1. 09 2月, 2017 1 次提交
  2. 18 1月, 2017 1 次提交
    • Q
      qla2xxx: Fix crash due to null pointer access · fc1ffd6c
      Quinn Tran 提交于
      During code inspection, while investigating following stack trace
      seen on one of the test setup, we found out there was possibility
      of memory leak becuase driver was not unwinding the stack properly.
      
      This issue has not been reproduced in a test environment or on a
      customer setup.
      
      Here's stack trace that was seen.
      
      [1469877.797315] Call Trace:
      [1469877.799940]  [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
      [1469877.806980]  [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
      [1469877.814013]  [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
      [1469877.820265]  [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
      [1469877.826776]  [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
      [1469877.833720]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
      [1469877.839885]  [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
      [1469877.846830]  [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
      [1469877.852562]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
      [1469877.858727]  [<ffffffff81319c89>] pci_call_probe+0x89/0xb0
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NQuinn Tran <quinn.tran@cavium.com>
      Signed-off-by: NHimanshu Madhani <himanshu.madhani@cavium.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      [ bvanassche: Fixed spelling in patch description ]
      Signed-off-by: NBart Van Assche <bart.vanassche@sandisk.com>
      fc1ffd6c
  3. 10 1月, 2017 1 次提交
  4. 15 12月, 2016 3 次提交
  5. 15 11月, 2016 1 次提交
    • M
      scsi: qla2xxx: do not abort all commands in the adapter during EEH recovery · c733ab35
      Mauricio Faria de Oliveira 提交于
      The previous commit 1535aa75 ("qla2xxx: fix invalid DMA access after
      command aborts in PCI device remove") introduced a regression during an
      EEH recovery, since the change to the qla2x00_abort_all_cmds() function
      calls qla2xxx_eh_abort(), which verifies the EEH recovery condition but
      handles it heavy-handed. (commit a465537a "qla2xxx: Disable the
      adapter and skip error recovery in case of register disconnect.")
      
      This problem warrants a more general/optimistic solution right into
      qla2xxx_eh_abort() (eg in case a real command abort arrives during EEH
      recovery, or if it takes long enough to trigger command aborts); but
      it's still worth to add a check to ensure the code added by the previous
      commit is correct and contained within its owner function.
      
      This commit just adds a 'if (!ha->flags.eeh_busy)' check around it.
      (ahem; a trivial fix for this -rc series; sorry for this oversight.)
      
      With it applied, both PCI device remove and EEH recovery works fine.
      
      Fixes: 1535aa75 ("scsi: qla2xxx: fix invalid DMA access after command aborts in PCI device remove")
      Signed-off-by: NMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Acked-by: NHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      c733ab35
  6. 09 11月, 2016 2 次提交
  7. 02 11月, 2016 1 次提交
    • B
      scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init · a5dd506e
      Bill Kuzeja 提交于
      A system can get hung task timeouts if a qlogic board fails during
      initialization (if the board breaks again or fails the init). The hang
      involves the scsi scan.
      
      In a nutshell, since commit beb9e315 ("qla2xxx: Prevent removal and
      board_disable race"):
      
      ...it is possible to have freed ha (base_vha->hw) early by a call to
      qla2x00_remove_one when pdev->enable_cnt equals zero:
      
             if (!atomic_read(&pdev->enable_cnt)) {
                     scsi_host_put(base_vha->host);
                     kfree(ha);
                     pci_set_drvdata(pdev, NULL);
                     return;
      
      Almost always, the scsi_host_put above frees the vha structure
      (attached to the end of the Scsi_Host we're putting) since it's the last
      put, and life is good.  However, if we are entering this routine because
      the adapter has broken sometime during initialization AND a scsi scan is
      already in progress (and has done its own scsi_host_get), vha will not
      be freed. What's worse, the scsi scan will access the freed ha structure
      through qla2xxx_scan_finished:
      
              if (time > vha->hw->loop_reset_delay * HZ)
                      return 1;
      
      The scsi scan keeps checking to see if a scan is complete by calling
      qla2xxx_scan_finished. There is a timeout value that limits the length
      of time a scan can take (hw->loop_reset_delay, usually set to 5
      seconds), but this definition is in the data structure (hw) that can get
      freed early.
      
      This can yield unpredictable results, the worst of which is that the
      scsi scan can hang indefinitely. This happens when the freed structure
      gets reused and loop_reset_delay gets overwritten with garbage, which
      the scan obliviously uses as its timeout value.
      
      The fix for this is simple: at the top of qla2xxx_scan_finished, check
      for the UNLOADING bit in the vha structure (_vha is not freed at this
      point).  If UNLOADING is set, we exit the scan for this adapter
      immediately. After this last reference to the ha structure, we'll exit
      the scan for this adapter, and continue on.
      
      This problem is hard to hit, but I have run into it doing negative
      testing many times now (with a test specifically designed to bring it
      out), so I can verify that this fix works. My testing has been against a
      RHEL7 driver variant, but the bug and patch are equally relevant to to
      the upstream driver.
      
      Fixes: beb9e315 ("qla2xxx: Prevent removal and board_disable race")
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: NBill Kuzeja <william.kuzeja@stratus.com>
      Acked-by: NHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      a5dd506e
  8. 31 8月, 2016 1 次提交
  9. 09 8月, 2016 1 次提交
  10. 16 7月, 2016 5 次提交
  11. 24 2月, 2016 2 次提交
  12. 07 2月, 2016 1 次提交
    • Q
      qla2xxx: Fix stale pointer access. · cb43285f
      Quinn Tran 提交于
      [ Upstream Commit 84e32a06 ]
      
      Commit 84e32a06 ("qla2xxx: Use pci_enable_msix_range() instead of
      pci_enable_msix()") introduced a regression when target mode is enabled.
      In qla24xx_enable_msix(), ha->max_rsp_queues was incorrectly set
      to a value higher than the number of response queues allocated causing
      an invalid dereference. Specifically here in qla2x00_init_rings():
          *rsp->in_ptr = 0;
      
      Add additional check to make sure the pointer is valid. following
      call stack will be seen
      
      ---- 8< ----
      RIP: 0010:[<ffffffffa02ccadc>]  [<ffffffffa02ccadc>] qla2x00_init_rings+0xdc/0x320 [qla2xxx]
      RSP: 0018:ffff880429447dd8  EFLAGS: 00010082
      ....
      Call Trace:
      [<ffffffffa02ceb40>] qla2x00_abort_isp+0x170/0x6b0 [qla2xxx]
      [<ffffffffa02c6f77>] qla2x00_do_dpc+0x357/0x7f0 [qla2xxx]
      [<ffffffffa02c6c20>] ? qla2x00_relogin+0x260/0x260 [qla2xxx]
      [<ffffffff8107d2c9>] kthread+0xc9/0xe0
      [<ffffffff8107d200>] ? flush_kthread_worker+0x90/0x90
      [<ffffffff8172cc6f>] ret_from_fork+0x3f/0x70
      [<ffffffff8107d200>] ? flush_kthread_worker+0x90/0x90
      ---- 8< ----
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: NHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      cb43285f
  13. 08 1月, 2016 7 次提交
  14. 19 11月, 2015 1 次提交
  15. 10 11月, 2015 1 次提交
  16. 27 8月, 2015 7 次提交
  17. 25 7月, 2015 4 次提交