svn commit: r351706 - head/sys/dev/nvme

Warner Losh imp at FreeBSD.org
Mon Sep 2 17:11:33 UTC 2019


Author: imp
Date: Mon Sep  2 17:11:32 2019
New Revision: 351706
URL: https://svnweb.freebsd.org/changeset/base/351706

Log:
  In nvme_completion_poll, add a sanity check to make sure that we complete the
  polling within a second. Panic if we don't. All the commands that use this
  interface should typically complete within a few tens to hundreds of
  microseconds. Panic rather than return ETIMEDOUT because if the command somehow
  does later complete, it will randomly corrupt memory. Also, it helps to get a
  traceback from where the unexpected failure happens, rather than an infinite
  loop.

Modified:
  head/sys/dev/nvme/nvme_private.h

Modified: head/sys/dev/nvme/nvme_private.h
==============================================================================
--- head/sys/dev/nvme/nvme_private.h	Mon Sep  2 17:11:27 2019	(r351705)
+++ head/sys/dev/nvme/nvme_private.h	Mon Sep  2 17:11:32 2019	(r351706)
@@ -446,12 +446,24 @@ int	nvme_attach(device_t dev);
 int	nvme_shutdown(device_t dev);
 int	nvme_detach(device_t dev);
 
+/*
+ * Wait for a command to complete using the nvme_completion_poll_cb.
+ * Used in limited contexts where the caller knows it's OK to block
+ * briefly while the command runs. The ISR will run the callback which
+ * will set status->done to true.usually within microseconds. A 1s
+ * pause means something is seriously AFU and we should panic to
+ * provide the proper context to diagnose.
+ */
 static __inline
 void
 nvme_completion_poll(struct nvme_completion_poll_status *status)
 {
-	while (!atomic_load_acq_int(&status->done))
+	int sanity = hz * 1;
+
+	while (!atomic_load_acq_int(&status->done) && --sanity > 0)
 		pause("nvme", 1);
+	if (sanity <= 0)
+		panic("NVME polled command failed to complete within 1s.");
 }
 
 static __inline void
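
Review bot: the check after the loop in nvme_completion_poll decides the panic on "sanity <= 0" instead of on the completion flag, so a command whose callback sets status->done after the final atomic_load_acq_int() but before the if statement still panics. Re-testing the flag there, for example "if (!atomic_load_acq_int(&status->done))", would make the panic depend on the actual completion state. The log message says a command that completes after a timeout would corrupt memory, which is the reason for panicking instead of returning; that rationale is worth a sentence in the new block comment so nobody later converts the panic into an ETIMEDOUT return. The same comment has a typo, "true.usually" should read "true, usually". Since pause("nvme", 1) sleeps for at least one tick and the loop runs it hz - 1 times, the 1s in the panic string is approximate.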

