From: Greg Kroah-Hartman Date: Mon, 15 Oct 2012 17:29:57 +0000 (-0700) Subject: 3.6-stable patches X-Git-Tag: v3.0.47~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b465274b7bb8200684cb555f19fc1909d56f6ea4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.6-stable patches added patches: autofs4-fix-reset-pending-flag-on-mount-fail.patch block-fix-request_queue-flags-initialization.patch qla2xxx-fix-endianness-of-task-management-response-code.patch target-file-re-enable-optional-fd_buffered_io-1-operation.patch target-fix-return-code-in-target_core_init_configfs-error-path.patch target-fix-truncation-of-mode-data-support-zero-allocation-length.patch target-support-zero-allocation-length-in-inquiry.patch vfio-fix-pci-intx-disable-consistency.patch vfio-move-pci-intx-eventfd-setting-earlier.patch xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch xen-bootup-allow-read-write-_cr8-pvops-call.patch xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch --- diff --git a/queue-3.6/autofs4-fix-reset-pending-flag-on-mount-fail.patch b/queue-3.6/autofs4-fix-reset-pending-flag-on-mount-fail.patch new file mode 100644 index 00000000000..8110333c01d --- /dev/null +++ b/queue-3.6/autofs4-fix-reset-pending-flag-on-mount-fail.patch @@ -0,0 +1,41 @@ +From 49999ab27eab6289a8e4f450e148bdab521361b2 Mon Sep 17 00:00:00 2001 +From: Ian Kent +Date: Thu, 11 Oct 2012 08:00:33 +0800 +Subject: autofs4 - fix reset pending flag on mount fail + +From: Ian Kent + +commit 49999ab27eab6289a8e4f450e148bdab521361b2 upstream. + +In autofs4_d_automount(), if a mount fail occurs the AUTOFS_INF_PENDING +mount pending flag is not cleared. + +One effect of this is when using the "browse" option, directory entry +attributes show up with all "?"s due to the incorrect callback and +subsequent failure return (when in fact no callback should be made). + +Signed-off-by: Ian Kent +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/root.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/autofs4/root.c ++++ b/fs/autofs4/root.c +@@ -392,10 +392,12 @@ static struct vfsmount *autofs4_d_automo + ino->flags |= AUTOFS_INF_PENDING; + spin_unlock(&sbi->fs_lock); + status = autofs4_mount_wait(dentry); +- if (status) +- return ERR_PTR(status); + spin_lock(&sbi->fs_lock); + ino->flags &= ~AUTOFS_INF_PENDING; ++ if (status) { ++ spin_unlock(&sbi->fs_lock); ++ return ERR_PTR(status); ++ } + } + done: + if (!(ino->flags & AUTOFS_INF_EXPIRING)) { diff --git a/queue-3.6/block-fix-request_queue-flags-initialization.patch b/queue-3.6/block-fix-request_queue-flags-initialization.patch new file mode 100644 index 00000000000..322442d3cd1 --- /dev/null +++ b/queue-3.6/block-fix-request_queue-flags-initialization.patch @@ -0,0 +1,38 @@ +From 60ea8226cbd5c8301f9a39edc574ddabcb8150e0 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 20 Sep 2012 14:09:30 -0700 +Subject: block: fix request_queue->flags initialization + +From: Tejun Heo + +commit 60ea8226cbd5c8301f9a39edc574ddabcb8150e0 upstream. + +A queue newly allocated with blk_alloc_queue_node() has only +QUEUE_FLAG_BYPASS set. For request-based drivers, +blk_init_allocated_queue() is called and q->queue_flags is overwritten +with QUEUE_FLAG_DEFAULT which doesn't include BYPASS even though the +initial bypass is still in effect. + +In blk_init_allocated_queue(), or QUEUE_FLAG_DEFAULT to q->queue_flags +instead of overwriting. + +Signed-off-by: Tejun Heo +Acked-by: Vivek Goyal +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -696,7 +696,7 @@ blk_init_allocated_queue(struct request_ + q->request_fn = rfn; + q->prep_rq_fn = NULL; + q->unprep_rq_fn = NULL; +- q->queue_flags = QUEUE_FLAG_DEFAULT; ++ q->queue_flags |= QUEUE_FLAG_DEFAULT; + + /* Override internal queue lock with supplied lock pointer */ + if (lock) diff --git a/queue-3.6/qla2xxx-fix-endianness-of-task-management-response-code.patch b/queue-3.6/qla2xxx-fix-endianness-of-task-management-response-code.patch new file mode 100644 index 00000000000..80111ca85de --- /dev/null +++ b/queue-3.6/qla2xxx-fix-endianness-of-task-management-response-code.patch @@ -0,0 +1,39 @@ +From e4b11b89f9039ca97b2ed1b6efeb6749fbdeb252 Mon Sep 17 00:00:00 2001 +From: Roland Dreier +Date: Tue, 18 Sep 2012 15:10:56 -0700 +Subject: qla2xxx: Fix endianness of task management response code + +From: Roland Dreier + +commit e4b11b89f9039ca97b2ed1b6efeb6749fbdeb252 upstream. + +The qla2xxx firmware actually expects the task management response +code in a CTIO IOCB with SCSI status mode 1 to be in little-endian +byte order, ie the response code should be the first byte in the +sense_data[] array. The old code erroneously byte-swapped the +response code, which puts it in the wrong place on the wire and leads +to initiators thinking every task management request succeeds (since +they see 0 in the byte where they look for the response code). + +Signed-off-by: Roland Dreier +Cc: Chad Dupuis +Cc: Arun Easi +Acked-by: Saurav Kashyap +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1403,7 +1403,7 @@ static void qlt_24xx_send_task_mgmt_ctio + ctio->u.status1.scsi_status = + __constant_cpu_to_le16(SS_RESPONSE_INFO_LEN_VALID); + ctio->u.status1.response_len = __constant_cpu_to_le16(8); +- ((uint32_t *)ctio->u.status1.sense_data)[0] = cpu_to_be32(resp_code); ++ ctio->u.status1.sense_data[0] = resp_code; + + qla2x00_start_iocbs(ha, ha->req); + } diff --git a/queue-3.6/series b/queue-3.6/series index 3501413ff3b..d8d94e190be 100644 --- a/queue-3.6/series +++ b/queue-3.6/series @@ -26,3 +26,15 @@ arm-7541-1-add-arm-errata-775420-workaround.patch arm-omap-counter-add-locking-to-read_persistent_clock.patch firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch +target-support-zero-allocation-length-in-inquiry.patch +target-fix-truncation-of-mode-data-support-zero-allocation-length.patch +target-fix-return-code-in-target_core_init_configfs-error-path.patch +target-file-re-enable-optional-fd_buffered_io-1-operation.patch +qla2xxx-fix-endianness-of-task-management-response-code.patch +vfio-move-pci-intx-eventfd-setting-earlier.patch +vfio-fix-pci-intx-disable-consistency.patch +xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch +xen-bootup-allow-read-write-_cr8-pvops-call.patch +xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch +block-fix-request_queue-flags-initialization.patch +autofs4-fix-reset-pending-flag-on-mount-fail.patch diff --git a/queue-3.6/target-file-re-enable-optional-fd_buffered_io-1-operation.patch b/queue-3.6/target-file-re-enable-optional-fd_buffered_io-1-operation.patch new file mode 100644 index 00000000000..249ad8deff7 --- /dev/null +++ b/queue-3.6/target-file-re-enable-optional-fd_buffered_io-1-operation.patch @@ -0,0 +1,133 @@ +From b32f4c7ed85c5cee2a21a55c9f59ebc9d57a2463 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sat, 29 Sep 2012 17:15:37 -0700 +Subject: target/file: Re-enable optional fd_buffered_io=1 operation + +From: Nicholas Bellinger + +commit b32f4c7ed85c5cee2a21a55c9f59ebc9d57a2463 upstream. + +This patch re-adds the ability to optionally run in buffered FILEIO mode +(eg: w/o O_DSYNC) for device backends in order to once again use the +Linux buffered cache as a write-back storage mechanism. + +This logic was originally