From: Greg Kroah-Hartman
Date: Mon, 2 Jan 2023 11:06:02 +0000 (+0100)
Subject: 6.0-stable patches
X-Git-Tag: v6.0.17~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3fb55dd1d43b27b97cf1ae598d40875547f67d7f;p=thirdparty%2Fkernel%2Fstable-queue.git
6.0-stable patches
added patches:
kcsan-instrument-memcpy-memset-memmove-with-newer-clang.patch
sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
tpm-acpi-call-acpi_put_table-to-fix-memory-leak.patch
tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
---
diff --git a/queue-6.0/kcsan-instrument-memcpy-memset-memmove-with-newer-clang.patch b/queue-6.0/kcsan-instrument-memcpy-memset-memmove-with-newer-clang.patch
new file mode 100644
index 00000000000..8ffc0e3f178
--- /dev/null
+++ b/queue-6.0/kcsan-instrument-memcpy-memset-memmove-with-newer-clang.patch
@@ -0,0 +1,92 @@
+From 7c201739beef1a586d806463f1465429cdce34c5 Mon Sep 17 00:00:00 2001
+From: Marco Elver
+Date: Mon, 12 Sep 2022 11:45:40 +0200
+Subject: kcsan: Instrument memcpy/memset/memmove with newer Clang
+
+From: Marco Elver
+
+commit 7c201739beef1a586d806463f1465429cdce34c5 upstream.
+
+With Clang version 16+, -fsanitize=thread will turn
+memcpy/memset/memmove calls in instrumented functions into
+__tsan_memcpy/__tsan_memset/__tsan_memmove calls respectively.
+
+Add these functions to the core KCSAN runtime, so that we (a) catch data
+races with mem* functions, and (b) won't run into linker errors with
+such newer compilers.
+
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Marco Elver
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/kcsan/core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+--- a/kernel/kcsan/core.c
++++ b/kernel/kcsan/core.c
+@@ -14,10 +14,12 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "encoding.h"
+@@ -1308,3 +1310,51 @@ noinline void __tsan_atomic_signal_fence
+ }
+ }
+ EXPORT_SYMBOL(__tsan_atomic_signal_fence);
++
++#ifdef __HAVE_ARCH_MEMSET
++void *__tsan_memset(void *s, int c, size_t count);
++noinline void *__tsan_memset(void *s, int c, size_t count)
++{
++ /*
++ * Instead of not setting up watchpoints where accessed size is greater
++ * than MAX_ENCODABLE_SIZE, truncate checked size to MAX_ENCODABLE_SIZE.
++ */
++ size_t check_len = min_t(size_t, count, MAX_ENCODABLE_SIZE);
++
++ check_access(s, check_len, KCSAN_ACCESS_WRITE, _RET_IP_);
++ return memset(s, c, count);
++}
++#else
++void *__tsan_memset(void *s, int c, size_t count) __alias(memset);
++#endif
++EXPORT_SYMBOL(__tsan_memset);
++
++#ifdef __HAVE_ARCH_MEMMOVE
++void *__tsan_memmove(void *dst, const void *src, size_t len);
++noinline void *__tsan_memmove(void *dst, const void *src, size_t len)
++{
++ size_t check_len = min_t(size_t, len, MAX_ENCODABLE_SIZE);
++
++ check_access(dst, check_len, KCSAN_ACCESS_WRITE, _RET_IP_);
++ check_access(src, check_len, 0, _RET_IP_);
++ return memmove(dst, src, len);
++}
++#else
++void *__tsan_memmove(void *dst, const void *src, size_t len) __alias(memmove);
++#endif
++EXPORT_SYMBOL(__tsan_memmove);
++
++#ifdef __HAVE_ARCH_MEMCPY
++void *__tsan_memcpy(void *dst, const void *src, size_t len);
++noinline void *__tsan_memcpy(void *dst, const void *src, size_t len)
++{
++ size_t check_len = min_t(size_t, len, MAX_ENCODABLE_SIZE);
++
++ check_access(dst, check_len, KCSAN_ACCESS_WRITE, _RET_IP_);
++ check_access(src, check_len, 0, _RET_IP_);
++ return memcpy(dst, src, len);
++}
++#else
++void *__tsan_memcpy(void *dst, const void *src, size_t len) __alias(memcpy);
++#endif
++EXPORT_SYMBOL(__tsan_memcpy);
diff --git a/queue-6.0/series b/queue-6.0/series
index a365597a428..b6c92f37cba 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
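Review bot: In the kcsan patch, `__tsan_memmove` and `__tsan_memcpy` clamp the checked length to MAX_ENCODABLE_SIZE without any comment, and the comment in `__tsan_memset` does not say that bytes past the clamp are left unchecked, so a race on the tail of a large copy goes unreported. I would put `/* Only the first MAX_ENCODABLE_SIZE bytes are checked; races beyond that are not reported. */` above each `check_len` line. The `#else` branches alias directly to memset/memmove/memcpy and call no check_access() themselves; a one-line comment saying this relies on the generic implementations being instrumented would help, assuming that is the intent.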
@@ -67,3 +67,8 @@ f2fs-should-put-a-page-when-checking-the-summary-info.patch
 f2fs-allow-to-read-node-block-after-shutdown.patch
 block-do-not-reread-partition-table-on-exclusively-open-device.patch
 mmc-vub300-fix-warning-do-not-call-blocking-ops-when-task_running.patch
+tpm-acpi-call-acpi_put_table-to-fix-memory-leak.patch
+tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
+tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
+sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
+kcsan-instrument-memcpy-memset-memmove-with-newer-clang.patch
diff --git a/queue-6.0/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch b/queue-6.0/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
new file mode 100644
index 00000000000..d783859b9ca
--- /dev/null
+++ b/queue-6.0/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
@@ -0,0 +1,46 @@
+From da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sat, 26 Nov 2022 15:55:18 -0500
+Subject: SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
+
+From: Chuck Lever
+
+commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.
+
+Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.")
+Signed-off-by: Chuck Lever
+Cc:
+Reviewed-by: Jeff Layton
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1162,18 +1162,23 @@ static int gss_read_proxy_verf(struct sv
+ return res;
+
+ inlen = svc_getnl(argv);
+- if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
++ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) {
++ kfree(in_handle->data);
+ return SVC_DENIED;
++ }
+
+ pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
+ in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
+- if (!in_token->pages)
++ if (!in_token->pages) {
++ kfree(in_handle->data);
+ return SVC_DENIED;
++ }
+ in_token->page_base = 0;
+ in_token->page_len = inlen;
+ for (i = 0; i < pages; i++) {
+ in_token->pages[i] = alloc_page(GFP_KERNEL);
+ if (!in_token->pages[i]) {
++ kfree(in_handle->data);
+ gss_free_in_token_pages(in_token);
+ return SVC_DENIED;
+ }
diff --git a/queue-6.0/tpm-acpi-call-acpi_put_table-to-fix-memory-leak.patch b/queue-6.0/tpm-acpi-call-acpi_put_table-to-fix-memory-leak.patch
new file mode 100644
index 00000000000..4e5987d093f
--- /dev/null
+++ b/queue-6.0/tpm-acpi-call-acpi_put_table-to-fix-memory-leak.patch
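Review bot: In the SUNRPC patch, `kfree(in_handle->data)` is now repeated in three error paths of gss_read_proxy_verf(), and each one leaves `in_handle->data` pointing at freed memory. The caller is not visible in this hunk, so whether it touches the handle after SVC_DENIED cannot be confirmed here; clearing the pointer would make a later free or read harmless. I would fold the three copies into a single exit label, `out_denied_free:` followed by `kfree(in_handle->data); in_handle->data = NULL;` and `return SVC_DENIED;`, with the page-allocation failure calling gss_free_in_token_pages() before jumping there. The function begins and ends outside the hunk.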
@@ -0,0 +1,72 @@
+From 8740a12ca2e2959531ad253bac99ada338b33d80 Mon Sep 17 00:00:00 2001
+From: Hanjun Guo
+Date: Thu, 17 Nov 2022 19:23:40 +0800
+Subject: tpm: acpi: Call acpi_put_table() to fix memory leak
+
+From: Hanjun Guo
+
+commit 8740a12ca2e2959531ad253bac99ada338b33d80 upstream.
+
+The start and length of the event log area are obtained from
+TPM2 or TCPA table, so we call acpi_get_table() to get the
+ACPI information, but the acpi_get_table() should be coupled with
+acpi_put_table() to release the ACPI memory, add the acpi_put_table()
+properly to fix the memory leak.
+
+While we are at it, remove the redundant empty line at the
+end of the tpm_read_log_acpi().
+
+Fixes: 0bfb23746052 ("tpm: Move eventlog files to a subdirectory")
+Fixes: 85467f63a05c ("tpm: Add support for event log pointer found in TPM2 ACPI table")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hanjun Guo
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/eventlog/acpi.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/tpm/eventlog/acpi.c
++++ b/drivers/char/tpm/eventlog/acpi.c
+@@ -90,16 +90,21 @@ int tpm_read_log_acpi(struct tpm_chip *c
+ return -ENODEV;
+
+ if (tbl->header.length <
+- sizeof(*tbl) + sizeof(struct acpi_tpm2_phy))
++ sizeof(*tbl) + sizeof(struct acpi_tpm2_phy)) {
++ acpi_put_table((struct acpi_table_header *)tbl);
+ return -ENODEV;
++ }
+
+ tpm2_phy = (void *)tbl + sizeof(*tbl);
+ len = tpm2_phy->log_area_minimum_length;
+
+ start = tpm2_phy->log_area_start_address;
+- if (!start || !len)
++ if (!start || !len) {
++ acpi_put_table((struct acpi_table_header *)tbl);
+ return -ENODEV;
++ }
+
++ acpi_put_table((struct acpi_table_header *)tbl);
+ format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2;
+ } else {
+ /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
+@@ -120,8 +125,10 @@ int tpm_read_log_acpi(struct tpm_chip *c
+ break;
+ }
+
++ acpi_put_table((struct acpi_table_header *)buff);
+ format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
+ }
++
+ if (!len) {
+ dev_warn(&chip->dev, "%s: TCPA log area empty\n", __func__);
+ return -EIO;
+@@ -156,5 +163,4 @@ err:
+ kfree(log->bios_event_log);
+ log->bios_event_log = NULL;
+ return ret;
+-
+ }
diff --git a/queue-6.0/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch b/queue-6.0/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
new file mode 100644
index 00000000000..217674c09e1
--- /dev/null
+++ b/queue-6.0/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
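Review bot: In the tpm acpi patch, the TPM2 branch of tpm_read_log_acpi() now calls acpi_put_table() at three separate exits, which is easy to miss when another return is added later. `len` and `start` are both copied out of the table before they are tested, so the second and third calls can collapse into one placed right after `start` is read: `acpi_put_table(&tbl->header);` then `if (!start || !len) return -ENODEV;`. Passing `&tbl->header` also drops the cast, assuming `header` is the embedded struct acpi_table_header as the `tbl->header.length` access suggests. In the TCPA branch the release sits after a switch whose body is outside the hunk, so it is worth confirming that no case returns before reaching it.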
@@ -0,0 +1,85 @@
+From 37e90c374dd11cf4919c51e847c6d6ced0abc555 Mon Sep 17 00:00:00 2001
+From: Hanjun Guo
+Date: Thu, 17 Nov 2022 19:23:41 +0800
+Subject: tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
+
+From: Hanjun Guo
+
+commit 37e90c374dd11cf4919c51e847c6d6ced0abc555 upstream.
+
+In crb_acpi_add(), we get the TPM2 table to retrieve information
+like start method, and then assign them to the priv data, so the
+TPM2 table is not used after the init, should be freed, call
+acpi_put_table() to fix the memory leak.
+
+Fixes: 30fc8d138e91 ("tpm: TPM 2.0 CRB Interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hanjun Guo
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_crb.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -676,12 +676,16 @@ static int crb_acpi_add(struct acpi_devi
+
+ /* Should the FIFO driver handle this? */
+ sm = buf->start_method;
+- if (sm == ACPI_TPM2_MEMORY_MAPPED)
+- return -ENODEV;
++ if (sm == ACPI_TPM2_MEMORY_MAPPED) {
++ rc = -ENODEV;
++ goto out;
++ }
+
+ priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
++ if (!priv) {
++ rc = -ENOMEM;
++ goto out;
++ }
+
+ if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
+ if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
+@@ -689,7 +693,8 @@ static int crb_acpi_add(struct acpi_devi
+ FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
+ buf->header.length,
+ ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+ crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
+ priv->smc_func_id = crb_smc->smc_func_id;
+@@ -700,17 +705,23 @@ static int crb_acpi_add(struct acpi_devi
+
+ rc = crb_map_io(device, priv, buf);
+ if (rc)
+- return rc;
++ goto out;
+
+ chip = tpmm_chip_alloc(dev, &tpm_crb);
+- if (IS_ERR(chip))
+- return PTR_ERR(chip);
++ if (IS_ERR(chip)) {
++ rc = PTR_ERR(chip);
++ goto out;
++ }
+
+ dev_set_drvdata(&chip->dev, priv);
+ chip->acpi_dev_handle = device->handle;
+ chip->flags = TPM_CHIP_FLAG_TPM2;
+
+- return tpm_chip_register(chip);
++ rc = tpm_chip_register(chip);
++
++out:
++ acpi_put_table((struct acpi_table_header *)buf);
++ return rc;
+ }
+
+ static int crb_acpi_remove(struct acpi_device *device)
diff --git a/queue-6.0/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch b/queue-6.0/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
new file mode 100644
index 00000000000..8456c587ac9
--- /dev/null
+++ b/queue-6.0/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
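Review bot: In the tpm_crb patch, the new `out:` label releases the TPM2 table on the success path as well, so once crb_acpi_add() returns nothing kept in `priv` or `chip` may point into `buf`. `crb_map_io(device, priv, buf)` receives the table and its body is not in this hunk, so that should be confirmed there; the visible code copies `crb_smc->smc_func_id` by value, which is fine. I would record the rule at the label: `/* buf is only valid during probe; priv must hold copies, never pointers into the table. */`. The start of the function is outside the hunk, so any return between acpi_get_table() and the first `goto out` would need the same release.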
@@ -0,0 +1,55 @@
+From db9622f762104459ff87ecdf885cc42c18053fd9 Mon Sep 17 00:00:00 2001
+From: Hanjun Guo
+Date: Thu, 17 Nov 2022 19:23:42 +0800
+Subject: tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
+
+From: Hanjun Guo
+
+commit db9622f762104459ff87ecdf885cc42c18053fd9 upstream.
+
+In check_acpi_tpm2(), we get the TPM2 table just to make
+sure the table is there, not used after the init, so the
+acpi_put_table() should be added to release the ACPI memory.
+
+Fixes: 4cb586a188d4 ("tpm_tis: Consolidate the platform and acpi probe flow")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hanjun Guo
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -125,6 +125,7 @@ static int check_acpi_tpm2(struct device
+ const struct acpi_device_id *aid = acpi_match_device(tpm_acpi_tbl, dev);
+ struct acpi_table_tpm2 *tbl;
+ acpi_status st;
++ int ret = 0;
+
+ if (!aid || aid->driver_data != DEVICE_IS_TPM2)
+ return 0;
+@@ -132,8 +133,7 @@ static int check_acpi_tpm2(struct device
+ /* If the ACPI TPM2 signature is matched then a global ACPI_SIG_TPM2
+ * table is mandatory
+ */
+- st =
+- acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
++ st = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
+ if (ACPI_FAILURE(st) || tbl->header.length < sizeof(*tbl)) {
+ dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
+ return -EINVAL;
+@@ -141,9 +141,10 @@ static int check_acpi_tpm2(struct device
+
+ /* The tpm2_crb driver handles this device */
+ if (tbl->start_method != ACPI_TPM2_MEMORY_MAPPED)
+- return -ENODEV;
++ ret = -ENODEV;
+
+- return 0;
++ acpi_put_table((struct acpi_table_header *)tbl);
++ return ret;
+ }
+ #else
+ static int check_acpi_tpm2(struct device *dev)
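Review bot: In the tpm_tis patch, the short-table path of check_acpi_tpm2() still leaks the table reference: `if (ACPI_FAILURE(st) || tbl->header.length < sizeof(*tbl))` returns -EINVAL directly, so when acpi_get_table() succeeds but the table is too small the added acpi_put_table() is never reached. Splitting the condition lets a failed lookup return early, where no reference should be held, and routes the size failure through the release. The change below spans the second and third inner hunks of this patch; the declarations, including `int ret = 0;`, are in the first.

```c
	st = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
	if (ACPI_FAILURE(st)) {
		dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
		return -EINVAL;
	}

	if (tbl->header.length < sizeof(*tbl)) {
		/* Lookup succeeded, so the reference must be dropped below. */
		dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
		ret = -EINVAL;
	} else if (tbl->start_method != ACPI_TPM2_MEMORY_MAPPED) {
		/* The tpm2_crb driver handles this device */
		ret = -ENODEV;
	}

	acpi_put_table((struct acpi_table_header *)tbl);
	return ret;
```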