aacraid broken in git

aacraid broken in git

[Yinghai Lu]

4/18 2.6-git got

Calling initcall 0xffffffff80f10f97: aac_init+0x0/0x95()
Adaptec aacraid driver 1.1-5[2455]-ms
ACPI: PCI Interrupt 0000:04:00.0[A] -> Link [LNEB] -> GSI 18 (level, low) -> IRQ
 18
PCI: Enabling bus mastering for device 0000:04:00.0
PCI: Setting latency timer of device 0000:04:00.0 to 64
AAC0: kernel 5.2-0[15594]
AAC0: monitor 5.2-0[15594]
AAC0: bios 5.2-0[15594]
AAC0: serial AA0009
AAC0: Non-DASD support enabled.
AAC0: 64bit support enabled.
AAC0: 64 Bit DAC enabled
aac_fib_free, XferState != 0, fibptr = 0xffff8108232e0000, XferState = 0x810ad
ACPI: PCI interrupt for device 0000:04:00.0 disabled
aacraid: probe of 0000:04:00.0 failed with error -4
initcall 0xffffffff80f10f97: aac_init+0x0/0x95() returned 0.
initcall 0xffffffff80f10f97 ran for 286 msecs: aac_init+0x0/0x95()


Linux LBSuse 2.6.25-x86-latest.git-01659-g1f8551e #106 SMP Fri Apr 18
18:24:39 PDT 2008 x86_64 x86_64 x86_64 GNU/Linux

YH

Re: aacraid broken in git

[Mark Salyzyn]

Why is ACPI disabling the interrupt? Maybe do bisects on the ACPI  
subsystem as well.

Sincerely -- Mark Salyzyn

On Apr 18, 2008, at 9:55 PM, Yinghai Lu wrote:

> 4/18 2.6-git got
>
> Calling initcall 0xffffffff80f10f97: aac_init+0x0/0x95()
> Adaptec aacraid driver 1.1-5[2455]-ms
> ACPI: PCI Interrupt 0000:04:00.0[A] -> Link [LNEB] -> GSI 18 (level,  
> low) -> IRQ
> 18
> PCI: Enabling bus mastering for device 0000:04:00.0
> PCI: Setting latency timer of device 0000:04:00.0 to 64
> AAC0: kernel 5.2-0[15594]
> AAC0: monitor 5.2-0[15594]
> AAC0: bios 5.2-0[15594]
> AAC0: serial AA0009
> AAC0: Non-DASD support enabled.
> AAC0: 64bit support enabled.
> AAC0: 64 Bit DAC enabled
> aac_fib_free, XferState != 0, fibptr = 0xffff8108232e0000, XferState  
> = 0x810ad
> ACPI: PCI interrupt for device 0000:04:00.0 disabled
> aacraid: probe of 0000:04:00.0 failed with error -4
> initcall 0xffffffff80f10f97: aac_init+0x0/0x95() returned 0.
> initcall 0xffffffff80f10f97 ran for 286 msecs: aac_init+0x0/0x95()
>
>
> Linux LBSuse 2.6.25-x86-latest.git-01659-g1f8551e #106 SMP Fri Apr 18
> 18:24:39 PDT 2008 x86_64 x86_64 x86_64 GNU/Linux
>
> YH

Re: aacraid broken in git

[Yinghai Lu]

On Sat, Apr 19, 2008 at 5:33 AM, Mark Salyzyn <Mark_Salyzyn@adaptec.com> wrote:
> Why is ACPI disabling the interrupt? Maybe do bisects on the ACPI subsystem
> as well.
probe fail, acpi disable irq routing for it.

YH

Re: aacraid broken in git

[Yinghai Lu]

bisected to:

yhlu@mpk12-office-77-185:~/xx/xx/kernel/linux-2.6> git-bisect good
e6990c6448ca9359b6d4ad027c0a6efbf4379e64 is first bad commit
commit e6990c6448ca9359b6d4ad027c0a6efbf4379e64
Author: Mark Salyzyn <Mark_Salyzyn@adaptec.com>
Date:   Mon Apr 14 14:20:16 2008 -0400

    [SCSI] aacraid: Fix down_interruptible() to check the return value

    Instead of ignoring the return value in aac_fib_send() return 2 to
    indicate to the layers above that fib transmission was aborted due to
    timeout.

    Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

:040000 040000 2f23bf33d76d6f37c558251003f88537c6e639fe
63d59091ca7ac527b5106540eea06d7b6649862d M      drivers

[PATCH] aacraid: Fix down_interruptible() to check the return value take 2 (was: aacraid broken in git)

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 2072 bytes --]

On Apr 21, 2008, at 8:42 PM, Yinghai Lu wrote:

> bisected to:
>
> yhlu@mpk12-office-77-185:~/xx/xx/kernel/linux-2.6> git-bisect good
> e6990c6448ca9359b6d4ad027c0a6efbf4379e64 is first bad commit
> commit e6990c6448ca9359b6d4ad027c0a6efbf4379e64
> Author: Mark Salyzyn <Mark_Salyzyn@adaptec.com>
> Date:   Mon Apr 14 14:20:16 2008 -0400
>
>    [SCSI] aacraid: Fix down_interruptible() to check the return value
>
>    Instead of ignoring the return value in aac_fib_send() return 2 to
>    indicate to the layers above that fib transmission was aborted  
> due to
>    timeout.
>
>    Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
>    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com 
> >
>
> :040000 040000 2f23bf33d76d6f37c558251003f88537c6e639fe
> 63d59091ca7ac527b5106540eea06d7b6649862d M      drivers


The return value for down_interruptible was incorrectly checked!  
updated patch enclosed.

This attached patch is against current scsi-misc-2.6 (minus original  
down_interruptible patch).

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments (inline gets damaged, please use  
attachment).

