1. 20 Feb, 2015 40 commits
    • Ben Hutchings's avatar
      Linux 3.2.67 · fd623507
      Ben Hutchings authored
      fd623507
    • Myron Stowe's avatar
      PCI: Handle read-only BARs on AMD CS553x devices · a758de0e
      Myron Stowe authored
      commit 06cf35f9 upstream.
      
      Some AMD CS553x devices have read-only BARs because of a firmware or
      hardware defect.  There's a workaround in quirk_cs5536_vsa(), but it no
      longer works after 36e81648 ("PCI: Restore detection of read-only
      BARs").  Prior to 36e81648, we filled in res->start; afterwards we
      leave it zeroed out.  The quirk only updated the size, so the driver tried
      to use a region starting at zero, which didn't work.
      
      Expand quirk_cs5536_vsa() to read the base addresses from the BARs and
      hard-code the sizes.
      
      On Nix's system BAR 2's read-only value is 0x6200.  Prior to 36e81648,
      we interpret that as a 512-byte BAR based on the lowest-order bit set.  Per
      datasheet sec 5.6.1, that BAR (MFGPT) requires only 64 bytes; use that to
      avoid clearing any address bits if a platform uses only 64-byte alignment.
      
      [bhelgaas: changelog, reduce BAR 2 size to 64]
      Fixes: 36e81648 ("PCI: Restore detection of read-only BARs")
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=85991#c4
      Link: http://support.amd.com/TechDocs/31506_cs5535_databook.pdf
      Link: http://support.amd.com/TechDocs/33238G_cs5536_db.pdfReported-and-tested-by: default avatarNix <nix@esperi.org.uk>
      Signed-off-by: default avatarMyron Stowe <myron.stowe@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a758de0e
    • Nadav Amit's avatar
      KVM: x86: SYSENTER emulation is broken · 038911f3
      Nadav Amit authored
      commit f3747379 upstream.
      
      SYSENTER emulation is broken in several ways:
      1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
      2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
         still be set without causing #GP).
      3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
         legacy-mode.
      4. There is some unneeded code.
      
      Fix it.
      
      Cc: stable@vger.linux.org
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      038911f3
    • Avi Kivity's avatar
      KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD guests · d5616c08
      Avi Kivity authored
      commit 1a18a69b upstream.
      
      If the guest thinks it's an AMD, it will not have prepared the SYSENTER MSRs,
      and if the guest executes SYSENTER in compatibility mode, it will fails.
      
      Detect this condition and #UD instead, like the spec says.
      Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d5616c08
    • Florian Westphal's avatar
      netfilter: conntrack: disable generic tracking for known protocols · d7cde286
      Florian Westphal authored
      commit db29a950 upstream.
      
      Given following iptables ruleset:
      
      -P FORWARD DROP
      -A FORWARD -m sctp --dport 9 -j ACCEPT
      -A FORWARD -p tcp --dport 80 -j ACCEPT
      -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
      
      One would assume that this allows SCTP on port 9 and TCP on port 80.
      Unfortunately, if the SCTP conntrack module is not loaded, this allows
      *all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
      which we think is a security issue.
      
      This is because on the first SCTP packet on port 9, we create a dummy
      "generic l4" conntrack entry without any port information (since
      conntrack doesn't know how to extract this information).
      
      All subsequent packets that are unknown will then be in established
      state since they will fallback to proto_generic and will match the
      'generic' entry.
      
      Our originally proposed version [1] completely disabled generic protocol
      tracking, but Jozsef suggests to not track protocols for which a more
      suitable helper is available, hence we now mitigate the issue for in
      tree known ct protocol helpers only, so that at least NAT and direction
      information will still be preserved for others.
      
       [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
      
      Joint work with Daniel Borkmann.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d7cde286
    • Ben Hutchings's avatar
      splice: Apply generic position and size checks to each write · 894c6350
      Ben Hutchings authored
      We need to check the position and size of file writes against various
      limits, using generic_write_check().  This was not being done for
      the splice write path.  It was fixed upstream by commit 8d020765
      ("->splice_write() via ->write_iter()") but we can't apply that.
      
      CVE-2014-7822
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      894c6350
    • Ben Hutchings's avatar
      vfs: Fix vfsmount_lock imbalance in path_init() · d8c8133e
      Ben Hutchings authored
      When backporting commit 4023bfc9 ("be careful with nd->inode in
      path_init() and follow_dotdot_rcu()"), I failed to account for the
      vfsmount_lock that is used in 3.2 but not upstream.  path_init() takes
      the lock if performing RCU lookup, but must drop it if (and only if)
      it subsequently fails.
      
      Reported-by: nuxi@vault24.org
      References: https://bugzilla.kernel.org/show_bug.cgi?id=92531Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Tested-by: nuxi@vault24.org
      d8c8133e
    • Jay Vosburgh's avatar
      net/core: Handle csum for CHECKSUM_COMPLETE VXLAN forwarding · 5fa7469e
      Jay Vosburgh authored
      [ Upstream commit 2c26d34b ]
      
      When using VXLAN tunnels and a sky2 device, I have experienced
      checksum failures of the following type:
      
      [ 4297.761899] eth0: hw csum failure
      [...]
      [ 4297.765223] Call Trace:
      [ 4297.765224]  <IRQ>  [<ffffffff8172f026>] dump_stack+0x46/0x58
      [ 4297.765235]  [<ffffffff8162ba52>] netdev_rx_csum_fault+0x42/0x50
      [ 4297.765238]  [<ffffffff8161c1a0>] ? skb_push+0x40/0x40
      [ 4297.765240]  [<ffffffff8162325c>] __skb_checksum_complete+0xbc/0xd0
      [ 4297.765243]  [<ffffffff8168c602>] tcp_v4_rcv+0x2e2/0x950
      [ 4297.765246]  [<ffffffff81666ca0>] ? ip_rcv_finish+0x360/0x360
      
      	These are reliably reproduced in a network topology of:
      
      container:eth0 == host(OVS VXLAN on VLAN) == bond0 == eth0 (sky2) -> switch
      
      	When VXLAN encapsulated traffic is received from a similarly
      configured peer, the above warning is generated in the receive
      processing of the encapsulated packet.  Note that the warning is
      associated with the container eth0.
      
              The skbs from sky2 have ip_summed set to CHECKSUM_COMPLETE, and
      because the packet is an encapsulated Ethernet frame, the checksum
      generated by the hardware includes the inner protocol and Ethernet
      headers.
      
      	The receive code is careful to update the skb->csum, except in
      __dev_forward_skb, as called by dev_forward_skb.  __dev_forward_skb
      calls eth_type_trans, which in turn calls skb_pull_inline(skb, ETH_HLEN)
      to skip over the Ethernet header, but does not update skb->csum when
      doing so.
      
      	This patch resolves the problem by adding a call to
      skb_postpull_rcsum to update the skb->csum after the call to
      eth_type_trans.
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5fa7469e
    • Govindarajulu Varadarajan's avatar
      enic: fix rx skb checksum · 58aa2f36
      Govindarajulu Varadarajan authored
      [ Upstream commit 17e96834 ]
      
      Hardware always provides compliment of IP pseudo checksum. Stack expects
      whole packet checksum without pseudo checksum if CHECKSUM_COMPLETE is set.
      
      This causes checksum error in nf & ovs.
      
      kernel: qg-19546f09-f2: hw csum failure
      kernel: CPU: 9 PID: 0 Comm: swapper/9 Tainted: GF          O--------------   3.10.0-123.8.1.el7.x86_64 #1
      kernel: Hardware name: Cisco Systems Inc UCSB-B200-M3/UCSB-B200-M3, BIOS B200M3.2.2.3.0.080820141339 08/08/2014
      kernel: ffff881218f40000 df68243feb35e3a8 ffff881237a43ab8 ffffffff815e237b
      kernel: ffff881237a43ad0 ffffffff814cd4ca ffff8829ec71eb00 ffff881237a43af0
      kernel: ffffffff814c6232 0000000000000286 ffff8829ec71eb00 ffff881237a43b00
      kernel: Call Trace:
      kernel: <IRQ>  [<ffffffff815e237b>] dump_stack+0x19/0x1b
      kernel: [<ffffffff814cd4ca>] netdev_rx_csum_fault+0x3a/0x40
      kernel: [<ffffffff814c6232>] __skb_checksum_complete_head+0x62/0x70
      kernel: [<ffffffff814c6251>] __skb_checksum_complete+0x11/0x20
      kernel: [<ffffffff8155a20c>] nf_ip_checksum+0xcc/0x100
      kernel: [<ffffffffa049edc7>] icmp_error+0x1f7/0x35c [nf_conntrack_ipv4]
      kernel: [<ffffffff814cf419>] ? netif_rx+0xb9/0x1d0
      kernel: [<ffffffffa040eb7b>] ? internal_dev_recv+0xdb/0x130 [openvswitch]
      kernel: [<ffffffffa04c8330>] nf_conntrack_in+0xf0/0xa80 [nf_conntrack]
      kernel: [<ffffffff81509380>] ? inet_del_offload+0x40/0x40
      kernel: [<ffffffffa049e302>] ipv4_conntrack_in+0x22/0x30 [nf_conntrack_ipv4]
      kernel: [<ffffffff815005ca>] nf_iterate+0xaa/0xc0
      kernel: [<ffffffff81509380>] ? inet_del_offload+0x40/0x40
      kernel: [<ffffffff81500664>] nf_hook_slow+0x84/0x140
      kernel: [<ffffffff81509380>] ? inet_del_offload+0x40/0x40
      kernel: [<ffffffff81509dd4>] ip_rcv+0x344/0x380
      
      Hardware verifies IP & tcp/udp header checksum but does not provide payload
      checksum, use CHECKSUM_UNNECESSARY. Set it only if its valid IP tcp/udp packet.
      
      Cc: Jiri Benc <jbenc@redhat.com>
      Cc: Stefan Assmann <sassmann@redhat.com>
      Reported-by: default avatarSunil Choudhary <schoudha@redhat.com>
      Signed-off-by: default avatarGovindarajulu Varadarajan <_govind@gmx.com>
      Reviewed-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      58aa2f36
    • Prashant Sreedharan's avatar
      tg3: tg3_disable_ints using uninitialized mailbox value to disable interrupts · 1da9db7a
      Prashant Sreedharan authored
      [ Upstream commit 05b0aa57 ]
      
      During driver load in tg3_init_one, if the driver detects DMA activity before
      intializing the chip tg3_halt is called. As part of tg3_halt interrupts are
      disabled using routine tg3_disable_ints. This routine was using mailbox value
      which was not initialized (default value is 0). As a result driver was writing
      0x00000001 to pci config space register 0, which is the vendor id / device id.
      
      This driver bug was exposed because of the commit a7877b17a667 (PCI: Check only
      the Vendor ID to identify Configuration Request Retry). Also this issue is only
      seen in older generation chipsets like 5722 because config space write to offset
      0 from driver is possible. The newer generation chips ignore writes to offset 0.
      Also without commit a7877b17a667, for these older chips when a GRC reset is
      issued the Bootcode would reprogram the vendor id/device id, which is the reason
      this bug was masked earlier.
      
      Fixed by initializing the interrupt mailbox registers before calling tg3_halt.
      
      Please queue for -stable.
      Reported-by: default avatarNils Holland <nholland@tisys.org>
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1da9db7a
    • Ben Hutchings's avatar
      dcache: Fix locking bugs in backported "deal with deadlock in d_walk()" · 20defcec
      Ben Hutchings authored
      Steven Rostedt reported:
      > Porting -rt to the latest 3.2 stable tree I triggered this bug:
      > 
      > =====================================
      > [ BUG: bad unlock balance detected! ]
      > -------------------------------------
      > rm/1638 is trying to release lock (rcu_read_lock) at:
      > [<c04fde6c>] rcu_read_unlock+0x0/0x23
      > but there are no more locks to release!
      > 
      > other info that might help us debug this:
      > 2 locks held by rm/1638:
      >  #0:  (&sb->s_type->i_mutex_key#9/1){+.+.+.}, at: [<c04f93eb>] do_rmdir+0x5f/0xd2
      >  #1:  (&sb->s_type->i_mutex_key#9){+.+.+.}, at: [<c04f9329>] vfs_rmdir+0x49/0xac
      > 
      > stack backtrace:
      > Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2
      > Call Trace:
      >  [<c083f390>] ? printk+0x1d/0x1f
      >  [<c0463cdf>] print_unlock_inbalance_bug+0xc3/0xcd
      >  [<c04653a8>] lock_release_non_nested+0x98/0x1ec
      >  [<c046228d>] ? trace_hardirqs_off_caller+0x18/0x90
      >  [<c0456f1c>] ? local_clock+0x2d/0x50
      >  [<c04fde6c>] ? d_hash+0x2f/0x2f
      >  [<c04fde6c>] ? d_hash+0x2f/0x2f
      >  [<c046568e>] lock_release+0x192/0x1ad
      >  [<c04fde83>] rcu_read_unlock+0x17/0x23
      >  [<c04ff344>] shrink_dcache_parent+0x227/0x270
      >  [<c04f9348>] vfs_rmdir+0x68/0xac
      >  [<c04f9424>] do_rmdir+0x98/0xd2
      >  [<c04f03ad>] ? fput+0x1a3/0x1ab
      >  [<c084dd42>] ? sysenter_exit+0xf/0x1a
      >  [<c0465b58>] ? trace_hardirqs_on_caller+0x118/0x149
      >  [<c04fa3e0>] sys_unlinkat+0x2b/0x35
      >  [<c084dd13>] sysenter_do_call+0x12/0x12
      > 
      > 
      > 
      > 
      > There's a path to calling rcu_read_unlock() without calling
      > rcu_read_lock() in have_submounts().
      > 
      > 	goto positive;
      > 
      > positive:
      > 	if (!locked && read_seqretry(&rename_lock, seq))
      > 		goto rename_retry;
      > 
      > rename_retry:
      > 	rcu_read_unlock();
      > 
      > in the above path, rcu_read_lock() is never done before calling
      > rcu_read_unlock();
      
      I reviewed locking contexts in all three functions that I changed when
      backporting "deal with deadlock in d_walk()".  It's actually worse
      than this:
      
      - We don't hold this_parent->d_lock at the 'positive' label in
        have_submounts(), but it is unlocked after 'rename_retry'.
      - There is an rcu_read_unlock() after the 'out' label in
        select_parent(), but it's not held at the 'goto out'.
      
      Fix all three lock imbalances.
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Tested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      20defcec
    • Dan Carpenter's avatar
      netfilter: ipset: small potential read beyond the end of buffer · d64fba0d
      Dan Carpenter authored
      commit 2196937e upstream.
      
      We could be reading 8 bytes into a 4 byte buffer here.  It seems
      harmless but adding a check is the right thing to do and it silences a
      static checker warning.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d64fba0d
    • Sasha Levin's avatar
      KEYS: close race between key lookup and freeing · dc4a2f40
      Sasha Levin authored
      commit a3a87844 upstream.
      
      When a key is being garbage collected, it's key->user would get put before
      the ->destroy() callback is called, where the key is removed from it's
      respective tracking structures.
      
      This leaves a key hanging in a semi-invalid state which leaves a window open
      for a different task to try an access key->user. An example is
      find_keyring_by_name() which would dereference key->user for a key that is
      in the process of being garbage collected (where key->user was freed but
      ->destroy() wasn't called yet - so it's still present in the linked list).
      
      This would cause either a panic, or corrupt memory.
      
      Fixes CVE-2014-9529.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      [bwh: Backported to 3.2: adjust indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dc4a2f40
    • Jerry Hoemann's avatar
      fsnotify: next_i is freed during fsnotify_unmount_inodes. · 38edb97e
      Jerry Hoemann authored
      commit 6424babf upstream.
      
      During file system stress testing on 3.10 and 3.12 based kernels, the
      umount command occasionally hung in fsnotify_unmount_inodes in the
      section of code:
      
                      spin_lock(&inode->i_lock);
                      if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) {
                              spin_unlock(&inode->i_lock);
                              continue;
                      }
      
      As this section of code holds the global inode_sb_list_lock, eventually
      the system hangs trying to acquire the lock.
      
      Multiple crash dumps showed:
      
      The inode->i_state == 0x60 and i_count == 0 and i_sb_list would point
      back at itself.  As this is not the value of list upon entry to the
      function, the kernel never exits the loop.
      
      To help narrow down problem, the call to list_del_init in
      inode_sb_list_del was changed to list_del.  This poisons the pointers in
      the i_sb_list and causes a kernel to panic if it transverse a freed
      inode.
      
      Subsequent stress testing paniced in fsnotify_unmount_inodes at the
      bottom of the list_for_each_entry_safe loop showing next_i had become
      free.
      
      We believe the root cause of the problem is that next_i is being freed
      during the window of time that the list_for_each_entry_safe loop
      temporarily releases inode_sb_list_lock to call fsnotify and
      fsnotify_inode_delete.
      
      The code in fsnotify_unmount_inodes attempts to prevent the freeing of
      inode and next_i by calling __iget.  However, the code doesn't do the
      __iget call on next_i
      
      	if i_count == 0 or
      	if i_state & (I_FREEING | I_WILL_FREE)
      
      The patch addresses this issue by advancing next_i in the above two cases
      until we either find a next_i which we can __iget or we reach the end of
      the list.  This makes the handling of next_i more closely match the
      handling of the variable "inode."
      
      The time to reproduce the hang is highly variable (from hours to days.) We
      ran the stress test on a 3.10 kernel with the proposed patch for a week
      without failure.
      
      During list_for_each_entry_safe, next_i is becoming free causing
      the loop to never terminate.  Advance next_i in those cases where
      __iget is not done.
      Signed-off-by: default avatarJerry Hoemann <jerry.hoemann@hp.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Cc: Ken Helias <kenhelias@firemail.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Jan Kara <jack@suse.cz>
      38edb97e
    • Borislav Petkov's avatar
      x86, cpu, amd: Add workaround for family 16h, erratum 793 · 9ec2b315
      Borislav Petkov authored
      commit 3b564968 upstream.
      
      This adds the workaround for erratum 793 as a precaution in case not
      every BIOS implements it.  This addresses CVE-2013-6885.
      
      Erratum text:
      
      [Revision Guide for AMD Family 16h Models 00h-0Fh Processors,
      document 51810 Rev. 3.04 November 2013]
      
      793 Specific Combination of Writes to Write Combined Memory Types and
      Locked Instructions May Cause Core Hang
      
      Description
      
      Under a highly specific and detailed set of internal timing
      conditions, a locked instruction may trigger a timing sequence whereby
      the write to a write combined memory type is not flushed, causing the
      locked instruction to stall indefinitely.
      
      Potential Effect on System
      
      Processor core hang.
      
      Suggested Workaround
      
      BIOS should set MSR
      C001_1020[15] = 1b.
      
      Fix Planned
      
      No fix planned
      
      [ hpa: updated description, fixed typo in MSR name ]
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/20140114230711.GS29865@pd.tnicTested-by: default avatarAravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      [bwh: Backported to 3.2:
       - Adjust filename
       - Venkatesh Srinivas pointed out we should use {rd,wr}msrl_safe() to
         avoid crashing on KVM.  This was fixed upstream by commit 8f86a737
         ("x86, AMD: Convert to the new bit access MSR accessors") but that's too
         much trouble to backport.  Here we must use {rd,wr}msrl_amd_safe().]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Moritz Muehlenhoff <jmm@debian.org>
      Cc: Venkatesh Srinivas <venkateshs@google.com>
      9ec2b315
    • Martin Schwidefsky's avatar
      s390/3215: fix tty output containing tabs · 308246b8
      Martin Schwidefsky authored
      commit e512d56c upstream.
      
      git commit 37f81fa1
      "n_tty: do O_ONLCR translation as a single write"
      surfaced a bug in the 3215 device driver. In combination this
      broke tab expansion for tty ouput.
      
      The cause is an asymmetry in the behaviour of tty3215_ops->write
      vs tty3215_ops->put_char. The put_char function scans for '\t'
      but the write function does not.
      
      As the driver has logic for the '\t' expansion remove XTABS
      from c_oflag of the initial termios as well.
      Reported-by: default avatarStephen Powell <zlinuxman@wowway.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      308246b8
    • Lv Zheng's avatar
      ACPI / EC: Fix regression due to conflicting firmware behavior between Samsung and Acer. · bb5850b1
      Lv Zheng authored
      commit 79149001 upstream.
      
      It is reported that Samsung laptops that need to poll events are broken by
      the following commit:
       Commit 3afcf2ec
       Subject: ACPI / EC: Add support to disallow QR_EC to be issued when SCI_EVT isn't set
      
      The behaviors of the 2 vendor firmwares are conflict:
       1. Acer: OSPM shouldn't issue QR_EC unless SCI_EVT is set, firmware
               automatically sets SCI_EVT as long as there is event queued up.
       2. Samsung: OSPM should issue QR_EC whatever SCI_EVT is set, firmware
                  returns 0 when there is no event queued up.
      
      This patch is a quick fix to distinguish the behaviors to make Acer
      behavior only effective for Acer EC firmware so that the breakages on
      Samsung EC firmware can be avoided.
      
      Fixes: 3afcf2ec (ACPI / EC: Add support to disallow QR_EC to be issued ...)
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161Reported-and-tested-by: default avatarOrtwin Glück <odi@odi.ch>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      [ rjw : Subject ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Kamal Mostafa <kamal@canonical.com>
      bb5850b1
    • Ben Hutchings's avatar
      Revert "x86, 64bit, mm: Mark data/bss/brk to nx" · 309adf3c
      Ben Hutchings authored
      This reverts commit e105c818 which
      was commit 72212675 upstream.
      
      This caused suspend/resume to stop working on at least some systems -
      specifically, the system would reboot when woken.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      309adf3c
    • Ben Hutchings's avatar
      Revert "x86, mm: Set NX across entire PMD at boot" · dc705052
      Ben Hutchings authored
      This reverts commit a5c187d9 which
      was commit 45e2a9d4 upstream.
      
      The previous commit caused suspend/resume to stop working on at least
      some systems - specifically, the system would reboot when woken.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      dc705052
    • Linus Torvalds's avatar
      vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS · a8467a7a
      Linus Torvalds authored
      commit 9c145c56 upstream.
      
      The stack guard page error case has long incorrectly caused a SIGBUS
      rather than a SIGSEGV, but nobody actually noticed until commit
      fee7e49d ("mm: propagate error from stack expansion even for guard
      page") because that error case was never actually triggered in any
      normal situations.
      
      Now that we actually report the error, people noticed the wrong signal
      that resulted.  So far, only the test suite of libsigsegv seems to have
      actually cared, but there are real applications that use libsigsegv, so
      let's not wait for any of those to break.
      Reported-and-tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarJan Engelhardt <jengelh@inai.de>
      Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
      Cc: linux-arch@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a8467a7a
    • Linus Torvalds's avatar
      vm: add VM_FAULT_SIGSEGV handling support · 219a047e
      Linus Torvalds authored
      commit 33692f27 upstream.
      
      The core VM already knows about VM_FAULT_SIGBUS, but cannot return a
      "you should SIGSEGV" error, because the SIGSEGV case was generally
      handled by the caller - usually the architecture fault handler.
      
      That results in lots of duplication - all the architecture fault
      handlers end up doing very similar "look up vma, check permissions, do
      retries etc" - but it generally works.  However, there are cases where
      the VM actually wants to SIGSEGV, and applications _expect_ SIGSEGV.
      
      In particular, when accessing the stack guard page, libsigsegv expects a
      SIGSEGV.  And it usually got one, because the stack growth is handled by
      that duplicated architecture fault handler.
      
      However, when the generic VM layer started propagating the error return
      from the stack expansion in commit fee7e49d ("mm: propagate error
      from stack expansion even for guard page"), that now exposed the
      existing VM_FAULT_SIGBUS result to user space.  And user space really
      expected SIGSEGV, not SIGBUS.
      
      To fix that case, we need to add a VM_FAULT_SIGSEGV, and teach all those
      duplicate architecture fault handlers about it.  They all already have
      the code to handle SIGSEGV, so it's about just tying that new return
      value to the existing code, but it's all a bit annoying.
      
      This is the mindless minimal patch to do this.  A more extensive patch
      would be to try to gather up the mostly shared fault handling logic into
      one generic helper routine, and long-term we really should do that
      cleanup.
      
      Just from this patch, you can generally see that most architectures just
      copied (directly or indirectly) the old x86 way of doing things, but in
      the meantime that original x86 model has been improved to hold the VM
      semaphore for shorter times etc and to handle VM_FAULT_RETRY and other
      "newer" things, so it would be a good idea to bring all those
      improvements to the generic case and teach other architectures about
      them too.
      Reported-and-tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarJan Engelhardt <jengelh@inai.de>
      Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
      Cc: linux-arch@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust filenames, context
       - Drop arc, metag, nios2 and lustre changes
       - For sh, patch both 32-bit and 64-bit implementations to use goto bad_area
       - For s390, pass int_code and trans_exc_code as arguments to do_no_context()
         and do_sigsegv()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      219a047e
    • Daniel Borkmann's avatar
      net: sctp: fix slab corruption from use after free on INIT collisions · 8662a896
      Daniel Borkmann authored
      commit 600ddd68 upstream.
      
      When hitting an INIT collision case during the 4WHS with AUTH enabled, as
      already described in detail in commit 1be9a950 ("net: sctp: inherit
      auth_capable on INIT collisions"), it can happen that we occasionally
      still remotely trigger the following panic on server side which seems to
      have been uncovered after the fix from commit 1be9a950 ...
      
      [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
      [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
      [  533.940559] PGD 5030f2067 PUD 0
      [  533.957104] Oops: 0000 [#1] SMP
      [  533.974283] Modules linked in: sctp mlx4_en [...]
      [  534.939704] Call Trace:
      [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
      [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
      [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
      [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
      [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
      [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
      [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
      [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      ... or depending on the the application, for example this one:
      
      [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
      [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
      [ 1370.054568] PGD 633c94067 PUD 0
      [ 1370.070446] Oops: 0000 [#1] SMP
      [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
      [ 1370.963431] Call Trace:
      [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
      [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
      [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
      [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
      [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
      
      With slab debugging enabled, we can see that the poison has been overwritten:
      
      [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
      [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
      [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
      [  669.826424]  __slab_alloc+0x4bf/0x566
      [  669.826433]  __kmalloc+0x280/0x310
      [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
      [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
      [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
      [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
      [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
      [  669.826635]  __slab_free+0x39/0x2a8
      [  669.826643]  kfree+0x1d6/0x230
      [  669.826650]  kzfree+0x31/0x40
      [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
      [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
      [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
      
      Since this only triggers in some collision-cases with AUTH, the problem at
      heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
      when having refcnt 1, once directly in sctp_assoc_update() and yet again
      from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
      the already kzfree'd memory, which is also consistent with the observation
      of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
      at a later point in time when poison is checked on new allocation).
      
      Reference counting of auth keys revisited:
      
      Shared keys for AUTH chunks are being stored in endpoints and associations
      in endpoint_shared_keys list. On endpoint creation, a null key is being
      added; on association creation, all endpoint shared keys are being cached
      and thus cloned over to the association. struct sctp_shared_key only holds
      a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
      keeps track of users internally through refcounting. Naturally, on assoc
      or enpoint destruction, sctp_shared_key are being destroyed directly and
      the reference on sctp_auth_bytes dropped.
      
      User space can add keys to either list via setsockopt(2) through struct
      sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
      adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
      with refcount 1 and in case of replacement drops the reference on the old
      sctp_auth_bytes. A key can be set active from user space through setsockopt()
      on the id via sctp_auth_set_active_key(), which iterates through either
      endpoint_shared_keys and in case of an assoc, invokes (one of various places)
      sctp_auth_asoc_init_active_key().
      
      sctp_auth_asoc_init_active_key() computes the actual secret from local's
      and peer's random, hmac and shared key parameters and returns a new key
      directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
      the reference if there was a previous one. The secret, which where we
      eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
      intitial refcount of 1, which also stays unchanged eventually in
      sctp_assoc_update(). This key is later being used for crypto layer to
      set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
      
      To close the loop: asoc->asoc_shared_key is freshly allocated secret
      material and independant of the sctp_shared_key management keeping track
      of only shared keys in endpoints and assocs. Hence, also commit 4184b2a7
      ("net: sctp: fix memory leak in auth key management") is independant of
      this bug here since it concerns a different layer (though same structures
      being used eventually). asoc->asoc_shared_key is reference dropped correctly
      on assoc destruction in sctp_association_free() and when active keys are
      being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
      of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
      to remove that sctp_auth_key_put() from there which fixes these panics.
      
      Fixes: 730fc3d0 ("[SCTP]: Implete SCTP-AUTH parameter processing")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8662a896
    • Clemens Ladisch's avatar
      ALSA: seq-dummy: remove deadlock-causing events on close · 3df24449
      Clemens Ladisch authored
      commit 0767e95b upstream.
      
      When the last subscriber to a "Through" port has been removed, the
      subscribed destination ports might still be active, so it would be
      wrong to send "all sounds off" and "reset controller" events to them.
      The proper place for such a shutdown would be the closing of the actual
      MIDI port (and close_substream() in rawmidi.c already can do this).
      
      This also fixes a deadlock when dummy_unuse() tries to send events to
      its own port that is already locked because it is being freed.
      Reported-by: default avatarPeter Billam <peter@www.pjb.com.au>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3df24449
    • Bob Paauwe's avatar
      drm/i915: Only fence tiled region of object. · 875cf1b6
      Bob Paauwe authored
      commit af1a7301 upstream.
      
      When creating a fence for a tiled object, only fence the area that
      makes up the actual tiles.  The object may be larger than the tiled
      area and if we allow those extra addresses to be fenced, they'll
      get converted to addresses beyond where the object is mapped. This
      opens up the possiblity of writes beyond the end of object.
      
      To prevent this, we adjust the size of the fence to only encompass
      the area that makes up the actual tiles.  The extra space is considered
      un-tiled and now behaves as if it was a linear object.
      
      Testcase: igt/gem_tiled_fence_overflow
      Reported-by: default avatarDan Hettena <danh@ghs.com>
      Signed-off-by: default avatarBob Paauwe <bob.j.paauwe@intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      [bwh: Backported to 3.2:
       - Adjust context, indentation
       - Apply to both i965_write_fence_reg() and sandybridge_write_fence_reg(),
         which have been combined into one function upstream]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      875cf1b6
    • Macpaul Lin's avatar
      USB: Add OTG PET device to TPL · 4e5cc195
      Macpaul Lin authored
      commit e5dff0e8 upstream.
      
      OTG device shall support this device for allowing compliance automated testing.
      The modification is derived from Pavankumar and Vijayavardhans' previous work.
      Signed-off-by: default avatarMacpaul Lin <macpaul@gmail.com>
      Cc: Pavankumar Kondeti <pkondeti@codeaurora.org>
      Cc: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e5cc195
    • James P Michels III's avatar
      usb-core bInterval quirk · cca4d731
      James P Michels III authored
      commit cd83ce9e upstream.
      
      This patch adds a usb quirk to support devices with interupt endpoints
      and bInterval values expressed as microframes. The quirk causes the
      parse endpoint function to modify the reported bInterval to a standards
      conforming value.
      
      There is currently code in the endpoint parser that checks for
      bIntervals that are outside of the valid range (1-16 for USB 2+ high
      speed and super speed interupt endpoints). In this case, the code assumes
      the bInterval is being reported in 1ms frames. As well, the correction
      is only applied if the original bInterval value is out of the 1-16 range.
      
      With this quirk applied to the device, the bInterval will be
      accurately adjusted from microframes to an exponent.
      Signed-off-by: default avatarJames P Michels III <james.p.michels@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cca4d731
    • Dmitry Nezhevenko's avatar
      usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller · 4fe697c2
      Dmitry Nezhevenko authored
      commit bf5c4136 upstream.
      
      It looks like FUA support is broken on JMicron 152d:2566 bridge:
      
      [223159.885704] sd 7:0:0:0: [sdc] Write Protect is off
      [223159.885706] sd 7:0:0:0: [sdc] Mode Sense: 47 00 10 08
      [223159.885942] sd 7:0:0:0: [sdc] Write cache: enabled, read cache: enabled, supports DPO and FUA
      
      [223283.691677] sd 7:0:0:0: [sdc]
      [223283.691680] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [223283.691681] sd 7:0:0:0: [sdc]
      [223283.691682] Sense Key : Illegal Request [current]
      [223283.691684] sd 7:0:0:0: [sdc]
      [223283.691685] Add. Sense: Invalid field in cdb
      [223283.691686] sd 7:0:0:0: [sdc] CDB:
      [223283.691687] Write(10): 2a 08 15 d0 83 0d 00 00 01 00
      [223283.691690] blk_update_request: critical target error, dev sdc, sector 2927892584
      
      This patch adds blacklist flag so that sd will not use FUA
      Signed-off-by: default avatarDmitry Nezhevenko <dion@dion.org.ua>
      Cc: Phil Dibowitz <phil@ipom.com>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4fe697c2
    • Johannes Berg's avatar
      nl80211: fix per-station group key get/del and memory leak · eadde1b4
      Johannes Berg authored
      commit 0fa7b391 upstream.
      
      In case userspace attempts to obtain key information for or delete a
      unicast key, this is currently erroneously rejected unless the driver
      sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
      was never noticed.
      
      Fix that, and while at it fix a potential memory leak: the error path
      in the get_key() function was placed after allocating a message but
      didn't free it - move it to a better place. Luckily admin permissions
      are needed to call this operation.
      
      Fixes: e31b8213 ("cfg80211/mac80211: allow per-station GTKs")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eadde1b4
    • Andy Lutomirski's avatar
      x86, tls: Interpret an all-zero struct user_desc as "no segment" · 3175b4cb
      Andy Lutomirski authored
      commit 3669ef9f upstream.
      
      The Witcher 2 did something like this to allocate a TLS segment index:
      
              struct user_desc u_info;
              bzero(&u_info, sizeof(u_info));
              u_info.entry_number = (uint32_t)-1;
      
              syscall(SYS_set_thread_area, &u_info);
      
      Strictly speaking, this code was never correct.  It should have set
      read_exec_only and seg_not_present to 1 to indicate that it wanted
      to find a free slot without putting anything there, or it should
      have put something sensible in the TLS slot if it wanted to allocate
      a TLS entry for real.  The actual effect of this code was to
      allocate a bogus segment that could be used to exploit espfix.
      
      The set_thread_area hardening patches changed the behavior, causing
      set_thread_area to return -EINVAL and crashing the game.
      
      This changes set_thread_area to interpret this as a request to find
      a free slot and to leave it empty, which isn't *quite* what the game
      expects but should be close enough to keep it working.  In
      particular, using the code above to allocate two segments will
      allocate the same segment both times.
      
      According to FrostbittenKing on Github, this fixes The Witcher 2.
      
      If this somehow still causes problems, we could instead allocate
      a limit==0 32-bit data segment, but that seems rather ugly to me.
      
      Fixes: 41bdc785 x86/tls: Validate TLS entries to protect espfix
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: torvalds@linux-foundation.org
      Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3175b4cb
    • Jochen Hein's avatar
      Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) · 3668afd7
      Jochen Hein authored
      commit 1d90d6d5 upstream.
      
      Without this the aux port does not get detected, and consequently the touchpad
      will not work.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(SYN|i8042|serio)"
      pnp 00:03: Plug and Play ACPI device, IDs SYN1d22 PNP0f13 (active)
      i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      serio: i8042 KBD port at 0x60,0x64 irq 1
      serio: i8042 AUX port at 0x60,0x64 irq 12
      input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      psmouse serio1: synaptics: Touchpad model: 1, fw: 8.1, id: 0x1e2b1, caps: 0xd00123/0x840300/0x126800, board id: 2863, fw id: 1473085
      input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio1/input/input6
      
      dmidecode excerpt for this laptop is:
      
      Handle 0x0001, DMI type 1, 27 bytes
      System Information
              Manufacturer: Medion
              Product Name: Akoya E7225
              Version: 1.0
      Signed-off-by: default avatarJochen Hein <jochen@jochen.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3668afd7
    • Andy Lutomirski's avatar
      x86, tls, ldt: Stop checking lm in LDT_empty · f62570cb
      Andy Lutomirski authored
      commit e30ab185 upstream.
      
      32-bit programs don't have an lm bit in their ABI, so they can't
      reliably cause LDT_empty to return true without resorting to memset.
      They shouldn't need to do this.
      
      This should fix a longstanding, if minor, issue in all 64-bit kernels
      as well as a potential regression in the TLS hardening code.
      
      Fixes: 41bdc785 x86/tls: Validate TLS entries to protect espfix
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: torvalds@linux-foundation.org
      Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f62570cb
    • K. Y. Srinivasan's avatar
      x86, hyperv: Mark the Hyper-V clocksource as being continuous · cea62dbd
      K. Y. Srinivasan authored
      commit 32c6590d upstream.
      
      The Hyper-V clocksource is continuous; mark it accordingly.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Acked-by: jasowang@redhat.com
      Cc: gregkh@linuxfoundation.org
      Cc: devel@linuxdriverproject.org
      Cc: olaf@aepfle.de
      Cc: apw@canonical.com
      Link: http://lkml.kernel.org/r/1421108762-3331-1-git-send-email-kys@microsoft.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cea62dbd
    • David Jeffery's avatar
      libata: prevent HSM state change race between ISR and PIO · a06e5037
      David Jeffery authored
      commit ce751452 upstream.
      
      It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
      HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
      and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
      
      This problem is hard to reproduce making this patch hard to verify, but this
      fix will prevent the race.
      
      I have not been able to reproduce the problem, but here is a crash dump from
      a 2.6.32 kernel.
      
      On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
      
      crash> struct ata_port.hsm_task_state ffff881c1121c000
        hsm_task_state = 0
      
      Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
      which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
      
      PID: 11053  TASK: ffff8816e846cae0  CPU: 0   COMMAND: "sshd"
       #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
       #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
       #2 [ffff88008ba03a90] oops_end at ffffffff8152b510
       #3 [ffff88008ba03ac0] die at ffffffff81010e0b
       #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
       #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
       #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
          [exception RIP: ata_sff_hsm_move+317]
          RIP: ffffffff813a77ad  RSP: ffff88008ba03ca0  RFLAGS: 00010097
          RAX: 0000000000000000  RBX: ffff881c1121dc60  RCX: 0000000000000000
          RDX: ffff881c1121dd10  RSI: ffff881c1121dc60  RDI: ffff881c1121c000
          RBP: ffff88008ba03d00   R8: 0000000000000000   R9: 000000000000002e
          R10: 000000000001003f  R11: 000000000000009b  R12: ffff881c1121c000
          R13: 0000000000000000  R14: 0000000000000050  R15: ffff881c1121dd78
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
       #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
       #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
      >--- <IRQ stack> ---
          [exception RIP: pipe_poll+48]
          RIP: ffffffff81192780  RSP: ffff880f26d459b8  RFLAGS: 00000246
          RAX: 0000000000000000  RBX: ffff880f26d459c8  RCX: 0000000000000000
          RDX: 0000000000000001  RSI: 0000000000000000  RDI: ffff881a0539fa80
          RBP: ffffffff8100bb8e   R8: ffff8803b23324a0   R9: 0000000000000000
          R10: ffff880f26d45dd0  R11: 0000000000000008  R12: ffffffff8109b646
          R13: ffff880f26d45948  R14: 0000000000000246  R15: 0000000000000246
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
          RIP: 00007f26017435c3  RSP: 00007fffe020c420  RFLAGS: 00000206
          RAX: 0000000000000017  RBX: ffffffff8100b072  RCX: 00007fffe020c45c
          RDX: 00007f2604a3f120  RSI: 00007f2604a3f140  RDI: 000000000000000d
          RBP: 0000000000000000   R8: 00007fffe020e570   R9: 0101010101010101
          R10: 0000000000000000  R11: 0000000000000246  R12: 00007fffe020e5f0
          R13: 00007fffe020e5f4  R14: 00007f26045f373c  R15: 00007fffe020e5e0
          ORIG_RAX: 0000000000000017  CS: 0033  SS: 002b
      
      Somewhere between the ata_sff_hsm_move() check and the ata_sff_host_intr() check, the value changed.
      On examining the other cpus to see what else was running, another cpu was running the error handler
      routines:
      
      PID: 326    TASK: ffff881c11014aa0  CPU: 1   COMMAND: "scsi_eh_1"
       #0 [ffff88008ba27e90] crash_nmi_callback at ffffffff8102fee6
       #1 [ffff88008ba27ea0] notifier_call_chain at ffffffff8152d515
       #2 [ffff88008ba27ee0] atomic_notifier_call_chain at ffffffff8152d57a
       #3 [ffff88008ba27ef0] notify_die at ffffffff810a154e
       #4 [ffff88008ba27f20] do_nmi at ffffffff8152b1db
       #5 [ffff88008ba27f50] nmi at ffffffff8152aaa0
          [exception RIP: _spin_lock_irqsave+47]
          RIP: ffffffff8152a1ff  RSP: ffff881c11a73aa0  RFLAGS: 00000006
          RAX: 0000000000000001  RBX: ffff881c1121deb8  RCX: 0000000000000000
          RDX: 0000000000000246  RSI: 0000000000000020  RDI: ffff881c122612d8
          RBP: ffff881c11a73aa0   R8: ffff881c17083800   R9: 0000000000000000
          R10: 0000000000000000  R11: 0000000000000000  R12: ffff881c1121c000
          R13: 000000000000001f  R14: ffff881c1121dd50  R15: ffff881c1121dc60
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
      >--- <NMI exception stack> ---
       #6 [ffff881c11a73aa0] _spin_lock_irqsave at ffffffff8152a1ff
       #7 [ffff881c11a73aa8] ata_exec_internal_sg at ffffffff81396fb5
       #8 [ffff881c11a73b58] ata_exec_internal at ffffffff81397109
       #9 [ffff881c11a73bd8] atapi_eh_request_sense at ffffffff813a34eb
      
      Before it tried to acquire a spinlock, ata_exec_internal_sg() called ata_sff_flush_pio_task().
      This function will set ap->hsm_task_state to HSM_ST_IDLE, and has no locking around setting this
      value. ata_sff_flush_pio_task() can then race with the interrupt handler and potentially set
      HSM_ST_IDLE at a fatal moment, which will trigger a kernel BUG.
      
      v2: Fixup comment in ata_sff_flush_pio_task()
      
      tj: Further updated comment.  Use ap->lock instead of shost lock and
          use the [un]lock_irq variant instead of the irqsave/restore one.
      Signed-off-by: default avatarDavid Milburn <dmilburn@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a06e5037
    • Michael Karcher's avatar
      scripts/recordmcount.pl: There is no -m32 gcc option on Super-H anymore · b31512a1
      Michael Karcher authored
      commit 1caf6aaa upstream.
      
      Compiling SH with gcc-4.8 fails due to the -m32 option not being
      supported.
      
      From http://buildd.debian-ports.org/status/fetch.php?pkg=linux&arch=sh4&ver=3.16.7-ckt4-1&stamp=1421425783
      
            CC      init/main.o
          gcc-4.8: error: unrecognized command line option '-m32'
          ld: cannot find init/.tmp_mc_main.o: No such file or directory
          objcopy: 'init/.tmp_mx_main.o': No such file
          rm: cannot remove 'init/.tmp_mx_main.o': No such file or directory
          rm: cannot remove 'init/.tmp_mc_main.o': No such file or directory
      
      Link: http://lkml.kernel.org/r/1421537778-29001-1-git-send-email-kernel@mkarcher.dialup.fu-berlin.de
      Link: http://lkml.kernel.org/r/54BCBDD4.10102@physik.fu-berlin.de
      
      Cc: Matt Fleming <matt@console-pimps.org>
      Reported-by: default avatarJohn Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
      Signed-off-by: default avatarMichael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b31512a1
    • Dan Williams's avatar
      libata: allow sata_sil24 to opt-out of tag ordered submission · 4396fd99
      Dan Williams authored
      commit 72dd299d upstream.
      
      Ronny reports: https://bugzilla.kernel.org/show_bug.cgi?id=87101
          "Since commit 8a4aeec8 "libata/ahci: accommodate tag ordered
          controllers" the access to the harddisk on the first SATA-port is
          failing on its first access. The access to the harddisk on the
          second port is working normal.
      
          When reverting the above commit, access to both harddisks is working
          fine again."
      
      Maintain tag ordered submission as the default, but allow sata_sil24 to
      continue with the old behavior.
      
      Cc: Tejun Heo <tj@kernel.org>
      Reported-by: default avatarRonny Hegewald <Ronny.Hegewald@online.de>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4396fd99
    • Jason Lee Cragg's avatar
      370a4f54
    • Daniel Borkmann's avatar
      net: sctp: fix race for one-to-many sockets in sendmsg's auto associate · 560473dd
      Daniel Borkmann authored
      commit 2061dcd6 upstream.
      
      I.e. one-to-many sockets in SCTP are not required to explicitly
      call into connect(2) or sctp_connectx(2) prior to data exchange.
      Instead, they can directly invoke sendmsg(2) and the SCTP stack
      will automatically trigger connection establishment through 4WHS
      via sctp_primitive_ASSOCIATE(). However, this in its current
      implementation is racy: INIT is being sent out immediately (as
      it cannot be bundled anyway) and the rest of the DATA chunks are
      queued up for later xmit when connection is established, meaning
      sendmsg(2) will return successfully. This behaviour can result
      in an undesired side-effect that the kernel made the application
      think the data has already been transmitted, although none of it
      has actually left the machine, worst case even after close(2)'ing
      the socket.
      
      Instead, when the association from client side has been shut down
      e.g. first gracefully through SCTP_EOF and then close(2), the
      client could afterwards still receive the server's INIT_ACK due
      to a connection with higher latency. This INIT_ACK is then considered
      out of the blue and hence responded with ABORT as there was no
      alive assoc found anymore. This can be easily reproduced f.e.
      with sctp_test application from lksctp. One way to fix this race
      is to wait for the handshake to actually complete.
      
      The fix defers waiting after sctp_primitive_ASSOCIATE() and
      sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
      from sctp_sendmsg() have already been placed into the output
      queue through the side-effect interpreter, and therefore can then
      be bundeled together with COOKIE_ECHO control chunks.
      
      strace from example application (shortened):
      
      socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
      sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
                 msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
                 msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
      close(3) = 0
      
      tcpdump before patch (fooling the application):
      
      22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
      22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
      22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
      
      tcpdump after patch:
      
      14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
      14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
      14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
      14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
      14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
      14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
      14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
      14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
      14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
      14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
      14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
      
      Looks like this bug is from the pre-git history museum. ;)
      
      Fixes: 08707d54 ("lksctp-2_5_31-0_5_1.patch")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      560473dd
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio attribute-creation race · a10ff58e
      Johan Hovold authored
      commit ebbeba12 upstream.
      
      Fix attribute-creation race with userspace by using the default group
      to create also the contingent gpio device attributes.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [bwh: Backported to 3.2:
       - Adjust filenames, context
       - Use gpio_to_desc(), not gpiod_to_desc(), in gpio_is_visible()
       - gpio_is_visible() must return mode_t]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a10ff58e
    • Johan Hovold's avatar
      gpio: sysfs: fix gpio device-attribute leak · 91111b53
      Johan Hovold authored
      commit 0915e6fe upstream.
      
      The gpio device attributes were never destroyed when the gpio was
      unexported (or on export failures).
      
      Use device_create_with_groups() to create the default device attributes
      of the gpio class device. Note that this also fixes the
      attribute-creation race with userspace for these attributes.
      
      Remove contingent attributes in export error path and on unexport.
      
      Fixes: d8f388d8 ("gpio: sysfs interface")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      [bwh: Backported to 3.2: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      91111b53
    • Ming Lei's avatar
      Fix circular locking dependency (3.3-rc2) · 2465975f
      Ming Lei authored
      commit 864533ce upstream.
      
      Hi,
      
      On Wed, Feb 8, 2012 at 8:41 PM, Felipe Balbi <balbi@ti.com> wrote:
      > Hi guys,
      >
      > I have just triggered the folllowing:
      >
      > [   84.860321] ======================================================
      > [   84.860321] [ INFO: possible circular locking dependency detected ]
      > [   84.860321] 3.3.0-rc2-00026-ge4e8a39 #474 Not tainted
      > [   84.860321] -------------------------------------------------------
      > [   84.860321] bash/949 is trying to acquire lock:
      > [   84.860321]  (sysfs_lock){+.+.+.}, at: [<c0275358>] gpio_value_store+0x24/0xcc
      > [   84.860321]
      > [   84.860321] but task is already holding lock:
      > [   84.860321]  (s_active#22){++++.+}, at: [<c016996c>] sysfs_write_file+0xdc/0x184
      > [   84.911468]
      > [   84.911468] which lock already depends on the new lock.
      > [   84.911468]
      > [   84.920043]
      > [   84.920043] the existing dependency chain (in reverse order) is:
      > [   84.920043]
      > [   84.927886] -> #1 (s_active#22){++++.+}:
      > [   84.927886]        [<c008f640>] check_prevs_add+0xdc/0x150
      > [   84.927886]        [<c008fc18>] validate_chain.clone.24+0x564/0x694
      > [   84.927886]        [<c0090cdc>] __lock_acquire+0x49c/0x980
      > [   84.951660]        [<c0091838>] lock_acquire+0x98/0x100
      > [   84.951660]        [<c016a8e8>] sysfs_deactivate+0xb0/0x100
      > [   84.962982]        [<c016b1b4>] sysfs_addrm_finish+0x2c/0x6c
      > [   84.962982]        [<c016b8bc>] sysfs_remove_dir+0x84/0x98
      > [   84.962982]        [<c02590d8>] kobject_del+0x10/0x78
      > [   84.974670]        [<c02c29e8>] device_del+0x140/0x170
      > [   84.974670]        [<c02c2a24>] device_unregister+0xc/0x18
      > [   84.985382]        [<c0276894>] gpio_unexport+0xbc/0xdc
      > [   84.985382]        [<c02768c8>] gpio_free+0x14/0xfc
      > [   85.001708]        [<c0276a28>] unexport_store+0x78/0x8c
      > [   85.001708]        [<c02c5af8>] class_attr_store+0x18/0x24
      > [   85.007293]        [<c0169990>] sysfs_write_file+0x100/0x184
      > [   85.018981]        [<c0109d48>] vfs_write+0xb4/0x148
      > [   85.018981]        [<c0109fd0>] sys_write+0x40/0x70
      > [   85.018981]        [<c0013cc0>] ret_fast_syscall+0x0/0x3c
      > [   85.035003]
      > [   85.035003] -> #0 (sysfs_lock){+.+.+.}:
      > [   85.035003]        [<c008f54c>] check_prev_add+0x680/0x698
      > [   85.035003]        [<c008f640>] check_prevs_add+0xdc/0x150
      > [   85.052093]        [<c008fc18>] validate_chain.clone.24+0x564/0x694
      > [   85.052093]        [<c0090cdc>] __lock_acquire+0x49c/0x980
      > [   85.052093]        [<c0091838>] lock_acquire+0x98/0x100
      > [   85.069885]        [<c047e280>] mutex_lock_nested+0x3c/0x2f4
      > [   85.069885]        [<c0275358>] gpio_value_store+0x24/0xcc
      > [   85.069885]        [<c02c18dc>] dev_attr_store+0x18/0x24
      > [   85.087158]        [<c0169990>] sysfs_write_file+0x100/0x184
      > [   85.087158]        [<c0109d48>] vfs_write+0xb4/0x148
      > [   85.098297]        [<c0109fd0>] sys_write+0x40/0x70
      > [   85.098297]        [<c0013cc0>] ret_fast_syscall+0x0/0x3c
      > [   85.109069]
      > [   85.109069] other info that might help us debug this:
      > [   85.109069]
      > [   85.117462]  Possible unsafe locking scenario:
      > [   85.117462]
      > [   85.117462]        CPU0                    CPU1
      > [   85.128417]        ----                    ----
      > [   85.128417]   lock(s_active#22);
      > [   85.128417]                                lock(sysfs_lock);
      > [   85.128417]                                lock(s_active#22);
      > [   85.142486]   lock(sysfs_lock);
      > [   85.151794]
      > [   85.151794]  *** DEADLOCK ***
      > [   85.151794]
      > [   85.151794] 2 locks held by bash/949:
      > [   85.158020]  #0:  (&buffer->mutex){+.+.+.}, at: [<c01698b8>] sysfs_write_file+0x28/0x184
      > [   85.170349]  #1:  (s_active#22){++++.+}, at: [<c016996c>] sysfs_write_file+0xdc/0x184
      > [   85.170349]
      > [   85.178588] stack backtrace:
      > [   85.178588] [<c001b824>] (unwind_backtrace+0x0/0xf0) from [<c008de64>] (print_circular_bug+0x100/0x114)
      > [   85.193023] [<c008de64>] (print_circular_bug+0x100/0x114) from [<c008f54c>] (check_prev_add+0x680/0x698)
      > [   85.193023] [<c008f54c>] (check_prev_add+0x680/0x698) from [<c008f640>] (check_prevs_add+0xdc/0x150)
      > [   85.212524] [<c008f640>] (check_prevs_add+0xdc/0x150) from [<c008fc18>] (validate_chain.clone.24+0x564/0x694)
      > [   85.212524] [<c008fc18>] (validate_chain.clone.24+0x564/0x694) from [<c0090cdc>] (__lock_acquire+0x49c/0x980)
      > [   85.233306] [<c0090cdc>] (__lock_acquire+0x49c/0x980) from [<c0091838>] (lock_acquire+0x98/0x100)
      > [   85.233306] [<c0091838>] (lock_acquire+0x98/0x100) from [<c047e280>] (mutex_lock_nested+0x3c/0x2f4)
      > [   85.242614] [<c047e280>] (mutex_lock_nested+0x3c/0x2f4) from [<c0275358>] (gpio_value_store+0x24/0xcc)
      > [   85.261840] [<c0275358>] (gpio_value_store+0x24/0xcc) from [<c02c18dc>] (dev_attr_store+0x18/0x24)
      > [   85.261840] [<c02c18dc>] (dev_attr_store+0x18/0x24) from [<c0169990>] (sysfs_write_file+0x100/0x184)
      > [   85.271240] [<c0169990>] (sysfs_write_file+0x100/0x184) from [<c0109d48>] (vfs_write+0xb4/0x148)
      > [   85.290008] [<c0109d48>] (vfs_write+0xb4/0x148) from [<c0109fd0>] (sys_write+0x40/0x70)
      > [   85.298400] [<c0109fd0>] (sys_write+0x40/0x70) from [<c0013cc0>] (ret_fast_syscall+0x0/0x3c)
      > -bash: echo: write error: Operation not permitted
      >
      > the way to trigger is:
      >
      > root@legolas:~# cd /sys/class/gpio/
      > root@legolas:/sys/class/gpio# echo 2 > export
      > root@legolas:/sys/class/gpio# echo 2 > unexport
      > root@legolas:/sys/class/gpio# echo 2 > export
      > root@legolas:/sys/class/gpio# cd gpio2/
      > root@legolas:/sys/class/gpio/gpio2# echo 1 > value
      
      Looks 'sysfs_lock' needn't to be held for unregister, so the patch below may
      fix the problem.
      Acked-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGrant Likely <grant.likely@secretlab.ca>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2465975f