From c36e3aa1a4ea846a8976e37862d009573d810481 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 5 Nov 2013 07:59:57 -0800 Subject: [PATCH] 3.10-stable patches added patches: clockevents-sanitize-ticks-to-nsec-conversion.patch ecryptfs-fix-memory-leakage-in-keystore.c.patch libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch md-avoid-deadlock-when-md_set_badblocks.patch md-fix-skipping-recovery-for-read-only-arrays.patch parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch raid5-avoid-finding-discard-stripe.patch raid5-set-bio-bi_vcnt-0-for-discard-request.patch target-pscsi-fix-return-value-check.patch vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch --- ...ts-sanitize-ticks-to-nsec-conversion.patch | 162 ++++++++++++++++++ ...tfs-fix-memory-leakage-in-keystore.c.patch | 40 +++++ ...-bump-scmd-allowed-on-bogus-failures.patch | 49 ++++++ ...avoid-deadlock-when-md_set_badblocks.patch | 110 ++++++++++++ ...ipping-recovery-for-read-only-arrays.patch | 56 ++++++ ...smp-kernels-on-machines-with-4gb-ram.patch | 70 ++++++++ .../raid5-avoid-finding-discard-stripe.patch | 41 +++++ ...et-bio-bi_vcnt-0-for-discard-request.patch | 53 ++++++ queue-3.10/series | 10 ++ .../target-pscsi-fix-return-value-check.patch | 49 ++++++ ...-get_user_pages_fast-write-parameter.patch | 43 +++++ 11 files changed, 683 insertions(+) create mode 100644 queue-3.10/clockevents-sanitize-ticks-to-nsec-conversion.patch create mode 100644 queue-3.10/ecryptfs-fix-memory-leakage-in-keystore.c.patch create mode 100644 queue-3.10/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch create mode 100644 queue-3.10/md-avoid-deadlock-when-md_set_badblocks.patch create mode 100644 queue-3.10/md-fix-skipping-recovery-for-read-only-arrays.patch create mode 100644 queue-3.10/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch create mode 100644 queue-3.10/raid5-avoid-finding-discard-stripe.patch create mode 100644 queue-3.10/raid5-set-bio-bi_vcnt-0-for-discard-request.patch create mode 100644 queue-3.10/target-pscsi-fix-return-value-check.patch create mode 100644 queue-3.10/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch diff --git a/queue-3.10/clockevents-sanitize-ticks-to-nsec-conversion.patch b/queue-3.10/clockevents-sanitize-ticks-to-nsec-conversion.patch new file mode 100644 index 00000000000..2aa95569cbe --- /dev/null +++ b/queue-3.10/clockevents-sanitize-ticks-to-nsec-conversion.patch @@ -0,0 +1,162 @@ +From 97b9410643475d6557d2517c2aff9fd2221141a9 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 24 Sep 2013 21:50:23 +0200 +Subject: clockevents: Sanitize ticks to nsec conversion + +From: Thomas Gleixner + +commit 97b9410643475d6557d2517c2aff9fd2221141a9 upstream. + +Marc Kleine-Budde pointed out, that commit 77cc982 "clocksource: use +clockevents_config_and_register() where possible" caused a regression +for some of the converted subarchs. + +The reason is, that the clockevents core code converts the minimal +hardware tick delta to a nanosecond value for core internal +usage. This conversion is affected by integer math rounding loss, so +the backwards conversion to hardware ticks will likely result in a +value which is less than the configured hardware limitation. The +affected subarchs used their own workaround (SIGH!) which got lost in +the conversion. + +The solution for the issue at hand is simple: adding evt->mult - 1 to +the shifted value before the integer divison in the core conversion +function takes care of it. But this only works for the case where for +the scaled math mult/shift pair "mult <= 1 << shift" is true. For the +case where "mult > 1 << shift" we can apply the rounding add only for +the minimum delta value to make sure that the backward conversion is +not less than the given hardware limit. For the upper bound we need to +omit the rounding add, because the backwards conversion is always +larger than the original latch value. That would violate the upper +bound of the hardware device. + +Though looking closer at the details of that function reveals another +bogosity: The upper bounds check is broken as well. Checking for a +resulting "clc" value greater than KTIME_MAX after the conversion is +pointless. The conversion does: + + u64 clc = (latch << evt->shift) / evt->mult; + +So there is no sanity check for (latch << evt->shift) exceeding the +64bit boundary. The latch argument is "unsigned long", so on a 64bit +arch the handed in argument could easily lead to an unnoticed shift +overflow. With the above rounding fix applied the calculation before +the divison is: + + u64 clc = (latch << evt->shift) + evt->mult - 1; + +So we need to make sure, that neither the shift nor the rounding add +is overflowing the u64 boundary. + +[ukl: move assignment to rnd after eventually changing mult, fix build + issue and correct comment with the right math] + +Signed-off-by: Thomas Gleixner +Cc: Russell King - ARM Linux +Cc: Marc Kleine-Budde +Cc: nicolas.ferre@atmel.com +Cc: Marc Pignat +Cc: john.stultz@linaro.org +Cc: kernel@pengutronix.de +Cc: Ronald Wahl +Cc: LAK +Cc: Ludovic Desroches +Link: http://lkml.kernel.org/r/1380052223-24139-1-git-send-email-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clockevents.c | 65 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 50 insertions(+), 15 deletions(-) + +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -30,29 +30,64 @@ static RAW_NOTIFIER_HEAD(clockevents_cha + /* Protection for the above */ + static DEFINE_RAW_SPINLOCK(clockevents_lock); + +-/** +- * clockevents_delta2ns - Convert a latch value (device ticks) to nanoseconds +- * @latch: value to convert +- * @evt: pointer to clock event device descriptor +- * +- * Math helper, returns latch value converted to nanoseconds (bound checked) +- */ +-u64 clockevent_delta2ns(unsigned long latch, struct clock_event_device *evt) ++static u64 cev_delta2ns(unsigned long latch, struct clock_event_device *evt, ++ bool ismax) + { + u64 clc = (u64) latch << evt->shift; ++ u64 rnd; + + if (unlikely(!evt->mult)) { + evt->mult = 1; + WARN_ON(1); + } ++ rnd = (u64) evt->mult - 1; ++ ++ /* ++ * Upper bound sanity check. If the backwards conversion is ++ * not equal latch, we know that the above shift overflowed. ++ */ ++ if ((clc >> evt->shift) != (u64)latch) ++ clc = ~0ULL; ++ ++ /* ++ * Scaled math oddities: ++ * ++ * For mult <= (1 << shift) we can safely add mult - 1 to ++ * prevent integer rounding loss. So the backwards conversion ++ * from nsec to device ticks will be correct. ++ * ++ * For mult > (1 << shift), i.e. device frequency is > 1GHz we ++ * need to be careful. Adding mult - 1 will result in a value ++ * which when converted back to device ticks can be larger ++ * than latch by up to (mult - 1) >> shift. For the min_delta ++ * calculation we still want to apply this in order to stay ++ * above the minimum device ticks limit. For the upper limit ++ * we would end up with a latch value larger than the upper ++ * limit of the device, so we omit the add to stay below the ++ * device upper boundary. ++ * ++ * Also omit