1. 09 Nov, 2020 2 commits
    • xfrm/compat: memset(0) 64-bit padding at right place · d1949d04
      Dmitry Safonov committed
      32-bit messages translated by xfrm_compat can have attributes attached.
      For all, but XFRMA_SA, XFRMA_POLICY the size of payload is the same
      in 32-bit UABI and 64-bit UABI. For XFRMA_SA (struct xfrm_usersa_info)
      and XFRMA_POLICY (struct xfrm_userpolicy_info) it's only tail-padding
      that is present in 64-bit payload, but not in 32-bit.
      The proper size for destination nlattr is already calculated by
      xfrm_user_rcv_calculate_len64() and allocated with kvmalloc().
      
      xfrm_attr_cpy32() copies 32-bit copy_len into 64-bit attribute
      translated payload, zero-filling possible padding for SA/POLICY.
      Due to a typo, *pos already has 64-bit payload size, in a result next
      memset(0) is called on the memory after the translated attribute, not on
      the tail-padding of it.
      
      Fixes: 5106f4a8 ("xfrm/compat: Add 32=>64-bit messages translator")
      Reported-by: syzbot+c43831072e7df506a646@syzkaller.appspotmail.com
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      d1949d04
    • xfrm/compat: Translate by copying XFRMA_UNSPEC attribute · dbd7ae51
      Dmitry Safonov committed
      xfrm_xlate32() translates 64-bit message provided by kernel to be sent
      for 32-bit listener (acknowledge or monitor). Translator code doesn't
      expect XFRMA_UNSPEC attribute as it doesn't know its payload.
      Kernel never attaches such attribute, but a user can.
      
      I've searched if any opensource does it and the answer is no.
      Nothing on github and google finds only tfcproject that has such code
      commented-out.
      
      What will happen if a user sends a netlink message with XFRMA_UNSPEC
      attribute? Ipsec code ignores this attribute. But if there is a
      monitor-process or 32-bit user requested ack - kernel will try to
      translate such message and will hit WARN_ONCE() in xfrm_xlate64_attr().
      
      Deal with XFRMA_UNSPEC by copying the attribute payload with
      xfrm_nla_cpy(). In result, the default switch-case in xfrm_xlate64_attr()
      becomes an unused code. Leave those 3 lines in case a new xfrm attribute
      will be added.
      
      Fixes: 5461fc0c ("xfrm/compat: Add 64=>32-bit messages translator")
      Reported-by: syzbot+a7e701c8385bd8543074@syzkaller.appspotmail.com
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      dbd7ae51
  2. 08 Nov, 2020 4 commits
  3. 07 Nov, 2020 15 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 86bbf019
      Jakub Kicinski committed
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-11-06
      
      1) Pre-allocated per-cpu hashmap needs to zero-fill reused element, from David.
      
      2) Tighten bpf_lsm function check, from KP.
      
      3) Fix bpftool attaching to flow dissector, from Lorenz.
      
      4) Use -fno-gcse for the whole kernel/bpf/core.c instead of function attribute, from Ard.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf: Update verification logic for LSM programs
        bpf: Zero-fill re-used per-cpu map element
        bpf: BPF_PRELOAD depends on BPF_SYSCALL
        tools/bpftool: Fix attaching flow dissector
        libbpf: Fix possible use after free in xsk_socket__delete
        libbpf: Fix null dereference in xsk_socket__delete
        libbpf, hashmap: Fix undefined behavior in hash_bits
        bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE
        tools, bpftool: Remove two unused variables.
        tools, bpftool: Avoid array index warnings.
        xsk: Fix possible memory leak at socket close
        bpf: Add struct bpf_redir_neigh forward declaration to BPF helper defs
        samples/bpf: Set rlimit for memlock to infinity in all samples
        bpf: Fix -Wshadow warnings
        selftest/bpf: Fix profiler test using CO-RE relocation for enums
      ====================
      
      Link: https://lore.kernel.org/r/20201106221759.24143-1-alexei.starovoitov@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      86bbf019
    • bpf: Update verification logic for LSM programs · 6f64e477
      KP Singh committed
      The current logic checks if the name of the BTF type passed in
      attach_btf_id starts with "bpf_lsm_", this is not sufficient as it also
      allows attachment to non-LSM hooks like the very function that performs
      this check, i.e. bpf_lsm_verify_prog.
      
      In order to ensure that this verification logic allows attachment to
      only LSM hooks, the LSM_HOOK definitions in lsm_hook_defs.h are used to
      generate a BTF_ID set. Upon verification, the attach_btf_id of the
      program being attached is checked for presence in this set.
      
      Fixes: 9e4e01df ("bpf: lsm: Implement attach, detach and execution")
      Signed-off-by: KP Singh <kpsingh@google.com>
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20201105230651.2621917-1-kpsingh@chromium.org
      6f64e477
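
An added illustration of the two checks described in the commit above (not code from the kernel or from the commit): the hook list, the id-to-name table and all ids are constructed, and the id set is built at first use here rather than generated at build time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the LSM_HOOK list in lsm_hook_defs.h. */
#define DEMO_LSM_HOOKS(X) X(file_open) X(task_alloc) X(bprm_check_security)

/* Constructed table playing the role of BTF: type id -> function name. */
struct demo_type { unsigned int id; const char *name; };
static const struct demo_type demo_btf[] = {
	{ 101, "bpf_lsm_file_open" },
	{ 102, "bpf_lsm_task_alloc" },
	{ 103, "bpf_lsm_bprm_check_security" },
	{ 104, "bpf_lsm_verify_prog" },	/* shares the prefix, is not a hook */
	{ 105, "vfs_read" },
};
#define N_TYPES (sizeof(demo_btf) / sizeof(demo_btf[0]))

/* One "bpf_lsm_<hook>" name per entry of the hook list. */
static const char *const hook_names[] = {
#define X(hook) "bpf_lsm_" #hook,
	DEMO_LSM_HOOKS(X)
#undef X
};
#define N_HOOKS (sizeof(hook_names) / sizeof(hook_names[0]))

static const char *type_name(unsigned int id)
{
	for (size_t i = 0; i < N_TYPES; i++)
		if (demo_btf[i].id == id)
			return demo_btf[i].name;
	return NULL;
}

/* Before: accept any attach id whose type name starts with "bpf_lsm_". */
static int prefix_check(unsigned int attach_id)
{
	const char *name = type_name(attach_id);

	return name && strncmp(name, "bpf_lsm_", strlen("bpf_lsm_")) == 0;
}

/* Id set derived from the hook list; filled on first use in this model. */
static unsigned int hook_ids[N_HOOKS];
static int hook_ids_ready;

static void build_hook_id_set(void)
{
	for (size_t h = 0; h < N_HOOKS; h++)
		for (size_t i = 0; i < N_TYPES; i++)
			if (strcmp(demo_btf[i].name, hook_names[h]) == 0)
				hook_ids[h] = demo_btf[i].id;
	hook_ids_ready = 1;
}

/* After: accept only ids that are members of the generated hook set. */
static int set_check(unsigned int attach_id)
{
	if (!hook_ids_ready)
		build_hook_id_set();
	for (size_t h = 0; h < N_HOOKS; h++)
		if (hook_ids[h] == attach_id)
			return 1;
	return 0;
}

int main(void)
{
	for (size_t i = 0; i < N_TYPES; i++)
		printf("%-28s prefix=%d set=%d\n", demo_btf[i].name,
		       prefix_check(demo_btf[i].id), set_check(demo_btf[i].id));
	return 0;
}
```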
    • Merge branch 'mtd/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · bf3e7628
      Linus Torvalds committed
      Pull mtd fixes from Miquel Raynal.
      
      * 'mtd/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: rawnand: stm32_fmc2: fix broken ECC
        mtd: spi-nor: Fix address width on flash chips > 16MB
        mtd: spi-nor: Don't copy self-pointing struct around
        mtd: rawnand: ifc: Move the ECC engine initialization to the right place
        mtd: rawnand: mxc: Move the ECC engine initialization to the right place
      bf3e7628
    • Merge tag 'spi-fix-v5.10-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 44d80621
      Linus Torvalds committed
      Pull spi fix from Mark Brown:
       "This is an additional fix on top of 5e31ba0c ('spi: bcm2835: fix
        gpio cs level inversion') - when sending my prior pull request I had
        misremembered the status of that patch, apologies for the noise here"
      
      * tag 'spi-fix-v5.10-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: bcm2835: remove use of uninitialized gpio flags variable
      44d80621
    • Merge tag 'sound-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · bb72bbe8
      Linus Torvalds committed
      Pull sound fixes from Takashi Iwai:
       "Quite a bunch of small fixes that have been gathered since the last
        pull, including changes like below:
      
         - HD-audio runtime PM fixes and refactoring
      
         - HD-audio and USB-audio quirks
      
         - SOF warning fix
      
         - Various ASoC device-specific fixes for Intel, Qualcomm, etc"
      
      * tag 'sound-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (26 commits)
        ALSA: usb-audio: Add implicit feedback quirk for Qu-16
        ASoC: mchp-spdiftx: Do not set Validity bit(s)
        ALSA: usb-audio: Add implicit feedback quirk for MODX
        ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices
        ALSA: hda/realtek - Enable headphone for ASUS TM420
        ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
        ASoC: qcom: lpass-cpu: Fix clock disable failure
        ASoC: qcom: lpass-sc7180: Fix MI2S bitwidth field bit positions
        ASoC: codecs: wcd9335: Set digital gain range correctly
        ASoC: codecs: wcd934x: Set digital gain range correctly
        ALSA: hda: Reinstate runtime_allow() for all hda controllers
        ALSA: hda: Separate runtime and system suspend
        ALSA: hda: Refactor codec PM to use direct-complete optimization
        ALSA: hda/realtek - Fixed HP headset Mic can't be detected
        ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2
        ALSA: make snd_kcontrol_new name a normal string
        ALSA: fix kernel-doc markups
        ASoC: SOF: loader: handle all SOF_IPC_EXT types
        ASoC: cs42l51: manage mclk shutdown delay
        ASoC: qcom: sdm845: set driver name correctly
        ...
      bb72bbe8
    • Merge tag 'drm-fixes-2020-11-06-1' of git://anongit.freedesktop.org/drm/drm · fc7b66ef
      Linus Torvalds committed
      Pull drm fixes from Dave Airlie:
       "It's Friday here so that means another installment of drm fixes to
        distract you from the counting process.
      
        Changes all over the place, the amdgpu changes contain support for a
        new GPU that is close to current one already in the tree (Green
        Sardine) so it shouldn't have much side effects.
      
        Otherwise imx has a few cleanup patches and fixes, amdgpu and i915
        have around the usual smattering of fixes, fonts got constified, and
        vc4/panfrost has some minor fixes. All in all a fairly regular rc3.
      
        We have an outstanding nouveau regression, but the author is looking
        into the fix, so should be here next week.
      
        I now return you to counting.
      
        fonts:
         - constify font structures.
      
        MAINTAINERS:
         - Fix path for amdgpu power management
      
        amdgpu:
         - Add support for more navi1x SKUs
         - Fix for suspend on CI dGPUs
         - VCN DPG fix for Picasso
         - Sienna Cichlid fixes
         - Polaris DPM fix
         - Add support for Green Sardine
      
        amdkfd:
         - Fix an allocation failure check
      
        i915:
         - Fix set domain's cache coherency
         - Fixes around breadcrumbs
         - Fix encoder lookup during PSR atomic
         - Hold onto an explicit ref to i915_vma_work.pinned
         - gvt: HWSP reset handling fix
         - gvt: flush workaround
         - gvt: vGPU context pin/unpin
         - gvt: mmio cmd access fix for bxt/apl
      
        imx:
         - drop unused functions and callbacks
         - reuse imx_drm_encoder_parse_of
         - spinlock rework
         - memory leak fix
         - minor cleanups
      
        vc4:
         - resource cleanup fix
      
        panfrost:
         - madvise/shrinker fix"
      
      * tag 'drm-fixes-2020-11-06-1' of git://anongit.freedesktop.org/drm/drm: (55 commits)
        drm/amdgpu/display: remove DRM_AMD_DC_GREEN_SARDINE
        drm/amd/display: Add green_sardine support to DM
        drm/amd/display: Add green_sardine support to DC
        drm/amdgpu: enable vcn support for green_sardine (v2)
        drm/amdgpu: enable green_sardine_asd.bin loading (v2)
        drm/amdgpu/sdma: add sdma engine support for green_sardine (v2)
        drm/amdgpu: add gfx support for green_sardine (v2)
        drm/amdgpu: add soc15 common ip block support for green_sardine (v3)
        drm/amdgpu: add green_sardine support for gpu_info and ip block setting (v2)
        drm/amdgpu: add Green_Sardine APU flag
        drm/amdgpu: resolved ASD loading issue on sienna
        amdkfd: Check kvmalloc return before memcpy
        drm/amdgpu: update golden setting for sienna_cichlid
        amd/amdgpu: Disable VCN DPG mode for Picasso
        drm/amdgpu/swsmu: remove duplicate call to smu_set_default_dpm_table
        drm/i915: Hold onto an explicit ref to i915_vma_work.pinned
        drm/i915/gt: Flush xcs before tgl breadcrumbs
        drm/i915/gt: Expose more parameters for emitting writes into the ring
        drm/i915: Fix encoder lookup during PSR atomic check
        drm/i915/gt: Use the local HWSP offset during submission
        ...
      fc7b66ef
    • Merge tag 'tpmdd-next-v5.10-rc4' of... · 28ced768
      Linus Torvalds committed
      Merge tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
      
      Pull tpm fixes from Jarkko Sakkinen:
       "Two critical tpm driver bug fixes"
      
      * tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
        tpm: efi: Don't create binary_bios_measurements file for an empty log
        tpm_tis: Disable interrupts on ThinkPad T490s
      28ced768
    • Merge tag 'iommu-fixes-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 02a2aa35
      Linus Torvalds committed
      Pull iommu fixes from Joerg Roedel:
      
       - Fix a NULL-ptr dereference in the Intel VT-d driver
      
       - Two fixes for Intel SVM support
      
       - Increase IRQ remapping table size in the AMD IOMMU driver. The old
         number of 128 turned out to be too low for some recent devices.
      
       - Fix a mask check in generic IOMMU code
      
      * tag 'iommu-fixes-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu: Fix a check in iommu_check_bind_data()
        iommu/vt-d: Fix a bug for PDP check in prq_event_thread
        iommu/vt-d: Fix sid not set issue in intel_svm_bind_gpasid()
        iommu/vt-d: Fix kernel NULL pointer dereference in find_domain()
        iommu/amd: Increase interrupt remapping table limit to 512 entries
      02a2aa35
    • Merge tag 'vfio-v5.10-rc3' of git://github.com/awilliam/linux-vfio · 1669ecf9
      Linus Torvalds committed
      Pull VFIO fixes from Alex Williamson:
      
       - Remove code by using existing helper (Zenghui Yu)
      
       - fsl-mc copy-user return and underflow fixes (Dan Carpenter)
      
       - fsl-mc static function declaration (Diana Craciun)
      
       - Fix ioeventfd sleeping under spinlock (Alex Williamson)
      
       - Fix pm reference count leak in vfio-platform (Zhang Qilong)
      
       - Allow opening IGD device w/o OpRegion support (Fred Gao)
      
      * tag 'vfio-v5.10-rc3' of git://github.com/awilliam/linux-vfio:
        vfio/pci: Bypass IGD init in case of -ENODEV
        vfio: platform: fix reference leak in vfio_platform_open
        vfio/pci: Implement ioeventfd thread handler for contended memory lock
        vfio/fsl-mc: Make vfio_fsl_mc_irqs_allocate static
        vfio/fsl-mc: prevent underflow in vfio_fsl_mc_mmap()
        vfio/fsl-mc: return -EFAULT if copy_to_user() fails
        vfio/type1: Use the new helper to find vfio_group
      1669ecf9
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 30f3f68e
      Linus Torvalds committed
      Pull arm64 fixes from Will Deacon:
       "Here's the weekly batch of fixes for arm64. Not an awful lot here, but
        there are still a few unresolved issues relating to CPU hotplug, RCU
        and IRQ tracing that I hope to queue fixes for next week.
      
        Summary:
      
         - Fix early use of kprobes
      
         - Fix kernel placement in kexec_file_load()
      
         - Bump maximum number of NUMA nodes"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: kexec_file: try more regions if loading segments fails
        arm64: kprobes: Use BRK instead of single-step when executing instructions out-of-line
        arm64: NUMA: Kconfig: Increase NODES_SHIFT to 4
      30f3f68e
    • Merge tag 'arc-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 4257087e
      Linus Torvalds committed
      Pull ARC fixes from Vineet Gupta:
      
       - Unbork HSDKv1 platform (won't boot) due to memory map issue
      
       - Prevent stack unwinder from infinite looping
      
      * tag 'arc-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: [plat-hsdk] Remap CCMs super early in asm boot trampoline
        ARC: stack unwinding: avoid indefinite looping
      4257087e
    • Merge tag 's390-5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · ee518148
      Linus Torvalds committed
      Pull s390 fixes from Heiko Carstens:
      
       - fix reference counting for ap devices
      
       - fix paes selftest
      
       - fix pmd_deref()/pud_deref() so they can also handle large pages
      
       - remove unused vdso file and defines
      
       - update defconfigs
      
       - call rcu_cpu_starting() early in smp init code to avoid lockdep
         warnings
      
       - fix hotplug of PCI function missing bus
      
      * tag 's390-5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/pci: fix hot-plug of PCI function missing bus
        s390/smp: move rcu_cpu_starting() earlier
        s390/pkey: fix paes selftest failure with paes and pkey static build
        s390: update defconfigs
        s390/vdso: remove unused constants
        s390/vdso: remove empty unused file
        s390/mm: make pmd/pud_deref() large page aware
        s390/ap: fix ap devices reference counting
      ee518148
    • Merge tag 'net-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 41f16530
      Linus Torvalds committed
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes for 5.10-rc3, including fixes from wireless, can, and
        netfilter subtrees.
      
        Current merge window - bugs in new features:
      
         - can: isotp: isotp_rcv_cf(): enable RX timeout handling in
           listen-only mode
      
        Previous releases - regressions:
      
         - mac80211:
            - don't require VHT elements for HE on 2.4 GHz
            - fix regression where EAPOL frames were sent in plaintext
      
         - netfilter:
            - ipset: Update byte and packet counters regardless of whether
              they match
      
         - ip_tunnel: fix over-mtu packet send by allowing fragmenting even if
           inner packet has IP_DF (don't fragment) set in its header (when
           TUNNEL_DONT_FRAGMENT flag is not set on the tunnel dev)
      
         - net: fec: fix MDIO probing for some FEC hardware blocks
      
         - ip6_tunnel: set inner ipproto before ip6_tnl_encap to un-break gso
           support
      
         - sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian
           platforms, sparse-related fix used the wrong integer size
      
        Previous releases - always broken:
      
         - netfilter: use actual socket sk rather than skb sk when routing
           harder
      
         - r8169: work around short packet hw bug on RTL8125 by padding frames
      
         - net: ethernet: ti: cpsw: disable PTPv1 hw timestamping
           advertisement, the hardware does not support it
      
         - chelsio/chtls: fix always leaking ctrl_skb and another leak caused
           by a race condition
      
         - fix drivers incorrectly writing into skbs on TX:
            - cadence: force nonlinear buffers to be cloned
            - gianfar: Account for Tx PTP timestamp in the skb headroom
            - gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP
      
         - can: flexcan:
            - remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A
            - add ECC initialization for VF610 and LX2160A
            - flexcan_remove(): disable wakeup completely
      
         - can: fix packet echo functionality:
            - peak_canfd: fix echo management when loopback is on
            - make sure skbs are not freed in IRQ context in case they need to
              be dropped
            - always clone the skbs to make sure they have a reference on the
              socket, and prevent it from disappearing
            - fix real payload length return value for RTR frames
      
         - can: j1939: return failure on bind if netdev is down, rather than
           waiting indefinitely
      
        Misc:
      
         - IPv6: reply ICMP error if the first fragment doesn't include all
           headers to improve compliance with RFC 8200"
      
      * tag 'net-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (66 commits)
        ionic: check port ptr before use
        r8169: work around short packet hw bug on RTL8125
        net: openvswitch: silence suspicious RCU usage warning
        chelsio/chtls: fix always leaking ctrl_skb
        chelsio/chtls: fix memory leaks caused by a race
        can: flexcan: flexcan_remove(): disable wakeup completely
        can: flexcan: add ECC initialization for VF610
        can: flexcan: add ECC initialization for LX2160A
        can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A
        can: mcp251xfd: remove unneeded break
        can: mcp251xfd: mcp251xfd_regmap_nocrc_read(): fix semicolon.cocci warnings
        can: mcp251xfd: mcp251xfd_regmap_crc_read(): increase severity of CRC read error messages
        can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on
        can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
        can: peak_usb: add range checking in decode operations
        can: xilinx_can: handle failure cases of pm_runtime_get_sync
        can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in error path
        can: isotp: padlen(): make const array static, makes object smaller
        can: isotp: isotp_rcv_cf(): enable RX timeout handling in listen-only mode
        can: isotp: Explain PDU in CAN_ISOTP help text
        ...
      41f16530
    • tpm: efi: Don't create binary_bios_measurements file for an empty log · 8ffd778a
      Tyler Hicks committed
      Mimic the pre-existing ACPI and Device Tree event log behavior by not
      creating the binary_bios_measurements file when the EFI TPM event log is
      empty.
      
      This fixes the following NULL pointer dereference that can occur when
      reading /sys/kernel/security/tpm0/binary_bios_measurements after the
      kernel received an empty event log from the firmware:
      
       BUG: kernel NULL pointer dereference, address: 000000000000002c
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
       PGD 0 P4D 0
       Oops: 0000 [#1] SMP PTI
       CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17
       Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019
       RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550
       Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49
       RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246
       RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010
       RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258
       RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300
       R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280
       R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258
       FS:  00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        ? __kmalloc_node+0x113/0x320
        ? kvmalloc_node+0x31/0x80
        seq_read+0x94/0x420
        vfs_read+0xa7/0x190
        ksys_read+0xa7/0xe0
        __x64_sys_read+0x1a/0x20
        do_syscall_64+0x37/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      In this situation, the bios_event_log pointer in the tpm_bios_log struct
      was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was
      due to the following kmemdup() in tpm_read_log_efi():
      
      int tpm_read_log_efi(struct tpm_chip *chip)
      {
      ...
      	/* malloc EventLog space */
      	log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL);
      	if (!log->bios_event_log) {
      		ret = -ENOMEM;
      		goto out;
      	}
      ...
      }
      
      When log_size is zero, due to an empty event log from firmware,
      ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the
      binary_bios_measurements file, the tpm2_bios_measurements_start()
      function does not perform a ZERO_OR_NULL_PTR() check on the
      bios_event_log pointer before dereferencing it.
      
      Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of
      the bios_event_log pointer, simply avoid creating the
      binary_bios_measurements_file as is done in other event log retrieval
      backends.
      
      Explicitly ignore all of the events in the final event log when the main
      event log is empty. The list of events in the final event log cannot be
      accurately parsed without referring to the first event in the main event
      log (the event log header) so the final event log is useless in such a
      situation.
      
      Fixes: 58cc1e4f ("tpm: parse TPM event logs based on EFI table")
      Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/
      Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Reported-by: Kenneth R. Crudup <kenny@panix.com>
      Reported-by: Mimi Zohar <zohar@linux.ibm.com>
      Cc: Thiébaud Weksteen <tweek@google.com>
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
      8ffd778a
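
An added user-space model of the failure described in the commit above (not kernel code and not part of the commit): ZERO_SIZE_PTR and ZERO_OR_NULL_PTR() follow the kernel's slab definitions, while model_kmemdup(), the check helpers and the event header layout are assumptions made for this illustration. It shows why the `!ptr` test passes for an empty log and how 0x10 plus a field offset gives the 0x2c fault address seen in the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel returned for zero-length allocations; 0x10 as in the message. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

/* Assumed event header layout, used only to compute a field offset. */
struct event_header {
	uint32_t pcr_idx;
	uint32_t event_type;
	uint8_t  digest[20];
	uint32_t event_size;
};

/* Stand-in for kmemdup(): a zero-length request yields the sentinel. */
static void *model_kmemdup(const void *src, size_t len)
{
	void *p;

	if (len == 0)
		return ZERO_SIZE_PTR;
	p = malloc(len);
	if (p)
		memcpy(p, src, len);
	return p;
}

static void model_kfree(void *p)
{
	if (!ZERO_OR_NULL_PTR(p))
		free(p);
}

/* The test quoted in the message, `if (!log->bios_event_log)`: NULL only. */
static int null_check_accepts(const void *log)
{
	return log != NULL;
}

/* The stricter per-reader test the message decides against adding. */
static int zero_or_null_check_accepts(const void *log)
{
	return !ZERO_OR_NULL_PTR(log);
}

/* Address a read of event_size would touch; nothing is dereferenced. */
static uintptr_t event_size_read_address(const void *log)
{
	return (uintptr_t)log + offsetof(struct event_header, event_size);
}

/* The approach the commit takes: no file is created for an empty log. */
static int should_create_measurements_file(size_t log_size)
{
	return log_size != 0;
}

int main(void)
{
	void *empty = model_kmemdup("", 0);	/* constructed empty log */

	printf("pointer for empty log:   %p\n", empty);
	printf("passes NULL-only check:  %d\n", null_check_accepts(empty));
	printf("passes ZERO_OR_NULL:     %d\n", zero_or_null_check_accepts(empty));
	printf("event_size read address: 0x%lx\n",
	       (unsigned long)event_size_read_address(empty));
	printf("create file:             %d\n", should_create_measurements_file(0));
	model_kfree(empty);
	return 0;
}
```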
    • tpm_tis: Disable interrupts on ThinkPad T490s · b154ce11
      Jerry Snitselaar committed
      There is a misconfiguration in the bios of the gpio pin used for the
      interrupt in the T490s. When interrupts are enabled in the tpm_tis
      driver code this results in an interrupt storm. This was initially
      reported when we attempted to enable the interrupt code in the tpm_tis
      driver, which previously wasn't setting a flag to enable it. Due to
      the reports of the interrupt storm that code was reverted and we went back
      to polling instead of using interrupts. Now that we know the T490s problem
      is a firmware issue, add code to check if the system is a T490s and
      disable interrupts if that is the case. This will allow us to enable
      interrupts for everyone else. If the user has a fixed bios they can
      force the enabling of interrupts with tpm_tis.interrupts=1 on the
      kernel command line.
      
      Cc: Peter Huewe <peterhuewe@gmx.de>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
      Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
      Reviewed-by: Hans de Goede <hdegoede@redhat.com>
      Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
      b154ce11
  4. 06 Nov, 2020 19 commits