tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
"Seven fixes, six of which are fairly obvious driver fixes.

The one core change to the device budget depth is to try to ensure
that if the default depth is large (which can produce quite a sizeable
bitmap allocation per device), we give back the memory we don't need
if there's a queue size reduction in slave_configure (which happens to
a lot of devices)"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: hisi_sas: Fix setting of hisi_sas_slot.is_internal
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
scsi: pm8001: Fix use-after-free for aborted TMF sas_task
scsi: pm8001: Fix warning for undescribed param in process_one_iomb()
scsi: core: Reallocate device's budget map on queue depth change
scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe
scsi: pm80xx: Fix double completion for SATA devices

Linus Torvalds fc93310c e09e1a40

+77 -67
+13 -8
drivers/scsi/bnx2fc/bnx2fc_fcoe.c
··· 508 508 509 509 static void bnx2fc_recv_frame(struct sk_buff *skb) 510 510 { 511 - u32 fr_len; 511 + u64 crc_err; 512 + u32 fr_len, fr_crc; 512 513 struct fc_lport *lport; 513 514 struct fcoe_rcv_info *fr; 514 515 struct fc_stats *stats; ··· 542 541 fh = (struct fc_frame_header *) skb_transport_header(skb); 543 542 skb_pull(skb, sizeof(struct fcoe_hdr)); 544 543 fr_len = skb->len - sizeof(struct fcoe_crc_eof); 544 + 545 + stats = per_cpu_ptr(lport->stats, get_cpu()); 546 + stats->RxFrames++; 547 + stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; 548 + put_cpu(); 545 549 546 550 fp = (struct fc_frame *)skb; 547 551 fc_frame_init(fp); ··· 630 624 return; 631 625 } 632 626 633 - stats = per_cpu_ptr(lport->stats, smp_processor_id()); 634 - stats->RxFrames++; 635 - stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; 627 + fr_crc = le32_to_cpu(fr_crc(fp)); 636 628 637 - if (le32_to_cpu(fr_crc(fp)) != 638 - ~crc32(~0, skb->data, fr_len)) { 639 - if (stats->InvalidCRCCount < 5) 629 + if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) { 630 + stats = per_cpu_ptr(lport->stats, get_cpu()); 631 + crc_err = (stats->InvalidCRCCount++); 632 + put_cpu(); 633 + if (crc_err < 5) 640 634 printk(KERN_WARNING PFX "dropping frame with " 641 635 "CRC error\n"); 642 - stats->InvalidCRCCount++; 643 636 kfree_skb(skb); 644 637 return; 645 638 }
+6 -8
drivers/scsi/hisi_sas/hisi_sas_main.c
··· 400 400 struct hisi_sas_slot *slot, 401 401 struct hisi_sas_dq *dq, 402 402 struct hisi_sas_device *sas_dev, 403 - struct hisi_sas_internal_abort *abort, 404 - struct hisi_sas_tmf_task *tmf) 403 + struct hisi_sas_internal_abort *abort) 405 404 { 406 405 struct hisi_sas_cmd_hdr *cmd_hdr_base; 407 406 int dlvry_queue_slot, dlvry_queue; ··· 426 427 cmd_hdr_base = hisi_hba->cmd_hdr[dlvry_queue]; 427 428 slot->cmd_hdr = &cmd_hdr_base[dlvry_queue_slot]; 428 429 429 - slot->tmf = tmf; 430 - slot->is_internal = tmf; 431 430 task->lldd_task = slot; 432 431 433 432 memset(slot->cmd_hdr, 0, sizeof(struct hisi_sas_cmd_hdr)); ··· 584 587 slot->is_internal = tmf; 585 588 586 589 /* protect task_prep and start_delivery sequence */ 587 - hisi_sas_task_deliver(hisi_hba, slot, dq, sas_dev, NULL, tmf); 590 + hisi_sas_task_deliver(hisi_hba, slot, dq, sas_dev, NULL); 588 591 589 592 return 0; 590 593 ··· 1377 1380 struct hisi_hba *hisi_hba = dev_to_hisi_hba(device); 1378 1381 struct device *dev = hisi_hba->dev; 1379 1382 int s = sizeof(struct host_to_dev_fis); 1383 + struct hisi_sas_tmf_task tmf = {}; 1380 1384 1381 1385 ata_for_each_link(link, ap, EDGE) { 1382 1386 int pmp = sata_srst_pmp(link); 1383 1387 1384 1388 hisi_sas_fill_ata_reset_cmd(link->device, 1, pmp, fis); 1385 - rc = hisi_sas_exec_internal_tmf_task(device, fis, s, NULL); 1389 + rc = hisi_sas_exec_internal_tmf_task(device, fis, s, &tmf); 1386 1390 if (rc != TMF_RESP_FUNC_COMPLETE) 1387 1391 break; 1388 1392 } ··· 1394 1396 1395 1397 hisi_sas_fill_ata_reset_cmd(link->device, 0, pmp, fis); 1396 1398 rc = hisi_sas_exec_internal_tmf_task(device, fis, 1397 - s, NULL); 1399 + s, &tmf); 1398 1400 if (rc != TMF_RESP_FUNC_COMPLETE) 1399 1401 dev_err(dev, "ata disk %016llx de-reset failed\n", 1400 1402 SAS_ADDR(device->sas_addr)); ··· 2065 2067 slot->port = port; 2066 2068 slot->is_internal = true; 2067 2069 2068 - hisi_sas_task_deliver(hisi_hba, slot, dq, sas_dev, abort, NULL); 2070 + hisi_sas_task_deliver(hisi_hba, slot, dq, sas_dev, abort); 2069 2071 2070 2072 return 0; 2071 2073
-18
drivers/scsi/pm8001/pm8001_hwi.c
··· 2692 2692 u32 tag = le32_to_cpu(psataPayload->tag); 2693 2693 u32 port_id = le32_to_cpu(psataPayload->port_id); 2694 2694 u32 dev_id = le32_to_cpu(psataPayload->device_id); 2695 - unsigned long flags; 2696 2695 2697 2696 if (event) 2698 2697 pm8001_dbg(pm8001_ha, FAIL, "SATA EVENT 0x%x\n", event); ··· 2723 2724 ts->resp = SAS_TASK_COMPLETE; 2724 2725 ts->stat = SAS_DATA_OVERRUN; 2725 2726 ts->residual = 0; 2726 - if (pm8001_dev) 2727 - atomic_dec(&pm8001_dev->running_req); 2728 2727 break; 2729 2728 case IO_XFER_ERROR_BREAK: 2730 2729 pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_BREAK\n"); ··· 2764 2767 IO_OPEN_CNX_ERROR_IT_NEXUS_LOSS); 2765 2768 ts->resp = SAS_TASK_COMPLETE; 2766 2769 ts->stat = SAS_QUEUE_FULL; 2767 - pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); 2768 2770 return; 2769 2771 } 2770 2772 break; ··· 2848 2852 ts->resp = SAS_TASK_COMPLETE; 2849 2853 ts->stat = SAS_OPEN_TO; 2850 2854 break; 2851 - } 2852 - spin_lock_irqsave(&t->task_state_lock, flags); 2853 - t->task_state_flags &= ~SAS_TASK_STATE_PENDING; 2854 - t->task_state_flags &= ~SAS_TASK_AT_INITIATOR; 2855 - t->task_state_flags |= SAS_TASK_STATE_DONE; 2856 - if (unlikely((t->task_state_flags & SAS_TASK_STATE_ABORTED))) { 2857 - spin_unlock_irqrestore(&t->task_state_lock, flags); 2858 - pm8001_dbg(pm8001_ha, FAIL, 2859 - "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", 2860 - t, event, ts->resp, ts->stat); 2861 - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 2862 - } else { 2863 - spin_unlock_irqrestore(&t->task_state_lock, flags); 2864 - pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); 2865 2855 } 2866 2856 } 2867 2857
