| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
We do use rcu to protect the pid pointer. Mark it as such and
adopt all code to use the proper access methods.
This was detected by sparse.
"virt/kvm/kvm_main.c:2248:15: error: incompatible types in comparison
expression (different address spaces)"
Signed-off-by: Christian Borntraeger <[email protected]>
Reviewed-by: Paolo Bonzini <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says:
====================
pull-request: mac80211 2017-07-07
Just got a set of fixes in from Jouni/QCA, all netlink validation
fixes. I assume they ran some kind of checker, but I don't know what
kind :)
Please pull and let me know if there's any problem.
====================
Signed-off-by: David S. Miller <[email protected]>
|
|
A number of irqchip implementations are (ab)using the irqdomain allocator
by passing a fwnode that is neither a FWNODE_OF or a FWNODE_IRQCHIP.
This is pretty bad, but it also feels pretty crap to force these drivers to
allocate their own irqchip_fwid when they already have a proper fwnode.
Instead, let's teach the irqdomain allocator about ACPI device nodes, and
add some lovely name generation code... Tested on an arm64 D05 system.
Reported-and-tested-by: John Garry <[email protected]>
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Cc: Agustin Vega-Frias <[email protected]>
Cc: Ma Jun <[email protected]>
Cc: Hanjun Guo <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
|
|
validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
Validate size of each attribute before parsing to avoid potential buffer
overread.
Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Cc: [email protected]
Signed-off-by: Srinivas Dasari <[email protected]>
Signed-off-by: Jouni Malinen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
|
|
Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.
Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: [email protected]
Signed-off-by: Srinivas Dasari <[email protected]>
Signed-off-by: Jouni Malinen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
|
|
nla policy checks for only maximum length of the attribute data when the
attribute type is NLA_BINARY. If userspace sends less data than
specified, cfg80211 may access illegal memory. When type is NLA_UNSPEC,
nla policy check ensures that userspace sends minimum specified length
number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_NAN_FUNC_SERVICE_ID to make these NLA_UNSPEC and to make sure
minimum NL80211_NAN_FUNC_SERVICE_ID_LEN bytes are received from
userspace with NL80211_NAN_FUNC_SERVICE_ID.
Fixes: a442b761b24 ("cfg80211: add add_nan_func / del_nan_func")
Cc: [email protected]
Signed-off-by: Srinivas Dasari <[email protected]>
Signed-off-by: Jouni Malinen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
|
|
nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.
Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Cc: [email protected]
Signed-off-by: Srinivas Dasari <[email protected]>
Signed-off-by: Jouni Malinen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
|
|
* might_fault() is better checked in caller (and e.g. fault-in + kmap_atomic
codepath also needs might_fault() coverage)
* we have already done object size checks
* we have *NOT* done access_ok() recently enough; we rely upon the
iovec array having passed sanity checks back when it had been created
and not nothing having buggered it since. However, that's very much
non-local, so we'd better recheck that.
So the thing we want does not match anything in uaccess - we need
access_ok + kasan checks + raw copy without any zeroing. Just define
such helpers and use them here.
Signed-off-by: Al Viro <[email protected]>
|
|
Also use correct function name spelling (stub_segv_handler) for better grepping
Signed-off-by: Thomas Meyer <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
|
|
Signed-off-by: Thomas Meyer <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
|
|
Signed-off-by: Thomas Meyer <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
|
|
When ptrace fails to set GP/FP regs for the target process,
log the error before crashing the UML kernel.
Signed-off-by: Thomas Meyer <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
|
|
If this memory allocation fails, we should go through the error handling
path as done everywhere else in this function before returning.
Signed-off-by: Christophe JAILLET <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
nfp_flower_metadata_cleanup() is defined but never invoked,
not calling it will cause us to leak mask and statistics
queue memory on the host.
Fixes: 43f84b72c50d ("nfp: add metadata to each flow offload")
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
debugfs_remove() can be called with a NULL pointer.
