From: John Garry <john.garry@huawei.com>
To: Damien Le Moal <damien.lemoal@opensource.wdc.com>,
	<linux-scsi@vger.kernel.org>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Xiang Chen <chenxiang66@hisilicon.com>,
	"Jason Yan" <yanaijie@huawei.com>,
	Luo Jiaxing <luojiaxing@huawei.com>
Subject: Re: [PATCH 20/20] scsi: pm8001: fix abort all task initialization
Date: Thu, 10 Feb 2022 14:28:00 +0000
Message-ID: <f3606f3e-43ea-8c98-58f7-3572bbbf816c@huawei.com>
In-Reply-To: <20220210114218.632725-21-damien.lemoal@opensource.wdc.com>

On 10/02/2022 11:42, Damien Le Moal wrote:
> In pm80xx_send_abort_all(), the n_elem field of the ccb used is not
> initialized to 0. This missing initialization sometimes leads to the
> task completion path seeing the ccb with a non-zero n_elem resulting in
> the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),
> causing a crash such as:
> 
> [  197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280
> [  197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012
> [  197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0
> [  197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0
> [  197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b
> [  197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000
> [  197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000
> [  197.741493] FS:  0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000
> [  197.749659] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0
> [  197.762656] Call Trace:
> [  197.765127]  <IRQ>
> [  197.767162]  pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]
> [  197.772364]  ? do_raw_spin_unlock+0x54/0x220
> [  197.776680]  pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]
> [  197.782406]  process_oq+0xe85/0x7890 [pm80xx]
> [  197.786817]  ? lock_acquire+0x194/0x490
> [  197.790697]  ? handle_irq_event+0x10e/0x1b0
> [  197.794920]  ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]
> [  197.800378]  ? __wake_up_bit+0x100/0x100
> [  197.804340]  ? lock_is_held_type+0x98/0x110
> [  197.808565]  pm80xx_chip_isr+0x94/0x130 [pm80xx]
> [  197.813243]  tasklet_action_common.constprop.0+0x24b/0x2f0
> [  197.818785]  __do_softirq+0x1b5/0x82d
> [  197.822485]  ? do_raw_spin_unlock+0x54/0x220
> [  197.826799]  __irq_exit_rcu+0x17e/0x1e0
> [  197.830678]  irq_exit_rcu+0xa/0x20
> [  197.834114]  common_interrupt+0x78/0x90
> [  197.840051]  </IRQ>
> [  197.844236]  <TASK>
> [  197.848397]  asm_common_interrupt+0x1e/0x40
> 

That's nasty.

> Avoid this issue by always initializing the ccb n_elem field to 0 in
> pm8001_send_abort_all(), pm8001_send_read_log() and
> pm80xx_send_abort_all().
> 
> Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes")
> Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
> ---
>   drivers/scsi/pm8001/pm8001_hwi.c | 2 ++
>   drivers/scsi/pm8001/pm80xx_hwi.c | 1 +
>   2 files changed, 3 insertions(+)
> 
> diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
> index 8095eb0b04f7..d853e8d0195a 100644
> --- a/drivers/scsi/pm8001/pm8001_hwi.c
> +++ b/drivers/scsi/pm8001/pm8001_hwi.c
> @@ -1788,6 +1788,7 @@ static void pm8001_send_abort_all(struct pm8001_hba_info *pm8001_ha,
>   	ccb->device = pm8001_ha_dev;
>   	ccb->ccb_tag = ccb_tag;
>   	ccb->task = task;
> +	ccb->n_elem = 0;

Do you think that it would be better to clear this field when we free 
the tag/ccb in pm8001_ccb_task_free()? I will note that there are error 
paths which only free the tag (not ccb), so need to be careful there.

BTW, I see that this never landed:
https://lore.kernel.org/lkml/20211214090337.29156-1-niejianglei2021@163.com/

Though alloc'ing a domain_device in pm8001_send_read_log() is questionable.

Thanks,
John

>   
>   	circularQ = &pm8001_ha->inbnd_q_tbl[0];
>   
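Review bot: Resetting n_elem at this one allocation site cures the symptom but not the cause, which is that a ccb taken from the pool still carries whatever n_elem its previous task left behind; any other path that builds a ccb by hand without this line gets the same dma_unmap_sg() on a task that never mapped anything. Clearing n_elem where the ccb is released (next to the tag free in pm8001_ccb_task_free(), while checking the error paths that free only the tag) or zeroing the ccb when it is taken would cover every caller at once. If the per-site reset stays, a short comment above `ccb->n_elem = 0;` saying that pm8001_ccb_task_free() unmaps n_elem entries would keep it from being dropped later as a redundant store.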
> @@ -1849,6 +1850,7 @@ static void pm8001_send_read_log(struct pm8001_hba_info *pm8001_ha,
>   	ccb->device = pm8001_ha_dev;
>   	ccb->ccb_tag = ccb_tag;
>   	ccb->task = task;
> +	ccb->n_elem = 0;
>   	pm8001_ha_dev->id |= NCQ_READ_LOG_FLAG;
>   	pm8001_ha_dev->id |= NCQ_2ND_RLE_FLAG;
>   
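Review bot: Nothing in this hunk says why a function that maps no scatterlist needs to touch n_elem at all. The reset sits correctly before the `pm8001_ha_dev->id |= NCQ_READ_LOG_FLAG;` flag updates, but a one-line comment that this internally generated read log task has no DMA mapping, so n_elem must be 0 or the completion path will call dma_unmap_sg() with the previous user's element count, would document the invariant the line relies on and make it survive future cleanups.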
> diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c
> index 4d88c0dbcefc..902af4eefa26 100644
> --- a/drivers/scsi/pm8001/pm80xx_hwi.c
> +++ b/drivers/scsi/pm8001/pm80xx_hwi.c
> @@ -1801,6 +1801,7 @@ static void pm80xx_send_abort_all(struct pm8001_hba_info *pm8001_ha,
>   	ccb->device = pm8001_ha_dev;
>   	ccb->ccb_tag = ccb_tag;
>   	ccb->task = task;
> +	ccb->n_elem = 0;
>   
>   	circularQ = &pm8001_ha->inbnd_q_tbl[0];
>   
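Review bot: This is the path the reported trace actually went through (pm8001_mpi_task_abort_resp() -> pm8001_ccb_task_free() from the pm80xx ISR), while the two pm8001_hwi.c hunks are fixed by inspection; the commit message would be clearer if it said so rather than listing the three functions as equals. The single Fixes: c6b9ef5779c3 tag is shared by both files, so it should be checked against the commit that introduced pm80xx_send_abort_all(); if that function came later, a second Fixes: line is needed so stable backports pick up the right hunks.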


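The failure mode described in the commit message, as an added example in C that is not part of the pm8001 driver or of this patch: a constructed model of a reused control block pool, a completion path that calls the unmap helper whenever n_elem is non-zero, and the two candidate fixes discussed in the thread (zero n_elem at the call site, as the patch does, or clear it when the ccb is released, as the reply suggests). The field names mirror the thread (ccb, n_elem, task); the pool, the scatterlist model and the dma_map/unmap stand-ins are assumptions made so the example runs stand-alone.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not driver code: a small pool of command control
 * blocks whose fields persist between users, exactly the property that
 * lets a stale n_elem reach the completion path. */
#define CCB_POOL_SIZE 4
#define MAX_ELEM 8

struct sg_entry { unsigned long dma_addr; unsigned int len; };

struct task {
    struct sg_entry sg[MAX_ELEM];
    int num_sg;
    int mapped;          /* 1 while sg[] holds a live DMA mapping */
};

struct ccb {
    struct task *task;
    unsigned int n_elem; /* mapped sg entries, 0 when nothing was mapped */
    int in_use;
};

static struct ccb ccb_pool[CCB_POOL_SIZE];

/* Stand-ins for dma_map_sg()/dma_unmap_sg(). An unmap with no matching
 * map, or with the wrong element count, is the invalid call the commit
 * message describes; here it is counted instead of crashing. */
static int bad_unmaps;

static int model_dma_map_sg(struct task *t)
{
    t->mapped = 1;
    return t->num_sg;
}

static void model_dma_unmap_sg(struct task *t, unsigned int n_elem)
{
    if (!t->mapped || n_elem != (unsigned int)t->num_sg)
        bad_unmaps++;    /* real driver: iommu_dma_unmap_sg() on garbage */
    t->mapped = 0;
}

/* Take a free slot. Stale fields from the previous user survive. */
static struct ccb *ccb_alloc(void)
{
    for (int i = 0; i < CCB_POOL_SIZE; i++) {
        if (!ccb_pool[i].in_use) {
            ccb_pool[i].in_use = 1;
            return &ccb_pool[i];
        }
    }
    return NULL;
}

/* Completion path: unmap only if the ccb says something was mapped.
 * clear_on_free models the alternative fix of resetting on release. */
static void ccb_task_free(struct ccb *ccb, int clear_on_free)
{
    if (ccb->n_elem)
        model_dma_unmap_sg(ccb->task, ccb->n_elem);
    if (clear_on_free)
        ccb->n_elem = 0;
    ccb->task = NULL;
    ccb->in_use = 0;
}

/* A normal data I/O: maps the scatterlist and records the count. */
static struct ccb *submit_data_io(struct task *t)
{
    struct ccb *ccb = ccb_alloc();
    ccb->task = t;
    ccb->n_elem = model_dma_map_sg(t);
    return ccb;
}

/* An internally generated abort, built like the send_abort_all() paths:
 * no scatterlist is mapped. init_n_elem == 0 mimics the pre-fix code,
 * init_n_elem == 1 the patch's per-call-site `ccb->n_elem = 0;`. */
static struct ccb *submit_abort(struct task *t, int init_n_elem)
{
    struct ccb *ccb = ccb_alloc();
    ccb->task = t;
    if (init_n_elem)
        ccb->n_elem = 0;
    return ccb;
}

/* Data I/O completes, then its pool slot is reused for an abort.
 * Returns how many invalid unmap calls the completion path made. */
static int run_scenario(int init_n_elem, int clear_on_free)
{
    struct task io = { .num_sg = 3 };
    struct task abort_task = { .num_sg = 0 };
    struct ccb *c;

    memset(ccb_pool, 0, sizeof(ccb_pool));
    bad_unmaps = 0;

    c = submit_data_io(&io);
    ccb_task_free(c, clear_on_free);            /* legitimate unmap of 3 */

    c = submit_abort(&abort_task, init_n_elem); /* same slot, stale n_elem */
    ccb_task_free(c, clear_on_free);            /* abort completion */
    return bad_unmaps;
}

int main(void)
{
    printf("no fix:             %d invalid unmap(s)\n", run_scenario(0, 0));
    printf("zero at call site:  %d invalid unmap(s)\n", run_scenario(1, 0));
    printf("clear on free:      %d invalid unmap(s)\n", run_scenario(0, 1));
    return 0;
}
```

Both fixes make the bogus unmap disappear in this model; the difference is where the invariant lives. Zeroing at the call site protects only the callers that remember the line, while clearing on release (or zeroing the ccb when it is taken) protects every caller, which is the trade-off the reply raises.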

Thread overview: 43+ messages
2022-02-10 11:41 [PATCH 00/20] libsas and pm8001 fixes Damien Le Moal
2022-02-10 11:41 ` [PATCH 01/20] scsi: libsas: fix sas_ata_qc_issue() handling of NCQ NON DATA commands Damien Le Moal
2022-02-10 11:42 ` [PATCH 02/20] scsi: libsas: simplify sas_ata_qc_issue() detection of NCQ commands Damien Le Moal
2022-02-10 11:42 ` [PATCH 03/20] scsi: libsas: Remove unnecessary initialization in sas_ata_qc_issue() Damien Le Moal
2022-02-10 11:48   ` John Garry
2022-02-10 11:42 ` [PATCH 04/20] scsi: pm8001: fix __iomem pointer use in pm8001_phy_control() Damien Le Moal
2022-02-11  6:11   ` Christoph Hellwig
2022-02-11  7:03     ` Damien Le Moal
2022-02-10 11:42 ` [PATCH 05/20] scsi: pm8001: Remove local variable in pm8001_pci_resume() Damien Le Moal
2022-02-10 12:04   ` John Garry
2022-02-10 12:13     ` Damien Le Moal
2022-02-10 11:42 ` [PATCH 06/20] scsi: pm8001: Fix pm8001_update_flash() local variable type Damien Le Moal
2022-02-10 11:42 ` [PATCH 07/20] scsi: pm8001: Fix command initialization in pm80XX_send_read_log() Damien Le Moal
2022-02-10 14:32   ` John Garry
2022-02-10 11:42 ` [PATCH 08/20] scsi: pm8001: Fix local variable declaration in pm80xx_pci_mem_copy() Damien Le Moal
2022-02-10 14:42   ` John Garry
2022-02-11  6:14   ` Christoph Hellwig
2022-02-11  7:18     ` Damien Le Moal
2022-02-10 11:42 ` [PATCH 09/20] scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() Damien Le Moal
2022-02-10 11:42 ` [PATCH 10/20] scsi: pm8001: fix payload initialization in pm80xx_set_thermal_config() Damien Le Moal
2022-02-10 14:43   ` John Garry
2022-02-10 11:42 ` [PATCH 11/20] scsi: pm8001: fix le32 values handling in pm80xx_set_sas_protocol_timer_config() Damien Le Moal
2022-02-10 11:42 ` [PATCH 12/20] scsi: pm8001: fix payload initialization in pm80xx_encrypt_update() Damien Le Moal
2022-02-10 11:42 ` [PATCH 13/20] scsi: pm8001: fix le32 values handling in pm80xx_chip_ssp_io_req() Damien Le Moal
2022-02-10 11:42 ` [PATCH 14/20] scsi: pm8001: fix le32 values handling in pm80xx_chip_sata_req() Damien Le Moal
2022-02-10 11:42 ` [PATCH 15/20] scsi: pm8001: fix use of struct set_phy_profile_req fields Damien Le Moal
2022-02-10 11:42 ` [PATCH 16/20] scsi: pm8001: simplify pm8001_get_ncq_tag() Damien Le Moal
2022-02-10 14:50   ` John Garry
2022-02-10 11:42 ` [PATCH 17/20] scsi: pm8001: fix NCQ NON DATA command task initialization Damien Le Moal
2022-02-10 11:42 ` [PATCH 18/20] scsi: pm8001: fix NCQ NON DATA command completion handling Damien Le Moal
2022-02-10 11:42 ` [PATCH 19/20] scsi: pm8001: cleanup pm8001_queue_command() Damien Le Moal
2022-02-10 14:53   ` John Garry
2022-02-10 11:42 ` [PATCH 20/20] scsi: pm8001: fix abort all task initialization Damien Le Moal
2022-02-10 14:28   ` John Garry [this message]
2022-02-10 22:43     ` Damien Le Moal
2022-02-10 15:35 ` [PATCH 00/20] libsas and pm8001 fixes John Garry
2022-02-10 22:44   ` Damien Le Moal
2022-02-11  9:24     ` John Garry
2022-02-11 12:37       ` Damien Le Moal
2022-02-11 13:08         ` John Garry
2022-02-11 13:14           ` Damien Le Moal
2022-02-11 13:54             ` John Garry
2022-02-12  6:19               ` Damien Le Moal
