From owner-svn-src-stable-11@freebsd.org Mon Dec 12 21:02:35 2016 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3FA35C73603; Mon, 12 Dec 2016 21:02:35 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1A39F1852; Mon, 12 Dec 2016 21:02:35 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBCL2YhU033286; Mon, 12 Dec 2016 21:02:34 GMT (envelope-from ken@FreeBSD.org) Received: (from ken@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBCL2Yof033285; Mon, 12 Dec 2016 21:02:34 GMT (envelope-from ken@FreeBSD.org) Message-Id: <201612122102.uBCL2Yof033285@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ken set sender to ken@FreeBSD.org using -f From: "Kenneth D. Merry" Date: Mon, 12 Dec 2016 21:02:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r309943 - stable/11/sbin/camcontrol X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Dec 2016 21:02:35 -0000 Author: ken Date: Mon Dec 12 21:02:34 2016 New Revision: 309943 URL: https://svnweb.freebsd.org/changeset/base/309943 Log: MFC r307684, r307747 ------------------------------------------------------------------------ r307684 | ken | 2016-10-20 13:42:26 -0600 (Thu, 20 Oct 2016) | 13 lines For CCBs allocated on the stack, we need to clear the entire CCB, not just the header. Otherwise stack garbage can lead to random flags getting set. This showed up as 'camcontrol rescan all' failing with EINVAL because the address type wasn't CAM_DATA_VADDR. sbin/camcontrol/camcontrol.c: In rescan_or_reset_bus(), bzero the stack-allocated CCBs before use instead of clearing the body. Sponsored by: Spectra Logic ------------------------------------------------------------------------ r307747 | ken | 2016-10-21 12:54:56 -0600 (Fri, 21 Oct 2016) | 27 lines Fix a problem in camcontrol(8) that cropped up with r307684. In r307684, I changed rescan_or_reset_bus() to bzero stack-allocated CCBs before sending them to the kernel because there was stack garbage in there that wound up meaning that bogus CCB flags were set. While this fixed the 'camcontrol rescan all' case (XPT_DEV_MATCH CCBs were failing previously), it broke the 'camcontrol rescan 0' (or any other number) case when INVARIANTS are turned on. Rescanning a single bus reliably produced an assert in cam_periph_runccb(): panic: cam_periph_runccb: ccb=0xfffff80044ffe000, func_code=0x708, flags=0xffffdde0 The flags values don't make sense from the code. Changing the CCBs in rescan_or_reset_bus() from stack to heap allocated avoids the problem. It would be better to understand why userland stack allocated CCBs don't work properly, since there may be other code that breaks if stack allocated CCBs don't work. sbin/camcontrol/camcontrol.c: In rescan_or_reset_bus(), allocate the CCBs using malloc(3) instead of on the stack to avoid an assertion in cam_periph_runccb(). Sponsored by: Spectra Logic ------------------------------------------------------------------------ Sponsored by: Spectra Logic Modified: stable/11/sbin/camcontrol/camcontrol.