--- /dev/null
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney <david.daney@cavium.com>
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1091,6 +1091,7 @@ static void __cpuinit build_update_entri
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info __cpuinit
+@@ -1105,6 +1106,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
+@@ -1293,6 +1295,7 @@ static void __cpuinit build_r4000_tlb_re
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1329,7 +1332,8 @@ static void __cpuinit build_r4000_tlb_re
+ }
+ #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
--- /dev/null
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel <joern@logfs.org>
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -762,7 +762,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
arc-allow-headless-models-to-boot.patch
arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+qla_target-don-t-delete-changed-nacls.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
--- /dev/null
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1293,7 +1293,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -945,10 +945,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -55,7 +55,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include <target/target_core_fabric.h>
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -165,6 +166,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
--- /dev/null
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@qlogic.com>
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran <quinn.tran@qlogic.com>
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at lower transport layer, command
+is placed on queue full retry path, which expose this problem. The TCM
+queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
+cmd twice to lower layer. The 1st time led to cmd normal free path.
+The 2nd time cause Null pointer access.
+
+This regression bug was originally introduced v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig <hch@infradead.org>
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1788,8 +1788,7 @@ static void transport_complete_qf(struct
+
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
