<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/char, branch v6.18.4</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>char: applicom: fix NULL pointer dereference in ac_ioctl</title>
<updated>2026-01-02T11:57:14+00:00</updated>
<author>
<name>Tianchu Chen</name>
<email>flynnnchen@tencent.com</email>
</author>
<published>2025-11-28T07:53:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f83e3e9f89181b42f6076a115d767a7552c4a39e'/>
<id>f83e3e9f89181b42f6076a115d767a7552c4a39e</id>
<content type='text'>
commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.

Discovered by Atuin - Automated Vulnerability Discovery Engine.

In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.

If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.

Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.

Signed-off-by: Tianchu Chen &lt;flynnnchen@tencent.com&gt;
Acked-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Cc: stable &lt;stable@kernel.org&gt;
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.

Discovered by Atuin - Automated Vulnerability Discovery Engine.

In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.

If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.

Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.

Signed-off-by: Tianchu Chen &lt;flynnnchen@tencent.com&gt;
Acked-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Cc: stable &lt;stable@kernel.org&gt;
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tpm2-sessions: Fix tpm2_read_public range checks</title>
<updated>2026-01-02T11:57:11+00:00</updated>
<author>
<name>Jarkko Sakkinen</name>
<email>jarkko@kernel.org</email>
</author>
<published>2025-12-01T13:38:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20eda7c74b69fe9e1caf9b930a5c016bf8d755fa'/>
<id>20eda7c74b69fe9e1caf9b930a5c016bf8d755fa</id>
<content type='text'>
commit bda1cbf73c6e241267c286427f2ed52b5735d872 upstream.

tpm2_read_public() has some rudimentary range checks but the function does
not ensure that the response buffer has enough bytes for the full TPMT_HA
payload.

Re-implement the function with necessary checks and validation, and return
name and name size for all handle types back to the caller.

Cc: stable@vger.kernel.org # v6.10+
Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append")
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bda1cbf73c6e241267c286427f2ed52b5735d872 upstream.

tpm2_read_public() has some rudimentary range checks but the function does
not ensure that the response buffer has enough bytes for the full TPMT_HA
payload.

Re-implement the function with necessary checks and validation, and return
name and name size for all handle types back to the caller.

Cc: stable@vger.kernel.org # v6.10+
Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append")
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tpm2-sessions: Fix out of range indexing in name_size</title>
<updated>2026-01-02T11:57:11+00:00</updated>
<author>
<name>Jarkko Sakkinen</name>
<email>jarkko@kernel.org</email>
</author>
<published>2025-11-30T19:07:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43'/>
<id>04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43</id>
<content type='text'>
commit 6e9722e9a7bfe1bbad649937c811076acf86e1fd upstream.

'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.

Address the issue by only processing known values and returning -EINVAL for
unrecognized values.

Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.

End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.

Cc: stable@vger.kernel.org # v6.10+
Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6e9722e9a7bfe1bbad649937c811076acf86e1fd upstream.

'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.

Address the issue by only processing known values and returning -EINVAL for
unrecognized values.

Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.

End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.

Cc: stable@vger.kernel.org # v6.10+
Fixes: 1085b8276bb4 ("tpm: Add the rest of the session HMAC API")
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tpm: Cap the number of PCR banks</title>
<updated>2026-01-02T11:57:09+00:00</updated>
<author>
<name>Jarkko Sakkinen</name>
<email>jarkko.sakkinen@opinsys.com</email>
</author>
<published>2025-09-30T12:58:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=858344bc9210bea9ab2bdc7e9e331ba84c164e50'/>
<id>858344bc9210bea9ab2bdc7e9e331ba84c164e50</id>
<content type='text'>
commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream.

tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.

Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi &lt;yi1.lai@linux.intel.com&gt;
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Reviewed-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@opinsys.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream.

tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.

Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi &lt;yi1.lai@linux.intel.com&gt;
Reviewed-by: Jonathan McDowell &lt;noodles@meta.com&gt;
Reviewed-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@opinsys.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipmi: Fix __scan_channels() failing to rescan channels</title>
<updated>2026-01-02T11:56:59+00:00</updated>
<author>
<name>Jinhui Guo</name>
<email>guojinhui.liam@bytedance.com</email>
</author>
<published>2025-09-30T07:42:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb8d9fb6280dac6df702e0899b590b4daadf2e8a'/>
<id>eb8d9fb6280dac6df702e0899b590b4daadf2e8a</id>
<content type='text'>
[ Upstream commit 6bd30d8fc523fb880b4be548e8501bc0fe8f42d4 ]

channel_handler() sets intf-&gt;channels_ready to true but never
clears it, so __scan_channels() skips any rescan. When the BMC
firmware changes a rescan is required. Allow it by clearing
the flag before starting a new scan.

Signed-off-by: Jinhui Guo &lt;guojinhui.liam@bytedance.com&gt;
Message-ID: &lt;20250930074239.2353-3-guojinhui.liam@bytedance.com&gt;
Signed-off-by: Corey Minyard &lt;corey@minyard.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6bd30d8fc523fb880b4be548e8501bc0fe8f42d4 ]

channel_handler() sets intf-&gt;channels_ready to true but never
clears it, so __scan_channels() skips any rescan. When the BMC
firmware changes a rescan is required. Allow it by clearing
the flag before starting a new scan.

Signed-off-by: Jinhui Guo &lt;guojinhui.liam@bytedance.com&gt;
Message-ID: &lt;20250930074239.2353-3-guojinhui.liam@bytedance.com&gt;
Signed-off-by: Corey Minyard &lt;corey@minyard.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipmi: Fix the race between __scan_channels() and deliver_response()</title>
<updated>2026-01-02T11:56:59+00:00</updated>
<author>
<name>Jinhui Guo</name>
<email>guojinhui.liam@bytedance.com</email>
</author>
<published>2025-09-30T07:42:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=235ae3fc9e9c9fbcd4245ec6f6b5423ed47fcda9'/>
<id>235ae3fc9e9c9fbcd4245ec6f6b5423ed47fcda9</id>
<content type='text'>
[ Upstream commit 936750fdba4c45e13bbd17f261bb140dd55f5e93 ]

The race window between __scan_channels() and deliver_response() causes
the parameters of some channels to be set to 0.

1.[CPUA] __scan_channels() issues an IPMI request and waits with
         wait_event() until all channels have been scanned.
         wait_event() internally calls might_sleep(), which might
         yield the CPU. (Moreover, an interrupt can preempt
         wait_event() and force the task to yield the CPU.)
2.[CPUB] deliver_response() is invoked when the CPU receives the
         IPMI response. After processing a IPMI response,
         deliver_response() directly assigns intf-&gt;wchannels to
         intf-&gt;channel_list and sets intf-&gt;channels_ready to true.
         However, not all channels are actually ready for use.
3.[CPUA] Since intf-&gt;channels_ready is already true, wait_event()
         never enters __wait_event(). __scan_channels() immediately
         clears intf-&gt;null_user_handler and exits.
4.[CPUB] Once intf-&gt;null_user_handler is set to NULL, deliver_response()
         ignores further IPMI responses, leaving the remaining
	 channels zero-initialized and unusable.

CPUA                             CPUB
-------------------------------  -----------------------------
__scan_channels()
 intf-&gt;null_user_handler
       = channel_handler;
 send_channel_info_cmd(intf,
       0);
 wait_event(intf-&gt;waitq,
       intf-&gt;channels_ready);
  do {
   might_sleep();
                                 deliver_response()
                                  channel_handler()
                                   intf-&gt;channel_list =
				         intf-&gt;wchannels + set;
                                   intf-&gt;channels_ready = true;
                                   send_channel_info_cmd(intf,
                                         intf-&gt;curr_channel);
   if (condition)
    break;
   __wait_event(wq_head,
          condition);
  } while(0)
 intf-&gt;null_user_handler
       = NULL;
                                 deliver_response()
                                  if (!msg-&gt;user)
                                   if (intf-&gt;null_user_handler)
                                    rv = -EINVAL;
                                  return rv;
-------------------------------  -----------------------------

Fix the race between __scan_channels() and deliver_response() by
deferring both the assignment intf-&gt;channel_list = intf-&gt;wchannels
and the flag intf-&gt;channels_ready = true until all channels have
been successfully scanned or until the IPMI request has failed.

Signed-off-by: Jinhui Guo &lt;guojinhui.liam@bytedance.com&gt;
Message-ID: &lt;20250930074239.2353-2-guojinhui.liam@bytedance.com&gt;
Signed-off-by: Corey Minyard &lt;corey@minyard.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 936750fdba4c45e13bbd17f261bb140dd55f5e93 ]

The race window between __scan_channels() and deliver_response() causes
the parameters of some channels to be set to 0.

1.[CPUA] __scan_channels() issues an IPMI request and waits with
         wait_event() until all channels have been scanned.
         wait_event() internally calls might_sleep(), which might
         yield the CPU. (Moreover, an interrupt can preempt
         wait_event() and force the task to yield the CPU.)
2.[CPUB] deliver_response() is invoked when the CPU receives the
         IPMI response. After processing a IPMI response,
         deliver_response() directly assigns intf-&gt;wchannels to
         intf-&gt;channel_list and sets intf-&gt;channels_ready to true.
         However, not all channels are actually ready for use.
3.[CPUA] Since intf-&gt;channels_ready is already true, wait_event()
         never enters __wait_event(). __scan_channels() immediately
         clears intf-&gt;null_user_handler and exits.
4.[CPUB] Once intf-&gt;null_user_handler is set to NULL, deliver_response()
         ignores further IPMI responses, leaving the remaining
	 channels zero-initialized and unusable.

CPUA                             CPUB
-------------------------------  -----------------------------
__scan_channels()
 intf-&gt;null_user_handler
       = channel_handler;
 send_channel_info_cmd(intf,
       0);
 wait_event(intf-&gt;waitq,
       intf-&gt;channels_ready);
  do {
   might_sleep();
                                 deliver_response()
                                  channel_handler()
                                   intf-&gt;channel_list =
				         intf-&gt;wchannels + set;
                                   intf-&gt;channels_ready = true;
                                   send_channel_info_cmd(intf,
                                         intf-&gt;curr_channel);
   if (condition)
    break;
   __wait_event(wq_head,
          condition);
  } while(0)
 intf-&gt;null_user_handler
       = NULL;
                                 deliver_response()
                                  if (!msg-&gt;user)
                                   if (intf-&gt;null_user_handler)
                                    rv = -EINVAL;
                                  return rv;
-------------------------------  -----------------------------

Fix the race between __scan_channels() and deliver_response() by
deferring both the assignment intf-&gt;channel_list = intf-&gt;wchannels
and the flag intf-&gt;channels_ready = true until all channels have
been successfully scanned or until the IPMI request has failed.

Signed-off-by: Jinhui Guo &lt;guojinhui.liam@bytedance.com&gt;
Message-ID: &lt;20250930074239.2353-2-guojinhui.liam@bytedance.com&gt;
Signed-off-by: Corey Minyard &lt;corey@minyard.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>random: use offstack cpumask when necessary</title>
<updated>2025-12-18T13:02:44+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2025-06-10T09:27:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cbd5021199db356c6dc1928d48e3fb132dbbc9bb'/>
<id>cbd5021199db356c6dc1928d48e3fb132dbbc9bb</id>
<content type='text'>
[ Upstream commit 5d49f1a5bd358d24e5f88b23b46da833de1dbec8 ]

The entropy generation function keeps a local cpu mask on the stack,
which can trigger warnings in configurations with a large number of
CPUs:

    drivers/char/random.c:1292:20: error: stack frame size (1288)
    exceeds limit (1280) in 'try_to_generate_entropy' [-Werror,-Wframe-larger-than]

Use the cpumask interface to dynamically allocate it in those
configurations.

Fixes: 1c21fe00eda7 ("random: spread out jitter callback to different CPUs")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 5d49f1a5bd358d24e5f88b23b46da833de1dbec8 ]

The entropy generation function keeps a local cpu mask on the stack,
which can trigger warnings in configurations with a large number of
CPUs:

    drivers/char/random.c:1292:20: error: stack frame size (1288)
    exceeds limit (1280) in 'try_to_generate_entropy' [-Werror,-Wframe-larger-than]

Use the cpumask interface to dynamically allocate it in those
configurations.

Fixes: 1c21fe00eda7 ("random: spread out jitter callback to different CPUs")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tpm_crb: Add idle support for the Arm FF-A start method</title>
<updated>2025-10-18T11:33:22+00:00</updated>
<author>
<name>Stuart Yoder</name>
<email>stuart.yoder@arm.com</email>
</author>
<published>2025-10-18T11:25:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dbfdaeb381a49a7bc753d18e2876bc56a15e01cc'/>
<id>dbfdaeb381a49a7bc753d18e2876bc56a15e01cc</id>
<content type='text'>
According to the CRB over FF-A specification [1], a TPM that implements
the ABI must comply with the TCG PTP specification. This requires support
for the Idle and Ready states.

This patch implements CRB control area requests for goIdle and
cmdReady on FF-A based TPMs.

The FF-A message used to notify the TPM of CRB updates includes a
locality parameter, which provides a hint to the TPM about which
locality modified the CRB.  This patch adds a locality parameter
to __crb_go_idle() and __crb_cmd_ready() to support this.

[1] https://developer.arm.com/documentation/den0138/latest/

Signed-off-by: Stuart Yoder &lt;stuart.yoder@arm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
According to the CRB over FF-A specification [1], a TPM that implements
the ABI must comply with the TCG PTP specification. This requires support
for the Idle and Ready states.

This patch implements CRB control area requests for goIdle and
cmdReady on FF-A based TPMs.

The FF-A message used to notify the TPM of CRB updates includes a
locality parameter, which provides a hint to the TPM about which
locality modified the CRB.  This patch adds a locality parameter
to __crb_go_idle() and __crb_cmd_ready() to support this.

[1] https://developer.arm.com/documentation/den0138/latest/

Signed-off-by: Stuart Yoder &lt;stuart.yoder@arm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'for-linus-6.18-2' of https://github.com/cminyard/linux-ipmi</title>
<updated>2025-10-14T16:15:45+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2025-10-14T16:15:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5bd0116d92a7849b12f0b4c8199d53aa80e449bc'/>
<id>5bd0116d92a7849b12f0b4c8199d53aa80e449bc</id>
<content type='text'>
Pull IPMI fixes from Corey Minyard:
 "A few bug fixes for patches that went in this release: a refcount
  error and some missing or incorrect error checks"

* tag 'for-linus-6.18-2' of https://github.com/cminyard/linux-ipmi:
  ipmi: Fix handling of messages with provided receive message pointer
  mfd: ls2kbmc: check for devm_mfd_add_devices() failure
  mfd: ls2kbmc: Fix an IS_ERR() vs NULL check in probe()
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull IPMI fixes from Corey Minyard:
 "A few bug fixes for patches that went in this release: a refcount
  error and some missing or incorrect error checks"

* tag 'for-linus-6.18-2' of https://github.com/cminyard/linux-ipmi:
  ipmi: Fix handling of messages with provided receive message pointer
  mfd: ls2kbmc: check for devm_mfd_add_devices() failure
  mfd: ls2kbmc: Fix an IS_ERR() vs NULL check in probe()
</pre>
</div>
</content>
</entry>
<entry>
<title>tpm: Prevent local DOS via tpm/tpm0/ppi/*operations</title>
<updated>2025-10-10T05:21:45+00:00</updated>
<author>
<name>Denis Aleksandrov</name>
<email>daleksan@redhat.com</email>
</author>
<published>2025-09-15T21:08:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a29ad21b988652dc60aa99c6d3b1e3d52dc69c30'/>
<id>a29ad21b988652dc60aa99c6d3b1e3d52dc69c30</id>
<content type='text'>
Reads on tpm/tpm0/ppi/*operations can become very long on
misconfigured systems. Reading the TPM is a blocking operation,
thus a user could effectively trigger a DOS.

Resolve this by caching the results and avoiding the blocking
operations after the first read.

[ jarkko: fixed atomic sleep:
  sed -i 's/spin_/mutex_/g' drivers/char/tpm/tpm_ppi.c
  sed -i 's/DEFINE_SPINLOCK/DEFINE_MUTEX/g' drivers/char/tpm/tpm_ppi.c ]

Signed-off-by: Denis Aleksandrov &lt;daleksan@redhat.com&gt;
Reported-by: Jan Stancek &lt;jstancek@redhat.com&gt;
Closes: https://lore.kernel.org/linux-integrity/20250915210829.6661-1-daleksan@redhat.com/T/#u
Suggested-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Paul Menzel &lt;pmenzel@molgen.mpg.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reads on tpm/tpm0/ppi/*operations can become very long on
misconfigured systems. Reading the TPM is a blocking operation,
thus a user could effectively trigger a DOS.

Resolve this by caching the results and avoiding the blocking
operations after the first read.

[ jarkko: fixed atomic sleep:
  sed -i 's/spin_/mutex_/g' drivers/char/tpm/tpm_ppi.c
  sed -i 's/DEFINE_SPINLOCK/DEFINE_MUTEX/g' drivers/char/tpm/tpm_ppi.c ]

Signed-off-by: Denis Aleksandrov &lt;daleksan@redhat.com&gt;
Reported-by: Jan Stancek &lt;jstancek@redhat.com&gt;
Closes: https://lore.kernel.org/linux-integrity/20250915210829.6661-1-daleksan@redhat.com/T/#u
Suggested-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Paul Menzel &lt;pmenzel@molgen.mpg.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
