Skip to content

cloud-kernel
cloud-kernel

bug2833 / cloud-kernel
与 Fork 源项目一致

Fork自 openanolis / cloud-kernel

通知 1
Star 0
Fork 0
cloud-kernel
cloud-kernel

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 12 1月, 2008 6 次提交
  3. 10 1月, 2008 1 次提交
    • F
      [SCSI] qla1280: fix 32 bit segment code · 3a43e69c
      FUJITA Tomonori 提交于 
      There's an error remaining in the 32 bit descriptor code after the
conversion to dma accessors:  req_cnt is left uninitialised.

qla1280_32bit_start_scsi gives the following warnings:

drivers/scsi/qla1280.c: In function 'qla1280_32bit_start_scsi':
drivers/scsi/qla1280.c:3044: warning: unused variable 'dma_handle'
drivers/scsi/qla1280.c: In function 'qla1280_queuecommand':
drivers/scsi/qla1280.c:3060: warning: 'req_cnt' is used uninitialized in this function
drivers/scsi/qla1280.c:3042: note: 'req_cnt' was declared here
Signed-off-by: NFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      3a43e69c
  5. 07 1月, 2008 1 次提交
    • L
      Revert "scsi: revert "[SCSI] Get rid of scsi_cmnd->done"" · 7b3d9545
      Linus Torvalds 提交于 
      This reverts commit ac40532e, which gets
us back the original cleanup of 6f5391c2.

It turns out that the bug that was triggered by that commit was
apparently not actually triggered by that commit at all, and just the
testing conditions had changed enough to make it appear to be due to it.

The real problem seems to have been found by Peter Osterlund:

  "pktcdvd sets it [block device size] when opening the /dev/pktcdvd
   device, but when the drive is later opened as /dev/scd0, there is
   nothing that sets it back.  (Btw, 40944 is possible if the disk is a
   CDRW that was formatted with "cdrwtool -m 10236".)

   The problem is that pktcdvd opens the cd device in non-blocking mode
   when pktsetup is run, and doesn't close it again until pktsetup -d is
   run.  The effect is that if you meanwhile open the cd device,
   blkdev.c:do_open() doesn't call bd_set_size() because
   bdev->bd_openers is non-zero."

In particular, to repeat the bug (regardless of whether commit
6f5391c2 is applied or not):

  " 1. Start with an empty drive.
    2. pktsetup 0 /dev/scd0
    3. Insert a CD containing an isofs filesystem.
    4. mount /dev/pktcdvd/0 /mnt/tmp
    5. umount /mnt/tmp
    6. Press the eject button.
    7. Insert a DVD containing a non-writable filesystem.
    8. mount /dev/scd0 /mnt/tmp
    9. find /mnt/tmp -type f -print0 | xargs -0 sha1sum >/dev/null
    10. If the DVD contains data beyond the physical size of a CD, you
        get I/O errors in the terminal, and dmesg reports lots of
        "attempt to access beyond end of device" errors."

which in turn is because the nested open after the media change won't
cause the size to be set properly (because the original open still holds
the block device, and we only do the bd_set_size() when we don't have
other people holding the device open).

The proper fix for that is probably to just do something like

	bdev->bd_inode->i_size = (loff_t)get_capacity(disk)<<9;

in fs/block_dev.c:do_open() even for the cases where we're not the
original opener (but *not* call bd_set_size(), since that will also
change the block size of the device).

Cc: Peter Osterlund <petero2@telia.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Matthew Wilcox <matthew@wil.cx>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7b3d9545
  7. 05 1月, 2008 1 次提交
  9. 03 1月, 2008 2 次提交
  11. 19 12月, 2007 6 次提交
  13. 13 12月, 2007 1 次提交
  15. 11 12月, 2007 2 次提交
  17. 30 11月, 2007 1 次提交
  19. 28 11月, 2007 1 次提交
  21. 25 11月, 2007 1 次提交
    • J
      [SCSI] NCR5380: Fix bugs and canonicalize irq handler usage · 1e641664
      Jeff Garzik 提交于 
      * Always pass the same value to free_irq() that we pass to
  request_irq().  This fixes several bugs.

* Always call NCR5380_intr() with 'irq' and 'dev_id' arguments.

  Note, scsi_falcon_intr() is the only case now where dev_id is not the
  scsi_host.

* Always pass Scsi_Host to request_irq().  For most cases, the drivers
  already did so, and I merely neated the source code line.  In other
  cases, either NULL or a non-sensical value was passed, verified to be
  unused, then changed to be Scsi_Host in anticipation of the future.

In addition to the bugs fixes, this change makes the interface usage
consistent, which in turn enables the possibility of directly
referencing Scsi_Host from all NCR5380_intr() invocations.
Signed-off-by: NJeff Garzik <jgarzik@redhat.com>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      1e641664
  23. 15 11月, 2007 4 次提交
    • A
      aic94xx_sds: rename FLASH_SIZE · d297a5d5
      Andrew Morton 提交于 
      arm:

drivers/scsi/aic94xx/aic94xx_sds.c:381:1: warning: "FLASH_SIZE" redefined
In file included from include/asm/arch/irqs.h:22,
                 from include/asm/irq.h:4,
                 from include/asm/hardirq.h:6,
                 from include/linux/hardirq.h:7,
                 from include/asm-generic/local.h:5,
                 from include/asm/local.h:1,
                 from include/linux/module.h:19,
                 from include/linux/device.h:21,
                 from include/linux/pci.h:52,
                 from drivers/scsi/aic94xx/aic94xx_sds.c:28:
include/asm/arch/platform.h:444:1: warning: this is the location of the previous definition

Cc: Gilbert Wu <gilbert_wu@adaptec.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d297a5d5
    • J
      [SCSI] qla1280: convert to use the data buffer accessors · 5c1da582
      Jes Sorensen 提交于 
      - remove the unnecessary map_single path.
- convert to use the new accessors for the sg lists and the parameters.

Fixed to missing initialization of sg lists before calling
for_each_sg() by Jes Sorensen - sg list needs to be initialized before
trying to pull the elements out of it.
Signed-off-by: NFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: NJes Sorensen <jes@sgi.com>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      5c1da582
    • T
      [SCSI] iscsi: return data transfer residual for data-out commands · 6ee6a2f0
      Tony Battersby 提交于 
      Currently, the iSCSI driver returns the data transfer residual for
data-in commands (e.g. read) but not data-out commands (e.g. write).
This patch makes it return the data transfer residual for both types of
commands.
Signed-off-by: NTony Battersby <tonyb@cybernetics.com>
Signed-off-by: NMike Christie <michaelc@cs.wisc.edu>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      6ee6a2f0
    • T
      [SCSI] iscsi_tcp: fix potential lockup with write commands · 505f76b3
      Tony Battersby 提交于 
      There is a race condition in iscsi_tcp.c that may cause it to forget
that it received a R2T from the target.  This race may cause a data-out
command (such as a write) to lock up.  The race occurs here:

static int
iscsi_send_unsol_pdu(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
{
	struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
	int rc;

	if (tcp_ctask->xmstate & XMSTATE_UNS_HDR) {
		BUG_ON(!ctask->unsol_count);
		tcp_ctask->xmstate &= ~XMSTATE_UNS_HDR; <---- RACE
		...

static int
iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
{
	...
	tcp_ctask->xmstate |= XMSTATE_SOL_HDR_INIT; <---- RACE
	...

While iscsi_xmitworker() (called from scsi_queue_work()) is preparing to
send unsolicited data, iscsi_tcp_data_recv() (called from
tcp_read_sock()) interrupts it upon receipt of a R2T from the target.
Both contexts do read-modify-write of tcp_ctask->xmstate.  Usually, gcc
on x86 will make &= and |= atomic on UP (not guaranteed of course), but
in this case iscsi_send_unsol_pdu() reads the value of xmstate before
clearing the bit, which causes gcc to read xmstate into a CPU register,
test it, clear the bit, and then store it back to memory.  If the recv
interrupt happens during this sequence, then the XMSTATE_SOL_HDR_INIT
bit set by the recv interrupt will be lost, and the R2T will be
forgotten.

The patch below (against 2.6.24-rc1) converts accesses of xmstate to use
set_bit, clear_bit, and test_bit instead of |= and &=.  I have tested
this patch and verified that it fixes the problem.  Another possible
approach would be to hold a lock during most of the rx/tx setup and
post-processing, and drop the lock only for the actual rx/tx.
Signed-off-by: NTony Battersby <tonyb@cybernetics.com>
Signed-off-by: NMike Christie <michaelc@cs.wisc.edu>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      505f76b3
  25. 12 11月, 2007 1 次提交
    • A
      [SCSI] aacraid: fix security weakness · 5f78e89b
      Alan Cox 提交于 
      Actually there are several but one is trivially fixed

1.	FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list
but needs to
2.	Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB
3.	It is possible to construct an attack via the SRB ioctls where
the user obtains assorted elevated privileges. Various approaches are
possible, the trivial ones being things like writing to the raw media
via scsi commands and the swap image of other executing programs with
higher privileges.

So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating
ones. This is a bandaid fix for #3 but probably the ioctls should grow
their own capable checks. The other two bugs need someone competent in that
driver to fix them.
Signed-off-by: NAlan Cox <alan@redhat.com>
Acked-by: NMark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
      5f78e89b
  27. 08 11月, 2007 3 次提交
  29. 06 11月, 2007 1 次提交
  31. 04 11月, 2007 3 次提交
  33. 02 11月, 2007 1 次提交
    • J
      [SG] Get rid of __sg_mark_end() · c46f2334
      Jens Axboe 提交于 
      sg_mark_end() overwrites the page_link information, but all users want
__sg_mark_end() behaviour where we just set the end bit. That is the most
natural way to use the sg list, since you'll fill it in and then mark the
end point.

So change sg_mark_end() to only set the termination bit. Add a sg_magic
debug check as well, and clear a chain pointer if it is set.
Signed-off-by: NJens Axboe <jens.axboe@oracle.com>
      c46f2334
  35. 31 10月, 2007 2 次提交
  37. 29 10月, 2007 2 次提交