From: Bart Van Assche <bvanassche@acm.org>
To: "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, Bart Van Assche <bvanassche@acm.org>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
Avri Altman <avri.altman@wdc.com>,
Stanley Jhu <chu.stanley@gmail.com>,
Can Guo <quic_cang@quicinc.com>,
Peter Wang <peter.wang@mediatek.com>,
"Bao D. Nguyen" <quic_nguyenb@quicinc.com>,
Andrew Halaney <ahalaney@redhat.com>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
Bean Huo <beanhuo@micron.com>
Subject: [PATCH v2 4/4] scsi: ufs: Check for completion from the timeout handler
Date: Tue, 16 Apr 2024 10:13:31 -0700
Message-ID: <20240416171357.1062583-5-bvanassche@acm.org>
In-Reply-To: <20240416171357.1062583-1-bvanassche@acm.org>

If ufshcd_abort() returns SUCCESS for an already completed command then
that command is completed twice. This results in a crash. Prevent this by
checking whether a command has completed without completion interrupt from
the timeout handler. This CL fixes the following kernel crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Call trace:
dma_direct_map_sg+0x70/0x274
scsi_dma_map+0x84/0x124
ufshcd_queuecommand+0x3fc/0x880
scsi_queue_rq+0x7d0/0x111c
blk_mq_dispatch_rq_list+0x440/0xebc
blk_mq_do_dispatch_sched+0x5a4/0x6b8
__blk_mq_sched_dispatch_requests+0x150/0x220
__blk_mq_run_hw_queue+0xf0/0x218
__blk_mq_delay_run_hw_queue+0x8c/0x18c
blk_mq_run_hw_queue+0x1a4/0x360
blk_mq_sched_insert_requests+0x130/0x334
blk_mq_flush_plug_list+0x138/0x234
blk_flush_plug_list+0x118/0x164
blk_finish_plug()
read_pages+0x38c/0x408
page_cache_ra_unbounded+0x230/0x2f8
do_sync_mmap_readahead+0x1a4/0x208
filemap_fault+0x27c/0x8f4
f2fs_filemap_fault+0x28/0xfc
__do_fault+0xc4/0x208
handle_pte_fault+0x290/0xe04
do_handle_mm_fault+0x52c/0x858
do_page_fault+0x5dc/0x798
do_translation_fault+0x40/0x54
do_mem_abort+0x60/0x134
el0_da+0x40/0xb8
el0t_64_sync_handler+0xc4/0xe4
el0t_64_sync+0x1b4/0x1b8
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
---
drivers/ufs/core/ufshcd.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index c552bf391f79..c44515605031 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -8880,6 +8880,25 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
static enum scsi_timeout_action ufshcd_eh_timed_out(struct scsi_cmnd *scmd)
{
struct ufs_hba *hba = shost_priv(scmd->device->host);
+ struct scsi_cmnd *cmd2 = scmd;
+
+ WARN_ON_ONCE(!scmd);
+
+ if (is_mcq_enabled(hba)) {
+ struct request *rq = scsi_cmd_to_rq(scmd);
+ struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
+
+ ufshcd_mcq_poll_cqe_lock(hba, hwq, &cmd2);
+ } else {
+ __ufshcd_poll(hba->host, UFSHCD_POLL_FROM_INTERRUPT_CONTEXT,
+ &cmd2);
+ }
+ if (cmd2 == NULL) {
+ sdev_printk(KERN_INFO, scmd->device,
+ "%s: cmd with tag %#x has already been completed\n",
+ __func__, blk_mq_unique_tag(scsi_cmd_to_rq(scmd)));
+ return SCSI_EH_DONE;
+ }
if (!hba->system_suspending) {
/* Activate the error handler in the SCSI core. */
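Review bot: In ufshcd_eh_timed_out(), the added WARN_ON_ONCE(!scmd) comes after the existing initializer `struct ufs_hba *hba = shost_priv(scmd->device->host);`, which has already dereferenced scmd, so the warning can never fire before a NULL scmd faults. Either drop the check or move the shost_priv() call below it. Separately, cmd2 is used as an in/out argument: it is initialized to scmd, passed by address to ufshcd_mcq_poll_cqe_lock() or __ufshcd_poll(), and then tested against NULL to mean "this command has already been completed". Nothing in the hunk states that contract, so a one-line comment above the `if (cmd2 == NULL)` test, and a more descriptive name than cmd2, would make the early `return SCSI_EH_DONE;` easier to verify. The non-MCQ branch also passes UFSHCD_POLL_FROM_INTERRUPT_CONTEXT from a function that is the timeout handler; a comment explaining why that flag is the right one here would help.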
Thread overview: 6+ messages
2024-04-16 17:13 [PATCH v2 0/4] Fix a rare crash in the UFS driver Bart Van Assche
2024-04-16 17:13 ` [PATCH v2 1/4] scsi: ufs: Declare ufshcd_mcq_poll_cqe_lock() once Bart Van Assche
2024-04-16 17:13 ` [PATCH v2 2/4] scsi: ufs: Make ufshcd_poll() complain about unsupported arguments Bart Van Assche
2024-04-16 17:13 ` [PATCH v2 3/4] scsi: ufs: Make the polling code report which command has been completed Bart Van Assche
2024-04-16 17:13 ` Bart Van Assche [this message]
2024-04-18 2:55 ` [PATCH v2 4/4] scsi: ufs: Check for completion from the timeout handler Wenchao Hao