<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/drivers/scsi, branch v2.6.29.3</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/drivers/scsi?h=v2.6.29.3</id>
<link rel='self' href='https://git.amat.us/linux/atom/drivers/scsi?h=v2.6.29.3'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2009-04-27T17:37:02Z</updated>
<entry>
<title>SCSI: sg: fix q-&gt;queue_lock on scsi_error_handler path</title>
<updated>2009-04-27T17:37:02Z</updated>
<author>
<name>FUJITA Tomonori</name>
<email>fujita.tomonori@lab.ntt.co.jp</email>
</author>
<published>2009-04-06T20:55:06Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=43fce3f341cbe7c6d7a58699655b954bb4f7689c'/>
<id>urn:sha1:43fce3f341cbe7c6d7a58699655b954bb4f7689c</id>
<content type='text'>
upstream commit: 015640edb1f346e0b2eda703587c4cd1c310ec1d

sg_rq_end_io() is called via rq-&gt;end_io. In some rare cases,
sg_rq_end_io calls blk_put_request/blk_rq_unmap_user (when a program
issuing a command has gone before the command completion; e.g. by
interrupting a program issuing a command before the command
completes).

We can't call blk_put_request/blk_rq_unmap_user in interrupt so the
commit c96952ed7031e7c576ecf90cf95b8ec099d5295a uses
execute_in_process_context().

The problem is that scsi_error_handler() calls rq-&gt;end_io too. We
can't call blk_put_request/blk_rq_unmap_user too in this path (we hold
q-&gt;queue_lock).

To avoid the above problem, in these rare cases, this patch always
uses schedule_work() instead of execute_in_process_context().

Signed-off-by: FUJITA Tomonori &lt;fujita.tomonori@lab.ntt.co.jp&gt;
Acked-by: Douglas Gilbert &lt;dgilbert@interlog.com&gt;
Cc: Stable Tree &lt;stable@kernel.org&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: sg: avoid blk_put_request/blk_rq_unmap_user in interrupt</title>
<updated>2009-04-27T17:37:02Z</updated>
<author>
<name>FUJITA Tomonori</name>
<email>fujita.tomonori@lab.ntt.co.jp</email>
</author>
<published>2009-02-04T02:36:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=74c646d9ca31798ec2bf862f5b7e1737b543d066'/>
<id>urn:sha1:74c646d9ca31798ec2bf862f5b7e1737b543d066</id>
<content type='text'>
upstream commit: c96952ed7031e7c576ecf90cf95b8ec099d5295a

This fixes the following oops:

http://marc.info/?l=linux-kernel&amp;m=123316111415677&amp;w=2

You can reproduce this bug by interrupting a program before a sg
response completes. This leads to the special sg state (the orphan
state), then sg calls blk_put_request in interrupt (rq-&gt;end_io).

The above bug report shows the recursive lock problem because sg calls
blk_put_request in interrupt. We could call __blk_put_request here
instead however we also need to handle blk_rq_unmap_user here, which
can't be called in interrupt too.

In the orphan state, we don't need to care about the data transfer
(the program revoked the command) so adding 'just free the resource'
mode to blk_rq_unmap_user is a possible option.

I prefer to avoid complicating the blk mapping API when possible. I
change the orphan state to call sg_finish_rem_req via
execute_in_process_context. We hold sg_fd-&gt;kref so sg_fd doesn't go
away until keventd_wq finishes our work. copy_from_user/to_user fails
so blk_rq_unmap_user just frees the resource without the data
transfer.

Signed-off-by: FUJITA Tomonori &lt;fujita.tomonori@lab.ntt.co.jp&gt;
Acked-by: Douglas Gilbert &lt;dgilbert@interlog.com&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: sg: fix races with ioctl(SG_IO)</title>
<updated>2009-04-27T17:37:02Z</updated>
<author>
<name>Tony Battersby</name>
<email>tonyb@cybernetics.com</email>
</author>
<published>2009-01-20T22:00:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d4845ceede8c4087233198d2847b788a4e6f65b5'/>
<id>urn:sha1:d4845ceede8c4087233198d2847b788a4e6f65b5</id>
<content type='text'>
upstream commit: a2dd3b4cea335713b58996bb07b3abcde1175f47

sg_io_owned needs to be set before the command is sent to the midlevel;
otherwise, a quickly-completing command may cause a different CPU
to see "srp-&gt;done == 1 &amp;&amp; !srp-&gt;sg_io_owned", which would lead to
incorrect behavior.

Check srp-&gt;done and set srp-&gt;orphan while holding rq_list_lock to
prevent races with sg_rq_end_io().

