From cd74d7acd33b240b69494f32b72a29c122f94b5a Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Fri, 18 Oct 2019 15:31:23 -0400 Subject: Linux v5.3.7 --- ...35-audio-Fix-draining-behavior-regression.patch | 64 ------ ...5-Mark-contents-as-dirty-on-a-write-fault.patch | 54 ----- kernel.spec | 15 +- sources | 2 +- ...access-event--count-when-it-isn-t-mapped..patch | 233 --------------------- ...g_size-after-successful-event-log-parsing.patch | 190 ----------------- 6 files changed, 5 insertions(+), 553 deletions(-) delete mode 100644 bcm2835-audio-Fix-draining-behavior-regression.patch delete mode 100644 drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch delete mode 100644 v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch delete mode 100644 v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch diff --git a/bcm2835-audio-Fix-draining-behavior-regression.patch b/bcm2835-audio-Fix-draining-behavior-regression.patch deleted file mode 100644 index 6d63db3f8..000000000 --- a/bcm2835-audio-Fix-draining-behavior-regression.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 2eed19b99c8e95ff87afe6c140ed895c3fac5937 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Sat, 14 Sep 2019 17:24:05 +0200 -Subject: staging: bcm2835-audio: Fix draining behavior regression - -The PCM draining behavior got broken since the recent refactoring, and -this turned out to be the incorrect expectation of the firmware -behavior regarding "draining". While I expected the "drain" flag at -the stop operation would do processing the queued samples, it seems -rather dropping the samples. - -As a quick fix, just drop the SNDRV_PCM_INFO_DRAIN_TRIGGER flag, so -that the driver uses the normal PCM draining procedure. Also, put -some caution comment to the function for future readers not to fall -into the same pitfall. - -Fixes: d7ca3a71545b ("staging: bcm2835-audio: Operate non-atomic PCM ops") -BugLink: https://github.com/raspberrypi/linux/issues/2983 -Cc: stable@vger.kernel.org -Signed-off-by: Takashi Iwai -Acked-by: Stefan Wahren -Link: https://lore.kernel.org/r/20190914152405.7416-1-tiwai@suse.de -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 4 ++-- - drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 1 + - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -index bc1eaa3a0773..826016c3431a 100644 ---- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c -@@ -12,7 +12,7 @@ - static const struct snd_pcm_hardware snd_bcm2835_playback_hw = { - .info = (SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_BLOCK_TRANSFER | - SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_DRAIN_TRIGGER | SNDRV_PCM_INFO_SYNC_APPLPTR), -+ SNDRV_PCM_INFO_SYNC_APPLPTR), - .formats = SNDRV_PCM_FMTBIT_U8 | SNDRV_PCM_FMTBIT_S16_LE, - .rates = SNDRV_PCM_RATE_CONTINUOUS | SNDRV_PCM_RATE_8000_48000, - .rate_min = 8000, -@@ -29,7 +29,7 @@ static const struct snd_pcm_hardware snd_bcm2835_playback_hw = { - static const struct snd_pcm_hardware snd_bcm2835_playback_spdif_hw = { - .info = (SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_BLOCK_TRANSFER | - SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_DRAIN_TRIGGER | SNDRV_PCM_INFO_SYNC_APPLPTR), -+ SNDRV_PCM_INFO_SYNC_APPLPTR), - .formats = SNDRV_PCM_FMTBIT_S16_LE, - .rates = SNDRV_PCM_RATE_CONTINUOUS | SNDRV_PCM_RATE_44100 | - SNDRV_PCM_RATE_48000, -diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -index 23fba01107b9..c6f9cf1913d2 100644 ---- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c -@@ -289,6 +289,7 @@ int bcm2835_audio_stop(struct bcm2835_alsa_stream *alsa_stream) - VC_AUDIO_MSG_TYPE_STOP, false); - } - -+/* FIXME: this doesn't seem working as expected for "draining" */ - int bcm2835_audio_drain(struct bcm2835_alsa_stream *alsa_stream) - { - struct vc_audio_msg m = { --- -cgit 1.2-0.3.lf.el7 diff --git a/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch b/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch deleted file mode 100644 index fd85fd874..000000000 --- a/drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7a78f4f0497f903756183f8b227f6fddaba8cdb0 Mon Sep 17 00:00:00 2001 -From: Chris Wilson -Date: Fri, 20 Sep 2019 13:18:21 +0100 -Subject: [PATCH] drm/i915: Mark contents as dirty on a write fault -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since dropping the set-to-gtt-domain in commit a679f58d0510 ("drm/i915: -Flush pages on acquisition"), we no longer mark the contents as dirty on -a write fault. This has the issue of us then not marking the pages as -dirty on releasing the buffer, which means the contents are not written -out to the swap device (should we ever pick that buffer as a victim). -Notably, this is visible in the dumb buffer interface used for cursors. -Having updated the cursor contents via mmap, and swapped away, if the -shrinker should evict the old cursor, upon next reuse, the cursor would -be invisible. - -E.g. echo 80 > /proc/sys/kernel/sysrq ; echo f > /proc/sysrq-trigger - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111541 -Fixes: a679f58d0510 ("drm/i915: Flush pages on acquisition") -Signed-off-by: Chris Wilson -Cc: Matthew Auld -Cc: Ville Syrjälä -Cc: # v5.2+ -Reviewed-by: Matthew Auld -Link: https://patchwork.freedesktop.org/patch/msgid/20190920121821.7223-1-chris@chris-wilson.co.uk -(cherry picked from commit 5028851cdfdf78dc22eacbc44a0ab0b3f599ee4a) -Signed-off-by: Rodrigo Vivi ---- - drivers/gpu/drm/i915/gem/i915_gem_mman.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/i915/gem/i915_gem_mman.c b/drivers/gpu/drm/i915/gem/i915_gem_mman.c -index 39a661927d8e..c201289039fe 100644 ---- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c -+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c -@@ -317,7 +317,11 @@ vm_fault_t i915_gem_fault(struct vm_fault *vmf) - msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)); - GEM_BUG_ON(!obj->userfault_count); - -- i915_vma_set_ggtt_write(vma); -+ if (write) { -+ GEM_BUG_ON(!i915_gem_object_has_pinned_pages(obj)); -+ i915_vma_set_ggtt_write(vma); -+ obj->mm.dirty = true; -+ } - - err_fence: - i915_vma_unpin_fence(vma); --- -2.21.0 - diff --git a/kernel.spec b/kernel.spec index 6c928d0bc..09c7d18f0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -56,7 +56,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -571,9 +571,6 @@ Patch325: arm64-tegra186-enable-USB-on-Jetson-TX2.patch # https://patchwork.kernel.org/patch/11133293/ Patch332: arm64-dts-qcom-Add-Lenovo-Yoga-C630.patch -# Raspberry Pi bits -Patch340: bcm2835-audio-Fix-draining-behavior-regression.patch - # This is typical rpi, we have a driver but it has problems because ¯\_(ツ)_/¯ but this revert makes pictures work again. # https://patchwork.kernel.org/patch/11136979/ Patch341: Revert-ARM-bcm283x-Switch-V3D-over-to-using-the-PM-driver-instead-of-firmware.patch @@ -597,18 +594,11 @@ Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch # rhbz 1753099 Patch504: dwc3-fix.patch -# rhbz 1752961 -Patch507: v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch -Patch508: v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch - Patch509: PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch Patch510: iwlwifi-exclude-GEO-SAR-support-for-3168.patch Patch511: iwlwifi-pcie-change-qu-with-jf-devices-to-use-qu-configuration.patch -# rhbz 1738614 -Patch512: drm-i915-Mark-contents-as-dirty-on-a-write-fault.patch - # it seems CONFIG_OPTIMIZE_INLINING has been forced now and is causing issues on ARMv7 # https://lore.kernel.org/patchwork/patch/1132459/ # https://lkml.org/lkml/2019/8/29/1772 @@ -1815,6 +1805,9 @@ fi # # %changelog +* Fri Oct 18 2019 Laura Abbott - 5.3.7-300 +- Linux v5.3.7 + * Mon Oct 14 2019 Laura Abbott - 5.3.6-300 - Linux v5.3.6 diff --git a/sources b/sources index 