Skip to content

Commit 921195d

Browse files
torvaldstorvalds
committed
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley: "Eight fixes. The most important one is the mpt3sas fix which makes the driver work again on big endian systems. The rest are mostly minor error path or checker issues and the vmw_scsi one fixes a performance problem" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled scsi: mpt3sas: Swap I/O memory read value back to cpu endianness scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO scsi: fcoe: drop frames in ELS LOGO error path scsi: fcoe: fix use-after-free in fcoe_ctlr_els_send scsi: qedi: Fix a potential buffer overflow scsi: qla2xxx: Fix memory leak for allocating abort IOCB
2 parents b5b1404 + e95153b commit 921195d

File tree

7 files changed

+69
-49
lines changed

7 files changed

+69
-49
lines changed

drivers/scsi/fcoe/fcoe_ctlr.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -754,9 +754,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport,
754754
case ELS_LOGO:
755755
if (fip->mode == FIP_MODE_VN2VN) {
756756
if (fip->state != FIP_ST_VNMP_UP)
757-
return -EINVAL;
757+
goto drop;
758758
if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI)
759-
return -EINVAL;
759+
goto drop;
760760
} else {
761761
if (fip->state != FIP_ST_ENABLED)
762762
return 0;
@@ -799,9 +799,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport,
799799
fip->send(fip, skb);
800800
return -EINPROGRESS;
801801
drop:
802-
kfree_skb(skb);
803802
LIBFCOE_FIP_DBG(fip, "drop els_send op %u d_id %x\n",
804803
op, ntoh24(fh->fh_d_id));
804+
kfree_skb(skb);
805805
return -EINVAL;
806806
}
807807
EXPORT_SYMBOL(fcoe_ctlr_els_send);

drivers/scsi/libfc/fc_rport.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2164,6 +2164,7 @@ static void fc_rport_recv_logo_req(struct fc_lport *lport, struct fc_frame *fp)
21642164
FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
21652165
fc_rport_state(rdata));
21662166

2167+
rdata->flags &= ~FC_RP_STARTED;
21672168
fc_rport_enter_delete(rdata, RPORT_EV_STOP);
21682169
mutex_unlock(&rdata->rp_mutex);
21692170
kref_put(&rdata->kref, fc_rport_destroy);

drivers/scsi/mpt3sas/mpt3sas_base.c

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -3343,11 +3343,10 @@ _base_mpi_ep_writeq(__u64 b, volatile void __iomem *addr,
33433343
spinlock_t *writeq_lock)
33443344
{
33453345
unsigned long flags;
3346-
__u64 data_out = b;
33473346

33483347
spin_lock_irqsave(writeq_lock, flags);
3349-
writel((u32)(data_out), addr);
3350-
writel((u32)(data_out >> 32), (addr + 4));
3348+
__raw_writel((u32)(b), addr);
3349+
__raw_writel((u32)(b >> 32), (addr + 4));
33513350
mmiowb();
33523351
spin_unlock_irqrestore(writeq_lock, flags);
33533352
}
@@ -3367,7 +3366,8 @@ _base_mpi_ep_writeq(__u64 b, volatile void __iomem *addr,
33673366
static inline void
33683367
_base_writeq(__u64 b, volatile void __iomem *addr, spinlock_t *writeq_lock)
33693368
{
3370-
writeq(b, addr);
3369+
__raw_writeq(b, addr);
3370+
mmiowb();
33713371
}
33723372
#else
33733373
static inline void
@@ -5268,7 +5268,7 @@ _base_handshake_req_reply_wait(struct MPT3SAS_ADAPTER *ioc, int request_bytes,
52685268

52695269
/* send message 32-bits at a time */
52705270
for (i = 0, failed = 0; i < request_bytes/4 && !failed; i++) {
5271-
writel((u32)(request[i]), &ioc->chip->Doorbell);
5271+
writel(cpu_to_le32(request[i]), &ioc->chip->Doorbell);
52725272
if ((_base_wait_for_doorbell_ack(ioc, 5)))
52735273
failed = 1;
52745274
}
@@ -5289,7 +5289,7 @@ _base_handshake_req_reply_wait(struct MPT3SAS_ADAPTER *ioc, int request_bytes,
52895289
}
52905290

