Commit Graph

146 Commits

Author SHA1 Message Date
Kenneth D. Merry
59fe76647c Fix a panic in camperiphfree().
If a peripheral driver (e.g. da, sa, cd) is added or removed from the
peripheral driver list while an unrelated peripheral driver instance (e.g.
da0, sa5, cd2) is going away and is inside camperiphfree(), we could
dereference an invalid pointer.

When peripheral drivers are added or removed (see periphdriver_register()
and periphdriver_unregister()), the peripheral driver array is resized
and existing entries are moved.

Although we hold the topology lock while we traverse the peripheral driver
list, we retain a pointer to the location of the peripheral driver pointer
and then drop the topology lock.  So we are still vulnerable to the list
getting moved around while the lock is dropped.

To solve the problem, cache a copy of the peripheral driver pointer.  If
its storage location in the list changes while we have the lock dropped, it
won't have any effect.

This doesn't solve the issue that peripheral drivers ("da", "cd", as opposed
to individual instances like "da0", "cd0") are not generally part of a
reference counting scheme to guard against deregistering them while there
are instances active.  The caller (generally the person unloading a module)
has to be aware of active drivers and not unload something that is in use.

sys/cam/cam_periph.c:
	In camperiphfree(), cache a pointer to the peripheral driver
	instance to avoid holding a pointer to an invalid memory location
	in the event that the peripheral driver list changes while we have
	the topology lock dropped.

PR:		kern/219701
Submitted by:	avg
MFC after:	3 days
Sponsored by:	Spectra Logic
2017-06-27 19:26:02 +00:00
Scott Long
da0d7209e0 Fix an unsafe malloc usage with sbufs.
Reported by:	ken
Sponsored by:	Netflix
2017-05-03 05:33:15 +00:00
Scott Long
5d01277f59 Add infrastructure to the ATA and SCSI transports that supports
using a driver-supplied sbuf for printing device discovery
announcements. This helps ensure that messages to the console
will be properly serialized (through sbuf_putbuf) and not be
truncated and interleaved with other messages. The
infrastructure mirrors the existing xpt_announce_periph()
entry point and is opt-in for now. No content or formatting
changes are visible to the operator other than the new coherency.

While here, eliminate the stack usage of the temporary
announcement buffer in some of the drivers. It's moved to the
softc for now, but future work will eliminate it entirely by
making the code flow more linear. Future work will also address
locking so that the sbufs can be dynamically sized.

The scsi_da, scs_cd, scsi_ses, and ata_da drivers are converted
at this point, other drivers can be converted at a later date.
A tunable+sysctl, kern.cam.announce_nosbuf, exists for testing
purposes but will be removed later.

TODO:
Eliminate all of the code duplication and temporary buffers.  The
old printf-based methods will be retired, and xpt_announce_periph()
will just be a wrapper that uses a dynamically sized sbuf.  This
requires that the register and deregister paths be made malloc-safe,
which they aren't currently.

Sponsored by:	Netflix
2017-04-19 15:04:52 +00:00
Alexander Motin
94173c3c9b Add mechanism to unload CAM periph drivers.
For now it allows to unload CTL kernel module if there are no target-capable
SIMs in CAM.  As next step full teardown of CAM targets can be implemented.
2017-03-07 17:41:08 +00:00
Alexander Motin
4902e14dc8 Improve CAM_CDB_POINTER support.
MFC after:	2 weeks
2017-01-13 08:31:55 +00:00
Conrad Meyer
8532d381a9 Add BUF_TRACKING and FULL_BUF_TRACKING buffer debugging
Upstream the BUF_TRACKING and FULL_BUF_TRACKING buffer debugging code.
This can be handy in tracking down what code touched hung bios and bufs
last. The full history is especially useful, but adds enough bloat that
it shouldn't be enabled in release builds.

Function names (or arbitrary string constants) are tracked in a
fixed-size ring in bufs. Bios gain a pointer to the upper buf for
tracking. SCSI CCBs gain a pointer to the upper bio for tracking.

Reviewed by:	markj
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D8366
2016-10-31 23:09:52 +00:00
Mark Johnston
991b5d2630 cam_periph_ccbwait could return while ccb in progress
In cam_periph_runccb, cam_periph_ccbwait was using the value of the ccb
pinfo.index and status fields to determine whether the ccb was done,
but these fields are updated without a contending lock and could glitch
into states that would be erroneously interpreted as done.  Instead,
have cam_periph_ccbwait look for the explicit result of the function
cam_periph_done.

