From 28718ce234f99f5857202d314ce5e6483368c42d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 20 Mar 2014 15:12:37 -0700 Subject: [PATCH] 3.4-stable patches added patches: can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch scsi-isci-correct-erroneous-for_each_isci_host-macro.patch scsi-isci-fix-reset-timeout-handling.patch scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch scsi-storvsc-null-pointer-dereference-fix.patch --- ...ror-path-if-flexcan_chip_start-fails.patch | 39 ++++++++++ ...t-erroneous-for_each_isci_host-macro.patch | 75 +++++++++++++++++++ ...scsi-isci-fix-reset-timeout-handling.patch | 62 +++++++++++++++ ...itialization-for-isp25xx-and-isp83xx.patch | 30 ++++++++ ...storvsc-null-pointer-dereference-fix.patch | 51 +++++++++++++ queue-3.4/series | 5 ++ 6 files changed, 262 insertions(+) create mode 100644 queue-3.4/can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch create mode 100644 queue-3.4/scsi-isci-correct-erroneous-for_each_isci_host-macro.patch create mode 100644 queue-3.4/scsi-isci-fix-reset-timeout-handling.patch create mode 100644 queue-3.4/scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch create mode 100644 queue-3.4/scsi-storvsc-null-pointer-dereference-fix.patch diff --git a/queue-3.4/can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch b/queue-3.4/can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch new file mode 100644 index 00000000000..c3662d03605 --- /dev/null +++ b/queue-3.4/can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch @@ -0,0 +1,39 @@ +From 7e9e148af01ef388efb6e2490805970be4622792 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 28 Feb 2014 14:52:01 +0100 +Subject: can: flexcan: flexcan_open(): fix error path if flexcan_chip_start() fails + +From: Marc Kleine-Budde + +commit 7e9e148af01ef388efb6e2490805970be4622792 upstream. + +If flexcan_chip_start() in flexcan_open() fails, the interrupt is not freed, +this patch adds the missing cleanup. + +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -805,7 +805,7 @@ static int flexcan_open(struct net_devic + + err = request_irq(dev->irq, flexcan_irq, IRQF_SHARED, dev->name, dev); + if (err) +- goto out_close; ++ goto out_free_irq; + + /* start chip and queuing */ + err = flexcan_chip_start(dev); +@@ -816,6 +816,8 @@ static int flexcan_open(struct net_devic + + return 0; + ++ out_free_irq: ++ free_irq(dev->irq, dev); + out_close: + close_candev(dev); + out: diff --git a/queue-3.4/scsi-isci-correct-erroneous-for_each_isci_host-macro.patch b/queue-3.4/scsi-isci-correct-erroneous-for_each_isci_host-macro.patch new file mode 100644 index 00000000000..9353ac86408 --- /dev/null +++ b/queue-3.4/scsi-isci-correct-erroneous-for_each_isci_host-macro.patch @@ -0,0 +1,75 @@ +From c59053a23d586675c25d789a7494adfdc02fba57 Mon Sep 17 00:00:00 2001 +From: Lukasz Dorau +Date: Thu, 6 Feb 2014 12:23:20 -0800 +Subject: SCSI: isci: correct erroneous for_each_isci_host macro + +From: Lukasz Dorau + +commit c59053a23d586675c25d789a7494adfdc02fba57 upstream. + +In the first place, the loop 'for' in the macro 'for_each_isci_host' +(drivers/scsi/isci/host.h:314) is incorrect, because it accesses +the 3rd element of 2 element array. After the 2nd iteration it executes +the instruction: + ihost = to_pci_info(pdev)->hosts[2] +(while the size of the 'hosts' array equals 2) and reads an +out of range element. + +In the second place, this loop is incorrectly optimized by GCC v4.8 +(see http://marc.info/?l=linux-kernel&m=138998871911336&w=2). +As a result, on platforms with two SCU controllers, +the loop is executed more times than it can be (for i=0,1 and 2). +It causes kernel panic during entering the S3 state +and the following oops after 'rmmod isci': + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] __list_add+0x1b/0xc0 +Oops: 0000 [#1] SMP +RIP: 0010:[] [] __list_add+0x1b/0xc0 +Call Trace: + [] __mutex_lock_slowpath+0x114/0x1b0 + [] mutex_lock+0x1f/0x30 + [] sas_disable_events+0x1b/0x50 [libsas] + [] sas_unregister_ha+0x18/0x60 [libsas] + [] isci_unregister+0x1e/0x40 [isci] + [] isci_pci_remove+0x5d/0x100 [isci] + [] pci_device_remove+0x3b/0xb0 + [] __device_release_driver+0x7f/0xf0 + [] driver_detach+0xa8/0xb0 + [] bus_remove_driver+0x9b/0x120 + [] driver_unregister+0x2c/0x50 + [] pci_unregister_driver+0x23/0x80 + [] isci_exit+0x10/0x1e [isci] + [] SyS_delete_module+0x16b/0x2d0 + [] ? do_notify_resume+0x61/0xa0 + [] system_call_fastpath+0x16/0x1b + +The loop has been corrected. +This patch fixes kernel panic during entering the S3 state +and the above oops. + +Signed-off-by: Lukasz Dorau +Reviewed-by: Maciej Patelczyk +Tested-by: Lukasz Dorau +Signed-off-by: Dan Williams +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/isci/host.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/isci/host.h ++++ b/drivers/scsi/isci/host.h +@@ -310,9 +310,8 @@ static inline struct isci_pci_info *to_p + } + + #define for_each_isci_host(id, ihost, pdev) \ +- for (id = 0, ihost = to_pci_info(pdev)->hosts[id]; \ +- id < ARRAY_SIZE(to_pci_info(pdev)->hosts) && ihost; \ +- ihost = to_pci_info(pdev)->hosts[++id]) ++ for (id = 0; id < SCI_MAX_CONTROLLERS && \ ++ (ihost = to_pci_info(pdev)->hosts[id]); id++) + + static inline enum isci_status isci_host_get_state(struct isci_host *isci_host) + { diff --git a/queue-3.4/scsi-isci-fix-reset-timeout-handling.patch b/queue-3.4/scsi-isci-fix-reset-timeout-handling.patch new file mode 100644 index 00000000000..c0c5144747b --- /dev/null +++ b/queue-3.4/scsi-isci-fix-reset-timeout-handling.patch @@ -0,0 +1,62 @@ +From ddfadd7736b677de2d4ca2cd5b4b655368c85a7a Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 6 Feb 2014 12:23:01 -0800 +Subject: SCSI: isci: fix reset timeout handling + +From: Dan Williams + +commit ddfadd7736b677de2d4ca2cd5b4b655368c85a7a upstream. + +Remove an erroneous BUG_ON() in the case of a hard reset timeout. The +reset timeout handler puts the port into the "awaiting link-up" state. +The timeout causes the device to be disconnected and we need to be in +the awaiting link-up state to re-connect the port. The BUG_ON() made +the incorrect assumption that resets never timeout and we always +complete the reset in the "resetting" state. + +Testing this patch also uncovered that libata continues to attempt to +reset the port long after the driver has torn down the context. Once +the driver has committed to abandoning the link it must indicate to +libata that recovery ends by returning -ENODEV from +->lldd_I_T_nexus_reset(). + +Acked-by: Lukasz Dorau +Reported-by: David Milburn +Reported-by: Xun Ni +Tested-by: Xun Ni +Signed-off-by: Dan Williams +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/isci/port_config.c | 7 ------- + drivers/scsi/isci/task.c | 2 +- + 2 files changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/scsi/isci/port_config.c ++++ b/drivers/scsi/isci/port_config.c +@@ -619,13 +619,6 @@ static void sci_apc_agent_link_up(struct + SCIC_SDS_APC_WAIT_LINK_UP_NOTIFICATION); + } else { + /* the phy is already the part of the port */ +- u32 port_state = iport->sm.current_state_id; +- +- /* if the PORT'S state is resetting then the link up is from +- * port hard reset in this case, we need to tell the port +- * that link up is recieved +- */ +- BUG_ON(port_state != SCI_PORT_RESETTING); + port_agent->phy_ready_mask |= 1 << phy_index; + sci_port_link_up(iport, iphy); + } +--- a/drivers/scsi/isci/task.c ++++ b/drivers/scsi/isci/task.c +@@ -1312,7 +1312,7 @@ int isci_task_I_T_nexus_reset(struct dom + /* XXX: need to cleanup any ireqs targeting this + * domain_device + */ +- ret = TMF_RESP_FUNC_COMPLETE; ++ ret = -ENODEV; + goto out; + } + diff --git a/queue-3.4/scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch b/queue-3.4/scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch new file mode 100644 index 00000000000..a264862936a --- /dev/null +++ b/queue-3.4/scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch @@ -0,0 +1,30 @@ +From b77ed25c9f8402e8b3e49e220edb4ef09ecfbb53 Mon Sep 17 00:00:00 2001 +From: Giridhar Malavali +Date: Wed, 26 Feb 2014 04:15:12 -0500 +Subject: SCSI: qla2xxx: Poll during initialization for ISP25xx and ISP83xx + +From: Giridhar Malavali + +commit b77ed25c9f8402e8b3e49e220edb4ef09ecfbb53 upstream. + +Signed-off-by: Giridhar Malavali +Signed-off-by: Saurav Kashyap +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_def.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -2600,8 +2600,7 @@ struct qla_hw_data { + IS_QLA25XX(ha) || IS_QLA81XX(ha) || \ + IS_QLA82XX(ha) || IS_QLA83XX(ha)) + #define IS_MSIX_NACK_CAPABLE(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha)) +-#define IS_NOPOLLING_TYPE(ha) ((IS_QLA25XX(ha) || IS_QLA81XX(ha) || \ +- IS_QLA83XX(ha)) && (ha)->flags.msix_enabled) ++#define IS_NOPOLLING_TYPE(ha) (IS_QLA81XX(ha) && (ha)->flags.msix_enabled) + #define IS_FAC_REQUIRED(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha)) + #define IS_NOCACHE_VPD_TYPE(ha) (IS_QLA81XX(ha) || IS_QLA83XX(ha)) + #define IS_ALOGIO_CAPABLE(ha) (IS_QLA23XX(ha) || IS_FWI2_CAPABLE(ha)) diff --git a/queue-3.4/scsi-storvsc-null-pointer-dereference-fix.patch b/queue-3.4/scsi-storvsc-null-pointer-dereference-fix.patch new file mode 100644 index 00000000000..8aeb50635df --- /dev/null +++ b/queue-3.4/scsi-storvsc-null-pointer-dereference-fix.patch @@ -0,0 +1,51 @@ +From b12bb60d6c350b348a4e1460cd68f97ccae9822e Mon Sep 17 00:00:00 2001 +From: Ales Novak +Date: Thu, 27 Feb 2014 11:03:30 +0100 +Subject: SCSI: storvsc: NULL pointer dereference fix + +From: Ales Novak + +commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream. + +If the initialization of storvsc fails, the storvsc_device_destroy() +causes NULL pointer dereference. + +storvsc_bus_scan() + scsi_scan_target() + __scsi_scan_target() + scsi_probe_and_add_lun(hostdata=NULL) + scsi_alloc_sdev(hostdata=NULL) + + sdev->hostdata = hostdata + + now the host allocation fails + + __scsi_remove_device(sdev) + + calls sdev->host->hostt->slave_destroy() == + storvsc_device_destroy(sdev) + access of sdev->hostdata->request_mempool + +Signed-off-by: Ales Novak +Signed-off-by: Thomas Abraham +Reviewed-by: Jiri Kosina +Acked-by: K. Y. Srinivasan +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/storvsc_drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1131,6 +1131,9 @@ static void storvsc_device_destroy(struc + { + struct stor_mem_pools *memp = sdevice->hostdata; + ++ if (!memp) ++ return; ++ + mempool_destroy(memp->request_mempool); + kmem_cache_destroy(memp->request_pool); + kfree(memp); diff --git a/queue-3.4/series b/queue-3.4/series index 4b4e94df705..266cb2cbd9c 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -26,3 +26,8 @@ drm-radeon-atom-select-the-proper-number-of-lanes-in.patch kvm-svm-fix-cr8-intercept-window.patch vmxnet3-fix-netpoll-race-condition.patch vmxnet3-fix-building-without-config_pci_msi.patch +can-flexcan-flexcan_open-fix-error-path-if-flexcan_chip_start-fails.patch +scsi-isci-fix-reset-timeout-handling.patch +scsi-isci-correct-erroneous-for_each_isci_host-macro.patch +scsi-qla2xxx-poll-during-initialization-for-isp25xx-and-isp83xx.patch +scsi-storvsc-null-pointer-dereference-fix.patch -- 2.47.3