dropped with mainline v3.5-rc commit: + +commit a4dff3043c231d57f982af635c9d2192ee40e5ae +Author: Nicholas Bellinger +Date: Wed May 30 16:25:41 2012 -0700 + + target/file: Use O_DSYNC by default for FILEIO backends + +This difference with this patch is that fd_create_virtdevice() now +forces the explicit setting of emulate_write_cache=1 when buffered FILEIO +operation has been enabled. + +(v2: Switch to FDBD_HAS_BUFFERED_IO_WCE + add more detailed + comment as requested by hch) + +Reported-by: Ferry +Cc: Christoph Hellwig +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_file.c | 41 +++++++++++++++++++++++++++++++++++--- + drivers/target/target_core_file.h | 1 + 2 files changed, 39 insertions(+), 3 deletions(-) + +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -125,6 +125,19 @@ static struct se_device *fd_create_virtd + * of pure timestamp updates. + */ + flags = O_RDWR | O_CREAT | O_LARGEFILE | O_DSYNC; ++ /* ++ * Optionally allow fd_buffered_io=1 to be enabled for people ++ * who want use the fs buffer cache as an WriteCache mechanism. ++ * ++ * This means that in event of a hard failure, there is a risk ++ * of silent data-loss if the SCSI client has *not* performed a ++ * forced unit access (FUA) write, or issued SYNCHRONIZE_CACHE ++ * to write-out the entire device cache. ++ */ ++ if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) { ++ pr_debug("FILEIO: Disabling O_DSYNC, using buffered FILEIO\n"); ++ flags &= ~O_DSYNC; ++ } + + file = filp_open(fd_dev->fd_dev_name, flags, 0600); + if (IS_ERR(file)) { +@@ -188,6 +201,12 @@ static struct se_device *fd_create_virtd + if (!dev) + goto fail; + ++ if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) { ++ pr_debug("FILEIO: Forcing setting of emulate_write_cache=1" ++ " with FDBD_HAS_BUFFERED_IO_WCE\n"); ++ dev->se_sub_dev->se_dev_attrib.emulate_write_cache = 1; ++ } ++ + fd_dev->fd_dev_id = fd_host->fd_host_dev_id_count++; + fd_dev->fd_queue_depth = dev->queue_depth; + +@@ -407,6 +426,7 @@ enum { + static match_table_t tokens = { + {Opt_fd_dev_name, "fd_dev_name=%s"}, + {Opt_fd_dev_size, "fd_dev_size=%s"}, ++ {Opt_fd_buffered_io, "fd_buffered_io=%d"}, + {Opt_err, NULL} + }; + +@@ -418,7 +438,7 @@ static ssize_t fd_set_configfs_dev_param + struct fd_dev *fd_dev = se_dev->se_dev_su_ptr; + char *orig, *ptr, *arg_p, *opts; + substring_t args[MAX_OPT_ARGS]; +- int ret = 0, token; ++ int ret = 0, arg, token; + + opts = kstrdup(page, GFP_KERNEL); + if (!opts) +@@ -459,6 +479,19 @@ static ssize_t fd_set_configfs_dev_param + " bytes\n", fd_dev->fd_dev_size); + fd_dev->fbd_flags |= FBDF_HAS_SIZE; + break; ++ case Opt_fd_buffered_io: ++ match_int(args, &arg); ++ if (arg != 1) { ++ pr_err("bogus fd_buffered_io=%d value\n", arg); ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ pr_debug("FILEIO: Using buffered I/O" ++ " operations for struct fd_dev\n"); ++ ++ fd_dev->fbd_flags |= FDBD_HAS_BUFFERED_IO_WCE; ++ break; + default: + break; + } +@@ -490,8 +523,10 @@ static ssize_t fd_show_configfs_dev_para + ssize_t bl = 0; + + bl = sprintf(b + bl, "TCM FILEIO ID: %u", fd_dev->fd_dev_id); +- bl += sprintf(b + bl, " File: %s Size: %llu Mode: O_DSYNC\n", +- fd_dev->fd_dev_name, fd_dev->fd_dev_size); ++ bl += sprintf(b + bl, " File: %s Size: %llu Mode: %s\n", ++ fd_dev->fd_dev_name, fd_dev->fd_dev_size, ++ (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) ? ++ "Buffered-WCE" : "O_DSYNC"); + return bl; + } + +--- a/drivers/target/target_core_file.h ++++ b/drivers/target/target_core_file.h +@@ -14,6 +14,7 @@ + + #define FBDF_HAS_PATH 0x01 + #define FBDF_HAS_SIZE 0x02 ++#define FDBD_HAS_BUFFERED_IO_WCE 