Hello,

The following program triggers a WARNING in ata_sff_qc_issue:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/syscall.h>
#include <stdint.h>

int main()
{
  syscall(__NR_mmap, 0x20000000ul, 0xf9b000ul, 0x3ul, 0x32ul, -1, 0);
  int fd = syscall(__NR_open, "/dev/sg0", 0x800142ul, 0, 0, 0, 0, 0, 0);
  (*(uint32_t*)0x20007000 = (uint32_t)0x50);
  (*(uint32_t*)0x20007004 = (uint32_t)0xd7b);
  (*(uint64_t*)0x20007008 = (uint64_t)0x1000000000);
  (*(uint32_t*)0x20007010 = (uint32_t)0x6);
  (*(uint32_t*)0x20007014 = (uint32_t)0x5);
  (*(uint32_t*)0x20007018 = (uint32_t)0x10001);
  (*(uint32_t*)0x2000701c = (uint32_t)0x0);
  (*(uint16_t*)0x20007020 = (uint16_t)0x3);
  (*(uint16_t*)0x20007022 = (uint16_t)0xfffffffffffffffd);
  (*(uint32_t*)0x20007024 = (uint32_t)0x8000000001885);
  (*(uint32_t*)0x20007028 = (uint32_t)0x1);
  (*(uint32_t*)0x2000702c = (uint32_t)0x0);
  (*(uint32_t*)0x20007030 = (uint32_t)0x0);
  (*(uint32_t*)0x20007034 = (uint32_t)0x0);
  (*(uint32_t*)0x20007038 = (uint32_t)0x0);
  (*(uint32_t*)0x2000703c = (uint32_t)0x0);
  (*(uint32_t*)0x20007040 = (uint32_t)0x0);
  (*(uint32_t*)0x20007044 = (uint32_t)0x0);
  (*(uint32_t*)0x20007048 = (uint32_t)0x0);
  (*(uint32_t*)0x2000704c = (uint32_t)0x0);
  syscall(__NR_write, fd, 0x20007000ul, 0x50ul);
  return 0;
}

sg_write: data in/out 3415/28 bytes for SCSI command 0x85-- guessing data in; program a.out not setting count and/or reply_len properly
------------[ cut here ]------------
WARNING: CPU: 3 PID: 2936 at drivers/ata/libata-sff.c:1485 ata_sff_qc_issue+0x6a2/0x820 drivers/ata/libata-sff.c:1485
Kernel panic - not syncing: panic_on_warn set ...
CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0+ #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 panic+0x1fb/0x412 kernel/panic.c:179
 __warn+0x1c4/0x1e0 kernel/panic.c:540
 warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
 ata_sff_qc_issue+0x6a2/0x820 drivers/ata/libata-sff.c:1485
 ata_bmdma_qc_issue+0x288/0x5b0 drivers/ata/libata-sff.c:2799
 ata_qc_issue+0x6f5/0x1030 drivers/ata/libata-core.c:5335
 ata_scsi_translate+0x39b/0x5f0 drivers/ata/libata-scsi.c:2025
 __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4253 [inline]
 ata_scsi_queuecmd+0x37b/0x7d0 drivers/ata/libata-scsi.c:4302
 scsi_dispatch_cmd+0x43a/0xb80 drivers/scsi/scsi_lib.c:1691
 scsi_request_fn+0x1071/0x1d80 drivers/scsi/scsi_lib.c:1826
 __blk_run_queue_uncond block/blk-core.c:305 [inline]
 __blk_run_queue+0xc5/0x130 block/blk-core.c:323
 blk_execute_rq_nowait+0x31b/0x470 block/blk-exec.c:79
 sg_common_write.isra.21+0x11b7/0x1c10 drivers/scsi/sg.c:803
 sg_write+0x7fa/0xe90 drivers/scsi/sg.c:679
 __vfs_write+0x5b1/0x740 fs/read_write.c:510
 vfs_write+0x187/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xfb/0x230 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x434b09
RSP: 002b:00007ffd3ba38278 EFLAGS: 00000203 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000401860 RCX: 0000000000434b09
RDX: 0000000000000050 RSI: 0000000020007000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000203 R12: 0000001000000000
R13: 0000000000401860 R14: 00000000004018f0 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

If the WARNING is merely meant to inform the user about an invalid protocol, please issue a single-line pr_err without the stack trace (the invalid protocol value may be more interesting).
On commit e5d56efc97f8240d0b5d66c03949382b6d7e5570.