From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 15:39:43 +0000 (+0100) Subject: 3.10-stable patches X-Git-Tag: v3.19.3~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f066d31d81ce9cf6f6c8611cd364730cfd8b7cff;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm-at91-pm-fix-at91rm9200-standby.patch iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch target-allow-allregistrants-to-re-reserve-existing-reservation.patch target-allow-write-exclusive-non-reservation-holders-to-read.patch target-fix-r_holder-bit-usage-for-allregistrants.patch target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch --- diff --git a/queue-3.10/arm-at91-pm-fix-at91rm9200-standby.patch b/queue-3.10/arm-at91-pm-fix-at91rm9200-standby.patch new file mode 100644 index 00000000000..4988bcc184c --- /dev/null +++ b/queue-3.10/arm-at91-pm-fix-at91rm9200-standby.patch @@ -0,0 +1,36 @@ +From 84e871660bebfddb9a62ebd6f19d02536e782f0a Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Tue, 3 Mar 2015 19:58:22 +0100 +Subject: ARM: at91: pm: fix at91rm9200 standby + +From: Alexandre Belloni + +commit 84e871660bebfddb9a62ebd6f19d02536e782f0a upstream. + +at91rm9200 standby and suspend to ram has been broken since +00482a4078f4. It is wrongly using AT91_BASE_SYS which is a physical address +and actually doesn't correspond to any register on at91rm9200. + +Use the correct at91_ramc_base[0] instead. + +Fixes: 00482a4078f4 (ARM: at91: implement the standby function for pm/cpuidle) + +Signed-off-by: Alexandre Belloni +Signed-off-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-at91/pm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-at91/pm.h ++++ b/arch/arm/mach-at91/pm.h +@@ -37,7 +37,7 @@ static inline void at91rm9200_standby(vo + " mcr p15, 0, %0, c7, c0, 4\n\t" + " str %5, [%1, %2]" + : +- : "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR), ++ : "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR), + "r" (1), "r" (AT91RM9200_SDRAMC_SRR), + "r" (lpr)); + } diff --git a/queue-3.10/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch b/queue-3.10/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch new file mode 100644 index 00000000000..a41e4d4d9ef --- /dev/null +++ b/queue-3.10/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch @@ -0,0 +1,53 @@ +From f068fbc82e7696d67b1bb8189306865bedf368b6 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 23 Feb 2015 00:57:51 -0800 +Subject: iscsi-target: Avoid early conn_logout_comp for iser connections + +From: Nicholas Bellinger + +commit f068fbc82e7696d67b1bb8189306865bedf368b6 upstream. + +This patch fixes a iser specific logout bug where early complete() +of conn->conn_logout_comp in iscsit_close_connection() was causing +isert_wait4logout() to complete too soon, triggering a use after +free NULL pointer dereference of iscsi_conn memory. + +The complete() was originally added for traditional iscsi-target +when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given +iser-target does not wait in logout failure, this special case needs +to be avoided. + +Reported-by: Sagi Grimberg +Cc: Sagi Grimberg +Cc: Slava Shwartsman +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4136,11 +4136,17 @@ int iscsit_close_connection( + pr_debug("Closing iSCSI connection CID %hu on SID:" + " %u\n", conn->cid, sess->sid); + /* +- * Always up conn_logout_comp just in case the RX Thread is sleeping +- * and the logout response never got sent because the connection +- * failed. ++ * Always up conn_logout_comp for the traditional TCP case just in case ++ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout ++ * response never got sent because the connection failed. ++ * ++ * However for iser-target, isert_wait4logout() is using conn_logout_comp ++ * to signal logout response TX interrupt completion. Go ahead and skip ++ * this for iser since isert_rx_opcode() does not wait on logout failure, ++ * and to avoid iscsi_conn pointer dereference in iser-target code. + */ +- complete(&conn->conn_logout_comp); ++ if (conn->conn_transport->transport_type == ISCSI_TCP) ++ complete(&conn->conn_logout_comp); + + iscsi_release_thread_set(conn); + diff --git a/queue-3.10/series b/queue-3.10/series index e33112474ae..9471c84d712 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -46,3 +46,10 @@ x86-vdso-fix-the-build-on-gcc5.patch powerpc-smp-wait-until-secondaries-are-active-online.patch ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch +arm-at91-pm-fix-at91rm9200-standby.patch +target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch +iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch +target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch +target-fix-r_holder-bit-usage-for-allregistrants.patch +target-allow-allregistrants-to-re-reserve-existing-reservation.patch +target-allow-write-exclusive-non-reservation-holders-to-read.patch diff --git a/queue-3.10/target-allow-allregistrants-to-re-reserve-existing-reservation.patch b/queue-3.10/target-allow-allregistrants-to-re-reserve-existing-reservation.patch new file mode 100644 index 00000000000..5c13eb59e8c --- /dev/null +++ b/queue-3.10/target-allow-allregistrants-to-re-reserve-existing-reservation.patch @@ -0,0 +1,57 @@ +From ae450e246e8540300699480a3780a420a028b73f Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 19 Dec 2014 00:49:23 +0000 +Subject: target: Allow AllRegistrants to re-RESERVE existing reservation + +From: Nicholas Bellinger + +commit ae450e246e8540300699480a3780a420a028b73f upstream. + +This patch changes core_scsi3_pro_release() logic to allow an +existing AllRegistrants type reservation to be re-reserved by +any registered I_T nexus. + +This addresses a issue where AllRegistrants type RESERVE was +receiving RESERVATION_CONFLICT status if dev_pr_res_holder did +not match the same I_T nexus, instead of just returning GOOD +status following spc4r34 Section 5.9.9: + +"If the device server receives a PERSISTENT RESERVE OUT command + with RESERVE service action where the TYPE field and the SCOPE + field contain the same values as the existing type and scope + from a persistent reservation holder, it shall not make any + change to the existing persistent reservation and shall complete + the command with GOOD status." + +Reported-by: Ilias Tsitsimpis +Cc: Ilias Tsitsimpis +Cc: Lee Duncan +Cc: James Bottomley +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -2397,6 +2397,7 @@ core_scsi3_pro_reserve(struct se_cmd *cm + spin_lock(&dev->dev_reservation_lock); + pr_res_holder = dev->dev_pr_res_holder; + if (pr_res_holder) { ++ int pr_res_type = pr_res_holder->pr_res_type; + /* + * From spc4r17 Section 5.7.9: Reserving: + * +@@ -2407,7 +2408,9 @@ core_scsi3_pro_reserve(struct se_cmd *cm + * the logical unit, then the command shall be completed with + * RESERVATION CONFLICT status. + */ +- if (pr_res_holder != pr_reg) { ++ if ((pr_res_holder != pr_reg) && ++ (pr_res_type != PR_TYPE_WRITE_EXCLUSIVE_ALLREG) && ++ (pr_res_type != PR_TYPE_EXCLUSIVE_ACCESS_ALLREG)) { + struct se_node_acl *pr_res_nacl = pr_res_holder->pr_reg_nacl; + pr_err("SPC-3 PR: Attempted RESERVE from" + " [%s]: %s while reservation already held by" diff --git a/queue-3.10/target-allow-write-exclusive-non-reservation-holders-to-read.patch b/queue-3.10/target-allow-write-exclusive-non-reservation-holders-to-read.patch new file mode 100644 index 00000000000..c1de70bdfd3 --- /dev/null +++ b/queue-3.10/target-allow-write-exclusive-non-reservation-holders-to-read.patch @@ -0,0 +1,45 @@ +From 1ecc7586922662e3ca2f3f0c3f17fec8749fc621 Mon Sep 17 00:00:00 2001 +From: Lee Duncan +Date: Mon, 5 Jan 2015 10:49:44 -0800 +Subject: target: Allow Write Exclusive non-reservation holders to READ + +From: Lee Duncan + +commit 1ecc7586922662e3ca2f3f0c3f17fec8749fc621 upstream. + +For PGR reservation of type Write Exclusive Access, allow all non +reservation holding I_T nexuses with active registrations to READ +from the device. + +This addresses a bug where active registrations that attempted +to READ would result in an reservation conflict. + +Signed-off-by: Lee Duncan +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pr.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -518,6 +518,18 @@ static int core_scsi3_pr_seq_non_holder( + + return 0; + } ++ } else if (we && registered_nexus) { ++ /* ++ * Reads are allowed for Write Exclusive locks ++ * from all registrants. ++ */ ++ if (cmd->data_direction == DMA_FROM_DEVICE) { ++ pr_debug("Allowing READ CDB: 0x%02x for %s" ++ " reservation\n", cdb[0], ++ core_scsi3_pr_dump_type(pr_reg_type)); ++ ++ return 0; ++ } + } + pr_debug("%s Conflict for %sregistered nexus %s CDB: 0x%2x" + " for %s reservation\n", transport_dump_cmd_direction(cmd), diff --git a/queue-3.10/target-fix-r_holder-bit-usage-for-allregistrants.patch b/queue-3.10/target-fix-r_holder-bit-usage-for-allregistrants.patch new file mode 100644 index 00000000000..fb75cc8d3ed --- /dev/null +++ b/queue-3.10/target-fix-r_holder-bit-usage-for-allregistrants.patch @@ -0,0 +1,82 @@ +From d16ca7c5198fd668db10d2c7b048ed3359c12c54 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 14 Dec 2014 01:47:19 -0800 +Subject: target: Fix R_HOLDER bit usage for AllRegistrants + +From: Nicholas Bellinger + +commit d16ca7c5198fd668db10d2c7b048ed3359c12c54 upstream. + +This patch fixes the usage of R_HOLDER bit for an All Registrants +reservation in READ_FULL_STATUS, where only the registration who +issued RESERVE was being reported as having an active reservation. + +It changes core_scsi3_pri_read_full_status() to check ahead of the +list walk of active registrations to see if All Registrants is active, +and if so set R_HOLDER bit and scope/type fields for all active +registrations. + +Reported-by: Ilias Tsitsimpis +Cc: James Bottomley +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pr.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -4012,7 +4012,8 @@ core_scsi3_pri_read_full_status(struct s + unsigned char *buf; + u32 add_desc_len = 0, add_len = 0, desc_len, exp_desc_len; + u32 off = 8; /* off into first Full Status descriptor */ +- int format_code = 0; ++ int format_code = 0, pr_res_type = 0, pr_res_scope = 0; ++ bool all_reg = false; + + if (cmd->data_length < 8) { + pr_err("PRIN SA READ_FULL_STATUS SCSI Data Length: %u" +@@ -4029,6 +4030,19 @@ core_scsi3_pri_read_full_status(struct s + buf[2] = ((dev->t10_pr.pr_generation >> 8) & 0xff); + buf[3] = (dev->t10_pr.pr_generation & 0xff); + ++ spin_lock(&dev->dev_reservation_lock); ++ if (dev->dev_pr_res_holder) { ++ struct t10_pr_registration *pr_holder = dev->dev_pr_res_holder; ++ ++ if (pr_holder->pr_res_type == PR_TYPE_WRITE_EXCLUSIVE_ALLREG || ++ pr_holder->pr_res_type == PR_TYPE_EXCLUSIVE_ACCESS_ALLREG) { ++ all_reg = true; ++ pr_res_type = pr_holder->pr_res_type; ++ pr_res_scope = pr_holder->pr_res_scope; ++ } ++ } ++ spin_unlock(&dev->dev_reservation_lock); ++ + spin_lock(&pr_tmpl->registration_lock); + list_for_each_entry_safe(pr_reg, pr_reg_tmp, + &pr_tmpl->registration_list, pr_reg_list) { +@@ -4078,14 +4092,20 @@ core_scsi3_pri_read_full_status(struct s + * reservation holder for PR_HOLDER bit. + * + * Also, if this registration is the reservation +- * holder, fill in SCOPE and TYPE in the next byte. ++ * holder or there is an All Registrants reservation ++ * active, fill in SCOPE and TYPE in the next byte. + */ + if (pr_reg->pr_res_holder) { + buf[off++] |= 0x01; + buf[off++] = (pr_reg->pr_res_scope & 0xf0) | + (pr_reg->pr_res_type & 0x0f); +- } else ++ } else if (all_reg) { ++ buf[off++] |= 0x01; ++ buf[off++] = (pr_res_scope & 0xf0) | ++ (pr_res_type & 0x0f); ++ } else { + off += 2; ++ } + + off += 4; /* Skip over reserved area */ + /* diff --git a/queue-3.10/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch b/queue-3.10/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch new file mode 100644 index 00000000000..825b576f064 --- /dev/null +++ b/queue-3.10/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch @@ -0,0 +1,36 @@ +From 7544e597343e2166daba3f32e4708533aa53c233 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 18 Feb 2015 15:33:58 +0100 +Subject: target: Fix reference leak in target_get_sess_cmd() error path + +From: Bart Van Assche + +commit 7544e597343e2166daba3f32e4708533aa53c233 upstream. + +This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down +is true within target_get_sess_cmd() submission path code. + +This se_cmd reference leak can occur during active session shutdown when +ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers. + +Signed-off-by: Bart Van Assche +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2222,6 +2222,10 @@ int target_get_sess_cmd(struct se_sessio + + out: + spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); ++ ++ if (ret && ack_kref) ++ target_put_sess_cmd(se_sess, se_cmd); ++ + return ret; + } + EXPORT_SYMBOL(target_get_sess_cmd); diff --git a/queue-3.10/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch b/queue-3.10/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch new file mode 100644 index 00000000000..657f5afcbbd --- /dev/null +++ b/queue-3.10/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch @@ -0,0 +1,32 @@ +From 215a8fe4198f607f34ecdbc9969dae783d8b5a61 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 27 Feb 2015 03:54:13 -0800 +Subject: target/pscsi: Fix NULL pointer dereference in get_device_type + +From: Nicholas Bellinger + +commit 215a8fe4198f607f34ecdbc9969dae783d8b5a61 upstream. + +This patch fixes a NULL pointer dereference OOPs with pSCSI backends +within target_core_stat.c code. The bug is caused by a configfs attr +read if no pscsi_dev_virt->pdv_sd has been configured. + +Reported-by: Olaf Hering +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1112,7 +1112,7 @@ static u32 pscsi_get_device_type(struct + struct pscsi_dev_virt *pdv = PSCSI_DEV(dev); + struct scsi_device *sd = pdv->pdv_sd; + +- return sd->type; ++ return (sd) ? sd->type : TYPE_NO_LUN; + } + + static sector_t pscsi_get_blocks(struct se_device *dev)