--- /dev/null
+From bb8958d5dc79acbd071397abb57b8756375fe1ce Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alex@ghiti.fr>
+Date: Sat, 18 Sep 2021 18:02:21 +0200
+Subject: riscv: Flush current cpu icache before other cpus
+
+From: Alexandre Ghiti <alex@ghiti.fr>
+
+commit bb8958d5dc79acbd071397abb57b8756375fe1ce upstream.
+
+On SiFive Unmatched, I recently fell onto the following BUG when booting:
+
+[ 0.000000] ftrace: allocating 36610 entries in 144 pages
+[ 0.000000] Oops - illegal instruction [#1]
+[ 0.000000] Modules linked in:
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.13.1+ #5
+[ 0.000000] Hardware name: SiFive HiFive Unmatched A00 (DT)
+[ 0.000000] epc : riscv_cpuid_to_hartid_mask+0x6/0xae
+[ 0.000000] ra : __sbi_rfence_v02+0xc8/0x10a
+[ 0.000000] epc : ffffffff80007240 ra : ffffffff80009964 sp : ffffffff81803e10
+[ 0.000000] gp : ffffffff81a1ea70 tp : ffffffff8180f500 t0 : ffffffe07fe30000
+[ 0.000000] t1 : 0000000000000004 t2 : 0000000000000000 s0 : ffffffff81803e60
+[ 0.000000] s1 : 0000000000000000 a0 : ffffffff81a22238 a1 : ffffffff81803e10
+[ 0.000000] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
+[ 0.000000] a5 : 0000000000000000 a6 : ffffffff8000989c a7 : 0000000052464e43
+[ 0.000000] s2 : ffffffff81a220c8 s3 : 0000000000000000 s4 : 0000000000000000
+[ 0.000000] s5 : 0000000000000000 s6 : 0000000200000100 s7 : 0000000000000001
+[ 0.000000] s8 : ffffffe07fe04040 s9 : ffffffff81a22c80 s10: 0000000000001000
+[ 0.000000] s11: 0000000000000004 t3 : 0000000000000001 t4 : 0000000000000008
+[ 0.000000] t5 : ffffffcf04000808 t6 : ffffffe3ffddf188
+[ 0.000000] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000002
+[ 0.000000] [<ffffffff80007240>] riscv_cpuid_to_hartid_mask+0x6/0xae
+[ 0.000000] [<ffffffff80009474>] sbi_remote_fence_i+0x1e/0x26
+[ 0.000000] [<ffffffff8000b8f4>] flush_icache_all+0x12/0x1a
+[ 0.000000] [<ffffffff8000666c>] patch_text_nosync+0x26/0x32
+[ 0.000000] [<ffffffff8000884e>] ftrace_init_nop+0x52/0x8c
+[ 0.000000] [<ffffffff800f051e>] ftrace_process_locs.isra.0+0x29c/0x360
+[ 0.000000] [<ffffffff80a0e3c6>] ftrace_init+0x80/0x130
+[ 0.000000] [<ffffffff80a00f8c>] start_kernel+0x5c4/0x8f6
+[ 0.000000] ---[ end trace f67eb9af4d8d492b ]---
+[ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task!
+[ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
+
+While ftrace is looping over a list of addresses to patch, it always failed
+when patching the same function: riscv_cpuid_to_hartid_mask. Looking at the
+backtrace, the illegal instruction is encountered in this same function.
+However, patch_text_nosync, after patching the instructions, calls
+flush_icache_range. But looking at what happens in this function:
+
+flush_icache_range -> flush_icache_all
+ -> sbi_remote_fence_i
+ -> __sbi_rfence_v02
+ -> riscv_cpuid_to_hartid_mask
+
+The icache and dcache of the current cpu are never synchronized between the
+patching of riscv_cpuid_to_hartid_mask and calling this same function.
+
+So fix this by flushing the current cpu's icache before asking for the other
+cpus to do the same.
+
+Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
+Fixes: fab957c11efe ("RISC-V: Atomic and Locking Code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/cacheflush.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/riscv/mm/cacheflush.c
++++ b/arch/riscv/mm/cacheflush.c
+@@ -16,6 +16,8 @@ static void ipi_remote_fence_i(void *inf
+
+ void flush_icache_all(void)
+ {
++ local_flush_icache_all();
++
+ if (IS_ENABLED(CONFIG_RISCV_SBI))
+ sbi_remote_fence_i(NULL);
+ else
--- /dev/null
+From f5ef336fd2e4c36dedae4e7ca66cf5349d6fda62 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 22 Sep 2021 12:10:59 +0300
+Subject: scsi: ufs: core: Fix task management completion
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit f5ef336fd2e4c36dedae4e7ca66cf5349d6fda62 upstream.
+
+The UFS driver uses blk_mq_tagset_busy_iter() when identifying task
+management requests to complete, however blk_mq_tagset_busy_iter() doesn't
+work.
+
+blk_mq_tagset_busy_iter() only iterates requests dispatched by the block
+layer. That appears as if it might have started since commit 37f4a24c2469
+("blk-mq: centralise related handling into blk_mq_get_driver_tag") which
+removed 'data->hctx->tags->rqs[rq->tag] = rq' from blk_mq_rq_ctx_init()
+which gets called:
+
+ blk_get_request
+ blk_mq_alloc_request
+ __blk_mq_alloc_request
+ blk_mq_rq_ctx_init
+
+Since UFS task management requests are not dispatched by the block layer,
+hctx->tags->rqs[rq->tag] remains NULL, and since blk_mq_tagset_busy_iter()
+relies on finding requests using hctx->tags->rqs[rq->tag], UFS task
+management requests are never found by blk_mq_tagset_busy_iter().
+
+By using blk_mq_tagset_busy_iter(), the UFS driver was relying on internal
+details of the block layer, which was fragile and subsequently got
+broken. Fix by removing the use of blk_mq_tagset_busy_iter() and having the
+driver keep track of task management requests.
+
+Link: https://lore.kernel.org/r/20210922091059.4040-1-adrian.hunter@intel.com
+Fixes: 1235fc569e0b ("scsi: ufs: core: Fix task management request completion timeout")
+Fixes: 69a6c269c097 ("scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs")
+Cc: stable@vger.kernel.org
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 52 +++++++++++++++++++---------------------------
+ drivers/scsi/ufs/ufshcd.h | 1
+ 2 files changed, 23 insertions(+), 30 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6365,27 +6365,6 @@ static irqreturn_t ufshcd_check_errors(s
+ return retval;
+ }
+
+-struct ctm_info {
+- struct ufs_hba *hba;
+- unsigned long pending;
+- unsigned int ncpl;
+-};
+-
+-static bool ufshcd_compl_tm(struct request *req, void *priv, bool reserved)
+-{
+- struct ctm_info *const ci = priv;
+- struct completion *c;
+-
+- WARN_ON_ONCE(reserved);
+- if (test_bit(req->tag, &ci->pending))
+- return true;
+- ci->ncpl++;
+- c = req->end_io_data;
+- if (c)
+- complete(c);
+- return true;
+-}
+-
+ /**
+ * ufshcd_tmc_handler - handle task management function completion
+ * @hba: per adapter instance
+@@ -6396,18 +6375,24 @@ static bool ufshcd_compl_tm(struct reque
+ */
+ static irqreturn_t ufshcd_tmc_handler(struct ufs_hba *hba)
+ {
+- unsigned long flags;
+- struct request_queue *q = hba->tmf_queue;
+- struct ctm_info ci = {
+- .hba = hba,
+- };
++ unsigned long flags, pending, issued;
++ irqreturn_t ret = IRQ_NONE;
++ int tag;
++
++ pending = ufshcd_readl(hba, REG_UTP_TASK_REQ_DOOR_BELL);
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
+- ci.pending = ufshcd_readl(hba, REG_UTP_TASK_REQ_DOOR_BELL);
+- blk_mq_tagset_busy_iter(q->tag_set, ufshcd_compl_tm, &ci);
++ issued = hba->outstanding_tasks & ~pending;
++ for_each_set_bit(tag, &issued, hba->nutmrs) {
++ struct request *req = hba->tmf_rqs[tag];
++ struct completion *c = req->end_io_data;
++
++ complete(c);
++ ret = IRQ_HANDLED;
++ }
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+- return ci.ncpl ? IRQ_HANDLED : IRQ_NONE;
++ return ret;
+ }
+
+ /**
+@@ -6530,9 +6515,9 @@ static int __ufshcd_issue_tm_cmd(struct
+ ufshcd_hold(hba, false);
+
+ spin_lock_irqsave(host->host_lock, flags);
+- blk_mq_start_request(req);
+
+ task_tag = req->tag;
++ hba->tmf_rqs[req->tag] = req;
+ treq->upiu_req.req_header.dword_0 |= cpu_to_be32(task_tag);
+
+ memcpy(hba->utmrdl_base_addr + task_tag, treq, sizeof(*treq));
+@@ -6576,6 +6561,7 @@ static int __ufshcd_issue_tm_cmd(struct
+ }
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
++ hba->tmf_rqs[req->tag] = NULL;
+ __clear_bit(task_tag, &hba->outstanding_tasks);
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+@@ -9568,6 +9554,12 @@ int ufshcd_init(struct ufs_hba *hba, voi
+ err = PTR_ERR(hba->tmf_queue);
+ goto free_tmf_tag_set;
+ }
++ hba->tmf_rqs = devm_kcalloc(hba->dev, hba->nutmrs,
++ sizeof(*hba->tmf_rqs), GFP_KERNEL);
++ if (!hba->tmf_rqs) {
++ err = -ENOMEM;
++ goto free_tmf_queue;
++ }
+
+ /* Reset the attached device */
+ ufshcd_device_reset(hba);
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -780,6 +780,7 @@ struct ufs_hba {
+
+ struct blk_mq_tag_set tmf_tag_set;
+ struct request_queue *tmf_queue;
++ struct request **tmf_rqs;
+
+ struct uic_command *active_uic_cmd;
+ struct mutex uic_cmd_mutex;
projects / thirdparty / kernel / stable-queue.git / commitdiff
