31e6cdbe0e
The timeout handler and the done function are racing. When qla2x00_async_iocb_timeout() starts to run it can be preempted by the normal response path (via the firmware?). qla24xx_async_gpsc_sp_done() releases the SRB unconditionally. When scheduling back to qla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed sp->qpair pointer: qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21. qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21 qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400. qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx] Obvious solution to this is to introduce a reference counter. One reference is taken for the normal code path (the 'good' case) and one for the timeout path. As we always race between the normal good case and the timeout/abort handler we need to serialize it. Also we cannot assume any order between the handlers. Since this is slow path we can use proper synchronization via locks. When we are able to cancel a timer (del_timer returns 1) we know there can't be any error handling in progress because the timeout handler hasn't expired yet, thus we can safely decrement the refcounter by one. If we are not able to cancel the timer, we know an abort handler is running. We have to make sure we call sp->done() in the abort handlers before calling kref_put(). Link: https://lore.kernel.org/r/20220110050218.3958-3-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Co-developed-by: Daniel Wagner <dwagner@suse.de> Signed-off-by: Daniel Wagner <dwagner@suse.de> Signed-off-by: Saurav Kashyap <skashyap@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
499 lines
11 KiB
C
499 lines
11 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* QLogic Fibre Channel HBA Driver
|
|
* Copyright (c) 2003-2014 QLogic Corporation
|
|
*/
|
|
|
|
#include "qla_target.h"
|
|
/**
|
|
* qla24xx_calc_iocbs() - Determine number of Command Type 3 and
|
|
* Continuation Type 1 IOCBs to allocate.
|
|
*
|
|
* @vha: HA context
|
|
* @dsds: number of data segment descriptors needed
|
|
*
|
|
* Returns the number of IOCB entries needed to store @dsds.
|
|
*/
|
|
static inline uint16_t
|
|
qla24xx_calc_iocbs(scsi_qla_host_t *vha, uint16_t dsds)
|
|
{
|
|
uint16_t iocbs;
|
|
|
|
iocbs = 1;
|
|
if (dsds > 1) {
|
|
iocbs += (dsds - 1) / 5;
|
|
if ((dsds - 1) % 5)
|
|
iocbs++;
|
|
}
|
|
return iocbs;
|
|
}
|
|
|
|
/*
|
|
* qla2x00_debounce_register
|
|
* Debounce register.
|
|
*
|
|
* Input:
|
|
* port = register address.
|
|
*
|
|
* Returns:
|
|
* register value.
|
|
*/
|
|
static __inline__ uint16_t
|
|
qla2x00_debounce_register(volatile __le16 __iomem *addr)
|
|
{
|
|
volatile uint16_t first;
|
|
volatile uint16_t second;
|
|
|
|
do {
|
|
first = rd_reg_word(addr);
|
|
barrier();
|
|
cpu_relax();
|
|
second = rd_reg_word(addr);
|
|
} while (first != second);
|
|
|
|
return (first);
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_poll(struct rsp_que *rsp)
|
|
{
|
|
struct qla_hw_data *ha = rsp->hw;
|
|
|
|
if (IS_P3P_TYPE(ha))
|
|
qla82xx_poll(0, rsp);
|
|
else
|
|
ha->isp_ops->intr_handler(0, rsp);
|
|
}
|
|
|
|
static inline uint8_t *
|
|
host_to_fcp_swap(uint8_t *fcp, uint32_t bsize)
|
|
{
|
|
uint32_t *ifcp = (uint32_t *) fcp;
|
|
uint32_t *ofcp = (uint32_t *) fcp;
|
|
uint32_t iter = bsize >> 2;
|
|
|
|
for (; iter ; iter--)
|
|
*ofcp++ = swab32(*ifcp++);
|
|
|
|
return fcp;
|
|
}
|
|
|
|
static inline void
|
|
host_to_adap(uint8_t *src, uint8_t *dst, uint32_t bsize)
|
|
{
|
|
uint32_t *isrc = (uint32_t *) src;
|
|
__le32 *odest = (__le32 *) dst;
|
|
uint32_t iter = bsize >> 2;
|
|
|
|
for ( ; iter--; isrc++)
|
|
*odest++ = cpu_to_le32(*isrc);
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_clean_dsd_pool(struct qla_hw_data *ha, struct crc_context *ctx)
|
|
{
|
|
struct dsd_dma *dsd, *tdsd;
|
|
|
|
/* clean up allocated prev pool */
|
|
list_for_each_entry_safe(dsd, tdsd, &ctx->dsd_list, list) {
|
|
dma_pool_free(ha->dl_dma_pool, dsd->dsd_addr,
|
|
dsd->dsd_list_dma);
|
|
list_del(&dsd->list);
|
|
kfree(dsd);
|
|
}
|
|
INIT_LIST_HEAD(&ctx->dsd_list);
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_set_fcport_disc_state(fc_port_t *fcport, int state)
|
|
{
|
|
int old_val;
|
|
uint8_t shiftbits, mask;
|
|
|
|
/* This will have to change when the max no. of states > 16 */
|
|
shiftbits = 4;
|
|
mask = (1 << shiftbits) - 1;
|
|
|
|
fcport->disc_state = state;
|
|
while (1) {
|
|
old_val = atomic_read(&fcport->shadow_disc_state);
|
|
if (old_val == atomic_cmpxchg(&fcport->shadow_disc_state,
|
|
old_val, (old_val << shiftbits) | state)) {
|
|
ql_dbg(ql_dbg_disc, fcport->vha, 0x2134,
|
|
"FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n",
|
|
fcport->port_name, port_dstate_str[old_val & mask],
|
|
port_dstate_str[state], fcport->d_id.b24);
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
static inline int
|
|
qla2x00_hba_err_chk_enabled(srb_t *sp)
|
|
{
|
|
/*
|
|
* Uncomment when corresponding SCSI changes are done.
|
|
*
|
|
if (!sp->cmd->prot_chk)
|
|
return 0;
|
|
*
|
|
*/
|
|
switch (scsi_get_prot_op(GET_CMD_SP(sp))) {
|
|
case SCSI_PROT_READ_STRIP:
|
|
case SCSI_PROT_WRITE_INSERT:
|
|
if (ql2xenablehba_err_chk >= 1)
|
|
return 1;
|
|
break;
|
|
case SCSI_PROT_READ_PASS:
|
|
case SCSI_PROT_WRITE_PASS:
|
|
if (ql2xenablehba_err_chk >= 2)
|
|
return 1;
|
|
break;
|
|
case SCSI_PROT_READ_INSERT:
|
|
case SCSI_PROT_WRITE_STRIP:
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
qla2x00_reset_active(scsi_qla_host_t *vha)
|
|
{
|
|
scsi_qla_host_t *base_vha = pci_get_drvdata(vha->hw->pdev);
|
|
|
|
/* Test appropriate base-vha and vha flags. */
|
|
return test_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags) ||
|
|
test_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags) ||
|
|
test_bit(ISP_ABORT_RETRY, &base_vha->dpc_flags) ||
|
|
test_bit(ISP_ABORT_NEEDED, &vha->dpc_flags) ||
|
|
test_bit(ABORT_ISP_ACTIVE, &vha->dpc_flags);
|
|
}
|
|
|
|
static inline int
|
|
qla2x00_chip_is_down(scsi_qla_host_t *vha)
|
|
{
|
|
return (qla2x00_reset_active(vha) || !vha->hw->flags.fw_started);
|
|
}
|
|
|
|
static void qla2xxx_init_sp(srb_t *sp, scsi_qla_host_t *vha,
|
|
struct qla_qpair *qpair, fc_port_t *fcport)
|
|
{
|
|
memset(sp, 0, sizeof(*sp));
|
|
sp->fcport = fcport;
|
|
sp->iocbs = 1;
|
|
sp->vha = vha;
|
|
sp->qpair = qpair;
|
|
sp->cmd_type = TYPE_SRB;
|
|
/* ref : INIT - normal flow */
|
|
kref_init(&sp->cmd_kref);
|
|
INIT_LIST_HEAD(&sp->elem);
|
|
}
|
|
|
|
static inline srb_t *
|
|
qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair,
|
|
fc_port_t *fcport, gfp_t flag)
|
|
{
|
|
srb_t *sp = NULL;
|
|
uint8_t bail;
|
|
|
|
QLA_QPAIR_MARK_BUSY(qpair, bail);
|
|
if (unlikely(bail))
|
|
return NULL;
|
|
|
|
sp = mempool_alloc(qpair->srb_mempool, flag);
|
|
if (sp)
|
|
qla2xxx_init_sp(sp, vha, qpair, fcport);
|
|
else
|
|
QLA_QPAIR_MARK_NOT_BUSY(qpair);
|
|
return sp;
|
|
}
|
|
|
|
void qla2xxx_rel_done_warning(srb_t *sp, int res);
|
|
void qla2xxx_rel_free_warning(srb_t *sp);
|
|
|
|
static inline void
|
|
qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp)
|
|
{
|
|
sp->qpair = NULL;
|
|
sp->done = qla2xxx_rel_done_warning;
|
|
sp->free = qla2xxx_rel_free_warning;
|
|
mempool_free(sp, qpair->srb_mempool);
|
|
QLA_QPAIR_MARK_NOT_BUSY(qpair);
|
|
}
|
|
|
|
static inline srb_t *
|
|
qla2x00_get_sp(scsi_qla_host_t *vha, fc_port_t *fcport, gfp_t flag)
|
|
{
|
|
srb_t *sp = NULL;
|
|
uint8_t bail;
|
|
struct qla_qpair *qpair;
|
|
|
|
QLA_VHA_MARK_BUSY(vha, bail);
|
|
if (unlikely(bail))
|
|
return NULL;
|
|
|
|
qpair = vha->hw->base_qpair;
|
|
sp = qla2xxx_get_qpair_sp(vha, qpair, fcport, flag);
|
|
if (!sp)
|
|
goto done;
|
|
|
|
sp->vha = vha;
|
|
done:
|
|
if (!sp)
|
|
QLA_VHA_MARK_NOT_BUSY(vha);
|
|
return sp;
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_rel_sp(srb_t *sp)
|
|
{
|
|
QLA_VHA_MARK_NOT_BUSY(sp->vha);
|
|
qla2xxx_rel_qpair_sp(sp->qpair, sp);
|
|
}
|
|
|
|
static inline int
|
|
qla2x00_gid_list_size(struct qla_hw_data *ha)
|
|
{
|
|
if (IS_QLAFX00(ha))
|
|
return sizeof(uint32_t) * 32;
|
|
else
|
|
return sizeof(struct gid_list_info) * ha->max_fibre_devices;
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_handle_mbx_completion(struct qla_hw_data *ha, int status)
|
|
{
|
|
if (test_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags) &&
|
|
(status & MBX_INTERRUPT) && ha->flags.mbox_int) {
|
|
set_bit(MBX_INTERRUPT, &ha->mbx_cmd_flags);
|
|
clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
|
|
complete(&ha->mbx_intr_comp);
|
|
}
|
|
}
|
|
|
|
static inline void
|
|
qla2x00_set_retry_delay_timestamp(fc_port_t *fcport, uint16_t sts_qual)
|
|
{
|
|
u8 scope;
|
|
u16 qual;
|
|
#define SQ_SCOPE_MASK 0xc000 /* SAM-6 rev5 5.3.2 */
|
|
#define SQ_SCOPE_SHIFT 14
|
|
#define SQ_QUAL_MASK 0x3fff
|
|
|
|
#define SQ_MAX_WAIT_SEC 60 /* Max I/O hold off time in seconds. */
|
|
#define SQ_MAX_WAIT_TIME (SQ_MAX_WAIT_SEC * 10) /* in 100ms. */
|
|
|
|
if (!sts_qual) /* Common case. */
|
|
return;
|
|
|
|
scope = (sts_qual & SQ_SCOPE_MASK) >> SQ_SCOPE_SHIFT;
|
|
/* Handle only scope 1 or 2, which is for I-T nexus. */
|
|
if (scope != 1 && scope != 2)
|
|
return;
|
|
|
|
/* Skip processing, if retry delay timer is already in effect. */
|
|
if (fcport->retry_delay_timestamp &&
|
|
time_before(jiffies, fcport->retry_delay_timestamp))
|
|
return;
|
|
|
|
qual = sts_qual & SQ_QUAL_MASK;
|
|
if (qual < 1 || qual > 0x3fef)
|
|
return;
|
|
qual = min(qual, (u16)SQ_MAX_WAIT_TIME);
|
|
|
|
/* qual is expressed in 100ms increments. */
|
|
fcport->retry_delay_timestamp = jiffies + (qual * HZ / 10);
|
|
|
|
ql_log(ql_log_warn, fcport->vha, 0x5101,
|
|
"%8phC: I/O throttling requested (status qualifier = %04xh), holding off I/Os for %ums.\n",
|
|
fcport->port_name, sts_qual, qual * 100);
|
|
}
|
|
|
|
static inline bool
|
|
qla_is_exch_offld_enabled(struct scsi_qla_host *vha)
|
|
{
|
|
if (qla_ini_mode_enabled(vha) &&
|
|
(vha->ql2xiniexchg > FW_DEF_EXCHANGES_CNT))
|
|
return true;
|
|
else if (qla_tgt_mode_enabled(vha) &&
|
|
(vha->ql2xexchoffld > FW_DEF_EXCHANGES_CNT))
|
|
return true;
|
|
else if (qla_dual_mode_enabled(vha) &&
|
|
((vha->ql2xiniexchg + vha->ql2xexchoffld) > FW_DEF_EXCHANGES_CNT))
|
|
return true;
|
|
else
|
|
return false;
|
|
}
|
|
|
|
static inline void
|
|
qla_cpu_update(struct qla_qpair *qpair, uint16_t cpuid)
|
|
{
|
|
qpair->cpuid = cpuid;
|
|
|
|
if (!list_empty(&qpair->hints_list)) {
|
|
struct qla_qpair_hint *h;
|
|
|
|
list_for_each_entry(h, &qpair->hints_list, hint_elem)
|
|
h->cpuid = qpair->cpuid;
|
|
}
|
|
}
|
|
|
|
static inline struct qla_qpair_hint *
|
|
qla_qpair_to_hint(struct qla_tgt *tgt, struct qla_qpair *qpair)
|
|
{
|
|
struct qla_qpair_hint *h;
|
|
u16 i;
|
|
|
|
for (i = 0; i < tgt->ha->max_qpairs + 1; i++) {
|
|
h = &tgt->qphints[i];
|
|
if (h->qpair == qpair)
|
|
return h;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static inline void
|
|
qla_83xx_start_iocbs(struct qla_qpair *qpair)
|
|
{
|
|
struct req_que *req = qpair->req;
|
|
|
|
req->ring_index++;
|
|
if (req->ring_index == req->length) {
|
|
req->ring_index = 0;
|
|
req->ring_ptr = req->ring;
|
|
} else
|
|
req->ring_ptr++;
|
|
|
|
wrt_reg_dword(req->req_q_in, req->ring_index);
|
|
}
|
|
|
|
static inline int
|
|
qla2xxx_get_fc4_priority(struct scsi_qla_host *vha)
|
|
{
|
|
uint32_t data;
|
|
|
|
data =
|
|
((uint8_t *)vha->hw->nvram)[NVRAM_DUAL_FCP_NVME_FLAG_OFFSET];
|
|
|
|
|
|
return (data >> 6) & BIT_0 ? FC4_PRIORITY_FCP : FC4_PRIORITY_NVME;
|
|
}
|
|
|
|
enum {
|
|
RESOURCE_NONE,
|
|
RESOURCE_INI,
|
|
};
|
|
|
|
static inline int
|
|
qla_get_iocbs(struct qla_qpair *qp, struct iocb_resource *iores)
|
|
{
|
|
u16 iocbs_used, i;
|
|
struct qla_hw_data *ha = qp->vha->hw;
|
|
|
|
if (!ql2xenforce_iocb_limit) {
|
|
iores->res_type = RESOURCE_NONE;
|
|
return 0;
|
|
}
|
|
|
|
if ((iores->iocb_cnt + qp->fwres.iocbs_used) < qp->fwres.iocbs_qp_limit) {
|
|
qp->fwres.iocbs_used += iores->iocb_cnt;
|
|
return 0;
|
|
} else {
|
|
/* no need to acquire qpair lock. It's just rough calculation */
|
|
iocbs_used = ha->base_qpair->fwres.iocbs_used;
|
|
for (i = 0; i < ha->max_qpairs; i++) {
|
|
if (ha->queue_pair_map[i])
|
|
iocbs_used += ha->queue_pair_map[i]->fwres.iocbs_used;
|
|
}
|
|
|
|
if ((iores->iocb_cnt + iocbs_used) < qp->fwres.iocbs_limit) {
|
|
qp->fwres.iocbs_used += iores->iocb_cnt;
|
|
return 0;
|
|
} else {
|
|
iores->res_type = RESOURCE_NONE;
|
|
return -ENOSPC;
|
|
}
|
|
}
|
|
}
|
|
|
|
static inline void
|
|
qla_put_iocbs(struct qla_qpair *qp, struct iocb_resource *iores)
|
|
{
|
|
switch (iores->res_type) {
|
|
case RESOURCE_NONE:
|
|
break;
|
|
default:
|
|
if (qp->fwres.iocbs_used >= iores->iocb_cnt) {
|
|
qp->fwres.iocbs_used -= iores->iocb_cnt;
|
|
} else {
|
|
// should not happen
|
|
qp->fwres.iocbs_used = 0;
|
|
}
|
|
break;
|
|
}
|
|
iores->res_type = RESOURCE_NONE;
|
|
}
|
|
|
|
#define ISP_REG_DISCONNECT 0xffffffffU
|
|
/**************************************************************************
|
|
* qla2x00_isp_reg_stat
|
|
*
|
|
* Description:
|
|
* Read the host status register of ISP before aborting the command.
|
|
*
|
|
* Input:
|
|
* ha = pointer to host adapter structure.
|
|
*
|
|
*
|
|
* Returns:
|
|
* Either true or false.
|
|
*
|
|
* Note: Return true if there is register disconnect.
|
|
**************************************************************************/
|
|
static inline
|
|
uint32_t qla2x00_isp_reg_stat(struct qla_hw_data *ha)
|
|
{
|
|
struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
|
|
struct device_reg_82xx __iomem *reg82 = &ha->iobase->isp82;
|
|
|
|
if (IS_P3P_TYPE(ha))
|
|
return ((rd_reg_dword(®82->host_int)) == ISP_REG_DISCONNECT);
|
|
else
|
|
return ((rd_reg_dword(®->host_status)) ==
|
|
ISP_REG_DISCONNECT);
|
|
}
|
|
|
|
static inline
|
|
bool qla_pci_disconnected(struct scsi_qla_host *vha,
|
|
struct device_reg_24xx __iomem *reg)
|
|
{
|
|
uint32_t stat;
|
|
bool ret = false;
|
|
|
|
stat = rd_reg_dword(®->host_status);
|
|
if (stat == 0xffffffff) {
|
|
ql_log(ql_log_info, vha, 0x8041,
|
|
"detected PCI disconnect.\n");
|
|
qla_schedule_eeh_work(vha);
|
|
ret = true;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static inline bool
|
|
fcport_is_smaller(fc_port_t *fcport)
|
|
{
|
|
if (wwn_to_u64(fcport->port_name) <
|
|
wwn_to_u64(fcport->vha->port_name))
|
|
return true;
|
|
else
|
|
return false;
|
|
}
|
|
|
|
static inline bool
|
|
fcport_is_bigger(fc_port_t *fcport)
|
|
{
|
|
return !fcport_is_smaller(fcport);
|
|
}
|