From 0faada1694e122859ae318ae97310d1a9995ca5d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Jan 2023 12:05:35 +0100
Subject: [PATCH] 5.4-stable patches added patches: sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
---
 queue-5.4/series | 3 +
 ...emory-when-gss_read_proxy_verf-fails.patch | 46 ++++++++++
 ...ed-acpi_put_table-to-fix-memory-leak.patch | 85 +++++++++++++++++++
 ...ed-acpi_put_table-to-fix-memory-leak.patch | 55 ++++++++++++
 4 files changed, 189 insertions(+)
 create mode 100644 queue-5.4/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
 create mode 100644 queue-5.4/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
 create mode 100644 queue-5.4/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
diff --git a/queue-5.4/series b/queue-5.4/series
index 7ff46c62c0e..6393ddf1eb2 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -471,3 +471,6 @@ md-fix-a-crash-in-mempool_free.patch
 mm-compaction-fix-fast_isolate_around-to-stay-within-boundaries.patch
 f2fs-should-put-a-page-when-checking-the-summary-info.patch
 mmc-vub300-fix-warning-do-not-call-blocking-ops-when-task_running.patch
+tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
+tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
+sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
diff --git a/queue-5.4/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch b/queue-5.4/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
new file mode 100644
index 00000000000..3a987b2e34a
--- /dev/null
+++ b/queue-5.4/sunrpc-don-t-leak-netobj-memory-when-gss_read_proxy_verf-fails.patch
@@ -0,0 +1,46 @@
+From da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sat, 26 Nov 2022 15:55:18 -0500
+Subject: SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
+
+From: Chuck Lever
+
+commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.
+
+Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.")
+Signed-off-by: Chuck Lever
+Cc:
+Reviewed-by: Jeff Layton
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1104,18 +1104,23 @@ static int gss_read_proxy_verf(struct sv
+ return res;
+
+ inlen = svc_getnl(argv);
+- if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
++ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) {
++ kfree(in_handle->data);
+ return SVC_DENIED;
++ }
+
+ pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
+ in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
+- if (!in_token->pages)
++ if (!in_token->pages) {
++ kfree(in_handle->data);
+ return SVC_DENIED;
++ }
+ in_token->page_base = 0;
+ in_token->page_len = inlen;
+ for (i = 0; i < pages; i++) {
+ in_token->pages[i] = alloc_page(GFP_KERNEL);
+ if (!in_token->pages[i]) {
++ kfree(in_handle->data);
+ gss_free_in_token_pages(in_token);
+ return SVC_DENIED;
+ }
diff --git a/queue-5.4/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch b/queue-5.4/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
new file mode 100644
index 00000000000..217674c09e1
--- /dev/null
+++ b/queue-5.4/tpm-tpm_crb-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
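Review bot: `kfree(in_handle->data);` is now repeated on all three SVC_DENIED returns in gss_read_proxy_verf(), and the freed pointer stays in `in_handle->data`. A shared error label that frees the handle would keep a future error path from reintroducing the leak, and `in_handle->data = NULL;` after the free would make any later free by the caller harmless. The caller and the start of the function are outside this hunk, so whether the handle is touched after a failed return cannot be confirmed here. Since `inlen` comes from the request via `svc_getnl(argv)`, the first rejected-length path appears to depend only on peer-supplied data, which would make the leak a memory-exhaustion concern; the embedded commit message has no description and could state this.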
@@ -0,0 +1,85 @@
+From 37e90c374dd11cf4919c51e847c6d6ced0abc555 Mon Sep 17 00:00:00 2001
+From: Hanjun Guo
+Date: Thu, 17 Nov 2022 19:23:41 +0800
+Subject: tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
+
+From: Hanjun Guo
+
+commit 37e90c374dd11cf4919c51e847c6d6ced0abc555 upstream.
+
+In crb_acpi_add(), we get the TPM2 table to retrieve information
+like start method, and then assign them to the priv data, so the
+TPM2 table is not used after the init, should be freed, call
+acpi_put_table() to fix the memory leak.
+
+Fixes: 30fc8d138e91 ("tpm: TPM 2.0 CRB Interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hanjun Guo
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_crb.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -676,12 +676,16 @@ static int crb_acpi_add(struct acpi_devi
+
+ /* Should the FIFO driver handle this? */
+ sm = buf->start_method;
+- if (sm == ACPI_TPM2_MEMORY_MAPPED)
+- return -ENODEV;
++ if (sm == ACPI_TPM2_MEMORY_MAPPED) {
++ rc = -ENODEV;
++ goto out;
++ }
+
+ priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
+- if (!priv)
+- return -ENOMEM;
++ if (!priv) {
++ rc = -ENOMEM;
++ goto out;
++ }
+
+ if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
+ if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
+@@ -689,7 +693,8 @@ static int crb_acpi_add(struct acpi_devi
+ FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
+ buf->header.length,
+ ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto out;
+ }
+ crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
+ priv->smc_func_id = crb_smc->smc_func_id;
+@@ -700,17 +705,23 @@ static int crb_acpi_add(struct acpi_devi
+
+ rc = crb_map_io(device, priv, buf);
+ if (rc)
+- return rc;
++ goto out;
+
+ chip = tpmm_chip_alloc(dev, &tpm_crb);
+- if (IS_ERR(chip))
+- return PTR_ERR(chip);
++ if (IS_ERR(chip)) {
++ rc = PTR_ERR(chip);
++ goto out;
++ }
+
+ dev_set_drvdata(&chip->dev, priv);
+ chip->acpi_dev_handle = device->handle;
+ chip->flags = TPM_CHIP_FLAG_TPM2;
+
+- return tpm_chip_register(chip);
++ rc = tpm_chip_register(chip);
++
++out:
++ acpi_put_table((struct acpi_table_header *)buf);
++ return rc;
+ }
+
+ static int crb_acpi_remove(struct acpi_device *device)
diff --git a/queue-5.4/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch b/queue-5.4/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
new file mode 100644
index 00000000000..8456c587ac9
--- /dev/null
+++ b/queue-5.4/tpm-tpm_tis-add-the-missed-acpi_put_table-to-fix-memory-leak.patch
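Review bot: The new `out:` label in crb_acpi_add() releases the table on the success path as well, so nothing that outlives probe may keep a pointer into `buf`. The visible lines copy `crb_smc->smc_func_id` by value, but `crb_map_io(device, priv, buf)` is defined outside the hunk and should be confirmed not to store a pointer into the table. A comment at the label would record the intent, for example `/* TPM2 table is only read during probe; release it on every exit */`. The function starts before line 676, so a return between the table lookup and these hunks would still bypass `out:`; that part cannot be checked from here.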
@@ -0,0 +1,55 @@
+From db9622f762104459ff87ecdf885cc42c18053fd9 Mon Sep 17 00:00:00 2001
+From: Hanjun Guo
+Date: Thu, 17 Nov 2022 19:23:42 +0800
+Subject: tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
+
+From: Hanjun Guo
+
+commit db9622f762104459ff87ecdf885cc42c18053fd9 upstream.
+
+In check_acpi_tpm2(), we get the TPM2 table just to make
+sure the table is there, not used after the init, so the
+acpi_put_table() should be added to release the ACPI memory.
+
+Fixes: 4cb586a188d4 ("tpm_tis: Consolidate the platform and acpi probe flow")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hanjun Guo
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -125,6 +125,7 @@ static int check_acpi_tpm2(struct device
+ const struct acpi_device_id *aid = acpi_match_device(tpm_acpi_tbl, dev);
+ struct acpi_table_tpm2 *tbl;
+ acpi_status st;
++ int ret = 0;
+
+ if (!aid || aid->driver_data != DEVICE_IS_TPM2)
+ return 0;
+@@ -132,8 +133,7 @@ static int check_acpi_tpm2(struct device
+ /* If the ACPI TPM2 signature is matched then a global ACPI_SIG_TPM2
+ * table is mandatory
+ */
+- st =
+- acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
++ st = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
+ if (ACPI_FAILURE(st) || tbl->header.length < sizeof(*tbl)) {
+ dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
+ return -EINVAL;
+@@ -141,9 +141,10 @@ static int check_acpi_tpm2(struct device
+
+ /* The tpm2_crb driver handles this device */
+ if (tbl->start_method != ACPI_TPM2_MEMORY_MAPPED)
+- return -ENODEV;
++ ret = -ENODEV;
+
+- return 0;
++ acpi_put_table((struct acpi_table_header *)tbl);
++ return ret;
+ }
+ #else
+ static int check_acpi_tpm2(struct device *dev)
--
2.47.3
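Review bot: The context line `if (ACPI_FAILURE(st) || tbl->header.length < sizeof(*tbl))` in check_acpi_tpm2() still returns -EINVAL directly, so when acpi_get_table() succeeds but the table is too short the reference is never released. Only the `ACPI_FAILURE(st)` case should return early. For the short-table case, log the error, set `ret = -EINVAL;` and skip the start_method test so that `acpi_put_table((struct acpi_table_header *)tbl);` still runs. The `goto out;` single-exit shape that the tpm_crb patch on this page uses for crb_acpi_add() would fit here too.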