From owner-svn-src-head@freebsd.org  Mon Apr 13 21:04:34 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9767A2A9302;
 Mon, 13 Apr 2020 21:04:34 +0000 (UTC) (envelope-from imp@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 491Lhy3bH9z4CcM;
 Mon, 13 Apr 2020 21:04:34 +0000 (UTC) (envelope-from imp@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7463521B90;
 Mon, 13 Apr 2020 21:04:34 +0000 (UTC) (envelope-from imp@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 03DL4YhF066771;
 Mon, 13 Apr 2020 21:04:34 GMT (envelope-from imp@FreeBSD.org)
Received: (from imp@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 03DL4Yir066770;
 Mon, 13 Apr 2020 21:04:34 GMT (envelope-from imp@FreeBSD.org)
Message-Id: <202004132104.03DL4Yir066770@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: imp set sender to imp@FreeBSD.org
 using -f
From: Warner Losh <imp@FreeBSD.org>
Date: Mon, 13 Apr 2020 21:04:34 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r359902 - head/sys/cam/scsi
X-SVN-Group: head
X-SVN-Commit-Author: imp
X-SVN-Commit-Paths: head/sys/cam/scsi
X-SVN-Commit-Revision: 359902
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 21:04:34 -0000

Author: imp
Date: Mon Apr 13 21:04:33 2020
New Revision: 359902
URL: https://svnweb.freebsd.org/changeset/base/359902

Log:
  Checks here against useracc are not useful and are racy.
  
  copyin/copyout are sufficient to guard against bad addresses. They will return
  EFAULT if the user is up to no good (by choice or ignorance). There's no point
  in checking, since it doesn't even improve the error messages.
  
  Noticed by: jhb
  Reviewed by: brooks, jhb

Modified:
  head/sys/cam/scsi/scsi_pass.c

Modified: head/sys/cam/scsi/scsi_pass.c
==============================================================================
--- head/sys/cam/scsi/scsi_pass.c	Mon Apr 13 21:03:30 2020	(r359901)
+++ head/sys/cam/scsi/scsi_pass.c	Mon Apr 13 21:04:33 2020	(r359902)
@@ -1232,15 +1232,6 @@ passcopysglist(struct cam_periph *periph, struct pass_
 		user_watermark += len_to_copy;
 		kern_watermark += len_to_copy;
 
-		if (!useracc(user_ptr, len_to_copy,
-		    (direction == CAM_DIR_IN) ? VM_PROT_WRITE : VM_PROT_READ)) {
-			xpt_print(periph->path, "%s: unable to access user "
-				  "S/G list element %p len %zu\n", __func__,
-				  user_ptr, len_to_copy);
-			error = EFAULT;
-			goto bailout;
-		}
-
 		if (direction == CAM_DIR_IN) {
 			error = copyout(kern_ptr, user_ptr, len_to_copy);
 			if (error != 0) {
@@ -1445,20 +1436,6 @@ passmemsetup(struct cam_periph *periph, struct pass_io
 			if (io_req->lengths[i] == 0)
 				continue;
 
-			/*
-			 * Make sure that the user's buffer is accessible
-			 * to that process.
-			 */
-			if (!useracc(io_req->user_bufs[i], io_req->lengths[i],
-			    (io_req->dirs[i] == CAM_DIR_IN) ? VM_PROT_WRITE :
-			     VM_PROT_READ)) {
-				xpt_print(periph->path, "%s: user address %p "
-				    "length %u is not accessible\n", __func__,
-				    io_req->user_bufs[i], io_req->lengths[i]);
-				error = EFAULT;
-				goto bailout;
-			}
-
 			tmp_buf = malloc(lengths[i], M_SCSIPASS,
 					 M_WAITOK | M_ZERO);
 			io_req->kern_bufs[i] = tmp_buf;
@@ -1560,13 +1537,6 @@ passmemsetup(struct cam_periph *periph, struct pass_io
 			io_req->flags |= PASS_IO_USER_SEG_MALLOC;
 		} else
 			io_req->user_segptr = io_req->user_segs;
-
-		if (!useracc(*data_ptrs[0], sg_length, VM_PROT_READ)) {
-			xpt_print(periph->path, "%s: unable to access user "
-				  "S/G list at %p\n", __func__, *data_ptrs[0]);
-			error = EFAULT;
-			goto bailout;
-		}
 
 		error = copyin(*data_ptrs[0], io_req->user_segptr, sg_length);
 		if (error != 0) {