From: Greg Kroah-Hartman
Date: Wed, 21 Jun 2023 18:46:01 +0000 (+0200)
Subject: 6.3-stable patches
X-Git-Tag: v4.14.320~71
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=620877b50be653dc513a27d57bd22d63fccc6c11;p=thirdparty%2Fkernel%2Fstable-queue.git
6.3-stable patches
added patches:
mm-fix-copy_from_user_nofault.patch
tpm-tpm_tis-claim-locality-in-interrupt-handler.patch
---
diff --git a/queue-6.3/mm-fix-copy_from_user_nofault.patch b/queue-6.3/mm-fix-copy_from_user_nofault.patch
new file mode 100644
index 00000000000..d0bd8c16850
--- /dev/null
+++ b/queue-6.3/mm-fix-copy_from_user_nofault.patch
@@ -0,0 +1,86 @@
+From d319f344561de23e810515d109c7278919bff7b0 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov
+Date: Mon, 10 Apr 2023 19:43:44 +0200
+Subject: mm: Fix copy_from_user_nofault().
+
+From: Alexei Starovoitov
+
+commit d319f344561de23e810515d109c7278919bff7b0 upstream.
+
+There are several issues with copy_from_user_nofault():
+
+- access_ok() is designed for user context only and for that reason
+it has WARN_ON_IN_IRQ() which triggers when bpf, kprobe, eprobe
+and perf on ppc are calling it from irq.
+
+- it's missing nmi_uaccess_okay() which is a nop on all architectures
+except x86 where it's required.
+The comment in arch/x86/mm/tlb.c explains the details why it's necessary.
+Calling copy_from_user_nofault() from bpf, [ke]probe without this check is not safe.
+
+- __copy_from_user_inatomic() under CONFIG_HARDENED_USERCOPY is calling
+check_object_size()->__check_object_size()->check_heap_object()->find_vmap_area()->spin_lock()
+which is not safe to do from bpf, [ke]probe and perf due to potential deadlock.
+
+Fix all three issues. At the end the copy_from_user_nofault() becomes
+equivalent to copy_from_user_nmi() from safety point of view with
+a difference in the return value.
+
+Reported-by: Hsin-Wei Hung
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Florian Lehner
+Tested-by: Hsin-Wei Hung
+Tested-by: Florian Lehner
+Link: https://lore.kernel.org/r/20230410174345.4376-2-dev@der-flo.net
+Signed-off-by: Alexei Starovoitov
+Cc: Javier Honduvilla Coto
+Cc: Daniel Borkmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/maccess.c | 16 +++++++++++-----
+ mm/usercopy.c | 2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/mm/maccess.c
++++ b/mm/maccess.c
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ bool __weak copy_from_kernel_nofault_allowed(const void *unsafe_src,
+ size_t size)
+@@ -113,11 +114,16 @@ Efault:
+ long copy_from_user_nofault(void *dst, const void __user *src, size_t size)
+ {
+ long ret = -EFAULT;
+- if (access_ok(src, size)) {
+- pagefault_disable();
+- ret = __copy_from_user_inatomic(dst, src, size);
+- pagefault_enable();
+- }
++
++ if (!__access_ok(src, size))
++ return ret;
++
++ if (!nmi_uaccess_okay())
++ return ret;
++
++ pagefault_disable();
++ ret = __copy_from_user_inatomic(dst, src, size);
++ pagefault_enable();
+ 
+ if (ret)
+ return -EFAULT;
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -173,7 +173,7 @@ static inline void check_heap_object(con
+ return;
+ }
+ 
+- if (is_vmalloc_addr(ptr)) {
++ if (is_vmalloc_addr(ptr) && !pagefault_disabled()) {
+ struct vmap_area *area = find_vmap_area(addr);
+ 
+ if (!area)
diff --git a/queue-6.3/series b/queue-6.3/series
index cea5f55a552..0f9ba3423d2 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -3,3 +3,5 @@ drm-amd-display-use-dc_update_planes_and_stream.patch
 drm-amd-display-add-wrapper-to-call-planes-and-strea.patch
 drm-amd-display-fix-the-system-hang-while-disable-ps.patch
 ata-libata-scsi-avoid-deadlock-on-rescan-after-devic.patch
+mm-fix-copy_from_user_nofault.patch
+tpm-tpm_tis-claim-locality-in-interrupt-handler.patch
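Review bot: The usercopy change at the end of the hunk, `if (is_vmalloc_addr(ptr) && !pagefault_disabled())`, drops the vmap bounds check for every caller that runs with page faults disabled, not only the bpf/kprobe/perf paths the commit message names, so CONFIG_HARDENED_USERCOPY coverage of vmalloc objects narrows for any `copy_*_user_inatomic()` issued under `pagefault_disable()`. Nothing at the site records that trade-off; a comment above the condition such as `/* find_vmap_area() takes a spinlock, which may deadlock in atomic/probe contexts where page faults are disabled; skip the bounds check there */` would keep the next reader from reverting it as an apparent hardening regression. In copy_from_user_nofault() the two new early returns yield -EFAULT both for a failed `__access_ok()` and for a failed `nmi_uaccess_okay()`, which matches the function's existing contract, though a one-line comment on the nmi_uaccess_okay() check pointing at the arch/x86/mm/tlb.c rationale the commit message cites would help. check_heap_object() begins before the hunk and continues after it.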
diff --git a/queue-6.3/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch b/queue-6.3/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch
new file mode 100644
index 00000000000..a6b92015f59
--- /dev/null
+++ b/queue-6.3/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch
@@ -0,0 +1,39 @@
+From 0e069265bce5a40c4eee52e2364bbbd4dabee94a Mon Sep 17 00:00:00 2001
+From: Lino Sanfilippo
+Date: Thu, 24 Nov 2022 14:55:35 +0100
+Subject: tpm, tpm_tis: Claim locality in interrupt handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lino Sanfilippo
+
+commit 0e069265bce5a40c4eee52e2364bbbd4dabee94a upstream.
+
+Writing the TPM_INT_STATUS register in the interrupt handler to clear the
+interrupts only has effect if a locality is held. Since this is not
+guaranteed at the time the interrupt is fired, claim the locality
+explicitly in the handler.
+
+Signed-off-by: Lino Sanfilippo
+Tested-by: Michael Niewöhner
+Tested-by: Jarkko Sakkinen
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -772,7 +772,9 @@ static irqreturn_t tis_int_handler(int d
+ wake_up_interruptible(&priv->int_queue);
+ 
+ /* Clear interrupts handled with TPM_EOI */
++ tpm_tis_request_locality(chip, 0);
+ rc = tpm_tis_write32(priv, TPM_INT_STATUS(priv->locality), interrupt);
++ tpm_tis_relinquish_locality(chip, 0);
+ if (rc < 0)
+ return IRQ_NONE;
+
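Review bot: The result of `tpm_tis_request_locality(chip, 0)` is discarded, so when the locality cannot be claimed the handler still writes TPM_INT_STATUS, which the commit message itself says has no effect without a held locality, and then relinquishes a locality it never obtained. Guarding the write, e.g. `if (tpm_tis_request_locality(chip, 0) < 0) return IRQ_NONE;` (assuming the helper signals failure with a negative value in this tree; confirm against its definition), would stop the interrupt clear from silently failing, and a short comment such as `/* TPM_INT_STATUS writes are ignored unless a locality is held */` above the call would record why the claim sits in the handler. Separately, if this 6.3 tree still registers tis_int_handler as a hard IRQ handler, the locality helper's wait path may sleep; I believe the upstream series this commit belongs to also switches the driver to a threaded interrupt, so the backport should be checked to carry that or an equivalent. tis_int_handler starts and ends outside the hunk.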