patch: fix ata panic with Thinkpad CD and DVD drives

Søren Schmidt sos at
Tue Mar 8 02:57:28 PST 2005

Nate Lawson wrote:
> If you've been having "memory modified after free" panics on -current 
> and have a Thinkpad, the attached patch should fix things for you.  A 
> quick check of RELENG_5 indicates that the bug is probably there also 
> but I haven't tested for it there.
> The bug is triggered by timeouts in the ata_getparam() probe path.  The 
> ata_timeout() fires and ata_end_transaction() is called to get the 
> status.  However, it continues down into ata_pio_read() even though 
> there is no data available since we had a timeout, not read completion. 
>    ata_pio_read() reads 512 bytes of probably bogus data.  The important 
> problem is that it also advances donecount.  On subsequent timeouts 
> (note there are 4 below), donecount advances into unallocated memory and 
> so subsequent ata_pio_read() calls overwrite 512 bytes of someone else's 
> memory.
> The fix is to exit immediately if ATA_R_TIMEOUT is set after reading the 
> status in ata_end_transaction().  It shouldn't go into ata_pio_read() if 
> there was a timeout.  The patch does this.
> However, it only handles PIO timeouts since I wasn't sure the best way 
> to proceed for unwinding DMA state and the like for the other cases. 
> This is enough to fix the overwrite and subsequent panic on my systems. 
>  I've run heavy IO stress and DVD accesses for a while and no further 
> panics.
> While looking into this, I found another potential problem.  In one 
> reinjection case, donecount wasn't reset to 0.  The patch for 
> ata-queue.c does this and I think it's necessary but don't hit this case 
> in testing so I can't be sure.  Finally, there's one whitespace nit that 
> helps with clarity.
> These are similar bugs to one found back in August that had the same 
> effect.  Here's the closest reference I could find in the mail archives 
> for this:

Just a note from here, these bugs are fixed in ATA mkIII so you could 
just have gleaned the solution from there (or maybe you did :))



More information about the freebsd-stable mailing list