September 2024 - Linux-stable-mirror

[PATCH v5.4-v4.19] gpio: prevent potential speculation leaks in gpio_device_get_desc()

by hsimeliere.opensource＠witekio.com

From: Hagar Hemdan <hagarhem(a)amazon.com> commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream. Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/gpio/gpiolib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index abdf448b11a3..f83b2214d704 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4,6 +4,7 @@ #include <linux/module.h> #include <linux/interrupt.h> #include <linux/irq.h> +#include <linux/nospec.h> #include <linux/spinlock.h> #include <linux/list.h> #include <linux/device.h> @@ -147,7 +148,7 @@ struct gpio_desc *gpiochip_get_desc(struct gpio_chip *chip, if (hwnum >= gdev->ngpio) return ERR_PTR(-EINVAL); - return &gdev->descs[hwnum]; + return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)]; } /** -- 2.43.0

3 months, 1 week

1
0
0 0

[PATCH v6.1-v5.10] gpio: prevent potential speculation leaks in gpio_device_get_desc()

by hsimeliere.opensource＠witekio.com

From: Hagar Hemdan <hagarhem(a)amazon.com> commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream. Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/gpio/gpiolib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 9d8c78312403..a0c1dabd2939 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -5,6 +5,7 @@ #include <linux/module.h> #include <linux/interrupt.h> #include <linux/irq.h> +#include <linux/nospec.h> #include <linux/spinlock.h> #include <linux/list.h> #include <linux/device.h> @@ -146,7 +147,7 @@ struct gpio_desc *gpiochip_get_desc(struct gpio_chip *gc, if (hwnum >= gdev->ngpio) return ERR_PTR(-EINVAL); - return &gdev->descs[hwnum]; + return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)]; } EXPORT_SYMBOL_GPL(gpiochip_get_desc); -- 2.43.0

3 months, 1 week

1
0
0 0

Re: [PATCH 6.10 000/121] 6.10.11-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

3 months, 1 week

1
0
0 0

[PATCH 6.10] LoongArch: KVM: Remove unnecessary definition of KVM_PRIVATE_MEM_SLOTS

by WangYuli

From: Yuli Wang <wangyuli(a)uniontech.com> [ Upstream commit 296b03ce389b4f7b3d7ea5664e53d432fb17e745 ] 1. "KVM_PRIVATE_MEM_SLOTS" is renamed as "KVM_INTERNAL_MEM_SLOTS". 2. "KVM_INTERNAL_MEM_SLOTS" defaults to zero, so it is not necessary to define it in LoongArch's asm/kvm_host.h. Link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… Link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Yuli Wang <wangyuli(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/kvm_host.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/loongarch/include/asm/kvm_host.h b/arch/loongarch/include/asm/kvm_host.h index c87b6ea0ec47..d348005d143e 100644 --- a/arch/loongarch/include/asm/kvm_host.h +++ b/arch/loongarch/include/asm/kvm_host.h @@ -26,8 +26,6 @@ #define KVM_MAX_VCPUS 256 #define KVM_MAX_CPUCFG_REGS 21 -/* memory slots that does not exposed to userspace */ -#define KVM_PRIVATE_MEM_SLOTS 0 #define KVM_HALT_POLL_NS_DEFAULT 500000 -- 2.43.0

3 months, 1 week

2
1
0 0

[PATCH v2 3/6] tpm: Return on tpm2_create_primary() failure in tpm2_load_null()

by Jarkko Sakkinen

tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index d63510ad44ab..9c0356d7ce5e 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -850,22 +850,32 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } /* an integrity failure may mean the TPM has been reset */ dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; + + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + /* * Fatal TPM failure: the NULL seed has actually changed, so * the TPM must have been illegally reset. All in-kernel TPM @@ -874,6 +884,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) * userspace programmes can't be compromised by it. */ dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); + tpm2_flush_context(chip, tmp_null_key); chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; -- 2.46.0

