From c2120f08ea25ba553e4a835b34a85dec2b5e7b0f Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 19 Apr 2020 21:21:56 -0400
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...-for-null-arg_name-in-parse_features.patch | 41 +++
 ...ture-ssbd-doesn-t-imply-guest-featur.patch | 53 ++++
 ...hang-when-multiple-threads-try-to-de.patch | 258 ++++++++++++++++++
 .../scsi-target-remove-boilerplate-code.patch | 101 +++++++
 queue-4.14/series | 4 +
 5 files changed, 457 insertions(+)
 create mode 100644 queue-4.14/dm-flakey-check-for-null-arg_name-in-parse_features.patch
 create mode 100644 queue-4.14/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
 create mode 100644 queue-4.14/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
 create mode 100644 queue-4.14/scsi-target-remove-boilerplate-code.patch
diff --git a/queue-4.14/dm-flakey-check-for-null-arg_name-in-parse_features.patch b/queue-4.14/dm-flakey-check-for-null-arg_name-in-parse_features.patch
new file mode 100644
index 00000000000..26efd6e32b2
--- /dev/null
+++ b/queue-4.14/dm-flakey-check-for-null-arg_name-in-parse_features.patch
@@ -0,0 +1,41 @@
+From 7fa87121f832bd1ac20a0cc6dfdbc61ccd629e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Dec 2017 21:14:12 -0600
+Subject: dm flakey: check for null arg_name in parse_features()
+
+From: Goldwyn Rodrigues
+
+[ Upstream commit 7690e25302dc7d0cd42b349e746fe44b44a94f2b ]
+
+One can crash dm-flakey by specifying more feature arguments than the
+number of features supplied. Checking for null in arg_name avoids
+this.
+
+dmsetup create flakey-test --table "0 66076080 flakey /dev/sdb9 0 0 180 2 drop_writes"
+
+Signed-off-by: Goldwyn Rodrigues
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-flakey.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index b1b68e01b889c..53cd31199f212 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -70,6 +70,11 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ arg_name = dm_shift_arg(as);
+ argc--;
+
++ if (!arg_name) {
++ ti->error = "Insufficient feature arguments";
++ return -EINVAL;
++ }
++
+ /*
+ * drop_writes
+ */
+--
+2.20.1
+
diff --git a/queue-4.14/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch b/queue-4.14/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
new file mode 100644
index 00000000000..0d02c81b98d
--- /dev/null
+++ b/queue-4.14/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
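Review bot: In the dm-flakey patch, the added NULL test guards only the feature-name dm_shift_arg() visible in this hunk; any later dm_shift_arg() calls in parse_features() that fetch a feature's parameters are outside the lines shown and would need the same guard if they use the result directly. A single up-front comparison of the declared count against what is actually left would cover every consumer at once, e.g. `if (argc > as->argc) { ti->error = "Insufficient feature arguments"; return -EINVAL; }` before the loop. Whether 4.14 already validates the count earlier cannot be told from this hunk, so treat this as something to confirm rather than a known gap.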
@@ -0,0 +1,53 @@
+From def3b76706219356f930fd9b6849d0fb1f3677d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Dec 2019 16:15:15 -0800
+Subject: kvm: x86: Host feature SSBD doesn't imply guest feature
+ SPEC_CTRL_SSBD
+
+From: Jim Mattson
+
+commit 396d2e878f92ec108e4293f1c77ea3bc90b414ff upstream.
+
+The host reports support for the synthetic feature X86_FEATURE_SSBD
+when any of the three following hardware features are set:
+ CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31]
+ CPUID.80000008H:EBX.AMD_SSBD[bit 24]
+ CPUID.80000008H:EBX.VIRT_SSBD[bit 25]
+
+Either of the first two hardware features implies the existence of the
+IA32_SPEC_CTRL MSR, but CPUID.80000008H:EBX.VIRT_SSBD[bit 25] does
+not. Therefore, CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] should only be
+set in the guest if CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] or
+CPUID.80000008H:EBX.AMD_SSBD[bit 24] is set on the host.
+
+Fixes: 0c54914d0c52a ("KVM: x86: use Intel speculation bugs and features as derived in generic x86 code")
+Signed-off-by: Jim Mattson
+Reviewed-by: Jacob Xu
+Reviewed-by: Peter Shier
+Cc: Paolo Bonzini
+Reported-by: Eric Biggers
+Signed-off-by: Paolo Bonzini
+[bwh: Backported to 4.x: adjust indentation]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 1152afad524fe..6ec1cfd0addd8 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -494,7 +494,8 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
+ entry->edx |= F(SPEC_CTRL);
+ if (boot_cpu_has(X86_FEATURE_STIBP))
+ entry->edx |= F(INTEL_STIBP);
+- if (boot_cpu_has(X86_FEATURE_SSBD))
++ if (boot_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++ boot_cpu_has(X86_FEATURE_AMD_SSBD))
+ entry->edx |= F(SPEC_CTRL_SSBD);
+ /*
+ * We emulate ARCH_CAPABILITIES in software even
+--
+2.20.1
+
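Review bot: The new two-flag test in __do_cpuid_ent() has no comment saying why the synthetic X86_FEATURE_SSBD is deliberately avoided, so a later cleanup could fold it back and again advertise SPEC_CTRL_SSBD to guests on hosts that only have VIRT_SSBD, where the commit message says the IA32_SPEC_CTRL MSR is not implied. I would add above the condition: `/* X86_FEATURE_SSBD is also set for VIRT_SSBD, which does not imply IA32_SPEC_CTRL; test the two hardware bits only. */`. For the 4.14 backport it is also worth confirming that X86_FEATURE_SPEC_CTRL_SSBD and X86_FEATURE_AMD_SSBD are both defined in that tree, since their definitions are not part of this hunk. The function body starts and ends outside the lines shown.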
diff --git a/queue-4.14/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch b/queue-4.14/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
new file mode 100644
index 00000000000..8355e07261f
--- /dev/null
+++ b/queue-4.14/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
@@ -0,0 +1,258 @@
+From 8abecd9f30cccd853266f2b66053867a2d549b9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 18:06:55 +0100
+Subject: scsi: target: fix hang when multiple threads try to destroy the same
+ iscsi session
+
+From: Maurizio Lombardi
+
+[ Upstream commit 57c46e9f33da530a2485fa01aa27b6d18c28c796 ]
+
+A number of hangs have been reported against the target driver; they are
+due to the fact that multiple threads may try to destroy the iscsi session
+at the same time. This may be reproduced for example when a "targetcli
+iscsi/iqn.../tpg1 disable" command is executed while a logout operation is
+underway.
+
+When this happens, two or more threads may end up sleeping and waiting for
+iscsit_close_connection() to execute "complete(session_wait_comp)". Only
+one of the threads will wake up and proceed to destroy the session
+structure, the remaining threads will hang forever.
+
+Note that if the blocked threads are somehow forced to wake up with
+complete_all(), they will try to free the same iscsi session structure
+destroyed by the first thread, causing double frees, memory corruptions
+etc...
+
+With this patch, the threads that want to destroy the iscsi session will
+increase the session refcount and will set the "session_close" flag to 1;
+then they wait for the driver to close the remaining active connections.
+When the last connection is closed, iscsit_close_connection() will wake up
+all the threads and will wait for the session's refcount to reach zero;
+when this happens, iscsit_close_connection() will destroy the session
+structure because no one is referencing it anymore.
+
+ INFO: task targetcli:5971 blocked for more than 120 seconds.
+ Tainted: P OE 4.15.0-72-generic #81~16.04.1
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ targetcli D 0 5971 1 0x00000080
+ Call Trace:
+ __schedule+0x3d6/0x8b0
+ ? vprintk_func+0x44/0xe0
+ schedule+0x36/0x80
+ schedule_timeout+0x1db/0x370
+ ? __dynamic_pr_debug+0x8a/0xb0
+ wait_for_completion+0xb4/0x140
+ ? wake_up_q+0x70/0x70
+ iscsit_free_session+0x13d/0x1a0 [iscsi_target_mod]
+ iscsit_release_sessions_for_tpg+0x16b/0x1e0 [iscsi_target_mod]
+ iscsit_tpg_disable_portal_group+0xca/0x1c0 [iscsi_target_mod]
+ lio_target_tpg_enable_store+0x66/0xe0 [iscsi_target_mod]
+ configfs_write_file+0xb9/0x120
+ __vfs_write+0x1b/0x40
+ vfs_write+0xb8/0x1b0
+ SyS_write+0x5c/0xe0
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Link: https://lore.kernel.org/r/20200313170656.9716-3-mlombard@redhat.com
+Reported-by: Matt Coleman
+Tested-by: Matt Coleman
+Tested-by: Rahul Kundu
+Signed-off-by: Maurizio Lombardi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/iscsi/iscsi_target.c | 35 ++++++++++++--------
+ drivers/target/iscsi/iscsi_target_configfs.c | 5 ++-
+ drivers/target/iscsi/iscsi_target_login.c | 5 +--
+ include/target/iscsi/iscsi_target_core.h | 2 +-
+ 4 files changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 40993c575017f..ee49b227dc12b 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4314,30 +4314,37 @@ int iscsit_close_connection(
+ if (!atomic_read(&sess->session_reinstatement) &&
+ atomic_read(&sess->session_fall_back_to_erl0)) {
+ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
+ iscsit_close_session(sess);
+
+ return 0;
+ } else if (atomic_read(&sess->session_logout)) {
+ pr_debug("Moving to TARG_SESS_STATE_FREE.\n");
+ sess->session_state = TARG_SESS_STATE_FREE;
+- spin_unlock_bh(&sess->conn_lock);
+
+- if (atomic_read(&sess->sleep_on_sess_wait_comp))
+- complete(&sess->session_wait_comp);
++ if (atomic_read(&sess->session_close)) {
++ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
++ iscsit_close_session(sess);
++ } else {
++ spin_unlock_bh(&sess->conn_lock);
++ }
+
+ return 0;
+ } else {
+ pr_debug("Moving to TARG_SESS_STATE_FAILED.\n");
+ sess->session_state = TARG_SESS_STATE_FAILED;
+
+- if (!atomic_read(&sess->session_continuation)) {
+- spin_unlock_bh(&sess->conn_lock);
++ if (!atomic_read(&sess->session_continuation))
+ iscsit_start_time2retain_handler(sess);
+- } else
+- spin_unlock_bh(&sess->conn_lock);
+
+- if (atomic_read(&sess->sleep_on_sess_wait_comp))
+- complete(&sess->session_wait_comp);
++ if (atomic_read(&sess->session_close)) {
++ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
++ iscsit_close_session(sess);
++ } else {
++ spin_unlock_bh(&sess->conn_lock);
++ }
+
+ return 0;
+ }
+@@ -4446,9 +4453,9 @@ static void iscsit_logout_post_handler_closesession(
+ complete(&conn->conn_logout_comp);
+
+ iscsit_dec_conn_usage_count(conn);
++ atomic_set(&sess->session_close, 1);
+ iscsit_stop_session(sess, sleep, sleep);
+ iscsit_dec_session_usage_count(sess);
+- iscsit_close_session(sess);
+ }
+
+ static void iscsit_logout_post_handler_samecid(
+@@ -4593,8 +4600,6 @@ void iscsit_stop_session(
+ int is_last;
+
+ spin_lock_bh(&sess->conn_lock);
+- if (session_sleep)
+- atomic_set(&sess->sleep_on_sess_wait_comp, 1);
+
+ if (connection_sleep) {
+ list_for_each_entry_safe(conn, conn_tmp, &sess->sess_conn_list,
+@@ -4652,12 +4657,15 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ spin_lock(&sess->conn_lock);
+ if (atomic_read(&sess->session_fall_back_to_erl0) ||
+ atomic_read(&sess->session_logout) ||
++ atomic_read(&sess->session_close) ||
+ (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess->conn_lock);
+ continue;
+ }
++ iscsit_inc_session_usage_count(sess);
+ atomic_set(&sess->session_reinstatement, 1);
+ atomic_set(&sess->session_fall_back_to_erl0, 1);
++ atomic_set(&sess->session_close, 1);
+ spin_unlock(&sess->conn_lock);
+
+ list_move_tail(&se_sess->sess_list, &free_list);
+@@ -4667,8 +4675,9 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+
++ list_del_init(&se_sess->sess_list);
+ iscsit_stop_session(sess, 1, 1);
+- iscsit_close_session(sess);
++ iscsit_dec_session_usage_count(sess);
+ session_count++;
+ }
+
+diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
+index 0ebc4818e132a..4191e4a8a9ed6 100644
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1503,20 +1503,23 @@ static void lio_tpg_close_session(struct se_session *se_sess)
+ spin_lock(&sess->conn_lock);
+ if (atomic_read(&sess->session_fall_back_to_erl0) ||
+ atomic_read(&sess->session_logout) ||
++ atomic_read(&sess->session_close) ||
+ (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess->conn_lock);
+ spin_unlock_bh(&se_tpg->session_lock);
+ return;
+ }
++ iscsit_inc_session_usage_count(sess);
+ atomic_set(&sess->session_reinstatement, 1);
+ atomic_set(&sess->session_fall_back_to_erl0, 1);
++ atomic_set(&sess->session_close, 1);
+ spin_unlock(&sess->conn_lock);
+
+ iscsit_stop_time2retain_timer(sess);
+ spin_unlock_bh(&se_tpg->session_lock);
+
+ iscsit_stop_session(sess, 1, 1);
+- iscsit_close_session(sess);
++ iscsit_dec_session_usage_count(sess);
+ }
+
+ static u32 lio_tpg_get_inst_index(struct se_portal_group *se_tpg)
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index 27893d90c4efa..55df6f99e6691 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -199,6 +199,7 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ spin_lock(&sess_p->conn_lock);
+ if (atomic_read(&sess_p->session_fall_back_to_erl0) ||
+ atomic_read(&sess_p->session_logout) ||
++ atomic_read(&sess_p->session_close) ||
+ (sess_p->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess_p->conn_lock);
+ continue;
+@@ -209,6 +210,7 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ (sess_p->sess_ops->SessionType == sessiontype))) {
+ atomic_set(&sess_p->session_reinstatement, 1);
+ atomic_set(&sess_p->session_fall_back_to_erl0, 1);
++ atomic_set(&sess_p->session_close, 1);
+ spin_unlock(&sess_p->conn_lock);
+ iscsit_inc_session_usage_count(sess_p);
+ iscsit_stop_time2retain_timer(sess_p);
+@@ -233,7 +235,6 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ if (sess->session_state == TARG_SESS_STATE_FAILED) {
+ spin_unlock_bh(&sess->conn_lock);
+ iscsit_dec_session_usage_count(sess);
+- iscsit_close_session(sess);
+ return 0;
+ }
+ spin_unlock_bh(&sess->conn_lock);
+@@ -241,7 +242,6 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ iscsit_stop_session(sess, 1, 1);
+ iscsit_dec_session_usage_count(sess);
+
+- iscsit_close_session(sess);
+ return 0;
+ }
+
+@@ -534,6 +534,7 @@ static int iscsi_login_non_zero_tsih_s2(
+ sess_p = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+ if (atomic_read(&sess_p->session_fall_back_to_erl0) ||
+ atomic_read(&sess_p->session_logout) ||
++ atomic_read(&sess_p->session_close) ||
+ (sess_p->time2retain_timer_flags & ISCSI_TF_EXPIRED))
+ continue;
+ if (!memcmp(sess_p->isid, pdu->isid, 6) &&
+diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
+index cf5f3fff1f1a7..fd7e4d1df9a15 100644
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -673,7 +673,7 @@ struct iscsi_session {
+ atomic_t session_logout;
+ atomic_t session_reinstatement;
+ atomic_t session_stop_active;
+- atomic_t sleep_on_sess_wait_comp;
++ atomic_t session_close;
+ /* connection list */
+ struct list_head sess_conn_list;
+ struct list_head cr_active_list;
+--
+2.20.1
+
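Review bot: In the TARG_SESS_STATE_FAILED branch of iscsit_close_connection(), iscsit_start_time2retain_handler() is now called before either spin_unlock_bh(&sess->conn_lock), whereas the removed lines dropped the lock first, so the handler now appears to run with conn_lock held and bottom halves disabled. Please confirm against the 4.14 tree that the handler neither sleeps nor takes conn_lock itself, and record the new contract at the call site with a comment such as `/* called with sess->conn_lock held: must not sleep or re-take conn_lock */`. Separately, the skip test (session_fall_back_to_erl0, session_logout, session_close, ISCSI_TF_EXPIRED) is now repeated in iscsit_release_sessions_for_tpg(), lio_tpg_close_session(), iscsi_check_for_session_reinstatement() and iscsi_login_non_zero_tsih_s2(); a small shared helper would keep a future flag from being missed at one site, which could let two paths tear down the same session again. All of these functions extend beyond the lines shown.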
diff --git a/queue-4.14/scsi-target-remove-boilerplate-code.patch b/queue-4.14/scsi-target-remove-boilerplate-code.patch
new file mode 100644
index 00000000000..4f19354b008
--- /dev/null
+++ b/queue-4.14/scsi-target-remove-boilerplate-code.patch
@@ -0,0 +1,101 @@
+From c0560b037c47acd0b62f3ca6beb4e29b750261bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 18:06:54 +0100
+Subject: scsi: target: remove boilerplate code
+
+From: Maurizio Lombardi
+
+[ Upstream commit e49a7d994379278d3353d7ffc7994672752fb0ad ]
+
+iscsit_free_session() is equivalent to iscsit_stop_session() followed by a
+call to iscsit_close_session().
+
+Link: https://lore.kernel.org/r/20200313170656.9716-2-mlombard@redhat.com
+Tested-by: Rahul Kundu
+Signed-off-by: Maurizio Lombardi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/iscsi/iscsi_target.c | 46 ++---------------------------
+ drivers/target/iscsi/iscsi_target.h | 1 -
+ 2 files changed, 2 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index fb7bd422e2e1f..40993c575017f 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4583,49 +4583,6 @@ void iscsit_fail_session(struct iscsi_session *sess)
+ sess->session_state = TARG_SESS_STATE_FAILED;
+ }
+
+-int iscsit_free_session(struct iscsi_session *sess)
+-{
+- u16 conn_count = atomic_read(&sess->nconn);
+- struct iscsi_conn *conn, *conn_tmp = NULL;
+- int is_last;
+-
+- spin_lock_bh(&sess->conn_lock);
+- atomic_set(&sess->sleep_on_sess_wait_comp, 1);
+-
+- list_for_each_entry_safe(conn, conn_tmp, &sess->sess_conn_list,
+- conn_list) {
+- if (conn_count == 0)
+- break;
+-
+- if (list_is_last(&conn->conn_list, &sess->sess_conn_list)) {
+- is_last = 1;
+- } else {
+- iscsit_inc_conn_usage_count(conn_tmp);
+- is_last = 0;
+- }
+- iscsit_inc_conn_usage_count(conn);
+-
+- spin_unlock_bh(&sess->conn_lock);
+- iscsit_cause_connection_reinstatement(conn, 1);
+- spin_lock_bh(&sess->conn_lock);
+-
+- iscsit_dec_conn_usage_count(conn);
+- if (is_last == 0)
+- iscsit_dec_conn_usage_count(conn_tmp);
+-
+- conn_count--;
+- }
+-
+- if (atomic_read(&sess->nconn)) {
+- spin_unlock_bh(&sess->conn_lock);
+- wait_for_completion(&sess->session_wait_comp);
+- } else
+- spin_unlock_bh(&sess->conn_lock);
+-
+- iscsit_close_session(sess);
+- return 0;
+-}
+-
+ void iscsit_stop_session(
+ struct iscsi_session *sess,
+ int session_sleep,
+@@ -4710,7 +4667,8 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+
+- iscsit_free_session(sess);
++ iscsit_stop_session(sess, 1, 1);
++ iscsit_close_session(sess);
+ session_count++;
+ }
+
+diff --git a/drivers/target/iscsi/iscsi_target.h b/drivers/target/iscsi/iscsi_target.h
+index 42de1843aa40d..f0d2cbf594c92 100644
+--- a/drivers/target/iscsi/iscsi_target.h
++++ b/drivers/target/iscsi/iscsi_target.h
+@@ -43,7 +43,6 @@ extern int iscsi_target_rx_thread(void *);
+ extern int iscsit_close_connection(struct iscsi_conn *);
+ extern int iscsit_close_session(struct iscsi_session *);
+ extern void iscsit_fail_session(struct iscsi_session *);
+-extern int iscsit_free_session(struct iscsi_session *);
+ extern void iscsit_stop_session(struct iscsi_session *, int, int);
+ extern int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *, int);
+
+--
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index feef3903c9d..70f86d5a352 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -121,3 +121,7 @@ alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
 tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
 btrfs-check-commit-root-generation-in-should_ignore_root.patch
 mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
+dm-flakey-check-for-null-arg_name-in-parse_features.patch
+kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
+scsi-target-remove-boilerplate-code.patch
+scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
--
2.47.3