syzkaller reported a crash in ata_bmdma_fill_sg() when writing to
/dev/sg1.  The immediate cause was that the ATA command's scatterlist
was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a
write to 'qc->ap->bmdma_prd[0xffffffff]'.

Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags.  The
root cause is that when __ata_scsi_queuecmd() is preparing to relay a
SCSI command to an ATAPI device, it doesn't correctly validate the CDB
length before copying it into the 16-byte buffer 'cdb' in 'struct
ata_queued_cmd'.  Namely, it validates the fixed CDB length expected
based on the SCSI opcode but not the actual CDB length, which can be
larger due to the use of the SG_NEXT_CMD_LEN ioctl.  Since 'flags' is
the next member in ata_queued_cmd, a buffer overflow corrupts it.

Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN).

[Really it seems the length should be required to be <= dev->cdb_len,
but the current behavior seems to have been intentionally introduced by
commit 607126c2 ("libata-scsi: be tolerant of 12-byte ATAPI commands
in 16-byte CDBs") to work around a userspace bug in mplayer.  Probably
the workaround is no longer needed (mplayer was fixed in 2007), but
continuing to allow lengths to up 16 appears harmless for now.]

Here's a reproducer that works in QEMU when /dev/sg1 refers to the
CD-ROM drive that qemu-system-x86_64 creates by default:

    #include <fcntl.h>
    #include <sys/ioctl.h>
    #include <unistd.h>

    #define SG_NEXT_CMD_LEN 0x2283

    int main()
    {
	    char buf[53] = { [36] = 0x7e, [52] = 0x02 };
	    int fd = open("/dev/sg1", O_RDWR);
	    ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 });
	    write(fd, buf, sizeof(buf));
    }

The crash was:

    BUG: unable to handle kernel paging request at ffff8cb97db37ffc
    IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline]
    IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727
    PGD fb6c067 P4D fb6c067 PUD 0
    Oops: 0002 [#1] SMP
    CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    [...]
    Call Trace:
     ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421
     ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024
     __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline]
     ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375
     scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727
     scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865
     __blk_run_queue_uncond block/blk-core.c:412 [inline]
     __blk_run_queue+0x3a/0x60 block/blk-core.c:432
     blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78
     sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806
     sg_write+0x1ef/0x340 drivers/scsi/sg.c:677
     __vfs_write+0x31/0x160 fs/read_write.c:480
     vfs_write+0xa7/0x160 fs/read_write.c:544
     SYSC_write fs/read_write.c:589 [inline]
     SyS_write+0x4d/0xc0 fs/read_write.c:581
     do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x21/0x86

Fixes: 607126c2 ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs")
Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v2.6.24+
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

This fixs the following comile warnings with ATA_DEBUG enabled,
which detected by Linaro GCC 5.2-2015.11:

  drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb':
  ./include/linux/kern_levels.h:5:18: warning: format '%d' expects
  argument of type 'int', but argument 6 has type 'u64 {aka long
   long unsigned int}' [-Wformat=]

tj: Patch hand-applied and description trimmed.
Signed-off-by: NDong Bo <dongbo4@huawei.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Don't populate const arrayis on the stack, instead make them static.
Makes the object code smaller by over 260 bytes:

Before:
   text	   data	    bss	    dec	    hex	filename
  64864	   5948	   4128	  74940	  124bc	drivers/ata/libata-scsi.o

After:
   text	   data	    bss	    dec	    hex	filename
  64183	   6364	   4128	  74675	  123b3	drivers/ata/libata-scsi.o
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

As described by Matthew Garret quite a while back:
https://mjg59.dreamwidth.org/34868.html

Intel CPUs starting with the Haswell generation need SATA links to power
down for the "package" part of the CPU to reach low power-states like
PC7 / P8 which bring a significant power-saving with them.

The default max_performance lpm policy does not allow for these high
PC states, both the medium_power and min_power policies do allow this.

The min_power policy saves significantly more power, but there are some
reports of some disks / SSDs not liking min_power leading to system
crashes and in some cases even data corruption has been reported.

Matthew has found a document documenting the default settings of
Intel's IRST Windows driver with which most laptops ship:
https://www-ssl.intel.com/content/dam/doc/reference-guide/sata-devices-implementation-recommendations.pdf

Matthew wrote a patch changing med_power to match those defaults, but
that never got anywhere as some people where reporting issues with the
patch-set that patch was a part of.

This commit is another attempt to make the default IRST driver settings
available under Linux, but instead of changing medium_power and
potentially introducing regressions, this commit adds a new
med_power_with_dipm setting which is identical to the existing
medium_power accept that it enables dipm on top, which makes it match
the Windows IRST driver settings, which should hopefully be safe to
use on most devices.

The med_power_with_dipm setting is close to min_power, except that:
a) It does not use host-initiated slumber mode (ASP not set),
   but it does allow device-initiated slumber
b) It does not enable DevSlp mode

On my T440s test laptop I get the following power savings when idle:
medium_power		0.9W
med_power_with_dipm	1.2W
min_power		1.2W
Suggested-by: NMatthew Garrett <mjg59@srcf.ucam.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

My static checker complains that "devno" can be negative, meaning that
we read before the start of the loop.  I've looked at the code, and I
think the warning is right.  This come from /proc so it's root only or
it would be quite a quite a serious bug.  The call tree looks like this:

proc_scsi_write() <- gets id and channel from simple_strtoul()
-> scsi_add_single_device() <- calls shost->transportt->user_scan()
   -> ata_scsi_user_scan()
      -> ata_find_dev()
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NTejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org # all versions at this point

Just wire up the generic TCG OPAL infrastructure to the SCSI disk driver
and the Security In/Out commands.

Note that I don't know of any actual SCSI disks that do support TCG OPAL,
but this is required to support ATA disks through libata.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Acked-by: NMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

b1ffbf85 ("libata: Support for an ATA PASS-THROUGH(32) command.")
introduced an unused goto label.  Remove it.
Reported-by: NStephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: NTejun Heo <tj@kernel.org>

SAT-4(SCSI/ATA Translation) supports for an ata pass-thru(32).
This patch will allow to translate an ata pass-thru(32) SCSI cmd
to an ATA cmd.
Signed-off-by: NMinwoo Im <dn3108@gmail.com>
Reviewed-by: NBart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

The function name used to be ata_scsiop_mode_select() but renamed to
ata_scsi_mode_select_xlat().  Update the comment accordingly.

tj: Minor commit desc update.
Signed-off-by: NMinwoo Im <dn3108@gmail.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Linus Torvalds changed the behavior of printks without KERN_<LEVEL>.

Convert the continuation prints to use pr_cont.

At the same time, convert the existing printks with KERN_<LEVEL> to
pr_<level>

Miscellanea:

o Coalesce a multiline format
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

This allows us to use the generic OPAL code with ATA devices.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

The libata documentation is now using ReST. Update references
to it to point to the new place.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Sphinx got confused with the markup identation:
	./drivers/ata/libata-scsi.c:3402: ERROR: Unexpected indentation.

No functional changes.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

The libata documentation is now using ReST. Update references
to it to point to the new place.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Sphinx got confused with the markup identation:
	./drivers/ata/libata-scsi.c:3402: ERROR: Unexpected indentation.

No functional changes.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

This was already disabled a while ago because it caused I/O errors,
and it's severly getting into the way of the discard / write zeroes
rework.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Reviewed-by: NMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

The WRITE SAME to TRIM translation rewrites the DATA OUT buffer.  While
the SCSI code accomodates for this by passing a read-writable buffer
userspace applications don't cater for this behavior.  In fact it can
be used to rewrite e.g. a readonly file through mmap and should be
considered as a security fix.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Reviewed-by: NMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

All but one caller want the decoded sense header, so offer the existing
__scsi_execute helper as the public scsi_execute API to simply the
callers.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>

This can be used to check for fs vs non-fs requests and basically
removes all knowledge of BLOCK_PC specific from the block layer,
as well as preparing for removing the cmd_type field in struct request.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NJens Axboe <axboe@fb.com>

And require all drivers that want to support BLOCK_PC to allocate it
as the first thing of their private data.  To support this the legacy
IDE and BSG code is switched to set cmd_size on their queues to let
the block layer allocate the additional space.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NJens Axboe <axboe@fb.com>

This reverts commit a234f739.