Submitted by:	Ryan Libby <rlibby@gmail.com>
Reviewed by:	mav
MFC after:	3 weeks
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D8020
2016-09-30 21:00:09 +00:00
Alexander Motin
cd3752643c Don't report to devd statuses that CAM doesn't consider errors.
Some statuses, such as "ATA pass through information available", are part
part of absolutely normal operation and do not worth reporting.

MFC after:	2 weeks
2016-09-08 13:33:33 +00:00
Eitan Adler
cef367e6a1 Don't repeat the the word 'the'
(one manual change to fix grammar)

Confirmed With: db
Approved by: secteam (not really, but this is a comment typo fix)
2016-05-17 12:52:31 +00:00
Scott Long
de482e7bbb Fix a memory leak in the devctl notify code.
Submitted by:	markj
MFC after:	asap
2016-05-03 14:30:26 +00:00
Pedro F. Giffuni
1ffe58516c sys/cam: spelling fixes in comments.
No functional change.
2016-04-29 21:05:48 +00:00
Warner Losh
e4cc6558b3 tag_action is not used at all in ata. It's set to 1 for ordered
transactions, but that value isn't used. It's bogusly used to report
in devstat, due to a cut and paste error from SCSI. Mark it as unused
in cam_fill_ataio. Reclaim the memory as a new ata_flags. In addition,
tag_id and init_id are completely unused, so reclaim those as 'unused'
now too. These were needlessly copied when ata was split from scsi.

This allows us, in the future, to create structures that can
communicate AUXILIARY regsiter to the SIMs, which cannot be done now.

Differential Revision: https://reviews.freebsd.org/D5598
2016-04-17 05:24:28 +00:00
Scott Long
a30ecd42b8 Add a devctl/devd notification conduit for CAM errors that happen at the
periph level.  When a relevant error is reported to the periph, some
amplifying information is gathered, and the error and information are fed
to devctl with the attributes / keys system=CAM, subsystem=periph.  The
'type' key will be either 'error' or 'timeout', and based on this, various
other keys are also populated.

The purpose of this is to provide a concise mechanism for error reporting
that is less noisy than the system console but higher in resolution and
fidelity than simple sysctl counters.  We will be using it at Netflix to
populate a structured log and database to track errors and error trends
across our world-wide population of drives.

Submitted by:	imp, scottl
Approved by:	kenm
MFC after:	3 days
Sponsored by:	Netflix
Differential Revision:	D5943
2016-04-14 21:55:42 +00:00
Alexander Motin
de2393124c Make pass, sg and targ drivers respect HBA's maxio.
Previous limitation of 64K (DFLTPHYS) is quite annoying.
2015-09-30 13:31:37 +00:00
Jeff Roberson
fade8dd714 Refactor unmapped buffer address handling.
- Use pointer assignment rather than a combination of pointers and
   flags to switch buffers between unmapped and mapped.  This eliminates
   multiple flags and generally simplifies the logic.
 - Eliminate b_saveaddr since it is only used with pager bufs which have
   their b_data re-initialized on each allocation.
 - Gather up some convenience routines in the buffer cache for
   manipulating buf space and buf malloc space.
 - Add an inline, buf_mapped(), to standardize checks around unmapped
   buffers.

In collaboration with: mlaier
Reviewed by:	kib
Tested by:	pho (many small revisions ago)
Sponsored by:	EMC / Isilon Storage Division
2015-07-23 19:13:41 +00:00
Edward Tomasz Napierala
5719711f8b Make periphdriver_register() take XPT lock when modifying the periph_drivers
array.

This fixes a panic that sometimes occured when kldloading ctl.ko.

Reviewed by:	mav@
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
2015-03-02 22:48:11 +00:00
Kenneth D. Merry
fd8be18f3f Fix I/O size calculation for pass(4) driver requests and add latency
tracking.

It is important to subtract the residual from the requested
transfer size to see how much data was actually transferred.  With
tape drives in particular, it is common to request more data than is
returned.

Also, add I/O latency tracking for CAM requests issued by
cam_periph_runccb().

If the caller supplies a struct devstat, and the I/O is a SCSI or
ATA I/O, we will track the elapsed time to provide I/O latency
statistics for the request.

sys/cam/scsi/cam_periph.c:
	In cam_periph_runccb(), subtract the residual when reporting I/O
	totals to devstat(9) for SCSI and ATA passthrough requests.

	In cam_periph_runccb(), grab the I/O start time and supply
	the start time to devstat_end_transaction() so that it can
	calculate the elapsed I/O time.

Sponsored by:	Spectra Logic
MFC after:	1 week
2015-02-27 21:35:36 +00:00
Alexander Motin
174b32ced4 Retry indefinitely on SCSI BUSY status from VMware disks and CDs.
VMware returns BUSY status when storage has transient connectivity issues.
It is often better to wait and let VM admin fix the problem then crash.

Discussed with:	ken
MFC after:	1 week
2015-02-02 20:23:05 +00:00
Marius Strobl
de6a705e34 Don't denounce peripherals on system shutdown. Together with r267321,
we're now back to the pre-r228483 level of default verbosity. This in
turn again typically allows for reading information that userland might
have printed on the screen before initiating a halt, but still permits
to debug potential device shutdown problems on system shutdown via
CAM_DEBUG etc.

Reviewed by:	mav
MFC after:	3 days
Sponsored by:	Bally Wulff Games & Entertainment GmbH
2014-06-19 09:08:20 +00:00
Alexander Motin
357478a5af Do not retry on CAM_FUNC_NOTAVAIL error, but return immediately.
MFC after:	2 weeks
2014-03-04 15:07:00 +00:00
Alexander Motin
c33e40291b Take additional reference on SCSI probe periph to cover its freeze count.
Otherwise periph may be invalidated and freed before single-stepping freeze
is dropped, causing use after free panic.
2014-01-11 13:35:36 +00:00
Alexander Motin
3231e8bddb Fix memory and references leak due to unfreed path.
Coverity CID:	1054773
2013-10-22 13:56:30 +00:00
Alexander Motin
227d67aa54 Merge CAM locking changes from the projects/camlock branch to radically
reduce lock congestion and improve SMP scalability of the SCSI/ATA stack,
preparing the ground for the coming next GEOM direct dispatch support.

Replace big per-SIM locks with bunch of smaller ones:
 - per-LUN locks to protect device and peripheral drivers state;
 - per-target locks to protect list of LUNs on target;
 - per-bus locks to protect reference counting;
 - per-send queue locks to protect queue of CCBs to be sent;
 - per-done queue locks to protect queue of completed CCBs;
 - remaining per-SIM locks now protect only HBA driver internals.

While holding LUN lock it is allowed (while not recommended for performance
reasons) to take SIM lock.  The opposite acquisition order is forbidden.
All the other locks are leaf locks, that can be taken anywhere, but should
not be cascaded.  Many functions, such as: xpt_action(), xpt_done(),
xpt_async(), xpt_create_path(), etc. are no longer require (but allow) SIM
lock to be held.

To keep compatibility and solve cases where SIM lock can't be dropped, all
xpt_async() calls in addition to xpt_done() calls are queued to completion
threads for async processing in clean environment without SIM lock held.

Instead of single CAM SWI thread, used for commands completion processing
before, use multiple (depending on number of CPUs) threads.  Load balanced
between them using "hash" of the device B:T:L address.

HBA drivers that can drop SIM lock during completion processing and have
sufficient number of completion threads to efficiently scale to multiple
CPUs can use new function xpt_done_direct() to avoid extra context switch.
Make ahci(4) driver to use this mechanism depending on hardware setup.

Sponsored by:	iXsystems, Inc.
MFC after:	2 months
2013-10-21 12:00:26 +00:00
Alexander Motin
8d36a71b76 Unify periph invalidation and destruction reporting.
Print message containing device model and serial number on invalidation.

