linux-toradex.git/drivers/firmware/google, branch v4.13-rc7 Linux kernel for Apalis and Colibri modules Merge 4.12-rc5 into char-misc-next 2017-06-12T06:18:10+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2017-06-12T06:18:10+00:00 069a0f32c9ca75ec7f02146711ec1f5840a68cbf We want the char/misc driver fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We want the char/misc driver fixes in here as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "firmware: vpd: remove platform driver" 2017-05-27T09:46:26+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-26T20:57:49+00:00 46505c802a55189955d97195c8567ee263168747 This reverts commit 7975bd4cca05a99aa14964cfa22366ee64da50ad, because VPD relies on driver core to handle deferrals returned by coreboot_table_find(). Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This reverts commit 7975bd4cca05a99aa14964cfa22366ee64da50ad, because
VPD relies on driver core to handle deferrals returned by
coreboot_table_find().

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: remove platform driver 2017-05-25T13:41:20+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:47+00:00 7975bd4cca05a99aa14964cfa22366ee64da50ad There is no reason why VPD should register platform device and driver, given that we do not use their respective kobjects to attach attributes, nor do we need suspend/resume hooks, or any other features of device core. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
There is no reason why VPD should register platform device and driver,
given that we do not use their respective kobjects to attach attributes,
nor do we need suspend/resume hooks, or any other features of device
core.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: do not clear statically allocated data 2017-05-25T13:41:20+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:46+00:00 dd246486f94694edb86e898a24a61ebf2f2fdba4 ro_vpd and rw_vpd are static module-scope variables that are guaranteed to be initialized with zeroes, there is no need for explicit memset(). Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
ro_vpd and rw_vpd are static module-scope variables that are guaranteed
to be initialized with zeroes, there is no need for explicit memset().

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: use kasprintf() when forming name of 'raw' attribute 2017-05-25T13:41:20+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:45+00:00 9920a33e3573a207cd49895080e2806134e5e56f When creating name for the "raw" attribute, let's switch to using kaspeintf() instead of doing it by hand. Also make sure we handle errors. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When creating name for the "raw" attribute, let's switch to using
kaspeintf() instead of doing it by hand. Also make sure we handle
errors.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: use kdtrndup when copying section key 2017-05-25T13:41:20+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:42+00:00 3eec6a1c0cf31b982cad560c16e19fdb1851ae91 Instead of open-coding kstrndup with kzalloc + memcpy, let's use the helper. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Instead of open-coding kstrndup with kzalloc + memcpy, let's use
the helper.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: do not leak kobjects 2017-05-25T13:37:16+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:44+00:00 2ee1cc70552e5520a275254427c0c37fc81728d2 kobject_del() only unlinks kobject, we need to use kobject_put() to make sure kobject will go away completely. Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver") Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
kobject_del() only unlinks kobject, we need to use kobject_put() to
make sure kobject will go away completely.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: avoid potential use-after-free when destroying section 2017-05-25T13:37:16+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:43+00:00 ce57cba37f3721c21e46adf21c61292dfd7a9c04 We should not free info->key before we remove sysfs attribute that uses this data as its name. Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver") Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We should not free info->key before we remove sysfs attribute that uses
this data as its name.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: vpd: do not leave freed section attributes to the list 2017-05-25T13:37:16+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-05-24T00:07:41+00:00 7f53de2069c801776f0f5d1a1d665324967a4fab We should only add section attribute to the list of section attributes if we successfully created corresponding sysfs attribute. Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver") Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We should only add section attribute to the list of section attributes
if we successfully created corresponding sysfs attribute.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware: google: memconsole: Prevent overrun attack on coreboot console 2017-05-25T13:35:19+00:00 Julius Werner jwerner@chromium.org 2017-05-23T23:48:17+00:00 40fbb23881291bb57e4e25e859de8e2287426dac The recent coreboot memory console update (firmware: google: memconsole: Adapt to new coreboot ring buffer format) introduced a small security issue in the driver: The new driver implementation parses the memory console structure again on every access. This is intentional so that additional lines added concurrently by runtime firmware can be read out. However, if an attacker can write to the structure, they could increase the size value to a point where the driver would read potentially sensitive memory areas from outside the original console buffer during the next access. This can be done through /dev/mem, since the console buffer usually resides in firmware-reserved memory that is not covered by STRICT_DEVMEM. This patch resolves that problem by reading the buffer's size value only once during boot (where we can still trust the structure). Other parts of the structure can still be modified at runtime, but the driver's bounds checks make sure that it will never read outside the buffer. Fixes: a5061d028 ("firmware: google: memconsole: Adapt to new coreboot ring buffer format") Signed-off-by: Julius Werner <jwerner@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The recent coreboot memory console update (firmware: google: memconsole:
Adapt to new coreboot ring buffer format) introduced a small security
issue in the driver: The new driver implementation parses the memory
console structure again on every access. This is intentional so that
additional lines added concurrently by runtime firmware can be read out.

However, if an attacker can write to the structure, they could increase
the size value to a point where the driver would read potentially
sensitive memory areas from outside the original console buffer during
the next access. This can be done through /dev/mem, since the console
buffer usually resides in firmware-reserved memory that is not covered
by STRICT_DEVMEM.

This patch resolves that problem by reading the buffer's size value only
once during boot (where we can still trust the structure). Other parts
of the structure can still be modified at runtime, but the driver's
bounds checks make sure that it will never read outside the buffer.

Fixes: a5061d028 ("firmware: google: memconsole: Adapt to new coreboot ring buffer format")
Signed-off-by: Julius Werner <jwerner@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>