From 316813a25e661b34a63a28a051c075b43d9dd64d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 Dec 2022 09:33:22 +0100 Subject: [PATCH] 6.0-stable patches added patches: char-tpm-protect-tpm_pm_suspend-with-locks.patch input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch powerpc-bpf-32-fix-oops-on-tail-call-tests.patch --- ...pm-protect-tpm_pm_suspend-with-locks.patch | 69 +++++++ ...-fix-memory-leak-in-raydium_i2c_send.patch | 85 ++++++++ ...c-bpf-32-fix-oops-on-tail-call-tests.patch | 193 ++++++++++++++++++ queue-6.0/series | 3 + 4 files changed, 350 insertions(+) create mode 100644 queue-6.0/char-tpm-protect-tpm_pm_suspend-with-locks.patch create mode 100644 queue-6.0/input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch create mode 100644 queue-6.0/powerpc-bpf-32-fix-oops-on-tail-call-tests.patch diff --git a/queue-6.0/char-tpm-protect-tpm_pm_suspend-with-locks.patch b/queue-6.0/char-tpm-protect-tpm_pm_suspend-with-locks.patch new file mode 100644 index 00000000000..af6ed23d367 --- /dev/null +++ b/queue-6.0/char-tpm-protect-tpm_pm_suspend-with-locks.patch @@ -0,0 +1,69 @@ +From 23393c6461422df5bf8084a086ada9a7e17dc2ba Mon Sep 17 00:00:00 2001 +From: Jan Dabros +Date: Mon, 28 Nov 2022 20:56:51 +0100 +Subject: char: tpm: Protect tpm_pm_suspend with locks + +From: Jan Dabros + +commit 23393c6461422df5bf8084a086ada9a7e17dc2ba upstream. + +Currently tpm transactions are executed unconditionally in +tpm_pm_suspend() function, which may lead to races with other tpm +accessors in the system. + +Specifically, the hw_random tpm driver makes use of tpm_get_random(), +and this function is called in a loop from a kthread, which means it's +not frozen alongside userspace, and so can race with the work done +during system suspend: + + tpm tpm0: tpm_transmit: tpm_recv: error -52 + tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics + CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 + Call Trace: + tpm_tis_status.cold+0x19/0x20 + tpm_transmit+0x13b/0x390 + tpm_transmit_cmd+0x20/0x80 + tpm1_pm_suspend+0xa6/0x110 + tpm_pm_suspend+0x53/0x80 + __pnp_bus_suspend+0x35/0xe0 + __device_suspend+0x10f/0x350 + +Fix this by calling tpm_try_get_ops(), which itself is a wrapper around +tpm_chip_start(), but takes the appropriate mutex. + +Signed-off-by: Jan Dabros +Reported-by: Vlastimil Babka +Tested-by: Jason A. Donenfeld +Tested-by: Vlastimil Babka +Link: https://lore.kernel.org/all/c5ba47ef-393f-1fba-30bd-1230d1b4b592@suse.cz/ +Cc: stable@vger.kernel.org +Fixes: e891db1a18bf ("tpm: turn on TPM on suspend for TPM 1.x") +[Jason: reworked commit message, added metadata] +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm-interface.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -401,13 +401,14 @@ int tpm_pm_suspend(struct device *dev) + !pm_suspend_via_firmware()) + goto suspended; + +- if (!tpm_chip_start(chip)) { ++ rc = tpm_try_get_ops(chip); ++ if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) + tpm2_shutdown(chip, TPM2_SU_STATE); + else + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + +- tpm_chip_stop(chip); ++ tpm_put_ops(chip); + } + + suspended: diff --git a/queue-6.0/input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch b/queue-6.0/input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch new file mode 100644 index 00000000000..ba17fbf5e59 --- /dev/null +++ b/queue-6.0/input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch @@ -0,0 +1,85 @@ +From 8c9a59939deb4bfafdc451100c03d1e848b4169b Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Fri, 2 Dec 2022 15:37:46 -0800 +Subject: Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() + +From: Zhang Xiaoxu + +commit 8c9a59939deb4bfafdc451100c03d1e848b4169b upstream. + +There is a kmemleak when test the raydium_i2c_ts with bpf mock device: + + unreferenced object 0xffff88812d3675a0 (size 8): + comm "python3", pid 349, jiffies 4294741067 (age 95.695s) + hex dump (first 8 bytes): + 11 0e 10 c0 01 00 04 00 ........ + backtrace: + [<0000000068427125>] __kmalloc+0x46/0x1b0 + [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] + [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts] + [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] + [<00000000a310de16>] i2c_device_probe+0x651/0x680 + [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 + [<00000000096ba499>] __driver_probe_device+0xe3/0x170 + [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 + [<00000000264fe082>] __device_attach_driver+0xf7/0x150 + [<00000000f919423c>] bus_for_each_drv+0x114/0x180 + [<00000000e067feca>] __device_attach+0x1e5/0x2d0 + [<0000000054301fc2>] bus_probe_device+0x126/0x140 + [<00000000aad93b22>] device_add+0x810/0x1130 + [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 + [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 + [<00000000ffec4177>] of_i2c_notify+0x100/0x160 + unreferenced object 0xffff88812d3675c8 (size 8): + comm "python3", pid 349, jiffies 4294741070 (age 95.692s) + hex dump (first 8 bytes): + 22 00 36 2d 81 88 ff ff ".6-.... + backtrace: + [<0000000068427125>] __kmalloc+0x46/0x1b0 + [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] + [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts] + [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] + [<00000000a310de16>] i2c_device_probe+0x651/0x680 + [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 + [<00000000096ba499>] __driver_probe_device+0xe3/0x170 + [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 + [<00000000264fe082>] __device_attach_driver+0xf7/0x150 + [<00000000f919423c>] bus_for_each_drv+0x114/0x180 + [<00000000e067feca>] __device_attach+0x1e5/0x2d0 + [<0000000054301fc2>] bus_probe_device+0x126/0x140 + [<00000000aad93b22>] device_add+0x810/0x1130 + [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 + [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 + [<00000000ffec4177>] of_i2c_notify+0x100/0x160 + +After BANK_SWITCH command from i2c BUS, no matter success or error +happened, the tx_buf should be freed. + +Fixes: 3b384bd6c3f2 ("Input: raydium_ts_i2c - do not split tx transactions") +Signed-off-by: Zhang Xiaoxu +Link: https://lore.kernel.org/r/20221202103412.2120169-1-zhangxiaoxu5@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/raydium_i2c_ts.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/raydium_i2c_ts.c ++++ b/drivers/input/touchscreen/raydium_i2c_ts.c +@@ -211,12 +211,14 @@ static int raydium_i2c_send(struct i2c_c + + error = raydium_i2c_xfer(client, addr, xfer, ARRAY_SIZE(xfer)); + if (likely(!error)) +- return 0; ++ goto out; + + msleep(RM_RETRY_DELAY_MS); + } while (++tries < RM_MAX_RETRIES); + + dev_err(&client->dev, "%s failed: %d\n", __func__, error); ++out: ++ kfree(tx_buf); + return error; + } + diff --git a/queue-6.0/powerpc-bpf-32-fix-oops-on-tail-call-tests.patch b/queue-6.0/powerpc-bpf-32-fix-oops-on-tail-call-tests.patch new file mode 100644 index 00000000000..3b3ee9cd3c2 --- /dev/null +++ b/queue-6.0/powerpc-bpf-32-fix-oops-on-tail-call-tests.patch @@ -0,0 +1,193 @@ +From 89d21e259a94f7d5582ec675aa445f5a79f347e4 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 24 Nov 2022 09:37:27 +0100 +Subject: powerpc/bpf/32: Fix Oops on tail call tests + +From: Christophe Leroy + +commit 89d21e259a94f7d5582ec675aa445f5a79f347e4 upstream. + +test_bpf tail call tests end up as: + + test_bpf: #0 Tail call leaf jited:1 85 PASS + test_bpf: #1 Tail call 2 jited:1 111 PASS + test_bpf: #2 Tail call 3 jited:1 145 PASS + test_bpf: #3 Tail call 4 jited:1 170 PASS + test_bpf: #4 Tail call load/store leaf jited:1 190 PASS + test_bpf: #5 Tail call load/store jited:1 + BUG: Unable to handle kernel data access on write at 0xf1b4e000 + Faulting instruction address: 0xbe86b710 + Oops: Kernel access of bad area, sig: 11 [#1] + BE PAGE_SIZE=4K MMU=Hash PowerMac + Modules linked in: test_bpf(+) + CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195 + Hardware name: PowerMac3,1 750CL 0x87210 PowerMac + NIP: be86b710 LR: be857e88 CTR: be86b704 + REGS: f1b4df20 TRAP: 0300 Not tainted (6.1.0-rc4+) + MSR: 00009032 CR: 28008242 XER: 00000000 + DAR: f1b4e000 DSISR: 42000000 + GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000 + GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8 + GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000 + GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00 + NIP [be86b710] 0xbe86b710 + LR [be857e88] __run_one+0xec/0x264 [test_bpf] + Call Trace: + [f1b4dfe0] [00000002] 0x2 (unreliable) + Instruction dump: + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX + ---[ end trace 0000000000000000 ]--- + +This is a tentative to write above the stack. The problem is encoutered +with tests added by commit 38608ee7b690 ("bpf, tests: Add load store +test case for tail call") + +This happens because tail call is done to a BPF prog with a different +stack_depth. At the time being, the stack is kept as is when the caller +tail calls its callee. But at exit, the callee restores the stack based +on its own properties. Therefore here, at each run, r1 is erroneously +increased by 32 - 16 = 16 bytes. + +This was done that way in order to pass the tail call count from caller +to callee through the stack. As powerpc32 doesn't have a red zone in +the stack, it was necessary the maintain the stack as is for the tail +call. But it was not anticipated that the BPF frame size could be +different. + +Let's take a new approach. Use register r4 to carry the tail call count +during the tail call, and save it into the stack at function entry if +required. This means the input parameter must be in r3, which is more +correct as it is a 32 bits parameter, then tail call better match with +normal BPF function entry, the down side being that we move that input +parameter back and forth between r3 and r4. That can be optimised later. + +Doing that also has the advantage of maximising the common parts between +tail calls and a normal function exit. + +With the fix, tail call tests are now successfull: + + test_bpf: #0 Tail call leaf jited:1 53 PASS + test_bpf: #1 Tail call 2 jited:1 115 PASS + test_bpf: #2 Tail call 3 jited:1 154 PASS + test_bpf: #3 Tail call 4 jited:1 165 PASS + test_bpf: #4 Tail call load/store leaf jited:1 101 PASS + test_bpf: #5 Tail call load/store jited:1 141 PASS + test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS + test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS + test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS + test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS + test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] + +Suggested-by: Naveen N. Rao +Fixes: 51c66ad849a7 ("powerpc/bpf: Implement extended BPF on PPC32") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Tested-by: Naveen N. Rao +Link: https://lore.kernel.org/r/757acccb7fbfc78efa42dcf3c974b46678198905.1669278887.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit_comp32.c | 52 +++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 31 deletions(-) + +--- a/arch/powerpc/net/bpf_jit_comp32.c ++++ b/arch/powerpc/net/bpf_jit_comp32.c +@@ -113,23 +113,19 @@ void bpf_jit_build_prologue(u32 *image, + { + int i; + +- /* First arg comes in as a 32 bits pointer. */ +- EMIT(PPC_RAW_MR(bpf_to_ppc(BPF_REG_1), _R3)); +- EMIT(PPC_RAW_LI(bpf_to_ppc(BPF_REG_1) - 1, 0)); ++ /* Initialize tail_call_cnt, to be skipped if we do tail calls. */ ++ EMIT(PPC_RAW_LI(_R4, 0)); ++ ++#define BPF_TAILCALL_PROLOGUE_SIZE 4 ++ + EMIT(PPC_RAW_STWU(_R1, _R1, -BPF_PPC_STACKFRAME(ctx))); + +- /* +- * Initialize tail_call_cnt in stack frame if we do tail calls. +- * Otherwise, put in NOPs so that it can be skipped when we are +- * invoked through a tail call. +- */ + if (ctx->seen & SEEN_TAILCALL) +- EMIT(PPC_RAW_STW(bpf_to_ppc(BPF_REG_1) - 1, _R1, +- bpf_jit_stack_offsetof(ctx, BPF_PPC_TC))); +- else +- EMIT(PPC_RAW_NOP()); ++ EMIT(PPC_RAW_STW(_R4, _R1, bpf_jit_stack_offsetof(ctx, BPF_PPC_TC))); + +-#define BPF_TAILCALL_PROLOGUE_SIZE 16 ++ /* First arg comes in as a 32 bits pointer. */ ++ EMIT(PPC_RAW_MR(bpf_to_ppc(BPF_REG_1), _R3)); ++ EMIT(PPC_RAW_LI(bpf_to_ppc(BPF_REG_1) - 1, 0)); + + /* + * We need a stack frame, but we don't necessarily need to +@@ -170,24 +166,24 @@ static void bpf_jit_emit_common_epilogue + for (i = BPF_PPC_NVR_MIN; i <= 31; i++) + if (bpf_is_seen_register(ctx, i)) + EMIT(PPC_RAW_LWZ(i, _R1, bpf_jit_stack_offsetof(ctx, i))); +-} +- +-void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx) +-{ +- EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_0))); +- +- bpf_jit_emit_common_epilogue(image, ctx); +- +- /* Tear down our stack frame */ + + if (ctx->seen & SEEN_FUNC) + EMIT(PPC_RAW_LWZ(_R0, _R1, BPF_PPC_STACKFRAME(ctx) + PPC_LR_STKOFF)); + ++ /* Tear down our stack frame */ + EMIT(PPC_RAW_ADDI(_R1, _R1, BPF_PPC_STACKFRAME(ctx))); + + if (ctx->seen & SEEN_FUNC) + EMIT(PPC_RAW_MTLR(_R0)); + ++} ++ ++void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx) ++{ ++ EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_0))); ++ ++ bpf_jit_emit_common_epilogue(image, ctx); ++ + EMIT(PPC_RAW_BLR()); + } + +@@ -244,7 +240,6 @@ static int bpf_jit_emit_tail_call(u32 *i + EMIT(PPC_RAW_RLWINM(_R3, b2p_index, 2, 0, 29)); + EMIT(PPC_RAW_ADD(_R3, _R3, b2p_bpf_array)); + EMIT(PPC_RAW_LWZ(_R3, _R3, offsetof(struct bpf_array, ptrs))); +- EMIT(PPC_RAW_STW(_R0, _R1, bpf_jit_stack_offsetof(ctx, BPF_PPC_TC))); + + /* + * if (prog == NULL) +@@ -255,19 +250,14 @@ static int bpf_jit_emit_tail_call(u32 *i + + /* goto *(prog->bpf_func + prologue_size); */ + EMIT(PPC_RAW_LWZ(_R3, _R3, offsetof(struct bpf_prog, bpf_func))); +- +- if (ctx->seen & SEEN_FUNC) +- EMIT(PPC_RAW_LWZ(_R0, _R1, BPF_PPC_STACKFRAME(ctx) + PPC_LR_STKOFF)); +- + EMIT(PPC_RAW_ADDIC(_R3, _R3, BPF_TAILCALL_PROLOGUE_SIZE)); +- +- if (ctx->seen & SEEN_FUNC) +- EMIT(PPC_RAW_MTLR(_R0)); +- + EMIT(PPC_RAW_MTCTR(_R3)); + + EMIT(PPC_RAW_MR(_R3, bpf_to_ppc(BPF_REG_1))); + ++ /* Put tail_call_cnt in r4 */ ++ EMIT(PPC_RAW_MR(_R4, _R0)); ++ + /* tear restore NVRs, ... */ + bpf_jit_emit_common_epilogue(image, ctx); + diff --git a/queue-6.0/series b/queue-6.0/series index ed3a5b721dd..96d1cedd439 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -119,3 +119,6 @@ i2c-imx-only-dma-messages-with-i2c_m_dma_safe-flag-s.patch acpi-hmat-remove-unnecessary-variable-initialization.patch acpi-hmat-fix-initiator-registration-for-single-init.patch revert-clocksource-drivers-riscv-events-are-stopped-.patch +char-tpm-protect-tpm_pm_suspend-with-locks.patch +input-raydium_ts_i2c-fix-memory-leak-in-raydium_i2c_send.patch +powerpc-bpf-32-fix-oops-on-tail-call-tests.patch -- 2.47.3