From 7e8aa048989bf7e0604996a3e2068fb1a81f81bd Mon Sep 17 00:00:00 2001 From: Thomas Meyer Date: Thu, 25 Aug 2011 15:59:09 -0700 Subject: drivers/char/msm_smd_pkt.c: don't use IS_ERR() The various basic memory allocation function return NULL, not an ERR_PTR. The semantic patch that makes this change is available in scripts/coccinelle/null/eno.cocci. More information about semantic patching is available at http://coccinelle.lip6.fr/ Signed-off-by: Thomas Meyer Cc: Niranjana Vishwanathapura Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/msm_smd_pkt.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/msm_smd_pkt.c b/drivers/char/msm_smd_pkt.c index b6f8a65..8eca55d 100644 --- a/drivers/char/msm_smd_pkt.c +++ b/drivers/char/msm_smd_pkt.c @@ -379,9 +379,8 @@ static int __init smd_pkt_init(void) for (i = 0; i < NUM_SMD_PKT_PORTS; ++i) { smd_pkt_devp[i] = kzalloc(sizeof(struct smd_pkt_dev), GFP_KERNEL); - if (IS_ERR(smd_pkt_devp[i])) { - r = PTR_ERR(smd_pkt_devp[i]); - pr_err("kmalloc() failed %d\n", r); + if (!smd_pkt_devp[i]) { + pr_err("kmalloc() failed\n"); goto clean_cdevs; } -- cgit v1.1 From 5ce5ed35939ece8a9c7e0f10c7f3d5bc000c6b64 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Mon, 8 Aug 2011 13:08:19 +0200 Subject: TPM: TCG_ATMEL should depend on HAS_IOPORT MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On m68k, I get: drivers/char/tpm/tpm_atmel.h: In function ‘atmel_get_base_addr’: drivers/char/tpm/tpm_atmel.h:129: error: implicit declaration of function ‘ioport_map’ drivers/char/tpm/tpm_atmel.h:129: warning: return makes pointer from integer without a cast The code in tpm_atmel.h supports PPC64 (using the device tree and ioremap()) and "anything else" (using ioport_map()). However, ioportmap() is only available on platforms that set HAS_IOPORT. Although PC64 seems to have HAS_IOPORT, a "depends on HAS_IOPORT" should work, but I think it's better to expose the special PPC64 handling explicit using "depends on PPC64 || HAS_IOPORT". Signed-off-by: Geert Uytterhoeven Signed-off-by: Rajiv Andrade Signed-off-by: James Morris --- drivers/char/tpm/Kconfig | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/char') diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index f6595ab..fa567f1 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -43,6 +43,7 @@ config TCG_NSC config TCG_ATMEL tristate "Atmel TPM Interface" + depends on PPC64 || HAS_IOPORT ---help--- If you have a TPM security chip from Atmel say Yes and it will be accessible from within Linux. To compile this driver -- cgit v1.1 From de69113ec1896443c732e8b812e8005fb44eeeeb Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Thu, 4 Aug 2011 07:58:07 +0800 Subject: TPM: tpm_nsc: Fix a double free of pdev in cleanup_nsc platform_device_unregister() will release all resources and remove it from the subsystem, then drop reference count by calling platform_device_put(). We should not call kfree(pdev) after platform_device_unregister(pdev). Signed-off-by: Axel Lin Signed-off-by: Rajiv Andrade Signed-off-by: James Morris --- drivers/char/tpm/tpm_nsc.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/tpm_nsc.c b/drivers/char/tpm/tpm_nsc.c index 82facc9..4d24648 100644 --- a/drivers/char/tpm/tpm_nsc.c +++ b/drivers/char/tpm/tpm_nsc.c @@ -396,8 +396,6 @@ static void __exit cleanup_nsc(void) if (pdev) { tpm_nsc_remove(&pdev->dev); platform_device_unregister(pdev); - kfree(pdev); - pdev = NULL; } platform_driver_unregister(&nsc_drv); -- cgit v1.1 From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 15 Sep 2011 14:37:43 -0300 Subject: TPM: Call tpm_transmit with correct size This patch changes the call of tpm_transmit