52915291
/* read the first two 16-bits, it gives the total length of the reply */
5292-
reply[0] = (u16)(readl(&ioc->chip->Doorbell)
5292+
reply[0] = le16_to_cpu(readl(&ioc->chip->Doorbell)
52935293
& MPI2_DOORBELL_DATA_MASK);
52945294
writel(0, &ioc->chip->HostInterruptStatus);
52955295
if ((_base_wait_for_doorbell_int(ioc, 5))) {
@@ -5298,7 +5298,7 @@ _base_handshake_req_reply_wait(struct MPT3SAS_ADAPTER *ioc, int request_bytes,
52985298
ioc->name, __LINE__);
52995299
return -EFAULT;
53005300
}
5301-
reply[1] = (u16)(readl(&ioc->chip->Doorbell)
5301+
reply[1] = le16_to_cpu(readl(&ioc->chip->Doorbell)
53025302
& MPI2_DOORBELL_DATA_MASK);
53035303
writel(0, &ioc->chip->HostInterruptStatus);
53045304

@@ -5312,7 +5312,7 @@ _base_handshake_req_reply_wait(struct MPT3SAS_ADAPTER *ioc, int request_bytes,
53125312
if (i >= reply_bytes/2) /* overflow case */
53135313
readl(&ioc->chip->Doorbell);
53145314
else
5315-
reply[i] = (u16)(readl(&ioc->chip->Doorbell)
5315+
reply[i] = le16_to_cpu(readl(&ioc->chip->Doorbell)
53165316
& MPI2_DOORBELL_DATA_MASK);
53175317
writel(0, &ioc->chip->HostInterruptStatus);
53185318
}

drivers/scsi/qedi/qedi_main.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -888,7 +888,7 @@ static void qedi_get_boot_tgt_info(struct nvm_iscsi_block *block,
888888
ipv6_en = !!(block->generic.ctrl_flags &
889889
NVM_ISCSI_CFG_GEN_IPV6_ENABLED);
890890

891-
snprintf(tgt->iscsi_name, NVM_ISCSI_CFG_ISCSI_NAME_MAX_LEN, "%s\n",
891+
snprintf(tgt->iscsi_name, sizeof(tgt->iscsi_name), "%s\n",
892892
block->target[index].target_name.byte);
893893

894894
tgt->ipv6_en = ipv6_en;

drivers/scsi/qla2xxx/qla_iocb.c

Lines changed: 27 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -2130,34 +2130,11 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
21302130
req_cnt = 1;
21312131
handle = 0;
21322132

2133-
if (!sp)
2134-
goto skip_cmd_array;
2135-
2136-
/* Check for room in outstanding command list. */
2137-
handle = req->current_outstanding_cmd;
2138-
for (index = 1; index < req->num_outstanding_cmds; index++) {
2139-
handle++;
2140-
if (handle == req->num_outstanding_cmds)
2141-
handle = 1;
2142-
if (!req->outstanding_cmds[handle])
2143-
break;
2144-
}
2145-
if (index == req->num_outstanding_cmds) {
2146-
ql_log(ql_log_warn, vha, 0x700b,
2147-
"No room on outstanding cmd array.\n");
2148-
goto queuing_error;
2149-
}
2150-
2151-
/* Prep command array. */
2152-
req->current_outstanding_cmd = handle;
2153-
req->outstanding_cmds[handle] = sp;
2154-
sp->handle = handle;
2155-
2156-
/* Adjust entry-counts as needed. */
2157-
if (sp->type != SRB_SCSI_CMD)
2133+
if (sp && (sp->type != SRB_SCSI_CMD)) {
2134+
/* Adjust entry-counts as needed. */
21582135
req_cnt = sp->iocbs;
2136+
}
21592137

2160-
skip_cmd_array:
21612138
/* Check for room on request queue. */
21622139
if (req->cnt < req_cnt + 2) {
21632140
if (qpair->use_shadow_reg)
@@ -2183,6 +2160,28 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
21832160
if (req->cnt < req_cnt + 2)
21842161
goto queuing_error;
21852162

