Re: [PATCH 10/31] Avoid that scsi_exit_rq() triggers a use-after-free

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Dereferencing shost from scsi_exit_rq() is not safe because the
> SCSI host may already have been freed when scsi_exit_rq() is
> called. Increasing the shost reference count in scsi_init_rq()
> and dropping that reference in scsi_exit_rq() is nontrivial since
> scsi_host_dev_release() may sleep and since scsi_exit_rq() may
> be called from interrupt context. Since scsi_exit_rq() only needs
> a single bit from shost, copy that bit into struct scsi_cmnd.
> 
> Reported-by: Scott Bauer 
> Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct 
> request")
> Signed-off-by: Bart Van Assche 
> Cc: Scott Bauer 
> Cc: Christoph Hellwig 
> Cc: Jan Kara 
> Cc: Hannes Reinecke 
> Cc: 
> ---
>  drivers/scsi/scsi_lib.c  | 43 +--
>  include/scsi/scsi_cmnd.h |  1 +
>  2 files changed, 26 insertions(+), 18 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 09/31] block: Avoid that blk_exit_rl() triggers a use-after-free

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Since the introduction of the .init_rq_fn() and .exit_rq_fn() it
> is essential that the memory allocated for struct request_queue
> stays around until all blk_exit_rl() calls have finished. Hence
> make blk_init_rl() take a reference on struct request_queue.
> 
> This patch fixes the following crash:
> 
> general protection fault:  [#2] SMP
> CPU: 3 PID: 28 Comm: ksoftirqd/3 Tainted: G  D 4.12.0-rc2-dbg+ #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
> 1.0.0-prebuilt.qemu-project.org 04/01/2014
> task: 88013a108040 task.stack: c971c000
> RIP: 0010:free_request_size+0x1a/0x30
> RSP: 0018:c971fd38 EFLAGS: 00010202
> RAX: 6b6b6b6b6b6b6b6b RBX: 880067362a88 RCX: 0003
> RDX: 880067464178 RSI: 880067362a88 RDI: 880135ea4418
> RBP: c971fd40 R08:  R09: 000100180009
> R10: c971fd38 R11: 81110800 R12: 88006752d3d8
> R13: 88006752d3d8 R14: 88013a108040 R15: 000a
> FS:  () GS:88013fd8() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7fa8ec1edb00 CR3: 000138ee8000 CR4: 001406e0
> Call Trace:
>  mempool_destroy.part.10+0x21/0x40
>  mempool_destroy+0xe/0x10
>  blk_exit_rl+0x12/0x20
>  blkg_free+0x4d/0xa0
>  __blkg_release_rcu+0x59/0x170
>  rcu_process_callbacks+0x260/0x4e0
>  __do_softirq+0x116/0x250
>  smpboot_thread_fn+0x123/0x1e0
>  kthread+0x109/0x140
>  ret_from_fork+0x31/0x40
> 
> Fixes: commit e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of 
> struct request")
> Signed-off-by: Bart Van Assche 
> Cc: Jens Axboe 
> Cc: Christoph Hellwig 
> Cc: Tejun Heo 
> Cc: Jan Kara 
> Cc: Hannes Reinecke 
> Cc:  # v4.11+
> ---
>  block/blk-cgroup.c |  2 +-
>  block/blk-core.c   | 10 --
>  block/blk-sysfs.c  |  2 +-
>  block/blk.h|  2 +-
>  4 files changed, 11 insertions(+), 5 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 08/31] sd, sr: Convert two assignments into warning statements

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Before scsi_prep_fn() calls the ULP .init_command() callback
> function it stores the SCSI command pointer in request.special.
> This means that the SCpnt = rq->special assignments in the sd
> and sr drivers assign a pointer to itself. Hence convert these
> two assignment statements into warning statements.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Christoph Hellwig 
> Cc: Hannes Reinecke 
> Cc: Johannes Thumshirn 
> ---
>  drivers/scsi/sd.c | 2 +-
>  drivers/scsi/sr.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 07/31] scsi: Use blk_mq_rq_to_pdu() to convert a request to a SCSI command pointer

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Since commit e9c787e65c0c ("scsi: allocate scsi_cmnd structures as
> part of struct request") struct request and struct scsi_cmnd are
> adjacent. This means that there is now an alternative to reading
> req->special to convert a pointer to a prepared request into a
> SCSI command pointer, namely by using blk_mq_rq_to_pdu(). Make
> this change where appropriate. Although this patch does not
> change any functionality, it slightly improves performance and
> slightly improves readability.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Christoph Hellwig 
> Cc: Hannes Reinecke 
> Cc: Johannes Thumshirn 
> ---
>  drivers/scsi/scsi_error.c |  2 +-
>  drivers/scsi/scsi_lib.c   | 18 +-
>  include/scsi/scsi_tcq.h   |  2 +-
>  3 files changed, 11 insertions(+), 11 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 06/31] scmd_eh_abort_handler(): Add a comment

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> After the patch that introduced this function was posted on the
> linux-scsi mailing list an explanation was posted why this patch
> is correct. Since that explanation contains important information,
> add a summary of it above the code that explanation applies to.
> See also http://www.spinics.net/lists/linux-scsi/msg106326.html.
> 
> References: e494f6a72839 ("[SCSI] improve eh timeout handler")
> Signed-off-by: Bart Van Assche 
> Cc: Hannes Reinecke 
> ---
>  drivers/scsi/scsi_error.c | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
> index ac3196420435..19cafa3efb17 100644
> --- a/drivers/scsi/scsi_error.c
> +++ b/drivers/scsi/scsi_error.c
> @@ -116,6 +116,12 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
> *shost)
>  /**
>   * scmd_eh_abort_handler - Handle command aborts
>   * @work:command to be aborted.
> + *
> + * Note: this function must be called only for a command that has timed out.
> + * Because the block layer sets REQ_ATOM_COMPLETE before it calls
> + * scsi_times_out(), any .scsi_done() calls from the LLD for commands that
> + * have timed out do not have any effect. Hence it is safe to call
> + * scsi_finish_command() from this function.
>   */
>  void
>  scmd_eh_abort_handler(struct work_struct *work)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 05/31] Make __scsi_remove_device go straight from BLOCKED to DEL

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> If a device is blocked, make __scsi_remove_device() cause it to
> transition to the DEL state. This means that all the commands
> issued in .shutdown() will error in the mid-layer, thus making
> the removal proceed without being stopped.
> 
> This patch is a slightly modified version of a patch from James
> Bottomley. This patch avoids that the following lockup occurs:
> 
> Call Trace:
>  schedule+0x35/0x80
>  schedule_timeout+0x237/0x2d0
>  io_schedule_timeout+0xa6/0x110
>  wait_for_completion_io+0xa3/0x110
>  blk_execute_rq+0xdf/0x120
>  scsi_execute+0xce/0x150 [scsi_mod]
>  scsi_execute_req_flags+0x8f/0xf0 [scsi_mod]
>  sd_sync_cache+0xa9/0x190 [sd_mod]
>  sd_shutdown+0x6a/0x100 [sd_mod]
>  sd_remove+0x64/0xc0 [sd_mod]
>  __device_release_driver+0x8d/0x120
>  device_release_driver+0x1e/0x30
>  bus_remove_device+0xf9/0x170
>  device_del+0x127/0x240
>  __scsi_remove_device+0xc1/0xd0 [scsi_mod]
>  scsi_forget_host+0x57/0x60 [scsi_mod]
>  scsi_remove_host+0x72/0x110 [scsi_mod]
>  srp_remove_work+0x8b/0x200 [ib_srp]
> 
> Reported-by: Israel Rukshin 
> Signed-off-by: Bart Van Assche 
> Cc: James Bottomley 
> Cc: Israel Rukshin 
> Cc: Max Gurtovoy 
> Cc: Hannes Reinecke 
> Cc: Benjamin Block 
> ---
>  drivers/scsi/scsi_lib.c   |  2 +-
>  drivers/scsi/scsi_sysfs.c | 13 +
>  2 files changed, 14 insertions(+), 1 deletion(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 04/31] Introduce scsi_start_queue()

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> This patch does not change any functionality.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Israel Rukshin 
> Cc: Max Gurtovoy 
> Cc: Hannes Reinecke 
> Cc: Benjamin Block 
> ---
>  drivers/scsi/scsi_lib.c  | 25 +++--
>  drivers/scsi/scsi_priv.h |  1 +
>  2 files changed, 16 insertions(+), 10 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 03/31] Protect SCSI device state changes with a mutex

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Enable this mechanism for all scsi_target_*block() callers but not
> for the scsi_internal_device_unblock() calls from the mpt3sas driver
> because that driver can call scsi_internal_device_unblock() from
> atomic context.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Christoph Hellwig 
> Cc: Hannes Reinecke 
> Cc: Johannes Thumshirn 
> ---
>  drivers/scsi/scsi_error.c |  8 +++-
>  drivers/scsi/scsi_lib.c   | 27 +--
>  drivers/scsi/scsi_scan.c  | 16 +---
>  drivers/scsi/scsi_sysfs.c | 24 +++-
>  drivers/scsi/scsi_transport_srp.c |  7 ---
>  drivers/scsi/sd.c |  7 +--
>  include/scsi/scsi_device.h|  1 +
>  7 files changed, 66 insertions(+), 24 deletions(-)
> 
[ .. ]
> diff --git a/drivers/scsi/scsi_transport_srp.c 
> b/drivers/scsi/scsi_transport_srp.c
> index 3c5d89852e9f..f617021c94f7 100644
> --- a/drivers/scsi/scsi_transport_srp.c
> +++ b/drivers/scsi/scsi_transport_srp.c
> @@ -554,11 +554,12 @@ int srp_reconnect_rport(struct srp_rport *rport)
>* invoking scsi_target_unblock() won't change the state of
>* these devices into running so do that explicitly.
>*/
> - spin_lock_irq(shost->host_lock);
> - __shost_for_each_device(sdev, shost)
> + shost_for_each_device(sdev, shost) {
> + mutex_lock(>state_mutex);
>   if (sdev->sdev_state == SDEV_OFFLINE)
>   sdev->sdev_state = SDEV_RUNNING;
> - spin_unlock_irq(shost->host_lock);
> + mutex_unlock(>state_mutex);
> + }
>   } else if (rport->state == SRP_RPORT_RUNNING) {
>   /*
>* srp_reconnect_rport() has been invoked with fast_io_fail
Why do you drop the host lock here? I thought that the host lock is
needed to protect shost_for_each_device()?

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 02/31] Create two versions of scsi_internal_device_unblock()

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> This will make it easier to serialize SCSI device state changes
> through a mutex.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Christoph Hellwig 
> Cc: Hannes Reinecke 
> Cc: Johannes Thumshirn 
> Cc: Sreekanth Reddy 
> ---
>  drivers/scsi/mpt3sas/mpt3sas_scsih.c |  4 ++--
>  drivers/scsi/scsi_lib.c  | 46 
> +---
>  include/scsi/scsi_device.h   |  4 ++--
>  3 files changed, 36 insertions(+), 18 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 01/31] Split scsi_internal_device_block()

[Hannes Reinecke]

On 05/24/2017 02:33 AM, Bart Van Assche wrote:
> Instead of passing a "wait" argument to scsi_internal_device_block(),
> split this function into a function that waits and a function that
> doesn't wait. This will make it easier to serialize SCSI device state
> changes through a mutex.
> 
> Signed-off-by: Bart Van Assche 
> Cc: Christoph Hellwig 
> Cc: Hannes Reinecke 
> Cc: Johannes Thumshirn 
> Cc: Sreekanth Reddy 
> ---
>  drivers/scsi/mpt3sas/mpt3sas_scsih.c |  4 +-
>  drivers/scsi/scsi_lib.c  | 73 
> +++-
>  include/scsi/scsi_device.h   |  2 +-
>  3 files changed, 50 insertions(+), 29 deletions(-)
> 
Reviewed-by: Hannes Reinecke 

Cheers,

Hannes
-- 
Dr. Hannes ReineckeTeamlead Storage & Networking
h...@suse.de   +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)

Re: [PATCH 00/31] SCSI patches for kernel v4.13.

[Bart Van Assche]

On Tue, 2017-05-23 at 21:55 -0600, Jens Axboe wrote:
> On 05/23/2017 06:33 PM, Bart Van Assche wrote:
> > Hello Martin,
> > 
> > This patch series consists of the bug fixes I came up with during
> > the past two months. Please consider these patches for kernel v4.13.
> 
> Ehm, last I checked the block patches hadn't been reviewed/signed-off
> by anyone else. We still have that init addition in the hot path for
> request initialization, as Christoph pointed out.
> 
> So let's hold off on this a bit, at least on the block parts, until
> we have things properly signed off.

Hi Jens,

In case this wouldn't be clear, I fully agree with you that your approval
is required for the block layer patches. It's because there are several
block layer patches in this series that I have Cc-ed the block layer
mailing list for the whole series.

Bart.

Re: [PATCH 00/31] SCSI patches for kernel v4.13.

[Jens Axboe]

On 05/23/2017 06:33 PM, Bart Van Assche wrote:
> Hello Martin,
> 
> This patch series consists of the bug fixes I came up with during
> the past two months. Please consider these patches for kernel v4.13.

Ehm, last I checked the block patches hadn't been reviewed/signed-off
by anyone else. We still have that init addition in the hot path for
request initialization, as Christoph pointed out.

So let's hold off on this a bit, at least on the block parts, until
we have things properly signed off.

-- 
Jens Axboe

Re: [PATCH] ibmvscsis: Enable Logical Partition Migration Support

[Nicholas A. Bellinger]

On Tue, 2017-05-16 at 17:49 -0500, Bryant G. Ly wrote:
> From: Michael Cyr 
> 
> Changes to support a new mechanism from phyp to better synchronize the
> logical partition migration (LPM) of the client partition.
> This includes a new VIOCTL to register that we support this new
> functionality, and 2 new Transport Event types, and finally another
> new VIOCTL to let phyp know once we're ready for the Suspend.
> 
> Signed-off-by: Michael Cyr 
> Signed-off-by: Bryant G. Ly 
> ---
>  drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 148 
> ---
>  drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.h |  25 +-
>  drivers/scsi/ibmvscsi_tgt/libsrp.h   |   5 +-
>  3 files changed, 162 insertions(+), 16 deletions(-)
> 

Applied to target-pending/for-next.

Thanks Bryant & Co.

Re: [PATCH] target: remove dead code

[Nicholas A. Bellinger]

On Thu, 2017-05-11 at 13:39 -0700, Tyrel Datwyler wrote:
> On 05/09/2017 02:46 PM, Gustavo A. R. Silva wrote:
> > Local variable _ret_ is assigned to a constant value and it is never
> > updated again. Remove this variable and the dead code it guards.
> > 
> > Addresses-Coverity-ID: 140761
> > Signed-off-by: Gustavo A. R. Silva 
> > ---
> 
> Reviewed-by: Tyrel Datwyler 
> 

Applied to target-pending/for-next.

Thanks Gustavo + Tyrel.

Re: Need help with handling failed ATA pass-through command and sense data

[mail1]

Sorry, I don't have the experience to do this quickly. I'm out of practice 
building a kernel and will need time to re-learn a few things.

Can you please update the bug report and ask for someone else to try it? In the 
mean time, I'll do what I can.

--GeekGirl1

On 05/23/2017 02:34 PM, Alan Stern wrote:

On Thu, 18 May 2017, Ewan D. Milne wrote:


On Thu, 2017-05-18 at 13:37 -0400, Alan Stern wrote:

I had completely forgotten about this code.  :-(

Looks like you put your finger on the source of the problem.  So if the
device sends back essentially empty sense data (SK = No Sense, ASC =
ASCQ = 0), but the USB transport indicates command failure, how should
we inform the SCSI core in a way that won't cause infinite retries or
obnoxious log messages?

Should we be doing a better job of detecting empty sense data -- that
is, do we need to check for non-empty ATA status?

Or has the SCSI core improved so that it no longer does infinite
retries (see commit f1a0743bc0e7 "USB: storage: When a device returns
no sense data, call it a Hardware Error" and Bugzilla entry #14118),
meaning that this code can be removed entirely?

Alan Stern

We added:

commit ee60b2c52ec8ecdcbcd2f85cc117b525f649441f
Author: Eiichi Tsukata 
Date:   Tue Feb 11 14:29:52 2014 +0900

 [SCSI] Add timeout to avoid infinite command retry

but this may not give you the behavior you want, because it bounds
the execution time to (# of retries + 1) * timeout.  So if you get
an immediate error return it could still take a while for this code
to give up retrying, i.e. it does not have the same properties as
your commit f1a0743bc0e7.

I suppose you could decode the ATA Status Return sense data descriptor
but I don't know how good the compliance is among all the ATA devices.
Table 177 in section 1.2.2.8 of SAT-4 r06 seems to say that most of
the fields in the sense data are unspecified for ATA PASS-THROUGH
commands, so this probably explains why you see nothing else useful.
Perhaps the logging should be delegated to the USB or ATA code for
these commands, since they are not really part of SCSI?

I have seen a case of a Fibre Channel array returning all zeroes
in the sense data, but this was because it was malfunctioning.

All right, suppose we don't return DID_ERROR and don't call it a
hardware error.  I don't know if this will help at all, and I don't
know if it will cause any regressions.

GeekGirl1, can you try applying the patch below to see if it makes any
difference?  If you don't know how, I will attach it to the Bugzilla
report so somebody else can try it.

Alan Stern




Index: usb-4.x/drivers/usb/storage/transport.c
===
--- usb-4.x.orig/drivers/usb/storage/transport.c
+++ usb-4.x/drivers/usb/storage/transport.c
@@ -835,6 +835,7 @@ Retry_Sense:
srb->result = SAM_STAT_GOOD;
srb->sense_buffer[0] = 0x0;
  
+#if 0

/*
 * If there was a problem, report an unspecified
 * hardware error to prevent the higher layers from
@@ -846,6 +847,7 @@ Retry_Sense:
srb->sense_buffer[1] = HARDWARE_ERROR;
else
srb->sense_buffer[2] = HARDWARE_ERROR;
+#endif
}
}
}

Re: [PATCH] scsi: libcxgbi: fix skb use after free

[Martin K. Petersen]

Varun,

> skb->data is assigned to task->hdr in cxgbi_conn_alloc_pdu(),
> skb gets freed after tx but task->hdr is still dereferenced in
> iscsi_tcp_task_xmit() to avoid this call skb_get() after allocating
> skb and free the skb in cxgbi_cleanup_task() or before allocating new
> skb in cxgbi_conn_alloc_pdu().

Applied to 4.12/scsi-fixes, thank you!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] lpfc: nvmet_fc: fix format string

[Martin K. Petersen]

Arnd,

> The lpfc_nvmeio_data() tracing helper always takes a format string and
> three additional arguments. The latest caller has a format string with
> only two integer arguments, causing this harmless warning:

James?

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] qla2xxx: don't disable a not previously enabled PCI device

[Martin K. Petersen]

Johannes,

> When pci_enable_device() or pci_enable_device_mem() fail in
> qla2x00_probe_one() we bail out but do a call to
> pci_disable_device(). This causes the dev_WARN_ON() in
> pci_disable_device() to trigger, as the device wasn't enabled
> previously.
>
> So instead of taking the 'probe_out' error path we can directly return
> *iff* one of the pci_enable_device() calls fails.
>
> Additionally rename the 'probe_out' goto label's name to the more
> descriptive 'disable_device'.
>
> Signed-off-by: Johannes Thumshirn 
> Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure 
> refactoring")

Himanshu/Quinn: Please review!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH 00/15] qedf: Update driver to version 8.18.22.0.

[Martin K. Petersen]

Chad,

> Please apply the following patches to the scsi tree at your earliest
> convenience.

Reviewers wanted!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH 00/31] SCSI patches for kernel v4.13.

[Martin K. Petersen]

Bart,

> This patch series consists of the bug fixes I came up with during the
> past two months. Please consider these patches for kernel v4.13.

I'll have some time tomorrow to go through these.

It would be nice is somebody else would step up to review as well.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH 00/25] qla2xxx: Bug fixes and cleanups

[Martin K. Petersen]

Himanshu,

> This series contains bug fixes and cleanups for the driver that we
> posted in 4.11.

In that case, please tag the fixes patches with:

Cc:  # 4.11+

> Patches 1-10 needs to go in 4.12.0-rcX. Rest of the patches can be
> queued to for-next branch.  Please let me know if the series is okay
> to be included in 4.12.0-rcX. if we are too late for big series in rcX
> then would you please queue patches 10-25 for 4.13/scsi-queue.

Patches 1-10 look innocuous enough that they should be OK. Patch
descriptions could be better, though. Please repost these ASAP.

11-25 are less critical. We still have a couple of weeks left for "big
things" in the 4.13 submission window.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH 0/7]qedi: Bug fixes.

[Martin K. Petersen]

Manish,

> Please apply this patch set to next 'scsi-fixes' series.

Applied to 4.12/scsi-fixes. Thank you!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] qla2xxx: Remove an unused structure member

[Martin K. Petersen]

Bart,

> qla_tgt_cmd.free_work is not used by the qla2xxx driver. Hence remove
> that member of struct qla_tgt_cmd.

Applied to 4.13/scsi-queue. Thanks, Bart!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] scsi: hisi_sas: add null check before indirect pointer dereference

[Martin K. Petersen]

Gustavo A.,

> Add null check before indirectly dereferencing pointer task->lldd_task
> in statement u32 tag = slot->idx;

Applied to 4.13/scsi-queue. Thanks!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH 1/2] scsi: nsp32: add __printf attribute to logging functions

[Martin K. Petersen]

Joe,

> On Sat, 2017-05-20 at 13:16 +0200, Nicolas Iooss wrote:
>> nsp32_message() and nsp32_dmessage() use printf format strings in order
>> to format a message. Adding __printf attributes helps to detect errors
>> in such format strings at build time, like:

> Does anyone actually have or use these cards any longer?

I doubt it.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH v2] Use ctlr directly in rdac_failover_get()

[Martin K. Petersen]

Artem,

> rdac_failover_get references struct rdac_controller as
> ctlr->ms_sdev->handler_data->ctlr for no apparent reason. Besides being
> inefficient this also introduces a null-pointer dereference as
> send_mode_select() sets ctlr->ms_sdev to NULL before calling
> rdac_failover_get():

Applied to 4.12/scsi-fixes. Thank you!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] scsi: smartpqi: mark PM functions as __maybe_unused

[Martin K. Petersen]

Arnd,

> The newly added suspend/resume support causes harmless warnings when
> CONFIG_PM is disabled:

> We can avoid the warnings by removing the #ifdef around the handlers
> and instead marking them as __maybe_unused, which will let gcc drop
> the unused code silently.

Applied to 4.13/scsi-queue. Thank you!

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] csiostor: Avoid content leaks and casts

[Martin K. Petersen]

Kees,

> When copying attributes, the len argument was padded out and the
> resulting memcpy() would copy beyond the end of the source buffer.
> Avoid this, and use size_t for val_len to avoid all the
> casts. Similarly, avoid source buffer casts and use void *.
>
> Additionally enforces val_len can be represented by u16 and that the
> DMA buffer was not overflowed. Fixes the size of mfa, which is not
> FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN (but it will be padded up to
> 4). This was noticed by the future CONFIG_FORTIFY_SOURCE checks.

Applied to 4.13/scsi-queue, thanks!

-- 
Martin K. Petersen  Oracle Linux Engineering

[PATCH 13/31] pktcdvd: Check queue type before attaching to a queue

[Bart Van Assche]

Since the pktcdvd driver only supports request queues for which
struct scsi_request is the first member of their private request
data, refuse to register block layer queues for which struct
scsi_request is not the first member of the private data.

References: commit 82ed4db499b8 ("block: split scsi_request out of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-bl...@vger.kernel.org
---
 drivers/block/pktcdvd.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 205b865ebeb9..b8ce55d7911d 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2583,6 +2583,11 @@ static int pkt_new_dev(struct pktcdvd_device *pd, dev_t 
dev)
bdev = bdget(dev);
if (!bdev)
return -ENOMEM;
+   if (!blk_queue_scsi_sup(bdev_get_queue(bdev))) {
+   WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
+   bdput(bdev);
+   return -EINVAL;
+   }
ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
if (ret)
return ret;
-- 
2.12.2

[PATCH 28/31] scsi_setup_fs_cmnd(): Call scsi_req_init() instead of open-coding it

[Bart Van Assche]

The only functional change is that this patch causes scsi_setup_fs_cmnd()
to clear scsi_request.sense_len.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 612bf6c201dc..2d680d8ea80f 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1211,8 +1211,8 @@ static int scsi_setup_fs_cmnd(struct scsi_device *sdev, 
struct request *req)
return ret;
}
 
-   cmd->cmnd = scsi_req(req)->cmd = scsi_req(req)->__cmd;
-   memset(cmd->cmnd, 0, BLK_MAX_CDB);
+   scsi_req_init(>req);
+   cmd->cmnd = scsi_req(req)->cmd;
return scsi_cmd_to_driver(cmd)->init_command(cmd);
 }
 
-- 
2.12.2

[PATCH 22/31] scsi: Inline scsi_init_command()

[Bart Van Assche]

The two drivers that use the per-device command list, namely aacraid
and dpt_i2o, expect that that list contains only SCSI commands and
no task management functions. Hence only call scsi_add_cmd_to_list()
from the block layer prep callback functions and not from
scsi_ioctl_reset().

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_error.c |  1 -
 drivers/scsi/scsi_lib.c   | 10 ++
 drivers/scsi/scsi_priv.h  |  1 -
 3 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index e2e614e990a8..374dea0885f6 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -2293,7 +2293,6 @@ scsi_ioctl_reset(struct scsi_device *dev, int __user *arg)
blk_rq_init(dev->request_queue, rq);
 
scmd = (struct scsi_cmnd *)(rq + 1);
-   scsi_init_command(dev, scmd);
scmd->request = rq;
scmd->cmnd = scsi_req(rq)->cmd;
 
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index d2e6b4c14e35..359f824ab78c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1170,13 +1170,6 @@ static void scsi_initialize_rq(struct request *rq)
cmd->jiffies_at_alloc = jiffies;
 }
 
-/* Called after a request has been started. */
-void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd)
-{
-   memset(scsi_cmd_priv(cmd), 0, dev->host->hostt->cmd_size);
-   scsi_add_cmd_to_list(cmd);
-}
-
 static int scsi_setup_scsi_cmnd(struct scsi_device *sdev, struct request *req)
 {
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
@@ -1347,7 +1340,8 @@ static int scsi_prep_fn(struct request_queue *q, struct 
request *req)
goto out;
}
 
-   scsi_init_command(sdev, cmd);
+   memset(scsi_cmd_priv(cmd), 0, dev->host->hostt->cmd_size);
+   scsi_add_cmd_to_list(cmd);
req->special = cmd;
}
 
diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
index c11c1f9c912c..67d1550d8b64 100644
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -30,7 +30,6 @@ extern void scsi_exit_hosts(void);
 /* scsi.c */
 extern bool scsi_use_blk_mq;
 int scsi_init_sense_cache(struct Scsi_Host *shost);
-void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd);
 #ifdef CONFIG_SCSI_LOGGING
 void scsi_log_send(struct scsi_cmnd *cmd);
 void scsi_log_completion(struct scsi_cmnd *cmd, int disposition);
-- 
2.12.2

[PATCH 23/31] scsi: Move sense buffer pointer initialization into scsi_initialize_rq()

[Bart Van Assche]

This patch is a preparation for the next patch that will zero
the struct scsi_request embedded in struct scsi_cmnd before
calling scsi_req_init().

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 359f824ab78c..10c6adb208dc 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1164,6 +1164,7 @@ static void scsi_initialize_rq(struct request *rq)
   sizeof(*cmd) - sizeof(cmd->req));
scsi_req_init(>req);
cmd->device = dev;
+   cmd->req.sense = cmd->sense_buffer;
cmd->sense_buffer = buf;
cmd->prot_sdb = prot;
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
@@ -2025,7 +2026,6 @@ static int scsi_init_request(struct blk_mq_tag_set *set, 
struct request *rq,
GFP_KERNEL, numa_node);
if (!cmd->sense_buffer)
return -ENOMEM;
-   cmd->req.sense = cmd->sense_buffer;
return 0;
 }
 
@@ -2123,7 +2123,6 @@ static int scsi_init_rq(struct request_queue *q, struct 
request *rq, gfp_t gfp)
NUMA_NO_NODE);
if (!cmd->sense_buffer)
goto fail;
-   cmd->req.sense = cmd->sense_buffer;
 
if (scsi_host_get_prot(shost) >= SHOST_DIX_TYPE0_PROTECTION) {
cmd->prot_sdb = kmem_cache_zalloc(scsi_sdb_cache, gfp);
-- 
2.12.2

[PATCH 17/31] block: Introduce request_queue.initialize_rq_fn()

[Bart Van Assche]

Several block drivers need to initialize the driver-private data
after having called blk_get_request() and before .prep_rq_fn() is
called, e.g. when submitting a REQ_OP_SCSI_* request. Avoid that
that initialization code has to be repeated after every
blk_get_request() call by adding a new callback function to struct
request_queue.

Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-bl...@vger.kernel.org
---
 block/blk-core.c   | 3 +++
 block/blk-mq.c | 3 +++
 include/linux/blkdev.h | 4 
 3 files changed, 10 insertions(+)

diff --git a/block/blk-core.c b/block/blk-core.c
index 55a7b76db7c2..8a680f7bb168 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -126,6 +126,9 @@ void blk_rq_init(struct request_queue *q, struct request 
*rq)
rq->start_time = jiffies;
set_start_time_ns(rq);
rq->part = NULL;
+
+   if (q->initialize_rq_fn)
+   q->initialize_rq_fn(rq);
 }
 EXPORT_SYMBOL(blk_rq_init);
 
diff --git a/block/blk-mq.c b/block/blk-mq.c
index a69ad122ed66..2af43d4e5b96 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -241,6 +241,9 @@ void blk_mq_rq_ctx_init(struct request_queue *q, struct 
blk_mq_ctx *ctx,
rq->end_io_data = NULL;
rq->next_rq = NULL;
 
+   if (q->initialize_rq_fn)
+   q->initialize_rq_fn(rq);
+
ctx->rq_dispatched[op_is_sync(op)]++;
 }
 EXPORT_SYMBOL_GPL(blk_mq_rq_ctx_init);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 6416a5834b05..e3c03d429371 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -410,8 +410,12 @@ struct request_queue {
rq_timed_out_fn *rq_timed_out_fn;
dma_drain_needed_fn *dma_drain_needed;
lld_busy_fn *lld_busy_fn;
+   /* Called just after a request is allocated */
init_rq_fn  *init_rq_fn;
+   /* Called just before a request is freed */
exit_rq_fn  *exit_rq_fn;
+   /* Called from inside blk_get_request() */
+   void (*initialize_rq_fn)(struct request *rq);
 
const struct blk_mq_ops *mq_ops;
 
-- 
2.12.2

[PATCH 30/31] scsi: virtio: Remove code that zeroes driver-private command data

[Bart Van Assche]

Since the SCSI core zeroes driver-private command data, remove
that code from the virtio driver.

Signed-off-by: Bart Van Assche 
Cc: Michael S. Tsirkin 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/virtio_scsi.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index f8dbfeee6c63..dc2e97c543a5 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -547,7 +547,6 @@ static int virtscsi_queuecommand(struct virtio_scsi *vscsi,
dev_dbg(>device->sdev_gendev,
"cmd %p CDB: %#02x\n", sc, sc->cmnd[0]);
 
-   memset(cmd, 0, sizeof(*cmd));
cmd->sc = sc;
 
BUG_ON(sc->cmd_len > VIRTIO_SCSI_CDB_SIZE);
-- 
2.12.2

[PATCH 15/31] nfsd: Check private request size before submitting a SCSI request

[Bart Van Assche]

Since using scsi_req() is only allowed against request queues for
which struct scsi_request is the first member of their private
request data, refuse to submit SCSI commands against a queue for
which this is not the case.

References: commit 82ed4db499b8 ("block: split scsi_request out of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: J. Bruce Fields 
Cc: Jeff Layton 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-...@vger.kernel.org
Cc: linux-bl...@vger.kernel.org
---
 fs/nfsd/blocklayout.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c
index fb5213afc854..9ca0ca5efbc8 100644
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -219,6 +219,9 @@ static int nfsd4_scsi_identify_device(struct block_device 
*bdev,
u8 *buf, *d, type, assoc;
int error;
 
+   if (WARN_ON_ONCE(!blk_queue_scsi_sup(q)))
+   return -EINVAL;
+
buf = kzalloc(bufflen, GFP_KERNEL);
if (!buf)
return -ENOMEM;
-- 
2.12.2

[PATCH 18/31] block: Make scsi_req_init() calls implicit

[Bart Van Assche]

Instead of explicitly calling scsi_req_init(), let
blk_get_request() call that function from inside blk_rq_init().
Add an .initialize_rq_fn() callback function to the block drivers
that need it. Merge the IDE .init_rq_fn() function into
.initialize_rq_fn() because it is too small to keep it as a
separate function.

References: commit 82ed4db499b8 ("block: split scsi_request out of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-bl...@vger.kernel.org
---
 block/bsg.c|  1 -
 block/scsi_ioctl.c |  3 ---
 drivers/block/pktcdvd.c|  1 -
 drivers/cdrom/cdrom.c  |  1 -
 drivers/ide/ide-atapi.c|  2 --
 drivers/ide/ide-cd.c   |  1 -
 drivers/ide/ide-cd_ioctl.c |  1 -
 drivers/ide/ide-devsets.c  |  1 -
 drivers/ide/ide-disk.c |  1 -
 drivers/ide/ide-ioctls.c   |  2 --
 drivers/ide/ide-park.c |  2 --
 drivers/ide/ide-pm.c   |  2 --
 drivers/ide/ide-probe.c|  6 +++---
 drivers/ide/ide-tape.c |  1 -
 drivers/ide/ide-taskfile.c |  1 -
 drivers/scsi/osd/osd_initiator.c   |  2 --
 drivers/scsi/osst.c|  1 -
 drivers/scsi/scsi_error.c  |  1 -
 drivers/scsi/scsi_lib.c| 10 +-
 drivers/scsi/scsi_transport_sas.c  |  6 ++
 drivers/scsi/sg.c  |  2 --
 drivers/scsi/st.c  |  1 -
 drivers/target/target_core_pscsi.c |  2 --
 fs/nfsd/blocklayout.c  |  1 -
 24 files changed, 18 insertions(+), 34 deletions(-)

diff --git a/block/bsg.c b/block/bsg.c
index f7695bb141d9..3ca080be4c70 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -236,7 +236,6 @@ bsg_map_hdr(struct bsg_device *bd, struct sg_io_v4 *hdr, 
fmode_t has_write_perm)
rq = blk_get_request(q, op, GFP_KERNEL);
if (IS_ERR(rq))
return rq;
-   scsi_req_init(rq);
 
ret = blk_fill_sgv4_hdr_rq(q, rq, hdr, bd, has_write_perm);
if (ret)
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index 4a294a5f7fab..f96c51f5df40 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -326,7 +326,6 @@ static int sg_io(struct request_queue *q, struct gendisk 
*bd_disk,
if (IS_ERR(rq))
return PTR_ERR(rq);
req = scsi_req(rq);
-   scsi_req_init(rq);
 
if (hdr->cmd_len > BLK_MAX_CDB) {
req->cmd = kzalloc(hdr->cmd_len, GFP_KERNEL);
@@ -456,7 +455,6 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk 
*disk, fmode_t mode,
goto error_free_buffer;
}
req = scsi_req(rq);
-   scsi_req_init(rq);
 
cmdlen = COMMAND_SIZE(opcode);
 
@@ -542,7 +540,6 @@ static int __blk_send_generic(struct request_queue *q, 
struct gendisk *bd_disk,
rq = blk_get_request(q, REQ_OP_SCSI_OUT, __GFP_RECLAIM);
if (IS_ERR(rq))
return PTR_ERR(rq);
-   scsi_req_init(rq);
rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
scsi_req(rq)->cmd[0] = cmd;
scsi_req(rq)->cmd[4] = data;
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index b8ce55d7911d..08e3e2fb649b 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -707,7 +707,6 @@ static int pkt_generic_packet(struct pktcdvd_device *pd, 
struct packet_command *
 REQ_OP_SCSI_OUT : REQ_OP_SCSI_IN, __GFP_RECLAIM);
if (IS_ERR(rq))
return PTR_ERR(rq);
-   scsi_req_init(rq);
 
if (cgc->buflen) {
ret = blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen,
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 070568d496dc..e643c9d7beec 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2199,7 +2199,6 @@ static int cdrom_read_cdda_bpc(struct cdrom_device_info 
*cdi, __u8 __user *ubuf,
break;
}
req = scsi_req(rq);
-   scsi_req_init(rq);
 
ret = blk_rq_map_user(q, rq, NULL, ubuf, len, GFP_KERNEL);
if (ret) {
diff --git a/drivers/ide/ide-atapi.c b/drivers/ide/ide-atapi.c
index 5901937284e7..7edebe0fb1eb 100644
--- a/drivers/ide/ide-atapi.c
+++ b/drivers/ide/ide-atapi.c
@@ -93,7 +93,6 @@ int ide_queue_pc_tail(ide_drive_t *drive, struct gendisk 
*disk,
int error;
 
rq = blk_get_request(drive->queue, REQ_OP_DRV_IN, __GFP_RECLAIM);
-   scsi_req_init(rq);
ide_req(rq)->type = ATA_PRIV_MISC;
rq->special = (char *)pc;
 
@@ -200,7 +199,6 @@ void ide_prep_sense(ide_drive_t *drive, struct request *rq)
memset(sense, 0, sizeof(*sense));
 
blk_rq_init(rq->q, sense_rq);
-   scsi_req_init(sense_rq);
 
err = blk_rq_map_kern(drive->queue, sense_rq, sense, sense_len,
 

[PATCH 25/31] scsi-mq: Make behavior scsi_mq_prep_fn() closer to that of scsi_prep_fn()

[Bart Van Assche]

Instead of clearing most of struct scsi_cmnd and reinitializing
it, rely on scsi_initialize_rq() for initialization of struct
scsi_cmnd. This patch fixes a bug, namely that it avoids that
jiffies_at_alloc gets overwritten if a request is requeued.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 12 +---
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 4b24c45fa113..12fd2bb0fe9c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1861,27 +1861,17 @@ static int scsi_mq_prep_fn(struct request *req)
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
struct scsi_device *sdev = req->q->queuedata;
struct Scsi_Host *shost = sdev->host;
-   unsigned char *sense_buf = cmd->sense_buffer;
struct scatterlist *sg;
 
-   /* zero out the cmd, except for the embedded scsi_request */
-   memset((char *)cmd + sizeof(cmd->req), 0,
-   sizeof(*cmd) - sizeof(cmd->req) + shost->hostt->cmd_size);
+   memset(scsi_cmd_priv(cmd), 0, shost->hostt->cmd_size);
 
req->special = cmd;
 
cmd->request = req;
-   cmd->device = sdev;
-   cmd->sense_buffer = sense_buf;
 
cmd->tag = req->tag;
-
cmd->prot_op = SCSI_PROT_NORMAL;
 
-   INIT_LIST_HEAD(>list);
-   INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
-   cmd->jiffies_at_alloc = jiffies;
-
scsi_add_cmd_to_list(cmd);
 
sg = (void *)cmd + sizeof(struct scsi_cmnd) + shost->hostt->cmd_size;
-- 
2.12.2

[PATCH 09/31] block: Avoid that blk_exit_rl() triggers a use-after-free

[Bart Van Assche]

Since the introduction of the .init_rq_fn() and .exit_rq_fn() it
is essential that the memory allocated for struct request_queue
stays around until all blk_exit_rl() calls have finished. Hence
make blk_init_rl() take a reference on struct request_queue.

This patch fixes the following crash:

general protection fault:  [#2] SMP
CPU: 3 PID: 28 Comm: ksoftirqd/3 Tainted: G  D 4.12.0-rc2-dbg+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.0.0-prebuilt.qemu-project.org 04/01/2014
task: 88013a108040 task.stack: c971c000
RIP: 0010:free_request_size+0x1a/0x30
RSP: 0018:c971fd38 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6b6b RBX: 880067362a88 RCX: 0003
RDX: 880067464178 RSI: 880067362a88 RDI: 880135ea4418
RBP: c971fd40 R08:  R09: 000100180009
R10: c971fd38 R11: 81110800 R12: 88006752d3d8
R13: 88006752d3d8 R14: 88013a108040 R15: 000a
FS:  () GS:88013fd8() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fa8ec1edb00 CR3: 000138ee8000 CR4: 001406e0
Call Trace:
 mempool_destroy.part.10+0x21/0x40
 mempool_destroy+0xe/0x10
 blk_exit_rl+0x12/0x20
 blkg_free+0x4d/0xa0
 __blkg_release_rcu+0x59/0x170
 rcu_process_callbacks+0x260/0x4e0
 __do_softirq+0x116/0x250
 smpboot_thread_fn+0x123/0x1e0
 kthread+0x109/0x140
 ret_from_fork+0x31/0x40

Fixes: commit e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of 
struct request")
Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Tejun Heo 
Cc: Jan Kara 
Cc: Hannes Reinecke 
Cc:  # v4.11+
---
 block/blk-cgroup.c |  2 +-
 block/blk-core.c   | 10 --
 block/blk-sysfs.c  |  2 +-
 block/blk.h|  2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 7c2947128f58..0480892e97e5 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -74,7 +74,7 @@ static void blkg_free(struct blkcg_gq *blkg)
blkcg_policy[i]->pd_free_fn(blkg->pd[i]);
 
if (blkg->blkcg != _root)
-   blk_exit_rl(>rl);
+   blk_exit_rl(blkg->q, >rl);
 
blkg_rwstat_exit(>stat_ios);
blkg_rwstat_exit(>stat_bytes);
diff --git a/block/blk-core.c b/block/blk-core.c
index c7068520794b..55a7b76db7c2 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -648,13 +648,19 @@ int blk_init_rl(struct request_list *rl, struct 
request_queue *q,
if (!rl->rq_pool)
return -ENOMEM;
 
+   if (rl != >root_rl)
+   blk_get_queue(q);
+
return 0;
 }
 
-void blk_exit_rl(struct request_list *rl)
+void blk_exit_rl(struct request_queue *q, struct request_list *rl)
 {
-   if (rl->rq_pool)
+   if (rl->rq_pool) {
mempool_destroy(rl->rq_pool);
+   if (rl != >root_rl)
+   blk_put_queue(q);
+   }
 }
 
 struct request_queue *blk_alloc_queue(gfp_t gfp_mask)
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index 504fee940052..2ff8842f0dc1 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -809,7 +809,7 @@ static void blk_release_queue(struct kobject *kobj)
 
blk_free_queue_stats(q->stats);
 
-   blk_exit_rl(>root_rl);
+   blk_exit_rl(q, >root_rl);
 
if (q->queue_tags)
__blk_queue_free_tags(q);
diff --git a/block/blk.h b/block/blk.h
index 2ed70228e44f..83c8e1100525 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -59,7 +59,7 @@ void blk_free_flush_queue(struct blk_flush_queue *q);
 
 int blk_init_rl(struct request_list *rl, struct request_queue *q,
gfp_t gfp_mask);
-void blk_exit_rl(struct request_list *rl);
+void blk_exit_rl(struct request_queue *q, struct request_list *rl);
 void blk_rq_bio_prep(struct request_queue *q, struct request *rq,
struct bio *bio);
 void blk_queue_bypass_start(struct request_queue *q);
-- 
2.12.2

[PATCH 19/31] scsi: Change argument type of scsi_req_init()

[Bart Van Assche]

Since scsi_req_init() works on a struct scsi_request, change the
argument type into struct scsi_request *.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 block/scsi_ioctl.c| 10 +++---
 drivers/ide/ide-probe.c   |  2 +-
 drivers/scsi/scsi_lib.c   |  4 +++-
 drivers/scsi/scsi_transport_sas.c |  2 +-
 include/scsi/scsi_request.h   |  2 +-
 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index f96c51f5df40..7440de44dd85 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -741,10 +741,14 @@ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t 
mode,
 }
 EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
 
-void scsi_req_init(struct request *rq)
+/**
+ * scsi_req_init - initialize certain fields of a scsi_request structure
+ * @req: Pointer to a scsi_request structure.
+ * Initializes .__cmd[], .cmd, .cmd_len and .sense_len but no other members
+ * of struct scsi_request.
+ */
+void scsi_req_init(struct scsi_request *req)
 {
-   struct scsi_request *req = scsi_req(rq);
-
memset(req->__cmd, 0, sizeof(req->__cmd));
req->cmd = req->__cmd;
req->cmd_len = BLK_MAX_CDB;
diff --git a/drivers/ide/ide-probe.c b/drivers/ide/ide-probe.c
index 6b979f27584c..c5c4050f5bbc 100644
--- a/drivers/ide/ide-probe.c
+++ b/drivers/ide/ide-probe.c
@@ -745,7 +745,7 @@ static void ide_initialize_rq(struct request *rq)
 {
struct ide_request *req = blk_mq_rq_to_pdu(rq);
 
-   scsi_req_init(rq);
+   scsi_req_init(>sreq);
req->sreq.sense = req->sense;
 }
 
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 01ddf05e741e..31d2b9cd20e5 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1135,7 +1135,9 @@ EXPORT_SYMBOL(scsi_init_io);
 /* Called from inside blk_get_request() */
 static void scsi_initialize_rq(struct request *rq)
 {
-   scsi_req_init(rq);
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
+
+   scsi_req_init(>req);
 }
 
 /* Called after a request has been started. */
diff --git a/drivers/scsi/scsi_transport_sas.c 
b/drivers/scsi/scsi_transport_sas.c
index 2512242812d6..7c3c7682569d 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -215,7 +215,7 @@ static void sas_host_release(struct device *dev)
 
 static void sas_initialize_rq(struct request *rq)
 {
-   scsi_req_init(rq);
+   scsi_req_init(scsi_req(rq));
 }
 
 static int sas_bsg_initialize(struct Scsi_Host *shost, struct sas_rphy *rphy)
diff --git a/include/scsi/scsi_request.h b/include/scsi/scsi_request.h
index f0c76f9dc285..e0afa445ee4e 100644
--- a/include/scsi/scsi_request.h
+++ b/include/scsi/scsi_request.h
@@ -27,6 +27,6 @@ static inline void scsi_req_free_cmd(struct scsi_request *req)
kfree(req->cmd);
 }
 
-void scsi_req_init(struct request *);
+void scsi_req_init(struct scsi_request *req);
 
 #endif /* _SCSI_SCSI_REQUEST_H */
-- 
2.12.2

[PATCH 26/31] scsi: Move the code for clearing private command data into scsi_dispatch_cmd()

[Bart Van Assche]

This patch does not change any functionality but avoids duplication
of the code for clearing driver-private command data.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 12fd2bb0fe9c..f131964ecb51 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1339,7 +1339,6 @@ static int scsi_prep_fn(struct request_queue *q, struct 
request *req)
goto out;
}
 
-   memset(scsi_cmd_priv(cmd), 0, dev->host->hostt->cmd_size);
scsi_add_cmd_to_list(cmd);
req->special = cmd;
}
@@ -1677,6 +1676,8 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
 
}
 
+   memset(scsi_cmd_priv(cmd), 0, host->hostt->cmd_size);
+
trace_scsi_dispatch_cmd_start(cmd);
rtn = host->hostt->queuecommand(host, cmd);
if (rtn) {
@@ -1863,8 +1864,6 @@ static int scsi_mq_prep_fn(struct request *req)
struct Scsi_Host *shost = sdev->host;
struct scatterlist *sg;
 
-   memset(scsi_cmd_priv(cmd), 0, shost->hostt->cmd_size);
-
req->special = cmd;
 
cmd->request = req;
-- 
2.12.2

[PATCH 01/31] Split scsi_internal_device_block()

[Bart Van Assche]

Instead of passing a "wait" argument to scsi_internal_device_block(),
split this function into a function that waits and a function that
doesn't wait. This will make it easier to serialize SCSI device state
changes through a mutex.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Cc: Sreekanth Reddy 
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |  4 +-
 drivers/scsi/scsi_lib.c  | 73 +++-
 include/scsi/scsi_device.h   |  2 +-
 3 files changed, 50 insertions(+), 29 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c 
b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index a5d872664257..c63bc5ccce37 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -2859,7 +2859,7 @@ _scsih_internal_device_block(struct scsi_device *sdev,
sas_device_priv_data->sas_target->handle);
sas_device_priv_data->block = 1;
 
-   r = scsi_internal_device_block(sdev, false);
+   r = scsi_internal_device_block_nowait(sdev);
if (r == -EINVAL)
sdev_printk(KERN_WARNING, sdev,
"device_block failed with return(%d) for handle(0x%04x)\n",
@@ -2895,7 +2895,7 @@ _scsih_internal_device_unblock(struct scsi_device *sdev,
"performing a block followed by an unblock\n",
r, sas_device_priv_data->sas_target->handle);
sas_device_priv_data->block = 1;
-   r = scsi_internal_device_block(sdev, false);
+   r = scsi_internal_device_block_nowait(sdev);
if (r)
sdev_printk(KERN_WARNING, sdev, "retried device_block "
"failed with return(%d) for handle(0x%04x)\n",
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index e3f89b0e7027..74618f47a28e 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2932,28 +2932,20 @@ scsi_target_resume(struct scsi_target *starget)
 EXPORT_SYMBOL(scsi_target_resume);
 
 /**
- * scsi_internal_device_block - internal function to put a device temporarily 
into the SDEV_BLOCK state
- * @sdev:  device to block
- * @wait:  Whether or not to wait until ongoing .queuecommand() /
- * .queue_rq() calls have finished.
+ * scsi_internal_device_block_nowait - try to transition to the SDEV_BLOCK 
state
+ * @sdev: device to block
  *
- * Block request made by scsi lld's to temporarily stop all
- * scsi commands on the specified device. May sleep.
+ * Pause SCSI command processing on the specified device. Does not sleep.
  *
- * Returns zero if successful or error if not
+ * Returns zero if successful or a negative error code upon failure.
  *
- * Notes:   
- * This routine transitions the device to the SDEV_BLOCK state
- * (which must be a legal transition).  When the device is in this
- * state, all commands are deferred until the scsi lld reenables
- * the device with scsi_device_unblock or device_block_tmo fires.
- *
- * To do: avoid that scsi_send_eh_cmnd() calls queuecommand() after
- * scsi_internal_device_block() has blocked a SCSI device and also
- * remove the rport mutex lock and unlock calls from srp_queuecommand().
+ * Notes:
+ * This routine transitions the device to the SDEV_BLOCK state (which must be
+ * a legal transition). When the device is in this state, command processing
+ * is paused until the device leaves the SDEV_BLOCK state. See also
+ * scsi_internal_device_unblock_nowait().
  */
-int
-scsi_internal_device_block(struct scsi_device *sdev, bool wait)
+int scsi_internal_device_block_nowait(struct scsi_device *sdev)
 {
struct request_queue *q = sdev->request_queue;
unsigned long flags;
@@ -2973,21 +2965,50 @@ scsi_internal_device_block(struct scsi_device *sdev, 
bool wait)
 * request queue. 
 */
if (q->mq_ops) {
-   if (wait)
-   blk_mq_quiesce_queue(q);
-   else
-   blk_mq_stop_hw_queues(q);
+   blk_mq_stop_hw_queues(q);
} else {
spin_lock_irqsave(q->queue_lock, flags);
blk_stop_queue(q);
spin_unlock_irqrestore(q->queue_lock, flags);
-   if (wait)
-   scsi_wait_for_queuecommand(sdev);
}
 
return 0;
 }
-EXPORT_SYMBOL_GPL(scsi_internal_device_block);
+EXPORT_SYMBOL_GPL(scsi_internal_device_block_nowait);
+
+/**
+ * scsi_internal_device_block - try to transition to the SDEV_BLOCK state
+ * @sdev: device to block
+ *
+ * Pause SCSI command processing on the specified device and wait until all
+ * ongoing scsi_request_fn() / scsi_queue_rq() calls have finished. May sleep.
+ *
+ * Returns zero if successful or a negative error code upon failure.
+ *
+ * Note:
+ * This routine 

[PATCH 10/31] Avoid that scsi_exit_rq() triggers a use-after-free

[Bart Van Assche]

Dereferencing shost from scsi_exit_rq() is not safe because the
SCSI host may already have been freed when scsi_exit_rq() is
called. Increasing the shost reference count in scsi_init_rq()
and dropping that reference in scsi_exit_rq() is nontrivial since
scsi_host_dev_release() may sleep and since scsi_exit_rq() may
be called from interrupt context. Since scsi_exit_rq() only needs
a single bit from shost, copy that bit into struct scsi_cmnd.

Reported-by: Scott Bauer 
Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: Scott Bauer 
Cc: Christoph Hellwig 
Cc: Jan Kara 
Cc: Hannes Reinecke 
Cc: 
---
 drivers/scsi/scsi_lib.c  | 43 +--
 include/scsi/scsi_cmnd.h |  1 +
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 30a7900d331c..59400033aba8 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -44,23 +44,23 @@ static struct kmem_cache *scsi_sense_isadma_cache;
 static DEFINE_MUTEX(scsi_sense_cache_mutex);
 
 static inline struct kmem_cache *
-scsi_select_sense_cache(struct Scsi_Host *shost)
+scsi_select_sense_cache(bool unchecked_isa_dma)
 {
-   return shost->unchecked_isa_dma ?
-   scsi_sense_isadma_cache : scsi_sense_cache;
+   return unchecked_isa_dma ? scsi_sense_isadma_cache : scsi_sense_cache;
 }
 
-static void scsi_free_sense_buffer(struct Scsi_Host *shost,
-   unsigned char *sense_buffer)
+static void scsi_free_sense_buffer(bool unchecked_isa_dma,
+  unsigned char *sense_buffer)
 {
-   kmem_cache_free(scsi_select_sense_cache(shost), sense_buffer);
+   kmem_cache_free(scsi_select_sense_cache(unchecked_isa_dma),
+   sense_buffer);
 }
 
-static unsigned char *scsi_alloc_sense_buffer(struct Scsi_Host *shost,
+static unsigned char *scsi_alloc_sense_buffer(bool unchecked_isa_dma,
gfp_t gfp_mask, int numa_node)
 {
-   return kmem_cache_alloc_node(scsi_select_sense_cache(shost), gfp_mask,
-   numa_node);
+   return kmem_cache_alloc_node(scsi_select_sense_cache(unchecked_isa_dma),
+gfp_mask, numa_node);
 }
 
 int scsi_init_sense_cache(struct Scsi_Host *shost)
@@ -68,7 +68,7 @@ int scsi_init_sense_cache(struct Scsi_Host *shost)
struct kmem_cache *cache;
int ret = 0;
 
-   cache = scsi_select_sense_cache(shost);
+   cache = scsi_select_sense_cache(shost->unchecked_isa_dma);
if (cache)
return 0;
 
@@ -2003,10 +2003,13 @@ static int scsi_init_request(struct blk_mq_tag_set 
*set, struct request *rq,
unsigned int hctx_idx, unsigned int numa_node)
 {
struct Scsi_Host *shost = set->driver_data;
+   const bool unchecked_isa_dma = shost->unchecked_isa_dma;
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
 
-   cmd->sense_buffer =
-   scsi_alloc_sense_buffer(shost, GFP_KERNEL, numa_node);
+   if (unchecked_isa_dma)
+   cmd->flags |= SCMD_UNCHECKED_ISA_DMA;
+   cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma,
+   GFP_KERNEL, numa_node);
if (!cmd->sense_buffer)
return -ENOMEM;
cmd->req.sense = cmd->sense_buffer;
@@ -2016,10 +2019,10 @@ static int scsi_init_request(struct blk_mq_tag_set 
*set, struct request *rq,
 static void scsi_exit_request(struct blk_mq_tag_set *set, struct request *rq,
unsigned int hctx_idx)
 {
-   struct Scsi_Host *shost = set->driver_data;
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
 
-   scsi_free_sense_buffer(shost, cmd->sense_buffer);
+   scsi_free_sense_buffer(cmd->flags & SCMD_UNCHECKED_ISA_DMA,
+  cmd->sense_buffer);
 }
 
 static int scsi_map_queues(struct blk_mq_tag_set *set)
@@ -2092,11 +2095,15 @@ EXPORT_SYMBOL_GPL(__scsi_init_queue);
 static int scsi_init_rq(struct request_queue *q, struct request *rq, gfp_t gfp)
 {
struct Scsi_Host *shost = q->rq_alloc_data;
+   const bool unchecked_isa_dma = shost->unchecked_isa_dma;
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
 
memset(cmd, 0, sizeof(*cmd));
 
-   cmd->sense_buffer = scsi_alloc_sense_buffer(shost, gfp, NUMA_NO_NODE);
+   if (unchecked_isa_dma)
+   cmd->flags |= SCMD_UNCHECKED_ISA_DMA;
+   cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma, gfp,
+   NUMA_NO_NODE);
if (!cmd->sense_buffer)
goto fail;
cmd->req.sense = cmd->sense_buffer;
@@ -2110,19 +2117,19 @@ static int scsi_init_rq(struct request_queue *q, struct 
request *rq, 

[PATCH 12/31] bsg: Check queue type before attaching to a queue

[Bart Van Assche]

Since BSG only supports request queues for which struct scsi_request
is the first member of their private request data, refuse to register
block layer queues for which struct scsi_request is not the first
member of their private data.

References: commit bd1599d931ca ("scsi_transport_sas: fix BSG ioctl memory 
corruption")
References: commit 82ed4db499b8 ("block: split scsi_request out of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-bl...@vger.kernel.org
---
 block/bsg.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/block/bsg.c b/block/bsg.c
index 6fd08544d77e..f7695bb141d9 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -750,6 +750,12 @@ static struct bsg_device *bsg_add_device(struct inode 
*inode,
 #ifdef BSG_DEBUG
unsigned char buf[32];
 #endif
+
+   if (!blk_queue_scsi_sup(rq)) {
+   WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
+   return ERR_PTR(-EINVAL);
+   }
+
if (!blk_get_queue(rq))
return ERR_PTR(-ENXIO);
 
-- 
2.12.2

[PATCH 29/31] scsi: snic: Remove code that zeroes driver-private command data

[Bart Van Assche]

Since the SCSI core zeroes driver-private command data, remove
that code from the snic driver.

Signed-off-by: Bart Van Assche 
Cc: Narsimhulu Musini 
Cc: Sesidhar Baddela 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/snic/snic_scsi.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/scsi/snic/snic_scsi.c b/drivers/scsi/snic/snic_scsi.c
index da979a73baa0..05c3a7282d4a 100644
--- a/drivers/scsi/snic/snic_scsi.c
+++ b/drivers/scsi/snic/snic_scsi.c
@@ -359,8 +359,6 @@ snic_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd 
*sc)
SNIC_SCSI_DBG(shost, "sc %p Tag %d (sc %0x) lun %lld in snic_qcmd\n",
  sc, snic_cmd_tag(sc), sc->cmnd[0], sc->device->lun);
 
-   memset(scsi_cmd_priv(sc), 0, sizeof(struct snic_internal_io_state));
-
ret = snic_issue_scsi_req(snic, tgt, sc);
if (ret) {
SNIC_HOST_ERR(shost, "Failed to Q, Scsi Req w/ err %d.\n", ret);
-- 
2.12.2

[PATCH 31/31] xen/scsifront: Remove code that zeroes driver-private command data

[Bart Van Assche]

Since the SCSI core zeroes driver-private command data, remove
that code from the xen-scsifront driver.

