From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Igor Pylypiv <ipylypiv@google.com>,
Vishakha Channapattan <vishakhavc@google.com>,
Jack Wang <jinpu.wang@ionos.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 07/24] scsi: pm80xx: Fix TMF task completion race condition
Date: Tue, 10 Aug 2021 10:14:48 -0400 [thread overview]
Message-ID: <20210810141505.3117318-7-sashal@kernel.org> (raw)
In-Reply-To: <20210810141505.3117318-1-sashal@kernel.org>
From: Igor Pylypiv <ipylypiv@google.com>
[ Upstream commit d712d3fb484b7fa8d1d57e9ca6f134bb9d8c18b1 ]
The TMF timeout timer may trigger at the same time when the response from a
controller is being handled. When this happens the SAS task may get freed
before the response processing is finished.
Fix this by calling complete() only when SAS_TASK_STATE_DONE is not set.
A similar race condition was fixed in commit b90cd6f2b905 ("scsi: libsas:
fix a race condition when smp task timeout")
Link: https://lore.kernel.org/r/20210707185945.35559-1-ipylypiv@google.com
Reviewed-by: Vishakha Channapattan <vishakhavc@google.com>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 335cf37e6cb9..2e429e31f1f0 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -684,8 +684,7 @@ int pm8001_dev_found(struct domain_device *dev)
void pm8001_task_done(struct sas_task *task)
{
- if (!del_timer(&task->slow_task->timer))
- return;
+ del_timer(&task->slow_task->timer);
complete(&task->slow_task->completion);
}
@@ -693,9 +692,14 @@ static void pm8001_tmf_timedout(struct timer_list *t)
{
struct sas_task_slow *slow = from_timer(slow, t, timer);
struct sas_task *task = slow->task;
+ unsigned long flags;
- task->task_state_flags |= SAS_TASK_STATE_ABORTED;
- complete(&task->slow_task->completion);
+ spin_lock_irqsave(&task->task_state_lock, flags);
+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
+ task->task_state_flags |= SAS_TASK_STATE_ABORTED;
+ complete(&task->slow_task->completion);
+ }
+ spin_unlock_irqrestore(&task->task_state_lock, flags);
}
#define PM8001_TASK_TIMEOUT 20
@@ -748,13 +752,10 @@ static int pm8001_exec_internal_tmf_task(struct domain_device *dev,
}
res = -TMF_RESP_FUNC_FAILED;
/* Even TMF timed out, return direct. */
- if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
- pm8001_dbg(pm8001_ha, FAIL,
- "TMF task[%x]timeout.\n",
- tmf->tmf);
- goto ex_err;
- }
+ if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
+ pm8001_dbg(pm8001_ha, FAIL, "TMF task[%x]timeout.\n",
+ tmf->tmf);
+ goto ex_err;
}
if (task->task_status.resp == SAS_TASK_COMPLETE &&
@@ -834,12 +835,9 @@ pm8001_exec_internal_task_abort(struct pm8001_hba_info *pm8001_ha,
wait_for_completion(&task->slow_task->completion);
res = TMF_RESP_FUNC_FAILED;
/* Even TMF timed out, return direct. */
- if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
- pm8001_dbg(pm8001_ha, FAIL,
- "TMF task timeout.\n");
- goto ex_err;
- }
+ if (task->task_state_flags & SAS_TASK_STATE_ABORTED) {
+ pm8001_dbg(pm8001_ha, FAIL, "TMF task timeout.\n");
+ goto ex_err;
}
if (task->task_status.resp == SAS_TASK_COMPLETE &&
--
2.30.2
next prev parent reply other threads:[~2021-08-10 14:15 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-10 14:14 [PATCH AUTOSEL 5.13 01/24] dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 02/24] dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 03/24] spi: spi-mux: Add module info needed for autoloading Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 04/24] net: xfrm: Fix end of loop tests for list_for_each_entry Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 05/24] ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 06/24] dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available Sasha Levin
2021-08-10 14:14 ` Sasha Levin [this message]
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 08/24] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 09/24] scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 10/24] scsi: core: Avoid printing an error if target_alloc() returns -ENXIO Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 11/24] scsi: core: Fix capacity set to zero after offlinining device Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 12/24] drm/amdgpu: fix the doorbell missing when in CGPG issue for renoir Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 13/24] qede: fix crash in rmmod qede while automatic debug collection Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 14/24] ARM: dts: nomadik: Fix up interrupt controller node names Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 16/24] Revert "ACPICA: Fix memory leak caused by _CID repair function" Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 17/24] riscv: dts: fix memory size for the SiFive HiFive Unmatched Sasha Levin
2021-08-10 14:14 ` [PATCH AUTOSEL 5.13 18/24] net: usb: pegasus: Check the return value of get_geristers() and friends; Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 19/24] net: usb: lan78xx: don't modify phy_device state concurrently Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 20/24] perf/x86: Fix out of bound MSR access Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 21/24] spi: cadence-quadspi: Fix check condition for DTR ops Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 22/24] drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 23/24] drm/amd/display: workaround for hard hang on HPD on native DP Sasha Levin
2021-08-10 14:15 ` [PATCH AUTOSEL 5.13 24/24] kyber: make trace_block_rq call consistent with documentation Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210810141505.3117318-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ipylypiv@google.com \
--cc=jinpu.wang@ionos.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
--cc=vishakhavc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox