3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Dec 2014 23:56:46 +0000 (15:56 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Dec 2014 23:56:46 +0000 (15:56 -0800)
added patches:
arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch
arm-8222-1-mvebu-enable-strex-backoff-delay.patch
bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch
can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch
input-xpad-use-proper-endpoint-type.patch
iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch
nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch
nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch
rt2x00-do-not-align-payload-on-modern-h-w.patch
spi-dw-fix-dynamic-speed-change.patch
srp-target-retry-when-qp-creation-fails-with-enomem.patch
target-don-t-call-tfo-write_pending-if-data_length-0.patch

13 files changed:
queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch [new file with mode: 0644]
queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch [new file with mode: 0644]
queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch [new file with mode: 0644]
queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch [new file with mode: 0644]
queue-3.10/input-xpad-use-proper-endpoint-type.patch [new file with mode: 0644]
queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch [new file with mode: 0644]
queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch [new file with mode: 0644]
queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch [new file with mode: 0644]
queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/spi-dw-fix-dynamic-speed-change.patch [new file with mode: 0644]
queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch [new file with mode: 0644]
queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch [new file with mode: 0644]

diff --git a/queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch b/queue-3.10/arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch
new file mode 100644 (file)
index 0000000..bbb9804
--- /dev/null
@@ -0,0 +1,51 @@
+From ef59a20ba375aeb97b3150a118318884743452a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Fri, 21 Nov 2014 15:29:00 +0100
+Subject: ARM: 8216/1: xscale: correct auxiliary register in suspend/resume
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit ef59a20ba375aeb97b3150a118318884743452a8 upstream.
+
+According to the manuals I have, XScale auxiliary register should be
+reached with opc_2 = 1 instead of crn = 1. cpu_xscale_proc_init
+correctly uses c1, c0, 1 arguments, but cpu_xscale_do_suspend and
+cpu_xscale_do_resume use c1, c1, 0. Correct suspend/resume functions to
+also use c1, c0, 1.
+
+The issue was primarily noticed thanks to qemu reporing "unsupported
+instruction" on the pxa suspend path. Confirmed in PXA210/250 and PXA255
+XScale Core manuals and in PXA270 and PXA320 Developers Guides.
+
+Harware tested by me on tosa (pxa255). Robert confirmed on pxa270 board.
+
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/proc-xscale.S |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/proc-xscale.S
++++ b/arch/arm/mm/proc-xscale.S
+@@ -535,7 +535,7 @@ ENTRY(cpu_xscale_do_suspend)
+       mrc     p15, 0, r5, c15, c1, 0  @ CP access reg
+       mrc     p15, 0, r6, c13, c0, 0  @ PID
+       mrc     p15, 0, r7, c3, c0, 0   @ domain ID
+-      mrc     p15, 0, r8, c1, c1, 0   @ auxiliary control reg
++      mrc     p15, 0, r8, c1, c0, 1   @ auxiliary control reg
+       mrc     p15, 0, r9, c1, c0, 0   @ control reg
+       bic     r4, r4, #2              @ clear frequency change bit
+       stmia   r0, {r4 - r9}           @ store cp regs
+@@ -552,7 +552,7 @@ ENTRY(cpu_xscale_do_resume)
+       mcr     p15, 0, r6, c13, c0, 0  @ PID
+       mcr     p15, 0, r7, c3, c0, 0   @ domain ID
+       mcr     p15, 0, r1, c2, c0, 0   @ translation table base addr
+-      mcr     p15, 0, r8, c1, c1, 0   @ auxiliary control reg
++      mcr     p15, 0, r8, c1, c0, 1   @ auxiliary control reg
+       mov     r0, r9                  @ control register
+       b       cpu_resume_mmu
+ ENDPROC(cpu_xscale_do_resume)
diff --git a/queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch b/queue-3.10/arm-8222-1-mvebu-enable-strex-backoff-delay.patch
new file mode 100644 (file)
index 0000000..dfac329
--- /dev/null
@@ -0,0 +1,55 @@
+From 995ab5189d1d7264e79e665dfa032a19b3ac646e Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 25 Nov 2014 18:43:15 +0100
+Subject: ARM: 8222/1: mvebu: enable strex backoff delay
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit 995ab5189d1d7264e79e665dfa032a19b3ac646e upstream.
+
+Under extremely rare conditions, in an MPCore node consisting of at
+least 3 CPUs, two CPUs trying to perform a STREX to data on the same
+shared cache line can enter a livelock situation.
+
+This patch enables the HW mechanism that overcomes the bug. This fixes
+the incorrect setup of the STREX backoff delay bit due to a wrong
+description in the specification.
+
+Note that enabling the STREX backoff delay mechanism is done by
+leaving the bit *cleared*, while the bit was currently being set by
+the proc-v7.S code.
+
+[Thomas: adapt to latest mainline, slightly reword the commit log, add
+stable markers.]
+
+Fixes: de4901933f6d ("arm: mm: Add support for PJ4B cpu and init routines")
+
+Signed-off-by: Nadav Haklai <nadavh@marvell.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Acked-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/proc-v7.S |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/arm/mm/proc-v7.S
++++ b/arch/arm/mm/proc-v7.S
+@@ -201,7 +201,6 @@ __v7_pj4b_setup:
+ /* Auxiliary Debug Modes Control 1 Register */
+ #define PJ4B_STATIC_BP (1 << 2) /* Enable Static BP */
+ #define PJ4B_INTER_PARITY (1 << 8) /* Disable Internal Parity Handling */
+-#define PJ4B_BCK_OFF_STREX (1 << 5) /* Enable the back off of STREX instr */
+ #define PJ4B_CLEAN_LINE (1 << 16) /* Disable data transfer for clean line */
+ /* Auxiliary Debug Modes Control 2 Register */
+@@ -224,7 +223,6 @@ __v7_pj4b_setup:
+       /* Auxiliary Debug Modes Control 1 Register */
+       mrc     p15, 1, r0, c15, c1, 1
+       orr     r0, r0, #PJ4B_CLEAN_LINE
+-      orr     r0, r0, #PJ4B_BCK_OFF_STREX
+       orr     r0, r0, #PJ4B_INTER_PARITY
+       bic     r0, r0, #PJ4B_STATIC_BP
+       mcr     p15, 1, r0, c15, c1, 1
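Review bot: In the embedded proc-v7.S hunk for `__v7_pj4b_setup`, dropping the `orr` leaves bit 5 of Auxiliary Debug Modes Control 1 at whatever value the read-modify-write picked up, so the backoff is only enabled if nothing earlier (reset value, boot firmware) set the bit. Since the commit text says the mechanism is on when the bit is *cleared*, keeping the define and clearing it explicitly would make that a guarantee: `bic r0, r0, #PJ4B_BCK_OFF_STREX`, with the macro comment reworded to say that a set bit disables the backoff. The setup routine starts and continues outside the hunk, so an earlier write to this register cannot be ruled out from here.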
diff --git a/queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch b/queue-3.10/bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch
new file mode 100644 (file)
index 0000000..83d9046
--- /dev/null
@@ -0,0 +1,72 @@
+From 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Thu, 20 Nov 2014 11:17:33 +0100
+Subject: bnx2fc: do not add shared skbs to the fcoe_rx_list
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+commit 01a4cc4d0cd6a836c7b923760e8eb1cbb6a47258 upstream.
+
+In some cases, the fcoe_rx_list may contains multiple instances
+of the same skb (the so called "shared skbs").
+
+the bnx2fc_l2_rcv thread is a loop that extracts a skb from the list,
+modifies (and destroys) its content and then proceed to the next one.
+The problem is that if the skb is shared, the remaining instances will
+be corrupted.
+
+The solution is to use skb_share_check() before adding the skb to the
+fcoe_rx_list.
+
+[ 6286.808725] ------------[ cut here ]------------
+[ 6286.808729] WARNING: at include/scsi/fc_frame.h:173 bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]()
+[ 6286.808748] Modules linked in: bnx2x(-) mdio dm_service_time bnx2fc cnic uio fcoe libfcoe 8021q garp stp mrp libfc llc scsi_transport_fc scsi_tgt sg iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel e1000e ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ptp cryptd hpilo serio_raw hpwdt lpc_ich pps_core ipmi_si pcspkr mfd_core ipmi_msghandler shpchp pcc_cpufreq mperf nfsd auth_rpcgss nfs_acl lockd sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit ata_piix drm_kms_helper ttm drm libata i2c_core hpsa dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mdio]
+[ 6286.808750] CPU: 3 PID: 1304 Comm: bnx2fc_l2_threa Not tainted 3.10.0-121.el7.x86_64 #1
+[ 6286.808750] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
+[ 6286.808752]  0000000000000000 000000000b36e715 ffff8800deba1e00 ffffffff815ec0ba
+[ 6286.808753]  ffff8800deba1e38 ffffffff8105dee1 ffffffffa05618c0 ffff8801e4c81888
+[ 6286.808754]  ffffe8ffff663868 ffff8801f402b180 ffff8801f56bc000 ffff8800deba1e48
+[ 6286.808754] Call Trace:
+[ 6286.808759]  [<ffffffff815ec0ba>] dump_stack+0x19/0x1b
+[ 6286.808762]  [<ffffffff8105dee1>] warn_slowpath_common+0x61/0x80
+[ 6286.808763]  [<ffffffff8105e00a>] warn_slowpath_null+0x1a/0x20
+[ 6286.808765]  [<ffffffffa054f415>] bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]
+[ 6286.808767]  [<ffffffffa054eff0>] ? bnx2fc_disable+0x90/0x90 [bnx2fc]
+[ 6286.808769]  [<ffffffff81085aef>] kthread+0xcf/0xe0
+[ 6286.808770]  [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
+[ 6286.808772]  [<ffffffff815fc76c>] ret_from_fork+0x7c/0xb0
+[ 6286.808773]  [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
+[ 6286.808774] ---[ end trace c6cdb939184ccb4e ]---
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Acked-by: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -411,6 +411,7 @@ static int bnx2fc_rcv(struct sk_buff *sk
+       struct fc_frame_header *fh;
+       struct fcoe_rcv_info *fr;
+       struct fcoe_percpu_s *bg;
++      struct sk_buff *tmp_skb;
+       unsigned short oxid;
+       interface = container_of(ptype, struct bnx2fc_interface,
+@@ -423,6 +424,12 @@ static int bnx2fc_rcv(struct sk_buff *sk
+               goto err;
+       }
++      tmp_skb = skb_share_check(skb, GFP_ATOMIC);
++      if (!tmp_skb)
++              goto err;
++
++      skb = tmp_skb;
++
+       if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
+               printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
+               goto err;
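Review bot: The new `if (!tmp_skb) goto err;` in `bnx2fc_rcv()` looks like a double release of the skb: when `skb_share_check()` fails to clone, it has already dropped the caller's reference on the original, and `skb` still points at that buffer when control reaches `err`. The `err` label is outside the hunk, but the other `goto err` paths suggest it frees `skb`; if so, this is a double free reachable from the receive path under memory pressure. Returning directly avoids it: `if (!tmp_skb) return -1;` (or whatever value the `err` path returns).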
diff --git a/queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch b/queue-3.10/can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch
new file mode 100644 (file)
index 0000000..6728a21
--- /dev/null
@@ -0,0 +1,72 @@
+From 5247a589c24022ab34e780039cc8000c48f2035e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20K=C3=B6rper?= <thomas.koerper@esd.eu>
+Date: Fri, 31 Oct 2014 07:33:54 +0100
+Subject: can: dev: avoid calling kfree_skb() from interrupt context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Thomas=20K=C3=B6rper?= <thomas.koerper@esd.eu>
+
+commit 5247a589c24022ab34e780039cc8000c48f2035e upstream.
+
+ikfree_skb() is Called in can_free_echo_skb(), which might be called from (TX
+Error) interrupt, which triggers the folloing warning:
+
+[ 1153.360705] ------------[ cut here ]------------
+[ 1153.360715] WARNING: CPU: 0 PID: 31 at net/core/skbuff.c:563 skb_release_head_state+0xb9/0xd0()
+[ 1153.360772] Call Trace:
+[ 1153.360778]  [<c167906f>] dump_stack+0x41/0x52
+[ 1153.360782]  [<c105bb7e>] warn_slowpath_common+0x7e/0xa0
+[ 1153.360784]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
+[ 1153.360786]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
+[ 1153.360788]  [<c105bc42>] warn_slowpath_null+0x22/0x30
+[ 1153.360791]  [<c158b909>] skb_release_head_state+0xb9/0xd0
+[ 1153.360793]  [<c158be90>] skb_release_all+0x10/0x30
+[ 1153.360795]  [<c158bf06>] kfree_skb+0x36/0x80
+[ 1153.360799]  [<f8486938>] ? can_free_echo_skb+0x28/0x40 [can_dev]
+[ 1153.360802]  [<f8486938>] can_free_echo_skb+0x28/0x40 [can_dev]
+[ 1153.360805]  [<f849a12c>] esd_pci402_interrupt+0x34c/0x57a [esd402]
+[ 1153.360809]  [<c10a75b5>] handle_irq_event_percpu+0x35/0x180
+[ 1153.360811]  [<c10a7623>] ? handle_irq_event_percpu+0xa3/0x180
+[ 1153.360813]  [<c10a7731>] handle_irq_event+0x31/0x50
+[ 1153.360816]  [<c10a9c7f>] handle_fasteoi_irq+0x6f/0x120
+[ 1153.360818]  [<c10a9c10>] ? handle_edge_irq+0x110/0x110
+[ 1153.360822]  [<c1011b61>] handle_irq+0x71/0x90
+[ 1153.360823]  <IRQ>  [<c168152c>] do_IRQ+0x3c/0xd0
+[ 1153.360829]  [<c1680b6c>] common_interrupt+0x2c/0x34
+[ 1153.360834]  [<c107d277>] ? finish_task_switch+0x47/0xf0
+[ 1153.360836]  [<c167c27b>] __schedule+0x35b/0x7e0
+[ 1153.360839]  [<c10a5334>] ? console_unlock+0x2c4/0x4d0
+[ 1153.360842]  [<c13df500>] ? n_tty_receive_buf_common+0x890/0x890
+[ 1153.360845]  [<c10707b6>] ? process_one_work+0x196/0x370
+[ 1153.360847]  [<c167c723>] schedule+0x23/0x60
+[ 1153.360849]  [<c1070de1>] worker_thread+0x161/0x460
+[ 1153.360852]  [<c1090fcf>] ? __wake_up_locked+0x1f/0x30
+[ 1153.360854]  [<c1070c80>] ? rescuer_thread+0x2f0/0x2f0
+[ 1153.360856]  [<c1074f01>] kthread+0xa1/0xc0
+[ 1153.360859]  [<c1680401>] ret_from_kernel_thread+0x21/0x30
+[ 1153.360861]  [<c1074e60>] ? kthread_create_on_node+0x110/0x110
+[ 1153.360863] ---[ end trace 5ff83639cbb74b35 ]---
+
+This patch replaces the kfree_skb() by dev_kfree_skb_any().
+
+Signed-off-by: Thomas Körper <thomas.koerper@esd.eu>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -385,7 +385,7 @@ void can_free_echo_skb(struct net_device
+       BUG_ON(idx >= priv->echo_skb_max);
+       if (priv->echo_skb[idx]) {
+-              kfree_skb(priv->echo_skb[idx]);
++              dev_kfree_skb_any(priv->echo_skb[idx]);
+               priv->echo_skb[idx] = NULL;
+       }
+ }
diff --git a/queue-3.10/input-xpad-use-proper-endpoint-type.patch b/queue-3.10/input-xpad-use-proper-endpoint-type.patch
new file mode 100644 (file)
index 0000000..68d1044
--- /dev/null
@@ -0,0 +1,50 @@
+From a1f9a4072655843fc03186acbad65990cc05dd2d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 25 Nov 2014 00:38:17 -0800
+Subject: Input: xpad - use proper endpoint type
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit a1f9a4072655843fc03186acbad65990cc05dd2d upstream.
+
+The xpad wireless endpoint is not a bulk endpoint on my devices, but
+rather an interrupt one, so the USB core complains when it is submitted.
+I'm guessing that the author really did mean that this should be an
+interrupt urb, but as there are a zillion different xpad devices out
+there, let's cover out bases and handle both bulk and interrupt
+endpoints just as easily.
+
+Signed-off-by: "Pierre-Loup A. Griffais" <pgriffais@valvesoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1002,9 +1002,19 @@ static int xpad_probe(struct usb_interfa
+               }
+               ep_irq_in = &intf->cur_altsetting->endpoint[1].desc;
+-              usb_fill_bulk_urb(xpad->bulk_out, udev,
+-                              usb_sndbulkpipe(udev, ep_irq_in->bEndpointAddress),
+-                              xpad->bdata, XPAD_PKT_LEN, xpad_bulk_out, xpad);
++              if (usb_endpoint_is_bulk_out(ep_irq_in)) {
++                      usb_fill_bulk_urb(xpad->bulk_out, udev,
++                                        usb_sndbulkpipe(udev,
++                                                        ep_irq_in->bEndpointAddress),
++                                        xpad->bdata, XPAD_PKT_LEN,
++                                        xpad_bulk_out, xpad);
++              } else {
++                      usb_fill_int_urb(xpad->bulk_out, udev,
++                                       usb_sndintpipe(udev,
++                                                      ep_irq_in->bEndpointAddress),
++                                       xpad->bdata, XPAD_PKT_LEN,
++                                       xpad_bulk_out, xpad, 0);
++              }
+               /*
+                * Submit the int URB immediately rather than waiting for open
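Review bot: The `else` branch in `xpad_probe()` treats every endpoint that is not bulk-OUT as interrupt-OUT, so a device whose second endpoint descriptor is IN or isochronous still gets an URB built with `usb_sndintpipe()`. Descriptors come from the attached device, so the type should be checked rather than assumed: `} else if (usb_endpoint_is_int_out(ep_irq_in)) {`, with a final `else` that fails the probe through the function's existing error path. The interval argument is also hard-coded to `0`; `ep_irq_in->bInterval` would be the descriptor's own value. Whether `endpoint[1]` is known to exist at this point is decided outside the hunk.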
diff --git a/queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch b/queue-3.10/iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch
new file mode 100644 (file)
index 0000000..b6c6184
--- /dev/null
@@ -0,0 +1,96 @@
+From 3b726ae2de02a406cc91903f80132daee37b6f1b Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@dev.mellanox.co.il>
+Date: Tue, 28 Oct 2014 13:45:03 -0700
+Subject: iser-target: Handle DEVICE_REMOVAL event on network portal listener correctly
+
+From: Sagi Grimberg <sagig@dev.mellanox.co.il>
+
+commit 3b726ae2de02a406cc91903f80132daee37b6f1b upstream.
+
+In this case the cm_id->context is the isert_np, and the cm_id->qp
+is NULL, so use that to distinct the cases.
+
+Since we don't expect any other events on this cm_id we can
+just return -1 for explicit termination of the cm_id by the
+cma layer.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |   29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -585,14 +585,25 @@ wake_up:
+       complete(&isert_conn->conn_wait);
+ }
+-static void
++static int
+ isert_disconnected_handler(struct rdma_cm_id *cma_id, bool disconnect)
+ {
+-      struct isert_conn *isert_conn = (struct isert_conn *)cma_id->context;
++      struct isert_conn *isert_conn;
++
++      if (!cma_id->qp) {
++              struct isert_np *isert_np = cma_id->context;
++
++              isert_np->np_cm_id = NULL;
++              return -1;
++      }
++
++      isert_conn = (struct isert_conn *)cma_id->context;
+       isert_conn->disconnect = disconnect;
+       INIT_WORK(&isert_conn->conn_logout_work, isert_disconnect_work);
+       schedule_work(&isert_conn->conn_logout_work);
++
++      return 0;
+ }
+ static int
+@@ -607,6 +618,9 @@ isert_cma_handler(struct rdma_cm_id *cma
+       switch (event->event) {
+       case RDMA_CM_EVENT_CONNECT_REQUEST:
+               ret = isert_connect_request(cma_id, event);
++              if (ret)
++                      pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
++                              event->event, ret);
+               break;
+       case RDMA_CM_EVENT_ESTABLISHED:
+               isert_connected_handler(cma_id);
+@@ -616,7 +630,7 @@ isert_cma_handler(struct rdma_cm_id *cma
+       case RDMA_CM_EVENT_DEVICE_REMOVAL: /* FALLTHRU */
+               disconnect = true;
+       case RDMA_CM_EVENT_TIMEWAIT_EXIT:  /* FALLTHRU */
+-              isert_disconnected_handler(cma_id, disconnect);
++              ret = isert_disconnected_handler(cma_id, disconnect);
+               break;
+       case RDMA_CM_EVENT_CONNECT_ERROR:
+       default:
+@@ -624,12 +638,6 @@ isert_cma_handler(struct rdma_cm_id *cma
+               break;
+       }
+-      if (ret != 0) {
+-              pr_err("isert_cma_handler failed RDMA_CM_EVENT: 0x%08x %d\n",
+-                     event->event, ret);
+-              dump_stack();
+-      }
+-
+       return ret;
+ }
+@@ -2233,7 +2241,8 @@ isert_free_np(struct iscsi_np *np)
+ {
+       struct isert_np *isert_np = (struct isert_np *)np->np_context;
+-      rdma_destroy_id(isert_np->np_cm_id);
++      if (isert_np->np_cm_id)
++              rdma_destroy_id(isert_np->np_cm_id);
+       np->np_context = NULL;
+       kfree(isert_np);
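Review bot: `isert_disconnected_handler()` now decides what `cma_id->context` points to from `!cma_id->qp` alone, and treats it as a `struct isert_np *` on that basis. That is only safe if every connection cm_id has its QP attached before a DISCONNECTED, DEVICE_REMOVAL or TIMEWAIT_EXIT event can be delivered for it; the hunk does not show that, and a connection id without a QP would have an `isert_conn` written through as an `isert_np`. A comment stating the invariant above the check would help, e.g. `/* Only the listener cm_id has no QP: context is the isert_np */`. Separately, `np_cm_id` is cleared here and tested in `isert_free_np()` with no lock visible in either hunk, so the two can race if the event and the portal teardown run concurrently.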
diff --git a/queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch b/queue-3.10/nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch
new file mode 100644 (file)
index 0000000..bdecf30
--- /dev/null
@@ -0,0 +1,50 @@
+From c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Wed, 19 Nov 2014 12:47:50 -0500
+Subject: nfsd: Fix slot wake up race in the nfsv4.1 callback code
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit c6c15e1ed303ffc47e696ea1c9a9df1761c1f603 upstream.
+
+The currect code for nfsd41_cb_get_slot() and nfsd4_cb_done() has no
+locking in order to guarantee atomicity, and so allows for races of
+the form.
+
+Task 1                                  Task 2
+======                                  ======
+if (test_and_set_bit(0) != 0) {
+                                        clear_bit(0)
+                                        rpc_wake_up_next(queue)
+        rpc_sleep_on(queue)
+        return false;
+}
+
+This patch breaks the race condition by adding a retest of the bit
+after the call to rpc_sleep_on().
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4callback.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -784,8 +784,12 @@ static bool nfsd41_cb_get_slot(struct nf
+ {
+       if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
+               rpc_sleep_on(&clp->cl_cb_waitq, task, NULL);
+-              dprintk("%s slot is busy\n", __func__);
+-              return false;
++              /* Race breaker */
++              if (test_and_set_bit(0, &clp->cl_cb_slot_busy) != 0) {
++                      dprintk("%s slot is busy\n", __func__);
++                      return false;
++              }
++              rpc_wake_up_queued_task(&clp->cl_cb_waitq, task);
+       }
+       return true;
+ }
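Review bot: The two-word comment `/* Race breaker */` in `nfsd41_cb_get_slot()` does not say which race it breaks or why the task then wakes itself; that explanation lives only in the commit message. Something like `/* The slot may have been released, and the queue woken, between the failed test_and_set_bit() and rpc_sleep_on(); retest, and if we now own the slot take ourselves off the wait queue. */` would keep the reasoning next to the code. The function's signature is truncated in the hunk header, but its body is fully visible.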
diff --git a/queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch b/queue-3.10/nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch
new file mode 100644 (file)
index 0000000..1960c58
--- /dev/null
@@ -0,0 +1,122 @@
+From bf7bd3e98be5c74813bee6ad496139fb0a011b3b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 15 Aug 2013 16:55:26 -0400
+Subject: nfsd4: fix leak of inode reference on delegation failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit bf7bd3e98be5c74813bee6ad496139fb0a011b3b upstream.
+
+This fixes a regression from 68a3396178e6688ad7367202cdf0af8ed03c8727
+"nfsd4: shut down more of delegation earlier".
+
+After that commit, nfs4_set_delegation() failures result in
+nfs4_put_delegation being called, but nfs4_put_delegation doesn't free
+the nfs4_file that has already been set by alloc_init_deleg().
+
+This can result in an oops on later unmounting the exported filesystem.
+
+Note also delaying the fi_had_conflict check we're able to return a
+better error (hence give 4.1 clients a better idea why the delegation
+failed; though note CONFLICT isn't an exact match here, as that's
+supposed to indicate a current conflict, but all we know here is that
+there was one recently).
+
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Tested-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+[tuomasjjrasanen: backported to 3.10
+   Conflicts fs/nfsd/nfs4state.c:
+     Delegation type flags have been removed from upstream code. In 3.10-series,
+     they still exists and therefore the commit caused few conflicts in function
+     signatures.
+]
+Signed-off-by: Tuomas Räsänen <tuomasjjrasanen@opinsys.fi>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -367,7 +367,6 @@ static struct nfs4_delegation *
+ alloc_init_deleg(struct nfs4_client *clp, struct nfs4_ol_stateid *stp, struct svc_fh *current_fh, u32 type)
+ {
+       struct nfs4_delegation *dp;
+-      struct nfs4_file *fp = stp->st_file;
+       dprintk("NFSD alloc_init_deleg\n");
+       /*
+@@ -377,8 +376,6 @@ alloc_init_deleg(struct nfs4_client *clp
+        */
+       if (type != NFS4_OPEN_DELEGATE_READ)
+               return NULL;
+-      if (fp->fi_had_conflict)
+-              return NULL;
+       if (num_delegations > max_delegations)
+               return NULL;
+       dp = delegstateid(nfs4_alloc_stid(clp, deleg_slab));
+@@ -395,8 +392,7 @@ alloc_init_deleg(struct nfs4_client *clp
+       INIT_LIST_HEAD(&dp->dl_perfile);
+       INIT_LIST_HEAD(&dp->dl_perclnt);
+       INIT_LIST_HEAD(&dp->dl_recall_lru);
+-      get_nfs4_file(fp);
+-      dp->dl_file = fp;
++      dp->dl_file = NULL;
+       dp->dl_type = type;
+       fh_copy_shallow(&dp->dl_fh, &current_fh->fh_handle);
+       dp->dl_time = 0;
+@@ -2965,22 +2961,35 @@ static int nfs4_setlease(struct nfs4_del
+       return 0;
+ }
+-static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag)
++static int nfs4_set_delegation(struct nfs4_delegation *dp, int flag, struct nfs4_file *fp)
+ {
+-      struct nfs4_file *fp = dp->dl_file;
++      int status;
+-      if (!fp->fi_lease)
+-              return nfs4_setlease(dp, flag);
++      if (fp->fi_had_conflict)
++              return -EAGAIN;
++      get_nfs4_file(fp);
++      dp->dl_file = fp;
++      if (!fp->fi_lease) {
++              status = nfs4_setlease(dp, flag);
++              if (status)
++                      goto out_free;
++              return 0;
++      }
+       spin_lock(&recall_lock);
+       if (fp->fi_had_conflict) {
+               spin_unlock(&recall_lock);
+-              return -EAGAIN;
++              status = -EAGAIN;
++              goto out_free;
+       }
+       atomic_inc(&fp->fi_delegees);
+       list_add(&dp->dl_perfile, &fp->fi_delegations);
+       spin_unlock(&recall_lock);
+       list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations);
+       return 0;
++out_free:
++      put_nfs4_file(fp);
++      dp->dl_file = fp;
++      return status;
+ }
+ static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status)
+@@ -3046,7 +3055,7 @@ nfs4_open_delegation(struct net *net, st
+       dp = alloc_init_deleg(oo->oo_owner.so_client, stp, fh, flag);
+       if (dp == NULL)
+               goto out_no_deleg;
+-      status = nfs4_set_delegation(dp, flag);
++      status = nfs4_set_delegation(dp, flag, stp->st_file);
+       if (status)
+               goto out_free;
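Review bot: The `out_free` path of `nfs4_set_delegation()` drops the file reference with `put_nfs4_file(fp)` and then stores the same pointer back with `dp->dl_file = fp;`, leaving the delegation holding a pointer it no longer has a reference for. `alloc_init_deleg()` now initialises the field to NULL, so the error path most likely meant to restore that state: `dp->dl_file = NULL;`. As written, any later use of `dp->dl_file` during delegation teardown could touch a freed `nfs4_file`; the teardown code is outside the hunk, so that part is inferred.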
diff --git a/queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch b/queue-3.10/rt2x00-do-not-align-payload-on-modern-h-w.patch
new file mode 100644 (file)
index 0000000..b79f984
--- /dev/null
@@ -0,0 +1,117 @@
+From cfd9167af14eb4ec21517a32911d460083ee3d59 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Tue, 11 Nov 2014 14:28:47 +0100
+Subject: rt2x00: do not align payload on modern H/W
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit cfd9167af14eb4ec21517a32911d460083ee3d59 upstream.
+
+RT2800 and newer hardware require padding between header and payload if
+header length is not multiple of 4.
+
+For historical reasons we also align payload to to 4 bytes boundary, but
+such alignment is not needed on modern H/W.
+
+Patch fixes skb_under_panic problems reported from time to time:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=84911
+https://bugzilla.kernel.org/show_bug.cgi?id=72471
+http://marc.info/?l=linux-wireless&m=139108549530402&w=2
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591
+
+Panic happened because we eat 4 bytes of skb headroom on each
+(re)transmission when sending frame without the payload and the header
+length not being multiple of 4 (i.e. QoS header has 26 bytes). On such
+case because paylad_aling=2 is bigger than header_align=0 we increase
+header_align by 4 bytes. To prevent that we could change the check to:
+
+       if (payload_length && payload_align > header_align)
+               header_align += 4;
+
+but not aligning payload at all is more effective and alignment is not
+really needed by H/W (that has been tested on OpenWrt project for few
+years now).
+
+Reported-and-tested-by: Antti S. Lankila <alankila@bel.fi>
+Debugged-by: Antti S. Lankila <alankila@bel.fi>
+Reported-by: Henrik Asp <solenskiner@gmail.com>
+Originally-From: Helmut Schaa <helmut.schaa@googlemail.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00queue.c |   50 +++++++-----------------------
+ 1 file changed, 12 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
+@@ -160,55 +160,29 @@ void rt2x00queue_align_frame(struct sk_b
+       skb_trim(skb, frame_length);
+ }
+-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
++/*
++ * H/W needs L2 padding between the header and the paylod if header size
++ * is not 4 bytes aligned.
++ */
++void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+-      unsigned int payload_length = skb->len - header_length;
+-      unsigned int header_align = ALIGN_SIZE(skb, 0);
+-      unsigned int payload_align = ALIGN_SIZE(skb, header_length);
+-      unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
+-
+-      /*
+-       * Adjust the header alignment if the payload needs to be moved more
+-       * than the header.
+-       */
+-      if (payload_align > header_align)
+-              header_align += 4;
++      unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+-      /* There is nothing to do if no alignment is needed */
+-      if (!header_align)
++      if (!l2pad)
+               return;
+-      /* Reserve the amount of space needed in front of the frame */
+-      skb_push(skb, header_align);
+-
+-      /*
+-       * Move the header.
+-       */
+-      memmove(skb->data, skb->data + header_align, header_length);
+-
+-      /* Move the payload, if present and if required */
+-      if (payload_length && payload_align)
+-              memmove(skb->data + header_length + l2pad,
+-                      skb->data + header_length + l2pad + payload_align,
+-                      payload_length);
+-
+-      /* Trim the skb to the correct size */
+-      skb_trim(skb, header_length + l2pad + payload_length);
++      skb_push(skb, l2pad);
++      memmove(skb->data, skb->data + l2pad, hdr_len);
+ }
+-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
++void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
+ {
+-      /*
+-       * L2 padding is only present if the skb contains more than just the
+-       * IEEE 802.11 header.
+-       */
+-      unsigned int l2pad = (skb->len > header_length) ?
+-                              L2PAD_SIZE(header_length) : 0;
++      unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
+       if (!l2pad)
+               return;
+-      memmove(skb->data + l2pad, skb->data, header_length);
++      memmove(skb->data + l2pad, skb->data, hdr_len);
+       skb_pull(skb, l2pad);
+ }
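Review bot: `rt2x00queue_insert_l2pad()` calls `skb_push(skb, l2pad)` with nothing in the function or its comment saying where the headroom comes from, and running out of headroom in `skb_push()` is the skb_under_panic this patch is fixing. The new header comment could carry the requirement, e.g. `Callers must have reserved headroom for the L2 pad before queuing the frame.`, and it has a typo (`paylod`). The patch also deletes the comment in `rt2x00queue_remove_l2pad()` that explained why the pad is only present when `skb->len > hdr_len`; a one-line version of it is worth keeping on both functions.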
index 2896f9ee7ba7e1ba58d46f973b048531184867a7..a5529b0a043e32d471da814c230580addf592689 100644 (file)
@@ -29,3 +29,15 @@ usb-quirks-add-reset-resume-quirk-for-ms-wireless-laser-mouse-6000.patch
 usb-xhci-don-t-start-a-halted-endpoint-before-its-new-dequeue-is-set.patch
 can-esd_usb2-fix-memory-leak-on-disconnect.patch
 alsa-usb-audio-add-ctrl-message-delay-quirk-for.patch
+arm-8216-1-xscale-correct-auxiliary-register-in-suspend-resume.patch
+arm-8222-1-mvebu-enable-strex-backoff-delay.patch
+input-xpad-use-proper-endpoint-type.patch
+srp-target-retry-when-qp-creation-fails-with-enomem.patch
+target-don-t-call-tfo-write_pending-if-data_length-0.patch
+iser-target-handle-device_removal-event-on-network-portal-listener-correctly.patch
+spi-dw-fix-dynamic-speed-change.patch
+can-dev-avoid-calling-kfree_skb-from-interrupt-context.patch
+rt2x00-do-not-align-payload-on-modern-h-w.patch
+nfsd-fix-slot-wake-up-race-in-the-nfsv4.1-callback-code.patch
+nfsd4-fix-leak-of-inode-reference-on-delegation-failure.patch
+bnx2fc-do-not-add-shared-skbs-to-the-fcoe_rx_list.patch
diff --git a/queue-3.10/spi-dw-fix-dynamic-speed-change.patch b/queue-3.10/spi-dw-fix-dynamic-speed-change.patch
new file mode 100644 (file)
index 0000000..0586e6c
--- /dev/null
@@ -0,0 +1,67 @@
+From 0a8727e69778683495058852f783eeda141a754e Mon Sep 17 00:00:00 2001
+From: Thor Thayer <tthayer@opensource.altera.com>
+Date: Thu, 6 Nov 2014 13:54:27 -0600
+Subject: spi: dw: Fix dynamic speed change.
+
+From: Thor Thayer <tthayer@opensource.altera.com>
+
+commit 0a8727e69778683495058852f783eeda141a754e upstream.
+
+An IOCTL call that calls spi_setup() and then dw_spi_setup() will
+overwrite the persisted last transfer speed. On each transfer, the
+SPI speed is compared to the last transfer speed to determine if the
+clock divider registers need to be updated (did the speed change?).
+This bug was observed with the spidev driver using spi-config to
+update the max transfer speed.
+
+This fix: Don't overwrite the persisted last transaction clock speed
+when updating the SPI parameters in dw_spi_setup(). On the next
+transaction, the new speed won't match the persisted last speed
+and the hardware registers will be updated.
+On initialization, the persisted last transaction clock
+speed will be 0 but will be updated after the first SPI
+transaction.
+
+Move zeroed clock divider check into clock change test because
+chip->clk_div is zero on startup and would cause a divide-by-zero
+error. The calculation was wrong as well (can't support odd #).
+
+Reported-by: Vlastimil Setka <setka@vsis.cz>
+Signed-off-by: Vlastimil Setka <setka@vsis.cz>
+Signed-off-by: Thor Thayer <tthayer@opensource.altera.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-dw.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -394,9 +394,6 @@ static void pump_transfers(unsigned long
+       chip = dws->cur_chip;
+       spi = message->spi;
+-      if (unlikely(!chip->clk_div))
+-              chip->clk_div = dws->max_freq / chip->speed_hz;
+-
+       if (message->state == ERROR_STATE) {
+               message->status = -EIO;
+               goto early_exit;
+@@ -438,7 +435,7 @@ static void pump_transfers(unsigned long
+       if (transfer->speed_hz) {
+               speed = chip->speed_hz;
+-              if (transfer->speed_hz != speed) {
++              if ((transfer->speed_hz != speed) || (!chip->clk_div)) {
+                       speed = transfer->speed_hz;
+                       if (speed > dws->max_freq) {
+                               printk(KERN_ERR "MRST SPI0: unsupported"
+@@ -677,7 +674,6 @@ static int dw_spi_setup(struct spi_devic
+               dev_err(&spi->dev, "No max speed HZ parameter\n");
+               return -EINVAL;
+       }
+-      chip->speed_hz = spi->max_speed_hz;
+       chip->tmode = 0; /* Tx & Rx */
+       /* Default SPI mode is SCPOL = 0, SCPH = 0 */
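Review bot: A transfer that leaves `speed_hz` at zero never gets a clock divider computed in pump_transfers() after this change, because the new `|| (!chip->clk_div)` test sits inside `if (transfer->speed_hz) {` and the unconditional fallback `chip->clk_div = dws->max_freq / chip->speed_hz` is removed. dw_spi_setup() also stops seeding `chip->speed_hz`, so the first message on a device would use whatever `chip->clk_div` holds, which the commit message says is zero on startup. Whether this is reachable depends on whether the SPI core in this 3.10 tree fills in `transfer->speed_hz` from `spi->max_speed_hz` before the driver sees it; that is not visible here and should be confirmed for the backport. If it does not, pick the speed as `speed = transfer->speed_hz ? transfer->speed_hz : spi->max_speed_hz;` and run the divider computation whenever `!chip->clk_div`. Both functions continue outside the hunks.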
diff --git a/queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch b/queue-3.10/srp-target-retry-when-qp-creation-fails-with-enomem.patch
new file mode 100644 (file)
index 0000000..59f503f
--- /dev/null
@@ -0,0 +1,48 @@
+From ab477c1ff5e0a744c072404bf7db51bfe1f05b6e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sun, 19 Oct 2014 18:05:33 +0300
+Subject: srp-target: Retry when QP creation fails with ENOMEM
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ab477c1ff5e0a744c072404bf7db51bfe1f05b6e upstream.
+
+It is not guaranteed to that srp_sq_size is supported
+by the HCA. So if we failed to create the QP with ENOMEM,
+try with a smaller srp_sq_size. Keep it up until we hit
+MIN_SRPT_SQ_SIZE, then fail the connection.
+
+Reported-by: Mark Lehrer <lehrer@gmail.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2101,6 +2101,7 @@ static int srpt_create_ch_ib(struct srpt
+       if (!qp_init)
+               goto out;
++retry:
+       ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch,
+                             ch->rq_size + srp_sq_size, 0);
+       if (IS_ERR(ch->cq)) {
+@@ -2124,6 +2125,13 @@ static int srpt_create_ch_ib(struct srpt
+       ch->qp = ib_create_qp(sdev->pd, qp_init);
+       if (IS_ERR(ch->qp)) {
+               ret = PTR_ERR(ch->qp);
++              if (ret == -ENOMEM) {
++                      srp_sq_size /= 2;
++                      if (srp_sq_size >= MIN_SRPT_SQ_SIZE) {
++                              ib_destroy_cq(ch->cq);
++                              goto retry;
++                      }
++              }
+               printk(KERN_ERR "failed to create_qp ret= %d\n", ret);
+               goto err_destroy_cq;
+       }
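Review bot: The retry branch halves `srp_sq_size` itself (`srp_sq_size /= 2;`), and that name is not declared in the visible part of srpt_create_ch_ib(). If it is the file-scope module parameter, as the commit message's wording suggests, a single ENOMEM lowers the send-queue size for every channel created afterwards, and after the final failed attempt it is left below `MIN_SRPT_SQ_SIZE`. Channels being set up at the same time may also halve the same variable without synchronisation. Keeping the working value local avoids this: `int sq_size = srp_sq_size;` before `retry:`, then `sq_size /= 2;` and `if (sq_size >= MIN_SRPT_SQ_SIZE)` in the new branch, with the CQ and QP sized from `sq_size`. The function starts and ends outside the hunks, so the other uses of the size cannot be checked here.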
diff --git a/queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch b/queue-3.10/target-don-t-call-tfo-write_pending-if-data_length-0.patch
new file mode 100644 (file)
index 0000000..b1f77b2
--- /dev/null
@@ -0,0 +1,35 @@
+From 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Tue, 14 Oct 2014 14:16:24 -0700
+Subject: target: Don't call TFO->write_pending if data_length == 0
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 885e7b0e181c14e4d0ddd26c688bad2b84c1ada9 upstream.
+
+If an initiator sends a zero-length command (e.g. TEST UNIT READY) but
+sets the transfer direction in the transport layer to indicate a
+data-out phase, we still shouldn't try to transfer data.  At best it's
+a NOP, and depending on the transport, we might crash on an
+uninitialized sg list.
+
+Reported-by: Craig Watson <craig.watson@vanguard-rugged.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2128,7 +2128,7 @@ transport_generic_new_cmd(struct se_cmd
+        * and let it call back once the write buffers are ready.
+        */
+       target_add_to_state_list(cmd);
+-      if (cmd->data_direction != DMA_TO_DEVICE) {
++      if (cmd->data_direction != DMA_TO_DEVICE || cmd->data_length == 0) {
+               target_execute_cmd(cmd);
+               return 0;
+       }
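Review bot: The comment above this test still describes only the write case ("let it call back once the write buffers are ready"), so the new `cmd->data_length == 0` clause is unexplained in the code. The reason exists only in the commit message: a zero-length command that the initiator flags as data-out has no data to fetch, and the transport may not have set up an sg list for it. I would add `/* Zero-length commands have nothing to fetch even when flagged DMA_TO_DEVICE; execute them directly. */` immediately above the `if`. The existing comment and the function both begin outside the hunk.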