2024-02-05 11:27:21

by Alice Chao

Subject: [PATCH v1 1/1] ufs: core: fix shift issue in ufshcd_clear_cmd

From: Alice Chao <[email protected]>

When task_tag > 32 (in mcq mode), 1U << task_tag will be out of bounds
for the u32 mask. Fix this bug to prevent SHIFT_ISSUE (bitwise shifts
that are out of bounds for their data type).

[name:debug_monitors&]Unexpected kernel BRK exception at EL1
[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
[name:mrdump&]PHYS_OFFSET: 0x80000000
[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
[name:mrdump&]sp : ffffffc0081471b0
<snip>
Workqueue: ufs_eh_wq_0 ufshcd_err_handler
Call trace:
dump_backtrace+0xf8/0x144
show_stack+0x18/0x24
dump_stack_lvl+0x78/0x9c
dump_stack+0x18/0x44
mrdump_common_die+0x254/0x480 [mrdump]
ipanic_die+0x20/0x30 [mrdump]
notify_die+0x15c/0x204
die+0x10c/0x5f8
arm64_notify_die+0x74/0x13c
do_debug_exception+0x164/0x26c
el1_dbg+0x64/0x80
el1h_64_sync_handler+0x3c/0x90
el1h_64_sync+0x68/0x6c
ufshcd_clear_cmd+0x280/0x288
ufshcd_wait_for_dev_cmd+0x3e4/0x82c
ufshcd_exec_dev_cmd+0x5bc/0x9ac
ufshcd_verify_dev_init+0x84/0x1c8
ufshcd_probe_hba+0x724/0x1ce0
ufshcd_host_reset_and_restore+0x260/0x574
ufshcd_reset_and_restore+0x138/0xbd0
ufshcd_err_handler+0x1218/0x2f28
process_one_work+0x5fc/0x1140
worker_thread+0x7d8/0xe20
kthread+0x25c/0x468
ret_from_fork+0x10/0x20

Signed-off-by: Alice Chao <[email protected]>
---
drivers/ufs/core/ufshcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 029d017fc1b6..c6cff4aa440a 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -3057,7 +3057,7 @@ bool ufshcd_cmd_inflight(struct scsi_cmnd *cmd)
*/
static int ufshcd_clear_cmd(struct ufs_hba *hba, u32 task_tag)
{
- u32 mask = 1U << task_tag;
+ u32 mask;
unsigned long flags;
int err;

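Review bot: the boundary stated in the commit message does not match what this hunk is guarding against: with a 32-bit `u32 mask`, `1U << task_tag` is already an out-of-range shift at task_tag == 32, so the condition is task_tag >= 32, not > 32 (the same point is raised later in the thread). Leaving `u32 mask;` uninitialised here is fine only as long as every path that reaches the later shift assigns it first; a one-line comment on the declaration saying the mask is computed after the MCQ early return would make that intent explicit.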
@@ -3075,6 +3075,8 @@ static int ufshcd_clear_cmd(struct ufs_hba *hba, u32 task_tag)
return 0;
}

+ mask = 1U << task_tag;
+
/* clear outstanding transaction before retry */
spin_lock_irqsave(hba->host->host_lock, flags);
ufshcd_utrl_clear(hba, mask);
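Review bot: the fix relies on ordering rather than on a check: `mask = 1U << task_tag;` is still reached by any caller that does not take the `return 0;` path above it, so the undefined shift is avoided only while every task_tag >= 32 is diverted there. Consider an explicit guard immediately before the shift, e.g. `if (WARN_ON_ONCE(task_tag >= BITS_PER_TYPE(u32))) return -EINVAL;`, so a future caller or a reordering of the early return cannot silently reintroduce the out-of-range shift that produced the BRK trace in the commit message.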
--
2.18.0
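The mask computation the patch reorders, as an added C example that is not kernel code (`fake_hba`, `clear_cmd_checked`, `MASK_BITS` and the flag names are constructed stand-ins): it mirrors the early-return ordering from the hunks and adds the explicit bound check a reviewer would want before `1U << task_tag`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A u32 clear mask has one bit per tag, so only tags 0..31 are representable. */
#define MASK_BITS 32u

/* Constructed stand-in for the host controller state (not struct ufs_hba). */
struct fake_hba {
    bool mcq_enabled;      /* MCQ mode: tags may exceed 31 and are cleaned up elsewhere */
    uint32_t cleared_mask; /* records which legacy-mode mask bits were cleared */
};

/*
 * Hardened version of the mask computation. The shift is evaluated only on
 * the legacy path (after the MCQ early return, as in the patch) and only after
 * task_tag has been checked against the mask width, so 1U << task_tag is
 * never evaluated with task_tag >= 32, which is undefined behaviour in C.
 */
static int clear_cmd_checked(struct fake_hba *hba, uint32_t task_tag)
{
    uint32_t mask;

    if (hba->mcq_enabled)
        return 0;       /* MCQ cleanup path: mask is never needed here */

    if (task_tag >= MASK_BITS)
        return -EINVAL; /* explicit guard instead of relying on call ordering */

    mask = 1U << task_tag;
    hba->cleared_mask |= mask;
    return 0;
}

int main(void)
{
    struct fake_hba legacy = { .mcq_enabled = false, .cleared_mask = 0 };
    struct fake_hba mcq = { .mcq_enabled = true, .cleared_mask = 0 };

    printf("legacy tag 5  -> %d, mask 0x%08x\n",
           clear_cmd_checked(&legacy, 5), legacy.cleared_mask);
    printf("legacy tag 40 -> %d (rejected, mask unchanged 0x%08x)\n",
           clear_cmd_checked(&legacy, 40), legacy.cleared_mask);
    printf("mcq tag 40    -> %d (handled by MCQ path, no shift)\n",
           clear_cmd_checked(&mcq, 40));
    return 0;
}
```

Building with `-fsanitize=shift` and removing the guard is a quick way to see the sanitizer flag the same class of defect the kernel trace above reports.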



2024-02-05 14:44:20

by Stanley Jhu

Subject: Re: [PATCH v1 1/1] ufs: core: fix shift issue in ufshcd_clear_cmd

On Mon, Feb 5, 2024 at 7:27 PM <[email protected]> wrote:
>
> From: Alice Chao <[email protected]>
>
> When task_tag > 32 (in mcq mode), 1U << task_tag will out of bound
> for u32 mask. Fix this bug to prevent SHIFT_ISSUE (Bitwise shifts
> that are out of bounds for their data type).
>
> [name:debug_monitors&]Unexpected kernel BRK exception at EL1
> [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
> [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
> [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
> [name:mrdump&]PHYS_OFFSET: 0x80000000
> [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
> [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
> [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
> [name:mrdump&]sp : ffffffc0081471b0
> <snip>
> Workqueue: ufs_eh_wq_0 ufshcd_err_handler
> Call trace:
> dump_backtrace+0xf8/0x144
> show_stack+0x18/0x24
> dump_stack_lvl+0x78/0x9c
> dump_stack+0x18/0x44
> mrdump_common_die+0x254/0x480 [mrdump]
> ipanic_die+0x20/0x30 [mrdump]
> notify_die+0x15c/0x204
> die+0x10c/0x5f8
> arm64_notify_die+0x74/0x13c
> do_debug_exception+0x164/0x26c
> el1_dbg+0x64/0x80
> el1h_64_sync_handler+0x3c/0x90
> el1h_64_sync+0x68/0x6c
> ufshcd_clear_cmd+0x280/0x288
> ufshcd_wait_for_dev_cmd+0x3e4/0x82c
> ufshcd_exec_dev_cmd+0x5bc/0x9ac
> ufshcd_verify_dev_init+0x84/0x1c8
> ufshcd_probe_hba+0x724/0x1ce0
> ufshcd_host_reset_and_restore+0x260/0x574
> ufshcd_reset_and_restore+0x138/0xbd0
> ufshcd_err_handler+0x1218/0x2f28
> process_one_work+0x5fc/0x1140
> worker_thread+0x7d8/0xe20
> kthread+0x25c/0x468
> ret_from_fork+0x10/0x20
>
> Signed-off-by: Alice Chao <[email protected]>

Reviewed-by: Stanley Jhu <[email protected]>

2024-02-05 17:09:44

by Bart Van Assche

Subject: Re: [PATCH v1 1/1] ufs: core: fix shift issue in ufshcd_clear_cmd

On 2/5/24 02:49, [email protected] wrote:
> When task_tag > 32 (in mcq mode), 1U << task_tag will out of bound
^^^^^^^^^^^^^
task_tag >= 32 and sizeof(unsigned int) == 4

> for u32 mask. Fix this bug to prevent SHIFT_ISSUE (Bitwise shifts
> that are out of bounds for their data type).

Anyway:

Reviewed-by: Bart Van Assche <[email protected]>

2024-02-06 02:10:13

by Martin K. Petersen

Subject: Re: [PATCH v1 1/1] ufs: core: fix shift issue in ufshcd_clear_cmd

On Mon, 05 Feb 2024 18:49:04 +0800, [email protected] wrote:

> When task_tag > 32 (in mcq mode), 1U << task_tag will out of bound
> for u32 mask. Fix this bug to prevent SHIFT_ISSUE (Bitwise shifts
> that are out of bounds for their data type).
>
> [name:debug_monitors&]Unexpected kernel BRK exception at EL1
> [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
> [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
> [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
> [name:mrdump&]PHYS_OFFSET: 0x80000000
> [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
> [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
> [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
> [name:mrdump&]sp : ffffffc0081471b0
> <snip>
> Workqueue: ufs_eh_wq_0 ufshcd_err_handler
> Call trace:
> dump_backtrace+0xf8/0x144
> show_stack+0x18/0x24
> dump_stack_lvl+0x78/0x9c
> dump_stack+0x18/0x44
> mrdump_common_die+0x254/0x480 [mrdump]
> ipanic_die+0x20/0x30 [mrdump]
> notify_die+0x15c/0x204
> die+0x10c/0x5f8
> arm64_notify_die+0x74/0x13c
> do_debug_exception+0x164/0x26c
> el1_dbg+0x64/0x80
> el1h_64_sync_handler+0x3c/0x90
> el1h_64_sync+0x68/0x6c
> ufshcd_clear_cmd+0x280/0x288
> ufshcd_wait_for_dev_cmd+0x3e4/0x82c
> ufshcd_exec_dev_cmd+0x5bc/0x9ac
> ufshcd_verify_dev_init+0x84/0x1c8
> ufshcd_probe_hba+0x724/0x1ce0
> ufshcd_host_reset_and_restore+0x260/0x574
> ufshcd_reset_and_restore+0x138/0xbd0
> ufshcd_err_handler+0x1218/0x2f28
> process_one_work+0x5fc/0x1140
> worker_thread+0x7d8/0xe20
> kthread+0x25c/0x468
> ret_from_fork+0x10/0x20
>
> [...]

Applied to 6.8/scsi-fixes, thanks!

[1/1] ufs: core: fix shift issue in ufshcd_clear_cmd
https://git.kernel.org/mkp/scsi/c/b513d30d59bb

--
Martin K. Petersen Oracle Linux Engineering