MFC 360818: Fix a memory leak for ENCIOC_GETSTRING I introduced in r360171.

MFC 360171,360179,360285,360388: Don't dereference various user pointers.

360171:
Don't access a user buffer directly from the kernel.

The handle_string callback for the ENCIOC_SETSTRING ioctl was passing
a user pointer to memcpy(). Fix by using copyin() instead.

For ENCIOC_GETSTRING ioctls, the handler was storing the user pointer
in a CCB's data_ptr field where it was indirected by other code. Fix
this by allocating a temporary buffer (which ENCIOC_SETSTRING already
did) and copying the result out to the user buffer after the CCB has
been processed.

360179:
Don't pass a user buffer pointer as the data pointer in a CCB.

Allocate a temporary buffer in the kernel to serve as the CCB data
pointer for a pass-through transaction and use copyin/copyout to
shuffle the data to/from the user buffer.

360285:
Don't indirect user pointers directly in two 802.11s ioctls.

IEEE80211_MESH_RTCMD_ADD was invoking memcmp() to validate the
supplied address directly on the user pointer rather than first doing
a copyin() and validating the copied value.

IEEE80211_MESH_RTCMD_DELETE was passing the user pointer directly to
ieee80211_mesh_rt_del() rather than copying the user buffer into a
temporary kernel buffer.

360388:
Don't run strcmp() against strings stored in user memory.

Instead, copy the strings into a temporary buffer on the stack and
run strcmp on the copies.

MFC r359662: Relax too strict SES element descriptors check in r355430.

SES specifications allows the string to be NULL-terminated, while previous
code was considering it as invalid due to incorrectly ordered conditions.

MFC r359146: Fix SES on device slots without phys after r349321.

Broadcom 9400-8i8e HBAs report virtual SES device, where slots representing
external connectors are reported having no phys. Since sasdev_phys is NULL
there and proto_hdr is a union, ses_paths_iter() misinterpreted them as ATA.
Add explicit protocol check to properly differentiate them.

MFC r355430:

ses: sanitize illegal strings in SES element descriptors

The SES4r3 standard requires that element descriptors may only contain ASCII
characters in the range 0x20 to 0x7e. Some SuperMicro expanders violate
that rule. This patch adds a sanity check to ses(4). Descriptors in
violation will be replaced by "<invalid>".

This patch fixes "sesutil --libxo xml" on such systems. Previously it would
generate non-well-formed XML output.

PR: 241929
Reviewed by: allanjude
Sponsored by: Axcient

MFC r352201: Fix assumptions of only one device per SES slot.

It is typical to have one, but no longer true for multi-actuator HDDs
with separate LUN for each actuator.

MFC r351606: Take proper lock in ses_setphyspath_callback().

XPT_DEV_ADVINFO call should be protected by the lock of the specific
device it is addressed to, not the lock of SES device. In some weird
case, probably with hardware violating standards, it sometimes caused
NULL dereference due to race.

To protect from it further, add lock assertion to *_dev_advinfo().

MFC r349321: Improve AHCI Enclosure Management and SES interoperation.

Since SES specs do not define mechanism to map enclosure slots to SATA
disks, AHCI EM code I written many years ago appeared quite useless,
that always bugged me. I was thinking whether it was a good idea, but
if LSI HBAs do that, why I shouldn't?

This change introduces simple non-standard mechanism for the mapping
into both AHCI EM and SES code, that makes AHCI EM on capable controllers
(most of Intel's) a first-class SES citizen, allowing it to report disk
physical path to GEOM, show devices inserted into each enclosure slot in
`sesutil map` and `getencstat`, control locate and fault LEDs for specific
devices with `sesutil locate adaX on` and `sesutil fault adaX on`, etc.

I've successfully tested this on Supermicro X10DRH-i motherboard connected
with sideband cable of its S-SATA Mini-SAS connector to SAS815TQ backplane.
It can indicate with LEDs Locate, Fault and Rebuild/Remap SES statuses for
each disk identical to real SES of Supermicro SAS2 backplanes.

MFC r349284: Make ELEMENT INDEX validation more strict.

SES specifications tell: "The Additional Element Status descriptors shall
be in the same order as the status elements in the Enclosure Status
diagnostic page". It allows us to question ELEMENT INDEX that is lower
then values we already processed. There are many SAS2 enclosures with
this kind of problem.

While there, add more specific error messages for cases when ELEMENT INDEX
is obviously wrong. Also skip elements with INVALID bit set.

MFC r349281: Fix individual_element_index when some type has 0 elements.

When some type has 0 elements, saved_individual_element_index was set
to -1 on second type bump, since individual_element_index was not
restored after the first. To me it looks easier just to increment
saved_individual_element_index separately than think when to save it.

MFC r343727: Use switch instead of chained if/else to improve readability.

Submitted by: Ryan Moeller <ryan@freqlabs.com>
Sponsored by: iXsystems, Inc.

MFC r320372:
Fix a memory leak in ses_get_elm_devnames().

Approved by: re (gjb)

MFC r309297: Make SES status updates more aggressive.

- On control request update all status pages, since they may also be
affected if user enables/disables enclosure slots.
- Periodically update element descriptors too, since there is some
hardware where they are changed dynamically.

MFC r309282: Explicitly initialize cdai.flags.

In SES driver uninitialized value caused unreliable physpath reporting.

MFC r308425: Add support for EIIOE flag in Additional Element Status.

It was added in SES-3 spec, and its support required to properly link
the Additional Element Status page data to the original elements.

MFC r307132: Use copyout() instead of pointing sbuf to user-space buffer.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Allow sleepable allocations in enclosure daemon threads.

There were at least two places where M_NOWAIT was used without NULL check.
This change should fix NULL-dereference panic there and possibly improve
operation in other ways under memory pressure.

MFC after: 2 weeks

Add API to obtain primary enclosure name and ID for /dev/sesX devices.

sesX device number may change between reboots, so to properly identify
the instance we need more data. Name and ID reported here may mach ones
reported by SCSI device, but that is not really required by specs.

MFC after: 1 week
Sponsored by: iXsystems, Inc.

Make sure that the flags for the XPT_DEV_ADVINFO CCB are initialized
properly.

If there is garbage in the flags field, it can sometimes include a
set CDAI_FLAG_STORE flag, which may cause either an error or
perhaps result in overwriting the field that was intended to be
read.

sys/cam/cam_ccb.h:
Add a new flag to the XPT_DEV_ADVINFO CCB, CDAI_FLAG_NONE,
that callers can use to set the flags field when no store
is desired.

sys/cam/scsi/scsi_enc_ses.c:
In ses_setphyspath_callback(), explicitly set the
XPT_DEV_ADVINFO flags to CDAI_FLAG_NONE when fetching the
physical path information. Instead of ORing in the
CDAI_FLAG_STORE flag when storing the physical path, set
the flags field to CDAI_FLAG_STORE.

sys/cam/scsi/scsi_sa.c:
Set the XPT_DEV_ADVINFO flags field to CDAI_FLAG_NONE when
fetching extended inquiry information.

sys/cam/scsi/scsi_da.c:
When storing extended READ CAPACITY information, set the
XPT_DEV_ADVINFO flags field to CDAI_FLAG_STORE instead of
ORing it into a field that isn't initialized.

sys/dev/mpr/mpr_sas.c,
sys/dev/mps/mps_sas.c:
When fetching extended READ CAPACITY information, set the
XPT_DEV_ADVINFO flags field to CDAI_FLAG_NONE instead of
setting it to 0.

sbin/camcontrol/camcontrol.c:
When fetching a device ID, set the XPT_DEV_ADVINFO flags
field to CDAI_FLAG_NONE instead of 0.

sys/sys/param.h:
Bump __FreeBSD_version to 1100061 for the new XPT_DEV_ADVINFO
CCB flag, CDAI_FLAG_NONE.

Sponsored by: Spectra Logic
MFC after: 1 week

Remove instances of variables that were set, but never used. gcc 4.9
warns about these by default.

Merge CAM locking changes from the projects/camlock branch to radically
reduce lock congestion and improve SMP scalability of the SCSI/ATA stack,
preparing the ground for the coming next GEOM direct dispatch support.

Replace big per-SIM locks with bunch of smaller ones:
- per-LUN locks to protect device and peripheral drivers state;
- per-target locks to protect list of LUNs on target;
- per-bus locks to protect reference counting;
- per-send queue locks to protect queue of CCBs to be sent;
- per-done queue locks to protect queue of completed CCBs;
- remaining per-SIM locks now protect only HBA driver internals.

While holding LUN lock it is allowed (while not recommended for performance
reasons) to take SIM lock. The opposite acquisition order is forbidden.
All the other locks are leaf locks, that can be taken anywhere, but should
not be cascaded. Many functions, such as: xpt_action(), xpt_done(),
xpt_async(), xpt_create_path(), etc. are no longer require (but allow) SIM
lock to be held.

To keep compatibility and solve cases where SIM lock can't be dropped, all
xpt_async() calls in addition to xpt_done() calls are queued to completion
threads for async processing in clean environment without SIM lock held.

Instead of single CAM SWI thread, used for commands completion processing
before, use multiple (depending on number of CPUs) threads. Load balanced
between them using "hash" of the device B:T:L address.

HBA drivers that can drop SIM lock during completion processing and have
sufficient number of completion threads to efficiently scale to multiple
CPUs can use new function xpt_done_direct() to avoid extra context switch.
Make ahci(4) driver to use this mechanism depending on hardware setup.

Sponsored by: iXsystems, Inc.
MFC after: 2 months

Make SES driver adequately react on simple enclosure devices -- read Short
Enclosure status to enclosure status field, clear previous state and exit.

Fix kernel panic if cache->nelms is zero.

MFC after: 2 weeks

Make CAM return and GEOM DISK pass through new GEOM::lunid attribute.

SPC-4 specification states that serial number may be property of device,
but not a specific logical unit. People reported about FC storages using
serial number in that way, making it unusable for purposes of LUN multipath
detection. SPC-4 states that designators associated with logical unit from
the VPD page 83h "Device Identification" should be used for that purpose.
Report first of them in the new attribute in such preference order: NAA,
EUI-64, T10 and SCSI name string.

While there, make GEOM DISK properly report GEOM::ident in XML output also
using d_getattr() method, if available. This fixes serial numbers reporting
for SCSI disks in `geom disk list` output and confxml.

Discussed with: gibbs, ken
Sponsored by: iXsystems, Inc.
MFC after: 2 weeks

Sanitize the element descriptor string before using it as a device name.

Reported and tested by: Vitalij Satanivskij
Reviewed by: gibbs, mav

Make SES driver to not fall out on some errors in Additional Status page.
This allows CAM devices still get their physical paths even if status of
later elements it corrupted.

Sponsored by: iXsystems, Inc.

Fix bug in r242720, that caused additional status page to not be used if
descriptor page is supported.

Use information about suported diagnostic pages to avoid reading optional
Element Descriptor page if it is not supported. This removes one error
message from verbose logs during boot on systems with some enclosures.

Sponsored by: iXsystems, Inc.

remove duplicate semicolons where possible.

Approved by: cperciva
MFC after: 1 week

XPT_DEV_MATCH is probably the only xpt_action() method that is called
without holding SIM lock. It really doesn't need that lock, but adding it
removes that specific exception, allowing to assert locking there later.

Submitted by: ken@ (earlier version)

Get SIM lock in several places while calling CAM functions.
This fixes several use-after-free panics on systems with SAS enclosures.

Submitted by: ken@, mav@

1. Remove SEN support. I doubt there are any working examples
of this hardware still running (close to twenty years now).

2. Quiesece and use ENC_VLOG instead of ENC_LOG for most
complaints. That is, they're visible with bootverbose, but
otherwise quiesced and not repeatedly spamming messages
with constant reminders that hardware in this space is
rarely fully compliant.

MFC after: 1 month

Remove opt_enc.h from files committed with r235911. enc(4) is the
'encapsulating interface' used with IPsec and has nothing to do with
storage 'enclosure' services.

MFC after: 3 days
Noticed while: debugging why enc(4) is no longer automatically created

Do not call ses_softc_cleanup() in case of configuration read failure.
Just free inclomplete daemon cache instead to let it retry next time.
Premature ses_softc_cleanup() caused NULL dereference when freed softc
was accessed later.

MFprojects/zfsd:
Revamp the CAM enclosure services driver.
This updated driver uses an in-kernel daemon to track state changes and
publishes physical path location information\for disk elements into the
CAM device database.

Sponsored by: Spectra Logic Corporation
Sponsored by: iXsystems, Inc.
Submitted by: gibbs, will, mav