| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Nov 2023 10:27:53 +0800
From: yangxingui <yangxingui@...wei.com>
To: John Garry <john.g.garry@...cle.com>, <yanaijie@...wei.com>,
<jejb@...ux.ibm.com>, <martin.petersen@...cle.com>,
<damien.lemoal@...nsource.wdc.com>
CC: <linux-scsi@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<linuxarm@...wei.com>, <prime.zeng@...ilicon.com>,
<kangfenglong@...wei.com>, <chenxiang66@...ilicon.com>
Subject: Re: [PATCH v4] scsi: libsas: Fix the failure of adding phy with
zero-address to port
Hi John,
On 2023/11/23 22:52, John Garry wrote:
> On 17/11/2023 09:00, Xingui Yang wrote:
>
> Sorry for being slow to come back to this. However I still have
> questions...
>
>> When connecting to the epander device, first disable and then enable the
>
> /s/epander/expander/
>
> And connecting what to the expander? Is it a SATA disk?
>
> Or the SATA disk is already attached to the expander and we are now
> attaching the expander to the host?
>
> It is hard to follow this.
>
>> local phy.
>
> So is the local phy disabled initially? Or is was it initially enabled
> and we disable+re-enable just when attaching, so that there is a race?
>
>> The following BUG() will be triggered with a small probability:
>>
>> [562240.051046] sas: phy19 part of wide port with phy16
>
> Where is this print in the code? I see "part of a wide port with
> phy%02d" in sas_discover_dev()
>
>> [562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached:
>> 0000000000000000 (no device)
>> [562240.051203] sas: done REVALIDATING DOMAIN on port 0, pid:435909,
>> res 0x0
>> <...>
>> [562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached
>> [562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached:
>> 0000000000000000 (stp)
>> [562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's
>> already part of another port
>> [562240.085064] ------------[ cut here ]------------
>> [562240.096612] kernel BUG at drivers/scsi/scsi_transport_sas.c:1083!
>> [562240.109611] Internal error: Oops - BUG: 0 [#1] SMP
>> [562240.343518] Process kworker/u256:3 (pid: 435909, stack limit =
>> 0x0000000003bcbebf)
>> [562240.421714] Workqueue: 0000:b4:02.0_disco_q sas_revalidate_domain
>> [libsas]
>> [562240.437173] pstate: 40c00009 (nZcv daif +PAN +UAO)
>> [562240.450478] pc : sas_port_add_phy+0x13c/0x168 [scsi_transport_sas]
>> [562240.465283] lr : sas_port_add_phy+0x13c/0x168 [scsi_transport_sas]
>> [562240.479751] sp : ffff0000300cfa70
>> [562240.674822] Call trace:
>> [562240.682709] sas_port_add_phy+0x13c/0x168 [scsi_transport_sas]
>> [562240.694013] sas_ex_get_linkrate.isra.5+0xcc/0x128 [libsas]
>> [562240.704957] sas_ex_discover_end_dev+0xfc/0x538 [libsas]
>> [562240.715508] sas_ex_discover_dev+0x3cc/0x4b8 [libsas]
>> [562240.725634] sas_ex_discover_devices+0x9c/0x1a8 [libsas]
>> [562240.735855] sas_ex_revalidate_domain+0x2f0/0x450 [libsas]
>> [562240.746123] sas_revalidate_domain+0x158/0x160 [libsas]
>> [562240.756014] process_one_work+0x1b4/0x448
>> [562240.764548] worker_thread+0x54/0x468
>> [562240.772562] kthread+0x134/0x138
>> [562240.779989] ret_from_fork+0x10/0x18
>>
>> What causes this problem:
>> 1. When phy19 was initially added to the parent port, ex_phy->port was
>> not
>
> phy19 is the expander phy attached to the host, right?
>
>> set. As a result, when phy19 was removed from the parent wide port,
>
> You seem to be getting ahead of yourself. It has not been mentioned when
> phy19 is removed from the parent wide port.
>
>> it was
>> not deleted from the phy_list of the parent port.
>>
>> 2. The rate of the newly connected SATA device to phy0 is less than 1.5G,
>> and its sas_address was set to 0. After creating port 7:7:0
>
> is 7:7:0 the port which the SATA device is part of?
>
>> , it attempts to
>> add the expander's other zero-addressed phy to this port.
>>
>> 3. When adding phy19 to port-7:7:0
>
> Which would be the incorrect thing to do, right? I am basing that on my
> assumption that 7:7:0 is the port which the SATA device is part of.
>
>> , it is prompted that phy19 already
>> belongs to another port, which triggers the current problem.
>>
>> Fix the problem as follows:
>> 1. When ex_phy is added to the parent port, set ex_phy->port to
>> ex_dev->parent_port.
>>
>> 2. Set ex_dev->parent_port to NULL when the parent port's PHY count is 0.
>>
>> 3. When phy->attached_dev_type != NO_DEVICE, do not set the zero address
>> for phy->attached_sas_addr.
>>
>> Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
>> Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device
>> attached' conditions")
>> Signed-off-by: Xingui Yang <yangxingui@...wei.com>
>> ---
>> v3 -> v4:
>> 1. Update patch title and comments based on John's suggestion.
>>
>> v2 -> v3:
>> 1. Set ex_dev->parent_port to NULL when the number of PHYs of the parent
>> port becomes 0
>> 2. Update the comments
>>
>> v1 -> v2:
>> 1. Set ex_phy->port with parent_port when ex_phy is added to the
>> parent port
>> 2. Set ex_phy to NULL when free expander
>> 3. Update the comments
>> ---
>> drivers/scsi/libsas/sas_discover.c | 4 +++-
>> drivers/scsi/libsas/sas_expander.c | 8 +++++---
>> drivers/scsi/libsas/sas_internal.h | 1 +
>> 3 files changed, 9 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/scsi/libsas/sas_discover.c
>> b/drivers/scsi/libsas/sas_discover.c
>> index 8fb7c41c0962..8eb3888a9e57 100644
>> --- a/drivers/scsi/libsas/sas_discover.c
>> +++ b/drivers/scsi/libsas/sas_discover.c
>> @@ -296,8 +296,10 @@ void sas_free_device(struct kref *kref)
>> dev->phy = NULL;
>> /* remove the phys and ports, everything else should be gone */
>> - if (dev_is_expander(dev->dev_type))
>> + if (dev_is_expander(dev->dev_type)) {
>> kfree(dev->ex_dev.ex_phy);
>> + dev->ex_dev.ex_phy = NULL;
>
> This is strange, as we free the dev later. Where can dev->ex_dev.ex_phy
> be checked before dev is freed?
Yes, I saw this when locating this problem and detecting resource
release. Usually after calling kfree, we will set the pointer to null.
It has little to do with the current problem. I can delete this part of
the modification.
>
>> + }
>> if (dev_is_sata(dev) && dev->sata_dev.ap) {
>> ata_sas_tport_delete(dev->sata_dev.ap);
>> diff --git a/drivers/scsi/libsas/sas_expander.c
>> b/drivers/scsi/libsas/sas_expander.c
>> index a2204674b680..89d44a9dc4e3 100644
>> --- a/drivers/scsi/libsas/sas_expander.c
>> +++ b/drivers/scsi/libsas/sas_expander.c
>> @@ -239,8 +239,7 @@ static void sas_set_ex_phy(struct domain_device
>> *dev, int phy_id,
>> /* help some expanders that fail to zero sas_address in the 'no
>> * device' case
>> */
>> - if (phy->attached_dev_type == SAS_PHY_UNUSED ||
>> - phy->linkrate < SAS_LINK_RATE_1_5_GBPS)
>> + if (phy->attached_dev_type == SAS_PHY_UNUSED)
>> memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
>> else
>> memcpy(phy->attached_sas_addr, dr->attached_sas_addr,
>> SAS_ADDR_SIZE);
>> @@ -1844,9 +1843,12 @@ static void sas_unregister_devs_sas_addr(struct
>> domain_device *parent,
>> if (phy->port) {
>> sas_port_delete_phy(phy->port, phy->phy);
>> sas_device_set_phy(found, phy->port);
>> - if (phy->port->num_phys == 0)
>> + if (phy->port->num_phys == 0) {
>> list_add_tail(&phy->port->del_list,
>> &parent->port->sas_port_del_list);
>> + if (ex_dev->parent_port == phy->port)
>> + ex_dev->parent_port = NULL;
>> + }
>> phy->port = NULL;
>> }
>> }
>> diff --git a/drivers/scsi/libsas/sas_internal.h
>> b/drivers/scsi/libsas/sas_internal.h
>> index 3804aef165ad..e860d5b19880 100644
>> --- a/drivers/scsi/libsas/sas_internal.h
>> +++ b/drivers/scsi/libsas/sas_internal.h
>> @@ -202,6 +202,7 @@ static inline void sas_add_parent_port(struct
>> domain_device *dev, int phy_id)
>> sas_port_mark_backlink(ex->parent_port);
>> }
>> sas_port_add_phy(ex->parent_port, ex_phy->phy);
>> + ex_phy->port = ex->parent_port;
>
> We already do this in sas_ex_join_wide_port(), right?
No, If the addr of ex_phy matches dev->parent, sas_ex_join_wide_port()
will not be called, but sas_add_parent_port() will be called as follows:
static int sas_ex_discover_dev(struct domain_device *dev, int phy_id)
{
struct expander_device *ex = &dev->ex_dev;
struct ex_phy *ex_phy = &ex->ex_phy[phy_id];
struct domain_device *child = NULL;
int res = 0;
<...>
/* Parent and domain coherency */
if (!dev->parent && sas_phy_match_port_addr(dev->port, ex_phy)) {
sas_add_parent_port(dev, phy_id);
return 0;
}
if (dev->parent && sas_phy_match_dev_addr(dev->parent, ex_phy)) {
sas_add_parent_port(dev, phy_id);
if (ex_phy->routing_attr == TABLE_ROUTING)
sas_configure_phy(dev, phy_id,
dev->port->sas_addr, 1);
return 0;
}
<...>
}
>
> I am not saying that what we do now does not have a problem - I am just
> trying to understand what currently happens
ok, because ex_phy->port is not set when calling sas_add_parent_port(),
when deleting phy from the parent wide port, it is not removed from the
phy_list of the parent wide port as follows:
static void sas_unregister_devs_sas_addr(struct domain_device *parent,
int phy_id, bool last)
{
<...>
// Since ex_phy->port is not set, this branch will not be enter
if (phy->port) {
sas_port_delete_phy(phy->port, phy->phy);
sas_device_set_phy(found, phy->port);
if (phy->port->num_phys == 0) {
list_add_tail(&phy->port->del_list,
&parent->port->sas_port_del_list);
if (ex_dev->parent_port == phy->port)
ex_dev->parent_port = NULL;
}
phy->port = NULL;
}
}
Thanks,
Xingui
.
Powered by blists - more mailing lists