[V3,1/3] scsi: ufs: Fix error handler clear ua deadlock

There is no guarantee to be able to enter the queue if requests are
blocked. That is because freezing the queue will block entry to the
queue, but freezing also waits for outstanding requests which can make
no progress while the queue is blocked.

That situation can happen when the error handler issues requests to
clear unit attention condition. Requests can be blocked if the
ufshcd_state is UFSHCD_STATE_EH_SCHEDULED_FATAL, which can happen
as a result either of error handler activity, or theoretically a
request that is issued after the error handler unblocks the queue
but before clearing unit attention condition.

The deadlock is very unlikely, so the error handler can be expected
to clear ua at some point anyway, so the simple solution is not to
wait to enter the queue.

Additionally, note that the RPMB queue might be not be entered because
it is runtime suspended, but in that case ua will be cleared at RPMB
runtime resume.

Cc: stable@vger.kernel.org # 5.14+ ac1bc2ba060f: scsi: ufs: Request sense data asynchronously
Cc: stable@vger.kernel.org # 5.14+ 9b5ac8ab4e8b: scsi: ufs: Fix ufshcd_request_sense_async() for Samsung KLUFG8RHDA-B2D1
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---


Changes in V3:

	Correct commit message.
	Amend stable tags to add dependent cherry picks


 drivers/scsi/ufs/ufshcd.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

On 9/5/21 2:51 AM, Adrian Hunter wrote:
> There is no guarantee to be able to enter the queue if requests are

> blocked. That is because freezing the queue will block entry to the

> queue, but freezing also waits for outstanding requests which can make

> no progress while the queue is blocked.

> 

> That situation can happen when the error handler issues requests to

> clear unit attention condition. Requests can be blocked if the

> ufshcd_state is UFSHCD_STATE_EH_SCHEDULED_FATAL, which can happen

> as a result either of error handler activity, or theoretically a

> request that is issued after the error handler unblocks the queue

> but before clearing unit attention condition.

> 

> The deadlock is very unlikely, so the error handler can be expected

> to clear ua at some point anyway, so the simple solution is not to

> wait to enter the queue.


Do you agree that the interaction between ufshcd_scsi_block_requests() and
blk_mq_freeze_queue() can only lead to a deadlock if blk_queue_enter() is
called without using the BLK_MQ_REQ_NOWAIT flag and if unblocking SCSI
request processing can only happen by the same thread?

Do you agree that no ufshcd_clear_ua_wluns() caller blocks SCSI request
processing and hence that it is not necessary to add a "nowait" argument
to ufshcd_clear_ua_wluns()?

Thanks,

Bart.

On 7/09/21 5:42 pm, Bart Van Assche wrote:
> On 9/5/21 2:51 AM, Adrian Hunter wrote:

>> There is no guarantee to be able to enter the queue if requests are

>> blocked. That is because freezing the queue will block entry to the

>> queue, but freezing also waits for outstanding requests which can make

>> no progress while the queue is blocked.

>>

>> That situation can happen when the error handler issues requests to

>> clear unit attention condition. Requests can be blocked if the

>> ufshcd_state is UFSHCD_STATE_EH_SCHEDULED_FATAL, which can happen

>> as a result either of error handler activity, or theoretically a

>> request that is issued after the error handler unblocks the queue

>> but before clearing unit attention condition.

>>

>> The deadlock is very unlikely, so the error handler can be expected

>> to clear ua at some point anyway, so the simple solution is not to

>> wait to enter the queue.

> 

> Do you agree that the interaction between ufshcd_scsi_block_requests() and

> blk_mq_freeze_queue() can only lead to a deadlock if blk_queue_enter() is

> called without using the BLK_MQ_REQ_NOWAIT flag and if unblocking SCSI

> request processing can only happen by the same thread?


Sure

> Do you agree that no ufshcd_clear_ua_wluns() caller blocks SCSI request

> processing and hence that it is not necessary to add a "nowait" argument

> to ufshcd_clear_ua_wluns()?


No.  Requests cannot make progress when ufshcd_state is
UFSHCD_STATE_EH_SCHEDULED_FATAL, and only the error handler can change that,
so if the error handler is waiting to enter the queue and blk_mq_freeze_queue()
is waiting for outstanding requests, they will deadlock.

On 9/7/21 8:43 AM, Adrian Hunter wrote:
> No.  Requests cannot make progress when ufshcd_state is

> UFSHCD_STATE_EH_SCHEDULED_FATAL, and only the error handler can change that,

> so if the error handler is waiting to enter the queue and blk_mq_freeze_queue()

> is waiting for outstanding requests, they will deadlock.


How about adding the above text as a comment above ufshcd_clear_ua_wluns() such
that this information becomes available to those who have not followed this
conversation?

Thanks,

Bart.

On 9/7/21 9:56 AM, Bart Van Assche wrote:
> On 9/7/21 8:43 AM, Adrian Hunter wrote:

>> No.  Requests cannot make progress when ufshcd_state is

>> UFSHCD_STATE_EH_SCHEDULED_FATAL, and only the error handler can change 

>> that,

>> so if the error handler is waiting to enter the queue and 

>> blk_mq_freeze_queue()

>> is waiting for outstanding requests, they will deadlock.

> 

> How about adding the above text as a comment above 

> ufshcd_clear_ua_wluns() such

> that this information becomes available to those who have not followed this

> conversation?


After having given patch 1/3 some further thought: an unfortunate
effect of this patch is that unit attention clearing is skipped for
the states UFSHCD_STATE_EH_SCHEDULED_FATAL and UFSHCD_STATE_RESET.
How about replacing patch 1/3 with the untested patch below since that
patch does not have the disadvantage of sometimes skipping clearing UA?

Thanks,

Bart.

[PATCH] scsi: ufs: Fix a recently introduced deadlock

Completing pending commands with DID_IMM_RETRY triggers the following
code paths:

   scsi_complete()
   -> scsi_queue_insert()
     -> __scsi_queue_insert()
       -> scsi_device_unbusy()
         -> scsi_dec_host_busy()
	  -> scsi_eh_wakeup()
       -> blk_mq_requeue_request()

   scsi_queue_rq()
   -> scsi_host_queue_ready()
     -> scsi_host_in_recovery()

Fixes: a113eaaf8637 ("scsi: ufs: Synchronize SCSI and UFS error handling")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>

---
  drivers/scsi/ufs/ufshcd.c | 8 ++++++++
  1 file changed, 8 insertions(+)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index c2c614da1fb8..9560f34f3d27 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -2707,6 +2707,14 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
  		}
  		fallthrough;
  	case UFSHCD_STATE_RESET:
+		/*
+		 * The SCSI error handler only starts after all pending commands
+		 * have failed or timed out. Complete commands with
+		 * DID_IMM_RETRY to allow the error handler to start
+		 * if it has been scheduled.
+		 */
+		set_host_byte(cmd, DID_IMM_RETRY);
+		cmd->scsi_done(cmd);
  		err = SCSI_MLQUEUE_HOST_BUSY;
  		goto out;
  	case UFSHCD_STATE_ERROR:

On 8/09/21 1:36 am, Bart Van Assche wrote:
> On 9/7/21 9:56 AM, Bart Van Assche wrote:

>> On 9/7/21 8:43 AM, Adrian Hunter wrote:

>>> No.  Requests cannot make progress when ufshcd_state is

>>> UFSHCD_STATE_EH_SCHEDULED_FATAL, and only the error handler can change that,

>>> so if the error handler is waiting to enter the queue and blk_mq_freeze_queue()

>>> is waiting for outstanding requests, they will deadlock.

>>

>> How about adding the above text as a comment above ufshcd_clear_ua_wluns() such

>> that this information becomes available to those who have not followed this

>> conversation?

> 

> After having given patch 1/3 some further thought: an unfortunate

> effect of this patch is that unit attention clearing is skipped for

> the states UFSHCD_STATE_EH_SCHEDULED_FATAL and UFSHCD_STATE_RESET.


Only if the error handler is racing with blk_mq_freeze_queue(), but it
is not ideal.

> How about replacing patch 1/3 with the untested patch below since that

> patch does not have the disadvantage of sometimes skipping clearing UA?


I presume you mean without reverting "scsi: ufs: Synchronize SCSI
and UFS error handling" but in that case the deadlock happens because:

error handler is waiting on blk_queue_enter()
blk_queue_enter() is waiting on blk_mq_freeze_queue()
blk_mq_freeze_queue() is waiting on outstanding requests
outstanding requests are blocked by the SCSI error handler shost_state == SHOST_RECOVERY set by scsi_schedule_eh()

> 

> Thanks,

> 

> Bart.

