From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Ingo Molnar <mingo@elte.hu>, Jeff Garzik <jeff@garzik.org>,
Christian Borntraeger <borntraeger@de.ibm.com>,
linux-ide@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>
Subject: Re: [bisected] Re: todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750()
Date: Sat, 10 Jan 2009 18:59:06 +0300 [thread overview]
Message-ID: <4968C5CA.6010508@ru.mvista.com> (raw)
In-Reply-To: <20090110152800.44308491@lxorguk.ukuu.org.uk>
Alan Cox wrote:
>> All the S/G counts printed out were divisible by 4 (36 for INQUIRY and 96
>>for REQUSET SENSE). It's the *actual* byte count for the REQUEST SENSE that's
>>no divisible. The SCSI/ATAPI devices are free to sent less data than requested
>>on non block transfer commands.
> That is just fine - if the sg list is not corrupt or being mishandled and
> the atapi pio code is not buggy.
> RTFS a bit and it becomes obvious that the core libata code has a bug:
Oh, I have already... and saw where the issue could be. It just wasn't
obvious why 32-bit PIO triggered it.
> From libata-sff.c:
> /* consumed can be larger than count only for the last transfer */
> WARN_ON_ONCE(qc->cursg && count != consumed);
>
> The big clue turns out to be that the code doesn't match the comment.
>
> Next note the check on qc->cursg. If my input sg list is a 36 byte single
> sg entry then qc->cursg should be NULL by the WARN_ON() - but it isn't.
I think it's still not NULL because qc->cursg_ofs == sg->length check was
*not* true right above, hence sg_next() wasn't called...
> If qc->cursg is NULL when the sg_next() is run then we don't warn because
> we are quite happy with the last segment being padded or underrunning.
I don't think that sg_next() is called on an underrun segment. And here
lies the mistake.
> What we actually want to explode on is a case where we transfer more
> bytes than are wanted and where there are more sg entries to perform - at
> that point we would corrupt.
> So at least one failure case is
> Core code issues an SG list for 96 bytes
> Drive indicates it wishes to return 18 bytes
> data_xfer transfers 18 bytes + 2 padding (correctly) -> 20 bytes
> At this point __atapi_pio_bytes breaks
> it updates qc->curbytes by 18
> it updates the offset by 18
> The last segment is not exhausted so it does not update qc->cursg
> qc->cursg is not updated and the WARN erroneously uses !=
> The bogus WARN_ON_ONCE() triggers.
Yes.
> So the bug is the WARN_ON being wrong. In fact __atapi_pio_bytes doesn't
> know enough to do the WARN check correctly as it doesn't know if it is
> the last request being made. It just happens it didn't break before
> because all our transfers are word aligned.
Er... I'm not sure what's changed with 32-bit PIO patch.
> Alan
MBR, Sergei
next prev parent reply other threads:[~2009-01-10 15:58 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-09 12:34 todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750() Christian Borntraeger
2009-01-09 12:44 ` Alan Cox
2009-01-09 13:09 ` Christian Borntraeger
2009-01-10 9:09 ` Christian Borntraeger
2009-01-10 10:41 ` Alan Cox
2009-01-10 11:42 ` Christian Borntraeger
2009-01-10 11:49 ` Sergei Shtylyov
2009-01-10 12:21 ` Alan Cox
2009-01-10 13:01 ` Sergei Shtylyov
2009-01-10 13:55 ` Alan Cox
2009-01-10 13:04 ` Christian Borntraeger
2009-01-10 13:14 ` Jeff Garzik
2009-01-10 13:27 ` Christian Borntraeger
2009-01-10 13:51 ` Alan Cox
2009-01-10 21:21 ` Arjan van de Ven
2009-01-10 13:07 ` Ingo Molnar
2009-01-10 13:12 ` Jeff Garzik
2009-01-10 13:24 ` Ingo Molnar
2009-01-10 13:36 ` [bisected] " Ingo Molnar
2009-01-10 13:57 ` Alan Cox
2009-01-10 15:10 ` Sergei Shtylyov
2009-01-10 15:28 ` Alan Cox
2009-01-10 15:59 ` Sergei Shtylyov [this message]
2009-01-10 20:06 ` Sergei Shtylyov
2009-01-10 20:31 ` Jeff Garzik
2009-01-10 20:50 ` Sergei Shtylyov
2009-01-11 0:10 ` Alan Cox
2009-01-11 9:18 ` Sergei Shtylyov
2009-01-11 11:24 ` Alan Cox
2009-01-13 9:38 ` [PATCH] ata: fix wrong WARN_ON_ONCE Christian Borntraeger
2009-01-10 13:57 ` [bisected] Re: todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750() Christian Borntraeger
2009-01-10 13:53 ` Alan Cox
2009-01-10 14:36 ` James Bottomley
2009-01-10 15:03 ` Jeff Garzik
2009-01-10 15:12 ` Alan Cox
2009-01-10 15:22 ` James Bottomley
2009-01-10 15:29 ` Alan Cox
2009-01-10 15:34 ` Sergei Shtylyov
2009-01-10 15:29 ` Sergei Shtylyov
2009-01-10 15:32 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4968C5CA.6010508@ru.mvista.com \
--to=sshtylyov@ru.mvista.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=borntraeger@de.ibm.com \
--cc=jeff@garzik.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.