1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Changes: |
4 | * Arnaldo Carvalho de Melo <acme@conectiva.com.br> 08/23/2000 |
5 | * - get rid of some verify_areas and use __copy*user and __get/put_user |
6 | * for the ones that remain |
7 | */ |
8 | #include <linux/module.h> |
9 | #include <linux/blkdev.h> |
10 | #include <linux/interrupt.h> |
11 | #include <linux/errno.h> |
12 | #include <linux/kernel.h> |
13 | #include <linux/sched.h> |
14 | #include <linux/mm.h> |
15 | #include <linux/string.h> |
16 | #include <linux/uaccess.h> |
17 | #include <linux/cdrom.h> |
18 | |
19 | #include <scsi/scsi.h> |
20 | #include <scsi/scsi_cmnd.h> |
21 | #include <scsi/scsi_device.h> |
22 | #include <scsi/scsi_eh.h> |
23 | #include <scsi/scsi_host.h> |
24 | #include <scsi/scsi_ioctl.h> |
25 | #include <scsi/sg.h> |
26 | #include <scsi/scsi_dbg.h> |
27 | |
28 | #include "scsi_logging.h" |
29 | |
30 | #define NORMAL_RETRIES 5 |
31 | #define IOCTL_NORMAL_TIMEOUT (10 * HZ) |
32 | |
33 | #define MAX_BUF PAGE_SIZE |
34 | |
35 | /** |
36 | * ioctl_probe -- return host identification |
37 | * @host: host to identify |
38 | * @buffer: userspace buffer for identification |
39 | * |
40 | * Return an identifying string at @buffer, if @buffer is non-NULL, filling |
41 | * to the length stored at * (int *) @buffer. |
42 | */ |
43 | static int ioctl_probe(struct Scsi_Host *host, void __user *buffer) |
44 | { |
45 | unsigned int len, slen; |
46 | const char *string; |
47 | |
48 | if (buffer) { |
49 | if (get_user(len, (unsigned int __user *) buffer)) |
50 | return -EFAULT; |
51 | |
52 | if (host->hostt->info) |
53 | string = host->hostt->info(host); |
54 | else |
55 | string = host->hostt->name; |
56 | if (string) { |
57 | slen = strlen(string); |
58 | if (len > slen) |
59 | len = slen + 1; |
60 | if (copy_to_user(to: buffer, from: string, n: len)) |
61 | return -EFAULT; |
62 | } |
63 | } |
64 | return 1; |
65 | } |
66 | |
67 | static int ioctl_internal_command(struct scsi_device *sdev, char *cmd, |
68 | int timeout, int retries) |
69 | { |
70 | int result; |
71 | struct scsi_sense_hdr sshdr; |
72 | const struct scsi_exec_args exec_args = { |
73 | .sshdr = &sshdr, |
74 | }; |
75 | |
76 | SCSI_LOG_IOCTL(1, sdev_printk(KERN_INFO, sdev, |
77 | "Trying ioctl with scsi command %d\n" , *cmd)); |
78 | |
79 | result = scsi_execute_cmd(sdev, cmd, opf: REQ_OP_DRV_IN, NULL, bufflen: 0, timeout, |
80 | retries, args: &exec_args); |
81 | |
82 | SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, |
83 | "Ioctl returned 0x%x\n" , result)); |
84 | |
85 | if (result < 0) |
86 | goto out; |
87 | if (scsi_sense_valid(sshdr: &sshdr)) { |
88 | switch (sshdr.sense_key) { |
89 | case ILLEGAL_REQUEST: |
90 | if (cmd[0] == ALLOW_MEDIUM_REMOVAL) |
91 | sdev->lockable = 0; |
92 | else |
93 | sdev_printk(KERN_INFO, sdev, |
94 | "ioctl_internal_command: " |
95 | "ILLEGAL REQUEST " |
96 | "asc=0x%x ascq=0x%x\n" , |
97 | sshdr.asc, sshdr.ascq); |
98 | break; |
99 | case NOT_READY: /* This happens if there is no disc in drive */ |
100 | if (sdev->removable) |
101 | break; |
102 | fallthrough; |
103 | case UNIT_ATTENTION: |
104 | if (sdev->removable) { |
105 | sdev->changed = 1; |
106 | result = 0; /* This is no longer considered an error */ |
107 | break; |
108 | } |
109 | fallthrough; /* for non-removable media */ |
110 | default: |
111 | sdev_printk(KERN_INFO, sdev, |
112 | "ioctl_internal_command return code = %x\n" , |
113 | result); |
114 | scsi_print_sense_hdr(sdev, NULL, &sshdr); |
115 | break; |
116 | } |
117 | } |
118 | out: |
119 | SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, |
120 | "IOCTL Releasing command\n" )); |
121 | return result; |
122 | } |
123 | |
124 | int scsi_set_medium_removal(struct scsi_device *sdev, char state) |
125 | { |
126 | char scsi_cmd[MAX_COMMAND_SIZE]; |
127 | int ret; |
