May 2023 - Linux-stable-mirror

WARNING trace at kvm_nx_huge_page_recovery_worker on 6.3.4

by Fabio Coatti

Hi all, I'm using vanilla kernels on a gentoo-based laptop and since 6.3.2 I'm getting the kernel log below when using kvm VM on my box. I know, kernel is tainted but avoiding to load nvidia driver could make things complicated on my side; if needed for debug I can try to avoid it. Not sure which other infos can be relevant in this context; if you need more details just let me know, happy to provide them. [Fri May 26 09:16:35 2023] ------------[ cut here ]------------ [Fri May 26 09:16:35 2023] WARNING: CPU: 5 PID: 4684 at kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm] [Fri May 26 09:16:35 2023] Modules linked in: vhost_net vhost vhost_iotlb tap tun tls rfcomm snd_hrtimer snd_seq xt_CHECKSUM algif_skcipher xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat iptable_filter ip_tables bpfilter bridge stp llc rmi_smbus rmi_core bnep squashfs sch_fq_codel nvidia_drm(POE) intel_rapl_msr vboxnetadp(OE) vboxnetflt(OE) nvidia_modeset(POE) mei_pxp mei_hdcp rtsx_pci_sdmmc vboxdrv(OE) mmc_core intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core snd_ctl_led intel_tcc_cooling snd_hda_codec_realtek snd_hda_codec_generic x86_pkg_temp_thermal intel_powerclamp btusb btrtl snd_usb_audio btbcm btmtk kvm_intel btintel snd_hda_intel snd_intel_dspcfg snd_usbmidi_lib snd_hda_codec snd_rawmidi snd_hwdep bluetooth snd_hda_core snd_seq_device kvm snd_pcm thinkpad_acpi iwlmvm mousedev ledtrig_audio uvcvideo snd_timer ecdh_generic irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni snd think_lmi joydev mei_me ecc uvc [Fri May 26 09:16:35 2023] polyval_generic rtsx_pci iwlwifi firmware_attributes_class psmouse wmi_bmof soundcore intel_pch_thermal mei platform_profile input_leds evdev nvidia(POE) coretemp hwmon akvcam(OE) videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common mc loop nfsd auth_rpcgss nfs_acl efivarfs dmi_sysfs dm_zero dm_thin_pool dm_persistent_data dm_bio_prison dm_service_time dm_round_robin dm_queue_length dm_multipath dm_delay virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio_blk virtio_console virtio_balloon vxlan ip6_udp_tunnel udp_tunnel macvlan virtio_net net_failover failover virtio_ring virtio fuse overlay nfs lockd grace sunrpc linear raid10 raid1 raid0 dm_raid raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx md_mod dm_snapshot dm_bufio dm_crypt trusted asn1_encoder tpm rng_core dm_mirror dm_region_hash dm_log firewire_core crc_itu_t hid_apple usb_storage ehci_pci ehci_hcd sr_mod cdrom ahci libahci libata [Fri May 26 09:16:35 2023] CPU: 5 PID: 4684 Comm: kvm-nx-lpage-re Tainted: P U OE 6.3.4-cova #1 [Fri May 26 09:16:35 2023] Hardware name: LENOVO 20EQS58500/20EQS58500, BIOS N1EET98W (1.71 ) 12/06/2022 [Fri May 26 09:16:35 2023] RIP: 0010:kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm] [Fri May 26 09:16:35 2023] Code: 48 8b 44 24 30 4c 39 e0 0f 85 1b fe ff ff 48 89 df e8 2e ab fb ff e9 23 fe ff ff 49 bc ff ff ff ff ff ff ff 7f e9 fb fc ff ff <0f> 0b e9 1b ff ff ff 48 8b 44 24 40 65 48 2b 04 25 28 00 00 00 75 [Fri May 26 09:16:35 2023] RSP: 0018:ffff8e1a4403fe68 EFLAGS: 00010246 [Fri May 26 09:16:35 2023] RAX: 0000000000000000 RBX: ffff8e1a42bbd000 RCX: 0000000000000000 [Fri May 26 09:16:35 2023] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [Fri May 26 09:16:35 2023] RBP: ffff8b4e9a56d930 R08: 0000000000000000 R09: ffff8b4e9a56d8a0 [Fri May 26 09:16:35 2023] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8e1a4403fe98 [Fri May 26 09:16:35 2023] R13: 0000000000000001 R14: ffff8b4d9c432e80 R15: 0000000000000010 [Fri May 26 09:16:35 2023] FS: 0000000000000000(0000) GS:ffff8b5cdf740000(0000) knlGS:0000000000000000 [Fri May 26 09:16:35 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri May 26 09:16:35 2023] CR2: 00007efeac53d000 CR3: 0000000978c2c003 CR4: 00000000003726e0 [Fri May 26 09:16:35 2023] Call Trace: [Fri May 26 09:16:35 2023] <TASK> [Fri May 26 09:16:35 2023] ? __pfx_kvm_nx_huge_page_recovery_worker+0x10/0x10 [kvm] [Fri May 26 09:16:35 2023] kvm_vm_worker_thread+0x106/0x1c0 [kvm] [Fri May 26 09:16:35 2023] ? __pfx_kvm_vm_worker_thread+0x10/0x10 [kvm] [Fri May 26 09:16:35 2023] kthread+0xd9/0x100 [Fri May 26 09:16:35 2023] ? __pfx_kthread+0x10/0x10 [Fri May 26 09:16:35 2023] ret_from_fork+0x2c/0x50 [Fri May 26 09:16:35 2023] </TASK> [Fri May 26 09:16:35 2023] ---[ end trace 0000000000000000 ]--- -- Fabio

1 year, 8 months

3
10
0 0

[PATCH] scsi: stex: Fix gcc 13 warnings

by Bart Van Assche

gcc 13 may assign another type to enumeration constants than gcc 12. Split the large enum at the top of source file stex.c such that the type of the constants used in time expressions is changed back to the same type chosen by gcc 12. This patch suppresses compiler warnings like this one: In file included from ./include/linux/bitops.h:7, from ./include/linux/kernel.h:22, from drivers/scsi/stex.c:13: drivers/scsi/stex.c: In function ‘stex_common_handshake’: ./include/linux/typecheck.h:12:25: error: comparison of distinct pointer types lacks a cast [-Werror] 12 | (void)(&__dummy == &__dummy2); \ | ^~ ./include/linux/jiffies.h:106:10: note: in expansion of macro ‘typecheck’ 106 | typecheck(unsigned long, b) && \ | ^~~~~~~~~ drivers/scsi/stex.c:1035:29: note: in expansion of macro ‘time_after’ 1035 | if (time_after(jiffies, before + MU_MAX_DELAY * HZ)) { | ^~~~~~~~~~ See also https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107405. Cc: stable(a)vger.kernel.org Acked-by: Randy Dunlap <rdunlap(a)infradead.org> Tested-by: Randy Dunlap <rdunlap(a)infradead.org> # build-tested Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/scsi/stex.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c index 5b230e149c3d..8ffb75be99bc 100644 --- a/drivers/scsi/stex.c +++ b/drivers/scsi/stex.c @@ -109,7 +109,9 @@ enum { TASK_ATTRIBUTE_HEADOFQUEUE = 0x1, TASK_ATTRIBUTE_ORDERED = 0x2, TASK_ATTRIBUTE_ACA = 0x4, +}; +enum { SS_STS_NORMAL = 0x80000000, SS_STS_DONE = 0x40000000, SS_STS_HANDSHAKE = 0x20000000, @@ -121,7 +123,9 @@ enum { SS_I2H_REQUEST_RESET = 0x2000, SS_MU_OPERATIONAL = 0x80000000, +}; +enum { STEX_CDB_LENGTH = 16, STATUS_VAR_LEN = 128,

1 year, 8 months

2
1
0 0

[PATCH] mpi3mr: propagate sense data for admin queue SCSI IO

by Sumit Saxena

Copy the sense data to internal driver buffer when the firmware completes any SCSI IO command sent through admin queue with sense data for further use. Fixes: 506bc1a0d6ba ("scsi: mpi3mr: Add support for MPT commands") Cc: <stable(a)vger.kernel.org> Signed-off-by: Sathya Prakash <sathya.prakash(a)broadcom.com> Signed-off-by: Sumit Saxena <sumit.saxena(a)broadcom.com> --- drivers/scsi/mpi3mr/mpi3mr_fw.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c index 9b56d13821c6..945783c30985 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_fw.c +++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c @@ -402,6 +402,11 @@ static void mpi3mr_process_admin_reply_desc(struct mpi3mr_ioc *mrioc, memcpy((u8 *)cmdptr->reply, (u8 *)def_reply, mrioc->reply_sz); } + if (sense_buf && cmdptr->sensebuf) { + cmdptr->is_sense = 1; + memcpy(cmdptr->sensebuf, sense_buf, + MPI3MR_SENSE_BUF_SZ); + } if (cmdptr->is_waiting) { complete(&cmdptr->done); cmdptr->is_waiting = 0; -- 2.18.1

1 year, 8 months

2
1
0 0

[PATCH RESEND] epoll: ep_autoremove_wake_function should use list_del_init_careful

by Benjamin Segall

autoremove_wake_function uses list_del_init_careful, so should epoll's more aggressive variant. It only doesn't because it was copied from an older wait.c rather than the most recent. Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively") Signed-off-by: Ben Segall <bsegall(a)google.com> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 52954d4637b5..081df056398a 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1756,11 +1756,11 @@ static struct timespec64 *ep_timeout_to_timespec(struct timespec64 *to, long ms) static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry, unsigned int mode, int sync, void *key) { int ret = default_wake_function(wq_entry, mode, sync, key); - list_del_init(&wq_entry->entry); + list_del_init_careful(&wq_entry->entry); return ret; } /** * ep_poll - Retrieves ready events, and delivers them to the caller-supplied -- 2.39.0.rc0.267.gcb52ba06e7-goog

1 year, 8 months

4
5
0 0

[PATCH] btrfs: add block-group tree to lockdep classes

by David Sterba

The block group tree was not present among the lockdep classes. We could get potentially lockdep warnings but so far none has been seen, also because block-group-tree is a relatively new feature. CC: stable(a)vger.kernel.org # 6.1+ Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/locking.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/locking.c b/fs/btrfs/locking.c index 3a496b0d3d2b..7979449a58d6 100644 --- a/fs/btrfs/locking.c +++ b/fs/btrfs/locking.c @@ -57,8 +57,8 @@ static struct btrfs_lockdep_keyset { u64 id; /* root objectid */ - /* Longest entry: btrfs-free-space-00 */ - char names[BTRFS_MAX_LEVEL][20]; + /* Longest entry: btrfs-block-group-00 */ + char names[BTRFS_MAX_LEVEL][24]; struct lock_class_key keys[BTRFS_MAX_LEVEL]; } btrfs_lockdep_keysets[] = { { .id = BTRFS_ROOT_TREE_OBJECTID, DEFINE_NAME("root") }, @@ -72,6 +72,7 @@ static struct btrfs_lockdep_keyset { { .id = BTRFS_DATA_RELOC_TREE_OBJECTID, DEFINE_NAME("dreloc") }, { .id = BTRFS_UUID_TREE_OBJECTID, DEFINE_NAME("uuid") }, { .id = BTRFS_FREE_SPACE_TREE_OBJECTID, DEFINE_NAME("free-space") }, + { .id = BTRFS_BLOCK_GROUP_TREE_OBJECTID, DEFINE_NAME("block-group") }, { .id = 0, DEFINE_NAME("tree") }, }; -- 2.40.0

1 year, 8 months

1
0
0 0

[PATCH v7 1/5] block: Don't invalidate pagecache for invalid falloc modes

by Sarthak Kukreti

Only call truncate_bdev_range() if the fallocate mode is supported. This fixes a bug where data in the pagecache could be invalidated if the fallocate() was called on the block device with an invalid mode. Fixes: 25f4c41415e5 ("block: implement (some of) fallocate for block devices") Cc: stable(a)vger.kernel.org Reported-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Sarthak Kukreti <sarthakkukreti(a)chromium.org> --- block/fops.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/block/fops.c b/block/fops.c index d2e6be4e3d1c..4c70fdc546e7 100644 --- a/block/fops.c +++ b/block/fops.c @@ -648,24 +648,35 @@ static long blkdev_fallocate(struct file *file, int mode, loff_t start, filemap_invalidate_lock(inode->i_mapping); - /* Invalidate the page cache, including dirty pages. */ - error = truncate_bdev_range(bdev, file->f_mode, start, end); - if (error) - goto fail; - + /* + * Invalidate the page cache, including dirty pages, for valid + * de-allocate mode calls to fallocate(). + */ switch (mode) { case FALLOC_FL_ZERO_RANGE: case FALLOC_FL_ZERO_RANGE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file->f_mode, start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOUNMAP); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE: + error = truncate_bdev_range(bdev, file->f_mode, start, end); + if (error) + goto fail; + error = blkdev_issue_zeroout(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL, BLKDEV_ZERO_NOFALLBACK); break; case FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE | FALLOC_FL_NO_HIDE_STALE: + error = truncate_bdev_range(bdev, file->f_mode, start, end); + if (error) + goto fail; + error = blkdev_issue_discard(bdev, start >> SECTOR_SHIFT, len >> SECTOR_SHIFT, GFP_KERNEL); break; -- 2.40.1.698.g37aff9b760-goog

1 year, 8 months

4
3
0 0

FAILED: patch "[PATCH] platform/x86: ISST: Remove 8 socket limit" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023052848-preset-slapping-3df7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: bbb320bfe2c3 ("platform/x86: ISST: Remove 8 socket limit") 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff Mon Sep 17 00:00:00 2001 From: Steve Wahl <steve.wahl(a)hpe.com> Date: Fri, 19 May 2023 11:04:20 -0500 Subject: [PATCH] platform/x86: ISST: Remove 8 socket limit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Stop restricting the PCI search to a range of PCI domains fed to pci_get_domain_bus_and_slot(). Instead, use for_each_pci_dev() and look at all PCI domains in one pass. On systems with more than 8 sockets, this avoids error messages like "Information: Invalid level, Can't get TDP control information at specified levels on cpu 480" from the intel speed select utility. Fixes: aa2ddd242572 ("platform/x86: ISST: Use numa node id for cpu pci dev mapping") Signed-off-by: Steve Wahl <steve.wahl(a)hpe.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Link: https://lore.kernel.org/r/20230519160420.2588475-1-steve.wahl@hpe.com Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c index e0572a29212e..02fe360a59c7 100644 --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c @@ -304,14 +304,13 @@ struct isst_if_pkg_info { static struct isst_if_cpu_info *isst_cpu_info; static struct isst_if_pkg_info *isst_pkg_info; -#define ISST_MAX_PCI_DOMAINS 8 - static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn) { struct pci_dev *matched_pci_dev = NULL; struct pci_dev *pci_dev = NULL; + struct pci_dev *_pci_dev = NULL; int no_matches = 0, pkg_id; - int i, bus_number; + int bus_number; if (bus_no < 0 || bus_no >= ISST_MAX_BUS_NUMBER || cpu < 0 || cpu >= nr_cpu_ids || cpu >= num_possible_cpus()) @@ -323,12 +322,11 @@ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn if (bus_number < 0) return NULL; - for (i = 0; i < ISST_MAX_PCI_DOMAINS; ++i) { - struct pci_dev *_pci_dev; + for_each_pci_dev(_pci_dev) { int node; - _pci_dev = pci_get_domain_bus_and_slot(i, bus_number, PCI_DEVFN(dev, fn)); - if (!_pci_dev) + if (_pci_dev->bus->number != bus_number || + _pci_dev->devfn != PCI_DEVFN(dev, fn)) continue; ++no_matches;

1 year, 8 months

2
1
0 0

S0ix guard rails for amdgpu in 6.1

by Limonciello, Mario

Hi, There is a commit in 6.3 that adds some guard rails to ensure amdgpu doesn’t run s2idle flows unless the hardware really supports it. Can you please take this into 6.1.y? ca4751866397 ("drm/amd: Don't allow s0ix on APUs older than Raven") It is not necessary to take the commit it marks “a fix” in it’s commit message, as a problem was found in that commit and it will be reverted in the near future. Thanks,

1 year, 8 months

2
1
0 0

[PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory

by Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko.sakkinen(a)tuni.fi> The driver has two issues (in priority order) in the locality change: 1. The driver uses __user pointer and copy_to_user() and copy_from_user() with a kernel address during the locality change. 2. For invalid locality change request from user space, the driver sets errno to EFAULT, while for invalid input data EINVAL should be used. Address this by: 1. Introduce __vtpm_proxy_read_unlocked(), __vtpm_proxy_write_unlocked() and __vtpm_proxy_read_write_locked(). 2. Make locality change atomic by calling __vtpm_proxy_read_write_locked(), instead of tpm_transmit_cmd(). Cc: stable(a)vger.kernel.org Fixes: be4c9acfe297 ("tpm: vtpm_proxy: Implement request_locality function.") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)tuni.fi> --- v2: * Acquiring and releasing mutex in-between should not be an issue because they are executed with the chip locked. --- drivers/char/tpm/tpm_vtpm_proxy.c | 162 ++++++++++++++---------------- 1 file changed, 73 insertions(+), 89 deletions(-) diff --git a/drivers/char/tpm/tpm_vtpm_proxy.c b/drivers/char/tpm/tpm_vtpm_proxy.c index 30e953988cab..8f43a82e5590 100644 --- a/drivers/char/tpm/tpm_vtpm_proxy.c +++ b/drivers/char/tpm/tpm_vtpm_proxy.c @@ -38,7 +38,6 @@ struct proxy_dev { #define STATE_OPENED_FLAG BIT(0) #define STATE_WAIT_RESPONSE_FLAG BIT(1) /* waiting for emulator response */ #define STATE_REGISTERED_FLAG BIT(2) -#define STATE_DRIVER_COMMAND BIT(3) /* sending a driver specific command */ size_t req_len; /* length of queued TPM request */ size_t resp_len; /* length of queued TPM response */ @@ -58,106 +57,112 @@ static void vtpm_proxy_delete_device(struct proxy_dev *proxy_dev); * Functions related to 'server side' */ -/** - * vtpm_proxy_fops_read - Read TPM commands on 'server side' - * - * @filp: file pointer - * @buf: read buffer - * @count: number of bytes to read - * @off: offset - * - * Return: - * Number of bytes read or negative error code - */ -static ssize_t vtpm_proxy_fops_read(struct file *filp, char __user *buf, - size_t count, loff_t *off) +static ssize_t __vtpm_proxy_read_unlocked(struct proxy_dev *proxy_dev, char __user *buf, + size_t count) { - struct proxy_dev *proxy_dev = filp->private_data; size_t len; - int sig, rc; - - sig = wait_event_interruptible(proxy_dev->wq, - proxy_dev->req_len != 0 || - !(proxy_dev->state & STATE_OPENED_FLAG)); - if (sig) - return -EINTR; - - mutex_lock(&proxy_dev->buf_lock); + int rc; - if (!(proxy_dev->state & STATE_OPENED_FLAG)) { - mutex_unlock(&proxy_dev->buf_lock); + if (!(proxy_dev->state & STATE_OPENED_FLAG)) return -EPIPE; - } len = proxy_dev->req_len; if (count < len || len > sizeof(proxy_dev->buffer)) { - mutex_unlock(&proxy_dev->buf_lock); pr_debug("Invalid size in recv: count=%zd, req_len=%zd\n", count, len); return -EIO; } - rc = copy_to_user(buf, proxy_dev->buffer, len); + if (buf) + rc = copy_to_user(buf, proxy_dev->buffer, len); + memset(proxy_dev->buffer, 0, len); proxy_dev->req_len = 0; if (!rc) proxy_dev->state |= STATE_WAIT_RESPONSE_FLAG; - mutex_unlock(&proxy_dev->buf_lock); - if (rc) return -EFAULT; return len; } -/** - * vtpm_proxy_fops_write - Write TPM responses on 'server side' - * - * @filp: file pointer - * @buf: write buffer - * @count: number of bytes to write - * @off: offset - * - * Return: - * Number of bytes read or negative error value - */ -static ssize_t vtpm_proxy_fops_write(struct file *filp, const char __user *buf, - size_t count, loff_t *off) +static ssize_t __vtpm_proxy_write_unlocked(struct proxy_dev *proxy_dev, const char __user *buf, + size_t count) { - struct proxy_dev *proxy_dev = filp->private_data; - - mutex_lock(&proxy_dev->buf_lock); - - if (!(proxy_dev->state & STATE_OPENED_FLAG)) { - mutex_unlock(&proxy_dev->buf_lock); + if (!(proxy_dev->state & STATE_OPENED_FLAG)) return -EPIPE; - } if (count > sizeof(proxy_dev->buffer) || - !