12 Feb, 2019
8 commits
-
Bank0/Bank1 are not in ECC mode, so no need to check.
Each bank contains 8 words, so we check (phy_index > 15).Signed-off-by: Peng Fan
-
Add ULP1 OTP support.
No timing required for ULP1 OTP.
The CTRL_ADDR is 8 bits width.
When finished access to OTP, gate the power to OTP memory to save power.Fix store, when invalid args, not return 0, but return the error values.
To ULP, fuse only support being programmed once, so add a check before
program.Test log:
root@imx6qdlsolo:/sys/fsl_otp# cat HW_OCOTP_GP84
0x0
root@imx6qdlsolo:/sys/fsl_otp# echo 1 > HW_OCOTP_GP84
root@imx6qdlsolo:/sys/fsl_otp# cat HW_OCOTP_GP84
0x1
root@imx6qdlsolo:/sys/fsl_otp# echo 1 > HW_OCOTP_GP84
-sh: echo: write error: Operation not permitted
root@imx6qdlsolo:/sys/fsl_otp# echo fg > HW_OCOTP_GP84
-sh: echo: write error: Invalid argumentSigned-off-by: Peng Fan
-
Support i.MX6SLL OTP.
There are 4 works in bank7/bank8.
When read, use address offset.
When prog, use bank/index, note that bank7/bank8 we treat
them a single bank when prog.Tested GP41 and GP31 read/write on eng sample chip.
Signed-off-by: Peng Fan
(cherry picked from commit f8698b66fcbec7409b738a4c5b05ba87f0342cf8) -
Add ocotp support for i.MX6ULL.
Signed-off-by: Peng Fan
-
ENGR00292341 imx6sl hwrng
Add hwrng support for i.MX6SL.
1. Add RNG driver. This driver originated as fsl-rngc.c. It
has been modified to support device tree. The name has been
changed since it supports both b and c variants of RNG.
2. Added clock and compatible info to the device tree data.
3. Added the entry in the options in the Kconfig for hwrng.(cherry picked from commit 1f3f2c0647b7319c4e23293a61512e4191593513)
[: Edited to apply to 3.14]Signed-off-by: Dan Douglass
Signed-off-by: Victoria Milhoan -
Fix the out of bounds write, and the dereference before
null check.Signed-off-by: Richard Zhu
(cherry picked from commit 775ff0727166535e9b1ba1f70167e6a33fee5f13) -
This is porting of fsl_otp driver from imx_3.14.y to imx_4.1.y.
This patch mainly from the following:
commit:292eff6d2c9064ecf15ed457140c1d743c2ead67
"ENGR00269945: char: add fsl_otp deivce driver"
This is a porting of fsl_otp driver from 3.0.35 kernel to 3.10. It
cleans up the driver a little bit and adds device tree probe support.shawn.guo: cherry-pick commit 850237dccde7 from imx_3.10.y.
commit:057a50039fac872fd19fe6c129a94face4231ae8
"MLK-10979-4 imx: ocotp add i.MX7D support and fix hole"
1. Add i.MX7D support
2. Fix hole addressing.
There is a hole in shadow registers address map of size 0x100
between bank 5 and bank 6 on iMX6QP, iMX6DQ, iMX6SDL, iMX6SX and
iMX6UL. Bank 5 ends at 0x6F0 and Bank 6 starts at 0x800. When reading
the fuses, should account for this hole in address space.Similar hole exists between bank 14 and bank 15 of size 0x80 on
iMX6QP, iMX6DQ, iMX6SDL and iMX6SX.
Note: iMX6SL has only 0-7 banks and there is no hole.
Note: iMX6UL doesn't have this one.When reading, the hole need to be considered to calculated the physical
address offset.
When writing, since only word index for i.MX6 and bank
index for i.MX7, there is no need to take the hole into consideration,
still use the bank/word index from fuse map.
3. Add i.MX6SL i.MX6UL fuse map table.
4. Tested read/write on mx6ul-14x14-ddr3-arm2 and mx7d-12x12-lpddr3-arm2 board.
Tested read on mx6sxsabresd board.Signed-off-by: Shawn Guo
Signed-off-by: Peng Fan -
- add linux sema4 driver.
- use volatile types in sema4 structure.
- align the port definiton a9 is 1, m4 is 2.Signed-off-by: Anson Huang
Signed-off-by: Richard Zhu
31 Jan, 2019
1 commit
-
commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream.
ipcnum is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.This issue was detected with the help of Smatch:
drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap)
Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Greg Kroah-Hartman
26 Jan, 2019
2 commits
-
commit 7d6380cd40f7993f75c4bde5b36f6019237e8719 upstream.
The block number was not being compared right, it was off by one
when checking the response.Some statistics wouldn't be incremented properly in some cases.
Check to see if that middle-part messages always have 31 bytes of
data.Signed-off-by: Corey Minyard
Cc: stable@vger.kernel.org # 4.4
Signed-off-by: Greg Kroah-Hartman -
commit bc48fa1b9d3b04106055b27078da824cd209865a upstream.
Realtek has some sort of "Virtual" IPMI device on the PCI bus as a
KCS controller, but whatever it is, it's not one. Ignore it if seen.[ Commit 13d0b35c (ipmi_si: Move PCI setup to another file) from Linux
4.15-rc1 has not been back ported, so the PCI code is still in
`drivers/char/ipmi/ipmi_si_intf.c`, requiring to apply the commit
manually.This fixes a 100 s boot delay on the HP EliteDesk 705 G4 MT with Linux
4.14.94. ]Reported-by: Chris Chiu
Signed-off-by: Corey Minyard
Tested-by: Daniel Drake
Signed-off-by: Paul Menzel
Signed-off-by: Greg Kroah-Hartman
10 Jan, 2019
2 commits
-
commit 2ba5780ce30549cf57929b01d8cba6fe656e31c5 upstream.
tpm_i2c_nuvoton calculated commands duration using TPM 1.x
values via tpm_calc_ordinal_duration() also for TPM 2.x chips.
Call tpm2_calc_ordinal_duration() for retrieving ordinal
duration for TPM 2.X chips.Cc: stable@vger.kernel.org
Cc: Nayna Jain
Signed-off-by: Tomas Winkler
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain (For TPM 2.0)
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman -
commit 01f54664a4db0d612de0ece8e0022f21f9374e9b upstream.
First, rename out_no_locality to out_locality for bailing out on
both tpm_cmd_ready() and tpm_request_locality() failure.
Second, ignore the return value of go_to_idle() as it may override
the return value of the actual tpm operation, the go_to_idle() error
will be caught on any consequent command.
Last, fix the wrong 'goto out', that jumped back instead of forward.Cc: stable@vger.kernel.org
Fixes: 627448e85c76 ("tpm: separate cmd_ready/go_idle from runtime_pm")
Signed-off-by: Tomas Winkler
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman
14 Nov, 2018
3 commits
-
commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream.
