1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Changes: 4 * Arnaldo Carvalho de Melo <acme@conectiva.com.br> 08/23/2000 5 * - get rid of some verify_areas and use __copy*user and __get/put_user 6 * for the ones that remain 7 */ 8 #include <linux/module.h> 9 #include <linux/blkdev.h> 10 #include <linux/interrupt.h> 11 #include <linux/errno.h> 12 #include <linux/kernel.h> 13 #include <linux/sched.h> 14 #include <linux/mm.h> 15 #include <linux/string.h> 16 #include <linux/uaccess.h> 17 #include <linux/cdrom.h> 18 19 #include <scsi/scsi.h> 20 #include <scsi/scsi_cmnd.h> 21 #include <scsi/scsi_device.h> 22 #include <scsi/scsi_eh.h> 23 #include <scsi/scsi_host.h> 24 #include <scsi/scsi_ioctl.h> 25 #include <scsi/sg.h> 26 #include <scsi/scsi_dbg.h> 27 28 #include "scsi_logging.h" 29 30 #define NORMAL_RETRIES 5 31 #define IOCTL_NORMAL_TIMEOUT (10 * HZ) 32 33 #define MAX_BUF PAGE_SIZE 34 35 /** 36 * ioctl_probe -- return host identification 37 * @host: host to identify 38 * @buffer: userspace buffer for identification 39 * 40 * Return an identifying string at @buffer, if @buffer is non-NULL, filling 41 * to the length stored at * (int *) @buffer. 42 */ 43 static int ioctl_probe(struct Scsi_Host *host, void __user *buffer) 44 { 45 unsigned int len, slen; 46 const char *string; 47 48 if (buffer) { 49 if (get_user(len, (unsigned int __user *) buffer)) 50 return -EFAULT; 51 52 if (host->hostt->info) 53 string = host->hostt->info(host); 54 else 55 string = host->hostt->name; 56 if (string) { 57 slen = strlen(string); 58 if (len > slen) 59 len = slen + 1; 60 if (copy_to_user(buffer, string, len)) 61 return -EFAULT; 62 } 63 } 64 return 1; 65 } 66 67 static int ioctl_internal_command(struct scsi_device *sdev, char *cmd, 68 int timeout, int retries) 69 { 70 int result; 71 struct scsi_sense_hdr sshdr; 72 73 SCSI_LOG_IOCTL(1, sdev_printk(KERN_INFO, sdev, 74 "Trying ioctl with scsi command %d\n", *cmd)); 75 76 result = scsi_execute_req(sdev, cmd, DMA_NONE, NULL, 0, 77 &sshdr, timeout, retries, NULL); 78 79 SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, 80 "Ioctl returned 0x%x\n", result)); 81 82 if (result < 0) 83 goto out; 84 if (scsi_sense_valid(&sshdr)) { 85 switch (sshdr.sense_key) { 86 case ILLEGAL_REQUEST: 87 if (cmd[0] == ALLOW_MEDIUM_REMOVAL) 88 sdev->lockable = 0; 89 else 90 sdev_printk(KERN_INFO, sdev, 91 "ioctl_internal_command: " 92 "ILLEGAL REQUEST " 93 "asc=0x%x ascq=0x%x\n", 94 sshdr.asc, sshdr.ascq); 95 break; 96 case NOT_READY: /* This happens if there is no disc in drive */ 97 if (sdev->removable) 98 break; 99 fallthrough; 100 case UNIT_ATTENTION: 101 if (sdev->removable) { 102 sdev->changed = 1; 103 result = 0; /* This is no longer considered an error */ 104 break; 105 } 106 fallthrough; /* for non-removable media */ 107 default: 108 sdev_printk(KERN_INFO, sdev, 109 "ioctl_internal_command return code = %x\n", 110 result); 111 scsi_print_sense_hdr(sdev, NULL, &sshdr); 112 break; 113 } 114 } 115 out: 116 SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev, 117 "IOCTL Releasing command\n")); 118 return result; 119 } 120 121 int scsi_set_medium_removal(struct scsi_device *sdev, char state) 122 { 123 char scsi_cmd[MAX_COMMAND_SIZE]; 124 int ret; 125 126 if (!sdev->removable || !sdev->lockable) 127 return 0; 128 129 scsi_cmd[0] = ALLOW_MEDIUM_REMOVAL; 130 scsi_cmd[1] = 0; 131 scsi_cmd[2] = 0; 132 scsi_cmd[3] = 0; 133 scsi_cmd[4] = state; 134 scsi_cmd[5] = 0; 135 136 ret = ioctl_internal_command(sdev, scsi_cmd, 137 IOCTL_NORMAL_TIMEOUT, NORMAL_RETRIES); 138 if (ret == 0) 139 sdev->locked = (state == SCSI_REMOVAL_PREVENT); 140 return ret; 141 } 142 EXPORT_SYMBOL(scsi_set_medium_removal); 143 144 /* 145 * The scsi_ioctl_get_pci() function places into arg the value 146 * pci_dev::slot_name (8 characters) for the PCI device (if any). 