Signed-off-by: Bart Van Assche 
Cc: Juergen Gross 
Cc: xen-de...@lists.xenproject.org
---
 drivers/scsi/xen-scsifront.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/scsi/xen-scsifront.c b/drivers/scsi/xen-scsifront.c
index a6a8b60d4902..36f59a1be7e9 100644
--- a/drivers/scsi/xen-scsifront.c
+++ b/drivers/scsi/xen-scsifront.c
@@ -534,7 +534,6 @@ static int scsifront_queuecommand(struct Scsi_Host *shost,
int err;
 
sc->result = 0;
-   memset(shadow, 0, sizeof(*shadow));
 
shadow->sc  = sc;
shadow->act = VSCSIIF_ACT_SCSI_CDB;
-- 
2.12.2

[PATCH 20/31] scsi: Only add commands to the device command list if required by the LLD

[Bart Van Assche]

Just like for the scsi-mq code path, in the single queue SCSI code
path only add commands to the per-device command list if required
by the SCSI LLD. This patch will make it easier to merge the
single-queue and multiqueue command initialization code.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi.c  |  9 +
 drivers/scsi/scsi_lib.c  | 52 +---
 drivers/scsi/scsi_priv.h |  2 ++
 3 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index 7bfbcfa7af40..485684aafb9b 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -108,14 +108,7 @@ EXPORT_SYMBOL(scsi_sd_pm_domain);
  */
 void scsi_put_command(struct scsi_cmnd *cmd)
 {
-   unsigned long flags;
-
-   /* serious error if the command hasn't come from a device list */
-   spin_lock_irqsave(>device->list_lock, flags);
-   BUG_ON(list_empty(>list));
-   list_del_init(>list);
-   spin_unlock_irqrestore(>device->list_lock, flags);
-
+   scsi_del_cmd_from_list(cmd);
BUG_ON(delayed_work_pending(>abort_work));
 }
 
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 31d2b9cd20e5..5e2f26524475 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -582,19 +582,9 @@ static void scsi_mq_free_sgtables(struct scsi_cmnd *cmd)
 
 static void scsi_mq_uninit_cmd(struct scsi_cmnd *cmd)
 {
-   struct scsi_device *sdev = cmd->device;
-   struct Scsi_Host *shost = sdev->host;
-   unsigned long flags;
-
scsi_mq_free_sgtables(cmd);
scsi_uninit_cmd(cmd);
-
-   if (shost->use_cmd_list) {
-   BUG_ON(list_empty(>list));
-   spin_lock_irqsave(>list_lock, flags);
-   list_del_init(>list);
-   spin_unlock_irqrestore(>list_lock, flags);
-   }
+   scsi_del_cmd_from_list(cmd);
 }
 
 /*
@@ -1132,6 +1122,35 @@ int scsi_init_io(struct scsi_cmnd *cmd)
 }
 EXPORT_SYMBOL(scsi_init_io);
 
+/* Add a command to the list used by the aacraid and dpt_i2o drivers */
+void scsi_add_cmd_to_list(struct scsi_cmnd *cmd)
+{
+   struct scsi_device *sdev = cmd->device;
+   struct Scsi_Host *shost = sdev->host;
+   unsigned long flags;
+
+   if (shost->use_cmd_list) {
+   spin_lock_irqsave(>list_lock, flags);
+   list_add_tail(>list, >cmd_list);
+   spin_unlock_irqrestore(>list_lock, flags);
+   }
+}
+
+/* Remove a command from the list used by the aacraid and dpt_i2o drivers */
+void scsi_del_cmd_from_list(struct scsi_cmnd *cmd)
+{
+   struct scsi_device *sdev = cmd->device;
+   struct Scsi_Host *shost = sdev->host;
+   unsigned long flags;
+
+   if (shost->use_cmd_list) {
+   spin_lock_irqsave(>list_lock, flags);
+   BUG_ON(list_empty(>list));
+   list_del_init(>list);
+   spin_unlock_irqrestore(>list_lock, flags);
+   }
+}
+
 /* Called from inside blk_get_request() */
 static void scsi_initialize_rq(struct request *rq)
 {
@@ -1145,7 +1164,6 @@ void scsi_init_command(struct scsi_device *dev, struct 
scsi_cmnd *cmd)
 {
void *buf = cmd->sense_buffer;
void *prot = cmd->prot_sdb;
-   unsigned long flags;
 
/* zero out the cmd, except for the embedded scsi_request */
memset((char *)cmd + sizeof(cmd->req), 0,
@@ -1157,9 +1175,7 @@ void scsi_init_command(struct scsi_device *dev, struct 
scsi_cmnd *cmd)
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
cmd->jiffies_at_alloc = jiffies;
 
-   spin_lock_irqsave(>list_lock, flags);
-   list_add_tail(>list, >cmd_list);
-   spin_unlock_irqrestore(>list_lock, flags);
+   scsi_add_cmd_to_list(cmd);
 }
 
 static int scsi_setup_scsi_cmnd(struct scsi_device *sdev, struct request *req)
@@ -1874,11 +1890,7 @@ static int scsi_mq_prep_fn(struct request *req)
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
cmd->jiffies_at_alloc = jiffies;
 
-   if (shost->use_cmd_list) {
-   spin_lock_irq(>list_lock);
-   list_add_tail(>list, >cmd_list);
-   spin_unlock_irq(>list_lock);
-   }
+   scsi_add_cmd_to_list(cmd);
 
sg = (void *)cmd + sizeof(struct scsi_cmnd) + shost->hostt->cmd_size;
cmd->sdb.table.sgl = sg;
diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
index f86057842f9a..c11c1f9c912c 100644
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -80,6 +80,8 @@ int scsi_eh_get_sense(struct list_head *work_q,
 int scsi_noretry_cmd(struct scsi_cmnd *scmd);
 
 /* scsi_lib.c */
+extern void scsi_add_cmd_to_list(struct scsi_cmnd *cmd);
+extern void scsi_del_cmd_from_list(struct scsi_cmnd *cmd);
 extern int scsi_maybe_unblock_host(struct scsi_device *sdev);
 extern void scsi_device_unbusy(struct scsi_device 

[PATCH 04/31] Introduce scsi_start_queue()

[Bart Van Assche]

This patch does not change any functionality.

Signed-off-by: Bart Van Assche 
Cc: Israel Rukshin 
Cc: Max Gurtovoy 
Cc: Hannes Reinecke 
Cc: Benjamin Block 
---
 drivers/scsi/scsi_lib.c  | 25 +++--
 drivers/scsi/scsi_priv.h |  1 +
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 3d82cbe605cd..0ee5c2133e4c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -3019,6 +3019,20 @@ static int scsi_internal_device_block(struct scsi_device 
*sdev)
return err;
 }
  
+void scsi_start_queue(struct scsi_device *sdev)
+{
+   struct request_queue *q = sdev->request_queue;
+   unsigned long flags;
+
+   if (q->mq_ops) {
+   blk_mq_start_stopped_hw_queues(q, false);
+   } else {
+   spin_lock_irqsave(q->queue_lock, flags);
+   blk_start_queue(q);
+   spin_unlock_irqrestore(q->queue_lock, flags);
+   }
+}
+
 /**
  * scsi_internal_device_unblock_nowait - resume a device after a block request
  * @sdev:  device to resume
@@ -3037,9 +3051,6 @@ static int scsi_internal_device_block(struct scsi_device 
*sdev)
 int scsi_internal_device_unblock_nowait(struct scsi_device *sdev,
enum scsi_device_state new_state)
 {
-   struct request_queue *q = sdev->request_queue; 
-   unsigned long flags;
-
/*
 * Try to transition the scsi device to SDEV_RUNNING or one of the
 * offlined states and goose the device queue if successful.
@@ -3057,13 +3068,7 @@ int scsi_internal_device_unblock_nowait(struct 
scsi_device *sdev,
 sdev->sdev_state != SDEV_OFFLINE)
return -EINVAL;
 
-   if (q->mq_ops) {
-   blk_mq_start_stopped_hw_queues(q, false);
-   } else {
-   spin_lock_irqsave(q->queue_lock, flags);
-   blk_start_queue(q);
-   spin_unlock_irqrestore(q->queue_lock, flags);
-   }
+   scsi_start_queue(sdev);
 
return 0;
 }
diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
index 59ebc1795bb3..f86057842f9a 100644
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -88,6 +88,7 @@ extern void scsi_run_host_queues(struct Scsi_Host *shost);
 extern void scsi_requeue_run_queue(struct work_struct *work);
 extern struct request_queue *scsi_alloc_queue(struct scsi_device *sdev);
 extern struct request_queue *scsi_mq_alloc_queue(struct scsi_device *sdev);
+extern void scsi_start_queue(struct scsi_device *sdev);
 extern int scsi_mq_setup_tags(struct Scsi_Host *shost);
 extern void scsi_mq_destroy_tags(struct Scsi_Host *shost);
 extern int scsi_init_queue(void);
-- 
2.12.2

[PATCH 21/31] scsi: Move most of scsi_init_command() into scsi_initialize_rq()

[Bart Van Assche]

Move the initializations that only have to be performed once and
not every time a request is prepared from scsi_init_command()
into scsi_initialize_rq(). This patch also moves the
jiffies_at_alloc assignment such that it gets back the meaning it
had before commit e9c787e65c0c, namely the value of the jiffies
counter at request allocation time.

Fixes: commit e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of 
struct request")
Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 17 -
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 5e2f26524475..d2e6b4c14e35 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1155,26 +1155,25 @@ void scsi_del_cmd_from_list(struct scsi_cmnd *cmd)
 static void scsi_initialize_rq(struct request *rq)
 {
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
-
-   scsi_req_init(>req);
-}
-
-/* Called after a request has been started. */
-void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd)
-{
+   struct scsi_device *dev = rq->q->queuedata;
void *buf = cmd->sense_buffer;
void *prot = cmd->prot_sdb;
 
/* zero out the cmd, except for the embedded scsi_request */
memset((char *)cmd + sizeof(cmd->req), 0,
-   sizeof(*cmd) - sizeof(cmd->req) + dev->host->hostt->cmd_size);
-
+  sizeof(*cmd) - sizeof(cmd->req));
+   scsi_req_init(>req);
cmd->device = dev;
cmd->sense_buffer = buf;
cmd->prot_sdb = prot;
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
cmd->jiffies_at_alloc = jiffies;
+}
 
+/* Called after a request has been started. */
+void scsi_init_command(struct scsi_device *dev, struct scsi_cmnd *cmd)
+{
+   memset(scsi_cmd_priv(cmd), 0, dev->host->hostt->cmd_size);
scsi_add_cmd_to_list(cmd);
 }
 
-- 
2.12.2

[PATCH 08/31] sd, sr: Convert two assignments into warning statements

[Bart Van Assche]

Before scsi_prep_fn() calls the ULP .init_command() callback
function it stores the SCSI command pointer in request.special.
This means that the SCpnt = rq->special assignments in the sd
and sr drivers assign a pointer to itself. Hence convert these
two assignment statements into warning statements.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
---
 drivers/scsi/sd.c | 2 +-
 drivers/scsi/sr.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index aea55f5afed0..916f6e9dac18 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -990,7 +990,7 @@ static int sd_setup_read_write_cmnd(struct scsi_cmnd *SCpnt)
ret = scsi_init_io(SCpnt);
if (ret != BLKPREP_OK)
goto out;
-   SCpnt = rq->special;
+   WARN_ON_ONCE(SCpnt != rq->special);
 
/* from here on until we're complete, any goto out
 * is used for a killable error condition */
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index a8f630213a1a..9be34d37c356 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -393,7 +393,7 @@ static int sr_init_command(struct scsi_cmnd *SCpnt)
ret = scsi_init_io(SCpnt);
if (ret != BLKPREP_OK)
goto out;
-   SCpnt = rq->special;
+   WARN_ON_ONCE(SCpnt != rq->special);
cd = scsi_cd(rq->rq_disk);
 
/* from here on until we're complete, any goto out
-- 
2.12.2

[PATCH 14/31] cdrom: Check private request size before attaching to a queue

[Bart Van Assche]

Since the cdrom driver only supports request queues for which
struct scsi_request is the first member of their private request
data, refuse to register block layer queues for which this is
not the case.

References: commit 82ed4db499b8 ("block: split scsi_request out of struct 
request")
Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
Cc: linux-bl...@vger.kernel.org
---
 drivers/cdrom/cdrom.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 76c952fd9ab9..070568d496dc 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -594,6 +594,10 @@ int register_cdrom(struct cdrom_device_info *cdi)
 
if (cdo->open == NULL || cdo->release == NULL)
return -EINVAL;
+   if (!blk_queue_scsi_sup(cdi->disk->queue)) {
+   WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
+   return -EINVAL;
+   }
if (!banner_printed) {
pr_info("Uniform CD-ROM driver " REVISION "\n");
banner_printed = 1;
-- 
2.12.2

[PATCH 24/31] scsi: Make scsi_initialize_rq() zero the entire struct scsi_cmnd

[Bart Van Assche]

This simplifies the memset() call in scsi_initialize_rq() and avoids
that any stale data is left behind in struct scsi_request.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_lib.c | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 10c6adb208dc..4b24c45fa113 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1159,12 +1159,10 @@ static void scsi_initialize_rq(struct request *rq)
void *buf = cmd->sense_buffer;
void *prot = cmd->prot_sdb;
 
-   /* zero out the cmd, except for the embedded scsi_request */
-   memset((char *)cmd + sizeof(cmd->req), 0,
-  sizeof(*cmd) - sizeof(cmd->req));
+   memset(cmd, 0, sizeof(*cmd));
scsi_req_init(>req);
cmd->device = dev;
-   cmd->req.sense = cmd->sense_buffer;
+   cmd->req.sense = buf;
cmd->sense_buffer = buf;
cmd->prot_sdb = prot;
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
-- 
2.12.2

[PATCH 05/31] Make __scsi_remove_device go straight from BLOCKED to DEL

[Bart Van Assche]

If a device is blocked, make __scsi_remove_device() cause it to
transition to the DEL state. This means that all the commands
issued in .shutdown() will error in the mid-layer, thus making
the removal proceed without being stopped.

This patch is a slightly modified version of a patch from James
Bottomley. This patch avoids that the following lockup occurs:

Call Trace:
 schedule+0x35/0x80
 schedule_timeout+0x237/0x2d0
 io_schedule_timeout+0xa6/0x110
 wait_for_completion_io+0xa3/0x110
 blk_execute_rq+0xdf/0x120
 scsi_execute+0xce/0x150 [scsi_mod]
 scsi_execute_req_flags+0x8f/0xf0 [scsi_mod]
 sd_sync_cache+0xa9/0x190 [sd_mod]
 sd_shutdown+0x6a/0x100 [sd_mod]
 sd_remove+0x64/0xc0 [sd_mod]
 __device_release_driver+0x8d/0x120
 device_release_driver+0x1e/0x30
 bus_remove_device+0xf9/0x170
 device_del+0x127/0x240
 __scsi_remove_device+0xc1/0xd0 [scsi_mod]
 scsi_forget_host+0x57/0x60 [scsi_mod]
 scsi_remove_host+0x72/0x110 [scsi_mod]
 srp_remove_work+0x8b/0x200 [ib_srp]

Reported-by: Israel Rukshin 
Signed-off-by: Bart Van Assche 
Cc: James Bottomley 
Cc: Israel Rukshin 
Cc: Max Gurtovoy 
Cc: Hannes Reinecke 
Cc: Benjamin Block 
---
 drivers/scsi/scsi_lib.c   |  2 +-
 drivers/scsi/scsi_sysfs.c | 13 +
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 0ee5c2133e4c..5c6874cf4388 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2613,7 +2613,6 @@ scsi_device_set_state(struct scsi_device *sdev, enum 
scsi_device_state state)
case SDEV_QUIESCE:
case SDEV_OFFLINE:
case SDEV_TRANSPORT_OFFLINE:
-   case SDEV_BLOCK:
break;
default:
goto illegal;
@@ -2627,6 +2626,7 @@ scsi_device_set_state(struct scsi_device *sdev, enum 
scsi_device_state state)
case SDEV_OFFLINE:
case SDEV_TRANSPORT_OFFLINE:
case SDEV_CANCEL:
+   case SDEV_BLOCK:
case SDEV_CREATED_BLOCK:
break;
default:
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index a91537a3abbf..1f243ac16010 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1290,7 +1290,20 @@ void __scsi_remove_device(struct scsi_device *sdev)
 * wait until it has finished before changing the device state.
 */
mutex_lock(>state_mutex);
+   /*
+* If blocked, we go straight to DEL and restart the queue so
+* any commands issued during driver shutdown (like sync
+* cache) are errored immediately.
+*/
res = scsi_device_set_state(sdev, SDEV_CANCEL);
+   if (res != 0) {
+   res = scsi_device_set_state(sdev, SDEV_DEL);
+   if (res == 0) {
+   scsi_start_queue(sdev);
+   sdev_printk(KERN_DEBUG, sdev,
+   "Changed state from BLOCKED to DEL\n");
+   }
+   }
mutex_unlock(>state_mutex);
 
if (res != 0)
-- 
2.12.2

[PATCH 16/31] scsi: Make scsi_ioctl_reset() pass the request queue pointer to blk_rq_init()

[Bart Van Assche]

A later patch will add a call to a request initialization function
into blk_rq_init(). Hence make sure that all blk_rq_init() calls
specify the request queue pointer. Since TMF callback functions in
SCSI LLD drivers do not use request.q, this patch does not change
the behavior of any SCSI driver.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_error.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 7ba5f988426c..bbcc269f0ec1 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -2286,7 +2286,12 @@ scsi_ioctl_reset(struct scsi_device *dev, int __user 
*arg)
shost->hostt->cmd_size, GFP_KERNEL);
if (!rq)
goto out_put_autopm_host;
-   blk_rq_init(NULL, rq);
+   /*
+* Although blk_rq_init() is intended for single queue block
+* drivers, this code path even uses blk_rq_init() when @dev is
+* a scsi-mq device.
+*/
+   blk_rq_init(dev->request_queue, rq);
 
scmd = (struct scsi_cmnd *)(rq + 1);
scsi_init_command(dev, scmd);
-- 
2.12.2

[PATCH 11/31] block: Introduce queue flag QUEUE_FLAG_SCSI_SUP

[Bart Van Assche]

>From the context where a SCSI command is submitted it is not always
possible to figure out whether or not the queue the command is
submitted to has struct scsi_request as the first member of its
private data. Hence introduce the flag QUEUE_FLAG_SCSI_SUP.

