diff options
| author | Eddie Wai <eddie.wai@broadcom.com> | 2011-07-15 14:17:26 -0400 |
|---|---|---|
| committer | James Bottomley <JBottomley@Parallels.com> | 2011-07-21 17:03:27 -0400 |
| commit | 0d83ab65ff1b54ce8b6cd172285cf71a38c4cceb (patch) | |
| tree | c39185fbe3cc254a077643e5ef91d507ff8fceba /drivers/scsi | |
| parent | 2dabc55dfe655390a7bfd346e595c33ee2f2cc82 (diff) | |
[SCSI] bnx2i: Fixed kernel panic due to illegal usage of sc->request->cpu
A kernel panic was observed when passing the sc->request->cpu = -1 to
retrieve the per_cpu variable pointer:
#0 [ffff880011203960] machine_kexec at ffffffff81022bc3
#1 [ffff8800112039b0] crash_kexec at ffffffff81088630
#2 [ffff880011203a80] __die at ffffffff8139ea20
#3 [ffff880011203aa0] no_context at ffffffff8102f3a7
#4 [ffff880011203ae0] __bad_area_nosemaphore at ffffffff8102f665
#5 [ffff880011203ba0] retint_signal at ffffffff8139dd1f
#6 [ffff880011203cc8] bnx2i_indicate_kcqe at ffffffffa03dc4f2
#7 [ffff880011203da8] service_kcqes at ffffffffa03cb04f
#8 [ffff880011203e68] cnic_service_bnx2x_kcq at ffffffffa03cb14a
#9 [ffff880011203e88] cnic_service_bnx2x_bh at ffffffffa03cb1b3
The problem lies in the slow path sg_io (and perhaps sg_scsi_ioctl) call to
blk_get_request->get_request/wait->blk_alloc_request->blk_rq_init which
re-initializes the request->cpu to -1. There is no assignment for cpu from
that to the request_fn call to low level drivers.
When this happens, the sc->request->cpu will be using the init value of
-1. This will create a kernel panic when it hits bnx2i because the code
refers it to get the per_cpu variables ptr.
This change is to put in a guard against that and also for cases when
bio affinity/queue completion to the same cpu is not enabled. In those
cases, the request->cpu will remain a -1 also.
This bug was created from commit: b5cf6b63f73abdc051035f0050b367beeb2ef94c
For the case when the blk layer did not setup the request->cpu, bnx2i
will complete the sc with the current CPU of the thread.
Signed-off-by: Eddie Wai <eddie.wai@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi')
| -rw-r--r-- | drivers/scsi/bnx2i/bnx2i_hwi.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c index 54978c1de159..28c6693688d8 100644 --- a/drivers/scsi/bnx2i/bnx2i_hwi.c +++ b/drivers/scsi/bnx2i/bnx2i_hwi.c | |||
| @@ -1901,6 +1901,7 @@ static int bnx2i_queue_scsi_cmd_resp(struct iscsi_session *session, | |||
| 1901 | struct iscsi_task *task; | 1901 | struct iscsi_task *task; |
| 1902 | struct scsi_cmnd *sc; | 1902 | struct scsi_cmnd *sc; |
| 1903 | int rc = 0; | 1903 | int rc = 0; |
| 1904 | int cpu; | ||
| 1904 | 1905 | ||
| 1905 | spin_lock(&session->lock); | 1906 | spin_lock(&session->lock); |
| 1906 | task = iscsi_itt_to_task(bnx2i_conn->cls_conn->dd_data, | 1907 | task = iscsi_itt_to_task(bnx2i_conn->cls_conn->dd_data, |
| @@ -1912,7 +1913,12 @@ static int bnx2i_queue_scsi_cmd_resp(struct iscsi_session *session, | |||
| 1912 | sc = task->sc; | 1913 | sc = task->sc; |
| 1913 | spin_unlock(&session->lock); | 1914 | spin_unlock(&session->lock); |
| 1914 | 1915 | ||
| 1915 | p = &per_cpu(bnx2i_percpu, sc->request->cpu); | 1916 | if (!blk_rq_cpu_valid(sc->request)) |
| 1917 | cpu = smp_processor_id(); | ||
| 1918 | else | ||
| 1919 | cpu = sc->request->cpu; | ||
| 1920 | |||
| 1921 | p = &per_cpu(bnx2i_percpu, cpu); | ||
| 1916 | spin_lock(&p->p_work_lock); | 1922 | spin_lock(&p->p_work_lock); |
| 1917 | if (unlikely(!p->iothread)) { | 1923 | if (unlikely(!p->iothread)) { |
| 1918 | rc = -EINVAL; | 1924 | rc = -EINVAL; |