From: sashiko-bot@kernel.org
To: "Karan Tilak Kumar" <kartilak@cisco.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v4 11/13] scsi: fnic: Track NVMe transport statistics
Date: Fri, 12 Jun 2026 23:16:05 +0000 [thread overview]
Message-ID: <20260612231606.1976E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612180918.8554-12-kartilak@cisco.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] Deadlock between fnic_lock and timer lock during NVMe LS response.
- [High] Use-After-Free of io_req when writing waitq_start_time.
- [High] Memory and active_ios leak when ITMF abort fails.
- [Medium] active_fw_reqs counter permanently drifts upwards on ERSP completions.
--
commit b68b40c66de8d347db7bd91c9ea2450605172e71
Author: Karan Tilak Kumar <kartilak@cisco.com>
scsi: fnic: Track NVMe transport statistics
Add counters for NVMe requests, responses, LS handling, aborts, and
wait-queue activity.
Update NVMe I/O, completion, LS response, LS abort, and abort paths to
maintain the new counters.
> diff --git a/drivers/scsi/fnic/fnic_nvme.c b/drivers/scsi/fnic/fnic_nvme.c
> index 9cc8f0baf09cb..2ccbfa0dfa92d 100644
> --- a/drivers/scsi/fnic/fnic_nvme.c
> +++ b/drivers/scsi/fnic/fnic_nvme.c
[ ... ]
> @@ -193,6 +250,11 @@ inline int nvfnic_queue_wq_nvme_copy_desc(struct fnic *fnic,
> tport->max_payload_size, tport->r_a_tov,
> tport->e_d_tov);
>
> + atomic64_inc(&fnic->fnic_stats.fw_stats.active_fw_reqs);
> + if (atomic64_read(&fnic->fnic_stats.fw_stats.active_fw_reqs) >
> + atomic64_read(&fnic->fnic_stats.fw_stats.max_fw_reqs))
> + atomic64_set(&fnic->fnic_stats.fw_stats.max_fw_reqs,
> + atomic64_read(&fnic->fnic_stats.fw_stats.active_fw_reqs));
>
> spin_unlock_irqrestore(&fnic->wq_copy_lock[idx], intr_flags);
[Severity: Medium]
Since this function increments active_fw_reqs for NVMe requests, does the
decrement in fnic_fcpio_cmpl_handler() in fnic_scsi.c need to be updated
to include FCPIO_NVME_ERSP_HW_CMPL?
Without updating the switch statement in fnic_fcpio_cmpl_handler(), will
the counter permanently drift upwards when NVMe commands complete with an
Extended Response?
[ ... ]
> @@ -766,11 +878,18 @@ void nvfnic_fcpio_nvme_itmf_cmpl_handler(struct fnic *fnic,
>
> io_req->cmd_flags |= FNIC_IO_ABT_TERM_DONE;
>
> + if (!(io_req->cmd_flags & (FNIC_IO_ABORTED | FNIC_IO_DONE)))
> + atomic64_inc(&misc_stats->no_icmnd_itmf_cmpls);
>
> if (io_req->abts_state == FCPIO_SUCCESS) {
> io_req->fcp_req->transferred_length = 0;
> io_req->fcp_req->rcv_rsplen = 0;
> io_req->fcp_req->status = NVME_SC_ABORT_REQ;
> + atomic64_dec(&fnic_stats->io_stats.active_ios);
> + if (atomic64_read(&fnic->io_cmpl_skip))
> + atomic64_dec(&fnic->io_cmpl_skip);
> + else
> + atomic64_inc(&fnic_stats->io_stats.io_completions);
>
> nvfnic_release_nvme_ioreq_buf(iport, io_req);
> if (io_req->done)
[Severity: High]
Does this code leak memory and the active_ios counter when the abort status
is not FCPIO_SUCCESS?
If the abort fails, the function skips nvfnic_release_nvme_ioreq_buf(),
the io_req->done() callback, and the active_ios decrement before unlocking
and returning.
