From e157d674592ba2908fc2f2d2fab7b0f49959438e Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Jul 26 2019 14:34:10 +0000
Subject: Linux v5.1.20
---
diff --git a/Input-gtco-bounds-check-collection-indent-level.patch b/Input-gtco-bounds-check-collection-indent-level.patch
deleted file mode 100644
index f74c2df..0000000
--- a/Input-gtco-bounds-check-collection-indent-level.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From c9fcba15565f3db7232489366c87c298c4198b0a Mon Sep 17 00:00:00 2001 -From: Grant Hernandez -Date: Thu, 11 Jul 2019 15:22:32 -0700 -Subject: [PATCH] Input: gtco - bounds check collection indent level - -The GTCO tablet input driver configures itself from an HID report sent -via USB during the initial enumeration process. Some debugging messages -are generated during the parsing. A debugging message indentation -counter is not bounds checked, leading to the ability for a specially -crafted HID report to cause '-' and null bytes be written past the end -of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG -enabled, this code will not be optimized out. This was discovered -during code review after a previous syzkaller bug was found in this -driver. - -Cc: stable@vger.kernel.org -Signed-off-by: Grant Hernandez ---- - drivers/input/tablet/gtco.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c -index 4b8b9d7aa75e..9771052ed027 100644 ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com - - /* Max size of a single report */ - #define REPORT_MAX_SIZE 10 -+#define MAX_COLLECTION_LEVELS 10 - - - /* Bitmask whether pen is in range */ -@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, - char maintype = 'x'; - char globtype[12]; - int indent = 0; -- char indentstr[10] = ""; -- -+ char indentstr[MAX_COLLECTION_LEVELS+1] = {0}; - - dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); - -@@ -350,6 +350,12 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, - case TAG_MAIN_COL_START: - maintype = 'S'; - -+ if (indent == MAX_COLLECTION_LEVELS) { -+ dev_err(ddev, "Collection level %d would exceed limit of %d\n", -+ indent+1, MAX_COLLECTION_LEVELS); -+ break; -+ } -+ - if (data == 0) { - dev_dbg(ddev, 
"======>>>>>> Physical\n"); - strcpy(globtype, "Physical"); -@@ -369,8 +375,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report, - break; - - case TAG_MAIN_COL_END: -- dev_dbg(ddev, "<<<<<<======\n"); - maintype = 'E'; -+ -+ if (indent == 0) { -+ dev_err(ddev, "Collection level already at zero\n"); -+ break; -+ } -+ -+ dev_dbg(ddev, "<<<<<<======\n"); -+ - indent--; - for (x = 0; x < indent; x++) - indentstr[x] = '-'; --- -2.21.0 - diff --git a/kernel.spec b/kernel.spec index 33ecb50..c812c18 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 19 +%define stable_update 20 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -621,20 +621,10 @@ Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2 Patch544: drm-panel-orientation-quirks.patch -# Accepted upstream; rhbz 1724357 -Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch - # rhbz 1716334 # https://patchwork.kernel.org/patch/11029027/ Patch547: iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch -# CVE-2019-13631 rhbz 1731000 1731001 -Patch548: Input-gtco-bounds-check-collection-indent-level.patch - -# XSA-300 rhbz 1731862 1731864 -# https://xenbits.xen.org/xsa/advisory-300.html -Patch549: xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch - # CVE-2019-????? rhbz 1731784 Patch550: 8250_lpss-check-null-return-when-calling-pci_ioremap.patch @@ -1879,6 +1869,9 @@ fi # # %changelog +* Fri Jul 26 2019 Jeremy Cline - 5.1.20-300 +- Linux v5.1.20 + * Mon Jul 22 2019 Laura Abbott - Bring in DMA fix (rhbz 1732045) diff --git a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch deleted file mode 100644 index 750d884..0000000 
--- a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001 -From: Felix Kaechele -Date: Tue, 25 Jun 2019 16:48:59 -0400 -Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry - deletion - -Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack -L3-protocol flush regression") introduced a regression in which deletion -of conntrack entries would fail because the L3 protocol information -is replaced by AF_UNSPEC. As a result the search for the entry to be -deleted would turn up empty due to the tuple used to perform the search -is now different from the tuple used to initially set up the entry. - -For flushing the conntrack table we do however want to keep the option -for nfgenmsg->version to have a non-zero value to allow for newer -user-space tools to request treatment under the new behavior. With that -it is possible to independently flush tables for a defined L3 protocol. -This was introduced with the enhancements in in commit 59c08c69c278 -("netfilter: ctnetlink: Support L3 protocol-filter on flush"). - -Older user-space tools will retain the behavior of flushing all tables -regardless of defined L3 protocol. - -Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression") -Suggested-by: Pablo Neira Ayuso -Signed-off-by: Felix Kaechele -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/nf_conntrack_netlink.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c -index 7db79c1b8084..1b77444d5b52 100644 ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, - struct nf_conntrack_tuple tuple; - struct nf_conn *ct; - struct nfgenmsg *nfmsg = nlmsg_data(nlh); -- u_int8_t u3 = nfmsg->version ? 
