From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Ingo Molnar <mingo@elte.hu>, Jeff Garzik <jeff@garzik.org>,
Christian Borntraeger <borntraeger@de.ibm.com>,
linux-ide@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>
Subject: Re: [bisected] Re: todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750()
Date: Sat, 10 Jan 2009 23:06:47 +0300 [thread overview]
Message-ID: <4968FFD7.6070302@ru.mvista.com> (raw)
In-Reply-To: <4968C5CA.6010508@ru.mvista.com>
Hello, I wrote:
>>> All the S/G counts printed out were divisible by 4 (36 for
>>> INQUIRY and 96 for REQUSET SENSE). It's the *actual* byte count for
>>> the REQUEST SENSE that's no divisible. The SCSI/ATAPI devices are
>>> free to sent less data than requested on non block transfer commands.
>
>> That is just fine - if the sg list is not corrupt or being mishandled
>> and
>> the atapi pio code is not buggy.
>
>> RTFS a bit and it becomes obvious that the core libata code has a bug:
>
> Oh, I have already... and saw where the issue could be. It just
> wasn't obvious why 32-bit PIO triggered it.
Got it now, however the issue doesn't seem as evident simple to me...
>> From libata-sff.c:
>> /* consumed can be larger than count only for the last
>> transfer */
>> WARN_ON_ONCE(qc->cursg && count != consumed);
>>
>> The big clue turns out to be that the code doesn't match the comment.
>>
>> Next note the check on qc->cursg. If my input sg list is a 36 byte
>> single
>> sg entry then qc->cursg should be NULL by the WARN_ON() - but it isn't.
>
> I think it's still not NULL because qc->cursg_ofs == sg->length
> check was *not* true right above, hence sg_next() wasn't called...
>
>> If qc->cursg is NULL when the sg_next() is run then we don't warn
>> because
>> we are quite happy with the last segment being padded or underrunning.
>
> I don't think that sg_next() is called on an underrun segment. And
> here lies the mistake.
>
>> What we actually want to explode on is a case where we transfer more
>> bytes than are wanted and where there are more sg entries to perform
>> - at
>> that point we would corrupt.
>
>> So at least one failure case is
>
>> Core code issues an SG list for 96 bytes
>> Drive indicates it wishes to return 18 bytes
>
>> data_xfer transfers 18 bytes + 2 padding (correctly) -> 20 bytes
Correctly indeed? I'm not at all sure it's correct to read an extra
16-bit word off the device when it thinks it's already done with the
data transfer. This is not the same as to read 16-bit word and ignore
its MSB as it happened. The same concern about the writes... Note that
the IDE code doesn't do this...
MBR, Sergei
next prev parent reply other threads:[~2009-01-10 20:07 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-09 12:34 todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750() Christian Borntraeger
2009-01-09 12:44 ` Alan Cox
2009-01-09 13:09 ` Christian Borntraeger
2009-01-10 9:09 ` Christian Borntraeger
2009-01-10 10:41 ` Alan Cox
2009-01-10 11:42 ` Christian Borntraeger
2009-01-10 11:49 ` Sergei Shtylyov
2009-01-10 12:21 ` Alan Cox
2009-01-10 13:01 ` Sergei Shtylyov
2009-01-10 13:55 ` Alan Cox
2009-01-10 13:04 ` Christian Borntraeger
2009-01-10 13:14 ` Jeff Garzik
2009-01-10 13:27 ` Christian Borntraeger
2009-01-10 13:51 ` Alan Cox
2009-01-10 21:21 ` Arjan van de Ven
2009-01-10 13:07 ` Ingo Molnar
2009-01-10 13:12 ` Jeff Garzik
2009-01-10 13:24 ` Ingo Molnar
2009-01-10 13:36 ` [bisected] " Ingo Molnar
2009-01-10 13:57 ` Alan Cox
2009-01-10 15:10 ` Sergei Shtylyov
2009-01-10 15:28 ` Alan Cox
2009-01-10 15:59 ` Sergei Shtylyov
2009-01-10 20:06 ` Sergei Shtylyov [this message]
2009-01-10 20:31 ` Jeff Garzik
2009-01-10 20:50 ` Sergei Shtylyov
2009-01-11 0:10 ` Alan Cox
2009-01-11 9:18 ` Sergei Shtylyov
2009-01-11 11:24 ` Alan Cox
2009-01-13 9:38 ` [PATCH] ata: fix wrong WARN_ON_ONCE Christian Borntraeger
2009-01-10 13:57 ` [bisected] Re: todays git: WARNING: at drivers/ata/libata-sff.c:1017 ata_sff_hsm_move+0x45e/0x750() Christian Borntraeger
2009-01-10 13:53 ` Alan Cox
2009-01-10 14:36 ` James Bottomley
2009-01-10 15:03 ` Jeff Garzik
2009-01-10 15:12 ` Alan Cox
2009-01-10 15:22 ` James Bottomley
2009-01-10 15:29 ` Alan Cox
2009-01-10 15:34 ` Sergei Shtylyov
2009-01-10 15:29 ` Sergei Shtylyov
2009-01-10 15:32 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4968FFD7.6070302@ru.mvista.com \
--to=sshtylyov@ru.mvista.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=borntraeger@de.ibm.com \
--cc=jeff@garzik.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox