1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19#include <linux/kernel.h>
20#include <linux/errno.h>
21#include <linux/string.h>
22#include <linux/module.h>
23#include <linux/blkdev.h>
24#include <linux/capability.h>
25#include <linux/completion.h>
26#include <linux/cdrom.h>
27#include <linux/slab.h>
28#include <linux/times.h>
29#include <asm/uaccess.h>
30
31#include <scsi/scsi.h>
32#include <scsi/scsi_ioctl.h>
33#include <scsi/scsi_cmnd.h>
34
35struct blk_cmd_filter {
36 unsigned long read_ok[BLK_SCSI_CMD_PER_LONG];
37 unsigned long write_ok[BLK_SCSI_CMD_PER_LONG];
38};
39
40static struct blk_cmd_filter blk_default_cmd_filter;
41
42
43const unsigned char scsi_command_size_tbl[8] =
44{
45 6, 10, 10, 12,
46 16, 12, 10, 10
47};
48EXPORT_SYMBOL(scsi_command_size_tbl);
49
50#include <scsi/sg.h>
51
52static int sg_get_version(int __user *p)
53{
54 static const int sg_version_num = 30527;
55 return put_user(sg_version_num, p);
56}
57
58static int scsi_get_idlun(struct request_queue *q, int __user *p)
59{
60 return put_user(0, p);
61}
62
63static int scsi_get_bus(struct request_queue *q, int __user *p)
64{
65 return put_user(0, p);
66}
67
68static int sg_get_timeout(struct request_queue *q)
69{
70 return jiffies_to_clock_t(q->sg_timeout);
71}
72
73static int sg_set_timeout(struct request_queue *q, int __user *p)
74{
75 int timeout, err = get_user(timeout, p);
76
77 if (!err)
78 q->sg_timeout = clock_t_to_jiffies(timeout);
79
80 return err;
81}
82
83static int sg_get_reserved_size(struct request_queue *q, int __user *p)
84{
85 unsigned val = min(q->sg_reserved_size, queue_max_sectors(q) << 9);
86
87 return put_user(val, p);
88}
89
90static int sg_set_reserved_size(struct request_queue *q, int __user *p)
91{
92 int size, err = get_user(size, p);
93
94 if (err)
95 return err;
96
97 if (size < 0)
98 return -EINVAL;
99 if (size > (queue_max_sectors(q) << 9))
100 size = queue_max_sectors(q) << 9;
101
102 q->sg_reserved_size = size;
103 return 0;
104}
105
106
107
108
109
110static int sg_emulated_host(struct request_queue *q, int __user *p)
111{
112 return put_user(1, p);
113}
114
115static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
116{
117
118 __set_bit(TEST_UNIT_READY, filter->read_ok);
119 __set_bit(REQUEST_SENSE, filter->read_ok);
120 __set_bit(READ_6, filter->read_ok);
121 __set_bit(READ_10, filter->read_ok);
122 __set_bit(READ_12, filter->read_ok);
123 __set_bit(READ_16, filter->read_ok);
124 __set_bit(READ_BUFFER, filter->read_ok);
125 __set_bit(READ_DEFECT_DATA, filter->read_ok);
126 __set_bit(READ_CAPACITY, filter->read_ok);
127 __set_bit(READ_LONG, filter->read_ok);
128 __set_bit(INQUIRY, filter->read_ok);
129 __set_bit(MODE_SENSE, filter->read_ok);
130 __set_bit(MODE_SENSE_10, filter->read_ok);
131 __set_bit(LOG_SENSE, filter->read_ok);
132 __set_bit(START_STOP, filter->read_ok);
133 __set_bit(GPCMD_VERIFY_10, filter->read_ok);
134 __set_bit(VERIFY_16, filter->read_ok);
135 __set_bit(REPORT_LUNS, filter->read_ok);
136 __set_bit(SERVICE_ACTION_IN, filter->read_ok);
137 __set_bit(RECEIVE_DIAGNOSTIC, filter->read_ok);
138 __set_bit(MAINTENANCE_IN, filter->read_ok);
139 __set_bit(GPCMD_READ_BUFFER_CAPACITY, filter->read_ok);
140
141
142 __set_bit(GPCMD_PLAY_CD, filter->read_ok);