Requested by:   glebius
MFC after:	1 week
2013-10-15 17:59:41 +00:00
Alexander Motin
0d4f3c316e Add debug trace points for freeze/release device queue. 2013-09-01 17:37:19 +00:00
Alexander Motin
a29779e865 Remove droping topology mutex after iterating 100 periphs in CAMGETPASSTHRU.
That is not so slow and so often operation to handle unneeded otherwise
xsoftc.xpt_generation and respective locking complications.
2013-08-07 11:34:20 +00:00
Alexander Motin
e5736ac88c Make some improvements to r253322 to really rescan target, not a bus.
Add there and in two more places checks for NULL on xpt_alloc_ccb_nowait().
2013-07-15 18:17:31 +00:00
Alexander Motin
0181d54b6b Improve handling of 0x3F/0x0E "Reported LUNs data has changed" and 0x25/0x00
"Logical unit not supported" errors.  First initiates specific target rescan,
second -- destroys specific LUN.  That allows to automatically detect changes
in list of device LUNs.  This mechanism doesn't work when target is completely
idle, but probably that is all what can be done without active polling.

Reviewed by:	ken
Sponsored by:	iXsystems, Inc.
2013-07-13 13:35:09 +00:00
Scott Long
95fbded695 Simplify the checking of flags for cam_periph_mapmem(). This gets rid of
a lot of code redundancy and grossness at very minor expense.

Reviewed by:	smh
Obtained from:	Netflix
MFC after:	3 days
2013-06-07 00:22:38 +00:00
Alexander Motin
d38c0e53a8 MFprojects/camlock r249541:
Give periph validity flag own periph reference.  That slightly simplifies
the release logic and covers hypothetical case if lock is dropped inside
the periph_oninval() method.
2013-04-27 12:39:28 +00:00
Alexander Motin
cccf422080 MFprojects/camlock r248890, r248897, r248898, r248900, r248903, r248905,
r248917, r248918, r248978, r249001, r249014, r249030:

Remove multilevel freezing mechanism, implemented to handle specifics of
the ATA/SATA error recovery, when post-reset recovery commands should be
allocated when queues are already full of payload requests.  Instead of
removing frozen CCBs with specified range of priorities from the queue
to provide free openings, use simple hack, allowing explicit CCBs over-
allocation for requests with priority higher (numerically lower) then
CAM_PRIORITY_OOB threshold.

Simplify CCB allocation logic by removing SIM-level allocation queue.
After that SIM-level queue manages only CCBs execution, while allocation
logic is localized within each single device.

Suggested by:	gibbs
2013-04-14 09:28:14 +00:00
Alexander Motin
dcdf6e7418 MFprojects/camlock:
r249017:
Some cosmetic things:
 - Unify device to target insertion inside xpt_alloc_device() instead of
duplicating it three times.
 - Remove extra checks for empty lists of devices and targets on release
since zero refcount check also implies it.
 - Reformat code to reduce indentation.

r249103:
 - Add lock assertions to every point where reference counters are modified.
 - When reference counters are reaching zero, add assertions that there are
no children items left.
 - Add a bit more locking to the xptpdperiphtraverse().
2013-04-04 20:31:40 +00:00
Edward Tomasz Napierala
9e0d30e20d Fix panic in the error path caused by recursive acquisition of XPT topology
lock.

Reviewed by:	ken
2013-04-02 09:38:04 +00:00
Konstantin Belousov
e81ff91e62 Do not remap usermode pages into KVA for physio.
Sponsored by:	The FreeBSD Foundation
Tested by:	pho
2013-03-19 14:43:57 +00:00
Konstantin Belousov
b4862fafd5 Assert that a ccb passed to cam_periph_mapmem() for XPT_SCSI_IO and
XPT_ATA_IO holds virtual buffer address.

Sponsored by:	The FreeBSD Foundation
Tested by:	pho
2013-03-19 13:10:14 +00:00
Kenneth D. Merry
33a38f7453 Fix a panic during CAM EDT traversal.
The problem was a race condition between the EDT traversal used by
things like 'camcontrol devlist', and CAM peripheral driver
removal.

The EDT traversal code holds the CAM topology lock, and wants
to show devices that have been invalidated.  It acquires a
reference to the peripheral to make sure the peripheral it is
examining doesn't go away.

However, because the peripheral removal code in camperiphfree()
drops the CAM topology lock to call the peripheral's destructor
routine, we can run into a situation where the EDT traversal
increments the peripheral reference count after free process is
already in progress.  At that point, the reference count is
ignored, because it was 0 when we started the process.

