[Bug,49151] NULL pointer dereference in pata_acpi

Message ID 20121021165800.7637511FC25@bugzilla.kernel.org
State Not Applicable
Delegated to: David Miller

Commit Message

bugzilla-daemon@bugzilla.kernel.org Oct. 21, 2012, 4:58 p.m.

--- Comment #5 from Borislav Petkov <bp@alien8.de> 2012-10-21 16:58:00 ---
On Sun, Oct 21, 2012 at 05:04:12PM +0100, Phillip Wood wrote:
> Thanks for responding to the bug report so quickly. I've applied your
> patch and the kernel now finds my hard drive and the logs (pasted
> below) have a couple of warnings generated by the patch. So if I've
> understood correctly then your theory that ata_timing_find_mode() is
> returning NULL is correct.

Yes, it appears so.

> Thanks for looking into this, just let me know if you want me to do
> anything else.

Right, so we know what exactly happens and I think we have the right
people on CC who can make sense of why it happens.

If I were to guess, this is most probably a BIOS bug (what else?! :-))
which the pata_acpi code is not ready to handle.

Btw, Jeff, AFAICT, libata code should at the very least catch this
situation so that we know. Patch for this below. From a quick look there
are a couple of drivers which do not check ata_timing_find_mode()'s retval
and I guess at least issuing a warning in such situations could be
helpful with future issues.

However, I don't know how chatty this warning could become and whether
this is the right approach and not auditing all users is better.

What you can do, Phillip, is check whether some other specific PATA
driver supports your hardware and enable it instead of PATA_ACPI. What
does lspci on the box say? Or rather 'lspci -v' for more details. You
can also send dmesg from the box.


From: Borislav Petkov <bp@alien8.de>
Date: Sun, 21 Oct 2012 18:49:08 +0200
Subject: [PATCH] libata: Warn when unable to find timing descriptor based on

ata_timing_find_mode could return NULL which is not checked by all
low-level ATA drivers using it and cause a NULL ptr deref. Warn at least
so that possible issues can get fixed easily.

Signed-off-by: Borislav Petkov <bp@alien8.de>
 drivers/ata/libata-core.c | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 3cc7096cfda7..f46fbd3bd3fb 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2942,6 +2942,10 @@  const struct ata_timing *ata_timing_find_mode(u8

     if (xfer_mode == t->mode)
         return t;
+    WARN_ONCE(true, "%s: unable to find timing for xfer_mode 0x%x\n",
+            __func__, xfer_mode);
     return NULL;
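Review bot: WARN_ONCE(true, ...) reports only the first unknown xfer_mode per boot and then goes silent, so when, as the commit message says, several drivers skip the NULL check, a second offending driver or a different mode on the same machine is never logged; a rate-limited warning here, or WARN_ON_ONCE at each call site, would keep every offender visible. Minor style point: kernel code conventionally writes the unconditional form as `WARN_ONCE(1, ...)` rather than `true`. Note also that `__func__` names the callee, so the driver that asked for the bad mode is only recoverable from the backtrace WARN prints; that is the information actually needed to fix the pata_acpi path.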
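To make the failure mode concrete, here is a small, self-contained model of the lookup and of a caller that handles the NULL return; this is an added example, not kernel code, and the timing table, its values and the function names `find_mode` and `set_mode_checked` are constructed for illustration.

```c
/* Simplified model of libata's timing lookup (added example, not kernel code). */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

struct ata_timing {
	uint8_t mode;	/* transfer mode id; table is sorted ascending */
	uint16_t setup;	/* constructed timing values, not real ones */
	uint16_t active;
};

/* Constructed table: three PIO-like modes, terminated by a 0xFF sentinel.
 * The sentinel bounds the scan below; 0xFF is therefore reserved. */
static const struct ata_timing timing_tbl[] = {
	{ 0x08, 70, 290 },
	{ 0x09, 50, 290 },
	{ 0x0a, 30, 290 },
	{ 0xFF,  0,   0 },
};

/* Returns NULL for a mode that is not in the table, as the thread
 * describes for ata_timing_find_mode(); the warning mirrors the patch. */
const struct ata_timing *find_mode(uint8_t xfer_mode)
{
	const struct ata_timing *t = timing_tbl;

	while (xfer_mode > t->mode)	/* stops at the sentinel at the latest */
		t++;
	if (xfer_mode == t->mode)
		return t;
	fprintf(stderr, "%s: unable to find timing for xfer_mode 0x%x\n",
		__func__, xfer_mode);
	return NULL;
}

/* Checked caller: a driver that does `t->setup` without the test below
 * is the NULL pointer dereference from the bug report. An unknown mode
 * (for example one handed over by firmware) yields -1 instead of a crash. */
int set_mode_checked(uint8_t xfer_mode, uint16_t *setup_out)
{
	const struct ata_timing *t = find_mode(xfer_mode);

	if (!t)
		return -1;
	*setup_out = t->setup;
	return 0;
}
```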