From: Greg Kroah-Hartman Date: Wed, 26 Oct 2016 11:59:24 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.8.5~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6e1f88f783c948213587bc3fb6c47bfc8da55b06;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch ceph-fix-error-handling-in-ceph_read_iter.patch ext4-do-not-advertise-encryption-support-when-disabled.patch isofs-do-not-return-eacces-for-unknown-filesystems.patch jbd2-fix-incorrect-unlock-on-j_list_lock.patch memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch mmc-core-annotate-cmd_hdr-as-__le32.patch mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch ubifs-abort-readdir-upon-error.patch ubifs-fix-xattr_names-length-in-exit-paths.patch --- diff --git a/queue-4.4/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch b/queue-4.4/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch new file mode 100644 index 00000000000..f9e002aaa74 --- /dev/null +++ b/queue-4.4/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch @@ -0,0 +1,40 @@ +From 850540351bb1a4fa5f192e5ce55b89928cc57f42 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 17 Oct 2016 13:47:34 +0100 +Subject: arm64: kernel: Init MDCR_EL2 even in the absence of a PMU + +From: Marc Zyngier + +commit 850540351bb1a4fa5f192e5ce55b89928cc57f42 upstream. + +Commit f436b2ac90a0 ("arm64: kernel: fix architected PMU registers +unconditional access") made sure we wouldn't access unimplemented +PMU registers, but also left MDCR_EL2 uninitialized in that case, +leading to trap bits being potentially left set. + +Make sure we always write something in that register. + +Fixes: f436b2ac90a0 ("arm64: kernel: fix architected PMU registers unconditional access") +Cc: Lorenzo Pieralisi +Cc: Will Deacon +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/head.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -518,8 +518,9 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // C + b.lt 4f // Skip if no PMU present + mrs x0, pmcr_el0 // Disable debug access traps + ubfx x0, x0, #11, #5 // to EL2 and allow access to +- msr mdcr_el2, x0 // all PMU counters from EL1 + 4: ++ csel x0, xzr, x0, lt // all PMU counters from EL1 ++ msr mdcr_el2, x0 // (if they exist) + + /* Stage-2 translation */ + msr vttbr_el2, xzr diff --git a/queue-4.4/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch b/queue-4.4/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch new file mode 100644 index 00000000000..f2e6a06ef78 --- /dev/null +++ b/queue-4.4/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch @@ -0,0 +1,181 @@ +From 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 4 Jul 2016 17:44:48 +0100 +Subject: arm64: percpu: rewrite ll/sc loops in assembly + +From: Will Deacon + +commit 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 upstream. + +Writing the outer loop of an LL/SC sequence using do {...} while +constructs potentially allows the compiler to hoist memory accesses +between the STXR and the branch back to the LDXR. On CPUs that do not +guarantee forward progress of LL/SC loops when faced with memory +accesses to the same ERG (up to 2k) between the failed STXR and the +branch back, we may end up livelocking. + +This patch avoids this issue in our percpu atomics by rewriting the +outer loop as part of the LL/SC inline assembly block. + +Fixes: f97fc810798c ("arm64: percpu: Implement this_cpu operations") +Reviewed-by: Mark Rutland +Tested-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/percpu.h | 120 ++++++++++++++++++---------------------- + 1 file changed, 56 insertions(+), 64 deletions(-) + +--- a/arch/arm64/include/asm/percpu.h ++++ b/arch/arm64/include/asm/percpu.h +@@ -44,48 +44,44 @@ static inline unsigned long __percpu_##o + \ + switch (size) { \ + case 1: \ +- do { \ +- asm ("//__per_cpu_" #op "_1\n" \ +- "ldxrb %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_1\n" \ ++ "1: ldxrb %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxrb %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u8 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxrb %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u8 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 2: \ +- do { \ +- asm ("//__per_cpu_" #op "_2\n" \ +- "ldxrh %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_2\n" \ ++ "1: ldxrh %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxrh %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u16 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxrh %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u16 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 4: \ +- do { \ +- asm ("//__per_cpu_" #op "_4\n" \ +- "ldxr %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_4\n" \ ++ "1: ldxr %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxr %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u32 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxr %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u32 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 8: \ +- do { \ +- asm ("//__per_cpu_" #op "_8\n" \ +- "ldxr %[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_8\n" \ ++ "1: ldxr %[ret], %[ptr]\n" \ + #asm_op " %[ret], %[ret], %[val]\n" \ +- "stxr %w[loop], %[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u64 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxr %w[loop], %[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u64 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + default: \ + BUILD_BUG(); \ +@@ -150,44 +146,40 @@ static inline unsigned long __percpu_xch + + switch (size) { + case 1: +- do { +- asm ("//__percpu_xchg_1\n" +- "ldxrb %w[ret], %[ptr]\n" +- "stxrb %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u8 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_1\n" ++ "1: ldxrb %w[ret], %[ptr]\n" ++ " stxrb %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u8 *)ptr) ++ : [val] "r" (val)); + break; + case 2: +- do { +- asm ("//__percpu_xchg_2\n" +- "ldxrh %w[ret], %[ptr]\n" +- "stxrh %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u16 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_2\n" ++ "1: ldxrh %w[ret], %[ptr]\n" ++ " stxrh %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u16 *)ptr) ++ : [val] "r" (val)); + break; + case 4: +- do { +- asm ("//__percpu_xchg_4\n" +- "ldxr %w[ret], %[ptr]\n" +- "stxr %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u32 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_4\n" ++ "1: ldxr %w[ret], %[ptr]\n" ++ " stxr %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u32 *)ptr) ++ : [val] "r" (val)); + break; + case 8: +- do { +- asm ("//__percpu_xchg_8\n" +- "ldxr %[ret], %[ptr]\n" +- "stxr %w[loop], %[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u64 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_8\n" ++ "1: ldxr %[ret], %[ptr]\n" ++ " stxr %w[loop], %[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u64 *)ptr) ++ : [val] "r" (val)); + break; + default: + BUILD_BUG(); diff --git a/queue-4.4/ceph-fix-error-handling-in-ceph_read_iter.patch b/queue-4.4/ceph-fix-error-handling-in-ceph_read_iter.patch new file mode 100644 index 00000000000..5219eafa781 --- /dev/null +++ b/queue-4.4/ceph-fix-error-handling-in-ceph_read_iter.patch @@ -0,0 +1,38 @@ +From 0d7718f666be181fda1ba2d08f137d87c1419347 Mon Sep 17 00:00:00 2001 +From: Nikolay Borisov +Date: Mon, 10 Oct 2016 15:38:18 +0300 +Subject: ceph: fix error handling in ceph_read_iter + +From: Nikolay Borisov + +commit 0d7718f666be181fda1ba2d08f137d87c1419347 upstream. + +In case __ceph_do_getattr returns an error and the retry_op in +ceph_read_iter is not READ_INLINE, then it's possible to invoke +__free_page on a page which is NULL, this naturally leads to a crash. +This can happen when, for example, a process waiting on a MDS reply +receives sigterm. + +Fix this by explicitly checking whether the page is set or not. + +Signed-off-by: Nikolay Borisov +Reviewed-by: Yan, Zheng +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -929,7 +929,8 @@ again: + statret = __ceph_do_getattr(inode, page, + CEPH_STAT_CAP_INLINE_DATA, !!page); + if (statret < 0) { +- __free_page(page); ++ if (page) ++ __free_page(page); + if (statret == -ENODATA) { + BUG_ON(retry_op != READ_INLINE); + goto again; diff --git a/queue-4.4/ext4-do-not-advertise-encryption-support-when-disabled.patch b/queue-4.4/ext4-do-not-advertise-encryption-support-when-disabled.patch new file mode 100644 index 00000000000..e4630769a31 --- /dev/null +++ b/queue-4.4/ext4-do-not-advertise-encryption-support-when-disabled.patch @@ -0,0 +1,47 @@ +From c4704a4fbe834eee4109ca064131d440941f6235 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 12 Oct 2016 23:24:51 -0400 +Subject: ext4: do not advertise encryption support when disabled + +From: Eric Biggers + +commit c4704a4fbe834eee4109ca064131d440941f6235 upstream. + +The sysfs file /sys/fs/ext4/features/encryption was present on kernels +compiled with CONFIG_EXT4_FS_ENCRYPTION=n. This was misleading because +such kernels do not actually support ext4 encryption. Therefore, only +provide this file on kernels compiled with CONFIG_EXT4_FS_ENCRYPTION=y. + +Note: since the ext4 feature files are all hardcoded to have a contents +of "supported", it really is the presence or absence of the file that is +significant, not the contents (and this change reflects that). + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/sysfs.c ++++ b/fs/ext4/sysfs.c +@@ -223,14 +223,18 @@ static struct attribute *ext4_attrs[] = + EXT4_ATTR_FEATURE(lazy_itable_init); + EXT4_ATTR_FEATURE(batched_discard); + EXT4_ATTR_FEATURE(meta_bg_resize); ++#ifdef CONFIG_EXT4_FS_ENCRYPTION + EXT4_ATTR_FEATURE(encryption); ++#endif + EXT4_ATTR_FEATURE(metadata_csum_seed); + + static struct attribute *ext4_feat_attrs[] = { + ATTR_LIST(lazy_itable_init), + ATTR_LIST(batched_discard), + ATTR_LIST(meta_bg_resize), ++#ifdef CONFIG_EXT4_FS_ENCRYPTION + ATTR_LIST(encryption), ++#endif + ATTR_LIST(metadata_csum_seed), + NULL, + }; diff --git a/queue-4.4/isofs-do-not-return-eacces-for-unknown-filesystems.patch b/queue-4.4/isofs-do-not-return-eacces-for-unknown-filesystems.patch new file mode 100644 index 00000000000..9d4fd80fbe4 --- /dev/null +++ b/queue-4.4/isofs-do-not-return-eacces-for-unknown-filesystems.patch @@ -0,0 +1,51 @@ +From a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 4 Oct 2016 13:44:06 +0200 +Subject: isofs: Do not return EACCES for unknown filesystems + +From: Jan Kara + +commit a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a upstream. + +When isofs_mount() is called to mount a device read-write, it returns +EACCES even before it checks that the device actually contains an isofs +filesystem. This may confuse mount(8) which then tries to mount all +subsequent filesystem types in read-only mode. + +Fix the problem by returning EACCES only once we verify that the device +indeed contains an iso9660 filesystem. + +Fixes: 17b7f7cf58926844e1dd40f5eb5348d481deca6a +Reported-by: Kent Overstreet +Reported-by: Karel Zak +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/isofs/inode.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -690,6 +690,11 @@ static int isofs_fill_super(struct super + pri_bh = NULL; + + root_found: ++ /* We don't support read-write mounts */ ++ if (!(s->s_flags & MS_RDONLY)) { ++ error = -EACCES; ++ goto out_freebh; ++ } + + if (joliet_level && (pri == NULL || !opt.rock)) { + /* This is the case of Joliet with the norock mount flag. +@@ -1503,9 +1508,6 @@ struct inode *__isofs_iget(struct super_ + static struct dentry *isofs_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + { +- /* We don't support read-write mounts */ +- if (!(flags & MS_RDONLY)) +- return ERR_PTR(-EACCES); + return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super); + } + diff --git a/queue-4.4/jbd2-fix-incorrect-unlock-on-j_list_lock.patch b/queue-4.4/jbd2-fix-incorrect-unlock-on-j_list_lock.patch new file mode 100644 index 00000000000..03768d061b3 --- /dev/null +++ b/queue-4.4/jbd2-fix-incorrect-unlock-on-j_list_lock.patch @@ -0,0 +1,47 @@ +From 559cce698eaf4ccecb2213b2519ea3a0413e5155 Mon Sep 17 00:00:00 2001 +From: Taesoo Kim +Date: Wed, 12 Oct 2016 23:19:18 -0400 +Subject: jbd2: fix incorrect unlock on j_list_lock + +From: Taesoo Kim + +commit 559cce698eaf4ccecb2213b2519ea3a0413e5155 upstream. + +When 'jh->b_transaction == transaction' (asserted by below) + + J_ASSERT_JH(jh, (jh->b_transaction == transaction || ... + +'journal->j_list_lock' will be incorrectly unlocked, since +the the lock is aquired only at the end of if / else-if +statements (missing the else case). + +Signed-off-by: Taesoo Kim +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Fixes: 6e4862a5bb9d12be87e4ea5d9a60836ebed71d28 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1156,6 +1156,7 @@ int jbd2_journal_get_create_access(handl + JBUFFER_TRACE(jh, "file as BJ_Reserved"); + spin_lock(&journal->j_list_lock); + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved); ++ spin_unlock(&journal->j_list_lock); + } else if (jh->b_transaction == journal->j_committing_transaction) { + /* first access by this transaction */ + jh->b_modified = 0; +@@ -1163,8 +1164,8 @@ int jbd2_journal_get_create_access(handl + JBUFFER_TRACE(jh, "set next transaction"); + spin_lock(&journal->j_list_lock); + jh->b_next_transaction = transaction; ++ spin_unlock(&journal->j_list_lock); + } +- spin_unlock(&journal->j_list_lock); + jbd_unlock_bh_state(bh); + + /* diff --git a/queue-4.4/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch b/queue-4.4/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch new file mode 100644 index 00000000000..97bf44ecd6d --- /dev/null +++ b/queue-4.4/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch @@ -0,0 +1,60 @@ +From 9158cb29e7c2f10dd325eb1589f0fe745a271257 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Wed, 28 Sep 2016 11:33:28 -0700 +Subject: memstick: rtsx_usb_ms: Manage runtime PM when accessing the device + +From: Ulf Hansson + +commit 9158cb29e7c2f10dd325eb1589f0fe745a271257 upstream. + +Accesses to the rtsx usb device, which is the parent of the rtsx memstick +device, must not be done unless it's runtime resumed. This is currently not +the case and it could trigger various errors. + +Fix this by properly deal with runtime PM in this regards. This means +making sure the device is runtime resumed, when serving requests via the +->request() callback or changing settings via the ->set_param() callbacks. + +Cc: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/rtsx_usb_ms.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/memstick/host/rtsx_usb_ms.c ++++ b/drivers/memstick/host/rtsx_usb_ms.c +@@ -524,6 +524,7 @@ static void rtsx_usb_ms_handle_req(struc + int rc; + + if (!host->req) { ++ pm_runtime_get_sync(ms_dev(host)); + do { + rc = memstick_next_req(msh, &host->req); + dev_dbg(ms_dev(host), "next req %d\n", rc); +@@ -544,6 +545,7 @@ static void rtsx_usb_ms_handle_req(struc + host->req->error); + } + } while (!rc); ++ pm_runtime_put(ms_dev(host)); + } + + } +@@ -570,6 +572,7 @@ static int rtsx_usb_ms_set_param(struct + dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n", + __func__, param, value); + ++ pm_runtime_get_sync(ms_dev(host)); + mutex_lock(&ucr->dev_mutex); + + err = rtsx_usb_card_exclusive_check(ucr, RTSX_USB_MS_CARD); +@@ -635,6 +638,7 @@ static int rtsx_usb_ms_set_param(struct + } + out: + mutex_unlock(&ucr->dev_mutex); ++ pm_runtime_put(ms_dev(host)); + + /* power-on delay */ + if (param == MEMSTICK_POWER && value == MEMSTICK_POWER_ON) diff --git a/queue-4.4/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch b/queue-4.4/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch new file mode 100644 index 00000000000..062c109c81f --- /dev/null +++ b/queue-4.4/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch @@ -0,0 +1,44 @@ +From 796aa46adf1d90eab36ae06a42e6d3f10b28a75c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 26 Sep 2016 15:45:41 -0700 +Subject: memstick: rtsx_usb_ms: Runtime resume the device when polling for cards + +From: Alan Stern + +commit 796aa46adf1d90eab36ae06a42e6d3f10b28a75c upstream. + +Accesses to the rtsx usb device, which is the parent of the rtsx memstick +device, must not be done unless it's runtime resumed. + +Therefore when the rtsx_usb_ms driver polls for inserted memstick cards, +let's add pm_runtime_get|put*() to make sure accesses is done when the +rtsx usb device is runtime resumed. + +Reported-by: Ritesh Raj Sarraf +Tested-by: Ritesh Raj Sarraf +Signed-off-by: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/rtsx_usb_ms.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/memstick/host/rtsx_usb_ms.c ++++ b/drivers/memstick/host/rtsx_usb_ms.c +@@ -681,6 +681,7 @@ static int rtsx_usb_detect_ms_card(void + int err; + + for (;;) { ++ pm_runtime_get_sync(ms_dev(host)); + mutex_lock(&ucr->dev_mutex); + + /* Check pending MS card changes */ +@@ -703,6 +704,7 @@ static int rtsx_usb_detect_ms_card(void + } + + poll_again: ++ pm_runtime_put(ms_dev(host)); + if (host->eject) + break; + diff --git a/queue-4.4/mmc-core-annotate-cmd_hdr-as-__le32.patch b/queue-4.4/mmc-core-annotate-cmd_hdr-as-__le32.patch new file mode 100644 index 00000000000..168f86db7cd --- /dev/null +++ b/queue-4.4/mmc-core-annotate-cmd_hdr-as-__le32.patch @@ -0,0 +1,53 @@ +From 3f2d26643595973e835e8356ea90c7c15cb1b0f1 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 3 Oct 2016 10:58:28 +0200 +Subject: mmc: core: Annotate cmd_hdr as __le32 + +From: Jiri Slaby + +commit 3f2d26643595973e835e8356ea90c7c15cb1b0f1 upstream. + +Commit f68381a70bb2 (mmc: block: fix packed command header endianness) +correctly fixed endianness handling of packed_cmd_hdr in +mmc_blk_packed_hdr_wrq_prep. + +But now, sparse complains about incorrect types: +drivers/mmc/card/block.c:1613:27: sparse: incorrect type in assignment (different base types) +drivers/mmc/card/block.c:1613:27: expected unsigned int [unsigned] [usertype] +drivers/mmc/card/block.c:1613:27: got restricted __le32 [usertype] +... + +So annotate cmd_hdr properly using __le32 to make everyone happy. + +Signed-off-by: Jiri Slaby +Fixes: f68381a70bb2 (mmc: block: fix packed command header endianness) +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/card/block.c | 2 +- + drivers/mmc/card/queue.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -1755,7 +1755,7 @@ static void mmc_blk_packed_hdr_wrq_prep( + struct mmc_blk_data *md = mq->data; + struct mmc_packed *packed = mqrq->packed; + bool do_rel_wr, do_data_tag; +- u32 *packed_cmd_hdr; ++ __le32 *packed_cmd_hdr; + u8 hdr_blocks; + u8 i = 1; + +--- a/drivers/mmc/card/queue.h ++++ b/drivers/mmc/card/queue.h +@@ -25,7 +25,7 @@ enum mmc_packed_type { + + struct mmc_packed { + struct list_head list; +- u32 cmd_hdr[1024]; ++ __le32 cmd_hdr[1024]; + unsigned int blocks; + u8 nr_entries; + u8 retries; diff --git a/queue-4.4/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch b/queue-4.4/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch new file mode 100644 index 00000000000..f14d1edcb2a --- /dev/null +++ b/queue-4.4/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch @@ -0,0 +1,36 @@ +From 31cf742f515c275d22843c4c756e048d2b6d716c Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 27 Sep 2016 08:44:33 -0700 +Subject: mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused + +From: Ulf Hansson + +commit 31cf742f515c275d22843c4c756e048d2b6d716c upstream. + +The rtsx_usb_sdmmc driver may bail out in its ->set_ios() callback when no +SD card is inserted. This is wrong, as it could cause the device to remain +runtime resumed when it's unused. Fix this behaviour. + +Tested-by: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1138,11 +1138,6 @@ static void sdmmc_set_ios(struct mmc_hos + dev_dbg(sdmmc_dev(host), "%s\n", __func__); + mutex_lock(&ucr->dev_mutex); + +- if (rtsx_usb_card_exclusive_check(ucr, RTSX_USB_SD_CARD)) { +- mutex_unlock(&ucr->dev_mutex); +- return; +- } +- + sd_set_power_mode(host, ios->power_mode); + sd_set_bus_width(host, ios->bus_width); + sd_set_timing(host, ios->timing, &host->ddr_mode); diff --git a/queue-4.4/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch b/queue-4.4/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch new file mode 100644 index 00000000000..81dedec354f --- /dev/null +++ b/queue-4.4/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch @@ -0,0 +1,42 @@ +From 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Thu, 15 Sep 2016 14:46:21 +0200 +Subject: mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led + +From: Ulf Hansson + +commit 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 upstream. + +Accesses of the rtsx sdmmc's parent device, which is the rtsx usb device, +must be done when it's runtime resumed. Currently this isn't case when +changing the led, so let's fix this by adding a pm_runtime_get_sync() and +a pm_runtime_put() around those operations. + +Reported-by: Ritesh Raj Sarraf +Tested-by: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1309,6 +1309,7 @@ static void rtsx_usb_update_led(struct w + container_of(work, struct rtsx_usb_sdmmc, led_work); + struct rtsx_ucr *ucr = host->ucr; + ++ pm_runtime_get_sync(sdmmc_dev(host)); + mutex_lock(&ucr->dev_mutex); + + if (host->led.brightness == LED_OFF) +@@ -1317,6 +1318,7 @@ static void rtsx_usb_update_led(struct w + rtsx_usb_turn_on_led(ucr); + + mutex_unlock(&ucr->dev_mutex); ++ pm_runtime_put(sdmmc_dev(host)); + } + #endif + diff --git a/queue-4.4/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch b/queue-4.4/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch new file mode 100644 index 00000000000..61025b4971e --- /dev/null +++ b/queue-4.4/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch @@ -0,0 +1,37 @@ +From d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Fri, 17 Jun 2016 18:53:28 +0200 +Subject: powerpc/mm: Prevent unlikely crash in copro_calculate_slb() + +From: Frederic Barrat + +commit d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 upstream. + +If a cxl adapter faults on an invalid address for a kernel context, we +may enter copro_calculate_slb() with a NULL mm pointer (kernel +context) and an effective address which looks like a user +address. Which will cause a crash when dereferencing mm. It is clearly +an AFU bug, but there's no reason to crash either. So return an error, +so that cxl can ack the interrupt with an address error. + +Fixes: 73d16a6e0e51 ("powerpc/cell: Move data segment faulting code out of cell platform") +Signed-off-by: Frederic Barrat +Acked-by: Ian Munsie +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/copro_fault.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/mm/copro_fault.c ++++ b/arch/powerpc/mm/copro_fault.c +@@ -106,6 +106,8 @@ int copro_calculate_slb(struct mm_struct + switch (REGION_ID(ea)) { + case USER_REGION_ID: + pr_devel("%s: 0x%llx -- USER_REGION_ID\n", __func__, ea); ++ if (mm == NULL) ++ return 1; + psize = get_slice_psize(mm, ea); + ssize = user_segment_size(ea); + vsid = get_vsid(mm->context.id, ea, ssize); diff --git a/queue-4.4/series b/queue-4.4/series index cab5c4e17fa..ab1760958b1 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -93,3 +93,20 @@ mm-filemap-fix-mapping-nrpages-double-accounting-in-fuse.patch using-bug_on-as-an-assert-is-_never_-acceptable.patch s390-mm-fix-gmap-tlb-flush-issues.patch irqchip-gic-v3-its-fix-entry-size-mask-for-gits_baser.patch +isofs-do-not-return-eacces-for-unknown-filesystems.patch +memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch +memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch +arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch +arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch +ceph-fix-error-handling-in-ceph_read_iter.patch +powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch +mmc-core-annotate-cmd_hdr-as-__le32.patch +mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch +mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch +ext4-do-not-advertise-encryption-support-when-disabled.patch +jbd2-fix-incorrect-unlock-on-j_list_lock.patch +ubifs-fix-xattr_names-length-in-exit-paths.patch +ubifs-abort-readdir-upon-error.patch +target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch +target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch +target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch diff --git a/queue-4.4/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch b/queue-4.4/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch new file mode 100644 index 00000000000..79c6877a423 --- /dev/null +++ b/queue-4.4/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch @@ -0,0 +1,86 @@ +From 926317de33998c112c5510301868ea9aa34097e2 Mon Sep 17 00:00:00 2001 +From: Dinesh Israni +Date: Mon, 10 Oct 2016 20:22:03 -0700 +Subject: target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code + +From: Dinesh Israni + +commit 926317de33998c112c5510301868ea9aa34097e2 upstream. + +This patch addresses a bug where a local EXTENDED_COPY WRITE or READ +backend I/O request would always return SAM_STAT_CHECK_CONDITION, +even if underlying xcopy_pt_cmd->se_cmd generated a different +SCSI status code. + +ESX host environments expect to hit SAM_STAT_RESERVATION_CONFLICT +for certain scenarios, and SAM_STAT_CHECK_CONDITION results in +non-retriable status for these cases. + +Tested on v4.1.y with ESX v5.5u2+ with local IBLOCK backend copy. + +Reported-by: Nixon Vincent +Tested-by: Nixon Vincent +Cc: Nixon Vincent +Tested-by: Dinesh Israni +Signed-off-by: Dinesh Israni +Cc: Dinesh Israni +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_xcopy.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/target/target_core_xcopy.c ++++ b/drivers/target/target_core_xcopy.c +@@ -662,6 +662,7 @@ static int target_xcopy_read_source( + rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0], + remote_port, true); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + transport_generic_free_cmd(se_cmd, 0); + return rc; + } +@@ -673,6 +674,7 @@ static int target_xcopy_read_source( + + rc = target_xcopy_issue_pt_cmd(xpt_cmd); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + transport_generic_free_cmd(se_cmd, 0); + return rc; + } +@@ -723,6 +725,7 @@ static int target_xcopy_write_destinatio + remote_port, false); + if (rc < 0) { + struct se_cmd *src_cmd = &xop->src_pt_cmd->se_cmd; ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + /* + * If the failure happened before the t_mem_list hand-off in + * target_xcopy_setup_pt_cmd(), Reset memory + clear flag so that +@@ -738,6 +741,7 @@ static int target_xcopy_write_destinatio + + rc = target_xcopy_issue_pt_cmd(xpt_cmd); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + se_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC; + transport_generic_free_cmd(se_cmd, 0); + return rc; +@@ -824,10 +828,14 @@ static void target_xcopy_do_work(struct + out: + xcopy_pt_undepend_remotedev(xop); + kfree(xop); +- +- pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION" +- " -> sending response\n", rc); +- ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; ++ /* ++ * Don't override an error scsi status if it has already been set ++ */ ++ if (ec_cmd->scsi_status == SAM_STAT_GOOD) { ++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY" ++ " CHECK_CONDITION -> sending response\n", rc); ++ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; ++ } + target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION); + } + diff --git a/queue-4.4/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch b/queue-4.4/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch new file mode 100644 index 00000000000..23b9db8c2bc --- /dev/null +++ b/queue-4.4/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch @@ -0,0 +1,145 @@ +From 449a137846c84829a328757cd21fd9ca65c08519 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sat, 8 Oct 2016 17:26:44 -0700 +Subject: target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE + +From: Nicholas Bellinger + +commit 449a137846c84829a328757cd21fd9ca65c08519 upstream. + +This patch addresses a bug where EXTENDED_COPY across multiple LUNs +results in a CHECK_CONDITION when the source + destination are not +located on the same physical node. + +ESX Host environments expect sense COPY_ABORTED w/ COPY TARGET DEVICE +NOT REACHABLE to be returned when this occurs, in order to signal +fallback to local copy method. + +As described in section 6.3.3 of spc4r22: + + "If it is not possible to complete processing of a segment because the + copy manager is unable to establish communications with a copy target + device, because the copy target device does not respond to INQUIRY, + or because the data returned in response to INQUIRY indicates + an unsupported logical unit, then the EXTENDED COPY command shall be + terminated with CHECK CONDITION status, with the sense key set to + COPY ABORTED, and the additional sense code set to COPY TARGET DEVICE + NOT REACHABLE." + +Tested on v4.1.y with ESX v5.5u2+ with BlockCopy across multiple nodes. + +Reported-by: Nixon Vincent +Tested-by: Nixon Vincent +Cc: Nixon Vincent +Tested-by: Dinesh Israni +Signed-off-by: Dinesh Israni +Cc: Dinesh Israni +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 7 +++++++ + drivers/target/target_core_xcopy.c | 22 ++++++++++++++++------ + include/target/target_core_base.h | 1 + + 3 files changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1680,6 +1680,7 @@ void transport_generic_request_failure(s + case TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED: + case TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED: + case TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED: ++ case TCM_COPY_TARGET_DEVICE_NOT_REACHABLE: + break; + case TCM_OUT_OF_RESOURCES: + sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; +@@ -2835,6 +2836,12 @@ static const struct sense_info sense_inf + .ascq = 0x03, /* LOGICAL BLOCK REFERENCE TAG CHECK FAILED */ + .add_sector_info = true, + }, ++ [TCM_COPY_TARGET_DEVICE_NOT_REACHABLE] = { ++ .key = COPY_ABORTED, ++ .asc = 0x0d, ++ .ascq = 0x02, /* COPY TARGET DEVICE NOT REACHABLE */ ++ ++ }, + [TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE] = { + /* + * Returning ILLEGAL REQUEST would cause immediate IO errors on +--- a/drivers/target/target_core_xcopy.c ++++ b/drivers/target/target_core_xcopy.c +@@ -104,7 +104,7 @@ static int target_xcopy_locate_se_dev_e4 + } + mutex_unlock(&g_device_mutex); + +- pr_err("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n"); ++ pr_debug_ratelimited("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n"); + return -EINVAL; + } + +@@ -185,7 +185,7 @@ static int target_xcopy_parse_tiddesc_e4 + + static int target_xcopy_parse_target_descriptors(struct se_cmd *se_cmd, + struct xcopy_op *xop, unsigned char *p, +- unsigned short tdll) ++ unsigned short tdll, sense_reason_t *sense_ret) + { + struct se_device *local_dev = se_cmd->se_dev; + unsigned char *desc = p; +@@ -193,6 +193,8 @@ static int target_xcopy_parse_target_des + unsigned short start = 0; + bool src = true; + ++ *sense_ret = TCM_INVALID_PARAMETER_LIST; ++ + if (offset != 0) { + pr_err("XCOPY target descriptor list length is not" + " multiple of %d\n", XCOPY_TARGET_DESC_LEN); +@@ -243,9 +245,16 @@ static int target_xcopy_parse_target_des + rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, true); + else + rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, false); +- +- if (rc < 0) ++ /* ++ * If a matching IEEE NAA 0x83 descriptor for the requested device ++ * is not located on this node, return COPY_ABORTED with ASQ/ASQC ++ * 0x0d/0x02 - COPY_TARGET_DEVICE_NOT_REACHABLE to request the ++ * initiator to fall back to normal copy method. ++ */ ++ if (rc < 0) { ++ *sense_ret = TCM_COPY_TARGET_DEVICE_NOT_REACHABLE; + goto out; ++ } + + pr_debug("XCOPY TGT desc: Source dev: %p NAA IEEE WWN: 0x%16phN\n", + xop->src_dev, &xop->src_tid_wwn[0]); +@@ -816,7 +825,8 @@ out: + xcopy_pt_undepend_remotedev(xop); + kfree(xop); + +- pr_warn("target_xcopy_do_work: Setting X-COPY CHECK_CONDITION -> sending response\n"); ++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION" ++ " -> sending response\n", rc); + ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; + target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION); + } +@@ -875,7 +885,7 @@ sense_reason_t target_do_xcopy(struct se + " tdll: %hu sdll: %u inline_dl: %u\n", list_id, list_id_usage, + tdll, sdll, inline_dl); + +- rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll); ++ rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll, &ret); + if (rc <= 0) + goto out; + +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -180,6 +180,7 @@ enum tcm_sense_reason_table { + TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED = R(0x15), + TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED = R(0x16), + TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED = R(0x17), ++ TCM_COPY_TARGET_DEVICE_NOT_REACHABLE = R(0x18), + #undef R + }; + diff --git a/queue-4.4/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch b/queue-4.4/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch new file mode 100644 index 00000000000..a949111e5ed --- /dev/null +++ b/queue-4.4/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch @@ -0,0 +1,45 @@ +From 527268df31e57cf2b6d417198717c6d6afdb1e3e Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 4 Oct 2016 16:37:05 -0700 +Subject: target: Re-add missing SCF_ACK_KREF assignment in v4.1.y + +From: Nicholas Bellinger + +commit 527268df31e57cf2b6d417198717c6d6afdb1e3e upstream. + +This patch fixes a regression in >= v4.1.y code where the original +SCF_ACK_KREF assignment in target_get_sess_cmd() was dropped upstream +in commit 054922bb, but the series for addressing TMR ABORT_TASK + +LUN_RESET with fabric session reinstatement in commit febe562c20 still +depends on this code in transport_cmd_finish_abort(). + +The regression manifests itself as a se_cmd->cmd_kref +1 leak, where +ABORT_TASK + LUN_RESET can hang indefinately for a specific I_T session +for drivers using SCF_ACK_KREF, resulting in hung kthreads. + +This patch has been verified with v4.1.y code. + +Reported-by: Vaibhav Tandon +Tested-by: Vaibhav Tandon +Cc: Vaibhav Tandon +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2509,8 +2509,10 @@ int target_get_sess_cmd(struct se_cmd *s + * fabric acknowledgement that requires two target_put_sess_cmd() + * invocations before se_cmd descriptor release. + */ +- if (ack_kref) ++ if (ack_kref) { + kref_get(&se_cmd->cmd_kref); ++ se_cmd->se_cmd_flags |= SCF_ACK_KREF; ++ } + + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + if (se_sess->sess_tearing_down) { diff --git a/queue-4.4/ubifs-abort-readdir-upon-error.patch b/queue-4.4/ubifs-abort-readdir-upon-error.patch new file mode 100644 index 00000000000..3159ea12b6e --- /dev/null +++ b/queue-4.4/ubifs-abort-readdir-upon-error.patch @@ -0,0 +1,59 @@ +From c83ed4c9dbb358b9e7707486e167e940d48bfeed Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Wed, 19 Oct 2016 12:43:07 +0200 +Subject: ubifs: Abort readdir upon error + +From: Richard Weinberger + +commit c83ed4c9dbb358b9e7707486e167e940d48bfeed upstream. + +If UBIFS is facing an error while walking a directory, it reports this +error and ubifs_readdir() returns the error code. But the VFS readdir +logic does not make the getdents system call fail in all cases. When the +readdir cursor indicates that more entries are present, the system call +will just return and the libc wrapper will try again since it also +knows that more entries are present. +This causes the libc wrapper to busy loop for ever when a directory is +corrupted on UBIFS. +A common approach do deal with corrupted directory entries is +skipping them by setting the cursor to the next entry. On UBIFS this +approach is not possible since we cannot compute the next directory +entry cursor position without reading the current entry. So all we can +do is setting the cursor to the "no more entries" position and make +getdents exit. + +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/dir.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -350,7 +350,7 @@ static unsigned int vfs_dent_type(uint8_ + */ + static int ubifs_readdir(struct file *file, struct dir_context *ctx) + { +- int err; ++ int err = 0; + struct qstr nm; + union ubifs_key key; + struct ubifs_dent_node *dent; +@@ -452,14 +452,12 @@ out: + kfree(file->private_data); + file->private_data = NULL; + +- if (err != -ENOENT) { ++ if (err != -ENOENT) + ubifs_err(c, "cannot find next direntry, error %d", err); +- return err; +- } + + /* 2 is a special value indicating that there are no more direntries */ + ctx->pos = 2; +- return 0; ++ return err; + } + + /* Free saved readdir() state when the directory is closed */ diff --git a/queue-4.4/ubifs-fix-xattr_names-length-in-exit-paths.patch b/queue-4.4/ubifs-fix-xattr_names-length-in-exit-paths.patch new file mode 100644 index 00000000000..8fdc987073e --- /dev/null +++ b/queue-4.4/ubifs-fix-xattr_names-length-in-exit-paths.patch @@ -0,0 +1,38 @@ +From 843741c5778398ea67055067f4cc65ae6c80ca0e Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 20 Sep 2016 10:08:30 +0200 +Subject: ubifs: Fix xattr_names length in exit paths + +From: Richard Weinberger + +commit 843741c5778398ea67055067f4cc65ae6c80ca0e upstream. + +When the operation fails we also have to undo the changes +we made to ->xattr_names. Otherwise listxattr() will report +wrong lengths. + +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ubifs/xattr.c ++++ b/fs/ubifs/xattr.c +@@ -173,6 +173,7 @@ out_cancel: + host_ui->xattr_cnt -= 1; + host_ui->xattr_size -= CALC_DENT_SIZE(nm->len); + host_ui->xattr_size -= CALC_XATTR_BYTES(size); ++ host_ui->xattr_names -= nm->len; + mutex_unlock(&host_ui->ui_mutex); + out_free: + make_bad_inode(inode); +@@ -533,6 +534,7 @@ out_cancel: + host_ui->xattr_cnt += 1; + host_ui->xattr_size += CALC_DENT_SIZE(nm->len); + host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len); ++ host_ui->xattr_names += nm->len; + mutex_unlock(&host_ui->ui_mutex); + ubifs_release_budget(c, &req); + make_bad_inode(inode);