3 months, 1 week

1
0
0 0

[PATCH v2 2/6] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() ignores the return value of tpm2_create_null_primary(). Address this by returning on failure. Cc: stable(a)vger.kernel.org # v6.11+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6cc1ea81c57c..d63510ad44ab 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1288,8 +1288,10 @@ int tpm2_sessions_init(struct tpm_chip *chip) int rc; rc = tpm2_create_null_primary(chip); - if (rc) + if (rc) { dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; + } chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.46.0

3 months, 1 week

1
0
0 0

[PATCH 6.6] drm/amd/display: Fix subvp+drr logic errors

by Murad Masimov

From: Alvin Lee <alvin.lee2(a)amd.com> commit 8a0f02b7beed7b2b768dbdf3b79960de68f460c5 upstream. [Why] There is some logic error where the wrong variable was used to check for OTG_MASTER and DPP_PIPE. [How] Add booleans to confirm that the expected pipes were found before validating schedulability. Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Reviewed-by: Samson Tam <samson.tam(a)amd.com> Reviewed-by: Chaitanya Dhere <chaitanya.dhere(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- .../drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c index 3d82cbef1274..7160380d5690 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c @@ -879,6 +879,8 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) int16_t stretched_drr_us = 0; int16_t drr_stretched_vblank_us = 0; int16_t max_vblank_mallregion = 0; + bool subvp_found = false; + bool drr_found = false; // Find SubVP pipe for (i = 0; i < dc->res_pool->pipe_count; i++) { @@ -891,8 +893,10 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) continue; // Find the SubVP pipe - if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) + if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) { + subvp_found = true; break; + } } // Find the DRR pipe @@ -900,15 +904,20 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context) drr_pipe = &context->res_ctx.pipe_ctx[i]; // We check for master pipe only - if (!resource_is_pipe_type(pipe, OTG_MASTER) || - !resource_is_pipe_type(pipe, DPP_PIPE)) + if (!resource_is_pipe_type(drr_pipe, OTG_MASTER) || + !resource_is_pipe_type(drr_pipe, DPP_PIPE)) continue; if (drr_pipe->stream->mall_stream_config.type == SUBVP_NONE && drr_pipe->stream->ignore_msa_timing_param && - (drr_pipe->stream->allow_freesync || drr_pipe->stream->vrr_active_variable)) + (drr_pipe->stream->allow_freesync || drr_pipe->stream->vrr_active_variable)) { + drr_found = true; break; + } } + if (!subvp_found || !drr_found) + return false; + main_timing = &pipe->stream->timing; phantom_timing = &pipe->stream->mall_stream_config.paired_stream->timing; drr_timing = &drr_pipe->stream->timing; -- 2.39.2

3 months, 1 week

1
0
0 0

[PATCH 6.1] drm/amd/display: Fix subvp+drr logic errors

by Murad Masimov

From: Alvin Lee <alvin.lee2(a)amd.com> commit 8a0f02b7beed7b2b768dbdf3b79960de68f460c5 upstream. [Why] There is some logic error where the wrong variable was used to check for OTG_MASTER and DPP_PIPE. [How] Add booleans to confirm that the expected pipes were found before validating schedulability. Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Acked-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Reviewed-by: Samson Tam <samson.tam(a)amd.com> Reviewed-by: Chaitanya Dhere <chaitanya.dhere(a)amd.com> Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [m.masimov(a)maxima.ru: In order to adapt this patch to branch 6.1 only changes related to finding the SubVP pipe were applied as in 6.1 drr_pipe is passed as a function argument.] Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c index 85e0d1c2a908..4b0719392d28 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c @@ -862,6 +862,7 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context, struc int16_t stretched_drr_us = 0; int16_t drr_stretched_vblank_us = 0; int16_t max_vblank_mallregion = 0; + bool subvp_found = false; // Find SubVP pipe for (i = 0; i < dc->res_pool->pipe_count; i++) { @@ -873,10 +874,15 @@ static bool subvp_drr_schedulable(struct dc *dc, struct dc_state *context, struc continue; // Find the SubVP pipe - if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) + if (pipe->stream->mall_stream_config.type == SUBVP_MAIN) { + subvp_found = true; break; + } } + if (!subvp_found) + return false; + main_timing = &pipe->stream->timing; phantom_timing = &pipe->stream->mall_stream_config.paired_stream->timing; drr_timing = &drr_pipe->stream->timing; -- 2.39.2

