01 Jul, 2014
40 commits
-
commit 32d6b47fe6fc1714d5f1bba1b9f38e0ab0ad58a8 upstream.
If we fail to load a free space cache, we can rebuild it from the extent tree,
so it is not a serious error, we should not output a error message that
would make the users uncomfortable. This patch uses warning message instead
of it.Signed-off-by: Miao Xie
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman -
commit 5a1972bd9fd4b2fb1bac8b7a0b636d633d8717e3 upstream.
Btrfs will send uevent to udev inform the device change,
but ctime/mtime for the block device inode is not udpated, which cause
libblkid used by btrfs-progs unable to detect device change and use old
cache, causing 'btrfs dev scan; btrfs dev rmove; btrfs dev scan' give an
error message.Reported-by: Tsutomu Itoh
Cc: Karel Zak
Signed-off-by: Qu Wenruo
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman -
commit a1a50f60a6bf4f861eb94793420274bc1ccd409a upstream.
In a previous change, commit 12870f1c9b2de7d475d22e73fd7db1b418599725,
I accidentally moved the roundup of inode->i_size to outside of the
critical section delimited by the inode mutex, which is not atomic and
not correct since the size can be changed by other task before we acquire
the mutex. Therefore fix it.Signed-off-by: Filipe David Borba Manana
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman -
commit 7d78874273463a784759916fc3e0b4e2eb141c70 upstream.
We need to NULL the cached_state after freeing it, otherwise
we might free it again if find_delalloc_range doesn't find anything.Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman -
commit fc19c5e73645f95d3eca12b4e91e7b56faf1e4a4 upstream.
While running a stress test with multiple threads writing to the same btrfs
file system, I ended up with a situation where a leaf was corrupted in that
it had 2 file extent item keys that had the same exact key. I was able to
detect this quickly thanks to the following patch which triggers an assertion
as soon as a leaf is marked dirty if there are duplicated keys or out of order
keys:Btrfs: check if items are ordered when a leaf is marked dirty
(https://patchwork.kernel.org/patch/3955431/)Basically while running the test, I got the following in dmesg:
[28877.415877] WARNING: CPU: 2 PID: 10706 at fs/btrfs/file.c:553 btrfs_drop_extent_cache+0x435/0x440 [btrfs]()
(...)
[28877.415917] Call Trace:
[28877.415922] [] dump_stack+0x4e/0x68
[28877.415926] [] warn_slowpath_common+0x8c/0xc0
[28877.415929] [] warn_slowpath_null+0x1a/0x20
[28877.415944] [] btrfs_drop_extent_cache+0x435/0x440 [btrfs]
[28877.415949] [] ? kmem_cache_alloc+0xfe/0x1c0
[28877.415962] [] fill_holes+0x229/0x3e0 [btrfs]
[28877.415972] [] ? block_rsv_add_bytes+0x55/0x80 [btrfs]
[28877.415984] [] btrfs_fallocate+0xb6b/0xc20 [btrfs]
(...)
[29854.132560] BTRFS critical (device sdc): corrupt leaf, bad key order: block=955232256,root=1, slot=24
[29854.132565] BTRFS info (device sdc): leaf 955232256 total ptrs 40 free space 778
(...)
[29854.132637] item 23 key (3486 108 667648) itemoff 2694 itemsize 53
[29854.132638] extent data disk bytenr 14574411776 nr 286720
[29854.132639] extent data offset 0 nr 286720 ram 286720
[29854.132640] item 24 key (3486 108 954368) itemoff 2641 itemsize 53
[29854.132641] extent data disk bytenr 0 nr 0
[29854.132643] extent data offset 0 nr 0 ram 0
[29854.132644] item 25 key (3486 108 954368) itemoff 2588 itemsize 53
[29854.132645] extent data disk bytenr 8699670528 nr 77824
[29854.132646] extent data offset 0 nr 77824 ram 77824
[29854.132647] item 26 key (3486 108 1146880) itemoff 2535 itemsize 53
[29854.132648] extent data disk bytenr 8699670528 nr 77824
[29854.132649] extent data offset 0 nr 77824 ram 77824
(...)
[29854.132707] kernel BUG at fs/btrfs/ctree.h:3901!
(...)
[29854.132771] Call Trace:
[29854.132779] [] setup_items_for_insert+0x2dc/0x400 [btrfs]
[29854.132791] [] __btrfs_drop_extents+0xba7/0xdd0 [btrfs]
[29854.132794] [] ? trace_hardirqs_on_caller+0x16/0x1d0
[29854.132797] [] ? trace_hardirqs_on+0xd/0x10
[29854.132800] [] ? kmem_cache_alloc+0xfe/0x1c0
[29854.132810] [] insert_reserved_file_extent.constprop.66+0xab/0x310 [btrfs]
[29854.132820] [] __btrfs_prealloc_file_range+0x116/0x340 [btrfs]
[29854.132830] [] btrfs_prealloc_file_range+0x23/0x30 [btrfs]
(...)So this is caused by getting an -ENOSPC error while punching a file hole, more
specifically, we get -ENOSPC error from __btrfs_drop_extents in the while loop
of file.c:btrfs_punch_hole() when it's unable to modify the btree to delete one
or more file extent items due to lack of enough free space. When this happens,
in btrfs_punch_hole(), we attempt to reclaim free space by switching our transaction
block reservation object to root->fs_info->trans_block_rsv, end our transaction and
start a new transaction basically - and, we keep increasing our current offset
(cur_offset) as long as it's smaller than the end of the target range (lockend) -
this makes use leave the loop with cur_offset == drop_end which in turn makes us
call fill_holes() for inserting a file extent item that represents a 0 bytes range
hole (and this insertion succeeds, as in the meanwhile more space became available).This 0 bytes file hole extent item is a problem because any subsequent caller of
__btrfs_drop_extents (regular file writes, or fallocate calls for e.g.), with a
start file offset that is equal to the offset of the hole, will not remove this
extent item due to the following conditional in the while loop of
__btrfs_drop_extents:if (extent_end slots[0]++;
goto next_slot;
}This later makes the call to setup_items_for_insert() (at the very end of
__btrfs_drop_extents), insert a new file extent item with the same offset as
the 0 bytes file hole extent item that follows it. Needless is to say that this
causes chaos, either when reading the leaf from disk (btree_readpage_end_io_hook),
where we perform leaf sanity checks or in subsequent operations that manipulate
file extent items, as in the fallocate call as shown by the dmesg trace above.Without my other patch to perform the leaf sanity checks once a leaf is marked
as dirty (if the integrity checker is enabled), it would have been much harder
to debug this issue.This change might fix a few similar issues reported by users in the mailing
list regarding assertion failures in btrfs_set_item_key_safe calls performed
by __btrfs_drop_extents, such as the following report:http://comments.gmane.org/gmane.comp.file-systems.btrfs/32938
Asking fill_holes() to create a 0 bytes wide file hole item also produced the
first warning in the trace above, as we passed a range to btrfs_drop_extent_cache
that has an end smaller (by -1) than its start.On 3.14 kernels this issue manifests itself through leaf corruption, as we get
duplicated file extent item keys in a leaf when calling setup_items_for_insert(),
but on older kernels, setup_items_for_insert() isn't called by __btrfs_drop_extents(),
instead we have callers of __btrfs_drop_extents(), namely the functions
inode.c:insert_inline_extent() and inode.c:insert_reserved_file_extent(), calling
btrfs_insert_empty_item() to insert the new file extent item, which would fail with
error -EEXIST, instead of inserting a duplicated key - which is still a serious
issue as it would make all similar file extent item replace operations keep
failing if they target the same file range.Signed-off-by: Filipe David Borba Manana
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman -
commit 663a962151593c69374776e8651238d0da072459 upstream.
Signed-off-by: Pavel Shilovsky
Reviewed-by: Shirish Pargaonkar
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman -
commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream.
A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
aio_read_events_ring() failed to correctly limit the index into
ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
an arbitrary page with a copy_to_user() to copy the contents into userspace.
This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
Petr for disclosing this issue.This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
Signed-off-by: Benjamin LaHaise
Cc: Mateusz Guzik
Cc: Petr Matousek
Cc: Kent Overstreet
Cc: Jeff Moyer
Signed-off-by: Greg Kroah-Hartman -
commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream.
The aio cleanups and optimizations by kmo that were merged into the 3.10
tree added a regression for userspace event reaping. Specifically, the
reference counts are not decremented if the event is reaped in userspace,
leading to the application being unable to submit further aio requests.
This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
This issue was uncovered as part of CVE-2014-0206.Signed-off-by: Benjamin LaHaise
Cc: Kent Overstreet
Cc: Mateusz Guzik
Cc: Petr Matousek
Signed-off-by: Greg Kroah-Hartman -
commit 1e77d0a1ed7417d2a5a52a7b8d32aea1833faa6c upstream.
Till reported that the spurious interrupt detection of threaded
interrupts is broken in two ways:- note_interrupt() is called for each action thread of a shared
interrupt line. That's wrong as we are only interested whether none
of the device drivers felt responsible for the interrupt, but by
calling multiple times for a single interrupt line we account
IRQ_NONE even if one of the drivers felt responsible.- note_interrupt() when called from the thread handler is not
serialized. That leaves the members of irq_desc which are used for
the spurious detection unprotected.To solve this we need to defer the spurious detection of a threaded
interrupt to the next hardware interrupt context where we have
implicit serialization.If note_interrupt is called with action_ret == IRQ_WAKE_THREAD, we
check whether the previous interrupt requested a deferred check. If
not, we request a deferred check for the next hardware interrupt and
return.If set, we check whether one of the interrupt threads signaled
success. Depending on this information we feed the result into the
spurious detector.If one primary handler of a shared interrupt returns IRQ_HANDLED we
disable the deferred check of irq threads on the same line, as we have
found at least one device driver who cared.Reported-by: Till Straumann
Signed-off-by: Thomas Gleixner
Tested-by: Austin Schuh
Cc: Oliver Hartkopp
Cc: Wolfgang Grandegger
Cc: Pavel Pisa
Cc: Marc Kleine-Budde
Cc: linux-can@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1303071450130.22263@ionos
Signed-off-by: Greg Kroah-Hartman -
commit 68986c9f0f4552c34c248501eb0c690553866d6e upstream.
This reverts commit e1edf18b20076da83dd231dbd2146cbbc31c0b14.
This patch was a misguided attempt at fixing offb for LE ppc64
kernels on BE qemu but is just wrong ... it breaks real LE/LE
setups, LE with real HW, and existing mixed endian systems
that did the fight thing with the appropriate device-tree
property. Bad reviewing on my part, sorry.The right fix is to either make qemu change its endian when
the guest changes endian (working on that) or to use the
existing foreign endian support.Signed-off-by: Benjamin Herrenschmidt
Signed-off-by: Greg Kroah-Hartman -
commit 0690a229c69f40a6c9c459ab455c85df49822525 upstream.
This caused reduced performance for some users with advanced post
processing enabled. We need a better method to pick the
UVD state based on the amount of post processing required or tune
the advanced post processing to fit within the lower power state
envelope.This reverts commit 14a9579ddbf15dd1992a9481a4ec80b0b91656d5.
Signed-off-by: Greg Kroah-Hartman
-
commit 7fd44dacdd803c0bbf38bf478d51d280902bb0f1 upstream.
The io_setup takes a pointer to a context id of type aio_context_t.
This in turn is typed to a __kernel_ulong_t. We could tweak the
exported headers to define this as a 64bit quantity for specific
ABIs, but since we already have a 32bit compat shim for the x86 ABI,
let's just re-use that logic. The libaio package is also written to
expect this as a pointer type, so a compat shim would simplify that.The io_submit func operates on an array of pointers to iocb structs.
Padding out the array to be 64bit aligned is a huge pain, so convert
it over to the existing compat shim too.We don't convert io_getevents to the compat func as its only purpose
is to handle the timespec struct, and the x32 ABI uses 64bit times.With this change, the libaio package can now pass its testsuite when
built for the x32 ABI.Signed-off-by: Mike Frysinger
Link: http://lkml.kernel.org/r/1399250595-5005-1-git-send-email-vapier@gentoo.org
Cc: H.J. Lu
Signed-off-by: H. Peter Anvin
Signed-off-by: Greg Kroah-Hartman -
commit 246f2d2ee1d715e1077fc47d61c394569c8ee692 upstream.
It is not safe to use LAR to filter when to go down the espfix path,
because the LDT is per-process (rather than per-thread) and another
thread might change the descriptors behind our back. Fortunately it
is always *safe* (if a bit slow) to go down the espfix path, and a
32-bit LDT stack segment is extremely rare.Signed-off-by: H. Peter Anvin
Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com
Signed-off-by: Greg Kroah-Hartman -
commit e3a920afc3482e954834a4ed95908c4bc5e4c000 upstream.
This should be a plain old '&' and could easily lead to undefined
behaviour if the target of a pmd_mknotpresent invocation was the same
as the parameter.Fixes: 9c7e535fcc17 (arm64: mm: Route pmd thp functions through pte equivalents)
Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Greg Kroah-Hartman -
commit f3a183cb422574014538017b5b291a416396f97e upstream.
Arm64 does not define dma_get_required_mask() function.
Therefore, it should not define the ARCH_HAS_DMA_GET_REQUIRED_MASK.
This causes build errors in some device drivers (e.g. mpt2sas)Signed-off-by: Suravee Suthikulpanit
Signed-off-by: Catalin Marinas
Signed-off-by: Greg Kroah-Hartman -
commit 34c65c43f1518bf85f93526ad373adc6a683b4c5 upstream.
Whilst native arm64 applications don't have the 16-bit UID/GID syscalls
wired up, compat tasks can still access them. The 16-bit wrappers for
these syscalls use __kernel_old_uid_t and __kernel_old_gid_t, which must
be 16-bit data types to maintain compatibility with the 16-bit UIDs used
by compat applications.This patch defines 16-bit __kernel_old_{gid,uid}_t types for arm64
instead of using the 32-bit types provided by asm-generic.Signed-off-by: Will Deacon
Acked-by: Arnd Bergmann
Signed-off-by: Catalin Marinas
Signed-off-by: Greg Kroah-Hartman -
commit e47043aea3853a74a9aa5726a1faa916d7462ab7 upstream.
The OpenBlocks AX3-4 has a non-DT bootloader. It also comes with 1GB of
soldered on RAM, and a DIMM slot for expansion.Unfortunately, atags_to_fdt() doesn't work in big-endian mode, so we see
the following failure when attempting to boot a big-endian kernel:686 slab pages
17 pages shared
0 pages swap cached
[ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name
Kernel panic - not syncing: Out of memory and no killable processes...CPU: 1 PID: 351 Comm: kworker/u4:0 Not tainted 3.15.0-rc8-next-20140603 #1
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0x78/0x94)
[] (dump_stack) from [] (panic+0x90/0x21c)
[] (panic) from [] (out_of_memory+0x320/0x340)
[] (out_of_memory) from [] (__alloc_pages_nodemask+0x874/0x930)
[] (__alloc_pages_nodemask) from [] (handle_mm_fault+0x744/0x96c)
[] (handle_mm_fault) from [] (__get_user_pages+0xd0/0x4c0)
[] (__get_user_pages) from [] (get_arg_page+0x54/0xbc)
[] (get_arg_page) from [] (copy_strings+0x278/0x29c)
[] (copy_strings) from [] (copy_strings_kernel+0x20/0x28)
[] (copy_strings_kernel) from [] (do_execve+0x3a8/0x4c8)
[] (do_execve) from [] (____call_usermodehelper+0x15c/0x194)
[] (____call_usermodehelper) from [] (ret_from_fork+0x14/0x3c)
CPU0: stopping
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.15.0-rc8-next-20140603 #1
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0x78/0x94)
[] (dump_stack) from [] (handle_IPI+0x138/0x174)
[] (handle_IPI) from [] (armada_370_xp_handle_irq+0xb0/0xcc)
[] (armada_370_xp_handle_irq) from [] (__irq_svc+0x40/0x50)
Exception stack(0xc0b6bf68 to 0xc0b6bfb0)
bf60: e9fad598 00000000 00f509a3 00000000 c0b6a000 c0b724c4
bf80: c0b72458 c0b6a000 00000000 00000000 c0b66da0 c0b6a000 00000000 c0b6bfb0
bfa0: c027bb94 c027bb24 60000313 ffffffff
[] (__irq_svc) from [] (cpu_startup_entry+0x54/0x214)
[] (cpu_startup_entry) from [] (start_kernel+0x318/0x37c)
[] (start_kernel) from [] (0x208078)
---[ end Kernel panic - not syncing: Out of memory and no killable processes...A similar failure will also occur if ARM_ATAG_DTB_COMPAT isn't selected.
Fix this by setting a sane default (1 GB) in the dts file.
Signed-off-by: Jason Cooper
Tested-by: Kevin Hilman
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman -
commit 2aea39eca6b68d6ae7eb545332df0695f56a3d3f upstream.
If f2fs_write_data_page is called through the reclaim path, we should submit
the bio right away.This patch resolves the following issue that Marc Dietrich reported.
"It took me a while to bisect a problem which causes my ARM (tegra2) netbook to
frequently stall for 5-10 seconds when I enable EXA acceleration (opentegra
experimental ddx)."
And this patch fixes that.Reported-by: Marc Dietrich
Signed-off-by: Jaegeuk Kim
Signed-off-by: Greg Kroah-Hartman -
commit e2a4f55c6498b59a17a85a1bb6db122a993ffe02 upstream.
In various areas of the code, it is assumed that
se_cmd->data_length describes pure data. In case
that protection information exists over the wire
(protect bits is are on) the target core re-calculates
the data length from the CDB and the backed device
block size (instead of each transport peeking in the cdb).Modify loopback device to include protection information
in the transferred data length (like other scsi transports).Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit d77e65350f2d82dfa0557707d505711f5a43c8fd upstream.
In case protection information exists over the wire
iscsi header data length is required to include it.
Use protection information aware scsi helpers to set
the correct transfer length.In order to avoid breakage, remove iser transfer length
checks for each task as they are not always true and
somewhat redundant anyway.Signed-off-by: Sagi Grimberg
Reviewed-by: Mike Christie
Acked-by: Mike Christie
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 8846bab180fa2bcfe02d4ba5288fbaba12c8f4f3 upstream.
In case protection information exists on the wire
scsi transports should include it in the transfer
byte count (even if protection information does not
exist in the host memory space). This helper will
compute the total transfer length from the scsi
command data length and protection attributes.Signed-off-by: Sagi Grimberg
Signed-off-by: Martin K. Petersen
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 2426bd456a61407388b6e61fc5f98dbcbebc50e2 upstream.
When an initiator sends an allocation length bigger than what its
command consumes, the target should only return the actual response data
and set the residual length to the unused part of the allocation length.Add a helper function that command handlers (INQUIRY, READ CAPACITY,
etc) can use to do this correctly, and use this code to get the correct
residual for commands that don't use the full initiator allocation in the
handlers for READ CAPACITY, READ CAPACITY(16), INQUIRY, MODE SENSE and
REPORT LUNS.This addresses a handful of failures as reported by Christophe with
the Windows Certification Kit:http://permalink.gmane.org/gmane.linux.scsi.target.devel/6515
Signed-off-by: Roland Dreier
Tested-by: Christophe Vu-Brugier
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 22c7aaa57e80853b4904a46c18f97db0036a3b97 upstream.
In case the transport is iser we should not include the
iscsi target info in the sendtargets text response pdu.
This causes sendtargets response to include the target
info twice.Modify iscsit_build_sendtargets_response to filter
transport types that don't match.Signed-off-by: Sagi Grimberg
Reported-by: Slava Shwartsman
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit e0546fc1ba66c90cb38a5764357366267d3e58e4 upstream.
In case the discovery session is carried over iser, we can't
access the assumed network portal since the default portal is
used. In this case we don't really need to allocate the fastreg
pool, just prepare to the text pdu that will follow.Signed-off-by: Sagi Grimberg
Reported-by: Alex Tabachnik
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit bbc050488525e1ab1194c27355f63c66814385b8 upstream.
This patch fixes a iscsi_queue_req memory leak when ABORT_TASK response
has been queued by TFO->queue_tm_rsp() -> lio_queue_tm_rsp() after a
long standing I/O completes, but the connection has already reset and
waiting for cleanup to complete in iscsit_release_commands_from_conn()
-> transport_generic_free_cmd() -> transport_wait_for_tasks() code.It moves iscsit_free_queue_reqs_for_conn() after the per-connection command
list has been released, so that the associated se_cmd tag can be completed +
released by target-core before freeing any remaining iscsi_queue_req memory
for the connection generated by lio_queue_tm_rsp().Cc: Thomas Glanzmann
Cc: Charalampos Pournaris
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit a95d6511303b848da45ee27b35018bb58087bdc6 upstream.
This patch fixes a bug where multiple waiters on ->t_transport_stop_comp
occurs due to a concurrent ABORT_TASK and session reset both invoking
transport_wait_for_tasks(), while waiting for the associated se_cmd
descriptor backend processing to complete.For this case, complete_all() should be invoked in order to wake up
both waiters in core_tmr_abort_task() + transport_generic_free_cmd()
process contexts.Cc: Thomas Glanzmann
Cc: Charalampos Pournaris
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit f15e9cd910c4d9da7de43f2181f362082fc45f0f upstream.
This patch fixes a bug where se_cmd descriptors associated with a
Task Management Request (TMR) where not setting CMD_T_ACTIVE before
being dispatched into target_tmr_work() process context.This is required in order for transport_generic_free_cmd() ->
transport_wait_for_tasks() to wait on se_cmd->t_transport_stop_comp
if a session reset event occurs while an ABORT_TASK is outstanding
waiting for another I/O to complete.Cc: Thomas Glanzmann
Cc: Charalampos Pournaris
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 5f80ff8eccba50832dcc640ac89add4c7fced963 upstream.
In case user chose to set T10-PI enable on the target while
the IB device does not support it, gracefully reject the request.Reported-by: Slava Shwartsman
Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit f5ebec9629cf78eeeea4b8258882a9f439ab2404 upstream.
disconnected_handler works are scheduled on system_wq.
When attempting to unload, first make sure all works
have cleaned up.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 88c4015fda6d014392f76d3b1688347950d7a12d upstream.
There are 4 RDMA_CM events that all basically mean that
the user should teardown the IB connection:
- DISCONNECTED
- ADDR_CHANGE
- DEVICE_REMOVAL
- TIMEWAIT_EXITOnly in DISCONNECTED/ADDR_CHANGE it makes sense to
call rdma_disconnect (send DREQ/DREP to our initiator).
So we keep the same teardown handler for all of them
but only indicate calling rdma_disconnect for the relevant
events.This patch also removes redundant debug prints for each single
event.v2 changes:
- Call isert_disconnected_handler() for DEVICE_REMOVAL (Or + Sag)Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit 9d49f5e284e700576f3b65f1e28dea8539da6661 upstream.
In ungraceful teardowns isert close flows seem racy such that
isert_wait_conn hangs as RDMA_CM_EVENT_DISCONNECTED never
gets invoked (no one called rdma_disconnect).Both graceful and ungraceful teardowns will have rx flush errors
(isert posts a batch once connection is established). Once all
flush errors are consumed we invoke isert_wait_conn and it will
be responsible for calling rdma_disconnect. This way it can be
sure that rdma_disconnect was called and it won't wait forever.This patch also removes the logout_posted indicator. either the
logout completion was consumed and no problem decrementing the
post_send_buf_count, or it was consumed as a flush error. no point
of keeping it for isert_wait_conn as there is no danger that
isert_conn will be accidentally removed while it is running.(Drop unnecessary sleep_on_conn_wait_comp check in
isert_cq_rx_comp_err - nab)Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit e346ab343f4f58c12a96725c7b13df9cc2ad56f6 upstream.
In case np_thread state is in RESET/SHUTDOWN/EXIT states,
no point for isert to stall there as we may get a hang in
case no one will wake it up later.Signed-off-by: Sagi Grimberg
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman -
commit f3fb0b58c85666f73139963a7a04d7878f3d22c9 upstream.
When checking whether a legacy link key provides at least HIGH security
level we also need to check for FIPS level which is one step above HIGH.
This patch fixes a missing check in the hci_link_key_request_evt()
function.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman -
commit 79897d2097a629179e142014ecd3cdce6eac7f0e upstream.
Due to recent changes to the way that the MITM requirement is set for
outgoing pairing attempts we can no longer rely on the hcon->auth_type
variable (which is actually good since it was formed from BR/EDR
concepts that don't really exist for SMP).To match the logic that BR/EDR now uses simply rely on the local IO
capability and/or needed security level to set the MITM requirement for
outgoing pairing requests.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman -
commit 7e3691e13ab51f3491e996e2edaf99b173621288 upstream.
When checking whether we need to request authentication or not we should
include HCI_SECURITY_FIPS to the levels that always need authentication.
This patch fixes check for it in the hci_outgoing_auth_needed()
function.Signed-off-by: Johan Hedberg
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman -
commit 8a96f3cd22878fc0bb564a8478a6e17c0b8dca73 upstream.
-[0x01 Introduction
We have found a programming error causing a deadlock in Bluetooth subsystem
of Linux kernel. The problem is caused by missing release_sock() call when
L2CAP connection creation fails due full accept queue.The issue can be reproduced with 3.15-rc5 kernel and is also present in
earlier kernels.-[0x02 Details
The problem occurs when multiple L2CAP connections are created to a PSM which
contains listening socket (like SDP) and left pending, for example,
configuration (the underlying ACL link is not disconnected between
connections).When L2CAP connection request is received and listening socket is found the
l2cap_sock_new_connection_cb() function (net/bluetooth/l2cap_sock.c) is called.
This function locks the 'parent' socket and then checks if the accept queue
is full.1178 lock_sock(parent);
1179
1180 /* Check for backlog size */
1181 if (sk_acceptq_is_full(parent)) {
1182 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1183 return NULL;
1184 }If case the accept queue is full NULL is returned, but the 'parent' socket
is not released. Thus when next L2CAP connection request is received the code
blocks on lock_sock() since the parent is still locked.Also note that for connections already established and waiting for
configuration to complete a timeout will occur and l2cap_chan_timeout()
(net/bluetooth/l2cap_core.c) will be called. All threads calling this
function will also be blocked waiting for the channel mutex since the thread
which is waiting on lock_sock() alread holds the channel mutex.We were able to reproduce this by sending continuously L2CAP connection
request followed by disconnection request containing invalid CID. This left
the created connections pending configuration.After the deadlock occurs it is impossible to kill bluetoothd, btmon will not
get any more data etc. requiring reboot to recover.-[0x03 Fix
Releasing the 'parent' socket when l2cap_sock_new_connection_cb() returns NULL
seems to fix the issue.Signed-off-by: Jukka Taimisto
Reported-by: Tommi Mäkilä
Signed-off-by: Johan Hedberg
Signed-off-by: Greg Kroah-Hartman -
commit 62bbd5b35994eaf30519f126765d7f6af9cd3526 upstream.
The universal/local bit handling was incorrectly done in the code.
So when setting EUI address from BD address we do this:
- If BD address type is PUBLIC, then we clear the universal bit
in EUI address. If the address type is RANDOM, then the universal
bit is set (BT 6lowpan draft chapter 3.2.2)
- After this we invert the universal/local bit according to RFC 2464When figuring out BD address we do the reverse:
- Take EUI address from stateless IPv6 address, invert the
universal/local bit according to RFC 2464
- If universal bit is 1 in this modified EUI address, then address
type is set to RANDOM, otherwise it is PUBLICNote that 6lowpan_iphc.[ch] does the final toggling of U/L bit
before sending or receiving the network packet.Signed-off-by: Jukka Rissanen
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman -
commit da64c27d3c93ee9f89956b9de86c4127eb244494 upstream.
LDISCs shouldn't call tty->ops->write() from within
->write_wakeup().->write_wakeup() is called with port lock taken and
IRQs disabled, tty->ops->write() will try to acquire
the same port lock and we will deadlock.Acked-by: Marcel Holtmann
Reviewed-by: Peter Hurley
Reported-by: Huang Shijie
Signed-off-by: Felipe Balbi
Tested-by: Andreas Bießmann
Signed-off-by: Greg Kroah-Hartman -
commit 086abb58590a4df73e8a6ed71fd418826937cd46 upstream.
In of_init_opp_table function, if a failure to add an OPP is
detected, the count of OPPs, yet to be added is not updated.
Fix this by decrementing this count on failure as well.Signed-off-by: Chander Kashyap
Signed-off-by: Inderpal Singh
Acked-by: Viresh Kumar
Acked-by: Nishanth Menon
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Greg Kroah-Hartman -
commit 2e091d13e65d26f21159323b95b426e5bc42670c upstream.
Fixes: commit 0611c41934ab35ce84dea34ab291897ad3cbc7be
ARM: OMAP2+: gpmc: update gpmc_hwecc_bch_capable() for new platforms and ECC schemesThough the commit log of above commit mentions AM43xx platforms, but code change
missed AM43xx. This patch adds AM43xx to list of those SoC which have built-in
ELM hardware engine, so that BCH ecc-schemes with hardware error-correction can
be enabled on AM43xx devices.Reported-by: Roger Quadros
Signed-off-by: Pekon Gupta
Signed-off-by: Tony Lindgren
Signed-off-by: Greg Kroah-Hartman