From: David Milburn <dmilburn@redhat.com>
Date: Mon, 3 Nov 2008 11:26:09 -0600
Subject: [sata] libata is broken with large disks
Message-id: 20081103172609.GA4918@dhcp-210.hsv.redhat.com
O-Subject: [RHEL5.3 PATCH] libata is broken with large disks (1.5TB)
Bugzilla: 469715
RH-Acked-by: Jeff Garzik <jgarzik@redhat.com>
RH-Acked-by: Jonathan Brassow <jbrassow@redhat.com>
RH-Acked-by: Alan Cox <alan@redhat.com>

On Fri, Oct 31, 2008 at 07:00:25PM -0400, Chuck Ebbert wrote:
> Per this commit headed for upstream:
>
> From: Roland Dreier <rdreier@cisco.com>
> Date: Tue, 28 Oct 2008 23:52:20 +0000 (-0700)
> Subject: libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127
> X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjgarzik%2Flibata-dev.git;a=commitdiff_plain;h=ba14a9c291aa867896a90b3571fcc1c3759942ff
>
> libata: Avoid overflow in ata_tf_to_lba48() when tf->hba_lbal > 127
>
> In ata_tf_to_lba48(), when evaluating
>
> 	(tf->hob_lbal & 0xff) << 24
>
> the expression is promoted to signed int (since int can hold all values
> of u8).  However, if hob_lbal is 128 or more, then it is treated as a
> negative signed value and sign-extended when promoted to u64 to | into
> sectors, which leads to the MSB 32 bits of section getting set
> incorrectly.
>
> For example, Phillip O'Donnell <phillip.odonnell@gmail.com> reported
> that a 1.5GB drive caused:
>
>     ata3.00: HPA detected: current 2930277168, native 18446744072344861488
>
> where 2930277168 == 0xAEA87B30 and 18446744072344861488 == 0xffffffffaea87b30
> which shows the problem when hob_lbal is 0xae.
>
> Fix this by adding a cast to u64, just as is used by for hob_lbah and
> hob_lbam in the function.
>
> Reported-by: Phillip O'Donnell <phillip.odonnell@gmail.com>
> Signed-off-by: Roland Dreier <rolandd@cisco.com>
> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
> ---
>
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e398df1..8824c8d 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -1268,7 +1268,7 @@ u64 ata_tf_to_lba48(const struct ata_taskfile *tf)
>
>  	sectors |= ((u64)(tf->hob_lbah & 0xff)) << 40;
>  	sectors |= ((u64)(tf->hob_lbam & 0xff)) << 32;
> -	sectors |= (tf->hob_lbal & 0xff) << 24;
> +	sectors |= ((u64)(tf->hob_lbal & 0xff)) << 24;
>  	sectors |= (tf->lbah & 0xff) << 16;
>  	sectors |= (tf->lbam & 0xff) << 8;
>  	sectors |= (tf->lbal & 0xff);
>

Thanks Chuck, opened up BZ 469715 and rediff'd against
rhel5.

David

 drivers/ata/libata-core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index ca76707..2f46fcd 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -1197,7 +1197,7 @@ u64 ata_tf_to_lba48(const struct ata_taskfile *tf)
 
 	sectors |= ((u64)(tf->hob_lbah & 0xff)) << 40;
 	sectors |= ((u64)(tf->hob_lbam & 0xff)) << 32;
-	sectors |= (tf->hob_lbal & 0xff) << 24;
+	sectors |= ((u64)(tf->hob_lbal & 0xff)) << 24;
 	sectors |= (tf->lbah & 0xff) << 16;
 	sectors |= (tf->lbam & 0xff) << 8;
 	sectors |= (tf->lbal & 0xff);