Re: [PATCH] scsi: ibmvscsi: Improve strings handling
On 06/26/2018 01:35 PM, Breno Leitao wrote: The subject line should have been updated to [PATCH v2] to clue recipients to the fact that this is an updated version and not a resend or accidental duplicate send. > Currently an open firmware property is copied into partition_name variable > without keeping a room for \0. > > Later one, this variable (partition_name), which is 97 bytes long, is > strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which > is 96 bytes long, possibly truncating it 'again' and removing the \0. > > This patch simply decreases the partition name to 96 and just copy using > strlcpy() which guarantees that the string is \0 terminated. I think there > is no issue if this there is a truncation in this very first copy, i.e, > when the open firmware property is read and copied into the driver for the > very first time; > > This issue also causes the following warning on GCC 8: > > drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: ‘strncpy’ output may > be truncated copying 96 bytes from a string of length 96 > [-Wstringop-truncation] > ... > inlined from ‘ibmvscsi_probe’ at > drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: > drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: ‘strncpy’ specified > bound 97 equals destination size [-Wstringop-truncation] > > CC: Bart Van Assche > CC: Tyrel Datwyler > Signed-off-by: Breno Leitao > --- Also, it is generally recommended that you record your revision history here for the readers/reviewers to quickly see what changed, and to make sure once the patch is pulled this info isn't included in the commit log. ie. Changes in v2: - Addressed Bart's comment by replacing strncpy() with strlcpy() Otherwise, Acked-by: Tyrel Datwyler > drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c > b/drivers/scsi/ibmvscsi/ibmvscsi.c > index 17df76f0be3c..67a2c844e30d 100644 > --- a/drivers/scsi/ibmvscsi/ibmvscsi.c > +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c > @@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_REQUESTS_DEFAULT; > static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; > static int fast_fail = 1; > static int client_reserve = 1; > -static char partition_name[97] = "UNKNOWN"; > +static char partition_name[96] = "UNKNOWN"; > static unsigned int partition_number = -1; > static LIST_HEAD(ibmvscsi_head); > > @@ -262,7 +262,7 @@ static void gather_partition_info(void) > > ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL); > if (ppartition_name) > - strncpy(partition_name, ppartition_name, > + strlcpy(partition_name, ppartition_name, > sizeof(partition_name)); > p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL); > if (p_number_ptr) >
[PATCH] Avoid that SCSI device removal through sysfs triggers a deadlock
This patch avoids that self-removal triggers the following deadlock: == WARNING: possible circular locking dependency detected 4.18.0-rc2-dbg+ #5 Not tainted -- modprobe/6539 is trying to acquire lock: 8323c4cd (kn->count#202){}, at: kernfs_remove_by_name_ns+0x45/0x90 but task is already holding lock: a6ec2c69 (>scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (>scan_mutex){+.+.}: __mutex_lock+0xfe/0xc70 mutex_lock_nested+0x1b/0x20 scsi_remove_device+0x26/0x40 [scsi_mod] sdev_store_delete+0x27/0x30 [scsi_mod] dev_attr_store+0x3e/0x50 sysfs_kf_write+0x87/0xa0 kernfs_fop_write+0x190/0x230 __vfs_write+0xd2/0x3b0 vfs_write+0x101/0x270 ksys_write+0xab/0x120 __x64_sys_write+0x43/0x50 do_syscall_64+0x77/0x230 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (kn->count#202){}: lock_acquire+0xd2/0x260 __kernfs_remove+0x424/0x4a0 kernfs_remove_by_name_ns+0x45/0x90 remove_files.isra.1+0x3a/0x90 sysfs_remove_group+0x5c/0xc0 sysfs_remove_groups+0x39/0x60 device_remove_attrs+0x82/0xb0 device_del+0x251/0x580 __scsi_remove_device+0x19f/0x1d0 [scsi_mod] scsi_forget_host+0x37/0xb0 [scsi_mod] scsi_remove_host+0x9b/0x150 [scsi_mod] sdebug_driver_remove+0x4b/0x150 [scsi_debug] device_release_driver_internal+0x241/0x360 device_release_driver+0x12/0x20 bus_remove_device+0x1bc/0x290 device_del+0x259/0x580 device_unregister+0x1a/0x70 sdebug_remove_adapter+0x8b/0xf0 [scsi_debug] scsi_debug_exit+0x76/0xe8 [scsi_debug] __x64_sys_delete_module+0x1c1/0x280 do_syscall_64+0x77/0x230 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Possible unsafe locking scenario: CPU0CPU1 lock(>scan_mutex); lock(kn->count#202); lock(>scan_mutex); lock(kn->count#202); *** DEADLOCK *** 2 locks held by modprobe/6539: #0: efaf9298 (>mutex){}, at: device_release_driver_internal+0x68/0x360 #1: a6ec2c69 (>scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod] stack backtrace: CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 Call Trace: dump_stack+0xa4/0xf5 print_circular_bug.isra.34+0x213/0x221 __lock_acquire+0x1a7e/0x1b50 lock_acquire+0xd2/0x260 __kernfs_remove+0x424/0x4a0 kernfs_remove_by_name_ns+0x45/0x90 remove_files.isra.1+0x3a/0x90 sysfs_remove_group+0x5c/0xc0 sysfs_remove_groups+0x39/0x60 device_remove_attrs+0x82/0xb0 device_del+0x251/0x580 __scsi_remove_device+0x19f/0x1d0 [scsi_mod] scsi_forget_host+0x37/0xb0 [scsi_mod] scsi_remove_host+0x9b/0x150 [scsi_mod] sdebug_driver_remove+0x4b/0x150 [scsi_debug] device_release_driver_internal+0x241/0x360 device_release_driver+0x12/0x20 bus_remove_device+0x1bc/0x290 device_del+0x259/0x580 device_unregister+0x1a/0x70 sdebug_remove_adapter+0x8b/0xf0 [scsi_debug] scsi_debug_exit+0x76/0xe8 [scsi_debug] __x64_sys_delete_module+0x1c1/0x280 do_syscall_64+0x77/0x230 entry_SYSCALL_64_after_hwframe+0x49/0xbe See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html. Suggested-by: Eric W. Biederman Fixes: ac0ece9174ac ("scsi: use device_remove_file_self() instead of device_schedule_callback()") Signed-off-by: Bart Van Assche Cc: Eric W. Biederman Cc: Tejun Heo Cc: Hannes Reinecke Cc: Johannes Thumshirn Cc: Ingo Molnar Cc: Oleg Nesterov Cc: --- drivers/scsi/scsi_sysfs.c | 48 +++ kernel/task_work.c| 1 + 2 files changed, 45 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index 7943b762c12d..f14e92f1d292 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include @@ -718,14 +719,53 @@ store_rescan_field (struct device *dev, struct device_attribute *attr, } static DEVICE_ATTR(rescan, S_IWUSR, NULL, store_rescan_field); +struct remove_dev_work { + struct callback_headhead; + struct scsi_device *sdev; +}; + +static void delete_sdev(struct callback_head *head) +{ + struct remove_dev_work *work = container_of(head, typeof(*work), head); + struct scsi_device *sdev = work->sdev; + + scsi_remove_device(sdev); + kfree(work); + scsi_device_put(sdev); +} + static ssize_t sdev_store_delete(struct device *dev, struct device_attribute
[PATCH] scsi: ibmvscsi: Improve strings handling
Currently an open firmware property is copied into partition_name variable without keeping a room for \0. Later one, this variable (partition_name), which is 97 bytes long, is strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is 96 bytes long, possibly truncating it 'again' and removing the \0. This patch simply decreases the partition name to 96 and just copy using strlcpy() which guarantees that the string is \0 terminated. I think there is no issue if this there is a truncation in this very first copy, i.e, when the open firmware property is read and copied into the driver for the very first time; This issue also causes the following warning on GCC 8: drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: ‘strncpy’ output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation] ... inlined from ‘ibmvscsi_probe’ at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: ‘strncpy’ specified bound 97 equals destination size [-Wstringop-truncation] CC: Bart Van Assche CC: Tyrel Datwyler Signed-off-by: Breno Leitao --- drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c index 17df76f0be3c..67a2c844e30d 100644 --- a/drivers/scsi/ibmvscsi/ibmvscsi.c +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c @@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_REQUESTS_DEFAULT; static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; static int fast_fail = 1; static int client_reserve = 1; -static char partition_name[97] = "UNKNOWN"; +static char partition_name[96] = "UNKNOWN"; static unsigned int partition_number = -1; static LIST_HEAD(ibmvscsi_head); @@ -262,7 +262,7 @@ static void gather_partition_info(void) ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL); if (ppartition_name) - strncpy(partition_name, ppartition_name, + strlcpy(partition_name, ppartition_name, sizeof(partition_name)); p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL); if (p_number_ptr) -- 2.16.3
Re: [PATCH] scsi: ibmvscsi: Improve strings handling
On 06/26/18 12:10, Breno Leitao wrote: if (ppartition_name) strncpy(partition_name, ppartition_name, - sizeof(partition_name)); + sizeof(partition_name) - 1); Please use strlcpy() instead of trying to emulate it. Thanks, Bart.
