1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19#include <linux/kernel.h>
20#include <linux/errno.h>
21#include <linux/string.h>
22#include <linux/module.h>
23#include <linux/blkdev.h>
24#include <linux/capability.h>
25#include <linux/completion.h>
26#include <linux/cdrom.h>
27#include <linux/slab.h>
28#include <linux/times.h>
29#include <asm/uaccess.h>
30
31#include <scsi/scsi.h>
32#include <scsi/scsi_ioctl.h>
33#include <scsi/scsi_cmnd.h>
34
35struct blk_cmd_filter {
36 unsigned long read_ok[BLK_SCSI_CMD_PER_LONG];
37 unsigned long write_ok[BLK_SCSI_CMD_PER_LONG];
38};
39
40static struct blk_cmd_filter blk_default_cmd_filter;
41
42
43const unsigned char scsi_command_size_tbl[8] =
44{
45 6, 10, 10, 12,
46 16, 12, 10, 10
47};
48EXPORT_SYMBOL(scsi_command_size_tbl);
49
50#include <scsi/sg.h>
51
52static int sg_get_version(int __user *p)
53{
54 static const int sg_version_num = 30527;
55 return put_user(sg_version_num, p);
56}
57
58static int scsi_get_idlun(struct request_queue *q, int __user *p)
59{
60 return put_user(0, p);
61}
62
63static int scsi_get_bus(struct request_queue *q, int __user *p)
64{
65 return put_user(0, p);
66}
67
68static int sg_get_timeout(struct request_queue *q)
69{
70 return jiffies_to_clock_t(q->sg_timeout);
71}
72
73static int sg_set_timeout(struct request_queue *q, int __user *p)
74{
75 int timeout, err = get_user(timeout, p);
76
77 if (!err)
78 q->sg_timeout = clock_t_to_jiffies(timeout);
79
80 return err;
81}
82
83static int sg_get_reserved_size(struct request_queue *q, int __user *p)
84{
85 unsigned val = min(q->sg_reserved_size, queue_max_sectors(q) << 9);
86
87 return put_user(val, p);
88}
89
90static int sg_set_reserved_size(struct request_queue *q, int __user *p)
91{
92 int size, err = get_user(size, p);
93
94 if (err)
95 return err;
96
97 if (size < 0)
98 return -EINVAL;
99 if (size > (queue_max_sectors(q) << 9))
100 size = queue_max_sectors(q) << 9;
101
102 q->sg_reserved_size = size;
103 return 0;
104}
105
106
107
108
109
110static int sg_emulated_host(struct request_queue *q, int __user *p)
111{
112 return put_user(1, p);
113}
114
115static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
116{
117
118 __set_bit(TEST_UNIT_READY, filter->read_ok);
119 __set_bit(REQUEST_SENSE, filter->read_ok);
120 __set_bit(READ_6, filter->read_ok);
121 __set_bit(READ_10, filter->read_ok);
122 __set_bit(READ_12, filter->read_ok);
123 __set_bit(READ_16, filter->read_ok);
124 __set_bit(READ_BUFFER, filter->read_ok);
125 __set_bit(READ_DEFECT_DATA, filter->read_ok);
126 __set_bit(READ_CAPACITY, filter->read_ok);
127 __set_bit(READ_LONG, filter->read_ok);
128 __set_bit(INQUIRY, filter->read_ok);
129 __set_bit(MODE_SENSE, filter->read_ok);
130 __set_bit(MODE_SENSE_10, filter->read_ok);
131 __set_bit(LOG_SENSE, filter->read_ok);
132 __set_bit(START_STOP, filter->read_ok);
133 __set_bit(GPCMD_VERIFY_10, filter->read_ok);
134 __set_bit(VERIFY_16, filter->read_ok);
135 __set_bit(REPORT_LUNS, filter->read_ok);
136 __set_bit(SERVICE_ACTION_IN, filter->read_ok);
137 __set_bit(RECEIVE_DIAGNOSTIC, filter->read_ok);
138 __set_bit(MAINTENANCE_IN, filter->read_ok);
139 __set_bit(GPCMD_READ_BUFFER_CAPACITY, filter->read_ok);
140
141
142 __set_bit(GPCMD_PLAY_CD, filter->read_ok);
143 __set_bit(GPCMD_PLAY_AUDIO_10, filter->read_ok);
144 __set_bit(GPCMD_PLAY_AUDIO_MSF, filter->read_ok);
145 __set_bit(GPCMD_PLAY_AUDIO_TI, filter->read_ok);
146 __set_bit(GPCMD_PAUSE_RESUME, filter->read_ok);
147
148
149 __set_bit(GPCMD_READ_CD, filter->read_ok);
150 __set_bit(GPCMD_READ_CD_MSF, filter->read_ok);
151 __set_bit(GPCMD_READ_DISC_INFO, filter->read_ok);
152 __set_bit(GPCMD_READ_CDVD_CAPACITY, filter->read_ok);
153 __set_bit(GPCMD_READ_DVD_STRUCTURE, filter->read_ok);
154 __set_bit(GPCMD_READ_HEADER, filter->read_ok);
155 __set_bit(GPCMD_READ_TRACK_RZONE_INFO, filter->read_ok);
156 __set_bit(GPCMD_READ_SUBCHANNEL, filter->read_ok);
157 __set_bit(GPCMD_READ_TOC_PMA_ATIP, filter->read_ok);
158 __set_bit(GPCMD_REPORT_KEY, filter->read_ok);
159 __set_bit(GPCMD_SCAN, filter->read_ok);
160 __set_bit(GPCMD_GET_CONFIGURATION, filter->read_ok);
161 __set_bit(GPCMD_READ_FORMAT_CAPACITIES, filter->read_ok);
162 __set_bit(GPCMD_GET_EVENT_STATUS_NOTIFICATION, filter->read_ok);
163 __set_bit(GPCMD_GET_PERFORMANCE, filter->read_ok);
164 __set_bit(GPCMD_SEEK, filter->read_ok);
165 __set_bit(GPCMD_STOP_PLAY_SCAN, filter->read_ok);
166
167
168 __set_bit(WRITE_6, filter->write_ok);
169 __set_bit(WRITE_10, filter->write_ok);
170 __set_bit(WRITE_VERIFY, filter->write_ok);
171 __set_bit(WRITE_12, filter->write_ok);
172 __set_bit(WRITE_VERIFY_12, filter->write_ok);
173 __set_bit(WRITE_16, filter->write_ok);
174 __set_bit(WRITE_LONG, filter->write_ok);
175 __set_bit(WRITE_LONG_2, filter->write_ok);
176 __set_bit(ERASE, filter->write_ok);
177 __set_bit(GPCMD_MODE_SELECT_10, filter->write_ok);
178 __set_bit(MODE_SELECT, filter->write_ok);
179 __set_bit(LOG_SELECT, filter->write_ok);
180 __set_bit(GPCMD_BLANK, filter->write_ok);
181 __set_bit(GPCMD_CLOSE_TRACK, filter->write_ok);
182 __set_bit(GPCMD_FLUSH_CACHE, filter->write_ok);
183 __set_bit(GPCMD_FORMAT_UNIT, filter->write_ok);
184 __set_bit(GPCMD_REPAIR_RZONE_TRACK, filter->write_ok);
185 __set_bit(GPCMD_RESERVE_RZONE_TRACK, filter->write_ok);
186 __set_bit(GPCMD_SEND_DVD_STRUCTURE, filter->write_ok);
187 __set_bit(GPCMD_SEND_EVENT, filter->write_ok);
188 __set_bit(GPCMD_SEND_KEY, filter->write_ok);
189 __set_bit(GPCMD_SEND_OPC, filter->write_ok);
190 __set_bit(GPCMD_SEND_CUE_SHEET, filter->write_ok);
191 __set_bit(GPCMD_SET_SPEED, filter->write_ok);
192 __set_bit(GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL, filter->write_ok);
193 __set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
194 __set_bit(GPCMD_SET_STREAMING, filter->write_ok);
195 __set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
196}
197
198int blk_verify_command(unsigned char *cmd, fmode_t has_write_perm)
199{
200 struct blk_cmd_filter *filter = &blk_default_cmd_filter;
201
202
203 if (capable(CAP_SYS_RAWIO))
204 return 0;
205
206
207 if (!filter)
208 return -EPERM;
209
210
211 if (test_bit(cmd[0], filter->read_ok))
212 return 0;
213
214
215 if (test_bit(cmd[0], filter->write_ok) && has_write_perm)
216 return 0;
217
218 return -EPERM;
219}
220EXPORT_SYMBOL(blk_verify_command);
221
222static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
223 struct sg_io_hdr *hdr, fmode_t mode)
224{
225 if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
226 return -EFAULT;
227 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
228 return -EPERM;
229
230
231
232
233 rq->cmd_len = hdr->cmd_len;
234 rq->cmd_type = REQ_TYPE_BLOCK_PC;
235
236 rq->timeout = msecs_to_jiffies(hdr->timeout);
237 if (!rq->timeout)
238 rq->timeout = q->sg_timeout;
239 if (!rq->timeout)
240 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
241 if (rq->timeout < BLK_MIN_SG_TIMEOUT)
242 rq->timeout = BLK_MIN_SG_TIMEOUT;
243
244 return 0;
245}
246
247static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
248 struct bio *bio)
249{
250 int r, ret = 0;
251
252
253
254
255 hdr->status = rq->errors & 0xff;
256 hdr->masked_status = status_byte(rq->errors);
257 hdr->msg_status = msg_byte(rq->errors);
258 hdr->host_status = host_byte(rq->errors);
259 hdr->driver_status = driver_byte(rq->errors);
260 hdr->info = 0;
261 if (hdr->masked_status || hdr->host_status || hdr->driver_status)
262 hdr->info |= SG_INFO_CHECK;
263 hdr->resid = rq->resid_len;
264 hdr->sb_len_wr = 0;
265
266 if (rq->sense_len && hdr->sbp) {
267 int len = min((unsigned int) hdr->mx_sb_len, rq->sense_len);
268
269 if (!copy_to_user(hdr->sbp, rq->sense, len))
270 hdr->sb_len_wr = len;
271 else
272 ret = -EFAULT;
273 }
274
275 r = blk_rq_unmap_user(bio);
276 if (!ret)
277 ret = r;
278 blk_put_request(rq);
279
280 return ret;
281}
282
283static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
284 struct sg_io_hdr *hdr, fmode_t mode)
285{
286 unsigned long start_time;
287 int writing = 0, ret = 0;
288 struct request *rq;
289 char sense[SCSI_SENSE_BUFFERSIZE];
290 struct bio *bio;
291
292 if (hdr->interface_id != 'S')
293 return -EINVAL;
294 if (hdr->cmd_len > BLK_MAX_CDB)
295 return -EINVAL;
296
297 if (hdr->dxfer_len > (queue_max_hw_sectors(q) << 9))
298 return -EIO;
299
300 if (hdr->dxfer_len)
301 switch (hdr->dxfer_direction) {
302 default:
303 return -EINVAL;
304 case SG_DXFER_TO_DEV:
305 writing = 1;
306 break;
307 case SG_DXFER_TO_FROM_DEV:
308 case SG_DXFER_FROM_DEV:
309 break;
310 }
311
312 rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
313 if (!rq)
314 return -ENOMEM;
315
316 if (blk_fill_sghdr_rq(q, rq, hdr, mode)) {
317 blk_put_request(rq);
318 return -EFAULT;
319 }
320
321 if (hdr->iovec_count) {
322 const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
323 size_t iov_data_len;
324 struct sg_iovec *sg_iov;
325 struct iovec *iov;
326 int i;
327
328 sg_iov = kmalloc(size, GFP_KERNEL);
329 if (!sg_iov) {
330 ret = -ENOMEM;
331 goto out;
332 }
333
334 if (copy_from_user(sg_iov, hdr->dxferp, size)) {
335 kfree(sg_iov);
336 ret = -EFAULT;
337 goto out;
338 }
339
340
341
342
343 iov = (struct iovec *) sg_iov;
344 iov_data_len = 0;
345 for (i = 0; i < hdr->iovec_count; i++) {
346 if (iov_data_len + iov[i].iov_len < iov_data_len) {
347 kfree(sg_iov);
348 ret = -EINVAL;
349 goto out;
350 }
351 iov_data_len += iov[i].iov_len;
352 }
353
354
355 if (hdr->dxfer_len < iov_data_len) {
356 hdr->iovec_count = iov_shorten(iov,
357 hdr->iovec_count,
358 hdr->dxfer_len);
359 iov_data_len = hdr->dxfer_len;
360 }
361
362 ret = blk_rq_map_user_iov(q, rq, NULL, sg_iov, hdr->iovec_count,
363 iov_data_len, GFP_KERNEL);
364 kfree(sg_iov);
365 } else if (hdr->dxfer_len)
366 ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
367 GFP_KERNEL);
368
369 if (ret)
370 goto out;
371
372 bio = rq->bio;
373 memset(sense, 0, sizeof(sense));
374 rq->sense = sense;
375 rq->sense_len = 0;
376 rq->retries = 0;
