From 1462ae280e677fc7bca2549fb6cb0ebcf9bde69e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 19 Sep 2019 10:21:45 -0500 Subject: Linux v5.2.16 --- drm-panel-orientation-quirks.patch | 49 ----------- fix-a-double-free-bug-in-rsi_91x_deinit.patch | 121 -------------------------- kernel.spec | 15 ++-- sources | 2 +- 4 files changed, 9 insertions(+), 178 deletions(-) delete mode 100644 drm-panel-orientation-quirks.patch delete mode 100644 fix-a-double-free-bug-in-rsi_91x_deinit.patch diff --git a/drm-panel-orientation-quirks.patch b/drm-panel-orientation-quirks.patch deleted file mode 100644 index d5e3bf361..000000000 --- a/drm-panel-orientation-quirks.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From aab65520447cb19e3be4a301b796dfb588e85873 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Sun, 2 Jun 2019 15:20:33 +0200 -Subject: [PATCH] drm: panel-orientation-quirks: Add extra quirk table entry - for GPD MicroPC - -Newer GPD MicroPC BIOS versions have proper DMI strings, add an extra quirk -table entry for these new strings. This is good news, as this means that we -no longer have to update the BIOS dates list with every BIOS update. - -Fixes: 652b8b086538("drm: panel-orientation-quirks: Add quirk for GPD MicroPC") -Signed-off-by: Hans de Goede ---- - drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c -index d8a0bcd02f34..ffd95bfeaa94 100644 ---- a/drivers/gpu/drm/drm_panel_orientation_quirks.c -+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c -@@ -90,6 +90,12 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = { - .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, - }; - -+static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = { -+ .width = 720, -+ .height = 1280, -+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, -+}; -+ - static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = { - .width = 800, - .height = 1280, -@@ -123,6 +129,12 @@ static const struct dmi_system_id orientation_data[] = { - DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), - }, - .driver_data = (void *)&gpd_micropc, -+ }, { /* GPD MicroPC (later BIOS versions with proper DMI strings) */ -+ .matches = { -+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"), -+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "MicroPC"), -+ }, -+ .driver_data = (void *)&lcd720x1280_rightside_up, - }, { /* - * GPD Pocket, note that the the DMI data is less generic then - * it seems, devices with a board-vendor of "AMI Corporation" --- -2.21.0 - 
diff --git a/fix-a-double-free-bug-in-rsi_91x_deinit.patch b/fix-a-double-free-bug-in-rsi_91x_deinit.patch deleted file mode 100644 index 331817bda..000000000 --- a/fix-a-double-free-bug-in-rsi_91x_deinit.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From mboxrd@z Thu Jan 1 00:00:00 1970 -Return-Path: -X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on - aws-us-west-2-korg-lkml-1.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, - DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, - HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, - SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no - version=3.4.0 -Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) - by smtp.lore.kernel.org (Postfix) with ESMTP id EBD3AC3A5A0 - for ; Mon, 19 Aug 2019 22:02:45 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id BCC05214DA - for ; Mon, 19 Aug 2019 22:02:45 +0000 (UTC) -Authentication-Results: mail.kernel.org; - dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRgzkkQ0" -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1728637AbfHSWCp (ORCPT - ); - Mon, 19 Aug 2019 18:02:45 -0400 -Received: from mail-io1-f67.google.com ([209.85.166.67]:33900 "EHLO - mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1728494AbfHSWCo (ORCPT - ); - Mon, 19 Aug 2019 18:02:44 -0400 -Received: by mail-io1-f67.google.com with SMTP id s21so7791675ioa.1; - Mon, 19 Aug 2019 15:02:44 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20161025; - h=from:to:cc:subject:date:message-id:mime-version - :content-transfer-encoding; - bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=; - b=IRgzkkQ0QlYiIqgU9DslAGaSx9oz5wU5adcfTZWc60ibm3DHynGVVixJrWxAut0Pae - ARzqaY1/pxrAMSpTdcKfCBtRoFPMFS8+WZsScW495O7Pf7bJTCDAo3OOueleEgGs9Osv - 59921BouToXc5Ovc92CQFjNHP3+/kGBqZvxV+QK34IvNWzoIEU93UHsUIxSn6eVvrsFU - g5treQ50nJkKHPa8rwc0Oh9s6WWKODy8zKxExTJhdznLdHOm5T7muHcEccqX8YZQ5L7d - 
ADPOmA+sRvWN3t/z9HxtD4g/Lgj4kzEYFnWJ9k7ClZwbnzn02QUlkT8waxriC/Wpe9nP - q53A== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version - :content-transfer-encoding; - bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=; - b=oYozfHj6p7SMaYdxmSXvkqz3omwdyg+ftHjVBaHiAqBlnLj6x9531et8jUk50jueoT - y2cU/oVuoVQsCwOEu43hu26qlol2JSmB1xXJj0Za8nKZa3h3GF5CKG8/dexHz8TzCJX1 - vo/TNPdY3AlW7Sn9JLnWCqFK+QgbPhjdBs+6Hbh+5nkCxIG5dVn0FfYbLYATeh/888YB - pTCJ8dkbLQiWXEJam6b9NoOpcIzbpcb7rL3A355C/1AGZsCy/NlKmneuw0Va10AnswkK - KBYv+EisB1L8oCP9l6r5fp4PUqyMH3TjrBdJddx8EQ9cq8SORiLtmmRuF8e3kdImDEK4 - 6Gcw== -X-Gm-Message-State: APjAAAXB6U8H/6BuBUmOb6K7bk/qaEOOS1bw9RIpAgXyrExtL8rl/B99 - 17LNTRGgJKvcUB6qlr4ZRbY= -X-Google-Smtp-Source: APXvYqzjT1oN5/e8keSQCjVxoTzLRGG1vuf4kTYM+hq51sy7QzOV0GLDOYYsYVB78xsRtsZrFijh0Q== -X-Received: by 2002:a6b:f30b:: with SMTP id m11mr21952710ioh.214.1566252163559; - Mon, 19 Aug 2019 15:02:43 -0700 (PDT) -Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27]) - by smtp.googlemail.com with ESMTPSA id z9sm2850133ior.79.2019.08.19.15.02.42 - (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); - Mon, 19 Aug 2019 15:02:43 -0700 (PDT) -From: Hui Peng -To: security@kernel.org -Cc: Hui Peng , - Mathias Payer , - Kalle Valo , - "David S. 
Miller" , - linux-wireless@vger.kernel.org, netdev@vger.kernel.org, - linux-kernel@vger.kernel.org -Subject: [PATCH] Fix a double free bug in rsi_91x_deinit -Date: Mon, 19 Aug 2019 18:02:29 -0400 -Message-Id: <20190819220230.10597-1-benquike@gmail.com> -X-Mailer: git-send-email 2.22.1 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Archived-At: -List-Archive: -List-Post: - -`dev` (struct rsi_91x_usbdev *) field of adapter -(struct rsi_91x_usbdev *) is allocated and initialized in -`rsi_init_usb_interface`. If any error is detected in information -read from the device side, `rsi_init_usb_interface` will be -freed. However, in the higher level error handling code in -`rsi_probe`, if error is detected, `rsi_91x_deinit` is called -again, in which `dev` will be freed again, resulting double free. - -This patch fixes the double free by removing the free operation on -`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also -used in `rsi_disconnect`, in that code path, the `dev` field is not - (and thus needs to be) freed. - -This bug was found in v4.19, but is also present in the latest version -of kernel. - -Reported-by: Hui Peng -Reported-by: Mathias Payer -Signed-off-by: Hui Peng ---- - drivers/net/wireless/rsi/rsi_91x_usb.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c -index c0a163e40402..ac917227f708 100644 ---- a/drivers/net/wireless/rsi/rsi_91x_usb.c -+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c -@@ -640,7 +640,6 @@ static int rsi_init_usb_interface(struct rsi_hw *adapter, - kfree(rsi_dev->tx_buffer); - - fail_eps: -- kfree(rsi_dev); - - return status; - } --- -2.22.1 - - diff --git a/kernel.spec b/kernel.spec index 88a525706..107fcbccf 100644 --- a/kernel.spec +++ b/kernel.spec 
@@ -56,7 +56,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 15 +%define stable_update 16 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -580,9 +580,6 @@ Patch507: 0001-Drop-that-for-now.patch # Submitted upstream at https://lkml.org/lkml/2019/4/23/89 Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch -# Fix the LCD panel orientation on the GPD MicroPC, pending as fix for 5.3 -Patch510: drm-panel-orientation-quirks.patch - # rhbz 1732045 Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch @@ -590,12 +587,12 @@ Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch # rhbz 1744130 1744137 1744149 1746566 1746567 Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch -# CVE-2019-15504 rhbz 1746725 1746726 -Patch515: fix-a-double-free-bug-in-rsi_91x_deinit.patch - # CVE-2019-15505 rhbz 1746732 1746734 Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch +# CVE-2019-14821 rhbz 1746708 1753596 +Patch517: kvm-coalesced_mmio-add-bounds-checking.patch + # END OF PATCH DEFINITIONS %endif @@ -1833,6 +1830,10 @@ fi # # %changelog +* Thu Sep 19 2019 Justin M. Forbes - 5.2.16-200 +- Linux v5.2.16 +- Fix CVE-2019-14821 (rhbz 1746708 1753596) + * Mon Sep 16 2019 Justin M. Forbes - 5.2.15-200 - Linux v5.2.15 - Fixes rhbz 1751901 diff --git a/sources b/sources index c264f6933..05e75beef 100644 --- a/sources +++ b/sources 
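Review bot: The patch list drops `Patch515: fix-a-double-free-bug-in-rsi_91x_deinit.patch` (CVE-2019-15504) and `Patch510: drm-panel-orientation-quirks.patch`, but neither the spec nor the new %changelog entry records why. Presumably both are now carried by the 5.2.16 stable update; if so, the changelog should say it, for example `- Drop CVE-2019-15504 rsi fix, included in 5.2.16`, so that someone auditing the CVE coverage of this build does not read the removal as a regression. It is worth confirming that the rsi fix really is in patch-5.2.16 before relying on that.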
@@ -1,2 +1,2 @@ SHA512 (linux-5.2.tar.xz) = 5a28f8a34c4e0470617f5638b7112e6252109b78f23b1eed484a228530970c7ef5c130d6e5a09cf25ea2f6a0329602dcc1ec66ce893182e15b27d99bd228789c -SHA512 (patch-5.2.15.xz) = ff352654f91b3d35a6fd224bcd397a946d187c81f96b387ef8006a72e0f64d740a35278bd2005477eb3ba6bc9b0585a986c982d4a09fe121c2917f1ed178a224 +SHA512 (patch-5.2.16.xz) = e9f1157b46c953256883b3deeb5377bcf51ec0ee73e353b843353dfa178e913d0bea7c1dc94d3096612361bed47103d3665951439845c5d9934dbe9224512f54 -- cgit From 07b21bd4c2e66a0a761f9489f8d909919c752699 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 19 Sep 2019 10:35:02 -0500 Subject: Forgot patch --- kvm-coalesced_mmio-add-bounds-checking.patch | 83 ++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 kvm-coalesced_mmio-add-bounds-checking.patch diff --git a/kvm-coalesced_mmio-add-bounds-checking.patch b/kvm-coalesced_mmio-add-bounds-checking.patch new file mode 100644 index 000000000..ddd2568f9 --- /dev/null +++ b/kvm-coalesced_mmio-add-bounds-checking.patch 
@@ -0,0 +1,83 @@ +From b60fe990c6b07ef6d4df67bc0530c7c90a62623a Mon Sep 17 00:00:00 2001 +From: Matt Delco +Date: Mon, 16 Sep 2019 14:16:54 -0700 +Subject: KVM: coalesced_mmio: add bounds checking + +The first/last indexes are typically shared with a user app. +The app can change the 'last' index that the kernel uses +to store the next result. This change sanity checks the index +before using it for writing to a potentially arbitrary address. + +This fixes CVE-2019-14821. + +Cc: stable@vger.kernel.org +Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)") +Signed-off-by: Matt Delco +Signed-off-by: Jim Mattson +Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com +[Use READ_ONCE. - Paolo] +Signed-off-by: Paolo Bonzini +--- + virt/kvm/coalesced_mmio.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c +index 5294abb3f178..8ffd07e2a160 100644 +--- a/virt/kvm/coalesced_mmio.c ++++ b/virt/kvm/coalesced_mmio.c +@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, + return 1; + } + +-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) ++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last) + { + struct kvm_coalesced_mmio_ring *ring; + unsigned avail; +@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) + * there is always one unused entry in the buffer + */ + ring = dev->kvm->coalesced_mmio_ring; +- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX; ++ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX; + if (avail == 0) { + /* full */ + return 0; +@@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu, + { + struct kvm_coalesced_mmio_dev *dev = to_mmio(this); + struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring; ++ __u32 insert; + + if (!coalesced_mmio_in_range(dev, addr, 
len)) + return -EOPNOTSUPP; + + spin_lock(&dev->kvm->ring_lock); + +- if (!coalesced_mmio_has_room(dev)) { ++ insert = READ_ONCE(ring->last); ++ if (!coalesced_mmio_has_room(dev, insert) || ++ insert >= KVM_COALESCED_MMIO_MAX) { + spin_unlock(&dev->kvm->ring_lock); + return -EOPNOTSUPP; + } + + /* copy data in first free entry of the ring */ + +- ring->coalesced_mmio[ring->last].phys_addr = addr; +- ring->coalesced_mmio[ring->last].len = len; +- memcpy(ring->coalesced_mmio[ring->last].data, val, len); +- ring->coalesced_mmio[ring->last].pio = dev->zone.pio; ++ ring->coalesced_mmio[insert].phys_addr = addr; ++ ring->coalesced_mmio[insert].len = len; ++ memcpy(ring->coalesced_mmio[insert].data, val, len); ++ ring->coalesced_mmio[insert].pio = dev->zone.pio; + smp_wmb(); +- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX; ++ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX; + spin_unlock(&dev->kvm->ring_lock); + return 0; + } +-- +cgit 1.2-0.3.lf.el7 + -- cgit From d11a5a2269a993202800505ce21dd4805b0dc5fa Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Thu, 19 Sep 2019 17:36:19 -0400 Subject: Fix for dwc3 (rhbz 1753099) --- dwc3-fix.patch | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 6 +++++ 2 files changed, 86 insertions(+) create mode 100644 dwc3-fix.patch diff --git a/dwc3-fix.patch b/dwc3-fix.patch new file mode 100644 index 000000000..d741b9e2e --- /dev/null +++ b/dwc3-fix.patch 
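Review bot: In the carried change to coalesced_mmio_write, the range test `insert >= KVM_COALESCED_MMIO_MAX` is evaluated only after `coalesced_mmio_has_room(dev, insert)` has already consumed the unvalidated index. As far as the visible lines show, has_room only does modular arithmetic with it, so nothing is indexed out of bounds, but testing the bound first reads in the order the validation is meant: `if (insert >= KVM_COALESCED_MMIO_MAX || !coalesced_mmio_has_room(dev, insert)) {`. The snapshot would also benefit from a comment such as `/* ring is shared with userspace: read 'last' once and validate it before indexing */`. The local is declared `__u32` while the helper parameter is `u32`; in-kernel code normally uses `u32` for both. Both function bodies extend beyond the quoted hunks, and since this file is a copy of an upstream commit, any change belongs upstream rather than in the package.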
@@ -0,0 +1,80 @@ +From 4749e0e61241cc121de572520a39dab365b9ea1d Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 8 Aug 2019 16:39:42 -0700 +Subject: usb: dwc3: Update soft-reset wait polling rate + +Starting from DWC_usb31 version 1.90a and later, the DCTL.CSFRST bit +will not be cleared until after all the internal clocks are synchronized +during soft-reset. This may take a little more than 50ms. Set the +polling rate at 20ms instead. + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +--- + drivers/usb/dwc3/core.c | 23 ++++++++++++++++++----- + drivers/usb/dwc3/core.h | 2 ++ + 2 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 98bce85c29d0..252c397860ef 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -252,12 +252,25 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc) + reg |= DWC3_DCTL_CSFTRST; + dwc3_writel(dwc->regs, DWC3_DCTL, reg); + ++ /* ++ * For DWC_usb31 controller 1.90a and later, the DCTL.CSFRST bit ++ * is cleared only after all the clocks are synchronized. This can ++ * take a little more than 50ms. Set the polling rate at 20ms ++ * for 10 times instead. ++ */ ++ if (dwc3_is_usb31(dwc) && dwc->revision >= DWC3_USB31_REVISION_190A) ++ retries = 10; ++ + do { + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (!(reg & DWC3_DCTL_CSFTRST)) + goto done; + +- udelay(1); ++ if (dwc3_is_usb31(dwc) && ++ dwc->revision >= DWC3_USB31_REVISION_190A) ++ msleep(20); ++ else ++ udelay(1); + } while (--retries); + + phy_exit(dwc->usb3_generic_phy); +@@ -267,11 +280,11 @@ static int dwc3_core_soft_reset(struct dwc3 *dwc) + + done: + /* +- * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared, +- * we must wait at least 50ms before accessing the PHY domain +- * (synchronization delay). DWC_usb31 programming guide section 1.3.2. 
++ * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit ++ * is cleared, we must wait at least 50ms before accessing the PHY ++ * domain (synchronization delay). + */ +- if (dwc3_is_usb31(dwc)) ++ if (dwc3_is_usb31(dwc) && dwc->revision <= DWC3_USB31_REVISION_180A) + msleep(50); + + return 0; +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 3dd783b889cb..1c8b349379af 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -1137,6 +1137,8 @@ struct dwc3 { + #define DWC3_USB31_REVISION_120A (0x3132302a | DWC3_REVISION_IS_DWC31) + #define DWC3_USB31_REVISION_160A (0x3136302a | DWC3_REVISION_IS_DWC31) + #define DWC3_USB31_REVISION_170A (0x3137302a | DWC3_REVISION_IS_DWC31) ++#define DWC3_USB31_REVISION_180A (0x3138302a | DWC3_REVISION_IS_DWC31) ++#define DWC3_USB31_REVISION_190A (0x3139302a | DWC3_REVISION_IS_DWC31) + + u32 version_type; + +-- +cgit 1.2-0.3.lf.el7 + diff --git a/kernel.spec b/kernel.spec index 107fcbccf..3520009a7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -593,6 +593,9 @@ Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch # CVE-2019-14821 rhbz 1746708 1753596 Patch517: kvm-coalesced_mmio-add-bounds-checking.patch +# rhbz 1753099 +Patch518: dwc3-fix.patch + # END OF PATCH DEFINITIONS %endif @@ -1830,6 +1833,9 @@ fi # # %changelog +* Thu Sep 19 2019 Laura Abbott +- Fix for dwc3 (rhbz 1753099) + * Thu Sep 19 2019 Justin M. Forbes - 5.2.16-200 - Linux v5.2.16 - Fix CVE-2019-14821 (rhbz 1746708 1753596) -- cgit
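Review bot: The two new revision tests in dwc3_core_soft_reset do not share a boundary: polling switches to 20 ms steps for `>= DWC3_USB31_REVISION_190A`, while the 50 ms post-reset wait is kept only for `<= DWC3_USB31_REVISION_180A`, so a DWC_usb31 revision between the two, if one exists, would get neither. Writing the second test as `dwc->revision < DWC3_USB31_REVISION_190A` would make the branches complementary. The `>= 190A` predicate is also spelled out twice, before the loop and inside it; evaluating it once into a local would keep the retry count and the delay choice from drifting apart. The added comments say `DCTL.CSFRST` where the register macro is `DWC3_DCTL_CSFTRST`. The function starts and ends outside the quoted hunks, and since the file is a copy of an upstream commit, changes belong upstream.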