[PATCH] efi/tpm: return -EINVAL when determining tpm final events log size fails
Currently nothing checks the return value of efi_tpm_eventlog_init, but in case that changes in the future make sure an error is returned when it fails to determine the tpm final events log size. Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Cc: linux-efi@vger.kernel.org Cc: linux-integr...@vger.kernel.org Fixes: e658c82be556 ("efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing") Suggested-by: Dan Carpenter Signed-off-by: Jerry Snitselaar --- drivers/firmware/efi/tpm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index ebd7977653a8..31f9f0e369b9 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -88,6 +88,7 @@ int __init efi_tpm_eventlog_init(void) if (tbl_size < 0) { pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); + ret = -EINVAL; goto out_calc; } -- 2.23.0
Re: [PATCH][next] efi/tpm: fix sanity check of unsigned tbl_size being less than zero
On Tue Oct 08 19, Dan Carpenter wrote: On Tue, Oct 08, 2019 at 11:01:53AM +0100, Colin King wrote: From: Colin Ian King Currently the check for tbl_size being less than zero is always false because tbl_size is unsigned. Fix this by making it a signed int. Addresses-Coverity: ("Unsigned compared against 0") Fixes: e658c82be556 ("efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing") Signed-off-by: Colin Ian King --- drivers/firmware/efi/tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 703469c1ab8e..ebd7977653a8 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -40,7 +40,7 @@ int __init efi_tpm_eventlog_init(void) { struct linux_efi_tpm_eventlog *log_tbl; struct efi_tcg2_final_events_table *final_tbl; - unsigned int tbl_size; + int tbl_size; int ret = 0; Do we need to do a "ret = tbl_size;"? Currently we return success. It's a pitty that tpm2_calc_event_log_size() returns a -1 instead of -EINVAL. regards, dan carpenter perhaps "ret = -EINVAL;"? Currently nothing checks the return value of efi_tpm_eventlog_init though.
Re: [PATCH][next] efi/tpm: fix sanity check of unsigned tbl_size being less than zero
On Tue Oct 08 19, Colin King wrote: From: Colin Ian King Currently the check for tbl_size being less than zero is always false because tbl_size is unsigned. Fix this by making it a signed int. Addresses-Coverity: ("Unsigned compared against 0") Fixes: e658c82be556 ("efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing") Signed-off-by: Colin Ian King --- drivers/firmware/efi/tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 703469c1ab8e..ebd7977653a8 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -40,7 +40,7 @@ int __init efi_tpm_eventlog_init(void) { struct linux_efi_tpm_eventlog *log_tbl; struct efi_tcg2_final_events_table *final_tbl; - unsigned int tbl_size; + int tbl_size; int ret = 0; if (efi.tpm_log == EFI_INVALID_TABLE_ADDR) { -- 2.20.1 Thanks for catching that. Somehow I dropped it from v2 to v3.
[tip: efi/urgent] efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing
The following commit has been merged into the efi/urgent branch of tip: Commit-ID: e658c82be5561412c5e83b5e74e9da4830593f3e Gitweb: https://git.kernel.org/tip/e658c82be5561412c5e83b5e74e9da4830593f3e Author:Jerry Snitselaar AuthorDate:Wed, 02 Oct 2019 18:59:02 +02:00 Committer: Ingo Molnar CommitterDate: Mon, 07 Oct 2019 15:24:36 +02:00 efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing If __calc_tpm2_event_size() fails to parse an event it will return 0, resulting tpm2_calc_event_log_size() returning -1. Currently there is no check of this return value, and 'efi_tpm_final_log_size' can end up being set to this negative value resulting in a crash like this one: BUG: unable to handle page fault for address: bc8fc00866ad #PF: supervisor read access in kernel mode #PF: error_code(0x) - not-present page RIP: 0010:memcpy_erms+0x6/0x10 Call Trace: tpm_read_log_efi() tpm_bios_log_setup() tpm_chip_register() tpm_tis_core_init.cold.9+0x28c/0x466 tpm_tis_plat_probe() platform_drv_probe() ... Also __calc_tpm2_event_size() returns a size of 0 when it fails to parse an event, so update function documentation to reflect this. The root cause of the issue that caused the failure of event parsing in this case is resolved by Peter Jone's patchset dealing with large event logs where crossing over a page boundary causes the page with the event count to be unmapped. Signed-off-by: Jerry Snitselaar Signed-off-by: Ard Biesheuvel Cc: Ben Dooks Cc: Dave Young Cc: Jarkko Sakkinen Cc: Linus Torvalds Cc: Lukas Wunner Cc: Lyude Paul Cc: Matthew Garrett Cc: Octavian Purdila Cc: Peter Jones Cc: Peter Zijlstra Cc: Scott Talbert Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Cc: linux-integr...