1731000 1731001) diff --git a/sources b/sources index 6ba5e2be3..3243c6a0c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236 -SHA512 (patch-5.1.18.xz) = 5efb26c4937b38d80e3b2f3b57a352839e6ed46d29552350128ff8db0fc7e1c08d419198da975044aa18ede4675c8f4be63b9a1c302660294e218f022ccab026 +SHA512 (patch-5.1.19.xz) = 0c3eb6f140b4248ec332cfdbe2babfde556c5e6c784667ac268a88c5491fdeac3ea7e00158585f37fd283d3aae5c18cde5e9437ec88d784d16f73f9230ded57a diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch new file mode 100644 index 000000000..9017a3fbe --- /dev/null +++ b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch 
@@ -0,0 +1,70 @@
+From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Wed, 19 Jun 2019 11:00:56 +0200
+Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough
+ memory free
+
+Instead of trying to allocate pages with GFP_USER in
+add_ballooned_pages() check the available free memory via
+si_mem_available(). GFP_USER is far less limiting memory exhaustion
+than the test via si_mem_available().
+
+This will avoid dom0 running out of memory due to excessive foreign
+page mappings especially on ARM and on x86 in PVH mode, as those don't
+have a pre-ballooned area which can be used for foreign mappings.
+
+As the normal ballooning suffers from the same problem don't balloon
+down more than si_mem_available() pages in one iteration. At the same
+time limit the default maximum number of retries.
+
+This is part of XSA-300.
+
+Signed-off-by: Juergen Gross
+---
+ drivers/xen/balloon.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index d37dd5bb7a8f..559768dc2567 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work)
+ state = reserve_additional_memory();
+ }
+
+- if (credit < 0)
+- state = decrease_reservation(-credit, GFP_BALLOON);
++ if (credit < 0) {
++ long n_pages;
++
++ n_pages = min(-credit, si_mem_available());
++ state = decrease_reservation(n_pages, GFP_BALLOON);
++ if (state == BP_DONE && n_pages != -credit &&
++ n_pages < totalreserve_pages)
++ state = BP_EAGAIN;
++ }
+
+ state = update_schedule(state);
+
+@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages)
+ }
+ }
+
++ if (si_mem_available() < nr_pages)
++ return -ENOMEM;
++
+ st = decrease_reservation(nr_pages, GFP_USER);
+ if (st != BP_DONE)
+ return -ENOMEM;
+@@ -710,7 +720,7 @@ static int __init balloon_init(void)
+ balloon_stats.schedule_delay = 1;
+ balloon_stats.max_schedule_delay = 32;
+ balloon_stats.retry_count = 1;
+- balloon_stats.max_retry_count = RETRY_UNLIMITED;
++ balloon_stats.max_retry_count = 4;
+
+ #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+ set_online_page_callback(&xen_online_page);
+--
+2.21.0
+
-- cgit
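Review bot: The new `si_mem_available() < nr_pages` test in add_ballooned_pages() is a point-in-time estimate, not a reservation, and nothing in the hunk says so. A short comment would keep later readers from treating it as a guarantee, e.g. `/* Heuristic (XSA-300): refuse requests free memory clearly cannot cover; decrease_reservation() may still fail. */`. Likewise the bare `4` assigned to `balloon_stats.max_retry_count` in balloon_init() replaces `RETRY_UNLIMITED` with no name or rationale; a named constant or a one-line comment on why the default is now bounded would make the limit reviewable. In balloon_process(), `n_pages < totalreserve_pages` appears to compare a `long` with an unsigned counter, which is only safe if `si_mem_available()` never returns a negative value, so that assumption is worth stating next to the comparison. All three functions extend beyond the visible hunks.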