__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices() <-
scsi_finish_async_scan(). The result is use after free and/or double
free, oops.
The fix is simple, move scsi_forget_host() under scan_mutex.
scsi_forget_host() is just sequence of __scsi_remove_device(). All
another calls of __scsi_remove_device() are made under scan_mutex. So
that it is safe.
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Async scanning introduced a very wide window where the SCSI device is
up and running but has not yet been added to sysfs. We delay the
adding until all scans have completed to retain the same ordering as
sync scanning.
This delay in visibility causes an oops if a device is removed before
we make it visible because the SCSI removal routines have an inbuilt
assumption that if a device is in SDEV_RUNNING state, it must be
visible (which is not necessarily true in the async scanning case).
Fix this by introducing an additional is_visible flag which we can use
to condition the tear down so we do the right thing for running but
not yet made visible.
Reported-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
sd_dif.c was not updated to return -EILSEQ, leading to error handling
failures in applications which provide their own integrity metadata (as
opposed to being protected by the block layer functions).
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
A negative offset could be used to index before the event buffer and
lead to a security breach.
Signed-off-by: Dave Jones <davej@redhat.com>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
We should not set res to 0 in function sas_ex_discover_dev in order to let
it discover it further when wide port hotplug in .
Signed-off-by: Tom Peng <tom_peng@usish.com>
Signed-off-by: Jack Wang <jack_wang@usish.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Fix a reported ppc64 driver build issue. Removed cpu_to_le32 conversion
usage for flags in struct pmcraid_ioadl_desc. This was breaking the driver build in ppc64.
drivers/scsi/pmcraid.c: In function 'pmcraid_request_sense':
drivers/scsi/pmcraid.c:2254: warning: large integer implicitly truncated
to unsigned type
Signed-off-by: Anil Ravindranath<anil_ravindranath@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
This patch adds some additional logic to the interrupt service routine to fix
a potential problem where an MSI interrupt does not get cleared the first time.
Signed-off-by: Wayne Boyer <wayneb@linux.vnet.ibm.com>
Acked-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
BFA_PORT_ROLE_FCP_IPFC is 0x04 so this always evaluates to true
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Jing Huang <huangj@Brocade.COM>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Commit ef7562b7f2 ("dpt_i2o: Fix up
copy*user") had a silly typo: EINVAL should be -EINVAL.
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: stable@kernel.org
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
[SCSI] zfcp: Flush SCSI registration work when adding unit
[SCSI] zfcp: Fix timer initialization for ct and els requests
[SCSI] zfcp: Warn about storage devices with broken PLOGI data
[SCSI] zfcp: Handle WWPN mismatch in PLOGI payload
[SCSI] zfcp: fix kfree handling in zfcp_init_device_setup
[SCSI] fix memory leak in initialization
The root cause of the problem is the fact that dev_set_name() now
allocates storage instead of using the original array within the kobj.
That means that the SCSI assumption that if you haven't made the
containing object or any sub objects visible, you can just destroy it
(and its component devices) lock stock and barrel becomes false.
Fix this by doing the get of sdev_dev at parent time and thus do an
extra put of it in scsi_destroy_sdev() (and all other destruction
without add paths).
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: (34 commits)
[SCSI] qla2xxx: Fix NULL ptr deref bug in fail path during queue create
[SCSI] st: fix possible memory use after free after MTSETBLK ioctl
[SCSI] be2iscsi: Moving to pci_pools v3
[SCSI] libiscsi: iscsi_session_setup to allow for private space
[SCSI] be2iscsi: add 10Gbps iSCSI - BladeEngine 2 driver
[SCSI] zfcp: Fix hang when offlining device with offline chpid
[SCSI] zfcp: Fix lockdep warning when offlining device with offline chpid
[SCSI] zfcp: Fix oops during shutdown of offline device
[SCSI] zfcp: Fix initial device and cfdc for delayed adapter allocation
[SCSI] zfcp: correctly initialize unchained requests
[SCSI] mpt2sas: Bump version 02.100.03.00
[SCSI] mpt2sas: Support dev remove when phy status is MPI2_EVENT_SAS_TOPO_PHYSTATUS_VACANT
[SCSI] mpt2sas: Timeout occurred within the HANDSHAKE logic while waiting on firmware to ACK.
[SCSI] mpt2sas: Call init_completion on a per request basis.
[SCSI] mpt2sas: Target Reset will be issued from Interrupt context.
[SCSI] mpt2sas: Added SCSIIO, Internal and high priority memory pools to support multiple TM
[SCSI] mpt2sas: Copyright change to 2009.
[SCSI] mpt2sas: Added mpi2_history.txt for MPI2 headers.
[SCSI] mpt2sas: Update driver to MPI2 REV K headers.
[SCSI] bfa: Brocade BFA FC SCSI driver
...
Current code attempts to clean up resources when queue create fails and there it
invokes queue free call with a (NULL) pointer to the queue which could not be
allocated in the first place. Fix it by returning directly without invoking the
queue free call as no resources has been allocated at that point of time.
Reported-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
A memory use after free bug can manifest if the MTSETBLK or SET_DENS_AND_BLK
ioctl features are used to set the tape's blocksize from 0 to non-zero.
After the driver sets the new block size, in this one case it calls
normalize_buffer() to free the device's internal data buffers. However, the
ioctl code assumes there is always a buffer and does not check or allocate
a buffer if there isn't one. So any following ioctl calls can corrupt
a part of memory by writing data to memory that the st driver had freed.
This patch removes the normalize_buffer() call and the specialness of
changing from a 0 to non-zero blocksize to fix the possible use of
memory after it has been freed by the st driver.
signed-off-by: David Jeffery <djeffery@redhat.com>
Acked-by: Kai Makisara <kai.makisara@kolumbus.fi>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
This patch contains changes to use pci_pools for iscsi hdr
instead of pci_alloc_consistent. Here we alloc and free to pool
for every IO
v3:
- Remove cleanup loop in beiscsi_session_destroy
- Fixup for allocation failure handling in beiscsi_alloc_pdu
- Removed unused variable in beiscsi_session_destroy.
[jejb: fix up pci_pool_alloc address sizing problem]
Signed-off-by: Jayamohan Kallickal <jayamohank@serverengines.com>
Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
This patch contains changes that allow iscsi_session_setup
to allocate private space for LLD's
Signed-off-by: Jayamohan Kallickal <jayamohank@serverengines.com>
Acked-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
[v2: fixed up virt_to_bus() issue spotted by sfr]
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: Jayamohan Kallickal <jayamohank@serverengines.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Add support to process device removal events when the phy status is set to
MPI2_EVENT_SAS_TOPO_PHYSTATUS_VACANT.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Following a diag_reset, a request to send an ioc_init is timing out. The
timeout occurred within the HANDSHAKE logic while waiting on firmware to
acknowledge that the driver had wrote to the doorbell register. This was
root caused to a logic timeout in the firmware code. The proposed solution
is for the driver to call the udelay instead of msleep API in function where
its looping reading the interrupt status. In addition to this change, there
were two additional cases where we deleted the clearing interrupt status
outside handshake context.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Now driver call init_completion on a per request basis. At some
point the wait_for_completion_timeout is not waiting for the timeout,
instead returning immediately, thus going into diag reset. This fix will
address all request using the wait_for_completion_timeout API. The previous
implimentation was only calling init_completion at driver
load time.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
(1) Added three new functions to handle sending target resest and OP_REMOVE
from interrupt time, they are _scsih_tm_tr_send, _scsih_tm_tr_complete, and
_scsih_sas_control_complete. This code will create a link list of pending
target resets if there is no more available request in the hipriority
request queue. The list is stored in ioc->delayed_tr_list.
