1. 13 Apr, 2015 23 commits
  2. 26 Mar, 2015 17 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.10.73 · 73895725
      Greg Kroah-Hartman authored
      73895725
    • Lee Duncan's avatar
      target: Allow Write Exclusive non-reservation holders to READ · 362684ea
      Lee Duncan authored
      commit 1ecc7586 upstream.
      
      For PGR reservation of type Write Exclusive Access, allow all non
      reservation holding I_T nexuses with active registrations to READ
      from the device.
      
      This addresses a bug where active registrations that attempted
      to READ would result in an reservation conflict.
      Signed-off-by: default avatarLee Duncan <lduncan@suse.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      362684ea
    • Nicholas Bellinger's avatar
      target: Allow AllRegistrants to re-RESERVE existing reservation · 5e15feee
      Nicholas Bellinger authored
      commit ae450e24 upstream.
      
      This patch changes core_scsi3_pro_release() logic to allow an
      existing AllRegistrants type reservation to be re-reserved by
      any registered I_T nexus.
      
      This addresses a issue where AllRegistrants type RESERVE was
      receiving RESERVATION_CONFLICT status if dev_pr_res_holder did
      not match the same I_T nexus, instead of just returning GOOD
      status following spc4r34 Section 5.9.9:
      
      "If the device server receives a PERSISTENT RESERVE OUT command
       with RESERVE service action where the TYPE field and the SCOPE
       field contain the same values as the existing type and scope
       from a persistent reservation holder, it shall not make any
       change to the existing persistent reservation and shall complete
       the command with GOOD status."
      Reported-by: default avatarIlias Tsitsimpis <i.tsitsimpis@gmail.com>
      Cc: Ilias Tsitsimpis <i.tsitsimpis@gmail.com>
      Cc: Lee Duncan <lduncan@suse.com>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e15feee
    • Nicholas Bellinger's avatar
      target: Fix R_HOLDER bit usage for AllRegistrants · dba66c15
      Nicholas Bellinger authored
      commit d16ca7c5 upstream.
      
      This patch fixes the usage of R_HOLDER bit for an All Registrants
      reservation in READ_FULL_STATUS, where only the registration who
      issued RESERVE was being reported as having an active reservation.
      
      It changes core_scsi3_pri_read_full_status() to check ahead of the
      list walk of active registrations to see if All Registrants is active,
      and if so set R_HOLDER bit and scope/type fields for all active
      registrations.
      Reported-by: default avatarIlias Tsitsimpis <i.tsitsimpis@gmail.com>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dba66c15
    • Nicholas Bellinger's avatar
      target/pscsi: Fix NULL pointer dereference in get_device_type · 3bb09afb
      Nicholas Bellinger authored
      commit 215a8fe4 upstream.
      
      This patch fixes a NULL pointer dereference OOPs with pSCSI backends
      within target_core_stat.c code.  The bug is caused by a configfs attr
      read if no pscsi_dev_virt->pdv_sd has been configured.
      Reported-by: default avatarOlaf Hering <olaf@aepfle.de>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bb09afb
    • Nicholas Bellinger's avatar
      iscsi-target: Avoid early conn_logout_comp for iser connections · 20781616
      Nicholas Bellinger authored
      commit f068fbc8 upstream.
      
      This patch fixes a iser specific logout bug where early complete()
      of conn->conn_logout_comp in iscsit_close_connection() was causing
      isert_wait4logout() to complete too soon, triggering a use after
      free NULL pointer dereference of iscsi_conn memory.
      
      The complete() was originally added for traditional iscsi-target
      when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given
      iser-target does not wait in logout failure, this special case needs
      to be avoided.
      Reported-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Slava Shwartsman <valyushash@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20781616
    • Bart Van Assche's avatar
      target: Fix reference leak in target_get_sess_cmd() error path · 99360ec8
      Bart Van Assche authored
      commit 7544e597 upstream.
      
      This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down
      is true within target_get_sess_cmd() submission path code.
      
      This se_cmd reference leak can occur during active session shutdown when
      ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers.
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99360ec8
    • Alexandre Belloni's avatar
      ARM: at91: pm: fix at91rm9200 standby · d1d3eb6c
      Alexandre Belloni authored
      commit 84e87166 upstream.
      
      at91rm9200 standby and suspend to ram has been broken since
      00482a40. It is wrongly using AT91_BASE_SYS which is a physical address
      and actually doesn't correspond to any register on at91rm9200.
      
      Use the correct at91_ramc_base[0] instead.
      
      Fixes: 00482a40 (ARM: at91: implement the standby function for pm/cpuidle)
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1d3eb6c
    • Julian Anastasov's avatar
      ipvs: rerouting to local clients is not needed anymore · 96b077b4
      Julian Anastasov authored
      commit 579eb62a upstream.
      
      commit f5a41847 ("ipvs: move ip_route_me_harder for ICMP")
      from 2.6.37 introduced ip_route_me_harder() call for responses to
      local clients, so that we can provide valid rt_src after SNAT.
      It was used by TCP to provide valid daddr for ip_send_reply().
      After commit 0a5ebb80 ("ipv4: Pass explicit daddr arg to
      ip_send_reply()." from 3.0 this rerouting is not needed anymore
      and should be avoided, especially in LOCAL_IN.
      
      Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
      "3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"
      Reported-by: default avatarSmart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
      Tested-by: default avatarSmart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96b077b4
    • Julian Anastasov's avatar
      ipvs: add missing ip_vs_pe_put in sync code · 2fd83573
      Julian Anastasov authored
      commit 528c943f upstream.
      
      ip_vs_conn_fill_param_sync() gets in param.pe a module
      reference for persistence engine from __ip_vs_pe_getbyname()
      but forgets to put it. Problem occurs in backup for
      sync protocol v1 (2.6.39).
      
      Also, pe_data usually comes in sync messages for
      connection templates and ip_vs_conn_new() copies
      the pointer only in this case. Make sure pe_data
      is not leaked if it comes unexpectedly for normal
      connections. Leak can happen only if bogus messages
      are sent to backup server.
      
      Fixes: fe5e7a1e ("IPVS: Backup, Adding Version 1 receive capability")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fd83573
    • Michael Ellerman's avatar
      powerpc/smp: Wait until secondaries are active & online · 7f18d652
      Michael Ellerman authored
      commit 875ebe94 upstream.
      
      Anton has a busy ppc64le KVM box where guests sometimes hit the infamous
      "kernel BUG at kernel/smpboot.c:134!" issue during boot:
      
        BUG_ON(td->cpu != smp_processor_id());
      
      Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops
      output confirms it:
      
        CPU: 0
        Comm: watchdog/130
      
      The problem is that we aren't ensuring the CPU active bit is set for the
      secondary before allowing the master to continue on. The master unparks
      the secondary CPU's kthreads and the scheduler looks for a CPU to run
      on. It calls select_task_rq() and realises the suggested CPU is not in
      the cpus_allowed mask. It then ends up in select_fallback_rq(), and
      since the active bit isnt't set we choose some other CPU to run on.
      
      This seems to have been introduced by 6acbfb96 "sched: Fix hotplug
      vs. set_cpus_allowed_ptr()", which changed from setting active before
      online to setting active after online. However that was in turn fixing a
      bug where other code assumed an active CPU was also online, so we can't
      just revert that fix.
      
      The simplest fix is just to spin waiting for both active & online to be
      set. We already have a barrier prior to set_cpu_online() (which also
      sets active), to ensure all other setup is completed before online &
      active are set.
      
      Fixes: 6acbfb96 ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f18d652
    • Jiri Slaby's avatar
      x86/vdso: Fix the build on GCC5 · 99a9adca
      Jiri Slaby authored
      commit e8932869 upstream.
      
      On gcc5 the kernel does not link:
      
        ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.
      
      Because prior GCC versions always emitted NOPs on ALIGN directives, but
      gcc5 started omitting them.
      
      .LSTARTFDEDLSI1 says:
      
              /* HACK: The dwarf2 unwind routines will subtract 1 from the
                 return address to get an address in the middle of the
                 presumed call instruction.  Since we didn't get here via
                 a call, we need to include the nop before the real start
                 to make up for it.  */
              .long .LSTART_sigreturn-1-.     /* PC-relative start address */
      
      But commit 69d0627a ("x86 vDSO: reorder vdso32 code") from 2.6.25
      replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
      __kernel_sigreturn.
      
      Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
      vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".
      
      So fix this by adding to that point at least a single NOP and make the
      function ALIGN possibly with more NOPs then.
      
      Kudos for reporting and diagnosing should go to Richard.
      Reported-by: default avatarRichard Biener <rguenther@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.czSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99a9adca
    • Oleg Nesterov's avatar
      x86/fpu: Drop_fpu() should not assume that tsk equals current · 16329d3d
      Oleg Nesterov authored
      commit f4c36863 upstream.
      
      drop_fpu() does clear_used_math() and usually this is correct
      because tsk == current.
      
      However switch_fpu_finish()->restore_fpu_checking() is called before
      __switch_to() updates the "current_task" variable. If it fails,
      we will wrongly clear the PF_USED_MATH flag of the previous task.
      
      So use clear_stopped_child_used_math() instead.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16329d3d
    • Oleg Nesterov's avatar
      x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() · 1e6d9ee0
      Oleg Nesterov authored
      commit a7c80ebc upstream.
      
      math_state_restore() assumes it is called with irqs disabled,
      but this is not true if the caller is __restore_xstate_sig().
      
      This means that if ia32_fxstate == T and __copy_from_user()
      fails, __restore_xstate_sig() returns with irqs disabled too.
      
      This triggers:
      
        BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
         dump_stack
         ___might_sleep
         ? _raw_spin_unlock_irqrestore
         __might_sleep
         down_read
         ? _raw_spin_unlock_irqrestore
         print_vma_addr
         signal_fault
         sys32_rt_sigreturn
      
      Change __restore_xstate_sig() to call set_used_math()
      unconditionally. This avoids enabling and disabling interrupts
      in math_state_restore(). If copy_from_user() fails, we can
      simply do fpu_finit() by hand.
      
      [ Note: this is only the first step. math_state_restore() should
              not check used_math(), it should set this flag. While
      	init_fpu() should simply die. ]
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Pekka Riikonen <priikone@iki.fi>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Suresh Siddha <sbsiddha@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e6d9ee0
    • Stephan Mueller's avatar
      crypto: aesni - fix memory usage in GCM decryption · 31c06b94
      Stephan Mueller authored
      commit ccfe8c3f upstream.
      
      The kernel crypto API logic requires the caller to provide the
      length of (ciphertext || authentication tag) as cryptlen for the
      AEAD decryption operation. Thus, the cipher implementation must
      calculate the size of the plaintext output itself and cannot simply use
      cryptlen.
      
      The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
      in req->dst. As the destination buffer for decryption only needs to hold
      the plaintext memory but cryptlen references the input buffer holding
      (ciphertext || authentication tag), the assumption of the destination
      buffer length in RFC4106 GCM operation leads to a too large size. This
      patch simply uses the already calculated plaintext size.
      
      In addition, this patch fixes the offset calculation of the AAD buffer
      pointer: as mentioned before, cryptlen already includes the size of the
      tag. Thus, the tag does not need to be added. With the addition, the AAD
      will be written beyond the already allocated buffer.
      
      Note, this fixes a kernel crash that can be triggered from user space
      via AF_ALG(aead) -- simply use the libkcapi test application
      from [1] and update it to use rfc4106-gcm-aes.
      
      Using [1], the changes were tested using CAVS vectors to demonstrate
      that the crypto operation still delivers the right results.
      
      [1] http://www.chronox.de/libkcapi.html
      
      CC: Tadeusz Struk <tadeusz.struk@intel.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31c06b94
    • James Bottomley's avatar
      libsas: Fix Kernel Crash in smp_execute_task · e2e35381
      James Bottomley authored
      commit 6302ce4d upstream.
      
      This crash was reported:
      
      [  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
      [  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804098] PGD 0
      [  368.804114] Oops: 0002 [#1] SMP
      [  368.804143] CPU 1
      [  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
      [  368.804749]
      [  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
      [  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
      [  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
      [  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
      [  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
      [  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
      [  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
      [  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
      [  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
      [  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
      [  368.805009] Stack:
      [  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
      [  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
      [  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
      [  368.805135] Call Trace:
      [  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
      [  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
      [  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
      [  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
      [  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
      [  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
      [  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
      [  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
      [  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
      [  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
      [  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
      [  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
      [  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
      [  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
      [  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
      [  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
      [  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
      [  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
      [  368.805877]  RSP <ffff880117001cc0>
      [  368.805886] CR2: 0000000000000000
      [  368.805899] ---[ end trace b720682065d8f4cc ]---
      
      It's directly caused by 89d3cf6a [SCSI] libsas: add mutex for SMP task
      execution, but shows a deeper cause: expander functions expect to be able to
      cast to and treat domain devices as expanders.  The correct fix is to only do
      expander discover when we know we've got an expander device to avoid wrongly
      casting a non-expander device.
      Reported-by: default avatarPraveen Murali <pmurali@logicube.com>
      Tested-by: default avatarPraveen Murali <pmurali@logicube.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2e35381
    • Jan Beulich's avatar
      xen-pciback: limit guest control of command register · 1c335229
      Jan Beulich authored
      commit af6fc858 upstream.
      
      Otherwise the guest can abuse that control to cause e.g. PCIe
      Unsupported Request responses by disabling memory and/or I/O decoding
      and subsequently causing (CPU side) accesses to the respective address
      ranges, which (depending on system configuration) may be fatal to the
      host.
      
      Note that to alter any of the bits collected together as
      PCI_COMMAND_GUEST permissive mode is now required to be enabled
      globally or on the specific device.
      
      This is CVE-2015-2150 / XSA-120.
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c335229