Fix this race by setting a flag, CAM_PERIPH_FREE, that I previously
added and checked in xptperiphtraverse() and xptpdperiphtravsere(),
but failed to use.  If the EDT traversal code sees that flag,
it will know that the peripheral free process has already started,
and that it should not access that peripheral.

Also, fix an inconsistency in the locking between
xptpdperiphtraverse() and xptperiphtraverse().  They now both
hold the CAM topology lock while calling the peripheral traversal
function.

cam_xpt.c:	Change xptperiphtraverse() to hold the CAM topology
		lock across calls to the traversal function.

		Take out the comment in xptpdperiphtraverse() that
		referenced the locking inconsistency.

cam_periph.c:	Set the CAM_PERIPH_FREE flag when we are in the
		process of freeing a peripheral driver.

Sponsored by:	Spectra Logic Corporation
MFC after:	1 week
2012-12-07 23:48:54 +00:00
Alexander Motin
f8ff57d287 Add explicit check for not set time inside cam_periph_freeze_after_event().
System time is set later on boot process then initial bus scan by CAM.
Until that moment microtime() is equal to microuptime(), and if system
boots quickly, the value can be close to zero. That causes settle time
waiting even for buses that don't use reset during probe.

On my test system this reduces boot time by 1 second if USB enabled, or
by 4 seconds if USB disabled.  CAM waited for ctl2cam0 bus "settle".
2012-10-14 08:50:05 +00:00
Alexander Motin
3631c6382f Implement media change notification for DA and CD removable media devices.
It includes three parts:
 1) Modifications to CAM to detect media media changes and report them to
disk(9) layer. For modern SATA (and potentially UAS) devices it utilizes
Asynchronous Notification mechanism to receive events from hardware.
Active polling with TEST UNIT READY commands with 3 seconds period is used
for incapable hardware. After that both CD and DA drivers work the same way,
detecting two conditions: "NOT READY: Medium not present" after medium was
detected previously, and "UNIT ATTENTION: Not ready to ready change, medium
may have changed". First one reported to disk(9) as media removal, second
as media insert/change. To reliably receive second event new
AC_UNIT_ATTENTION async added to make UAs broadcasted to all periphs by
generic error handling code in cam_periph_error().
 2) Modifications to GEOM core to handle media remove and change events.
Media removal handled by spoiling all consumers attached to the provider.
Media change event also schedules provider retaste after spoiling to probe
new media. New flag G_CF_ORPHAN was added to consumers to reflect that
consumer is in process of destruction. It allows retaste to create new
geom instance of the same class, while previous one is still dying.
 3) Modifications to some GEOM classes: DEV -- to report media change
events to devd; VFS -- to handle spoiling same as orphan to prevent
accessing replaced media. PART class already handles spoiling alike to
orphan.

Reviewed by:	silence on geom@ and scsi@
Tested by:	avg
Sponsored by:	iXsystems, Inc. / PC-BSD
MFC after:	2 months
2012-07-29 11:51:48 +00:00
Kenneth D. Merry
905cb85d78 Fix a typo in a panic() call.
PR:		kern/169497
Submitted by:	Steven Hartland <steven.hartland@multiplay.co.uk>
MFC after:	3 days
2012-06-28 03:36:13 +00:00
Alexander Motin
e7493b2841 Add scsi_extract_sense_ccb() -- wrapper around scsi_extract_sense_len().
It allows to remove number of duplicate checks from several places.
2012-06-23 12:32:53 +00:00
Alexander Motin
84c4de2d47 Don't print SCSI Queue Full and CAM_REQUEUE_REQ statuses as errors if they
were handled and retried. They are part of normal operation for SCSI TCQ.

MFC after:	3 days
2012-06-22 16:20:13 +00:00
Alexander Motin
aed9c88cff Make cam_periph_hold() behavior consistent: drop taken reference and
return ENXIO if periph was invalidated while we were waiting for it.

MFC after:	1 week
2012-06-21 15:14:51 +00:00
Kenneth D. Merry
ea37f51942 Fix several reference counting and object lifetime issues between
the pass(4) and enc(4) drivers and devfs.

The pass(4) driver uses the destroy_dev_sched() routine to
schedule its device node for destruction in a separate thread
context.  It does this because the passcleanup() routine can get
called indirectly from the passclose() routine, and that would
cause a deadlock if the close routine tried to destroy its own
device node.

