From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Sep 2018 11:11:44 +0000 (+0200)
Subject: 4.18-stable patches
X-Git-Tag: v3.18.123~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6cfa6d46ef2f5770652323abd2f641fc094dad2a;p=thirdparty%2Fkernel%2Fstable-queue.git

4.18-stable patches

added patches:
	crypto-ccp-add-timeout-support-in-the-sev-command.patch
	mei-bus-type-promotion-bug-in-mei_nfc_if_version.patch
---

diff --git a/queue-4.18/crypto-ccp-add-timeout-support-in-the-sev-command.patch b/queue-4.18/crypto-ccp-add-timeout-support-in-the-sev-command.patch
new file mode 100644
index 00000000000..2f570bbc2c3
--- /dev/null
+++ b/queue-4.18/crypto-ccp-add-timeout-support-in-the-sev-command.patch
@@ -0,0 +1,121 @@
+From 3702a0585e64d70d5bf73bf3e943b8d6005b72c1 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Wed, 15 Aug 2018 16:11:25 -0500
+Subject: crypto: ccp - add timeout support in the SEV command
+
+From: Brijesh Singh <brijesh.singh@amd.com>
+
+commit 3702a0585e64d70d5bf73bf3e943b8d6005b72c1 upstream.
+
+Currently, the CCP driver assumes that the SEV command issued to the PSP
+will always return (i.e. it will never hang).  But recently, firmware bugs
+have shown that a command can hang.  Since of the SEV commands are used
+in probe routines, this can cause boot hangs and/or loss of virtualization
+capabilities.
+
+To protect against firmware bugs, add a timeout in the SEV command
+execution flow.  If a command does not complete within the specified
+timeout then return -ETIMEOUT and stop the driver from executing any
+further commands since the state of the SEV firmware is unknown.
+
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Gary Hook <Gary.Hook@amd.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[Brijesh: Backported to 4.18..4.19 - offset change in few hunks]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/psp-dev.c |   46 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/psp-dev.c
++++ b/drivers/crypto/ccp/psp-dev.c
+@@ -38,6 +38,17 @@ static DEFINE_MUTEX(sev_cmd_mutex);
+ static struct sev_misc_dev *misc_dev;
+ static struct psp_device *psp_master;
+ 
++static int psp_cmd_timeout = 100;
++module_param(psp_cmd_timeout, int, 0644);
++MODULE_PARM_DESC(psp_cmd_timeout, " default timeout value, in seconds, for PSP commands");
++
++static int psp_probe_timeout = 5;
++module_param(psp_probe_timeout, int, 0644);
++MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during PSP device probe");
++
++static bool psp_dead;
++static int psp_timeout;
++
+ static struct psp_device *psp_alloc_struct(struct sp_device *sp)
+ {
+ 	struct device *dev = sp->dev;
+@@ -82,10 +93,19 @@ done:
+ 	return IRQ_HANDLED;
+ }
+ 
+-static void sev_wait_cmd_ioc(struct psp_device *psp, unsigned int *reg)
++static int sev_wait_cmd_ioc(struct psp_device *psp,
++			    unsigned int *reg, unsigned int timeout)
+ {
+-	wait_event(psp->sev_int_queue, psp->sev_int_rcvd);
++	int ret;
++
++	ret = wait_event_timeout(psp->sev_int_queue,
++			psp->sev_int_rcvd, timeout * HZ);
++	if (!ret)
++		return -ETIMEDOUT;
++
+ 	*reg = ioread32(psp->io_regs + PSP_CMDRESP);
++
++	return 0;
+ }
+ 
+ static int sev_cmd_buffer_len(int cmd)
+@@ -133,12 +153,15 @@ static int __sev_do_cmd_locked(int cmd,
+ 	if (!psp)
+ 		return -ENODEV;
+ 
++	if (psp_dead)
++		return -EBUSY;
++
+ 	/* Get the physical address of the command buffer */
+ 	phys_lsb = data ? lower_32_bits(__psp_pa(data)) : 0;
+ 	phys_msb = data ? upper_32_bits(__psp_pa(data)) : 0;
+ 
+-	dev_dbg(psp->dev, "sev command id %#x buffer 0x%08x%08x\n",
+-		cmd, phys_msb, phys_lsb);
++	dev_dbg(psp->dev, "sev command id %#x buffer 0x%08x%08x timeout %us\n",
++		cmd, phys_msb, phys_lsb, psp_timeout);
+ 
+ 	print_hex_dump_debug("(in):  ", DUMP_PREFIX_OFFSET, 16, 2, data,
+ 			     sev_cmd_buffer_len(cmd), false);
+@@ -154,7 +177,18 @@ static int __sev_do_cmd_locked(int cmd,
+ 	iowrite32(reg, psp->io_regs + PSP_CMDRESP);
+ 
+ 	/* wait for command completion */
+-	sev_wait_cmd_ioc(psp, &reg);
++	ret = sev_wait_cmd_ioc(psp, &reg, psp_timeout);
++	if (ret) {
++		if (psp_ret)
++			*psp_ret = 0;
++
++		dev_err(psp->dev, "sev command %#x timed out, disabling PSP \n", cmd);
++		psp_dead = true;
++
++		return ret;
++	}
++
++	psp_timeout = psp_cmd_timeout;
+ 
+ 	if (psp_ret)
+ 		*psp_ret = reg & PSP_CMDRESP_ERR_MASK;
+@@ -886,6 +920,8 @@ void psp_pci_init(void)
+ 
+ 	psp_master = sp->psp_data;
+ 
++	psp_timeout = psp_probe_timeout;
++
+ 	if (sev_get_api_version())
+ 		goto err;
+ 
diff --git a/queue-4.18/mei-bus-type-promotion-bug-in-mei_nfc_if_version.patch b/queue-4.18/mei-bus-type-promotion-bug-in-mei_nfc_if_version.patch
new file mode 100644
index 00000000000..283b77412d8
--- /dev/null
+++ b/queue-4.18/mei-bus-type-promotion-bug-in-mei_nfc_if_version.patch
@@ -0,0 +1,37 @@
+From b40b3e9358fbafff6a4ba0f4b9658f6617146f9c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 11 Jul 2018 15:29:31 +0300
+Subject: mei: bus: type promotion bug in mei_nfc_if_version()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream.
+
+We accidentally removed the check for negative returns
+without considering the issue of type promotion.
+The "if_version_length" variable is type size_t so if __mei_cl_recv()
+returns a negative then "bytes_recv" is type promoted
+to a high positive value and treated as success.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/misc/mei/bus-fixup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -267,7 +267,7 @@ static int mei_nfc_if_version(struct mei
+ 
+ 	ret = 0;
+ 	bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0);
+-	if (bytes_recv < if_version_length) {
++	if (bytes_recv < 0 || bytes_recv < if_version_length) {
+ 		dev_err(bus->dev, "Could not read IF version\n");
+ 		ret = -EIO;
+ 		goto err;
diff --git a/queue-4.18/series b/queue-4.18/series
index 1b11e25a15c..2a264ef4e28 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
@@ -231,3 +231,5 @@ gpiolib-respect-error-code-of-get_direction.patch
 pinctrl-msm-fix-msm_config_group_get-to-be-compliant.patch
 pinctrl-qcom-spmi-gpio-fix-pmic_gpio_config_get-to-be-compliant.patch
 clk-tegra-bpmp-don-t-crash-when-a-clock-fails-to-register.patch
+mei-bus-type-promotion-bug-in-mei_nfc_if_version.patch
+crypto-ccp-add-timeout-support-in-the-sev-command.patch