From 5068c48dd37bf7000d386062a434ec636923ff9f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 14 May 2021 15:46:42 +0200
Subject: [PATCH] 5.12-stable patches
added patches:
btrfs-fix-unmountable-seed-device-after-fstrim.patch
keys-trusted-fix-memory-leak-on-object-td.patch
tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
---
...unmountable-seed-device-after-fstrim.patch | 104 ++++++++++++++++++
...trusted-fix-memory-leak-on-object-td.patch | 46 ++++++++
...return-code-in-tpm2_get_cc_attrs_tbl.patch | 36 ++++++
...ing-to-tpm2-in-tpm_tis_gen_interrupt.patch | 49 +++++++++
...s-reserve-locality-in-tpm_tis_resume.patch | 47 ++++++++
5 files changed, 282 insertions(+)
create mode 100644 queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch
create mode 100644 queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch
create mode 100644 queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
create mode 100644 queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
create mode 100644 queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
diff --git a/queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch b/queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch
new file mode 100644
index 00000000000..8a8eef2b5ae
--- /dev/null
+++ b/queue-5.12/btrfs-fix-unmountable-seed-device-after-fstrim.patch
@@ -0,0 +1,104 @@
+From 5e753a817b2d5991dfe8a801b7b1e8e79a1c5a20 Mon Sep 17 00:00:00 2001
+From: Anand Jain
+Date: Fri, 30 Apr 2021 19:59:51 +0800
+Subject: btrfs: fix unmountable seed device after fstrim
+
+From: Anand Jain
+
+commit 5e753a817b2d5991dfe8a801b7b1e8e79a1c5a20 upstream.
+
+The following test case reproduces an issue of wrongly freeing in-use
+blocks on the readonly seed device when fstrim is called on the rw sprout
+device. As shown below.
+
+Create a seed device and add a sprout device to it:
+
+ $ mkfs.btrfs -fq -dsingle -msingle /dev/loop0
+ $ btrfstune -S 1 /dev/loop0
+ $ mount /dev/loop0 /btrfs
+ $ btrfs dev add -f /dev/loop1 /btrfs
+ BTRFS info (device loop0): relocating block group 290455552 flags system
+ BTRFS info (device loop0): relocating block group 1048576 flags system
+ BTRFS info (device loop0): disk added /dev/loop1
+ $ umount /btrfs
+
+Mount the sprout device and run fstrim:
+
+ $ mount /dev/loop1 /btrfs
+ $ fstrim /btrfs
+ $ umount /btrfs
+
+Now try to mount the seed device, and it fails:
+
+ $ mount /dev/loop0 /btrfs
+ mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
+
+Block 5292032 is missing on the readonly seed device:
+
+ $ dmesg -kt | tail
+
+ BTRFS error (device loop0): bad tree block start, want 5292032 have 0
+ BTRFS warning (device loop0): couldn't read-tree root
+ BTRFS error (device loop0): open_ctree failed
+
+From the dump-tree of the seed device (taken before the fstrim). Block
+5292032 belonged to the block group starting at 5242880:
+
+ $ btrfs inspect dump-tree -e /dev/loop0 | grep -A1 BLOCK_GROUP
+
+ item 3 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16169 itemsize 24
+ block group used 114688 chunk_objectid 256 flags METADATA
+
+
+From the dump-tree of the sprout device (taken before the fstrim).
+fstrim used block-group 5242880 to find the related free space to free:
+
+ $ btrfs inspect dump-tree -e /dev/loop1 | grep -A1 BLOCK_GROUP
+
+ item 1 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16226 itemsize 24
+ block group used 32768 chunk_objectid 256 flags METADATA
+
+
+BPF kernel tracing the fstrim command finds the missing block 5292032
+within the range of the discarded blocks as below:
+
+ kprobe:btrfs_discard_extent {
+ printf("freeing start %llu end %llu num_bytes %llu:\n",
+ arg1, arg1+arg2, arg2);
+ }
+
+ freeing start 5259264 end 5406720 num_bytes 147456
+
+
+Fix this by avoiding the discard command to the readonly seed device.
+
+Reported-by: Chris Murphy
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Filipe Manana
+Signed-off-by: Anand Jain
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/extent-tree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1340,12 +1340,16 @@ int btrfs_discard_extent(struct btrfs_fs
+ stripe = bbio->stripes;
+ for (i = 0; i < bbio->num_stripes; i++, stripe++) {
+ u64 bytes;
++ struct btrfs_device *device = stripe->dev;
+
+- if (!stripe->dev->bdev) {
++ if (!device->bdev) {
+ ASSERT(btrfs_test_opt(fs_info, DEGRADED));
+ continue;
+ }
+
++ if (!test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state))
++ continue;
++
+ ret = do_discard_extent(stripe, &bytes);
+ if (!ret) {
+ discarded_bytes += bytes;
diff --git a/queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch b/queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch
new file mode 100644
index 00000000000..fa092195e12
--- /dev/null
+++ b/queue-5.12/keys-trusted-fix-memory-leak-on-object-td.patch
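Review bot: The new `BTRFS_DEV_STATE_WRITEABLE` test in the stripe loop of btrfs_discard_extent() (fs/btrfs/extent-tree.c) carries no comment, so without the commit message a reader cannot tell that it exists to keep discards off a read-only seed device whose blocks are still in use. I would add a comment above it, e.g. `/* Never discard on a non-writeable (seed) device: its blocks may still be in use */`. A skipped stripe also adds nothing to `discarded_bytes` and leaves `ret` untouched, so a caller cannot tell a skipped range from one that had nothing to trim. Whether that matters depends on code outside the hunk, because the loop and the function both continue past the last line shown.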
@@ -0,0 +1,46 @@
+From 83a775d5f9bfda95b1c295f95a3a041a40c7f321 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 30 Apr 2021 12:37:24 +0100
+Subject: KEYS: trusted: Fix memory leak on object td
+
+From: Colin Ian King
+
+commit 83a775d5f9bfda95b1c295f95a3a041a40c7f321 upstream.
+
+Two error return paths are neglecting to free allocated object td,
+causing a memory leak. Fix this by returning via the error return
+path that securely kfree's td.
+
+Fixes clang scan-build warning:
+security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential
+memory leak [unix.Malloc]
+
+Cc: stable@vger.kernel.org
+Fixes: 5df16caada3f ("KEYS: trusted: Fix incorrect handling of tpm_get_random()")
+Signed-off-by: Colin Ian King
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/trusted-keys/trusted_tpm1.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm1.c
++++ b/security/keys/trusted-keys/trusted_tpm1.c
+@@ -500,10 +500,12 @@ static int tpm_seal(struct tpm_buf *tb,
+
+ ret = tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- if (ret != TPM_NONCE_SIZE)
+- return -EIO;
++ if (ret != TPM_NONCE_SIZE) {
++ ret = -EIO;
++ goto out;
++ }
+
+ ordinal = htonl(TPM_ORD_SEAL);
+ datsize = htonl(datalen);
diff --git a/queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch b/queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
new file mode 100644
index 00000000000..7de5f409842
--- /dev/null
+++ b/queue-5.12/tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
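Review bot: Nothing at the `tpm_get_random()` call in tpm_seal() (security/keys/trusted-keys/trusted_tpm1.c) records why a plain `return` is wrong there, which is how the two leaking exits came in with the commit named in the Fixes: tag. A one-line comment above the call, such as `/* td is allocated above: every exit from here on must go through out: */`, would protect the next edit. The allocation of `td` and the `out:` label are both outside the hunk, so the commit message's statement that this path frees `td` securely cannot be confirmed from the lines shown. Since `td` holds at least the `nonceodd` session nonce, it is worth checking that the free at `out:` clears the buffer before releasing it.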
@@ -0,0 +1,36 @@
+From 1df83992d977355177810c2b711afc30546c81ce Mon Sep 17 00:00:00 2001
+From: Zhen Lei
+Date: Wed, 12 May 2021 21:39:26 +0800
+Subject: tpm: fix error return code in tpm2_get_cc_attrs_tbl()
+
+From: Zhen Lei
+
+commit 1df83992d977355177810c2b711afc30546c81ce upstream.
+
+If the total number of commands queried through TPM2_CAP_COMMANDS is
+different from that queried through TPM2_CC_GET_CAPABILITY, it indicates
+an unknown error. In this case, an appropriate error code -EFAULT should
+be returned. However, we currently do not explicitly assign this error
+code to 'rc'. As a result, 0 was incorrectly returned.
+
+Cc: stable@vger.kernel.org
+Fixes: 58472f5cd4f6("tpm: validate TPM 2.0 commands")
+Reported-by: Hulk Robot
+Signed-off-by: Zhen Lei
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm2-cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -656,6 +656,7 @@ int tpm2_get_cc_attrs_tbl(struct tpm_chi
+
+ if (nr_commands !=
+ be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) {
++ rc = -EFAULT;
+ tpm_buf_destroy(&buf);
+ goto out;
+ }
diff --git a/queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch b/queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
new file mode 100644
index 00000000000..0f0a9ddf236
--- /dev/null
+++ b/queue-5.12/tpm-tpm_tis-extend-locality-handling-to-tpm2-in-tpm_tis_gen_interrupt.patch
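Review bot: `rc = -EFAULT` in tpm2_get_cc_attrs_tbl() (drivers/char/tpm/tpm2-cmd.c) reports an inconsistent device response with the errno that conventionally means a bad address, which will mislead whoever reads the failure in a log. If the value is kept for consistency with the rest of the function, which this hunk does not show, the branch deserves a comment such as `/* TPM returned a different command count than first reported; reject the table */`. The comparison also reads a 32-bit field at the fixed offset `TPM_HEADER_SIZE + 5` in the response buffer. Any length check that makes that read safe lies outside the hunk and is worth confirming, because the response comes from the device.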
@@ -0,0 +1,49 @@
+From e630af7dfb450d1c00c30077314acf33032ff9e4 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 10 May 2021 15:28:30 +0300
+Subject: tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt()
+
+From: Jarkko Sakkinen
+
+commit e630af7dfb450d1c00c30077314acf33032ff9e4 upstream.
+
+The earlier fix (linked) only partially fixed the locality handling bug
+in tpm_tis_gen_interrupt(), i.e. only for TPM 1.x.
+
+Extend the locality handling to cover TPM2.
+
+Cc: Hans de Goede
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/linux-integrity/20210220125534.20707-1-jarkko@kernel.org/
+Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
+Reported-by: Lino Sanfilippo
+Signed-off-by: Jarkko Sakkinen
+Tested-by: Lino Sanfilippo
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis_core.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -709,16 +709,14 @@ static int tpm_tis_gen_interrupt(struct
+ cap_t cap;
+ int ret;
+
+- /* TPM 2.0 */
+- if (chip->flags & TPM_CHIP_FLAG_TPM2)
+- return tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
+-
+- /* TPM 1.2 */
+ ret = request_locality(chip, 0);
+ if (ret < 0)
+ return ret;
+
+- ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
++ ret = tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
++ else
++ ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
+
+ release_locality(chip, 0);
+
diff --git a/queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch b/queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
new file mode 100644
index 00000000000..b3d10adeab9
--- /dev/null
+++ b/queue-5.12/tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
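Review bot: The property id `0x100` passed to `tpm2_get_tpm_pt()` in tpm_tis_gen_interrupt() (drivers/char/tpm/tpm_tis_core.c) is a bare magic number, and the patch also drops the `/* TPM 2.0 */` and `/* TPM 1.2 */` comments that at least labelled the two paths. A short comment above the merged `if`/`else` should say which property `0x100` is. It should also say that locality 0 has to be held around either capability read, which is the whole point of the fix. The `return` that follows `release_locality(chip, 0)` is outside the hunk, so I assume rather than see that `ret` from the capability read is what the function returns.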
@@ -0,0 +1,47 @@
+From 8a2d296aaebadd68d9c1f6908667df1d1c84c051 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 10 May 2021 15:28:31 +0300
+Subject: tpm, tpm_tis: Reserve locality in tpm_tis_resume()
+
+From: Jarkko Sakkinen
+
+commit 8a2d296aaebadd68d9c1f6908667df1d1c84c051 upstream.
+
+Reserve locality in tpm_tis_resume(), as it could be unsert after waking
+up from a sleep state.
+
+Cc: stable@vger.kernel.org
+Cc: Lino Sanfilippo
+Reported-by: Hans de Goede
+Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_tis_core.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -1125,12 +1125,20 @@ int tpm_tis_resume(struct device *dev)
+ if (ret)
+ return ret;
+
+- /* TPM 1.2 requires self-test on resume. This function actually returns
++ /*
++ * TPM 1.2 requires self-test on resume. This function actually returns
+ * an error code but for unknown reason it isn't handled.
+ */
+- if (!(chip->flags & TPM_CHIP_FLAG_TPM2))
++ if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
++ ret = request_locality(chip, 0);
++ if (ret < 0)
++ return ret;
++
+ tpm1_do_selftest(chip);
+
++ release_locality(chip, 0);
++ }
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(tpm_tis_resume);
--
2.47.3
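Review bot: The result of `tpm1_do_selftest(chip)` in tpm_tis_resume() (drivers/char/tpm/tpm_tis_core.c) is still discarded, although the reflowed comment directly above says the function returns an error code and the new code does propagate a `request_locality()` failure. As far as this hunk shows, a TPM 1.2 that fails its self-test after resume would stay in service with no trace in the log. If failing the resume is considered too disruptive, at least record the result by replacing the bare call with `ret = tpm1_do_selftest(chip);` and `if (ret) dev_warn(dev, "TPM self-test failed on resume: %d\n", ret);`, keeping it ahead of `release_locality(chip, 0)`. The start of the function is outside the hunk.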