xref: /openbmc/linux/Documentation/scsi/scsi_eh.rst (revision 022dacdd)

.. SPDX-License-Identifier: GPL-2.0

=======
SCSI EH
=======

This document describes SCSI midlayer error handling infrastructure.
Please refer to Documentation/scsi/scsi_mid_low_api.rst for more
information regarding SCSI midlayer.

.. TABLE OF CONTENTS

   [1] How SCSI commands travel through the midlayer and to EH
       [1-1] struct scsi_cmnd
       [1-2] How do scmd's get completed?
   	[1-2-1] Completing a scmd w/ scsi_done
   	[1-2-2] Completing a scmd w/ timeout
       [1-3] How EH takes over
   [2] How SCSI EH works
       [2-1] EH through fine-grained callbacks
   	[2-1-1] Overview
   	[2-1-2] Flow of scmds through EH
   	[2-1-3] Flow of control
       [2-2] EH through transportt->eh_strategy_handler()
   	[2-2-1] Pre transportt->eh_strategy_handler() SCSI midlayer conditions
   	[2-2-2] Post transportt->eh_strategy_handler() SCSI midlayer conditions
   	[2-2-3] Things to consider


1. How SCSI commands travel through the midlayer and to EH
==========================================================

1.1 struct scsi_cmnd
--------------------

Each SCSI command is represented with struct scsi_cmnd (== scmd).  A
scmd has two list_head's to link itself into lists.  The two are
scmd->list and scmd->eh_entry.  The former is used for free list or
per-device allocated scmd list and not of much interest to this EH
discussion.  The latter is used for completion and EH lists and unless
otherwise stated scmds are always linked using scmd->eh_entry in this
discussion.


1.2 How do scmd's get completed?
--------------------------------

Once LLDD gets hold of a scmd, either the LLDD will complete the
command by calling scsi_done callback passed from midlayer when
invoking hostt->queuecommand() or the block layer will time it out.


1.2.1 Completing a scmd w/ scsi_done
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For all non-EH commands, scsi_done() is the completion callback.  It
just calls blk_complete_request() to delete the block layer timer and
raise SCSI_SOFTIRQ

SCSI_SOFTIRQ handler scsi_softirq calls scsi_decide_disposition() to
determine what to do with the command.  scsi_decide_disposition()
looks at the scmd->result value and sense data to determine what to do
with the command.

 - SUCCESS

	scsi_finish_command() is invoked for the command.  The
	function does some maintenance chores and then calls
	scsi_io_completion() to finish the I/O.
	scsi_io_completion() then notifies the block layer on
	the completed request by calling blk_end_request and
	friends or figures out what to do with the remainder
	of the data in case of an error.

 - NEEDS_RETRY

 - ADD_TO_MLQUEUE

	scmd is requeued to blk queue.

 - otherwise

	scsi_eh_scmd_add(scmd) is invoked for the command.  See
	[1-3] for details of this function.


1.2.2 Completing a scmd w/ timeout
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The timeout handler is scsi_times_out().  When a timeout occurs, this
function

 1. invokes optional hostt->eh_timed_out() callback.  Return value can
    be one of

    - BLK_EH_RESET_TIMER
	This indicates that more time is required to finish the
	command.  Timer is restarted.  This action is counted as a
	retry and only allowed scmd->allowed + 1(!) times.  Once the
	limit is reached, action for BLK_EH_DONE is taken instead.

    - BLK_EH_DONE
        eh_timed_out() callback did not handle the command.
	Step #2 is taken.

 2. scsi_abort_command() is invoked to schedule an asynchrous abort.
    Asynchronous abort are not invoked for commands which the
    SCSI_EH_ABORT_SCHEDULED flag is set (this indicates that the command
    already had been aborted once, and this is a retry which failed),
    or when the EH deadline is expired. In these case Step #3 is taken.

 3. scsi_eh_scmd_add(scmd, SCSI_EH_CANCEL_CMD) is invoked for the
    command.  See [1-4] for more information.

1.3 Asynchronous command aborts
-------------------------------

 After a timeout occurs a command abort is scheduled from
 scsi_abort_command(). If the abort is successful the command
 will either be retried (if the number of retries is not exhausted)
 or terminated with DID_TIME_OUT.

 Otherwise scsi_eh_scmd_add() is invoked for the command.
 See [1-4] for more information.

1.4 How EH takes over
---------------------

scmds enter EH via scsi_eh_scmd_add(), which does the following.

 1. Links scmd->eh_entry to shost->eh_cmd_q

 2. Sets SHOST_RECOVERY bit in shost->shost_state

 3. Increments shost->host_failed

 4. Wakes up SCSI EH thread if shost->host_busy == shost->host_failed

As can be seen above, once any scmd is added to shost->eh_cmd_q,
SHOST_RECOVERY shost_state bit is turned on.  This prevents any new
scmd to be issued from blk queue to the host; eventually, all scmds on
the host either complete normally, fail and get added to eh_cmd_q, or
time out and get added to shost->eh_cmd_q.

If all scmds either complete or fail, the number of in-flight scmds
becomes equal to the number of failed scmds - i.e. shost->host_busy ==
shost->host_failed.  This wakes up SCSI EH thread.  So, once woken up,
SCSI EH thread can expect that all in-flight commands have failed and
are linked on shost->eh_cmd_q.

Note that this does not mean lower layers are quiescent.  If a LLDD
completed a scmd with error status, the LLDD and lower layers are
assumed to forget about the scmd at that point.  However, if a scmd
has timed out, unless hostt->eh_timed_out() made lower layers forget
about the scmd, which currently no LLDD does, the command is still
active as long as lower layers are concerned and completion could
occur at any time.  Of course, all such completions are ignored as the
timer has already expired.

We'll talk about how SCSI EH takes actions to abort - make LLDD
forget about - timed out scmds later.


2. How SCSI EH works
====================

LLDD's can implement SCSI EH actions in one of the following two
ways.

 - Fine-grained EH callbacks
	LLDD can implement fine-grained EH callbacks and let SCSI
	midlayer drive error handling and call appropriate callbacks.
	This will be discussed further in [2-1].

 - eh_strategy_handler() callback
	This is one big callback which should perform whole error
	handling.  As such, it should do all chores the SCSI midlayer
	performs during recovery.  This will be discussed in [2-2].

Once recovery is complete, SCSI EH resumes normal operation by
calling scsi_restart_operations(), which

 1. Checks if door locking is needed and locks door.

 2. Clears SHOST_RECOVERY shost_state bit

 3. Wakes up waiters on shost->host_wait.  This occurs if someone
    calls scsi_block_when_processing_errors() on the host.
    (*QUESTION* why is it needed?  All operations will be blocked
    anyway after it reaches blk queue.)

 4. Kicks queues in all devices on the host in the asses


2.1 EH through fine-grained callbacks
-------------------------------------

2.1.1 Overview
^^^^^^^^^^^^^^

If eh_strategy_handler() is not present, SCSI midlayer takes charge
of driving error handling.  EH's goals are two - make LLDD, host and
device forget about timed out scmds and make them ready for new
commands.  A scmd is said to be recovered if the scmd is forgotten by
lower layers and lower layers are ready to process or fail the scmd
again.

To achieve these goals, EH performs recovery actions with increasing
severity.  Some actions are performed by issuing SCSI commands and
others are performed by invoking one of the following fine-grained
hostt EH callbacks.  Callbacks may be omitted and omitted ones are
considered to fail always.

::

    int (* eh_abort_handler)(struct scsi_cmnd *);
    int (* eh_device_reset_handler)(struct scsi_cmnd *);
    int (* eh_bus_reset_handler)(struct scsi_cmnd *);
    int (* eh_host_reset_handler)(struct scsi_cmnd *);

Higher-severity actions are taken only when lower-severity actions
cannot recover some of failed scmds.  Also, note that failure of the
highest-severity action means EH failure and results in offlining of
all unrecovered devices.

During recovery, the following rules are followed

 - Recovery actions are performed on failed scmds on the to do list,
   eh_work_q.  If a recovery action succeeds for a scmd, recovered
   scmds are removed from eh_work_q.

   Note that single recovery action on a scmd can recover multiple
   scmds.  e.g. resetting a device recovers all failed scmds on the
   device.

 - Higher severity actions are taken iff eh_work_q is not empty after
   lower severity actions are complete.

 - EH reuses failed scmds to issue commands for recovery.  For
   timed-out scmds, SCSI EH ensures that LLDD forgets about a scmd
   before reusing it for EH commands.

When a scmd is recovered, the scmd is moved from eh_work_q to EH
local eh_done_q using scsi_eh_finish_cmd().  After all scmds are
recovered (eh_work_q is empty), scsi_eh_flush_done_q() is invoked to
either retry or error-finish (notify upper layer of failure) recovered
scmds.

scmds are retried iff its sdev is still online (not offlined during
EH), REQ_FAILFAST is not set and ++scmd->retries is less than
scmd->allowed.


2.1.2 Flow of scmds through EH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 1. Error completion / time out

    :ACTION: scsi_eh_scmd_add() is invoked for scmd

	- add scmd to shost->eh_cmd_q
	- set SHOST_RECOVERY
	- shost->host_failed++

    :LOCKING: shost->host_lock

 2. EH starts

    :ACTION: move all scmds to EH's local eh_work_q.  shost->eh_cmd_q
	     is cleared.

    :LOCKING: shost->host_lock (not strictly necessary, just for
             consistency)

 3. scmd recovered

    :ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd

	- scsi_setup_cmd_retry()
	- move from local eh_work_q to local eh_done_q

    :LOCKING: none

    :CONCURRENCY: at most one thread per separate eh_work_q to
		  keep queue manipulation lockless

 4. EH completes

    :ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper
	     layer of failure. May be called concurrently but must have
	     a no more than one thread per separate eh_work_q to
	     manipulate the queue locklessly

	     - scmd is removed from eh_done_q and scmd->eh_entry is cleared
	     - if retry is necessary, scmd is requeued using
	       scsi_queue_insert()
	     - otherwise, scsi_finish_command() is invoked for scmd
	     - zero shost->host_failed

    :LOCKING: queue or finish function performs appropriate locking


2.1.3 Flow of control
^^^^^^^^^^^^^^^^^^^^^^

 EH through fine-grained callbacks start from scsi_unjam_host().

``scsi_unjam_host``

    1. Lock shost->host_lock, splice_init shost->eh_cmd_q into local
       eh_work_q and unlock host_lock.  Note that shost->eh_cmd_q is
       cleared by this action.

    2. Invoke scsi_eh_get_sense.

    ``scsi_eh_get_sense``

	This action is taken for each error-completed
	(!SCSI_EH_CANCEL_CMD) commands without valid sense data.  Most
	SCSI transports/LLDDs automatically acquire sense data on
	command failures (autosense).  Autosense is recommended for
	performance reasons and as sense information could get out of
	sync between occurrence of CHECK CONDITION and this action.

	Note that if autosense is not supported, scmd->sense_buffer
	contains invalid sense data when error-completing the scmd
	with scsi_done().  scsi_decide_disposition() always returns
	FAILED in such cases thus invoking SCSI EH.  When the scmd
	reaches here, sense data is acquired and
	scsi_decide_disposition() is called again.

	1. Invoke scsi_request_sense() which issues REQUEST_SENSE
           command.  If fails, no action.  Note that taking no action
           causes higher-severity recovery to be taken for the scmd.

	2. Invoke scsi_decide_disposition() on the scmd

	   - SUCCESS
		scmd->retries is set to scmd->allowed preventing
		scsi_eh_flush_done_q() from retrying the scmd and
		scsi_eh_finish_cmd() is invoked.

	   - NEEDS_RETRY
		scsi_eh_finish_cmd() invoked

	   - otherwise
		No action.

    3. If !list_empty(&eh_work_q), invoke scsi_eh_abort_cmds().

    ``scsi_eh_abort_cmds``

	This action is taken for each timed out command when
	no_async_abort is enabled in the host template.
	hostt->eh_abort_handler() is invoked for each scmd.  The
	handler returns SUCCESS if it has succeeded to make LLDD and
	all related hardware forget about the scmd.

	If a timedout scmd is successfully aborted and the sdev is
	either offline or ready, scsi_eh_finish_cmd() is invoked for
	the scmd.  Otherwise, the scmd is left in eh_work_q for
	higher-severity actions.

	Note that both offline and ready status mean that the sdev is
	ready to process new scmds, where processing also implies
	immediate failing; thus, if a sdev is in one of the two
	states, no further recovery action is needed.

	Device readiness is tested using scsi_eh_tur() which issues
	TEST_UNIT_READY command.  Note that the scmd must have been
	aborted successfully before reusing it for TEST_UNIT_READY.

    4. If !list_empty(&eh_work_q), invoke scsi_eh_ready_devs()

    ``scsi_eh_ready_devs``

	This function takes four increasingly more severe measures to
	make failed sdevs ready for new commands.

	1. Invoke scsi_eh_stu()

	``scsi_eh_stu``

	    For each sdev which has failed scmds with valid sense data
	    of which scsi_check_sense()'s verdict is FAILED,
	    START_STOP_UNIT command is issued w/ start=1.  Note that
	    as we explicitly choose error-completed scmds, it is known
	    that lower layers have forgotten about the scmd and we can
	    reuse it for STU.

	    If STU succeeds and the sdev is either offline or ready,
	    all failed scmds on the sdev are EH-finished with
	    scsi_eh_finish_cmd().

	    *NOTE* If hostt->eh_abort_handler() isn't implemented or
	    failed, we may still have timed out scmds at this point
	    and STU doesn't make lower layers forget about those
	    scmds.  Yet, this function EH-finish all scmds on the sdev
	    if STU succeeds leaving lower layers in an inconsistent
	    state.  It seems that STU action should be taken only when
	    a sdev has no timed out scmd.

	2. If !list_empty(&eh_work_q), invoke scsi_eh_bus_device_reset().

	``scsi_eh_bus_device_reset``

	    This action is very similar to scsi_eh_stu() except that,
	    instead of issuing STU, hostt->eh_device_reset_handler()
	    is used.  Also, as we're not issuing SCSI commands and
	    resetting clears all scmds on the sdev, there is no need
	    to choose error-completed scmds.

	3. If !list_empty(&eh_work_q), invoke scsi_eh_bus_reset()

	``scsi_eh_bus_reset``

	    hostt->eh_bus_reset_handler() is invoked for each channel
	    with failed scmds.  If bus reset succeeds, all failed
	    scmds on all ready or offline sdevs on the channel are
	    EH-finished.

	4. If !list_empty(&eh_work_q), invoke scsi_eh_host_reset()

	``scsi_eh_host_reset``

	    This is the last resort.  hostt->eh_host_reset_handler()
	    is invoked.  If host reset succeeds, all failed scmds on
	    all ready or offline sdevs on the host are EH-finished.

	5. If !list_empty(&eh_work_q), invoke scsi_eh_offline_sdevs()

	``scsi_eh_offline_sdevs``

	    Take all sdevs which still have unrecovered scmds offline
	    and EH-finish the scmds.

    5. Invoke scsi_eh_flush_done_q().

	``scsi_eh_flush_done_q``

	    At this point all scmds are recovered (or given up) and
	    put on eh_done_q by scsi_eh_finish_cmd().  This function
	    flushes eh_done_q by either retrying or notifying upper
	    layer of failure of the scmds.


2.2 EH through transportt->eh_strategy_handler()
------------------------------------------------

transportt->eh_strategy_handler() is invoked in the place of
scsi_unjam_host() and it is responsible for whole recovery process.
On completion, the handler should have made lower layers forget about
all failed scmds and either ready for new commands or offline.  Also,
it should perform SCSI EH maintenance chores to maintain integrity of
SCSI midlayer.  IOW, of the steps described in [2-1-2], all steps
except for #1 must be implemented by eh_strategy_handler().


2.2.1 Pre transportt->eh_strategy_handler() SCSI midlayer conditions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 The following conditions are true on entry to the handler.

 - Each failed scmd's eh_flags field is set appropriately.

 - Each failed scmd is linked on scmd->eh_cmd_q by scmd->eh_entry.

 - SHOST_RECOVERY is set.

 - shost->host_failed == shost->host_busy


2.2.2 Post transportt->eh_strategy_handler() SCSI midlayer conditions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 The following conditions must be true on exit from the handler.

 - shost->host_failed is zero.

 - Each scmd is in such a state that scsi_setup_cmd_retry() on the
   scmd doesn't make any difference.

 - shost->eh_cmd_q is cleared.

 - Each scmd->eh_entry is cleared.

 - Either scsi_queue_insert() or scsi_finish_command() is called on
   each scmd.  Note that the handler is free to use scmd->retries and
   ->allowed to limit the number of retries.


2.2.3 Things to consider
^^^^^^^^^^^^^^^^^^^^^^^^

 - Know that timed out scmds are still active on lower layers.  Make
   lower layers forget about them before doing anything else with
   those scmds.

 - For consistency, when accessing/modifying shost data structure,
   grab shost->host_lock.

 - On completion, each failed sdev must have forgotten about all
   active scmds.

 - On completion, each failed sdev must be ready for new commands or
   offline.


Tejun Heo
htejun@gmail.com

11th September 2005