From 48e0ef3b5893eed1661fbaa5e7eecbbf136ea331 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 Dec 2022 09:32:50 +0100 Subject: [PATCH] 5.4-stable patches added patches: char-tpm-protect-tpm_pm_suspend-with-locks.patch --- ...pm-protect-tpm_pm_suspend-with-locks.patch | 69 +++++++++++++++++++ queue-5.4/series | 1 + 2 files changed, 70 insertions(+) create mode 100644 queue-5.4/char-tpm-protect-tpm_pm_suspend-with-locks.patch diff --git a/queue-5.4/char-tpm-protect-tpm_pm_suspend-with-locks.patch b/queue-5.4/char-tpm-protect-tpm_pm_suspend-with-locks.patch new file mode 100644 index 00000000000..d5d11cae995 --- /dev/null +++ b/queue-5.4/char-tpm-protect-tpm_pm_suspend-with-locks.patch 
@@ -0,0 +1,69 @@ +From 23393c6461422df5bf8084a086ada9a7e17dc2ba Mon Sep 17 00:00:00 2001 +From: Jan Dabros +Date: Mon, 28 Nov 2022 20:56:51 +0100 +Subject: char: tpm: Protect tpm_pm_suspend with locks + +From: Jan Dabros + +commit 23393c6461422df5bf8084a086ada9a7e17dc2ba upstream. + +Currently tpm transactions are executed unconditionally in +tpm_pm_suspend() function, which may lead to races with other tpm +accessors in the system. + +Specifically, the hw_random tpm driver makes use of tpm_get_random(), +and this function is called in a loop from a kthread, which means it's +not frozen alongside userspace, and so can race with the work done +during system suspend: + + tpm tpm0: tpm_transmit: tpm_recv: error -52 + tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics + CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 + Call Trace: + tpm_tis_status.cold+0x19/0x20 + tpm_transmit+0x13b/0x390 + tpm_transmit_cmd+0x20/0x80 + tpm1_pm_suspend+0xa6/0x110 + tpm_pm_suspend+0x53/0x80 + __pnp_bus_suspend+0x35/0xe0 + __device_suspend+0x10f/0x350 + +Fix this by calling tpm_try_get_ops(), which itself is a wrapper around +tpm_chip_start(), but takes the appropriate mutex. + +Signed-off-by: Jan Dabros +Reported-by: Vlastimil Babka +Tested-by: Jason A. Donenfeld +Tested-by: Vlastimil Babka +Link: https://lore.kernel.org/all/c5ba47ef-393f-1fba-30bd-1230d1b4b592@suse.cz/ +Cc: stable@vger.kernel.org +Fixes: e891db1a18bf ("tpm: turn on TPM on suspend for TPM 1.x") +[Jason: reworked commit message, added metadata] +Signed-off-by: Jason A. 
Donenfeld +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm-interface.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -396,13 +396,14 @@ int tpm_pm_suspend(struct device *dev) + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) + return 0; + +- if (!tpm_chip_start(chip)) { ++ rc = tpm_try_get_ops(chip); ++ if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) + tpm2_shutdown(chip, TPM2_SU_STATE); + else + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + +- tpm_chip_stop(chip); ++ tpm_put_ops(chip); + } + + return rc; diff --git a/queue-5.4/series b/queue-5.4/series index e93fdb0d833..ac34bb0403a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -155,3 +155,4 @@ x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch x86-ioremap-fix-page-aligned-size-calculation-in-__i.patch revert-clocksource-drivers-riscv-events-are-stopped-.patch +char-tpm-protect-tpm_pm_suspend-with-locks.patch -- 2.47.3
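Review bot: In the drivers/char/tpm/tpm-interface.c hunk, `rc = tpm_try_get_ops(chip);` changes what tpm_pm_suspend() returns when the chip cannot be acquired. The removed `if (!tpm_chip_start(chip))` test never stored its result in rc, so the failure path returned whatever rc already held. With this change the error from tpm_try_get_ops() falls through to `return rc;` and is reported to the PM core as a failed device suspend. The commit message describes only the locking change, so it should say whether that propagation is intended. If it is not, clear rc on the failure path so suspend can proceed. The declaration and initial value of rc are outside the visible context, so the old failure-path return value should be confirmed against the full function before this is queued.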