Fixes queuing issues where mfi_release_command blindly sets the cm_flags = 0 without first removing the command from the relavent queue. This was causing panics in the queue functions which check to ensure a command is not on another queue. Fixed some cases where the error from mfi_mapcmd was lost and where the command was never released / dequeued in error cases. Ensure that all failures to mfi_mapcmd are logged. Fixed possible null pointer exception in mfi_aen_setup if mfi_get_log_state failed. Fixed mfi_parse_entries & mfi_aen_setup not returning possible errors. Corrected MFI_DUMP_CMDS calls with invalid vars SC vs sc. Commands which have timed out now set cm_error to ETIMEDOUT and call mfi_complete which prevents them getting stuck in the busy queue forever. Fixed possible use of NULL pointer in mfi_tbolt_get_cmd. Changed output formats to be more easily recognisable when debugging. Optimised mfi_cmd_pool_tbolt cleanup. Made information about driver limiting commands always display as for modern cards this can be severe. Fixed mfi_tbolt_alloc_cmd out of memory case which previously didnt return an error. Added malloc checks for request_desc_pool including free when subsiquent errors are detected. Fixed overflow error in SIMD reply descriptor check. Fixed tbolt_cmd leak in mfi_build_and_issue_cmd if there's an error during IO build. Elimintated double checks on sc->mfi_aen_cm & sc->mfi_map_sync_cm in mfi_shutdown. Move local hdr calculation after error check in mfi_aen_complete. Fixed wakeup on NULL in mfi_aen_complete. Fixed mfi_aen_cm cleanup in mfi_process_fw_state_chg_isr not checking if it was NULL. Changed mfi_alloc_commands to error if bus_dmamap_create fails. Previously we would try to continue with the number of allocated commands but lots of places in the driver assume sc->mfi_max_fw_cmds is whats available so its unsafe to do this without lots of changes. Removed mfi_total_cmds as its no longer used due the above change. Corrected mfi_tbolt_alloc_cmd to return ENOMEM where appropriate. Fixed timeouts actually firing at double what they should. Setting hw.mfi.max_cmds=-1 now configures to use the controller max. A few style (9) fixes e.g. braced single line conditions and double blank lines --- sys/dev/mfi/mfi.c.orig 2012-11-07 23:00:24.540112877 +0000 +++ sys/dev/mfi/mfi.c 2012-11-09 14:10:12.288110349 +0000 @@ -143,7 +143,7 @@ static int mfi_max_cmds = 128; TUNABLE_INT("hw.mfi.max_cmds", &mfi_max_cmds); SYSCTL_INT(_hw_mfi, OID_AUTO, max_cmds, CTLFLAG_RD, &mfi_max_cmds, - 0, "Max commands"); + 0, "Max commands limit (-1 = controller limit)"); static int mfi_detect_jbod_change = 1; TUNABLE_INT("hw.mfi.detect_jbod_change", &mfi_detect_jbod_change); @@ -366,7 +366,7 @@ { uint32_t status; int error, commsz, framessz, sensesz; - int