[PATCH] libata: clear ap->active_tag atomically w.r.t. command completion

ap->active_tag was cleared in ata_qc_free().  This left ap->active_tag
dangling after ata_qc_complete().  Spurious interrupts inbetween could
incorrectly access the qc.  Clear active_tag in ata_qc_complete().
This change is necessary for later EH changes.

Signed-off-by: Tejun Heo <htejun@gmail.com>

diff --git a/drivers/scsi/libata-core.c b/drivers/scsi/libata-core.c
index 1669dae53ce33a134be4f372591cc081180d5c8b..86cd0e0895d0d372eb1b83c8f923009883e03d5f 100644 (file)
--- a/drivers/scsi/libata-core.c
+++ b/drivers/scsi/libata-core.c
@@ -4083,8 +4083,6 @@ void ata_qc_free(struct ata_queued_cmd *qc)
        qc->flags = 0;
        tag = qc->tag;
        if (likely(ata_tag_valid(tag))) {
-               if (tag == ap->active_tag)
-                       ap->active_tag = ATA_TAG_POISON;
                qc->tag = ATA_TAG_POISON;
                clear_bit(tag, &ap->qactive);
        }
@@ -4098,6 +4096,9 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
        if (likely(qc->flags & ATA_QCFLAG_DMAMAP))
                ata_sg_clean(qc);
 
+       /* command should be marked inactive atomically with qc completion */
+       qc->ap->active_tag = ATA_TAG_POISON;
+
        /* atapi: mark qc as inactive to prevent the interrupt handler
         * from completing the command twice later, before the error handler
         * is called. (when rc != 0 and atapi request sense is needed)