147 * Returns: 0 on success 148 * -ENXIO if there isn't a PCI device pointer 149 * (could be because the SCSI driver hasn't been 150 * updated yet, or because it isn't a SCSI 151 * device) 152 * any copy_to_user() error on failure there 153 */ 154 static int scsi_ioctl_get_pci(struct scsi_device *sdev, void __user *arg) 155 { 156 struct device *dev = scsi_get_device(sdev->host); 157 const char *name; 158 159 if (!dev) 160 return -ENXIO; 161 162 name = dev_name(dev); 163 164 /* compatibility with old ioctl which only returned 165 * 20 characters */ 166 return copy_to_user(arg, name, min(strlen(name), (size_t)20)) 167 ? -EFAULT: 0; 168 } 169 170 static int sg_get_version(int __user *p) 171 { 172 static const int sg_version_num = 30527; 173 return put_user(sg_version_num, p); 174 } 175 176 static int sg_set_timeout(struct scsi_device *sdev, int __user *p) 177 { 178 int timeout, err = get_user(timeout, p); 179 180 if (!err) 181 sdev->sg_timeout = clock_t_to_jiffies(timeout); 182 183 return err; 184 } 185 186 static int sg_get_reserved_size(struct scsi_device *sdev, int __user *p) 187 { 188 int val = min(sdev->sg_reserved_size, 189 queue_max_bytes(sdev->request_queue)); 190 191 return put_user(val, p); 192 } 193 194 static int sg_set_reserved_size(struct scsi_device *sdev, int __user *p) 195 { 196 int size, err = get_user(size, p); 197 198 if (err) 199 return err; 200 201 if (size < 0) 202 return -EINVAL; 203 204 sdev->sg_reserved_size = min_t(unsigned int, size, 205 queue_max_bytes(sdev->request_queue)); 206 return 0; 207 } 208 209 /* 210 * will always return that we are ATAPI even for a real SCSI drive, I'm not 211 * so sure this is worth doing anything about (why would you care??) 212 */ 213 static int sg_emulated_host(struct request_queue *q, int __user *p) 214 { 215 return put_user(1, p); 216 } 217 218 static int scsi_get_idlun(struct scsi_device *sdev, void __user *argp) 219 { 220 struct scsi_idlun v = { 221 .dev_id = (sdev->id & 0xff) + 222 ((sdev->lun & 0xff) << 8) + 223 ((sdev->channel & 0xff) << 16) + 224 ((sdev->host->host_no & 0xff) << 24), 225 .host_unique_id = sdev->host->unique_id 226 }; 227 if (copy_to_user(argp, &v, sizeof(struct scsi_idlun))) 228 return -EFAULT; 229 return 0; 230 } 231 232 static int scsi_send_start_stop(struct scsi_device *sdev, int data) 233 { 234 u8 cdb[MAX_COMMAND_SIZE] = { }; 235 236 cdb[0] = START_STOP; 237 cdb[4] = data; 238 return ioctl_internal_command(sdev, cdb, START_STOP_TIMEOUT, 239 NORMAL_RETRIES); 240 } 241 242 /* 243 * Check if the given command is allowed. 244 * 245 * Only a subset of commands are allowed for unprivileged users. Commands used 246 * to format the media, update the firmware, etc. are not permitted. 