143 __set_bit(GPCMD_PLAY_AUDIO_10, filter->read_ok);
144 __set_bit(GPCMD_PLAY_AUDIO_MSF, filter->read_ok);
145 __set_bit(GPCMD_PLAY_AUDIO_TI, filter->read_ok);
146 __set_bit(GPCMD_PAUSE_RESUME, filter->read_ok);
147
148
149 __set_bit(GPCMD_READ_CD, filter->read_ok);
150 __set_bit(GPCMD_READ_CD_MSF, filter->read_ok);
151 __set_bit(GPCMD_READ_DISC_INFO, filter->read_ok);
152 __set_bit(GPCMD_READ_CDVD_CAPACITY, filter->read_ok);
153 __set_bit(GPCMD_READ_DVD_STRUCTURE, filter->read_ok);
154 __set_bit(GPCMD_READ_HEADER, filter->read_ok);
155 __set_bit(GPCMD_READ_TRACK_RZONE_INFO, filter->read_ok);
156 __set_bit(GPCMD_READ_SUBCHANNEL, filter->read_ok);
157 __set_bit(GPCMD_READ_TOC_PMA_ATIP, filter->read_ok);
158 __set_bit(GPCMD_REPORT_KEY, filter->read_ok);
159 __set_bit(GPCMD_SCAN, filter->read_ok);
160 __set_bit(GPCMD_GET_CONFIGURATION, filter->read_ok);
161 __set_bit(GPCMD_READ_FORMAT_CAPACITIES, filter->read_ok);
162 __set_bit(GPCMD_GET_EVENT_STATUS_NOTIFICATION, filter->read_ok);
163 __set_bit(GPCMD_GET_PERFORMANCE, filter->read_ok);
164 __set_bit(GPCMD_SEEK, filter->read_ok);
165 __set_bit(GPCMD_STOP_PLAY_SCAN, filter->read_ok);
166
167
168 __set_bit(WRITE_6, filter->write_ok);
169 __set_bit(WRITE_10, filter->write_ok);
170 __set_bit(WRITE_VERIFY, filter->write_ok);
171 __set_bit(WRITE_12, filter->write_ok);
172 __set_bit(WRITE_VERIFY_12, filter->write_ok);
173 __set_bit(WRITE_16, filter->write_ok);
174 __set_bit(WRITE_LONG, filter->write_ok);
175 __set_bit(WRITE_LONG_2, filter->write_ok);
176 __set_bit(ERASE, filter->write_ok);
177 __set_bit(GPCMD_MODE_SELECT_10, filter->write_ok);
178 __set_bit(MODE_SELECT, filter->write_ok);
179 __set_bit(LOG_SELECT, filter->write_ok);
180 __set_bit(GPCMD_BLANK, filter->write_ok);
181 __set_bit(GPCMD_CLOSE_TRACK, filter->write_ok);
182 __set_bit(GPCMD_FLUSH_CACHE, filter->write_ok);
183 __set_bit(GPCMD_FORMAT_UNIT, filter->write_ok);
184 __set_bit(GPCMD_REPAIR_RZONE_TRACK, filter->write_ok);
185 __set_bit(GPCMD_RESERVE_RZONE_TRACK, filter->write_ok);
186 __set_bit(GPCMD_SEND_DVD_STRUCTURE, filter->write_ok);
187 __set_bit(GPCMD_SEND_EVENT, filter->write_ok);
188 __set_bit(GPCMD_SEND_KEY, filter->write_ok);
189 __set_bit(GPCMD_SEND_OPC, filter->write_ok);
190 __set_bit(GPCMD_SEND_CUE_SHEET, filter->write_ok);
191 __set_bit(GPCMD_SET_SPEED, filter->write_ok);
192 __set_bit(GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL, filter->write_ok);
193 __set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
194 __set_bit(GPCMD_SET_STREAMING, filter->write_ok);
195 __set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
196}
197
198int blk_verify_command(unsigned char *cmd, fmode_t has_write_perm)
199{
200 struct blk_cmd_filter *filter = &blk_default_cmd_filter;
201
202
203 if (capable(CAP_SYS_RAWIO))
204 return 0;
205
206
207 if (!filter)
208 return -EPERM;
209
210
211 if (test_bit(cmd[0], filter->read_ok))
212 return 0;
213
214
215 if (test_bit(cmd[0], filter->write_ok) && has_write_perm)
216 return 0;
217
218 return -EPERM;
219}
220EXPORT_SYMBOL(blk_verify_command);
221
222static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
223 struct sg_io_hdr *hdr, fmode_t mode)
224{
225 if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
226 return -EFAULT;
