From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 31 Dec 2013 06:00:17 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.76~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a4a292fb105606631569380b81d9817013418481;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	iscsi-target-fix-up-all-zero-data-length-cdbs-with-r-w_bit-set.patch
	iser-target-fix-error-return-code-in-isert_create_device_ib_res.patch
	selinux-fix-broken-peer-recv-check.patch
	selinux-selinux_setprocattr-ptrace_parent-needs-rcu_read_lock.patch
	target-file-update-hw_max_sectors-based-on-current-block_size.patch
---

diff --git a/queue-3.10/iscsi-target-fix-up-all-zero-data-length-cdbs-with-r-w_bit-set.patch b/queue-3.10/iscsi-target-fix-up-all-zero-data-length-cdbs-with-r-w_bit-set.patch
new file mode 100644
index 00000000000..2ee269ee18e
--- /dev/null
+++ b/queue-3.10/iscsi-target-fix-up-all-zero-data-length-cdbs-with-r-w_bit-set.patch
@@ -0,0 +1,70 @@
+From 4454b66cb67f14c33cd70ddcf0ff4985b26324b7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 25 Nov 2013 14:53:57 -0800
+Subject: iscsi-target: Fix-up all zero data-length CDBs with R/W_BIT set
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 4454b66cb67f14c33cd70ddcf0ff4985b26324b7 upstream.
+
+This patch changes special case handling for ISCSI_OP_SCSI_CMD
+where an initiator sends a zero length Expected Data Transfer
+Length (EDTL), but still sets the WRITE and/or READ flag bits
+when no payload transfer is requested.
+
+Many, many moons ago two special cases where added for an ancient
+version of ESX that has long since been fixed, so instead of adding
+a new special case for the reported bug with a Broadcom 57800 NIC,
+go ahead and always strip off the incorrect WRITE + READ flag bits.
+
+Also, avoid sending a reject here, as RFC-3720 does mandate this
+case be handled without protocol error.
+
+Reported-by: Witold Bazakbal <865perl@wp.pl>
+Tested-by: Witold Bazakbal <865perl@wp.pl>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |   26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -838,24 +838,22 @@ int iscsit_setup_scsi_cmd(struct iscsi_c
+ 	if (((hdr->flags & ISCSI_FLAG_CMD_READ) ||
+ 	     (hdr->flags & ISCSI_FLAG_CMD_WRITE)) && !hdr->data_length) {
+ 		/*
+-		 * Vmware ESX v3.0 uses a modified Cisco Initiator (v3.4.2)
+-		 * that adds support for RESERVE/RELEASE.  There is a bug
+-		 * add with this new functionality that sets R/W bits when
+-		 * neither CDB carries any READ or WRITE datapayloads.
++		 * From RFC-3720 Section 10.3.1:
++		 *
++		 * "Either or both of R and W MAY be 1 when either the
++		 *  Expected Data Transfer Length and/or Bidirectional Read
++		 *  Expected Data Transfer Length are 0"
++		 *
++		 * For this case, go ahead and clear the unnecssary bits
++		 * to avoid any confusion with ->data_direction.
+ 		 */
+-		if ((hdr->cdb[0] == 0x16) || (hdr->cdb[0] == 0x17)) {
+-			hdr->flags &= ~ISCSI_FLAG_CMD_READ;
+-			hdr->flags &= ~ISCSI_FLAG_CMD_WRITE;
+-			goto done;
+-		}
++		hdr->flags &= ~ISCSI_FLAG_CMD_READ;
++		hdr->flags &= ~ISCSI_FLAG_CMD_WRITE;
+ 
+-		pr_err("ISCSI_FLAG_CMD_READ or ISCSI_FLAG_CMD_WRITE"
++		pr_warn("ISCSI_FLAG_CMD_READ or ISCSI_FLAG_CMD_WRITE"
+ 			" set when Expected Data Transfer Length is 0 for"
+-			" CDB: 0x%02x. Bad iSCSI Initiator.\n", hdr->cdb[0]);
+-		return iscsit_add_reject_cmd(cmd,
+-					     ISCSI_REASON_BOOKMARK_INVALID, buf);
++			" CDB: 0x%02x, Fixing up flags\n", hdr->cdb[0]);
+ 	}
+-done:
+ 
+ 	if (!(hdr->flags & ISCSI_FLAG_CMD_READ) &&
+ 	    !(hdr->flags & ISCSI_FLAG_CMD_WRITE) && (hdr->data_length != 0)) {
diff --git a/queue-3.10/iser-target-fix-error-return-code-in-isert_create_device_ib_res.patch b/queue-3.10/iser-target-fix-error-return-code-in-isert_create_device_ib_res.patch
new file mode 100644
index 00000000000..c4197ee6790
--- /dev/null
+++ b/queue-3.10/iser-target-fix-error-return-code-in-isert_create_device_ib_res.patch
@@ -0,0 +1,56 @@
+From 94a7111043d99819cd0a72d9b3174c7054adb2a0 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue, 29 Oct 2013 09:56:34 +0800
+Subject: iser-target: fix error return code in isert_create_device_ib_res()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 94a7111043d99819cd0a72d9b3174c7054adb2a0 upstream.