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  drivers/scsi/aacraid/commsup.c |    8 +++++---
  1 file changed, 5 insertions(+), 3 deletions(-)

diff -ru a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/ 
commsup.c
--- a/drivers/scsi/aacraid/commsup.c	2008-04-14 14:08:00.737201138 -0400
+++ b/drivers/scsi/aacraid/commsup.c	2008-04-14 14:09:34.019252960 -0400
@@ -515,10 +515,12 @@
  				}
  				udelay(5);
  			}
-		} else
-			(void)down_interruptible(&fibptr->event_wait);
+		} else if (down_interruptible(&fibptr->event_wait)) {
+			fibptr->done = 2;
+			up(&fibptr->event_wait);
+		}
  		spin_lock_irqsave(&fibptr->event_lock, flags);
-		if (fibptr->done == 0) {
+		if ((fibptr->done == 0) || (fibptr->done == 2)) {
  			fibptr->done = 2; /* Tell interrupt we aborted */
  			spin_unlock_irqrestore(&fibptr->event_lock, flags);
  			return -EINTR;

Sincerely - Mark Salyzyn


[-- Attachment #2: aacraid_down_interruptible2.patch --]
[-- Type: application/octet-stream, Size: 706 bytes --]

diff -ru a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
--- a/drivers/scsi/aacraid/commsup.c	2008-04-14 14:08:00.737201138 -0400
+++ b/drivers/scsi/aacraid/commsup.c	2008-04-14 14:09:34.019252960 -0400
@@ -515,10 +515,12 @@
 				}
 				udelay(5);
 			}
-		} else
-			(void)down_interruptible(&fibptr->event_wait);
+		} else if (down_interruptible(&fibptr->event_wait)) {
+			fibptr->done = 2;
+			up(&fibptr->event_wait);
+		}
 		spin_lock_irqsave(&fibptr->event_lock, flags);
-		if (fibptr->done == 0) {
+		if ((fibptr->done == 0) || (fibptr->done == 2)) {
 			fibptr->done = 2; /* Tell interrupt we aborted */
 			spin_unlock_irqrestore(&fibptr->event_lock, flags);
 			return -EINTR;

[-- Attachment #3: Type: text/plain, Size: 3 bytes --]

Re: [PATCH] aacraid: Fix down_interruptible() to check the return value take 2 (was: aacraid broken in git)

[Yinghai Lu]

On Wed, Apr 23, 2008 at 5:16 AM, Mark Salyzyn <Mark_Salyzyn@adaptec.com> wrote:
> On Apr 21, 2008, at 8:42 PM, Yinghai Lu wrote:
>
>
> > bisected to:
> >
> > yhlu@mpk12-office-77-185:~/xx/xx/kernel/linux-2.6> git-bisect good
> > e6990c6448ca9359b6d4ad027c0a6efbf4379e64 is first bad commit
> > commit e6990c6448ca9359b6d4ad027c0a6efbf4379e64
> > Author: Mark Salyzyn <Mark_Salyzyn@adaptec.com>
> > Date:   Mon Apr 14 14:20:16 2008 -0400
> >
> >   [SCSI] aacraid: Fix down_interruptible() to check the return value
> >
> >   Instead of ignoring the return value in aac_fib_send() return 2 to
> >   indicate to the layers above that fib transmission was aborted due to
> >   timeout.
> >
> >   Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
> >   Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> >
> > :040000 040000 2f23bf33d76d6f37c558251003f88537c6e639fe
> > 63d59091ca7ac527b5106540eea06d7b6649862d M      drivers
> >
>
>
>  The return value for down_interruptible was incorrectly checked! updated
> patch enclosed.
>
>  This attached patch is against current scsi-misc-2.6 (minus original
> down_interruptible patch).
>
>  ObligatoryDisclaimer: Please accept my condolences regarding Outlook's
> handling of patch attachments (inline gets damaged, please use attachment).
>
>  Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>
>
>   drivers/scsi/aacraid/commsup.c |    8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
>
>  diff -ru a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
>  --- a/drivers/scsi/aacraid/commsup.c    2008-04-14 14:08:00.737201138 -0400
>  +++ b/drivers/scsi/aacraid/commsup.c    2008-04-14 14:09:34.019252960 -0400
>  @@ -515,10 +515,12 @@
>                                 }
>                                 udelay(5);
>                         }
>  -               } else
>  -                       (void)down_interruptible(&fibptr->event_wait);
>  +               } else if (down_interruptible(&fibptr->event_wait)) {
>  +                       fibptr->done = 2;
>  +                       up(&fibptr->event_wait);
>  +               }
>                 spin_lock_irqsave(&fibptr->event_lock, flags);
>  -               if (fibptr->done == 0) {
>  +               if ((fibptr->done == 0) || (fibptr->done == 2)) {
>                         fibptr->done = 2; /* Tell interrupt we aborted */
>                         spin_unlock_irqrestore(&fibptr->event_lock, flags);
>                         return -EINTR;
>

it works.

Thanks

YH

[PATCH] aacraid: Fix warning about macro side-effects

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 1018 bytes --]

On some compile environments, warnings are produced regarding the  
usage of aac_logical_to_phys macro.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments (inline gets damaged, please use  
attachment).

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  drivers/scsi/aacraid/aacraid.h |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff -ru a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/ 
aacraid.h
--- a/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:17:53.770782679 -0400
+++ b/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:22:14.338590856 -0400
@@ -34,8 +34,8 @@
  #define CONTAINER_TO_ID(cont)		(cont)
  #define CONTAINER_TO_LUN(cont)		(0)

-#define aac_phys_to_logical(x)  (x+1)
-#define aac_logical_to_phys(x)  (x?x-1:0)
+#define aac_phys_to_logical(x)  ((x)+1)
+#define aac_logical_to_phys(x)  ((x)?(x)-1:0)

  /* #define AAC_DETAILED_STATUS_INFO */


Sincerely - Mark Salyzyn

[-- Attachment #2: aacraid_side_effects.patch --]
[-- Type: application/octet-stream, Size: 531 bytes --]

diff -ru a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
--- a/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:17:53.770782679 -0400
+++ b/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:22:14.338590856 -0400
@@ -34,8 +34,8 @@
 #define CONTAINER_TO_ID(cont)		(cont)
 #define CONTAINER_TO_LUN(cont)		(0)
 
-#define aac_phys_to_logical(x)  (x+1)
-#define aac_logical_to_phys(x)  (x?x-1:0)
+#define aac_phys_to_logical(x)  ((x)+1)
+#define aac_logical_to_phys(x)  ((x)?(x)-1:0)
 
 /* #define AAC_DETAILED_STATUS_INFO */
 

[-- Attachment #3: Type: text/plain, Size: 1 bytes --]

[PATCH] aacraid: Fix jbod operations scan issues

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 895 bytes --]

As JBOD devices (really just Simple Single Drive Volumes exported to  
the SCSI channel) are managed, they fail to update correctly when the  
driver triggers a SCSI scan. In addition, the ability to change  
multiple arrays or JBODs at the same time was resulting in dropped  
scans, set up a mechanism to issue a list of single target scans on a  
single configuration change notification from the Firmware.

Performed some additional sundry cosmetic code style cleanups.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  drivers/scsi/aacraid/commsup.c |   32 +++++++++++++++++++++++++-------
  drivers/scsi/aacraid/linit.c   |   16 +++++++++-------
  2 files changed, 34 insertions(+), 14 deletions(-)

Sincerely - Mark Salyzyn

[-- Attachment #2: aacraid_jbod_scan.patch --]
[-- Type: application/octet-stream, Size: 4182 bytes --]

diff -ru a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
--- a/drivers/scsi/aacraid/commsup.c	2008-04-30 15:29:36.074346998 -0400
+++ b/drivers/scsi/aacraid/commsup.c	2008-04-30 15:38:40.331089743 -0400
@@ -906,15 +906,22 @@
 		case AifEnAddJBOD:
 		case AifEnDeleteJBOD:
 			container = le32_to_cpu(((__le32 *)aifcmd->data)[1]);
-			if ((container >> 28))
+			if ((container >> 28)) {
+				container = (u32)-1;
 				break;
+			}
 			channel = (container >> 24) & 0xF;
-			if (channel >= dev->maximum_num_channels)
+			if (channel >= dev->maximum_num_channels) {
+				container = (u32)-1;
 				break;
+			}
 			id = container & 0xFFFF;
-			if (id >= dev->maximum_num_physicals)
+			if (id >= dev->maximum_num_physicals) {
+				container = (u32)-1;
 				break;
+			}
 			lun = (container >> 16) & 0xFF;
+			container = (u32)-1;
 			channel = aac_phys_to_logical(channel);
 			device_config_needed =
 			  (((__le32 *)aifcmd->data)[0] ==
@@ -933,13 +940,18 @@
 			case EM_DRIVE_REMOVAL:
 				container = le32_to_cpu(
 					((__le32 *)aifcmd->data)[2]);
-				if ((container >> 28))
+				if ((container >> 28)) {
+					container = (u32)-1;
 					break;
+				}
 				channel = (container >> 24) & 0xF;
-				if (channel >= dev->maximum_num_channels)
+				if (channel >= dev->maximum_num_channels) {
+					container = (u32)-1;
 					break;
+				}
 				id = container & 0xFFFF;
 				lun = (container >> 16) & 0xFF;
+				container = (u32)-1;
 				if (id >= dev->maximum_num_physicals) {
 					/* legacy dev_t ? */
 					if ((0x2000 <= id) || lun || channel ||
@@ -1025,9 +1037,10 @@
 		break;
 	}
 
+	container = 0;
+retry_next:
 	if (device_config_needed == NOTHING)
-	for (container = 0; container < dev->maximum_num_containers;
-	    ++container) {
+	for (; container < dev->maximum_num_containers; ++container) {
 		if ((dev->fsa_dev[container].config_waiting_on == 0) &&
 			(dev->fsa_dev[container].config_needed != NOTHING) &&
 			time_before(jiffies, dev->fsa_dev[container].config_waiting_stamp + AIF_SNIFF_TIMEOUT)) {
@@ -1110,6 +1123,11 @@
 	}
 	if (device_config_needed == ADD)
 		scsi_add_device(dev->scsi_host_ptr, channel, id, lun);
+	if (channel == CONTAINER_CHANNEL) {
+		container++;
+		device_config_needed = NOTHING;
+		goto retry_next;
+	}
 }
 
 static int _aac_reset_adapter(struct aac_dev *aac, int forced)
diff -ru a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
--- a/drivers/scsi/aacraid/linit.c	2008-04-30 15:29:36.075346870 -0400
+++ b/drivers/scsi/aacraid/linit.c	2008-04-30 15:38:40.332089616 -0400
@@ -401,6 +401,8 @@
 static int aac_slave_configure(struct scsi_device *sdev)
 {
 	struct aac_dev *aac = (struct aac_dev *)sdev->host->hostdata;
+	if (aac->jbod && (sdev->type == TYPE_DISK))
+		sdev->removable = 1;
 	if ((sdev->type == TYPE_DISK) &&
 			(sdev_channel(sdev) != CONTAINER_CHANNEL) &&
 			(!aac->jbod || sdev->inq_periph_qual) &&
@@ -1106,7 +1108,7 @@
 	aac->pdev = pdev;
 	aac->name = aac_driver_template.name;
 	aac->id = shost->unique_id;
-	aac->cardtype =  index;
+	aac->cardtype = index;
 	INIT_LIST_HEAD(&aac->entry);
 
 	aac->fibs = kmalloc(sizeof(struct fib) * (shost->can_queue + AAC_NUM_MGT_FIB), GFP_KERNEL);
@@ -1146,19 +1148,19 @@
 		goto out_deinit;
 
 	/*
- 	 * Lets override negotiations and drop the maximum SG limit to 34
- 	 */
+	 * Lets override negotiations and drop the maximum SG limit to 34
+	 */
 	if ((aac_drivers[index].quirks & AAC_QUIRK_34SG) &&
 			(shost->sg_tablesize > 34)) {
 		shost->sg_tablesize = 34;
 		shost->max_sectors = (shost->sg_tablesize * 8) + 112;
- 	}
+	}
 
- 	if ((aac_drivers[index].quirks & AAC_QUIRK_17SG) &&
+	if ((aac_drivers[index].quirks & AAC_QUIRK_17SG) &&
 			(shost->sg_tablesize > 17)) {
 		shost->sg_tablesize = 17;
 		shost->max_sectors = (shost->sg_tablesize * 8) + 112;
- 	}
+	}
 
 	error = pci_set_dma_max_seg_size(pdev,
 		(aac->adapter_info.options & AAC_OPT_NEW_COMM) ?
@@ -1174,7 +1176,7 @@
 	else
 		aac->printf_enabled = 0;
 
- 	/*
+	/*
 	 * max channel will be the physical channels plus 1 virtual channel
 	 * all containers are on the virtual channel 0 (CONTAINER_CHANNEL)
 	 * physical channels are address by their actual physical number+1

[-- Attachment #3: Type: text/plain, Size: 1 bytes --]

[PATCH] aacraid: Add Power Management support

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 982 bytes --]

For firmware that supports the feature(s), add the ability to start or  
stop an array using the associated SCSI commands, to automatically  
manage the spin-up of an array on new I/O reporting back the  
appropriate check conditions and actions in cooperation with the  
normal timeout mechanisms and enable the blackout period management in  
the Firmware associated with the background spin-down of the arrays  
when the Firmware times out and deems the arrays as idle.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments.

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  drivers/scsi/aacraid/aachba.c   |  133 ++++++++++++++++++++++++++++++ 
+++++++---
  drivers/scsi/aacraid/aacraid.h  |   24 ++++++-
  drivers/scsi/aacraid/comminit.c |    2
  drivers/scsi/aacraid/linit.c    |    6 +
  4 files changed, 154 insertions(+), 11 deletions(-)

Sincerely - Mark Salyzyn

[-- Attachment #2: aacraid_pm.patch --]
[-- Type: application/octet-stream, Size: 9856 bytes --]

diff -ru a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
--- a/drivers/scsi/aacraid/aachba.c	2008-04-30 15:47:53.564749004 -0400
+++ b/drivers/scsi/aacraid/aachba.c	2008-04-30 15:54:57.827962317 -0400
@@ -498,6 +498,11 @@
 		    (le32_to_cpu(dresp->mnt[0].vol) != CT_NONE) &&
 		    (le32_to_cpu(dresp->mnt[0].state) != FSCS_HIDDEN)) {
 			fsa_dev_ptr->valid = 1;
+			/* sense_key holds the current state of the spin-up */
+			if (dresp->mnt[0].state & cpu_to_le32(FSCS_NOT_READY))
+				fsa_dev_ptr->sense_data.sense_key = NOT_READY;
+			else if (fsa_dev_ptr->sense_data.sense_key == NOT_READY)
+				fsa_dev_ptr->sense_data.sense_key = NO_SENSE;
 			fsa_dev_ptr->type = le32_to_cpu(dresp->mnt[0].vol);
 			fsa_dev_ptr->size
 			  = ((u64)le32_to_cpu(dresp->mnt[0].capacity)) +
@@ -1509,20 +1514,35 @@
 	scsi_dma_unmap(scsicmd);
 
 	readreply = (struct aac_read_reply *)fib_data(fibptr);
-	if (le32_to_cpu(readreply->status) == ST_OK)
-		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | SAM_STAT_GOOD;
-	else {
+	switch (le32_to_cpu(readreply->status)) {
+	case ST_OK:
+		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+			SAM_STAT_GOOD;
+		dev->fsa_dev[cid].sense_data.sense_key = NO_SENSE;
+		break;
+	case ST_NOT_READY:
+		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+			SAM_STAT_CHECK_CONDITION;
+		set_sense(&dev->fsa_dev[cid].sense_data, NOT_READY,
+		  SENCODE_BECOMING_READY, ASENCODE_BECOMING_READY, 0, 0);
+		memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
+		       min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
+			     SCSI_SENSE_BUFFERSIZE));
+		break;
+	default:
 #ifdef AAC_DETAILED_STATUS_INFO
 		printk(KERN_WARNING "io_callback: io failed, status = %d\n",
 		  le32_to_cpu(readreply->status));
 #endif
-		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | SAM_STAT_CHECK_CONDITION;
+		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+			SAM_STAT_CHECK_CONDITION;
 		set_sense(&dev->fsa_dev[cid].sense_data,
 		  HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
 		  ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
 		memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
 		       min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
 			     SCSI_SENSE_BUFFERSIZE));
+		break;
 	}
 	aac_fib_complete(fibptr);
 	aac_fib_free(fibptr);
@@ -1863,6 +1883,84 @@
 	return SCSI_MLQUEUE_HOST_BUSY;
 }
 
+static void aac_start_stop_callback(void *context, struct fib *fibptr)
+{
+	struct scsi_cmnd *scsicmd = context;
+
+	if (!aac_valid_context(scsicmd, fibptr))
+		return;
+
+	BUG_ON(fibptr == NULL);
+
+	scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | SAM_STAT_GOOD;
+
+	aac_fib_complete(fibptr);
+	aac_fib_free(fibptr);
+	scsicmd->scsi_done(scsicmd);
+}
+
+static int aac_start_stop(struct scsi_cmnd *scsicmd)
+{
+	int status;
+	struct fib *cmd_fibcontext;
+	struct aac_power_management *pmcmd;
+	struct scsi_device *sdev = scsicmd->device;
+	struct aac_dev *aac = (struct aac_dev *)sdev->host->hostdata;
+
+	if (!(aac->supplement_adapter_info.SupportedOptions2 &
+	      AAC_OPTION_POWER_MANAGEMENT)) {
+		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+				  SAM_STAT_GOOD;
+		scsicmd->scsi_done(scsicmd);
+		return 0;
+	}
+
+	if (aac->in_reset)
+		return SCSI_MLQUEUE_HOST_BUSY;
+
+	/*
+	 *	Allocate and initialize a Fib
+	 */
+	cmd_fibcontext = aac_fib_alloc(aac);
+	if (!cmd_fibcontext)
+		return SCSI_MLQUEUE_HOST_BUSY;
+
+	aac_fib_init(cmd_fibcontext);
+
+	pmcmd = fib_data(cmd_fibcontext);
+	pmcmd->command = cpu_to_le32(VM_ContainerConfig);
+	pmcmd->type = cpu_to_le32(CT_POWER_MANAGEMENT);
+	/* Eject bit ignored, not relevant */
+	pmcmd->sub = (scsicmd->cmnd[4] & 1) ?
+		cpu_to_le32(CT_PM_START_UNIT) : cpu_to_le32(CT_PM_STOP_UNIT);
+	pmcmd->cid = cpu_to_le32(sdev_id(sdev));
+	pmcmd->parm = (scsicmd->cmnd[1] & 1) ?
+		cpu_to_le32(CT_PM_UNIT_IMMEDIATE) : 0;
+
+	/*
+	 *	Now send the Fib to the adapter
+	 */
+	status = aac_fib_send(ContainerCommand,
+		  cmd_fibcontext,
+		  sizeof(struct aac_power_management),
+		  FsaNormal,
+		  0, 1,
+		  (fib_callback)aac_start_stop_callback,
+		  (void *)scsicmd);
+
+	/*
+	 *	Check that the command queued to the controller
+	 */
+	if (status == -EINPROGRESS) {
+		scsicmd->SCp.phase = AAC_OWNER_FIRMWARE;
+		return 0;
+	}
+
+	aac_fib_complete(cmd_fibcontext);
+	aac_fib_free(cmd_fibcontext);
+	return SCSI_MLQUEUE_HOST_BUSY;
+}
+
 /**
  *	aac_scsi_cmd()		-	Process SCSI command
  *	@scsicmd:		SCSI command block
@@ -1899,7 +1997,9 @@
 			 *	If the target container doesn't exist, it may have
 			 *	been newly created
 			 */
-			if ((fsa_dev_ptr[cid].valid & 1) == 0) {
+			if (((fsa_dev_ptr[cid].valid & 1) == 0) ||
+			  (fsa_dev_ptr[cid].sense_data.sense_key ==
+			   NOT_READY)) {
 				switch (scsicmd->cmnd[0]) {
 				case SERVICE_ACTION_IN:
 					if (!(dev->raw_io_interface) ||
@@ -2091,8 +2191,8 @@
 		scsi_sg_copy_from_buffer(scsicmd, cp, sizeof(cp));
 		/* Do not cache partition table for arrays */
 		scsicmd->device->removable = 1;
-
-		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | SAM_STAT_GOOD;
+		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+		  SAM_STAT_GOOD;
 		scsicmd->scsi_done(scsicmd);
 
 		return 0;
@@ -2187,15 +2287,32 @@
 	 *	These commands are all No-Ops
 	 */
 	case TEST_UNIT_READY:
+		if (fsa_dev_ptr[cid].sense_data.sense_key == NOT_READY) {
+			scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
+				SAM_STAT_CHECK_CONDITION;
+			set_sense(&dev->fsa_dev[cid].sense_data,
+				  NOT_READY, SENCODE_BECOMING_READY,
+				  ASENCODE_BECOMING_READY, 0, 0);
+			memcpy(scsicmd->sense_buffer,
+			       &dev->fsa_dev[cid].sense_data,
+			       min_t(size_t,
+				     sizeof(dev->fsa_dev[cid].sense_data),
+				     SCSI_SENSE_BUFFERSIZE));
+			scsicmd->scsi_done(scsicmd);
+			return 0;
+		}
+		/* FALLTHRU */
 	case RESERVE:
 	case RELEASE:
 	case REZERO_UNIT:
 	case REASSIGN_BLOCKS:
 	case SEEK_10:
-	case START_STOP:
 		scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | SAM_STAT_GOOD;
 		scsicmd->scsi_done(scsicmd);
 		return 0;
+
+	case START_STOP:
+		return aac_start_stop(scsicmd);
 	}
 
 	switch (scsicmd->cmnd[0])
diff -ru a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
--- a/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:47:53.564749004 -0400
+++ b/drivers/scsi/aacraid/aacraid.h	2008-04-30 15:51:33.165908147 -0400
@@ -12,7 +12,7 @@
  *----------------------------------------------------------------------------*/
 
 #ifndef AAC_DRIVER_BUILD
-# define AAC_DRIVER_BUILD 2455
+# define AAC_DRIVER_BUILD 2456
 # define AAC_DRIVER_BRANCH "-ms"
 #endif
 #define MAXIMUM_NUM_CONTAINERS	32
@@ -424,6 +424,8 @@
 	 */
 	__le32	InitFlags;	/* flags for supported features */
 #define INITFLAGS_NEW_COMM_SUPPORTED	0x00000001
+#define INITFLAGS_DRIVER_USES_UTC_TIME	0x00000010
+#define INITFLAGS_DRIVER_SUPPORTS_PM	0x00000020
 	__le32	MaxIoCommands;	/* max outstanding commands */
 	__le32	MaxIoSize;	/* largest I/O command */
 	__le32	MaxFibSize;	/* largest FIB to adapter */
@@ -867,8 +869,10 @@
 };
 #define AAC_FEATURE_FALCON	cpu_to_le32(0x00000010)
 #define AAC_FEATURE_JBOD	cpu_to_le32(0x08000000)
-#define AAC_OPTION_MU_RESET	cpu_to_le32(0x00000001)
-#define AAC_OPTION_IGNORE_RESET	cpu_to_le32(0x00000002)
+/* SupportedOptions2 */
+#define AAC_OPTION_MU_RESET		cpu_to_le32(0x00000001)
+#define AAC_OPTION_IGNORE_RESET		cpu_to_le32(0x00000002)
+#define AAC_OPTION_POWER_MANAGEMENT	cpu_to_le32(0x00000004)
 #define AAC_SIS_VERSION_V3	3
 #define AAC_SIS_SLOT_UNKNOWN	0xFF
 
@@ -1148,6 +1152,7 @@
 #define		ST_DQUOT	69
 #define		ST_STALE	70
 #define		ST_REMOTE	71
+#define		ST_NOT_READY	72
 #define		ST_BADHANDLE	10001
 #define		ST_NOT_SYNC	10002
 #define		ST_BAD_COOKIE	10003
@@ -1269,6 +1274,18 @@
 	u8		data[16];
 };
 
+#define CT_POWER_MANAGEMENT	245
+#define CT_PM_START_UNIT	2
+#define CT_PM_STOP_UNIT		3
+#define CT_PM_UNIT_IMMEDIATE	1
+struct aac_power_management {
+	__le32		command;	/* VM_ContainerConfig */
+	__le32		type;		/* CT_POWER_MANAGEMENT */
+	__le32		sub;		/* CT_PM_* */
+	__le32		cid;
+	__le32		parm;		/* CT_PM_sub_* */
+};
+
 #define CT_PAUSE_IO    65
 #define CT_RELEASE_IO  66
 struct aac_pause {
@@ -1536,6 +1553,7 @@
 #define FSCS_NOTCLEAN	0x0001  /* fsck is necessary before mounting */
 #define FSCS_READONLY	0x0002	/* possible result of broken mirror */
 #define FSCS_HIDDEN	0x0004	/* should be ignored - set during a clear */
+#define FSCS_NOT_READY	0x0008	/* Array spinning up to fulfil request */
 
 struct aac_query_mount {
 	__le32		command;
diff -ru a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
--- a/drivers/scsi/aacraid/comminit.c	2008-04-30 15:47:53.565748877 -0400
+++ b/drivers/scsi/aacraid/comminit.c	2008-04-30 15:51:33.166908020 -0400
@@ -97,6 +97,8 @@
 		init->InitFlags = cpu_to_le32(INITFLAGS_NEW_COMM_SUPPORTED);
 		dprintk((KERN_WARNING"aacraid: New Comm Interface enabled\n"));
 	}
+	init->InitFlags |= cpu_to_le32(INITFLAGS_DRIVER_USES_UTC_TIME |
+				       INITFLAGS_DRIVER_SUPPORTS_PM);
 	init->MaxIoCommands = cpu_to_le32(dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB);
 	init->MaxIoSize = cpu_to_le32(dev->scsi_host_ptr->max_sectors << 9);
 	init->MaxFibSize = cpu_to_le32(dev->max_fib_size);
diff -ru a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
--- a/drivers/scsi/aacraid/linit.c	2008-04-30 15:47:53.566748750 -0400
+++ b/drivers/scsi/aacraid/linit.c	2008-04-30 15:54:14.672433234 -0400
@@ -811,6 +811,12 @@
 				"SAI_READ_CAPACITY_16\n");
 	if (dev->jbod)
 		len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n");
+	if (dev->supplement_adapter_info.SupportedOptions2 &
+		AAC_OPTION_POWER_MANAGEMENT)
+		len += snprintf(buf + len, PAGE_SIZE - len,
+				"SUPPORTED_POWER_MANAGEMENT\n");
+	if (dev->msi)
+		len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
 	return len;
 }
 

[-- Attachment #3: Type: text/plain, Size: 1 bytes --]

[PATCH] aacraid: Add Power Management cards to documentation

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 2657 bytes --]

Update the documented list of products supported by the aacraid driver.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments (inline gets damaged, please use  
attachment).

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  Documentation/scsi/aacraid.txt |   24 +++++++++++++++++++-----
  1 file changed, 19 insertions(+), 5 deletions(-)

diff -ru a/Documentation/scsi/aacraid.txt b/Documentation/scsi/ 
aacraid.txt
--- a/Documentation/scsi/aacraid.txt	2008-05-07 15:15:29.872438789 -0400
+++ b/Documentation/scsi/aacraid.txt	2008-05-07 15:19:01.684932465 -0400
@@ -56,19 +56,33 @@
  	9005:0285:9005:02d1	Adaptec	5405 (Voodoo40)
  	9005:0285:15d9:02d2	SMC	AOC-USAS-S8i-LP
  	9005:0285:15d9:02d3	SMC	AOC-USAS-S8iR-LP
-	9005:0285:9005:02d4	Adaptec	2045 (Voodoo04 Lite)
-	9005:0285:9005:02d5	Adaptec	2405 (Voodoo40 Lite)
-	9005:0285:9005:02d6	Adaptec	2445 (Voodoo44 Lite)
-	9005:0285:9005:02d7	Adaptec	2805 (Voodoo80 Lite)
+	9005:0285:9005:02d4	Adaptec	ASR-2045 (Voodoo04 Lite)
+	9005:0285:9005:02d5	Adaptec	ASR-2405 (Voodoo40 Lite)
+	9005:0285:9005:02d6	Adaptec	ASR-2445 (Voodoo44 Lite)
+	9005:0285:9005:02d7	Adaptec	ASR-2805 (Voodoo80 Lite)
+	9005:0285:9005:02d8	Adaptec	5405G (Voodoo40 PM)
+	9005:0285:9005:02d9	Adaptec	5445G (Voodoo44 PM)
+	9005:0285:9005:02da	Adaptec	5805G (Voodoo80 PM)
+	9005:0285:9005:02db	Adaptec	5085G (Voodoo08 PM)
+	9005:0285:9005:02dc	Adaptec	51245G (Voodoo124 PM)
+	9005:0285:9005:02dd	Adaptec	51645G (Voodoo164 PM)
+	9005:0285:9005:02de	Adaptec	52445G (Voodoo244 PM)
+	9005:0285:9005:02df	Adaptec	ASR-2045G (Voodoo04 Lite PM)
+	9005:0285:9005:02e0	Adaptec	ASR-2405G (Voodoo40 Lite PM)
+	9005:0285:9005:02e1	Adaptec	ASR-2445G (Voodoo44 Lite PM)
+	9005:0285:9005:02e2	Adaptec	ASR-2805G (Voodoo80 Lite PM)
  	1011:0046:9005:0364	Adaptec	5400S (Mustang)
+	1011:0046:9005:0365	Adaptec	5400S (Mustang)
  	9005:0287:9005:0800	Adaptec	Themisto (Jupiter)
  	9005:0200:9005:0200	Adaptec	Themisto (Jupiter)
  	9005:0286:9005:0800	Adaptec	Callisto (Jupiter)
  	1011:0046:9005:1364	Dell	PERC 2/QC (Quad Channel, Mustang)
+	1011:0046:9005:1365	Dell	PERC 2/QC (Quad Channel, Mustang)
  	1028:0001:1028:0001	Dell	PERC 2/Si (Iguana)
  	1028:0003:1028:0003	Dell	PERC 3/Si (SlimFast)
  	1028:0002:1028:0002	Dell	PERC 3/Di (Opal)
-	1028:0004:1028:0004	Dell	PERC 3/DiF (Iguana)
+	1028:0004:1028:0004	Dell	PERC 3/SiF (Iguana)
+	1028:0004:1028:00d0	Dell	PERC 3/DiF (Iguana)
  	1028:0002:1028:00d1	Dell	PERC 3/DiV (Viper)
  	1028:0002:1028:00d9	Dell	PERC 3/DiL (Lexus)
  	1028:000a:1028:0106	Dell	PERC 3/DiJ (Jaguar)

Sincerely - Mark Salyzyn

[-- Attachment #2: aacraid_pm_products.patch --]
[-- Type: application/octet-stream, Size: 2167 bytes --]

diff -ru a/Documentation/scsi/aacraid.txt b/Documentation/scsi/aacraid.txt
--- a/Documentation/scsi/aacraid.txt	2008-05-07 15:15:29.872438789 -0400
+++ b/Documentation/scsi/aacraid.txt	2008-05-07 15:19:01.684932465 -0400
@@ -56,19 +56,33 @@
 	9005:0285:9005:02d1	Adaptec	5405 (Voodoo40)
 	9005:0285:15d9:02d2	SMC	AOC-USAS-S8i-LP
 	9005:0285:15d9:02d3	SMC	AOC-USAS-S8iR-LP
-	9005:0285:9005:02d4	Adaptec	2045 (Voodoo04 Lite)
-	9005:0285:9005:02d5	Adaptec	2405 (Voodoo40 Lite)
-	9005:0285:9005:02d6	Adaptec	2445 (Voodoo44 Lite)
-	9005:0285:9005:02d7	Adaptec	2805 (Voodoo80 Lite)
+	9005:0285:9005:02d4	Adaptec	ASR-2045 (Voodoo04 Lite)
+	9005:0285:9005:02d5	Adaptec	ASR-2405 (Voodoo40 Lite)
+	9005:0285:9005:02d6	Adaptec	ASR-2445 (Voodoo44 Lite)
+	9005:0285:9005:02d7	Adaptec	ASR-2805 (Voodoo80 Lite)
+	9005:0285:9005:02d8	Adaptec	5405G (Voodoo40 PM)
+	9005:0285:9005:02d9	Adaptec	5445G (Voodoo44 PM)
+	9005:0285:9005:02da	Adaptec	5805G (Voodoo80 PM)
+	9005:0285:9005:02db	Adaptec	5085G (Voodoo08 PM)
+	9005:0285:9005:02dc	Adaptec	51245G (Voodoo124 PM)
+	9005:0285:9005:02dd	Adaptec	51645G (Voodoo164 PM)
+	9005:0285:9005:02de	Adaptec	52445G (Voodoo244 PM)
+	9005:0285:9005:02df	Adaptec	ASR-2045G (Voodoo04 Lite PM)
+	9005:0285:9005:02e0	Adaptec	ASR-2405G (Voodoo40 Lite PM)
+	9005:0285:9005:02e1	Adaptec	ASR-2445G (Voodoo44 Lite PM)
+	9005:0285:9005:02e2	Adaptec	ASR-2805G (Voodoo80 Lite PM)
 	1011:0046:9005:0364	Adaptec	5400S (Mustang)
+	1011:0046:9005:0365	Adaptec	5400S (Mustang)
 	9005:0287:9005:0800	Adaptec	Themisto (Jupiter)
 	9005:0200:9005:0200	Adaptec	Themisto (Jupiter)
 	9005:0286:9005:0800	Adaptec	Callisto (Jupiter)
 	1011:0046:9005:1364	Dell	PERC 2/QC (Quad Channel, Mustang)
+	1011:0046:9005:1365	Dell	PERC 2/QC (Quad Channel, Mustang)
 	1028:0001:1028:0001	Dell	PERC 2/Si (Iguana)
 	1028:0003:1028:0003	Dell	PERC 3/Si (SlimFast)
 	1028:0002:1028:0002	Dell	PERC 3/Di (Opal)
-	1028:0004:1028:0004	Dell	PERC 3/DiF (Iguana)
+	1028:0004:1028:0004	Dell	PERC 3/SiF (Iguana)
+	1028:0004:1028:00d0	Dell	PERC 3/DiF (Iguana)
 	1028:0002:1028:00d1	Dell	PERC 3/DiV (Viper)
 	1028:0002:1028:00d9	Dell	PERC 3/DiL (Lexus)
 	1028:000a:1028:0106	Dell	PERC 3/DiJ (Jaguar)

[-- Attachment #3: Type: text/plain, Size: 1 bytes --]

[PATCH] aacraid: prevent copy_from_user() BUG!