128 | |
129 | if (!sdev->removable || !sdev->lockable) |
130 | return 0; |
131 | |
132 | scsi_cmd[0] = ALLOW_MEDIUM_REMOVAL; |
133 | scsi_cmd[1] = 0; |
134 | scsi_cmd[2] = 0; |
135 | scsi_cmd[3] = 0; |
136 | scsi_cmd[4] = state; |
137 | scsi_cmd[5] = 0; |
138 | |
139 | ret = ioctl_internal_command(sdev, cmd: scsi_cmd, |
140 | IOCTL_NORMAL_TIMEOUT, NORMAL_RETRIES); |
141 | if (ret == 0) |
142 | sdev->locked = (state == SCSI_REMOVAL_PREVENT); |
143 | return ret; |
144 | } |
145 | EXPORT_SYMBOL(scsi_set_medium_removal); |
146 | |
147 | /* |
148 | * The scsi_ioctl_get_pci() function places into arg the value |
149 | * pci_dev::slot_name (8 characters) for the PCI device (if any). |
150 | * Returns: 0 on success |
151 | * -ENXIO if there isn't a PCI device pointer |
152 | * (could be because the SCSI driver hasn't been |
153 | * updated yet, or because it isn't a SCSI |
154 | * device) |
155 | * any copy_to_user() error on failure there |
156 | */ |
157 | static int scsi_ioctl_get_pci(struct scsi_device *sdev, void __user *arg) |
158 | { |
159 | struct device *dev = scsi_get_device(shost: sdev->host); |
160 | const char *name; |
161 | |
162 | if (!dev) |
163 | return -ENXIO; |
164 | |
165 | name = dev_name(dev); |
166 | |
167 | /* compatibility with old ioctl which only returned |
168 | * 20 characters */ |
169 | return copy_to_user(to: arg, from: name, min(strlen(name), (size_t)20)) |
170 | ? -EFAULT: 0; |
171 | } |
172 | |
173 | static int sg_get_version(int __user *p) |
174 | { |
175 | static const int sg_version_num = 30527; |
176 | return put_user(sg_version_num, p); |
177 | } |
178 | |
179 | static int sg_set_timeout(struct scsi_device *sdev, int __user *p) |
180 | { |
181 | int timeout, err = get_user(timeout, p); |
182 | |
183 | if (!err) |
184 | sdev->sg_timeout = clock_t_to_jiffies(x: timeout); |
185 | |
186 | return err; |
187 | } |
188 | |
189 | static int sg_get_reserved_size(struct scsi_device *sdev, int __user *p) |
190 | { |
191 | int val = min(sdev->sg_reserved_size, |
192 | queue_max_bytes(sdev->request_queue)); |
193 | |
194 | return put_user(val, p); |
195 | } |
196 | |
197 | static int sg_set_reserved_size(struct scsi_device *sdev, int __user *p) |
198 | { |
199 | int size, err = get_user(size, p); |
200 | |
201 | if (err) |
202 | return err; |
203 | |
204 | if (size < 0) |
205 | return -EINVAL; |
206 | |
207 | sdev->sg_reserved_size = min_t(unsigned int, size, |
208 | queue_max_bytes(sdev->request_queue)); |
209 | return 0; |
210 | } |
211 | |
212 | /* |
213 | * will always return that we are ATAPI even for a real SCSI drive, I'm not |
214 | * so sure this is worth doing anything about (why would you care??) |
215 | */ |
216 | static int sg_emulated_host(struct request_queue *q, int __user *p) |
217 | { |
218 | return put_user(1, p); |
219 | } |
220 | |
221 | static int scsi_get_idlun(struct scsi_device *sdev, void __user *argp) |
222 | { |
223 | struct scsi_idlun v = { |
224 | .dev_id = (sdev->id & 0xff) + |
225 | ((sdev->lun & 0xff) << 8) + |
226 | ((sdev->channel & 0xff) << 16) + |
227 | ((sdev->host->host_no & 0xff) << 24), |
228 | .host_unique_id = sdev->host->unique_id |
229 | }; |
230 | if (copy_to_user(to: argp, from: &v, n: sizeof(struct scsi_idlun))) |
231 | return -EFAULT; |
232 | return 0; |
233 | } |
234 | |
235 | static int scsi_send_start_stop(struct scsi_device *sdev, int data) |
236 | { |
237 | u8 cdb[MAX_COMMAND_SIZE] = { }; |
238 | |
239 | cdb[0] = START_STOP; |
240 | cdb[4] = data; |
241 | return ioctl_internal_command(sdev, cmd: cdb, START_STOP_TIMEOUT, |
242 | NORMAL_RETRIES); |
243 | } |
244 | |
245 | /* |
246 | * Check if the given command is allowed. |
247 | * |
248 | * Only a subset of commands are allowed for unprivileged users. Commands used |
249 | * to format the media, update the firmware, etc. are not permitted. |
250 | */ |
251 | bool scsi_cmd_allowed(unsigned char *cmd, bool open_for_write) |
252 | { |
253 | /* root can do any command. */ |
254 | if (capable(CAP_SYS_RAWIO)) |
255 | return true; |
256 | |
257 | /* Anybody who can open the device can do a read-safe command */ |
258 | switch (cmd[0]) { |
259 | /* Basic read-only commands */ |
260 | case TEST_UNIT_READY: |
261 | case REQUEST_SENSE: |
262 | case READ_6: |
263 | case READ_10: |
264 | case READ_12: |
265 | case READ_16: |
266 | case READ_BUFFER: |
267 | case READ_DEFECT_DATA: |
268 | case READ_CAPACITY: /* also GPCMD_READ_CDVD_CAPACITY */ |
269 | case READ_LONG: |
270 | case INQUIRY: |
271 | case MODE_SENSE: |
272 | case MODE_SENSE_10: |
273 | case LOG_SENSE: |
274 | case START_STOP: |
275 | case GPCMD_VERIFY_10: |
276 | case VERIFY_16: |
277 | case REPORT_LUNS: |
278 | case SERVICE_ACTION_IN_16: |
279 | case RECEIVE_DIAGNOSTIC: |
280 | case MAINTENANCE_IN: /* also GPCMD_SEND_KEY, which is a write command */ |
281 | case GPCMD_READ_BUFFER_CAPACITY: |
282 | /* Audio CD commands */ |
283 | case GPCMD_PLAY_CD: |
284 | case GPCMD_PLAY_AUDIO_10: |
285 | case GPCMD_PLAY_AUDIO_MSF: |
286 | case GPCMD_PLAY_AUDIO_TI: |
287 | case GPCMD_PAUSE_RESUME: |
288 | /* CD/DVD data reading */ |
289 | case GPCMD_READ_CD: |
290 | case GPCMD_READ_CD_MSF: |
291 | case GPCMD_READ_DISC_INFO: |
292 | case GPCMD_READ_DVD_STRUCTURE: |
293 | case GPCMD_READ_HEADER: |
294 | case GPCMD_READ_TRACK_RZONE_INFO: |
295 | case GPCMD_READ_SUBCHANNEL: |
296 | case GPCMD_READ_TOC_PMA_ATIP: |
297 | case GPCMD_REPORT_KEY: |
298 | case GPCMD_SCAN: |
299 | case GPCMD_GET_CONFIGURATION: |
300 | case GPCMD_READ_FORMAT_CAPACITIES: |
301 | case GPCMD_GET_EVENT_STATUS_NOTIFICATION: |
302 | case GPCMD_GET_PERFORMANCE: |
303 | case GPCMD_SEEK: |
304 | case GPCMD_STOP_PLAY_SCAN: |
305 | /* ZBC */ |
306 | case ZBC_IN: |
307 | return true; |
308 | /* Basic writing commands */ |
309 | case WRITE_6: |
310 | case WRITE_10: |
311 | case WRITE_VERIFY: |
312 | case WRITE_12: |
313 | case WRITE_VERIFY_12: |
314 | case WRITE_16: |
315 | case WRITE_LONG: |
316 | case WRITE_LONG_2: |
317 | case WRITE_SAME: |
318 | case WRITE_SAME_16: |
319 | case WRITE_SAME_32: |
320 | case ERASE: |
321 | case GPCMD_MODE_SELECT_10: |
322 | case MODE_SELECT: |
323 | case LOG_SELECT: |
324 | case GPCMD_BLANK: |
325 | case GPCMD_CLOSE_TRACK: |
326 | case GPCMD_FLUSH_CACHE: |
327 | case GPCMD_FORMAT_UNIT: |
328 | case GPCMD_REPAIR_RZONE_TRACK: |
329 | case GPCMD_RESERVE_RZONE_TRACK: |
330 | case GPCMD_SEND_DVD_STRUCTURE: |
331 | case GPCMD_SEND_EVENT: |
332 | case GPCMD_SEND_OPC: |
333 | case GPCMD_SEND_CUE_SHEET: |
334 | case GPCMD_SET_SPEED: |
335 | case GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL: |
336 | case GPCMD_LOAD_UNLOAD: |
337 | case GPCMD_SET_STREAMING: |
338 | case GPCMD_SET_READ_AHEAD: |
339 | /* ZBC */ |
340 | case ZBC_OUT: |
341 | return open_for_write; |
342 | default: |
343 | return false; |
344 | } |
345 | } |
346 | EXPORT_SYMBOL(scsi_cmd_allowed); |
347 | |
348 | static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq, |
349 | struct sg_io_hdr *hdr, bool open_for_write) |
350 | { |
351 | struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq); |
352 | |
353 | if (hdr->cmd_len < 6) |
354 | return -EMSGSIZE; |
355 | if (copy_from_user(to: scmd->cmnd, from: hdr->cmdp, n: hdr->cmd_len)) |
356 | return -EFAULT; |
357 | if (!scsi_cmd_allowed(scmd->cmnd, open_for_write)) |
358 | return -EPERM; |
359 | scmd->cmd_len = hdr->cmd_len; |
360 | |
361 | rq->timeout = msecs_to_jiffies(m: hdr->timeout); |
362 | if (!rq->timeout) |
363 | rq->timeout = sdev->sg_timeout; |
364 | if (!rq->timeout) |
365 | rq->timeout = BLK_DEFAULT_SG_TIMEOUT; |
366 | if (rq->timeout < BLK_MIN_SG_TIMEOUT) |
367 | rq->timeout = BLK_MIN_SG_TIMEOUT; |
368 | |
369 | return 0; |
370 | } |
371 | |
372 | static int scsi_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr, |
373 | struct bio *bio) |
374 | { |
375 | struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq); |
376 | int r, ret = 0; |
377 | |
378 | /* |
379 | * fill in all the output members |
380 | */ |
381 | hdr->status = scmd->result & 0xff; |
382 | hdr->masked_status = sg_status_byte(scmd->result); |
383 | hdr->msg_status = COMMAND_COMPLETE; |
384 | hdr->host_status = host_byte(scmd->result); |
385 | hdr->driver_status = 0; |
386 | if (scsi_status_is_check_condition(status: hdr->status)) |
387 | hdr->driver_status = DRIVER_SENSE; |
388 | hdr->info = 0; |
389 | if (hdr->masked_status || hdr->host_status || hdr->driver_status) |
390 | hdr->info |= SG_INFO_CHECK; |
391 | hdr->resid = scmd->resid_len; |
392 | hdr->sb_len_wr = 0; |
393 | |
394 | if (scmd->sense_len && hdr->sbp) { |
395 | int len = min((unsigned int) hdr->mx_sb_len, scmd->sense_len); |
396 | |
397 | if (!copy_to_user(to: hdr->sbp, from: scmd->sense_buffer, n: len)) |
398 | hdr->sb_len_wr = len; |
399 | else |
400 | ret = -EFAULT; |
401 | } |
402 | |
403 | r = blk_rq_unmap_user(bio); |
404 | if (!ret) |
405 | ret = r; |
406 | |
407 | return ret; |
408 | } |
409 | |
410 | static int sg_io(struct scsi_device *sdev, struct sg_io_hdr *hdr, |
411 | bool open_for_write) |
412 | { |
413 | unsigned long start_time; |
414 | ssize_t ret = 0; |
415 | int writing = 0; |
416 | int at_head = 0; |
417 | struct request *rq; |
418 | struct scsi_cmnd *scmd; |
419 | struct bio *bio; |
420 | |
421 | if (hdr->interface_id != 'S') |
422 | return -EINVAL; |
423 | |
424 | if (hdr->dxfer_len > (queue_max_hw_sectors(q: sdev->request_queue) << 9)) |
425 | return -EIO; |
426 | |
427 | if (hdr->dxfer_len) |
428 | switch (hdr->dxfer_direction) { |
429 | default: |
430 | return -EINVAL; |
431 | case SG_DXFER_TO_DEV: |
432 | writing = 1; |
433 | break; |
434 | case SG_DXFER_TO_FROM_DEV: |
435 | case SG_DXFER_FROM_DEV: |
436 | break; |
437 | } |
438 | if (hdr->flags & SG_FLAG_Q_AT_HEAD) |
439 | at_head = 1; |
440 | |
441 | rq = scsi_alloc_request(q: sdev->request_queue, opf: writing ? |
442 | REQ_OP_DRV_OUT : REQ_OP_DRV_IN, flags: 0); |
443 | if (IS_ERR(ptr: rq)) |
444 | return PTR_ERR(ptr: rq); |
445 | scmd = blk_mq_rq_to_pdu(rq); |
446 | |
447 | if (hdr->cmd_len > sizeof(scmd->cmnd)) { |
448 | ret = -EINVAL; |
449 | goto out_put_request; |
450 | } |
451 | |
452 | ret = scsi_fill_sghdr_rq(sdev, rq, hdr, open_for_write); |
453 | if (ret < 0) |
454 | goto out_put_request; |
455 | |
456 | ret = blk_rq_map_user_io(rq, NULL, hdr->dxferp, hdr->dxfer_len, |
457 | GFP_KERNEL, hdr->iovec_count && hdr->dxfer_len, |
458 | hdr->iovec_count, 0, rq_data_dir(rq)); |
459 | if (ret) |
460 | goto out_put_request; |
461 | |
462 | bio = rq->bio; |
463 | scmd->allowed = 0; |
464 | |
465 | start_time = jiffies; |
466 | |
467 | blk_execute_rq(rq, at_head); |
468 | |
469 | hdr->duration = jiffies_to_msecs(j: jiffies - start_time); |
470 | |
471 | ret = scsi_complete_sghdr_rq(rq, hdr, bio); |
472 | |
473 | out_put_request: |
474 | blk_mq_free_request(rq); |
475 | return ret; |
476 | } |
477 | |
478 | /** |
479 | * sg_scsi_ioctl -- handle deprecated SCSI_IOCTL_SEND_COMMAND ioctl |
480 | * @q: request queue to send scsi commands down |
481 | * @open_for_write: is the file / block device opened for writing? |
482 | * @sic: userspace structure describing the command to perform |
483 | * |
484 | * Send down the scsi command described by @sic to the device below |
485 | * the request queue @q. |
486 | * |
487 | * Notes: |
488 | * - This interface is deprecated - users should use the SG_IO |
489 | * interface instead, as this is a more flexible approach to |
490 | * performing SCSI commands on a device. |
491 | * - The SCSI command length is determined by examining the 1st byte |
492 | * of the given command. There is no way to override this. |
493 | * - Data transfers are limited to PAGE_SIZE |
494 | * - The length (x + y) must be at least OMAX_SB_LEN bytes long to |
495 | * accommodate the sense buffer when an error occurs. |
496 | * The sense buffer is truncated to OMAX_SB_LEN (16) bytes so that |
497 | * old code will not be surprised. |
498 | * - If a Unix error occurs (e.g. ENOMEM) then the user will receive |
499 | * a negative return and the Unix error code in 'errno'. |
500 | * If the SCSI command succeeds then 0 is returned. |
501 | * Positive numbers returned are the compacted SCSI error codes (4 |
502 | * bytes in one int) where the lowest byte is the SCSI status. |
503 | */ |
504 | static int sg_scsi_ioctl(struct request_queue *q, bool open_for_write, |
505 | struct scsi_ioctl_command __user *sic) |
506 | { |
507 | struct request *rq; |
508 | int err; |
509 | unsigned int in_len, out_len, bytes, opcode, cmdlen; |
510 | struct scsi_cmnd *scmd; |
511 | char *buffer = NULL; |
512 | |
513 | if (!sic) |
514 | return -EINVAL; |
515 | |
516 | /* |
517 | * get in an out lengths, verify they don't exceed a page worth of data |
518 | */ |
519 | if (get_user(in_len, &sic->inlen)) |
520 | return -EFAULT; |
521 | if (get_user(out_len, &sic->outlen)) |
522 | return -EFAULT; |
523 | if (in_len > PAGE_SIZE || out_len > PAGE_SIZE) |
524 | return -EINVAL; |
525 | if (get_user(opcode, &sic->data[0])) |
526 | return -EFAULT; |
527 | |
528 | bytes = max(in_len, out_len); |
529 | if (bytes) { |
530 | buffer = kzalloc(size: bytes, GFP_NOIO | GFP_USER | __GFP_NOWARN); |
531 | if (!buffer) |
532 | return -ENOMEM; |
533 | |
534 | } |
535 | |
536 | rq = scsi_alloc_request(q, opf: in_len ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, flags: 0); |
537 | if (IS_ERR(ptr: rq)) { |
538 | err = PTR_ERR(ptr: rq); |
539 | goto error_free_buffer; |
540 | } |
541 | scmd = blk_mq_rq_to_pdu(rq); |
542 | |
543 | cmdlen = COMMAND_SIZE(opcode); |
544 | |
545 | /* |
546 | * get command and data to send to device, if any |
547 | */ |
548 | err = -EFAULT; |
549 | scmd->cmd_len = cmdlen; |
550 | if (copy_from_user(to: scmd->cmnd, from: sic->data, n: cmdlen)) |
551 | goto error; |
552 | |
553 | if (in_len && copy_from_user(to: buffer, from: sic->data + cmdlen, n: in_len)) |
554 | goto error; |
555 | |
556 | err = -EPERM; |
557 | if (!scsi_cmd_allowed(scmd->cmnd, open_for_write)) |
558 | goto error; |
559 | |
560 | /* default. possible overridden later */ |
561 | scmd->allowed = 5; |
562 | |
563 | switch (opcode) { |
564 | case SEND_DIAGNOSTIC: |
565 | case FORMAT_UNIT: |
566 | rq->timeout = FORMAT_UNIT_TIMEOUT; |
567 | scmd->allowed = 1; |
568 | break; |
569 | case START_STOP: |
570 | rq->timeout = START_STOP_TIMEOUT; |
571 | break; |
572 | case MOVE_MEDIUM: |
573 | rq->timeout = MOVE_MEDIUM_TIMEOUT; |
574 | break; |
575 | case READ_ELEMENT_STATUS: |
576 | rq->timeout = READ_ELEMENT_STATUS_TIMEOUT; |
577 | break; |
578 | case READ_DEFECT_DATA: |
579 | rq->timeout = READ_DEFECT_DATA_TIMEOUT; |
580 | scmd->allowed = 1; |
581 | break; |
582 | default: |
583 | rq->timeout = BLK_DEFAULT_SG_TIMEOUT; |
584 | break; |
585 | } |
586 | |
587 | if (bytes) { |
588 | err = blk_rq_map_kern(q, rq, buffer, bytes, GFP_NOIO); |
589 | if (err) |
590 | goto error; |
591 | } |
592 | |
593 | blk_execute_rq(rq, at_head: false); |
594 | |
595 | err = scmd->result & 0xff; /* only 8 bit SCSI status */ |
596 | if (err) { |
597 | if (scmd->sense_len && scmd->sense_buffer) { |
598 | /* limit sense len for backward compatibility */ |
599 | if (copy_to_user(to: sic->data, from: scmd->sense_buffer, |
600 | min(scmd->sense_len, 16U))) |
601 | err = -EFAULT; |
602 | } |
603 | } else { |
604 | if (copy_to_user(to: sic->data, from: buffer, n: out_len)) |
605 | err = -EFAULT; |
606 | } |
607 | |
608 | error: |
609 | blk_mq_free_request(rq); |
610 | |
611 | error_free_buffer: |
612 | kfree(objp: buffer); |
613 | |
614 | return err; |
615 | } |
616 | |
617 | int put_sg_io_hdr(const struct sg_io_hdr *hdr, void __user *argp) |
618 | { |
619 | #ifdef CONFIG_COMPAT |
620 | if (in_compat_syscall()) { |
621 | struct compat_sg_io_hdr hdr32 = { |
622 | .interface_id = hdr->interface_id, |
623 | .dxfer_direction = hdr->dxfer_direction, |
624 | .cmd_len = hdr->cmd_len, |
625 | .mx_sb_len = hdr->mx_sb_len, |
626 | .iovec_count = hdr->iovec_count, |
627 | .dxfer_len = hdr->dxfer_len, |
628 | .dxferp = (uintptr_t)hdr->dxferp, |
629 | .cmdp = (uintptr_t)hdr->cmdp, |
630 | .sbp = (uintptr_t)hdr->sbp, |
631 | .timeout = hdr->timeout, |
632 | .flags = hdr->flags, |
633 | .pack_id = hdr->pack_id, |
634 | .usr_ptr = (uintptr_t)hdr->usr_ptr, |
635 | .status = hdr->status, |
636 | .masked_status = hdr->masked_status, |
637 | .msg_status = hdr->msg_status, |
638 | .sb_len_wr = hdr->sb_len_wr, |
639 | .host_status = hdr->host_status, |
640 | .driver_status = hdr->driver_status, |
641 | .resid = hdr->resid, |
642 | .duration = hdr->duration, |
643 | .info = hdr->info, |
644 | }; |
645 | |
646 | if (copy_to_user(to: argp, from: &hdr32, n: sizeof(hdr32))) |
647 | return -EFAULT; |
648 | |
649 | return 0; |
650 | } |
651 | #endif |
652 | |
653 | if (copy_to_user(to: argp, from: hdr, n: sizeof(*hdr))) |
654 | return -EFAULT; |
655 | |
656 | return 0; |
657 | } |
658 | EXPORT_SYMBOL(put_sg_io_hdr); |
659 | |
660 | int get_sg_io_hdr(struct sg_io_hdr *hdr, const void __user *argp) |
661 | { |
662 | #ifdef CONFIG_COMPAT |
663 | struct compat_sg_io_hdr hdr32; |
664 | |
665 | if (in_compat_syscall()) { |
666 | if (copy_from_user(to: &hdr32, from: argp, n: sizeof(hdr32))) |
667 | return -EFAULT; |
668 | |
669 | *hdr = (struct sg_io_hdr) { |
670 | .interface_id = hdr32.interface_id, |
671 | .dxfer_direction = hdr32.dxfer_direction, |
672 | .cmd_len = hdr32.cmd_len, |
673 | .mx_sb_len = hdr32.mx_sb_len, |
674 | .iovec_count = hdr32.iovec_count, |
675 | .dxfer_len = hdr32.dxfer_len, |
676 | .dxferp = compat_ptr(uptr: hdr32.dxferp), |
677 | .cmdp = compat_ptr(uptr: hdr32.cmdp), |
678 | .sbp = compat_ptr(uptr: hdr32.sbp), |
679 | .timeout = hdr32.timeout, |
680 | .flags = hdr32.flags, |
681 | .pack_id = hdr32.pack_id, |
682 | .usr_ptr = compat_ptr(uptr: hdr32.usr_ptr), |
683 | .status = hdr32.status, |
684 | .masked_status = hdr32.masked_status, |
685 | .msg_status = hdr32.msg_status, |
686 | .sb_len_wr = hdr32.sb_len_wr, |
687 | .host_status = hdr32.host_status, |
688 | .driver_status = hdr32.driver_status, |
689 | .resid = hdr32.resid, |
690 | .duration = hdr32.duration, |
691 | .info = hdr32.info, |
692 | }; |
693 | |
694 | return 0; |
695 | } |
696 | #endif |
697 | |
698 | if (copy_from_user(to: hdr, from: argp, n: sizeof(*hdr))) |
699 | return -EFAULT; |
700 | |
701 | return 0; |
702 | } |
703 | EXPORT_SYMBOL(get_sg_io_hdr); |
704 | |
705 | #ifdef CONFIG_COMPAT |
706 | struct compat_cdrom_generic_command { |
707 | unsigned char cmd[CDROM_PACKET_SIZE]; |
708 | compat_caddr_t buffer; |
709 | compat_uint_t buflen; |
710 | compat_int_t stat; |
711 | compat_caddr_t sense; |
712 | unsigned char data_direction; |
713 | unsigned char pad[3]; |
714 | compat_int_t quiet; |
715 | compat_int_t timeout; |
716 | compat_caddr_t unused; |
717 | }; |
718 | #endif |
719 | |
720 | static int scsi_get_cdrom_generic_arg(struct cdrom_generic_command *cgc, |
721 | const void __user *arg) |
722 | { |
723 | #ifdef CONFIG_COMPAT |
724 | if (in_compat_syscall()) { |
725 | struct compat_cdrom_generic_command cgc32; |
726 | |
727 | if (copy_from_user(to: &cgc32, from: arg, n: sizeof(cgc32))) |
728 | return -EFAULT; |
729 | |
730 | *cgc = (struct cdrom_generic_command) { |
731 | .buffer = compat_ptr(uptr: cgc32.buffer), |
732 | .buflen = cgc32.buflen, |
733 | .stat = cgc32.stat, |
734 | .sense = compat_ptr(uptr: cgc32.sense), |
735 | .data_direction = cgc32.data_direction, |
736 | .quiet = cgc32.quiet, |
737 | .timeout = cgc32.timeout, |
738 | .unused = compat_ptr(uptr: cgc32.unused), |
739 | }; |
740 | memcpy(&cgc->cmd, &cgc32.cmd, CDROM_PACKET_SIZE); |
741 | return 0; |
742 | } |
743 | #endif |
744 | if (copy_from_user(to: cgc, from: arg, n: sizeof(*cgc))) |
745 | return -EFAULT; |
746 | |
747 | return 0; |
748 | } |
749 | |
750 | static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc, |
751 | void __user *arg) |
752 | { |
753 | #ifdef CONFIG_COMPAT |
754 | if (in_compat_syscall()) { |
755 | struct compat_cdrom_generic_command cgc32 = { |
756 | .buffer = (uintptr_t)(cgc->buffer), |
757 | .buflen = cgc->buflen, |
758 | .stat = cgc->stat, |
759 | .sense = (uintptr_t)(cgc->sense), |
760 | .data_direction = cgc->data_direction, |
761 | .quiet = cgc->quiet, |
762 | .timeout = cgc->timeout, |
763 | .unused = (uintptr_t)(cgc->unused), |
764 | }; |
765 | memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE); |
766 | |
767 | if (copy_to_user(to: arg, from: &cgc32, n: sizeof(cgc32))) |
768 | return -EFAULT; |
769 | |
770 | return 0; |
771 | } |
772 | #endif |
773 | if (copy_to_user(to: arg, from: cgc, n: sizeof(*cgc))) |
774 | return -EFAULT; |
775 | |
776 | return 0; |
777 | } |
778 | |
779 | static int scsi_cdrom_send_packet(struct scsi_device *sdev, bool open_for_write, |
780 | void __user *arg) |
781 | { |
782 | struct cdrom_generic_command cgc; |
783 | struct sg_io_hdr hdr; |
784 | int err; |
785 | |
786 | err = scsi_get_cdrom_generic_arg(cgc: &cgc, arg); |
787 | if (err) |
788 | return err; |
789 | |
790 | cgc.timeout = clock_t_to_jiffies(x: cgc.timeout); |
791 | memset(&hdr, 0, sizeof(hdr)); |
792 | hdr.interface_id = 'S'; |
793 | hdr.cmd_len = sizeof(cgc.cmd); |
794 | hdr.dxfer_len = cgc.buflen; |
795 | switch (cgc.data_direction) { |
796 | case CGC_DATA_UNKNOWN: |
797 | hdr.dxfer_direction = SG_DXFER_UNKNOWN; |
798 | break; |
799 | case CGC_DATA_WRITE: |
800 | hdr.dxfer_direction = SG_DXFER_TO_DEV; |
801 | break; |
802 | case CGC_DATA_READ: |
803 | hdr.dxfer_direction = SG_DXFER_FROM_DEV; |
804 | break; |
805 | case CGC_DATA_NONE: |
806 | hdr.dxfer_direction = SG_DXFER_NONE; |
807 | break; |
808 | default: |
809 | return -EINVAL; |
810 | } |
811 | |
812 | hdr.dxferp = cgc.buffer; |
813 | hdr.sbp = cgc.sense; |
814 | if (hdr.sbp) |
815 | hdr.mx_sb_len = sizeof(struct request_sense); |
816 | hdr.timeout = jiffies_to_msecs(j: cgc.timeout); |
817 | hdr.cmdp = ((struct cdrom_generic_command __user *) arg)->cmd; |
818 | hdr.cmd_len = sizeof(cgc.cmd); |
819 | |
820 | err = sg_io(sdev, hdr: &hdr, open_for_write); |
821 | if (err == -EFAULT) |
822 | return -EFAULT; |
823 | |
824 | if (hdr.status) |
825 | return -EIO; |
826 | |
827 | cgc.stat = err; |
828 | cgc.buflen = hdr.resid; |
829 | if (scsi_put_cdrom_generic_arg(cgc: &cgc, arg)) |
830 | return -EFAULT; |
831 | |
832 | return err; |
833 | } |
834 | |
835 | static int scsi_ioctl_sg_io(struct scsi_device *sdev, bool open_for_write, |
836 | void __user *argp) |
837 | { |
838 | struct sg_io_hdr hdr; |
839 | int error; |
840 | |
841 | error = get_sg_io_hdr(&hdr, argp); |
842 | if (error) |
843 | return error; |
844 | error = sg_io(sdev, hdr: &hdr, open_for_write); |
845 | if (error == -EFAULT) |
846 | return error; |
847 | if (put_sg_io_hdr(&hdr, argp)) |
848 | return -EFAULT; |
849 | return error; |
850 | } |
851 | |
852 | /** |
853 | * scsi_ioctl - Dispatch ioctl to scsi device |
854 | * @sdev: scsi device receiving ioctl |
855 | * @open_for_write: is the file / block device opened for writing? |
856 | * @cmd: which ioctl is it |
857 | * @arg: data associated with ioctl |
858 | * |
859 | * Description: The scsi_ioctl() function differs from most ioctls in that it |
860 | * does not take a major/minor number as the dev field. Rather, it takes |
861 | * a pointer to a &struct scsi_device. |
862 | */ |
863 | int scsi_ioctl(struct scsi_device *sdev, bool open_for_write, int cmd, |
864 | void __user *arg) |
865 | { |
866 | struct request_queue *q = sdev->request_queue; |
867 | struct scsi_sense_hdr sense_hdr; |
868 | |
869 | /* Check for deprecated ioctls ... all the ioctls which don't |
870 | * follow the new unique numbering scheme are deprecated */ |
871 | switch (cmd) { |
872 | case SCSI_IOCTL_SEND_COMMAND: |
873 | case SCSI_IOCTL_TEST_UNIT_READY: |
874 | case SCSI_IOCTL_BENCHMARK_COMMAND: |
875 | case SCSI_IOCTL_SYNC: |
876 | case SCSI_IOCTL_START_UNIT: |
877 | case SCSI_IOCTL_STOP_UNIT: |
878 | printk(KERN_WARNING "program %s is using a deprecated SCSI " |
879 | "ioctl, please convert it to SG_IO\n" , current->comm); |
880 | break; |
881 | default: |
882 | break; |
883 | } |
884 | |
885 | switch (cmd) { |
886 | case SG_GET_VERSION_NUM: |
887 | return sg_get_version(p: arg); |
888 | case SG_SET_TIMEOUT: |
889 | return sg_set_timeout(sdev, p: arg); |
890 | case SG_GET_TIMEOUT: |
891 | return jiffies_to_clock_t(x: sdev->sg_timeout); |
892 | case SG_GET_RESERVED_SIZE: |
893 | return sg_get_reserved_size(sdev, p: arg); |
894 | case SG_SET_RESERVED_SIZE: |
895 | return sg_set_reserved_size(sdev, p: arg); |
896 | case SG_EMULATED_HOST: |
897 | return sg_emulated_host(q, p: arg); |
898 | case SG_IO: |
899 | return scsi_ioctl_sg_io(sdev, open_for_write, argp: arg); |
900 | case SCSI_IOCTL_SEND_COMMAND: |
901 | return sg_scsi_ioctl(q, open_for_write, sic: arg); |
902 | case CDROM_SEND_PACKET: |
903 | return scsi_cdrom_send_packet(sdev, open_for_write, arg); |
904 | case CDROMCLOSETRAY: |
905 | return scsi_send_start_stop(sdev, data: 3); |
906 | case CDROMEJECT: |
907 | return scsi_send_start_stop(sdev, data: 2); |
908 | case SCSI_IOCTL_GET_IDLUN: |
909 | return scsi_get_idlun(sdev, argp: arg); |
910 | case SCSI_IOCTL_GET_BUS_NUMBER: |
911 | return put_user(sdev->host->host_no, (int __user *)arg); |
912 | case SCSI_IOCTL_PROBE_HOST: |
913 | return ioctl_probe(host: sdev->host, buffer: arg); |
914 | case SCSI_IOCTL_DOORLOCK: |
915 | return scsi_set_medium_removal(sdev, SCSI_REMOVAL_PREVENT); |
916 | case SCSI_IOCTL_DOORUNLOCK: |
917 | return scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); |
918 | case SCSI_IOCTL_TEST_UNIT_READY: |
919 | return scsi_test_unit_ready(sdev, IOCTL_NORMAL_TIMEOUT, |
920 | NORMAL_RETRIES, sshdr: &sense_hdr); |
921 | case SCSI_IOCTL_START_UNIT: |
922 | return scsi_send_start_stop(sdev, data: 1); |
923 | case SCSI_IOCTL_STOP_UNIT: |
924 | return scsi_send_start_stop(sdev, data: 0); |
925 | case SCSI_IOCTL_GET_PCI: |
926 | return scsi_ioctl_get_pci(sdev, arg); |
927 | case SG_SCSI_RESET: |
928 | return scsi_ioctl_reset(sdev, arg); |
929 | } |
930 | |
931 | #ifdef CONFIG_COMPAT |
932 | if (in_compat_syscall()) { |
933 | if (!sdev->host->hostt->compat_ioctl) |
934 | return -EINVAL; |
935 | return sdev->host->hostt->compat_ioctl(sdev, cmd, arg); |
936 | } |
937 | #endif |
938 | if (!sdev->host->hostt->ioctl) |
939 | return -EINVAL; |
940 | return sdev->host->hostt->ioctl(sdev, cmd, arg); |
941 | } |
942 | EXPORT_SYMBOL(scsi_ioctl); |
943 | |
944 | /* |
945 | * We can process a reset even when a device isn't fully operable. |
946 | */ |
947 | int scsi_ioctl_block_when_processing_errors(struct scsi_device *sdev, int cmd, |
948 | bool ndelay) |
949 | { |
950 | if (cmd == SG_SCSI_RESET && ndelay) { |
951 | if (scsi_host_in_recovery(shost: sdev->host)) |
952 | return -EAGAIN; |
953 | } else { |
954 | if (!scsi_block_when_processing_errors(sdev)) |
955 | return -ENODEV; |
956 | } |
957 | |
958 | return 0; |
959 | } |
960 | EXPORT_SYMBOL_GPL(scsi_ioctl_block_when_processing_errors); |
961 | |