227 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
228 return -EPERM;
229
230
231
232
233 rq->cmd_len = hdr->cmd_len;
234 rq->cmd_type = REQ_TYPE_BLOCK_PC;
235
236 rq->timeout = msecs_to_jiffies(hdr->timeout);
237 if (!rq->timeout)
238 rq->timeout = q->sg_timeout;
239 if (!rq->timeout)
240 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
241 if (rq->timeout < BLK_MIN_SG_TIMEOUT)
242 rq->timeout = BLK_MIN_SG_TIMEOUT;
243
244 return 0;
245}
246
247static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
248 struct bio *bio)
249{
250 int r, ret = 0;
251
252
253
254
255 hdr->status = rq->errors & 0xff;
256 hdr->masked_status = status_byte(rq->errors);
257 hdr->msg_status = msg_byte(rq->errors);
258 hdr->host_status = host_byte(rq->errors);
259 hdr->driver_status = driver_byte(rq->errors);
260 hdr->info = 0;
261 if (hdr->masked_status || hdr->host_status || hdr->driver_status)
262 hdr->info |= SG_INFO_CHECK;
263 hdr->resid = rq->resid_len;
264 hdr->sb_len_wr = 0;
265
266 if (rq->sense_len && hdr->sbp) {
267 int len = min((unsigned int) hdr->mx_sb_len, rq->sense_len);
268
269 if (!copy_to_user(hdr->sbp, rq->sense, len))
270 hdr->sb_len_wr = len;
271 else
272 ret = -EFAULT;
273 }
274
275 r = blk_rq_unmap_user(bio);
276 if (!ret)
277 ret = r;
278 blk_put_request(rq);
279
280 return ret;
281}
282
283static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
284 struct sg_io_hdr *hdr, fmode_t mode)
285{
286 unsigned long start_time;
287 int writing = 0, ret = 0;
288 struct request *rq;
289 char sense[SCSI_SENSE_BUFFERSIZE];
290 struct bio *bio;
291
292 if (hdr->interface_id != 'S')
293 return -EINVAL;
294 if (hdr->cmd_len > BLK_MAX_CDB)
295 return -EINVAL;
296
297 if (hdr->dxfer_len > (queue_max_hw_sectors(q) << 9))
298 return -EIO;
299
300 if (hdr->dxfer_len)
301 switch (hdr->dxfer_direction) {
302 default:
303 return -EINVAL;
304 case SG_DXFER_TO_DEV:
305 writing = 1;
306 break;
307 case SG_DXFER_TO_FROM_DEV:
308 case SG_DXFER_FROM_DEV:
309 break;
310 }
311
312 rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
313 if (!rq)
314 return -ENOMEM;
315
316 if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
317 blk_put_request(rq);
318 return -EFAULT;
319 }
320
321 if (hdr->iovec_count) {
322 const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
323 size_t iov_data_len;
324 struct sg_iovec *iov;
325
326 iov = kmalloc(size, GFP_KERNEL);
327 if (!iov) {
328 ret = -ENOMEM;
329 goto out;
330 }
331
332 if (copy_from_user(iov, hdr->dxferp, size)) {
333 kfree(iov);
334 ret = -EFAULT;
335 goto out;
336 }
337
338
339 iov_data_len = iov_length((struct iovec *)iov,
340 hdr->iovec_count);
341 if (hdr->dxfer_len < iov_data_len) {
342 hdr->iovec_count = iov_shorten((struct iovec *)iov,
343 hdr->iovec_count,
344 hdr->dxfer_len);
345 iov_data_len = hdr->dxfer_len;
346 }
347
348 ret = blk_rq_map_user_iov(q, rq, NULL, iov, hdr->iovec_count,
349 iov_data_len, GFP_KERNEL);
350 kfree(iov);
351 } else if (hdr->dxfer_len)
352 ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
353 GFP_KERNEL);
354
355 if (ret)
356 goto out;
357
358 bio = rq->bio;
359 memset(sense, 0, sizeof(sense));
360 rq->sense = sense;
361 rq->sense_len = 0;
362 rq->retries = 0;
363
364 start_time = jiffies;
365
366
367
368
369
370 blk_execute_rq(q, bd_disk, rq, 0);
371
372 hdr->duration = jiffies_to_msecs(jiffies - start_time);
373
374 return blk_complete_sghdr_rq(rq, hdr, bio);
375out:
376 blk_put_request(rq);
377 return ret;
378}
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413#define OMAX_SB_LEN 16
414int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
415 struct scsi_ioctl_command __user *sic)
416{
417 struct request *rq;
418 int err;
419 unsigned int in_len, out_len, bytes, opcode, cmdlen;
420 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
421
422 if (!sic)
423 return -EINVAL;
424
425
426
427
428 if (get_user(in_len, &sic->inlen))
429 return -EFAULT;
430 if (get_user(out_len, &sic->outlen))
431 return -EFAULT;
432 if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
433 return -EINVAL;
434 if (get_user(opcode, sic->data))
435 return -EFAULT;
436
437 bytes = max(in_len, out_len);
438 if (bytes) {
439 buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);
440 if (!buffer)
441 return -ENOMEM;
442
443 }
444
445 rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
446
447 cmdlen = COMMAND_SIZE(opcode);
448
449
450
451
452 err = -EFAULT;
453 rq->cmd_len = cmdlen;
454 if (copy_from_user(rq->cmd, sic->data, cmdlen))
455 goto error;
456
457 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
458 goto error;
459
460 err = blk_verify_command(rq->cmd, mode & FMODE_WRITE);
461 if (err)
462 goto error;
463
464
465 rq->retries = 5;
466
467 switch (opcode) {
468 case SEND_DIAGNOSTIC:
469 case FORMAT_UNIT:
470 rq->timeout = FORMAT_UNIT_TIMEOUT;
471 rq->retries = 1;
472 break;
473 case START_STOP:
474 rq->timeout = START_STOP_TIMEOUT;
475 break;
476 case MOVE_MEDIUM:
477 rq->timeout = MOVE_MEDIUM_TIMEOUT;
478 break;
479 case READ_ELEMENT_STATUS:
480 rq->timeout = READ_ELEMENT_STATUS_TIMEOUT;
481 break;
482 case READ_DEFECT_DATA:
483 rq->timeout = READ_DEFECT_DATA_TIMEOUT;
484 rq->retries = 1;
485 break;
486 default:
487 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
488 break;
489 }
490
491 if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
492 err = DRIVER_ERROR << 24;
493 goto out;
494 }
495
496 memset(sense, 0, sizeof(sense));
497 rq->sense = sense;
498 rq->sense_len = 0;
499 rq->cmd_type = REQ_TYPE_BLOCK_PC;
500
501 blk_execute_rq(q, disk, rq, 0);
502
503out:
504 err = rq->errors & 0xff;
505 if (err) {
506 if (rq->sense_len && rq->sense) {
507 bytes = (OMAX_SB_LEN > rq->sense_len) ?
508 rq->sense_len : OMAX_SB_LEN;
509 if (copy_to_user(sic->data, rq->sense, bytes))
510 err = -EFAULT;
511 }
512 } else {
513 if (copy_to_user(sic->data, buffer, out_len))
514 err = -EFAULT;
515 }
516
517error:
518 kfree(buffer);
519 blk_put_request(rq);
520 return err;
521}
522EXPORT_SYMBOL_GPL(sg_scsi_ioctl);
523
524
525static int __blk_send_generic(struct request_queue *q, struct gendisk *bd_disk,
526 int cmd, int data)
527{
528 struct request *rq;
529 int err;
530
531 rq = blk_get_request(q, WRITE, __GFP_WAIT);
532 rq->cmd_type = REQ_TYPE_BLOCK_PC;
533 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
534 rq->cmd[0] = cmd;
535 rq->cmd[4] = data;
536 rq->cmd_len = 6;
537 err = blk_execute_rq(q, bd_disk, rq, 0);
538 blk_put_request(rq);
539
540 return err;
541}
542
543static inline int blk_send_start_stop(struct request_queue *q,
544 struct gendisk *bd_disk, int data)
545{
546 return __blk_send_generic(q, bd_disk, GPCMD_START_STOP_UNIT, data);
547}
548
549int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mode,
550 unsigned int cmd, void __user *arg)
551{
552 int err;
553
554 if (!q || blk_get_queue(q))
555 return -ENXIO;
556
557 switch (cmd) {
558
559
560
561 case SG_GET_VERSION_NUM:
562 err = sg_get_version(arg);
563 break;
564 case SCSI_IOCTL_GET_IDLUN:
565 err = scsi_get_idlun(q, arg);
566 break;
567 case SCSI_IOCTL_GET_BUS_NUMBER:
568 err = scsi_get_bus(q, arg);
569 break;
570 case SG_SET_TIMEOUT:
571 err = sg_set_timeout(q, arg);
572 break;
573 case SG_GET_TIMEOUT:
574 err = sg_get_timeout(q);
575 break;
576 case SG_GET_RESERVED_SIZE:
577 err = sg_get_reserved_size(q, arg);
578 break;
579 case SG_SET_RESERVED_SIZE:
580 err = sg_set_reserved_size(q, arg);
581 break;
582 case SG_EMULATED_HOST:
583 err = sg_emulated_host(q, arg);
584 break;
585 case SG_IO: {
586 struct sg_io_hdr hdr;
587
588 err = -EFAULT;
589 if (copy_from_user(&hdr, arg, sizeof(hdr)))
590 break;
591 err = sg_io(q, bd_disk, &hdr, mode);
592 if (err == -EFAULT)
593 break;
594
595 if (copy_to_user(arg, &hdr, sizeof(hdr)))
596 err = -EFAULT;
597 break;
598 }
599 case CDROM_SEND_PACKET: {
600 struct cdrom_generic_command cgc;
601 struct sg_io_hdr hdr;
602
603 err = -EFAULT;
604 if (copy_from_user(&cgc, arg, sizeof(cgc)))
605 break;
606 cgc.timeout = clock_t_to_jiffies(cgc.timeout);
607 memset(&hdr, 0, sizeof(hdr));
608 hdr.interface_id = 'S';
609 hdr.cmd_len = sizeof(cgc.cmd);
610 hdr.dxfer_len = cgc.buflen;
611 err = 0;
612 switch (cgc.data_direction) {
613 case CGC_DATA_UNKNOWN:
614 hdr.dxfer_direction = SG_DXFER_UNKNOWN;
615 break;
616 case CGC_DATA_WRITE:
617 hdr.dxfer_direction = SG_DXFER_TO_DEV;
618 break;
619 case CGC_DATA_READ:
620 hdr.dxfer_direction = SG_DXFER_FROM_DEV;
621 break;
622 case CGC_DATA_NONE:
623 hdr.dxfer_direction = SG_DXFER_NONE;
624 break;
625 default:
626 err = -EINVAL;
627 }
628 if (err)
629 break;
630
631 hdr.dxferp = cgc.buffer;
632 hdr.sbp = cgc.sense;
633 if (hdr.sbp)
634 hdr.mx_sb_len = sizeof(struct request_sense);
635 hdr.timeout = jiffies_to_msecs(cgc.timeout);
636 hdr.cmdp = ((struct cdrom_generic_command __user*) arg)->cmd;
637 hdr.cmd_len = sizeof(cgc.cmd);
638
639 err = sg_io(q, bd_disk, &hdr, mode);
640 if (err == -EFAULT)
641 break;
642
643 if (hdr.status)
644 err = -EIO;
645
646 cgc.stat = err;
647 cgc.buflen = hdr.resid;
648 if (copy_to_user(arg, &cgc, sizeof(cgc)))
649 err = -EFAULT;
650
651 break;
652 }
653
654
655
656
657 case SCSI_IOCTL_SEND_COMMAND:
658 printk(KERN_WARNING "program %s is using a deprecated SCSI ioctl, please convert it to SG_IO\n", current->comm);
659 err = -EINVAL;
660 if (!arg)
661 break;
662
663 err = sg_scsi_ioctl(q, bd_disk, mode, arg);
664 break;
665 case CDROMCLOSETRAY:
666 err = blk_send_start_stop(q, bd_disk, 0x03);
667 break;
668 case CDROMEJECT:
669 err = blk_send_start_stop(q, bd_disk, 0x02);
670 break;
671 default:
672 err = -ENOTTY;
673 }
674
675 blk_put_queue(q);
676 return err;
677}
678EXPORT_SYMBOL(scsi_cmd_ioctl);
679
680static int __init blk_scsi_ioctl_init(void)
681{
682 blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
683 return 0;
684}
685fs_initcall(blk_scsi_ioctl_init);
686
