From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 6 Dec 2024 13:11:24 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.6.64~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0790c554ccf197ba7f492f735e674587a1fb9e6;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	tpm-lock-tpm-chip-in-tpm_pm_suspend-first.patch
	udmabuf-use-vmf_insert_pfn-and-vm_pfnmap-for-handling-mmap.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 679b99012bc..b26fca80760 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -662,3 +662,5 @@ iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch
 powerpc-fix-stack-protector-kconfig-test-for-clang.patch
 powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch
 btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch
+tpm-lock-tpm-chip-in-tpm_pm_suspend-first.patch
+udmabuf-use-vmf_insert_pfn-and-vm_pfnmap-for-handling-mmap.patch
diff --git a/queue-6.6/tpm-lock-tpm-chip-in-tpm_pm_suspend-first.patch b/queue-6.6/tpm-lock-tpm-chip-in-tpm_pm_suspend-first.patch
new file mode 100644
index 00000000000..4aeb272773a
--- /dev/null
+++ b/queue-6.6/tpm-lock-tpm-chip-in-tpm_pm_suspend-first.patch
@@ -0,0 +1,109 @@
+From 9265fed6db601ee2ec47577815387458ef4f047a Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Thu, 31 Oct 2024 02:16:09 +0200
+Subject: tpm: Lock TPM chip in tpm_pm_suspend() first
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 9265fed6db601ee2ec47577815387458ef4f047a upstream.
+
+Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy
+according, as this leaves window for tpm_hwrng_read() to be called while
+the operation is in progress. The recent bug report gives also evidence of
+this behaviour.
+
+Aadress this by locking the TPM chip before checking any chip->flags both
+in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED
+check inside tpm_get_random() so that it will be always checked only when
+the lock is reserved.
+
+Cc: stable@vger.kernel.org # v6.4+
+Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume")
+Reported-by: Mike Seo <mikeseohyungjin@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Tested-by: Mike Seo <mikeseohyungjin@gmail.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+[ Don't call tpm2_end_auth_session() for this function does not exist in 6.6.y.]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-chip.c      |    4 ----
+ drivers/char/tpm/tpm-interface.c |   29 +++++++++++++++++++++--------
+ 2 files changed, 21 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -519,10 +519,6 @@ static int tpm_hwrng_read(struct hwrng *
+ {
+ 	struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng);
+ 
+-	/* Give back zero bytes, as TPM chip has not yet fully resumed: */
+-	if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
+-		return 0;
+-
+ 	return tpm_get_random(chip, data, max);
+ }
+ 
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -394,6 +394,13 @@ int tpm_pm_suspend(struct device *dev)
+ 	if (!chip)
+ 		return -ENODEV;
+ 
++	rc = tpm_try_get_ops(chip);
++	if (rc) {
++		/* Can be safely set out of locks, as no action cannot race: */
++		chip->flags |= TPM_CHIP_FLAG_SUSPENDED;
++		goto out;
++	}
++
+ 	if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED)
+ 		goto suspended;
+ 
+@@ -401,19 +408,18 @@ int tpm_pm_suspend(struct device *dev)
+ 	    !pm_suspend_via_firmware())
+ 		goto suspended;
+ 
+-	rc = tpm_try_get_ops(chip);
+-	if (!rc) {
+-		if (chip->flags & TPM_CHIP_FLAG_TPM2)
+-			tpm2_shutdown(chip, TPM2_SU_STATE);
+-		else
+-			rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
+-
+-		tpm_put_ops(chip);
++	if (chip->flags & TPM_CHIP_FLAG_TPM2) {
++		tpm2_shutdown(chip, TPM2_SU_STATE);
++		goto suspended;
+ 	}
+ 
++	rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
++
+ suspended:
+ 	chip->flags |= TPM_CHIP_FLAG_SUSPENDED;
++	tpm_put_ops(chip);
+ 
++out:
+ 	if (rc)
+ 		dev_err(dev, "Ignoring error %d while suspending\n", rc);
+ 	return 0;
+@@ -462,11 +468,18 @@ int tpm_get_random(struct tpm_chip *chip
+ 	if (!chip)
+ 		return -ENODEV;
+ 
++	/* Give back zero bytes, as TPM chip has not yet fully resumed: */
++	if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
++		rc = 0;
++		goto out;
++	}
++
+ 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ 		rc = tpm2_get_random(chip, out, max);
+ 	else
+ 		rc = tpm1_get_random(chip, out, max);
+ 
++out:
+ 	tpm_put_ops(chip);
+ 	return rc;
+ }
diff --git a/queue-6.6/udmabuf-use-vmf_insert_pfn-and-vm_pfnmap-for-handling-mmap.patch b/queue-6.6/udmabuf-use-vmf_insert_pfn-and-vm_pfnmap-for-handling-mmap.patch
new file mode 100644
index 00000000000..a3f163ce54b
--- /dev/null
+++ b/queue-6.6/udmabuf-use-vmf_insert_pfn-and-vm_pfnmap-for-handling-mmap.patch
@@ -0,0 +1,67 @@
+From 7d79cd784470395539bda91bf0b3505ff5b2ab6d Mon Sep 17 00:00:00 2001
+From: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Date: Sun, 23 Jun 2024 23:36:13 -0700
+Subject: udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
+
+From: Vivek Kasireddy <vivek.kasireddy@intel.com>
+
+commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d upstream.
+
+Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
+would be managed without using struct page.
+
+And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn
+to userspace instead of directly sharing the page (via struct page *).
+
+Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Suggested-by: David Hildenbrand <david@redhat.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Dave Airlie <airlied@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Dongwon Kim <dongwon.kim@intel.com>
+Cc: Junxiao Chang <junxiao.chang@intel.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/udmabuf.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -35,12 +35,13 @@ static vm_fault_t udmabuf_vm_fault(struc
+ 	struct vm_area_struct *vma = vmf->vma;
+ 	struct udmabuf *ubuf = vma->vm_private_data;
+ 	pgoff_t pgoff = vmf->pgoff;
++	unsigned long pfn;
+ 
+ 	if (pgoff >= ubuf->pagecount)
+ 		return VM_FAULT_SIGBUS;
+-	vmf->page = ubuf->pages[pgoff];
+-	get_page(vmf->page);
+-	return 0;
++
++	pfn = page_to_pfn(ubuf->pages[pgoff]);
++	return vmf_insert_pfn(vma, vmf->address, pfn);
+ }
+ 
+ static const struct vm_operations_struct udmabuf_vm_ops = {
+@@ -56,6 +57,7 @@ static int mmap_udmabuf(struct dma_buf *
+ 
+ 	vma->vm_ops = &udmabuf_vm_ops;
+ 	vma->vm_private_data = ubuf;
++	vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
+ 	return 0;
+ }
+