+5
drivers/scsi/pm8001/pm8001_sas.c
··· 769 769 res = -TMF_RESP_FUNC_FAILED; 770 770 /* Even TMF timed out, return direct. */ 771 771 if (task->task_state_flags & SAS_TASK_STATE_ABORTED) { 772 + struct pm8001_ccb_info *ccb = task->lldd_task; 773 + 772 774 pm8001_dbg(pm8001_ha, FAIL, "TMF task[%x]timeout.\n", 773 775 tmf->tmf); 776 + 777 + if (ccb) 778 + ccb->task = NULL; 774 779 goto ex_err; 775 780 } 776 781
+3 -28
drivers/scsi/pm8001/pm80xx_hwi.c
··· 2185 2185 pm8001_dbg(pm8001_ha, FAIL, 2186 2186 "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", 2187 2187 t, status, ts->resp, ts->stat); 2188 + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 2188 2189 if (t->slow_task) 2189 2190 complete(&t->slow_task->completion); 2190 - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 2191 2191 } else { 2192 2192 spin_unlock_irqrestore(&t->task_state_lock, flags); 2193 2193 pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); ··· 2794 2794 pm8001_dbg(pm8001_ha, FAIL, 2795 2795 "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", 2796 2796 t, status, ts->resp, ts->stat); 2797 + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 2797 2798 if (t->slow_task) 2798 2799 complete(&t->slow_task->completion); 2799 - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 2800 2800 } else { 2801 2801 spin_unlock_irqrestore(&t->task_state_lock, flags); 2802 2802 spin_unlock_irqrestore(&circularQ->oq_lock, ··· 2821 2821 u32 tag = le32_to_cpu(psataPayload->tag); 2822 2822 u32 port_id = le32_to_cpu(psataPayload->port_id); 2823 2823 u32 dev_id = le32_to_cpu(psataPayload->device_id); 2824 - unsigned long flags; 2825 2824 2826 2825 if (event) 2827 2826 pm8001_dbg(pm8001_ha, FAIL, "SATA EVENT 0x%x\n", event); ··· 2853 2854 ts->resp = SAS_TASK_COMPLETE; 2854 2855 ts->stat = SAS_DATA_OVERRUN; 2855 2856 ts->residual = 0; 2856 - if (pm8001_dev) 2857 - atomic_dec(&pm8001_dev->running_req); 2858 2857 break; 2859 2858 case IO_XFER_ERROR_BREAK: 2860 2859 pm8001_dbg(pm8001_ha, IO, "IO_XFER_ERROR_BREAK\n"); ··· 2901 2904 IO_OPEN_CNX_ERROR_IT_NEXUS_LOSS); 2902 2905 ts->resp = SAS_TASK_COMPLETE; 2903 2906 ts->stat = SAS_QUEUE_FULL; 2904 - spin_unlock_irqrestore(&circularQ->oq_lock, 2905 - circularQ->lock_flags); 2906 - pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); 2907 - spin_lock_irqsave(&circularQ->oq_lock, 2908 - circularQ->lock_flags); 2909 2907 return; 2910 2908 } 2911 2909 break; ··· 2999 3007 ts->resp = SAS_TASK_COMPLETE; 3000 3008 ts->stat = SAS_OPEN_TO; 3001 3009 break; 3002 - } 3003 - spin_lock_irqsave(&t->task_state_lock, flags); 3004 - t->task_state_flags &= ~SAS_TASK_STATE_PENDING; 3005 - t->task_state_flags &= ~SAS_TASK_AT_INITIATOR; 3006 - t->task_state_flags |= SAS_TASK_STATE_DONE; 3007 - if (unlikely((t->task_state_flags & SAS_TASK_STATE_ABORTED))) { 3008 - spin_unlock_irqrestore(&t->task_state_lock, flags); 3009 - pm8001_dbg(pm8001_ha, FAIL, 3010 - "task 0x%p done with io_status 0x%x resp 0x%x stat 0x%x but aborted by upper layer!