Fixes: 087cdfb662ae5 ("genirq/debugfs: Add proper debugfs interface")
Reported-by: Fengguang Wu <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
|
|
TYPE_ZBC host managed zoned block devices are also block devices
despite the non-standard device type (14h). Handle them similarly to
regular TYPE_DISK devices.
Signed-off-by: Damien Le Moal <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Add WRITE_VERIFY_32 definition to scsi prototypes and use this macro
definition isntead of the hard coded value.
(Drop WRITE_VERIFY_16 that's already part of another patch - nab)
Signed-off-by: Damien Le Moal <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
If the scsi status was not SAM_STAT_GOOD or there was no transport
sense, we would ignore the scsi status and do a generic not ready
LUN communication failure check condition failure.
The problem is that LUN COMM failure is treated as a hard error
sometimes and will cause apps to get IO errors instead of the OS's SCSI
layer retrying. For example, the tcmu daemon will return SAM_STAT_QUEUE_FULL
when memory runs low and can still make progress but wants the initiator to
reduce the work load. Windows will fail this error directly the app
instead of retrying.
This patch is based on Nick's "target/iblock: Use -EAGAIN/-ENOMEM to
propigate SAM BUSY/TASK_SET_FULL" patch here:
http://comments.gmane.org/gmane.linux.scsi.target.devel/11301
but instead of only setting SAM_STAT_GOOD, SAM_STAT_TASK_SET_FULL
and SAM_STAT_BUSY as success, it sets all non check condition status
as success so they are passed back to the initiator, so passthrough
type backends can return all SCSI status codes. Since only passthrough
uses this, I was not sure if we wanted to add checks for non-passthrough
and specific codes.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
transport_complete is no longer used, so drop the code.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This patch performs the pscsi_transport_complete operations from
pscsi_req_done. It looks like the only difference the transport_complete
callout provides is that it is called under t_state_lock which seems to
only be needed for the SCF_TRANSPORT_TASK_SENSE bit handling. We can
now use transport_copy_sense_to_cmd to handle the se_cmd sense bits, and
we can then drop the code where we have to copy the request info to
the pscsi_plugin_task for transport_complete use.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
We were just copying the sense to the cmd sense_buffer and
did not implement a transport_complete or set the
SCF_TRANSPORT_TASK_SENSE, so the sense was ignored.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This adds a helper to copy sense from backend module buffer to
the se_cmd's sense buffer.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
tcmu needs to pass raw sense to target_complete_cmd, but a a
transport_complete callout is akward to implement for it.
This moves the check for SCF_TRANSPORT_TASK_SENSE so any backend
can pass sense.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Variables device_mutex and device_list static are local to the source,
so make them static.
Cleans up sparse warnings:
"symbol 'device_list' was not declared. Should it be static?"
"symbol 'device_mutex' was not declared. Should it be static?"
Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
When feeding the tcmu's cmd ring, we need to flush the dcache page
for the cmd entry to make sure these kernel stores are visible to
user space mappings of that page.
For the none PAD cmd entry, this will be flushed at the end of the
tcmu_queue_cmd_ring().
Signed-off-by: Xiubo Li <[email protected]>
Reviewed-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
If the uio device is open and closed multiple times, the
kref count will be off due to tcmu_release getting called
multiple times for each close. This patch integrates
Wenji Tang's patch to add a kref_get on open that now
matches the kref_put done on tcmu_release and adds
a kref_put in tcmu_destroy_device to match the kref_get
done in succesful tcmu_configure_device calls.
Signed-off-by: Mike Christie <[email protected]>
Cc: Wenji Tang <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
destroy_device is only called if we have successfully run
configure_device, so drop the duplicate tcmu_dev_configured check.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
g_device_list is no longer needed because we now use the idr code
for lookups and seaches.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This converts the xcopy code to use the idr helper. The next patch
will drop the g_device_list and make g_device_mutex local to the
target_core_device.c file.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This adds a wrapper around idr_for_each so the xcopy code can loop over
the devices in the next patch.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This makes the device add, del reconfig operations sync. It fixes
the issue where for add and reconfig, we do not know if userspace
successfully completely the operation, so we leave invalid kernel
structs or report incorrect status for the config/reconfig operations.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This adds a helper to find a se_device by dev_index. It will
be used in the next patches so tcmu's netlink interface can
execute commands on specific devices.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
In the next patches we will add tcmu netlink support that allows
userspace to send commands to target_core_user. To execute operations
on a se_device/tcmu_dev we need to be able to look up a dev by any old
id. This patch replaces the se_device->dev_index with a idr created
id.