[PATCH] scsi: ibmvscsi: Improve strings handling
Currently an open firmware property is copied into partition_name variable without keeping a room for \0. Later one, this variable (partition_name), which is 97 bytes long, is strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is 96 bytes long, possibly truncating it 'again' and removing the \0. This patch simply decreases the partition name to 96 and just copy up to 95 bits from the openfirmware property into it, keeping room for \0. I think there is no issue if this there is a truncation in this very first copy, i.e, when the open firmware property is read and copied into the driver for the very first time; This causes the following warning on GCC 8: drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: ‘strncpy’ output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation] ... inlined from ‘ibmvscsi_probe’ at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: ‘strncpy’ specified bound 97 equals destination size [-Wstringop-truncation] CC: Tyrel Datwyler Signed-off-by: Breno Leitao --- drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c index 17df76f0be3c..56107f74ac5e 100644 --- a/drivers/scsi/ibmvscsi/ibmvscsi.c +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c @@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_REQUESTS_DEFAULT; static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; static int fast_fail = 1; static int client_reserve = 1; -static char partition_name[97] = "UNKNOWN"; +static char partition_name[96] = "UNKNOWN"; static unsigned int partition_number = -1; static LIST_HEAD(ibmvscsi_head); @@ -263,7 +263,7 @@ static void gather_partition_info(void) ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL); if (ppartition_name) strncpy(partition_name, ppartition_name, - sizeof(partition_name)); + sizeof(partition_name) - 1); p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL); if (p_number_ptr) partition_number = of_read_number(p_number_ptr, 1); -- 2.16.3
Re: [PATCH 1/1] tcmu: Don't pass KERN_ERR to pr_err
Mike, > Fix warning: > > smatch warnings: > drivers/target/target_core_user.c:301 tcmu_genl_cmd_done() warn: KERN_* > level not at start of string Applied to 4.19/scsi-queue. -- Martin K. Petersen Oracle Linux Engineering
[PATCH 1/1] tcmu: Don't pass KERN_ERR to pr_err
Fix warning: smatch warnings: drivers/target/target_core_user.c:301 tcmu_genl_cmd_done() warn: KERN_* level not at start of string Signed-off-by: Mike Christie --- drivers/target/target_core_user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c index 9555981..847707a 100644 --- a/drivers/target/target_core_user.c +++ b/drivers/target/target_core_user.c @@ -383,7 +383,7 @@ static int tcmu_genl_cmd_done(struct genl_info *info, int completed_cmd) } if (!udev) { - pr_err(KERN_ERR "tcmu nl cmd %u/%d completion could not find device with dev id %u.\n", + pr_err("tcmu nl cmd %u/%d completion could not find device with dev id %u.\n", completed_cmd, rc, dev_id); ret = -ENODEV; goto unlock; -- 2.7.2
Re: [PATCH-next] scsi: libsas: dynamically allocate and free ata host
John, >> Took a while for all the prerequisites to materialize. I just rebased >> 4.19/scsi-queue to v4.18-rc1 and applied your patch. Thanks! > > Is it possible to add this patch to the 4.18 fixes? I was on the fence on this but felt it was an intricate enough change to warrant a bit of soak time before ending up in a stable release. That's why it went into 4.19. -- Martin K. Petersen Oracle Linux Engineering
Re: [PATCH] sd: Remove a superfluous assignment
Bart, > Since blk_rq_bytes(req) returns req->__data_len, assigning that value > to req->__data_len is superfluous. Hence remove that assignment. Applied to 4.19/scsi-queue, thanks! -- Martin K. Petersen Oracle Linux Engineering
Re: [PATCH] qedi: Fix misleading indentation
Bart, > This patch avoids that smatch reports the following warnings: > > drivers/scsi/qedi/qedi_fw_api.c:129: init_sqe() warn: inconsistent indenting > drivers/scsi/qedi/qedi_fw_api.c:137: init_sqe() warn: inconsistent indenting Applied to 4.19/scsi-queue, thank you! -- Martin K. Petersen Oracle Linux Engineering
Re: [PATCH v6 0/7] scsi_io_completion cleanup
Douglas, > This patch refactors scsi_io_completion() by taking the bulk of its > error processing code into three static helper functions, leaving only > the 20 or so code lines that constitute the fastpath. In this process > comments were added and tweaked, plus variables renamed. The last two > patches in this set are optional: adding conditional hints along the > fastpath and converting 3 BUG() calls in scsi_io_completion() to WARNs > as requested by a reviewer. > > There is no attempt in this patchset to change the logic of the > original scsi_io_completion() although the last patch attempts to > continue from awkward situations rather than crashing the calling > thread (and possibly the kernel). Some conditional checks are saved by > reducing the number of redundant tests (e.g. multiple checks that the > 'result' variable is non-zero). Also De Morgan's laws are applied to > some complex conditions to simplify them from the reader's > perspective. The fact remains, this is a very complex function. Applied to 4.19/scsi-queue, thanks! -- Martin K. Petersen Oracle Linux Engineering
Re: tcmu: fix hung netlink requests and nl related cleanup V2
Mike, > The following patches fix the issues where the userspace daemon has > crashed and left netlink requests dangling. The daemon can now block > the interface, kill outstanding requests, reopen the netlink socket > and then unblock and execute new requests. Applied to 4.19/scsi-queue, thanks! -- Martin K. Petersen Oracle Linux Engineering
Re: [PATCH] scsi: aacraid: Fix PD performance regression over incorrect qd being set
Raghava, > The driver fails to set the correct queue depth for native devices, > due to failing to set the device type prior to calling > aac_set_safw_target_qd(). This results in slave configure setting the > queue depth to 1. > > This causes around 30% performance degradation. Fixed by setting the > dev type before trying to set queue depth. Applied to 4.18/scsi-fixes. Thank you! -- Martin K. Petersen Oracle Linux Engineering
[PATCH 07/10] lpfc: Fix NVME Target crash in defer rcv logic
