From 6103759559d959599312bd3701933f97942d14ab Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 23 May 2024 13:19:19 +0200 Subject: [PATCH] 6.6-stable patches added patches: keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch mmc-core-add-hs400-tuning-in-hs400es-initialization.patch --- ...d-fix-memory-leak-in-tpm2_key_encode.patch | 76 +++++++++++++++++++ ...400-tuning-in-hs400es-initialization.patch | 40 ++++++++++ queue-6.6/series | 2 + 3 files changed, 118 insertions(+) create mode 100644 queue-6.6/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch create mode 100644 queue-6.6/mmc-core-add-hs400-tuning-in-hs400es-initialization.patch diff --git a/queue-6.6/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch b/queue-6.6/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch new file mode 100644 index 0000000000..ddd0917991 --- /dev/null +++ b/queue-6.6/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch @@ -0,0 +1,76 @@ +From ffcaa2172cc1a85ddb8b783de96d38ca8855e248 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 20 May 2024 02:31:53 +0300 +Subject: KEYS: trusted: Fix memory leak in tpm2_key_encode() + +From: Jarkko Sakkinen + +commit ffcaa2172cc1a85ddb8b783de96d38ca8855e248 upstream. + +'scratch' is never freed. Fix this by calling kfree() in the success, and +in the error case. + +Cc: stable@vger.kernel.org # +v5.13 +Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tpm2.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -38,6 +38,7 @@ static int tpm2_key_encode(struct truste + u8 *end_work = scratch + SCRATCH_SIZE; + u8 *priv, *pub; + u16 priv_len, pub_len; ++ int ret; + + priv_len = get_unaligned_be16(src) + 2; + priv = src; +@@ -57,8 +58,10 @@ static int tpm2_key_encode(struct truste + unsigned char bool[3], *w = bool; + /* tag 0 is emptyAuth */ + w = asn1_encode_boolean(w, w + sizeof(bool), true); +- if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) +- return PTR_ERR(w); ++ if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) { ++ ret = PTR_ERR(w); ++ goto err; ++ } + work = asn1_encode_tag(work, end_work, 0, bool, w - bool); + } + +@@ -69,8 +72,10 @@ static int tpm2_key_encode(struct truste + * trigger, so if it does there's something nefarious going on + */ + if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE, +- "BUG: scratch buffer is too small")) +- return -EINVAL; ++ "BUG: scratch buffer is too small")) { ++ ret = -EINVAL; ++ goto err; ++ } + + work = asn1_encode_integer(work, end_work, options->keyhandle); + work = asn1_encode_octet_string(work, end_work, pub, pub_len); +@@ -79,10 +84,17 @@ static int tpm2_key_encode(struct truste + work1 = payload->blob; + work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob), + scratch, work - scratch); +- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) +- return PTR_ERR(work1); ++ if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) { ++ ret = PTR_ERR(work1); ++ goto err; ++ } + ++ kfree(scratch); + return work1 - payload->blob; ++ ++err: ++ kfree(scratch); ++ return ret; + } + + struct tpm2_key_context { diff --git a/queue-6.6/mmc-core-add-hs400-tuning-in-hs400es-initialization.patch b/queue-6.6/mmc-core-add-hs400-tuning-in-hs400es-initialization.patch new file mode 100644 index 0000000000..7f752510df --- /dev/null +++ b/queue-6.6/mmc-core-add-hs400-tuning-in-hs400es-initialization.patch @@ -0,0 +1,40 @@ +From 77e01b49e35f24ebd1659096d5fc5c3b75975545 Mon Sep 17 00:00:00 2001 +From: Mengqi Zhang +Date: Mon, 25 Dec 2023 17:38:40 +0800 +Subject: mmc: core: Add HS400 tuning in HS400es initialization + +From: Mengqi Zhang + +commit 77e01b49e35f24ebd1659096d5fc5c3b75975545 upstream. + +During the initialization to HS400es stage, add a HS400 tuning flow as an +optional process. For Mediatek IP, the HS400es mode requires a specific +tuning to ensure the correct HS400 timing setting. + +Signed-off-by: Mengqi Zhang +Link: https://lore.kernel.org/r/20231225093839.22931-2-mengqi.zhang@mediatek.com +Signed-off-by: Ulf Hansson +Cc: "Lin Gui (桂林)" +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/mmc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1819,8 +1819,13 @@ static int mmc_init_card(struct mmc_host + + if (err) + goto free_card; +- +- } else if (!mmc_card_hs400es(card)) { ++ } else if (mmc_card_hs400es(card)) { ++ if (host->ops->execute_hs400_tuning) { ++ err = host->ops->execute_hs400_tuning(host, card); ++ if (err) ++ goto free_card; ++ } ++ } else { + /* Select the desired bus width optionally */ + err = mmc_select_bus_width(card); + if (err > 0 && mmc_card_hs(card)) { diff --git a/queue-6.6/series b/queue-6.6/series index 75a59dc538..5c9025ad01 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -83,3 +83,5 @@ ice-pass-vsi-pointer-into-ice_vc_isvalid_q_id.patch ice-remove-unnecessary-duplicate-checks-for-vf-vsi-id.patch bluetooth-l2cap-fix-slab-use-after-free-in-l2cap_connect.patch bluetooth-l2cap-fix-div-by-zero-in-l2cap_le_flowctl_init.patch +keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch +mmc-core-add-hs400-tuning-in-hs400es-initialization.patch -- 2.39.2