From cdb1b87c869d6ea4044a6a51d938a2a4a7048355 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 9 May 2021 15:51:29 +0200 Subject: [PATCH] 5.10-stable patches added patches: acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch crypto-arm-curve25519-move-.fpu-after-.arch.patch crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch intel_th-pci-add-alder-lake-m-support.patch jffs2-fix-kasan-slab-out-of-bounds-problem.patch jffs2-hook-up-splice_write-callback.patch mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch powerpc-32-fix-boot-failure-with-config_stackprotector.patch powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch tpm-efi-use-local-variable-for-calculating-final-log-size.patch tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch --- ...t-mappings-on-watchdow-probe-failure.patch | 82 ++++++++++ ...arm-curve25519-move-.fpu-after-.arch.patch | 67 +++++++++ ..._reset-refcounting-when-crypto_stats.patch | 54 +++++++ ...tion-for-touch-indication-on-ili210x.patch | 33 ++++ ...ntel_th-pci-add-alder-lake-m-support.patch | 34 +++++ ...fix-kasan-slab-out-of-bounds-problem.patch | 138 +++++++++++++++++ .../jffs2-hook-up-splice_write-callback.patch | 45 ++++++ ...gress-rif-list-before-route-s-action.patch | 99 ++++++++++++ ...-segments-that-are-marked-for-return.patch | 43 ++++++ ...trans-to-prevent-shift-out-of-bounds.patch | 61 ++++++++ ...ed-for-return-in-_pnfs_return_layout.patch | 33 ++++ 
...-read-while-fragmenting-ipv4-packets.patch | 116 ++++++++++++++ ...t-failure-with-config_stackprotector.patch | 45 ++++++ ...dling-for-hugepages-in-ioremap-space.patch | 119 +++++++++++++++ ...definition-error-in-uapi-asm-errno.h.patch | 53 +++++++ ...urrent-cpu-info-while-setting-up-fdt.patch | 142 ++++++++++++++++++ ...-hail-hv-ail-for-isa-v3.1-processors.patch | 73 +++++++++ queue-5.10/series | 19 +++ ...iable-for-calculating-final-log-size.patch | 119 +++++++++++++++ ...host-log-when-using-a-virtual-device.patch | 36 +++++ 20 files changed, 1411 insertions(+) create mode 100644 queue-5.10/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch create mode 100644 queue-5.10/crypto-arm-curve25519-move-.fpu-after-.arch.patch create mode 100644 queue-5.10/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch create mode 100644 queue-5.10/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch create mode 100644 queue-5.10/intel_th-pci-add-alder-lake-m-support.patch create mode 100644 queue-5.10/jffs2-fix-kasan-slab-out-of-bounds-problem.patch create mode 100644 queue-5.10/jffs2-hook-up-splice_write-callback.patch create mode 100644 queue-5.10/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch create mode 100644 queue-5.10/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch create mode 100644 queue-5.10/nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch create mode 100644 queue-5.10/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch create mode 100644 queue-5.10/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch create mode 100644 queue-5.10/powerpc-32-fix-boot-failure-with-config_stackprotector.patch create mode 100644 queue-5.10/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch create mode 100644 queue-5.10/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch create mode 100644 
queue-5.10/powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch create mode 100644 queue-5.10/powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch create mode 100644 queue-5.10/tpm-efi-use-local-variable-for-calculating-final-log-size.patch create mode 100644 queue-5.10/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch diff --git a/queue-5.10/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch b/queue-5.10/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch new file mode 100644 index 00000000000..64a2fd752c1 --- /dev/null +++ b/queue-5.10/acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch 
@@ -0,0 +1,82 @@ +From 1ecd5b129252249b9bc03d7645a7bda512747277 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Wed, 21 Apr 2021 17:43:16 +0100 +Subject: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure + +From: Marc Zyngier + +commit 1ecd5b129252249b9bc03d7645a7bda512747277 upstream. + +When failing the driver probe because of invalid firmware properties, +the GTDT driver unmaps the interrupt that it mapped earlier. + +However, it never checks whether the mapping of the interrupt actially +succeeded. Even more, should the firmware report an illegal interrupt +number that overlaps with the GIC SGI range, this can result in an +IPI being unmapped, and subsequent fireworks (as reported by Dann +Frazier). + +Rework the driver to have a slightly saner behaviour and actually +check whether the interrupt has been mapped before unmapping things. + +Reported-by: dann frazier +Fixes: ca9ae5ec4ef0 ("acpi/arm64: Add SBSA Generic Watchdog support in GTDT driver") +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/YH87dtTfwYgavusz@xps13.dannf +Cc: +Cc: Fu Wei +Reviewed-by: Sudeep Holla +Tested-by: dann frazier +Tested-by: Hanjun Guo +Reviewed-by: Hanjun Guo +Reviewed-by: Lorenzo Pieralisi +Link: https://lore.kernel.org/r/20210421164317.1718831-2-maz@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/arm64/gtdt.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/arm64/gtdt.c ++++ b/drivers/acpi/arm64/gtdt.c +@@ -329,7 +329,7 @@ static int __init gtdt_import_sbsa_gwdt( + int index) + { + struct platform_device *pdev; +- int irq = map_gt_gsi(wd->timer_interrupt, wd->timer_flags); ++ int irq; + + /* + * According to SBSA specification the size of refresh and control +@@ -338,7 +338,7 @@ static int __init gtdt_import_sbsa_gwdt( + struct resource res[] = { + DEFINE_RES_MEM(wd->control_frame_address, SZ_4K), + DEFINE_RES_MEM(wd->refresh_frame_address, SZ_4K), +- 
DEFINE_RES_IRQ(irq), ++ {}, + }; + int nr_res = ARRAY_SIZE(res); + +@@ -348,10 +348,11 @@ static int __init gtdt_import_sbsa_gwdt( + + if (!(wd->refresh_frame_address && wd->control_frame_address)) { + pr_err(FW_BUG "failed to get the Watchdog base address.\n"); +- acpi_unregister_gsi(wd->timer_interrupt); + return -EINVAL; + } + ++ irq = map_gt_gsi(wd->timer_interrupt, wd->timer_flags); ++ res[2] = (struct resource)DEFINE_RES_IRQ(irq); + if (irq <= 0) { + pr_warn("failed to map the Watchdog interrupt.\n"); + nr_res--; +@@ -364,7 +365,8 @@ static int __init gtdt_import_sbsa_gwdt( + */ + pdev = platform_device_register_simple("sbsa-gwdt", index, res, nr_res); + if (IS_ERR(pdev)) { +- acpi_unregister_gsi(wd->timer_interrupt); ++ if (irq > 0) ++ acpi_unregister_gsi(wd->timer_interrupt); + return PTR_ERR(pdev); + } + diff --git a/queue-5.10/crypto-arm-curve25519-move-.fpu-after-.arch.patch b/queue-5.10/crypto-arm-curve25519-move-.fpu-after-.arch.patch new file mode 100644 index 00000000000..e448a42539e --- /dev/null +++ b/queue-5.10/crypto-arm-curve25519-move-.fpu-after-.arch.patch 
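Review bot: The IRQ slot is addressed by a literal index in `res[2] = (struct resource)DEFINE_RES_IRQ(irq);`, while the `nr_res--` fallback taken when the mapping fails relies on that slot being the last element of `res`; both facts are implicit and only hold together by coincidence of layout. Writing it as `res[ARRAY_SIZE(res) - 1] = (struct resource)DEFINE_RES_IRQ(irq);` with `/* IRQ must stay the last entry: nr_res-- drops it when the GSI mapping fails */` ties the two together so a later reorder of the array cannot silently break the fallback. Note that the slot is still filled with the result of a failed `map_gt_gsi()` when `irq <= 0`; that is harmless only because `nr_res` excludes it, which the comment should also say. gtdt_import_sbsa_gwdt() continues past the end of the inner hunk.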
@@ -0,0 +1,67 @@ +From 44200f2d9b8b52389c70e6c7bbe51e0dc6eaf938 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 9 Apr 2021 15:11:55 -0700 +Subject: crypto: arm/curve25519 - Move '.fpu' after '.arch' + +From: Nathan Chancellor + +commit 44200f2d9b8b52389c70e6c7bbe51e0dc6eaf938 upstream. + +Debian's clang carries a patch that makes the default FPU mode +'vfp3-d16' instead of 'neon' for 'armv7-a' to avoid generating NEON +instructions on hardware that does not support them: + +https://salsa.debian.org/pkg-llvm-team/llvm-toolchain/-/raw/5a61ca6f21b4ad8c6ac4970e5ea5a7b5b4486d22/debian/patches/clang-arm-default-vfp3-on-armv7a.patch +https://bugs.debian.org/841474 +https://bugs.debian.org/842142 +https://bugs.debian.org/914268 + +This results in the following build error when clang's integrated +assembler is used because the '.arch' directive overrides the '.fpu' +directive: + +arch/arm/crypto/curve25519-core.S:25:2: error: instruction requires: NEON + vmov.i32 q0, #1 + ^ +arch/arm/crypto/curve25519-core.S:26:2: error: instruction requires: NEON + vshr.u64 q1, q0, #7 + ^ +arch/arm/crypto/curve25519-core.S:27:2: error: instruction requires: NEON + vshr.u64 q0, q0, #8 + ^ +arch/arm/crypto/curve25519-core.S:28:2: error: instruction requires: NEON + vmov.i32 d4, #19 + ^ + +Shuffle the order of the '.arch' and '.fpu' directives so that the code +builds regardless of the default FPU mode. This has been tested against +both clang with and without Debian's patch and GCC. + +Cc: stable@vger.kernel.org +Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation") +Link: https://github.com/ClangBuiltLinux/continuous-integration2/issues/118 +Reported-by: Arnd Bergmann +Suggested-by: Arnd Bergmann +Suggested-by: Jessica Clarke +Signed-off-by: Nathan Chancellor +Acked-by: Jason A. 
Donenfeld +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/crypto/curve25519-core.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/crypto/curve25519-core.S ++++ b/arch/arm/crypto/curve25519-core.S +@@ -10,8 +10,8 @@ + #include + + .text +-.fpu neon + .arch armv7-a ++.fpu neon + .align 4 + + ENTRY(curve25519_neon) diff --git a/queue-5.10/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch b/queue-5.10/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch new file mode 100644 index 00000000000..a5cc234e52d --- /dev/null +++ b/queue-5.10/crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch 
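Review bot: The new order of `.arch armv7-a` followed by `.fpu neon` is load-bearing, but nothing in the source says so, and a later tidy-up that puts `.fpu` back on top would silently reintroduce the build failure the message describes. A one-line comment above the directive, `/* .fpu must follow .arch: .arch overrides the FPU selection with some toolchains */`, records the constraint at the point where it is enforced. The rest of the file is outside the hunk.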
@@ -0,0 +1,54 @@ +From 30d0f6a956fc74bb2e948398daf3278c6b08c7e9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 21 Mar 2021 22:07:48 -0700 +Subject: crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS + +From: Eric Biggers + +commit 30d0f6a956fc74bb2e948398daf3278c6b08c7e9 upstream. + +crypto_stats_get() is a no-op when the kernel is compiled without +CONFIG_CRYPTO_STATS, so pairing it with crypto_alg_put() unconditionally +(as crypto_rng_reset() does) is wrong. + +Fix this by moving the call to crypto_stats_get() to just before the +actual algorithm operation which might need it. This makes it always +paired with crypto_stats_rng_seed(). + +Fixes: eed74b3eba9e ("crypto: rng - Fix a refcounting bug in crypto_rng_reset()") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/rng.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/crypto/rng.c ++++ b/crypto/rng.c +@@ -34,22 +34,18 @@ int crypto_rng_reset(struct crypto_rng * + u8 *buf = NULL; + int err; + +- crypto_stats_get(alg); + if (!seed && slen) { + buf = kmalloc(slen, GFP_KERNEL); +- if (!buf) { +- crypto_alg_put(alg); ++ if (!buf) + return -ENOMEM; +- } + + err = get_random_bytes_wait(buf, slen); +- if (err) { +- crypto_alg_put(alg); ++ if (err) + goto out; +- } + seed = buf; + } + ++ crypto_stats_get(alg); + err = crypto_rng_alg(tfm)->seed(tfm, seed, slen); + crypto_stats_rng_seed(alg, err); + out: diff --git a/queue-5.10/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch b/queue-5.10/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch new file mode 100644 index 00000000000..faa7430cd1e --- /dev/null +++ b/queue-5.10/input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch 
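Review bot: The relocated `crypto_stats_get(alg);` now sits directly before the `->seed()` call, but the invariant that motivated the move — the reference it takes when CONFIG_CRYPTO_STATS is enabled is released only by `crypto_stats_rng_seed()`, so no early return may sit between the two — is not recorded in the code. A comment on that line, `/* paired with crypto_stats_rng_seed() below; nothing may return between the two */`, would keep the next refactor from reintroducing the unbalanced put. The start and end of crypto_rng_reset() lie outside the inner hunk.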
@@ -0,0 +1,33 @@ +From ac05a8a927e5a1027592d8f98510a511dadeed14 Mon Sep 17 00:00:00 2001 +From: Hansem Ro +Date: Thu, 6 May 2021 13:27:10 -0700 +Subject: Input: ili210x - add missing negation for touch indication on ili210x + +From: Hansem Ro + +commit ac05a8a927e5a1027592d8f98510a511dadeed14 upstream. + +This adds the negation needed for proper finger detection on Ilitek +ili2107/ili210x. This fixes polling issues (on Amazon Kindle Fire) +caused by returning false for the cooresponding finger on the touchscreen. + +Signed-off-by: Hansem Ro +Fixes: e3559442afd2a ("ili210x - rework the touchscreen sample processing") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/ili210x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/ili210x.c ++++ b/drivers/input/touchscreen/ili210x.c +@@ -87,7 +87,7 @@ static bool ili210x_touchdata_to_coords( + unsigned int *x, unsigned int *y, + unsigned int *z) + { +- if (touchdata[0] & BIT(finger)) ++ if (!(touchdata[0] & BIT(finger))) + return false; + + *x = get_unaligned_be16(touchdata + 1 + (finger * 4) + 0); diff --git a/queue-5.10/intel_th-pci-add-alder-lake-m-support.patch b/queue-5.10/intel_th-pci-add-alder-lake-m-support.patch new file mode 100644 index 00000000000..e6b93669aff --- /dev/null +++ b/queue-5.10/intel_th-pci-add-alder-lake-m-support.patch 
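Review bot: The corrected test `if (!(touchdata[0] & BIT(finger)))` still reads as a bare bit-twiddle, and the inverted form survived long enough to ship, so the meaning of that byte deserves a comment: `/* touchdata[0]: bit N set == finger N is down */`. If `touchdata` is a byte array, as the `get_unaligned_be16(touchdata + 1 + (finger * 4) + 0)` addressing suggests, the bitmap can only describe fingers 0..7; if the caller can pass a larger `finger` index (that loop is outside the hunk), a bound check or a comment stating the caller's limit would make the contract explicit. ili210x_touchdata_to_coords() starts before the inner hunk and continues after it.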
@@ -0,0 +1,34 @@ +From 48cb17531b15967d9d3f34c770a25cc6c4ca6ad1 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 14 Apr 2021 20:12:51 +0300 +Subject: intel_th: pci: Add Alder Lake-M support + +From: Alexander Shishkin + +commit 48cb17531b15967d9d3f34c770a25cc6c4ca6ad1 upstream. + +This adds support for the Trace Hub in Alder Lake-M PCH. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20210414171251.14672-8-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -274,6 +274,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Alder Lake-M */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x54a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Alder Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.10/jffs2-fix-kasan-slab-out-of-bounds-problem.patch b/queue-5.10/jffs2-fix-kasan-slab-out-of-bounds-problem.patch new file mode 100644 index 00000000000..82e9868603d --- /dev/null +++ b/queue-5.10/jffs2-fix-kasan-slab-out-of-bounds-problem.patch 
@@ -0,0 +1,138 @@ +From 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 Mon Sep 17 00:00:00 2001 +From: lizhe +Date: Thu, 18 Mar 2021 11:06:57 +0800 +Subject: jffs2: Fix kasan slab-out-of-bounds problem + +From: lizhe + +commit 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 upstream. + +KASAN report a slab-out-of-bounds problem. The logs are listed below. +It is because in function jffs2_scan_dirent_node, we alloc "checkedlen+1" +bytes for fd->name and we check crc with length rd->nsize. If checkedlen +is less than rd->nsize, it will cause the slab-out-of-bounds problem. + +jffs2: Dirent at *** has zeroes in name. Truncating to %d char +================================================================== +BUG: KASAN: slab-out-of-bounds in crc32_le+0x1ce/0x260 at addr ffff8800842cf2d1 +Read of size 1 by task test_JFFS2/915 +============================================================================= +BUG kmalloc-64 (Tainted: G B O ): kasan: bad access detected +----------------------------------------------------------------------------- +INFO: Allocated in jffs2_alloc_full_dirent+0x2a/0x40 age=0 cpu=1 pid=915 + ___slab_alloc+0x580/0x5f0 + __slab_alloc.isra.24+0x4e/0x64 + __kmalloc+0x170/0x300 + jffs2_alloc_full_dirent+0x2a/0x40 + jffs2_scan_eraseblock+0x1ca4/0x3b64 + jffs2_scan_medium+0x285/0xfe0 + jffs2_do_mount_fs+0x5fb/0x1bbc + jffs2_do_fill_super+0x245/0x6f0 + jffs2_fill_super+0x287/0x2e0 + mount_mtd_aux.isra.0+0x9a/0x144 + mount_mtd+0x222/0x2f0 + jffs2_mount+0x41/0x60 + mount_fs+0x63/0x230 + vfs_kern_mount.part.6+0x6c/0x1f4 + do_mount+0xae8/0x1940 + SyS_mount+0x105/0x1d0 +INFO: Freed in jffs2_free_full_dirent+0x22/0x40 age=27 cpu=1 pid=915 + __slab_free+0x372/0x4e4 + kfree+0x1d4/0x20c + jffs2_free_full_dirent+0x22/0x40 + jffs2_build_remove_unlinked_inode+0x17a/0x1e4 + jffs2_do_mount_fs+0x1646/0x1bbc + jffs2_do_fill_super+0x245/0x6f0 + jffs2_fill_super+0x287/0x2e0 + mount_mtd_aux.isra.0+0x9a/0x144 + mount_mtd+0x222/0x2f0 + jffs2_mount+0x41/0x60 + mount_fs+0x63/0x230 + 
vfs_kern_mount.part.6+0x6c/0x1f4 + do_mount+0xae8/0x1940 + SyS_mount+0x105/0x1d0 + entry_SYSCALL_64_fastpath+0x1e/0x97 +Call Trace: + [] dump_stack+0x59/0x7e + [] print_trailer+0x125/0x1b0 + [] object_err+0x34/0x40 + [] kasan_report.part.1+0x21f/0x534 + [] ? vprintk+0x2d/0x40 + [] ? crc32_le+0x1ce/0x260 + [] kasan_report+0x26/0x30 + [] __asan_load1+0x3d/0x50 + [] crc32_le+0x1ce/0x260 + [] ? jffs2_alloc_full_dirent+0x2a/0x40 + [] jffs2_scan_eraseblock+0x1d0c/0x3b64 + [] ? jffs2_scan_medium+0xccf/0xfe0 + [] ? jffs2_scan_make_ino_cache+0x14c/0x14c + [] ? kasan_unpoison_shadow+0x35/0x50 + [] ? kasan_unpoison_shadow+0x35/0x50 + [] ? kasan_kmalloc+0x5e/0x70 + [] ? kmem_cache_alloc_trace+0x10c/0x2cc + [] ? mtd_point+0xf7/0x130 + [] jffs2_scan_medium+0x285/0xfe0 + [] ? jffs2_scan_eraseblock+0x3b64/0x3b64 + [] ? kasan_unpoison_shadow+0x35/0x50 + [] ? kasan_unpoison_shadow+0x35/0x50 + [] ? kasan_kmalloc+0x5e/0x70 + [] ? __kmalloc+0x12b/0x300 + [] ? kasan_kmalloc+0x5e/0x70 + [] ? jffs2_sum_init+0x9f/0x240 + [] jffs2_do_mount_fs+0x5fb/0x1bbc + [] ? jffs2_del_noinode_dirent+0x640/0x640 + [] ? kasan_kmalloc+0x5e/0x70 + [] ? __init_rwsem+0x97/0xac + [] jffs2_do_fill_super+0x245/0x6f0 + [] jffs2_fill_super+0x287/0x2e0 + [] ? jffs2_parse_options+0x594/0x594 + [] mount_mtd_aux.isra.0+0x9a/0x144 + [] mount_mtd+0x222/0x2f0 + [] ? jffs2_parse_options+0x594/0x594 + [] ? mount_mtd_aux.isra.0+0x144/0x144 + [] ? free_pages+0x13/0x1c + [] ? selinux_sb_copy_data+0x278/0x2e0 + [] jffs2_mount+0x41/0x60 + [] mount_fs+0x63/0x230 + [] ? alloc_vfsmnt+0x32f/0x3b0 + [] vfs_kern_mount.part.6+0x6c/0x1f4 + [] do_mount+0xae8/0x1940 + [] ? audit_filter_rules.constprop.6+0x1d10/0x1d10 + [] ? copy_mount_string+0x40/0x40 + [] ? alloc_pages_current+0xa4/0x1bc + [] ? __get_free_pages+0x25/0x50 + [] ? copy_mount_options.part.17+0x183/0x264 + [] SyS_mount+0x105/0x1d0 + [] ? copy_mnt_ns+0x560/0x560 + [] ? msa_space_switch_handler+0x13d/0x190 + [] entry_SYSCALL_64_fastpath+0x1e/0x97 + [] ? 
msa_space_switch+0xb0/0xe0 +Memory state around the buggy address: + ffff8800842cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8800842cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff8800842cf280: fc fc fc fc fc fc 00 00 00 00 01 fc fc fc fc fc + ^ + ffff8800842cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8800842cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Cc: stable@vger.kernel.org +Reported-by: Kunkun Xu +Signed-off-by: lizhe +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -1079,7 +1079,7 @@ static int jffs2_scan_dirent_node(struct + memcpy(&fd->name, rd->name, checkedlen); + fd->name[checkedlen] = 0; + +- crc = crc32(0, fd->name, rd->nsize); ++ crc = crc32(0, fd->name, checkedlen); + if (crc != je32_to_cpu(rd->name_crc)) { + pr_notice("%s(): Name CRC failed on node at 0x%08x: Read 0x%08x, calculated 0x%08x\n", + __func__, ofs, je32_to_cpu(rd->name_crc), crc); diff --git a/queue-5.10/jffs2-hook-up-splice_write-callback.patch b/queue-5.10/jffs2-hook-up-splice_write-callback.patch new file mode 100644 index 00000000000..8e00ddc6eb8 --- /dev/null +++ b/queue-5.10/jffs2-hook-up-splice_write-callback.patch 
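Review bot: `crc = crc32(0, fd->name, checkedlen);` removes the out-of-bounds read but also changes what is validated: when `checkedlen < rd->nsize` the CRC is computed over the truncated name, so a dirent whose name contains embedded zeroes will presumably no longer match the `rd->name_crc` the writer stored and will be reported as a name CRC failure rather than being accepted truncated, as the "Truncating to %d char" notice announces. If that is the intended outcome the notice text is now misleading; if truncation is meant to be tolerated, hashing the on-flash buffer instead, `crc = crc32(0, rd->name, rd->nsize);`, keeps the check meaningful provided `rd` is backed by at least `rd->nsize` name bytes, which this hunk does not show. Either way a comment on the line stating why `checkedlen` rather than `rd->nsize` is the right length would help the next reader. jffs2_scan_dirent_node() starts and ends outside the inner hunk.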
@@ -0,0 +1,45 @@ +From 42984af09afc414d540fcc8247f42894b0378a91 Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Wed, 31 Mar 2021 00:15:37 +1030 +Subject: jffs2: Hook up splice_write callback + +From: Joel Stanley + +commit 42984af09afc414d540fcc8247f42894b0378a91 upstream. + +overlayfs using jffs2 as the upper filesystem would fail in some cases +since moving to v5.10. The test case used was to run 'touch' on a file +that exists in the lower fs, causing the modification time to be +updated. It returns EINVAL when the bug is triggered. + +A bisection showed this was introduced in v5.9-rc1, with commit +36e2c7421f02 ("fs: don't allow splice read/write without explicit ops"). +Reverting that commit restores the expected behaviour. + +Some digging showed that this was due to jffs2 lacking an implementation +of splice_write. (For unknown reasons the warn_unsupported that should +trigger was not displaying any output). + +Adding this patch resolved the issue and the test now passes. + +Cc: stable@vger.kernel.org +Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") +Signed-off-by: Joel Stanley +Reviewed-by: Christoph Hellwig +Tested-by: Lei YU +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/file.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -57,6 +57,7 @@ const struct file_operations jffs2_file_ + .mmap = generic_file_readonly_mmap, + .fsync = jffs2_fsync, + .splice_read = generic_file_splice_read, ++ .splice_write = iter_file_splice_write, + }; + + /* jffs2_file_inode_operations */ diff --git a/queue-5.10/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch b/queue-5.10/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch new file mode 100644 index 00000000000..fb731117a01 --- /dev/null +++ b/queue-5.10/mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch 
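Review bot: `.splice_write = iter_file_splice_write,` only works if the same table also provides a `.write_iter` method, since iter_file_splice_write() performs the write through it; that entry is not visible in the hunk, so confirm jffs2_file_operations sets one before this goes in. A short comment, `/* splice ops must be explicit since 36e2c7421f02; the write side goes through .write_iter */`, would document why the pair is present. The jffs2_file_operations initializer starts outside the hunk.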
@@ -0,0 +1,99 @@ +From cbaf3f6af9c268caf558c8e7ec52bcb35c5455dd Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Thu, 6 May 2021 10:23:08 +0300 +Subject: mlxsw: spectrum_mr: Update egress RIF list before route's action + +From: Ido Schimmel + +commit cbaf3f6af9c268caf558c8e7ec52bcb35c5455dd upstream. + +Each multicast route that is forwarding packets (as opposed to trapping +them) points to a list of egress router interfaces (RIFs) through which +packets are replicated. + +A route's action can transition from trap to forward when a RIF is +created for one of the route's egress virtual interfaces (eVIF). When +this happens, the route's action is first updated and only later the +list of egress RIFs is committed to the device. + +This results in the route pointing to an invalid list. In case the list +pointer is out of range (due to uninitialized memory), the device will +complain: + +mlxsw_spectrum2 0000:06:00.0: EMAD reg access failed (tid=5733bf490000905c,reg_id=300f(pefa),type=write,status=7(bad parameter)) + +Fix this by first committing the list of egress RIFs to the device and +only later update the route's action. + +Note that a fix is not needed in the reverse function (i.e., +mlxsw_sp_mr_route_evif_unresolve()), as there the route's action is +first updated and only later the RIF is removed from the list. 
+ +Cc: stable@vger.kernel.org +Fixes: c011ec1bbfd6 ("mlxsw: spectrum: Add the multicast routing offloading logic") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Link: https://lore.kernel.org/r/20210506072308.3834303-1-idosch@idosch.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 30 +++++++++++----------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c +@@ -535,6 +535,16 @@ mlxsw_sp_mr_route_evif_resolve(struct ml + u16 erif_index = 0; + int err; + ++ /* Add the eRIF */ ++ if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) { ++ erif_index = mlxsw_sp_rif_index(rve->mr_vif->rif); ++ err = mr->mr_ops->route_erif_add(mlxsw_sp, ++ rve->mr_route->route_priv, ++ erif_index); ++ if (err) ++ return err; ++ } ++ + /* Update the route action, as the new eVIF can be a tunnel or a pimreg + * device which will require updating the action. 
+ */ +@@ -544,17 +554,7 @@ mlxsw_sp_mr_route_evif_resolve(struct ml + rve->mr_route->route_priv, + route_action); + if (err) +- return err; +- } +- +- /* Add the eRIF */ +- if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) { +- erif_index = mlxsw_sp_rif_index(rve->mr_vif->rif); +- err = mr->mr_ops->route_erif_add(mlxsw_sp, +- rve->mr_route->route_priv, +- erif_index); +- if (err) +- goto err_route_erif_add; ++ goto err_route_action_update; + } + + /* Update the minimum MTU */ +@@ -572,14 +572,14 @@ mlxsw_sp_mr_route_evif_resolve(struct ml + return 0; + + err_route_min_mtu_update: +- if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) +- mr->mr_ops->route_erif_del(mlxsw_sp, rve->mr_route->route_priv, +- erif_index); +-err_route_erif_add: + if (route_action != rve->mr_route->route_action) + mr->mr_ops->route_action_update(mlxsw_sp, + rve->mr_route->route_priv, + rve->mr_route->route_action); ++err_route_action_update: ++ if (mlxsw_sp_mr_vif_valid(rve->mr_vif)) ++ mr->mr_ops->route_erif_del(mlxsw_sp, rve->mr_route->route_priv, ++ erif_index); + return err; + } + diff --git a/queue-5.10/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch b/queue-5.10/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch new file mode 100644 index 00000000000..bf16abbc68c --- /dev/null +++ b/queue-5.10/nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch 
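Review bot: The ordering this fix establishes — commit the eRIF with `route_erif_add()` before `route_action_update()` can switch the route from trap to forward — is explained only in the commit message, which also notes that the reverse function depends on the opposite order; nothing in the code stops someone from "tidying" the two steps back. Replace the bare `/* Add the eRIF */` with `/* Add the eRIF first: the action update below may switch the route to forward, and it must never point at an uncommitted eRIF list */`, and put a matching note on `err_route_action_update:`, where the unwind now removes the eRIF last. The new error path (restore the action, then delete the eRIF) is the correct reverse of the setup order. mlxsw_sp_mr_route_evif_resolve() starts and ends outside the inner hunks.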
@@ -0,0 +1,43 @@ +From 39fd01863616964f009599e50ca5c6ea9ebf88d6 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 15 Apr 2021 15:41:57 -0400 +Subject: NFS: Don't discard pNFS layout segments that are marked for return + +From: Trond Myklebust + +commit 39fd01863616964f009599e50ca5c6ea9ebf88d6 upstream. + +If the pNFS layout segment is marked with the NFS_LSEG_LAYOUTRETURN +flag, then the assumption is that it has some reporting requirement +to perform through a layoutreturn (e.g. flexfiles layout stats or error +information). + +Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -2470,6 +2470,9 @@ pnfs_mark_matching_lsegs_return(struct p + + assert_spin_locked(&lo->plh_inode->i_lock); + ++ if (test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags)) ++ tmp_list = &lo->plh_return_segs; ++ + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + if (pnfs_match_lseg_recall(lseg, return_range, seq)) { + dprintk("%s: marking lseg %p iomode %d " +@@ -2477,6 +2480,8 @@ pnfs_mark_matching_lsegs_return(struct p + lseg, lseg->pls_range.iomode, + lseg->pls_range.offset, + lseg->pls_range.length); ++ if (test_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags)) ++ tmp_list = &lo->plh_return_segs; + if (mark_lseg_invalid(lseg, tmp_list)) + continue; + remaining++; diff --git a/queue-5.10/nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch b/queue-5.10/nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch new file mode 100644 index 00000000000..77bbdf194cc --- /dev/null +++ b/queue-5.10/nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch 
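Review bot: The in-loop assignment `tmp_list = &lo->plh_return_segs;` under `test_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags)` is sticky: `tmp_list` is never reset, so once one matching segment carries the flag every later matching segment in the same pass is also diverted to `plh_return_segs`, flagged or not. If that is intended, say so with a comment such as `/* once one lseg needs a layoutreturn, divert the rest of this pass too */`; if it is not, use a per-iteration pointer, `struct list_head *list = test_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags) ? &lo->plh_return_segs : tmp_list;`, and pass `list` to `mark_lseg_invalid()`. pnfs_mark_matching_lsegs_return() starts before the inner hunk and continues after it.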
@@ -0,0 +1,61 @@ +From c09f11ef35955785f92369e25819bf0629df2e59 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 1 Mar 2021 16:19:30 -0800 +Subject: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds + +From: Randy Dunlap + +commit c09f11ef35955785f92369e25819bf0629df2e59 upstream. + +Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused +by a garbage timeout (retrans) mount option being passed to nfs mount, +in this case from syzkaller. + +If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift +value for a 64-bit long integer, so 'retrans' cannot be >= 64. +If it is >= 64, fail the mount and return an error. + +Fixes: 9954bf92c0cd ("NFS: Move mount parameterisation bits into their own file") +Reported-by: syzbot+ba2e91df8f74809417fa@syzkaller.appspotmail.com +Reported-by: syzbot+f3a0fa110fd630ab56c8@syzkaller.appspotmail.com +Signed-off-by: Randy Dunlap +Cc: Trond Myklebust +Cc: Anna Schumaker +Cc: linux-nfs@vger.kernel.org +Cc: David Howells +Cc: Al Viro +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/fs_context.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/nfs/fs_context.c ++++ b/fs/nfs/fs_context.c +@@ -938,6 +938,15 @@ static int nfs23_parse_monolithic(struct + sizeof(mntfh->data) - mntfh->size); + + /* ++ * for proto == XPRT_TRANSPORT_UDP, which is what uses ++ * to_exponential, implying shift: limit the shift value ++ * to BITS_PER_LONG (majortimeo is unsigned long) ++ */ ++ if (!(data->flags & NFS_MOUNT_TCP)) /* this will be UDP */ ++ if (data->retrans >= 64) /* shift value is too large */ ++ goto out_invalid_data; ++ ++ /* + * Translate to nfs_fs_context, which nfs_fill_super + * can deal with. 
+ */ +@@ -1037,6 +1046,9 @@ out_no_address: + + out_invalid_fh: + return nfs_invalf(fc, "NFS: invalid root filehandle"); ++ ++out_invalid_data: ++ return nfs_invalf(fc, "NFS: invalid binary mount data"); + } + + #if IS_ENABLED(CONFIG_NFS_V4) diff --git a/queue-5.10/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch b/queue-5.10/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch new file mode 100644 index 00000000000..a081d5cd78e --- /dev/null +++ b/queue-5.10/nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch @@ -0,0 +1,33 @@ +From de144ff4234f935bd2150108019b5d87a90a8a96 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 18 Apr 2021 15:00:45 -0400 +Subject: NFSv4: Don't discard segments marked for return in _pnfs_return_layout() + +From: Trond Myklebust + +commit de144ff4234f935bd2150108019b5d87a90a8a96 upstream. + +If the pNFS layout segment is marked with the NFS_LSEG_LAYOUTRETURN +flag, then the assumption is that it has some reporting requirement +to perform through a layoutreturn (e.g. flexfiles layout stats or error +information). + +Fixes: 6d597e175012 ("pnfs: only tear down lsegs that precede seqid in LAYOUTRETURN args") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1344,7 +1344,7 @@ _pnfs_return_layout(struct inode *ino) + } + valid_layout = pnfs_layout_is_valid(lo); + pnfs_clear_layoutcommit(ino, &tmp_list); +- pnfs_mark_matching_lsegs_invalid(lo, &tmp_list, NULL, 0); ++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0); + + if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) { + struct pnfs_layout_range range = { 
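Review bot: The new guard `if (data->retrans >= 64)` hard-codes 64 although its own comment says the limit is BITS_PER_LONG because `majortimeo` is an unsigned long; if the shift really is on that unsigned long, a 32-bit kernel still accepts 32..63 and still performs the out-of-range shift the patch is meant to stop. Fold the two nested unbraced ifs into one and use the named constant: `if (!(data->flags & NFS_MOUNT_TCP) && data->retrans >= BITS_PER_LONG)` followed by `goto out_invalid_data;`. The `out_invalid_data:` label added in the second inner hunk is fine as is. nfs23_parse_monolithic() starts before the first inner hunk.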
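Review bot: The call `pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);` carries no comment explaining why the `_return` variant is required here, and the `_invalid` form it replaces looked equally plausible, which is how the regression got in. Add `/* keep lsegs flagged NFS_LSEG_LAYOUTRETURN: they still have state to report via layoutreturn */` above the call. Its return value is ignored, as the `_invalid` call's was; whether it reports anything the caller should act on is outside what the hunk shows. _pnfs_return_layout() starts and ends outside the inner hunk.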
diff --git a/queue-5.10/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch b/queue-5.10/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch new file mode 100644 index 00000000000..9cd1ce2302b --- /dev/null +++ b/queue-5.10/openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch 
@@ -0,0 +1,116 @@ +From 7c0ea5930c1c211931819d83cfb157bff1539a4c Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Wed, 28 Apr 2021 15:23:07 +0200 +Subject: openvswitch: fix stack OOB read while fragmenting IPv4 packets + +From: Davide Caratti + +commit 7c0ea5930c1c211931819d83cfb157bff1539a4c upstream. + +running openvswitch on kernels built with KASAN, it's possible to see the +following splat while testing fragmentation of IPv4 packets: + + BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 + Read of size 1 at addr ffff888112fc713c by task handler2/1367 + + CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 + Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 + Call Trace: + dump_stack+0x92/0xc1 + print_address_description.constprop.7+0x1a/0x150 + kasan_report.cold.13+0x7f/0x111 + ip_do_fragment+0x1b03/0x1f60 + ovs_fragment+0x5bf/0x840 [openvswitch] + do_execute_actions+0x1bd5/0x2400 [openvswitch] + ovs_execute_actions+0xc8/0x3d0 [openvswitch] + ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] + genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 + genl_rcv_msg+0x287/0x490 + netlink_rcv_skb+0x120/0x380 + genl_rcv+0x24/0x40 + netlink_unicast+0x439/0x630 + netlink_sendmsg+0x719/0xbf0 + sock_sendmsg+0xe2/0x110 + ____sys_sendmsg+0x5ba/0x890 + ___sys_sendmsg+0xe9/0x160 + __sys_sendmsg+0xd3/0x170 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f957079db07 + Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 + RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 + RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 + RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 + R10: 0000000000000000 R11: 0000000000000293 R12: 
0000000000000000 + R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 + + The buggy address belongs to the page: + page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 + flags: 0x17ffffc0000000() + raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: + ovs_fragment+0x0/0x840 [openvswitch] + + this frame has 2 objects: + [32, 144) 'ovs_dst' + [192, 424) 'ovs_rt' + + Memory state around the buggy address: + ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 + >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 + ^ + ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 + +for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, +in the following call graph: + + ip_do_fragment() + ip_skb_dst_mtu() + ip_dst_mtu_maybe_forward() + ip_mtu_locked() + +the pointer to struct dst_entry is used as pointer to struct rtable: this +turns the access to struct members like rt_mtu_locked into an OOB read in +the stack. Fix this changing the temporary variable used for IPv4 packets +in ovs_fragment(), similarly to what is done for IPv6 few lines below. + +Fixes: d52e5a7e7ca4 ("ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmt") +Cc: +Acked-by: Eelco Chaudron +Signed-off-by: Davide Caratti +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/actions.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -827,17 +827,17 @@ static void ovs_fragment(struct net *net
+ }
+
+ if (key->eth.type == htons(ETH_P_IP)) {
+- struct dst_entry ovs_dst;
++ struct rtable ovs_rt = { 0 };
+ unsigned long orig_dst;
+
+ prepare_frag(vport, skb, orig_network_offset,
+ ovs_key_mac_proto(key));
+- dst_init(&ovs_dst, &ovs_dst_ops, NULL, 1,
++ dst_init(&ovs_rt.dst, &ovs_dst_ops, NULL, 1,
+ DST_OBSOLETE_NONE, DST_NOCOUNT);
+- ovs_dst.dev = vport->dev;
++ ovs_rt.dst.dev = vport->dev;
+
+ orig_dst = skb->_skb_refdst;
+- skb_dst_set_noref(skb, &ovs_dst);
++ skb_dst_set_noref(skb, &ovs_rt.dst);
+ IPCB(skb)->frag_max_size = mru;
+
+ ip_do_fragment(net, skb->sk, skb, ovs_vport_output);
diff --git a/queue-5.10/powerpc-32-fix-boot-failure-with-config_stackprotector.patch b/queue-5.10/powerpc-32-fix-boot-failure-with-config_stackprotector.patch
new file mode 100644
index 00000000000..e12b11f5e6f
--- /dev/null
+++ b/queue-5.10/powerpc-32-fix-boot-failure-with-config_stackprotector.patch
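Review bot: `struct rtable ovs_rt = { 0 };` in ovs_fragment() is introduced without a comment saying why the wider type is needed, although the commit message explains it: ip_do_fragment() reaches ip_mtu_locked() and reads struct rtable members through the dst pointer, so a bare struct dst_entry on the stack was read past its end. Suggest `/* ip_do_fragment() treats skb_dst() as a struct rtable (ip_mtu_locked()); embed dst in a zeroed rtable so those reads stay in bounds */` above the declaration. The zero-initialiser is what makes the rtable-only fields read as 0 instead of stack garbage, so it should not be dropped in later cleanups. ovs_fragment() continues past the hunk, where skb->_skb_refdst is presumably restored from orig_dst before the stack object goes out of scope — not visible here.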
@@ -0,0 +1,45 @@ +From f5668260b872e89b8d3942a8b7d4278aa9c2c981 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 29 Apr 2021 16:52:09 +0000 +Subject: powerpc/32: Fix boot failure with CONFIG_STACKPROTECTOR + +From: Christophe Leroy + +commit f5668260b872e89b8d3942a8b7d4278aa9c2c981 upstream. + +Commit 7c95d8893fb5 ("powerpc: Change calling convention for +create_branch() et. al.") complexified the frame of function +do_feature_fixups(), leading to GCC setting up a stack +guard when CONFIG_STACKPROTECTOR is selected. + +The problem is that do_feature_fixups() is called very early +while 'current' in r2 is not set up yet and the code is still +not at the final address used at link time. + +So, like other instrumentation, stack protection needs to be +deactivated for feature-fixups.c and code-patching.c + +Fixes: 7c95d8893fb5 ("powerpc: Change calling convention for create_branch() et. al.") +Cc: stable@vger.kernel.org # v5.8+ +Reported-by: Jonathan Neuschaefer +Signed-off-by: Christophe Leroy +Tested-by: Jonathan Neuschaefer +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/b688fe82927b330349d9e44553363fa451ea4d95.1619715114.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/lib/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/lib/Makefile ++++ b/arch/powerpc/lib/Makefile +@@ -5,6 +5,9 @@ + + ccflags-$(CONFIG_PPC64) := $(NO_MINIMAL_TOC) + ++CFLAGS_code-patching.o += -fno-stack-protector ++CFLAGS_feature-fixups.o += -fno-stack-protector ++ + CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE) + CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE) + diff --git a/queue-5.10/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch b/queue-5.10/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch new file mode 100644 index 00000000000..47a041bd5f0 --- /dev/null +++ b/queue-5.10/powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch 
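Review bot: The two `-fno-stack-protector` additions carry no comment in the Makefile, and the reason given in the commit message — do_feature_fixups() runs before 'current' in r2 is set up and before the code sits at its link-time address, so GCC's stack-guard sequence cannot work there — is the kind of constraint that gets lost on the next Makefile cleanup; suggest `# code-patching.o / feature-fixups.o run before 'current' (r2) and relocation are valid: no stack protector` above the new lines. Adding the flag unconditionally rather than under CONFIG_STACKPROTECTOR is fine, since the option is accepted either way and it mirrors the unconditional CFLAGS_REMOVE lines that follow.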
@@ -0,0 +1,119 @@ +From 5ae5bc12d0728db60a0aa9b62160ffc038875f1a Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Mon, 12 Apr 2021 13:22:50 +0530 +Subject: powerpc/eeh: Fix EEH handling for hugepages in ioremap space. + +From: Mahesh Salgaonkar + +commit 5ae5bc12d0728db60a0aa9b62160ffc038875f1a upstream. + +During the EEH MMIO error checking, the current implementation fails to map +the (virtual) MMIO address back to the pci device on radix with hugepage +mappings for I/O. This results into failure to dispatch EEH event with no +recovery even when EEH capability has been enabled on the device. + +eeh_check_failure(token) # token = virtual MMIO address + addr = eeh_token_to_phys(token); + edev = eeh_addr_cache_get_dev(addr); + if (!edev) + return 0; + eeh_dev_check_failure(edev); <= Dispatch the EEH event + +In case of hugepage mappings, eeh_token_to_phys() has a bug in virt -> phys +translation that results in wrong physical address, which is then passed to +eeh_addr_cache_get_dev() to match it against cached pci I/O address ranges +to get to a PCI device. Hence, it fails to find a match and the EEH event +never gets dispatched leaving the device in failed state. + +The commit 33439620680be ("powerpc/eeh: Handle hugepages in ioremap space") +introduced following logic to translate virt to phys for hugepage mappings: + +eeh_token_to_phys(): ++ pa = pte_pfn(*ptep); ++ ++ /* On radix we can do hugepage mappings for io, so handle that */ ++ if (hugepage_shift) { ++ pa <<= hugepage_shift; <= This is wrong ++ pa |= token & ((1ul << hugepage_shift) - 1); ++ } + +This patch fixes the virt -> phys translation in eeh_token_to_phys() +function. 
+ + $ cat /sys/kernel/debug/powerpc/eeh_address_cache + mem addr range [0x0000040080000000-0x00000400807fffff]: 0030:01:00.1 + mem addr range [0x0000040080800000-0x0000040080ffffff]: 0030:01:00.1 + mem addr range [0x0000040081000000-0x00000400817fffff]: 0030:01:00.0 + mem addr range [0x0000040081800000-0x0000040081ffffff]: 0030:01:00.0 + mem addr range [0x0000040082000000-0x000004008207ffff]: 0030:01:00.1 + mem addr range [0x0000040082080000-0x00000400820fffff]: 0030:01:00.0 + mem addr range [0x0000040082100000-0x000004008210ffff]: 0030:01:00.1 + mem addr range [0x0000040082110000-0x000004008211ffff]: 0030:01:00.0 + +Above is the list of cached io address ranges of pci 0030:01:00.. + +Before this patch: + +Tracing 'arg1' of function eeh_addr_cache_get_dev() during error injection +clearly shows that 'addr=' contains wrong physical address: + + kworker/u16:0-7 [001] .... 108.883775: eeh_addr_cache_get_dev: + (eeh_addr_cache_get_dev+0xc/0xf0) addr=0x80103000a510 + +dmesg shows no EEH recovery messages: + + [ 108.563768] bnx2x: [bnx2x_timer:5801(eth2)]MFW seems hanged: drv_pulse (0x9ae) != mcp_pulse (0x7fff) + [ 108.563788] bnx2x: [bnx2x_hw_stats_update:870(eth2)]NIG timer max (4294967295) + [ 108.883788] bnx2x: [bnx2x_acquire_hw_lock:2013(eth1)]lock_status 0xffffffff resource_bit 0x1 + [ 108.884407] bnx2x 0030:01:00.0 eth1: MDC/MDIO access timeout + [ 108.884976] bnx2x 0030:01:00.0 eth1: MDC/MDIO access timeout + <..> + +After this patch: + +eeh_addr_cache_get_dev() trace shows correct physical address: + + -0 [001] ..s. 
1043.123828: eeh_addr_cache_get_dev:
+ (eeh_addr_cache_get_dev+0xc/0xf0) addr=0x40080bc7cd8
+
+dmesg logs shows EEH recovery getting triggerred:
+
+ [ 964.323980] bnx2x: [bnx2x_timer:5801(eth2)]MFW seems hanged: drv_pulse (0x746f) != mcp_pulse (0x7fff)
+ [ 964.323991] EEH: Recovering PHB#30-PE#10000
+ [ 964.324002] EEH: PE location: N/A, PHB location: N/A
+ [ 964.324006] EEH: Frozen PHB#30-PE#10000 detected
+ <..>
+
+Fixes: 33439620680b ("powerpc/eeh: Handle hugepages in ioremap space")
+Cc: stable@vger.kernel.org # v5.3+
+Reported-by: Dominic DeMarco
+Signed-off-by: Mahesh Salgaonkar
+Signed-off-by: Aneesh Kumar K.V
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/161821396263.48361.2796709239866588652.stgit@jupiter
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/eeh.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -362,14 +362,11 @@ static inline unsigned long eeh_token_to
+ pa = pte_pfn(*ptep);
+
+ /* On radix we can do hugepage mappings for io, so handle that */
+- if (hugepage_shift) {
+- pa <<= hugepage_shift;
+- pa |= token & ((1ul << hugepage_shift) - 1);
+- } else {
+- pa <<= PAGE_SHIFT;
+- pa |= token & (PAGE_SIZE - 1);
+- }
++ if (!hugepage_shift)
++ hugepage_shift = PAGE_SHIFT;
+
++ pa <<= PAGE_SHIFT;
++ pa |= token & ((1ul << hugepage_shift) - 1);
+ return pa;
+ }
+
diff --git a/queue-5.10/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch b/queue-5.10/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
new file mode 100644
index 00000000000..ffb5455f263
--- /dev/null
+++ b/queue-5.10/powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
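Review bot: After the change `hugepage_shift` is overwritten with PAGE_SHIFT and then reused only as the width of the offset mask, while the PFN is always shifted by PAGE_SHIFT; the point of the fix — that pte_pfn() yields a PFN in PAGE_SIZE units even for a hugepage PTE, so only the mask depends on the mapping size — is stated nowhere in the code. Suggest replacing the `/* On radix ... */` line with `/* pte_pfn() returns a PAGE_SIZE-unit PFN even for a hugepage PTE, so only the low-bit offset mask depends on the mapping size (radix hugepage I/O mappings) */`. Reusing the variable for a different meaning also reads oddly; a local such as `unsigned long offset_mask = (1ul << (hugepage_shift ?: PAGE_SHIFT)) - 1;` would avoid the reassignment. eeh_token_to_phys() starts before the hunk, so where hugepage_shift comes from is not visible here.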
@@ -0,0 +1,53 @@ +From 7de21e679e6a789f3729e8402bc440b623a28eae Mon Sep 17 00:00:00 2001 +From: Tony Ambardar +Date: Thu, 17 Sep 2020 06:54:37 -0700 +Subject: powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h + +From: Tony Ambardar + +commit 7de21e679e6a789f3729e8402bc440b623a28eae upstream. + +A few archs like powerpc have different errno.h values for macros +EDEADLOCK and EDEADLK. In code including both libc and linux versions of +errno.h, this can result in multiple definitions of EDEADLOCK in the +include chain. Definitions to the same value (e.g. seen with mips) do +not raise warnings, but on powerpc there are redefinitions changing the +value, which raise warnings and errors (if using "-Werror"). + +Guard against these redefinitions to avoid build errors like the following, +first seen cross-compiling libbpf v5.8.9 for powerpc using GCC 8.4.0 with +musl 1.1.24: + + In file included from ../../arch/powerpc/include/uapi/asm/errno.h:5, + from ../../include/linux/err.h:8, + from libbpf.c:29: + ../../include/uapi/asm-generic/errno.h:40: error: "EDEADLOCK" redefined [-Werror] + #define EDEADLOCK EDEADLK + + In file included from toolchain-powerpc_8540_gcc-8.4.0_musl/include/errno.h:10, + from libbpf.c:26: + toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/errno.h:58: note: this is the location of the previous definition + #define EDEADLOCK 58 + + cc1: all warnings being treated as errors + +Cc: Stable +Reported-by: Rosen Penev +Signed-off-by: Tony Ambardar +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200917135437.1238787-1-Tony.Ambardar@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/uapi/asm/errno.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/include/uapi/asm/errno.h ++++ b/arch/powerpc/include/uapi/asm/errno.h +@@ -2,6 +2,7 @@ + #ifndef _ASM_POWERPC_ERRNO_H + #define _ASM_POWERPC_ERRNO_H + ++#undef EDEADLOCK + #include + + #undef EDEADLOCK 
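Review bot: The added `#undef EDEADLOCK` before the include has no comment, and the only explanation — a libc errno.h (musl defines EDEADLOCK as 58) may already have defined the macro, after which asm-generic/errno.h redefines it as EDEADLK and trips -Werror — lives in the commit message; suggest `/* libc errno.h may already define EDEADLOCK (e.g. musl: 58); drop it so asm-generic's EDEADLOCK=EDEADLK is not a redefinition */` above the new line. The include target appears stripped in this rendering (`#include` with no header name), which looks like an extraction artefact rather than part of the patch.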
diff --git a/queue-5.10/powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch b/queue-5.10/powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch
new file mode 100644
index 00000000000..b151b8b6db1
--- /dev/null
+++ b/queue-5.10/powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch
@@ -0,0 +1,142 @@ +From 40c753993e3aad51a12c21233486e2037417a4d6 Mon Sep 17 00:00:00 2001 +From: Sourabh Jain +Date: Thu, 29 Apr 2021 11:32:56 +0530 +Subject: powerpc/kexec_file: Use current CPU info while setting up FDT + +From: Sourabh Jain + +commit 40c753993e3aad51a12c21233486e2037417a4d6 upstream. + +kexec_file_load() uses initial_boot_params in setting up the device tree +for the kernel to be loaded. Though initial_boot_params holds info about +CPUs at the time of boot, it doesn't account for hot added CPUs. + +So, kexec'ing with kexec_file_load() syscall leaves the kexec'ed kernel +with inaccurate CPU info. + +If kdump kernel is loaded with kexec_file_load() syscall and the system +crashes on a hot added CPU, the capture kernel hangs failing to identify +the boot CPU, with no output. + +To avoid this from happening, extract current CPU info from of_root +device node and use it for setting up the fdt in kexec_file_load case. + +Fixes: 6ecd0163d360 ("powerpc/kexec_file: Add appropriate regions for memory reserve map") +Cc: stable@vger.kernel.org # v5.9+ +Signed-off-by: Sourabh Jain +Reviewed-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210429060256.199714-1-sourabhjain@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kexec/file_load_64.c | 92 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +--- a/arch/powerpc/kexec/file_load_64.c ++++ b/arch/powerpc/kexec/file_load_64.c +@@ -961,6 +961,93 @@ unsigned int kexec_fdt_totalsize_ppc64(s + } + + /** ++ * add_node_props - Reads node properties from device node structure and add ++ * them to fdt. ++ * @fdt: Flattened device tree of the kernel ++ * @node_offset: offset of the node to add a property at ++ * @dn: device node pointer ++ * ++ * Returns 0 on success, negative errno on error. 
++ */
++static int add_node_props(void *fdt, int node_offset, const struct device_node *dn)
++{
++ int ret = 0;
++ struct property *pp;
++
++ if (!dn)
++ return -EINVAL;
++
++ for_each_property_of_node(dn, pp) {
++ ret = fdt_setprop(fdt, node_offset, pp->name, pp->value, pp->length);
++ if (ret < 0) {
++ pr_err("Unable to add %s property: %s\n", pp->name, fdt_strerror(ret));
++ return ret;
++ }
++ }
++ return ret;
++}
++
++/**
++ * update_cpus_node - Update cpus node of flattened device tree using of_root
++ * device node.
++ * @fdt: Flattened device tree of the kernel.
++ *
++ * Returns 0 on success, negative errno on error.
++ */
++static int update_cpus_node(void *fdt)
++{
++ struct device_node *cpus_node, *dn;
++ int cpus_offset, cpus_subnode_offset, ret = 0;
++
++ cpus_offset = fdt_path_offset(fdt, "/cpus");
++ if (cpus_offset < 0 && cpus_offset != -FDT_ERR_NOTFOUND) {
++ pr_err("Malformed device tree: error reading /cpus node: %s\n",
++ fdt_strerror(cpus_offset));
++ return cpus_offset;
++ }
++
++ if (cpus_offset > 0) {
++ ret = fdt_del_node(fdt, cpus_offset);
++ if (ret < 0) {
++ pr_err("Error deleting /cpus node: %s\n", fdt_strerror(ret));
++ return -EINVAL;
++ }
++ }
++
++ /* Add cpus node to fdt */
++ cpus_offset = fdt_add_subnode(fdt, fdt_path_offset(fdt, "/"), "cpus");
++ if (cpus_offset < 0) {
++ pr_err("Error creating /cpus node: %s\n", fdt_strerror(cpus_offset));
++ return -EINVAL;
++ }
++
++ /* Add cpus node properties */
++ cpus_node = of_find_node_by_path("/cpus");
++ ret = add_node_props(fdt, cpus_offset, cpus_node);
++ of_node_put(cpus_node);
++ if (ret < 0)
++ return ret;
++
++ /* Loop through all subnodes of cpus and add them to fdt */
++ for_each_node_by_type(dn, "cpu") {
++ cpus_subnode_offset = fdt_add_subnode(fdt, cpus_offset, dn->full_name);
++ if (cpus_subnode_offset < 0) {
++ pr_err("Unable to add %s subnode: %s\n", dn->full_name,
++ fdt_strerror(cpus_subnode_offset));
++ ret = cpus_subnode_offset;
++ goto out;
++ }
++
++ ret =
add_node_props(fdt, cpus_subnode_offset, dn);
++ if (ret < 0)
++ goto out;
++ }
++out:
++ of_node_put(dn);
++ return ret;
++}
++
++/**
+ * setup_new_fdt_ppc64 - Update the flattend device-tree of the kernel
+ * being loaded.
+ * @image: kexec image being loaded.
+@@ -1020,6 +1107,11 @@ int setup_new_fdt_ppc64(const struct kim
+ }
+ }
+
++ /* Update cpus nodes information to account hotplug CPUs. */
++ ret = update_cpus_node(fdt);
++ if (ret < 0)
++ goto out;
++
+ /* Update memory reserve map */
+ ret = get_reserved_memory_ranges(&rmem);
+ if (ret)
diff --git a/queue-5.10/powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch b/queue-5.10/powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch
new file mode 100644
index 00000000000..a85d249737b
--- /dev/null
+++ b/queue-5.10/powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch
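Review bot: Children of /cpus that are not of device_type "cpu" are not carried into the new FDT: update_cpus_node() deletes the whole existing /cpus node, re-adds only its own properties, and then re-creates every node of device_type "cpu" found anywhere in the live tree (for_each_node_by_type() is not restricted to children of cpus_node), so if the platform has other nodes under /cpus they are silently dropped, and a cpu-typed node living elsewhere would be relocated under /cpus. At minimum this deserves a comment at the loop, e.g. `/* Only device_type "cpu" nodes are re-created; other children of /cpus are not carried over */`, or a walk of cpus_node's children instead of the type-based search. An fdt_del_node()/fdt_add_subnode() failure returns -EINVAL after the old /cpus node is already gone, leaving the fdt without a cpus node; that is acceptable only because setup_new_fdt_ppc64() (second hunk) aborts via `goto out` on a negative return. The of_node_put(dn) at `out:` is right for both exits: on the error path it drops the iterator's reference, and when the loop runs to completion dn is NULL.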
@@ -0,0 +1,73 @@ +From 49c1d07fd04f54eb588c4a1dfcedc8d22c5ffd50 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 2 Apr 2021 12:41:24 +1000 +Subject: powerpc/powernv: Enable HAIL (HV AIL) for ISA v3.1 processors + +From: Nicholas Piggin + +commit 49c1d07fd04f54eb588c4a1dfcedc8d22c5ffd50 upstream. + +Starting with ISA v3.1, LPCR[AIL] no longer controls the interrupt +mode for HV=1 interrupts. Instead, a new LPCR[HAIL] bit is defined +which behaves like AIL=3 for HV interrupts when set. + +Set HAIL on bare metal to give us mmu-on interrupts and improve +performance. + +This also fixes an scv bug: we don't implement scv real mode (AIL=0) +vectors because they are at an inconvenient location, so we just +disable scv support when AIL can not be set. However powernv assumes +that LPCR[AIL] will enable AIL mode so it enables scv support despite +HV interrupts being AIL=0, which causes scv interrupts to go off into +the weeds. + +Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions") +Cc: stable@vger.kernel.org # v5.9+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210402024124.545826-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/kernel/setup_64.c | 19 ++++++++++++++++--- + 2 files changed, 17 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -444,6 +444,7 @@ + #define LPCR_VRMA_LP1 ASM_CONST(0x0000800000000000) + #define LPCR_RMLS 0x1C000000 /* Implementation dependent RMO limit sel */ + #define LPCR_RMLS_SH 26 ++#define LPCR_HAIL ASM_CONST(0x0000000004000000) /* HV AIL (ISAv3.1) */ + #define LPCR_ILE ASM_CONST(0x0000000002000000) /* !HV irqs set MSR:LE */ + #define LPCR_AIL ASM_CONST(0x0000000001800000) /* Alternate interrupt location */ + #define LPCR_AIL_0 ASM_CONST(0x0000000000000000) /* MMU off exception offset 0x0 */ +--- 
a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -231,10 +231,23 @@ static void cpu_ready_for_interrupts(voi
+ * If we are not in hypervisor mode the job is done once for
+ * the whole partition in configure_exceptions().
+ */
+- if (cpu_has_feature(CPU_FTR_HVMODE) &&
+- cpu_has_feature(CPU_FTR_ARCH_207S)) {
++ if (cpu_has_feature(CPU_FTR_HVMODE)) {
+ unsigned long lpcr = mfspr(SPRN_LPCR);
+- mtspr(SPRN_LPCR, lpcr | LPCR_AIL_3);
++ unsigned long new_lpcr = lpcr;
++
++ if (cpu_has_feature(CPU_FTR_ARCH_31)) {
++ /* P10 DD1 does not have HAIL */
++ if (pvr_version_is(PVR_POWER10) &&
++ (mfspr(SPRN_PVR) & 0xf00) == 0x100)
++ new_lpcr |= LPCR_AIL_3;
++ else
++ new_lpcr |= LPCR_HAIL;
++ } else if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
++ new_lpcr |= LPCR_AIL_3;
++ }
++
++ if (new_lpcr != lpcr)
++ mtspr(SPRN_LPCR, new_lpcr);
+ }
+
+ /*
diff --git a/queue-5.10/series b/queue-5.10/series
index c8d867fee98..efbf8f4f50a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
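Review bot: `(mfspr(SPRN_PVR) & 0xf00) == 0x100` in cpu_ready_for_interrupts() is a bare magic mask; the comment above it says what is being detected (P10 DD1) but not which PVR field the test reads, so a future revision check is likely to be copied blindly. Suggest a named helper or macro for the revision test, or at least extending the comment: `/* P10 DD1 does not have HAIL: PVR revision field (bits 0xf00) == 1 */` — the field naming should be checked against the PVR layout used elsewhere in reg.h. The `if (new_lpcr != lpcr)` guard means pre-2.07 HV CPUs now perform no mtspr at all, which matches the old `CPU_FTR_ARCH_207S` precondition. The function starts before the hunk.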
@@ -228,3 +228,22 @@ kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch
 ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
 f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch
 f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
+mlxsw-spectrum_mr-update-egress-rif-list-before-route-s-action.patch
+openvswitch-fix-stack-oob-read-while-fragmenting-ipv4-packets.patch
+acpi-gtdt-don-t-corrupt-interrupt-mappings-on-watchdow-probe-failure.patch
+nfs-fs_context-validate-udp-retrans-to-prevent-shift-out-of-bounds.patch
+nfs-don-t-discard-pnfs-layout-segments-that-are-marked-for-return.patch
+nfsv4-don-t-discard-segments-marked-for-return-in-_pnfs_return_layout.patch
+input-ili210x-add-missing-negation-for-touch-indication-on-ili210x.patch
+jffs2-fix-kasan-slab-out-of-bounds-problem.patch
+jffs2-hook-up-splice_write-callback.patch
+powerpc-powernv-enable-hail-hv-ail-for-isa-v3.1-processors.patch
+powerpc-eeh-fix-eeh-handling-for-hugepages-in-ioremap-space.patch
+powerpc-kexec_file-use-current-cpu-info-while-setting-up-fdt.patch
+powerpc-32-fix-boot-failure-with-config_stackprotector.patch
+powerpc-fix-edeadlock-redefinition-error-in-uapi-asm-errno.h.patch
+intel_th-pci-add-alder-lake-m-support.patch
+tpm-efi-use-local-variable-for-calculating-final-log-size.patch
+tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
+crypto-arm-curve25519-move-.fpu-after-.arch.patch
+crypto-rng-fix-crypto_rng_reset-refcounting-when-crypto_stats.patch
diff --git a/queue-5.10/tpm-efi-use-local-variable-for-calculating-final-log-size.patch b/queue-5.10/tpm-efi-use-local-variable-for-calculating-final-log-size.patch
new file mode 100644
index 00000000000..206c80ab5fe
--- /dev/null
+++ b/queue-5.10/tpm-efi-use-local-variable-for-calculating-final-log-size.patch
@@ -0,0 +1,119 @@ +From 48cff270b037022e37835d93361646205ca25101 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Wed, 10 Mar 2021 17:19:14 -0500 +Subject: tpm: efi: Use local variable for calculating final log size + +From: Stefan Berger + +commit 48cff270b037022e37835d93361646205ca25101 upstream. + +When tpm_read_log_efi is called multiple times, which happens when +one loads and unloads a TPM2 driver multiple times, then the global +variable efi_tpm_final_log_size will at some point become a negative +number due to the subtraction of final_events_preboot_size occurring +each time. Use a local variable to avoid this integer underflow. + +The following issue is now resolved: + +Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy] +Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20 +Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 +Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206 +Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f +Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d +Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073 +Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5 +Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018 +Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000 +Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 
00000001785a6004 CR4: 0000000000060ee0
+Mar 8 15:35:12 hibinst kernel: Call Trace:
+Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
+Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
+Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
+Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
+Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
+Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
+Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370
+
+Cc: stable@vger.kernel.org
+Fixes: 166a2809d65b ("tpm: Don't duplicate events from the final event log in the TCG2 log")
+Signed-off-by: Stefan Berger
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/eventlog/efi.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/tpm/eventlog/efi.c
++++ b/drivers/char/tpm/eventlog/efi.c
+@@ -17,6 +17,7 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ {
+
+ struct efi_tcg2_final_events_table *final_tbl = NULL;
++ int final_events_log_size = efi_tpm_final_log_size;
+ struct linux_efi_tpm_eventlog *log_tbl;
+ struct tpm_bios_log *log;
+ u32 log_size;
+@@ -66,12 +67,12 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ ret = tpm_log_version;
+
+ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR ||
+- efi_tpm_final_log_size == 0 ||
++ final_events_log_size == 0 ||
+ tpm_log_version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
+ goto out;
+
+ final_tbl = memremap(efi.tpm_final_log,
+- sizeof(*final_tbl) + efi_tpm_final_log_size,
++ sizeof(*final_tbl) + final_events_log_size,
+ MEMREMAP_WB);
+ if (!final_tbl) {
+ pr_err("Could not map UEFI TPM final log\n");
+@@ -80,10 +81,18 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ goto out;
+ }
+
+- efi_tpm_final_log_size -= log_tbl->final_events_preboot_size;
++ /*
++ * The 'final events log' size excludes the 'final events preboot log'
++ * at its beginning.
++ */
++ final_events_log_size -= log_tbl->final_events_preboot_size;
+
++ /*
++ * Allocate memory for the 'combined log' where we will append the
++ * 'final events log' to.
++ */
+ tmp = krealloc(log->bios_event_log,
+- log_size + efi_tpm_final_log_size,
++ log_size + final_events_log_size,
+ GFP_KERNEL);
+ if (!tmp) {
+ kfree(log->bios_event_log);
+@@ -94,15 +103,19 @@ int tpm_read_log_efi(struct tpm_chip *ch
+ log->bios_event_log = tmp;
+
+ /*
+- * Copy any of the final events log that didn't also end up in the
+- * main log. Events can be logged in both if events are generated
++ * Append any of the 'final events log' that didn't also end up in the
++ * 'main log'. Events can be logged in both if events are generated
+ * between GetEventLog() and ExitBootServices().
+ */
+ memcpy((void *)log->bios_event_log + log_size,
+ final_tbl->events + log_tbl->final_events_preboot_size,
+- efi_tpm_final_log_size);
++ final_events_log_size);
++ /*
++ * The size of the 'combined log' is the size of the 'main log' plus
++ * the size of the 'final events log'.
++ */
+ log->bios_event_log_end = log->bios_event_log +
+- log_size + efi_tpm_final_log_size;
++ log_size + final_events_log_size;
+
+ out:
+ memunmap(final_tbl);
diff --git a/queue-5.10/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch b/queue-5.10/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
new file mode 100644
index 00000000000..6542f564207
--- /dev/null
+++ b/queue-5.10/tpm-vtpm_proxy-avoid-reading-host-log-when-using-a-virtual-device.patch
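Review bot: Moving the subtraction onto the local fixes the cross-call underflow, but `final_events_log_size -= log_tbl->final_events_preboot_size` is still unchecked within a single call: both operands come from firmware tables, and if final_events_preboot_size exceeds the table size the int goes negative, the krealloc() size shrinks, and the memcpy() length becomes a huge size_t while its source `final_tbl->events + log_tbl->final_events_preboot_size` already lies past the memremap()'d region, which was sized with the pre-subtraction value. A bounds check that mirrors the existing `final_events_log_size == 0` early-out closes this: `if (log_tbl->final_events_preboot_size > final_events_log_size) goto out;` — placed before the subtraction, it returns the main log alone with ret still set to tpm_log_version, which is what the size-0 case already does. Also, the local is `int` while log_size is `u32`, so `log_size + final_events_log_size` mixes signedness; an unsigned local would be cleaner. tpm_read_log_efi() starts before the first hunk and its remaining body is outside this view.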
@@ -0,0 +1,36 @@
+From 9716ac65efc8f780549b03bddf41e60c445d4709 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Wed, 10 Mar 2021 17:19:16 -0500
+Subject: tpm: vtpm_proxy: Avoid reading host log when using a virtual device
+
+From: Stefan Berger
+
+commit 9716ac65efc8f780549b03bddf41e60c445d4709 upstream.
+
+Avoid allocating memory and reading the host log when a virtual device
+is used since this log is of no use to that driver. A virtual
+device can be identified through the flag TPM_CHIP_FLAG_VIRTUAL, which
+is only set for the tpm_vtpm_proxy driver.
+
+Cc: stable@vger.kernel.org
+Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs")
+Signed-off-by: Stefan Berger
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/eventlog/common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/char/tpm/eventlog/common.c
++++ b/drivers/char/tpm/eventlog/common.c
+@@ -107,6 +107,9 @@ void tpm_bios_log_setup(struct tpm_chip
+ int log_version;
+ int rc = 0;
+
++ if (chip->flags & TPM_CHIP_FLAG_VIRTUAL)
++ return;
++
+ rc = tpm_read_log(chip);
+ if (rc < 0)
+ return;
--
2.47.3
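Review bot: The early return in tpm_bios_log_setup() has no comment explaining why a TPM_CHIP_FLAG_VIRTUAL chip is skipped; suggest `/* A vtpm_proxy device has no firmware event log of its own; the host's log is unrelated to it, so neither read nor expose it */` above the test. Returning before tpm_read_log() leaves chip->log untouched, so the matching teardown path must already tolerate a chip that never registered a log — presumably true, since the `rc < 0` return just below produces the same state, but that code is outside this view.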