diff options
| author | Hiral Shah <hishah@cisco.com> | 2014-11-10 15:54:36 -0500 |
|---|---|---|
| committer | Christoph Hellwig <hch@lst.de> | 2014-11-20 03:11:00 -0500 |
| commit | 41df7b02db82cf6c14f094757bac3830d10a827f (patch) | |
| tree | 4d32c8ce1aa9fe73dc269129a4a4c3b5626e90f0 | |
| parent | 0ee7b8714dca511a68826a300cc4966f2e83a6c3 (diff) | |
Fnic: Fnic Driver crashed with NULL pointer reference
When issuing I/O request, if the I/O completes before returning from
fnic_queuecommand(), we may be referencing scsi_cmnd structure that may
be freed by interrupt handler. Acquring IO lock would synchronize
fnic_queuecommand and interrupt handler.
- Increment fnic version from 1.6.0.15 to 1.6.0.16
Signed-off-by: Hiral Shah <hishah@cisco.com>
Signed-off-by: Sesidhar Baddela <sebaddel@cisco.com>
Signed-off-by: Anil Chintalapati <achintal@cisco.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
| -rw-r--r-- | drivers/scsi/fnic/fnic.h | 2 | ||||
| -rw-r--r-- | drivers/scsi/fnic/fnic_scsi.c | 21 |
2 files changed, 19 insertions, 4 deletions
diff --git a/drivers/scsi/fnic/fnic.h b/drivers/scsi/fnic/fnic.h index 977960b03c9f..3b73b96619e2 100644 --- a/drivers/scsi/fnic/fnic.h +++ b/drivers/scsi/fnic/fnic.h | |||
| @@ -39,7 +39,7 @@ | |||
| 39 | 39 | ||
| 40 | #define DRV_NAME "fnic" | 40 | #define DRV_NAME "fnic" |
| 41 | #define DRV_DESCRIPTION "Cisco FCoE HBA Driver" | 41 | #define DRV_DESCRIPTION "Cisco FCoE HBA Driver" |
| 42 | #define DRV_VERSION "1.6.0.15" | 42 | #define DRV_VERSION "1.6.0.16" |
| 43 | #define PFX DRV_NAME ": " | 43 | #define PFX DRV_NAME ": " |
| 44 | #define DFX DRV_NAME "%d: " | 44 | #define DFX DRV_NAME "%d: " |
| 45 | 45 | ||
diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c index 29d23a3c0686..2097de42a147 100644 --- a/drivers/scsi/fnic/fnic_scsi.c +++ b/drivers/scsi/fnic/fnic_scsi.c | |||
| @@ -421,9 +421,10 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_ | |||
| 421 | int ret; | 421 | int ret; |
| 422 | u64 cmd_trace; | 422 | u64 cmd_trace; |
| 423 | int sg_count = 0; | 423 | int sg_count = 0; |
| 424 | unsigned long flags; | 424 | unsigned long flags = 0; |
| 425 | unsigned long ptr; | 425 | unsigned long ptr; |
| 426 | struct fc_rport_priv *rdata; | 426 | struct fc_rport_priv *rdata; |
| 427 | spinlock_t *io_lock = NULL; | ||
| 427 | 428 | ||
| 428 | if (unlikely(fnic_chk_state_flags_locked(fnic, FNIC_FLAGS_IO_BLOCKED))) | 429 | if (unlikely(fnic_chk_state_flags_locked(fnic, FNIC_FLAGS_IO_BLOCKED))) |
| 429 | return SCSI_MLQUEUE_HOST_BUSY; | 430 | return SCSI_MLQUEUE_HOST_BUSY; |
| @@ -509,6 +510,13 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_ | |||
| 509 | } | 510 | } |
| 510 | } | 511 | } |
| 511 | 512 | ||
| 513 | /* | ||
| 514 | * Will acquire lock defore setting to IO initialized. | ||
| 515 | */ | ||
| 516 | |||
| 517 | io_lock = fnic_io_lock_hash(fnic, sc); | ||
| 518 | spin_lock_irqsave(io_lock, flags); | ||
| 519 | |||
| 512 | /* initialize rest of io_req */ | 520 | /* initialize rest of io_req */ |
| 513 | io_req->port_id = rport->port_id; | 521 | io_req->port_id = rport->port_id; |
| 514 | io_req->start_time = jiffies; | 522 | io_req->start_time = jiffies; |
| @@ -525,11 +533,9 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_ | |||
| 525 | * In case another thread cancelled the request, | 533 | * In case another thread cancelled the request, |
| 526 | * refetch the pointer under the lock. | 534 | * refetch the pointer under the lock. |
| 527 | */ | 535 | */ |
| 528 | spinlock_t *io_lock = fnic_io_lock_hash(fnic, sc); | ||
| 529 | FNIC_TRACE(fnic_queuecommand, sc->device->host->host_no, | 536 | FNIC_TRACE(fnic_queuecommand, sc->device->host->host_no, |
| 530 | sc->request->tag, sc, 0, 0, 0, | 537 | sc->request->tag, sc, 0, 0, 0, |
| 531 | (((u64)CMD_FLAGS(sc) << 32) | CMD_STATE(sc))); | 538 | (((u64)CMD_FLAGS(sc) << 32) | CMD_STATE(sc))); |
| 532 | spin_lock_irqsave(io_lock, flags); | ||
| 533 | io_req = (struct fnic_io_req *)CMD_SP(sc); | 539 | io_req = (struct fnic_io_req *)CMD_SP(sc); |
| 534 | CMD_SP(sc) = NULL; | 540 | CMD_SP(sc) = NULL; |
| 535 | CMD_STATE(sc) = FNIC_IOREQ_CMD_COMPLETE; | 541 | CMD_STATE(sc) = FNIC_IOREQ_CMD_COMPLETE; |
| @@ -538,6 +544,10 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_ | |||
| 538 | fnic_release_ioreq_buf(fnic, io_req, sc); | 544 | fnic_release_ioreq_buf(fnic, io_req, sc); |
| 539 | mempool_free(io_req, fnic->io_req_pool); | 545 | mempool_free(io_req, fnic->io_req_pool); |
| 540 | } | 546 | } |
| 547 | atomic_dec(&fnic->in_flight); | ||
| 548 | /* acquire host lock before returning to SCSI */ | ||
| 549 | spin_lock(lp->host->host_lock); | ||
| 550 | return ret; | ||
| 541 | } else { | 551 | } else { |
| 542 | atomic64_inc(&fnic_stats->io_stats.active_ios); | 552 | atomic64_inc(&fnic_stats->io_stats.active_ios); |
| 543 | atomic64_inc(&fnic_stats->io_stats.num_ios); | 553 | atomic64_inc(&fnic_stats->io_stats.num_ios); |
| @@ -559,6 +569,11 @@ out: | |||
| 559 | sc->request->tag, sc, io_req, | 569 | sc->request->tag, sc, io_req, |
| 560 | sg_count, cmd_trace, | 570 | sg_count, cmd_trace, |
| 561 | (((u64)CMD_FLAGS(sc) >> 32) | CMD_STATE(sc))); | 571 | (((u64)CMD_FLAGS(sc) >> 32) | CMD_STATE(sc))); |
| 572 | |||
| 573 | /* if only we issued IO, will we have the io lock */ | ||
| 574 | if (CMD_FLAGS(sc) & FNIC_IO_INITIALIZED) | ||
| 575 | spin_unlock_irqrestore(io_lock, flags); | ||
| 576 | |||
| 562 | atomic_dec(&fnic->in_flight); | 577 | atomic_dec(&fnic->in_flight); |
| 563 | /* acquire host lock before returning to SCSI */ | 578 | /* acquire host lock before returning to SCSI */ |
| 564 | spin_lock(lp->host->host_lock); | 579 | spin_lock(lp->host->host_lock); |