--- /dev/null
+From 23393c6461422df5bf8084a086ada9a7e17dc2ba Mon Sep 17 00:00:00 2001
+From: Jan Dabros <jsd@semihalf.com>
+Date: Mon, 28 Nov 2022 20:56:51 +0100
+Subject: char: tpm: Protect tpm_pm_suspend with locks
+
+From: Jan Dabros <jsd@semihalf.com>
+
+commit 23393c6461422df5bf8084a086ada9a7e17dc2ba upstream.
+
+Currently tpm transactions are executed unconditionally in
+tpm_pm_suspend() function, which may lead to races with other tpm
+accessors in the system.
+
+Specifically, the hw_random tpm driver makes use of tpm_get_random(),
+and this function is called in a loop from a kthread, which means it's
+not frozen alongside userspace, and so can race with the work done
+during system suspend:
+
+ tpm tpm0: tpm_transmit: tpm_recv: error -52
+ tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
+ CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
+ Call Trace:
+ tpm_tis_status.cold+0x19/0x20
+ tpm_transmit+0x13b/0x390
+ tpm_transmit_cmd+0x20/0x80
+ tpm1_pm_suspend+0xa6/0x110
+ tpm_pm_suspend+0x53/0x80
+ __pnp_bus_suspend+0x35/0xe0
+ __device_suspend+0x10f/0x350
+
+Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
+tpm_chip_start(), but takes the appropriate mutex.
+
+Signed-off-by: Jan Dabros <jsd@semihalf.com>
+Reported-by: Vlastimil Babka <vbabka@suse.cz>
+Tested-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Tested-by: Vlastimil Babka <vbabka@suse.cz>
+Link: https://lore.kernel.org/all/c5ba47ef-393f-1fba-30bd-1230d1b4b592@suse.cz/
+Cc: stable@vger.kernel.org
+Fixes: e891db1a18bf ("tpm: turn on TPM on suspend for TPM 1.x")
+[Jason: reworked commit message, added metadata]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-interface.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -401,13 +401,14 @@ int tpm_pm_suspend(struct device *dev)
+ !pm_suspend_via_firmware())
+ goto suspended;
+
+- if (!tpm_chip_start(chip)) {
++ rc = tpm_try_get_ops(chip);
++ if (!rc) {
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ tpm2_shutdown(chip, TPM2_SU_STATE);
+ else
+ rc = tpm1_pm_suspend(chip, tpm_suspend_pcr);
+
+- tpm_chip_stop(chip);
++ tpm_put_ops(chip);
+ }
+
+ suspended:
--- /dev/null
+From 8c9a59939deb4bfafdc451100c03d1e848b4169b Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Fri, 2 Dec 2022 15:37:46 -0800
+Subject: Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit 8c9a59939deb4bfafdc451100c03d1e848b4169b upstream.
+
+There is a kmemleak when test the raydium_i2c_ts with bpf mock device:
+
+ unreferenced object 0xffff88812d3675a0 (size 8):
+ comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
+ hex dump (first 8 bytes):
+ 11 0e 10 c0 01 00 04 00 ........
+ backtrace:
+ [<0000000068427125>] __kmalloc+0x46/0x1b0
+ [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
+ [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
+ [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
+ [<00000000a310de16>] i2c_device_probe+0x651/0x680
+ [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
+ [<00000000096ba499>] __driver_probe_device+0xe3/0x170
+ [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
+ [<00000000264fe082>] __device_attach_driver+0xf7/0x150
+ [<00000000f919423c>] bus_for_each_drv+0x114/0x180
+ [<00000000e067feca>] __device_attach+0x1e5/0x2d0
+ [<0000000054301fc2>] bus_probe_device+0x126/0x140
+ [<00000000aad93b22>] device_add+0x810/0x1130
+ [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
+ [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
+ [<00000000ffec4177>] of_i2c_notify+0x100/0x160
+ unreferenced object 0xffff88812d3675c8 (size 8):
+ comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
+ hex dump (first 8 bytes):
+ 22 00 36 2d 81 88 ff ff ".6-....
+ backtrace:
+ [<0000000068427125>] __kmalloc+0x46/0x1b0
+ [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
+ [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
+ [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
+ [<00000000a310de16>] i2c_device_probe+0x651/0x680
+ [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
+ [<00000000096ba499>] __driver_probe_device+0xe3/0x170
+ [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
+ [<00000000264fe082>] __device_attach_driver+0xf7/0x150
+ [<00000000f919423c>] bus_for_each_drv+0x114/0x180
+ [<00000000e067feca>] __device_attach+0x1e5/0x2d0
+ [<0000000054301fc2>] bus_probe_device+0x126/0x140
+ [<00000000aad93b22>] device_add+0x810/0x1130
+ [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
+ [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
+ [<00000000ffec4177>] of_i2c_notify+0x100/0x160
+
+After BANK_SWITCH command from i2c BUS, no matter success or error
+happened, the tx_buf should be freed.
+
+Fixes: 3b384bd6c3f2 ("Input: raydium_ts_i2c - do not split tx transactions")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Link: https://lore.kernel.org/r/20221202103412.2120169-1-zhangxiaoxu5@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/raydium_i2c_ts.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/raydium_i2c_ts.c
++++ b/drivers/input/touchscreen/raydium_i2c_ts.c
+@@ -211,12 +211,14 @@ static int raydium_i2c_send(struct i2c_c
+
+ error = raydium_i2c_xfer(client, addr, xfer, ARRAY_SIZE(xfer));
+ if (likely(!error))
+- return 0;
++ goto out;
+
+ msleep(RM_RETRY_DELAY_MS);
+ } while (++tries < RM_MAX_RETRIES);
+
+ dev_err(&client->dev, "%s failed: %d\n", __func__, error);
++out:
++ kfree(tx_buf);
+ return error;
+ }
+
--- /dev/null
+From 89d21e259a94f7d5582ec675aa445f5a79f347e4 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Thu, 24 Nov 2022 09:37:27 +0100
+Subject: powerpc/bpf/32: Fix Oops on tail call tests
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 89d21e259a94f7d5582ec675aa445f5a79f347e4 upstream.
+
+test_bpf tail call tests end up as:
+
+ test_bpf: #0 Tail call leaf jited:1 85 PASS
+ test_bpf: #1 Tail call 2 jited:1 111 PASS
+ test_bpf: #2 Tail call 3 jited:1 145 PASS
+ test_bpf: #3 Tail call 4 jited:1 170 PASS
+ test_bpf: #4 Tail call load/store leaf jited:1 190 PASS
+ test_bpf: #5 Tail call load/store jited:1
+ BUG: Unable to handle kernel data access on write at 0xf1b4e000
+ Faulting instruction address: 0xbe86b710
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ BE PAGE_SIZE=4K MMU=Hash PowerMac
+ Modules linked in: test_bpf(+)
+ CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195
+ Hardware name: PowerMac3,1 750CL 0x87210 PowerMac
+ NIP: be86b710 LR: be857e88 CTR: be86b704
+ REGS: f1b4df20 TRAP: 0300 Not tainted (6.1.0-rc4+)
+ MSR: 00009032 <EE,ME,IR,DR,RI> CR: 28008242 XER: 00000000
+ DAR: f1b4e000 DSISR: 42000000
+ GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000
+ GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8
+ GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000
+ GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00
+ NIP [be86b710] 0xbe86b710
+ LR [be857e88] __run_one+0xec/0x264 [test_bpf]
+ Call Trace:
+ [f1b4dfe0] [00000002] 0x2 (unreliable)
+ Instruction dump:
+ XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
+ XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
+ ---[ end trace 0000000000000000 ]---
+
+This is a tentative to write above the stack. The problem is encoutered
+with tests added by commit 38608ee7b690 ("bpf, tests: Add load store
+test case for tail call")
+
+This happens because tail call is done to a BPF prog with a different
+stack_depth. At the time being, the stack is kept as is when the caller
+tail calls its callee. But at exit, the callee restores the stack based
+on its own properties. Therefore here, at each run, r1 is erroneously
+increased by 32 - 16 = 16 bytes.
+
+This was done that way in order to pass the tail call count from caller
+to callee through the stack. As powerpc32 doesn't have a red zone in
+the stack, it was necessary the maintain the stack as is for the tail
+call. But it was not anticipated that the BPF frame size could be
+different.
+
+Let's take a new approach. Use register r4 to carry the tail call count
+during the tail call, and save it into the stack at function entry if
+required. This means the input parameter must be in r3, which is more
+correct as it is a 32 bits parameter, then tail call better match with
+normal BPF function entry, the down side being that we move that input
+parameter back and forth between r3 and r4. That can be optimised later.
+
+Doing that also has the advantage of maximising the common parts between
+tail calls and a normal function exit.
+
+With the fix, tail call tests are now successfull:
+
+ test_bpf: #0 Tail call leaf jited:1 53 PASS
+ test_bpf: #1 Tail call 2 jited:1 115 PASS
+ test_bpf: #2 Tail call 3 jited:1 154 PASS
+ test_bpf: #3 Tail call 4 jited:1 165 PASS
+ test_bpf: #4 Tail call load/store leaf jited:1 101 PASS
+ test_bpf: #5 Tail call load/store jited:1 141 PASS
+ test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS
+ test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS
+ test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS
+ test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS
+ test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]
+
+Suggested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Fixes: 51c66ad849a7 ("powerpc/bpf: Implement extended BPF on PPC32")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/757acccb7fbfc78efa42dcf3c974b46678198905.1669278887.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp32.c | 52 +++++++++++++++-----------------------
+ 1 file changed, 21 insertions(+), 31 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp32.c
++++ b/arch/powerpc/net/bpf_jit_comp32.c
+@@ -113,23 +113,19 @@ void bpf_jit_build_prologue(u32 *image,
+ {
+ int i;
+
+- /* First arg comes in as a 32 bits pointer. */
+- EMIT(PPC_RAW_MR(bpf_to_ppc(BPF_REG_1), _R3));
+- EMIT(PPC_RAW_LI(bpf_to_ppc(BPF_REG_1) - 1, 0));
++ /* Initialize tail_call_cnt, to be skipped if we do tail calls. */
++ EMIT(PPC_RAW_LI(_R4, 0));
++
++#define BPF_TAILCALL_PROLOGUE_SIZE 4
++
+ EMIT(PPC_RAW_STWU(_R1, _R1, -BPF_PPC_STACKFRAME(ctx)));
+
+- /*
+- * Initialize tail_call_cnt in stack frame if we do tail calls.
+- * Otherwise, put in NOPs so that it can be skipped when we are
+- * invoked through a tail call.
+- */
+ if (ctx->seen & SEEN_TAILCALL)
+- EMIT(PPC_RAW_STW(bpf_to_ppc(BPF_REG_1) - 1, _R1,
+- bpf_jit_stack_offsetof(ctx, BPF_PPC_TC)));
+- else
+- EMIT(PPC_RAW_NOP());
++ EMIT(PPC_RAW_STW(_R4, _R1, bpf_jit_stack_offsetof(ctx, BPF_PPC_TC)));
+
+-#define BPF_TAILCALL_PROLOGUE_SIZE 16
++ /* First arg comes in as a 32 bits pointer. */
++ EMIT(PPC_RAW_MR(bpf_to_ppc(BPF_REG_1), _R3));
++ EMIT(PPC_RAW_LI(bpf_to_ppc(BPF_REG_1) - 1, 0));
+
+ /*
+ * We need a stack frame, but we don't necessarily need to
+@@ -170,24 +166,24 @@ static void bpf_jit_emit_common_epilogue
+ for (i = BPF_PPC_NVR_MIN; i <= 31; i++)
+ if (bpf_is_seen_register(ctx, i))
+ EMIT(PPC_RAW_LWZ(i, _R1, bpf_jit_stack_offsetof(ctx, i)));
+-}
+-
+-void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
+-{
+- EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_0)));
+-
+- bpf_jit_emit_common_epilogue(image, ctx);
+-
+- /* Tear down our stack frame */
+
+ if (ctx->seen & SEEN_FUNC)
+ EMIT(PPC_RAW_LWZ(_R0, _R1, BPF_PPC_STACKFRAME(ctx) + PPC_LR_STKOFF));
+
++ /* Tear down our stack frame */
+ EMIT(PPC_RAW_ADDI(_R1, _R1, BPF_PPC_STACKFRAME(ctx)));
+
+ if (ctx->seen & SEEN_FUNC)
+ EMIT(PPC_RAW_MTLR(_R0));
+
++}
++
++void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
++{
++ EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_0)));
++
++ bpf_jit_emit_common_epilogue(image, ctx);
++
+ EMIT(PPC_RAW_BLR());
+ }
+
+@@ -244,7 +240,6 @@ static int bpf_jit_emit_tail_call(u32 *i
+ EMIT(PPC_RAW_RLWINM(_R3, b2p_index, 2, 0, 29));
+ EMIT(PPC_RAW_ADD(_R3, _R3, b2p_bpf_array));
+ EMIT(PPC_RAW_LWZ(_R3, _R3, offsetof(struct bpf_array, ptrs)));
+- EMIT(PPC_RAW_STW(_R0, _R1, bpf_jit_stack_offsetof(ctx, BPF_PPC_TC)));
+
+ /*
+ * if (prog == NULL)
+@@ -255,19 +250,14 @@ static int bpf_jit_emit_tail_call(u32 *i
+
+ /* goto *(prog->bpf_func + prologue_size); */
+ EMIT(PPC_RAW_LWZ(_R3, _R3, offsetof(struct bpf_prog, bpf_func)));
+-
+- if (ctx->seen & SEEN_FUNC)
+- EMIT(PPC_RAW_LWZ(_R0, _R1, BPF_PPC_STACKFRAME(ctx) + PPC_LR_STKOFF));
+-
+ EMIT(PPC_RAW_ADDIC(_R3, _R3, BPF_TAILCALL_PROLOGUE_SIZE));
+-
+- if (ctx->seen & SEEN_FUNC)
+- EMIT(PPC_RAW_MTLR(_R0));
+-
+ EMIT(PPC_RAW_MTCTR(_R3));
+
+ EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_1)));
+
++ /* Put tail_call_cnt in r4 */
++ EMIT(PPC_RAW_MR(_R4, _R0));
++
+ /* tear restore NVRs, ... */
+ bpf_jit_emit_common_epilogue(image, ctx);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
