From: Greg Kroah-Hartman Date: Thu, 8 Jan 2026 10:48:39 +0000 (+0100) Subject: drop tpm patch that broke the build X-Git-Tag: v6.1.160~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33bb91329a084b89d41cef804a99b0de1dd23af7;p=thirdparty%2Fkernel%2Fstable-queue.git drop tpm patch that broke the build --- diff --git a/queue-5.10/series b/queue-5.10/series index 911e6af536..578122bde1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -335,4 +335,3 @@ net-nfc-fix-deadlock-between-nfc_unregister_device-and-rfkill_fop_write.patch net-macb-relocate-mog_init_rings-callback-from-macb_mac_link_up-to-macb_open.patch drm-msm-a6xx-fix-out-of-bound-io-access-in-a6xx_get_gmu_registers.patch drm-nouveau-dispnv50-don-t-call-drm_atomic_get_crtc_state-in-prepare_fb.patch -tpm-cap-the-number-of-pcr-banks.patch diff --git a/queue-5.10/tpm-cap-the-number-of-pcr-banks.patch b/queue-5.10/tpm-cap-the-number-of-pcr-banks.patch deleted file mode 100644 index d92ab33afe..0000000000 --- a/queue-5.10/tpm-cap-the-number-of-pcr-banks.patch +++ /dev/null @@ -1,99 +0,0 @@ -From faf07e611dfa464b201223a7253e9dc5ee0f3c9e Mon Sep 17 00:00:00 2001 -From: Jarkko Sakkinen -Date: Tue, 30 Sep 2025 15:58:02 +0300 -Subject: tpm: Cap the number of PCR banks - -From: Jarkko Sakkinen - -commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream. - -tpm2_get_pcr_allocation() does not cap any upper limit for the number of -banks. Cap the limit to eight banks so that out of bounds values coming -from external I/O cause on only limited harm. - -Cc: stable@vger.kernel.org # v5.10+ -Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array") -Tested-by: Lai Yi -Reviewed-by: Jonathan McDowell -Reviewed-by: Roberto Sassu -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/tpm/tpm-chip.c | 1 - - drivers/char/tpm/tpm1-cmd.c | 5 ----- - drivers/char/tpm/tpm2-cmd.c | 8 +++----- - include/linux/tpm.h | 8 +++++--- - 4 files changed, 8 insertions(+), 14 deletions(-) - ---- a/drivers/char/tpm/tpm-chip.c -+++ b/drivers/char/tpm/tpm-chip.c -@@ -269,7 +269,6 @@ static void tpm_dev_release(struct devic - - kfree(chip->work_space.context_buf); - kfree(chip->work_space.session_buf); -- kfree(chip->allocated_banks); - kfree(chip); - } - ---- a/drivers/char/tpm/tpm1-cmd.c -+++ b/drivers/char/tpm/tpm1-cmd.c -@@ -794,11 +794,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi - */ - int tpm1_get_pcr_allocation(struct tpm_chip *chip) - { -- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks), -- GFP_KERNEL); -- if (!chip->allocated_banks) -- return -ENOMEM; -- - chip->allocated_banks[0].alg_id = TPM_ALG_SHA1; - chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1]; - chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1; ---- a/drivers/char/tpm/tpm2-cmd.c -+++ b/drivers/char/tpm/tpm2-cmd.c -@@ -574,11 +574,9 @@ ssize_t tpm2_get_pcr_allocation(struct t - - nr_possible_banks = be32_to_cpup( - (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); -- -- chip->allocated_banks = kcalloc(nr_possible_banks, -- sizeof(*chip->allocated_banks), -- GFP_KERNEL); -- if (!chip->allocated_banks) { -+ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) { -+ pr_err("tpm: out of bank capacity: %u > %u\n", -+ nr_possible_banks, TPM2_MAX_PCR_BANKS); - rc = -ENOMEM; - goto out; - } ---- a/include/linux/tpm.h -+++ b/include/linux/tpm.h -@@ -25,7 +25,9 @@ - #include - - #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */ --#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE -+ -+#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE -+#define TPM2_MAX_PCR_BANKS 8 - - struct tpm_chip; - struct trusted_key_payload; -@@ -44,7 +46,7 @@ enum tpm_algorithms { - - struct tpm_digest { - u16 alg_id; -- u8 digest[TPM_MAX_DIGEST_SIZE]; -+ u8 digest[TPM2_MAX_DIGEST_SIZE]; - } __packed; - - struct tpm_bank_info { -@@ -150,7 +152,7 @@ struct tpm_chip { - unsigned int groups_cnt; - - u32 nr_allocated_banks; -- struct tpm_bank_info *allocated_banks; -+ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS]; - #ifdef CONFIG_ACPI - acpi_handle acpi_dev_handle; - char ppi_version[TPM_PPI_VERSION_LEN + 1]; diff --git a/queue-5.15/series b/queue-5.15/series index 879503ccb9..ed0f4a128f 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -409,4 +409,3 @@ net-macb-relocate-mog_init_rings-callback-from-macb_mac_link_up-to-macb_open.pat drm-msm-a6xx-fix-out-of-bound-io-access-in-a6xx_get_gmu_registers.patch drm-ttm-avoid-null-pointer-deref-for-evicted-bos.patch drm-nouveau-dispnv50-don-t-call-drm_atomic_get_crtc_state-in-prepare_fb.patch -tpm-cap-the-number-of-pcr-banks.patch diff --git a/queue-5.15/tpm-cap-the-number-of-pcr-banks.patch b/queue-5.15/tpm-cap-the-number-of-pcr-banks.patch deleted file mode 100644 index 223846fa6a..0000000000 --- a/queue-5.15/tpm-cap-the-number-of-pcr-banks.patch +++ /dev/null @@ -1,99 +0,0 @@ -From faf07e611dfa464b201223a7253e9dc5ee0f3c9e Mon Sep 17 00:00:00 2001 -From: Jarkko Sakkinen -Date: Tue, 30 Sep 2025 15:58:02 +0300 -Subject: tpm: Cap the number of PCR banks - -From: Jarkko Sakkinen - -commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream. - -tpm2_get_pcr_allocation() does not cap any upper limit for the number of -banks. Cap the limit to eight banks so that out of bounds values coming -from external I/O cause on only limited harm. - -Cc: stable@vger.kernel.org # v5.10+ -Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array") -Tested-by: Lai Yi -Reviewed-by: Jonathan McDowell -Reviewed-by: Roberto Sassu -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/tpm/tpm-chip.c | 1 - - drivers/char/tpm/tpm1-cmd.c | 5 ----- - drivers/char/tpm/tpm2-cmd.c | 8 +++----- - include/linux/tpm.h | 8 +++++--- - 4 files changed, 8 insertions(+), 14 deletions(-) - ---- a/drivers/char/tpm/tpm-chip.c -+++ b/drivers/char/tpm/tpm-chip.c -@@ -269,7 +269,6 @@ static void tpm_dev_release(struct devic - - kfree(chip->work_space.context_buf); - kfree(chip->work_space.session_buf); -- kfree(chip->allocated_banks); - kfree(chip); - } - ---- a/drivers/char/tpm/tpm1-cmd.c -+++ b/drivers/char/tpm/tpm1-cmd.c -@@ -794,11 +794,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi - */ - int tpm1_get_pcr_allocation(struct tpm_chip *chip) - { -- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks), -- GFP_KERNEL); -- if (!chip->allocated_banks) -- return -ENOMEM; -- - chip->allocated_banks[0].alg_id = TPM_ALG_SHA1; - chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1]; - chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1; ---- a/drivers/char/tpm/tpm2-cmd.c -+++ b/drivers/char/tpm/tpm2-cmd.c -@@ -574,11 +574,9 @@ ssize_t tpm2_get_pcr_allocation(struct t - - nr_possible_banks = be32_to_cpup( - (__be32 *)&buf.data[TPM_HEADER_SIZE + 5]); -- -- chip->allocated_banks = kcalloc(nr_possible_banks, -- sizeof(*chip->allocated_banks), -- GFP_KERNEL); -- if (!chip->allocated_banks) { -+ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) { -+ pr_err("tpm: out of bank capacity: %u > %u\n", -+ nr_possible_banks, TPM2_MAX_PCR_BANKS); - rc = -ENOMEM; - goto out; - } ---- a/include/linux/tpm.h -+++ b/include/linux/tpm.h -@@ -25,7 +25,9 @@ - #include - - #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */ --#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE -+ -+#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE -+#define TPM2_MAX_PCR_BANKS 8 - - struct tpm_chip; - struct trusted_key_payload; -@@ -51,7 +53,7 @@ enum tpm_algorithms { - - struct tpm_digest { - u16 alg_id; -- u8 digest[TPM_MAX_DIGEST_SIZE]; -+ u8 digest[TPM2_MAX_DIGEST_SIZE]; - } __packed; - - struct tpm_bank_info { -@@ -157,7 +159,7 @@ struct tpm_chip { - unsigned int groups_cnt; - - u32 nr_allocated_banks; -- struct tpm_bank_info *allocated_banks; -+ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS]; - #ifdef CONFIG_ACPI - acpi_handle acpi_dev_handle; - char ppi_version[TPM_PPI_VERSION_LEN + 1];