From: Albert Lee <albertcc@tw.ibm.com>
To: Jeff Garzik <jgarzik@pobox.com>
Cc: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>,
Doug Maxey <dwm@maxeymade.com>,
IDE Linux <linux-ide@vger.kernel.org>
Subject: [PATCH 1/2] libata: Fix race condition in ata_pio_task()
Date: Fri, 24 Jun 2005 11:47:54 +0800 [thread overview]
Message-ID: <42BB826A.6040209@tw.ibm.com> (raw)
In-Reply-To: <42BA775B.1050601@tw.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 1060 bytes --]
Jeff,
This is patch 1/2. (The previous subject is incorrect. Resend it here.)
Problem:
'assert(qc != NULL)' failed in ata_pio_block() and ata_pio_complete().
Root cause:
Race condition in ata_pio_task() when accessing 'ap->pio_task_state' after ata_qc_complete():
If the next command is queued after ata_qc_complete() and before ata_pio_task() checks 'ap->pio_task_state',
'ap->pio_task_state' might have been changed from PIO_ST_IDLE to PIO_ST by ata_qc_issue_prot().
This will cause ata_pio_task() to run extra steps even if the command is finished.
The extra steps race with the next command and causing trouble.
Changes:
- Let ata_pio_complete() and ata_pio_block() return explicitly whether queuing next step is needed.
- Use the return value to determine whether next step is needed, instead of checking the volatile 'ap->pio_task_state' variable.
Attached please find the patch against the linux-2.6.git tree (HEAD ee98689be1b054897ff17655008c3048fe88be94)
for your review. Thanks.
Albert
Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
[-- Attachment #2: patch1.diff --]
[-- Type: text/plain, Size: 3011 bytes --]
--- linux-ori/drivers/scsi/libata-core.c 2005-06-23 15:34:21.000000000 +0800
+++ linux/drivers/scsi/libata-core.c 2005-06-23 15:57:16.000000000 +0800
@@ -2455,7 +2455,7 @@
* None. (executing in kernel thread context)
*/
-static void ata_pio_complete (struct ata_port *ap)
+static int ata_pio_complete (struct ata_port *ap)
{
struct ata_queued_cmd *qc;
u8 drv_stat;
@@ -2475,14 +2475,14 @@
if (drv_stat & (ATA_BUSY | ATA_DRQ)) {
ap->pio_task_state = PIO_ST_LAST_POLL;
ap->pio_task_timeout = jiffies + ATA_TMOUT_PIO;
- return;
+ return 1; /* queue next step */
}
}
drv_stat = ata_wait_idle(ap);
if (!ata_ok(drv_stat)) {
ap->pio_task_state = PIO_ST_ERR;
- return;
+ return 1; /* queue next step */
}
qc = ata_qc_from_tag(ap, ap->active_tag);
@@ -2493,6 +2493,7 @@
ata_irq_on(ap);
ata_qc_complete(qc, drv_stat);
+ return 0; /* last step */
}
@@ -2683,7 +2684,7 @@
* None. (executing in kernel thread context)
*/
-static void ata_pio_block(struct ata_port *ap)
+static int ata_pio_block(struct ata_port *ap)
{
struct ata_queued_cmd *qc;
u8 status;
@@ -2703,7 +2704,7 @@
if (status & ATA_BUSY) {
ap->pio_task_state = PIO_ST_POLL;
ap->pio_task_timeout = jiffies + ATA_TMOUT_PIO;
- return;
+ return 1; /* queue next step */
}
}
@@ -2718,7 +2719,7 @@
ata_irq_on(ap);
ata_qc_complete(qc, status);
- return;
+ return 0; /* last step */
}
atapi_pio_bytes(qc);
@@ -2726,11 +2727,13 @@
/* handle BSY=0, DRQ=0 as error */
if ((status & ATA_DRQ) == 0) {
ap->pio_task_state = PIO_ST_ERR;
- return;
+ return 1; /* queue next step */
}
ata_pio_sector(qc);
}
+
+ return 1; /* queue next step */
}
static void ata_pio_error(struct ata_port *ap)
@@ -2756,21 +2759,20 @@
{
struct ata_port *ap = _data;
unsigned long timeout = 0;
+ int next_step;
switch (ap->pio_task_state) {
- case PIO_ST_IDLE:
- return;
-
case PIO_ST:
- ata_pio_block(ap);
+ next_step = ata_pio_block(ap);
break;
case PIO_ST_LAST:
- ata_pio_complete(ap);
+ next_step = ata_pio_complete(ap);
break;
case PIO_ST_POLL:
case PIO_ST_LAST_POLL:
+ next_step = 1;
timeout = ata_pio_poll(ap);
break;
@@ -2778,11 +2780,26 @@
case PIO_ST_ERR:
ata_pio_error(ap);
return;
+ default:
+ printk(KERN_ERR "Unknown PIO task state %u\n",
+ ap->pio_task_state);
+ return;
}
+ /* Don't access ap->pio_task_state here.
+ *
+ * Access ap->pio_task_state here will cause race condition
+ * between this code path and the ata_qc_issue_prot() code path:
+ * If ata_qc_complete() has been called above, the SCSI layer
+ * might have sent the next command to libata for queuing.
+ * And ap->pio_task_state might have been changed
+ * by ata_qc_issue_prot().
+ */
+ if (!next_step)
+ return;
+
if (timeout)
- queue_delayed_work(ata_wq, &ap->pio_task,
- timeout);
+ queue_delayed_work(ata_wq, &ap->pio_task, timeout);
else
queue_work(ata_wq, &ap->pio_task);
}
next prev parent reply other threads:[~2005-06-24 3:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-23 8:48 [PATCH 0/2] libata: PIO race condition fixes Albert Lee
2005-06-23 9:09 ` Albert Lee
2005-06-23 9:13 ` [PATCH 2/2] libata: Remove 'case ATA_PROT_ATAPI' in ata_host_intr() Albert Lee
2005-06-24 3:47 ` Albert Lee [this message]
2005-06-27 9:40 ` [PATCH 1/2] libata: Fix race condition in ata_pio_task() Albert Lee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42BB826A.6040209@tw.ibm.com \
--to=albertcc@tw.ibm.com \
--cc=bzolnier@gmail.com \
--cc=dwm@maxeymade.com \
--cc=jgarzik@pobox.com \
--cc=linux-ide@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).