Signed-off-by: Bart Van Assche 
Cc: Jens Axboe 
Cc: Christoph Hellwig 
Cc: Omar Sandoval 
Cc: Hannes Reinecke 
---
 block/bsg-lib.c   | 1 +
 drivers/block/cciss.c | 1 +
 drivers/ide/ide-probe.c   | 1 +
 drivers/scsi/scsi_lib.c   | 2 ++
 drivers/scsi/scsi_transport_sas.c | 1 +
 include/linux/blkdev.h| 2 ++
 6 files changed, 8 insertions(+)

diff --git a/block/bsg-lib.c b/block/bsg-lib.c
index 0a23dbba2d30..420ac014b49c 100644
--- a/block/bsg-lib.c
+++ b/block/bsg-lib.c
@@ -246,6 +246,7 @@ struct request_queue *bsg_setup_queue(struct device *dev, 
char *name,
q->bsg_job_size = dd_job_size;
q->bsg_job_fn = job_fn;
queue_flag_set_unlocked(QUEUE_FLAG_BIDI, q);
+   queue_flag_set_unlocked(QUEUE_FLAG_SCSI_SUP, q);
blk_queue_softirq_done(q, bsg_softirq_done);
blk_queue_rq_timeout(q, BLK_DEFAULT_SG_TIMEOUT);
 
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index cd375503f7b0..9706718749e5 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1956,6 +1956,7 @@ static int cciss_add_disk(ctlr_info_t *h, struct gendisk 
*disk,
disk->queue->cmd_size = sizeof(struct scsi_request);
disk->queue->request_fn = do_cciss_request;
disk->queue->queue_lock = >lock;
+   queue_flag_set_unlocked(QUEUE_FLAG_SCSI_SUP, disk->queue);
if (blk_init_allocated_queue(disk->queue) < 0)
goto cleanup_queue;
 
diff --git a/drivers/ide/ide-probe.c b/drivers/ide/ide-probe.c
index 023562565d11..fdfa11f80dda 100644
--- a/drivers/ide/ide-probe.c
+++ b/drivers/ide/ide-probe.c
@@ -773,6 +773,7 @@ static int ide_init_queue(ide_drive_t *drive)
q->request_fn = do_ide_request;
q->init_rq_fn = ide_init_rq;
q->cmd_size = sizeof(struct ide_request);
+   queue_flag_set_unlocked(QUEUE_FLAG_SCSI_SUP, q);
if (blk_init_allocated_queue(q) < 0) {
blk_cleanup_queue(q);
return 1;
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 59400033aba8..4cecf82960b7 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2059,6 +2059,8 @@ void __scsi_init_queue(struct Scsi_Host *shost, struct 
request_queue *q)
 {
struct device *dev = shost->dma_dev;
 
+   queue_flag_set_unlocked(QUEUE_FLAG_SCSI_SUP, q);
+
/*
 * this limit is imposed by hardware restrictions
 */
diff --git a/drivers/scsi/scsi_transport_sas.c 
b/drivers/scsi/scsi_transport_sas.c
index 0ebe2f1bb908..e5eab2685ecf 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -264,6 +264,7 @@ static int sas_bsg_initialize(struct Scsi_Host *shost, 
struct sas_rphy *rphy)
q->queuedata = shost;
 
queue_flag_set_unlocked(QUEUE_FLAG_BIDI, q);
+   queue_flag_set_unlocked(QUEUE_FLAG_SCSI_SUP, q);
return 0;
 
 out_cleanup_queue:
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index b5d1e27631ee..6416a5834b05 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -618,6 +618,7 @@ struct request_queue {
 #define QUEUE_FLAG_STATS   27  /* track rq completion times */
 #define QUEUE_FLAG_POLL_STATS  28  /* collecting stats for hybrid polling 
*/
 #define QUEUE_FLAG_REGISTERED  29  /* queue has been registered to a disk 
*/
+#define QUEUE_FLAG_SCSI_SUP30  /* queue supports SCSI commands */
 
 #define QUEUE_FLAG_DEFAULT ((1 << QUEUE_FLAG_IO_STAT) |\
 (1 << QUEUE_FLAG_STACKABLE)|   \
@@ -708,6 +709,7 @@ static inline void queue_flag_clear(unsigned int flag, 
struct request_queue *q)
 #define blk_queue_secure_erase(q) \
(test_bit(QUEUE_FLAG_SECERASE, &(q)->queue_flags))
 #define blk_queue_dax(q)   test_bit(QUEUE_FLAG_DAX, &(q)->queue_flags)
+#define blk_queue_scsi_sup(q)  test_bit(QUEUE_FLAG_SCSI_SUP, &(q)->queue_flags)
 
 #define blk_noretry_request(rq) \
((rq)->cmd_flags & (REQ_FAILFAST_DEV|REQ_FAILFAST_TRANSPORT| \
-- 
2.12.2

[PATCH 00/31] SCSI patches for kernel v4.13.

[Bart Van Assche]

Hello Martin,

This patch series consists of the bug fixes I came up with during
the past two months. Please consider these patches for kernel v4.13.

Thanks,

Bart.

Bart Van Assche (31):
  Split scsi_internal_device_block()
  Create two versions of scsi_internal_device_unblock()
  Protect SCSI device state changes with a mutex
  Introduce scsi_start_queue()
  Make __scsi_remove_device go straight from BLOCKED to DEL
  scmd_eh_abort_handler(): Add a comment
  scsi: Use blk_mq_rq_to_pdu() to convert a request to a SCSI command
pointer
  sd, sr: Convert two assignments into warning statements
  block: Avoid that blk_exit_rl() triggers a use-after-free
  Avoid that scsi_exit_rq() triggers a use-after-free
  block: Introduce queue flag QUEUE_FLAG_SCSI_SUP
  bsg: Check queue type before attaching to a queue
  pktcdvd: Check queue type before attaching to a queue
  cdrom: Check private request size before attaching to a queue
  nfsd: Check private request size before submitting a SCSI request
  scsi: Make scsi_ioctl_reset() pass the request queue pointer to
blk_rq_init()
  block: Introduce request_queue.initialize_rq_fn()
  block: Make scsi_req_init() calls implicit
  scsi: Change argument type of scsi_req_init()
  scsi: Only add commands to the device command list if required by the
LLD
  scsi: Move most of scsi_init_command() into scsi_initialize_rq()
  scsi: Inline scsi_init_command()
  scsi: Move sense buffer pointer initialization into
scsi_initialize_rq()
  scsi: Make scsi_initialize_rq() zero the entire struct scsi_cmnd
  scsi-mq: Make behavior scsi_mq_prep_fn() closer to that of
scsi_prep_fn()
  scsi: Move the code for clearing private command data into
scsi_dispatch_cmd()
  scsi: Consolidate more initialization code
  scsi_setup_fs_cmnd(): Call scsi_req_init() instead of open-coding it
  scsi: snic: Remove code that zeroes driver-private command data
  scsi: virtio: Remove code that zeroes driver-private command data
  xen/scsifront: Remove code that zeroes driver-private command data

 block/blk-cgroup.c   |   2 +-
 block/blk-core.c |  13 +-
 block/blk-mq.c   |   3 +
 block/blk-sysfs.c|   2 +-
 block/blk.h  |   2 +-
 block/bsg-lib.c  |   1 +
 block/bsg.c  |   7 +-
 block/scsi_ioctl.c   |  13 +-
 drivers/block/cciss.c|   1 +
 drivers/block/pktcdvd.c  |   6 +-
 drivers/cdrom/cdrom.c|   5 +-
 drivers/ide/ide-atapi.c  |   2 -
 drivers/ide/ide-cd.c |   1 -
 drivers/ide/ide-cd_ioctl.c   |   1 -
 drivers/ide/ide-devsets.c|   1 -
 drivers/ide/ide-disk.c   |   1 -
 drivers/ide/ide-ioctls.c |   2 -
 drivers/ide/ide-park.c   |   2 -
 drivers/ide/ide-pm.c |   2 -
 drivers/ide/ide-probe.c  |   7 +-
 drivers/ide/ide-tape.c   |   1 -
 drivers/ide/ide-taskfile.c   |   1 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |   8 +-
 drivers/scsi/osd/osd_initiator.c |   2 -
 drivers/scsi/osst.c  |   1 -
 drivers/scsi/scsi.c  |   9 +-
 drivers/scsi/scsi_error.c|  26 ++-
 drivers/scsi/scsi_lib.c  | 327 +--
 drivers/scsi/scsi_priv.h |   4 +-
 drivers/scsi/scsi_scan.c |  16 +-
 drivers/scsi/scsi_sysfs.c|  37 +++-
 drivers/scsi/scsi_transport_sas.c|   7 +
 drivers/scsi/scsi_transport_srp.c|   7 +-
 drivers/scsi/sd.c|   9 +-
 drivers/scsi/sg.c|   2 -
 drivers/scsi/snic/snic_scsi.c|   2 -
 drivers/scsi/sr.c|   2 +-
 drivers/scsi/st.c|   1 -
 drivers/scsi/virtio_scsi.c   |   1 -
 drivers/scsi/xen-scsifront.c |   1 -
 drivers/target/target_core_pscsi.c   |   2 -
 fs/nfsd/blocklayout.c|   4 +-
 include/linux/blkdev.h   |   6 +
 include/scsi/scsi_cmnd.h |   1 +
 include/scsi/scsi_device.h   |   7 +-
 include/scsi/scsi_request.h  |   2 +-
 include/scsi/scsi_tcq.h  |   2 +-
 47 files changed, 345 insertions(+), 217 deletions(-)

-- 
2.12.2

[PATCH 02/31] Create two versions of scsi_internal_device_unblock()

[Bart Van Assche]

This will make it easier to serialize SCSI device state changes
through a mutex.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Cc: Sreekanth Reddy 
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |  4 ++--
 drivers/scsi/scsi_lib.c  | 46 +---
 include/scsi/scsi_device.h   |  4 ++--
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c 
b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index c63bc5ccce37..22998cbd538f 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -2883,7 +2883,7 @@ _scsih_internal_device_unblock(struct scsi_device *sdev,
sdev_printk(KERN_WARNING, sdev, "device_unblock and setting to running, 
"
"handle(0x%04x)\n", sas_device_priv_data->sas_target->handle);
sas_device_priv_data->block = 0;
-   r = scsi_internal_device_unblock(sdev, SDEV_RUNNING);
+   r = scsi_internal_device_unblock_nowait(sdev, SDEV_RUNNING);
if (r == -EINVAL) {
/* The device has been set to SDEV_RUNNING by SD layer during
 * device addition but the request queue is still stopped by
@@ -2902,7 +2902,7 @@ _scsih_internal_device_unblock(struct scsi_device *sdev,
r, sas_device_priv_data->sas_target->handle);
 
sas_device_priv_data->block = 0;
-   r = scsi_internal_device_unblock(sdev, SDEV_RUNNING);
+   r = scsi_internal_device_unblock_nowait(sdev, SDEV_RUNNING);
if (r)
sdev_printk(KERN_WARNING, sdev, "retried device_unblock"
" failed with return(%d) for handle(0x%04x)\n",
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 74618f47a28e..7ed71db8c38a 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -3011,24 +3011,22 @@ static int scsi_internal_device_block(struct 
scsi_device *sdev)
 }
  
 /**
- * scsi_internal_device_unblock - resume a device after a block request
+ * scsi_internal_device_unblock_nowait - resume a device after a block request
  * @sdev:  device to resume
- * @new_state: state to set devices to after unblocking
+ * @new_state: state to set the device to after unblocking
  *
- * Called by scsi lld's or the midlayer to restart the device queue
- * for the previously suspended scsi device.  Called from interrupt or
- * normal process context.
+ * Restart the device queue for a previously suspended SCSI device. Does not
+ * sleep.
  *
- * Returns zero if successful or error if not.
+ * Returns zero if successful or a negative error code upon failure.
  *
- * Notes:   
- * This routine transitions the device to the SDEV_RUNNING state
- * or to one of the offline states (which must be a legal transition)
- * allowing the midlayer to goose the queue for this device.
+ * Notes:
+ * This routine transitions the device to the SDEV_RUNNING state or to one of
+ * the offline states (which must be a legal transition) allowing the midlayer
+ * to goose the queue for this device.
  */
-int
-scsi_internal_device_unblock(struct scsi_device *sdev,
-enum scsi_device_state new_state)
+int scsi_internal_device_unblock_nowait(struct scsi_device *sdev,
+   enum scsi_device_state new_state)
 {
struct request_queue *q = sdev->request_queue; 
unsigned long flags;
@@ -3060,7 +3058,27 @@ scsi_internal_device_unblock(struct scsi_device *sdev,
 
return 0;
 }
-EXPORT_SYMBOL_GPL(scsi_internal_device_unblock);
+EXPORT_SYMBOL_GPL(scsi_internal_device_unblock_nowait);
+
+/**
+ * scsi_internal_device_unblock - resume a device after a block request
+ * @sdev:  device to resume
+ * @new_state: state to set the device to after unblocking
+ *
+ * Restart the device queue for a previously suspended SCSI device. May sleep.
+ *
+ * Returns zero if successful or a negative error code upon failure.
+ *
+ * Notes:
+ * This routine transitions the device to the SDEV_RUNNING state or to one of
+ * the offline states (which must be a legal transition) allowing the midlayer
+ * to goose the queue for this device.
+ */
+static int scsi_internal_device_unblock(struct scsi_device *sdev,
+   enum scsi_device_state new_state)
+{
+   return scsi_internal_device_unblock_nowait(sdev, new_state);
+}
 
 static void
 device_block(struct scsi_device *sdev, void *data)
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index 6ce6888f3c69..5f24dae2a8e1 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -473,8 +473,8 @@ static inline int scsi_device_created(struct scsi_device 
*sdev)
 }
 
 int scsi_internal_device_block_nowait(struct scsi_device 

[PATCH 03/31] Protect SCSI device state changes with a mutex

[Bart Van Assche]

Enable this mechanism for all scsi_target_*block() callers but not
for the scsi_internal_device_unblock() calls from the mpt3sas driver
because that driver can call scsi_internal_device_unblock() from
atomic context.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
---
 drivers/scsi/scsi_error.c |  8 +++-
 drivers/scsi/scsi_lib.c   | 27 +--
 drivers/scsi/scsi_scan.c  | 16 +---
 drivers/scsi/scsi_sysfs.c | 24 +++-
 drivers/scsi/scsi_transport_srp.c |  7 ---
 drivers/scsi/sd.c |  7 +--
 include/scsi/scsi_device.h|  1 +
 7 files changed, 66 insertions(+), 24 deletions(-)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index ecc07dab893d..ac3196420435 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -1628,11 +1628,17 @@ static void scsi_eh_offline_sdevs(struct list_head 
*work_q,
  struct list_head *done_q)
 {
struct scsi_cmnd *scmd, *next;
+   struct scsi_device *sdev;
 
list_for_each_entry_safe(scmd, next, work_q, eh_entry) {
sdev_printk(KERN_INFO, scmd->device, "Device offlined - "
"not ready after error recovery\n");
-   scsi_device_set_state(scmd->device, SDEV_OFFLINE);
+   sdev = scmd->device;
+
+   mutex_lock(>state_mutex);
+   scsi_device_set_state(sdev, SDEV_OFFLINE);
+   mutex_unlock(>state_mutex);
+
scsi_eh_finish_cmd(scmd, done_q);
}
return;
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 7ed71db8c38a..3d82cbe605cd 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2870,7 +2870,12 @@ static void scsi_wait_for_queuecommand(struct 
scsi_device *sdev)
 int
 scsi_device_quiesce(struct scsi_device *sdev)
 {
-   int err = scsi_device_set_state(sdev, SDEV_QUIESCE);
+   int err;
+
+   mutex_lock(>state_mutex);
+   err = scsi_device_set_state(sdev, SDEV_QUIESCE);
+   mutex_unlock(>state_mutex);
+
if (err)
return err;
 
@@ -2898,10 +2903,11 @@ void scsi_device_resume(struct scsi_device *sdev)
 * so assume the state is being managed elsewhere (for example
 * device deleted during suspend)
 */
-   if (sdev->sdev_state != SDEV_QUIESCE ||
-   scsi_device_set_state(sdev, SDEV_RUNNING))
-   return;
-   scsi_run_queue(sdev->request_queue);
+   mutex_lock(>state_mutex);
+   if (sdev->sdev_state == SDEV_QUIESCE &&
+   scsi_device_set_state(sdev, SDEV_RUNNING) == 0)
+   scsi_run_queue(sdev->request_queue);
+   mutex_unlock(>state_mutex);
 }
 EXPORT_SYMBOL(scsi_device_resume);
 
@@ -3000,6 +3006,7 @@ static int scsi_internal_device_block(struct scsi_device 
*sdev)
struct request_queue *q = sdev->request_queue;
int err;
 
+   mutex_lock(>state_mutex);
err = scsi_internal_device_block_nowait(sdev);
if (err == 0) {
if (q->mq_ops)
@@ -3007,6 +3014,8 @@ static int scsi_internal_device_block(struct scsi_device 
*sdev)
else
scsi_wait_for_queuecommand(sdev);
}
+   mutex_unlock(>state_mutex);
+
return err;
 }
  
@@ -3077,7 +3086,13 @@ EXPORT_SYMBOL_GPL(scsi_internal_device_unblock_nowait);
 static int scsi_internal_device_unblock(struct scsi_device *sdev,
enum scsi_device_state new_state)
 {
-   return scsi_internal_device_unblock_nowait(sdev, new_state);
+   int ret;
+
+   mutex_lock(>state_mutex);
+   ret = scsi_internal_device_unblock_nowait(sdev, new_state);
+   mutex_unlock(>state_mutex);
+
+   return ret;
 }
 
 static void
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index 6f7128f49c30..e6de4eee97a3 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -231,6 +231,7 @@ static struct scsi_device *scsi_alloc_sdev(struct 
scsi_target *starget,
sdev->id = starget->id;
sdev->lun = lun;
sdev->channel = starget->channel;
+   mutex_init(>state_mutex);
sdev->sdev_state = SDEV_CREATED;
INIT_LIST_HEAD(>siblings);
INIT_LIST_HEAD(>same_target_siblings);
@@ -943,16 +944,17 @@ static int scsi_add_lun(struct scsi_device *sdev, 
unsigned char *inq_result,
 
/* set the device running here so that slave configure
 * may do I/O */
+   mutex_lock(>state_mutex);
ret = scsi_device_set_state(sdev, SDEV_RUNNING);
-   if (ret) {
+   if (ret)
ret = scsi_device_set_state(sdev, SDEV_BLOCK);
+   mutex_unlock(>state_mutex);
 
-   if (ret) {
-   

[PATCH 06/31] scmd_eh_abort_handler(): Add a comment

[Bart Van Assche]

After the patch that introduced this function was posted on the
linux-scsi mailing list an explanation was posted why this patch
is correct. Since that explanation contains important information,
add a summary of it above the code that explanation applies to.
See also http://www.spinics.net/lists/linux-scsi/msg106326.html.

References: e494f6a72839 ("[SCSI] improve eh timeout handler")
Signed-off-by: Bart Van Assche 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_error.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index ac3196420435..19cafa3efb17 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -116,6 +116,12 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
*shost)
 /**
  * scmd_eh_abort_handler - Handle command aborts
  * @work:  command to be aborted.
+ *
+ * Note: this function must be called only for a command that has timed out.
+ * Because the block layer sets REQ_ATOM_COMPLETE before it calls
+ * scsi_times_out(), any .scsi_done() calls from the LLD for commands that
+ * have timed out do not have any effect. Hence it is safe to call
+ * scsi_finish_command() from this function.
  */
 void
 scmd_eh_abort_handler(struct work_struct *work)
-- 
2.12.2

[PATCH 07/31] scsi: Use blk_mq_rq_to_pdu() to convert a request to a SCSI command pointer

[Bart Van Assche]

Since commit e9c787e65c0c ("scsi: allocate scsi_cmnd structures as
part of struct request") struct request and struct scsi_cmnd are
adjacent. This means that there is now an alternative to reading
req->special to convert a pointer to a prepared request into a
SCSI command pointer, namely by using blk_mq_rq_to_pdu(). Make
this change where appropriate. Although this patch does not
change any functionality, it slightly improves performance and
slightly improves readability.

