Re: [PATCH] scsi: sr: fix oob access in get_capabilities

[Kefeng Wang]

On 2017/3/16 8:07, Martin K. Petersen wrote:
> Kefeng Wang  writes:
> 
> Kefeng,
> 
>> 'n = header_length + block_descriptor_length' could be greater than 512,
>> and will lead to oob access, so enlarge transfer buffer to fix it.
> 
> Can you share the output of sg_modes -p 0x2a /dev/srN for the offending
> drive?


root@localhost ~]# sg_modes -p 0x2a /dev/sr0
QEMU  QEMU DVD-ROM  0.15   peripheral_type: cd/dvd [0x5]
Mode parameter header from MODE SENSE(10):
Invalid block descriptor length=512, ignore
  Mode data length=36, medium type=0x70, specific param=0x00, longlba=0
  Block descriptor length=0
>> MM capabilities and mechanical status (obsolete), page_control: current
 00 2a 12 00 00 71 60 29 00  02 c2 00 02 02 00 02 c2
 10 00 00 00 00
Unexpectedly received extra mode page responses, ignore

note: the issue was found in guestos?  maybe some bugs exist in qemu?

Kefeng

> 
> This mode page is usually much smaller than 512 bytes (typically between
> 32 and 128 bytes).
> 

[PATCH v2 02/10] be2iscsi: Fix closing of connection

[Jitendra Bhivare]

CID needs to be freed even when invalidate or upload connection fails.
Attempt to close connection 3 times before freeing CID.

Set cleanup_type to INVALIDATE instead of force TCP_RST.
This unnecessarily is terminating connection with reset instead of
gracefully closing it.

Set save_cfg to 0 - session not to be saved on flash.

Add delay and process CQ before uploading connection.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be.h   |   1 -
 drivers/scsi/be2iscsi/be_cmds.h  |  63 +--
 drivers/scsi/be2iscsi/be_iscsi.c |  98 +-
 drivers/scsi/be2iscsi/be_mgmt.c  | 127 ---
 drivers/scsi/be2iscsi/be_mgmt.h  |  30 ++---
 5 files changed, 159 insertions(+), 160 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be.h b/drivers/scsi/be2iscsi/be.h
index ca9440f..4dd8de4 100644
--- a/drivers/scsi/be2iscsi/be.h
+++ b/drivers/scsi/be2iscsi/be.h
@@ -154,7 +154,6 @@ struct be_ctrl_info {
 #define PAGE_SHIFT_4K 12
 #define PAGE_SIZE_4K (1 << PAGE_SHIFT_4K)
 #define mcc_timeout12 /* 12s timeout */
-#define BEISCSI_LOGOUT_SYNC_DELAY  250
 
 /* Returns number of pages spanned by the data starting at the given addr */
 #define PAGES_4K_SPANNED(_address, size)   \
diff --git a/drivers/scsi/be2iscsi/be_cmds.h b/drivers/scsi/be2iscsi/be_cmds.h
index 1d40e83..88fe731 100644
--- a/drivers/scsi/be2iscsi/be_cmds.h
+++ b/drivers/scsi/be2iscsi/be_cmds.h
@@ -1145,24 +1145,49 @@ struct tcp_connect_and_offload_out {
 #define DB_DEF_PDU_EVENT_SHIFT 15
 #define DB_DEF_PDU_CQPROC_SHIFT16
 
-struct dmsg_cqe {
-   u32 dw[4];
+struct be_invalidate_connection_params_in {
+   struct be_cmd_req_hdr hdr;
+   u32 session_handle;
+   u16 cid;
+   u16 unused;
+#define BE_CLEANUP_TYPE_INVALIDATE 0x8001
+#define BE_CLEANUP_TYPE_ISSUE_TCP_RST  0x8002
+   u16 cleanup_type;
+   u16 save_cfg;
+} __packed;
+
+struct be_invalidate_connection_params_out {
+   u32 session_handle;
+   u16 cid;
+   u16 unused;
 } __packed;
 
-struct tcp_upload_params_in {
+union be_invalidate_connection_params {
+   struct be_invalidate_connection_params_in req;
+   struct be_invalidate_connection_params_out resp;
+} __packed;
+
+struct be_tcp_upload_params_in {
struct be_cmd_req_hdr hdr;
u16 id;
+#define BE_UPLOAD_TYPE_GRACEFUL1
+/* abortive upload with reset */
+#define BE_UPLOAD_TYPE_ABORT_RESET 2
+/* abortive upload without reset */
+#define BE_UPLOAD_TYPE_ABORT   3
+/* abortive upload with reset, sequence number by driver */
+#define BE_UPLOAD_TYPE_ABORT_WITH_SEQ  4
u16 upload_type;
u32 reset_seq;
 } __packed;
 
-struct tcp_upload_params_out {
+struct be_tcp_upload_params_out {
u32 dw[32];
 } __packed;
 
-union tcp_upload_params {
-   struct tcp_upload_params_in request;
-   struct tcp_upload_params_out response;
+union be_tcp_upload_params {
+   struct be_tcp_upload_params_in request;
+   struct be_tcp_upload_params_out response;
 } __packed;
 
 struct be_ulp_fw_cfg {
@@ -1243,10 +1268,7 @@ struct be_cmd_get_port_name {
 #define OPCODE_COMMON_WRITE_FLASH  96
 #define OPCODE_COMMON_READ_FLASH   97
 
-/* --- CMD_ISCSI_INVALIDATE_CONNECTION_TYPE --- */
 #define CMD_ISCSI_COMMAND_INVALIDATE   1
-#define CMD_ISCSI_CONNECTION_INVALIDATE0x8001
-#define CMD_ISCSI_CONNECTION_ISSUE_TCP_RST 0x8002
 
 #define INI_WR_CMD 1   /* Initiator write command */
 #define INI_TMF_CMD2   /* Initiator TMF command */
@@ -1269,27 +1291,6 @@ struct be_cmd_get_port_name {
 *  preparedby
 * driver should not be touched
 */
-/* --- CMD_CHUTE_TYPE --- */
-#define CMD_CONNECTION_CHUTE_0 1
-#define CMD_CONNECTION_CHUTE_1 2
-#define CMD_CONNECTION_CHUTE_2 3
-
-#define EQ_MAJOR_CODE_COMPLETION   0
-
-#define CMD_ISCSI_SESSION_DEL_CFG_FROM_FLASH 0
-#define CMD_ISCSI_SESSION_SAVE_CFG_ON_FLASH 1
-
-/* --- CONNECTION_UPLOAD_PARAMS --- */
-/* These parameters are used to define the type of upload desired.  */
-#define CONNECTION_UPLOAD_GRACEFUL  1  /* Graceful upload  */
-#define CONNECTION_UPLOAD_ABORT_RESET   2  /* Abortive upload with
-* reset
-*/
-#define CONNECTION_UPLOAD_ABORT3   /* Abortive upload 
without
-* reset
-*/
-#define CONNECTION_UPLOAD_ABORT_WITH_SEQ 4 /* Abortive upload with reset,
-* sequence number by driver  */
 
 /* 

[PATCH v2 07/10] be2iscsi: Remove free_list for ASYNC handles

[Jitendra Bhivare]

With previous patch adding ASYNC Rx buffers to free_list is not required.
Remove all free_list related operations.

Add in_use to track if buffer posted is being processed by driver and
purge all buffers received for connection if found so.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.c | 99 +
 drivers/scsi/be2iscsi/be_main.h |  8 +---
 2 files changed, 43 insertions(+), 64 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index 1cd9c2d..ee1f1c4 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -1453,15 +1453,28 @@ static inline void
 beiscsi_hdl_put_handle(struct hd_async_context *pasync_ctx,
 struct hd_async_handle *pasync_handle)
 {
-   if (pasync_handle->is_header) {
-   list_add_tail(_handle->link,
-   _ctx->async_header.free_list);
-   pasync_ctx->async_header.free_entries++;
-   } else {
-   list_add_tail(_handle->link,
-   _ctx->async_data.free_list);
-   pasync_ctx->async_data.free_entries++;
-   }
+   pasync_handle->is_final = 0;
+   pasync_handle->buffer_len = 0;
+   pasync_handle->in_use = 0;
+   list_del_init(_handle->link);
+}
+
+static void
+beiscsi_hdl_purge_handles(struct beiscsi_hba *phba,
+ struct hd_async_context *pasync_ctx,
+ u16 cri)
+{
+   struct hd_async_handle *pasync_handle, *tmp_handle;
+   struct list_head *plist;
+
+   plist  = _ctx->async_entry[cri].wq.list;
+   list_for_each_entry_safe(pasync_handle, tmp_handle, plist, link)
+   beiscsi_hdl_put_handle(pasync_ctx, pasync_handle);
+
+   INIT_LIST_HEAD(_ctx->async_entry[cri].wq.list);
+   pasync_ctx->async_entry[cri].wq.hdr_len = 0;
+   pasync_ctx->async_entry[cri].wq.bytes_received = 0;
+   pasync_ctx->async_entry[cri].wq.bytes_needed = 0;
 }
 
 static struct hd_async_handle *
@@ -1473,11 +1486,12 @@ beiscsi_hdl_get_handle(struct beiscsi_conn 
*beiscsi_conn,
struct beiscsi_hba *phba = beiscsi_conn->phba;
struct hd_async_handle *pasync_handle;
struct be_bus_address phys_addr;
+   u16 cid, code, ci, cri;
u8 final, error = 0;
-   u16 cid, code, ci;
u32 dpl;
 
cid = beiscsi_conn->beiscsi_conn_cid;
+   cri = BE_GET_ASYNC_CRI_FROM_CID(cid);
/**
 * This function is invoked to get the right async_handle structure
 * from a given DEF PDU CQ entry.
@@ -1525,15 +1539,7 @@ beiscsi_hdl_get_handle(struct beiscsi_conn *beiscsi_conn,
break;
/* called only for above codes */
default:
-   pasync_handle = NULL;
-   break;
-   }
-
-   if (!pasync_handle) {
-   beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
-   "BM_%d : cid %d async PDU handle not found - code 
%d ci %d addr %llx\n",
-   cid, code, ci, phys_addr.u.a64.address);
-   return pasync_handle;
+   return NULL;
}
 
if (pasync_handle->pa.u.a64.address != phys_addr.u.a64.address ||
@@ -1549,44 +1555,33 @@ beiscsi_hdl_get_handle(struct beiscsi_conn 
*beiscsi_conn,
/* FW has stale address - attempt continuing by dropping */
}
 
-   list_del_init(_handle->link);
-   /**
-* Each CID is associated with unique CRI.
-* ASYNC_CRI_FROM_CID mapping and CRI_FROM_CID are totaly different.
-**/
-   pasync_handle->cri = BE_GET_ASYNC_CRI_FROM_CID(cid);
-   pasync_handle->is_final = final;
-   pasync_handle->buffer_len = dpl;
-
/**
 * DEF PDU header and data buffers with errors should be simply
 * dropped as there are no consumers for it.
 */
if (error) {
beiscsi_hdl_put_handle(pasync_ctx, pasync_handle);
-   pasync_handle = NULL;
+   return NULL;
}
-   return pasync_handle;
-}
-
-static void
-beiscsi_hdl_purge_handles(struct beiscsi_hba *phba,
- struct hd_async_context *pasync_ctx,
- u16 cri)
-{
-   struct hd_async_handle *pasync_handle, *tmp_handle;
-   struct list_head *plist;
 
-   plist  = _ctx->async_entry[cri].wq.list;
-   list_for_each_entry_safe(pasync_handle, tmp_handle, plist, link) {
-   list_del(_handle->link);
-   beiscsi_hdl_put_handle(pasync_ctx, pasync_handle);
+   if (pasync_handle->in_use || !list_empty(_handle->link)) {
+   beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
+   "BM_%d : cid %d async PDU handle in use - code %d 
ci %d addr %llx\n",
+   cid, code, ci, phys_addr.u.a64.address);
+   

[PATCH v2 06/10] be2iscsi: Use num_cons field in Rx CQE

[Jitendra Bhivare]

FW runs out of buffer if buffers are not posted back soon.
ASYNC Rx CQE indicates that FW has consumed 8 RQEs.
Use it to post back buffers instead of waiting for buffers
to be processed and freed by driver.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.c | 124 
 drivers/scsi/be2iscsi/be_main.h |   1 +
 2 files changed, 51 insertions(+), 74 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index b76fd26..1cd9c2d 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -1467,7 +1467,8 @@ beiscsi_hdl_put_handle(struct hd_async_context 
*pasync_ctx,
 static struct hd_async_handle *
 beiscsi_hdl_get_handle(struct beiscsi_conn *beiscsi_conn,
   struct hd_async_context *pasync_ctx,
-  struct i_t_dpdu_cqe *pdpdu_cqe)
+  struct i_t_dpdu_cqe *pdpdu_cqe,
+  u8 *header)
 {
struct beiscsi_hba *phba = beiscsi_conn->phba;
struct hd_async_handle *pasync_handle;
@@ -1515,6 +1516,7 @@ beiscsi_hdl_get_handle(struct beiscsi_conn *beiscsi_conn,
switch (code) {
case UNSOL_HDR_NOTIFY:
pasync_handle = pasync_ctx->async_entry[ci].header;
+   *header = 1;
break;
case UNSOL_DATA_DIGEST_ERROR_NOTIFY:
error = 1;
@@ -1547,6 +1549,7 @@ beiscsi_hdl_get_handle(struct beiscsi_conn *beiscsi_conn,
/* FW has stale address - attempt continuing by dropping */
}
 
+   list_del_init(_handle->link);
/**
 * Each CID is associated with unique CRI.
 * ASYNC_CRI_FROM_CID mapping and CRI_FROM_CID are totaly different.
@@ -1554,11 +1557,6 @@ beiscsi_hdl_get_handle(struct beiscsi_conn *beiscsi_conn,
pasync_handle->cri = BE_GET_ASYNC_CRI_FROM_CID(cid);
pasync_handle->is_final = final;
pasync_handle->buffer_len = dpl;
-   /* empty the slot */
-   if (pasync_handle->is_header)
-   pasync_ctx->async_entry[ci].header = NULL;
-   else
-   pasync_ctx->async_entry[ci].data = NULL;
 
/**
 * DEF PDU header and data buffers with errors should be simply
@@ -1708,85 +1706,53 @@ beiscsi_hdl_gather_pdu(struct beiscsi_conn 
*beiscsi_conn,
 
 static void
 beiscsi_hdq_post_handles(struct beiscsi_hba *phba,
-u8 header, u8 ulp_num)
+u8 header, u8 ulp_num, u16 nbuf)
 {
-   struct hd_async_handle *pasync_handle, *tmp, **slot;
+   struct hd_async_handle *pasync_handle;
struct hd_async_context *pasync_ctx;
struct hwi_controller *phwi_ctrlr;
-   struct list_head *hfree_list;
struct phys_addr *pasync_sge;
u32 ring_id, doorbell = 0;
u32 doorbell_offset;
-   u16 prod = 0, cons;
-   u16 index;
+   u16 prod, pi;
 
phwi_ctrlr = phba->phwi_ctrlr;
pasync_ctx = HWI_GET_ASYNC_PDU_CTX(phwi_ctrlr, ulp_num);
if (header) {
-   cons = pasync_ctx->async_header.free_entries;
-   hfree_list = _ctx->async_header.free_list;
+   pasync_sge = pasync_ctx->async_header.ring_base;
+   pi = pasync_ctx->async_header.pi;
ring_id = phwi_ctrlr->default_pdu_hdr[ulp_num].id;
doorbell_offset = phwi_ctrlr->default_pdu_hdr[ulp_num].
doorbell_offset;
} else {
-   cons = pasync_ctx->async_data.free_entries;
-   hfree_list = _ctx->async_data.free_list;
+   pasync_sge = pasync_ctx->async_data.ring_base;
+   pi = pasync_ctx->async_data.pi;
ring_id = phwi_ctrlr->default_pdu_data[ulp_num].id;
doorbell_offset = phwi_ctrlr->default_pdu_data[ulp_num].
doorbell_offset;
}
-   /* number of entries posted must be in multiples of 8 */
-   if (cons % 8)
-   return;
 
-   list_for_each_entry_safe(pasync_handle, tmp, hfree_list, link) {
-   list_del_init(_handle->link);
-   pasync_handle->is_final = 0;
-   pasync_handle->buffer_len = 0;
-
-   /* handles can be consumed out of order, use index in handle */
-   index = pasync_handle->index;
-   WARN_ON(pasync_handle->is_header != header);
+   for (prod = 0; prod < nbuf; prod++) {
if (header)
-   slot = _ctx->async_entry[index].header;
+   pasync_handle = pasync_ctx->async_entry[pi].header;
else
-   slot = _ctx->async_entry[index].data;
-   /**
-* The slot just tracks handle's hold and release, so
-* overwriting at the same index won't do any harm but
-* needs to be caught.
-

[PATCH v2 09/10] be2iscsi: Update Copyright

[Jitendra Bhivare]

Update Broadcom Copyright markings in all files.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be.h   | 11 ---
 drivers/scsi/be2iscsi/be_cmds.c  | 11 ---
 drivers/scsi/be2iscsi/be_cmds.h  | 11 ---
 drivers/scsi/be2iscsi/be_iscsi.c | 13 -
 drivers/scsi/be2iscsi/be_iscsi.h | 13 -
 drivers/scsi/be2iscsi/be_main.c  | 13 -
 drivers/scsi/be2iscsi/be_main.h  | 13 -
 drivers/scsi/be2iscsi/be_mgmt.c  | 13 -
 drivers/scsi/be2iscsi/be_mgmt.h  | 13 -
 9 files changed, 36 insertions(+), 75 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be.h b/drivers/scsi/be2iscsi/be.h
index 4dd8de4..55e3f8b 100644
--- a/drivers/scsi/be2iscsi/be.h
+++ b/drivers/scsi/be2iscsi/be.h
@@ -1,18 +1,15 @@
-/**
- * Copyright (C) 2005 - 2016 Broadcom
- * All rights reserved.
+/*
+ * Copyright??2017 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Limited and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.  The full GNU General
+ * as published by the Free Software Foundation. The full GNU General
  * Public License is included in this distribution in the file called COPYING.
  *
  * Contact Information:
  * linux-driv...@broadcom.com
  *
- * Emulex
- *  Susan Street
- * Costa Mesa, CA 92626
  */
 
 #ifndef BEISCSI_H
diff --git a/drivers/scsi/be2iscsi/be_cmds.c b/drivers/scsi/be2iscsi/be_cmds.c
index d14ddb2..a79a5e7 100644
--- a/drivers/scsi/be2iscsi/be_cmds.c
+++ b/drivers/scsi/be2iscsi/be_cmds.c
@@ -1,18 +1,15 @@
-/**
- * Copyright (C) 2005 - 2016 Broadcom
- * All rights reserved.
+/*
+ * Copyright??2017 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Limited and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.  The full GNU General
+ * as published by the Free Software Foundation. The full GNU General
  * Public License is included in this distribution in the file called COPYING.
  *
  * Contact Information:
  * linux-driv...@broadcom.com
  *
- * Emulex
- *  Susan Street
- * Costa Mesa, CA 92626
  */
 
 #include 
diff --git a/drivers/scsi/be2iscsi/be_cmds.h b/drivers/scsi/be2iscsi/be_cmds.h
index 88fe731..d9b6773 100644
--- a/drivers/scsi/be2iscsi/be_cmds.h
+++ b/drivers/scsi/be2iscsi/be_cmds.h
@@ -1,18 +1,15 @@
-/**
- * Copyright (C) 2005 - 2016 Broadcom
- * All rights reserved.
+/*
+ * Copyright??2017 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Limited and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.  The full GNU General
+ * as published by the Free Software Foundation. The full GNU General
  * Public License is included in this distribution in the file called COPYING.
  *
  * Contact Information:
  * linux-driv...@broadcom.com
  *
- * Emulex
- *  Susan Street
- * Costa Mesa, CA 92626
  */
 
 #ifndef BEISCSI_CMDS_H
diff --git a/drivers/scsi/be2iscsi/be_iscsi.c b/drivers/scsi/be2iscsi/be_iscsi.c
index 2af714f..2e47b49 100644
--- a/drivers/scsi/be2iscsi/be_iscsi.c
+++ b/drivers/scsi/be2iscsi/be_iscsi.c
@@ -1,20 +1,15 @@
-/**
- * Copyright (C) 2005 - 2016 Broadcom
- * All rights reserved.
+/*
+ * Copyright??2017 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Limited and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.  The full GNU General
+ * as published by the Free Software Foundation. The full GNU General
  * Public License is included in this distribution in the file called COPYING.
  *
- * Written by: Jayamohan Kallickal (jayamohan.kallic...@broadcom.com)
- *
  * Contact Information:
  * linux-driv...@broadcom.com
  *
- * Emulex
- *  Susan Street
- * Costa Mesa, CA 92626
  */
 
 #include 
diff --git a/drivers/scsi/be2iscsi/be_iscsi.h b/drivers/scsi/be2iscsi/be_iscsi.h
index e4d67df..b9d459a 100644
--- a/drivers/scsi/be2iscsi/be_iscsi.h
+++ b/drivers/scsi/be2iscsi/be_iscsi.h
@@ -1,20 +1,15 @@
-/**
- * Copyright (C) 2005 - 2016 Broadcom
- * All rights reserved.
+/*
+ * Copyright??2017 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Limited and/or its subsidiaries.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.  The full GNU General
+ * as 

[PATCH v2 03/10] be2iscsi: Replace spin_unlock_bh with spin_lock

[Jitendra Bhivare]

spin_unlock_bh back_lock is used in beiscsi_eh_device_reset instead of
spin_lock.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index 32b2713..ff48573 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -337,7 +337,7 @@ static int beiscsi_eh_device_reset(struct scsi_cmnd *sc)
inv_tbl->task[nents] = task;
nents++;
}
-   spin_unlock_bh(>back_lock);
+   spin_unlock(>back_lock);
spin_unlock_bh(>frwd_lock);
 
rc = SUCCESS;
-- 
2.7.4

[PATCH v2 05/10] be2iscsi: Increase HDQ default queue size

[Jitendra Bhivare]

Currently, ASYNC PDU default queue size is set to max connections.
This leaves only one buffer per connection for any ASYNC PDUs from
targets.