409d113b2..52c5ae7f6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.3.tar.xz) = 6b5edef47c319a3fa7f6c20a3e0903a5acd89ec75e32dc5f99adcb60c9fe118ea312722d9c3d27e2e3900afa2455afb86e83a8b6bb131009bc79ddbe6fb0595d -SHA512 (patch-5.3.6.xz) = 71ee140d7650189dcc824eb962e78b6f3d790369376b9b32d41babd55f57240ea5620bbeeef62164d0436e857ca772706d6b9202bac94c7ecbce78c3fd9860d2 +SHA512 (patch-5.3.7.xz) = bf2717b721b3acfd423537a6a520388e6a596ae65605ed8c029a67c117a002e9a21c324de0dd41407bfdc8ef95263687764f4f46aa59cbb50f68ab21b96c29d6 diff --git a/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch b/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch deleted file mode 100644 index d0ec73a2a..000000000 --- a/v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch +++ /dev/null @@ -1,233 +0,0 @@ -From patchwork Wed Sep 25 10:16:18 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jarkko Sakkinen -X-Patchwork-Id: 11160381 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 43E0E112B - for ; - Wed, 25 Sep 2019 10:16:35 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 2BB5521D7A - for ; - Wed, 25 Sep 2019 10:16:35 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2389040AbfIYKQe (ORCPT - ); - Wed, 25 Sep 2019 06:16:34 -0400 -Received: from mga06.intel.com ([134.134.136.31]:40402 "EHLO mga06.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1727141AbfIYKQe (ORCPT ); - Wed, 25 Sep 2019 06:16:34 -0400 -X-Amp-Result: SKIPPED(no attachment in message) -X-Amp-File-Uploaded: False -Received: from orsmga006.jf.intel.com ([10.7.209.51]) - by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; - 25 Sep 2019 03:16:33 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="5.64,547,1559545200"; - d="scan'208";a="193723106" -Received: from dariusvo-mobl.ger.corp.intel.com (HELO localhost) - ([10.249.39.150]) - by orsmga006.jf.intel.com with ESMTP; 25 Sep 2019 03:16:27 -0700 -From: Jarkko Sakkinen -To: linux-integrity@vger.kernel.org -Cc: Peter Jones , linux-efi@vger.kernel.org, - stable@vger.kernel.org, Lyude Paul , - Jarkko Sakkinen , - Matthew Garrett , - Ard Biesheuvel , - Roberto Sassu , - Bartosz Szczepanek , - linux-kernel@vger.kernel.org (open list) -Subject: [PATCH v2 1/2] efi+tpm: Don't access event->count when it isn't - mapped. -Date: Wed, 25 Sep 2019 13:16:18 +0300 -Message-Id: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -X-Mailer: git-send-email 2.20.1 -MIME-Version: 1.0 -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -From: Peter Jones - -Some machines generate a lot of event log entries. When we're -iterating over them, the code removes the old mapping and adds a -new one, so once we cross the page boundary we're unmapping the page -with the count on it. Hilarity ensues. - -This patch keeps the info from the header in local variables so we don't -need to access that page again or keep track of if it's mapped. - -Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Signed-off-by: Peter Jones -Tested-by: Lyude Paul -Reviewed-by: Jarkko Sakkinen -Acked-by: Matthew Garrett -Acked-by: Ard Biesheuvel -Signed-off-by: Jarkko Sakkinen ---- - include/linux/tpm_eventlog.h | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h -index 63238c84dc0b..12584b69a3f3 100644 ---- a/include/linux/tpm_eventlog.h -+++ b/include/linux/tpm_eventlog.h -@@ -170,6 +170,7 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - u16 halg; - int i; - int j; -+ u32 count, event_type; - - marker = event; - marker_start = marker; -@@ -190,16 +191,22 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - } - - event = (struct tcg_pcr_event2_head *)mapping; -+ /* -+ * the loop below will unmap these fields if the log is larger than -+ * one page, so save them here for reference. -+ */ -+ count = READ_ONCE(event->count); -+ event_type = READ_ONCE(event->event_type); - - efispecid = (struct tcg_efi_specid_event_head *)event_header->event; - - /* Check if event is malformed. */ -- if (event->count > efispecid->num_algs) { -+ if (count > efispecid->num_algs) { - size = 0; - goto out; - } - -- for (i = 0; i < event->count; i++) { -+ for (i = 0; i < count; i++) { - halg_size = sizeof(event->digests[i].alg_id); - - /* Map the digest's algorithm identifier */ -@@ -256,8 +263,9 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, - + event_field->event_size; - size = marker - marker_start; - -- if ((event->event_type == 0) && (event_field->event_size == 0)) -+ if (event_type == 0 && event_field->event_size == 0) - size = 0; -+ - out: - if (do_mapping) - TPM_MEMUNMAP(mapping, mapping_size); - -From patchwork Wed Sep 25 10:16:19 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jarkko Sakkinen -X-Patchwork-Id: 11160383 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 363B114DB - for ; - Wed, 25 Sep 2019 10:16:40 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 1DCE921D7C - for ; - Wed, 25 Sep 2019 10:16:40 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2389138AbfIYKQj (ORCPT - ); - Wed, 25 Sep 2019 06:16:39 -0400 -Received: from mga18.intel.com ([134.134.136.126]:21948 "EHLO mga18.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1727141AbfIYKQj (ORCPT ); - Wed, 25 Sep 2019 06:16:39 -0400 -X-Amp-Result: SKIPPED(no attachment in message) -X-Amp-File-Uploaded: False -Received: from orsmga004.jf.intel.com ([10.7.209.38]) - by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; - 25 Sep 2019 03:16:38 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="5.64,547,1559545200"; - d="scan'208";a="340366339" -Received: from dariusvo-mobl.ger.corp.intel.com (HELO localhost) - ([10.249.39.150]) - by orsmga004.jf.intel.com with ESMTP; 25 Sep 2019 03:16:35 -0700 -From: Jarkko Sakkinen -To: linux-integrity@vger.kernel.org -Cc: Peter Jones , linux-efi@vger.kernel.org, - stable@vger.kernel.org, Lyude Paul , - Jarkko Sakkinen , - Matthew Garrett , - Ard Biesheuvel , - linux-kernel@vger.kernel.org (open list) -Subject: [PATCH v2 2/2] efi+tpm: don't traverse an event log with no events -Date: Wed, 25 Sep 2019 13:16:19 +0300 -Message-Id: <20190925101622.31457-2-jarkko.sakkinen@linux.intel.com> -X-Mailer: git-send-email 2.20.1 -In-Reply-To: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -References: <20190925101622.31457-1-jarkko.sakkinen@linux.intel.com> -MIME-Version: 1.0 -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -From: Peter Jones - -When there are no entries to put into the final event log, some machines -will return the template they would have populated anyway. In this case -the nr_events field is 0, but the rest of the log is just garbage. - -This patch stops us from trying to iterate the table with -__calc_tpm2_event_size() when the number of events in the table is 0. - -Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Signed-off-by: Peter Jones -Tested-by: Lyude Paul -Reviewed-by: Jarkko Sakkinen -Acked-by: Matthew Garrett -Acked-by: Ard Biesheuvel -Signed-off-by: Jarkko Sakkinen ---- - drivers/firmware/efi/tpm.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c -index 1d3f5ca3eaaf..b9ae5c6f9b9c 100644 ---- a/drivers/firmware/efi/tpm.c -+++ b/drivers/firmware/efi/tpm.c -@@ -75,11 +75,16 @@ int __init efi_tpm_eventlog_init(void) - goto out; - } - -- tbl_size = tpm2_calc_event_log_size((void *)efi.tpm_final_log -- + sizeof(final_tbl->version) -- + sizeof(final_tbl->nr_events), -- final_tbl->nr_events, -- log_tbl->log); -+ tbl_size = 0; -+ if (final_tbl->nr_events != 0) { -+ void *events = (void *)efi.tpm_final_log -+ + sizeof(final_tbl->version) -+ + sizeof(final_tbl->nr_events); -+ -+ tbl_size = tpm2_calc_event_log_size(events, -+ final_tbl->nr_events, -+ log_tbl->log); -+ } - memblock_reserve((unsigned long)final_tbl, - tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); diff --git