Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Tue, 2021-01-12 at 08:45 +0800, Can Guo wrote:
> > > > > to
> > > > > talk to UFS, OCP can happen on VCCQ/VCCQ2. This leads to
> > > > > system
> > > > > CRASH
> > > > > too.
> > > > 
> > > > the same as above, share the crash log.
> > > > 
> > > 
> > > If you have hand-on experiences on NoC and/or OCP issues, you
> > > won't
> > > ask
> > > for the crash log. The tricky parts about critial NoC and OCP
> > > issues
> > > is
> > 
> > OK, interesting. would you tell me which register access node in
> > ufs-
> > sysfs.c can trigger this crash? let me verify your statement.
> > 
> > 
> 
> I believe I have explained enough to prove we need this change.
> 
> If you are really interested in NoC and OCP, feel free to ping me
> on teams, I will show you how to trigger one and what is it like
> on my setup.
> 
> Can Guo.

Ok, I no meant to stop or slow down your patch merging,
meant to avoid redundant instruction cycles.

Avri and Stanley have been convinced. let it go at that and merge.

Thanks,
Bean

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Stanley Chu]

On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> User layer may access sysfs nodes when system PM ops or error handling
> is running, which can cause various problems. Rename eh_sem to host_sem
> and use it to protect PM ops and error handling from user layer intervene.
> 
> Signed-off-by: Can Guo 
> 

Looks good to me.

Feel free to add
Reviewed-by: Stanley Chu 

RE: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Avri Altman]

> 
> On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > + * @shutting_down: flag to check if shutdown has been invoked
> > + * @host_sem: semaphore used to serialize concurrent contexts
> >   * @eh_wq: Workqueue that eh_work works on
> >   * @eh_work: Worker to handle UFS errors that require s/w attention
> >   * @eeh_work: Worker to handle exception events
> > @@ -751,7 +753,8 @@ struct ufs_hba {
> > u32 intr_mask;
> > u16 ee_ctrl_mask;
> > bool is_powered;
> > -   struct semaphore eh_sem;
> > +   bool shutting_down;
> > +   struct semaphore host_sem;
> >
> > /* Work Queues */
> > struct workqueue_struct *eh_wq;
> > @@ -875,6 +878,11 @@ static inline bool ufshcd_is_wb_allowed(struct
> > ufs_hba *hba)
> > return hba->caps & UFSHCD_CAP_WB_EN;
> >  }
> >
> > +static inline bool ufshcd_is_sysfs_allowed(struct ufs_hba *hba)
> > +{
> > +   return !hba->shutting_down;
> > +}
> > +
> 
> 
> Can,
> 
> Instead adding new shutting_down flag, can we use availible variable
> system_state?
> 
Like Can, I am too, don't think that using system state here, e.g. 
UFS_SHUTDOWN_PM suffices.
The use of the new flag, jointly with the semaphore, provides a tighter control.

Acked-by: Avri Altman 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-11 18:04, Bean Huo wrote:

On Mon, 2021-01-11 at 17:22 +0800, Can Guo wrote:

> > meaning you are tring to access a register when clocks are
> > disabled.
> > This
> > leads to system CRASH.
> >
>
> OK, let it simple, share this kind of crash log becuase of access
> sysfs
> node in the shutdown flow.
>
>
> > [2] OCP is over current protection. While UFS shutting down, you
> > may
> > have put UFS regulators to LPM. After that, if you are still
> > trying
> > to
> > talk to UFS, OCP can happen on VCCQ/VCCQ2. This leads to system
> > CRASH
> > too.
>
> the same as above, share the crash log.
>

If you have hand-on experiences on NoC and/or OCP issues, you won't
ask
for the crash log. The tricky parts about critial NoC and OCP issues
is


OK, interesting. would you tell me which register access node in ufs-
sysfs.c can trigger this crash? let me verify your statement.




I believe I have explained enough to prove we need this change.

If you are really interested in NoC and OCP, feel free to ping me
on teams, I will show you how to trigger one and what is it like
on my setup.

Can Guo.


Bean

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Mon, 2021-01-11 at 17:22 +0800, Can Guo wrote:
> > > meaning you are tring to access a register when clocks are
> > > disabled.
> > > This
> > > leads to system CRASH.
> > > 
> > 
> > OK, let it simple, share this kind of crash log becuase of access
> > sysfs
> > node in the shutdown flow.
> > 
> > 
> > > [2] OCP is over current protection. While UFS shutting down, you
> > > may
> > > have put UFS regulators to LPM. After that, if you are still
> > > trying
> > > to
> > > talk to UFS, OCP can happen on VCCQ/VCCQ2. This leads to system
> > > CRASH
> > > too.
> > 
> > the same as above, share the crash log.
> > 
> 
> If you have hand-on experiences on NoC and/or OCP issues, you won't
> ask
> for the crash log. The tricky parts about critial NoC and OCP issues
> is

OK, interesting. would you tell me which register access node in ufs-
sysfs.c can trigger this crash? let me verify your statement.


Bean

> 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-11 16:23, Bean Huo wrote:

On Mon, 2021-01-11 at 09:27 +0800, Can Guo wrote:

>
> If accessing sysfs nodes, which triggers a UFS UPIU request to
> read/write UFS device descriptors during shutdown flow, there is
> only
> one issue that sysfs node access failure since UFS device and LINK
> has
> been shutdown. Strictly speaking, the failure comes after
> ufshcd_set_dev_pwr_mode().
>
> __ufshcd_query_descriptor: opcode 0x01 for idn 0 failed, index
> 0,
> err = -11

You misunderstood it again. You are expecting a simple query cmd
error.
But what really matters are NoC issues[1] and OCP[2]. And
while/after
UFS
shutting down, either of them may happen.

[1] When a un-clocked register access issue happens, we call it a
NoC
issue,
meaning you are tring to access a register when clocks are disabled.
This
leads to system CRASH.



OK, let it simple, share this kind of crash log becuase of access sysfs
node in the shutdown flow.



[2] OCP is over current protection. While UFS shutting down, you may
have put UFS regulators to LPM. After that, if you are still trying
to
talk to UFS, OCP can happen on VCCQ/VCCQ2. This leads to system
CRASH
too.


the same as above, share the crash log.



If you have hand-on experiences on NoC and/or OCP issues, you won't ask
for the crash log. The tricky parts about critial NoC and OCP issues is
that they don't print much logs (maybe no logs at all) in uart, which is
why they are hard to debug and why I add another flag to help debug.

Take OCP as an example, when OCP happens on VCCQ/VCCQ2, PMIC will do a
hard reset and put the system to crash dump mode (this is a general 
design

in our mutual customers, but it may vary platform by platform).

And if you have a crash dump tool to collect the dump, after the dump is
parsed, the best part which you can count on is the last callstacks and
related flags, variables in hba. The callstack is pretty much same with
the one I shared with my debug patch applied during the weekend.

Stanley can correct me if I am wrong.

Thanks,
Can Guo.



>
> Since the shutdown is oneway process, this failure is not big
> issue. If
> you meant to avoid this failure for unsafe shutdown, I agree with
> you,
> But for the race issue, I don't know.
>

Easy for you to say. System crash is a big issue to any SoC vendors
I
belive.



indeed, crash is serious issue, share the log.


Thanks,
Bean



Can Guo.

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Mon, 2021-01-11 at 09:30 +0800, Can Guo wrote:
> > > +static inline bool ufshcd_is_sysfs_allowed(struct ufs_hba *hba)
> > > +{
> > > +   return !hba->shutting_down;
> > > +}
> > > +
> > 
> > 
> > Can,
> > 
> > Instead adding new shutting_down flag, can we use availible
> > variable
> > system_state?
> > 
> > Thanks,
> > Bean
> 
> Hi Bean,
> 
> I prefer the flag shutting_down, it tells us whether
> ufshcd_shutdown()
> has been invoked or not. It comes handy when debug some system crash
> issues caused by UFS during reboot/shutdown tests. system_state is
> too
> wide in this case.
> 

It is only a suggestion, and others LLD use system_state, you prefer
adding new flags.

Bean

> Thanks,
> Can Guo.

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Mon, 2021-01-11 at 09:27 +0800, Can Guo wrote:
> > 
> > If accessing sysfs nodes, which triggers a UFS UPIU request to
> > read/write UFS device descriptors during shutdown flow, there is
> > only
> > one issue that sysfs node access failure since UFS device and LINK
> > has
> > been shutdown. Strictly speaking, the failure comes after
> > ufshcd_set_dev_pwr_mode().
> > 
> > __ufshcd_query_descriptor: opcode 0x01 for idn 0 failed, index
> > 0,
> > err = -11
> 
> You misunderstood it again. You are expecting a simple query cmd
> error.
> But what really matters are NoC issues[1] and OCP[2]. And
> while/after 
> UFS
> shutting down, either of them may happen.
> 
> [1] When a un-clocked register access issue happens, we call it a
> NoC 
> issue,
> meaning you are tring to access a register when clocks are disabled. 
> This
> leads to system CRASH.
> 

OK, let it simple, share this kind of crash log becuase of access sysfs
node in the shutdown flow.


> [2] OCP is over current protection. While UFS shutting down, you may
> have put UFS regulators to LPM. After that, if you are still trying
> to
> talk to UFS, OCP can happen on VCCQ/VCCQ2. This leads to system
> CRASH 
> too.

the same as above, share the crash log.

> 
> > 
> > Since the shutdown is oneway process, this failure is not big
> > issue. If
> > you meant to avoid this failure for unsafe shutdown, I agree with
> > you,
> > But for the race issue, I don't know.
> > 
> 
> Easy for you to say. System crash is a big issue to any SoC vendors
> I 
> belive.
> 

indeed, crash is serious issue, share the log.


Thanks,
Bean


> Can Guo.

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-11 00:13, Bean Huo wrote:

On Sat, 2021-01-09 at 12:51 +0800, Can Guo wrote:

On 2021-01-09 12:45, Can Guo wrote:
> On 2021-01-08 19:29, Bean Huo wrote:
> > On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:
> > > Hi Bean,
> > >
> > > On 2021-01-06 02:38, Bean Huo wrote:
> > > > On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > > > > On 2021-01-05 04:05, Bean Huo wrote:
> > > > > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > > > > + * @shutting_down: flag to check if shutdown has been
> > > > > > > invoked
> > > > > >
> > > > > > I am not much sure if this flag is need, since once PM
> > > > > > going in
> > > > > > shutdown path, what will be returnded by
> > > > > > pm_runtime_get_sync()?
> > > > > >
> > > > > > If pm_runtime_get_sync() will fail, just check its
> > > > > > return.
> > > > > >
> > > > >
> > > > > That depends. During/after shutdown, for UFS's case only,
> > > > > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > > > > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > > > > will directly return 0... meaning you cannot count on it.
> > > > >
> > > > > Check Stanley's change -
> > > > > https://lore.kernel.org/patchwork/patch/1341389/
> > > > >
> > > > > Can Guo.
> > > >
> > > > Can,
> > > >
> > > > Thanks for pointing out that.
> > > >
> > > > Based on my understanding, that patch is redundent. maybe I
> > > > misundestood Linux shutdown sequence.
> > >
> > > Sorry, do you mean Stanley's change is redundant?
> >
> > yes.
> >
>
> No, it is definitely needed. As Stanley replied you in another
> thread, it is not protecting I/Os from user layer, but from
> other subsystems during shutdown.
>
> > >
> > > >
> > > > I checked the shutdown flow:
> > > >
> > > > 1. Set the "system_state" variable
> > > > 2. Disable usermod to ensure that no user from userspace can
> > > > start
> > > > a
> > > > request
> > >
> > > I hope it is like what you interpreted, but step #2 only stops
> > > UMH(#265)
> > > but not all user space activities. Whereas, UMH is for kernel
> > > space
> > > calling
> > > user space.
> >
> >
> > Can,
> >
> > I did further study and homework on the Linux shutdown in the
> > last few
> > days. Yes, you are right, usermodehelper_disable() is to prevent
> > executing the process from the kernel space.
> >
> > But I didn't reproduce this "maybe" race issue while shutdown. no
> > matter how I torment my system, once Linux shutdown/halt/reboot
> > starts,
> > nobody can access the sysfs node. I create 10 processes in the
> > user
> > space and constantly access UFS sysfs node, also, fio is running
> > in
> > the
> > background for the normal data read/write. there is a shutdown
> > thread
> > that will randomly trigger shutdown/halt/reboot. but no race
> > issue
> > appears.
> >
> > I don't know if this is a hypothetical issue(the race between
> > shutdown
> > flow and sysfs node access), it may not really exist in the Linux
> > envriroment. everytime, the shutdonw flow will be:
> >
> > e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-
> > > kernel_poweroff/kernel_halt()->device_shutdown()-
> > > >platform_shutdown()-
> > > ufshcd_platform_shutdown()->ufshcd_shutdown().
> >
> > I think before going into the kernel shutdown, the userspace
> > cannot
> > issue new requests anymore. otherwise, this would be a big issue.
> >
> > pm_runtime_get_sync() will return 0 or failure while shutdown?
> > the
> > answer is not important now, maybe as you said, it is always 0.
> > But in
> > my testing, it didn't get there the system has been shutdown.
> > Which
> > means once shutdonw starts, sysfs node access path cannot reach
> > pm_runtime_get_sync(). (note, I don't know if sysfs node access
> > thread
> > has been disabled or not)
> >
> >
> > Responsibly say, I didn't reproduce this issue on my system
> > (ubuntu),
> > maybe you are using Android. I am not an expert on this topic, if
> > you
> > have the best idea on how to reproduce this issue. please please
> > let
> > me
> > try. appreciate it!
> >
>
> When you do a reboot/shutdown/poweroff, how your system behaves
> highly
> depends on how the reboot cmd is implemented in C code under
> /sbin/.
>
> On Ubuntu, reboot looks like:
> $ reboot --help
> reboot [OPTIONS...] [ARG]
>
> Reboot the system.
>
>   --help  Show this help
>   --halt  Halt the machine
>-p --poweroff  Switch off the machine
>   --rebootReboot the machine
>-f --force Force immediate halt/power-off/reboot
>-w --wtmp-only Don't halt/power-off/reboot, just write wtmp
> record
>-d --no-wtmp   Don't write wtmp record
>   --no-wall   Don't send wall message before halt/power-
> off/reboot
>
>
> On a pure Linux with a initrd RAM FS built from busybox, reboot
> looks
> like:
> # reboot --help
> BusyBox v1.30.1 (2019-05-24 12:53:36 IST) multi-call binary.
>
> Usage: reboot [-d DELAY] [-n] [-f]
>
> Reboot the system
>
>  -d SEC  Delay interval
>  -n

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-11 00:18, Bean Huo wrote:

On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:

+ * @shutting_down: flag to check if shutdown has been invoked
+ * @host_sem: semaphore used to serialize concurrent contexts
  * @eh_wq: Workqueue that eh_work works on
  * @eh_work: Worker to handle UFS errors that require s/w attention
  * @eeh_work: Worker to handle exception events
@@ -751,7 +753,8 @@ struct ufs_hba {
u32 intr_mask;
u16 ee_ctrl_mask;
bool is_powered;
-   struct semaphore eh_sem;
+   bool shutting_down;
+   struct semaphore host_sem;

/* Work Queues */
struct workqueue_struct *eh_wq;
@@ -875,6 +878,11 @@ static inline bool ufshcd_is_wb_allowed(struct
ufs_hba *hba)
return hba->caps & UFSHCD_CAP_WB_EN;
 }

+static inline bool ufshcd_is_sysfs_allowed(struct ufs_hba *hba)
+{
+   return !hba->shutting_down;
+}
+



Can,

Instead adding new shutting_down flag, can we use availible variable
system_state?

Thanks,
Bean


Hi Bean,

I prefer the flag shutting_down, it tells us whether ufshcd_shutdown()
has been invoked or not. It comes handy when debug some system crash
issues caused by UFS during reboot/shutdown tests. system_state is too
wide in this case.

Thanks,
Can Guo.

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-11 00:13, Bean Huo wrote:

On Sat, 2021-01-09 at 12:51 +0800, Can Guo wrote:

On 2021-01-09 12:45, Can Guo wrote:
> On 2021-01-08 19:29, Bean Huo wrote:
> > On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:
> > > Hi Bean,
> > >
> > > On 2021-01-06 02:38, Bean Huo wrote:
> > > > On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > > > > On 2021-01-05 04:05, Bean Huo wrote:
> > > > > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > > > > + * @shutting_down: flag to check if shutdown has been
> > > > > > > invoked
> > > > > >
> > > > > > I am not much sure if this flag is need, since once PM
> > > > > > going in
> > > > > > shutdown path, what will be returnded by
> > > > > > pm_runtime_get_sync()?
> > > > > >
> > > > > > If pm_runtime_get_sync() will fail, just check its
> > > > > > return.
> > > > > >
> > > > >
> > > > > That depends. During/after shutdown, for UFS's case only,
> > > > > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > > > > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > > > > will directly return 0... meaning you cannot count on it.
> > > > >
> > > > > Check Stanley's change -
> > > > > https://lore.kernel.org/patchwork/patch/1341389/
> > > > >
> > > > > Can Guo.
> > > >
> > > > Can,
> > > >
> > > > Thanks for pointing out that.
> > > >
> > > > Based on my understanding, that patch is redundent. maybe I
> > > > misundestood Linux shutdown sequence.
> > >
> > > Sorry, do you mean Stanley's change is redundant?
> >
> > yes.
> >
>
> No, it is definitely needed. As Stanley replied you in another
> thread, it is not protecting I/Os from user layer, but from
> other subsystems during shutdown.
>
> > >
> > > >
> > > > I checked the shutdown flow:
> > > >
> > > > 1. Set the "system_state" variable
> > > > 2. Disable usermod to ensure that no user from userspace can
> > > > start
> > > > a
> > > > request
> > >
> > > I hope it is like what you interpreted, but step #2 only stops
> > > UMH(#265)
> > > but not all user space activities. Whereas, UMH is for kernel
> > > space
> > > calling
> > > user space.
> >
> >
> > Can,
> >
> > I did further study and homework on the Linux shutdown in the
> > last few
> > days. Yes, you are right, usermodehelper_disable() is to prevent
> > executing the process from the kernel space.
> >
> > But I didn't reproduce this "maybe" race issue while shutdown. no
> > matter how I torment my system, once Linux shutdown/halt/reboot
> > starts,
> > nobody can access the sysfs node. I create 10 processes in the
> > user
> > space and constantly access UFS sysfs node, also, fio is running
> > in
> > the
> > background for the normal data read/write. there is a shutdown
> > thread
> > that will randomly trigger shutdown/halt/reboot. but no race
> > issue
> > appears.
> >
> > I don't know if this is a hypothetical issue(the race between
> > shutdown
> > flow and sysfs node access), it may not really exist in the Linux
> > envriroment. everytime, the shutdonw flow will be:
> >
> > e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-
> > > kernel_poweroff/kernel_halt()->device_shutdown()-
> > > >platform_shutdown()-
> > > ufshcd_platform_shutdown()->ufshcd_shutdown().
> >
> > I think before going into the kernel shutdown, the userspace
> > cannot
> > issue new requests anymore. otherwise, this would be a big issue.
> >
> > pm_runtime_get_sync() will return 0 or failure while shutdown?
> > the
> > answer is not important now, maybe as you said, it is always 0.
> > But in
> > my testing, it didn't get there the system has been shutdown.
> > Which
> > means once shutdonw starts, sysfs node access path cannot reach
> > pm_runtime_get_sync(). (note, I don't know if sysfs node access
> > thread
> > has been disabled or not)
> >
> >
> > Responsibly say, I didn't reproduce this issue on my system
> > (ubuntu),
> > maybe you are using Android. I am not an expert on this topic, if
> > you
> > have the best idea on how to reproduce this issue. please please
> > let
> > me
> > try. appreciate it!
> >
>
> When you do a reboot/shutdown/poweroff, how your system behaves
> highly
> depends on how the reboot cmd is implemented in C code under
> /sbin/.
>
> On Ubuntu, reboot looks like:
> $ reboot --help
> reboot [OPTIONS...] [ARG]
>
> Reboot the system.
>
>   --help  Show this help
>   --halt  Halt the machine
>-p --poweroff  Switch off the machine
>   --rebootReboot the machine
>-f --force Force immediate halt/power-off/reboot
>-w --wtmp-only Don't halt/power-off/reboot, just write wtmp
> record
>-d --no-wtmp   Don't write wtmp record
>   --no-wall   Don't send wall message before halt/power-
> off/reboot
>
>
> On a pure Linux with a initrd RAM FS built from busybox, reboot
> looks
> like:
> # reboot --help
> BusyBox v1.30.1 (2019-05-24 12:53:36 IST) multi-call binary.
>
> Usage: reboot [-d DELAY] [-n] [-f]
>
> Reboot the system
>
>  -d SEC  Delay interval
>  -n

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> + * @shutting_down: flag to check if shutdown has been invoked
> + * @host_sem: semaphore used to serialize concurrent contexts
>   * @eh_wq: Workqueue that eh_work works on
>   * @eh_work: Worker to handle UFS errors that require s/w attention
>   * @eeh_work: Worker to handle exception events
> @@ -751,7 +753,8 @@ struct ufs_hba {
> u32 intr_mask;
> u16 ee_ctrl_mask;
> bool is_powered;
> -   struct semaphore eh_sem;
> +   bool shutting_down;
> +   struct semaphore host_sem;
>  
> /* Work Queues */
> struct workqueue_struct *eh_wq;
> @@ -875,6 +878,11 @@ static inline bool ufshcd_is_wb_allowed(struct
> ufs_hba *hba)
> return hba->caps & UFSHCD_CAP_WB_EN;
>  }
>  
> +static inline bool ufshcd_is_sysfs_allowed(struct ufs_hba *hba)
> +{
> +   return !hba->shutting_down;
> +}
> +


Can,

Instead adding new shutting_down flag, can we use availible variable
system_state?

Thanks,
Bean

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Sat, 2021-01-09 at 12:51 +0800, Can Guo wrote:
> On 2021-01-09 12:45, Can Guo wrote:
> > On 2021-01-08 19:29, Bean Huo wrote:
> > > On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:
> > > > Hi Bean,
> > > > 
> > > > On 2021-01-06 02:38, Bean Huo wrote:
> > > > > On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > > > > > On 2021-01-05 04:05, Bean Huo wrote:
> > > > > > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > > > > > + * @shutting_down: flag to check if shutdown has been
> > > > > > > > invoked
> > > > > > > 
> > > > > > > I am not much sure if this flag is need, since once PM
> > > > > > > going in
> > > > > > > shutdown path, what will be returnded by
> > > > > > > pm_runtime_get_sync()?
> > > > > > > 
> > > > > > > If pm_runtime_get_sync() will fail, just check its
> > > > > > > return.
> > > > > > > 
> > > > > > 
> > > > > > That depends. During/after shutdown, for UFS's case only,
> > > > > > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > > > > > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > > > > > will directly return 0... meaning you cannot count on it.
> > > > > > 
> > > > > > Check Stanley's change -
> > > > > > https://lore.kernel.org/patchwork/patch/1341389/
> > > > > > 
> > > > > > Can Guo.
> > > > > 
> > > > > Can,
> > > > > 
> > > > > Thanks for pointing out that.
> > > > > 
> > > > > Based on my understanding, that patch is redundent. maybe I
> > > > > misundestood Linux shutdown sequence.
> > > > 
> > > > Sorry, do you mean Stanley's change is redundant?
> > > 
> > > yes.
> > > 
> > 
> > No, it is definitely needed. As Stanley replied you in another
> > thread, it is not protecting I/Os from user layer, but from
> > other subsystems during shutdown.
> > 
> > > > 
> > > > > 
> > > > > I checked the shutdown flow:
> > > > > 
> > > > > 1. Set the "system_state" variable
> > > > > 2. Disable usermod to ensure that no user from userspace can
> > > > > start
> > > > > a
> > > > > request
> > > > 
> > > > I hope it is like what you interpreted, but step #2 only stops
> > > > UMH(#265)
> > > > but not all user space activities. Whereas, UMH is for kernel
> > > > space
> > > > calling
> > > > user space.
> > > 
> > > 
> > > Can,
> > > 
> > > I did further study and homework on the Linux shutdown in the
> > > last few
> > > days. Yes, you are right, usermodehelper_disable() is to prevent
> > > executing the process from the kernel space.
> > > 
> > > But I didn't reproduce this "maybe" race issue while shutdown. no
> > > matter how I torment my system, once Linux shutdown/halt/reboot 
> > > starts,
> > > nobody can access the sysfs node. I create 10 processes in the
> > > user
> > > space and constantly access UFS sysfs node, also, fio is running
> > > in 
> > > the
> > > background for the normal data read/write. there is a shutdown
> > > thread
> > > that will randomly trigger shutdown/halt/reboot. but no race
> > > issue
> > > appears.
> > > 
> > > I don't know if this is a hypothetical issue(the race between
> > > shutdown
> > > flow and sysfs node access), it may not really exist in the Linux
> > > envriroment. everytime, the shutdonw flow will be:
> > > 
> > > e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-
> > > > kernel_poweroff/kernel_halt()->device_shutdown()-
> > > > >platform_shutdown()-
> > > > ufshcd_platform_shutdown()->ufshcd_shutdown().
> > > 
> > > I think before going into the kernel shutdown, the userspace
> > > cannot
> > > issue new requests anymore. otherwise, this would be a big issue.
> > > 
> > > pm_runtime_get_sync() will return 0 or failure while shutdown?
> > > the
> > > answer is not important now, maybe as you said, it is always 0.
> > > But in
> > > my testing, it didn't get there the system has been shutdown.
> > > Which
> > > means once shutdonw starts, sysfs node access path cannot reach
> > > pm_runtime_get_sync(). (note, I don't know if sysfs node access
> > > thread
> > > has been disabled or not)
> > > 
> > > 
> > > Responsibly say, I didn't reproduce this issue on my system
> > > (ubuntu),
> > > maybe you are using Android. I am not an expert on this topic, if
> > > you
> > > have the best idea on how to reproduce this issue. please please
> > > let 
> > > me
> > > try. appreciate it!
> > > 
> > 
> > When you do a reboot/shutdown/poweroff, how your system behaves
> > highly
> > depends on how the reboot cmd is implemented in C code under
> > /sbin/.
> > 
> > On Ubuntu, reboot looks like:
> > $ reboot --help
> > reboot [OPTIONS...] [ARG]
> > 
> > Reboot the system.
> > 
> >   --help  Show this help
> >   --halt  Halt the machine
> >-p --poweroff  Switch off the machine
> >   --rebootReboot the machine
> >-f --force Force immediate halt/power-off/reboot
> >-w --wtmp-only Don't halt/power-off/reboot, just write wtmp
> > record
> >-d --no-wtmp   Don't write wtmp record
> >   --no-wall   Don't send wall message before halt/power-
> > 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-09 12:45, Can Guo wrote:

On 2021-01-08 19:29, Bean Huo wrote:

On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:

Hi Bean,

On 2021-01-06 02:38, Bean Huo wrote:
> On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > On 2021-01-05 04:05, Bean Huo wrote:
> > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > + * @shutting_down: flag to check if shutdown has been
> > > > invoked
> > >
> > > I am not much sure if this flag is need, since once PM going in
> > > shutdown path, what will be returnded by pm_runtime_get_sync()?
> > >
> > > If pm_runtime_get_sync() will fail, just check its return.
> > >
> >
> > That depends. During/after shutdown, for UFS's case only,
> > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > will directly return 0... meaning you cannot count on it.
> >
> > Check Stanley's change -
> > https://lore.kernel.org/patchwork/patch/1341389/
> >
> > Can Guo.
>
> Can,
>
> Thanks for pointing out that.
>
> Based on my understanding, that patch is redundent. maybe I
> misundestood Linux shutdown sequence.

Sorry, do you mean Stanley's change is redundant?


yes.



No, it is definitely needed. As Stanley replied you in another
thread, it is not protecting I/Os from user layer, but from
other subsystems during shutdown.



>
> I checked the shutdown flow:
>
> 1. Set the "system_state" variable
> 2. Disable usermod to ensure that no user from userspace can start
> a
> request

I hope it is like what you interpreted, but step #2 only stops
UMH(#265)
but not all user space activities. Whereas, UMH is for kernel space
calling
user space.



Can,

I did further study and homework on the Linux shutdown in the last few
days. Yes, you are right, usermodehelper_disable() is to prevent
executing the process from the kernel space.

But I didn't reproduce this "maybe" race issue while shutdown. no
matter how I torment my system, once Linux shutdown/halt/reboot 
starts,

nobody can access the sysfs node. I create 10 processes in the user
space and constantly access UFS sysfs node, also, fio is running in 
the

background for the normal data read/write. there is a shutdown thread
that will randomly trigger shutdown/halt/reboot. but no race issue
appears.