The next patches will also remove the g_device_list and replace it with
the idr.
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
With this patch free_device is now used to free what is allocated in the
alloc_device callback and destroy_device tears down the resources that are
setup in the configure_device callback.
This patch will be needed in the next patch where tcmu needs
to be able to look up the device in the destroy callback.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
1. TCMU_ATTR_TYPE is too generic when it describes only the
reconfiguration type, so rename to TCMU_ATTR_RECONFIG_TYPE.
2. Only return the reconfig type when it is a
TCMU_CMD_RECONFIG_DEVICE command.
3. CONFIG_* type is not needed. We can pass the value along with an
ATTR to userspace, so it does not need to read sysfs/configfs.
4. Fix leak in tcmu_dev_path_store and rename to dev_config to
reflect it is more than just a path that can be changed.
6. Don't update kernel struct value if netlink sending fails.
Signed-off-by: Mike Christie <[email protected]>
Reviewed-by: "Bryant G. Ly" <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This patch drops two incorrect usages of tcm_qla2xxx_free_cmd()
during TMR ABORT within tcm_qla2xxx_handle_data_work() and
tcm_qla2xxx_aborted_task(), which where attempting to dispatch
into workqueue context to do tcm_qla2xxx_complete_free() and
subsequently invoke transport_generic_free_cmd().
This is incorrect because during TMR ABORT target-core will
drop the outstanding se_cmd->cmd_kref references once it has
quiesced the se_cmd via transport_wait_for_tasks(), and in
the case of qla2xxx it should not attempt to do it's own
transport_generic_free_cmd() once the abort has occured.
As reported by Pascal, this was originally manifesting as a
BUG_ON(cmd->cmd_in_wq) in qlt_free_cmd() during TMR ABORT,
with a LIO backend that had sufficently high enough WRITE
latency to trigger a host side TMR ABORT_TASK.
In addition, for the case in tcm_qla2xxx_write_pending_status()
and tcm_qla2xxx_handle_data_work() that waits for outstanding
FCP WRITE data transfer to complete before preceeding with a
TMR ABORT, avoid se_cmd->t_transport_stop_comp that is already
used by transport_wait_for_tasks() and use a qla2xxx internal
struct completion instead.
Reported-by: Pascal de Bruijn <[email protected]>
Tested-by: Pascal de Bruijn <[email protected]>
Acked-by: Himanshu Madhani <[email protected]>
Cc: Quinn Tran <[email protected]>
Cc: <[email protected]> # 3.10+
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This patch fixes a NULL pointer dereference in isert_login_recv_done()
of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
resetting isert_conn->cm_id = NULL during a failed login attempt.
As per Sagi, we will always see the completion of all recv wrs posted
on the qp (given that we assigned a ->done handler), this is a FLUSH
error completion, we just don't get to verify that because we deref
NULL before.
The issue here, was the assumption that dereferencing the connection
cm_id is always safe, which is not true since:
commit 4a579da2586bd3b79b025947ea24ede2bbfede62
Author: Sagi Grimberg <[email protected]>
Date: Sun Mar 29 15:52:04 2015 +0300
iser-target: Fix possible deadlock in RDMA_CM connection error
As I see it, we have a direct reference to the isert_device from
isert_conn which is the one-liner fix that we actually need like
we do in isert_rdma_read_done() and isert_rdma_write_done().
Reported-by: Andrea Righi <[email protected]>
Tested-by: Andrea Righi <[email protected]>
Reviewed-by: Sagi Grimberg <[email protected]>
Cc: <[email protected]> # 3.10+
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
The array tcmu_attrib_attrs does not need to be in global scope, so make
it static.