Functionality of the xen-tpmfront driver was lost secondary to
the introduction of xenbus multi-page support in commit ccc9d90a9a8b
("xenbus_client: Extend interface to support multi-page ring").In this commit pointer to location of where the shared page address
is stored was being passed to the xenbus_grant_ring() function rather
then the address of the shared page itself. This resulted in a situation
where the driver would attach to the vtpm-stubdom but any attempt
to send a command to the stub domain would timeout.A diagnostic finding for this regression is the following error
message being generated when the xen-tpmfront driver probes for a
device:vtpm vtpm-0: tpm_transmit: tpm_send: error -62
vtpm vtpm-0: A TPM error (-62) occurred attempting to determine
the timeoutsThis fix is relevant to all kernels from 4.1 forward which is the
release in which multi-page xenbus support was introduced.Daniel De Graaf formulated the fix by code inspection after the
regression point was located.Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring")
Signed-off-by: Dr. Greg Wettstein
Signed-off-by: Greg Kroah-Hartman[boris: Updated commit message, added Fixes tag]
Signed-off-by: Boris Ostrovsky
Cc: stable@vger.kernel.org # v4.1+
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen -
[ Upstream commit 0d6d0d62d9505a9816716aa484ebd0b04c795063 ]
For TPM 1.2 chips the system setup utility allows to set the TPM device in
one of the following states:* Active: Security chip is functional
* Inactive: Security chip is visible, but is not functional
* Disabled: Security chip is hidden and is not functionalWhen choosing the "Inactive" state, the TPM 1.2 device is enumerated and
registered, but sending TPM commands fail with either TPM_DEACTIVATED or
TPM_DISABLED depending if the firmware deactivated or disabled the TPM.Since these TPM 1.2 error codes don't have special treatment, inactivating
the TPM leads to a very noisy kernel log buffer that shows messages like
the following:tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
tpm tpm0: TPM is disabled/deactivated (0x6)
tpm tpm0: A TPM error (6) occurred attempting get random
tpm tpm0: A TPM error (6) occurred attempting to read a pcr value
ima: No TPM chip found, activating TPM-bypass! (rc=6)
tpm tpm0: A TPM error (6) occurred attempting get random
tpm tpm0: A TPM error (6) occurred attempting get random
tpm tpm0: A TPM error (6) occurred attempting get random
tpm tpm0: A TPM error (6) occurred attempting get randomLet's just suppress error log messages for the TPM_{DEACTIVATED,DISABLED}
return codes, since this is expected when the TPM 1.2 is set to Inactive.In that case the kernel log is cleaner and less confusing for users, i.e:
tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78)
tpm tpm0: TPM is disabled/deactivated (0x6)
ima: No TPM chip found, activating TPM-bypass! (rc=6)Reported-by: Hans de Goede
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman -
commit 0711e8c1b4572d076264e71b0002d223f2666ed7 upstream.
Please note that below oops is from an older kernel, but the same
race seems to be present in the upstream kernel too.---8
Cc: # 3.19
Signed-off-by: Corey Minyard
Signed-off-by: Greg Kroah-Hartman
04 Nov, 2018
2 commits
-
[ Upstream commit 1fbad3028664e114d210dc65d768947a3a553eaa ]
In crb_map_io() function, __crb_request_locality() is called prior
to crb_cmd_ready(), but if one of the consecutive function fails
the flow bails out instead of trying to relinquish locality.
This patch adds goto jump to __crb_relinquish_locality() on the error path.Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
Signed-off-by: Tomas Winkler
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Sasha Levin -
[ Upstream commit 92980756979a9c51be0275f395f4e89c42cf199a ]
Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to
handle the TPM2_RC_RETRY error. The loop retries the command after
sleeping for the specified time, which is incremented exponentially in
every iteration.Unfortunately, the loop doubles the time before sleeping, causing the
initial sleep to be doubled. This patch fixes the initial sleep time.Fixes: commit e2fb992d82c6 ("tpm: add retry logic")
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Sasha Levin
26 Sep, 2018
1 commit
-
commit 0745dde62835be7e2afe62fcdb482fcad79cb743 upstream.
The SSIF driver was removing any client that came in through the
platform interface, but it should only remove clients that it
added. On a failure in the probe function, this could result
in the following oops when the driver is removed and the
client gets unregistered twice:CPU: 107 PID: 30266 Comm: rmmod Not tainted 4.18.0+ #80
Hardware name: Cavium Inc. Saber/Saber, BIOS Cavium reference firmware version 7.0 08/04/2018
pstate: 60400009 (nZCv daif +PAN -UAO)
pc : kernfs_find_ns+0x28/0x120
lr : kernfs_find_and_get_ns+0x40/0x60
sp : ffff00002310fb50
x29: ffff00002310fb50 x28: ffff800a8240f800
x27: 0000000000000000 x26: 0000000000000000
x25: 0000000056000000 x24: ffff000009073000
x23: ffff000008998b38 x22: 0000000000000000
x21: ffff800ed86de820 x20: 0000000000000000
x19: ffff00000913a1d8 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 5300737265766972
x13: 643d4d4554535953 x12: 0000000000000030
x11: 0000000000000030 x10: 0101010101010101
x9 : ffff800ea06cc3f9 x8 : 0000000000000000
x7 : 0000000000000141 x6 : ffff000009073000
x5 : ffff800adb706b00 x4 : 0000000000000000
x3 : 00000000ffffffff x2 : 0000000000000000
x1 : ffff000008998b38 x0 : ffff000008356760
Process rmmod (pid: 30266, stack limit = 0x00000000e218418d)
Call trace:
kernfs_find_ns+0x28/0x120
kernfs_find_and_get_ns+0x40/0x60
sysfs_unmerge_group+0x2c/0x6c
dpm_sysfs_remove+0x34/0x70
device_del+0x58/0x30c
device_unregister+0x30/0x7c
i2c_unregister_device+0x84/0x90 [i2c_core]
ssif_platform_remove+0x38/0x98 [ipmi_ssif]
platform_drv_remove+0x2c/0x6c
device_release_driver_internal+0x168/0x1f8
driver_detach+0x50/0xbc
bus_remove_driver+0x74/0xe8
driver_unregister+0x34/0x5c
platform_driver_unregister+0x20/0x2c
cleanup_ipmi_ssif+0x50/0xd82c [ipmi_ssif]
__arm64_sys_delete_module+0x1b4/0x220
el0_svc_handler+0x104/0x160
el0_svc+0x8/0xc
Code: aa1e03e0 aa0203f6 aa0103f7 d503201f (7940e280)
---[ end trace 09f0e34cce8e2d8c ]---
Kernel panic - not syncing: Fatal exception
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x23800c38So track the clients that the SSIF driver adds and only remove
those.Reported-by: George Cherian
Signed-off-by: Corey Minyard
Tested-by: George Cherian
Cc: # 4.14.x
Signed-off-by: Greg Kroah-Hartman
20 Sep, 2018
3 commits
-
[ Upstream commit bb853aac2c478ce78116128263801189408ad2a8 ]
Locking the root adapter for __i2c_transfer will deadlock if the
device sits behind a mux-locked I2C mux. Switch to the finer-grained
i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not
sit behind a mux-locked mux, the two locking variants are equivalent.Signed-off-by: Peter Rosin
Reviewed-by: Jarkko Sakkinen
Tested-by: Alexander Steffen
Signed-off-by: Wolfram Sang
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 1a339b658d9dbe1471f67b78237cf8fa08bbbeb5 ]
An SPI TPM device managed directly on an embedded board using
the SPI bus and some GPIO or similar line as IRQ handler will
pass the IRQn from the TPM device associated with the SPI
device. This is already handled by the SPI core, so make sure
to pass this down to the core as well.(The TPM core habit of using -1 to signal no IRQ is dubious
(as IRQ 0 is NO_IRQ) but I do not want to mess with that
semantic in this patch.)Cc: Mark Brown
Signed-off-by: Linus Walleij
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman -
commit 627448e85c766587f6fdde1ea3886d6615081c77 upstream.
Fix tpm ptt initialization error:
tpm tpm0: A TPM error (378) occurred get tpm pcr allocation.We cannot use go_idle cmd_ready commands via runtime_pm handles
as with the introduction of localities this is no longer an optional
feature, while runtime pm can be not enabled.
Though cmd_ready/go_idle provides a power saving, it's also a part of
TPM2 protocol and should be called explicitly.
This patch exposes cmd_read/go_idle via tpm class ops and removes
runtime pm support as it is not used by any driver.When calling from nested context always use both flags:
TPM_TRANSMIT_UNLOCKED and TPM_TRANSMIT_RAW. Both are needed to resolve
tpm spaces and locality request recursive calls to tpm_transmit().
TPM_TRANSMIT_RAW should never be used standalone as it will fail
on double locking. While TPM_TRANSMIT_UNLOCKED standalone should be
called from non-recursive locked contexts.New wrappers are added tpm_cmd_ready() and tpm_go_idle() to
streamline tpm_try_transmit code.tpm_crb no longer needs own power saving functions and can drop using
tpm_pm_suspend/resume.This patch cannot be really separated from the locality fix.
Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)Cc: stable@vger.kernel.org
Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality)
Signed-off-by: Tomas Winkler
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman
05 Sep, 2018
1 commit
-
commit 36a11029b07ee30bdc4553274d0efea645ed9d91 upstream.
The userpace expects to read the number of bytes stated in the header.
Returning the size of the buffer instead would be unexpected.Cc: stable@vger.kernel.org
Fixes: 095531f891e6 ("tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented")
Signed-off-by: Ricardo Schwarzmeier
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman
03 Aug, 2018
1 commit
-
commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.
Fedora has integrated the jitter entropy daemon to work around slow
boot problems, especially on VM's that don't support virtio-rng:https://bugzilla.redhat.com/show_bug.cgi?id=1572944
It's understandable why they did this, but the Jitter entropy daemon
works fundamentally on the principle: "the CPU microarchitecture is
**so** complicated and we can't figure it out, so it *must* be
random". Yes, it uses statistical tests to "prove" it is secure, but
AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
flying colors.So if RDRAND is available, mix it into entropy submitted from
userspace. It can't hurt, and if you believe the NSA has backdoored
RDRAND, then they probably have enough details about the Intel
microarchitecture that they can reverse engineer how the Jitter
entropy daemon affects the microarchitecture, and attack its output
stream. And if RDRAND is in fact an honest DRNG, it will immeasurably
improve on what the Jitter entropy daemon might produce.This also provides some protection against someone who is able to read
or set the entropy seed file.Signed-off-by: Theodore Ts'o
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
03 Jul, 2018
3 commits
-
commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.
There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm, or two different applications
on the same /dev/tpmrm to overwrite each other commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman -
commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream.
If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
then we have use after free in line 114 and double free in 117.Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk
Reviewed-by: Jarkko Sakkinen
Signed-off--by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman -
commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.
There was one place where the timeout value for an operation was
not being set, if a capabilities request was done from idle. Move
the timeout value setting to before where that change might be
requested.IMHO the cause here is the invisible returns in the macros. Maybe
that's a job for later, though.Reported-by: Nordmark Claes
Signed-off-by: Corey Minyard
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
21 Jun, 2018
1 commit
-
[ Upstream commit dec60f3a9b7251f2657d743d96ba9a83dca02351 ]
Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made
static. So make them.Silence the following gcc warning (W=1):
drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes]
and
drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes]
Signed-off-by: Mathieu Malaterre
Signed-off-by: Dave Airlie
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
30 May, 2018
2 commits
-
[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ]
Avoid issue when probing the RNG without
reset if bad status has been detected previouslySigned-off-by: Lionel Debieve
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ]
This happens when BMC doesn't return any data and the code is trying
to print the value of data[2].Getting following crash:
[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002
[ 484.736496] pgd = ffff0000094a2000
[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000
[ 484.748158] Internal error: Oops: 96000005 [#1] SMP
[...]
[ 485.101451] Call trace:
[...]
[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif]
[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif]
[ 485.202038] [] kthread+0x108/0x138
[ 485.206994] [] ret_from_fork+0x10/0x30
[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3)Adding a check to validate the data len before printing data[2] to fix this issue.
Signed-off-by: Kamlakant Patel
Signed-off-by: Corey Minyard
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
02 May, 2018
8 commits
-
commit 5c60300d68da32ca77f7f978039dc72bfc78b06b upstream.
When out of memory and we can't add ctrl vq buffers,
probe fails. Unfortunately the error handling is
out of spec: it calls del_vqs without bothering
to reset the device first.To fix, call the full cleanup function in this case.
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Greg Kroah-Hartman -
commit aa44ec867030a72e8aa127977e37dec551d8df19 upstream.
Will make it reusable for error handling.
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Greg Kroah-Hartman -
commit 61a8950c5c5708cf2068b29ffde94e454e528208 upstream.
We now cleanup all VQs on device removal - no need
to handle the control VQ specially.Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Greg Kroah-Hartman -
commit a7a69ec0d8e4a58be7db88d33cbfa2912807bb2b upstream.
Console driver is out of spec. The spec says:
A driver MUST NOT decrement the available idx on a live
virtqueue (ie. there is no way to “unexpose” buffers).
and it does exactly that by trying to detach unused buffers
without doing a device reset first.Defer detaching the buffers until device unplug.
Of course this means we might get an interrupt for
a vq without an attached port now. Handle that by
discarding the consumed buffer.Reported-by: Tiwei Bie
Fixes: b3258ff1d6 ("virtio: Decrement avail idx on buffer detach")
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Greg Kroah-Hartman -
commit 2855b33514d290c51d52d94e25d3ef942cd4d578 upstream.
an allocated buffer doesn't need to be tied to a vq -
only vq->vdev is ever used. Pass the function the
just what it needs - the vdev.Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Greg Kroah-Hartman -
commit 4e00b339e264802851aff8e73cde7d24b57b18ce upstream.
On systems without sufficient boot randomness, no point spamming dmesg.
Signed-off-by: Theodore Ts'o
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman -
commit 6c1e851c4edc13a43adb3ea4044e3fc8f43ccf7d upstream.
We can do a sleeping allocation from an irq context when CONFIG_NUMA
is enabled. Fix this by initializing the NUMA crng instances in a
workqueue.Reported-by: Tetsuo Handa
Reported-by: syzbot+9de458f6a5e713ee8c1a@syzkaller.appspotmail.com
Fixes: 8ef35c866f8862df ("random: set up the NUMA crng instances...")
Cc: stable@vger.kernel.org
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman -
commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream.
Until the primary_crng is fully initialized, don't initialize the NUMA
crng nodes. Otherwise users of /dev/urandom on NUMA systems before
the CRNG is fully initialized can get very bad quality randomness. Of
course everyone should move to getrandom(2) where this won't be an
issue, but there's a lot of legacy code out there. This related to
CVE-2018-1108.Reported-by: Jann Horn
Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
Cc: stable@kernel.org # 4.8+
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman
29 Apr, 2018
2 commits
-
commit e2fb992d82c626c43ed0566e07c410e56a087af3 upstream.
TPM2 can return TPM2_RC_RETRY to any command and when it does we get
unexpected failures inside the kernel that surprise users (this is
mostly observed in the trusted key handling code). The UEFI 2.6 spec
has advice on how to handle this:The firmware SHALL not return TPM2_RC_RETRY prior to the completion
of the call to ExitBootServices().Implementer’s Note: the implementation of this function should check
the return value in the TPM response and, if it is TPM2_RC_RETRY,
resend the command. The implementation may abort if a sufficient
number of retries has been done.So we follow that advice in our tpm_transmit() code using
TPM2_DURATION_SHORT as the initial wait duration and
TPM2_DURATION_LONG as the maximum wait time. This should fix all the
in-kernel use cases and also means that user space TSS implementations
don't have to have their own retry handling.Signed-off-by: James Bottomley
Cc: stable@vger.kernel.org
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman -
commit 65520d46a4adbf7f23bbb6d9b1773513f7bc7821 upstream.
Fix tmp_ -> tpm_ typo and add reference to 'space' parameter
in kdoc for tpm_transmit and tpm_transmit_cmd functions.Signed-off-by: Tomas Winkler
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman
