1. 30 3月, 2017 5 次提交
    • X
      tcmu: Fix possible overwrite of t_data_sg's last iov[] · ab22d260
      Xiubo Li 提交于
      If there has BIDI data, its first iov[] will overwrite the last
      iov[] for se_cmd->t_data_sg.
      
      To fix this, we can just increase the iov pointer, but this may
      introuduce a new memory leakage bug: If the se_cmd->data_length
      and se_cmd->t_bidi_data_sg->length are all not aligned up to the
      DATA_BLOCK_SIZE, the actual length needed maybe larger than just
      sum of them.
      
      So, this could be avoided by rounding all the data lengthes up
      to DATA_BLOCK_SIZE.
      Reviewed-by: NMike Christie <mchristi@redhat.com>
      Tested-by: NIlias Tsitsimpis <iliastsi@arrikto.com>
      Reviewed-by: NBryant G. Ly <bryantly@linux.vnet.ibm.com>
      Signed-off-by: NXiubo Li <lixiubo@cmss.chinamobile.com>
      Cc: stable@vger.kernel.org # 3.18+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      ab22d260
    • N
      target: Avoid mappedlun symlink creation during lun shutdown · 49cb77e2
      Nicholas Bellinger 提交于
      This patch closes a race between se_lun deletion during configfs
      unlink in target_fabric_port_unlink() -> core_dev_del_lun()
      -> core_tpg_remove_lun(), when transport_clear_lun_ref() blocks
      waiting for percpu_ref RCU grace period to finish, but a new
      NodeACL mappedlun is added before the RCU grace period has
      completed.
      
      This can happen in target_fabric_mappedlun_link() because it
      only checks for se_lun->lun_se_dev, which is not cleared until
      after transport_clear_lun_ref() percpu_ref RCU grace period
      finishes.
      
      This bug originally manifested as NULL pointer dereference
      OOPsen in target_stat_scsi_att_intr_port_show_attr_dev() on
      v4.1.y code, because it dereferences lun->lun_se_dev without
      a explicit NULL pointer check.
      
      In post v4.1 code with target-core RCU conversion, the code
      in target_stat_scsi_att_intr_port_show_attr_dev() no longer
      uses se_lun->lun_se_dev, but the same race still exists.
      
      To address the bug, go ahead and set se_lun>lun_shutdown as
      early as possible in core_tpg_remove_lun(), and ensure new
      NodeACL mappedlun creation in target_fabric_mappedlun_link()
      fails during se_lun shutdown.
      Reported-by: NJames Shen <jcs@datera.io>
      Cc: James Shen <jcs@datera.io>
      Tested-by: NJames Shen <jcs@datera.io>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      49cb77e2
    • N
      iscsi-target: Fix TMR reference leak during session shutdown · efb2ea77
      Nicholas Bellinger 提交于
      This patch fixes a iscsi-target specific TMR reference leak
      during session shutdown, that could occur when a TMR was
      quiesced before the hand-off back to iscsi-target code
      via transport_cmd_check_stop_to_fabric().
      
      The reference leak happens because iscsit_free_cmd() was
      incorrectly skipping the final target_put_sess_cmd() for
      TMRs when transport_generic_free_cmd() returned zero because
      the se_cmd->cmd_kref did not reach zero, due to the missing
      se_cmd assignment in original code.
      
      The result was iscsi_cmd and it's associated se_cmd memory
      would be freed once se_sess->sess_cmd_map where released,
      but the associated se_tmr_req was leaked and remained part
      of se_device->dev_tmr_list.
      
      This bug would manfiest itself as kernel paging request
      OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req
      attempted to dereference it's se_cmd pointer that had
      already been released during normal session shutdown.
      
      To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD
      and ISCSI_OP_SCSI_TMFUNC the same when there is an extra
      se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use
      op_scsi to signal __iscsit_free_cmd() when the former
      needs to clear any further iscsi related I/O state.
      Reported-by: NRob Millner <rlm@daterainc.com>
      Cc: Rob Millner <rlm@daterainc.com>
      Reported-by: NChu Yuan Lin <cyl@datera.io>
      Cc: Chu Yuan Lin <cyl@datera.io>
      Tested-by: NChu Yuan Lin <cyl@datera.io>
      Cc: stable@vger.kernel.org # 3.10+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      efb2ea77
    • M
      usb: gadget: Correct usb EP argument for BOT status request · afea03fc
      Manish Narani 提交于
      This patch corrects the argument in usb_ep_free_request as it is
      mistakenly set to ep_out. It should be ep_in for status request.
      Signed-off-by: NManish Narani <mnarani@xilinx.com>
      Acked-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      afea03fc
    • N
      tcmu: Allow cmd_time_out to be set to zero (disabled) · 740372b7
      Nicholas Bellinger 提交于
      The new cmd_time_out configfs attribute for TCMU is allowed to
      be disabled, so go ahead and drop the tcmu_cmd_time_out_store()
      check.
      Reported-by: NMike Christie <mchristi@redhat.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      740372b7
  2. 19 3月, 2017 26 次提交
  3. 08 3月, 2017 2 次提交
    • M
      target: Fix VERIFY_16 handling in sbc_parse_cdb · 13603685
      Max Lohrmann 提交于
      As reported by Max, the Windows 2008 R2 chkdsk utility expects
      VERIFY_16 to be supported, and does not handle the returned
      CHECK_CONDITION properly, resulting in an infinite loop.
      
      The kernel will log huge amounts of this error:
      
      kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
      CHECK_CONDITION.
      Signed-off-by: NMax Lohrmann <post@wickenrode.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      13603685
    • N
      target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export · a04e54f2
      Nicholas Bellinger 提交于
      The following fixes a divide by zero OOPs with TYPE_TAPE
      due to pscsi_tape_read_blocksize() failing causing a zero
      sd->sector_size being propigated up via dev_attrib.hw_block_size.
      
      It also fixes another long-standing bug where TYPE_TAPE and
      TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
      which does not call scsi_device_get() to take the device
      reference.  Instead, rename pscsi_create_type_rom() to
      pscsi_create_type_nondisk() and use it for all cases.
      
      Finally, also drop a dump_stack() in pscsi_get_blocks() for
      non TYPE_DISK, which in modern target-core can get invoked
      via target_sense_desc_format() during CHECK_CONDITION.
      Reported-by: NMalcolm Haak <insanemal@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      a04e54f2
  4. 06 3月, 2017 1 次提交
  5. 05 3月, 2017 5 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8d70eeb8
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix double-free in batman-adv, from Sven Eckelmann.
      
       2) Fix packet stats for fast-RX path, from Joannes Berg.
      
       3) Netfilter's ip_route_me_harder() doesn't handle request sockets
          properly, fix from Florian Westphal.
      
       4) Fix sendmsg deadlock in rxrpc, from David Howells.
      
       5) Add missing RCU locking to transport hashtable scan, from Xin Long.
      
       6) Fix potential packet loss in mlxsw driver, from Ido Schimmel.
      
       7) Fix race in NAPI handling between poll handlers and busy polling,
          from Eric Dumazet.
      
       8) TX path in vxlan and geneve need proper RCU locking, from Jakub
          Kicinski.
      
       9) SYN processing in DCCP and TCP need to disable BH, from Eric
          Dumazet.
      
      10) Properly handle net_enable_timestamp() being invoked from IRQ
          context, also from Eric Dumazet.
      
      11) Fix crash on device-tree systems in xgene driver, from Alban Bedel.
      
      12) Do not call sk_free() on a locked socket, from Arnaldo Carvalho de
          Melo.
      
      13) Fix use-after-free in netvsc driver, from Dexuan Cui.
      
      14) Fix max MTU setting in bonding driver, from WANG Cong.
      
      15) xen-netback hash table can be allocated from softirq context, so use
          GFP_ATOMIC. From Anoob Soman.
      
      16) Fix MAC address change bug in bgmac driver, from Hari Vyas.
      
      17) strparser needs to destroy strp_wq on module exit, from WANG Cong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
        strparser: destroy workqueue on module exit
        sfc: fix IPID endianness in TSOv2
        sfc: avoid max() in array size
        rds: remove unnecessary returned value check
        rxrpc: Fix potential NULL-pointer exception
        nfp: correct DMA direction in XDP DMA sync
        nfp: don't tell FW about the reserved buffer space
        net: ethernet: bgmac: mac address change bug
        net: ethernet: bgmac: init sequence bug
        xen-netback: don't vfree() queues under spinlock
        xen-netback: keep a local pointer for vif in backend_disconnect()
        netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails
        netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
        netfilter: nf_conntrack_sip: fix wrong memory initialisation
        can: flexcan: fix typo in comment
        can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
        can: gs_usb: fix coding style
        can: gs_usb: Don't use stack memory for USB transfers
        ixgbe: Limit use of 2K buffers on architectures with 256B or larger cache lines
        ixgbe: update the rss key on h/w, when ethtool ask for it
        ...
      8d70eeb8
    • L
      Merge tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2d62e076
      Linus Torvalds 提交于
      Pull more KVM updates from Radim Krčmář:
       "Second batch of KVM changes for the 4.11 merge window:
      
        PPC:
         - correct assumption about ASDR on POWER9
         - fix MMIO emulation on POWER9
      
        x86:
         - add a simple test for ioperm
         - cleanup TSS (going through KVM tree as the whole undertaking was
           caused by VMX's use of TSS)
         - fix nVMX interrupt delivery
         - fix some performance counters in the guest
      
        ... and two cleanup patches"
      
      * tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: nVMX: Fix pending events injection
        x86/kvm/vmx: remove unused variable in segment_base()
        selftests/x86: Add a basic selftest for ioperm
        x86/asm: Tidy up TSS limit code
        kvm: convert kvm.users_count from atomic_t to refcount_t
        KVM: x86: never specify a sample period for virtualized in_tx_cp counters
        KVM: PPC: Book3S HV: Don't use ASDR for real-mode HPT faults on POWER9
        KVM: PPC: Book3S HV: Fix software walk of guest process page tables
      2d62e076
    • L
      Merge tag 'docs-4.11-fixes' of git://git.lwn.net/linux · be834aaf
      Linus Torvalds 提交于
      Pull documentation fixes from Jonathan Corbet:
       "A few fixes for the docs tree, including one for a 4.11 build
        regression"
      
      * tag 'docs-4.11-fixes' of git://git.lwn.net/linux:
        Documentation/sphinx: fix primary_domain configuration
        docs: Fix htmldocs build failure
        doc/ko_KR/memory-barriers: Update control-dependencies section
        pcieaer doc: update the link
        Documentation: Update path to sysrq.txt
      be834aaf
    • L
      Merge tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 91aff98b
      Linus Torvalds 提交于
      Pull staging/IIO driver fixes from Greg KH:
       "Here are a few small staging and IIO driver fixes for issues that
        showed up after the big set if changes you merged last week.
      
        Nothing major, just small bugs resolved in some IIO drivers, a lustre
        allocation fix, and some RaspberryPi driver fixes for reported
        problems, as well as a MAINTAINERS entry update.
      
        All of these have been in linux-next for a week with no reported
        issues"
      
      * tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: fsl-mc: fix warning in DT ranges parser
        MAINTAINERS: Remove Noralf Trønnes as fbtft maintainer
        staging: vchiq_2835_arm: Make cache-line-size a required DT property
        staging: bcm2835/mmal-vchiq: unlock on error in buffer_from_host()
        staging/lustre/lnet: Fix allocation size for sv_cpt_data
        iio: adc: xilinx: Fix error handling
        iio: 104-quad-8: Fix off-by-one error when addressing flag register
        iio: adc: handle unknow of_device_id data
      91aff98b
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 33a8b3e9
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
      
       - vmalloc stack regression in CCM
      
       - Build problem in CRC32 on ARM
      
       - Memory leak in cavium
      
       - Missing Kconfig dependencies in atmel and mediatek
      
       - XTS Regression on some platforms (s390 and ppc)
      
       - Memory overrun in CCM test vector
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: vmx - Use skcipher for xts fallback
        crypto: vmx - Use skcipher for cbc fallback
        crypto: testmgr - Pad aes_ccm_enc_tv_template vector
        crypto: arm/crc32 - add build time test for CRC instruction support
        crypto: arm/crc32 - fix build error with outdated binutils
        crypto: ccm - move cbcmac input off the stack
        crypto: xts - Propagate NEED_FALLBACK bit
        crypto: api - Add crypto_requires_off helper
        crypto: atmel - CRYPTO_DEV_MEDIATEK should depend on HAS_DMA
        crypto: atmel - CRYPTO_DEV_ATMEL_TDES and CRYPTO_DEV_ATMEL_SHA should depend on HAS_DMA
        crypto: cavium - fix leak on curr if curr->head fails to be allocated
        crypto: cavium - Fix couple of static checker errors
      33a8b3e9
  6. 04 3月, 2017 1 次提交