From: Greg Kroah-Hartman
Date: Tue, 7 Aug 2018 13:12:50 +0000 (+0200)
Subject: 4.17-stable patches
X-Git-Tag: v4.17.14~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc5330efbff8fd7e68f970f0bfee00f380365c0c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.17-stable patches
added patches:
genirq-make-force-irq-threading-setup-more-robust.patch
jfs-fix-usercopy-whitelist-for-inline-inode-data.patch
netlink-don-t-shift-on-64-for-ngroups.patch
nohz-fix-local_timer_softirq_pending.patch
nohz-fix-missing-tick-reprogram-when-interrupting-an-inline-softirq.patch
perf-x86-intel-uncore-fix-hardcoded-index-of-broadwell-extra-pci-devices.patch
scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
scsi-qla2xxx-fix-isp-recovery-on-unload.patch
scsi-qla2xxx-fix-npiv-deletion-by-calling-wait_for_sess_deletion.patch
scsi-qla2xxx-fix-unintialized-list-head-crash.patch
scsi-qla2xxx-return-error-when-tmf-returns.patch
---
diff --git a/queue-4.17/genirq-make-force-irq-threading-setup-more-robust.patch b/queue-4.17/genirq-make-force-irq-threading-setup-more-robust.patch
new file mode 100644
index 00000000000..eb532afa83b
--- /dev/null
+++ b/queue-4.17/genirq-make-force-irq-threading-setup-more-robust.patch
@@ -0,0 +1,65 @@
+From d1f0301b3333eef5efbfa1fe0f0edbea01863d5d Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Fri, 3 Aug 2018 14:44:59 +0200
+Subject: genirq: Make force irq threading setup more robust
+
+From: Thomas Gleixner
+
+commit d1f0301b3333eef5efbfa1fe0f0edbea01863d5d upstream.
+
+The support of force threading interrupts which are set up with both a
+primary and a threaded handler wreckaged the setup of regular requested
+threaded interrupts (primary handler == NULL).
+
+The reason is that it does not check whether the primary handler is set to
+the default handler which wakes the handler thread. Instead it replaces the
+thread handler with the primary handler as it would do with force threaded
+interrupts which have been requested via request_irq(). So both the primary
+and the thread handler become the same which then triggers the warnon that
+the thread handler tries to wakeup a not configured secondary thread.
+
+Fortunately this only happens when the driver omits the IRQF_ONESHOT flag
+when requesting the threaded interrupt, which is normaly caught by the
+sanity checks when force irq threading is disabled.
+
+Fix it by skipping the force threading setup when a regular threaded
+interrupt is requested. As a consequence the interrupt request which lacks
+the IRQ_ONESHOT flag is rejected correctly instead of silently wreckaging
+it.
+
+Fixes: 2a1d3ab8986d ("genirq: Handle force threading of irqs with primary and thread handler")
+Reported-by: Kurt Kanzenbach
+Signed-off-by: Thomas Gleixner
+Tested-by: Kurt Kanzenbach
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/irq/manage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1067,6 +1067,13 @@ static int irq_setup_forced_threading(st
+ if (new->flags & (IRQF_NO_THREAD | IRQF_PERCPU | IRQF_ONESHOT))
+ return 0;
+
++ /*
++ * No further action required for interrupts which are requested as
++ * threaded interrupts already
++ */
++ if (new->handler == irq_default_primary_handler)
++ return 0;
++
+ new->flags |= IRQF_ONESHOT;
+
+ /*
+@@ -1074,7 +1081,7 @@ static int irq_setup_forced_threading(st
+ * thread handler. We force thread them as well by creating a
+ * secondary action.
+ */
+- if (new->handler != irq_default_primary_handler && new->thread_fn) {
++ if (new->handler && new->thread_fn) {
+ /* Allocate the secondary action */
+ new->secondary = kzalloc(sizeof(struct irqaction), GFP_KERNEL);
+ if (!new->secondary)
diff --git a/queue-4.17/jfs-fix-usercopy-whitelist-for-inline-inode-data.patch b/queue-4.17/jfs-fix-usercopy-whitelist-for-inline-inode-data.patch
new file mode 100644
index 00000000000..5aaf49fc679
--- /dev/null
+++ b/queue-4.17/jfs-fix-usercopy-whitelist-for-inline-inode-data.patch
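Review bot: The comment added above the `irq_default_primary_handler` check in irq_setup_forced_threading() (genirq patch) says no further action is required, but not why returning before `new->flags |= IRQF_ONESHOT` matters. Going by the commit message, the early return is what lets the existing sanity check reject a threaded request that lacks IRQF_ONESHOT, so I would extend the comment with something like `Returning here also leaves IRQF_ONESHOT unset, so a request which omitted it is still rejected by the sanity checks.` The function starts and ends outside the hunk, so the rejecting check itself is not visible here.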
@@ -0,0 +1,76 @@
+From 961b33c244e5ba1543ae26270a1ba29f29c2db83 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Fri, 3 Aug 2018 12:52:58 -0700
+Subject: jfs: Fix usercopy whitelist for inline inode data
+
+From: Kees Cook
+
+commit 961b33c244e5ba1543ae26270a1ba29f29c2db83 upstream.
+
+Bart Massey reported what turned out to be a usercopy whitelist false
+positive in JFS when symlink contents exceeded 128 bytes. The inline
+inode data (i_inline) is actually designed to overflow into the "extended
+area" following it (i_inline_ea) when needed. So the whitelist needed to
+be expanded to include both i_inline and i_inline_ea (the whole size
+of which is calculated internally using IDATASIZE, 256, instead of
+sizeof(i_inline), 128).
+
+$ cd /mnt/jfs
+$ touch $(perl -e 'print "B" x 250')
+$ ln -s B* b
+$ ls -l >/dev/null
+
+[ 249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!
+
+Reported-by: Bart Massey
+Fixes: 8d2704d382a9 ("jfs: Define usercopy region in jfs_ip slab cache")
+Cc: Dave Kleikamp
+Cc: jfs-discussion@lists.sourceforge.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jfs/jfs_dinode.h | 7 +++++++
+ fs/jfs/jfs_incore.h | 1 +
+ fs/jfs/super.c | 3 +--
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/jfs/jfs_dinode.h
++++ b/fs/jfs/jfs_dinode.h
+@@ -115,6 +115,13 @@ struct dinode {
+ dxd_t _dxd; /* 16: */
+ union {
+ __le32 _rdev; /* 4: */
++ /*
++ * The fast symlink area
++ * is expected to overflow
++ * into _inlineea when
++ * needed (which will clear
++ * INLINEEA).
++ */
+ u8 _fastsymlink[128];
+ } _u;
+ u8 _inlineea[128];
+--- a/fs/jfs/jfs_incore.h
++++ b/fs/jfs/jfs_incore.h
+@@ -87,6 +87,7 @@ struct jfs_inode_info {
+ struct {
+ unchar _unused[16]; /* 16: */
+ dxd_t _dxd; /* 16: */
++ /* _inline may overflow into _inline_ea when needed */
+ unchar _inline[128]; /* 128: inline symlink */
+ /* _inline_ea may overlay the last part of
+ * file._xtroot if maxentry = XTROOTINITSLOT
+--- a/fs/jfs/super.c
++++ b/fs/jfs/super.c
+@@ -967,8 +967,7 @@ static int __init init_jfs_fs(void)
+ jfs_inode_cachep =
+ kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info),
+ 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,
+- offsetof(struct jfs_inode_info, i_inline),
+- sizeof_field(struct jfs_inode_info, i_inline),
++ offsetof(struct jfs_inode_info, i_inline), IDATASIZE,
+ init_once);
+ if (jfs_inode_cachep == NULL)
+ return -ENOMEM;
diff --git a/queue-4.17/netlink-don-t-shift-on-64-for-ngroups.patch b/queue-4.17/netlink-don-t-shift-on-64-for-ngroups.patch
new file mode 100644
index 00000000000..2d06594c09e
--- /dev/null
+++ b/queue-4.17/netlink-don-t-shift-on-64-for-ngroups.patch
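Review bot: The usercopy whitelist in init_jfs_fs() (fs/jfs/super.c hunk of the jfs patch) is now sized by the bare constant `IDATASIZE`, and nothing at the call site says that it deliberately covers both `i_inline` and the `i_inline_ea` area behind it. Since this region is exactly what hardened usercopy permits to be copied to user space, a one-line comment such as `/* whitelist i_inline plus its i_inline_ea overflow area, IDATASIZE bytes in total */` would keep a later cleanup from shrinking it back to `sizeof_field(...)` or widening it further. A compile-time check that IDATASIZE matches the combined size of the two fields would also tie the constant to the struct layout; the field definitions are only partly visible in the jfs_incore.h hunk, so the exact expression needs confirming against the full header.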
@@ -0,0 +1,46 @@
+From 91874ecf32e41b5d86a4cb9d60e0bee50d828058 Mon Sep 17 00:00:00 2001
+From: Dmitry Safonov
+Date: Sun, 5 Aug 2018 01:35:53 +0100
+Subject: netlink: Don't shift on 64 for ngroups
+
+From: Dmitry Safonov
+
+commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058 upstream.
+
+It's legal to have 64 groups for netlink_sock.
+
+As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
+only to first 32 groups.
+
+The check for correctness of .bind() userspace supplied parameter
+is done by applying mask made from ngroups shift. Which broke Android
+as they have 64 groups and the shift for mask resulted in an overflow.
+
+Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
+Cc: "David S. Miller"
+Cc: Herbert Xu
+Cc: Steffen Klassert
+Cc: netdev@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reported-and-Tested-by: Nathan Chancellor
+Signed-off-by: Dmitry Safonov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netlink/af_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1013,8 +1013,8 @@ static int netlink_bind(struct socket *s
+
+ if (nlk->ngroups == 0)
+ groups = 0;
+- else
+- groups &= (1ULL << nlk->ngroups) - 1;
++ else if (nlk->ngroups < 8*sizeof(groups))
++ groups &= (1UL << nlk->ngroups) - 1;
+
+ bound = nlk->bound;
+ if (bound) {
diff --git a/queue-4.17/nohz-fix-local_timer_softirq_pending.patch b/queue-4.17/nohz-fix-local_timer_softirq_pending.patch
new file mode 100644
index 00000000000..a0a6edcec85
--- /dev/null
+++ b/queue-4.17/nohz-fix-local_timer_softirq_pending.patch
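Review bot: In netlink_bind() the new branch masks `groups` only when `nlk->ngroups < 8*sizeof(groups)` and shifts the literal `1UL`, so the width of the literal and the width of `groups` have to agree, and the declaration of `groups` is outside the hunk. If `groups` is an `unsigned long` the bound is consistent; if its type ever changes, the shift count can again reach the operand width, which is undefined behaviour on the path that validates the user-supplied bind mask. A short comment would help, for example `/* ngroups >= bit width of groups: every representable bit is a valid group, no mask needed */`, and `BITS_PER_LONG` would state the bound more directly than `8*sizeof(groups)` if the type is indeed `unsigned long`.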
@@ -0,0 +1,44 @@
+From 80d20d35af1edd632a5e7a3b9c0ab7ceff92769e Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner
+Date: Tue, 31 Jul 2018 18:13:58 +0200
+Subject: nohz: Fix local_timer_softirq_pending()
+
+From: Anna-Maria Gleixner
+
+commit 80d20d35af1edd632a5e7a3b9c0ab7ceff92769e upstream.
+
+local_timer_softirq_pending() checks whether the timer softirq is
+pending with: local_softirq_pending() & TIMER_SOFTIRQ.
+
+This is wrong because TIMER_SOFTIRQ is the softirq number and not a
+bitmask. So the test checks for the wrong bit.
+
+Use BIT(TIMER_SOFTIRQ) instead.
+
+Fixes: 5d62c183f9e9 ("nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()")
+Signed-off-by: Anna-Maria Gleixner
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Paul E. McKenney
+Reviewed-by: Daniel Bristot de Oliveira
+Acked-by: Frederic Weisbecker
+Cc: bigeasy@linutronix.de
+Cc: peterz@infradead.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180731161358.29472-1-anna-maria@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/tick-sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -642,7 +642,7 @@ static void tick_nohz_restart(struct tic
+
+ static inline bool local_timer_softirq_pending(void)
+ {
+- return local_softirq_pending() & TIMER_SOFTIRQ;
++ return local_softirq_pending() & BIT(TIMER_SOFTIRQ);
+ }
+
+ static ktime_t tick_nohz_next_event(struct tick_sched *ts, int cpu)
diff --git a/queue-4.17/nohz-fix-missing-tick-reprogram-when-interrupting-an-inline-softirq.patch b/queue-4.17/nohz-fix-missing-tick-reprogram-when-interrupting-an-inline-softirq.patch
new file mode 100644
index 00000000000..41a722aeb22
--- /dev/null
+++ b/queue-4.17/nohz-fix-missing-tick-reprogram-when-interrupting-an-inline-softirq.patch
@@ -0,0 +1,61 @@
+From 0a0e0829f990120cef165bbb804237f400953ec2 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker
+Date: Fri, 3 Aug 2018 15:31:34 +0200
+Subject: nohz: Fix missing tick reprogram when interrupting an inline softirq
+
+From: Frederic Weisbecker
+
+commit 0a0e0829f990120cef165bbb804237f400953ec2 upstream.
+
+The full nohz tick is reprogrammed in irq_exit() only if the exit is not in
+a nesting interrupt. This stands as an optimization: whether a hardirq or a
+softirq is interrupted, the tick is going to be reprogrammed when necessary
+at the end of the inner interrupt, with even potential new updates on the
+timer queue.
+
+When soft interrupts are interrupted, it's assumed that they are executing
+on the tail of an interrupt return. In that case tick_nohz_irq_exit() is
+called after softirq processing to take care of the tick reprogramming.
+
+But the assumption is wrong: softirqs can be processed inline as well, ie:
+outside of an interrupt, like in a call to local_bh_enable() or from
+ksoftirqd.
+
+Inline softirqs don't reprogram the tick once they are done, as opposed to
+interrupt tail softirq processing. So if a tick interrupts an inline
+softirq processing, the next timer will neither be reprogrammed from the
+interrupting tick's irq_exit() nor after the interrupted softirq
+processing. This situation may leave the tick unprogrammed while timers are
+armed.
+
+To fix this, simply keep reprogramming the tick even if a softirq has been
+interrupted. That can be optimized further, but for now correctness is more
+important.
+
+Note that new timers enqueued in nohz_full mode after a softirq gets
+interrupted will still be handled just fine through self-IPIs triggered by
+the timer code.
+
+Reported-by: Anna-Maria Gleixner
+Signed-off-by: Frederic Weisbecker
+Signed-off-by: Thomas Gleixner
+Tested-by: Anna-Maria Gleixner
+Cc: stable@vger.kernel.org # 4.14+
+Link: https://lkml.kernel.org/r/1533303094-15855-1-git-send-email-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -387,7 +387,7 @@ static inline void tick_irq_exit(void)
+
+ /* Make sure that timer wheel updates are propagated */
+ if ((idle_cpu(cpu) && !need_resched()) || tick_nohz_full_cpu(cpu)) {
+- if (!in_interrupt())
++ if (!in_irq())
+ tick_nohz_irq_exit();
+ }
+ #endif
diff --git a/queue-4.17/perf-x86-intel-uncore-fix-hardcoded-index-of-broadwell-extra-pci-devices.patch b/queue-4.17/perf-x86-intel-uncore-fix-hardcoded-index-of-broadwell-extra-pci-devices.patch
new file mode 100644
index 00000000000..957a54e915b
--- /dev/null
+++ b/queue-4.17/perf-x86-intel-uncore-fix-hardcoded-index-of-broadwell-extra-pci-devices.patch
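Review bot: tick_irq_exit() in kernel/softirq.c now tests `in_irq()` where it tested `in_interrupt()`, and nothing in the code records why softirq context is deliberately no longer excluded. The commit message explains it (a tick that interrupts inline softirq processing would otherwise leave the tick unprogrammed while timers are armed) and also says the check can be optimized further, which invites the very change that would reintroduce the bug. I would add a comment above the test, e.g. `/* in_irq(), not in_interrupt(): softirqs may run inline and do not reprogram the tick themselves */`.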
@@ -0,0 +1,110 @@
+From 156c8b58ef5cfd97245928c95669fd4cb0f9c388 Mon Sep 17 00:00:00 2001
+From: Kan Liang
+Date: Mon, 30 Jul 2018 08:28:08 -0400
+Subject: perf/x86/intel/uncore: Fix hardcoded index of Broadwell extra PCI devices
+
+From: Kan Liang
+
+commit 156c8b58ef5cfd97245928c95669fd4cb0f9c388 upstream.
+
+Masayoshi Mizuma reported that a warning message is shown while a CPU is
+hot-removed on Broadwell servers:
+
+ WARNING: CPU: 126 PID: 6 at arch/x86/events/intel/uncore.c:988
+ uncore_pci_remove+0x10b/0x150
+ Call Trace:
+ pci_device_remove+0x42/0xd0
+ device_release_driver_internal+0x148/0x220
+ pci_stop_bus_device+0x76/0xa0
+ pci_stop_root_bus+0x44/0x60
+ acpi_pci_root_remove+0x1f/0x80
+ acpi_bus_trim+0x57/0x90
+ acpi_bus_trim+0x2e/0x90
+ acpi_device_hotplug+0x2bc/0x4b0
+ acpi_hotplug_work_fn+0x1a/0x30
+ process_one_work+0x174/0x3a0
+ worker_thread+0x4c/0x3d0
+ kthread+0xf8/0x130
+
+This bug was introduced by:
+
+ commit 15a3e845b01c ("perf/x86/intel/uncore: Fix SBOX support for Broadwell CPUs")
+
+The index of "QPI Port 2 filter" was hardcode to 2, but this conflicts with the
+index of "PCU.3" which is "HSWEP_PCI_PCU_3", which equals to 2 as well.
+
+To fix the conflict, the hardcoded index needs to be cleaned up:
+
+ - introduce a new enumerator "BDX_PCI_QPI_PORT2_FILTER" for "QPI Port 2
+ filter" on Broadwell,
+ - increase UNCORE_EXTRA_PCI_DEV_MAX by one,
+ - clean up the hardcoded index.
+
+Debugged-by: Masayoshi Mizuma
+Suggested-by: Ingo Molnar
+Reported-by: Masayoshi Mizuma
+Tested-by: Masayoshi Mizuma
+Signed-off-by: Kan Liang
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Cc: msys.mizuma@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: 15a3e845b01c ("perf/x86/intel/uncore: Fix SBOX support for Broadwell CPUs")
+Link: http://lkml.kernel.org/r/1532953688-15008-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/events/intel/uncore.h | 2 +-
+ arch/x86/events/intel/uncore_snbep.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/events/intel/uncore.h
++++ b/arch/x86/events/intel/uncore.h
+@@ -23,7 +23,7 @@
+ #define UNCORE_PCI_DEV_TYPE(data) ((data >> 8) & 0xff)
+ #define UNCORE_PCI_DEV_IDX(data) (data & 0xff)
+ #define UNCORE_EXTRA_PCI_DEV 0xff
+-#define UNCORE_EXTRA_PCI_DEV_MAX 3
++#define UNCORE_EXTRA_PCI_DEV_MAX 4
+
+ #define UNCORE_EVENT_CONSTRAINT(c, n) EVENT_CONSTRAINT(c, n, 0xff)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -1029,6 +1029,7 @@ void snbep_uncore_cpu_init(void)
+ enum {
+ SNBEP_PCI_QPI_PORT0_FILTER,
+ SNBEP_PCI_QPI_PORT1_FILTER,
++ BDX_PCI_QPI_PORT2_FILTER,
+ HSWEP_PCI_PCU_3,
+ };
+
+@@ -3286,15 +3287,18 @@ static const struct pci_device_id bdx_un
+ },
+ { /* QPI Port 0 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f86),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 0),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ SNBEP_PCI_QPI_PORT0_FILTER),
+ },
+ { /* QPI Port 1 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f96),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 1),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ SNBEP_PCI_QPI_PORT1_FILTER),
+ },
+ { /* QPI Port 2 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f46),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 2),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ BDX_PCI_QPI_PORT2_FILTER),
+ },
+ { /* PCU.3 (for Capability registers) */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6fc0),
diff --git a/queue-4.17/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch b/queue-4.17/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
new file mode 100644
index 00000000000..2ac6c2fb25c
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
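Review bot: `UNCORE_EXTRA_PCI_DEV_MAX` in uncore.h is raised to 4 by hand while the enumerators it has to cover live in an anonymous enum in uncore_snbep.c, so the two can drift apart the next time an entry is added. The bug fixed here came from an index chosen by hand; the count is still chosen by hand, and a count that is too small would presumably let an index run past whatever array the macro sizes (that array is not visible in these hunks). A comment on the define such as `/* must cover every enumerator of the extra PCI device enum in uncore_snbep.c */`, or a trailing sentinel enumerator checked with `BUILD_BUG_ON()`, would make the dependency explicit.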
@@ -0,0 +1,172 @@
+From 45235022da9925b2b070c0139629233173e50089 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 18 Jul 2018 14:29:53 -0700
+Subject: scsi: qla2xxx: Fix driver unload by shutting down chip
+
+From: Quinn Tran
+
+commit 45235022da9925b2b070c0139629233173e50089 upstream.
+
+Use chip shutdown at the start of unload to stop all DMA + traffic and
+bring down the laser. This prevents any link activities from triggering the
+driver to be re-engaged.
+
+Fixes: 4b60c82736d0 ("scsi: qla2xxx: Add fw_started flags to qpair")
+Cc: #4.16
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 3 ++
+ drivers/scsi/qla2xxx/qla_mbx.c | 6 +++++
+ drivers/scsi/qla2xxx/qla_mid.c | 6 +++--
+ drivers/scsi/qla2xxx/qla_os.c | 44 ++++++++++++++++-------------------------
+ drivers/scsi/qla2xxx/qla_sup.c | 3 ++
+ 5 files changed, 34 insertions(+), 28 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -631,6 +631,9 @@ qla2x00_async_event(scsi_qla_host_t *vha
+ unsigned long flags;
+ fc_port_t *fcport = NULL;
+
++ if (!vha->hw->flags.fw_started)
++ return;
++
+ /* Setup to process RIO completion. */
+ handle_cnt = 0;
+ if (IS_CNA_CAPABLE(ha))
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -4212,6 +4212,9 @@ qla25xx_init_req_que(struct scsi_qla_hos
+ mbx_cmd_t *mcp = &mc;
+ struct qla_hw_data *ha = vha->hw;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d3,
+ "Entered %s.\n", __func__);
+
+@@ -4281,6 +4284,9 @@ qla25xx_init_rsp_que(struct scsi_qla_hos
+ mbx_cmd_t *mcp = &mc;
+ struct qla_hw_data *ha = vha->hw;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d6,
+ "Entered %s.\n", __func__);
+
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -152,10 +152,12 @@ int
+ qla24xx_disable_vp(scsi_qla_host_t *vha)
+ {
+ unsigned long flags;
+- int ret;
++ int ret = QLA_SUCCESS;
+ fc_port_t *fcport;
+
+- ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
++ if (vha->hw->flags.fw_started)
++ ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
++
+ atomic_set(&vha->loop_state, LOOP_DOWN);
+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
+ list_for_each_entry(fcport, &vha->vp_fcports, list)
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -303,6 +303,7 @@ static void qla2x00_free_device(scsi_qla
+ static int qla2xxx_map_queues(struct Scsi_Host *shost);
+ static void qla2x00_destroy_deferred_work(struct qla_hw_data *);
+
++
+ struct scsi_host_template qla2xxx_driver_template = {
+ .module = THIS_MODULE,
+ .name = QLA2XXX_DRIVER_NAME,
+@@ -3603,6 +3604,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ base_vha = pci_get_drvdata(pdev);
+ ha = base_vha->hw;
++ ql_log(ql_log_info, base_vha, 0xb079,
++ "Removing driver\n");
+
+ /* Indicate device removal to prevent future board_disable and wait
+ * until any pending board_disable has completed. */
+@@ -3625,6 +3628,21 @@ qla2x00_remove_one(struct pci_dev *pdev)
+ }
+ qla2x00_wait_for_hba_ready(base_vha);
+
++ if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
++ if (ha->flags.fw_started)
++ qla2x00_abort_isp_cleanup(base_vha);
++ } else if (!IS_QLAFX00(ha)) {
++ if (IS_QLA8031(ha)) {
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
++ "Clearing fcoe driver presence.\n");
++ if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
++ "Error while clearing DRV-Presence.\n");
++ }
++
++ qla2x00_try_to_stop_firmware(base_vha);
++ }
++
+ qla2x00_wait_for_sess_deletion(base_vha);
+
+ /*
+@@ -3648,14 +3666,6 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ qla2x00_delete_all_vps(ha, base_vha);
+
+- if (IS_QLA8031(ha)) {
+- ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
+- "Clearing fcoe driver presence.\n");
+- if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
+- ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
+- "Error while clearing DRV-Presence.\n");
+- }
+-
+ qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16);
+
+ qla2x00_dfs_remove(base_vha);
+@@ -3715,24 +3725,6 @@ qla2x00_free_device(scsi_qla_host_t *vha
+ qla2x00_stop_timer(vha);
+
+ qla25xx_delete_queues(vha);
+-
+- if (ha->flags.fce_enabled)
+- qla2x00_disable_fce_trace(vha, NULL, NULL);
+-
+- if (ha->eft)
+- qla2x00_disable_eft_trace(vha);
+-
+- if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
+- if (ha->flags.fw_started)
+- qla2x00_abort_isp_cleanup(vha);
+- } else {
+- if (ha->flags.fw_started) {
+- /* Stop currently executing firmware. */
+- qla2x00_try_to_stop_firmware(vha);
+- ha->flags.fw_started = 0;
+- }
+- }
+-
+ vha->flags.online = 0;
+
+ /* turn-off interrupts on the card */
+--- a/drivers/scsi/qla2xxx/qla_sup.c
++++ b/drivers/scsi/qla2xxx/qla_sup.c
+@@ -1880,6 +1880,9 @@ qla24xx_beacon_off(struct scsi_qla_host
+ if (IS_P3P_TYPE(ha))
+ return QLA_SUCCESS;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ha->beacon_blink_led = 0;
+
+ if (IS_QLA2031(ha) || IS_QLA27XX(ha))
diff --git a/queue-4.17/scsi-qla2xxx-fix-isp-recovery-on-unload.patch b/queue-4.17/scsi-qla2xxx-fix-isp-recovery-on-unload.patch
new file mode 100644
index 00000000000..53e3d5ed0ce
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-isp-recovery-on-unload.patch
@@ -0,0 +1,38 @@
+From b08abbd9f5996309f021684f9ca74da30dcca36a Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 18 Jul 2018 14:29:54 -0700
+Subject: scsi: qla2xxx: Fix ISP recovery on unload
+
+From: Quinn Tran
+
+commit b08abbd9f5996309f021684f9ca74da30dcca36a upstream.
+
+During unload process, the chip can encounter problem where a FW dump would
+be captured. For this case, the full reset sequence will be skip to bring
+the chip back to full operational state.
+
+Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
+Cc:
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6014,8 +6014,9 @@ qla2x00_do_dpc(void *data)
+ set_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags);
+ }
+
+- if (test_and_clear_bit(ISP_ABORT_NEEDED,
+- &base_vha->dpc_flags)) {
++ if (test_and_clear_bit
++ (ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&
++ !test_bit(UNLOADING, &base_vha->dpc_flags)) {
+
+ ql_dbg(ql_dbg_dpc, base_vha, 0x4007,
+ "ISP abort scheduled.\n");
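Review bot: In the qla_os.c part of the driver-unload patch, the shutdown block moved into qla2x00_remove_one() calls `qla2x00_try_to_stop_firmware(base_vha)` without the `ha->flags.fw_started` test and without the `ha->flags.fw_started = 0` that the removed block in qla2x00_free_device() had. The guards the same patch adds (`if (!ha->flags.fw_started) return ...` in qla2x00_async_event, qla25xx_init_req_que, qla25xx_init_rsp_que and qla24xx_beacon_off) only take effect once that flag is cleared, so unless qla2x00_try_to_stop_firmware() clears it itself (not visible here) they do nothing on this path. The removed `qla2x00_disable_fce_trace()` and `qla2x00_disable_eft_trace()` calls also have no visible replacement, which matters if the adapter writes those traces into host memory. Separately, the new `"Removing driver\n"` message reuses id `0xb079`, which the `"Error while clearing DRV-Presence.\n"` message in the same function already uses; a distinct id keeps log triage unambiguous.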
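Review bot: In the qla2x00_do_dpc() hunk of the ISP-recovery patch, `test_and_clear_bit(ISP_ABORT_NEEDED, ...)` is evaluated before `!test_bit(UNLOADING, ...)`, so during unload the abort request is consumed and then dropped with nothing in the log. If dropping it is intended, a short comment saying so would help; if the request should survive, test `UNLOADING` first. The call is also split between the function name and its opening parenthesis, which reads like two statements; keeping them together, `if (test_and_clear_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&`, matches the line it replaces. The block this condition guards continues outside the hunk.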
diff --git a/queue-4.17/scsi-qla2xxx-fix-npiv-deletion-by-calling-wait_for_sess_deletion.patch b/queue-4.17/scsi-qla2xxx-fix-npiv-deletion-by-calling-wait_for_sess_deletion.patch
new file mode 100644
index 00000000000..d8f4c37fb43
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-npiv-deletion-by-calling-wait_for_sess_deletion.patch
@@ -0,0 +1,74 @@
+From efa93f48fa9d423fda166bc3b6c0cbb09682492e Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 18 Jul 2018 14:29:52 -0700
+Subject: scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion
+
+From: Quinn Tran
+
+commit efa93f48fa9d423fda166bc3b6c0cbb09682492e upstream.
+
+Add wait for session deletion to finish before freeing an NPIV scsi host.
+
+Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
+Cc:
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 1 +
+ drivers/scsi/qla2xxx/qla_gbl.h | 1 +
+ drivers/scsi/qla2xxx/qla_mid.c | 5 +++++
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2141,6 +2141,7 @@ qla24xx_vport_delete(struct fc_vport *fc
+ msleep(1000);
+
+ qla24xx_disable_vp(vha);
++ qla2x00_wait_for_sess_deletion(vha);
+
+ vha->flags.delete_progress = 1;
+
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -213,6 +213,7 @@ void qla2x00_handle_login_done_event(str
+ int qla24xx_post_gnl_work(struct scsi_qla_host *, fc_port_t *);
+ int qla24xx_async_abort_cmd(srb_t *);
+ int qla24xx_post_relogin_work(struct scsi_qla_host *vha);
++void qla2x00_wait_for_sess_deletion(scsi_qla_host_t *);
+
+ /*
+ * Global Functions in qla_mid.c source file.
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -153,10 +153,15 @@ qla24xx_disable_vp(scsi_qla_host_t *vha)
+ {
+ unsigned long flags;
+ int ret;
++ fc_port_t *fcport;
+
+ ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
+ atomic_set(&vha->loop_state, LOOP_DOWN);
+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
++ list_for_each_entry(fcport, &vha->vp_fcports, list)
++ fcport->logout_on_delete = 0;
++
++ qla2x00_mark_all_devices_lost(vha, 0);
+
+ /* Remove port id from vp target map */
+ spin_lock_irqsave(&vha->hw->hardware_lock, flags);
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1147,7 +1147,7 @@ static inline int test_fcport_count(scsi
+ * qla2x00_wait_for_sess_deletion can only be called from remove_one.
+ * it has dependency on UNLOADING flag to stop device discovery
+ */
+-static void
++void
+ qla2x00_wait_for_sess_deletion(scsi_qla_host_t *vha)
+ {
+ qla2x00_mark_all_devices_lost(vha, 0);
diff --git a/queue-4.17/scsi-qla2xxx-fix-unintialized-list-head-crash.patch b/queue-4.17/scsi-qla2xxx-fix-unintialized-list-head-crash.patch
new file mode 100644
index 00000000000..6a8df376cb2
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-unintialized-list-head-crash.patch
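Review bot: The qla_os.c hunk of the NPIV patch makes qla2x00_wait_for_sess_deletion() non-static so that qla24xx_vport_delete() can call it, but leaves the comment above it unchanged: it still says the function `can only be called from remove_one` and depends on the UNLOADING flag to stop device discovery. Either the comment is now stale or the new caller breaks a real precondition; these hunks do not show whether UNLOADING is set on the vport-delete path, and if discovery keeps creating sessions the wait may not finish as expected. Please update the comment to state the actual requirement, for instance `callers must have stopped device discovery for this vha before waiting`, once that has been confirmed for the vport case.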
@@ -0,0 +1,61 @@
+From e3dde080ebbdbb4bda8eee35d770714fee8c59ac Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 18 Jul 2018 14:29:51 -0700
+Subject: scsi: qla2xxx: Fix unintialized List head crash
+
+From: Quinn Tran
+
+commit e3dde080ebbdbb4bda8eee35d770714fee8c59ac upstream.
+
+In case of IOCB Queue full or system where memory is low and driver
+receives large number of RSCN storm, the stale sp pointer can stay on
+gpnid_list resulting in page_fault.
+
+This patch fixes this issue by initializing the sp->elem list head and
+removing sp->elem before memory is freed.
+
+Following stack trace is seen
+
+ 9 [ffff987b37d1bc60] page_fault at ffffffffad516768 [exception RIP: qla24xx_async_gpnid+496]
+10 [ffff987b37d1bd10] qla24xx_async_gpnid at ffffffffc039866d [qla2xxx]
+11 [ffff987b37d1bd80] qla2x00_do_work at ffffffffc036169c [qla2xxx]
+12 [ffff987b37d1be38] qla2x00_do_dpc_all_vps at ffffffffc03adfed [qla2xxx]
+13 [ffff987b37d1be78] qla2x00_do_dpc at ffffffffc036458a [qla2xxx]
+14 [ffff987b37d1bec8] kthread at ffffffffacebae31
+
+Fixes: 2d73ac6102d9 ("scsi: qla2xxx: Serialize GPNID for multiple RSCN")
+Cc: # v4.17+
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 4 ++++
+ drivers/scsi/qla2xxx/qla_inline.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3712,6 +3712,10 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+ return rval;
+
+ done_free_sp:
++ spin_lock_irqsave(&vha->hw->vport_slock, flags);
++ list_del(&sp->elem);
++ spin_unlock_irqrestore(&vha->hw->vport_slock, flags);
++
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt),
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -222,6 +222,8 @@ qla2xxx_get_qpair_sp(struct qla_qpair *q
+ sp->fcport = fcport;
+ sp->iocbs = 1;
+ sp->vha = qpair->vha;
++ INIT_LIST_HEAD(&sp->elem);
++
+ done:
+ if (!sp)
+ QLA_QPAIR_MARK_NOT_BUSY(qpair);
diff --git a/queue-4.17/scsi-qla2xxx-return-error-when-tmf-returns.patch b/queue-4.17/scsi-qla2xxx-return-error-when-tmf-returns.patch
new file mode 100644
index 00000000000..b9ddd625a41
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-return-error-when-tmf-returns.patch
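Review bot: The `list_del(&sp->elem)` added at `done_free_sp:` in qla24xx_async_gpnid() runs on every path that reaches the label, so it is only safe if `sp->elem` is always either linked or initialised by then. The patch adds `INIT_LIST_HEAD(&sp->elem)` to qla2xxx_get_qpair_sp(); whether the allocation used by qla24xx_async_gpnid() goes through that helper is not visible in the hunk and should be confirmed. Using `list_del_init(&sp->elem)` would additionally make a second removal harmless if some other path also unlinks the entry before the memory is freed. `flags` is assumed to be declared earlier in the function, outside the hunk.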
@@ -0,0 +1,40 @@
+From b4146c4929ef61d5afca011474d59d0918a0cd82 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy
+Date: Wed, 18 Jul 2018 14:29:55 -0700
+Subject: scsi: qla2xxx: Return error when TMF returns
+
+From: Anil Gurumurthy
+
+commit b4146c4929ef61d5afca011474d59d0918a0cd82 upstream.
+
+Propagate the task management completion status properly to avoid
+unnecessary waits for commands to complete.
+
+Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling")
+Cc:
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1518,11 +1518,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+
+ wait_for_completion(&tm_iocb->u.tmf.comp);
+
+- rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ?
+- QLA_SUCCESS : QLA_FUNCTION_FAILED;
++ rval = tm_iocb->u.tmf.data;
+
+- if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) {
+- ql_dbg(ql_dbg_taskm, vha, 0x8030,
++ if (rval != QLA_SUCCESS) {
++ ql_log(ql_log_warn, vha, 0x8030,
+ "TM IOCB failed (%x).\n", rval);
+ }
+
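Review bot: qla2x00_async_tm_cmd() now takes `rval` straight from `tm_iocb->u.tmf.data` and no longer looks at `tm_iocb->u.tmf.comp_status`, so the result is only correct if the completion handler stores a QLA_* status in `data` for every outcome; that handler is outside the hunk. The warning also prints only `rval`, which loses the completion status that would explain the failure. I would log both, e.g. `"TM IOCB failed (%x), comp_status %x.\n", rval, tm_iocb->u.tmf.comp_status`, and add a comment where `data` is assigned stating that it carries the function's return code.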