2163+
if (sp) {
2164+
/* Check for room in outstanding command list. */
2165+
handle = req->current_outstanding_cmd;
2166+
for (index = 1; index < req->num_outstanding_cmds; index++) {
2167+
handle++;
2168+
if (handle == req->num_outstanding_cmds)
2169+
handle = 1;
2170+
if (!req->outstanding_cmds[handle])
2171+
break;
2172+
}
2173+
if (index == req->num_outstanding_cmds) {
2174+
ql_log(ql_log_warn, vha, 0x700b,
2175+
"No room on outstanding cmd array.\n");
2176+
goto queuing_error;
2177+
}
2178+
2179+
/* Prep command array. */
2180+
req->current_outstanding_cmd = handle;
2181+
req->outstanding_cmds[handle] = sp;
2182+
sp->handle = handle;
2183+
}
2184+
21862185
/* Prep packet */
21872186
req->cnt -= req_cnt;
21882187
pkt = req->ring_ptr;
@@ -2195,6 +2194,8 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
21952194
pkt->handle = handle;
21962195
}
21972196

2197+
return pkt;
2198+
21982199
queuing_error:
21992200
qpair->tgt_counters.num_alloc_iocb_failed++;
22002201
return pkt;

drivers/scsi/sr.c

Lines changed: 21 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -523,18 +523,26 @@ static int sr_init_command(struct scsi_cmnd *SCpnt)
523523
static int sr_block_open(struct block_device *bdev, fmode_t mode)
524524
{
525525
struct scsi_cd *cd;
526+
struct scsi_device *sdev;
526527
int ret = -ENXIO;
527528

529+
cd = scsi_cd_get(bdev->bd_disk);
530+
if (!cd)
531+
goto out;
532+
533+
sdev = cd->device;
534+
scsi_autopm_get_device(sdev);
528535
check_disk_change(bdev);
529536

530537
mutex_lock(&sr_mutex);
531-
cd = scsi_cd_get(bdev->bd_disk);
532-
if (cd) {
533-
ret = cdrom_open(&cd->cdi, bdev, mode);
534-
if (ret)
535-
scsi_cd_put(cd);
536-
}
538+
ret = cdrom_open(&cd->cdi, bdev, mode);
537539
mutex_unlock(&sr_mutex);
540+
541+
scsi_autopm_put_device(sdev);
542+
if (ret)
543+
scsi_cd_put(cd);
544+
545+
out:
538546
return ret;
539547
}
540548

@@ -562,6 +570,8 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
562570
if (ret)
563571
goto out;
564572

573+
scsi_autopm_get_device(sdev);
574+
565575
/*
566576
* Send SCSI addressing ioctls directly to mid level, send other
567577
* ioctls to cdrom/block level.
@@ -570,15 +580,18 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
570580
case SCSI_IOCTL_GET_IDLUN:
571581
case SCSI_IOCTL_GET_BUS_NUMBER:
572582
ret = scsi_ioctl(sdev, cmd, argp);
573-
goto out;
583+
goto put;
574584
}
575585

576586
ret = cdrom_ioctl(&cd->cdi, bdev, mode, cmd, arg);
577587
if (ret != -ENOSYS)
578-
goto out;
588+
goto put;
579589

580590
ret = scsi_ioctl(sdev, cmd, argp);
581591

592+
put:
593+
scsi_autopm_put_device(sdev);
594+
582595
out:
583596
mutex_unlock(&sr_mutex);
584597
return ret;

drivers/scsi/vmw_pvscsi.c

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -561,9 +561,14 @@ static void pvscsi_complete_request(struct pvscsi_adapter *adapter,
561561
(btstat == BTSTAT_SUCCESS ||
562562
btstat == BTSTAT_LINKED_COMMAND_COMPLETED ||
563563
btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) {
564-
cmd->result = (DID_OK << 16) | sdstat;
565-
if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer)
566-
cmd->result |= (DRIVER_SENSE << 24);
564+
if (sdstat == SAM_STAT_COMMAND_TERMINATED) {
565+
cmd->result = (DID_RESET << 16);
566+
} else {
567+
cmd->result = (DID_OK << 16) | sdstat;
568+
if (sdstat == SAM_STAT_CHECK_CONDITION &&
569+
cmd->sense_buffer)
570+
cmd->result |= (DRIVER_SENSE << 24);
571+
}
567572
} else
568573
switch (btstat) {
569574
case BTSTAT_SUCCESS:

0 commit comments

Comments
 (0)