> -----Original Message-----
> From: Brian King [mailto:brking@xxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, August 29, 2017 9:00 AM
>
> This fixes a potential race condition observed on Power systems.
>
> Several places throughout the aacraid driver call aac_fib_send or similar to send
> a command to the aacraid adapter, then check the return code to determine if
> the command was actually sent to the adapter, then update the phase field in
> the scsi command scratch pad area to track that the firmware now owns this
> command.
>
> However, there is nothing that ensures that by the time the aac_fib_send
> function returns and we go to write to the scsi command, that the command
> hasn't already completed and the scsi command has been freed.
>
> This was causing random crashes in the TCP stack which was tracked down to be
> caused by memory that had been a struct request + scsi_cmnd being now used
> for an skbuff. Memory poisoning was enabled in the kernel to debug this which
> showed that the last owner of the memory that had been freed was aacraid and
> that it was a struct request.
>
> The memory that was corrupted was the exact data pattern of
> AAC_OWNER_FIRMWARE and it was at the same offset that aacraid writes,
> which is scsicmd->SCp.phase. The patch below resolves this issue.
>
> Cc: stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Brian King <brking@xxxxxxxxxxxxxxxxxx>
> ---

Reviewed-by: Dave Carroll <david.carroll@xxxxxxxxxxxxx>