by supplying the size of the userspace buffer instead of TPM_BUFSIZE. This got assigned CVE-2011-1161. [The first hunk didn't make sense given one could expect way less data than TPM_BUFSIZE, so added tpm_transmit boundary check over bufsiz instead The last parameter of tpm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it. It isn't ideal to parse it directly, so we just set it to the maximum the input buffer can handle and let the userspace API to do such job.] Signed-off-by: Rajiv Andrade Cc: Stable Kernel Signed-off-by: James Morris --- drivers/char/tpm/tpm.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers/char') diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index caf8012..1fe9793 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, u32 count, ordinal; unsigned long stop; + if (bufsiz > TPM_BUFSIZE) + bufsiz = TPM_BUFSIZE; + count = be32_to_cpu(*((__be32 *) (buf + 2))); ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); if (count == 0) -- cgit v1.1 From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Thu, 15 Sep 2011 14:47:42 -0300 Subject: TPM: Zero buffer after copying to userspace Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade Cc: Stable Kernel Signed-off-by: James Morris --- drivers/char/tpm/tpm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'drivers/char') diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index 1fe9793..9ca5c02 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf, { struct tpm_chip *chip = file->private_data; ssize_t ret_size; + int rc; del_singleshot_timer_sync(&chip->user_read_timer); flush_work_sync(&chip->work); @@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf, ret_size = size; mutex_lock(&chip->buffer_mutex); - if (copy_to_user(buf, chip->data_buffer, ret_size)) + rc = copy_to_user(buf, chip->data_buffer, ret_size); + memset(chip->data_buffer, 0, ret_size); + if (rc) ret_size = -EFAULT; + mutex_unlock(&chip->buffer_mutex); } -- cgit v1.1 From 677d3e2f07d1b3d6d2f76fd5552d16a53b9236a0 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Thu, 6 Oct 2011 19:56:30 +0200 Subject: hw_random: add driver for atmel true hardware random number generator For the IP block on 9g45/9g46/9m10/9m11. Signed-off-by: Peter Korsgaard Reviewed-by: Jamie Iles Acked-by: Nicolas Ferre Acked-by: Herbert Xu --- drivers/char/hw_random/Kconfig | 13 +++ drivers/char/hw_random/Makefile | 1 + drivers/char/hw_random/atmel-rng.c | 158 +++++++++++++++++++++++++++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 drivers/char/hw_random/atmel-rng.c (limited to 'drivers/char') diff --git a/drivers/char/hw_random/Kconfig b/drivers/char/hw_random/Kconfig index 1d2ebc7..e013587 100644 --- a/drivers/char/hw_random/Kconfig +++ b/drivers/char/hw_random/Kconfig @@ -60,6 +60,19 @@ config HW_RANDOM_AMD If unsure, say Y. +config HW_RANDOM_ATMEL + tristate "Atmel Random Number Generator support" + depends on HW_RANDOM && ARCH_AT91SAM9G45 + default HW_RANDOM + ---help--- + This driver provides kernel-side support for the Random Number + Generator hardware found on Atmel AT91 devices. + + To compile this driver as a module, choose M here: the + module will be called atmel-rng. + + If unsure, say Y. + config HW_RANDOM_GEODE tristate "AMD Geode HW Random Number Generator support" depends on HW_RANDOM && X86_32 && PCI diff --git a/drivers/char/hw_random/Makefile b/drivers/char/hw_random/Makefile index c88f244..b2ff526 100644 --- a/drivers/char/hw_random/Makefile +++ b/drivers/char/hw_random/Makefile @@ -7,6 +7,7 @@ rng-core-y := core.o obj-$(CONFIG_HW_RANDOM_TIMERIOMEM) += timeriomem-rng.o obj-$(CONFIG_HW_RANDOM_INTEL) += intel-rng.o