From owner-freebsd-bugs@FreeBSD.ORG Tue May 24 20:40:02 2005
Message-Id:
 <200505242039.j4OKd4fN080184@www.freebsd.org>
Date: Tue, 24 May 2005 20:39:04 GMT
From: Sean McNeil
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/81450: ATAPI support broken in -STABLE

>Number: 81450
>Category: kern
>Synopsis: ATAPI support broken in -STABLE
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 24 20:40:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Sean McNeil
>Release: 5.4-STABLE
>Organization: Sean McNeil Consulting, Inc
>Environment:
FreeBSD server.mcneil.com 5.4-STABLE FreeBSD 5.4-STABLE #25: Sun May 22 15:35:15 PDT 2005 root@server.mcneil.com:/usr/obj/usr/src/sys/AMD64 amd64
>Description:
ata-queue.c:ata_completed() will issue a sense request when it encounters an ATAPI error. This request fails to zero out the donecount which causes corruption of memory. On amd64, it overwrites the callback value and crashes the computer.
>How-To-Repeat:
Try to burn a CD from nautilus. Since nautilus just invokes cdrecord, it should cause the same result by running cdrecord from a command line.
>Fix:
The following patch fixes the crash:

--- sys/dev/ata/ata-queue.c.orig Sun May 22 15:28:03 2005 +++ sys/dev/ata/ata-queue.c Sun May 22 15:28:27 2005 @@ -340,6 +340,7 @@ request->data = (caddr_t)&request->u.atapi.sense_data; request->bytecount = sizeof(struct atapi_sense); request->transfersize = sizeof(struct atapi_sense); + request->donecount = 0; request->timeout = 5; request->flags &= (ATA_R_ATAPI | ATA_R_QUIET); request->flags |= (ATA_R_READ | ATA_R_IMMEDIATE | ATA_R_REQUEUE);
>Release-Note:
>Audit-Trail:
>Unformatted:
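
Review bot: the added `request->donecount = 0;` (new line 343, between the `transfersize` and `timeout` assignments) needs a comment saying why it is there, for example that the request is being reused for the sense command and must not carry over the transfer count of the failed command. Without it the line looks redundant and is easy to drop in a later cleanup, which per the report brings back the memory corruption. Since this block reinitialises the reused request one field at a time (`data`, `bytecount`, `transfersize`, `timeout`, `flags`), it is also worth confirming that no other progress or result field of the failed command survives into the sense request.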
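
The failure mode the report describes, as an added example that is not code from the PR or from FreeBSD: a simplified model of a request that is reused for the sense command while still holding a stale `donecount`. The struct layout, `SENSE_LEN`, the rule that incoming bytes are stored at the buffer plus `donecount`, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, NOT FreeBSD's struct ata_request. The layout, SENSE_LEN
 * and the "store at data + donecount" rule are assumptions for illustration. */
#define SENSE_LEN 18u

struct model_request {
    uint8_t  sense[SENSE_LEN];  /* stands in for u.atapi.sense_data */
    uint8_t  pad[6];
    uint64_t callback;          /* stands in for the completion callback */
    uint32_t bytecount, transfersize;
    uint32_t donecount;         /* bytes already transferred */
};

/* Reuse a failed request for the sense command, as the hunk does.
 * reset_donecount = 0 models the code before the patch, 1 after it. */
static void prepare_sense(struct model_request *r, int reset_donecount)
{
    r->bytecount = r->transfersize = SENSE_LEN;
    if (reset_donecount)
        r->donecount = 0;
}

/* Store n bytes at sense + donecount with no bounds check and return how many
 * landed outside the sense buffer. Writes use a byte view of the object and
 * stop at its end, so the model itself stays well defined. */
static size_t deliver(struct model_request *r, const uint8_t *src, size_t n)
{
    uint8_t *obj = (uint8_t *)r + offsetof(struct model_request, sense);
    size_t room = sizeof(*r) - offsetof(struct model_request, sense);
    size_t off = r->donecount;  /* read once: the write may clobber it */
    size_t outside = 0;
    for (size_t i = 0; i < n && off + i < room; i++) {
        obj[off + i] = src[i];
        if (off + i >= SENSE_LEN)
            outside++;
    }
    return outside;
}

/* Defensive variant: refuse a transfer that would leave the buffer. */
static int deliver_checked(struct model_request *r, const uint8_t *src, size_t n)
{
    if (r->donecount > SENSE_LEN || n > SENSE_LEN - r->donecount)
        return -1;
    memcpy(r->sense + r->donecount, src, n);
    r->donecount += (uint32_t)n;
    return 0;
}
```

In this model a stale count of 24 puts the whole sense reply on top of the callback field, while the reset keeps it inside the buffer; the checked variant turns the same stale state into an error instead of a write.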