[thirdparty/kernel/stable-queue.git] / releases / 4.14.60 / scsi-cxlflash-synchronize-reset-and-remove-ops.patch

From foo@baz Sat Jul 28 10:25:26 CEST 2018
From: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
Date: Mon, 26 Mar 2018 11:35:27 -0500
Subject: scsi: cxlflash: Synchronize reset and remove ops

From: Uma Krishnan <ukrishn@linux.vnet.ibm.com>

[ Upstream commit a3feb6ef50def7c91244d7bd15a3625b7b49b81f ]

The following Oops can be encountered if a device removal or system shutdown
is initiated while an EEH recovery is in process:

[c000000ff2f479c0] c008000015256f18 cxlflash_pci_slot_reset+0xa0/0x100
                                      [cxlflash]
[c000000ff2f47a30] c00800000dae22e0 cxl_pci_slot_reset+0x168/0x290 [cxl]
[c000000ff2f47ae0] c00000000003ef1c eeh_report_reset+0xec/0x170
[c000000ff2f47b20] c00000000003d0b8 eeh_pe_dev_traverse+0x98/0x170
[c000000ff2f47bb0] c00000000003f80c eeh_handle_normal_event+0x56c/0x580
[c000000ff2f47c60] c00000000003fba4 eeh_handle_event+0x2a4/0x338
[c000000ff2f47d10] c0000000000400b8 eeh_event_handler+0x1f8/0x200
[c000000ff2f47dc0] c00000000013da48 kthread+0x1a8/0x1b0
[c000000ff2f47e30] c00000000000b528 ret_from_kernel_thread+0x5c/0xb4

The remove handler frees AFU memory while the EEH recovery is in progress,
leading to a race condition. This can result in a crash if the recovery thread
tries to access this memory.

To resolve this issue, the cxlflash remove handler will evaluate the device
state and yield to any active reset or probing threads.

Signed-off-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/cxlflash/main.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/cxlflash/main.c
+++ b/drivers/scsi/cxlflash/main.c
@@ -946,9 +946,9 @@ static void cxlflash_remove(struct pci_d
 		return;
 	}
 
-	/* If a Task Management Function is active, wait for it to complete
-	 * before continuing with remove.
-	 */
+	/* Yield to running recovery threads before continuing with remove */
+	wait_event(cfg->reset_waitq, cfg->state != STATE_RESET &&
+				     cfg->state != STATE_PROBING);
 	spin_lock_irqsave(&cfg->tmf_slock, lock_flags);
 	if (cfg->tmf_active)
 		wait_event_interruptible_lock_irq(cfg->tmf_waitq,
Commit	Line	Data
a65d4bac GKH	1	From foo@baz Sat Jul 28 10:25:26 CEST 2018
	2	From: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
	3	Date: Mon, 26 Mar 2018 11:35:27 -0500
	4	Subject: scsi: cxlflash: Synchronize reset and remove ops
	5
	6	From: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
	7
	8	[ Upstream commit a3feb6ef50def7c91244d7bd15a3625b7b49b81f ]
	9
	10	The following Oops can be encountered if a device removal or system shutdown
	11	is initiated while an EEH recovery is in process:
	12
	13	[c000000ff2f479c0] c008000015256f18 cxlflash_pci_slot_reset+0xa0/0x100
	14	[cxlflash]
	15	[c000000ff2f47a30] c00800000dae22e0 cxl_pci_slot_reset+0x168/0x290 [cxl]
	16	[c000000ff2f47ae0] c00000000003ef1c eeh_report_reset+0xec/0x170
	17	[c000000ff2f47b20] c00000000003d0b8 eeh_pe_dev_traverse+0x98/0x170
	18	[c000000ff2f47bb0] c00000000003f80c eeh_handle_normal_event+0x56c/0x580
	19	[c000000ff2f47c60] c00000000003fba4 eeh_handle_event+0x2a4/0x338
	20	[c000000ff2f47d10] c0000000000400b8 eeh_event_handler+0x1f8/0x200
	21	[c000000ff2f47dc0] c00000000013da48 kthread+0x1a8/0x1b0
	22	[c000000ff2f47e30] c00000000000b528 ret_from_kernel_thread+0x5c/0xb4
	23
	24	The remove handler frees AFU memory while the EEH recovery is in progress,
	25	leading to a race condition. This can result in a crash if the recovery thread
	26	tries to access this memory.
	27
	28	To resolve this issue, the cxlflash remove handler will evaluate the device
	29	state and yield to any active reset or probing threads.
	30
	31	Signed-off-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
	32	Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
	33	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	34	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	35	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	36	---
	37	drivers/scsi/cxlflash/main.c \| 6 +++---
	38	1 file changed, 3 insertions(+), 3 deletions(-)
	39
	40	--- a/drivers/scsi/cxlflash/main.c
	41	+++ b/drivers/scsi/cxlflash/main.c
	42	@@ -946,9 +946,9 @@ static void cxlflash_remove(struct pci_d
	43	return;
	44	}
	45
	46	- /* If a Task Management Function is active, wait for it to complete
	47	- * before continuing with remove.
	48	- */
	49	+ /* Yield to running recovery threads before continuing with remove */
	50	+ wait_event(cfg->reset_waitq, cfg->state != STATE_RESET &&
	51	+ cfg->state != STATE_PROBING);
	52	spin_lock_irqsave(&cfg->tmf_slock, lock_flags);
	53	if (cfg->tmf_active)
	54	wait_event_interruptible_lock_irq(cfg->tmf_waitq,