From: Alan Cox

Michal Miroslaw reported a problem (bugzilla #7023) where a user initiated reset while the IDE layer was already resetting the channel caused a crash, and provided a rough fix. This is a slightly cleaner version of the fix which tracks the reset state and blocks further reset requests while a reset is in progress. Note this is not a security issue - random end users can't access the ioctl in question anyway.

Signed-off-by: Alan Cox
Cc: Michal Miroslaw
Signed-off-by: Andrew Morton
---
 drivers/ide/ide-iops.c | 4 ++++
 drivers/ide/ide.c | 5 +++++
 include/linux/ide.h | 3 +++
 3 files changed, 12 insertions(+)

diff -puN drivers/ide/ide-iops.c~ide-fix-crash-on-repeated-reset drivers/ide/ide-iops.c
--- a/drivers/ide/ide-iops.c~ide-fix-crash-on-repeated-reset
+++ a/drivers/ide/ide-iops.c
@@ -998,6 +998,7 @@ static ide_startstop_t atapi_reset_pollf
 }
 /* done polling */
 hwgroup->polling = 0;
+ hwgroup->resetting = 0;
 return ide_stopped;
 }
@@ -1057,6 +1058,7 @@ static ide_startstop_t reset_pollfunc (i
 }
 }
 hwgroup->polling = 0; /* done polling */
+ hwgroup->resetting = 0; /* done reset attempt */
 return ide_stopped;
 }
@@ -1143,6 +1145,7 @@ static ide_startstop_t do_reset1 (ide_dr
 /* For an ATAPI device, first try an ATAPI SRST. */
 if (drive->media != ide_disk && !do_not_try_atapi) {
+ hwgroup->resetting = 1;
 pre_reset(drive);
 SELECT_DRIVE(drive);
 udelay (20);
@@ -1168,6 +1171,7 @@ static ide_startstop_t do_reset1 (ide_dr
 return ide_stopped;
 }
+ hwgroup->resetting = 1;
 /*
 * Note that we also set nIEN while resetting the device,
 * to mask unwanted interrupts from the interface during the reset.
diff -puN drivers/ide/ide.c~ide-fix-crash-on-repeated-reset drivers/ide/ide.c
--- a/drivers/ide/ide.c~ide-fix-crash-on-repeated-reset
+++ a/drivers/ide/ide.c
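Review bot: `hwgroup->resetting = 0;` is cleared only on the final `return ide_stopped` of atapi_reset_pollfunc in the first hunk, and likewise in the reset_pollfunc hunk that follows; both functions begin outside their hunks, so their other exits cannot be checked from this page. If either has an earlier path that returns `ide_stopped` without falling through to this line, the flag stays set and the new check in generic_ide_ioctl answers every later reset request with -EBUSY. Each stopping exit should be confirmed to clear the flag, and the clear sites would benefit from a comment such as `/* pairs with resetting = 1 in do_reset1() */`.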
@@ -1364,6 +1364,11 @@ int generic_ide_ioctl(ide_drive_t *drive
 spin_lock_irqsave(&ide_lock, flags);
+ if (HWGROUP(drive)->resetting) {
+ spin_unlock_irqrestore(&ide_lock, flags);
+ return -EBUSY;
+ }
+
 ide_abort(drive, "drive reset");
 BUG_ON(HWGROUP(drive)->handler);
diff -puN include/linux/ide.h~ide-fix-crash-on-repeated-reset include/linux/ide.h
--- a/include/linux/ide.h~ide-fix-crash-on-repeated-reset
+++ a/include/linux/ide.h
@@ -825,6 +825,9 @@ typedef struct hwgroup_s {
 unsigned int sleeping : 1;
 /* BOOL: polling active & poll_timeout field valid */
 unsigned int polling : 1;
+ /* BOOL: in a polling reset situation. Must not trigger another reset yet */
+ unsigned resetting : 1;
+
 /* current drive */
 ide_drive_t *drive;
 /* ptr to current hwif in linked-list */
_
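Review bot: The test of `HWGROUP(drive)->resetting` runs under ide_lock, but the flag is only set later in do_reset1 (ide-iops.c), so the guard is check-then-act. If ide_lock is dropped between this test and that assignment, which the hunk does not show, two callers could both pass the test before either marks the reset as started. Setting the flag in the same critical section as the test would close that window, though do_reset1's early `return ide_stopped` path would then have to clear it. generic_ide_ioctl's body continues outside the hunk.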
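Review bot: `unsigned resetting : 1;` is declared as plain `unsigned` while the neighbouring flags use `unsigned int`; `unsigned int resetting : 1;` would match them. The new bit sits directly after `sleeping` and `polling`, so it most likely shares their storage unit and every write to it is a read-modify-write that also touches those two flags. The comment should therefore name the lock that writers must hold, for example `/* BOOL: reset in progress, protected by ide_lock */`, if that is indeed the rule. The struct continues outside the hunk.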