Kernel occasionally crashed with the following ops on NVME Target: BUG: unable to handle kernel NULL pointer dereference at 0058 IP: [] lpfc_nvmet_defer_rcv+0x50/0x70 [lpfc] Callback routine was called for deferred rcv when it should be treated as a normal rcv. Added code in callback routine to detect this condition and log a message, then bail. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_nvmet.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c index 3330973bd9c5..bc3c19f2338b 100644 --- a/drivers/scsi/lpfc/lpfc_nvmet.c +++ b/drivers/scsi/lpfc/lpfc_nvmet.c @@ -402,6 +402,7 @@ lpfc_nvmet_ctxbuf_post(struct lpfc_hba *phba, struct lpfc_nvmet_ctxbuf *ctx_buf) /* Process FCP command */ if (rc == 0) { + ctxp->rqb_buffer = NULL; atomic_inc(>rcv_fcp_cmd_out); nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); return; @@ -1116,8 +1117,17 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_target_port *tgtport, lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n", ctxp->oxid, ctxp->size, smp_processor_id()); + if (!nvmebuf) { + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR, + "6425 Defer rcv: no buffer xri x%x: " + "flg %x ste %x\n", + ctxp->oxid, ctxp->flag, ctxp->state); + return; + } + tgtp = phba->targetport->private; - atomic_inc(>rcv_fcp_cmd_defer); + if (tgtp) + atomic_inc(>rcv_fcp_cmd_defer); /* Free the nvmebuf since a new buffer already replaced it */ nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); -- 2.13.1
[PATCH 09/10] lpfc: update driver version to 12.0.0.5
Update the driver version to 12.0.0.5 Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_version.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_version.h b/drivers/scsi/lpfc/lpfc_version.h index 18c23afcf46b..30591e6364ec 100644 --- a/drivers/scsi/lpfc/lpfc_version.h +++ b/drivers/scsi/lpfc/lpfc_version.h @@ -20,7 +20,7 @@ * included with this package. * ***/ -#define LPFC_DRIVER_VERSION "12.0.0.4" +#define LPFC_DRIVER_VERSION "12.0.0.5" #define LPFC_DRIVER_NAME "lpfc" /* Used for SLI 2/3 */ -- 2.13.1
[PATCH 08/10] lpfc: devloss timeout race condition caused null pointer reference
A race condition between the context of devloss timeout handler and I/O completion caused devloss timeout handler de-referencing pointer that had been released. Added the check in lpfc_sli_validate_fcp_iocb() on LPFC_IO_ON_TXCMPLQ to capture the race condition of I/O completion and devloss timeout handler attemption for aborting the I/O. Also, added check on lpfc_cmd->rdata pointer before de-referenceing lpfc_cmd->rdata->pnode. Also, added protection in lpfc_sli_abort_iocb() routine on driver performed FCP I/O FLUSHING already under way before proceeding to aborting I/Os. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_scsi.c | 5 + drivers/scsi/lpfc/lpfc_sli.c | 13 + 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c index c31c43f43553..5e4cad6a531a 100644 --- a/drivers/scsi/lpfc/lpfc_scsi.c +++ b/drivers/scsi/lpfc/lpfc_scsi.c @@ -4538,6 +4538,11 @@ lpfc_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *cmnd) int err; rdata = lpfc_rport_data_from_scsi_device(cmnd->device); + + /* sanity check on references */ + if (unlikely(!rdata) || unlikely(!rport)) + goto out_fail_command; + err = fc_remote_port_chkready(rport); if (err) { cmnd->result = err; diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index 3299913876ce..d4078fda11a5 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c @@ -11097,10 +11097,11 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport, struct lpfc_scsi_buf *lpfc_cmd; int rc = 1; - if (!(iocbq->iocb_flag & LPFC_IO_FCP)) + if (iocbq->vport != vport) return rc; - if (iocbq->vport != vport) + if (!(iocbq->iocb_flag & LPFC_IO_FCP) || + !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ)) return rc; lpfc_cmd = container_of(iocbq, struct lpfc_scsi_buf, cur_iocbq); @@ -0,13 +1,13 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport, switch (ctx_cmd) { case LPFC_CTX_LUN: - if ((lpfc_cmd->rdata->pnode) && + if ((lpfc_cmd->rdata) && (lpfc_cmd->rdata->pnode) && (lpfc_cmd->rdata->pnode->nlp_sid == tgt_id) && (scsilun_to_int(_cmd->fcp_cmnd->fcp_lun) == lun_id)) rc = 0; break; case LPFC_CTX_TGT: - if ((lpfc_cmd->rdata->pnode) && + if ((lpfc_cmd->rdata) && (lpfc_cmd->rdata->pnode) && (lpfc_cmd->rdata->pnode->nlp_sid == tgt_id)) rc = 0; break; @@ -11231,6 +11232,10 @@ lpfc_sli_abort_iocb(struct lpfc_vport *vport, struct lpfc_sli_ring *pring, int errcnt = 0, ret_val = 0; int i; + /* all I/Os are in process of being flushed */ + if (phba->hba_flag & HBA_FCP_IOQ_FLUSH) + return errcnt; + for (i = 1; i <= phba->sli.last_iotag; i++) { iocbq = phba->sli.iocbq_lookup[i]; -- 2.13.1
[PATCH 10/10] lpfc: Revise copyright for new company language
Change references from "Broadcom Limited" to "Broadcom Inc." in the copyright message. Update copyright duration if not yet updated for 2018. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/Makefile | 4 ++-- drivers/scsi/lpfc/lpfc.h | 2 +- drivers/scsi/lpfc/lpfc_attr.h | 4 ++-- drivers/scsi/lpfc/lpfc_bsg.c | 2 +- drivers/scsi/lpfc/lpfc_bsg.h | 4 ++-- drivers/scsi/lpfc/lpfc_compat.h| 4 ++-- drivers/scsi/lpfc/lpfc_crtn.h | 2 +- drivers/scsi/lpfc/lpfc_ct.c| 2 +- drivers/scsi/lpfc/lpfc_debugfs.h | 2 +- drivers/scsi/lpfc/lpfc_disc.h | 4 ++-- drivers/scsi/lpfc/lpfc_els.c | 2 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- drivers/scsi/lpfc/lpfc_hw.h| 2 +- drivers/scsi/lpfc/lpfc_ids.h | 2 +- drivers/scsi/lpfc/lpfc_logmsg.h| 4 ++-- drivers/scsi/lpfc/lpfc_mbox.c | 2 +- drivers/scsi/lpfc/lpfc_mem.c | 2 +- drivers/scsi/lpfc/lpfc_nl.h| 4 ++-- drivers/scsi/lpfc/lpfc_nportdisc.c | 2 +- drivers/scsi/lpfc/lpfc_nvmet.c | 2 +- drivers/scsi/lpfc/lpfc_nvmet.h | 2 +- drivers/scsi/lpfc/lpfc_sli.h | 4 ++-- drivers/scsi/lpfc/lpfc_sli4.h | 2 +- drivers/scsi/lpfc/lpfc_version.h | 4 ++-- drivers/scsi/lpfc/lpfc_vport.c | 4 ++-- drivers/scsi/lpfc/lpfc_vport.h | 4 ++-- 26 files changed, 37 insertions(+), 37 deletions(-) diff --git a/drivers/scsi/lpfc/Makefile b/drivers/scsi/lpfc/Makefile index cb6aa802c48e..092a971d066b 100644 --- a/drivers/scsi/lpfc/Makefile +++ b/drivers/scsi/lpfc/Makefile @@ -1,8 +1,8 @@ #/*** # * This file is part of the Emulex Linux Device Driver for * # * Fibre Channel Host Bus Adapters.* -# * Copyright (C) 2017 Broadcom. All Rights Reserved. The term * -# * “Broadcom” refers to Broadcom Limited and/or its subsidiaries. * +# * Copyright (C) 2017-2018 Broadcom. All Rights Reserved. The term * +# * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * # * Copyright (C) 2004-2012 Emulex. All rights reserved. * # * EMULEX and SLI are trademarks of Emulex.* # * www.broadcom.com* diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h index fc580a9b2bae..e0d0da5f43d6 100644 --- a/drivers/scsi/lpfc/lpfc.h +++ b/drivers/scsi/lpfc/lpfc.h @@ -2,7 +2,7 @@ * This file is part of the Emulex Linux Device Driver for * * Fibre Channel Host Bus Adapters.* * Copyright (C) 2017-2018 Broadcom. All Rights Reserved. The term * - * “Broadcom” refers to Broadcom Limited and/or its subsidiaries. * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Copyright (C) 2004-2016 Emulex. All rights reserved. * * EMULEX and SLI are trademarks of Emulex.* * www.broadcom.com* diff --git a/drivers/scsi/lpfc/lpfc_attr.h b/drivers/scsi/lpfc/lpfc_attr.h index 931db52692f5..9659a8fff971 100644 --- a/drivers/scsi/lpfc/lpfc_attr.h +++ b/drivers/scsi/lpfc/lpfc_attr.h @@ -1,8 +1,8 @@ /*** * This file is part of the Emulex Linux Device Driver for * * Fibre Channel Host Bus Adapters.* - * Copyright (C) 2017 Broadcom. All Rights Reserved. The term * - * “Broadcom” refers to Broadcom Limited and/or its subsidiaries. * + * Copyright (C) 2017-2018 Broadcom. All Rights Reserved. The term * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Copyright (C) 2004-2016 Emulex. All rights reserved. * * EMULEX and SLI are trademarks of Emulex.* * www.broadcom.com* diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c index edb1a18a6414..90745feca808 100644 --- a/drivers/scsi/lpfc/lpfc_bsg.c +++ b/drivers/scsi/lpfc/lpfc_bsg.c @@ -2,7 +2,7 @@ * This file is part of the Emulex Linux Device Driver for * * Fibre Channel Host Bus Adapters.* * Copyright (C) 2017-2018 Broadcom. All Rights Reserved. The term * - * “Broadcom” refers to Broadcom Limited and/or its subsidiaries. * + * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. * * Copyright (C) 2009-2015 Emulex. All rights reserved. * * EMULEX and SLI are trademarks of Emulex.* * www.broadcom.com* diff --git a/drivers/scsi/lpfc/lpfc_bsg.h b/drivers/scsi/lpfc/lpfc_bsg.h index e7d95a4e8042..32347c87e3b4 100644 --- a/drivers/scsi/lpfc/lpfc_bsg.h +++ b/drivers/scsi/lpfc/lpfc_bsg.h @@ -1,8 +1,8 @@ /*** * This file is part of
[PATCH 06/10] lpfc: Support duration field in Link Cable Beacon V1 command
Current implementation missed setting the duration field. Correct the code to set the field. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_els.c | 64 +++ drivers/scsi/lpfc/lpfc_hw.h | 18 +++- drivers/scsi/lpfc/lpfc_hw4.h | 46 --- drivers/scsi/lpfc/lpfc_init.c | 1 + drivers/scsi/lpfc/lpfc_sli4.h | 3 ++ 5 files changed, 104 insertions(+), 28 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index 6d84a10fef07..4683154842f5 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -5640,8 +5640,9 @@ lpfc_els_lcb_rsp(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) " mbx status x%x\n", shdr_status, shdr_add_status, mb->mbxStatus); - if (mb->mbxStatus && !(shdr_status && - shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE)) { + if ((mb->mbxStatus != MBX_SUCCESS) || shdr_status || + (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE) || + (shdr_add_status == ADD_STATUS_INVALID_REQUEST)) { mempool_free(pmb, phba->mbox_mem_pool); goto error; } @@ -5670,6 +5671,7 @@ lpfc_els_lcb_rsp(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) lcb_res->lcb_sub_command = lcb_context->sub_command; lcb_res->lcb_type = lcb_context->type; lcb_res->lcb_frequency = lcb_context->frequency; + lcb_res->lcb_duration = lcb_context->duration; elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp; phba->fc_stat.elsXmitACC++; rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); @@ -5712,6 +5714,7 @@ lpfc_sli4_set_beacon(struct lpfc_vport *vport, uint32_t beacon_state) { struct lpfc_hba *phba = vport->phba; + union lpfc_sli4_cfg_shdr *cfg_shdr; LPFC_MBOXQ_t *mbox = NULL; uint32_t len; int rc; @@ -5720,6 +5723,7 @@ lpfc_sli4_set_beacon(struct lpfc_vport *vport, if (!mbox) return 1; + cfg_shdr = >u.mqe.un.sli4_config.header.cfg_shdr; len = sizeof(struct lpfc_mbx_set_beacon_config) - sizeof(struct lpfc_sli4_cfg_mhdr); lpfc_sli4_config(phba, mbox, LPFC_MBOX_SUBSYSTEM_COMMON, @@ -5732,8 +5736,40 @@ lpfc_sli4_set_beacon(struct lpfc_vport *vport, phba->sli4_hba.physical_port); bf_set(lpfc_mbx_set_beacon_state, >u.mqe.un.beacon_config, beacon_state); - bf_set(lpfc_mbx_set_beacon_port_type, >u.mqe.un.beacon_config, 1); - bf_set(lpfc_mbx_set_beacon_duration, >u.mqe.un.beacon_config, 0); + mbox->u.mqe.un.beacon_config.word5 = 0; /* Reserved */ + + /* +* Check bv1s bit before issuing the mailbox +* if bv1s == 1, LCB V1 supported +* else, LCB V0 supported +*/ + + if (phba->sli4_hba.pc_sli4_params.bv1s) { + /* COMMON_SET_BEACON_CONFIG_V1 */ + cfg_shdr->request.word9 = BEACON_VERSION_V1; + lcb_context->capability |= LCB_CAPABILITY_DURATION; + bf_set(lpfc_mbx_set_beacon_port_type, + >u.mqe.un.beacon_config, 0); + bf_set(lpfc_mbx_set_beacon_duration_v1, + >u.mqe.un.beacon_config, + be16_to_cpu(lcb_context->duration)); + } else { + /* COMMON_SET_BEACON_CONFIG_V0 */ + if (be16_to_cpu(lcb_context->duration) != 0) { + mempool_free(mbox, phba->mbox_mem_pool); + return 1; + } + cfg_shdr->request.word9 = BEACON_VERSION_V0; + lcb_context->capability &= ~(LCB_CAPABILITY_DURATION); + bf_set(lpfc_mbx_set_beacon_state, + >u.mqe.un.beacon_config, beacon_state); + bf_set(lpfc_mbx_set_beacon_port_type, + >u.mqe.un.beacon_config, 1); + bf_set(lpfc_mbx_set_beacon_duration, + >u.mqe.un.beacon_config, + be16_to_cpu(lcb_context->duration)); + } + rc = lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT); if (rc == MBX_NOT_FINISHED) { mempool_free(mbox, phba->mbox_mem_pool); @@ -5784,24 +5820,16 @@ lpfc_els_rcv_lcb(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, beacon->lcb_frequency, be16_to_cpu(beacon->lcb_duration)); - if (phba->sli_rev < LPFC_SLI_REV4 || - (bf_get(lpfc_sli_intf_if_type, >sli4_hba.sli_intf) != - LPFC_SLI_INTF_IF_TYPE_2)) { - rjt_err = LSRJT_CMD_UNSUPPORTED; - goto rjt; - } - - if (phba->hba_flag & HBA_FCOE_MODE) { - rjt_err = LSRJT_CMD_UNSUPPORTED; - goto rjt; - } if
[PATCH 05/10] lpfc: Make PBDE optimizations configurable
the PBDE optimizations aren't supported in all firmware revs. Make to optimizations configurable in case there's a side effect on old firmware. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc.h | 3 +-- drivers/scsi/lpfc/lpfc_attr.c | 10 ++ drivers/scsi/lpfc/lpfc_init.c | 22 +++--- drivers/scsi/lpfc/lpfc_nvme.c | 8 drivers/scsi/lpfc/lpfc_nvmet.c | 23 +-- drivers/scsi/lpfc/lpfc_scsi.c | 14 +++--- drivers/scsi/lpfc/lpfc_sli.c | 8 7 files changed, 50 insertions(+), 38 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h index 20b249a649dd..fc580a9b2bae 100644 --- a/drivers/scsi/lpfc/lpfc.h +++ b/drivers/scsi/lpfc/lpfc.h @@ -840,8 +840,7 @@ struct lpfc_hba { #define LPFC_ENABLE_FCP 1 #define LPFC_ENABLE_NVME 2 #define LPFC_ENABLE_BOTH 3 - uint32_t nvme_embed_pbde; - uint32_t fcp_embed_pbde; + uint32_t cfg_enable_pbde; uint32_t io_channel_irqs; /* number of irqs for io channels */ struct nvmet_fc_target_port *targetport; lpfc_vpd_t vpd; /* vital product data */ diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c index 3b839237ab50..ec537052bec4 100644 --- a/drivers/scsi/lpfc/lpfc_attr.c +++ b/drivers/scsi/lpfc/lpfc_attr.c @@ -5387,6 +5387,14 @@ LPFC_BBCR_ATTR_RW(enable_bbcr, 1, 0, 1, "Enable BBC Recovery"); */ LPFC_ATTR_RW(enable_dpp, 1, 0, 1, "Enable Direct Packet Push"); +/* + * lpfc_enable_pbde: Enable PBDE on PRISM - G7 + * 0 = PBDE on G7 disabled + * 1 = PBDE on G7 enabled (default) + * Value range is [0,1]. Default value is 1 + */ +LPFC_ATTR_R(enable_pbde, 1, 0, 1, "Enable PBDE support on PRISM"); + struct device_attribute *lpfc_hba_attrs[] = { _attr_nvme_info, _attr_bg_info, @@ -5498,6 +5506,7 @@ struct device_attribute *lpfc_hba_attrs[] = { _attr_lpfc_enable_mds_diags, _attr_lpfc_enable_bbcr, _attr_lpfc_enable_dpp, + _attr_lpfc_enable_pbde, NULL, }; @@ -6520,6 +6529,7 @@ lpfc_get_cfgparam(struct lpfc_hba *phba) lpfc_nvme_io_channel_init(phba, lpfc_nvme_io_channel); lpfc_enable_bbcr_init(phba, lpfc_enable_bbcr); lpfc_enable_dpp_init(phba, lpfc_enable_dpp); + lpfc_enable_pbde_init(phba, lpfc_enable_pbde); if (phba->sli_rev != LPFC_SLI_REV4) { /* NVME only supported on SLI4 */ diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 139a8baa6e4c..1bbf56efa07c 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -10672,18 +10672,10 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) phba->cfg_enable_fc4_type = LPFC_ENABLE_FCP; } - /* Only embed PBDE for if_type 6 */ - if (bf_get(lpfc_sli_intf_if_type, >sli4_hba.sli_intf) == - LPFC_SLI_INTF_IF_TYPE_6) { - phba->fcp_embed_pbde = 1; - phba->nvme_embed_pbde = 1; - } - - /* PBDE support requires xib be set */ - if (!bf_get(cfg_xib, mbx_sli4_parameters)) { - phba->fcp_embed_pbde = 0; - phba->nvme_embed_pbde = 0; - } + /* Only embed PBDE for if_type 6, PBDE support requires xib be set */ + if ((bf_get(lpfc_sli_intf_if_type, >sli4_hba.sli_intf) != + LPFC_SLI_INTF_IF_TYPE_6) || (!bf_get(cfg_xib, mbx_sli4_parameters))) + phba->cfg_enable_pbde = 0; /* * To support Suppress Response feature we must satisfy 3 conditions. @@ -10717,10 +10709,10 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) phba->fcp_embed_io = 0; lpfc_printf_log(phba, KERN_INFO, LOG_INIT | LOG_NVME, - "6422 XIB %d: FCP %d %d NVME %d %d %d %d\n", + "6422 XIB %d PBDE %d: FCP %d NVME %d %d %d\n", bf_get(cfg_xib, mbx_sli4_parameters), - phba->fcp_embed_pbde, phba->fcp_embed_io, - phba->nvme_support, phba->nvme_embed_pbde, + phba->cfg_enable_pbde, + phba->fcp_embed_io, phba->nvme_support, phba->cfg_nvme_embed_cmd, phba->cfg_suppress_rsp); if ((bf_get(lpfc_sli_intf_if_type, >sli4_hba.sli_intf) == diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c index ada5a2aaee82..4cc6783b6a9f 100644 --- a/drivers/scsi/lpfc/lpfc_nvme.c +++ b/drivers/scsi/lpfc/lpfc_nvme.c @@ -1279,6 +1279,8 @@ lpfc_nvme_prep_io_cmd(struct lpfc_vport *vport, /* Word 9 */ bf_set(wqe_reqtag, >generic.wqe_com, pwqeq->iotag); + /* Words 13 14 15 are for PBDE support */ + pwqeq->vport = vport; return 0; } @@ -1378,7 +1380,7 @@ lpfc_nvme_prep_io_dma(struct lpfc_vport *vport, data_sg = sg_next(data_sg);
[PATCH 00/10] lpfc updates for 12.0.0.5
This patch contains lpfc bug fixes and some minor functional additions. The patches were cut against the Martin's 4.18/scsi-queue tree James Smart (10): lpfc: Add Buffer overflow check, when nvme_info larger than PAGE_SIZE lpfc: Fix driver not setting dpp bits correctly in doorbell word lpfc: Fix panic if driver unloaded when port is offline lpfc: Fix abort error path for NVMET lpfc: Make PBDE optimizations configurable lpfc: Support duration field in Link Cable Beacon V1 command lpfc: Fix NVME Target crash in defer rcv logic lpfc: devloss timeout race condition caused null pointer reference lpfc: update driver version to 12.0.0.5 lpfc: Revise copyright for new company language drivers/scsi/lpfc/Makefile | 4 +- drivers/scsi/lpfc/lpfc.h | 5 +- drivers/scsi/lpfc/lpfc_attr.c | 442 ++--- drivers/scsi/lpfc/lpfc_attr.h | 4 +- drivers/scsi/lpfc/lpfc_bsg.c | 2 +- drivers/scsi/lpfc/lpfc_bsg.h | 4 +- drivers/scsi/lpfc/lpfc_compat.h| 4 +- drivers/scsi/lpfc/lpfc_crtn.h | 2 +- drivers/scsi/lpfc/lpfc_ct.c| 2 +- drivers/scsi/lpfc/lpfc_debugfs.h | 2 +- drivers/scsi/lpfc/lpfc_disc.h | 4 +- drivers/scsi/lpfc/lpfc_els.c | 66 -- drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- drivers/scsi/lpfc/lpfc_hw.h| 20 +- drivers/scsi/lpfc/lpfc_hw4.h | 46 +++- drivers/scsi/lpfc/lpfc_ids.h | 2 +- drivers/scsi/lpfc/lpfc_init.c | 28 ++- drivers/scsi/lpfc/lpfc_logmsg.h| 4 +- drivers/scsi/lpfc/lpfc_mbox.c | 2 +- drivers/scsi/lpfc/lpfc_mem.c | 2 +- drivers/scsi/lpfc/lpfc_nl.h| 4 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 2 +- drivers/scsi/lpfc/lpfc_nvme.c | 13 +- drivers/scsi/lpfc/lpfc_nvmet.c | 52 +++-- drivers/scsi/lpfc/lpfc_nvmet.h | 2 +- drivers/scsi/lpfc/lpfc_scsi.c | 19 +- drivers/scsi/lpfc/lpfc_sli.c | 30 ++- drivers/scsi/lpfc/lpfc_sli.h | 4 +- drivers/scsi/lpfc/lpfc_sli4.h | 5 +- drivers/scsi/lpfc/lpfc_version.h | 6 +- drivers/scsi/lpfc/lpfc_vport.c | 4 +- drivers/scsi/lpfc/lpfc_vport.h | 4 +- 32 files changed, 502 insertions(+), 290 deletions(-) -- 2.13.1
[PATCH 04/10] lpfc: Fix abort error path for NVMET
rmmod of driver hangs As driver instances were being unloaded, the NVME target port was unloaded first. During the unload, the NVME initiator port sent a heartbeat IO. Because of the target port state, that IO was scheduled for an Abort; however, that abort subseqentially failed. The failure was not cleaned up properly and lpfc_sli4_xri_exchange_busy_wait silently hung forever. Clean failed abort properly and make lpfc_sli4_xri_exchange_busy_wait not hangs silently while waiting for aborts to complete. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_init.c | 5 + drivers/scsi/lpfc/lpfc_nvmet.c | 15 +++ 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 7ae343b14630..139a8baa6e4c 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -10386,6 +10386,11 @@ lpfc_sli4_xri_exchange_busy_wait(struct lpfc_hba *phba) while (!fcp_xri_cmpl || !els_xri_cmpl || !nvme_xri_cmpl || !nvmet_xri_cmpl) { if (wait_time > LPFC_XRI_EXCH_BUSY_WAIT_TMO) { + if (!nvmet_xri_cmpl) + lpfc_printf_log(phba, KERN_ERR, LOG_INIT, + "6424 NVMET XRI exchange busy " + "wait time: %d seconds.\n", + wait_time/1000); if (!nvme_xri_cmpl) lpfc_printf_log(phba, KERN_ERR, LOG_INIT, "6100 NVME XRI exchange busy " diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c index 7271c9d885dd..102c970a00e6 100644 --- a/drivers/scsi/lpfc/lpfc_nvmet.c +++ b/drivers/scsi/lpfc/lpfc_nvmet.c @@ -1732,9 +1732,12 @@ lpfc_nvmet_unsol_ls_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, uint32_t *payload; uint32_t size, oxid, sid, rc; + fc_hdr = (struct fc_frame_header *)(nvmebuf->hbuf.virt); + oxid = be16_to_cpu(fc_hdr->fh_ox_id); + if (!nvmebuf || !phba->targetport) { lpfc_printf_log(phba, KERN_ERR, LOG_NVME_IOERR, - "6154 LS Drop IO\n"); + "6154 LS Drop IO x%x\n", oxid); oxid = 0; size = 0; sid = 0; @@ -1744,9 +1747,7 @@ lpfc_nvmet_unsol_ls_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, tgtp = (struct lpfc_nvmet_tgtport *)phba->targetport->private; payload = (uint32_t *)(nvmebuf->dbuf.virt); - fc_hdr = (struct fc_frame_header *)(nvmebuf->hbuf.virt); size = bf_get(lpfc_rcqe_length, >cq_event.cqe.rcqe_cmpl); - oxid = be16_to_cpu(fc_hdr->fh_ox_id); sid = sli4_sid_from_fc_hdr(fc_hdr); ctxp = kzalloc(sizeof(struct lpfc_nvmet_rcv_ctx), GFP_ATOMIC); @@ -3105,11 +3106,17 @@ lpfc_nvmet_unsol_fcp_issue_abort(struct lpfc_hba *phba, } aerr: - ctxp->flag &= ~LPFC_NVMET_ABORT_OP; + spin_lock_irqsave(>ctxlock, flags); + if (ctxp->flag & LPFC_NVMET_CTX_RLS) + list_del(>list); + ctxp->flag &= ~(LPFC_NVMET_ABORT_OP | LPFC_NVMET_CTX_RLS); + spin_unlock_irqrestore(>ctxlock, flags); + atomic_inc(>xmt_abort_rsp_error); lpfc_printf_log(phba, KERN_ERR, LOG_NVME_ABTS, "6135 Failed to Issue ABTS for oxid x%x. Status x%x\n", ctxp->oxid, rc); + lpfc_nvmet_ctxbuf_post(phba, ctxp->ctxbuf); return 1; } -- 2.13.1
[PATCH 02/10] lpfc: Fix driver not setting dpp bits correctly in doorbell word
Driver is incorrectly formatting a register on new hardware, using a format for an older chip. This can result in non-deterministic behavior. Ensure driver is not setting "workqueue index" in the WQ doorbell when making a non-dpp doorbell write. The field must be zero when non-dpp. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_sli.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index 4b70d53acb72..74547f437813 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c @@ -145,6 +145,7 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, union lpfc_wqe128 *wqe) uint32_t idx; uint32_t i = 0; uint8_t *tmp; + u32 if_type; /* sanity check on queue memory */ if (unlikely(!q)) @@ -199,8 +200,14 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, union lpfc_wqe128 *wqe) q->queue_id); } else { bf_set(lpfc_wq_db_list_fm_num_posted, , 1); - bf_set(lpfc_wq_db_list_fm_index, , host_index); bf_set(lpfc_wq_db_list_fm_id, , q->queue_id); + + /* Leave bits <23:16> clear for if_type 6 dpp */ + if_type = bf_get(lpfc_sli_intf_if_type, +>phba->sli4_hba.sli_intf); + if (if_type != LPFC_SLI_INTF_IF_TYPE_6) + bf_set(lpfc_wq_db_list_fm_index, , + host_index); } } else if (q->db_format == LPFC_DB_RING_FORMAT) { bf_set(lpfc_wq_db_ring_fm_num_posted, , 1); -- 2.13.1
[PATCH 03/10] lpfc: Fix panic if driver unloaded when port is offline
System crashes when the lpfc module is unloaded after making the port offline The nvme queue pointers were freed during port offline, but were later accessed in pci remove path. Validate the pointers in pci remove path before accessing them. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_nvme.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c index 76a5a99605aa..ada5a2aaee82 100644 --- a/drivers/scsi/lpfc/lpfc_nvme.c +++ b/drivers/scsi/lpfc/lpfc_nvme.c @@ -2970,7 +2970,7 @@ lpfc_nvme_wait_for_io_drain(struct lpfc_hba *phba) struct lpfc_sli_ring *pring; u32 i, wait_cnt = 0; - if (phba->sli_rev < LPFC_SLI_REV4) + if (phba->sli_rev < LPFC_SLI_REV4 || !phba->sli4_hba.nvme_wq) return; /* Cycle through all NVME rings and make sure all outstanding @@ -2979,6 +2979,9 @@ lpfc_nvme_wait_for_io_drain(struct lpfc_hba *phba) for (i = 0; i < phba->cfg_nvme_io_channel; i++) { pring = phba->sli4_hba.nvme_wq[i]->pring; + if (!pring) + continue; + /* Retrieve everything on the txcmplq */ while (!list_empty(>txcmplq)) { msleep(LPFC_XRI_EXCH_BUSY_WAIT_T1); -- 2.13.1
[PATCH 01/10] lpfc: Add Buffer overflow check, when nvme_info larger than PAGE_SIZE
Kernel crashes during fill_read_buffer when nvme_info sysfs file read. With multiple NVME targets, approx 40, nvme_info may grow larger than PAGE_SIZE bytes. snprintf(buf + len, PAGE_SIZE - len, ...) logic is flawed as PAGE_SIZE - len can be < 0 and is accepted by snprintf. This results in buffer overflow, and is detected with check from dev_attr_show and fill_read_buffer. Change to use scnprintf to a tmp array, before calling strlcat to ensure no buffer overflow over PAGE_SIZE bytes. Message "6314" created as a new message indicating when there is more nvme info, but is truncated to fit within PAGE_SIZE bytes. Signed-off-by: Dick Kennedy Signed-off-by: James Smart --- drivers/scsi/lpfc/lpfc_attr.c | 432 +- 1 file changed, 257 insertions(+), 175 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c index 729d343861f4..3b839237ab50 100644 --- a/drivers/scsi/lpfc/lpfc_attr.c +++ b/drivers/scsi/lpfc/lpfc_attr.c @@ -64,6 +64,9 @@ #define LPFC_MIN_MRQ_POST 512 #define LPFC_MAX_MRQ_POST 2048 +#define LPFC_MAX_NVME_INFO_TMP_LEN 100 +#define LPFC_NVME_INFO_MORE_STR"\nCould be more info...\n" + /* * Write key size should be multiple of 4. If write key is changed * make sure that library write key is also changed. @@ -158,14 +161,15 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, char *statep; int i; int len = 0; + char tmp[LPFC_MAX_NVME_INFO_TMP_LEN] = {0}; if (!(phba->cfg_enable_fc4_type & LPFC_ENABLE_NVME)) { - len += snprintf(buf, PAGE_SIZE, "NVME Disabled\n"); + len = scnprintf(buf, PAGE_SIZE, "NVME Disabled\n"); return len; } if (phba->nvmet_support) { if (!phba->targetport) { - len = snprintf(buf, PAGE_SIZE, + len = scnprintf(buf, PAGE_SIZE, "NVME Target: x%llx is not allocated\n", wwn_to_u64(vport->fc_portname.u.wwn)); return len; @@ -175,135 +179,169 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, statep = "REGISTERED"; else statep = "INIT"; - len += snprintf(buf + len, PAGE_SIZE - len, - "NVME Target Enabled State %s\n", - statep); - len += snprintf(buf + len, PAGE_SIZE - len, - "%s%d WWPN x%llx WWNN x%llx DID x%06x\n", - "NVME Target: lpfc", - phba->brd_no, - wwn_to_u64(vport->fc_portname.u.wwn), - wwn_to_u64(vport->fc_nodename.u.wwn), - phba->targetport->port_id); - - len += snprintf(buf + len, PAGE_SIZE - len, - "\nNVME Target: Statistics\n"); + scnprintf(tmp, sizeof(tmp), + "NVME Target Enabled State %s\n", + statep); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) + goto buffer_done; + + scnprintf(tmp, sizeof(tmp), + "%s%d WWPN x%llx WWNN x%llx DID x%06x\n", + "NVME Target: lpfc", + phba->brd_no, + wwn_to_u64(vport->fc_portname.u.wwn), + wwn_to_u64(vport->fc_nodename.u.wwn), + phba->targetport->port_id); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) + goto buffer_done; + + if (strlcat(buf, "\nNVME Target: Statistics\n", PAGE_SIZE) + >= PAGE_SIZE) + goto buffer_done; + tgtp = (struct lpfc_nvmet_tgtport *)phba->targetport->private; - len += snprintf(buf+len, PAGE_SIZE-len, - "LS: Rcv %08x Drop %08x Abort %08x\n", - atomic_read(>rcv_ls_req_in), - atomic_read(>rcv_ls_req_drop), - atomic_read(>xmt_ls_abort)); + scnprintf(tmp, sizeof(tmp), + "LS: Rcv %08x Drop %08x Abort %08x\n", + atomic_read(>rcv_ls_req_in), + atomic_read(>rcv_ls_req_drop), + atomic_read(>xmt_ls_abort)); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) + goto buffer_done; + if (atomic_read(>rcv_ls_req_in) != atomic_read(>rcv_ls_req_out)) { - len += snprintf(buf+len, PAGE_SIZE-len, - "Rcv LS: in %08x != out
RE: mpt3sas regression...
