--- /dev/null
+From 84e871660bebfddb9a62ebd6f19d02536e782f0a Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Date: Tue, 3 Mar 2015 19:58:22 +0100
+Subject: ARM: at91: pm: fix at91rm9200 standby
+
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+
+commit 84e871660bebfddb9a62ebd6f19d02536e782f0a upstream.
+
+at91rm9200 standby and suspend to ram has been broken since
+00482a4078f4. It is wrongly using AT91_BASE_SYS which is a physical address
+and actually doesn't correspond to any register on at91rm9200.
+
+Use the correct at91_ramc_base[0] instead.
+
+Fixes: 00482a4078f4 (ARM: at91: implement the standby function for pm/cpuidle)
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-at91/pm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-at91/pm.h
++++ b/arch/arm/mach-at91/pm.h
+@@ -37,7 +37,7 @@ static inline void at91rm9200_standby(vo
+ " mcr p15, 0, %0, c7, c0, 4\n\t"
+ " str %5, [%1, %2]"
+ :
+- : "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR),
++ : "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR),
+ "r" (1), "r" (AT91RM9200_SDRAMC_SRR),
+ "r" (lpr));
+ }
--- /dev/null
+From f068fbc82e7696d67b1bb8189306865bedf368b6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 23 Feb 2015 00:57:51 -0800
+Subject: iscsi-target: Avoid early conn_logout_comp for iser connections
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit f068fbc82e7696d67b1bb8189306865bedf368b6 upstream.
+
+This patch fixes a iser specific logout bug where early complete()
+of conn->conn_logout_comp in iscsit_close_connection() was causing
+isert_wait4logout() to complete too soon, triggering a use after
+free NULL pointer dereference of iscsi_conn memory.
+
+The complete() was originally added for traditional iscsi-target
+when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given
+iser-target does not wait in logout failure, this special case needs
+to be avoided.
+
+Reported-by: Sagi Grimberg <sagig@mellanox.com>
+Cc: Sagi Grimberg <sagig@mellanox.com>
+Cc: Slava Shwartsman <valyushash@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4136,11 +4136,17 @@ int iscsit_close_connection(
+ pr_debug("Closing iSCSI connection CID %hu on SID:"
+ " %u\n", conn->cid, sess->sid);
+ /*
+- * Always up conn_logout_comp just in case the RX Thread is sleeping
+- * and the logout response never got sent because the connection
+- * failed.
++ * Always up conn_logout_comp for the traditional TCP case just in case
++ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout
++ * response never got sent because the connection failed.
++ *
++ * However for iser-target, isert_wait4logout() is using conn_logout_comp
++ * to signal logout response TX interrupt completion. Go ahead and skip
++ * this for iser since isert_rx_opcode() does not wait on logout failure,
++ * and to avoid iscsi_conn pointer dereference in iser-target code.
+ */
+- complete(&conn->conn_logout_comp);
++ if (conn->conn_transport->transport_type == ISCSI_TCP)
++ complete(&conn->conn_logout_comp);
+
+ iscsi_release_thread_set(conn);
+
powerpc-smp-wait-until-secondaries-are-active-online.patch
ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch
ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch
+arm-at91-pm-fix-at91rm9200-standby.patch
+target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch
+iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch
+target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch
+target-fix-r_holder-bit-usage-for-allregistrants.patch
+target-allow-allregistrants-to-re-reserve-existing-reservation.patch
+target-allow-write-exclusive-non-reservation-holders-to-read.patch
--- /dev/null
+From ae450e246e8540300699480a3780a420a028b73f Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 19 Dec 2014 00:49:23 +0000
+Subject: target: Allow AllRegistrants to re-RESERVE existing reservation
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit ae450e246e8540300699480a3780a420a028b73f upstream.
+
+This patch changes core_scsi3_pro_release() logic to allow an
+existing AllRegistrants type reservation to be re-reserved by
+any registered I_T nexus.
+
+This addresses a issue where AllRegistrants type RESERVE was
+receiving RESERVATION_CONFLICT status if dev_pr_res_holder did
+not match the same I_T nexus, instead of just returning GOOD
+status following spc4r34 Section 5.9.9:
+
+"If the device server receives a PERSISTENT RESERVE OUT command
+ with RESERVE service action where the TYPE field and the SCOPE
+ field contain the same values as the existing type and scope
+ from a persistent reservation holder, it shall not make any
+ change to the existing persistent reservation and shall complete
+ the command with GOOD status."
+
+Reported-by: Ilias Tsitsimpis <i.tsitsimpis@gmail.com>
+Cc: Ilias Tsitsimpis <i.tsitsimpis@gmail.com>
+Cc: Lee Duncan <lduncan@suse.com>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -2397,6 +2397,7 @@ core_scsi3_pro_reserve(struct se_cmd *cm
+ spin_lock(&dev->dev_reservation_lock);
+ pr_res_holder = dev->dev_pr_res_holder;
+ if (pr_res_holder) {
++ int pr_res_type = pr_res_holder->pr_res_type;
+ /*
+ * From spc4r17 Section 5.7.9: Reserving:
+ *
+@@ -2407,7 +2408,9 @@ core_scsi3_pro_reserve(struct se_cmd *cm
+ * the logical unit, then the command shall be completed with
+ * RESERVATION CONFLICT status.
+ */
+- if (pr_res_holder != pr_reg) {
++ if ((pr_res_holder != pr_reg) &&
++ (pr_res_type != PR_TYPE_WRITE_EXCLUSIVE_ALLREG) &&
++ (pr_res_type != PR_TYPE_EXCLUSIVE_ACCESS_ALLREG)) {
+ struct se_node_acl *pr_res_nacl = pr_res_holder->pr_reg_nacl;
+ pr_err("SPC-3 PR: Attempted RESERVE from"
+ " [%s]: %s while reservation already held by"
--- /dev/null
+From 1ecc7586922662e3ca2f3f0c3f17fec8749fc621 Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Mon, 5 Jan 2015 10:49:44 -0800
+Subject: target: Allow Write Exclusive non-reservation holders to READ
+
+From: Lee Duncan <lduncan@suse.com>
+
+commit 1ecc7586922662e3ca2f3f0c3f17fec8749fc621 upstream.
+
+For PGR reservation of type Write Exclusive Access, allow all non
+reservation holding I_T nexuses with active registrations to READ
+from the device.
+
+This addresses a bug where active registrations that attempted
+to READ would result in an reservation conflict.
+
+Signed-off-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -518,6 +518,18 @@ static int core_scsi3_pr_seq_non_holder(
+
+ return 0;
+ }
++ } else if (we && registered_nexus) {
++ /*
++ * Reads are allowed for Write Exclusive locks
++ * from all registrants.
++ */
++ if (cmd->data_direction == DMA_FROM_DEVICE) {
++ pr_debug("Allowing READ CDB: 0x%02x for %s"
++ " reservation\n", cdb[0],
++ core_scsi3_pr_dump_type(pr_reg_type));
++
++ return 0;
++ }
+ }
+ pr_debug("%s Conflict for %sregistered nexus %s CDB: 0x%2x"
+ " for %s reservation\n", transport_dump_cmd_direction(cmd),
--- /dev/null
+From d16ca7c5198fd668db10d2c7b048ed3359c12c54 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 14 Dec 2014 01:47:19 -0800
+Subject: target: Fix R_HOLDER bit usage for AllRegistrants
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit d16ca7c5198fd668db10d2c7b048ed3359c12c54 upstream.
+
+This patch fixes the usage of R_HOLDER bit for an All Registrants
+reservation in READ_FULL_STATUS, where only the registration who
+issued RESERVE was being reported as having an active reservation.
+
+It changes core_scsi3_pri_read_full_status() to check ahead of the
+list walk of active registrations to see if All Registrants is active,
+and if so set R_HOLDER bit and scope/type fields for all active
+registrations.
