Date: Tue, 08 Mar 2005 11:57:03 +0100
From: Søren Schmidt <sos@DeepCore.dk>
To: Nate Lawson <nate@root.org>
Cc: current@freebsd.org
Subject: Re: patch: fix ata panic with Thinkpad CD and DVD drives
Message-ID: <422D84FF.1010707@DeepCore.dk>
In-Reply-To: <422225D6.5020009@root.org>
References: <422225D6.5020009@root.org>
Nate Lawson wrote:
> If you've been having "memory modified after free" panics on -current and have a Thinkpad, the attached patch should fix things for you. A quick check of RELENG_5 indicates that the bug is probably there also but I haven't tested for it there.
>
> The bug is triggered by timeouts in the ata_getparam() probe path. The ata_timeout() fires and ata_end_transaction() is called to get the status. However, it continues down into ata_pio_read() even though there is no data available since we had a timeout, not read completion. ata_pio_read() reads 512 bytes of probably bogus data. The important problem is that it also advances donecount. On subsequent timeouts (note there are 4 below), donecount advances into unallocated memory and so subsequent ata_pio_read() calls overwrite 512 bytes of someone else's memory.
>
> The fix is to exit immediately if ATA_R_TIMEOUT is set after reading the status in ata_end_transaction(). It shouldn't go into ata_pio_read() if there was a timeout. The patch does this.
>
> However, it only handles PIO timeouts since I wasn't sure the best way to proceed for unwinding DMA state and the like for the other cases. This is enough to fix the overwrite and subsequent panic on my systems. I've run heavy IO stress and DVD accesses for a while and no further panics.
>
> While looking into this, I found another potential problem. In one reinjection case, donecount wasn't reset to 0. The patch for ata-queue.c does this and I think it's necessary but don't hit this case in testing so I can't be sure. Finally, there's one whitespace nit that helps with clarity.
>
> These are similar bugs to one found back in August that had the same effect. Here's the closest reference I could find in the mail archives for this:
> http://lists.freebsd.org/mailman/htdig/freebsd-current/2004-August/033033.html

Just a note from here, these bugs are fixed in ATA mkIII so you could just have gleaned the solution from there (or maybe you did :))

--
-Søren
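The failure mode described in the quoted message, as an added, simplified model rather than the FreeBSD ata(4) source: a completion routine that reads a sector and bumps donecount even when the request timed out, next to one that returns as soon as ATA_R_TIMEOUT is set. The names ATA_R_TIMEOUT, donecount and bytecount follow the message; the struct layout, the flag value, the fake data register and the run_timeouts() harness are assumptions made for the illustration. Instead of actually writing past the buffer, the model records when a write would have landed outside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for the illustration (not the driver's real definitions). */
#define ATA_R_TIMEOUT   0x1
#define DEV_BSIZE       512

struct ata_request {
    uint32_t flags;        /* ATA_R_TIMEOUT is set here by the timeout handler */
    uint8_t *data;         /* caller-supplied buffer */
    size_t   bytecount;    /* size of that buffer */
    size_t   donecount;    /* bytes already transferred into data */
};

/* Model of the device data register: it always "yields" a sector of bytes,
 * even when the transfer timed out and nothing valid is present. */
static void fake_pio_read_sector(uint8_t *dst) {
    memset(dst, 0xA5, DEV_BSIZE);
}

/* Before: the completion path never consults the timeout flag. It reads a
 * sector and advances donecount on every call, so four timeouts on a
 * one-sector buffer push donecount 1536 bytes past its end. The write is
 * skipped here once it would leave the buffer; -1 reports that it would have. */
static int end_transaction_buggy(struct ata_request *req) {
    int in_bounds = req->donecount + DEV_BSIZE <= req->bytecount;
    if (in_bounds)
        fake_pio_read_sector(req->data + req->donecount);
    req->donecount += DEV_BSIZE;           /* advances even on a timeout */
    return in_bounds ? 0 : -1;
}

/* After: a timed-out request is finished immediately. No data is read and
 * donecount is untouched, so repeated timeouts cannot walk off the buffer. */
static int end_transaction_fixed(struct ata_request *req) {
    if (req->flags & ATA_R_TIMEOUT)
        return 0;                          /* device never completed: nothing to read */
    if (req->donecount + DEV_BSIZE > req->bytecount)
        return -1;
    fake_pio_read_sector(req->data + req->donecount);
    req->donecount += DEV_BSIZE;
    return 0;
}

struct outcome {
    size_t donecount;   /* where the request believes the transfer stands */
    int    overran;     /* 1 if any call tried to write outside the buffer */
};

/* Drive one request through `timeouts` consecutive timed-out completions
 * against a single-sector buffer (the identify-data case from the message). */
static struct outcome run_timeouts(int (*end_transaction)(struct ata_request *),
                                   int timeouts) {
    uint8_t buf[DEV_BSIZE];
    struct ata_request req = { ATA_R_TIMEOUT, buf, sizeof buf, 0 };
    struct outcome out = { 0, 0 };
    for (int i = 0; i < timeouts; i++)
        if (end_transaction(&req) < 0)
            out.overran = 1;
    out.donecount = req.donecount;
    return out;
}

int main(void) {
    struct outcome b = run_timeouts(end_transaction_buggy, 4);
    struct outcome f = run_timeouts(end_transaction_fixed, 4);
    printf("buggy: donecount=%zu overran=%d\n", b.donecount, b.overran);
    printf("fixed: donecount=%zu overran=%d\n", f.donecount, f.overran);
    return 0;
}
```

The harness uses four timeouts because that is the count the quoted message reports; with the buggy path the second call already lands beyond the 512-byte buffer, which is the "memory modified after free" corruption seen at the next kernel malloc check.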