--- /dev/null
+From 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <christof.schmitt@de.ibm.com>
+Date: Wed, 6 Oct 2010 13:19:44 +0200
+Subject: [SCSI] Fix race when removing SCSI devices
+
+From: Christof Schmitt <christof.schmitt@de.ibm.com>
+
+commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream.
+
+Removing SCSI devices through
+echo 1 > /sys/bus/scsi/devices/ ... /delete
+
+while the FC transport class removes the SCSI target can lead to an
+oops:
+
+Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
+Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan]
+CPU: 1 Not tainted 2.6.35.5-45.x.20100924-s390xdefault #1
+Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0)
+Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
+Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0
+ 00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80
+ ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0
+ 00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8
+Krnl Code: 00000000003ff6d6: a7840001 brc 8,3ff6d8
+ 00000000003ff6da: a7fbffd8 aghi %r15,-40
+ 00000000003ff6de: e3e0f0980024 stg %r14,152(%r15)
+ >00000000003ff6e4: e31021200004 lg %r1,288(%r2)
+ 00000000003ff6ea: a71f0000 cghi %r1,0
+ 00000000003ff6ee: a7a40011 brc 10,3ff710
+ 00000000003ff6f2: a7390003 lghi %r3,3
+ 00000000003ff6f6: c0e5ffffc8b1 brasl %r14,3f8858
+Call Trace:
+([<0000000000001000>] 0x1000)
+ [<00000000003ff7d2>] scsi_remove_device+0x42/0x54
+ [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc
+ [<00000000003ff99a>] __remove_child+0x3a/0x48
+ [<00000000003e3246>] device_for_each_child+0x72/0xbc
+ [<00000000003ff93a>] scsi_remove_target+0x4e/0x74
+ [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c
+ [<000000000015d080>] worker_thread+0x200/0x344
+ [<000000000016330c>] kthread+0xa0/0xa8
+ [<0000000000106c1a>] kernel_thread_starter+0x6/0xc
+ [<0000000000106c14>] kernel_thread_starter+0x0/0xc
+INFO: lockdep is turned off.
+Last Breaking-Event-Address:
+ [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54
+
+The function __scsi_remove_target iterates through the SCSI devices on
+the host, but it drops the host_lock before calling
+scsi_remove_device. When the SCSI device is deleted from another
+thread, the pointer to the SCSI device in scsi_remove_device can
+become invalid. Fix this by getting a reference to the SCSI device
+before dropping the host_lock to keep the SCSI device alive for the
+call to scsi_remove_device.
+
+Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_sysfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -962,10 +962,11 @@ static void __scsi_remove_target(struct
+ list_for_each_entry(sdev, &shost->__devices, siblings) {
+ if (sdev->channel != starget->channel ||
+ sdev->id != starget->id ||
+- sdev->sdev_state == SDEV_DEL)
++ scsi_device_get(sdev))
+ continue;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+ scsi_remove_device(sdev);
++ scsi_device_put(sdev);
+ spin_lock_irqsave(shost->host_lock, flags);
+ goto restart;
+ }
--- /dev/null
+From 986fe6c7f50974e871b8ab5a800f5310ea25b361 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michaelc@cs.wisc.edu>
+Date: Wed, 6 Oct 2010 03:10:59 -0500
+Subject: [SCSI] Fix regressions in scsi_internal_device_block
+
+From: Mike Christie <michaelc@cs.wisc.edu>
+
+commit 986fe6c7f50974e871b8ab5a800f5310ea25b361 upstream.
+
+Deleting a SCSI device on a blocked fc_remote_port (before
+fast_io_fail_tmo fires) results in a hanging thread:
+
+ STACK:
+ 0 schedule+1108 [0x5cac48]
+ 1 schedule_timeout+528 [0x5cb7fc]
+ 2 wait_for_common+266 [0x5ca6be]
+ 3 blk_execute_rq+160 [0x354054]
+ 4 scsi_execute+324 [0x3b7ef4]
+ 5 scsi_execute_req+162 [0x3b80ca]
+ 6 sd_sync_cache+138 [0x3cf662]
+ 7 sd_shutdown+138 [0x3cf91a]
+ 8 sd_remove+112 [0x3cfe4c]
+ 9 __device_release_driver+124 [0x3a08b8]
+10 device_release_driver+60 [0x3a0a5c]
+11 bus_remove_device+266 [0x39fa76]
+12 device_del+340 [0x39d818]
+13 __scsi_remove_device+204 [0x3bcc48]
+14 scsi_remove_device+66 [0x3bcc8e]
+15 sysfs_schedule_callback_work+50 [0x260d66]
+16 worker_thread+622 [0x162326]
+17 kthread+160 [0x1680b0]
+18 kernel_thread_starter+6 [0x10aaea]
+
+During the delete, the SCSI device is in moved to SDEV_CANCEL. When
+the FC transport class later calls scsi_target_unblock, this has no
+effect, since scsi_internal_device_unblock ignores SCSI devics in this
+state.
+
+It looks like all these are regressions caused by:
+5c10e63c943b4c67561ddc6bf61e01d4141f881f
+[SCSI] limit state transitions in scsi_internal_device_unblock
+
+Fix by rejecting offline and cancel in the state transition.
+
+Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
+[jejb: Original patch by Christof Schmitt, modified by Mike Christie]
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2428,7 +2428,8 @@ scsi_internal_device_unblock(struct scsi
+ sdev->sdev_state = SDEV_RUNNING;
+ else if (sdev->sdev_state == SDEV_CREATED_BLOCK)
+ sdev->sdev_state = SDEV_CREATED;
+- else
++ else if (sdev->sdev_state != SDEV_CANCEL &&
++ sdev->sdev_state != SDEV_OFFLINE)
+ return -EINVAL;
+
+ spin_lock_irqsave(q->queue_lock, flags);
--- /dev/null
+From 568a810d7edd58bd505222dd1c7e48895532290b Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Thu, 28 Oct 2010 08:17:54 -0400
+Subject: Fixed Regression in NFS Direct I/O path
+
+From: Steve Dickson <steved@redhat.com>
+
+commit 568a810d7edd58bd505222dd1c7e48895532290b upstream.
+
+A typo, introduced by commit f11ac8db, in the nfs_direct_write()
+routine causes writes with O_DIRECT set to fail with a ENOMEM error.
+
+Found-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/direct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -873,7 +873,7 @@ static ssize_t nfs_direct_write(struct k
+ dreq->inode = inode;
+ dreq->ctx = get_nfs_open_context(nfs_file_open_context(iocb->ki_filp));
+ dreq->l_ctx = nfs_get_lock_context(dreq->ctx);
+- if (dreq->l_ctx != NULL)
++ if (dreq->l_ctx == NULL)
+ goto out_release;
+ if (!is_sync_kiocb(iocb))
+ dreq->iocb = iocb;
--- /dev/null
+From f63ae56e4e97fb12053590e41a4fa59e7daa74a4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Fri, 8 Oct 2010 09:03:07 +0200
+Subject: [SCSI] gdth: integer overflow in ioctl
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.
+
+gdth_ioctl_alloc() takes the size variable as an int.
+copy_from_user() takes the size variable as an unsigned long.
+gen.data_len and gen.sense_len are unsigned longs.
+On x86_64 longs are 64 bit and ints are 32 bit.
+
+We could pass in a very large number and the allocation would truncate
+the size to 32 bits and allocate a small buffer. Then when we do the
+copy_from_user(), it would result in a memory corruption.
+
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/gdth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/scsi/gdth.c
++++ b/drivers/scsi/gdth.c
+@@ -4175,6 +4175,14 @@ static int ioc_general(void __user *arg,
+ ha = gdth_find_ha(gen.ionode);
+ if (!ha)
+ return -EFAULT;
++
++ if (gen.data_len > INT_MAX)
++ return -EINVAL;
++ if (gen.sense_len > INT_MAX)
++ return -EINVAL;
++ if (gen.data_len + gen.sense_len > INT_MAX)
++ return -EINVAL;
++
+ if (gen.data_len + gen.sense_len != 0) {
+ if (!(buf = gdth_ioctl_alloc(ha, gen.data_len + gen.sense_len,
+ FALSE, &paddr)))
--- /dev/null
+From f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 Mon Sep 17 00:00:00 2001
+From: David Milburn <dmilburn@redhat.com>
+Date: Fri, 3 Sep 2010 17:13:03 -0500
+Subject: [SCSI] libsas: fix NCQ mixing with non-NCQ
+
+From: David Milburn <dmilburn@redhat.com>
+
+commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream.
+
+Some cards (like mvsas) have issue troubles if non-NCQ commands are
+mixed with NCQ ones. Fix this by using the libata default NCQ check
+routine which waits until all NCQ commands are complete before issuing
+a non-NCQ one. The impact to cards (like aic94xx) which don't need
+this logic should be minimal
+
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/libsas/sas_ata.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -347,6 +347,7 @@ static int sas_ata_scr_read(struct ata_l
+ static struct ata_port_operations sas_sata_ops = {
+ .phy_reset = sas_ata_phy_reset,
+ .post_internal_cmd = sas_ata_post_internal,
++ .qc_defer = ata_std_qc_defer,
+ .qc_prep = ata_noop_qc_prep,
+ .qc_issue = sas_ata_qc_issue,
+ .qc_fill_rtf = sas_ata_qc_fill_rtf,
--- /dev/null
+From df30e5059681ed0671c9cc6ff702fe9ca7f20042 Mon Sep 17 00:00:00 2001
+From: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
+Date: Mon, 25 Oct 2010 15:41:54 -0700
+Subject: [SCSI] pmcraid: remove duplicate struct member
+
+From: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
+
+commit df30e5059681ed0671c9cc6ff702fe9ca7f20042 upstream.
+
+sense_buffer is both a direct member of struct pmcraid_cmd as well as
+an indirect one via an anonymous union and struct. Fix this clash by
+eliminating the direct member in favour of the anonymous struct/union
+one. The name duplication apparently isn't noticed by gcc versions
+earlier than 4.4
+
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/pmcraid.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/pmcraid.h
++++ b/drivers/scsi/pmcraid.h
+@@ -568,7 +568,6 @@ struct pmcraid_cmd {
+ struct pmcraid_control_block *ioa_cb;
+ dma_addr_t ioa_cb_bus_addr;
+ dma_addr_t dma_handle;
+- u8 *sense_buffer;
+
+ /* pointer to mid layer structure of SCSI commands */
+ struct scsi_cmnd *scsi_cmd;
--- /dev/null
+From a6751ccb9ba85180c84135cc921eea11d83d5689 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Tue, 14 Sep 2010 14:12:54 +0200
+Subject: [SCSI] qla4xxx: fix build on PPC
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit a6751ccb9ba85180c84135cc921eea11d83d5689 upstream.
+
+We use read/write[bslq] but do not include linux/io.h. This causes
+build failures on PPC. Include that file.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Vikas Chaudhary <vikas.chaudhary@qlogic.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/qla4xxx/ql4_nx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla4xxx/ql4_nx.c
++++ b/drivers/scsi/qla4xxx/ql4_nx.c
+@@ -5,6 +5,7 @@
+ * See LICENSE.qla4xxx for copyright and licensing details.
+ */
+ #include <linux/delay.h>
++#include <linux/io.h>
+ #include <linux/pci.h>
+ #include "ql4_def.h"
+ #include "ql4_glbl.h"
--- /dev/null
+From 1a03ae0f556a931aa3747b70e44b78308f5b0590 Mon Sep 17 00:00:00 2001
+From: Michael Reed <mdr@sgi.com>
+Date: Mon, 20 Sep 2010 11:20:22 -0500
+Subject: [SCSI] sd name space exhaustion causes system hang
+
+From: Michael Reed <mdr@sgi.com>
+
+commit 1a03ae0f556a931aa3747b70e44b78308f5b0590 upstream.
+
+Following a site power outage which re-enabled all the ports on my FC
+switches, my system subsequently booted with far too many luns! I had
+let it run hoping it would make multi-user. It didn't. :( It hung solid
+after exhausting the last sd device, sdzzz, and attempting to create sdaaaa
+and beyond. I was unable to get a dump.
+
+Discovered using a 2.6.32.13 based system.
+
+correct this by detecting when the last index is utilized and failing
+the sd probe of the device. Patch applies to scsi-misc-2.6.
+
+Signed-off-by: Michael Reed <mdr@sgi.com>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/sd.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2252,11 +2252,10 @@ static void sd_probe_async(void *data, a
+ index = sdkp->index;
+ dev = &sdp->sdev_gendev;
+
+- if (index < SD_MAX_DISKS) {
+- gd->major = sd_major((index & 0xf0) >> 4);
+- gd->first_minor = ((index & 0xf) << 4) | (index & 0xfff00);
+- gd->minors = SD_MINORS;
+- }
++ gd->major = sd_major((index & 0xf0) >> 4);
++ gd->first_minor = ((index & 0xf) << 4) | (index & 0xfff00);
++ gd->minors = SD_MINORS;
++
+ gd->fops = &sd_fops;
+ gd->private_data = &sdkp->driver;
+ gd->queue = sdkp->device->request_queue;
+@@ -2346,6 +2345,12 @@ static int sd_probe(struct device *dev)
+ if (error)
+ goto out_put;
+
++ if (index >= SD_MAX_DISKS) {
++ error = -ENODEV;
++ sdev_printk(KERN_WARNING, sdp, "SCSI disk (sd) name space exhausted.\n");
++ goto out_free_index;
++ }
++
+ error = sd_format_disk_name("sd", index, gd->disk_name, DISK_NAME_LEN);
+ if (error)
+ goto out_free_index;
usb-accept-some-invalid-ep0-maxpacket-values.patch
ohci-work-around-for-nvidia-shutdown-problem.patch
asus-laptop-fix-gps-rfkill.patch
+sd-name-space-exhaustion-causes-system-hang.patch
+libsas-fix-ncq-mixing-with-non-ncq.patch
+qla4xxx-fix-build-on-ppc.patch
+pmcraid-remove-duplicate-struct-member.patch
+gdth-integer-overflow-in-ioctl.patch
+fix-race-when-removing-scsi-devices.patch
+fix-regressions-in-scsi_internal_device_block.patch
+fixed-regression-in-nfs-direct-i-o-path.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