a/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch b/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch deleted file mode 100644 index a828cb294..000000000 --- a/v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch +++ /dev/null @@ -1,190 +0,0 @@ -From patchwork Wed Sep 25 17:27:05 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Jerry Snitselaar -X-Patchwork-Id: 11161161 -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 88B8A1747 - for ; - Wed, 25 Sep 2019 17:27:13 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 66F4F217F4 - for ; - Wed, 25 Sep 2019 17:27:13 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S2505171AbfIYR1J (ORCPT - ); - Wed, 25 Sep 2019 13:27:09 -0400 -Received: from mx1.redhat.com ([209.132.183.28]:41496 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S2505170AbfIYR1J (ORCPT ); - Wed, 25 Sep 2019 13:27:09 -0400 -Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com - [10.5.11.22]) - (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) - (No client certificate requested) - by mx1.redhat.com (Postfix) with ESMTPS id 4CE7C1056FB1; - Wed, 25 Sep 2019 17:27:08 +0000 (UTC) -Received: from cantor.redhat.com (ovpn-117-191.phx2.redhat.com [10.3.117.191]) - by smtp.corp.redhat.com (Postfix) with ESMTP id D081B1001B12; - Wed, 25 Sep 2019 17:27:07 +0000 (UTC) -From: Jerry Snitselaar -To: linux-efi@vger.kernel.org -Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, - stable@vger.kernel.org, Matthew Garrett , - Ard Biesheuvel , - Jarkko Sakkinen -Subject: [PATCH v3] tpm: only set efi_tpm_final_log_size after successful - event log parsing -Date: Wed, 25 Sep 2019 10:27:05 -0700 -Message-Id: <20190925172705.17358-1-jsnitsel@redhat.com> -MIME-Version: 1.0 -X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 -X-Greylist: Sender IP whitelisted, - not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.64]); - Wed, 25 Sep 2019 17:27:08 +0000 (UTC) -Sender: linux-integrity-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-integrity@vger.kernel.org - -If __calc_tpm2_event_size fails to parse an event it will return 0, -resulting tpm2_calc_event_log_size returning -1. Currently there is -no check of this return value, and efi_tpm_final_log_size can end up -being set to this negative value resulting in a panic like the -the one given below. - -Also __calc_tpm2_event_size returns a size of 0 when it fails -to parse an event, so update function documentation to reflect this. - -[ 0.774340] BUG: unable to handle page fault for address: ffffbc8fc00866ad -[ 0.774788] #PF: supervisor read access in kernel mode -[ 0.774788] #PF: error_code(0x0000) - not-present page -[ 0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0 -[ 0.774788] Oops: 0000 [#1] SMP PTI -[ 0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1 -[ 0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018 -[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 -[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe -[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 -[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 -[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 -[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 -[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 -[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 -[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 -[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 -[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 0.774788] Call Trace: -[ 0.774788] tpm_read_log_efi+0x156/0x1a0 -[ 0.774788] tpm_bios_log_setup+0xc8/0x190 -[ 0.774788] tpm_chip_register+0x50/0x1c0 -[ 0.774788] tpm_tis_core_init.cold.9+0x28c/0x466 -[ 0.774788] tpm_tis_plat_probe+0xcc/0xea -[ 0.774788] platform_drv_probe+0x35/0x80 -[ 0.774788] really_probe+0xef/0x390 -[ 0.774788] driver_probe_device+0xb4/0x100 -[ 0.774788] device_driver_attach+0x4f/0x60 -[ 