* [PATCH v2 0/4] Fix a rare crash in the UFS driver
@ 2024-04-16 17:13 Bart Van Assche
2024-04-16 17:13 ` [PATCH v2 1/4] scsi: ufs: Declare ufshcd_mcq_poll_cqe_lock() once Bart Van Assche
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Bart Van Assche @ 2024-04-16 17:13 UTC (permalink / raw)
To: Martin K . Petersen; +Cc: linux-scsi, Bart Van Assche
Hi Martin,
Sporadic crashes have been observed with the UFS kernel driver if a timeout
occurs. This patch series fixes these crashes. Please consider this patch
series for the next merge window.
Thanks,
Bart.
Changes compared to v1: fixed a build error in the MediaTek driver.
Bart Van Assche (4):
scsi: ufs: Declare ufshcd_mcq_poll_cqe_lock() once
scsi: ufs: Make ufshcd_poll() complain about unsupported arguments
scsi: ufs: Make the polling code report which command has been
completed
scsi: ufs: Check for completion from the timeout handler
drivers/ufs/core/ufs-mcq.c | 25 +++++++++-----
drivers/ufs/core/ufshcd-priv.h | 6 ++--
drivers/ufs/core/ufshcd.c | 61 ++++++++++++++++++++++++++-------
drivers/ufs/host/ufs-mediatek.c | 2 +-
drivers/ufs/host/ufs-qcom.c | 2 +-
include/ufs/ufshcd.h | 3 +-
6 files changed, 72 insertions(+), 27 deletions(-)
* [PATCH v2 1/4] scsi: ufs: Declare ufshcd_mcq_poll_cqe_lock() once
From: Bart Van Assche @ 2024-04-16 17:13 UTC (permalink / raw)
To: Martin K . Petersen
Cc: linux-scsi, Bart Van Assche, James E.J. Bottomley, Stanley Jhu,
Bao D. Nguyen, Can Guo, zhanghui, Po-Wen Kao, Keoseong Park
ufshcd_mcq_poll_cqe_lock() is declared in include/ufs/ufshcd.h and also in
drivers/ufs/core/ufshcd-priv.h. Remove the declaration from the latter file.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/ufs/core/ufshcd-priv.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/ufs/core/ufshcd-priv.h b/drivers/ufs/core/ufshcd-priv.h
index a1add22205db..fb4457a84d11 100644
--- a/drivers/ufs/core/ufshcd-priv.h
+++ b/drivers/ufs/core/ufshcd-priv.h
@@ -72,8 +72,6 @@ u32 ufshcd_mcq_read_cqis(struct ufs_hba *hba, int i);
void ufshcd_mcq_write_cqis(struct ufs_hba *hba, u32 val, int i);
struct ufs_hw_queue *ufshcd_mcq_req_to_hwq(struct ufs_hba *hba,
struct request *req);
-unsigned long ufshcd_mcq_poll_cqe_lock(struct ufs_hba *hba,
- struct ufs_hw_queue *hwq);
void ufshcd_mcq_compl_all_cqes_lock(struct ufs_hba *hba,
struct ufs_hw_queue *hwq);
bool ufshcd_cmd_inflight(struct scsi_cmnd *cmd);
* [PATCH v2 2/4] scsi: ufs: Make ufshcd_poll() complain about unsupported arguments
From: Bart Van Assche @ 2024-04-16 17:13 UTC (permalink / raw)
To: Martin K . Petersen
Cc: linux-scsi, Bart Van Assche, James E.J. Bottomley, Avri Altman,
Stanley Jhu, Can Guo, Peter Wang, Bao D. Nguyen,
Manivannan Sadhasivam, Bean Huo
The ufshcd_poll() implementation does not support queue_num ==
UFSHCD_POLL_FROM_INTERRUPT_CONTEXT in MCQ mode. Hence complain
if queue_num == UFSHCD_POLL_FROM_INTERRUPT_CONTEXT in MCQ mode.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/ufs/core/ufshcd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 0819ddafe7a6..165557611ae0 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -5555,6 +5555,7 @@ static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
struct ufs_hw_queue *hwq;
if (is_mcq_enabled(hba)) {
+ WARN_ON_ONCE(queue_num == UFSHCD_POLL_FROM_INTERRUPT_CONTEXT);
hwq = &hba->uhq[queue_num];
return ufshcd_mcq_poll_cqe_lock(hba, hwq);
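Review bot: The new WARN_ON_ONCE() in the is_mcq_enabled() branch only reports the unsupported argument; the next line, `hwq = &hba->uhq[queue_num];`, still indexes the queue array with it. UFSHCD_POLL_FROM_INTERRUPT_CONTEXT is described in this file as a value that is not an existing queue number, so consider bailing out, e.g. `if (WARN_ON_ONCE(queue_num == UFSHCD_POLL_FROM_INTERRUPT_CONTEXT)) return 0;`, so that the warning path does not go on to operate on an out-of-range hba->uhq entry.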
* [PATCH v2 3/4] scsi: ufs: Make the polling code report which command has been completed
From: Bart Van Assche @ 2024-04-16 17:13 UTC (permalink / raw)
To: Martin K . Petersen
Cc: linux-scsi, Bart Van Assche, James E.J. Bottomley, Peter Wang,
Bjorn Andersson, Konrad Dybcio, Manivannan Sadhasivam,
Matthias Brugger, AngeloGioacchino Del Regno, Stanley Jhu,
Can Guo, Po-Wen Kao, Bao D. Nguyen, ChanWoo Lee, Yang Li,
zhanghui, Keoseong Park, Avri Altman, Bean Huo, Maramaina Naresh,
Akinobu Mita
Prepare for introducing a new __ufshcd_poll() caller that will need to
know whether or not a specific command has been completed.
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/ufs/core/ufs-mcq.c | 25 +++++++++++++-------
drivers/ufs/core/ufshcd-priv.h | 4 ++--
drivers/ufs/core/ufshcd.c | 41 +++++++++++++++++++++++----------
drivers/ufs/host/ufs-mediatek.c | 2 +-
drivers/ufs/host/ufs-qcom.c | 2 +-
include/ufs/ufshcd.h | 3 ++-
6 files changed, 52 insertions(+), 25 deletions(-)
diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c
index 8ffac9f7d07d..fd47ce496138 100644
--- a/drivers/ufs/core/ufs-mcq.c
+++ b/drivers/ufs/core/ufs-mcq.c
@@ -278,17 +278,22 @@ static int ufshcd_mcq_get_tag(struct ufs_hba *hba, struct cq_entry *cqe)
return div_u64(addr, ufshcd_get_ucd_size(hba));
}
-static void ufshcd_mcq_process_cqe(struct ufs_hba *hba,
- struct ufs_hw_queue *hwq)
+/* Returns true if and only if @compl_cmd has been completed. */
+static bool ufshcd_mcq_process_cqe(struct ufs_hba *hba,
+ struct ufs_hw_queue *hwq,
+ struct scsi_cmnd *compl_cmd)
{
struct cq_entry *cqe = ufshcd_mcq_cur_cqe(hwq);
- int tag = ufshcd_mcq_get_tag(hba, cqe);
if (cqe->command_desc_base_addr) {
- ufshcd_compl_one_cqe(hba, tag, cqe);
- /* After processed the cqe, mark it empty (invalid) entry */
+ const int tag = ufshcd_mcq_get_tag(hba, cqe);
+
+ /* Mark the CQE as invalid. */
cqe->command_desc_base_addr = 0;
+
+ return ufshcd_compl_one_cqe(hba, tag, cqe, compl_cmd);
}
+ return false;
}
void ufshcd_mcq_compl_all_cqes_lock(struct ufs_hba *hba,
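Review bot: In ufshcd_mcq_process_cqe() the order of the two operations is swapped without comment: `cqe->command_desc_base_addr = 0;` now runs before `ufshcd_compl_one_cqe(hba, tag, cqe, compl_cmd)`, so the completion path is handed a CQE whose address field has already been cleared. The tag is computed beforehand, so this may be fine, but the commit message only mentions the new return value. Either state that the reordering is intentional or keep the old order by storing the result in a local bool and returning it after the CQE has been marked invalid.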
@@ -299,7 +304,7 @@ void ufshcd_mcq_compl_all_cqes_lock(struct ufs_hba *hba,
spin_lock_irqsave(&hwq->cq_lock, flags);
while (entries > 0) {
- ufshcd_mcq_process_cqe(hba, hwq);
+ ufshcd_mcq_process_cqe(hba, hwq, NULL);
ufshcd_mcq_inc_cq_head_slot(hwq);
entries--;
}
@@ -309,8 +314,10 @@ void ufshcd_mcq_compl_all_cqes_lock(struct ufs_hba *hba,
spin_unlock_irqrestore(&hwq->cq_lock, flags);
}
+/* Clears *@compl_cmd if and only if *@compl_cmd has been completed. */
unsigned long ufshcd_mcq_poll_cqe_lock(struct ufs_hba *hba,
- struct ufs_hw_queue *hwq)
+ struct ufs_hw_queue *hwq,
+ struct scsi_cmnd **compl_cmd)
{
unsigned long completed_reqs = 0;
unsigned long flags;
@@ -318,7 +325,9 @@ unsigned long ufshcd_mcq_poll_cqe_lock(struct ufs_hba *hba,
spin_lock_irqsave(&hwq->cq_lock, flags);
ufshcd_mcq_update_cq_tail_slot(hwq);
while (!ufshcd_mcq_is_cq_empty(hwq)) {
- ufshcd_mcq_process_cqe(hba, hwq);
+ if (ufshcd_mcq_process_cqe(hba, hwq,
+ compl_cmd ? *compl_cmd : NULL))
+ *compl_cmd = NULL;
ufshcd_mcq_inc_cq_head_slot(hwq);
completed_reqs++;
}
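Review bot: `*compl_cmd = NULL;` in the polling loop is safe for callers that pass compl_cmd == NULL only as long as ufshcd_mcq_process_cqe() never returns true when it is given a NULL command. That invariant lives in another file (`return cmd == compl_cmd;` in ufshcd_compl_one_cqe()). An explicit `compl_cmd &&` test in front of the call here would make the dereference locally obvious and keep it safe if the callee changes later.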
diff --git a/drivers/ufs/core/ufshcd-priv.h b/drivers/ufs/core/ufshcd-priv.h
index fb4457a84d11..42802fd689fb 100644
--- a/drivers/ufs/core/ufshcd-priv.h
+++ b/drivers/ufs/core/ufshcd-priv.h
@@ -61,8 +61,8 @@ int ufshcd_query_attr(struct ufs_hba *hba, enum query_opcode opcode,
int ufshcd_query_flag(struct ufs_hba *hba, enum query_opcode opcode,
enum flag_idn idn, u8 index, bool *flag_res);
void ufshcd_auto_hibern8_update(struct ufs_hba *hba, u32 ahit);
-void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
- struct cq_entry *cqe);
+bool ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
+ struct cq_entry *cqe, struct scsi_cmnd *compl_cmd);
int ufshcd_mcq_init(struct ufs_hba *hba);
int ufshcd_mcq_decide_queue_depth(struct ufs_hba *hba);
int ufshcd_mcq_memory_alloc(struct ufs_hba *hba);
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 165557611ae0..c552bf391f79 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -5481,9 +5481,12 @@ void ufshcd_release_scsi_cmd(struct ufs_hba *hba,
* @hba: per adapter instance
* @task_tag: the task tag of the request to be completed
* @cqe: pointer to the completion queue entry
+ * @compl_cmd: if not NULL, check whether this command has been completed
+ *
+ * Returns: true if and only if @compl_cmd has been completed.
*/
-void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
- struct cq_entry *cqe)
+bool ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
+ struct cq_entry *cqe, struct scsi_cmnd *compl_cmd)
{
struct ufshcd_lrb *lrbp;
struct scsi_cmnd *cmd;
@@ -5500,6 +5503,7 @@ void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
ufshcd_release_scsi_cmd(hba, lrbp);
/* Do not touch lrbp after scsi done */
scsi_done(cmd);
+ return cmd == compl_cmd;
} else if (hba->dev_cmd.complete) {
if (cqe) {
ocs = le32_to_cpu(cqe->status) & MASK_OCS;
@@ -5507,20 +5511,26 @@ void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag,
}
complete(hba->dev_cmd.complete);
}
+ return false;
}
/**
* __ufshcd_transfer_req_compl - handle SCSI and query command completion
* @hba: per adapter instance
* @completed_reqs: bitmask that indicates which requests to complete
+ * @compl_cmd: if not NULL, check whether *@compl_cmd has been completed.
+ * Clear *@compl_cmd if it has been completed.
*/
static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
- unsigned long completed_reqs)
+ unsigned long completed_reqs,
+ struct scsi_cmnd **compl_cmd)
{
int tag;
for_each_set_bit(tag, &completed_reqs, hba->nutrs)
- ufshcd_compl_one_cqe(hba, tag, NULL);
+ if (ufshcd_compl_one_cqe(hba, tag, NULL,
+ compl_cmd ? *compl_cmd : NULL))
+ *compl_cmd = NULL;
}
/* Any value that is not an existing queue number is fine for this constant. */
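Review bot: The for_each_set_bit() loop in __ufshcd_transfer_req_compl() now has a three-line if statement as its body but no braces. Kernel coding style asks for braces when a loop contains more than a single simple statement; adding them also keeps `*compl_cmd = NULL;` visibly inside the loop.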
@@ -5547,7 +5557,8 @@ static void ufshcd_clear_polled(struct ufs_hba *hba,
* Return: > 0 if one or more commands have been completed or 0 if no
* requests have been completed.
*/
-static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
+static int __ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num,
+ struct scsi_cmnd **compl_cmd)
{
struct ufs_hba *hba = shost_priv(shost);
unsigned long completed_reqs, flags;
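Review bot: The kernel-doc comment that ends just above the renamed __ufshcd_poll() signature is left untouched by this hunk, so the new compl_cmd parameter is undocumented there. Please add a @compl_cmd entry with the same wording used for __ufshcd_transfer_req_compl() ("if not NULL, check whether *@compl_cmd has been completed. Clear *@compl_cmd if it has been completed.") and check that the function name in that comment matches the new name.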
@@ -5558,7 +5569,7 @@ static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
WARN_ON_ONCE(queue_num == UFSHCD_POLL_FROM_INTERRUPT_CONTEXT);
hwq = &hba->uhq[queue_num];
- return ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ return ufshcd_mcq_poll_cqe_lock(hba, hwq, compl_cmd);
}
spin_lock_irqsave(&hba->outstanding_lock, flags);
@@ -5575,11 +5586,16 @@ static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
spin_unlock_irqrestore(&hba->outstanding_lock, flags);
if (completed_reqs)
- __ufshcd_transfer_req_compl(hba, completed_reqs);
+ __ufshcd_transfer_req_compl(hba, completed_reqs, compl_cmd);
return completed_reqs != 0;
}
+static int ufshcd_poll(struct Scsi_Host *shost, unsigned int queue_num)
+{
+ return __ufshcd_poll(shost, queue_num, NULL);
+}
+
/**
* ufshcd_mcq_compl_pending_transfer - MCQ mode function. It is
* invoked from the error handler context or ufshcd_host_reset_and_restore()
@@ -5623,7 +5639,7 @@ static void ufshcd_mcq_compl_pending_transfer(struct ufs_hba *hba,
}
spin_unlock_irqrestore(&hwq->cq_lock, flags);
} else {
- ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, NULL);
}
}
}
@@ -6898,7 +6914,7 @@ static irqreturn_t ufshcd_handle_mcq_cq_events(struct ufs_hba *hba)
ufshcd_mcq_write_cqis(hba, events, i);
if (events & UFSHCD_MCQ_CQIS_TAIL_ENT_PUSH_STS)
- ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, NULL);
}
return IRQ_HANDLED;
@@ -7391,7 +7407,7 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd)
lrbp->lun == lun) {
ufshcd_clear_cmd(hba, pos);
hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd));
- ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, NULL);
}
}
err = 0;
@@ -7419,7 +7435,8 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd)
__func__, pos);
}
}
- __ufshcd_transfer_req_compl(hba, pending_reqs & ~not_cleared_mask);
+ __ufshcd_transfer_req_compl(hba, pending_reqs & ~not_cleared_mask,
+ NULL);
out:
hba->req_abort_count = 0;
@@ -7596,7 +7613,7 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)
dev_err(hba->dev,
"%s: cmd was completed, but without a notifying intr, tag = %d",
__func__, tag);
- __ufshcd_transfer_req_compl(hba, 1UL << tag);
+ __ufshcd_transfer_req_compl(hba, 1UL << tag, NULL);
goto release;
}
diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c
index c4f997196c57..a89a4106e76d 100644
--- a/drivers/ufs/host/ufs-mediatek.c
+++ b/drivers/ufs/host/ufs-mediatek.c
@@ -1715,7 +1715,7 @@ static irqreturn_t ufs_mtk_mcq_intr(int irq, void *__intr_info)
ufshcd_mcq_write_cqis(hba, events, qid);
if (events & UFSHCD_MCQ_CQIS_TAIL_ENT_PUSH_STS)
- ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, NULL);
return IRQ_HANDLED;
}
diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c
index 0b02e697ea5b..772e4dd35c12 100644
--- a/drivers/ufs/host/ufs-qcom.c
+++ b/drivers/ufs/host/ufs-qcom.c
@@ -1709,7 +1709,7 @@ static irqreturn_t ufs_qcom_mcq_esi_handler(int irq, void *data)
struct ufs_hw_queue *hwq = &hba->uhq[id];
ufshcd_mcq_write_cqis(hba, 0x1, id);
- ufshcd_mcq_poll_cqe_lock(hba, hwq);
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, NULL);
return IRQ_HANDLED;
}
diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h
index 4c60c62eddd6..cf2dc8886607 100644
--- a/include/ufs/ufshcd.h
+++ b/include/ufs/ufshcd.h
@@ -1266,7 +1266,8 @@ void ufshcd_mcq_config_mac(struct ufs_hba *hba, u32 max_active_cmds);
u32 ufshcd_mcq_read_cqis(struct ufs_hba *hba, int i);
void ufshcd_mcq_write_cqis(struct ufs_hba *hba, u32 val, int i);
unsigned long ufshcd_mcq_poll_cqe_lock(struct ufs_hba *hba,
- struct ufs_hw_queue *hwq);
+ struct ufs_hw_queue *hwq,
+ struct scsi_cmnd **compl_cmd);
void ufshcd_mcq_make_queues_operational(struct ufs_hba *hba);
void ufshcd_mcq_enable_esi(struct ufs_hba *hba);
void ufshcd_mcq_enable(struct ufs_hba *hba);
* [PATCH v2 4/4] scsi: ufs: Check for completion from the timeout handler
From: Bart Van Assche @ 2024-04-16 17:13 UTC (permalink / raw)
To: Martin K . Petersen
Cc: linux-scsi, Bart Van Assche, James E.J. Bottomley, Avri Altman,
Stanley Jhu, Can Guo, Peter Wang, Bao D. Nguyen, Andrew Halaney,
Manivannan Sadhasivam, Bean Huo
If ufshcd_abort() returns SUCCESS for an already completed command then
that command is completed twice. This results in a crash. Prevent this by
checking whether a command has completed without completion interrupt from
the timeout handler. This CL fixes the following kernel crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
dma_direct_map_sg+0x70/0x274
scsi_dma_map+0x84/0x124
ufshcd_queuecommand+0x3fc/0x880
scsi_queue_rq+0x7d0/0x111c
blk_mq_dispatch_rq_list+0x440/0xebc
blk_mq_do_dispatch_sched+0x5a4/0x6b8
__blk_mq_sched_dispatch_requests+0x150/0x220
__blk_mq_run_hw_queue+0xf0/0x218
__blk_mq_delay_run_hw_queue+0x8c/0x18c
blk_mq_run_hw_queue+0x1a4/0x360
blk_mq_sched_insert_requests+0x130/0x334
blk_mq_flush_plug_list+0x138/0x234
blk_flush_plug_list+0x118/0x164
blk_finish_plug()
read_pages+0x38c/0x408
page_cache_ra_unbounded+0x230/0x2f8
do_sync_mmap_readahead+0x1a4/0x208
filemap_fault+0x27c/0x8f4
f2fs_filemap_fault+0x28/0xfc
__do_fault+0xc4/0x208
handle_pte_fault+0x290/0xe04
do_handle_mm_fault+0x52c/0x858
do_page_fault+0x5dc/0x798
do_translation_fault+0x40/0x54
do_mem_abort+0x60/0x134
el0_da+0x40/0xb8
el0t_64_sync_handler+0xc4/0xe4
el0t_64_sync+0x1b4/0x1b8
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/ufs/core/ufshcd.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index c552bf391f79..c44515605031 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -8880,6 +8880,25 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
static enum scsi_timeout_action ufshcd_eh_timed_out(struct scsi_cmnd *scmd)
{
struct ufs_hba *hba = shost_priv(scmd->device->host);
+ struct scsi_cmnd *cmd2 = scmd;
+
+ WARN_ON_ONCE(!scmd);
+
+ if (is_mcq_enabled(hba)) {
+ struct request *rq = scsi_cmd_to_rq(scmd);
+ struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
+
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, &cmd2);
+ } else {
+ __ufshcd_poll(hba->host, UFSHCD_POLL_FROM_INTERRUPT_CONTEXT,
+ &cmd2);
+ }
+ if (cmd2 == NULL) {
+ sdev_printk(KERN_INFO, scmd->device,
+ "%s: cmd with tag %#x has already been completed\n",
+ __func__, blk_mq_unique_tag(scsi_cmd_to_rq(scmd)));
+ return SCSI_EH_DONE;
+ }
if (!hba->system_suspending) {
/* Activate the error handler in the SCSI core. */
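Review bot: `WARN_ON_ONCE(!scmd);` comes after the initializer `shost_priv(scmd->device->host)` has already dereferenced scmd, so the check cannot catch anything; drop it or move the hba lookup below it. Separately, the "has already been completed" message reads scmd->device and scsi_cmd_to_rq(scmd) after the poll has reported the command as completed. Saving the tag before polling would avoid touching the command at that point.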
* Re: [PATCH v2 4/4] scsi: ufs: Check for completion from the timeout handler
From: Wenchao Hao @ 2024-04-18 2:55 UTC (permalink / raw)
To: Bart Van Assche, Martin K . Petersen
Cc: linux-scsi, James E.J. Bottomley, Avri Altman, Stanley Jhu,
Can Guo, Peter Wang, Bao D. Nguyen, Andrew Halaney,
Manivannan Sadhasivam, Bean Huo
On 2024/4/17 1:13, Bart Van Assche wrote:
> If ufshcd_abort() returns SUCCESS for an already completed command then
> that command is completed twice. This results in a crash. Prevent this by
> checking whether a command has completed without completion interrupt from
> the timeout handler. This CL fixes the following kernel crash:
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> Call trace:
> dma_direct_map_sg+0x70/0x274
> scsi_dma_map+0x84/0x124
> ufshcd_queuecommand+0x3fc/0x880
> scsi_queue_rq+0x7d0/0x111c
> blk_mq_dispatch_rq_list+0x440/0xebc
> blk_mq_do_dispatch_sched+0x5a4/0x6b8
> __blk_mq_sched_dispatch_requests+0x150/0x220
> __blk_mq_run_hw_queue+0xf0/0x218
> __blk_mq_delay_run_hw_queue+0x8c/0x18c
> blk_mq_run_hw_queue+0x1a4/0x360
> blk_mq_sched_insert_requests+0x130/0x334
> blk_mq_flush_plug_list+0x138/0x234
> blk_flush_plug_list+0x118/0x164
> blk_finish_plug()
> read_pages+0x38c/0x408
> page_cache_ra_unbounded+0x230/0x2f8
> do_sync_mmap_readahead+0x1a4/0x208
> filemap_fault+0x27c/0x8f4
> f2fs_filemap_fault+0x28/0xfc
> __do_fault+0xc4/0x208
> handle_pte_fault+0x290/0xe04
> do_handle_mm_fault+0x52c/0x858
> do_page_fault+0x5dc/0x798
> do_translation_fault+0x40/0x54
> do_mem_abort+0x60/0x134
> el0_da+0x40/0xb8
> el0t_64_sync_handler+0xc4/0xe4
> el0t_64_sync+0x1b4/0x1b8
>
> Signed-off-by: Bart Van Assche <bvanassche@acm.org>
> ---
> drivers/ufs/core/ufshcd.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index c552bf391f79..c44515605031 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -8880,6 +8880,25 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
> static enum scsi_timeout_action ufshcd_eh_timed_out(struct scsi_cmnd *scmd)
> {
> struct ufs_hba *hba = shost_priv(scmd->device->host);
> + struct scsi_cmnd *cmd2 = scmd;
> +
> + WARN_ON_ONCE(!scmd);
> +
> + if (is_mcq_enabled(hba)) {
> + struct request *rq = scsi_cmd_to_rq(scmd);
> + struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
> +
> + ufshcd_mcq_poll_cqe_lock(hba, hwq, &cmd2);
> + } else {
> + __ufshcd_poll(hba->host, UFSHCD_POLL_FROM_INTERRUPT_CONTEXT,
> + &cmd2);
> + }
> + if (cmd2 == NULL) {
> + sdev_printk(KERN_INFO, scmd->device,
> + "%s: cmd with tag %#x has already been completed\n",
> + __func__, blk_mq_unique_tag(scsi_cmd_to_rq(scmd)));
Would this cause a UAF here, because the scsi_cmnd has already been completed?
If a UAF would not happen, I think maybe scmd_printk() would be better than sdev_printk().
> + return SCSI_EH_DONE;
> + }
>
> if (!hba->system_suspending) {
> /* Activate the error handler in the SCSI core. */
>