From 6541932ea2f7de0b0c5203decf666b143ad5fa33 Mon Sep 17 00:00:00 2001
From: Khalid Aziz <khalid.aziz@oracle.com>
Date: Wed, 25 Sep 2013 11:45:11 -0600
Subject: [PATCH 1/3] [SCSI] BusLogic: Fix an oops when intializing multimaster
 adapter

This fixes an oops caused by buslogic driver when initializing a BusLogic
MultiMaster adapter. Initialization code used scope of a variable
incorrectly which created a NULL pointer. Oops message is below:

BUG: unable to handle kernel NULL pointer dereference at 0000000c
IP: [<c150c137>] blogic_init_mm_probeinfo.isra.17+0x20a/0x583
*pde = 00000000
Oops: 002 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.11.1.puz1 #1
Hardware name:    /Canterwood, BIOS 6.00 PG 05/16/2003
task: f7050000 ti: f7054000 task.ti: f7054000
EIP: 0060:[<c150c137>] EFLAGS: 00010246 CPU:1
EIP is at blogic_init_mm_probeinfo.isra.17+0x20a/0x583
EAX: 00000013 EBX: 00000000 ECX: 00000000 EDX: f8001000
ESI: f71cb800 EDI: f7388000 EBP: 00007800 ESP: f7055c84
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 0000000c CR3: 0154f000 CR4: 000007d0
Stack:
 0000001c 00000000 c11a59f6 f7055c98 00008130 ffffffff ffffffff 00000000
 00000003 00000000 00000000 00000000 00000013 f8001000 00000001 000003d0
 00000000 00000000 00000000 c14e3f84 f78803c8 00000000 f738c000 000000e9
Call Trace:
 [<c11a59f6>] ? pci_get_subsys+0x33/0x38
 [<c150c4fb>] ? blogic_init_probeinfo_list+0x4b/0x19e
 [<c108d593>] ? __alloc_pages_nodemask+0xe3/0x623
 [<c108d593>] ? __alloc_pages_nodemask+0xe3/0x623
 [<c10fb99e>] ? sysfs_link_sibling+0x61/0x8d
 [<c10b0519>] ? kmem_cache_alloc+0x8b/0xb5
 [<c150cce5>] ? blogic_init+0xa1/0x10e8
 [<c10fc0a8>] ? sysfs_add_one+0x10/0x9d
 [<c10fc18a>] ? sysfs_addrm_finish+0x12/0x85
 [<c10fca37>] ? sysfs_do_create_link_sd+0x9d/0x1b4
 [<c117c272>] ? blk_register_queue+0x69/0xb3
 [<c10fcb68>] ? sysfs_create_link+0x1a/0x2c
 [<c1181a07>] ? add_disk+0x1a1/0x3c7
 [<c138737b>] ? klist_next+0x60/0xc3
 [<c122cc3a>] ? scsi_dh_detach+0x68/0x68
 [<c1213e36>] ? bus_for_each_dev+0x51/0x61
 [<c1000356>] ? do_one_initcall+0x22/0x12c
 [<c10f3688>] ? __proc_create+0x8c/0xba
 [<c150cc44>] ? blogic_setup+0x5f6/0x5f6
 [<c14e94aa>] ? repair_env_string+0xf/0x4d
 [<c14e949b>] ? do_early_param+0x71/0x71
 [<c103efaa>] ? parse_args+0x21f/0x33d
 [<c14e9a54>] ? kernel_init_freeable+0xdf/0x17d
 [<c14e949b>] ? do_early_param+0x71/0x71
 [<c1388b64>] ? kernel_init+0x8/0xc0
 [<c1392222>] ? ret_from_kernel_thread+0x6/0x28
 [<c1392227>] ? ret_from_kernel_thread+0x1b/0x28
 [<c1388b5c>] ? rest_init+0x6c/0x6c
Code: 89 44 24 10 0f b6 44 24 3d 89 44 24 0c c7 44 24 08 00 00 00 00 c7 44 24 04 38 62 46 c1 c7 04 24 02 00 00 00 e8 78 13 d2 ff 31 db <89> 6b 0c b0 20 89 ea ee
 c7 44 24 08 04 00 00 00 8d 44 24 4c 89
EIP: [<c150c137>] blogic_init_mm_probeinfo.isra.17+0x20a/0x583 SS:ESP 0068:f7055c84
CR2: 000000000000000c
---[ end trace 17f45f5196d40487 ]---
Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009

Signed-off-by: Khalid Aziz <khalid.aziz@oracle.com>
Cc: <stable@vger.kernel.org> # 3.11.x
Reported-by: Pierre Uszynski <pierre@rahul.net>
Tested-by: Pierre Uszynski <pierre@rahul.net>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
 drivers/scsi/BusLogic.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/BusLogic.c b/drivers/scsi/BusLogic.c
index feab3a5e50b5..757eb0716d45 100644
--- a/drivers/scsi/BusLogic.c
+++ b/drivers/scsi/BusLogic.c
@@ -696,7 +696,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter)
 	while ((pci_device = pci_get_device(PCI_VENDOR_ID_BUSLOGIC,
 					PCI_DEVICE_ID_BUSLOGIC_MULTIMASTER,
 					pci_device)) != NULL) {
-		struct blogic_adapter *adapter = adapter;
+		struct blogic_adapter *host_adapter = adapter;
 		struct blogic_adapter_info adapter_info;
 		enum blogic_isa_ioport mod_ioaddr_req;
 		unsigned char bus;
@@ -744,9 +744,9 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter)
 		   known and enabled, note that the particular Standard ISA I/O
 		   Address should not be probed.
 		 */
-		adapter->io_addr = io_addr;
-		blogic_intreset(adapter);
-		if (blogic_cmd(adapter, BLOGIC_INQ_PCI_INFO, NULL, 0,
+		host_adapter->io_addr = io_addr;
+		blogic_intreset(host_adapter);
+		if (blogic_cmd(host_adapter, BLOGIC_INQ_PCI_INFO, NULL, 0,
 				&adapter_info, sizeof(adapter_info)) ==
 				sizeof(adapter_info)) {
 			if (adapter_info.isa_port < 6)
@@ -762,7 +762,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter)
 		   I/O Address assigned at system initialization.
 		 */
 		mod_ioaddr_req = BLOGIC_IO_DISABLE;
-		blogic_cmd(adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req,
+		blogic_cmd(host_adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req,
 				sizeof(mod_ioaddr_req), NULL, 0);
 		/*
 		   For the first MultiMaster Host Adapter enumerated,
@@ -779,12 +779,12 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter)
 
 			fetch_localram.offset = BLOGIC_AUTOSCSI_BASE + 45;
 			fetch_localram.count = sizeof(autoscsi_byte45);
-			blogic_cmd(adapter, BLOGIC_FETCH_LOCALRAM,
+			blogic_cmd(host_adapter, BLOGIC_FETCH_LOCALRAM,
 					&fetch_localram, sizeof(fetch_localram),
 					&autoscsi_byte45,
 					sizeof(autoscsi_byte45));
-			blogic_cmd(adapter, BLOGIC_GET_BOARD_ID, NULL, 0, &id,
-					sizeof(id));
+			blogic_cmd(host_adapter, BLOGIC_GET_BOARD_ID, NULL, 0,
+					&id, sizeof(id));
 			if (id.fw_ver_digit1 == '5')
 				force_scan_order =
 					autoscsi_byte45.force_scan_order;

From 36008cf118235cee49b6753455f33b6f2c3a7543 Mon Sep 17 00:00:00 2001
From: Chad Dupuis <chad.dupuis@qlogic.com>
Date: Thu, 3 Oct 2013 03:21:13 -0400
Subject: [PATCH 2/3] [SCSI] qla2xxx: Fix request queue null dereference.

If an invalid IOCB is returned on the response queue then the index into the
request queue map could be invalid and could return to us a bogus value. This
could cause us to try to deference an invalid pointer and cause an exception.

If we encounter this condition, simply return as no context can be established
for this response.

Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
 drivers/scsi/qla2xxx/qla_dbg.c | 2 +-
 drivers/scsi/qla2xxx/qla_isr.c | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
index 2ef497ebadc0..ee5c1833eb73 100644
--- a/drivers/scsi/qla2xxx/qla_dbg.c
+++ b/drivers/scsi/qla2xxx/qla_dbg.c
@@ -20,7 +20,7 @@
  * | Device Discovery             |       0x2095       | 0x2020-0x2022, |
  * |                              |                    | 0x2011-0x2012, |
  * |                              |                    | 0x2016         |
- * | Queue Command and IO tracing |       0x3058       | 0x3006-0x300b  |
+ * | Queue Command and IO tracing |       0x3059       | 0x3006-0x300b  |
  * |                              |                    | 0x3027-0x3028  |
  * |                              |                    | 0x303d-0x3041  |
  * |                              |                    | 0x302d,0x3033  |
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index df1b30ba938c..ff9c86b1a0d8 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1957,6 +1957,15 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
 	que = MSW(sts->handle);
 	req = ha->req_q_map[que];
 
+	/* Check for invalid queue pointer */
+	if (req == NULL ||
+	    que >= find_first_zero_bit(ha->req_qid_map, ha->max_req_queues)) {
+		ql_dbg(ql_dbg_io, vha, 0x3059,
+		    "Invalid status handle (0x%x): Bad req pointer. req=%p, "
+		    "que=%u.\n", sts->handle, req, que);
+		return;
+	}
+
 	/* Validate handle. */
 	if (handle < req->num_outstanding_cmds)
 		sp = req->outstanding_cmds[handle];

From 10c580e4239df5c3344ca00322eca86ab2de880b Mon Sep 17 00:00:00 2001
From: Aaron Lu <aaron.lu@intel.com>
Date: Thu, 10 Oct 2013 13:22:36 +0800
Subject: [PATCH 3/3] [SCSI] sd: call blk_pm_runtime_init before add_disk

Sujit has found a race condition that would make q->nr_pending
unbalanced, it occurs as Sujit explained:

"
sd_probe_async() ->
	add_disk() ->
		disk_add_event() ->
			schedule(disk_events_workfn)
	sd_revalidate_disk()
	blk_pm_runtime_init()
return;

Let's say the disk_events_workfn() calls sd_check_events() which tries
to send test_unit_ready() and because of sd_revalidate_disk() trying to
send another commands the test_unit_ready() might be re-queued as the
tagged command queuing is disabled.

So the race condition is -

Thread 1 			  |		Thread 2
sd_revalidate_disk()		  |	sd_check_events()
...nr_pending = 0 as q->dev = NULL|	scsi_queue_insert()
blk_runtime_pm_init()		  | 	blk_pm_requeue_request() ->
				  |	nr_pending = -1 since
				  |	q->dev != NULL
"

The problem is, the test_unit_ready request doesn't get counted the
first time it is queued, so the later decrement of q->nr_pending in
blk_pm_requeue_request makes it unbalanced.

Fix this by calling blk_pm_runtime_init before add_disk so that all
requests initiated there will all be counted.

Signed-off-by: Aaron Lu <aaron.lu@intel.com>
Reported-and-tested-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
 drivers/scsi/sd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index e62d17d41d4e..5693f6d7eddb 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2854,6 +2854,7 @@ static void sd_probe_async(void *data, async_cookie_t cookie)
 		gd->events |= DISK_EVENT_MEDIA_CHANGE;
 	}
 
+	blk_pm_runtime_init(sdp->request_queue, dev);
 	add_disk(gd);
 	if (sdkp->capacity)
 		sd_dif_config_host(sdkp);
@@ -2862,7 +2863,6 @@ static void sd_probe_async(void *data, async_cookie_t cookie)
 
 	sd_printk(KERN_NOTICE, sdkp, "Attached SCSI %sdisk\n",
 		  sdp->removable ? "removable " : "");
-	blk_pm_runtime_init(sdp->request_queue, dev);
 	scsi_autopm_put_device(sdp);
 	put_device(&sdkp->dev);
 }