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/camcontrol/camcontrol.c ============================================================================== --- stable/11/sbin/camcontrol/camcontrol.c Mon Dec 12 21:01:20 2016 (r309942) +++ stable/11/sbin/camcontrol/camcontrol.c Mon Dec 12 21:02:34 2016 (r309943) @@ -3127,8 +3127,8 @@ dorescan_or_reset(int argc, char **argv, static int rescan_or_reset_bus(path_id_t bus, int rescan) { - union ccb ccb, matchccb; - int fd, retval; + union ccb *ccb = NULL, *matchccb = NULL; + int fd = -1, retval; int bufsize; retval = 0; @@ -3139,35 +3139,41 @@ rescan_or_reset_bus(path_id_t bus, int r return(1); } + ccb = malloc(sizeof(*ccb)); + if (ccb == NULL) { + warn("failed to allocate CCB"); + retval = 1; + goto bailout; + } + bzero(ccb, sizeof(*ccb)); + if (bus != CAM_BUS_WILDCARD) { - ccb.ccb_h.func_code = rescan ? XPT_SCAN_BUS : XPT_RESET_BUS; - ccb.ccb_h.path_id = bus; - ccb.ccb_h.target_id = CAM_TARGET_WILDCARD; - ccb.ccb_h.target_lun = CAM_LUN_WILDCARD; - ccb.crcn.flags = CAM_FLAG_NONE; + ccb->ccb_h.func_code = rescan ? XPT_SCAN_BUS : XPT_RESET_BUS; + ccb->ccb_h.path_id = bus; + ccb->ccb_h.target_id = CAM_TARGET_WILDCARD; + ccb->ccb_h.target_lun = CAM_LUN_WILDCARD; + ccb->crcn.flags = CAM_FLAG_NONE; /* run this at a low priority */ - ccb.ccb_h.pinfo.priority = 5; + ccb->ccb_h.pinfo.priority = 5; - if (ioctl(fd, CAMIOCOMMAND, &ccb) == -1) { + if (ioctl(fd, CAMIOCOMMAND, ccb) == -1) { warn("CAMIOCOMMAND ioctl failed"); - close(fd); - return(1); + retval = 1; + goto bailout; } - if ((ccb.ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) { + if ((ccb->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) { fprintf(stdout, "%s of bus %d was successful\n", rescan ? "Re-scan" : "Reset", bus); } else { fprintf(stdout, "%s of bus %d returned error %#x\n", rescan ? "Re-scan" : "Reset", bus, - ccb.ccb_h.status & CAM_STATUS_MASK); + ccb->ccb_h.status & CAM_STATUS_MASK); retval = 1; } - close(fd); - return(retval); - + goto bailout; } @@ -3181,58 +3187,64 @@ rescan_or_reset_bus(path_id_t bus, int r * no-op, sending a rescan to the xpt bus would result in a status of * CAM_REQ_INVALID. */ - CCB_CLEAR_ALL_EXCEPT_HDR(&matchccb.cdm); - matchccb.ccb_h.func_code = XPT_DEV_MATCH; - matchccb.ccb_h.path_id = CAM_BUS_WILDCARD; + matchccb = malloc(sizeof(*matchccb)); + if (matchccb == NULL) { + warn("failed to allocate CCB"); + retval = 1; + goto bailout; + } + bzero(matchccb, sizeof(*matchccb)); + matchccb->ccb_h.func_code = XPT_DEV_MATCH; + matchccb->ccb_h.path_id = CAM_BUS_WILDCARD; bufsize = sizeof(struct dev_match_result) * 20; - matchccb.cdm.match_buf_len = bufsize; - matchccb.cdm.matches=(struct dev_match_result *)malloc(bufsize); - if (matchccb.cdm.matches == NULL) { + matchccb->cdm.match_buf_len = bufsize; + matchccb->cdm.matches=(struct dev_match_result *)malloc(bufsize); + if (matchccb->cdm.matches == NULL) { warnx("can't malloc memory for matches"); retval = 1; goto bailout; } - matchccb.cdm.num_matches = 0; + matchccb->cdm.num_matches = 0; - matchccb.cdm.num_patterns = 1; - matchccb.cdm.pattern_buf_len = sizeof(struct dev_match_pattern); + matchccb->cdm.num_patterns = 1; + matchccb->cdm.pattern_buf_len = sizeof(struct dev_match_pattern); - matchccb.cdm.patterns = (struct dev_match_pattern *)malloc( - matchccb.cdm.pattern_buf_len); - if (matchccb.cdm.patterns == NULL) { + matchccb->cdm.patterns = (struct dev_match_pattern *)malloc( + matchccb->cdm.pattern_buf_len); + if (matchccb->cdm.patterns == NULL) { warnx("can't malloc memory for patterns"); retval = 1; goto bailout; } - matchccb.cdm.patterns[0].type = DEV_MATCH_BUS; - matchccb.cdm.patterns[0].pattern.bus_pattern.flags = BUS_MATCH_ANY; + matchccb->cdm.patterns[0].type = DEV_MATCH_BUS; + matchccb->cdm.patterns[0].pattern.bus_pattern.flags = BUS_MATCH_ANY; do { unsigned int i; - if (ioctl(fd, CAMIOCOMMAND, &matchccb) == -1) { + if (ioctl(fd, CAMIOCOMMAND, matchccb) == -1) { warn("CAMIOCOMMAND ioctl failed"); retval = 1; goto bailout; } - if ((matchccb.ccb_h.status != CAM_REQ_CMP) - || ((matchccb.cdm.status != CAM_DEV_MATCH_LAST) - && (matchccb.cdm.status != CAM_DEV_MATCH_MORE))) { + if ((matchccb->ccb_h.status != CAM_REQ_CMP) + || ((matchccb->cdm.status != CAM_DEV_MATCH_LAST) + && (matchccb->cdm.status != CAM_DEV_MATCH_MORE))) { warnx("got CAM error %#x, CDM error %d\n", - matchccb.ccb_h.status, matchccb.cdm.status); + matchccb->ccb_h.status, matchccb->cdm.status); retval = 1; goto bailout; } - for (i = 0; i < matchccb.cdm.num_matches; i++) { + for (i = 0; i < matchccb->cdm.num_matches; i++) { struct bus_match_result *bus_result; /* This shouldn't happen. */ - if (matchccb.cdm.matches[i].type != DEV_MATCH_BUS) + if (matchccb->cdm.matches[i].type != DEV_MATCH_BUS) continue; - bus_result = &matchccb.cdm.matches[i].result.bus_result; + bus_result =&matchccb->cdm.matches[i].result.bus_result; /* * We don't want to rescan or reset the xpt bus. @@ -3241,23 +3253,23 @@ rescan_or_reset_bus(path_id_t bus, int r if (bus_result->path_id == CAM_XPT_PATH_ID) continue; - ccb.ccb_h.func_code = rescan ? XPT_SCAN_BUS : + ccb->ccb_h.func_code = rescan ? XPT_SCAN_BUS : XPT_RESET_BUS; - ccb.ccb_h.path_id = bus_result->path_id; - ccb.ccb_h.target_id = CAM_TARGET_WILDCARD; - ccb.ccb_h.target_lun = CAM_LUN_WILDCARD; - ccb.crcn.flags = CAM_FLAG_NONE; + ccb->ccb_h.path_id = bus_result->path_id; + ccb->ccb_h.target_id = CAM_TARGET_WILDCARD; + ccb->ccb_h.target_lun = CAM_LUN_WILDCARD; + ccb->crcn.flags = CAM_FLAG_NONE; /* run this at a low priority */ - ccb.ccb_h.pinfo.priority = 5; + ccb->ccb_h.pinfo.priority = 5; - if (ioctl(fd, CAMIOCOMMAND, &ccb) == -1) { + if (ioctl(fd, CAMIOCOMMAND, ccb) == -1) { warn("CAMIOCOMMAND ioctl failed"); retval = 1; goto bailout; } - if ((ccb.ccb_h.status & CAM_STATUS_MASK) ==CAM_REQ_CMP){ + if ((ccb->ccb_h.status & CAM_STATUS_MASK)==CAM_REQ_CMP){ fprintf(stdout, "%s of bus %d was successful\n", rescan? "Re-scan" : "Reset", bus_result->path_id); @@ -3270,22 +3282,24 @@ rescan_or_reset_bus(path_id_t bus, int r fprintf(stderr, "%s of bus %d returned error " "%#x\n", rescan? "Re-scan" : "Reset", bus_result->path_id, - ccb.ccb_h.status & CAM_STATUS_MASK); + ccb->ccb_h.status & CAM_STATUS_MASK); retval = 1; } } - } while ((matchccb.ccb_h.status == CAM_REQ_CMP) - && (matchccb.cdm.status == CAM_DEV_MATCH_MORE)); + } while ((matchccb->ccb_h.status == CAM_REQ_CMP) + && (matchccb->cdm.status == CAM_DEV_MATCH_MORE)); bailout: if (fd != -1) close(fd); - if (matchccb.cdm.patterns != NULL) - free(matchccb.cdm.patterns); - if (matchccb.cdm.matches != NULL) - free(matchccb.cdm.matches); + if (matchccb != NULL) { + free(matchccb->cdm.patterns); + free(matchccb->cdm.matches); + free(matchccb); + } + free(ccb); return(retval); }