[1/1] core: ufs: fix racing issue between force complete and isr

Message ID 20231024084324.12197-1-alice.chao@mediatek.com
State New

Commit Message

Alice Chao Oct. 24, 2023, 8:43 a.m. UTC
  From: Alice Chao <alice.chao@mediatek.com>

When the error handler force-completes a command (Thread A) while the
completion irq for the same command is raised (Thread B), a race condition
may occur.

Below are the racing steps (from 1 to 6):
	ufshcd_mcq_compl_pending_transfer (Thread A)
1	if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) {
5		spin_lock_irqsave(&hwq->cq_lock, flags);	// wait lock release
		set_host_byte(cmd, DID_REQUEUE);
6		ufshcd_release_scsi_cmd(hba, lrbp);	// access null pointer
		scsi_done(cmd);
		spin_unlock_irqrestore(&hwq->cq_lock, flags);
	}

	ufshcd_mcq_poll_cqe_lock (Thread B)
2	spin_lock_irqsave(&hwq->cq_lock, flags);
	 ufshcd_mcq_poll_cqe_nolock()
	  ufshcd_compl_one_cqe()
3	   ufshcd_release_scsi_cmd()	// lrbp->cmd = NULL;
4	spin_unlock_irqrestore(&hwq->cq_lock, flags);

Signed-off-by: Alice Chao <alice.chao@mediatek.com>
---
 drivers/ufs/core/ufshcd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
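
The six-step interleaving described above, replayed deterministically in userspace C as an added example (not code from this patch or from the UFS driver). `struct cmd`, `struct lrb`, `isr_complete()` and `force_complete()` are simplified stand-ins, and a pthread mutex stands in for `hwq->cq_lock`.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: these types and helpers are illustrative, not the driver's. */
enum { DID_REQUEUE = 0x0d };
struct cmd { bool complete; int host_byte; };
struct lrb { struct cmd *cmd; };
static pthread_mutex_t cq_lock = PTHREAD_MUTEX_INITIALIZER;

/* Thread B, steps 2-4: the completion path runs entirely under cq_lock. */
static void isr_complete(struct lrb *lrbp)
{
	pthread_mutex_lock(&cq_lock);
	if (lrbp->cmd) {
		lrbp->cmd->complete = true;
		lrbp->cmd = NULL;		/* step 3 */
	}
	pthread_mutex_unlock(&cq_lock);
}

/*
 * Thread A. The interrupt is replayed inline just before the lock is taken,
 * so the interleaving is deterministic. check_under_lock=false models the
 * original ordering, true the patched one.
 * Returns 1 = force-completed, 0 = skipped, -1 = release saw lrbp->cmd == NULL.
 */
static int force_complete(struct lrb *lrbp, bool check_under_lock, bool irq_fires)
{
	struct cmd *cmd = lrbp->cmd;
	bool pending = false;
	int ret = 0;

	if (!check_under_lock)
		pending = cmd && !cmd->complete;	/* step 1, unlocked */
	if (irq_fires)
		isr_complete(lrbp);			/* steps 2-4 */
	pthread_mutex_lock(&cq_lock);			/* step 5 */
	if (check_under_lock)
		pending = cmd && !cmd->complete;	/* patched: test under lock */
	if (pending) {
		cmd->host_byte = DID_REQUEUE;
		ret = lrbp->cmd ? 1 : -1;		/* step 6: NULL here is the crash */
		lrbp->cmd = NULL;
	}
	pthread_mutex_unlock(&cq_lock);
	return ret;
}
```

With the interrupt replayed, the original ordering returns -1 and also overwrites the host byte of a command that has already completed; the patched ordering returns 0 and leaves the command untouched.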
  

Comments

Bart Van Assche Oct. 24, 2023, 7 p.m. UTC | #1
On 10/24/23 01:43, alice.chao@mediatek.com wrote:
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index 8382e8cfa414..ef6bd146a767 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -5518,13 +5518,13 @@ static void ufshcd_mcq_compl_pending_transfer(struct ufs_hba *hba,
>   			 * For those cmds of which the cqes are not present
>   			 * in the cq, complete them explicitly.
>   			 */
> +			spin_lock_irqsave(&hwq->cq_lock, flags);
>   			if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) {
> -				spin_lock_irqsave(&hwq->cq_lock, flags);
>   				set_host_byte(cmd, DID_REQUEUE);
>   				ufshcd_release_scsi_cmd(hba, lrbp);
>   				scsi_done(cmd);
> -				spin_unlock_irqrestore(&hwq->cq_lock, flags);
>   			}
> +			spin_unlock_irqrestore(&hwq->cq_lock, flags);
>   		} else {
>   			ufshcd_mcq_poll_cqe_lock(hba, hwq);
>   		}
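
Review bot: The comment block above the new `spin_lock_irqsave(&hwq->cq_lock, flags);` still only says that these commands are completed explicitly; it gives no reason for the lock now covering the `test_bit(SCMD_STATE_COMPLETE, &cmd->state)` check. A sentence there stating that the check and `ufshcd_release_scsi_cmd()` must be atomic with respect to the completion path would keep a later cleanup from narrowing the critical section back to the body of the `if`.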

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
  
Martin K. Petersen Oct. 25, 2023, 2:43 a.m. UTC | #2
Alice,

> When the error handler force-completes a command (Thread A) while the
> completion irq for the same command is raised (Thread B), a race
> condition may occur.

Applied to 6.7/scsi-staging, thanks!
  
Greg KH Oct. 25, 2023, 8:31 a.m. UTC | #3
On Wed, Oct 25, 2023 at 07:20:53AM +0000, Alice Chao (趙珮均) wrote:
> Can we take it to the LTS version(6.1)?

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
  

Patch

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 8382e8cfa414..ef6bd146a767 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -5518,13 +5518,13 @@  static void ufshcd_mcq_compl_pending_transfer(struct ufs_hba *hba,
 			 * For those cmds of which the cqes are not present
 			 * in the cq, complete them explicitly.
 			 */
+			spin_lock_irqsave(&hwq->cq_lock, flags);
 			if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) {
-				spin_lock_irqsave(&hwq->cq_lock, flags);
 				set_host_byte(cmd, DID_REQUEUE);
 				ufshcd_release_scsi_cmd(hba, lrbp);
 				scsi_done(cmd);
-				spin_unlock_irqrestore(&hwq->cq_lock, flags);
 			}
+			spin_unlock_irqrestore(&hwq->cq_lock, flags);
 		} else {
 			ufshcd_mcq_poll_cqe_lock(hba, hwq);
 		}
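
Review bot: In the `if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state))` test, which now runs under `hwq->cq_lock`, `cmd` is a local whose assignment lies outside this hunk. The commit message shows the completion path clearing `lrbp->cmd` under the same lock, so if `cmd` was loaded before `spin_lock_irqsave()`, the NULL half of the test cannot observe that clear and the check depends entirely on SCMD_STATE_COMPLETE already being set when the ISR drops the lock. Consider re-reading `lrbp->cmd` after taking the lock, or spelling out that dependency in the comment above the lock.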