(2) All callback handler return type is changed from void to u8.
Now _base_interrupt will check for return type of callback handlers to
take decision of message frame is already freed or not.
In genral,
Return 1 meaning mf should be freed from _base_interrupt
0 means the mf is freed from function.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
1) create a pool of high priority message frames in the region of memory
between message frames and chains. The modifications are in
_base_allocate_memory_pools. Also create a seperate pool of memory for
internal commands located near the same region of memory. The pool of high
priority message frames is restriced by the facts->HighPriorityCredit.
2) Create additional API for accessing request message frames. New function
mpt2sas_base_get_smid_hpr is for highpriority request. New function
mpt2sas_base_get_smid_scsiio for SCSI_IO, passing in the scsi command
pointer. The mpt2sas_base_get_smid function is for requesting internal
commands.
3) Added new function _base_get_cb_idx to obtain the callback
index from one of the three pools of request message frames.
4) Removed wrapper functions _scsih_scsi_lookup_set and
_scsih_scsi_lookup_getclear. These were removed because this handling was
moved into mpt2sas_base_get_smid_scsiio and mpt2sas_base_free_smid.
5) The function mpt2sas_base_free_smid is modified so the request message
frames are put back on one of the three pools of request message frames.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Update the copyright year to 2009 through out the code.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Added new file for MPI2 header version history.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Drivers header are updated to the MPI2 REV K headers.
Renamed VF_ID to msix_index in all call back handlers.
VF_ID is removed from all request descriptor.
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Add missing kernel-doc notation in scsi_transport_fc.c:
Warning(drivers/scsi/scsi_transport_fc.c:3593): No description found for parameter 'q'
Warning(drivers/scsi/scsi_transport_fc.c:3700): No description found for parameter 'q'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Add support for 32-byte READ/WRITE as well as DIF Type 2 protection.
Reject protected 10/12/16 byte READ/WRITE commands when Type 2 is
enabled.
Verify Type 2 reference tag according to Expected Initial LBA in 32-byte
CDB.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Disks formatted with DIF Type 2 reject READ/WRITE 6/10/12/16 commands
when protection is enabled. Only the 32-byte variants are supported.
Implement support for issusing 32-byte READ/WRITE and enable Type 2
drives in the protection type detection logic.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
We would leak a scsi_data_buffer if the free_list command was of the
protected variety.
Reported-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
So far we have only issued DIF commands if CONFIG_BLK_DEV_INTEGRITY is
enabled. However, communication between initiator and target should be
independent of protection information DMA. There are DIF-only host
adapters coming out that will be able to take advantage of this.
Move the relevant DIF bits to sd.c.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
The checksum format is orthogonal to whether the protection information
is being passed on beyond the HBA or not. It is perfectly valid to use
a non-T10 CRC with WRITE_STRIP and READ_INSERT.
Consequently it no longer makes sense to explicitly refer to the
conversion in the protection operation. Update sd_dif and lpfc
accordingly.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Ihab Hamadi <Ihab.Hamadi@Emulex.Com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
A target reset when I/O is ongoing might result
an eventual device offline, as scsi_eh_completed_normally()
might return ADD_TO_MLQUEUE in addition to the
advertised SUCCESS, FAILED, and NEEDS_RETRY.
Which is unfortunate as scsi_send_eh_cmnd() will
therefore map ADD_TO_MLQUEUE to FAILED instead of
the more appropriate NEEDS_RETRY.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Cc: Stable Tree <stable@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Running sg_luns on s390x with CONFIG_DEBUG_PAGEALLOC enabled fails
with EFAULT from the SG_IO ioctl. The EFAULT is the result from
copy_to_user failing in this call chain:
sg_ioctl
sg_new_read
sg_finish_rem_req
blk_rq_unmap_user
__blk_rq_unmap_user
bio_uncopy_user
__bio_copy_iov
copy_to_user
The sg driver calls sg_remove_scat to free the memory pages before
calling blk_rq_unmap_user that tries to copy the data back to
userspace. Change the order to first call blk_rq_unmap_user before
freeing the pages in sg_remove_scat.
Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: stable@kernel.org
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
On certain cases, UDF disc doesn't report capacity correctly via
READ_CAPACITY but TOC or trackinfo contains valid information which
can be obtained using cdrom_get_last_written(). ide-cd considers both
values and uses the larger one. Do the same in sr. This fixes
bko#9668.
http://bugzilla.kernel.org/show_bug.cgi?id=9668
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Milan Kocian <milan.kocian@wq.cz>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
5706/5708/5709 devices allow driver/user to set page size. By default it is
set to 4096. Current drivers do not program this register based on
architecture type (e.g. x86 = 4K, IA64 = 16K) and by choice lets device use
the defaults. So while mapping connection context memory (doorebll registers),
driver has to match page size used by the device. Included change fixes the
issue we uncovered during IA64 testing
Signed-off-by: Anil Veerabhadrappa <anilgv@broadcom.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Most code changes were made to support RR44xx adapters.
- add more PCI device ID.
- using PCI BAR[2] to access RR44xx IOP.
- using PCI BAR[0] to check and clear RR44xx IRQ.
Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
The function mode_select_handle_sense returns SCSI_DH_OK even when there is a sense code which is incorrect. Removing it so that it returns SCSI_DH_IO when there is sense that is not handled by this function.
Signed-off-by: Babu Moger <babu.moger@lsi.com>
Reviewed-by: Vijay Chauhan <vijay.chauhan@lsi.com>
Reviewed-by: Bob Stankey <Robert.stankey@lsi.com>
Reviewed-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
1.Changed driver prints to use scmd_printk, sdev_printk
2.Changed dev_err calls to scmd_printk for scsi related print messages
Signed-off-by: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
This is support for Areca SAS/SATA HBA, ARC-1300/1320, which quipped with
88SE6440/88SE9480 respectively.
Signed-off-by: Nick Cheng< nick.cheng@areca.com.tw >
Cc: Ke Wei <kewei.mv@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* mark struct vm_area_struct::vm_ops as const
* mark vm_ops in AGP code
But leave TTM code alone, something is fishy there with global vm_ops
being used.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* remove asm/atomic.h inclusion from kref.h -- not needed, linux/types.h
is enough for atomic_t
* remove linux/kref.h inclusion from files which do not need it.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Make all seq_operations structs const, to help mitigate against
revectoring user-triggerable function pointers.
This is derived from the grsecurity patch, although generated from scratch
because it's simpler than extracting the changes from there.
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (34 commits)
trivial: fix typo in aic7xxx comment
trivial: fix comment typo in drivers/ata/pata_hpt37x.c
trivial: typo in kernel-parameters.txt
trivial: fix typo in tracing documentation
trivial: add __init/__exit macros in drivers/gpio/bt8xxgpio.c
trivial: add __init macro/ fix of __exit macro location in ipmi_poweroff.c
trivial: remove unnecessary semicolons
trivial: Fix duplicated word "options" in comment
trivial: kbuild: remove extraneous blank line after declaration of usage()
trivial: improve help text for mm debug config options
trivial: doc: hpfall: accept disk device to unload as argument
trivial: doc: hpfall: reduce risk that hpfall can do harm
trivial: SubmittingPatches: Fix reference to renumbered step
trivial: fix typos "man[ae]g?ment" -> "management"
trivial: media/video/cx88: add __init/__exit macros to cx88 drivers
trivial: fix typo in CONFIG_DEBUG_FS in gcov doc
trivial: fix missing printk space in amd_k7_smp_check
trivial: fix typo s/ketymap/keymap/ in comment
trivial: fix typo "to to" in multiple files
trivial: fix typos in comments s/DGBU/DBGU/
...