Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.12 2017-01-19T19:18:03Z 2017-01-19T19:18:03Z Robin Murphy robin.murphy@arm.com 2017-01-05T17:15:01Z urn:sha1:3fbaff3adc763d999fa803bc1aeb5e49c48ce5c0 commit 488debb9971bc7d0edd6d8080ba78ca02a04f6c4 upstream. When borrowing the pfn_valid() check from mmap_kmem(), somebody managed to get physical and virtual addresses spectacularly muddled up, such that we've ended up with checks for one being the other. Whilst this does indeed prevent out-of-bounds accesses crashing, on most systems it also prevents the more desirable use-case of working at all ever. Check the *virtual* offset correctly for what it is. Furthermore, do so in the right place - a read or write may span multiple pages, so a single up-front check is insufficient. High memory accesses already have a similar validity check just before the copy_to_user() call, so just make the low memory path fully consistent with that. Reported-by: Jason A. Donenfeld <Jason@zx2c4.com> Fixes: 148a1bc84398 ("drivers: char: mem: Check {read,write}_kmem() addresses") Signed-off-by: Robin Murphy <robin.murphy@arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-12T10:39:38Z Josh Zimmerman joshz@google.com 2016-10-27T21:50:09Z urn:sha1:56d22b9125421217fdea41250cce9dfa0013b483 commit 26a137e31ffe6fbfdb008554a8d9b3d55bd5c86e upstream. If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access) Signed-off-by: Josh Zimmerman <joshz@google.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-06T09:40:17Z Jason Gunthorpe jgunthorpe@obsidianresearch.com 2016-10-26T22:28:45Z urn:sha1:b7bbf06c21aac5c91d3c7f73db291648232dfb39 commit 1f0f30e404b3d8f4597a2d9b77fba55452f8fd0e upstream. tpm_chip_unregister can only be called after tpm_chip_register. devm manages the allocation so no unwind is needed here. Fixes: afb5abc262e96 ("tpm: two-phase chip management functions") Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-18T00:31:09Z Cédric Le Goater clg@kaod.org 2016-11-02T07:57:04Z urn:sha1:1c8018f7a7a60a649260fdd7e8645a356299e920 The Aspeed SoCs have two BT interfaces : one is IPMI compliant and the other is H8S/2168 compliant. The current ipmi/bt-bmc driver implements the IPMI version and we should reflect its nature in the compatible node name using 'aspeed,ast2400-ibt-bmc' instead of 'aspeed,ast2400-bt-bmc'. The latter should be used for a H8S interface driver if it is implemented one day. Signed-off-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Olof Johansson <olof@lixom.net> 2016-11-13T18:24:08Z Linus Torvalds torvalds@linux-foundation.org 2016-11-13T18:24:08Z urn:sha1:acb57b7548cb84680f4f5263e63736ced8c2e257 Pull char/misc fixes from Greg KH: "Here are three small driver fixes for some reported issues for 4.9-rc5. One for the hyper-v subsystem, fixing up a naming issue that showed up in 4.9-rc1, one mei driver fix, and one fix for parallel ports, resolving a reported regression. All have been in linux-next with no reported issues" * tag 'char-misc-4.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: ppdev: fix double-free of pp->pdev->name vmbus: make sysfs names consistent with PCI mei: bus: fix received data size check in NFC fixup 2016-11-10T14:24:02Z Jann Horn jann@thejh.net 2016-10-30T22:19:24Z urn:sha1:b13d14339baaaa720e7e5448855f33ba501917aa free_pardevice() is called by parport_unregister_device() and already frees pp->pdev->name, don't try to do it again. This bug causes kernel crashes. I found and verified this with KASAN and some added pr_emerg()s: [ 60.316568] pp_release: pp->pdev->name == ffff88039cb264c0 [ 60.316692] free_pardevice: freeing par_dev->name at ffff88039cb264c0 [ 60.316706] pp_release: kfree(ffff88039cb264c0) [ 60.316714] ========================================================== [ 60.316722] BUG: Double free or freeing an invalid pointer [ 60.316731] Unexpected shadow byte: 0xFB [ 60.316801] Object at ffff88039cb264c0, in cache kmalloc-32 size: 32 [ 60.316813] Allocated: [ 60.316824] PID = 1695 [ 60.316869] Freed: [ 60.316880] PID = 1695 [ 60.316935] ========================================================== Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-01T22:56:05Z Linus Torvalds torvalds@linux-foundation.org 2016-11-01T22:56:05Z urn:sha1:04659febcb074de61ae80dbb1fb62f56c08a2b91 Pull virtio updates from Michael Tsirkin: "Tests, fixes and cleanups. Just minor tweaks, there's nothing major in this cycle" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_ring: mark vring_dma_dev inline virtio/vhost: add Jason to list of maintainers virtio_blk: Delete an unnecessary initialisation in init_vq() virtio_blk: Use kmalloc_array() in init_vq() virtio: remove config.c virtio: console: Unlock vqs while freeing buffers ringtest: poll for new buffers once before updating event index ringtest: commonize implementation of poll_avail/poll_used ringtest: use link-time optimization virtio: update balloon size in balloon "probe" virtio_ring: Make interrupt suppression spec compliant virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices 2016-10-31T15:15:27Z Jarkko Sakkinen jarkko.sakkinen@linux.intel.com 2016-10-04T06:49:47Z urn:sha1:befd99656c5eb765fe9d96045c4cba099fd938db Removal of this check was not properly amended to the original commit. Cc: stable@vger.kernel.org Fixes: 0c541332231e ("tpm: use tpm_pcr_read_dev() in tpm_do_selftest()") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 2016-10-30T22:21:44Z Matt Redfearn matt.redfearn@imgtec.com 2016-10-11T11:05:15Z urn:sha1:34563769e438d2881f62cf4d9badc4e589ac0ec0 Commit c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path") added locking around the freeing of buffers in the vq. However, when free_buf() is called with can_sleep = true and rproc is enabled, it calls dma_free_coherent() directly, requiring interrupts to be enabled. Currently a WARNING is triggered due to the spin locking around free_buf, with a call stack like this: WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433 free_buf+0x1a8/0x288 Call Trace: [<8040c538>] show_stack+0x74/0xc0 [<80757240>] dump_stack+0xd0/0x110 [<80430d98>] __warn+0xfc/0x130 [<80430ee0>] warn_slowpath_null+0x2c/0x3c [<807e7c6c>] free_buf+0x1a8/0x288 [<807ea590>] remove_port_data+0x50/0xac [<807ea6a0>] unplug_port+0xb4/0x1bc [<807ea858>] virtcons_remove+0xb0/0xfc [<807b6734>] virtio_dev_remove+0x58/0xc0 [<807f918c>] __device_release_driver+0xac/0x134 [<807f924c>] device_release_driver+0x38/0x50 [<807f7edc>] bus_remove_device+0xfc/0x130 [<807f4b74>] device_del+0x17c/0x21c [<807f4c38>] device_unregister+0x24/0x38 [<807b6b50>] unregister_virtio_device+0x28/0x44 Fix this by restructuring the loops to allow the locks to only be taken where it is necessary to protect the vqs, and release it while the buffer is being freed. Fixes: c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path") Cc: stable@vger.kernel.org Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> 2016-10-25T04:34:13Z Linus Torvalds torvalds@linux-foundation.org 2016-10-25T04:34:13Z urn:sha1:9fe68cad6e74967b88d0c6aeca7d9cd6b6e91942 Pull crypto fix from Herbert Xu: "This fixes a regression caused by the stack vmalloc change" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: hwrng: core - Don't use a stack buffer in add_early_randomness()