From: Sasha Levin
Date: Tue, 14 Mar 2023 02:17:13 +0000 (-0400)
Subject: Fixes for 5.10
X-Git-Tag: v4.14.310~71
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a47fec51b1668ab75402414823d62d5e5c50191;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.10
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch b/queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch
new file mode 100644
index 00000000000..fdd5ac21357
--- /dev/null
+++ b/queue-5.10/block-bfq-fix-possible-uaf-for-bfqq-bic.patch
@@ -0,0 +1,127 @@ +From a20364ca9253e0f6221bb798974272243bc2333d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 15:27:53 -0700 +Subject: block, bfq: fix possible uaf for 'bfqq->bic' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ] + +Our test report a uaf for 'bfqq->bic' in 5.10: + +================================================================== +BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 + +CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 +Call Trace: + bfq_select_queue+0x378/0xa30 + bfq_dispatch_request+0xe8/0x130 + blk_mq_do_dispatch_sched+0x62/0xb0 + __blk_mq_sched_dispatch_requests+0x215/0x2a0 + blk_mq_sched_dispatch_requests+0x8f/0xd0 + __blk_mq_run_hw_queue+0x98/0x180 + __blk_mq_delay_run_hw_queue+0x22b/0x240 + blk_mq_run_hw_queue+0xe3/0x190 + blk_mq_sched_insert_requests+0x107/0x200 + blk_mq_flush_plug_list+0x26e/0x3c0 + blk_finish_plug+0x63/0x90 + __iomap_dio_rw+0x7b5/0x910 + iomap_dio_rw+0x36/0x80 + ext4_dio_read_iter+0x146/0x190 [ext4] + ext4_file_read_iter+0x1e2/0x230 [ext4] + new_sync_read+0x29f/0x400 + vfs_read+0x24e/0x2d0 + ksys_read+0xd5/0x1b0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") +changes that move process to a new cgroup will allocate a new bfqq to +use, however, the old bfqq and new bfqq can point to the same bic: + +1) Initial state, two process with io in the same cgroup. + +Process 1 Process 2 + (BIC1) (BIC2) + | Λ | Λ + | | | | + V | V | + bfqq1 bfqq2 + +2) bfqq1 is merged to bfqq2. 
+ +Process 1 Process 2 + (BIC1) (BIC2) + | | + \-------------\| + V + bfqq1 bfqq2(coop) + +3) Process 1 exit, then issue new io(denoce IOA) from Process 2. + + (BIC2) + | Λ + | | + V | + bfqq2(coop) + +4) Before IOA is completed, move Process 2 to another cgroup and issue io. + +Process 2 + (BIC2) + Λ + |\--------------\ + | V + bfqq2 bfqq3 + +Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. +If all the requests are completed, and Process 2 exit, BIC2 will be +freed while there is no guarantee that bfqq2 will be freed before BIC2. + +Fix the problem by clearing bfqq->bic while bfqq is detached from bic. + +Fixes: 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") +Suggested-by: Jan Kara +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221214030430.3304151-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Khazhismel Kumykov +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 7c4b8d0635ebd..afaededb3c49c 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -373,6 +373,12 @@ struct bfq_queue *bic_to_bfqq(struct bfq_io_cq *bic, bool is_sync) + + void bic_set_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq, bool is_sync) + { ++ struct bfq_queue *old_bfqq = bic->bfqq[is_sync]; ++ ++ /* Clear bic pointer if bfqq is detached from this bic */ ++ if (old_bfqq && old_bfqq->bic == bic) ++ old_bfqq->bic = NULL; ++ + bic->bfqq[is_sync] = bfqq; + } + +@@ -4977,7 +4983,6 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync) + unsigned long flags; + + spin_lock_irqsave(&bfqd->lock, flags); +- bfqq->bic = NULL; + bfq_exit_bfqq(bfqd, bfqq); + bic_set_bfqq(bic, NULL, is_sync); + spin_unlock_irqrestore(&bfqd->lock, flags); +-- +2.39.2 + 
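Review bot: bic_set_bfqq() now reads `bic->bfqq[is_sync]` and writes through it (`old_bfqq->bic = NULL`), which turns call order into a contract — every caller must call bic_set_bfqq() before dropping its reference to the queue being replaced — and nothing in the hunk says so. The second hunk is itself the first violation: bfq_exit_icq_bfqq() still calls bfq_exit_bfqq() before bic_set_bfqq(), which the next patch in this queue (block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch) describes as a use-after-free, so this patch must only be backported together with that one. A comment on bic_set_bfqq() would keep future callers honest: `/* The queue currently in bic->bfqq[is_sync] is dereferenced here: callers must not have released it yet. */`. bfq_exit_icq_bfqq() starts outside the hunk.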
diff --git a/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
new file mode 100644
index 00000000000..290b0522437
--- /dev/null
+++ b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
@@ -0,0 +1,44 @@
+From 8d578c6a8eb0a4e63490fb7f8d2aa9bc5cee23d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:27:54 -0700
+Subject: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
+
+From: Yu Kuai
+
+[ Upstream commit 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 ]
+
+Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
+can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
+
+Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-by: Yi Zhang
+Signed-off-by: Yu Kuai
+Link: https://lore.kernel.org/r/20221226030605.1437081-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Khazhismel Kumykov
+Signed-off-by: Sasha Levin
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index afaededb3c49c..0a53b653a7e2e 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -4983,8 +4983,8 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+ 
+ spin_lock_irqsave(&bfqd->lock, flags);
+- bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
++ bfq_exit_bfqq(bfqd, bfqq);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+ }
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
new file mode 100644
index 00000000000..1a6e098f532
--- /dev/null
+++ b/queue-5.10/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
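Review bot: The swapped order is now load-bearing — bic_set_bfqq() dereferences `bic->bfqq[is_sync]` since the preceding patch in this queue, so bfq_exit_bfqq() must not run first — yet the code gives no hint, and a later tidy-up could silently restore the old order. A comment above the call would pin it: `/* Detach the bic first: bic_set_bfqq() reads bic->bfqq, and bfq_exit_bfqq() may free it. */`. One side effect worth confirming is that bfq_exit_bfqq() now runs after bic_set_bfqq() has cleared `bfqq->bic`; the code removed by the preceding patch cleared that field before the call as well, so this is presumably fine, but whether bfq_exit_bfqq() reads it is not visible here. bfq_exit_icq_bfqq() starts outside the hunk.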
@@ -0,0 +1,64 @@
+From 96bd4e91efc38daae342ac7c231dc356ab084822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:27:57 -0700
+Subject: block, bfq: fix uaf for bfqq in bic_set_bfqq()
+
+From: Yu Kuai
+
+[ Upstream commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 ]
+
+After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
+bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
+bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
+bic->bfqq.
+
+Fix the problem by always freeing bfqq after bic_set_bfqq().
+
+Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
+Reported-and-tested-by: Shinichiro Kawasaki
+Signed-off-by: Yu Kuai
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Khazhismel Kumykov
+Signed-off-by: Sasha Levin
+---
+ block/bfq-cgroup.c | 2 +-
+ block/bfq-iosched.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index 2f440b79183d3..1f9ccc661d574 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -748,8 +748,8 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ * request from the old cgroup.
+ */
+ bfq_put_cooperator(sync_bfqq);
+- bfq_release_process_ref(bfqd, sync_bfqq);
+ bic_set_bfqq(bic, NULL, true);
++ bfq_release_process_ref(bfqd, sync_bfqq);
+ }
+ }
+ }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 016d7f32af9f1..6687b805bab3b 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5070,9 +5070,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+ 
+ bfqq = bic_to_bfqq(bic, false);
+ if (bfqq) {
+- bfq_release_process_ref(bfqd, bfqq);
++ struct bfq_queue *old_bfqq = bfqq;
++
+ bfqq = bfq_get_queue(bfqd, bio, false, bic);
+ bic_set_bfqq(bic, bfqq, false);
++ bfq_release_process_ref(bfqd, old_bfqq);
+ }
+ 
+ bfqq = bic_to_bfqq(bic, true);
+-- 
+2.39.2
+
diff --git a/queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch b/queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
new file mode 100644
index 00000000000..8bd62ae32c4
--- /dev/null
+++ b/queue-5.10/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
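Review bot: In bfq_check_ioprio_change() the new `old_bfqq` temporary is correct but unexplained, and the reorder in __bfq_bic_change_cgroup() likewise carries no comment, so the next reader has no reason not to move the release back where it was. Suggested line above `bic_set_bfqq(bic, bfqq, false);` (and the analogous call in the cgroup hunk): `/* bic_set_bfqq() dereferences the queue it replaces; release it only afterwards. */`. Note that `bfq_put_cooperator(sync_bfqq)` still runs before bic_set_bfqq() in the cgroup hunk; if it can ever drop the last reference on sync_bfqq itself (not visible here) the same use-after-free remains, so that ordering is worth confirming. Both functions start and end outside the hunk.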
@@ -0,0 +1,55 @@
+From 1e98b6da6bd182cf966673fcf2fa181d9af1ab31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:27:55 -0700
+Subject: block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC"
+
+From: NeilBrown
+
+[ Upstream commit f6bad159f5d5e5b33531aba3d9b860ad8618afe0 ]
+
+bfq_get_queue() expects a "bool" for the third arg, so pass "false"
+rather than "BLK_RW_ASYNC" which will soon be removed.
+
+Link: https://lkml.kernel.org/r/164549983746.9187.7949730109246767909.stgit@noble.brown
+Signed-off-by: NeilBrown
+Acked-by: Jens Axboe
+Cc: Anna Schumaker
+Cc: Chao Yu
+Cc: Darrick J. Wong
+Cc: Ilya Dryomov
+Cc: Jaegeuk Kim
+Cc: Jan Kara
+Cc: Jeff Layton
+Cc: Lars Ellenberg
+Cc: Miklos Szeredi
+Cc: Paolo Valente
+Cc: Philipp Reisner
+Cc: Ryusuke Konishi
+Cc: Trond Myklebust
+Cc: Wu Fengguang
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Khazhismel Kumykov
+Signed-off-by: Sasha Levin
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 0a53b653a7e2e..35b240cba0926 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5071,7 +5071,7 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio)
+ bfqq = bic_to_bfqq(bic, false);
+ if (bfqq) {
+ bfq_release_process_ref(bfqd, bfqq);
+- bfqq = bfq_get_queue(bfqd, bio, BLK_RW_ASYNC, bic);
++ bfqq = bfq_get_queue(bfqd, bio, false, bic);
+ bic_set_bfqq(bic, bfqq, false);
+ }
+ 
+-- 
+2.39.2
+
diff --git a/queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch b/queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
new file mode 100644
index 00000000000..f342cc5bcf3
--- /dev/null
+++ b/queue-5.10/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
@@ -0,0 +1,81 @@
+From 2b9e5454554ac0cfe01c31bf7aa498a093bb8ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 15:27:56 -0700
+Subject: block, bfq: replace 0/1 with false/true in bic apis
+
+From: Yu Kuai
+
+[ Upstream commit 337366e02b370d2800110fbc99940f6ddddcbdfa ]
+
+Just to make the code a litter cleaner, there are no functional changes.
+
+Signed-off-by: Yu Kuai
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20221214033155.3455754-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Khazhismel Kumykov
+Signed-off-by: Sasha Levin
+---
+ block/bfq-cgroup.c | 8 ++++----
+ block/bfq-iosched.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
+index badb90352bf33..2f440b79183d3 100644
+--- a/block/bfq-cgroup.c
++++ b/block/bfq-cgroup.c
+@@ -705,15 +705,15 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ struct bfq_io_cq *bic,
+ struct bfq_group *bfqg)
+ {
+- struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0);
+- struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1);
++ struct bfq_queue *async_bfqq = bic_to_bfqq(bic, false);
++ struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, true);
+ struct bfq_entity *entity;
+ 
+ if (async_bfqq) {
+ entity = &async_bfqq->entity;
+ 
+ if (entity->sched_data != &bfqg->sched_data) {
+- bic_set_bfqq(bic, NULL, 0);
++ bic_set_bfqq(bic, NULL, false);
+ bfq_release_process_ref(bfqd, async_bfqq);
+ }
+ }
+@@ -749,7 +749,7 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd,
+ */
+ bfq_put_cooperator(sync_bfqq);
+ bfq_release_process_ref(bfqd, sync_bfqq);
+- bic_set_bfqq(bic, NULL, 1);
++ bic_set_bfqq(bic, NULL, true);
+ }
+ }
+ }
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 35b240cba0926..016d7f32af9f1 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2816,7 +2816,7 @@ 
bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+ /*
+ * Merge queues (that is, let bic redirect its requests to new_bfqq)
+ */
+- bic_set_bfqq(bic, new_bfqq, 1);
++ bic_set_bfqq(bic, new_bfqq, true);
+ bfq_mark_bfqq_coop(new_bfqq);
+ /*
+ * new_bfqq now belongs to at least two bics (it is a shared queue):
+@@ -6014,7 +6014,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+ return bfqq;
+ }
+ 
+- bic_set_bfqq(bic, NULL, 1);
++ bic_set_bfqq(bic, NULL, true);
+ 
+ bfq_put_cooperator(bfqq);
+ 
+-- 
+2.39.2
+
diff --git a/queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch b/queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
new file mode 100644
index 00000000000..1542bb50b51
--- /dev/null
+++ b/queue-5.10/iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
@@ -0,0 +1,73 @@
+From 8c587a9111f9751e1e33887f738c7843a5ab4007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Feb 2023 08:26:56 +0000
+Subject: iommu/amd: Add a length limitation for the ivrs_acpihid command-line
+ parameter
+
+From: Gavrilov Ilia
+
+[ Upstream commit b6b26d86c61c441144c72f842f7469bb686e1211 ]
+
+The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
+because the string specifier in the format string sscanf()
+has no width limitation.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Kim Phillips
+Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd/init.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index ce822347f7470..603f625a74e54 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3124,15 +3124,26 @@ static int __init parse_ivrs_hpet(char *str)
+ return 1;
+ }
+ 
++#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
++
+ static int __init parse_ivrs_acpihid(char *str)
+ {
+ u32 seg = 0, bus, dev, fn;
+ char *hid, *uid, *p, *addr;
+- char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
++ char acpiid[ACPIID_LEN] = {0};
+ int i;
+ 
+ addr = strchr(str, '@');
+ if (!addr) {
++ addr = strchr(str, '=');
++ if (!addr)
++ goto not_found;
++
++ ++addr;
++
++ if (strlen(addr) > ACPIID_LEN)
++ goto not_found;
++
+ if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
+ sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
+ pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
+@@ -3145,6 +3156,9 @@ static int __init 
parse_ivrs_acpihid(char *str)
+ /* We have the '@', make it the terminator to get just the acpiid */
+ *addr++ = 0;
+ 
++ if (strlen(str) > ACPIID_LEN + 1)
++ goto not_found;
++
+ if (sscanf(str, "=%s", acpiid) != 1)
+ goto not_found;
+ 
+-- 
+2.39.2
+
diff --git a/queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch b/queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch
new file mode 100644
index 00000000000..6c3292365dd
--- /dev/null
+++ b/queue-5.10/pci-pm-define-pci_restore_standard_config-only-for-c.patch
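Review bot: Both added length checks are off by one and still allow a one-byte overflow of `acpiid`. The buffer holds ACPIID_LEN bytes and `%s` stores the scanned characters plus a terminating NUL, so an identifier of exactly ACPIID_LEN characters — which `strlen(addr) > ACPIID_LEN` accepts — writes one byte past the end; in the second hunk `str` is the `=` plus the identifier, so `strlen(str) > ACPIID_LEN + 1` admits the same case. Change them to `if (strlen(addr) >= ACPIID_LEN)` and `if (strlen(str) >= ACPIID_LEN + 1)`. A field width on the `%s` conversions would remove the coupling between the checks and the buffer size altogether, at the cost of stringifying the macro value. parse_ivrs_acpihid() continues past the second hunk.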
@@ -0,0 +1,84 @@
+From 6c5b3fa19f734213cada7f27fd08027ea142f5bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Apr 2022 16:11:35 +0200
+Subject: PCI/PM: Define pci_restore_standard_config() only for CONFIG_PM_SLEEP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 18a94192e20de31e7e495d7c805c8930c42e99ef ]
+
+pci_restore_standard_config() was defined under CONFIG_PM but called only
+by pci_pm_resume() (defined under CONFIG_SUSPEND) and pci_pm_restore()
+(defined under CONFIG_HIBERNATE_CALLBACKS). A configuration with only
+CONFIG_PM leads to a warning:
+
+ drivers/pci/pci-driver.c:533:12: error: ‘pci_restore_standard_config’ defined but not used [-Werror=unused-function]
+
+CONFIG_PM_SLEEP depends on CONFIG_SUSPEND and CONFIG_HIBERNATE_CALLBACKS,
+so define pci_restore_standard_config() under that instead.
+
+Link: https://lore.kernel.org/r/20220420141135.444820-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Bjorn Helgaas
+Stable-dep-of: ac91e6980563 ("PCI: Unify delay handling for reset and resume")
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/pci-driver.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 8b587fc97f7bc..bbaecc2340371 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -499,9 +499,9 @@ static void pci_device_shutdown(struct device *dev)
+ pci_clear_master(pci_dev);
+ }
+ 
+-#ifdef CONFIG_PM
++#ifdef CONFIG_PM_SLEEP
+ 
+-/* Auxiliary functions used for system resume and run-time resume. 
*/
++/* Auxiliary functions used for system resume */
+ 
+ /**
+ * pci_restore_standard_config - restore standard config registers of PCI device
+@@ -521,6 +521,11 @@ static int pci_restore_standard_config(struct pci_dev *pci_dev)
+ pci_pme_restore(pci_dev);
+ return 0;
+ }
++#endif /* CONFIG_PM_SLEEP */
++
++#ifdef CONFIG_PM
++
++/* Auxiliary functions used for system resume and run-time resume */
+ 
+ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ {
+@@ -528,10 +533,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ }
+ 
+-#endif
+-
+-#ifdef CONFIG_PM_SLEEP
+-
+ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ {
+ pci_power_up(pci_dev);
+@@ -540,6 +541,10 @@ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ pci_pme_restore(pci_dev);
+ }
+ 
++#endif /* CONFIG_PM */
++
++#ifdef CONFIG_PM_SLEEP
++
+ /*
+ * Default "suspend" method for devices that have no driver provided suspend,
+ * or not even a driver at all (second part).
+-- 
+2.39.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
index be04cbf632d..5768b6fd959 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -63,3 +63,12 @@ sunrpc-fix-a-server-shutdown-leak.patch
 riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch
 risc-v-don-t-check-text_mutex-during-stop_machine.patch
 ext4-fix-deadlock-during-directory-rename.patch
+iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
+pci-pm-define-pci_restore_standard_config-only-for-c.patch
+watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
+tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic.patch
+block-bfq-fix-uaf-for-bfqq-in-bfq_exit_icq_bfqq.patch
+block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch
+block-bfq-replace-0-1-with-false-true-in-bic-apis.patch
+block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch
diff --git a/queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch b/queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
new file mode 100644
index 00000000000..bb92fb07776
--- /dev/null
+++ b/queue-5.10/tpm-eventlog-don-t-abort-tpm_read_log-on-faulty-acpi.patch
@@ -0,0 +1,73 @@
+From 8b969f52e05a2be328d44872f8602f73743de726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Feb 2023 10:25:52 +0100
+Subject: tpm/eventlog: Don't abort tpm_read_log on faulty ACPI address
+
+From: Morten Linderud
+
+[ Upstream commit 80a6c216b16d7f5c584d2148c2e4345ea4eb06ce ]
+
+tpm_read_log_acpi() should return -ENODEV when no eventlog from the ACPI
+table is found. If the firmware vendor includes an invalid log address
+we are unable to map from the ACPI memory and tpm_read_log() returns -EIO
+which would abort discovery of the eventlog.
+
+Change the return value from -EIO to -ENODEV when acpi_os_map_iomem()
+fails to map the event log.
+
+The following hardware was used to test this issue:
+ Framework Laptop (Pre-production)
+ BIOS: INSYDE Corp, Revision: 3.2
+ TPM Device: NTC, Firmware Revision: 7.2
+
+Dump of the faulty ACPI TPM2 table:
+ [000h 0000 4] Signature : "TPM2" [Trusted Platform Module hardware interface Table]
+ [004h 0004 4] Table Length : 0000004C
+ [008h 0008 1] Revision : 04
+ [009h 0009 1] Checksum : 2B
+ [00Ah 0010 6] Oem ID : "INSYDE"
+ [010h 0016 8] Oem Table ID : "TGL-ULT"
+ [018h 0024 4] Oem Revision : 00000002
+ [01Ch 0028 4] Asl Compiler ID : "ACPI"
+ [020h 0032 4] Asl Compiler Revision : 00040000
+
+ [024h 0036 2] Platform Class : 0000
+ [026h 0038 2] Reserved : 0000
+ [028h 0040 8] Control Address : 0000000000000000
+ [030h 0048 4] Start Method : 06 [Memory Mapped I/O]
+
+ [034h 0052 12] Method Parameters : 00 00 00 00 00 00 00 00 00 00 00 00
+ [040h 0064 4] Minimum Log Length : 00010000
+ [044h 0068 8] Log Address : 000000004053D000
+
+Fixes: 0cf577a03f21 ("tpm: Fix handling of missing event log")
+Tested-by: Erkki Eilonen
+Signed-off-by: Morten Linderud
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Sasha Levin
+---
+ drivers/char/tpm/eventlog/acpi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/eventlog/acpi.c 
b/drivers/char/tpm/eventlog/acpi.c
+index 0913d3eb8d518..cd266021d0103 100644
+--- a/drivers/char/tpm/eventlog/acpi.c
++++ b/drivers/char/tpm/eventlog/acpi.c
+@@ -143,8 +143,12 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
+ 
+ ret = -EIO;
+ virt = acpi_os_map_iomem(start, len);
+- if (!virt)
++ if (!virt) {
++ dev_warn(&chip->dev, "%s: Failed to map ACPI memory\n", __func__);
++ /* try EFI log next */
++ ret = -ENODEV;
+ goto err;
++ }
+ 
+ memcpy_fromio(log->bios_event_log, virt, len);
+ 
+-- 
+2.39.2
+
diff --git a/queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch b/queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
new file mode 100644
index 00000000000..a3e94024af9
--- /dev/null
+++ b/queue-5.10/watch_queue-fix-ioc_watch_queue_set_size-alloc-error.patch
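Review bot: The new warning names only the function, while the commit message shows that diagnosing this case depends on the firmware-supplied log address; printing `start` and `len` would let the bad TPM2 table entry be identified from dmesg alone. Their types are not visible in the hunk, so the conversions need checking, but along the lines of `dev_warn(&chip->dev, "%s: Failed to map ACPI memory at %#llx (len %zu)\n", __func__, (unsigned long long)start, (size_t)len);`. The `ret = -EIO;` two lines above is overridden on this path; if nothing later in the function still depends on it, it can move next to its remaining use. tpm_read_log_acpi() starts and ends outside the hunk.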
@@ -0,0 +1,39 @@
+From 2e5449946102b24a8231dfe4f8738236d7654509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 16:21:06 +0100
+Subject: watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths
+
+From: David Disseldorp
+
+[ Upstream commit 03e1d60e177eedbd302b77af4ea5e21b5a7ade31 ]
+
+The watch_queue_set_size() allocation error paths return the ret value
+set via the prior pipe_resize_ring() call, which will always be zero.
+
+As a result, IOC_WATCH_QUEUE_SET_SIZE callers such as "keyctl watch"
+fail to detect kernel wqueue->notes allocation failures and proceed to
+KEYCTL_WATCH_KEY, with any notifications subsequently lost.
+
+Fixes: c73be61cede58 ("pipe: Add general notification queue support")
+Signed-off-by: David Disseldorp
+Signed-off-by: Christian Brauner (Microsoft)
+Signed-off-by: Sasha Levin
+---
+ kernel/watch_queue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index d29731a30b8e1..73717917d8164 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -274,6 +274,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
+ if (ret < 0)
+ goto error;
+ 
++ ret = -ENOMEM;
+ pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+ if (!pages)
+ goto error;
+-- 
+2.39.2
+
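Review bot: The single `ret = -ENOMEM;` only covers later allocation failures in this function if nothing between here and their `goto error` reassigns `ret`; the rest of watch_queue_set_size() is outside the hunk, so that is worth checking rather than assuming. A short comment at the assignment would make the intent survive later edits: `/* Every allocation failure below exits via error with this code. */`. As a style point, `kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL)` passes the element size as the count and the count as the size; the product is the same, but `kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL)` reads as intended.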