[ ... ]
> @@ -1067,11 +1191,14 @@ nvfnic_find_ls_req(struct fnic_tport_s *tport, uint16_t oxid)
> void nvfnic_fcpio_cmpl(struct fnic_io_req *io_req)
> {
> struct fnic *fnic = io_req->iport->fnic;
> + struct fnic_stats *fnic_stats = &fnic->fnic_stats;
>
> nvfnic_free_fcpio_tag(io_req->iport, io_req);
> + atomic64_inc(&fnic_stats->io_stats.nvme_ios_queued_for_rsp);
>
> llist_add(&io_req->nvfnic_io_cmpl, &fnic->nvme_io_event_llist);
> atomic_inc(&fnic->nvme_io_event_queued);
> + atomic64_inc(&fnic_stats->io_stats.nvme_num_ios_in_waitq);
>
> io_req->waitq_start_time = jiffies;
> queue_work(fnic_cmpl_queue, &fnic->nvme_io_cmpl_work);
[Severity: High]
Can this write to waitq_start_time cause a use-after-free?
The io_req is published to a lockless list via llist_add() before assigning
waitq_start_time. A concurrent worker thread could dequeue the request,
process the completion, and free the memory before this assignment occurs.
[ ... ]
> @@ -1215,6 +1348,7 @@ void nvfnic_ls_rsp_recv(struct fnic_iport_s *iport,
> }
>
> nvfnic_ls_req->state = FNIC_LS_REQ_CMD_COMPLETE;
> + atomic64_inc(&fnic_stats->nvme_stats.nvme_ls_responses);
>
> list_del_init(&nvfnic_ls_req->list);
> lsreq->private = NULL;
[Severity: High]
Is it possible the timer_delete_sync() call right after this block triggers
a deadlock?
nvfnic_ls_rsp_recv() is called with fnic->fnic_lock held. The sync
cancellation blocks on the timer callback if it's running, but the callback
(nvfnic_ls_req_timeout()) unconditionally attempts to acquire the same
fnic->fnic_lock, creating an AB-BA deadlock scenario.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612180918.8554-1-kartilak@cisco.com?part=11
next prev parent reply other threads:[~2026-06-12 23:16 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 18:09 [PATCH v4 00/13] Introduce functionality for NVMe initiator Karan Tilak Kumar
2026-06-12 18:09 ` [PATCH v4 01/13] scsi: fnic: Make debug logging protocol independent Karan Tilak Kumar
2026-06-12 18:42 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 02/13] scsi: fnic: Use fnic_num for non-SCSI identifiers Karan Tilak Kumar
2026-06-12 18:57 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 03/13] scsi: fnic: Decode firmware role configuration Karan Tilak Kumar
2026-06-12 18:09 ` [PATCH v4 04/13] scsi: fnic: Advertise NVMe initiator service parameters Karan Tilak Kumar
2026-06-12 18:09 ` [PATCH v4 05/13] scsi: fnic: Add FDLS role handling for NVMe initiators Karan Tilak Kumar
2026-06-12 21:42 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 06/13] scsi: fnic: Add the NVMe/FC transport path Karan Tilak Kumar
2026-06-12 21:59 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 07/13] scsi: fnic: Route completions and resets by initiator role Karan Tilak Kumar
2026-06-12 22:15 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 08/13] scsi: fnic: Handle NVMe LS frames in FDLS Karan Tilak Kumar
2026-06-12 22:29 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 09/13] scsi: fnic: Send NVMe LS requests through FDLS Karan Tilak Kumar
2026-06-12 22:45 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 10/13] scsi: fnic: Abort timed-out NVMe LS requests Karan Tilak Kumar
2026-06-12 22:57 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 11/13] scsi: fnic: Track NVMe transport statistics Karan Tilak Kumar
2026-06-12 23:16 ` sashiko-bot [this message]
2026-06-12 18:09 ` [PATCH v4 12/13] scsi: fnic: Expose NVMe transport state in debugfs Karan Tilak Kumar
2026-06-12 23:22 ` sashiko-bot
2026-06-12 18:09 ` [PATCH v4 13/13] scsi: fnic: Bump up version number Karan Tilak Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612231606.1976E1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kartilak@cisco.com \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox