xref: /openbmc/linux/drivers/scsi/scsi_ioctl.c (revision f3531d1a)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Changes:
4  * Arnaldo Carvalho de Melo <acme@conectiva.com.br> 08/23/2000
5  * - get rid of some verify_areas and use __copy*user and __get/put_user
6  *   for the ones that remain
7  */
8 #include <linux/module.h>
9 #include <linux/blkdev.h>
10 #include <linux/interrupt.h>
11 #include <linux/errno.h>
12 #include <linux/kernel.h>
13 #include <linux/sched.h>
14 #include <linux/mm.h>
15 #include <linux/string.h>
16 #include <linux/uaccess.h>
17 #include <linux/cdrom.h>
18 
19 #include <scsi/scsi.h>
20 #include <scsi/scsi_cmnd.h>
21 #include <scsi/scsi_device.h>
22 #include <scsi/scsi_eh.h>
23 #include <scsi/scsi_host.h>
24 #include <scsi/scsi_ioctl.h>
25 #include <scsi/sg.h>
26 #include <scsi/scsi_dbg.h>
27 
28 #include "scsi_logging.h"
29 
30 #define NORMAL_RETRIES			5
31 #define IOCTL_NORMAL_TIMEOUT			(10 * HZ)
32 
33 #define MAX_BUF PAGE_SIZE
34 
35 /**
36  * ioctl_probe  --  return host identification
37  * @host:	host to identify
38  * @buffer:	userspace buffer for identification
39  *
40  * Return an identifying string at @buffer, if @buffer is non-NULL, filling
41  * to the length stored at * (int *) @buffer.
42  */
43 static int ioctl_probe(struct Scsi_Host *host, void __user *buffer)
44 {
45 	unsigned int len, slen;
46 	const char *string;
47 
48 	if (buffer) {
49 		if (get_user(len, (unsigned int __user *) buffer))
50 			return -EFAULT;
51 
52 		if (host->hostt->info)
53 			string = host->hostt->info(host);
54 		else
55 			string = host->hostt->name;
56 		if (string) {
57 			slen = strlen(string);
58 			if (len > slen)
59 				len = slen + 1;
60 			if (copy_to_user(buffer, string, len))
61 				return -EFAULT;
62 		}
63 	}
64 	return 1;
65 }
66 
67 static int ioctl_internal_command(struct scsi_device *sdev, char *cmd,
68 				  int timeout, int retries)
69 {
70 	int result;
71 	struct scsi_sense_hdr sshdr;
72 
73 	SCSI_LOG_IOCTL(1, sdev_printk(KERN_INFO, sdev,
74 				      "Trying ioctl with scsi command %d\n", *cmd));
75 
76 	result = scsi_execute_req(sdev, cmd, DMA_NONE, NULL, 0,
77 				  &sshdr, timeout, retries, NULL);
78 
79 	SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev,
80 				      "Ioctl returned  0x%x\n", result));
81 
82 	if (result < 0)
83 		goto out;
84 	if (scsi_sense_valid(&sshdr)) {
85 		switch (sshdr.sense_key) {
86 		case ILLEGAL_REQUEST:
87 			if (cmd[0] == ALLOW_MEDIUM_REMOVAL)
88 				sdev->lockable = 0;
89 			else
90 				sdev_printk(KERN_INFO, sdev,
91 					    "ioctl_internal_command: "
92 					    "ILLEGAL REQUEST "
93 					    "asc=0x%x ascq=0x%x\n",
94 					    sshdr.asc, sshdr.ascq);
95 			break;
96 		case NOT_READY:	/* This happens if there is no disc in drive */
97 			if (sdev->removable)
98 				break;
99 			fallthrough;
100 		case UNIT_ATTENTION:
101 			if (sdev->removable) {
102 				sdev->changed = 1;
103 				result = 0;	/* This is no longer considered an error */
104 				break;
105 			}
106 			fallthrough;	/* for non-removable media */
107 		default:
108 			sdev_printk(KERN_INFO, sdev,
109 				    "ioctl_internal_command return code = %x\n",
110 				    result);
111 			scsi_print_sense_hdr(sdev, NULL, &sshdr);
112 			break;
113 		}
114 	}
115 out:
116 	SCSI_LOG_IOCTL(2, sdev_printk(KERN_INFO, sdev,
117 				      "IOCTL Releasing command\n"));
118 	return result;
119 }
120 
121 int scsi_set_medium_removal(struct scsi_device *sdev, char state)
122 {
123 	char scsi_cmd[MAX_COMMAND_SIZE];
124 	int ret;
125 
126 	if (!sdev->removable || !sdev->lockable)
127 	       return 0;
128 
129 	scsi_cmd[0] = ALLOW_MEDIUM_REMOVAL;
130 	scsi_cmd[1] = 0;
131 	scsi_cmd[2] = 0;
132 	scsi_cmd[3] = 0;
133 	scsi_cmd[4] = state;
134 	scsi_cmd[5] = 0;
135 
136 	ret = ioctl_internal_command(sdev, scsi_cmd,
137 			IOCTL_NORMAL_TIMEOUT, NORMAL_RETRIES);
138 	if (ret == 0)
139 		sdev->locked = (state == SCSI_REMOVAL_PREVENT);
140 	return ret;
141 }
142 EXPORT_SYMBOL(scsi_set_medium_removal);
143 
144 /*
145  * The scsi_ioctl_get_pci() function places into arg the value
146  * pci_dev::slot_name (8 characters) for the PCI device (if any).
