* [PATCH AUTOSEL 4.4 04/38] scsi: pm80xx: Avoid busywait in FW ready check
[not found] <20201223022516.2794471-1-sashal@kernel.org>
@ 2020-12-23 2:24 ` Sasha Levin
2020-12-23 2:24 ` [PATCH AUTOSEL 4.4 05/38] scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2020-12-23 2:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akshatzen, Jack Wang, Viswas G, Ruksar Devadi, Radha Ramachandran,
Martin K . Petersen, Sasha Levin, linux-scsi
From: akshatzen <akshatzen@google.com>
[ Upstream commit 48cd6b38eb4f2874f091c4776ea1c26e7e4f967e ]
In function check_fw_ready() we busy wait using udelay. The CPU is not
released and we see need_resched failures.
Busy waiting is not necessary since we are in process context and we can
sleep instead. Replace udelay with msleep of 20 ms intervals while waiting
for firmware to become ready.
It has been verified that check_fw_ready is not being used in interrupt
context anywhere, hence it is safe to make this change.
Link: https://lore.kernel.org/r/20201102165528.26510-4-Viswas.G@microchip.com.com
Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: akshatzen <akshatzen@google.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Ruksar Devadi <Ruksar.devadi@microchip.com>
Signed-off-by: Radha Ramachandran <radha@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm80xx_hwi.c | 21 +++++++++++----------
drivers/scsi/pm8001/pm80xx_hwi.h | 6 ++++++
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c
index df5f0bc295875..50e0890ddc678 100644
--- a/drivers/scsi/pm8001/pm80xx_hwi.c
+++ b/drivers/scsi/pm8001/pm80xx_hwi.c
@@ -692,6 +692,7 @@ static int mpi_init_check(struct pm8001_hba_info *pm8001_ha)
/**
* check_fw_ready - The LLDD check if the FW is ready, if not, return error.
+ * This function sleeps hence it must not be used in atomic context.
* @pm8001_ha: our hba card information
*/
static int check_fw_ready(struct pm8001_hba_info *pm8001_ha)
@@ -702,16 +703,16 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha)
int ret = 0;
/* reset / PCIe ready */
- max_wait_time = max_wait_count = 100 * 1000; /* 100 milli sec */
+ max_wait_time = max_wait_count = 5; /* 100 milli sec */
do {
- udelay(1);
+ msleep(FW_READY_INTERVAL);
value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1);
} while ((value == 0xFFFFFFFF) && (--max_wait_count));
/* check ila status */
- max_wait_time = max_wait_count = 1000 * 1000; /* 1000 milli sec */
+ max_wait_time = max_wait_count = 50; /* 1000 milli sec */
do {
- udelay(1);
+ msleep(FW_READY_INTERVAL);
value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1);
} while (((value & SCRATCH_PAD_ILA_READY) !=
SCRATCH_PAD_ILA_READY) && (--max_wait_count));
@@ -724,9 +725,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha)
}
/* check RAAE status */
- max_wait_time = max_wait_count = 1800 * 1000; /* 1800 milli sec */
+ max_wait_time = max_wait_count = 90; /* 1800 milli sec */
do {
- udelay(1);
+ msleep(FW_READY_INTERVAL);
value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1);
} while (((value & SCRATCH_PAD_RAAE_READY) !=
SCRATCH_PAD_RAAE_READY) && (--max_wait_count));
@@ -739,9 +740,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha)
}
/* check iop0 status */
- max_wait_time = max_wait_count = 600 * 1000; /* 600 milli sec */
+ max_wait_time = max_wait_count = 30; /* 600 milli sec */
do {
- udelay(1);
+ msleep(FW_READY_INTERVAL);
value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1);
} while (((value & SCRATCH_PAD_IOP0_READY) != SCRATCH_PAD_IOP0_READY) &&
(--max_wait_count));
@@ -757,9 +758,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha)
if ((pm8001_ha->chip_id != chip_8008) &&
(pm8001_ha->chip_id != chip_8009)) {
/* 200 milli sec */
- max_wait_time = max_wait_count = 200 * 1000;
+ max_wait_time = max_wait_count = 10;
do {
- udelay(1);
+ msleep(FW_READY_INTERVAL);
value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1);
} while (((value & SCRATCH_PAD_IOP1_READY) !=
SCRATCH_PAD_IOP1_READY) && (--max_wait_count));
diff --git a/drivers/scsi/pm8001/pm80xx_hwi.h b/drivers/scsi/pm8001/pm80xx_hwi.h
index 411b414a9a0ef..85cdd6d9348a6 100644
--- a/drivers/scsi/pm8001/pm80xx_hwi.h
+++ b/drivers/scsi/pm8001/pm80xx_hwi.h
@@ -1534,3 +1534,9 @@ typedef struct SASProtocolTimerConfig SASProtocolTimerConfig_t;
#define MEMBASE_II_SHIFT_REGISTER 0x1010
#endif
+
+/**
+ * As we know sleep (1~20) ms may result in sleep longer than ~20 ms, hence we
+ * choose 20 ms interval.
