From: Bart Van Assche <bvanassche@acm.org>

Date: Fri, 3 Dec 2021 15:19:42 -0800

Subject: scsi: ufs: Fix a deadlock in the error handler

Git-commit: 945c3cca05d78351bba29fa65d93834cb7934c7b

Patch-mainline: v5.17-rc1

References: git-fixes

The following deadlock has been observed on a test setup:

 - All tags allocated

 - The SCSI error handler calls ufshcd_eh_host_reset_handler()

 - ufshcd_eh_host_reset_handler() queues work that calls

   ufshcd_err_handler()

 - ufshcd_err_handler() locks up as follows:

Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt

Call trace:

 __switch_to+0x298/0x5d8

 __schedule+0x6cc/0xa94

 schedule+0x12c/0x298

 blk_mq_get_tag+0x210/0x480

 __blk_mq_alloc_request+0x1c8/0x284

 blk_get_request+0x74/0x134

 ufshcd_exec_dev_cmd+0x68/0x640

 ufshcd_verify_dev_init+0x68/0x35c

 ufshcd_probe_hba+0x12c/0x1cb8

 ufshcd_host_reset_and_restore+0x88/0x254

 ufshcd_reset_and_restore+0xd0/0x354

 ufshcd_err_handler+0x408/0xc58

 process_one_work+0x24c/0x66c

 worker_thread+0x3e8/0xa4c

 kthread+0x150/0x1b4

 ret_from_fork+0x10/0x30

Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved

request.

[lduncan: hand modified then refreshed to apply to ufshcd.c]

Link: https://lore.kernel.org/r/20211203231950.193369-10-bvanassche@acm.org

Tested-by: Bean Huo <beanhuo@micron.com>

Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>

Reviewed-by: Bean Huo <beanhuo@micron.com>

Signed-off-by: Bart Van Assche <bvanassche@acm.org>

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Acked-by: Lee Duncan <lduncan@suse.com>

---

 drivers/scsi/ufs/ufshcd.c |   53 ++++++++++++----------------------------------

 drivers/scsi/ufs/ufshcd.h |    2 +

 2 files changed, 16 insertions(+), 39 deletions(-)

--- a/drivers/scsi/ufs/ufshcd.c

+++ b/drivers/scsi/ufs/ufshcd.c

@@ -124,8 +124,9 @@ EXPORT_SYMBOL_GPL(ufshcd_dump_regs);

 enum {

 	UFSHCD_MAX_CHANNEL	= 0,

 	UFSHCD_MAX_ID		= 1,

-	UFSHCD_CMD_PER_LUN	= 32,

-	UFSHCD_CAN_QUEUE	= 32,

+	UFSHCD_NUM_RESERVED	= 1,

+	UFSHCD_CMD_PER_LUN	= 32 - UFSHCD_NUM_RESERVED,

+	UFSHCD_CAN_QUEUE	= 32 - UFSHCD_NUM_RESERVED,

 };

 /* UFSHCD states */

@@ -2202,6 +2203,7 @@ static inline int ufshcd_hba_capabilitie

 	hba->nutrs = (hba->capabilities & MASK_TRANSFER_REQUESTS_SLOTS) + 1;

 	hba->nutmrs =

 	((hba->capabilities & MASK_TASK_MANAGEMENT_REQUEST_SLOTS) >> 16) + 1;

+	hba->reserved_slot = hba->nutrs - 1;

 	/* Read crypto capabilities */

 	err = ufshcd_hba_init_crypto_capabilities(hba);

@@ -2930,30 +2932,15 @@ static int ufshcd_wait_for_dev_cmd(struc

 static int ufshcd_exec_dev_cmd(struct ufs_hba *hba,

 		enum dev_cmd_type cmd_type, int timeout)

 {

-	struct request_queue *q = hba->cmd_queue;

 	DECLARE_COMPLETION_ONSTACK(wait);

-	struct request *req;

+	const u32 tag = hba->reserved_slot;

 	struct ufshcd_lrb *lrbp;

 	int err;

-	int tag;

-	down_read(&hba->clk_scaling_lock);

+	/* Protects use of hba->reserved_slot. */

+	lockdep_assert_held(&hba->dev_cmd.lock);

-	/*

-	 * Get free slot, sleep if slots are unavailable.

-	 * Even though we use wait_event() which sleeps indefinitely,

-	 * the maximum wait time is bounded by SCSI request timeout.

-	 */

-	req = blk_get_request(q, REQ_OP_DRV_OUT, 0);

-	if (IS_ERR(req)) {

-		err = PTR_ERR(req);

-		goto out_unlock;

-	}

-	tag = req->tag;

-	WARN_ON_ONCE(!ufshcd_valid_tag(hba, tag));

-	/* Set the timeout such that the SCSI error handler is not activated. */

-	req->timeout = msecs_to_jiffies(2 * timeout);

-	blk_mq_start_request(req);

+	down_read(&hba->clk_scaling_lock);

 	lrbp = &hba->lrb[tag];

 	WARN_ON(lrbp->cmd);

@@ -2973,8 +2960,6 @@ static int ufshcd_exec_dev_cmd(struct uf

 				    (struct utp_upiu_req *)lrbp->ucd_rsp_ptr);

 out:

-	blk_put_request(req);

-out_unlock:

 	up_read(&hba->clk_scaling_lock);

 	return err;

 }

@@ -6638,23 +6623,16 @@ static int ufshcd_issue_devman_upiu_cmd(

 					enum dev_cmd_type cmd_type,

 					enum query_opcode desc_op)

 {

-	struct request_queue *q = hba->cmd_queue;

 	DECLARE_COMPLETION_ONSTACK(wait);

-	struct request *req;

+	const u32 tag = hba->reserved_slot;

 	struct ufshcd_lrb *lrbp;

 	int err = 0;

-	int tag;

 	u8 upiu_flags;

-	down_read(&hba->clk_scaling_lock);

+	/* Protects use of hba->reserved_slot. */

+	lockdep_assert_held(&hba->dev_cmd.lock);

-	req = blk_get_request(q, REQ_OP_DRV_OUT, 0);

-	if (IS_ERR(req)) {

-		err = PTR_ERR(req);

-		goto out_unlock;

-	}

-	tag = req->tag;

-	WARN_ON_ONCE(!ufshcd_valid_tag(hba, tag));

+	down_read(&hba->clk_scaling_lock);

 	lrbp = &hba->lrb[tag];

 	WARN_ON(lrbp->cmd);

@@ -6725,9 +6703,6 @@ static int ufshcd_issue_devman_upiu_cmd(

 	ufshcd_add_query_upiu_trace(hba, err ? UFS_QUERY_ERR : UFS_QUERY_COMP,

 				    (struct utp_upiu_req *)lrbp->ucd_rsp_ptr);

-	blk_put_request(req);

-

-out_unlock:

 	up_read(&hba->clk_scaling_lock);

 	return err;

 }

@@ -9379,8 +9354,8 @@ int ufshcd_init(struct ufs_hba *hba, voi

 	/* Configure LRB */

 	ufshcd_host_memory_configure(hba);

-	host->can_queue = hba->nutrs;

-	host->cmd_per_lun = hba->nutrs;

+	host->can_queue = hba->nutrs - UFSHCD_NUM_RESERVED;

+	host->cmd_per_lun = hba->nutrs - UFSHCD_NUM_RESERVED;

 	host->max_id = UFSHCD_MAX_ID;

 	host->max_lun = UFS_MAX_LUNS;

 	host->max_channel = UFSHCD_MAX_CHANNEL;

--- a/drivers/scsi/ufs/ufshcd.h

+++ b/drivers/scsi/ufs/ufshcd.h

@@ -678,6 +678,7 @@ struct ufs_hba_monitor {

  * @capabilities: UFS Controller Capabilities

  * @nutrs: Transfer Request Queue depth supported by controller

  * @nutmrs: Task Management Queue depth supported by controller

+ * @reserved_slot: Used to submit device commands. Protected by @dev_cmd.lock.

  * @ufs_version: UFS Version to which controller complies

  * @vops: pointer to variant specific operations

  * @priv: pointer to variant specific private data

@@ -765,6 +766,7 @@ struct ufs_hba {

 	u32 capabilities;

 	int nutrs;

 	int nutmrs;

+	u32 reserved_slot;

 	u32 ufs_version;

 	const struct ufs_hba_variant_ops *vops;

 	struct ufs_hba_variant_params *vps;