From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com,
Eric Biggers <ebiggers@google.com>, Tejun Heo <tj@kernel.org>
Subject: [PATCH 4.9 16/67] libata: dont try to pass through NCQ commands to non-NCQ devices
Date: Tue, 27 Mar 2018 18:27:08 +0200 [thread overview]
Message-ID: <20180327162727.589082775@linuxfoundation.org> (raw)
In-Reply-To: <20180327162726.702411083@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 2c1ec6fda2d07044cda922ee25337cf5d4b429b3 upstream.
syzkaller hit a WARN() in ata_bmdma_qc_issue() when writing to /dev/sg0.
This happened because it issued an ATA pass-through command (ATA_16)
where the protocol field indicated that NCQ should be used -- but the
device did not support NCQ.
We could just remove the WARN() from libata-sff.c, but the real problem
seems to be that the SCSI -> ATA translation code passes through NCQ
commands without verifying that the device actually supports NCQ.
Fix this by adding the appropriate check to ata_scsi_pass_thru().
Here's reproducer that works in QEMU when /dev/sg0 refers to a disk of
the default type ("82371SB PIIX3 IDE"):
#include <fcntl.h>
#include <unistd.h>
int main()
{
char buf[53] = { 0 };
buf[36] = 0x85; /* ATA_16 */
buf[37] = (12 << 1); /* FPDMA */
buf[38] = 0x1; /* Has data */
buf[51] = 0xC8; /* ATA_CMD_READ */
write(open("/dev/sg0", O_RDWR), buf, sizeof(buf));
}
Fixes: ee7fb331c3ac ("libata: add support for NCQ commands for SG interface")
Reported-by: syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-scsi.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3226,6 +3226,12 @@ static unsigned int ata_scsi_pass_thru(s
goto invalid_fld;
}
+ /* We may not issue NCQ commands to devices not supporting NCQ */
+ if (ata_is_ncq(tf->protocol) && !ata_ncq_enabled(dev)) {
+ fp = 1;
+ goto invalid_fld;
+ }
+
/* sanity check for pio multi commands */
if ((cdb[1] & 0xe0) && !is_multi_taskfile(tf)) {
fp = 1;
next prev parent reply other threads:[~2018-03-27 16:27 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-27 16:26 [PATCH 4.9 00/67] 4.9.91-stable review Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 01/67] MIPS: ralink: Remove ralink_halt() Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 02/67] iio: st_pressure: st_accel: pass correct platform data to init Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 03/67] ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 04/67] ALSA: aloop: Sync stale timer before release Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 05/67] ALSA: aloop: Fix access to not-yet-ready substream via cable Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 06/67] ALSA: hda/realtek - Always immediately update mute LED with pin VREF Greg Kroah-Hartman
2018-03-27 16:26 ` [PATCH 4.9 07/67] mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 08/67] PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 09/67] ahci: Add PCI-id for the Highpoint Rocketraid 644L card Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 10/67] clk: bcm2835: Fix ana->maskX definitions Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 11/67] clk: bcm2835: Protect sections updating shared registers Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 12/67] clk: sunxi-ng: a31: Fix CLK_OUT_* clock ops Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 13/67] Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 14/67] libata: fix length validation of ATAPI-relayed SCSI commands Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 15/67] libata: remove WARN() for DMA or PIO command without data Greg Kroah-Hartman
2018-03-27 16:27 ` Greg Kroah-Hartman [this message]
2018-03-27 16:27 ` [PATCH 4.9 17/67] libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 18/67] libata: disable LPM for Crucial BX100 SSD 500GB drive Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 19/67] libata: Enable queued TRIM for Samsung SSD 860 Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 20/67] libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 21/67] libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 22/67] libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 23/67] nfsd: remove blocked locks on client teardown Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 24/67] mm/vmalloc: add interfaces to free unmapped page table Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 25/67] x86/mm: implement free pmd/pte page interfaces Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 26/67] mm/khugepaged.c: convert VM_BUG_ON() to collapse fail Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 27/67] mm/thp: do not wait for lock_page() in deferred_split_scan() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 28/67] mm/shmem: do not wait for lock_page() in shmem_unused_huge_shrink() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 