From cab537d609fb718e9fb09d73e3e3e3062db25743 Mon Sep 17 00:00:00 2001 
From: James Bottomley <[mailto:James.Bottomley@SteelEye.com]> Date: Wed, 16 May 2007 10:06:39 -0400 Subject: [SCSI] aacraid: fix panic on short Inquiry Unable to handle kernel paging request at ffff8101c0000000 RIP: [] :aacraid:aac_internal_transfer+0xd6/0xe3 PGD 8063 PUD 0 Oops: 0000 [1] SMP last sysfs file: /block/sdb/removable CPU 2 Modules linked in: autofs4(U) hidp(U) nfs(U) lockd(U) fscache(U) nfs_acl(U) rfcomm(U) l2cap(U) bluetooth(U) sunrpc(U) ipv6(U) cpufreq_ondemand(U) dm_mirror(U) dm_mod(U) video(U) sbs(U) i2c_ec(U) button(U) battery(U) asus_acpi(U) acpi_memhotplug(U) ac(U) parport_pc(U) lp(U) parport(U) joydev(U) ide_cd(U) i2c_i801(U) i2c_core(U) shpchp(U) cdrom(U) bnx2(U) sg(U) pcspkr(U) ata_piix(U) libata(U) aacraid(U) sd_mod(U) scsi_mod(U) ext3(U) jbd(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U) Pid: 2352, comm: syslogd Not tainted 2.6.18-prep #1 RIP: 0010:[] [] :aacraid:aac_internal_transfer+0xd6/0xe3 RSP: 0000:ffff8101bfd1fe68 EFLAGS: 00010083 RAX: 0000000000000063 RBX: 0000000000000008 RCX: 00000000ffd1fea0 RDX: ffffffff802da628 RSI: ffff8101c0000000 RDI: ffff8101b2a08168 RBP: ffff8101b2728010 R08: ffffffff802da628 R09: 0000000000000046 R10: 0000000000000000 R11: 0000000000000080 R12: 0000000000000010 R13: ffff8101bfd1fea8 R14: ffff8101bc74df58 R15: ffff8101bc74df58 FS: 00002aaaab0146f0(0000) GS:ffff8101bfcd2e40(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff8101c0000000 CR3: 00000001bdecd000 CR4: 00000000000006e0 Process syslogd (pid: 2352, threadinfo ffff8101bc74c000, task ffff8101bd979040) Stack: 0000000000000012 0000000000000036 0000000000000000 ffff8101bee9a800 ffff8101be9d3a00 ffff8101be9d3a00 ffff8101be8014f8 ffffffff880b26cc 40212227607e3141 2029282a26252423 0000000000000003 ffff810037e3a000 Call Trace: ] :aacraid:get_container_name_callback+0x8b/0xb5 [] :aacraid:aac_intr_normal+0x1b3/0x1f9 [] :aacraid:aac_rkt_intr+0x37/0x115 [] __rcu_process_callbacks+0xf8/0x1a8 [] handle_IRQ_event+0x29/0x58 [] 
__do_IRQ+0xa4/0x105 [] __do_softirq+0x5e/0xd5 [] do_IRQ+0xe7/0xf5 [] ret_from_intr+0x0/0xa On digging into it, it turned out that the customer was probing an aacraid device with an INQUIRY of 8 bytes. The way aacraid works, it was blindly trying to use aac_internal_transfer to copy the container name to byte 16 of the inquiry data, resulting in a negative transfer length. It then copies over the whole of kernel memory before dropping off the end. Fix updated and corrected by Mark Salyzyn Signed-off-by: James Bottomley
---
drivers/scsi/aacraid/aachba.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/scsi/aacraid/aachba.c')
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 1e82c69b36b..6c4319c98fe 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -340,7 +340,7 @@ int aac_get_containers(struct aac_dev *dev)
 static void aac_internal_transfer(struct scsi_cmnd *scsicmd, void *data, unsigned int offset, unsigned int len)
 {
 void *buf;
- unsigned int transfer_len;
+ int transfer_len;
 struct scatterlist *sg = scsicmd->request_buffer;
 if (scsicmd->use_sg) {
@@ -351,7 +351,7 @@ static void aac_internal_transfer(struct scsi_cmnd *scsicmd, void *data, unsigne
 transfer_len = min(scsicmd->request_bufflen, len + offset);
 }
 transfer_len -= offset;
- if (buf && transfer_len)
+ if (buf && transfer_len > 0)
 memcpy(buf + offset, data, transfer_len);
 if (scsicmd->use_sg)
-- cgit v1.2.3
From 1208bab5d07c9a9172f04b76dc107c37507a9bb3 Mon Sep 17 00:00:00 2001
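Review bot: In aac_internal_transfer (drivers/scsi/aacraid/aachba.c, both hunks of the short-Inquiry fix), the underflow is avoided by making `transfer_len` signed and testing `> 0`, so the result of `min()` over two unsigned values is now stored in an `int` and later converted back to an unsigned length for `memcpy`. Bounding the length before the subtraction keeps the arithmetic unsigned and states the invariant directly: `if (buf && transfer_len > offset)` followed by `memcpy(buf + offset, data, transfer_len - offset);`, with the separate `transfer_len -= offset;` dropped. A comment such as `/* request buffer may be shorter than offset (e.g. an 8-byte INQUIRY): copy nothing */` would record why the guard exists, since a wrapped length here means an out-of-bounds kernel copy. The function body starts and ends outside these hunks, so the scatter-gather mapping and unmapping around the copy could not be checked.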
From: "Salyzyn, Mark" Date: Tue, 22 May 2007 09:32:29 -0400 Subject: [SCSI] aacraid: apply commit config for reset_devices flag Under some conditions associated with the unclean transition to kdump, the aacraid adapters will view the array as foreign and not export it to prevent access and data manipulation. The solution is to submit a commit configuration to export the devices since this is a expected behavior when transitioning to a kdump kernel. This patch adds the aacraid.reset_devices flag and when either this or the global reset_devices flag is set, ensures that a commit config is issued and extends the startup_timeout if it is set less than 5 minutes. Signed-off-by: Mark Salyzyn Signed-off-by: James Bottomley
---
drivers/scsi/aacraid/aachba.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'drivers/scsi/aacraid/aachba.c')
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 6c4319c98fe..8dcfe4ec35c 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -146,7 +146,7 @@ static char *aac_get_status_string(u32 status);
 static int nondasd = -1;
 static int dacmode = -1;
-static int commit = -1;
+int aac_commit = -1;
 int startup_timeout = 180;
 int aif_timeout = 120;
@@ -154,7 +154,7 @@ module_param(nondasd, int, S_IRUGO|S_IWUSR);
 MODULE_PARM_DESC(nondasd, "Control scanning of hba for nondasd devices. 0=off, 1=on");
 module_param(dacmode, int, S_IRUGO|S_IWUSR);
 MODULE_PARM_DESC(dacmode, "Control whether dma addressing is using 64 bit DAC. 0=off, 1=on");
-module_param(commit, int, S_IRUGO|S_IWUSR);
+module_param_named(commit, aac_commit, int, S_IRUGO|S_IWUSR);
 MODULE_PARM_DESC(commit, "Control whether a COMMIT_CONFIG is issued to the adapter for foreign arrays.\nThis is typically needed in systems that do not have a BIOS. 0=off, 1=on");
 module_param(startup_timeout, int, S_IRUGO|S_IWUSR);
 MODULE_PARM_DESC(startup_timeout, "The duration of time in seconds to wait for adapter to have it's kernel up and\nrunning. This is typically adjusted for large systems that do not have a BIOS.");
@@ -173,6 +173,9 @@ int expose_physicals = -1;
 module_param(expose_physicals, int, S_IRUGO|S_IWUSR);
 MODULE_PARM_DESC(expose_physicals, "Expose physical components of the arrays. -1=protect 0=off, 1=on");
+int aac_reset_devices = 0;
+module_param_named(reset_devices, aac_reset_devices, int, S_IRUGO|S_IWUSR);
+MODULE_PARM_DESC(reset_devices, "Force an adapter reset at initialization.");
 static inline int aac_valid_context(struct scsi_cmnd *scsicmd, struct fib *fibptr)
 {
@@ -246,7 +249,7 @@ int aac_get_config_status(struct aac_dev *dev, int commit_flag)
 aac_fib_complete(fibptr);
 /* Send a CT_COMMIT_CONFIG to enable discovery of devices */
 if (status >= 0) {
- if ((commit == 1) || commit_flag) {
+ if ((aac_commit == 1) || commit_flag) {
 struct aac_commit_config * dinfo;
 aac_fib_init(fibptr);
 dinfo = (struct aac_commit_config *) fib_data(fibptr);
@@ -261,7 +264,7 @@ int aac_get_config_status(struct aac_dev *dev, int commit_flag)
 1, 1, NULL, NULL);
 aac_fib_complete(fibptr);
- } else if (commit == 0) {
+ } else if (aac_commit == 0) {
 printk(KERN_WARNING "aac_get_config_status: Foreign device configurations are being ignored\n");
 }
-- cgit v1.2.3
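Review bot: In the `@@ -173,6 +173,9 @@` hunk, the `reset_devices` description says only "Force an adapter reset at initialization.", while the commit message says the flag also makes the driver issue a COMMIT_CONFIG for arrays the adapter treats as foreign and raises `startup_timeout`. Because that overrides the adapter's refusal to export a foreign array, the description should say so, for example `MODULE_PARM_DESC(reset_devices, "Force an adapter reset at initialization. Also issues COMMIT_CONFIG for foreign arrays and extends startup_timeout.");`. The code that reads `aac_reset_devices` is outside this file-limited view, so it cannot be confirmed here whether a runtime write through the `S_IWUSR` sysfs entry has any effect; if the value is only consulted at initialization, `S_IRUGO` alone would describe it more accurately. The explicit `= 0` on a file-scope `int` is redundant and kernel style omits it: `int aac_reset_devices;`.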