  1. 18 Aug, 2021 1 commit
  2. 01 Jun, 2021 4 commits
  3. 06 Apr, 2021 1 commit
  4. 24 Oct, 2020 1 commit
  5. 03 Sep, 2020 1 commit
    • libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks · 3b545563
      Tejun Heo authored
      All three generations of Sandisk SSDs lock up hard intermittently.
      Experiments showed that disabling NCQ lowered the failure rate significantly
      and the kernel has been disabling NCQ for some models of SD7's and 8's,
      which is obviously undesirable.
      
      Karthik worked with Sandisk to root cause the hard lockups to trim commands
      larger than 128M. This patch implements ATA_HORKAGE_MAX_TRIM_128M which
      limits max trim size to 128M and applies it to all three generations of
      Sandisk SSDs.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Karthik Shivaram <karthikgs@fb.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  6. 24 Aug, 2020 1 commit
  7. 17 Jul, 2020 1 commit
  8. 05 Jun, 2020 1 commit
    • ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function · f650ef61
      Ye Bin authored
      BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
      drivers/ata/libata-scsi.c:4045
      Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621
      
      CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      1.10.2-1ubuntu1 04/01/2014
      Call Trace:
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0xac/0xee lib/dump_stack.c:118
      print_address_description+0x60/0x223 mm/kasan/report.c:253
      kasan_report_error mm/kasan/report.c:351 [inline]
      kasan_report mm/kasan/report.c:409 [inline]
      kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
      ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
      ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
      __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
      ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
      scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
      scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
      blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
      blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
      blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
      __blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
      __blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
      blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
      blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
      blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
      blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
      sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
      sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
      vfs_ioctl fs/ioctl.c:46 [inline]
      file_ioctl fs/ioctl.c:501 [inline]
      do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
      ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
      __do_sys_ioctl fs/ioctl.c:712 [inline]
      __se_sys_ioctl fs/ioctl.c:710 [inline]
      __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
      do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Allocated by task 12577:
      set_track mm/kasan/kasan.c:460 [inline]
      kasan_kmalloc mm/kasan/kasan.c:553 [inline]
      kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
      __kmalloc+0xf3/0x1e0 mm/slub.c:3749
      kmalloc include/linux/slab.h:520 [inline]
      load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
      load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
      search_binary_handler fs/exec.c:1654 [inline]
      search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
      exec_binprm fs/exec.c:1696 [inline]
      __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
      do_execveat_common fs/exec.c:1866 [inline]
      do_execve fs/exec.c:1883 [inline]
      __do_sys_execve fs/exec.c:1964 [inline]
      __se_sys_execve fs/exec.c:1959 [inline]
      __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
      do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 12577:
      set_track mm/kasan/kasan.c:460 [inline]
      __kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
      slab_free_hook mm/slub.c:1370 [inline]
      slab_free_freelist_hook mm/slub.c:1397 [inline]
      slab_free mm/slub.c:2952 [inline]
      kfree+0x8b/0x1a0 mm/slub.c:3904
      load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
      search_binary_handler fs/exec.c:1654 [inline]
      search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
      exec_binprm fs/exec.c:1696 [inline]
      __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
      do_execveat_common fs/exec.c:1866 [inline]
      do_execve fs/exec.c:1883 [inline]
      __do_sys_execve fs/exec.c:1964 [inline]
      __se_sys_execve fs/exec.c:1959 [inline]
      __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
      do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The buggy address belongs to the object at ffff88803b8ccf00
      which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 259 bytes inside of
      512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
      
      You can refer to "https://www.lkml.org/lkml/2019/1/17/474" to reproduce
      this error.

      The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
      which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
      may be from the sg_scsi_ioctl function "buffer", which is allocated by kzalloc, so "buffer"
      may not be page aligned.
      This also looks completely buggy on highmem systems and really needs to use a
      kmap_atomic.      --Christoph Hellwig
      To address the above bugs, Paolo Bonzini advises that it is simpler to just make a char array
      of size CACHE_MPAGE_LEN+8+8+4-2 (or just 64 to make it easy), use sg_copy_to_buffer
      to copy from the sglist into the buffer, and work there.
      Signed-off-by: Ye Bin <yebin10@huawei.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  9. 23 Apr, 2020 2 commits
  10. 27 Mar, 2020 8 commits
  11. 26 Mar, 2020 2 commits
    • libata: Assign OF node to the SCSI device · 45b8084f
      Linus Walleij authored
      When we spawn a SCSI device from an ATA device in libata-scsi
      the SCSI device had no relation to the device tree.
      
      The DT binding allows us to define port nodes under a
      PATA (IDE) or SATA host controller, so we can have proper device
      nodes for these devices.
      
      If OF is enabled, walk the children of the host controller node
      to see if there is a valid device tree node to assign. The reg
      is used to match to ID 0 for the master device and ID 1 for the
      slave device.
      
      The corresponding device tree bindings have been accepted by
      the device tree maintainers.
      
      Cc: Chris Healy <cphealy@gmail.com>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Bart Van Assche <bvanassche@acm.org>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() · 1d72f7ae
      John Garry authored
      If the call to scsi_add_host_with_dma() in ata_scsi_add_hosts() fails,
      then we may get use-after-free KASAN warns:
      
      ==================================================================
      BUG: KASAN: use-after-free in kobject_put+0x24/0x180
      Read of size 1 at addr ffff0026b8c80364 by task swapper/0/1
      CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W         5.6.0-rc3-00004-g5a71b206ea82-dirty #1765
      Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V3.B160.01 02/24/2020
      Call trace:
      dump_backtrace+0x0/0x298
      show_stack+0x14/0x20
      dump_stack+0x118/0x190
      print_address_description.isra.9+0x6c/0x3b8
      __kasan_report+0x134/0x23c
      kasan_report+0xc/0x18
      __asan_load1+0x5c/0x68
      kobject_put+0x24/0x180
      put_device+0x10/0x20
      scsi_host_put+0x10/0x18
      ata_devres_release+0x74/0xb0
      release_nodes+0x2d0/0x470
      devres_release_all+0x50/0x78
      really_probe+0x2d4/0x560
      driver_probe_device+0x7c/0x148
      device_driver_attach+0x94/0xa0
      __driver_attach+0xa8/0x110
      bus_for_each_dev+0xe8/0x158
      driver_attach+0x30/0x40
      bus_add_driver+0x220/0x2e0
      driver_register+0xbc/0x1d0
      __pci_register_driver+0xbc/0xd0
      ahci_pci_driver_init+0x20/0x28
      do_one_initcall+0xf0/0x608
      kernel_init_freeable+0x31c/0x384
      kernel_init+0x10/0x118
      ret_from_fork+0x10/0x18
      
      Allocated by task 5:
      save_stack+0x28/0xc8
      __kasan_kmalloc.isra.8+0xbc/0xd8
      kasan_kmalloc+0xc/0x18
      __kmalloc+0x1a8/0x280
      scsi_host_alloc+0x44/0x678
      ata_scsi_add_hosts+0x74/0x268
      ata_host_register+0x228/0x488
      ahci_host_activate+0x1c4/0x2a8
      ahci_init_one+0xd18/0x1298
      local_pci_probe+0x74/0xf0
      work_for_cpu_fn+0x2c/0x48
      process_one_work+0x488/0xc08
      worker_thread+0x330/0x5d0
      kthread+0x1c8/0x1d0
      ret_from_fork+0x10/0x18
      
      Freed by task 5:
      save_stack+0x28/0xc8
      __kasan_slab_free+0x118/0x180
      kasan_slab_free+0x10/0x18
      slab_free_freelist_hook+0xa4/0x1a0
      kfree+0xd4/0x3a0
      scsi_host_dev_release+0x100/0x148
      device_release+0x7c/0xe0
      kobject_put+0xb0/0x180
      put_device+0x10/0x20
      scsi_host_put+0x10/0x18
      ata_scsi_add_hosts+0x210/0x268
      ata_host_register+0x228/0x488
      ahci_host_activate+0x1c4/0x2a8
      ahci_init_one+0xd18/0x1298
      local_pci_probe+0x74/0xf0
      work_for_cpu_fn+0x2c/0x48
      process_one_work+0x488/0xc08
      worker_thread+0x330/0x5d0
      kthread+0x1c8/0x1d0
      ret_from_fork+0x10/0x18
      
      There is also a refcount issue, as well:
      WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x170
      
      The issue is that we make an erroneous extra call to scsi_host_put()
      for that host:
      
      So in ahci_init_one()->ata_host_alloc_pinfo()->ata_host_alloc(), we set up
      a device release method - ata_devres_release() - which intends to release
      the SCSI hosts:
      
      static void ata_devres_release(struct device *gendev, void *res)
      {
      	...
      	for (i = 0; i < host->n_ports; i++) {
      		struct ata_port *ap = host->ports[i];
      
      		if (!ap)
      			continue;
      
      		if (ap->scsi_host)
      			scsi_host_put(ap->scsi_host);
      
      	}
      	...
      }
      
      However in the ata_scsi_add_hosts() error path, we also call
      scsi_host_put() for the SCSI hosts.
      
      Fix by removing the scsi_host_put() calls in ata_scsi_add_hosts() and
      leave this to ata_devres_release().

      Fixes: f3187195 ("libata: separate out ata_host_alloc() and ata_host_register()")
      Signed-off-by: John Garry <john.garry@huawei.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  12. 03 Jan, 2020 1 commit
    • compat_ioctl: scsi: handle HDIO commands from drivers · 75c0b0e1
      Arnd Bergmann authored
      The ata_sas_scsi_ioctl() function implements a number of HDIO_* commands
      for SCSI devices, it is used by all libata drivers as well as a few
      drivers that support SAS attached SATA drives.
      
      The only command that is not safe for compat ioctls here is
      HDIO_GET_32BIT. Change the implementation to check for in_compat_syscall()
      in order to do both cases correctly, and change all callers to use it
      as both native and compat callback pointers, including the indirect
      callers through sas_ioctl and ata_scsi_ioctl.
      Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
  13. 06 Oct, 2019 1 commit
  14. 08 Aug, 2019 1 commit
    • libata: have ata_scsi_rw_xlat() fail invalid passthrough requests · 2d727150
      Jens Axboe authored
      For passthrough requests, libata-scsi takes what the user passes in
      as gospel. This can be problematic if the user fills in the CDB
      incorrectly. One example of that is in request sizes. For read/write
      commands, the CDB contains fields describing the transfer length of
      the request. These should match with the SG_IO header fields, but
      libata-scsi currently does no validation of that.
      
      Check that the number of blocks in the CDB for passthrough requests
      matches what was mapped into the request. If the CDB asks for more
      data than the validated SG_IO header fields, error it.
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
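
      The check that the commit message above describes, modeled in user-space C as an added example; it is not the kernel's code. `cdb_block_count()`, `passthrough_rw_ok()` and the sample CDB are hypothetical names and constructed data, and the field offsets follow the standard READ/WRITE (6), (10) and (16) CDB layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes of the read/write commands whose CDB carries a block count. */
enum { READ_6 = 0x08, WRITE_6 = 0x0a, READ_10 = 0x28, WRITE_10 = 0x2a,
       READ_16 = 0x88, WRITE_16 = 0x8a };

/* Transfer length in blocks from a read/write CDB; false if unsupported or short. */
static bool cdb_block_count(const uint8_t *cdb, size_t len, uint32_t *n_block)
{
    if (len < 6) return false;
    switch (cdb[0]) {
    case READ_6: case WRITE_6:
        *n_block = cdb[4] ? cdb[4] : 256;  /* 0 means 256 in the 6-byte form */
        return true;
    case READ_10: case WRITE_10:
        if (len < 10) return false;
        *n_block = ((uint32_t)cdb[7] << 8) | cdb[8];
        return true;
    case READ_16: case WRITE_16:
        if (len < 16) return false;
        *n_block = ((uint32_t)cdb[10] << 24) | ((uint32_t)cdb[11] << 16) |
                   ((uint32_t)cdb[12] << 8) | cdb[13];
        return true;
    default: return false;
    }
}

/* Accept a passthrough request only when the CDB asks for no more data than
 * mapped_bytes, the buffer length already validated from the SG_IO header. */
bool passthrough_rw_ok(const uint8_t *cdb, size_t len,
                       uint32_t mapped_bytes, uint32_t sector_size)
{
    uint32_t n_block;

    if (!cdb_block_count(cdb, len, &n_block)) return false;
    /* 64-bit product: a huge block count must not wrap past the check. */
    return (uint64_t)n_block * sector_size <= mapped_bytes;
}

int main(void)
{
    /* Constructed sample: READ(10) for 8 blocks, only 512 bytes mapped. */
    const uint8_t cdb[10] = { READ_10, 0, 0, 0, 0, 0, 0, 0, 8, 0 };
    printf("accepted: %d\n", passthrough_rw_ok(cdb, 10, 512, 512));
    return 0;
}
```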
  15. 21 May, 2019 1 commit
  16. 10 Feb, 2019 2 commits
  17. 09 Feb, 2019 1 commit
  18. 30 Aug, 2018 1 commit
  19. 03 Aug, 2018 1 commit
  20. 30 Jul, 2018 1 commit
    • ata: ahci: Support state with min power but Partial low power state · a5ec5a7b
      Srinivas Pandruvada authored
      Currently when min_power policy is selected, the partial low power state
      is not entered and the link will aggressively try to enter only the slumber state.
      Add a new policy which still enables DEVSLP but also tries to enter the partial
      low power state. This policy is presented as "min_power_with_partial".
      
      For information the difference between partial and slumber
      Partial – PHY logic is powered up, and in a reduced power state. The link
      PM exit latency to active state maximum is 10 ns.
      Slumber – PHY logic is powered up, and in a reduced power state. The link
      PM exit latency to active state maximum is 10 ms.
      Devslp – PHY logic is powered down. The link PM exit latency from this
      state to active state maximum is 20 ms, unless otherwise specified by
      DETO.
      Suggested-and-reviewed-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
  21. 13 Jul, 2018 1 commit
  22. 02 Jul, 2018 2 commits
  23. 12 May, 2018 3 commits
  24. 11 May, 2018 1 commit
    • libata: Honor RQF_QUIET flag · 7eb49509
      Damien Le Moal authored
      Currently, libata ignores the request's RQF_QUIET flag and prints error
      messages for failed commands, regardless of whether this flag is set in the
      command request. Fix this by introducing the ata_eh_quiet() function and
      using this function in ata_eh_link_autopsy() to determine if the EH
      context should be quiet. This works by counting the number of failed
      commands and the number of commands with the quiet flag set. If both
      numbers are equal, the EH context can be set to quiet and all error
      messages suppressed. Otherwise, only the error messages for the failed
      commands are suppressed and the link Emask and irq_stat messages printed.
      Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
      Reviewed-by: Hannes Reinecke <hare@suse.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>