From 18879fd2f51c8508fc81ca94f67f1176d0820f6d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Mar 2013 12:22:14 +0800
Subject: [PATCH] 3.0-stable patches
added patches:
btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch
cifs-ensure-that-cifs_get_root-only-traverses-directories.patch
scsi-dc395x-uninitialized-variable-in-device_alloc.patch
sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch
target-pscsi-fix-page-increment.patch
---
 ...ck-after-cloning-btrfs-device-struct.patch | 37 ++++++++
 ..._get_root-only-traverses-directories.patch | 92 +++++++++++++++++++
 ...initialized-variable-in-device_alloc.patch | 38 ++++++++
 queue-3.0/series | 5 +
 ...ssion-timer-when-out-of-socket-space.patch | 45 +++++++++
 .../target-pscsi-fix-page-increment.patch | 31 +++++++
 6 files changed, 248 insertions(+)
 create mode 100644 queue-3.0/btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch
 create mode 100644 queue-3.0/cifs-ensure-that-cifs_get_root-only-traverses-directories.patch
 create mode 100644 queue-3.0/scsi-dc395x-uninitialized-variable-in-device_alloc.patch
 create mode 100644 queue-3.0/sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch
 create mode 100644 queue-3.0/target-pscsi-fix-page-increment.patch
diff --git a/queue-3.0/btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch b/queue-3.0/btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch
new file mode 100644
index 00000000000..fdb5b4de287
--- /dev/null
+++ b/queue-3.0/btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch
@@ -0,0 +1,37 @@ +From 1cba0cdf5e4dbcd9e5fa5b54d7a028e55e2ca057 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 20 Feb 2013 14:06:20 -0500 +Subject: btrfs: Init io_lock after cloning btrfs device struct + +From: Thomas Gleixner + +commit 1cba0cdf5e4dbcd9e5fa5b54d7a028e55e2ca057 upstream. + +__btrfs_close_devices() clones btrfs device structs with +memcpy(). Some of the fields in the clone are reinitialized, but it's +missing to init io_lock. In mainline this goes unnoticed, but on RT it +leaves the plist pointing to the original about to be freed lock +struct. + +Initialize io_lock after cloning, so no references to the original +struct are left. + +Reported-and-tested-by: Mike Galbraith +Signed-off-by: Thomas Gleixner +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/volumes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -512,6 +512,7 @@ static int __btrfs_close_devices(struct + new_device->writeable = 0; + new_device->in_fs_metadata = 0; + new_device->can_discard = 0; ++ spin_lock_init(&new_device->io_lock); + list_replace_rcu(&device->dev_list, &new_device->dev_list); + + call_rcu(&device->rcu, free_device); diff --git a/queue-3.0/cifs-ensure-that-cifs_get_root-only-traverses-directories.patch b/queue-3.0/cifs-ensure-that-cifs_get_root-only-traverses-directories.patch new file mode 100644 index 00000000000..966e8382383 --- /dev/null +++ b/queue-3.0/cifs-ensure-that-cifs_get_root-only-traverses-directories.patch 
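Review bot: The new `spin_lock_init(&new_device->io_lock);` deserves a comment on that line saying why a lock inside a memcpy()-cloned struct must be re-initialised, because the reason (on RT the copied lock still carries plist pointers into the original, which is about to be freed) lives only in the commit message: `/* memcpy() cloned the lock state too; reinit so nothing points into the soon-to-be-freed original */`. It sits in the same run as the other per-clone resets (`writeable`, `in_fs_metadata`, `can_discard`), which is the right place. The clone itself and the rest of __btrfs_close_devices() are outside the hunk, so whether any other embedded lock or list head in the copy also needs a fresh init cannot be checked from these lines.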
@@ -0,0 +1,92 @@ +From ce2ac52105aa663056dfc17966ebed1bf93e6e64 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 1 Feb 2013 15:11:01 -0500 +Subject: cifs: ensure that cifs_get_root() only traverses directories + +From: Jeff Layton + +commit ce2ac52105aa663056dfc17966ebed1bf93e6e64 upstream. + +Kjell Braden reported this oops: + +[ 833.211970] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 833.212816] IP: [< (null)>] (null) +[ 833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0 +[ 833.213874] Oops: 0010 [#1] SMP +[ 833.214344] CPU 0 +[ 833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000 +[ 833.215629] +[ 833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9a0+ #18 innotek GmbH VirtualBox/VirtualBox +[ 833.215629] RIP: 0010:[<0000000000000000>] [< (null)>] (null) +[ 833.215629] RSP: 0018:ffff8800119c9c50 EFLAGS: 00010282 +[ 833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000 +[ 833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8 +[ 833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7 +[ 833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8 +[ 833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6 +[ 833.215629] FS: 00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 +[ 833.215629] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0 +[ 833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 833.215629] Process 
mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0) +[ 833.215629] Stack: +[ 833.215629] ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286 +[ 833.215629] 0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8 +[ 833.215629] ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0 +[ 833.215629] Call Trace: +[ 833.215629] [] ? d_alloc_and_lookup+0x45/0x90 +[ 833.215629] [] ? d_lookup+0x35/0x60 +[ 833.215629] [] __lookup_hash.part.14+0x9e/0xc0 +[ 833.215629] [] lookup_one_len+0x146/0x1e0 +[ 833.215629] [] ? _raw_spin_lock+0xe/0x20 +[ 833.215629] [] cifs_do_mount+0x26d/0x500 [cifs] +[ 833.215629] [] mount_fs+0x43/0x1b0 +[ 833.215629] [] vfs_kern_mount+0x6a/0xd0 +[ 833.215629] [] do_kern_mount+0x54/0x110 +[ 833.215629] [] do_mount+0x262/0x840 +[ 833.215629] [] ? __get_free_pages+0xe/0x50 +[ 833.215629] [] ? copy_mount_options+0x3a/0x180 +[ 833.215629] [] sys_mount+0x8d/0xe0 +[ 833.215629] [] system_call_fastpath+0x16/0x1b +[ 833.215629] Code: Bad RIP value. +[ 833.215629] RIP [< (null)>] (null) +[ 833.215629] RSP +[ 833.215629] CR2: 0000000000000000 +[ 833.238525] ---[ end trace ec00758b8d44f529 ]--- + +When walking down the path on the server, it's possible to hit a +symlink. The path walking code assumes that the caller will handle that +situation properly, but cifs_get_root() isn't set up for it. This patch +prevents the oops by simply returning an error. + +A better solution would be to try and chase the symlinks here, but that's +fairly complicated to handle. 
+ +Fixes: + + https://bugzilla.kernel.org/show_bug.cgi?id=53221 + +Reported-and-tested-by: Kjell Braden +Signed-off-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsfs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -571,6 +571,11 @@ cifs_get_root(struct smb_vol *vol, struc + dentry = ERR_PTR(-ENOENT); + break; + } ++ if (!S_ISDIR(dir->i_mode)) { ++ dput(dentry); ++ dentry = ERR_PTR(-ENOTDIR); ++ break; ++ } + + /* skip separators */ + while (*s == sep) diff --git a/queue-3.0/scsi-dc395x-uninitialized-variable-in-device_alloc.patch b/queue-3.0/scsi-dc395x-uninitialized-variable-in-device_alloc.patch new file mode 100644 index 00000000000..9bed4a20aeb --- /dev/null +++ b/queue-3.0/scsi-dc395x-uninitialized-variable-in-device_alloc.patch 
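Review bot: The added `if (!S_ISDIR(dir->i_mode))` block reads `dir`, which is assigned outside the hunk (cifs_get_root() starts before it), so it depends on the preceding `if (!dir)` check having already rejected a NULL inode; the hunk keeps that order and any later reshuffle of the backport must too. A one-line comment would record why the mount fails with ENOTDIR instead of following the link, since the commit message says chasing symlinks here was judged too complex: `/* a non-directory (e.g. a symlink) in the prefix path is not followed; fail the mount */`. Per the trace, the NULL-pointer oops is reached through lookup_one_len() at mount time with the object being whatever the server holds at that path component, so the check also closes a server-triggerable client crash, not just a local bug.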
@@ -0,0 +1,38 @@ +From 208afec4f3be8c51ad6eebe6611dd6d2ad2fa298 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 11 Feb 2013 22:03:18 +0300 +Subject: SCSI: dc395x: uninitialized variable in device_alloc() + +From: Dan Carpenter + +commit 208afec4f3be8c51ad6eebe6611dd6d2ad2fa298 upstream. + +This bug was introduced back in bitkeeper days in 2003. We use +"dcb->dev_mode" before it has been initialized. + +Signed-off-by: Dan Carpenter +Acked-by: Oliver Neukum +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/dc395x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc + dcb->max_command = 1; + dcb->target_id = target; + dcb->target_lun = lun; ++ dcb->dev_mode = eeprom->target[target].cfg0; + #ifndef DC395x_NO_DISCONNECT + dcb->identify_msg = + IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun); + #else + dcb->identify_msg = IDENTIFY(0, lun); + #endif +- dcb->dev_mode = eeprom->target[target].cfg0; + dcb->inquiry7 = 0; + dcb->sync_mode = 0; + dcb->min_nego_period = clock_period[period_index]; diff --git a/queue-3.0/series b/queue-3.0/series index c1c383c8e7c..d3df148fe69 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -1,2 +1,7 @@ arm-vfp-fix-emulation-of-second-vfp-instruction.patch arm-fix-scheduling-while-atomic-warning-in-alignment-handling-code.patch +scsi-dc395x-uninitialized-variable-in-device_alloc.patch +target-pscsi-fix-page-increment.patch +btrfs-init-io_lock-after-cloning-btrfs-device-struct.patch +cifs-ensure-that-cifs_get_root-only-traverses-directories.patch +sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch diff --git a/queue-3.0/sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch b/queue-3.0/sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch new file mode 100644 index 00000000000..0ae2b203286 
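Review bot: The relocated `dcb->dev_mode = eeprom->target[target].cfg0;` now has an ordering dependency on the `IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun)` two lines below that nothing in the code signals; a comment at the assignment keeps a future reordering from reintroducing the uninitialised read: `/* must be set before the IDENTIFY() below, which reads dev_mode */`. The `#else` branch under DC395x_NO_DISCONNECT does not read dev_mode, so the old order was only wrong in the default build, which fits the commit message's "unnoticed since 2003". device_alloc() starts outside the hunk, so where `target` comes from and whether it is bounded against the eeprom->target array cannot be confirmed here.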
--- /dev/null +++ b/queue-3.0/sunrpc-don-t-start-the-retransmission-timer-when-out-of-socket-space.patch @@ -0,0 +1,45 @@ +From a9a6b52ee1baa865283a91eb8d443ee91adfca56 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 22 Feb 2013 14:57:57 -0500 +Subject: SUNRPC: Don't start the retransmission timer when out of socket space + +From: Trond Myklebust + +commit a9a6b52ee1baa865283a91eb8d443ee91adfca56 upstream. + +If the socket is full, we're better off just waiting until it empties, +or until the connection is broken. The reason why we generally don't +want to time out is that the call to xprt->ops->release_xprt() will +trigger a connection reset, which isn't helpful... + +Let's make an exception for soft RPC calls, since they have to provide +timeout guarantees. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -471,13 +471,17 @@ EXPORT_SYMBOL_GPL(xprt_wake_pending_task + * xprt_wait_for_buffer_space - wait for transport output buffer to clear + * @task: task to be put to sleep + * @action: function pointer to be executed after wait ++ * ++ * Note that we only set the timer for the case of RPC_IS_SOFT(), since ++ * we don't in general want to force a socket disconnection due to ++ * an incomplete RPC call transmission. + */ + void xprt_wait_for_buffer_space(struct rpc_task *task, rpc_action action) + { + struct rpc_rqst *req = task->tk_rqstp; + struct rpc_xprt *xprt = req->rq_xprt; + +- task->tk_timeout = req->rq_timeout; ++ task->tk_timeout = RPC_IS_SOFT(task) ? req->rq_timeout : 0; + rpc_sleep_on(&xprt->pending, task, action); + } + EXPORT_SYMBOL_GPL(xprt_wait_for_buffer_space); diff --git a/queue-3.0/target-pscsi-fix-page-increment.patch b/queue-3.0/target-pscsi-fix-page-increment.patch new file mode 100644 index 00000000000..0e50fd48045 --- /dev/null 
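Review bot: The literal `0` in `task->tk_timeout = RPC_IS_SOFT(task) ? req->rq_timeout : 0;` carries the whole behaviour change (no retransmission timer for hard tasks), but what a zero tk_timeout means is only implied by the kdoc added above it; a short comment at the assignment would make it explicit: `/* 0: no timer; hard tasks sleep until buffer space frees or the connection drops */`. For hard tasks this turns a bounded wait into one that ends only on a wake-up from elsewhere, so the 3.0 backport relies on the transport waking `xprt->pending` both when space becomes available and on disconnect; neither path is visible in the hunk, so that should be confirmed against the 3.0 tree rather than assumed from mainline.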
+++ b/queue-3.0/target-pscsi-fix-page-increment.patch @@ -0,0 +1,31 @@ +From 472b72f2db7831d7dbe22ffdff4adee3bd49b05d Mon Sep 17 00:00:00 2001 +From: Asias He +Date: Wed, 27 Feb 2013 13:29:29 +0800 +Subject: target/pscsi: Fix page increment + +From: Asias He + +commit 472b72f2db7831d7dbe22ffdff4adee3bd49b05d upstream. + +The page++ is wrong. It makes bio_add_pc_page() pointing to a wrong page +address if the 'while (len > 0 && data_len > 0) { ... }' loop is +executed more than one once. + +Signed-off-by: Asias He +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -1210,7 +1210,6 @@ static int __pscsi_map_task_SG( + bio = NULL; + } + +- page++; + len -= bytes; + data_len -= bytes; + off = 0; -- 2.47.3
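Review bot: With `page++` removed, every further iteration of the `while (len > 0 && data_len > 0)` loop named in the commit message hands the same `page` to bio_add_pc_page() while `off` is reset to 0 and `len` keeps shrinking; if a scatterlist entry here can cover more than one page (len greater than PAGE_SIZE - off on entry), the second iteration would map the first page again at offset 0. The loop header and the `page`/`len`/`off` set-up are outside the hunk, and __pscsi_map_task_SG() starts before it, so whether entries are guaranteed single-page cannot be confirmed from these lines and should be checked against the 3.0 caller before the patch enters the queue. Whatever the answer, a comment where `page++` stood would record the invariant being relied on: `/* same page for the rest of this entry; sg entries here are assumed to be at most one page — confirm */`.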