ide-cd: Do not access completed requests in the irq handler

Message ID	20100703110104.GB25293@liondog.tnic
State	Accepted
Delegated to:	David Miller
Headers	show Return-Path: <linux-ide-owner@vger.kernel.org> Date: Sat, 3 Jul 2010 13:01:04 +0200 From: Borislav Petkov <bp@alien8.de> To: David Miller <davem@davemloft.net> Cc: Andrew Morton <akpm@linux-foundation.org>, Hans Mueller <hans42mueller@googlemail.com>, linux-ide <linux-ide@vger.kernel.org> Subject: [PATCH] ide-cd: Do not access completed requests in the irq handler Message-ID: <20100703110104.GB25293@liondog.tnic> References: <20100619005045.2173fcce@cpc> <20100619100511.GA31429@liondog.tnic> <20100619132708.030fe408@cpc> <20100623080200.GB5010@liondog.tnic> <20100625185846.72171be0@cpc> <20100630065426.GA1857@liondog.tnic> <20100630200254.45ab84d1@cpc> <20100630183138.GA11036@liondog.tnic> <20100703094918.03007437@cbook.fritz.box> <20100703082304.GA25293@liondog.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20100703082304.GA25293@liondog.tnic> User-Agent: Mutt/1.5.20 (2009-06-14) Sender: linux-ide-owner@vger.kernel.org Precedence: bulk

Message ID

20100703110104.GB25293@liondog.tnic

State

Accepted

Delegated to:

David Miller

Headers

Date: Sat, 3 Jul 2010 13:01:04 +0200
From: Borislav Petkov <bp@alien8.de>
To: David Miller <davem@davemloft.net>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Hans Mueller <hans42mueller@googlemail.com>,
	linux-ide <linux-ide@vger.kernel.org>
Subject: [PATCH] ide-cd: Do not access completed requests in the irq handler
Message-ID: <20100703110104.GB25293@liondog.tnic>
References: <20100619005045.2173fcce@cpc>
	<20100619100511.GA31429@liondog.tnic>
	<20100619132708.030fe408@cpc>
	<20100623080200.GB5010@liondog.tnic>
	<20100625185846.72171be0@cpc>
	<20100630065426.GA1857@liondog.tnic>
	<20100630200254.45ab84d1@cpc>
	<20100630183138.GA11036@liondog.tnic>
	<20100703094918.03007437@cbook.fritz.box>
	<20100703082304.GA25293@liondog.tnic>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20100703082304.GA25293@liondog.tnic>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-ide-owner@vger.kernel.org
Precedence: bulk

Commit Message

Borislav Petkov July 3, 2010, 11:01 a.m. UTC

Hi Dave,

this came out as a by-product after debugging
https://bugzilla.kernel.org/show_bug.cgi?id=16142

It fixes the oops at
https://bugzilla.kernel.org/attachment.cgi?id=26776, please apply.

--
From: Borislav Petkov <bp@alien8.de>
Date: Fri, 2 Jul 2010 09:08:09 +0200
Subject: [PATCH] ide-cd: Do not access completed requests in the irq handler

ide_cd_error_cmd() can complete an erroneous request with leftover
buffers. Signal this with its return value so that the request is not
accessed after its completion in the irq handler and we oops.

Cc: <stable@kernel.org> # 32.x 33.x 34.x
Signed-off-by: Borislav Petkov <bp@alien8.de>
---
 drivers/ide/ide-cd.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

Comments

David Miller July 6, 2010, 4:24 a.m. UTC | #1

From: Borislav Petkov <bp@alien8.de>
Date: Sat, 3 Jul 2010 13:01:04 +0200

> this came out as a by-product after debugging
> https://bugzilla.kernel.org/show_bug.cgi?id=16142
> 
> It fixes the oops at
> https://bugzilla.kernel.org/attachment.cgi?id=26776, please apply.
> 
> --
> From: Borislav Petkov <bp@alien8.de>
> Date: Fri, 2 Jul 2010 09:08:09 +0200
> Subject: [PATCH] ide-cd: Do not access completed requests in the irq handler
> 
> ide_cd_error_cmd() can complete an erroneous request with leftover
> buffers. Signal this with its return value so that the request is not
> accessed after its completion in the irq handler and we oops.
> 
> Cc: <stable@kernel.org> # 32.x 33.x 34.x
> Signed-off-by: Borislav Petkov <bp@alien8.de>

Applied, thanks Borislav.
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index 64207df..2de76cc 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -506,15 +506,22 @@  int ide_cd_queue_pc(ide_drive_t *drive, const unsigned char *cmd,
 	return (flags & REQ_FAILED) ? -EIO : 0;
 }
 
-static void ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd)
+/*
+ * returns true if rq has been completed
+ */
+static bool ide_cd_error_cmd(ide_drive_t *drive, struct ide_cmd *cmd)
 {
 	unsigned int nr_bytes = cmd->nbytes - cmd->nleft;
 
 	if (cmd->tf_flags & IDE_TFLAG_WRITE)
 		nr_bytes -= cmd->last_xfer_len;
 
-	if (nr_bytes > 0)
+	if (nr_bytes > 0) {
 		ide_complete_rq(drive, 0, nr_bytes);
+		return true;
+	}
+
+	return false;
 }
 
 static ide_startstop_t cdrom_newpc_intr(ide_drive_t *drive)
@@ -679,7 +686,8 @@  out_end:
 		}
 
 		if (uptodate == 0 && rq->bio)
-			ide_cd_error_cmd(drive, cmd);
+			if (ide_cd_error_cmd(drive, cmd))
+				return ide_stopped;
 
 		/* make sure it's fully ended */
 		if (blk_fs_request(rq) == 0) {

ide-cd: Do not access completed requests in the irq handler

Commit Message

Comments

Patch