freebsd-skq/sys/dev/mfi/mfi_cam.c
Alan Somers 4195c7de24 Always null-terminate ccb_pathinq.(sim_vid|hba_vid|dev_name)
The sim_vid, hba_vid, and dev_name fields of struct ccb_pathinq are
fixed-length strings. AFAICT the only place they're read is in
sbin/camcontrol/camcontrol.c, which assumes they'll be null-terminated.
However, the kernel doesn't null-terminate them. A bunch of copy-pasted code
uses strncpy to write them, and doesn't guarantee null-termination. For at
least 4 drivers (mpr, mps, ciss, and hyperv), the hba_vid field actually
overflows. You can see the result by doing "camcontrol negotiate da0 -v".

This change null-terminates those fields everywhere they're set in the
kernel. It also shortens a few strings to ensure they'll fit within the
16-character field.

PR:		215474
Reported by:	Coverity
CID:		1009997 1010000 1010001 1010002 1010003 1010004 1010005
CID:		1331519 1010006 1215097 1010007 1288967 1010008 1306000
CID:		1211924 1010009 1010010 1010011 1010012 1010013 1010014
CID:		1147190 1010017 1010016 1010018 1216435 1010020 1010021
CID:		1010022 1009666 1018185 1010023 1010025 1010026 1010027
CID:		1010028 1010029 1010030 1010031 1010033 1018186 1018187
CID:		1010035 1010036 1010042 1010041 1010040 1010039
Reviewed by:	imp, sephe, slm
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D9037
Differential Revision:	https://reviews.freebsd.org/D9038
2017-01-04 20:26:42 +00:00

477 lines
12 KiB
C

/*-
* Copyright 2007 Scott Long
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_mfi.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/selinfo.h>
#include <sys/bus.h>
#include <sys/conf.h>
#include <sys/eventhandler.h>
#include <sys/rman.h>
#include <sys/bus_dma.h>
#include <sys/bio.h>
#include <sys/ioccom.h>
#include <sys/uio.h>
#include <sys/proc.h>
#include <sys/signalvar.h>
#include <sys/sysctl.h>
#include <cam/cam.h>
#include <cam/cam_ccb.h>
#include <cam/cam_debug.h>
#include <cam/cam_periph.h>
#include <cam/cam_sim.h>
#include <cam/cam_xpt_periph.h>
#include <cam/cam_xpt_sim.h>
#include <cam/scsi/scsi_all.h>
#include <cam/scsi/scsi_message.h>
#include <machine/md_var.h>
#include <machine/bus.h>
#include <machine/resource.h>
#include <dev/mfi/mfireg.h>
#include <dev/mfi/mfi_ioctl.h>
#include <dev/mfi/mfivar.h>
enum mfip_state {
MFIP_STATE_NONE,
MFIP_STATE_DETACH,
MFIP_STATE_RESCAN
};
struct mfip_softc {
device_t dev;
struct mfi_softc *mfi_sc;
struct cam_devq *devq;
struct cam_sim *sim;
struct cam_path *path;
enum mfip_state state;
};
static int mfip_probe(device_t);
static int mfip_attach(device_t);
static int mfip_detach(device_t);
static void mfip_cam_action(struct cam_sim *, union ccb *);
static void mfip_cam_poll(struct cam_sim *);
static void mfip_cam_rescan(struct mfi_softc *, uint32_t tid);
static struct mfi_command * mfip_start(void *);
static void mfip_done(struct mfi_command *cm);
static int mfi_allow_disks = 0;
