19#include <linux/kernel.h>
20#include <linux/errno.h>
21#include <linux/string.h>
22#include <linux/module.h>
23#include <linux/blkdev.h>
24#include <linux/capability.h>
25#include <linux/completion.h>
26#include <linux/cdrom.h>
27#include <linux/slab.h>
28#include <linux/times.h>
29#include <asm/uaccess.h>
31#include <scsi/scsi.h>
32#include <scsi/scsi_ioctl.h>
33#include <scsi/scsi_cmnd.h>
/*
 * Per-opcode permission bitmaps consulted by blk_verify_command(): an
 * opcode whose bit is set in read_ok is allowed for any opener of the
 * device, one set in write_ok additionally requires the file to be open
 * for writing.  blk_default_cmd_filter is the single global instance;
 * blk_set_cmd_filter_defaults() fills it in from blk_scsi_ioctl_init().
 */
struct blk_cmd_filter {
 unsigned long read_ok[BLK_SCSI_CMD_PER_LONG];
 unsigned long write_ok[BLK_SCSI_CMD_PER_LONG];
} blk_default_cmd_filter;
/*
 * CDB length for each SCSI command group, indexed by the opcode's group
 * code (its top three bits) through COMMAND_SIZE().  Group 4 is the only
 * one with 16-byte CDBs, so the largest value here is 16.
 */
const unsigned char scsi_command_size_tbl[8] = {
	[0] = 6,  [1] = 10, [2] = 10, [3] = 12,
	[4] = 16, [5] = 12, [6] = 10, [7] = 10
};
EXPORT_SYMBOL(scsi_command_size_tbl);

48#include <scsi/sg.h>
/*
 * SG_GET_VERSION_NUM: report the emulated sg driver version to user
 * space.  Returns 0, or -EFAULT from put_user().
 */
static int sg_get_version(int __user *p)
{
	const int version = 30527;	/* sg 3.5.27 */

	return put_user(version, p);
}

/*
 * SCSI_IOCTL_GET_IDLUN: a plain block queue has no host/channel/id/lun
 * tuple to report, so the answer is always 0.  @q is unused.
 */
static int scsi_get_idlun(struct request_queue *q, int __user *p)
{
	const int idlun = 0;

	(void)q;
	return put_user(idlun, p);
}

/*
 * SCSI_IOCTL_GET_BUS_NUMBER: always reports bus 0 for a block queue.
 * @q is unused.
 */
static int scsi_get_bus(struct request_queue *q, int __user *p)
{
	const int bus = 0;

	(void)q;
	return put_user(bus, p);
}

/*
 * SG_GET_TIMEOUT: the queue's default SG timeout, converted from jiffies
 * to clock ticks.  The value is returned directly as the ioctl result.
 */
static int sg_get_timeout(struct request_queue *q)
{
	unsigned long timeout_jiffies = q->sg_timeout;

	return jiffies_to_clock_t(timeout_jiffies);
}

/*
 * SG_SET_TIMEOUT: set the queue's default SG timeout from a clock-tick
 * value supplied by user space.  Returns 0 or -EFAULT.
 *
 * NOTE(review): no range check is applied; a negative value goes through
 * clock_t_to_jiffies() as a very large unsigned number -- confirm whether
 * that is intended.
 */
static int sg_set_timeout(struct request_queue *q, int __user *p)
{
	int ticks;

	if (get_user(ticks, p))
		return -EFAULT;

	q->sg_timeout = clock_t_to_jiffies(ticks);
	return 0;
}

/*
 * SG_GET_RESERVED_SIZE: report the reserved buffer size, never more than
 * the queue's per-request byte limit (max sectors << 9).
 */
static int sg_get_reserved_size(struct request_queue *q, int __user *p)
{
	unsigned int max_bytes = queue_max_sectors(q) << 9;
	unsigned int reserved = q->sg_reserved_size;

	if (reserved > max_bytes)
		reserved = max_bytes;

	return put_user(reserved, p);
}

/*
 * SG_SET_RESERVED_SIZE: set the reserved buffer size from user space.
 * Negative values are rejected with -EINVAL; values above the queue's
 * per-request byte limit are silently clamped to it.
 * Returns 0, -EFAULT or -EINVAL.
 */
static int sg_set_reserved_size(struct request_queue *q, int __user *p)
{
	const unsigned int max_bytes = queue_max_sectors(q) << 9;
	int size;

	if (get_user(size, p))
		return -EFAULT;

	if (size < 0)
		return -EINVAL;
	/* size is non-negative here, so the unsigned comparison is exact. */
	if ((unsigned int)size > max_bytes)
		size = max_bytes;

	q->sg_reserved_size = size;
	return 0;
}

/*
 * SG_EMULATED_HOST: this is always an emulated sg host (1).  @q is unused.
 */
static int sg_emulated_host(struct request_queue *q, int __user *p)
{
	const int emulated = 1;

	(void)q;
	return put_user(emulated, p);
}

/*
 * Populate @filter with the default opcode policy.  Everything in
 * read_cmds is permitted to any opener of the device; everything in
 * write_cmds additionally needs write permission (see
 * blk_verify_command()).  Bits are only set, never cleared, so the
 * caller is expected to pass a zeroed filter.
 */
static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
{
	static const unsigned char read_cmds[] = {
		/* Basic read-only commands */
		TEST_UNIT_READY, REQUEST_SENSE, READ_6, READ_10, READ_12, READ_16,
		READ_BUFFER, READ_DEFECT_DATA, READ_CAPACITY, READ_LONG, INQUIRY,
		MODE_SENSE, MODE_SENSE_10, LOG_SENSE, START_STOP, GPCMD_VERIFY_10,
		VERIFY_16, REPORT_LUNS, SERVICE_ACTION_IN, RECEIVE_DIAGNOSTIC,
		MAINTENANCE_IN, GPCMD_READ_BUFFER_CAPACITY,
		/* Audio CD commands */
		GPCMD_PLAY_CD, GPCMD_PLAY_AUDIO_10, GPCMD_PLAY_AUDIO_MSF,
		GPCMD_PLAY_AUDIO_TI, GPCMD_PAUSE_RESUME,
		/* CD/DVD data reading */
		GPCMD_READ_CD, GPCMD_READ_CD_MSF, GPCMD_READ_DISC_INFO,
		GPCMD_READ_CDVD_CAPACITY, GPCMD_READ_DVD_STRUCTURE, GPCMD_READ_HEADER,
		GPCMD_READ_TRACK_RZONE_INFO, GPCMD_READ_SUBCHANNEL,
		GPCMD_READ_TOC_PMA_ATIP, GPCMD_REPORT_KEY, GPCMD_SCAN,
		GPCMD_GET_CONFIGURATION, GPCMD_READ_FORMAT_CAPACITIES,
		GPCMD_GET_EVENT_STATUS_NOTIFICATION, GPCMD_GET_PERFORMANCE,
		GPCMD_SEEK, GPCMD_STOP_PLAY_SCAN,
	};
	static const unsigned char write_cmds[] = {
		/* Basic writing commands */
		WRITE_6, WRITE_10, WRITE_VERIFY, WRITE_12, WRITE_VERIFY_12, WRITE_16,
		WRITE_LONG, WRITE_LONG_2, ERASE, GPCMD_MODE_SELECT_10, MODE_SELECT,
		LOG_SELECT, GPCMD_BLANK, GPCMD_CLOSE_TRACK, GPCMD_FLUSH_CACHE,
		GPCMD_FORMAT_UNIT, GPCMD_REPAIR_RZONE_TRACK, GPCMD_RESERVE_RZONE_TRACK,
		GPCMD_SEND_DVD_STRUCTURE, GPCMD_SEND_EVENT, GPCMD_SEND_KEY,
		GPCMD_SEND_OPC, GPCMD_SEND_CUE_SHEET, GPCMD_SET_SPEED,
		GPCMD_PREVENT_ALLOW_MEDIUM_REMOVAL, GPCMD_LOAD_UNLOAD,
		GPCMD_SET_STREAMING, GPCMD_SET_READ_AHEAD,
	};
	size_t i;

	for (i = 0; i < ARRAY_SIZE(read_cmds); i++)
		__set_bit(read_cmds[i], filter->read_ok);
	for (i = 0; i < ARRAY_SIZE(write_cmds); i++)
		__set_bit(write_cmds[i], filter->write_ok);
}

/*
 * Decide whether a raw SCSI CDB may be issued through the ioctl paths.
 *
 * @cmd:            the CDB; only the opcode byte cmd[0] is inspected, so
 *                  the caller must guarantee at least one byte.
 * @has_write_perm: non-zero when the file was opened for writing.
 *
 * CAP_SYS_RAWIO bypasses the filter entirely.  Otherwise the opcode must
 * be in the default filter's read_ok set, or in its write_ok set with
 * write permission on the file.  The opcode is an unsigned char, so the
 * bit index always lies inside the bitmaps, which are sized for every
 * 8-bit opcode.
 *
 * Returns 0 when the command is allowed, -EPERM otherwise.
 */
int blk_verify_command(unsigned char *cmd, fmode_t has_write_perm)
{
	const struct blk_cmd_filter *filter = &blk_default_cmd_filter;
	const unsigned char opcode = cmd[0];

	/* Raw-I/O capability: no filtering at all. */
	if (capable(CAP_SYS_RAWIO))
		return 0;

	/* The default filter is a static object, so this cannot trigger. */
	if (!filter)
		return -EPERM;

	/* Read-class commands need no particular open mode. */
	if (test_bit(opcode, filter->read_ok))
		return 0;

	/* Write-class commands need the file open for writing. */
	if (has_write_perm && test_bit(opcode, filter->write_ok))
		return 0;

	return -EPERM;
}
EXPORT_SYMBOL(blk_verify_command);

/*
 * Copy the CDB from the user sg_io_hdr into @rq, run it through the
 * command filter and derive the request timeout.
 *
 * The caller (sg_io()) has already bounded hdr->cmd_len to BLK_MAX_CDB;
 * that is what keeps the copy into rq->cmd in bounds.  The filter is
 * given @mode & FMODE_WRITE as its write-permission flag.
 *
 * NOTE(review): with cmd_len == 0 nothing is copied and the filter
 * inspects whatever rq->cmd[0] already holds -- presumably zero from
 * request initialisation, which is TEST_UNIT_READY; verify.
 *
 * Returns 0, -EFAULT if the CDB could not be copied, or -EPERM if the
 * filter rejected it.
 */
static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
			     struct sg_io_hdr *hdr, fmode_t mode)
{
	if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
		return -EFAULT;
	if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
		return -EPERM;

	rq->cmd_len = hdr->cmd_len;
	rq->cmd_type = REQ_TYPE_BLOCK_PC;

	/*
	 * Timeout precedence: the header's value, then the queue's
	 * SG_SET_TIMEOUT setting, then the block-layer default; in every
	 * case not below BLK_MIN_SG_TIMEOUT.
	 */
	rq->timeout = msecs_to_jiffies(hdr->timeout);
	if (!rq->timeout)
		rq->timeout = q->sg_timeout ? q->sg_timeout : BLK_DEFAULT_SG_TIMEOUT;
	if (rq->timeout < BLK_MIN_SG_TIMEOUT)
		rq->timeout = BLK_MIN_SG_TIMEOUT;

	return 0;
}

/*
 * Fill in the completion fields of @hdr from the finished request, copy
 * sense data back to user space, then release the request and its user
 * mapping.
 *
 * The sense copy is bounded by the smaller of hdr->mx_sb_len and the
 * length the driver actually produced; hdr->sb_len_wr reports how much
 * was copied (0 if nothing).  Returns 0, -EFAULT if the sense copy
 * failed, or otherwise the result of blk_rq_unmap_user().  @rq is always
 * consumed.
 */
static int blk_complete_sghdr_rq(struct request *rq, struct sg_io_hdr *hdr,
				 struct bio *bio)
{
	int ret = 0;
	int unmap_err;

	/* Only the low byte of rq->errors is the SCSI status byte. */
	hdr->status = rq->errors & 0xff;
	hdr->masked_status = status_byte(rq->errors);
	hdr->msg_status = msg_byte(rq->errors);
	hdr->host_status = host_byte(rq->errors);
	hdr->driver_status = driver_byte(rq->errors);
	hdr->info = (hdr->masked_status || hdr->host_status || hdr->driver_status)
		    ? SG_INFO_CHECK : 0;
	hdr->resid = rq->resid_len;
	hdr->sb_len_wr = 0;

	if (hdr->sbp && rq->sense_len) {
		unsigned int len = rq->sense_len;

		if (len > (unsigned int)hdr->mx_sb_len)
			len = hdr->mx_sb_len;

		if (copy_to_user(hdr->sbp, rq->sense, len))
			ret = -EFAULT;
		else
			hdr->sb_len_wr = len;
	}

	/* The first error wins; the unmap result only counts if none so far. */
	unmap_err = blk_rq_unmap_user(bio);
	if (!ret)
		ret = unmap_err;
	blk_put_request(rq);

	return ret;
}

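/*
 * Execute one SG_IO request described by an already-copied sg_io_hdr.
 *
 * Validation: interface_id must be 'S'; cmd_len is bounded to BLK_MAX_CDB
 * (this bounds the later copy into rq->cmd); dxfer_len is bounded by the
 * queue's hardware limit; the direction is only checked when a transfer
 * is requested.  The CDB itself is vetted by blk_verify_command() inside
 * blk_fill_sghdr_rq().
 *
 * Returns 0 with @hdr's completion fields filled in, or a negative errno.
 * A CDB rejected by the filter surfaces as -EPERM; previously it was
 * folded into -EFAULT, which callers treat as "do not copy hdr back".
 */
static int sg_io(struct request_queue *q, struct gendisk *bd_disk,
		 struct sg_io_hdr *hdr, fmode_t mode)
{
	unsigned long start_time;
	int writing = 0, ret = 0;
	struct request *rq;
	char sense[SCSI_SENSE_BUFFERSIZE];
	struct bio *bio;

	if (hdr->interface_id != 'S')
		return -EINVAL;
	/* Bounds the copy_from_user() into rq->cmd in blk_fill_sghdr_rq(). */
	if (hdr->cmd_len > BLK_MAX_CDB)
		return -EINVAL;

	if (hdr->dxfer_len > (queue_max_hw_sectors(q) << 9))
		return -EIO;

	/* The direction only matters when data actually moves. */
	if (hdr->dxfer_len)
		switch (hdr->dxfer_direction) {
		default:
			return -EINVAL;
		case SG_DXFER_TO_DEV:
			writing = 1;
			break;
		case SG_DXFER_TO_FROM_DEV:
		case SG_DXFER_FROM_DEV:
			break;
		}

	rq = blk_get_request(q, writing ? WRITE : READ, GFP_KERNEL);
	if (!rq)
		return -ENOMEM;

	/*
	 * Copies the CDB from hdr->cmdp and runs it through the command
	 * filter.  Propagate its errno (-EFAULT or -EPERM) instead of
	 * collapsing both into -EFAULT.
	 */
	ret = blk_fill_sghdr_rq(q, rq, hdr, mode);
	if (ret)
		goto out;

	if (hdr->iovec_count) {
		/* iovec_count is an unsigned short, so this cannot overflow. */
		const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
		size_t iov_data_len;
		struct sg_iovec *iov;

		iov = kmalloc(size, GFP_KERNEL);
		if (!iov) {
			ret = -ENOMEM;
			goto out;
		}

		if (copy_from_user(iov, hdr->dxferp, size)) {
			kfree(iov);
			ret = -EFAULT;
			goto out;
		}

		/*
		 * Never map more than dxfer_len: shorten the vector when the
		 * user's segments add up to more than the declared length.
		 * NOTE(review): the casts rely on sg_iovec and iovec sharing
		 * a layout -- confirm against the headers.
		 */
		iov_data_len = iov_length((struct iovec *)iov,
					  hdr->iovec_count);
		if (hdr->dxfer_len < iov_data_len) {
			hdr->iovec_count = iov_shorten((struct iovec *)iov,
						       hdr->iovec_count,
						       hdr->dxfer_len);
			iov_data_len = hdr->dxfer_len;
		}

		ret = blk_rq_map_user_iov(q, rq, NULL, iov, hdr->iovec_count,
					  iov_data_len, GFP_KERNEL);
		kfree(iov);
	} else if (hdr->dxfer_len)
		ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
				      GFP_KERNEL);

	if (ret)
		goto out;

	/* The sense buffer lives on our stack; the request completes before we return. */
	bio = rq->bio;
	memset(sense, 0, sizeof(sense));
	rq->sense = sense;
	rq->sense_len = 0;
	rq->retries = 0;

	start_time = jiffies;

	/* Synchronous: returns once the request has completed. */
	blk_execute_rq(q, bd_disk, rq, 0);

	hdr->duration = jiffies_to_msecs(jiffies - start_time);

	/* Fills in hdr's completion fields and drops rq and the user mapping. */
	return blk_complete_sghdr_rq(rq, hdr, bio);
out:
	blk_put_request(rq);
	return ret;
}
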
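/* Maximum number of sense bytes copied back into sic->data on failure. */
#define OMAX_SB_LEN 16

/*
 * SCSI_IOCTL_SEND_COMMAND: the legacy "send a raw CDB" interface.
 *
 * @sic in user memory holds inlen, outlen, then data[]: the CDB followed
 * by inlen bytes of data-out.  On success, outlen bytes of data-in are
 * written back over data[]; on a SCSI error, up to OMAX_SB_LEN sense
 * bytes are written there instead.
 *
 * Bounds: inlen and outlen are each capped at PAGE_SIZE.  The CDB length
 * comes from the opcode's group via COMMAND_SIZE(), so it never exceeds
 * the 16 bytes the group table allows.  The data buffer is kzalloc()ed,
 * so copying outlen bytes back cannot disclose stale kernel memory even
 * when the device transferred less.  The CDB passes blk_verify_command()
 * with @mode & FMODE_WRITE as the write-permission flag.
 *
 * Returns 0, a negative errno, or the SCSI status byte.  A failure to map
 * the data buffer is reported as DRIVER_ERROR << 24; previously that value
 * was overwritten by the completion path, so a request that never ran was
 * reported as a zero-status success with an empty buffer.
 */
int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
		  struct scsi_ioctl_command __user *sic)
{
	struct request *rq;
	int err;
	unsigned int in_len, out_len, bytes, opcode, cmdlen;
	char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];

	if (!sic)
		return -EINVAL;

	/* Fetch and bound both transfer lengths before allocating anything. */
	if (get_user(in_len, &sic->inlen))
		return -EFAULT;
	if (get_user(out_len, &sic->outlen))
		return -EFAULT;
	if (in_len > PAGE_SIZE || out_len > PAGE_SIZE)
		return -EINVAL;
	if (get_user(opcode, sic->data))
		return -EFAULT;

	bytes = max(in_len, out_len);
	if (bytes) {
		/* Zeroed so that out_len bytes can always be copied back. */
		buffer = kzalloc(bytes, q->bounce_gfp | GFP_USER| __GFP_NOWARN);
		if (!buffer)
			return -ENOMEM;
	}

	/* NOTE(review): presumably __GFP_WAIT sleeps rather than returning NULL; not checked here. */
	rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);

	/* CDB length follows from the opcode's group code (at most 16 bytes). */
	cmdlen = COMMAND_SIZE(opcode);

	/* Copy the CDB first, then the data-out payload that follows it. */
	err = -EFAULT;
	rq->cmd_len = cmdlen;
	if (copy_from_user(rq->cmd, sic->data, cmdlen))
		goto error;

	if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
		goto error;

	/* Command filter: unprivileged callers only get the read/write sets. */
	err = blk_verify_command(rq->cmd, mode & FMODE_WRITE);
	if (err)
		goto error;

	/* Default retry count; slow or one-shot commands override it below. */
	rq->retries = 5;

	switch (opcode) {
	case SEND_DIAGNOSTIC:
	case FORMAT_UNIT:
		rq->timeout = FORMAT_UNIT_TIMEOUT;
		rq->retries = 1;
		break;
	case START_STOP:
		rq->timeout = START_STOP_TIMEOUT;
		break;
	case MOVE_MEDIUM:
		rq->timeout = MOVE_MEDIUM_TIMEOUT;
		break;
	case READ_ELEMENT_STATUS:
		rq->timeout = READ_ELEMENT_STATUS_TIMEOUT;
		break;
	case READ_DEFECT_DATA:
		rq->timeout = READ_DEFECT_DATA_TIMEOUT;
		rq->retries = 1;
		break;
	default:
		rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
		break;
	}

	if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
		/*
		 * Nothing was executed, so report the mapping failure as is.
		 * Falling into the completion path would overwrite err with
		 * rq->errors and hand back a zero-status "success".
		 */
		err = DRIVER_ERROR << 24;
		goto error;
	}

	memset(sense, 0, sizeof(sense));
	rq->sense = sense;
	rq->sense_len = 0;
	rq->cmd_type = REQ_TYPE_BLOCK_PC;

	blk_execute_rq(q, disk, rq, 0);

	/* Only the low 8 bits of rq->errors are the SCSI status byte. */
	err = rq->errors & 0xff;
	if (err) {
		/* On a SCSI error, data[] receives bounded sense bytes instead. */
		if (rq->sense_len && rq->sense) {
			bytes = (OMAX_SB_LEN > rq->sense_len) ?
				rq->sense_len : OMAX_SB_LEN;
			if (copy_to_user(sic->data, rq->sense, bytes))
				err = -EFAULT;
		}
	} else {
		if (copy_to_user(sic->data, buffer, out_len))
			err = -EFAULT;
	}

error:
	kfree(buffer);
	blk_put_request(rq);
	return err;
}
EXPORT_SYMBOL_GPL(sg_scsi_ioctl);
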
/*
 * Issue a six-byte CDB with @cmd as the opcode and @data in byte 4, and
 * wait for it.  Used only by blk_send_start_stop() in this file; it does
 * not go through blk_verify_command(), so keep it for in-kernel fixed
 * commands.  Returns the result of blk_execute_rq().
 *
 * NOTE(review): bytes 1-3 and 5 of rq->cmd are not written here; this
 * presumably relies on the request coming back zeroed -- confirm.
 */
static int __blk_send_generic(struct request_queue *q, struct gendisk *bd_disk,
			      int cmd, int data)
{
	struct request *rq = blk_get_request(q, WRITE, __GFP_WAIT);
	int err;

	rq->cmd_type = REQ_TYPE_BLOCK_PC;
	rq->timeout = BLK_DEFAULT_SG_TIMEOUT;
	rq->cmd[0] = cmd;	/* opcode */
	rq->cmd[4] = data;	/* command-specific parameter byte */
	rq->cmd_len = 6;

	err = blk_execute_rq(q, bd_disk, rq, 0);
	blk_put_request(rq);
	return err;
}

/*
 * Send START STOP UNIT with @data as the parameter byte (byte 4 of the
 * CDB).  Returns whatever __blk_send_generic() returns.
 */
static inline int blk_send_start_stop(struct request_queue *q,
				      struct gendisk *bd_disk, int data)
{
	const int opcode = GPCMD_START_STOP_UNIT;

	return __blk_send_generic(q, bd_disk, opcode, data);
}

/*
 * Dispatch the SCSI/sg ioctls a block device driver forwards here.
 *
 * @q:       the device's request queue; a reference is taken for the
 *           duration of the call.
 * @bd_disk: the disk the request is executed against.
 * @mode:    the file's open mode; FMODE_WRITE feeds the command filter.
 * @cmd/@arg: the ioctl number and its user-space argument.
 *
 * Returns 0 or a negative errno; -ENOTTY for ioctls not handled here.
 */
int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mode,
 unsigned int cmd, void __user *arg)
{
 int err;

 /* A non-zero blk_get_queue() means the queue is going away. */
 if (!q || blk_get_queue(q))
 return -ENXIO;

 switch (cmd) {
 /*
 * sg-compatible interface.
 */
 case SG_GET_VERSION_NUM:
 err = sg_get_version(arg);
 break;
 case SCSI_IOCTL_GET_IDLUN:
 err = scsi_get_idlun(q, arg);
 break;
 case SCSI_IOCTL_GET_BUS_NUMBER:
 err = scsi_get_bus(q, arg);
 break;
 case SG_SET_TIMEOUT:
 err = sg_set_timeout(q, arg);
 break;
 case SG_GET_TIMEOUT:
 err = sg_get_timeout(q);
 break;
 case SG_GET_RESERVED_SIZE:
 err = sg_get_reserved_size(q, arg);
 break;
 case SG_SET_RESERVED_SIZE:
 err = sg_set_reserved_size(q, arg);
 break;
 case SG_EMULATED_HOST:
 err = sg_emulated_host(q, arg);
 break;
 case SG_IO: {
 struct sg_io_hdr hdr;

 /* Copy the header in, execute, copy the completed header back. */
 err = -EFAULT;
 if (copy_from_user(&hdr, arg, sizeof(hdr)))
 break;
 err = sg_io(q, bd_disk, &hdr, mode);
 /* -EFAULT means user memory is unusable, so do not write hdr back. */
 if (err == -EFAULT)
 break;

 if (copy_to_user(arg, &hdr, sizeof(hdr)))
 err = -EFAULT;
 break;
 }
 case CDROM_SEND_PACKET: {
 struct cdrom_generic_command cgc;
 struct sg_io_hdr hdr;

 /* Translate the cdrom packet command into an sg_io_hdr and run it. */
 err = -EFAULT;
 if (copy_from_user(&cgc, arg, sizeof(cgc)))
 break;
 cgc.timeout = clock_t_to_jiffies(cgc.timeout);
 memset(&hdr, 0, sizeof(hdr));
 hdr.interface_id = 'S';
 hdr.cmd_len = sizeof(cgc.cmd);
 hdr.dxfer_len = cgc.buflen;
 err = 0;
 switch (cgc.data_direction) {
 case CGC_DATA_UNKNOWN:
 hdr.dxfer_direction = SG_DXFER_UNKNOWN;
 break;
 case CGC_DATA_WRITE:
 hdr.dxfer_direction = SG_DXFER_TO_DEV;
 break;
 case CGC_DATA_READ:
 hdr.dxfer_direction = SG_DXFER_FROM_DEV;
 break;
 case CGC_DATA_NONE:
 hdr.dxfer_direction = SG_DXFER_NONE;
 break;
 default:
 err = -EINVAL;
 }
 if (err)
 break;

 hdr.dxferp = cgc.buffer;
 hdr.sbp = cgc.sense;
 /* Bound the sense copy-back to the user's request_sense structure. */
 if (hdr.sbp)
 hdr.mx_sb_len = sizeof(struct request_sense);
 hdr.timeout = jiffies_to_msecs(cgc.timeout);
 /*
 * cmdp points at the user copy, so sg_io() fetches the CDB from user
 * memory (and the filter vets exactly those bytes), not from cgc.cmd.
 */
 hdr.cmdp = ((struct cdrom_generic_command __user*) arg)->cmd;
 hdr.cmd_len = sizeof(cgc.cmd);

 err = sg_io(q, bd_disk, &hdr, mode);
 if (err == -EFAULT)
 break;

 /* Any SCSI status byte is reported to the caller as -EIO. */
 if (hdr.status)
 err = -EIO;

 cgc.stat = err;
 cgc.buflen = hdr.resid;
 if (copy_to_user(arg, &cgc, sizeof(cgc)))
 err = -EFAULT;

 break;
 }

 /*
 * Old-style ioctls.
 */
 case SCSI_IOCTL_SEND_COMMAND:
 printk(KERN_WARNING "program %s is using a deprecated SCSI ioctl, please convert it to SG_IO\n", current->comm);
 err = -EINVAL;
 if (!arg)
 break;

 err = sg_scsi_ioctl(q, bd_disk, mode, arg);
 break;
 /* START STOP UNIT byte 4: 0x03 = LoEj|Start (close tray), 0x02 = LoEj (eject). */
 case CDROMCLOSETRAY:
 err = blk_send_start_stop(q, bd_disk, 0x03);
 break;
 case CDROMEJECT:
 err = blk_send_start_stop(q, bd_disk, 0x02);
 break;
 default:
 err = -ENOTTY;
 }

 blk_put_queue(q);
 return err;
}
EXPORT_SYMBOL(scsi_cmd_ioctl);
/*
 * fs_initcall hook: fill the global default command filter.  Always
 * returns 0.
 */
int __init blk_scsi_ioctl_init(void)
{
	struct blk_cmd_filter *filter = &blk_default_cmd_filter;

	blk_set_cmd_filter_defaults(filter);
	return 0;
}
fs_initcall(blk_scsi_ioctl_init);
