18 Oct, 2018

1 commit

  • [ Upstream commit cbe3fd39d223f14b1c60c80fe9347a3dd08c2edb ]

    We should first do the le16_to_cpu endian conversion and then apply the
    FCP_CMD_LENGTH_MASK mask.

    Fixes: 5f35509db179 ("qla2xxx: Terminate exchange if corrupted")
    Signed-off-by: Dan Carpenter
    Acked-by: Quinn Tran
    Acked-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
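An added example, not part of the commit or the qla2xxx source, showing why the order in the message above matters: the length field arrives little-endian, so masking the raw load only agrees with masking the converted value on a little-endian host. The mask value `0x0fff`, the sample bytes and all helper names are assumptions made for illustration, and big-endian behaviour is modelled in portable C rather than taken from a real host.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for illustration; the commit message names the mask only. */
#define FCP_CMD_LENGTH_MASK 0x0fff

enum host_order { HOST_LE, HOST_BE };

/* Constructed sample: little-endian wire bytes for 0xA058
 * (upper nibble 0xA = non-length bits, low 12 bits 0x058 = length 88). */
static const uint8_t sample_wire[2] = { 0x58, 0xA0 };

/* What a plain 16-bit load of the two wire bytes yields on each host type. */
static uint16_t raw_load16(const uint8_t b[2], enum host_order h)
{
    return h == HOST_LE ? (uint16_t)(b[0] | (b[1] << 8))
                        : (uint16_t)((b[0] << 8) | b[1]);
}

static uint16_t bswap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Model of le16_to_cpu(): identity on a LE host, byte swap on a BE host. */
static uint16_t model_le16_to_cpu(uint16_t raw, enum host_order h)
{
    return h == HOST_LE ? raw : bswap16(raw);
}

/* Wrong order: the host-order mask is applied to the still-unconverted value. */
static uint16_t len_mask_then_convert(const uint8_t b[2], enum host_order h)
{
    uint16_t masked_raw = raw_load16(b, h) & FCP_CMD_LENGTH_MASK;
    return model_le16_to_cpu(masked_raw, h);
}

/* Order the commit message asks for: convert first, then mask. */
static uint16_t len_convert_then_mask(const uint8_t b[2], enum host_order h)
{
    return model_le16_to_cpu(raw_load16(b, h), h) & FCP_CMD_LENGTH_MASK;
}

int main(void)
{
    static const char *names[] = { "little-endian host", "big-endian host" };
    enum host_order h;

    for (h = HOST_LE; h <= HOST_BE; h++) {
        /* On the BE model the wrong order drops length bits and keeps
         * the non-length nibble, so a length check sees a bogus value. */
        printf("%-18s mask-then-convert=0x%04x convert-then-mask=0x%04x\n",
               names[h],
               len_mask_then_convert(sample_wire, h),
               len_convert_then_mask(sample_wire, h));
    }
    return 0;
}
```

On the little-endian model both orders return the same length, which is why a bug of this kind goes unnoticed on x86 test systems.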
     

16 Aug, 2018

1 commit

  • commit 5e53be8e476a3397ed5383c23376f299555a2b43 upstream.

    In the case of IOCB QFull, Initiator code can leave behind a stale pointer
    to an SRB structure on the outstanding command array.

    Fixes: 82de802ad46e ("scsi: qla2xxx: Preparation for Target MQ.")
    Cc: stable@vger.kernel.org #v4.16+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     

09 Aug, 2018

4 commits

  • commit b4146c4929ef61d5afca011474d59d0918a0cd82 upstream.

    Propagate the task management completion status properly to avoid
    unnecessary waits for commands to complete.

    Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling")
    Cc:
    Signed-off-by: Anil Gurumurthy
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Anil Gurumurthy
     
  • commit b08abbd9f5996309f021684f9ca74da30dcca36a upstream.

    During unload process, the chip can encounter problem where a FW dump would
    be captured. For this case, the full reset sequence will be skipped to bring
    the chip back to full operational state.

    Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
    Cc:
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit efa93f48fa9d423fda166bc3b6c0cbb09682492e upstream.

    Add wait for session deletion to finish before freeing an NPIV scsi host.

    Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
    Cc:
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit e3dde080ebbdbb4bda8eee35d770714fee8c59ac upstream.

    In case of IOCB Queue full or system where memory is low and driver
    receives large number of RSCN storm, the stale sp pointer can stay on
    gpnid_list resulting in page_fault.

    This patch fixes this issue by initializing the sp->elem list head and
    removing sp->elem before memory is freed.

    Following stack trace is seen

    9 [ffff987b37d1bc60] page_fault at ffffffffad516768 [exception RIP: qla24xx_async_gpnid+496]
    10 [ffff987b37d1bd10] qla24xx_async_gpnid at ffffffffc039866d [qla2xxx]
    11 [ffff987b37d1bd80] qla2x00_do_work at ffffffffc036169c [qla2xxx]
    12 [ffff987b37d1be38] qla2x00_do_dpc_all_vps at ffffffffc03adfed [qla2xxx]
    13 [ffff987b37d1be78] qla2x00_do_dpc at ffffffffc036458a [qla2xxx]
    14 [ffff987b37d1bec8] kthread at ffffffffacebae31

    Fixes: 2d73ac6102d9 ("scsi: qla2xxx: Serialize GPNID for multiple RSCN")
    Cc: # v4.17+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     

03 Jul, 2018

2 commits

  • commit 3cedc8797b9c0f2222fd45a01f849c57c088828b upstream.

    Some newer target uses "Status Qualifier" response in a returned "Busy
    Status". This new response code of 0x4001, which is "Scope" bits,
    translates to "Affects all units accessible by target". Due to this new
    value returned in the Scope bits, driver was using that value as timeout
    value which resulted into driver waiting for 27min timeout.

    This patch masks off this Scope bits so that driver does not use this
    value as retry delay time.

    Cc:
    Signed-off-by: Anil Gurumurthy
    Signed-off-by: Giridhar Malavali
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Ewan D. Milne
    Reviewed-by: Martin Wilck
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Anil Gurumurthy
     
  • commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.

    This patch prevents driver from setting lower default speed of 1 GB/sec,
    if the switch does not support Get Port Speed Capabilities (GPSC)
    command. Setting this default speed results into much lower write
    performance for large sequential WRITE. This patch modifies driver to
    check for gpsc_supported flags and prevents driver from issuing
    MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
    does not send this mailbox command, firmware assumes maximum supported
    link speed and will operate at the max speed.

    Cc: stable@vger.kernel.org
    Signed-off-by: Himanshu Madhani
    Reported-by: Eda Zhou
    Reviewed-by: Ewan D. Milne
    Tested-by: Ewan D. Milne
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Himanshu Madhani
     

25 May, 2018

2 commits

  • [ Upstream commit c02189e12ce3bf3808cb880569d3b10249f50bd9 ]

    A left shift must shift less than the bit width of the left argument.
    Avoid triggering undefined behavior if ha->mbx_count == 32.

    This patch avoids that UBSAN reports the following complaint:

    UBSAN: Undefined behaviour in drivers/scsi/qla2xxx/qla_isr.c:275:14
    shift exponent 32 is too large for 32-bit type 'int'
    Call Trace:
    dump_stack+0x4e/0x6c
    ubsan_epilogue+0xd/0x3b
    __ubsan_handle_shift_out_of_bounds+0x112/0x14c
    qla2x00_mbx_completion+0x1c5/0x25d [qla2xxx]
    qla2300_intr_handler+0x1ea/0x3bb [qla2xxx]
    qla2x00_mailbox_command+0x77b/0x139a [qla2xxx]
    qla2x00_mbx_reg_test+0x83/0x114 [qla2xxx]
    qla2x00_chip_diag+0x354/0x45f [qla2xxx]
    qla2x00_initialize_adapter+0x2c2/0xa4e [qla2xxx]
    qla2x00_probe_one+0x1681/0x392e [qla2xxx]
    pci_device_probe+0x10b/0x1f1
    driver_probe_device+0x21f/0x3a4
    __driver_attach+0xa9/0xe1
    bus_for_each_dev+0x6e/0xb5
    driver_attach+0x22/0x3c
    bus_add_driver+0x1d1/0x2ae
    driver_register+0x78/0x130
    __pci_register_driver+0x75/0xa8
    qla2x00_module_init+0x21b/0x267 [qla2xxx]
    do_one_initcall+0x5a/0x1e2
    do_init_module+0x9d/0x285
    load_module+0x20db/0x38e3
    SYSC_finit_module+0xa8/0xbc
    SyS_finit_module+0x9/0xb
    do_syscall_64+0x77/0x271
    entry_SYSCALL64_slow_path+0x25/0x25

    Reported-by: Meelis Roos
    Signed-off-by: Bart Van Assche
    Cc: Himanshu Madhani
    Reviewed-by: Laurence Oberman
    Acked-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Bart Van Assche
     
  • [ Upstream commit 2ce87cc5b269510de9ca1185ca8a6e10ec78c069 ]

    This patch fixes memory corruption while performing HBA Reset test.

    Following stack trace is seen:

    [ 466.397219] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    [ 466.433669] IP: [] qlt_free_session_done+0x260/0x5f0 [qla2xxx]
    [ 466.467731] PGD 0
    [ 466.476718] Oops: 0000 [#1] SMP

    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Johannes Thumshirn
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     

26 Apr, 2018

1 commit

  • [ Upstream commit 7ac0c332f96bb9688560726f5e80c097ed8de59a ]

    This patch fixes following Smatch warning:

    drivers/scsi/qla2xxx/qla_init.c:130 qla2x00_async_iocb_timeout() error: we previously assumed 'fcport' could be null (see line 107)

    Fixes: 5c25d451163c ("scsi: qla2xxx: Fix NULL pointer access for fcport structure")
    Reported by: Dan Carpenter
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    himanshu.madhani@cavium.com
     

19 Apr, 2018

1 commit

  • commit 6d6340672ba3a99c4cf7af79c2edf7aa25595c84 upstream.

    The code that fixes the crashes in the following commit introduced a small
    memory leak:

    commit 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")

    Fixing this requires a bit of reworking, which I've explained. Also provide
    some code cleanup.

    There is a small window in qla2x00_probe_one where if qla2x00_alloc_queues
    fails, we end up never freeing req and rsp and leak 0xc0 and 0xc8 bytes
    respectively (the sizes of req and rsp).

    I originally put in checks to test for this condition which were based on
    the incorrect assumption that if ha->rsp_q_map and ha->req_q_map were
    allocated, then rsp and req were allocated as well. This is incorrect.
    There is a window between these allocations:

    ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
    goto probe_hw_failed;

    [if successful, both rsp and req allocated]

    base_vha = qla2x00_create_host(sht, ha);
    goto probe_hw_failed;

    ret = qla2x00_request_irqs(ha, rsp);
    goto probe_failed;

    if (qla2x00_alloc_queues(ha, req, rsp)) {
    goto probe_failed;

    [if successful, now ha->rsp_q_map and ha->req_q_map allocated]

    To simplify this, we should just set req and rsp to NULL after we free
    them. Sounds simple enough? The problem is that req and rsp are pointers
    defined in the qla2x00_probe_one and they are not always passed by reference
    to the routines that free them.

    Here are paths which can free req and rsp:

    PATH 1:
    qla2x00_probe_one
    ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
    [req and rsp are passed by reference, but if this fails, we currently
    do not NULL out req and rsp. Easily fixed]

    PATH 2:
    qla2x00_probe_one
    failing in qla2x00_request_irqs or qla2x00_alloc_queues
    probe_failed:
    qla2x00_free_device(base_vha);
    qla2x00_free_req_que(ha, req)
    qla2x00_free_rsp_que(ha, rsp)

    PATH 3:
    qla2x00_probe_one:
    failing in qla2x00_mem_alloc or qla2x00_create_host
    probe_hw_failed:
    qla2x00_free_req_que(ha, req)
    qla2x00_free_rsp_que(ha, rsp)

    PATH 1: This should currently work, but it doesn't because rsp and rsp are
    not set to NULL in qla2x00_mem_alloc. Easily remedied.

    PATH 2: req and rsp aren't passed in at all to qla2x00_free_device but are
    derived from ha->req_q_map[0] and ha->rsp_q_map[0]. These are only set up if
    qla2x00_alloc_queues succeeds.

    In qla2x00_free_queues, we are protected from crashing if these don't exist
    because req_qid_map and rsp_qid_map are only set on their allocation. We are
    guarded in this way:

    for (cnt = 0; cnt < ha->max_req_queues; cnt++) {
    if (!test_bit(cnt, ha->req_qid_map))
    continue;

    PATH 3: This works. We haven't freed req or rsp yet (or they were never
    allocated if qla2x00_mem_alloc failed), so we'll attempt to free them here.

    To summarize, there are a few small changes to make this work correctly
    (and for some cleanup):

    1) (For PATH 1) Set *rsp and *req to NULL in case of failure in
    qla2x00_mem_alloc so these are correctly set to NULL back in
    qla2x00_probe_one

    2) After jumping to probe_failed: and calling qla2x00_free_device,
    explicitly set rsp and req to NULL so further calls with these pointers do
    not crash, i.e. the free queue calls in the probe_hw_failed section we fall
    through to.

    3) Fix return code check in the call to qla2x00_alloc_queues. We currently
    drop the return code on the floor. The probe fails but the caller of the
    probe doesn't have an error code, so it attaches to pci. This can result in
    a crash on module shutdown.

    4) Remove unnecessary NULL checks in qla2x00_free_req_que,
    qla2x00_free_rsp_que, and the egregious NULL checks before kfrees and vfrees
    in qla2x00_mem_free.

    I tested this out running a scenario where the card breaks at various times
    during initialization. I made sure I forced every error exit path in
    qla2x00_probe_one.

    Cc: # v4.16
    Fixes: 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")
    Signed-off-by: Bill Kuzeja
    Acked-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Bill Kuzeja
     

21 Mar, 2018

4 commits

  • commit 6a2cf8d3663e13e19af636c2a8d92e766261dc45 upstream.

    Because of the shifting around of code in qla2x00_probe_one recently,
    failures during adapter initialization can lead to problems, i.e. NULL
    pointer crashes and doubly freed data structures which cause eventual
    panics.

    This V2 version makes the relevant memory free routines idempotent, so
    repeat calls won't cause any harm. I also removed the problematic
    probe_init_failed exit point as it is not needed.

    Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure")
    Signed-off-by: Bill Kuzeja
    Acked-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Bill Kuzeja
     
  • commit a2390348c19d0819d525d375414a7cfdacb51a68 upstream.

    Commit 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target
    re-login.") fixed the target re-login after session relogin is complete,
    but missed out the qlt_free_session_done() path.

    This patch clears send_els_logo flag in qlt_free_session_done()
    callback.

    [mkp: checkpatch]

    Fixes: 3515832cc614 ("scsi: qla2xxx: Reset the logo flag, after target re-login.")
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Himanshu Madhani
     
  • commit 5c25d451163cab9be80744cbc5448d6b95ab8d1a upstream.

    When processing iocb in a timeout case, driver was trying to log messages
    without verifying if the fcport structure could have valid data. This
    results in a NULL pointer access.

    Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 62aa281470fdb7c0796d63a1cc918a8c1f02dde2 upstream.

    This patch fixes following warnings reported by smatch:

    drivers/scsi/qla2xxx/qla_mid.c:586 qla25xx_delete_req_que()
    error: we previously assumed 'req' could be null (see line 580)

    drivers/scsi/qla2xxx/qla_mid.c:602 qla25xx_delete_rsp_que()
    error: we previously assumed 'rsp' could be null (see line 596)

    Fixes: 7867b98dceb7 ("scsi: qla2xxx: Fix memory leak in dual/target mode")
    Reported-by: Dan Carpenter
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Himanshu Madhani
     

15 Mar, 2018

22 commits

  • commit 3efc31f76dd7fc8a71cd86683909f637e9b7cadb upstream.

    During error test case where switch port status is toggled from enable to
    disable, following stack trace is seen which indicates recursion trying to
    send terminate exchange. This regression was introduced by commit
    82de802ad46e ("scsi: qla2xxx: Preparation for Target MQ.")

    BUG: stack guard page was hit at ffffb96488383ff8 (stack is ffffb96488384000..ffffb96488387fff)
    BUG: stack guard page was hit at ffffb964886c3ff8 (stack is ffffb964886c4000..ffffb964886c7fff)
    kernel stack overflow (double-fault): 0000 [#1] SMP
    qlt_term_ctio_exchange+0x9c/0xb0 [qla2xxx]
    qlt_term_ctio_exchange+0x9c/0xb0 [qla2xxx]
    qlt_term_ctio_exchange+0x9c/0xb0 [qla2xxx]
    qlt_term_ctio_exchange+0x9c/0xb0 [qla2xxx]
    qlt_term_ctio_exchange+0x9c/0xb0 [qla2xxx]

    Fixes: 82de802ad46e ("scsi: qla2xxx: Preparation for Target MQ.")
    Cc: #4.10
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    himanshu.madhani@cavium.com
     
  • commit d64d6c5671db5e693a0caaee79f2571b098749c9 upstream.

    This patch fixes regression added by commit d74595278f4ab
    ("scsi: qla2xxx: Add multiple queue pair functionality.").

    When driver is not able to get requested IRQs from the system, driver will
    attempt to clean up memory before failing hardware probe. During this cleanup,
    driver assigns NULL value to the pointer which has not been allocated by
    driver yet. This results in a NULL pointer access.

    Log file will show following message and stack trace

    qla2xxx [0000:a3:00.1]-00c7:21: MSI-X: Failed to enable support, giving up -- 32/-1.
    qla2xxx [0000:a3:00.1]-0037:21: Falling back-to MSI mode --1.
    qla2xxx [0000:a3:00.1]-003a:21: Failed to reserve interrupt 821 already in use.
    BUG: unable to handle kernel NULL pointer dereference at (null)
    IP: [] qla2x00_probe_one+0x18b6/0x2730 [qla2xxx]
    PGD 0
    Oops: 0002 [#1] SMP

    Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.").
    Cc: # 4.10
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    himanshu.madhani@cavium.com
     
  • commit 1514839b366417934e2f1328edb50ed1e8a719f5 upstream.

    This patch fixes NULL pointer crash due to active timer running for abort
    IOCB.

    From crash dump analysis it was discovered that get_next_timer_interrupt()
    encountered a corrupted entry on the timer list.

    #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
    [exception RIP: get_next_timer_interrupt+440]
    RIP: ffffffff90ea3088 RSP: ffff95e1f6f0fdf0 RFLAGS: 00010013
    RAX: ffff95e1f6451028 RBX: 000218e2389e5f40 RCX: 00000001232ad600
    RDX: 0000000000000001 RSI: ffff95e1f6f0fdf0 RDI: 0000000001232ad6
    RBP: ffff95e1f6f0fe40 R8: ffff95e1f6451188 R9: 0000000000000001
    R10: 0000000000000016 R11: 0000000000000016 R12: 00000001232ad5f6
    R13: ffff95e1f6450000 R14: ffff95e1f6f0fdf8 R15: ffff95e1f6f0fe10
    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

    Looking at the assembly of get_next_timer_interrupt(), address came
    from %r8 (ffff95e1f6451188) which is pointing to list_head with single
    entry at ffff95e5ff621178.

    0xffffffff90ea307a : mov (%r8),%rdx
    0xffffffff90ea307d : cmp %r8,%rdx
    0xffffffff90ea3080 : je 0xffffffff90ea30a7
    0xffffffff90ea3082 : nopw 0x0(%rax,%rax,1)
    0xffffffff90ea3088 : testb $0x1,0x18(%rdx)

    crash> rd ffff95e1f6451188 10
    ffff95e1f6451188: ffff95e5ff621178 ffff95e5ff621178 x.b.....x.b.....
    ffff95e1f6451198: ffff95e1f6451198 ffff95e1f6451198 ..E.......E.....
    ffff95e1f64511a8: ffff95e1f64511a8 ffff95e1f64511a8 ..E.......E.....
    ffff95e1f64511b8: ffff95e77cf509a0 ffff95e77cf509a0 ...|.......|....
    ffff95e1f64511c8: ffff95e1f64511c8 ffff95e1f64511c8 ..E.......E.....

    crash> rd ffff95e5ff621178 10
    ffff95e5ff621178: 0000000000000001 ffff95e15936aa00 ..........6Y....
    ffff95e5ff621188: 0000000000000000 00000000ffffffff ................
    ffff95e5ff621198: 00000000000000a0 0000000000000010 ................
    ffff95e5ff6211a8: ffff95e5ff621198 000000000000000c ..b.............
    ffff95e5ff6211b8: 00000f5800000000 ffff95e751f8d720 ....X... ..Q....

    ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.

    CACHE NAME OBJSIZE ALLOCATED TOTAL SLABS SSIZE
    ffff95dc7fd74d00 mnt_cache 384 19785 24948 594 16k
    SLAB MEMORY NODE TOTAL ALLOCATED FREE
    ffffdc5dabfd8800 ffff95e5ff620000 1 42 29 13
    FREE / [ALLOCATED]
    ffff95e5ff621080 (cpu 6 cache)

    Examining the contents of that memory reveals a pointer to a constant string
    in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().

    crash> rd ffffffffc059277c 20
    ffffffffc059277c: 6e490074726f6261 0074707572726574 abort.Interrupt.
    ffffffffc059278c: 00676e696c6c6f50 6920726576697244 Polling.Driver i
    ffffffffc059279c: 646f6d207325206e 6974736554000a65 n %s mode..Testi
    ffffffffc05927ac: 636976656420676e 786c252074612065 ng device at %lx
    ffffffffc05927bc: 6b63656843000a2e 646f727020676e69 ...Checking prod
    ffffffffc05927cc: 6f20444920746375 0a2e706968632066 uct ID of chip..
    ffffffffc05927dc: 5120646e756f4600 204130303232414c .Found QLA2200A
    ffffffffc05927ec: 43000a2e70696843 20676e696b636568 Chip...Checking
    ffffffffc05927fc: 65786f626c69616d 6c636e69000a2e73 mailboxes...incl
    ffffffffc059280c: 756e696c2f656475 616d2d616d642f78 ude/linux/dma-ma

    crash> struct -ox srb_iocb
    struct srb_iocb {
    union {
    struct {...} logio;
    struct {...} els_logo;
    struct {...} tmf;
    struct {...} fxiocb;
    struct {...} abt;
    struct ct_arg ctarg;
    struct {...} mbx;
    struct {...} nack;
    [0x0 ] } u;
    [0xb8] struct timer_list timer;
    [0x108] void (*timeout)(void *);
    }
    SIZE: 0x110

    crash> ! bc
    ibase=16
    obase=10
    B8+40
    F8

    The object is a srb_t, and at offset 0xf8 within that structure
    (i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.

    Cc: #4.4+
    Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Johannes Thumshirn
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    himanshu.madhani@cavium.com
     
  • commit 7867b98dceb7741065c9c1b645136facad5c2e93 upstream.

    When driver is loaded in Target/Dual mode, it creates QPair to support
    MQ and allocates resources for each QPair. This Qpair initialization is
    delayed until the FW personality is changed to Dual/Target mode by
    issuing chip reset. At the time of chip reset firmware is re-initialized
    in correct personality all the QPairs are initialized by sending
    MBC_INITIALIZE_MULTIQ (001Fh).

    This patch fixes memory leak by adding check to issue
    MBC_INITIALIZE_MULTIQ command only while deleting rsp/req queue when the
    flag is set for initiator mode, and clean up QPair resources correctly
    during the driver unload. This MBX does not need to be issued for
    Target/Dual mode because chip reset will reset ISP.

    Fixes: d65237c7f0860 ("scsi: qla2xxx: Fix mailbox failure while deleting Queue pairs")
    Cc: # 4.10+
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    himanshu.madhani@cavium.com
     
  • commit 19759033e0d0beed70421ab9258f5ede79e070ae upstream.

    Fix system crash due to NULL pointer access.

    qlt_plogi_ack_t and fc_port structures were not properly bound before
    calling qlt_plogi_ack_unref().

    RIP: 0010:qlt_plogi_ack_unref+0xa1/0x150 [qla2xxx]
    Call Trace:
    qla24xx_create_new_sess+0xb1/0x320 [qla2xxx]
    qla2x00_do_work+0x123/0x260 [qla2xxx]
    qla2x00_iocb_work_fn+0x30/0x40 [qla2xxx]
    process_one_work+0x1f3/0x530
    worker_thread+0x4e/0x480
    kthread+0x10c/0x140

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Giridhar Malavali
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit bf07ef86e882013522876f7c834c8eea085f35b4 upstream.

    This fixes the spinlock recursion issue seen while unloading the driver.

    14 [ffff9f2e21e03db8] native_queued_spin_lock_slowpath at ffffffffad0d8802
    15 [ffff9f2e21e03dc0] do_raw_spin_lock at ffffffffad0d99e4
    16 [ffff9f2e21e03dd8] _raw_spin_lock_irqsave at ffffffffad652471
    17 [ffff9f2e21e03e00] qla2x00_els_dcmd_iocb_timeout at ffffffffc070cd63
    18 [ffff9f2e21e03e40] qla2x00_sp_timeout at ffffffffc06f06d3 [qla2xxx]
    19 [ffff9f2e21e03e68] call_timer_fn at ffffffffad0f97d8
    20 [ffff9f2e21e03ed8] run_timer_softirq at ffffffffad0faf47
    21 [ffff9f2e21e03f68] __softirqentry_text_start at ffffffffad655f32

    Fixes: 6eb54715b54bb ("qla2xxx: Added interface to send explicit LOGO.")
    Cc: # 4.10+
    Signed-off-by: Giridhar Malavali
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Giridhar Malavali
     
  • commit 5d3300a9b8b122b4743aed5a178bf12c87e2b8c9 upstream.

    This patch defers processing of GS IOCB calls from interrupt context to
    avoid hardware spinlock recursion.

    Following stack trace is seen

    ? mod_timer+0x193/0x330
    ? ql_dbg+0xa7/0xf0 [qla2xxx]
    _raw_spin_lock_irqsave+0x31/0x40
    qla2x00_start_sp+0x3b/0x250 [qla2xxx]
    qla24xx_async_gnl+0x1d3/0x240 [qla2xxx]
    qla24xx_fcport_handle_login+0x285/0x290 [qla2xxx]
    ? vprintk_func+0x20/0x50

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Giridhar Malavali
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Giridhar Malavali
     
  • commit ba743f9148e951abe1c94f89c174ec8e44fb145b upstream.

    Clear loop id after delete to prevent session invalidation of stale
    session.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 76f9a2dd4c60183879a1898bcd56a1dbab19a85d upstream.

    Add correct value of scan_state field indicating state of the FC port

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 063b36d6b0ad74c748d536f5cb47bac2f850a0fa upstream.

    Current code manually allocates an fcport structure that is not properly
    initialized. Replace kzalloc with qla2x00_alloc_fcport, so that all
    fields are initialized. Also set scan flag to port found.

    Cc:
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit b0dcce746b32ac573343ad39cb3dc485030de95e upstream.

    Original code acquires hardware_lock to add Abort IOCB onto driver
    request queue for processing. However, abort_command() will also acquire
    hardware lock to look up sp pointer before issuing abort IOCB command
    resulting into a deadlock. This patch safely removes the possible
    deadlock scenario by removing extra spinlock.

    Fixes: 6eb54715b54bb ("qla2xxx: Added interface to send explicit LOGO.")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 23c645595dab7b414f23639d0a428a07515807df upstream.

    Get Port Database MBX cmd is to validate current Login state upon PRLI
    completion. Current code looks at the last login state for re-validation
    which was incorrect. This patch removed incorrect state check.

    Fixes: 15f30a5752287 ("qla2xxx: Use IOCB interface to submit non-critical MBX.")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 4005a995668b8fd58f4cf1460dd4cf63efa18363 upstream.

    Current driver design schedules relogin process via DPC thread every 1
    second. In a large fabric, this DPC thread tries to schedule too many
    jobs and might get overloaded. As a result of this processing of DPC
    thread, it can schedule relogin earlier than 1 second.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 3be63b1e1838e35ce93e83f19573e949f4b389b4 upstream.

    Add check to make sure we are cleaning up global target host list only
    for NPIV hosts

    Fixes: bdbe24de281e2 ("scsi: qla2xxx: Cleanup NPIV host in target mode during config teardown")
    Cc: # 4.10+
    Signed-off-by: Sawan Chandak
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Sawan Chandak
     
  • commit 414d9ff3f8039f85d23f619dcbbd1ba2628a1a67 upstream.

    This patch returns discovery state machine back to Login Complete.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 2d73ac6102d943c4be4945735a338005359c6abc upstream.

    GPNID is triggered by RSCN. For multiple RSCNs of the same affected
    NPORT ID, serialize the GPNID to prevent confusion.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 25ad76b703d9ad536f3411b15b1070aeb059ab55 upstream.

    Retry GID_PN & GPN_ID switch commands for time out case.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit a084fd68e1d26174c4cc1a13fbb0112f468ff7f4 upstream.

    When NPort Handle is in use, driver needs to mark the handle as used and
    pick another. Instead, the code clears the handle and re-picks the same
    handle.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit d68b850e1bfb9afb24b888a946165a186a710195 upstream.

    Fix co-existence between Block MQ and Target Mode. Block MQ and
    initiator mode requires midlayer queue mapping to check for IRQ to be
    affinitized. For target mode, it's not the case.

    Fixes: 09620eeb62c41 ("scsi: qla2xxx: Add debug knob for user control workload")
    Cc: # 4.12+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit a01c77d2cbc45ba527e884e5c30363a1200a4130 upstream.

    Move session delete from system work queue to driver's work queue for in
    time processing.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 22e786ea47f8795c561e1a01b6a66bb2cae2fc20 upstream.

    Stop GPNID command from advancing if command has failed.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     
  • commit 2e01d0ba868ec1d4d55ddcba519339e072b0bf4d upstream.

    Fix NULL pointer crash due to missing timeout handling callback for
    Notify Ack IOCB.

    Fixes: 726b85487067d ("qla2xxx: Add framework for async fabric discovery")
    Cc: # 4.10+
    Signed-off-by: Quinn Tran
    Signed-off-by: Himanshu Madhani
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Quinn Tran
     

30 Nov, 2017

1 commit

  • commit 8653188763b56e0bcbdcab30cc7b059672c900ac upstream.

    Avoid that the following is reported while loading the qla2xxx
    kernel module:

    BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/783
    caller is debug_smp_processor_id+0x17/0x20
    CPU: 7 PID: 783 Comm: modprobe Not tainted 4.14.0-rc8-dbg+ #2
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Call Trace:
    dump_stack+0x8e/0xce
    check_preemption_disabled+0xe3/0xf0
    debug_smp_processor_id+0x17/0x20
    qla2x00_probe_one+0xf43/0x26c0 [qla2xxx]
    pci_device_probe+0xca/0x140
    driver_probe_device+0x2e2/0x440
    __driver_attach+0xa3/0xe0
    bus_for_each_dev+0x5f/0x90
    driver_attach+0x19/0x20
    bus_add_driver+0x1c0/0x260
    driver_register+0x5b/0xd0
    __pci_register_driver+0x63/0x70
    qla2x00_module_init+0x1d6/0x222 [qla2xxx]
    do_one_initcall+0x3c/0x163
    do_init_module+0x55/0x1eb
    load_module+0x20a2/0x2890
    SYSC_finit_module+0xd7/0xf0
    SyS_finit_module+0x9/0x10
    entry_SYSCALL_64_fastpath+0x23/0xc2

    Fixes: commit 8abfa9e22683 ("scsi: qla2xxx: Add function call to qpair for door bell")
    Signed-off-by: Bart Van Assche
    Cc: Quinn Tran
    Cc: Himanshu Madhani
    Acked-by: Himanshu Madhani
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Greg Kroah-Hartman

    Bart Van Assche
     

04 Nov, 2017

1 commit

  • Pull SCSI fix from James Bottomley:
    "One minor fix in the error leg of the qla2xxx driver (it oopses the
    system if we get an error trying to start the internal kernel thread).

    The fix is minor because the problem isn't often encountered in the
    field (although it can be induced by inserting the module in a low
    memory environment)"

    * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
    scsi: qla2xxx: Fix oops in qla2x00_probe_one error path

    Linus Torvalds