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
---
 drivers/scsi/scsi_error.c |  2 +-
 drivers/scsi/scsi_lib.c   | 18 +-
 include/scsi/scsi_tcq.h   |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 19cafa3efb17..7ba5f988426c 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -265,7 +265,7 @@ void scsi_eh_scmd_add(struct scsi_cmnd *scmd)
  */
 enum blk_eh_timer_return scsi_times_out(struct request *req)
 {
-   struct scsi_cmnd *scmd = req->special;
+   struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(req);
enum blk_eh_timer_return rtn = BLK_EH_NOT_HANDLED;
struct Scsi_Host *host = scmd->device->host;
 
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 5c6874cf4388..30a7900d331c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -637,7 +637,7 @@ static void scsi_release_bidi_buffers(struct scsi_cmnd *cmd)
 static bool scsi_end_request(struct request *req, int error,
unsigned int bytes, unsigned int bidi_bytes)
 {
-   struct scsi_cmnd *cmd = req->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
struct scsi_device *sdev = cmd->device;
struct request_queue *q = sdev->request_queue;
 
@@ -1156,7 +1156,7 @@ void scsi_init_command(struct scsi_device *dev, struct 
scsi_cmnd *cmd)
 
 static int scsi_setup_scsi_cmnd(struct scsi_device *sdev, struct request *req)
 {
-   struct scsi_cmnd *cmd = req->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
 
/*
 * Passthrough requests may transfer data, in which case they must
@@ -1187,7 +1187,7 @@ static int scsi_setup_scsi_cmnd(struct scsi_device *sdev, 
struct request *req)
  */
 static int scsi_setup_fs_cmnd(struct scsi_device *sdev, struct request *req)
 {
-   struct scsi_cmnd *cmd = req->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
 
if (unlikely(sdev->handler && sdev->handler->prep_fn)) {
int ret = sdev->handler->prep_fn(sdev, req);
@@ -1202,7 +1202,7 @@ static int scsi_setup_fs_cmnd(struct scsi_device *sdev, 
struct request *req)
 
 static int scsi_setup_cmnd(struct scsi_device *sdev, struct request *req)
 {
-   struct scsi_cmnd *cmd = req->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
 
if (!blk_rq_bytes(req))
cmd->sc_data_direction = DMA_NONE;
@@ -1339,7 +1339,7 @@ static int scsi_prep_fn(struct request_queue *q, struct 
request *req)
 
 static void scsi_unprep_fn(struct request_queue *q, struct request *req)
 {
-   scsi_uninit_cmd(req->special);
+   scsi_uninit_cmd(blk_mq_rq_to_pdu(req));
 }
 
 /*
@@ -1530,7 +1530,7 @@ static int scsi_lld_busy(struct request_queue *q)
  */
 static void scsi_kill_request(struct request *req, struct request_queue *q)
 {
-   struct scsi_cmnd *cmd = req->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(req);
struct scsi_device *sdev;
struct scsi_target *starget;
struct Scsi_Host *shost;
@@ -1561,7 +1561,7 @@ static void scsi_kill_request(struct request *req, struct 
request_queue *q)
 
 static void scsi_softirq_done(struct request *rq)
 {
-   struct scsi_cmnd *cmd = rq->special;
+   struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
unsigned long wait_for = (cmd->allowed + 1) * rq->timeout;
int disposition;
 
@@ -1749,8 +1749,8 @@ static void scsi_request_fn(struct request_queue *q)
blk_start_request(req);
 
spin_unlock_irq(q->queue_lock);
-   cmd = req->special;
-   if (unlikely(cmd == NULL)) {
+   cmd = blk_mq_rq_to_pdu(req);
+   if (cmd != req->special) {
printk(KERN_CRIT "impossible request in %s.\n"
 "please mail a stack trace to "
 "linux-scsi@vger.kernel.org\n",
diff --git a/include/scsi/scsi_tcq.h b/include/scsi/scsi_tcq.h
index 4416b1026189..5b416debf101 100644
--- a/include/scsi/scsi_tcq.h
+++ b/include/scsi/scsi_tcq.h
@@ -39,7 +39,7 @@ static inline struct scsi_cmnd *scsi_host_find_tag(struct 
Scsi_Host *shost,
 
if (!req)
return NULL;
-   return req->special;
+   return blk_mq_rq_to_pdu(req);
 }
 

[PATCH 27/31] scsi: Consolidate more initialization code

[Bart Van Assche]

Initialize struct scsi_cmnd.request from inside scsi_initialize_rq()
instead of every time a request is prepared. Note: moving the tag
initialization into scsi_initialize_rq() is not possible because
the single-queue block layer only assigns a tag to a request after
a request has been started.

Signed-off-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Cc: Hannes Reinecke 
---
 drivers/scsi/scsi_error.c | 1 -
 drivers/scsi/scsi_lib.c   | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index 374dea0885f6..46c51f9f73fa 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -2293,7 +2293,6 @@ scsi_ioctl_reset(struct scsi_device *dev, int __user *arg)
blk_rq_init(dev->request_queue, rq);
 
scmd = (struct scsi_cmnd *)(rq + 1);
-   scmd->request = rq;
scmd->cmnd = scsi_req(rq)->cmd;
 
scmd->scsi_done = scsi_reset_provider_done_command;
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index f131964ecb51..612bf6c201dc 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1165,6 +1165,7 @@ static void scsi_initialize_rq(struct request *rq)
cmd->req.sense = buf;
cmd->sense_buffer = buf;
cmd->prot_sdb = prot;
+   cmd->request = rq;
INIT_DELAYED_WORK(>abort_work, scmd_eh_abort_handler);
cmd->jiffies_at_alloc = jiffies;
 }
@@ -1344,7 +1345,6 @@ static int scsi_prep_fn(struct request_queue *q, struct 
request *req)
}
 
cmd->tag = req->tag;
-   cmd->request = req;
cmd->prot_op = SCSI_PROT_NORMAL;
 
ret = scsi_setup_cmnd(sdev, req);
@@ -1866,8 +1866,6 @@ static int scsi_mq_prep_fn(struct request *req)
 
req->special = cmd;
 
-   cmd->request = req;
-
cmd->tag = req->tag;
cmd->prot_op = SCSI_PROT_NORMAL;
 
-- 
2.12.2

Re: Need help with handling failed ATA pass-through command and sense data

[Alan Stern]

On Thu, 18 May 2017, Ewan D. Milne wrote:

> On Thu, 2017-05-18 at 13:37 -0400, Alan Stern wrote:
> > 
> > I had completely forgotten about this code.  :-(
> > 
> > Looks like you put your finger on the source of the problem.  So if the 
> > device sends back essentially empty sense data (SK = No Sense, ASC = 
> > ASCQ = 0), but the USB transport indicates command failure, how should 
> > we inform the SCSI core in a way that won't cause infinite retries or 
> > obnoxious log messages?
> > 
> > Should we be doing a better job of detecting empty sense data -- that 
> > is, do we need to check for non-empty ATA status?
> > 
> > Or has the SCSI core improved so that it no longer does infinite
> > retries (see commit f1a0743bc0e7 "USB: storage: When a device returns
> > no sense data, call it a Hardware Error" and Bugzilla entry #14118),
> > meaning that this code can be removed entirely?
> > 
> > Alan Stern
> 
> We added:
> 
> commit ee60b2c52ec8ecdcbcd2f85cc117b525f649441f
> Author: Eiichi Tsukata 
> Date:   Tue Feb 11 14:29:52 2014 +0900
> 
> [SCSI] Add timeout to avoid infinite command retry
> 
> but this may not give you the behavior you want, because it bounds
> the execution time to (# of retries + 1) * timeout.  So if you get
> an immediate error return it could still take a while for this code
> to give up retrying, i.e. it does not have the same properties as
> your commit f1a0743bc0e7.
> 
> I suppose you could decode the ATA Status Return sense data descriptor
> but I don't know how good the compliance is among all the ATA devices.
> Table 177 in section 1.2.2.8 of SAT-4 r06 seems to say that most of
> the fields in the sense data are unspecified for ATA PASS-THROUGH
> commands, so this probably explains why you see nothing else useful.
> Perhaps the logging should be delegated to the USB or ATA code for
> these commands, since they are not really part of SCSI?
> 
> I have seen a case of a Fibre Channel array returning all zeroes
> in the sense data, but this was because it was malfunctioning.

All right, suppose we don't return DID_ERROR and don't call it a
hardware error.  I don't know if this will help at all, and I don't
know if it will cause any regressions.

GeekGirl1, can you try applying the patch below to see if it makes any 
difference?  If you don't know how, I will attach it to the Bugzilla 
report so somebody else can try it.

Alan Stern




Index: usb-4.x/drivers/usb/storage/transport.c
===
--- usb-4.x.orig/drivers/usb/storage/transport.c
+++ usb-4.x/drivers/usb/storage/transport.c
@@ -835,6 +835,7 @@ Retry_Sense:
srb->result = SAM_STAT_GOOD;
srb->sense_buffer[0] = 0x0;
 
+#if 0
/*
 * If there was a problem, report an unspecified
 * hardware error to prevent the higher layers from
@@ -846,6 +847,7 @@ Retry_Sense:
srb->sense_buffer[1] = HARDWARE_ERROR;
else
srb->sense_buffer[2] = HARDWARE_ERROR;
+#endif
}
}
}

[PATCH] scsi: lpfc: prevent potential null pointer dereference

[Gustavo A. R. Silva]

Null check at line 966: if (ndlp) {,  implies that ndlp might be NULL.
Functions lpfc_nlp_set_state() and lpfc_issue_els_prli() dereference
pointer ndlp. Include these function calls inside the IF block that
tests pointer ndlp.

Addresses-Coverity-ID: 1401856
Signed-off-by: Gustavo A. R. Silva 
---
 drivers/scsi/lpfc/lpfc_ct.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index c7962da..ecb174b 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -978,9 +978,10 @@ lpfc_cmpl_ct_cmd_gft_id(struct lpfc_hba *phba, struct 
lpfc_iocbq *cmdiocb,
 ndlp, did, ndlp->nlp_fc4_type,
 FC_TYPE_FCP, FC_TYPE_NVME);
ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+
+   lpfc_nlp_set_state(vport, ndlp, NLP_STE_PRLI_ISSUE);
+   lpfc_issue_els_prli(vport, ndlp, 0);
}
-   lpfc_nlp_set_state(vport, ndlp, NLP_STE_PRLI_ISSUE);
-   lpfc_issue_els_prli(vport, ndlp, 0);
} else
lpfc_printf_vlog(vport, KERN_ERR, LOG_DISCOVERY,
 "3065 GFT_ID failed x%08x\n", irsp->ulpStatus);
-- 
2.5.0

Re: [PATCH v9 06/15] mlx5: Replace PCI pool old API

[David Miller]

From: Romain Perier 
Date: Tue, 23 May 2017 10:53:36 +0200

> Hello,
> 
> 
> Le 23/05/2017 à 09:27, Leon Romanovsky a écrit :
>> On Mon, May 22, 2017 at 06:48:58PM +0200, Romain Perier wrote:
>>> The PCI pool API is deprecated. This commit replaces the PCI pool old
>>> API by the appropriate function with the DMA pool API.
>>>
>>> Signed-off-by: Romain Perier 
>>> Reviewed-by: Peter Senna Tschudin 
>>> Acked-by: Doug Ledford 
>>> Tested-by: Doug Ledford 
>>> ---
>>>  drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++-
>>>  include/linux/mlx5/driver.h   |  2 +-
>>>  2 files changed, 7 insertions(+), 6 deletions(-)
>>>
>> Who is supposed to merge this patch series?
>>
>> Acked-by: Leon Romanovsky 
> Each maintainer of the corresponding subsystem, can take a patch, I
> guess. No ?

It might be easier to accumulate acks and you submit them as a series,
in my opinion.

[PATCH] qla2xxx: don't disable a not previously enabled PCI device

[Johannes Thumshirn]

When pci_enable_device() or pci_enable_device_mem() fail in
qla2x00_probe_one() we bail out but do a call to
pci_disable_device(). This causes the dev_WARN_ON() in
pci_disable_device() to trigger, as the device wasn't enabled
previously.

So instead of taking the 'probe_out' error path we can directly return
*iff* one of the pci_enable_device() calls fails.

Additionally rename the 'probe_out' goto label's name to the more
descriptive 'disable_device'.

Signed-off-by: Johannes Thumshirn 
Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure 
refactoring")
---
 drivers/scsi/qla2xxx/qla_os.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 1c7957903283..af25d8afd42a 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -2623,10 +2623,10 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct 
pci_device_id *id)
 
if (mem_only) {
if (pci_enable_device_mem(pdev))
-   goto probe_out;
+   return ret;
} else {
if (pci_enable_device(pdev))
-   goto probe_out;
+   return ret;
}
 
/* This may fail but that's ok */
@@ -2636,7 +2636,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct 
pci_device_id *id)
if (!ha) {
ql_log_pci(ql_log_fatal, pdev, 0x0009,
"Unable to allocate memory for ha.\n");
-   goto probe_out;
+   goto disable_device;
}
ql_dbg_pci(ql_dbg_init, pdev, 0x000a,
"Memory allocated for ha=%p.\n", ha);
@@ -3254,7 +3254,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct 
pci_device_id *id)
pci_release_selected_regions(ha->pdev, ha->bars);
kfree(ha);
 
-probe_out:
+disable_device:
pci_disable_device(pdev);
return ret;
 }
-- 
2.12.0

Re: [PATCH blktests v2 3/3] sg/001: add regression test for syzcaller generated GPF in sg_read path

[Johannes Thumshirn]

On 05/23/2017 04:39 PM, Jens Axboe wrote:
> I tried to look up that commit:
> 
>  48ae8484e9fc ("scsi: sg: don't return bogus Sg_requests")
> 
> but that isn't in Linus' tree. Even searched for just the title, still
> didn't find anything.

It's queued up in Martin's tree [1].

> 
> I'm assuming this is a bug in the sg.c driver, in which case the 2/3
> prep and real test case looks fine. For generic device testing, we
> should just use SG_IO and not bother with sg.c at all. The world would
> be a better place if we could just get rid of sg.c...

Agreed. Yes the bug is in the sg.c driver and we did have quite some of
these lately thanks to the syzcaller folks.

My intention with these tests was to have a place where we can throw in
the syzcaller reproducers and run it in nicely Qemu.

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.12/scsi-fixes=48ae8484e9fc324b4968d33c585e54bc98e44d61

-- 
Johannes Thumshirn  Storage
jthumsh...@suse.de+49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

Re: [PATCH blktests v2 3/3] sg/001: add regression test for syzcaller generated GPF in sg_read path

[Jens Axboe]

On 05/23/2017 08:25 AM, Johannes Thumshirn wrote:
> On 05/23/2017 04:15 PM, Jens Axboe wrote:
>> Add some code to the framework that allows you to get the corresponding
>> SG device for a SCSI block device? Make that part of the prepare, skip
>> the test if the block device isn't a SCSI dev.
> 
> Well the code is already there (in patch 2/3).
> 
> I'll pack it into the prepare stage.

I tried to look up that commit:

 48ae8484e9fc ("scsi: sg: don't return bogus Sg_requests")

but that isn't in Linus' tree. Even searched for just the title, still
didn't find anything.

I'm assuming this is a bug in the sg.c driver, in which case the 2/3
prep and real test case looks fine. For generic device testing, we
should just use SG_IO and not bother with sg.c at all. The world would
be a better place if we could just get rid of sg.c...

-- 
Jens Axboe

Re: [PATCH blktests v2 3/3] sg/001: add regression test for syzcaller generated GPF in sg_read path

[Johannes Thumshirn]

On 05/23/2017 04:15 PM, Jens Axboe wrote:
> Add some code to the framework that allows you to get the corresponding
> SG device for a SCSI block device? Make that part of the prepare, skip
> the test if the block device isn't a SCSI dev.

Well the code is already there (in patch 2/3).

I'll pack it into the prepare stage.

-- 
Johannes Thumshirn  Storage
jthumsh...@suse.de+49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

Re: [PATCH blktests v2 3/3] sg/001: add regression test for syzcaller generated GPF in sg_read path

[Jens Axboe]

On 05/23/2017 12:58 AM, Johannes Thumshirn wrote:
> On 05/22/2017 07:59 PM, Omar Sandoval wrote:
>> This looks much better, thanks! One question for you: is there any value
>> in running this on specific test devices (i.e., changing test() to
>> test_device() and using "$TEST_DEV" instead of a scsi-debug device), or
>> would it be a waste of time since it's just exercising generic code?
> 
> That's just generic code. All I need is a SCSI device so I get a /dev/sg
> device node.
> 
> One could do a check if $TEST_DEV is a SCSI device and have a fall-back
> to scsi_debug if it isn't, but I'm not sure if this isn't just a waste
> of time.

Add some code to the framework that allows you to get the corresponding
SG device for a SCSI block device? Make that part of the prepare, skip
the test if the block device isn't a SCSI dev.


-- 
Jens Axboe

[PATCH 09/15] qedf: Add bus_reset No-op.

[Dupuis, Chad]

We need to add a bus reset no-op as without it some of the LUNs attached to a
vport may go offline when the error handler escalates to host reset due to not
having a bus reset handler in the driver. What happens is we escalate to host
reset which does a soft link down/link up to reset the adapter. However with
multiple vports attached it's been observed that if the vports do log back into
the target within 5 seconds, the SCSI layer offlines the devices most likely
due to a TUR timing out to verify that the device is online. Adding a bus
reset handler will cause the TUR to be sent after the bus reset handler where
the devices will still be online if the bus reset is initiated by sg_reset
(which is the case in the test that was failing). The bus reset will succeed
and not needlessly bring the device offline/online.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index fa5a2f8..7dae915 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -628,6 +628,16 @@ static int qedf_eh_device_reset(struct scsi_cmnd *sc_cmd)
return qedf_initiate_tmf(sc_cmd, FCP_TMF_LUN_RESET);
 }
 
+static int qedf_eh_bus_reset(struct scsi_cmnd *sc_cmd)
+{
+   QEDF_ERR(NULL, "BUS RESET Issued...\n");
+   /*
+* Essentially a no-op but return SUCCESS to prevent
+* unnecessary escalation to the host reset handler.
+*/
+   return SUCCESS;
+}
+
 void qedf_wait_for_upload(struct qedf_ctx *qedf)
 {
while (1) {
@@ -705,6 +715,7 @@ static int qedf_slave_configure(struct scsi_device *sdev)
.eh_abort_handler   = qedf_eh_abort,
.eh_device_reset_handler = qedf_eh_device_reset, /* lun reset */
.eh_target_reset_handler = qedf_eh_target_reset, /* target reset */
+   .eh_bus_reset_handler = qedf_eh_bus_reset,
.eh_host_reset_handler  = qedf_eh_host_reset,
.slave_configure= qedf_slave_configure,
.dma_boundary = QED_HW_DMA_BOUNDARY,
-- 
1.8.5.6

[PATCH 15/15] qedf: Update version number to 8.18.22.0.

[Dupuis, Chad]

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_version.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_version.h b/drivers/scsi/qedf/qedf_version.h
index d46c487..6fa4420 100644
--- a/drivers/scsi/qedf/qedf_version.h
+++ b/drivers/scsi/qedf/qedf_version.h
@@ -7,9 +7,9 @@
  *  this source tree.
  */
 
-#define QEDF_VERSION   "8.10.7.0"
+#define QEDF_VERSION   "8.18.22.0"
 #define QEDF_DRIVER_MAJOR_VER  8
-#define QEDF_DRIVER_MINOR_VER  10
-#define QEDF_DRIVER_REV_VER7
+#define QEDF_DRIVER_MINOR_VER  18
+#define QEDF_DRIVER_REV_VER22
 #define QEDF_DRIVER_ENG_VER0
 
-- 
1.8.5.6

[PATCH 13/15] qedf: Change cmd_per_lun in scsi_host_template to 32 to increase performance.

[Dupuis, Chad]

Increase the default number of commands that the driver tells the
SCSI mid-layer it can do to increase the default performance of the
driver.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 340cf74..bc85c56 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -708,7 +708,7 @@ static int qedf_slave_configure(struct scsi_device *sdev)
.module = THIS_MODULE,
.name   = QEDF_MODULE_NAME,
.this_id= -1,
-   .cmd_per_lun= 3,
+   .cmd_per_lun= 32,
.use_clustering = ENABLE_CLUSTERING,
.max_sectors= 0x,
.queuecommand   = qedf_queuecommand,
-- 
1.8.5.6

[PATCH 10/15] qedf: Add non-offload receive filters.