nfmsg->nfgen_family : AF_UNSPEC; - struct nf_conntrack_zone zone; - int err; - -@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, - - if (cda[CTA_TUPLE_ORIG]) - err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, -- u3, &zone); -+ nfmsg->nfgen_family, &zone); - else if (cda[CTA_TUPLE_REPLY]) - err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, -- u3, &zone); -+ nfmsg->nfgen_family, &zone); - else { -+ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; -+ - return ctnetlink_flush_conntrack(net, cda, - NETLINK_CB(skb).portid, - nlmsg_report(nlh), u3); --- -2.21.0 - diff --git a/sources b/sources index 3243c6a..1b29d43 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236 -SHA512 (patch-5.1.19.xz) = 0c3eb6f140b4248ec332cfdbe2babfde556c5e6c784667ac268a88c5491fdeac3ea7e00158585f37fd283d3aae5c18cde5e9437ec88d784d16f73f9230ded57a +SHA512 (patch-5.1.20.xz) = 3e34637b0ba16d1c5af2344a6b478b27377bf181e60ce2ede2114d5f31b79363d8005a374c9f8d2c0e7db01306079010e4053504107e8045b1b2904a04aed8ee diff --git a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch b/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch deleted file mode 100644 index 9017a3f..0000000 --- a/xen-let-alloc_xenballooned_pages-fail-if-not-enough-.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 2bb6248308c9e2b8bfd13791c8b36fe21d230ed3 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Wed, 19 Jun 2019 11:00:56 +0200 -Subject: [PATCH 2/2] xen: let alloc_xenballooned_pages() fail if not enough - memory free - -Instead of trying to allocate pages with GFP_USER in -add_ballooned_pages() check the available free memory via -si_mem_available(). GFP_USER is far less limiting memory exhaustion -than the test via si_mem_available(). - -This will avoid dom0 running out of memory due to excessive foreign -page mappings especially on ARM and on x86 in PVH mode, as those don't -have a pre-ballooned area which can be used for foreign mappings. - -As the normal ballooning suffers from the same problem don't balloon -down more than si_mem_available() pages in one iteration. At the same -time limit the default maximum number of retries. - -This is part of XSA-300. - -Signed-off-by: Juergen Gross ---- - drivers/xen/balloon.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c -index d37dd5bb7a8f..559768dc2567 100644 ---- a/drivers/xen/balloon.c -+++ b/drivers/xen/balloon.c -@@ -538,8 +538,15 @@ static void balloon_process(struct work_struct *work) - state = reserve_additional_memory(); - } - -- if (credit < 0) -- state = decrease_reservation(-credit, GFP_BALLOON); -+ if (credit < 0) { -+ long n_pages; -+ -+ n_pages = min(-credit, si_mem_available()); -+ state = decrease_reservation(n_pages, GFP_BALLOON); -+ if (state == BP_DONE && n_pages != -credit && -+ n_pages < totalreserve_pages) -+ state = BP_EAGAIN; -+ } - - state = update_schedule(state); - -@@ -578,6 +585,9 @@ static int add_ballooned_pages(int nr_pages) - } - } - -+ if (si_mem_available() < nr_pages) -+ return -ENOMEM; -+ - st = decrease_reservation(nr_pages, GFP_USER); - if (st != BP_DONE) - return -ENOMEM; -@@ -710,7 +720,7 @@ static int __init balloon_init(void) - balloon_stats.schedule_delay = 1; - 
balloon_stats.max_schedule_delay = 32; - balloon_stats.retry_count = 1; -- balloon_stats.max_retry_count = RETRY_UNLIMITED; -+ balloon_stats.max_retry_count = 4; - - #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG - set_online_page_callback(&xen_online_page); --- -2.21.0 -