From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 28 Jun 2014 00:17:19 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.96~22
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e684ecc25265048f28426608576baeaff28fbc44;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	target-explicitly-clear-ramdisk_mcp-backend-pages.patch
---

diff --git a/queue-3.10/scsi_cmnd-introduce-scsi_transfer_length-helper.patch b/queue-3.10/scsi_cmnd-introduce-scsi_transfer_length-helper.patch
deleted file mode 100644
index b3c7f650119..00000000000
--- a/queue-3.10/scsi_cmnd-introduce-scsi_transfer_length-helper.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 8846bab180fa2bcfe02d4ba5288fbaba12c8f4f3 Mon Sep 17 00:00:00 2001
-From: Sagi Grimberg <sagig@mellanox.com>
-Date: Wed, 11 Jun 2014 12:09:57 +0300
-Subject: scsi_cmnd: Introduce scsi_transfer_length helper
-
-From: Sagi Grimberg <sagig@mellanox.com>
-
-commit 8846bab180fa2bcfe02d4ba5288fbaba12c8f4f3 upstream.
-
-In case protection information exists on the wire
-scsi transports should include it in the transfer
-byte count (even if protection information does not
-exist in the host memory space). This helper will
-compute the total transfer length from the scsi
-command data length and protection attributes.
-
-Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/scsi/scsi_cmnd.h |   17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
---- a/include/scsi/scsi_cmnd.h
-+++ b/include/scsi/scsi_cmnd.h
-@@ -7,6 +7,7 @@
- #include <linux/types.h>
- #include <linux/timer.h>
- #include <linux/scatterlist.h>
-+#include <scsi/scsi_device.h>
- 
- struct Scsi_Host;
- struct scsi_device;
-@@ -309,4 +310,20 @@ static inline void set_driver_byte(struc
- 	cmd->result = (cmd->result & 0x00ffffff) | (status << 24);
- }
- 
-+static inline unsigned scsi_transfer_length(struct scsi_cmnd *scmd)
-+{
-+	unsigned int xfer_len = blk_rq_bytes(scmd->request);
-+	unsigned int prot_op = scsi_get_prot_op(scmd);
-+	unsigned int sector_size = scmd->device->sector_size;
-+
-+	switch (prot_op) {
-+	case SCSI_PROT_NORMAL:
-+	case SCSI_PROT_WRITE_STRIP:
-+	case SCSI_PROT_READ_INSERT:
-+		return xfer_len;
-+	}
-+
-+	return xfer_len + (xfer_len >> ilog2(sector_size)) * 8;
-+}
-+
- #endif /* _SCSI_SCSI_CMND_H */
diff --git a/queue-3.10/series b/queue-3.10/series
index 89b87a73719..db85729f378 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -53,4 +53,4 @@ target-set-cmd_t_active-bit-for-task-management-requests.patch
 target-use-complete_all-for-se_cmd-t_transport_stop_comp.patch
 iscsi-target-fix-abort_task-connection-reset-iscsi_queue_req-memory-leak.patch
 target-report-correct-response-length-for-some-commands.patch
-scsi_cmnd-introduce-scsi_transfer_length-helper.patch
+target-explicitly-clear-ramdisk_mcp-backend-pages.patch
diff --git a/queue-3.10/target-explicitly-clear-ramdisk_mcp-backend-pages.patch b/queue-3.10/target-explicitly-clear-ramdisk_mcp-backend-pages.patch
new file mode 100644
index 00000000000..348266e802f
--- /dev/null
+++ b/queue-3.10/target-explicitly-clear-ramdisk_mcp-backend-pages.patch
@@ -0,0 +1,42 @@
+From nab@linux-iscsi.org  Fri Jun 27 17:13:41 2014
+From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
+Date: Mon, 16 Jun 2014 20:59:52 +0000
+Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
+To: target-devel <target-devel@vger.kernel.org>
+Cc: Greg-KH <gregkh@linuxfoundation.org>, stable <stable@vger.kernel.org>, Nicholas Bellinger <nab@linux-iscsi.org>, Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Message-ID: <1402952392-30762-1-git-send-email-nab@linux-iscsi.org>
+
+
+[Note that a different patch to address the same issue went in during
+v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
+don't strictly apply to fixing the bug]
+
+This patch changes rd_allocate_sgl_table() to explicitly clear
+ramdisk_mcp backend memory pages by passing __GFP_ZERO into
+alloc_pages().
+
+This addresses a potential security issue where reading from a
+ramdisk_mcp could return sensitive information, and follows what
+>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
+device initialization time.
+
+Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_rd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_rd.c
++++ b/drivers/target/target_core_rd.c
+@@ -174,7 +174,7 @@ static int rd_build_device_space(struct
+ 						- 1;
+ 
+ 		for (j = 0; j < sg_per_table; j++) {
+-			pg = alloc_pages(GFP_KERNEL, 0);
++			pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
+ 			if (!pg) {
+ 				pr_err("Unable to allocate scatterlist"
+ 					" pages for struct rd_dev_sg_table\n");