1. Patchew
  2. linux
  3. View series

[PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access

Can Guo posted 1 patch 2 years ago
[PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Can Guo 2 years ago 
If access sq_tail_slot without the protection from the sq_lock, race
condition can have multiple SQEs copied to duplicate SQE slot(s), which can
lead to multiple incredible stability issues. Fix it by moving the *dest
initialization, in ufshcd_send_command(), back under protection from the
sq_lock.

Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
Signed-off-by: Can Guo <quic_cang@quicinc.com>

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ae9936f..2994aac 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
 	if (is_mcq_enabled(hba)) {
 		int utrd_size = sizeof(struct utp_transfer_req_desc);
 		struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
-		struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
+		struct utp_transfer_req_desc *dest;
 
 		spin_lock(&hwq->sq_lock);
+		dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
 		memcpy(dest, src, utrd_size);
 		ufshcd_inc_sq_tail(hwq);
 		spin_unlock(&hwq->sq_lock);
-- 
2.7.4
Re: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Bao D. Nguyen 1 year, 11 months ago 
On 12/18/2023 7:32 AM, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
> 
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> Signed-off-by: Can Guo <quic_cang@quicinc.com>
> 
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
>   	if (is_mcq_enabled(hba)) {
>   		int utrd_size = sizeof(struct utp_transfer_req_desc);
>   		struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> -		struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> +		struct utp_transfer_req_desc *dest;
>   
>   		spin_lock(&hwq->sq_lock);
> +		dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
>   		memcpy(dest, src, utrd_size);
>   		ufshcd_inc_sq_tail(hwq);
>   		spin_unlock(&hwq->sq_lock);

Reviewed and Tested-by: Bao D. Nguyen <quic_nguyenb@quicinc.com>
Re: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Manivannan Sadhasivam 1 year, 12 months ago 
On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
> 
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")

Cc: stable@vger.kernel.org

> Signed-off-by: Can Guo <quic_cang@quicinc.com>

Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

- Mani

> 
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
>  	if (is_mcq_enabled(hba)) {
>  		int utrd_size = sizeof(struct utp_transfer_req_desc);
>  		struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> -		struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> +		struct utp_transfer_req_desc *dest;
>  
>  		spin_lock(&hwq->sq_lock);
> +		dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
>  		memcpy(dest, src, utrd_size);
>  		ufshcd_inc_sq_tail(hwq);
>  		spin_unlock(&hwq->sq_lock);
> -- 
> 2.7.4
> 

-- 
மணிவண்ணன் சதாசிவம்
Re: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Bart Van Assche 1 year, 12 months ago 
On 12/20/23 06:50, Manivannan Sadhasivam wrote:
> On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
>> If access sq_tail_slot without the protection from the sq_lock, race
>> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
>> lead to multiple incredible stability issues. Fix it by moving the *dest
>> initialization, in ufshcd_send_command(), back under protection from the
>> sq_lock.
>>
>> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> 
> Cc: stable@vger.kernel.org

Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present?

Bart.
Re: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Manivannan Sadhasivam 1 year, 12 months ago 
On Wed, Dec 20, 2023 at 08:35:18AM -0800, Bart Van Assche wrote:
> On 12/20/23 06:50, Manivannan Sadhasivam wrote:
> > On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
> > > If access sq_tail_slot without the protection from the sq_lock, race
> > > condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> > > lead to multiple incredible stability issues. Fix it by moving the *dest
> > > initialization, in ufshcd_send_command(), back under protection from the
> > > sq_lock.
> > > 
> > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> > 
> > Cc: stable@vger.kernel.org
> 
> Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present?
> 

Yes it is required as I pointed out in the other thread.

- Mani

> Bart.
> 

-- 
மணிவண்ணன் சதாசிவம்
Re: [PATCH] scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
Posted by Bart Van Assche 2 years ago 
On 12/18/23 07:32, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
> 
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> Signed-off-by: Can Guo <quic_cang@quicinc.com>
> 
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
>   	if (is_mcq_enabled(hba)) {
>   		int utrd_size = sizeof(struct utp_transfer_req_desc);
>   		struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> -		struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> +		struct utp_transfer_req_desc *dest;
>   
>   		spin_lock(&hwq->sq_lock);
> +		dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
>   		memcpy(dest, src, utrd_size);
>   		ufshcd_inc_sq_tail(hwq);
>   		spin_unlock(&hwq->sq_lock);

Reviewed-by: Bart Van Assche <bvanassche@acm.org>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.