--- /dev/null
+From 7e6d3e5c70f13874fb06e6b67696ed90ce79bd48 Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Date: Fri, 2 May 2014 11:40:17 -0400
+Subject: IB/ipath: Translate legacy diagpkt into newer extended diagpkt
+
+From: Dennis Dalessandro <dennis.dalessandro@intel.com>
+
+commit 7e6d3e5c70f13874fb06e6b67696ed90ce79bd48 upstream.
+
+This patch addresses an issue where the legacy diagpacket is sent in
+from the user, but the driver operates on only the extended
+diagpkt. This patch specifically initializes the extended diagpkt
+based on the legacy packet.
+
+Reported-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ipath/ipath_diag.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/ipath/ipath_diag.c
++++ b/drivers/infiniband/hw/ipath/ipath_diag.c
+@@ -346,6 +346,10 @@ static ssize_t ipath_diagpkt_write(struc
+ ret = -EFAULT;
+ goto bail;
+ }
++ dp.len = odp.len;
++ dp.unit = odp.unit;
++ dp.data = odp.data;
++ dp.pbc_wd = 0;
+ } else {
+ ret = -EINVAL;
+ goto bail;
--- /dev/null
+From 911eccd284d13d78c92ec4f1f1092c03457d732a Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 2 May 2014 11:28:04 -0400
+Subject: IB/qib: Fix port in pkey change event
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 911eccd284d13d78c92ec4f1f1092c03457d732a upstream.
+
+The code used a literal 1 in dispatching an IB_EVENT_PKEY_CHANGE.
+
+As of the dual port qib QDR card, this is not necessarily correct.
+
+Change to use the port as specified in the call.
+
+Reported-by: Alex Estrin <alex.estrin@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib_mad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/qib/qib_mad.c
++++ b/drivers/infiniband/hw/qib/qib_mad.c
+@@ -1005,7 +1005,7 @@ static int set_pkeys(struct qib_devdata
+
+ event.event = IB_EVENT_PKEY_CHANGE;
+ event.device = &dd->verbs_dev.ibdev;
+- event.element.port_num = 1;
++ event.element.port_num = port;
+ ib_dispatch_event(&event);
+ }
+ return 0;
--- /dev/null
+From 024ca90151f5e4296d30f72c13ff9a075e23c9ec Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 20 May 2014 15:03:49 +0200
+Subject: IB/srp: Fix a sporadic crash triggered by cable pulling
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 024ca90151f5e4296d30f72c13ff9a075e23c9ec upstream.
+
+Avoid that the loops that iterate over the request ring can encounter
+a pointer to a SCSI command in req->scmnd that is no longer associated
+with that request. If the function srp_unmap_data() is invoked twice
+for a SCSI command that is not in flight then that would cause
+ib_fmr_pool_unmap() to be invoked with an invalid pointer as argument,
+resulting in a kernel oops.
+
+Reported-by: Sagi Grimberg <sagig@mellanox.com>
+Reference: http://thread.gmane.org/gmane.linux.drivers.rdma/19068/focus=19069
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -1371,6 +1371,12 @@ err_unmap:
+ err_iu:
+ srp_put_tx_iu(target, iu, SRP_IU_CMD);
+
++ /*
++ * Avoid that the loops that iterate over the request ring can
++ * encounter a dangling SCSI command pointer.
++ */
++ req->scmnd = NULL;
++
+ spin_lock_irqsave(&target->lock, flags);
+ list_add(&req->list, &target->free_reqs);
+
--- /dev/null
+From 8ec0a0e6b58218bdc1db91dd70ebfcd6ad8dd6cd Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 20 May 2014 10:33:41 +0200
+Subject: IB/umad: Fix error handling
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 8ec0a0e6b58218bdc1db91dd70ebfcd6ad8dd6cd upstream.
+
+Avoid leaking a kref count in ib_umad_open() if port->ib_dev == NULL
+or if nonseekable_open() fails.
+
+Avoid leaking a kref count, that sm_sem is kept down and also that the
+IB_PORT_SM capability mask is not cleared in ib_umad_sm_open() if
+nonseekable_open() fails.
+
+Since container_of() never returns NULL, remove the code that tests
+whether container_of() returns NULL.
+
+Moving the kref_get() call from the start of ib_umad_*open() to the
+end is safe since it is the responsibility of the caller of these
+functions to ensure that the cdev pointer remains valid until at least
+when these functions return.
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+
+[ydroneaud@opteya.com: rework a bit to reduce the amount of code changed]
+
+Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
+
+[ nonseekable_open() can't actually fail, but.... - Roland ]
+
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/user_mad.c | 49 ++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -780,27 +780,19 @@ static int ib_umad_open(struct inode *in
+ {
+ struct ib_umad_port *port;
+ struct ib_umad_file *file;
+- int ret;
++ int ret = -ENXIO;
+
+ port = container_of(inode->i_cdev, struct ib_umad_port, cdev);
+- if (port)
+- kref_get(&port->umad_dev->ref);
+- else
+- return -ENXIO;
+
+ mutex_lock(&port->file_mutex);
+
+- if (!port->ib_dev) {
+- ret = -ENXIO;
++ if (!port->ib_dev)
+ goto out;
+- }
+
++ ret = -ENOMEM;
+ file = kzalloc(sizeof *file, GFP_KERNEL);
+- if (!file) {
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
+- ret = -ENOMEM;
++ if (!file)
+ goto out;
+- }
+
+ mutex_init(&file->mutex);
+ spin_lock_init(&file->send_lock);
+@@ -814,6 +806,13 @@ static int ib_umad_open(struct inode *in
+ list_add_tail(&file->port_list, &port->file_list);
+
+ ret = nonseekable_open(inode, filp);
++ if (ret) {
++ list_del(&file->port_list);
++ kfree(file);
++ goto out;
++ }
++
++ kref_get(&port->umad_dev->ref);
+
+ out:
+ mutex_unlock(&port->file_mutex);
+@@ -880,10 +879,6 @@ static int ib_umad_sm_open(struct inode
+ int ret;
+
+ port = container_of(inode->i_cdev, struct ib_umad_port, sm_cdev);
+- if (port)
+- kref_get(&port->umad_dev->ref);
+- else
+- return -ENXIO;
+
+ if (filp->f_flags & O_NONBLOCK) {
+ if (down_trylock(&port->sm_sem)) {
+@@ -898,17 +893,27 @@ static int ib_umad_sm_open(struct inode
+ }
+
+ ret = ib_modify_port(port->ib_dev, port->port_num, 0, &props);
+- if (ret) {
+- up(&port->sm_sem);
+- goto fail;
+- }
++ if (ret)
++ goto err_up_sem;
+
+ filp->private_data = port;
+
+- return nonseekable_open(inode, filp);
++ ret = nonseekable_open(inode, filp);
++ if (ret)
++ goto err_clr_sm_cap;
++
++ kref_get(&port->umad_dev->ref);
++
++ return 0;
++
++err_clr_sm_cap:
++ swap(props.set_port_cap_mask, props.clr_port_cap_mask);
++ ib_modify_port(port->ib_dev, port->port_num, 0, &props);
++
++err_up_sem:
++ up(&port->sm_sem);
+
+ fail:
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
+ return ret;
+ }
+
--- /dev/null
+From 60e1751cb52cc6d1ae04b6bd3c2b96e770b5823f Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 6 Jun 2014 18:25:04 +0200
+Subject: IB/umad: Fix use-after-free on close
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 60e1751cb52cc6d1ae04b6bd3c2b96e770b5823f upstream.
+
+Avoid that closing /dev/infiniband/umad<n> or /dev/infiniband/issm<n>
+triggers a use-after-free. __fput() invokes f_op->release() before it
+invokes cdev_put(). Make sure that the ib_umad_device structure is
+freed by the cdev_put() call instead of f_op->release(). This avoids
+that changing the port mode from IB into Ethernet and back to IB
+followed by restarting opensmd triggers the following kernel oops:
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ RIP: 0010:[<ffffffff810cc65c>] [<ffffffff810cc65c>] module_put+0x2c/0x170
+ Call Trace:
+ [<ffffffff81190f20>] cdev_put+0x20/0x30
+ [<ffffffff8118e2ce>] __fput+0x1ae/0x1f0
+ [<ffffffff8118e35e>] ____fput+0xe/0x10
+ [<ffffffff810723bc>] task_work_run+0xac/0xe0
+ [<ffffffff81002a9f>] do_notify_resume+0x9f/0xc0
+ [<ffffffff814b8398>] int_signal+0x12/0x17
+
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=75051
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Yann Droneaud <ydroneaud@opteya.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/user_mad.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -98,7 +98,7 @@ struct ib_umad_port {
+
+ struct ib_umad_device {
+ int start_port, end_port;
+- struct kref ref;
++ struct kobject kobj;
+ struct ib_umad_port port[0];
+ };
+
+@@ -134,14 +134,18 @@ static DECLARE_BITMAP(dev_map, IB_UMAD_M
+ static void ib_umad_add_one(struct ib_device *device);
+ static void ib_umad_remove_one(struct ib_device *device);
+
+-static void ib_umad_release_dev(struct kref *ref)
++static void ib_umad_release_dev(struct kobject *kobj)
+ {
+ struct ib_umad_device *dev =
+- container_of(ref, struct ib_umad_device, ref);
++ container_of(kobj, struct ib_umad_device, kobj);
+
+ kfree(dev);
+ }
+
++static struct kobj_type ib_umad_dev_ktype = {
++ .release = ib_umad_release_dev,
++};
++
+ static int hdr_size(struct ib_umad_file *file)
+ {
+ return file->use_pkey_index ? sizeof (struct ib_user_mad_hdr) :
+@@ -812,7 +816,7 @@ static int ib_umad_open(struct inode *in
+ goto out;
+ }
+
+- kref_get(&port->umad_dev->ref);
++ kobject_get(&port->umad_dev->kobj);
+
+ out:
+ mutex_unlock(&port->file_mutex);
+@@ -851,7 +855,7 @@ static int ib_umad_close(struct inode *i
+ mutex_unlock(&file->port->file_mutex);
+
+ kfree(file);
+- kref_put(&dev->ref, ib_umad_release_dev);
++ kobject_put(&dev->kobj);
+
+ return 0;
+ }
+@@ -902,7 +906,7 @@ static int ib_umad_sm_open(struct inode
+ if (ret)
+ goto err_clr_sm_cap;
+
+- kref_get(&port->umad_dev->ref);
++ kobject_get(&port->umad_dev->kobj);
+
+ return 0;
+
+@@ -932,7 +936,7 @@ static int ib_umad_sm_close(struct inode
+
+ up(&port->sm_sem);
+
+- kref_put(&port->umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&port->umad_dev->kobj);
+
+ return ret;
+ }
+@@ -1000,6 +1004,7 @@ static int find_overflow_devnum(void)
+ }
+
+ static int ib_umad_init_port(struct ib_device *device, int port_num,
++ struct ib_umad_device *umad_dev,
+ struct ib_umad_port *port)
+ {
+ int devnum;
+@@ -1032,6 +1037,7 @@ static int ib_umad_init_port(struct ib_d
+
+ cdev_init(&port->cdev, &umad_fops);
+ port->cdev.owner = THIS_MODULE;
++ port->cdev.kobj.parent = &umad_dev->kobj;
+ kobject_set_name(&port->cdev.kobj, "umad%d", port->dev_num);
+ if (cdev_add(&port->cdev, base, 1))
+ goto err_cdev;
+@@ -1050,6 +1056,7 @@ static int ib_umad_init_port(struct ib_d
+ base += IB_UMAD_MAX_PORTS;
+ cdev_init(&port->sm_cdev, &umad_sm_fops);
+ port->sm_cdev.owner = THIS_MODULE;
++ port->sm_cdev.kobj.parent = &umad_dev->kobj;
