1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Changes: 4 * Arnaldo Carvalho de Melo <acme@conectiva.com.br> 08/23/2000 5 * - get rid of some verify_areas and use __copy*user and __get/put_user 6 * for the ones that remain 7 */ 8 #include <linux/module.h> 9 #include <linux/blkdev.h> 10 #include <linux/interrupt.h> 11 #include <linux/errno.h> 12 #include <linux/kernel.h> 13 #include <linux/sched.h> 14 #include <linux/mm.h> 15 #include <linux/string.h> 16 #include <linux/uaccess.h> 17 #include <linux/cdrom.h> 18 19 #include <scsi/scsi.h> 20 #include <scsi/scsi_cmnd.h> 21 #include <scsi/scsi_device.h> 22 #include <scsi/scsi_eh.h> 23 #include <scsi/scsi_host.h> 24 #include <scsi/scsi_ioctl.h> 25 #include <scsi/sg.h> 26 #include <scsi/scsi_dbg.h> 27 28 #include "scsi_logging.h" 29 30 #define NORMAL_RETRIES 5 31 #define IOCTL_NORMAL_TIMEOUT (10 * HZ) 32 33 #define MAX_BUF PAGE_SIZE 34 35 /** 36 * ioctl_probe -- return host identification 37 * @host: host to identify 38 * @buffer: userspace buffer for identification 39 * 40 * Return an identifying string at @buffer, if @buffer is non-NULL, filling 41 * to the length stored at * (int *) @buffer. 42 */ 43 static int ioctl_probe(struct Scsi_Host *host, void __user *buffer) 44 { 45 unsigned int len, slen; 46 const char *string; 47 48 if (buffer) { 49 if (get_user(len, (unsigned int __user *) buffer)) 50 return -EFAULT; 51 52 if (host->hostt->info) 53 string = host->hostt->info(host); 54 else 55 string = host->hostt->name; 56 if (string) { 57 slen = strlen(string); 58 if (len > slen) 59 len = slen + 1; 60 if (copy_to_user(buffer, string, len)) 61 return -EFAULT; 62 } 63 } 64 return 1; 65 } 66 67 static int ioctl_internal_command(struct scsi_device *sdev, char *cmd, 68 int timeout, int retries) 69 { 70 int result; 71 struct scsi_sense_hdr sshdr; 72 73 SCSI_LOG_IOCTL(1, sdev_printk(KERN_INFO, sdev, 74 "Trying ioctl with scsi command %d\n", *cmd)); 75 76 result = scsi_execute_req(sdev, cmd, DMA_NONE, NULL, 0, 77 &sshdr, timeout, retries, NULL); 78 79 SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, 80 "Ioctl returned 0x%x\n", result)); 81 82 if (result < 0) 83 goto out; 84 if (scsi_sense_valid(&sshdr)) { 85 switch (sshdr.sense_key) { 86 case ILLEGAL_REQUEST: 87 if (cmd[0] == ALLOW_MEDIUM_REMOVAL) 88 sdev->lockable = 0; 89 else 90 sdev_printk(KERN_INFO, sdev, 91 "ioctl_internal_command: " 92 "ILLEGAL REQUEST " 93 "asc=0x%x ascq=0x%x\n", 94 sshdr.asc, sshdr.ascq); 95 break; 96 case NOT_READY: /* This happens if there is no disc in drive */ 97 if (sdev->removable) 98 break; 99 fallthrough; 100 case UNIT_ATTENTION: 101 if (sdev->removable) { 102 sdev->changed = 1; 103 result = 0; /* This is no longer considered an error */ 104 break; 105 } 106 fallthrough; /* for non-removable media */ 107 default: 108 sdev_printk(KERN_INFO, sdev, 109 "ioctl_internal_command return code = %x\n", 110 result); 111 scsi_print_sense_hdr(sdev, NULL, &sshdr); 112 break; 113 } 114 } 115 out: 116 SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, 117 "IOCTL Releasing command\n")); 118 return result; 119 } 120 121 int scsi_set_medium_removal(struct scsi_device *sdev, char state) 122 { 123 char scsi_cmd[MAX_COMMAND_SIZE]; 124 int ret; 125 126 if (!sdev->removable || !sdev->lockable) 127 return 0; 128 129 scsi_cmd[0] = ALLOW_MEDIUM_REMOVAL; 130 scsi_cmd[1] = 0; 131 scsi_cmd[2] = 0; 132 scsi_cmd[3] = 0; 133 scsi_cmd[4] = state; 134 scsi_cmd[5] = 0; 135 136 ret = ioctl_internal_command(sdev, scsi_cmd, 137 IOCTL_NORMAL_TIMEOUT, NORMAL_RETRIES); 138 if (ret == 0) 139 sdev->locked = (state == SCSI_REMOVAL_PREVENT); 140 return ret; 141 } 142 EXPORT_SYMBOL(scsi_set_medium_removal); 143 144 /* 145 * The scsi_ioctl_get_pci() function places into arg the value 146 * pci_dev::slot_name (8 characters) for the PCI device (if any). 147 * Returns: 0 on success 148 * -ENXIO if there isn't a PCI device pointer 149 * (could be because the SCSI driver hasn't been 150 * updated yet, or because it isn't a SCSI 151 * device) 152 * any copy_to_user() error on failure there 153 */ 154 static int scsi_ioctl_get_pci(struct scsi_device *sdev, void __user *arg) 155 { 156 struct device *dev = scsi_get_device(sdev->host); 157 const char *name; 158 159 if (!dev) 160 return -ENXIO; 161 162 name = dev_name(dev); 163 164 /* compatibility with old ioctl which only returned 165 * 20 characters */ 166 return copy_to_user(arg, name, min(strlen(name), (size_t)20)) 167 ? -EFAULT: 0; 168 } 169 170 static int sg_get_version(int __user *p) 171 { 172 static const int sg_version_num = 30527; 173 return put_user(sg_version_num, p); 174 } 175 176 static int sg_set_timeout(struct scsi_device *sdev, int __user *p) 177 { 178 int timeout, err = get_user(timeout, p); 179 180 if (!err) 181 sdev->sg_timeout = clock_t_to_jiffies(timeout); 182 183 return err; 184 } 185 186 static int sg_get_reserved_size(struct scsi_device *sdev, int __user *p) 187 { 188 int val = min(sdev->sg_reserved_size, 189 queue_max_bytes(sdev->request_queue)); 190 191 return put_user(val, p); 192 } 193 194 static int sg_set_reserved_size(struct scsi_device *sdev, int __user *p) 195 { 196 int size, err = get_user(size, p); 197 198 if (err) 199 return err; 200 201 if (size < 0) 202 return -EINVAL; 203 204 sdev->sg_reserved_size = min_t(unsigned int, size, 205 queue_max_bytes(sdev->request_queue)); 206 return 0; 207 } 208 209 /* 210 * will always return that we are ATAPI even for a real SCSI drive, I'm not 211 * so sure this is worth doing anything about (why would you care??) 212 */ 213 static int sg_emulated_host(struct request_queue *q, int __user *p) 214 { 215 return put_user(1, p); 216 } 217 218 static int scsi_get_idlun(struct scsi_device *sdev, void __user *argp) 219 { 220 struct scsi_idlun v = { 221 .dev_id = (sdev->id & 0xff) + 222 ((sdev->lun & 0xff) << 8) + 223 ((sdev->channel & 0xff) << 16) + 224 ((sdev->host->host_no & 0xff) << 24), 225 .host_unique_id = sdev->host->unique_id 226 }; 227 if (copy_to_user(argp, &v, sizeof(struct scsi_idlun))) 228 return -EFAULT; 229 return 0; 230 } 231 232 static int scsi_send_start_stop(struct scsi_device *sdev, int data) 233 { 234 u8 cdb[MAX_COMMAND_SIZE] = { }; 235 236 cdb[0] = START_STOP; 237 cdb[4] = data; 238 return ioctl_internal_command(sdev, cdb, START_STOP_TIMEOUT, 239 NORMAL_RETRIES); 240 } 241 242 /* 243 * Check if the given command is allowed. 244 * 245 * Only a subset of commands are allowed for unprivileged users. Commands used 246 * to format the media, update the firmware, etc. are not permitted. 247 */ 248 bool scsi_cmd_allowed(unsigned char *cmd, fmode_t mode) 249 { 250 /* root can do any command. */ 251 if (capable(CAP_SYS_RAWIO)) 252 return true; 253 254 /* Anybody who can open the device can do a read-safe command */ 255 switch (cmd[0]) { 256 /* Basic read-only commands */ 257 case TEST_UNIT_READY: 258 case REQUEST_SENSE: 259 case READ_6: 260 case READ_10: 261 case READ_12: 262 case READ_16: 263 case READ_BUFFER: 264 case READ_DEFECT_DATA: 265 case READ_CAPACITY: /* also GPCMD_READ_CDVD_CAPACITY */ 266 case READ_LONG: 267 case INQUIRY: 268 case MODE_SENSE: 269 case MODE_SENSE_10: 270 case LOG_SENSE: 271 case START_STOP: 272 case GPCMD_VERIFY_10: 273 case VERIFY_16: 274 case REPORT_LUNS: 275 case SERVICE_ACTION_IN_16: 276 case RECEIVE_DIAGNOSTIC: 277 case MAINTENANCE_IN: /* also GPCMD_SEND_KEY, which is a write command */ 278 case GPCMD_READ_BUFFER_CAPACITY: 279 /* Audio CD commands */ 280 case GPCMD_PLAY_CD: 281 case GPCMD_PLAY_AUDIO_10: 282 case GPCMD_PLAY_AUDIO_MSF: 283 case GPCMD_PLAY_AUDIO_TI: 284 case GPCMD_PAUSE_RESUME: 285 /* CD/DVD data reading */ 286 case GPCMD_READ_CD: 287 case GPCMD_READ_CD_MSF: 288 case GPCMD_READ_DISC_INFO: 289 case GPCMD_READ_DVD_STRUCTURE: 290 case GPCMD_READ_HEADER: 291 case GPCMD_READ_TRACK_RZONE_INFO: 292 case GPCMD_READ_SUBCHANNEL: 293 case GPCMD_READ_TOC_PMA_ATIP: 294 case GPCMD_REPORT_KEY: 295 case GPCMD_SCAN: 296 case GPCMD_GET_CONFIGURATION: 297 case GPCMD_READ_FORMAT_CAPACITIES: 298 case GPCMD_GET_EVENT_STATUS_NOTIFICATION: 299 case GPCMD_GET_PERFORMANCE: 300 case GPCMD_SEEK: 301 case GPCMD_STOP_PLAY_SCAN: 302 /* ZBC */ 303 case ZBC_IN: 304 return true; 305 /* Basic writing commands */ 306 case WRITE_6: 307 case WRITE_10: 308 case WRITE_VERIFY: 309 case WRITE_12: 310 case WRITE_VERIFY_12: 311 case WRITE_16: 312 case WRITE_LONG: 313 case WRITE_LONG_2: 314 case WRITE_SAME: 315 case WRITE_SAME_16: 316 case WRITE_SAME_32: 317 case ERASE: 318 case GPCMD_MODE_SELECT_10: 319 case MODE_SELECT: 320 case LOG_SELECT: 321 case GPCMD_BLANK: 322 case GPCMD_CLOSE_TRACK: 323 case GPCMD_FLUSH_CACHE: 324 case GPCMD_FORMAT_UNIT: 325 case GPCMD_REPAIR_RZONE_TRACK: 326 case GPCMD_RESERVE_RZONE_TRACK: 327 case GPCMD_SEND_DVD_STRUCTURE: 328 case GPCMD_SEND_EVENT: 329 case GPCMD_SEND_OPC: 330 case GPCMD_SEND_CUE_SHEET: 331 case GPCMD_SET_SPEED: 332 case GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL: 333 case GPCMD_LOAD_UNLOAD: 334 case GPCMD_SET_STREAMING: 335 case GPCMD_SET_READ_AHEAD: 336 /* ZBC */ 337 case ZBC_OUT: 338 return (mode & FMODE_WRITE); 339 default: 340 return false; 341 } 342 } 343 EXPORT_SYMBOL(scsi_cmd_allowed); 344 345 static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq, 346 struct sg_io_hdr *hdr, fmode_t mode) 347 { 348 struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq); 349 350 if (hdr->cmd_len < 6) 351 return -EMSGSIZE; 352 if (copy_from_user(scmd->cmnd, hdr->cmdp, hdr->cmd_len)) 353 return -EFAULT; 354 if (!scsi_cmd_allowed(scmd->cmnd, mode)) 355 return -EPERM; 356 scmd->cmd_len = hdr->cmd_len; 357 358 rq->timeout = msecs_to_jiffies(hdr->timeout); 359 if (!rq->timeout) 360 rq->timeout = sdev->sg_timeout; 361 if (!rq->timeout) 362 rq->timeout = BLK_DEFAULT_SG_TIMEOUT; 363 if (rq->timeout < BLK_MIN_SG_TIMEOUT) 364 rq->timeout = BLK_MIN_SG_TIMEOUT; 365 366 return 0; 367 } 368 369 static int scsi_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr, 370 struct bio *bio) 371 { 372 struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq); 373 int r, ret = 0; 374 375 /* 376 * fill in all the output members 377 */ 378 hdr->status = scmd->result & 0xff; 379 hdr->masked_status = status_byte(scmd->result); 380 hdr->msg_status = COMMAND_COMPLETE; 381 hdr->host_status = host_byte(scmd->result); 382 hdr->driver_status = 0; 383 if (scsi_status_is_check_condition(hdr->status)) 384 hdr->driver_status = DRIVER_SENSE; 385 hdr->info = 0; 386 if (hdr->masked_status || hdr->host_status || hdr->driver_status) 387 hdr->info |= SG_INFO_CHECK; 388 hdr->resid = scmd->resid_len; 389 hdr->sb_len_wr = 0; 390 391 if (scmd->sense_len && hdr->sbp) { 392 int len = min((unsigned int) hdr->mx_sb_len, scmd->sense_len); 393 394 if (!copy_to_user(hdr->sbp, scmd->sense_buffer, len)) 395 hdr->sb_len_wr = len; 396 else 397 ret = -EFAULT; 398 } 399 400 r = blk_rq_unmap_user(bio); 401 if (!ret) 402 ret = r; 403 404 return ret; 405 } 406 407 static int sg_io(struct scsi_device *sdev, struct sg_io_hdr *hdr, fmode_t mode) 408 { 409 unsigned long start_time; 410 ssize_t ret = 0; 411 int writing = 0; 412 int at_head = 0; 413 struct request *rq; 414 struct scsi_cmnd *scmd; 415 struct bio *bio; 416 417 if (hdr->interface_id != 'S') 418 return -EINVAL; 419 420 if (hdr->dxfer_len > (queue_max_hw_sectors(sdev->request_queue) << 9)) 421 return -EIO; 422 423 if (hdr->dxfer_len) 424 switch (hdr->dxfer_direction) { 425 default: 426 return -EINVAL; 427 case SG_DXFER_TO_DEV: 428 writing = 1; 429 break; 430 case SG_DXFER_TO_FROM_DEV: 431 case SG_DXFER_FROM_DEV: 432 break; 433 } 434 if (hdr->flags & SG_FLAG_Q_AT_HEAD) 435 at_head = 1; 436 437 rq = scsi_alloc_request(sdev->request_queue, writing ? 438 REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0); 439 if (IS_ERR(rq)) 440 return PTR_ERR(rq); 441 scmd = blk_mq_rq_to_pdu(rq); 442 443 if (hdr->cmd_len > sizeof(scmd->cmnd)) { 444 ret = -EINVAL; 445 goto out_put_request; 446 } 447 448 ret = scsi_fill_sghdr_rq(sdev, rq, hdr, mode); 449 if (ret < 0) 450 goto out_put_request; 451 452 ret = 0; 453 if (hdr->iovec_count) { 454 struct iov_iter i; 455 struct iovec *iov = NULL; 456 457 ret = import_iovec(rq_data_dir(rq), hdr->dxferp, 458 hdr->iovec_count, 0, &iov, &i); 459 if (ret < 0) 460 goto out_put_request; 461 462 /* SG_IO howto says that the shorter of the two wins */ 463 iov_iter_truncate(&i, hdr->dxfer_len); 464 465 ret = blk_rq_map_user_iov(rq->q, rq, NULL, &i, GFP_KERNEL); 466 kfree(iov); 467 } else if (hdr->dxfer_len) 468 ret = blk_rq_map_user(rq->q, rq, NULL, hdr->dxferp, 469 hdr->dxfer_len, GFP_KERNEL); 470 471 if (ret) 472 goto out_put_request; 473 474 bio = rq->bio; 475 scmd->allowed = 0; 476 477 start_time = jiffies; 478 479 blk_execute_rq(rq, at_head); 480 481 hdr->duration = jiffies_to_msecs(jiffies - start_time); 482 483 ret = scsi_complete_sghdr_rq(rq, hdr, bio); 484 485 out_put_request: 486 blk_mq_free_request(rq); 487 return ret; 488 } 489 490 /** 491 * sg_scsi_ioctl -- handle deprecated SCSI_IOCTL_SEND_COMMAND ioctl 492 * @q: request queue to send scsi commands down 493 * @mode: mode used to open the file through which the ioctl has been 494 * submitted 495 * @sic: userspace structure describing the command to perform 496 * 497 * Send down the scsi command described by @sic to the device below 498 * the request queue @q. 499 * 500 * Notes: 501 * - This interface is deprecated - users should use the SG_IO 502 * interface instead, as this is a more flexible approach to 503 * performing SCSI commands on a device. 