[PATCH] Possible SCSI + block-layer bugs

From: Mark Hemment (markhe@veritas.com)
Date: Sat Mar 31 2001 - 10:07:13 EST

Next message: Delbert Matlock: "2.4.3 compile fail (conflicting types) - Alpha processor - init/main.c"

Previous message: kuznet@ms2.inr.ac.ru: "Re: IP layer bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I've never seen these trigger, but they look theoretically possible.

When processing the completion of a SCSI request in a bottom-half,
__scsi_end_request() can find all the buffers associated with the request
haven't been completed (ie. leftovers).

One question is; can this ever happen?
If it can't then the code should be removed from __scsi_end_request(),
if it can happen then there appears to be a few problems;

The request is re-queued to the block layer via
scsi_queue_next_request(), which uses the "special" pointer in the request
structure to remember the Scsi_Cmnd associated with the request. The SCSI
request function is then called, but doesn't guarantee to immediately
process the re-queued request even though it was added at the head (say,
the queue has become plugged). This can trigger two possible bugs.

The first is that __scsi_end_request() doesn't decrement the
hard_nr_sectors count in the request. As the request is back on the
queue, it is possible for newly arriving buffer-heads to merge with the
heads already hanging off the request. This merging uses the
hard_nr_sectors when calculating both the merged hard_nr_sectors and
nr_sectors counts.
As the request is at the head, only back-merging can occur, but if
__scsi_end_request() triggers another uncompleted request to be re-queued,
it is possible to get front merging as well.

The merging of a re-queued request looks safe, except for the
hard_nr_sectors. This patch corrects the hard_nr_sectors accounting.

The second bug is from request merging in attempt_merge().

  For a re-queued request, the request structure is the one embedded in
the Scsi_Cmnd (which is a copy of the request taken in the
scsi_request_fn).
  In attempt_merge(), q->merge_requests_fn() is called to see the requests
are allowed to merge. __scsi_merge_requests_fn() checks number of
segments, etc, but doesn't check if one of the requests is a re-queued one
(ie. no test against ->special).
  This can lead to attempt_merge() releasing the embedded request
structure (which, as an extract copy, has the ->q set, so to
blkdev_release_request() it looks like a request which originated from
the block layer). This isn't too healthy.

The fix here is to add a check in __scsi_merge_requests_fn() to check
for ->special being non-NULL.

The attached patch is against 2.4.3.

Jens, Eric, anyone, comments?

Mark

TEXT/PLAIN attachment: scsi.patch

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Delbert Matlock: "2.4.3 compile fail (conflicting types) - Alpha processor - init/main.c"
Previous message: kuznet@ms2.inr.ac.ru: "Re: IP layer bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Mar 31 2001 - 11:06:47 EST