From: Greg Kroah-Hartman Date: Fri, 26 Jul 2013 17:39:13 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.88~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01289cdc5c1ea446dd0d5d98ea27592c386cb974;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: bcache-advertise-that-flushes-are-supported.patch bcache-fix-a-dumb-race.patch bcache-fix-a-sysfs-splat-on-shutdown.patch bcache-fix-gc_sectors_used-calculation.patch bcache-journal-replay-fix.patch bcache-shutdown-fix.patch edac-fix-lockdep-splat.patch fuse-readdirplus-fix-dentry-leak.patch fuse-readdirplus-fix-instantiate.patch fuse-readdirplus-sanity-checks.patch scsi-megaraid_sas-fix-memory-leak-if-sgl-has-zero-length-entries.patch scsi-mpt3sas-fix-for-kernel-panic-when-driver-loads-with-hba-conected-to-non-lun-0-configured-expander.patch scsi-mpt3sas-infinite-loops-can-occur-if-mpi2_iocstatus_config_invalid_page-is-not-returned.patch --- diff --git a/queue-3.10/bcache-advertise-that-flushes-are-supported.patch b/queue-3.10/bcache-advertise-that-flushes-are-supported.patch new file mode 100644 index 00000000000..787523fbf3e --- /dev/null +++ b/queue-3.10/bcache-advertise-that-flushes-are-supported.patch @@ -0,0 +1,55 @@ +From 54d12f2b4fd0f218590d1490b41a18d0e2328a9a Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Wed, 10 Jul 2013 18:44:40 -0700 +Subject: bcache: Advertise that flushes are supported + +From: Kent Overstreet + +commit 54d12f2b4fd0f218590d1490b41a18d0e2328a9a upstream. + +Whoops - bcache's flush/FUA was mostly correct, but flushes get filtered +out unless we say we support them... + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 8 +++++++- + drivers/md/bcache/super.c | 2 ++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -489,6 +489,12 @@ static void bch_insert_data_loop(struct + bch_queue_gc(op->c); + } + ++ /* ++ * Journal writes are marked REQ_FLUSH; if the original write was a ++ * flush, it'll wait on the journal write. ++ */ ++ bio->bi_rw &= ~(REQ_FLUSH|REQ_FUA); ++ + do { + unsigned i; + struct bkey *k; +@@ -716,7 +722,7 @@ static struct search *search_alloc(struc + s->task = current; + s->orig_bio = bio; + s->write = (bio->bi_rw & REQ_WRITE) != 0; +- s->op.flush_journal = (bio->bi_rw & REQ_FLUSH) != 0; ++ s->op.flush_journal = (bio->bi_rw & (REQ_FLUSH|REQ_FUA)) != 0; + s->op.skip = (bio->bi_rw & REQ_DISCARD) != 0; + s->recoverable = 1; + s->start_time = jiffies; +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -781,6 +781,8 @@ static int bcache_device_init(struct bca + set_bit(QUEUE_FLAG_NONROT, &d->disk->queue->queue_flags); + set_bit(QUEUE_FLAG_DISCARD, &d->disk->queue->queue_flags); + ++ blk_queue_flush(q, REQ_FLUSH|REQ_FUA); ++ + return 0; + } + diff --git a/queue-3.10/bcache-fix-a-dumb-race.patch b/queue-3.10/bcache-fix-a-dumb-race.patch new file mode 100644 index 00000000000..9665d7532e0 --- /dev/null +++ b/queue-3.10/bcache-fix-a-dumb-race.patch @@ -0,0 +1,50 @@ +From 6aa8f1a6ca41c49721d2de4e048d3da8d06411f9 Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Wed, 10 Jul 2013 18:04:21 -0700 +Subject: bcache: Fix a dumb race + +From: Kent Overstreet + +commit 6aa8f1a6ca41c49721d2de4e048d3da8d06411f9 upstream. + +In the far-too-complicated closure code - closures can have destructors, +for probably dubious reasons; they get run after the closure is no +longer waiting on anything but before dropping the parent ref, intended +just for freeing whatever memory the closure is embedded in. + +Trouble is, when remaining goes to 0 and we've got nothing more to run - +we also have to unlock the closure, setting remaining to -1. If there's +a destructor, that unlock isn't doing anything - nobody could be trying +to lock it if we're about to free it - but if the unlock _is needed... +that check for a destructor was racy. Argh. + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/closure.