SYSCTL_INT(_hw_mfi, OID_AUTO, allow_cam_disk_passthrough, CTLFLAG_RDTUN,
&mfi_allow_disks, 0, "event message locale");
static devclass_t mfip_devclass;
static device_method_t mfip_methods[] = {
DEVMETHOD(device_probe, mfip_probe),
DEVMETHOD(device_attach, mfip_attach),
DEVMETHOD(device_detach, mfip_detach),
DEVMETHOD_END
};
static driver_t mfip_driver = {
"mfip",
mfip_methods,
sizeof(struct mfip_softc)
};
DRIVER_MODULE(mfip, mfi, mfip_driver, mfip_devclass, 0, 0);
MODULE_DEPEND(mfip, cam, 1, 1, 1);
MODULE_DEPEND(mfip, mfi, 1, 1, 1);
#define ccb_mfip_ptr sim_priv.entries[0].ptr
static int
mfip_probe(device_t dev)
{
device_set_desc(dev, "SCSI Passthrough Bus");
return (0);
}
static int
mfip_attach(device_t dev)
{
struct mfip_softc *sc;
struct mfi_softc *mfisc;
sc = device_get_softc(dev);
if (sc == NULL)
return (EINVAL);
mfisc = device_get_softc(device_get_parent(dev));
sc->dev = dev;
sc->state = MFIP_STATE_NONE;
sc->mfi_sc = mfisc;
mfisc->mfi_cam_start = mfip_start;
if ((sc->devq = cam_simq_alloc(MFI_SCSI_MAX_CMDS)) == NULL)
return (ENOMEM);
sc->sim = cam_sim_alloc(mfip_cam_action, mfip_cam_poll, "mfi", sc,
device_get_unit(dev), &mfisc->mfi_io_lock, 1,
MFI_SCSI_MAX_CMDS, sc->devq);
if (sc->sim == NULL) {
cam_simq_free(sc->devq);
sc->devq = NULL;
device_printf(dev, "CAM SIM attach failed\n");
return (EINVAL);
}
mfisc->mfi_cam_rescan_cb = mfip_cam_rescan;
mtx_lock(&mfisc->mfi_io_lock);
if (xpt_bus_register(sc->sim, dev, 0) != 0) {
device_printf(dev, "XPT bus registration failed\n");
cam_sim_free(sc->sim, FALSE);
sc->sim = NULL;
cam_simq_free(sc->devq);
sc->devq = NULL;
mtx_unlock(&mfisc->mfi_io_lock);
return (EINVAL);
}
mtx_unlock(&mfisc->mfi_io_lock);
return (0);
}
static int
mfip_detach(device_t dev)
{
struct mfip_softc *sc;
sc = device_get_softc(dev);
if (sc == NULL)
return (EINVAL);
mtx_lock(&sc->mfi_sc->mfi_io_lock);
if (sc->state == MFIP_STATE_RESCAN) {
mtx_unlock(&sc->mfi_sc->mfi_io_lock);
return (EBUSY);
}
sc->state = MFIP_STATE_DETACH;
mtx_unlock(&sc->mfi_sc->mfi_io_lock);
sc->mfi_sc->mfi_cam_rescan_cb = NULL;
if (sc->sim != NULL) {
mtx_lock(&sc->mfi_sc->mfi_io_lock);
xpt_bus_deregister(cam_sim_path(sc->sim));
cam_sim_free(sc->sim, FALSE);
sc->sim = NULL;
mtx_unlock(&sc->mfi_sc->mfi_io_lock);
}
if (sc->devq != NULL) {
cam_simq_free(sc->devq);
sc->devq = NULL;
}
return (0);
}
static void
mfip_cam_action(struct cam_sim *sim, union ccb *ccb)
{
struct mfip_softc *sc = cam_sim_softc(sim);
struct mfi_softc *mfisc = sc->mfi_sc;
mtx_assert(&mfisc->mfi_io_lock, MA_OWNED);
switch (ccb->ccb_h.func_code) {
case XPT_PATH_INQ:
{
struct ccb_pathinq *cpi = &ccb->cpi;
cpi->version_num = 1;
cpi->hba_inquiry = PI_TAG_ABLE;
cpi->target_sprt = 0;
cpi->hba_misc = PIM_NOBUSRESET | PIM_SEQSCAN | PIM_UNMAPPED;
cpi->hba_eng_cnt = 0;
cpi->max_target = MFI_SCSI_MAX_TARGETS;
cpi->max_lun = MFI_SCSI_MAX_LUNS;
cpi->initiator_id = MFI_SCSI_INITIATOR_ID;
strlcpy(cpi->sim_vid, "FreeBSD", SIM_IDLEN);
strlcpy(cpi->hba_vid, "LSI", HBA_IDLEN);
strlcpy(cpi->dev_name, cam_sim_name(sim), DEV_IDLEN);
cpi->unit_number = cam_sim_unit(sim);
cpi->bus_id = cam_sim_bus(sim);
cpi->base_transfer_speed = 150000;
cpi->transport = XPORT_SAS;
cpi->transport_version = 0;
cpi->protocol = PROTO_SCSI;
cpi->protocol_version = SCSI_REV_2;
cpi->ccb_h.status = CAM_REQ_CMP;
break;
}
case XPT_RESET_BUS:
ccb->ccb_h.status = CAM_REQ_CMP;
break;
case XPT_RESET_DEV:
ccb->ccb_h.status = CAM_REQ_CMP;
break;
case XPT_GET_TRAN_SETTINGS:
{
struct ccb_trans_settings_scsi *scsi =
&ccb->cts.proto_specific.scsi;
struct ccb_trans_settings_sas *sas =
&ccb->cts.xport_specific.sas;
ccb->cts.protocol = PROTO_SCSI;
ccb->cts.protocol_version = SCSI_REV_2;
ccb->cts.transport = XPORT_SAS;
ccb->cts.transport_version = 0;
scsi->valid = CTS_SCSI_VALID_TQ;
scsi->flags = CTS_SCSI_FLAGS_TAG_ENB;
sas->valid &= ~CTS_SAS_VALID_SPEED;
sas->bitrate = 150000;
ccb->ccb_h.status = CAM_REQ_CMP;
break;
}
case XPT_SET_TRAN_SETTINGS:
ccb->ccb_h.status = CAM_FUNC_NOTAVAIL;
break;
case XPT_SCSI_IO:
{
struct ccb_hdr *ccbh = &ccb->ccb_h;
struct ccb_scsiio *csio = &ccb->csio;
ccbh->status = CAM_REQ_INPROG;
if (csio->cdb_len > MFI_SCSI_MAX_CDB_LEN) {
ccbh->status = CAM_REQ_INVALID;
break;
}
ccbh->ccb_mfip_ptr = sc;
TAILQ_INSERT_TAIL(&mfisc->mfi_cam_ccbq, ccbh, sim_links.tqe);
mfi_startio(mfisc);
return;
}
default:
ccb->ccb_h.status = CAM_REQ_INVALID;
break;
}
xpt_done(ccb);
return;
}
static void
mfip_cam_rescan(struct mfi_softc *sc, uint32_t tid)
{
union ccb *ccb;
struct mfip_softc *camsc;
struct cam_sim *sim;
device_t mfip_dev;
mtx_lock(&Giant);
mfip_dev = device_find_child(sc->mfi_dev, "mfip", -1);
mtx_unlock(&Giant);
if (mfip_dev == NULL) {
device_printf(sc->mfi_dev, "Couldn't find mfip child device!\n");
return;
}
mtx_lock(&sc->mfi_io_lock);
camsc = device_get_softc(mfip_dev);
if (camsc->state == MFIP_STATE_DETACH) {
mtx_unlock(&sc->mfi_io_lock);
return;
}
camsc->state = MFIP_STATE_RESCAN;
ccb = xpt_alloc_ccb_nowait();
if (ccb == NULL) {
mtx_unlock(&sc->mfi_io_lock);
device_printf(sc->mfi_dev,
"Cannot allocate ccb for bus rescan.\n");
return;
}
sim = camsc->sim;
if (xpt_create_path(&ccb->ccb_h.path, NULL, cam_sim_path(sim),
tid, CAM_LUN_WILDCARD) != CAM_REQ_CMP) {
xpt_free_ccb(ccb);
mtx_unlock(&sc->mfi_io_lock);
device_printf(sc->mfi_dev,
"Cannot create path for bus rescan.\n");
return;
}
xpt_rescan(ccb);
camsc->state = MFIP_STATE_NONE;
mtx_unlock(&sc->mfi_io_lock);
}
static struct mfi_command *
mfip_start(void *data)
{
union ccb *ccb = data;
struct ccb_hdr *ccbh = &ccb->ccb_h;
struct ccb_scsiio *csio = &ccb->csio;
struct mfip_softc *sc;
struct mfi_pass_frame *pt;
struct mfi_command *cm;
uint32_t context = 0;
sc = ccbh->ccb_mfip_ptr;
if ((cm = mfi_dequeue_free(sc->mfi_sc)) == NULL)
return (NULL);
/* Zero out the MFI frame */
context = cm->cm_frame->header.context;
bzero(cm->cm_frame, sizeof(union mfi_frame));
cm->cm_frame->header.context = context;
pt = &cm->cm_frame->pass;
pt->header.cmd = MFI_CMD_PD_SCSI_IO;
pt->header.cmd_status = 0;
pt->header.scsi_status = 0;
pt->header.target_id = ccbh->target_id;
pt->header.lun_id = ccbh->target_lun;
pt->header.flags = 0;
pt->header.timeout = 0;
pt->header.data_len = csio->dxfer_len;
pt->header.sense_len = MFI_SENSE_LEN;
pt->header.cdb_len = csio->cdb_len;
pt->sense_addr_lo = (uint32_t)cm->cm_sense_busaddr;
pt->sense_addr_hi = (uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32);
if (ccbh->flags & CAM_CDB_POINTER)
bcopy(csio->cdb_io.cdb_ptr, &pt->cdb[0], csio->cdb_len);
else
bcopy(csio->cdb_io.cdb_bytes, &pt->cdb[0], csio->cdb_len);
cm->cm_complete = mfip_done;
cm->cm_private = ccb;
cm->cm_sg = &pt->sgl;
cm->cm_total_frame_size = MFI_PASS_FRAME_SIZE;
cm->cm_data = ccb;
cm->cm_len = csio->dxfer_len;
switch (ccbh->flags & CAM_DIR_MASK) {
case CAM_DIR_IN:
cm->cm_flags = MFI_CMD_DATAIN | MFI_CMD_CCB;
break;
case CAM_DIR_OUT:
cm->cm_flags = MFI_CMD_DATAOUT | MFI_CMD_CCB;
break;
case CAM_DIR_NONE:
default:
cm->cm_data = NULL;
cm->cm_len = 0;
cm->cm_flags = 0;
break;
}
TAILQ_REMOVE(&sc->mfi_sc->mfi_cam_ccbq, ccbh, sim_links.tqe);
return (cm);
}
static void
mfip_done(struct mfi_command *cm)
{
union ccb *ccb = cm->cm_private;
struct ccb_hdr *ccbh = &ccb->ccb_h;
struct ccb_scsiio *csio = &ccb->csio;
struct mfip_softc *sc;
struct mfi_pass_frame *pt;
sc = ccbh->ccb_mfip_ptr;
pt = &cm->cm_frame->pass;
switch (pt->header.cmd_status) {
case MFI_STAT_OK:
{
uint8_t command, device;
ccbh->status = CAM_REQ_CMP;
csio->scsi_status = pt->header.scsi_status;
if (ccbh->flags & CAM_CDB_POINTER)
command = csio->cdb_io.cdb_ptr[0];
else
command = csio->cdb_io.cdb_bytes[0];
if (command == INQUIRY) {
device = csio->data_ptr[0] & 0x1f;
if ((!mfi_allow_disks && device == T_DIRECT) ||
(device == T_PROCESSOR))
csio->data_ptr[0] =
(csio->data_ptr[0] & 0xe0) | T_NODEVICE;
}
break;
}
case MFI_STAT_SCSI_DONE_WITH_ERROR:
{
int sense_len;
ccbh->status = CAM_SCSI_STATUS_ERROR | CAM_AUTOSNS_VALID;
csio->scsi_status = pt->header.scsi_status;
if (pt->header.sense_len < csio->sense_len)
csio->sense_resid = csio->sense_len -
pt->header.sense_len;
else
csio->sense_resid = 0;
sense_len = min(pt->header.sense_len,
sizeof(struct scsi_sense_data));
bzero(&csio->sense_data, sizeof(struct scsi_sense_data));
bcopy(&cm->cm_sense->data[0], &csio->sense_data, sense_len);
break;
}
case MFI_STAT_DEVICE_NOT_FOUND:
ccbh->status = CAM_SEL_TIMEOUT;
break;
case MFI_STAT_SCSI_IO_FAILED:
ccbh->status = CAM_REQ_CMP_ERR;
csio->scsi_status = pt->header.scsi_status;
break;
default:
ccbh->status = CAM_REQ_CMP_ERR;
csio->scsi_status = pt->header.scsi_status;
break;
}
mfi_release_command(cm);
xpt_done(ccb);
}
static void
mfip_cam_poll(struct cam_sim *sim)
{
struct mfip_softc *sc = cam_sim_softc(sim);
struct mfi_softc *mfisc = sc->mfi_sc;
mfisc->mfi_intr_ptr(mfisc);
}