504 * - The SCSI command length is determined by examining the 1st byte 505 * of the given command. There is no way to override this. 506 * - Data transfers are limited to PAGE_SIZE 507 * - The length (x + y) must be at least OMAX_SB_LEN bytes long to 508 * accommodate the sense buffer when an error occurs. 509 * The sense buffer is truncated to OMAX_SB_LEN (16) bytes so that 510 * old code will not be surprised. 511 * - If a Unix error occurs (e.g. ENOMEM) then the user will receive 512 * a negative return and the Unix error code in 'errno'. 513 * If the SCSI command succeeds then 0 is returned. 514 * Positive numbers returned are the compacted SCSI error codes (4 515 * bytes in one int) where the lowest byte is the SCSI status. 516 */ 517 static int sg_scsi_ioctl(struct request_queue *q, fmode_t mode, 518 struct scsi_ioctl_command __user *sic) 519 { 520 struct request *rq; 521 int err; 522 unsigned int in_len, out_len, bytes, opcode, cmdlen; 523 struct scsi_cmnd *scmd; 524 char *buffer = NULL; 525 526 if (!sic) 527 return -EINVAL; 528 529 /* 530 * get in an out lengths, verify they don't exceed a page worth of data 531 */ 532 if (get_user(in_len, &sic->inlen)) 533 return -EFAULT; 534 if (get_user(out_len, &sic->outlen)) 535 return -EFAULT; 536 if (in_len > PAGE_SIZE || out_len > PAGE_SIZE) 537 return -EINVAL; 538 if (get_user(opcode, sic->data)) 539 return -EFAULT; 540 541 bytes = max(in_len, out_len); 542 if (bytes) { 543 buffer = kzalloc(bytes, GFP_NOIO | GFP_USER | __GFP_NOWARN); 544 if (!buffer) 545 return -ENOMEM; 546 547 } 548 549 rq = scsi_alloc_request(q, in_len ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0); 550 if (IS_ERR(rq)) { 551 err = PTR_ERR(rq); 552 goto error_free_buffer; 553 } 554 scmd = blk_mq_rq_to_pdu(rq); 555 556 cmdlen = COMMAND_SIZE(opcode); 557 558 /* 559 * get command and data to send to device, if any 560 */ 561 err = -EFAULT; 562 scmd->cmd_len = cmdlen; 563 if (copy_from_user(scmd->cmnd, sic->data, cmdlen)) 564 goto error; 565 566 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) 567 goto error; 568 569 err = -EPERM; 570 if (!scsi_cmd_allowed(scmd->cmnd, mode)) 571 goto error; 572 573 /* default. possible overridden later */ 574 scmd->allowed = 5; 575 576 switch (opcode) { 577 case SEND_DIAGNOSTIC: 578 case FORMAT_UNIT: 579 rq->timeout = FORMAT_UNIT_TIMEOUT; 580 scmd->allowed = 1; 581 break; 582 case START_STOP: 583 rq->timeout = START_STOP_TIMEOUT; 584 break; 585 case MOVE_MEDIUM: 586 rq->timeout = MOVE_MEDIUM_TIMEOUT; 587 break; 588 case READ_ELEMENT_STATUS: 589 rq->timeout = READ_ELEMENT_STATUS_TIMEOUT; 590 break; 591 case READ_DEFECT_DATA: 592 rq->timeout = READ_DEFECT_DATA_TIMEOUT; 593 scmd->allowed = 1; 594 break; 595 default: 596 rq->timeout = BLK_DEFAULT_SG_TIMEOUT; 597 break; 598 } 599 600 if (bytes) { 601 err = blk_rq_map_kern(q, rq, buffer, bytes, GFP_NOIO); 602 if (err) 603 goto error; 604 } 605 606 blk_execute_rq(rq, false); 607 608 err = scmd->result & 0xff; /* only 8 bit SCSI status */ 609 if (err) { 610 if (scmd->sense_len && scmd->sense_buffer) { 611 /* limit sense len for backward compatibility */ 612 if (copy_to_user(sic->data, scmd->sense_buffer, 613 min(scmd->sense_len, 16U))) 614 err = -EFAULT; 615 } 616 } else { 617 if (copy_to_user(sic->data, buffer, out_len)) 618 err = -EFAULT; 619 } 620 621 error: 622 blk_mq_free_request(rq); 623 624 error_free_buffer: 625 kfree(buffer); 626 627 return err; 628 } 629 630 int put_sg_io_hdr(const struct sg_io_hdr *hdr, void __user *argp) 631 { 632 #ifdef CONFIG_COMPAT 633 if (in_compat_syscall()) { 634 struct compat_sg_io_hdr hdr32 = { 635 .interface_id = hdr->interface_id, 636 .dxfer_direction = hdr->dxfer_direction, 637 .cmd_len = hdr->cmd_len, 638 .mx_sb_len = hdr->mx_sb_len, 639 .iovec_count = hdr->iovec_count, 640 .dxfer_len = hdr->dxfer_len, 641 .dxferp = (uintptr_t)hdr->dxferp, 642 .cmdp = (uintptr_t)hdr->cmdp, 643 .sbp = (uintptr_t)hdr->sbp, 644 .timeout = hdr->timeout, 645 .flags = hdr->flags, 646 .pack_id = hdr->pack_id, 647 .usr_ptr = (uintptr_t)hdr->usr_ptr, 648 .status = hdr->status, 649 .masked_status = hdr->masked_status, 650 .msg_status = hdr->msg_status, 651 .sb_len_wr = hdr->sb_len_wr, 652 .host_status = hdr->host_status, 653 .driver_status = hdr->driver_status, 654 .resid = hdr->resid, 655 .duration = hdr->duration, 656 .info = hdr->info, 657 }; 658 659 if (copy_to_user(argp, &hdr32, sizeof(hdr32))) 660 return -EFAULT; 661 662 return 0; 663 } 664 #endif 665 666 if (copy_to_user(argp, hdr, sizeof(*hdr))) 667 return -EFAULT; 668 669 return 0; 670 } 671 EXPORT_SYMBOL(put_sg_io_hdr); 672 673 int get_sg_io_hdr(struct sg_io_hdr *hdr, const void __user *argp) 674 { 675 #ifdef CONFIG_COMPAT 676 struct compat_sg_io_hdr hdr32; 677 678 if (in_compat_syscall()) { 679 if (copy_from_user(&hdr32, argp, sizeof(hdr32))) 680 return -EFAULT; 681 682 *hdr = (struct sg_io_hdr) { 683 .interface_id = hdr32.interface_id, 684 .dxfer_direction = hdr32.dxfer_direction, 685 .cmd_len = hdr32.cmd_len, 686 .mx_sb_len = hdr32.mx_sb_len, 687 .iovec_count = hdr32.iovec_count, 688 .dxfer_len = hdr32.dxfer_len, 689 .dxferp = compat_ptr(hdr32.dxferp), 690 .cmdp = compat_ptr(hdr32.cmdp), 691 .sbp = compat_ptr(hdr32.sbp), 692 .timeout = hdr32.timeout, 693 .flags = hdr32.flags, 694 .pack_id = hdr32.pack_id, 695 .usr_ptr = compat_ptr(hdr32.usr_ptr), 696 .status = hdr32.status, 697 .masked_status = hdr32.masked_status, 698 .msg_status = hdr32.msg_status, 699 .sb_len_wr = hdr32.sb_len_wr, 700 .host_status = hdr32.host_status, 701 .driver_status = hdr32.driver_status, 702 .resid = hdr32.resid, 703 .duration = hdr32.duration, 704 .info = hdr32.info, 705 }; 706 707 return 0; 708 } 709 #endif 710 711 if (copy_from_user(hdr, argp, sizeof(*hdr))) 712 return -EFAULT; 713 714 return 0; 715 } 716 EXPORT_SYMBOL(get_sg_io_hdr); 717 718 #ifdef CONFIG_COMPAT 719 struct compat_cdrom_generic_command { 720 unsigned char cmd[CDROM_PACKET_SIZE]; 721 compat_caddr_t buffer; 722 compat_uint_t buflen; 723 compat_int_t stat; 724 compat_caddr_t sense; 725 unsigned char data_direction; 726 unsigned char pad[3]; 727 compat_int_t quiet; 728 compat_int_t timeout; 729 compat_caddr_t unused; 730 }; 731 #endif 732 733 static int scsi_get_cdrom_generic_arg(struct cdrom_generic_command *cgc, 734 const void __user *arg) 735 { 736 #ifdef CONFIG_COMPAT 737 if (in_compat_syscall()) { 738 struct compat_cdrom_generic_command cgc32; 739 740 if (copy_from_user(&cgc32, arg, sizeof(cgc32))) 741 return -EFAULT; 742 743 *cgc = (struct cdrom_generic_command) { 744 .buffer = compat_ptr(cgc32.buffer), 745 .buflen = cgc32.buflen, 746 .stat = cgc32.stat, 747 .sense = compat_ptr(cgc32.sense), 748 .data_direction = cgc32.data_direction, 749 .quiet = cgc32.quiet, 750 .timeout = cgc32.timeout, 751 .unused = compat_ptr(cgc32.unused), 752 }; 753 memcpy(&cgc->cmd, &cgc32.cmd, CDROM_PACKET_SIZE); 754 return 0; 755 } 756 #endif 757 if (copy_from_user(cgc, arg, sizeof(*cgc))) 758 return -EFAULT; 759 760 return 0; 761 } 762 763 static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc, 764 void __user *arg) 765 { 766 #ifdef CONFIG_COMPAT 767 if (in_compat_syscall()) { 768 struct compat_cdrom_generic_command cgc32 = { 769 .buffer = (uintptr_t)(cgc->buffer), 770 .buflen = cgc->buflen, 771 .stat = cgc->stat, 772 .sense = (uintptr_t)(cgc->sense), 773 .data_direction = cgc->data_direction, 774 .quiet = cgc->quiet, 775 .timeout = cgc->timeout, 776 .unused = (uintptr_t)(cgc->unused), 777 }; 778 memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE); 779 780 if (copy_to_user(arg, &cgc32, sizeof(cgc32))) 781 return -EFAULT; 782 783 return 0; 784 } 785 #endif 786 if (copy_to_user(arg, cgc, sizeof(*cgc))) 787 return -EFAULT; 788 789 return 0; 790 } 791 792 static int scsi_cdrom_send_packet(struct scsi_device *sdev, fmode_t mode, 793 void __user *arg) 794 { 795 struct cdrom_generic_command cgc; 796 struct sg_io_hdr hdr; 797 int err; 798 799 err = scsi_get_cdrom_generic_arg(&cgc, arg); 800 if (err) 801 return err; 802 803 cgc.timeout = clock_t_to_jiffies(cgc.timeout); 804 memset(&hdr, 0, sizeof(hdr)); 805 hdr.interface_id = 'S'; 806 hdr.cmd_len = sizeof(cgc.cmd); 807 hdr.dxfer_len = cgc.buflen; 808 switch (cgc.data_direction) { 809 case CGC_DATA_UNKNOWN: 810 hdr.dxfer_direction = SG_DXFER_UNKNOWN; 811 break; 812 case CGC_DATA_WRITE: 813 hdr.dxfer_direction = SG_DXFER_TO_DEV; 814 break; 815 case CGC_DATA_READ: 816 hdr.dxfer_direction = SG_DXFER_FROM_DEV; 817 break; 818 case CGC_DATA_NONE: 819 hdr.dxfer_direction = SG_DXFER_NONE; 820 break; 821 default: 822 return -EINVAL; 823 } 824 825 hdr.dxferp = cgc.buffer; 826 hdr.sbp = cgc.sense; 827 if (hdr.sbp) 828 hdr.mx_sb_len = sizeof(struct request_sense); 829 hdr.timeout = jiffies_to_msecs(cgc.timeout); 830 hdr.cmdp = ((struct cdrom_generic_command __user *) arg)->cmd; 831 hdr.cmd_len = sizeof(cgc.cmd); 832 833 err = sg_io(sdev, &hdr, mode); 834 if (err == -EFAULT) 835 return -EFAULT; 836 837 if (hdr.status) 838 return -EIO; 839 840 cgc.stat = err; 841 cgc.buflen = hdr.resid; 842 if (scsi_put_cdrom_generic_arg(&cgc, arg)) 843 return -EFAULT; 844 845 return err; 846 } 847 848 static int scsi_ioctl_sg_io(struct scsi_device *sdev, fmode_t mode, 849 void __user *argp) 850 { 851 struct sg_io_hdr hdr; 852 int error; 853 854 error = get_sg_io_hdr(&hdr, argp); 855 if (error) 856 return error; 857 error = sg_io(sdev, &hdr, mode); 858 if (error == -EFAULT) 859 return error; 860 if (put_sg_io_hdr(&hdr, argp)) 861 return -EFAULT; 862 return error; 863 } 864 865 /** 866 * scsi_ioctl - Dispatch ioctl to scsi device 867 * @sdev: scsi device receiving ioctl 868 * @mode: mode the block/char device is opened with 869 * @cmd: which ioctl is it 870 * @arg: data associated with ioctl 871 * 872 * Description: The scsi_ioctl() function differs from most ioctls in that it 873 * does not take a major/minor number as the dev field. Rather, it takes 874 * a pointer to a &struct scsi_device. 875 */ 876 int scsi_ioctl(struct scsi_device *sdev, fmode_t mode, int cmd, 877 void __user *arg) 878 { 879 struct request_queue *q = sdev->request_queue; 880 struct scsi_sense_hdr sense_hdr; 881 882 /* Check for deprecated ioctls ... all the ioctls which don't 883 * follow the new unique numbering scheme are deprecated */ 884 switch (cmd) { 885 case SCSI_IOCTL_SEND_COMMAND: 886 case SCSI_IOCTL_TEST_UNIT_READY: 887 case SCSI_IOCTL_BENCHMARK_COMMAND: 888 case SCSI_IOCTL_SYNC: 889 case SCSI_IOCTL_START_UNIT: 890 case SCSI_IOCTL_STOP_UNIT: 891 printk(KERN_WARNING "program %s is using a deprecated SCSI " 892 "ioctl, please convert it to SG_IO\n", current->comm); 893 break; 894 default: 895 break; 896 } 897 898 switch (cmd) { 899 case SG_GET_VERSION_NUM: 900 return sg_get_version(arg); 901 case SG_SET_TIMEOUT: 902 return sg_set_timeout(sdev, arg); 903 case SG_GET_TIMEOUT: 904 return jiffies_to_clock_t(sdev->sg_timeout); 905 case SG_GET_RESERVED_SIZE: 906 return sg_get_reserved_size(sdev, arg); 907 case SG_SET_RESERVED_SIZE: 908 return sg_set_reserved_size(sdev, arg); 909 case SG_EMULATED_HOST: 910 return sg_emulated_host(q, arg); 911 case SG_IO: 912 return scsi_ioctl_sg_io(sdev, mode, arg); 913 case SCSI_IOCTL_SEND_COMMAND: 914 return sg_scsi_ioctl(q, mode, arg); 915 case CDROM_SEND_PACKET: 916 return scsi_cdrom_send_packet(sdev, mode, arg); 917 case CDROMCLOSETRAY: 918 return scsi_send_start_stop(sdev, 3); 919 case CDROMEJECT: 920 return scsi_send_start_stop(sdev, 2); 921 case SCSI_IOCTL_GET_IDLUN: 922 return scsi_get_idlun(sdev, arg); 923 case SCSI_IOCTL_GET_BUS_NUMBER: 924 return put_user(sdev->host->host_no, (int __user *)arg); 925 case SCSI_IOCTL_PROBE_HOST: 926 return ioctl_probe(sdev->host, arg); 927 case SCSI_IOCTL_DOORLOCK: 928 return scsi_set_medium_removal(sdev, SCSI_REMOVAL_PREVENT); 929 case SCSI_IOCTL_DOORUNLOCK: 930 return scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); 931 case SCSI_IOCTL_TEST_UNIT_READY: 932 return scsi_test_unit_ready(sdev, IOCTL_NORMAL_TIMEOUT, 933 NORMAL_RETRIES, &sense_hdr); 934 case SCSI_IOCTL_START_UNIT: 935 return scsi_send_start_stop(sdev, 1); 936 case SCSI_IOCTL_STOP_UNIT: 937 return scsi_send_start_stop(sdev, 0); 938 case SCSI_IOCTL_GET_PCI: 939 return scsi_ioctl_get_pci(sdev, arg); 940 case SG_SCSI_RESET: 941 return scsi_ioctl_reset(sdev, arg); 942 } 943 944 #ifdef CONFIG_COMPAT 945 if (in_compat_syscall()) { 946 if (!sdev->host->hostt->compat_ioctl) 947 return -EINVAL; 948 return sdev->host->hostt->compat_ioctl(sdev, cmd, arg); 949 } 950 #endif 951 if (!sdev->host->hostt->ioctl) 952 return -EINVAL; 953 return sdev->host->hostt->ioctl(sdev, cmd, arg); 954 } 955 EXPORT_SYMBOL(scsi_ioctl); 956 957 /* 958 * We can process a reset even when a device isn't fully operable. 959 */ 960 int scsi_ioctl_block_when_processing_errors(struct scsi_device *sdev, int cmd, 961 bool ndelay) 962 { 963 if (cmd == SG_SCSI_RESET && ndelay) { 964 if (scsi_host_in_recovery(sdev->host)) 965 return -EAGAIN; 966 } else { 967 if (!scsi_block_when_processing_errors(sdev)) 968 return -ENODEV; 969 } 970 971 return 0; 972 } 973 EXPORT_SYMBOL_GPL(scsi_ioctl_block_when_processing_errors); 974