<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/scsi/ipr.c, branch v4.2</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipr: Fix invalid array indexing for HRRQ</title>
<updated>2015-07-30T17:38:47+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-07-14T16:41:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3f1c0581310d5d94bd72740231507e763a6252a4'/>
<id>3f1c0581310d5d94bd72740231507e763a6252a4</id>
<content type='text'>
Fixes another signed / unsigned array indexing bug in the ipr driver.
Currently, when hrrq_index wraps, it becomes a negative number. We
do the modulo, but still have a negative number, so we end up indexing
backwards in the array. Given where the hrrq array is located in memory,
we probably won't actually reference memory we don't own, but nonetheless
ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as
struct ipr_hrr_queue data, so bad things could certainly happen.

Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new
adapters.  Let's take an example:

Assume ioa_cfg-&gt;hrrq_index=0x7fffffffe and ioa_cfg-&gt;hrrq_num=4:

The atomic_add_return will then return -1. We mod this with 3 and get -2, add
one and get -1 for an array index.

On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter
initialization and error interrupts so that we can optimize the other queues
for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the
I/O requests across those HRRQs.

With the default module parameter settings, this bug won't hit, only when
someone sets the ipr.number_of_msix parameter to a value larger than 3 is when
bad things start to happen.

Cc: &lt;stable@vger.kernel.org&gt;
Tested-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes another signed / unsigned array indexing bug in the ipr driver.
Currently, when hrrq_index wraps, it becomes a negative number. We
do the modulo, but still have a negative number, so we end up indexing
backwards in the array. Given where the hrrq array is located in memory,
we probably won't actually reference memory we don't own, but nonetheless
ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as
struct ipr_hrr_queue data, so bad things could certainly happen.

Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new
adapters.  Let's take an example:

Assume ioa_cfg-&gt;hrrq_index=0x7fffffffe and ioa_cfg-&gt;hrrq_num=4:

The atomic_add_return will then return -1. We mod this with 3 and get -2, add
one and get -1 for an array index.

On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter
initialization and error interrupts so that we can optimize the other queues
for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the
I/O requests across those HRRQs.

With the default module parameter settings, this bug won't hit, only when
someone sets the ipr.number_of_msix parameter to a value larger than 3 is when
bad things start to happen.

Cc: &lt;stable@vger.kernel.org&gt;
Tested-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Fix incorrect trace indexing</title>
<updated>2015-07-30T17:38:00+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-07-14T16:41:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bb7c54339e6a10ecce5c4961adf5e75b3cf0af30'/>
<id>bb7c54339e6a10ecce5c4961adf5e75b3cf0af30</id>
<content type='text'>
When ipr's internal driver trace was changed to an atomic, a signed/unsigned
bug slipped in which results in us indexing backwards in our memory buffer
writing on memory that does not belong to us. This patch fixes this by removing
the modulo and instead just masking off the low bits.

Cc: &lt;stable@vger.kernel.org&gt;
Tested-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When ipr's internal driver trace was changed to an atomic, a signed/unsigned
bug slipped in which results in us indexing backwards in our memory buffer
writing on memory that does not belong to us. This patch fixes this by removing
the modulo and instead just masking off the low bits.

Cc: &lt;stable@vger.kernel.org&gt;
Tested-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Fix locking for unit attention handling</title>
<updated>2015-07-30T17:36:21+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-07-14T16:41:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=36b8e180e1e929e00b351c3b72aab3147fc14116'/>
<id>36b8e180e1e929e00b351c3b72aab3147fc14116</id>
<content type='text'>
Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes
a crash seen as the __devices list in the scsi host was changing as we were
iterating through it.

Cc: &lt;stable@vger.kernel.org&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes
a crash seen as the __devices list in the scsi host was changing as we were
iterating through it.

Cc: &lt;stable@vger.kernel.org&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi</title>
<updated>2015-04-16T23:02:04+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2015-04-16T23:02:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7d69cff26ceadce8638cb65191285932a3de3d4c'/>
<id>7d69cff26ceadce8638cb65191285932a3de3d4c</id>
<content type='text'>
Pull SCSI updates from James Bottomley:
 "This is the usual grab bag of driver updates (lpfc, qla2xxx, storvsc,
  aacraid, ipr) plus an assortment of minor updates.  There's also a
  major update to aic1542 which moves the driver into this millennium"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (106 commits)
  change SCSI Maintainer email
  sd, mmc, virtio_blk, string_helpers: fix block size units
  ufs: add support to allow non standard behaviours (quirks)
  ufs-qcom: save controller revision info in internal structure
  qla2xxx: Update driver version to 8.07.00.18-k
  qla2xxx: Restore physical port WWPN only, when port down detected for FA-WWPN port.
  qla2xxx: Fix virtual port configuration, when switch port is disabled/enabled.
  qla2xxx: Prevent multiple firmware dump collection for ISP27XX.
  qla2xxx: Disable Interrupt handshake for ISP27XX.
  qla2xxx: Add debugging info for MBX timeout.
  qla2xxx: Add serdes read/write support for ISP27XX
  qla2xxx: Add udev notification to save fw dump for ISP27XX
  qla2xxx: Add message for sucessful FW dump collected for ISP27XX.
  qla2xxx: Add support to load firmware from file for ISP 26XX/27XX.
  qla2xxx: Fix beacon blink for ISP27XX.
  qla2xxx: Increase the wait time for firmware to be ready for P3P.
  qla2xxx: Fix crash due to wrong casting of reg for ISP27XX.
  qla2xxx: Fix warnings reported by static checker.
  lpfc: Update version to 10.5.0.0 for upstream patch set
  lpfc: Update copyright to 2015
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull SCSI updates from James Bottomley:
 "This is the usual grab bag of driver updates (lpfc, qla2xxx, storvsc,
  aacraid, ipr) plus an assortment of minor updates.  There's also a
  major update to aic1542 which moves the driver into this millennium"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (106 commits)
  change SCSI Maintainer email
  sd, mmc, virtio_blk, string_helpers: fix block size units
  ufs: add support to allow non standard behaviours (quirks)
  ufs-qcom: save controller revision info in internal structure
  qla2xxx: Update driver version to 8.07.00.18-k
  qla2xxx: Restore physical port WWPN only, when port down detected for FA-WWPN port.
  qla2xxx: Fix virtual port configuration, when switch port is disabled/enabled.
  qla2xxx: Prevent multiple firmware dump collection for ISP27XX.
  qla2xxx: Disable Interrupt handshake for ISP27XX.
  qla2xxx: Add debugging info for MBX timeout.
  qla2xxx: Add serdes read/write support for ISP27XX
  qla2xxx: Add udev notification to save fw dump for ISP27XX
  qla2xxx: Add message for sucessful FW dump collected for ISP27XX.
  qla2xxx: Add support to load firmware from file for ISP 26XX/27XX.
  qla2xxx: Fix beacon blink for ISP27XX.
  qla2xxx: Increase the wait time for firmware to be ready for P3P.
  qla2xxx: Fix crash due to wrong casting of reg for ISP27XX.
  qla2xxx: Fix warnings reported by static checker.
  lpfc: Update version to 10.5.0.0 for upstream patch set
  lpfc: Update copyright to 2015
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: AF DASD raw mode implementation in ipr driver</title>
<updated>2015-04-09T21:17:57+00:00</updated>
<author>
<name>Wen Xiong</name>
<email>wenxiong@linux.vnet.ibm.com</email>
</author>
<published>2015-03-26T16:23:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f8ee25d7d2395212ba614ba08c12d1255f612f0e'/>
<id>f8ee25d7d2395212ba614ba08c12d1255f612f0e</id>
<content type='text'>
This patch implements raw mode support for AF DASD in ipr driver
which allows for tools to send commands directly to physical
devices which are members of RAID arrays when enabled in the firmware.

[jejb: fix up whitespace]
Signed-off-by: Wen Xiong&lt;wenxiong@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch implements raw mode support for AF DASD in ipr driver
which allows for tools to send commands directly to physical
devices which are members of RAID arrays when enabled in the firmware.

[jejb: fix up whitespace]
Signed-off-by: Wen Xiong&lt;wenxiong@linux.vnet.ibm.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Re-enable write same</title>
<updated>2015-04-09T21:14:53+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-03-26T16:23:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea30c1deb6c6ccbceb29b6a3d48e1f601aefddf1'/>
<id>ea30c1deb6c6ccbceb29b6a3d48e1f601aefddf1</id>
<content type='text'>
Re-enable write same support for ipr RAID adapters.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Re-enable write same support for ipr RAID adapters.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Fix possible error path oops during initialization</title>
<updated>2015-04-09T20:44:22+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-03-26T16:23:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a65e8f128eca1efafeb16039650ae36b25cfd0dc'/>
<id>a65e8f128eca1efafeb16039650ae36b25cfd0dc</id>
<content type='text'>
Fixes a possible oops during adapter initialization in some
memory allocation failure error path scenarios.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes a possible oops during adapter initialization in some
memory allocation failure error path scenarios.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Reset in task context</title>
<updated>2015-04-09T20:43:14+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-03-26T16:23:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2796ca5e51737ed0be8ebb6cf73fd56af05da0a7'/>
<id>2796ca5e51737ed0be8ebb6cf73fd56af05da0a7</id>
<content type='text'>
The pci_set_pcie_reset_state has changed semantics to not be callable
from interrupt context, so change ipr's usage of the API to comply with
this change by ensuring this occurs from a workqueue.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pci_set_pcie_reset_state has changed semantics to not be callable
from interrupt context, so change ipr's usage of the API to comply with
this change by ensuring this occurs from a workqueue.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipr: Reboot speed improvements</title>
<updated>2015-04-09T20:42:07+00:00</updated>
<author>
<name>Brian King</name>
<email>brking@linux.vnet.ibm.com</email>
</author>
<published>2015-03-26T16:23:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4fdd7c7aabbec3aa9e5dc41c129bc9f6aed7e615'/>
<id>4fdd7c7aabbec3aa9e5dc41c129bc9f6aed7e615</id>
<content type='text'>
Currently when performing a reboot with an ipr adapter,
the adapter gets shut down completely, flushing all write
cache, as well as performing a full hardware reset of the card
during the shutdown phase of the old kernel. This ensures
the adapter is in a fully quiesced state across the reboot.

There are scenarios, however, such as when performing
kexec, where this full adapter shutdown is not required
and not desired, since it can make the reboot process take
noticeably longer.

This patch adds a module parameter to allow for skipping the
full shutdown during reboot. Rather than performing a full
adapter shutdown and reset, we simply cancel any outstanding
error buffers, place the adapter into a state where it has no
memory of any DMA addresses from the old kernel, then disable
the device. This significantly speeds up kexec boot, particularly
in configurations with multiple ipr adapters.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently when performing a reboot with an ipr adapter,
the adapter gets shut down completely, flushing all write
cache, as well as performing a full hardware reset of the card
during the shutdown phase of the old kernel. This ensures
the adapter is in a fully quiesced state across the reboot.

There are scenarios, however, such as when performing
kexec, where this full adapter shutdown is not required
and not desired, since it can make the reboot process take
noticeably longer.

This patch adds a module parameter to allow for skipping the
full shutdown during reboot. Rather than performing a full
adapter shutdown and reset, we simply cancel any outstanding
error buffers, place the adapter into a state where it has no
memory of any DMA addresses from the old kernel, then disable
the device. This significantly speeds up kexec boot, particularly
in configurations with multiple ipr adapters.

Signed-off-by: Brian King &lt;brking@linux.vnet.ibm.com&gt;
Reviewed-by: Wen Xiong &lt;wenxiong@linux.vnet.ibm.com&gt;
Reviewed-by: Daniel Kreling &lt;kreling@linux.vnet.ibm.com&gt;
Signed-off-by: James Bottomley &lt;JBottomley@Odin.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ata: Add a new flag to destinguish sas controller</title>
<updated>2015-03-19T18:14:43+00:00</updated>
<author>
<name>Shaohua Li</name>
<email>shli@fb.com</email>
</author>
<published>2015-03-12T17:32:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5067c0469c643512f24786990e315f9c15cc7d24'/>
<id>5067c0469c643512f24786990e315f9c15cc7d24</id>
<content type='text'>
SAS controller has its own tag allocation, which doesn't directly match the ATA
tag, so SAS and SATA have different code paths for ATA tags. Originally we used
port-&gt;scsi_host (98bd4be1) to distinguish SAS controllers, but libsas sets
-&gt;scsi_host too, so we can't use it to distinguish them; we add a new flag for
this purpose.

Without this patch, the following oops can happen because scsi-mq uses
a host-wide tag map shared among all devices with some integer tag
values &gt;= ATA_MAX_QUEUE.  These unexpectedly high tag values cause
__ata_qc_from_tag() to return NULL, which is then dereferenced in
ata_qc_new_init().

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
  IP: [&lt;ffffffff804fd46e&gt;] ata_qc_new_init+0x3e/0x120
  PGD 32adf0067 PUD 32adf1067 PMD 0
  Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
  Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi igb
  i2c_algo_bit ptp pps_core pm80xx libsas scsi_transport_sas sg coretemp
  eeprom w83795 i2c_i801
  CPU: 4 PID: 1450 Comm: cydiskbench Not tainted 4.0.0-rc3 #1
  Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b       05/04/12
  task: ffff8800ba86d500 ti: ffff88032a064000 task.ti: ffff88032a064000
  RIP: 0010:[&lt;ffffffff804fd46e&gt;]  [&lt;ffffffff804fd46e&gt;] ata_qc_new_init+0x3e/0x120
  RSP: 0018:ffff88032a067858  EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffff8800ba0d2230 RCX: 000000000000002a
  RDX: ffffffff80505ae0 RSI: 0000000000000020 RDI: ffff8800ba0d2230
  RBP: ffff88032a067868 R08: 0000000000000201 R09: 0000000000000001
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800ba0d0000
  R13: ffff8800ba0d2230 R14: ffffffff80505ae0 R15: ffff8800ba0d0000
  FS:  0000000041223950(0063) GS:ffff88033e480000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000058 CR3: 000000032a0a3000 CR4: 00000000000006e0
  Stack:
   ffff880329eee758 ffff880329eee758 ffff88032a0678a8 ffffffff80502dad
   ffff8800ba167978 ffff880329eee758 ffff88032bf9c520 ffff8800ba167978
   ffff88032bf9c520 ffff88032bf9a290 ffff88032a0678b8 ffffffff80506909
  Call Trace:
   [&lt;ffffffff80502dad&gt;] ata_scsi_translate+0x3d/0x1b0
   [&lt;ffffffff80506909&gt;] ata_sas_queuecmd+0x149/0x2a0
   [&lt;ffffffffa0046650&gt;] sas_queuecommand+0xa0/0x1f0 [libsas]
   [&lt;ffffffff804ea544&gt;] scsi_dispatch_cmd+0xd4/0x1a0
   [&lt;ffffffff804eb50f&gt;] scsi_queue_rq+0x66f/0x7f0
   [&lt;ffffffff803e5098&gt;] __blk_mq_run_hw_queue+0x208/0x3f0
   [&lt;ffffffff803e54b8&gt;] blk_mq_run_hw_queue+0x88/0xc0
   [&lt;ffffffff803e5c74&gt;] blk_mq_insert_request+0xc4/0x130
   [&lt;ffffffff803e0b63&gt;] blk_execute_rq_nowait+0x73/0x160
   [&lt;ffffffffa0023fca&gt;] sg_common_write+0x3da/0x720 [sg]
   [&lt;ffffffffa0025100&gt;] sg_new_write+0x250/0x360 [sg]
   [&lt;ffffffffa0025feb&gt;] sg_write+0x13b/0x450 [sg]
   [&lt;ffffffff8032ec91&gt;] vfs_write+0xd1/0x1b0
   [&lt;ffffffff8032ee54&gt;] SyS_write+0x54/0xc0
   [&lt;ffffffff80689932&gt;] system_call_fastpath+0x12/0x17

tj: updated description.

Fixes: 12cb5ce101ab ("libata: use blk taging")
Reported-and-tested-by: Tony Battersby &lt;tonyb@cybernetics.com&gt;
Signed-off-by: Shaohua Li &lt;shli@fb.com&gt;
Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SAS controller has its own tag allocation, which doesn't directly match the ATA
tag, so SAS and SATA have different code paths for ATA tags. Originally we used
port-&gt;scsi_host (98bd4be1) to distinguish SAS controllers, but libsas sets
-&gt;scsi_host too, so we can't use it to distinguish them; we add a new flag for
this purpose.

Without this patch, the following oops can happen because scsi-mq uses
a host-wide tag map shared among all devices with some integer tag
values &gt;= ATA_MAX_QUEUE.  These unexpectedly high tag values cause
__ata_qc_from_tag() to return NULL, which is then dereferenced in
ata_qc_new_init().

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
  IP: [&lt;ffffffff804fd46e&gt;] ata_qc_new_init+0x3e/0x120
  PGD 32adf0067 PUD 32adf1067 PMD 0
  Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
  Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi igb
  i2c_algo_bit ptp pps_core pm80xx libsas scsi_transport_sas sg coretemp
  eeprom w83795 i2c_i801
  CPU: 4 PID: 1450 Comm: cydiskbench Not tainted 4.0.0-rc3 #1
  Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b       05/04/12
  task: ffff8800ba86d500 ti: ffff88032a064000 task.ti: ffff88032a064000
  RIP: 0010:[&lt;ffffffff804fd46e&gt;]  [&lt;ffffffff804fd46e&gt;] ata_qc_new_init+0x3e/0x120
  RSP: 0018:ffff88032a067858  EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffff8800ba0d2230 RCX: 000000000000002a
  RDX: ffffffff80505ae0 RSI: 0000000000000020 RDI: ffff8800ba0d2230
  RBP: ffff88032a067868 R08: 0000000000000201 R09: 0000000000000001
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800ba0d0000
  R13: ffff8800ba0d2230 R14: ffffffff80505ae0 R15: ffff8800ba0d0000
  FS:  0000000041223950(0063) GS:ffff88033e480000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000058 CR3: 000000032a0a3000 CR4: 00000000000006e0
  Stack:
   ffff880329eee758 ffff880329eee758 ffff88032a0678a8 ffffffff80502dad
   ffff8800ba167978 ffff880329eee758 ffff88032bf9c520 ffff8800ba167978
   ffff88032bf9c520 ffff88032bf9a290 ffff88032a0678b8 ffffffff80506909
  Call Trace:
   [&lt;ffffffff80502dad&gt;] ata_scsi_translate+0x3d/0x1b0
   [&lt;ffffffff80506909&gt;] ata_sas_queuecmd+0x149/0x2a0
   [&lt;ffffffffa0046650&gt;] sas_queuecommand+0xa0/0x1f0 [libsas]
   [&lt;ffffffff804ea544&gt;] scsi_dispatch_cmd+0xd4/0x1a0
   [&lt;ffffffff804eb50f&gt;] scsi_queue_rq+0x66f/0x7f0
   [&lt;ffffffff803e5098&gt;] __blk_mq_run_hw_queue+0x208/0x3f0
   [&lt;ffffffff803e54b8&gt;] blk_mq_run_hw_queue+0x88/0xc0
   [&lt;ffffffff803e5c74&gt;] blk_mq_insert_request+0xc4/0x130
   [&lt;ffffffff803e0b63&gt;] blk_execute_rq_nowait+0x73/0x160
   [&lt;ffffffffa0023fca&gt;] sg_common_write+0x3da/0x720 [sg]
   [&lt;ffffffffa0025100&gt;] sg_new_write+0x250/0x360 [sg]
   [&lt;ffffffffa0025feb&gt;] sg_write+0x13b/0x450 [sg]
   [&lt;ffffffff8032ec91&gt;] vfs_write+0xd1/0x1b0
   [&lt;ffffffff8032ee54&gt;] SyS_write+0x54/0xc0
   [&lt;ffffffff80689932&gt;] system_call_fastpath+0x12/0x17

tj: updated description.

Fixes: 12cb5ce101ab ("libata: use blk taging")
Reported-and-tested-by: Tony Battersby &lt;tonyb@cybernetics.com&gt;
Signed-off-by: Shaohua Li &lt;shli@fb.com&gt;
Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
