From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
Subject: [PATCH 3.18 09/61] libata: prevent HSM state change race between ISR and PIO
Date: Tue, 27 Jan 2015 17:26:21 -0800 [thread overview]
Message-ID: <20150128012637.960179244@linuxfoundation.org> (raw)
In-Reply-To: <20150128012636.936333725@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Jeffery <djeffery@redhat.com>
commit ce7514526742c0898b837d4395f515b79dfb5a12 upstream.
It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
This problem is hard to reproduce making this patch hard to verify, but this
fix will prevent the race.
I have not been able to reproduce the problem, but here is a crash dump from
a 2.6.32 kernel.
On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
crash> struct ata_port.hsm_task_state ffff881c1121c000
hsm_task_state = 0
Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
PID: 11053 TASK: ffff8816e846cae0 CPU: 0 COMMAND: "sshd"
#0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
#1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
#2 [ffff88008ba03a90] oops_end at ffffffff8152b510
#3 [ffff88008ba03ac0] die at ffffffff81010e0b
#4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
#5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
#6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
[exception RIP: ata_sff_hsm_move+317]
RIP: ffffffff813a77ad RSP: ffff88008ba03ca0 RFLAGS: 00010097
RAX: 0000000000000000 RBX: ffff881c1121dc60 RCX: 0000000000000000
RDX: ffff881c1121dd10 RSI: ffff881c1121dc60 RDI: ffff881c1121c000
RBP: ffff88008ba03d00 R8: 0000000000000000 R9: 000000000000002e
R10: 000000000001003f R11: 000000000000009b R12: ffff881c1121c000
R13: 0000000000000000 R14: 0000000000000050 R15: ffff881c1121dd78
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
#8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
#9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
---
drivers/ata/libata-sff.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -1333,7 +1333,19 @@ void ata_sff_flush_pio_task(struct ata_p
DPRINTK("ENTER\n");
cancel_delayed_work_sync(&ap->sff_pio_task);
+
+ /*
+ * We wanna reset the HSM state to IDLE. If we do so without
+ * grabbing the port lock, critical sections protected by it which
+ * expect the HSM state to stay stable may get surprised. For
+ * example, we may set IDLE in between the time
+ * __ata_sff_port_intr() checks for HSM_ST_IDLE and before it calls
+ * ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
+ */
+ spin_lock_irq(ap->lock);
ap->hsm_task_state = HSM_ST_IDLE;
+ spin_unlock_irq(ap->lock);
+
ap->sff_pio_task_link = NULL;
if (ata_msg_ctl(ap))
next prev parent reply other threads:[~2015-01-28 1:26 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-28 1:26 [PATCH 3.18 00/61] 3.18.5-stable review Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 01/61] can: dev: fix crtlmode_supported check Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 02/61] can: m_can: tag current CAN FD controllers as non-ISO Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 03/61] pinctrl: qcom: Dont iterate past end of function array Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 04/61] pinctrl: Fix two deadlocks Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 05/61] mfd: tps65218: Make INT[12] and STATUS registers volatile Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 06/61] mfd: tps65218: Make INT1 our status_base register Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 07/61] mfd: rtsx_usb: Fix runtime PM deadlock Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 08/61] libata: allow sata_sil24 to opt-out of tag ordered submission Greg Kroah-Hartman
2015-01-28 1:26 ` Greg Kroah-Hartman [this message]
2015-01-28 1:26 ` [PATCH 3.18 10/61] ALSA: usb-audio: Add mic volume fix quirk for Logitech Webcam C210 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 11/61] workqueue: fix subtle pool management issue which can stall whole worker_pool Greg Kroah-Hartman
2015-01-28 1:51 ` Lai Jiangshan
2015-01-28 2:24 ` Tejun Heo
2015-01-28 3:15 ` Lai Jiangshan
2015-01-28 15:07 ` Tejun Heo
2015-01-28 17:54 ` Greg Kroah-Hartman
2015-01-29 20:33 ` Tejun Heo
2015-02-02 11:28 ` Luis Henriques
2015-01-28 1:26 ` [PATCH 3.18 12/61] scripts/recordmcount.pl: There is no -m32 gcc option on Super-H anymore Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 13/61] drm/i915: Ban Haswell from using RCS flips Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 14/61] drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 15/61] drm/radeon: add a dpm quirk list Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 16/61] drm/radeon: add si " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 17/61] drm/radeon: use rv515_ring_start on r5xx Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 18/61] PCI: Pass bridge device, not bus, when updating bridge windows Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 19/61] PCI: Add pci_claim_bridge_resource() to clip window if necessary Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 