From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Christian Lamparter <chunkeey@gmail.com>
Cc: linux-ide@vger.kernel.org,
Damien Le Moal <damien.lemoal@opensource.wdc.com>,
Jens Axboe <axboe@kernel.dk>, Tejun Heo <tj@kernel.org>
Subject: Re: [PATCH v1 1/2] ata: sata_dwc_460ex: Fix crash due to OOB write
Date: Fri, 18 Mar 2022 16:16:40 +0200 [thread overview]
Message-ID: <YjSUSJV2FZy1yjN3@smile.fi.intel.com> (raw)
In-Reply-To: <ba068938e629eb1a8b423a54405233e685cedb78.1647594132.git.chunkeey@gmail.com>
On Fri, Mar 18, 2022 at 10:03:11AM +0100, Christian Lamparter wrote:
> the driver uses libata's "tag" values from in various arrays.
> Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32,
> the value of the SATA_DWC_QCMD_MAX needs to be bumped to 33.
>
> Otherwise ATA_TAG_INTERNAL cause a crash like this:
>
> | BUG: Kernel NULL pointer dereference at 0x00000000
> | Faulting instruction address: 0xc03ed4b8
> | Oops: Kernel access of bad area, sig: 11 [#1]
> | BE PAGE_SIZE=4K PowerPC 44x Platform
> | CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
> | NIP: c03ed4b8 LR: c03d27e8 CTR: c03ed36c
> | REGS: cfa59950 TRAP: 0300 Not tainted (5.4.163)
> | MSR: 00021000 <CE,ME> CR: 42000222 XER: 00000000
> | DEAR: 00000000 ESR: 00000000
> | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
> | [..]
> | NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
> | LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
> | Call Trace:
> | [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
> | [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
> | [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
> | [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
> | [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
> | [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
> | [...]
>
> this is because sata_dwc_dma_xfer_complete() NULLs the
> dma_pending's next neighbour "chan" (a *dma_chan struct) in
> this '32' case right here (line ~735):
> > hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;
>
> Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes
> the NULL'd hsdevp->chan to the dmaengine_slave_config() which then
> causes the crash.
...
> ticerex said when I've asked him about his real name+email for the patches:
> "Please use my forum nick."
> <https://forum.openwrt.org/t/my-book-live-duo-reboot-loop/122464/14>
> (I know checkpatch.pl complains about that. But what can you do?)
I think Reported-by: is fine to have any kind of reference to the reporter.
I can consider it false positive.
...
> -#define SATA_DWC_QCMD_MAX 32
> +#define SATA_DWC_QCMD_MAX 33
Can't we use
#define SATA_DWC_QCMD_MAX (ATA_TAG_INTERNAL + 1)
instead?
--
With Best Regards,
Andy Shevchenko
next prev parent reply other threads:[~2022-03-18 14:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-18 9:03 [PATCH v1 1/2] ata: sata_dwc_460ex: Fix crash due to OOB write Christian Lamparter
2022-03-18 9:03 ` [PATCH v1 2/2] ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs Christian Lamparter
2022-03-18 9:47 ` Damien Le Moal
2022-03-18 14:20 ` Andy Shevchenko
2022-03-18 9:34 ` [PATCH v1 1/2] ata: sata_dwc_460ex: Fix crash due to OOB write Damien Le Moal
2022-03-18 11:43 ` Christian Lamparter
2022-03-19 0:04 ` Damien Le Moal
2022-03-18 14:16 ` Andy Shevchenko [this message]
2022-03-18 18:06 ` Christian Lamparter
2022-03-19 0:00 ` Damien Le Moal
2022-03-19 0:13 ` Damien Le Moal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YjSUSJV2FZy1yjN3@smile.fi.intel.com \
--to=andriy.shevchenko@linux.intel.com \
--cc=axboe@kernel.dk \
--cc=chunkeey@gmail.com \
--cc=damien.lemoal@opensource.wdc.com \
--cc=linux-ide@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.