[PATCH 3/4] scsi: ufshpb: Verify that num_inflight_map_req is non-negative

From: Avri Altman
Date: Sun Aug 08 2021 - 05:01:20 EST


num_inflight_map_req should not be negative. It is incremented and
decremented without any protection, allowing it theoretically to be
negative, should some weird unbalanced count occur.

Verify that those calls are properly serialized.

Fixes: 33845a2d844b (scsi: ufs: ufshpb: Limit the number of in-flight map requests)
Signed-off-by: Avri Altman <avri.altman@xxxxxxx>
---
drivers/scsi/ufs/ufshpb.c | 10 ++++++++++
drivers/scsi/ufs/ufshpb.h | 4 +++-
2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c
index 8e92c61ed9d4..cd48367f94cc 100644
--- a/drivers/scsi/ufs/ufshpb.c
+++ b/drivers/scsi/ufs/ufshpb.c
@@ -756,6 +756,7 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb,
{
struct ufshpb_req *map_req;
struct bio *bio;
+ unsigned long flags;

if (hpb->is_hcm &&
hpb->num_inflight_map_req >= hpb->params.inflight_map_req) {
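Review bot: The limit check `hpb->num_inflight_map_req >= hpb->params.inflight_map_req` at the top of ufshpb_get_map_req() still reads the counter without param_lock, although the header now marks the field `/* hold param_lock */`. The increment in the next hunk takes the lock separately, so the check and the increment are not one atomic step; if callers can run concurrently, as the added locking implies, two of them could both pass the check and push the count past the limit. Consider reserving the slot under the lock at check time and releasing it on the failure paths, or making the field an `atomic_t` and comparing the result of `atomic_inc_return()` with the limit. The failure paths and the rest of the function body lie outside this hunk.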
@@ -780,7 +781,10 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb,

map_req->rb.srgn_idx = srgn->srgn_idx;
map_req->rb.mctx = srgn->mctx;
+
+ spin_lock_irqsave(&hpb->param_lock, flags);
hpb->num_inflight_map_req++;
+ spin_unlock_irqrestore(&hpb->param_lock, flags);

return map_req;
}
@@ -788,9 +792,14 @@ static struct ufshpb_req *ufshpb_get_map_req(struct ufshpb_lu *hpb,
static void ufshpb_put_map_req(struct ufshpb_lu *hpb,
struct ufshpb_req *map_req)
{
+ unsigned long flags;
+
bio_put(map_req->bio);
ufshpb_put_req(hpb, map_req);
+
+ spin_lock_irqsave(&hpb->param_lock, flags);
hpb->num_inflight_map_req--;
+ spin_unlock_irqrestore(&hpb->param_lock, flags);
}

static int ufshpb_clear_dirty_bitmap(struct ufshpb_lu *hpb,
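Review bot: Nothing in ufshpb_put_map_req() verifies that the counter stays non-negative, although the subject line says it does. The lock only serializes the decrement, so an unbalanced put would still drive the count below zero silently. A check under the lock would make that visible, for example `if (!WARN_ON_ONCE(hpb->num_inflight_map_req <= 0)) hpb->num_inflight_map_req--;`. A negative count would also let the `>=` limit check in ufshpb_get_map_req() admit more in-flight map requests than configured.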
@@ -2387,6 +2396,7 @@ static int ufshpb_lu_hpb_init(struct ufs_hba *hba, struct ufshpb_lu *hpb)

spin_lock_init(&hpb->rgn_state_lock);
spin_lock_init(&hpb->rsp_list_lock);
+ spin_lock_init(&hpb->param_lock);

INIT_LIST_HEAD(&hpb->lru_info.lh_lru_rgn);
INIT_LIST_HEAD(&hpb->lh_act_srgn);
diff --git a/drivers/scsi/ufs/ufshpb.h b/drivers/scsi/ufs/ufshpb.h
index 6df317dfe034..a79e07398970 100644
--- a/drivers/scsi/ufs/ufshpb.h
+++ b/drivers/scsi/ufs/ufshpb.h
@@ -237,7 +237,9 @@ struct ufshpb_lu {
struct ufshpb_req *pre_req;
int num_inflight_pre_req;
int throttle_pre_req;
- int num_inflight_map_req;
+ int num_inflight_map_req; /* hold param_lock */
+ spinlock_t param_lock;
+
struct list_head lh_pre_req_free;
int cur_read_id;
int pre_req_min_tr_len;
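Review bot: The name `param_lock` reads as if it guarded `hpb->params`, but in this patch it is only taken around `num_inflight_map_req`. A comment on the lock itself would state its scope, for example `spinlock_t param_lock; /* protects num_inflight_map_req */`. If other fields are meant to come under this lock later, listing them in that comment would keep the locking rule in one place.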
--
2.17.1