If a user provides a buffer larger than a tty->write_buf chunk and
passes '\r' at the end of the buffer, we touch an out-of-bound memory.

Add a check there to prevent this.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: stable@vger.kernel.org (everything maintained past v2.6.37)
Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When the tty_printk driver fails to create a node in sysfs, the system
crashes. It is because the driver registers a tty driver and frees it
without deregistering it first. The fix is easy: add a call to
tty_unregister_driver to the fail path.

This is very unlikely to happen in usual environment => no need for
stable.

The crash occurs at some place where we iterate over tty drivers
first. It may look like this:
BUG: unable to handle kernel paging request at ffffffffffffff84
IP: [<ffffffff81278d56>] tty_open+0xd6/0x650
PGD 1a0d067 PUD 1a0e067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in:
CPU 0
Pid: 1183, comm: boot.localnet Tainted: G        W    3.5.0-rc7-next-20120716+ #369 Bochs Bochs
RIP: 0010:[<ffffffff81278d56>]  [<ffffffff81278d56>] tty_open+0xd6/0x650
RSP: 0018:ffff8800162b3b98  EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff880016ba6200 RCX: 0000000000002208
RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffffffff81a35080
RBP: ffff8800162b3c08 R08: ffffffff81276f42 R09: 0000000000400040
R10: ffff8800161dc005 R11: ffff8800188ee048 R12: 0000000000000000
R13: ffffffffffffff58 R14: 0000000000400040 R15: 0000000000008000
FS:  00007f3684abd700(0000) GS:ffff880018e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff84 CR3: 000000001503e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process boot.localnet (pid: 1183, threadinfo ffff8800162b2000, task ffff8800188c5880)
Stack:
 ffff8800162b3c08 ffffffff81363d63 ffffffff81a62940 ffff8800189b4e88
 ffff8800188c5880 ffffffff81123180 0000000000000000 ffffffff18b20600
 0000000000000000 ffff8800189b4e88 ffff880016ba6200 ffff880018b20600
Call Trace:
 [<ffffffff81363d63>] ? kobj_lookup+0x103/0x160
 [<ffffffff81123180>] ? mount_fs+0x110/0x110
 [<ffffffff81123a9c>] chrdev_open+0x9c/0x1a0
 [<ffffffff81123a00>] ? cdev_put+0x30/0x30
 [<ffffffff8111de76>] do_dentry_open.isra.19+0x1e6/0x270
 [<ffffffff8111df65>] finish_open+0x65/0xa0
 [<ffffffff8112dc9e>] do_last.isra.52+0x26e/0xd80
 [<ffffffff8112b163>] ? inode_permission+0x13/0x50
 [<ffffffff8112b203>] ? link_path_walk+0x63/0x940
 [<ffffffff8112e85b>] path_openat+0xab/0x3d0
 [<ffffffff8112ef5d>] do_filp_open+0x3d/0xa0
 [<ffffffff8113ba72>] ? alloc_fd+0xd2/0x120
 [<ffffffff8111eee3>] do_sys_open+0xf3/0x1d0
 [<ffffffff8111efdc>] sys_open+0x1c/0x20
 [<ffffffff815b5fe2>] system_call_fastpath+0x16/0x1b
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Unregister from the hwrng interface and remove the vq before entering
the S3 or S4 states.  Add the vq and re-register with hwrng on restore.
Signed-off-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

The freeze/restore s3/s4 operations will use code that's common to the
probe and remove routines.  Put the common code in separate funcitons.
Signed-off-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

No use waiting for input from host when the module is being removed.
We're going to remove the vq in the next step anyway, so just perform
any other steps for cleanup (currently none).
Signed-off-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

Use wait_for_completion_killable() instead of wait_for_completion() when
waiting for the host to send us entropy.  Without this,

  # cat /dev/hwrng
  ^C

just hangs.
Signed-off-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

Mix in any architectural randomness in extract_buf() instead of
xfer_secondary_buf().  This allows us to mix in more architectural
randomness, and it also makes xfer_secondary_buf() faster, moving a
tiny bit of additional CPU overhead to process which is extracting the
randomness.

[ Commit description modified by tytso to remove an extended
  advertisement for the RDRAND instruction. ]
Signed-off-by: NH. Peter Anvin <hpa@linux.intel.com>
Acked-by: NIngo Molnar <mingo@kernel.org>
Cc: DJ Johnston <dj.johnston@intel.com>
Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org

The following build error occured during a ia64 build with
swap-over-NFS patches applied.

net/core/sock.c:274:36: error: initializer element is not constant
net/core/sock.c:274:36: error: (near initialization for 'memalloc_socks')
net/core/sock.c:274:36: error: initializer element is not constant

This is identical to a parisc build error. Fengguang Wu, Mel Gorman
and James Bottomley did all the legwork to track the root cause of
the problem. This fix and entire commit log is shamelessly copied
from them with one extra detail to change a dubious runtime use of
ATOMIC_INIT() to atomic_set() in drivers/char/mspec.c

Dave Anglin says:
> Here is the line in sock.i:
>
> struct static_key memalloc_socks = ((struct static_key) { .enabled =
> ((atomic_t) { (0) }) });

The above line contains two compound literals.  It also uses a designated
initializer to initialize the field enabled.  A compound literal is not a
constant expression.

The location of the above statement isn't fully clear, but if a compound
literal occurs outside the body of a function, the initializer list must
consist of constant expressions.

Cc: <stable@vger.kernel.org>
Signed-off-by: NTony Luck <tony.luck@intel.com>

Many platforms have per-machine instance data (serial numbers,
asset tags, etc.) squirreled away in areas that are accessed
during early system bringup. Mixing this data into the random
pools has a very high value in providing better random data,
so we should allow (and even encourage) architecture code to
call add_device_randomness() from the setup_arch() paths.

However, this limits our options for internal structure of
the random driver since random_initialize() is not called
until long after setup_arch().

Add a big fat comment to rand_initialize() spelling out
this requirement.
Suggested-by: NTheodore Ts'o <tytso@mit.edu>
Signed-off-by: NTony Luck <tony.luck@intel.com>
Signed-off-by: NTheodore Ts'o <tytso@mit.edu>

Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
Cc: linux-mips@linux-mips.org
Cc: mpm@selenic.com
Cc: herbert@gondor.apana.org.au
Patchwork: https://patchwork.linux-mips.org/patch/3327/
Patchwork: https://patchwork.linux-mips.org/patch/4072/Signed-off-by: NRalf Baechle <ralf@linux-mips.org>

This watchdog driver had ioctl defines introduced locally
for pre timeout handling, marked to be removed as soon as
a generic replacement would become available.

The latter has actually occurred in 2006, at e05b59fe.

Remove the local duplicates for pre timeout handling.
Signed-off-by: NOskar Schirmer <oskar@scara.com>
Acked-by: NCorey Minyard <cminyard@mvista.com>
Signed-off-by: NWim Van Sebroeck <wim@iguana.be>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>

Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

With the new interrupt sampling system, we are no longer using the
timer_rand_state structure in the irq descriptor, so we can stop
initializing it now.

[ Merged in fixes from Sedat to find some last missing references to
  rand_initialize_irq() ]
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: NSedat Dilek <sedat.dilek@gmail.com>

class_create if succeeded returns a pointer to the struct class,
and if it fails, it returns a value enclosed by the pointer, which
can be read by using PTR_ERR.

Handle the error and return it.

result is for error checking of the alloc_chrdev_region, instead
ret can be used, and also if the alloc_chrdev_region fail,
we are still returning -ENODEV, use ret and the error path will
take care of returning of the ret.
Signed-off-by: NDevendra Naga <develkernel412222@gmail.com>
Acked-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This resolves the differences between the original 8250 patch, the revised 8250 patch
and the independant clean up of the octeon driver (to use platform devices properly yay!)
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>

Create a new function, get_random_bytes_arch() which will use the
architecture-specific hardware random number generator if it is
present.  Change get_random_bytes() to not use the HW RNG, even if it
is avaiable.

The reason for this is that the hw random number generator is fast (if
it is present), but it requires that we trust the hardware
manufacturer to have not put in a back door.  (For example, an
increasing counter encrypted by an AES key known to the NSA.)

It's unlikely that Intel (for example) was paid off by the US
Government to do this, but it's impossible for them to prove otherwise
--- especially since Bull Mountain is documented to use AES as a
whitener.  Hence, the output of an evil, trojan-horse version of
RDRAND is statistically indistinguishable from an RDRAND implemented
to the specifications claimed by Intel.  Short of using a tunnelling
electronic microscope to reverse engineer an Ivy Bridge chip and
disassembling and analyzing the CPU microcode, there's no way for us
to tell for sure.

Since users of get_random_bytes() in the Linux kernel need to be able
to support hardware systems where the HW RNG is not present, most
time-sensitive users of this interface have already created their own
cryptographic RNG interface which uses get_random_bytes() as a seed.
So it's much better to use the HW RNG to improve the existing random
number generator, by mixing in any entropy returned by the HW RNG into
/dev/random's entropy pool, but to always _use_ /dev/random's entropy
pool.

This way we get almost of the benefits of the HW RNG without any
potential liabilities.  The only benefits we forgo is the
speed/performance enhancements --- and generic kernel code can't
depend on depend on get_random_bytes() having the speed of a HW RNG
anyway.

For those places that really want access to the arch-specific HW RNG,
if it is available, we provide get_random_bytes_arch().
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

If the CPU supports a hardware random number generator, use it in
xfer_secondary_pool(), where it will significantly improve things and
where we can afford it.

Also, remove the use of the arch-specific rng in
add_timer_randomness(), since the call is significantly slower than
get_cycles(), and we're much better off using it in
xfer_secondary_pool() anyway.
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

Add a new interface, add_device_randomness() for adding data to the
random pool that is likely to differ between two devices (or possibly
even per boot).  This would be things like MAC addresses or serial
numbers, or the read-out of the RTC. This does *not* add any actual
entropy to the pool, but it initializes the pool to different values
for devices that might otherwise be identical and have very little
entropy available to them (particularly common in the embedded world).

[ Modified by tytso to mix in a timestamp, since there may be some
  variability caused by the time needed to detect/configure the hardware
  in question. ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

The real-time Linux folks don't like add_interrupt_randomness() taking
a spinlock since it is called in the low-level interrupt routine.
This also allows us to reduce the overhead in the fast path, for the
random driver, which is the interrupt collection path.
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

We've been moving away from add_interrupt_randomness() for various
reasons: it's too expensive to do on every interrupt, and flooding the
CPU with interrupts could theoretically cause bogus floods of entropy
from a somewhat externally controllable source.

This solves both problems by limiting the actual randomness addition
to just once a second or after 64 interrupts, whicever comes first.
During that time, the interrupt cycle data is buffered up in a per-cpu
pool.  Also, we make sure the the nonblocking pool used by urandom is
initialized before we start feeding the normal input pool.  This
assures that /dev/urandom is returning unpredictable data as soon as
possible.

(Based on an original patch by Linus, but significantly modified by
tytso.)
Tested-by: NEric Wustrow <ewust@umich.edu>
Reported-by: NEric Wustrow <ewust@umich.edu>
Reported-by: NNadia Heninger <nadiah@cs.ucsd.edu>
Reported-by: NZakir Durumeric <zakir@umich.edu>
Reported-by: J. Alex Halderman <jhalderm@umich.edu>.
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org

Some power systems do not have legacy ISA devices. So, /dev/port is not
a valid interface on these systems. User level tools such as kbdrate is
trying to access the device using this interface which is causing the
system crash.

This patch will fix this issue by not creating this interface on these
powerpc systems.
Signed-off-by: NHaren Myneni <haren@us.ibm.com>
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>

This patch supports Exynos SOC's PRNG driver. Exynos's PRNG has 5 seeds and
5 random number outputs. Module is excuted under runtime power management control,
so it activates only while it's in use. Otherwise it will be suspended generally.
It was tested on PQ board by rngtest program.
Signed-off-by: NJonghwa Lee <jonghwa3.lee@samsung.com>
Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com>
Reviewed-by: NStephen Boyd <sboyd@codeaurora.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The legacy PM callbacks provided by the IPMI PCI driver are
empty routines returning 0, so they can be safely dropped.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>
Acked-by: NCorey Minyard <cminyard@mvista.com>

Make the tpm_nsc driver define its PM callbacks through
a struct dev_pm_ops object rather than by using legacy PM hooks
in struct platform_driver.

This allows the driver to use tpm_pm_suspend() and tpm_pm_resume()
as its PM callbacks directly, without defining its own PM callback
routines.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

Make the tpm_tis driver define its PM callbacks through
a struct dev_pm_ops object rather than by using legacy PM hooks
in struct platform_driver.

This allows the driver to use tpm_pm_suspend() as its suspend
callback directly, without defining its own suspend callback
routine.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

Make the tpm_atmel driver define its PM callbacks through
a struct dev_pm_ops object rather than by using legacy PM hooks
in struct platform_driver.

This allows the driver to use tpm_pm_suspend() and tpm_pm_resume()
as its PM callbacks directly, without defining its own PM callback
routines.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

The tpm_pm_suspend()'s second argument of type pm_message_t is not
used, so remove it.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

Make the omap-rng driver define its PM callbacks through
a struct dev_pm_ops object rather than by using legacy PM hooks
in struct platform_driver.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>

Add extern and static declarations to suppress sparse warnings
Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>

Make the sonypi driver define its PM callbacks through
a struct dev_pm_ops object rather than by using legacy PM hooks
in struct acpi_device_ops.
Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>
Acked-by: NMattia Dongili <malattia@linux.it>

Commit 45001e92, which added support for RNGA, ignored the previous commit
984e976f, which changed the data_present API.

Cc: Matt Mackall <mpm@selenic.com>
Cc: Sascha Hauer <kernel@pengutronix.de>
Cc: Alan Carvalho de Assis <acassis@gmail.com>
Cc: <linux-arm-kernel@lists.infradead.org>
Signed-off-by: NBenoît Thébaudeau <benoit.thebaudeau@advansee.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

drm/i915 now takes care itself of setting up the gtt for
these chips.
Reviewed-by: NEugeni Dodonov <eugeni.dodonov@intel.com>
Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>

VLV is a gen7 device, but we don't currently handle that in the switch.
So add it and write the PTEs correctly.
Signed-off-by: NJesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>

The PTE format is similar to SNB, but we don't support an MLC and don't
need chipset flushing.

Note: I have my questions whether this is right, given that MLC died
for snb & ivb, that ivb has grown a L3$ cache instead (which vlv seems
to have, too) and that the LLC bit here isn't actually LLC, but just
means 'snoop cpu caches'.

But I plan to burn this all with the heat of a thousands suns in my
gtt rework, so who cares ;-)
Signed-off-by: NJesse Barnes <jbarnes@virtuousgeek.org>
[danvet: Added note.]
Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>

If a driver calls tpm_dev_vendor_release for a device already released
then the driver will oops.
Signed-off-by: NAndi Shyti <andi.shyti@gmail.com>
Signed-off-by: NPeter Huewe <peterhuewe@gmx.de>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adding proper kfree() before returning.
Signed-off-by: NWanlong Gao <gaowanlong@cn.fujitsu.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

tpm_do_selftest() attempts to read a PCR in order to
decide if one can rely on the TPM being used or not.
The function that's used by __tpm_pcr_read() does not
expect the TPM to be disabled or deactivated, and if so,
reports an error.

It's fine if the TPM returns this error when trying to
use it for the first time after a power cycle, but it's
definitely not if it already returned success for a
previous attempt to read one of its PCRs.

The tpm_do_selftest() was modified so that the driver only
reports this return code as an error when it really is.
Reported-and-tested-by: NPaul Bolle <pebolle@tiscali.nl>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Usual contact update, Debora Velarde role resign, and the new
co-maintainer inclusion, Kent Yoder. He's accepted to contribute
more actively to this driver's maintainership given the current
maintainer's slight career change that will affect his contribution
time.

[Replacing Debora Velarde by Kent Yoder]
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

When drm/i915 is in control of the gtt, we need to call
the enable function at all the relevant places ourselves.
Reviewed-by: NJani Nikula <jani.nikula@linux.intel.com>
Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>