(proxy_dev->state & STATE_WAIT_RESPONSE_FLAG)) { - mutex_unlock(&proxy_dev->buf_lock); + !(proxy_dev->state & STATE_WAIT_RESPONSE_FLAG)) return -EIO; - } proxy_dev->state &= ~STATE_WAIT_RESPONSE_FLAG; proxy_dev->req_len = 0; - if (copy_from_user(proxy_dev->buffer, buf, count)) { - mutex_unlock(&proxy_dev->buf_lock); + if (buf && copy_from_user(proxy_dev->buffer, buf, count)) return -EFAULT; - } proxy_dev->resp_len = count; + return count; +} +static ssize_t __vtpm_proxy_read_write_unlocked(struct proxy_dev *proxy_dev, char __user *buf, + size_t count) +{ + ssize_t rc; + + do { + rc = __vtpm_proxy_write_unlocked(proxy_dev, buf, count); + if (rc < 0) + break; + rc = __vtpm_proxy_read_unlocked(proxy_dev, buf, rc); + } while (0); + + return rc; +} + +/* + * See struct file_operations. + */ +static ssize_t vtpm_proxy_fops_read(struct file *filp, char __user *buf, + size_t count, loff_t *off) +{ + struct proxy_dev *proxy_dev = filp->private_data; + ssize_t rc; + int sig; + + sig = wait_event_interruptible(proxy_dev->wq, + proxy_dev->req_len != 0 || + !(proxy_dev->state & STATE_OPENED_FLAG)); + if (sig) + return -EINTR; + + mutex_lock(&proxy_dev->buf_lock); + rc = __vtpm_proxy_read_unlocked(proxy_dev, buf, count); mutex_unlock(&proxy_dev->buf_lock); + return rc; +} + +/* + * See struct file_operations. + */ +static ssize_t vtpm_proxy_fops_write(struct file *filp, const char __user *buf, + size_t count, loff_t *off) +{ + struct proxy_dev *proxy_dev = filp->private_data; + int rc; + + mutex_lock(&proxy_dev->buf_lock); + rc = __vtpm_proxy_write_unlocked(proxy_dev, buf, count); + mutex_unlock(&proxy_dev->buf_lock); wake_up_interruptible(&proxy_dev->wq); - return count; + return rc; } /* @@ -295,28 +300,6 @@ static int vtpm_proxy_tpm_op_recv(struct tpm_chip *chip, u8 *buf, size_t count) return len; } -static int vtpm_proxy_is_driver_command(struct tpm_chip *chip, - u8 *buf, size_t count) -{ - struct tpm_header *hdr = (struct tpm_header *)buf; - - if (count < sizeof(struct tpm_header)) - return 0; - - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - switch (be32_to_cpu(hdr->ordinal)) { - case TPM2_CC_SET_LOCALITY: - return 1; - } - } else { - switch (be32_to_cpu(hdr->ordinal)) { - case TPM_ORD_SET_LOCALITY: - return 1; - } - } - return 0; -} - /* * Called when core TPM driver forwards TPM requests to 'server side'. * @@ -330,6 +313,7 @@ static int vtpm_proxy_is_driver_command(struct tpm_chip *chip, static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t count) { struct proxy_dev *proxy_dev = dev_get_drvdata(&chip->dev); + unsigned int ord = ((struct tpm_header *)buf)->ordinal; if (count > sizeof(proxy_dev->buffer)) { dev_err(&chip->dev, @@ -338,9 +322,11 @@ static int vtpm_proxy_tpm_op_send(struct tpm_chip *chip, u8 *buf, size_t count) return -EIO; } - if (!(proxy_dev->state & STATE_DRIVER_COMMAND) && - vtpm_proxy_is_driver_command(chip, buf, count)) - return -EFAULT; + if ((chip->flags & TPM_CHIP_FLAG_TPM2) && ord == TPM2_CC_SET_LOCALITY) + return -EINVAL; + + if (ord == TPM_ORD_SET_LOCALITY) + return -EINVAL; mutex_lock(&proxy_dev->buf_lock); @@ -409,12 +395,10 @@ static int vtpm_proxy_request_locality(struct tpm_chip *chip, int locality) return rc; tpm_buf_append_u8(&buf, locality); - proxy_dev->state |= STATE_DRIVER_COMMAND; - - rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to set locality"); - - proxy_dev->state &= ~STATE_DRIVER_COMMAND; - + mutex_lock(&proxy_dev->buf_lock); + memcpy(proxy_dev->buffer, buf.data, tpm_buf_length(&buf)); + rc = __vtpm_proxy_read_write_unlocked(proxy_dev, NULL, tpm_buf_length(&buf)); + mutex_unlock(&proxy_dev->buf_lock); if (rc < 0) { locality = rc; goto out; -- 2.39.2

1 year, 8 months

3
5
0 0

[PATCH 5.10 0/1] ovl: fail on invalid uid/gid mapping at copy up

by Danila Chernetsov

This patch is needed to fix CVE-2023-0386

1 year, 8 months

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2023