linux_dsm_epyc7002/drivers
David Jeffery ce75145267 libata: prevent HSM state change race between ISR and PIO
It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().

This problem is hard to reproduce making this patch hard to verify, but this
fix will prevent the race.

I have not been able to reproduce the problem, but here is a crash dump from
a 2.6.32 kernel.

On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:

crash> struct ata_port.hsm_task_state ffff881c1121c000
  hsm_task_state = 0

Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.

PID: 11053  TASK: ffff8816e846cae0  CPU: 0   COMMAND: "sshd"
 #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
 #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
 #2 [ffff88008ba03a90] oops_end at ffffffff8152b510
 #3 [ffff88008ba03ac0] die at ffffffff81010e0b
 #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
 #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
 #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
    [exception RIP: ata_sff_hsm_move+317]
    RIP: ffffffff813a77ad  RSP: ffff88008ba03ca0  RFLAGS: 00010097
    RAX: 0000000000000000  RBX: ffff881c1121dc60  RCX: 0000000000000000
    RDX: ffff881c1121dd10  RSI: ffff881c1121dc60  RDI: ffff881c1121c000
    RBP: ffff88008ba03d00   R8: 0000000000000000   R9: 000000000000002e
    R10: 000000000001003f  R11: 000000000000009b  R12: ffff881c1121c000
    R13: 0000000000000000  R14: 0000000000000050  R15: ffff881c1121dd78
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
 #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
 #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
--- <IRQ stack> ---
    [exception RIP: pipe_poll+48]
    RIP: ffffffff81192780  RSP: ffff880f26d459b8  RFLAGS: 00000246
    RAX: 0000000000000000  RBX: ffff880f26d459c8  RCX: 0000000000000000
    RDX: 0000000000000001  RSI: 0000000000000000  RDI: ffff881a0539fa80
    RBP: ffffffff8100bb8e   R8: ffff8803b23324a0   R9: 0000000000000000
    R10: ffff880f26d45dd0  R11: 0000000000000008  R12: ffffffff8109b646
    R13: ffff880f26d45948  R14: 0000000000000246  R15: 0000000000000246
    ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
    RIP: 00007f26017435c3  RSP: 00007fffe020c420  RFLAGS: 00000206
    RAX: 0000000000000017  RBX: ffffffff8100b072  RCX: 00007fffe020c45c
    RDX: 00007f2604a3f120  RSI: 00007f2604a3f140  RDI: 000000000000000d
    RBP: 0000000000000000   R8: 00007fffe020e570   R9: 0101010101010101
    R10: 0000000000000000  R11: 0000000000000246  R12: 00007fffe020e5f0
    R13: 00007fffe020e5f4  R14: 00007f26045f373c  R15: 00007fffe020e5e0
    ORIG_RAX: 0000000000000017  CS: 0033  SS: 002b

Somewhere between the ata_sff_hsm_move() check and the ata_sff_host_intr() check, the value changed.
On examining the other cpus to see what else was running, another cpu was running the error handler
routines:

PID: 326    TASK: ffff881c11014aa0  CPU: 1   COMMAND: "scsi_eh_1"
 #0 [ffff88008ba27e90] crash_nmi_callback at ffffffff8102fee6
 #1 [ffff88008ba27ea0] notifier_call_chain at ffffffff8152d515
 #2 [ffff88008ba27ee0] atomic_notifier_call_chain at ffffffff8152d57a
 #3 [ffff88008ba27ef0] notify_die at ffffffff810a154e
 #4 [ffff88008ba27f20] do_nmi at ffffffff8152b1db
 #5 [ffff88008ba27f50] nmi at ffffffff8152aaa0
    [exception RIP: _spin_lock_irqsave+47]
    RIP: ffffffff8152a1ff  RSP: ffff881c11a73aa0  RFLAGS: 00000006
    RAX: 0000000000000001  RBX: ffff881c1121deb8  RCX: 0000000000000000
    RDX: 0000000000000246  RSI: 0000000000000020  RDI: ffff881c122612d8
    RBP: ffff881c11a73aa0   R8: ffff881c17083800   R9: 0000000000000000
    R10: 0000000000000000  R11: 0000000000000000  R12: ffff881c1121c000
    R13: 000000000000001f  R14: ffff881c1121dd50  R15: ffff881c1121dc60
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
--- <NMI exception stack> ---
 #6 [ffff881c11a73aa0] _spin_lock_irqsave at ffffffff8152a1ff
 #7 [ffff881c11a73aa8] ata_exec_internal_sg at ffffffff81396fb5
 #8 [ffff881c11a73b58] ata_exec_internal at ffffffff81397109
 #9 [ffff881c11a73bd8] atapi_eh_request_sense at ffffffff813a34eb

Before it tried to acquire a spinlock, ata_exec_internal_sg() called ata_sff_flush_pio_task().
This function will set ap->hsm_task_state to HSM_ST_IDLE, and has no locking around setting this
value. ata_sff_flush_pio_task() can then race with the interrupt handler and potentially set
HSM_ST_IDLE at a fatal moment, which will trigger a kernel BUG.

v2: Fixup comment in ata_sff_flush_pio_task()

tj: Further updated comment.  Use ap->lock instead of shost lock and
    use the [un]lock_irq variant instead of the irqsave/restore one.

Signed-off-by: David Milburn <dmilburn@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
2015-01-19 14:11:23 -05:00
..
accessibility
acpi Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-19 14:02:02 -08:00
amba Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
android
ata libata: prevent HSM state change race between ISR and PIO 2015-01-19 14:11:23 -05:00
atm Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
auxdisplay
base More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
bcma Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-12-11 17:56:37 -08:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2014-12-17 16:03:12 -08:00
bluetooth Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2014-12-15 13:23:09 -05:00
bus Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
cdrom
char Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2014-12-15 15:52:01 -08:00
clk Please consider pulling the clk framework changes toward 3.19. It is 2014-12-20 16:42:36 -08:00
clocksource Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-12-11 17:56:37 -08:00
connector
coresight
cpufreq Update/Remove soon-to-be-dead email address 2014-12-19 12:56:15 -08:00
cpuidle powerpc updates for 3.19 batch 2 2014-12-19 12:57:45 -08:00
crypto Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
dca
devfreq
dio
dma Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
dma-buf
edac Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
eisa
extcon Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
firewire firewire: sbp2: replace card lock by target lock 2014-12-10 20:53:21 +01:00
firmware Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
fmc
gpio Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
gpu Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-12-12 10:26:47 -08:00
hsi * misc. fixes in omap-ssi and nokia-modem drivers 2014-12-15 17:33:47 -08:00
hv Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
hwmon Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2014-12-17 10:16:27 -08:00
hwspinlock
i2c Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2014-12-20 13:52:52 -08:00
ide Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
idle
iio Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00
infiniband SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2014-12-17 10:06:02 -08:00
iommu Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-19 14:02:02 -08:00
ipack
irqchip Merge branch 'irq-irqdomain-arm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-15 17:30:09 -08:00
isdn Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2014-12-12 10:08:06 -08:00
leds More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
lguest virtio: allow finalize_features to fail 2014-12-09 16:32:32 +02:00
macintosh macintosh: therm_pm72: delete deprecated driver 2014-12-19 19:32:47 +01:00
mailbox Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
mcb
md Three fixes for md 2014-12-14 12:13:05 -08:00
media More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
memory MTD updates for 3.19: 2014-12-17 09:59:26 -08:00
memstick
message
mfd Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
misc powerpc updates for 3.19 batch 2 2014-12-19 12:57:45 -08:00
mmc More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
mtd MTD updates for 3.19: 2014-12-17 09:59:26 -08:00
net Main batch of InfiniBand/RDMA changes for 3.19: 2014-12-18 20:10:44 -08:00
nfc More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
ntb
nubus
of ARM: SoC/iommu configuration for 3.19 2014-12-16 14:53:01 -08:00
oprofile
parisc
parport Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
pci Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-19 14:02:02 -08:00
pcmcia Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
phy More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
pinctrl Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
platform platform-drivers-x86 for 3.19 2014-12-18 20:24:55 -08:00
pnp
power More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v3.19-rc1 2014-12-17 10:10:51 -08:00
rapidio
ras
regulator Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
remoteproc Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
reset Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
rpmsg
rtc Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
s390 Driver core patches for 3.19-rc1 2014-12-14 16:10:09 -08:00
sbus
scsi SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
sfi
sh drivers: sh / PM: Replace CONFIG_PM_RUNTIME with CONFIG_PM 2014-12-05 03:08:24 +01:00
sn
soc Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2014-12-15 15:52:01 -08:00
spi spi: Replace CONFIG_PM_RUNTIME with CONFIG_PM 2014-12-19 15:25:31 +01:00
spmi
ssb Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-12-11 17:56:37 -08:00
staging Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-12-19 18:19:19 -08:00
target SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
tc
thermal Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-19 13:29:20 -08:00
thunderbolt
tty tty: 8250_omap: Replace CONFIG_PM_RUNTIME with CONFIG_PM 2014-12-19 15:27:58 +01:00
uio Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
usb SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
uwb
vfio VFIO updates for v3.19-rc1 2014-12-17 10:44:22 -08:00
vhost vhost/virtio: virtio 1.0 related fixes 2014-12-18 20:50:30 -08:00
video More ACPI and power management updates for 3.19-rc1 2014-12-18 20:28:33 -08:00
virt
virtio vhost/virtio: virtio 1.0 related fixes 2014-12-18 20:50:30 -08:00
vlynq
vme
w1 Char/Misc driver patches for 3.19-rc1 2014-12-14 16:43:47 -08:00
watchdog watchdog: imx2_wdt: Fix the argument of watchdog_active() 2014-12-18 16:01:20 +01:00
xen Merge remote-tracking branch 'scsi-queue/drivers-for-3.19' into for-linus 2014-12-18 05:56:29 -08:00
zorro
Kconfig Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00
Makefile Staging patches for 3.19-rc1 2014-12-15 18:06:13 -08:00