Double the size of the default queue.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.c | 29 ++---
 drivers/scsi/be2iscsi/be_main.h |  4 +++-
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index ff48573..b76fd26 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -636,7 +636,6 @@ static void beiscsi_get_params(struct beiscsi_hba *phba)
(total_cid_count +
 BE2_TMFS + BE2_NOPOUT_REQ));
phba->params.cxns_per_ctrl = total_cid_count;
-   phba->params.asyncpdus_per_ctrl = total_cid_count;
phba->params.icds_per_ctrl = total_icd_count;
phba->params.num_sge_per_io = BE2_SGE;
phba->params.defpdu_hdr_sz = BE2_DEFPDU_HDR_SZ;
@@ -2407,22 +2406,22 @@ static void beiscsi_find_mem_req(struct beiscsi_hba 
*phba)
if (test_bit(ulp_num, >fw_config.ulp_supported)) {
 
num_async_pdu_buf_sgl_pages =
-   PAGES_REQUIRED(BEISCSI_GET_CID_COUNT(
+   PAGES_REQUIRED(BEISCSI_ASYNC_HDQ_SIZE(
   phba, ulp_num) *
   sizeof(struct phys_addr));
 
num_async_pdu_buf_pages =
-   PAGES_REQUIRED(BEISCSI_GET_CID_COUNT(
+   PAGES_REQUIRED(BEISCSI_ASYNC_HDQ_SIZE(
   phba, ulp_num) *
   phba->params.defpdu_hdr_sz);
 
num_async_pdu_data_pages =
-   PAGES_REQUIRED(BEISCSI_GET_CID_COUNT(
+   PAGES_REQUIRED(BEISCSI_ASYNC_HDQ_SIZE(
   phba, ulp_num) *
   phba->params.defpdu_data_sz);
 
num_async_pdu_data_sgl_pages =
-   PAGES_REQUIRED(BEISCSI_GET_CID_COUNT(
+   PAGES_REQUIRED(BEISCSI_ASYNC_HDQ_SIZE(
   phba, ulp_num) *
   sizeof(struct phys_addr));
 
@@ -2459,21 +2458,21 @@ static void beiscsi_find_mem_req(struct beiscsi_hba 
*phba)
mem_descr_index = (HWI_MEM_ASYNC_HEADER_HANDLE_ULP0 +
  (ulp_num * MEM_DESCR_OFFSET));
phba->mem_req[mem_descr_index] =
- BEISCSI_GET_CID_COUNT(phba, ulp_num) *
- sizeof(struct hd_async_handle);
+   BEISCSI_ASYNC_HDQ_SIZE(phba, ulp_num) *
+   sizeof(struct hd_async_handle);
 
mem_descr_index = (HWI_MEM_ASYNC_DATA_HANDLE_ULP0 +
  (ulp_num * MEM_DESCR_OFFSET));
phba->mem_req[mem_descr_index] =
- BEISCSI_GET_CID_COUNT(phba, ulp_num) *
- sizeof(struct hd_async_handle);
+   BEISCSI_ASYNC_HDQ_SIZE(phba, ulp_num) *
+   sizeof(struct hd_async_handle);
 
mem_descr_index = (HWI_MEM_ASYNC_PDU_CONTEXT_ULP0 +
  (ulp_num * MEM_DESCR_OFFSET));
phba->mem_req[mem_descr_index] =
- sizeof(struct hd_async_context) +
-(BEISCSI_GET_CID_COUNT(phba, ulp_num) *
- sizeof(struct hd_async_entry));
+   sizeof(struct hd_async_context) +
+   (BEISCSI_ASYNC_HDQ_SIZE(phba, ulp_num) *
+sizeof(struct hd_async_entry));
}
}
 }
@@ -2757,7 +2756,7 @@ static int hwi_init_async_pdu_ctx(struct beiscsi_hba 
*phba)
((long unsigned int)pasync_ctx +
sizeof(struct hd_async_context));
 
-   pasync_ctx->num_entries = BEISCSI_GET_CID_COUNT(phba,
+   pasync_ctx->num_entries = BEISCSI_ASYNC_HDQ_SIZE(phba,
  ulp_num);
/* setup header buffers */
mem_descr = (struct be_mem_descriptor *)phba->init_mem;
@@ -2895,7 +2894,7 @@ static int hwi_init_async_pdu_ctx(struct beiscsi_hba 
*phba)

[PATCH v2 04/10] scsi_transport_iscsi: Use flush_work in iscsi_remove_session

[Jitendra Bhivare]

scsi_flush_work flushes workqueue for the Scsi_Host.
In iSCSI offload enabled host, this would wait for all other
sessions under the host.

Use flush_work for the session being removed instead.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/scsi_transport_iscsi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_transport_iscsi.c 
b/drivers/scsi/scsi_transport_iscsi.c
index 568c9f2..a424eae 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -2158,7 +2158,6 @@ static int iscsi_iter_destroy_conn_fn(struct device *dev, 
void *data)
 
 void iscsi_remove_session(struct iscsi_cls_session *session)
 {
-   struct Scsi_Host *shost = iscsi_session_to_shost(session);
unsigned long flags;
int err;
 
@@ -2185,7 +2184,7 @@ void iscsi_remove_session(struct iscsi_cls_session 
*session)
 
scsi_target_unblock(>dev, SDEV_TRANSPORT_OFFLINE);
/* flush running scans then delete devices */
-   scsi_flush_work(shost);
+   flush_work(>scan_work);
__iscsi_unbind_session(>unbind_work);
 
/* hw iscsi may not have removed all connections from session */
-- 
2.7.4

[PATCH v2 10/10] be2iscsi: Update driver version

[Jitendra Bhivare]

Version 11.4.0.0

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.h b/drivers/scsi/be2iscsi/be_main.h
index c6b95dc..ee18a95 100644
--- a/drivers/scsi/be2iscsi/be_main.h
+++ b/drivers/scsi/be2iscsi/be_main.h
@@ -31,7 +31,7 @@
 #include 
 
 #define DRV_NAME   "be2iscsi"
-#define BUILD_STR  "11.2.1.0"
+#define BUILD_STR  "11.4.0.0"
 #define BE_NAME"Emulex OneConnect" \
"Open-iSCSI Driver version" BUILD_STR
 #define DRV_DESC   BE_NAME " " "Driver"
-- 
2.7.4

[PATCH v2 00/10] be2iscsi: driver update 11.4.0.0

[Jitendra Bhivare]

This patch is generated against for-next branch.

v2 changes:
 +be2iscsi: Update Copyright

Jitendra Bhivare (10):
  be2iscsi: Check tag in beiscsi_mccq_compl_wait
  be2iscsi: Fix closing of connection
  be2iscsi: Replace spin_unlock_bh with spin_lock
  scsi_transport_iscsi: Use flush_work in iscsi_remove_session
  be2iscsi: Increase HDQ default queue size
  be2iscsi: Use num_cons field in Rx CQE
  be2iscsi: Remove free_list for ASYNC handles
  be2iscsi: Check size before copying ASYNC handle
  be2iscsi: Update Copyright
  be2iscsi: Update driver version

 drivers/scsi/be2iscsi/be.h  |  12 +-
 drivers/scsi/be2iscsi/be_cmds.c |  17 ++-
 drivers/scsi/be2iscsi/be_cmds.h |  74 +-
 drivers/scsi/be2iscsi/be_iscsi.c| 111 ---
 drivers/scsi/be2iscsi/be_iscsi.h|  13 +-
 drivers/scsi/be2iscsi/be_main.c | 270 +++-
 drivers/scsi/be2iscsi/be_main.h |  28 ++--
 drivers/scsi/be2iscsi/be_mgmt.c | 140 +--
 drivers/scsi/be2iscsi/be_mgmt.h |  43 ++
 drivers/scsi/scsi_transport_iscsi.c |   3 +-
 10 files changed, 319 insertions(+), 392 deletions(-)

-- 
2.7.4

[PATCH v2 01/10] be2iscsi: Check tag in beiscsi_mccq_compl_wait

[Jitendra Bhivare]

scsi host12: BS_1377 : mgmt_invalidate_connection Failed for cid=256
BUG: unable to handle kernel NULL pointer dereference at 0008
IP: [] __list_add+0xf/0xc0
PGD 0
Oops:  [#1] SMP
Modules linked in:
...
CPU: 9 PID: 1542 Comm: iscsid Tainted: G    T 
3.10.0-514.el7.x86_64 #1
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 09/12/2016
task: 88076f310fb0 ti: 88076bba8000 task.ti: 88076bba8000
RIP: 0010:[]  [] __list_add+0xf/0xc0
RSP: 0018:88076bbab8e8  EFLAGS: 00010046
RAX: 0246 RBX: 88076bbab990 RCX: 
RDX:  RSI: 880468badf58 RDI: 88076bbab990
RBP: 88076bbab900 R08: 0246 R09: 20de
R10:  R11: 88076bbab5be R12: 
R13: 880468badf58 R14: 0001adb0 R15: 88076f310fb0
FS:  7f377124a880() GS:88046fa4() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0008 CR3: 000771318000 CR4: 001407e0
DR0:  DR1:  DR2: 
DR3:  DR6: 0ff0 DR7: 0400
Stack:
88076bbab990 880468badf50 0001 88076bbab938
810b128b 0246 cf9b7040 880468bac7a0
 880468bac7a0 88076bbab9d0 a05a6ea3

Call Trace:
[] prepare_to_wait+0x7b/0x90
[] beiscsi_mccq_compl_wait+0x153/0x330 [be2iscsi]
[] ? wake_up_atomic_t+0x30/0x30
[] beiscsi_ep_disconnect+0x91/0x2d0 [be2iscsi]
[] iscsi_if_ep_disconnect.isra.14+0x5a/0x70 
[scsi_transport_iscsi]
[] iscsi_if_recv_msg+0x113b/0x14a0 [scsi_transport_iscsi]
[] ? __kmalloc_node_track_caller+0x58/0x290
[] iscsi_if_rx+0x8e/0x1f0 [scsi_transport_iscsi]
[] netlink_unicast+0xed/0x1b0
[] netlink_sendmsg+0x31e/0x690
[] ? netlink_rcv_wake+0x44/0x60
[] ? netlink_recvmsg+0x1e3/0x450

beiscsi_mccq_compl_wait gets called even when MCC tag allocation failed
for mgmt_invalidate_connection.
mcc_wait is not initialized for tag 0 so causes crash in prepare_to_wait.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_cmds.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/be2iscsi/be_cmds.c b/drivers/scsi/be2iscsi/be_cmds.c
index 5d59e263..d14ddb2 100644
--- a/drivers/scsi/be2iscsi/be_cmds.c
+++ b/drivers/scsi/be2iscsi/be_cmds.c
@@ -246,6 +246,12 @@ int beiscsi_mccq_compl_wait(struct beiscsi_hba *phba,
 {
int rc = 0;
 
+   if (!tag || tag > MAX_MCC_CMD) {
+   __beiscsi_log(phba, KERN_ERR,
+ "BC_%d : invalid tag %u\n", tag);
+   return -EINVAL;
+   }
+
if (beiscsi_hba_in_error(phba)) {
clear_bit(MCC_TAG_STATE_RUNNING,
  >ctrl.ptag_state[tag].tag_state);
-- 
2.7.4

[PATCH v2 08/10] be2iscsi: Check size before copying ASYNC handle

[Jitendra Bhivare]

Data in buffers are gathered into a single buffer before giving to
iSCSI layer. Though less likely to have payload more than 8K in
ASYNC PDU, the data length is provide by FW and check is missing
for overrun.

Signed-off-by: Jitendra Bhivare 
---
 drivers/scsi/be2iscsi/be_main.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index ee1f1c4..4b668c4 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -1611,6 +1611,10 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
dlen = pasync_handle->buffer_len;
continue;
}
+   if (!pasync_handle->buffer_len ||
+   (dlen + pasync_handle->buffer_len) >
+   pasync_ctx->async_data.buffer_size)
+   break;
memcpy(pdata + dlen, pasync_handle->pbuffer,
   pasync_handle->buffer_len);
dlen += pasync_handle->buffer_len;
@@ -1619,8 +1623,9 @@ beiscsi_hdl_fwd_pdu(struct beiscsi_conn *beiscsi_conn,
if (!plast_handle->is_final) {
/* last handle should have final PDU notification from FW */
beiscsi_log(phba, KERN_ERR, BEISCSI_LOG_ISCSI,
-   "BM_%d : cid %u %p fwd async PDU with last handle 
missing - HL%u:DN%u:DR%u\n",
+   "BM_%d : cid %u %p fwd async PDU opcode %x with 
last handle missing - HL%u:DN%u:DR%u\n",
beiscsi_conn->beiscsi_conn_cid, plast_handle,
+   AMAP_GET_BITS(struct amap_pdu_base, opcode, phdr),
pasync_ctx->async_entry[cri].wq.hdr_len,
pasync_ctx->async_entry[cri].wq.bytes_needed,
pasync_ctx->async_entry[cri].wq.bytes_received);
-- 
2.7.4

Re: [PATCH] scsi: sr: fix oob access in get_capabilities

[Martin K. Petersen]

Kefeng Wang  writes:

Kefeng,

> 'n = header_length + block_descriptor_length' could be greater than 512,
> and will lead to oob access, so enlarge transfer buffer to fix it.

Can you share the output of sg_modes -p 0x2a /dev/srN for the offending
drive?

This mode page is usually much smaller than 512 bytes (typically between
32 and 128 bytes).

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [patch] check length passed to SG_NEXT_CMD_LEN

[Martin K. Petersen]

Peter Chang  writes:

> now that i think i've got gmail not marking everything as spam...

Doug?

>From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001
From: peter chang 
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: [PATCH] [sg] check length passed to SG_NEXT_CMD_LEN

the user can control the size of the next command passed along, but
the value passed to the ioctl isn't checked against the usable
max command size.

Change-Id: I9ac2ae07c35cf5fda62d7afad32c8d9ab6a9ea1d
Tested: sanity checked w/ calling the ioctl w/ a bogus size
---
 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 9c5c5f2b3962..b47a369cb71c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -976,6 +976,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned 
long arg)
result = get_user(val, ip);
if (result)
return result;
+   if (val > SG_MAX_CDB_SIZE)
+   return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
-- 
2.12.0.rc1.440.g5b76565f74-goog

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] enclosure: fix sysfs symlinks creation when using multipath

[Martin K. Petersen]

Maurizio Lombardi  writes:

> With multipath, it may happen that the same device is passed to
> enclosure_add_device() multiple times and that the
> enclosure_add_links() function fails to create the symlinks because
> the device's sysfs directory entry is still NULL.  In this case, the
> links will never be created because all the subsequent calls to
> enclosure_add_device() will immediately fail with EEXIST.

James?

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH v2] scsi_sysfs: fix hang when removing scsi device

[Bart Van Assche]

On Tue, 2017-03-14 at 16:23 +0200, Israel Rukshin wrote:
> Patch number 5 doesn't handle the case when device_for_each_child() is 
> called. device_for_each_child() calls to target_unblock() that uses also 
> starget_for_each_device(). After applying also the following change the
> hang disappeared but it didn't fix the warning. Those fixes are not enough
> because if fast_io_fail_tmo is set to infinity then the hang will remain,
> because only __rport_fail_io_fast() calls to scsi_target_unblock() and 
> terminate_rport_io() that free the sync cache command.
> 
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index e5d4b50..09f9566 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -3068,9 +3068,15 @@ void scsi_device_resume(struct scsi_device *sdev)
>   static int
>   target_unblock(struct device *dev, void *data)
>   {
> -   if (scsi_is_target_device(dev))
> -   starget_for_each_device(to_scsi_target(dev), data,
> -   device_unblock);
> +   if (scsi_is_target_device(dev)) {
> +   struct scsi_target *starget = to_scsi_target(dev);
> +   struct Scsi_Host *shost = dev_to_shost(dev->parent);
> +   unsigned long flags;
> +
> +   spin_lock_irqsave(shost->host_lock, flags);
> +   __starget_for_each_device(starget, data, device_unblock);
> +   spin_unlock_irqrestore(shost->host_lock, flags);
> +   }
>  return 0;
>   }

Hello Israel,

Regarding setting fast_io_fail_tmo to infinity: that does not prevent
kernel module unloading because srp_timed_out() stops resetting the
timer as soon as the SCSI device is unblocked. The above patch should
realize that but suffers from the same issue as a patch attached to
my previous e-mail, namely lock inversion. For at least the following
call chain the block layer queue lock is the outer lock and the SCSI
host lock is the inner lock:
ata_qc_schedule_eh()
-> blk_abort_request()
  -> blk_mq_rq_timed_out()
-> scsi_timeout()
  -> scsi_times_out()
-> scsi_eh_scmd_add()

So I think we should avoid introducing code with the SCSI host lock
as outer lock and the block layer queue lock as inner lock. How about
the attached four patches?

Thanks,

Bart.From 458959938476788710738039a7c195e9c48ff338 Mon Sep 17 00:00:00 2001
From: Bart Van Assche 
Date: Mon, 13 Mar 2017 10:06:13 -0700
Subject: [PATCH 1/4] Warn if __scsi_remove_device() is called for a stopped
 queue

Calling __scsi_remove_device() for a stopped queue is a bug because
the device_del() call can trigger I/O and will trigger e.g. the
following hang:

Call Trace:
[] schedule+0x35/0x80
[] schedule_timeout+0x237/0x2d0
[] io_schedule_timeout+0xa6/0x110
[] wait_for_completion_io+0xa3/0x110
[] blk_execute_rq+0xdf/0x120
[] scsi_execute+0xce/0x150 [scsi_mod]
[] scsi_execute_req_flags+0x8f/0xf0 [scsi_mod]
[] sd_sync_cache+0xa9/0x190 [sd_mod]
[] sd_shutdown+0x6a/0x100 [sd_mod]
[] sd_remove+0x64/0xc0 [sd_mod]
[] __device_release_driver+0x8d/0x120
[] device_release_driver+0x1e/0x30
[] bus_remove_device+0xf9/0x170
[] device_del+0x127/0x240
[] __scsi_remove_device+0xc1/0xd0 [scsi_mod]
[] scsi_forget_host+0x57/0x60 [scsi_mod]
[] scsi_remove_host+0x72/0x110 [scsi_mod]
[] srp_remove_work+0x8b/0x200 [ib_srp]

Reported-by: Israel Rukshin 
Signed-off-by: Bart Van Assche 
---
 drivers/scsi/scsi_sysfs.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 82dfe07b1d47..bbe7efd144b2 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1274,6 +1274,12 @@ void __scsi_remove_device(struct scsi_device *sdev)
 	struct device *dev = >sdev_gendev;
 
 	/*
+	 * Calling __scsi_remove_device() for a stopped queue is a bug because
+	 * the device_del() call can trigger I/O. See also sd_remove().
+	 */
+	WARN_ON_ONCE(blk_queue_stopped(sdev->request_queue));
+
+	/*
 	 * This cleanup path is not reentrant and while it is impossible
 	 * to get a new reference with scsi_device_get() someone can still
 	 * hold a previously acquired one.
-- 
2.12.0

From b86b5087698c73f5fdd8cc9fa18ed3f1e9e174bb Mon Sep 17 00:00:00 2001
From: Bart Van Assche 
Date: Wed, 15 Mar 2017 15:12:43 -0700
Subject: [PATCH 2/4] __scsi_iterate_devices(): Make the get and put functions
 arguments

This patch does not change any functionality.

Signed-off-by: Bart Van Assche 
Cc: 
---
 drivers/scsi/scsi.c|  8 +---
 include/scsi/scsi_device.h | 16 +++-
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index b3bb49d06943..45c266009f20 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -609,7 +609,9 @@ EXPORT_SYMBOL(scsi_device_put);
 
 /* helper for shost_for_each_device, 

mptsas doesn't detect hot-added disk drives in ESX guest

[Brian De Wolf]

Hello, I'm looking for some help tracking down why I can no longer
hot-add disks to my virtual machines.  They are guests on ESXi 6.0
using the LSI Logic SAS controller emulation, using the mptsas kernel
module.  At some point between 3.18.27 and 4.4.50, we lost the ability
to hot-add disks to the guest machines.  Even echoing "- - -"
into /sys/.../scan doesn't cause the new disks to show up.

I performed a bisect between 3.18 and 4.4.50 where I built the kernel,
rebooted, and attached a disk, marking it as bad if mptsas did not see
the new disk.  It ended at the commit:

1bd04bf timer: Remove FIFO "guarantee"

This commit mentions

It's a seperate patch so any (unlikely to happen) regression caused by
this can be identified clearly.

so I'm not sure if I've run into an unlikely regression or if my
testing procedure was buggy.

I also reproduced the issue using an Arch linux live CD running
4.9.11.  I suspect this issue hasn't been noticed in the more stable
distros yet because they're still mostly pre-4.0.

The issue doesn't show up if I use pvscsi, which will probably be our
long-term solution.

Anyone know if this is a known issue?  Is there anything else I should
try or anyone I should notify?

Re: [PATCH] aacraid: Fix potential null access

[Martin K. Petersen]

Raghava Aditya Renukunta  writes:

> Reported-by: Tomas Henzl 

...and another mangled email address.

Fixed it up.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] drivers, scsi: convert iscsi_task.refcount from atomic_t to refcount_t

[Martin K. Petersen]

Elena Reshetova  writes:

> refcount_t type and corresponding API should be used instead of
> atomic_t when the variable is used as a reference counter. This allows
> to avoid accidental refcounter overflows that might lead to
> use-after-free situations.

Applied to 4.12/scsi-queue.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH] drivers, scsi: convert fc_fcp_pkt.ref_cnt from atomic_t to refcount_t

[Martin K. Petersen]

Elena Reshetova  writes:

> refcount_t type and corresponding API should be used instead of
> atomic_t when the variable is used as a reference counter. This allows
> to avoid accidental refcounter overflows that might lead to
> use-after-free situations.

Applied to 4.12/scsi-queue.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [scsi] scsi: ufshcd-platform: remove the useless cast in ERR_PTR/IS_ERR

[Martin K. Petersen]

Tomas Winkler  writes:

> IS_ERR and ERR_PTR already forcefully cast their argument, hence there
> is no need for additional (complex) casting.

Applied to 4.11/scsi-fixes.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [scsi] scsi: ufshcd-platform: remove the useless cast in ERR_PTR/IS_ERR

[Subhash Jadavani]

On 2017-03-14 05:19, Tomas Winkler wrote:

IS_ERR and ERR_PTR already forcefully cast their argument,
hence there is no need for additional (complex) casting.

Signed-off-by: Tomas Winkler 
---
 drivers/scsi/ufs/ufshcd-pltfrm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c 
b/drivers/scsi/ufs/ufshcd-pltfrm.c

index a72a4ba78125..8e5e6c04c035 100644
--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
+++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
@@ -309,8 +309,8 @@ int ufshcd_pltfrm_init(struct platform_device 
*pdev,


mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
mmio_base = devm_ioremap_resource(dev, mem_res);
-   if (IS_ERR(*(void **)_base)) {
-   err = PTR_ERR(*(void **)_base);
+   if (IS_ERR(mmio_base)) {
+   err = PTR_ERR(mmio_base);
goto out;
}


LGTM.
Reviewed-by: Subhash Jadavani 

--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project

Re: [PATCH] qedi: Add PCI device-ID for QL41xxx adapters.

[Martin K. Petersen]

Manish Rangankar  writes:

Applied to 4.11/scsi-fixes.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [scsi] scsi: ufs: don't check unsigned type for a negative value

[Subhash Jadavani]

On 2017-03-15 10:26, James Bottomley wrote:

On Mon, 2017-03-13 at 17:19 -0700, Subhash Jadavani wrote:

On 2017-03-12 03:22, Tomas Winkler wrote:
> Fix compilation warning
>
> drivers/scsi/ufs/ufshcd.c:7645:13: warning: comparison of unsigned
> expression < 0 is always false [-Wtype-limits]
> if ((value < UFS_PM_LVL_0) || (value >= UFS_PM_LVL_MAX))
>
> Signed-off-by: Tomas Winkler 
> ---
>  drivers/scsi/ufs/ufshcd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> index 1359913bf840..e8c26e6e6237 100644
> --- a/drivers/scsi/ufs/ufshcd.c
> +++ b/drivers/scsi/ufs/ufshcd.c
> @@ -7642,7 +7642,7 @@ static inline ssize_t
> ufshcd_pm_lvl_store(struct
> device *dev,
>if (kstrtoul(buf, 0, ))
>return -EINVAL;
>
> -  if ((value < UFS_PM_LVL_0) || (value >= UFS_PM_LVL_MAX))
> +  if (value >= UFS_PM_LVL_MAX)
>return -EINVAL;
>
>spin_lock_irqsave(hba->host->host_lock, flags);

LGTM.
Reviewed-by: Subhash Jadavani 


Mis-spelling someone else's email can be cut and paste; mis-spelling
your own might be the early indications of an identity crisis.

We do cut and paste these tags, so getting your own name right for the
purposes of git history is useful.

James


Oops, sorry for this. If you haven't already corrected this:
Reviewed-by: Subhash Jadavani 



--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project

Re: [PATCH] aacraid: Fix potential null access

[Martin K. Petersen]

Raghava Aditya Renukunta  writes:

> Currently command threads fails to return ioctls commands for older
> controller versions, since it returns when all the fibs have been
> allocated. Another issue is even all the fibs have not been allocated,
> the correct allocated fibs is not updated nor freed.

Applied to 4.11/scsi-fixes.

-- 
Martin K. Petersen  Oracle Linux Engineering

Re: [PATCH V2] qla2xxx: Fix crash in qla2xxx_eh_abort on bad ptr

[Martin K. Petersen]

Bill Kuzeja  writes:

> After a Qlogic card breaks when initializing (test case), the system can
> crash in qla2xxx_eh_abort if processing anything but a scsi command type 
> srb.

Applied to 4.11/scsi-fixes.

-- 
Martin K. Petersen  Oracle Linux Engineering

RE: [PATCH] aacraid: Fix potential null access

[Dave Carroll]

> -Original Message-
> From: Raghava Aditya Renukunta
> [mailto:raghavaaditya.renuku...@microsemi.com]
> Sent: Tuesday, March 14, 2017 10:20 AM
> To: j...@linux.vnet.ibm.com; martin.peter...@oracle.com; linux-
> s...@vger.kernel.org
> Cc: Dave Carroll; Gana Sridaran; Scott Benesh; Tomas Henzl
> Subject: [PATCH] aacraid: Fix potential null access
> 
> Currently command threads fails to return ioctls commands for older
> controller versions, since it returns when all the fibs have been allocated.
> Another issue is even all the fibs have not been allocated, the correct
> allocated fibs is not updated nor freed.
> 
> Fixes: 113156bcea9ef1e6 (scsi: aacraid: Reworked aac_command_thread)
> Reported-by: Tomas Henzl 
> 
> Signed-off-by: Raghava Aditya Renukunta
> 
> ---
>  drivers/scsi/aacraid/commsup.c | 14 ++
>  1 file changed, 6 insertions(+), 8 deletions(-)
> 
Reviewed-by: Dave Carroll 

[PATCH 1/6] ipr: Fix missed EH wakeup

[Brian King]

Following a command abort or device reset, ipr's EH handlers wait
for the commands getting aborted to get sent back from the adapter
prior to returning from the EH handler. This fixes up some cases
where the completion handler was not getting called, which would
have resulted in the EH thread waiting until it timed out, greatly
extending EH time.

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.c |   16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_fix_missed_eh_wakeup drivers/scsi/ipr.c
--- linux-2.6.git/drivers/scsi/ipr.c~ipr_fix_missed_eh_wakeup   2017-03-13 
14:52:17.974545318 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.c2017-03-13 17:03:13.635568644 
-0500
@@ -836,8 +836,10 @@ static void ipr_sata_eh_done(struct ipr_
 
qc->err_mask |= AC_ERR_OTHER;
sata_port->ioasa.status |= ATA_BUSY;
-   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
ata_qc_complete(qc);
+   if (ipr_cmd->eh_comp)
+   complete(ipr_cmd->eh_comp);
+   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
 }
 
 /**
@@ -5947,8 +5949,10 @@ static void ipr_erp_done(struct ipr_cmnd
res->in_erp = 0;
}
scsi_dma_unmap(ipr_cmd->scsi_cmd);
-   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
scsi_cmd->scsi_done(scsi_cmd);
+   if (ipr_cmd->eh_comp)
+   complete(ipr_cmd->eh_comp);
+   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
 }
 
 /**
@@ -6338,8 +6342,10 @@ static void ipr_erp_start(struct ipr_ioa
}
 
scsi_dma_unmap(ipr_cmd->scsi_cmd);
-   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
scsi_cmd->scsi_done(scsi_cmd);
+   if (ipr_cmd->eh_comp)
+   complete(ipr_cmd->eh_comp);
+   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
 }
 
 /**
@@ -6365,8 +6371,10 @@ static void ipr_scsi_done(struct ipr_cmn
scsi_dma_unmap(scsi_cmd);
 
spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
-   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
scsi_cmd->scsi_done(scsi_cmd);
+   if (ipr_cmd->eh_comp)
+   complete(ipr_cmd->eh_comp);
+   list_add_tail(_cmd->queue, _cmd->hrrq->hrrq_free_q);
spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
} else {
spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
_

[PATCH 3/6] ipr: Fix abort path race condition

[Brian King]

This fixes a race condition in the error handlomg paths of ipr. While a command 
is
outstanding to the adapter, it is placed on a pending queue for the hrrq it is
associated with, while holding the HRRQ lock. When a command is completed,
it is removed from the pending queue, under HRRQ lock, and placed on a local 
list.
This list is then iterated through without any locks and each command's done 
function
is invoked, inside of which, the command gets returned to the free list while 
grabbing
the HRRQ lock. This fixes two race conditions when commands have been removed 
from the
pending list but have not yet been added to the free list. Both of these changes
fix race conditions that could result in returning success from eh_abort_handler
and then later calling scsi_done for the same request.

The first race condition is in ipr_cancel_op. It looks through each pending 
queue
to see if the command to be aborted is still outstanding or not. Rather than
looking on the pending queue, reverse the logic to check to look for commands
that are NOT on the free queue.  The second race condition can occur when in
ipr_wait_for_ops where we are waiting for responses for commands we've aborted.

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.c |   64 ++---
 1 file changed, 47 insertions(+), 17 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_wait_for_ops_fixup2 drivers/scsi/ipr.c
--- linux-2.6.git/drivers/scsi/ipr.c~ipr_wait_for_ops_fixup22017-03-13 
15:55:24.902123623 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.c2017-03-13 15:55:24.908123599 
-0500
@@ -5008,6 +5008,25 @@ static int ipr_match_lun(struct ipr_cmnd
 }
 
 /**
+ * ipr_cmnd_is_free - Check if a command is free or not
+ * @ipr_cmdipr command struct
+ *
+ * Returns:
+ * true / false
+ **/
+static bool ipr_cmnd_is_free(struct ipr_cmnd *ipr_cmd)
+{
+   struct ipr_cmnd *loop_cmd;
+
+   list_for_each_entry(loop_cmd, _cmd->hrrq->hrrq_free_q, queue) {
+   if (loop_cmd == ipr_cmd)
+   return true;
+   }
+
+   return false;
+}
+
+/**
  * ipr_wait_for_ops - Wait for matching commands to complete
  * @ipr_cmd:   ipr command struct
  * @device:device to match (sdev)
@@ -5020,7 +5039,7 @@ static int ipr_wait_for_ops(struct ipr_i
int (*match)(struct ipr_cmnd *, void *))
 {
struct ipr_cmnd *ipr_cmd;
-   int wait;
+   int wait, i;
unsigned long flags;
struct ipr_hrr_queue *hrrq;
signed long timeout = IPR_ABORT_TASK_TIMEOUT;
@@ -5032,10 +5051,13 @@ static int ipr_wait_for_ops(struct ipr_i
 
for_each_hrrq(hrrq, ioa_cfg) {
spin_lock_irqsave(hrrq->lock, flags);
-   list_for_each_entry(ipr_cmd, >hrrq_pending_q, 
queue) {
-   if (match(ipr_cmd, device)) {
-   ipr_cmd->eh_comp = 
-   wait++;
+   for (i = hrrq->min_cmd_id; i <= hrrq->max_cmd_id; i++) {
+   ipr_cmd = ioa_cfg->ipr_cmnd_list[i];
+   if (!ipr_cmnd_is_free(ipr_cmd)) {
+   if (match(ipr_cmd, device)) {
+   ipr_cmd->eh_comp = 
+   wait++;
+   }
}
}
spin_unlock_irqrestore(hrrq->lock, flags);
@@ -5049,10 +5071,13 @@ static int ipr_wait_for_ops(struct ipr_i
 
for_each_hrrq(hrrq, ioa_cfg) {
spin_lock_irqsave(hrrq->lock, flags);
-   list_for_each_entry(ipr_cmd, 
>hrrq_pending_q, queue) {
-   if (match(ipr_cmd, device)) {
-   ipr_cmd->eh_comp = NULL;
-   wait++;
+   for (i = hrrq->min_cmd_id; i <= 
hrrq->max_cmd_id; i++) {
+   ipr_cmd = 
ioa_cfg->ipr_cmnd_list[i];
+   if (!ipr_cmnd_is_free(ipr_cmd)) 
{
+   if (match(ipr_cmd, 
device)) {
+   
ipr_cmd->eh_comp = NULL;
+   wait++;
+   }
}
}
spin_unlock_irqrestore(hrrq->lock, 
flags);
@@ -5219,7 +5244,7 @@ static int __ipr_eh_dev_reset(struct scs
struct ipr_ioa_cfg 

[PATCH 2/6] ipr: Remove redundant initialization

[Brian King]

Removes some code in __ipr_eh_dev_reset which was modifying the
ipr_cmd done function. This should have already been setup at
command allocation time and if its since been changed, it means
we are in the ipr_erp* functions and need to wait for them to
complete and don't want to override that here.

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.c |   11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_eh_dev_reset_unnecessary_reinit 
drivers/scsi/ipr.c
--- linux-2.6.git/drivers/scsi/ipr.c~ipr_eh_dev_reset_unnecessary_reinit
2017-03-13 15:53:29.636591281 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.c2017-03-13 15:53:29.642591257 
-0500
@@ -5243,12 +5243,11 @@ static int __ipr_eh_dev_reset(struct scs
spin_lock(>_lock);
list_for_each_entry(ipr_cmd, >hrrq_pending_q, queue) {
if (ipr_cmd->ioarcb.res_handle == res->res_handle) {
-   if (ipr_cmd->scsi_cmd)
-   ipr_cmd->done = ipr_scsi_eh_done;
-   if (ipr_cmd->qc)
-   ipr_cmd->done = ipr_sata_eh_done;
-   if (ipr_cmd->qc &&
-   !(ipr_cmd->qc->flags & ATA_QCFLAG_FAILED)) {
+   if (!ipr_cmd->qc)
+   continue;
+
+   ipr_cmd->done = ipr_sata_eh_done;
+   if (!(ipr_cmd->qc->flags & ATA_QCFLAG_FAILED)) {
ipr_cmd->qc->err_mask |= AC_ERR_TIMEOUT;
ipr_cmd->qc->flags |= ATA_QCFLAG_FAILED;
}
_

Re: [PATCH] efct: fix compilation warning about atomic_t usage

[Bart Van Assche]

On Wed, 2017-03-15 at 22:27 +0100, Sebastian Herbszt wrote:
> Use kref_read() instead of accessing the counter inside a kref.

Hello Sebastian,

It is a good habit for a patch that fixes a compilation warning to mention
the warning message that has been fixed in the patch description.

> @@ -3821,7 +3821,7 @@ efct_hw_io_free(struct efct_hw_s *hw, struct 
> efct_hw_io_s *io)
>  uint8_t
>  efct_hw_io_inuse(struct efct_hw_s *hw, struct efct_hw_io_s *io)
>  {
> - return (atomic_read(>ref.refcount) > 0);
> + return (kref_read(>ref) > 0);
>  }

A minor style comment: checkpatch should have told you that parentheses are
not necessary in a return statement ("return is not a function, parentheses
are not required").

Otherwise this patch looks fine to me.

Bart.

[PATCH 4/6] ipr: Error path locking fixes

[Brian King]

This patch closes up some potential race conditions observed in
the error handling paths in ipr while debugging an issue resulting
in a hang with SATA error handling. These patches ensure we are
holding the correct lock when adding and removing commands from
the free and pending queues in some error scenarios.

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.c |  106 ++---
 1 file changed, 93 insertions(+), 13 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_eh_locking_fixes drivers/scsi/ipr.c
--- linux-2.6.git/drivers/scsi/ipr.c~ipr_eh_locking_fixes   2017-03-13 
14:56:49.994452448 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.c2017-03-13 14:56:50.000452424 
-0500
@@ -820,7 +820,7 @@ static int ipr_set_pcix_cmd_reg(struct i
 }
 
 /**
- * ipr_sata_eh_done - done function for aborted SATA commands
+ * __ipr_sata_eh_done - done function for aborted SATA commands
  * @ipr_cmd:   ipr command struct
  *
  * This function is invoked for ops generated to SATA
@@ -829,7 +829,7 @@ static int ipr_set_pcix_cmd_reg(struct i
  * Return value:
  * none
  **/
-static void ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd)
+static void __ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd)
 {
struct ata_queued_cmd *qc = ipr_cmd->qc;
struct ipr_sata_port *sata_port = qc->ap->private_data;
@@ -843,7 +843,27 @@ static void ipr_sata_eh_done(struct ipr_
 }
 
 /**
- * ipr_scsi_eh_done - mid-layer done function for aborted ops
+ * ipr_sata_eh_done - done function for aborted SATA commands
+ * @ipr_cmd:   ipr command struct
+ *
+ * This function is invoked for ops generated to SATA
+ * devices which are being aborted.
+ *
+ * Return value:
+ * none
+ **/
+static void ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd)
+{
+   struct ipr_hrr_queue *hrrq = ipr_cmd->hrrq;
+   unsigned long hrrq_flags;
+
+   spin_lock_irqsave(>_lock, hrrq_flags);
+   __ipr_sata_eh_done(ipr_cmd);
+   spin_unlock_irqrestore(>_lock, hrrq_flags);
+}
+
+/**
+ * __ipr_scsi_eh_done - mid-layer done function for aborted ops
  * @ipr_cmd:   ipr command struct
  *
  * This function is invoked by the interrupt handler for
@@ -852,7 +872,7 @@ static void ipr_sata_eh_done(struct ipr_
  * Return value:
  * none
  **/
-static void ipr_scsi_eh_done(struct ipr_cmnd *ipr_cmd)
+static void __ipr_scsi_eh_done(struct ipr_cmnd *ipr_cmd)
 {
struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd;
 
@@ -866,6 +886,26 @@ static void ipr_scsi_eh_done(struct ipr_
 }
 
 /**
+ * ipr_scsi_eh_done - mid-layer done function for aborted ops
+ * @ipr_cmd:   ipr command struct
+ *
+ * This function is invoked by the interrupt handler for
+ * ops generated by the SCSI mid-layer which are being aborted.
+ *
+ * Return value:
+ * none
+ **/
+static void ipr_scsi_eh_done(struct ipr_cmnd *ipr_cmd)
+{
+   unsigned long hrrq_flags;
+   struct ipr_hrr_queue *hrrq = ipr_cmd->hrrq;
+
+   spin_lock_irqsave(>_lock, hrrq_flags);
+   __ipr_scsi_eh_done(ipr_cmd);
+   spin_unlock_irqrestore(>_lock, hrrq_flags);
+}
+
+/**
  * ipr_fail_all_ops - Fails all outstanding ops.
  * @ioa_cfg:   ioa config struct
  *
@@ -892,9 +932,9 @@ static void ipr_fail_all_ops(struct ipr_
cpu_to_be32(IPR_DRIVER_ILID);
 
if (ipr_cmd->scsi_cmd)
-   ipr_cmd->done = ipr_scsi_eh_done;
+   ipr_cmd->done = __ipr_scsi_eh_done;
else if (ipr_cmd->qc)
-   ipr_cmd->done = ipr_sata_eh_done;
+   ipr_cmd->done = __ipr_sata_eh_done;
 
ipr_trc_hook(ipr_cmd, IPR_TRACE_FINISH,
 IPR_IOASC_IOA_WAS_RESET);
@@ -5948,7 +5988,7 @@ static int ipr_build_ioadl(struct ipr_io
 }
 
 /**
- * ipr_erp_done - Process completion of ERP for a device
+ * __ipr_erp_done - Process completion of ERP for a device
  * @ipr_cmd:   ipr command struct
  *
  * This function copies the sense buffer into the scsi_cmd
@@ -5957,7 +5997,7 @@ static int ipr_build_ioadl(struct ipr_io
  * Return value:
  * nothing
  **/
-static void ipr_erp_done(struct ipr_cmnd *ipr_cmd)
+static void __ipr_erp_done(struct ipr_cmnd *ipr_cmd)
 {
struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd;
struct ipr_resource_entry *res = scsi_cmd->device->hostdata;
@@ -5985,6 +6025,26 @@ static void ipr_erp_done(struct ipr_cmnd
 }
 
 /**
+ * ipr_erp_done - Process completion of ERP for a device
+ * @ipr_cmd:   ipr command struct
+ *
+ * This function copies the sense buffer into the scsi_cmd
+ * struct and pushes the scsi_done function.
+ *
+ * Return value:
+ * nothing
+ **/
+static void ipr_erp_done(struct ipr_cmnd *ipr_cmd)
+{
+   struct ipr_hrr_queue *hrrq = ipr_cmd->hrrq;
+   unsigned long hrrq_flags;
+
+   spin_lock_irqsave(>_lock, hrrq_flags);
+   

[PATCH 6/6] ipr: Driver version 2.6.4

[Brian King]

Bump driver version

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.h |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff -puN drivers/scsi/ipr.h~ipr_version_2_6_4 drivers/scsi/ipr.h
--- linux-2.6.git/drivers/scsi/ipr.h~ipr_version_2_6_4  2017-03-14 
16:31:59.381210940 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.h2017-03-14 16:32:13.630137789 
-0500
@@ -39,8 +39,8 @@
 /*
  * Literals
  */
-#define IPR_DRIVER_VERSION "2.6.3"
-#define IPR_DRIVER_DATE "(October 17, 2015)"
+#define IPR_DRIVER_VERSION "2.6.4"
+#define IPR_DRIVER_DATE "(March 14, 2017)"
 
 /*
  * IPR_MAX_CMD_PER_LUN: This defines the maximum number of outstanding
_

[PATCH 5/6] ipr: Fix SATA EH hang

[Brian King]

This patch fixes a hang that can occur in ATA EH with ipr. With ipr's usage of
libata, commands should never end up on ap->eh_done_q. The timeout function we 
use
for ipr, even for SATA devices, is scsi_times_out, so ATA_QCFLAG_EH_SCHEDULED
never gets set for ipr and EH is driven completely by ipr and SCSI. The SCSI
EH thread ends up calling ipr's eh_device_reset_handler,
which then calls ata_std_error_handler. This ends up calling ipr_sata_reset,
which issues a reset to the device. This should result in all pending commands
getting failed back and having ata_qc_complete called for them, which should
end up clearing ATA_QCFLAG_FAILED as qc->flags gets zeroed in ata_qc_free.
This ensures that when we end up in ata_eh_finish, we don't do anything more
with the command.

