From owner-svn-doc-all@FreeBSD.ORG Thu Aug 22 01:12:10 2013 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id C7790CC3; Thu, 22 Aug 2013 01:12:10 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B235F2B96; Thu, 22 Aug 2013 01:12:10 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r7M1CACr025866; Thu, 22 Aug 2013 01:12:10 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r7M1CAhe025819; Thu, 22 Aug 2013 01:12:10 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201308220112.r7M1CAhe025819@svn.freebsd.org> From: Xin LI Date: Thu, 22 Aug 2013 01:12:10 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r42568 - in head/share: security/advisories security/patches/EN-13:03 security/patches/SA-13:09 security/patches/SA-13:10 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Aug 2013 01:12:10 -0000 Author: delphij Date: Thu Aug 22 01:12:09 2013 New Revision: 42568 URL: http://svnweb.freebsd.org/changeset/doc/42568 Log: Add two latest advisories: Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. [13:09] Fix a bug that could lead to kernel memory disclosure with SCTP state cookie. [13:10] Add latest errata notices: Fix a data corruption problem with mfi(4) operating on > 2TB disks in a JBOD. [EN-13:03] Added: head/share/security/advisories/FreeBSD-EN-13:03.mfi.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-13:10.sctp.asc (contents, props changed) head/share/security/patches/EN-13:03/ head/share/security/patches/EN-13:03/mfi.patch (contents, props changed) head/share/security/patches/EN-13:03/mfi.patch.asc (contents, props changed) head/share/security/patches/SA-13:09/ head/share/security/patches/SA-13:09/ip_multicast.patch (contents, props changed) head/share/security/patches/SA-13:09/ip_multicast.patch.asc (contents, props changed) head/share/security/patches/SA-13:10/ head/share/security/patches/SA-13:10/sctp.patch (contents, props changed) head/share/security/patches/SA-13:10/sctp.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-13:03.mfi.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-13:03.mfi.asc Thu Aug 22 01:12:09 2013 (r42568) @@ -0,0 +1,109 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-EN-13:03.mfi Errata Notice + The FreeBSD Project + +Topic: data corruption with mfi(4) JBOD disks > 2TB + +Category: contrib +Module: mfi +Announced: 2013-08-22 +Credits: Steven Hartland, Doug Ambrisko +Affects: FreeBSD 9.1 +Corrected: 2012-12-03 18:37:02 UTC (stable/9, 9.1-STABLE) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The mfi(4) driver supports LSI's next generation PCI Express SAS RAID +controllers. The driver supports JBOD attachment through /dev/mfisyspd? +device nodes. + +Logical block addressing (LBA) is a common scheme used for specifying the +location of sectors on hard drives. + +II. Problem Description + +The way mfi(4) implements access of "syspd" or also known as JBOD always +uses READ10/WRITE10 commands for underlying disk. When writing over 2^32 +sectors, the LBA would wrap and starts writing at the beginning of the +disk. + +III. Impact + +Writing beyond 2TB to mfi(4) connected JBODs would result in data corruption. + +IV. Workaround + +No workaround is available, but systems that do not use mfi(4) as a JBOD +HBA or do not have disks with 2^32 or more sectors (2^41 or more bytes with +512-byte logical sector size) are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-13:03/mfi.patch +# fetch http://security.FreeBSD.org/patches/EN-13:03/mfi.patch.asc +# gpg --verify mfi.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r243824 +releng/9.1/ r254631 +- ------------------------------------------------------------------------- + +VII. References + +http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/173291 + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-13:03.mfi.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEARECAAYFAlIVY1YACgkQFdaIBMps37IHmwCfZH+1Gi0u7eYMXYevu0KHaG3a +rCwAn2ecdXnLOsaC6D6i2mo4dmI4HLDk +=AwdQ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc Thu Aug 22 01:12:09 2013 (r42568) @@ -0,0 +1,121 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +FreeBSD-SA-13:09.ip_multicast Security Advisory + The FreeBSD Project + +Topic: integer overflow in IP_MSFILTER + +Category: core +Module: kernel +Announced: 2013-08-22 +Credits: Clement Lecigne (Google Security Team) +Affects: All supported versions of FreeBSD. +Corrected: 2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE) + 2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + 2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE) + 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) + 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) +CVE Name: CVE-2013-3077 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +IP multicast is a method of sending Internet Protocol (IP) datagrams to a +group of interested receivers in a single transmission. + +II. Problem Description + +An integer overflow in computing the size of a temporary buffer can +result in a buffer which is too small for the requested operation. + +III. Impact + +An unprivileged process can read or write pages of memory which belong to +the kernel. These may lead to exposure of sensitive information or allow +privilege escalation. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch +# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc +# gpg --verify ip_multicast.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r254629 +releng/8.3/ r254632 +releng/8.4/ r254632 +stable/9/ r254629 +releng/9.1/ r254631 +releng/9.2/ r254630 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing XXXXXX with the revision number, on a +machine with Subversion installed: + +# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing XXXXXX with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEARECAAYFAlIVY1YACgkQFdaIBMps37K1cwCeOwXryun/C0EceD7v1se+z8w1 +EUYAoJ7Hh/bOjyuD6oR6ZOEqtDVIL5LP +=6Ehk +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-13:10.sctp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:10.sctp.asc Thu Aug 22 01:12:09 2013 (r42568) @@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:10.sctp Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure in sctp(4) + +Category: core +Module: sctp +Announced: 2013-08-22 +Credits: Julian Seward, Michael Tuexen +Affects: All supported versions of FreeBSD. +Corrected: 2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE) + 2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + 2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE) + 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) + 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) +CVE Name: CVE-2013-5209 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The SCTP protocol provides reliable, flow-controlled, two-way transmission +of data. It is a message oriented protocol and can support the SOCK_STREAM +and SOCK_SEQPACKET abstractions. + +The SCTP protocol checks the integrity of messages by validating the state +cookie information that is returned from the peer. + +II. Problem Description + +When initializing the SCTP state cookie being sent in INIT-ACK chunks, +a buffer allocated from the kernel stack is not completely initialized. + +III. Impact + +Fragments of kernel memory may be included in SCTP packets and +transmitted over the network. For each SCTP session, there are two +separate instances in which a 4-byte fragment may be transmitted. + +This memory might contain sensitive information, such as portions of the +file cache or terminal buffers. This information might be directly +useful, or it might be leveraged to obtain elevated privileges in +some way. For example, a terminal buffer might include an user-entered +password. + +IV. Workaround + +No workaround is available, but systems not using the SCTP protocol +are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch +# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc +# gpg --verify sctp.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r254354 +releng/8.3/ r254632 +releng/8.4/ r254632 +stable/9/ r254352 +releng/9.1/ r254631 +releng/9.2/ r254355 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing XXXXXX with the revision number, on a +machine with Subversion installed: + +# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing XXXXXX with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEARECAAYFAlIVY1YACgkQFdaIBMps37L0AQCgh30FZd+f+rmzMabRFkTPVEmX +tZgAnRuZptKgvlHkqnEhUj30tH6xLDCO +=KJ8k +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-13:03/mfi.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-13:03/mfi.patch Thu Aug 22 01:12:09 2013 (r42568) @@ -0,0 +1,994 @@ +Index: sys/dev/mfi/mfi.c +=================================================================== +--- sys/dev/mfi/mfi.c (revision 254079) ++++ sys/dev/mfi/mfi.c (working copy) +@@ -107,7 +107,7 @@ static void mfi_bio_complete(struct mfi_command *) + static struct mfi_command *mfi_build_ldio(struct mfi_softc *,struct bio*); + static struct mfi_command *mfi_build_syspdio(struct mfi_softc *,struct bio*); + static int mfi_send_frame(struct mfi_softc *, struct mfi_command *); +-static int mfi_abort(struct mfi_softc *, struct mfi_command *); ++static int mfi_abort(struct mfi_softc *, struct mfi_command **); + static int mfi_linux_ioctl_int(struct cdev *, u_long, caddr_t, int, struct thread *); + static void mfi_timeout(void *); + static int mfi_user_command(struct mfi_softc *, +@@ -373,6 +373,8 @@ mfi_attach(struct mfi_softc *sc) + sx_init(&sc->mfi_config_lock, "MFI config"); + TAILQ_INIT(&sc->mfi_ld_tqh); + TAILQ_INIT(&sc->mfi_syspd_tqh); ++ TAILQ_INIT(&sc->mfi_ld_pend_tqh); ++ TAILQ_INIT(&sc->mfi_syspd_pend_tqh); + TAILQ_INIT(&sc->mfi_evt_queue); + TASK_INIT(&sc->mfi_evt_task, 0, mfi_handle_evt, sc); + TASK_INIT(&sc->mfi_map_sync_task, 0, mfi_handle_map_sync, sc); +@@ -694,6 +696,7 @@ mfi_attach(struct mfi_softc *sc) + device_printf(sc->mfi_dev, "Cannot set up interrupt\n"); + return (EINVAL); + } ++ sc->mfi_intr_ptr = mfi_intr_tbolt; + sc->mfi_enable_intr(sc); + } else { + if ((error = mfi_comms_init(sc)) != 0) +@@ -704,6 +707,7 @@ mfi_attach(struct mfi_softc *sc) + device_printf(sc->mfi_dev, "Cannot set up interrupt\n"); + return (EINVAL); + } ++ sc->mfi_intr_ptr = mfi_intr; + sc->mfi_enable_intr(sc); + } + if ((error = mfi_get_controller_info(sc)) != 0) +@@ -1278,6 +1282,17 @@ mfi_shutdown(struct mfi_softc *sc) + struct mfi_command *cm; + int error; + ++ ++ if (sc->mfi_aen_cm) ++ sc->cm_aen_abort = 1; ++ if (sc->mfi_aen_cm != NULL) ++ mfi_abort(sc, &sc->mfi_aen_cm); ++ ++ if (sc->mfi_map_sync_cm) ++ sc->cm_map_abort = 1; ++ if (sc->mfi_map_sync_cm != NULL) ++ mfi_abort(sc, &sc->mfi_map_sync_cm); ++ + mtx_lock(&sc->mfi_io_lock); + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_CTRL_SHUTDOWN, NULL, 0); + if (error) { +@@ -1285,12 +1300,6 @@ mfi_shutdown(struct mfi_softc *sc) + return (error); + } + +- if (sc->mfi_aen_cm != NULL) +- mfi_abort(sc, sc->mfi_aen_cm); +- +- if (sc->mfi_map_sync_cm != NULL) +- mfi_abort(sc, sc->mfi_map_sync_cm); +- + dcmd = &cm->cm_frame->dcmd; + dcmd->header.flags = MFI_FRAME_DIR_NONE; + cm->cm_flags = MFI_CMD_POLLED; +@@ -1312,6 +1321,7 @@ mfi_syspdprobe(struct mfi_softc *sc) + struct mfi_command *cm = NULL; + struct mfi_pd_list *pdlist = NULL; + struct mfi_system_pd *syspd, *tmp; ++ struct mfi_system_pending *syspd_pend; + int error, i, found; + + sx_assert(&sc->mfi_config_lock, SA_XLOCKED); +@@ -1352,6 +1362,10 @@ mfi_syspdprobe(struct mfi_softc *sc) + if (syspd->pd_id == pdlist->addr[i].device_id) + found = 1; + } ++ TAILQ_FOREACH(syspd_pend, &sc->mfi_syspd_pend_tqh, pd_link) { ++ if (syspd_pend->pd_id == pdlist->addr[i].device_id) ++ found = 1; ++ } + if (found == 0) + mfi_add_sys_pd(sc, pdlist->addr[i].device_id); + } +@@ -1387,6 +1401,7 @@ mfi_ldprobe(struct mfi_softc *sc) + struct mfi_command *cm = NULL; + struct mfi_ld_list *list = NULL; + struct mfi_disk *ld; ++ struct mfi_disk_pending *ld_pend; + int error, i; + + sx_assert(&sc->mfi_config_lock, SA_XLOCKED); +@@ -1415,6 +1430,10 @@ mfi_ldprobe(struct mfi_softc *sc) + if (ld->ld_id == list->ld_list[i].ld.v.target_id) + goto skip_add; + } ++ TAILQ_FOREACH(ld_pend, &sc->mfi_ld_pend_tqh, ld_link) { ++ if (ld_pend->ld_id == list->ld_list[i].ld.v.target_id) ++ goto skip_add; ++ } + mfi_add_ld(sc, list->ld_list[i].ld.v.target_id); + skip_add:; + } +@@ -1617,9 +1636,7 @@ mfi_aen_register(struct mfi_softc *sc, int seq, in + < current_aen.members.evt_class) + current_aen.members.evt_class = + prior_aen.members.evt_class; +- mtx_lock(&sc->mfi_io_lock); +- mfi_abort(sc, sc->mfi_aen_cm); +- mtx_unlock(&sc->mfi_io_lock); ++ mfi_abort(sc, &sc->mfi_aen_cm); + } + } + +@@ -1811,10 +1828,17 @@ mfi_add_ld(struct mfi_softc *sc, int id) + struct mfi_command *cm; + struct mfi_dcmd_frame *dcmd = NULL; + struct mfi_ld_info *ld_info = NULL; ++ struct mfi_disk_pending *ld_pend; + int error; + + mtx_assert(&sc->mfi_io_lock, MA_OWNED); + ++ ld_pend = malloc(sizeof(*ld_pend), M_MFIBUF, M_NOWAIT | M_ZERO); ++ if (ld_pend != NULL) { ++ ld_pend->ld_id = id; ++ TAILQ_INSERT_TAIL(&sc->mfi_ld_pend_tqh, ld_pend, ld_link); ++ } ++ + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_LD_GET_INFO, + (void **)&ld_info, sizeof(*ld_info)); + if (error) { +@@ -1855,11 +1879,13 @@ mfi_add_ld_complete(struct mfi_command *cm) + hdr = &cm->cm_frame->header; + ld_info = cm->cm_private; + +- if (hdr->cmd_status != MFI_STAT_OK) { ++ if (sc->cm_map_abort || hdr->cmd_status != MFI_STAT_OK) { + free(ld_info, M_MFIBUF); ++ wakeup(&sc->mfi_map_sync_cm); + mfi_release_command(cm); + return; + } ++ wakeup(&sc->mfi_map_sync_cm); + mfi_release_command(cm); + + mtx_unlock(&sc->mfi_io_lock); +@@ -1884,10 +1910,17 @@ static int mfi_add_sys_pd(struct mfi_softc *sc, in + struct mfi_command *cm; + struct mfi_dcmd_frame *dcmd = NULL; + struct mfi_pd_info *pd_info = NULL; ++ struct mfi_system_pending *syspd_pend; + int error; + + mtx_assert(&sc->mfi_io_lock, MA_OWNED); + ++ syspd_pend = malloc(sizeof(*syspd_pend), M_MFIBUF, M_NOWAIT | M_ZERO); ++ if (syspd_pend != NULL) { ++ syspd_pend->pd_id = id; ++ TAILQ_INSERT_TAIL(&sc->mfi_syspd_pend_tqh, syspd_pend, pd_link); ++ } ++ + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_PD_GET_INFO, + (void **)&pd_info, sizeof(*pd_info)); + if (error) { +@@ -1981,19 +2014,87 @@ mfi_bio_command(struct mfi_softc *sc) + mfi_enqueue_bio(sc, bio); + return cm; + } ++ ++/* ++ * mostly copied from cam/scsi/scsi_all.c:scsi_read_write ++ */ ++ ++int ++mfi_build_cdb(int readop, uint8_t byte2, u_int64_t lba, u_int32_t block_count, uint8_t *cdb) ++{ ++ int cdb_len; ++ ++ if (((lba & 0x1fffff) == lba) ++ && ((block_count & 0xff) == block_count) ++ && (byte2 == 0)) { ++ /* We can fit in a 6 byte cdb */ ++ struct scsi_rw_6 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_6 *)cdb; ++ scsi_cmd->opcode = readop ? READ_6 : WRITE_6; ++ scsi_ulto3b(lba, scsi_cmd->addr); ++ scsi_cmd->length = block_count & 0xff; ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else if (((block_count & 0xffff) == block_count) && ((lba & 0xffffffff) == lba)) { ++ /* Need a 10 byte CDB */ ++ struct scsi_rw_10 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_10 *)cdb; ++ scsi_cmd->opcode = readop ? READ_10 : WRITE_10; ++ scsi_cmd->byte2 = byte2; ++ scsi_ulto4b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto2b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else if (((block_count & 0xffffffff) == block_count) && ++ ((lba & 0xffffffff) == lba)) { ++ /* Block count is too big for 10 byte CDB use a 12 byte CDB */ ++ struct scsi_rw_12 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_12 *)cdb; ++ scsi_cmd->opcode = readop ? READ_12 : WRITE_12; ++ scsi_cmd->byte2 = byte2; ++ scsi_ulto4b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto4b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else { ++ /* ++ * 16 byte CDB. We'll only get here if the LBA is larger ++ * than 2^32 ++ */ ++ struct scsi_rw_16 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_16 *)cdb; ++ scsi_cmd->opcode = readop ? READ_16 : WRITE_16; ++ scsi_cmd->byte2 = byte2; ++ scsi_u64to8b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto4b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } ++ ++ return cdb_len; ++} ++ + static struct mfi_command * + mfi_build_syspdio(struct mfi_softc *sc, struct bio *bio) + { + struct mfi_command *cm; + struct mfi_pass_frame *pass; +- int flags = 0, blkcount = 0; + uint32_t context = 0; ++ int flags = 0, blkcount = 0, readop; ++ uint8_t cdb_len; + + if ((cm = mfi_dequeue_free(sc)) == NULL) + return (NULL); + + /* Zero out the MFI frame */ +- context = cm->cm_frame->header.context; ++ context = cm->cm_frame->header.context; + bzero(cm->cm_frame, sizeof(union mfi_frame)); + cm->cm_frame->header.context = context; + pass = &cm->cm_frame->pass; +@@ -2001,35 +2102,31 @@ mfi_build_syspdio(struct mfi_softc *sc, struct bio + pass->header.cmd = MFI_CMD_PD_SCSI_IO; + switch (bio->bio_cmd & 0x03) { + case BIO_READ: +-#define SCSI_READ 0x28 +- pass->cdb[0] = SCSI_READ; + flags = MFI_CMD_DATAIN; ++ readop = 1; + break; + case BIO_WRITE: +-#define SCSI_WRITE 0x2a +- pass->cdb[0] = SCSI_WRITE; + flags = MFI_CMD_DATAOUT; ++ readop = 0; + break; + default: +- panic("Invalid bio command"); ++ /* TODO: what about BIO_DELETE??? */ ++ panic("Unsupported bio command %x\n", bio->bio_cmd); + } + + /* Cheat with the sector length to avoid a non-constant division */ + blkcount = (bio->bio_bcount + MFI_SECTOR_LEN - 1) / MFI_SECTOR_LEN; + /* Fill the LBA and Transfer length in CDB */ +- pass->cdb[2] = (bio->bio_pblkno & 0xff000000) >> 24; +- pass->cdb[3] = (bio->bio_pblkno & 0x00ff0000) >> 16; +- pass->cdb[4] = (bio->bio_pblkno & 0x0000ff00) >> 8; +- pass->cdb[5] = bio->bio_pblkno & 0x000000ff; +- pass->cdb[7] = (blkcount & 0xff00) >> 8; +- pass->cdb[8] = (blkcount & 0x00ff); ++ cdb_len = mfi_build_cdb(readop, 0, bio->bio_pblkno, blkcount, ++ pass->cdb); + pass->header.target_id = (uintptr_t)bio->bio_driver1; ++ pass->header.lun_id = 0; + pass->header.timeout = 0; + pass->header.flags = 0; + pass->header.scsi_status = 0; + pass->header.sense_len = MFI_SENSE_LEN; + pass->header.data_len = bio->bio_bcount; +- pass->header.cdb_len = 10; ++ pass->header.cdb_len = cdb_len; + pass->sense_addr_lo = (uint32_t)cm->cm_sense_busaddr; + pass->sense_addr_hi = (uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32); + cm->cm_complete = mfi_bio_complete; +@@ -2047,7 +2144,8 @@ mfi_build_ldio(struct mfi_softc *sc, struct bio *b + { + struct mfi_io_frame *io; + struct mfi_command *cm; +- int flags, blkcount; ++ int flags; ++ uint32_t blkcount; + uint32_t context = 0; + + if ((cm = mfi_dequeue_free(sc)) == NULL) +@@ -2068,7 +2166,8 @@ mfi_build_ldio(struct mfi_softc *sc, struct bio *b + flags = MFI_CMD_DATAOUT; + break; + default: +- panic("Invalid bio command"); ++ /* TODO: what about BIO_DELETE??? */ ++ panic("Unsupported bio command %x\n", bio->bio_cmd); + } + + /* Cheat with the sector length to avoid a non-constant division */ +@@ -2358,7 +2457,7 @@ mfi_complete(struct mfi_softc *sc, struct mfi_comm + } + + static int +-mfi_abort(struct mfi_softc *sc, struct mfi_command *cm_abort) ++mfi_abort(struct mfi_softc *sc, struct mfi_command **cm_abort) + { + struct mfi_command *cm; + struct mfi_abort_frame *abort; +@@ -2365,8 +2464,7 @@ static int + int i = 0; + uint32_t context = 0; + +- mtx_assert(&sc->mfi_io_lock, MA_OWNED); +- ++ mtx_lock(&sc->mfi_io_lock); + if ((cm = mfi_dequeue_free(sc)) == NULL) { + return (EBUSY); + } +@@ -2380,29 +2478,27 @@ static int + abort->header.cmd = MFI_CMD_ABORT; + abort->header.flags = 0; + abort->header.scsi_status = 0; +- abort->abort_context = cm_abort->cm_frame->header.context; +- abort->abort_mfi_addr_lo = (uint32_t)cm_abort->cm_frame_busaddr; ++ abort->abort_context = (*cm_abort)->cm_frame->header.context; ++ abort->abort_mfi_addr_lo = (uint32_t)(*cm_abort)->cm_frame_busaddr; + abort->abort_mfi_addr_hi = +- (uint32_t)((uint64_t)cm_abort->cm_frame_busaddr >> 32); ++ (uint32_t)((uint64_t)(*cm_abort)->cm_frame_busaddr >> 32); + cm->cm_data = NULL; + cm->cm_flags = MFI_CMD_POLLED; + +- if (sc->mfi_aen_cm) +- sc->cm_aen_abort = 1; +- if (sc->mfi_map_sync_cm) +- sc->cm_map_abort = 1; + mfi_mapcmd(sc, cm); + mfi_release_command(cm); + +- while (i < 5 && sc->mfi_aen_cm != NULL) { +- msleep(&sc->mfi_aen_cm, &sc->mfi_io_lock, 0, "mfiabort", ++ mtx_unlock(&sc->mfi_io_lock); ++ while (i < 5 && *cm_abort != NULL) { ++ tsleep(cm_abort, 0, "mfiabort", + 5 * hz); + i++; + } +- while (i < 5 && sc->mfi_map_sync_cm != NULL) { +- msleep(&sc->mfi_map_sync_cm, &sc->mfi_io_lock, 0, "mfiabort", +- 5 * hz); +- i++; ++ if (*cm_abort != NULL) { ++ /* Force a complete if command didn't abort */ ++ mtx_lock(&sc->mfi_io_lock); ++ (*cm_abort)->cm_complete(*cm_abort); ++ mtx_unlock(&sc->mfi_io_lock); + } + + return (0); +@@ -2458,8 +2554,8 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + { + struct mfi_command *cm; + struct mfi_pass_frame *pass; +- int error; +- int blkcount = 0; ++ int error, readop, cdb_len; ++ uint32_t blkcount; + + if ((cm = mfi_dequeue_free(sc)) == NULL) + return (EBUSY); +@@ -2467,14 +2563,10 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + pass = &cm->cm_frame->pass; + bzero(pass->cdb, 16); + pass->header.cmd = MFI_CMD_PD_SCSI_IO; +- pass->cdb[0] = SCSI_WRITE; +- pass->cdb[2] = (lba & 0xff000000) >> 24; +- pass->cdb[3] = (lba & 0x00ff0000) >> 16; +- pass->cdb[4] = (lba & 0x0000ff00) >> 8; +- pass->cdb[5] = (lba & 0x000000ff); ++ ++ readop = 0; + blkcount = (len + MFI_SECTOR_LEN - 1) / MFI_SECTOR_LEN; +- pass->cdb[7] = (blkcount & 0xff00) >> 8; +- pass->cdb[8] = (blkcount & 0x00ff); ++ cdb_len = mfi_build_cdb(readop, 0, lba, blkcount, pass->cdb); + pass->header.target_id = id; + pass->header.timeout = 0; + pass->header.flags = 0; +@@ -2481,7 +2573,7 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + pass->header.scsi_status = 0; + pass->header.sense_len = MFI_SENSE_LEN; + pass->header.data_len = len; +- pass->header.cdb_len = 10; ++ pass->header.cdb_len = cdb_len; + pass->sense_addr_lo = (uint32_t)cm->cm_sense_busaddr; + pass->sense_addr_hi = (uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32); + cm->cm_data = virt; +@@ -2488,7 +2580,7 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + cm->cm_len = len; + cm->cm_sg = &pass->sgl; + cm->cm_total_frame_size = MFI_PASS_FRAME_SIZE; +- cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT; ++ cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT | MFI_CMD_SCSI; + + error = mfi_mapcmd(sc, cm); + bus_dmamap_sync(sc->mfi_buffer_dmat, cm->cm_dmamap, +@@ -2687,16 +2779,24 @@ mfi_check_command_post(struct mfi_softc *sc, struc + } + } + +-static int mfi_check_for_sscd(struct mfi_softc *sc, struct mfi_command *cm) ++static int ++mfi_check_for_sscd(struct mfi_softc *sc, struct mfi_command *cm) + { +- struct mfi_config_data *conf_data=(struct mfi_config_data *)cm->cm_data; ++ struct mfi_config_data *conf_data; + struct mfi_command *ld_cm = NULL; + struct mfi_ld_info *ld_info = NULL; ++ struct mfi_ld_config *ld; ++ char *p; + int error = 0; + +- if ((cm->cm_frame->dcmd.opcode == MFI_DCMD_CFG_ADD) && +- (conf_data->ld[0].params.isSSCD == 1)) { +- error = 1; ++ conf_data = (struct mfi_config_data *)cm->cm_data; ++ ++ if (cm->cm_frame->dcmd.opcode == MFI_DCMD_CFG_ADD) { ++ p = (char *)conf_data->array; ++ p += conf_data->array_size * conf_data->array_count; ++ ld = (struct mfi_ld_config *)p; ++ if (ld->params.isSSCD == 1) ++ error = 1; + } else if (cm->cm_frame->dcmd.opcode == MFI_DCMD_LD_DELETE) { + error = mfi_dcmd_command (sc, &ld_cm, MFI_DCMD_LD_GET_INFO, + (void **)&ld_info, sizeof(*ld_info)); +Index: sys/dev/mfi/mfi_cam.c +=================================================================== +--- sys/dev/mfi/mfi_cam.c (revision 254079) ++++ sys/dev/mfi/mfi_cam.c (working copy) +@@ -79,6 +79,11 @@ static void mfip_cam_poll(struct cam_sim *); + static struct mfi_command * mfip_start(void *); + static void mfip_done(struct mfi_command *cm); + ++static int mfi_allow_disks = 0; ++TUNABLE_INT("hw.mfi.allow_cam_disk_passthrough", &mfi_allow_disks); ++SYSCTL_INT(_hw_mfi, OID_AUTO, allow_cam_disk_passthrough, CTLFLAG_RD, ++ &mfi_allow_disks, 0, "event message locale"); ++ + static devclass_t mfip_devclass; + static device_method_t mfip_methods[] = { + DEVMETHOD(device_probe, mfip_probe), +@@ -349,7 +354,8 @@ mfip_done(struct mfi_command *cm) + command = csio->cdb_io.cdb_bytes[0]; + if (command == INQUIRY) { + device = csio->data_ptr[0] & 0x1f; +- if ((device == T_DIRECT) || (device == T_PROCESSOR)) ++ if ((!mfi_allow_disks && device == T_DIRECT) || ++ (device == T_PROCESSOR)) + csio->data_ptr[0] = + (csio->data_ptr[0] & 0xe0) | T_NODEVICE; + } +@@ -392,6 +398,9 @@ mfip_done(struct mfi_command *cm) + static void + mfip_cam_poll(struct cam_sim *sim) + { +- return; ++ struct mfip_softc *sc = cam_sim_softc(sim); ++ struct mfi_softc *mfisc = sc->mfi_sc; ++ ++ mfisc->mfi_intr_ptr(mfisc); + } + +Index: sys/dev/mfi/mfi_disk.c +=================================================================== +--- sys/dev/mfi/mfi_disk.c (revision 254079) ++++ sys/dev/mfi/mfi_disk.c (working copy) +@@ -93,6 +93,7 @@ mfi_disk_attach(device_t dev) + { + struct mfi_disk *sc; + struct mfi_ld_info *ld_info; ++ struct mfi_disk_pending *ld_pend; + uint64_t sectors; + uint32_t secsize; + char *state; +@@ -111,6 +112,13 @@ mfi_disk_attach(device_t dev) + secsize = MFI_SECTOR_LEN; + mtx_lock(&sc->ld_controller->mfi_io_lock); + TAILQ_INSERT_TAIL(&sc->ld_controller->mfi_ld_tqh, sc, ld_link); ++ TAILQ_FOREACH(ld_pend, &sc->ld_controller->mfi_ld_pend_tqh, ++ ld_link) { ++ TAILQ_REMOVE(&sc->ld_controller->mfi_ld_pend_tqh, ++ ld_pend, ld_link); ++ free(ld_pend, M_MFIBUF); ++ break; ++ } + mtx_unlock(&sc->ld_controller->mfi_io_lock); + + switch (ld_info->ld_config.params.state) { +@@ -131,16 +139,16 @@ mfi_disk_attach(device_t dev) + break; + } + +- if ( strlen(ld_info->ld_config.properties.name) == 0 ) { +- device_printf(dev, +- "%juMB (%ju sectors) RAID volume (no label) is %s\n", +- sectors / (1024 * 1024 / secsize), sectors, state); +- } else { +- device_printf(dev, +- "%juMB (%ju sectors) RAID volume '%s' is %s\n", +- sectors / (1024 * 1024 / secsize), sectors, +- ld_info->ld_config.properties.name, state); +- } ++ if ( strlen(ld_info->ld_config.properties.name) == 0 ) { ++ device_printf(dev, ++ "%juMB (%ju sectors) RAID volume (no label) is %s\n", ++ sectors / (1024 * 1024 / secsize), sectors, state); ++ } else { ++ device_printf(dev, ++ "%juMB (%ju sectors) RAID volume '%s' is %s\n", ++ sectors / (1024 * 1024 / secsize), sectors, ++ ld_info->ld_config.properties.name, state); ++ } + + sc->ld_disk = disk_alloc(); + sc->ld_disk->d_drv1 = sc; +Index: sys/dev/mfi/mfi_syspd.c +=================================================================== +--- sys/dev/mfi/mfi_syspd.c (revision 254079) ++++ sys/dev/mfi/mfi_syspd.c (working copy) +@@ -89,7 +89,6 @@ DRIVER_MODULE(mfisyspd, mfi, mfi_syspd_driver, mfi + static int + mfi_syspd_probe(device_t dev) + { +- + return (0); + } + +@@ -98,12 +97,12 @@ mfi_syspd_attach(device_t dev) + { + struct mfi_system_pd *sc; + struct mfi_pd_info *pd_info; ++ struct mfi_system_pending *syspd_pend; + uint64_t sectors; + uint32_t secsize; + + sc = device_get_softc(dev); + pd_info = device_get_ivars(dev); +- + sc->pd_dev = dev; + sc->pd_id = pd_info->ref.v.device_id; + sc->pd_unit = device_get_unit(dev); +@@ -115,6 +114,13 @@ mfi_syspd_attach(device_t dev) + secsize = MFI_SECTOR_LEN; + mtx_lock(&sc->pd_controller->mfi_io_lock); + TAILQ_INSERT_TAIL(&sc->pd_controller->mfi_syspd_tqh, sc, pd_link); ++ TAILQ_FOREACH(syspd_pend, &sc->pd_controller->mfi_syspd_pend_tqh, ++ pd_link) { ++ TAILQ_REMOVE(&sc->pd_controller->mfi_syspd_pend_tqh, ++ syspd_pend, pd_link); ++ free(syspd_pend, M_MFIBUF); ++ break; ++ } + mtx_unlock(&sc->pd_controller->mfi_io_lock); + device_printf(dev, "%juMB (%ju sectors) SYSPD volume\n", + sectors / (1024 * 1024 / secsize), sectors); +@@ -139,6 +145,7 @@ mfi_syspd_attach(device_t dev) + disk_create(sc->pd_disk, DISK_VERSION); + + device_printf(dev, " SYSPD volume attached\n"); ++ + return (0); + } + +Index: sys/dev/mfi/mfi_tbolt.c +=================================================================== +--- sys/dev/mfi/mfi_tbolt.c (revision 254079) ++++ sys/dev/mfi/mfi_tbolt.c (working copy) +@@ -69,13 +69,10 @@ uint8_t + mfi_build_mpt_pass_thru(struct mfi_softc *sc, struct mfi_command *mfi_cmd); + union mfi_mpi2_request_descriptor *mfi_build_and_issue_cmd(struct mfi_softc + *sc, struct mfi_command *mfi_cmd); +-int mfi_tbolt_is_ldio(struct mfi_command *mfi_cmd); + void mfi_tbolt_build_ldio(struct mfi_softc *sc, struct mfi_command *mfi_cmd, + struct mfi_cmd_tbolt *cmd); + static int mfi_tbolt_make_sgl(struct mfi_softc *sc, struct mfi_command + *mfi_cmd, pMpi25IeeeSgeChain64_t sgl_ptr, struct mfi_cmd_tbolt *cmd); +-static int mfi_tbolt_build_cdb(struct mfi_softc *sc, struct mfi_command +- *mfi_cmd, uint8_t *cdb); + void + map_tbolt_cmd_status(struct mfi_command *mfi_cmd, uint8_t status, + uint8_t ext_status); +@@ -502,6 +499,7 @@ mfi_tbolt_alloc_cmd(struct mfi_softc *sc) + + i * MEGASAS_MAX_SZ_CHAIN_FRAME); + cmd->sg_frame_phys_addr = sc->sg_frame_busaddr + i + * MEGASAS_MAX_SZ_CHAIN_FRAME; ++ cmd->sync_cmd_idx = sc->mfi_max_fw_cmds; + + TAILQ_INSERT_TAIL(&(sc->mfi_cmd_tbolt_tqh), cmd, next); + } +@@ -574,11 +572,11 @@ void *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***