247 */ 248 bool scsi_cmd_allowed(unsigned char *cmd, fmode_t mode) 249 { 250 /* root can do any command. */ 251 if (capable(CAP_SYS_RAWIO)) 252 return true; 253 254 /* Anybody who can open the device can do a read-safe command */ 255 switch (cmd[0]) { 256 /* Basic read-only commands */ 257 case TEST_UNIT_READY: 258 case REQUEST_SENSE: 259 case READ_6: 260 case READ_10: 261 case READ_12: 262 case READ_16: 263 case READ_BUFFER: 264 case READ_DEFECT_DATA: 265 case READ_CAPACITY: /* also GPCMD_READ_CDVD_CAPACITY */ 266 case READ_LONG: 267 case INQUIRY: 268 case MODE_SENSE: 269 case MODE_SENSE_10: 270 case LOG_SENSE: 271 case START_STOP: 272 case GPCMD_VERIFY_10: 273 case VERIFY_16: 274 case REPORT_LUNS: 275 case SERVICE_ACTION_IN_16: 276 case RECEIVE_DIAGNOSTIC: 277 case MAINTENANCE_IN: /* also GPCMD_SEND_KEY, which is a write command */ 278 case GPCMD_READ_BUFFER_CAPACITY: 279 /* Audio CD commands */ 280 case GPCMD_PLAY_CD: 281 case GPCMD_PLAY_AUDIO_10: 282 case GPCMD_PLAY_AUDIO_MSF: 283 case GPCMD_PLAY_AUDIO_TI: 284 case GPCMD_PAUSE_RESUME: 285 /* CD/DVD data reading */ 286 case GPCMD_READ_CD: 287 case GPCMD_READ_CD_MSF: 288 case GPCMD_READ_DISC_INFO: 289 case GPCMD_READ_DVD_STRUCTURE: 290 case GPCMD_READ_HEADER: 291 case GPCMD_READ_TRACK_RZONE_INFO: 292 case GPCMD_READ_SUBCHANNEL: 293 case GPCMD_READ_TOC_PMA_ATIP: 294 case GPCMD_REPORT_KEY: 295 case GPCMD_SCAN: 296 case GPCMD_GET_CONFIGURATION: 297 case GPCMD_READ_FORMAT_CAPACITIES: 298 case GPCMD_GET_EVENT_STATUS_NOTIFICATION: 299 case GPCMD_GET_PERFORMANCE: 300 case GPCMD_SEEK: 301 case GPCMD_STOP_PLAY_SCAN: 302 /* ZBC */ 303 case ZBC_IN: 304 return true; 305 /* Basic writing commands */ 306 case WRITE_6: 307 case WRITE_10: 308 case WRITE_VERIFY: 309 case WRITE_12: 310 case WRITE_VERIFY_12: 311 case WRITE_16: 312 case WRITE_LONG: 313 case WRITE_LONG_2: 314 case WRITE_SAME: 315 case WRITE_SAME_16: 316 case WRITE_SAME_32: 317 case ERASE: 318 case GPCMD_MODE_SELECT_10: 319 case MODE_SELECT: 320 case LOG_SELECT: 321 case GPCMD_BLANK: 322 case GPCMD_CLOSE_TRACK: 323 case GPCMD_FLUSH_CACHE: 324 case GPCMD_FORMAT_UNIT: 325 case GPCMD_REPAIR_RZONE_TRACK: 326 case GPCMD_RESERVE_RZONE_TRACK: 327 case GPCMD_SEND_DVD_STRUCTURE: 328 case GPCMD_SEND_EVENT: 329 case GPCMD_SEND_OPC: 330 case GPCMD_SEND_CUE_SHEET: 331 case GPCMD_SET_SPEED: 332 case GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL: 333 case GPCMD_LOAD_UNLOAD: 334 case GPCMD_SET_STREAMING: 335 case GPCMD_SET_READ_AHEAD: 336 /* ZBC */ 337 case ZBC_OUT: 338 return (mode & FMODE_WRITE); 339 default: 340 return false; 341 } 342 } 343 EXPORT_SYMBOL(scsi_cmd_allowed); 344 345 static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq, 346 struct sg_io_hdr *hdr, fmode_t mode) 347 { 348 struct scsi_request *req = scsi_req(rq); 349 350 if (hdr->cmd_len < 6) 351 return -EMSGSIZE; 352 if (copy_from_user(req->cmd, hdr->cmdp, hdr->cmd_len)) 353 return -EFAULT; 354 if (!scsi_cmd_allowed(req->cmd, mode)) 355 return -EPERM; 356 357 /* 358 * fill in request structure 359 */ 360 req->cmd_len = hdr->cmd_len; 361 362 rq->timeout = msecs_to_jiffies(hdr->timeout); 363 if (!rq->timeout) 364 rq->timeout = sdev->sg_timeout; 365 if (!rq->timeout) 366 rq->timeout = BLK_DEFAULT_SG_TIMEOUT; 367 if (rq->timeout < BLK_MIN_SG_TIMEOUT) 368 rq->timeout = BLK_MIN_SG_TIMEOUT; 369 370 return 0; 371 } 372 373 static int scsi_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr, 374 struct bio *bio) 375 { 376 struct scsi_request *req = scsi_req(rq); 377 int r, ret = 0; 378 379 /* 380 * fill in all the output members 381 */ 382 hdr->status = req->result & 0xff; 383 hdr->masked_status = status_byte(req->result); 384 hdr->msg_status = COMMAND_COMPLETE; 385 hdr->host_status = host_byte(req->result); 386 hdr->driver_status = 0; 387 if (scsi_status_is_check_condition(hdr->status)) 388 hdr->driver_status = DRIVER_SENSE; 389 hdr->info = 0; 390 if (hdr->masked_status || hdr->host_status || hdr->driver_status) 391 hdr->info |= SG_INFO_CHECK; 392 hdr->resid = req->resid_len; 393 hdr->sb_len_wr = 0; 394 395 if (req->sense_len && hdr->sbp) { 396 int len = min((unsigned int) hdr->mx_sb_len, req->sense_len); 397 398 if (!copy_to_user(hdr->sbp, req->sense, len)) 399 hdr->sb_len_wr = len; 400 else 401 ret = -EFAULT; 402 } 403 404 r = blk_rq_unmap_user(bio); 405 if (!ret) 406 ret = r; 407 408 return ret; 409 } 410 411 static int sg_io(struct scsi_device *sdev, struct sg_io_hdr *hdr, fmode_t mode) 412 { 413 unsigned long start_time; 414 ssize_t ret = 0; 415 int writing = 0; 416 int at_head = 0; 417 struct request *rq; 418 struct scsi_request *req; 419 struct bio *bio; 420 421 if (hdr->interface_id != 'S') 422 return -EINVAL; 423 424 if (hdr->dxfer_len > (queue_max_hw_sectors(sdev->request_queue) << 9)) 425 return -EIO; 426 427 if (hdr->dxfer_len) 428 switch (hdr->dxfer_direction) { 429 default: 430 return -EINVAL; 431 case SG_DXFER_TO_DEV: 432 writing = 1; 433 break; 434 case SG_DXFER_TO_FROM_DEV: 435 case SG_DXFER_FROM_DEV: 436 break; 437 } 438 if (hdr->flags & SG_FLAG_Q_AT_HEAD) 439 at_head = 1; 440 441 ret = -ENOMEM; 442 rq = scsi_alloc_request(sdev->request_queue, writing ? 443 REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0); 444 if (IS_ERR(rq)) 445 return PTR_ERR(rq); 446 req = scsi_req(rq); 447 448 if (hdr->cmd_len > BLK_MAX_CDB) { 449 req->cmd = kzalloc(hdr->cmd_len, GFP_KERNEL); 450 if (!req->cmd) 451 goto out_put_request; 452 } 453 454 ret = scsi_fill_sghdr_rq(sdev, rq, hdr, mode); 455 if (ret < 0) 456 goto out_free_cdb; 457 458 ret = 0; 459 if (hdr->iovec_count) { 460 struct iov_iter i; 461 struct iovec *iov = NULL; 462 463 ret = import_iovec(rq_data_dir(rq), hdr->dxferp, 464 hdr->iovec_count, 0, &iov, &i); 465 if (ret < 0) 466 goto out_free_cdb; 467 468 /* SG_IO howto says that the shorter of the two wins */ 469 iov_iter_truncate(&i, hdr->dxfer_len); 470 471 ret = blk_rq_map_user_iov(rq->q, rq, NULL, &i, GFP_KERNEL); 472 kfree(iov); 473 } else if (hdr->dxfer_len) 474 ret = blk_rq_map_user(rq->q, rq, NULL, hdr->dxferp, 475 hdr->dxfer_len, GFP_KERNEL); 476 477 if (ret) 478 goto out_free_cdb; 479 480 bio = rq->bio; 481 req->retries = 0; 482 483 start_time = jiffies; 484 485 blk_execute_rq(rq, at_head); 486 487 hdr->duration = jiffies_to_msecs(jiffies - start_time); 488 489 ret = scsi_complete_sghdr_rq(rq, hdr, bio); 490 491 out_free_cdb: 492 scsi_req_free_cmd(req); 493 out_put_request: 494 blk_mq_free_request(rq); 495 return ret; 496 } 497 498 /** 499 * sg_scsi_ioctl -- handle deprecated SCSI_IOCTL_SEND_COMMAND ioctl 500 * @q: request queue to send scsi commands down 501 * @mode: mode used to open the file through which the ioctl has been 502 * submitted 503 * @sic: userspace structure describing the command to perform 504 * 505 * Send down the scsi command described by @sic to the device below 506 * the request queue @q. 507 * 508 * Notes: 509 * - This interface is deprecated - users should use the SG_IO 510 * interface instead, as this is a more flexible approach to 511 * performing SCSI commands on a device. 512 * - The SCSI command length is determined by examining the 1st byte 513 * of the given command. There is no way to override this. 514 * - Data transfers are limited to PAGE_SIZE 515 * - The length (x + y) must be at least OMAX_SB_LEN bytes long to 516 * accommodate the sense buffer when an error occurs. 517 * The sense buffer is truncated to OMAX_SB_LEN (16) bytes so that 518 * old code will not be surprised. 519 * - If a Unix error occurs (e.g. ENOMEM) then the user will receive 520 * a negative return and the Unix error code in 'errno'. 521 * If the SCSI command succeeds then 0 is returned. 522 * Positive numbers returned are the compacted SCSI error codes (4 523 * bytes in one int) where the lowest byte is the SCSI status. 524 */ 525 static int sg_scsi_ioctl(struct request_queue *q, fmode_t mode, 526 struct scsi_ioctl_command __user *sic) 527 { 528 enum { OMAX_SB_LEN = 16 }; /* For backward compatibility */ 529 struct request *rq; 530 struct scsi_request *req; 531 int err; 532 unsigned int in_len, out_len, bytes, opcode, cmdlen; 533 char *buffer = NULL; 534 535 if (!sic) 536 return -EINVAL; 537 538 /* 539 * get in an out lengths, verify they don't exceed a page worth of data 540 */ 541 if (get_user(in_len, &sic->inlen)) 542 return -EFAULT; 543 if (get_user(out_len, &sic->outlen)) 544 return -EFAULT; 545 if (in_len > PAGE_SIZE || out_len > PAGE_SIZE) 546 return -EINVAL; 547 if (get_user(opcode, sic->data)) 548 return -EFAULT; 549 550 bytes = max(in_len, out_len); 551 if (bytes) { 552 buffer = kzalloc(bytes, GFP_NOIO | GFP_USER | __GFP_NOWARN); 553 if (!buffer) 554 return -ENOMEM; 555 556 } 557 558 rq = scsi_alloc_request(q, in_len ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0); 559 if (IS_ERR(rq)) { 560 err = PTR_ERR(rq); 561 goto error_free_buffer; 562 } 563 req = scsi_req(rq); 564 565 cmdlen = COMMAND_SIZE(opcode); 566 567 /* 568 * get command and data to send to device, if any 569 */ 570 err = -EFAULT; 571 req->cmd_len = cmdlen; 572 if (copy_from_user(req->cmd, sic->data, cmdlen)) 573 goto error; 574 575 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) 576 goto error; 577 578 err = -EPERM; 579 if (!scsi_cmd_allowed(req->cmd, mode)) 580 goto error; 581 582 /* default. possible overridden later */ 583 req->retries = 5; 584 585 switch (opcode) { 586 case SEND_DIAGNOSTIC: 587 case FORMAT_UNIT: 588 rq->timeout = FORMAT_UNIT_TIMEOUT; 589 req->retries = 1; 590 break; 591 case START_STOP: 592 rq->timeout = START_STOP_TIMEOUT; 593 break; 594 case MOVE_MEDIUM: 595 rq->timeout = MOVE_MEDIUM_TIMEOUT; 596 break; 597 case READ_ELEMENT_STATUS: 598 rq->timeout = READ_ELEMENT_STATUS_TIMEOUT; 599 break; 600 case READ_DEFECT_DATA: 601 rq->timeout = READ_DEFECT_DATA_TIMEOUT; 602 req->retries = 1; 603 break; 604 default: 605 rq->timeout = BLK_DEFAULT_SG_TIMEOUT; 606 break; 607 } 608 609 if (bytes) { 610 err = blk_rq_map_kern(q, rq, buffer, bytes, GFP_NOIO); 611 if (err) 612 goto error; 613 } 614 615 blk_execute_rq(rq, false); 616 617 err = req->result & 0xff; /* only 8 bit SCSI status */ 618 if (err) { 619 if (req->sense_len && req->sense) { 620 bytes = (OMAX_SB_LEN > req->sense_len) ? 