\n", 3011 - t, event, ts->resp, ts->stat); 3012 - pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); 3013 - } else { 3014 - spin_unlock_irqrestore(&t->task_state_lock, flags); 3015 - spin_unlock_irqrestore(&circularQ->oq_lock, 3016 - circularQ->lock_flags); 3017 - pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); 3018 - spin_lock_irqsave(&circularQ->oq_lock, 3019 - circularQ->lock_flags); 3020 3010 } 3021 3011 } 3022 3012 ··· 3905 3931 /** 3906 3932 * process_one_iomb - process one outbound Queue memory block 3907 3933 * @pm8001_ha: our hba card information 3934 + * @circularQ: outbound circular queue 3908 3935 * @piomb: IO message buffer 3909 3936 */ 3910 3937 static void process_one_iomb(struct pm8001_hba_info *pm8001_ha,
+50 -5
drivers/scsi/scsi_scan.c
··· 214 214 SCSI_TIMEOUT, 3, NULL); 215 215 } 216 216 217 + static int scsi_realloc_sdev_budget_map(struct scsi_device *sdev, 218 + unsigned int depth) 219 + { 220 + int new_shift = sbitmap_calculate_shift(depth); 221 + bool need_alloc = !sdev->budget_map.map; 222 + bool need_free = false; 223 + int ret; 224 + struct sbitmap sb_backup; 225 + 226 + /* 227 + * realloc if new shift is calculated, which is caused by setting 228 + * up one new default queue depth after calling ->slave_configure 229 + */ 230 + if (!need_alloc && new_shift != sdev->budget_map.shift) 231 + need_alloc = need_free = true; 232 + 233 + if (!need_alloc) 234 + return 0; 235 + 236 + /* 237 + * Request queue has to be frozen for reallocating budget map, 238 + * and here disk isn't added yet, so freezing is pretty fast 239 + */ 240 + if (need_free) { 241 + blk_mq_freeze_queue(sdev->request_queue); 242 + sb_backup = sdev->budget_map; 243 + } 244 + ret = sbitmap_init_node(&sdev->budget_map, 245 + scsi_device_max_queue_depth(sdev), 246 + new_shift, GFP_KERNEL, 247 + sdev->request_queue->node, false, true); 248 + if (need_free) { 249 + if (ret) 250 + sdev->budget_map = sb_backup; 251 + else 252 + sbitmap_free(&sb_backup); 253 + ret = 0; 254 + blk_mq_unfreeze_queue(sdev->request_queue); 255 + } 256 + return ret; 257 + } 258 + 217 259 /** 218 260 * scsi_alloc_sdev - allocate and setup a scsi_Device 219 261 * @starget: which target to allocate a &scsi_device for ··· 348 306 * default device queue depth to figure out sbitmap shift 349 307 * since we use this queue depth most of times. 350 308 */ 351 - if (sbitmap_init_node(&sdev->budget_map, 352 - scsi_device_max_queue_depth(sdev), 353 - sbitmap_calculate_shift(depth), 354 - GFP_KERNEL, sdev->request_queue->node, 355 - false, true)) { 309 + if (scsi_realloc_sdev_budget_map(sdev, depth)) { 356 310 put_device(&starget->dev); 357 311 kfree(sdev); 358 312 goto out; ··· 1055 1017 } 1056 1018 return SCSI_SCAN_NO_RESPONSE; 1057 1019 } 1020 + 1021 + /* 1022 + * The queue_depth is often changed in ->slave_configure. 1023 + * Set up budget map again since memory consumption of 1024 + * the map depends on actual queue depth. 1025 + */ 1026 + scsi_realloc_sdev_budget_map(sdev, sdev->queue_depth); 1058 1027 } 1059 1028 1060 1029 if (sdev->scsi_level >= SCSI_3)