[Dupuis, Chad]

Drop invalid or unexpected FCoE frames that come into the non-offload path
since the FCoE firmware would not do the filtering for us.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 46 +++
 1 file changed, 46 insertions(+)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 7dae915..7d1a953 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -2088,6 +2088,8 @@ static void qedf_recv_frame(struct qedf_ctx *qedf,
u8 *dest_mac = NULL;
struct fcoe_hdr *hp;
struct qedf_rport *fcport;
+   struct fc_lport *vn_port;
+   u32 f_ctl;
 
lport = qedf->lport;
if (lport == NULL || lport->state == LPORT_ST_DISABLED) {
@@ -2124,6 +2126,10 @@ static void qedf_recv_frame(struct qedf_ctx *qedf,
 
fh = fc_frame_header_get(fp);
 
+   /*
+* Invalid frame filters.
+*/
+
if (fh->fh_r_ctl == FC_RCTL_DD_SOL_DATA &&
fh->fh_type == FC_TYPE_FCP) {
/* Drop FCP data. We dont this in L2 path */
@@ -2149,6 +2155,46 @@ static void qedf_recv_frame(struct qedf_ctx *qedf,
return;
}
 
+   if (ntoh24(_mac[3]) != ntoh24(fh->fh_d_id)) {
+   QEDF_ERR(&(qedf->dbg_ctx), "FC frame d_id mismatch with MAC "
+   "%pM.\n", dest_mac);
+   return;
+   }
+
+   if (qedf->ctlr.state) {
+   if (!ether_addr_equal(mac, qedf->ctlr.dest_addr)) {
+   QEDF_ERR(&(qedf->dbg_ctx), "Wrong source address: "
+   "mac:%pM dest_addr:%pM.\n", mac,
+   qedf->ctlr.dest_addr);
+   kfree_skb(skb);
+   return;
+   }
+   }
+
+   vn_port = fc_vport_id_lookup(lport, ntoh24(fh->fh_d_id));
+
+   /*
+* If the destination ID from the frame header does not match what we
+* have on record for lport and the search for a NPIV port came up
+* empty then this is not addressed to our port so simply drop it.
+*/
+   if (lport->port_id != ntoh24(fh->fh_d_id) && !vn_port) {
+   QEDF_ERR(&(qedf->dbg_ctx), "Dropping frame due to "
+   "destination mismatch: lport->port_id=%x "
+   "fh->d_id=%x.\n",
+   lport->port_id, ntoh24(fh->fh_d_id));
+   kfree_skb(skb);
+   return;
+   }
+
+   f_ctl = ntoh24(fh->fh_f_ctl);
+   if ((fh->fh_type == FC_TYPE_BLS) && (f_ctl & FC_FC_SEQ_CTX) &&
+   (f_ctl & FC_FC_EX_CTX)) {
+   /* Drop incoming ABTS response that has both SEQ/EX CTX set */
+   kfree_skb(skb);
+   return;
+   }
+
/*
 * If a connection is uploading, drop incoming FCoE frames as there
 * is a small window where we could try to return a frame while libfc
-- 
1.8.5.6

[PATCH 11/15] qedf: Fixup unnecessary paratheses around test_bit operations.

[Dupuis, Chad]

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_els.c | 6 +++---
 drivers/scsi/qedf/qedf_io.c  | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c
index e197fd6..78d9f1c 100644
--- a/drivers/scsi/qedf/qedf_els.c
+++ b/drivers/scsi/qedf/qedf_els.c
@@ -44,7 +44,7 @@ static int qedf_initiate_els(struct qedf_rport *fcport, 
unsigned int op,
goto els_err;
}
 
-   if (!(test_bit(QEDF_RPORT_SESSION_READY, >flags))) {
+   if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
QEDF_ERR(&(qedf->dbg_ctx), "els 0x%x: fcport not ready\n", op);
rc = -EINVAL;
goto els_err;
@@ -225,7 +225,7 @@ int qedf_send_rrq(struct qedf_ioreq *aborted_io_req)
fcport = aborted_io_req->fcport;
 
/* Check that fcport is still offloaded */
-   if (!(test_bit(QEDF_RPORT_SESSION_READY, >flags))) {
+   if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
QEDF_ERR(NULL, "fcport is no longer offloaded.\n");
return -EINVAL;
}
@@ -550,7 +550,7 @@ static int qedf_send_srr(struct qedf_ioreq *orig_io_req, 
u32 offset, u8 r_ctl)
fcport = orig_io_req->fcport;
 
/* Check that fcport is still offloaded */
-   if (!(test_bit(QEDF_RPORT_SESSION_READY, >flags))) {
+   if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
QEDF_ERR(NULL, "fcport is no longer offloaded.\n");
return -EINVAL;
}
diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
index db16004..ea37c78 100644
--- a/drivers/scsi/qedf/qedf_io.c
+++ b/drivers/scsi/qedf/qedf_io.c
@@ -1847,7 +1847,7 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, 
struct scsi_cmnd *sc_cmd,
return FAILED;
}
 
-   if (!(test_bit(QEDF_RPORT_SESSION_READY, >flags))) {
+   if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
QEDF_ERR(&(qedf->dbg_ctx), "fcport not offloaded\n");
rc = FAILED;
return FAILED;
-- 
1.8.5.6

[PATCH 12/15] qedf: Move some prints to a debug level so they do not print when no debugging is enabled.

[Dupuis, Chad]

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 7d1a953..340cf74 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -442,7 +442,8 @@ static void qedf_link_update(void *dev, struct 
qed_link_output *link)
qedf_update_link_speed(qedf, link);
 
if (atomic_read(>dcbx) == QEDF_DCBX_DONE) {
-   QEDF_ERR(&(qedf->dbg_ctx), "DCBx done.\n");
+   QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_DISC,
+"DCBx done.\n");
if (atomic_read(>link_down_tmo_valid) > 0)
queue_delayed_work(qedf->link_update_wq,
>link_recovery, 0);
@@ -2156,16 +2157,16 @@ static void qedf_recv_frame(struct qedf_ctx *qedf,
}
 
if (ntoh24(_mac[3]) != ntoh24(fh->fh_d_id)) {
-   QEDF_ERR(&(qedf->dbg_ctx), "FC frame d_id mismatch with MAC "
-   "%pM.\n", dest_mac);
+   QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
+   "FC frame d_id mismatch with MAC %pM.\n", dest_mac);
return;
}
 
if (qedf->ctlr.state) {
if (!ether_addr_equal(mac, qedf->ctlr.dest_addr)) {
-   QEDF_ERR(&(qedf->dbg_ctx), "Wrong source address: "
-   "mac:%pM dest_addr:%pM.\n", mac,
-   qedf->ctlr.dest_addr);
+   QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
+   "Wrong source address: mac:%pM dest_addr:%pM.\n",
+   mac, qedf->ctlr.dest_addr);
kfree_skb(skb);
return;
}
@@ -2179,9 +2180,9 @@ static void qedf_recv_frame(struct qedf_ctx *qedf,
 * empty then this is not addressed to our port so simply drop it.
 */
if (lport->port_id != ntoh24(fh->fh_d_id) && !vn_port) {
-   QEDF_ERR(&(qedf->dbg_ctx), "Dropping frame due to "
-   "destination mismatch: lport->port_id=%x "
-   "fh->d_id=%x.\n",
+   QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
+   "Dropping frame due to destination mismatch: "
+   "lport->port_id=%x fh->d_id=%x.\n",
lport->port_id, ntoh24(fh->fh_d_id));
kfree_skb(skb);
return;
-- 
1.8.5.6

[PATCH 06/15] qedf: Add fka_period SCSI host attribute to show fip keep alive period.

[Dupuis, Chad]

Expose this information for interested applications.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_attr.c | 60 +--
 1 file changed, 41 insertions(+), 19 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_attr.c b/drivers/scsi/qedf/qedf_attr.c
index 1349f8a..68e2b77 100644
--- a/drivers/scsi/qedf/qedf_attr.c
+++ b/drivers/scsi/qedf/qedf_attr.c
@@ -8,6 +8,25 @@
  */
 #include "qedf.h"
 
+inline bool qedf_is_vport(struct qedf_ctx *qedf)
+{
+   return (!(qedf->lport->vport == NULL));
+}
+
+/* Get base qedf for physical port from vport */
+static struct qedf_ctx *qedf_get_base_qedf(struct qedf_ctx *qedf)
+{
+   struct fc_lport *lport;
+   struct fc_lport *base_lport;
+
+   if (!(qedf_is_vport(qedf)))
+   return NULL;
+
+   lport = qedf->lport;
+   base_lport = shost_priv(vport_to_shost(lport->vport));
+   return (struct qedf_ctx *)(lport_priv(base_lport));
+}
+
 static ssize_t
 qedf_fcoe_mac_show(struct device *dev,
struct device_attribute *attr, char *buf)
@@ -26,34 +45,37 @@
return scnprintf(buf, PAGE_SIZE, "%pM\n", fcoe_mac);
 }
 
+static ssize_t
+qedf_fka_period_show(struct device *dev,
+   struct device_attribute *attr, char *buf)
+{
+   struct fc_lport *lport = shost_priv(class_to_shost(dev));
+   struct qedf_ctx *qedf = lport_priv(lport);
+   int fka_period = -1;
+
+   if (qedf_is_vport(qedf))
+   qedf = qedf_get_base_qedf(qedf);
+
+   if (!qedf->ctlr.sel_fcf)
+   goto out;
+
+   fka_period = qedf->ctlr.sel_fcf->fka_period;
+
+out:
+   return scnprintf(buf, PAGE_SIZE, "%d\n", fka_period);
+}
+
 static DEVICE_ATTR(fcoe_mac, S_IRUGO, qedf_fcoe_mac_show, NULL);
+static DEVICE_ATTR(fka_period, S_IRUGO, qedf_fka_period_show, NULL);
 
 struct device_attribute *qedf_host_attrs[] = {
_attr_fcoe_mac,
+   _attr_fka_period,
NULL,
 };
 
 extern const struct qed_fcoe_ops *qed_ops;
 
-inline bool qedf_is_vport(struct qedf_ctx *qedf)
-{
-   return (!(qedf->lport->vport == NULL));
-}
-
-/* Get base qedf for physical port from vport */
-static struct qedf_ctx *qedf_get_base_qedf(struct qedf_ctx *qedf)
-{
-   struct fc_lport *lport;
-   struct fc_lport *base_lport;
-
-   if (!(qedf_is_vport(qedf)))
-   return NULL;
-
-   lport = qedf->lport;
-   base_lport = shost_priv(vport_to_shost(lport->vport));
-   return (struct qedf_ctx *)(lport_priv(base_lport));
-}
-
 void qedf_capture_grc_dump(struct qedf_ctx *qedf)
 {
struct qedf_ctx *base_qedf;
-- 
1.8.5.6

[PATCH 03/15] qedf: Honor qed_ops->common->set_fp_int() return code.

[Dupuis, Chad]

We need to check the return code the set_fp_int() callback in case we were
not allocated any fastpath interrupts or there was an error setting up the
fastpath interrupts from the qed perspective.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index c8d1688..f703801 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -2036,6 +2036,8 @@ static int qedf_setup_int(struct qedf_ctx *qedf)
 * Learn interrupt configuration
 */
rc = qed_ops->common->set_fp_int(qedf->cdev, num_online_cpus());
+   if (rc <= 0)
+   return 0;
 
rc  = qed_ops->common->get_fp_int(qedf->cdev, >int_info);
if (rc)
-- 
1.8.5.6

[PATCH 14/15] qedf: Add change_queue_depth member to scsi_host_template().

[Dupuis, Chad]

Add the change_queue_depth member to our SCSI host template so the queue
depth of devices attached to qedf can be changed dynamically.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index bc85c56..5610803 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -722,6 +722,7 @@ static int qedf_slave_configure(struct scsi_device *sdev)
.dma_boundary = QED_HW_DMA_BOUNDARY,
.sg_tablesize = QEDF_MAX_BDS_PER_CMD,
.can_queue = FCOE_PARAMS_NUM_TASKS,
+   .change_queue_depth = scsi_change_queue_depth,
 };
 
 static int qedf_get_paged_crc_eof(struct sk_buff *skb, int tlen)
-- 
1.8.5.6

[PATCH 02/15] qedf: Update copyright to 2017.

[Dupuis, Chad]

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/drv_fcoe_fw_funcs.c | 2 +-
 drivers/scsi/qedf/drv_fcoe_fw_funcs.h | 2 +-
 drivers/scsi/qedf/drv_scsi_fw_funcs.c | 2 +-
 drivers/scsi/qedf/drv_scsi_fw_funcs.h | 2 +-
 drivers/scsi/qedf/qedf.h  | 2 +-
 drivers/scsi/qedf/qedf_attr.c | 2 +-
 drivers/scsi/qedf/qedf_dbg.h  | 2 +-
 drivers/scsi/qedf/qedf_debugfs.c  | 2 +-
 drivers/scsi/qedf/qedf_els.c  | 2 +-
 drivers/scsi/qedf/qedf_fip.c  | 2 +-
 drivers/scsi/qedf/qedf_hsi.h  | 2 +-
 drivers/scsi/qedf/qedf_io.c   | 2 +-
 drivers/scsi/qedf/qedf_main.c | 2 +-
 drivers/scsi/qedf/qedf_version.h  | 2 +-
 14 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/scsi/qedf/drv_fcoe_fw_funcs.c 
b/drivers/scsi/qedf/drv_fcoe_fw_funcs.c
index 8c65e3b..7d91e53 100644
--- a/drivers/scsi/qedf/drv_fcoe_fw_funcs.c
+++ b/drivers/scsi/qedf/drv_fcoe_fw_funcs.c
@@ -1,5 +1,5 @@
 /* QLogic FCoE Offload Driver
- * Copyright (c) 2016 Cavium Inc.
+ * Copyright (c) 2016-2017 Cavium Inc.
  *
  * This software is available under the terms of the GNU General Public License
  * (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/drv_fcoe_fw_funcs.h 
b/drivers/scsi/qedf/drv_fcoe_fw_funcs.h
index 617529b..f9c50fa 100644
--- a/drivers/scsi/qedf/drv_fcoe_fw_funcs.h
+++ b/drivers/scsi/qedf/drv_fcoe_fw_funcs.h
@@ -1,5 +1,5 @@
 /* QLogic FCoE Offload Driver
- * Copyright (c) 2016 Cavium Inc.
+ * Copyright (c) 2016-2017 Cavium Inc.
  *
  * This software is available under the terms of the GNU General Public License
  * (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/drv_scsi_fw_funcs.c 
b/drivers/scsi/qedf/drv_scsi_fw_funcs.c
index 11e0cc0..5d5095e 100644
--- a/drivers/scsi/qedf/drv_scsi_fw_funcs.c
+++ b/drivers/scsi/qedf/drv_scsi_fw_funcs.c
@@ -1,5 +1,5 @@
 /* QLogic FCoE Offload Driver
- * Copyright (c) 2016 Cavium Inc.
+ * Copyright (c) 2016-2017 Cavium Inc.
  *
  * This software is available under the terms of the GNU General Public License
  * (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/drv_scsi_fw_funcs.h 
b/drivers/scsi/qedf/drv_scsi_fw_funcs.h
index 9cb4541..8fbe6e4 100644
--- a/drivers/scsi/qedf/drv_scsi_fw_funcs.h
+++ b/drivers/scsi/qedf/drv_scsi_fw_funcs.h
@@ -1,5 +1,5 @@
 /* QLogic FCoE Offload Driver
- * Copyright (c) 2016 Cavium Inc.
+ * Copyright (c) 2016-2017 Cavium Inc.
  *
  * This software is available under the terms of the GNU General Public License
  * (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/qedf.h b/drivers/scsi/qedf/qedf.h
index 40aeb6b..a5b89b0 100644
--- a/drivers/scsi/qedf/qedf.h
+++ b/drivers/scsi/qedf/qedf.h
@@ -1,6 +1,6 @@
 /*
  *  QLogic FCoE Offload Driver
- *  Copyright (c) 2016 Cavium Inc.
+ *  Copyright (c) 2016-2017 Cavium Inc.
  *
  *  This software is available under the terms of the GNU General Public 
License
  *  (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/qedf_attr.c b/drivers/scsi/qedf/qedf_attr.c
index 4772061..1349f8a 100644
--- a/drivers/scsi/qedf/qedf_attr.c
+++ b/drivers/scsi/qedf/qedf_attr.c
@@ -1,6 +1,6 @@
 /*
  *  QLogic FCoE Offload Driver
- *  Copyright (c) 2016 Cavium Inc.
+ *  Copyright (c) 2016-2017 Cavium Inc.
  *
  *  This software is available under the terms of the GNU General Public 
License
  *  (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h
index 7d173f48..50083ca 100644
--- a/drivers/scsi/qedf/qedf_dbg.h
+++ b/drivers/scsi/qedf/qedf_dbg.h
@@ -1,6 +1,6 @@
 /*
  *  QLogic FCoE Offload Driver
- *  Copyright (c) 2016 Cavium Inc.
+ *  Copyright (c) 2016-2017 Cavium Inc.
  *
  *  This software is available under the terms of the GNU General Public 
License
  *  (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index 00a1d64..2b1ef30 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -1,6 +1,6 @@
 /*
  *  QLogic FCoE Offload Driver
- *  Copyright (c) 2016 QLogic Corporation
+ *  Copyright (c) 2016-2017 QLogic Corporation
  *
  *  This software is available under the terms of the GNU General Public 
License
  *  (GPL) Version 2, available from the file COPYING in the main directory of
diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c
index c505d41..e197fd6 100644
--- a/drivers/scsi/qedf/qedf_els.c
+++ b/drivers/scsi/qedf/qedf_els.c
@@ -1,6 +1,6 @@
 /*
  *  QLogic FCoE Offload Driver
- *  Copyright (c) 2016 Cavium Inc.
+ *  Copyright (c) 2016-2017 Cavium Inc.
  *
  *  This software is available under the terms of the GNU General 

[PATCH 01/15] qedf: Enable basic FDMI information.

[Dupuis, Chad]

For libfc to register FDMI attributes we need to do two things:

- Set the appropriate fc_host attributes that libfc will use to form the
  FDMI registration commands
- Set lport->fdmi_enabled to 1

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 57 +++
 1 file changed, 57 insertions(+)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index cceddd9..2949932 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -22,6 +22,7 @@
 #include 
 #include 
 #include "qedf.h"
+#include 
 
 const struct qed_fcoe_ops *qed_ops;
 
@@ -1334,6 +1335,60 @@ static void qedf_fcoe_ctlr_setup(struct qedf_ctx *qedf)
ether_addr_copy(qedf->ctlr.ctl_src_addr, qedf->mac);
 }
 
+static void qedf_setup_fdmi(struct qedf_ctx *qedf)
+{
+   struct fc_lport *lport = qedf->lport;
+   u8 buf[8];
+   int i, pos;
+
+   /*
+* fdmi_enabled needs to be set for libfc to execute FDMI registration.
+*/
+   lport->fdmi_enabled = 1;
+
+   /*
+* Setup the necessary fc_host attributes to that will be used to fill
+* in the FDMI information.
+*/
+
+   /* Get the PCI-e Device Serial Number Capability */
+   pos = pci_find_ext_capability(qedf->pdev, PCI_EXT_CAP_ID_DSN);
+   if (pos) {
+   pos += 4;
+   for (i = 0; i < 8; i++)
+   pci_read_config_byte(qedf->pdev, pos + i, [i]);
+
+   snprintf(fc_host_serial_number(lport->host),
+   FC_SERIAL_NUMBER_SIZE,
+   "%02X%02X%02X%02X%02X%02X%02X%02X",
+   buf[7], buf[6], buf[5], buf[4],
+   buf[3], buf[2], buf[1], buf[0]);
+   } else
+   snprintf(fc_host_serial_number(lport->host),
+   FC_SERIAL_NUMBER_SIZE, "Unknown");
+
+   snprintf(fc_host_manufacturer(lport->host),
+   FC_SERIAL_NUMBER_SIZE, "%s", "Cavium Inc.");
+
+   snprintf(fc_host_model(lport->host),
+   FC_SYMBOLIC_NAME_SIZE, "%s", "QL41000");
+
+   snprintf(fc_host_model_description(lport->host),
+   FC_SYMBOLIC_NAME_SIZE, "%s", "QLogic FastLinQ QL41000 Series "
+   "10/25/40/50GGbE Controller (FCoE)");
+
+   snprintf(fc_host_hardware_version(lport->host),
+   FC_VERSION_STRING_SIZE, "Rev %d", qedf->pdev->revision);
+
+   snprintf(fc_host_driver_version(lport->host),
+   FC_VERSION_STRING_SIZE, "%s", QEDF_VERSION);
+
+   snprintf(fc_host_firmware_version(lport->host),
+   FC_VERSION_STRING_SIZE, "%d.%d.%d.%d",
+   FW_MAJOR_VERSION, FW_MINOR_VERSION, FW_REVISION_VERSION,
+   FW_ENGINEERING_VERSION);
+}
+
 static int qedf_lport_setup(struct qedf_ctx *qedf)
 {
struct fc_lport *lport = qedf->lport;
@@ -1377,6 +1432,8 @@ static int qedf_lport_setup(struct qedf_ctx *qedf)
snprintf(fc_host_symbolic_name(lport->host), 256,
"QLogic %s v%s", QEDF_MODULE_NAME, QEDF_VERSION);
 
+   qedf_setup_fdmi(qedf);
+
return 0;
 }
 
-- 
1.8.5.6

[PATCH 08/15] qedf: Use same logic for SCSI host reset and FC lip_reset.

[Dupuis, Chad]

We should be using the same logic to do a soft reset of the FCoE function
whether it is initiated via sg_reset or the fc_host issue_lip attribute.
Refactor the host reset and fcoe reset handlers to use the preferred logic
which is currently contained in qedf_eh_host_reset().

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 39 +++
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index d6049cd..fa5a2f8 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -640,27 +640,17 @@ void qedf_wait_for_upload(struct qedf_ctx *qedf)
}
 }
 
-/* Reset the host by gracefully logging out and then logging back in */
-static int qedf_eh_host_reset(struct scsi_cmnd *sc_cmd)
+/* Performs soft reset of qedf_ctx by simulating a link down/up */
+static void qedf_ctx_soft_reset(struct fc_lport *lport)
 {
-   struct fc_lport *lport;
struct qedf_ctx *qedf;
 
-   lport = shost_priv(sc_cmd->device->host);
-
if (lport->vport) {
QEDF_ERR(NULL, "Cannot issue host reset on NPIV port.\n");
-   return SUCCESS;
+   return;
}
 
-   qedf = (struct qedf_ctx *)lport_priv(lport);
-
-   if (atomic_read(>link_state) == QEDF_LINK_DOWN ||
-   test_bit(QEDF_UNLOADING, >flags) ||
-   test_bit(QEDF_DBG_STOP_IO, >flags))
-   return FAILED;
-
-   QEDF_ERR(&(qedf->dbg_ctx), "HOST RESET Issued...");
+   qedf = lport_priv(lport);
 
/* For host reset, essentially do a soft link up/down */
atomic_set(>link_state, QEDF_LINK_DOWN);
@@ -672,6 +662,24 @@ static int qedf_eh_host_reset(struct scsi_cmnd *sc_cmd)
qedf->vlan_id  = 0;
queue_delayed_work(qedf->link_update_wq, >link_update,
0);
+}
+
+/* Reset the host by gracefully logging out and then logging back in */
+static int qedf_eh_host_reset(struct scsi_cmnd *sc_cmd)
+{
+   struct fc_lport *lport;
+   struct qedf_ctx *qedf;
+
+   lport = shost_priv(sc_cmd->device->host);
+   qedf = lport_priv(lport);
+
+   if (atomic_read(>link_state) == QEDF_LINK_DOWN ||
+   test_bit(QEDF_UNLOADING, >flags))
+   return FAILED;
+
+   QEDF_ERR(&(qedf->dbg_ctx), "HOST RESET Issued...");
+
+   qedf_ctx_soft_reset(lport);
 
return SUCCESS;
 }
@@ -1670,8 +1678,7 @@ static int qedf_fcoe_reset(struct Scsi_Host *shost)
 {
struct fc_lport *lport = shost_priv(shost);
 
-   fc_fabric_logoff(lport);
-   fc_fabric_login(lport);
+   qedf_ctx_soft_reset(lport);
return 0;
 }
 
-- 
1.8.5.6

[PATCH 00/15] qedf: Update driver to version 8.18.22.0.

[Dupuis, Chad]

Hi Martin,

Please apply the following patches to the scsi tree at your earliest 
convenience.

Thanks,
Chad

Dupuis, Chad (15):
  qedf: Enable basic FDMI information.
  qedf: Update copyright to 2017.
  qedf: Honor qed_ops->common->set_fp_int() return code.
  qedf: Look at all descriptors when processing a clear virtual link.
  qedf: Check that fcport is offloaded before dereferencing pointers in
initiate_abts|cleanup.
  qedf: Add fka_period SCSI host attribute to show fip keep alive
period.
  qedf: Set qed logging level to QED_LEVEL_NOTICE.
  qedf: Use same logic for SCSI host reset and FC lip_reset.
  qedf: Add bus_reset No-op.
  qedf: Add non-offload receive filters.
  qedf: Fixup unnecessary paratheses around test_bit operations.
  qedf: Move some prints to a debug level so they do not print when no
debugging is enabled.
  qedf: Change cmd_per_lun in scsi_host_template to 32 to increase
performance.
  qedf: Add change_queue_depth member to scsi_host_template().
  qedf: Update version number to 8.18.22.0.

 drivers/scsi/qedf/drv_fcoe_fw_funcs.c |   2 +-
 drivers/scsi/qedf/drv_fcoe_fw_funcs.h |   2 +-
 drivers/scsi/qedf/drv_scsi_fw_funcs.c |   2 +-
 drivers/scsi/qedf/drv_scsi_fw_funcs.h |   2 +-
 drivers/scsi/qedf/qedf.h  |   2 +-
 drivers/scsi/qedf/qedf_attr.c |  62 -
 drivers/scsi/qedf/qedf_dbg.h  |   2 +-
 drivers/scsi/qedf/qedf_debugfs.c  |   2 +-
 drivers/scsi/qedf/qedf_els.c  |   8 +-
 drivers/scsi/qedf/qedf_fip.c  |  22 +++--
 drivers/scsi/qedf/qedf_hsi.h  |   2 +-
 drivers/scsi/qedf/qedf_io.c   |  26 --
 drivers/scsi/qedf/qedf_main.c | 165 +-
 drivers/scsi/qedf/qedf_version.h  |   8 +-
 14 files changed, 231 insertions(+), 76 deletions(-)

-- 
1.8.5.6

[PATCH 07/15] qedf: Set qed logging level to QED_LEVEL_NOTICE.

[Dupuis, Chad]

Reduce the logging level we set for qed messages pertaining to this PCI
function so that unnecessary messages are not printed in the kernel
message log.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index f703801..d6049cd 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -95,7 +95,7 @@
 MODULE_PARM_DESC(dp_module, " bit flags control for verbose printk passed "
"qed module during probe.");
 
-static uint qedf_dp_level;
+static uint qedf_dp_level = QED_LEVEL_NOTICE;
 module_param_named(dp_level, qedf_dp_level, uint, S_IRUGO);
 MODULE_PARM_DESC(dp_level, " printk verbosity control passed to qed module  "
"during probe (0-3: 0 more verbose).");
-- 
1.8.5.6

[PATCH 05/15] qedf: Check that fcport is offloaded before dereferencing pointers in initiate_abts|cleanup.

[Dupuis, Chad]

If an fcport is not offloaded then the members of the qedf_rport struct
are undefined which may cause a system crash.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_io.c | 22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
index ca9097b..db16004 100644
--- a/drivers/scsi/qedf/qedf_io.c
+++ b/drivers/scsi/qedf/qedf_io.c
@@ -1476,8 +1476,8 @@ int qedf_initiate_abts(struct qedf_ioreq *io_req, bool 
return_scsi_cmd_on_abts)
 {
struct fc_lport *lport;
struct qedf_rport *fcport = io_req->fcport;
-   struct fc_rport_priv *rdata = fcport->rdata;
-   struct qedf_ctx *qedf = fcport->qedf;
+   struct fc_rport_priv *rdata;
+   struct qedf_ctx *qedf;
u16 xid;
u32 r_a_tov = 0;
int rc = 0;
@@ -1485,15 +1485,18 @@ int qedf_initiate_abts(struct qedf_ioreq *io_req, bool 
return_scsi_cmd_on_abts)
struct fcoe_wqe *sqe;
u16 sqe_idx;
 
-   r_a_tov = rdata->r_a_tov;
-   lport = qedf->lport;
-
+   /* Sanity check qedf_rport before dereferencing any pointers */
if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
-   QEDF_ERR(&(qedf->dbg_ctx), "tgt not offloaded\n");
+   QEDF_ERR(NULL, "tgt not offloaded\n");
rc = 1;
goto abts_err;
}
 
+   rdata = fcport->rdata;
+   r_a_tov = rdata->r_a_tov;
+   qedf = fcport->qedf;
+   lport = qedf->lport;
+
if (lport->state != LPORT_ST_READY || !(lport->link_up)) {
QEDF_ERR(&(qedf->dbg_ctx), "link is not ready\n");
rc = 1;
@@ -1729,6 +1732,13 @@ int qedf_initiate_cleanup(struct qedf_ioreq *io_req,
return SUCCESS;
}
 
+   /* Sanity check qedf_rport before dereferencing any pointers */
+   if (!test_bit(QEDF_RPORT_SESSION_READY, >flags)) {
+   QEDF_ERR(NULL, "tgt not offloaded\n");
+   rc = 1;
+   return SUCCESS;
+   }
+
qedf = fcport->qedf;
if (!qedf) {
QEDF_ERR(NULL, "qedf is NULL.\n");
-- 
1.8.5.6

[PATCH 04/15] qedf: Look at all descriptors when processing a clear virtual link.

[Dupuis, Chad]

If there are multiple descriptors for a particular type in a clear virtual
link we receive, we will not process it correctly but rather take the last
value. This can cause us not to not flap the virtual link as the value from
the descriptors that we compare against the our stored FCF or fc_lport values
may not match.

Change is to do a comparison when processing the each descriptor instead of at
the end and then set a bool if we need to do the reset.

Signed-off-by: Chad Dupuis 
---
 drivers/scsi/qedf/qedf_fip.c | 20 +---
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_fip.c b/drivers/scsi/qedf/qedf_fip.c
index 2dfb817..64b04f2 100644
--- a/drivers/scsi/qedf/qedf_fip.c
+++ b/drivers/scsi/qedf/qedf_fip.c
@@ -156,10 +156,9 @@ void qedf_fip_recv(struct qedf_ctx *qedf, struct sk_buff 
*skb)
struct fip_wwn_desc *wp;
struct fip_vn_desc *vp;
size_t rlen, dlen;
-   uint32_t cvl_port_id;
-   __u8 cvl_mac[ETH_ALEN];
u16 op;
u8 sub;
+   bool do_reset = false;
 
eth_hdr = (struct ethhdr *)skb_mac_header(skb);
fiph = (struct fip_header *) ((void *)skb->data + 2 * ETH_ALEN + 2);
@@ -190,8 +189,6 @@ void qedf_fip_recv(struct qedf_ctx *qedf, struct sk_buff 
*skb)
return;
}
 
-   cvl_port_id = 0;
-   memset(cvl_mac, 0, ETH_ALEN);
/*
 * We need to loop through the CVL descriptors to determine
 * if we want to reset the fcoe link
@@ -205,7 +202,9 @@ void qedf_fip_recv(struct qedf_ctx *qedf, struct sk_buff 
*skb)
mp = (struct fip_mac_desc *)desc;
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
"fd_mac=%pM\n", mp->fd_mac);
-   ether_addr_copy(cvl_mac, mp->fd_mac);
+   if (ether_addr_equal(mp->fd_mac,
+   qedf->ctlr.sel_fcf->fcf_mac))
+   do_reset = true;
break;
case FIP_DT_NAME:
wp = (struct fip_wwn_desc *)desc;
@@ -217,7 +216,9 @@ void qedf_fip_recv(struct qedf_ctx *qedf, struct sk_buff 
*skb)
vp = (struct fip_vn_desc *)desc;
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
"fd_fc_id=%x.\n", ntoh24(vp->fd_fc_id));
-   cvl_port_id = ntoh24(vp->fd_fc_id);
+   if (ntoh24(vp->fd_fc_id) ==
+   qedf->lport->port_id)
+   do_reset = true;
break;
default:
/* Ignore anything else */
@@ -228,11 +229,8 @@ void qedf_fip_recv(struct qedf_ctx *qedf, struct sk_buff 
*skb)
}
 
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_LL2,
-   "cvl_port_id=%06x cvl_mac=%pM.\n", cvl_port_id,
-   cvl_mac);
-   if (cvl_port_id == qedf->lport->port_id &&
-   ether_addr_equal(cvl_mac,
-   qedf->ctlr.sel_fcf->fcf_mac)) {
+   "do_reset=%d.\n", do_reset);
+   if (do_reset) {
fcoe_ctlr_link_down(>ctlr);
qedf_wait_for_upload(qedf);
fcoe_ctlr_link_up(>ctlr);
-- 
1.8.5.6

Re: [PATCH] csiostor: Avoid content leaks and casts

[Varun Prakash]

On Mon, May 22, 2017 at 09:29:41AM -0700, Kees Cook wrote:
> On Mon, May 22, 2017 at 8:05 AM, Varun Prakash  wrote:
> > On Tue, May 09, 2017 at 03:34:44PM -0700, Kees Cook wrote:
> >> When copying attributes, the len argument was padded out and the resulting
> >> memcpy() would copy beyond the end of the source buffer.  Avoid this,
> >> and use size_t for val_len to avoid all the casts. Similarly, avoid source
> >> buffer casts and use void *.
> >>
> >> Additionally enforces val_len can be represented by u16 and that
> >> the DMA buffer was not overflowed. Fixes the size of mfa, which is not
> >> FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN (but it will be padded up to 4). This
> >> was noticed by the future CONFIG_FORTIFY_SOURCE checks.
> >>
> >> Cc: Daniel Micay 
> >> Signed-off-by: Kees Cook 
> >> ---
> >>  drivers/scsi/csiostor/csio_lnode.c | 43 
> >> +++---
> >>  1 file changed, 26 insertions(+), 17 deletions(-)
> >>
> >> diff --git a/drivers/scsi/csiostor/csio_lnode.c 
> >> b/drivers/scsi/csiostor/csio_lnode.c
> >> index c00b2ff72b55..be5ee2d37815 100644
> >> --- a/drivers/scsi/csiostor/csio_lnode.c
> >> +++ b/drivers/scsi/csiostor/csio_lnode.c
> >> @@ -238,14 +238,23 @@ csio_osname(uint8_t *buf, size_t buf_len)
> >>  }
> >>
> >
> >
> >>
> >>   csio_append_attrib(, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD,
> >> -(uint8_t *),
> >> -FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
> >> +, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
> >>   len = (uint32_t)(pld - (uint8_t *)cmd);
> >>   numattrs++;
> >>   attrib_blk->numattrs = htonl(numattrs);
> >> @@ -1794,6 +1801,8 @@ csio_ln_mgmt_submit_req(struct csio_ioreq *io_req,
> >>   struct csio_mgmtm *mgmtm = csio_hw_to_mgmtm(hw);
> >>   int rv;
> >>
> >> + BUG_ON(pld_len > pld->len);
> >> +
> >
> > I think WARN_ON() is better than BUG_ON() in this case
> >
> > if (WARN_ON(pld_len > pld->len))
> > return -EINVAL;
> >
> >>   io_req->io_cbfn = io_cbfn;  /* Upper layer callback handler */
> >>   io_req->fw_handle = (uintptr_t) (io_req);
> >>   io_req->eq_idx = mgmtm->eq_idx;
> 
> I chose BUG_ON here because the damage has already been done. If this
> assertion is hit, the heap buffers have already been overrun. This
> isn't a state we should only warn about...
> 

Ok.

Acked-by: Varun Prakash 

Re: [PATCH v9 06/15] mlx5: Replace PCI pool old API

[Leon Romanovsky]

On Tue, May 23, 2017 at 10:53:36AM +0200, Romain Perier wrote:
> Hello,
>
>
> Le 23/05/2017 à 09:27, Leon Romanovsky a écrit :
> > On Mon, May 22, 2017 at 06:48:58PM +0200, Romain Perier wrote:
> >> The PCI pool API is deprecated. This commit replaces the PCI pool old
> >> API by the appropriate function with the DMA pool API.
> >>
> >> Signed-off-by: Romain Perier 
> >> Reviewed-by: Peter Senna Tschudin 
> >> Acked-by: Doug Ledford 
> >> Tested-by: Doug Ledford 
> >> ---
> >>  drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++-
> >>  include/linux/mlx5/driver.h   |  2 +-
> >>  2 files changed, 7 insertions(+), 6 deletions(-)
> >>
> > Who is supposed to merge this patch series?
> >
> > Acked-by: Leon Romanovsky 
> Each maintainer of the corresponding subsystem, can take a patch, I
> guess. No ?

I wonder if they know that.

Dave,

Do you want us to resubmit mlx4/mlx5 patches as part of our general series,
or do you prefer to grab them from this patch series?

Thanks


>
> Romain


signature.asc
Description: PGP signature

Re: [PATCH v9 06/15] mlx5: Replace PCI pool old API

[Romain Perier]

Hello,


Le 23/05/2017 à 09:27, Leon Romanovsky a écrit :
> On Mon, May 22, 2017 at 06:48:58PM +0200, Romain Perier wrote:
>> The PCI pool API is deprecated. This commit replaces the PCI pool old
>> API by the appropriate function with the DMA pool API.
>>
>> Signed-off-by: Romain Perier 
>> Reviewed-by: Peter Senna Tschudin 
>> Acked-by: Doug Ledford 
>> Tested-by: Doug Ledford 
>> ---
>>  drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++-
>>  include/linux/mlx5/driver.h   |  2 +-
>>  2 files changed, 7 insertions(+), 6 deletions(-)
>>
> Who is supposed to merge this patch series?
>
> Acked-by: Leon Romanovsky 
Each maintainer of the corresponding subsystem, can take a patch, I
guess. No ?

Romain

Re: [PATCH] scsi: hisi_sas: add null check before indirect pointer dereference

[John Garry]

On 22/05/2017 19:00, Gustavo A. R. Silva wrote:

Add null check before indirectly dereferencing pointer task->lldd_task
in statement u32 tag = slot->idx;



I don't think that this is a valid scenario, but protecting against a 
possible NULL dereference is prudent. Thanks



Addresses-Coverity-ID: 1373843
Signed-off-by: Gustavo A. R. Silva 


Reviewed-by: John Garry 

Re: [PATCH v9 06/15] mlx5: Replace PCI pool old API

[Leon Romanovsky]

On Mon, May 22, 2017 at 06:48:58PM +0200, Romain Perier wrote:
> The PCI pool API is deprecated. This commit replaces the PCI pool old
> API by the appropriate function with the DMA pool API.
>
> Signed-off-by: Romain Perier 
> Reviewed-by: Peter Senna Tschudin 
> Acked-by: Doug Ledford 
> Tested-by: Doug Ledford 
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++-
>  include/linux/mlx5/driver.h   |  2 +-
>  2 files changed, 7 insertions(+), 6 deletions(-)
>

Who is supposed to merge this patch series?

Acked-by: Leon Romanovsky 


signature.asc
Description: PGP signature

Re: [PATCH] qla2xxx: Remove an unused structure member

[Christoph Hellwig]

On Mon, May 22, 2017 at 01:10:53PM -0700, Bart Van Assche wrote:
> qla_tgt_cmd.free_work is not used by the qla2xxx driver. Hence
> remove that member of struct qla_tgt_cmd.

Looks fine,

Reviewed-by: Christoph Hellwig 

Re: [PATCH blktests v2 3/3] sg/001: add regression test for syzcaller generated GPF in sg_read path

[Johannes Thumshirn]

On 05/22/2017 07:59 PM, Omar Sandoval wrote:
> This looks much better, thanks! One question for you: is there any value
> in running this on specific test devices (i.e., changing test() to
> test_device() and using "$TEST_DEV" instead of a scsi-debug device), or
> would it be a waste of time since it's just exercising generic code?

That's just generic code. All I need is a SCSI device so I get a /dev/sg
device node.

One could do a check if $TEST_DEV is a SCSI device and have a fall-back
to scsi_debug if it isn't, but I'm not sure if this isn't just a waste
of time.

Byte,
Johannes

-- 
Johannes Thumshirn  Storage
jthumsh...@suse.de+49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

Re: [PATCH 1/2] libsas: Don't process sas events in static works

[wangyijing]

>>
> 
> I have seen this scenario on our development board when we have a bad 
> physical cable connection - the PHY continually goes up and down in a loop.
> 
> So, in this regard, it is worth safeguarding against this scenario.

OK, I will reconsider this case.

Thanks!
Yijing.


> 
> John
> 
> 
> .
>