From: Nate Lawson
To: Søren Schmidt
Cc: stable@freebsd.org, current@freebsd.org
Subject: Re: patch: fix ata panic with Thinkpad CD and DVD drives
Date: Sun, 03 Jul 2005 00:39:49 -0000
X-Original-Date: Tue, 08 Mar 2005 06:45:50 -0800

Søren Schmidt wrote:
> Nate Lawson wrote:
>
>> If you've been having "memory modified after free" panics on -current
>> and have a Thinkpad, the attached patch should fix things for you. A
>> quick check of RELENG_5 indicates that the bug is probably there also
>> but I haven't tested for it there.
>>
>> The bug is triggered by timeouts in the ata_getparam() probe path.
>> The ata_timeout() fires and ata_end_transaction() is called to get the
>> status. However, it continues down into ata_pio_read() even though
>> there is no data available since we had a timeout, not read
>> completion. ata_pio_read() reads 512 bytes of probably bogus data.
>> The important problem is that it also advances donecount. On
>> subsequent timeouts (note there are 4 below), donecount advances into
>> unallocated memory and so subsequent ata_pio_read() calls overwrite
>> 512 bytes of someone else's memory.
>>
>> The fix is to exit immediately if ATA_R_TIMEOUT is set after reading
>> the status in ata_end_transaction(). It shouldn't go into
>> ata_pio_read() if there was a timeout. The patch does this.
>>
>> However, it only handles PIO timeouts since I wasn't sure the best way
>> to proceed for unwinding DMA state and the like for the other cases.
>> This is enough to fix the overwrite and subsequent panic on my
>> systems. I've run heavy IO stress and DVD accesses for a while and no
>> further panics.
>>
>> While looking into this, I found another potential problem. In one
>> reinjection case, donecount wasn't reset to 0. The patch for
>> ata-queue.c does this and I think it's necessary but don't hit this
>> case in testing so I can't be sure. Finally, there's one whitespace
>> nit that helps with clarity.
>>
>> These are similar bugs to one found back in August that had the same
>> effect. Here's the closest reference I could find in the mail
>> archives for this:
>> http://lists.freebsd.org/mailman/htdig/freebsd-current/2004-August/033033.html
>
>
> Just a note from here, these bugs are fixed in ATA mkIII so you could
> just have gleaned the solution from there (or maybe you did :))

Nope, but I'm glad you can corroborate these fixes are correct.

-- 
Nate
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
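
The overrun described in the quoted message, as a simplified user-space model added here (it is not the FreeBSD ATA code or the patch from this thread). The struct, function and flag names are hypothetical stand-ins, and the 512-byte buffer is placed at the start of a larger arena so the out-of-bounds writes can be counted safely.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the bug described above. All names are
 * hypothetical; this is not the FreeBSD ATA driver code. */
#define SECTOR     512
#define SLOTS      8             /* arena size in sectors */
#define R_TIMEOUT  0x01          /* stands in for ATA_R_TIMEOUT */
#define CANARY     0xA5

struct request {
    unsigned char *data;         /* caller's buffer, SECTOR bytes long */
    size_t donecount;            /* bytes transferred so far */
    int flags;
};

/* Models a PIO read: stores one sector at data + donecount. */
static void pio_read(struct request *r)
{
    memset(r->data + r->donecount, 0xFF, SECTOR);   /* bogus device data */
    r->donecount += SECTOR;
}

/* Completion path. With check_timeout == 0 it behaves like the buggy
 * code: a timed-out request still falls through to pio_read(). */
static void end_transaction(struct request *r, int check_timeout)
{
    if (check_timeout && (r->flags & R_TIMEOUT))
        return;                  /* the fix: no data arrived, do not read */
    pio_read(r);
}

/* Runs `timeouts` timed-out completions (capped at SLOTS) and returns
 * how many bytes beyond the SECTOR-byte buffer were overwritten. */
size_t simulate(int timeouts, int check_timeout)
{
    static unsigned char arena[SECTOR * SLOTS];
    struct request r = { arena, 0, R_TIMEOUT };
    size_t i, corrupted = 0;

    if (timeouts > SLOTS)
        timeouts = SLOTS;        /* keep the model itself in bounds */
    memset(arena, CANARY, sizeof(arena));
    for (i = 0; i < (size_t)timeouts; i++)
        end_transaction(&r, check_timeout);
    for (i = SECTOR; i < sizeof(arena); i++)
        corrupted += (arena[i] != CANARY);
    return corrupted;
}
```

With four timeouts the unchecked path overwrites three sectors past the buffer, while the first timeout alone only fills the buffer with bogus data; the early return leaves everything untouched.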