On adapters that only support a single interrupt and when running with two MSI-X
vectors or less, the adapter firmware guarantees that responses to all 
outstanding
commands are sent back prior to sending the response to the SATA reset command.
On newer adapters supporting multiple HRRQs, however, this can no longer be 
guaranteed,
since the command responses and reset response may be processed on different 
HRRQs.

If ipr returns from ipr_sata_reset before the outstanding command was returned,
this sends us down the path of __ata_eh_qc_complete which then moves the 
associated
scsi_cmd from the work_q in scsi_eh_bus_device_reset to ap->eh_done_q,
which then will sit there forever and we will be wedged. 

This patch fixes this up by ensuring that any outstanding commands are flushed
before returning from eh_device_reset_handler for a SATA device.

Reported-by: David Jeffery 

Signed-off-by: Brian King 
---

 drivers/scsi/ipr.c |   62 +++--
 1 file changed, 41 insertions(+), 21 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_fix_sata_eh_hang2 drivers/scsi/ipr.c
--- linux-2.6.git/drivers/scsi/ipr.c~ipr_fix_sata_eh_hang2  2017-03-13 
16:32:37.663087624 -0500
+++ linux-2.6.git-bjking1/drivers/scsi/ipr.c2017-03-13 16:32:37.670087596 
-0500
@@ -5067,6 +5067,23 @@ static bool ipr_cmnd_is_free(struct ipr_
 }
 
 /**
+ * ipr_match_res - Match function for specified resource entry
+ * @ipr_cmd:   ipr command struct
+ * @resource:  resource entry to match
+ *
+ * Returns:
+ * 1 if command matches sdev / 0 if command does not match sdev
+ **/
+static int ipr_match_res(struct ipr_cmnd *ipr_cmd, void *resource)
+{
+   struct ipr_resource_entry *res = resource;
+
+   if (res && ipr_cmd->ioarcb.res_handle == res->res_handle)
+   return 1;
+   return 0;
+}
+
+/**
  * ipr_wait_for_ops - Wait for matching commands to complete
  * @ipr_cmd:   ipr command struct
  * @device:device to match (sdev)
@@ -5246,7 +5263,7 @@ static int ipr_sata_reset(struct ata_lin
struct ipr_ioa_cfg *ioa_cfg = sata_port->ioa_cfg;
struct ipr_resource_entry *res;
unsigned long lock_flags = 0;
-   int rc = -ENXIO;
+   int rc = -ENXIO, ret;
 
ENTER;
spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
@@ -5260,9 +5277,19 @@ static int ipr_sata_reset(struct ata_lin
if (res) {
rc = ipr_device_reset(ioa_cfg, res);
*classes = res->ata_class;
-   }
+   spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+
+   ret = ipr_wait_for_ops(ioa_cfg, res, ipr_match_res);
+   if (ret != SUCCESS) {
+   spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
+   ipr_initiate_ioa_reset(ioa_cfg, IPR_SHUTDOWN_ABBREV);
+   spin_unlock_irqrestore(ioa_cfg->host->host_lock, 
lock_flags);
+
+   wait_event(ioa_cfg->reset_wait_q, 
!ioa_cfg->in_reset_reload);
+   }
+   } else
+   spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
 
-   spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
LEAVE;
return rc;
 }
@@ -5291,9 +5318,6 @@ static int __ipr_eh_dev_reset(struct scs
ioa_cfg = (struct ipr_ioa_cfg *) scsi_cmd->device->host->hostdata;
res = scsi_cmd->device->hostdata;
 
-   if (!res)
-   return FAILED;
-
/*
 * If we are currently going through reset/reload, return failed. This 
will force the
 * mid-layer to call ipr_eh_host_reset, which will then go to sleep and 
wait for the
@@ -5332,19 +5356,6 @@ static int __ipr_eh_dev_reset(struct scs
spin_unlock_irq(scsi_cmd->device->host->host_lock);
ata_std_error_handler(ap);
spin_lock_irq(scsi_cmd->device->host->host_lock);
-
-   for_each_hrrq(hrrq, ioa_cfg) {
-   spin_lock(>_lock);
-   list_for_each_entry(ipr_cmd,
-   >hrrq_pending_q, queue) {
-   

[PATCH] efct: fix compilation warning about atomic_t usage

[Sebastian Herbszt]

Use kref_read() instead of accessing the counter inside a kref.

Signed-off-by: Sebastian Herbszt 
---
 efct/efct_ddump.c | 5 ++---
 efct/efct_hw.c| 6 +++---
 efct/efct_io.c| 3 +--
 efct/efct_lio.c   | 2 +-
 efct/efct_scsi.c  | 4 ++--
 5 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/efct/efct_ddump.c b/efct/efct_ddump.c
index e91a838..faea9a0 100644
--- a/efct/efct_ddump.c
+++ b/efct/efct_ddump.c
@@ -340,8 +340,7 @@ efct_ddump_hw_io(struct efct_textbuf_s *textbuf, struct 
efct_hw_io_s *io)
efct_ddump_value(textbuf, "tag", "0x%x", io->reqtag);
efct_ddump_value(textbuf, "abort_reqtag",
"0x%x", io->abort_reqtag);
-   efct_ddump_value(textbuf, "ref_count", "%d",
-   atomic_read(>ref.refcount));
+   efct_ddump_value(textbuf, "ref_count", "%d", kref_read(>ref));
 
/* just to make it obvious, display abort bit from tag */
efct_ddump_value(textbuf, "abort", "0x%x", io->abort_in_progress);
@@ -606,7 +605,7 @@ efct_ddump_hw(struct efct_textbuf_s *textbuf, struct 
efct_hw_s *hw,
io = >io[i];
 
if (efct_hw_is_xri_port_owned(hw, io->indicator)) {
-   if (atomic_read(>ref.refcount)) {
+   if (kref_read(>ref)) {
/* only display free ios if they're active */
efct_ddump_hw_io(textbuf, io);
}
diff --git a/efct/efct_hw.c b/efct/efct_hw.c
index e52a505..cf37dc9 100644
--- a/efct/efct_hw.c
+++ b/efct/efct_hw.c
@@ -3647,7 +3647,7 @@ efct_hw_io_alloc(struct efct_hw_s *hw)
 struct efct_hw_io_s *
 efct_hw_io_activate_port_owned(struct efct_hw_s *hw, struct efct_hw_io_s *io)
 {
-   if (atomic_read(>ref.refcount) > 0) {
+   if (kref_read(>ref) > 0) {
efct_log_err(hw->os, "Bad parameter: refcount > 0\n");
return NULL;
}
@@ -3794,7 +3794,7 @@ int32_t
 efct_hw_io_free(struct efct_hw_s *hw, struct efct_hw_io_s *io)
 {
/* just put refcount */
-   if (atomic_read(>ref.refcount) <= 0) {
+   if (kref_read(>ref) <= 0) {
efct_log_err(hw->os,
"Bad parameter: refcount <= 0 xri=%x tag=%x\n",
io->indicator, io->reqtag);
@@ -3821,7 +3821,7 @@ efct_hw_io_free(struct efct_hw_s *hw, struct efct_hw_io_s 
*io)
 uint8_t
 efct_hw_io_inuse(struct efct_hw_s *hw, struct efct_hw_io_s *io)
 {
-   return (atomic_read(>ref.refcount) > 0);
+   return (kref_read(>ref) > 0);
 }
 
 /**
diff --git a/efct/efct_io.c b/efct/efct_io.c
index 988ec28..9ee9932 100644
--- a/efct/efct_io.c
+++ b/efct/efct_io.c
@@ -332,8 +332,7 @@ efct_ddump_io(struct efct_textbuf_s *textbuf, struct 
efct_io_s *io)
efct_ddump_value(textbuf, "display_name", "%s", io->display_name);
efct_ddump_value(textbuf, "node_name", "%s", io->node->display_name);
 
-   efct_ddump_value(textbuf, "ref_count", "%d",
-   atomic_read(>ref.refcount));
+   efct_ddump_value(textbuf, "ref_count", "%d", kref_read(>ref));
efct_ddump_value(textbuf, "io_type", "%d", io->io_type);
efct_ddump_value(textbuf, "hio_type", "%d", io->hio_type);
efct_ddump_value(textbuf, "cmd_tgt", "%d", io->cmd_tgt);
diff --git a/efct/efct_lio.c b/efct/efct_lio.c
index f5c7a70..74b48ad 100644
--- a/efct/efct_lio.c
+++ b/efct/efct_lio.c
@@ -2276,7 +2276,7 @@ efct_scsi_tgt_ddump(struct efct_textbuf_s *textbuf,
efct_ddump_value(textbuf, "se_cmd.state_active", "%d",
io->tgt_io.cmd.state_active);
efct_ddump_value(textbuf, "se_cmd.cmd_kref.refcount", "%d",
-   atomic_read(>tgt_io.cmd.cmd_kref.refcount));
+   kref_read(>tgt_io.cmd.cmd_kref));
efct_ddump_value(textbuf, "se_cmd.se_cmd_flags", "%#x",
io->tgt_io.cmd.se_cmd_flags);
efct_ddump_value(textbuf, "se_cmd.t_state", "%d",
diff --git a/efct/efct_scsi.c b/efct/efct_scsi.c
index c2f5a35..ad49aa6 100644
--- a/efct/efct_scsi.c
+++ b/efct/efct_scsi.c
@@ -301,7 +301,7 @@ void
 efct_scsi_io_free(struct efct_io_s *io)
 {
scsi_io_trace(io, "freeing io 0x%p %s\n", io, io->display_name);
-   efct_assert(atomic_read(>ref.refcount) > 0);
+   efct_assert(kref_read(>ref) > 0);
kref_put(>ref, io->release);
 }
 
@@ -2320,7 +2320,7 @@ efct_scsi_io_complete(struct efct_io_s *io)
}
 
scsi_io_trace(io, "freeing io 0x%p %s\n", io, io->display_name);
-   efct_assert(atomic_read(>ref.refcount) > 0);
+   efct_assert(kref_read(>ref) > 0);
kref_put(>ref, io->release);
 }
 
-- 
2.7.3

[Bug 188061] On quad port QLE2564 can't add in target only 2 ports

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188061

--- Comment #9 from himanshu.madh...@cavium.com (himanshu.madh...@qlogic.com) 
---
(In reply to Anthony from comment #8)
> I added output in text attachment. By construction this card have 3 PCI-E
> switches onboard.

Checking with our hardware/firmware team on what is going on with these cards. 

Thanks,
Himanshu

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 108621] kernel BUG in drivers/scsi/scsi_lib.c

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108621

Martin Ziegler (zieg...@uni-freiburg.de) changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |UNREPRODUCIBLE

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[PATCH] efct: add missing include file

[Sebastian Herbszt]

After the split of linux/sched.h, linux/sched/signal.h is required.

Signed-off-by: Sebastian Herbszt 
---
 efct/efct_os.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/efct/efct_os.h b/efct/efct_os.h
index 16f7dc3..5ae269e 100644
--- a/efct/efct_os.h
+++ b/efct/efct_os.h
@@ -56,6 +56,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
-- 
2.7.3

Re: [PATCH V3 2/3] hpsa: limit outstanding rescans

[Martin K. Petersen]

Don Brace  writes:

> My bad. I'll send up a V4.  Sorry about that.

I already fixed it up and James pulled the new tree. So we're all set.

-- 
Martin K. Petersen  Oracle Linux Engineering

RE: [PATCH V3 2/3] hpsa: limit outstanding rescans

[Don Brace]

> -Original Message-
> From: James Bottomley [mailto:j...@linux.vnet.ibm.com]
> Sent: Wednesday, March 15, 2017 12:24 PM
> To: Don Brace ; joseph.szczy...@hpe.com;
> Gerry Morong ; John Hall
> ; Kevin Barnett
> ; Mahesh Rajashekhara
> ; Bader Ali - Saleh
> ; h...@infradead.org; Scott Teel
> ; Viswas G ; Justin
> Lindley ; Scott Benesh
> ; posw...@suse.com
> Cc: linux-scsi@vger.kernel.org
> Subject: Re: [PATCH V3 2/3] hpsa: limit outstanding rescans
> 
> EXTERNAL EMAIL
> 
> 
> On Fri, 2017-03-10 at 14:35 -0600, Don Brace wrote:
> > avoid rescan storms. No need to queue another
> > if one is pending.
> >
> > Reviewed-by: Scott Benesh 
> > Reviewed-by: Scott Teel 
> > Reviewed-by: Tomas Henzl  review
> 
> Guys, what is this additional "review" for?  I just noticed because my
> reply scripts barfed on it.  Please don't add extra junk after an email
> address in a tag line.
> 
> Thanks,
> 
> James

My bad. I'll send up a V4.
Sorry about that.

Thanks,
Don Brace
ESC - Smart Storage
Microsemi Corporation

Re: [PATCHv3 6/6] scsi: make asynchronous aborts mandatory

[Benjamin Block]

On Wed, Mar 15, 2017 at 02:54:09PM +0100, Hannes Reinecke wrote:
> On 03/14/2017 06:33 PM, Benjamin Block wrote:
> > Hello Hannes,
> >
> > On Wed, Mar 01, 2017 at 10:15:20AM +0100, Hannes Reinecke wrote:
> >> There hasn't been any reports for HBAs where asynchronous abort
> >> would not work, so we should make it mandatory and remove
> >> the fallback.
> >>
> >> Signed-off-by: Hannes Reinecke 
> >> Reviewed-by: Johannes Thumshirn 
> >> Reviewed-by: Bart Van Assche 
> >> ---
> >>  Documentation/scsi/scsi_eh.txt | 18 --
> >>  drivers/scsi/scsi_error.c  | 81 
> >> --
> >>  drivers/scsi/scsi_lib.c|  2 +-
> >>  drivers/scsi/scsi_priv.h   |  3 +-
> >>  include/scsi/scsi_host.h   |  5 ---
> >>  5 files changed, 15 insertions(+), 94 deletions(-)
> >>
> >> diff --git a/Documentation/scsi/scsi_eh.txt 
> >> b/Documentation/scsi/scsi_eh.txt
> >> index 4edb9c1c..11e447b 100644
> >> --- a/Documentation/scsi/scsi_eh.txt
> >> +++ b/Documentation/scsi/scsi_eh.txt
> >> @@ -70,7 +70,7 @@ with the command.
> >>scmd is requeued to blk queue.
> >>
> >>   - otherwise
> >> -  scsi_eh_scmd_add(scmd, 0) is invoked for the command.  See
> >> +  scsi_eh_scmd_add(scmd) is invoked for the command.  See
> >>[1-3] for details of this function.
> >>
> >>
> >> @@ -103,9 +103,7 @@ function
> >>  eh_timed_out() callback did not handle the command.
> >>Step #2 is taken.
> >>
> >> - 2. If the host supports asynchronous completion (as indicated by the
> >> -no_async_abort setting in the host template) scsi_abort_command()
> >> -is invoked to schedule an asynchrous abort.
> >> + 2. scsi_abort_command() is invoked to schedule an asynchrous abort.
> >>  Asynchronous abort are not invoked for commands which the
> >>  SCSI_EH_ABORT_SCHEDULED flag is set (this indicates that the command
> >>  already had been aborted once, and this is a retry which failed),
> >> @@ -127,16 +125,13 @@ function
> >>
> >>   scmds enter EH via scsi_eh_scmd_add(), which does the following.
> >>
> >> - 1. Turns on scmd->eh_eflags as requested.  It's 0 for error
> >> -completions and SCSI_EH_CANCEL_CMD for timeouts.
> >> + 1. Links scmd->eh_entry to shost->eh_cmd_q
> >>
> >> - 2. Links scmd->eh_entry to shost->eh_cmd_q
> >> + 2. Sets SHOST_RECOVERY bit in shost->shost_state
> >>
> >> - 3. Sets SHOST_RECOVERY bit in shost->shost_state
> >> + 3. Increments shost->host_failed
> >>
> >> - 4. Increments shost->host_failed
> >> -
> >> - 5. Wakes up SCSI EH thread if shost->host_busy == shost->host_failed
> >> + 4. Wakes up SCSI EH thread if shost->host_busy == shost->host_failed
> >>
> >>   As can be seen above, once any scmd is added to shost->eh_cmd_q,
> >>  SHOST_RECOVERY shost_state bit is turned on.  This prevents any new
> >> @@ -252,7 +247,6 @@ scmd->allowed.
> >>
> >>   1. Error completion / time out
> >>  ACTION: scsi_eh_scmd_add() is invoked for scmd
> >> -  - set scmd->eh_eflags
> >>- add scmd to shost->eh_cmd_q
> >>- set SHOST_RECOVERY
> >>- shost->host_failed++
> >> diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
> >> index 802a081..7b70ee9 100644
> >> --- a/drivers/scsi/scsi_error.c
> >> +++ b/drivers/scsi/scsi_error.c
> >> @@ -163,7 +163,7 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
> >> *shost)
> >>}
> >>}
> >>
> >> -  scsi_eh_scmd_add(scmd, 0);
> >> +  scsi_eh_scmd_add(scmd);
> >>  }
> >>
> >>  /**
> >> @@ -217,9 +217,8 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
> >> *shost)
> >>  /**
> >>   * scsi_eh_scmd_add - add scsi cmd to error handling.
> >>   * @scmd: scmd to run eh on.
> >> - * @eh_flag:  optional SCSI_EH flag.
> >>   */
> >> -void scsi_eh_scmd_add(struct scsi_cmnd *scmd, int eh_flag)
> >> +void scsi_eh_scmd_add(struct scsi_cmnd *scmd)
> >>  {
> >>struct Scsi_Host *shost = scmd->device->host;
> >>unsigned long flags;
> >> @@ -235,9 +234,6 @@ void scsi_eh_scmd_add(struct scsi_cmnd *scmd, int 
> >> eh_flag)
> >>if (shost->eh_deadline != -1 && !shost->last_reset)
> >>shost->last_reset = jiffies;
> >>
> >> -  if (scmd->eh_eflags & SCSI_EH_ABORT_SCHEDULED)
> >> -  eh_flag &= ~SCSI_EH_CANCEL_CMD;
> >> -  scmd->eh_eflags |= eh_flag;
> >>scsi_eh_reset(scmd);
> >>list_add_tail(>eh_entry, >eh_cmd_q);
> >>shost->host_failed++;
> >> @@ -271,10 +267,9 @@ enum blk_eh_timer_return scsi_times_out(struct 
> >> request *req)
> >>rtn = host->hostt->eh_timed_out(scmd);
> >>
> >>if (rtn == BLK_EH_NOT_HANDLED) {
> >> -  if (host->hostt->no_async_abort ||
> >> -  scsi_abort_command(scmd) != SUCCESS) {
> >> +  if (scsi_abort_command(scmd) != SUCCESS) {
> >>set_host_byte(scmd, DID_TIME_OUT);
> >> -  scsi_eh_scmd_add(scmd, SCSI_EH_CANCEL_CMD);
> >> +  scsi_eh_scmd_add(scmd);
> >>

Re: [scsi] scsi: ufs: don't check unsigned type for a negative value

[James Bottomley]

On Mon, 2017-03-13 at 17:19 -0700, Subhash Jadavani wrote:
> On 2017-03-12 03:22, Tomas Winkler wrote:
> > Fix compilation warning
> > 
> > drivers/scsi/ufs/ufshcd.c:7645:13: warning: comparison of unsigned
> > expression < 0 is always false [-Wtype-limits]
> > if ((value < UFS_PM_LVL_0) || (value >= UFS_PM_LVL_MAX))
> > 
> > Signed-off-by: Tomas Winkler 
> > ---
> >  drivers/scsi/ufs/ufshcd.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> > index 1359913bf840..e8c26e6e6237 100644
> > --- a/drivers/scsi/ufs/ufshcd.c
> > +++ b/drivers/scsi/ufs/ufshcd.c
> > @@ -7642,7 +7642,7 @@ static inline ssize_t
> > ufshcd_pm_lvl_store(struct
> > device *dev,
> > if (kstrtoul(buf, 0, ))
> > return -EINVAL;
> > 
> > -   if ((value < UFS_PM_LVL_0) || (value >= UFS_PM_LVL_MAX))
> > +   if (value >= UFS_PM_LVL_MAX)
> > return -EINVAL;
> > 
> > spin_lock_irqsave(hba->host->host_lock, flags);
> 
> LGTM.
> Reviewed-by: Subhash Jadavani 

Mis-spelling someone else's email can be cut and paste; mis-spelling
your own might be the early indications of an identity crisis.

