From bef5c23d692cc5a44d1c59ecad53fa1217e7f6da Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 9 May 2021 15:51:12 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
intel_th-pci-add-alder-lake-m-support.patch
jffs2-fix-kasan-slab-out-of-bounds-problem.patch
mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
tpm-efi-use-local-variable-for-calculating-final-log-size.patch
tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
---
 ...t-mappings-on-watchdow-probe-failure.patch | 82 +++++++++++
 ..._reset-refcounting-when-crypto_stats.patch | 54 +++++++
 ...tion-for-touch-indication-on-ili210x.patch | 33 +++++
 ...ntel_th-pci-add-alder-lake-m-support.patch | 34 +++++
 ...fix-kasan-slab-out-of-bounds-problem.patch | 138 ++++++++++++++++++
 ...gress-rif-list-before-route-s-action.patch | 99 +++++++++++++
 ...-segments-that-are-marked-for-return.patch | 43 ++++++
 ...ed-for-return-in-_pnfs_return_layout.patch | 33 +++++
 ...-read-while-fragmenting-ipv4-packets.patch | 116 +++++++++++++++
 ...dling-for-hugepages-in-ioremap-space.patch | 119 +++++++++++++++
 ...definition-error-in-uapi-asm-errno.h.patch | 53 +++++++
 queue-5.4/series | 13 ++
 ...iable-for-calculating-final-log-size.patch | 119 +++++++++++++++
 ...host-log-when-using-a-virtual-device.patch | 36 +++++
 14 files changed, 972 insertions(+)
 create mode 100644 queue-5.4/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
 create mode 100644 queue-5.4/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
 create mode 100644 queue-5.4/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
 create mode 100644 queue-5.4/intel_th-pci-add-alder-lake-m-support.patch
 create mode 100644 queue-5.4/jffs2-fix-kasan-slab-out-of-bounds-problem.patch
 create mode 100644 queue-5.4/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
 create mode 100644 queue-5.4/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
 create mode 100644 queue-5.4/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
 create mode 100644 queue-5.4/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
 create mode 100644 queue-5.4/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
 create mode 100644 queue-5.4/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
 create mode 100644 queue-5.4/tpm-efi-use-local-variable-for-calculating-final-log-size.patch
 create mode 100644 queue-5.4/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
diff --git a/queue-5.4/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch b/queue-5.4/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
new file mode 100644
index 00000000000..64a2fd752c1
--- /dev/null
+++ b/queue-5.4/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
@@ -0,0 +1,82 @@
+From 1ecd5b129252249b9bc03d7645a7bda512747277 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Wed, 21 Apr 2021 17:43:16 +0100
+Subject: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure
+
+From: Marc Zyngier
+
+commit 1ecd5b129252249b9bc03d7645a7bda512747277 upstream.
+
+When failing the driver probe because of invalid firmware properties,
+the GTDT driver unmaps the interrupt that it mapped earlier.
+
+However, it never checks whether the mapping of the interrupt actially
+succeeded. Even more, should the firmware report an illegal interrupt
+number that overlaps with the GIC SGI range, this can result in an
+IPI being unmapped, and subsequent fireworks (as reported by Dann
+Frazier).
+
+Rework the driver to have a slightly saner behaviour and actually
+check whether the interrupt has been mapped before unmapping things.
+
+Reported-by: dann frazier
+Fixes: ca9ae5ec4ef0 ("acpi/arm64: Add SBSA Generic Watchdog support in GTDT driver")
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/YH87dtTfwYgavusz@xps13.dannf
+Cc:
+Cc: Fu Wei
+Reviewed-by: Sudeep Holla
+Tested-by: dann frazier
+Tested-by: Hanjun Guo
+Reviewed-by: Hanjun Guo
+Reviewed-by: Lorenzo Pieralisi
+Link: https://lore.kernel.org/r/20210421164317.1718831-2-maz@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/arm64/gtdt.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/arm64/gtdt.c
++++ b/drivers/acpi/arm64/gtdt.c
+@@ -329,7 +329,7 @@ static int __init gtdt_import_sbsa_gwdt(
+ int index)
+ {
+ struct platform_device *pdev;
+- int irq = map_gt_gsi(wd->timer_interrupt, wd->timer_flags);
++ int irq;
+
+ /*
+ * According to SBSA specification the size of refresh and control
+@@ -338,7 +338,7 @@ static int __init gtdt_import_sbsa_gwdt(
+ struct resource res[] = {
+ DEFINE_RES_MEM(wd->control_frame_address, SZ_4K),
+ DEFINE_RES_MEM(wd->refresh_frame_address, SZ_4K),
+- DEFINE_RES_IRQ(irq),
++ {},
+ };
+ int nr_res = ARRAY_SIZE(res);
+
+@@ -348,10 +348,11 @@ static int __init gtdt_import_sbsa_gwdt(
+
+ if (!(wd->refresh_frame_address && wd->control_frame_address)) {
+ pr_err(FW_BUG "failed to get the Watchdog base address.\n");
+- acpi_unregister_gsi(wd->timer_interrupt);
+ return -EINVAL;
+ }
+
++ irq = map_gt_gsi(wd->timer_interrupt, wd->timer_flags);
++ res[2] = (struct resource)DEFINE_RES_IRQ(irq);
+ if (irq <= 0) {
+ pr_warn("failed to map the Watchdog interrupt.\n");
+ nr_res--;
+@@ -364,7 +365,8 @@ static int __init gtdt_import_sbsa_gwdt(
+ */
+ pdev = platform_device_register_simple("sbsa-gwdt", index, res, nr_res);
+ if (IS_ERR(pdev)) {
+- acpi_unregister_gsi(wd->timer_interrupt);
++ if (irq > 0)
++ acpi_unregister_gsi(wd->timer_interrupt);
+ return PTR_ERR(pdev);
+ }
+
diff --git a/queue-5.4/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch b/queue-5.4/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
new file mode 100644
index 00000000000..a5cc234e52d
--- /dev/null
+++ b/queue-5.4/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
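Review bot: In the gtdt.c hunk at -348, `res[2]` is filled from `irq` before the `irq <= 0` test, so after a failed mapping the array holds an IRQ resource built from an invalid number and only `nr_res--` keeps it away from platform_device_register_simple(). Filling the slot on the success path alone makes that dependency explicit, e.g. an else branch with `res[2] = (struct resource)DEFINE_RES_IRQ(irq);`. gtdt_import_sbsa_gwdt() starts and ends outside the quoted hunks, so whether anything else reads `res[2]` cannot be seen from here.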
@@ -0,0 +1,54 @@
+From 30d0f6a956fc74bb2e948398daf3278c6b08c7e9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Sun, 21 Mar 2021 22:07:48 -0700
+Subject: crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS
+
+From: Eric Biggers
+
+commit 30d0f6a956fc74bb2e948398daf3278c6b08c7e9 upstream.
+
+crypto_stats_get() is a no-op when the kernel is compiled without
+CONFIG_CRYPTO_STATS, so pairing it with crypto_alg_put() unconditionally
+(as crypto_rng_reset() does) is wrong.
+
+Fix this by moving the call to crypto_stats_get() to just before the
+actual algorithm operation which might need it. This makes it always
+paired with crypto_stats_rng_seed().
+
+Fixes: eed74b3eba9e ("crypto: rng - Fix a refcounting bug in crypto_rng_reset()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/rng.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/crypto/rng.c
++++ b/crypto/rng.c
+@@ -34,22 +34,18 @@ int crypto_rng_reset(struct crypto_rng *
+ u8 *buf = NULL;
+ int err;
+
+- crypto_stats_get(alg);
+ if (!seed && slen) {
+ buf = kmalloc(slen, GFP_KERNEL);
+- if (!buf) {
+- crypto_alg_put(alg);
++ if (!buf)
+ return -ENOMEM;
+- }
+
+ err = get_random_bytes_wait(buf, slen);
+- if (err) {
+- crypto_alg_put(alg);
++ if (err)
+ goto out;
+- }
+ seed = buf;
+ }
+
++ crypto_stats_get(alg);
+ err = crypto_rng_alg(tfm)->seed(tfm, seed, slen);
+ crypto_stats_rng_seed(alg, err);
+ out:
diff --git a/queue-5.4/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch b/queue-5.4/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
new file mode 100644
index 00000000000..16dee1c2284
--- /dev/null
+++ b/queue-5.4/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
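Review bot: The relocated `crypto_stats_get(alg)` in crypto_rng_reset() is only balanced because, per the commit message, crypto_stats_rng_seed() is its counterpart, and the early `return -ENOMEM` and `goto out` are only correct because they now run before it; none of that is stated in the code. A comment on the added line would keep a later reordering from reintroducing the imbalance, for example `/* paired with crypto_stats_rng_seed(); must stay after the last early exit */`. The start of the function and the code after `out:` are outside the hunk.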
@@ -0,0 +1,33 @@
+From ac05a8a927e5a1027592d8f98510a511dadeed14 Mon Sep 17 00:00:00 2001
+From: Hansem Ro
+Date: Thu, 6 May 2021 13:27:10 -0700
+Subject: Input: ili210x - add missing negation for touch indication on ili210x
+
+From: Hansem Ro
+
+commit ac05a8a927e5a1027592d8f98510a511dadeed14 upstream.
+
+This adds the negation needed for proper finger detection on Ilitek
+ili2107/ili210x. This fixes polling issues (on Amazon Kindle Fire)
+caused by returning false for the cooresponding finger on the touchscreen.
+
+Signed-off-by: Hansem Ro
+Fixes: e3559442afd2a ("ili210x - rework the touchscreen sample processing")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/ili210x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ili210x.c
++++ b/drivers/input/touchscreen/ili210x.c
+@@ -109,7 +109,7 @@ static bool ili210x_touchdata_to_coords(
+ if (finger >= ILI210X_TOUCHES)
+ return false;
+
+- if (touchdata[0] & BIT(finger))
++ if (!(touchdata[0] & BIT(finger)))
+ return false;
+
+ *x = get_unaligned_be16(touchdata + 1 + (finger * 4) + 0);
diff --git a/queue-5.4/intel_th-pci-add-alder-lake-m-support.patch b/queue-5.4/intel_th-pci-add-alder-lake-m-support.patch
new file mode 100644
index 00000000000..0e83ca3c512
--- /dev/null
+++ b/queue-5.4/intel_th-pci-add-alder-lake-m-support.patch
@@ -0,0 +1,34 @@
+From 48cb17531b15967d9d3f34c770a25cc6c4ca6ad1 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Wed, 14 Apr 2021 20:12:51 +0300
+Subject: intel_th: pci: Add Alder Lake-M support
+
+From: Alexander Shishkin
+
+commit 48cb17531b15967d9d3f34c770a25cc6c4ca6ad1 upstream.
+
+This adds support for the Trace Hub in Alder Lake-M PCH.
+
+Signed-off-by: Alexander Shishkin
+Reviewed-by: Andy Shevchenko
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20210414171251.14672-8-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -269,6 +269,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Alder Lake-M */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x54a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Rocket Lake CPU */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4c19),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
diff --git a/queue-5.4/jffs2-fix-kasan-slab-out-of-bounds-problem.patch b/queue-5.4/jffs2-fix-kasan-slab-out-of-bounds-problem.patch
new file mode 100644
index 00000000000..6711db4d68f
--- /dev/null
+++ b/queue-5.4/jffs2-fix-kasan-slab-out-of-bounds-problem.patch
@@ -0,0 +1,138 @@
+From 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 Mon Sep 17 00:00:00 2001
+From: lizhe
+Date: Thu, 18 Mar 2021 11:06:57 +0800
+Subject: jffs2: Fix kasan slab-out-of-bounds problem
+
+From: lizhe
+
+commit 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 upstream.
+
+KASAN report a slab-out-of-bounds problem. The logs are listed below.
+It is because in function jffs2_scan_dirent_node, we alloc "checkedlen+1"
+bytes for fd->name and we check crc with length rd->nsize. If checkedlen
+is less than rd->nsize, it will cause the slab-out-of-bounds problem.
+
+jffs2: Dirent at *** has zeroes in name. Truncating to %d char
+==================================================================
+BUG: KASAN: slab-out-of-bounds in crc32_le+0x1ce/0x260 at addr ffff8800842cf2d1
+Read of size 1 by task test_JFFS2/915
+=============================================================================
+BUG kmalloc-64 (Tainted: G B O ): kasan: bad access detected
+-----------------------------------------------------------------------------
+INFO: Allocated in jffs2_alloc_full_dirent+0x2a/0x40 age=0 cpu=1 pid=915
+ ___slab_alloc+0x580/0x5f0
+ __slab_alloc.isra.24+0x4e/0x64
+ __kmalloc+0x170/0x300
+ jffs2_alloc_full_dirent+0x2a/0x40
+ jffs2_scan_eraseblock+0x1ca4/0x3b64
+ jffs2_scan_medium+0x285/0xfe0
+ jffs2_do_mount_fs+0x5fb/0x1bbc
+ jffs2_do_fill_super+0x245/0x6f0
+ jffs2_fill_super+0x287/0x2e0
+ mount_mtd_aux.isra.0+0x9a/0x144
+ mount_mtd+0x222/0x2f0
+ jffs2_mount+0x41/0x60
+ mount_fs+0x63/0x230
+ vfs_kern_mount.part.6+0x6c/0x1f4
+ do_mount+0xae8/0x1940
+ SyS_mount+0x105/0x1d0
+INFO: Freed in jffs2_free_full_dirent+0x22/0x40 age=27 cpu=1 pid=915
+ __slab_free+0x372/0x4e4
+ kfree+0x1d4/0x20c
+ jffs2_free_full_dirent+0x22/0x40
+ jffs2_build_remove_unlinked_inode+0x17a/0x1e4
+ jffs2_do_mount_fs+0x1646/0x1bbc
+ jffs2_do_fill_super+0x245/0x6f0
+ jffs2_fill_super+0x287/0x2e0
+ mount_mtd_aux.isra.0+0x9a/0x144
+ mount_mtd+0x222/0x2f0
+ jffs2_mount+0x41/0x60
+ mount_fs+0x63/0x230
+ vfs_kern_mount.part.6+0x6c/0x1f4
+ do_mount+0xae8/0x1940
+ SyS_mount+0x105/0x1d0
+ entry_SYSCALL_64_fastpath+0x1e/0x97
+Call Trace:
+ [] dump_stack+0x59/0x7e
+ [] print_trailer+0x125/0x1b0
+ [] object_err+0x34/0x40
+ [] kasan_report.part.1+0x21f/0x534
+ [] ? vprintk+0x2d/0x40
+ [] ? crc32_le+0x1ce/0x260
+ [] kasan_report+0x26/0x30
+ [] __asan_load1+0x3d/0x50
+ [] crc32_le+0x1ce/0x260
+ [] ? jffs2_alloc_full_dirent+0x2a/0x40
+ [] jffs2_scan_eraseblock+0x1d0c/0x3b64
+ [] ? jffs2_scan_medium+0xccf/0xfe0
+ [] ? jffs2_scan_make_ino_cache+0x14c/0x14c
+ [] ? kasan_unpoison_shadow+0x35/0x50
+ [] ? kasan_unpoison_shadow+0x35/0x50
+ [] ? kasan_kmalloc+0x5e/0x70
+ [] ? kmem_cache_alloc_trace+0x10c/0x2cc
+ [] ? mtd_point+0xf7/0x130
+ [] jffs2_scan_medium+0x285/0xfe0
+ [] ? jffs2_scan_eraseblock+0x3b64/0x3b64
+ [] ? kasan_unpoison_shadow+0x35/0x50
+ [] ? kasan_unpoison_shadow+0x35/0x50
+ [] ? kasan_kmalloc+0x5e/0x70
+ [] ? __kmalloc+0x12b/0x300
+ [] ? kasan_kmalloc+0x5e/0x70
+ [] ? jffs2_sum_init+0x9f/0x240
+ [] jffs2_do_mount_fs+0x5fb/0x1bbc
+ [] ? jffs2_del_noinode_dirent+0x640/0x640
+ [] ? kasan_kmalloc+0x5e/0x70
+ [] ? __init_rwsem+0x97/0xac
+ [] jffs2_do_fill_super+0x245/0x6f0
+ [] jffs2_fill_super+0x287/0x2e0
+ [] ? jffs2_parse_options+0x594/0x594
+ [] mount_mtd_aux.isra.0+0x9a/0x144
+ [] mount_mtd+0x222/0x2f0
+ [] ? jffs2_parse_options+0x594/0x594
+ [] ? mount_mtd_aux.isra.0+0x144/0x144
+ [] ? free_pages+0x13/0x1c
+ [] ? selinux_sb_copy_data+0x278/0x2e0
+ [] jffs2_mount+0x41/0x60
+ [] mount_fs+0x63/0x230
+ [] ? alloc_vfsmnt+0x32f/0x3b0
+ [] vfs_kern_mount.part.6+0x6c/0x1f4
+ [] do_mount+0xae8/0x1940
+ [] ? audit_filter_rules.constprop.6+0x1d10/0x1d10
+ [] ? copy_mount_string+0x40/0x40
+ [] ? alloc_pages_current+0xa4/0x1bc
+ [] ? __get_free_pages+0x25/0x50
+ [] ? copy_mount_options.part.17+0x183/0x264
+ [] SyS_mount+0x105/0x1d0
+ [] ? copy_mnt_ns+0x560/0x560
+ [] ? msa_space_switch_handler+0x13d/0x190
+ [] entry_SYSCALL_64_fastpath+0x1e/0x97
+ [] ? msa_space_switch+0xb0/0xe0
+Memory state around the buggy address:
+ ffff8800842cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8800842cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8800842cf280: fc fc fc fc fc fc 00 00 00 00 01 fc fc fc fc fc
+ ^
+ ffff8800842cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8800842cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Cc: stable@vger.kernel.org
+Reported-by: Kunkun Xu
+Signed-off-by: lizhe
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jffs2/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/scan.c
++++ b/fs/jffs2/scan.c
+@@ -1078,7 +1078,7 @@ static int jffs2_scan_dirent_node(struct
+ memcpy(&fd->name, rd->name, checkedlen);
+ fd->name[checkedlen] = 0;
+
+- crc = crc32(0, fd->name, rd->nsize);
++ crc = crc32(0, fd->name, checkedlen);
+ if (crc != je32_to_cpu(rd->name_crc)) {
+ pr_notice("%s(): Name CRC failed on node at 0x%08x: Read 0x%08x, calculated 0x%08x\n",
+ __func__, ofs, je32_to_cpu(rd->name_crc), crc);
diff --git a/queue-5.4/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch b/queue-5.4/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
new file mode 100644
index 00000000000..3812ff3122c
--- /dev/null
+++ b/queue-5.4/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
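Review bot: With `crc32(0, fd->name, checkedlen)` in jffs2_scan_dirent_node() the name CRC is computed over the truncated length, while `rd->name_crc` comes from the medium and presumably covers `rd->nsize` bytes, so whenever the name was truncated (checkedlen < rd->nsize) the comparison would be expected to fail and the dirent to take the "Name CRC failed" path. Rejecting such a node read from the medium is a safe outcome, but it is implicit in the code. A comment on the changed line would record it, e.g. `/* checkedlen, not rd->nsize: fd->name holds only checkedlen + 1 bytes; a truncated name is expected to fail the CRC */`. How checkedlen is derived and what follows the mismatch branch are outside the hunk.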
@@ -0,0 +1,99 @@
+From cbaf3f6af9c268caf558c8e7ec52bcb35c5455dd Mon Sep 17 00:00:00 2001
+From: Ido Schimmel
+Date: Thu, 6 May 2021 10:23:08 +0300
+Subject: mlxsw: spectrum_mr: Update egress RIF list before route's action
+
+From: Ido Schimmel
+
+commit cbaf3f6af9c268caf558c8e7ec52bcb35c5455dd upstream.
+
+Each multicast route that is forwarding packets (as opposed to trapping
+them) points to a list of egress router interfaces (RIFs) through which
+packets are replicated.
+
+A route's action can transition from trap to forward when a RIF is
+created for one of the route's egress virtual interfaces (eVIF). When
+this happens, the route's action is first updated and only later the
+list of egress RIFs is committed to the device.
+
+This results in the route pointing to an invalid list. In case the list
+pointer is out of range (due to uninitialized memory), the device will
+complain:
+
+mlxsw_spectrum2 0000:06:00.0: EMAD reg access failed (tid=5733bf490000905c,reg_id=300f(pefa),type=write,status=7(bad parameter))
+
+Fix this by first committing the list of egress RIFs to the device and
+only later update the route's action.
+
+Note that a fix is not needed in the reverse function (i.e.,
+mlxsw_sp_mr_route_evif_unresolve()), as there the route's action is
+first updated and only later the RIF is removed from the list.
+
+Cc: stable@vger.kernel.org
+Fixes: c011ec1bbfd6 ("mlxsw: spectrum: Add the multicast routing offloading logic")
+Signed-off-by: Ido Schimmel
+Reviewed-by: Petr Machata
+Link: https://lore.kernel.org/r/20210506072308.3834303-1-idosch@idosch.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 30 +++++++++++-----------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
+@@ -524,6 +524,16 @@ mlxsw_sp_mr_route_evif_resolve(struct ml
+ u16 erif_index = 0;
+ int err;
+
++ /* Add the eRIF */
++ if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) {
++ erif_index = mlxsw_sp_rif_index(rve->mr_vif->rif);
++ err = mr->mr_ops->route_erif_add(mlxsw_sp,
++ rve->mr_route->route_priv,
++ erif_index);
++ if (err)
++ return err;
++ }
++
+ /* Update the route action, as the new eVIF can be a tunnel or a pimreg
+ * device which will require updating the action.
+ */
+@@ -533,17 +543,7 @@ mlxsw_sp_mr_route_evif_resolve(struct ml
+ rve->mr_route->route_priv,
+ route_action);
+ if (err)
+- return err;
+- }
+-
+- /* Add the eRIF */
+- if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) {
+- erif_index = mlxsw_sp_rif_index(rve->mr_vif->rif);
+- err = mr->mr_ops->route_erif_add(mlxsw_sp,
+- rve->mr_route->route_priv,
+- erif_index);
+- if (err)
+- goto err_route_erif_add;
++ goto err_route_action_update;
+ }
+
+ /* Update the minimum MTU */
+@@ -561,14 +561,14 @@ mlxsw_sp_mr_route_evif_resolve(struct ml
+ return 0;
+
+ err_route_min_mtu_update:
+- if (mlxsw_sp_mr_vif_valid(rve->mr_vif))
+- mr->mr_ops->route_erif_del(mlxsw_sp, rve->mr_route->route_priv,
+- erif_index);
+-err_route_erif_add:
+ if (route_action != rve->mr_route->route_action)
+ mr->mr_ops->route_action_update(mlxsw_sp,
+ rve->mr_route->route_priv,
+ rve->mr_route->route_action);
++err_route_action_update:
++ if (mlxsw_sp_mr_vif_valid(rve->mr_vif))
++ mr->mr_ops->route_erif_del(mlxsw_sp, rve->mr_route->route_priv,
++ erif_index);
+ return err;
+ }
+
diff --git a/queue-5.4/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch b/queue-5.4/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
new file mode 100644
index 00000000000..49a459f426e
--- /dev/null
+++ b/queue-5.4/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
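Review bot: The ordering constraint this change establishes in mlxsw_sp_mr_route_evif_resolve() is not recorded in the code: the moved block still carries only `/* Add the eRIF */`, and the unwind labels now have to mirror that order. Expanding the comment would keep a later refactor from swapping the two steps back, e.g. `/* Add the eRIF first: the egress RIF list must be committed to the device before the action can switch to forward */`. The start of the function and the MTU update between the hunks are not visible here.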
@@ -0,0 +1,43 @@
+From 39fd01863616964f009599e50ca5c6ea9ebf88d6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Thu, 15 Apr 2021 15:41:57 -0400
+Subject: NFS: Don't discard pNFS layout segments that are marked for return
+
+From: Trond Myklebust
+
+commit 39fd01863616964f009599e50ca5c6ea9ebf88d6 upstream.
+
+If the pNFS layout segment is marked with the NFS_LSEG_LAYOUTRETURN
+flag, then the assumption is that it has some reporting requirement
+to perform through a layoutreturn (e.g. flexfiles layout stats or error
+information).
+
+Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2427,6 +2427,9 @@ pnfs_mark_matching_lsegs_return(struct p
+
+ assert_spin_locked(&lo->plh_inode->i_lock);
+
++ if (test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags))
++ tmp_list = &lo->plh_return_segs;
++
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
+ if (pnfs_match_lseg_recall(lseg, return_range, seq)) {
+ dprintk("%s: marking lseg %p iomode %d "
+@@ -2434,6 +2437,8 @@ pnfs_mark_matching_lsegs_return(struct p
+ lseg, lseg->pls_range.iomode,
+ lseg->pls_range.offset,
+ lseg->pls_range.length);
++ if (test_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags))
++ tmp_list = &lo->plh_return_segs;
+ if (mark_lseg_invalid(lseg, tmp_list))
+ continue;
+ remaining++;
diff --git a/queue-5.4/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch b/queue-5.4/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
new file mode 100644
index 00000000000..dc094c711de
--- /dev/null
+++ b/queue-5.4/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
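Review bot: Inside the list_for_each_entry_safe() loop of pnfs_mark_matching_lsegs_return(), `tmp_list = &lo->plh_return_segs;` overwrites the function's own parameter and is never restored, so once one matching segment has NFS_LSEG_LAYOUTRETURN set, every later matching segment is also moved to plh_return_segs whether it carries the flag or not. If per-segment routing is intended, pick the list per iteration instead, e.g. `head = test_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags) ? &lo->plh_return_segs : tmp_list;` followed by `if (mark_lseg_invalid(lseg, head))` (assuming tmp_list is a list head pointer, which the hunk does not show). If the sticky redirect is deliberate, a comment on the assignment should say so. The signature and the end of the loop are outside the hunks.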
@@ -0,0 +1,33 @@
+From de144ff4234f935bd2150108019b5d87a90a8a96 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 18 Apr 2021 15:00:45 -0400
+Subject: NFSv4: Don't discard segments marked for return in _pnfs_return_layout()
+
+From: Trond Myklebust
+
+commit de144ff4234f935bd2150108019b5d87a90a8a96 upstream.
+
+If the pNFS layout segment is marked with the NFS_LSEG_LAYOUTRETURN
+flag, then the assumption is that it has some reporting requirement
+to perform through a layoutreturn (e.g. flexfiles layout stats or error
+information).
+
+Fixes: 6d597e175012 ("pnfs: only tear down lsegs that precede seqid in LAYOUTRETURN args")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1311,7 +1311,7 @@ _pnfs_return_layout(struct inode *ino)
+ }
+ valid_layout = pnfs_layout_is_valid(lo);
+ pnfs_clear_layoutcommit(ino, &tmp_list);
+- pnfs_mark_matching_lsegs_invalid(lo, &tmp_list, NULL, 0);
++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);
+
+ if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) {
+ struct pnfs_layout_range range = {
diff --git a/queue-5.4/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch b/queue-5.4/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
new file mode 100644
index 00000000000..19baf516f86
--- /dev/null
+++ b/queue-5.4/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
@@ -0,0 +1,116 @@
+From 7c0ea5930c1c211931819d83cfb157bff1539a4c Mon Sep 17 00:00:00 2001
+From: Davide Caratti
+Date: Wed, 28 Apr 2021 15:23:07 +0200
+Subject: openvswitch: fix stack OOB read while fragmenting IPv4 packets
+
+From: Davide Caratti
+
+commit 7c0ea5930c1c211931819d83cfb157bff1539a4c upstream.
+
+running openvswitch on kernels built with KASAN, it's possible to see the
+following splat while testing fragmentation of IPv4 packets:
+
+ BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
+ Read of size 1 at addr ffff888112fc713c by task handler2/1367
+
+ CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418
+ Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
+ Call Trace:
+ dump_stack+0x92/0xc1
+ print_address_description.constprop.7+0x1a/0x150
+ kasan_report.cold.13+0x7f/0x111
+ ip_do_fragment+0x1b03/0x1f60
+ ovs_fragment+0x5bf/0x840 [openvswitch]
+ do_execute_actions+0x1bd5/0x2400 [openvswitch]
+ ovs_execute_actions+0xc8/0x3d0 [openvswitch]
+ ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]
+ genl_family_rcv_msg_doit.isra.15+0x227/0x2d0
+ genl_rcv_msg+0x287/0x490
+ netlink_rcv_skb+0x120/0x380
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x439/0x630
+ netlink_sendmsg+0x719/0xbf0
+ sock_sendmsg+0xe2/0x110
+ ____sys_sendmsg+0x5ba/0x890
+ ___sys_sendmsg+0xe9/0x160
+ __sys_sendmsg+0xd3/0x170
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f957079db07
+ Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48
+ RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07
+ RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019
+ RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730
+ R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
+ R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0
+
+ The buggy address belongs to the page:
+ page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7
+ flags: 0x17ffffc0000000()
+ raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:
+ ovs_fragment+0x0/0x840 [openvswitch]
+
+ this frame has 2 objects:
+ [32, 144) 'ovs_dst'
+ [192, 424) 'ovs_rt'
+
+ Memory state around the buggy address:
+ ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
+ >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
+ ^
+ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00
+
+for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,
+in the following call graph:
+
+ ip_do_fragment()
+ ip_skb_dst_mtu()
+ ip_dst_mtu_maybe_forward()
+ ip_mtu_locked()
+
+the pointer to struct dst_entry is used as pointer to struct rtable: this
+turns the access to struct members like rt_mtu_locked into an OOB read in
+the stack. Fix this changing the temporary variable used for IPv4 packets
+in ovs_fragment(), similarly to what is done for IPv6 few lines below.
+
+Fixes: d52e5a7e7ca4 ("ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmt")
+Cc:
+Acked-by: Eelco Chaudron
+Signed-off-by: Davide Caratti
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/actions.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -831,17 +831,17 @@ static void ovs_fragment(struct net *net
+ }
+
+ if (key->eth.type == htons(ETH_P_IP)) {
+- struct dst_entry ovs_dst;
++ struct rtable ovs_rt = { 0 };
+ unsigned long orig_dst;
+
+ prepare_frag(vport, skb, orig_network_offset,
+ ovs_key_mac_proto(key));
+- dst_init(&ovs_dst, &ovs_dst_ops, NULL, 1,
++ dst_init(&ovs_rt.dst, &ovs_dst_ops, NULL, 1,
+ DST_OBSOLETE_NONE, DST_NOCOUNT);
+- ovs_dst.dev = vport->dev;
++ ovs_rt.dst.dev = vport->dev;
+
+ orig_dst = skb->_skb_refdst;
+- skb_dst_set_noref(skb, &ovs_dst);
++ skb_dst_set_noref(skb, &ovs_rt.dst);
+ IPCB(skb)->frag_max_size = mru;
+
+ ip_do_fragment(net, skb->sk, skb, ovs_vport_output);
diff --git a/queue-5.4/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch b/queue-5.4/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
new file mode 100644
index 00000000000..62c7c0eadb4
--- /dev/null
+++ b/queue-5.4/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
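Review bot: Nothing at the declaration in ovs_fragment() says why the temporary has to be a full `struct rtable`; the reason lives only in the commit message (ip_do_fragment() reaches ip_mtu_locked(), which treats the dst as an rtable and reads rt_mtu_locked). A comment above `struct rtable ovs_rt = { 0 };` would stop a later cleanup from shrinking it back to a dst_entry, e.g. `/* the IPv4 fragmentation path reads this dst as a struct rtable: keep a zeroed rtable, not a bare dst_entry */`. The zero initialiser is part of the fix as well, since the fields read through that cast would otherwise be uninitialised stack. The IPv6 branch the commit message refers to is outside the hunk.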
@@ -0,0 +1,119 @@
+From 5ae5bc12d0728db60a0aa9b62160ffc038875f1a Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar
+Date: Mon, 12 Apr 2021 13:22:50 +0530
+Subject: powerpc/eeh: Fix EEH handling for hugepages in ioremap space.
+
+From: Mahesh Salgaonkar
+
+commit 5ae5bc12d0728db60a0aa9b62160ffc038875f1a upstream.
+
+During the EEH MMIO error checking, the current implementation fails to map
+the (virtual) MMIO address back to the pci device on radix with hugepage
+mappings for I/O. This results into failure to dispatch EEH event with no
+recovery even when EEH capability has been enabled on the device.
+
+eeh_check_failure(token) # token = virtual MMIO address
+ addr = eeh_token_to_phys(token);
+ edev = eeh_addr_cache_get_dev(addr);
+ if (!edev)
+ return 0;
+ eeh_dev_check_failure(edev); <= Dispatch the EEH event
+
+In case of hugepage mappings, eeh_token_to_phys() has a bug in virt -> phys
+translation that results in wrong physical address, which is then passed to
+eeh_addr_cache_get_dev() to match it against cached pci I/O address ranges
+to get to a PCI device. Hence, it fails to find a match and the EEH event
+never gets dispatched leaving the device in failed state.
+
+The commit 33439620680be ("powerpc/eeh: Handle hugepages in ioremap space")
+introduced following logic to translate virt to phys for hugepage mappings:
+
+eeh_token_to_phys():
++ pa = pte_pfn(*ptep);
++
++ /* On radix we can do hugepage mappings for io, so handle that */
++ if (hugepage_shift) {
++ pa <<= hugepage_shift; <= This is wrong
++ pa |= token & ((1ul << hugepage_shift) - 1);
++ }
+
+This patch fixes the virt -> phys translation in eeh_token_to_phys()
+function.
+
+ $ cat /sys/kernel/debug/powerpc/eeh_address_cache
+ mem addr range [0x0000040080000000-0x00000400807fffff]: 0030:01:00.1
+ mem addr range [0x0000040080800000-0x0000040080ffffff]: 0030:01:00.1
+ mem addr range [0x0000040081000000-0x00000400817fffff]: 0030:01:00.0
+ mem addr range [0x0000040081800000-0x0000040081ffffff]: 0030:01:00.0
+ mem addr range [0x0000040082000000-0x000004008207ffff]: 0030:01:00.1
+ mem addr range [0x0000040082080000-0x00000400820fffff]: 0030:01:00.0
+ mem addr range [0x0000040082100000-0x000004008210ffff]: 0030:01:00.1
+ mem addr range [0x0000040082110000-0x000004008211ffff]: 0030:01:00.0
+
+Above is the list of cached io address ranges of pci 0030:01:00..
+
+Before this patch:
+
+Tracing 'arg1' of function eeh_addr_cache_get_dev() during error injection
+clearly shows that 'addr=' contains wrong physical address:
+
+ kworker/u16:0-7 [001] .... 108.883775: eeh_addr_cache_get_dev:
+ (eeh_addr_cache_get_dev+0xc/0xf0) addr=0x80103000a510
+
+dmesg shows no EEH recovery messages:
+
+ [ 108.563768] bnx2x: [bnx2x_timer:5801(eth2)]MFW seems hanged: drv_pulse (0x9ae) != mcp_pulse (0x7fff)
+ [ 108.563788] bnx2x: [bnx2x_hw_stats_update:870(eth2)]NIG timer max (4294967295)
+ [ 108.883788] bnx2x: [bnx2x_acquire_hw_lock:2013(eth1)]lock_status 0xffffffff resource_bit 0x1
+ [ 108.884407] bnx2x 0030:01:00.0 eth1: MDC/MDIO access timeout
+ [ 108.884976] bnx2x 0030:01:00.0 eth1: MDC/MDIO access timeout
+ <..>
+
+After this patch:
+
+eeh_addr_cache_get_dev() trace shows correct physical address:
+
+ -0 [001] ..s. 1043.123828: eeh_addr_cache_get_dev:
+ (eeh_addr_cache_get_dev+0xc/0xf0) addr=0x40080bc7cd8
+
+dmesg logs shows EEH recovery getting triggerred:
+
+ [ 964.323980] bnx2x: [bnx2x_timer:5801(eth2)]MFW seems hanged: drv_pulse (0x746f) != mcp_pulse (0x7fff)
+ [ 964.323991] EEH: Recovering PHB#30-PE#10000
+ [ 964.324002] EEH: PE location: N/A, PHB location: N/A
+ [ 964.324006] EEH: Frozen PHB#30-PE#10000 detected
+ <..>
+
+Fixes: 33439620680b ("powerpc/eeh: Handle hugepages in ioremap space")
+Cc: stable@vger.kernel.org # v5.3+
+Reported-by: Dominic DeMarco
+Signed-off-by: Mahesh Salgaonkar
+Signed-off-by: Aneesh Kumar K.V
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/161821396263.48361.2796709239866588652.stgit@jupiter
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/eeh.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -368,14 +368,11 @@ static inline unsigned long eeh_token_to
+ pa = pte_pfn(*ptep);
+
+ /* On radix we can do hugepage mappings for io, so handle that */
+- if (hugepage_shift) {
+- pa <<= hugepage_shift;
+- pa |= token & ((1ul << hugepage_shift) - 1);
+- } else {
+- pa <<= PAGE_SHIFT;
+- pa |= token & (PAGE_SIZE - 1);
+- }
++ if (!hugepage_shift)
++ hugepage_shift = PAGE_SHIFT;
+
++ pa <<= PAGE_SHIFT;
++ pa |= token & ((1ul << hugepage_shift) - 1);
+ return pa;
+ }
+
diff --git a/queue-5.4/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch b/queue-5.4/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
new file mode 100644
index 00000000000..ffb5455f263
--- /dev/null
+++ b/queue-5.4/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
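Review bot: `pa |= token & ((1ul << hugepage_shift) - 1);` ORs the offset onto `pte_pfn(*ptep) << PAGE_SHIFT`, which yields the right address only if the PFN of a huge mapping is aligned to the huge page size, so that the bits being ORed in are zero beforehand. That presumably holds for valid huge PTEs, but the code neither states nor checks it, and `hugepage_shift` now also serves as the mask width for normal pages, which the retained comment does not explain. A short comment would cover both, e.g. `/* pte_pfn() is in PAGE_SIZE units; a huge mapping's PFN is huge-page aligned, so OR in the offset within the (huge) page */`. The page-table lookup that sets ptep and hugepage_shift is outside the hunk.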
@@ -0,0 +1,53 @@
+From 7de21e679e6a789f3729e8402bc440b623a28eae Mon Sep 17 00:00:00 2001
+From: Tony Ambardar
+Date: Thu, 17 Sep 2020 06:54:37 -0700
+Subject: powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h
+
+From: Tony Ambardar
+
+commit 7de21e679e6a789f3729e8402bc440b623a28eae upstream.
+
+A few archs like powerpc have different errno.h values for macros
+EDEADLOCK and EDEADLK. In code including both libc and linux versions of
+errno.h, this can result in multiple definitions of EDEADLOCK in the
+include chain. Definitions to the same value (e.g. seen with mips) do
+not raise warnings, but on powerpc there are redefinitions changing the
+value, which raise warnings and errors (if using "-Werror").
+
+Guard against these redefinitions to avoid build errors like the following,
+first seen cross-compiling libbpf v5.8.9 for powerpc using GCC 8.4.0 with
+musl 1.1.24:
+
+ In file included from ../../arch/powerpc/include/uapi/asm/errno.h:5,
+ from ../../include/linux/err.h:8,
+ from libbpf.c:29:
+ ../../include/uapi/asm-generic/errno.h:40: error: "EDEADLOCK" redefined [-Werror]
+ #define EDEADLOCK EDEADLK
+
+ In file included from toolchain-powerpc_8540_gcc-8.4.0_musl/include/errno.h:10,
+ from libbpf.c:26:
+ toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/errno.h:58: note: this is the location of the previous definition
+ #define EDEADLOCK 58
+
+ cc1: all warnings being treated as errors
+
+Cc: Stable
+Reported-by: Rosen Penev
+Signed-off-by: Tony Ambardar
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200917135437.1238787-1-Tony.Ambardar@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/uapi/asm/errno.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/uapi/asm/errno.h
++++ b/arch/powerpc/include/uapi/asm/errno.h
+@@ -2,6 +2,7 @@
+ #ifndef _ASM_POWERPC_ERRNO_H
+ #define _ASM_POWERPC_ERRNO_H
+
++#undef EDEADLOCK
+ #include
+
+ #undef EDEADLOCK
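Review bot: The added `#undef EDEADLOCK` ahead of the `#include` has no comment, and with a second `#undef EDEADLOCK` two lines below it reads like a duplicate that a later cleanup could remove. A short comment would record why both are needed, e.g. `/* libc may already define EDEADLOCK with a different value; drop it before the generic header defines it again */`. The rest of the header lies outside the hunk, so the wording should be checked against what follows the second `#undef`.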
diff --git a/queue-5.4/series b/queue-5.4/series
index a5666e75dc3..99a7e529778 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -138,3 +138,16 @@ makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
 virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
 ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
 f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
+mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
+openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
+acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
+nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
+nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
+input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
+jffs2-fix-kasan-slab-out-of-bounds-problem.patch
+powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
+powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
+intel_th-pci-add-alder-lake-m-support.patch
+tpm-efi-use-local-variable-for-calculating-final-log-size.patch
+tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
+crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
diff --git a/queue-5.4/tpm-efi-use-local-variable-for-calculating-final-log-size.patch b/queue-5.4/tpm-efi-use-local-variable-for-calculating-final-log-size.patch
new file mode 100644
index 00000000000..206c80ab5fe
--- /dev/null
+++ b/queue-5.4/tpm-efi-use-local-variable-for-calculating-final-log-size.patch
@@ -0,0 +1,119 @@
+From 48cff270b037022e37835d93361646205ca25101 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Wed, 10 Mar 2021 17:19:14 -0500
+Subject: tpm: efi: Use local variable for calculating final log size
+
+From: Stefan Berger
+
+commit 48cff270b037022e37835d93361646205ca25101 upstream.
+
+When tpm_read_log_efi is called multiple times, which happens when
+one loads and unloads a TPM2 driver multiple times, then the global
+variable efi_tpm_final_log_size will at some point become a negative
+number due to the subtraction of final_events_preboot_size occurring
+each time. Use a local variable to avoid this integer underflow.
+
+The following issue is now resolved:
+
+Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
+Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20
+Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
+Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206
+Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f
+Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d
+Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073
+Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5
+Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018
+Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000
+Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0
+Mar 8 15:35:12 hibinst kernel: Call Trace:
+Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
+Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
+Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
+Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
+Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
+Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
+Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370
+
+Cc: stable@vger.kernel.org
+Fixes: 166a2809d65b ("tpm: Don't duplicate events from the final event log in the TCG2 log")
+Signed-off-by: Stefan Berger
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/eventlog/efi.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/tpm/eventlog/efi.c
++++ b/drivers/char/tpm/eventlog/efi.c
+@@ -17,6 +17,7 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ {
+
+ struct efi_tcg2_final_events_table *final_tbl = NULL;
++ int final_events_log_size = efi_tpm_final_log_size;
+ struct linux_efi_tpm_eventlog *log_tbl;
+ struct tpm_bios_log *log;
+ u32 log_size;
+@@ -66,12 +67,12 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ ret = tpm_log_version;
+
+ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR ||
+- efi_tpm_final_log_size == 0 ||
++ final_events_log_size == 0 ||
+ tpm_log_version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
+ goto out;
+
+ final_tbl = memremap(efi.tpm_final_log,
+- sizeof(*final_tbl) + efi_tpm_final_log_size,
++ sizeof(*final_tbl) + final_events_log_size,
+ MEMREMAP_WB);
+ if (!final_tbl) {
+ pr_err("Could not map UEFI TPM final log\n");
+@@ -80,10 +81,18 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ goto out;
+ }
+
+- efi_tpm_final_log_size -= log_tbl->final_events_preboot_size;
++ /*
++ * The 'final events log' size excludes the 'final events preboot log'
++ * at its beginning.
++ */
++ final_events_log_size -= log_tbl->final_events_preboot_size;
+
++ /*
++ * Allocate memory for the 'combined log' where we will append the
++ * 'final events log' to.
++ */
+ tmp = krealloc(log->bios_event_log,
+- log_size + efi_tpm_final_log_size,
++ log_size + final_events_log_size,
+ GFP_KERNEL);
+ if (!tmp) {
+ kfree(log->bios_event_log);
+@@ -94,15 +103,19 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ log->bios_event_log = tmp;
+
+ /*
+- * Copy any of the final events log that didn't also end up in the
+- * main log. Events can be logged in both if events are generated
++ * Append any of the 'final events log' that didn't also end up in the
++ * 'main log'. Events can be logged in both if events are generated
+ * between GetEventLog() and ExitBootServices().
+ */
+ memcpy((void *)log->bios_event_log + log_size,
+ final_tbl->events + log_tbl->final_events_preboot_size,
+- efi_tpm_final_log_size);
++ final_events_log_size);
++ /*
++ * The size of the 'combined log' is the size of the 'main log' plus
++ * the size of the 'final events log'.
++ */
+ log->bios_event_log_end = log->bios_event_log +
+- log_size + efi_tpm_final_log_size;
++ log_size + final_events_log_size;
+
+ out:
+ memunmap(final_tbl);
diff --git a/queue-5.4/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch b/queue-5.4/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
new file mode 100644
index 00000000000..6542f564207
--- /dev/null
+++ b/queue-5.4/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
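Review bot: After `final_events_log_size -= log_tbl->final_events_preboot_size;` nothing in the hunk checks that the result is still non-negative before it is used as a length in `krealloc()` and `memcpy()`. The local copy stops the value drifting across repeated calls, but a single call in which the preboot size exceeds the final log size would still leave a negative `int` that converts to a very large copy length, the failure the trace in the commit message shows. Both sizes appear to come from tables handed over at boot, so a guard right after the subtraction, e.g. `if (final_events_log_size < 0) goto out;`, would bound the copy. Whether that case should instead return an error and free `log->bios_event_log`, as the `krealloc()` failure branch does, depends on parts of `tpm_read_log_efi()` that lie outside the hunks.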
@@ -0,0 +1,36 @@
+From 9716ac65efc8f780549b03bddf41e60c445d4709 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Wed, 10 Mar 2021 17:19:16 -0500
+Subject: tpm: vtpm_proxy: Avoid reading host log when using a virtual device
+
+From: Stefan Berger
+
+commit 9716ac65efc8f780549b03bddf41e60c445d4709 upstream.
+
+Avoid allocating memory and reading the host log when a virtual device
+is used since this log is of no use to that driver. A virtual
+device can be identified through the flag TPM_CHIP_FLAG_VIRTUAL, which
+is only set for the tpm_vtpm_proxy driver.
+
+Cc: stable@vger.kernel.org
+Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs")
+Signed-off-by: Stefan Berger
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/eventlog/common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/char/tpm/eventlog/common.c
++++ b/drivers/char/tpm/eventlog/common.c
+@@ -107,6 +107,9 @@ void tpm_bios_log_setup(struct tpm_chip
+ int log_version;
+ int rc = 0;
+
++ if (chip->flags & TPM_CHIP_FLAG_VIRTUAL)
++ return;
++
+ rc = tpm_read_log(chip);
+ if (rc < 0)
+ return;
--
2.47.3
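Review bot: The new early return in `tpm_bios_log_setup()` carries no comment, so the reason virtual chips skip the event log is recorded only in the commit message. A one-line comment above the check, e.g. `/* vTPM proxy chips have no use for the host firmware event log; skip reading it */`, would keep that with the code. It is also worth confirming that the matching teardown path tolerates a chip for which setup returned before doing any work. That code is outside the hunk, though the existing `rc < 0` early return suggests it already does.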