git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Tyrel Datwyler <tyreld@linux.ibm.com>
	Sun, 25 Oct 2020 00:13:55 +0000 (19:13 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 10 Nov 2020 11:39:06 +0000 (12:39 +0100)
commit	c4cb6cb14da227e884272e3340177e572eda010b
tree	62585bf79681310fee065e5c693c3dd190178acc	tree \| snapshot
parent	dca6a2dadf82ba6f950cbb08d6a7f083344e83c5	commit \| diff

scsi: ibmvscsi: Fix potential race after loss of transport

[ Upstream commit 665e0224a3d76f36da40bd9012270fa629aa42ed ]

After a loss of transport due to an adapter migration or crash/disconnect
from the host partner there is a tiny window where we can race adjusting
the request_limit of the adapter. The request limit is atomically
increased/decreased to track the number of inflight requests against the
allowed limit of our VIOS partner.

After a transport loss we set the request_limit to zero to reflect this
state.  However, there is a window where the adapter may attempt to queue a
command because the transport loss event hasn't been fully processed yet
and request_limit is still greater than zero.  The hypercall to send the
event will fail and the error path will increment the request_limit as a
result.  If the adapter processes the transport event prior to this
increment the request_limit becomes out of sync with the adapter state and
can result in SCSI commands being submitted on the now reset connection
prior to an SRP Login resulting in a protocol violation.

Fix this race by protecting request_limit with the host lock when changing
the value via atomic_set() to indicate no transport.

Link: https://lore.kernel.org/r/20201025001355.4527-1-tyreld@linux.ibm.com
Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>