Revert most of r360179.

I had failed to notice that sgsendccb() was using cam_periph_mapmem() and thus was not passing down user pointers directly to drivers. In practice this broke requests submitted from userland. PR: 249395 Reported by: Trenton Schulz <trueos@norwegianrockcat.com> Reviewed by: scottl MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26550
2020-09-25 21:19:56 +00:00 · 2020-09-25 21:19:56 +00:00 · 83a277830f
commit 83a277830f
parent 728757f256
1 changed files with 1 additions and 24 deletions
--- a/sys/cam/scsi/scsi_sg.c
+++ b/sys/cam/scsi/scsi_sg.c
@ -507,7 +507,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 	struct cam_periph *periph;
 	struct sg_softc *softc;
 	struct sg_io_hdr *req;
-	void *data_ptr;
 	int dir, error;

 	periph = (struct cam_periph *)dev->si_drv1;
@ -552,20 +551,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 			break;
 		}

-		if (req->dxfer_len > MAXPHYS) {
-			error = EINVAL;
-			break;
-		}
-
-		data_ptr = malloc(req->dxfer_len, M_DEVBUF, M_WAITOK);
-
 		ccb = cam_periph_getccb(periph, CAM_PRIORITY_NORMAL);
 		csio = &ccb->csio;

 		error = copyin(req->cmdp, &csio->cdb_io.cdb_bytes,
 		    req->cmd_len);
 		if (error) {
-			free(data_ptr, M_DEVBUF);
 			xpt_release_ccb(ccb);
 			break;
 		}
@ -586,21 +577,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 			break;
 		}

-		if (dir == CAM_DIR_IN || dir == CAM_DIR_BOTH) {
-			error = copyin(req->dxferp, data_ptr, req->dxfer_len);
-			if (error) {
-				free(data_ptr, M_DEVBUF);
-				xpt_release_ccb(ccb);
-				break;
-			}
-		}
-
 		cam_fill_csio(csio,
 			      /*retries*/1,
 			      /*cbfcnp*/NULL,
 			      dir|CAM_DEV_QFRZDIS,
 			      MSG_SIMPLE_Q_TAG,
-			      data_ptr,
+			      req->dxferp,
 			      req->dxfer_len,
 			      req->mx_sb_len,
 			      req->cmd_len,
@ -610,7 +592,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 		if (error) {
 			req->host_status = DID_ERROR;
 			req->driver_status = DRIVER_INVALID;
-			free(data_ptr, M_DEVBUF);
 			xpt_release_ccb(ccb);
 			break;
 		}
@ -629,10 +610,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 					req->sb_len_wr);
 		}

-		if ((dir == CAM_DIR_OUT || dir == CAM_DIR_BOTH) && error == 0)
-			error = copyout(data_ptr, req->dxferp, req->dxfer_len);
-
-		free(data_ptr, M_DEVBUF);
 		xpt_release_ccb(ccb);
 		break;