In ata_tf_to_lba48(), when evaluating (tf->hob_lbal & 0xff) << 24 the expression is promoted to signed int (since int can hold all values of u8). However, if hob_lbal is 128 or more, then it is treated as a negative signed value and sign-extended when promoted to u64 to | into sectors, which leads to the MSB 32 bits of section getting set incorrectly. Actual results: May cause data corruption on large disks (1.5 TB). Expected results: Large disk should work correctly.
Created attachment 322342 [details] Upstream patch to correct problem commit ba14a9c291aa867896a90b3571fcc1c3759942ff Author: Roland Dreier <rdreier> Date: Tue Oct 28 16:52:20 2008 -0700 libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127 In ata_tf_to_lba48(), when evaluating (tf->hob_lbal & 0xff) << 24 the expression is promoted to signed int (since int can hold all values of u8). However, if hob_lbal is 128 or more, then it is treated as a negative signed value and sign-extended when promoted to u64 to | into sectors, which leads to the MSB 32 bits of section getting set incorrectly. For example, Phillip O'Donnell <phillip.odonnell> reported that a 1.5GB drive caused: ata3.00: HPA detected: current 2930277168, native 18446744072344861488 where 2930277168 == 0xAEA87B30 and 18446744072344861488 == 0xffffffffaea87b3 which shows the problem when hob_lbal is 0xae. Fix this by adding a cast to u64, just as is used by for hob_lbah and hob_lbam in the function. Reported-by: Phillip O'Donnell <phillip.odonnell> Signed-off-by: Roland Dreier <rolandd> Signed-off-by: Jeff Garzik <jgarzik>
*** Bug 469716 has been marked as a duplicate of this bug. ***
in kernel-2.6.18-123.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5
An additional overflow has been found. Fixed by: 44901a96847b9967c057832b185e2f34ee6a14e5 libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127
Opened BZ 471576 for possible overflow in ata_tf_read_block.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-0225.html