From mboxrd@z Thu Jan  1 00:00:00 1970
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: Re: kernel BUG in drivers/scsi/53c700.c:1129
Date: Fri, 10 Jun 2016 14:33:41 -0700
Message-ID: <1465594421.2224.58.camel@HansenPartnership.com>
References: <5759C524.2030009@gmx.de>
	 <1465511002.2259.19.camel@HansenPartnership.com>  <575B2239.4020403@gmx.de>
	 <1465592285.20724.173.camel@localhost.localdomain>
	 <1465592473.2224.52.camel@HansenPartnership.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Cc: "linux-parisc@vger.kernel.org" <linux-parisc@vger.kernel.org>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	Christoph Hellwig <hch@infradead.org>
To: emilne@redhat.com, Helge Deller <deller@gmx.de>
Return-path: <linux-parisc-owner@vger.kernel.org>
In-Reply-To: <1465592473.2224.52.camel@HansenPartnership.com>
List-ID: <linux-parisc.vger.kernel.org>
List-Id: linux-parisc.vger.kernel.org

On Fri, 2016-06-10 at 14:01 -0700, James Bottomley wrote:
> On Fri, 2016-06-10 at 16:58 -0400, Ewan D. Milne wrote:
> > I'm not sure if this is the problem, but the tagging changes to
> > scsi_tcq.h may have altered the 53c700 driver's assumptions.
> > In one case it sets sdev->current_cmnd and then some of the
> > tagging calls would return it if the tag was SCSI_NO_TAG.
> > 
> > NCR_700_queuecommand_lck() does:
> > 
> >         if ((hostdata->tag_negotiated & (1<<scmd_id(SCp))) &&
> >             SCp->device->simple_tags) {
> >                 slot->tag = SCp->request->tag;
> >                 CDEBUG(KERN_DEBUG, SCp, "sending out tag %d, slot
> > %p\n",
> >                        slot->tag, slot);
> >         } else {
> >                 slot->tag = SCSI_NO_TAG;
> >                 /* must populate current_cmnd for
> > scsi_host_find_tag
> > to
> > work */
> >                 SCp->device->current_cmnd = SCp;
> >         }
> 
> Thanks ... I was just about to look for something this.  I'd got to
> interpreting the script as reselected with tag information present 
> and then trying to look the command up with no tag present, hence the
> BUG().

Yes, you're right, it's

commit 64d513ac31bd02a3c9b69ef04444f36c196f9a9d
Author: Christoph Hellwig <hch@lst.de>
Date:   Thu Oct 8 09:28:04 2015 +0100

    scsi: use host wide tags by default

Again.  This time because it's transformation of the handling of
SCSI_NO_TAG is wrong.  You can't replace the return sdev->current_cmnd
original in scsi_find_tag with the NULL return in scsi_find_host_tag.

I think this changesets wins the prize for the greatest number of
generated faults.

Does this fix 53c700.c?

I suppose we'd better look for other places where no tag fell through
...

James

---

diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c
index d4c2856..3ddc85e 100644
--- a/drivers/scsi/53c700.c
+++ b/drivers/scsi/53c700.c
@@ -1122,7 +1122,7 @@ process_script_interrupt(__u32 dsps, __u32 dsp, struct scsi_cmnd *SCp,
 		} else {
 			struct scsi_cmnd *SCp;
 
-			SCp = scsi_host_find_tag(SDp->host, SCSI_NO_TAG);
+			SCp = SDp->current_cmnd;
 			if(unlikely(SCp == NULL)) {
 				sdev_printk(KERN_ERR, SDp,
 					"no saved request for untagged cmd\n");
@@ -1826,7 +1826,7 @@ NCR_700_queuecommand_lck(struct scsi_cmnd *SCp, void (*done)(struct scsi_cmnd *)
 		       slot->tag, slot);
 	} else {
 		slot->tag = SCSI_NO_TAG;
-		/* must populate current_cmnd for scsi_host_find_tag to work */
+		/* save current command for reselection */
 		SCp->device->current_cmnd = SCp;
 	}
 	/* sanity check: some of the commands generated by the mid-layer