Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling
and host reset handling") caused two problems:
1. Commands sent to FW, after chip reset got stuck and never freed as FW
is not going to respond to them anymore.
2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a
("scsi: qla2xxx: Fix missed DMA unmap for aborted commands")
attempted to fix this, but introduced another bug under different
circumstances when two different CPUs were racing to call
qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in
dma_unmap_sg_attrs().
So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and
partially revert "scsi: qla2xxx: target: Fix offline port handling and
host reset handling" at __qla2x00_abort_all_cmds.
Fixes: aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling")
Fixes: 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands")
Co-developed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/0e7e5d26-e7a0-42d1-8235-40eeb27f3e98@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit d46c69a087aa upstream ]
Properly set the nport_handle field of the terminate exchange message.
Previously when this field was not set properly, the term exchange would
fail when cmd_sent_to_fw == 1 but work when cmd_sent_to_fw == 0 (i.e. it
would fail when the HW was actively transferring data or status for the
cmd but work when the HW was idle). With this change, term exchange
works in any cmd state, which now makes it possible to abort a command
that is locked up in the HW.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/1a221699-969b-4f28-8ea4-395d2f7a7c0a@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit ed382b95f5de upstream ]
When qla2xxx is loaded with qlini_mode=disabled,
ha->flags.disable_msix_handshake is used before it is set, resulting in
the wrong interrupt handler being used on certain HBAs
(qla2xxx_msix_rsp_q_hs() is used when qla2xxx_msix_rsp_q() should be
used). The only difference between these two interrupt handlers is that
the _hs() version writes to a register to clear the "RISC" interrupt,
whereas the other version does not. So this bug results in the RISC
interrupt being cleared when it should not be. This occasionally causes
a different interrupt handler qla24xx_msix_default() for a different
vector to see ((stat & HSRX_RISC_INT) == 0) and ignore its interrupt,
which then causes problems like:
qla2xxx [0000:02:00.0]-d04c:6: MBX Command timeout for cmd 20,
iocontrol=8 jiffies=1090c0300 mb[0-3]=[0x4000 0x0 0x40 0xda] mb7 0x500
host_status 0x40000010 hccr 0x3f00
qla2xxx [0000:02:00.0]-101e:6: Mailbox cmd timeout occurred, cmd=0x20,
mb[0]=0x20. Scheduling ISP abort
(the cmd varies; sometimes it is 0x20, 0x22, 0x54, 0x5a, 0x5d, or 0x6a)
This problem can be reproduced with a 16 or 32 Gbps HBA by loading
qla2xxx with qlini_mode=disabled and running a high IOPS test while
triggering frequent RSCN database change events.
While analyzing the problem I discovered that even with
disable_msix_handshake forced to 0, it is not necessary to clear the
RISC interrupt from qla2xxx_msix_rsp_q_hs() (more below). So just
completely remove qla2xxx_msix_rsp_q_hs() and the logic for selecting
it, which also fixes the bug with qlini_mode=disabled.
The test below describes the justification for not needing
qla2xxx_msix_rsp_q_hs():
Force disable_msix_handshake to 0:
qla24xx_config_rings():
if (0 && (ha->fw_attributes & BIT_6) && (IS_MSIX_NACK_CAPABLE(ha)) &&
(ha->flags.msix_enabled)) {
In qla24xx_msix_rsp_q() and qla2xxx_msix_rsp_q_hs(), check:
(rd_reg_dword(®->host_status) & HSRX_RISC_INT)
Count the number of calls to each function with HSRX_RISC_INT set and
the number with HSRX_RISC_INT not set while performing some I/O.
If qla2xxx_msix_rsp_q_hs() clears the RISC interrupt (original code):
qla24xx_msix_rsp_q: 50% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 5% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
If qla2xxx_msix_rsp_q_hs() does not clear the RISC interrupt (patched
code):
qla24xx_msix_rsp_q: 100% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 9% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
In the case of the original code, qla24xx_msix_rsp_q() was seeing
HSRX_RISC_INT set only 50% of the time because qla2xxx_msix_rsp_q_hs()
was clearing it when it shouldn't have been. In the patched code,
qla24xx_msix_rsp_q() sees HSRX_RISC_INT set 100% of the time, which
makes sense if that interrupt handler needs to clear the RISC interrupt
(which it does). qla2xxx_msix_rsp_q_hs() sees HSRX_RISC_INT only 9% of
the time, which is just overlap from the other interrupt during the
high IOPS test.
Tested with SCST on:
QLE2742 FW:v9.08.02 (32 Gbps 2-port)
QLE2694L FW:v9.10.11 (16 Gbps 4-port)
QLE2694L FW:v9.08.02 (16 Gbps 4-port)
QLE2672 FW:v8.07.12 (16 Gbps 2-port)
both initiator and target mode
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/56d378eb-14ad-49c7-bae9-c649b6c7691e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 4f6aaade2a22 upstream ]
When given the module parameter qlini_mode=exclusive, qla2xxx in
initiator mode is initially unable to successfully send SCSI commands to
devices it finds while scanning, resulting in an escalating series of
resets until an adapter reset clears the issue. Fix by checking the
active mode instead of the module parameter.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/1715ec14-ba9a-45dc-9cf2-d41aa6b81b5e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 8f58fc64d559 upstream ]
Change the error code EAGAIN to -EAGAIN in qla_nvme_xmt_ls_rsp() to
align with qla2x00_start_sp() returning negative error codes or
QLA_SUCCESS, preventing logical errors.
Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Message-ID: <20250905075446.381139-4-rongqianfeng@vivo.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 9877c004e9f4 upstream ]
Change the error code EAGAIN to -EAGAIN in START_SP_W_RETRIES() to align
with qla2x00_start_sp() returning negative error codes or QLA_SUCCESS,
preventing logical errors. Additionally, the '_rval' variable should
store negative error codes to conform to Linux kernel error code
conventions.
Fixes: 9803fb5d2759 ("scsi: qla2xxx: Fix task management cmd failure")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Message-ID: <20250905075446.381139-3-rongqianfeng@vivo.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 1f037e3acda7 upstream ]
Change the error code EAGAIN to -EAGAIN in qla24xx_sadb_update() and
qla_edif_process_els() to align with qla2x00_start_sp() returning
negative error codes or QLA_SUCCESS, preventing logical errors.
Fixes: 0b3f3143d473 ("scsi: qla2xxx: edif: Add retry for ELS passthrough")
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
Message-ID: <20250905075446.381139-2-rongqianfeng@vivo.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 066b8f3fa85c upstream ]
purex_item.iocb is defined as a 64-element u8 array, but 64 is the
minimum size and it can be allocated larger. This makes it a standard
empty flex array.
This was motivated by field-spanning write warnings during FPIN testing:
https://lore.kernel.org/linux-nvme/20250709211919.49100-1-bgurney@redhat.com/
> kernel: memcpy: detected field-spanning write (size 60) of single field
> "((uint8_t *)fpin_pkt + buffer_copy_offset)"
> at drivers/scsi/qla2xxx/qla_isr.c:1221 (size 44)
I removed the outer wrapper from the iocb flex array, so that it can be
linked to 'purex_item.size' with '__counted_by'.
These changes remove the default minimum 64-byte allocation, requiring
further changes.
In 'struct scsi_qla_host' the embedded 'default_item' is now followed
by '__default_item_iocb[QLA_DEFAULT_PAYLOAD_SIZE]' to reserve space
that will be used as 'default_item.iocb'. This is wrapped using the
'TRAILING_OVERLAP()' macro helper, which effectively creates a union
between flexible-array member 'default_item.iocb' and
'__default_item_iocb'.
Since 'struct pure_item' now contains a flexible-array member, the
helper must be placed at the end of 'struct scsi_qla_host' to prevent
a '-Wflex-array-member-not-at-end' warning.
'qla24xx_alloc_purex_item()' is adjusted to no longer expect the
default minimum size to be part of 'sizeof(struct purex_item)', the
entire flexible array size is added to the structure size for
allocation.
This also slightly changes the layout of the purex_item struct, as
2-bytes of padding are added between 'size' and 'iocb'. The resulting
size is the same, but iocb is shifted 2-bytes (the original 'purex_item'
structure was padded at the end, after the 64-byte defined array size).
I don't think this is a problem.
Tested-by: Bryan Gurney <bgurney@redhat.com>
Co-developed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20250813200744.17975-10-bgurney@redhat.com
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 6f4b10226b6b upstream ]
After a Fatal Error has been reported by a device and has been recovered
through a Secondary Bus Reset, AER updates the device's error_state to
pci_channel_io_normal before invoking its driver's ->resume() callback.
By contrast, EEH updates the error_state earlier, namely after resetting
the device and before invoking its driver's ->slot_reset() callback.
Commit c58dc575f3c8 ("powerpc/pseries: Set error_state to
pci_channel_io_normal in eeh_report_reset()") explains in great detail
that the earlier invocation is necessitated by various drivers checking
accessibility of the device with pci_channel_offline() and avoiding
accesses if it returns true. It returns true for any other error_state
than pci_channel_io_normal.
The device should be accessible already after reset, hence the reasoning
is that it's safe to update the error_state immediately afterwards.
This deviation between AER and EEH seems problematic because drivers
behave differently depending on which error recovery mechanism the
platform uses. Three drivers have gone so far as to update the
error_state themselves, presumably to work around AER's behavior.
For consistency, amend AER to update the error_state at the same recovery
steps as EEH. Drop the now unnecessary workaround from the three drivers.
Keep updating the error_state before ->resume() in case ->error_detected()
or ->mmio_enabled() return PCI_ERS_RESULT_RECOVERED, which causes
->slot_reset() to be skipped. There are drivers doing this even for Fatal
Errors, e.g. mhi_pci_error_detected().
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/4517af6359ffb9d66152b827a5d2833459144e3f.1755008151.git.lukas@wunner.de
[commit 45bc82563d55 upstream]
* This fixes an issue where the resulting scst-dkms deb package was empty and could not be installed.
* By moving the .install file creation to the install target we ensure:
- The .install file is generated after the version is set
- Paths match the actual DKMS source location
- File contents aren't overwritten by later operations
Fix Perl precedence warnings:
Possible precedence problem between ! and numeric gt (>) at SCST.pm line 980.
Possible precedence problem between ! and numeric gt (>) at SCST.pm line 1223.
Possible precedence problem between ! and numeric gt (>) at SCST.pm line 3847.
Support for the following block layer and memory management changes in
the Linux kernel v6.18:
- d86eaa0f3c56 ("block: remove the bi_inline_vecs variable sized array
from struct bio")
- 84efbefa26df ("mm: remove nth_page()")
Add systemd service file when packaging for Debian. Current
systemd will automatically generate one, but this functionality
will be removed in a future version of systemd.
Fix indentation of config option's help text by adding leading spaces.
Generally help text is indented by couple of spaces more beyond the leading
tab <\t> character. It helps Kconfig parsers to read file without error.
The calculation of the upper limit for queues does not depend solely on
the number of online CPUs; for example, the isolcpus kernel
command-line option must also be considered.
To account for this, the block layer provides a helper function to
retrieve the maximum number of queues. Use it to set an appropriate
upper queue number limit.
The qla2x00_dfs_tgt_port_database_show() function constructs a fake
fc_port_t object on the stack, which--depending on the configuration--is
large enough to exceed the stack size warning limit:
drivers/scsi/qla2xxx/qla_dfs.c:176:1: error: stack frame size (1392) exceeds limit (1280) in 'qla2x00_dfs_tgt_port_database_show' [-Werror,-Wframe-larger-than]
Rework this function to no longer need the structure but instead call a
custom helper function that just prints the data directly from the
port_database_24xx structure.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20250620173232.864179-1-arnd@kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ commit 6243146bb019 upstream ]
Show the kernel compilation output whenever the run reached the
compilation stage (both pass/fail cases) and add a readable prefix
with the actual filename. Also refactor to use variables for version,
workdir, and output; quote expansions; and switch to titled GitHub
Actions annotations. Drop `-k` and rely on explicit cleanup.
Partial evaluation can yield guards like "+#if 0 && ...". These are false
but bypassed the filter that only matched exact "+#if 0"/"+#elif 0".
Tighten the regex to match the original spacing and catch both forms.
This is the minimal change addressing the bug observed in logs such as:
(c) +#if 0 && !(1 && defined(FC_PORTSPEED_256GBIT)) ...
(g2) ... output = 1 <-- wrong
After this change such guards are dropped correctly (output = 0).
Fix mismatch where generate-kernel-patch keyed paths by full_kver
(with ‘^’) but in-tree patches were written under krel
(before ‘^’). Derive krel=${full_kver/^*} and use it for qla2xxx path
resolution.
This value is available in initiator mode via
/sys/class/scsi_host/hostN/sg_tablesize; make it available in target
mode as well. Userspace code may use it when making decisions about
buffer sizes.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
If dev->generic_parse() detects a math overflow and calls
scst_set_cmd_error(), and scst_user is using SCST_USER_PARSE_EXCEPTION,
then it will trigger a sBUG() in scst_targ.c::scst_parse_cmd() where it
checks for a valid cmd->state:
scst: scst_parse_cmd:1385:***CRITICAL ERROR***: Bad state for completed cmd
(cmd 000000005abc21e1, state 1)
BUG at /usr/src/debug/scst/3.10+git/scst/src/scst_targ.c:1387
Fix by treating negative generic_parse() errors as final.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
SCST_GET_CDB_LEN() returns 0 for vendor-specific opcodes such as:
0xD1 READ DYN RUNTIME ATT
0xD2 WRITE DYN RUNTIME ATTR
0xE7 INIT ELEMENT STATUS WRANGE
This causes scst_set_cmd_from_cdb_info() to check cdb[-1] for the
control byte, causing an out-of-bounds array read.
- Move the parsing of the control byte after get_cdb_info() since that
may set the CDB length to a known value.
- If the CDB length is still unknown, then assume the control byte is
0 without accessing the CDB.
- Check for variable-length CDBs in scst_set_cmd_from_cdb_info() rather
than using the wrong control byte and then overriding it in
get_cdb_info_var_len(). This is necessary because the override would
no longer work after the change above.
Also, the following code doesn't work:
#define CONTROL_BYTE_NACA_BIT 0x04
unsigned int cmd_naca:1;
cmd_naca = (control & CONTROL_BYTE_NACA_BIT);
The result will always be 0. Use this instead:
cmd_naca = !!(control & CONTROL_BYTE_NACA_BIT);
(cmd_linked happened to work because CONTROL_BYTE_LINK_BIT is 0x01, but
apply the same fix there also for consistency).
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
-fstack-protector-strong is controlled by the in-tree
CONFIG_STACKPROTECTOR_STRONG config option. If the flag is set without
the config option, scst fails to build:
ERROR: modpost: "__stack_chk_fail" [scst/src/scst.ko] undefined!
-fstack-clash-protection is disabled in the kernel's Makefile due to an
incompatibility with randomize_kstack_offset.
Fixes: 86d3d4bb1d ("kbuild: Enable additional compiler warnings")
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
