1. 02 Nov, 2016 1 commit
    • scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init · a5dd506e
      Bill Kuzeja committed
      A system can get hung task timeouts if a qlogic board fails during
      initialization (if the board breaks again or fails the init). The hang
      involves the scsi scan.
      
      In a nutshell, since commit beb9e315 ("qla2xxx: Prevent removal and
      board_disable race"):
      
      ...it is possible to have freed ha (base_vha->hw) early by a call to
      qla2x00_remove_one when pdev->enable_cnt equals zero:
      
             if (!atomic_read(&pdev->enable_cnt)) {
                     scsi_host_put(base_vha->host);
                     kfree(ha);
                     pci_set_drvdata(pdev, NULL);
                     return;
      
      Almost always, the scsi_host_put above frees the vha structure
      (attached to the end of the Scsi_Host we're putting) since it's the last
      put, and life is good.  However, if we are entering this routine because
      the adapter has broken sometime during initialization AND a scsi scan is
      already in progress (and has done its own scsi_host_get), vha will not
      be freed. What's worse, the scsi scan will access the freed ha structure
      through qla2xxx_scan_finished:
      
              if (time > vha->hw->loop_reset_delay * HZ)
                      return 1;
      
      The scsi scan keeps checking to see if a scan is complete by calling
      qla2xxx_scan_finished. There is a timeout value that limits the length
      of time a scan can take (hw->loop_reset_delay, usually set to 5
      seconds), but this definition is in the data structure (hw) that can get
      freed early.
      
      This can yield unpredictable results, the worst of which is that the
      scsi scan can hang indefinitely. This happens when the freed structure
      gets reused and loop_reset_delay gets overwritten with garbage, which
      the scan obliviously uses as its timeout value.
      
      The fix for this is simple: at the top of qla2xxx_scan_finished, check
      for the UNLOADING bit in the vha structure (_vha is not freed at this
      point).  If UNLOADING is set, we exit the scan for this adapter
      immediately. After this last reference to the ha structure, we'll exit
      the scan for this adapter, and continue on.
      
      This problem is hard to hit, but I have run into it doing negative
      testing many times now (with a test specifically designed to bring it
      out), so I can verify that this fix works. My testing has been against a
      RHEL7 driver variant, but the bug and patch are equally relevant to
      the upstream driver.
      
      Fixes: beb9e315 ("qla2xxx: Prevent removal and board_disable race")
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
      Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  2. 31 Aug, 2016 1 commit
  3. 09 Aug, 2016 1 commit
  4. 16 Jul, 2016 5 commits
  5. 24 Feb, 2016 2 commits
  6. 07 Feb, 2016 1 commit
    • qla2xxx: Fix stale pointer access. · cb43285f
      Quinn Tran committed
      [ Upstream Commit 84e32a06 ]
      
      Commit 84e32a06 ("qla2xxx: Use pci_enable_msix_range() instead of
      pci_enable_msix()") introduced a regression when target mode is enabled.
      In qla24xx_enable_msix(), ha->max_rsp_queues was incorrectly set
      to a value higher than the number of response queues allocated causing
      an invalid dereference. Specifically here in qla2x00_init_rings():
          *rsp->in_ptr = 0;
      
      Add an additional check to make sure the pointer is valid. The following
      call stack will be seen:
      
      ---- 8< ----
      RIP: 0010:[<ffffffffa02ccadc>]  [<ffffffffa02ccadc>] qla2x00_init_rings+0xdc/0x320 [qla2xxx]
      RSP: 0018:ffff880429447dd8  EFLAGS: 00010082
      ....
      Call Trace:
      [<ffffffffa02ceb40>] qla2x00_abort_isp+0x170/0x6b0 [qla2xxx]
      [<ffffffffa02c6f77>] qla2x00_do_dpc+0x357/0x7f0 [qla2xxx]
      [<ffffffffa02c6c20>] ? qla2x00_relogin+0x260/0x260 [qla2xxx]
      [<ffffffff8107d2c9>] kthread+0xc9/0xe0
      [<ffffffff8107d200>] ? flush_kthread_worker+0x90/0x90
      [<ffffffff8172cc6f>] ret_from_fork+0x3f/0x70
      [<ffffffff8107d200>] ? flush_kthread_worker+0x90/0x90
      ---- 8< ----
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
  7. 08 Jan, 2016 7 commits
  8. 19 Nov, 2015 1 commit
  9. 10 Nov, 2015 1 commit
  10. 27 Aug, 2015 7 commits
  11. 25 Jul, 2015 4 commits
  12. 13 Jun, 2015 1 commit
  13. 10 Apr, 2015 1 commit
  14. 07 Mar, 2015 2 commits
  15. 06 Jan, 2015 1 commit
    • qla2xxx: fix busy wait regression · 975f7d46
      Bruno Prémont committed
      Commit e05fe292 (qla2xxx: Honor FCP_RSP retry delay timer field.)
      causes systems to busy-wait for about 3 minutes after boot prior to
      detecting SAN disks.
      
      During this wait period one kworker is running full-time
      (though /proc/<pid>/stack has no useful data). Another kworker is
      waiting for IO to complete during that whole time period.
      
      Looking at drivers/scsi/qla2xxx/qla_os.c, fcport->retry_delay_timestamp
      has a special value of 0, though that 0 value forces the system to wait
      when jiffies is a very large value (e.g. 4294952605 - a "negative" value
      when signed on 32bit systems).
      Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
      Acked-by: Chad Dupuis <chad.dupuis@qlogic.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
  16. 04 Dec, 2014 1 commit
  17. 24 Nov, 2014 2 commits
  18. 12 Nov, 2014 1 commit
    • scsi: don't set tagging state from scsi_adjust_queue_depth · c8b09f6f
      Christoph Hellwig committed
      Remove the tagged argument from scsi_adjust_queue_depth, and just let it
      handle the queue depth.  For most drivers those two are fairly separate,
      given that most modern drivers don't care about the SCSI "tagged" status
      of a command at all, and many old drivers allow queuing of multiple
      untagged commands in the driver.
      
      Instead we start out with the ->simple_tags flag set before calling
      ->slave_configure, which is how all drivers actually looking at
      ->simple_tags except for one worked anyway.  The one other case looks
      broken, but I've kept the behavior as-is for now.
      
      Except for that we only change ->simple_tags from the ->change_queue_type,
      and when rejecting a tag message in a single driver, so keeping this
      churn out of scsi_adjust_queue_depth is a clear win.
      
      Now that the usage of scsi_adjust_queue_depth is more obvious we can
      also remove all the trivial instances in ->slave_alloc or ->slave_configure
      that just set it to the cmd_per_lun default.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
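
The jiffies arithmetic behind the busy-wait regression described in commit 975f7d46 above, as an added example that is not code from the driver or from the commit. It is a 32-bit userspace model: `time_after32`, `struct fcport_model` and the `must_wait_*` helpers are hypothetical stand-ins, and only `retry_delay_timestamp`, its special value 0 and the jiffies value 4294952605 come from the commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit model of the kernel's wrap-safe time_after(a, b): is a later than b? */
static bool time_after32(uint32_t a, uint32_t b)
{
    return (int32_t)(b - a) < 0;
}

/* Hypothetical stand-in for the port state; only the field the commit names. */
struct fcport_model {
    uint32_t retry_delay_timestamp; /* 0 = no retry delay armed */
};

/* Sentinel-unaware check: 0 is compared like any other deadline.
 * Returns true when I/O to the port must be held back. */
static bool must_wait_naive(struct fcport_model *p, uint32_t jiffies)
{
    if (time_after32(jiffies, p->retry_delay_timestamp)) {
        p->retry_delay_timestamp = 0; /* deadline passed, disarm */
        return false;
    }
    return true;
}

/* Sentinel-aware check: rule out 0 before doing any time arithmetic. */
static bool must_wait_checked(struct fcport_model *p, uint32_t jiffies)
{
    if (p->retry_delay_timestamp == 0)
        return false;
    return must_wait_naive(p, jiffies);
}

/* Number of ticks an unarmed port stays blocked under the naive check. */
static uint32_t ticks_blocked_naive(uint32_t start)
{
    struct fcport_model p = { 0 };
    uint32_t n = 0;
    while (must_wait_naive(&p, start + n))
        n++;
    return n;
}

int main(void)
{
    uint32_t j = 4294952605u; /* jiffies value quoted in the commit message */
    printf("naive check blocks for %u ticks\n", (unsigned)ticks_blocked_naive(j));
    return 0;
}
```

In this model the unarmed port stays blocked until the 32-bit counter has wrapped past 0, while a deadline that was really armed across the wrap is still honoured by the sentinel-aware check.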