0x04 + + struct fd_dev { + u32 fbd_flags; diff --git a/queue-3.6/target-fix-return-code-in-target_core_init_configfs-error-path.patch b/queue-3.6/target-fix-return-code-in-target_core_init_configfs-error-path.patch new file mode 100644 index 00000000000..0a1d0ccd6d5 --- /dev/null +++ b/queue-3.6/target-fix-return-code-in-target_core_init_configfs-error-path.patch @@ -0,0 +1,90 @@ +From 37bb7899ca366dc212b71b150e78566d04808cc0 Mon Sep 17 00:00:00 2001 +From: Peter Senna Tschudin +Date: Mon, 17 Sep 2012 20:05:33 +0200 +Subject: target: fix return code in target_core_init_configfs error path + +From: Peter Senna Tschudin + +commit 37bb7899ca366dc212b71b150e78566d04808cc0 upstream. + +This patch fixes error cases within target_core_init_configfs() to +properly set ret = -ENOMEM before jumping to the out_global exception +path. + +This was originally discovered with the following Coccinelle semantic +match information: + +Convert a nonnegative error return code to a negative one, as returned +elsewhere in the function. A simplified version of the semantic match +that finds this problem is as follows: (http://coccinelle.lip6.fr/) + +// +( +if@p1 (\(ret < 0\|ret != 0\)) + { ... return ret; } +| +ret@p1 = 0 +) +... when != ret = e1 + when != &ret +*if(...) +{ + ... when != ret = e2 + when forall + return ret; +} +// + +Signed-off-by: Peter Senna Tschudin +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_configfs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -3132,6 +3132,7 @@ static int __init target_core_init_confi + GFP_KERNEL); + if (!target_cg->default_groups) { + pr_err("Unable to allocate target_cg->default_groups\n"); ++ ret = -ENOMEM; + goto out_global; + } + +@@ -3147,6 +3148,7 @@ static int __init target_core_init_confi + GFP_KERNEL); + if (!hba_cg->default_groups) { + pr_err("Unable to allocate hba_cg->default_groups\n"); ++ ret = -ENOMEM; + goto out_global; + } + config_group_init_type_name(&alua_group, +@@ -3162,6 +3164,7 @@ static int __init target_core_init_confi + GFP_KERNEL); + if (!alua_cg->default_groups) { + pr_err("Unable to allocate alua_cg->default_groups\n"); ++ ret = -ENOMEM; + goto out_global; + } + +@@ -3173,14 +3176,17 @@ static int __init target_core_init_confi + * Add core/alua/lu_gps/default_lu_gp + */ + lu_gp = core_alua_allocate_lu_gp("default_lu_gp", 1); +- if (IS_ERR(lu_gp)) ++ if (IS_ERR(lu_gp)) { ++ ret = -ENOMEM; + goto out_global; ++ } + + lu_gp_cg = &alua_lu_gps_group; + lu_gp_cg->default_groups = kzalloc(sizeof(struct config_group) * 2, + GFP_KERNEL); + if (!lu_gp_cg->default_groups) { + pr_err("Unable to allocate lu_gp_cg->default_groups\n"); ++ ret = -ENOMEM; + goto out_global; + } + diff --git a/queue-3.6/target-fix-truncation-of-mode-data-support-zero-allocation-length.patch b/queue-3.6/target-fix-truncation-of-mode-data-support-zero-allocation-length.patch new file mode 100644 index 00000000000..000e2642a45 --- /dev/null +++ b/queue-3.6/target-fix-truncation-of-mode-data-support-zero-allocation-length.patch @@ -0,0 +1,82 @@ +From 7a3f369ce31694017996524a1cdb08208a839077 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 7 Sep 2012 17:30:39 +0200 +Subject: target: fix truncation of mode data, support zero allocation length + +From: Paolo Bonzini + +commit 7a3f369ce31694017996524a1cdb08208a839077 upstream. + +The offset was not bumped back to the full size after writing the +header of the MODE SENSE response, so the last 1 or 2 bytes were +not copied. + +On top of this, support zero-length requests by checking for the +return value of transport_kmap_data_sg. + +Testcase: sg_raw -r20 /dev/sdb 5a 00 0a 00 00 00 00 00 14 00 + last byte should be 0x1e + it is 0x00 without the patch + it is correct with the patch + +Signed-off-by: Paolo Bonzini +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_spc.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/target/target_core_spc.c ++++ b/drivers/target/target_core_spc.c +@@ -784,7 +784,7 @@ static int spc_emulate_modesense(struct + unsigned char *rbuf; + int type = dev->transport->get_device_type(dev); + int ten = (cmd->t_task_cdb[0] == MODE_SENSE_10); +- int offset = ten ? 8 : 4; ++ u32 offset = ten ? 8 : 4; + int length = 0; + unsigned char buf[SE_MODE_PAGE_BUF]; + +@@ -817,6 +817,7 @@ static int spc_emulate_modesense(struct + offset -= 2; + buf[0] = (offset >> 8) & 0xff; + buf[1] = offset & 0xff; ++ offset += 2; + + if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) || + (cmd->se_deve && +@@ -826,13 +827,10 @@ static int spc_emulate_modesense(struct + if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) && + (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0)) + spc_modesense_dpofua(&buf[3], type); +- +- if ((offset + 2) > cmd->data_length) +- offset = cmd->data_length; +- + } else { + offset -= 1; + buf[0] = offset & 0xff; ++ offset += 1; + + if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) || + (cmd->se_deve && +@@ -842,14 +840,13 @@ static int spc_emulate_modesense(struct + if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) && + (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0)) + spc_modesense_dpofua(&buf[2], type); +- +- if ((offset + 1) > cmd->data_length) +- offset = cmd->data_length; + } + + rbuf = transport_kmap_data_sg(cmd); +- memcpy(rbuf, buf, offset); +- transport_kunmap_data_sg(cmd); ++ if (rbuf) { ++ memcpy(rbuf, buf, min(offset, cmd->data_length)); ++ transport_kunmap_data_sg(cmd); ++ } + + target_complete_cmd(cmd, GOOD); + return 0; diff --git a/queue-3.6/target-support-zero-allocation-length-in-inquiry.patch b/queue-3.6/target-support-zero-allocation-length-in-inquiry.patch new file mode 100644 index 00000000000..9a331c553c1 --- /dev/null +++ b/queue-3.6/target-support-zero-allocation-length-in-inquiry.patch @@ -0,0 +1,79 @@ +From ffe7b0e9326d9c68f5688bef691dd49f1e0d3651 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 7 Sep 2012 17:30:38 +0200 +Subject: target: support zero allocation length in INQUIRY + +From: Paolo Bonzini + +commit ffe7b0e9326d9c68f5688bef691dd49f1e0d3651 upstream. + +INQUIRY processing already uses an on-heap bounce buffer for loopback, +but not for other fabrics. Switch this to a cheaper on-stack bounce +buffer, similar to the one used by MODE SENSE and REQUEST SENSE, and +use it unconditionally. With this in place, zero allocation length is +handled simply by checking the return address of transport_kmap_data_sg. + +Testcase: sg_raw /dev/sdb 12 00 83 00 00 00 + should fail with ILLEGAL REQUEST / INVALID FIELD IN CDB sense + does not fail without the patch + fails correctly with the series + +Signed-off-by: Paolo Bonzini +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_spc.c | 31 ++++++------------------------- + 1 file changed, 6 insertions(+), 25 deletions(-) + +--- a/drivers/target/target_core_spc.c ++++ b/drivers/target/target_core_spc.c +@@ -600,30 +600,11 @@ static int spc_emulate_inquiry(struct se + { + struct se_device *dev = cmd->se_dev; + struct se_portal_group *tpg = cmd->se_lun->lun_sep->sep_tpg; +- unsigned char *buf, *map_buf; ++ unsigned char *rbuf; + unsigned char *cdb = cmd->t_task_cdb; ++ unsigned char buf[SE_INQUIRY_BUF]; + int p, ret; + +- map_buf = transport_kmap_data_sg(cmd); +- /* +- * If SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is not set, then we +- * know we actually allocated a full page. Otherwise, if the +- * data buffer is too small, allocate a temporary buffer so we +- * don't have to worry about overruns in all our INQUIRY +- * emulation handling. +- */ +- if (cmd->data_length < SE_INQUIRY_BUF && +- (cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC)) { +- buf = kzalloc(SE_INQUIRY_BUF, GFP_KERNEL); +- if (!buf) { +- transport_kunmap_data_sg(cmd); +- cmd->scsi_sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; +- return -ENOMEM; +- } +- } else { +- buf = map_buf; +- } +- + if (dev == tpg->tpg_virt_lun0.lun_se_dev) + buf[0] = 0x3f; /* Not connected */ + else +@@ -655,11 +636,11 @@ static int spc_emulate_inquiry(struct se + ret = -EINVAL; + + out: +- if (buf != map_buf) { +- memcpy(map_buf, buf, cmd->data_length); +- kfree(buf); ++ rbuf = transport_kmap_data_sg(cmd); ++ if (rbuf) { ++ memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length)); ++ transport_kunmap_data_sg(cmd); + } +- transport_kunmap_data_sg(cmd); + + if (!ret) + target_complete_cmd(cmd, GOOD); diff --git a/queue-3.6/vfio-fix-pci-intx-disable-consistency.patch b/queue-3.6/vfio-fix-pci-intx-disable-consistency.patch new file mode 100644 index 00000000000..a55f1a21cbc --- /dev/null +++ b/queue-3.6/vfio-fix-pci-intx-disable-consistency.patch @@ -0,0 +1,54 @@ +From 899649b7d4ead76c19e39251ca886eebe3f811a8 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 10 Oct 2012 09:10:32 -0600 +Subject: vfio: Fix PCI INTx disable consistency + +From: Alex Williamson + +commit 899649b7d4ead76c19e39251ca886eebe3f811a8 upstream. + +The virq_disabled flag tracks the userspace view of INTx masking +across interrupt mode changes, but we're not consistently applying +this to the interrupt and masking handler notion of the device. +Currently if the user sets DisINTx while in MSI or MSIX mode, then +returns to INTx mode (ex. rebooting a qemu guest), the hardware has +DisINTx+, but the management of INTx thinks it's enabled, making it +impossible to actually clear DisINTx. Fix this by updating the +handler state when INTx is re-enabled. + +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci_intrs.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -366,6 +366,17 @@ static int vfio_intx_enable(struct vfio_ + return -ENOMEM; + + vdev->num_ctx = 1; ++ ++ /* ++ * If the virtual interrupt is masked, restore it. Devices ++ * supporting DisINTx can be masked at the hardware level ++ * here, non-PCI-2.3 devices will have to wait until the ++ * interrupt is enabled. ++ */ ++ vdev->ctx[0].masked = vdev->virq_disabled; ++ if (vdev->pci_2_3) ++ pci_intx(vdev->pdev, !vdev->ctx[0].masked); ++ + vdev->irq_type = VFIO_PCI_INTX_IRQ_INDEX; + + return 0; +@@ -419,7 +430,7 @@ static int vfio_intx_set_signal(struct v + * disable_irq won't. + */ + spin_lock_irqsave(&vdev->irqlock, flags); +- if (!vdev->pci_2_3 && (vdev->ctx[0].masked || vdev->virq_disabled)) ++ if (!vdev->pci_2_3 && vdev->ctx[0].masked) + disable_irq_nosync(pdev->irq); + spin_unlock_irqrestore(&vdev->irqlock, flags); + diff --git a/queue-3.6/vfio-move-pci-intx-eventfd-setting-earlier.patch b/queue-3.6/vfio-move-pci-intx-eventfd-setting-earlier.patch new file mode 100644 index 00000000000..ecf0ae08da8 --- /dev/null +++ b/queue-3.6/vfio-move-pci-intx-eventfd-setting-earlier.patch @@ -0,0 +1,47 @@ +From 9dbdfd23b7638d054f3b0e70c64dfb9f297f2a9f Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 10 Oct 2012 09:10:32 -0600 +Subject: vfio: Move PCI INTx eventfd setting earlier + +From: Alex Williamson + +commit 9dbdfd23b7638d054f3b0e70c64dfb9f297f2a9f upstream. + +We need to be ready to recieve an interrupt as soon as we call +request_irq, so our eventfd context setting needs to be moved +earlier. Without this, an interrupt from our device or one +sharing the interrupt line can pass a NULL into eventfd_signal +and oops. + +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci_intrs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -400,19 +400,20 @@ static int vfio_intx_set_signal(struct v + return PTR_ERR(trigger); + } + ++ vdev->ctx[0].trigger = trigger; ++ + if (!vdev->pci_2_3) + irqflags = 0; + + ret = request_irq(pdev->irq, vfio_intx_handler, + irqflags, vdev->ctx[0].name, vdev); + if (ret) { ++ vdev->ctx[0].trigger = NULL; + kfree(vdev->ctx[0].name); + eventfd_ctx_put(trigger); + return ret; + } + +- vdev->ctx[0].trigger = trigger; +- + /* + * INTx disable will stick across the new irq setup, + * disable_irq won't. diff --git a/queue-3.6/xen-bootup-allow-read-write-_cr8-pvops-call.patch b/queue-3.6/xen-bootup-allow-read-write-_cr8-pvops-call.patch new file mode 100644 index 00000000000..7558f1bb91f --- /dev/null +++ b/queue-3.6/xen-bootup-allow-read-write-_cr8-pvops-call.patch @@ -0,0 +1,67 @@ +From 1a7bbda5b1ab0e02622761305a32dc38735b90b2 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 10 Oct 2012 13:25:48 -0400 +Subject: xen/bootup: allow {read|write}_cr8 pvops call. + +From: Konrad Rzeszutek Wilk + +commit 1a7bbda5b1ab0e02622761305a32dc38735b90b2 upstream. + +We actually do not do anything about it. Just return a default +value of zero and if the kernel tries to write anything but 0 +we BUG_ON. + +This fixes the case when an user tries to suspend the machine +and it blows up in save_processor_state b/c 'read_cr8' is set +to NULL and we get: + +kernel BUG at /home/konrad/ssd/linux/arch/x86/include/asm/paravirt.h:100! +invalid opcode: 0000 [#1] SMP +Pid: 2687, comm: init.late Tainted: G O 3.6.0upstream-00002-gac264ac-dirty #4 Bochs Bochs +RIP: e030:[] [] save_processor_state+0x212/0x270 + +.. snip.. +Call Trace: + [] do_suspend_lowlevel+0xf/0xac + [] ? x86_acpi_suspend_lowlevel+0x10c/0x150 + [] acpi_suspend_enter+0x57/0xd5 + +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/enlighten.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -984,7 +984,16 @@ static void xen_write_cr4(unsigned long + + native_write_cr4(cr4); + } +- ++#ifdef CONFIG_X86_64 ++static inline unsigned long xen_read_cr8(void) ++{ ++ return 0; ++} ++static inline void xen_write_cr8(unsigned long val) ++{ ++ BUG_ON(val); ++} ++#endif + static int xen_write_msr_safe(unsigned int msr, unsigned low, unsigned high) + { + int ret; +@@ -1153,6 +1162,11 @@ static const struct pv_cpu_ops xen_cpu_o + .read_cr4_safe = native_read_cr4_safe, + .write_cr4 = xen_write_cr4, + ++#ifdef CONFIG_X86_64 ++ .read_cr8 = xen_read_cr8, ++ .write_cr8 = xen_write_cr8, ++#endif ++ + .wbinvd = native_wbinvd, + + .read_msr = native_read_msr_safe, diff --git a/queue-3.6/xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch b/queue-3.6/xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch new file mode 100644 index 00000000000..f72f486214c --- /dev/null +++ b/queue-3.6/xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch @@ -0,0 +1,31 @@ +From cd0608e71e9757f4dae35bcfb4e88f4d1a03a8ab Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 10 Oct 2012 13:30:47 -0400 +Subject: xen/bootup: allow read_tscp call for Xen PV guests. + +From: Konrad Rzeszutek Wilk + +commit cd0608e71e9757f4dae35bcfb4e88f4d1a03a8ab upstream. + +The hypervisor will trap it. However without this patch, +we would crash as the .read_tscp is set to NULL. This patch +fixes it and sets it to the native_read_tscp call. + +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/enlighten.