5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 May 2021 13:46:42 +0000 (15:46 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 May 2021 13:46:42 +0000 (15:46 +0200)
added patches:
btrfs-fix-unmountable-seed-device-after-fstrim.patch
keys-trusted-fix-memory-leak-on-object-td.patch
tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch

queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch [new file with mode: 0644]
queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch [new file with mode: 0644]
queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch [new file with mode: 0644]
queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch [new file with mode: 0644]
queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch [new file with mode: 0644]

diff --git a/queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch b/queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch
new file mode 100644 (file)
index 0000000..8a8eef2
--- /dev/null
@@ -0,0 +1,104 @@
+From 5e753a817b2d5991dfe8a801b7b1e8e79a1c5a20 Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Fri, 30 Apr 2021 19:59:51 +0800
+Subject: btrfs: fix unmountable seed device after fstrim
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit 5e753a817b2d5991dfe8a801b7b1e8e79a1c5a20 upstream.
+
+The following test case reproduces an issue of wrongly freeing in-use
+blocks on the readonly seed device when fstrim is called on the rw sprout
+device. As shown below.
+
+Create a seed device and add a sprout device to it:
+
+  $ mkfs.btrfs -fq -dsingle -msingle /dev/loop0
+  $ btrfstune -S 1 /dev/loop0
+  $ mount /dev/loop0 /btrfs
+  $ btrfs dev add -f /dev/loop1 /btrfs
+  BTRFS info (device loop0): relocating block group 290455552 flags system
+  BTRFS info (device loop0): relocating block group 1048576 flags system
+  BTRFS info (device loop0): disk added /dev/loop1
+  $ umount /btrfs
+
+Mount the sprout device and run fstrim:
+
+  $ mount /dev/loop1 /btrfs
+  $ fstrim /btrfs
+  $ umount /btrfs
+
+Now try to mount the seed device, and it fails:
+
+  $ mount /dev/loop0 /btrfs
+  mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
+
+Block 5292032 is missing on the readonly seed device:
+
+ $ dmesg -kt | tail
+ <snip>
+ BTRFS error (device loop0): bad tree block start, want 5292032 have 0
+ BTRFS warning (device loop0): couldn't read-tree root
+ BTRFS error (device loop0): open_ctree failed
+
+From the dump-tree of the seed device (taken before the fstrim). Block
+5292032 belonged to the block group starting at 5242880:
+
+  $ btrfs inspect dump-tree -e /dev/loop0 | grep -A1 BLOCK_GROUP
+  <snip>
+  item 3 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16169 itemsize 24
+       block group used 114688 chunk_objectid 256 flags METADATA
+  <snip>
+
+From the dump-tree of the sprout device (taken before the fstrim).
+fstrim used block-group 5242880 to find the related free space to free:
+
+  $ btrfs inspect dump-tree -e /dev/loop1 | grep -A1 BLOCK_GROUP
+  <snip>
+  item 1 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16226 itemsize 24
+       block group used 32768 chunk_objectid 256 flags METADATA
+  <snip>
+
+BPF kernel tracing the fstrim command finds the missing block 5292032
+within the range of the discarded blocks as below:
+
+  kprobe:btrfs_discard_extent {
+       printf("freeing start %llu end %llu num_bytes %llu:\n",
+               arg1, arg1+arg2, arg2);
+  }
+
+  freeing start 5259264 end 5406720 num_bytes 147456
+  <snip>
+
+Fix this by avoiding the discard command to the readonly seed device.
+
+Reported-by: Chris Murphy <lists@colorremedies.com>
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1340,12 +1340,16 @@ int btrfs_discard_extent(struct btrfs_fs
+               stripe = bbio->stripes;
+               for (i = 0; i < bbio->num_stripes; i++, stripe++) {
+                       u64 bytes;
++                      struct btrfs_device *device = stripe->dev;
+-                      if (!stripe->dev->bdev) {
++                      if (!device->bdev) {
+                               ASSERT(btrfs_test_opt(fs_info, DEGRADED));
+                               continue;
+                       }
++                      if (!test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state))
++                              continue;
++
+                       ret = do_discard_extent(stripe, &bytes);
+                       if (!ret) {
+                               discarded_bytes += bytes;
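Review bot: The new `test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)` check in the stripe loop of btrfs_discard_extent() skips a device silently, with no comment saying why a non-writeable device must never receive a discard. The commit message explains that discarding on the read-only seed device destroyed blocks the seed filesystem still used, and that reasoning belongs next to the check: `/* Never discard on a read-only seed device: its blocks are still in use by the seed filesystem. */`. Skipped stripes also leave `discarded_bytes` unchanged, so if any caller compares it with the requested length it will see less than it asked for. That is worth confirming, because the rest of the function lies outside the hunk.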
diff --git a/queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch b/queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch
new file mode 100644 (file)
index 0000000..fa09219
--- /dev/null
@@ -0,0 +1,46 @@
+From 83a775d5f9bfda95b1c295f95a3a041a40c7f321 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 30 Apr 2021 12:37:24 +0100
+Subject: KEYS: trusted: Fix memory leak on object td
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 83a775d5f9bfda95b1c295f95a3a041a40c7f321 upstream.
+
+Two error return paths are neglecting to free allocated object td,
+causing a memory leak. Fix this by returning via the error return
+path that securely kfree's td.
+
+Fixes clang scan-build warning:
+security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential
+memory leak [unix.Malloc]
+
+Cc: stable@vger.kernel.org
+Fixes: 5df16caada3f ("KEYS: trusted: Fix incorrect handling of tpm_get_random()")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_tpm1.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm1.c
++++ b/security/keys/trusted-keys/trusted_tpm1.c
+@@ -500,10 +500,12 @@ static int tpm_seal(struct tpm_buf *tb,
+       ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
+       if (ret < 0)
+-              return ret;
++              goto out;
+-      if (ret != TPM_NONCE_SIZE)
+-              return -EIO;
++      if (ret != TPM_NONCE_SIZE) {
++              ret = -EIO;
++              goto out;
++      }
+       ordinal = htonl(TPM_ORD_SEAL);
+       datsize = htonl(datalen);
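Review bot: Both failure paths after `tpm_get_random()` now depend on the `out` label, which is outside this hunk, so the freeing of `td` cannot be checked from the lines shown. The commit message says that path frees `td` securely; since `td` receives the nonce here and presumably other session material, a short comment at the allocation would keep later edits from reintroducing a bare `return`: `/* td holds session secrets; every exit after this point must go through out */`. tpm_seal()'s body begins and ends outside the hunk.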
diff --git a/queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch b/queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
new file mode 100644 (file)
index 0000000..7de5f40
--- /dev/null
@@ -0,0 +1,36 @@
+From 1df83992d977355177810c2b711afc30546c81ce Mon Sep 17 00:00:00 2001
+From: Zhen Lei <thunder.leizhen@huawei.com>
+Date: Wed, 12 May 2021 21:39:26 +0800
+Subject: tpm: fix error return code in tpm2_get_cc_attrs_tbl()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+commit 1df83992d977355177810c2b711afc30546c81ce upstream.
+
+If the total number of commands queried through TPM2_CAP_COMMANDS is
+different from that queried through TPM2_CC_GET_CAPABILITY, it indicates
+an unknown error. In this case, an appropriate error code -EFAULT should
+be returned. However, we currently do not explicitly assign this error
+code to 'rc'. As a result, 0 was incorrectly returned.
+
+Cc: stable@vger.kernel.org
+Fixes: 58472f5cd4f6("tpm: validate TPM 2.0 commands")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm2-cmd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -656,6 +656,7 @@ int tpm2_get_cc_attrs_tbl(struct tpm_chi
+       if (nr_commands !=
+           be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) {
++              rc = -EFAULT;
+               tpm_buf_destroy(&buf);
+               goto out;
+       }
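Review bot: `rc = -EFAULT` in the count-mismatch branch of tpm2_get_cc_attrs_tbl() reports a device protocol inconsistency with the errno that conventionally means a bad address, which can mislead whoever reads the failure later. If the rest of the function, which is outside this hunk, already uses -EFAULT for malformed responses, keep it for consistency but say so in a comment, e.g. `/* TPM returned a command count that disagrees with the earlier query */`; otherwise `-EIO` would describe the condition more closely. The `+ 5` offset into `buf.data` in the same condition would also benefit from a comment naming the field it reads.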
diff --git a/queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch b/queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
new file mode 100644 (file)
index 0000000..0f0a9dd
--- /dev/null
@@ -0,0 +1,49 @@
+From e630af7dfb450d1c00c30077314acf33032ff9e4 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 10 May 2021 15:28:30 +0300
+Subject: tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt()
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit e630af7dfb450d1c00c30077314acf33032ff9e4 upstream.
+
+The earlier fix (linked) only partially fixed the locality handling bug
+in tpm_tis_gen_interrupt(), i.e. only for TPM 1.x.
+
+Extend the locality handling to cover TPM2.
+
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/linux-integrity/20210220125534.20707-1-jarkko@kernel.org/
+Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
+Reported-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Tested-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -709,16 +709,14 @@ static int tpm_tis_gen_interrupt(struct
+       cap_t cap;
+       int ret;
+-      /* TPM 2.0 */
+-      if (chip->flags & TPM_CHIP_FLAG_TPM2)
+-              return tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
+-
+-      /* TPM 1.2 */
+       ret = request_locality(chip, 0);
+       if (ret < 0)
+               return ret;
+-      ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
++      if (chip->flags & TPM_CHIP_FLAG_TPM2)
++              ret = tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
++      else
++              ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
+       release_locality(chip, 0);
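Review bot: The TPM2 branch in tpm_tis_gen_interrupt() passes the bare constant `0x100` to `tpm2_get_tpm_pt()`, and with the `/* TPM 2.0 */` and `/* TPM 1.2 */` comments removed nothing on the new side says what either call is for or why the locality is taken first. A comment above `request_locality(chip, 0)` would carry the reasoning from the commit message, for example `/* Locality 0 must be held for the capability read on both TPM 1.x and TPM2 */`, and the `0x100` argument should be annotated with the property it selects. The function's return after `release_locality(chip, 0)` is outside the hunk, so whether `ret` from either branch is propagated cannot be confirmed here.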
diff --git a/queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch b/queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
new file mode 100644 (file)
index 0000000..b3d10ad
--- /dev/null
@@ -0,0 +1,47 @@
+From 8a2d296aaebadd68d9c1f6908667df1d1c84c051 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 10 May 2021 15:28:31 +0300
+Subject: tpm, tpm_tis: Reserve locality in tpm_tis_resume()
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 8a2d296aaebadd68d9c1f6908667df1d1c84c051 upstream.
+
+Reserve locality in tpm_tis_resume(), as it could be unsert after waking
+up from a sleep state.
+
+Cc: stable@vger.kernel.org
+Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -1125,12 +1125,20 @@ int tpm_tis_resume(struct device *dev)
+       if (ret)
+               return ret;
+-      /* TPM 1.2 requires self-test on resume. This function actually returns
++      /*
++       * TPM 1.2 requires self-test on resume. This function actually returns
+        * an error code but for unknown reason it isn't handled.
+        */
+-      if (!(chip->flags & TPM_CHIP_FLAG_TPM2))
++      if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
++              ret = request_locality(chip, 0);
++              if (ret < 0)
++                      return ret;
++
+               tpm1_do_selftest(chip);
++              release_locality(chip, 0);
++      }
++
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(tpm_tis_resume);
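Review bot: The result of `tpm1_do_selftest(chip)` is still discarded in tpm_tis_resume(), so a TPM 1.2 that fails its self-test after wake-up is reported as resumed successfully; the reflowed comment admits this without giving a reason. Failing the resume may be too disruptive, but the failure should at least be visible: `ret = tpm1_do_selftest(chip);`, then after `release_locality(chip, 0);` add `if (ret) dev_warn(dev, "TPM self-test failed on resume: %d\n", ret);`. The final `return 0` can stay as it is. The start of the function is outside the hunk.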