kernel/linux.git/drivers/ata/libata-sff.c, branch v6.6.131

ata: libata-sff: Ensure that we cannot write outside the allocated buffer

2025-02-17T08:40:35+00:00

commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream. reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. Cc: stable@vger.kernel.org Reported-by: reveliofuzzing Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/ Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org Signed-off-by: Niklas Cassel Signed-off-by: Greg Kroah-Hartman

ata: libata: remove references to non-existing error_handler()

2023-08-02T08:45:10+00:00

With commit 65a15d6560df ("scsi: ipr: Remove SATA support") all libata drivers now have the error_handler() callback provided, so we can stop checking for non-existing error_handler callback. Signed-off-by: Hannes Reinecke [niklas: fixed review comments, rebased, solved conflicts during rebase, fixed bug that unconditionally dumped all QCs, removed the now unused function ata_dump_status(), removed the now unreachable failure paths in atapi_qc_complete(), removed the non-EH function to request ATAPI sense] Signed-off-by: Niklas Cassel Reviewed-by: John Garry Reviewed-by: Jason Yan Reviewed-by: Martin K. Petersen Signed-off-by: Damien Le Moal

ata: fix debounce timings type

2023-08-02T08:37:06+00:00

sata_deb_timing_{hotplug|long|normal}[] store 'unsigned long' debounce timeouts in ms, while sata_link_debounce() eventually uses those timeouts by calling ata_{deadline|msleep}( which take just 'unsigned int'. Change the debounce timeout table element's type to 'unsigned int' -- all these timeouts happily fit into 'unsigned int'... Signed-off-by: Sergey Shtylyov Signed-off-by: Damien Le Moal

scsi: ata: Declare SCSI host templates const

2023-03-24T23:19:19+00:00

Make it explicit that ATA host templates are not modified. Reviewed-by: Linus Walleij Acked-by: Damien Le Moal Reviewed-by: Serge Semin (for DWC AHCI SATA) Reviewed-by: John Garry Reviewed-by: Jon Hunter (for Tegra) Cc: Christoph Hellwig Cc: Ming Lei Cc: Hannes Reinecke Cc: John Garry Cc: Mike Christie Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20230322195515.1267197-5-bvanassche@acm.org Signed-off-by: Martin K. Petersen

ata: libata: simplify qc_fill_rtf port operation interface

2023-01-04T04:37:45+00:00

The boolean return value of the qc_fill_rtf operation is used nowhere. Simplify this operation interface by making it a void function. All drivers defining this operation are also updated. Signed-off-by: Damien Le Moal Signed-off-by: Niklas Cassel Reviewed-by: John Garry

ata: scsi: rename flag ATA_QCFLAG_FAILED to ATA_QCFLAG_EH

2023-01-04T04:36:26+00:00

The name ATA_QCFLAG_FAILED is misleading since it does not mean that a QC completed in error, or that it didn't complete at all. It means that libata decided to schedule EH for the QC, so the QC is now owned by the libata error handler (EH). The normal execution path is responsible for not accessing a QC owned by EH. libata core enforces the rule by returning NULL from ata_qc_from_tag() for QCs owned by EH. It is quite easy to mistake that a QC marked with ATA_QCFLAG_FAILED was an error. However, a QC that was actually an error is instead indicated by having qc->err_mask set. E.g. when we have a NCQ error, we abort all QCs, which currently will mark all QCs as ATA_QCFLAG_FAILED. However, it will only be a single QC that is an error (i.e. has qc->err_mask set). Rename ATA_QCFLAG_FAILED to ATA_QCFLAG_EH to more clearly highlight that this flag simply means that a QC is now owned by EH. This new name will not mislead to think that the QC was an error (which is instead indicated by having qc->err_mask set). This also makes it more obvious that the EH code skips all QCs that do not have ATA_QCFLAG_EH set (rather than ATA_QCFLAG_FAILED), since the EH code should simply only care about QCs that are owned by EH itself. Signed-off-by: Niklas Cassel Reviewed-by: John Garry Signed-off-by: Damien Le Moal

ata: libata-sff: kill unused ata_sff_busy_sleep()

2022-11-11T08:20:26+00:00

Nobody seems to call ata_sff_busy_sleep(), so we can get rid of it... Signed-off-by: Sergey Shtylyov Signed-off-by: Damien Le Moal

ata: libata-sff: Fix double word in comments

2022-09-16T14:24:06+00:00

Remove the repeated word "Transfer" in comments. Signed-off-by: Shaomin Deng Signed-off-by: Damien Le Moal

ata: libata-sff: Fix compilation warning in ata_sff_lost_interrupt()

2022-04-04T00:49:42+00:00

When returning false, ata_sff_altstatus() does not return any status value, resulting in a compilation warning in ata_sff_lost_interrupt() ("uninitialized symbol 'status'"). Fix this by initializing the local variable "status" to 0. Fixes: 03c0e84f9c1e ("ata: libata-sff: refactor ata_sff_altstatus()") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal

ata: libata-sff: use switch statement in ata_sff_dev_classify()

2022-02-20T00:06:05+00:00

In ata_sff_dev_classify(), replace a string of the *if* statements checking the device's class with the *switch* statement that fits better here... While at it, fix the multi-line comment style in the vicinity... Signed-off-by: Sergey Shtylyov Signed-off-by: Damien Le Moal