1. 12 Jan, 2008 10 commits
  2. 15 Nov, 2007 1 commit
    • [SCSI] iscsi_tcp: fix potential lockup with write commands · 505f76b3
      Tony Battersby committed
      There is a race condition in iscsi_tcp.c that may cause it to forget
      that it received an R2T from the target.  This race may cause a data-out
      command (such as a write) to lock up.  The race occurs here:
      
      static int
      iscsi_send_unsol_pdu(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
      {
      	struct iscsi_tcp_cmd_task *tcp_ctask = ctask->dd_data;
      	int rc;
      
      	if (tcp_ctask->xmstate & XMSTATE_UNS_HDR) {
      		BUG_ON(!ctask->unsol_count);
      		tcp_ctask->xmstate &= ~XMSTATE_UNS_HDR; <---- RACE
      		...
      
      static int
      iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask)
      {
      	...
      	tcp_ctask->xmstate |= XMSTATE_SOL_HDR_INIT; <---- RACE
      	...
      
      While iscsi_xmitworker() (called from scsi_queue_work()) is preparing to
      send unsolicited data, iscsi_tcp_data_recv() (called from
      tcp_read_sock()) interrupts it upon receipt of an R2T from the target.
      Both contexts do read-modify-write of tcp_ctask->xmstate.  Usually, gcc
      on x86 will make &= and |= atomic on UP (not guaranteed of course), but
      in this case iscsi_send_unsol_pdu() reads the value of xmstate before
      clearing the bit, which causes gcc to read xmstate into a CPU register,
      test it, clear the bit, and then store it back to memory.  If the recv
      interrupt happens during this sequence, then the XMSTATE_SOL_HDR_INIT
      bit set by the recv interrupt will be lost, and the R2T will be
      forgotten.
      
      The patch below (against 2.6.24-rc1) converts accesses of xmstate to use
      set_bit, clear_bit, and test_bit instead of |= and &=.  I have tested
      this patch and verified that it fixes the problem.  Another possible
      approach would be to hold a lock during most of the rx/tx setup and
      post-processing, and drop the lock only for the actual rx/tx.
      Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
      Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
      505f76b3
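
The lost update described in the commit message above, replayed deterministically as an added example (not code from the patch or the driver). C11 atomics stand in for the kernel's bit operations, the bit values are constructed, and the `irq` callback is a hypothetical stand-in for the receive interrupt.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed bit values for illustration; not the driver's definitions. */
#define XMSTATE_UNS_HDR      0x1u
#define XMSTATE_SOL_HDR_INIT 0x2u

static atomic_uint xmstate;	/* stands in for tcp_ctask->xmstate */

/* Receive path: an R2T arrived and must be remembered. */
static void recv_r2t(void)
{
	atomic_fetch_or(&xmstate, XMSTATE_SOL_HDR_INIT);
}

/* Transmit path as compiled for "test, then &=": load into a register,
 * test, clear the bit there, store back. irq() lands inside that window. */
static unsigned xmit_racy(void (*irq)(void))
{
	unsigned reg = atomic_load(&xmstate);	/* read into register */
	if (reg & XMSTATE_UNS_HDR) {
		reg &= ~XMSTATE_UNS_HDR;	/* clear bit in the register */
		irq();				/* receive interrupt fires */
		atomic_store(&xmstate, reg);	/* stale value overwrites it */
	}
	return atomic_load(&xmstate);
}

/* Same path, but the clear is one indivisible read-modify-write, so an
 * interrupt can only land before or after it, never in the middle. */
static unsigned xmit_atomic(void (*irq)(void))
{
	if (atomic_load(&xmstate) & XMSTATE_UNS_HDR) {
		irq();
		atomic_fetch_and(&xmstate, ~XMSTATE_UNS_HDR);
	}
	return atomic_load(&xmstate);
}

static unsigned run(unsigned (*xmit)(void (*)(void)))
{
	atomic_store(&xmstate, XMSTATE_UNS_HDR);	/* unsolicited header pending */
	return xmit(recv_r2t);
}

int main(void)
{
	printf("racy: 0x%x  atomic: 0x%x\n", run(xmit_racy), run(xmit_atomic));
}
```

The racy variant ends with `XMSTATE_SOL_HDR_INIT` cleared, which is the forgotten R2T; the atomic variant keeps it.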
  3. 27 Oct, 2007 1 commit
  4. 24 Oct, 2007 1 commit
  5. 23 Oct, 2007 1 commit
  6. 27 Jul, 2007 2 commits
  7. 21 Jul, 2007 1 commit
  8. 20 Jul, 2007 1 commit
  9. 18 Jun, 2007 1 commit
  10. 03 Jun, 2007 7 commits
  11. 02 Jun, 2007 6 commits
  12. 12 Mar, 2007 3 commits
  13. 10 Feb, 2007 1 commit
  14. 06 Jan, 2007 3 commits
  15. 10 Nov, 2006 1 commit
    • [SCSI] iscsi_tcp: fix xmittask oops · db37c505
      Mike Christie committed
      XMSTATE_SOL_HDR could be set when the xmit thread tests it, but there may
      not be anything on the r2tqueue yet. Move the XMSTATE_SOL_HDR set
      before the addition to the queue to make sure that when we pull something
      off it it is valid. This does not add locks around the xmstate test or make
      that an atomic_t because this is a fast path and if it is set when we test it
      we can handle it there without the overhead. Later on we check the xmitqueue
      for all requests with the session lock so we will not miss it.
      Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
      db37c505