From: Greg Kroah-Hartman
Date: Mon, 10 Nov 2014 02:37:33 +0000 (+0900)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.60~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a2245c2cc1ee00376259f2621532073c1349c64;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches:
mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
qla_target-don-t-delete-changed-nacls.patch
target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
---
diff --git a/queue-3.10/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch b/queue-3.10/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
new file mode 100644
index 00000000000..354cb2a563c
--- /dev/null
+++ b/queue-3.10/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
@@ -0,0 +1,90 @@
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney
+Cc: Huacai Chen
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1091,6 +1091,7 @@ static void __cpuinit build_update_entri
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info __cpuinit
+@@ -1105,6 +1106,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
+@@ -1293,6 +1295,7 @@ static void __cpuinit build_r4000_tlb_re
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1329,7 +1332,8 @@ static void __cpuinit build_r4000_tlb_re
+ }
+ #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
diff --git a/queue-3.10/qla_target-don-t-delete-changed-nacls.patch b/queue-3.10/qla_target-don-t-delete-changed-nacls.patch
new file mode 100644
index 00000000000..5a0cd165447
--- /dev/null
+++ b/queue-3.10/qla_target-don-t-delete-changed-nacls.patch
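Review bot: In the queued arch/mips/mm/tlbex.c change, neither the new `need_reload_pte` field nor the `if (htlb_info.need_reload_pte)` guard in front of `UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);` carries a comment, so the reason the load must be skipped exists only in the commit message. Per that message, the fast-handler path has already modified K1, and a load through it faults into a nested TLB Refill that userspace sees as SIGBUS or SIGSEGV. I would annotate the field, e.g. `bool need_reload_pte; /* PTE must be re-read through K1 before the huge update */`, and put `/* Only reload when K1 still points at the PTE; the fast handler has clobbered it. */` above the guard. The bodies of build_fast_tlb_refill_handler and build_r4000_tlb_refill_handler continue outside the nested hunks, so any other writer of `huge_pte` cannot be checked from here.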
@@ -0,0 +1,42 @@
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -762,7 +762,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
diff --git a/queue-3.10/series b/queue-3.10/series
index f156db46f71..8bd3d942398 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
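Review bot: The recovery branch added to tcm_qla2xxx_clear_nacl_from_fcport_map() in drivers/scsi/qla2xxx/tcm_qla2xxx.c discards the return value of `btree_insert32(..., GFP_ATOMIC)`. If that atomic insert fails, the entry belonging to the other nacl has already been taken out by `btree_remove32()` and is not put back, leaving `lport_fcport_map` without a mapping for a port_id that is presumably still in use, with nothing logged beyond the WARN_ON. I would at least report the failure: `if (btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC)) pr_err("fcport_map re-insert failed, port_id: 0x%06x\n", nacl->nport_id);`. The pr_debug that follows still prints "Removed from fcport_map" for `se_nacl` on this path although that pointer was not the one found. The function starts and ends outside the hunk, so the locking around the remove/insert pair cannot be confirmed here.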
@@ -57,3 +57,7 @@ kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
 kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
 arc-allow-headless-models-to-boot.patch
 arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+qla_target-don-t-delete-changed-nacls.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
diff --git a/queue-3.10/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch b/queue-3.10/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
new file mode 100644
index 00000000000..c2d2b3149f3
--- /dev/null
+++ b/queue-3.10/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
@@ -0,0 +1,93 @@
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1293,7 +1293,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -945,10 +945,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -55,7 +55,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -165,6 +166,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
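Review bot: core_scsi3_check_aptpl_registration() in drivers/target/target_core_pr.c now takes a bare `u32 mapped_lun` and uses it straight away in `nacl->device_list[mapped_lun]`, with no range check in the visible lines. Before this change the index came from an existing `se_lun_acl`; now any caller can pass an arbitrary value, and an out-of-range one reads past the array. Both call sites shown (`lacl->mapped_lun`, `lun->unpacked_lun`) are presumably validated earlier, but that validation is outside these hunks, so the precondition should be enforced or at least documented at the function. A guard such as `if (mapped_lun >= TRANSPORT_MAX_LUNS_PER_TPG) return -EINVAL;` placed before `deve` is assigned would do it, assuming `device_list` is sized by that constant in this tree. The new call in core_tpg_add_node_to_devs() also ignores the int result, which matches the existing caller but means a failed registration replay goes unnoticed.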
diff --git a/queue-3.10/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch b/queue-3.10/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
new file mode 100644
index 00000000000..b64b6ef8372
--- /dev/null
+++ b/queue-3.10/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
@@ -0,0 +1,45 @@
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at lower transport layer, command
+is placed on queue full retry path, which expose this problem. The TCM
+queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
+cmd twice to lower layer. The 1st time led to cmd normal free path.
+The 2nd time cause Null pointer access.
+
+This regression bug was originally introduced v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1788,8 +1788,7 @@ static void transport_complete_qf(struct
+
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
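Review bot: The now-unconditional `goto out;` after `ret = cmd->se_tfo->queue_status(cmd);` in transport_complete_qf() has no comment, and on its own it reads like a dropped error check that a later cleanup could put back. The commit message gives the reason: falling through into the `switch (cmd->data_direction)` handed the same cmd to the fabric a second time after the first submission had already led to the normal free path, ending in a NULL pointer access. I would record that at the branch, e.g. `/* Status is already queued; falling through would submit cmd again after it may have been freed. */`. The `out:` label and its handling of a non-zero `ret` are outside the hunk, so it is worth confirming that the queue-full retry is still taken from there when `queue_status()` fails.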