Date:	Mon, 05 Apr 2010 18:17:43 +0900
From:	Tejun Heo <tj@...nel.org>
To:	"David S. Miller" <davem@...emloft.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	lkml <linux-kernel@...r.kernel.org>,
	Bartlomiej Zolnierkiewicz <bzolnier@...il.com>
Subject: [PATCH ide#master] ide: clean up timed out request handling

8f6205cd572fece673da0255d74843680f67f879 introduced a bug where a
timed out DMA request is never requeued and lost.
6072f7491f5ef391a575e18a1165e72a3eef1601 fixed this by making
ide_dma_timeout_retry() requeue the request itself.  While the fix is
correct, it makes DMA and non-DMA paths asymmetric regarding how the
in flight request is requeued.

As long as hwif->rq is set, the IDE driver is assuming ownership of
the request and the request should either be completed or requeued
when clearing hwif->rq.  In the timeout path, the ide driver holds
onto the request as long as the recovery action (ie. reset) is in
progress and clears it after the state machine is stopped (ide_stopped
return), so the existing requeueing logic is correct.  The bug
occurred because ide_dma_timeout_retry() explicitly clears hwif->rq
without requeueing it.

ide_dma_timeout_retry() is called only by ide_timer_expiry() and
returns ide_started only when ide_error() would return it - ie. after
reset state machine has started in which case the state machine will
eventually end up executing the ide_stopped path in ide_timer_expiry()
after reset protocol is complete.  So, there is no need to clear
hwif->rq from ide_dma_timeout_retry().  ide_timer_expiry() will handle
it the same way as PIO timeout path.

Kill hwif->rq clearing and requeueing from ide_dma_timeout_retry() and
let ide_timer_expiry() deal with it.  The end result should remain the
same.

grepping shows ide_dma_timeout_retry() is the only site which clears
hwif->rq without taking care of the request, so there shouldn't be
similar fallouts.

Signed-off-by: Tejun Heo <tj@...nel.org>
Cc: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Bartlomiej Zolnierkiewicz <bzolnier@...il.com>
---
Herbert, can you please test this survives your test case?

Thanks.

 drivers/ide/ide-dma.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/ide/ide-dma.c b/drivers/ide/ide-dma.c
index fd40a81..963bc8b 100644
--- a/drivers/ide/ide-dma.c
+++ b/drivers/ide/ide-dma.c
@@ -448,7 +448,6 @@ ide_startstop_t ide_dma_timeout_retry(ide_drive_t *drive, int error)
 	ide_hwif_t *hwif = drive->hwif;
 	const struct ide_dma_ops *dma_ops = hwif->dma_ops;
 	struct ide_cmd *cmd = &hwif->cmd;
-	struct request *rq;
 	ide_startstop_t ret = ide_stopped;

 	/*
@@ -486,14 +485,10 @@ ide_startstop_t ide_dma_timeout_retry(ide_drive_t *drive, int error)
 	ide_dma_off_quietly(drive);

 	/*
-	 * un-busy drive etc and make sure request is sane
+	 * make sure request is sane
 	 */
-	rq = hwif->rq;
-	if (rq) {
-		hwif->rq = NULL;
-		rq->errors = 0;
-		ide_requeue_and_plug(drive, rq);
-	}
+	if (hwif->rq)
+		hwif->rq->errors = 0;
 	return ret;
 }
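
Review bot: The shortened comment in the second hunk ("make sure request is sane") no longer explains the ownership rule that the commit message relies on, namely that hwif->rq is deliberately left set here so that the ide_stopped path in ide_timer_expiry() requeues it. Without that, a later reader could reintroduce the bare "hwif->rq = NULL" that lost the request in the first place. Consider expanding the comment to say that the request stays owned by hwif and is requeued by ide_timer_expiry(), and that only rq->errors is reset at this point. It is also worth stating, in the comment or the changelog, why "hwif->rq->errors = 0" still belongs in this function rather than next to the requeue in ide_timer_expiry(), since on the ide_started return the request is not requeued until the reset state machine has finished.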
