From c3352583f8225781f814c5dbda499f0ef90f5196 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 19 Apr 2020 21:21:57 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...-for-null-arg_name-in-parse_features.patch | 41 +++
 ...ture-ssbd-doesn-t-imply-guest-featur.patch | 53 ++++
 ...hang-when-multiple-threads-try-to-de.patch | 258 ++++++++++++++++++
 .../scsi-target-remove-boilerplate-code.patch | 101 +++++++
 queue-4.9/series | 4 +
 5 files changed, 457 insertions(+)
 create mode 100644 queue-4.9/dm-flakey-check-for-null-arg_name-in-parse_features.patch
 create mode 100644 queue-4.9/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
 create mode 100644 queue-4.9/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
 create mode 100644 queue-4.9/scsi-target-remove-boilerplate-code.patch
diff --git a/queue-4.9/dm-flakey-check-for-null-arg_name-in-parse_features.patch b/queue-4.9/dm-flakey-check-for-null-arg_name-in-parse_features.patch
new file mode 100644
index 00000000000..162ad1a87c4
--- /dev/null
+++ b/queue-4.9/dm-flakey-check-for-null-arg_name-in-parse_features.patch
@@ -0,0 +1,41 @@
+From f2b3f5bd3fcc37e7e5e08290cf21ab16ddd85e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Dec 2017 21:14:12 -0600
+Subject: dm flakey: check for null arg_name in parse_features()
+
+From: Goldwyn Rodrigues
+
+[ Upstream commit 7690e25302dc7d0cd42b349e746fe44b44a94f2b ]
+
+One can crash dm-flakey by specifying more feature arguments than the
+number of features supplied. Checking for null in arg_name avoids
+this.
+
+dmsetup create flakey-test --table "0 66076080 flakey /dev/sdb9 0 0 180 2 drop_writes"
+
+Signed-off-by: Goldwyn Rodrigues
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-flakey.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index 742c1fa870dae..36a98f4db0564 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -69,6 +69,11 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ arg_name = dm_shift_arg(as);
+ argc--;
+
++ if (!arg_name) {
++ ti->error = "Insufficient feature arguments";
++ return -EINVAL;
++ }
++
+ /*
+ * drop_writes
+ */
+-- 
+2.20.1
+
diff --git a/queue-4.9/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch b/queue-4.9/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
new file mode 100644
index 00000000000..5ce09f0bc83
--- /dev/null
+++ b/queue-4.9/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
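Review bot: The added `if (!arg_name)` guard in parse_features() (drivers/md/dm-flakey.c, the first queued patch) carries no comment saying when `arg_name` can be NULL, which the commit message gives as a table that declares more feature arguments than it supplies. A one-line comment above the check, such as `/* dm_shift_arg() returns NULL once the supplied arguments run out */`, would keep that reason next to the code so the guard is not removed as dead code later. The body of parse_features() starts and ends outside the hunk, so whether the remaining argument reads in the loop are guarded the same way cannot be judged from here.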
@@ -0,0 +1,53 @@
+From aed1de6f488795c1223beb1f2f9df04265bb5efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Dec 2019 16:15:15 -0800
+Subject: kvm: x86: Host feature SSBD doesn't imply guest feature
+ SPEC_CTRL_SSBD
+
+From: Jim Mattson
+
+commit 396d2e878f92ec108e4293f1c77ea3bc90b414ff upstream.
+
+The host reports support for the synthetic feature X86_FEATURE_SSBD
+when any of the three following hardware features are set:
+ CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31]
+ CPUID.80000008H:EBX.AMD_SSBD[bit 24]
+ CPUID.80000008H:EBX.VIRT_SSBD[bit 25]
+
+Either of the first two hardware features implies the existence of the
+IA32_SPEC_CTRL MSR, but CPUID.80000008H:EBX.VIRT_SSBD[bit 25] does
+not. Therefore, CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] should only be
+set in the guest if CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] or
+CPUID.80000008H:EBX.AMD_SSBD[bit 24] is set on the host.
+
+Fixes: 0c54914d0c52a ("KVM: x86: use Intel speculation bugs and features as derived in generic x86 code")
+Signed-off-by: Jim Mattson
+Reviewed-by: Jacob Xu
+Reviewed-by: Peter Shier
+Cc: Paolo Bonzini
+Reported-by: Eric Biggers
+Signed-off-by: Paolo Bonzini
+[bwh: Backported to 4.x: adjust indentation]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index c57dab0884fed..63c3ff9e74d42 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -479,7 +479,8 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
+ entry->edx |= F(SPEC_CTRL);
+ if (boot_cpu_has(X86_FEATURE_STIBP))
+ entry->edx |= F(INTEL_STIBP);
+- if (boot_cpu_has(X86_FEATURE_SSBD))
++ if (boot_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++ boot_cpu_has(X86_FEATURE_AMD_SSBD))
+ entry->edx |= F(SPEC_CTRL_SSBD);
+ /*
+ * We emulate ARCH_CAPABILITIES in software even
+-- 
+2.20.1
+
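Review bot: The new two-part condition in __do_cpuid_ent() (arch/x86/kvm/cpuid.c) deliberately avoids the synthetic X86_FEATURE_SSBD, but nothing on the added lines records why, so a later cleanup could fold the two tests back into the single check this patch removes. A comment above the `if`, such as `/* X86_FEATURE_SSBD is also set for VIRT_SSBD, which does not imply IA32_SPEC_CTRL */`, would carry the commit message's reasoning into the source. Because this is a 4.9 backport, it is also worth confirming that X86_FEATURE_SPEC_CTRL_SSBD and X86_FEATURE_AMD_SSBD are both defined in that tree; the page does not show it. The function body continues outside the hunk.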
diff --git a/queue-4.9/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch b/queue-4.9/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
new file mode 100644
index 00000000000..a8fbf4c879d
--- /dev/null
+++ b/queue-4.9/scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
@@ -0,0 +1,258 @@
+From f95b8da0c223b8dc838f3e6fc3e4ae7dc5ab4b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 18:06:55 +0100
+Subject: scsi: target: fix hang when multiple threads try to destroy the same
+ iscsi session
+
+From: Maurizio Lombardi
+
+[ Upstream commit 57c46e9f33da530a2485fa01aa27b6d18c28c796 ]
+
+A number of hangs have been reported against the target driver; they are
+due to the fact that multiple threads may try to destroy the iscsi session
+at the same time. This may be reproduced for example when a "targetcli
+iscsi/iqn.../tpg1 disable" command is executed while a logout operation is
+underway.
+
+When this happens, two or more threads may end up sleeping and waiting for
+iscsit_close_connection() to execute "complete(session_wait_comp)". Only
+one of the threads will wake up and proceed to destroy the session
+structure, the remaining threads will hang forever.
+
+Note that if the blocked threads are somehow forced to wake up with
+complete_all(), they will try to free the same iscsi session structure
+destroyed by the first thread, causing double frees, memory corruptions
+etc...
+
+With this patch, the threads that want to destroy the iscsi session will
+increase the session refcount and will set the "session_close" flag to 1;
+then they wait for the driver to close the remaining active connections.
+When the last connection is closed, iscsit_close_connection() will wake up
+all the threads and will wait for the session's refcount to reach zero;
+when this happens, iscsit_close_connection() will destroy the session
+structure because no one is referencing it anymore.
+
+ INFO: task targetcli:5971 blocked for more than 120 seconds.
+ Tainted: P OE 4.15.0-72-generic #81~16.04.1
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ targetcli D 0 5971 1 0x00000080
+ Call Trace:
+ __schedule+0x3d6/0x8b0
+ ? vprintk_func+0x44/0xe0
+ schedule+0x36/0x80
+ schedule_timeout+0x1db/0x370
+ ? __dynamic_pr_debug+0x8a/0xb0
+ wait_for_completion+0xb4/0x140
+ ? wake_up_q+0x70/0x70
+ iscsit_free_session+0x13d/0x1a0 [iscsi_target_mod]
+ iscsit_release_sessions_for_tpg+0x16b/0x1e0 [iscsi_target_mod]
+ iscsit_tpg_disable_portal_group+0xca/0x1c0 [iscsi_target_mod]
+ lio_target_tpg_enable_store+0x66/0xe0 [iscsi_target_mod]
+ configfs_write_file+0xb9/0x120
+ __vfs_write+0x1b/0x40
+ vfs_write+0xb8/0x1b0
+ SyS_write+0x5c/0xe0
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Link: https://lore.kernel.org/r/20200313170656.9716-3-mlombard@redhat.com
+Reported-by: Matt Coleman
+Tested-by: Matt Coleman
+Tested-by: Rahul Kundu
+Signed-off-by: Maurizio Lombardi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/iscsi/iscsi_target.c | 35 ++++++++++++--------
+ drivers/target/iscsi/iscsi_target_configfs.c | 5 ++-
+ drivers/target/iscsi/iscsi_target_login.c | 5 +--
+ include/target/iscsi/iscsi_target_core.h | 2 +-
+ 4 files changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 9134ea8fc0878..2b8fbcd8dde24 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4321,30 +4321,37 @@ int iscsit_close_connection(
+ if (!atomic_read(&sess->session_reinstatement) &&
+ atomic_read(&sess->session_fall_back_to_erl0)) {
+ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
+ iscsit_close_session(sess);
+
+ return 0;
+ } else if (atomic_read(&sess->session_logout)) {
+ pr_debug("Moving to TARG_SESS_STATE_FREE.\n");
+ sess->session_state = TARG_SESS_STATE_FREE;
+- spin_unlock_bh(&sess->conn_lock);
+
+- if (atomic_read(&sess->sleep_on_sess_wait_comp))
+- complete(&sess->session_wait_comp);
++ if (atomic_read(&sess->session_close)) {
++ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
++ iscsit_close_session(sess);
++ } else {
++ spin_unlock_bh(&sess->conn_lock);
++ }
+
+ return 0;
+ } else {
+ pr_debug("Moving to TARG_SESS_STATE_FAILED.\n");
+ sess->session_state = TARG_SESS_STATE_FAILED;
+
+- if (!atomic_read(&sess->session_continuation)) {
+- spin_unlock_bh(&sess->conn_lock);
++ if (!atomic_read(&sess->session_continuation))
+ iscsit_start_time2retain_handler(sess);
+- } else
+- spin_unlock_bh(&sess->conn_lock);
+
+- if (atomic_read(&sess->sleep_on_sess_wait_comp))
+- complete(&sess->session_wait_comp);
++ if (atomic_read(&sess->session_close)) {
++ spin_unlock_bh(&sess->conn_lock);
++ complete_all(&sess->session_wait_comp);
++ iscsit_close_session(sess);
++ } else {
++ spin_unlock_bh(&sess->conn_lock);
++ }
+
+ return 0;
+ }
+@@ -4453,9 +4460,9 @@ static void iscsit_logout_post_handler_closesession(
+ complete(&conn->conn_logout_comp);
+
+ iscsit_dec_conn_usage_count(conn);
++ atomic_set(&sess->session_close, 1);
+ iscsit_stop_session(sess, sleep, sleep);
+ iscsit_dec_session_usage_count(sess);
+- iscsit_close_session(sess);
+ }
+
+ static void iscsit_logout_post_handler_samecid(
+@@ -4600,8 +4607,6 @@ void iscsit_stop_session(
+ int is_last;
+
+ spin_lock_bh(&sess->conn_lock);
+- if (session_sleep)
+- atomic_set(&sess->sleep_on_sess_wait_comp, 1);
+
+ if (connection_sleep) {
+ list_for_each_entry_safe(conn, conn_tmp, &sess->sess_conn_list,
+@@ -4659,12 +4664,15 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ spin_lock(&sess->conn_lock);
+ if (atomic_read(&sess->session_fall_back_to_erl0) ||
+ atomic_read(&sess->session_logout) ||
++ atomic_read(&sess->session_close) ||
+ (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess->conn_lock);
+ continue;
+ }
++ iscsit_inc_session_usage_count(sess);
+ atomic_set(&sess->session_reinstatement, 1);
+ atomic_set(&sess->session_fall_back_to_erl0, 1);
++ atomic_set(&sess->session_close, 1);
+ spin_unlock(&sess->conn_lock);
+
+ list_move_tail(&se_sess->sess_list, &free_list);
+@@ -4674,8 +4682,9 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+
++ list_del_init(&se_sess->sess_list);
+ iscsit_stop_session(sess, 1, 1);
+- iscsit_close_session(sess);
++ iscsit_dec_session_usage_count(sess);
+ session_count++;
+ }
+
+diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
+index 8a4bc15bc3f56..0718f688277a8 100644
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1527,20 +1527,23 @@ static void lio_tpg_close_session(struct se_session *se_sess)
+ spin_lock(&sess->conn_lock);
+ if (atomic_read(&sess->session_fall_back_to_erl0) ||
+ atomic_read(&sess->session_logout) ||
++ atomic_read(&sess->session_close) ||
+ (sess->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess->conn_lock);
+ spin_unlock_bh(&se_tpg->session_lock);
+ return;
+ }
++ iscsit_inc_session_usage_count(sess);
+ atomic_set(&sess->session_reinstatement, 1);
+ atomic_set(&sess->session_fall_back_to_erl0, 1);
++ atomic_set(&sess->session_close, 1);
+ spin_unlock(&sess->conn_lock);
+
+ iscsit_stop_time2retain_timer(sess);
+ spin_unlock_bh(&se_tpg->session_lock);
+
+ iscsit_stop_session(sess, 1, 1);
+- iscsit_close_session(sess);
++ iscsit_dec_session_usage_count(sess);
+ }
+
+ static u32 lio_tpg_get_inst_index(struct se_portal_group *se_tpg)
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index d2f82aaf6a851..985e600908e0e 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -195,6 +195,7 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ spin_lock(&sess_p->conn_lock);
+ if (atomic_read(&sess_p->session_fall_back_to_erl0) ||
+ atomic_read(&sess_p->session_logout) ||
++ atomic_read(&sess_p->session_close) ||
+ (sess_p->time2retain_timer_flags & ISCSI_TF_EXPIRED)) {
+ spin_unlock(&sess_p->conn_lock);
+ continue;
+@@ -205,6 +206,7 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ (sess_p->sess_ops->SessionType == sessiontype))) {
+ atomic_set(&sess_p->session_reinstatement, 1);
+ atomic_set(&sess_p->session_fall_back_to_erl0, 1);
++ atomic_set(&sess_p->session_close, 1);
+ spin_unlock(&sess_p->conn_lock);
+ iscsit_inc_session_usage_count(sess_p);
+ iscsit_stop_time2retain_timer(sess_p);
+@@ -229,7 +231,6 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ if (sess->session_state == TARG_SESS_STATE_FAILED) {
+ spin_unlock_bh(&sess->conn_lock);
+ iscsit_dec_session_usage_count(sess);
+- iscsit_close_session(sess);
+ return 0;
+ }
+ spin_unlock_bh(&sess->conn_lock);
+@@ -237,7 +238,6 @@ int iscsi_check_for_session_reinstatement(struct iscsi_conn *conn)
+ iscsit_stop_session(sess, 1, 1);
+ iscsit_dec_session_usage_count(sess);
+
+- iscsit_close_session(sess);
+ return 0;
+ }
+
+@@ -525,6 +525,7 @@ static int iscsi_login_non_zero_tsih_s2(
+ sess_p = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+ if (atomic_read(&sess_p->session_fall_back_to_erl0) ||
+ atomic_read(&sess_p->session_logout) ||
++ atomic_read(&sess_p->session_close) ||
+ (sess_p->time2retain_timer_flags & ISCSI_TF_EXPIRED))
+ continue;
+ if (!memcmp(sess_p->isid, pdu->isid, 6) &&
+diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
+index 6021c3acb6c5a..b1814d2762bdb 100644
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -671,7 +671,7 @@ struct iscsi_session {
+ atomic_t session_logout;
+ atomic_t session_reinstatement;
+ atomic_t session_stop_active;
+- atomic_t sleep_on_sess_wait_comp;
++ atomic_t session_close;
+ /* connection list */
+ struct list_head sess_conn_list;
+ struct list_head cr_active_list;
+-- 
+2.20.1
+
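Review bot: In iscsi_check_for_session_reinstatement() (iscsi_target_login.c, inner hunk at -205) the new `atomic_set(&sess_p->session_close, 1);` is set under conn_lock, but `iscsit_inc_session_usage_count(sess_p);` still runs only after `spin_unlock(&sess_p->conn_lock);`. The other two closers this patch touches, iscsit_release_sessions_for_tpg() and lio_tpg_close_session(), take the reference first and while the lock is still held. If nothing outside the hunk serialises this path against iscsit_close_connection(), the last connection could close in that window, observe session_close and start tearing the session down before the reference exists, which is the use-after-free class the commit message sets out to remove. Moving the increment ahead of `atomic_set(&sess_p->session_reinstatement, 1);` would match the other call sites; the enclosing function and any outer lock are not visible here, so this needs checking against the full source and, being a backport, raising upstream first.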
diff --git a/queue-4.9/scsi-target-remove-boilerplate-code.patch b/queue-4.9/scsi-target-remove-boilerplate-code.patch
new file mode 100644
index 00000000000..2f3c56ef000
--- /dev/null
+++ b/queue-4.9/scsi-target-remove-boilerplate-code.patch
@@ -0,0 +1,101 @@
+From 443b9fadd0674c33a2094f8f084b10529fd55a4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 18:06:54 +0100
+Subject: scsi: target: remove boilerplate code
+
+From: Maurizio Lombardi
+
+[ Upstream commit e49a7d994379278d3353d7ffc7994672752fb0ad ]
+
+iscsit_free_session() is equivalent to iscsit_stop_session() followed by a
+call to iscsit_close_session().
+
+Link: https://lore.kernel.org/r/20200313170656.9716-2-mlombard@redhat.com
+Tested-by: Rahul Kundu
+Signed-off-by: Maurizio Lombardi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/iscsi/iscsi_target.c | 46 ++---------------------------
+ drivers/target/iscsi/iscsi_target.h | 1 -
+ 2 files changed, 2 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index b6c4f55f79e7a..9134ea8fc0878 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4590,49 +4590,6 @@ void iscsit_fail_session(struct iscsi_session *sess)
+ sess->session_state = TARG_SESS_STATE_FAILED;
+ }
+
+-int iscsit_free_session(struct iscsi_session *sess)
+-{
+- u16 conn_count = atomic_read(&sess->nconn);
+- struct iscsi_conn *conn, *conn_tmp = NULL;
+- int is_last;
+-
+- spin_lock_bh(&sess->conn_lock);
+- atomic_set(&sess->sleep_on_sess_wait_comp, 1);
+-
+- list_for_each_entry_safe(conn, conn_tmp, &sess->sess_conn_list,
+- conn_list) {
+- if (conn_count == 0)
+- break;
+-
+- if (list_is_last(&conn->conn_list, &sess->sess_conn_list)) {
+- is_last = 1;
+- } else {
+- iscsit_inc_conn_usage_count(conn_tmp);
+- is_last = 0;
+- }
+- iscsit_inc_conn_usage_count(conn);
+-
+- spin_unlock_bh(&sess->conn_lock);
+- iscsit_cause_connection_reinstatement(conn, 1);
+- spin_lock_bh(&sess->conn_lock);
+-
+- iscsit_dec_conn_usage_count(conn);
+- if (is_last == 0)
+- iscsit_dec_conn_usage_count(conn_tmp);
+-
+- conn_count--;
+- }
+-
+- if (atomic_read(&sess->nconn)) {
+- spin_unlock_bh(&sess->conn_lock);
+- wait_for_completion(&sess->session_wait_comp);
+- } else
+- spin_unlock_bh(&sess->conn_lock);
+-
+- iscsit_close_session(sess);
+- return 0;
+-}
+-
+ void iscsit_stop_session(
+ struct iscsi_session *sess,
+ int session_sleep,
+@@ -4717,7 +4674,8 @@ int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *tpg, int force)
+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+
+- iscsit_free_session(sess);
++ iscsit_stop_session(sess, 1, 1);
++ iscsit_close_session(sess);
+ session_count++;
+ }
+
+diff --git a/drivers/target/iscsi/iscsi_target.h b/drivers/target/iscsi/iscsi_target.h
+index 4cf2c0f2ba2f9..cfe87b629a8bd 100644
+--- a/drivers/target/iscsi/iscsi_target.h
++++ b/drivers/target/iscsi/iscsi_target.h
+@@ -30,7 +30,6 @@ extern int iscsi_target_rx_thread(void *);
+ extern int iscsit_close_connection(struct iscsi_conn *);
+ extern int iscsit_close_session(struct iscsi_session *);
+ extern void iscsit_fail_session(struct iscsi_session *);
+-extern int iscsit_free_session(struct iscsi_session *);
+ extern void iscsit_stop_session(struct iscsi_session *, int, int);
+ extern int iscsit_release_sessions_for_tpg(struct iscsi_portal_group *, int);
+
+-- 
+2.20.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index b32efb6e066..cd520409f40 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -76,3 +76,7 @@ asoc-intel-mrfld-return-error-codes-when-an-error-occurs.patch
 alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
 btrfs-check-commit-root-generation-in-should_ignore_root.patch
 mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
+dm-flakey-check-for-null-arg_name-in-parse_features.patch
+kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
+scsi-target-remove-boilerplate-code.patch
+scsi-target-fix-hang-when-multiple-threads-try-to-de.patch
-- 
2.47.3