377
378 start_time = jiffies;
379
380
381
382
383
384 blk_execute_rq(q, bd_disk, rq, 0);
385
386 hdr->duration = jiffies_to_msecs(jiffies - start_time);
387
388 return blk_complete_sghdr_rq(rq, hdr, bio);
389out:
390 blk_put_request(rq);
391 return ret;
392}
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427#define OMAX_SB_LEN 16
428int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
429 struct scsi_ioctl_command __user *sic)
430{
431 struct request *rq;
432 int err;
433 unsigned int in_len, out_len, bytes, opcode, cmdlen;
434 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
435
436 if (!sic)
437 return -EINVAL;
438
439
440
441
442 if (get_user(in_len, &sic->inlen))
443 return -EFAULT;
444 if (get_user(out_len, &sic->outlen))
445 return -EFAULT;
446 if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
447 return -EINVAL;
448 if (get_user(opcode, sic->data))
449 return -EFAULT;
450
451 bytes = max(in_len, out_len);
452 if (bytes) {
453 buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);
454 if (!buffer)
455 return -ENOMEM;
456
457 }
458
459 rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
460
461 cmdlen = COMMAND_SIZE(opcode);
462
463
464
465
466 err = -EFAULT;
467 rq->cmd_len = cmdlen;
468 if (copy_from_user(rq->cmd, sic->data, cmdlen))
469 goto error;
470
471 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
472 goto error;
473
474 err = blk_verify_command(rq->cmd, mode & FMODE_WRITE);
475 if (err)
476 goto error;
477
478
479 rq->retries = 5;
480
481 switch (opcode) {
482 case SEND_DIAGNOSTIC:
483 case FORMAT_UNIT:
484 rq->timeout = FORMAT_UNIT_TIMEOUT;
485 rq->retries = 1;
486 break;
487 case START_STOP:
488 rq->timeout = START_STOP_TIMEOUT;
489 break;
490 case MOVE_MEDIUM:
491 rq->timeout = MOVE_MEDIUM_TIMEOUT;
492 break;
493 case READ_ELEMENT_STATUS:
494 rq->timeout = READ_ELEMENT_STATUS_TIMEOUT;
495 break;
496 case READ_DEFECT_DATA:
497 rq->timeout = READ_DEFECT_DATA_TIMEOUT;
498 rq->retries = 1;
499 break;
500 default:
501 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
502 break;
503 }
504
505 if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
506 err = DRIVER_ERROR << 24;
507 goto out;
508 }
509
510 memset(sense, 0, sizeof(sense));
511 rq->sense = sense;
512 rq->sense_len = 0;
513 rq->cmd_type = REQ_TYPE_BLOCK_PC;
514
515 blk_execute_rq(q, disk, rq, 0);
516
517out:
518 err = rq->errors & 0xff;
519 if (err) {
520 if (rq->sense_len && rq->sense) {
521 bytes = (OMAX_SB_LEN > rq->sense_len) ?
522 rq->sense_len : OMAX_SB_LEN;
523 if (copy_to_user(sic->data, rq->sense, bytes))
524 err = -EFAULT;
525 }
526 } else {
527 if (copy_to_user(sic->data, buffer, out_len))
528 err = -EFAULT;
529 }
530
531error:
532 kfree(buffer);
533 blk_put_request(rq);
534 return err;
535}
536EXPORT_SYMBOL_GPL(sg_scsi_ioctl);
537
538
539static int __blk_send_generic(struct request_queue *q, struct gendisk *bd_disk,
540 int cmd, int data)
541{
542 struct request *rq;
543 int err;
544
545 rq = blk_get_request(q, WRITE, __GFP_WAIT);
546 rq->cmd_type = REQ_TYPE_BLOCK_PC;
547 rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
548 rq->cmd[0] = cmd;
549 rq->cmd[4] = data;
550 rq->cmd_len = 6;
551 err = blk_execute_rq(q, bd_disk, rq, 0);
552 blk_put_request(rq);
553
554 return err;
555}
556
557static inline int blk_send_start_stop(struct request_queue *q,
558 struct gendisk *bd_disk, int data)
559{
560 return __blk_send_generic(q, bd_disk, GPCMD_START_STOP_UNIT, data);
561}
562
563int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mode,
564 unsigned int cmd, void __user *arg)
565{
566 int err;
567
568 if (!q || blk_get_queue(q))
569 return -ENXIO;
570
571 switch (cmd) {
572
573
574
575 case SG_GET_VERSION_NUM:
576 err = sg_get_version(arg);
577 break;
578 case SCSI_IOCTL_GET_IDLUN:
579 err = scsi_get_idlun(q, arg);
580 break;
581 case SCSI_IOCTL_GET_BUS_NUMBER:
582 err = scsi_get_bus(q, arg);
583 break;
584 case SG_SET_TIMEOUT:
585 err = sg_set_timeout(q, arg);
586 break;
587 case SG_GET_TIMEOUT:
588 err = sg_get_timeout(q);
589 break;
590 case SG_GET_RESERVED_SIZE:
591 err = sg_get_reserved_size(q, arg);
592 break;
593 case SG_SET_RESERVED_SIZE:
594 err = sg_set_reserved_size(q, arg);
595 break;
596 case SG_EMULATED_HOST:
597 err = sg_emulated_host(q, arg);
598 break;
599 case SG_IO: {
600 struct sg_io_hdr hdr;
601
602 err = -EFAULT;
603 if (copy_from_user(&hdr, arg, sizeof(hdr)))
604 break;
605 err = sg_io(q, bd_disk, &hdr, mode);
606 if (err == -EFAULT)
607 break;
608
609 if (copy_to_user(arg, &hdr, sizeof(hdr)))
610 err = -EFAULT;
611 break;
612 }
613 case CDROM_SEND_PACKET: {
614 struct cdrom_generic_command cgc;
615 struct sg_io_hdr hdr;
616
617 err = -EFAULT;
618 if (copy_from_user(&cgc, arg, sizeof(cgc)))
619 break;
620 cgc.timeout = clock_t_to_jiffies(cgc.timeout);
621 memset(&hdr, 0, sizeof(hdr));
622 hdr.interface_id = 'S';
623 hdr.cmd_len = sizeof(cgc.cmd);
624 hdr.dxfer_len = cgc.buflen;
625 err = 0;
626 switch (cgc.data_direction) {
627 case CGC_DATA_UNKNOWN:
628 hdr.dxfer_direction = SG_DXFER_UNKNOWN;
629 break;
630 case CGC_DATA_WRITE:
631 hdr.dxfer_direction = SG_DXFER_TO_DEV;
632 break;
633 case CGC_DATA_READ:
634 hdr.dxfer_direction = SG_DXFER_FROM_DEV;
635 break;
636 case CGC_DATA_NONE:
637 hdr.dxfer_direction = SG_DXFER_NONE;
638 break;
639 default:
640 err = -EINVAL;
641 }
642 if (err)
643 break;
644
645 hdr.dxferp = cgc.buffer;
646 hdr.sbp = cgc.sense;
647 if (hdr.sbp)
648 hdr.mx_sb_len = sizeof(struct request_sense);
649 hdr.timeout = jiffies_to_msecs(cgc.timeout);
650 hdr.cmdp = ((struct cdrom_generic_command __user*) arg)->cmd;
651 hdr.cmd_len = sizeof(cgc.cmd);
652
653 err = sg_io(q, bd_disk, &hdr, mode);
654 if (err == -EFAULT)
655 break;
656
657 if (hdr.status)
658 err = -EIO;
659
660 cgc.stat = err;
661 cgc.buflen = hdr.resid;
662 if (copy_to_user(arg, &cgc, sizeof(cgc)))
663 err = -EFAULT;
664
665 break;
666 }
667
668
669
670
671 case SCSI_IOCTL_SEND_COMMAND:
672 printk(KERN_WARNING "program %s is using a deprecated SCSI ioctl, please convert it to SG_IO\n", current->comm);
673 err = -EINVAL;
674 if (!arg)
675 break;
676
677 err = sg_scsi_ioctl(q, bd_disk, mode, arg);
678 break;
679 case CDROMCLOSETRAY:
680 err = blk_send_start_stop(q, bd_disk, 0x03);
681 break;
682 case CDROMEJECT:
683 err = blk_send_start_stop(q, bd_disk, 0x02);
684 break;
685 default:
686 err = -ENOTTY;
687 }
688
689 blk_put_queue(q);
690 return err;
691}
692EXPORT_SYMBOL(scsi_cmd_ioctl);
693
694static int __init blk_scsi_ioctl_init(void)
695{
696 blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
697 return 0;
698}
699fs_initcall(blk_scsi_ioctl_init);
700