the add if it would overflow the u64 boundary. ++ */ ++ if ((~0ULL - clc > rnd) && ++ (!ismax || evt->mult <= (1U << evt->shift))) ++ clc += rnd; + + do_div(clc, evt->mult); +- if (clc < 1000) +- clc = 1000; +- if (clc > KTIME_MAX) +- clc = KTIME_MAX; + +- return clc; ++ /* Deltas less than 1usec are pointless noise */ ++ return clc > 1000 ? clc : 1000; ++} ++ ++/** ++ * clockevents_delta2ns - Convert a latch value (device ticks) to nanoseconds ++ * @latch: value to convert ++ * @evt: pointer to clock event device descriptor ++ * ++ * Math helper, returns latch value converted to nanoseconds (bound checked) ++ */ ++u64 clockevent_delta2ns(unsigned long latch, struct clock_event_device *evt) ++{ ++ return cev_delta2ns(latch, evt, false); + } + EXPORT_SYMBOL_GPL(clockevent_delta2ns); + +@@ -317,8 +352,8 @@ void clockevents_config(struct clock_eve + sec = 600; + + clockevents_calc_mult_shift(dev, freq, sec); +- dev->min_delta_ns = clockevent_delta2ns(dev->min_delta_ticks, dev); +- dev->max_delta_ns = clockevent_delta2ns(dev->max_delta_ticks, dev); ++ dev->min_delta_ns = cev_delta2ns(dev->min_delta_ticks, dev, false); ++ dev->max_delta_ns = cev_delta2ns(dev->max_delta_ticks, dev, true); + } + + /** diff --git a/queue-3.10/ecryptfs-fix-memory-leakage-in-keystore.c.patch b/queue-3.10/ecryptfs-fix-memory-leakage-in-keystore.c.patch new file mode 100644 index 00000000000..e0971376c19 --- /dev/null +++ b/queue-3.10/ecryptfs-fix-memory-leakage-in-keystore.c.patch @@ -0,0 +1,40 @@ +From 3edc8376c06133e3386265a824869cad03a4efd4 Mon Sep 17 00:00:00 2001 +From: "Geyslan G. Bem" +Date: Fri, 11 Oct 2013 16:49:16 -0300 +Subject: ecryptfs: Fix memory leakage in keystore.c + +From: "Geyslan G. Bem" + +commit 3edc8376c06133e3386265a824869cad03a4efd4 upstream. + +In 'decrypt_pki_encrypted_session_key' function: + +Initializes 'payload' pointer and releases it on exit. + +Signed-off-by: Geyslan G. Bem +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/keystore.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -1149,7 +1149,7 @@ decrypt_pki_encrypted_session_key(struct + struct ecryptfs_msg_ctx *msg_ctx; + struct ecryptfs_message *msg = NULL; + char *auth_tok_sig; +- char *payload; ++ char *payload = NULL; + size_t payload_len = 0; + int rc; + +@@ -1203,6 +1203,7 @@ decrypt_pki_encrypted_session_key(struct + } + out: + kfree(msg); ++ kfree(payload); + return rc; + } + diff --git a/queue-3.10/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch b/queue-3.10/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch new file mode 100644 index 00000000000..66fda1e937e --- /dev/null +++ b/queue-3.10/libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch @@ -0,0 +1,49 @@ +From f13e220161e738c2710b9904dcb3cf8bb0bcce61 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Fri, 7 Aug 2009 16:17:49 -0700 +Subject: libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures + +From: Gwendal Grignou + +commit f13e220161e738c2710b9904dcb3cf8bb0bcce61 upstream. + +libata EH decrements scmd->retries when the command failed for reasons +unrelated to the command itself so that, for example, commands aborted +due to suspend / resume cycle don't get penalized; however, +decrementing scmd->retries isn't enough for ATA passthrough commands. + +Without this fix, ATA passthrough commands are not resend to the +drive, and no error is signalled to the caller because: + +- allowed retry count is 1 +- ata_eh_qc_complete fill the sense data, so result is valid +- sense data is filled with untouched ATA registers. + +Signed-off-by: Gwendal Grignou +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-eh.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1322,14 +1322,14 @@ void ata_eh_qc_complete(struct ata_queue + * should be retried. To be used from EH. + * + * SCSI midlayer limits the number of retries to scmd->allowed. +- * scmd->retries is decremented for commands which get retried ++ * scmd->allowed is incremented for commands which get retried + * due to unrelated failures (qc->err_mask is zero). + */ + void ata_eh_qc_retry(struct ata_queued_cmd *qc) + { + struct scsi_cmnd *scmd = qc->scsicmd; +- if (!qc->err_mask && scmd->retries) +- scmd->retries--; ++ if (!qc->err_mask) ++ scmd->allowed++; + __ata_eh_qc_complete(qc); + } + diff --git a/queue-3.10/md-avoid-deadlock-when-md_set_badblocks.patch b/queue-3.10/md-avoid-deadlock-when-md_set_badblocks.patch new file mode 100644 index 00000000000..0516356ee8e --- /dev/null +++ b/queue-3.10/md-avoid-deadlock-when-md_set_badblocks.patch @@ -0,0 +1,110 @@ +From 905b0297a9533d7a6ee00a01a990456636877dd6 Mon Sep 17 00:00:00 2001 +From: Bian Yu +Date: Sat, 12 Oct 2013 01:10:03 -0400 +Subject: md: avoid deadlock when md_set_badblocks. + +From: Bian Yu + +commit 905b0297a9533d7a6ee00a01a990456636877dd6 upstream. + +When operate harddisk and hit errors, md_set_badblocks is called after +scsi_restart_operations which already disabled the irq. but md_set_badblocks +will call write_sequnlock_irq and enable irq. so softirq can preempt the +current thread and that may cause a deadlock. I think this situation should +use write_sequnlock_irqsave/irqrestore instead. + +I met the situation and the call trace is below: +[ 638.919974] BUG: spinlock recursion on CPU#0, scsi_eh_13/1010 +[ 638.921923] lock: 0xffff8800d4d51fc8, .magic: dead4ead, .owner: scsi_eh_13/1010, .owner_cpu: 0 +[ 638.923890] CPU: 0 PID: 1010 Comm: scsi_eh_13 Not tainted 3.12.0-rc5+ #37 +[ 638.925844] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS 4.6.5 03/05/2013 +[ 638.927816] ffff880037ad4640 ffff880118c03d50 ffffffff8172ff85 0000000000000007 +[ 638.929829] ffff8800d4d51fc8 ffff880118c03d70 ffffffff81730030 ffff8800d4d51fc8 +[ 638.931848] ffffffff81a72eb0 ffff880118c03d90 ffffffff81730056 ffff8800d4d51fc8 +[ 638.933884] Call Trace: +[ 638.935867] [] dump_stack+0x55/0x76 +[ 638.937878] [] spin_dump+0x8a/0x8f +[ 638.939861] [] spin_bug+0x21/0x26 +[ 638.941836] [] do_raw_spin_lock+0xa4/0xc0 +[ 638.943801] [] _raw_spin_lock+0x66/0x80 +[ 638.945747] [] ? scsi_device_unbusy+0x9d/0xd0 +[ 638.947672] [] ? _raw_spin_unlock+0x2b/0x50 +[ 638.949595] [] scsi_device_unbusy+0x9d/0xd0 +[ 638.951504] [] scsi_finish_command+0x37/0xe0 +[ 638.953388] [] scsi_softirq_done+0xa8/0x140 +[ 638.955248] [] blk_done_softirq+0x7b/0x90 +[ 638.957116] [] __do_softirq+0xfd/0x330 +[ 638.958987] [] ? __lock_release+0x6f/0x100 +[ 638.960861] [] call_softirq+0x1c/0x30 +[ 638.962724] [] do_softirq+0x8d/0xc0 +[ 638.964565] [] irq_exit+0x10e/0x150 +[ 638.966390] [] smp_apic_timer_interrupt+0x4a/0x60 +[ 638.968223] [] apic_timer_interrupt+0x6f/0x80 +[ 638.970079] [] ? __lock_release+0x6f/0x100 +[ 638.971899] [] ? _raw_spin_unlock_irq+0x3a/0x50 +[ 638.973691] [] ? _raw_spin_unlock_irq+0x30/0x50 +[ 638.975475] [] md_set_badblocks+0x1f3/0x4a0 +[ 638.977243] [] rdev_set_badblocks+0x27/0x80 +[ 638.978988] [] raid5_end_read_request+0x36b/0x4e0 [raid456] +[ 638.980723] [] bio_endio+0x1d/0x40 +[ 638.982463] [] req_bio_endio.isra.65+0x83/0xa0 +[ 638.984214] [] blk_update_request+0x7f/0x350 +[ 