From 2eb415874924cdca73d57ab2e194a16f8bf069e8 Mon Sep 17 00:00:00 2001 From: Stanley Chu Date: Tue, 6 Jun 2023 12:59:19 +0800 Subject: [PATCH] BACKPORT: scsi: ufs: mcq: Fix the incorrect OCS value for the device command In MCQ mode, when a device command uses a hardware queue shared with other commands, a race condition may occur in the following scenario: 1. A device command is completed in CQx with CQE entry "e". 2. The interrupt handler copies the "cqe" pointer to "hba->dev_cmd.cqe" and completes "hba->dev_cmd.complete". 3. The "ufshcd_wait_for_dev_cmd()" function is awakened and retrieves the OCS value from "hba->dev_cmd.cqe". However, there is a possibility that the CQE entry "e" will be overwritten by newly completed commands in CQx, resulting in an incorrect OCS value being received by "ufshcd_wait_for_dev_cmd()". To avoid this race condition, the OCS value should be immediately copied to the struct "lrb" of the device command. Then "ufshcd_wait_for_dev_cmd()" can retrieve the OCS value from the struct "lrb". Bug: 267974767 Fixes: 57b1c0ef89ac ("scsi: ufs: core: mcq: Add support to allocate multiple queues") Suggested-by: Can Guo Signed-off-by: Stanley Chu Link: https://lore.kernel.org/r/20230610021553.1213-2-powen.kao@mediatek.com Tested-by: Po-Wen Kao Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Change-Id: I835e435c8a5fffa63b02bd1481f7b41d2a16e706 (cherry picked from commit 0fef6bb730c490fcdc4347dbd21646d3ffe62cf5) [powen: Keep hba->dev_cmd.cqe for KMI freeze] --- drivers/ufs/core/ufshcd.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 25e7f7c2d83b..88e636f850c8 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3166,7 +3166,7 @@ retry: * not trigger any race conditions. */ hba->dev_cmd.complete = NULL; - err = ufshcd_get_tr_ocs(lrbp, hba->dev_cmd.cqe); + err = ufshcd_get_tr_ocs(lrbp, NULL); if (!err) err = ufshcd_dev_cmd_completion(hba, lrbp); } else { @@ -3262,7 +3262,6 @@ static int ufshcd_exec_dev_cmd(struct ufs_hba *hba, goto out; hba->dev_cmd.complete = &wait; - hba->dev_cmd.cqe = NULL; ufshcd_add_query_upiu_trace(hba, UFS_QUERY_SEND, lrbp->ucd_req_ptr); @@ -5520,6 +5519,7 @@ void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag, { struct ufshcd_lrb *lrbp; struct scsi_cmnd *cmd; + enum utp_ocs ocs; lrbp = &hba->lrb[task_tag]; lrbp->compl_time_stamp = ktime_get(); @@ -5538,7 +5538,11 @@ void ufshcd_compl_one_cqe(struct ufs_hba *hba, int task_tag, lrbp->command_type == UTP_CMD_TYPE_UFS_STORAGE) { if (hba->dev_cmd.complete) { trace_android_vh_ufs_compl_command(hba, lrbp); - hba->dev_cmd.cqe = cqe; + if (cqe) { + ocs = le32_to_cpu(cqe->status) & MASK_OCS; + lrbp->utr_descriptor_ptr->header.dword_2 = + cpu_to_le32(ocs); + } ufshcd_add_command_trace(hba, task_tag, UFS_DEV_COMP); complete(hba->dev_cmd.complete); ufshcd_clk_scaling_update_busy(hba);