1/*- 2 * Copyright (c) 1997, 1998, 2000 Justin T. Gibbs. 3 * Copyright (c) 1997, 1998, 1999 Kenneth D. Merry. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions, and the following disclaimer, 11 * without modification, immediately at the beginning of the file. 12 * 2. The name of the author may not be used to endorse or promote products 13 * derived from this software without specific prior written permission. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR 19 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD: stable/10/sys/cam/scsi/scsi_pass.c 331632 2018-03-27 17:42:04Z brooks $"); 30 31#include "opt_compat.h" 32 33#include <sys/param.h> 34#include <sys/systm.h> 35#include <sys/kernel.h> 36#include <sys/conf.h> 37#include <sys/types.h> 38#include <sys/bio.h> 39#include <sys/bus.h> 40#include <sys/devicestat.h> 41#include <sys/errno.h> 42#include <sys/fcntl.h> 43#include <sys/malloc.h> 44#include <sys/proc.h> 45#include <sys/poll.h> 46#include <sys/selinfo.h> 47#include <sys/sdt.h> 48#include <sys/sysent.h> 49#include <sys/taskqueue.h> 50#include <vm/uma.h> 51#include <vm/vm.h> 52#include <vm/vm_extern.h> 53 54#include <machine/bus.h> 55 56#include <cam/cam.h> 57#include <cam/cam_ccb.h> 58#include <cam/cam_periph.h> 59#include <cam/cam_queue.h> 60#include <cam/cam_xpt.h> 61#include <cam/cam_xpt_periph.h> 62#include <cam/cam_debug.h> 63#include <cam/cam_compat.h> 64#include <cam/cam_xpt_periph.h> 65 66#include <cam/scsi/scsi_all.h> 67#include <cam/scsi/scsi_pass.h> 68 69typedef enum { 70 PASS_FLAG_OPEN = 0x01, 71 PASS_FLAG_LOCKED = 0x02, 72 PASS_FLAG_INVALID = 0x04, 73 PASS_FLAG_INITIAL_PHYSPATH = 0x08, 74 PASS_FLAG_ZONE_INPROG = 0x10, 75 PASS_FLAG_ZONE_VALID = 0x20, 76 PASS_FLAG_UNMAPPED_CAPABLE = 0x40, 77 PASS_FLAG_ABANDONED_REF_SET = 0x80 78} pass_flags; 79 80typedef enum { 81 PASS_STATE_NORMAL 82} pass_state; 83 84typedef enum { 85 PASS_CCB_BUFFER_IO, 86 PASS_CCB_QUEUED_IO 87} pass_ccb_types; 88 89#define ccb_type ppriv_field0 90#define ccb_ioreq ppriv_ptr1 91 92/* 93 * The maximum number of memory segments we preallocate. 94 */ 95#define PASS_MAX_SEGS 16 96 97typedef enum { 98 PASS_IO_NONE = 0x00, 99 PASS_IO_USER_SEG_MALLOC = 0x01, 100 PASS_IO_KERN_SEG_MALLOC = 0x02, 101 PASS_IO_ABANDONED = 0x04 102} pass_io_flags; 103 104struct pass_io_req { 105 union ccb ccb; 106 union ccb *alloced_ccb; 107 union ccb *user_ccb_ptr; 108 camq_entry user_periph_links; 109 ccb_ppriv_area user_periph_priv; 110 struct cam_periph_map_info mapinfo; 111 pass_io_flags flags; 112 ccb_flags data_flags; 113 int num_user_segs; 114 bus_dma_segment_t user_segs[PASS_MAX_SEGS]; 115 int num_kern_segs; 116 bus_dma_segment_t kern_segs[PASS_MAX_SEGS]; 117 bus_dma_segment_t *user_segptr; 118 bus_dma_segment_t *kern_segptr; 119 int num_bufs; 120 uint32_t dirs[CAM_PERIPH_MAXMAPS]; 121 uint32_t lengths[CAM_PERIPH_MAXMAPS]; 122 uint8_t *user_bufs[CAM_PERIPH_MAXMAPS]; 123 uint8_t *kern_bufs[CAM_PERIPH_MAXMAPS]; 124 struct bintime start_time; 125 TAILQ_ENTRY(pass_io_req) links; 126}; 127 128struct pass_softc { 129 pass_state state; 130 pass_flags flags; 131 u_int8_t pd_type; 132 union ccb saved_ccb; 133 int open_count; 134 u_int maxio; 135 struct devstat *device_stats; 136 struct cdev *dev; 137 struct cdev *alias_dev; 138 struct task add_physpath_task; 139 struct task shutdown_kqueue_task; 140 struct selinfo read_select; 141 TAILQ_HEAD(, pass_io_req) incoming_queue; 142 TAILQ_HEAD(, pass_io_req) active_queue; 143 TAILQ_HEAD(, pass_io_req) abandoned_queue; 144 TAILQ_HEAD(, pass_io_req) done_queue; 145 struct cam_periph *periph; 146 char zone_name[12]; 147 char io_zone_name[12]; 148 uma_zone_t pass_zone; 149 uma_zone_t pass_io_zone; 150 size_t io_zone_size; 151}; 152 153static d_open_t passopen; 154static d_close_t passclose; 155static d_ioctl_t passioctl; 156static d_ioctl_t passdoioctl; 157static d_poll_t passpoll; 158static d_kqfilter_t passkqfilter; 159static void passreadfiltdetach(struct knote *kn); 160static int passreadfilt(struct knote *kn, long hint); 161 162static periph_init_t passinit; 163static periph_ctor_t passregister; 164static periph_oninv_t passoninvalidate; 165static periph_dtor_t passcleanup; 166static periph_start_t passstart; 167static void pass_shutdown_kqueue(void *context, int pending); 168static void pass_add_physpath(void *context, int pending); 169static void passasync(void *callback_arg, u_int32_t code, 170 struct cam_path *path, void *arg); 171static void passdone(struct cam_periph *periph, 172 union ccb *done_ccb); 173static int passcreatezone(struct cam_periph *periph); 174static void passiocleanup(struct pass_softc *softc, 175 struct pass_io_req *io_req); 176static int passcopysglist(struct cam_periph *periph, 177 struct pass_io_req *io_req, 178 ccb_flags direction); 179static int passmemsetup(struct cam_periph *periph, 180 struct pass_io_req *io_req); 181static int passmemdone(struct cam_periph *periph, 182 struct pass_io_req *io_req); 183static int passerror(union ccb *ccb, u_int32_t cam_flags, 184 u_int32_t sense_flags); 185static int passsendccb(struct cam_periph *periph, union ccb *ccb, 186 union ccb *inccb); 187 188static struct periph_driver passdriver = 189{ 190 passinit, "pass", 191 TAILQ_HEAD_INITIALIZER(passdriver.units), /* generation */ 0 192}; 193 194PERIPHDRIVER_DECLARE(pass, passdriver); 195 196static struct cdevsw pass_cdevsw = { 197 .d_version = D_VERSION, 198 .d_flags = D_TRACKCLOSE, 199 .d_open = passopen, 200 .d_close = passclose, 201 .d_ioctl = passioctl, 202 .d_poll = passpoll, 203 .d_kqfilter = passkqfilter, 204 .d_name = "pass", 205}; 206 207static struct filterops passread_filtops = { 208 .f_isfd = 1, 209 .f_detach = passreadfiltdetach, 210 .f_event = passreadfilt 211}; 212 213static MALLOC_DEFINE(M_SCSIPASS, "scsi_pass", "scsi passthrough buffers"); 214 215static void 216passinit(void) 217{ 218 cam_status status; 219 220 /* 221 * Install a global async callback. This callback will 222 * receive async callbacks like "new device found". 223 */ 224 status = xpt_register_async(AC_FOUND_DEVICE, passasync, NULL, NULL); 225 226 if (status != CAM_REQ_CMP) { 227 printf("pass: Failed to attach master async callback " 228 "due to status 0x%x!\n", status); 229 } 230 231} 232 233static void 234passrejectios(struct cam_periph *periph) 235{ 236 struct pass_io_req *io_req, *io_req2; 237 struct pass_softc *softc; 238 239 softc = (struct pass_softc *)periph->softc; 240 241 /* 242 * The user can no longer get status for I/O on the done queue, so 243 * clean up all outstanding I/O on the done queue. 244 */ 245 TAILQ_FOREACH_SAFE(io_req, &softc->done_queue, links, io_req2) { 246 TAILQ_REMOVE(&softc->done_queue, io_req, links); 247 passiocleanup(softc, io_req); 248 uma_zfree(softc->pass_zone, io_req); 249 } 250 251 /* 252 * The underlying device is gone, so we can't issue these I/Os. 253 * The devfs node has been shut down, so we can't return status to 254 * the user. Free any I/O left on the incoming queue. 255 */ 256 TAILQ_FOREACH_SAFE(io_req, &softc->incoming_queue, links, io_req2) { 257 TAILQ_REMOVE(&softc->incoming_queue, io_req, links); 258 passiocleanup(softc, io_req); 259 uma_zfree(softc->pass_zone, io_req); 260 } 261 262 /* 263 * Normally we would put I/Os on the abandoned queue and acquire a 264 * reference when we saw the final close. But, the device went 265 * away and devfs may have moved everything off to deadfs by the 266 * time the I/O done callback is called; as a result, we won't see 267 * any more closes. So, if we have any active I/Os, we need to put 268 * them on the abandoned queue. When the abandoned queue is empty, 269 * we'll release the remaining reference (see below) to the peripheral. 270 */ 271 TAILQ_FOREACH_SAFE(io_req, &softc->active_queue, links, io_req2) { 272 TAILQ_REMOVE(&softc->active_queue, io_req, links); 273 io_req->flags |= PASS_IO_ABANDONED; 274 TAILQ_INSERT_TAIL(&softc->abandoned_queue, io_req, links); 275 } 276 277 /* 278 * If we put any I/O on the abandoned queue, acquire a reference. 279 */ 280 if ((!TAILQ_EMPTY(&softc->abandoned_queue)) 281 && ((softc->flags & PASS_FLAG_ABANDONED_REF_SET) == 0)) { 282 cam_periph_doacquire(periph); 283 softc->flags |= PASS_FLAG_ABANDONED_REF_SET; 284 } 285} 286 287static void 288passdevgonecb(void *arg) 289{ 290 struct cam_periph *periph; 291 struct mtx *mtx; 292 struct pass_softc *softc; 293 int i; 294 295 periph = (struct cam_periph *)arg; 296 mtx = cam_periph_mtx(periph); 297 mtx_lock(mtx); 298 299 softc = (struct pass_softc *)periph->softc; 300 KASSERT(softc->open_count >= 0, ("Negative open count %d", 301 softc->open_count)); 302 303 /* 304 * When we get this callback, we will get no more close calls from 305 * devfs. So if we have any dangling opens, we need to release the 306 * reference held for that particular context. 307 */ 308 for (i = 0; i < softc->open_count; i++) 309 cam_periph_release_locked(periph); 310 311 softc->open_count = 0; 312 313 /* 314 * Release the reference held for the device node, it is gone now. 315 * Accordingly, inform all queued I/Os of their fate. 316 */ 317 cam_periph_release_locked(periph); 318 passrejectios(periph); 319 320 /* 321 * We reference the SIM lock directly here, instead of using 322 * cam_periph_unlock(). The reason is that the final call to 323 * cam_periph_release_locked() above could result in the periph 324 * getting freed. If that is the case, dereferencing the periph 325 * with a cam_periph_unlock() call would cause a page fault. 326 */ 327 mtx_unlock(mtx); 328 329 /* 330 * We have to remove our kqueue context from a thread because it 331 * may sleep. It would be nice if we could get a callback from 332 * kqueue when it is done cleaning up resources. 333 */ 334 taskqueue_enqueue(taskqueue_thread, &softc->shutdown_kqueue_task); 335} 336 337static void 338passoninvalidate(struct cam_periph *periph) 339{ 340 struct pass_softc *softc; 341 342 softc = (struct pass_softc *)periph->softc; 343 344 /* 345 * De-register any async callbacks. 346 */ 347 xpt_register_async(0, passasync, periph, periph->path); 348 349 softc->flags |= PASS_FLAG_INVALID; 350 351 /* 352 * Tell devfs this device has gone away, and ask for a callback 353 * when it has cleaned up its state. 354 */ 355 destroy_dev_sched_cb(softc->dev, passdevgonecb, periph); 356} 357 358static void 359passcleanup(struct cam_periph *periph) 360{ 361 struct pass_softc *softc; 362 363 softc = (struct pass_softc *)periph->softc; 364 365 cam_periph_assert(periph, MA_OWNED); 366 KASSERT(TAILQ_EMPTY(&softc->active_queue), 367 ("%s called when there are commands on the active queue!\n", 368 __func__)); 369 KASSERT(TAILQ_EMPTY(&softc->abandoned_queue), 370 ("%s called when there are commands on the abandoned queue!\n", 371 __func__)); 372 KASSERT(TAILQ_EMPTY(&softc->incoming_queue), 373 ("%s called when there are commands on the incoming queue!\n", 374 __func__)); 375 KASSERT(TAILQ_EMPTY(&softc->done_queue), 376 ("%s called when there are commands on the done queue!\n", 377 __func__)); 378 379 devstat_remove_entry(softc->device_stats); 380 381 cam_periph_unlock(periph); 382 383 /* 384 * We call taskqueue_drain() for the physpath task to make sure it 385 * is complete. We drop the lock because this can potentially 386 * sleep. XXX KDM that is bad. Need a way to get a callback when 387 * a taskqueue is drained. 388 * 389 * Note that we don't drain the kqueue shutdown task queue. This 390 * is because we hold a reference on the periph for kqueue, and 391 * release that reference from the kqueue shutdown task queue. So 392 * we cannot come into this routine unless we've released that 393 * reference. Also, because that could be the last reference, we 394 * could be called from the cam_periph_release() call in 395 * pass_shutdown_kqueue(). In that case, the taskqueue_drain() 396 * would deadlock. It would be preferable if we had a way to 397 * get a callback when a taskqueue is done. 398 */ 399 taskqueue_drain(taskqueue_thread, &softc->add_physpath_task); 400 401 cam_periph_lock(periph); 402 403 free(softc, M_DEVBUF); 404} 405 406static void 407pass_shutdown_kqueue(void *context, int pending) 408{ 409 struct cam_periph *periph; 410 struct pass_softc *softc; 411 412 periph = context; 413 softc = periph->softc; 414 415 knlist_clear(&softc->read_select.si_note, /*is_locked*/ 0); 416 knlist_destroy(&softc->read_select.si_note); 417 418 /* 419 * Release the reference we held for kqueue. 420 */ 421 cam_periph_release(periph); 422} 423 424static void 425pass_add_physpath(void *context, int pending) 426{ 427 struct cam_periph *periph; 428 struct pass_softc *softc; 429 struct mtx *mtx; 430 char *physpath; 431 432 /* 433 * If we have one, create a devfs alias for our 434 * physical path. 435 */ 436 periph = context; 437 softc = periph->softc; 438 physpath = malloc(MAXPATHLEN, M_DEVBUF, M_WAITOK); 439 mtx = cam_periph_mtx(periph); 440 mtx_lock(mtx); 441 442 if (periph->flags & CAM_PERIPH_INVALID) 443 goto out; 444 445 if (xpt_getattr(physpath, MAXPATHLEN, 446 "GEOM::physpath", periph->path) == 0 447 && strlen(physpath) != 0) { 448 449 mtx_unlock(mtx); 450 make_dev_physpath_alias(MAKEDEV_WAITOK, &softc->alias_dev, 451 softc->dev, softc->alias_dev, physpath); 452 mtx_lock(mtx); 453 } 454 455out: 456 /* 457 * Now that we've made our alias, we no longer have to have a 458 * reference to the device. 459 */ 460 if ((softc->flags & PASS_FLAG_INITIAL_PHYSPATH) == 0) 461 softc->flags |= PASS_FLAG_INITIAL_PHYSPATH; 462 463 /* 464 * We always acquire a reference to the periph before queueing this 465 * task queue function, so it won't go away before we run. 466 */ 467 while (pending-- > 0) 468 cam_periph_release_locked(periph); 469 mtx_unlock(mtx); 470 471 free(physpath, M_DEVBUF); 472} 473 474static void 475passasync(void *callback_arg, u_int32_t code, 476 struct cam_path *path, void *arg) 477{ 478 struct cam_periph *periph; 479 480 periph = (struct cam_periph *)callback_arg; 481 482 switch (code) { 483 case AC_FOUND_DEVICE: 484 { 485 struct ccb_getdev *cgd; 486 cam_status status; 487 488 cgd = (struct ccb_getdev *)arg; 489 if (cgd == NULL) 490 break; 491 492 /* 493 * Allocate a peripheral instance for 494 * this device and start the probe 495 * process. 496 */ 497 status = cam_periph_alloc(passregister, passoninvalidate, 498 passcleanup, passstart, "pass", 499 CAM_PERIPH_BIO, path, 500 passasync, AC_FOUND_DEVICE, cgd); 501 502 if (status != CAM_REQ_CMP 503 && status != CAM_REQ_INPROG) { 504 const struct cam_status_entry *entry; 505 506 entry = cam_fetch_status_entry(status); 507 508 printf("passasync: Unable to attach new device " 509 "due to status %#x: %s\n", status, entry ? 510 entry->status_text : "Unknown"); 511 } 512 513 break; 514 } 515 case AC_ADVINFO_CHANGED: 516 { 517 uintptr_t buftype; 518 519 buftype = (uintptr_t)arg; 520 if (buftype == CDAI_TYPE_PHYS_PATH) { 521 struct pass_softc *softc; 522 cam_status status; 523 524 softc = (struct pass_softc *)periph->softc; 525 /* 526 * Acquire a reference to the periph before we 527 * start the taskqueue, so that we don't run into 528 * a situation where the periph goes away before 529 * the task queue has a chance to run. 530 */ 531 status = cam_periph_acquire(periph); 532 if (status != CAM_REQ_CMP) 533 break; 534 535 taskqueue_enqueue(taskqueue_thread, 536 &softc->add_physpath_task); 537 } 538 break; 539 } 540 default: 541 cam_periph_async(periph, code, path, arg); 542 break; 543 } 544} 545 546static cam_status 547passregister(struct cam_periph *periph, void *arg) 548{ 549 struct pass_softc *softc; 550 struct ccb_getdev *cgd; 551 struct ccb_pathinq cpi; 552 struct make_dev_args args; 553 int error, no_tags; 554 555 cgd = (struct ccb_getdev *)arg; 556 if (cgd == NULL) { 557 printf("%s: no getdev CCB, can't register device\n", __func__); 558 return(CAM_REQ_CMP_ERR); 559 } 560 561 softc = (struct pass_softc *)malloc(sizeof(*softc), 562 M_DEVBUF, M_NOWAIT); 563 564 if (softc == NULL) { 565 printf("%s: Unable to probe new device. " 566 "Unable to allocate softc\n", __func__); 567 return(CAM_REQ_CMP_ERR); 568 } 569 570 bzero(softc, sizeof(*softc)); 571 softc->state = PASS_STATE_NORMAL; 572 if (cgd->protocol == PROTO_SCSI || cgd->protocol == PROTO_ATAPI) 573 softc->pd_type = SID_TYPE(&cgd->inq_data); 574 else if (cgd->protocol == PROTO_SATAPM) 575 softc->pd_type = T_ENCLOSURE; 576 else 577 softc->pd_type = T_DIRECT; 578 579 periph->softc = softc; 580 softc->periph = periph; 581 TAILQ_INIT(&softc->incoming_queue); 582 TAILQ_INIT(&softc->active_queue); 583 TAILQ_INIT(&softc->abandoned_queue); 584 TAILQ_INIT(&softc->done_queue); 585 snprintf(softc->zone_name, sizeof(softc->zone_name), "%s%d", 586 periph->periph_name, periph->unit_number); 587 snprintf(softc->io_zone_name, sizeof(softc->io_zone_name), "%s%dIO", 588 periph->periph_name, periph->unit_number); 589 softc->io_zone_size = MAXPHYS; 590 knlist_init_mtx(&softc->read_select.si_note, cam_periph_mtx(periph)); 591 592 bzero(&cpi, sizeof(cpi)); 593 xpt_setup_ccb(&cpi.ccb_h, periph->path, CAM_PRIORITY_NORMAL); 594 cpi.ccb_h.func_code = XPT_PATH_INQ; 595 xpt_action((union ccb *)&cpi); 596 597 if (cpi.maxio == 0) 598 softc->maxio = DFLTPHYS; /* traditional default */ 599 else if (cpi.maxio > MAXPHYS) 600 softc->maxio = MAXPHYS; /* for safety */ 601 else 602 softc->maxio = cpi.maxio; /* real value */ 603 604 if (cpi.hba_misc & PIM_UNMAPPED) 605 softc->flags |= PASS_FLAG_UNMAPPED_CAPABLE; 606 607 /* 608 * We pass in 0 for a blocksize, since we don't 609 * know what the blocksize of this device is, if 610 * it even has a blocksize. 611 */ 612 cam_periph_unlock(periph); 613 no_tags = (cgd->inq_data.flags & SID_CmdQue) == 0; 614 softc->device_stats = devstat_new_entry("pass", 615 periph->unit_number, 0, 616 DEVSTAT_NO_BLOCKSIZE 617 | (no_tags ? DEVSTAT_NO_ORDERED_TAGS : 0), 618 softc->pd_type | 619 XPORT_DEVSTAT_TYPE(cpi.transport) | 620 DEVSTAT_TYPE_PASS, 621 DEVSTAT_PRIORITY_PASS); 622 623 /* 624 * Initialize the taskqueue handler for shutting down kqueue. 625 */ 626 TASK_INIT(&softc->shutdown_kqueue_task, /*priority*/ 0, 627 pass_shutdown_kqueue, periph); 628 629 /* 630 * Acquire a reference to the periph that we can release once we've 631 * cleaned up the kqueue. 632 */ 633 if (cam_periph_acquire(periph) != CAM_REQ_CMP) { 634 xpt_print(periph->path, "%s: lost periph during " 635 "registration!\n", __func__); 636 cam_periph_lock(periph); 637 return (CAM_REQ_CMP_ERR); 638 } 639 640 /* 641 * Acquire a reference to the periph before we create the devfs 642 * instance for it. We'll release this reference once the devfs 643 * instance has been freed. 644 */ 645 if (cam_periph_acquire(periph) != CAM_REQ_CMP) { 646 xpt_print(periph->path, "%s: lost periph during " 647 "registration!\n", __func__); 648 cam_periph_lock(periph); 649 return (CAM_REQ_CMP_ERR); 650 } 651 652 /* Register the device */ 653 make_dev_args_init(&args); 654 args.mda_devsw = &pass_cdevsw; 655 args.mda_unit = periph->unit_number; 656 args.mda_uid = UID_ROOT; 657 args.mda_gid = GID_OPERATOR; 658 args.mda_mode = 0600; 659 args.mda_si_drv1 = periph; 660 error = make_dev_s(&args, &softc->dev, "%s%d", periph->periph_name, 661 periph->unit_number); 662 if (error != 0) { 663 cam_periph_lock(periph); 664 cam_periph_release_locked(periph); 665 return (CAM_REQ_CMP_ERR); 666 } 667 668 /* 669 * Hold a reference to the periph before we create the physical 670 * path alias so it can't go away. 671 */ 672 if (cam_periph_acquire(periph) != CAM_REQ_CMP) { 673 xpt_print(periph->path, "%s: lost periph during " 674 "registration!\n", __func__); 675 cam_periph_lock(periph); 676 return (CAM_REQ_CMP_ERR); 677 } 678 679 cam_periph_lock(periph); 680 681 TASK_INIT(&softc->add_physpath_task, /*priority*/0, 682 pass_add_physpath, periph); 683 684 /* 685 * See if physical path information is already available. 686 */ 687 taskqueue_enqueue(taskqueue_thread, &softc->add_physpath_task); 688 689 /* 690 * Add an async callback so that we get notified if 691 * this device goes away or its physical path 692 * (stored in the advanced info data of the EDT) has 693 * changed. 694 */ 695 xpt_register_async(AC_LOST_DEVICE | AC_ADVINFO_CHANGED, 696 passasync, periph, periph->path); 697 698 if (bootverbose) 699 xpt_announce_periph(periph, NULL); 700 701 return(CAM_REQ_CMP); 702} 703 704static int 705passopen(struct cdev *dev, int flags, int fmt, struct thread *td) 706{ 707 struct cam_periph *periph; 708 struct pass_softc *softc; 709 int error; 710 711 periph = (struct cam_periph *)dev->si_drv1; 712 if (cam_periph_acquire(periph) != CAM_REQ_CMP) 713 return (ENXIO); 714 715 cam_periph_lock(periph); 716 717 softc = (struct pass_softc *)periph->softc; 718 719 if (softc->flags & PASS_FLAG_INVALID) { 720 cam_periph_release_locked(periph); 721 cam_periph_unlock(periph); 722 return(ENXIO); 723 } 724 725 /* 726 * Don't allow access when we're running at a high securelevel. 727 */ 728 error = securelevel_gt(td->td_ucred, 1); 729 if (error) { 730 cam_periph_release_locked(periph); 731 cam_periph_unlock(periph); 732 return(error); 733 } 734 735 /* 736 * Only allow read-write access. 737 */ 738 if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) { 739 cam_periph_release_locked(periph); 740 cam_periph_unlock(periph); 741 return(EPERM); 742 } 743 744 /* 745 * We don't allow nonblocking access. 746 */ 747 if ((flags & O_NONBLOCK) != 0) { 748 xpt_print(periph->path, "can't do nonblocking access\n"); 749 cam_periph_release_locked(periph); 750 cam_periph_unlock(periph); 751 return(EINVAL); 752 } 753 754 softc->open_count++; 755 756 cam_periph_unlock(periph); 757 758 return (error); 759} 760 761static int 762passclose(struct cdev *dev, int flag, int fmt, struct thread *td) 763{ 764 struct cam_periph *periph; 765 struct pass_softc *softc; 766 struct mtx *mtx; 767 768 periph = (struct cam_periph *)dev->si_drv1; 769 mtx = cam_periph_mtx(periph); 770 mtx_lock(mtx); 771 772 softc = periph->softc; 773 softc->open_count--; 774 775 if (softc->open_count == 0) { 776 struct pass_io_req *io_req, *io_req2; 777 int need_unlock; 778 779 need_unlock = 0; 780 781 TAILQ_FOREACH_SAFE(io_req, &softc->done_queue, links, io_req2) { 782 TAILQ_REMOVE(&softc->done_queue, io_req, links); 783 passiocleanup(softc, io_req); 784 uma_zfree(softc->pass_zone, io_req); 785 } 786 787 TAILQ_FOREACH_SAFE(io_req, &softc->incoming_queue, links, 788 io_req2) { 789 TAILQ_REMOVE(&softc->incoming_queue, io_req, links); 790 passiocleanup(softc, io_req); 791 uma_zfree(softc->pass_zone, io_req); 792 } 793 794 /* 795 * If there are any active I/Os, we need to forcibly acquire a 796 * reference to the peripheral so that we don't go away 797 * before they complete. We'll release the reference when 798 * the abandoned queue is empty. 799 */ 800 io_req = TAILQ_FIRST(&softc->active_queue); 801 if ((io_req != NULL) 802 && (softc->flags & PASS_FLAG_ABANDONED_REF_SET) == 0) { 803 cam_periph_doacquire(periph); 804 softc->flags |= PASS_FLAG_ABANDONED_REF_SET; 805 } 806 807 /* 808 * Since the I/O in the active queue is not under our 809 * control, just set a flag so that we can clean it up when 810 * it completes and put it on the abandoned queue. This 811 * will prevent our sending spurious completions in the 812 * event that the device is opened again before these I/Os 813 * complete. 814 */ 815 TAILQ_FOREACH_SAFE(io_req, &softc->active_queue, links, 816 io_req2) { 817 TAILQ_REMOVE(&softc->active_queue, io_req, links); 818 io_req->flags |= PASS_IO_ABANDONED; 819 TAILQ_INSERT_TAIL(&softc->abandoned_queue, io_req, 820 links); 821 } 822 } 823 824 cam_periph_release_locked(periph); 825 826 /* 827 * We reference the lock directly here, instead of using 828 * cam_periph_unlock(). The reason is that the call to 829 * cam_periph_release_locked() above could result in the periph 830 * getting freed. If that is the case, dereferencing the periph 831 * with a cam_periph_unlock() call would cause a page fault. 832 * 833 * cam_periph_release() avoids this problem using the same method, 834 * but we're manually acquiring and dropping the lock here to 835 * protect the open count and avoid another lock acquisition and 836 * release. 837 */ 838 mtx_unlock(mtx); 839 840 return (0); 841} 842 843 844static void 845passstart(struct cam_periph *periph, union ccb *start_ccb) 846{ 847 struct pass_softc *softc; 848 849 softc = (struct pass_softc *)periph->softc; 850 851 switch (softc->state) { 852 case PASS_STATE_NORMAL: { 853 struct pass_io_req *io_req; 854 855 /* 856 * Check for any queued I/O requests that require an 857 * allocated slot. 858 */ 859 io_req = TAILQ_FIRST(&softc->incoming_queue); 860 if (io_req == NULL) { 861 xpt_release_ccb(start_ccb); 862 break; 863 } 864 TAILQ_REMOVE(&softc->incoming_queue, io_req, links); 865 TAILQ_INSERT_TAIL(&softc->active_queue, io_req, links); 866 /* 867 * Merge the user's CCB into the allocated CCB. 868 */ 869 xpt_merge_ccb(start_ccb, &io_req->ccb); 870 start_ccb->ccb_h.ccb_type = PASS_CCB_QUEUED_IO; 871 start_ccb->ccb_h.ccb_ioreq = io_req; 872 start_ccb->ccb_h.cbfcnp = passdone; 873 io_req->alloced_ccb = start_ccb; 874 binuptime(&io_req->start_time); 875 devstat_start_transaction(softc->device_stats, 876 &io_req->start_time); 877 878 xpt_action(start_ccb); 879 880 /* 881 * If we have any more I/O waiting, schedule ourselves again. 882 */ 883 if (!TAILQ_EMPTY(&softc->incoming_queue)) 884 xpt_schedule(periph, CAM_PRIORITY_NORMAL); 885 break; 886 } 887 default: 888 break; 889 } 890} 891 892static void 893passdone(struct cam_periph *periph, union ccb *done_ccb) 894{ 895 struct pass_softc *softc; 896 struct ccb_scsiio *csio; 897 898 softc = (struct pass_softc *)periph->softc; 899 900 cam_periph_assert(periph, MA_OWNED); 901 902 csio = &done_ccb->csio; 903 switch (csio->ccb_h.ccb_type) { 904 case PASS_CCB_QUEUED_IO: { 905 struct pass_io_req *io_req; 906 907 io_req = done_ccb->ccb_h.ccb_ioreq; 908#if 0 909 xpt_print(periph->path, "%s: called for user CCB %p\n", 910 __func__, io_req->user_ccb_ptr); 911#endif 912 if (((done_ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) 913 && (done_ccb->ccb_h.flags & CAM_PASS_ERR_RECOVER) 914 && ((io_req->flags & PASS_IO_ABANDONED) == 0)) { 915 int error; 916 917 error = passerror(done_ccb, CAM_RETRY_SELTO, 918 SF_RETRY_UA | SF_NO_PRINT); 919 920 if (error == ERESTART) { 921 /* 922 * A retry was scheduled, so 923 * just return. 924 */ 925 return; 926 } 927 } 928 929 /* 930 * Copy the allocated CCB contents back to the malloced CCB 931 * so we can give status back to the user when he requests it. 932 */ 933 bcopy(done_ccb, &io_req->ccb, sizeof(*done_ccb)); 934 935 /* 936 * Log data/transaction completion with devstat(9). 937 */ 938 switch (done_ccb->ccb_h.func_code) { 939 case XPT_SCSI_IO: 940 devstat_end_transaction(softc->device_stats, 941 done_ccb->csio.dxfer_len - done_ccb->csio.resid, 942 done_ccb->csio.tag_action & 0x3, 943 ((done_ccb->ccb_h.flags & CAM_DIR_MASK) == 944 CAM_DIR_NONE) ? DEVSTAT_NO_DATA : 945 (done_ccb->ccb_h.flags & CAM_DIR_OUT) ? 946 DEVSTAT_WRITE : DEVSTAT_READ, NULL, 947 &io_req->start_time); 948 break; 949 case XPT_ATA_IO: 950 devstat_end_transaction(softc->device_stats, 951 done_ccb->ataio.dxfer_len - done_ccb->ataio.resid, 952 done_ccb->ataio.tag_action & 0x3, 953 ((done_ccb->ccb_h.flags & CAM_DIR_MASK) == 954 CAM_DIR_NONE) ? DEVSTAT_NO_DATA : 955 (done_ccb->ccb_h.flags & CAM_DIR_OUT) ? 956 DEVSTAT_WRITE : DEVSTAT_READ, NULL, 957 &io_req->start_time); 958 break; 959 case XPT_SMP_IO: 960 /* 961 * XXX KDM this isn't quite right, but there isn't 962 * currently an easy way to represent a bidirectional 963 * transfer in devstat. The only way to do it 964 * and have the byte counts come out right would 965 * mean that we would have to record two 966 * transactions, one for the request and one for the 967 * response. For now, so that we report something, 968 * just treat the entire thing as a read. 969 */ 970 devstat_end_transaction(softc->device_stats, 971 done_ccb->smpio.smp_request_len + 972 done_ccb->smpio.smp_response_len, 973 DEVSTAT_TAG_SIMPLE, DEVSTAT_READ, NULL, 974 &io_req->start_time); 975 break; 976 default: 977 devstat_end_transaction(softc->device_stats, 0, 978 DEVSTAT_TAG_NONE, DEVSTAT_NO_DATA, NULL, 979 &io_req->start_time); 980 break; 981 } 982 983 /* 984 * In the normal case, take the completed I/O off of the 985 * active queue and put it on the done queue. Notitfy the 986 * user that we have a completed I/O. 987 */ 988 if ((io_req->flags & PASS_IO_ABANDONED) == 0) { 989 TAILQ_REMOVE(&softc->active_queue, io_req, links); 990 TAILQ_INSERT_TAIL(&softc->done_queue, io_req, links); 991 selwakeuppri(&softc->read_select, PRIBIO); 992 KNOTE_LOCKED(&softc->read_select.si_note, 0); 993 } else { 994 /* 995 * In the case of an abandoned I/O (final close 996 * without fetching the I/O), take it off of the 997 * abandoned queue and free it. 998 */ 999 TAILQ_REMOVE(&softc->abandoned_queue, io_req, links); 1000 passiocleanup(softc, io_req); 1001 uma_zfree(softc->pass_zone, io_req); 1002 1003 /* 1004 * Release the done_ccb here, since we may wind up 1005 * freeing the peripheral when we decrement the 1006 * reference count below. 1007 */ 1008 xpt_release_ccb(done_ccb); 1009 1010 /* 1011 * If the abandoned queue is empty, we can release 1012 * our reference to the periph since we won't have 1013 * any more completions coming. 1014 */ 1015 if ((TAILQ_EMPTY(&softc->abandoned_queue)) 1016 && (softc->flags & PASS_FLAG_ABANDONED_REF_SET)) { 1017 softc->flags &= ~PASS_FLAG_ABANDONED_REF_SET; 1018 cam_periph_release_locked(periph); 1019 } 1020 1021 /* 1022 * We have already released the CCB, so we can 1023 * return. 1024 */ 1025 return; 1026 } 1027 break; 1028 } 1029 } 1030 xpt_release_ccb(done_ccb); 1031} 1032 1033static int 1034passcreatezone(struct cam_periph *periph) 1035{ 1036 struct pass_softc *softc; 1037 int error; 1038 1039 error = 0; 1040 softc = (struct pass_softc *)periph->softc; 1041 1042 cam_periph_assert(periph, MA_OWNED); 1043 KASSERT(((softc->flags & PASS_FLAG_ZONE_VALID) == 0), 1044 ("%s called when the pass(4) zone is valid!\n", __func__)); 1045 KASSERT((softc->pass_zone == NULL), 1046 ("%s called when the pass(4) zone is allocated!\n", __func__)); 1047 1048 if ((softc->flags & PASS_FLAG_ZONE_INPROG) == 0) { 1049 1050 /* 1051 * We're the first context through, so we need to create 1052 * the pass(4) UMA zone for I/O requests. 1053 */ 1054 softc->flags |= PASS_FLAG_ZONE_INPROG; 1055 1056 /* 1057 * uma_zcreate() does a blocking (M_WAITOK) allocation, 1058 * so we cannot hold a mutex while we call it. 1059 */ 1060 cam_periph_unlock(periph); 1061 1062 softc->pass_zone = uma_zcreate(softc->zone_name, 1063 sizeof(struct pass_io_req), NULL, NULL, NULL, NULL, 1064 /*align*/ 0, /*flags*/ 0); 1065 1066 softc->pass_io_zone = uma_zcreate(softc->io_zone_name, 1067 softc->io_zone_size, NULL, NULL, NULL, NULL, 1068 /*align*/ 0, /*flags*/ 0); 1069 1070 cam_periph_lock(periph); 1071 1072 if ((softc->pass_zone == NULL) 1073 || (softc->pass_io_zone == NULL)) { 1074 if (softc->pass_zone == NULL) 1075 xpt_print(periph->path, "unable to allocate " 1076 "IO Req UMA zone\n"); 1077 else 1078 xpt_print(periph->path, "unable to allocate " 1079 "IO UMA zone\n"); 1080 softc->flags &= ~PASS_FLAG_ZONE_INPROG; 1081 goto bailout; 1082 } 1083 1084 /* 1085 * Set the flags appropriately and notify any other waiters. 1086 */ 1087 softc->flags &= PASS_FLAG_ZONE_INPROG; 1088 softc->flags |= PASS_FLAG_ZONE_VALID; 1089 wakeup(&softc->pass_zone); 1090 } else { 1091 /* 1092 * In this case, the UMA zone has not yet been created, but 1093 * another context is in the process of creating it. We 1094 * need to sleep until the creation is either done or has 1095 * failed. 1096 */ 1097 while ((softc->flags & PASS_FLAG_ZONE_INPROG) 1098 && ((softc->flags & PASS_FLAG_ZONE_VALID) == 0)) { 1099 error = msleep(&softc->pass_zone, 1100 cam_periph_mtx(periph), PRIBIO, 1101 "paszon", 0); 1102 if (error != 0) 1103 goto bailout; 1104 } 1105 /* 1106 * If the zone creation failed, no luck for the user. 1107 */ 1108 if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0){ 1109 error = ENOMEM; 1110 goto bailout; 1111 } 1112 } 1113bailout: 1114 return (error); 1115} 1116 1117static void 1118passiocleanup(struct pass_softc *softc, struct pass_io_req *io_req) 1119{ 1120 union ccb *ccb; 1121 u_int8_t **data_ptrs[CAM_PERIPH_MAXMAPS]; 1122 int i, numbufs; 1123 1124 ccb = &io_req->ccb; 1125 1126 switch (ccb->ccb_h.func_code) { 1127 case XPT_DEV_MATCH: 1128 numbufs = min(io_req->num_bufs, 2); 1129 1130 if (numbufs == 1) { 1131 data_ptrs[0] = (u_int8_t **)&ccb->cdm.matches; 1132 } else { 1133 data_ptrs[0] = (u_int8_t **)&ccb->cdm.patterns; 1134 data_ptrs[1] = (u_int8_t **)&ccb->cdm.matches; 1135 } 1136 break; 1137 case XPT_SCSI_IO: 1138 case XPT_CONT_TARGET_IO: 1139 data_ptrs[0] = &ccb->csio.data_ptr; 1140 numbufs = min(io_req->num_bufs, 1); 1141 break; 1142 case XPT_ATA_IO: 1143 data_ptrs[0] = &ccb->ataio.data_ptr; 1144 numbufs = min(io_req->num_bufs, 1); 1145 break; 1146 case XPT_SMP_IO: 1147 numbufs = min(io_req->num_bufs, 2); 1148 data_ptrs[0] = &ccb->smpio.smp_request; 1149 data_ptrs[1] = &ccb->smpio.smp_response; 1150 break; 1151 case XPT_DEV_ADVINFO: 1152 numbufs = min(io_req->num_bufs, 1); 1153 data_ptrs[0] = (uint8_t **)&ccb->cdai.buf; 1154 break; 1155 default: 1156 /* allow ourselves to be swapped once again */ 1157 return; 1158 break; /* NOTREACHED */ 1159 } 1160 1161 if (io_req->flags & PASS_IO_USER_SEG_MALLOC) { 1162 free(io_req->user_segptr, M_SCSIPASS); 1163 io_req->user_segptr = NULL; 1164 } 1165 1166 /* 1167 * We only want to free memory we malloced. 1168 */ 1169 if (io_req->data_flags == CAM_DATA_VADDR) { 1170 for (i = 0; i < io_req->num_bufs; i++) { 1171 if (io_req->kern_bufs[i] == NULL) 1172 continue; 1173 1174 free(io_req->kern_bufs[i], M_SCSIPASS); 1175 io_req->kern_bufs[i] = NULL; 1176 } 1177 } else if (io_req->data_flags == CAM_DATA_SG) { 1178 for (i = 0; i < io_req->num_kern_segs; i++) { 1179 if ((uint8_t *)(uintptr_t) 1180 io_req->kern_segptr[i].ds_addr == NULL) 1181 continue; 1182 1183 uma_zfree(softc->pass_io_zone, (uint8_t *)(uintptr_t) 1184 io_req->kern_segptr[i].ds_addr); 1185 io_req->kern_segptr[i].ds_addr = 0; 1186 } 1187 } 1188 1189 if (io_req->flags & PASS_IO_KERN_SEG_MALLOC) { 1190 free(io_req->kern_segptr, M_SCSIPASS); 1191 io_req->kern_segptr = NULL; 1192 } 1193 1194 if (io_req->data_flags != CAM_DATA_PADDR) { 1195 for (i = 0; i < numbufs; i++) { 1196 /* 1197 * Restore the user's buffer pointers to their 1198 * previous values. 1199 */ 1200 if (io_req->user_bufs[i] != NULL) 1201 *data_ptrs[i] = io_req->user_bufs[i]; 1202 } 1203 } 1204 1205} 1206 1207static int 1208passcopysglist(struct cam_periph *periph, struct pass_io_req *io_req, 1209 ccb_flags direction) 1210{ 1211 bus_size_t kern_watermark, user_watermark, len_copied, len_to_copy; 1212 bus_dma_segment_t *user_sglist, *kern_sglist; 1213 int i, j, error; 1214 1215 error = 0; 1216 kern_watermark = 0; 1217 user_watermark = 0; 1218 len_to_copy = 0; 1219 len_copied = 0; 1220 user_sglist = io_req->user_segptr; 1221 kern_sglist = io_req->kern_segptr; 1222 1223 for (i = 0, j = 0; i < io_req->num_user_segs && 1224 j < io_req->num_kern_segs;) { 1225 uint8_t *user_ptr, *kern_ptr; 1226 1227 len_to_copy = min(user_sglist[i].ds_len -user_watermark, 1228 kern_sglist[j].ds_len - kern_watermark); 1229 1230 user_ptr = (uint8_t *)(uintptr_t)user_sglist[i].ds_addr; 1231 user_ptr = user_ptr + user_watermark; 1232 kern_ptr = (uint8_t *)(uintptr_t)kern_sglist[j].ds_addr; 1233 kern_ptr = kern_ptr + kern_watermark; 1234 1235 user_watermark += len_to_copy; 1236 kern_watermark += len_to_copy; 1237 1238 if (!useracc(user_ptr, len_to_copy, 1239 (direction == CAM_DIR_IN) ? VM_PROT_WRITE : VM_PROT_READ)) { 1240 xpt_print(periph->path, "%s: unable to access user " 1241 "S/G list element %p len %zu\n", __func__, 1242 user_ptr, len_to_copy); 1243 error = EFAULT; 1244 goto bailout; 1245 } 1246 1247 if (direction == CAM_DIR_IN) { 1248 error = copyout(kern_ptr, user_ptr, len_to_copy); 1249 if (error != 0) { 1250 xpt_print(periph->path, "%s: copyout of %u " 1251 "bytes from %p to %p failed with " 1252 "error %d\n", __func__, len_to_copy, 1253 kern_ptr, user_ptr, error); 1254 goto bailout; 1255 } 1256 } else { 1257 error = copyin(user_ptr, kern_ptr, len_to_copy); 1258 if (error != 0) { 1259 xpt_print(periph->path, "%s: copyin of %u " 1260 "bytes from %p to %p failed with " 1261 "error %d\n", __func__, len_to_copy, 1262 user_ptr, kern_ptr, error); 1263 goto bailout; 1264 } 1265 } 1266 1267 len_copied += len_to_copy; 1268 1269 if (user_sglist[i].ds_len == user_watermark) { 1270 i++; 1271 user_watermark = 0; 1272 } 1273 1274 if (kern_sglist[j].ds_len == kern_watermark) { 1275 j++; 1276 kern_watermark = 0; 1277 } 1278 } 1279 1280bailout: 1281 1282 return (error); 1283} 1284 1285static int 1286passmemsetup(struct cam_periph *periph, struct pass_io_req *io_req) 1287{ 1288 union ccb *ccb; 1289 struct pass_softc *softc; 1290 int numbufs, i; 1291 uint8_t **data_ptrs[CAM_PERIPH_MAXMAPS]; 1292 uint32_t lengths[CAM_PERIPH_MAXMAPS]; 1293 uint32_t dirs[CAM_PERIPH_MAXMAPS]; 1294 uint32_t num_segs; 1295 uint16_t *seg_cnt_ptr; 1296 size_t maxmap; 1297 int error; 1298 1299 cam_periph_assert(periph, MA_NOTOWNED); 1300 1301 softc = periph->softc; 1302 1303 error = 0; 1304 ccb = &io_req->ccb; 1305 maxmap = 0; 1306 num_segs = 0; 1307 seg_cnt_ptr = NULL; 1308 1309 switch(ccb->ccb_h.func_code) { 1310 case XPT_DEV_MATCH: 1311 if (ccb->cdm.match_buf_len == 0) { 1312 printf("%s: invalid match buffer length 0\n", __func__); 1313 return(EINVAL); 1314 } 1315 if (ccb->cdm.pattern_buf_len > 0) { 1316 data_ptrs[0] = (u_int8_t **)&ccb->cdm.patterns; 1317 lengths[0] = ccb->cdm.pattern_buf_len; 1318 dirs[0] = CAM_DIR_OUT; 1319 data_ptrs[1] = (u_int8_t **)&ccb->cdm.matches; 1320 lengths[1] = ccb->cdm.match_buf_len; 1321 dirs[1] = CAM_DIR_IN; 1322 numbufs = 2; 1323 } else { 1324 data_ptrs[0] = (u_int8_t **)&ccb->cdm.matches; 1325 lengths[0] = ccb->cdm.match_buf_len; 1326 dirs[0] = CAM_DIR_IN; 1327 numbufs = 1; 1328 } 1329 io_req->data_flags = CAM_DATA_VADDR; 1330 break; 1331 case XPT_SCSI_IO: 1332 case XPT_CONT_TARGET_IO: 1333 if ((ccb->ccb_h.flags & CAM_DIR_MASK) == CAM_DIR_NONE) 1334 return(0); 1335 1336 /* 1337 * The user shouldn't be able to supply a bio. 1338 */ 1339 if ((ccb->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_BIO) 1340 return (EINVAL); 1341 1342 io_req->data_flags = ccb->ccb_h.flags & CAM_DATA_MASK; 1343 1344 data_ptrs[0] = &ccb->csio.data_ptr; 1345 lengths[0] = ccb->csio.dxfer_len; 1346 dirs[0] = ccb->ccb_h.flags & CAM_DIR_MASK; 1347 num_segs = ccb->csio.sglist_cnt; 1348 seg_cnt_ptr = &ccb->csio.sglist_cnt; 1349 numbufs = 1; 1350 maxmap = softc->maxio; 1351 break; 1352 case XPT_ATA_IO: 1353 if ((ccb->ccb_h.flags & CAM_DIR_MASK) == CAM_DIR_NONE) 1354 return(0); 1355 1356 /* 1357 * We only support a single virtual address for ATA I/O. 1358 */ 1359 if ((ccb->ccb_h.flags & CAM_DATA_MASK) != CAM_DATA_VADDR) 1360 return (EINVAL); 1361 1362 io_req->data_flags = CAM_DATA_VADDR; 1363 1364 data_ptrs[0] = &ccb->ataio.data_ptr; 1365 lengths[0] = ccb->ataio.dxfer_len; 1366 dirs[0] = ccb->ccb_h.flags & CAM_DIR_MASK; 1367 numbufs = 1; 1368 maxmap = softc->maxio; 1369 break; 1370 case XPT_SMP_IO: 1371 io_req->data_flags = CAM_DATA_VADDR; 1372 1373 data_ptrs[0] = &ccb->smpio.smp_request; 1374 lengths[0] = ccb->smpio.smp_request_len; 1375 dirs[0] = CAM_DIR_OUT; 1376 data_ptrs[1] = &ccb->smpio.smp_response; 1377 lengths[1] = ccb->smpio.smp_response_len; 1378 dirs[1] = CAM_DIR_IN; 1379 numbufs = 2; 1380 maxmap = softc->maxio; 1381 break; 1382 case XPT_DEV_ADVINFO: 1383 if (ccb->cdai.bufsiz == 0) 1384 return (0); 1385 1386 io_req->data_flags = CAM_DATA_VADDR; 1387 1388 data_ptrs[0] = (uint8_t **)&ccb->cdai.buf; 1389 lengths[0] = ccb->cdai.bufsiz; 1390 dirs[0] = CAM_DIR_IN; 1391 numbufs = 1; 1392 break; 1393 default: 1394 return(EINVAL); 1395 break; /* NOTREACHED */ 1396 } 1397 1398 io_req->num_bufs = numbufs; 1399 1400 /* 1401 * If there is a maximum, check to make sure that the user's 1402 * request fits within the limit. In general, we should only have 1403 * a maximum length for requests that go to hardware. Otherwise it 1404 * is whatever we're able to malloc. 