freebsd-nq/sys/dev/iscsi_initiator/isc_cam.c
Alan Somers 4195c7de24 Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name)
The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are
fixed-length strings. AFAICT the only place they're read is in
sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated.
However, the kernel doesn't null-terminate them. A bunch of copy-pasted code
uses strncpy to write them, and doesn't guarantee null-termination. For at
least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually
overflows. You can see the result by doing "camcontrol negotiate da0 -v".

This change null-terminates those fields everywhere they're set in the
kernel. It also shortens a few strings to ensure they'll fit within the
16-character field.

PR:		215474
Reported by:	Coverity
CID:		1009997 1010000 1010001 1010002 1010003 1010004 1010005
CID:		1331519 1010006 1215097 1010007 1288967 1010008 1306000
CID:		1211924 1010009 1010010 1010011 1010012 1010013 1010014
CID:		1147190 1010017 1010016 1010018 1216435 1010020 1010021
CID:		1010022 1009666 1018185 1010023 1010025 1010026 1010027
CID:		1010028 1010029 1010030 1010031 1010033 1018186 1018187
CID:		1010035 1010036 1010042 1010041 1010040 1010039
Reviewed by:	imp, sephe, slm
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D9037
Differential Revision:	https://reviews.freebsd.org/D9038
2017-01-04 20:26:42 +00:00


/*-
* Copyright (c) 2005-2010 Daniel Braniss <danny@cs.huji.ac.il>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
/*
| $Id: isc_cam.c 998 2009-12-20 10:32:45Z danny $
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_iscsi_initiator.h"
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/callout.h>
#if __FreeBSD_version >= 700000
#include <sys/lock.h>
#include <sys/mutex.h>
#endif
#include <sys/conf.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/uio.h>
#include <sys/sysctl.h>
#include <sys/sx.h>
#include <vm/uma.h>
#include <cam/cam.h>
#include <cam/cam_ccb.h>
#include <cam/cam_sim.h>
#include <cam/cam_xpt_sim.h>
#include <cam/cam_periph.h>
#include <dev/iscsi_initiator/iscsi.h>
#include <dev/iscsi_initiator/iscsivar.h>
/*
 * Answer an XPT_PATH_INQ request: describe this session's SIM in the
 * path-inquiry part of the CCB and mark the request complete.
 *
 * sim  the SIM being queried; its softc is the iSCSI session
 * ccb  the request; only the ccb_pathinq view (ccb->cpi) is written
 */
static void
_inq(struct cam_sim *sim, union ccb *ccb)
{
	struct ccb_pathinq	*cpi = &ccb->cpi;
	isc_session_t		*sp = cam_sim_softc(sim);

	debug_called(8);
	debug(3, "sid=%d target=%d lun=%jx", sp->sid, ccb->ccb_h.target_id, (uintmax_t)ccb->ccb_h.target_lun);

	/*
	 * Identification strings.  These are fixed-length fields; strlcpy()
	 * always leaves a terminating NUL inside the given size, so a reader
	 * that treats them as C strings cannot run past the field.
	 */
	strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
	strlcpy(cpi->hba_vid, "iSCSI", HBA_IDLEN);
	strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
	cpi->unit_number = cam_sim_unit(sim);
	cpi->bus_id = cam_sim_bus(sim);

	/* Capabilities advertised to CAM. */
	cpi->version_num = 1; /* XXX??? */
	cpi->hba_inquiry = PI_SDTR_ABLE | PI_TAG_ABLE | PI_WIDE_32;
	cpi->hba_misc = 0;
	cpi->hba_eng_cnt = 0;
	cpi->target_sprt = 0;
	cpi->base_transfer_speed = 3300; // 40000; // XXX:

	/* Addressing limits. */
	cpi->max_target = 0; //ISCSI_MAX_TARGETS - 1;
	cpi->initiator_id = ISCSI_MAX_TARGETS;
	/* NOTE(review): assumes sp->opt.maxluns is at least 1 -- confirm. */
	cpi->max_lun = sp->opt.maxluns - 1;

#if defined(KNOB_VALID_ADDRESS)
	cpi->transport = XPORT_ISCSI;
	cpi->transport_version = 0;
#endif
	cpi->ccb_h.status = CAM_REQ_CMP;
}
/*
 * Hand a SCSI I/O CCB to scsi_encap() and return its result.
 *
 * On FreeBSD 7 and later the session's CAM mutex is released for the
 * duration of the call and re-acquired before returning; older kernels
 * call scsi_encap() directly.
 */
static __inline int
_scsi_encap(struct cam_sim *sim, union ccb *ccb)
{
#if __FreeBSD_version < 700000
	return scsi_encap(sim, ccb);
#else
	isc_session_t	*sp = cam_sim_softc(sim);
	int		rc;

	/* presumably the caller enters with cam_mtx held -- TODO confirm */
	mtx_unlock(&sp->cam_mtx);
	rc = scsi_encap(sim, ccb);
	mtx_lock(&sp->cam_mtx);

	return rc;
#endif
}
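/*
 * Tell CAM that the session's device is gone and release the session's
 * CAM path.  Does nothing when the session has no path.
 *
 * sp      session whose path is torn down
 * target  target number; used only in the debug trace
 */
void
ic_lost_target(isc_session_t *sp, int target)
{
	debug_called(8);
	sdebug(2, "lost target=%d", target);

	/*
	 * NOTE(review): this test is made without cam_mtx held; confirm that
	 * callers serialize teardown of the path.
	 */
	if(sp->cam_path == NULL)
		return;

	mtx_lock(&sp->cam_mtx);
	xpt_async(AC_LOST_DEVICE, sp->cam_path, NULL);
	xpt_free_path(sp->cam_path);
	/*
	 * Clear the pointer in the same critical section as the free, so that
	 * a freed path is never left visible in the session once the mutex
	 * is dropped.
	 */
	sp->cam_path = NULL;
	mtx_unlock(&sp->cam_mtx);
}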
/*
 * Completion callback for the rescan CCB issued by ic_scan(): free the
 * CCB and, if a thread is waiting on the scan, clear ISC_SCANWAIT and
 * wake it.
 */
static void
scan_callback(struct cam_periph *periph, union ccb *ccb)
{
	/* The session pointer lives in the CCB, so read it before the free. */
	isc_session_t *sp = (isc_session_t *)ccb->ccb_h.spriv_ptr0;

	debug_called(8);
	xpt_free_ccb(ccb);

	if((sp->flags & ISC_SCANWAIT) == 0)
		return;

	sp->flags &= ~ISC_SCANWAIT;
	wakeup(sp);
}
/*
 * Ask CAM to rescan the session's path and sleep until scan_callback()
 * clears ISC_SCANWAIT.
 *
 * Returns 0 and sets ISC_CAMDEVS when at least one LUN was counted in
 * sp->target_nluns, ENODEV otherwise.
 */
static int
ic_scan(isc_session_t *sp)
{
	union ccb	*ccb;

	debug_called(8);
	sdebug(2, "scanning sid=%d", sp->sid);

	sp->flags = (sp->flags & ~ISC_CAMDEVS) | ISC_SCANWAIT;

	/* NOTE(review): the result of xpt_alloc_ccb() is used unchecked. */
	ccb = xpt_alloc_ccb();
	ccb->ccb_h.path = sp->cam_path;
	ccb->ccb_h.cbfcnp = scan_callback;
	ccb->ccb_h.spriv_ptr0 = sp;
	xpt_rescan(ccb);

	/*
	 * tsleep()'s result is ignored, so a timeout only causes the flag to
	 * be tested again.  The timeout time should be configurable.
	 */
	for(;;) {
		if((sp->flags & ISC_SCANWAIT) == 0)
			break;
		tsleep(sp, PRIBIO, "ffp", 5*hz);
	}

	sdebug(2, "# of luns=%d", sp->target_nluns);
	if(sp->target_nluns <= 0)
		return ENODEV;

	sp->flags |= ISC_CAMDEVS;
	return 0;
}
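/*
 * CAM action entry point for the iSCSI SIM: dispatch one CCB by its
 * function code and complete it.
 *
 *   XPT_PATH_INQ       answered by _inq()
 *   XPT_RESET_BUS      stub, completes successfully
 *   XPT_SCSI_IO        passed to _scsi_encap(); when that returns non-zero
 *                      the CCB is NOT completed here
 *   XPT_CALC_GEOMETRY  records the LUN in the session's LUN bitmap and
 *                      lets cam_calc_geometry() fill in the geometry
 *   anything else      CAM_REQ_INVALID
 *
 * sim  the SIM the request is addressed to; its softc is the session
 * ccb  the request
 */
static void
ic_action(struct cam_sim *sim, union ccb *ccb)
{
	isc_session_t	*sp = cam_sim_softc(sim);
	struct ccb_hdr	*ccb_h = &ccb->ccb_h;

	debug_called(8);

	ccb_h->spriv_ptr0 = sp;

	/*
	 * Test the session before anything can look through it.
	 * NOTE(review): the CCB is not completed on this path.
	 */
	if(sp == NULL) {
		xdebug("sp == NULL! cannot happen");
		return;
	}

	/* presumably sdebug() reads sp, hence it comes after the NULL test */
	sdebug(4, "func_code=0x%x flags=0x%x status=0x%x target=%d lun=%jx retry_count=%d timeout=%d",
	       ccb_h->func_code, ccb->ccb_h.flags, ccb->ccb_h.status,
	       ccb->ccb_h.target_id, (uintmax_t)ccb->ccb_h.target_lun,
	       ccb->ccb_h.retry_count, ccb_h->timeout);

	switch(ccb_h->func_code) {
	case XPT_PATH_INQ:
		_inq(sim, ccb);
		break;

	case XPT_RESET_BUS: // (can just be a stub that does nothing and completes)
		debug(3, "XPT_RESET_BUS");
		ccb_h->status = CAM_REQ_CMP;
		break;

	case XPT_SCSI_IO:
	{
		struct ccb_scsiio* csio = &ccb->csio;

		debug(4, "XPT_SCSI_IO cmd=0x%x", csio->cdb_io.cdb_bytes[0]);
		/* sp was already checked above; no second NULL test is needed. */
		if(ccb_h->target_lun == CAM_LUN_WILDCARD) {
			debug(3, "target=%d: bad lun (-1)", ccb_h->target_id);
			ccb_h->status = CAM_LUN_INVALID;
			break;
		}
		/* Non-zero: return without calling xpt_done() for this CCB. */
		if(_scsi_encap(sim, ccb) != 0)
			return;
		break;
	}

	case XPT_CALC_GEOMETRY:
	{
		struct ccb_calc_geometry *ccg = &ccb->ccg;
		uintmax_t	wide_lun;
		int		lun, *off, boff;

		debug(4, "sid=%d target=%d lun=%jx XPT_CALC_GEOMETRY vsize=%jd bsize=%d",
		      sp->sid, ccb->ccb_h.target_id, (uintmax_t)ccb->ccb_h.target_lun,
		      ccg->volume_size, ccg->block_size);

		if(ccg->block_size == 0 ||
		   (ccg->volume_size < ccg->block_size)) {
			/*
			 * Do not complete the request with whatever status the
			 * caller left in the header; report it as invalid, as
			 * the default case does.
			 */
			ccb_h->status = CAM_REQ_INVALID;
			break;
		}

		/*
		 * Bound the LUN in its full width before it is narrowed to
		 * int.  Narrowing first lets a large LUN become negative,
		 * pass a signed "> ISCSI_MAX_LUNS" test and then index far
		 * outside the bitmap; ">" instead of ">=" also let
		 * lun == ISCSI_MAX_LUNS through.
		 * assumes sp->target_lun holds ISCSI_MAX_LUNS bits -- confirm
		 * against its declaration.
		 */
		wide_lun = (uintmax_t)ccb_h->target_lun;
		if(wide_lun >= ISCSI_MAX_LUNS) {
			// XXX:
			xdebug("lun %ju >= ISCSI_MAX_LUNS!\n", wide_lun);
			wide_lun %= ISCSI_MAX_LUNS;
		}
		lun = (int)wide_lun;

		off = &sp->target_lun[lun / (sizeof(int)*8)];
		boff = BIT(lun % (sizeof(int)*8));
		debug(4, "sp->target_nluns=%d *off=%x boff=%x",
		      sp->target_nluns, *off, boff);

		/* Count each LUN once: only when its bit was still clear. */
		if((*off & boff) == 0) {
			sp->target_nluns++;
			*off |= boff;
		}
		cam_calc_geometry(ccg, /*extended*/1);
		break;
	}

	case XPT_GET_TRAN_SETTINGS:
	default:
		ccb_h->status = CAM_REQ_INVALID;
		break;
	}

#if __FreeBSD_version < 700000
	XPT_DONE(sp, ccb);
#else
	xpt_done(ccb);
#endif
}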
/*
 * Poll entry point registered with cam_sim_alloc().  It does no work
 * beyond the debug trace.
 */
static void
ic_poll(struct cam_sim *sim)
{
	debug_called(4);
	(void)sim;	/* unused */
}
/*
 * Report the CAM identifiers of a session.
 *
 * sp  session to describe; may be NULL
 * cp  receives path_id, target_id and target_nluns; used unchecked
 *
 * Returns 0 on success, ENXIO when there is no session or no SIM.
 *
 * A non-NULL sp->cam_sim is the only validity test made here, so code
 * that frees the SIM has to clear that pointer or this check will pass
 * on a stale one.
 */
int
ic_getCamVals(isc_session_t *sp, iscsi_cam_t *cp)
{
	debug_called(8);

	if(sp == NULL || sp->cam_sim == NULL)
		return ENXIO;

	cp->path_id = cam_sim_path(sp->cam_sim);
	cp->target_id = 0;
	cp->target_nluns = ISCSI_MAX_LUNS; // XXX: -1?

	return 0;
}
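/*
 * Tear down the CAM side of a session: free the path, deregister the bus
 * and free the SIM together with its device queue.
 *
 * Nothing is done when the session has no path.
 * NOTE(review): that includes the case where the path was already
 * released but sp->cam_sim is still registered; confirm the SIM cannot
 * be leaked that way.
 */
void
ic_destroy(isc_session_t *sp )
{
	debug_called(8);

	if(sp->cam_path == NULL)
		return;

	sdebug(2, "name=%s unit=%d",
	       cam_sim_name(sp->cam_sim), cam_sim_unit(sp->cam_sim));

	CAM_LOCK(sp);
	/*
	 * NOTE(review): XPT_RESET_BUS is used elsewhere in this file as a CCB
	 * function code, while the disabled branch passes an AC_* async
	 * code; confirm which one xpt_async() is meant to receive.
	 */
#if 0
	xpt_async(AC_LOST_DEVICE, sp->cam_path, NULL);
#else
	xpt_async(XPT_RESET_BUS, sp->cam_path, NULL);
#endif
	xpt_free_path(sp->cam_path);
	xpt_bus_deregister(cam_sim_path(sp->cam_sim));
	cam_sim_free(sp->cam_sim, TRUE /*free_devq*/);
	/*
	 * Both objects are gone; drop the references so a later NULL test on
	 * the session (e.g. in ic_getCamVals()) does not accept freed memory.
	 */
	sp->cam_path = NULL;
	sp->cam_sim = NULL;
	CAM_UNLOCK(sp);

	sdebug(2, "done");
}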
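/*
 * Attach a session to CAM: allocate a device queue and a SIM, register
 * the bus, create a wildcard path and start a scan.
 *
 * Returns 0 on success, ENOMEM when the device queue cannot be
 * allocated, ENXIO when the SIM, the bus registration or the path
 * fails.  Every failure path releases what was set up before it.
 */
int
ic_init(isc_session_t *sp)
{
	struct cam_sim	*sim;
	struct cam_devq	*devq;

	debug_called(8);

	if((devq = cam_simq_alloc(256)) == NULL)
		return ENOMEM;

#if __FreeBSD_version >= 700000
	mtx_init(&sp->cam_mtx, "isc-cam", NULL, MTX_DEF);
#else
	/* NOTE(review): `isp` is not declared in this function -- `sp`? */
	isp->cam_mtx = Giant;
#endif
	sim = cam_sim_alloc(ic_action,
			    ic_poll,
			    "iscsi",
			    sp,
			    sp->sid,	// unit
#if __FreeBSD_version >= 700000
			    &sp->cam_mtx,
#endif
			    1,		// max_dev_transactions
			    0,		// max_tagged_dev_transactions
			    devq);
	if(sim == NULL) {
		/* No SIM took ownership of the queue, so free it directly. */
		cam_simq_free(devq);
#if __FreeBSD_version >= 700000
		mtx_destroy(&sp->cam_mtx);
#endif
		return ENXIO;
	}

	CAM_LOCK(sp);
	if(xpt_bus_register(sim,
#if __FreeBSD_version >= 700000
			    NULL,
#endif
			    0/*bus_number*/) != CAM_SUCCESS) {
		cam_sim_free(sim, /*free_devq*/TRUE);
		CAM_UNLOCK(sp);
#if __FreeBSD_version >= 700000
		mtx_destroy(&sp->cam_mtx);
#endif
		return ENXIO;
	}

	sp->cam_sim = sim;
	if(xpt_create_path(&sp->cam_path, NULL, cam_sim_path(sp->cam_sim),
			   CAM_TARGET_WILDCARD, CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
		xpt_bus_deregister(cam_sim_path(sp->cam_sim));
		cam_sim_free(sim, /*free_devq*/TRUE);
		/*
		 * The SIM was already published in the session; withdraw it so
		 * the session is not left pointing at freed memory.
		 */
		sp->cam_sim = NULL;
		CAM_UNLOCK(sp);
#if __FreeBSD_version >= 700000
		mtx_destroy(&sp->cam_mtx);
#endif
		return ENXIO;
	}
	CAM_UNLOCK(sp);

	sdebug(1, "cam subsystem initialized");

	/* The scan result is not propagated; initialisation still succeeds. */
	ic_scan(sp);

	return 0;
}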