From: Bart Van Assche <bvanassche@acm.org>
To: Adrian Hunter <adrian.hunter@intel.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, Jaegeuk Kim <jaegeuk@kernel.org>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
Bean Huo <beanhuo@micron.com>, Can Guo <cang@codeaurora.org>,
Stanley Chu <stanley.chu@mediatek.com>,
Asutosh Das <asutoshd@codeaurora.org>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Santosh Yaraganavi <santoshsy@gmail.com>,
Arnd Bergmann <arnd@arndb.de>, Vishak G <vishak.g@samsung.com>
Subject: Re: [PATCH 08/11] scsi: ufs: Improve SCSI abort handling further
Date: Mon, 15 Nov 2021 15:09:19 -0800 [thread overview]
Message-ID: <9ebeec91-ff62-3dcd-a377-1d6f98bd7c32@acm.org> (raw)
In-Reply-To: <985b86c5-e45f-8d07-31e3-7eed1c7c894c@intel.com>
On 11/12/21 2:56 AM, Adrian Hunter wrote:
> On 10/11/2021 20:56, Bart Van Assche wrote:
>> On 11/10/21 12:57 AM, Adrian Hunter wrote:
>>> Seems like something ufshcd_clear_cmd() should be doing instead?
>>
>> I'm concerned that would break ufshcd_eh_device_reset_handler()
>> since that reset handler retries SCSI commands by calling
>> __ufshcd_transfer_req_compl() after having called ufshcd_clear_cmd().
> Whenever an outstanding_reqs bit transitions 1 -> 0, then
> __ufshcd_transfer_req_compl() must be called.
I will look further into this.
> As a separate issue, in ufshcd_abort() there is:
>
> /* If command is already aborted/completed, return FAILED. */
> if (!(test_bit(tag, &hba->outstanding_reqs))) {
> dev_err(hba->dev,
> "%s: cmd at tag %d already completed, outstanding=0x%lx, doorbell=0x%x\n",
> __func__, tag, hba->outstanding_reqs, reg);
> goto release;
> }
>
> which seems wrong. FAILED should only be returned to escalate the
> error handling, so if the slot has already successfully been
> cleared, that is SUCCESS. scsi_times_out() has already blocked
> the scsi_done() path (by setting SCMD_STATE_COMPLETE), so any use
> after free must be being caused by SCSI not the ufs driver.
scmd_eh_abort_handler() would trigger a use-after-free if ufshcd_abort()
would return SUCCESS for completed commands. Hence the choice for the
return value FAILED for completed commands.
BTW, can this code path ever be reached since scsi_done() sets the
SCMD_STATE_COMPLETE bit before it calls blk_mq_complete_request() and
since scsi_times_out() tests that bit before it schedules a call of
ufshcd_abort()?
Thanks,
Bart.
next prev parent reply other threads:[~2021-11-15 23:11 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 0:44 [PATCH 00/11] UFS patches for kernel v5.17 Bart Van Assche
2021-11-10 0:44 ` [PATCH 01/11] scsi: ufs: Rename a function argument Bart Van Assche
2021-11-10 1:28 ` Chanho Park
2021-11-10 9:48 ` Keoseong Park
2021-11-11 16:59 ` Alim Akhtar
2021-11-10 0:44 ` [PATCH 02/11] scsi: ufs: Remove is_rpmb_wlun() Bart Van Assche
2021-11-10 17:47 ` Asutosh Das (asd)
2021-11-11 16:52 ` Alim Akhtar
2021-11-10 0:44 ` [PATCH 03/11] scsi: ufs: Remove the sdev_rpmb member Bart Van Assche
2021-11-10 17:50 ` Asutosh Das (asd)
2021-11-11 16:47 ` Alim Akhtar
2021-11-10 0:44 ` [PATCH 04/11] scsi: ufs: Remove dead code Bart Van Assche
2021-11-11 7:06 ` Avri Altman
2021-11-15 15:58 ` Bean Huo
2021-11-15 16:01 ` Bean Huo
2021-11-10 0:44 ` [PATCH 05/11] scsi: core: Add support for reserved tags Bart Van Assche
2021-11-10 0:44 ` [PATCH 06/11] scsi: ufs: Rework ufshcd_change_queue_depth() Bart Van Assche
2021-11-11 7:22 ` Avri Altman
2021-11-15 18:27 ` Bart Van Assche
2021-11-10 0:44 ` [PATCH 07/11] scsi: ufs: Fix a deadlock in the error handler Bart Van Assche
2021-11-10 6:42 ` Christoph Hellwig
2021-11-15 18:28 ` Bart Van Assche
2021-11-11 7:33 ` Avri Altman
2021-11-15 18:29 ` Bart Van Assche
2021-11-10 0:44 ` [PATCH 08/11] scsi: ufs: Improve SCSI abort handling further Bart Van Assche
2021-11-10 8:57 ` Adrian Hunter
2021-11-10 18:56 ` Bart Van Assche
2021-11-12 10:56 ` Adrian Hunter
2021-11-15 23:09 ` Bart Van Assche [this message]
2021-11-16 9:03 ` Adrian Hunter
2021-11-16 16:07 ` Bart Van Assche
2021-11-11 9:17 ` Peter Wang
2021-11-16 9:07 ` Peter Wang
2021-11-16 16:08 ` Bart Van Assche
2021-11-16 20:16 ` Adrian Hunter
2021-11-16 21:53 ` Bart Van Assche
2021-11-17 7:37 ` Adrian Hunter
2021-11-10 0:44 ` [PATCH 09/11] scsi: ufs: Fix a kernel crash during shutdown Bart Van Assche
2021-11-11 7:48 ` Avri Altman
2021-11-15 18:45 ` Bart Van Assche
2021-11-10 0:44 ` [PATCH 10/11] scsi: ufs: Optimize the command queueing code Bart Van Assche
2021-11-10 8:04 ` Adrian Hunter
2021-11-10 18:57 ` Bart Van Assche
2021-11-11 7:51 ` Avri Altman
2021-11-12 23:40 ` Asutosh Das (asd)
2021-11-10 0:44 ` [PATCH 11/11] scsi: ufs: Implement polling support Bart Van Assche
2021-11-10 1:36 ` Douglas Gilbert
2021-11-19 19:39 ` Bart Van Assche
2021-11-11 8:11 ` Avri Altman
2021-11-19 19:01 ` Bart Van Assche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9ebeec91-ff62-3dcd-a377-1d6f98bd7c32@acm.org \
--to=bvanassche@acm.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=adrian.hunter@intel.com \
--cc=arnd@arndb.de \
--cc=asutoshd@codeaurora.org \
--cc=beanhuo@micron.com \
--cc=cang@codeaurora.org \
--cc=jaegeuk@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=santoshsy@gmail.com \
--cc=stanley.chu@mediatek.com \
--cc=vishak.g@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox