Mickaël Salaün [Wed, 10 May 2017 20:48:48 +0000 (22:48 +0200)]
LSM: Enable multiple calls to security_add_hooks() for the same LSM
The commit
d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm") extend
security_add_hooks() with a new parameter to register the LSM name,
which may be useful to make the list of currently loaded LSM available
to userspace. However, there is no clean way for an LSM to split its
hook declarations into multiple files, which may reduce the mess with
all the included files (needed for LSM hook argument types) and make the
source code easier to review and maintain.
This change allows an LSM to register multiple times its hook while
keeping a consistent list of LSM names as described in
Documentation/security/LSM.txt . The list reflects the order in which
checks are made. This patch only check for the last registered LSM. If
an LSM register multiple times its hooks, interleaved with other LSM
registrations (which should not happen), its name will still appear in
the same order that the hooks are called, hence multiple times.
To sum up, "capability,selinux,foo,foo" will be replaced with
"capability,selinux,foo", however "capability,foo,selinux,foo" will
remain as is.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Stefan Berger [Tue, 18 Apr 2017 01:58:26 +0000 (21:58 -0400)]
tpm: Fix reference count to main device
The main device is currently not properly released due to one additional
reference to the 'devs' device which is only released in case of a TPM 2.
So, also get the additional reference only in case of a TPM2.
Fixes:
fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jerry Snitselaar [Mon, 27 Mar 2017 15:46:04 +0000 (08:46 -0700)]
tpm_tis: convert to using locality callbacks
This patch converts tpm_tis to use of the new tpm class ops
request_locality, and relinquish_locality.
With the move to using the callbacks, release_locality is changed so
that we now release the locality even if there is no request pending.
This required some changes to the tpm_tis_core_init code path to
make sure locality is requested when needed:
- tpm2_probe code path will end up calling request/release through
callbacks, so request_locality prior to tpm2_probe not needed.
- probe_itpm makes calls to tpm_tis_send_data which no longer calls
request_locality, so add request_locality prior to tpm_tis_send_data
calls. Also drop release_locality call in middleof probe_itpm, and
keep locality until release_locality called at end of probe_itpm.
Cc: Peter Huewe <peterhuewe@gmx.de>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Marcel Selhorst <tpmdd@selhorst.net>
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Petr Vandrovec [Wed, 29 Mar 2017 07:43:30 +0000 (00:43 -0700)]
tpm: fix handling of the TPM 2.0 event logs
When TPM2 log has entries with more than 3 digests, or with digests
not listed in the log header, log gets misparsed, eventually
leading to kernel complaint that code tried to vmalloc 512MB of
memory (I have no idea what would happen on bigger system).
So code should not parse only first 3 digests: both event header
and event itself are already in memory, so we can parse any number
of digests, as long as we do not try to parse whole memory when
given count of 0xFFFFFFFF.
So this change:
* Rejects event entry with more digests than log header describes.
Digest types should be unique, and all should be described in
log header, so there cannot be more digests in the event than in
the header.
* Reject event entry with digest that is not described in the
log header. In theory code could hardcode information about
digest IDs already assigned by TCG, but if firmware authors
cannot get event log format right, why should anyone believe
that they got event log content right.
Cc: stable@vger.kernel.org
Fixes:
4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log")
Signed-off-by: Petr Vandrovec <petr@vmware.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Wed, 5 Apr 2017 11:07:24 +0000 (14:07 +0300)]
tpm_crb: remove a cruft constant
Remove a useless constant that slipped through me when I did the code
review. This commit fixes the issue.
Cc: Jiandi An <anjiandi@codeaurora.org>
Fixes:
69c558de63c7 ("tpm/tpm_crb: Enable TPM CRB interface for ARM64")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
James Morris [Wed, 19 Apr 2017 12:00:15 +0000 (22:00 +1000)]
Merge branch 'next' of git://git./linux/kernel/git/zohar/linux-integrity into next
James Morris [Tue, 18 Apr 2017 22:35:01 +0000 (08:35 +1000)]
Merge branch 'smack-for-4.12' of git://github.com/cschaufler/smack-next into next
James Morris [Tue, 18 Apr 2017 22:30:08 +0000 (08:30 +1000)]
Merge branch 'stable-4.12' of git://git.infradead.org/users/pcmoore/selinux into next
James Morris [Mon, 17 Apr 2017 21:37:51 +0000 (07:37 +1000)]
Merge tag 'keys-next-
20170412' of git://git./linux/kernel/git/dhowells/linux-fs into next
Stephan Müller [Tue, 11 Apr 2017 11:07:07 +0000 (13:07 +0200)]
keys: select CONFIG_CRYPTO when selecting DH / KDF
Select CONFIG_CRYPTO in addition to CONFIG_HASH to ensure that
also CONFIG_HASH2 is selected. Both are needed for the shash
cipher support required for the KDF operation.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
John Johansen [Thu, 6 Apr 2017 13:55:24 +0000 (06:55 -0700)]
apparmor: Make path_max parameter readonly
The path_max parameter determines the max size of buffers allocated
but it should not be setable at run time. If can be used to cause an
oops
root@ubuntu:~# echo
16777216 > /sys/module/apparmor/parameters/path_max
root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max
Killed
[ 122.141911] BUG: unable to handle kernel paging request at
ffff880080945fff
[ 122.143497] IP: [<
ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.144742] PGD
220c067 PUD 0
[ 122.145453] Oops: 0002 [#1] SMP
[ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect
[ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes
[ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu
[ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 122.168611] task:
ffff88003496aa00 ti:
ffff880076474000 task.ti:
ffff880076474000
[ 122.170018] RIP: 0010:[<
ffffffff81228844>] [<
ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.171525] RSP: 0018:
ffff880076477b90 EFLAGS:
00010206
[ 122.172462] RAX:
ffff880080945fff RBX:
0000000000000000 RCX:
0000000001000000
[ 122.173709] RDX:
0000000000ffffff RSI:
ffff880080946000 RDI:
ffff8800348a1010
[ 122.174978] RBP:
ffff880076477bb8 R08:
ffff880076477c80 R09:
0000000000000000
[ 122.176227] R10:
00007ffffffff000 R11:
ffff88007f946000 R12:
ffff88007f946000
[ 122.177496] R13:
ffff880076477c80 R14:
ffff8800348a1010 R15:
ffff8800348a2400
[ 122.178745] FS:
00007fd459eb4700(0000) GS:
ffff88007b6c0000(0000) knlGS:
0000000000000000
[ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 122.181186] CR2:
ffff880080945fff CR3:
0000000073422000 CR4:
00000000001406e0
[ 122.182469] Stack:
[ 122.182843]
00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000
[ 122.184409]
00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58
[ 122.185810]
0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000
[ 122.187231] Call Trace:
[ 122.187680] [<
ffffffff81385671>] aa_path_name+0x81/0x370
[ 122.188637] [<
ffffffff813875dd>] profile_transition+0xbd/0xb80
[ 122.190181] [<
ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0
[ 122.191674] [<
ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0
[ 122.193288] [<
ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220
[ 122.194793] [<
ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30
[ 122.196392] [<
ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110
[ 122.198004] [<
ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50
[ 122.199737] [<
ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600
[ 122.201377] [<
ffffffff81346e53>] security_bprm_set_creds+0x33/0x50
[ 122.203024] [<
ffffffff81214ce5>] prepare_binprm+0x85/0x190
[ 122.204515] [<
ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710
[ 122.206200] [<
ffffffff81216a6a>] SyS_execve+0x3a/0x50
[ 122.207615] [<
ffffffff81838795>] stub_execve+0x5/0x5
[ 122.208978] [<
ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8
[ 122.217320] RIP [<
ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.218860] RSP <
ffff880076477b90>
[ 122.219919] CR2:
ffff880080945fff
[ 122.220936] ---[ end trace
506cdbd85eb6c55e ]---
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
John Johansen [Thu, 6 Apr 2017 13:55:23 +0000 (06:55 -0700)]
apparmor: fix parameters so that the permission test is bypassed at boot
Boot parameters are written before apparmor is ready to answer whether
the user is policy_view_capable(). Setting the parameters at boot results
in an oops and failure to boot. Setting the parameters at boot is
obviously allowed so skip the permission check when apparmor is not
initialized.
While we are at it move the more complicated check to last.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
John Johansen [Thu, 6 Apr 2017 13:55:22 +0000 (06:55 -0700)]
apparmor: fix invalid reference to index variable of iterator line 836
Once the loop on lines 836-853 is complete and exits normally, ent is a
pointer to the dummy list head value. The derefernces accessible from eg
the goto fail on line 860 or the various goto fail_lock's afterwards thus
seem incorrect.
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Nicolas Iooss [Thu, 6 Apr 2017 13:55:21 +0000 (06:55 -0700)]
apparmor: use SHASH_DESC_ON_STACK
When building the kernel with clang, the compiler fails to build
security/apparmor/crypto.c with the following error:
security/apparmor/crypto.c:36:8: error: fields must have a constant
size: 'variable length array in structure' extension will never be
supported
char ctx[crypto_shash_descsize(apparmor_tfm)];
^
Since commit
a0a77af14117 ("crypto: LLVMLinux: Add macro to remove use
of VLAIS in crypto code"), include/crypto/hash.h defines
SHASH_DESC_ON_STACK to work around this issue. Use it in aa_calc_hash()
and aa_calc_profile_hash().
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Valentin Rothberg [Thu, 6 Apr 2017 13:55:20 +0000 (06:55 -0700)]
security/apparmor/lsm.c: set debug messages
Add the _APPARMOR substring to reference the intended Kconfig option.
Signed-off-by: Valentin Rothberg <valentinrothberg@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
kbuild test robot [Thu, 6 Apr 2017 13:55:19 +0000 (06:55 -0700)]
apparmor: fix boolreturn.cocci warnings
security/apparmor/lib.c:132:9-10: WARNING: return of 0/1 in function 'aa_policy_init' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Tetsuo Handa [Mon, 14 Nov 2016 11:12:56 +0000 (20:12 +0900)]
Smack: Use GFP_KERNEL for smk_netlbl_mls().
Since all callers of smk_netlbl_mls() are GFP_KERNEL context
(smk_set_cipso() calls memdup_user_nul(), init_smk_fs() calls
__kernfs_new_node(), smk_import_entry() calls kzalloc(GFP_KERNEL)),
it is safe to use GFP_KERNEL from netlbl_catmap_setbit().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Tetsuo Handa [Fri, 24 Mar 2017 11:42:05 +0000 (20:42 +0900)]
smack: fix double free in smack_parse_opts_str()
smack_parse_opts_str() calls kfree(opts->mnt_opts) when kcalloc() for
opts->mnt_opts_flags failed. But it should not have called it because
security_free_mnt_opts() will call kfree(opts->mnt_opts).
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
fixes:
3bf2789cad9e6573 ("smack: allow mount opts setting over filesystems with binary mount data")
Cc: Vivek Trivedi <t.vivek@samsung.com>
Cc: Amit Sahrawat <a.sahrawat@samsung.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Stephan Mueller [Fri, 19 Aug 2016 18:39:09 +0000 (20:39 +0200)]
KEYS: add SP800-56A KDF support for DH
SP800-56A defines the use of DH with key derivation function based on a
counter. The input to the KDF is defined as (DH shared secret || other
information). The value for the "other information" is to be provided by
the caller.
The KDF is implemented using the hash support from the kernel crypto API.
The implementation uses the symmetric hash support as the input to the
hash operation is usually very small. The caller is allowed to specify
the hash name that he wants to use to derive the key material allowing
the use of all supported hashes provided with the kernel crypto API.
As the KDF implements the proper truncation of the DH shared secret to
the requested size, this patch fills the caller buffer up to its size.
The patch is tested with a new test added to the keyutils user space
code which uses a CAVS test vector testing the compliance with
SP800-56A.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Tue, 4 Apr 2017 21:33:00 +0000 (22:33 +0100)]
Merge branch 'keyctl-restrict' of git://git./linux/kernel/git/martineau/linux into keys-next
To quote Mat Martineau:
"""
Keyrings recently acquired the ability to validate keys before they are
linked using kernel internal APIs. This patch set enables configuration
of restricted keyrings from userspace.
These patches apply to linux-fs/keys-misc and are also available here:
https://git.kernel.org/cgit/linux/kernel/git/martineau/linux.git/log/?h=keyctl-restrict
v13: Detect and avoid cycles in restriction references, and change
restrictions to store a single key pointer rather than arbitrary data.
v12: Rework the KEYCTL_RESTRICT_KEYRING command to take an additional
parameter, renamed some functions based on feedback, and dropped an
unnecessary locking change (patch 1 in previous set).
v11: Configure restrictions using KEYCTL_RESTRICT_KEYRING instead of
using a keyring payload at creation time. Make the garbage collector
aware of restrictions.
v10: Fixups from maintainer feedback. Added some missing documentation.
v9: Rebased on linux-fs/keys-misc (v4.9-rc5)
v8: Add option to look for signing keys within the destination keyring.
Fix a consistency issue with keyring locking and restriction checks.
v7: Rework key restriction payload syntax. Move key-type-specific payload
parsing to the key-type. Attach more restriction information to keyrings
(restriction function, data, and data free) so future restrictions are not
limited to storing a key ID to use for key validation. Validate key before
using it to verify another key. Modify key type locking model to allow key
type lookup during keyring creation.
v6: Return error if only restrict_key is supplied, address misc. review
comments.
v5: Fixed signature bypass problem in patch 3/6
v4: Added userspace restriction options based on builtin keyrings.
restrict_link_by_signature implementation is no longer modified. Split
up v3's patch 2/5 to isolate the change to key.h.
v3: Updated commit message for patch 2/5 (restrict_link_by_signature_indirect)
v2: Payload is now preparsed
"""
Signed-off-by: David Howells <dhowells@redhat.com>
Mat Martineau [Tue, 4 Oct 2016 23:42:45 +0000 (16:42 -0700)]
KEYS: Keyring asymmetric key restrict method with chaining
Add a restrict_link_by_key_or_keyring_chain link restriction that
searches for signing keys in the destination keyring in addition to the
signing key or keyring designated when the destination keyring was
created. Userspace enables this behavior by including the "chain" option
in the keyring restriction:
keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric",
"key_or_keyring:<signing key>:chain");
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Mon, 27 Jun 2016 23:45:16 +0000 (16:45 -0700)]
KEYS: Restrict asymmetric key linkage using a specific keychain
Adds restrict_link_by_signature_keyring(), which uses the restrict_key
member of the provided destination_keyring data structure as the
key or keyring to search for signing keys.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Fri, 6 May 2016 21:25:39 +0000 (14:25 -0700)]
KEYS: Add a lookup_restriction function for the asymmetric key type
Look up asymmetric keyring restriction information using the key-type
lookup_restrict hook.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Thu, 2 Mar 2017 00:44:09 +0000 (16:44 -0800)]
KEYS: Add KEYCTL_RESTRICT_KEYRING
Keyrings recently gained restrict_link capabilities that allow
individual keys to be validated prior to linking. This functionality
was only available using internal kernel APIs.
With the KEYCTL_RESTRICT_KEYRING command existing keyrings can be
configured to check the content of keys before they are linked, and
then allow or disallow linkage of that key to the keyring.
To restrict a keyring, call:
keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, const char *type,
const char *restriction)
where 'type' is the name of a registered key type and 'restriction' is a
string describing how key linkage is to be restricted. The restriction
option syntax is specific to each key type.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Tue, 4 Oct 2016 23:27:32 +0000 (16:27 -0700)]
KEYS: Consistent ordering for __key_link_begin and restrict check
The keyring restrict callback was sometimes called before
__key_link_begin and sometimes after, which meant that the keyring
semaphores were not always held during the restrict callback.
If the semaphores are consistently acquired before checking link
restrictions, keyring contents cannot be changed after the restrict
check is complete but before the evaluated key is linked to the keyring.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Fri, 6 May 2016 22:38:17 +0000 (15:38 -0700)]
KEYS: Add an optional lookup_restriction hook to key_type
The restrict_link functions used to validate keys as they are linked
to a keyring can be associated with specific key types. Each key type
may be loaded (or not) at runtime, so lookup of restrict_link
functions needs to be part of the key type implementation to ensure
that the requested keys can be examined.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Wed, 31 Aug 2016 23:05:43 +0000 (16:05 -0700)]
KEYS: Use structure to capture key restriction function and data
Replace struct key's restrict_link function pointer with a pointer to
the new struct key_restriction. The structure contains pointers to the
restriction function as well as relevant data for evaluating the
restriction.
The garbage collector checks restrict_link->keytype when key types are
unregistered. Restrictions involving a removed key type are converted
to use restrict_link_reject so that restrictions cannot be removed by
unregistering key types.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Jiandi An [Fri, 24 Mar 2017 09:55:45 +0000 (04:55 -0500)]
tpm/tpm_crb: Enable TPM CRB interface for ARM64
This enables TPM Command Response Buffer interface driver for
ARM64 and implements an ARM specific TPM CRB start method that
invokes a Secure Monitor Call (SMC) to request the TrustZone
Firmware to execute or cancel a TPM 2.0 command.
In ARM, TrustZone security extensions enable a secure software
environment with Secure Monitor mode. A Secure Monitor Call
(SMC) is used to enter the Secure Monitor mode and perform a
Secure Monitor service to communicate with TrustZone firmware
which has control over the TPM hardware.
Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (on x86/PTT)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jiandi An [Fri, 24 Mar 2017 09:55:44 +0000 (04:55 -0500)]
ACPICA: Update TPM2 ACPI table
TCG ACPI Specification Family "1.2" and "2.0" Version 1.2
Revision 8 introduces new start method for ARM SMC.
- Add new start method (type 11) for ARM SMC
- Add start method specific parameters offset for ARM SMC start method
Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (on x86/PTT)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 24 Mar 2017 09:45:49 +0000 (11:45 +0200)]
tpm_crb: request and relinquish locality 0
This commit adds support for requesting and relinquishing locality 0 in
tpm_crb for the course of command transmission.
In order to achieve this, two new callbacks are added to struct
tpm_class_ops:
- request_locality
- relinquish_locality
With CRB interface you first set either requestAccess or relinquish bit
from TPM_LOC_CTRL_x register and then wait for locAssigned and
tpmRegValidSts bits to be set in the TPM_LOC_STATE_x register.
The reason why were are doing this is to make sure that the driver
will work properly with Intel TXT that uses locality 2. There's no
explicit guarantee that it would relinquish this locality. In more
general sense this commit enables tpm_crb to be a well behaving
citizen in a multi locality environment.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com>
Jerry Snitselaar [Sat, 18 Mar 2017 08:59:57 +0000 (01:59 -0700)]
tpm: make check_locality return bool
Since check_locality is checking to see if a certain
locality is active, return true if active otherwise
return false.
Cc: Christophe Ricard <christophe.ricard@gmail.com>
Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Marcel Selhorst <tpmdd@selhorst.net>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jérémy Lefaure [Fri, 17 Mar 2017 01:51:33 +0000 (21:51 -0400)]
tpm/tpm_crb: fix unused warnings on suspend/resume functions
When PM_SLEEP is disabled crb_pm_suspend and crb_pm_resume are not used by
SET_SYSTEM_SLEEP_PM_OPS even if PM is enabled:
drvers/char/tpm/tpm_crb.c:540:12: warning: ‘crb_pm_suspend’ defined but not
used [-Wunused-function]
static int crb_pm_suspend(struct device *dev)
^
drivers/char/tpm/tpm_crb.c:551:12: warning: ‘crb_pm_resume’ defined but not
used [-Wunused-function]
static int crb_pm_resume(struct device *dev)
^
The preprocessor condition should be on CONFIG_PM_SLEEP, not on CONFIG_PM.
However, this patch fixes this warning by using __maybe_unused on function
that are in the preprocessor condition.
Fixes:
848efcfb560c ("tpm/tpm_crb: enter the low power state upon device suspend")
Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Nayna Jain [Fri, 10 Mar 2017 18:45:54 +0000 (13:45 -0500)]
tpm: add sleep only for retry in i2c_nuvoton_write_status()
Currently, there is an unnecessary 1 msec delay added in
i2c_nuvoton_write_status() for the successful case. This
function is called multiple times during send() and recv(),
which implies adding multiple extra delays for every TPM
operation.
This patch calls usleep_range() only if retry is to be done.
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org (linux-4.8)
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Andy Shevchenko [Wed, 15 Mar 2017 19:58:00 +0000 (21:58 +0200)]
tpm/st33zp24: Add GPIO ACPI mapping table
In order to make GPIO ACPI library stricter prepare users of
gpiod_get_index() to correctly behave when there no mapping is
provided by firmware.
