Support for the following changes in the Linux kernel v7.0:
- e3b2cf6e5dba ("kernfs: pass struct ns_common instead of
const void * for namespace tags")
This is the result of running the Linux kernel Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci against the SCST tree.
This patch doesn't change any functionality.
Add compatibility helpers for the kmalloc_obj() family so SCST can use
the typed allocation helpers on kernels that do not provide them yet.
A following patch will convert existing non-scalar allocations to use
these helpers.
This patch doesn't change any functionality.
In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.
qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.
Fixes: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of fcport")
Fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset")
Signed-off-by: Vladimir Riabchun <ferr.lambarginio@gmail.com>
Signed-off-by: Farhat Abbas <fabbas@cloudlinux.com>
Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit c0b7da13a04b upstream ]
Upstream workqueue changes introduce a new WQ_PERCPU flag and plan to
switch alloc_workqueue()'s default from per-CPU to unbound.
To keep SCST behaviour unchanged across kernels, explicitly request
WQ_PERCPU.
Issue occurred during a continuous reboot test of several thousand
iterations specific to a fabric topo with dual mode target where it
sends a PLOGI/PRLI and then sends a LOGO. The initiator was also in the
process of discovery and sent a PLOGI to the switch. It then queried a
list of ports logged in via mbx 75h and the GPDB response indicated that
the target was logged in. This caused a mismatch in the states between
the driver and FW. Requery the FW for the state and proceed with the
rest of the discovery process.
Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
Cc: stable@vger.kernel.org
Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251210101604.431868-11-njavali@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 42b2dab4340d upstream ]
System crash seen during load/unload test in a loop.
[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086
[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0
[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000
[105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000
[105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0
[105954.384928] PKRU: 55555554
[105954.384929] Call Trace:
[105954.384931] <IRQ>
[105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx]
[105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx]
[105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx]
[105954.384999] ? __wake_up_common+0x80/0x190
[105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx]
[105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx]
[105954.385040] ? __handle_irq_event_percpu+0x3d/0x190
[105954.385044] ? handle_irq_event+0x58/0xb0
[105954.385046] ? handle_edge_irq+0x93/0x240
[105954.385050] ? __common_interrupt+0x41/0xa0
[105954.385055] ? common_interrupt+0x3e/0xa0
[105954.385060] ? asm_common_interrupt+0x22/0x40
The root cause of this was that there was a free (dma_free_attrs) in the
interrupt context. There was a device discovery/fabric scan in
progress. A module unload was issued which set the UNLOADING flag. As
part of the discovery, after receiving an interrupt a work queue was
scheduled (which involved a work to be queued). Since the UNLOADING
flag is set, the work item was not allocated and the mapped memory had
to be freed. The free occurred in interrupt context leading to system
crash. Delay the driver unload until the fabric scan is complete to
avoid the crash.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/202512090414.07Waorz0-lkp@intel.com/
Fixes: 783e0dc4f66a ("qla2xxx: Check for device state before unloading the driver.")
Cc: stable@vger.kernel.org
Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251210101604.431868-8-njavali@marvell.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 8890bf450e0b upstream ]
In clang version 21.1 and later the -Wimplicit-enum-enum-cast warning
option has been introduced. This warning is enabled by default and can
be used to catch .queuecommand() implementations that return another
value than 0 or one of the SCSI_MLQUEUE_* constants. Hence this patch
that changes the return type of the .queuecommand() implementations from
'int' into 'enum scsi_qc_status'. No functionality has been changed.
When a LUN is replaced, scst_acg_repl_lun polls tgt_dev_cmd_count every
100ms waiting for in-flight commands on the old tgt_devs to drain before
freeing them. This is synchronous: the sysfs write to luns/mgmt blocks
until the drain completes.
If the old device becomes unreachable before the LUN replace (e.g. due to
a transport failure), in-flight commands may be stuck in error recovery for
up to the transport's recovery timeout, blocking the replace for that
entire window.
Add a bool module parameter async_lun_replace (default false). When
enabled, scst_acg_repl_lun schedules the tgt_dev drain and free on
system_wq and returns immediately. Falls back to synchronous behaviour
on allocation failure.
This is safe because __scst_acg_del_lun removes the old tgt_devs from
all session and device lookup paths before the work is scheduled. New
commands from the initiator use the new tgt_devs; only in-flight commands
still hold references via cmd->tgt_dev, and tgt_dev_cmd_count tracks
exactly those. synchronize_rcu ensures no RCU reader holds a stale
pointer before scst_free_tgt_dev is called.
SIGUSR1/SIGUSR2 set/clear logins_suspended. While set, any login
attempt is rejected with a retriable Target Error instead of the
permanent Initiator Error (TGT_NOT_FOUND) that causes initiators
to give up.
Simplify the Coverity build by always setting the BUILD_2X_MODULE,
CONFIG_SCSI_QLA_FC and CONFIG_SCSI_QLA2XXX_TARGET variables. Setting
these variables when not building a QLogic driver is safe because
these variables only have an impact when building the QLogic drivers.
See also commit 5c7fa24031 ("Makefile: Introduce the 'make cov-build'").
The current action branch fails with "No recipients defined" when
envelope_from is set in this workflow. The SMTP username already
provides the sender address, so envelope_from is unnecessary here.
pr_state is a common device attribute for save/restore of Persistent
Reservation state. pr_dump_dir is a dev_disk handler attribute that
triggers an automatic kernel-side PR state dump at unregistration time.
When pr_dump_dir is set to a directory path, each dev_disk device writes
its PR state to <dir>/<serial> on detach, using the same text format as
the pr_state sysfs attribute. The default is an empty string, which
disables the feature entirely.
This provides a race-free way to capture PR state at the point of device
teardown, after all in-flight commands have completed, for use cases that
need to preserve PR state across a device transition.
The dump must happen before scst_pr_clear_dev() wipes the in-memory
registrant list during device unregistration. To achieve this, a new
optional pre_unregister() callback is added to struct scst_dev_type,
called from both scst_unregister_device() and
scst_unregister_virtual_device() before scst_pr_clear_dev(). The disk
handler registers this callback (disk_pre_unregister) to perform the
dump at the correct moment.
The work is split across two phases to avoid filesystem I/O while
scst_mutex is held. disk_pre_unregister() (called under scst_mutex)
captures the PR state into a heap buffer and records the destination
path. disk_detach() (called after scst_mutex is released) writes the
buffer to the filesystem. To carry state between the two phases, dh_priv
is changed from a bare serial-number string to a struct disk_dh_priv
containing the serial plus the captured dump fields.
Add a read/write pr_state attribute to scst_device that serializes the
current persistent reservation state (generation, reservation type/scope,
and all registrants with their transport IDs) to a text format, and
restores it from the same format.
This provides a stable interface for saving and restoring PR state across
device transitions where the in-memory state would otherwise be lost.
Calling scst_unregister_session(wait=1) from qlt_free_session_done
blocks the qla2xxx_wq worker until session teardown completes, but
teardown requires the TM thread to process SCST_UNREG_SESS_TM while
the TM thread is blocked on scst_mutex held by concurrent session
teardown in the global management thread. Under load this stall
exceeds the hung-task timeout. Switch to wait=0 and wait on
fcport->unreg_done instead, matching the pattern in iscsi-scst.
In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size
reported by firmware is used to calculate the copy length into
item->iocb. However, the iocb member is defined as a fixed-size 64-byte
array within struct purex_item.
If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will
overflow the iocb member boundary. While extra memory might be allocated,
this cross-member write is unsafe and triggers warnings under
CONFIG_FORTIFY_SOURCE.
Fix this by capping total_bytes to the size of the iocb member (64 bytes)
before allocation and copying. This ensures all copies remain within the
bounds of the destination structure member.
Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 19bc5f2a6962 upstream ]
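The length cap described in the commit message above, as an added user-space example (not the driver's code or the upstream patch). struct demo_item, copy_frame(), the guard member and the 24-byte chunk size are hypothetical; only the 64-byte iocb size comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IOCB_SIZE 64 /* size of the iocb member given in the commit message */
#define CHUNK 24     /* assumed bytes copied per step, to model several memcpy calls */

/* Hypothetical stand-in for struct purex_item: a fixed-size member plus a neighbour. */
struct demo_item {
	uint16_t size;            /* bytes actually stored in iocb */
	uint8_t iocb[IOCB_SIZE];
	uint32_t guard;           /* member that a cross-member write would corrupt */
};

/* Copy a frame of device-reported length into item->iocb in several steps. */
static struct demo_item *copy_frame(const uint8_t *src, size_t src_len,
				    uint16_t frame_size)
{
	size_t total = frame_size;  /* untrusted: reported by the device */
	struct demo_item *item;

	if (total > sizeof(item->iocb)) /* cap before allocating and copying */
		total = sizeof(item->iocb);
	if (total > src_len)            /* do not read past the source either */
		total = src_len;
	item = calloc(1, sizeof(*item));
	if (!item)
		return NULL;
	item->guard = 0xA5A5A5A5u;
	for (size_t done = 0; done < total; ) {
		size_t chunk = total - done;
		if (chunk > CHUNK)
			chunk = CHUNK;
		memcpy(item->iocb + done, src + done, chunk); /* stays inside iocb */
		done += chunk;
	}
	item->size = (uint16_t)total;
	return item;
}

int main(void)
{
	uint8_t ring[256];          /* constructed sample input */
	memset(ring, 0x11, sizeof(ring));
	struct demo_item *it = copy_frame(ring, sizeof(ring), 200); /* oversized */
	int ok = it && it->size == IOCB_SIZE && it->guard == 0xA5A5A5A5u;
	free(it);
	return ok ? 0 : 1;
}
```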
A dynamic remove/add storage adapter test hits EEH on PowerPC:
EEH: [c00000000004f77c] __eeh_send_failure_event+0x7c/0x160
EEH: [c000000000048464] eeh_dev_check_failure.part.0+0x254/0x660
EEH: [c000000000934e0c] __pci_read_msi_msg+0x1ac/0x280
EEH: [c000000000100f68] pseries_msi_compose_msg+0x28/0x40
EEH: [c00000000020e1cc] irq_chip_compose_msi_msg+0x5c/0x90
EEH: [c000000000214b1c] msi_domain_set_affinity+0xbc/0x100
EEH: [c000000000206be4] irq_do_set_affinity+0x214/0x2c0
EEH: [c000000000206e04] irq_set_affinity_locked+0x174/0x230
EEH: [c000000000207044] irq_set_affinity+0x64/0xa0
EEH: [c000000000212890] write_irq_affinity.constprop.0.isra.0+0x130/0x150
EEH: [c00000000068868c] proc_reg_write+0xfc/0x160
EEH: [c0000000005adb48] vfs_write+0xf8/0x4e0
EEH: [c0000000005ae234] ksys_write+0x84/0x140
EEH: [c00000000002e994] system_call_exception+0x164/0x310
EEH: [c00000000000bfe8] system_call_vectored_common+0xe8/0x278
The irqbalance daemon kicks in before invoking qla2xxx->slot_reset
during the EEH recovery process.
irqbalance daemon
->irq_set_affinity()
->msi_domain_set_affinity()
->irq_chip_set_affiinity_parent()
->xive_irq_set_affinity()
->pseries_msi_compose_ms()
->__pci_read_msi_msg()
->irq_chip_compose_msi_msg()
In __pci_read_msi_msg(), the first MSI-X vector is set to all F by the
irqbalance daemon. pci_write_msg_msix: index=0, lo=ffffffff hi=fffffff
IRQ balancing is not required during adapter reset.
Enable "IRQ_NO_BALANCING" bit before starting adapter reset and disable
it calling pci_restore_state(). The irqbalance daemon is disabled for
this short period of time (~2s).
Co-developed-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Wen Xiong <wenxiong@linux.ibm.com>
Link: https://patch.msgid.link/20251028142427.3969819-3-wenxiong@linux.ibm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit eaea513077cd upstream ]
Use 'bytes' (the return value from af_alg_final) instead of 'res'
(which is 0 after the last successful af_alg_update call) when
copying the digest.
This bug caused the memcpy to copy 0 bytes, resulting in an
uninitialized digest buffer. It also triggered a GCC
-Werror=stringop-overflow warning because 'res' could theoretically
be negative, leading to a huge unsigned size.
The symlink-based %files conditional was added when scstadmin supported
a procfs variant. Procfs support is legacy now, so drop the conditional
and always package the man pages.