From 22aede9f48b6766fb67441610120db9b04adf109 Mon Sep 17 00:00:00 2001 From: Avri Altman Date: Sun, 8 Aug 2021 12:00:23 +0300 Subject: [PATCH] scsi: ufs: ufshpb: Verify that 'num_inflight_map_req' is non-negative 'num_inflight_map_req' should not be negative. It is incremented and decremented without any protection, allowing it theoretically to be negative, should some weird unbalanced count occur. Verify that the those calls are properly serialized. Link: https://lore.kernel.org/r/20210808090024.21721-4-avri.altman@wdc.com Fixes: 33845a2d844b (scsi: ufs: ufshpb: Limit the number of in-flight map requests) Signed-off-by: Avri Altman Signed-off-by: Martin K. Petersen --- drivers/scsi/ufs/ufshpb.c | 10 ++++++++++ drivers/scsi/ufs/ufshpb.h | 4 +++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c index 8e92c61..cd48367 100644 --- a/drivers/scsi/ufs/ufshpb.c +++ b/drivers/scsi/ufs/ufshpb.c @@ -756,6 +756,7 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb, { struct ufshpb_req *map_req; struct bio *bio; + unsigned long flags; if (hpb->is_hcm && hpb->num_inflight_map_req >= hpb->params.inflight_map_req) { @@ -780,7 +781,10 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb, map_req->rb.srgn_idx = srgn->srgn_idx; map_req->rb.mctx = srgn->mctx; + + spin_lock_irqsave(&hpb->param_lock, flags); hpb->num_inflight_map_req++; + spin_unlock_irqrestore(&hpb->param_lock, flags); return map_req; } @@ -788,9 +792,14 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb, static void ufshpb_put_map_req(struct ufshpb_lu *hpb, struct ufshpb_req *map_req) { + unsigned long flags; + bio_put(map_req->bio); ufshpb_put_req(hpb, map_req); + + spin_lock_irqsave(&hpb->param_lock, flags); hpb->num_inflight_map_req--; + spin_unlock_irqrestore(&hpb->param_lock, flags); } static int ufshpb_clear_dirty_bitmap(struct ufshpb_lu *hpb, @@ -2387,6 +2396,7 @@ static int ufshpb_lu_hpb_init(struct ufs_hba *hba, struct ufshpb_lu *hpb) spin_lock_init(&hpb->rgn_state_lock); spin_lock_init(&hpb->rsp_list_lock); + spin_lock_init(&hpb->param_lock); INIT_LIST_HEAD(&hpb->lru_info.lh_lru_rgn); INIT_LIST_HEAD(&hpb->lh_act_srgn); diff --git a/drivers/scsi/ufs/ufshpb.h b/drivers/scsi/ufs/ufshpb.h index 6df317d..a79e073 100644 --- a/drivers/scsi/ufs/ufshpb.h +++ b/drivers/scsi/ufs/ufshpb.h @@ -237,7 +237,9 @@ struct ufshpb_lu { struct ufshpb_req *pre_req; int num_inflight_pre_req; int throttle_pre_req; - int num_inflight_map_req; + int num_inflight_map_req; /* hold param_lock */ + spinlock_t param_lock; + struct list_head lh_pre_req_free; int cur_read_id; int pre_req_min_tr_len; -- 2.7.4