+ */
+#define FW_READY_INTERVAL 20
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH AUTOSEL 4.4 05/38] scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition
[not found] <20201223022516.2794471-1-sashal@kernel.org>
2020-12-23 2:24 ` [PATCH AUTOSEL 4.4 04/38] scsi: pm80xx: Avoid busywait in FW ready check Sasha Levin
@ 2020-12-23 2:24 ` Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2020-12-23 2:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: yuuzheng, Jack Wang, Viswas G, Ruksar Devadi, Radha Ramachandran,
Martin K . Petersen, Sasha Levin, linux-scsi
From: yuuzheng <yuuzheng@google.com>
[ Upstream commit 1f889b58716a5f5e3e4fe0e6742c1a4472f29ac1 ]
A use-after-free or null-pointer error occurs when the 251-byte response
data is copied from IOMB buffer to response message buffer in function
pm8001_mpi_get_nvmd_resp().
After sending the command get_nvmd_data(), the caller begins to sleep by
calling wait_for_complete() and waits for the wake-up from calling
complete() in pm8001_mpi_get_nvmd_resp(). Due to unexpected events (e.g.,
interrupt), if response buffer gets freed before memcpy(), a use-after-free
error will occur. To fix this, the complete() should be called after
memcpy().
Link: https://lore.kernel.org/r/20201102165528.26510-5-Viswas.G@microchip.com.com
Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: yuuzheng <yuuzheng@google.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Ruksar Devadi <Ruksar.devadi@microchip.com>
Signed-off-by: Radha Ramachandran <radha@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_hwi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
index b3490b4a046a2..d431efb300b6f 100644
--- a/drivers/scsi/pm8001/pm8001_hwi.c
+++ b/drivers/scsi/pm8001/pm8001_hwi.c
@@ -3196,10 +3196,15 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
+ /* To avoid race condition, complete should be
+ * called after the message is copied to
+ * fw_control_context->usrAddr
+ */
+ complete(pm8001_ha->nvmd_completion);
+ PM8001_MSG_DBG(pm8001_ha, pm8001_printk("Set nvm data complete!\n"));
ccb->task = NULL;
ccb->ccb_tag = 0xFFFFFFFF;
pm8001_tag_free(pm8001_ha, tag);
- complete(pm8001_ha->nvmd_completion);
}
int pm8001_mpi_local_phy_ctl(struct pm8001_hba_info *pm8001_ha, void *piomb)
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-23 2:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20201223022516.2794471-1-sashal@kernel.org>
2020-12-23 2:24 ` [PATCH AUTOSEL 4.4 04/38] scsi: pm80xx: Avoid busywait in FW ready check Sasha Levin
2020-12-23 2:24 ` [PATCH AUTOSEL 4.4 05/38] scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).