638.985967] [] blk_update_bidi_request+0x31/0x90 +[ 638.987710] [] __blk_end_bidi_request+0x20/0x50 +[ 638.989439] [] __blk_end_request_all+0x1f/0x30 +[ 638.991149] [] blk_peek_request+0x106/0x250 +[ 638.992861] [] ? scsi_kill_request.isra.32+0xe9/0x130 +[ 638.994561] [] scsi_request_fn+0x4a/0x3d0 +[ 638.996251] [] __blk_run_queue+0x37/0x50 +[ 638.997900] [] blk_run_queue+0x2f/0x50 +[ 638.999553] [] scsi_run_queue+0xe0/0x1c0 +[ 639.001185] [] scsi_run_host_queues+0x21/0x40 +[ 639.002798] [] scsi_restart_operations+0x177/0x200 +[ 639.004391] [] scsi_error_handler+0xc9/0xe0 +[ 639.005996] [] ? scsi_unjam_host+0xd0/0xd0 +[ 639.007600] [] kthread+0xdb/0xe0 +[ 639.009205] [] ? flush_kthread_worker+0x170/0x170 +[ 639.010821] [] ret_from_fork+0x7c/0xb0 +[ 639.012437] [] ? flush_kthread_worker+0x170/0x170 + +This bug was introduce in commit 2e8ac30312973dd20e68073653 +(the first time rdev_set_badblock was call from interrupt context), +so this patch is appropriate for 3.5 and subsequent kernels. + +Signed-off-by: Bian Yu +Reviewed-by: Jianpeng Ma +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8072,6 +8072,7 @@ static int md_set_badblocks(struct badbl + u64 *p; + int lo, hi; + int rv = 1; ++ unsigned long flags; + + if (bb->shift < 0) + /* badblocks are disabled */ +@@ -8086,7 +8087,7 @@ static int md_set_badblocks(struct badbl + sectors = next - s; + } + +- write_seqlock_irq(&bb->lock); ++ write_seqlock_irqsave(&bb->lock, flags); + + p = bb->page; + lo = 0; +@@ -8202,7 +8203,7 @@ static int md_set_badblocks(struct badbl + bb->changed = 1; + if (!acknowledged) + bb->unacked_exist = 1; +- write_sequnlock_irq(&bb->lock); ++ write_sequnlock_irqrestore(&bb->lock, flags); + + return rv; + } diff --git a/queue-3.10/md-fix-skipping-recovery-for-read-only-arrays.patch b/queue-3.10/md-fix-skipping-recovery-for-read-only-arrays.patch new file mode 100644 index 00000000000..83e32773508 --- /dev/null +++ b/queue-3.10/md-fix-skipping-recovery-for-read-only-arrays.patch @@ -0,0 +1,56 @@ +From 61e4947c99c4494336254ec540c50186d186150b Mon Sep 17 00:00:00 2001 +From: Lukasz Dorau +Date: Thu, 24 Oct 2013 12:55:17 +1100 +Subject: md: Fix skipping recovery for read-only arrays. + +From: Lukasz Dorau + +commit 61e4947c99c4494336254ec540c50186d186150b upstream. + +Since: + commit 7ceb17e87bde79d285a8b988cfed9eaeebe60b86 + md: Allow devices to be re-added to a read-only array. + +spares are activated on a read-only array. In case of raid1 and raid10 +personalities it causes that not-in-sync devices are marked in-sync +without checking if recovery has been finished. + +If a read-only array is degraded and one of its devices is not in-sync +(because the array has been only partially recovered) recovery will be skipped. + +This patch adds checking if recovery has been finished before marking a device +in-sync for raid1 and raid10 personalities. In case of raid5 personality +such condition is already present (at raid5.c:6029). + +Bug was introduced in 3.10 and causes data corruption. + +Signed-off-by: Pawel Baldysiak +Signed-off-by: Lukasz Dorau +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 1 + + drivers/md/raid10.