In any case, once a particular passthrough driver number, e.g.
pass3, is destroyed, CAM considers that unit number (3 in this
case) available for reuse.

The problem is that devfs may not be done cleaning up the previous
instance of pass3, and will panic if isn't done cleaning up the
previous instance.

The solution is to get a callback from devfs when the device node
is removed, and make sure we hold a reference to the peripheral
until that happens.

Testing exposed some other cases where we have reference counting
issues, and those were also fixed in the pass(4) driver.

cam_periph.c:	In camperiphfree(), reorder some of the operations.

		The peripheral destructor needs to be called before
		the peripheral is removed from the peripheral is
		removed from the list.  This is because once we
		remove the peripheral from the list, and drop the
		topology lock, the peripheral number may be reused.
		But if the destructor hasn't been called yet, there
		may still be resources hanging around (like devfs
		nodes) that haven't been fully cleaned up.

cam_xpt.c:	Add an argument to xpt_remove_periph() to indicate
		whether the topology lock is already held.

scsi_enc.c:	Acquire an extra reference to the peripheral during
		registration, and release it once we get a callback
		from devfs indicating that the device node is gone.

		Call destroy_dev_sched_cb() in enc_oninvalidate()
		instead of calling destroy_dev() in the cleanup
		routine.

scsi_pass.c:	Add reference counting to handle peripheral and
		devfs object lifetime issues.

		Add a reference to the peripheral and the devfs
		node in the peripheral registration.

		Don't attempt to add a physical path alias if the
		peripheral has been marked invalid.

		Release the devfs reference once the initial
		physical path alias taskqueue run has completed.

		Schedule devfs node destruction in the
		passoninvalidate(), and release our peripheral
		reference in a new routine, passdevgonecb() once
		the devfs node is gone.  This allows the peripheral
		to fully go away, and the peripheral destructor,
		passcleanup(), will get called.

MFC after:	3 days
Sponsored by:	Spectra Logic
2012-06-20 17:08:00 +00:00
Alexander Motin
0191d9b367 One more major cam_periph_error() rewrite to improve error handling and
reporting. It includes:
 - removing of error messages controlled by bootverbose, replacing them
with more universal and informative debugging on CAM_DEBUG_INFO level,
that is now built into the kernel by default;
 - more close following to the arguments submitted by caller, such as
SF_PRINT_ALWAYS, SF_QUIET_IR and SF_NO_PRINT; consumer knows better which
errors are usual/expected at this point and which are really informative;
 - adding two new flags SF_NO_RECOVERY and SF_NO_RETRY to allow caller
specify how much assistance it needs at this point; previously consumers
controlled that by not calling cam_periph_error() at all, but that made
behavior inconsistent and debugging complicated;
 - tuning debug messages and taken actions order to make debugging output
more readable and cause-effect relationships visible;
 - making camperiphdone() (common device recovery completion handler) to
also use cam_periph_error() in most cases, instead of own dumb code;
 - removing manual sense fetching code from cam_periph_error(); I was told
by number of people that it is SIM obligation to fetch sense data, so this
code is useless and only significantly complicates recovery logic;
 - making ada, da and pass driver to use cam_periph_error() with new limited
recovery options to handle error recovery and debugging in common way;
as one of results, CAM_REQUEUE_REQ and other retrying statuses are now
working fine with pass driver, that caused many problems before.
 - reverting r186891 by raj@ to avoid burning few seconds in tight DELAY()
loops on device probe, while device simply loads media; I think that problem
may already be fixed in other way, and even if it is not, solution must be
different.

Sponsored by:	iXsystems, Inc.
MFC after:	2 weeks
2012-06-09 13:07:44 +00:00
Alexander Motin
22c7d606d5 Add CAM_DEBUG_INFO debug messages for periph created/invalidated/destroyed
and for asyncs sent.
2012-06-07 10:53:42 +00:00
Kenneth D. Merry
6e4e0e26f1 Fix a bug introduced in r230000. We were eliminating all LUNs on a target
in response to CAM_DEV_NOT_THERE, instead of just the LUN in question.

This will now just eliminate the specified LUN in response to
CAM_DEV_NOT_THERE.

Reported by:	Richard Todd <rmtodd@servalan.servalan.com>
MFC after:	3 days
2012-01-25 17:58:47 +00:00
Kenneth D. Merry
8900f4b872 Fix a race condition in CAM peripheral free handling, locking
in the CAM XPT bus traversal code, and a number of other periph level
issues.

cam_periph.h,
cam_periph.c:	Modify cam_periph_acquire() to test the CAM_PERIPH_INVALID
		flag prior to allowing a reference count to be gained
		on a peripheral.  Callers of this function will receive
		CAM_REQ_CMP_ERR status in the situation of attempting to
		reference an invalidated periph.  This guarantees that
		a peripheral scheduled for a deferred free will not
		be accessed during its wait for destruction.

		Panic during attempts to drop a reference count on
		a peripheral that already has a zero reference count.

		In cam_periph_list(), use a local sbuf with SBUF_FIXEDLEN
		set so that mallocs do not occur while the xpt topology
		lock is held, regardless of the allocation policy of the
		passed in sbuf.

		Add a new routine, cam_periph_release_locked_buses(),
		that can be called when the caller already holds
		the CAM topology lock.

		Add some extra debugging for duplicate peripheral
		allocations in cam_periph_alloc().

		Treat CAM_DEV_NOT_THERE much the same as a selection
		timeout (AC_LOST_DEVICE is emitted), but forgo retries.

cam_xpt.c:      Revamp the way the EDT traversal code does locking
		and reference counting.  This was broken, since it
		assumed that the EDT would not change during
		traversal, but that assumption is no longer valid.

		So, to prevent devices from going away while we
		traverse the EDT, make sure we properly lock
		everything and hold references on devices that
		we are using.

		The two peripheral driver traversal routines should
		be examined.  xptpdperiphtraverse() holds the
		topology lock for the entire time it runs.
		xptperiphtraverse() is now locked properly, but
		only holds the topology lock while it is traversing
		the list, and not while the traversal function is
		running.

		The bus locking code in xptbustraverse() should
		also be revisited at a later time, since it is
		complex and should probably be simplified.

scsi_da.c:	Pay attention to the return value from cam_periph_acquire().

		Return 0 always from daclose() even if the disk is now gone.

		Add some rudimentary error injection support.

scsi_sg.c:	Fix reference counting in the sg(4) driver.

		The sg driver was calling cam_periph_release() on close,
		but never called cam_periph_acquire() (which increments
		the reference count) on open.

		The periph code correctly complained that the sg(4)
		driver was trying to decrement the refcount when it
		was already 0.

Sponsored by:	Spectra Logic
MFC after:	2 weeks
2012-01-12 00:41:48 +00:00
Ed Schouten
d745c852be Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
This means that their use is restricted to a single C file.
2011-11-07 06:44:47 +00:00
Kenneth D. Merry
1cc052e80f Add descriptor sense support to CAM, and honor sense residuals properly in
CAM.

Desriptor sense is a new sense data format that originated in SPC-3.  Among
other things, it allows for an 8-byte info field, which is necessary to
pass back block numbers larger than 4 bytes.

This change adds a number of new functions to scsi_all.c (and therefore
libcam) that abstract out most access to sense data.

This includes a bump of CAM_VERSION, because the CCB ABI has changed.
Userland programs that use the CAM pass(4) driver will need to be
recompiled.

camcontrol.c:	Change uses of scsi_extract_sense() to use
		scsi_extract_sense_len().

		Use scsi_get_sks() instead of accessing sense key specific
		data directly.

scsi_modes:	Update the control mode page to the latest version (SPC-4).

scsi_cmds.c,
scsi_target.c:	Change references to struct scsi_sense_data to struct
		scsi_sense_data_fixed.  This should be changed to allow the
		user to specify fixed or descriptor sense, and then use
		scsi_set_sense_data() to build the sense data.

ps3cdrom.c:	Use scsi_set_sense_data() instead of setting sense data
		manually.

cam_periph.c:	Use scsi_extract_sense_len() instead of using
		scsi_extract_sense() or accessing sense data directly.

cam_ccb.h:	Bump the CAM_VERSION from 0x15 to 0x16.  The change of
		struct scsi_sense_data from 32 to 252 bytes changes the
		size of struct ccb_scsiio, but not the size of union ccb.
		So the version must be bumped to prevent structure
		mis-matches.

scsi_all.h:	Lots of updated SCSI sense data and other structures.

		Add function prototypes for the new sense data functions.

		Take out the inline implementation of scsi_extract_sense().
		It is now too large to put in a header file.

		Add macros to calculate whether fields are present and
		filled in fixed and descriptor sense data

scsi_all.c:	In scsi_op_desc(), allow the user to pass in NULL inquiry
		data, and we'll assume a direct access device in that case.

		Changed the SCSI RESERVED sense key name and description
		to COMPLETED, as it is now defined in the spec.

		Change the error recovery action for a number of read errors
		to prevent lots of retries when the drive has said that the
		block isn't accessible.  This speeds up reconstruction of
		the block by any RAID software running on top of the drive
		(e.g. ZFS).

		In scsi_sense_desc(), allow for invalid sense key numbers.
		This allows calling this routine without checking the input
		values first.

		Change scsi_error_action() to use scsi_extract_sense_len(),
		and handle things when invalid asc/ascq values are
		encountered.

		Add a new routine, scsi_desc_iterate(), that will call the
		supplied function for every descriptor in descriptor format
		sense data.

		Add scsi_set_sense_data(), and scsi_set_sense_data_va(),
		which build descriptor and fixed format sense data.  They
		currently default to fixed format sense data.

		Add a number of scsi_get_*() functions, which get different
		types of sense data fields from either fixed or descriptor
		format sense data, if the data is present.

		Add a number of scsi_*_sbuf() functions, which print
		formatted versions of various sense data fields.  These
		functions work for either fixed or descriptor sense.

		Add a number of scsi_sense_*_sbuf() functions, which have a
		standard calling interface and print the indicated field.
		These functions take descriptors only.

		Add scsi_sense_desc_sbuf(), which will print a formatted
		version of the given sense descriptor.

		Pull out a majority of the scsi_sense_sbuf() function and
		put it into scsi_sense_only_sbuf().  This allows callers
		that don't use struct ccb_scsiio to easily utilize the
		printing routines.  Revamp that function to handle
		descriptor sense and use the new sense fetching and
		printing routines.

		Move scsi_extract_sense() into scsi_all.c, and implement it
		in terms of the new function, scsi_extract_sense_len().
		The _len() version takes a length (which should be the
		sense length - residual) and can indicate which fields are
		present and valid in the sense data.

		Add a couple of new scsi_get_*() routines to get the sense
		key, asc, and ascq only.

mly.c:		Rename struct scsi_sense_data to struct
		scsi_sense_data_fixed.

sbp_targ.c:	Use the new sense fetching routines to get sense data
		instead of accessing it directly.

sbp.c:		Change the firewire/SCSI sense data transformation code to
		use struct scsi_sense_data_fixed instead of struct
		scsi_sense_data.  This should be changed later to use
		scsi_set_sense_data().

ciss.c:		Calculate the sense residual properly.  Use
		scsi_get_sense_key() to fetch the sense key.

mps_sas.c,
mpt_cam.c:	Set the sense residual properly.

iir.c:		Use scsi_set_sense_data() instead of building sense data by
		hand.

iscsi_subr.c:	Use scsi_extract_sense_len() instead of grabbing sense data
		directly.

umass.c:	Use scsi_set_sense_data() to build sense data.

		Grab the sense key using scsi_get_sense_key().

		Calculate the sense residual properly.

isp_freebsd.h:	Use scsi_get_*() routines to grab asc, ascq, and sense key
		values.

		Calculate and set the sense residual.

MFC after:	3 days
Sponsored by:	Spectra Logic Corporation
2011-10-03 20:32:55 +00:00
Alexander Motin
a07e846be0 In some cases failed SATA disks may report their presence, but don't
respond to any commands. I've found that because of multiple command
retries, each of which cause 30s timeout, bus reset and another retry or
requeue for many commands, it may take ages to eventually drop the
failed device. The odd thing is that those retries continue even after
XPT considered device as dead and invalidated it.

This patch makes cam_periph_error() to block any command retries after
periph was marked as invalid. With that patch all activity completes in
1-2 minutes, just after several timeouts, required to consider device
death. This should make ZFS, gmirror, graid, etc. operation more robust.

Reviewed by:	mjacob@ on scsi@

Approved by:	re (kib)
2011-07-29 20:30:28 +00:00