From: Bart Van Assche <bvanassche@acm.org>
To: "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	Avri Altman <avri.altman@wdc.com>,
	Stanley Jhu <chu.stanley@gmail.com>,
	Can Guo <quic_cang@quicinc.com>,
	Peter Wang <peter.wang@mediatek.com>,
	"Bao D. Nguyen" <quic_nguyenb@quicinc.com>,
	Andrew Halaney <ahalaney@redhat.com>,
	Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
	Bean Huo <beanhuo@micron.com>
Subject: [PATCH v2 4/4] scsi: ufs: Check for completion from the timeout handler
Date: Tue, 16 Apr 2024 10:13:31 -0700
Message-ID: <20240416171357.1062583-5-bvanassche@acm.org>
In-Reply-To: <20240416171357.1062583-1-bvanassche@acm.org>

If ufshcd_abort() returns SUCCESS for an already completed command then
that command is completed twice. This results in a crash. Prevent this by
checking whether a command has completed without completion interrupt from
the timeout handler. This CL fixes the following kernel crash:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
 dma_direct_map_sg+0x70/0x274
 scsi_dma_map+0x84/0x124
 ufshcd_queuecommand+0x3fc/0x880
 scsi_queue_rq+0x7d0/0x111c
 blk_mq_dispatch_rq_list+0x440/0xebc
 blk_mq_do_dispatch_sched+0x5a4/0x6b8
 __blk_mq_sched_dispatch_requests+0x150/0x220
 __blk_mq_run_hw_queue+0xf0/0x218
 __blk_mq_delay_run_hw_queue+0x8c/0x18c
 blk_mq_run_hw_queue+0x1a4/0x360
 blk_mq_sched_insert_requests+0x130/0x334
 blk_mq_flush_plug_list+0x138/0x234
 blk_flush_plug_list+0x118/0x164
 blk_finish_plug()
 read_pages+0x38c/0x408
 page_cache_ra_unbounded+0x230/0x2f8
 do_sync_mmap_readahead+0x1a4/0x208
 filemap_fault+0x27c/0x8f4
 f2fs_filemap_fault+0x28/0xfc
 __do_fault+0xc4/0x208
 handle_pte_fault+0x290/0xe04
 do_handle_mm_fault+0x52c/0x858
 do_page_fault+0x5dc/0x798
 do_translation_fault+0x40/0x54
 do_mem_abort+0x60/0x134
 el0_da+0x40/0xb8
 el0t_64_sync_handler+0xc4/0xe4
 el0t_64_sync+0x1b4/0x1b8

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
 drivers/ufs/core/ufshcd.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index c552bf391f79..c44515605031 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -8880,6 +8880,25 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
 static enum scsi_timeout_action ufshcd_eh_timed_out(struct scsi_cmnd *scmd)
 {
 	struct ufs_hba *hba = shost_priv(scmd->device->host);
+	struct scsi_cmnd *cmd2 = scmd;
+
+	WARN_ON_ONCE(!scmd);
+
+	if (is_mcq_enabled(hba)) {
+		struct request *rq = scsi_cmd_to_rq(scmd);
+		struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
+
+		ufshcd_mcq_poll_cqe_lock(hba, hwq, &cmd2);
+	} else {
+		__ufshcd_poll(hba->host, UFSHCD_POLL_FROM_INTERRUPT_CONTEXT,
+			      &cmd2);
+	}
+	if (cmd2 == NULL) {
+		sdev_printk(KERN_INFO, scmd->device,
+			    "%s: cmd with tag %#x has already been completed\n",
+			    __func__, blk_mq_unique_tag(scsi_cmd_to_rq(scmd)));
+		return SCSI_EH_DONE;
+	}
 
 	if (!hba->system_suspending) {
 		/* Activate the error handler in the SCSI core. */
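
Review bot: the WARN_ON_ONCE(!scmd) at the top of ufshcd_eh_timed_out() cannot catch anything, because scmd is already dereferenced in the initializer above it, "struct ufs_hba *hba = shost_priv(scmd->device->host);". A NULL scmd would fault before the warning is evaluated, so either drop the check or move the hba lookup below it. Separately, the "cmd2 == NULL" test relies on the poll helpers clearing the pointer when they complete scmd, and nothing in this hunk says so; a one-line comment above the if (is_mcq_enabled(hba)) block stating that contract, and why UFSHCD_POLL_FROM_INTERRUPT_CONTEXT is the right mode when called from the timeout handler, would make the early "return SCSI_EH_DONE;" easier to audit. A more descriptive name than cmd2 (for example one that conveys "still pending") would also help.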
