Commit Graph

337 Commits

Author SHA1 Message Date
Eric Biggers
2c1ec6fda2 libata: don't try to pass through NCQ commands to non-NCQ devices
syzkaller hit a WARN() in ata_bmdma_qc_issue() when writing to /dev/sg0.
This happened because it issued an ATA pass-through command (ATA_16)
where the protocol field indicated that NCQ should be used -- but the
device did not support NCQ.

We could just remove the WARN() from libata-sff.c, but the real problem
seems to be that the SCSI -> ATA translation code passes through NCQ
commands without verifying that the device actually supports NCQ.

Fix this by adding the appropriate check to ata_scsi_pass_thru().

Here's reproducer that works in QEMU when /dev/sg0 refers to a disk of
the default type ("82371SB PIIX3 IDE"):

    #include <fcntl.h>
    #include <unistd.h>

    int main()
    {
            char buf[53] = { 0 };

	    buf[36] = 0x85;		/* ATA_16 */
	    buf[37] = (12 << 1);	/* FPDMA */
	    buf[38] = 0x1;		/* Has data */
	    buf[51] = 0xC8;		/* ATA_CMD_READ */
            write(open("/dev/sg0", O_RDWR), buf, sizeof(buf));
    }

Fixes: ee7fb331c3 ("libata: add support for NCQ commands for SG interface")
Reported-by: syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2018-02-12 09:21:25 -08:00
Eric Biggers
058f58e235 libata: fix length validation of ATAPI-relayed SCSI commands
syzkaller reported a crash in ata_bmdma_fill_sg() when writing to
/dev/sg1.  The immediate cause was that the ATA command's scatterlist
was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a
write to 'qc->ap->bmdma_prd[0xffffffff]'.

Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags.  The
root cause is that when __ata_scsi_queuecmd() is preparing to relay a
SCSI command to an ATAPI device, it doesn't correctly validate the CDB
length before copying it into the 16-byte buffer 'cdb' in 'struct
ata_queued_cmd'.  Namely, it validates the fixed CDB length expected
based on the SCSI opcode but not the actual CDB length, which can be
larger due to the use of the SG_NEXT_CMD_LEN ioctl.  Since 'flags' is
the next member in ata_queued_cmd, a buffer overflow corrupts it.

Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN).

[Really it seems the length should be required to be <= dev->cdb_len,
but the current behavior seems to have been intentionally introduced by
commit 607126c2a2 ("libata-scsi: be tolerant of 12-byte ATAPI commands
in 16-byte CDBs") to work around a userspace bug in mplayer.  Probably
the workaround is no longer needed (mplayer was fixed in 2007), but
continuing to allow lengths to up 16 appears harmless for now.]

Here's a reproducer that works in QEMU when /dev/sg1 refers to the
CD-ROM drive that qemu-system-x86_64 creates by default:

    #include <fcntl.h>
    #include <sys/ioctl.h>
    #include <unistd.h>

    #define SG_NEXT_CMD_LEN 0x2283

    int main()
    {
	    char buf[53] = { [36] = 0x7e, [52] = 0x02 };
	    int fd = open("/dev/sg1", O_RDWR);
	    ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 });
	    write(fd, buf, sizeof(buf));
    }

The crash was:

    BUG: unable to handle kernel paging request at ffff8cb97db37ffc
    IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline]
    IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727
    PGD fb6c067 P4D fb6c067 PUD 0
    Oops: 0002 [#1] SMP
    CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    [...]
    Call Trace:
     ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421
     ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024
     __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline]
     ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375
     scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727
     scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865
     __blk_run_queue_uncond block/blk-core.c:412 [inline]
     __blk_run_queue+0x3a/0x60 block/blk-core.c:432
     blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78
     sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806
     sg_write+0x1ef/0x340 drivers/scsi/sg.c:677
     __vfs_write+0x31/0x160 fs/read_write.c:480
     vfs_write+0xa7/0x160 fs/read_write.c:544
     SYSC_write fs/read_write.c:589 [inline]
     SyS_write+0x4d/0xc0 fs/read_write.c:581
     do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x21/0x86

Fixes: 607126c2a2 ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs")
Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org> # v2.6.24+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2018-02-12 09:19:44 -08:00
Dong Bo
0d3e45bc65 libata: Fix compile warning with ATA_DEBUG enabled
This fixs the following comile warnings with ATA_DEBUG enabled,
which detected by Linaro GCC 5.2-2015.11:

  drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb':
  ./include/linux/kern_levels.h:5:18: warning: format '%d' expects
  argument of type 'int', but argument 6 has type 'u64 {aka long
   long unsigned int}' [-Wformat=]

tj: Patch hand-applied and description trimmed.

Signed-off-by: Dong Bo <dongbo4@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2018-02-12 08:58:08 -08:00
Colin Ian King
e94f7914fa libata: make static arrays const, reduces object code size
Don't populate const arrayis on the stack, instead make them static.
Makes the object code smaller by over 260 bytes:

Before:
   text	   data	    bss	    dec	    hex	filename
  64864	   5948	   4128	  74940	  124bc	drivers/ata/libata-scsi.o

After:
   text	   data	    bss	    dec	    hex	filename
  64183	   6364	   4128	  74675	  123b3	drivers/ata/libata-scsi.o

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-09-19 11:53:11 -07:00
Hans de Goede
f4ac647694 libata: Add new med_power_with_dipm link_power_management_policy setting
As described by Matthew Garret quite a while back:
https://mjg59.dreamwidth.org/34868.html

Intel CPUs starting with the Haswell generation need SATA links to power
down for the "package" part of the CPU to reach low power-states like
PC7 / P8 which bring a significant power-saving with them.

The default max_performance lpm policy does not allow for these high
PC states, both the medium_power and min_power policies do allow this.

The min_power policy saves significantly more power, but there are some
reports of some disks / SSDs not liking min_power leading to system
crashes and in some cases even data corruption has been reported.

Matthew has found a document documenting the default settings of
Intel's IRST Windows driver with which most laptops ship:
https://www-ssl.intel.com/content/dam/doc/reference-guide/sata-devices-implementation-recommendations.pdf

Matthew wrote a patch changing med_power to match those defaults, but
that never got anywhere as some people where reporting issues with the
patch-set that patch was a part of.

This commit is another attempt to make the default IRST driver settings
available under Linux, but instead of changing medium_power and
potentially introducing regressions, this commit adds a new
med_power_with_dipm setting which is identical to the existing
medium_power accept that it enables dipm on top, which makes it match
the Windows IRST driver settings, which should hopefully be safe to
use on most devices.

The med_power_with_dipm setting is close to min_power, except that:
a) It does not use host-initiated slumber mode (ASP not set),
   but it does allow device-initiated slumber
b) It does not enable DevSlp mode

On my T440s test laptop I get the following power savings when idle:
medium_power		0.9W
med_power_with_dipm	1.2W
min_power		1.2W

Suggested-by: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-09-18 20:22:04 -07:00
Dan Carpenter
59a5e266c3 libata: array underflow in ata_find_dev()
My static checker complains that "devno" can be negative, meaning that
we read before the start of the loop.  I've looked at the code, and I
think the warning is right.  This come from /proc so it's root only or
it would be quite a quite a serious bug.  The call tree looks like this:

proc_scsi_write() <- gets id and channel from simple_strtoul()
-> scsi_add_single_device() <- calls shost->transportt->user_scan()
   -> ata_scsi_user_scan()
      -> ata_find_dev()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org # all versions at this point
2017-07-19 10:31:51 -04:00
Christoph Hellwig
d80210f25f sd: add support for TCG OPAL self encrypting disks
Just wire up the generic TCG OPAL infrastructure to the SCSI disk driver
and the Security In/Out commands.

Note that I don't know of any actual SCSI disks that do support TCG OPAL,
but this is required to support ATA disks through libata.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-29 10:21:15 -04:00
Tejun Heo
c8ccf812c3 libata: fix build warning from unused goto label
b1ffbf854e ("libata: Support for an ATA PASS-THROUGH(32) command.")
introduced an unused goto label.  Remove it.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-29 10:20:59 -04:00
Minwoo Im
b1ffbf854e libata: Support for an ATA PASS-THROUGH(32) command.
SAT-4(SCSI/ATA Translation) supports for an ata pass-thru(32).
This patch will allow to translate an ata pass-thru(32) SCSI cmd
to an ATA cmd.

Signed-off-by: Minwoo Im <dn3108@gmail.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-27 11:25:39 -04:00
Minwoo Im
01efd6006d libata: make the function name in comment match the actual function
The function name used to be ata_scsiop_mode_select() but renamed to
ata_scsi_mode_select_xlat().  Update the comment accordingly.

tj: Minor commit desc update.

Signed-off-by: Minwoo Im <dn3108@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-20 13:35:15 -04:00
Joe Perches
6ef56325d8 libata: Convert bare printks to pr_cont
Linus Torvalds changed the behavior of printks without KERN_<LEVEL>.

Convert the continuation prints to use pr_cont.

At the same time, convert the existing printks with KERN_<LEVEL> to
pr_<level>

Miscellanea:

o Coalesce a multiline format

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-12 15:28:22 -04:00
Christoph Hellwig
818831c8b2 libata: implement SECURITY PROTOCOL IN/OUT
This allows us to use the generic OPAL code with ATA devices.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-06-05 15:29:22 -04:00
Mauro Carvalho Chehab
9bb9a39ce5 ata: update references for libata documentation
The libata documentation is now using ReST. Update references
to it to point to the new place.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-05-16 11:25:59 -04:00
Mauro Carvalho Chehab
6baf20bce8 libata: fix identation on a kernel-doc markup
Sphinx got confused with the markup identation:
	./drivers/ata/libata-scsi.c:3402: ERROR: Unexpected indentation.

No functional changes.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-05-16 11:23:45 -04:00
Christoph Hellwig
63ccc19164 libata: remove SCT WRITE SAME support
This was already disabled a while ago because it caused I/O errors,
and it's severly getting into the way of the discard / write zeroes
rework.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-04-28 18:09:59 -04:00
Christoph Hellwig
c6ade20f5e libata: reject passthrough WRITE SAME requests
The WRITE SAME to TRIM translation rewrites the DATA OUT buffer.  While
the SCSI code accomodates for this by passing a read-writable buffer
userspace applications don't cater for this behavior.  In fact it can
be used to rewrite e.g. a readonly file through mmap and should be
considered as a security fix.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-04-28 18:08:21 -04:00
Christoph Hellwig
76aaf87b4c scsi: merge __scsi_execute into scsi_execute
All but one caller want the decoded sense header, so offer the existing
__scsi_execute helper as the public scsi_execute API to simply the
callers.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-02-23 16:57:19 -05:00
Linus Torvalds
79f4d1d5c0 Merge branch 'for-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata
Pull libata updates from Tejun Heo:

