Commit d9d32e5b authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'ata-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux 

Pull ata fixes from Niklas Cassel:

 - The newly introduced feature that issues a deferred (non-NCQ) command
   from a workqueue, forgot to consider the case where the deferred QC
   times out. Fix the code to take timeouts into consideration, which
   avoids a use after free (Damien)

 - The newly introduced feature that issues a deferred (non-NCQ) command
   from a workqueue, when unloading the module, calls cancel_work_sync(),
   a function that can sleep, while holding a spin lock. Move the function
   call outside the lock (Damien)

* tag 'ata-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
  ata: libata-core: fix cancellation of a port deferred qc work
  ata: libata-eh: correctly handle deferred qc timeouts
parents 0e335a77 55db0099

drivers/ata/libata-core.c

+3 −5
Original line number Diff line number Diff line
@@ -6269,10 +6269,6 @@ static void ata_port_detach(struct ata_port *ap) 
		}

	}



	/* Make sure the deferred qc work finished. */

	cancel_work_sync(&ap->deferred_qc_work);

	WARN_ON(ap->deferred_qc);



	/* Tell EH to disable all devices */

	ap->pflags |= ATA_PFLAG_UNLOADING;

	ata_port_schedule_eh(ap);
@@ -6283,9 +6279,11 @@ static void ata_port_detach(struct ata_port *ap) 
	/* wait till EH commits suicide */

	ata_port_wait_eh(ap);



	/* it better be dead now */

	/* It better be dead now and not have any remaining deferred qc. */

	WARN_ON(!(ap->pflags & ATA_PFLAG_UNLOADED));

	WARN_ON(ap->deferred_qc);



	cancel_work_sync(&ap->deferred_qc_work);

	cancel_delayed_work_sync(&ap->hotplug_task);

	cancel_delayed_work_sync(&ap->scsi_rescan_task);

drivers/ata/libata-eh.c

+19 −3
Original line number Diff line number Diff line
@@ -640,12 +640,28 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap, 
		set_host_byte(scmd, DID_OK);



		ata_qc_for_each_raw(ap, qc, i) {

			if (qc->flags & ATA_QCFLAG_ACTIVE &&

			    qc->scsicmd == scmd)

			if (qc->scsicmd != scmd)

				continue;

			if ((qc->flags & ATA_QCFLAG_ACTIVE) ||

			    qc == ap->deferred_qc)

				break;

		}



		if (i < ATA_MAX_QUEUE) {

		if (qc == ap->deferred_qc) {

			/*

			 * This is a deferred command that timed out while

			 * waiting for the command queue to drain. Since the qc

			 * is not active yet (deferred_qc is still set, so the

			 * deferred qc work has not issued the command yet),

			 * simply signal the timeout by finishing the SCSI

			 * command and clear the deferred qc to prevent the

			 * deferred qc work from issuing this qc.

			 */

			WARN_ON_ONCE(qc->flags & ATA_QCFLAG_ACTIVE);

			ap->deferred_qc = NULL;

			set_host_byte(scmd, DID_TIME_OUT);

			scsi_eh_finish_cmd(scmd, &ap->eh_done_q);

		} else if (i < ATA_MAX_QUEUE) {

			/* the scmd has an associated qc */

			if (!(qc->flags & ATA_QCFLAG_EH)) {

				/* which hasn't failed yet, timeout */