From: Bart Van Assche <bvanassche@acm.org>
To: "Peter Wang (王信友)" <peter.wang@mediatek.com>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
"martin.petersen@oracle.com" <martin.petersen@oracle.com>
Cc: "quic_asutoshd@guicinc.com" <quic_asutoshd@guicinc.com>
Subject: Re: [PATCH v1] ufs: core: decouple CQE processing from spinlock critical section
Date: Fri, 15 May 2026 09:43:38 -0700
Message-ID: <2ed721de-0410-413a-bda1-99b5313b072d@acm.org>
In-Reply-To: <3d359319927f808dffa0aef52b03c437f803335e.camel@mediatek.com>

On 5/15/26 1:13 AM, Peter Wang (王信友) wrote:
> This is not an issue because the CQ head is protected by cq_lock.
> Only the CQEs from head to tail will be processed by ufshcd_poll
> or the ISR. The main difference is that these CQEs will be
> processed later, without holding the cq_lock.

Hi Peter,

Do you agree that the following can happen with this patch applied
(assuming there is space for 9 CQEs on completion queues)?

(1) Host allocates tags 0, 1, 2 and 3 and adds the corresponding SQEs to
    a submission queue.
(2) ufshcd_mcq_poll_cqe_lock() is called from thread context because the
    host is polling for completions. The CQ tail is updated but CQE
    processing is delayed, e.g. because the process scheduler triggered
    a context switch to another thread.
(3) The host allocates tags 4, 5, 6 and 7 and sends the corresponding
    commands to the same submission queue.
(4) ufshcd_mcq_poll_cqe_lock() is called because a completion interrupt
    has been generated and processes completions for tags 4, 5, 6 and 7.
    The CQ tail is updated and the CQEs are processed.
(5) The host reallocates tags 4, 5, 6 and 7 and writes the corresponding
    SQEs to the tail of the submission queue.
(6) The host controller completes the corresponding commands and stores
    the CQEs in CQ slots 8, 0, 1 and 2. Hence, slots 0, 1 and 2 are
    overwritten although the overwritten CQEs have not yet been
    processed.
(7) The polling code from (2) continues and completes the CQEs in slots
    0, 1, 2 and 3. This causes three of the four commands from
    (6) to be reported as completed to the block layer although these
    have not yet been completed. This will likely trigger data
    corruption.

Thanks,

Bart.
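
The interleaving in steps (1) to (7), replayed as a single-threaded C model of a 9-slot completion ring. This is an added example, not code from the patch or from the UFS driver; the struct, the function names and the `early_release` switch (slots handed back to the controller before their CQEs are read) are assumptions made for the illustration.

```c
#include <stdio.h>

#define CQ_DEPTH 9   /* constructed: room for 9 CQEs, as in the message */
struct cq { int slot[CQ_DEPTH]; unsigned head, tail; };

/* Controller side: store CQEs for n tags at the tail; -1 if the ring is full. */
static int post(struct cq *q, const int *tags, int n)
{
    for (int i = 0; i < n; i++) {
        if ((q->tail + 1) % CQ_DEPTH == q->head)
            return -1;               /* next slot not yet released by the host */
        q->slot[q->tail] = tags[i];
        q->tail = (q->tail + 1) % CQ_DEPTH;
    }
    return 0;
}

/*
 * Replays steps (1) to (7). Returns how many slots of the step (2) snapshot
 * hold a different CQE by the time the delayed poller reads them.
 * early_release != 0 models (assumption) handing the slots back to the
 * controller before the CQEs have been read.
 */
static int replay(int early_release)
{
    struct cq q = { .head = 0, .tail = 0 };
    const int first[] = { 0, 1, 2, 3 }, second[] = { 4, 5, 6, 7 };
    int snap[CQ_DEPTH], stale = 0;

    post(&q, first, 4);                          /* (1) CQEs land in slots 0..3 */
    unsigned start = q.head, end = q.tail;       /* (2) range fixed under the lock */
    for (unsigned i = start; i != end; i = (i + 1) % CQ_DEPTH)
        snap[i] = q.slot[i];                     /* what (2) is meant to complete */
    if (early_release)
        q.head = end;                            /* slots 0..3 reusable, still unread */
    post(&q, second, 4);                         /* (3) CQEs land in slots 4..7 */
    if (early_release)
        q.head = q.tail;                         /* (4) second poller consumes 4..7 */
    post(&q, second, 4);                         /* (5)+(6) slots 8,0,1,2, or refused if full */
    for (unsigned i = start; i != end; i = (i + 1) % CQ_DEPTH)
        stale += q.slot[i] != snap[i];           /* (7) delayed read of slots 0..3 */
    return stale;
}

int main(void)
{
    printf("early release: %d stale CQEs, late release: %d\n", replay(1), replay(0));
    return 0;
}
```

With `early_release` set to 0 the second poller is modelled as blocked on the lock, so the head stays at 0 and the controller finds the ring full instead of overwriting slots 0 to 2.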

Thread overview: 4+ messages
2026-05-14 8:26 [PATCH v1] ufs: core: decouple CQE processing from spinlock critical section peter.wang
2026-05-14 16:22 ` Bart Van Assche
2026-05-15 8:13 ` Peter Wang (王信友)
2026-05-15 16:43 ` Bart Van Assche [this message]