 - Bartlomiej added pata_falcon

 - Christoph is trying to remove use of static 4k buf.  It's still WIP

 - config cleanup around HAS_DMA

 - other fixes and driver-specific changes

* 'for-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: (29 commits)
  ata: pata_of_platform: using of_property_read_u32() helper
  pata_atiixp: Don't use unconnected secondary port on SB600/SB700
  libata-sff: Don't scan disabled ports when checking for legacy mode.
  pata_octeon_cf: remove unused local variables from octeon_cf_set_piomode()
  ahci: qoriq: added ls2088a platforms support
  ahci: qoriq: report error when ecc register address is missing in dts
  ahci: qoriq: added a condition to enable dma coherence
  Revert "libata: switch to dynamic allocation instead of ata_scsi_rbuf"
  ahci: imx: fix building without hwmon or thermal
  ata: add Atari Falcon PATA controller driver
  ata: pass queued command to ->sff_data_xfer method
  ata: allow subsystem to be used on m68k arch
  libata: switch to dynamic allocation instead of ata_scsi_rbuf
  libata: don't call ata_scsi_rbuf_fill for command without a response buffer
  libata: call ->scsi_done from ata_scsi_simulate
  libata: remove the done callback from ata_scsi_args
  libata: move struct ata_scsi_args to libata-scsi.c
  libata: avoid global response buffer in atapi_qc_complete
  libata-eh: Use switch() instead of sparse array for protocol strings
  ata: sata_mv: Convert to devm_ioremap_resource()
  ...
2017-02-21 17:21:32 -08:00
Christoph Hellwig
57292b58dd block: introduce blk_rq_is_passthrough
This can be used to check for fs vs non-fs requests and basically
removes all knowledge of BLOCK_PC specific from the block layer,
as well as preparing for removing the cmd_type field in struct request.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-31 14:00:34 -07:00
Christoph Hellwig
82ed4db499 block: split scsi_request out of struct request
And require all drivers that want to support BLOCK_PC to allocate it
as the first thing of their private data.  To support this the legacy
IDE and BSG code is switched to set cmd_size on their queues to let
the block layer allocate the additional space.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-27 15:08:35 -07:00
Tejun Heo
d4ae1e2648 Revert "libata: switch to dynamic allocation instead of ata_scsi_rbuf"
This reverts commit a234f7395c.

The commit tried to get rid of the shared global SCSI response buffer.
Unfortunately, it added blocking allocation to atomic path.  Revert it
for now.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
2017-01-18 11:15:29 -08:00
Christoph Hellwig
a234f7395c libata: switch to dynamic allocation instead of ata_scsi_rbuf
Note of the emulated commands in the pageout/pagein path, so just do
a GFP_NOIO dynamic allocation.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 11:05:21 -05:00
Christoph Hellwig
a0c0b0e945 libata: don't call ata_scsi_rbuf_fill for command without a response buffer
No need to copy a zeroed buffer to the caller if the command is defined
to not have a response in the SCSI spec.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 10:55:40 -05:00
Christoph Hellwig
8fc6c0657b libata: call ->scsi_done from ata_scsi_simulate
We always need to call ->scsi_done after we've finished emulating a
command, so do it in a single place at the end of ata_scsi_simulate.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 10:55:40 -05:00
Christoph Hellwig
506db3609c libata: remove the done callback from ata_scsi_args
It's always the scsi_done callback, and we can get at that easily
in the place where ->done is called.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 10:55:40 -05:00
Christoph Hellwig
f0a37d12f5 libata: move struct ata_scsi_args to libata-scsi.c
It's only used in libata-scsi.c, so move it closer to the users.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 10:55:39 -05:00
Christoph Hellwig
aa18da8b7e libata: avoid global response buffer in atapi_qc_complete
We only need to look at 4 bytes of the inquiry response for ATAPI
devices.  Instead of using the global ata_scsi_rbuf just use a
a stack buffer.  Also factor the fixup into it's own little helper
function to make it more readable.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2017-01-10 10:55:38 -05:00
Linus Torvalds
7b882cb800 Merge branch 'for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata
Pull another libata patch from Tejun Heo:
 "One more patch from Adam added.

  It makes libata skip probing for NCQ prio unless the feature is
  explicitly requested by the user. This is necessary because some
  controllers lock up after the optional feature is probed"

* 'for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
  ata: avoid probing NCQ Prio Support if not explicitly requested
2016-12-13 15:30:50 -08:00
Adam Manzanares
9f56eca3ae ata: avoid probing NCQ Prio Support if not explicitly requested
Previously, when the ata device was being initialized we were
probing for NCQ prio support by checking the identify information
and also checking the log page that holds information about ncq prio
support.