The commit tried to get rid of the shared global SCSI response buffer.
Unfortunately, it added blocking allocation to atomic path.  Revert it
for now.
Signed-off-by: NTejun Heo <tj@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>

Note of the emulated commands in the pageout/pagein path, so just do
a GFP_NOIO dynamic allocation.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

No need to copy a zeroed buffer to the caller if the command is defined
to not have a response in the SCSI spec.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

We always need to call ->scsi_done after we've finished emulating a
command, so do it in a single place at the end of ata_scsi_simulate.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

It's always the scsi_done callback, and we can get at that easily
in the place where ->done is called.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

It's only used in libata-scsi.c, so move it closer to the users.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

We only need to look at 4 bytes of the inquiry response for ATAPI
devices.  Instead of using the global ata_scsi_rbuf just use a
a stack buffer.  Also factor the fixup into it's own little helper
function to make it more readable.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NTejun Heo <tj@kernel.org>

Previously, when the ata device was being initialized we were
probing for NCQ prio support by checking the identify information
and also checking the log page that holds information about ncq prio
support.

This caused an error on an Intel HBA so the code is now updated to
only probe for NCQ prio support when the sysfs variable controlling
NCQ prio support is enabled.

tj: Update formatting, switch to spin_[un]lock_irq() and update
    locking a bit, use REVALIDATE instead of RESET, and return -EIO
    instead of -EINVAL on config failure.
Signed-off-by: NAdam Manzanares <adam.manzanares@wdc.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

SCT Write Same support had been introduced with
commit 7b203094 ("libata: Add support for SCT Write Same")

Some problems, namely excessive userspace segfaults, had been reported at

  http://lkml.kernel.org/r/20160908192736.GA4356@gmail.com

This lead to commit 0ce1b18c ("libata: Some drives failing on
SCT Write Same") which strived to disable SCT Write Same on !ZAC devices.
Due to the way this was done and to the logic in sd_config_write_same(),
this didn't work for those devices that have
->max_ws_blocks > SD_MAX_WS10_BLOCKS: for these, ->no_write_same and
->max_write_same_sectors would still be non-zero,
but ->ws10 == ->ws16 == 0. This would cause sd_setup_write_same_cmnd() to
demultiplex REQ_OP_WRITE_SAME requests to WRITE_SAME, and these in turn
aren't supported by libata-scsi:

  EXT4-fs (dm-1): Delayed block allocation failed for inode 2625094 at
                  logical offset 2032 with max blocks 2 with error 121
  EXT4-fs (dm-1): This should not happen!! Data will be lost

121 == EREMOTEIO is what scsi_io_completion() asserts in case of
invalid opcodes.

Back to the original problem of userspace segfaults: this can be tracked
down to ata_format_sct_write_same() overwriting the input page. Sometimes,
this page is ZERO_PAGE(0) which ceases to be filled with zeros from that
point on. Since ZERO_PAGE(0) is used for userspace .bss mappings, code of
the following is doomed:

  static char *a = NULL; /* .bss */
  ...
  if (a)
    *a = 'a';

This problem is not solved by disabling SCT Write Same for !ZAC devices
only.

It can certainly be fixed, but the final release is quite close -- so
disable SCT Write Same for all ATA devices rather than introducing some
SCT key buffer allocation schemes at this point.

Fixes: 7b203094 ("libata: Add support for SCT Write Same")
Signed-off-by: NNicolai Stange <nicstange@gmail.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

There's a typo in ata_gen_passthru_sense(), where the first byte
would be overwritten incorrectly later on.
Reported-by: NCharles Machalow <csm10495@gmail.com>
Signed-off-by: NHannes Reinecke <hare@suse.com>
Fixes: 11093cb1 ("libata-scsi: generate correct ATA pass-through sense")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: NTejun Heo <tj@kernel.org>

We previously had a check to see if the device has support for
prioritized ncq commands and a check to see if a device flag
is set, through a sysfs variable, in order to send a prioritized
command.

This patch only allows the sysfs variable to be set if the device
supports prioritized commands enabling one check in ata_build_rw_tf
in order to determine whether or not to send a prioritized command.

This patch depends on ata: ATA Command Priority Disabled By Default

tj: Minor subject and formatting updates.
Signed-off-by: NAdam Manzanares <adam.manzanares@wdc.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Add a sysfs entry to turn on priority information being passed
to a ATA device. By default this feature is turned off.

This patch depends on ata: Enabling ATA Command Priorities

tj: Renamed ncq_prio_on to ncq_prio_enable and removed trivial
    ata_ncq_prio_on() and open-coded the test.
Signed-off-by: NAdam Manzanares <adam.manzanares@hgst.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

This patch checks to see if an ATA device supports NCQ command priorities.
If so and the user has specified an iocontext that indicates
IO_PRIO_CLASS_RT then we build a tf with a high priority command.

This is done to improve the tail latency of commands that are high
priority by passing priority to the device.

tj: Removed trivial ata_ncq_prio_enabled() and open-coded the test.
Signed-off-by: NAdam Manzanares <adam.manzanares@hgst.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Restrict support SCT Write Same to devices which also support ZAC where
support is required.
Reported-by: NMike Krinkin <krinkin.m.u@gmail.com>
Signed-off-by: NShaun Tancheff <shaun.tancheff@seagate.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

Use non DMA write log when ATA_DFLAG_PIO is set.
Signed-off-by: NShaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: NHannes Reinecke <hare@suse.com>
Acked-by: NTejun Heo <tj@kernel.org>

Correct handling of devices with sector_size other that 512 bytes.

In the case of a 4Kn device sector_size it is possible to describe a much
larger DSM Trim than the current fixed default of 512 bytes.

This patch assumes the minimum descriptor is sector_size and fills out
the descriptor accordingly.

The ACS-2 specification is quite clear that the DSM command payload is
sized as number of 512 byte transfers so a 4Kn device will operate
correctly without this patch.
Signed-off-by: NShaun Tancheff <shaun.tancheff@seagate.com>
Acked-by: NTejun Heo <tj@kernel.org>

SATA drives may support write same via SCT. This is useful
for setting the drive contents to a specific pattern (0's).

Translate a SCSI WRITE SAME 16 command to be either a DSM TRIM
command or an SCT Write Same command.

Based on the UNMAP flag:
  - When set translate to DSM TRIM
  - When not set translate to SCT Write Same
Signed-off-by: NShaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: NHannes Reinecke <hare@suse.com>
Acked-by: NTejun Heo <tj@kernel.org>

Safely overwriting the attached page to ATA format from the SCSI formatted
variant.
Signed-off-by: NShaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: NHannes Reinecke <hare@suse.com>
Acked-by: NTejun Heo <tj@kernel.org>

scsi_done() was called repeatedly and apparently because of that,
the kernel would call trace when we touch the Control mode page:

Call Trace:
 [<ffffffff812ea0d2>] dump_stack+0x63/0x81
 [<ffffffff81079cfb>] __warn+0xcb/0xf0
 [<ffffffff81079e2d>] warn_slowpath_null+0x1d/0x20
 [<ffffffffa00f51b0>] ata_eh_finish+0xe0/0xf0 [libata]
 [<ffffffffa00fb830>] sata_pmp_error_handler+0x640/0xa50 [libata]
 [<ffffffffa00470ed>] ahci_error_handler+0x1d/0x70 [libahci]
 [<ffffffffa00f55f0>] ata_scsi_port_error_handler+0x430/0x770 [libata]
 [<ffffffffa00eff8d>] ? ata_scsi_cmd_error_handler+0xdd/0x160 [libata]
 [<ffffffffa00f59d7>] ata_scsi_error+0xa7/0xf0 [libata]
 [<ffffffffa00913ba>] scsi_error_handler+0xaa/0x560 [scsi_mod]
 [<ffffffffa0091310>] ? scsi_eh_get_sense+0x180/0x180 [scsi_mod]
 [<ffffffff81098eb8>] kthread+0xd8/0xf0
 [<ffffffff815d913f>] ret_from_fork+0x1f/0x40
 [<ffffffff81098de0>] ? kthread_worker_fn+0x170/0x170
---[ end trace 8b7501047e928a17 ]---

Removed the unnecessary code and let ata_scsi_translate() do the job.

Also, since ata_mselect_control() has no ATA command to send to the
device, ata_scsi_mode_select_xlat() should return 1 for it, so that
ata_scsi_translate() will finish early to avoid ata_qc_issue().
Signed-off-by: NTom Yan <tom.ty89@gmail.com>
Signed-off-by: NTejun Heo <tj@kernel.org>

ata_mselect_*() would initialize a char array for storing a copy of
the current mode page. However, char could be signed char. In that
case, bytes larger than 127 would be converted to negative number.

For example, 0xff from def_control_mpage[] would become -1. This
prevented ata_mselect_control() from working at all, since when it
did the read-only bits check, there would always be a mismatch.
Signed-off-by: NTom Yan <tom.ty89@gmail.com>
Signed-off-by: NTejun Heo <tj@kernel.org>