From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sreekanth Reddy, "Martin K . Petersen", Sasha Levin, MPT-FusionLinux.pdl@broadcom.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 62/98] scsi: mpt3sas: Fix kernel panic during expander reset
Date: Mon, 22 Apr 2019 15:41:29 -0400
Message-Id: <20190422194205.10404-62-sashal@kernel.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190422194205.10404-1-sashal@kernel.org>
References: <20190422194205.10404-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sreekanth Reddy

[ Upstream commit c2fe742ff6e77c5b4fe4ad273191ddf28fdea25e ]

During expander reset handling, the driver invokes kernel function scsi_host_find_tag() to obtain outstanding requests associated with the scsi host managed by the driver. Driver loops from tag value zero to hba queue depth to obtain the outstanding scmds. But when blk-mq is enabled, the block layer may return a stale entry for one or more requests. This may lead to kernel panic if the returned value is inaccessible or the memory pointed to by the returned value is reused.

Reference of upstream discussion:
https://patchwork.kernel.org/patch/10734933/

Instead of calling scsi_host_find_tag() API for each and every smid (smid is tag +1) from one to shost->can_queue, now driver will call this API (to obtain the outstanding scmd) only for those smids which are outstanding at the driver level. Driver will determine whether this smid is outstanding at driver level by looking into its corresponding MPI request frame; if its MPI request frame is empty, then it means that this smid is free and does not need to call scsi_host_find_tag() for it. By doing this, driver will invoke scsi_host_find_tag() for only those tags which are outstanding at the driver level.

Driver will check whether particular MPI request frame is empty or not by looking into the "DevHandle" field. If this field is zero then it means that this MPI request is empty. For active MPI request DevHandle must be non-zero. Also driver will memset the MPI request frame once the corresponding scmd is processed (i.e. just before calling scmd->done function).

Signed-off-by: Sreekanth Reddy
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin (Microsoft)

--- drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++++ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 12 ++++++++++++ 2 files changed, 18 insertions(+) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 0a6cb8f0680c..c39f88100f31 100644 
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -3281,12 +3281,18 @@ mpt3sas_base_free_smid(struct MPT3SAS_ADAPTER *ioc, u16 smid) if (smid < ioc->hi_priority_smid) { struct scsiio_tracker *st; + void *request; st = _get_st_from_smid(ioc, smid); if (!st) { _base_recovery_check(ioc); return; } + + /* Clear MPI request frame */ + request = mpt3sas_base_get_msg_frame(ioc, smid); + memset(request, 0, ioc->request_sz); + mpt3sas_base_clear_st(ioc, st); _base_recovery_check(ioc); return; diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c index 6be39dc27103..6173c211a5e5 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -1462,11 +1462,23 @@ mpt3sas_scsih_scsi_lookup_get(struct MPT3SAS_ADAPTER *ioc, u16 smid) { struct scsi_cmnd *scmd = NULL; struct scsiio_tracker *st; + Mpi25SCSIIORequest_t *mpi_request; if (smid > 0 && smid <= ioc->scsiio_depth - INTERNAL_SCSIIO_CMDS_COUNT) { u32 unique_tag = smid - 1; + mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); + + /* + * If SCSI IO request is outstanding at driver level then + * DevHandle filed must be non-zero. If DevHandle is zero + * then it means that this smid is free at driver level, + * so return NULL. + */ + if (!mpi_request->DevHandle) + return scmd; + scmd = scsi_host_find_tag(ioc->shost, unique_tag); if (scmd) { st = scsi_cmd_priv(scmd); -- 2.19.1
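
Review bot: In the mpt3sas_base_free_smid() hunk, the comment "/* Clear MPI request frame */" does not say why the frame is cleared, and the memset() wipes all ioc->request_sz bytes on every SCSI IO smid release even though the only reader of this state visible in the patch is the single DevHandle test in mpt3sas_scsih_scsi_lookup_get(). Please expand the comment to state that a zeroed frame is what marks the smid as free for the lookup path, so a later cleanup does not drop the memset as redundant, or clear only the field that is tested. The clear is also placed before mpt3sas_base_clear_st() with no lock or barrier visible in the hunk; the commit message should say what orders it against a lookup running at the same time.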
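
Review bot: The DevHandle test added at the top of the range check in mpt3sas_scsih_scsi_lookup_get() is only correct if every free frame reads as zero, and the patch establishes that only in mpt3sas_base_free_smid(). A frame for a smid that has never been issued, or one released on a path that does not go through that function, depends on state not shown in these lines, so please confirm the request pool is zeroed at allocation and record that assumption in the new comment. Two smaller points in the same block: the comment says "DevHandle filed" where "field" is meant, and "return scmd;" would read more clearly as "return NULL;" since scmd still holds its initial NULL at that point.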