147  * Returns: 0 on success
148  *          -ENXIO if there isn't a PCI device pointer
149  *                 (could be because the SCSI driver hasn't been
150  *                  updated yet, or because it isn't a SCSI
151  *                  device)
152  *          any copy_to_user() error on failure there
153  */
154 static int scsi_ioctl_get_pci(struct scsi_device *sdev, void __user *arg)
155 {
156 	struct device *dev = scsi_get_device(sdev->host);
157 	const char *name;
158 
159         if (!dev)
160 		return -ENXIO;
161 
162 	name = dev_name(dev);
163 
164 	/* compatibility with old ioctl which only returned
165 	 * 20 characters */
166         return copy_to_user(arg, name, min(strlen(name), (size_t)20))
167 		? -EFAULT: 0;
168 }
169 
170 static int sg_get_version(int __user *p)
171 {
172 	static const int sg_version_num = 30527;
173 	return put_user(sg_version_num, p);
174 }
175 
176 static int sg_set_timeout(struct scsi_device *sdev, int __user *p)
177 {
178 	int timeout, err = get_user(timeout, p);
179 
180 	if (!err)
181 		sdev->sg_timeout = clock_t_to_jiffies(timeout);
182 
183 	return err;
184 }
185 
186 static int sg_get_reserved_size(struct scsi_device *sdev, int __user *p)
187 {
188 	int val = min(sdev->sg_reserved_size,
189 		      queue_max_bytes(sdev->request_queue));
190 
191 	return put_user(val, p);
192 }
193 
194 static int sg_set_reserved_size(struct scsi_device *sdev, int __user *p)
195 {
196 	int size, err = get_user(size, p);
197 
198 	if (err)
199 		return err;
200 
201 	if (size < 0)
202 		return -EINVAL;
203 
204 	sdev->sg_reserved_size = min_t(unsigned int, size,
205 				       queue_max_bytes(sdev->request_queue));
206 	return 0;
207 }
208 
209 /*
210  * will always return that we are ATAPI even for a real SCSI drive, I'm not
211  * so sure this is worth doing anything about (why would you care??)
212  */
213 static int sg_emulated_host(struct request_queue *q, int __user *p)
214 {
215 	return put_user(1, p);
216 }
217 
218 static int scsi_get_idlun(struct scsi_device *sdev, void __user *argp)
219 {
220 	struct scsi_idlun v = {
221 		.dev_id = (sdev->id & 0xff) +
222 			((sdev->lun & 0xff) << 8) +
223 			((sdev->channel & 0xff) << 16) +
224 			((sdev->host->host_no & 0xff) << 24),
225 		.host_unique_id = sdev->host->unique_id
226 	};
227 	if (copy_to_user(argp, &v, sizeof(struct scsi_idlun)))
228 		return -EFAULT;
229 	return 0;
230 }
231 
232 static int scsi_send_start_stop(struct scsi_device *sdev, int data)
233 {
234 	u8 cdb[MAX_COMMAND_SIZE] = { };
235 
236 	cdb[0] = START_STOP;
237 	cdb[4] = data;
238 	return ioctl_internal_command(sdev, cdb, START_STOP_TIMEOUT,
239 				      NORMAL_RETRIES);
240 }
241 
242 /*
243  * Check if the given command is allowed.
244  *
245  * Only a subset of commands are allowed for unprivileged users. Commands used
246  * to format the media, update the firmware, etc. are not permitted.
247  */
248 bool scsi_cmd_allowed(unsigned char *cmd, fmode_t mode)
249 {
250 	/* root can do any command. */
251 	if (capable(CAP_SYS_RAWIO))
252 		return true;
253 
254 	/* Anybody who can open the device can do a read-safe command */
255 	switch (cmd[0]) {
256 	/* Basic read-only commands */
257 	case TEST_UNIT_READY:
258 	case REQUEST_SENSE:
259 	case READ_6:
260 	case READ_10:
261 	case READ_12:
262 	case READ_16:
263 	case READ_BUFFER:
264 	case READ_DEFECT_DATA:
265 	case READ_CAPACITY: /* also GPCMD_READ_CDVD_CAPACITY */
266 	case READ_LONG:
267 	case INQUIRY:
268 	case MODE_SENSE:
269 	case MODE_SENSE_10:
270 	case LOG_SENSE:
271 	case START_STOP:
272 	case GPCMD_VERIFY_10:
273 	case VERIFY_16:
274 	case REPORT_LUNS:
275 	case SERVICE_ACTION_IN_16:
276 	case RECEIVE_DIAGNOSTIC:
277 	case MAINTENANCE_IN: /* also GPCMD_SEND_KEY, which is a write command */
278 	case GPCMD_READ_BUFFER_CAPACITY:
279 	/* Audio CD commands */
280 	case GPCMD_PLAY_CD:
281 	case GPCMD_PLAY_AUDIO_10:
282 	case GPCMD_PLAY_AUDIO_MSF:
283 	case GPCMD_PLAY_AUDIO_TI:
284 	case GPCMD_PAUSE_RESUME:
285 	/* CD/DVD data reading */
286 	case GPCMD_READ_CD:
287 	case GPCMD_READ_CD_MSF:
288 	case GPCMD_READ_DISC_INFO:
289 	case GPCMD_READ_DVD_STRUCTURE:
290 	case GPCMD_READ_HEADER:
291 	case GPCMD_READ_TRACK_RZONE_INFO:
292 	case GPCMD_READ_SUBCHANNEL:
293 	case GPCMD_READ_TOC_PMA_ATIP:
294 	case GPCMD_REPORT_KEY:
295 	case GPCMD_SCAN:
296 	case GPCMD_GET_CONFIGURATION:
297 	case GPCMD_READ_FORMAT_CAPACITIES:
298 	case GPCMD_GET_EVENT_STATUS_NOTIFICATION:
299 	case GPCMD_GET_PERFORMANCE:
300 	case GPCMD_SEEK:
301 	case GPCMD_STOP_PLAY_SCAN:
302 	/* ZBC */
303 	case ZBC_IN:
304 		return true;
305 	/* Basic writing commands */
306 	case WRITE_6:
307 	case WRITE_10:
308 	case WRITE_VERIFY:
309 	case WRITE_12:
310 	case WRITE_VERIFY_12:
311 	case WRITE_16:
312 	case WRITE_LONG:
313 	case WRITE_LONG_2:
314 	case WRITE_SAME:
315 	case WRITE_SAME_16:
316 	case WRITE_SAME_32:
317 	case ERASE:
318 	case GPCMD_MODE_SELECT_10:
319 	case MODE_SELECT:
320 	case LOG_SELECT:
321 	case GPCMD_BLANK:
322 	case GPCMD_CLOSE_TRACK:
323 	case GPCMD_FLUSH_CACHE:
324 	case GPCMD_FORMAT_UNIT:
325 	case GPCMD_REPAIR_RZONE_TRACK:
326 	case GPCMD_RESERVE_RZONE_TRACK:
327 	case GPCMD_SEND_DVD_STRUCTURE:
328 	case GPCMD_SEND_EVENT:
329 	case GPCMD_SEND_OPC:
330 	case GPCMD_SEND_CUE_SHEET:
331 	case GPCMD_SET_SPEED:
332 	case GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL:
333 	case GPCMD_LOAD_UNLOAD:
334 	case GPCMD_SET_STREAMING:
335 	case GPCMD_SET_READ_AHEAD:
336 	/* ZBC */
337 	case ZBC_OUT:
338 		return (mode & FMODE_WRITE);
339 	default:
340 		return false;
341 	}
342 }
343 EXPORT_SYMBOL(scsi_cmd_allowed);
344 
345 static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq,
346 		struct sg_io_hdr *hdr, fmode_t mode)
347 {
348 	struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq);
349 
350 	if (hdr->cmd_len < 6)
351 		return -EMSGSIZE;
352 	if (copy_from_user(scmd->cmnd, hdr->cmdp, hdr->cmd_len))
353 		return -EFAULT;
354 	if (!scsi_cmd_allowed(scmd->cmnd, mode))
355 		return -EPERM;
356 	scmd->cmd_len = hdr->cmd_len;
357 
358 	rq->timeout = msecs_to_jiffies(hdr->timeout);
359 	if (!rq->timeout)
360 		rq->timeout = sdev->sg_timeout;
361 	if (!rq->timeout)
362 		rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
363 	if (rq->timeout < BLK_MIN_SG_TIMEOUT)
364 		rq->timeout = BLK_MIN_SG_TIMEOUT;
365 
366 	return 0;
367 }
368 
369 static int scsi_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
370 		struct bio *bio)
371 {
372 	struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq);
