--- /dev/null
+From 3702a0585e64d70d5bf73bf3e943b8d6005b72c1 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Wed, 15 Aug 2018 16:11:25 -0500
+Subject: crypto: ccp - add timeout support in the SEV command
+
+From: Brijesh Singh <brijesh.singh@amd.com>
+
+commit 3702a0585e64d70d5bf73bf3e943b8d6005b72c1 upstream.
+
+Currently, the CCP driver assumes that the SEV command issued to the PSP
+will always return (i.e. it will never hang). But recently, firmware bugs
+have shown that a command can hang. Since of the SEV commands are used
+in probe routines, this can cause boot hangs and/or loss of virtualization
+capabilities.
+
+To protect against firmware bugs, add a timeout in the SEV command
+execution flow. If a command does not complete within the specified
+timeout then return -ETIMEOUT and stop the driver from executing any
+further commands since the state of the SEV firmware is unknown.
+
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Gary Hook <Gary.Hook@amd.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[Brijesh: Backported to 4.18..4.19 - offset change in few hunks]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/psp-dev.c | 46 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/psp-dev.c
++++ b/drivers/crypto/ccp/psp-dev.c
+@@ -38,6 +38,17 @@ static DEFINE_MUTEX(sev_cmd_mutex);
+ static struct sev_misc_dev *misc_dev;
+ static struct psp_device *psp_master;
+
++static int psp_cmd_timeout = 100;
++module_param(psp_cmd_timeout, int, 0644);
++MODULE_PARM_DESC(psp_cmd_timeout, " default timeout value, in seconds, for PSP commands");
++
++static int psp_probe_timeout = 5;
++module_param(psp_probe_timeout, int, 0644);
++MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during PSP device probe");
++
++static bool psp_dead;
++static int psp_timeout;
++
+ static struct psp_device *psp_alloc_struct(struct sp_device *sp)
+ {
+ struct device *dev = sp->dev;
+@@ -82,10 +93,19 @@ done:
+ return IRQ_HANDLED;
+ }
+
+-static void sev_wait_cmd_ioc(struct psp_device *psp, unsigned int *reg)
++static int sev_wait_cmd_ioc(struct psp_device *psp,
++ unsigned int *reg, unsigned int timeout)
+ {
+- wait_event(psp->sev_int_queue, psp->sev_int_rcvd);
++ int ret;
++
++ ret = wait_event_timeout(psp->sev_int_queue,
++ psp->sev_int_rcvd, timeout * HZ);
++ if (!ret)
++ return -ETIMEDOUT;
++
+ *reg = ioread32(psp->io_regs + PSP_CMDRESP);
++
++ return 0;
+ }
+
+ static int sev_cmd_buffer_len(int cmd)
+@@ -133,12 +153,15 @@ static int __sev_do_cmd_locked(int cmd,
+ if (!psp)
+ return -ENODEV;
+
++ if (psp_dead)
++ return -EBUSY;
++
+ /* Get the physical address of the command buffer */
+ phys_lsb = data ? lower_32_bits(__psp_pa(data)) : 0;
+ phys_msb = data ? upper_32_bits(__psp_pa(data)) : 0;
+
+- dev_dbg(psp->dev, "sev command id %#x buffer 0x%08x%08x\n",
+- cmd, phys_msb, phys_lsb);
++ dev_dbg(psp->dev, "sev command id %#x buffer 0x%08x%08x timeout %us\n",
++ cmd, phys_msb, phys_lsb, psp_timeout);
+
+ print_hex_dump_debug("(in): ", DUMP_PREFIX_OFFSET, 16, 2, data,
+ sev_cmd_buffer_len(cmd), false);
+@@ -154,7 +177,18 @@ static int __sev_do_cmd_locked(int cmd,
+ iowrite32(reg, psp->io_regs + PSP_CMDRESP);
+
+ /* wait for command completion */
+- sev_wait_cmd_ioc(psp, ®);
++ ret = sev_wait_cmd_ioc(psp, ®, psp_timeout);
++ if (ret) {
++ if (psp_ret)
++ *psp_ret = 0;
++
++ dev_err(psp->dev, "sev command %#x timed out, disabling PSP \n", cmd);
++ psp_dead = true;
++
++ return ret;
++ }
++
++ psp_timeout = psp_cmd_timeout;
+
+ if (psp_ret)
+ *psp_ret = reg & PSP_CMDRESP_ERR_MASK;
+@@ -886,6 +920,8 @@ void psp_pci_init(void)
+
+ psp_master = sp->psp_data;
+
++ psp_timeout = psp_probe_timeout;
++
+ if (sev_get_api_version())
+ goto err;
+
--- /dev/null
+From b40b3e9358fbafff6a4ba0f4b9658f6617146f9c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 11 Jul 2018 15:29:31 +0300
+Subject: mei: bus: type promotion bug in mei_nfc_if_version()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream.
+
+We accidentally removed the check for negative returns
+without considering the issue of type promotion.
+The "if_version_length" variable is type size_t so if __mei_cl_recv()
+returns a negative then "bytes_recv" is type promoted
+to a high positive value and treated as success.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/misc/mei/bus-fixup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -267,7 +267,7 @@ static int mei_nfc_if_version(struct mei
+
+ ret = 0;
+ bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0);
+- if (bytes_recv < if_version_length) {
++ if (bytes_recv < 0 || bytes_recv < if_version_length) {
+ dev_err(bus->dev, "Could not read IF version\n");
+ ret = -EIO;
+ goto err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