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1479,6 +1479,7 @@ static int raid1_spare_active(struct mdd + } + } + if (rdev ++ && rdev->recovery_offset == MaxSector + && !test_bit(Faulty, &rdev->flags) + && !test_and_set_bit(In_sync, &rdev->flags)) { + count++; +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1762,6 +1762,7 @@ static int raid10_spare_active(struct md + } + sysfs_notify_dirent_safe(tmp->replacement->sysfs_state); + } else if (tmp->rdev ++ && tmp->rdev->recovery_offset == MaxSector + && !test_bit(Faulty, &tmp->rdev->flags) + && !test_and_set_bit(In_sync, &tmp->rdev->flags)) { + count++; diff --git a/queue-3.10/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch b/queue-3.10/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch new file mode 100644 index 00000000000..8c0780acb1a --- /dev/null +++ b/queue-3.10/parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch @@ -0,0 +1,70 @@ +From 54e181e073fc1415e41917d725ebdbd7de956455 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 26 Oct 2013 23:19:25 +0200 +Subject: parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM + +From: Helge Deller + +commit 54e181e073fc1415e41917d725ebdbd7de956455 upstream. + +Since the beginning of the parisc-linux port, sometimes 64bit SMP kernels were +not able to bring up other CPUs than the monarch CPU and instead crashed the +kernel. The reason was unclear, esp. since it involved various machines (e.g. +J5600, J6750 and SuperDome). Testing showed, that those crashes didn't happened +when less than 4GB were installed, or if a 32bit Linux kernel was booted. + +In the end, the fix for those SMP problems is trivial: +During the early phase of the initialization of the CPUs, including the monarch +CPU, the PDC_PSW firmware function to enable WIDE (=64bit) mode is called. +It's documented that this firmware function may clobber various registers, and +one one of those possibly clobbered registers is %cr30 which holds the task +thread info pointer. + +Now, if %cr30 would always have been clobbered, then this bug would have been +detected much earlier. But lots of testing finally showed, that - at least for +%cr30 - on some machines only the upper 32bits of the 64bit register suddenly +turned zero after the firmware call. + +So, after finding the root cause, the explanation for the various crashes +became clear: +- On 32bit SMP Linux kernels all upper 32bit were zero, so we didn't faced this + problem. +- Monarch CPUs in 64bit mode always booted sucessfully, because the inital task + thread info pointer was below 4GB. +- Secondary CPUs booted sucessfully on machines with less than 4GB RAM because + the upper 32bit were zero anyay. +- Secondary CPus failed to boot if we had more than 4GB RAM and the task thread + info pointer was located above the 4GB boundary. + +Finally, the patch to fix this problem is trivial by saving the %cr30 register +before the firmware call and restoring it afterwards. + +Signed-off-by: Helge Deller +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/head.S | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -195,6 +195,8 @@ common_stext: + ldw MEM_PDC_HI(%r0),%r6 + depd %r6, 31, 32, %r3 /* move to upper word */ + ++ mfctl %cr30,%r6 /* PCX-W2 firmware bug */ ++ + ldo PDC_PSW(%r0),%arg0 /* 21 */ + ldo PDC_PSW_SET_DEFAULTS(%r0),%arg1 /* 2 */ + ldo PDC_PSW_WIDE_BIT(%r0),%arg2 /* 2 */ +@@ -203,6 +205,8 @@ common_stext: + copy %r0,%arg3 + + stext_pdc_ret: ++ mtctl %r6,%cr30 /* restore task thread info */ ++ + /* restore rfi target address*/ + ldd TI_TASK-THREAD_SZ_ALGN(%sp), %r10 + tophys_r1 %r10 diff --git a/queue-3.10/raid5-avoid-finding-discard-stripe.patch b/queue-3.10/raid5-avoid-finding-discard-stripe.patch new file mode 100644 index 00000000000..fc48f6dab4b --- /dev/null +++ b/queue-3.10/raid5-avoid-finding-discard-stripe.patch @@ -0,0 +1,41 @@ +From d47648fcf0611812286f68131b40251c6fa54f5e Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Sat, 