We do cut and paste these tags, so getting your own name right for the
purposes of git history is useful.

James

Re: [PATCH V3 2/3] hpsa: limit outstanding rescans

[James Bottomley]

On Fri, 2017-03-10 at 14:35 -0600, Don Brace wrote:
> avoid rescan storms. No need to queue another
> if one is pending.
> 
> Reviewed-by: Scott Benesh 
> Reviewed-by: Scott Teel 
> Reviewed-by: Tomas Henzl  review

Guys, what is this additional "review" for?  I just noticed because my
reply scripts barfed on it.  Please don't add extra junk after an email
address in a tag line.

Thanks,

James

[GIT PULL] SCSI fixes for 4.11-rc2

[James Bottomley]

This is a rather large set of fixes.  The bulk are for lpfc correcting
a lot of issues in the new NVME driver code which just went in in the
merge window.  The others are: fix a hang in the vmware paravirt driver
caused by incorrect handling of the new MSI vector allocation.  A long
standing bug in storvsc, which recent block changes turned from being a
harmless annoyance into a hang and yet more fallout (in mpt3sas) from
the changes to device blocking.  The remainder are small fixes and
updates.

The patch is available here:

git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git scsi-fixes

The short changelog is:

Anton Blanchard (1):
  scsi: lpfc: Add shutdown method for kexec

Arnd Bergmann (1):
  scsi: qedi: fix build error without DEBUG_FS

Bart Van Assche (1):
  scsi: mpt3sas: Avoid sleeping in interrupt context

Chris Leech (1):
  scsi: libiscsi: add lock around task lists to fix list corruption 
regression

Christoph Hellwig (1):
  scsi: vmw_pvscsi: handle the return value from pci_alloc_irq_vectors 
correctly

Colin Ian King (1):
  scsi: qedi: fix missing return error code check on call to qedi_setup_int

Damien Le Moal (1):
  scsi: sd: Check for unaligned partial completion

James Smart (20):
  scsi: lpfc: revise version number to 11.2.0.10
  scsi: lpfc: code cleanups in NVME initiator discovery
  scsi: lpfc: code cleanups in NVME initiator base
  scsi: lpfc: correct rdp diag portnames
  scsi: lpfc: remove dead sli3 nvme code
  scsi: lpfc: correct double print
  scsi: lpfc: Rename LPFC_MAX_EQ_DELAY to LPFC_MAX_EQ_DELAY_EQID_CNT
  scsi: lpfc: Rework lpfc Kconfig for NVME options
  scsi: lpfc: add transport eh_timed_out reference
  scsi: lpfc: Fix eh_deadline setting for sli3 adapters.
  scsi: lpfc: add NVME exchange aborts
  scsi: lpfc: Fix nvme allocation bug on failed nvme_fc_register_localport
  scsi: lpfc: Fix IO submission if WQ is full
  scsi: lpfc: Fix NVME CMD IU byte swapped word 1 problem
  scsi: lpfc: Fix RCTL value on NVME LS request and response
  scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  scsi: lpfc: fix missing spin_unlock on sql_list_lock
  scsi: lpfc: don't dereference dma_buf->iocbq before null check
  scsi: lpfc: sanity check hrq is null before dereferencing it
  scsi: lpfc: remove redundant assignment of sgel

Joe Perches (3):
  scsi: qedf: Use vsprintf extension %pad
  scsi: qedf: Fix defective logging format and argument mismatches
  scsi: qla2xxx: Fix ql_dump_buffer

Potomski, MichalX (1):
  scsi: ufs: Factor out ufshcd_read_desc_param

Raghava Aditya Renukunta (1):
  scsi: aacraid: Fix typo in blink status

Stephen Hemminger (1):
  scsi: storvsc: Workaround for virtual DVD SCSI version

Tomas Jasek (1):
  scsi: lpfc: replace init_timer by setup_timer

And the diffstat:

 drivers/scsi/Kconfig |  19 ++-
 drivers/scsi/aacraid/src.c   |   2 +-
 drivers/scsi/libiscsi.c  |  26 +++-
 drivers/scsi/lpfc/lpfc.h |   4 +-
 drivers/scsi/lpfc/lpfc_attr.c|   9 +-
 drivers/scsi/lpfc/lpfc_crtn.h|   4 +-
 drivers/scsi/lpfc/lpfc_ct.c  |   2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c |  22 
 drivers/scsi/lpfc/lpfc_els.c |  22 ++--
 drivers/scsi/lpfc/lpfc_hbadisc.c |  24 ++--
 drivers/scsi/lpfc/lpfc_hw4.h |   4 +-
 drivers/scsi/lpfc/lpfc_init.c| 128 ---
 drivers/scsi/lpfc/lpfc_mem.c |   2 +-
 drivers/scsi/lpfc/lpfc_nvme.c| 107 
 drivers/scsi/lpfc/lpfc_nvme.h|   1 +
 drivers/scsi/lpfc/lpfc_nvmet.c   |  43 +--
 drivers/scsi/lpfc/lpfc_scsi.c|   4 +-
 drivers/scsi/lpfc/lpfc_sli.c |  68 +--
 drivers/scsi/lpfc/lpfc_sli4.h|   6 +
 drivers/scsi/lpfc/lpfc_version.h |   2 +-
 drivers/scsi/mpt3sas/mpt3sas_base.h  |   3 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |  19 +--
 drivers/scsi/qedf/qedf_dbg.h |  13 +-
 drivers/scsi/qedf/qedf_fip.c |   2 +-
 drivers/scsi/qedf/qedf_io.c  |   4 +-
 drivers/scsi/qedf/qedf_main.c|   4 +-
 drivers/scsi/qedi/qedi_debugfs.c |  16 +--
 drivers/scsi/qedi/qedi_fw.c  |   4 +-
 drivers/scsi/qedi/qedi_gbl.h |   8 +-
 drivers/scsi/qedi/qedi_iscsi.c   |   8 +-
 drivers/scsi/qedi/qedi_main.c|   2 +-
 drivers/scsi/qla2xxx/qla_dbg.c   |  12 +-
 drivers/scsi/scsi_lib.c  |  14 ++-
 drivers/scsi/scsi_priv.h |   3 -
 drivers/scsi/sd.c|  17 +++
 drivers/scsi/storvsc_drv.c   |  27 ++--
 drivers/scsi/ufs/ufs.h   |  22 ++--
 drivers/scsi/ufs/ufshcd.c| 231 ++-
 drivers/scsi/ufs/ufshcd.h|  15 +++
 drivers/scsi/vmw_pvscsi.c|   2 +-
 include/scsi/libiscsi.h  |   1 +
 include/scsi/scsi_device.h   |   4 +
 42 files 

[PATCH v4 11/14] qla2xxx: Add DebugFS node to display Port Database

[Himanshu Madhani]

Signed-off-by: Himanshu Madhani 
Signed-off-by: Giridhar Malavali 
---
 drivers/scsi/qla2xxx/qla_def.h |  2 +
 drivers/scsi/qla2xxx/qla_dfs.c | 92 --
 2 files changed, 90 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index ae38b7a789b1..089480280558 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3300,6 +3300,8 @@ struct qlt_hw_data {
uint8_t tgt_node_name[WWN_SIZE];
 
struct dentry *dfs_tgt_sess;
+   struct dentry *dfs_tgt_port_database;
+
struct list_head q_full_list;
uint32_t num_pend_cmds;
uint32_t num_qfull_cmds_alloc;
diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c
index 3b35905619b0..989e17b0758c 100644
--- a/drivers/scsi/qla2xxx/qla_dfs.c
+++ b/drivers/scsi/qla2xxx/qla_dfs.c
@@ -19,11 +19,11 @@ qla2x00_dfs_tgt_sess_show(struct seq_file *s, void *unused)
struct qla_hw_data *ha = vha->hw;
unsigned long flags;
struct fc_port *sess = NULL;
-   struct qla_tgt *tgt= vha->vha_tgt.qla_tgt;
+   struct qla_tgt *tgt = vha->vha_tgt.qla_tgt;
 
-   seq_printf(s, "%s\n",vha->host_str);
+   seq_printf(s, "%s\n", vha->host_str);
if (tgt) {
-   seq_printf(s, "Port ID   Port NameHandle\n");
+   seq_puts(s, "Port ID   Port NameHandle\n");
 
spin_lock_irqsave(>tgt.sess_lock, flags);
list_for_each_entry(sess, >vp_fcports, list)
@@ -44,7 +44,6 @@ qla2x00_dfs_tgt_sess_open(struct inode *inode, struct file 
*file)
return single_open(file, qla2x00_dfs_tgt_sess_show, vha);
 }
 
-
 static const struct file_operations dfs_tgt_sess_ops = {
.open   = qla2x00_dfs_tgt_sess_open,
.read   = seq_read,
@@ -53,6 +52,78 @@ static const struct file_operations dfs_tgt_sess_ops = {
 };
 
 static int
+qla2x00_dfs_tgt_port_database_show(struct seq_file *s, void *unused)
+{
+   scsi_qla_host_t *vha = s->private;
+   struct qla_hw_data *ha = vha->hw;
+   struct gid_list_info *gid_list;
+   dma_addr_t gid_list_dma;
+   fc_port_t fc_port;
+   char *id_iter;
+   int rc, i;
+   uint16_t entries, loop_id;
+   struct qla_tgt *tgt = vha->vha_tgt.qla_tgt;
+
+   seq_printf(s, "%s\n", vha->host_str);
+   if (tgt) {
+   gid_list = dma_alloc_coherent(>pdev->dev,
+   qla2x00_gid_list_size(ha),
+   _list_dma, GFP_KERNEL);
+   if (!gid_list) {
+   ql_dbg(ql_dbg_user, vha, 0x705c,
+   "DMA allocation failed for %u\n",
+qla2x00_gid_list_size(ha));
+   return 0;
+   }
+
+   rc = qla24xx_gidlist_wait(vha, gid_list, gid_list_dma,
+   );
+   if (rc != QLA_SUCCESS)
+   goto out_free_id_list;
+
+   id_iter = (char *)gid_list;
+
+   seq_puts(s, "Port Name  Port ID Loop ID\n");
+
+   for (i = 0; i < entries; i++) {
+   struct gid_list_info *gid =
+   (struct gid_list_info *)id_iter;
+   loop_id = le16_to_cpu(gid->loop_id);
+   memset(_port, 0, sizeof(fc_port_t));
+
+   fc_port.loop_id = loop_id;
+
+   rc = qla24xx_gpdb_wait(vha, _port, 0);
+   seq_printf(s, "%8phC  %02x%02x%02x  %d\n",
+   fc_port.port_name, fc_port.d_id.b.domain,
+   fc_port.d_id.b.area, fc_port.d_id.b.al_pa,
+   fc_port.loop_id);
+   id_iter += ha->gid_list_info_size;
+   }
+out_free_id_list:
+   dma_free_coherent(>pdev->dev, qla2x00_gid_list_size(ha),
+   gid_list, gid_list_dma);
+   }
+
+   return 0;
+}
+
+static int
+qla2x00_dfs_tgt_port_database_open(struct inode *inode, struct file *file)
+{
+   scsi_qla_host_t *vha = inode->i_private;
+
+   return single_open(file, qla2x00_dfs_tgt_port_database_show, vha);
+}
+
+static const struct file_operations dfs_tgt_port_database_ops = {
+   .open   = qla2x00_dfs_tgt_port_database_open,
+   .read   = seq_read,
+   .llseek = seq_lseek,
+   .release= single_release,
+};
+
+static int
 qla_dfs_fw_resource_cnt_show(struct seq_file *s, void *unused)
 {
struct scsi_qla_host *vha = s->private;
@@ -296,6 +367,14 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha)
goto out;
}
 
+   ha->tgt.dfs_tgt_port_database = debugfs_create_file("tgt_port_database",
+   S_IRUSR,  ha->dfs_dir, vha, _tgt_port_database_ops);
+   if 

[PATCH v4 09/14] qla2xxx: Add async new target notification

[Himanshu Madhani]

From: Quinn Tran 

Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_target.c | 6 +++---
 drivers/scsi/qla2xxx/qla_target.h | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c 
b/drivers/scsi/qla2xxx/qla_target.c
index 532004981dbd..563116188c43 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -6005,13 +6005,13 @@ int qlt_add_target(struct qla_hw_data *ha, struct 
scsi_qla_host *base_vha)
tgt->datasegs_per_cmd = QLA_TGT_DATASEGS_PER_CMD_24XX;
tgt->datasegs_per_cont = QLA_TGT_DATASEGS_PER_CONT_24XX;
 
-   if (base_vha->fc_vport)
-   return 0;
-
mutex_lock(_tgt_mutex);
list_add_tail(>tgt_list_entry, _tgt_glist);
mutex_unlock(_tgt_mutex);
 
+   if (ha->tgt.tgt_ops && ha->tgt.tgt_ops->add_target)
+   ha->tgt.tgt_ops->add_target(base_vha);
+
return 0;
 }
 
diff --git a/drivers/scsi/qla2xxx/qla_target.h 
b/drivers/scsi/qla2xxx/qla_target.h
index c35f889b94a6..d64420251194 100644
--- a/drivers/scsi/qla2xxx/qla_target.h
+++ b/drivers/scsi/qla2xxx/qla_target.h
@@ -693,6 +693,7 @@ struct qla_tgt_func_tmpl {
void (*shutdown_sess)(struct fc_port *);
int (*get_dif_tags)(struct qla_tgt_cmd *cmd, uint16_t *pfw_prot_opts);
int (*chk_dif_tags)(uint32_t tag);
+   void (*add_target)(struct scsi_qla_host *);
 };
 
 int qla2x00_wait_for_hba_online(struct scsi_qla_host *);
-- 
2.12.0

[PATCH v4 02/14] qla2xxx: Fix memory leak for abts processing

[Himanshu Madhani]

From: Quinn Tran 

Cc: 
Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_target.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_target.c 
b/drivers/scsi/qla2xxx/qla_target.c
index 45f5077684f0..ecf97c5993e8 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -6642,6 +6642,8 @@ qlt_handle_abts_recv_work(struct work_struct *work)
spin_lock_irqsave(>hardware_lock, flags);
qlt_response_pkt_all_vps(vha, (response_t *)>atio);
spin_unlock_irqrestore(>hardware_lock, flags);
+
+   kfree(op);
 }
 
 void
-- 
2.12.0

[PATCH v4 00/14] qla2xxx: Bug Fixes and updates for target.

[Himanshu Madhani]

Hi Nic,

Please consider this series for inclusion in target-pending.

This series contains following changes.

o Fix for the deadlock because of inconsistent lock usage reported by Bart.
o Added patch to submit non-critical MBX command via IOCB path.
o Improved T10-DIF/PI handling with target stack.
o Changed scsi host lookup method.
o Some minor bug fixes.

Changes from v3 --> v4

o Fixed regression repored by Bart in following patch.
"qla2xxx: Fix delayed response to command for loop mode/direct connect."

Note: Patch order has been changed as well from last series. This is to
isolate bug-fixes in front of improvements to narrow down offending patch.
Let me know if you would prefer me to submit series with same patch order
as v3.

Changes from v2 --> v3

o Updated patch to use waitq instead of while loop for waiting.
o Removed duplication of Target stack definitations for T10-DIF/PI.
o In addition, addressed review comments from Bart & Christoph.

Changes from v1 -> v2

o Rebased series based on scsi-target-for-v4.11 branch.

Please apply to target-pending.

Thanks,
Himanshu
 

Anil Gurumurthy (1):
  qla2xxx: Export DIF stats via debugfs

Himanshu Madhani (2):
  qla2xxx: Add DebugFS node to display Port Database
  qla2xxx: Update driver version to 9.00.00.00-k

Joe Carnuccio (1):
  qla2xxx: Allow vref count to timeout on vport delete.

Quinn Tran (10):
  qla2xxx: Fix memory leak for abts processing
  qla2xxx: Fix request queue corruption.
  qla2xxx: Fix inadequate lock protection for ABTS.
  qla2xxx: Fix sess_lock & hardware_lock lock order problem.
  qla2xxx: Allow relogin to proceed if remote login did not finish
  qla2xxx: Improve T10-DIF/PI handling in driver.
  qla2xxx: Add async new target notification
  qla2xxx: Use IOCB interface to submit non-critical MBX.
  qla2xxx: Change scsi host lookup method.
  qla2xxx: Fix delayed response to command for loop mode/direct connect.

 drivers/scsi/qla2xxx/Kconfig   |   1 +
 drivers/scsi/qla2xxx/qla_attr.c|   4 +-
 drivers/scsi/qla2xxx/qla_dbg.h |   1 +
 drivers/scsi/qla2xxx/qla_def.h |  56 ++-
 drivers/scsi/qla2xxx/qla_dfs.c | 107 +-
 drivers/scsi/qla2xxx/qla_gbl.h |  18 +-
 drivers/scsi/qla2xxx/qla_init.c|  85 ++---
 drivers/scsi/qla2xxx/qla_iocb.c|  13 +-
 drivers/scsi/qla2xxx/qla_isr.c |  41 +-
 drivers/scsi/qla2xxx/qla_mbx.c | 304 +--
 drivers/scsi/qla2xxx/qla_mid.c |  14 +-
 drivers/scsi/qla2xxx/qla_os.c  |  23 +-
 drivers/scsi/qla2xxx/qla_target.c  | 748 +++--
 drivers/scsi/qla2xxx/qla_target.h  |  39 +-
 drivers/scsi/qla2xxx/qla_version.h |   6 +-
 drivers/scsi/qla2xxx/tcm_qla2xxx.c |  49 ++-
 16 files changed, 1077 insertions(+), 432 deletions(-)

-- 
2.12.0

[PATCH v4 01/14] qla2xxx: Allow vref count to timeout on vport delete.

[Himanshu Madhani]

From: Joe Carnuccio 

Cc: 
Signed-off-by: Joe Carnuccio 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_attr.c |  4 +---
 drivers/scsi/qla2xxx/qla_def.h  |  6 +-
 drivers/scsi/qla2xxx/qla_init.c |  1 +
 drivers/scsi/qla2xxx/qla_mid.c  | 14 --
 drivers/scsi/qla2xxx/qla_os.c   |  1 +
 5 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index f610103994af..435ff7fd6384 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -2154,8 +2154,6 @@ qla24xx_vport_delete(struct fc_vport *fc_vport)
"Timer for the VP[%d] has stopped\n", vha->vp_idx);
}
 
-   BUG_ON(atomic_read(>vref_count));
-
qla2x00_free_fcports(vha);
 
mutex_lock(>vport_lock);
@@ -2166,7 +2164,7 @@ qla24xx_vport_delete(struct fc_vport *fc_vport)
dma_free_coherent(>pdev->dev, vha->gnl.size, vha->gnl.l,
vha->gnl.ldma);
 
-   if (vha->qpair->vp_idx == vha->vp_idx) {
+   if (vha->qpair && vha->qpair->vp_idx == vha->vp_idx) {
if (qla2xxx_delete_qpair(vha, vha->qpair) != QLA_SUCCESS)
ql_log(ql_log_warn, vha, 0x7087,
"Queue Pair delete failed.\n");
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 625d438e3cce..8662ef4192db 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -4076,6 +4076,7 @@ typedef struct scsi_qla_host {
/* Count of active session/fcport */
int fcport_count;
wait_queue_head_t fcport_waitQ;
+   wait_queue_head_t vref_waitq;
 } scsi_qla_host_t;
 
 struct qla27xx_image_status {
@@ -4131,14 +4132,17 @@ struct qla2_sgx {
mb();   \
if (__vha->flags.delete_progress) { \
atomic_dec(&__vha->vref_count); \
+   wake_up(&__vha->vref_waitq);\
__bail = 1; \
} else {\
__bail = 0; \
}   \
 } while (0)
 
-#define QLA_VHA_MARK_NOT_BUSY(__vha)   \
+#define QLA_VHA_MARK_NOT_BUSY(__vha) do {  \
atomic_dec(&__vha->vref_count); \
+   wake_up(&__vha->vref_waitq);\
+} while (0)\
 
 #define QLA_QPAIR_MARK_BUSY(__qpair, __bail) do {  \
atomic_inc(&__qpair->ref_count);\
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 32fb9007f137..9f3740c68cc8 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -5148,6 +5148,7 @@ qla2x00_update_fcports(scsi_qla_host_t *base_vha)
}
}
atomic_dec(>vref_count);
+   wake_up(>vref_waitq);
}
spin_unlock_irqrestore(>vport_slock, flags);
 }
diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
index c6d6f0d912ff..09a490c98763 100644
--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -74,13 +74,14 @@ qla24xx_deallocate_vp_id(scsi_qla_host_t *vha)
 * ensures no active vp_list traversal while the vport is removed
 * from the queue)
 */
-   spin_lock_irqsave(>vport_slock, flags);
-   while (atomic_read(>vref_count)) {
-   spin_unlock_irqrestore(>vport_slock, flags);
-
-   msleep(500);
+   wait_event_timeout(vha->vref_waitq, atomic_read(>vref_count),
+   10*HZ);
 
-   spin_lock_irqsave(>vport_slock, flags);
+   spin_lock_irqsave(>vport_slock, flags);
+   if (atomic_read(>vref_count)) {
+   ql_dbg(ql_dbg_vport, vha, 0xfffa,
+   "vha->vref_count=%u timeout\n", vha->vref_count.counter);
+   vha->vref_count = (atomic_t)ATOMIC_INIT(0);
}
list_del(>list);
qlt_update_vp_map(vha, RESET_VP_IDX);
@@ -269,6 +270,7 @@ qla2x00_alert_all_vps(struct rsp_que *rsp, uint16_t *mb)
 
spin_lock_irqsave(>vport_slock, flags);
atomic_dec(>vref_count);
+   wake_up(>vref_waitq);
}
i++;
}
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 1fed235a1b4a..54d4e802bde0 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4268,6 +4268,7 @@ struct scsi_qla_host *qla2x00_create_host(struct 
scsi_host_template *sht,
spin_lock_init(>work_lock);
spin_lock_init(>cmd_list_lock);
init_waitqueue_head(>fcport_waitQ);
+   

[PATCH v4 03/14] qla2xxx: Fix request queue corruption.

[Himanshu Madhani]

From: Quinn Tran 

When FW notify driver or driver detects low FW resource,
driver tries to send out Busy SCSI Status to tell Initiator
side to back off. During the send process, the lock was not held.

Cc: 
Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_target.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c 
b/drivers/scsi/qla2xxx/qla_target.c
index ecf97c5993e8..a463bcc57902 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -5079,16 +5079,22 @@ qlt_send_busy(struct scsi_qla_host *vha,
 
 static int
 qlt_chk_qfull_thresh_hold(struct scsi_qla_host *vha,
-   struct atio_from_isp *atio)
+   struct atio_from_isp *atio, bool ha_locked)
 {
struct qla_hw_data *ha = vha->hw;
uint16_t status;
+   unsigned long flags;
 
if (ha->tgt.num_pend_cmds < Q_FULL_THRESH_HOLD(ha))
return 0;
 
+   if (!ha_locked)
+   spin_lock_irqsave(>hardware_lock, flags);
status = temp_sam_status;
qlt_send_busy(vha, atio, status);
+   if (!ha_locked)
+   spin_unlock_irqrestore(>hardware_lock, flags);
+
return 1;
 }
 
@@ -5133,7 +5139,7 @@ static void qlt_24xx_atio_pkt(struct scsi_qla_host *vha,
 
 
if (likely(atio->u.isp24.fcp_cmnd.task_mgmt_flags == 0)) {
-   rc = qlt_chk_qfull_thresh_hold(vha, atio);
+   rc = qlt_chk_qfull_thresh_hold(vha, atio, ha_locked);
if (rc != 0) {
tgt->atio_irq_cmd_count--;
return;
@@ -5256,7 +5262,7 @@ static void qlt_response_pkt(struct scsi_qla_host *vha, 
response_t *pkt)
break;
}
 
-   rc = qlt_chk_qfull_thresh_hold(vha, atio);
+   rc = qlt_chk_qfull_thresh_hold(vha, atio, true);
if (rc != 0) {
tgt->irq_cmd_count--;
return;
-- 
2.12.0

[PATCH v4 06/14] qla2xxx: Allow relogin to proceed if remote login did not finish

[Himanshu Madhani]

From: Quinn Tran 

If the remote port have started the login process, then the
PLOGI and PRLI should be back to back. Driver will allow
the remote port to complete the process. For the case where
the remote port decide to back off from sending PRLI, this
local port sets an expiration timer for the PRLI. Once the
expiration time passes, the relogin retry logic is allowed
to go through and perform login with the remote port.

Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_def.h|  2 ++
 drivers/scsi/qla2xxx/qla_init.c   | 12 ++--
 drivers/scsi/qla2xxx/qla_isr.c| 25 +++--
 drivers/scsi/qla2xxx/qla_target.c |  1 +
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 8662ef4192db..56cd45fc600a 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -2300,6 +2300,8 @@ typedef struct fc_port {
struct ct_sns_desc ct_desc;
enum discovery_state disc_state;
enum login_state fw_login_state;
+   unsigned long plogi_nack_done_deadline;
+
u32 login_gen, last_login_gen;
u32 rscn_gen, last_rscn_gen;
u32 chip_reset;
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 9f3740c68cc8..a7865a5d556d 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -876,10 +876,14 @@ int qla24xx_fcport_handle_login(struct scsi_qla_host 
*vha, fc_port_t *fcport)
fcport->login_retry--;
 
if ((fcport->fw_login_state == DSC_LS_PLOGI_PEND) ||
-   (fcport->fw_login_state == DSC_LS_PLOGI_COMP) ||
(fcport->fw_login_state == DSC_LS_PRLI_PEND))
return 0;
 
+   if (fcport->fw_login_state == DSC_LS_PLOGI_COMP) {
+   if (time_before_eq(jiffies, fcport->plogi_nack_done_deadline))
+   return 0;
+   }
+
/* for pure Target Mode. Login will not be initiated */
if (vha->host->active_mode == MODE_TARGET)
return 0;
@@ -1041,10 +1045,14 @@ void qla24xx_handle_relogin_event(scsi_qla_host_t *vha,
fcport->flags);
 
if ((fcport->fw_login_state == DSC_LS_PLOGI_PEND) ||
-   (fcport->fw_login_state == DSC_LS_PLOGI_COMP) ||
(fcport->fw_login_state == DSC_LS_PRLI_PEND))
return;
 
+   if (fcport->fw_login_state == DSC_LS_PLOGI_COMP) {
+   if (time_before_eq(jiffies, fcport->plogi_nack_done_deadline))
+   return;
+   }
+
if (fcport->flags & FCF_ASYNC_SENT) {
fcport->login_retry++;
set_bit(RELOGIN_NEEDED, >dpc_flags);
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 3c66ea29de27..b2c6da752edd 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1620,9 +1620,9 @@ qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que 
*req,
QLA_LOGIO_LOGIN_RETRIED : 0;
if (logio->entry_status) {
ql_log(ql_log_warn, fcport->vha, 0x5034,
-   "Async-%s error entry - hdl=%x"
+   "Async-%s error entry - %8phC hdl=%x"
"portid=%02x%02x%02x entry-status=%x.\n",
-   type, sp->handle, fcport->d_id.b.domain,
+   type, fcport->port_name, sp->handle, fcport->d_id.b.domain,
fcport->d_id.b.area, fcport->d_id.b.al_pa,
logio->entry_status);
ql_dump_buffer(ql_dbg_async + ql_dbg_buffer, vha, 0x504d,
@@ -1633,8 +1633,9 @@ qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que 
*req,
 
if (le16_to_cpu(logio->comp_status) == CS_COMPLETE) {
ql_dbg(ql_dbg_async, fcport->vha, 0x5036,
-   "Async-%s complete - hdl=%x portid=%02x%02x%02x "
-   "iop0=%x.\n", type, sp->handle, fcport->d_id.b.domain,
+   "Async-%s complete - %8phC hdl=%x portid=%02x%02x%02x "
+   "iop0=%x.\n", type, fcport->port_name, sp->handle,
+   fcport->d_id.b.domain,
fcport->d_id.b.area, fcport->d_id.b.al_pa,
le32_to_cpu(logio->io_parameter[0]));
 
@@ -1674,6 +1675,17 @@ qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que 
*req,
case LSC_SCODE_NPORT_USED:
data[0] = MBS_LOOP_ID_USED;
break;
+   case LSC_SCODE_CMD_FAILED:
+   if (iop[1] == 0x0606) {
+   /*
+* PLOGI/PRLI Completed. We must have Recv PLOGI/PRLI,
+* Target side acked.
+*/
+   data[0] = MBS_COMMAND_COMPLETE;
+   goto logio_done;
+   }
+   data[0] = 

[PATCH v4 07/14] qla2xxx: Improve T10-DIF/PI handling in driver.

[Himanshu Madhani]

From: Quinn Tran 

Add routines to support T10 DIF tag.

Signed-off-by: Quinn Tran 
Signed-off-by: Anil Gurumurthy 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_dbg.h |   1 +
 drivers/scsi/qla2xxx/qla_def.h |  10 +
 drivers/scsi/qla2xxx/qla_gbl.h |   6 +-
 drivers/scsi/qla2xxx/qla_iocb.c|  13 +-
 drivers/scsi/qla2xxx/qla_target.c  | 540 ++---
 drivers/scsi/qla2xxx/qla_target.h  |  38 ++-
 drivers/scsi/qla2xxx/tcm_qla2xxx.c |  49 ++--
 7 files changed, 406 insertions(+), 251 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_dbg.h b/drivers/scsi/qla2xxx/qla_dbg.h
index e1fc4e66966a..c6bffe929fe7 100644
--- a/drivers/scsi/qla2xxx/qla_dbg.h
+++ b/drivers/scsi/qla2xxx/qla_dbg.h
@@ -348,6 +348,7 @@ ql_log_pci(uint32_t, struct pci_dev *pdev, int32_t, const 
char *fmt, ...);
 #define ql_dbg_tgt 0x4000 /* Target mode */
 #define ql_dbg_tgt_mgt 0x2000 /* Target mode management */
 #define ql_dbg_tgt_tmr 0x1000 /* Target mode task management */
+#define ql_dbg_tgt_dif  0x0800 /* Target mode dif */
 
 extern int qla27xx_dump_mpi_ram(struct qla_hw_data *, uint32_t, uint32_t *,
uint32_t, void **);
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 56cd45fc600a..9d1d3dcf1c87 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3127,6 +3127,16 @@ struct bidi_statistics {
unsigned long long transfer_bytes;
 };
 
+struct qla_tc_param {
+   struct scsi_qla_host *vha;
+   uint32_t blk_sz;
+   uint32_t bufflen;
+   struct scatterlist *sg;
+   struct scatterlist *prot_sg;
+   struct crc_context *ctx;
+   uint8_t *ctx_dsd_alloced;
+};
+
 /* Multi queue support */
 #define MBC_INITIALIZE_MULTIQ 0x1f
 #define QLA_QUE_PAGE 0X1000
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index b3d6441d1d90..ca6f122e5865 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -256,11 +256,11 @@ extern unsigned long qla2x00_get_async_timeout(struct 
scsi_qla_host *);
 extern void *qla2x00_alloc_iocbs(scsi_qla_host_t *, srb_t *);
 extern int qla2x00_issue_marker(scsi_qla_host_t *, int);
 extern int qla24xx_walk_and_build_sglist_no_difb(struct qla_hw_data *, srb_t *,
-   uint32_t *, uint16_t, struct qla_tgt_cmd *);
+   uint32_t *, uint16_t, struct qla_tc_param *);
 extern int qla24xx_walk_and_build_sglist(struct qla_hw_data *, srb_t *,
-   uint32_t *, uint16_t, struct qla_tgt_cmd *);
+   uint32_t *, uint16_t, struct qla_tc_param *);
 extern int qla24xx_walk_and_build_prot_sglist(struct qla_hw_data *, srb_t *,
-   uint32_t *, uint16_t, struct qla_tgt_cmd *);
+   uint32_t *, uint16_t, struct qla_tc_param *);
 extern int qla24xx_get_one_block_sg(uint32_t, struct qla2_sgx *, uint32_t *);
 extern int qla24xx_configure_prot_mode(srb_t *, uint16_t *);
 extern int qla24xx_build_scsi_crc_2_iocbs(srb_t *,
diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
index 535079280288..ea027f6a7fd4 100644
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -889,7 +889,7 @@ qla24xx_get_one_block_sg(uint32_t blk_sz, struct qla2_sgx 
*sgx,
 
 int
 qla24xx_walk_and_build_sglist_no_difb(struct qla_hw_data *ha, srb_t *sp,
-   uint32_t *dsd, uint16_t tot_dsds, struct qla_tgt_cmd *tc)
+   uint32_t *dsd, uint16_t tot_dsds, struct qla_tc_param *tc)
 {
void *next_dsd;
uint8_t avail_dsds = 0;
@@ -898,7 +898,6 @@ qla24xx_walk_and_build_sglist_no_difb(struct qla_hw_data 
*ha, srb_t *sp,
struct scatterlist *sg_prot;
uint32_t *cur_dsd = dsd;
uint16_tused_dsds = tot_dsds;
-
uint32_tprot_int; /* protection interval */
uint32_tpartial;
struct qla2_sgx sgx;
@@ -966,7 +965,7 @@ qla24xx_walk_and_build_sglist_no_difb(struct qla_hw_data 
*ha, srb_t *sp,
} else {
list_add_tail(_ptr->list,
&(tc->ctx->dsd_list));
-   tc->ctx_dsd_alloced = 1;
+   *tc->ctx_dsd_alloced = 1;
}
 
 
@@ -1005,7 +1004,7 @@ qla24xx_walk_and_build_sglist_no_difb(struct qla_hw_data 
*ha, srb_t *sp,
 
 int
 qla24xx_walk_and_build_sglist(struct qla_hw_data *ha, srb_t *sp, uint32_t *dsd,
-   uint16_t tot_dsds, struct qla_tgt_cmd *tc)
+   uint16_t tot_dsds, struct qla_tc_param *tc)
 {
void *next_dsd;
uint8_t avail_dsds = 0;
@@ -1066,7 +1065,7 @@ qla24xx_walk_and_build_sglist(struct qla_hw_data *ha, 
srb_t *sp, uint32_t *dsd,
} else {
list_add_tail(_ptr->list,
&(tc->ctx->dsd_list));
-   

[PATCH v4 04/14] qla2xxx: Fix inadequate lock protection for ABTS.

[Himanshu Madhani]

From: Quinn Tran 

Normally, ABTS is sent to Target Core as Task MGMT command.
In the case of error, qla2xxx needs to send response, hardware_lock
is required to prevent request queue corruption.

Cc: 
Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_target.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c 
b/drivers/scsi/qla2xxx/qla_target.c
index a463bcc57902..a78c3e9bcb57 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -130,6 +130,9 @@ static void qlt_send_term_imm_notif(struct scsi_qla_host 
*vha,
 static struct fc_port *qlt_create_sess(struct scsi_qla_host *vha,
fc_port_t *fcport, bool local);
 void qlt_unreg_sess(struct fc_port *sess);
+static void qlt_24xx_handle_abts(struct scsi_qla_host *,
+   struct abts_recv_from_24xx *);
+
 /*
  * Global Variables
  */
@@ -389,6 +392,8 @@ static bool qlt_24xx_atio_pkt_all_vps(struct scsi_qla_host 
*vha,
(struct abts_recv_from_24xx *)atio;
struct scsi_qla_host *host = qlt_find_host_by_vp_idx(vha,
entry->vp_index);
+   unsigned long flags;
+
if (unlikely(!host)) {
ql_dbg(ql_dbg_tgt, vha, 0x,
"qla_target(%d): Response pkt (ABTS_RECV_24XX) "
@@ -396,9 +401,12 @@ static bool qlt_24xx_atio_pkt_all_vps(struct scsi_qla_host 
*vha,
vha->vp_idx, entry->vp_index);
break;
}
-   qlt_response_pkt(host, (response_t *)atio);
+   if (!ha_locked)
+   spin_lock_irqsave(>hw->hardware_lock, flags);
+   qlt_24xx_handle_abts(host, (struct abts_recv_from_24xx *)atio);
+   if (!ha_locked)
+   spin_unlock_irqrestore(>hw->hardware_lock, flags);
break;
-
}
 
/* case PUREX_IOCB_TYPE: ql2xmvasynctoatio */
-- 
2.12.0

[PATCH v4 10/14] qla2xxx: Use IOCB interface to submit non-critical MBX.

[Himanshu Madhani]

From: Quinn Tran 

The Mailbox interface is currently over subscribed. We like
to reserve the Mailbox interface for the chip managment and
link initialization. Any non essential Mailbox command will
be routed through the IOCB interface. The IOCB interface is
able to absorb more commands.

Following commands are being routed through IOCB interface

- Get ID List (007Ch)
- Get Port DB (0064h)
- Get Link Priv Stats (006Dh)

Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_def.h|  12 +-
 drivers/scsi/qla2xxx/qla_gbl.h|  10 +-
 drivers/scsi/qla2xxx/qla_init.c   |  46 +--
 drivers/scsi/qla2xxx/qla_isr.c|   2 +-
 drivers/scsi/qla2xxx/qla_mbx.c| 270 --
 drivers/scsi/qla2xxx/qla_target.c |   4 +-
 6 files changed, 279 insertions(+), 65 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 8228dfac6a31..ae38b7a789b1 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -395,11 +395,15 @@ struct srb_iocb {
struct completion comp;
} abt;
struct ct_arg ctarg;
+#define MAX_IOCB_MB_REG 28
+#define SIZEOF_IOCB_MB_REG (MAX_IOCB_MB_REG * sizeof(uint16_t))
struct {
-   __le16 in_mb[28];   /* fr fw */
-   __le16 out_mb[28];  /* to fw */
+   __le16 in_mb[MAX_IOCB_MB_REG];  /* from FW */
+   __le16 out_mb[MAX_IOCB_MB_REG]; /* to FW */
void *out, *in;
dma_addr_t out_dma, in_dma;
+   struct completion comp;
+   int rc;
} mbx;
struct {
struct imm_ntfy_from_isp *ntfy;
@@ -437,7 +441,7 @@ typedef struct srb {
uint32_t handle;
uint16_t flags;
uint16_t type;
-   char *name;
+   const char *name;
int iocbs;
struct qla_qpair *qpair;
u32 gen1;   /* scratch */
@@ -3364,6 +3368,8 @@ struct qla_hw_data {
uint32_texlogins_enabled:1;
uint32_texchoffld_enabled:1;
/* 35 bits */
+
+   uint32_tfw_started:1;
} flags;
 
/* This spinlock is used to protect "io transactions", you must
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index ca6f122e5865..323b912b47f7 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -193,6 +193,7 @@ extern int qla24xx_post_upd_fcport_work(struct 
scsi_qla_host *, fc_port_t *);
 void qla2x00_handle_login_done_event(struct scsi_qla_host *, fc_port_t *,
uint16_t *);
 int qla24xx_post_gnl_work(struct scsi_qla_host *, fc_port_t *);
+int qla24xx_async_abort_cmd(srb_t *);
 
 /*
  * Global Functions in qla_mid.c source file.
@@ -368,7 +369,7 @@ qla2x00_get_link_status(scsi_qla_host_t *, uint16_t, struct 
link_statistics *,
 
 extern int
 qla24xx_get_isp_stats(scsi_qla_host_t *, struct link_statistics *,
-dma_addr_t, uint);
+dma_addr_t, uint16_t);
 
 extern int qla24xx_abort_command(srb_t *);
 extern int qla24xx_async_abort_command(srb_t *);
@@ -472,6 +473,13 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *, dma_addr_t, 
uint32_t, uint32_t);
 extern int
 qla26xx_dport_diagnostics(scsi_qla_host_t *, void *, uint, uint);
 
+int qla24xx_send_mb_cmd(struct scsi_qla_host *, mbx_cmd_t *);
+int qla24xx_gpdb_wait(struct scsi_qla_host *, fc_port_t *, u8);
+int qla24xx_gidlist_wait(struct scsi_qla_host *, void *, dma_addr_t,
+uint16_t *);
+int __qla24xx_parse_gpdb(struct scsi_qla_host *, fc_port_t *,
+   struct port_database_24xx *);
+
 /*
  * Global Function Prototypes in qla_isr.c source file.
  */
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index a7865a5d556d..b1bfa63f7d4e 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -629,7 +629,6 @@ void qla24xx_async_gpdb_sp_done(void *s, int res)
struct srb *sp = s;
struct scsi_qla_host *vha = sp->vha;
struct qla_hw_data *ha = vha->hw;
-   uint64_t zero = 0;
struct port_database_24xx *pd;
fc_port_t *fcport = sp->fcport;
u16 *mb = sp->u.iocb_cmd.u.mbx.in_mb;
@@ -649,48 +648,7 @@ void qla24xx_async_gpdb_sp_done(void *s, int res)
 
pd = (struct port_database_24xx *)sp->u.iocb_cmd.u.mbx.in;
 
-   /* Check for logged in state. */
-   if (pd->current_login_state != PDS_PRLI_COMPLETE &&
-   pd->last_login_state != PDS_PRLI_COMPLETE) {
-   ql_dbg(ql_dbg_mbx, vha, 0x,
-   "Unable to verify login-state (%x/%x) for "
-   "loop_id %x.\n", pd->current_login_state,
-   pd->last_login_state, fcport->loop_id);
-   

[PATCH v4 08/14] qla2xxx: Export DIF stats via debugfs

[Himanshu Madhani]

From: Anil Gurumurthy 

Signed-off-by: Anil Gurumurthy 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_def.h | 12 
 drivers/scsi/qla2xxx/qla_dfs.c | 15 +++
 2 files changed, 27 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 9d1d3dcf1c87..8228dfac6a31 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3108,6 +3108,16 @@ struct qla_chip_state_84xx {
uint32_t gold_fw_version;
 };
 
+struct qla_dif_statistics {
+   uint64_t dif_input_bytes;
+   uint64_t dif_output_bytes;
+   uint64_t dif_input_requests;
+   uint64_t dif_output_requests;
+   uint32_t dif_guard_err;
+   uint32_t dif_ref_tag_err;
+   uint32_t dif_app_tag_err;
+};
+
 struct qla_statistics {
uint32_t total_isp_aborts;
uint64_t input_bytes;
@@ -3120,6 +3130,8 @@ struct qla_statistics {
uint32_t stat_max_pend_cmds;
uint32_t stat_max_qfull_cmds_alloc;
uint32_t stat_max_qfull_cmds_dropped;
+
+   struct qla_dif_statistics qla_dif_stats;
 };
 
 struct bidi_statistics {
diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c
index b48cce696bac..3b35905619b0 100644
--- a/drivers/scsi/qla2xxx/qla_dfs.c
+++ b/drivers/scsi/qla2xxx/qla_dfs.c
@@ -114,6 +114,21 @@ qla_dfs_tgt_counters_show(struct seq_file *s, void *unused)
seq_printf(s, "num Q full sent = %lld\n",
vha->tgt_counters.num_q_full_sent);
 
+   /* DIF stats */
+   seq_printf(s, "DIF Inp Bytes = %lld\n",
+   vha->qla_stats.qla_dif_stats.dif_input_bytes);
+   seq_printf(s, "DIF Outp Bytes = %lld\n",
+   vha->qla_stats.qla_dif_stats.dif_output_bytes);
+   seq_printf(s, "DIF Inp Req = %lld\n",
+   vha->qla_stats.qla_dif_stats.dif_input_requests);
+   seq_printf(s, "DIF Outp Req = %lld\n",
+   vha->qla_stats.qla_dif_stats.dif_output_requests);
+   seq_printf(s, "DIF Guard err = %d\n",
+   vha->qla_stats.qla_dif_stats.dif_guard_err);
+   seq_printf(s, "DIF Ref tag err = %d\n",
+   vha->qla_stats.qla_dif_stats.dif_ref_tag_err);
+   seq_printf(s, "DIF App tag err = %d\n",
+   vha->qla_stats.qla_dif_stats.dif_app_tag_err);
return 0;
 }
 
-- 
2.12.0

[PATCH v4 05/14] qla2xxx: Fix sess_lock & hardware_lock lock order problem.

[Himanshu Madhani]

From: Quinn Tran 

The main lock that needs to be held for CMD or TMR submission
to upper layer is the sess_lock. The sess_lock is used to
serialize cmd submission and session deletion. The addition
of hardware_lock being held is not necessary. This patch removes
hardware_lock dependency from CMD/TMR submission.

Use hardware_lock only for error response in this case.

Path1
   CPU0CPU1
   
  lock(&(>tgt.sess_lock)->rlock);
   lock(&(>hardware_lock)->rlock);
   lock(&(>tgt.sess_lock)->rlock);
  lock(&(>hardware_lock)->rlock);

Path2/deadlock
*** DEADLOCK ***
Call Trace:
dump_stack+0x85/0xc2
print_circular_bug+0x1e3/0x250
__lock_acquire+0x1425/0x1620
lock_acquire+0xbf/0x210
_raw_spin_lock_irqsave+0x53/0x70
qlt_sess_work_fn+0x21d/0x480 [qla2xxx]
process_one_work+0x1f4/0x6e0

Cc: 
Cc: Bart Van Assche 
Reported-by: Bart Van Assche 
Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_target.c | 41 +--
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c 
b/drivers/scsi/qla2xxx/qla_target.c
index a78c3e9bcb57..989f931af156 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -5727,30 +5727,23 @@ static void qlt_abort_work(struct qla_tgt *tgt,
}
}
 
-   spin_lock_irqsave(>hardware_lock, flags);
-
-   if (tgt->tgt_stop)
-   goto out_term;
-
rc = __qlt_24xx_handle_abts(vha, >abts, sess);
+   ha->tgt.tgt_ops->put_sess(sess);
+   spin_unlock_irqrestore(>tgt.sess_lock, flags2);
+
if (rc != 0)
goto out_term;
-   spin_unlock_irqrestore(>hardware_lock, flags);
-   if (sess)
-   ha->tgt.tgt_ops->put_sess(sess);
-   spin_unlock_irqrestore(>tgt.sess_lock, flags2);
return;
 
 out_term2:
-   spin_lock_irqsave(>hardware_lock, flags);
+   if (sess)
+   ha->tgt.tgt_ops->put_sess(sess);
+   spin_unlock_irqrestore(>tgt.sess_lock, flags2);
 
 out_term:
+   spin_lock_irqsave(>hardware_lock, flags);
qlt_24xx_send_abts_resp(vha, >abts, FCP_TMF_REJECTED, false);
spin_unlock_irqrestore(>hardware_lock, flags);
-
-   if (sess)
-   ha->tgt.tgt_ops->put_sess(sess);
-   spin_unlock_irqrestore(>tgt.sess_lock, flags2);
 }
 
 static void qlt_tmr_work(struct qla_tgt *tgt,
@@ -5770,7 +5763,7 @@ static void qlt_tmr_work(struct qla_tgt *tgt,
spin_lock_irqsave(>tgt.sess_lock, flags);
 
if (tgt->tgt_stop)
-   goto out_term;
+   goto out_term2;
 
s_id = prm->tm_iocb2.u.isp24.fcp_hdr.s_id;
sess = ha->tgt.tgt_ops->find_sess_by_s_id(vha, s_id);
@@ -5782,11 +5775,11 @@ static void qlt_tmr_work(struct qla_tgt *tgt,
 
spin_lock_irqsave(>tgt.sess_lock, flags);
if (!sess)
-   goto out_term;
+   goto out_term2;
} else {
if (sess->deleted) {
sess = NULL;
-   goto out_term;
+   goto out_term2;
}
 
if (!kref_get_unless_zero(>sess_kref)) {
@@ -5794,7 +5787,7 @@ static void qlt_tmr_work(struct qla_tgt *tgt,
"%s: kref_get fail %8phC\n",
 __func__, sess->port_name);
sess = NULL;
-   goto out_term;
+   goto out_term2;
}
}
 
@@ -5804,17 +5797,19 @@ static void qlt_tmr_work(struct qla_tgt *tgt,
unpacked_lun = scsilun_to_int((struct scsi_lun *));
 
rc = qlt_issue_task_mgmt(sess, unpacked_lun, fn, iocb, 0);
-   if (rc != 0)
-   goto out_term;
-
ha->tgt.tgt_ops->put_sess(sess);
spin_unlock_irqrestore(>tgt.sess_lock, flags);
+
+   if (rc != 0)
+   goto out_term;
return;
 
+out_term2:
+   if (sess)
+   ha->tgt.tgt_ops->put_sess(sess);
+   spin_unlock_irqrestore(>tgt.sess_lock, flags);
 out_term:
qlt_send_term_exchange(vha, NULL, >tm_iocb2, 1, 0);
-   ha->tgt.tgt_ops->put_sess(sess);
-   spin_unlock_irqrestore(>tgt.sess_lock, flags);
 }
 
 static void qlt_sess_work_fn(struct work_struct *work)
-- 
2.12.0

[PATCH v4 12/14] qla2xxx: Change scsi host lookup method.

[Himanshu Madhani]

From: Quinn Tran 

For target mode, when new scsi command arrive, driver first performs
a look up of the SCSI Host. The current look up method is based on
the ALPA portion of the NPort ID. For Cisco switch, the ALPA can
not be used as the index. Instead, the new search method is based
on the full value of the Nport_ID via btree lib.

Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/Kconfig  |  1 +
 drivers/scsi/qla2xxx/qla_def.h|  2 +
 drivers/scsi/qla2xxx/qla_gbl.h|  2 +
 drivers/scsi/qla2xxx/qla_init.c   | 14 +++---
 drivers/scsi/qla2xxx/qla_mbx.c| 28 
 drivers/scsi/qla2xxx/qla_os.c |  1 +
 drivers/scsi/qla2xxx/qla_target.c | 92 +--
 7 files changed, 100 insertions(+), 40 deletions(-)

diff --git a/drivers/scsi/qla2xxx/Kconfig b/drivers/scsi/qla2xxx/Kconfig
index 67c0d5aa3212..de952935b5d2 100644
--- a/drivers/scsi/qla2xxx/Kconfig
+++ b/drivers/scsi/qla2xxx/Kconfig
@@ -3,6 +3,7 @@ config SCSI_QLA_FC
depends on PCI && SCSI
depends on SCSI_FC_ATTRS
select FW_LOADER
+   select BTREE
---help---
This qla2xxx driver supports all QLogic Fibre Channel
PCI and PCIe host adapters.
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 089480280558..9251918773b1 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -25,6 +25,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -3311,6 +3312,7 @@ struct qlt_hw_data {
spinlock_t sess_lock;
int rspq_vector_cpuid;
spinlock_t atio_lock cacheline_aligned;
+   struct btree_head32 host_map;
 };
 
 #define MAX_QFULL_CMDS_ALLOC   8192
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index 323b912b47f7..5b2451745e9f 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -854,5 +854,7 @@ extern struct fc_port 
*qlt_find_sess_invalidate_other(scsi_qla_host_t *,
uint64_t wwn, port_id_t port_id, uint16_t loop_id, struct fc_port **);
 void qla24xx_delete_sess_fn(struct work_struct *);
 void qlt_unknown_atio_work_fn(struct work_struct *);
+void qlt_update_host_map(struct scsi_qla_host *, port_id_t);
+void qlt_remove_target_resources(struct qla_hw_data *);
 
 #endif /* _QLA_GBL_H */
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index b1bfa63f7d4e..b0f6ad3020d3 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -3340,8 +3340,8 @@ qla2x00_configure_hba(scsi_qla_host_t *vha)
uint8_t   domain;
charconnect_type[22];
struct qla_hw_data *ha = vha->hw;
-   unsigned long flags;
scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev);
+   port_id_t id;
 
/* Get host addresses. */
rval = qla2x00_get_adapter_id(vha,
@@ -3419,13 +3419,11 @@ qla2x00_configure_hba(scsi_qla_host_t *vha)
 
/* Save Host port and loop ID. */
/* byte order - Big Endian */
-   vha->d_id.b.domain = domain;
-   vha->d_id.b.area = area;
-   vha->d_id.b.al_pa = al_pa;
-
-   spin_lock_irqsave(>vport_slock, flags);
-   qlt_update_vp_map(vha, SET_AL_PA);
-   spin_unlock_irqrestore(>vport_slock, flags);
+   id.b.domain = domain;
+   id.b.area = area;
+   id.b.al_pa = al_pa;
+   id.b.rsvd_1 = 0;
+   qlt_update_host_map(vha, id);
 
if (!vha->flags.init_done)
ql_log(ql_log_info, vha, 0x2010,
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index e40ed570d3c1..53d9579acc74 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -3623,6 +3623,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
scsi_qla_host_t *vp = NULL;
unsigned long   flags;
int found;
+   port_id_t id;
 
ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10b6,
"Entered %s.\n", __func__);
@@ -3630,6 +3631,11 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
if (rptid_entry->entry_status != 0)
return;
 
+   id.b.domain = rptid_entry->port_id[2];
+   id.b.area   = rptid_entry->port_id[1];
+   id.b.al_pa  = rptid_entry->port_id[0];
+   id.b.rsvd_1 = 0;
+
if (rptid_entry->format == 0) {
/* loop */
ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10b7,
@@ -3641,13 +3647,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
rptid_entry->port_id[2], rptid_entry->port_id[1],
rptid_entry->port_id[0]);
 
-   vha->d_id.b.domain = rptid_entry->port_id[2];
-   vha->d_id.b.area = rptid_entry->port_id[1];
-   vha->d_id.b.al_pa = rptid_entry->port_id[0];
-
-   spin_lock_irqsave(>vport_slock, 

[PATCH v4 13/14] qla2xxx: Fix delayed response to command for loop mode/direct connect.

[Himanshu Madhani]

From: Quinn Tran 

Current driver wait for FW to be in the ready state before
processing in-coming commands. For Arbitrated Loop or
Point-to- Point (not switch), FW Ready state can take a while.
FW will transition to ready state after all Nports have been
logged in. In the mean time, certain initiators have completed
the login and starts IO. Driver needs to start processing all
queues if FW is already started.

Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
---
 drivers/scsi/qla2xxx/qla_def.h| 10 --
 drivers/scsi/qla2xxx/qla_init.c   | 12 
 drivers/scsi/qla2xxx/qla_isr.c| 14 +-
 drivers/scsi/qla2xxx/qla_mbx.c|  6 +++---
 drivers/scsi/qla2xxx/qla_os.c | 21 -
 drivers/scsi/qla2xxx/qla_target.c | 38 +-
 6 files changed, 81 insertions(+), 20 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 9251918773b1..ae119018dfaa 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3322,6 +3322,10 @@ struct qlt_hw_data {
 
 #define LEAK_EXCHG_THRESH_HOLD_PERCENT 75  /* 75 percent */
 
+#define QLA_EARLY_LINKUP(_ha) \
+   ((_ha->flags.n2n_ae || _ha->flags.lip_ae) && \
+_ha->flags.fw_started && !_ha->flags.fw_init_done)
+
 /*
  * Qlogic host adapter specific data structure.
 */
@@ -3371,9 +3375,11 @@ struct qla_hw_data {
uint32_tfawwpn_enabled:1;
uint32_texlogins_enabled:1;
uint32_texchoffld_enabled:1;
-   /* 35 bits */
 
+   uint32_tlip_ae:1;
+   uint32_tn2n_ae:1;
uint32_tfw_started:1;
+   uint32_tfw_init_done:1;
} flags;
 
/* This spinlock is used to protect "io transactions", you must
@@ -3466,7 +3472,6 @@ struct qla_hw_data {
 #define P2P_LOOP  3
uint8_t interrupts_on;
uint32_tisp_abort_cnt;
-
 #define PCI_DEVICE_ID_QLOGIC_ISP25320x2532
 #define PCI_DEVICE_ID_QLOGIC_ISP84320x8432
 #define PCI_DEVICE_ID_QLOGIC_ISP8001   0x8001
@@ -3947,6 +3952,7 @@ typedef struct scsi_qla_host {
struct list_head vp_fcports;/* list of fcports */
struct list_head work_list;
spinlock_t work_lock;
+   struct work_struct iocb_work;
 
/* Commonly used flags and state information. */
struct Scsi_Host *host;
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index b0f6ad3020d3..f9d2fe7b1ade 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -3178,6 +3178,7 @@ qla2x00_init_rings(scsi_qla_host_t *vha)
} else {
ql_dbg(ql_dbg_init, vha, 0x00d3,
"Init Firmware -- success.\n");
+   ha->flags.fw_started = 1;
}
 
return (rval);
@@ -4000,6 +4001,7 @@ qla2x00_configure_loop(scsi_qla_host_t *vha)
atomic_set(>loop_state, LOOP_READY);
ql_dbg(ql_dbg_disc, vha, 0x2069,
"LOOP READY.\n");
+   ha->flags.fw_init_done = 1;
 
/*
 * Process any ATIO queue entries that came in
@@ -5491,6 +5493,11 @@ qla2x00_abort_isp_cleanup(scsi_qla_host_t *vha)
if (!(IS_P3P_TYPE(ha)))
ha->isp_ops->reset_chip(vha);
 
+   ha->flags.n2n_ae = 0;
+   ha->flags.lip_ae = 0;
+   ha->current_topology = 0;
+   ha->flags.fw_started = 0;
+   ha->flags.fw_init_done = 0;
ha->chip_reset++;
 
atomic_set(>loop_down_timer, LOOP_DOWN_TIME);
@@ -6767,6 +6774,8 @@ qla2x00_try_to_stop_firmware(scsi_qla_host_t *vha)
return;
if (!ha->fw_major_version)
return;
+   if (!ha->flags.fw_started)
+   return;
 
ret = qla2x00_stop_firmware(vha);
for (retries = 5; ret != QLA_SUCCESS && ret != QLA_FUNCTION_TIMEOUT &&
@@ -6780,6 +6789,9 @@ qla2x00_try_to_stop_firmware(scsi_qla_host_t *vha)
"Attempting retry of stop-firmware command.\n");
ret = qla2x00_stop_firmware(vha);
}
+
+   ha->flags.fw_started = 0;
+   ha->flags.fw_init_done = 0;
 }
 
 int
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 3953c8d6af69..3203367a4f42 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -708,6 +708,8 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que 
*rsp, uint16_t *mb)
"mbx7=%xh.\n", mb[1], mb[2], mb[3], mbx);
 
ha->isp_ops->fw_dump(vha, 1);
+   ha->flags.fw_init_done = 0;
+   ha->flags.fw_started = 0;
 
if (IS_FWI2_CAPABLE(ha)) {
if (mb[1] == 0 && mb[2] == 

[PATCH v4 14/14] qla2xxx: Update driver version to 9.00.00.00-k

[Himanshu Madhani]

Signed-off-by: Himanshu Madhani 
signed-off-by: Giridhar Malavali 
---
 drivers/scsi/qla2xxx/qla_version.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_version.h 
b/drivers/scsi/qla2xxx/qla_version.h
index 3cb1964b7786..45bc84e8e3bf 100644
--- a/drivers/scsi/qla2xxx/qla_version.h
+++ b/drivers/scsi/qla2xxx/qla_version.h
@@ -7,9 +7,9 @@
 /*
  * Driver version
  */
-#define QLA2XXX_VERSION  "8.07.00.38-k"
+#define QLA2XXX_VERSION  "9.00.00.00-k"
 
-#define QLA_DRIVER_MAJOR_VER   8
-#define QLA_DRIVER_MINOR_VER   7
+#define QLA_DRIVER_MAJOR_VER   9
+#define QLA_DRIVER_MINOR_VER   0
 #define QLA_DRIVER_PATCH_VER   0
 #define QLA_DRIVER_BETA_VER0
-- 
2.12.0

[PATCH] [SCSI] esas2r: remove redundant NULL check on buffer

[Colin King]

From: Colin Ian King 

buffer is a pointer to the static char array event_buffer and
therefore can never be null, so the check is redundant. Remove it.

Detected by CoverityScan, CID#1077556 ("Logically Dead Code")

Signed-off-by: Colin Ian King 
---
 drivers/scsi/esas2r/esas2r_log.c | 5 -
 1 file changed, 5 deletions(-)

diff --git a/drivers/scsi/esas2r/esas2r_log.c b/drivers/scsi/esas2r/esas2r_log.c
index a82030a..65fdf22 100644
--- a/drivers/scsi/esas2r/esas2r_log.c
+++ b/drivers/scsi/esas2r/esas2r_log.c
@@ -130,11 +130,6 @@ static int esas2r_log_master(const long level,
 
spin_lock_irqsave(_buffer_lock, flags);
 
-   if (buffer == NULL) {
-   spin_unlock_irqrestore(_buffer_lock, flags);
-   return -1;
-   }
-
memset(buffer, 0, buflen);
 
/*
-- 
2.10.2

Re: Getting "Wrong diagnostic page; asked for 7 got 0" error message on HBA's virtual SES device

[James Bottomley]

On Mon, 2017-03-13 at 12:13 +0530, Sreekanth Reddy wrote:
> Hi,
> 
> Our LSI(Broadcom) SAS3.5 HBA device's support virtual SES device.
> 
> Whenever we load the mpt3sas driver then we are observing below error
> message,
> 
> "Wrong diagnostic page; asked for 7 got 0"
> 
> Our virtual SES device doesn't support Diagnostic page 7, it supports
> only below diagnostic pages,
> 
> • 00h List of Supported Diagnostic Pages
> • 01h SES Configuration Diagnostic Page
> • 02h SES Enclosure Control/Enclosure Status Diagnostic Page
> • 0Ah SES Additional Element Status Diagnostic Page
> 
> Page Code 07 is Element Descriptor Diagnostic Page
> Per SES3 spec (see table 10) this page is optional and not supported
> by our internal VSES.
> 
> But 'ses' kernel module is issuing a RECEIVE_DIAGNOSTIC command for
> diagnostic page 7 without checking whether target device supports
> this
> page or not (i.e. without looking into 00h page) as shown below,
> 
> result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
> if (result)
> goto simple_populate;
> 
> As the virtual SES devices doesn't support this page 7, so it has
> failed this RECEIVE_DIAGNOSTIC command with illegal request sense key
> as shown below,
> 
> ses 11:0:0:0: tag#0 Send: scmd 0x883fee898000
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> mpt3sas_cm1:sas_address(0x510600b012345600), phy(16)
> mpt3sas_cm1:enclosure_logical_id(0x500605b012345600),slot(16)
> mpt3sas_cm1:enclosure level(0x), connector name( )
> mpt3sas_cm1:handle(0x0011), ioc_status(success)(0x), smid(1)
> mpt3sas_cm1:request_len(32), underflow(0), resid(32)
> mpt3sas_cm1:tag(0), transfer_count(0), sc->result(0x0002)
> mpt3sas_cm1:scsi_status(check condition)(0x02),
> scsi_state(autosense valid )(0x01)
> mpt3sas_cm1:[sense_key,asc,ascq]: [0x05,0x26,0x00], count(18)
> mpt3sas_cm1: log_info(0x31200205): originator(PL), code(0x20),
> sub_code(0x0205)
> ses 11:0:0:0: tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE
> driverbyte=DRIVER_OK
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 Sense Key : Illegal Request [current]
> ses 11:0:0:0: tag#0 Add. Sense: Invalid field in parameter list
> ses 11:0:0:0: tag#0 scsi host busy 1 failed 0
> ses 11:0:0:0: Notifying upper driver of completion (result 812)
> ses 11:0:0:0: tag#0 0 sectors total, 32 bytes done.
> ses 11:0:0:0: Wrong diagnostic page; asked for 7 got 0
> 
> As the command is failed with illegal request sense key, so the
> buffer
> used In function 'ses_recv_diag' will be not updated and so it will
> have all zero's. so the page_code will be zero and we observe below
> wrong error message even though vSES device has failed the command
> with illegal request error message and it has not returned any wrong
> diagnostic page.
> 
> sdev_printk(KERN_ERR, sdev,
> "Wrong diagnostic page; asked for %d got %u\n",
> page_code, recv_page_code);

But this should all work, correct?  It was tested with an EMC array
that likewise didn't support the controller electronics page.

The odd thing about this trace is that the failure result didn't get
returned to scsi_execute_req() (is that a driver issue?) so the ses
driver actually saw a success value but then changed it to failure
anyway when the diagnostic page mismatch was detected.

Usually the illegal request is invisible unless tracing is active, and
everything supporting SES seems to be nicely standards compliant, which
is why we just ask for page 7.

James

Re: [PATCHv3 4/6] scsi_error: do not escalate failed EH command

[Hannes Reinecke]

On 03/14/2017 06:56 PM, Benjamin Block wrote:
> Hello Hannes,
> 
> On Wed, Mar 01, 2017 at 10:15:18AM +0100, Hannes Reinecke wrote:
>> When a command is sent as part of the error handling there
>> is not point whatsoever to start EH escalation when that
>> command fails; we are _already_ in the error handler,
>> and the escalation is about to commence anyway.
>> So just call 'scsi_try_to_abort_cmd()' to abort outstanding
>> commands and let the main EH routine handle the rest.
>>
>> Signed-off-by: Hannes Reinecke 
>> Reviewed-by: Johannes Thumshirn 
>> Reviewed-by: Bart Van Assche 
>> ---
>>  drivers/scsi/scsi_error.c | 11 +--
>>  1 file changed, 1 insertion(+), 10 deletions(-)
>>
>> diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
>> index e1ca3b8..4613aa1 100644
>> --- a/drivers/scsi/scsi_error.c
>> +++ b/drivers/scsi/scsi_error.c
>> @@ -889,15 +889,6 @@ static int scsi_try_to_abort_cmd(struct 
>> scsi_host_template *hostt,
>>  return hostt->eh_abort_handler(scmd);
>>  }
>>
>> -static void scsi_abort_eh_cmnd(struct scsi_cmnd *scmd)
>> -{
>> -if (scsi_try_to_abort_cmd(scmd->device->host->hostt, scmd) != SUCCESS)
>> -if (scsi_try_bus_device_reset(scmd) != SUCCESS)
>> -if (scsi_try_target_reset(scmd) != SUCCESS)
>> -if (scsi_try_bus_reset(scmd) != SUCCESS)
>> -scsi_try_host_reset(scmd);
>> -}
>> -
>>  /**
>>   * scsi_eh_prep_cmnd  - Save a scsi command info as part of error recovery
>>   * @scmd:   SCSI command structure to hijack
>> @@ -1082,7 +1073,7 @@ static int scsi_send_eh_cmnd(struct scsi_cmnd *scmd, 
>> unsigned char *cmnd,
>>  break;
>>  }
>>  } else if (rtn != FAILED) {
>> -scsi_abort_eh_cmnd(scmd);
>> +scsi_try_to_abort_cmd(shost->hostt, scmd);
>>  rtn = FAILED;
>>  }
> 
> The idea is sound, but this implementation would cause "use-after-free"s.
> 
> I only know our own LLD well enough to judge, but with zFCP there will
> always be a chance that an abort fails - be it memory pressure,
> hardware/firmware behavior or internal EH in zFCP.
> 
> Calling queuecommand() will mean for us in the LLD, that we allocate a
> unique internal request struct for the scsi_cmnd (struct
> zfcp_fsf_request) and add that to our internal hash-table with
> outstanding commands. We assume this scsi_cmnd-pointer is ours till we
> complete it via scsi_done are yield it via successful EH-actions.
> 
> In case the abort fails, you fail to take back the ownership over the
> scsi command. Which in turn means possible "use-after-free"s when we
> still thinks the scsi command is ours, but EH has already overwritten
> the scsi-command with the original one. When we still get an answer or
> otherwise use the scsi_cmnd-pointer we would access an invalid one.
> 
That is actually not try.
As soon as we're calling 'scsi_try_to_abort_command()' ownership is
assumed to reside in the SCSI midlayer; also, the command used for
recovery here is actually using the same structure than the failed
command, so if the command abort failed the command is already in the
list of failed commands, and will be recovered after SCSI EH returned.

So no use-after-free here.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke   zSeries & Storage
h...@suse.de  +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)

Re: [PATCHv3 6/6] scsi: make asynchronous aborts mandatory

[Hannes Reinecke]

On 03/14/2017 06:33 PM, Benjamin Block wrote:
> Hello Hannes,
> 
> On Wed, Mar 01, 2017 at 10:15:20AM +0100, Hannes Reinecke wrote:
>> There hasn't been any reports for HBAs where asynchronous abort
>> would not work, so we should make it mandatory and remove
>> the fallback.
>>
>> Signed-off-by: Hannes Reinecke 
>> Reviewed-by: Johannes Thumshirn 
>> Reviewed-by: Bart Van Assche 
>> ---
>>  Documentation/scsi/scsi_eh.txt | 18 --
>>  drivers/scsi/scsi_error.c  | 81 
>> --
>>  drivers/scsi/scsi_lib.c|  2 +-
>>  drivers/scsi/scsi_priv.h   |  3 +-
>>  include/scsi/scsi_host.h   |  5 ---
>>  5 files changed, 15 insertions(+), 94 deletions(-)
>>
>> diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt
>> index 4edb9c1c..11e447b 100644
>> --- a/Documentation/scsi/scsi_eh.txt
>> +++ b/Documentation/scsi/scsi_eh.txt
>> @@ -70,7 +70,7 @@ with the command.
>>  scmd is requeued to blk queue.
>>
>>   - otherwise
>> -scsi_eh_scmd_add(scmd, 0) is invoked for the command.  See
>> +scsi_eh_scmd_add(scmd) is invoked for the command.  See
>>  [1-3] for details of this function.
>>
>>
>> @@ -103,9 +103,7 @@ function
>>  eh_timed_out() callback did not handle the command.
>>  Step #2 is taken.
>>
>> - 2. If the host supports asynchronous completion (as indicated by the
>> -no_async_abort setting in the host template) scsi_abort_command()
>> -is invoked to schedule an asynchrous abort.
>> + 2. scsi_abort_command() is invoked to schedule an asynchrous abort.
>>  Asynchronous abort are not invoked for commands which the
>>  SCSI_EH_ABORT_SCHEDULED flag is set (this indicates that the command
>>  already had been aborted once, and this is a retry which failed),
>> @@ -127,16 +125,13 @@ function
>>
>>   scmds enter EH via scsi_eh_scmd_add(), which does the following.
>>
>> - 1. Turns on scmd->eh_eflags as requested.  It's 0 for error
>> -completions and SCSI_EH_CANCEL_CMD for timeouts.
>> + 1. Links scmd->eh_entry to shost->eh_cmd_q
>>
>> - 2. Links scmd->eh_entry to shost->eh_cmd_q
>> + 2. Sets SHOST_RECOVERY bit in shost->shost_state
>>
>> - 3. Sets SHOST_RECOVERY bit in shost->shost_state
>> + 3. Increments shost->host_failed
>>
>> - 4. Increments shost->host_failed
>> -
>> - 5. Wakes up SCSI EH thread if shost->host_busy == shost->host_failed
>> + 4. Wakes up SCSI EH thread if shost->host_busy == shost->host_failed
>>
>>   As can be seen above, once any scmd is added to shost->eh_cmd_q,
>>  SHOST_RECOVERY shost_state bit is turned on.  This prevents any new
>> @@ -252,7 +247,6 @@ scmd->allowed.
>>
>>   1. Error completion / time out
>>  ACTION: scsi_eh_scmd_add() is invoked for scmd
>> -- set scmd->eh_eflags
>>  - add scmd to shost->eh_cmd_q
>>  - set SHOST_RECOVERY
>>  - shost->host_failed++
>> diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
>> index 802a081..7b70ee9 100644
>> --- a/drivers/scsi/scsi_error.c
>> +++ b/drivers/scsi/scsi_error.c
>> @@ -163,7 +163,7 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
>> *shost)
>>  }
>>  }
>>
>> -scsi_eh_scmd_add(scmd, 0);
>> +scsi_eh_scmd_add(scmd);
>>  }
>>
>>  /**
>> @@ -217,9 +217,8 @@ static int scsi_host_eh_past_deadline(struct Scsi_Host 
>> *shost)
>>  /**
>>   * scsi_eh_scmd_add - add scsi cmd to error handling.
>>   * @scmd:   scmd to run eh on.
>> - * @eh_flag:optional SCSI_EH flag.
>>   */
>> -void scsi_eh_scmd_add(struct scsi_cmnd *scmd, int eh_flag)
>> +void scsi_eh_scmd_add(struct scsi_cmnd *scmd)
>>  {
>>  struct Scsi_Host *shost = scmd->device->host;
>>  unsigned long flags;
>> @@ -235,9 +234,6 @@ void scsi_eh_scmd_add(struct scsi_cmnd *scmd, int 
>> eh_flag)
>>  if (shost->eh_deadline != -1 && !shost->last_reset)
>>  shost->last_reset = jiffies;
>>
>> -if (scmd->eh_eflags & SCSI_EH_ABORT_SCHEDULED)
>> -eh_flag &= ~SCSI_EH_CANCEL_CMD;
>> -scmd->eh_eflags |= eh_flag;
>>  scsi_eh_reset(scmd);
>>  list_add_tail(>eh_entry, >eh_cmd_q);
>>  shost->host_failed++;
>> @@ -271,10 +267,9 @@ enum blk_eh_timer_return scsi_times_out(struct request 
>> *req)
>>  rtn = host->hostt->eh_timed_out(scmd);
>>
>>  if (rtn == BLK_EH_NOT_HANDLED) {
>> -if (host->hostt->no_async_abort ||
>> -scsi_abort_command(scmd) != SUCCESS) {
>> +if (scsi_abort_command(scmd) != SUCCESS) {
>>  set_host_byte(scmd, DID_TIME_OUT);
>> -scsi_eh_scmd_add(scmd, SCSI_EH_CANCEL_CMD);
>> +scsi_eh_scmd_add(scmd);
>>  }
>>  }
>>
>> @@ -327,7 +322,7 @@ static inline void scsi_eh_prt_fail_stats(struct 
>> Scsi_Host *shost,
>>  list_for_each_entry(scmd, work_q, eh_entry) {
>>  if (scmd->device == sdev) {
>> 

[Bug 108621] kernel BUG in drivers/scsi/scsi_lib.c

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108621

--- Comment #4 from Martin Ziegler (zieg...@uni-freiburg.de) ---
The bug did not appear in later kernels. I should have 
report this earlier. Sorry


(Martin Ziegler)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 108621] kernel BUG in drivers/scsi/scsi_lib.c

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=108621

--- Comment #5 from Szőgyényi Gábor (szg0...@freemail.hu) ---
Can you close this bug, please?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Re: Getting "Wrong diagnostic page; asked for 7 got 0" error message on HBA's virtual SES device

[Jack Wang]

2017-03-13 7:43 GMT+01:00 Sreekanth Reddy :
> Hi,
>
> Our LSI(Broadcom) SAS3.5 HBA device's support virtual SES device.
>
> Whenever we load the mpt3sas driver then we are observing below error message,
>
> "Wrong diagnostic page; asked for 7 got 0"
>
> Our virtual SES device doesn't support Diagnostic page 7, it supports
> only below diagnostic pages,
>
> • 00h List of Supported Diagnostic Pages
> • 01h SES Configuration Diagnostic Page
> • 02h SES Enclosure Control/Enclosure Status Diagnostic Page
> • 0Ah SES Additional Element Status Diagnostic Page
>
> Page Code 07 is Element Descriptor Diagnostic Page
> Per SES3 spec (see table 10) this page is optional and not supported
> by our internal VSES.
>
> But 'ses' kernel module is issuing a RECEIVE_DIAGNOSTIC command for
> diagnostic page 7 without checking whether target device supports this
> page or not (i.e. without looking into 00h page) as shown below,
>
> result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
> if (result)
> goto simple_populate;
>
> As the virtual SES devices doesn't support this page 7, so it has
> failed this RECEIVE_DIAGNOSTIC command with illegal request sense key
> as shown below,
>
> ses 11:0:0:0: tag#0 Send: scmd 0x883fee898000
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> mpt3sas_cm1:sas_address(0x510600b012345600), phy(16)
> mpt3sas_cm1:enclosure_logical_id(0x500605b012345600),slot(16)
> mpt3sas_cm1:enclosure level(0x), connector name( )
> mpt3sas_cm1:handle(0x0011), ioc_status(success)(0x), smid(1)
> mpt3sas_cm1:request_len(32), underflow(0), resid(32)
> mpt3sas_cm1:tag(0), transfer_count(0), sc->result(0x0002)
> mpt3sas_cm1:scsi_status(check condition)(0x02),
> scsi_state(autosense valid )(0x01)
> mpt3sas_cm1:[sense_key,asc,ascq]: [0x05,0x26,0x00], count(18)
> mpt3sas_cm1: log_info(0x31200205): originator(PL), code(0x20), 
> sub_code(0x0205)
> ses 11:0:0:0: tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE
> driverbyte=DRIVER_OK
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 Sense Key : Illegal Request [current]
> ses 11:0:0:0: tag#0 Add. Sense: Invalid field in parameter list
> ses 11:0:0:0: tag#0 scsi host busy 1 failed 0
> ses 11:0:0:0: Notifying upper driver of completion (result 812)
> ses 11:0:0:0: tag#0 0 sectors total, 32 bytes done.
> ses 11:0:0:0: Wrong diagnostic page; asked for 7 got 0
>
> As the command is failed with illegal request sense key, so the buffer
> used In function 'ses_recv_diag' will be not updated and so it will
> have all zero's. so the page_code will be zero and we observe below
> wrong error message even though vSES device has failed the command
> with illegal request error message and it has not returned any wrong
> diagnostic page.
>
> sdev_printk(KERN_ERR, sdev,
> "Wrong diagnostic page; asked for %d got %u\n",
> page_code, recv_page_code);
>
> Thanks,
> Sreekanth

Hi Sreekanth,

To me, we should fix ses module to check  00h List of Supported
Diagnostic Pages first before ask for 07h.
Add James in CC.

Cheers,
Jack Wang

Re: Getting "Wrong diagnostic page; asked for 7 got 0" error message on HBA's virtual SES device

[Sreekanth Reddy]

Hi,

Any Update?

Thanks,
Sreekanth

On Mon, Mar 13, 2017 at 12:13 PM, Sreekanth Reddy
 wrote:
> Hi,
>
> Our LSI(Broadcom) SAS3.5 HBA device's support virtual SES device.
>
> Whenever we load the mpt3sas driver then we are observing below error message,
>
> "Wrong diagnostic page; asked for 7 got 0"
>
> Our virtual SES device doesn't support Diagnostic page 7, it supports
> only below diagnostic pages,
>
> • 00h List of Supported Diagnostic Pages
> • 01h SES Configuration Diagnostic Page
> • 02h SES Enclosure Control/Enclosure Status Diagnostic Page
> • 0Ah SES Additional Element Status Diagnostic Page
>
> Page Code 07 is Element Descriptor Diagnostic Page
> Per SES3 spec (see table 10) this page is optional and not supported
> by our internal VSES.
>
> But 'ses' kernel module is issuing a RECEIVE_DIAGNOSTIC command for
> diagnostic page 7 without checking whether target device supports this
> page or not (i.e. without looking into 00h page) as shown below,
>
> result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
> if (result)
> goto simple_populate;
>
> As the virtual SES devices doesn't support this page 7, so it has
> failed this RECEIVE_DIAGNOSTIC command with illegal request sense key
> as shown below,
>
> ses 11:0:0:0: tag#0 Send: scmd 0x883fee898000
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> mpt3sas_cm1:sas_address(0x510600b012345600), phy(16)
> mpt3sas_cm1:enclosure_logical_id(0x500605b012345600),slot(16)
> mpt3sas_cm1:enclosure level(0x), connector name( )
> mpt3sas_cm1:handle(0x0011), ioc_status(success)(0x), smid(1)
> mpt3sas_cm1:request_len(32), underflow(0), resid(32)
> mpt3sas_cm1:tag(0), transfer_count(0), sc->result(0x0002)
> mpt3sas_cm1:scsi_status(check condition)(0x02),
> scsi_state(autosense valid )(0x01)
> mpt3sas_cm1:[sense_key,asc,ascq]: [0x05,0x26,0x00], count(18)
> mpt3sas_cm1: log_info(0x31200205): originator(PL), code(0x20), 
> sub_code(0x0205)
> ses 11:0:0:0: tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE
> driverbyte=DRIVER_OK
> ses 11:0:0:0: tag#0 CDB: Receive Diagnostic 1c 01 07 00 20 00
> ses 11:0:0:0: tag#0 Sense Key : Illegal Request [current]
> ses 11:0:0:0: tag#0 Add. Sense: Invalid field in parameter list
> ses 11:0:0:0: tag#0 scsi host busy 1 failed 0
> ses 11:0:0:0: Notifying upper driver of completion (result 812)
> ses 11:0:0:0: tag#0 0 sectors total, 32 bytes done.
> ses 11:0:0:0: Wrong diagnostic page; asked for 7 got 0
>
> As the command is failed with illegal request sense key, so the buffer
> used In function 'ses_recv_diag' will be not updated and so it will
> have all zero's. so the page_code will be zero and we observe below
> wrong error message even though vSES device has failed the command
> with illegal request error message and it has not returned any wrong
> diagnostic page.
>
> sdev_printk(KERN_ERR, sdev,
> "Wrong diagnostic page; asked for %d got %u\n",
> page_code, recv_page_code);
>
> Thanks,
> Sreekanth

[PATCH] qedi: Add PCI device-ID for QL41xxx adapters.

[Manish Rangankar]

Signed-off-by: Manish Rangankar 
---
 drivers/scsi/qedi/qedi_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index 8e3d928..92775a8 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -2007,6 +2007,7 @@ static void qedi_remove(struct pci_dev *pdev)
 
 static struct pci_device_id qedi_pci_tbl[] = {
{ PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, 0x165E) },
+   { PCI_DEVICE(PCI_VENDOR_ID_QLOGIC, 0x8084) },
{ 0 },
 };
 MODULE_DEVICE_TABLE(pci, qedi_pci_tbl);
-- 
1.8.3.1

[Bug 194837] VM with virtio-scsi drive often crashes during boot with kernel 4.11rc1

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=194837

--- Comment #12 from Thorsten Leemhuis (li...@leemhuis.info) ---
(In reply to Omar Sandoval from comment #11)

> The fix was [...]

Thx for providing details!

> If you are still seeing crashes on -rc2,

Yes, but different ones every few boot attempts. But I just noticed those
crashes happen without virtio-scsi as well. So definitely something else now.
4.10 otoh works well; just retested to be sure. Sigh, I guess I need to take a
closer look to find out what's wrong; that might take a day or two.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 194837] VM with virtio-scsi drive often crashes during boot with kernel 4.11rc1

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=194837

--- Comment #11 from Omar Sandoval (osan...@osandov.com) ---
The fix was
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df23de55615fa7a190a85f49a950ccecdd9102f3,
which was part of this patch series:

c01228db4ba9 Revert "scsi, block: fix duplicate bdi name registration crashes"
90f16fddcc28 block: Make del_gendisk() safer for disks without queues
df23de55615f bdi: Fix use-after-free in wb_congested_put()
b6f8fec4448a block: Allow bdi re-registration

If you are still seeing crashes on -rc2, could you please report it to
linux-bl...@vger.kernel.org?

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 194837] VM with virtio-scsi drive often crashes during boot with kernel 4.11rc1

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=194837

--- Comment #10 from Thorsten Leemhuis (li...@leemhuis.info) ---
(In reply to Thorsten Leemhuis from comment #9)
> (In reply to Omar Sandoval from comment #8)
>> This was fixed in v4.11-rc2.
> Care to provide a few more details and a commit that fixes this?

Okay, now assuming you mean
https://git.kernel.org/torvalds/c/737f98cfe7de8df7433a4d846850aa8efa44bd48 Will
investigate…

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 194837] VM with virtio-scsi drive often crashes during boot with kernel 4.11rc1

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=194837

--- Comment #9 from Thorsten Leemhuis (li...@leemhuis.info) ---
(In reply to Omar Sandoval from comment #8)
> This was fixed in v4.11-rc2.

Care to provide a few more details and a commit that fixes this? Because I'm
still seeing crashes with 4.11-rc2; but a few details looks fishy and I more
and more wonder if I'm dealing with two bugs here :-/

-- 
You are receiving this mail because:
You are the assignee for the bug.