If access sq_tail_slot without the protection from the sq_lock, race
condition can have multiple SQEs copied to duplicate SQE slot(s), which can
lead to multiple incredible stability issues. Fix it by moving the *dest
initialization, in ufshcd_send_command(), back under protection from the
sq_lock.
Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
Signed-off-by: Can Guo <[email protected]>
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ae9936f..2994aac 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
if (is_mcq_enabled(hba)) {
int utrd_size = sizeof(struct utp_transfer_req_desc);
struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
- struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
+ struct utp_transfer_req_desc *dest;
spin_lock(&hwq->sq_lock);
+ dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
memcpy(dest, src, utrd_size);
ufshcd_inc_sq_tail(hwq);
spin_unlock(&hwq->sq_lock);
--
2.7.4
On 12/18/23 07:32, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
>
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> Signed-off-by: Can Guo <[email protected]>
>
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
> if (is_mcq_enabled(hba)) {
> int utrd_size = sizeof(struct utp_transfer_req_desc);
> struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> + struct utp_transfer_req_desc *dest;
>
> spin_lock(&hwq->sq_lock);
> + dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> memcpy(dest, src, utrd_size);
> ufshcd_inc_sq_tail(hwq);
> spin_unlock(&hwq->sq_lock);
Reviewed-by: Bart Van Assche <[email protected]>
On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
>
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
Cc: [email protected]
> Signed-off-by: Can Guo <[email protected]>
Reviewed-by: Manivannan Sadhasivam <[email protected]>
- Mani
>
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
> if (is_mcq_enabled(hba)) {
> int utrd_size = sizeof(struct utp_transfer_req_desc);
> struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> + struct utp_transfer_req_desc *dest;
>
> spin_lock(&hwq->sq_lock);
> + dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> memcpy(dest, src, utrd_size);
> ufshcd_inc_sq_tail(hwq);
> spin_unlock(&hwq->sq_lock);
> --
> 2.7.4
>
--
மணிவண்ணன் சதாசிவம்
On 12/20/23 06:50, Manivannan Sadhasivam wrote:
> On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
>> If access sq_tail_slot without the protection from the sq_lock, race
>> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
>> lead to multiple incredible stability issues. Fix it by moving the *dest
>> initialization, in ufshcd_send_command(), back under protection from the
>> sq_lock.
>>
>> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
>
> Cc: [email protected]
Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present?
Bart.
On Wed, Dec 20, 2023 at 08:35:18AM -0800, Bart Van Assche wrote:
> On 12/20/23 06:50, Manivannan Sadhasivam wrote:
> > On Mon, Dec 18, 2023 at 07:32:17AM -0800, Can Guo wrote:
> > > If access sq_tail_slot without the protection from the sq_lock, race
> > > condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> > > lead to multiple incredible stability issues. Fix it by moving the *dest
> > > initialization, in ufshcd_send_command(), back under protection from the
> > > sq_lock.
> > >
> > > Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> >
> > Cc: [email protected]
>
> Hmm ... is the "Cc: stable" tag really required if a "Fixes:" tag is present?
>
Yes it is required as I pointed out in the other thread.
- Mani
> Bart.
>
--
மணிவண்ணன் சதாசிவம்
On 12/18/2023 7:32 AM, Can Guo wrote:
> If access sq_tail_slot without the protection from the sq_lock, race
> condition can have multiple SQEs copied to duplicate SQE slot(s), which can
> lead to multiple incredible stability issues. Fix it by moving the *dest
> initialization, in ufshcd_send_command(), back under protection from the
> sq_lock.
>
> Fixes: 3c85f087faec ("scsi: ufs: mcq: Use pointer arithmetic in ufshcd_send_command()")
> Signed-off-by: Can Guo <[email protected]>
>
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ae9936f..2994aac 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -2274,9 +2274,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag,
> if (is_mcq_enabled(hba)) {
> int utrd_size = sizeof(struct utp_transfer_req_desc);
> struct utp_transfer_req_desc *src = lrbp->utr_descriptor_ptr;
> - struct utp_transfer_req_desc *dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> + struct utp_transfer_req_desc *dest;
>
> spin_lock(&hwq->sq_lock);
> + dest = hwq->sqe_base_addr + hwq->sq_tail_slot;
> memcpy(dest, src, utrd_size);
> ufshcd_inc_sq_tail(hwq);
> spin_unlock(&hwq->sq_lock);
Reviewed and Tested-by: Bao D. Nguyen <[email protected]>