tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"Six small fixes.

Four in drivers and the two core changes should be read together as a
correction to a prior iorequest_cnt fix that exposed us to a potential
use after free"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"
scsi: storvsc: Don't pass unused PFNs to Hyper-V host
scsi: ufs: core: Fix MCQ nr_hw_queues
scsi: ufs: core: Rename symbol sizeof_utp_transfer_cmd_desc()
scsi: ufs: core: Fix MCQ tag calculation

Linus Torvalds 5565ec4e a5948745

+17 -13
+4 -1
drivers/scsi/scsi_lib.c
··· 1463 1463 struct Scsi_Host *host = cmd->device->host; 1464 1464 int rtn = 0; 1465 1465 1466 + atomic_inc(&cmd->device->iorequest_cnt); 1467 + 1466 1468 /* check if the device is still usable */ 1467 1469 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { 1468 1470 /* in SDEV_DEL we error all commands. DID_NO_CONNECT ··· 1485 1483 */ 1486 1484 SCSI_LOG_MLQUEUE(3, scmd_printk(KERN_INFO, cmd, 1487 1485 "queuecommand : device blocked\n")); 1486 + atomic_dec(&cmd->device->iorequest_cnt); 1488 1487 return SCSI_MLQUEUE_DEVICE_BUSY; 1489 1488 } 1490 1489 ··· 1518 1515 trace_scsi_dispatch_cmd_start(cmd); 1519 1516 rtn = host->hostt->queuecommand(host, cmd); 1520 1517 if (rtn) { 1518 + atomic_dec(&cmd->device->iorequest_cnt); 1521 1519 trace_scsi_dispatch_cmd_error(cmd, rtn); 1522 1520 if (rtn != SCSI_MLQUEUE_DEVICE_BUSY && 1523 1521 rtn != SCSI_MLQUEUE_TARGET_BUSY) ··· 1765 1761 goto out_dec_host_busy; 1766 1762 } 1767 1763 1768 - atomic_inc(&cmd->device->iorequest_cnt); 1769 1764 return BLK_STS_OK; 1770 1765 1771 1766 out_dec_host_busy:
+4 -4
drivers/scsi/storvsc_drv.c
··· 1780 1780 1781 1781 length = scsi_bufflen(scmnd); 1782 1782 payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb; 1783 - payload_sz = sizeof(cmd_request->mpb); 1783 + payload_sz = 0; 1784 1784 1785 1785 if (scsi_sg_count(scmnd)) { 1786 1786 unsigned long offset_in_hvpg = offset_in_hvpage(sgl->offset); ··· 1789 1789 unsigned long hvpfn, hvpfns_to_add; 1790 1790 int j, i = 0, sg_count; 1791 1791 1792 - if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { 1792 + payload_sz = (hvpg_count * sizeof(u64) + 1793 + sizeof(struct vmbus_packet_mpb_array)); 1793 1794 1794 - payload_sz = (hvpg_count * sizeof(u64) + 1795 - sizeof(struct vmbus_packet_mpb_array)); 1795 + if (hvpg_count > MAX_PAGE_BUFFER_COUNT) { 1796 1796 payload = kzalloc(payload_sz, GFP_ATOMIC); 1797 1797 if (!payload) 1798 1798 return SCSI_MLQUEUE_DEVICE_BUSY;
+3 -2
drivers/ufs/core/ufs-mcq.c
··· 150 150 u32 hba_maxq, rem, tot_queues; 151 151 struct Scsi_Host *host = hba->host; 152 152 153 - hba_maxq = FIELD_GET(MAX_QUEUE_SUP, hba->mcq_capabilities); 153 + /* maxq is 0 based value */ 154 + hba_maxq = FIELD_GET(MAX_QUEUE_SUP, hba->mcq_capabilities) + 1; 154 155 155 156 tot_queues = UFS_MCQ_NUM_DEV_CMD_QUEUES + read_queues + poll_queues + 156 157 rw_queues; ··· 266 265 addr = (le64_to_cpu(cqe->command_desc_base_addr) & CQE_UCD_BA) - 267 266 hba->ucdl_dma_addr; 268 267 269 - return div_u64(addr, sizeof(struct utp_transfer_cmd_desc)); 268 + return div_u64(addr, ufshcd_get_ucd_size(hba)); 270 269 } 271 270 272 271 static void ufshcd_mcq_process_cqe(struct ufs_hba *hba,
+5 -5
drivers/ufs/core/ufshcd.c
··· 2849 2849 static void ufshcd_init_lrb(struct ufs_hba *hba, struct ufshcd_lrb *lrb, int i) 2850 2850 { 2851 2851 struct utp_transfer_cmd_desc *cmd_descp = (void *)hba->ucdl_base_addr + 2852 - i * sizeof_utp_transfer_cmd_desc(hba); 2852 + i * ufshcd_get_ucd_size(hba); 2853 2853 struct utp_transfer_req_desc *utrdlp = hba->utrdl_base_addr; 2854 2854 dma_addr_t cmd_desc_element_addr = hba->ucdl_dma_addr + 2855 - i * sizeof_utp_transfer_cmd_desc(hba); 2855 + i * ufshcd_get_ucd_size(hba); 2856 2856 u16 response_offset = offsetof(struct utp_transfer_cmd_desc, 2857 2857 response_upiu); 2858 2858 u16 prdt_offset = offsetof(struct utp_transfer_cmd_desc, prd_table); ··· 3761 3761 size_t utmrdl_size, utrdl_size, ucdl_size; 3762 3762 3763 3763 /* Allocate memory for UTP command descriptors */ 3764 - ucdl_size = sizeof_utp_transfer_cmd_desc(hba) * hba->nutrs; 3764 + ucdl_size = ufshcd_get_ucd_size(hba) * hba->nutrs; 3765 3765 hba->ucdl_base_addr = dmam_alloc_coherent(hba->dev, 3766 3766 ucdl_size, 3767 3767 &hba->ucdl_dma_addr, ··· 3861 3861 prdt_offset = 3862 3862 offsetof(struct utp_transfer_cmd_desc, prd_table); 3863 3863 3864 - cmd_desc_size = sizeof_utp_transfer_cmd_desc(hba); 3864 + cmd_desc_size = ufshcd_get_ucd_size(hba); 3865 3865 cmd_desc_dma_addr = hba->ucdl_dma_addr; 3866 3866 3867 3867 for (i = 0; i < hba->nutrs; i++) { ··· 8452 8452 { 8453 8453 size_t ucdl_size, utrdl_size; 8454 8454 8455 - ucdl_size = sizeof(struct utp_transfer_cmd_desc) * nutrs; 8455 + ucdl_size = ufshcd_get_ucd_size(hba) * nutrs; 8456 8456 dmam_free_coherent(hba->dev, ucdl_size, hba->ucdl_base_addr, 8457 8457 hba->ucdl_dma_addr); 8458 8458
+1 -1
include/ufs/ufshcd.h
··· 1133 1133 ({ (void)(hba); BUILD_BUG_ON(sg_entry_size != sizeof(struct ufshcd_sg_entry)); }) 1134 1134 #endif 1135 1135 1136 - static inline size_t sizeof_utp_transfer_cmd_desc(const struct ufs_hba *hba) 1136 + static inline size_t ufshcd_get_ucd_size(const struct ufs_hba *hba) 1137 1137 { 1138 1138 return sizeof(struct utp_transfer_cmd_desc) + SG_ALL * ufshcd_sg_entry_size(hba); 1139 1139 }