frames, unit, max_fw_sge; + int frames, unit, max_fw_sge, max_fw_cmds; uint32_t tb_mem_size = 0; if (sc == NULL) @@ -461,7 +461,13 @@ * instead of compile time. */ status = sc->mfi_read_fw_status(sc); - sc->mfi_max_fw_cmds = status & MFI_FWSTATE_MAXCMD_MASK; + max_fw_cmds = status & MFI_FWSTATE_MAXCMD_MASK; + if (mfi_max_cmds > 0 && mfi_max_cmds < max_fw_cmds) { + device_printf(sc->mfi_dev, "FW MaxCmds = %d, limiting to %d\n", + max_fw_cmds, mfi_max_cmds); + sc->mfi_max_fw_cmds = mfi_max_cmds; + } else + sc->mfi_max_fw_cmds = max_fw_cmds; max_fw_sge = (status & MFI_FWSTATE_MAXSGL_MASK) >> 16; sc->mfi_max_sge = min(max_fw_sge, ((MFI_MAXPHYS / PAGE_SIZE) + 1)); @@ -469,7 +475,8 @@ if (sc->mfi_flags & MFI_FLAGS_TBOLT) { mfi_tbolt_init_globals(sc); - device_printf(sc->mfi_dev, "MaxCmd = %x MaxSgl = %x state = %x \n", + device_printf(sc->mfi_dev, "MaxCmd = %d, Drv MaxCmd = %d, " + "MaxSgl = %d, state = %#x\n", max_fw_cmds, sc->mfi_max_fw_cmds, sc->mfi_max_sge, status); tb_mem_size = mfi_tbolt_get_memory_requirement(sc); @@ -779,21 +786,16 @@ mfi_alloc_commands(struct mfi_softc *sc) { struct mfi_command *cm; - int i, ncmds; + int i, j; /* * XXX Should we allocate all the commands up front, or allocate on * demand later like 'aac' does? */ - ncmds = MIN(mfi_max_cmds, sc->mfi_max_fw_cmds); - if (bootverbose) - device_printf(sc->mfi_dev, "Max fw cmds= %d, sizing driver " - "pool to %d\n", sc->mfi_max_fw_cmds, ncmds); - - sc->mfi_commands = malloc(sizeof(struct mfi_command) * ncmds, M_MFIBUF, - M_WAITOK | M_ZERO); + sc->mfi_commands = malloc(sizeof(struct mfi_command) * + sc->mfi_max_fw_cmds, M_MFIBUF, M_WAITOK | M_ZERO); - for (i = 0; i < ncmds; i++) { + for (i = 0; i < sc->mfi_max_fw_cmds; i++) { cm = &sc->mfi_commands[i]; cm->cm_frame = (union mfi_frame *)((uintptr_t)sc->mfi_frames + sc->mfi_cmd_size * i); @@ -809,10 +811,20 @@ mtx_lock(&sc->mfi_io_lock); mfi_release_command(cm); mtx_unlock(&sc->mfi_io_lock); + } else { + device_printf(sc->mfi_dev, "Failed to allocate %d " + "command blocks, only allocated %d\n", + sc->mfi_max_fw_cmds, i - 1); + for (j = 0; j < i; j++) { + cm = &sc->mfi_commands[i]; + bus_dmamap_destroy(sc->mfi_buffer_dmat, + cm->cm_dmamap); + } + free(sc->mfi_commands, M_MFIBUF); + sc->mfi_commands = NULL; + + return (ENOMEM); } - else - break; - sc->mfi_total_cmds++; } return (0); @@ -837,6 +849,23 @@ cm->cm_sg->sg32[0].addr = 0; } + /* + * Command may be on other queues e.g. busy queue depending on the + * flow of a previous call to mfi_mapcmd, so ensure its dequeued + * properly + */ + if ((cm->cm_flags & MFI_ON_MFIQ_BUSY) != 0) + mfi_remove_busy(cm); + if ((cm->cm_flags & MFI_ON_MFIQ_READY) != 0) + mfi_remove_ready(cm); + + /* We're not expecting it to be on any other queue but check */ + if ((cm->cm_flags & MFI_ON_MFIQ_MASK) != 0) { + printf("command %p is still on another queue, flags = %#x\n", + cm, cm->cm_flags); + panic("command is still on a queue"); + } + hdr_data = (uint32_t *)cm->cm_frame; hdr_data[0] = 0; /* cmd, sense_len, cmd_status, scsi_status */ hdr_data[1] = 0; /* target_id, lun_id, cdb_len, sg_count */ @@ -950,15 +979,12 @@ cm->cm_data = NULL; cm->cm_flags = MFI_CMD_POLLED; - if ((error = mfi_mapcmd(sc, cm)) != 0) { + if ((error = mfi_mapcmd(sc, cm)) != 0) device_printf(sc->mfi_dev, "failed to send init command\n"); - mtx_unlock(&sc->mfi_io_lock); - return (error); - } mfi_release_command(cm); mtx_unlock(&sc->mfi_io_lock); - return (0); + return (error); } static int @@ -1046,27 +1072,26 @@ class_locale.members.evt_class = mfi_event_class; if (seq_start == 0) { - error = mfi_get_log_state(sc, &log_state); + if((error = mfi_get_log_state(sc, &log_state)) != 0) + goto out; sc->mfi_boot_seq_num = log_state->boot_seq_num; - if (error) { - if (log_state) - free(log_state, M_MFIBUF); - return (error); - } /* * Walk through any events that fired since the last * shutdown. */ - mfi_parse_entries(sc, log_state->shutdown_seq_num, - log_state->newest_seq_num); + if((error = mfi_parse_entries(sc, log_state->shutdown_seq_num, + log_state->newest_seq_num)) != 0) + goto out; seq = log_state->newest_seq_num; } else seq = seq_start; - mfi_aen_register(sc, seq, class_locale.word); - free(log_state, M_MFIBUF); + error = mfi_aen_register(sc, seq, class_locale.word); +out: + if (log_state) + free(log_state, M_MFIBUF); - return 0; + return (error); } int @@ -1076,7 +1101,6 @@ mtx_assert(&sc->mfi_io_lock, MA_OWNED); cm->cm_complete = NULL; - /* * MegaCli can issue a DCMD of 0. In this case do nothing * and return 0 to it as status @@ -1104,12 +1128,13 @@ if (sc->mfi_cdev != NULL) destroy_dev(sc->mfi_cdev); - if (sc->mfi_total_cmds != 0) { - for (i = 0; i < sc->mfi_total_cmds; i++) { + if (sc->mfi_commands != NULL) { + for (i = 0; i < sc->mfi_max_fw_cmds; i++) { cm = &sc->mfi_commands[i]; bus_dmamap_destroy(sc->mfi_buffer_dmat, cm->cm_dmamap); } free(sc->mfi_commands, M_MFIBUF); + sc->mfi_commands = NULL; } if (sc->mfi_intr) @@ -1165,7 +1190,8 @@ /* End LSIP200113393 */ /* ThunderBolt INIT packet memory Free */ if (sc->mfi_tb_init_busaddr != 0) - bus_dmamap_unload(sc->mfi_tb_init_dmat, sc->mfi_tb_init_dmamap); + bus_dmamap_unload(sc->mfi_tb_init_dmat, + sc->mfi_tb_init_dmamap); if (sc->mfi_tb_init != NULL) bus_dmamem_free(sc->mfi_tb_init_dmat, sc->mfi_tb_init, sc->mfi_tb_init_dmamap); @@ -1182,16 +1208,14 @@ sc->mfi_tb_ioc_init_dmamap); if (sc->mfi_tb_ioc_init_dmat != NULL) bus_dma_tag_destroy(sc->mfi_tb_ioc_init_dmat); - for (int i = 0; i < sc->mfi_max_fw_cmds; i++) { - if (sc->mfi_cmd_pool_tbolt != NULL) { + if (sc->mfi_cmd_pool_tbolt != NULL) { + for (int i = 0; i < sc->mfi_max_fw_cmds; i++) { if (sc->mfi_cmd_pool_tbolt[i] != NULL) { free(sc->mfi_cmd_pool_tbolt[i], M_MFIBUF); sc->mfi_cmd_pool_tbolt[i] = NULL; } } - } - if (sc->mfi_cmd_pool_tbolt != NULL) { free(sc->mfi_cmd_pool_tbolt, M_MFIBUF); sc->mfi_cmd_pool_tbolt = NULL; } @@ -1256,9 +1280,8 @@ cm->cm_error = 0; mfi_complete(sc, cm); } - if (++ci == (sc->mfi_max_fw_cmds + 1)) { + if (++ci == (sc->mfi_max_fw_cmds + 1)) ci = 0; - } } sc->mfi_comms->hw_ci = ci; @@ -1288,15 +1311,15 @@ int error; - if (sc->mfi_aen_cm) + if (sc->mfi_aen_cm != NULL) { sc->cm_aen_abort = 1; - if (sc->mfi_aen_cm != NULL) mfi_abort(sc, &sc->mfi_aen_cm); + } - if (sc->mfi_map_sync_cm) + if (sc->mfi_map_sync_cm != NULL) { sc->cm_map_abort = 1; - if (sc->mfi_map_sync_cm != NULL) mfi_abort(sc, &sc->mfi_map_sync_cm); + } mtx_lock(&sc->mfi_io_lock); error = mfi_dcmd_command(sc, &cm, MFI_DCMD_CTRL_SHUTDOWN, NULL, 0); @@ -1310,9 +1333,8 @@ cm->cm_flags = MFI_CMD_POLLED; cm->cm_data = NULL; - if ((error = mfi_mapcmd(sc, cm)) != 0) { + if ((error = mfi_mapcmd(sc, cm)) != 0) device_printf(sc->mfi_dev, "Failed to shutdown controller\n"); - } mfi_release_command(cm); mtx_unlock(&sc->mfi_io_lock); @@ -1683,11 +1705,11 @@ sc = cm->cm_sc; mtx_assert(&sc->mfi_io_lock, MA_OWNED); - hdr = &cm->cm_frame->header; - if (sc->mfi_aen_cm == NULL) return; + hdr = &cm->cm_frame->header; + if (sc->cm_aen_abort || hdr->cmd_status == MFI_STAT_INVALID_STATUS) { sc->cm_aen_abort = 0; @@ -1713,8 +1735,8 @@ } free(cm->cm_data, M_MFIBUF); - sc->mfi_aen_cm = NULL; wakeup(&sc->mfi_aen_cm); + sc->mfi_aen_cm = NULL; mfi_release_command(cm); /* set it up again so the driver can catch more events */ @@ -1796,6 +1818,7 @@ mtx_lock(&sc->mfi_io_lock); mfi_release_command(cm); mtx_unlock(&sc->mfi_io_lock); + error = EIO; break; } mtx_lock(&sc->mfi_io_lock); @@ -1824,7 +1847,7 @@ } free(el, M_MFIBUF); - return (0); + return (error); } static int @@ -1941,11 +1964,12 @@ dcmd->mbox[0]=id; dcmd->header.scsi_status = 0; dcmd->header.pad0 = 0; - if (mfi_mapcmd(sc, cm) != 0) { + if ((error = mfi_mapcmd(sc, cm)) != 0) { device_printf(sc->mfi_dev, "Failed to get physical drive info %d\n", id); free(pd_info, M_MFIBUF); - return (0); + mfi_release_command(cm); + return (error); } bus_dmamap_sync(sc->mfi_buffer_dmat, cm->cm_dmamap, BUS_DMASYNC_POSTREAD); @@ -2211,11 +2235,14 @@ if ((hdr->cmd_status != MFI_STAT_OK) || (hdr->scsi_status != 0)) { bio->bio_flags |= BIO_ERROR; bio->bio_error = EIO; - device_printf(sc->mfi_dev, "I/O error, status= %d " - "scsi_status= %d\n", hdr->cmd_status, hdr->scsi_status); + device_printf(sc->mfi_dev, "I/O error, status=%#x " + "scsi_status=%#x\n", hdr->cmd_status, hdr->scsi_status); mfi_print_sense(cm->cm_sc, cm->cm_sense); } else if (cm->cm_error != 0) { bio->bio_flags |= BIO_ERROR; + bio->bio_error = cm->cm_error; + device_printf(sc->mfi_dev, "I/O error, error=%#x\n", + cm->cm_error); } mfi_release_command(cm); @@ -2251,6 +2278,9 @@ /* Send the command to the controller */ if (mfi_mapcmd(sc, cm) != 0) { + device_printf(sc->mfi_dev, "Failed to startio\n"); + if ((cm->cm_flags & MFI_ON_MFIQ_BUSY) != 0) + mfi_remove_busy(cm); mfi_requeue_ready(cm); break; } @@ -2374,7 +2404,7 @@ cm->cm_extra_frames = (cm->cm_total_frame_size - 1) / MFI_FRAME_SIZE; if (sc->MFA_enabled) - mfi_tbolt_send_frame(sc, cm); + mfi_tbolt_send_frame(sc, cm); else mfi_send_frame(sc, cm); @@ -2466,7 +2496,7 @@ { struct mfi_command *cm; struct mfi_abort_frame *abort; - int i = 0; + int i = 0, error; uint32_t context = 0; mtx_lock(&sc->mfi_io_lock); @@ -2490,7 +2520,8 @@ cm->cm_data = NULL; cm->cm_flags = MFI_CMD_POLLED; - mfi_mapcmd(sc, cm); + if ((error = mfi_mapcmd(sc, cm)) != 0) + device_printf(sc->mfi_dev, "failed to abort command\n"); mfi_release_command(cm); mtx_unlock(&sc->mfi_io_lock); @@ -2506,7 +2537,7 @@ mtx_unlock(&sc->mfi_io_lock); } - return (0); + return (error); } int @@ -2544,7 +2575,8 @@ cm->cm_total_frame_size = MFI_IO_FRAME_SIZE; cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT; - error = mfi_mapcmd(sc, cm); + if ((error = mfi_mapcmd(sc, cm)) != 0) + device_printf(sc->mfi_dev, "failed dump blocks\n"); bus_dmamap_sync(sc->mfi_buffer_dmat, cm->cm_dmamap, BUS_DMASYNC_POSTWRITE); bus_dmamap_unload(sc->mfi_buffer_dmat, cm->cm_dmamap); @@ -2587,7 +2619,8 @@ cm->cm_total_frame_size = MFI_PASS_FRAME_SIZE; cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT | MFI_CMD_SCSI; - error = mfi_mapcmd(sc, cm); + if ((error = mfi_mapcmd(sc, cm)) != 0) + device_printf(sc->mfi_dev, "failed dump blocks\n"); bus_dmamap_sync(sc->mfi_buffer_dmat, cm->cm_dmamap, BUS_DMASYNC_POSTWRITE); bus_dmamap_unload(sc->mfi_buffer_dmat, cm->cm_dmamap); @@ -3632,7 +3665,7 @@ deadline = time_uptime - mfi_cmd_timeout; mtx_lock(&sc->mfi_io_lock); TAILQ_FOREACH(cm, &sc->mfi_busy, cm_link) { - if (cm->cm_timestamp < deadline) { + if (cm->cm_timestamp <= deadline) { device_printf(sc->mfi_dev, "COMMAND %p TIMEOUT AFTER %d SECONDS\n", cm, (int)(time_uptime - cm->cm_timestamp)); @@ -3643,7 +3676,7 @@ #if 0 if (timedout) - MFI_DUMP_CMDS(SC); + MFI_DUMP_CMDS(sc); #endif mtx_unlock(&sc->mfi_io_lock); @@ -3656,7 +3689,7 @@ mfi_timeout(void *data) { struct mfi_softc *sc = (struct mfi_softc *)data; - struct mfi_command *cm; + struct mfi_command *cm, *tmp; time_t deadline; int timedout = 0; @@ -3669,10 +3702,10 @@ } } mtx_lock(&sc->mfi_io_lock); - TAILQ_FOREACH(cm, &sc->mfi_busy, cm_link) { + TAILQ_FOREACH_SAFE(cm, &sc->mfi_busy, cm_link, tmp) { if (sc->mfi_aen_cm == cm || sc->mfi_map_sync_cm == cm) continue; - if (cm->cm_timestamp < deadline) { + if (cm->cm_timestamp <= deadline) { if (sc->adpreset != 0 && sc->issuepend_done == 0) { cm->cm_timestamp = time_uptime; } else { @@ -3682,6 +3715,13 @@ ); MFI_PRINT_CMD(cm); MFI_VALIDATE_CMD(sc, cm); + /* + * Fail the command instead of leaving it on + * the queue where it could remain stuck forever + */ + mfi_remove_busy(cm); + cm->cm_error = ETIMEDOUT; + mfi_complete(sc, cm); timedout++; } } @@ -3689,7 +3729,7 @@ #if 0 if (timedout) - MFI_DUMP_CMDS(SC); + MFI_DUMP_CMDS(sc); #endif mtx_unlock(&sc->mfi_io_lock); --- sys/dev/mfi/mfi_tbolt.c.orig 2012-11-07 23:00:24.542124476 +0000 +++ sys/dev/mfi/mfi_tbolt.c 2012-11-09 14:16:13.036767564 +0000 @@ -162,14 +162,14 @@ while (!( HostDiag & DIAG_WRITE_ENABLE)) { for (i = 0; i < 1000; i++); HostDiag = (uint32_t)MFI_READ4(sc, MFI_HDR); - device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: retry time=%x, " - "hostdiag=%x\n", retry, HostDiag); + device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: retry time=%d, " + "hostdiag=%#x\n", retry, HostDiag); if (retry++ >= 100) return 1; } - device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: HostDiag=%x\n", HostDiag); + device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: HostDiag=%#x\n", HostDiag); MFI_WRITE4(sc, MFI_HDR, (HostDiag | DIAG_RESET_ADAPTER)); @@ -181,8 +181,8 @@ while (HostDiag & DIAG_RESET_ADAPTER) { for (i = 0; i < 1000; i++) ; HostDiag = (uint32_t)MFI_READ4(sc, MFI_RSR); - device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: retry time=%x, " - "hostdiag=%x\n", retry, HostDiag); + device_printf(sc->mfi_dev, "ADP_RESET_TBOLT: retry time=%d, " + "hostdiag=%#x\n", retry, HostDiag); if (retry++ >= 1000) return 1; @@ -447,13 +447,21 @@ sc->request_desc_pool = malloc(sizeof( union mfi_mpi2_request_descriptor) * sc->mfi_max_fw_cmds, M_MFIBUF, M_NOWAIT|M_ZERO); + + if (sc->request_desc_pool == NULL) { + device_printf(sc->mfi_dev, "Could not alloc " + "memory for request_desc_pool\n"); + return (ENOMEM); + } + sc->mfi_cmd_pool_tbolt = malloc(sizeof(struct mfi_cmd_tbolt*) * sc->mfi_max_fw_cmds, M_MFIBUF, M_NOWAIT|M_ZERO); - if (!sc->mfi_cmd_pool_tbolt) { - device_printf(sc->mfi_dev, "out of memory. Could not alloc " - "memory for cmd_list_fusion\n"); - return 1; + if (sc->mfi_cmd_pool_tbolt == NULL) { + free(sc->request_desc_pool, M_MFIBUF); + device_printf(sc->mfi_dev, "Could not alloc " + "memory for cmd_pool_tbolt\n"); + return (ENOMEM); } for (i = 0; i < sc->mfi_max_fw_cmds; i++) { @@ -461,20 +469,24 @@ struct mfi_cmd_tbolt),M_MFIBUF, M_NOWAIT|M_ZERO); if (!sc->mfi_cmd_pool_tbolt[i]) { - device_printf(sc->mfi_dev, "Could not alloc cmd list " - "fusion\n"); + device_printf(sc->mfi_dev, "Could not alloc " + "cmd_pool_tbolt entry\n"); for (j = 0; j < i; j++) free(sc->mfi_cmd_pool_tbolt[j], M_MFIBUF); + free(sc->request_desc_pool, M_MFIBUF); + sc->request_desc_pool = NULL; free(sc->mfi_cmd_pool_tbolt, M_MFIBUF); sc->mfi_cmd_pool_tbolt = NULL; + + return (ENOMEM); } } /* * The first 256 bytes (SMID 0) is not used. Don't add to the cmd - *list + * list */ io_req_base = sc->request_message_pool_align + MEGASAS_THUNDERBOLT_NEW_MSG_SIZE; @@ -614,9 +626,16 @@ static inline void mfi_tbolt_return_cmd(struct mfi_softc *sc, struct mfi_cmd_tbolt *cmd) { +/* TODO: remove this debugging */ +struct mfi_cmd_tbolt *tbolt_cmd; mtx_assert(&sc->mfi_io_lock, MA_OWNED); cmd->sync_cmd_idx = sc->mfi_max_fw_cmds; +/* TODO: remove this debugging */ +TAILQ_FOREACH(tbolt_cmd, &sc->mfi_cmd_tbolt_tqh, next) { + if (tbolt_cmd == cmd) + panic("returning tbolt cmd=%p thats already present", cmd); +} TAILQ_INSERT_TAIL(&sc->mfi_cmd_tbolt_tqh, cmd, next); } @@ -652,13 +671,19 @@ /* Read Reply descriptor */ while ((val.u.low != 0xFFFFFFFF) && (val.u.high != 0xFFFFFFFF)) { smid = reply_desc->SMID; - if (!smid || smid > sc->mfi_max_fw_cmds + 1) { - device_printf(sc->mfi_dev, "smid is %x. Cannot " + if (!smid || smid > sc->mfi_max_fw_cmds) { + device_printf(sc->mfi_dev, "smid is %d. Cannot " "proceed. Returning \n", smid); return; } cmd_tbolt = sc->mfi_cmd_pool_tbolt[smid - 1]; + if (cmd_tbolt->sync_cmd_idx == sc->mfi_max_fw_cmds) { + device_printf(sc->mfi_dev, "cmd_tbolt %p " + "has invalid sync_cmd_idx=%d - returning\n", + cmd_tbolt, cmd_tbolt->sync_cmd_idx); + return; + } cmd_mfi = &sc->mfi_commands[cmd_tbolt->sync_cmd_idx]; scsi_io_req = cmd_tbolt->io_request; @@ -666,10 +691,9 @@ extStatus = cmd_mfi->cm_frame->dcmd.header.scsi_status; map_tbolt_cmd_status(cmd_mfi, status, extStatus); - if (cmd_mfi->cm_flags & MFI_CMD_SCSI && + if ((cmd_mfi->cm_flags & MFI_CMD_SCSI) != 0 && (cmd_mfi->cm_flags & MFI_CMD_POLLED) != 0) { /* polled LD/SYSPD IO command */ - mfi_tbolt_return_cmd(sc, cmd_tbolt); /* XXX mark okay for now DJA */ cmd_mfi->cm_frame->header.cmd_status = MFI_STAT_OK; } else { @@ -684,8 +708,8 @@ /* complete the command */ mfi_complete(sc, cmd_mfi); - mfi_tbolt_return_cmd(sc, cmd_tbolt); } + mfi_tbolt_return_cmd(sc, cmd_tbolt); sc->last_reply_idx++; if (sc->last_reply_idx >= sc->mfi_max_fw_cmds) { @@ -734,7 +758,8 @@ mtx_assert(&sc->mfi_io_lock, MA_OWNED); - cmd = TAILQ_FIRST(&sc->mfi_cmd_tbolt_tqh); + if ((cmd = TAILQ_FIRST(&sc->mfi_cmd_tbolt_tqh)) == NULL) + return NULL; TAILQ_REMOVE(&sc->mfi_cmd_tbolt_tqh, cmd, next); memset((uint8_t *)cmd->sg_frame, 0, MEGASAS_MAX_SZ_CHAIN_FRAME); memset((uint8_t *)cmd->io_request, 0, @@ -988,8 +1013,10 @@ index = cmd->index; req_desc = mfi_tbolt_get_request_descriptor(sc, index-1); - if (mfi_tbolt_build_io(sc, mfi_cmd, cmd)) + if (mfi_tbolt_build_io(sc, mfi_cmd, cmd) != 0) { + mfi_tbolt_return_cmd(sc, cmd); return