From b07af7d76a087066c597aec11bef189e0da88541 Mon Sep 17 00:00:00 2001

From: Himanshu Madhani <hmadhani@redhat.com>

Date: Thu, 21 Nov 2019 16:36:43 -0500

Subject: [PATCH 133/155] [scsi] scsi: qla2xxx: Fix a race condition between

 aborting and completing a SCSI command

Message-id: <20191121163701.43688-9-hmadhani@redhat.com>

Patchwork-id: 287863

O-Subject: [RHLE 7.8 e-stor PATCH v3 08/26] scsi: qla2xxx: Fix a race condition between aborting and completing a SCSI command

Bugzilla: 1731581

RH-Acked-by: Jarod Wilson <jarod@redhat.com>

RH-Acked-by: Ewan Milne <emilne@redhat.com>

RH-Acked-by: Tony Camuso <tcamuso@redhat.com>

From: Bart Van Assche <bvanassche@acm.org>

Bugzilla 1731581

Instead of allocating a struct srb dynamically from inside .queuecommand(),

set qla2xxx_driver_template.cmd_size such that struct scsi_cmnd and struct

srb are contiguous. Do not call QLA_QPAIR_MARK_BUSY() /

QLA_QPAIR_MARK_NOT_BUSY() for SRBs associated with SCSI commands. That is

safe because scsi_remove_host() is called before queue pairs are deleted

and scsi_remove_host() waits for all outstanding SCSI commands to finish.

Cc: Himanshu Madhani <hmadhani@marvell.com>

Signed-off-by: Bart Van Assche <bvanassche@acm.org>

Tested-by: Himanshu Madhani <hmadhani@marvell.com>

Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

(cherry picked from commit 85cffefa09e448906a6f0bc20f422d75a18675bd)

Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>

Signed-off-by: Jan Stancek <jstancek@redhat.com>

---

 drivers/scsi/qla2xxx/qla_def.h |  1 -

 drivers/scsi/qla2xxx/qla_os.c  | 45 ++++++++----------------------------------

 2 files changed, 8 insertions(+), 38 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h

index 5975f107d65d..3f6319edabd4 100644

--- a/drivers/scsi/qla2xxx/qla_def.h

+++ b/drivers/scsi/qla2xxx/qla_def.h

@@ -569,7 +569,6 @@ typedef struct srb {

 } srb_t;

 #define GET_CMD_SP(sp) (sp->u.scmd.cmd)

-#define SET_CMD_SP(sp, cmd) (sp->u.scmd.cmd = cmd)

 #define GET_CMD_CTX_SP(sp) (sp->u.scmd.ctx)

 #define GET_CMD_SENSE_LEN(sp) \

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c

index 9e0a724f08f6..b2500db628f1 100644

--- a/drivers/scsi/qla2xxx/qla_os.c

+++ b/drivers/scsi/qla2xxx/qla_os.c

@@ -725,7 +725,6 @@ qla2x00_sp_compl(void *ptr, int res)

 	cmd->scsi_done(cmd);

 	if (comp)

 		complete(comp);

-	qla2x00_rel_sp(sp);

 }

 void

@@ -830,7 +829,6 @@ qla2xxx_qpair_sp_compl(void *ptr, int res)

 	cmd->scsi_done(cmd);

 	if (comp)

 		complete(comp);

-	qla2xxx_rel_qpair_sp(sp->qpair, sp);

 }

 static int

@@ -927,9 +925,8 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)

 	else

 		goto qc24_target_busy;

-	sp = qla2x00_get_sp(vha, fcport, GFP_ATOMIC);

-	if (!sp)

-		goto qc24_host_busy;

+	sp = scsi_cmd_priv(cmd);

+	qla2xxx_init_sp(sp, vha, vha->hw->base_qpair, fcport);

 	sp->u.scmd.cmd = cmd;

 	sp->type = SRB_SCSI_CMD;

@@ -950,9 +947,6 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)

 qc24_host_busy_free_sp:

 	sp->free(sp);

-qc24_host_busy:

-	return SCSI_MLQUEUE_HOST_BUSY;

-

 qc24_target_busy:

 	return SCSI_MLQUEUE_TARGET_BUSY;

@@ -1013,9 +1007,8 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,

 	else

 		goto qc24_target_busy;

-	sp = qla2xxx_get_qpair_sp(vha, qpair, fcport, GFP_ATOMIC);

-	if (!sp)

-		goto qc24_host_busy;

+	sp = scsi_cmd_priv(cmd);

+	qla2xxx_init_sp(sp, vha, qpair, fcport);

 	sp->u.scmd.cmd = cmd;

 	sp->type = SRB_SCSI_CMD;

@@ -1039,9 +1032,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,

 qc24_host_busy_free_sp:

 	sp->free(sp);

-qc24_host_busy:

-	return SCSI_MLQUEUE_HOST_BUSY;

-

 qc24_target_busy:

 	return SCSI_MLQUEUE_TARGET_BUSY;

@@ -1275,10 +1265,8 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)

 	srb_t *sp;

 	int ret;

 	unsigned int id, lun;

-	unsigned long flags;

 	int rval;

 	struct qla_hw_data *ha = vha->hw;

-	struct qla_qpair *qpair;

 	if (qla2x00_isp_reg_stat(ha)) {

 		ql_log(ql_log_info, vha, 0x8042,

@@ -1290,32 +1278,14 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)

 	if (ret != 0)

 		return ret;

-	sp = (srb_t *) CMD_SP(cmd);

-	if (!sp)

-		return SUCCESS;

-

-	qpair = sp->qpair;

-	if (!qpair)

-		return SUCCESS;

+	sp = scsi_cmd_priv(cmd);

 	if (sp->fcport && sp->fcport->deleted)

 		return SUCCESS;

-	spin_lock_irqsave(qpair->qp_lock_ptr, flags);

-	if (sp->type != SRB_SCSI_CMD || GET_CMD_SP(sp) != cmd) {

-		/* there's a chance an interrupt could clear

-		   the ptr as part of done & free */

-		spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);

-		return SUCCESS;

-	}

-

-	/* Get a reference to the sp and drop the lock. */

-	if (sp_get(sp)){

-		/* ref_count is already 0 */

-		spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);

+	/* Return if the command has already finished. */

+	if (sp_get(sp))

 		return SUCCESS;

-	}

-	spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);

 	id = cmd->device->id;

 	lun = cmd->device->lun;

@@ -7268,6 +7238,7 @@ struct scsi_host_template qla2xxx_driver_template = {

 	.supported_mode		= MODE_INITIATOR,

 	.use_host_wide_tags     = 1,

+	.cmd_size		= sizeof(srb_t),

 };

 static const struct pci_error_handlers qla2xxx_err_handler = {

-- 

2.13.6