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -242,21 +242,29 @@ isert_create_device_ib_res(struct isert_
+ 						isert_cq_event_callback,
+ 						(void *)&cq_desc[i],
+ 						ISER_MAX_RX_CQ_LEN, i);
+-		if (IS_ERR(device->dev_rx_cq[i]))
++		if (IS_ERR(device->dev_rx_cq[i])) {
++			ret = PTR_ERR(device->dev_rx_cq[i]);
++			device->dev_rx_cq[i] = NULL;
+ 			goto out_cq;
++		}
+ 
+ 		device->dev_tx_cq[i] = ib_create_cq(device->ib_device,
+ 						isert_cq_tx_callback,
+ 						isert_cq_event_callback,
+ 						(void *)&cq_desc[i],
+ 						ISER_MAX_TX_CQ_LEN, i);
+-		if (IS_ERR(device->dev_tx_cq[i]))
++		if (IS_ERR(device->dev_tx_cq[i])) {
++			ret = PTR_ERR(device->dev_tx_cq[i]);
++			device->dev_tx_cq[i] = NULL;
+ 			goto out_cq;
++		}
+ 
+-		if (ib_req_notify_cq(device->dev_rx_cq[i], IB_CQ_NEXT_COMP))
++		ret = ib_req_notify_cq(device->dev_rx_cq[i], IB_CQ_NEXT_COMP);
++		if (ret)
+ 			goto out_cq;
+ 
+-		if (ib_req_notify_cq(device->dev_tx_cq[i], IB_CQ_NEXT_COMP))
++		ret = ib_req_notify_cq(device->dev_tx_cq[i], IB_CQ_NEXT_COMP);
++		if (ret)
+ 			goto out_cq;
+ 	}
+ 
diff --git a/queue-3.10/selinux-fix-broken-peer-recv-check.patch b/queue-3.10/selinux-fix-broken-peer-recv-check.patch
new file mode 100644
index 00000000000..8511ffcc73a
--- /dev/null
+++ b/queue-3.10/selinux-fix-broken-peer-recv-check.patch
@@ -0,0 +1,35 @@
+From 46d01d63221c3508421dd72ff9c879f61053cffc Mon Sep 17 00:00:00 2001
+From: Chad Hanson <chanson@trustedcs.com>
+Date: Mon, 23 Dec 2013 17:45:01 -0500
+Subject: selinux: fix broken peer recv check
+
+From: Chad Hanson <chanson@trustedcs.com>
+
+commit 46d01d63221c3508421dd72ff9c879f61053cffc upstream.
+
+Fix a broken networking check. Return an error if peer recv fails.  If
+secmark is active and the packet recv succeeds the peer recv error is
+ignored.
+
+Signed-off-by: Chad Hanson <chanson@trustedcs.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4228,8 +4228,10 @@ static int selinux_socket_sock_rcv_skb(s
+ 		}
+ 		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
+ 				   PEER__RECV, &ad);
+-		if (err)
++		if (err) {
+ 			selinux_netlbl_err(skb, err, 0);
++			return err;
++		}
+ 	}
+ 
+ 	if (secmark_active) {
diff --git a/queue-3.10/selinux-selinux_setprocattr-ptrace_parent-needs-rcu_read_lock.patch b/queue-3.10/selinux-selinux_setprocattr-ptrace_parent-needs-rcu_read_lock.patch
new file mode 100644
index 00000000000..0607399a84a
--- /dev/null
+++ b/queue-3.10/selinux-selinux_setprocattr-ptrace_parent-needs-rcu_read_lock.patch
@@ -0,0 +1,43 @@
+From c0c1439541f5305b57a83d599af32b74182933fe Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 23 Dec 2013 17:45:01 -0500
+Subject: selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit c0c1439541f5305b57a83d599af32b74182933fe upstream.
+
+selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
+but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
+this looks confusing and triggers the "suspicious RCU usage"
+warning because ptrace_parent() does rcu_dereference_check().
+
+And in theory this is wrong, spin_lock()->preempt_disable()
+doesn't necessarily imply rcu_read_lock() we need to access
+the ->parent.
+
+Reported-by: Evan McNabb <emcnabb@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5454,11 +5454,11 @@ static int selinux_setprocattr(struct ta
+ 		/* Check for ptracing, and update the task SID if ok.