3 months, 1 week

1
0
0 0

[PATCH 6.10] LoongArch: KVM: Remove undefined a6 argument comment for kvm_hypercall()

by WangYuli

From: Dandan Zhang <zhangdandan(a)uniontech.com> The kvm_hypercall() set for LoongArch is limited to a1-a5. So the mention of a6 in the comment is undefined that needs to be rectified. Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> Signed-off-by: Dandan Zhang <zhangdandan(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- arch/loongarch/include/asm/kvm_para.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/include/asm/kvm_para.h b/arch/loongarch/include/asm/kvm_para.h index 4ba2312e5f8c..6d5e9b6c5714 100644 --- a/arch/loongarch/include/asm/kvm_para.h +++ b/arch/loongarch/include/asm/kvm_para.h @@ -28,9 +28,9 @@ * Hypercall interface for KVM hypervisor * * a0: function identifier - * a1-a6: args + * a1-a5: args * Return value will be placed in a0. - * Up to 6 arguments are passed in a1, a2, a3, a4, a5, a6. + * Up to 5 arguments are passed in a1, a2, a3, a4, a5. */ static __always_inline long kvm_hypercall0(u64 fid) { -- 2.43.0

3 months, 1 week

2
2
0 0

[PATCH] HID: plantronics: Additional PID for double volume key presses quirk

by Wade Wang

Add the below headsets for double volume key presses quirk Plantronics EncorePro 500 Series (047f:431e) Plantronics Blackwire_3325 Series (047f:430c) Quote from previous patch by Maxim Mikityanskiy and Terry Junge 'commit f567d6ef8606 ("HID: plantronics: Workaround for double volume key presses")' 'commit 3d57f36c89d8 ("HID: plantronics: Additional PIDs for double volume key presses quirk")' These Plantronics Series headset sends an opposite volume key following each volume key press. This patch adds a quirk to hid-plantronics for this product ID, which will ignore the second opposite volume key press if it happens within 250 ms from the last one that was handled. Cc: stable(a)vger.kernel.org Signed-off-by: Wade Wang <wade.wang(a)hp.com> --- drivers/hid/hid-ids.h | 2 ++ drivers/hid/hid-plantronics.c | 11 +++++++++++ 2 files changed, 13 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 781c5aa29859..a0aaac98a891 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -1050,6 +1050,8 @@ #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058 +#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES 0x430c +#define USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES 0x431e #define USB_VENDOR_ID_PANASONIC 0x04da #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 3d414ae194ac..2a19f3646ecb 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -38,8 +38,10 @@ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) #define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) +#define PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS BIT(1) #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ +#define PLT_FOLLOWED_KEY_TIMEOUT 250 /* ms */ struct plt_drv_data { unsigned long device_type; @@ -134,6 +136,9 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, cur_ts = jiffies; if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) return 1; /* Ignore the repeated key. */ + if ((drv_data->quirks & PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS) + && jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_KEY_TIMEOUT) + return 1; /* Ignore the followed volume key. */ drv_data->last_volume_key_ts = cur_ts; } @@ -210,6 +215,12 @@ static const struct hid_device_id plantronics_devices[] = { { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS|PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), + .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS|PLT_QUIRK_FOLLOWED_VOLUME_UP_DN_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; -- 2.34.1

3 months, 1 week

4
5
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024