> 

> [PATCH] scsi: ufs: Fix a recently introduced deadlock

> 

> Completing pending commands with DID_IMM_RETRY triggers the following

> code paths:

> 

>   scsi_complete()

>   -> scsi_queue_insert()

>     -> __scsi_queue_insert()

>       -> scsi_device_unbusy()

>         -> scsi_dec_host_busy()

>       -> scsi_eh_wakeup()

>       -> blk_mq_requeue_request()

> 

>   scsi_queue_rq()

>   -> scsi_host_queue_ready()

>     -> scsi_host_in_recovery()

> 

> Fixes: a113eaaf8637 ("scsi: ufs: Synchronize SCSI and UFS error handling")

> Signed-off-by: Bart Van Assche <bvanassche@acm.org>

> ---

>  drivers/scsi/ufs/ufshcd.c | 8 ++++++++

>  1 file changed, 8 insertions(+)

> 

> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c

> index c2c614da1fb8..9560f34f3d27 100644

> --- a/drivers/scsi/ufs/ufshcd.c

> +++ b/drivers/scsi/ufs/ufshcd.c

> @@ -2707,6 +2707,14 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)

>          }

>          fallthrough;

>      case UFSHCD_STATE_RESET:

> +        /*

> +         * The SCSI error handler only starts after all pending commands

> +         * have failed or timed out. Complete commands with

> +         * DID_IMM_RETRY to allow the error handler to start

> +         * if it has been scheduled.

> +         */

> +        set_host_byte(cmd, DID_IMM_RETRY);

> +        cmd->scsi_done(cmd);


Setting non-zero return value, in this case "err = SCSI_MLQUEUE_HOST_BUSY"
will anyway cause scsi_dec_host_busy(), so does this make any difference?


>          err = SCSI_MLQUEUE_HOST_BUSY;

>          goto out;

>      case UFSHCD_STATE_ERROR:

On 9/11/21 09:47, Adrian Hunter wrote:
> On 8/09/21 1:36 am, Bart Van Assche wrote:

>> --- a/drivers/scsi/ufs/ufshcd.c

>> +++ b/drivers/scsi/ufs/ufshcd.c

>> @@ -2707,6 +2707,14 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)

>>           }

>>           fallthrough;

>>       case UFSHCD_STATE_RESET:

>> +        /*

>> +         * The SCSI error handler only starts after all pending commands

>> +         * have failed or timed out. Complete commands with

>> +         * DID_IMM_RETRY to allow the error handler to start

>> +         * if it has been scheduled.

>> +         */

>> +        set_host_byte(cmd, DID_IMM_RETRY);

>> +        cmd->scsi_done(cmd);

> 

> Setting non-zero return value, in this case "err = SCSI_MLQUEUE_HOST_BUSY"

> will anyway cause scsi_dec_host_busy(), so does this make any difference?


The return value should be changed into 0 since returning 
SCSI_MLQUEUE_HOST_BUSY is only allowed if cmd->scsi_done(cmd) has not 
yet been called.

I expect that setting the host byte to DID_IMM_RETRY and calling 
scsi_done will make a difference, otherwise I wouldn't have suggested 
this. As explained in my previous email doing that triggers the SCSI 
command completion and resubmission paths. Resubmission only happens if 
the SCSI error handler has not yet been scheduled. The SCSI error 
handler is scheduled after for all pending commands scsi_done() has been 
called or a timeout occurred. In other words, setting the host byte to 
DID_IMM_RETRY and calling scsi_done() makes it possible for the error 
handler to be scheduled, something that won't happen if 
ufshcd_queuecommand() systematically returns SCSI_MLQUEUE_HOST_BUSY. In 
the latter case the block layer timer is reset over and over again. See 
also the blk_mq_start_request() in scsi_queue_rq(). One could wonder 
whether this is really what the SCSI core should do if a SCSI LLD keeps 
returning the SCSI_MLQUEUE_HOST_BUSY status code ...

Bart.

On 13/09/21 6:17 am, Bart Van Assche wrote:
> On 9/11/21 09:47, Adrian Hunter wrote:

>> On 8/09/21 1:36 am, Bart Van Assche wrote:

>>> --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c 

>>> @@ -2707,6 +2707,14 @@ static int ufshcd_queuecommand(struct

>>> Scsi_Host *host, struct scsi_cmnd *cmd) } fallthrough; case

>>> UFSHCD_STATE_RESET: +        /* +         * The SCSI error

>>> handler only starts after all pending commands +         * have

>>> failed or timed out. Complete commands with +         *

>>> DID_IMM_RETRY to allow the error handler to start +         * if

>>> it has been scheduled. +         */ +        set_host_byte(cmd,

>>> DID_IMM_RETRY); +        cmd->scsi_done(cmd);

>> 

>> Setting non-zero return value, in this case "err =

>> SCSI_MLQUEUE_HOST_BUSY" will anyway cause scsi_dec_host_busy(), so

>> does this make any difference?

> 

> The return value should be changed into 0 since returning

> SCSI_MLQUEUE_HOST_BUSY is only allowed if cmd->scsi_done(cmd) has not

> yet been called.

> 

> I expect that setting the host byte to DID_IMM_RETRY and calling

> scsi_done will make a difference, otherwise I wouldn't have suggested

> this. As explained in my previous email doing that triggers the SCSI> command completion and resubmission paths. Resubmission only happens

> if the SCSI error handler has not yet been scheduled. The SCSI error

> handler is scheduled after for all pending commands scsi_done() has

> been called or a timeout occurred. In other words, setting the host

> byte to DID_IMM_RETRY and calling scsi_done() makes it possible for

> the error handler to be scheduled, something that won't happen if

> ufshcd_queuecommand() systematically returns SCSI_MLQUEUE_HOST_BUSY.


Not getting it, sorry. :-(

The error handler sets UFSHCD_STATE_RESET and never leaves the state
as UFSHCD_STATE_RESET, so that case does not need to start the error
handler because it is already running.

The error handler is always scheduled after setting 
UFSHCD_STATE_EH_SCHEDULED_FATAL.

scsi_dec_host_busy() is called for any non-zero return value like
SCSI_MLQUEUE_HOST_BUSY:

i.e.
	reason = scsi_dispatch_cmd(cmd);
	if (reason) {
		scsi_set_blocked(cmd, reason);
		ret = BLK_STS_RESOURCE;
		goto out_dec_host_busy;
	}

	return BLK_STS_OK;

out_dec_host_busy:
	scsi_dec_host_busy(shost, cmd);

And that will wake the error handler:

static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)
{
	unsigned long flags;

	rcu_read_lock();
	__clear_bit(SCMD_STATE_INFLIGHT, &cmd->state);
	if (unlikely(scsi_host_in_recovery(shost))) {
		spin_lock_irqsave(shost->host_lock, flags);
		if (shost->host_failed || shost->host_eh_scheduled)
			scsi_eh_wakeup(shost);
		spin_unlock_irqrestore(shost->host_lock, flags);
	}
	rcu_read_unlock();
}

Note that scsi_host_queue_ready() won't let any requests through
when scsi_host_in_recovery(), so the potential problem is with
requests that have already been successfully submitted to the
UFS driver but have not completed. The change you suggest
does not help with that.

That seems like another problem with the patch 
"scsi: ufs: Synchronize SCSI and UFS error handling".


> In the latter case the block layer timer is reset over and over

> again. See also the blk_mq_start_request() in scsi_queue_rq(). One

> could wonder whether this is really what the SCSI core should do if a

> SCSI LLD keeps returning the SCSI_MLQUEUE_HOST_BUSY status code ...

> 

> Bart.

On 9/13/21 1:53 AM, Adrian Hunter wrote:
> scsi_dec_host_busy() is called for any non-zero return value like

> SCSI_MLQUEUE_HOST_BUSY:

> 

> i.e.

> 	reason = scsi_dispatch_cmd(cmd);

> 	if (reason) {

> 		scsi_set_blocked(cmd, reason);

> 		ret = BLK_STS_RESOURCE;

> 		goto out_dec_host_busy;

> 	}

> 

> 	return BLK_STS_OK;

> 

> out_dec_host_busy:

> 	scsi_dec_host_busy(shost, cmd);

> 

> And that will wake the error handler:

> 

> static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)

> {

> 	unsigned long flags;

> 

> 	rcu_read_lock();

> 	__clear_bit(SCMD_STATE_INFLIGHT, &cmd->state);

> 	if (unlikely(scsi_host_in_recovery(shost))) {

> 		spin_lock_irqsave(shost->host_lock, flags);

> 		if (shost->host_failed || shost->host_eh_scheduled)

> 			scsi_eh_wakeup(shost);

> 		spin_unlock_irqrestore(shost->host_lock, flags);

> 	}

> 	rcu_read_unlock();

> }


Returning SCSI_MLQUEUE_HOST_BUSY is not sufficient to wake up the SCSI
error handler because of the following test in scsi_error_handler():

	shost->host_failed != scsi_host_busy(shost)

As I mentioned in a previous email, all pending commands must have failed
or timed out before the error handler is woken up. Returning
SCSI_MLQUEUE_HOST_BUSY from ufshcd_queuecommand() does not fail a command
and prevents it from timing out. Hence my suggestion to change
"return SCSI_MLQUEUE_HOST_BUSY" into set_host_byte(cmd, DID_IMM_RETRY)
followed by cmd->scsi_done(cmd). A possible alternative is to move the
blk_mq_start_request() call in the SCSI core such that the block layer
request timer is not reset if a SCSI LLD returns SCSI_MLQUEUE_HOST_BUSY.

Bart.

On 13/09/21 7:33 pm, Bart Van Assche wrote:
> On 9/13/21 1:53 AM, Adrian Hunter wrote:

>> scsi_dec_host_busy() is called for any non-zero return value like

>> SCSI_MLQUEUE_HOST_BUSY:

>>

>> i.e.

>>     reason = scsi_dispatch_cmd(cmd);

>>     if (reason) {

>>         scsi_set_blocked(cmd, reason);

>>         ret = BLK_STS_RESOURCE;

>>         goto out_dec_host_busy;

>>     }

>>

>>     return BLK_STS_OK;

>>

>> out_dec_host_busy:

>>     scsi_dec_host_busy(shost, cmd);

>>

>> And that will wake the error handler:

>>

>> static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd)

>> {

>>     unsigned long flags;

>>

>>     rcu_read_lock();

>>     __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state);

>>     if (unlikely(scsi_host_in_recovery(shost))) {

>>         spin_lock_irqsave(shost->host_lock, flags);

>>         if (shost->host_failed || shost->host_eh_scheduled)

>>             scsi_eh_wakeup(shost);

>>         spin_unlock_irqrestore(shost->host_lock, flags);

>>     }

>>     rcu_read_unlock();

>> }

> 

> Returning SCSI_MLQUEUE_HOST_BUSY is not sufficient to wake up the SCSI

> error handler because of the following test in scsi_error_handler():

> 

>     shost->host_failed != scsi_host_busy(shost)


SCSI_MLQUEUE_HOST_BUSY causes scsi_host_busy() to decrement by calling
scsi_dec_host_busy() as described above, so the request is not being
counted in that condition anymore.

> 

> As I mentioned in a previous email, all pending commands must have failed

> or timed out before the error handler is woken up. Returning

> SCSI_MLQUEUE_HOST_BUSY from ufshcd_queuecommand() does not fail a command

> and prevents it from timing out. Hence my suggestion to change

> "return SCSI_MLQUEUE_HOST_BUSY" into set_host_byte(cmd, DID_IMM_RETRY)

> followed by cmd->scsi_done(cmd). A possible alternative is to move the

> blk_mq_start_request() call in the SCSI core such that the block layer

> request timer is not reset if a SCSI LLD returns SCSI_MLQUEUE_HOST_BUSY.

> 

> Bart.

On 9/13/21 10:13 AM, Adrian Hunter wrote:
> SCSI_MLQUEUE_HOST_BUSY causes scsi_host_busy() to decrement by calling

> scsi_dec_host_busy() as described above, so the request is not being

> counted in that condition anymore.


Let's take a step back. My understanding is that the deadlock is caused by
the combination of:
* SCSI command processing being blocked because of the state
   UFSHCD_STATE_EH_SCHEDULED_FATAL.
* The sdev_ufs_device and/or sdev_rpmb request queues are frozen
   (blk_mq_freeze_queue() has started).
* A REQUEST SENSE command being scheduled from inside the error handler
   (ufshcd_clear_ua_wlun()).

Is this a theoretical concern or something that has been observed on a test
setup?

If this has been observed on a test setup, was the error handler scheduled
(ufshcd_err_handler())?

I don't see how SCSI command processing could get stuck indefinitely since
it is guaranteed that the UFS error handler will get scheduled and also that
the UFS error handler will change ufshcd_state from
UFSHCD_STATE_EH_SCHEDULED_FATAL into another state?

What am I missing?

Thanks,

Bart.

On 13/09/21 11:11 pm, Bart Van Assche wrote:
> On 9/13/21 10:13 AM, Adrian Hunter wrote:

>> SCSI_MLQUEUE_HOST_BUSY causes scsi_host_busy() to decrement by calling

>> scsi_dec_host_busy() as described above, so the request is not being

>> counted in that condition anymore.

> 

> Let's take a step back. My understanding is that the deadlock is caused by

> the combination of:

> * SCSI command processing being blocked because of the state

>   UFSHCD_STATE_EH_SCHEDULED_FATAL.


That assumes "scsi: ufs: Synchronize SCSI and UFS error handling" is reverted.
With "scsi: ufs: Synchronize SCSI and UFS error handling" all requests are
blocked because scsi_host_in_recovery().

> * The sdev_ufs_device and/or sdev_rpmb request queues are frozen

>   (blk_mq_freeze_queue() has started).


Yes

> * A REQUEST SENSE command being scheduled from inside the error handler

>   (ufshcd_clear_ua_wlun()).


Not exactly.  It is not possible to enter the queue after freezing starts
so blk_queue_enter() is stuck waiting on any existing requests to exit
the queue, but existing requests are blocked as described above.

> 

> Is this a theoretical concern or something that has been observed on a test

> setup?


It is observed on Samsung Galaxy Book S when suspending.

> 

> If this has been observed on a test setup, was the error handler scheduled

> (ufshcd_err_handler())?


Yes.

> 

> I don't see how SCSI command processing could get stuck indefinitely since

> it is guaranteed that the UFS error handler will get scheduled and also that

> the UFS error handler will change ufshcd_state from

> UFSHCD_STATE_EH_SCHEDULED_FATAL into another state?


The error handler is stuck waiting on the freeze, which is stuck waiting on
requests which are stuck waiting on the error handler.


> 

> What am I missing?


You have not responded to the issues raised by
"scsi: ufs: Synchronize SCSI and UFS error handling"

On 9/13/21 9:55 PM, Adrian Hunter wrote:
> On 13/09/21 11:11 pm, Bart Van Assche wrote: >> What am I missing?

> 

> You have not responded to the issues raised by

> "scsi: ufs: Synchronize SCSI and UFS error handling"


Because one of the follow-up messages to that patch was so cryptic that I
did not comprehend it. Anyway, based on the patch at the start of this email
thread I assume that the deadlock is caused by calling blk_get_request()
without the BLK_MQ_REQ_NOWAIT flag from inside a SCSI error handler. How
about fixing this by removing the code that submits a REQUEST SENSE command
and calling scsi_report_bus_reset() or scsi_report_device_reset() instead?
ufshcd_reset_and_restore() already uses that approach to make sure that the
unit attention condition triggered by a reset is not reported to the SCSI
command submitter. I think only if needs_restore == true and
needs_reset == false that ufshcd_err_handler() can trigger a UA condition
without calling scsi_report_bus_reset().

The following code from scsi_error.c makes sure that the UA after a reset
does not reach the upper-level driver:

	case NOT_READY:
	case UNIT_ATTENTION:
		/*
		 * if we are expecting a cc/ua because of a bus reset that we
		 * performed, treat this just as a retry.  otherwise this is
		 * information that we should pass up to the upper-level driver
		 * so that we can deal with it there.
		 */
		if (scmd->device->expecting_cc_ua) {
			/*
			 * Because some device does not queue unit
			 * attentions correctly, we carefully check
			 * additional sense code and qualifier so as
			 * not to squash media change unit attention.
			 */
			if (sshdr.asc != 0x28 || sshdr.ascq != 0x00) {
				scmd->device->expecting_cc_ua = 0;
				return NEEDS_RETRY;
			}
		}

Bart.

On 15/09/21 1:28 am, Bart Van Assche wrote:
> On 9/13/21 9:55 PM, Adrian Hunter wrote:

>> On 13/09/21 11:11 pm, Bart Van Assche wrote: >> What am I missing?

>>

>> You have not responded to the issues raised by

>> "scsi: ufs: Synchronize SCSI and UFS error handling"

> 

> Because one of the follow-up messages to that patch was so cryptic that I

> did not comprehend it. Anyway, based on the patch at the start of this email

> thread I assume that the deadlock is caused by calling blk_get_request()

> without the BLK_MQ_REQ_NOWAIT flag from inside a SCSI error handler. How

> about fixing this by removing the code that submits a REQUEST SENSE command

> and calling scsi_report_bus_reset() or scsi_report_device_reset() instead?

> ufshcd_reset_and_restore() already uses that approach to make sure that the

> unit attention condition triggered by a reset is not reported to the SCSI

> command submitter. I think only if needs_restore == true and

> needs_reset == false that ufshcd_err_handler() can trigger a UA condition

> without calling scsi_report_bus_reset().

> 

> The following code from scsi_error.c makes sure that the UA after a reset

> does not reach the upper-level driver:

> 

>     case NOT_READY:

>     case UNIT_ATTENTION:

>         /*

>          * if we are expecting a cc/ua because of a bus reset that we

>          * performed, treat this just as a retry.  otherwise this is

>          * information that we should pass up to the upper-level driver

>          * so that we can deal with it there.

>          */

>         if (scmd->device->expecting_cc_ua) {

>             /*

>              * Because some device does not queue unit

>              * attentions correctly, we carefully check

>              * additional sense code and qualifier so as

>              * not to squash media change unit attention.

>              */

>             if (sshdr.asc != 0x28 || sshdr.ascq != 0x00) {

>                 scmd->device->expecting_cc_ua = 0;

>                 return NEEDS_RETRY;

>             }

>         }

> 

> Bart.



Thanks for the idea.  Unfortunately it does not work for pass-through
requests, refer scsi_noretry_cmd().  sdev_ufs_device and sdev_rpmb are
used with pass-through requests.

On 9/15/21 8:35 AM, Adrian Hunter wrote:
> Thanks for the idea.  Unfortunately it does not work for pass-through

> requests, refer scsi_noretry_cmd().  sdev_ufs_device and sdev_rpmb are

> used with pass-through requests.


How about allocating and submitting the REQUEST SENSE command from the context
of a workqueue, or in other words, switching back to scsi_execute()? Although
that approach doesn't guarantee that the unit attention condition is cleared
before the first SCSI command is received from outside the UFS driver, I don't
see any other solution since my understanding is that the deadlock between
blk_mq_freeze_queue() and blk_get_request() from inside ufshcd_err_handler()
can also happen without "ufs: Synchronize SCSI and UFS error handling".

The only code I know of that relies on the UFS driver clearing unit attentions
is this code:
https://android.googlesource.com/platform/system/core/+/master/trusty/storage/proxy/rpmb.c
The code that submits a REQUEST SENSE was added in the UFS driver as the result
of a request from the team that maintains the Trusty code. Earlier today I have
been promised that unit attention handling support will be added in Trusty but I
do not when this will be realized.

Bart.

On 16/09/21 1:41 am, Bart Van Assche wrote:
> On 9/15/21 8:35 AM, Adrian Hunter wrote:

>> Thanks for the idea.  Unfortunately it does not work for pass-through

>> requests, refer scsi_noretry_cmd().  sdev_ufs_device and sdev_rpmb are

>> used with pass-through requests.

> 

> How about allocating and submitting the REQUEST SENSE command from the context

> of a workqueue, or in other words, switching back to scsi_execute()? Although

> that approach doesn't guarantee that the unit attention condition is cleared

> before the first SCSI command is received from outside the UFS driver, I don't

> see any other solution since my understanding is that the deadlock between

> blk_mq_freeze_queue() and blk_get_request() from inside ufshcd_err_handler()

> can also happen without "ufs: Synchronize SCSI and UFS error handling".


The issue can also be fixed by sending REQUEST SENSE directly avoiding the
SCSI queues.  Please see V4.

> 

> The only code I know of that relies on the UFS driver clearing unit attentions

> is this code:

> https://android.googlesource.com/platform/system/core/+/master/trusty/storage/proxy/rpmb.c

> The code that submits a REQUEST SENSE was added in the UFS driver as the result

> of a request from the team that maintains the Trusty code. Earlier today I have

> been promised that unit attention handling support will be added in Trusty but I

> do not when this will be realized.

> 

> Bart.

> 

>