This patch delays the (ACPI S3) suspend while the TPM is busy processing a
command and the TPM TIS driver is run in interrupt mode. This is the same
behavior as we already have it for the TPM TIS driver in polling mode.

Reasoning: Some of the TPM's commands advance the internal state of the TPM.
An example would be the extending of one of its PCR registers. Upper layers,
such as IMA or TSS (TrouSerS), would certainly want to be sure that the
command succeeded rather than getting an error code (-62 = -ETIME) that may
not give a conclusive answer as for what reason the command failed. Reissuing
such a command would put the TPM into the wrong state, so waiting for it to
finish is really the only option.

The downside is that some commands (key creation) can take a long time and
actually prevent the machine from entering S3 at all before the 20 second
timeout of the power management subsystem arrives.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch makes sure that if the TPM TIS interface is run in interrupt mode
(rather than polling mode) that all interrupts are enabled in the TPM's
interrupt enable register after a resume from ACPI S3 suspend. The registers
may either have been cleared by the TPM loosing its state during device sleep
or by the BIOS leaving the TPM in polling mode (after sending a command to
the TPM for starting it up again)

You may want to check if your TPM runs with interrupts by doing

cat /proc/interrupts | grep -i tpm

and see whether there is an entry or otherwise for it to use interrupts:

modprobe tpm_tis interrupts=1 [add 'itpm=1' for Intel TPM ]

v2:
  - the patch was adapted to work with the pnp and platform driver
    implementations in tpm_tis.c
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

This patch fixes the TPM's pubek sysfs entry that is accessible as long
as the TPM doesn't have an owner. It was necessary to shift the access to the
data by -10 -- the first byte immediately follows the 10 byte header. The
line

 	data = tpm_cmd.params.readpubek_out_buffer;

sets it at the offset '10' in the packet, so we can read the data array
starting at offset '0'.

Before:

Algorithm: 00 0C 00 00
Encscheme: 08 00
Sigscheme: 00 00
Parameters: 00 00 00 00 01 00 AC E2 5E 3C A0 78
Modulus length: -563306801
Modulus:
28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C
43 78 B1 24 EA 52 E2 FE 52 5C 3A 12 3B DC 61 71
[...]

After:

Algorithm: 00 00 00 01
Encscheme: 00 03
Sigscheme: 00 01
Parameters: 00 00 08 00 00 00 00 02 00 00 00 00
Modulus length: 256
Modulus:
AC E2 5E 3C A0 78 DE 6C 9E CF 28 21 08 0F 82 CD
F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52
[...]
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Display the TPM's interface timeouts in a 'timeouts' sysfs entry. Display
the entries as having been adjusted when they were scaled due to their values
being reported in milliseconds rather than microseconds.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adjust the interface timeouts if they are found to be too small, i.e., if
they are returned in milliseconds rather than microseconds as we heared
from Infineon that some (old) Infineon TPMs do.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

The TPM driver currently discards the interface timeout values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 4 interface timeout indicators of type u32.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Display the TPM's command timeouts in a 'durations' sysfs entry. Display
the entries as having been adjusted when they were scaled due to their values
being reported in milliseconds rather than microseconds.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

Adjust the durations if they are found to be too small, i.e., if they are
returned in milliseconds rather than microseconds as some Infineon TPMs are
reported to do.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

The TPM driver currently discards the durations values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 3 timeout indicators of type u32.

v4:
- sysfs entry 'durations' is now a patch of its own
- the work-around for TPMs reporting durations in milliseconds is now in a
  patch of its own

v3:
- sysfs entry now called 'durations' to resemble TPM-speak (previously
  was called 'timeouts')

v2:
- adjusting all timeouts for TPM devices reporting timeouts in msec rather
  than usec
- also displaying in sysfs whether the timeouts are 'original' or 'adjusted'
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: NGuillaume Chazarain <guichaz@gmail.com>
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>

When interrupts are delayed due to interrupt masking or due to other
interrupts being serviced the HPET periodic-emuation would fail.  This
happened because given an interval t and a time for the current interrupt
m we would compute the next time as t + m.  This works until we are
delayed for > t, in which case we would be writing a new value which is in
fact in the past.

This can be solved by computing the next time instead as (k * t) + m where
k is large enough to be in the future.  The exact computation of k is
described in a comment to the code.

More detail:

Assuming an interval of 5 between each expected interrupt we have a normal
case of

t0: interrupt, read t0 from comparator, set next interrupt t0 + 5
t5: interrupt, read t5 from comparator, set next interrupt t5 + 5
t10: interrupt, read t10 from comparator, set next interrupt t10 + 5
...

So, what happens when the interrupt is serviced too late?

t0: interrupt, read t0 from comparator, set next interrupt t0 + 5
t11: delayed interrupt serviced, read t5 from comparator, set next
interrupt t5 + 5, which is in the past!
... counter loops ...
t10: Much much later, get the next interrupt.

This can happen either because we have interrupts masked for too long
(some stupid driver goes on a printk rampage) or just because we are
pushing the limits of the interval (too small a period), or both most
probably.

My solution is to read the main counter as well and set the next interrupt
to occur at the right interval, for example:

t0: interrupt, read t0 from comparator, set next interrupt t0 + 5
t11: delayed interrupt serviced, read t5 from comparator, set next
interrupt t15 as t10 has been missed.
t15: back on track.
Signed-off-by: NNils Carlson <nils.carlson@ericsson.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

That's already been done by the virtio infrastructure before the probe
function is called.

Reported-by: alexey.kardashevskiy@au1.ibm.com
Acked-by: NAmit Shah <amit.shah@redhat.com>
Tested-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

parport_find_number() calls parport_get_port() on its result, so there
should be a corresponding call to parport_put_port() before dropping the
reference.  Similar code is found in the function register_device() in the
same file.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

  // <smpl>
  @exists@
  local idexpression struct parport * x;
  expression ra,rr;
  statement S1,S2;
  @@

  x = parport_find_number(...)
  ... when != x = rr
      when any
      when != parport_put_port(x,...)
      when != if (...) { ... parport_put_port(x,...) ...}
  (
  if(<+...x...+>) S1 else S2
  |
  if(...) { ... when != x = ra
       when forall
       when != parport_put_port(x,...)
  *return...;
  }
  )
  // </smpl>
Signed-off-by: NJulia Lawall <julia@diku.dk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Let memory allocator initialize the allocated memory as null, thus remove
the use of memset.
Signed-off-by: NRakib Mullick <rakib.mullick@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The ->read_proc interface is going away, convert to seq_file.
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Cc:Corey Minyard <minyard@acm.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Let i8k create an hwmon class device so that libsensors will expose
the CPU temperature and fan speeds to monitoring applications.
Signed-off-by: NJean Delvare <khali@linux-fr.org>
Acked-by: NGuenter Roeck <guenter.roeck@ericsson.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Massimo Dal Zotto <dz@debian.org>

i8k uses lahf to read the flag register in 64-bit code; early x86-64
CPUs, however, lack this instruction and we get an invalid opcode
exception at runtime.
Use pushf to load the flag register into the stack instead.
Signed-off-by: NLuca Tettamanti <kronos.it@gmail.com>
Reported-by: NJeff Rickman <jrickman@myamigos.us>
Tested-by: NJeff Rickman <jrickman@myamigos.us>
Tested-by: NHarry G McGavran Jr <w5pny@arrl.net>
Cc: stable@kernel.org
Cc: Massimo Dal Zotto <dz@debian.org>
Signed-off-by: NJean Delvare <khali@linux-fr.org>

apm_mutex is locked by a process (e.g. apm -s) at the start of apm_ioctl() and
remains locked while pm_suspend() is called. Any subsequent process trying to
ACK the suspend (e.g. apmd) is then blocked at the start of apm_ioctl(),
causing the suspend to be delayed for 5 seconds in apm_suspend_notifier()
while the ACK times out. In short, ACKs don't work.

The driver's data structures are sufficiently protected by assorted locks. And
pm_suspend() has its own mutex to prevent reentrancy. Consequently there is no
obvious requirement for apm_mutex, which evolved from earlier BKL calls. So
let's remove it.
Signed-off-by: NPaul Parsons <lost.distance@yahoo.com>
Acked-by: NRafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

This was based on a description by Ben Herrenschmidt:

> I've removed that SBA reset from the normal TLB invalidation path and
> left it only once after turning AGP on.

About six months ago, he said:

> I did it a bit differently, but yeah, you get the idea. I'm doing a
> patch series so don't bother pushing things too hard yet.

But I haven't seen anything from him about this since then, and people are
regularly hitting these lockups, so here we are...
Signed-off-by: NMichel Dänzer <daenzer@vmware.com>
Acked-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NDave Airlie <airlied@gmail.com>

Commit b826291c, "drivercore/dt: add a match table pointer to struct
device" added an of_match pointer to struct device to cache the
of_match_table entry discovered at driver match time.  This was unsafe
because matching is not an atomic operation with probing a driver.  If
two or more drivers are attempted to be matched to a driver at the
same time, then the cached matching entry pointer could get
overwritten.

This patch reverts the of_match cache pointer and reworks all users to
call of_match_device() directly instead.
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>

Just use the Sandy Bridge routines.
Signed-off-by: NJesse Barnes <jbarnes@virtuousgeek.org>
Reviewed-by: NKeith Packard <keithp@keithp.com>
Signed-off-by: NKeith Packard <keithp@keithp.com>

If cdev_add() fails, there is no justification for subsequently
calling kobject_put().
Signed-off-by: NRobert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Allow setting of maximal number of raw devices as a module parameter. This
requires changing of static array into a vmalloced one (the array is going to
be too large for kmalloc).
Signed-off-by: NJan Kara <jack@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Saves about 50KB of data.

Old/new size of all objects:
   text	   data	    bss	    dec	    hex	filename
 563015	  80096	 130684	 773795	  bcea3	(TOTALS)
 610916	  32256	 130632	 773804	  bceac	(TOTALS)
Signed-off-by: NJoe Perches <joe@perches.com>
Acked-by: Kurt Van Dijck <kurt.van.dijck@eia.be> (for drivers/net/can/softing/softing_cs.c)
Signed-off-by: NDominik Brodowski <linux@dominikbrodowski.net>

Remove the unnecessary initialization of "dev_t bsr_dev" since it's
subsequently used in an "alloc_chrdev_region()" call which uses that
variable in an output-only fashion.
Signed-off-by: NRobert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>

PPC 970FX Evaluation kit (Maple) boards bear AMD8111 southbridge.
Allow this driver to be compiled in if PPC_MAPLE is selected.
Signed-off-by: NDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Acked-by: NMatt Mackall <mpm@selenic.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

As amd driver doesn't bind to PCI device, we'd better manage reource
allocation on our own to disallow (possible) conflicts.
Signed-off-by: NDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Acked-by: NMatt Mackall <mpm@selenic.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This call was disabled as hot-unplugging one virtconsole port led to
another virtconsole port freezing.

Upon testing it again, this now works, so enable it.

In addition, a bug was found in qemu wherein removing a port of one type
caused the guest output from another port to stop working.  I doubt it
was just this bug that caused it (since disabling the hvc_remove() call
did allow other ports to continue working), but since it's all solved
now, we're fine with hot-unplugging of virtconsole ports.
Signed-off-by: NAmit Shah <amit.shah@redhat.com>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>

pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl
cmds of agp_ioctl() and passed to agpioc_bind_wrap().  As said in the
comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND,
and it is not checked at all in case of AGPIOC_UNBIND.  As a result, user
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.
Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

page_count is copied from userspace.  agp_allocate_memory() tries to
check whether this number is too big, but doesn't take into account the
wrap case.  Also agp_create_user_memory() doesn't check whether
alloc_size is calculated from num_agp_pages variable without overflow.
This may lead to allocation of too small buffer with following buffer
overflow.

Another problem in agp code is not addressed in the patch - kernel memory
exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls).  It is not checked
whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()).
Each allocation is limited to 16KB, though, there is no per-process limit.
This might lead to OOM situation, which is not even solved in case of the
caller death by OOM killer - the memory is allocated for another (faked) process.
Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

make `len' size_t, avoid multiple-assignments.

Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Lennart Poettering <lennart@poettering.net>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

printk: /dev/kmsg - properly support writev() to avoid interleaved printk lines

We should avoid calling printk() in a loop, when we pass a single
string to /dev/kmsg with writev().

Cc: Lennart Poettering <lennart@poettering.net>
Signed-off-by: NKay Sievers <kay.sievers@vrfy.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: NLucas De Marchi <lucas.demarchi@profusion.mobi>

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.
Reported-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NMarcel Selhorst <m.selhorst@sirrix.com>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Reduce the lines of code and simplify the logic.
Signed-off-by: NChangli Gao <xiaosuo@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Add smd_pkt driver which provides device interface to smd packet ports.
Signed-off-by: NNiranjana Vishwanathapura <nvishwan@codeaurora.org>
Cc: Brian Swetland <swetland@google.com>
Cc: Greg KH <gregkh@suse.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: David Brown <davidb@codeaurora.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

commit d2478521 ("char/ipmi: fix OOPS caused by
pnp_unregister_driver on unregistered driver") introduced a section
mismatch by calling __exit cleanup_ipmi_si from __devinit init_ipmi_si.

Remove __exit annotation from cleanup_ipmi_si.
Signed-off-by: NSergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: NCorey Minyard <cminyard@mvista.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Replace EXTRA_CFLAGS with ccflags-y.
Signed-off-by: Nmatt mooney <mfm@muteddisk.com>
Acked-by: NWANG Cong <xiyou.wangcong@gmail.com>
Signed-off-by: NMichal Marek <mmarek@suse.cz>

This patch fixes an issue in OpenIPMI module where sometimes an ABORT command
is sent after sending an IPMI request to BMC causing the IPMI request to fail.
Signed-off-by: NYiCheng Doe <yicheng.doe@hp.com>
Signed-off-by: NCorey Minyard <cminyard@mvista.com>
Acked-by: NTom Mingarelli <thomas.mingarelli@hp.com>
Tested-by: NAndy Cress <andy.cress@us.kontron.com>
Tested-by: NMika Lansirine <Mika.Lansirinne@stonesoft.com>
Tested-by: NBrian De Wolf <bldewolf@csupomona.edu>
Cc: Jean Michel Audet <Jean-Michel.Audet@ca.Kontron.com>
Cc: Jozef Sudelsky <jozef.sudolsky@elbiahosting.sk>
Acked-by: NMatthew Garrett <mjg@redhat.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The file is required by the specialix driver, which was
moved to drivers/staging/.
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

I forgot to move the digi*.h files from drivers/char/ to
drivers/staging/tty/

Thanks to Randy for pointing out the issue.
Reported-by: NRandy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>