621 req->sense_len : OMAX_SB_LEN; 622 if (copy_to_user(sic->data, req->sense, bytes)) 623 err = -EFAULT; 624 } 625 } else { 626 if (copy_to_user(sic->data, buffer, out_len)) 627 err = -EFAULT; 628 } 629 630 error: 631 blk_mq_free_request(rq); 632 633 error_free_buffer: 634 kfree(buffer); 635 636 return err; 637 } 638 639 int put_sg_io_hdr(const struct sg_io_hdr *hdr, void __user *argp) 640 { 641 #ifdef CONFIG_COMPAT 642 if (in_compat_syscall()) { 643 struct compat_sg_io_hdr hdr32 = { 644 .interface_id = hdr->interface_id, 645 .dxfer_direction = hdr->dxfer_direction, 646 .cmd_len = hdr->cmd_len, 647 .mx_sb_len = hdr->mx_sb_len, 648 .iovec_count = hdr->iovec_count, 649 .dxfer_len = hdr->dxfer_len, 650 .dxferp = (uintptr_t)hdr->dxferp, 651 .cmdp = (uintptr_t)hdr->cmdp, 652 .sbp = (uintptr_t)hdr->sbp, 653 .timeout = hdr->timeout, 654 .flags = hdr->flags, 655 .pack_id = hdr->pack_id, 656 .usr_ptr = (uintptr_t)hdr->usr_ptr, 657 .status = hdr->status, 658 .masked_status = hdr->masked_status, 659 .msg_status = hdr->msg_status, 660 .sb_len_wr = hdr->sb_len_wr, 661 .host_status = hdr->host_status, 662 .driver_status = hdr->driver_status, 663 .resid = hdr->resid, 664 .duration = hdr->duration, 665 .info = hdr->info, 666 }; 667 668 if (copy_to_user(argp, &hdr32, sizeof(hdr32))) 669 return -EFAULT; 670 671 return 0; 672 } 673 #endif 674 675 if (copy_to_user(argp, hdr, sizeof(*hdr))) 676 return -EFAULT; 677 678 return 0; 679 } 680 EXPORT_SYMBOL(put_sg_io_hdr); 681 682 int get_sg_io_hdr(struct sg_io_hdr *hdr, const void __user *argp) 683 { 684 #ifdef CONFIG_COMPAT 685 struct compat_sg_io_hdr hdr32; 686 687 if (in_compat_syscall()) { 688 if (copy_from_user(&hdr32, argp, sizeof(hdr32))) 689 return -EFAULT; 690 691 *hdr = (struct sg_io_hdr) { 692 .interface_id = hdr32.interface_id, 693 .dxfer_direction = hdr32.dxfer_direction, 694 .cmd_len = hdr32.cmd_len, 695 .mx_sb_len = hdr32.mx_sb_len, 696 .iovec_count = hdr32.iovec_count, 697 .dxfer_len = hdr32.dxfer_len, 698 .dxferp = compat_ptr(hdr32.dxferp), 699 .cmdp = compat_ptr(hdr32.cmdp), 700 .sbp = compat_ptr(hdr32.sbp), 701 .timeout = hdr32.timeout, 702 .flags = hdr32.flags, 703 .pack_id = hdr32.pack_id, 704 .usr_ptr = compat_ptr(hdr32.usr_ptr), 705 .status = hdr32.status, 706 .masked_status = hdr32.masked_status, 707 .msg_status = hdr32.msg_status, 708 .sb_len_wr = hdr32.sb_len_wr, 709 .host_status = hdr32.host_status, 710 .driver_status = hdr32.driver_status, 711 .resid = hdr32.resid, 712 .duration = hdr32.duration, 713 .info = hdr32.info, 714 }; 715 716 return 0; 717 } 718 #endif 719 720 if (copy_from_user(hdr, argp, sizeof(*hdr))) 721 return -EFAULT; 722 723 return 0; 724 } 725 EXPORT_SYMBOL(get_sg_io_hdr); 726 727 #ifdef CONFIG_COMPAT 728 struct compat_cdrom_generic_command { 729 unsigned char cmd[CDROM_PACKET_SIZE]; 730 compat_caddr_t buffer; 731 compat_uint_t buflen; 732 compat_int_t stat; 733 compat_caddr_t sense; 734 unsigned char data_direction; 735 unsigned char pad[3]; 736 compat_int_t quiet; 737 compat_int_t timeout; 738 compat_caddr_t unused; 739 }; 740 #endif 741 742 static int scsi_get_cdrom_generic_arg(struct cdrom_generic_command *cgc, 743 const void __user *arg) 744 { 745 #ifdef CONFIG_COMPAT 746 if (in_compat_syscall()) { 747 struct compat_cdrom_generic_command cgc32; 748 749 if (copy_from_user(&cgc32, arg, sizeof(cgc32))) 750 return -EFAULT; 751 752 *cgc = (struct cdrom_generic_command) { 753 .buffer = compat_ptr(cgc32.buffer), 754 .buflen = cgc32.buflen, 755 .stat = cgc32.stat, 756 .sense = compat_ptr(cgc32.sense), 757 .data_direction = cgc32.data_direction, 758 .quiet = cgc32.quiet, 759 .timeout = cgc32.timeout, 760 .unused = compat_ptr(cgc32.unused), 761 }; 762 memcpy(&cgc->cmd, &cgc32.cmd, CDROM_PACKET_SIZE); 763 return 0; 764 } 765 #endif 766 if (copy_from_user(cgc, arg, sizeof(*cgc))) 767 return -EFAULT; 768 769 return 0; 770 } 771 772 static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc, 773 void __user *arg) 774 { 775 #ifdef CONFIG_COMPAT 776 if (in_compat_syscall()) { 777 struct compat_cdrom_generic_command cgc32 = { 778 .buffer = (uintptr_t)(cgc->buffer), 779 .buflen = cgc->buflen, 780 .stat = cgc->stat, 781 .sense = (uintptr_t)(cgc->sense), 782 .data_direction = cgc->data_direction, 783 .quiet = cgc->quiet, 784 .timeout = cgc->timeout, 785 .unused = (uintptr_t)(cgc->unused), 786 }; 787 memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE); 788 789 if (copy_to_user(arg, &cgc32, sizeof(cgc32))) 790 return -EFAULT; 791 792 return 0; 793 } 794 #endif 795 if (copy_to_user(arg, cgc, sizeof(*cgc))) 796 return -EFAULT; 797 798 return 0; 799 } 800 801 static int scsi_cdrom_send_packet(struct scsi_device *sdev, fmode_t mode, 802 void __user *arg) 803 { 804 struct cdrom_generic_command cgc; 805 struct sg_io_hdr hdr; 806 int err; 807 808 err = scsi_get_cdrom_generic_arg(&cgc, arg); 809 if (err) 810 return err; 811 812 cgc.timeout = clock_t_to_jiffies(cgc.timeout); 813 memset(&hdr, 0, sizeof(hdr)); 814 hdr.interface_id = 'S'; 815 hdr.cmd_len = sizeof(cgc.cmd); 816 hdr.dxfer_len = cgc.buflen; 817 switch (cgc.data_direction) { 818 case CGC_DATA_UNKNOWN: 819 hdr.dxfer_direction = SG_DXFER_UNKNOWN; 820 break; 821 case CGC_DATA_WRITE: 822 hdr.dxfer_direction = SG_DXFER_TO_DEV; 823 break; 824 case CGC_DATA_READ: 825 hdr.dxfer_direction = SG_DXFER_FROM_DEV; 826 break; 827 case CGC_DATA_NONE: 828 hdr.dxfer_direction = SG_DXFER_NONE; 829 break; 830 default: 831 return -EINVAL; 832 } 833 834 hdr.dxferp = cgc.buffer; 835 hdr.sbp = cgc.sense; 836 if (hdr.sbp) 837 hdr.mx_sb_len = sizeof(struct request_sense); 838 hdr.timeout = jiffies_to_msecs(cgc.timeout); 839 hdr.cmdp = ((struct cdrom_generic_command __user *) arg)->cmd; 840 hdr.cmd_len = sizeof(cgc.cmd); 841 842 err = sg_io(sdev, &hdr, mode); 843 if (err == -EFAULT) 844 return -EFAULT; 845 846 if (hdr.status) 847 return -EIO; 848 849 cgc.stat = err; 850 cgc.buflen = hdr.resid; 851 if (scsi_put_cdrom_generic_arg(&cgc, arg)) 852 return -EFAULT; 853 854 return err; 855 } 856 857 static int scsi_ioctl_sg_io(struct scsi_device *sdev, fmode_t mode, 858 void __user *argp) 859 { 860 struct sg_io_hdr hdr; 861 int error; 862 863 error = get_sg_io_hdr(&hdr, argp); 864 if (error) 865 return error; 866 error = sg_io(sdev, &hdr, mode); 867 if (error == -EFAULT) 868 return error; 869 if (put_sg_io_hdr(&hdr, argp)) 870 return -EFAULT; 871 return error; 872 } 873 874 /** 875 * scsi_ioctl - Dispatch ioctl to scsi device 876 * @sdev: scsi device receiving ioctl 877 * @mode: mode the block/char device is opened with 878 * @cmd: which ioctl is it 879 * @arg: data associated with ioctl 880 * 881 * Description: The scsi_ioctl() function differs from most ioctls in that it 882 * does not take a major/minor number as the dev field. Rather, it takes 883 * a pointer to a &struct scsi_device. 884 */ 885 int scsi_ioctl(struct scsi_device *sdev, fmode_t mode, int cmd, 886 void __user *arg) 887 { 888 struct request_queue *q = sdev->request_queue; 889 struct scsi_sense_hdr sense_hdr; 890 891 /* Check for deprecated ioctls ... all the ioctls which don't 892 * follow the new unique numbering scheme are deprecated */ 893 switch (cmd) { 894 case SCSI_IOCTL_SEND_COMMAND: 895 case SCSI_IOCTL_TEST_UNIT_READY: 896 case SCSI_IOCTL_BENCHMARK_COMMAND: 897 case SCSI_IOCTL_SYNC: 898 case SCSI_IOCTL_START_UNIT: 899 case SCSI_IOCTL_STOP_UNIT: 900 printk(KERN_WARNING "program %s is using a deprecated SCSI " 901 "ioctl, please convert it to SG_IO\n", current->comm); 902 break; 903 default: 904 break; 905 } 906 907 switch (cmd) { 908 case SG_GET_VERSION_NUM: 909 return sg_get_version(arg); 910 case SG_SET_TIMEOUT: 911 return sg_set_timeout(sdev, arg); 912 case SG_GET_TIMEOUT: 913 return jiffies_to_clock_t(sdev->sg_timeout); 914 case SG_GET_RESERVED_SIZE: 915 return sg_get_reserved_size(sdev, arg); 916 case SG_SET_RESERVED_SIZE: 917 return sg_set_reserved_size(sdev, arg); 918 case SG_EMULATED_HOST: 919 return sg_emulated_host(q, arg); 920 case SG_IO: 921 return scsi_ioctl_sg_io(sdev, mode, arg); 922 case SCSI_IOCTL_SEND_COMMAND: 923 return sg_scsi_ioctl(q, mode, arg); 924 case CDROM_SEND_PACKET: 925 return scsi_cdrom_send_packet(sdev, mode, arg); 926 case CDROMCLOSETRAY: 927 return scsi_send_start_stop(sdev, 3); 928 case CDROMEJECT: 929 return scsi_send_start_stop(sdev, 2); 930 case SCSI_IOCTL_GET_IDLUN: 931 return scsi_get_idlun(sdev, arg); 932 case SCSI_IOCTL_GET_BUS_NUMBER: 933 return put_user(sdev->host->host_no, (int __user *)arg); 934 case SCSI_IOCTL_PROBE_HOST: 935 return ioctl_probe(sdev->host, arg); 936 case SCSI_IOCTL_DOORLOCK: 937 return scsi_set_medium_removal(sdev, SCSI_REMOVAL_PREVENT); 938 case SCSI_IOCTL_DOORUNLOCK: 939 return scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); 940 case SCSI_IOCTL_TEST_UNIT_READY: 941 return scsi_test_unit_ready(sdev, IOCTL_NORMAL_TIMEOUT, 942 NORMAL_RETRIES, &sense_hdr); 943 case SCSI_IOCTL_START_UNIT: 944 return scsi_send_start_stop(sdev, 1); 945 case SCSI_IOCTL_STOP_UNIT: 946 return scsi_send_start_stop(sdev, 0); 947 case SCSI_IOCTL_GET_PCI: 948 return scsi_ioctl_get_pci(sdev, arg); 949 case SG_SCSI_RESET: 950 return scsi_ioctl_reset(sdev, arg); 951 } 952 953 #ifdef CONFIG_COMPAT 954 if (in_compat_syscall()) { 955 if (!sdev->host->hostt->compat_ioctl) 956 return -EINVAL; 957 return sdev->host->hostt->compat_ioctl(sdev, cmd, arg); 958 } 959 #endif 960 if (!sdev->host->hostt->ioctl) 961 return -EINVAL; 962 return sdev->host->hostt->ioctl(sdev, cmd, arg); 963 } 964 EXPORT_SYMBOL(scsi_ioctl); 965 966 /* 967 * We can process a reset even when a device isn't fully operable. 968 */ 969 int scsi_ioctl_block_when_processing_errors(struct scsi_device *sdev, int cmd, 970 bool ndelay) 971 { 972 if (cmd == SG_SCSI_RESET && ndelay) { 973 if (scsi_host_in_recovery(sdev->host)) 974 return -EAGAIN; 975 } else { 976 if (!scsi_block_when_processing_errors(sdev)) 977 return -ENODEV; 978 } 979 980 return 0; 981 } 982 EXPORT_SYMBOL_GPL(scsi_ioctl_block_when_processing_errors); 983