archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 02:44:41 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

ata fixes for 7.0-rc2

Browse source 
- The newly introduced feature that issues a deferred (non-NCQ) command
    from a workqueue, forgot to consider the case where the deferred QC
    times out. Fix the code to take timeouts into consideration, which
    avoids a use after free (Damien)
 
  - The newly introduced feature that issues a deferred (non-NCQ) command
    from a workqueue, when unloading the module, calls cancel_work_sync(),
    a function that can sleep, while holding a spin lock. Move the function
    call outside the lock (Damien)
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRN+ES/c4tHlMch3DzJZDGjmcZNcgUCaZ8EIgAKCRDJZDGjmcZN
 cpRxAPwIr05t8DBcuSHXbxexUUtgk3uZ27yirTd1fnDHPJDwjgD+JuquvSZD0Kjv
 sofEpFt6h7sGrExF+dz9wl9rMsehGwk=
 =BNkD
 -----END PGP SIGNATURE-----

Merge tag 'ata-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux

Pull ata fixes from Niklas Cassel:

 - The newly introduced feature that issues a deferred (non-NCQ) command
   from a workqueue, forgot to consider the case where the deferred QC
   times out. Fix the code to take timeouts into consideration, which
   avoids a use after free (Damien)

 - The newly introduced feature that issues a deferred (non-NCQ) command
   from a workqueue, when unloading the module, calls cancel_work_sync(),
   a function that can sleep, while holding a spin lock. Move the function
   call outside the lock (Damien)

* tag 'ata-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/libata/linux:
  ata: libata-core: fix cancellation of a port deferred qc work
  ata: libata-eh: correctly handle deferred qc timeouts
This commit is contained in:
Linus Torvalds 2026-02-25 10:41:14 -08:00
commit d9d32e5bd5
2 changed files with 22 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

8
drivers/ata/libata-core.c
View file

@ -6269,10 +6269,6 @@ static void ata_port_detach(struct ata_port *ap)
}
}
/* Make sure the deferred qc work finished. */
cancel_work_sync(&ap->deferred_qc_work);
WARN_ON(ap->deferred_qc);
/* Tell EH to disable all devices */
ap->pflags |= ATA_PFLAG_UNLOADING;
ata_port_schedule_eh(ap);
@ -6283,9 +6279,11 @@ static void ata_port_detach(struct ata_port *ap)
/* wait till EH commits suicide */
ata_port_wait_eh(ap);
/* it better be dead now */
/* It better be dead now and not have any remaining deferred qc. */
WARN_ON(!(ap->pflags & ATA_PFLAG_UNLOADED));
WARN_ON(ap->deferred_qc);
cancel_work_sync(&ap->deferred_qc_work);
cancel_delayed_work_sync(&ap->hotplug_task);
cancel_delayed_work_sync(&ap->scsi_rescan_task);

22
drivers/ata/libata-eh.c
View file

@ -640,12 +640,28 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
set_host_byte(scmd, DID_OK);
ata_qc_for_each_raw(ap, qc, i) {
if (qc->flags & ATA_QCFLAG_ACTIVE &&
qc->scsicmd == scmd)
if (qc->scsicmd != scmd)
continue;
if ((qc->flags & ATA_QCFLAG_ACTIVE) ||
qc == ap->deferred_qc)
break;
}
if (i < ATA_MAX_QUEUE) {
if (qc == ap->deferred_qc) {
/*
* This is a deferred command that timed out while
* waiting for the command queue to drain. Since the qc
* is not active yet (deferred_qc is still set, so the
* deferred qc work has not issued the command yet),
* simply signal the timeout by finishing the SCSI
* command and clear the deferred qc to prevent the
* deferred qc work from issuing this qc.
*/
WARN_ON_ONCE(qc->flags & ATA_QCFLAG_ACTIVE);
ap->deferred_qc = NULL;
set_host_byte(scmd, DID_TIME_OUT);
scsi_eh_finish_cmd(scmd, &ap->eh_done_q);
} else if (i < ATA_MAX_QUEUE) {
/* the scmd has an associated qc */
if (!(qc->flags & ATA_QCFLAG_EH)) {
/* which hasn't failed yet, timeout */