Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 08 Mar 2005 06:50:13 -0800
From:      Nate Lawson <nate@root.org>
To:        =?ISO-8859-1?Q?S=F8ren_Schmidt?= <sos@DeepCore.dk>
Cc:        current@freebsd.org
Subject:   Re: patch: fix ata panic with Thinkpad CD and DVD drives
Message-ID:  <422DBBA5.1000903@root.org>
In-Reply-To: <422D84FF.1010707@DeepCore.dk>
References:  <422225D6.5020009@root.org> <422D84FF.1010707@DeepCore.dk>

next in thread | previous in thread | raw e-mail | index | archive | help
Søren Schmidt wrote:
> Nate Lawson wrote:
> 
>> If you've been having "memory modified after free" panics on -current 
>> and have a Thinkpad, the attached patch should fix things for you.  A 
>> quick check of RELENG_5 indicates that the bug is probably there also 
>> but I haven't tested for it there.
>>
>> The bug is triggered by timeouts in the ata_getparam() probe path.  
>> The ata_timeout() fires and ata_end_transaction() is called to get the 
>> status.  However, it continues down into ata_pio_read() even though 
>> there is no data available since we had a timeout, not read 
>> completion.    ata_pio_read() reads 512 bytes of probably bogus data.  
>> The important problem is that it also advances donecount.  On 
>> subsequent timeouts (note there are 4 below), donecount advances into 
>> unallocated memory and so subsequent ata_pio_read() calls overwrite 
>> 512 bytes of someone else's memory.
>>
>> The fix is to exit immediately if ATA_R_TIMEOUT is set after reading 
>> the status in ata_end_transaction().  It shouldn't go into 
>> ata_pio_read() if there was a timeout.  The patch does this.
>>
>> However, it only handles PIO timeouts since I wasn't sure the best way 
>> to proceed for unwinding DMA state and the like for the other cases. 
>> This is enough to fix the overwrite and subsequent panic on my 
>> systems.  I've run heavy IO stress and DVD accesses for a while and no 
>> further panics.
>>
>> While looking into this, I found another potential problem.  In one 
>> reinjection case, donecount wasn't reset to 0.  The patch for 
>> ata-queue.c does this and I think it's necessary but don't hit this 
>> case in testing so I can't be sure.  Finally, there's one whitespace 
>> nit that helps with clarity.
>>
>> These are similar bugs to one found back in August that had the same 
>> effect.  Here's the closest reference I could find in the mail 
>> archives for this:
>> http://lists.freebsd.org/mailman/htdig/freebsd-current/2004-August/033033.html 
> 
> 
> Just a note from here, these bugs are fixed in ATA mkIII so you could 
> just have gleaned the solution from there (or maybe you did :))

Nope, but I'm glad you can corroborate these fixes are correct.

-- 
Nate



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?422DBBA5.1000903>