From patchwork Mon Mar 4 12:26:35 2019
X-Patchwork-Submitter: Sreekanth Reddy
X-Patchwork-Id: 10837777
From: Sreekanth Reddy
To: linux-scsi@vger.kernel.org
Cc: Sathya.Prakash@broadcom.com, suganath-prabu.subramani@broadcom.com, Sreekanth Reddy
Subject: [PATCH] mpt3sas: Fix kernel panic occurs during expander reset
Date: Mon, 4 Mar 2019 07:26:35 -0500
Message-Id: <1551702395-15526-1-git-send-email-sreekanth.reddy@broadcom.com>

During expander reset handling, the driver invokes kernel function scsi_host_find_tag() to obtain outstanding requests associated with the scsi host managed by the driver. Driver loops from tag value zero to hba queue depth to obtain the outstanding scmds. But when blk-mq is enabled then Kernel's block layer may return stale entry for one or more requests. This may lead to Kernel panic if the returned value is inaccessible or the memory pointed by the returned value is reused.

Reference of upstream discussion - https://patchwork.kernel.org/patch/10734933/

Fix: Instead of calling scsi_host_find_tag() API for each and every smid (smid is tag + 1) from one to shost->can_queue, now driver will call this API (to obtain the outstanding scmd) for only those smids which are outstanding at the driver level.

Driver will determine whether this smid is outstanding at driver level by looking into its corresponding MPI request frame; if its MPI request frame is empty then it means that this smid is free and no need to call scsi_host_find_tag() API for this smid. By doing this driver will invoke scsi_host_find_tag() for only those tags which are outstanding at the driver level.

Driver will check whether particular MPI request frame is empty or not by looking into the "DevHandle" field. If this field is zero then it means that this MPI request is empty. For active MPI request DevHandle must be non-zero.
Also driver will memset the MPI request frame once the corresponding scmd is processed (i.e. just before calling scmd->done function). Signed-off-by: Sreekanth Reddy Reviewed-by: Hannes Reinecke --- drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++++ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 12 ++++++++++++ 2 files changed, 18 insertions(+) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index e577744..1d8c584 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -3281,12 +3281,18 @@ void mpt3sas_base_clear_st(struct MPT3SAS_ADAPTER *ioc, if (smid < ioc->hi_priority_smid) { struct scsiio_tracker *st; + void *request; st = _get_st_from_smid(ioc, smid); if (!st) { _base_recovery_check(ioc); return; } + + /* Clear MPI request frame */ + request = mpt3sas_base_get_msg_frame(ioc, smid); + memset(request, 0, ioc->request_sz); + mpt3sas_base_clear_st(ioc, st); _base_recovery_check(ioc); return; diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c index 8bb5b8f..1ccfbc7 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -1462,11 +1462,23 @@ struct scsi_cmnd * { struct scsi_cmnd *scmd = NULL; struct scsiio_tracker *st; + Mpi25SCSIIORequest_t *mpi_request; if (smid > 0 && smid <= ioc->scsiio_depth - INTERNAL_SCSIIO_CMDS_COUNT) { u32 unique_tag = smid - 1; + mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); + + /* + * If SCSI IO request is outstanding at driver level then + * DevHandle filed must be non-zero. If DevHandle is zero + * then it means that this smid is free at driver level, + * so return NULL. + */ + if (!mpi_request->DevHandle) + return scmd; + scmd = scsi_host_find_tag(ioc->shost, unique_tag); if (scmd) { st = scsi_cmd_priv(scmd);
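Review bot: In the mpt3sas_base.c hunk, nothing visible orders the new memset(request, 0, ioc->request_sz) against the DevHandle read that the mpt3sas_scsih.c hunk performs during the reset walk, so a lookup running concurrently with a completion can observe the frame either before or after the clear. Please say in the comment (or the commit message) which lock or context serializes the two, since the fix depends on DevHandle being a reliable "free" marker. Two smaller points on the same lines: the clear sits only inside the smid < ioc->hi_priority_smid branch after the tracker lookup succeeds, so any path that releases a SCSI IO smid without reaching it leaves DevHandle non-zero and falls back to the old scsi_host_find_tag() call; and zeroing the full request_sz on every completion is more work than the check needs, given that only DevHandle is tested.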
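Review bot: In the mpt3sas_scsih.c hunk, the test if (!mpi_request->DevHandle) assumes every free frame reads as zero, but the only place this patch establishes that is the memset on the free path in mpt3sas_base.c. Frames that have never carried a request, or that were outstanding when the controller was reset, are not covered by the visible lines; please confirm the request pool is zeroed at allocation and again on reset, or add that clearing to this patch. The cast to Mpi25SCSIIORequest_t also deserves a line in the comment stating that every frame in the range checked by the surrounding smid test is a SCSI IO request, since that is what makes the DevHandle offset valid. Minor: the comment says "DevHandle filed" for "field", and return NULL; would read more clearly than return scmd; at a point where scmd is known to be NULL.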