Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Tue, 14 Mar 2023 02:17:13 +0000 (22:17 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 14 Mar 2023 02:17:13 +0000 (22:17 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch [new file with mode: 0644]
queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch [new file with mode: 0644]
queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch [new file with mode: 0644]
queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch [new file with mode: 0644]
queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch [new file with mode: 0644]
queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch [new file with mode: 0644]
queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch [new file with mode: 0644]
queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch [new file with mode: 0644]

diff --git a/queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch b/queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch
new file mode 100644 (file)
index 0000000..fdd5ac2
--- /dev/null
@@ -0,0 +1,127 @@
+From a20364ca9253e0f6221bb798974272243bc2333d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:53 -0700
+Subject: block, bfq: fix possible uaf for 'bfqq->bic'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ]
+
+Our test report a uaf for 'bfqq->bic' in 5.10:
+
+==================================================================
+BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30
+
+CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014
+Call Trace:
+ bfq_select_queue+0x378/0xa30
+ bfq_dispatch_request+0xe8/0x130
+ blk_mq_do_dispatch_sched+0x62/0xb0
+ __blk_mq_sched_dispatch_requests+0x215/0x2a0
+ blk_mq_sched_dispatch_requests+0x8f/0xd0
+ __blk_mq_run_hw_queue+0x98/0x180
+ __blk_mq_delay_run_hw_queue+0x22b/0x240
+ blk_mq_run_hw_queue+0xe3/0x190
+ blk_mq_sched_insert_requests+0x107/0x200
+ blk_mq_flush_plug_list+0x26e/0x3c0
+ blk_finish_plug+0x63/0x90
+ __iomap_dio_rw+0x7b5/0x910
+ iomap_dio_rw+0x36/0x80
+ ext4_dio_read_iter+0x146/0x190 [ext4]
+ ext4_file_read_iter+0x1e2/0x230 [ext4]
+ new_sync_read+0x29f/0x400
+ vfs_read+0x24e/0x2d0
+ ksys_read+0xd5/0x1b0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+changes that move process to a new cgroup will allocate a new bfqq to
+use, however, the old bfqq and new bfqq can point to the same bic:
+
+1) Initial state, two process with io in the same cgroup.
+
+Process 1       Process 2
+ (BIC1)          (BIC2)
+  |  Λ            |  Λ
+  |  |            |  |
+  V  |            V  |
+  bfqq1           bfqq2
+
+2) bfqq1 is merged to bfqq2.
+
+Process 1       Process 2
+ (BIC1)          (BIC2)
+  |               |
+   \-------------\|
+                  V
+  bfqq1           bfqq2(coop)
+
+3) Process 1 exit, then issue new io(denoce IOA) from Process 2.
+
+ (BIC2)
+  |  Λ
+  |  |
+  V  |
+  bfqq2(coop)
+
+4) Before IOA is completed, move Process 2 to another cgroup and issue io.
+
+Process 2
+ (BIC2)
+   Λ
+   |\--------------\
+   |                V
+  bfqq2           bfqq3
+
+Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.
+If all the requests are completed, and Process 2 exit, BIC2 will be
+freed while there is no guarantee that bfqq2 will be freed before BIC2.
+
+Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
+
+Fixes: 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221214030430.3304151-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 7c4b8d0635ebd..afaededb3c49c 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -373,6 +373,12 @@ struct bfq_queue *bic_to_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync)
+ {
++      struct bfq_queue *old_bfqq = bic->bfqq[is_sync];
++
++      /* Clear bic pointer if bfqq is detached from this bic */
++      if (old_bfqq && old_bfqq->bic == bic)
++              old_bfqq->bic = NULL;
++
+       bic->bfqq[is_sync] = bfqq;
+ }
+@@ -4977,7 +4983,6 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+               unsigned long flags;
+               spin_lock_irqsave(&bfqd->lock, flags);
+-              bfqq->bic = NULL;
+               bfq_exit_bfqq(bfqd, bfqq);
+               bic_set_bfqq(bic, NULL, is_sync);
+               spin_unlock_irqrestore(&bfqd->lock, flags);
+-- 
+2.39.2
+
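Review bot: bic_set_bfqq() now dereferences the queue currently stored in `bic->bfqq[is_sync]` to clear its back-pointer, which adds an unstated precondition: the previous queue must still be alive when the call is made, so every caller has to point the bic at NULL (or the new queue) before dropping its last reference to the old one. That deserves a comment on the function itself, e.g. `/* Must be called before the caller releases its reference to the previous bfqq: its ->bic back-pointer is written here. */`. The bfq_exit_icq_bfqq hunk in this same patch still runs bfq_exit_bfqq() before bic_set_bfqq(bic, NULL, ...), i.e. in the order the new precondition forbids; the two follow-up patches in this batch reorder the callers, so the series order in queue-5.10/series is what keeps the intermediate tree safe. Both accesses are presumably expected under bfqd->lock, as at the visible call site; the other callers are outside this patch.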
diff --git a/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
new file mode 100644 (file)
index 0000000..290b052
--- /dev/null
@@ -0,0 +1,44 @@
+From 8d578c6a8eb0a4e63490fb7f8d2aa9bc5cee23d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:54 -0700
+Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ]
+
+Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
+can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
+
+Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index afaededb3c49c..0a53b653a7e2e 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -4983,8 +4983,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+               unsigned long flags;
+               spin_lock_irqsave(&bfqd->lock, flags);
+-              bfq_exit_bfqq(bfqd, bfqq);
+               bic_set_bfqq(bic, NULL, is_sync);
++              bfq_exit_bfqq(bfqd, bfqq);
+               spin_unlock_irqrestore(&bfqd->lock, flags);
+       }
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
new file mode 100644 (file)
index 0000000..1a6e098
--- /dev/null
@@ -0,0 +1,64 @@
+From 96bd4e91efc38daae342ac7c231dc356ab084822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:57 -0700
+Subject: block, bfq: fix uaf for bfqq in bic_set_bfqq()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 ]
+
+After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
+bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
+bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
+bic->bfqq.
+
+Fix the problem by always freeing bfqq after bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-and-tested-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-cgroup.c  | 2 +-
+ block/bfq-iosched.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index 2f440b79183d3..1f9ccc661d574 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -748,8 +748,8 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+                                * request from the old cgroup.
+                                */
+                               bfq_put_cooperator(sync_bfqq);
+-                              bfq_release_process_ref(bfqd, sync_bfqq);
+                               bic_set_bfqq(bic, NULL, true);
++                              bfq_release_process_ref(bfqd, sync_bfqq);
+                       }
+               }
+       }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 016d7f32af9f1..6687b805bab3b 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5070,9 +5070,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+       bfqq = bic_to_bfqq(bic, false);
+       if (bfqq) {
+-              bfq_release_process_ref(bfqd, bfqq);
++              struct bfq_queue *old_bfqq = bfqq;
++
+               bfqq = bfq_get_queue(bfqd, bio, false, bic);
+               bic_set_bfqq(bic, bfqq, false);
++              bfq_release_process_ref(bfqd, old_bfqq);
+       }
+       bfqq = bic_to_bfqq(bic, true);
+-- 
+2.39.2
+
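Review bot: After this change every remaining call site must keep the same ordering, set the bic slot then release the old queue, and the hunk only covers two of them: the sync branch of bfq_check_ioprio_change starts right after the hunk (`bfqq = bic_to_bfqq(bic, true);`) and is not shown, while the async branch of __bfq_bic_change_cgroup (visible in the 0/1-to-false/true patch of this batch) already releases after bic_set_bfqq(). A one-line comment at each reordered release, `/* bic_set_bfqq() writes old_bfqq->bic, so release only after it */`, would stop a later backport from swapping the lines back. Both enclosing functions begin and end outside the hunk.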
diff --git a/queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch b/queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
new file mode 100644 (file)
index 0000000..8bd62ae
--- /dev/null
@@ -0,0 +1,55 @@
+From 1e98b6da6bd182cf966673fcf2fa181d9af1ab31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:55 -0700
+Subject: block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC"
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit f6bad159f5d5e5b33531aba3d9b860ad8618afe0 ]
+
+bfq_get_queue() expects a "bool" for the third arg, so pass "false"
+rather than "BLK_RW_ASYNC" which will soon be removed.
+
+Link: https://lkml.kernel.org/r/164549983746.9187.7949730109246767909.stgit@noble.brown
+Signed-off-by: NeilBrown <neilb@suse.de>
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Cc: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Cc: Chao Yu <chao@kernel.org>
+Cc: Darrick J. Wong <djwong@kernel.org>
+Cc: Ilya Dryomov <idryomov@gmail.com>
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jeff Layton <jlayton@kernel.org>
+Cc: Lars Ellenberg <lars.ellenberg@linbit.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Cc: Paolo Valente <paolo.valente@linaro.org>
+Cc: Philipp Reisner <philipp.reisner@linbit.com>
+Cc: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: Wu Fengguang <fengguang.wu@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 0a53b653a7e2e..35b240cba0926 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5071,7 +5071,7 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+       bfqq = bic_to_bfqq(bic, false);
+       if (bfqq) {
+               bfq_release_process_ref(bfqd, bfqq);
+-              bfqq = bfq_get_queue(bfqd, bio, BLK_RW_ASYNC, bic);
++              bfqq = bfq_get_queue(bfqd, bio, false, bic);
+               bic_set_bfqq(bic, bfqq, false);
+       }
+-- 
+2.39.2
+
diff --git a/queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch b/queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
new file mode 100644 (file)
index 0000000..f342cc5
--- /dev/null
@@ -0,0 +1,81 @@
+From 2b9e5454554ac0cfe01c31bf7aa498a093bb8ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:27:56 -0700
+Subject: block, bfq: replace 0/1 with false/true in bic apis
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 337366e02b370d2800110fbc99940f6ddddcbdfa ]
+
+Just to make the code a litter cleaner, there are no functional changes.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20221214033155.3455754-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-cgroup.c  | 8 ++++----
+ block/bfq-iosched.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index badb90352bf33..2f440b79183d3 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -705,15 +705,15 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+                                    struct bfq_io_cq *bic,
+                                    struct bfq_group *bfqg)
+ {
+-      struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0);
+-      struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1);
++      struct bfq_queue *async_bfqq = bic_to_bfqq(bic, false);
++      struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, true);
+       struct bfq_entity *entity;
+       if (async_bfqq) {
+               entity = &async_bfqq->entity;
+               if (entity->sched_data != &bfqg->sched_data) {
+-                      bic_set_bfqq(bic, NULL, 0);
++                      bic_set_bfqq(bic, NULL, false);
+                       bfq_release_process_ref(bfqd, async_bfqq);
+               }
+       }
+@@ -749,7 +749,7 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+                                */
+                               bfq_put_cooperator(sync_bfqq);
+                               bfq_release_process_ref(bfqd, sync_bfqq);
+-                              bic_set_bfqq(bic, NULL, 1);
++                              bic_set_bfqq(bic, NULL, true);
+                       }
+               }
+       }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 35b240cba0926..016d7f32af9f1 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2816,7 +2816,7 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+       /*
+        * Merge queues (that is, let bic redirect its requests to new_bfqq)
+        */
+-      bic_set_bfqq(bic, new_bfqq, 1);
++      bic_set_bfqq(bic, new_bfqq, true);
+       bfq_mark_bfqq_coop(new_bfqq);
+       /*
+        * new_bfqq now belongs to at least two bics (it is a shared queue):
+@@ -6014,7 +6014,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+               return bfqq;
+       }
+-      bic_set_bfqq(bic, NULL, 1);
++      bic_set_bfqq(bic, NULL, true);
+       bfq_put_cooperator(bfqq);
+-- 
+2.39.2
+
diff --git a/queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch b/queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
new file mode 100644 (file)
index 0000000..1542bb5
--- /dev/null
@@ -0,0 +1,73 @@
+From 8c587a9111f9751e1e33887f738c7843a5ab4007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 08:26:56 +0000
+Subject: iommu/amd: Add a length limitation for the ivrs_acpihid command-line
+ parameter
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit b6b26d86c61c441144c72f842f7469bb686e1211 ]
+
+The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
+because the string specifier in the format string sscanf()
+has no width limitation.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Kim Phillips <kim.phillips@amd.com>
+Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index ce822347f7470..603f625a74e54 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3124,15 +3124,26 @@ static int __init parse_ivrs_hpet(char *str)
+       return 1;
+ }
++#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
++
+ static int __init parse_ivrs_acpihid(char *str)
+ {
+       u32 seg = 0, bus, dev, fn;
+       char *hid, *uid, *p, *addr;
+-      char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
++      char acpiid[ACPIID_LEN] = {0};
+       int i;
+       addr = strchr(str, '@');
+       if (!addr) {
++              addr = strchr(str, '=');
++              if (!addr)
++                      goto not_found;
++
++              ++addr;
++
++              if (strlen(addr) > ACPIID_LEN)
++                      goto not_found;
++
+               if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
+                   sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
+                       pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
+@@ -3145,6 +3156,9 @@ static int __init parse_ivrs_acpihid(char *str)
+       /* We have the '@', make it the terminator to get just the acpiid */
+       *addr++ = 0;
++      if (strlen(str) > ACPIID_LEN + 1)
++              goto not_found;
++
+       if (sscanf(str, "=%s", acpiid) != 1)
+               goto not_found;
+-- 
+2.39.2
+
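Review bot: The new length checks are off by one: `acpiid` is declared `char acpiid[ACPIID_LEN]`, yet `strlen(addr) > ACPIID_LEN` still admits an ID of exactly ACPIID_LEN characters, and sscanf's `%s` then stores those bytes plus a terminating NUL, writing one byte past the array; the `strlen(str) > ACPIID_LEN + 1` check in the `@` form (where str begins with `=`) has the same gap. Either size the buffer for the terminator, `char acpiid[ACPIID_LEN + 1] = {0};`, or tighten both comparisons to `>=`. Since the `%s` conversions still carry no field width, these strlen() pre-checks are the only thing bounding the write, so they need to be exact. Exposure is limited to whoever already controls the kernel command line, but it remains a stack write past the buffer; parse_ivrs_acpihid() continues past the hunk.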
diff --git a/queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch b/queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch
new file mode 100644 (file)
index 0000000..6c32923
--- /dev/null
@@ -0,0 +1,84 @@
+From 6c5b3fa19f734213cada7f27fd08027ea142f5bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 16:11:35 +0200
+Subject: PCI/PM: Define pci_restore_standard_config() only for CONFIG_PM_SLEEP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 18a94192e20de31e7e495d7c805c8930c42e99ef ]
+
+pci_restore_standard_config() was defined under CONFIG_PM but called only
+by pci_pm_resume() (defined under CONFIG_SUSPEND) and pci_pm_restore()
+(defined under CONFIG_HIBERNATE_CALLBACKS).  A configuration with only
+CONFIG_PM leads to a warning:
+
+  drivers/pci/pci-driver.c:533:12: error: ‘pci_restore_standard_config’ defined but not used [-Werror=unused-function]
+
+CONFIG_PM_SLEEP depends on CONFIG_SUSPEND and CONFIG_HIBERNATE_CALLBACKS,
+so define pci_restore_standard_config() under that instead.
+
+Link: https://lore.kernel.org/r/20220420141135.444820-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: ac91e6980563 ("PCI: Unify delay handling for reset and resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-driver.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 8b587fc97f7bc..bbaecc2340371 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -499,9 +499,9 @@ static void pci_device_shutdown(struct device *dev)
+               pci_clear_master(pci_dev);
+ }
+-#ifdef CONFIG_PM
++#ifdef CONFIG_PM_SLEEP
+-/* Auxiliary functions used for system resume and run-time resume. */
++/* Auxiliary functions used for system resume */
+ /**
+  * pci_restore_standard_config - restore standard config registers of PCI device
+@@ -521,6 +521,11 @@ static int pci_restore_standard_config(struct pci_dev *pci_dev)
+       pci_pme_restore(pci_dev);
+       return 0;
+ }
++#endif /* CONFIG_PM_SLEEP */
++
++#ifdef CONFIG_PM
++
++/* Auxiliary functions used for system resume and run-time resume */
+ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ {
+@@ -528,10 +533,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+       pci_enable_wake(pci_dev, PCI_D0, false);
+ }
+-#endif
+-
+-#ifdef CONFIG_PM_SLEEP
+-
+ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ {
+       pci_power_up(pci_dev);
+@@ -540,6 +541,10 @@ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+       pci_pme_restore(pci_dev);
+ }
++#endif /* CONFIG_PM */
++
++#ifdef CONFIG_PM_SLEEP
++
+ /*
+  * Default "suspend" method for devices that have no driver provided suspend,
+  * or not even a driver at all (second part).
+-- 
+2.39.2
+
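Review bot: The Stable-dep-of trailer names ac91e6980563 ("PCI: Unify delay handling for reset and resume"), but no patch with that title appears in this commit's diffstat or in the lines added to queue-5.10/series, so this ifdef reshuffle lands on its own; presumably the dependent patch is queued in a later commit, which is worth confirming before the 5.10 release is cut. The move is behaviourally neutral only if every caller of pci_restore_standard_config() is itself under CONFIG_PM_SLEEP, as the commit message states for pci_pm_resume() and pci_pm_restore(); those callers are outside the hunk.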
index be04cbf632d22e856b94c5b142c450cfb83917dc..5768b6fd959d6ab328816f7c20fbd14d178da9d8 100644 (file)
@@ -63,3 +63,12 @@ sunrpc-fix-a-server-shutdown-leak.patch
 riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch
 risc-v-don-t-check-text_mutex-during-stop_machine.patch
 ext4-fix-deadlock-during-directory-rename.patch
+iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
+pci-pm-define-pci_restore_standard_config-only-for-c.patch
+watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
+tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic.patch
+block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
+block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
+block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
+block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
diff --git a/queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch b/queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
new file mode 100644 (file)
index 0000000..bb92fb0
--- /dev/null
@@ -0,0 +1,73 @@
+From 8b969f52e05a2be328d44872f8602f73743de726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 10:25:52 +0100
+Subject: tpm/eventlog: Don't abort tpm_read_log on faulty ACPI address
+
+From: Morten Linderud <morten@linderud.pw>
+
+[ Upstream commit 80a6c216b16d7f5c584d2148c2e4345ea4eb06ce ]
+
+tpm_read_log_acpi() should return -ENODEV when no eventlog from the ACPI
+table is found. If the firmware vendor includes an invalid log address
+we are unable to map from the ACPI memory and tpm_read_log() returns -EIO
+which would abort discovery of the eventlog.
+
+Change the return value from -EIO to -ENODEV when acpi_os_map_iomem()
+fails to map the event log.
+
+The following hardware was used to test this issue:
+    Framework Laptop (Pre-production)
+    BIOS: INSYDE Corp, Revision: 3.2
+    TPM Device: NTC, Firmware Revision: 7.2
+
+Dump of the faulty ACPI TPM2 table:
+    [000h 0000   4]                    Signature : "TPM2"    [Trusted Platform Module hardware interface Table]
+    [004h 0004   4]                 Table Length : 0000004C
+    [008h 0008   1]                     Revision : 04
+    [009h 0009   1]                     Checksum : 2B
+    [00Ah 0010   6]                       Oem ID : "INSYDE"
+    [010h 0016   8]                 Oem Table ID : "TGL-ULT"
+    [018h 0024   4]                 Oem Revision : 00000002
+    [01Ch 0028   4]              Asl Compiler ID : "ACPI"
+    [020h 0032   4]        Asl Compiler Revision : 00040000
+
+    [024h 0036   2]               Platform Class : 0000
+    [026h 0038   2]                     Reserved : 0000
+    [028h 0040   8]              Control Address : 0000000000000000
+    [030h 0048   4]                 Start Method : 06 [Memory Mapped I/O]
+
+    [034h 0052  12]            Method Parameters : 00 00 00 00 00 00 00 00 00 00 00 00
+    [040h 0064   4]           Minimum Log Length : 00010000
+    [044h 0068   8]                  Log Address : 000000004053D000
+
+Fixes: 0cf577a03f21 ("tpm: Fix handling of missing event log")
+Tested-by: Erkki Eilonen <erkki@bearmetal.eu>
+Signed-off-by: Morten Linderud <morten@linderud.pw>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/eventlog/acpi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
+index 0913d3eb8d518..cd266021d0103 100644
+--- a/drivers/char/tpm/eventlog/acpi.c
++++ b/drivers/char/tpm/eventlog/acpi.c
+@@ -143,8 +143,12 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
+       ret = -EIO;
+       virt = acpi_os_map_iomem(start, len);
+-      if (!virt)
++      if (!virt) {
++              dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__);
++              /* try EFI log next */
++              ret = -ENODEV;
+               goto err;
++      }
+       memcpy_fromio(log->bios_event_log, virt, len);
+-- 
+2.39.2
+
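Review bot: The new warning reports that the mapping failed but not which address the firmware supplied, which is exactly the fact needed to file a bug against the BIOS; the commit message itself had to dump the TPM2 table to show the bogus Log Address. Consider `dev_warn(&chip->dev, "%s: Failed to map ACPI memory at %#llx (len %llu)\n", __func__, start, len);`, adjusting the specifiers to the declared types of start and len, which are outside the hunk. The `ret = -EIO;` at the top of the hunk is no longer what this failure path returns; whether it is still needed depends on the code after memcpy_fromio(), which is not shown. tpm_read_log_acpi() begins and ends outside the hunk.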
diff --git a/queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch b/queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
new file mode 100644 (file)
index 0000000..a3e9402
--- /dev/null
@@ -0,0 +1,39 @@
+From 2e5449946102b24a8231dfe4f8738236d7654509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:21:06 +0100
+Subject: watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit 03e1d60e177eedbd302b77af4ea5e21b5a7ade31 ]
+
+The watch_queue_set_size() allocation error paths return the ret value
+set via the prior pipe_resize_ring() call, which will always be zero.
+
+As a result, IOC_WATCH_QUEUE_SET_SIZE callers such as "keyctl watch"
+fail to detect kernel wqueue->notes allocation failures and proceed to
+KEYCTL_WATCH_KEY, with any notifications subsequently lost.
+
+Fixes: c73be61cede58 ("pipe: Add general notification queue support")
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watch_queue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index d29731a30b8e1..73717917d8164 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -274,6 +274,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
+       if (ret < 0)
+               goto error;
++      ret = -ENOMEM;
+       pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+       if (!pages)
+               goto error;
+-- 
+2.39.2
+
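Review bot: The single `ret = -ENOMEM;` covers the later allocation failures only as long as nothing between the two allocations stores into ret; the second allocation (wqueue->notes, per the commit message) and the `error:` label are outside the hunk, so please confirm no intervening call reassigns ret, otherwise that path silently returns 0 again. Setting it at each failure site, `if (!pages) { ret = -ENOMEM; goto error; }`, does not depend on that ordering. Adjacent but pre-existing: `kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL)` passes the element size as the count and the count as the size; the product is the same so the overflow check is unaffected, but `kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL)` reads as intended. watch_queue_set_size() starts and ends outside the hunk.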