Cleans up sparse warning:
"symbol 'tcmu_attrib_attrs' was not declared. Should it be static?"
Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Because the unmap code just after the schdule() returned may take
a long time and if the kthread_stop() is fired just when in this
routine, the module removal maybe stuck too.
Signed-off-by: Xiubo Li <[email protected]>
Reviewed-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
that would be triggered during normal se_cmd shutdown or abort
via __transport_wait_for_tasks().
This would occur because target_complete_cmd() would catch this
early and do complete_all(&cmd->t_transport_stop_comp), but since
target_complete_ok_work() or target_complete_failure_work() are
never called to invoke se_cmd->transport_complete_callback(),
the COMPARE_AND_WRITE specific callbacks never release caw_sem.
To address this special case, go ahead and release caw_sem
directly from target_complete_cmd().
(Remove '&& success' from check, to release caw_sem regardless
of scsi_status - nab)
Signed-off-by: Jiang Yi <[email protected]>
Cc: <[email protected]> # 3.14+
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This patch adds more info about the attribute being changed,
so that usersapce can easily figure out what is happening.
Signed-off-by: Bryant G. Ly <[email protected]>
Reviewed-By: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This allows for userspace to change the device path after
it has been created. Thus giving the user the ability to change
the path. The use case for this is to allow for virtual optical
to have media change.
Signed-off-by: Bryant G. Ly <[email protected]>
Reviewed-By: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Allow tcmu backstores to be able to set the device size
after it has been configured via set attribute.
Part of support in userspace to support certain backstores
changing device size.
Signed-off-by: Bryant G. Ly <[email protected]>
Reviewed-By: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This gives tcmu the ability to handle events that can cause
reconfiguration, such as resize, path changes, write_cache, etc...
Signed-off-by: Bryant G. Ly <[email protected]>
Reviewed-By: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
This will enable the toggling of write_cache in tcmu through targetcli-fb
Signed-off-by: Bryant G. Ly <[email protected]>
Reviewed-By: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
ibmvscsis always returned 0 for the tpg/tag, since it did not
parse the value passed in by the user.
When functions like ALUA members exports the value, it will
be incorrect because targetcli/rtslib starts the tpg numbering
at 1.
Signed-off-by: Bryant G. Ly <[email protected]>
Signed-off-by: Mike Christie <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
If an iSCSI command is rejected before iscsit_process_scsi_cmd()
is called, .reject_reason is set but iscsit_process_scsi_cmd() is
not called. This means that the "if (cmd->reject_reason) ..." code
in this function can be removed without changing the behavior of
this function.
Signed-off-by: Bart Van Assche <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Andy Grover <[email protected]>
Cc: David Disseldorp <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Since .se_tfo is only set if a command has been submitted to
the LIO core, check .se_tfo instead of .iscsi_opcode. Since
__iscsit_free_cmd() only affects SCSI commands but not TMFs,
calling that function for TMFs does not change behavior. This
patch does not change the behavior of iscsit_free_cmd().
Signed-off-by: Bart Van Assche <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Andy Grover <[email protected]>
Cc: David Disseldorp <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Initialize .data_direction to DMA_NONE in iscsit_allocate_cmd()
such that the second argument of __iscsit_free_cmd() can be left
out. Note: this patch causes the first part of __iscsit_free_cmd()
no longer to be skipped for TMFs. That's fine since no data
segments are associated with TMFs.
Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Andy Grover <[email protected]>
Cc: David Disseldorp <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|
|
Target drivers must guarantee that struct se_cmd and struct se_tmr_req
exist as long as target_tmr_work() is in progress. This is why the
tcm_loop driver today passes 1 as second argument to
transport_generic_free_cmd() from inside the TMF code. Instead of
making the TMF code wait, make the TMF code obtain two references
(SCF_ACK_KREF) and drop one reference from inside the .check_stop_free()
callback.
Signed-off-by: Bart Van Assche <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Hannes Reinecke <[email protected]>
Cc: David Disseldorp <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
|