There is no need to check sfp-&gt;closed from read/write/ioctl/poll/etc.
since the kernel guarantees that this won't happen.

The usefulness of sg_srp_done() was questionable before; now it is
definitely not needed.

Signed-off-by: Tony Battersby &lt;tonyb@cybernetics.com&gt;
Acked-by: Douglas Gilbert &lt;dgilbert@interlog.com&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: sg: fix races during device removal</title>
<updated>2009-04-27T17:37:02Z</updated>
<author>
<name>Tony Battersby</name>
<email>tonyb@cybernetics.com</email>
</author>
<published>2009-01-21T19:45:50Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b21c6d2897cd455fa396f4041a0c8165784e949f'/>
<id>urn:sha1:b21c6d2897cd455fa396f4041a0c8165784e949f</id>
<content type='text'>
upstream commit: c6517b7942fad663cc1cf3235cbe4207cf769332

sg has the following problems related to device removal:

* opening a sg fd races with removing a device
* closing a sg fd races with removing a device
* /proc/scsi/sg/* access races with removing a device
* command completion races with removing a device
* command completion races with closing a sg fd
* can rmmod sg with active commands

These problems can cause kernel oopses, memory-use-after-free, or
double-free errors.  This patch fixes these problems by using krefs
to manage the lifetime of sg_device and sg_fd.

Each command submitted to the midlevel holds a reference to sg_fd
until the completion callback.  This ensures that sg_fd doesn't go
away if the fd is closed with commands still outstanding.

sg_fd gets the reference of sg_device (with scsi_device) and also
makes sure that the sg module doesn't go away.

/proc/scsi/sg/* functions don't play nicely with krefs because they
give information about sg_fds which have been closed but not yet
freed due to still having outstanding commands and sg_devices which
have been removed but not yet freed due to still being referenced
by one or more sg_fds.  To deal with this safely without removing
functionality, /proc functions now access sg_device and sg_fd while
holding a lock instead of using kref_get()/kref_put().

Signed-off-by: Tony Battersby &lt;tonyb@cybernetics.com&gt;
Acked-by: Douglas Gilbert &lt;dgilbert@interlog.com&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
[chrisw: big for -stable, helps fix real bug, and made it through rc2 upstream]
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: libiscsi: fix iscsi pool error path</title>
<updated>2009-04-27T17:36:59Z</updated>
<author>
<name>Jean Delvare</name>
<email>jdelvare@suse.de</email>
</author>
<published>2009-04-01T18:11:29Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b76d2b612cd5c0c6fb82340f9ec241ca75b942f9'/>
<id>urn:sha1:b76d2b612cd5c0c6fb82340f9ec241ca75b942f9</id>
<content type='text'>
upstream commit: fd6e1c14b73dbab89cb76af895d5612e4a8b5522

On Monday 30 March 2009, Chris Wright wrote:
&gt; q-&gt;queue could be ERR_PTR(-ENOMEM) which will break unwinding
&gt; on error.  Make iscsi_pool_free more defensive.
&gt;

Making the freeing of q-&gt;queue dependent on q-&gt;pool being set looks
really weird (although it is correct at the moment). But this seems
to be fixable in a much simpler way.

With the benefit that only the error case is slowed down. In both
cases we have a problem if q-&gt;queue contains an error value but it's
not -ENOMEM. Apparently this can't happen today, but it doesn't feel
right to assume this will always be true. Maybe it's the right time
to fix this as well.

Signed-off-by: Mike Christie &lt;michaelc@cs.wisc.edu&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
[chrisw: this is a fixlet to f474a37b, also in -stable]
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: libiscsi: fix iscsi pool error path</title>
<updated>2009-04-27T17:36:59Z</updated>
<author>
<name>Jean Delvare</name>
<email>jdelvare@suse.de</email>
</author>
<published>2009-03-05T20:45:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=10b9c3cd8848919561d16570759c0146988cb8d5'/>
<id>urn:sha1:10b9c3cd8848919561d16570759c0146988cb8d5</id>
<content type='text'>
upstream commit: f474a37bc48667595b5653a983b635c95ed82a3b

Memory freeing in iscsi_pool_free() looks wrong to me. Either q-&gt;pool
can be NULL and this should be tested before dereferencing it, or it
can't be NULL and it shouldn't be tested at all. As far as I can see,
the only case where q-&gt;pool is NULL is on early error in
iscsi_pool_init(). One possible way to fix the bug is thus to not
call iscsi_pool_free() in this case (nothing needs to be freed anyway)
and then we can get rid of the q-&gt;pool check.

Signed-off-by: Jean Delvare &lt;jdelvare@suse.de&gt;
Signed-off-by: Mike Christie &lt;michaelc@cs.wisc.edu&gt;
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>SCSI: sg: fix iovec bugs introduced by the block layer conversion</title>
<updated>2009-04-27T17:36:53Z</updated>
<author>
<name>FUJITA Tomonori</name>
<email>fujita.tomonori@lab.ntt.co.jp</email>
</author>
<published>2009-04-06T20:55:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=517f1a189b6c263965774adaf523adefa74c6778'/>
<id>urn:sha1:517f1a189b6c263965774adaf523adefa74c6778</id>
<content type='text'>
upstream commit: 0fdf96b67ac2649cc1ddb29b316a0db11586c6a8

- needs to use copy_from_user for iovec before passing it to
blk_rq_map_user_iov().

- before the block layer conversion, if -&gt;dxfer_len and the sum of iovec
disagree, the shorter one wins. However, currently sg returns
-EINVAL. This restores the old behavior.

Signed-off-by: FUJITA Tomonori &lt;fujita.tomonori@lab.ntt.co.jp&gt;
Acked-by: Douglas Gilbert &lt;dgilbert@interlog.com&gt;
Cc: stable@kernel.org
Signed-off-by: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>ARM: cumana: Fix a long standing bogon</title>
<updated>2009-04-02T20:55:18Z</updated>
<author>
<name>Alan Cox</name>
<email>alan@lxorguk.ukuu.org.uk</email>
</author>
<published>2009-03-23T10:37:57Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=86046cf121d09c4513f1c79c8726a761777988f0'/>
<id>urn:sha1:86046cf121d09c4513f1c79c8726a761777988f0</id>
<content type='text'>
upstream commit: ecbf61e7357d5c7047c813edd6983902d158688c

Should be using strncmp as the data from user space may be unterminated

(Bug #8004)

Signed-off-by: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Signed-off-by: Russell King &lt;rmk+kernel@arm.linux.org.uk&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6</title>
<updated>2009-03-14T19:01:37Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2009-03-14T19:01:37Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=228b5b7e840f79c8751614ae2b83e97e361634ce'/>
<id>urn:sha1:228b5b7e840f79c8751614ae2b83e97e361634ce</id>
<content type='text'>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: (31 commits)
  [SCSI] qla2xxx: Update version number to 8.03.00-k4.
  [SCSI] qla2xxx: Correct overwrite of pre-assigned init-control-block structure size.
  [SCSI] qla2xxx: Correct truncation in return-code status checking.
  [SCSI] qla2xxx: Correct vport delete bug.
  [SCSI] qla2xxx: Use correct value for max vport in LOOP topology.
  [SCSI] qla2xxx: Correct address range checking for option-rom updates.
  [SCSI] fcoe: Change fcoe receive thread nice value from 19 (lowest priority) to -20
  [SCSI] fcoe: fix handling of pending queue, prevent out of order frames (v3)
  [SCSI] fcoe: Out of order tx frames was causing several check condition SCSI status
  [SCSI] fcoe: fix kfree(skb)
  [SCSI] fcoe: ETH_P_8021Q is already in if_ether and fcoe is not using it anyway
  [SCSI] libfc: do not change the fh_rx_id of a recevied frame
  [SCSI] fcoe: Correct fcoe_transports initialization vs. registration
  [SCSI] fcoe: Use setup_timer() and mod_timer()
  [SCSI] libfc, fcoe: Remove unnecessary cast by removing inline wrapper
  [SCSI] libfc, fcoe: Cleanup function formatting and minor typos
  [SCSI] libfc, fcoe: Fix kerneldoc comments
  [SCSI] libfc: Cleanup libfc_function_template comments
  [SCSI] libfc: check for err when recv and state is incorrect
  [SCSI] libfc: rename rp to rdata in fc_disc_new_target()
  ...
</content>
</entry>
<entry>
<title>parisc: fix dev_printk() compile warnings for accessing a device struct</title>
<updated>2009-03-13T05:18:14Z</updated>
<author>
<name>Helge Deller</name>
<email>deller@gmx.de</email>
</author>
<published>2009-01-13T20:14:51Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7f384ce780c6091968fc848b14f17b45cb849e14'/>
<id>urn:sha1:7f384ce780c6091968fc848b14f17b45cb849e14</id>
<content type='text'>
Fix compile warnings:
drivers/scsi/zalon.c: In function `zalon_probe':
drivers/scsi/zalon.c:140: warning: passing arg 1 of `dev_driver_string' from incompatible pointer type
drivers/scsi/zalon.c:140: warning: passing arg 1 of `dev_name' from incompatible pointer type

Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Kyle McMartin &lt;kyle@mcmartin.ca&gt;
</content>
</entry>
</feed>
