--- /dev/null
+From 9265fed6db601ee2ec47577815387458ef4f047a Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Thu, 31 Oct 2024 02:16:09 +0200
+Subject: tpm: Lock TPM chip in tpm_pm_suspend() first
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 9265fed6db601ee2ec47577815387458ef4f047a upstream.
+
+Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy
+according, as this leaves window for tpm_hwrng_read() to be called while
+the operation is in progress. The recent bug report gives also evidence of
+this behaviour.
+
+Aadress this by locking the TPM chip before checking any chip->flags both
+in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED
+check inside tpm_get_random() so that it will be always checked only when
+the lock is reserved.
+
+Cc: stable@vger.kernel.org # v6.4+
+Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume")
+Reported-by: Mike Seo <mikeseohyungjin@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Tested-by: Mike Seo <mikeseohyungjin@gmail.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+[ Don't call tpm2_end_auth_session() for this function does not exist in 6.6.y.]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-chip.c | 4 ----
+ drivers/char/tpm/tpm-interface.c | 29 +++++++++++++++++++++--------
+ 2 files changed, 21 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -519,10 +519,6 @@ static int tpm_hwrng_read(struct hwrng *
+ {
+ struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng);
+
+- /* Give back zero bytes, as TPM chip has not yet fully resumed: */
+- if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
+- return 0;
+-
+ return tpm_get_random(chip, data, max);
+ }
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -394,6 +394,13 @@ int tpm_pm_suspend(struct device *dev)
+ if (!chip)
+ return -ENODEV;
+
++ rc = tpm_try_get_ops(chip);
++ if (rc) {
++ /* Can be safely set out of locks, as no action cannot race: */
++ chip->flags |= TPM_CHIP_FLAG_SUSPENDED;
++ goto out;
++ }
++
+ if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED)
+ goto suspended;
+
+@@ -401,19 +408,18 @@ int tpm_pm_suspend(struct device *dev)
+ !pm_suspend_via_firmware())
+ goto suspended;
+
+- rc = tpm_try_get_ops(chip);
+- if (!rc) {
+- if (chip->flags & TPM_CHIP_FLAG_TPM2)
+- tpm2_shutdown(chip, TPM2_SU_STATE);
+- else
+- rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
+-
+- tpm_put_ops(chip);
++ if (chip->flags & TPM_CHIP_FLAG_TPM2) {
++ tpm2_shutdown(chip, TPM2_SU_STATE);
++ goto suspended;
+ }
+
++ rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
++
+ suspended:
+ chip->flags |= TPM_CHIP_FLAG_SUSPENDED;
++ tpm_put_ops(chip);
+
++out:
+ if (rc)
+ dev_err(dev, "Ignoring error %d while suspending\n", rc);
+ return 0;
+@@ -462,11 +468,18 @@ int tpm_get_random(struct tpm_chip *chip
+ if (!chip)
+ return -ENODEV;
+
++ /* Give back zero bytes, as TPM chip has not yet fully resumed: */
++ if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
++ rc = 0;
++ goto out;
++ }
++
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ rc = tpm2_get_random(chip, out, max);
+ else
+ rc = tpm1_get_random(chip, out, max);
+
++out:
+ tpm_put_ops(chip);
+ return rc;
+ }
--- /dev/null
+From 7d79cd784470395539bda91bf0b3505ff5b2ab6d Mon Sep 17 00:00:00 2001
+From: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Date: Sun, 23 Jun 2024 23:36:13 -0700
+Subject: udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
+
+From: Vivek Kasireddy <vivek.kasireddy@intel.com>
+
+commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d upstream.
+
+Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
+would be managed without using struct page.
+
+And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn
+to userspace instead of directly sharing the page (via struct page *).
+
+Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Suggested-by: David Hildenbrand <david@redhat.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Dave Airlie <airlied@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Dongwon Kim <dongwon.kim@intel.com>
+Cc: Junxiao Chang <junxiao.chang@intel.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/udmabuf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -35,12 +35,13 @@ static vm_fault_t udmabuf_vm_fault(struc
+ struct vm_area_struct *vma = vmf->vma;
+ struct udmabuf *ubuf = vma->vm_private_data;
+ pgoff_t pgoff = vmf->pgoff;
++ unsigned long pfn;
+
+ if (pgoff >= ubuf->pagecount)
+ return VM_FAULT_SIGBUS;
+- vmf->page = ubuf->pages[pgoff];
+- get_page(vmf->page);
+- return 0;
++
++ pfn = page_to_pfn(ubuf->pages[pgoff]);
++ return vmf_insert_pfn(vma, vmf->address, pfn);
+ }
+
+ static const struct vm_operations_struct udmabuf_vm_ops = {
+@@ -56,6 +57,7 @@ static int mmap_udmabuf(struct dma_buf *
+
+ vma->vm_ops = &udmabuf_vm_ops;
+ vma->vm_private_data = ubuf;
++ vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
