From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
Subject: [PATCH 3.14 04/77] libata: prevent HSM state change race between ISR and PIO
Date: Tue, 27 Jan 2015 17:26:42 -0800 [thread overview]
Message-ID: <20150128012746.100173312@linuxfoundation.org> (raw)
In-Reply-To: <20150128012745.971137091@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Jeffery <djeffery@redhat.com>
commit ce7514526742c0898b837d4395f515b79dfb5a12 upstream.
It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
This problem is hard to reproduce making this patch hard to verify, but this
fix will prevent the race.
I have not been able to reproduce the problem, but here is a crash dump from
a 2.6.32 kernel.
On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
crash> struct ata_port.hsm_task_state ffff881c1121c000
hsm_task_state = 0
Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
PID: 11053 TASK: ffff8816e846cae0 CPU: 0 COMMAND: "sshd"
#0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
#1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
#2 [ffff88008ba03a90] oops_end at ffffffff8152b510
#3 [ffff88008ba03ac0] die at ffffffff81010e0b
#4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
#5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
#6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
[exception RIP: ata_sff_hsm_move+317]
RIP: ffffffff813a77ad RSP: ffff88008ba03ca0 RFLAGS: 00010097
RAX: 0000000000000000 RBX: ffff881c1121dc60 RCX: 0000000000000000
RDX: ffff881c1121dd10 RSI: ffff881c1121dc60 RDI: ffff881c1121c000
RBP: ffff88008ba03d00 R8: 0000000000000000 R9: 000000000000002e
R10: 000000000001003f R11: 000000000000009b R12: ffff881c1121c000
R13: 0000000000000000 R14: 0000000000000050 R15: ffff881c1121dd78
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
#8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
#9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
---
drivers/ata/libata-sff.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -1333,7 +1333,19 @@ void ata_sff_flush_pio_task(struct ata_p
DPRINTK("ENTER\n");
cancel_delayed_work_sync(&ap->sff_pio_task);
+
+ /*
+ * We wanna reset the HSM state to IDLE. If we do so without
+ * grabbing the port lock, critical sections protected by it which
+ * expect the HSM state to stay stable may get surprised. For
+ * example, we may set IDLE in between the time
+ * __ata_sff_port_intr() checks for HSM_ST_IDLE and before it calls
+ * ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
+ */
+ spin_lock_irq(ap->lock);
ap->hsm_task_state = HSM_ST_IDLE;
+ spin_unlock_irq(ap->lock);
+
ap->sff_pio_task_link = NULL;
if (ata_msg_ctl(ap))
next prev parent reply other threads:[~2015-01-28 1:26 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-28 1:26 [PATCH 3.14 00/77] 3.14.31-stable review Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 01/77] gpio: sysfs: fix gpio-chip device-attribute leak Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 02/77] gpio: sysfs: fix gpio " Greg Kroah-Hartman
2015-01-28 14:30 ` Luis Henriques
2015-01-28 15:24 ` Johan Hovold
2015-01-28 16:02 ` [PATCH v2] " Johan Hovold
2015-01-28 17:52 ` Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 03/77] pinctrl: Fix two deadlocks Greg Kroah-Hartman
2015-01-28 1:26 ` Greg Kroah-Hartman [this message]
2015-01-28 1:26 ` [PATCH 3.14 05/77] ALSA: usb-audio: Add mic volume fix quirk for Logitech Webcam C210 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 06/77] scripts/recordmcount.pl: There is no -m32 gcc option on Super-H anymore Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 07/77] drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 08/77] drm/radeon: add a dpm quirk list Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 09/77] drm/radeon: add si " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 10/77] drm/radeon: use rv515_ring_start on r5xx Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 11/77] PCI: Add flag for devices where we cant use bus reset Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 12/77] PCI: Mark Atheros AR93xx to avoid " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 13/77] ipr: wait for aborted command responses Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 14/77] dm cache: share cache-metadata object across inactive and active DM tables Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 15/77] dm cache: fix problematic dual use of a single migration count variable Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 16/77] time: settimeofday: Validate the values of tv from user Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 17/77] time: adjtimex: Validate the ADJ_FREQUENCY values Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 18/77] ARM: dts: imx25: Fix PWM "per" clocks Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 19/77] bus: mvebu-mbus: fix support of MBus window 13 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 20/77] fix deadlock in cifs_ioctl_clone() Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.14 21/77] can: dev: fix crtlmode_supported check Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 22/77] clocksource: exynos_mct: Fix bitmask regression for exynos4_mct_write Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 23/77] x86, hyperv: Mark the Hyper-V clocksource as being continuous Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 24/77] x86/tsc: Change Fast TSC calibration failed from error to info Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 25/77] x86, boot: Skip relocs when load address unchanged Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 26/77] KVM: x86: Fix of previously incomplete fix for CVE-2014-8480 Greg Kroah-Hartman
2015-01-28 8:51 ` Nadav Amit
2015-01-28 1:27 ` [PATCH 3.14 27/77] x86, tls, ldt: Stop checking lm in LDT_empty Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 28/77] x86, tls: Interpret an all-zero struct user_desc as "no segment" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 29/77] x86/apic: Re-enable PCI_MSI support for non-SMP X86_32 Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 30/77] x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and sync_regs Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 31/77] sata_dwc_460ex: fix resource leak on error path Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 32/77] KEYS: close race between key lookup and freeing Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 33/77] netfilter: nfnetlink: validate nfnetlink header from batch Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 34/77] ipvs: uninitialized data with IP_VS_IPV6 Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 35/77] Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 36/77] drbd: merge_bvec_fn: properly remap bvm->bi_bdev Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 37/77] crypto: prefix module autoloading with "crypto-" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 38/77] crypto: include crypto- module prefix in template Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 39/77] crypto: add missing crypto module aliases Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 40/77] ARC: Delete stale barrier.h Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 41/77] ARC: Fix build breakage for !CONFIG_ARC_DW2_UNWIND Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 42/77] Input: evdev - fix EVIOCG{type} ioctl Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 43/77] tty: Fix pty master poll() after slave closes v2 Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 44/77] mmc: sdhci: Dont signal the sdio irq if its not setup Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 45/77] mm/swap.c: clean up *lru_cache_add* functions Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 46/77] mm: page_alloc: do not update zlc unless the zlc is active Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 47/77] mm: page_alloc: do not treat a zone that cannot be used for dirty pages as "full" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 48/77] include/linux/jump_label.h: expose the reference count Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 49/77] mm: page_alloc: use jump labels to avoid checking number_of_cpusets Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 50/77] mm: page_alloc: calculate classzone_idx once from the zonelist ref Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 51/77] mm: page_alloc: only check the zone id check if pages are buddies Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 52/77] mm: page_alloc: only check the alloc flags and gfp_mask for dirty once Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 53/77] mm: page_alloc: take the ALLOC_NO_WATERMARK check out of the fast path Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 54/77] mm: page_alloc: use unsigned int for order in more places Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 55/77] mm: page_alloc: reduce number of times page_to_pfn is called Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 56/77] mm: page_alloc: convert hot/cold parameter and immediate callers to bool Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 57/77] mm: page_alloc: lookup pageblock migratetype with IRQs enabled during free Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 58/77] mm: shmem: avoid atomic operation during shmem_getpage_gfp Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 59/77] mm: do not use atomic operations when releasing pages Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 60/77] mm: do not use unnecessary atomic operations when adding pages to the LRU Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 61/77] fs: buffer: do not use unnecessary atomic operations when discarding buffers Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 62/77] mm: non-atomically mark page accessed during page cache allocation where possible Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 63/77] mm: avoid unnecessary atomic operations during end_page_writeback() Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 64/77] shmem: fix init_page_accessed use to stop !PageLRU bug Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 65/77] mm/memory.c: use entry = ACCESS_ONCE(*pte) in handle_pte_fault() Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 66/77] mm, thp: only collapse hugepages to nodes with affinity for zone_reclaim_mode Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 67/77] mm: make copy_pte_range static again Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 68/77] vmalloc: use rcu list iterator to reduce vmap_area_lock contention Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 69/77] memcg, vmscan: Fix forced scan of anonymous pages Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 70/77] mm: pagemap: avoid unnecessary overhead when tracepoints are deactivated Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 71/77] mm: rearrange zone fields into read-only, page alloc, statistics and page reclaim lines Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 72/77] mm: move zone->pages_scanned into a vmstat counter Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 73/77] mm: vmscan: only update per-cpu thresholds for online CPU Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 74/77] mm: page_alloc: abort fair zone allocation policy when remotes nodes are encountered Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 75/77] mm: page_alloc: reduce cost of the fair zone allocation policy Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 76/77] mm: get rid of radix tree gfp mask for pagecache_get_page Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.14 77/77] md/raid5: fetch_block must fetch all the blocks handle_stripe_dirtying wants Greg Kroah-Hartman
2015-01-28 14:15 ` [PATCH 3.14 00/77] 3.14.31-stable review Guenter Roeck
2015-01-28 16:51 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150128012746.100173312@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).