1. 11 Jan, 2008 10 commits
  2. 14 Nov, 2007 1 commit
    • Tony Battersby's avatar
      [SCSI] iscsi_tcp: fix potential lockup with write commands · 505f76b3
      Tony Battersby authored
      
      
      There is a race condition in iscsi_tcp.c that may cause it to forget
      that it received a R2T from the target.  This race may cause a data-out
      command (such as a write) to lock up.  The race occurs here:
      
      static int
      iscsi_send_unsol_pdu(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
      {
      	struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
      	int rc;
      
      	if (tcp_ctask->xmstate & XMSTATE_UNS_HDR) {
      		BUG_ON(!ctask->unsol_count);
      		tcp_ctask->xmstate &= ~XMSTATE_UNS_HDR; <---- RACE
      		...
      
      static int
      iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
      {
      	...
      	tcp_ctask->xmstate |= XMSTATE_SOL_HDR_INIT; <---- RACE
      	...
      
      While iscsi_xmitworker() (called from scsi_queue_work()) is preparing to
      send unsolicited data, iscsi_tcp_data_recv() (called from
      tcp_read_sock()) interrupts it upon receipt of a R2T from the target.
      Both contexts do read-modify-write of tcp_ctask->xmstate.  Usually, gcc
      on x86 will make &= and |= atomic on UP (not guaranteed of course), but
      in this case iscsi_send_unsol_pdu() reads the value of xmstate before
      clearing the bit, which causes gcc to read xmstate into a CPU register,
      test it, clear the bit, and then store it back to memory.  If the recv
      interrupt happens during this sequence, then the XMSTATE_SOL_HDR_INIT
      bit set by the recv interrupt will be lost, and the R2T will be
      forgotten.
      
      The patch below (against 2.6.24-rc1) converts accesses of xmstate to use
      set_bit, clear_bit, and test_bit instead of |= and &=.  I have tested
      this patch and verified that it fixes the problem.  Another possible
      approach would be to hold a lock during most of the rx/tx setup and
      post-processing, and drop the lock only for the actual rx/tx.
      
      Signed-off-by: default avatarTony Battersby <tonyb@cybernetics.com>
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
      505f76b3
  3. 27 Oct, 2007 1 commit
  4. 24 Oct, 2007 1 commit
  5. 22 Oct, 2007 1 commit
  6. 27 Jul, 2007 2 commits
  7. 20 Jul, 2007 2 commits
  8. 17 Jun, 2007 1 commit
  9. 02 Jun, 2007 7 commits
  10. 01 Jun, 2007 6 commits
  11. 11 Mar, 2007 3 commits
  12. 09 Feb, 2007 1 commit
  13. 06 Jan, 2007 3 commits
  14. 09 Nov, 2006 1 commit
    • Mike Christie's avatar
      [SCSI] iscsi_tcp: fix xmittask oops · db37c505
      Mike Christie authored
      
      
      XMSTATE_SOL_HDR could be set when the xmit thread tests it, but there may
      not be anything on the r2tqueue yet. Move the XMSTATE_SOL_HDR set
      before the addition to the queue to make sure that when we pull something
      off it it is valid. This does not add locks around the xmstate test or make
      that a atmoic_t because this is a fast path and if it is set when we test it
      we can handle it there without the overhead. Later on we check the xmitqueue
      for all requests with the session lock so we will not miss it.
      
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarJames Bottomley <James.Bottomley@SteelEye.com>
      db37c505