373 	int r, ret = 0;
374 
375 	/*
376 	 * fill in all the output members
377 	 */
378 	hdr->status = scmd->result & 0xff;
379 	hdr->masked_status = sg_status_byte(scmd->result);
380 	hdr->msg_status = COMMAND_COMPLETE;
381 	hdr->host_status = host_byte(scmd->result);
382 	hdr->driver_status = 0;
383 	if (scsi_status_is_check_condition(hdr->status))
384 		hdr->driver_status = DRIVER_SENSE;
385 	hdr->info = 0;
386 	if (hdr->masked_status || hdr->host_status || hdr->driver_status)
387 		hdr->info |= SG_INFO_CHECK;
388 	hdr->resid = scmd->resid_len;
389 	hdr->sb_len_wr = 0;
390 
391 	if (scmd->sense_len && hdr->sbp) {
392 		int len = min((unsigned int) hdr->mx_sb_len, scmd->sense_len);
393 
394 		if (!copy_to_user(hdr->sbp, scmd->sense_buffer, len))
395 			hdr->sb_len_wr = len;
396 		else
397 			ret = -EFAULT;
398 	}
399 
400 	r = blk_rq_unmap_user(bio);
401 	if (!ret)
402 		ret = r;
403 
404 	return ret;
405 }
406 
407 static int sg_io(struct scsi_device *sdev, struct sg_io_hdr *hdr, fmode_t mode)
408 {
409 	unsigned long start_time;
410 	ssize_t ret = 0;
411 	int writing = 0;
412 	int at_head = 0;
413 	struct request *rq;
414 	struct scsi_cmnd *scmd;
415 	struct bio *bio;
416 
417 	if (hdr->interface_id != 'S')
418 		return -EINVAL;
419 
420 	if (hdr->dxfer_len > (queue_max_hw_sectors(sdev->request_queue) << 9))
421 		return -EIO;
422 
423 	if (hdr->dxfer_len)
424 		switch (hdr->dxfer_direction) {
425 		default:
426 			return -EINVAL;
427 		case SG_DXFER_TO_DEV:
428 			writing = 1;
429 			break;
430 		case SG_DXFER_TO_FROM_DEV:
431 		case SG_DXFER_FROM_DEV:
432 			break;
433 		}
434 	if (hdr->flags & SG_FLAG_Q_AT_HEAD)
435 		at_head = 1;
436 
437 	rq = scsi_alloc_request(sdev->request_queue, writing ?
438 			     REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0);
439 	if (IS_ERR(rq))
440 		return PTR_ERR(rq);
441 	scmd = blk_mq_rq_to_pdu(rq);
442 
443 	if (hdr->cmd_len > sizeof(scmd->cmnd)) {
444 		ret = -EINVAL;
445 		goto out_put_request;
446 	}
447 
448 	ret = scsi_fill_sghdr_rq(sdev, rq, hdr, mode);
449 	if (ret < 0)
450 		goto out_put_request;
451 
452 	ret = blk_rq_map_user_io(rq, NULL, hdr->dxferp, hdr->dxfer_len,
453 			GFP_KERNEL, hdr->iovec_count && hdr->dxfer_len,
454 			hdr->iovec_count, 0, rq_data_dir(rq));
455 	if (ret)
456 		goto out_put_request;
457 
458 	bio = rq->bio;
459 	scmd->allowed = 0;
460 
461 	start_time = jiffies;
462 
463 	blk_execute_rq(rq, at_head);
464 
465 	hdr->duration = jiffies_to_msecs(jiffies - start_time);
466 
467 	ret = scsi_complete_sghdr_rq(rq, hdr, bio);
468 
469 out_put_request:
470 	blk_mq_free_request(rq);
471 	return ret;
472 }
473 
474 /**
475  * sg_scsi_ioctl  --  handle deprecated SCSI_IOCTL_SEND_COMMAND ioctl
476  * @q:		request queue to send scsi commands down
477  * @mode:	mode used to open the file through which the ioctl has been
478  *		submitted
479  * @sic:	userspace structure describing the command to perform
480  *
481  * Send down the scsi command described by @sic to the device below
482  * the request queue @q.
483  *
484  * Notes:
485  *   -  This interface is deprecated - users should use the SG_IO
486  *      interface instead, as this is a more flexible approach to
487  *      performing SCSI commands on a device.
488  *   -  The SCSI command length is determined by examining the 1st byte
489  *      of the given command. There is no way to override this.
490  *   -  Data transfers are limited to PAGE_SIZE
491  *   -  The length (x + y) must be at least OMAX_SB_LEN bytes long to
492  *      accommodate the sense buffer when an error occurs.
493  *      The sense buffer is truncated to OMAX_SB_LEN (16) bytes so that
494  *      old code will not be surprised.
495  *   -  If a Unix error occurs (e.g. ENOMEM) then the user will receive
496  *      a negative return and the Unix error code in 'errno'.
497  *      If the SCSI command succeeds then 0 is returned.
498  *      Positive numbers returned are the compacted SCSI error codes (4
499  *      bytes in one int) where the lowest byte is the SCSI status.
500  */
501 static int sg_scsi_ioctl(struct request_queue *q, fmode_t mode,
502 		struct scsi_ioctl_command __user *sic)
503 {
504 	struct request *rq;
505 	int err;
506 	unsigned int in_len, out_len, bytes, opcode, cmdlen;
507 	struct scsi_cmnd *scmd;
508 	char *buffer = NULL;
509 
510 	if (!sic)
511 		return -EINVAL;
512 
513 	/*
514 	 * get in an out lengths, verify they don't exceed a page worth of data
515 	 */
516 	if (get_user(in_len, &sic->inlen))
517 		return -EFAULT;
518 	if (get_user(out_len, &sic->outlen))
519 		return -EFAULT;
520 	if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
521 		return -EINVAL;
522 	if (get_user(opcode, &sic->data[0]))
523 		return -EFAULT;
524 
525 	bytes = max(in_len, out_len);
526 	if (bytes) {
527 		buffer = kzalloc(bytes, GFP_NOIO | GFP_USER | __GFP_NOWARN);
528 		if (!buffer)
529 			return -ENOMEM;
530 
531 	}
532 
533 	rq = scsi_alloc_request(q, in_len ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0);
534 	if (IS_ERR(rq)) {
535 		err = PTR_ERR(rq);
536 		goto error_free_buffer;
537 	}
538 	scmd = blk_mq_rq_to_pdu(rq);
539 
540 	cmdlen = COMMAND_SIZE(opcode);
541 
542 	/*
543 	 * get command and data to send to device, if any
544 	 */
545 	err = -EFAULT;
546 	scmd->cmd_len = cmdlen;
547 	if (copy_from_user(scmd->cmnd, sic->data, cmdlen))
548 		goto error;
549 
550 	if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
551 		goto error;
552 
553 	err = -EPERM;
554 	if (!scsi_cmd_allowed(scmd->cmnd, mode))
555 		goto error;
556 
557 	/* default.  possible overridden later */
558 	scmd->allowed = 5;
559 
560 	switch (opcode) {
561 	case SEND_DIAGNOSTIC:
562 	case FORMAT_UNIT:
563 		rq->timeout = FORMAT_UNIT_TIMEOUT;
564 		scmd->allowed = 1;
565 		break;
566 	case START_STOP:
567 		rq->timeout = START_STOP_TIMEOUT;
568 		break;
569 	case MOVE_MEDIUM:
570 		rq->timeout = MOVE_MEDIUM_TIMEOUT;
571 		break;
572 	case READ_ELEMENT_STATUS:
573 		rq->timeout = READ_ELEMENT_STATUS_TIMEOUT;
574 		break;
575 	case READ_DEFECT_DATA:
576 		rq->timeout = READ_DEFECT_DATA_TIMEOUT;
577 		scmd->allowed = 1;
578 		break;
579 	default:
580 		rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
581 		break;
582 	}
583 
584 	if (bytes) {
585 		err = blk_rq_map_kern(q, rq, buffer, bytes, GFP_NOIO);
586 		if (err)
587 			goto error;
588 	}
589 
590 	blk_execute_rq(rq, false);
591 
592 	err = scmd->result & 0xff;	/* only 8 bit SCSI status */
593 	if (err) {
594 		if (scmd->sense_len && scmd->sense_buffer) {
595 			/* limit sense len for backward compatibility */
596 			if (copy_to_user(sic->data, scmd->sense_buffer,
597 					 min(scmd->sense_len, 16U)))
598 				err = -EFAULT;
599 		}
600 	} else {
601 		if (copy_to_user(sic->data, buffer, out_len))
602 			err = -EFAULT;
603 	}
604 
605 error:
606 	blk_mq_free_request(rq);
607 
608 error_free_buffer:
609 	kfree(buffer);
610 
611 	return err;
612 }
613 
614 int put_sg_io_hdr(const struct sg_io_hdr *hdr, void __user *argp)
615 {
616 #ifdef CONFIG_COMPAT
617 	if (in_compat_syscall()) {
618 		struct compat_sg_io_hdr hdr32 =  {
619 			.interface_id	 = hdr->interface_id,
620 			.dxfer_direction = hdr->dxfer_direction,
621 			.cmd_len	 = hdr->cmd_len,
622 			.mx_sb_len	 = hdr->mx_sb_len,
623 			.iovec_count	 = hdr->iovec_count,
624 			.dxfer_len	 = hdr->dxfer_len,
625 			.dxferp		 = (uintptr_t)hdr->dxferp,
626 			.cmdp		 = (uintptr_t)hdr->cmdp,
627 			.sbp		 = (uintptr_t)hdr->sbp,
628 			.timeout	 = hdr->timeout,
629 			.flags		 = hdr->flags,
630 			.pack_id	 = hdr->pack_id,
631 			.usr_ptr	 = (uintptr_t)hdr->usr_ptr,
632 			.status		 = hdr->status,
633 			.masked_status	 = hdr->masked_status,
634 			.msg_status	 = hdr->msg_status,
635 			.sb_len_wr	 = hdr->sb_len_wr,
636 			.host_status	 = hdr->host_status,
637 			.driver_status	 = hdr->driver_status,
638 			.resid		 = hdr->resid,
639 			.duration	 = hdr->duration,
640 			.info		 = hdr->info,
641 		};
642 
643 		if (copy_to_user(argp, &hdr32, sizeof(hdr32)))
644 			return -EFAULT;
645 
646 		return 0;
647 	}
648 #endif
649 
650 	if (copy_to_user(argp, hdr, sizeof(*hdr)))
651 		return -EFAULT;
652 
653 	return 0;
654 }
655 EXPORT_SYMBOL(put_sg_io_hdr);
656 
657 int get_sg_io_hdr(struct sg_io_hdr *hdr, const void __user *argp)
658 {
659 #ifdef CONFIG_COMPAT
660 	struct compat_sg_io_hdr hdr32;
661 
662 	if (in_compat_syscall()) {
663 		if (copy_from_user(&hdr32, argp, sizeof(hdr32)))
664 			return -EFAULT;
665 
666 		*hdr = (struct sg_io_hdr) {
667 			.interface_id	 = hdr32.interface_id,
668 			.dxfer_direction = hdr32.dxfer_direction,
669 			.cmd_len	 = hdr32.cmd_len,
670 			.mx_sb_len	 = hdr32.mx_sb_len,
671 			.iovec_count	 = hdr32.iovec_count,
672 			.dxfer_len	 = hdr32.dxfer_len,
673 			.dxferp		 = compat_ptr(hdr32.dxferp),
674 			.cmdp		 = compat_ptr(hdr32.cmdp),
675 			.sbp		 = compat_ptr(hdr32.sbp),
676 			.timeout	 = hdr32.timeout,
677 			.flags		 = hdr32.flags,
678 			.pack_id	 = hdr32.pack_id,
679 			.usr_ptr	 = compat_ptr(hdr32.usr_ptr),
680 			.status		 = hdr32.status,
681 			.masked_status	 = hdr32.masked_status,
682 			.msg_status	 = hdr32.msg_status,
683 			.sb_len_wr	 = hdr32.sb_len_wr,
684 			.host_status	 = hdr32.host_status,
685 			.driver_status	 = hdr32.driver_status,
686 			.resid		 = hdr32.resid,
687 			.duration	 = hdr32.duration,
688 			.info		 = hdr32.info,
689 		};
690 
691 		return 0;
692 	}
693 #endif
694 
695 	if (copy_from_user(hdr, argp, sizeof(*hdr)))
696 		return -EFAULT;
697 
698 	return 0;
699 }
700 EXPORT_SYMBOL(get_sg_io_hdr);
701 
702 #ifdef CONFIG_COMPAT
703 struct compat_cdrom_generic_command {
704 	unsigned char	cmd[CDROM_PACKET_SIZE];
705 	compat_caddr_t	buffer;
706 	compat_uint_t	buflen;
707 	compat_int_t	stat;
708 	compat_caddr_t	sense;
709 	unsigned char	data_direction;
710 	unsigned char	pad[3];
711 	compat_int_t	quiet;
712 	compat_int_t	timeout;
713 	compat_caddr_t	unused;
714 };
715 #endif
716 
717 static int scsi_get_cdrom_generic_arg(struct cdrom_generic_command *cgc,
718 				      const void __user *arg)
719 {
720 #ifdef CONFIG_COMPAT
721 	if (in_compat_syscall()) {
722 		struct compat_cdrom_generic_command cgc32;
723 
724 		if (copy_from_user(&cgc32, arg, sizeof(cgc32)))
725 			return -EFAULT;
726 
727 		*cgc = (struct cdrom_generic_command) {
728 			.buffer		= compat_ptr(cgc32.buffer),
729 			.buflen		= cgc32.buflen,
730 			.stat		= cgc32.stat,
731 			.sense		= compat_ptr(cgc32.sense),
732 			.data_direction	= cgc32.data_direction,
733 			.quiet		= cgc32.quiet,
734 			.timeout	= cgc32.timeout,
735 			.unused		= compat_ptr(cgc32.unused),
736 		};
737 		memcpy(&cgc->cmd, &cgc32.cmd, CDROM_PACKET_SIZE);
738 		return 0;
739 	}
740 #endif
741 	if (copy_from_user(cgc, arg, sizeof(*cgc)))
742 		return -EFAULT;
743 
744 	return 0;
745 }
746 
747 static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc,
748 				      void __user *arg)
749 {
750 #ifdef CONFIG_COMPAT
751 	if (in_compat_syscall()) {
752 		struct compat_cdrom_generic_command cgc32 = {
753 			.buffer		= (uintptr_t)(cgc->buffer),
754 			.buflen		= cgc->buflen,
755 			.stat		= cgc->stat,
756 			.sense		= (uintptr_t)(cgc->sense),
757 			.data_direction	= cgc->data_direction,
758 			.quiet		= cgc->quiet,
759 			.timeout	= cgc->timeout,
760 			.unused		= (uintptr_t)(cgc->unused),
761 		};
762 		memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);
763 
764 		if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
765 			return -EFAULT;
766 
767 		return 0;
768 	}
769 #endif
770 	if (copy_to_user(arg, cgc, sizeof(*cgc)))
771 		return -EFAULT;
772 
773 	return 0;
774 }
775 
776 static int scsi_cdrom_send_packet(struct scsi_device *sdev, fmode_t mode,
777 		void __user *arg)
778 {
779 	struct cdrom_generic_command cgc;
780 	struct sg_io_hdr hdr;
781 	int err;
782 
783 	err = scsi_get_cdrom_generic_arg(&cgc, arg);
784 	if (err)
785 		return err;
786 
787 	cgc.timeout = clock_t_to_jiffies(cgc.timeout);
788 	memset(&hdr, 0, sizeof(hdr));
789 	hdr.interface_id = 'S';
790 	hdr.cmd_len = sizeof(cgc.cmd);
791 	hdr.dxfer_len = cgc.buflen;
792 	switch (cgc.data_direction) {
793 	case CGC_DATA_UNKNOWN:
794 		hdr.dxfer_direction = SG_DXFER_UNKNOWN;
795 		break;
796 	case CGC_DATA_WRITE:
797 		hdr.dxfer_direction = SG_DXFER_TO_DEV;
798 		break;
799 	case CGC_DATA_READ:
800 		hdr.dxfer_direction = SG_DXFER_FROM_DEV;
801 		break;
802 	case CGC_DATA_NONE:
803 		hdr.dxfer_direction = SG_DXFER_NONE;
804 		break;
805 	default:
806 		return -EINVAL;
807 	}
808 
809 	hdr.dxferp = cgc.buffer;
810 	hdr.sbp = cgc.sense;
811 	if (hdr.sbp)
812 		hdr.mx_sb_len = sizeof(struct request_sense);
813 	hdr.timeout = jiffies_to_msecs(cgc.timeout);
814 	hdr.cmdp = ((struct cdrom_generic_command __user *) arg)->cmd;
815 	hdr.cmd_len = sizeof(cgc.cmd);
816 
817 	err = sg_io(sdev, &hdr, mode);
818 	if (err == -EFAULT)
819 		return -EFAULT;
820 
821 	if (hdr.status)
822 		return -EIO;
823 
824 	cgc.stat = err;
825 	cgc.buflen = hdr.resid;
826 	if (scsi_put_cdrom_generic_arg(&cgc, arg))
827 		return -EFAULT;
828 
829 	return err;
830 }
831 
832 static int scsi_ioctl_sg_io(struct scsi_device *sdev, fmode_t mode,
833 		void __user *argp)
834 {
835 	struct sg_io_hdr hdr;
836 	int error;
837 
838 	error = get_sg_io_hdr(&hdr, argp);
839 	if (error)
840 		return error;
841 	error = sg_io(sdev, &hdr, mode);
842 	if (error == -EFAULT)
843 		return error;
844 	if (put_sg_io_hdr(&hdr, argp))
845 		return -EFAULT;
846 	return error;
847 }
848 
849 /**
850  * scsi_ioctl - Dispatch ioctl to scsi device
851  * @sdev: scsi device receiving ioctl
852  * @mode: mode the block/char device is opened with
853  * @cmd: which ioctl is it
854  * @arg: data associated with ioctl
855  *
856  * Description: The scsi_ioctl() function differs from most ioctls in that it
857  * does not take a major/minor number as the dev field.  Rather, it takes
858  * a pointer to a &struct scsi_device.
859  */
860 int scsi_ioctl(struct scsi_device *sdev, fmode_t mode, int cmd,
861 		void __user *arg)
862 {
863 	struct request_queue *q = sdev->request_queue;
864 	struct scsi_sense_hdr sense_hdr;
865 
866 	/* Check for deprecated ioctls ... all the ioctls which don't
867 	 * follow the new unique numbering scheme are deprecated */
868 	switch (cmd) {
869 	case SCSI_IOCTL_SEND_COMMAND:
870 	case SCSI_IOCTL_TEST_UNIT_READY:
871 	case SCSI_IOCTL_BENCHMARK_COMMAND:
872 	case SCSI_IOCTL_SYNC:
873 	case SCSI_IOCTL_START_UNIT:
874 	case SCSI_IOCTL_STOP_UNIT:
875 		printk(KERN_WARNING "program %s is using a deprecated SCSI "
876 		       "ioctl, please convert it to SG_IO\n", current->comm);
877 		break;
878 	default:
879 		break;
880 	}
881 
882 	switch (cmd) {
883 	case SG_GET_VERSION_NUM:
884 		return sg_get_version(arg);
885 	case SG_SET_TIMEOUT:
886 		return sg_set_timeout(sdev, arg);
887 	case SG_GET_TIMEOUT:
888 		return jiffies_to_clock_t(sdev->sg_timeout);
889 	case SG_GET_RESERVED_SIZE:
890 		return sg_get_reserved_size(sdev, arg);
891 	case SG_SET_RESERVED_SIZE:
892 		return sg_set_reserved_size(sdev, arg);
893 	case SG_EMULATED_HOST:
894 		return sg_emulated_host(q, arg);
895 	case SG_IO:
896 		return scsi_ioctl_sg_io(sdev, mode, arg);
897 	case SCSI_IOCTL_SEND_COMMAND:
898 		return sg_scsi_ioctl(q, mode, arg);
899 	case CDROM_SEND_PACKET:
900 		return scsi_cdrom_send_packet(sdev, mode, arg);
901 	case CDROMCLOSETRAY:
902 		return scsi_send_start_stop(sdev, 3);
903 	case CDROMEJECT:
904 		return scsi_send_start_stop(sdev, 2);
905 	case SCSI_IOCTL_GET_IDLUN:
906 		return scsi_get_idlun(sdev, arg);
907 	case SCSI_IOCTL_GET_BUS_NUMBER:
908 		return put_user(sdev->host->host_no, (int __user *)arg);
909 	case SCSI_IOCTL_PROBE_HOST:
910 		return ioctl_probe(sdev->host, arg);
911 	case SCSI_IOCTL_DOORLOCK:
912 		return scsi_set_medium_removal(sdev, SCSI_REMOVAL_PREVENT);
913 	case SCSI_IOCTL_DOORUNLOCK:
914 		return scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW);
915 	case SCSI_IOCTL_TEST_UNIT_READY:
916 		return scsi_test_unit_ready(sdev, IOCTL_NORMAL_TIMEOUT,
917 					    NORMAL_RETRIES, &sense_hdr);
918 	case SCSI_IOCTL_START_UNIT:
919 		return scsi_send_start_stop(sdev, 1);
920 	case SCSI_IOCTL_STOP_UNIT:
921 		return scsi_send_start_stop(sdev, 0);
922         case SCSI_IOCTL_GET_PCI:
923                 return scsi_ioctl_get_pci(sdev, arg);
924 	case SG_SCSI_RESET:
925 		return scsi_ioctl_reset(sdev, arg);
926 	}
927 
928 #ifdef CONFIG_COMPAT
929 	if (in_compat_syscall()) {
930 		if (!sdev->host->hostt->compat_ioctl)
931 			return -EINVAL;
932 		return sdev->host->hostt->compat_ioctl(sdev, cmd, arg);
933 	}
934 #endif
935 	if (!sdev->host->hostt->ioctl)
936 		return -EINVAL;
937 	return sdev->host->hostt->ioctl(sdev, cmd, arg);
938 }
939 EXPORT_SYMBOL(scsi_ioctl);
940 
941 /*
942  * We can process a reset even when a device isn't fully operable.
943  */
944 int scsi_ioctl_block_when_processing_errors(struct scsi_device *sdev, int cmd,
945 		bool ndelay)
946 {
947 	if (cmd == SG_SCSI_RESET && ndelay) {
948 		if (scsi_host_in_recovery(sdev->host))
949 			return -EAGAIN;
950 	} else {
951 		if (!scsi_block_when_processing_errors(sdev))
952 			return -ENODEV;
953 	}
954 
955 	return 0;
956 }
957 EXPORT_SYMBOL_GPL(scsi_ioctl_block_when_processing_errors);
958