| Message ID | 1702913550-20631-1-git-send-email-quic_cang@quicinc.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:24d3:b0:fb:cd0c:d3e with SMTP id r19csp1326797dyi;
Mon, 18 Dec 2023 07:37:08 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFWnMu+URswikvZJt9fBpG7EZa4OEYC8oLpjj9RsKp67o94xv4DC390KSSx0iuFcFCDV7K9
X-Received: by 2002:a17:907:2d12:b0:a19:9b79:8b45 with SMTP id
gs18-20020a1709072d1200b00a199b798b45mr7803626ejc.86.1702913828650;
Mon, 18 Dec 2023 07:37:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702913828; cv=none;
d=google.com; s=arc-20160816;
b=jrUWQ8khAGbxwEDywfG2/ZZIy+cyVJVvOBRqG1fMlL5u6BuLJtRMCjhSoElbwxDxSB
WjUvgDS1cJ41WiN49MGz/BRui3OnJF0wne3kpeOu5+APuZjq2n8WoDBIMUAmR8FAL88b
bJ1fveX9/9lUYPF+L5KLBDDol2egP6ImAVbKnzqoaNbvgbuGmKbycZ+M0GqbDWjF+xxC
ucZUpgCKiKZfwVPD7RiPOfHirIuvYG+h+cBvCQEsc4iu1XWQM+vW1HwSv+C9VZ26fAI8
qO79s7KdC5ksHimTQdw9CiTxhhqcYFXPCM2L2P5wWffXYcdYUrgjBmEVUvW62QzIlUSb
24Ww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-unsubscribe:list-subscribe:list-id:precedence:message-id:date
:subject:cc:to:from:dkim-signature;
bh=Ow5SPTTNB88VcAirt4L0hAseb2z31VaLkP7mDGOMQDA=;
fh=CyUE7rnnbeS/9yd/oCkZJdsj+YtKXai8jFtWzhDSzOQ=;
b=yaxuC6QZMDGIi4mHCq8/u7KCl+OcoQNoOGTiz9c2vclgIDnL2Y8jMGI2n2k+5miMIO
zrldwRzldTEfLmEmwu/q6uR3YkiNvHHenceot9X5+zs1cVDIhGasjbjBbmHDdI9W7U6w
VeYsd7DfQIqCHjdMxQMWGanNjDVZO+IpgkBDGMyb3r2xkCZmCw3TBFH1ADbW9/sl9kIU
G/8fQ4Db1YRTM7oF0V8I5NSoSHYf9oErXHF/Mgk4JGCCkjl6YGWtLZjJ+gk45ezwsJyq
PzcjZzaeRfcHSgifQDNrUPupJ+4X4OYSUqiDF+dABLj657gEWqNZ8uR5jNrAIMkGrMeW
GC2g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=iQ24PMGu;
spf=pass (google.com: domain of
linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.80.249 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
by mx.google.com with ESMTPS id
v10-20020a170906564a00b00a2345201760si1511428ejr.48.2023.12.18.07.37.08
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 18 Dec 2023 07:37:08 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=iQ24PMGu;
spf=pass (google.com: domain of
linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org designates
147.75.80.249 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-3940-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by am.mirrors.kernel.org (Postfix) with ESMTPS id A3D951F25A63
for <ouuuleilei@gmail.com>; Mon, 18 Dec 2023 15:35:23 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id F37CE42377;
Mon, 18 Dec 2023 15:35:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com
header.b="iQ24PMGu"
X-Original-To: linux-kernel@vger.kernel.org
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com
[205.220.168.131])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75D293D54D;
Mon, 18 Dec 2023 15:34:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=quicinc.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=qualcomm.com
Received: from pps.filterd (m0279863.ppops.net [127.0.0.1])
by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id
3BIAsWg9018798;
Mon, 18 Dec 2023 15:33:53 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=
from:to:cc:subject:date:message-id; s=qcppdkim1; bh=Ow5SPTTNB88V
cAirt4L0hAseb2z31VaLkP7mDGOMQDA=; b=iQ24PMGu8XqJCIvZjt2R/W/gBFtI
wsvbFvOzqZvsRYEaqykLSNPv17pH72X1hRHJjbv2zAIvMwtNHqMc0TWcbjBJZzix
4AiFwvbfRC9Mc8tpVsTJCcpMD1pDLXbfay7hUK3uKCiBY5AX/y0FVc6SGtQ2aiYz
pd0qtHJmfvc27Uwz5ZVh1/w3m2ZpQIEMs0LXlXU99SLonXxlVufA8bbTS9K/dqOP
xaWP/BsVWRKYsQYkz928wfO9ftfNOg8jsv+b37tPMiFyYlH9z6CaQ5LMWvYOC7EV
BG9Ufw+PhTMarXdqfy5lJQ3DEMJ9Gv3uqH2hkKQT0Gqhqvj+e8vQRCWrUQ==
Received: from nasanppmta04.qualcomm.com (i-global254.qualcomm.com
[199.106.103.254])
by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3v2mfe0n99-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Mon, 18 Dec 2023 15:33:53 +0000 (GMT)
Received: from pps.filterd (NASANPPMTA04.qualcomm.com [127.0.0.1])
by NASANPPMTA04.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTP id
3BIFWXT3029489;
Mon, 18 Dec 2023 15:33:52 GMT
Received: from pps.reinject (localhost [127.0.0.1])
by NASANPPMTA04.qualcomm.com (PPS) with ESMTP id 3v14ykw605-1;
Mon, 18 Dec 2023 15:33:52 +0000
Received: from NASANPPMTA04.qualcomm.com (NASANPPMTA04.qualcomm.com
[127.0.0.1])
by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 3BIFXqos031583;
Mon, 18 Dec 2023 15:33:52 GMT
Received: from stor-dylan.qualcomm.com (stor-dylan.qualcomm.com
[192.168.140.207])
by NASANPPMTA04.qualcomm.com (PPS) with ESMTP id 3BIFXpFx031579;
Mon, 18 Dec 2023 15:33:52 +0000
Received: by stor-dylan.qualcomm.com (Postfix, from userid 359480)
id AE92E20A6B; Mon, 18 Dec 2023 07:33:51 -0800 (PST)
From: Can Guo <quic_cang@quicinc.com>
To: quic_cang@quicinc.com, bvanassche@acm.org, mani@kernel.org,
adrian.hunter@intel.com, beanhuo@micron.com, avri.altman@wdc.com,
junwoo80.lee@samsung.com, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-arm-msm@vger.kernel.org,
Alim Akhtar <alim.akhtar@samsung.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
Stanley Chu <stanley.chu@mediatek.com>,
Asutosh Das <quic_asutoshd@quicinc.com>,
Peter Wang <peter.wang@mediatek.com>,
"Bao D. Nguyen" <quic_nguyenb@quicinc.com>,
Arthur Simchaev <Arthur.Simchaev@wdc.com>,
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Date: Mon, 18 Dec 2023 07:32:17 -0800
Message-Id: <1702913550-20631-1-git-send-email-quic_cang@quicinc.com>
X-Mailer: git-send-email 2.7.4
X-QCInternal: smtphost
X-QCInternal: smtphost
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
signatures=585085
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
signatures=585085
X-Proofpoint-ORIG-GUID: 2x7iaMGGHfK-tl-wx8Yqxco24rlFPNO4
X-Proofpoint-GUID: 2x7iaMGGHfK-tl-wx8Yqxco24rlFPNO4
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26
definitions=2023-12-09_01,2023-12-07_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
priorityscore=1501
clxscore=1011 suspectscore=0 malwarescore=0 lowpriorityscore=0 mlxscore=0
mlxlogscore=999 phishscore=0 adultscore=0 impostorscore=0 spamscore=0
bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.19.0-2311290000 definitions=main-2312180114
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1785634570905323179
X-GMAIL-MSGID: 1785634570905323179
|
| Series |
scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
|
|
Commit Message
Can Guo
Dec. 18, 2023, 3:32 p.m. UTC
If access sq_tail_slot without the protection from the sq_lock, race
condition can have multiple SQEs copied to duplicate SQE slot(s), which can
lead to multiple incredible stability issues. Fix it by moving the *dest
initialization, in ufshcd_send_command(), back under protection from the
sq_lock.
Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
Signed-off-by: Can Guo <quic_cang@quicinc.com>
Comments
On 12/18/23 07:32, Can Guo wrote: > If access sq_tail_slot without the protection from the sq_lock, race > condition can have multiple SQEs copied to duplicate SQE slot(s), which can > lead to multiple incredible stability issues. Fix it by moving the *dest > initialization, in ufshcd_send_command(), back under protection from the > sq_lock. > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()") > Signed-off-by: Can Guo <quic_cang@quicinc.com> > > diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c > index ae9936f..2994aac 100644 > --- a/drivers/ufs/core/ufshcd.c > +++ b/drivers/ufs/core/ufshcd.c > @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag, > if (is_mcq_enabled(hba)) { > int utrd_size = sizeof(struct utp_transfer_req_desc); > struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr; > - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > + struct utp_transfer_req_desc *dest; > > spin_lock(&hwq->sq_lock); > + dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > memcpy(dest, src, utrd_size); > ufshcd_inc_sq_tail(hwq); > spin_unlock(&hwq->sq_lock); Reviewed-by: Bart Van Assche <bvanassche@acm.org>
On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote: > If access sq_tail_slot without the protection from the sq_lock, race > condition can have multiple SQEs copied to duplicate SQE slot(s), which can > lead to multiple incredible stability issues. Fix it by moving the *dest > initialization, in ufshcd_send_command(), back under protection from the > sq_lock. > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()") Cc: stable@vger.kernel.org > Signed-off-by: Can Guo <quic_cang@quicinc.com> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> - Mani > > diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c > index ae9936f..2994aac 100644 > --- a/drivers/ufs/core/ufshcd.c > +++ b/drivers/ufs/core/ufshcd.c > @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag, > if (is_mcq_enabled(hba)) { > int utrd_size = sizeof(struct utp_transfer_req_desc); > struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr; > - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > + struct utp_transfer_req_desc *dest; > > spin_lock(&hwq->sq_lock); > + dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > memcpy(dest, src, utrd_size); > ufshcd_inc_sq_tail(hwq); > spin_unlock(&hwq->sq_lock); > -- > 2.7.4 >
On 12/20/23 06:50, Manivannan Sadhasivam wrote: > On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote: >> If access sq_tail_slot without the protection from the sq_lock, race >> condition can have multiple SQEs copied to duplicate SQE slot(s), which can >> lead to multiple incredible stability issues. Fix it by moving the *dest >> initialization, in ufshcd_send_command(), back under protection from the >> sq_lock. >> >> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()") > > Cc: stable@vger.kernel.org Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present? Bart.
On Wed, Dec 20, 2023 at 08:35:18AM -0800, Bart Van Assche wrote: > On 12/20/23 06:50, Manivannan Sadhasivam wrote: > > On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote: > > > If access sq_tail_slot without the protection from the sq_lock, race > > > condition can have multiple SQEs copied to duplicate SQE slot(s), which can > > > lead to multiple incredible stability issues. Fix it by moving the *dest > > > initialization, in ufshcd_send_command(), back under protection from the > > > sq_lock. > > > > > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()") > > > > Cc: stable@vger.kernel.org > > Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present? > Yes it is required as I pointed out in the other thread. - Mani > Bart. >
On 12/18/2023 7:32 AM, Can Guo wrote: > If access sq_tail_slot without the protection from the sq_lock, race > condition can have multiple SQEs copied to duplicate SQE slot(s), which can > lead to multiple incredible stability issues. Fix it by moving the *dest > initialization, in ufshcd_send_command(), back under protection from the > sq_lock. > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()") > Signed-off-by: Can Guo <quic_cang@quicinc.com> > > diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c > index ae9936f..2994aac 100644 > --- a/drivers/ufs/core/ufshcd.c > +++ b/drivers/ufs/core/ufshcd.c > @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag, > if (is_mcq_enabled(hba)) { > int utrd_size = sizeof(struct utp_transfer_req_desc); > struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr; > - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > + struct utp_transfer_req_desc *dest; > > spin_lock(&hwq->sq_lock); > + dest = hwq->sqe_base_addr + hwq->sq_tail_slot; > memcpy(dest, src, utrd_size); > ufshcd_inc_sq_tail(hwq); > spin_unlock(&hwq->sq_lock); Reviewed and Tested-by: Bao D. Nguyen <quic_nguyenb@quicinc.com>
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index ae9936f..2994aac 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag, if (is_mcq_enabled(hba)) { int utrd_size = sizeof(struct utp_transfer_req_desc); struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr; - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot; + struct utp_transfer_req_desc *dest; spin_lock(&hwq->sq_lock); + dest = hwq->sqe_base_addr + hwq->sq_tail_slot; memcpy(dest, src, utrd_size); ufshcd_inc_sq_tail(hwq); spin_unlock(&hwq->sq_lock);