Date:      Tue, 24 May 2005 20:39:04 GMT
From:      Sean McNeil <sean@mcneil.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/81450: ATAPI support broken in -STABLE
Message-ID:  <200505242039.j4OKd4fN080184@www.freebsd.org>
Resent-Message-ID: <200505242040.j4OKe2Nt018127@freefall.freebsd.org>


>Number:         81450
>Category:       kern
>Synopsis:       ATAPI support broken in -STABLE
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 24 20:40:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Sean McNeil
>Release:        5.4-STABLE
>Organization:
Sean McNeil Consulting, Inc
>Environment:
FreeBSD server.mcneil.com 5.4-STABLE FreeBSD 5.4-STABLE #25: Sun May 22 15:35:15 PDT 2005     root@server.mcneil.com:/usr/obj/usr/src/sys/AMD64  amd64

>Description:
      ata-queue.c:ata_completed() will issue a sense request when it encounters an ATAPI error.  This request fails to zero out the donecount, which causes corruption of memory.  On amd64, it overwrites the callback value and crashes the computer.
>How-To-Repeat:
      Try to burn a CD from nautilus.  Since nautilus just invokes cdrecord, it should cause the same result by running cdrecord from a command line.

>Fix:
      The following patch fixes the crash:

--- sys/dev/ata/ata-queue.c.orig        Sun May 22 15:28:03 2005
+++ sys/dev/ata/ata-queue.c     Sun May 22 15:28:27 2005
@@ -340,6 +340,7 @@
            request->data = (caddr_t)&request->u.atapi.sense_data;
            request->bytecount = sizeof(struct atapi_sense);
            request->transfersize = sizeof(struct atapi_sense);
+           request->donecount = 0;
            request->timeout = 5;
            request->flags &= (ATA_R_ATAPI | ATA_R_QUIET);
            request->flags |= (ATA_R_READ | ATA_R_IMMEDIATE | ATA_R_REQUEUE);
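
Review bot: The added `request->donecount = 0;` carries no comment saying why the reset is required, so it could easily be dropped in a later cleanup of this block. The request is reused in place here, with `request->data` repointed at the embedded `request->u.atapi.sense_data` and `bytecount`/`transfersize` set to `sizeof(struct atapi_sense)`, so a short comment stating that a donecount left over from the failed command must not carry into the sense transfer would record the invariant. It is also worth confirming that no other per-transfer progress field of the reused request needs the same reset, since the visible context only reinitialises data, bytecount, transfersize, timeout and flags.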

>Release-Note:
>Audit-Trail:
>Unformatted:


