- 25 Nov, 2022 2 commits
-
-
Yang Yingliang authored
hpsa_sas_port_add_phy() does: ... sas_phy_add() -> may return error here sas_port_add_phy() ... Whereas hpsa_free_sas_phy() does: ... sas_port_delete_phy() sas_phy_delete() ... If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be called to free the memory because the port and the phy have not been added yet. Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel crash in this case. Fixes: d04e62b9 ("hpsa: add in sas transport class") Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.comSigned-off-by:
Martin K. Petersen <martin.petersen@oracle.com>
-
Yang Yingliang authored
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_rphy_remove+0x50/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_rphy_remove+0x38/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_remove_host+0x20/0x38 [scsi_transport_sas] scsih_remove+0xd8/0x420 [mpt3sas] Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens. Fixes: f92363d1 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") Signed-off-by:
-
- 24 Nov, 2022 11 commits
-
-
Yuan Can authored
The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly. Fixes: 8b834bff ("scsi: hpsa: fix selection of reply queue") Signed-off-by:
Yuan Can <yuancan@huawei.com> Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.comReviewed-by:
Ming Lei <ming.lei@redhat.com> Signed-off-by:
-
Wenchao Hao authored
If scsi_dispatch_cmd() failed, the SCSI command was not sent to the target. scsi_queue_rq() would return BLK_STS_RESOURCE if scsi_dispatch_cmd() failed, and the related request would be requeued. The timeout of this request would not fire, so noone would increase iodone_cnt. Signed-off-by:
Wenchao Hao <haowenchao@huawei.com> Link: https://lore.kernel.org/r/20221123122137.150776-3-haowenchao@huawei.comReviewed-by:
Mike Christie <michael.christie@oracle.com> Signed-off-by:
-
Wenchao Hao authored
If a SCSI command times out and is going to be aborted, we should increase the iodone_cnt of the related scsi_device. Otherwise the iodone_cnt would be smaller than iorequest_cnt. Increasing iodone_cnt in scsi_timeout() would not cause a double accounting issue. Brief analysis follows: - We add the iodone_cnt when BLK_EH_DONE is returned in scsi_timeout(). The related command's timeout event would not happen. - If the abort succeeds and the command is not retried, the command would be completed with scsi_finish_command() which would not increase iodone_cnt. - If the abort succeeds and the command is retried, it would be requeue. A scsi_dispatch_cmd() would be called and iorequest_cnt would be increased again. - If the abort fails, the error handler successfully recovers the device, and the command is not retried, the command would be completed with scsi_finish_command() which would not increase iodone_cnt. - If the abort fails, the error handler successfully recovers the device, and the command is retried, the iorequest_cnt would be increased again. Signed-off-by:
-
Wenchao Hao authored
There are two iscsi_set_param() functions defined in libiscsi.c and scsi_transport_iscsi.c respectively which is confusing. Rename the one in scsi_transport_iscsi.c to iscsi_if_set_param(). Signed-off-by:
Lee Duncan <lduncan@suse.com> Signed-off-by:
-
Maurizio Lombardi authored
While handling an I/O completion for the compare portion of a COMPARE_AND_WRITE command, it may happen that the compare_and_write_callback function submits new bio structs while still in softirq context. Low level drivers like md raid5 do not expect their make_request call to be used in softirq context, they call into schedule() and create a deadlocked system. __schedule at ffffffff873a0807 schedule at ffffffff873a0cc5 raid5_get_active_stripe at ffffffffc0875744 [raid456] raid5_make_request at ffffffffc0875a50 [raid456] md_handle_request at ffffffff8713b9f9 md_make_request at ffffffff8713bacb generic_make_request at ffffffff86e6f14b submit_bio at ffffffff86e6f27c iblock_submit_bios