ce75145267
It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG(). This problem is hard to reproduce making this patch hard to verify, but this fix will prevent the race. I have not been able to reproduce the problem, but here is a crash dump from a 2.6.32 kernel. On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE: crash> struct ata_port.hsm_task_state ffff881c1121c000 hsm_task_state = 0 Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(), which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value. PID: 11053 TASK: ffff8816e846cae0 CPU: 0 COMMAND: "sshd" #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92 #2 [ffff88008ba03a90] oops_end at ffffffff8152b510 #3 [ffff88008ba03ac0] die at ffffffff81010e0b #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74 #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95 #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b [exception RIP: ata_sff_hsm_move+317] RIP: ffffffff813a77ad RSP: ffff88008ba03ca0 RFLAGS: 00010097 RAX: 0000000000000000 RBX: ffff881c1121dc60 RCX: 0000000000000000 RDX: ffff881c1121dd10 RSI: ffff881c1121dc60 RDI: ffff881c1121c000 RBP: ffff88008ba03d00 R8: 0000000000000000 R9: 000000000000002e R10: 000000000001003f R11: 000000000000009b R12: ffff881c1121c000 R13: 0000000000000000 R14: 0000000000000050 R15: ffff881c1121dd78 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0 --- <IRQ stack> --- [exception RIP: pipe_poll+48] RIP: ffffffff81192780 RSP: ffff880f26d459b8 RFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff880f26d459c8 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff881a0539fa80 RBP: ffffffff8100bb8e R8: ffff8803b23324a0 R9: 0000000000000000 R10: ffff880f26d45dd0 R11: 0000000000000008 R12: ffffffff8109b646 R13: ffff880f26d45948 R14: 0000000000000246 R15: 0000000000000246 ORIG_RAX: ffffffffffffff10 CS: 0010 SS: 0018 RIP: 00007f26017435c3 RSP: 00007fffe020c420 RFLAGS: 00000206 RAX: 0000000000000017 RBX: ffffffff8100b072 RCX: 00007fffe020c45c RDX: 00007f2604a3f120 RSI: 00007f2604a3f140 RDI: 000000000000000d RBP: 0000000000000000 R8: 00007fffe020e570 R9: 0101010101010101 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffe020e5f0 R13: 00007fffe020e5f4 R14: 00007f26045f373c R15: 00007fffe020e5e0 ORIG_RAX: 0000000000000017 CS: 0033 SS: 002b Somewhere between the ata_sff_hsm_move() check and the ata_sff_host_intr() check, the value changed. On examining the other cpus to see what else was running, another cpu was running the error handler routines: PID: 326 TASK: ffff881c11014aa0 CPU: 1 COMMAND: "scsi_eh_1" #0 [ffff88008ba27e90] crash_nmi_callback at ffffffff8102fee6 #1 [ffff88008ba27ea0] notifier_call_chain at ffffffff8152d515 #2 [ffff88008ba27ee0] atomic_notifier_call_chain at ffffffff8152d57a #3 [ffff88008ba27ef0] notify_die at ffffffff810a154e #4 [ffff88008ba27f20] do_nmi at ffffffff8152b1db #5 [ffff88008ba27f50] nmi at ffffffff8152aaa0 [exception RIP: _spin_lock_irqsave+47] RIP: ffffffff8152a1ff RSP: ffff881c11a73aa0 RFLAGS: 00000006 RAX: 0000000000000001 RBX: ffff881c1121deb8 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000020 RDI: ffff881c122612d8 RBP: ffff881c11a73aa0 R8: ffff881c17083800 R9: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff881c1121c000 R13: 000000000000001f R14: ffff881c1121dd50 R15: ffff881c1121dc60 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0000 --- <NMI exception stack> --- #6 [ffff881c11a73aa0] _spin_lock_irqsave at ffffffff8152a1ff #7 [ffff881c11a73aa8] ata_exec_internal_sg at ffffffff81396fb5 #8 [ffff881c11a73b58] ata_exec_internal at ffffffff81397109 #9 [ffff881c11a73bd8] atapi_eh_request_sense at ffffffff813a34eb Before it tried to acquire a spinlock, ata_exec_internal_sg() called ata_sff_flush_pio_task(). This function will set ap->hsm_task_state to HSM_ST_IDLE, and has no locking around setting this value. ata_sff_flush_pio_task() can then race with the interrupt handler and potentially set HSM_ST_IDLE at a fatal moment, which will trigger a kernel BUG. v2: Fixup comment in ata_sff_flush_pio_task() tj: Further updated comment. Use ap->lock instead of shost lock and use the [un]lock_irq variant instead of the irqsave/restore one. Signed-off-by: David Milburn <dmilburn@redhat.com> Signed-off-by: Tejun Heo <tj@kernel.org> Cc: stable@vger.kernel.org |
||
---|---|---|
.. | ||
acard-ahci.c | ||
ahci_da850.c | ||
ahci_imx.c | ||
ahci_mvebu.c | ||
ahci_platform.c | ||
ahci_st.c | ||
ahci_sunxi.c | ||
ahci_tegra.c | ||
ahci_xgene.c | ||
ahci.c | ||
ahci.h | ||
ata_generic.c | ||
ata_piix.c | ||
Kconfig | ||
libahci_platform.c | ||
libahci.c | ||
libata-acpi.c | ||
libata-core.c | ||
libata-eh.c | ||
libata-pmp.c | ||
libata-scsi.c | ||
libata-sff.c | ||
libata-transport.c | ||
libata-transport.h | ||
libata-zpodd.c | ||
libata.h | ||
Makefile | ||
pata_acpi.c | ||
pata_ali.c | ||
pata_amd.c | ||
pata_arasan_cf.c | ||
pata_artop.c | ||
pata_at32.c | ||
pata_at91.c | ||
pata_atiixp.c | ||
pata_atp867x.c | ||
pata_bf54x.c | ||
pata_cmd64x.c | ||
pata_cmd640.c | ||
pata_cs5520.c | ||
pata_cs5530.c | ||
pata_cs5535.c | ||
pata_cs5536.c | ||
pata_cypress.c | ||
pata_efar.c | ||
pata_ep93xx.c | ||
pata_hpt3x2n.c | ||
pata_hpt3x3.c | ||
pata_hpt37x.c | ||
pata_hpt366.c | ||
pata_icside.c | ||
pata_imx.c | ||
pata_isapnp.c | ||
pata_it821x.c | ||
pata_it8213.c | ||
pata_ixp4xx_cf.c | ||
pata_jmicron.c | ||
pata_legacy.c | ||
pata_macio.c | ||
pata_marvell.c | ||
pata_mpc52xx.c | ||
pata_mpiix.c | ||
pata_netcell.c | ||
pata_ninja32.c | ||
pata_ns87410.c | ||
pata_ns87415.c | ||
pata_octeon_cf.c | ||
pata_of_platform.c | ||
pata_oldpiix.c | ||
pata_opti.c | ||
pata_optidma.c | ||
pata_palmld.c | ||
pata_pcmcia.c | ||
pata_pdc202xx_old.c | ||
pata_pdc2027x.c | ||
pata_piccolo.c | ||
pata_platform.c | ||
pata_pxa.c | ||
pata_radisys.c | ||
pata_rb532_cf.c | ||
pata_rdc.c | ||
pata_rz1000.c | ||
pata_samsung_cf.c | ||
pata_sc1200.c | ||
pata_scc.c | ||
pata_sch.c | ||
pata_serverworks.c | ||
pata_sil680.c | ||
pata_sis.c | ||
pata_sl82c105.c | ||
pata_triflex.c | ||
pata_via.c | ||
pdc_adma.c | ||
sata_dwc_460ex.c | ||
sata_fsl.c | ||
sata_highbank.c | ||
sata_inic162x.c | ||
sata_mv.c | ||
sata_nv.c | ||
sata_promise.c | ||
sata_promise.h | ||
sata_qstor.c | ||
sata_rcar.c | ||
sata_sil24.c | ||
sata_sil.c | ||
sata_sis.c | ||
sata_svw.c | ||
sata_sx4.c | ||
sata_uli.c | ||
sata_via.c | ||
sata_vsc.c | ||
sis.h |