From d0ad3bc97c06fba5d37b4ca03c03b7eeeda39c47 Mon Sep 17 00:00:00 2001
From: James Bottomley
Date: Tue, 22 Jan 2008 13:43:48 -0600
Subject: [SCSI] libata: fix corruption induced by relaxed DMA alignment in SCSI
Hugh Dickens noticed that SMART commands issued from user space can end up corupting memory. The problem occurs if the buffer used to read data spans two pages. The reason is that the PIO sector routines in libata are expecting physically contiguous pages when they do sector operations, so the left overs on the second page go into the next physically adjacent page rather than the next page in the sg mapping. Fix this by enforcing strict 512 byte alignment on all buffers from userspace.
Acked-by: Hugh Dickins
Acked-by: Jeff Garzik
Signed-off-by: James Bottomley
---
 drivers/ata/libata-scsi.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'drivers/ata')
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index 4bb268b9aaeb..bc5cf6b8a4b8 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -824,9 +824,6 @@ static void ata_scsi_sdev_config(struct scsi_device *sdev)
 * requests.
 */
 sdev->max_device_blocked = 1;
-
- /* set the min alignment */
- blk_queue_update_dma_alignment(sdev->request_queue, ATA_DMA_PAD_SZ - 1);
 }
 
 static void ata_scsi_dev_config(struct scsi_device *sdev,
@@ -842,7 +839,14 @@ static void ata_scsi_dev_config(struct scsi_device *sdev,
 if (dev->class == ATA_DEV_ATAPI) {
 struct request_queue *q = sdev->request_queue;
 blk_queue_max_hw_segments(q, q->max_hw_segments - 1);
- }
+
+ /* set the min alignment */
+ blk_queue_update_dma_alignment(sdev->request_queue,
+ ATA_DMA_PAD_SZ - 1);
+ } else
+ /* ATA devices must be sector aligned */
+ blk_queue_update_dma_alignment(sdev->request_queue,
+ ATA_SECT_SIZE - 1);
 
 if (dev->flags & ATA_DFLAG_AN)
 set_bit(SDEV_EVT_MEDIA_CHANGE, sdev->supported_events);
--
cgit v1.2.3
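Review bot: The new `else` branch in ata_scsi_dev_config sets what is, going by the commit message, the alignment that stops a user-space buffer from splitting a sector across two pages, but its comment (`/* ATA devices must be sector aligned */`) does not record that relaxing it brings back the memory corruption. I would expand it to something like `/* PIO sector routines assume a sector is physically contiguous; buffers from userspace must be 512-byte aligned or the tail is written to the wrong page */`. The branch is also left unbraced while the `if` side is braced, and its body is a comment plus a two-line call; writing `} else {` with a closing `}` keeps a later added statement from silently running for ATAPI devices as well. Inside the ATAPI branch the local `q` is already in scope and could replace `sdev->request_queue` in the added call. The function starts and ends outside this hunk, so whether later queue setup overrides this alignment cannot be checked from here.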