aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/scsi/megaraid/megaraid_mbox.c
diff options
context:
space:
mode:
authorJu, Seokmann <Seokmann.Ju@lsil.com>2006-04-27 05:33:06 -0400
committerJames Bottomley <jejb@mulgrave.il.steeleye.com>2006-04-27 15:08:53 -0400
commitc005fb4fb2d23ba29ad21dee5042b2f8451ca8ba (patch)
tree26cd8703ee65d01e611fb0990f502c56abc098b6 /drivers/scsi/megaraid/megaraid_mbox.c
parent509e5e5d206ff7ba08011b61a882d09369ec20c3 (diff)
[SCSI] megaraid_{mm,mbox}: fix a bug in reset handler
When abort failed, the driver gets reset handleer called. In the reset handler, driver calls 'scsi_done()' callback for same SCSI command packet (struct scsi_cmnd) multiple times if there are multiple SCSI command packet in the pend_list. More over, if there are entry in the pend_lsit with IOCTL packet associated, the driver returns it to wrong free_list so that, in turn, the driver could end up with 'NULL pointer dereference..' during I/O command building with incorrect resource. Also, the patch contains several minor/cosmetic changes besides this. Signed-off-by: Seokmann Ju <seokmann.ju@lsil.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Diffstat (limited to 'drivers/scsi/megaraid/megaraid_mbox.c')
-rw-r--r--drivers/scsi/megaraid/megaraid_mbox.c59
1 files changed, 41 insertions, 18 deletions
diff --git a/drivers/scsi/megaraid/megaraid_mbox.c b/drivers/scsi/megaraid/megaraid_mbox.c
index c11e5ce6865e..bec1424eda85 100644
--- a/drivers/scsi/megaraid/megaraid_mbox.c
+++ b/drivers/scsi/megaraid/megaraid_mbox.c
@@ -10,7 +10,7 @@
10 * 2 of the License, or (at your option) any later version. 10 * 2 of the License, or (at your option) any later version.
11 * 11 *
12 * FILE : megaraid_mbox.c 12 * FILE : megaraid_mbox.c
13 * Version : v2.20.4.7 (Nov 14 2005) 13 * Version : v2.20.4.8 (Apr 11 2006)
14 * 14 *
15 * Authors: 15 * Authors:
16 * Atul Mukker <Atul.Mukker@lsil.com> 16 * Atul Mukker <Atul.Mukker@lsil.com>
@@ -2278,6 +2278,7 @@ megaraid_mbox_dpc(unsigned long devp)
2278 unsigned long flags; 2278 unsigned long flags;
2279 uint8_t c; 2279 uint8_t c;
2280 int status; 2280 int status;
2281 uioc_t *kioc;
2281 2282
2282 2283
2283 if (!adapter) return; 2284 if (!adapter) return;
@@ -2320,6 +2321,9 @@ megaraid_mbox_dpc(unsigned long devp)
2320 // remove from local clist 2321 // remove from local clist
2321 list_del_init(&scb->list); 2322 list_del_init(&scb->list);
2322 2323
2324 kioc = (uioc_t *)scb->gp;
2325 kioc->status = 0;
2326
2323 megaraid_mbox_mm_done(adapter, scb); 2327 megaraid_mbox_mm_done(adapter, scb);
2324 2328
2325 continue; 2329 continue;
@@ -2636,6 +2640,7 @@ megaraid_reset_handler(struct scsi_cmnd *scp)
2636 int recovery_window; 2640 int recovery_window;
2637 int recovering; 2641 int recovering;
2638 int i; 2642 int i;
2643 uioc_t *kioc;
2639 2644
2640 adapter = SCP2ADAPTER(scp); 2645 adapter = SCP2ADAPTER(scp);
2641 raid_dev = ADAP2RAIDDEV(adapter); 2646 raid_dev = ADAP2RAIDDEV(adapter);
@@ -2655,32 +2660,51 @@ megaraid_reset_handler(struct scsi_cmnd *scp)
2655 // Also, reset all the commands currently owned by the driver 2660 // Also, reset all the commands currently owned by the driver
2656 spin_lock_irqsave(PENDING_LIST_LOCK(adapter), flags); 2661 spin_lock_irqsave(PENDING_LIST_LOCK(adapter), flags);
2657 list_for_each_entry_safe(scb, tmp, &adapter->pend_list, list) { 2662 list_for_each_entry_safe(scb, tmp, &adapter->pend_list, list) {
2658
2659 list_del_init(&scb->list); // from pending list 2663 list_del_init(&scb->list); // from pending list
2660 2664
2661 con_log(CL_ANN, (KERN_WARNING 2665 if (scb->sno >= MBOX_MAX_SCSI_CMDS) {
2662 "megaraid: %ld:%d[%d:%d], reset from pending list\n", 2666 con_log(CL_ANN, (KERN_WARNING
2663 scp->serial_number, scb->sno, 2667 "megaraid: IOCTL packet with %d[%d:%d] being reset\n",
2664 scb->dev_channel, scb->dev_target)); 2668 scb->sno, scb->dev_channel, scb->dev_target));
2665 2669
2666 scp->result = (DID_RESET << 16); 2670 scb->status = -1;
2667 scp->scsi_done(scp);
2668 2671
2669 megaraid_dealloc_scb(adapter, scb); 2672 kioc = (uioc_t *)scb->gp;
2673 kioc->status = -EFAULT;
2674
2675 megaraid_mbox_mm_done(adapter, scb);
2676 } else {
2677 if (scb->scp == scp) { // Found command
2678 con_log(CL_ANN, (KERN_WARNING
2679 "megaraid: %ld:%d[%d:%d], reset from pending list\n",
2680 scp->serial_number, scb->sno,
2681 scb->dev_channel, scb->dev_target));
2682 } else {
2683 con_log(CL_ANN, (KERN_WARNING
2684 "megaraid: IO packet with %d[%d:%d] being reset\n",
2685 scb->sno, scb->dev_channel, scb->dev_target));
2686 }
2687
2688 scb->scp->result = (DID_RESET << 16);
2689 scb->scp->scsi_done(scb->scp);
2690
2691 megaraid_dealloc_scb(adapter, scb);
2692 }
2670 } 2693 }
2671 spin_unlock_irqrestore(PENDING_LIST_LOCK(adapter), flags); 2694 spin_unlock_irqrestore(PENDING_LIST_LOCK(adapter), flags);
2672 2695
2673 if (adapter->outstanding_cmds) { 2696 if (adapter->outstanding_cmds) {
2674 con_log(CL_ANN, (KERN_NOTICE 2697 con_log(CL_ANN, (KERN_NOTICE
2675 "megaraid: %d outstanding commands. Max wait %d sec\n", 2698 "megaraid: %d outstanding commands. Max wait %d sec\n",
2676 adapter->outstanding_cmds, MBOX_RESET_WAIT)); 2699 adapter->outstanding_cmds,
2700 (MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT)));
2677 } 2701 }
2678 2702
2679 recovery_window = MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT; 2703 recovery_window = MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT;
2680 2704
2681 recovering = adapter->outstanding_cmds; 2705 recovering = adapter->outstanding_cmds;
2682 2706
2683 for (i = 0; i < recovery_window && adapter->outstanding_cmds; i++) { 2707 for (i = 0; i < recovery_window; i++) {
2684 2708
2685 megaraid_ack_sequence(adapter); 2709 megaraid_ack_sequence(adapter);
2686 2710
@@ -2689,12 +2713,11 @@ megaraid_reset_handler(struct scsi_cmnd *scp)
2689 con_log(CL_ANN, ( 2713 con_log(CL_ANN, (
2690 "megaraid mbox: Wait for %d commands to complete:%d\n", 2714 "megaraid mbox: Wait for %d commands to complete:%d\n",
2691 adapter->outstanding_cmds, 2715 adapter->outstanding_cmds,
2692 MBOX_RESET_WAIT - i)); 2716 (MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT) - i));
2693 } 2717 }
2694 2718
2695 // bailout if no recovery happended in reset time 2719 // bailout if no recovery happended in reset time
2696 if ((i == MBOX_RESET_WAIT) && 2720 if (adapter->outstanding_cmds == 0) {
2697 (recovering == adapter->outstanding_cmds)) {
2698 break; 2721 break;
2699 } 2722 }
2700 2723
@@ -2918,12 +2941,13 @@ mbox_post_sync_cmd_fast(adapter_t *adapter, uint8_t raw_mbox[])
2918 wmb(); 2941 wmb();
2919 WRINDOOR(raid_dev, raid_dev->mbox_dma | 0x1); 2942 WRINDOOR(raid_dev, raid_dev->mbox_dma | 0x1);
2920 2943
2921 for (i = 0; i < 0xFFFFF; i++) { 2944 for (i = 0; i < MBOX_SYNC_WAIT_CNT; i++) {
2922 if (mbox->numstatus != 0xFF) break; 2945 if (mbox->numstatus != 0xFF) break;
2923 rmb(); 2946 rmb();
2947 udelay(MBOX_SYNC_DELAY_200);
2924 } 2948 }
2925 2949
2926 if (i == 0xFFFFF) { 2950 if (i == MBOX_SYNC_WAIT_CNT) {
2927 // We may need to re-calibrate the counter 2951 // We may need to re-calibrate the counter
2928 con_log(CL_ANN, (KERN_CRIT 2952 con_log(CL_ANN, (KERN_CRIT
2929 "megaraid: fast sync command timed out\n")); 2953 "megaraid: fast sync command timed out\n"));
@@ -3475,7 +3499,7 @@ megaraid_cmm_register(adapter_t *adapter)
3475 adp.drvr_data = (unsigned long)adapter; 3499 adp.drvr_data = (unsigned long)adapter;
3476 adp.pdev = adapter->pdev; 3500 adp.pdev = adapter->pdev;
3477 adp.issue_uioc = megaraid_mbox_mm_handler; 3501 adp.issue_uioc = megaraid_mbox_mm_handler;
3478 adp.timeout = 300; 3502 adp.timeout = MBOX_RESET_WAIT + MBOX_RESET_EXT_WAIT;
3479 adp.max_kioc = MBOX_MAX_USER_CMDS; 3503 adp.max_kioc = MBOX_MAX_USER_CMDS;
3480 3504
3481 if ((rval = mraid_mm_register_adp(&adp)) != 0) { 3505 if ((rval = mraid_mm_register_adp(&adp)) != 0) {
@@ -3702,7 +3726,6 @@ megaraid_mbox_mm_done(adapter_t *adapter, scb_t *scb)
3702 unsigned long flags; 3726 unsigned long flags;
3703 3727
3704 kioc = (uioc_t *)scb->gp; 3728 kioc = (uioc_t *)scb->gp;
3705 kioc->status = 0;
3706 mbox64 = (mbox64_t *)(unsigned long)kioc->cmdbuf; 3729 mbox64 = (mbox64_t *)(unsigned long)kioc->cmdbuf;
3707 mbox64->mbox32.status = scb->status; 3730 mbox64->mbox32.status = scb->status;
3708 raw_mbox = (uint8_t *)&mbox64->mbox32; 3731 raw_mbox = (uint8_t *)&mbox64->mbox32;