19 Oct 2013 14:51:42 +0800 +Subject: raid5: avoid finding "discard" stripe + +From: Shaohua Li + +commit d47648fcf0611812286f68131b40251c6fa54f5e upstream. + +SCSI discard will damage discard stripe bio setting, eg, some fields are +changed. If the stripe is reused very soon, we have wrong bios setting. We +remove discard stripe from hash list, so next time the strip will be fully +initialized. + +Suitable for backport to 3.7+. + +Signed-off-by: Shaohua Li +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2812,6 +2812,14 @@ static void handle_stripe_clean_event(st + } + /* now that discard is done we can proceed with any sync */ + clear_bit(STRIPE_DISCARD, &sh->state); ++ /* ++ * SCSI discard will change some bio fields and the stripe has ++ * no updated data, so remove it from hash list and the stripe ++ * will be reinitialized ++ */ ++ spin_lock_irq(&conf->device_lock); ++ remove_hash(sh); ++ spin_unlock_irq(&conf->device_lock); + if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state)) + set_bit(STRIPE_HANDLE, &sh->state); + diff --git a/queue-3.10/raid5-set-bio-bi_vcnt-0-for-discard-request.patch b/queue-3.10/raid5-set-bio-bi_vcnt-0-for-discard-request.patch new file mode 100644 index 00000000000..7f1d018001d --- /dev/null +++ b/queue-3.10/raid5-set-bio-bi_vcnt-0-for-discard-request.patch @@ -0,0 +1,53 @@ +From 37c61ff31e9b5e3fcf3cc6579f5c68f6ad40c4b1 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Sat, 19 Oct 2013 14:50:28 +0800 +Subject: raid5: set bio bi_vcnt 0 for discard request + +From: Shaohua Li + +commit 37c61ff31e9b5e3fcf3cc6579f5c68f6ad40c4b1 upstream. + +SCSI layer will add new payload for discard request. If two bios are merged +to one, the second bio has bi_vcnt 1 which is set in raid5. This will confuse +SCSI and cause oops. + +Suitable for backport to 3.7+ + +Reported-by: Jes Sorensen +Signed-off-by: Shaohua Li +Signed-off-by: NeilBrown +Acked-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -668,6 +668,12 @@ static void ops_run_io(struct stripe_hea + bi->bi_io_vec[0].bv_len = STRIPE_SIZE; + bi->bi_io_vec[0].bv_offset = 0; + bi->bi_size = STRIPE_SIZE; ++ /* ++ * If this is discard request, set bi_vcnt 0. We don't ++ * want to confuse SCSI because SCSI will replace payload ++ */ ++ if (rw & REQ_DISCARD) ++ bi->bi_vcnt = 0; + if (rrdev) + set_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags); + +@@ -706,6 +712,12 @@ static void ops_run_io(struct stripe_hea + rbi->bi_io_vec[0].bv_len = STRIPE_SIZE; + rbi->bi_io_vec[0].bv_offset = 0; + rbi->bi_size = STRIPE_SIZE; ++ /* ++ * If this is discard request, set bi_vcnt 0. We don't ++ * want to confuse SCSI because SCSI will replace payload ++ */ ++ if (rw & REQ_DISCARD) ++ rbi->bi_vcnt = 0; + if (conf->mddev->gendisk) + trace_block_bio_remap(bdev_get_queue(rbi->bi_bdev), + rbi, disk_devt(conf->mddev->gendisk), diff --git a/queue-3.10/series b/queue-3.10/series index d58393fbdbb..8faa2edee31 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -22,3 +22,13 @@ can-at91-can-fix-device-to-driver-data-mapping-for-platform-devices.patch can-flexcan-fix-mx28-detection-by-rearanging-of-match-table.patch can-flexcan-flexcan_chip_start-fix-regression-mark-one-mb-for-tx-and-abort-pending-tx.patch scsi-sd-call-blk_pm_runtime_init-before-add_disk.patch +ecryptfs-fix-memory-leakage-in-keystore.c.patch +raid5-set-bio-bi_vcnt-0-for-discard-request.patch +raid5-avoid-finding-discard-stripe.patch +libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch +md-avoid-deadlock-when-md_set_badblocks.patch +md-fix-skipping-recovery-for-read-only-arrays.patch +target-pscsi-fix-return-value-check.patch +vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch +clockevents-sanitize-ticks-to-nsec-conversion.patch +parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch diff --git a/queue-3.10/target-pscsi-fix-return-value-check.patch b/queue-3.10/target-pscsi-fix-return-value-check.patch new file mode 100644 index 00000000000..8a8c74de4a9 --- /dev/null +++ b/queue-3.10/target-pscsi-fix-return-value-check.patch @@ -0,0 +1,49 @@ +From 58932e96e438cd78f75e765d7b87ef39d3533d15 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 25 Oct 2013 21:53:33 +0800 +Subject: target/pscsi: fix return value check + +From: Wei Yongjun + +commit 58932e96e438cd78f75e765d7b87ef39d3533d15 upstream. + +In case of error, the function scsi_host_lookup() returns NULL +pointer not ERR_PTR(). The IS_ERR() test in the return value check +should be replaced with NULL test. + +Signed-off-by: Wei Yongjun +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -134,10 +134,10 @@ static int pscsi_pmode_enable_hba(struct + * pSCSI Host ID and enable for phba mode + */ + sh = scsi_host_lookup(phv->phv_host_id); +- if (IS_ERR(sh)) { ++ if (!sh) { + pr_err("pSCSI: Unable to locate SCSI Host for" + " phv_host_id: %d\n", phv->phv_host_id); +- return PTR_ERR(sh); ++ return -EINVAL; + } + + phv->phv_lld_host = sh; +@@ -515,10 +515,10 @@ static int pscsi_configure_device(struct + sh = phv->phv_lld_host; + } else { + sh = scsi_host_lookup(pdv->pdv_host_id); +- if (IS_ERR(sh)) { ++ if (!sh) { + pr_err("pSCSI: Unable to locate" + " pdv_host_id: %d\n", pdv->pdv_host_id); +- return PTR_ERR(sh); ++ return -EINVAL; + } + } + } else { diff --git a/queue-3.10/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch b/queue-3.10/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch new file mode 100644 index 00000000000..09dd067dc64 --- /dev/null +++ b/queue-3.10/vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch @@ -0,0 +1,43 @@ +From 60a01f558af9c48b0bb31f303c479e32721add3f Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 25 Oct 2013 10:44:15 -0700 +Subject: vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter + +From: Nicholas Bellinger + +commit 60a01f558af9c48b0bb31f303c479e32721add3f upstream. + +This patch addresses a long-standing bug where the get_user_pages_fast() +write parameter used for setting the underlying page table entry permission +bits was incorrectly set to write=1 for data_direction=DMA_TO_DEVICE, and +passed into get_user_pages_fast() via vhost_scsi_map_iov_to_sgl(). + +However, this parameter is intended to signal WRITEs to pinned userspace +PTEs for the virtio-scsi DMA_FROM_DEVICE -> READ payload case, and *not* +for the virtio-scsi DMA_TO_DEVICE -> WRITE payload case. + +This bug would manifest itself as random process segmentation faults on +KVM host after repeated vhost starts + stops and/or with lots of vhost +endpoints + LUNs. + +Cc: Stefan Hajnoczi +Cc: Michael S. Tsirkin +Cc: Asias He +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vhost/scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1017,7 +1017,7 @@ static void vhost_scsi_handle_vq(struct + if (data_direction != DMA_NONE) { + ret = vhost_scsi_map_iov_to_sgl(tv_cmd, + &vq->iov[data_first], data_num, +- data_direction == DMA_TO_DEVICE); ++ data_direction == DMA_FROM_DEVICE); + if (unlikely(ret)) { + vq_err(vq, "Failed to map iov to sgl\n"); + goto err_free; -- 2.47.3