scsi: ufs: core: Fix race between force complete and ISR

While error handler force complete command (Thread A) and completion IRQ raising (Thread B) of the same command, it may cause race condition. Below is racing step (from 1 to 6): ufshcd_mcq_compl_pending_transfer (Thread A) 1 if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) { 5 spin_lock_irqsave(&hwq->cq_lock, flags); // wait lock release set_host_byte(cmd, DID_REQUEUE); 6 ufshcd_release_scsi_cmd(hba, lrbp); // access null pointer scsi_done(cmd); spin_unlock_irqrestore(&hwq->cq_lock, flags); } ufshcd_mcq_poll_cqe_lock (Thread B) 2 spin_lock_irqsave(&hwq->cq_lock, flags); ufshcd_mcq_poll_cqe_nolock() ufshcd_compl_one_cqe() 3 ufshcd_release_scsi_cmd() // lrbp->cmd = NULL; 4 spin_unlock_irqrestore(&hwq->cq_lock, flags); Signed-off-by: Alice Chao <alice.chao@mediatek.com> Link: https://lore.kernel.org/r/20231024084324.12197-1-alice.chao@mediatek.comReviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

scsi: ufs: core: Fix race between force complete and ISR
While error handler force complete command (Thread A) and completion IRQ raising (Thread B) of the same command, it may cause race condition. Below is racing step (from 1 to 6): ufshcd_mcq_compl_pending_transfer (Thread A) 1 if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) { 5 spin_lock_irqsave(&hwq->cq_lock, flags); // wait lock release set_host_byte(cmd, DID_REQUEUE); 6 ufshcd_release_scsi_cmd(hba, lrbp); // access null pointer scsi_done(cmd); spin_unlock_irqrestore(&hwq->cq_lock, flags); } ufshcd_mcq_poll_cqe_lock (Thread B) 2 spin_lock_irqsave(&hwq->cq_lock, flags); ufshcd_mcq_poll_cqe_nolock() ufshcd_compl_one_cqe() 3 ufshcd_release_scsi_cmd() // lrbp->cmd = NULL; 4 spin_unlock_irqrestore(&hwq->cq_lock, flags); Signed-off-by: Alice Chao <alice.chao@mediatek.com> Link: https://lore.kernel.org/r/20231024084324.12197-1-alice.chao@mediatek.comReviewed-by: Bart Van Assche <bvanassche@acm.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
a5181c89 · Alice Chao · Martin K. Petersen · f2d79aa1 · a5181c89
Commit a5181c89 authored Oct 24, 2023 by Alice Chao Committed by Martin K. Petersen Oct 24, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/ufs/core/ufshcd.c drivers/ufs/core/ufshcd.c +2 -2

No files found.
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -5615,13 +5615,13 @@ static void ufshcd_mcq_compl_pending_transfer(struct ufs_hba *hba,
 			 * For those cmds of which the cqes are not present
 			 * in the cq, complete them explicitly.
 			 */
+			spin_lock_irqsave(&hwq->cq_lock, flags);
 			if (cmd && !test_bit(SCMD_STATE_COMPLETE, &cmd->state)) {
-				spin_lock_irqsave(&hwq->cq_lock, flags);
 				set_host_byte(cmd, DID_REQUEUE);
 				ufshcd_release_scsi_cmd(hba, lrbp);
 				scsi_done(cmd);
-				spin_unlock_irqrestore(&hwq->cq_lock, flags);
 			}
+			spin_unlock_irqrestore(&hwq->cq_lock, flags);
 		} else {
 			ufshcd_mcq_poll_cqe_lock(hba, hwq);
 		}