From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 15:41:28 +0000 (+0100) Subject: 3.19-stable patches X-Git-Tag: v3.19.3~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b361e9afb3cfdea34833ed2c98e8494c238e6804;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: arm-at91-pm-fix-at91rm9200-standby.patch arm-dts-am33xx-clocks-fix-ehrpwm-tbclk-data-on-am33xx.patch arm-dts-am43xx-clocks-fix-ehrpwm-tbclk-data-on-am43xx.patch arm-dts-dra7x-fix-the-bypass-clock-source-for-dpll_iva-and-others.patch arm-exynos-don-t-use-ldrex-and-strex-after-disabling-cache-coherency.patch arm-imx6qdl-sabresd-set-swbst_reg-as-vbus-s-parent-reg.patch iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch target-fix-virtual-lun-0-target_configure_device-failure-oops.patch target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch --- diff --git a/queue-3.19/arm-at91-pm-fix-at91rm9200-standby.patch b/queue-3.19/arm-at91-pm-fix-at91rm9200-standby.patch new file mode 100644 index 00000000000..07d20d786ef --- /dev/null +++ b/queue-3.19/arm-at91-pm-fix-at91rm9200-standby.patch @@ -0,0 +1,36 @@ +From 84e871660bebfddb9a62ebd6f19d02536e782f0a Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Tue, 3 Mar 2015 19:58:22 +0100 +Subject: ARM: at91: pm: fix at91rm9200 standby + +From: Alexandre Belloni + +commit 84e871660bebfddb9a62ebd6f19d02536e782f0a upstream. + +at91rm9200 standby and suspend to ram has been broken since +00482a4078f4. It is wrongly using AT91_BASE_SYS which is a physical address +and actually doesn't correspond to any register on at91rm9200. + +Use the correct at91_ramc_base[0] instead. + +Fixes: 00482a4078f4 (ARM: at91: implement the standby function for pm/cpuidle) + +Signed-off-by: Alexandre Belloni +Signed-off-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-at91/pm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-at91/pm.h ++++ b/arch/arm/mach-at91/pm.h +@@ -44,7 +44,7 @@ static inline void at91rm9200_standby(vo + " mcr p15, 0, %0, c7, c0, 4\n\t" + " str %5, [%1, %2]" + : +- : "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR), ++ : "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR), + "r" (1), "r" (AT91RM9200_SDRAMC_SRR), + "r" (lpr)); + } diff --git a/queue-3.19/arm-dts-am33xx-clocks-fix-ehrpwm-tbclk-data-on-am33xx.patch b/queue-3.19/arm-dts-am33xx-clocks-fix-ehrpwm-tbclk-data-on-am33xx.patch new file mode 100644 index 00000000000..dc787e9edd4 --- /dev/null +++ b/queue-3.19/arm-dts-am33xx-clocks-fix-ehrpwm-tbclk-data-on-am33xx.patch @@ -0,0 +1,53 @@ +From 6e22616eba7e25fac5aa6cb6563471afa1815ec2 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Tue, 10 Feb 2015 11:05:41 +0530 +Subject: ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx + +From: Vignesh R + +commit 6e22616eba7e25fac5aa6cb6563471afa1815ec2 upstream. + +ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck. +The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT nothing but the +functional clock of pwmss (l4ls_gclk). +Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk. + +Fixes: 9e100ebafb91: ("Fix ehrpwm tbclk data") +Signed-off-by: Vignesh R +Acked-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/am33xx-clocks.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/am33xx-clocks.dtsi ++++ b/arch/arm/boot/dts/am33xx-clocks.dtsi +@@ -99,7 +99,7 @@ + ehrpwm0_tbclk: ehrpwm0_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <0>; + reg = <0x0664>; + }; +@@ -107,7 +107,7 @@ + ehrpwm1_tbclk: ehrpwm1_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <1>; + reg = <0x0664>; + }; +@@ -115,7 +115,7 @@ + ehrpwm2_tbclk: ehrpwm2_tbclk@44e10664 { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <2>; + reg = <0x0664>; + }; diff --git a/queue-3.19/arm-dts-am43xx-clocks-fix-ehrpwm-tbclk-data-on-am43xx.patch b/queue-3.19/arm-dts-am43xx-clocks-fix-ehrpwm-tbclk-data-on-am43xx.patch new file mode 100644 index 00000000000..c697507833d --- /dev/null +++ b/queue-3.19/arm-dts-am43xx-clocks-fix-ehrpwm-tbclk-data-on-am43xx.patch @@ -0,0 +1,80 @@ +From 7d53d25578486d65bd7cd242bc7816b40e55e62b Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Tue, 10 Feb 2015 11:05:42 +0530 +Subject: ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx + +From: Vignesh R + +commit 7d53d25578486d65bd7cd242bc7816b40e55e62b upstream. + +ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck. +The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT nothing but the +functional clock of pwmss (l4ls_gclk). +Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk. + +Fixes: 4da1c67719f61 ("add tbclk data for ehrpwm") +Signed-off-by: Vignesh R +Acked-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/am43xx-clocks.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm/boot/dts/am43xx-clocks.dtsi ++++ b/arch/arm/boot/dts/am43xx-clocks.dtsi +@@ -107,7 +107,7 @@ + ehrpwm0_tbclk: ehrpwm0_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <0>; + reg = <0x0664>; + }; +@@ -115,7 +115,7 @@ + ehrpwm1_tbclk: ehrpwm1_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <1>; + reg = <0x0664>; + }; +@@ -123,7 +123,7 @@ + ehrpwm2_tbclk: ehrpwm2_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <2>; + reg = <0x0664>; + }; +@@ -131,7 +131,7 @@ + ehrpwm3_tbclk: ehrpwm3_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <4>; + reg = <0x0664>; + }; +@@ -139,7 +139,7 @@ + ehrpwm4_tbclk: ehrpwm4_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <5>; + reg = <0x0664>; + }; +@@ -147,7 +147,7 @@ + ehrpwm5_tbclk: ehrpwm5_tbclk { + #clock-cells = <0>; + compatible = "ti,gate-clock"; +- clocks = <&dpll_per_m2_ck>; ++ clocks = <&l4ls_gclk>; + ti,bit-shift = <6>; + reg = <0x0664>; + }; diff --git a/queue-3.19/arm-dts-dra7x-fix-the-bypass-clock-source-for-dpll_iva-and-others.patch b/queue-3.19/arm-dts-dra7x-fix-the-bypass-clock-source-for-dpll_iva-and-others.patch new file mode 100644 index 00000000000..e17d2c6b4dd --- /dev/null +++ b/queue-3.19/arm-dts-dra7x-fix-the-bypass-clock-source-for-dpll_iva-and-others.patch @@ -0,0 +1,221 @@ +From d2192ea09858a8535b056fcede1a41d824e0b3d8 Mon Sep 17 00:00:00 2001 +From: Ravikumar Kattekola +Date: Sat, 31 Jan 2015 22:36:44 +0530 +Subject: ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others + +From: Ravikumar Kattekola + +commit d2192ea09858a8535b056fcede1a41d824e0b3d8 upstream. + +Fixes: ee6c750761 (ARM: dts: dra7 clock data) + +On DRA7x, For DPLL_IVA, the ref clock(CLKINP) is connected to sys_clk1 and +the bypass input(CLKINPULOW) is connected to iva_dpll_hs_clk_div clock. +But the bypass input is not directly routed to bypass clkout instead +both CLKINP and CLKINPULOW are connected to bypass clkout via a mux. + +This mux is controlled by the bit - CM_CLKSEL_DPLL_IVA[23]:DPLL_BYP_CLKSEL +and it's POR value is zero which selects the CLKINP as bypass clkout. +which means iva_dpll_hs_clk_div is not the bypass clock for dpll_iva_ck + +Fix this by adding another mux clock as parent in bypass mode. + +This design is common to most of the PLLs and the rest have only one bypass +clock. Below is a list of the DPLLs that need this fix: + +DPLL_IVA, DPLL_DDR, +DPLL_DSP, DPLL_EVE, +DPLL_GMAC, DPLL_PER, +DPLL_USB and DPLL_CORE + +Signed-off-by: Ravikumar Kattekola +Acked-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7xx-clocks.dtsi | 90 +++++++++++++++++++++++++++++++---- + 1 file changed, 81 insertions(+), 9 deletions(-) + +--- a/arch/arm/boot/dts/dra7xx-clocks.dtsi ++++ b/arch/arm/boot/dts/dra7xx-clocks.dtsi +@@ -243,10 +243,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_core_byp_mux: dpll_core_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x012c>; ++ }; ++ + dpll_core_ck: dpll_core_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-core-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_core_byp_mux>; + reg = <0x0120>, <0x0124>, <0x012c>, <0x0128>; + }; + +@@ -309,10 +317,18 @@ + clock-div = <1>; + }; + ++ dpll_dsp_byp_mux: dpll_dsp_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0240>; ++ }; ++ + dpll_dsp_ck: dpll_dsp_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_dsp_byp_mux>; + reg = <0x0234>, <0x0238>, <0x0240>, <0x023c>; + }; + +@@ -335,10 +351,18 @@ + clock-div = <1>; + }; + ++ dpll_iva_byp_mux: dpll_iva_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x01ac>; ++ }; ++ + dpll_iva_ck: dpll_iva_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_iva_byp_mux>; + reg = <0x01a0>, <0x01a4>, <0x01ac>, <0x01a8>; + }; + +@@ -361,10 +385,18 @@ + clock-div = <1>; + }; + ++ dpll_gpu_byp_mux: dpll_gpu_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02e4>; ++ }; ++ + dpll_gpu_ck: dpll_gpu_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gpu_byp_mux>; + reg = <0x02d8>, <0x02dc>, <0x02e4>, <0x02e0>; + }; + +@@ -398,10 +430,18 @@ + clock-div = <1>; + }; + ++ dpll_ddr_byp_mux: dpll_ddr_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x021c>; ++ }; ++ + dpll_ddr_ck: dpll_ddr_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_ddr_byp_mux>; + reg = <0x0210>, <0x0214>, <0x021c>, <0x0218>; + }; + +@@ -416,10 +456,18 @@ + ti,invert-autoidle-bit; + }; + ++ dpll_gmac_byp_mux: dpll_gmac_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ ti,bit-shift = <23>; ++ reg = <0x02b4>; ++ }; ++ + dpll_gmac_ck: dpll_gmac_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>; ++ clocks = <&sys_clkin1>, <&dpll_gmac_byp_mux>; + reg = <0x02a8>, <0x02ac>, <0x02b4>, <0x02b0>; + }; + +@@ -482,10 +530,18 @@ + clock-div = <1>; + }; + ++ dpll_eve_byp_mux: dpll_eve_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x0290>; ++ }; ++ + dpll_eve_ck: dpll_eve_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_eve_byp_mux>; + reg = <0x0284>, <0x0288>, <0x0290>, <0x028c>; + }; + +@@ -1249,10 +1305,18 @@ + clock-div = <1>; + }; + ++ dpll_per_byp_mux: dpll_per_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x014c>; ++ }; ++ + dpll_per_ck: dpll_per_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-clock"; +- clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_per_byp_mux>; + reg = <0x0140>, <0x0144>, <0x014c>, <0x0148>; + }; + +@@ -1275,10 +1339,18 @@ + clock-div = <1>; + }; + ++ dpll_usb_byp_mux: dpll_usb_byp_mux { ++ #clock-cells = <0>; ++ compatible = "ti,mux-clock"; ++ clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ ti,bit-shift = <23>; ++ reg = <0x018c>; ++ }; ++ + dpll_usb_ck: dpll_usb_ck { + #clock-cells = <0>; + compatible = "ti,omap4-dpll-j-type-clock"; +- clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>; ++ clocks = <&sys_clkin1>, <&dpll_usb_byp_mux>; + reg = <0x0180>, <0x0184>, <0x018c>, <0x0188>; + }; + diff --git a/queue-3.19/arm-exynos-don-t-use-ldrex-and-strex-after-disabling-cache-coherency.patch b/queue-3.19/arm-exynos-don-t-use-ldrex-and-strex-after-disabling-cache-coherency.patch new file mode 100644 index 00000000000..9dbd7fc139b --- /dev/null +++ b/queue-3.19/arm-exynos-don-t-use-ldrex-and-strex-after-disabling-cache-coherency.patch @@ -0,0 +1,41 @@ +From ca489c58ef0b81cc9c9252fd92e6c9bb38d3c408 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 27 Feb 2015 05:50:41 +0900 +Subject: ARM: EXYNOS: Don't use LDREX and STREX after disabling cache coherency + +From: Krzysztof Kozlowski + +commit ca489c58ef0b81cc9c9252fd92e6c9bb38d3c408 upstream. + +During CPU shutdown the exynos_cpu_power_down() is called after +disabling cache coherency and it uses LDREX and STREX instructions (by +calling of_machine_is_compatible() -> kobject_get() -> kref_get()). + +The LDREX and STREX should not be used after disabling the cache +coherency so just use soc_is_exynos(). + +Fixes: adc548d77c22 ("ARM: EXYNOS: Use MCPM call-backs to support S2R +on exynos5420") + +Reported-by: Stephen Boyd +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Stephen Boyd +Signed-off-by: Kukjin Kim +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-exynos/platsmp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/mach-exynos/platsmp.c ++++ b/arch/arm/mach-exynos/platsmp.c +@@ -126,8 +126,7 @@ static inline void platform_do_lowpower( + */ + void exynos_cpu_power_down(int cpu) + { +- if (cpu == 0 && (of_machine_is_compatible("samsung,exynos5420") || +- of_machine_is_compatible("samsung,exynos5800"))) { ++ if (cpu == 0 && (soc_is_exynos5420() || soc_is_exynos5800())) { + /* + * Bypass power down for CPU0 during suspend. Check for + * the SYS_PWR_REG value to decide if we are suspending diff --git a/queue-3.19/arm-imx6qdl-sabresd-set-swbst_reg-as-vbus-s-parent-reg.patch b/queue-3.19/arm-imx6qdl-sabresd-set-swbst_reg-as-vbus-s-parent-reg.patch new file mode 100644 index 00000000000..9a56df188f7 --- /dev/null +++ b/queue-3.19/arm-imx6qdl-sabresd-set-swbst_reg-as-vbus-s-parent-reg.patch @@ -0,0 +1,39 @@ +From 40f737791d4dab26bf23a6331609c604142228bd Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Fri, 6 Mar 2015 16:04:20 +0800 +Subject: ARM: imx6qdl-sabresd: set swbst_reg as vbus's parent reg + +From: Peter Chen + +commit 40f737791d4dab26bf23a6331609c604142228bd upstream. + +USB vbus 5V is from PMIC SWBST, so set swbst_reg as vbus's +parent reg, it fixed a bug that the voltage of vbus is incorrect +due to swbst_reg is disabled after boots up. + +Signed-off-by: Peter Chen +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6qdl-sabresd.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/imx6qdl-sabresd.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-sabresd.dtsi +@@ -35,6 +35,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio3 22 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_usb_h1_vbus: regulator@1 { +@@ -45,6 +46,7 @@ + regulator-max-microvolt = <5000000>; + gpio = <&gpio1 29 0>; + enable-active-high; ++ vin-supply = <&swbst_reg>; + }; + + reg_audio: regulator@2 { diff --git a/queue-3.19/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch b/queue-3.19/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch new file mode 100644 index 00000000000..e58ebe7f824 --- /dev/null +++ b/queue-3.19/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch @@ -0,0 +1,53 @@ +From f068fbc82e7696d67b1bb8189306865bedf368b6 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 23 Feb 2015 00:57:51 -0800 +Subject: iscsi-target: Avoid early conn_logout_comp for iser connections + +From: Nicholas Bellinger + +commit f068fbc82e7696d67b1bb8189306865bedf368b6 upstream. + +This patch fixes a iser specific logout bug where early complete() +of conn->conn_logout_comp in iscsit_close_connection() was causing +isert_wait4logout() to complete too soon, triggering a use after +free NULL pointer dereference of iscsi_conn memory. + +The complete() was originally added for traditional iscsi-target +when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given +iser-target does not wait in logout failure, this special case needs +to be avoided. + +Reported-by: Sagi Grimberg +Cc: Sagi Grimberg +Cc: Slava Shwartsman +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4221,11 +4221,17 @@ int iscsit_close_connection( + pr_debug("Closing iSCSI connection CID %hu on SID:" + " %u\n", conn->cid, sess->sid); + /* +- * Always up conn_logout_comp just in case the RX Thread is sleeping +- * and the logout response never got sent because the connection +- * failed. ++ * Always up conn_logout_comp for the traditional TCP case just in case ++ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout ++ * response never got sent because the connection failed. ++ * ++ * However for iser-target, isert_wait4logout() is using conn_logout_comp ++ * to signal logout response TX interrupt completion. Go ahead and skip ++ * this for iser since isert_rx_opcode() does not wait on logout failure, ++ * and to avoid iscsi_conn pointer dereference in iser-target code. + */ +- complete(&conn->conn_logout_comp); ++ if (conn->conn_transport->transport_type == ISCSI_TCP) ++ complete(&conn->conn_logout_comp); + + iscsi_release_thread_set(conn); + diff --git a/queue-3.19/series b/queue-3.19/series index b0da84abaa7..aaa0bbfcb36 100644 --- a/queue-3.19/series +++ b/queue-3.19/series @@ -111,3 +111,13 @@ netfilter-nf_tables-fix-transaction-race-condition.patch netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch arm-imx6sl-evk-set-swbst_reg-as-vbus-s-parent-reg.patch b43-fix-support-for-5-ghz-only-bcm43228-model.patch +arm-exynos-don-t-use-ldrex-and-strex-after-disabling-cache-coherency.patch +arm-imx6qdl-sabresd-set-swbst_reg-as-vbus-s-parent-reg.patch +arm-at91-pm-fix-at91rm9200-standby.patch +arm-dts-dra7x-fix-the-bypass-clock-source-for-dpll_iva-and-others.patch +arm-dts-am33xx-clocks-fix-ehrpwm-tbclk-data-on-am33xx.patch +arm-dts-am43xx-clocks-fix-ehrpwm-tbclk-data-on-am43xx.patch +target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch +target-fix-virtual-lun-0-target_configure_device-failure-oops.patch +iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch +target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch diff --git a/queue-3.19/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch b/queue-3.19/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch new file mode 100644 index 00000000000..63a77848790 --- /dev/null +++ b/queue-3.19/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch @@ -0,0 +1,36 @@ +From 7544e597343e2166daba3f32e4708533aa53c233 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 18 Feb 2015 15:33:58 +0100 +Subject: target: Fix reference leak in target_get_sess_cmd() error path + +From: Bart Van Assche + +commit 7544e597343e2166daba3f32e4708533aa53c233 upstream. + +This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down +is true within target_get_sess_cmd() submission path code. + +This se_cmd reference leak can occur during active session shutdown when +ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers. + +Signed-off-by: Bart Van Assche +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2389,6 +2389,10 @@ int target_get_sess_cmd(struct se_sessio + list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list); + out: + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ ++ if (ret && ack_kref) ++ target_put_sess_cmd(se_sess, se_cmd); ++ + return ret; + } + EXPORT_SYMBOL(target_get_sess_cmd); diff --git a/queue-3.19/target-fix-virtual-lun-0-target_configure_device-failure-oops.patch b/queue-3.19/target-fix-virtual-lun-0-target_configure_device-failure-oops.patch new file mode 100644 index 00000000000..2a4157bf4af --- /dev/null +++ b/queue-3.19/target-fix-virtual-lun-0-target_configure_device-failure-oops.patch @@ -0,0 +1,52 @@ +From 5f7da044f8bc1cfb21c962edf34bd5699a76e7ae Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 5 Mar 2015 03:28:24 +0000 +Subject: target: Fix virtual LUN=0 target_configure_device failure OOPs + +From: Nicholas Bellinger + +commit 5f7da044f8bc1cfb21c962edf34bd5699a76e7ae upstream. + +This patch fixes a NULL pointer dereference triggered by a late +target_configure_device() -> alloc_workqueue() failure that results +in target_free_device() being called with DF_CONFIGURED already set, +which subsequently OOPses in destroy_workqueue() code. + +Currently this only happens at modprobe target_core_mod time when +core_dev_setup_virtual_lun0() -> target_configure_device() fails, +and the explicit target_free_device() gets called. + +To address this bug originally introduced by commit 0fd97ccf45, go +ahead and move DF_CONFIGURED to end of target_configure_device() +code to handle this special failure case. + +Reported-by: Claudio Fleiner +Cc: Claudio Fleiner +Cc: Christoph Hellwig +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1534,8 +1534,6 @@ int target_configure_device(struct se_de + ret = dev->transport->configure_device(dev); + if (ret) + goto out; +- dev->dev_flags |= DF_CONFIGURED; +- + /* + * XXX: there is not much point to have two different values here.. + */ +@@ -1597,6 +1595,8 @@ int target_configure_device(struct se_de + list_add_tail(&dev->g_dev_node, &g_device_list); + mutex_unlock(&g_device_mutex); + ++ dev->dev_flags |= DF_CONFIGURED; ++ + return 0; + + out_free_alua: diff --git a/queue-3.19/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch b/queue-3.19/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch new file mode 100644 index 00000000000..192e14ceeb7 --- /dev/null +++ b/queue-3.19/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch @@ -0,0 +1,32 @@ +From 215a8fe4198f607f34ecdbc9969dae783d8b5a61 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 27 Feb 2015 03:54:13 -0800 +Subject: target/pscsi: Fix NULL pointer dereference in get_device_type + +From: Nicholas Bellinger + +commit 215a8fe4198f607f34ecdbc9969dae783d8b5a61 upstream. + +This patch fixes a NULL pointer dereference OOPs with pSCSI backends +within target_core_stat.c code. The bug is caused by a configfs attr +read if no pscsi_dev_virt->pdv_sd has been configured. + +Reported-by: Olaf Hering +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1121,7 +1121,7 @@ static u32 pscsi_get_device_type(struct + struct pscsi_dev_virt *pdv = PSCSI_DEV(dev); + struct scsi_device *sd = pdv->pdv_sd; + +- return sd->type; ++ return (sd) ? sd->type : TYPE_NO_LUN; + } + + static sector_t pscsi_get_blocks(struct se_device *dev)