NULL; + } req_desc->header.SMID = index; return req_desc; } @@ -1119,9 +1146,9 @@ * should be performed on the controller */ if (cm->retry_for_fw_reset == 3) { - device_printf(sc->mfi_dev, "megaraid_sas: command %d " - "was tried multiple times during adapter reset" - "Shutting down the HBA\n", cm->cm_index); + device_printf(sc->mfi_dev, "megaraid_sas: command %p " + "index=%d was tried multiple times during adapter " + "reset - Shutting down the HBA\n", cm, cm->cm_index); mfi_kill_hba(sc); sc->hw_crit_error = 1; return; @@ -1130,15 +1157,14 @@ if ((cm->cm_flags & MFI_ON_MFIQ_BUSY) != 0) { struct mfi_cmd_tbolt *cmd; mfi_remove_busy(cm); - cmd = sc->mfi_cmd_pool_tbolt[cm->cm_extra_frames - - 1 ]; + cmd = sc->mfi_cmd_pool_tbolt[cm->cm_extra_frames - 1]; mfi_tbolt_return_cmd(sc, cmd); if ((cm->cm_flags & MFI_ON_MFIQ_MASK) == 0) { if (cm->cm_frame->dcmd.opcode != MFI_DCMD_CTRL_EVENT_WAIT) { device_printf(sc->mfi_dev, - "APJ ****requeue command %d \n", - cm->cm_index); + "APJ ****requeue command %p " + "index=%d\n", cm, cm->cm_index); mfi_requeue_ready(cm); } } @@ -1196,22 +1222,22 @@ } mtx_unlock(&sc->mfi_io_lock); if ((error = mfi_tbolt_init_MFI_queue(sc)) != 0) - return; + return; mtx_lock(&sc->mfi_io_lock); sc->mfi_enable_intr(sc); sc->adpreset = 0; - free(sc->mfi_aen_cm->cm_data, M_MFIBUF); - mfi_remove_busy(sc->mfi_aen_cm); - cmd = sc->mfi_cmd_pool_tbolt[sc->mfi_aen_cm->cm_extra_frames - - 1]; - mfi_tbolt_return_cmd(sc, cmd); - if (sc->mfi_aen_cm) { + if (sc->mfi_aen_cm != NULL) { + free(sc->mfi_aen_cm->cm_data, M_MFIBUF); + mfi_remove_busy(sc->mfi_aen_cm); + cmd = sc->mfi_cmd_pool_tbolt[ + sc->mfi_aen_cm->cm_extra_frames - 1]; + mfi_tbolt_return_cmd(sc, cmd); mfi_release_command(sc->mfi_aen_cm); sc->mfi_aen_cm = NULL; } - if (sc->mfi_map_sync_cm) { + if (sc->mfi_map_sync_cm != NULL) { mfi_release_command(sc->mfi_map_sync_cm); sc->mfi_map_sync_cm = NULL; } @@ -1357,6 +1383,8 @@ device_printf(sc->mfi_dev, "failed to send map sync\n"); free(ld_sync, M_MFIBUF); sc->mfi_map_sync_cm = NULL; + if ((cmd->cm_flags & MFI_ON_MFIQ_BUSY) != 0) + mfi_remove_busy(cmd); mfi_requeue_ready(cmd); goto out; } --- sys/dev/mfi/mfi_debug.c.orig 2012-11-09 00:56:43.485019300 +0000 +++ sys/dev/mfi/mfi_debug.c 2012-11-09 02:24:35.569778892 +0000 @@ -271,7 +271,7 @@ { int i; - for (i = 0; i < sc->mfi_total_cmds; i++) + for (i = 0; i < sc->mfi_max_fw_cmds; i++) mfi_print_generic_frame(sc, &sc->mfi_commands[i]); } --- sys/dev/mfi/mfivar.h.orig 2012-11-09 00:55:55.000000000 +0000 +++ sys/dev/mfi/mfivar.h 2012-11-09 14:36:01.203796033 +0000 @@ -267,10 +267,6 @@ */ struct mfi_command *mfi_commands; /* - * How many commands were actually allocated - */ - int mfi_total_cmds; - /* * How many commands the firmware can handle. Also how big the reply * queue is, minus 1. */