20/61] PCI: Add pci_bus_clip_resource() to clip to fit upstream window Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 21/61] x86/PCI: Clip bridge windows to fit in upstream windows Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 22/61] PCI: Add flag for devices where we cant use bus reset Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 23/61] PCI: Mark Atheros AR93xx to avoid " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 24/61] ipr: wait for aborted command responses Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 25/61] [media] cx23885: Split Hauppauge WinTV Starburst from HVR4400 card entry Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 26/61] [media] vb2: fix vb2_thread_stop race conditions Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 27/61] dm cache: share cache-metadata object across inactive and active DM tables Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 28/61] dm cache: fix problematic dual use of a single migration count variable Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 29/61] irqchip: omap-intc: Fix legacy DMA regression Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 30/61] time: settimeofday: Validate the values of tv from user Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 31/61] time: adjtimex: Validate the ADJ_FREQUENCY values Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 32/61] ARM: dts: imx25: Fix PWM "per" clocks Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 33/61] ARM: mvebu: completely disable hardware I/O coherency Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 34/61] bus: mvebu-mbus: fix support of MBus window 13 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 35/61] fix deadlock in cifs_ioctl_clone() Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 36/61] irqchip: atmel-aic-common: Prevent clobbering of priority when changing IRQ type Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 37/61] x86, irq: Properly tag virtualization entry in /proc/interrupts Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 38/61] clocksource: exynos_mct: Fix bitmask regression for exynos4_mct_write Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 39/61] x86, hyperv: Mark the Hyper-V clocksource as being continuous Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 40/61] x86/tsc: Change Fast TSC calibration failed from error to info Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 41/61] x86, boot: Skip relocs when load address unchanged Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 42/61] KVM: x86: SYSENTER emulation is broken Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 43/61] KVM: x86: Fix of previously incomplete fix for CVE-2014-8480 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 44/61] x86, tls, ldt: Stop checking lm in LDT_empty Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 45/61] x86, tls: Interpret an all-zero struct user_desc as "no segment" Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 46/61] x86/apic: Re-enable PCI_MSI support for non-SMP X86_32 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 47/61] sata_dwc_460ex: fix resource leak on error path Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 48/61] ahci_xgene: Fix the endianess issue in APM X-Gene SoC AHCI SATA controller driver Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 49/61] KEYS: close race between key lookup and freeing Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 50/61] mm: get rid of radix tree gfp mask for pagecache_get_page Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 51/61] netfilter: nfnetlink: validate nfnetlink header from batch Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 52/61] netfilter: nf_tables: fix flush ruleset chain dependencies Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 53/61] netfilter: nfnetlink: relax strict multicast group check from netlink_bind Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 54/61] netfilter: conntrack: fix race between confirmation and flush Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 55/61] ipvs: uninitialized data with IP_VS_IPV6 Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 56/61] Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 57/61] iwlwifi: mvm: add a flag to enable match found notification Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 58/61] ACPI / PM: Do not disable wakeup GPEs that have not been enabled Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 59/61] crypto: prefix module autoloading with "crypto-" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 60/61] crypto: include crypto- module prefix in template Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 61/61] crypto: add missing crypto module aliases Greg Kroah-Hartman
2015-01-28 14:15 ` [PATCH 3.18 00/61] 3.18.5-stable review Guenter Roeck
2015-01-28 17:55 ` Greg Kroah-Hartman
2015-01-28 16:50 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150128012637.960179244@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).