From b3a1d7ad85b7516666d23210eb6729799a075016 Mon Sep 17 00:00:00 2001 From: Jiri Kosina Date: Mar 16 2018 13:08:33 +0000 Subject: Merge remote-tracking branch 'origin/users/tiwai/SLE15/for-next' into SLE15 Pull assorted fixes from Takashi Iwai Conflicts: series.conf --- diff --git a/config/arm64/default b/config/arm64/default index 86b6df3..6a68e30 100644 --- a/config/arm64/default +++ b/config/arm64/default @@ -3589,6 +3589,7 @@ CONFIG_PINCTRL_BERLIN_BG4CT=y CONFIG_PINCTRL_INTEL=m # CONFIG_PINCTRL_BROXTON is not set CONFIG_PINCTRL_CANNONLAKE=m +# CONFIG_PINCTRL_DENVERTON is not set # CONFIG_PINCTRL_GEMINILAKE is not set # CONFIG_PINCTRL_SUNRISEPOINT is not set CONFIG_PINCTRL_ARMADA_37XX=y diff --git a/config/x86_64/default b/config/x86_64/default index 3821500..73faa46 100644 --- a/config/x86_64/default +++ b/config/x86_64/default @@ -3681,6 +3681,7 @@ CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m CONFIG_PINCTRL_CANNONLAKE=m +CONFIG_PINCTRL_DENVERTON=m CONFIG_PINCTRL_GEMINILAKE=m CONFIG_PINCTRL_SUNRISEPOINT=m CONFIG_GPIOLIB=y diff --git a/patches.drivers/ALSA-hda-Revert-power_save-option-default-value b/patches.drivers/ALSA-hda-Revert-power_save-option-default-value index 4402d5a..6ad96d4 100644 --- a/patches.drivers/ALSA-hda-Revert-power_save-option-default-value +++ b/patches.drivers/ALSA-hda-Revert-power_save-option-default-value @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Mon, 12 Mar 2018 13:55:48 +0100 Subject: [PATCH] ALSA: hda - Revert power_save option default value Git-commit: 40088dc4e1ead7df31728c73f5b51d71da18831d -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v4.16 or v4.16-rc6 (next release) References: bsc#1052235 With the commit 1ba8f9d30817 ("ALSA: hda: Add a power_save diff --git a/patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- b/patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- index 0cf747f..3f19ec5 100644 --- a/patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- +++ b/patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Fri, 9 Mar 2018 22:23:31 +0100 Subject: [PATCH] ALSA: seq: Clear client entry before deleting else at closing Git-commit: a2ff19f7b70118ced291a28d5313469914de451b -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v4.16 or v4.16-rc6 (next release) References: CVE-2018-1000004,bsc#1076017 When releasing a client, we need to clear the clienttab[] entry at diff --git a/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue b/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue index 5b6ed7b..f0e8398 100644 --- a/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue +++ b/patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue @@ -3,8 +3,7 @@ From: Takashi Iwai Date: Fri, 9 Mar 2018 21:58:28 +0100 Subject: [PATCH] ALSA: seq: Fix possible UAF in snd_seq_check_queue() Git-commit: d0f833065221cbfcbadf19fd4102bcfa9330006a -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git -Patch-mainline: Queued in subsystem maintainer repo +Patch-mainline: v4.16 or v4.16-rc6 (next release) References: CVE-2018-1000004,bsc#1076017 Although we've covered the races between concurrent write() and diff --git a/patches.drivers/ima-do-not-update-security.ima-if-appraisal-status-i b/patches.drivers/ima-do-not-update-security.ima-if-appraisal-status-i new file mode 100644 index 0000000..81f826c --- /dev/null +++ b/patches.drivers/ima-do-not-update-security.ima-if-appraisal-status-i @@ -0,0 +1,46 @@ +From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Tue, 7 Nov 2017 11:37:07 +0100 +Subject: [PATCH] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS +Git-commit: 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb +Patch-mainline: v4.15-rc1 +References: bsc#1051510 + +Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters") +moved the call of ima_file_check() from may_open() to do_filp_open() at a +point where the file descriptor is already opened. + +This breaks the assumption made by IMA that file descriptors being closed +belong to files whose access was granted by ima_file_check(). The +consequence is that security.ima and security.evm are updated with good +values, regardless of the current appraisal status. + +For example, if a file does not have security.ima, IMA will create it after +opening the file for writing, even if access is denied. Access to the file +will be allowed afterwards. + +Avoid this issue by checking the appraisal status before updating +security.ima. + +Cc: stable@vger.kernel.org +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: James Morris +Acked-by: Takashi Iwai + +--- + security/integrity/ima/ima_appraise.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -306,6 +306,9 @@ void ima_update_xattr(struct integrity_i + if (iint->flags & IMA_DIGSIG) + return; + ++ if (iint->ima_file_status != INTEGRITY_PASS) ++ return; ++ + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo); + if (rc < 0) + return; diff --git a/patches.drivers/ima-fix-hash-algorithm-initialization b/patches.drivers/ima-fix-hash-algorithm-initialization new file mode 100644 index 0000000..a033dcb --- /dev/null +++ b/patches.drivers/ima-fix-hash-algorithm-initialization @@ -0,0 +1,43 @@ +From ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee Mon Sep 17 00:00:00 2001 +From: Boshi Wang +Date: Fri, 20 Oct 2017 16:01:03 +0800 +Subject: [PATCH] ima: fix hash algorithm initialization +Git-commit: ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee +Patch-mainline: v4.15-rc1 +References: bsc#1051510 + +The hash_setup function always sets the hash_setup_done flag, even +when the hash algorithm is invalid. This prevents the default hash +algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. + +This patch sets hash_setup_done flag only for valid hash algorithms. + +Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" +Signed-off-by: Boshi Wang +Signed-off-by: Mimi Zohar +Acked-by: Takashi Iwai + +--- + security/integrity/ima/ima_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -52,6 +52,8 @@ static int __init hash_setup(char *str) + ima_hash_algo = HASH_ALGO_SHA1; + else if (strncmp(str, "md5", 3) == 0) + ima_hash_algo = HASH_ALGO_MD5; ++ else ++ return 1; + goto out; + } + +@@ -61,6 +63,8 @@ static int __init hash_setup(char *str) + break; + } + } ++ if (i == HASH_ALGO__LAST) ++ return 1; + out: + hash_setup_done = 1; + return 1; diff --git a/patches.drivers/pinctrl-intel-Add-Intel-Denverton-pin-controller-sup.patch b/patches.drivers/pinctrl-intel-Add-Intel-Denverton-pin-controller-sup.patch new file mode 100644 index 0000000..e38e141 --- /dev/null +++ b/patches.drivers/pinctrl-intel-Add-Intel-Denverton-pin-controller-sup.patch @@ -0,0 +1,355 @@ +From 75bb10b479c33a8e15ab99d6f35a141e86df8547 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Thu, 3 Aug 2017 19:36:02 +0300 +Subject: [PATCH] pinctrl: intel: Add Intel Denverton pin controller support +Git-commit: 75bb10b479c33a8e15ab99d6f35a141e86df8547 +Patch-mainline: v4.14-rc1 +References: FATE#325124 + +This driver adds pinctrl/GPIO support for Intel Denverton SoC. The GPIO +controller is based on the same hardware design that is already used in +Intel Sunrisepoint so we leverage the core driver here. + +Signed-off-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Acked-by: Takashi Iwai + +--- + drivers/pinctrl/intel/Kconfig | 8 + drivers/pinctrl/intel/Makefile | 1 + drivers/pinctrl/intel/pinctrl-denverton.c | 302 ++++++++++++++++++++++++++++++ + 3 files changed, 311 insertions(+) + create mode 100644 drivers/pinctrl/intel/pinctrl-denverton.c + +--- a/drivers/pinctrl/intel/Kconfig ++++ b/drivers/pinctrl/intel/Kconfig +@@ -64,6 +64,14 @@ config PINCTRL_CANNONLAKE + This pinctrl driver provides an interface that allows configuring + of Intel Cannon Lake PCH pins and using them as GPIOs. + ++config PINCTRL_DENVERTON ++ tristate "Intel Denverton pinctrl and GPIO driver" ++ depends on ACPI ++ select PINCTRL_INTEL ++ help ++ This pinctrl driver provides an interface that allows configuring ++ of Intel Denverton SoC pins and using them as GPIOs. ++ + config PINCTRL_GEMINILAKE + tristate "Intel Gemini Lake SoC pinctrl and GPIO driver" + depends on ACPI +--- a/drivers/pinctrl/intel/Makefile ++++ b/drivers/pinctrl/intel/Makefile +@@ -6,5 +6,6 @@ obj-$(CONFIG_PINCTRL_MERRIFIELD) += pinc + obj-$(CONFIG_PINCTRL_INTEL) += pinctrl-intel.o + obj-$(CONFIG_PINCTRL_BROXTON) += pinctrl-broxton.o + obj-$(CONFIG_PINCTRL_CANNONLAKE) += pinctrl-cannonlake.o ++obj-$(CONFIG_PINCTRL_DENVERTON) += pinctrl-denverton.o + obj-$(CONFIG_PINCTRL_GEMINILAKE) += pinctrl-geminilake.o + obj-$(CONFIG_PINCTRL_SUNRISEPOINT) += pinctrl-sunrisepoint.o +--- /dev/null ++++ b/drivers/pinctrl/intel/pinctrl-denverton.c +@@ -0,0 +1,302 @@ ++/* ++ * Intel Denverton SoC pinctrl/GPIO driver ++ * ++ * Copyright (C) 2017, Intel Corporation ++ * Author: Mika Westerberg ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "pinctrl-intel.h" ++ ++#define DNV_PAD_OWN 0x020 ++#define DNV_HOSTSW_OWN 0x0C0 ++#define DNV_PADCFGLOCK 0x090 ++#define DNV_GPI_IE 0x120 ++ ++#define DNV_GPP(n, s, e) \ ++ { \ ++ .reg_num = (n), \ ++ .base = (s), \ ++ .size = ((e) - (s) + 1), \ ++ } ++ ++#define DNV_COMMUNITY(b, s, e, g) \ ++ { \ ++ .barno = (b), \ ++ .padown_offset = DNV_PAD_OWN, \ ++ .padcfglock_offset = DNV_PADCFGLOCK, \ ++ .hostown_offset = DNV_HOSTSW_OWN, \ ++ .ie_offset = DNV_GPI_IE, \ ++ .pin_base = (s), \ ++ .npins = ((e) - (s) + 1), \ ++ .gpps = (g), \ ++ .ngpps = ARRAY_SIZE(g), \ ++ } ++ ++static const struct pinctrl_pin_desc dnv_pins[] = { ++ /* North ALL */ ++ PINCTRL_PIN(0, "GBE0_SDP0"), ++ PINCTRL_PIN(1, "GBE1_SDP0"), ++ PINCTRL_PIN(2, "GBE0_SDP1"), ++ PINCTRL_PIN(3, "GBE1_SDP1"), ++ PINCTRL_PIN(4, "GBE0_SDP2"), ++ PINCTRL_PIN(5, "GBE1_SDP2"), ++ PINCTRL_PIN(6, "GBE0_SDP3"), ++ PINCTRL_PIN(7, "GBE1_SDP3"), ++ PINCTRL_PIN(8, "GBE2_LED0"), ++ PINCTRL_PIN(9, "GBE2_LED1"), ++ PINCTRL_PIN(10, "GBE0_I2C_CLK"), ++ PINCTRL_PIN(11, "GBE0_I2C_DATA"), ++ PINCTRL_PIN(12, "GBE1_I2C_CLK"), ++ PINCTRL_PIN(13, "GBE1_I2C_DATA"), ++ PINCTRL_PIN(14, "NCSI_RXD0"), ++ PINCTRL_PIN(15, "NCSI_CLK_IN"), ++ PINCTRL_PIN(16, "NCSI_RXD1"), ++ PINCTRL_PIN(17, "NCSI_CRS_DV"), ++ PINCTRL_PIN(18, "NCSI_ARB_IN"), ++ PINCTRL_PIN(19, "NCSI_TX_EN"), ++ PINCTRL_PIN(20, "NCSI_TXD0"), ++ PINCTRL_PIN(21, "NCSI_TXD1"), ++ PINCTRL_PIN(22, "NCSI_ARB_OUT"), ++ PINCTRL_PIN(23, "GBE0_LED0"), ++ PINCTRL_PIN(24, "GBE0_LED1"), ++ PINCTRL_PIN(25, "GBE1_LED0"), ++ PINCTRL_PIN(26, "GBE1_LED1"), ++ PINCTRL_PIN(27, "GPIO_0"), ++ PINCTRL_PIN(28, "PCIE_CLKREQ0_N"), ++ PINCTRL_PIN(29, "PCIE_CLKREQ1_N"), ++ PINCTRL_PIN(30, "PCIE_CLKREQ2_N"), ++ PINCTRL_PIN(31, "PCIE_CLKREQ3_N"), ++ PINCTRL_PIN(32, "PCIE_CLKREQ4_N"), ++ PINCTRL_PIN(33, "GPIO_1"), ++ PINCTRL_PIN(34, "GPIO_2"), ++ PINCTRL_PIN(35, "SVID_ALERT_N"), ++ PINCTRL_PIN(36, "SVID_DATA"), ++ PINCTRL_PIN(37, "SVID_CLK"), ++ PINCTRL_PIN(38, "THERMTRIP_N"), ++ PINCTRL_PIN(39, "PROCHOT_N"), ++ PINCTRL_PIN(40, "MEMHOT_N"), ++ /* South DFX */ ++ PINCTRL_PIN(41, "DFX_PORT_CLK0"), ++ PINCTRL_PIN(42, "DFX_PORT_CLK1"), ++ PINCTRL_PIN(43, "DFX_PORT0"), ++ PINCTRL_PIN(44, "DFX_PORT1"), ++ PINCTRL_PIN(45, "DFX_PORT2"), ++ PINCTRL_PIN(46, "DFX_PORT3"), ++ PINCTRL_PIN(47, "DFX_PORT4"), ++ PINCTRL_PIN(48, "DFX_PORT5"), ++ PINCTRL_PIN(49, "DFX_PORT6"), ++ PINCTRL_PIN(50, "DFX_PORT7"), ++ PINCTRL_PIN(51, "DFX_PORT8"), ++ PINCTRL_PIN(52, "DFX_PORT9"), ++ PINCTRL_PIN(53, "DFX_PORT10"), ++ PINCTRL_PIN(54, "DFX_PORT11"), ++ PINCTRL_PIN(55, "DFX_PORT12"), ++ PINCTRL_PIN(56, "DFX_PORT13"), ++ PINCTRL_PIN(57, "DFX_PORT14"), ++ PINCTRL_PIN(58, "DFX_PORT15"), ++ /* South GPP0 */ ++ PINCTRL_PIN(59, "GPIO_12"), ++ PINCTRL_PIN(60, "SMB5_GBE_ALRT_N"), ++ PINCTRL_PIN(61, "PCIE_CLKREQ5_N"), ++ PINCTRL_PIN(62, "PCIE_CLKREQ6_N"), ++ PINCTRL_PIN(63, "PCIE_CLKREQ7_N"), ++ PINCTRL_PIN(64, "UART0_RXD"), ++ PINCTRL_PIN(65, "UART0_TXD"), ++ PINCTRL_PIN(66, "SMB5_GBE_CLK"), ++ PINCTRL_PIN(67, "SMB5_GBE_DATA"), ++ PINCTRL_PIN(68, "ERROR2_N"), ++ PINCTRL_PIN(69, "ERROR1_N"), ++ PINCTRL_PIN(70, "ERROR0_N"), ++ PINCTRL_PIN(71, "IERR_N"), ++ PINCTRL_PIN(72, "MCERR_N"), ++ PINCTRL_PIN(73, "SMB0_LEG_CLK"), ++ PINCTRL_PIN(74, "SMB0_LEG_DATA"), ++ PINCTRL_PIN(75, "SMB0_LEG_ALRT_N"), ++ PINCTRL_PIN(76, "SMB1_HOST_DATA"), ++ PINCTRL_PIN(77, "SMB1_HOST_CLK"), ++ PINCTRL_PIN(78, "SMB2_PECI_DATA"), ++ PINCTRL_PIN(79, "SMB2_PECI_CLK"), ++ PINCTRL_PIN(80, "SMB4_CSME0_DATA"), ++ PINCTRL_PIN(81, "SMB4_CSME0_CLK"), ++ PINCTRL_PIN(82, "SMB4_CSME0_ALRT_N"), ++ PINCTRL_PIN(83, "USB_OC0_N"), ++ PINCTRL_PIN(84, "FLEX_CLK_SE0"), ++ PINCTRL_PIN(85, "FLEX_CLK_SE1"), ++ PINCTRL_PIN(86, "GPIO_4"), ++ PINCTRL_PIN(87, "GPIO_5"), ++ PINCTRL_PIN(88, "GPIO_6"), ++ PINCTRL_PIN(89, "GPIO_7"), ++ PINCTRL_PIN(90, "SATA0_LED_N"), ++ PINCTRL_PIN(91, "SATA1_LED_N"), ++ PINCTRL_PIN(92, "SATA_PDETECT0"), ++ PINCTRL_PIN(93, "SATA_PDETECT1"), ++ PINCTRL_PIN(94, "SATA0_SDOUT"), ++ PINCTRL_PIN(95, "SATA1_SDOUT"), ++ PINCTRL_PIN(96, "UART1_RXD"), ++ PINCTRL_PIN(97, "UART1_TXD"), ++ PINCTRL_PIN(98, "GPIO_8"), ++ PINCTRL_PIN(99, "GPIO_9"), ++ PINCTRL_PIN(100, "TCK"), ++ PINCTRL_PIN(101, "TRST_N"), ++ PINCTRL_PIN(102, "TMS"), ++ PINCTRL_PIN(103, "TDI"), ++ PINCTRL_PIN(104, "TDO"), ++ PINCTRL_PIN(105, "CX_PRDY_N"), ++ PINCTRL_PIN(106, "CX_PREQ_N"), ++ PINCTRL_PIN(107, "CTBTRIGINOUT"), ++ PINCTRL_PIN(108, "CTBTRIGOUT"), ++ PINCTRL_PIN(109, "DFX_SPARE2"), ++ PINCTRL_PIN(110, "DFX_SPARE3"), ++ PINCTRL_PIN(111, "DFX_SPARE4"), ++ /* South GPP1 */ ++ PINCTRL_PIN(112, "SUSPWRDNACK"), ++ PINCTRL_PIN(113, "PMU_SUSCLK"), ++ PINCTRL_PIN(114, "ADR_TRIGGER"), ++ PINCTRL_PIN(115, "PMU_SLP_S45_N"), ++ PINCTRL_PIN(116, "PMU_SLP_S3_N"), ++ PINCTRL_PIN(117, "PMU_WAKE_N"), ++ PINCTRL_PIN(118, "PMU_PWRBTN_N"), ++ PINCTRL_PIN(119, "PMU_RESETBUTTON_N"), ++ PINCTRL_PIN(120, "PMU_PLTRST_N"), ++ PINCTRL_PIN(121, "SUS_STAT_N"), ++ PINCTRL_PIN(122, "SLP_S0IX_N"), ++ PINCTRL_PIN(123, "SPI_CS0_N"), ++ PINCTRL_PIN(124, "SPI_CS1_N"), ++ PINCTRL_PIN(125, "SPI_MOSI_IO0"), ++ PINCTRL_PIN(126, "SPI_MISO_IO1"), ++ PINCTRL_PIN(127, "SPI_IO2"), ++ PINCTRL_PIN(128, "SPI_IO3"), ++ PINCTRL_PIN(129, "SPI_CLK"), ++ PINCTRL_PIN(130, "SPI_CLK_LOOPBK"), ++ PINCTRL_PIN(131, "ESPI_IO0"), ++ PINCTRL_PIN(132, "ESPI_IO1"), ++ PINCTRL_PIN(133, "ESPI_IO2"), ++ PINCTRL_PIN(134, "ESPI_IO3"), ++ PINCTRL_PIN(135, "ESPI_CS0_N"), ++ PINCTRL_PIN(136, "ESPI_CLK"), ++ PINCTRL_PIN(137, "ESPI_RST_N"), ++ PINCTRL_PIN(138, "ESPI_ALRT0_N"), ++ PINCTRL_PIN(139, "GPIO_10"), ++ PINCTRL_PIN(140, "GPIO_11"), ++ PINCTRL_PIN(141, "ESPI_CLK_LOOPBK"), ++ PINCTRL_PIN(142, "EMMC_CMD"), ++ PINCTRL_PIN(143, "EMMC_STROBE"), ++ PINCTRL_PIN(144, "EMMC_CLK"), ++ PINCTRL_PIN(145, "EMMC_D0"), ++ PINCTRL_PIN(146, "EMMC_D1"), ++ PINCTRL_PIN(147, "EMMC_D2"), ++ PINCTRL_PIN(148, "EMMC_D3"), ++ PINCTRL_PIN(149, "EMMC_D4"), ++ PINCTRL_PIN(150, "EMMC_D5"), ++ PINCTRL_PIN(151, "EMMC_D6"), ++ PINCTRL_PIN(152, "EMMC_D7"), ++ PINCTRL_PIN(153, "GPIO_3"), ++}; ++ ++static const unsigned int dnv_uart0_pins[] = { 60, 61, 64, 65 }; ++static const unsigned int dnv_uart0_modes[] = { 2, 3, 1, 1 }; ++static const unsigned int dnv_uart1_pins[] = { 94, 95, 96, 97 }; ++static const unsigned int dnv_uart2_pins[] = { 60, 61, 62, 63 }; ++static const unsigned int dnv_uart2_modes[] = { 1, 1, 2, 2 }; ++static const unsigned int dnv_emmc_pins[] = { ++ 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, ++}; ++ ++static const struct intel_pingroup dnv_groups[] = { ++ PIN_GROUP("uart0_grp", dnv_uart0_pins, dnv_uart0_modes), ++ PIN_GROUP("uart1_grp", dnv_uart1_pins, 1), ++ PIN_GROUP("uart2_grp", dnv_uart2_pins, dnv_uart2_modes), ++ PIN_GROUP("emmc_grp", dnv_emmc_pins, 1), ++}; ++ ++static const char * const dnv_uart0_groups[] = { "uart0_grp" }; ++static const char * const dnv_uart1_groups[] = { "uart1_grp" }; ++static const char * const dnv_uart2_groups[] = { "uart2_grp" }; ++static const char * const dnv_emmc_groups[] = { "emmc_grp" }; ++ ++static const struct intel_function dnv_functions[] = { ++ FUNCTION("uart0", dnv_uart0_groups), ++ FUNCTION("uart1", dnv_uart1_groups), ++ FUNCTION("uart2", dnv_uart2_groups), ++ FUNCTION("emmc", dnv_emmc_groups), ++}; ++ ++static const struct intel_padgroup dnv_north_gpps[] = { ++ DNV_GPP(0, 0, 31), /* North ALL_0 */ ++ DNV_GPP(1, 32, 40), /* North ALL_1 */ ++}; ++ ++static const struct intel_padgroup dnv_south_gpps[] = { ++ DNV_GPP(0, 41, 58), /* South DFX */ ++ DNV_GPP(1, 59, 90), /* South GPP0_0 */ ++ DNV_GPP(2, 91, 111), /* South GPP0_1 */ ++ DNV_GPP(3, 112, 143), /* South GPP1_0 */ ++ DNV_GPP(4, 144, 153), /* South GPP1_1 */ ++}; ++ ++static const struct intel_community dnv_communities[] = { ++ DNV_COMMUNITY(0, 0, 40, dnv_north_gpps), ++ DNV_COMMUNITY(1, 41, 153, dnv_south_gpps), ++}; ++ ++static const struct intel_pinctrl_soc_data dnv_soc_data = { ++ .pins = dnv_pins, ++ .npins = ARRAY_SIZE(dnv_pins), ++ .groups = dnv_groups, ++ .ngroups = ARRAY_SIZE(dnv_groups), ++ .functions = dnv_functions, ++ .nfunctions = ARRAY_SIZE(dnv_functions), ++ .communities = dnv_communities, ++ .ncommunities = ARRAY_SIZE(dnv_communities), ++}; ++ ++static int dnv_pinctrl_probe(struct platform_device *pdev) ++{ ++ return intel_pinctrl_probe(pdev, &dnv_soc_data); ++} ++ ++static const struct dev_pm_ops dnv_pinctrl_pm_ops = { ++ SET_LATE_SYSTEM_SLEEP_PM_OPS(intel_pinctrl_suspend, ++ intel_pinctrl_resume) ++}; ++ ++static const struct acpi_device_id dnv_pinctrl_acpi_match[] = { ++ { "INTC3000" }, ++ { } ++}; ++MODULE_DEVICE_TABLE(acpi, dnv_pinctrl_acpi_match); ++ ++static struct platform_driver dnv_pinctrl_driver = { ++ .probe = dnv_pinctrl_probe, ++ .driver = { ++ .name = "denverton-pinctrl", ++ .acpi_match_table = dnv_pinctrl_acpi_match, ++ .pm = &dnv_pinctrl_pm_ops, ++ }, ++}; ++ ++static int __init dnv_pinctrl_init(void) ++{ ++ return platform_driver_register(&dnv_pinctrl_driver); ++} ++subsys_initcall(dnv_pinctrl_init); ++ ++static void __exit dnv_pinctrl_exit(void) ++{ ++ platform_driver_unregister(&dnv_pinctrl_driver); ++} ++module_exit(dnv_pinctrl_exit); ++ ++MODULE_AUTHOR("Mika Westerberg "); ++MODULE_DESCRIPTION("Intel Denverton SoC pinctrl/GPIO driver"); ++MODULE_LICENSE("GPL v2"); diff --git a/patches.drivers/security-keys-BIG_KEY-requires-CONFIG_CRYPTO b/patches.drivers/security-keys-BIG_KEY-requires-CONFIG_CRYPTO new file mode 100644 index 0000000..54f3dcd --- /dev/null +++ b/patches.drivers/security-keys-BIG_KEY-requires-CONFIG_CRYPTO @@ -0,0 +1,44 @@ +From 3cd18d1981731d5f74b8e437009124ac99905d14 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 4 Oct 2017 12:27:00 +0200 +Subject: [PATCH] security/keys: BIG_KEY requires CONFIG_CRYPTO +Git-commit: 3cd18d1981731d5f74b8e437009124ac99905d14 +Patch-mainline: v4.14-rc6 +References: bsc#1051510 + +The recent rework introduced a possible randconfig build failure +when CONFIG_CRYPTO configured to only allow modules: + +Security/keys/big_key.o: In function `big_key_crypt': +big_key.c:(.text+0x29f): undefined reference to `crypto_aead_setkey' +Security/keys/big_key.o: In function `big_key_init': +big_key.c:(.init.text+0x1a): undefined reference to `crypto_alloc_aead' +big_key.c:(.init.text+0x45): undefined reference to `crypto_aead_setauthsize' +big_key.c:(.init.text+0x77): undefined reference to `crypto_destroy_tfm' +Crypto/gcm.o: In function `gcm_hash_crypt_remain_continue': +gcm.c:(.text+0x167): undefined reference to `crypto_ahash_finup' +Crypto/gcm.o: In function `crypto_gcm_exit_tfm': +gcm.c:(.text+0x847): undefined reference to `crypto_destroy_tfm' + +When we 'select CRYPTO' like the other users, we always get a +configuration that builds. + +Fixes: 428490e38b2e ("security/keys: rewrite all of big_key crypto") +Signed-off-by: Arnd Bergmann +Signed-off-by: David Howells +Acked-by: Takashi Iwai + +--- + security/keys/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/keys/Kconfig ++++ b/security/keys/Kconfig +@@ -45,6 +45,7 @@ config BIG_KEYS + bool "Large payload keys" + depends on KEYS + depends on TMPFS ++ select CRYPTO + select CRYPTO_AES + select CRYPTO_GCM + help diff --git a/patches.drivers/security-keys-properly-zero-out-sensitive-key-materi b/patches.drivers/security-keys-properly-zero-out-sensitive-key-materi new file mode 100644 index 0000000..af36043 --- /dev/null +++ b/patches.drivers/security-keys-properly-zero-out-sensitive-key-materi @@ -0,0 +1,74 @@ +From 910801809b2e40a4baedd080ef5d80b4a180e70e Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Wed, 20 Sep 2017 16:58:38 +0200 +Subject: [PATCH] security/keys: properly zero out sensitive key material in big_key +Git-commit: 910801809b2e40a4baedd080ef5d80b4a180e70e +Patch-mainline: v4.14-rc3 +References: bsc#1051510 + +Error paths forgot to zero out sensitive material, so this patch changes +some kfrees into a kzfrees. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David Howells +Reviewed-by: Eric Biggers +Cc: Herbert Xu +Cc: Kirill Marinushkin +Cc: security@kernel.org +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + security/keys/big_key.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/security/keys/big_key.c ++++ b/security/keys/big_key.c +@@ -195,7 +195,7 @@ int big_key_preparse(struct key_preparse + *path = file->f_path; + path_get(path); + fput(file); +- kfree(data); ++ kzfree(data); + } else { + /* Just store the data in a buffer */ + void *data = kmalloc(datalen, GFP_KERNEL); +@@ -211,9 +211,9 @@ int big_key_preparse(struct key_preparse + err_fput: + fput(file); + err_enckey: +- kfree(enckey); ++ kzfree(enckey); + error: +- kfree(data); ++ kzfree(data); + return ret; + } + +@@ -227,7 +227,7 @@ void big_key_free_preparse(struct key_pr + + path_put(path); + } +- kfree(prep->payload.data[big_key_data]); ++ kzfree(prep->payload.data[big_key_data]); + } + + /* +@@ -259,7 +259,7 @@ void big_key_destroy(struct key *key) + path->mnt = NULL; + path->dentry = NULL; + } +- kfree(key->payload.data[big_key_data]); ++ kzfree(key->payload.data[big_key_data]); + key->payload.data[big_key_data] = NULL; + } + +@@ -327,7 +327,7 @@ long big_key_read(const struct key *key, + err_fput: + fput(file); + error: +- kfree(data); ++ kzfree(data); + } else { + ret = datalen; + if (copy_to_user(buffer, key->payload.data[big_key_data], diff --git a/patches.drivers/security-keys-rewrite-all-of-big_key-crypto b/patches.drivers/security-keys-rewrite-all-of-big_key-crypto new file mode 100644 index 0000000..e1b9862 --- /dev/null +++ b/patches.drivers/security-keys-rewrite-all-of-big_key-crypto @@ -0,0 +1,298 @@ +From 428490e38b2e352812e0b765d8bceafab0ec441d Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Wed, 20 Sep 2017 16:58:39 +0200 +Subject: [PATCH] security/keys: rewrite all of big_key crypto +Git-commit: 428490e38b2e352812e0b765d8bceafab0ec441d +Patch-mainline: v4.14-rc3 +References: bsc#1051510 + +This started out as just replacing the use of crypto/rng with +get_random_bytes_wait, so that we wouldn't use bad randomness at boot +time. But, upon looking further, it appears that there were even deeper +underlying cryptographic problems, and that this seems to have been +committed with very little crypto review. So, I rewrote the whole thing, +trying to keep to the conventions introduced by the previous author, to +fix these cryptographic flaws. + +It makes no sense to seed crypto/rng at boot time and then keep +using it like this, when in fact there's already get_random_bytes_wait, +which can ensure there's enough entropy and be a much more standard way +of generating keys. Since this sensitive material is being stored +untrusted, using ECB and no authentication is simply not okay at all. I +find it surprising and a bit horrifying that this code even made it past +basic crypto review, which perhaps points to some larger issues. This +patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely +generated each time, we can set the nonce to zero. There was also a race +condition in which the same key would be reused at the same time in +different threads. A mutex fixes this issue now. + +So, to summarize, this commit fixes the following vulnerabilities: + + * Low entropy key generation, allowing an attacker to potentially + guess or predict keys. + * Unauthenticated encryption, allowing an attacker to modify the + cipher text in particular ways in order to manipulate the plaintext, + which is is even more frightening considering the next point. + * Use of ECB mode, allowing an attacker to trivially swap blocks or + compare identical plaintext blocks. + * Key re-use. + * Faulty memory zeroing. + +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Eric Biggers +Signed-off-by: David Howells +Cc: Herbert Xu +Cc: Kirill Marinushkin +Cc: security@kernel.org +Cc: stable@vger.kernel.org +Acked-by: Takashi Iwai + +--- + security/keys/Kconfig | 4 - + security/keys/big_key.c | 125 ++++++++++++++++++++++-------------------------- + 2 files changed, 59 insertions(+), 70 deletions(-) + +--- a/security/keys/Kconfig ++++ b/security/keys/Kconfig +@@ -45,10 +45,8 @@ config BIG_KEYS + bool "Large payload keys" + depends on KEYS + depends on TMPFS +- depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y) + select CRYPTO_AES +- select CRYPTO_ECB +- select CRYPTO_RNG ++ select CRYPTO_GCM + help + This option provides support for holding large keys within the kernel + (for example Kerberos ticket caches). The data may be stored out to +--- a/security/keys/big_key.c ++++ b/security/keys/big_key.c +@@ -1,5 +1,6 @@ + /* Large capacity key type + * ++ * Copyright (C) 2017 Jason A. Donenfeld . All Rights Reserved. + * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * +@@ -16,10 +17,10 @@ + #include + #include + #include ++#include + #include + #include +-#include +-#include ++#include + + /* + * Layout of key payload words. +@@ -49,7 +50,12 @@ enum big_key_op { + /* + * Key size for big_key data encryption + */ +-#define ENC_KEY_SIZE 16 ++#define ENC_KEY_SIZE 32 ++ ++/* ++ * Authentication tag length ++ */ ++#define ENC_AUTHTAG_SIZE 16 + + /* + * big_key defined keys take an arbitrary string as the description and an +@@ -64,57 +70,62 @@ struct key_type key_type_big_key = { + .destroy = big_key_destroy, + .describe = big_key_describe, + .read = big_key_read, ++ /* no ->update(); don't add it without changing big_key_crypt() nonce */ + }; + + /* +- * Crypto names for big_key data encryption ++ * Crypto names for big_key data authenticated encryption + */ +-static const char big_key_rng_name[] = "stdrng"; +-static const char big_key_alg_name[] = "ecb(aes)"; ++static const char big_key_alg_name[] = "gcm(aes)"; + + /* +- * Crypto algorithms for big_key data encryption ++ * Crypto algorithms for big_key data authenticated encryption + */ +-static struct crypto_rng *big_key_rng; +-static struct crypto_skcipher *big_key_skcipher; ++static struct crypto_aead *big_key_aead; + + /* +- * Generate random key to encrypt big_key data ++ * Since changing the key affects the entire object, we need a mutex. + */ +-static inline int big_key_gen_enckey(u8 *key) +-{ +- return crypto_rng_get_bytes(big_key_rng, key, ENC_KEY_SIZE); +-} ++static DEFINE_MUTEX(big_key_aead_lock); + + /* + * Encrypt/decrypt big_key data + */ + static int big_key_crypt(enum big_key_op op, u8 *data, size_t datalen, u8 *key) + { +- int ret = -EINVAL; ++ int ret; + struct scatterlist sgio; +- SKCIPHER_REQUEST_ON_STACK(req, big_key_skcipher); ++ struct aead_request *aead_req; ++ /* We always use a zero nonce. The reason we can get away with this is ++ * because we're using a different randomly generated key for every ++ * different encryption. Notably, too, key_type_big_key doesn't define ++ * an .update function, so there's no chance we'll wind up reusing the ++ * key to encrypt updated data. Simply put: one key, one encryption. ++ */ ++ u8 zero_nonce[crypto_aead_ivsize(big_key_aead)]; ++ ++ aead_req = aead_request_alloc(big_key_aead, GFP_KERNEL); ++ if (!aead_req) ++ return -ENOMEM; ++ ++ memset(zero_nonce, 0, sizeof(zero_nonce)); ++ sg_init_one(&sgio, data, datalen + (op == BIG_KEY_ENC ? ENC_AUTHTAG_SIZE : 0)); ++ aead_request_set_crypt(aead_req, &sgio, &sgio, datalen, zero_nonce); ++ aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); ++ aead_request_set_ad(aead_req, 0); + +- if (crypto_skcipher_setkey(big_key_skcipher, key, ENC_KEY_SIZE)) { ++ mutex_lock(&big_key_aead_lock); ++ if (crypto_aead_setkey(big_key_aead, key, ENC_KEY_SIZE)) { + ret = -EAGAIN; + goto error; + } +- +- skcipher_request_set_tfm(req, big_key_skcipher); +- skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, +- NULL, NULL); +- +- sg_init_one(&sgio, data, datalen); +- skcipher_request_set_crypt(req, &sgio, &sgio, datalen, NULL); +- + if (op == BIG_KEY_ENC) +- ret = crypto_skcipher_encrypt(req); ++ ret = crypto_aead_encrypt(aead_req); + else +- ret = crypto_skcipher_decrypt(req); +- +- skcipher_request_zero(req); +- ++ ret = crypto_aead_decrypt(aead_req); + error: ++ mutex_unlock(&big_key_aead_lock); ++ aead_request_free(aead_req); + return ret; + } + +@@ -146,16 +157,13 @@ int big_key_preparse(struct key_preparse + * + * File content is stored encrypted with randomly generated key. + */ +- size_t enclen = ALIGN(datalen, crypto_skcipher_blocksize(big_key_skcipher)); ++ size_t enclen = datalen + ENC_AUTHTAG_SIZE; + loff_t pos = 0; + +- /* prepare aligned data to encrypt */ + data = kmalloc(enclen, GFP_KERNEL); + if (!data) + return -ENOMEM; +- + memcpy(data, prep->data, datalen); +- memset(data + datalen, 0x00, enclen - datalen); + + /* generate random key */ + enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL); +@@ -163,13 +171,12 @@ int big_key_preparse(struct key_preparse + ret = -ENOMEM; + goto error; + } +- +- ret = big_key_gen_enckey(enckey); +- if (ret) ++ ret = get_random_bytes_wait(enckey, ENC_KEY_SIZE); ++ if (unlikely(ret)) + goto err_enckey; + + /* encrypt aligned data */ +- ret = big_key_crypt(BIG_KEY_ENC, data, enclen, enckey); ++ ret = big_key_crypt(BIG_KEY_ENC, data, datalen, enckey); + if (ret) + goto err_enckey; + +@@ -295,7 +302,7 @@ long big_key_read(const struct key *key, + struct file *file; + u8 *data; + u8 *enckey = (u8 *)key->payload.data[big_key_data]; +- size_t enclen = ALIGN(datalen, crypto_skcipher_blocksize(big_key_skcipher)); ++ size_t enclen = datalen + ENC_AUTHTAG_SIZE; + + data = kmalloc(enclen, GFP_KERNEL); + if (!data) +@@ -343,47 +350,31 @@ error: + */ + static int __init big_key_init(void) + { +- struct crypto_skcipher *cipher; +- struct crypto_rng *rng; + int ret; + +- rng = crypto_alloc_rng(big_key_rng_name, 0, 0); +- if (IS_ERR(rng)) { +- pr_err("Can't alloc rng: %ld\n", PTR_ERR(rng)); +- return PTR_ERR(rng); +- } +- +- big_key_rng = rng; +- +- /* seed RNG */ +- ret = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng)); +- if (ret) { +- pr_err("Can't reset rng: %d\n", ret); +- goto error_rng; +- } +- + /* init block cipher */ +- cipher = crypto_alloc_skcipher(big_key_alg_name, 0, CRYPTO_ALG_ASYNC); +- if (IS_ERR(cipher)) { +- ret = PTR_ERR(cipher); ++ big_key_aead = crypto_alloc_aead(big_key_alg_name, 0, CRYPTO_ALG_ASYNC); ++ if (IS_ERR(big_key_aead)) { ++ ret = PTR_ERR(big_key_aead); + pr_err("Can't alloc crypto: %d\n", ret); +- goto error_rng; ++ return ret; ++ } ++ ret = crypto_aead_setauthsize(big_key_aead, ENC_AUTHTAG_SIZE); ++ if (ret < 0) { ++ pr_err("Can't set crypto auth tag len: %d\n", ret); ++ goto free_aead; + } +- +- big_key_skcipher = cipher; + + ret = register_key_type(&key_type_big_key); + if (ret < 0) { + pr_err("Can't register type: %d\n", ret); +- goto error_cipher; ++ goto free_aead; + } + + return 0; + +-error_cipher: +- crypto_free_skcipher(big_key_skcipher); +-error_rng: +- crypto_free_rng(big_key_rng); ++free_aead: ++ crypto_free_aead(big_key_aead); + return ret; + } + diff --git a/patches.drivers/staging-bcm2835-audio-Fix-memory-corruption b/patches.drivers/staging-bcm2835-audio-Fix-memory-corruption new file mode 100644 index 0000000..3f5a5b6 --- /dev/null +++ b/patches.drivers/staging-bcm2835-audio-Fix-memory-corruption @@ -0,0 +1,83 @@ +From c97d96b4e612c7dc1b37d7afc61b598a9a25994d Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Sun, 24 Sep 2017 15:20:49 +0100 +Subject: [PATCH] staging: bcm2835-audio: Fix memory corruption +Git-commit: c97d96b4e612c7dc1b37d7afc61b598a9a25994d +Patch-mainline: v4.14-rc6 +References: bsc#1051510 + +The previous commit (0adbfd46) fixed a memory leak but also freed a +block in the success case, causing a stale pointer to be used with +potentially fatal results. Only free the vchi_instance block in the +case that vchi_connect fails; once connected, the instance is +retained for subsequent connections. + +Simplifying the code by removing a bunch of gotos and returning errors +directly. + +Signed-off-by: Phil Elwell +Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()") +Cc: stable # 4.12+ +Tested-by: Stefan Wahren +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 19 ++++-------- + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c +@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection + __func__, instance); + instance->alsa_stream = alsa_stream; + alsa_stream->instance = instance; +- ret = 0; // xxx todo -1; +- goto err_free_mem; ++ return 0; + } + + /* Initialize and create a VCHI connection */ +@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection + LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n", + __func__, ret); + +- ret = -EIO; +- goto err_free_mem; ++ return -EIO; + } + ret = vchi_connect(NULL, 0, vchi_instance); + if (ret) { + LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n", + __func__, ret); + +- ret = -EIO; +- goto err_free_mem; ++ kfree(vchi_instance); ++ return -EIO; + } + initted = 1; + } +@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection + if (IS_ERR(instance)) { + LOG_ERR("%s: failed to initialize audio service\n", __func__); + +- ret = PTR_ERR(instance); +- goto err_free_mem; ++ /* vchi_instance is retained for use the next time. */ ++ return PTR_ERR(instance); + } + + instance->alsa_stream = alsa_stream; + alsa_stream->instance = instance; + + LOG_DBG(" success !\n"); +- ret = 0; +-err_free_mem: +- kfree(vchi_instance); + +- return ret; ++ return 0; + } + + int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream) diff --git a/patches.drivers/staging-rtl8188eu-Fix-incorrect-response-to-SIOCGIWE b/patches.drivers/staging-rtl8188eu-Fix-incorrect-response-to-SIOCGIWE new file mode 100644 index 0000000..295c649 --- /dev/null +++ b/patches.drivers/staging-rtl8188eu-Fix-incorrect-response-to-SIOCGIWE @@ -0,0 +1,53 @@ +From b77992d2df9e47144354d1b25328b180afa33442 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sat, 25 Nov 2017 13:32:38 -0600 +Subject: [PATCH] staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID +Git-commit: b77992d2df9e47144354d1b25328b180afa33442 +Patch-mainline: v4.15-rc3 +References: bsc#1051510 + +When not associated with an AP, wifi device drivers should respond to the +SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the +behavior expected by dhcpcd. + +Currently, this driver returns an error code (-1) from the ioctl call, +which causes dhcpcd to assume that the device is not a wireless interface +and therefore it fails to work correctly with it thereafter. + +This problem was reported and tested at +https://github.com/lwfinger/rtl8188eu/issues/234. + +Signed-off-by: Larry Finger +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c ++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +@@ -1395,19 +1395,13 @@ static int rtw_wx_get_essid(struct net_d + if ((check_fwstate(pmlmepriv, _FW_LINKED)) || + (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) { + len = pcur_bss->Ssid.SsidLength; +- +- wrqu->essid.length = len; +- + memcpy(extra, pcur_bss->Ssid.Ssid, len); +- +- wrqu->essid.flags = 1; + } else { +- ret = -1; +- goto exit; ++ len = 0; ++ *extra = 0; + } +- +-exit: +- ++ wrqu->essid.length = len; ++ wrqu->essid.flags = 1; + + return ret; + } diff --git a/patches.drivers/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmep b/patches.drivers/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmep new file mode 100644 index 0000000..3dbc53c --- /dev/null +++ b/patches.drivers/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmep @@ -0,0 +1,41 @@ +From 123c0aab0050cd0e07ce18e453389fbbb0a5a425 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 20 Oct 2017 20:40:24 +0200 +Subject: [PATCH] staging: rtl8188eu: avoid a null dereference on pmlmepriv +Git-commit: 123c0aab0050cd0e07ce18e453389fbbb0a5a425 +Patch-mainline: v4.15-rc1 +References: bsc#1051510 + +There is a check on pmlmepriv before dereferencing it when +vfree'ing pmlmepriv->free_bss_buf however the previous call +to rtw_free_mlme_priv_ie_data deferences pmlmepriv causing +a null pointer deference if it is null. Avoid this by also +calling rtw_free_mlme_priv_ie_data if the pointer is non-null. + +Detected by CoverityScan, CID#1230262 ("Dereference before null check") + +Fixes: 7b464c9fa5cc ("staging: r8188eu: Add files for new driver - part 4") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + drivers/staging/rtl8188eu/core/rtw_mlme.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c ++++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c +@@ -106,10 +106,10 @@ void rtw_free_mlme_priv_ie_data(struct m + + void rtw_free_mlme_priv(struct mlme_priv *pmlmepriv) + { +- rtw_free_mlme_priv_ie_data(pmlmepriv); +- +- if (pmlmepriv) ++ if (pmlmepriv) { ++ rtw_free_mlme_priv_ie_data(pmlmepriv); + vfree(pmlmepriv->free_bss_buf); ++ } + } + + struct wlan_network *_rtw_alloc_network(struct mlme_priv *pmlmepriv) diff --git a/series.conf b/series.conf index 4444ef3..fd93415 100644 --- a/series.conf +++ b/series.conf @@ -5031,6 +5031,7 @@ patches.drivers/0001-regulator-fan53555-Use-of_device_get_match_data-to-s.patch patches.drivers/0002-regulator-fan53555-fix-I2C-device-ids.patch patches.drivers/0010-pinctrl-rockchip-Use-common-interface-for-recalced-i.patch + patches.drivers/pinctrl-intel-Add-Intel-Denverton-pin-controller-sup.patch patches.drivers/0001-pinctrl-check-ops-pin_config_set-in-pinconf_set_conf.patch patches.drivers/0011-pinctrl-intel-Add-Intel-Cannon-Lake-PCH-H-pin-contro.patch patches.suse/cpufreq-intel_pstate-Improve-IO-performance-with-per-core-P-states.patch @@ -6424,6 +6425,8 @@ patches.drivers/keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read patches.fixes/0001-KEYS-prevent-creating-a-different-user-s-keyrings.patch patches.drivers/keys-prevent-keyctl_read-on-negative-key + patches.drivers/security-keys-properly-zero-out-sensitive-key-materi + patches.drivers/security-keys-rewrite-all-of-big_key-crypto patches.arch/18.2-kvm-nvmx-fix-host_cr3-host_cr4-cache.patch patches.suse/KVM-PPC-Book3S-HV-Check-for-updated-HDSISR-on-P9-HDS.patch patches.suse/KVM-VMX-extract-__pi_post_block.patch @@ -6662,6 +6665,7 @@ patches.fixes/keys-encrypted-fix-dereference-of-null-user_key_payload patches.fixes/lib-digsig-fix-dereference-of-null-user_key_payload patches.fixes/ecryptfs-fix-dereference-of-NULL-user_key_payload.patch + patches.drivers/security-keys-BIG_KEY-requires-CONFIG_CRYPTO patches.fixes/KEYS-Fix-the-wrong-index-when-checking-the-existence patches.fixes/KEYS-Fix-race-between-updating-and-finding-a-negativ.patch patches.fixes/KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch @@ -6731,6 +6735,7 @@ patches.fixes/0001-USB-core-fix-out-of-bounds-access-bug-in-usb_get_bos.patch patches.suse/msft-hv-1485-vmbus-hvsock-add-proper-sync-for-vmbus_hvsock_device.patch patches.drivers/iio-dummy-events-Add-missing-break.patch + patches.drivers/staging-bcm2835-audio-Fix-memory-corruption patches.fixes/workqueue-replace-pool-manager_arb-mutex-with-a-flag.patch patches.arch/KVM-PPC-Fix-oops-when-checking-KVM_CAP_PPC_HTM.patch patches.arch/KVM-PPC-Book3S-HV-POWER9-more-doorbell-fixes.patch @@ -6886,6 +6891,7 @@ patches.drivers/0020-tpm-tpm_crb-Use-start-method-value-from-ACPI-table-d.patch patches.drivers/tpm-185-tis_spi-Use-DMA-safe-memory-for-SPI-transfers.patch patches.drivers/tpm-dev-common-Reject-too-short-writes.patch + patches.drivers/ima-fix-hash-algorithm-initialization patches.drivers/s390-runtime-instrumention-fix-possible-memory-corru.patch patches.drivers/s390-guarded-storage-fix-possible-memory-corruption.patch patches.arch/s390-sles15-02-03-dis-end-marker.patch @@ -7035,6 +7041,7 @@ patches.drivers/ACPI-x86-Extend-KIOX000A-quirk-to-cover-all-affected patches.drivers/ACPI-EC-Fix-regression-related-to-triggering-source- patches.drivers/rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_ + patches.drivers/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmep patches.drivers/0002-tty-xilinx_uartps-move-to-arch_initcall-for-earlier-.patch patches.drivers/serial-8250_fintek-Fix-rs485-disablement-on-invalid- patches.drivers/0045-phy-rockchip-typec-Avoid-magic-numbers-add-delays-in.patch @@ -8561,6 +8568,7 @@ patches.drivers/platform-x86-intel_punit_ipc-Fix-resource-ioremap-wa patches.fixes/0003-lockd-double-unregister-of-inetaddr-notifiers.patch patches.fixes/0001-svcrdma-Preserve-CB-send-buffer-across-retransmits.patch + patches.drivers/ima-do-not-update-security.ima-if-appraisal-status-i patches.drivers/video-udlfb-Fix-read-EDID-timeout patches.suse/0002-ceph-keep-auth-cap-when-inode-has-flocks-or-posix-locks.patch patches.suse/0003-ceph-make-lock_to_ceph_filelock-static.patch @@ -8802,6 +8810,7 @@ patches.fixes/tcp-use-IPCB-instead-of-TCP_SKB_CB-in-inet_exact_dif.patch patches.fixes/0001-xhci-Don-t-show-incorrect-WARN-message-about-events-.patch patches.drivers/serial-8250_pci-Add-Amazon-PCI-serial-device-ID + patches.drivers/staging-rtl8188eu-Fix-incorrect-response-to-SIOCGIWE patches.drivers/isa-Prevent-NULL-dereference-in-isa_bus-driver-callb patches.suse/msft-hv-1518-Drivers-hv-vmbus-Fix-a-rescind-issue.patch patches.suse/msft-hv-1519-hv-kvp-Avoid-reading-past-allocated-blocks-from-KVP-.patch @@ -10880,6 +10889,9 @@ patches.drivers/watchdog-sbsa-use-32-bit-read-for-WCV.patch patches.drivers/scsi-qla2xxx-Fix-crashes-in-qla2x00_probe_one-on-pro.patch patches.drivers/dm-mpath-fix-passing-integrity-data.patch + patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue + patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- + patches.drivers/ALSA-hda-Revert-power_save-option-default-value # davem/net patches.drivers/e1000e-Remove-Other-from-EIAC.patch @@ -11422,9 +11434,6 @@ ########################################################## # Sound ########################################################## - patches.drivers/ALSA-hda-Revert-power_save-option-default-value - patches.drivers/ALSA-seq-Fix-possible-UAF-in-snd_seq_check_queue - patches.drivers/ALSA-seq-Clear-client-entry-before-deleting-else-at- patches.drivers/ASoC-cx2072x-Add-DT-bingings-documentation-for-CX207 patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 diff --git a/supported.conf b/supported.conf index 6bd46a0..3ea3d39 100644 --- a/supported.conf +++ b/supported.conf @@ -1574,7 +1574,13 @@ drivers/phy/rockchip/phy-rockchip-pcie drivers/phy/rockchip/phy-rockchip-typec - drivers/phy/rockchip/phy-rockchip-usb + drivers/pinctrl/intel/pinctrl-broxton + drivers/pinctrl/intel/pinctrl-cannonlake drivers/pinctrl/intel/pinctrl-cherryview + drivers/pinctrl/intel/pinctrl-denverton + drivers/pinctrl/intel/pinctrl-geminilake + drivers/pinctrl/intel/pinctrl-intel + drivers/pinctrl/intel/pinctrl-sunrisepoint - drivers/pinctrl/* - drivers/platform/chrome/* drivers/platform/x86/acer-wmi