This caused an error on an Intel HBA so the code is now updated to
only probe for NCQ prio support when the sysfs variable controlling
NCQ prio support is enabled.

tj: Update formatting, switch to spin_[un]lock_irq() and update
    locking a bit, use REVALIDATE instead of RESET, and return -EIO
    instead of -EINVAL on config failure.

Signed-off-by: Adam Manzanares <adam.manzanares@wdc.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-12-13 17:20:17 -05:00
Linus Torvalds
b92e09bb5b Merge branch 'for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata
Pull libata updates from Tejun Heo:

 - Adam added opt-in ATA command priority support.

 - There are machines which hide multiple nvme devices behind an ahci
   BAR. Dan Williams proposed a solution to force-switch the mode but
   deemed too hackishd. People are gonna discuss the proper way to
   handle the situation in nvme standard meetings. For now, detect and
   warn about the situation.

 - Low level driver specific changes.

Christoph Hellwig pipes in about the hidden nvme warning:
 "I wish that was the case. We've pretty much agreed that we'll want to
  implement it as a virtual PCIe root bridge, similar to Intels other
  'innovation' VMD that we work around that way.

  But Intel management has apparently decided that they don't want to
  spend more cycles on this now that Lenovo has an optional BIOS that
  doesn't force this broken mode anymore, and no one outside of Intel
  has enough information to implement something like this.

  So for now I guess this warning is it, until Intel reconsideres and
  spends resources on fixing up the damage their Chipset people caused"

* 'for-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
  ahci: warn about remapped NVMe devices
  ahci-remap.h: add ahci remapping definitions
  nvme: move NVMe class code to pci_ids.h
  pata: imx: support controller modes up to PIO4
  pata: imx: add support of setting timings for PIO modes
  pata: imx: set controller PIO mode with .set_piomode callback
  pata: imx: sort headers out
  ata: set ncq_prio_enabled iff device has support
  ata: ATA Command Priority Disabled By Default
  ata: Enabling ATA Command Priorities
  block: Add iocontext priority to request
  ahci: qoriq: added ls1046a platform support
2016-12-13 13:26:24 -08:00
Nicolai Stange
e185934ff9 libata-scsi: disable SCT Write Same for the moment
SCT Write Same support had been introduced with
commit 7b20309428 ("libata: Add support for SCT Write Same")

Some problems, namely excessive userspace segfaults, had been reported at

  http://lkml.kernel.org/r/20160908192736.GA4356@gmail.com

This lead to commit 0ce1b18c42 ("libata: Some drives failing on
SCT Write Same") which strived to disable SCT Write Same on !ZAC devices.
Due to the way this was done and to the logic in sd_config_write_same(),
this didn't work for those devices that have
->max_ws_blocks > SD_MAX_WS10_BLOCKS: for these, ->no_write_same and
->max_write_same_sectors would still be non-zero,
but ->ws10 == ->ws16 == 0. This would cause sd_setup_write_same_cmnd() to
demultiplex REQ_OP_WRITE_SAME requests to WRITE_SAME, and these in turn
aren't supported by libata-scsi:

  EXT4-fs (dm-1): Delayed block allocation failed for inode 2625094 at
                  logical offset 2032 with max blocks 2 with error 121
  EXT4-fs (dm-1): This should not happen!! Data will be lost

121 == EREMOTEIO is what scsi_io_completion() asserts in case of
invalid opcodes.

Back to the original problem of userspace segfaults: this can be tracked
down to ata_format_sct_write_same() overwriting the input page. Sometimes,
this page is ZERO_PAGE(0) which ceases to be filled with zeros from that
point on. Since ZERO_PAGE(0) is used for userspace .bss mappings, code of
the following is doomed:

  static char *a = NULL; /* .bss */
  ...
  if (a)
    *a = 'a';

This problem is not solved by disabling SCT Write Same for !ZAC devices
only.

It can certainly be fixed, but the final release is quite close -- so
disable SCT Write Same for all ATA devices rather than introducing some
SCT key buffer allocation schemes at this point.

Fixes: 7b20309428 ("libata: Add support for SCT Write Same")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-12-07 16:29:09 -05:00
Hannes Reinecke
e0029dcb5b libata-scsi: Fixup ata_gen_passthru_sense()
There's a typo in ata_gen_passthru_sense(), where the first byte
would be overwritten incorrectly later on.

Reported-by: Charles Machalow <csm10495@gmail.com>
Signed-off-by: Hannes Reinecke <hare@suse.com>
Fixes: 11093cb1ef ("libata-scsi: generate correct ATA pass-through sense")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-11-01 11:30:15 -06:00
Adam Manzanares
4e647d960c ata: set ncq_prio_enabled iff device has support
We previously had a check to see if the device has support for
prioritized ncq commands and a check to see if a device flag
is set, through a sysfs variable, in order to send a prioritized
command.

This patch only allows the sysfs variable to be set if the device
supports prioritized commands enabling one check in ata_build_rw_tf
in order to determine whether or not to send a prioritized command.

This patch depends on ata: ATA Command Priority Disabled By Default

tj: Minor subject and formatting updates.

Signed-off-by: Adam Manzanares <adam.manzanares@wdc.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-10-20 10:06:30 -04:00
Adam Manzanares
84f95243b5 ata: ATA Command Priority Disabled By Default
Add a sysfs entry to turn on priority information being passed
to a ATA device. By default this feature is turned off.

This patch depends on ata: Enabling ATA Command Priorities

tj: Renamed ncq_prio_on to ncq_prio_enable and removed trivial
    ata_ncq_prio_on() and open-coded the test.

Signed-off-by: Adam Manzanares <adam.manzanares@hgst.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-10-19 14:34:36 -04:00
Adam Manzanares
8e061784b5 ata: Enabling ATA Command Priorities
This patch checks to see if an ATA device supports NCQ command priorities.
If so and the user has specified an iocontext that indicates
IO_PRIO_CLASS_RT then we build a tf with a high priority command.

This is done to improve the tail latency of commands that are high
priority by passing priority to the device.

tj: Removed trivial ata_ncq_prio_enabled() and open-coded the test.

Signed-off-by: Adam Manzanares <adam.manzanares@hgst.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-10-19 14:34:36 -04:00
Shaun Tancheff
0ce1b18c42 libata: Some drives failing on SCT Write Same
Restrict support SCT Write Same to devices which also support ZAC where
support is required.

Reported-by: Mike Krinkin <krinkin.m.u@gmail.com>
Signed-off-by: Shaun Tancheff <shaun.tancheff@seagate.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-09-09 15:21:21 -04:00
Shaun Tancheff
7d36dd00ab libata: SCT Write Same handle ATA_DFLAG_PIO
Use non DMA write log when ATA_DFLAG_PIO is set.

Signed-off-by: Shaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
2016-08-25 11:26:48 -04:00
Shaun Tancheff
ef2d7392c4 libata: SCT Write Same / DSM Trim
Correct handling of devices with sector_size other that 512 bytes.

In the case of a 4Kn device sector_size it is possible to describe a much
larger DSM Trim than the current fixed default of 512 bytes.

This patch assumes the minimum descriptor is sector_size and fills out
the descriptor accordingly.

The ACS-2 specification is quite clear that the DSM command payload is
sized as number of 512 byte transfers so a 4Kn device will operate
correctly without this patch.

Signed-off-by: Shaun Tancheff <shaun.tancheff@seagate.com>
Acked-by: Tejun Heo <tj@kernel.org>
2016-08-25 11:26:48 -04:00
Shaun Tancheff
7b20309428 libata: Add support for SCT Write Same
SATA drives may support write same via SCT. This is useful
for setting the drive contents to a specific pattern (0's).

Translate a SCSI WRITE SAME 16 command to be either a DSM TRIM
command or an SCT Write Same command.

Based on the UNMAP flag:
  - When set translate to DSM TRIM
  - When not set translate to SCT Write Same

Signed-off-by: Shaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
2016-08-25 11:26:48 -04:00
Shaun Tancheff
9379e6b8e0 libata: Safely overwrite attached page in WRITE SAME xlat
Safely overwriting the attached page to ATA format from the SCSI formatted
variant.

Signed-off-by: Shaun Tancheff <shaun.tancheff@seagate.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
2016-08-25 11:26:48 -04:00
Tom Yan
535fd07220 libata-scsi: fix MODE SELECT translation for Control mode page
scsi_done() was called repeatedly and apparently because of that,
the kernel would call trace when we touch the Control mode page:

Call Trace:
 [<ffffffff812ea0d2>] dump_stack+0x63/0x81
 [<ffffffff81079cfb>] __warn+0xcb/0xf0
 [<ffffffff81079e2d>] warn_slowpath_null+0x1d/0x20
 [<ffffffffa00f51b0>] ata_eh_finish+0xe0/0xf0 [libata]
 [<ffffffffa00fb830>] sata_pmp_error_handler+0x640/0xa50 [libata]
 [<ffffffffa00470ed>] ahci_error_handler+0x1d/0x70 [libahci]
 [<ffffffffa00f55f0>] ata_scsi_port_error_handler+0x430/0x770 [libata]
 [<ffffffffa00eff8d>] ? ata_scsi_cmd_error_handler+0xdd/0x160 [libata]
 [<ffffffffa00f59d7>] ata_scsi_error+0xa7/0xf0 [libata]
 [<ffffffffa00913ba>] scsi_error_handler+0xaa/0x560 [scsi_mod]
 [<ffffffffa0091310>] ? scsi_eh_get_sense+0x180/0x180 [scsi_mod]
 [<ffffffff81098eb8>] kthread+0xd8/0xf0
 [<ffffffff815d913f>] ret_from_fork+0x1f/0x40
 [<ffffffff81098de0>] ? kthread_worker_fn+0x170/0x170
---[ end trace 8b7501047e928a17 ]---

Removed the unnecessary code and let ata_scsi_translate() do the job.

Also, since ata_mselect_control() has no ATA command to send to the
device, ata_scsi_mode_select_xlat() should return 1 for it, so that
ata_scsi_translate() will finish early to avoid ata_qc_issue().

Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-08-09 23:38:14 -04:00
Tom Yan
d7372cb629 libata-scsi: use u8 array to store mode page copy
ata_mselect_*() would initialize a char array for storing a copy of
the current mode page. However, char could be signed char. In that
case, bytes larger than 127 would be converted to negative number.

For example, 0xff from def_control_mpage[] would become -1. This
prevented ata_mselect_control() from working at all, since when it
did the read-only bits check, there would always be a mismatch.

Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-08-09 16:13:04 -04:00
Linus Torvalds
d05d7f4079 Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block
Pull core block updates from Jens Axboe:

   - the big change is the cleanup from Mike Christie, cleaning up our
     uses of command types and modified flags.  This is what will throw
     some merge conflicts

   - regression fix for the above for btrfs, from Vincent

   - following up to the above, better packing of struct request from
     Christoph

   - a 2038 fix for blktrace from Arnd

   - a few trivial/spelling fixes from Bart Van Assche

   - a front merge check fix from Damien, which could cause issues on
     SMR drives

   - Atari partition fix from Gabriel

   - convert cfq to highres timers, since jiffies isn't granular enough
     for some devices these days.  From Jan and Jeff

   - CFQ priority boost fix idle classes, from me

   - cleanup series from Ming, improving our bio/bvec iteration

   - a direct issue fix for blk-mq from Omar

   - fix for plug merging not involving the IO scheduler, like we do for
     other types of merges.  From Tahsin

   - expose DAX type internally and through sysfs.  From Toshi and Yigal

* 'for-4.8/core' of git://git.kernel.dk/linux-block: (76 commits)
  block: Fix front merge check
  block: do not merge requests without consulting with io scheduler
  block: Fix spelling in a source code comment
  block: expose QUEUE_FLAG_DAX in sysfs
  block: add QUEUE_FLAG_DAX for devices to advertise their DAX support
  Btrfs: fix comparison in __btrfs_map_block()
  block: atari: Return early for unsupported sector size
  Doc: block: Fix a typo in queue-sysfs.txt
  cfq-iosched: Charge at least 1 jiffie instead of 1 ns
  cfq-iosched: Fix regression in bonnie++ rewrite performance
  cfq-iosched: Convert slice_resid from u64 to s64
  block: Convert fifo_time from ulong to u64
  blktrace: avoid using timespec
  block/blk-cgroup.c: Declare local symbols static
  block/bio-integrity.c: Add #include "blk.h"
  block/partition-generic.c: Remove a set-but-not-used variable
  block: bio: kill BIO_MAX_SIZE
  cfq-iosched: temporarily boost queue priority for idle classes
  block: drbd: avoid to use BIO_MAX_SIZE
  block: bio: remove BIO_MAX_SECTORS
  ...
2016-07-26 15:03:07 -07:00
Tom Yan
737bee9308 libata-scsi: better style in ata_msense_*()
`changeable` is the "version" of mode page requested by the user.
It will be less confusing/misleading if we do not check it
"together" with the setting bits of the drive.

Not to mention that we currently have ata_mselect_*() implemented
in a way that each of them will serve exclusively a particular bit
on each page. The old style will hence make the condition look even
more unnecessarily arcane if the ata_msense_*() is reflecting more
than one bit.

Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-20 11:19:35 -04:00
Damien Le Moal
2950cefac0 libata-scsi: minor cleanup for ata_scsi_zbc_out_xlat
The reset_all variable name is misleading as this bit is also applicable to
open, close, and finish actions. So rename that variable to "all" and remove
the unnecessary mask operation that's already done earlier.

Signed-off-by: Damien Le Moal <damien.lemoal@hgst.com>
[hch: split from the previous patch]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-15 08:08:14 -04:00
Damien Le Moal
ee194b7531 libata-scsi: Fix ZBC management out command translation
The subcommand for NCQ NON-DATA must be specified in the feature
(low byte), not the high-order count byte.  Also make sure to properly
cast the all bit to a u16 before shiting it by 8 to avoid undefined
behavior.

Signed-off-by: Damien Le Moal <damien.lemoal@hgst.com>
[hch: split the original patch into two, updated changelog]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-15 08:08:14 -04:00
Damien Le Moal
3f17422b42 libata-scsi: Fix translation of REPORT ZONES command
Include reporting options when translating REPORT ZONES commmand to
ATA NCQ, and make sure we only look at the actually specified bits
in the CDB for the options.

Signed-off-by: Damien Le Moal <damien.lemoal@hgst.com>
[hch: update patch description]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-15 08:08:13 -04:00
Hannes Reinecke
5b844b63dd ata: Handle ATA NCQ NO-DATA commands correctly
Add a new taskfile protocol ATA_PROT_NCQ_NODATA to handle
ATA NCQ NO-DATA commands correctly.
And fixup ata_scsi_zbc_out_xlat() to use it.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-15 08:08:13 -04:00
Hannes Reinecke
179b310ae7 libata: use ata_is_ncq() accessors
Use accessor functions instead of the raw value.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-14 10:44:57 -04:00
Tom Yan
2983860c76 libata-scsi: avoid repeated calculation of number of TRIM ranges
Currently libata statically allows only 1-block (512-byte) payload
for each TRIM command. Each payload can carry 64 TRIM ranges since
each range requires 8 bytes.

It is silly to keep doing the calculation (512 / 8) in different
places. Hence, define the new ATA_MAX_TRIM_RNUM for the result.

Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2016-07-12 16:37:17 -04:00