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/bcache/closure.c ++++ b/drivers/md/bcache/closure.c +@@ -66,16 +66,18 @@ static inline void closure_put_after_sub + } else { + struct closure *parent = cl->parent; + struct closure_waitlist *wait = closure_waitlist(cl); ++ closure_fn *destructor = cl->fn; + + closure_debug_destroy(cl); + ++ smp_mb(); + atomic_set(&cl->remaining, -1); + + if (wait) + closure_wake_up(wait); + +- if (cl->fn) +- cl->fn(cl); ++ if (destructor) ++ destructor(cl); + + if (parent) + closure_put(parent); diff --git a/queue-3.10/bcache-fix-a-sysfs-splat-on-shutdown.patch b/queue-3.10/bcache-fix-a-sysfs-splat-on-shutdown.patch new file mode 100644 index 00000000000..772c47ddcd8 --- /dev/null +++ b/queue-3.10/bcache-fix-a-sysfs-splat-on-shutdown.patch @@ -0,0 +1,61 @@ +From c9502ea4424b31728703d113fc6b30bfead14633 Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Wed, 10 Jul 2013 21:25:02 -0700 +Subject: bcache: Fix a sysfs splat on shutdown + +From: Kent Overstreet + +commit c9502ea4424b31728703d113fc6b30bfead14633 upstream. + +If we stopped a bcache device when we were already detaching (or +something like that), bcache_device_unlink() would try to remove a +symlink from sysfs that was already gone because the bcache dev kobject +had already been removed from sysfs. + +So keep track of whether we've removed stuff from sysfs. + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/super.c | 11 ++++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -437,6 +437,7 @@ struct bcache_device { + + /* If nonzero, we're detaching/unregistering from cache set */ + atomic_t detaching; ++ int flush_done; + + atomic_long_t sectors_dirty; + unsigned long sectors_dirty_gc; +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -704,7 +704,8 @@ static void bcache_device_detach(struct + atomic_set(&d->detaching, 0); + } + +- bcache_device_unlink(d); ++ if (!d->flush_done) ++ bcache_device_unlink(d); + + d->c->devices[d->id] = NULL; + closure_put(&d->c->caching); +@@ -1016,6 +1017,14 @@ static void cached_dev_flush(struct clos + struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl); + struct bcache_device *d = &dc->disk; + ++ mutex_lock(&bch_register_lock); ++ d->flush_done = 1; ++ ++ if (d->c) ++ bcache_device_unlink(d); ++ ++ mutex_unlock(&bch_register_lock); ++ + bch_cache_accounting_destroy(&dc->accounting); + kobject_del(&d->kobj); + diff --git a/queue-3.10/bcache-fix-gc_sectors_used-calculation.patch b/queue-3.10/bcache-fix-gc_sectors_used-calculation.patch new file mode 100644 index 00000000000..2b2e0453163 --- /dev/null +++ b/queue-3.10/bcache-fix-gc_sectors_used-calculation.patch @@ -0,0 +1,38 @@ +From 29ebf465b9050f241c4433a796a32e6c896a9dcd Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Thu, 11 Jul 2013 19:43:21 -0700 +Subject: bcache: Fix GC_SECTORS_USED() calculation + +From: Kent Overstreet + +commit 29ebf465b9050f241c4433a796a32e6c896a9dcd upstream. + +Part of the job of garbage collection is to add up however many sectors +of live data it finds in each bucket, but that doesn't work very well if +it doesn't reset GC_SECTORS_USED() when it starts. Whoops. + +This wouldn't have broken anything horribly, but allocation tries to +preferentially reclaim buckets that are mostly empty and that's not +gonna work with an incorrect GC_SECTORS_USED() value. + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1419,8 +1419,10 @@ static void btree_gc_start(struct cache_ + for_each_cache(ca, c, i) + for_each_bucket(b, ca) { + b->gc_gen = b->gen; +- if (!atomic_read(&b->pin)) ++ if (!atomic_read(&b->pin)) { + SET_GC_MARK(b, GC_MARK_RECLAIMABLE); ++ SET_GC_SECTORS_USED(b, 0); ++ } + } + + for (d = c->devices; diff --git a/queue-3.10/bcache-journal-replay-fix.patch b/queue-3.10/bcache-journal-replay-fix.patch new file mode 100644 index 00000000000..de1623ae9be --- /dev/null +++ b/queue-3.10/bcache-journal-replay-fix.patch @@ -0,0 +1,46 @@ +From faa5673617656ee58369a3cfe4a312cfcdc59c81 Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Thu, 11 Jul 2013 22:42:14 -0700 +Subject: bcache: Journal replay fix + +From: Kent Overstreet + +commit faa5673617656ee58369a3cfe4a312cfcdc59c81 upstream. + +The journal replay code starts by finding something that looks like a +valid journal entry, then it does a binary search over the unchecked +region of the journal for the journal entries with the highest sequence +numbers. + +Trouble is, the logic was wrong - journal_read_bucket() returns true if +it found journal entries we need, but if the range of journal entries +we're looking for loops around the end of the journal - in that case +journal_read_bucket() could return true when it hadn't found the highest +sequence number we'd seen yet, and in that case the binary search did +the wrong thing. Whoops. + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/journal.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -182,9 +182,14 @@ bsearch: + pr_debug("starting binary search, l %u r %u", l, r); + + while (l + 1 < r) { ++ seq = list_entry(list->prev, struct journal_replay, ++ list)->j.seq; ++ + m = (l + r) >> 1; ++ read_bucket(m); + +- if (read_bucket(m)) ++ if (seq != list_entry(list->prev, struct journal_replay, ++ list)->j.seq) + l = m; + else + r = m; diff --git a/queue-3.10/bcache-shutdown-fix.patch b/queue-3.10/bcache-shutdown-fix.patch new file mode 100644 index 00000000000..3edff119b7e --- /dev/null +++ b/queue-3.10/bcache-shutdown-fix.patch @@ -0,0 +1,52 @@ +From 5caa52afc5abd1396e4af720469abb5843a71eb8 Mon Sep 17 00:00:00 2001 +From: Kent Overstreet +Date: Wed, 10 Jul 2013 21:03:25 -0700 +Subject: bcache: Shutdown fix + +From: Kent Overstreet + +commit 5caa52afc5abd1396e4af720469abb5843a71eb8 upstream. + +Stopping a cache set is supposed to make it stop attached backing +devices, but somewhere along the way that code got lost. Fixing this +mainly has the effect of fixing our reboot notifier. + +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1305,18 +1305,22 @@ static void cache_set_flush(struct closu + static void __cache_set_unregister(struct closure *cl) + { + struct cache_set *c = container_of(cl, struct cache_set, caching); +- struct cached_dev *dc, *t; ++ struct cached_dev *dc; + size_t i; + + mutex_lock(&bch_register_lock); + +- if (test_bit(CACHE_SET_UNREGISTERING, &c->flags)) +- list_for_each_entry_safe(dc, t, &c->cached_devs, list) +- bch_cached_dev_detach(dc); +- + for (i = 0; i < c->nr_uuids; i++) +- if (c->devices[i] && UUID_FLASH_ONLY(&c->uuids[i])) +- bcache_device_stop(c->devices[i]); ++ if (c->devices[i]) { ++ if (!UUID_FLASH_ONLY(&c->uuids[i]) && ++ test_bit(CACHE_SET_UNREGISTERING, &c->flags)) { ++ dc = container_of(c->devices[i], ++ struct cached_dev, disk); ++ bch_cached_dev_detach(dc); ++ } else { ++ bcache_device_stop(c->devices[i]); ++ } ++ } + + mutex_unlock(&bch_register_lock); + diff --git a/queue-3.10/edac-fix-lockdep-splat.patch b/queue-3.10/edac-fix-lockdep-splat.patch new file mode 100644 index 00000000000..d45ddb6726e --- /dev/null +++ b/queue-3.10/edac-fix-lockdep-splat.patch @@ -0,0 +1,219 @@ +From 88d84ac97378c2f1d5fec9af1e8b7d9a662d6b00 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Fri, 19 Jul 2013 12:28:25 +0200 +Subject: EDAC: Fix lockdep splat + +From: Borislav Petkov + +commit 88d84ac97378c2f1d5fec9af1e8b7d9a662d6b00 upstream. + +Fix the following: + +BUG: key ffff88043bdd0330 not in .data! +------------[ cut here ]------------ +WARNING: at kernel/lockdep.c:2987 lockdep_init_map+0x565/0x5a0() +DEBUG_LOCKS_WARN_ON(1) +Modules linked in: glue_helper sb_edac(+) edac_core snd acpi_cpufreq lrw gf128mul ablk_helper iTCO_wdt evdev i2c_i801 dcdbas button cryptd pcspkr iTCO_vendor_support usb_common lpc_ich mfd_core soundcore mperf processor microcode +CPU: 2 PID: 599 Comm: modprobe Not tainted 3.10.0 #1 +Hardware name: Dell Inc. Precision T3600/0PTTT9, BIOS A08 01/24/2013 + 0000000000000009 ffff880439a1d920 ffffffff8160a9a9 ffff880439a1d958 + ffffffff8103d9e0 ffff88043af4a510 ffffffff81a16e11 0000000000000000 + ffff88043bdd0330 0000000000000000 ffff880439a1d9b8 ffffffff8103dacc +Call Trace: + dump_stack + warn_slowpath_common + warn_slowpath_fmt + lockdep_init_map + ? trace_hardirqs_on_caller + ? trace_hardirqs_on + debug_mutex_init + __mutex_init + bus_register + edac_create_sysfs_mci_device + edac_mc_add_mc + sbridge_probe + pci_device_probe + driver_probe_device + __driver_attach + ? driver_probe_device + bus_for_each_dev + driver_attach + bus_add_driver + driver_register + __pci_register_driver + ? 0xffffffffa0010fff + sbridge_init + ? 0xffffffffa0010fff + do_one_initcall + load_module + ? unset_module_init_ro_nx + SyS_init_module + tracesys +---[ end trace d24a70b0d3ddf733 ]--- +EDAC MC0: Giving out device to 'sbridge_edac.c' 'Sandy Bridge Socket#0': DEV 0000:3f:0e.0 +EDAC sbridge: Driver loaded. + +What happens is that bus_register needs a statically allocated lock_key +because the last is handed in to lockdep. However, struct mem_ctl_info +embeds struct bus_type (the whole struct, not a pointer to it) and the +whole thing gets dynamically allocated. + +Fix this by using a statically allocated struct bus_type for the MC bus. + +Signed-off-by: Borislav Petkov +Acked-by: Mauro Carvalho Chehab +Cc: Markus Trippelsdorf +Signed-off-by: Tony Luck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/edac_mc.c | 9 +++++++++ + drivers/edac/edac_mc_sysfs.c | 28 +++++++++++++++------------- + drivers/edac/i5100_edac.c | 2 +- + include/linux/edac.h | 7 ++++++- + 4 files changed, 31 insertions(+), 15 deletions(-) + +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -48,6 +48,8 @@ static LIST_HEAD(mc_devices); + */ + static void const *edac_mc_owner; + ++static struct bus_type mc_bus[EDAC_MAX_MCS]; ++ + unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf, + unsigned len) + { +@@ -723,6 +725,11 @@ int edac_mc_add_mc(struct mem_ctl_info * + int ret = -EINVAL; + edac_dbg(0, "\n"); + ++ if (mci->mc_idx >= EDAC_MAX_MCS) { ++ pr_warn_once("Too many memory controllers: %d\n", mci->mc_idx); ++ return -ENODEV; ++ } ++ + #ifdef CONFIG_EDAC_DEBUG + if (edac_debug_level >= 3) + edac_mc_dump_mci(mci); +@@ -762,6 +769,8 @@ int edac_mc_add_mc(struct mem_ctl_info * + /* set load time so that error rate can be tracked */ + mci->start_time = jiffies; + ++ mci->bus = &mc_bus[mci->mc_idx]; ++ + if (edac_create_sysfs_mci_device(mci)) { + edac_mc_printk(mci, KERN_WARNING, + "failed to create sysfs device\n"); +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -370,7 +370,7 @@ static int edac_create_csrow_object(stru + return -ENODEV; + + csrow->dev.type = &csrow_attr_type; +- csrow->dev.bus = &mci->bus; ++ csrow->dev.bus = mci->bus; + device_initialize(&csrow->dev); + csrow->dev.parent = &mci->dev; + csrow->mci = mci; +@@ -605,7 +605,7 @@ static int edac_create_dimm_object(struc + dimm->mci = mci; + + dimm->dev.type = &dimm_attr_type; +- dimm->dev.bus = &mci->bus; ++ dimm->dev.bus = mci->bus; + device_initialize(&dimm->dev); + + dimm->dev.parent = &mci->dev; +@@ -975,11 +975,13 @@ int edac_create_sysfs_mci_device(struct + * The memory controller needs its own bus, in order to avoid + * namespace conflicts at /sys/bus/edac. + */ +- mci->bus.name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); +- if (!mci->bus.name) ++ mci->bus->name = kasprintf(GFP_KERNEL, "mc%d", mci->mc_idx); ++ if (!mci->bus->name) + return -ENOMEM; +- edac_dbg(0, "creating bus %s\n", mci->bus.name); +- err = bus_register(&mci->bus); ++ ++ edac_dbg(0, "creating bus %s\n", mci->bus->name); ++ ++ err = bus_register(mci->bus); + if (err < 0) + return err; + +@@ -988,7 +990,7 @@ int edac_create_sysfs_mci_device(struct + device_initialize(&mci->dev); + + mci->dev.parent = mci_pdev; +- mci->dev.bus = &mci->bus; ++ mci->dev.bus = mci->bus; + dev_set_name(&mci->dev, "mc%d", mci->mc_idx); + dev_set_drvdata(&mci->dev, mci); + pm_runtime_forbid(&mci->dev); +@@ -997,8 +999,8 @@ int edac_create_sysfs_mci_device(struct + err = device_add(&mci->dev); + if (err < 0) { + edac_dbg(1, "failure: create device %s\n", dev_name(&mci->dev)); +- bus_unregister(&mci->bus); +- kfree(mci->bus.name); ++ bus_unregister(mci->bus); ++ kfree(mci->bus->name); + return err; + } + +@@ -1064,8 +1066,8 @@ fail: + } + fail2: + device_unregister(&mci->dev); +- bus_unregister(&mci->bus); +- kfree(mci->bus.name); ++ bus_unregister(mci->bus); ++ kfree(mci->bus->name); + return err; + } + +@@ -1098,8 +1100,8 @@ void edac_unregister_sysfs(struct mem_ct + { + edac_dbg(1, "Unregistering device %s\n", dev_name(&mci->dev)); + device_unregister(&mci->dev); +- bus_unregister(&mci->bus); +- kfree(mci->bus.name); ++ bus_unregister(mci->bus); ++ kfree(mci->bus->name); + } + + static void mc_attr_release(struct device *dev) +--- a/drivers/edac/i5100_edac.c ++++ b/drivers/edac/i5100_edac.c +@@ -974,7 +974,7 @@ static int i5100_setup_debugfs(struct me + if (!i5100_debugfs) + return -ENODEV; + +- priv->debugfs = debugfs_create_dir(mci->bus.name, i5100_debugfs); ++ priv->debugfs = debugfs_create_dir(mci->bus->name, i5100_debugfs); + + if (!priv->debugfs) + return -ENOMEM; +--- a/include/linux/edac.h ++++ b/include/linux/edac.h +@@ -622,7 +622,7 @@ struct edac_raw_error_desc { + */ + struct mem_ctl_info { + struct device dev; +- struct bus_type bus; ++ struct bus_type *bus; + + struct list_head link; /* for global list of mem_ctl_info structs */ + +@@ -742,4 +742,9 @@ struct mem_ctl_info { + #endif + }; + ++/* ++ * Maximum number of memory controllers in the coherent fabric. ++ */ ++#define EDAC_MAX_MCS 16 ++ + #endif diff --git a/queue-3.10/fuse-readdirplus-fix-dentry-leak.patch b/queue-3.10/fuse-readdirplus-fix-dentry-leak.patch new file mode 100644 index 00000000000..a59a6c6b178 --- /dev/null +++ b/queue-3.10/fuse-readdirplus-fix-dentry-leak.patch @@ -0,0 +1,58 @@ +From 53ce9a3364de0723b27d861de93bfc882f7db050 Mon Sep 17 00:00:00 2001 +From: Niels de Vos +Date: Wed, 17 Jul 2013 14:53:53 +0200 +Subject: fuse: readdirplus: fix dentry leak + +From: Niels de Vos + +commit 53ce9a3364de0723b27d861de93bfc882f7db050 upstream. + +In case d_lookup() returns a dentry with d_inode == NULL, the dentry is not +returned with dput(). This results in triggering a BUG() in +shrink_dcache_for_umount_subtree(): + + BUG: Dentry ...{i=0,n=...} still in use (1) [unmount of fuse fuse] + +[SzM: need to d_drop() as well] + +Reported-by: Justin Clift +Signed-off-by: Niels de Vos +Signed-off-by: Miklos Szeredi +Tested-by: Brian Foster +Tested-by: Niels de Vos +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1229,9 +1229,15 @@ static int fuse_direntplus_link(struct f + + name.hash = full_name_hash(name.name, name.len); + dentry = d_lookup(parent, &name); +- if (dentry && dentry->d_inode) { ++ if (dentry) { + inode = dentry->d_inode; +- if (get_node_id(inode) == o->nodeid) { ++ if (!inode) { ++ d_drop(dentry); ++ } else if (get_node_id(inode) != o->nodeid) { ++ err = d_invalidate(dentry); ++ if (err) ++ goto out; ++ } else { + struct fuse_inode *fi; + fi = get_fuse_inode(inode); + spin_lock(&fc->lock); +@@ -1244,9 +1250,6 @@ static int fuse_direntplus_link(struct f + */ + goto found; + } +- err = d_invalidate(dentry); +- if (err) +- goto out; + dput(dentry); + dentry = NULL; + } diff --git a/queue-3.10/fuse-readdirplus-fix-instantiate.patch b/queue-3.10/fuse-readdirplus-fix-instantiate.patch new file mode 100644 index 00000000000..21a715e5b08 --- /dev/null +++ b/queue-3.10/fuse-readdirplus-fix-instantiate.patch @@ -0,0 +1,45 @@ +From 2914941e3178d84a216fc4eb85292dfef3b6d628 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 17 Jul 2013 14:53:53 +0200 +Subject: fuse: readdirplus: fix instantiate + +From: Miklos Szeredi + +commit 2914941e3178d84a216fc4eb85292dfef3b6d628 upstream. + +Fuse does instantiation slightly differently from NFS/CIFS which use +d_materialise_unique(). + +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1264,10 +1264,19 @@ static int fuse_direntplus_link(struct f + if (!inode) + goto out; + +- alias = d_materialise_unique(dentry, inode); +- err = PTR_ERR(alias); +- if (IS_ERR(alias)) +- goto out; ++ if (S_ISDIR(inode->i_mode)) { ++ mutex_lock(&fc->inst_mutex); ++ alias = fuse_d_add_directory(dentry, inode); ++ mutex_unlock(&fc->inst_mutex); ++ err = PTR_ERR(alias); ++ if (IS_ERR(alias)) { ++ iput(inode); ++ goto out; ++ } ++ } else { ++ alias = d_splice_alias(inode, dentry); ++ } ++ + if (alias) { + dput(dentry); + dentry = alias; diff --git a/queue-3.10/fuse-readdirplus-sanity-checks.patch b/queue-3.10/fuse-readdirplus-sanity-checks.patch new file mode 100644 index 00000000000..4b418a5e9ab --- /dev/null +++ b/queue-3.10/fuse-readdirplus-sanity-checks.patch @@ -0,0 +1,50 @@ +From a28ef45cbb1e7fadd5159deb17b02de15c6e4aaf Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 17 Jul 2013 14:53:53 +0200 +Subject: fuse: readdirplus: sanity checks + +From: Miklos Szeredi + +commit a28ef45cbb1e7fadd5159deb17b02de15c6e4aaf upstream. + +Add sanity checks before adding or updating an entry with data received +from readdirplus. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1225,6 +1225,12 @@ static int fuse_direntplus_link(struct f + if (name.name[1] == '.' && name.len == 2) + return 0; + } ++ ++ if (invalid_nodeid(o->nodeid)) ++ return -EIO; ++ if (!fuse_valid_type(o->attr.mode)) ++ return -EIO; ++ + fc = get_fuse_conn(dir); + + name.hash = full_name_hash(name.name, name.len); +@@ -1233,10 +1239,14 @@ static int fuse_direntplus_link(struct f + inode = dentry->d_inode; + if (!inode) { + d_drop(dentry); +- } else if (get_node_id(inode) != o->nodeid) { ++ } else if (get_node_id(inode) != o->nodeid || ++ ((o->attr.mode ^ inode->i_mode) & S_IFMT)) { + err = d_invalidate(dentry); + if (err) + goto out; ++ } else if (is_bad_inode(inode)) { ++ err = -EIO; ++ goto out; + } else { + struct fuse_inode *fi; + fi = get_fuse_inode(inode); diff --git a/queue-3.10/scsi-megaraid_sas-fix-memory-leak-if-sgl-has-zero-length-entries.patch b/queue-3.10/scsi-megaraid_sas-fix-memory-leak-if-sgl-has-zero-length-entries.patch new file mode 100644 index 00000000000..f6f877edbba --- /dev/null +++ b/queue-3.10/scsi-megaraid_sas-fix-memory-leak-if-sgl-has-zero-length-entries.patch @@ -0,0 +1,44 @@ +From 7a6a731bd00ca90d0e250867c3b9c05b5ff0fa49 Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Wed, 21 Nov 2012 09:54:48 +0100 +Subject: SCSI: megaraid_sas: fix memory leak if SGL has zero length entries + +From: Bjørn Mork + +commit 7a6a731bd00ca90d0e250867c3b9c05b5ff0fa49 upstream. + +commit 98cb7e44 ([SCSI] megaraid_sas: Sanity check user +supplied length before passing it to dma_alloc_coherent()) +introduced a memory leak. Memory allocated for entries +following zero length SGL entries will not be freed. + +Reference: http://bugs.debian.org/688198 + +Signed-off-by: Bjørn Mork +Acked-by: Adam Radford +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -4852,10 +4852,12 @@ megasas_mgmt_fw_ioctl(struct megasas_ins + sense, sense_handle); + } + +- for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) { +- dma_free_coherent(&instance->pdev->dev, +- kern_sge32[i].length, +- kbuff_arr[i], kern_sge32[i].phys_addr); ++ for (i = 0; i < ioc->sge_count; i++) { ++ if (kbuff_arr[i]) ++ dma_free_coherent(&instance->pdev->dev, ++ kern_sge32[i].length, ++ kbuff_arr[i], ++ kern_sge32[i].phys_addr); + } + + megasas_return_cmd(instance, cmd); diff --git a/queue-3.10/scsi-mpt3sas-fix-for-kernel-panic-when-driver-loads-with-hba-conected-to-non-lun-0-configured-expander.patch b/queue-3.10/scsi-mpt3sas-fix-for-kernel-panic-when-driver-loads-with-hba-conected-to-non-lun-0-configured-expander.patch new file mode 100644 index 00000000000..e6f860ea19a --- /dev/null +++ b/queue-3.10/scsi-mpt3sas-fix-for-kernel-panic-when-driver-loads-with-hba-conected-to-non-lun-0-configured-expander.patch @@ -0,0 +1,60 @@ +From b65cfedf4560af65305bd7b3b9f26c02c6fb3660 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Sat, 29 Jun 2013 03:52:03 +0530 +Subject: SCSI: mpt3sas: fix for kernel panic when driver loads with HBA conected to non LUN 0 configured expander + +From: Sreekanth Reddy + +commit b65cfedf4560af65305bd7b3b9f26c02c6fb3660 upstream. + +With some enclosures when LUN 0 is not created but LUN 1 or LUN X is created +then SCSI scan procedure calls target_alloc, slave_alloc call back functions +for LUN 0 and slave_destory() for same LUN 0. + +In these kind of cases within slave_destroy, pointer to scsi_target in +_sas_device structure is set to NULL, following which when slave_alloc for LUN +1 is called then starget would not be set properly for this LUN. So, +scsi_target pointer pointing to NULL value would lead to a crash later in the +discovery procedure. + +To solve this issue set the sas_device's scsi_target pointer to scsi_device's +scsi_target if it is NULL earlier in slave_alloc callback function. + +Signed-off-by: Sreekanth Reddy +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -1273,6 +1273,7 @@ _scsih_slave_alloc(struct scsi_device *s + struct MPT3SAS_DEVICE *sas_device_priv_data; + struct scsi_target *starget; + struct _raid_device *raid_device; ++ struct _sas_device *sas_device; + unsigned long flags; + + sas_device_priv_data = kzalloc(sizeof(struct scsi_device), GFP_KERNEL); +@@ -1301,6 +1302,19 @@ _scsih_slave_alloc(struct scsi_device *s + spin_unlock_irqrestore(&ioc->raid_device_lock, flags); + } + ++ if (!(sas_target_priv_data->flags & MPT_TARGET_FLAGS_VOLUME)) { ++ spin_lock_irqsave(&ioc->sas_device_lock, flags); ++ sas_device = mpt3sas_scsih_sas_device_find_by_sas_address(ioc, ++ sas_target_priv_data->sas_address); ++ if (sas_device && (sas_device->starget == NULL)) { ++ sdev_printk(KERN_INFO, sdev, ++ "%s : sas_device->starget set to starget @ %d\n", ++ __func__, __LINE__); ++ sas_device->starget = starget; ++ } ++ spin_unlock_irqrestore(&ioc->sas_device_lock, flags); ++ } ++ + return 0; + } + diff --git a/queue-3.10/scsi-mpt3sas-infinite-loops-can-occur-if-mpi2_iocstatus_config_invalid_page-is-not-returned.patch b/queue-3.10/scsi-mpt3sas-infinite-loops-can-occur-if-mpi2_iocstatus_config_invalid_page-is-not-returned.patch new file mode 100644 index 00000000000..149c26a50fb --- /dev/null +++ b/queue-3.10/scsi-mpt3sas-infinite-loops-can-occur-if-mpi2_iocstatus_config_invalid_page-is-not-returned.patch @@ -0,0 +1,101 @@ +From 14be49ac965ebd3f8561d57e01ddb22f93f9b454 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Sat, 29 Jun 2013 03:53:02 +0530 +Subject: SCSI: mpt3sas: Infinite loops can occur if MPI2_IOCSTATUS_CONFIG_INVALID_PAGE is not returned + +From: Sreekanth Reddy + +commit 14be49ac965ebd3f8561d57e01ddb22f93f9b454 upstream. + +Infinite loop can occur if IOCStatus is not equal to +MPI2_IOCSTATUS_CONFIG_INVALID_PAGE value in the while loops in functions +_scsih_search_responding_sas_devices, +_scsih_search_responding_raid_devices and +_scsih_search_responding_expanders + +So, Instead of checking for MPI2_IOCSTATUS_CONFIG_INVALID_PAGE value, +in this patch code is modified to check for IOCStatus not equals to +MPI2_IOCSTATUS_SUCCESS to break the while loop. + +Signed-off-by: Sreekanth Reddy +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -6392,7 +6392,7 @@ _scsih_search_responding_sas_devices(str + handle))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) ++ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) + break; + handle = le16_to_cpu(sas_device_pg0.DevHandle); + device_info = le32_to_cpu(sas_device_pg0.DeviceInfo); +@@ -6494,7 +6494,7 @@ _scsih_search_responding_raid_devices(st + &volume_pg1, MPI2_RAID_VOLUME_PGAD_FORM_GET_NEXT_HANDLE, handle))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) ++ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) + break; + handle = le16_to_cpu(volume_pg1.DevHandle); + +@@ -6518,7 +6518,7 @@ _scsih_search_responding_raid_devices(st + phys_disk_num))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) ++ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) + break; + phys_disk_num = pd_pg0.PhysDiskNum; + handle = le16_to_cpu(pd_pg0.DevHandle); +@@ -6597,7 +6597,7 @@ _scsih_search_responding_expanders(struc + + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) ++ if (ioc_status != MPI2_IOCSTATUS_SUCCESS) + break; + + handle = le16_to_cpu(expander_pg0.DevHandle); +@@ -6742,8 +6742,6 @@ _scsih_scan_for_devices_after_reset(stru + MPI2_SAS_EXPAND_PGAD_FORM_GET_NEXT_HNDL, handle))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) +- break; + if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { + pr_info(MPT3SAS_FMT "\tbreak from expander scan: " \ + "ioc_status(0x%04x), loginfo(0x%08x)\n", +@@ -6787,8 +6785,6 @@ _scsih_scan_for_devices_after_reset(stru + phys_disk_num))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) +- break; + if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { + pr_info(MPT3SAS_FMT "\tbreak from phys disk scan: "\ + "ioc_status(0x%04x), loginfo(0x%08x)\n", +@@ -6854,8 +6850,6 @@ _scsih_scan_for_devices_after_reset(stru + &volume_pg1, MPI2_RAID_VOLUME_PGAD_FORM_GET_NEXT_HANDLE, handle))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) +- break; + if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { + pr_info(MPT3SAS_FMT "\tbreak from volume scan: " \ + "ioc_status(0x%04x), loginfo(0x%08x)\n", +@@ -6914,8 +6908,6 @@ _scsih_scan_for_devices_after_reset(stru + handle))) { + ioc_status = le16_to_cpu(mpi_reply.IOCStatus) & + MPI2_IOCSTATUS_MASK; +- if (ioc_status == MPI2_IOCSTATUS_CONFIG_INVALID_PAGE) +- break; + if (ioc_status != MPI2_IOCSTATUS_SUCCESS) { + pr_info(MPT3SAS_FMT "\tbreak from end device scan:"\ + " ioc_status(0x%04x), loginfo(0x%08x)\n", diff --git a/queue-3.10/series b/queue-3.10/series index 148e28737b1..0b3e471d33d 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -42,3 +42,16 @@ vlan-mask-vlan-prio-bits.patch vlan-fix-a-race-in-egress-prio-management.patch mips-oceton-fix-build-error.patch rapidio-idt_gen2-fix-build-error.patch +fuse-readdirplus-fix-dentry-leak.patch +fuse-readdirplus-fix-instantiate.patch +fuse-readdirplus-sanity-checks.patch +bcache-fix-a-dumb-race.patch +bcache-advertise-that-flushes-are-supported.patch +bcache-shutdown-fix.patch +bcache-fix-a-sysfs-splat-on-shutdown.patch +bcache-fix-gc_sectors_used-calculation.patch +bcache-journal-replay-fix.patch +edac-fix-lockdep-splat.patch +scsi-mpt3sas-infinite-loops-can-occur-if-mpi2_iocstatus_config_invalid_page-is-not-returned.patch +scsi-mpt3sas-fix-for-kernel-panic-when-driver-loads-with-hba-conected-to-non-lun-0-configured-expander.patch +scsi-megaraid_sas-fix-memory-leak-if-sgl-has-zero-length-entries.patch