@vger.kernel.org Cc: sta...@vger.kernel.org Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Link: https://lkml.kernel.org/r/20191002165904.8819-6-ard.biesheu...@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/tpm.c | 9 - include/linux/tpm_eventlog.h | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index b9ae5c6..703469c 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) final_tbl->nr_events, log_tbl->log); } + + if (tbl_size < 0) { + pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); + goto out_calc; + } + memblock_reserve((unsigned long)final_tbl, tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); efi_tpm_final_log_size = tbl_size; +out_calc: + early_memunmap(final_tbl, sizeof(*final_tbl)); out: early_memunmap(log_tbl, sizeof(*log_tbl)); return ret; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index b50cc3a..131ea1b 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -152,7 +152,7 @@ struct tcg_algorithm_info { * total. Once we've done this we know the offset of the data length field, * and can calculate the total size of the event. * - * Return: size of the event on success, <0 on failure + * Return: size of the event on success, 0 on failure */ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event,
[PATCH v3] tpm: only set efi_tpm_final_log_size after successful event log parsing
692de ("tpm: Reserve the TPM final events table") Cc: linux-efi@vger.kernel.org Cc: linux-integr...@vger.kernel.org Cc: sta...@vger.kernel.org Cc: Matthew Garrett Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Signed-off-by: Jerry Snitselaar --- v3: rebase on top of Peter Jone's patchset v2: added FW_BUG to pr_err, and renamed label to out_calc. Updated doc comment for __calc_tpm2_event_size. drivers/firmware/efi/tpm.c | 9 - include/linux/tpm_eventlog.h | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index b9ae5c6f9b9c..703469c1ab8e 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) final_tbl->nr_events, log_tbl->log); } + + if (tbl_size < 0) { + pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); + goto out_calc; + } + memblock_reserve((unsigned long)final_tbl, tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); efi_tpm_final_log_size = tbl_size; +out_calc: + early_memunmap(final_tbl, sizeof(*final_tbl)); out: early_memunmap(log_tbl, sizeof(*log_tbl)); return ret; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 12584b69a3f3..2dfdd63ac034 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -152,7 +152,7 @@ struct tcg_algorithm_info { * total. Once we've done this we know the offset of the data length field, * and can calculate the total size of the event. * - * Return: size of the event on success, <0 on failure + * Return: size of the event on success, 0 on failure */ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, -- 2.23.0
Re: [PATCH v2 1/2] efi+tpm: Don't access event->count when it isn't mapped.
On Wed Sep 25 19, Jerry Snitselaar wrote: On Wed Sep 25 19, Jarkko Sakkinen wrote: On Wed, Sep 25, 2019 at 12:25:05PM +0200, Ard Biesheuvel wrote: On Wed, 25 Sep 2019 at 12:16, Jarkko Sakkinen wrote: From: Peter Jones Some machines generate a lot of event log entries. When we're iterating over them, the code removes the old mapping and adds a new one, so once we cross the page boundary we're unmapping the page with the count on it. Hilarity ensues. This patch keeps the info from the header in local variables so we don't need to access that page again or keep track of if it's mapped. Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") Cc: linux-efi@vger.kernel.org Cc: linux-integr...@vger.kernel.org Cc: sta...@vger.kernel.org Signed-off-by: Peter Jones Tested-by: Lyude Paul Reviewed-by: Jarkko Sakkinen Acked-by: Matthew Garrett Acked-by: Ard Biesheuvel Signed-off-by: Jarkko Sakkinen Thanks Jarkko. Shall I take these through the EFI tree? Would be great, if you could because I already sent one PR with fixes for v5.4-rc1 yesterday. /Jarkko My patch collides with this, so I will submit a v3 that applies on top of these once I've run a test with all 3 applied on this t480s. Tested with Peter's patches, and that was the root cause on this 480s. I think there should still be a check for tbl_size to make sure we aren't sticking -1 into efi_tpm_final_log_size though, which will be the case right now if it fails to parse an event.
Re: [PATCH v2 1/2] efi+tpm: Don't access event->count when it isn't mapped.
On Wed Sep 25 19, Jarkko Sakkinen wrote: On Wed, Sep 25, 2019 at 12:25:05PM +0200, Ard Biesheuvel wrote: On Wed, 25 Sep 2019 at 12:16, Jarkko Sakkinen wrote: > > From: Peter Jones > > Some machines generate a lot of event log entries. When we're > iterating over them, the code removes the old mapping and adds a > new one, so once we cross the page boundary we're unmapping the page > with the count on it. Hilarity ensues. > > This patch keeps the info from the header in local variables so we don't > need to access that page again or keep track of if it's mapped. > > Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") > Cc: linux-efi@vger.kernel.org > Cc: linux-integr...@vger.kernel.org > Cc: sta...@vger.kernel.org > Signed-off-by: Peter Jones > Tested-by: Lyude Paul > Reviewed-by: Jarkko Sakkinen > Acked-by: Matthew Garrett > Acked-by: Ard Biesheuvel > Signed-off-by: Jarkko Sakkinen Thanks Jarkko. Shall I take these through the EFI tree? Would be great, if you could because I already sent one PR with fixes for v5.4-rc1 yesterday. /Jarkko My patch collides with this, so I will submit a v3 that applies on top of these once I've run a test with all 3 applied on this t480s.
[PATCH v2] tpm: only set efi_tpm_final_log_size after successful event log parsing
end Kernel panic - not syncing: Fatal exception ]--- Also __calc_tpm2_event_size returns a size of 0 when it fails to parse an event, so update function documentation to reflect this. Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Cc: linux-efi@vger.kernel.org Cc: linux-integr...@vger.kernel.org Cc: sta...@vger.kernel.org Cc: Matthew Garrett Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Signed-off-by: Jerry Snitselaar --- v2: added FW_BUG to pr_err, and renamed label to out_calc. Also updated comment for __calc_tpm2_event_size to properly state that returning 0 is failure. drivers/firmware/efi/tpm.c | 11 --- include/linux/tpm_eventlog.h | 2 +- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 1d3f5ca3eaaf..284da9242a4f 100644 --- a/drivers/firmware/efi/tpm.c +++ b/drivers/firmware/efi/tpm.c @@ -40,8 +40,7 @@ int __init efi_tpm_eventlog_init(void) { struct linux_efi_tpm_eventlog *log_tbl; struct efi_tcg2_final_events_table *final_tbl; - unsigned int tbl_size; - int ret = 0; + int tbl_size, ret = 0; if (efi.tpm_log == EFI_INVALID_TABLE_ADDR) { /* @@ -80,11 +79,17 @@ int __init efi_tpm_eventlog_init(void) + sizeof(final_tbl->nr_events), final_tbl->nr_events, log_tbl->log); + if (tbl_size < 0) { + pr_err(FW_BUG "Failed to parse event in TPM Final Event log\n"); + goto out_calc; + } + memblock_reserve((unsigned long)final_tbl, tbl_size + sizeof(*final_tbl)); - early_memunmap(final_tbl, sizeof(*final_tbl)); efi_tpm_final_log_size = tbl_size; +out_calc: + early_memunmap(final_tbl, sizeof(*final_tbl)); out: early_memunmap(log_tbl, sizeof(*log_tbl)); return ret; diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h index 63238c84dc0b..7388ef0ce483 100644 --- a/include/linux/tpm_eventlog.h +++ b/include/linux/tpm_eventlog.h @@ -152,7 +152,7 @@ struct tcg_algorithm_info { * total. Once we've done this we know the offset of the data length field, * and can calculate the total size of the event. * - * Return: size of the event on success, <0 on failure + * Return: size of the event on success, 0 on failure */ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, -- 2.23.0
Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
Any thoughts on this? I know of at least 2 Lenovo models that are running into this problem. In the case of the one I have currently have access to the problem is that the hash algorithm id for an event isn't one that is currently in the TCG registry, and it fails to find a match when walking the digest_sizes array. That seems like an issue for the vendor to fix in the bios, but we should look at the return value of tpm2_calc_event_log_size and not stick a negative value in efi_tpm_final_log_size.
