08 Sep, 2012
2 commits
-
Several places were not checking that the parameter list length
was large enough, and thus accessing invalid memory. Zero-length
parameter lists are just a special case of this.

Signed-off-by: Paolo Bonzini
Signed-off-by: Nicholas Bellinger
-
Right now, commands with a zero-size payload are skipped completely.
This is wrong; such commands should be passed down to the device and
processed normally.

For physical backends, this ignores completely things such as START
STOP UNIT. For virtual backends, we have a hack in place to clear a
unit attention state on a zero-size REQUEST SENSE, but we still do
not report errors properly on zero-length commands---out-of-bounds
0-block reads and writes, too small parameter list lengths, etc.

This patch fixes this for PSCSI. Uses of transport_kmap_data_sg are
guarded with a check for non-zero cmd->data_length; for all other
commands a zero length is handled properly in pscsi_execute_cmd.
The sole exception will be for now REPORT LUNS, which is handled
through the normal SPC emulation.

Signed-off-by: Paolo Bonzini
Signed-off-by: Nicholas Bellinger
06 Sep, 2012
3 commits
-
The pointer to the sense buffer is fetched by transport_get_sense_data,
but this is called by target_complete_ok_work long after pscsi_req_done
has freed the struct that contains it.

Pass instead the fabric's sense buffer to transport_complete,
and copy the data to it directly in transport_complete. Setting
SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete.

Signed-off-by: Paolo Bonzini
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger
-
The error conditions in transport_get_sense_data are superfluous
and complicate the code unnecessarily:

* SCF_TRANSPORT_TASK_SENSE is checked in the caller;
* it's simply part of the invariants of dev->transport->get_sense_buffer
that it must be there if transport_complete ever returns 1, and that
it must not return NULL. Besides, the entire callback will disappear
with the next patch.
* similarly in the caller we can expect that sense data is only sent
for non-zero cmd->scsi_status.

Signed-off-by: Paolo Bonzini
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger
-
We will be calling it from transport_complete_cmd, avoid forward
declarations. No semantic change.

Signed-off-by: Paolo Bonzini
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger
27 Aug, 2012
1 commit
-
This patch updates iscsi_login_zero_tsih_s1() usage for generating
iscsi_session->session_index to properly check the return value from
idr_get_new(), and reject the iSCSI login attempt with exception
status ISCSI_LOGIN_STATUS_NO_RESOURCES in the event of a failure.

Signed-off-by: Benjamin Wang
Signed-off-by: Nicholas Bellinger
24 Aug, 2012
1 commit
-
This patch fixes a long-standing bug with SCSI overflow handling
where se_cmd->data_length was incorrectly being re-assigned to
the larger CDB extracted allocation length, resulting in a number
of fabric level errors that would end up causing a session reset
in most cases. So instead now:

- Only re-assign se_cmd->data_length during UNDERFLOW (to use the
smaller value)
- Use existing se_cmd->data_length for OVERFLOW (to use the smaller
value)

This fix has been tested with the following CDB to generate an
SCSI overflow:

    sg_raw -r512 /dev/sdc 28 0 0 0 0 0 0 0 9 0

Tested using iscsi-target, tcm_qla2xxx, loopback and tcm_vhost fabric
ports. Here is a bit more detail on each case:

- iscsi-target: Bug with open-iscsi with overflow, sg_raw returns
-3584 bytes of data.
- tcm_qla2xxx: Working as expected, returning 512 bytes of data
- loopback: sg_raw returns CHECK_CONDITION, from overflow rejection
in transport_generic_map_mem_to_cmd()
- tcm_vhost: Same as loopback

Reported-by: Roland Dreier
Cc: Roland Dreier
Cc: Christoph Hellwig
Cc: Boaz Harrosh
Cc:
Signed-off-by: Nicholas Bellinger
22 Aug, 2012
1 commit
-
This was originally for helping fabrics to determine overflow/underflow
status, and has been superseded by SCF_OVERFLOW_BIT + SCF_UNDERFLOW_BIT.

Signed-off-by: Roland Dreier
Signed-off-by: Nicholas Bellinger
21 Aug, 2012
2 commits
-
Use rcu_dereference_protected in order to prevent lockdep
complaint. Sequel of the patch 863555be

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Denis Efremov
Acked-by: Mark D. Rustad
Signed-off-by: Nicholas Bellinger
-
Here TRANSPORT_IQN_LEN is 224, which is a multiple of 4.
Since vhost_tpgt is 2 bytes and abi_version is 4, the total size would
be 230. But gcc needs struct size be aligned to first field size, which
is 4 bytes, so it pads the structure by extra 2 bytes to the total of
232.

This padding is very undesirable in an ABI:
- it can not be initialized easily
- it can not be checked easily
- it can leak information between kernel and userspace

Simplest solution is probably just to make the padding
explicit.

(v2: Add check for zero'ed backend->reserved field for VHOST_SCSI_SET_ENDPOINT
and VHOST_SCSI_CLEAR_ENDPOINT ops as requested by MST)

Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Nicholas Bellinger
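
The padding problem described in the commit above, as an added example that is not part of the commit or of the kernel source. The field order and types are assumed from the sizes the message states (4-byte abi_version, 224-byte vhost_wwpn, 2-byte vhost_tpgt); the struct names, `check_reserved`, `leaked_bytes` and the sample name string are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRANSPORT_IQN_LEN 224   /* value stated in the commit message */
#define STALE 0xAA              /* constructed marker for old memory contents */

/* Assumed layout before the fix: 230 bytes of fields, padded to 232. */
struct target_implicit {
    int abi_version;
    char vhost_wwpn[TRANSPORT_IQN_LEN];
    unsigned short vhost_tpgt;
    /* 2 unnamed padding bytes are added here by the compiler */
};

/* Assumed layout after the fix: the padding is a named field. */
struct target_explicit {
    int abi_version;
    char vhost_wwpn[TRANSPORT_IQN_LEN];
    unsigned short vhost_tpgt;
    unsigned short reserved;
};

/* Bytes between the end of the last named field and sizeof(type). */
#define TAIL_PAD(type, last) \
    (sizeof(type) - (offsetof(type, last) + sizeof(((type *)0)->last)))

size_t implicit_tail_pad(void) { return TAIL_PAD(struct target_implicit, vhost_tpgt); }
size_t explicit_tail_pad(void) { return TAIL_PAD(struct target_explicit, reserved); }

/* Hypothetical input check: reject a request whose reserved field is not zero. */
int check_reserved(const struct target_explicit *t) { return t->reserved ? -1 : 0; }

/*
 * Model of filling the structure field by field over memory that held other
 * data, then copying sizeof() bytes out. The first three fields sit at the
 * same offsets in both layouts. Returns how many stale bytes remain.
 */
size_t leaked_bytes(int explicit_layout)
{
    unsigned char buf[sizeof(struct target_explicit)];
    const int abi = 1;
    const unsigned short tpgt = 1, reserved = 0;
    char wwpn[TRANSPORT_IQN_LEN] = "naa.constructed-example";
    size_t i, n = 0;

    memset(buf, STALE, sizeof(buf));
    memcpy(buf + offsetof(struct target_explicit, abi_version), &abi, sizeof(abi));
    memcpy(buf + offsetof(struct target_explicit, vhost_wwpn), wwpn, sizeof(wwpn));
    memcpy(buf + offsetof(struct target_explicit, vhost_tpgt), &tpgt, sizeof(tpgt));
    if (explicit_layout)
        memcpy(buf + offsetof(struct target_explicit, reserved), &reserved, sizeof(reserved));
    for (i = 0; i < sizeof(buf); i++)
        n += (buf[i] == STALE);
    return n;
}

int main(void)
{
    printf("implicit: size %zu, tail padding %zu, stale bytes copied out %zu\n",
           sizeof(struct target_implicit), implicit_tail_pad(), leaked_bytes(0));
    printf("explicit: size %zu, tail padding %zu, stale bytes copied out %zu\n",
           sizeof(struct target_explicit), explicit_tail_pad(), leaked_bytes(1));
    return 0;
}
```

With the implicit layout there is no named field to zero or to validate, so the two tail bytes travel across the boundary with whatever the memory held before.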
18 Aug, 2012
1 commit
-
This patch fixes a regression bug with the handling of zero-length
data CDBs within transport_generic_new_cmd() code. The bug was introduced
with the following commit as part of the single task conversion work:

commit 4101f0a89d4eb13f04cb0344d59a335b862ca5f9
Author: Christoph Hellwig
Date: Tue Apr 24 00:25:03 2012 -0400

    target: always allocate a single task

where the zero-length check for SCF_SCSI_DATA_SG_IO_CDB was incorrectly
changed to SCF_SCSI_CONTROL_SG_IO_CDB because of the separate comment
in transport_generic_new_cmd() wrt to control CDBs zero-length handling
introduced in:

commit 91ec1d3535b2acf12c599045cc19ad9be3c6a47b
Author: Nicholas Bellinger
Date: Fri Jan 13 12:01:34 2012 -0800

    target: Add workaround for zero-length control CDB handling

So go ahead and change transport_generic_new_cmd() to handle control+data
zero-length CDBs in the same manner for this special case.

Tested with iscsi-target + loopback fabric port LUNs on 3.6-rc0 code.
This patch will also need to be picked up for 3.5-stable.
(hch: Add proper comment in transport_generic_new_cmd)
Cc: Christoph Hellwig
Cc: Roland Dreier
Cc: Andy Grover
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger
17 Aug, 2012
16 commits
-
This patch fixes a regression bug in pscsi_transport_complete() callback
code where *pt was being NULL dereferenced during REPORT_LUNS handling,
that was introduced with the spc/sbc refactoring in:

commit 1fd032ee10d2816c947f5d5b9abda95e728f0a8f
Author: Christoph Hellwig
Date: Sun May 20 11:59:15 2012 -0400

    target: move code for CDB emulation

As this is a special case for pscsi_parse_cdb() to call spc_parse_cdb() to
allow TCM to handle REPORT_LUN emulation, pscsi_plugin_task will have not
been allocated.

So now in pscsi_transport_complete() just check for existence of *pt and
return for this special case.

Reported-by: Alex Elsayed
Cc: Alex Elsayed
Cc: Christoph Hellwig
Signed-off-by: Nicholas Bellinger
-
This patch changes the vhost_scsi_target->vhost_wwpn[] type used
by VHOST_SCSI_* ioctls to 'char *' as requested by Blue Swirl in
order to match the latest QEMU vhost-scsi RFC-v3 userspace code.

Queuing this up into target-pending/master for a -rc3 PULL.

Reported-by: Blue Swirl
Cc: Michael S. Tsirkin
Cc: Stefan Hajnoczi
Cc: Paolo Bonzini
Signed-off-by: Nicholas Bellinger
-
I am hitting this bug when the target is low in memory that fails the
alloc_page() for the newly submitted command. This is a sort of off-by-one
bug causing NULL pointer dereference in __free_page() since 'i' here is
really the counter of total pages that have been successfully allocated here.

Signed-off-by: Yi Zou
Cc: Andy Grover
Cc: Nicholas Bellinger
Cc: Open-FCoE.org
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger
-
Stop doing a pile of work related to debugging messages when
the ft_debug_logging flag is not set. Use unlikely to add the
check in a way that the check can be inlined without inlining the
whole thing.

Signed-off-by: Mark Rustad
Signed-off-by: Nicholas Bellinger
-
This patch contains the post RFC-v5 (post-merge) changes, this includes:
- Add locking comment
- Move vhost_scsi_complete_cmd ahead of TFO callbacks in order to
drop forward declarations
- Drop extra '!= NULL' usage in vhost_scsi_complete_cmd_work()
- Change vhost_scsi_*_handle_kick() to use pr_debug
- Fix possible race in vhost_scsi_set_endpoint() for vs->vs_tpg checking
+ assignment.
- Convert tv_tpg->tpg_vhost_count + ->tv_tpg_port_count from atomic_t ->
int, and make sure reference is protected by ->tv_tpg_mutex.
- Drop unnecessary vhost_scsi->vhost_ref_cnt
- Add 'err:' label for exception path in vhost_scsi_clear_endpoint()
- Add enum for VQ numbers, add usage in vhost_scsi_open()
- Add vhost_scsi_flush() + vhost_scsi_flush_vq() following
drivers/vhost/net.c
- Add smp_wmb() + vhost_scsi_flush() call during vhost_scsi_set_features()
- Drop unnecessary copy_from_user() usage with GET_ABI_VERSION ioctl
- Add missing vhost_scsi_compat_ioctl() caller for vhost_scsi_fops
- Fix function parameter definition first line to follow existing
vhost code style
- Change 'vHost' usage -> 'vhost' in handful of locations
- Change -EPERM -> -EBUSY usage for two failures in tcm_vhost_drop_nexus()
- Add comment for tcm_vhost_workqueue in tcm_vhost_init()
- Make GET_ABI_VERSION return 'int' + add comment in tcm_vhost.h

Reported-by: Michael S. Tsirkin
Cc: Michael S. Tsirkin
Cc: Stefan Hajnoczi
Cc: Anthony Liguori
Cc: Zhi Yong Wu
Cc: Paolo Bonzini
Signed-off-by: Nicholas Bellinger
-
Fix up a new coccinelle warning reported by Fengguang Wu + Intel
0-DAY kernel build testing backend:

drivers/vhost/tcm_vhost.c:537:23-29: ERROR: allocation function on line
533 returns NULL not ERR_PTR on failure

vim +537 drivers/vhost/tcm_vhost.c

  534     if (!sg)
  535         return -ENOMEM;
  536     pr_debug("%s sg %p sgl_count %u is_err %ld\n", __func__,
> 537         sg, sgl_count, IS_ERR(sg));
  538     sg_init_table(sg, sgl_count);
  539
  540     tv_cmd->tvc_sgl = sg;

Signed-off-by: Fengguang Wu
Signed-off-by: Nicholas Bellinger
-
Following a report of a crash during an automount expire I found that
the locking in fs/autofs4/expire.c:get_next_positive_subdir() was wrong.
Not only is the locking wrong but the function is more complex than it
needs to be.

The function is meant to calculate (and dget) the next entry in the list
of directories contained in the root of an autofs mount point (an autofs
indirect mount to be precise). The main problem was that the d_lock of
the owner of the list was not being taken when walking the list, which
led to list corruption under load. The only other lock that needs to
be taken is against the next dentry candidate so it can be checked for
usability.

Signed-off-by: Ian Kent
Signed-off-by: Linus Torvalds
-
Pull VFIO fix from Alex Williamson:
"Just a trivial patch to include vfio.h in the installed headers so we
can complete userspace integration into QEMU."

* tag 'vfio-for-v3.6-rc1' of git://github.com/awilliam/linux-vfio:
vfio: Include vfio.h in installed headers
-
Pull fuse updates from Miklos Szeredi.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: verify all ioctl retry iov elements
fuse: add missing INIT flag descriptions
fuse: add missing INIT flags
fuse: update attributes on aio_read
fuse: invalidate inode mapping if mtime changes
fuse: add FUSE_AUTO_INVAL_DATA init flag
-
Pull Xen fix from Konrad Rzeszutek Wilk:
"Way back in v3.5 we added a mechanism to populate back pages that were
released (they overlapped with MMIO regions), but neglected to reserve
the proper amount of virtual space for extend_brk to work properly.

Coincidentally some other commit aligned the _brk space to larger area
so I didn't trigger this until it was run on a machine with more than
2GB of MMIO space."

* On machines with large MMIO/PCI E820 spaces we fail to boot b/c
we failed to pre-allocate large enough virtual space for extend_brk.

* tag 'stable/for-linus-3.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/p2m: Reserve 8MB of _brk space for P2M leafs when populating back.
-
Pull SuperH fixes from Paul Mundt.
* tag 'sh-for-linus' of git://github.com/pmundt/linux-sh:
sh: intc: Handle domain association for sparseirq pre-allocated vectors.
sh: sh7269: Fix LCD pinmux
sh: dma: fix request_irq usage
-
Moved to djbw@fb.com
Cc: Dave Jiang
Cc: Vinod Koul
Signed-off-by: Dan Williams
Signed-off-by: Linus Torvalds
-
When dumping "Code: " sections from an oops, the trapping instruction
%rip points to can be a string copy

    2b:* f3 a5 rep movsl %ds:(%rsi),%es:(%rdi)

and the line contains a bunch of ":". Current "cut" selects only the and
the second field output looks funnily overlaid this:

    2b:* f3 a5 rep movsl %ds

Cc: Linus Torvalds
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Borislav Petkov
Signed-off-by: Linus Torvalds
-
Pull two slave-dmaengine fixes from Vinod Koul:
"One fixes the correct use of clock API in imx driver and the other
enables clock for tegra driver, which is used for other tegra driver
conversion to dmaengine in -next."

* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
dma: tegra: enable/disable dma clock
dma: imx-dma: Fix kernel crash due to missing clock conversion
-
Pull more drm fixes from Dave Airlie:
"Just some intel and nouveau ones this time, intel has more edp panel
fixes for macbooks and nouveau has a suspend/resume regression fix in
there."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/i915: Apply post-sync write for pipe control invalidates
drm/i915: reorder edp disabling to fix ivb MacBook Air
drm/nv86/fifo: suspend fix
drm/nouveau: disable copy engine on NVAF
nouveau: fixup scanout enable in nvc0_pm
drm/nouveau/aux: mask off higher bits of auxch index in i2c table entry
drm/nvd0/disp: mask off high 16 bit of negative cursor x-coordinate
drm/i915: ensure i2c adapter is all set before adding it
drm/i915: ignore eDP bpc settings from vbt
drm/i915: Fix blank panel at reopening lid
drm/nve0/fifo: add support for the flip completion swmthd
16 Aug, 2012
1 commit
-
Pull two sparc fixes from David S. Miller.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Be less verbose during vmemmap population.
sparc64: do not clobber personality flags in sys_sparc64_personality()
15 Aug, 2012
3 commits
-
* 'drm-nouveau-fixes' of git://git.freedesktop.org/git/nouveau/linux-2.6:
drm/nv86/fifo: suspend fix
drm/nouveau: disable copy engine on NVAF
nouveau: fixup scanout enable in nvc0_pm
drm/nouveau/aux: mask off higher bits of auxch index in i2c table entry
drm/nvd0/disp: mask off high 16 bit of negative cursor x-coordinate
drm/nve0/fifo: add support for the flip completion swmthd
-
Daniel Vetter writes:
"A few important fixers:
- fix various lvds backlight issues, regressed in 3.6 (Takashi Iwai)
- make the retina mbp work (ignore bogus edp bpc value in vbt)
- fix a gmbus regression introduced in (iirc) 3.4 (Jani Nikula)
- fix an edp panel power sequence regression, fixes the new macbook air
- apply the tlb invalidate w/a

Otherwise we still have another gmbus regression (patches are awaiting
tested-bys) and there's something odd going with some rare systems not
entering rc6 often enough (and hence blowing through too much power). It
seems to be a timing-related issue and can be mitigated by frobbing the
magic tuning parameters. We're still working on that one. Also, we still
have some fallout from the hw context support, but you can only hit that
with mesa master."

* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
drm/i915: Apply post-sync write for pipe control invalidates
drm/i915: reorder edp disabling to fix ivb MacBook Air
drm/i915: ensure i2c adapter is all set before adding it
drm/i915: ignore eDP bpc settings from vbt
drm/i915: Fix blank panel at reopening lid
-
On a 2-node machine with 256GB of ram we get 512 lines of
console output, which is just too much.

This mimics Yinghai Lu's x86 commit c2b91e2eec9678dbda274e906cc32ea8f711da3b
(x86_64/mm: check and print vmemmap allocation continuous) except that
we aren't ever going to get contiguous block pointers in between calls
so just print when the virtual address or node changes.

This decreases the output by an order of 16.
Also demote this to KERN_DEBUG.
Signed-off-by: David S. Miller
14 Aug, 2012
9 commits
-
When invalidating the TLBs it is documented as requiring a post-sync
write. Failure to do so seems to result in a GPU hang.

Exposure to this hang on IVB seems to be a result of removing the extra
stalls required for SNB pipecontrol workarounds:

commit 6c6cf5aa9c583478b19e23149feaa92d01fb8c2d
Author: Chris Wilson
Date: Fri Jul 20 18:02:28 2012 +0100

    drm/i915: Only apply the SNB pipe control w/a to gen6

Note: Manually switch the pipe_control cmd to 4 dwords to avoid a
(silent) functional conflict with -next. This way will get a loud (but
conflict with next (since the scratch_addr has been deleted there).

Reported-and-tested-by: yex.tian@intel.com
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=53322
Acked-by: Ben Widawsky
Signed-off-by: Chris Wilson
[danvet: added note about merge conflict with -next.]
Signed-off-by: Daniel Vetter
-
eDP is tons of fun. It turns out that at least the new MacBook Air 5,1
model absolutely doesn't like the new force vdd dance we've introduced
in

commit 6cb49835da0426f69a2931bc2a0a8156344b0e41
Author: Daniel Vetter
Date: Sun May 20 17:14:50 2012 +0200

    drm/i915: enable vdd when switching off the eDP panel

But that patch also tried to fix some neat edp sequence issue with the
force_vdd timings. Closer inspection reveals that we've raised
force_vdd only to do the aux channel communication dp_sink_dpms. If we
move the edp_panel_off below that, we don't need any force_vdd for the
disable sequence, which makes the Air happy.

Unfortunately the reporter of the original bug that the above commit
fixed is travelling, so we can't test whether this regresses things.
But my theory is that since we don't check for any power-off ->
force_vdd-on delays in edp_panel_vdd_on, this was the actual
root-cause of this failure. With that force_vdd dance completely
eliminated, I'm hopeful the original bug stays fixed, too.

For reference the old bug, which hopefully doesn't get broken by this:
https://bugzilla.kernel.org/show_bug.cgi?id=43163
In any case, regression fixers win over plain bugfixes, so this needs
to go in asap.

v2: The crucial pieces seems to be to clear the force_vdd flag
unconditionally, too, in edp_panel_off. Looks like this is left behind
by the firmware somehow.

v3: The Apple firmware seems to switch off the panel on its own, hence
we still need to keep force_vdd on, but properly clear it when switching
the panel off.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=45671
Tested-by: Roberto Romer
Tested-by: Daniel Wagner
Tested-by: Keith Packard
Cc: stable@vger.kernel.org
Cc: Keith Packard
Signed-off-by: Daniel Vetter
-
Pull s390 patches from Martin Schwidefsky:
"Included are bug fixes and a patch to enable system call filtering
with BPF."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/compat: fix mmap compat system calls
s390/compat: fix compat wrappers for process_vm system calls
s390: do not clobber personality flags in sys_32_personality()
s390/seccomp: add support for system call filtering using BPF
s390/sclp_sdias: Add missing break and "fall through"
s390/mm: remove MAX_PHYSADDR_BITS define
-
Pull drm fixes from Dave Airlie:
"Radeon and intel fixes mostly, one fix to the mgag200 driver to not
hang on certain server variants."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (32 commits)
drm/radeon: fix typo in function header comment
drm/radeon/kms: implement timestamp userspace query (v2)
drm/radeon/kms: add MSAA texture support for r600-evergreen
drm/radeon/kms: reorder code in r600_check_texture_resource
drm/radeon: fence virtual address and free it once idle v4
drm/radeon: fix some missing parens in asic macros
drm/radeon: add some new SI pci ids
drm/radeon: fix ordering in pll picking on dce4+
drm/radeon: do not reenable crtc after moving vram start address
drm/radeon: fix bank tiling parameters on cayman
drm/radeon: fix bank tiling parameters on evergreen
drm/radeon: fix bank tiling parameters on SI
drm/radeon: properly handle crtc powergating
drm/radeon: properly handle SS overrides on TN (v2)
drm/radeon/dce4+: set a more reasonable cursor watermark
drm/radeon: fix handling for ddc type 5 on combios
drm/mgag200: fix G200ER pll picking algorithm
drm/edid: Fix potential memory leak in edid_load()
drm/udl: Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(.. [1]
drm/radeon/kms: allow "invalid" DB formats as a means to disable DB
...
-
Commit 7212157267 ("GPIO: gpio-pxa: fix devicetree functions") added an
"xlate" function pointer to the irq_domain_ops, but this function is not
declared or defined anywhere when CONFIG_OF is disabled, causing the
build error:

drivers/gpio/gpio-pxa.c:532:11: error: 'irq_domain_xlate_twocell' undeclared here (not in a function)

Extending the DT-only code section to cover the irq_domain_ops and the
pxa_gpio_dt_ids solves this problem and makes it clearer which code is
actually used without DT.

Signed-off-by: Arnd Bergmann
Signed-off-by: Linus Torvalds
-
This fix is a backport from the reworked nouveau driver. It masks off the
engines we're not expecting to use before attempting a channel kickoff.

Signed-off-by: Maxim Levitsky
Signed-off-by: Ben Skeggs
-
The copy engine exhibits random memory corruption in at least one case, the
GeForce 320M (nv50, 0xaf) in the MacBookAir3,1.

This patch omits creating the engine for the specific chipset, falling back
to M2MF, which kills the symptoms.

Signed-off-by: Henrik Rydberg
Signed-off-by: Ben Skeggs
-
Fixes screen being black after changing performance level.
Signed-off-by: Maarten Lankhorst
Cc: stable@vger.kernel.org [3.5+]
Signed-off-by: Ben Skeggs
-
At least partially fixes DP output detection on W530. Not sure if more
issues remain, or if my adaptor is just behaving weirdly (it does that
sometimes).

In any case, this patch is necessary.

Signed-off-by: Ben Skeggs