I don't know if this is a hypothetical issue(the race between shutdown
flow and sysfs node access), it may not really exist in the Linux
envriroment. everytime, the shutdonw flow will be:

e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-

kernel_poweroff/kernel_halt()->device_shutdown()->platform_shutdown()-
ufshcd_platform_shutdown()->ufshcd_shutdown().


I think before going into the kernel shutdown, the userspace cannot
issue new requests anymore. otherwise, this would be a big issue.

pm_runtime_get_sync() will return 0 or failure while shutdown? the
answer is not important now, maybe as you said, it is always 0. But in
my testing, it didn't get there the system has been shutdown. Which
means once shutdonw starts, sysfs node access path cannot reach
pm_runtime_get_sync(). (note, I don't know if sysfs node access thread
has been disabled or not)


Responsibly say, I didn't reproduce this issue on my system (ubuntu),
maybe you are using Android. I am not an expert on this topic, if you
have the best idea on how to reproduce this issue. please please let 
me

try. appreciate it!



When you do a reboot/shutdown/poweroff, how your system behaves highly
depends on how the reboot cmd is implemented in C code under /sbin/.

On Ubuntu, reboot looks like:
$ reboot --help
reboot [OPTIONS...] [ARG]

Reboot the system.

 --help  Show this help
 --halt  Halt the machine
  -p --poweroff  Switch off the machine
 --rebootReboot the machine
  -f --force Force immediate halt/power-off/reboot
  -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
  -d --no-wtmp   Don't write wtmp record
 --no-wall   Don't send wall message before halt/power-off/reboot


On a pure Linux with a initrd RAM FS built from busybox, reboot looks 
like:

# reboot --help
BusyBox v1.30.1 (2019-05-24 12:53:36 IST) multi-call binary.

Usage: reboot [-d DELAY] [-n] [-f]

Reboot the system

-d SEC  Delay interval
-n  Do not sync
-f  Force (don't go through init)


For example, when you work on a pure Linux with a filesystem built from
busybox, when you hit reboot cmd, halt_main() will be called. And based
on the reboot options passed to reboot cmd, halt_main() behaves 
differently.


A plain reboot cmd does things like sync filesystem, send SIGKILL to 
all
processes (except for init), remount all filesytem as read-only and so 
on

before invoking linux kernel reboot syscall. In this case, we are safe.

However, if you do a "reboot -f", halt_main() directly invokes 
reboot().

And with "reboot -f", I can easily reproduce the race condition we are
talking about here - it is not based on imagination.

Find the patch 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-08 19:29, Bean Huo wrote:

On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:

Hi Bean,

On 2021-01-06 02:38, Bean Huo wrote:
> On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > On 2021-01-05 04:05, Bean Huo wrote:
> > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > + * @shutting_down: flag to check if shutdown has been
> > > > invoked
> > >
> > > I am not much sure if this flag is need, since once PM going in
> > > shutdown path, what will be returnded by pm_runtime_get_sync()?
> > >
> > > If pm_runtime_get_sync() will fail, just check its return.
> > >
> >
> > That depends. During/after shutdown, for UFS's case only,
> > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > will directly return 0... meaning you cannot count on it.
> >
> > Check Stanley's change -
> > https://lore.kernel.org/patchwork/patch/1341389/
> >
> > Can Guo.
>
> Can,
>
> Thanks for pointing out that.
>
> Based on my understanding, that patch is redundent. maybe I
> misundestood Linux shutdown sequence.

Sorry, do you mean Stanley's change is redundant?


yes.



No, it is definitely needed. As Stanley replied you in another
thread, it is not protecting I/Os from user layer, but from
other subsystems during shutdown.



>
> I checked the shutdown flow:
>
> 1. Set the "system_state" variable
> 2. Disable usermod to ensure that no user from userspace can start
> a
> request

I hope it is like what you interpreted, but step #2 only stops
UMH(#265)
but not all user space activities. Whereas, UMH is for kernel space
calling
user space.



Can,

I did further study and homework on the Linux shutdown in the last few
days. Yes, you are right, usermodehelper_disable() is to prevent
executing the process from the kernel space.

But I didn't reproduce this "maybe" race issue while shutdown. no
matter how I torment my system, once Linux shutdown/halt/reboot starts,
nobody can access the sysfs node. I create 10 processes in the user
space and constantly access UFS sysfs node, also, fio is running in the
background for the normal data read/write. there is a shutdown thread
that will randomly trigger shutdown/halt/reboot. but no race issue
appears.

I don't know if this is a hypothetical issue(the race between shutdown
flow and sysfs node access), it may not really exist in the Linux
envriroment. everytime, the shutdonw flow will be:

e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-

kernel_poweroff/kernel_halt()->device_shutdown()->platform_shutdown()-
ufshcd_platform_shutdown()->ufshcd_shutdown().


I think before going into the kernel shutdown, the userspace cannot
issue new requests anymore. otherwise, this would be a big issue.

pm_runtime_get_sync() will return 0 or failure while shutdown? the
answer is not important now, maybe as you said, it is always 0. But in
my testing, it didn't get there the system has been shutdown. Which
means once shutdonw starts, sysfs node access path cannot reach
pm_runtime_get_sync(). (note, I don't know if sysfs node access thread
has been disabled or not)


Responsibly say, I didn't reproduce this issue on my system (ubuntu),
maybe you are using Android. I am not an expert on this topic, if you
have the best idea on how to reproduce this issue. please please let me
try. appreciate it!



When you do a reboot/shutdown/poweroff, how your system behaves highly
depends on how the reboot cmd is implemented in C code under /sbin/.

On Ubuntu, reboot looks like:
$ reboot --help
reboot [OPTIONS...] [ARG]

Reboot the system.

 --help  Show this help
 --halt  Halt the machine
  -p --poweroff  Switch off the machine
 --rebootReboot the machine
  -f --force Force immediate halt/power-off/reboot
  -w --wtmp-only Don't halt/power-off/reboot, just write wtmp record
  -d --no-wtmp   Don't write wtmp record
 --no-wall   Don't send wall message before halt/power-off/reboot


On a pure Linux with a initrd RAM FS built from busybox, reboot looks 
like:

# reboot --help
BusyBox v1.30.1 (2019-05-24 12:53:36 IST) multi-call binary.

Usage: reboot [-d DELAY] [-n] [-f]

Reboot the system

-d SEC  Delay interval
-n  Do not sync
-f  Force (don't go through init)


For example, when you work on a pure Linux with a filesystem built from
busybox, when you hit reboot cmd, halt_main() will be called. And based
on the reboot options passed to reboot cmd, halt_main() behaves 
differently.


A plain reboot cmd does things like sync filesystem, send SIGKILL to all
processes (except for init), remount all filesytem as read-only and so 
on

before invoking linux kernel reboot syscall. In this case, we are safe.

However, if you do a "reboot -f", halt_main() directly invokes reboot().
And with "reboot -f", I can easily reproduce the race condition we are
talking about here - it is not based on imagination.

Find the patch I used for replication in the attachment, fix 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Stanley Chu]

Hi Bean,

On Fri, 2021-01-08 at 12:29 +0100, Bean Huo wrote:
> On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:
> > Hi Bean,
> > 
> > On 2021-01-06 02:38, Bean Huo wrote:
> > > On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > > > On 2021-01-05 04:05, Bean Huo wrote:
> > > > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > > > + * @shutting_down: flag to check if shutdown has been
> > > > > > invoked
> > > > > 
> > > > > I am not much sure if this flag is need, since once PM going in
> > > > > shutdown path, what will be returnded by pm_runtime_get_sync()?
> > > > > 
> > > > > If pm_runtime_get_sync() will fail, just check its return.
> > > > > 
> > > > 
> > > > That depends. During/after shutdown, for UFS's case only,
> > > > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > > > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > > > will directly return 0... meaning you cannot count on it.
> > > > 
> > > > Check Stanley's change -
> > > > https://lore.kernel.org/patchwork/patch/1341389/
> > > > 
> > > > Can Guo.
> > > 
> > > Can,
> > > 
> > > Thanks for pointing out that.
> > > 
> > > Based on my understanding, that patch is redundent. maybe I
> > > misundestood Linux shutdown sequence.
> > 
> > Sorry, do you mean Stanley's change is redundant?
> 
> yes.
> 
> > 
> > > 
> > > I checked the shutdown flow:
> > > 
> > > 1. Set the "system_state" variable
> > > 2. Disable usermod to ensure that no user from userspace can start
> > > a
> > > request
> > 
> > I hope it is like what you interpreted, but step #2 only stops
> > UMH(#265)
> > but not all user space activities. Whereas, UMH is for kernel space 
> > calling
> > user space.
> 
> 
> Can,
> 
> I did further study and homework on the Linux shutdown in the last few
> days. Yes, you are right, usermodehelper_disable() is to prevent
> executing the process from the kernel space.
> 
> But I didn't reproduce this "maybe" race issue while shutdown. no
> matter how I torment my system, once Linux shutdown/halt/reboot starts,
> nobody can access the sysfs node. I create 10 processes in the user
> space and constantly access UFS sysfs node, also, fio is running in the
> background for the normal data read/write. there is a shutdown thread
> that will randomly trigger shutdown/halt/reboot. but no race issue
> appears.
> 
> I don't know if this is a hypothetical issue(the race between shutdown
> flow and sysfs node access), it may not really exist in the Linux
> envriroment. everytime, the shutdonw flow will be:
> 
> e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-
> >kernel_poweroff/kernel_halt()->device_shutdown()->platform_shutdown()-
> >ufshcd_platform_shutdown()->ufshcd_shutdown().
> 
> I think before going into the kernel shutdown, the userspace cannot
> issue new requests anymore. otherwise, this would be a big issue.
> 
> pm_runtime_get_sync() will return 0 or failure while shutdown? the
> answer is not important now, maybe as you said, it is always 0. But in
> my testing, it didn't get there the system has been shutdown. Which
> means once shutdonw starts, sysfs node access path cannot reach
> pm_runtime_get_sync(). (note, I don't know if sysfs node access thread
> has been disabled or not)
> 
> 
> Responsibly say, I didn't reproduce this issue on my system (ubuntu),
> maybe you are using Android. I am not an expert on this topic, if you
> have the best idea on how to reproduce this issue. please please let me
> try. appreciate it!
> 

One of the racing in my platforms happens due to I/O access triggered
from kernel space, not user space.

Thanks,
Stanley Chu

> 
> Thanks,
> Bean
> 
> 
> > 
> > 264 system_state = state;
> > 265 usermodehelper_disable();
> > 266 device_shutdown();
> > 
> > Thanks,
> > Can Guo.
> 

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Wed, 2021-01-06 at 09:20 +0800, Can Guo wrote:
> Hi Bean,
> 
> On 2021-01-06 02:38, Bean Huo wrote:
> > On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> > > On 2021-01-05 04:05, Bean Huo wrote:
> > > > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > > > + * @shutting_down: flag to check if shutdown has been
> > > > > invoked
> > > > 
> > > > I am not much sure if this flag is need, since once PM going in
> > > > shutdown path, what will be returnded by pm_runtime_get_sync()?
> > > > 
> > > > If pm_runtime_get_sync() will fail, just check its return.
> > > > 
> > > 
> > > That depends. During/after shutdown, for UFS's case only,
> > > pm_runtime_get_sync(hba->dev) will most likely return 0,
> > > because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> > > will directly return 0... meaning you cannot count on it.
> > > 
> > > Check Stanley's change -
> > > https://lore.kernel.org/patchwork/patch/1341389/
> > > 
> > > Can Guo.
> > 
> > Can,
> > 
> > Thanks for pointing out that.
> > 
> > Based on my understanding, that patch is redundent. maybe I
> > misundestood Linux shutdown sequence.
> 
> Sorry, do you mean Stanley's change is redundant?

yes.

> 
> > 
> > I checked the shutdown flow:
> > 
> > 1. Set the "system_state" variable
> > 2. Disable usermod to ensure that no user from userspace can start
> > a
> > request
> 
> I hope it is like what you interpreted, but step #2 only stops
> UMH(#265)
> but not all user space activities. Whereas, UMH is for kernel space 
> calling
> user space.


Can,

I did further study and homework on the Linux shutdown in the last few
days. Yes, you are right, usermodehelper_disable() is to prevent
executing the process from the kernel space.

But I didn't reproduce this "maybe" race issue while shutdown. no
matter how I torment my system, once Linux shutdown/halt/reboot starts,
nobody can access the sysfs node. I create 10 processes in the user
space and constantly access UFS sysfs node, also, fio is running in the
background for the normal data read/write. there is a shutdown thread
that will randomly trigger shutdown/halt/reboot. but no race issue
appears.

I don't know if this is a hypothetical issue(the race between shutdown
flow and sysfs node access), it may not really exist in the Linux
envriroment. everytime, the shutdonw flow will be:

e10_sync_handler()->e10_svc()->do_e10_svc()->__do_sys_reboot()-
>kernel_poweroff/kernel_halt()->device_shutdown()->platform_shutdown()-
>ufshcd_platform_shutdown()->ufshcd_shutdown().

I think before going into the kernel shutdown, the userspace cannot
issue new requests anymore. otherwise, this would be a big issue.

pm_runtime_get_sync() will return 0 or failure while shutdown? the
answer is not important now, maybe as you said, it is always 0. But in
my testing, it didn't get there the system has been shutdown. Which
means once shutdonw starts, sysfs node access path cannot reach
pm_runtime_get_sync(). (note, I don't know if sysfs node access thread
has been disabled or not)


Responsibly say, I didn't reproduce this issue on my system (ubuntu),
maybe you are using Android. I am not an expert on this topic, if you
have the best idea on how to reproduce this issue. please please let me
try. appreciate it!


Thanks,
Bean


> 
> 264 system_state = state;
> 265 usermodehelper_disable();
> 266 device_shutdown();
> 
> Thanks,
> Can Guo.

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

Hi Bean,

On 2021-01-06 02:38, Bean Huo wrote:

On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:

On 2021-01-05 04:05, Bean Huo wrote:
> On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > + * @shutting_down: flag to check if shutdown has been invoked
>
> I am not much sure if this flag is need, since once PM going in
> shutdown path, what will be returnded by pm_runtime_get_sync()?
>
> If pm_runtime_get_sync() will fail, just check its return.
>

That depends. During/after shutdown, for UFS's case only,
pm_runtime_get_sync(hba->dev) will most likely return 0,
because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
will directly return 0... meaning you cannot count on it.

Check Stanley's change -
https://lore.kernel.org/patchwork/patch/1341389/

Can Guo.


Can,

Thanks for pointing out that.

Based on my understanding, that patch is redundent. maybe I
misundestood Linux shutdown sequence.


Sorry, do you mean Stanley's change is redundant?



I checked the shutdown flow:

1. Set the "system_state" variable
2. Disable usermod to ensure that no user from userspace can start a
request


I hope it is like what you interpreted, but step #2 only stops UMH(#265)
but not all user space activities. Whereas, UMH is for kernel space 
calling

user space.

264 system_state = state;
265 usermodehelper_disable();
266 device_shutdown();

Thanks,
Can Guo.


3. device_shutdown()
So, userspace thread can not start a request to trigger runtime
resume(pm_runtime_get_sync) after step 2.

also,  no need to add that flag to checkup if shutdwon is running,
maybe it is better to check variable system_state:

if (system_state == SYSTEM_POWER_OFF || system_state == SYSTEM_HALT
|| system_state == SYSTEM_RESTART)
//shutdown start


I still hope Rafael or someone else can confirm that if
pm_runtime_get_sync() will really return ok in shutdown flow.


thanks,
Bean



> Hi Rafael
> would you please help us confirm this?
>
> thanks,
> Bean

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Tue, 2021-01-05 at 09:07 +0800, Can Guo wrote:
> On 2021-01-05 04:05, Bean Huo wrote:
> > On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> > > + * @shutting_down: flag to check if shutdown has been invoked
> > 
> > I am not much sure if this flag is need, since once PM going in
> > shutdown path, what will be returnded by pm_runtime_get_sync()?
> > 
> > If pm_runtime_get_sync() will fail, just check its return.
> > 
> 
> That depends. During/after shutdown, for UFS's case only,
> pm_runtime_get_sync(hba->dev) will most likely return 0,
> because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
> will directly return 0... meaning you cannot count on it.
> 
> Check Stanley's change -
> https://lore.kernel.org/patchwork/patch/1341389/
> 
> Can Guo.

Can,

Thanks for pointing out that.

Based on my understanding, that patch is redundent. maybe I
misundestood Linux shutdown sequence.

I checked the shutdown flow:
 
1. Set the "system_state" variable
2. Disable usermod to ensure that no user from userspace can start a
request
3. device_shutdown()
So, userspace thread can not start a request to trigger runtime
resume(pm_runtime_get_sync) after step 2.

also,  no need to add that flag to checkup if shutdwon is running,
maybe it is better to check variable system_state:

if (system_state == SYSTEM_POWER_OFF || system_state == SYSTEM_HALT
|| system_state == SYSTEM_RESTART) 
//shutdown start


I still hope Rafael or someone else can confirm that if
pm_runtime_get_sync() will really return ok in shutdown flow.


thanks,
Bean

> 
> > Hi Rafael
> > would you please help us confirm this?
> > 
> > thanks,
> > Bean

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

On 2021-01-05 04:05, Bean Huo wrote:

On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:

+ * @shutting_down: flag to check if shutdown has been invoked


I am not much sure if this flag is need, since once PM going in
shutdown path, what will be returnded by pm_runtime_get_sync()?

If pm_runtime_get_sync() will fail, just check its return.



That depends. During/after shutdown, for UFS's case only,
pm_runtime_get_sync(hba->dev) will most likely return 0,
because it is already RUNTIME_ACTIVE, pm_runtime_get_sync()
will directly return 0... meaning you cannot count on it.

Check Stanley's change -
https://lore.kernel.org/patchwork/patch/1341389/

Can Guo.


Hi Rafael
would you please help us confirm this?

thanks,
Bean



+ * @host_sem: semaphore used to serialize concurrent contexts
  * @eh_wq: Workqueue that eh_work works on
  * @eh_work: Worker to handle UFS errors that require s/w attention
  * @eeh_work: Worker to handle exception events
@@ -751,7 +753,8 @@ struct ufs_hba {
u32 intr_mask;
u16 ee_ctrl_mask;
bool is_powered;
-   struct semaphore eh_sem;
+   bool shutting_down;
+   struct semaphore host_sem;

Re: [PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Bean Huo]

On Sat, 2021-01-02 at 05:59 -0800, Can Guo wrote:
> + * @shutting_down: flag to check if shutdown has been invoked

I am not much sure if this flag is need, since once PM going in
shutdown path, what will be returnded by pm_runtime_get_sync()? 

If pm_runtime_get_sync() will fail, just check its return.

Hi Rafael
would you please help us confirm this?

thanks,
Bean


> + * @host_sem: semaphore used to serialize concurrent contexts
>   * @eh_wq: Workqueue that eh_work works on
>   * @eh_work: Worker to handle UFS errors that require s/w attention
>   * @eeh_work: Worker to handle exception events
> @@ -751,7 +753,8 @@ struct ufs_hba {
> u32 intr_mask;
> u16 ee_ctrl_mask;
> bool is_powered;
> -   struct semaphore eh_sem;
> +   bool shutting_down;
> +   struct semaphore host_sem;

[PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

User layer may access sysfs nodes when system PM ops or error handling
is running, which can cause various problems. Rename eh_sem to host_sem
and use it to protect PM ops and error handling from user layer intervene.

Signed-off-by: Can Guo 

diff --git a/drivers/scsi/ufs/ufs-sysfs.c b/drivers/scsi/ufs/ufs-sysfs.c
index 08e72b7..98a9447 100644
--- a/drivers/scsi/ufs/ufs-sysfs.c
+++ b/drivers/scsi/ufs/ufs-sysfs.c
@@ -154,18 +154,29 @@ static ssize_t auto_hibern8_show(struct device *dev,
 struct device_attribute *attr, char *buf)
 {
u32 ahit;
+   int ret;
struct ufs_hba *hba = dev_get_drvdata(dev);
 
if (!ufshcd_is_auto_hibern8_supported(hba))
return -EOPNOTSUPP;
 
+   down(>host_sem);
+   if (!ufshcd_is_sysfs_allowed(hba)) {
+   ret = -EBUSY;
+   goto out;
+   }
+
pm_runtime_get_sync(hba->dev);
ufshcd_hold(hba, false);
ahit = ufshcd_readl(hba, REG_AUTO_HIBERNATE_IDLE_TIMER);
ufshcd_release(hba);
pm_runtime_put_sync(hba->dev);
 
-   return scnprintf(buf, PAGE_SIZE, "%d\n", ufshcd_ahit_to_us(ahit));
+   ret = scnprintf(buf, PAGE_SIZE, "%d\n", ufshcd_ahit_to_us(ahit));
+
+out:
+   up(>host_sem);
+   return ret;
 }
 
 static ssize_t auto_hibern8_store(struct device *dev,
@@ -174,6 +185,7 @@ static ssize_t auto_hibern8_store(struct device *dev,
 {
struct ufs_hba *hba = dev_get_drvdata(dev);
unsigned int timer;
+   int ret = 0;
 
if (!ufshcd_is_auto_hibern8_supported(hba))
return -EOPNOTSUPP;
@@ -184,9 +196,17 @@ static ssize_t auto_hibern8_store(struct device *dev,
if (timer > UFSHCI_AHIBERN8_MAX)
return -EINVAL;
 
+   down(>host_sem);
+   if (!ufshcd_is_sysfs_allowed(hba)) {
+   ret = -EBUSY;
+   goto out;
+   }
+
ufshcd_auto_hibern8_update(hba, ufshcd_us_to_ahit(timer));
 
-   return count;
+out:
+   up(>host_sem);
+   return ret ? ret : count;
 }
 
 static DEVICE_ATTR_RW(rpm_lvl);
@@ -225,12 +245,21 @@ static ssize_t ufs_sysfs_read_desc_param(struct ufs_hba 
*hba,
if (param_size > 8)
return -EINVAL;
 
+   down(>host_sem);
+   if (!ufshcd_is_sysfs_allowed(hba)) {
+   ret = -EBUSY;
+   goto out;
+   }
+
pm_runtime_get_sync(hba->dev);
ret = ufshcd_read_desc_param(hba, desc_id, desc_index,
param_offset, desc_buf, param_size);
pm_runtime_put_sync(hba->dev);
-   if (ret)
-   return -EINVAL;
+   if (ret) {
+   ret = -EINVAL;
+   goto out;
+   }
+
switch (param_size) {
case 1:
ret = sprintf(sysfs_buf, "0x%02X\n", *desc_buf);
@@ -249,6 +278,8 @@ static ssize_t ufs_sysfs_read_desc_param(struct ufs_hba 
*hba,
break;
}
 
+out:
+   up(>host_sem);
return ret;
 }
 
@@ -591,9 +622,16 @@ static ssize_t _name##_show(struct device *dev,
\
int desc_len = QUERY_DESC_MAX_SIZE; \
u8 *desc_buf;   \
\
+   down(>host_sem);   \
+   if (!ufshcd_is_sysfs_allowed(hba)) {\
+   up(>host_sem); \
+   return -EBUSY;  \
+   }   \
desc_buf = kzalloc(QUERY_DESC_MAX_SIZE, GFP_ATOMIC);\
-   if (!desc_buf)  \
-   return -ENOMEM; \
+   if (!desc_buf) {\
+   up(>host_sem); \
+   return -ENOMEM; \
+   }   \
pm_runtime_get_sync(hba->dev);  \
ret = ufshcd_query_descriptor_retry(hba,\
UPIU_QUERY_OPCODE_READ_DESC, QUERY_DESC_IDN_DEVICE, \
@@ -613,6 +651,7 @@ static ssize_t _name##_show(struct device *dev, 
\
 out:   \
pm_runtime_put_sync(hba->dev);  \
kfree(desc_buf);\
+   up(>host_sem); \
return ret; \
 }  \
 static 

[PATCH 2/2] scsi: ufs: Protect PM ops and err_handler from user access through sysfs

[Can Guo]

User layer may access sysfs nodes when system PM ops or error handling
is running, which can cause various problems. Rename eh_sem to host_sem
and use it to protect PM ops and error handling from user layer intervene.

Signed-off-by: Can Guo 

diff --git a/drivers/scsi/ufs/ufs-sysfs.c b/drivers/scsi/ufs/ufs-sysfs.c
index 08e72b7..1828b34 100644
--- a/drivers/scsi/ufs/ufs-sysfs.c
+++ b/drivers/scsi/ufs/ufs-sysfs.c
@@ -154,18 +154,29 @@ static ssize_t auto_hibern8_show(struct device *dev,
 struct device_attribute *attr, char *buf)
 {
u32 ahit;
+   int ret;
struct ufs_hba *hba = dev_get_drvdata(dev);
 
if (!ufshcd_is_auto_hibern8_supported(hba))
return -EOPNOTSUPP;
 
+   down(>host_sem);
+   if (hba->shutting_down) {
+   ret = -EBUSY;
+   goto out;
+   }
+
pm_runtime_get_sync(hba->dev);
ufshcd_hold(hba, false);
ahit = ufshcd_readl(hba, REG_AUTO_HIBERNATE_IDLE_TIMER);
ufshcd_release(hba);
pm_runtime_put_sync(hba->dev);
 
-   return scnprintf(buf, PAGE_SIZE, "%d\n", ufshcd_ahit_to_us(ahit));
+   ret = scnprintf(buf, PAGE_SIZE, "%d\n", ufshcd_ahit_to_us(ahit));
+
+out:
+   up(>host_sem);
+   return ret;
 }
 
 static ssize_t auto_hibern8_store(struct device *dev,
@@ -174,6 +185,7 @@ static ssize_t auto_hibern8_store(struct device *dev,
 {
struct ufs_hba *hba = dev_get_drvdata(dev);
unsigned int timer;
+   int ret = 0;
 
if (!ufshcd_is_auto_hibern8_supported(hba))
return -EOPNOTSUPP;
@@ -184,9 +196,17 @@ static ssize_t auto_hibern8_store(struct device *dev,
if (timer > UFSHCI_AHIBERN8_MAX)
return -EINVAL;
 
+   down(>host_sem);
+   if (hba->shutting_down) {
+   ret = -EBUSY;
+   goto out;
+   }
+
ufshcd_auto_hibern8_update(hba, ufshcd_us_to_ahit(timer));
 
-   return count;
+out:
+   up(>host_sem);
+   return ret ? ret : count;
 }
 
 static DEVICE_ATTR_RW(rpm_lvl);
@@ -225,12 +245,21 @@ static ssize_t ufs_sysfs_read_desc_param(struct ufs_hba 
*hba,
if (param_size > 8)
return -EINVAL;
 
+   down(>host_sem);
+   if (hba->shutting_down) {
+   ret = -EBUSY;
+   goto out;
+   }
+
pm_runtime_get_sync(hba->dev);
ret = ufshcd_read_desc_param(hba, desc_id, desc_index,
param_offset, desc_buf, param_size);
pm_runtime_put_sync(hba->dev);
-   if (ret)
-   return -EINVAL;
+   if (ret) {
+   ret = -EINVAL;
+   goto out;
+   }
+
switch (param_size) {
case 1:
ret = sprintf(sysfs_buf, "0x%02X\n", *desc_buf);
@@ -249,6 +278,8 @@ static ssize_t ufs_sysfs_read_desc_param(struct ufs_hba 
*hba,
break;
}
 
+out:
+   up(>host_sem);
return ret;
 }
 
@@ -591,9 +622,16 @@ static ssize_t _name##_show(struct device *dev,
\
int desc_len = QUERY_DESC_MAX_SIZE; \
u8 *desc_buf;   \
\
+   down(>host_sem);   \
+   if (hba->shutting_down) {   \
+   up(>host_sem); \
+   return -EBUSY;  \
+   }   \
desc_buf = kzalloc(QUERY_DESC_MAX_SIZE, GFP_ATOMIC);\
-   if (!desc_buf)  \
-   return -ENOMEM; \
+   if (!desc_buf) {\
+   up(>host_sem); \
+   return -ENOMEM; \
+   }   \
pm_runtime_get_sync(hba->dev);  \
ret = ufshcd_query_descriptor_retry(hba,\
UPIU_QUERY_OPCODE_READ_DESC, QUERY_DESC_IDN_DEVICE, \
@@ -613,6 +651,7 @@ static ssize_t _name##_show(struct device *dev, 
\
 out:   \
pm_runtime_put_sync(hba->dev);  \
kfree(desc_buf);\
+   up(>host_sem); \
return ret; \
 }  \
 static DEVICE_ATTR_RO(_name)
@@ -651,15 +690,26 @@ static