29/67] drm/vmwgfx: Fix a destoy-while-held mutex problem Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 30/67] drm/radeon: Dont turn off DP sink when disconnected Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 31/67] drm: udl: Properly check framebuffer mmap offsets Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 32/67] acpi, numa: fix pxm to online numa node associations Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 33/67] ACPI / watchdog: Fix off-by-one error at resource assignment Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 34/67] libnvdimm, {btt, blk}: do integrity setup before add_disk() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 35/67] brcmfmac: fix P2P_DEVICE ethernet address generation Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 36/67] rtlwifi: rtl8723be: Fix loss of signal Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 37/67] tracing: probeevent: Fix to support minus offset from symbol Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 38/67] mtdchar: fix usage of mtd_ooblayout_ecc() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 39/67] mtd: nand: fsl_ifc: Fix nand waitfunc return value Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 40/67] mtd: nand: fsl_ifc: Fix eccstat array overflow for IFC ver >= 2.0.0 Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 41/67] mtd: nand: fsl_ifc: Read ECCSTAT0 and ECCSTAT1 registers for IFC 2.0 Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 42/67] staging: ncpfs: memory corruption in ncp_read_kernel() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 43/67] can: ifi: Repair the error handling Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 44/67] can: ifi: Check core revision upon probe Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 45/67] can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 46/67] can: cc770: Fix queue stall & dropped RTR reply Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 47/67] can: cc770: Fix use after free in cc770_tx_interrupt() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 48/67] tty: vt: fix up tabstops properly Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 49/67] selftests/x86/ptrace_syscall: Fix for yet more glibc interference Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 50/67] kvm/x86: fix icebp instruction handling Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 51/67] x86/build/64: Force the linker to use 2MB page size Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 52/67] x86/boot/64: Verify alignment of the LOAD segment Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 53/67] x86/entry/64: Dont use IST entry for #BP stack Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 54/67] perf/x86/intel/uncore: Fix Skylake UPI event format Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 55/67] perf stat: Fix CVS output format for non-supported counters Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 56/67] perf/x86/intel: Dont accidentally clear high bits in bdw_limit_period() Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 57/67] perf/x86/intel/uncore: Fix multi-domain PCI CHA enumeration bug on Skylake servers Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 58/67] iio: ABI: Fix name of timestamp sysfs file Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 59/67] staging: lustre: ptlrpc: kfree used instead of kvfree Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 60/67] selftests, x86, protection_keys: fix wrong offset in siginfo Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 61/67] selftests/x86/protection_keys: Fix syscall NR redefinition warnings Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 62/67] signal/testing: Dont look for __SI_FAULT in userspace Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 63/67] x86/pkeys/selftests: Rename si_pkey to siginfo_pkey Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 64/67] selftests: x86: sysret_ss_attrs doesnt build on a PIE build Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 65/67] kbuild: disable clangs default use of -fmerge-all-constants Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 66/67] bpf: skip unnecessary capability check Greg Kroah-Hartman
2018-03-27 16:27 ` [PATCH 4.9 67/67] bpf, x64: increase number of passes Greg Kroah-Hartman
2018-03-27 22:58 ` [PATCH 4.9 00/67] 4.9.91-stable review Shuah Khan
2018-03-28 0:21 ` kernelci.org bot
2018-03-28 1:35 ` Dan Rue
2018-03-28 8:21 ` Greg Kroah-Hartman
2018-03-28 15:50 ` Dan Rue
2018-03-28 16:21 ` Greg Kroah-Hartman
2018-03-28 18:28 ` Dan Rue
2018-03-28 19:24 ` Greg Kroah-Hartman
2018-03-28 14:04 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180327162727.589082775@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox