Date: Fri, 25 Sep 2020 21:19:56 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366175 - head/sys/cam/scsi Message-ID: <202009252119.08PLJujm010572@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Fri Sep 25 21:19:56 2020 New Revision: 366175 URL: https://svnweb.freebsd.org/changeset/base/366175 Log: Revert most of r360179. I had failed to notice that sgsendccb() was using cam_periph_mapmem() and thus was not passing down user pointers directly to drivers. In practice this broke requests submitted from userland. PR: 249395 Reported by: Trenton Schulz <trueos@norwegianrockcat.com> Reviewed by: scottl MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26550 Modified: head/sys/cam/scsi/scsi_sg.c Modified: head/sys/cam/scsi/scsi_sg.c ============================================================================== --- head/sys/cam/scsi/scsi_sg.c Fri Sep 25 21:18:43 2020 (r366174) +++ head/sys/cam/scsi/scsi_sg.c Fri Sep 25 21:19:56 2020 (r366175) @@ -507,7 +507,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int struct cam_periph *periph; struct sg_softc *softc; struct sg_io_hdr *req; - void *data_ptr; int dir, error; periph = (struct cam_periph *)dev->si_drv1; @@ -552,20 +551,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int break; } - if (req->dxfer_len > MAXPHYS) { - error = EINVAL; - break; - } - - data_ptr = malloc(req->dxfer_len, M_DEVBUF, M_WAITOK); - ccb = cam_periph_getccb(periph, CAM_PRIORITY_NORMAL); csio = &ccb->csio; error = copyin(req->cmdp, &csio->cdb_io.cdb_bytes, req->cmd_len); if (error) { - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break; } @@ -586,21 +577,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int break; } - if (dir == CAM_DIR_IN || dir == CAM_DIR_BOTH) { - error = copyin(req->dxferp, data_ptr, req->dxfer_len); - if (error) { - free(data_ptr, M_DEVBUF); - xpt_release_ccb(ccb); - break; - } - } - cam_fill_csio(csio, /*retries*/1, /*cbfcnp*/NULL, dir|CAM_DEV_QFRZDIS, MSG_SIMPLE_Q_TAG, - data_ptr, + req->dxferp, req->dxfer_len, req->mx_sb_len, req->cmd_len, @@ -610,7 +592,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int if (error) { req->host_status = DID_ERROR; req->driver_status = DRIVER_INVALID; - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break; } @@ -629,10 +610,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int req->sb_len_wr); } - if ((dir == CAM_DIR_OUT || dir == CAM_DIR_BOTH) && error == 0) - error = copyout(data_ptr, req->dxferp, req->dxfer_len); - - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009252119.08PLJujm010572>