Hi David, Sorry for the inconvenience caused. Yes, "scsi: mpt3sas: Bug fix for big endian systems." patch was posted to fix sparse warnings. I missed the testing. Currently we are testing on sparc64 system and soon I will be reposting the patch based on the findings. Thanks, Chaitra -Original Message- From: David Miller [mailto:da...@davemloft.net] Sent: Sunday, June 24, 2018 10:17 AM To: linux-scsi@vger.kernel.org Cc: chaitra.basa...@broadcom.com; sparcli...@vger.kernel.org Subject: mpt3sas regression... Commit: commit cf6bf9710cabba1fe94a4349f4eb8db623c77ebc Author: Chaitra P B Date: Tue Apr 24 05:28:30 2018 -0400 scsi: mpt3sas: Bug fix for big endian systems. actually breaks big-endian. This driver has been working perfectly fine for more a decade or so on my sparc64 test systems up until this point. If you are just responding to sparse warnings, please do not do that. What big-endian system did you test this change on? Meanwhile, I'd like to ask that this change be reverted. Thank you.
[PATCH V2 2/2] ata: Fix ZBC_OUT all bit handling
If the ALL bit is set in the ZBC_OUT command, the command zone ID field (block) should be ignored. Reported-by: David Butterfield Signed-off-by: Damien Le Moal Cc: sta...@vger.kernel.org --- drivers/ata/libata-scsi.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index a5543751f446..aad1b01447de 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3805,7 +3805,14 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) */ goto invalid_param_len; } - if (block >= dev->n_sectors) { + + all = cdb[14] & 0x1; + if (all) { + /* +* Ignore the block address (zone ID) as defined by ZBC. +*/ + block = 0; + } else if (block >= dev->n_sectors) { /* * Block must be a valid zone ID (a zone start LBA). */ @@ -3813,8 +3820,6 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) goto invalid_fld; } - all = cdb[14] & 0x1; - if (ata_ncq_enabled(qc->dev) && ata_fpdma_zac_mgmt_out_supported(qc->dev)) { tf->protocol = ATA_PROT_NCQ_NODATA; -- 2.17.1
[PATCH V2 1/2] ata: Fix ZBC_OUT command block check
The block (LBA) specified must not exceed the last addressable LBA, which is dev->nr_sectors - 1. So fix the correct check is "if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)". Additionally, the asc/ascq to return for an LBA that is not a zone start LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of range. Reported-by: David Butterfield Signed-off-by: Damien Le Moal Cc: sta...@vger.kernel.org --- drivers/ata/libata-scsi.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 6a91d04351d9..a5543751f446 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3805,8 +3805,13 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) */ goto invalid_param_len; } - if (block > dev->n_sectors) - goto out_of_range; + if (block >= dev->n_sectors) { + /* +* Block must be a valid zone ID (a zone start LBA). +*/ + fp = 2; + goto invalid_fld; + } all = cdb[14] & 0x1; @@ -3837,10 +3842,6 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) invalid_fld: ata_scsi_set_invalid_field(qc->dev, scmd, fp, 0xff); return 1; - out_of_range: - /* "Logical Block Address out of range" */ - ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x21, 0x00); - return 1; invalid_param_len: /* "Parameter list length error" */ ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x1a, 0x0); -- 2.17.1
[PATCH V2 0/2] ZBC_OUT command translation fixes
Tejun, These two patches fix problems with the checks of the ZBC_OUT command fields prior to its translation to ZAC MANAGEMENT OUT. The first patch fixes an incorrect out-of-range check and changes the returned asc/ascq to the ZBC defined INVALID FIELD IN CDB instead of (the more natural but incorrect) LBA OUT OF RANGE. The second patch disables the ZBC_OUT command block address check if the ALL bit is set, as defined by the ZBC specifications. Thank you for considering these patches for inclusion in 4.18 fixes (and CC stable). Damien Le Moal (2): ata: Fix ZBC_OUT command block check ata: Fix ZBC_OUT all bit handling drivers/ata/libata-scsi.c | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) Changes from V1: Added "Cc: stable" -- 2.17.1
[PATCH V2 0/2] ZBC_OUT command translation fixes
Tejun, These two patches fix problems with the checks of the ZBC_OUT command fields prior to its translation to ZAC MANAGEMENT OUT. The first patch fixes an incorrect out-of-range check and changes the returned asc/ascq to the ZBC defined INVALID FIELD IN CDB instead of (the more natural but incorrect) LBA OUT OF RANGE. The second patch disables the ZBC_OUT command block address check if the ALL bit is set, as defined by the ZBC specifications. Thank you for considering these patches for inclusion in 4.18 fixes (and CC stable). Damien Le Moal (2): ata: Fix ZBC_OUT command block check ata: Fix ZBC_OUT all bit handling drivers/ata/libata-scsi.c | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) Changes from V1: Added "Cc: stable" -- 2.17.1
Re: [PATCH 2/2] ata: Fix ZBC_OUT all bit handling
On Tue, Jun 26, 2018 at 04:18:38PM +0900, Damien Le Moal wrote: > If the ALL bit is set in the ZBC_OUT command, the command zone ID field > (block) should be ignored. > > Reported-by: David Butterfield > Signed-off-by: Damien Le Moal > --- > drivers/ata/libata-scsi.c | 11 --- > 1 file changed, 8 insertions(+), 3 deletions(-) This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
Re: [PATCH 1/2] ata: Fix ZBC_OUT command block check
On Tue, Jun 26, 2018 at 04:18:37PM +0900, Damien Le Moal wrote: > The block (LBA) specified must not exceed the last addressable LBA, > which is dev->nr_sectors - 1. So fix the correct check is > "if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)". > > Additionally, the asc/ascq to return for an LBA that is not a zone start > LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of > range. > > Reported-by: David Butterfield > Signed-off-by: Damien Le Moal This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
[Bug 199703] HPSA blocking boot on HP smart Array P400
https://bugzilla.kernel.org/show_bug.cgi?id=199703 --- Comment #15 from Roberto M. (roby_program...@fastwebnet.it) --- Hi, my answer below (In reply to Don from comment #14) > I'm wondering how you updated. It is a prolian ML350 G5 with Ubuntu 16.04 LTS, I upgraded to 18.04 LTS, after upgrade at first boot with his own official 4.15 kernel, it crashed, I tryed to choose 4.4 kernel (from grub, the previous LTS kernel from 16.04) and it boot that's all I tested all kernels from ubuntu kernel PPA, all <= 4.13.16 boot, from 4.14 not..Also tested kernels from kernel.org (compiled by myself), before open this bug, same results > > If you were booted from a cciss block driver before, the disk mapping would > be to a /dev/cciss/c0dX boot device. > > Do you use by-label, by-uuid, ...? by uuid > > If not and you simply updated the kernel and the kernel switched to hpsa, > your disk mapping would not be changed over to /dev/sdX, it would still be > to /dev/cciss/... > > Can you boot into rescue mode? If so, can you post your grub.cfg, /etc/fstab > files? I will post here and add as attachment asap (I already know that migrating from cciss to hpsa I have to change fstab, but I tryed some live cd, to check and test with fdisk new partition, but no any luck to boot, with card inside, removing it, it boot with live cd like video on youtube) > > > Also, do you know how to obtain ilo vsp console output? > > IE. In RBSU enabling VSP logging and setting the BIOS console and > BAUD(115200), then > updating the boot line with console=ttyS0,11500 console=tty0 > > Then script -c "ssh /tmp/E200boot.log from another machine? > > This will capture what is happening and you can post E200boot.log No, I will surely try it, please give me time, if I can ask, before start I think that I have to do it booting with newest kernel from kernel.org? 4.17.2?? (Ubuntu official kernel are patched) no any problem for me to download and compile it Really thank you for your answers (from RHEL faq page only solution is to buy a supported hp scsi card ) thanks again, bye -- You are receiving this mail because: You are the assignee for the bug.
Re: [PATCH v6 7/7] scsi_io_completion convert BUGs to WARNs
On Tue, Jun 26, 2018 at 12:53:32PM +0200, Douglas Gilbert wrote: > The SCSI subsystem may not be the primary storage medium on a system, so > bringing down the system because the SCSI mid-level has an unrecoverable > error may be overkill. Think an embedded system with the rootfs on a > /dev/mmcblkp device with the only "SCSI" device being an external > USB port for a memory key (I was fighting with a 3D printer was just that > config a few days ago). Then the user plugs in the world's worst USB > key (billion of candidates). Isn't one error strategy just to report, > ignore and continue? Exactly and even if SCSI is the primary storage medium BUG_ON()s are just bad, sorry. It's always better to do error recovery then hard crashing a machine as it may be able to write out logs when doing error recovery so one actually has a chance debugging the reasons why it happened. Byte, Johannes -- Johannes Thumshirn Storage jthumsh...@suse.de+49 911 74053 689 SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
Re: [PATCH v6 7/7] scsi_io_completion convert BUGs to WARNs
On 2018-06-26 07:28 AM, Hannes Reinecke wrote: On 06/23/2018 12:22 PM, Douglas Gilbert wrote: The scsi_io_completion function contains three BUG() and BUG_ON() calls. Replace them with WARN variants. Signed-off-by: Douglas Gilbert Reviewed-by: Johannes Thumshirn Reviewed-by: Bart Van Assche --- drivers/scsi/scsi_lib.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 19ed11abe886..252edd61a688 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1060,13 +1060,21 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) scsi_req(req->next_rq)->resid_len = scsi_in(cmd)->resid; if (scsi_end_request(req, BLK_STS_OK, blk_rq_bytes(req), blk_rq_bytes(req->next_rq))) - BUG(); + WARN_ONCE(true, + "Bidi command with remaining bytes"); return; } } /* no bidi support yet, other than in pass-through */ - BUG_ON(blk_bidi_rq(req)); + if (unlikely(blk_bidi_rq(req))) { + WARN_ONCE(true, "Only support bidi command in passthrough"); + scmd_printk(KERN_ERR, cmd, "Killing bidi command\n"); + if (scsi_end_request(req, BLK_STS_IOERR, blk_rq_bytes(req), + blk_rq_bytes(req->next_rq))) + WARN_ONCE(true, "Bidi command with remaining bytes"); + return; + } /* * Next deal with any sectors which we were able to correctly @@ -1089,7 +1097,8 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes) /* Kill remainder if no retries. */ if (unlikely(blk_stat && scsi_noretry_cmd(cmd))) { if (scsi_end_request(req, blk_stat, blk_rq_bytes(req), 0)) - BUG(); + WARN_ONCE(true, + "Bytes remaining after failed, no-retry command"); return; } So what happens to these requests if not all bytes could be finished? Do we have an error recovery strategy? Changing to WARN_ON would only makes sense if we have a way of recovering the failed request, otherwise we'd have to reboot anyway, hence there wouldn't be much difference to the BUG() statement... It's been a while now, but I think these BUGs were changed to WARNs due to checkpatch.pl nagging. Not that I added the BUG statements, but my patch moved them so checkpatch.pl felt that I owned them. Ahhh no, it was your colleague Johannes Thumshirn. The SCSI subsystem may not be the primary storage medium on a system, so bringing down the system because the SCSI mid-level has an unrecoverable error may be overkill. Think an embedded system with the rootfs on a /dev/mmcblkp device with the only "SCSI" device being an external USB port for a memory key (I was fighting with a 3D printer was just that config a few days ago). Then the user plugs in the world's worst USB key (billion of candidates). Isn't one error strategy just to report, ignore and continue? Doug Gilbert
PROCUREMENT DEPARTMENT
Thanks for your mail. please follow our page below to confirm details http://pronotioncn.com/draftoffer/po/ We wish to get the delivery date on all as listed and your payment details in regards. Thanks Jendrics Anikó JEMOLIMPEX Kft. 1089 Bp. Orczy út 46 - 48
Re: [PATCH] qedi: Fix static checker warning
On 6/25/18, 8:31 PM, "Bart Van Assche" wrote: >External Email > >On 06/25/18 05:32, Nilesh Javali wrote: >> This patch fixes the static checker warning, >> >> drivers/scsi/qedi/qedi_main.c:891 qedi_get_boot_tgt_info() >> error: snprintf() is printing too much 256 vs 255 > >Which static checker produced this warning? > >> Signed-off-by: Nilesh Javali >> --- >> drivers/scsi/qedi/qedi_main.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/scsi/qedi/qedi_main.c >>b/drivers/scsi/qedi/qedi_main.c >> index cf274a7..85491da 100644 >> --- a/drivers/scsi/qedi/qedi_main.c >> +++ b/drivers/scsi/qedi/qedi_main.c >> @@ -888,8 +888,8 @@ static void qedi_get_boot_tgt_info(struct >>nvm_iscsi_block *block, >> ipv6_en = !!(block->generic.ctrl_flags & >>NVM_ISCSI_CFG_GEN_IPV6_ENABLED); >> >> - snprintf(tgt->iscsi_name, NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN, >>"%s\n", >> - block->target[index].target_name.byte); >> + sprintf(tgt->iscsi_name, "%.*s\n", >>NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN, >> + block->target[index].target_name.byte); >> >> tgt->ipv6_en = ipv6_en; > >Since sizeof(tgt->iscsi_name) == 255, since >NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN == 256 and since >sizeof(block->target[index].target_name.byte) == 256, I think you are >making a potential buffer overflow worse instead of just suppressing a >static checker warning. > >Bart. I will send another patch set fixing the sizeof target name (tgt->iscsi_name) along with the above fix. Thanks for the review. Thanks, Nilesh
Re: [PATCH] qedi: Fix misleading indentation
Looks good, Reviewed-by: Johannes Thumshirn -- Johannes Thumshirn Storage jthumsh...@suse.de+49 911 74053 689 SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg) Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
[PATCH 1/2] ata: Fix ZBC_OUT command block check
The block (LBA) specified must not exceed the last addressable LBA, which is dev->nr_sectors - 1. So fix the correct check is "if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)". Additionally, the asc/ascq to return for an LBA that is not a zone start LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of range. Reported-by: David Butterfield Signed-off-by: Damien Le Moal --- drivers/ata/libata-scsi.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 6a91d04351d9..a5543751f446 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3805,8 +3805,13 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) */ goto invalid_param_len; } - if (block > dev->n_sectors) - goto out_of_range; + if (block >= dev->n_sectors) { + /* +* Block must be a valid zone ID (a zone start LBA). +*/ + fp = 2; + goto invalid_fld; + } all = cdb[14] & 0x1; @@ -3837,10 +3842,6 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) invalid_fld: ata_scsi_set_invalid_field(qc->dev, scmd, fp, 0xff); return 1; - out_of_range: - /* "Logical Block Address out of range" */ - ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x21, 0x00); - return 1; invalid_param_len: /* "Parameter list length error" */ ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x1a, 0x0); -- 2.17.1
[PATCH 2/2] ata: Fix ZBC_OUT all bit handling
If the ALL bit is set in the ZBC_OUT command, the command zone ID field (block) should be ignored. Reported-by: David Butterfield Signed-off-by: Damien Le Moal --- drivers/ata/libata-scsi.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index a5543751f446..aad1b01447de 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3805,7 +3805,14 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) */ goto invalid_param_len; } - if (block >= dev->n_sectors) { + + all = cdb[14] & 0x1; + if (all) { + /* +* Ignore the block address (zone ID) as defined by ZBC. +*/ + block = 0; + } else if (block >= dev->n_sectors) { /* * Block must be a valid zone ID (a zone start LBA). */ @@ -3813,8 +3820,6 @@ static unsigned int ata_scsi_zbc_out_xlat(struct ata_queued_cmd *qc) goto invalid_fld; } - all = cdb[14] & 0x1; - if (ata_ncq_enabled(qc->dev) && ata_fpdma_zac_mgmt_out_supported(qc->dev)) { tf->protocol = ATA_PROT_NCQ_NODATA; -- 2.17.1
[PATCH 0/2] ZBC_OUT command translation fixes
Tejun, These two patches fix problems with the checks of the ZBC_OUT command fields prior to its translation to ZAC MANAGEMENT OUT. The first patch fixes an incorrect out-of-range check and changes the returned asc/ascq to the ZBC defined INVALID FIELD IN CDB instead of (the more natural but incorrect) LBA OUT OF RANGE. The second patch disables the ZBC_OUT command block address check if the ALL bit is set, as defined by the ZBC specifications. Thank you for considering these patches for inclusion in 4.18 fixes (and CC stable). Damien Le Moal (2): ata: Fix ZBC_OUT command block check ata: Fix ZBC_OUT all bit handling drivers/ata/libata-scsi.c | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) -- 2.17.1