+
+Reported-by: Ilias Tsitsimpis <i.tsitsimpis@gmail.com>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pr.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -4012,7 +4012,8 @@ core_scsi3_pri_read_full_status(struct s
+ unsigned char *buf;
+ u32 add_desc_len = 0, add_len = 0, desc_len, exp_desc_len;
+ u32 off = 8; /* off into first Full Status descriptor */
+- int format_code = 0;
++ int format_code = 0, pr_res_type = 0, pr_res_scope = 0;
++ bool all_reg = false;
+
+ if (cmd->data_length < 8) {
+ pr_err("PRIN SA READ_FULL_STATUS SCSI Data Length: %u"
+@@ -4029,6 +4030,19 @@ core_scsi3_pri_read_full_status(struct s
+ buf[2] = ((dev->t10_pr.pr_generation >> 8) & 0xff);
+ buf[3] = (dev->t10_pr.pr_generation & 0xff);
+
++ spin_lock(&dev->dev_reservation_lock);
++ if (dev->dev_pr_res_holder) {
++ struct t10_pr_registration *pr_holder = dev->dev_pr_res_holder;
++
++ if (pr_holder->pr_res_type == PR_TYPE_WRITE_EXCLUSIVE_ALLREG ||
++ pr_holder->pr_res_type == PR_TYPE_EXCLUSIVE_ACCESS_ALLREG) {
++ all_reg = true;
++ pr_res_type = pr_holder->pr_res_type;
++ pr_res_scope = pr_holder->pr_res_scope;
++ }
++ }
++ spin_unlock(&dev->dev_reservation_lock);
++
+ spin_lock(&pr_tmpl->registration_lock);
+ list_for_each_entry_safe(pr_reg, pr_reg_tmp,
+ &pr_tmpl->registration_list, pr_reg_list) {
+@@ -4078,14 +4092,20 @@ core_scsi3_pri_read_full_status(struct s
+ * reservation holder for PR_HOLDER bit.
+ *
+ * Also, if this registration is the reservation
+- * holder, fill in SCOPE and TYPE in the next byte.
++ * holder or there is an All Registrants reservation
++ * active, fill in SCOPE and TYPE in the next byte.
+ */
+ if (pr_reg->pr_res_holder) {
+ buf[off++] |= 0x01;
+ buf[off++] = (pr_reg->pr_res_scope & 0xf0) |
+ (pr_reg->pr_res_type & 0x0f);
+- } else
++ } else if (all_reg) {
++ buf[off++] |= 0x01;
++ buf[off++] = (pr_res_scope & 0xf0) |
++ (pr_res_type & 0x0f);
++ } else {
+ off += 2;
++ }
+
+ off += 4; /* Skip over reserved area */
+ /*
--- /dev/null
+From 7544e597343e2166daba3f32e4708533aa53c233 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Wed, 18 Feb 2015 15:33:58 +0100
+Subject: target: Fix reference leak in target_get_sess_cmd() error path
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 7544e597343e2166daba3f32e4708533aa53c233 upstream.
+
+This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down
+is true within target_get_sess_cmd() submission path code.
+
+This se_cmd reference leak can occur during active session shutdown when
+ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2222,6 +2222,10 @@ int target_get_sess_cmd(struct se_sessio
+
+ out:
+ spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
++
++ if (ret && ack_kref)
++ target_put_sess_cmd(se_sess, se_cmd);
++
+ return ret;
+ }
+ EXPORT_SYMBOL(target_get_sess_cmd);
--- /dev/null
+From 215a8fe4198f607f34ecdbc9969dae783d8b5a61 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Feb 2015 03:54:13 -0800
+Subject: target/pscsi: Fix NULL pointer dereference in get_device_type
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 215a8fe4198f607f34ecdbc9969dae783d8b5a61 upstream.
+
+This patch fixes a NULL pointer dereference OOPs with pSCSI backends
+within target_core_stat.c code. The bug is caused by a configfs attr
+read if no pscsi_dev_virt->pdv_sd has been configured.
+
+Reported-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -1112,7 +1112,7 @@ static u32 pscsi_get_device_type(struct
+ struct pscsi_dev_virt *pdv = PSCSI_DEV(dev);
+ struct scsi_device *sd = pdv->pdv_sd;
+
+- return sd->type;
++ return (sd) ? sd->type : TYPE_NO_LUN;
+ }
+
+ static sector_t pscsi_get_blocks(struct se_device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
