+++ /dev/null
-From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001
-From: Sagi Grimberg <sagig@mellanox.com>
-Date: Thu, 4 Jun 2015 19:49:21 +0300
-Subject: iser-target: Fix possible use-after-free
-
-From: Sagi Grimberg <sagig@mellanox.com>
-
-commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream.
-
-iser connection termination process happens in 2 stages:
-- isert_wait_conn:
- - resumes rdma disconnect
- - wait for session commands
- - wait for flush completions (post a marked wr to signal we are done)
- - wait for logout completion
- - queue work for connection cleanup (depends on disconnected/timewait
- events)
-- isert_free_conn
- - last reference put on the connection
-
-In case we are terminating during IOs, we might be posting send/recv
-requests after we posted the last work request which might lead
-to a use-after-free condition in isert_handle_wc.
-After we posted the last wr in isert_wait_conn we are guaranteed that
-no successful completions will follow (meaning no new work request posts
-may happen) but other flush errors might still come. So before we
-put the last reference on the connection, we repeat the process of
-posting a marked work request (isert_wait4flush) in order to make sure all
-pending completions were flushed.
-
-Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
-Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/infiniband/ulp/isert/ib_isert.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/infiniband/ulp/isert/ib_isert.c
-+++ b/drivers/infiniband/ulp/isert/ib_isert.c
-@@ -2426,6 +2426,7 @@ static void isert_free_conn(struct iscsi
- {
- struct isert_conn *isert_conn = conn->context;
-
-+ isert_wait4flush(isert_conn);
- isert_put_conn(isert_conn);
- }
-
crypto-caam-fix-rng-buffer-cache-alignment.patch
tracing-have-filter-check-for-balanced-ops.patch
-iser-target-fix-possible-use-after-free.patch
drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+[ luis: backported to 3.16:
+ - unconditionally decrement cnt as the OP_NOT logic was introduced only
+ by e12c09cf3087 ("tracing: Add NOT to filtering logic") ]
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
- kernel/trace/trace_events_filter.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
+ kernel/trace/trace_events_filter.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1328,19 +1328,26 @@ static int check_preds(struct filter_par
+@@ -1328,19 +1328,24 @@ static int check_preds(struct filter_par
{
int n_normal_preds = 0, n_logical_preds = 0;
struct postfix_elt *elt;
continue;
+ }
++ cnt--;
if (elt->op == OP_AND || elt->op == OP_OR) {
n_logical_preds++;
-+ cnt--;
continue;
}
-+ if (elt->op != OP_NOT)
-+ cnt--;
n_normal_preds++;
+ WARN_ON_ONCE(cnt < 0);
}
+++ /dev/null
-From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001
-From: Sagi Grimberg <sagig@mellanox.com>
-Date: Thu, 4 Jun 2015 19:49:21 +0300
-Subject: iser-target: Fix possible use-after-free
-
-From: Sagi Grimberg <sagig@mellanox.com>
-
-commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream.
-
-iser connection termination process happens in 2 stages:
-- isert_wait_conn:
- - resumes rdma disconnect
- - wait for session commands
- - wait for flush completions (post a marked wr to signal we are done)
- - wait for logout completion
- - queue work for connection cleanup (depends on disconnected/timewait
- events)
-- isert_free_conn
- - last reference put on the connection
-
-In case we are terminating during IOs, we might be posting send/recv
-requests after we posted the last work request which might lead
-to a use-after-free condition in isert_handle_wc.
-After we posted the last wr in isert_wait_conn we are guaranteed that
-no successful completions will follow (meaning no new work request posts
-may happen) but other flush errors might still come. So before we
-put the last reference on the connection, we repeat the process of
-posting a marked work request (isert_wait4flush) in order to make sure all
-pending completions were flushed.
-
-Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
-Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/infiniband/ulp/isert/ib_isert.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/infiniband/ulp/isert/ib_isert.c
-+++ b/drivers/infiniband/ulp/isert/ib_isert.c
-@@ -2952,6 +2952,7 @@ static void isert_free_conn(struct iscsi
- {
- struct isert_conn *isert_conn = conn->context;
-
-+ isert_wait4flush(isert_conn);
- isert_put_conn(isert_conn);
- }
-
crypto-caam-fix-rng-buffer-cache-alignment.patch
tracing-have-filter-check-for-balanced-ops.patch
-iser-target-fix-possible-use-after-free.patch
drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+[ luis: backported to 3.16:
+ - unconditionally decrement cnt as the OP_NOT logic was introduced only
+ by e12c09cf3087 ("tracing: Add NOT to filtering logic") ]
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
- kernel/trace/trace_events_filter.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
+ kernel/trace/trace_events_filter.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1399,19 +1399,26 @@ static int check_preds(struct filter_par
+@@ -1399,19 +1399,24 @@ static int check_preds(struct filter_par
{
int n_normal_preds = 0, n_logical_preds = 0;
struct postfix_elt *elt;
continue;
+ }
++ cnt--;
if (elt->op == OP_AND || elt->op == OP_OR) {
n_logical_preds++;
-+ cnt--;
continue;
}
-+ if (elt->op != OP_NOT)
-+ cnt--;
n_normal_preds++;
+ WARN_ON_ONCE(cnt < 0);
}
projects / thirdparty / kernel / stable-queue.git / commitdiff