[Mark Salyzyn]

[-- Attachment #1: Type: text/plain, Size: 3009 bytes --]

Seen:

	kernel BUG at arch/i386/lib/usercopy.c:872

under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out  
ioctl condition in the aacraid driver.

Adaptec's special ioctl scb passthrough needs to check the validity of  
the individual scatter gather count fields to the maximum the adapter  
supports. Doing so will have the side effect of preventing  
copy_from_user() from bugging out while populating the dma buffers.  
This is a hardening effort, issue was triggered by an errant version  
of the management tools and thus the BUG should not be seen in the  
field.

This attached patch is against current scsi-misc-2.6.

ObligatoryDisclaimer: Please accept my condolences regarding Outlook's  
handling of patch attachments (inline gets damaged, please use  
attachment).

Signed-off-by: Mark Salyzyn <aacraid@adaptec.com>

  drivers/scsi/aacraid/commctrl.c |   32 ++++++++++++++++++++++++++++++ 
++
  1 file changed, 32 insertions(+)

diff -ru a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/ 
commctrl.c
--- a/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:13:39.505105412  
-0400
+++ b/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:16:53.619280840  
-0400
@@ -581,6 +581,14 @@
  			for (i = 0; i < upsg->count; i++) {
  				u64 addr;
  				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
  				/* Does this really need to be GFP_DMA? */
  				p = kmalloc(upsg->sg[i].count,GFP_KERNEL|__GFP_DMA);
  				if(!p) {
@@ -625,6 +633,14 @@
  			for (i = 0; i < usg->count; i++) {
  				u64 addr;
  				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
  				/* Does this really need to be GFP_DMA? */
  				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
  				if(!p) {
@@ -667,6 +683,14 @@
  			for (i = 0; i < upsg->count; i++) {
  				uintptr_t addr;
  				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
  				/* Does this really need to be GFP_DMA? */
  				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
  				if(!p) {
@@ -698,6 +722,14 @@
  			for (i = 0; i < upsg->count; i++) {
  				dma_addr_t addr;
  				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
  				p = kmalloc(upsg->sg[i].count, GFP_KERNEL);
  				if (!p) {
  					dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer -  
size = %d buffer number %d of %d\n",

Sincerely - Mark Salyzyn

[-- Attachment #2: aacraid_copy_from_user_BUG.patch --]
[-- Type: application/octet-stream, Size: 1996 bytes --]

diff -ru a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
--- a/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:13:39.505105412 -0400
+++ b/drivers/scsi/aacraid/commctrl.c	2008-05-28 15:16:53.619280840 -0400
@@ -581,6 +581,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				u64 addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(upsg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -625,6 +633,14 @@
 			for (i = 0; i < usg->count; i++) {
 				u64 addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -667,6 +683,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				uintptr_t addr;
 				void* p;
+				if (usg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
@@ -698,6 +722,14 @@
 			for (i = 0; i < upsg->count; i++) {
 				dma_addr_t addr;
 				void* p;
+				if (upsg->sg[i].count >
+				    (dev->adapter_info.options &
+				     AAC_OPT_NEW_COMM) ?
+				      (dev->scsi_host_ptr->max_sectors << 9) :
+				      65536) {
+					rcode = -EINVAL;
+					goto cleanup;
+				}
 				p = kmalloc(upsg->sg[i].count, GFP_KERNEL);
 				if (!p) {
 					dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",

[-- Attachment #3: Type: text/plain, Size: 1 bytes --]

Re: [PATCH] aacraid: prevent copy_from_user() BUG!

[James Bottomley]

On Wed, 2008-05-28 at 15:32 -0400, Mark Salyzyn wrote:
> Seen:
> 
> 	kernel BUG at arch/i386/lib/usercopy.c:872
> 
> under a 2.6.18-8.el5 kernel. Traced it to a garbage-in/garbage-out  
> ioctl condition in the aacraid driver.
> 
> Adaptec's special ioctl scb passthrough needs to check the validity of  
> the individual scatter gather count fields to the maximum the adapter  
> supports. Doing so will have the side effect of preventing  
> copy_from_user() from bugging out while populating the dma buffers.  
> This is a hardening effort, issue was triggered by an errant version  
> of the management tools and thus the BUG should not be seen in the  
> field.
> 
> This attached patch is against current scsi-misc-2.6.

But not actually compiled I see:

  CC [M]  drivers/scsi/aacraid/commctrl.o
drivers/scsi/aacraid/commctrl.c: In function 'aac_send_raw_srb':
drivers/scsi/aacraid/commctrl.c:587: error: dereferencing pointer to incomplete type
drivers/scsi/aacraid/commctrl.c:639: error: dereferencing pointer to incomplete type
drivers/scsi/aacraid/commctrl.c:689: error: dereferencing pointer to incomplete type
drivers/scsi/aacraid/commctrl.c:728: error: dereferencing pointer to incomplete type

I fixed it using the patch below.

James

---

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index ea96ddb..a735526 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -41,6 +41,7 @@
 #include <linux/kthread.h>
 #include <linux/semaphore.h>
 #include <asm/uaccess.h>
+#include <scsi/scsi_host.h>
 
 #include "aacraid.h"