SCSI WG agenda item 6.8 Q'ing data integrity problem

SPRENKLE_TODD at tandem.com
Fri Sep 9 09:50:00 PDT 1994


Sept '94 SCSI Working Group attendees,

This message is in response to John Lohmeyer's draft agenda message
for the X3T10 SCSI Working Group Sept 13-14, 1994. Agenda item 6.8 is
"SCSI Queuing Data Integrity Problem?", based on my earlier query to
the reflector. Since I won't be attending the X3T10 meetings, I
thought it might be useful to follow up on my original message with a
clearer statement of the problem and our progress on it.

Thanks,
Todd Sprenkle                                 sprenkle_todd at tandem.com

----------------------------------------------------------------------

We're developing host software to use SCSI-2 tagged queuing. We want
to avoid writing data to the wrong drive after a drive swap or to the
wrong media after media swap. Such a swap results in a unit attention
condition.

Assume that the drive doesn't support extended contingent allegiance.
So the contingent allegiance condition resulting from a CHECK
CONDITION status is cleared by a REQUEST SENSE command. Also assume
that an Automatic Request Sense feature of the host adaptor SCSI
controller chip is used.

Note that the host won't learn of the unit attention condition until
the REQUEST SENSE command has completed, since the unit attention
condition is indicated in the sense key within the sense data. Since
the contingent allegiance condition will have been cleared by the time
the host learns of the unit attention condition, we need to be sure
that any commands that make it to the drive before the unit attention
condition is initially reported are not executed.

For example, suppose that sometime after the drive or media is swapped
and comes ready -- but before the host knows about the swap -- the
host sends three write commands in quick succession. If the drive can
end up taking the first command, disconnecting, taking the second
command, disconnecting, and taking the third command before presenting
CHECK CONDITION for the unit attention condition, then we must
guarantee non-execution of all three of the commands that were
accepted by the drive before the initial reporting of the unit
attention condition.

Towards the end of section 7.8.2 (Tagged Queuing) of SCSI-2 revision
10k -- as pointed out by Milton Scritsmier (Array Technology) -- there
is a sentence that says "If commands are combined by the queuing
algorithm such that the exception condition affects more than one
command, then a contingent allegiance condition shall be generated for
all affected commands." I don't know if this sentence was meant to
apply to the scenario described above, but the behavior seems to be
what is needed. That is, it seems that the drive should report the
unit attention condition to all commands that were queued prior to the
initial unit attention reporting.

Unfortunately, it doesn't appear that the major drive vendors have
covered this potential data integrity problem. Their drives can end up
queuing the multiple write commands but only reporting the unit
attention condition on one of the queued commands. The other queued
write commands can end up inappropriately executing on the swapped
drive or media.

For the drive swap case, we have come up with a workaround protection
of configuring a saved DQue=1 MODE SELECT Control Mode parameter bit
and then activating DQue=0 mode during normal operation. After a drive
swap, subsequent tagged commands will get rejected because the drive
reverts to the saved DQue=1. The host must activate the DQue=0 mode
again to continue normal operation.

We don't yet have an equivalent workaround protection for the case of
media swap rather than drive swap.

----------------------------------------------------------------------
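
The scenario in the message above as a toy model, added here as an illustration and not part of the original message or any drive firmware: it compares a drive that reports the unit attention on one queued command, a drive that reports it on every queued command, and the saved DQue=1 workaround. The names `Drive`, `ua_policy` and `writes_after_swap` are constructed for this example, and "rejected" is modeled as a plain status, following the message's description.

```python
# Toy model, constructed for illustration; not a SCSI implementation.
GOOD, CHECK, REJECTED = "GOOD", "CHECK CONDITION", "REJECTED"

class Drive:
    def __init__(self, ua_policy, saved_dque=0):
        self.ua_policy = ua_policy    # "one": UA reported on a single queued command
                                      # "all": UA reported on every queued command
        self.dque = saved_dque        # a freshly inserted drive starts from its saved DQue
        self.unit_attention = True    # pending after the swap
        self.queue, self.media = [], []

    def mode_select_dque(self, value):
        """Host changes the current (not saved) DQue value."""
        self.dque = value

    def tagged_write(self, tag, data):
        """Accept a tagged WRITE and disconnect, or reject it when DQue=1."""
        if self.dque == 1:
            return REJECTED
        self.queue.append((tag, data))
        return None                   # status arrives later, after reconnect

    def run_queue(self):
        """Process the queued commands and return {tag: status}."""
        status = {}
        for tag, data in self.queue:
            if self.unit_attention:
                status[tag] = CHECK
                if self.ua_policy == "one":
                    # Automatic REQUEST SENSE clears the contingent allegiance
                    # before the host has seen the unit attention sense key.
                    self.unit_attention = False
            else:
                self.media.append(data)   # write lands on the swapped drive
                status[tag] = GOOD
        self.queue.clear()
        self.unit_attention = False
        return status

def writes_after_swap(ua_policy, saved_dque=0):
    """Host, unaware of the swap, sends three tagged writes in quick succession."""
    drive = Drive(ua_policy, saved_dque)
    accepted = [drive.tagged_write(t, f"data-{t}") for t in (1, 2, 3)]
    return accepted, drive.run_queue(), drive.media
```

With `ua_policy="one"` two of the three writes reach the swapped drive; with `"all"` or with `saved_dque=1` none do.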
