1. 27 Jul, 2016 2 commits
    • Uma Krishnan's avatar
      cxlflash: Verify problem state area is mapped before notifying shutdown · 1bd2b282
      Uma Krishnan authored
      If an EEH or some other hard error occurs while the adapter instance was
      being initialized, on the subsequent shutdown of the device, the system
      could crash with:
      
      [c000000f1da03b60] c0000000005eccfc pci_device_shutdown+0x6c/0x100
      [c000000f1da03ba0] c0000000006d67d4 device_shutdown+0x1b4/0x2c0
      [c000000f1da03c40] c0000000000ea30c kernel_restart_prepare+0x5c/0x80
      [c000000f1da03c70] c0000000000ea48c kernel_restart+0x2c/0xc0
      [c000000f1da03ce0] c0000000000ea970 SyS_reboot+0x1c0/0x2d0
      [c000000f1da03e30] c000000000009204 system_call+0x38/0xb4
      
      This crash is due to the AFU not being mapped when the shutdown
      notification routine is called and is a regression that was inserted
      recently with Commit 704c4b0d ("cxlflash: Shutdown notify support
      for CXL Flash cards").
      
      As a fix, shutdown notification should only occur when the AFU is
      mapped.
      
      Fixes: 704c4b0d ("cxlflash: Shutdown notify support for CXL Flash cards")
      Signed-off-by: default avatarUma Krishnan <ukrishn@linux.vnet.ibm.com>
      Reviewed-by: default avatarAndrew Donnellan <andrew.donnellan@au1.ibm.com>
      Acked-by: default avatarMatthew R. Ochs <mrochs@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      1bd2b282
    • Mauricio Faria de Oliveira's avatar
      lpfc: fix oops in lpfc_sli4_scmd_to_wqidx_distr() from lpfc_send_taskmgmt() · 05a05872
      Mauricio Faria de Oliveira authored
      The lpfc_sli4_scmd_to_wqidx_distr() function expects the scsi_cmnd
      'lpfc_cmd->pCmd' not to be null, and point to the midlayer command.
      
      That's not true in the .eh_(device|target|bus)_reset_handler path,
      because lpfc_send_taskmgmt() sends commands not from the midlayer, so
      does not set 'lpfc_cmd->pCmd'.
      
      That is true in the .queuecommand path because lpfc_queuecommand()
      stores the scsi_cmnd from midlayer in lpfc_cmd->pCmd; and lpfc_cmd is
      stored by lpfc_scsi_prep_cmnd() in piocbq->context1 -- which is passed
      to lpfc_sli4_scmd_to_wqidx_distr() as lpfc_cmd parameter.
      
      This problem can be hit on SCSI EH, and immediately with sg_reset.
      These 2 test-cases demonstrate the problem/fix with next-20160601.
      
      Test-case 1) sg_reset
      
          # strace sg_reset --device /dev/sdm
          <...>
          open("/dev/sdm", O_RDWR|O_NONBLOCK)     = 3
          ioctl(3, SG_SCSI_RESET, 0x3fffde6d0994 <unfinished ...>
          +++ killed by SIGSEGV +++
          Segmentation fault
      
          # dmesg
          Unable to handle kernel paging request for data at address 0x00000000
          Faulting instruction address: 0xd00000001c88442c
          Oops: Kernel access of bad area, sig: 11 [#1]
          <...>
          CPU: 104 PID: 16333 Comm: sg_reset Tainted: G        W       4.7.0-rc1-next-20160601-00004-g95b89dc #6
          <...>
          NIP [d00000001c88442c] lpfc_sli4_scmd_to_wqidx_distr+0xc/0xd0 [lpfc]
          LR [d00000001c826fe8] lpfc_sli_calc_ring.part.27+0x98/0xd0 [lpfc]
          Call Trace:
          [c000003c9ec876f0] [c000003c9ec87770] 0xc000003c9ec87770 (unreliable)
          [c000003c9ec87720] [d00000001c82e004] lpfc_sli_issue_iocb+0xd4/0x260 [lpfc]
          [c000003c9ec87780] [d00000001c831a3c] lpfc_sli_issue_iocb_wait+0x15c/0x5b0 [lpfc]
          [c000003c9ec87880] [d00000001c87f27c] lpfc_send_taskmgmt+0x24c/0x650 [lpfc]
          [c000003c9ec87950] [d00000001c87fd7c] lpfc_device_reset_handler+0x10c/0x200 [lpfc]
          [c000003c9ec87a10] [c000000000610694] scsi_try_bus_device_reset+0x44/0xc0
          [c000003c9ec87a40] [c0000000006113e8] scsi_ioctl_reset+0x198/0x2c0
          [c000003c9ec87bf0] [c00000000060fe5c] scsi_ioctl+0x13c/0x4b0
          [c000003c9ec87c80] [c0000000006629b0] sd_ioctl+0xf0/0x120
          [c000003c9ec87cd0] [c00000000046e4f8] blkdev_ioctl+0x248/0xb70
          [c000003c9ec87d30] [c0000000002a1f60] block_ioctl+0x70/0x90
          [c000003c9ec87d50] [c00000000026d334] do_vfs_ioctl+0xc4/0x890
          [c000003c9ec87de0] [c00000000026db60] SyS_ioctl+0x60/0xc0
          [c000003c9ec87e30] [c000000000009120] system_call+0x38/0x108
          Instruction dump:
          <...>
      
          With fix:
      
          # strace sg_reset --device /dev/sdm
          <...>
          open("/dev/sdm", O_RDWR|O_NONBLOCK)     = 3
          ioctl(3, SG_SCSI_RESET, 0x3fffe103c554) = 0
          close(3)                                = 0
          exit_group(0)                           = ?
          +++ exited with 0 +++
      
          # dmesg
          [  424.658649] lpfc 0006:01:00.4: 4:(0):0713 SCSI layer issued Device Reset (1, 0) return x2002
      
      Test-case 2) SCSI EH
      
          Using this debug patch to wire an SCSI EH trigger, for lpfc_scsi_cmd_iocb_cmpl():
          -       cmd->scsi_done(cmd);
          +       if ((phba->pport ? phba->pport->cfg_log_verbose : phba->cfg_log_verbose) == 0x32100000)
          +               printk(KERN_ALERT "lpfc: skip scsi_done()\n");
          +       else
          +               cmd->scsi_done(cmd);
      
          # echo 0x32100000 > /sys/class/scsi_host/host11/lpfc_log_verbose
      
          # dd if=/dev/sdm of=/dev/null iflag=direct &
          <...>
      
          After a while:
      
          # dmesg
          lpfc 0006:01:00.4: 4:(0):3053 lpfc_log_verbose changed from 0 (x0) to 839909376 (x32100000)
          lpfc: skip scsi_done()
          <...>
          Unable to handle kernel paging request for data at address 0x00000000
          Faulting instruction address: 0xd0000000199e448c
          Oops: Kernel access of bad area, sig: 11 [#1]
          <...>
          CPU: 96 PID: 28556 Comm: scsi_eh_11 Tainted: G        W       4.7.0-rc1-next-20160601-00004-g95b89dc #6
          <...>
          NIP [d0000000199e448c] lpfc_sli4_scmd_to_wqidx_distr+0xc/0xd0 [lpfc]
          LR [d000000019986fe8] lpfc_sli_calc_ring.part.27+0x98/0xd0 [lpfc]
          Call Trace:
          [c000000ff0d0b890] [c000000ff0d0b900] 0xc000000ff0d0b900 (unreliable)
          [c000000ff0d0b8c0] [d00000001998e004] lpfc_sli_issue_iocb+0xd4/0x260 [lpfc]
          [c000000ff0d0b920] [d000000019991a3c] lpfc_sli_issue_iocb_wait+0x15c/0x5b0 [lpfc]
          [c000000ff0d0ba20] [d0000000199df27c] lpfc_send_taskmgmt+0x24c/0x650 [lpfc]
          [c000000ff0d0baf0] [d0000000199dfd7c] lpfc_device_reset_handler+0x10c/0x200 [lpfc]
          [c000000ff0d0bbb0] [c000000000610694] scsi_try_bus_device_reset+0x44/0xc0
          [c000000ff0d0bbe0] [c0000000006126cc] scsi_eh_ready_devs+0x49c/0x9c0
          [c000000ff0d0bcb0] [c000000000614160] scsi_error_handler+0x580/0x680
          [c000000ff0d0bd80] [c0000000000ae848] kthread+0x108/0x130
          [c000000ff0d0be30] [c0000000000094a8] ret_from_kernel_thread+0x5c/0xb4
          Instruction dump:
          <...>
      
          With fix:
      
          # dmesg
          lpfc 0006:01:00.4: 4:(0):3053 lpfc_log_verbose changed from 0 (x0) to 839909376 (x32100000)
          lpfc: skip scsi_done()
          <...>
          lpfc 0006:01:00.4: 4:(0):0713 SCSI layer issued Device Reset (0, 0) return x2002
          <...>
          lpfc 0006:01:00.4: 4:(0):0723 SCSI layer issued Target Reset (1, 0) return x2002
          <...>
          lpfc 0006:01:00.4: 4:(0):0714 SCSI layer issued Bus Reset Data: x2002
          <...>
          lpfc 0006:01:00.4: 4:(0):3172 SCSI layer issued Host Reset Data:
          <...>
      
      Fixes: 8b0dff14 ("lpfc: Add support for using block multi-queue")
      Cc: <stable@vger.kernel.org> # v4.2+
      Signed-off-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Acked-by: default avatarJames Smart <james.smart@broadcom.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      05a05872
  2. 21 Jul, 2016 2 commits
    • Wei Fang's avatar
      scsi:libsas: fix oops caused by assigning a freed task to ->lldd_task · 354a086d
      Wei Fang authored
      A freed task has been assigned to ->lldd_task when lldd_execute_task()
      failed in sas_ata_qc_issue(), and access of ->lldd_task will cause an
      oops:
      
      Call trace:
      [<ffffffc000641f64>] sas_ata_post_internal+0x6c/0x150
      [<ffffffc0006c0d64>] ata_exec_internal_sg+0x32c/0x588
      [<ffffffc0006c1048>] ata_exec_internal+0x88/0xe8
      [<ffffffc0006c13b4>] ata_dev_read_id+0x204/0x5e0
      [<ffffffc0006c17f0>] ata_dev_reread_id+0x60/0xc8
      [<ffffffc0006c3098>] ata_dev_revalidate+0x88/0x1e0
      [<ffffffc0006cf828>] ata_eh_recover+0xcf8/0x13a8
      [<ffffffc0006d075c>] ata_do_eh+0x5c/0xe0
      [<ffffffc0006d0828>] ata_std_error_handler+0x48/0x98
      [<ffffffc0006d042c>] ata_scsi_port_error_handler+0x474/0x658
      [<ffffffc000641b78>] async_sas_ata_eh+0x50/0x80
      [<ffffffc0000ca664>] async_run_entry_fn+0x64/0x180
      [<ffffffc0000c085c>] process_one_work+0x164/0x438
      [<ffffffc0000c0c74>] worker_thread+0x144/0x4b0
      [<ffffffc0000c70fc>] kthread+0xfc/0x110
      
      Fix this by reassigning NULL to ->lldd_task in error path.
      Signed-off-by: default avatarWei Fang <fangwei1@huawei.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      354a086d
    • Dan Carpenter's avatar
      fnic: pci_dma_mapping_error() doesn't return an error code · dd7328e4
      Dan Carpenter authored
      pci_dma_mapping_error() returns true on error and false on success.
      
      Fixes: fd6ddfa4 ('fnic: check pci_map_single() return value')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      dd7328e4
  3. 20 Jul, 2016 4 commits
  4. 15 Jul, 2016 32 commits