+ kobject_set_name(&port->sm_cdev.kobj, "issm%d", port->dev_num);
+ if (cdev_add(&port->sm_cdev, base, 1))
+ goto err_sm_cdev;
+@@ -1143,7 +1150,7 @@ static void ib_umad_add_one(struct ib_de
+ if (!umad_dev)
+ return;
+
+- kref_init(&umad_dev->ref);
++ kobject_init(&umad_dev->kobj, &ib_umad_dev_ktype);
+
+ umad_dev->start_port = s;
+ umad_dev->end_port = e;
+@@ -1151,7 +1158,8 @@ static void ib_umad_add_one(struct ib_de
+ for (i = s; i <= e; ++i) {
+ umad_dev->port[i - s].umad_dev = umad_dev;
+
+- if (ib_umad_init_port(device, i, &umad_dev->port[i - s]))
++ if (ib_umad_init_port(device, i, umad_dev,
++ &umad_dev->port[i - s]))
+ goto err;
+ }
+
+@@ -1163,7 +1171,7 @@ err:
+ while (--i >= s)
+ ib_umad_kill_port(&umad_dev->port[i - s]);
+
+- kref_put(&umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&umad_dev->kobj);
+ }
+
+ static void ib_umad_remove_one(struct ib_device *device)
+@@ -1177,7 +1185,7 @@ static void ib_umad_remove_one(struct ib
+ for (i = 0; i <= umad_dev->end_port - umad_dev->start_port; ++i)
+ ib_umad_kill_port(&umad_dev->port[i]);
+
+- kref_put(&umad_dev->ref, ib_umad_release_dev);
++ kobject_put(&umad_dev->kobj);
+ }
+
+ static char *umad_devnode(struct device *dev, umode_t *mode)
--- /dev/null
+From 12337901d654415d9f764b5f5ba50052e9700f37 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 28 May 2014 10:46:13 +0200
+Subject: nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 12337901d654415d9f764b5f5ba50052e9700f37 upstream.
+
+Note nobody's ever noticed because the typical client probably never
+requests FILES_AVAIL without also requesting something else on the list.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2032,8 +2032,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
+ err = vfs_getattr(exp->ex_path.mnt, dentry, &stat);
+ if (err)
+ goto out_nfserr;
+- if ((bmval0 & (FATTR4_WORD0_FILES_FREE | FATTR4_WORD0_FILES_TOTAL |
+- FATTR4_WORD0_MAXNAME)) ||
++ if ((bmval0 & (FATTR4_WORD0_FILES_AVAIL | FATTR4_WORD0_FILES_FREE |
++ FATTR4_WORD0_FILES_TOTAL | FATTR4_WORD0_MAXNAME)) ||
+ (bmval1 & (FATTR4_WORD1_SPACE_AVAIL | FATTR4_WORD1_SPACE_FREE |
+ FATTR4_WORD1_SPACE_TOTAL))) {
+ err = vfs_statfs(&path, &statfs);
--- /dev/null
+From 48385408b45523d9a432c66292d47ef43efcbb94 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 27 May 2014 11:14:26 -0400
+Subject: nfsd4: fix FREE_STATEID lockowner leak
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 48385408b45523d9a432c66292d47ef43efcbb94 upstream.
+
+27b11428b7de ("nfsd4: remove lockowner when removing lock stateid")
+introduced a memory leak.
+
+Reported-by: Jeff Layton <jeff.layton@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3485,7 +3485,7 @@ nfsd4_free_lock_stateid(struct nfs4_ol_s
+ * correspondance, and we have to delete the lockowner when we
+ * delete the lock stateid:
+ */
+- unhash_lockowner(lo);
++ release_lockowner(lo);
+ return nfs_ok;
+ }
+
mips-msc-prevent-out-of-bounds-writes-to-mips-sc-ioremap-d-region.patch
ubifs-remove-incorrect-assertion-in-shrink_tnc.patch
watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch
+ib-qib-fix-port-in-pkey-change-event.patch
+ib-ipath-translate-legacy-diagpkt-into-newer-extended-diagpkt.patch
+ib-srp-fix-a-sporadic-crash-triggered-by-cable-pulling.patch
+ib-umad-fix-error-handling.patch
+ib-umad-fix-use-after-free-on-close.patch
+nfsd4-fix-free_stateid-lockowner-leak.patch
+nfsd-getattr-for-fattr4_word0_files_avail-needs-the-statfs-buffer.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