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -1175,6 +1175,8 @@ static const struct pv_cpu_ops xen_cpu_o + .read_tsc = native_read_tsc, + .read_pmc = native_read_pmc, + ++ .read_tscp = native_read_tscp, ++ + .iret = xen_iret, + .irq_enable_sysexit = xen_sysexit, + #ifdef CONFIG_X86_64 diff --git a/queue-3.6/xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch b/queue-3.6/xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch new file mode 100644 index 00000000000..99fbe2f1893 --- /dev/null +++ b/queue-3.6/xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch @@ -0,0 +1,97 @@ +From cb6b6df111e46b9d0f79eb971575fd50555f43f4 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 10 Oct 2012 13:23:36 -0400 +Subject: xen/pv-on-hvm kexec: add quirk for Xen 3.4 and shutdown watches. + +From: Konrad Rzeszutek Wilk + +commit cb6b6df111e46b9d0f79eb971575fd50555f43f4 upstream. + +The commit 254d1a3f02ebc10ccc6e4903394d8d3f484f715e, titled +"xen/pv-on-hvm kexec: shutdown watches from old kernel" assumes that the +XenBus backend can deal with reading of values from: + "control/platform-feature-xs_reset_watches": + + ... a patch for xenstored is required so that it + accepts the XS_RESET_WATCHES request from a client (see changeset + 23839:42a45baf037d in xen-unstable.hg). Without the patch for xenstored + the registration of watches will fail and some features of a PVonHVM + guest are not available. The guest is still able to boot, but repeated + kexec boots will fail." + +Sadly this is not true when using a Xen 3.4 hypervisor and booting a PVHVM +guest. We end up hanging at: + + err = xenbus_scanf(XBT_NIL, "control", + "platform-feature-xs_reset_watches", "%d", &supported); + +This can easily be seen with guests hanging at xenbus_init: + +NX (Execute Disable) protection: active +SMBIOS 2.4 present. +DMI: Xen HVM domU, BIOS 3.4.0 05/13/2011 +Hypervisor detected: Xen HVM +Xen version 3.4. +Xen Platform PCI: I/O protocol version 1 +... snip .. +calling xenbus_init+0x0/0x27e @ 1 + +Reverting the commit or using the attached patch fixes the issue. This fix +checks whether the hypervisor is older than 4.0 and if so does not try to +perform the read. + +Fixes-Oracle-Bug: 14708233 +Acked-by: Olaf Hering +[v2: Added a comment in the source code] +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_xs.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -47,6 +47,7 @@ + #include + #include + #include "xenbus_comms.h" ++#include + + struct xs_stored_msg { + struct list_head list; +@@ -617,7 +618,24 @@ static struct xenbus_watch *find_watch(c + + return NULL; + } ++/* ++ * Certain older XenBus toolstack cannot handle reading values that are ++ * not populated. Some Xen 3.4 installation are incapable of doing this ++ * so if we are running on anything older than 4 do not attempt to read ++ * control/platform-feature-xs_reset_watches. ++ */ ++static bool xen_strict_xenbus_quirk() ++{ ++ uint32_t eax, ebx, ecx, edx, base; ++ ++ base = xen_cpuid_base(); ++ cpuid(base + 1, &eax, &ebx, &ecx, &edx); + ++ if ((eax >> 16) < 4) ++ return true; ++ return false; ++ ++} + static void xs_reset_watches(void) + { + int err, supported = 0; +@@ -625,6 +643,9 @@ static void xs_reset_watches(void) + if (!xen_hvm_domain()) + return; + ++ if (xen_strict_xenbus_quirk()) ++ return; ++ + err = xenbus_scanf(XBT_NIL, "control", + "platform-feature-xs_reset_watches", "%d", &supported); + if (err != 1 || !supported)