Here we add explicit mapping between _CRS GpioIo() resources and
their names used in the driver.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Hon Ching \(Vicky\) Lo [Wed, 15 Mar 2017 05:28:07 +0000 (01:28 -0400)]
vTPM: Fix missing NULL check
The current code passes the address of tpm_chip as the argument to
dev_get_drvdata() without prior NULL check in
tpm_ibmvtpm_get_desired_dma. This resulted an oops during kernel
boot when vTPM is enabled in Power partition configured in active
memory sharing mode.
The vio_driver's get_desired_dma() is called before the probe(), which
for vtpm is tpm_ibmvtpm_probe, and it's this latter function that
initializes the driver and set data. Attempting to get data before
the probe() caused the problem.
This patch adds a NULL check to the tpm_ibmvtpm_get_desired_dma.
fixes:
9e0d39d8a6a0 ("tpm: Remove useless priv field in struct tpm_vendor_specific")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkine <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jerry Snitselaar [Sat, 11 Mar 2017 00:46:04 +0000 (17:46 -0700)]
tpm_crb: check for bad response size
Make sure size of response buffer is at least 6 bytes, or
we will underflow and pass large size_t to memcpy_fromio().
This was encountered while testing earlier version of
locality patchset.
Cc: stable@vger.kernel.org
Fixes:
30fc8d138e912 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
James Bottomley [Tue, 31 Jan 2017 23:47:31 +0000 (15:47 -0800)]
tpm2: add session handle context saving and restoring to the space code
Sessions are different from transient objects in that their handles
may not be virtualized (because they're used for some hmac
calculations). Additionally when a session is context saved, a
vestigial memory remains in the TPM and if it is also flushed, that
will be lost and the session context will refuse to load next time, so
the code is updated to flush only transient objects after a context
save. Add a separate array (chip->session_tbl) to save and restore
sessions by handle. Use the failure of a context save or load to
signal that the session has been flushed from the TPM and we can
remove its memory from chip->session_tbl.
Sessions are also isolated during each instance of a tpm space. This
means that spaces shouldn't be able to see each other's sessions and
is enforced by ensuring that a space user may only refer to sessions
handles that are present in their own chip->session_tbl. Finally when
a space is closed, all the sessions belonging to it should be flushed
so the handles may be re-used by other spaces.
Note that if we get a session save or load error, all sessions are
effectively flushed. Even though we restore the session buffer, all
the old sessions will refuse to load after the flush and they'll be
purged from our session memory. This means that while transient
context handling is still soft in the face of errors, session handling
is hard (any failure of the model means all sessions are lost).
Fixes-from: Colin Ian King <colin.king@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
James Bottomley [Tue, 3 Jan 2017 17:07:32 +0000 (09:07 -0800)]
tpm: expose spaces via a device link /dev/tpmrm<n>
Currently the tpm spaces are not exposed to userspace. Make this
exposure via a separate device, which can now be opened multiple times
because each read/write transaction goes separately via the space.
Concurrency is protected by the chip->tpm_mutex for each read/write
transaction separately. The TPM is cleared of all transient objects
by the time the mutex is dropped, so there should be no interference
between the kernel and userspace.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
James Bottomley [Wed, 11 Jan 2017 03:08:53 +0000 (19:08 -0800)]
tpm: split out tpm-dev.c into tpm-dev.c and tpm-common-dev.c
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 6 Jan 2017 12:03:45 +0000 (14:03 +0200)]
tpm: infrastructure for TPM spaces
Added an ability to virtualize TPM commands into an isolated context
that we call a TPM space because the word context is already heavily
used in the TPM specification. Both the handle areas and bodies (where
necessary) are virtualized.
The mechanism works by adding a new parameter struct tpm_space to the
tpm_transmit() function. This new structure contains the list of virtual
handles and a buffer of page size (currently) for backing storage.
When tpm_transmit() is called with a struct tpm_space instance it will
execute the following sequence:
1. Take locks.
2. Load transient objects from the backing storage by using ContextLoad
and map virtual handles to physical handles.
3. Perform the transaction.
4. Save transient objects to backing storage by using ContextSave and
map resulting physical handle to virtual handle if there is such.
This commit does not implement virtualization support for hmac and
policy sessions.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Jarkko Sakkinen [Fri, 11 Nov 2016 04:42:07 +0000 (20:42 -0800)]
tpm: validate TPM 2.0 commands
Check for every TPM 2.0 command that the command code is supported and
the command buffer has at least the length that can contain the header
and the handle area.
For ContextSave and FlushContext we mark the body to be part of the
handle area. This gives validation for these commands at zero
cost, including the body of the command.
The more important reason for this is that we can virtualize these
commands in the same way as you would virtualize the handle area of a
command.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Jarkko Sakkinen [Sat, 26 Nov 2016 11:39:35 +0000 (13:39 +0200)]
tpm: export tpm2_flush_context_cmd
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Jarkko Sakkinen [Tue, 14 Feb 2017 19:57:42 +0000 (21:57 +0200)]
tpm: move length validation to tpm_transmit()
Check that the length matches the length reported by the response
header already in tpm_transmit() to improve validation.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Jarkko Sakkinen [Wed, 8 Feb 2017 11:11:36 +0000 (13:11 +0200)]
tpm_crb: encapsulate crb_wait_for_reg_32
Encapsulated crb_wait_for_reg32() so that state changes in other CRB
registers than TPM_CRB_CTRL_REQ_x can be waited.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Tested-by: Gang Wei <gang.wei@intel.com>
Jarkko Sakkinen [Wed, 8 Feb 2017 11:11:35 +0000 (13:11 +0200)]
tpm_crb: map locality registers
In order to provide access to locality registers, this commits adds
mapping of the head of the CRB registers, which are located right
before the control area.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Tested-by: Gang Wei <gang.wei@intel.com>
Peter Huewe [Thu, 2 Mar 2017 13:03:15 +0000 (13:03 +0000)]
tpm_tis_spi: Add small delay after last transfer
Testing the implementation with a Raspberry Pi 2 showed that under some
circumstances its SPI master erroneously releases the CS line before the
transfer is complete, i.e. before the end of the last clock. In this case
the TPM ignores the transfer and misses for example the GO command. The
driver is unable to detect this communication problem and will wait for a
command response that is never going to arrive, timing out eventually.
As a workaround, the small delay ensures that the CS line is held long
enough, even with a faulty SPI master. Other SPI masters are not affected,
except for a negligible performance penalty.
Cc: <stable@vger.kernel.org>
Fixes:
0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Benoit Houyere <benoit.houyere@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Peter Huewe [Thu, 2 Mar 2017 13:03:14 +0000 (13:03 +0000)]
tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes
Limiting transfers to MAX_SPI_FRAMESIZE was not expected by the upper
layers, as tpm_tis has no such limitation. Add a loop to hide that
limitation.
v2: Moved scope of spi_message to the top as requested by Jarkko
Cc: <stable@vger.kernel.org>
Fixes:
0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Benoit Houyere <benoit.houyere@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Peter Huewe [Thu, 2 Mar 2017 13:03:13 +0000 (13:03 +0000)]
tpm_tis_spi: Check correct byte for wait state indicator
Wait states are signaled in the last byte received from the TPM in
response to the header, not the first byte. Check rx_buf[3] instead of
rx_buf[0].
Cc: <stable@vger.kernel.org>
Fixes:
0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Benoit Houyere <benoit.houyere@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Peter Huewe [Thu, 2 Mar 2017 13:03:12 +0000 (13:03 +0000)]
tpm_tis_spi: Abort transfer when too many wait states are signaled
Abort the transfer with ETIMEDOUT when the TPM signals more than
TPM_RETRY wait states. Continuing with the transfer in this state
will only lead to arbitrary failures in other parts of the code.
Cc: <stable@vger.kernel.org>
Fixes:
0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Benoit Houyere <benoit.houyere@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Peter Huewe [Thu, 2 Mar 2017 13:03:11 +0000 (13:03 +0000)]
tpm_tis_spi: Use single function to transfer data
The algorithm for sending data to the TPM is mostly identical to the
algorithm for receiving data from the TPM, so a single function is
sufficient to handle both cases.
This is a prequisite for all the other fixes, so we don't have to fix
everything twice (send/receive)
v2: u16 instead of u8 for the length.
Cc: <stable@vger.kernel.org>
Fixes:
0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Benoit Houyere <benoit.houyere@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Winkler, Tomas [Sun, 5 Mar 2017 23:53:35 +0000 (01:53 +0200)]
tpm/tpm_crb: enter the low power state upon device suspend
This fix enables a platform to enter the idle state (suspend-to-idle)
The driver needs to request explicitly go_idle upon completion
from the pm suspend handler.
The runtime pm is disabled on suspend during prepare state by calling
pm_runtime_get_noresume, hence we cannot relay on runtime pm to leave
the device in low power state. Symmetrically cmdReady is called
upon resume.
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Siged-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Arnd Bergmann [Tue, 28 Feb 2017 21:12:55 +0000 (22:12 +0100)]
tpm: select CONFIG_CRYPTO
We get a newly introduced harmless warning when CONFIG_CRYPTO is disabled:
warning: (TCG_TPM && TRUSTED_KEYS && IMA) selects CRYPTO_HASH_INFO which has unmet direct dependencies (CRYPTO)
This adds another select to avoid the warning, consistent with other users
of the crypto code.
Fixes:
c1f92b4b04ad ("tpm: enhance TPM 2.0 PCR extend to support multiple banks")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Nayna Jain [Fri, 10 Mar 2017 18:45:53 +0000 (13:45 -0500)]
tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
Commit
500462a9de65 "timers: Switch to a non-cascading wheel" replaced
the 'classic' timer wheel, which aimed for near 'exact' expiry of the
timers. Their analysis was that the vast majority of timeout timers
are used as safeguards, not as real timers, and are cancelled or
rearmed before expiration. The only exception noted to this were
networking timers with a small expiry time.
Not included in the analysis was the TPM polling timer, which resulted
in a longer normal delay and, every so often, a very long delay. The
non-cascading wheel delay is based on CONFIG_HZ. For a description of
the different rings and their delays, refer to the comments in
kernel/time/timer.c.
Below are the delays given for rings 0 - 2, which explains the longer
"normal" delays and the very, long delays as seen on systems with
CONFIG_HZ 250.
* HZ 1000 steps
* Level Offset Granularity Range
* 0 0 1 ms 0 ms - 63 ms
* 1 64 8 ms 64 ms - 511 ms
* 2 128 64 ms 512 ms - 4095 ms (512ms - ~4s)
* HZ 250
* Level Offset Granularity Range
* 0 0 4 ms 0 ms - 255 ms
* 1 64 32 ms 256 ms - 2047 ms (256ms - ~2s)
* 2 128 256 ms 2048 ms - 16383 ms (~2s - ~16s)
Below is a comparison of extending the TPM with 1000 measurements,
using msleep() vs. usleep_delay() when configured for 1000 hz vs. 250
hz, before and after commit
500462a9de65.
linux-4.7 | msleep() usleep_range()
1000 hz: 0m44.628s | 1m34.497s 29.243s
250 hz: 1m28.510s | 4m49.269s 32.386s
linux-4.7 | min-max (msleep) min-max (usleep_range)
1000 hz: 0:017 - 2:760s | 0:015 - 3:967s 0:014 - 0:418s
250 hz: 0:028 - 1:954s | 0:040 - 4:096s 0:016 - 0:816s
This patch replaces the msleep() with usleep_range() calls in the
i2c nuvoton driver with a consistent max range value.
Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org (linux-4.8)
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jason Gunthorpe [Tue, 21 Feb 2017 21:14:24 +0000 (14:14 -0700)]
tpm crb: Work around BIOS's that report the wrong ACPI region size
The expectation is that the if the CRB cmd/rsp buffer falls within the
ACPI region that the entire buffer will be within the reason. Otherwise
resource reservation will fail when it crosses regions.
Work around this BIOS bug by limiting the cmd/rsp buffer to the length
of the declared ACPI region. BIOS vendors should fix this by making
the ACPI and register length declarations consistent.
Reported-by: Davide Guerri <davide.guerri@gmail.com>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Davide Guerri <davide.guerri@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Alexander Steffen [Thu, 16 Feb 2017 15:33:36 +0000 (15:33 +0000)]
tpm_tis_core: Choose appropriate timeout for reading burstcount
TIS v1.3 for TPM 1.2 and PTP for TPM 2.0 disagree about which timeout
value applies to reading a valid burstcount. It is TIMEOUT_D according to
TIS, but TIMEOUT_A according to PTP, so choose the appropriate value
depending on whether we deal with a TPM 1.2 or a TPM 2.0.
This is important since according to the PTP TIMEOUT_D is much smaller
than TIMEOUT_A. So the previous implementation could run into timeouts
with a TPM 2.0, even though the TPM was behaving perfectly fine.
During tpm2_probe TIMEOUT_D will be used even with a TPM 2.0, because
TPM_CHIP_FLAG_TPM2 is not yet set. This is fine, since the timeout values
will only be changed afterwards by tpm_get_timeouts. Until then
TIS_TIMEOUT_D_MAX applies, which is large enough.
Cc: stable@vger.kernel.org
Fixes:
aec04cbdf723 ("tpm: TPM 2.0 FIFO Interface")
Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
Signed-off-by: Peter Huewe <peter.huewe@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Mat Martineau [Mon, 27 Jun 2016 23:10:59 +0000 (16:10 -0700)]
KEYS: Add a key restriction struct
Key link restrictions require restriction-specific data as well as a
restriction-specific function pointer. As a first step toward replacing
the restrict_link pointer in struct key, define a more general
key_restriction structure that captures the required function, key, and
key type pointers. Key type modules should not be pinned on account of
this key type pointer because the pointer will be cleared by the garbage
collector if the key type is unregistered.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Tue, 30 Aug 2016 18:33:13 +0000 (11:33 -0700)]
KEYS: Split role of the keyring pointer for keyring restrict functions
The first argument to the restrict_link_func_t functions was a keyring
pointer. These functions are called by the key subsystem with this
argument set to the destination keyring, but restrict_link_by_signature
expects a pointer to the relevant trusted keyring.
Restrict functions may need something other than a single struct key
pointer to allow or reject key linkage, so the data used to make that
decision (such as the trust keyring) is moved to a new, fourth
argument. The first argument is now always the destination keyring.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Mat Martineau [Mon, 25 Apr 2016 18:30:39 +0000 (11:30 -0700)]
KEYS: Use a typedef for restrict_link function pointers
This pointer type needs to be returned from a lookup function, and
without a typedef the syntax gets cumbersome.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
David Howells [Mon, 3 Apr 2017 16:17:09 +0000 (17:17 +0100)]
Merge branch 'keys-blacklist' into keys-next
David Howells [Mon, 3 Apr 2017 15:07:25 +0000 (16:07 +0100)]
PKCS#7: Handle blacklisted certificates
PKCS#7: Handle certificates that are blacklisted when verifying the chain
of trust on the signatures on a PKCS#7 message.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Mon, 3 Apr 2017 15:07:25 +0000 (16:07 +0100)]
X.509: Allow X.509 certs to be blacklisted
Allow X.509 certs to be blacklisted based on their TBSCertificate hash.
This is convenient since we have to determine this anyway to be able to
check the signature on an X.509 certificate. This is also what UEFI uses
in its blacklist.
If a certificate built into the kernel is blacklisted, something like the
following might then be seen during boot:
X.509: Cert
123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 is blacklisted
Problem loading in-kernel X.509 certificate (-129)
where the hex string shown is the blacklisted hash.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Mon, 3 Apr 2017 15:07:24 +0000 (16:07 +0100)]
KEYS: Add a system blacklist keyring
Add the following:
(1) A new system keyring that is used to store information about
blacklisted certificates and signatures.
(2) A new key type (called 'blacklist') that is used to store a
blacklisted hash in its description as a hex string. The key accepts
no payload.
(3) The ability to configure a list of blacklisted hashes into the kernel
at build time. This is done by setting
CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
that are in the form:
"<hash>", "<hash>", ..., "<hash>"
where each <hash> is a hex string representation of the hash and must
include all necessary leading zeros to pad the hash to the right size.
The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.
Once the kernel is booted, the blacklist keyring can be listed:
root@andromeda ~]# keyctl show %:.blacklist
Keyring
723359729 ---lswrv 0 0 keyring: .blacklist
676257228 ---lswrv 0 0 \_ blacklist:
123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
The blacklist cannot currently be modified by userspace, but it will be
possible to load it, for example, from the UEFI blacklist database.
A later commit will make it possible to load blacklisted asymmetric keys in
here too.
Signed-off-by: David Howells <dhowells@redhat.com>
Elena Reshetova [Fri, 31 Mar 2017 12:20:49 +0000 (15:20 +0300)]
security, keys: convert key_user.usage from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Elena Reshetova [Fri, 31 Mar 2017 12:20:48 +0000 (15:20 +0300)]
security, keys: convert key.usage from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Dan Carpenter [Fri, 31 Mar 2017 15:21:18 +0000 (18:21 +0300)]
selinux: Fix an uninitialized variable bug
We removed this initialization as a cleanup but it is probably required.
The concern is that "nel" can be zero. I'm not an expert on SELinux
code but I think it looks possible to write an SELinux policy which
triggers this bug. GCC doesn't catch this, but my static checker does.
Fixes:
9c312e79d6af ("selinux: Delete an unnecessary variable initialisation in range_read()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Kees Cook [Wed, 29 Mar 2017 23:52:58 +0000 (16:52 -0700)]
TOMOYO: Use designated initializers
Prepare to mark sensitive kernel structures for randomization by making
sure they're using designated initializers. These were identified during
allyesconfig builds of x86, arm, and arm64, with most initializer fixes
extracted from grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Matthias Kaehlcke [Thu, 16 Mar 2017 22:26:52 +0000 (15:26 -0700)]
selinux: Remove unnecessary check of array base in selinux_set_mapping()
'perms' will never be NULL since it isn't a plain pointer but an array
of u32 values.
This fixes the following warning when building with clang:
security/selinux/ss/services.c:158:16: error: address of array
'p_in->perms' will always evaluate to 'true'
[-Werror,-Wpointer-bool-conversion]
while (p_in->perms && p_in->perms[k]) {
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Stephen Smalley [Fri, 10 Mar 2017 17:14:18 +0000 (12:14 -0500)]
fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 13:04:53 +0000 (14:04 +0100)]
selinuxfs: Use seq_puts() in sel_avc_stats_seq_show()
A string which did not contain data format specifications should be put
into a sequence. Thus use the corresponding function "seq_puts".
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 12:30:20 +0000 (13:30 +0100)]
selinux: Adjust two checks for null pointers
The script "checkpatch.pl" pointed information out like the following.
Comparison to NULL could be written !…
Thus fix affected source code places.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 12:13:19 +0000 (13:13 +0100)]
selinux: Use kmalloc_array() in sidtab_init()
A multiplication for the size determination of a memory allocation
indicated that an array data structure should be processed.
Thus use the corresponding function "kmalloc_array".
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 11:10:09 +0000 (12:10 +0100)]
selinux: Return directly after a failed kzalloc() in roles_init()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 10:20:13 +0000 (11:20 +0100)]
selinux: Return directly after a failed kzalloc() in perm_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sun, 15 Jan 2017 10:15:19 +0000 (11:15 +0100)]
selinux: Return directly after a failed kzalloc() in common_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 21:30:51 +0000 (22:30 +0100)]
selinux: Return directly after a failed kzalloc() in class_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 21:20:25 +0000 (22:20 +0100)]
selinux: Return directly after a failed kzalloc() in role_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 21:15:54 +0000 (22:15 +0100)]
selinux: Return directly after a failed kzalloc() in type_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 21:08:22 +0000 (22:08 +0100)]
selinux: Return directly after a failed kzalloc() in user_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 20:52:55 +0000 (21:52 +0100)]
selinux: Improve another size determination in sens_read()
Replace the specification of a data type by a pointer dereference
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer according to the Linux coding style convention.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 20:42:02 +0000 (21:42 +0100)]
selinux: Return directly after a failed kzalloc() in sens_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Markus Elfring [Sat, 14 Jan 2017 20:20:43 +0000 (21:20 +0100)]
selinux: Return directly after a failed kzalloc() in cat_read()
Return directly after a call of the function "kzalloc" failed
at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Tetsuo Handa [Fri, 24 Mar 2017 11:46:33 +0000 (20:46 +0900)]
LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob.
We switched from "struct task_struct"->security to "struct cred"->security
in Linux 2.6.29. But not all LSM modules were happy with that change.
TOMOYO LSM module is an example which want to use per "struct task_struct"
security blob, for TOMOYO's security context is defined based on "struct
task_struct" rather than "struct cred". AppArmor LSM module is another
example which want to use it, for AppArmor is currently abusing the cred
a little bit to store the change_hat and setexeccon info. Although
security_task_free() hook was revived in Linux 3.4 because Yama LSM module
wanted to release per "struct task_struct" security blob,
security_task_alloc() hook and "struct task_struct"->security field were
not revived. Nowadays, we are getting proposals of lightweight LSM modules
which want to use per "struct task_struct" security blob.
We are already allowing multiple concurrent LSM modules (up to one fully
armored module which uses "struct cred"->security field or exclusive hooks
like security_xfrm_state_pol_flow_match(), plus unlimited number of
lightweight modules which do not use "struct cred"->security nor exclusive
hooks) as long as they are built into the kernel. But this patch does not
implement variable length "struct task_struct"->security field which will
become needed when multiple LSM modules want to use "struct task_struct"->
security field. Although it won't be difficult to implement variable length
"struct task_struct"->security field, let's think about it after we merged
this patch.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Tested-by: Djalal Harouni <tixxdz@gmail.com>
Acked-by: José Bollo <jobol@nonadev.net>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: James Morris <james.l.morris@oracle.com>
Cc: José Bollo <jobol@nonadev.net>
Signed-off-by: James Morris <james.l.morris@oracle.com>
James Morris [Tue, 28 Mar 2017 00:03:35 +0000 (11:03 +1100)]
update to v4.11-rc4 due to memory corruption bug in rc2
Linus Torvalds [Sun, 26 Mar 2017 21:15:16 +0000 (14:15 -0700)]
Linux 4.11-rc4
Linus Torvalds [Sun, 26 Mar 2017 18:15:54 +0000 (11:15 -0700)]
Merge tag 'char-misc-4.11-rc4' of git://git./linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"A smattering of different small fixes for some random driver
subsystems. Nothing all that major, just resolutions for reported
issues and bugs.
All have been in linux-next with no reported issues"
* tag 'char-misc-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (21 commits)
extcon: int3496: Set the id pin to direction-input if necessary
extcon: int3496: Use gpiod_get instead of gpiod_get_index
extcon: int3496: Add dependency on X86 as it's Intel specific
extcon: int3496: Add GPIO ACPI mapping table
extcon: int3496: Rename GPIO pins in accordance with binding
vmw_vmci: handle the return value from pci_alloc_irq_vectors correctly
ppdev: fix registering same device name
parport: fix attempt to write duplicate procfiles
auxdisplay: img-ascii-lcd: add missing sentinel entry in img_ascii_lcd_matches
Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
Drivers: hv: vmbus: Don't leak channel ids
Drivers: hv: util: don't forget to init host_ts.lock
Drivers: hv: util: move waiting for release to hv_utils_transport itself
vmbus: remove hv_event_tasklet_disable/enable
vmbus: use rcu for per-cpu channel list
mei: don't wait for os version message reply
mei: fix deadlock on mei reset
intel_th: pci: Add Gemini Lake support
intel_th: pci: Add Denverton SOC support
intel_th: Don't leak module refcount on failure to activate
...
Linus Torvalds [Sun, 26 Mar 2017 18:05:42 +0000 (11:05 -0700)]
Merge tag 'driver-core-4.11-rc4' of git://git./linux/kernel/git/gregkh/driver-core
Pull driver core fix from Greg KH:
"Here is a single kernfs fix for 4.11-rc4 that resolves a reported
issue.
It has been in linux-next with no reported issues"
* tag 'driver-core-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
kernfs: Check KERNFS_HAS_RELEASE before calling kernfs_release_file()
Linus Torvalds [Sun, 26 Mar 2017 18:03:42 +0000 (11:03 -0700)]
Merge tag 'tty-4.11-rc4' of git://git./linux/kernel/git/gregkh/tty
Pull tty/serial driver fixes from Greg KH:
"Here are some tty and serial driver fixes for 4.11-rc4.
One of these fix a long-standing issue in the ldisc code that was
found by Dmitry Vyukov with his great fuzzing work. The other fixes
resolve other reported issues, and there is one revert of a patch in
4.11-rc1 that wasn't correct.
All of these have been in linux-next for a while with no reported
issues"
* tag 'tty-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: fix data race in tty_ldisc_ref_wait()
tty: don't panic on OOM in tty_set_ldisc()
Revert "tty: serial: pl011: add ttyAMA for matching pl011 console"
tty: acpi/spcr: QDF2400 E44 checks for wrong OEM revision
serial: 8250_dw: Fix breakage when HAVE_CLK=n
serial: 8250_dw: Honor clk_round_rate errors in dw8250_set_termios
Linus Torvalds [Sun, 26 Mar 2017 18:02:00 +0000 (11:02 -0700)]
Merge tag 'staging-4.11-rc4' of git://git./linux/kernel/git/gregkh/staging
Pull IIO driver fixes from Greg KH:
"Here are some small IIO driver fixes for 4.11-rc4 that resolve a
number of tiny reported issues. All of these have been in linux-next
for a while with no reported issues"
* tag 'staging-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
iio: imu: st_lsm6dsx: fix FIFO_CTRL2 overwrite during watermark configuration
iio: adc: ti_am335x_adc: fix fifo overrun recovery
iio: sw-device: Fix config group initialization
iio: magnetometer: ak8974: remove incorrect __exit markups
iio: hid-sensor-trigger: Change get poll value function order to avoid sensor properties losing after resume from S3
Linus Torvalds [Sun, 26 Mar 2017 17:52:52 +0000 (10:52 -0700)]
Merge tag 'usb-4.11-rc4' of git://git./linux/kernel/git/gregkh/usb
Pull USB/PHY fixes from Greg KH:
"Here are a number of small USB and PHY driver fixes for 4.11-rc4.
Nothing major here, just an bunch of small fixes, and a handfull of
good fixes from Johan for devices with crazy descriptors. There are a
few new device ids in here as well.
All of these have been in linux-next with no reported issues"
* tag 'usb-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
usb: gadget: f_hid: fix: Don't access hidg->req without spinlock held
usb: gadget: udc: remove pointer dereference after free
usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
usb: gadget: acm: fix endianness in notifications
usb: dwc3: gadget: delay unmap of bounced requests
USB: serial: qcserial: add Dell DW5811e
usb: hub: Fix crash after failure to read BOS descriptor
ACM gadget: fix endianness in notifications
USB: usbtmc: fix probe error path
USB: usbtmc: add missing endpoint sanity check
USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
usb: musb: fix possible spinlock deadlock
usb: musb: dsps: fix iounmap in error and exit paths
usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
uwb: i1480-dfu: fix NULL-deref at probe
uwb: hwa-rc: fix NULL-deref at probe
USB: wusbcore: fix NULL-deref at probe
USB: uss720: fix NULL-deref at probe
...
Linus Torvalds [Sun, 26 Mar 2017 17:34:10 +0000 (10:34 -0700)]
Merge tag 'powerpc-4.11-6' of git://git./linux/kernel/git/powerpc/linux
Pull more powerpc fixes from Michael Ellerman:
"These are all pretty minor. The fix for idle wakeup would be a bad bug
but has not been observed in practice.
The update to the gcc-plugins docs was Cc'ed to Kees and Jon, Kees
OK'ed it going via powerpc and I didn't hear from Jon.