+ 		   Otherwise, leave SID unchanged and fail. */
+ 		ptsid = 0;
+-		task_lock(p);
++		rcu_read_lock();
+ 		tracer = ptrace_parent(p);
+ 		if (tracer)
+ 			ptsid = task_sid(tracer);
+-		task_unlock(p);
++		rcu_read_unlock();
+ 
+ 		if (tracer) {
+ 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
diff --git a/queue-3.10/series b/queue-3.10/series
index 3478a422400..65d31168f2b 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -16,3 +16,8 @@ serial-8250_dw-add-new-acpi-ids.patch
 usb-serial-zte_ev-move-support-for-zte-ac2726-from-zte_ev-back-to-option.patch
 can-peak_usb-fix-mem-leak-in-pcan_usb_pro_init.patch
 usb-cdc-wdm-manage_power-should-always-set-needs_remote_wakeup.patch
+selinux-fix-broken-peer-recv-check.patch
+selinux-selinux_setprocattr-ptrace_parent-needs-rcu_read_lock.patch
+iser-target-fix-error-return-code-in-isert_create_device_ib_res.patch
+iscsi-target-fix-up-all-zero-data-length-cdbs-with-r-w_bit-set.patch
+target-file-update-hw_max_sectors-based-on-current-block_size.patch
diff --git a/queue-3.10/target-file-update-hw_max_sectors-based-on-current-block_size.patch b/queue-3.10/target-file-update-hw_max_sectors-based-on-current-block_size.patch
new file mode 100644
index 00000000000..625fa1ed492
--- /dev/null
+++ b/queue-3.10/target-file-update-hw_max_sectors-based-on-current-block_size.patch
@@ -0,0 +1,93 @@
+From 95cadace8f3959282e76ebf8b382bd0930807d2c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 12 Dec 2013 12:24:11 -0800
+Subject: target/file: Update hw_max_sectors based on current block_size
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 95cadace8f3959282e76ebf8b382bd0930807d2c upstream.
+
+This patch allows FILEIO to update hw_max_sectors based on the current
+max_bytes_per_io.  This is required because vfs_[writev,readv]() can accept
+a maximum of 2048 iovecs per call, so the enforced hw_max_sectors really
+needs to be calculated based on block_size.
+
+This addresses a >= v3.5 bug where block_size=512 was rejecting > 1M
+sized I/O requests, because FD_MAX_SECTORS was hardcoded to 2048 for
+the block_size=4096 case.
+
+(v2: Use max_bytes_per_io instead of ->update_hw_max_sectors)
+
+Reported-by: Henrik Goldman <hg@x-formation.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c |    5 +++++
+ drivers/target/target_core_file.c   |    8 ++++----
+ drivers/target/target_core_file.h   |    5 ++++-
+ include/target/target_core_base.h   |    1 +
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1078,6 +1078,11 @@ int se_dev_set_block_size(struct se_devi
+ 	dev->dev_attrib.block_size = block_size;
+ 	pr_debug("dev[%p]: SE Device block_size changed to %u\n",
+ 			dev, block_size);
++
++	if (dev->dev_attrib.max_bytes_per_io)
++		dev->dev_attrib.hw_max_sectors =
++			dev->dev_attrib.max_bytes_per_io / block_size;
++
+ 	return 0;
+ }
+ 
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -66,9 +66,8 @@ static int fd_attach_hba(struct se_hba *
+ 	pr_debug("CORE_HBA[%d] - TCM FILEIO HBA Driver %s on Generic"
+ 		" Target Core Stack %s\n", hba->hba_id, FD_VERSION,
+ 		TARGET_CORE_MOD_VERSION);
+-	pr_debug("CORE_HBA[%d] - Attached FILEIO HBA: %u to Generic"
+-		" MaxSectors: %u\n",
+-		hba->hba_id, fd_host->fd_host_id, FD_MAX_SECTORS);
++	pr_debug("CORE_HBA[%d] - Attached FILEIO HBA: %u to Generic\n",
++		hba->hba_id, fd_host->fd_host_id);
+ 
+ 	return 0;
+ }
+@@ -220,7 +219,8 @@ static int fd_configure_device(struct se
+ 	}
+ 
+ 	dev->dev_attrib.hw_block_size = fd_dev->fd_block_size;
+-	dev->dev_attrib.hw_max_sectors = FD_MAX_SECTORS;
++	dev->dev_attrib.max_bytes_per_io = FD_MAX_BYTES;
++	dev->dev_attrib.hw_max_sectors = FD_MAX_BYTES / fd_dev->fd_block_size;
+ 	dev->dev_attrib.hw_queue_depth = FD_MAX_DEVICE_QUEUE_DEPTH;
+ 
+ 	if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) {
+--- a/drivers/target/target_core_file.h
++++ b/drivers/target/target_core_file.h
+@@ -7,7 +7,10 @@
+ #define FD_DEVICE_QUEUE_DEPTH	32
+ #define FD_MAX_DEVICE_QUEUE_DEPTH 128
+ #define FD_BLOCKSIZE		512
+-#define FD_MAX_SECTORS		2048
++/*
++ * Limited by the number of iovecs (2048) per vfs_[writev,readv] call
++ */
++#define FD_MAX_BYTES		8388608
+ 
+ #define RRF_EMULATE_CDB		0x01
+ #define RRF_GOT_LBA		0x02
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -614,6 +614,7 @@ struct se_dev_attrib {
+ 	u32		unmap_granularity;
+ 	u32		unmap_granularity_alignment;
+ 	u32		max_write_same_len;
++	u32		max_bytes_per_io;
+ 	struct se_device *da_dev;
+ 	struct config_group da_group;
+ };