Re: [RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
On Wed Sep 18 19, Jerry Snitselaar wrote: If __calc_tpm2_event_size fails to parse an event it will return 0, resulting tpm2_calc_event_log_size returning -1. Currently there is no check of this return value, and efi_tpm_final_log_size can end up being set to this negative value resulting in a panic like the following: [0.774340] BUG: unable to handle page fault for address: bc8fc00866ad [0.774788] #PF: supervisor read access in kernel mode [0.774788] #PF: error_code(0x) - not-present page [0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0 [0.774788] Oops: [#1] SMP PTI [0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1 [0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018 [0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286 [0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962 [0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367 [0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063 [0.774788] R10: 1000 R11: 000fffe0 R12: 3367 [0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002 [0.774788] FS: () GS:9b1fce20() knlGS: [0.774788] CS: 0010 DS: ES: CR0: 80050033 [0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0 [0.774788] DR0: DR1: DR2: [0.774788] DR3: DR6: fffe0ff0 DR7: 0400 [0.774788] Call Trace: [0.774788] tpm_read_log_efi+0x156/0x1a0 [0.774788] tpm_bios_log_setup+0xc8/0x190 [0.774788] tpm_chip_register+0x50/0x1c0 [0.774788] tpm_tis_core_init.cold.9+0x28c/0x466 [0.774788] tpm_tis_plat_probe+0xcc/0xea [0.774788] platform_drv_probe+0x35/0x80 [0.774788] really_probe+0xef/0x390 [0.774788] driver_probe_device+0xb4/0x100 [0.774788] device_driver_attach+0x4f/0x60 [0.774788] __driver_attach+0x86/0x140 [0.774788] ? device_driver_attach+0x60/0x60 [0.774788] bus_for_each_dev+0x76/0xc0 [0.774788] ? klist_add_tail+0x3b/0x70 [0.774788] bus_add_driver+0x14a/0x1e0 [0.774788] ? tpm_init+0xea/0xea [0.774788] ? do_early_param+0x8e/0x8e [0.774788] driver_register+0x6b/0xb0 [0.774788] ? tpm_init+0xea/0xea [0.774788] init_tis+0x86/0xd8 [0.774788] ? do_early_param+0x8e/0x8e [0.774788] ? driver_register+0x94/0xb0 [0.774788] do_one_initcall+0x46/0x1e4 [0.774788] ? do_early_param+0x8e/0x8e [0.774788] kernel_init_freeable+0x199/0x242 [0.774788] ? rest_init+0xaa/0xaa [0.774788] kernel_init+0xa/0x106 [0.774788] ret_from_fork+0x35/0x40 [0.774788] Modules linked in: [0.774788] CR2: bc8fc00866ad [0.774788] ---[ end trace 42930799f8d6eaea ]--- [0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286 [0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962 [0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367 [0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063 [0.774788] R10: 1000 R11: 000fffe0 R12: 3367 [0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002 [0.774788] FS: () GS:9b1fce20() knlGS: [0.774788] CS: 0010 DS: ES: CR0: 80050033 [0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0 [0.774788] DR0: DR1: DR2: [0.774788] DR3: DR6: fffe0ff0 DR7: 0400 [0.774788] Kernel panic - not syncing: Fatal exception [0.774788] Kernel Offset: 0x1d00 from 0x8100 (relocation range: 0x8000-0xbfff) [0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]--- Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Cc: Matthew Garrett Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Signed-off-by: Jerry Snitselaar --- drivers/firmware/efi/tpm.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 1d3f5ca3eaaf..5c
[RFC PATCH] tpm: only set efi_tpm_final_log_size after successful event log parsing
If __calc_tpm2_event_size fails to parse an event it will return 0, resulting tpm2_calc_event_log_size returning -1. Currently there is no check of this return value, and efi_tpm_final_log_size can end up being set to this negative value resulting in a panic like the following: [0.774340] BUG: unable to handle page fault for address: bc8fc00866ad [0.774788] #PF: supervisor read access in kernel mode [0.774788] #PF: error_code(0x) - not-present page [0.774788] PGD 107d36067 P4D 107d36067 PUD 107d37067 PMD 107d38067 PTE 0 [0.774788] Oops: [#1] SMP PTI [0.774788] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.0-0.rc2.1.elrdy.x86_64 #1 [0.774788] Hardware name: LENOVO 20HGS22D0W/20HGS22D0W, BIOS N1WET51W (1.30 ) 09/14/2018 [0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286 [0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962 [0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367 [0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063 [0.774788] R10: 1000 R11: 000fffe0 R12: 3367 [0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002 [0.774788] FS: () GS:9b1fce20() knlGS: [0.774788] CS: 0010 DS: ES: CR0: 80050033 [0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0 [0.774788] DR0: DR1: DR2: [0.774788] DR3: DR6: fffe0ff0 DR7: 0400 [0.774788] Call Trace: [0.774788] tpm_read_log_efi+0x156/0x1a0 [0.774788] tpm_bios_log_setup+0xc8/0x190 [0.774788] tpm_chip_register+0x50/0x1c0 [0.774788] tpm_tis_core_init.cold.9+0x28c/0x466 [0.774788] tpm_tis_plat_probe+0xcc/0xea [0.774788] platform_drv_probe+0x35/0x80 [0.774788] really_probe+0xef/0x390 [0.774788] driver_probe_device+0xb4/0x100 [0.774788] device_driver_attach+0x4f/0x60 [0.774788] __driver_attach+0x86/0x140 [0.774788] ? device_driver_attach+0x60/0x60 [0.774788] bus_for_each_dev+0x76/0xc0 [0.774788] ? klist_add_tail+0x3b/0x70 [0.774788] bus_add_driver+0x14a/0x1e0 [0.774788] ? tpm_init+0xea/0xea [0.774788] ? do_early_param+0x8e/0x8e [0.774788] driver_register+0x6b/0xb0 [0.774788] ? tpm_init+0xea/0xea [0.774788] init_tis+0x86/0xd8 [0.774788] ? do_early_param+0x8e/0x8e [0.774788] ? driver_register+0x94/0xb0 [0.774788] do_one_initcall+0x46/0x1e4 [0.774788] ? do_early_param+0x8e/0x8e [0.774788] kernel_init_freeable+0x199/0x242 [0.774788] ? rest_init+0xaa/0xaa [0.774788] kernel_init+0xa/0x106 [0.774788] ret_from_fork+0x35/0x40 [0.774788] Modules linked in: [0.774788] CR2: bc8fc00866ad [0.774788] ---[ end trace 42930799f8d6eaea ]--- [0.774788] RIP: 0010:memcpy_erms+0x6/0x10 [0.774788] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [0.774788] RSP: :bc8fc0073b30 EFLAGS: 00010286 [0.774788] RAX: 9b1fc7c5b367 RBX: 9b1fc839 RCX: e962 [0.774788] RDX: e962 RSI: bc8fc00866ad RDI: 9b1fc7c5b367 [0.774788] RBP: 9b1c10ca7018 R08: bc8fc0085fff R09: 8063 [0.774788] R10: 1000 R11: 000fffe0 R12: 3367 [0.774788] R13: 9b1fcc47c010 R14: bc8fc0085000 R15: 0002 [0.774788] FS: () GS:9b1fce20() knlGS: [0.774788] CS: 0010 DS: ES: CR0: 80050033 [0.774788] CR2: bc8fc00866ad CR3: 00029f60a001 CR4: 003606f0 [0.774788] DR0: DR1: DR2: [0.774788] DR3: DR6: fffe0ff0 DR7: 0400 [0.774788] Kernel panic - not syncing: Fatal exception [0.774788] Kernel Offset: 0x1d00 from 0x8100 (relocation range: 0x8000-0xbfff) [0.774788] ---[ end Kernel panic - not syncing: Fatal exception ]--- Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Cc: Matthew Garrett Cc: Ard Biesheuvel Cc: Jarkko Sakkinen Signed-off-by: Jerry Snitselaar --- drivers/firmware/efi/tpm.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c index 1d3f5ca3eaaf..5cd00a7833c2 100644 --- a/drivers/firmware