- cxl: Route eeh events to all slices for pci_channel_io_perm_failure state
- powerpc/64s: Fix idle wakeup potential to clobber registers
- Revert "powerpc/64: Disable use of radix under a hypervisor"
- gcc-plugins: update architecture list in documentation
Thanks to: Andrew Donnellan, Nicholas Piggin, Paul Mackerras, Vaibhav
Jain"
* tag 'powerpc-4.11-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
gcc-plugins: update architecture list in documentation
Revert "powerpc/64: Disable use of radix under a hypervisor"
powerpc/64s: Fix idle wakeup potential to clobber registers
cxl: Route eeh events to all slices for pci_channel_io_perm_failure state
Linus Torvalds [Sun, 26 Mar 2017 17:29:21 +0000 (10:29 -0700)]
Merge tag 'ext4_for_linus_stable' of git://git./linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"Fix a memory leak on an error path, and two races when modifying
inodes relating to the inline_data and metadata checksum features"
* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: fix two spelling nits
ext4: lock the xattr block before checksuming it
jbd2: don't leak memory if setting up journal fails
ext4: mark inode dirty after converting inline directory
Linus Torvalds [Sat, 25 Mar 2017 22:36:56 +0000 (15:36 -0700)]
Merge tag 'fscrypt-for-linus_stable' of git://git./linux/kernel/git/tytso/fscrypt
Pull fscrypto fixes from Ted Ts'o:
"A code cleanup and bugfix for fs/crypto"
* tag 'fscrypt-for-linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt:
fscrypt: eliminate ->prepare_context() operation
fscrypt: remove broken support for detecting keyring key revocation
Linus Torvalds [Sat, 25 Mar 2017 22:31:50 +0000 (15:31 -0700)]
Merge tag 'hwmon-for-linus-v4.11-rc4' of git://git./linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
- bug fixes in asus_atk0110, it87 and max31790 drivers
- added missing API definition to hwmon core
* tag 'hwmon-for-linus-v4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (asus_atk0110) fix uninitialized data access
hwmon: Add missing HWMON_T_ALARM
hwmon: (it87) Avoid registering the same chip on both SIO addresses
hwmon: (max31790) Set correct PWM value
Linus Torvalds [Sat, 25 Mar 2017 22:25:58 +0000 (15:25 -0700)]
Merge tag 'for-linus' of git://git./linux/kernel/git/dledford/rdma
Pull rdma fixes from Doug Ledford:
"This has been a slow -rc cycle for the RDMA subsystem. We really
haven't had a lot of rc fixes come in. This pull request is the first
of this entire rc cycle and it has all of the suitable fixes so far
and it's still only about 20 patches. The fix for the minor breakage
cause by the dma mapping patchset is in here, as well as a couple
other potential oops fixes, but the rest is more minor.
Summary:
- fix for dma_ops change in this kernel, resolving the s390, powerpc,
and IOMMU operation
- a few other oops fixes
- the rest are all minor fixes"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
IB/qib: fix false-postive maybe-uninitialized warning
RDMA/iser: Fix possible mr leak on device removal event
IB/device: Convert ib-comp-wq to be CPU-bound
IB/cq: Don't process more than the given budget
IB/rxe: increment msn only when completing a request
uapi: fix rdma/mlx5-abi.h userspace compilation errors
IB/core: Restore I/O MMU, s390 and powerpc support
IB/rxe: Update documentation link
RDMA/ocrdma: fix a type issue in ocrdma_put_pd_num()
IB/rxe: double free on error
RDMA/vmw_pvrdma: Activate device on ethernet link up
RDMA/vmw_pvrdma: Dont hardcode QP header page
RDMA/vmw_pvrdma: Cleanup unused variables
infiniband: Fix alignment of mmap cookies to support VIPT caching
IB/core: Protect against self-requeue of a cq work item
i40iw: Receive netdev events post INET_NOTIFIER state
Linus Torvalds [Sat, 25 Mar 2017 22:13:55 +0000 (15:13 -0700)]
Merge branch 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit
Pull audit fix from Paul Moore:
"We've got an audit fix, and unfortunately it is big.
While I'm not excited that we need to be sending you something this
large during the -rcX phase, it does fix some very real, and very
tangled, problems relating to locking, backlog queues, and the audit
daemon connection.
This code has passed our testsuite without problem and it has held up
to my ad-hoc stress tests (arguably better than the existing code),
please consider pulling this as fix for the next v4.11-rcX tag"
* 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit:
audit: fix auditd/kernel connection state tracking
Theodore Ts'o [Sat, 25 Mar 2017 21:33:31 +0000 (17:33 -0400)]
ext4: fix two spelling nits
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Sat, 25 Mar 2017 21:22:47 +0000 (17:22 -0400)]
ext4: lock the xattr block before checksuming it
We must lock the xattr block before calculating or verifying the
checksum in order to avoid spurious checksum failures.
https://bugzilla.kernel.org/show_bug.cgi?id=193661
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Linus Torvalds [Sat, 25 Mar 2017 17:34:56 +0000 (10:34 -0700)]
Merge tag 'clk-fixes-for-linus' of git://git./linux/kernel/git/clk/linux
Pull clk fixes from Stephen Boyd:
"A handful of Sunxi and Rockchip clk driver fixes and a core framework
one where we need to copy a string because we can't guarantee it isn't
freed sometime later"
* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
clk: sunxi-ng: fix recalc_rate formula of NKMP clocks
clk: sunxi-ng: Fix div/mult settings for osc12M on A64
clk: rockchip: Make uartpll a child of the gpll on rk3036
clk: rockchip: add "," to mux_pll_src_apll_dpll_gpll_usb480m_p on rk3036
clk: core: Copy connection id
dt-bindings: arm: update Armada CP110 system controller binding
clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module clock
clk: sunxi: ccu-sun5i needs nkmp
clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
Arnd Bergmann [Tue, 14 Mar 2017 12:18:45 +0000 (13:18 +0100)]
IB/qib: fix false-postive maybe-uninitialized warning
aarch64-linux-gcc-7 complains about code it doesn't fully understand:
drivers/infiniband/hw/qib/qib_iba7322.c: In function 'qib_7322_txchk_change':
include/asm-generic/bitops/non-atomic.h:105:35: error: 'shadow' may be used uninitialized in this function [-Werror=maybe-uninitialized]
The code is right, and despite trying hard, I could not come up with a version
that I liked better than just adding a fake initialization here to shut up the
warning.
Fixes:
f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Sagi Grimberg [Mon, 27 Feb 2017 18:16:33 +0000 (20:16 +0200)]
RDMA/iser: Fix possible mr leak on device removal event
When the rdma device is removed, we must cleanup all
the rdma resources within the DEVICE_REMOVAL event
handler to let the device teardown gracefully. When
this happens with live I/O, some memory regions are
occupied. Thus, track them too and dereg all the mr's.
We are safe with mr access by iscsi_iser_cleanup_task.
Reported-by: Raju Rangoju <rajur@chelsio.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>