obj-$(CONFIG_HW_RANDOM_AMD) += amd-rng.o +obj-$(CONFIG_HW_RANDOM_ATMEL) += atmel-rng.o obj-$(CONFIG_HW_RANDOM_GEODE) += geode-rng.o obj-$(CONFIG_HW_RANDOM_N2RNG) += n2-rng.o n2-rng-y := n2-drv.o n2-asm.o diff --git a/drivers/char/hw_random/atmel-rng.c b/drivers/char/hw_random/atmel-rng.c new file mode 100644 index 0000000..241df2e --- /dev/null +++ b/drivers/char/hw_random/atmel-rng.c @@ -0,0 +1,158 @@ +/* + * Copyright (c) 2011 Peter Korsgaard + * + * This file is licensed under the terms of the GNU General Public + * License version 2. This program is licensed "as is" without any + * warranty of any kind, whether express or implied. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define TRNG_CR 0x00 +#define TRNG_ISR 0x1c +#define TRNG_ODATA 0x50 + +#define TRNG_KEY 0x524e4700 /* RNG */ + +struct atmel_trng { + struct clk *clk; + void __iomem *base; + struct hwrng rng; +}; + +static int atmel_trng_read(struct hwrng *rng, void *buf, size_t max, + bool wait) +{ + struct atmel_trng *trng = container_of(rng, struct atmel_trng, rng); + u32 *data = buf; + + /* data ready? */ + if (readl(trng->base + TRNG_ODATA) & 1) { + *data = readl(trng->base + TRNG_ODATA); + return 4; + } else + return 0; +} + +static int atmel_trng_probe(struct platform_device *pdev) +{ + struct atmel_trng *trng; + struct resource *res; + int ret; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) + return -EINVAL; + + trng = devm_kzalloc(&pdev->dev, sizeof(*trng), GFP_KERNEL); + if (!trng) + return -ENOMEM; + + if (!devm_request_mem_region(&pdev->dev, res->start, + resource_size(res), pdev->name)) + return -EBUSY; + + trng->base = devm_ioremap(&pdev->dev, res->start, resource_size(res)); + if (!trng->base) + return -EBUSY; + + trng->clk = clk_get(&pdev->dev, NULL); + if (IS_ERR(trng->clk)) + return PTR_ERR(trng->clk); + + ret = clk_enable(trng->clk); + if (ret) + goto err_enable; + + writel(TRNG_KEY | 1, trng->base + TRNG_CR); + trng->rng.name = pdev->name; + trng->rng.read = atmel_trng_read; + + ret = hwrng_register(&trng->rng); + if (ret) + goto err_register; + + platform_set_drvdata(pdev, trng); + + return 0; + +err_register: + clk_disable(trng->clk); +err_enable: + clk_put(trng->clk); + + return ret; +} + +static int __devexit atmel_trng_remove(struct platform_device *pdev) +{ + struct atmel_trng *trng = platform_get_drvdata(pdev); + + hwrng_unregister(&trng->rng); + + writel(TRNG_KEY, trng->base + TRNG_CR); + clk_disable(trng->clk); + clk_put(trng->clk); + + platform_set_drvdata(pdev, NULL); + + return 0; +} + +#ifdef CONFIG_PM +static int atmel_trng_suspend(struct device *dev) +{ + struct atmel_trng *trng = dev_get_drvdata(dev); + + clk_disable(trng->clk); + + return 0; +} + +static int atmel_trng_resume(struct device *dev) +{ + struct atmel_trng *trng = dev_get_drvdata(dev); + + return clk_enable(trng->clk); +} + +static const struct dev_pm_ops atmel_trng_pm_ops = { + .suspend = atmel_trng_suspend, + .resume = atmel_trng_resume, +}; +#endif /* CONFIG_PM */ + +static struct platform_driver atmel_trng_driver = { + .probe = atmel_trng_probe, + .remove = __devexit_p(atmel_trng_remove), + .driver = { + .name = "atmel-trng", + .owner = THIS_MODULE, +#ifdef CONFIG_PM + .pm = &atmel_trng_pm_ops, +#endif /* CONFIG_PM */ + }, +}; + +static int __init atmel_trng_init(void) +{ + return platform_driver_register(&atmel_trng_driver); +} +module_init(atmel_trng_init); + +static void __exit atmel_trng_exit(void) +{ + platform_driver_unregister(&atmel_trng_driver); +} +module_exit(atmel_trng_exit); + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Peter Korsgaard "); +MODULE_DESCRIPTION("Atmel true random number generator driver"); -- cgit v1.1