svn commit: r351911 - stable/12/sys/dev/nvme

Thu Sep 5 23:13:45 UTC 2019

Author: imp
Date: Thu Sep  5 23:13:44 2019
New Revision: 351911
URL: https://svnweb.freebsd.org/changeset/base/351911

Log:
  MFC r351706:
  
    In nvme_completion_poll, add a sanity check to make sure that we complete the
    polling within a second. Panic if we don't. All the commands that use this
    interface should typically complete within a few tens to hundreds of
    microseconds. Panic rather than return ETIMEDOUT because if the command
    somehow does later complete, it will randomly corrupt memory. Also, it helps
    to get a traceback from where the unexpected failure happens, rather than an
    infinite loop.

Modified:
  stable/12/sys/dev/nvme/nvme_private.h
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/dev/nvme/nvme_private.h
==============================================================================

--- stable/12/sys/dev/nvme/nvme_private.h	Thu Sep  5 23:12:56 2019	(r351910)
+++ stable/12/sys/dev/nvme/nvme_private.h	Thu Sep  5 23:13:44 2019	(r351911)
@@ -446,12 +446,24 @@ int	nvme_attach(device_t dev);
 int	nvme_shutdown(device_t dev);
 int	nvme_detach(device_t dev);
 
+/*
+ * Wait for a command to complete using the nvme_completion_poll_cb.
+ * Used in limited contexts where the caller knows it's OK to block
+ * briefly while the command runs. The ISR will run the callback which
+ * will set status->done to true.usually within microseconds. A 1s
+ * pause means something is seriously AFU and we should panic to
+ * provide the proper context to diagnose.
+ */
 static __inline
 void
 nvme_completion_poll(struct nvme_completion_poll_status *status)
 {
-	while (!atomic_load_acq_int(&status->done))
+	int sanity = hz * 1;
+
+	while (!atomic_load_acq_int(&status->done) && --sanity > 0)
 		pause("nvme", 1);
+	if (sanity <= 0)
+		panic("NVME polled command failed to complete within 1s.");
 }
 
 static __inline void
