From: Andrew Morton <akpm@osdl.org>
To: Jeff Garzik <jeff@garzik.org>
Cc: Tejun Heo <htejun@gmail.com>, linux-ide@vger.kernel.org
Subject: Re: ata kmap_atomic abuse
Date: Sat, 16 Dec 2006 09:20:05 -0800 [thread overview]
Message-ID: <20061216092005.f962b2cd.akpm@osdl.org> (raw)
In-Reply-To: <4584217D.7090500@garzik.org>
On Sat, 16 Dec 2006 11:40:29 -0500
Jeff Garzik <jeff@garzik.org> wrote:
> Andrew Morton wrote:
> > On Mon, 11 Dec 2006 11:07:06 -0500
> > Jeff Garzik <jeff@garzik.org> wrote:
> >
> >> Andrew Morton wrote:
> >>> [ 231.948000] SCSI device sda: 195371568 512-byte hdwr sectors (100030 MB)
> >>> [ 232.232000] ata1.00: configured for UDMA/33
> >>> [ 232.404000] WARNING (1) at arch/i386/mm/highmem.c:47 kmap_atomic()
> >>> It's using KM_USER0 from softirq.
> >> I thought that was OK if it was kmap_atomic(). Live and learn.
> >
> > Each kmap_atomic slot is basically a per-cpu global variable. If a CPU is
> > inside process-level kmap_atomic(KM_USER0) and then runs that softirq,
> > it'll return from the softirq with its kmap slot pointing at the wrong
> > page.
> >
> >> Checked in the attached.
> >
> >
> > diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
> >> index 664e137..a4790be 100644
> >> --- a/drivers/ata/libata-scsi.c
> >> +++ b/drivers/ata/libata-scsi.c
> >> @@ -1539,7 +1539,7 @@ static unsigned int ata_scsi_rbuf_get(st
> >> struct scatterlist *sg;
> >>
> >> sg = (struct scatterlist *) cmd->request_buffer;
> >> - buf = kmap_atomic(sg->page, KM_USER0) + sg->offset;
> >> + buf = kmap_atomic(sg->page, KM_IRQ0) + sg->offset;
> >> buflen = sg->length;
> >> } else {
> >> buf = cmd->request_buffer;
> >> @@ -1567,7 +1567,7 @@ static inline void ata_scsi_rbuf_put(str
> >> struct scatterlist *sg;
> >>
> >> sg = (struct scatterlist *) cmd->request_buffer;
> >> - kunmap_atomic(buf - sg->offset, KM_USER0);
> >> + kunmap_atomic(buf - sg->offset, KM_IRQ0);
> >> }
> >> }
> >>
> >
> > KM_IRQ0 can only be used with local interrupts disabled, for the same
> > reason.
>
> Are you making a comment, or pointing out a flaw in the patch?
<tries to remember>
> AFAICS, the code in question is always under spin_lock_irqsave()
ok. That is in fact obligatory: if we were to call this (as-modified)
function from softirq context but with local IRQs enabled, an intervening
interrupt could come in and make out kmap slot point somewhere else.
We require that local interrupts remain disabled by the caller until the
caller has called ata_scsi_rbuf_put().
This means that we require that all callers of the non-static
ata_scsi_rbuf_fill() have disabled local IRQs. The nice comment says they
must do that, so hopefully we're OK there.
So yes, it all looks to be solid to me.
prev parent reply other threads:[~2006-12-16 17:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-11 8:13 ata kmap_atomic abuse Andrew Morton
2006-12-11 16:07 ` Jeff Garzik
2006-12-11 18:00 ` Andrew Morton
2006-12-16 16:40 ` Jeff Garzik
2006-12-16 17:20 ` Andrew Morton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061216092005.f962b2cd.akpm@osdl.org \
--to=akpm@osdl.org \
--cc=htejun@gmail.com \
--cc=jeff@garzik.org \
--cc=linux-ide@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.