From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 11 Mar 2015 14:31:30 +0000 (+0100)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.72~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5623a7f41f7478782b5b3869759dd14d7ca9fae1;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	target-add-missing-write_same-end-of-device-sanity-check.patch
	target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch
	target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch
---

diff --git a/queue-3.14/series b/queue-3.14/series
index d9d466d054b..9401f847950 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -25,3 +25,6 @@ mm-memory.c-actually-remap-enough-memory.patch
 drm-radeon-only-enable-kv-kb-dpm-interrupts-once-v3.patch
 drm-radeon-workaround-for-cp-hw-bug-on-cik.patch
 drm-radeon-fix-voltage-setup-on-hawaii.patch
+target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch
+target-add-missing-write_same-end-of-device-sanity-check.patch
+target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch
diff --git a/queue-3.14/target-add-missing-write_same-end-of-device-sanity-check.patch b/queue-3.14/target-add-missing-write_same-end-of-device-sanity-check.patch
new file mode 100644
index 00000000000..e27147308e4
--- /dev/null
+++ b/queue-3.14/target-add-missing-write_same-end-of-device-sanity-check.patch
@@ -0,0 +1,53 @@
+From 8e575c50a171f2579e367a7f778f86477dfdaf49 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 13 Feb 2015 22:09:47 +0000
+Subject: target: Add missing WRITE_SAME end-of-device sanity check
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 8e575c50a171f2579e367a7f778f86477dfdaf49 upstream.
+
+This patch adds a check to sbc_setup_write_same() to verify
+the incoming WRITE_SAME LBA + number of blocks does not exceed
+past the end-of-device.
+
+Also check for potential LBA wrap-around as well.
+
+Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Cc: Martin Petersen <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_sbc.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -266,6 +266,8 @@ static inline unsigned long long transpo
+ static sense_reason_t
+ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
+ {
++	struct se_device *dev = cmd->se_dev;
++	sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ 	unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ 
+ 	if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
+@@ -279,6 +281,16 @@ sbc_setup_write_same(struct se_cmd *cmd,
+ 			sectors, cmd->se_dev->dev_attrib.max_write_same_len);
+ 		return TCM_INVALID_CDB_FIELD;
+ 	}
++	/*
++	 * Sanity check for LBA wrap and request past end of device.
++	 */
++	if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
++	    ((cmd->t_task_lba + sectors) > end_lba)) {
++		pr_err("WRITE_SAME exceeds last lba %llu (lba %llu, sectors %u)\n",
++		       (unsigned long long)end_lba, cmd->t_task_lba, sectors);
++		return TCM_ADDRESS_OUT_OF_RANGE;
++	}
++
+ 	/* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+ 	if (flags[0] & 0x10) {
+ 		pr_warn("WRITE SAME with ANCHOR not supported\n");
diff --git a/queue-3.14/target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch b/queue-3.14/target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch
new file mode 100644
index 00000000000..67e2482b8a7
--- /dev/null
+++ b/queue-3.14/target-check-for-lba-sectors-wrap-around-in-sbc_parse_cdb.patch
@@ -0,0 +1,34 @@
+From aa179935edea9a64dec4b757090c8106a3907ffa Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 13 Feb 2015 22:27:40 +0000
+Subject: target: Check for LBA + sectors wrap-around in sbc_parse_cdb
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit aa179935edea9a64dec4b757090c8106a3907ffa upstream.
+
+This patch adds a check to sbc_parse_cdb() in order to detect when
+an LBA + sector vs. end-of-device calculation wraps when the LBA is
+sufficently large enough (eg: 0xFFFFFFFFFFFFFFFF).
+
+Cc: Martin Petersen <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_sbc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -923,7 +923,8 @@ sbc_parse_cdb(struct se_cmd *cmd, struct
+ 		unsigned long long end_lba;
+ 
+ 		end_lba = dev->transport->get_blocks(dev) + 1;
+-		if (cmd->t_task_lba + sectors > end_lba) {
++		if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
++		    ((cmd->t_task_lba + sectors) > end_lba)) {
+ 			pr_err("cmd exceeds last lba %llu "
+ 				"(lba %llu, sectors %u)\n",
+ 				end_lba, cmd->t_task_lba, sectors);
diff --git a/queue-3.14/target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch b/queue-3.14/target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch
new file mode 100644
index 00000000000..91da043d42a
--- /dev/null
+++ b/queue-3.14/target-fix-pr_aptpl_buf_len-buffer-size-limitation.patch
@@ -0,0 +1,109 @@
+From f161d4b44d7cc1dc66b53365215227db356378b1 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 11 Feb 2015 18:34:40 -0800
+Subject: target: Fix PR_APTPL_BUF_LEN buffer size limitation
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit f161d4b44d7cc1dc66b53365215227db356378b1 upstream.
+
+This patch addresses the original PR_APTPL_BUF_LEN = 8k limitiation
+for write-out of PR APTPL metadata that Martin has recently been
+running into.
+
+It changes core_scsi3_update_and_write_aptpl() to use vzalloc'ed
+memory instead of kzalloc, and increases the default hardcoded
+length to 256k.
+
+It also adds logic in core_scsi3_update_and_write_aptpl() to double
+the original length upon core_scsi3_update_aptpl_buf() failure, and
+retries until the vzalloc'ed buffer is large enough to accommodate
+the outgoing APTPL metadata.
+
+Reported-by: Martin Svec <martin.svec@zoner.cz>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pr.c   |   25 +++++++++++++------------
+ include/target/target_core_base.h |    2 +-
+ 2 files changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1877,8 +1877,8 @@ static int core_scsi3_update_aptpl_buf(
+ 		}
+ 
+ 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
+-			pr_err("Unable to update renaming"
+-				" APTPL metadata\n");
++			pr_err("Unable to update renaming APTPL metadata,"
++			       " reallocating larger buffer\n");
+ 			ret = -EMSGSIZE;
+ 			goto out;
+ 		}
+@@ -1895,8 +1895,8 @@ static int core_scsi3_update_aptpl_buf(
+ 			lun->lun_sep->sep_rtpi, lun->unpacked_lun, reg_count);
+ 
+ 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
+-			pr_err("Unable to update renaming"
+-				" APTPL metadata\n");
++			pr_err("Unable to update renaming APTPL metadata,"
++			       " reallocating larger buffer\n");
+ 			ret = -EMSGSIZE;
+ 			goto out;
+ 		}
+@@ -1959,7 +1959,7 @@ static int __core_scsi3_write_aptpl_to_f
+ static sense_reason_t core_scsi3_update_and_write_aptpl(struct se_device *dev, bool aptpl)
+ {
+ 	unsigned char *buf;
+-	int rc;
++	int rc, len = PR_APTPL_BUF_LEN;
+ 
+ 	if (!aptpl) {
+ 		char *null_buf = "No Registrations or Reservations\n";
+@@ -1973,25 +1973,26 @@ static sense_reason_t core_scsi3_update_
+ 
+ 		return 0;
+ 	}
+-
+-	buf = kzalloc(PR_APTPL_BUF_LEN, GFP_KERNEL);
++retry:
++	buf = vzalloc(len);
+ 	if (!buf)
+ 		return TCM_OUT_OF_RESOURCES;
+ 
+-	rc = core_scsi3_update_aptpl_buf(dev, buf, PR_APTPL_BUF_LEN);
++	rc = core_scsi3_update_aptpl_buf(dev, buf, len);
+ 	if (rc < 0) {
+-		kfree(buf);
+-		return TCM_OUT_OF_RESOURCES;
++		vfree(buf);
++		len *= 2;
++		goto retry;
+ 	}
+ 
+ 	rc = __core_scsi3_write_aptpl_to_file(dev, buf);
+ 	if (rc != 0) {
+ 		pr_err("SPC-3 PR: Could not update APTPL\n");
+-		kfree(buf);
++		vfree(buf);
+ 		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ 	}
+ 	dev->t10_pr.pr_aptpl_active = 1;
+-	kfree(buf);
++	vfree(buf);
+ 	pr_debug("SPC-3 PR: Set APTPL Bit Activated\n");
+ 	return 0;
+ }
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -407,7 +407,7 @@ struct t10_reservation {
+ 	/* Activate Persistence across Target Power Loss enabled
+ 	 * for SCSI device */
+ 	int pr_aptpl_active;
+-#define PR_APTPL_BUF_LEN			8192
++#define PR_APTPL_BUF_LEN			262144
+ 	u32 pr_generation;
+ 	spinlock_t registration_lock;
+ 	spinlock_t aptpl_reg_lock;