1405 */ 1406 for (i = 0; i < numbufs; i++) { 1407 io_req->user_bufs[i] = *data_ptrs[i]; 1408 io_req->dirs[i] = dirs[i]; 1409 io_req->lengths[i] = lengths[i]; 1410 1411 if (maxmap == 0) 1412 continue; 1413 1414 if (lengths[i] <= maxmap) 1415 continue; 1416 1417 xpt_print(periph->path, "%s: data length %u > max allowed %u " 1418 "bytes\n", __func__, lengths[i], maxmap); 1419 error = EINVAL; 1420 goto bailout; 1421 } 1422 1423 switch (io_req->data_flags) { 1424 case CAM_DATA_VADDR: 1425 /* Map or copy the buffer into kernel address space */ 1426 for (i = 0; i < numbufs; i++) { 1427 uint8_t *tmp_buf; 1428 1429 /* 1430 * If for some reason no length is specified, we 1431 * don't need to allocate anything. 1432 */ 1433 if (io_req->lengths[i] == 0) 1434 continue; 1435 1436 /* 1437 * Make sure that the user's buffer is accessible 1438 * to that process. 1439 */ 1440 if (!useracc(io_req->user_bufs[i], io_req->lengths[i], 1441 (io_req->dirs[i] == CAM_DIR_IN) ? VM_PROT_WRITE : 1442 VM_PROT_READ)) { 1443 xpt_print(periph->path, "%s: user address %p " 1444 "length %u is not accessible\n", __func__, 1445 io_req->user_bufs[i], io_req->lengths[i]); 1446 error = EFAULT; 1447 goto bailout; 1448 } 1449 1450 tmp_buf = malloc(lengths[i], M_SCSIPASS, 1451 M_WAITOK | M_ZERO); 1452 io_req->kern_bufs[i] = tmp_buf; 1453 *data_ptrs[i] = tmp_buf; 1454 1455#if 0 1456 xpt_print(periph->path, "%s: malloced %p len %u, user " 1457 "buffer %p, operation: %s\n", __func__, 1458 tmp_buf, lengths[i], io_req->user_bufs[i], 1459 (dirs[i] == CAM_DIR_IN) ? "read" : "write"); 1460#endif 1461 /* 1462 * We only need to copy in if the user is writing. 1463 */ 1464 if (dirs[i] != CAM_DIR_OUT) 1465 continue; 1466 1467 error = copyin(io_req->user_bufs[i], 1468 io_req->kern_bufs[i], lengths[i]); 1469 if (error != 0) { 1470 xpt_print(periph->path, "%s: copy of user " 1471 "buffer from %p to %p failed with " 1472 "error %d\n", __func__, 1473 io_req->user_bufs[i], 1474 io_req->kern_bufs[i], error); 1475 goto bailout; 1476 } 1477 } 1478 break; 1479 case CAM_DATA_PADDR: 1480 /* Pass down the pointer as-is */ 1481 break; 1482 case CAM_DATA_SG: { 1483 size_t sg_length, size_to_go, alloc_size; 1484 uint32_t num_segs_needed; 1485 1486 /* 1487 * Copy the user S/G list in, and then copy in the 1488 * individual segments. 1489 */ 1490 /* 1491 * We shouldn't see this, but check just in case. 1492 */ 1493 if (numbufs != 1) { 1494 xpt_print(periph->path, "%s: cannot currently handle " 1495 "more than one S/G list per CCB\n", __func__); 1496 error = EINVAL; 1497 goto bailout; 1498 } 1499 1500 /* 1501 * We have to have at least one segment. 1502 */ 1503 if (num_segs == 0) { 1504 xpt_print(periph->path, "%s: CAM_DATA_SG flag set, " 1505 "but sglist_cnt=0!\n", __func__); 1506 error = EINVAL; 1507 goto bailout; 1508 } 1509 1510 /* 1511 * Make sure the user specified the total length and didn't 1512 * just leave it to us to decode the S/G list. 1513 */ 1514 if (lengths[0] == 0) { 1515 xpt_print(periph->path, "%s: no dxfer_len specified, " 1516 "but CAM_DATA_SG flag is set!\n", __func__); 1517 error = EINVAL; 1518 goto bailout; 1519 } 1520 1521 /* 1522 * We allocate buffers in io_zone_size increments for an 1523 * S/G list. This will generally be MAXPHYS. 1524 */ 1525 if (lengths[0] <= softc->io_zone_size) 1526 num_segs_needed = 1; 1527 else { 1528 num_segs_needed = lengths[0] / softc->io_zone_size; 1529 if ((lengths[0] % softc->io_zone_size) != 0) 1530 num_segs_needed++; 1531 } 1532 1533 /* Figure out the size of the S/G list */ 1534 sg_length = num_segs * sizeof(bus_dma_segment_t); 1535 io_req->num_user_segs = num_segs; 1536 io_req->num_kern_segs = num_segs_needed; 1537 1538 /* Save the user's S/G list pointer for later restoration */ 1539 io_req->user_bufs[0] = *data_ptrs[0]; 1540 1541 /* 1542 * If we have enough segments allocated by default to handle 1543 * the length of the user's S/G list, 1544 */ 1545 if (num_segs > PASS_MAX_SEGS) { 1546 io_req->user_segptr = malloc(sizeof(bus_dma_segment_t) * 1547 num_segs, M_SCSIPASS, M_WAITOK | M_ZERO); 1548 io_req->flags |= PASS_IO_USER_SEG_MALLOC; 1549 } else 1550 io_req->user_segptr = io_req->user_segs; 1551 1552 if (!useracc(*data_ptrs[0], sg_length, VM_PROT_READ)) { 1553 xpt_print(periph->path, "%s: unable to access user " 1554 "S/G list at %p\n", __func__, *data_ptrs[0]); 1555 error = EFAULT; 1556 goto bailout; 1557 } 1558 1559 error = copyin(*data_ptrs[0], io_req->user_segptr, sg_length); 1560 if (error != 0) { 1561 xpt_print(periph->path, "%s: copy of user S/G list " 1562 "from %p to %p failed with error %d\n", 1563 __func__, *data_ptrs[0], io_req->user_segptr, 1564 error); 1565 goto bailout; 1566 } 1567 1568 if (num_segs_needed > PASS_MAX_SEGS) { 1569 io_req->kern_segptr = malloc(sizeof(bus_dma_segment_t) * 1570 num_segs_needed, M_SCSIPASS, M_WAITOK | M_ZERO); 1571 io_req->flags |= PASS_IO_KERN_SEG_MALLOC; 1572 } else { 1573 io_req->kern_segptr = io_req->kern_segs; 1574 } 1575 1576 /* 1577 * Allocate the kernel S/G list. 1578 */ 1579 for (size_to_go = lengths[0], i = 0; 1580 size_to_go > 0 && i < num_segs_needed; 1581 i++, size_to_go -= alloc_size) { 1582 uint8_t *kern_ptr; 1583 1584 alloc_size = min(size_to_go, softc->io_zone_size); 1585 kern_ptr = uma_zalloc(softc->pass_io_zone, M_WAITOK); 1586 io_req->kern_segptr[i].ds_addr = 1587 (bus_addr_t)(uintptr_t)kern_ptr; 1588 io_req->kern_segptr[i].ds_len = alloc_size; 1589 } 1590 if (size_to_go > 0) { 1591 printf("%s: size_to_go = %zu, software error!\n", 1592 __func__, size_to_go); 1593 error = EINVAL; 1594 goto bailout; 1595 } 1596 1597 *data_ptrs[0] = (uint8_t *)io_req->kern_segptr; 1598 *seg_cnt_ptr = io_req->num_kern_segs; 1599 1600 /* 1601 * We only need to copy data here if the user is writing. 1602 */ 1603 if (dirs[0] == CAM_DIR_OUT) 1604 error = passcopysglist(periph, io_req, dirs[0]); 1605 break; 1606 } 1607 case CAM_DATA_SG_PADDR: { 1608 size_t sg_length; 1609 1610 /* 1611 * We shouldn't see this, but check just in case. 1612 */ 1613 if (numbufs != 1) { 1614 printf("%s: cannot currently handle more than one " 1615 "S/G list per CCB\n", __func__); 1616 error = EINVAL; 1617 goto bailout; 1618 } 1619 1620 /* 1621 * We have to have at least one segment. 1622 */ 1623 if (num_segs == 0) { 1624 xpt_print(periph->path, "%s: CAM_DATA_SG_PADDR flag " 1625 "set, but sglist_cnt=0!\n", __func__); 1626 error = EINVAL; 1627 goto bailout; 1628 } 1629 1630 /* 1631 * Make sure the user specified the total length and didn't 1632 * just leave it to us to decode the S/G list. 1633 */ 1634 if (lengths[0] == 0) { 1635 xpt_print(periph->path, "%s: no dxfer_len specified, " 1636 "but CAM_DATA_SG flag is set!\n", __func__); 1637 error = EINVAL; 1638 goto bailout; 1639 } 1640 1641 /* Figure out the size of the S/G list */ 1642 sg_length = num_segs * sizeof(bus_dma_segment_t); 1643 io_req->num_user_segs = num_segs; 1644 io_req->num_kern_segs = io_req->num_user_segs; 1645 1646 /* Save the user's S/G list pointer for later restoration */ 1647 io_req->user_bufs[0] = *data_ptrs[0]; 1648 1649 if (num_segs > PASS_MAX_SEGS) { 1650 io_req->user_segptr = malloc(sizeof(bus_dma_segment_t) * 1651 num_segs, M_SCSIPASS, M_WAITOK | M_ZERO); 1652 io_req->flags |= PASS_IO_USER_SEG_MALLOC; 1653 } else 1654 io_req->user_segptr = io_req->user_segs; 1655 1656 io_req->kern_segptr = io_req->user_segptr; 1657 1658 error = copyin(*data_ptrs[0], io_req->user_segptr, sg_length); 1659 if (error != 0) { 1660 xpt_print(periph->path, "%s: copy of user S/G list " 1661 "from %p to %p failed with error %d\n", 1662 __func__, *data_ptrs[0], io_req->user_segptr, 1663 error); 1664 goto bailout; 1665 } 1666 break; 1667 } 1668 default: 1669 case CAM_DATA_BIO: 1670 /* 1671 * A user shouldn't be attaching a bio to the CCB. It 1672 * isn't a user-accessible structure. 1673 */ 1674 error = EINVAL; 1675 break; 1676 } 1677 1678bailout: 1679 if (error != 0) 1680 passiocleanup(softc, io_req); 1681 1682 return (error); 1683} 1684 1685static int 1686passmemdone(struct cam_periph *periph, struct pass_io_req *io_req) 1687{ 1688 struct pass_softc *softc; 1689 union ccb *ccb; 1690 int error; 1691 int i; 1692 1693 error = 0; 1694 softc = (struct pass_softc *)periph->softc; 1695 ccb = &io_req->ccb; 1696 1697 switch (io_req->data_flags) { 1698 case CAM_DATA_VADDR: 1699 /* 1700 * Copy back to the user buffer if this was a read. 1701 */ 1702 for (i = 0; i < io_req->num_bufs; i++) { 1703 if (io_req->dirs[i] != CAM_DIR_IN) 1704 continue; 1705 1706 error = copyout(io_req->kern_bufs[i], 1707 io_req->user_bufs[i], io_req->lengths[i]); 1708 if (error != 0) { 1709 xpt_print(periph->path, "Unable to copy %u " 1710 "bytes from %p to user address %p\n", 1711 io_req->lengths[i], 1712 io_req->kern_bufs[i], 1713 io_req->user_bufs[i]); 1714 goto bailout; 1715 } 1716 1717 } 1718 break; 1719 case CAM_DATA_PADDR: 1720 /* Do nothing. The pointer is a physical address already */ 1721 break; 1722 case CAM_DATA_SG: 1723 /* 1724 * Copy back to the user buffer if this was a read. 1725 * Restore the user's S/G list buffer pointer. 1726 */ 1727 if (io_req->dirs[0] == CAM_DIR_IN) 1728 error = passcopysglist(periph, io_req, io_req->dirs[0]); 1729 break; 1730 case CAM_DATA_SG_PADDR: 1731 /* 1732 * Restore the user's S/G list buffer pointer. No need to 1733 * copy. 1734 */ 1735 break; 1736 default: 1737 case CAM_DATA_BIO: 1738 error = EINVAL; 1739 break; 1740 } 1741 1742bailout: 1743 /* 1744 * Reset the user's pointers to their original values and free 1745 * allocated memory. 1746 */ 1747 passiocleanup(softc, io_req); 1748 1749 return (error); 1750} 1751 1752static int 1753passioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td) 1754{ 1755 int error; 1756 1757 if ((error = passdoioctl(dev, cmd, addr, flag, td)) == ENOTTY) { 1758 error = cam_compat_ioctl(dev, cmd, addr, flag, td, passdoioctl); 1759 } 1760 return (error); 1761} 1762 1763static int 1764passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td) 1765{ 1766 struct cam_periph *periph; 1767 struct pass_softc *softc; 1768 int error; 1769 uint32_t priority; 1770 1771 periph = (struct cam_periph *)dev->si_drv1; 1772 cam_periph_lock(periph); 1773 softc = (struct pass_softc *)periph->softc; 1774 1775 error = 0; 1776 1777 switch (cmd) { 1778 1779 case CAMIOCOMMAND: 1780 { 1781 union ccb *inccb; 1782 union ccb *ccb; 1783 int ccb_malloced; 1784 1785 inccb = (union ccb *)addr; 1786 1787 /* 1788 * Some CCB types, like scan bus and scan lun can only go 1789 * through the transport layer device. 1790 */ 1791 if (inccb->ccb_h.func_code & XPT_FC_XPT_ONLY) { 1792 xpt_print(periph->path, "CCB function code %#x is " 1793 "restricted to the XPT device\n", 1794 inccb->ccb_h.func_code); 1795 error = ENODEV; 1796 break; 1797 } 1798 1799 /* Compatibility for RL/priority-unaware code. */ 1800 priority = inccb->ccb_h.pinfo.priority; 1801 if (priority <= CAM_PRIORITY_OOB) 1802 priority += CAM_PRIORITY_OOB + 1; 1803 1804 /* 1805 * Non-immediate CCBs need a CCB from the per-device pool 1806 * of CCBs, which is scheduled by the transport layer. 1807 * Immediate CCBs and user-supplied CCBs should just be 1808 * malloced. 1809 */ 1810 if ((inccb->ccb_h.func_code & XPT_FC_QUEUED) 1811 && ((inccb->ccb_h.func_code & XPT_FC_USER_CCB) == 0)) { 1812 ccb = cam_periph_getccb(periph, priority); 1813 ccb_malloced = 0; 1814 } else { 1815 ccb = xpt_alloc_ccb_nowait(); 1816 1817 if (ccb != NULL) 1818 xpt_setup_ccb(&ccb->ccb_h, periph->path, 1819 priority); 1820 ccb_malloced = 1; 1821 } 1822 1823 if (ccb == NULL) { 1824 xpt_print(periph->path, "unable to allocate CCB\n"); 1825 error = ENOMEM; 1826 break; 1827 } 1828 1829 error = passsendccb(periph, ccb, inccb); 1830 1831 if (ccb_malloced) 1832 xpt_free_ccb(ccb); 1833 else 1834 xpt_release_ccb(ccb); 1835 1836 break; 1837 } 1838 case CAMIOQUEUE: 1839 { 1840 struct pass_io_req *io_req; 1841 union ccb **user_ccb, *ccb; 1842 xpt_opcode fc; 1843 1844#ifdef COMPAT_FREEBSD32 1845 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { 1846 error = ENOTTY; 1847 goto bailout; 1848 } 1849#endif 1850 if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0) { 1851 error = passcreatezone(periph); 1852 if (error != 0) 1853 goto bailout; 1854 } 1855 1856 /* 1857 * We're going to do a blocking allocation for this I/O 1858 * request, so we have to drop the lock. 1859 */ 1860 cam_periph_unlock(periph); 1861 1862 io_req = uma_zalloc(softc->pass_zone, M_WAITOK | M_ZERO); 1863 ccb = &io_req->ccb; 1864 user_ccb = (union ccb **)addr; 1865 1866 /* 1867 * Unlike the CAMIOCOMMAND ioctl above, we only have a 1868 * pointer to the user's CCB, so we have to copy the whole 1869 * thing in to a buffer we have allocated (above) instead 1870 * of allowing the ioctl code to malloc a buffer and copy 1871 * it in. 1872 * 1873 * This is an advantage for this asynchronous interface, 1874 * since we don't want the memory to get freed while the 1875 * CCB is outstanding. 1876 */ 1877#if 0 1878 xpt_print(periph->path, "Copying user CCB %p to " 1879 "kernel address %p\n", *user_ccb, ccb); 1880#endif 1881 error = copyin(*user_ccb, ccb, sizeof(*ccb)); 1882 if (error != 0) { 1883 xpt_print(periph->path, "Copy of user CCB %p to " 1884 "kernel address %p failed with error %d\n", 1885 *user_ccb, ccb, error); 1886 uma_zfree(softc->pass_zone, io_req); 1887 cam_periph_lock(periph); 1888 break; 1889 } 1890 1891 if (ccb->ccb_h.flags & CAM_CDB_POINTER) { 1892 if (ccb->csio.cdb_len > IOCDBLEN) { 1893 error = EINVAL; 1894 break; 1895 } 1896 error = copyin(ccb->csio.cdb_io.cdb_ptr, 1897 ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len); 1898 if (error) 1899 break; 1900 ccb->ccb_h.flags &= ~CAM_CDB_POINTER; 1901 } 1902 1903 /* 1904 * Some CCB types, like scan bus and scan lun can only go 1905 * through the transport layer device. 1906 */ 1907 if (ccb->ccb_h.func_code & XPT_FC_XPT_ONLY) { 1908 xpt_print(periph->path, "CCB function code %#x is " 1909 "restricted to the XPT device\n", 1910 ccb->ccb_h.func_code); 1911 uma_zfree(softc->pass_zone, io_req); 1912 cam_periph_lock(periph); 1913 error = ENODEV; 1914 break; 1915 } 1916 1917 /* 1918 * Save the user's CCB pointer as well as his linked list 1919 * pointers and peripheral private area so that we can 1920 * restore these later. 1921 */ 1922 io_req->user_ccb_ptr = *user_ccb; 1923 io_req->user_periph_links = ccb->ccb_h.periph_links; 1924 io_req->user_periph_priv = ccb->ccb_h.periph_priv; 1925 1926 /* 1927 * Now that we've saved the user's values, we can set our 1928 * own peripheral private entry. 1929 */ 1930 ccb->ccb_h.ccb_ioreq = io_req; 1931 1932 /* Compatibility for RL/priority-unaware code. */ 1933 priority = ccb->ccb_h.pinfo.priority; 1934 if (priority <= CAM_PRIORITY_OOB) 1935 priority += CAM_PRIORITY_OOB + 1; 1936 1937 /* 1938 * Setup fields in the CCB like the path and the priority. 1939 * The path in particular cannot be done in userland, since 1940 * it is a pointer to a kernel data structure. 1941 */ 1942 xpt_setup_ccb_flags(&ccb->ccb_h, periph->path, priority, 1943 ccb->ccb_h.flags); 1944 1945 /* 1946 * Setup our done routine. There is no way for the user to 1947 * have a valid pointer here. 1948 */ 1949 ccb->ccb_h.cbfcnp = passdone; 1950 1951 fc = ccb->ccb_h.func_code; 1952 /* 1953 * If this function code has memory that can be mapped in 1954 * or out, we need to call passmemsetup(). 1955 */ 1956 if ((fc == XPT_SCSI_IO) || (fc == XPT_ATA_IO) 1957 || (fc == XPT_SMP_IO) || (fc == XPT_DEV_MATCH) 1958 || (fc == XPT_DEV_ADVINFO)) { 1959 error = passmemsetup(periph, io_req); 1960 if (error != 0) { 1961 uma_zfree(softc->pass_zone, io_req); 1962 cam_periph_lock(periph); 1963 break; 1964 } 1965 } else 1966 io_req->mapinfo.num_bufs_used = 0; 1967 1968 cam_periph_lock(periph); 1969 1970 /* 1971 * Everything goes on the incoming queue initially. 1972 */ 1973 TAILQ_INSERT_TAIL(&softc->incoming_queue, io_req, links); 1974 1975 /* 1976 * If the CCB is queued, and is not a user CCB, then 1977 * we need to allocate a slot for it. Call xpt_schedule() 1978 * so that our start routine will get called when a CCB is 1979 * available. 1980 */ 1981 if ((fc & XPT_FC_QUEUED) 1982 && ((fc & XPT_FC_USER_CCB) == 0)) { 1983 xpt_schedule(periph, priority); 1984 break; 1985 } 1986 1987 /* 1988 * At this point, the CCB in question is either an 1989 * immediate CCB (like XPT_DEV_ADVINFO) or it is a user CCB 1990 * and therefore should be malloced, not allocated via a slot. 1991 * Remove the CCB from the incoming queue and add it to the 1992 * active queue. 1993 */ 1994 TAILQ_REMOVE(&softc->incoming_queue, io_req, links); 1995 TAILQ_INSERT_TAIL(&softc->active_queue, io_req, links); 1996 1997 xpt_action(ccb); 1998 1999 /* 2000 * If this is not a queued CCB (i.e. it is an immediate CCB), 2001 * then it is already done. We need to put it on the done 2002 * queue for the user to fetch. 2003 */ 2004 if ((fc & XPT_FC_QUEUED) == 0) { 2005 TAILQ_REMOVE(&softc->active_queue, io_req, links); 2006 TAILQ_INSERT_TAIL(&softc->done_queue, io_req, links); 2007 } 2008 break; 2009 } 2010 case CAMIOGET: 2011 { 2012 union ccb **user_ccb; 2013 struct pass_io_req *io_req; 2014 int old_error; 2015 2016#ifdef COMPAT_FREEBSD32 2017 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { 2018 error = ENOTTY; 2019 goto bailout; 2020 } 2021#endif 2022 user_ccb = (union ccb **)addr; 2023 old_error = 0; 2024 2025 io_req = TAILQ_FIRST(&softc->done_queue); 2026 if (io_req == NULL) { 2027 error = ENOENT; 2028 break; 2029 } 2030 2031 /* 2032 * Remove the I/O from the done queue. 2033 */ 2034 TAILQ_REMOVE(&softc->done_queue, io_req, links); 2035 2036 /* 2037 * We have to drop the lock during the copyout because the 2038 * copyout can result in VM faults that require sleeping. 2039 */ 2040 cam_periph_unlock(periph); 2041 2042 /* 2043 * Do any needed copies (e.g. for reads) and revert the 2044 * pointers in the CCB back to the user's pointers. 2045 */ 2046 error = passmemdone(periph, io_req); 2047 2048 old_error = error; 2049 2050 io_req->ccb.ccb_h.periph_links = io_req->user_periph_links; 2051 io_req->ccb.ccb_h.periph_priv = io_req->user_periph_priv; 2052 2053#if 0 2054 xpt_print(periph->path, "Copying to user CCB %p from " 2055 "kernel address %p\n", *user_ccb, &io_req->ccb); 2056#endif 2057 2058 error = copyout(&io_req->ccb, *user_ccb, sizeof(union ccb)); 2059 if (error != 0) { 2060 xpt_print(periph->path, "Copy to user CCB %p from " 2061 "kernel address %p failed with error %d\n", 2062 *user_ccb, &io_req->ccb, error); 2063 } 2064 2065 /* 2066 * Prefer the first error we got back, and make sure we 2067 * don't overwrite bad status with good. 2068 */ 2069 if (old_error != 0) 2070 error = old_error; 2071 2072 cam_periph_lock(periph); 2073 2074 /* 2075 * At this point, if there was an error, we could potentially 2076 * re-queue the I/O and try again. But why? The error 2077 * would almost certainly happen again. We might as well 2078 * not leak memory. 2079 */ 2080 uma_zfree(softc->pass_zone, io_req); 2081 break; 2082 } 2083 default: 2084 error = cam_periph_ioctl(periph, cmd, addr, passerror); 2085 break; 2086 } 2087 2088bailout: 2089 cam_periph_unlock(periph); 2090 2091 return(error); 2092} 2093 2094static int 2095passpoll(struct cdev *dev, int poll_events, struct thread *td) 2096{ 2097 struct cam_periph *periph; 2098 struct pass_softc *softc; 2099 int revents; 2100 2101 periph = (struct cam_periph *)dev->si_drv1; 2102 softc = (struct pass_softc *)periph->softc; 2103 2104 revents = poll_events & (POLLOUT | POLLWRNORM); 2105 if ((poll_events & (POLLIN | POLLRDNORM)) != 0) { 2106 cam_periph_lock(periph); 2107 2108 if (!TAILQ_EMPTY(&softc->done_queue)) { 2109 revents |= poll_events & (POLLIN | POLLRDNORM); 2110 } 2111 cam_periph_unlock(periph); 2112 if (revents == 0) 2113 selrecord(td, &softc->read_select); 2114 } 2115 2116 return (revents); 2117} 2118 2119static int 2120passkqfilter(struct cdev *dev, struct knote *kn) 2121{ 2122 struct cam_periph *periph; 2123 struct pass_softc *softc; 2124 2125 periph = (struct cam_periph *)dev->si_drv1; 2126 softc = (struct pass_softc *)periph->softc; 2127 2128 kn->kn_hook = (caddr_t)periph; 2129 kn->kn_fop = &passread_filtops; 2130 knlist_add(&softc->read_select.si_note, kn, 0); 2131 2132 return (0); 2133} 2134 2135static void 2136passreadfiltdetach(struct knote *kn) 2137{ 2138 struct cam_periph *periph; 2139 struct pass_softc *softc; 2140 2141 periph = (struct cam_periph *)kn->kn_hook; 2142 softc = (struct pass_softc *)periph->softc; 2143 2144 knlist_remove(&softc->read_select.si_note, kn, 0); 2145} 2146 2147static int 2148passreadfilt(struct knote *kn, long hint) 2149{ 2150 struct cam_periph *periph; 2151 struct pass_softc *softc; 2152 int retval; 2153 2154 periph = (struct cam_periph *)kn->kn_hook; 2155 softc = (struct pass_softc *)periph->softc; 2156 2157 cam_periph_assert(periph, MA_OWNED); 2158 2159 if (TAILQ_EMPTY(&softc->done_queue)) 2160 retval = 0; 2161 else 2162 retval = 1; 2163 2164 return (retval); 2165} 2166 2167/* 2168 * Generally, "ccb" should be the CCB supplied by the kernel. "inccb" 2169 * should be the CCB that is copied in from the user. 2170 */ 2171static int 2172passsendccb(struct cam_periph *periph, union ccb *ccb, union ccb *inccb) 2173{ 2174 struct pass_softc *softc; 2175 struct cam_periph_map_info mapinfo; 2176 uint8_t *cmd; 2177 xpt_opcode fc; 2178 int error; 2179 2180 softc = (struct pass_softc *)periph->softc; 2181 2182 /* 2183 * There are some fields in the CCB header that need to be 2184 * preserved, the rest we get from the user. 2185 */ 2186 xpt_merge_ccb(ccb, inccb); 2187 2188 if (ccb->ccb_h.flags & CAM_CDB_POINTER) { 2189 cmd = __builtin_alloca(ccb->csio.cdb_len); 2190 error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd, ccb->csio.cdb_len); 2191 if (error) 2192 return (error); 2193 ccb->csio.cdb_io.cdb_ptr = cmd; 2194 } 2195 2196 /* 2197 */ 2198 ccb->ccb_h.cbfcnp = passdone; 2199 2200 /* 2201 * Let cam_periph_mapmem do a sanity check on the data pointer format. 2202 * Even if no data transfer is needed, it's a cheap check and it 2203 * simplifies the code. 2204 */ 2205 fc = ccb->ccb_h.func_code; 2206 if ((fc == XPT_SCSI_IO) || (fc == XPT_ATA_IO) || (fc == XPT_SMP_IO) 2207 || (fc == XPT_DEV_MATCH) || (fc == XPT_DEV_ADVINFO)) { 2208 bzero(&mapinfo, sizeof(mapinfo)); 2209 2210 /* 2211 * cam_periph_mapmem calls into proc and vm functions that can 2212 * sleep as well as trigger I/O, so we can't hold the lock. 2213 * Dropping it here is reasonably safe. 2214 */ 2215 cam_periph_unlock(periph); 2216 error = cam_periph_mapmem(ccb, &mapinfo, softc->maxio); 2217 cam_periph_lock(periph); 2218 2219 /* 2220 * cam_periph_mapmem returned an error, we can't continue. 2221 * Return the error to the user. 2222 */ 2223 if (error) 2224 return(error); 2225 } else 2226 /* Ensure that the unmap call later on is a no-op. */ 2227 mapinfo.num_bufs_used = 0; 2228 2229 /* 2230 * If the user wants us to perform any error recovery, then honor 2231 * that request. Otherwise, it's up to the user to perform any 2232 * error recovery. 2233 */ 2234 cam_periph_runccb(ccb, (ccb->ccb_h.flags & CAM_PASS_ERR_RECOVER) ? 2235 passerror : NULL, /* cam_flags */ CAM_RETRY_SELTO, 2236 /* sense_flags */ SF_RETRY_UA | SF_NO_PRINT, 2237 softc->device_stats); 2238 2239 cam_periph_unmapmem(ccb, &mapinfo); 2240 2241 ccb->ccb_h.cbfcnp = NULL; 2242 ccb->ccb_h.periph_priv = inccb->ccb_h.periph_priv; 2243 bcopy(ccb, inccb, sizeof(union ccb)); 2244 2245 return(0); 2246} 2247 2248static int 2249passerror(union ccb *ccb, u_int32_t cam_flags, u_int32_t sense_flags) 2250{ 2251 struct cam_periph *periph; 2252 struct pass_softc *softc; 2253 2254 periph = xpt_path_periph(ccb->ccb_h.path); 2255 softc = (struct pass_softc *)periph->softc; 2256 2257 return(cam_periph_error(ccb, cam_flags, sense_flags, 2258 &softc->saved_ccb)); 2259} 2260