at ffffffffc0b4e4dc [target_core_iblock] iblock_execute_rw at ffffffffc0b4f3ce [target_core_iblock] __target_execute_cmd at ffffffffc1090079 [target_core_mod] compare_and_write_callback at ffffffffc1093602 [target_core_mod] target_cmd_interrupted at ffffffffc108d1ec [target_core_mod] target_complete_cmd_with_sense at ffffffffc108d27c [target_core_mod] iblock_complete_cmd at ffffffffc0b4e23a [target_core_iblock] dm_io_dec_pending at ffffffffc00db29e [dm_mod] clone_endio at ffffffffc00dbf07 [dm_mod] raid5_align_endio at ffffffffc086d6c2 [raid456] blk_update_request at ffffffff86e6d950 scsi_end_request at ffffffff87063d48 scsi_io_completion at ffffffff87063ee8 blk_complete_reqs at ffffffff86e77b05 __softirqentry_text_start at ffffffff876000d7 This problem appears to be an issue between target_cmd_interrupted() and compare_and_write_callback(). target_cmd_interrupted() calls the se_cmd's transport_complete_callback function pointer if the se_cmd is being stopped or aborted, and CMD_T_ABORTED was set on the se_cmd. When calling compare_and_write_callback(), the success parameter was set to false. target_cmd_interrupted() seems to expect this means the callback will do cleanup that does not require a process context. But compare_and_write_callback() ignores the parameter if there was I/O done for the compare part of COMPARE_AND_WRITE. Since there was data, the function continued on, passed the compare, and issued a write while ignoring the value of the success parameter. The submit of a bio for the write portion of the COMPARE_AND_WRITE then causes schedule to be unsafely called from the softirq context. Fix the bug in compare_and_write_callback by jumping to the out label if success == "false", after checking if we have been called by transport_generic_request_failure(); The command is being aborted or stopped so there is no need to submit the write bio for the write part of the COMPARE_AND_WRITE command. Signed-off-by:
Maurizio Lombardi <mlombard@redhat.com> Link: https://lore.kernel.org/r/20221121092703.316489-1-mlombard@redhat.comReviewed-by:
-
Maurizio Lombardi authored
In case a malicious initiator sends some random data immediately after a login PDU; the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are required to complete the login). The login has been completed but the login_work function will find the LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling itself; at this point, if the initiator drops the connection, the iscsit_conn structure will be freed, login_work will dereference a released socket structure and the kernel crashes. BUG: kernel NULL pointer dereference, address: 0000000000000230 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] RIP: 0010:_raw_read_lock_bh+0x15/0x30 Call trace: iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod] process_one_work+0x1e8/0x3c0 Fix this bug by forcing login_work to stop after the login has been completed and the socket callbacks have been restored. Add a comment to clearify the return values of iscsi_target_do_login() Signed-off-by:
-
Anastasia Kovaleva authored
To determine how many blocks sends in one command, the minimum value is selected from the hw_max_sectors of both devices. In target_xcopy_do_work, hw_max_sectors are used as blocks, not sectors; it also ignores the fact that sectors can be of different sizes, for example 512 and 4096 bytes. Because of this, a number of blocks can be transmitted that the device will not be able to accept. Change the selection of max transmission size into bytes. Reviewed-by:
Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by:
Dmitriy Bogdanov <d.bogdanov@yadro.com> Signed-off-by:
Anastasia Kovaleva <a.kovaleva@yadro.com> Link: https://lore.kernel.org/r/20221114102500.88892-4-a.kovaleva@yadro.comReviewed-by:
-
Anastasia Kovaleva authored
By default, hw_max_sectors stores its value in 512 blocks in iblock, despite the fact that the block size can be 4096 bytes. Change hw_max_sectors to store the number of sectors in hw_block_size blocks. Reviewed-by:
-
Anastasia Kovaleva authored
A MAXIMUM TRANSFER LENGTH value indicates the maximum transfer length in logical blocks that the device server accepts for a single command. Fix function sending the length in sectors instead of blocks. This patch also removes the special casing for fileio in block_size_store since this logic in now unified in spc_emulate_evpd_b0() for all backends. Reviewed-by:
-
Thomas Gleixner authored
Nothing in this file needs anything from linux/msi.h Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20221113202428.436270297@linutronix.de Cc: James Smart <james.smart@broadcom.com> Cc: Dick Kennedy <dick.kennedy@broadcom.com> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: linux-scsi@vger.kernel.org Reviewed-by:
James Smart <jsmart2021@gmail.com> Signed-off-by:
-
Justin Tee authored
Update lpfc version to 14.2.0.9. Signed-off-by:
Justin Tee <justin.tee@broadcom.com> Link: https://lore.kernel.org/r/20221116011921.105995-7-justintee8345@gmail.comSigned-off-by:
-
- 17 Nov, 2022 17 commits
-
-
Justin Tee authored
When a FLOGI completes with a sequence timeout error, a freed kref ptr dereference crash can occur due to a timing race involving ndlp referencing in lpfc_dev_loss_tmo_callbk. Fix by ensuring the driver accounts for an outstanding FLOGI when dev_loss is active. Also, don't remove the HBA_FLOGI_OUTSTANDING flag when the FLOGI is retried to allow the driver to handle the reference counts correctly in lpfc_dev_loss_tmo_handler. Reported-by:
Dietmar Hahn <dietmar.hahn@fujitsu.com> Tested-by:
-
Justin Tee authored
The dynamic mi_ver value holds the currently configured MI setting. mi_ver was being displayed as part of the cmf_info sysfs attribute, when the output string meant to display MI capabilities instead. Add a mi_cap member in the lpfc_pc_sli4_params structure that will store MI capabilities during initialization so that cmf_info prints out capabilities instead of current configuration. Signed-off-by:
-
Justin Tee authored
The lpfc_cmf_timer adjusts phba->cmf_link_byte_count periodically and can artifically inflate bandwidth percent. During bandwidth calculation, correct for this by setting a cap of logging a maximum of 100%. Bandwidth calculation is only used for display under LOG_CGN_MGMT so there is no expectation of impacts on performance. Signed-off-by:
-
Justin Tee authored
Adapter configurations with limited EQ resources may fail to initialize. Firmware resources are queried in lpfc_sli4_read_config(). The driver parameters cfg_irq_chann and cfg_hdw_queue are adjusted from defaults if constrained by firmware resources. The minimum resource check includes a special allocation for queues such as ELS, MBOX, NVME LS. However the additional reservation was also incorrectly applied to EQ resources. Reordered WQ|CQ|EQ resource checks to apply the special allocation adjustment to WQ and CQ resources only. Signed-off-by:
-
Gustavo A. R. Silva authored
One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element array with flexible-array member in struct fdmi_attr_s. Important to mention is that doing a build before/after this patch results in no binary output differences. This helps with the ongoing efforts to tighten the FORTIFY_SOURCE routines on memcpy() and help us make progress towards globally enabling -fstrict-flex-arrays=3 [1]. Link: https://github.com/KSPP/linux/issues/209 Link: https://github.com/KSPP/linux/issues/79 Link: https://gcc.gnu.org/pipermail/gcc-patches/2022-October/602902.html [1] Signed-off-by:
Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/Y3P1rEEBq7HzJygq@workReviewed-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
-
Colin Ian King authored
Variable ev_qual is being assigned and modified but the end result is never used. The variable is redundant and can be removed. Signed-off-by:
Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20221111170824.558250-1-colin.i.king@gmail.comSigned-off-by:
-
Xiu Jianfeng authored
Use memset_startat() helper to simplify the code, no functional changes in this patch. Signed-off-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Link: https://lore.kernel.org/r/20221111074310.132125-1-xiujianfeng@huawei.comReviewed-by:
-
Harshit Mogalapalli authored
As 'lbdof_blen' is coming from user, if the size in kzalloc() is >= MAX_ORDER then we hit a warning. Call trace: sg_ioctl sg_ioctl_common scsi_ioctl sg_scsi_ioctl blk_execute_rq blk_mq_sched_insert_request blk_mq_run_hw_queue __blk_mq_delay_run_hw_queue __blk_mq_run_hw_queue blk_mq_sched_dispatch_requests __blk_mq_sched_dispatch_requests blk_mq_dispatch_rq_list scsi_queue_rq scsi_dispatch_cmd scsi_debug_queuecommand schedule_resp resp_write_scat If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc() will definitely fail. It creates a stack trace and messes up dmesg. The user controls the size here so if they specify a too large size it will fail. Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch. Fixes: 481b5e5c ("scsi: scsi_debug: add resp_write_scat function") Signed-off-by:Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Link: https://lore.kernel.org/r/20221111100526.1790533-1-harshit.m.mogalapalli@oracle.comAcked-by:
Douglas Gilbert <dgilbert@interlog.com> Signed-off-by:
-
Don Brace authored
Reviewed-by:
Scott Benesh <scott.benesh@microchip.com> Reviewed-by:
Scott Teel <scott.teel@microchip.com> Reviewed-by:
Gerry Morong <gerry.morong@microchip.com> Reviewed-by:
Kevin Barnett <kevin.barnett@microchip.com> Signed-off-by:
Don Brace <don.brace@microchip.com> Link: https://lore.kernel.org/r/166793533417.322537.3074216622272955440.stgit@brunhildaSigned-off-by:
-
Don Brace authored
Initialize features to 0 before processing. Reviewed-by:
Mike Mcgowan <mike.mcgowan@microchip.com> Reviewed-by:
-
Gilbert Wu authored
Add in a call to flush the controller cache during driver removal. Reviewed-by:
Gilbert Wu <Gilbert.Wu@microchip.com> Signed-off-by:
-
Kumar Meiyappan authored
Correct device count for multi-actuator drives which can cause kernel panics. Reviewed-by:
Kumar Meiyappan <Kumar.Meiyappan@microchip.com> Signed-off-by:
-
Kevin Barnett authored
Change the sysfs raid_level attribute from "RAID-0" to N/A. Reviewed-by:
-
Kevin Barnett authored
Correct maximum LUN number for multi-actuator devices. When multi-actuator support was added to smartpqi, the maximum number of LUNs supported for multi-actuator devices was supposed to be changed from unlimited to 256, but the setting was inadvertently left at unlimited. Reviewed-by:
-
Mike McGowen authored
All PCI ID entries in Hex. Add PCI IDs for ByteDance controllers: VID / DID / SVID / SDID ---- ---- ---- ---- ByteHBA JGH43024-8 9005 / 028f / 1e93 / 1000 ByteHBA JGH43034-8 9005 / 028f / 1e93 / 1001 ByteHBA JGH44014-8 9005 / 028f / 1e93 / 1002 Add PCI IDs for new Inspur controllers: VID / DID / SVID / SDID ---- ---- ---- ---- INSPUR RT0800M7E 9005 / 028f / 1bd4 / 0086 INSPUR RT0800M7H 9005 / 028f / 1bd4 / 0087 INSPUR RT0804M7R 9005 / 028f / 1bd4 / 0088 INSPUR RT0808M7R 9005 / 028f / 1bd4 / 0089 Add PCI IDs for new FAB A controllers: VID / DID / SVID / SDID ---- ---- ---- ---- Adaptec SmartRAID 3254-16e /e 9005 / 028f / 9005 / 1475 Adaptec HBA 1200-16e 9005 / 028f / 9005 / 14c3 Adaptec HBA 1200-8e 9005 / 028f / 9005 / 14c4 Add H3C controller PCI IDs: VID / DID / SVID / SDID ---- ---- ---- ---- H3C H4508-Mf-8i 9005 / 028f / 193d / 110b Reviewed-by:Mike McGowen <mike.mcgowen@microchip.com> Signed-off-by:
-
Don Brace authored
Add support for host_tagset. Also move the reserved command slots to the end of the pool to eliminate an addition operation for every SCSI request. This patch was originally authored by Hannes Reinecke here: Link: https://lore.kernel.org/linux-block/20191126131009.71726-8-hare@suse.de/ But we NAKed this patch because we wanted to fully test multipath failover operations. Suggested-by:
Hannes Reinecke <hare@suse.de> Reviewed-by:
Mahesh Rajashekhara <Mahesh.Rajashekhara@microchip.com> Reviewed-by:
-
Colin Ian King authored
Pointer lp is being initialized and incremented but the result is never read. The pointer is redundant and can be removed. Once lp is removed, pcmd is not longer used. So remove pcmd as well Signed-off-by:
-
- 08 Nov, 2022 10 commits
-
-
Christophe JAILLET authored
strtobool() is the same as kstrtobool(). However, the latter is more used within the kernel. In order to remove strtobool() and slightly simplify kstrtox.h, switch to the other function name. While at it, include the corresponding header file (<linux/kstrtox.h>) Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Link: https://lore.kernel.org/r/fcddc0a53b4fc6e3c2e93592d3f61c5c63121855.1667336095.git.christophe.jaillet@wanadoo.frReviewed-by:
Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by:
-
Colin Ian King authored
Variable 'unit_serial_len' is just being assigned and it's never used anywhere else. Remove it. Signed-off-by:
-
Colin Ian King authored
Variable 'n' is just being incremented and it's never used anywhere else. Remove it. Signed-off-by:
-
Colin Ian King authored
Variable 'found_devs' is just being incremented and it's never used anywhere else. Remove it. Signed-off-by:
-
Bart Van Assche authored
Fix the following two compiler warnings: drivers/scsi/qla2xxx/qla_init.c: In function ‘qla24xx_async_abort_cmd’: drivers/scsi/qla2xxx/qla_init.c:171:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable] 171 | uint8_t bail; | ^~~~ drivers/scsi/qla2xxx/qla_init.c: In function ‘qla2x00_async_tm_cmd’: drivers/scsi/qla2xxx/qla_init.c:2023:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable] 2023 | uint8_t bail; | ^~~~ Cc: Arun Easi <arun.easi@qlogic.com> Cc: Giridhar Malavali <giridhar.malavali@qlogic.com> Fixes: feafb7b1 ("[SCSI] qla2xxx: Fix vport delete issues") Signed-off-by:Bart Van Assche <bvanassche@acm.org> Link: https://lore.kernel.org/r/20221031224818.2607882-1-bvanassche@acm.orgSigned-off-by:
-
Bart Van Assche authored
Since commit f93ed747 ("scsi: core: Release SCSI devices synchronously") it is no longer allowed to call scsi_device_put() from atomic context. Rework bfad_reset_sdev_bflags() such that scsi_device_put() is no longer called. This fixes the following smatch warning: drivers/scsi/bfa/bfad_bsg.c:2551 bfad_iocmd_lunmask_reset_lunscan_mode() warn: sleeping in atomic context bfad_iocmd_lunmask() <- disables preempt -> bfad_iocmd_lunmask_reset_lunscan_mode() -> scsi_device_put() Cc: Anil Gurumurthy <anil.gurumurthy@qlogic.com> Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Bart Van Assche authored
Before modifying bfad_reset_sdev_bflags(), convert it from a macro into a function. Cc: Anil Gurumurthy <anil.gurumurthy@qlogic.com> Cc: Sudarsana Kalluru <sudarsana.kalluru@qlogic.com> Signed-off-by:
-
Bart Van Assche authored
Move a scsi_device_put() call from alua_rtpg_select_sdev() to its callers. Fixes the following smatch complaint: drivers/scsi/device_handler/scsi_dh_alua.c:853 alua_rtpg_select_sdev() warn: sleeping in atomic context alua_rtpg_work() <- disables preempt -> alua_rtpg_select_sdev() -> scsi_device_put() Cc: Hannes Reinecke <hare@suse.de> Cc: Dan Carpenter <dan.carpenter@oracle.com> Reported-by:
-
Bart Van Assche authored
Fix the following smatch warning: drivers/scsi/device_handler/scsi_dh_alua.c:1013 alua_rtpg_queue() warn: sleeping in atomic context alua_check_vpd() <- disables preempt -> alua_rtpg_queue() -> scsi_device_put() Cc: Hannes Reinecke <hare@suse.de> Cc: Dan Carpenter <dan.carpenter@oracle.com> Reported-by:
-
Keoseong Park authored
Commit 68078d5c ("[SCSI] ufs: Set fDeviceInit flag to initiate device initialization") added check_upiu_size(), but no caller. Cc: Dolev Raviv <draviv@codeaurora.org> Link: https://lore.kernel.org/r/20221103055349epcms2p338f2550c2dd78d00231a83b24719a3d4@epcms2p3Signed-off-by:
Keoseong Park <keosung.park@samsung.com> Reviewed-by:
Avri Altman <avri.altman@wdc.com> Signed-off-by:
-