0.774788] __driver_attach+0x86/0x140 -[ 0.774788] ? device_driver_attach+0x60/0x60 -[ 0.774788] bus_for_each_dev+0x76/0xc0 -[ 0.774788] ? klist_add_tail+0x3b/0x70 -[ 0.774788] bus_add_driver+0x14a/0x1e0 -[ 0.774788] ? tpm_init+0xea/0xea -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] driver_register+0x6b/0xb0 -[ 0.774788] ? tpm_init+0xea/0xea -[ 0.774788] init_tis+0x86/0xd8 -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] ? driver_register+0x94/0xb0 -[ 0.774788] do_one_initcall+0x46/0x1e4 -[ 0.774788] ? do_early_param+0x8e/0x8e -[ 0.774788] kernel_init_freeable+0x199/0x242 -[ 0.774788] ? rest_init+0xaa/0xaa -[ 0.774788] kernel_init+0xa/0x106 -[ 0.774788] ret_from_fork+0x35/0x40 -[ 0.774788] Modules linked in: -[ 0.774788] CR2: ffffbc8fc00866ad -[ 0.774788] ---[ end trace 42930799f8d6eaea ]--- -[ 0.774788] RIP: 0010:memcpy_erms+0x6/0x10 -[ 0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe -[ 0.774788] RSP: 0000:ffffbc8fc0073b30 EFLAGS: 00010286 -[ 0.774788] RAX: ffff9b1fc7c5b367 RBX: ffff9b1fc8390000 RCX: ffffffffffffe962 -[ 0.774788] RDX: ffffffffffffe962 RSI: ffffbc8fc00866ad RDI: ffff9b1fc7c5b367 -[ 0.774788] RBP: ffff9b1c10ca7018 R08: ffffbc8fc0085fff R09: 8000000000000063 -[ 0.774788] R10: 0000000000001000 R11: 000fffffffe00000 R12: 0000000000003367 -[ 0.774788] R13: ffff9b1fcc47c010 R14: ffffbc8fc0085000 R15: 0000000000000002 -[ 0.774788] FS: 0000000000000000(0000) GS:ffff9b1fce200000(0000) knlGS:0000000000000000 -[ 0.774788] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 0.774788] CR2: ffffbc8fc00866ad CR3: 000000029f60a001 CR4: 00000000003606f0 -[ 0.774788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 0.774788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 0.774788] Kernel panic - not syncing: Fatal exception -[ 0.774788] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) -[ 0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]--- - -The root cause of the issue that caused the failure of event parsing -in this case is resolved by Peter Jone's patchset dealing with large -event logs where crossing over a page boundary causes the page with -the event count to be unmapped. - -Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") -Cc: linux-efi@vger.kernel.org -Cc: linux-integrity@vger.kernel.org -Cc: stable@vger.kernel.org -Cc: Matthew Garrett -Cc: Ard Biesheuvel -Cc: Jarkko Sakkinen -Signed-off-by: Jerry Snitselaar -Reviewed-by: ---- -v3: rebase on top of Peter Jone's patchset -v2: added FW_BUG to pr_err, and renamed label to out_calc. - Updated doc comment for __calc_tpm2_event_size. - - drivers/firmware/efi/tpm.c | 9 ++++++++- - include/linux/tpm_eventlog.h | 2 +- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c -index b9ae5c6f9b9c..703469c1ab8e 100644 ---- a/drivers/firmware/efi/tpm.c -+++ b/drivers/firmware/efi/tpm.c -@@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) - final_tbl->nr_events, - log_tbl->log); - } -+ -+ if (tbl_size < 0) { -+ pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); -+ goto out_calc; -+ } -+ - memblock_reserve((unsigned long)final_tbl, - tbl_size + sizeof(*final_tbl)); -- early_memunmap(final_tbl, sizeof(*final_tbl)); - efi_tpm_final_log_size = tbl_size; - -+out_calc: -+ early_memunmap(final_tbl, sizeof(*final_tbl)); - out: - early_memunmap(log_tbl, sizeof(*log_tbl)); - return ret; -diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h -index 12584b69a3f3..2dfdd63ac034 100644 ---- a/include/linux/tpm_eventlog.h -+++ b/include/linux/tpm_eventlog.h -@@ -152,7 +152,7 @@ struct tcg_algorithm_info { - * total. Once we've done this we know the offset of the data length field, - * and can calculate the total size of the event. - * -- * Return: size of the event on success, <0 on failure -+ * Return: size of the event on success, 0 on failure - */ - - static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, -- cgit