1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 1997, 1998, 2000 Justin T. Gibbs.
5 * Copyright (c) 1997, 1998, 1999 Kenneth D. Merry.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions, and the following disclaimer,
13 * without modification, immediately at the beginning of the file.
14 * 2. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/conf.h>
37 #include <sys/types.h>
38 #include <sys/bio.h>
39 #include <sys/bus.h>
40 #include <sys/devicestat.h>
41 #include <sys/errno.h>
42 #include <sys/fcntl.h>
43 #include <sys/malloc.h>
44 #include <sys/proc.h>
45 #include <sys/poll.h>
46 #include <sys/selinfo.h>
47 #include <sys/sdt.h>
48 #include <sys/sysent.h>
49 #include <sys/taskqueue.h>
50 #include <vm/uma.h>
51 #include <vm/vm.h>
52 #include <vm/vm_extern.h>
53
54 #include <machine/bus.h>
55
56 #include <cam/cam.h>
57 #include <cam/cam_ccb.h>
58 #include <cam/cam_periph.h>
59 #include <cam/cam_queue.h>
60 #include <cam/cam_xpt.h>
61 #include <cam/cam_xpt_periph.h>
62 #include <cam/cam_debug.h>
63 #include <cam/cam_compat.h>
64 #include <cam/cam_xpt_periph.h>
65
66 #include <cam/scsi/scsi_all.h>
67 #include <cam/scsi/scsi_pass.h>
68
69 typedef enum {
70 PASS_FLAG_OPEN = 0x01,
71 PASS_FLAG_LOCKED = 0x02,
72 PASS_FLAG_INVALID = 0x04,
73 PASS_FLAG_INITIAL_PHYSPATH = 0x08,
74 PASS_FLAG_ZONE_INPROG = 0x10,
75 PASS_FLAG_ZONE_VALID = 0x20,
76 PASS_FLAG_UNMAPPED_CAPABLE = 0x40,
77 PASS_FLAG_ABANDONED_REF_SET = 0x80
78 } pass_flags;
79
80 typedef enum {
81 PASS_STATE_NORMAL
82 } pass_state;
83
84 typedef enum {
85 PASS_CCB_BUFFER_IO,
86 PASS_CCB_QUEUED_IO
87 } pass_ccb_types;
88
89 #define ccb_type ppriv_field0
90 #define ccb_ioreq ppriv_ptr1
91
92 /*
93 * The maximum number of memory segments we preallocate.
94 */
95 #define PASS_MAX_SEGS 16
96
97 typedef enum {
98 PASS_IO_NONE = 0x00,
99 PASS_IO_USER_SEG_MALLOC = 0x01,
100 PASS_IO_KERN_SEG_MALLOC = 0x02,
101 PASS_IO_ABANDONED = 0x04
102 } pass_io_flags;
103
104 struct pass_io_req {
105 union ccb ccb;
106 union ccb *alloced_ccb;
107 union ccb *user_ccb_ptr;
108 camq_entry user_periph_links;
109 ccb_ppriv_area user_periph_priv;
110 struct cam_periph_map_info mapinfo;
111 pass_io_flags flags;
112 ccb_flags data_flags;
113 int num_user_segs;
114 bus_dma_segment_t user_segs[PASS_MAX_SEGS];
115 int num_kern_segs;
116 bus_dma_segment_t kern_segs[PASS_MAX_SEGS];
117 bus_dma_segment_t *user_segptr;
118 bus_dma_segment_t *kern_segptr;
119 int num_bufs;
120 uint32_t dirs[CAM_PERIPH_MAXMAPS];
121 uint32_t lengths[CAM_PERIPH_MAXMAPS];
122 uint8_t *user_bufs[CAM_PERIPH_MAXMAPS];
123 uint8_t *kern_bufs[CAM_PERIPH_MAXMAPS];
124 struct bintime start_time;
125 TAILQ_ENTRY(pass_io_req) links;
126 };
127
128 struct pass_softc {
129 pass_state state;
130 pass_flags flags;
131 u_int8_t pd_type;
132 union ccb saved_ccb;
133 int open_count;
134 u_int maxio;
135 struct devstat *device_stats;
136 struct cdev *dev;
137 struct cdev *alias_dev;
138 struct task add_physpath_task;
139 struct task shutdown_kqueue_task;
140 struct selinfo read_select;
141 TAILQ_HEAD(, pass_io_req) incoming_queue;
142 TAILQ_HEAD(, pass_io_req) active_queue;
143 TAILQ_HEAD(, pass_io_req) abandoned_queue;
144 TAILQ_HEAD(, pass_io_req) done_queue;
145 struct cam_periph *periph;
146 char zone_name[12];
147 char io_zone_name[12];
148 uma_zone_t pass_zone;
149 uma_zone_t pass_io_zone;
150 size_t io_zone_size;
151 };
152
153 static d_open_t passopen;
154 static d_close_t passclose;
155 static d_ioctl_t passioctl;
156 static d_ioctl_t passdoioctl;
157 static d_poll_t passpoll;
158 static d_kqfilter_t passkqfilter;
159 static void passreadfiltdetach(struct knote *kn);
160 static int passreadfilt(struct knote *kn, long hint);
161
162 static periph_init_t passinit;
163 static periph_ctor_t passregister;
164 static periph_oninv_t passoninvalidate;
165 static periph_dtor_t passcleanup;
166 static periph_start_t passstart;
167 static void pass_shutdown_kqueue(void *context, int pending);
168 static void pass_add_physpath(void *context, int pending);
169 static void passasync(void *callback_arg, u_int32_t code,
170 struct cam_path *path, void *arg);
171 static void passdone(struct cam_periph *periph,
172 union ccb *done_ccb);
173 static int passcreatezone(struct cam_periph *periph);
174 static void passiocleanup(struct pass_softc *softc,
175 struct pass_io_req *io_req);
176 static int passcopysglist(struct cam_periph *periph,
177 struct pass_io_req *io_req,
178 ccb_flags direction);
179 static int passmemsetup(struct cam_periph *periph,
180 struct pass_io_req *io_req);
181 static int passmemdone(struct cam_periph *periph,
182 struct pass_io_req *io_req);
183 static int passerror(union ccb *ccb, u_int32_t cam_flags,
184 u_int32_t sense_flags);
185 static int passsendccb(struct cam_periph *periph, union ccb *ccb,
186 union ccb *inccb);
187
188 static struct periph_driver passdriver =
189 {
190 passinit, "pass",
191 TAILQ_HEAD_INITIALIZER(passdriver.units), /* generation */ 0
192 };
193
194 PERIPHDRIVER_DECLARE(pass, passdriver);
195
196 static struct cdevsw pass_cdevsw = {
197 .d_version = D_VERSION,
198 .d_flags = D_TRACKCLOSE,
199 .d_open = passopen,
200 .d_close = passclose,
201 .d_ioctl = passioctl,
202 .d_poll = passpoll,
203 .d_kqfilter = passkqfilter,
204 .d_name = "pass",
205 };
206
207 static struct filterops passread_filtops = {
208 .f_isfd = 1,
209 .f_detach = passreadfiltdetach,
210 .f_event = passreadfilt
211 };
212
213 static MALLOC_DEFINE(M_SCSIPASS, "scsi_pass", "scsi passthrough buffers");
214
215 static void
216 passinit(void)
217 {
218 cam_status status;
219
220 /*
221 * Install a global async callback. This callback will
222 * receive async callbacks like "new device found".
223 */
224 status = xpt_register_async(AC_FOUND_DEVICE, passasync, NULL, NULL);
225
226 if (status != CAM_REQ_CMP) {
227 printf("pass: Failed to attach master async callback "
228 "due to status 0x%x!\n", status);
229 }
230
231 }
232
233 static void
234 passrejectios(struct cam_periph *periph)
235 {
236 struct pass_io_req *io_req, *io_req2;
237 struct pass_softc *softc;
238
239 softc = (struct pass_softc *)periph->softc;
240
241 /*
242 * The user can no longer get status for I/O on the done queue, so
243 * clean up all outstanding I/O on the done queue.
244 */
245 TAILQ_FOREACH_SAFE(io_req, &softc->done_queue, links, io_req2) {
246 TAILQ_REMOVE(&softc->done_queue, io_req, links);
247 passiocleanup(softc, io_req);
248 uma_zfree(softc->pass_zone, io_req);
249 }
250
251 /*
252 * The underlying device is gone, so we can't issue these I/Os.
253 * The devfs node has been shut down, so we can't return status to
254 * the user. Free any I/O left on the incoming queue.
255 */
256 TAILQ_FOREACH_SAFE(io_req, &softc->incoming_queue, links, io_req2) {
257 TAILQ_REMOVE(&softc->incoming_queue, io_req, links);
258 passiocleanup(softc, io_req);
259 uma_zfree(softc->pass_zone, io_req);
260 }
261
262 /*
263 * Normally we would put I/Os on the abandoned queue and acquire a
264 * reference when we saw the final close. But, the device went
265 * away and devfs may have moved everything off to deadfs by the
266 * time the I/O done callback is called; as a result, we won't see
267 * any more closes. So, if we have any active I/Os, we need to put
268 * them on the abandoned queue. When the abandoned queue is empty,
269 * we'll release the remaining reference (see below) to the peripheral.
270 */
271 TAILQ_FOREACH_SAFE(io_req, &softc->active_queue, links, io_req2) {
272 TAILQ_REMOVE(&softc->active_queue, io_req, links);
273 io_req->flags |= PASS_IO_ABANDONED;
274 TAILQ_INSERT_TAIL(&softc->abandoned_queue, io_req, links);
275 }
276
277 /*
278 * If we put any I/O on the abandoned queue, acquire a reference.
279 */
280 if ((!TAILQ_EMPTY(&softc->abandoned_queue))
281 && ((softc->flags & PASS_FLAG_ABANDONED_REF_SET) == 0)) {
282 cam_periph_doacquire(periph);
283 softc->flags |= PASS_FLAG_ABANDONED_REF_SET;
284 }
285 }
286
287 static void
288 passdevgonecb(void *arg)
289 {
290 struct cam_periph *periph;
291 struct mtx *mtx;
292 struct pass_softc *softc;
293 int i;
294
295 periph = (struct cam_periph *)arg;
296 mtx = cam_periph_mtx(periph);
297 mtx_lock(mtx);
298
299 softc = (struct pass_softc *)periph->softc;
300 KASSERT(softc->open_count >= 0, ("Negative open count %d",
301 softc->open_count));
302
303 /*
304 * When we get this callback, we will get no more close calls from
305 * devfs. So if we have any dangling opens, we need to release the
306 * reference held for that particular context.
307 */
308 for (i = 0; i < softc->open_count; i++)
309 cam_periph_release_locked(periph);
310
311 softc->open_count = 0;
312
313 /*
314 * Release the reference held for the device node, it is gone now.
315 * Accordingly, inform all queued I/Os of their fate.
316 */
317 cam_periph_release_locked(periph);
318 passrejectios(periph);
319
320 /*
321 * We reference the SIM lock directly here, instead of using
322 * cam_periph_unlock(). The reason is that the final call to
323 * cam_periph_release_locked() above could result in the periph
324 * getting freed. If that is the case, dereferencing the periph
325 * with a cam_periph_unlock() call would cause a page fault.
326 */
327 mtx_unlock(mtx);
328
329 /*
330 * We have to remove our kqueue context from a thread because it
331 * may sleep. It would be nice if we could get a callback from
332 * kqueue when it is done cleaning up resources.
333 */
334 taskqueue_enqueue(taskqueue_thread, &softc->shutdown_kqueue_task);
335 }
336
337 static void
338 passoninvalidate(struct cam_periph *periph)
339 {
340 struct pass_softc *softc;
341
342 softc = (struct pass_softc *)periph->softc;
343
344 /*
345 * De-register any async callbacks.
346 */
347 xpt_register_async(0, passasync, periph, periph->path);
348
349 softc->flags |= PASS_FLAG_INVALID;
350
351 /*
352 * Tell devfs this device has gone away, and ask for a callback
353 * when it has cleaned up its state.
354 */
355 destroy_dev_sched_cb(softc->dev, passdevgonecb, periph);
356 }
357
358 static void
359 passcleanup(struct cam_periph *periph)
360 {
361 struct pass_softc *softc;
362
363 softc = (struct pass_softc *)periph->softc;
364
365 cam_periph_assert(periph, MA_OWNED);
366 KASSERT(TAILQ_EMPTY(&softc->active_queue),
367 ("%s called when there are commands on the active queue!\n",
368 __func__));
369 KASSERT(TAILQ_EMPTY(&softc->abandoned_queue),
370 ("%s called when there are commands on the abandoned queue!\n",
371 __func__));
372 KASSERT(TAILQ_EMPTY(&softc->incoming_queue),
373 ("%s called when there are commands on the incoming queue!\n",
374 __func__));
375 KASSERT(TAILQ_EMPTY(&softc->done_queue),
376 ("%s called when there are commands on the done queue!\n",
377 __func__));
378
379 devstat_remove_entry(softc->device_stats);
380
381 cam_periph_unlock(periph);
382
383 /*
384 * We call taskqueue_drain() for the physpath task to make sure it
385 * is complete. We drop the lock because this can potentially
386 * sleep. XXX KDM that is bad. Need a way to get a callback when
387 * a taskqueue is drained.
388 *
389 * Note that we don't drain the kqueue shutdown task queue. This
390 * is because we hold a reference on the periph for kqueue, and
391 * release that reference from the kqueue shutdown task queue. So
392 * we cannot come into this routine unless we've released that
393 * reference. Also, because that could be the last reference, we
394 * could be called from the cam_periph_release() call in
395 * pass_shutdown_kqueue(). In that case, the taskqueue_drain()
396 * would deadlock. It would be preferable if we had a way to
397 * get a callback when a taskqueue is done.
398 */
399 taskqueue_drain(taskqueue_thread, &softc->add_physpath_task);
400
401 /*
402 * It should be safe to destroy the zones from here, because all
403 * of the references to this peripheral have been freed, and all
404 * I/O has been terminated and freed. We check the zones for NULL
405 * because they may not have been allocated yet if the device went
406 * away before any asynchronous I/O has been issued.
407 */
408 if (softc->pass_zone != NULL)
409 uma_zdestroy(softc->pass_zone);
410 if (softc->pass_io_zone != NULL)
411 uma_zdestroy(softc->pass_io_zone);
412
413 cam_periph_lock(periph);
414
415 free(softc, M_DEVBUF);
416 }
417
418 static void
419 pass_shutdown_kqueue(void *context, int pending)
420 {
421 struct cam_periph *periph;
422 struct pass_softc *softc;
423
424 periph = context;
425 softc = periph->softc;
426
427 knlist_clear(&softc->read_select.si_note, /*is_locked*/ 0);
428 knlist_destroy(&softc->read_select.si_note);
429
430 /*
431 * Release the reference we held for kqueue.
432 */
433 cam_periph_release(periph);
434 }
435
436 static void
437 pass_add_physpath(void *context, int pending)
438 {
439 struct cam_periph *periph;
440 struct pass_softc *softc;
441 struct mtx *mtx;
442 char *physpath;
443
444 /*
445 * If we have one, create a devfs alias for our
446 * physical path.
447 */
448 periph = context;
449 softc = periph->softc;
450 physpath = malloc(MAXPATHLEN, M_DEVBUF, M_WAITOK);
451 mtx = cam_periph_mtx(periph);
452 mtx_lock(mtx);
453
454 if (periph->flags & CAM_PERIPH_INVALID)
455 goto out;
456
457 if (xpt_getattr(physpath, MAXPATHLEN,
458 "GEOM::physpath", periph->path) == 0
459 && strlen(physpath) != 0) {
460
461 mtx_unlock(mtx);
462 make_dev_physpath_alias(MAKEDEV_WAITOK | MAKEDEV_CHECKNAME,
463 &softc->alias_dev, softc->dev,
464 softc->alias_dev, physpath);
465 mtx_lock(mtx);
466 }
467
468 out:
469 /*
470 * Now that we've made our alias, we no longer have to have a
471 * reference to the device.
472 */
473 if ((softc->flags & PASS_FLAG_INITIAL_PHYSPATH) == 0)
474 softc->flags |= PASS_FLAG_INITIAL_PHYSPATH;
475
476 /*
477 * We always acquire a reference to the periph before queueing this
478 * task queue function, so it won't go away before we run.
479 */
480 while (pending-- > 0)
481 cam_periph_release_locked(periph);
482 mtx_unlock(mtx);
483
484 free(physpath, M_DEVBUF);
485 }
486
487 static void
488 passasync(void *callback_arg, u_int32_t code,
489 struct cam_path *path, void *arg)
490 {
491 struct cam_periph *periph;
492
493 periph = (struct cam_periph *)callback_arg;
494
495 switch (code) {
496 case AC_FOUND_DEVICE:
497 {
498 struct ccb_getdev *cgd;
499 cam_status status;
500
501 cgd = (struct ccb_getdev *)arg;
502 if (cgd == NULL)
503 break;
504
505 /*
506 * Allocate a peripheral instance for
507 * this device and start the probe
508 * process.
509 */
510 status = cam_periph_alloc(passregister, passoninvalidate,
511 passcleanup, passstart, "pass",
512 CAM_PERIPH_BIO, path,
513 passasync, AC_FOUND_DEVICE, cgd);
514
515 if (status != CAM_REQ_CMP
516 && status != CAM_REQ_INPROG) {
517 const struct cam_status_entry *entry;
518
519 entry = cam_fetch_status_entry(status);
520
521 printf("passasync: Unable to attach new device "
522 "due to status %#x: %s\n", status, entry ?
523 entry->status_text : "Unknown");
524 }
525
526 break;
527 }
528 case AC_ADVINFO_CHANGED:
529 {
530 uintptr_t buftype;
531
532 buftype = (uintptr_t)arg;
533 if (buftype == CDAI_TYPE_PHYS_PATH) {
534 struct pass_softc *softc;
535
536 softc = (struct pass_softc *)periph->softc;
537 /*
538 * Acquire a reference to the periph before we
539 * start the taskqueue, so that we don't run into
540 * a situation where the periph goes away before
541 * the task queue has a chance to run.
542 */
543 if (cam_periph_acquire(periph) != 0)
544 break;
545
546 taskqueue_enqueue(taskqueue_thread,
547 &softc->add_physpath_task);
548 }
549 break;
550 }
551 default:
552 cam_periph_async(periph, code, path, arg);
553 break;
554 }
555 }
556
557 static cam_status
558 passregister(struct cam_periph *periph, void *arg)
559 {
560 struct pass_softc *softc;
561 struct ccb_getdev *cgd;
562 struct ccb_pathinq cpi;
563 struct make_dev_args args;
564 int error, no_tags;
565
566 cgd = (struct ccb_getdev *)arg;
567 if (cgd == NULL) {
568 printf("%s: no getdev CCB, can't register device\n", __func__);
569 return(CAM_REQ_CMP_ERR);
570 }
571
572 softc = (struct pass_softc *)malloc(sizeof(*softc),
573 M_DEVBUF, M_NOWAIT);
574
575 if (softc == NULL) {
576 printf("%s: Unable to probe new device. "
577 "Unable to allocate softc\n", __func__);
578 return(CAM_REQ_CMP_ERR);
579 }
580
581 bzero(softc, sizeof(*softc));
582 softc->state = PASS_STATE_NORMAL;
583 if (cgd->protocol == PROTO_SCSI || cgd->protocol == PROTO_ATAPI)
584 softc->pd_type = SID_TYPE(&cgd->inq_data);
585 else if (cgd->protocol == PROTO_SATAPM)
586 softc->pd_type = T_ENCLOSURE;
587 else
588 softc->pd_type = T_DIRECT;
589
590 periph->softc = softc;
591 softc->periph = periph;
592 TAILQ_INIT(&softc->incoming_queue);
593 TAILQ_INIT(&softc->active_queue);
594 TAILQ_INIT(&softc->abandoned_queue);
595 TAILQ_INIT(&softc->done_queue);
596 snprintf(softc->zone_name, sizeof(softc->zone_name), "%s%d",
597 periph->periph_name, periph->unit_number);
598 snprintf(softc->io_zone_name, sizeof(softc->io_zone_name), "%s%dIO",
599 periph->periph_name, periph->unit_number);
600 softc->io_zone_size = MAXPHYS;
601 knlist_init_mtx(&softc->read_select.si_note, cam_periph_mtx(periph));
602
603 xpt_path_inq(&cpi, periph->path);
604
605 if (cpi.maxio == 0)
606 softc->maxio = DFLTPHYS; /* traditional default */
607 else if (cpi.maxio > MAXPHYS)
608 softc->maxio = MAXPHYS; /* for safety */
609 else
610 softc->maxio = cpi.maxio; /* real value */
611
612 if (cpi.hba_misc & PIM_UNMAPPED)
613 softc->flags |= PASS_FLAG_UNMAPPED_CAPABLE;
614
615 /*
616 * We pass in 0 for a blocksize, since we don't
617 * know what the blocksize of this device is, if
618 * it even has a blocksize.
619 */
620 cam_periph_unlock(periph);
621 no_tags = (cgd->inq_data.flags & SID_CmdQue) == 0;
622 softc->device_stats = devstat_new_entry("pass",
623 periph->unit_number, 0,
624 DEVSTAT_NO_BLOCKSIZE
625 | (no_tags ? DEVSTAT_NO_ORDERED_TAGS : 0),
626 softc->pd_type |
627 XPORT_DEVSTAT_TYPE(cpi.transport) |
628 DEVSTAT_TYPE_PASS,
629 DEVSTAT_PRIORITY_PASS);
630
631 /*
632 * Initialize the taskqueue handler for shutting down kqueue.
633 */
634 TASK_INIT(&softc->shutdown_kqueue_task, /*priority*/ 0,
635 pass_shutdown_kqueue, periph);
636
637 /*
638 * Acquire a reference to the periph that we can release once we've
639 * cleaned up the kqueue.
640 */
641 if (cam_periph_acquire(periph) != 0) {
642 xpt_print(periph->path, "%s: lost periph during "
643 "registration!\n", __func__);
644 cam_periph_lock(periph);
645 return (CAM_REQ_CMP_ERR);
646 }
647
648 /*
649 * Acquire a reference to the periph before we create the devfs
650 * instance for it. We'll release this reference once the devfs
651 * instance has been freed.
652 */
653 if (cam_periph_acquire(periph) != 0) {
654 xpt_print(periph->path, "%s: lost periph during "
655 "registration!\n", __func__);
656 cam_periph_lock(periph);
657 return (CAM_REQ_CMP_ERR);
658 }
659
660 /* Register the device */
661 make_dev_args_init(&args);
662 args.mda_devsw = &pass_cdevsw;
663 args.mda_unit = periph->unit_number;
664 args.mda_uid = UID_ROOT;
665 args.mda_gid = GID_OPERATOR;
666 args.mda_mode = 0600;
667 args.mda_si_drv1 = periph;
668 error = make_dev_s(&args, &softc->dev, "%s%d", periph->periph_name,
669 periph->unit_number);
670 if (error != 0) {
671 cam_periph_lock(periph);
672 cam_periph_release_locked(periph);
673 return (CAM_REQ_CMP_ERR);
674 }
675
676 /*
677 * Hold a reference to the periph before we create the physical
678 * path alias so it can't go away.
679 */
680 if (cam_periph_acquire(periph) != 0) {
681 xpt_print(periph->path, "%s: lost periph during "
682 "registration!\n", __func__);
683 cam_periph_lock(periph);
684 return (CAM_REQ_CMP_ERR);
685 }
686
687 cam_periph_lock(periph);
688
689 TASK_INIT(&softc->add_physpath_task, /*priority*/0,
690 pass_add_physpath, periph);
691
692 /*
693 * See if physical path information is already available.
694 */
695 taskqueue_enqueue(taskqueue_thread, &softc->add_physpath_task);
696
697 /*
698 * Add an async callback so that we get notified if
699 * this device goes away or its physical path
700 * (stored in the advanced info data of the EDT) has
701 * changed.
702 */
703 xpt_register_async(AC_LOST_DEVICE | AC_ADVINFO_CHANGED,
704 passasync, periph, periph->path);
705
706 if (bootverbose)
707 xpt_announce_periph(periph, NULL);
708
709 return(CAM_REQ_CMP);
710 }
711
712 static int
713 passopen(struct cdev *dev, int flags, int fmt, struct thread *td)
714 {
715 struct cam_periph *periph;
716 struct pass_softc *softc;
717 int error;
718
719 periph = (struct cam_periph *)dev->si_drv1;
720 if (cam_periph_acquire(periph) != 0)
721 return (ENXIO);
722
723 cam_periph_lock(periph);
724
725 softc = (struct pass_softc *)periph->softc;
726
727 if (softc->flags & PASS_FLAG_INVALID) {
728 cam_periph_release_locked(periph);
729 cam_periph_unlock(periph);
730 return(ENXIO);
731 }
732
733 /*
734 * Don't allow access when we're running at a high securelevel.
735 */
736 error = securelevel_gt(td->td_ucred, 1);
737 if (error) {
738 cam_periph_release_locked(periph);
739 cam_periph_unlock(periph);
740 return(error);
741 }
742
743 /*
744 * Only allow read-write access.
745 */
746 if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {
747 cam_periph_release_locked(periph);
748 cam_periph_unlock(periph);
749 return(EPERM);
750 }
751
752 /*
753 * We don't allow nonblocking access.
754 */
755 if ((flags & O_NONBLOCK) != 0) {
756 xpt_print(periph->path, "can't do nonblocking access\n");
757 cam_periph_release_locked(periph);
758 cam_periph_unlock(periph);
759 return(EINVAL);
760 }
761
762 softc->open_count++;
763
764 cam_periph_unlock(periph);
765
766 return (error);
767 }
768
769 static int
770 passclose(struct cdev *dev, int flag, int fmt, struct thread *td)
771 {
772 struct cam_periph *periph;
773 struct pass_softc *softc;
774 struct mtx *mtx;
775
776 periph = (struct cam_periph *)dev->si_drv1;
777 mtx = cam_periph_mtx(periph);
778 mtx_lock(mtx);
779
780 softc = periph->softc;
781 softc->open_count--;
782
783 if (softc->open_count == 0) {
784 struct pass_io_req *io_req, *io_req2;
785
786 TAILQ_FOREACH_SAFE(io_req, &softc->done_queue, links, io_req2) {
787 TAILQ_REMOVE(&softc->done_queue, io_req, links);
788 passiocleanup(softc, io_req);
789 uma_zfree(softc->pass_zone, io_req);
790 }
791
792 TAILQ_FOREACH_SAFE(io_req, &softc->incoming_queue, links,
793 io_req2) {
794 TAILQ_REMOVE(&softc->incoming_queue, io_req, links);
795 passiocleanup(softc, io_req);
796 uma_zfree(softc->pass_zone, io_req);
797 }
798
799 /*
800 * If there are any active I/Os, we need to forcibly acquire a
801 * reference to the peripheral so that we don't go away
802 * before they complete. We'll release the reference when
803 * the abandoned queue is empty.
804 */
805 io_req = TAILQ_FIRST(&softc->active_queue);
806 if ((io_req != NULL)
807 && (softc->flags & PASS_FLAG_ABANDONED_REF_SET) == 0) {
808 cam_periph_doacquire(periph);
809 softc->flags |= PASS_FLAG_ABANDONED_REF_SET;
810 }
811
812 /*
813 * Since the I/O in the active queue is not under our
814 * control, just set a flag so that we can clean it up when
815 * it completes and put it on the abandoned queue. This
816 * will prevent our sending spurious completions in the
817 * event that the device is opened again before these I/Os
818 * complete.
819 */
820 TAILQ_FOREACH_SAFE(io_req, &softc->active_queue, links,
821 io_req2) {
822 TAILQ_REMOVE(&softc->active_queue, io_req, links);
823 io_req->flags |= PASS_IO_ABANDONED;
824 TAILQ_INSERT_TAIL(&softc->abandoned_queue, io_req,
825 links);
826 }
827 }
828
829 cam_periph_release_locked(periph);
830
831 /*
832 * We reference the lock directly here, instead of using
833 * cam_periph_unlock(). The reason is that the call to
834 * cam_periph_release_locked() above could result in the periph
835 * getting freed. If that is the case, dereferencing the periph
836 * with a cam_periph_unlock() call would cause a page fault.
837 *
838 * cam_periph_release() avoids this problem using the same method,
839 * but we're manually acquiring and dropping the lock here to
840 * protect the open count and avoid another lock acquisition and
841 * release.
842 */
843 mtx_unlock(mtx);
844
845 return (0);
846 }
847
848
849 static void
850 passstart(struct cam_periph *periph, union ccb *start_ccb)
851 {
852 struct pass_softc *softc;
853
854 softc = (struct pass_softc *)periph->softc;
855
856 switch (softc->state) {
857 case PASS_STATE_NORMAL: {
858 struct pass_io_req *io_req;
859
860 /*
861 * Check for any queued I/O requests that require an
862 * allocated slot.
863 */
864 io_req = TAILQ_FIRST(&softc->incoming_queue);
865 if (io_req == NULL) {
866 xpt_release_ccb(start_ccb);
867 break;
868 }
869 TAILQ_REMOVE(&softc->incoming_queue, io_req, links);
870 TAILQ_INSERT_TAIL(&softc->active_queue, io_req, links);
871 /*
872 * Merge the user's CCB into the allocated CCB.
873 */
874 xpt_merge_ccb(start_ccb, &io_req->ccb);
875 start_ccb->ccb_h.ccb_type = PASS_CCB_QUEUED_IO;
876 start_ccb->ccb_h.ccb_ioreq = io_req;
877 start_ccb->ccb_h.cbfcnp = passdone;
878 io_req->alloced_ccb = start_ccb;
879 binuptime(&io_req->start_time);
880 devstat_start_transaction(softc->device_stats,
881 &io_req->start_time);
882
883 xpt_action(start_ccb);
884
885 /*
886 * If we have any more I/O waiting, schedule ourselves again.
887 */
888 if (!TAILQ_EMPTY(&softc->incoming_queue))
889 xpt_schedule(periph, CAM_PRIORITY_NORMAL);
890 break;
891 }
892 default:
893 break;
894 }
895 }
896
897 static void
898 passdone(struct cam_periph *periph, union ccb *done_ccb)
899 {
900 struct pass_softc *softc;
901 struct ccb_scsiio *csio;
902
903 softc = (struct pass_softc *)periph->softc;
904
905 cam_periph_assert(periph, MA_OWNED);
906
907 csio = &done_ccb->csio;
908 switch (csio->ccb_h.ccb_type) {
909 case PASS_CCB_QUEUED_IO: {
910 struct pass_io_req *io_req;
911
912 io_req = done_ccb->ccb_h.ccb_ioreq;
913 #if 0
914 xpt_print(periph->path, "%s: called for user CCB %p\n",
915 __func__, io_req->user_ccb_ptr);
916 #endif
917 if (((done_ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP)
918 && (done_ccb->ccb_h.flags & CAM_PASS_ERR_RECOVER)
919 && ((io_req->flags & PASS_IO_ABANDONED) == 0)) {
920 int error;
921
922 error = passerror(done_ccb, CAM_RETRY_SELTO,
923 SF_RETRY_UA | SF_NO_PRINT);
924
925 if (error == ERESTART) {
926 /*
927 * A retry was scheduled, so
928 * just return.
929 */
930 return;
931 }
932 }
933
934 /*
935 * Copy the allocated CCB contents back to the malloced CCB
936 * so we can give status back to the user when he requests it.
937 */
938 bcopy(done_ccb, &io_req->ccb, sizeof(*done_ccb));
939
940 /*
941 * Log data/transaction completion with devstat(9).
942 */
943 switch (done_ccb->ccb_h.func_code) {
944 case XPT_SCSI_IO:
945 devstat_end_transaction(softc->device_stats,
946 done_ccb->csio.dxfer_len - done_ccb->csio.resid,
947 done_ccb->csio.tag_action & 0x3,
948 ((done_ccb->ccb_h.flags & CAM_DIR_MASK) ==
949 CAM_DIR_NONE) ? DEVSTAT_NO_DATA :
950 (done_ccb->ccb_h.flags & CAM_DIR_OUT) ?
951 DEVSTAT_WRITE : DEVSTAT_READ, NULL,
952 &io_req->start_time);
953 break;
954 case XPT_ATA_IO:
955 devstat_end_transaction(softc->device_stats,
956 done_ccb->ataio.dxfer_len - done_ccb->ataio.resid,
957 0, /* Not used in ATA */
958 ((done_ccb->ccb_h.flags & CAM_DIR_MASK) ==
959 CAM_DIR_NONE) ? DEVSTAT_NO_DATA :
960 (done_ccb->ccb_h.flags & CAM_DIR_OUT) ?
961 DEVSTAT_WRITE : DEVSTAT_READ, NULL,
962 &io_req->start_time);
963 break;
964 case XPT_SMP_IO:
965 /*
966 * XXX KDM this isn't quite right, but there isn't
967 * currently an easy way to represent a bidirectional
968 * transfer in devstat. The only way to do it
969 * and have the byte counts come out right would
970 * mean that we would have to record two
971 * transactions, one for the request and one for the
972 * response. For now, so that we report something,
973 * just treat the entire thing as a read.
974 */
975 devstat_end_transaction(softc->device_stats,
976 done_ccb->smpio.smp_request_len +
977 done_ccb->smpio.smp_response_len,
978 DEVSTAT_TAG_SIMPLE, DEVSTAT_READ, NULL,
979 &io_req->start_time);
980 break;
981 default:
982 devstat_end_transaction(softc->device_stats, 0,
983 DEVSTAT_TAG_NONE, DEVSTAT_NO_DATA, NULL,
984 &io_req->start_time);
985 break;
986 }
987
988 /*
989 * In the normal case, take the completed I/O off of the
990 * active queue and put it on the done queue. Notitfy the
991 * user that we have a completed I/O.
992 */
993 if ((io_req->flags & PASS_IO_ABANDONED) == 0) {
994 TAILQ_REMOVE(&softc->active_queue, io_req, links);
995 TAILQ_INSERT_TAIL(&softc->done_queue, io_req, links);
996 selwakeuppri(&softc->read_select, PRIBIO);
997 KNOTE_LOCKED(&softc->read_select.si_note, 0);
998 } else {
999 /*
1000 * In the case of an abandoned I/O (final close
1001 * without fetching the I/O), take it off of the
1002 * abandoned queue and free it.
1003 */
1004 TAILQ_REMOVE(&softc->abandoned_queue, io_req, links);
1005 passiocleanup(softc, io_req);
1006 uma_zfree(softc->pass_zone, io_req);
1007
1008 /*
1009 * Release the done_ccb here, since we may wind up
1010 * freeing the peripheral when we decrement the
1011 * reference count below.
1012 */
1013 xpt_release_ccb(done_ccb);
1014
1015 /*
1016 * If the abandoned queue is empty, we can release
1017 * our reference to the periph since we won't have
1018 * any more completions coming.
1019 */
1020 if ((TAILQ_EMPTY(&softc->abandoned_queue))
1021 && (softc->flags & PASS_FLAG_ABANDONED_REF_SET)) {
1022 softc->flags &= ~PASS_FLAG_ABANDONED_REF_SET;
1023 cam_periph_release_locked(periph);
1024 }
1025
1026 /*
1027 * We have already released the CCB, so we can
1028 * return.
1029 */
1030 return;
1031 }
1032 break;
1033 }
1034 }
1035 xpt_release_ccb(done_ccb);
1036 }
1037
1038 static int
1039 passcreatezone(struct cam_periph *periph)
1040 {
1041 struct pass_softc *softc;
1042 int error;
1043
1044 error = 0;
1045 softc = (struct pass_softc *)periph->softc;
1046
1047 cam_periph_assert(periph, MA_OWNED);
1048 KASSERT(((softc->flags & PASS_FLAG_ZONE_VALID) == 0),
1049 ("%s called when the pass(4) zone is valid!\n", __func__));
1050 KASSERT((softc->pass_zone == NULL),
1051 ("%s called when the pass(4) zone is allocated!\n", __func__));
1052
1053 if ((softc->flags & PASS_FLAG_ZONE_INPROG) == 0) {
1054
1055 /*
1056 * We're the first context through, so we need to create
1057 * the pass(4) UMA zone for I/O requests.
1058 */
1059 softc->flags |= PASS_FLAG_ZONE_INPROG;
1060
1061 /*
1062 * uma_zcreate() does a blocking (M_WAITOK) allocation,
1063 * so we cannot hold a mutex while we call it.
1064 */
1065 cam_periph_unlock(periph);
1066
1067 softc->pass_zone = uma_zcreate(softc->zone_name,
1068 sizeof(struct pass_io_req), NULL, NULL, NULL, NULL,
1069 /*align*/ 0, /*flags*/ 0);
1070
1071 softc->pass_io_zone = uma_zcreate(softc->io_zone_name,
1072 softc->io_zone_size, NULL, NULL, NULL, NULL,
1073 /*align*/ 0, /*flags*/ 0);
1074
1075 cam_periph_lock(periph);
1076
1077 if ((softc->pass_zone == NULL)
1078 || (softc->pass_io_zone == NULL)) {
1079 if (softc->pass_zone == NULL)
1080 xpt_print(periph->path, "unable to allocate "
1081 "IO Req UMA zone\n");
1082 else
1083 xpt_print(periph->path, "unable to allocate "
1084 "IO UMA zone\n");
1085 softc->flags &= ~PASS_FLAG_ZONE_INPROG;
1086 goto bailout;
1087 }
1088
1089 /*
1090 * Set the flags appropriately and notify any other waiters.
1091 */
1092 softc->flags &= ~PASS_FLAG_ZONE_INPROG;
1093 softc->flags |= PASS_FLAG_ZONE_VALID;
1094 wakeup(&softc->pass_zone);
1095 } else {
1096 /*
1097 * In this case, the UMA zone has not yet been created, but
1098 * another context is in the process of creating it. We
1099 * need to sleep until the creation is either done or has
1100 * failed.
1101 */
1102 while ((softc->flags & PASS_FLAG_ZONE_INPROG)
1103 && ((softc->flags & PASS_FLAG_ZONE_VALID) == 0)) {
1104 error = msleep(&softc->pass_zone,
1105 cam_periph_mtx(periph), PRIBIO,
1106 "paszon", 0);
1107 if (error != 0)
1108 goto bailout;
1109 }
1110 /*
1111 * If the zone creation failed, no luck for the user.
1112 */
1113 if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0){
1114 error = ENOMEM;
1115 goto bailout;
1116 }
1117 }
1118 bailout:
1119 return (error);
1120 }
1121
1122 static void
1123 passiocleanup(struct pass_softc *softc, struct pass_io_req *io_req)
1124 {
1125 union ccb *ccb;
1126 u_int8_t **data_ptrs[CAM_PERIPH_MAXMAPS];
1127 int i, numbufs;
1128
1129 ccb = &io_req->ccb;
1130
1131 switch (ccb->ccb_h.func_code) {
1132 case XPT_DEV_MATCH:
1133 numbufs = min(io_req->num_bufs, 2);
1134
1135 if (numbufs == 1) {
1136 data_ptrs[0] = (u_int8_t **)&ccb->cdm.matches;
1137 } else {
1138 data_ptrs[0] = (u_int8_t **)&ccb->cdm.patterns;
1139 data_ptrs[1] = (u_int8_t **)&ccb->cdm.matches;
1140 }
1141 break;
1142 case XPT_SCSI_IO:
1143 case XPT_CONT_TARGET_IO:
1144 data_ptrs[0] = &ccb->csio.data_ptr;
1145 numbufs = min(io_req->num_bufs, 1);
1146 break;
1147 case XPT_ATA_IO:
1148 data_ptrs[0] = &ccb->ataio.data_ptr;
1149 numbufs = min(io_req->num_bufs, 1);
1150 break;
1151 case XPT_SMP_IO:
1152 numbufs = min(io_req->num_bufs, 2);
1153 data_ptrs[0] = &ccb->smpio.smp_request;
1154 data_ptrs[1] = &ccb->smpio.smp_response;
1155 break;
1156 case XPT_DEV_ADVINFO:
1157 numbufs = min(io_req->num_bufs, 1);
1158 data_ptrs[0] = (uint8_t **)&ccb->cdai.buf;
1159 break;
1160 case XPT_NVME_IO:
1161 case XPT_NVME_ADMIN:
1162 data_ptrs[0] = &ccb->nvmeio.data_ptr;
1163 numbufs = min(io_req->num_bufs, 1);
1164 break;
1165 default:
1166 /* allow ourselves to be swapped once again */
1167 return;
1168 break; /* NOTREACHED */
1169 }
1170
1171 if (io_req->flags & PASS_IO_USER_SEG_MALLOC) {
1172 free(io_req->user_segptr, M_SCSIPASS);
1173 io_req->user_segptr = NULL;
1174 }
1175
1176 /*
1177 * We only want to free memory we malloced.
1178 */
1179 if (io_req->data_flags == CAM_DATA_VADDR) {
1180 for (i = 0; i < io_req->num_bufs; i++) {
1181 if (io_req->kern_bufs[i] == NULL)
1182 continue;
1183
1184 free(io_req->kern_bufs[i], M_SCSIPASS);
1185 io_req->kern_bufs[i] = NULL;
1186 }
1187 } else if (io_req->data_flags == CAM_DATA_SG) {
1188 for (i = 0; i < io_req->num_kern_segs; i++) {
1189 if ((uint8_t *)(uintptr_t)
1190 io_req->kern_segptr[i].ds_addr == NULL)
1191 continue;
1192
1193 uma_zfree(softc->pass_io_zone, (uint8_t *)(uintptr_t)
1194 io_req->kern_segptr[i].ds_addr);
1195 io_req->kern_segptr[i].ds_addr = 0;
1196 }
1197 }
1198
1199 if (io_req->flags & PASS_IO_KERN_SEG_MALLOC) {
1200 free(io_req->kern_segptr, M_SCSIPASS);
1201 io_req->kern_segptr = NULL;
1202 }
1203
1204 if (io_req->data_flags != CAM_DATA_PADDR) {
1205 for (i = 0; i < numbufs; i++) {
1206 /*
1207 * Restore the user's buffer pointers to their
1208 * previous values.
1209 */
1210 if (io_req->user_bufs[i] != NULL)
1211 *data_ptrs[i] = io_req->user_bufs[i];
1212 }
1213 }
1214
1215 }
1216
1217 static int
1218 passcopysglist(struct cam_periph *periph, struct pass_io_req *io_req,
1219 ccb_flags direction)
1220 {
1221 bus_size_t kern_watermark, user_watermark, len_copied, len_to_copy;
1222 bus_dma_segment_t *user_sglist, *kern_sglist;
1223 int i, j, error;
1224
1225 error = 0;
1226 kern_watermark = 0;
1227 user_watermark = 0;
1228 len_to_copy = 0;
1229 len_copied = 0;
1230 user_sglist = io_req->user_segptr;
1231 kern_sglist = io_req->kern_segptr;
1232
1233 for (i = 0, j = 0; i < io_req->num_user_segs &&
1234 j < io_req->num_kern_segs;) {
1235 uint8_t *user_ptr, *kern_ptr;
1236
1237 len_to_copy = min(user_sglist[i].ds_len -user_watermark,
1238 kern_sglist[j].ds_len - kern_watermark);
1239
1240 user_ptr = (uint8_t *)(uintptr_t)user_sglist[i].ds_addr;
1241 user_ptr = user_ptr + user_watermark;
1242 kern_ptr = (uint8_t *)(uintptr_t)kern_sglist[j].ds_addr;
1243 kern_ptr = kern_ptr + kern_watermark;
1244
1245 user_watermark += len_to_copy;
1246 kern_watermark += len_to_copy;
1247
1248 if (!useracc(user_ptr, len_to_copy,
1249 (direction == CAM_DIR_IN) ? VM_PROT_WRITE : VM_PROT_READ)) {
1250 xpt_print(periph->path, "%s: unable to access user "
1251 "S/G list element %p len %zu\n", __func__,
1252 user_ptr, len_to_copy);
1253 error = EFAULT;
1254 goto bailout;
1255 }
1256
1257 if (direction == CAM_DIR_IN) {
1258 error = copyout(kern_ptr, user_ptr, len_to_copy);
1259 if (error != 0) {
1260 xpt_print(periph->path, "%s: copyout of %u "
1261 "bytes from %p to %p failed with "
1262 "error %d\n", __func__, len_to_copy,
1263 kern_ptr, user_ptr, error);
1264 goto bailout;
1265 }
1266 } else {
1267 error = copyin(user_ptr, kern_ptr, len_to_copy);
1268 if (error != 0) {
1269 xpt_print(periph->path, "%s: copyin of %u "
1270 "bytes from %p to %p failed with "
1271 "error %d\n", __func__, len_to_copy,
1272 user_ptr, kern_ptr, error);
1273 goto bailout;
1274 }
1275 }
1276
1277 len_copied += len_to_copy;
1278
1279 if (user_sglist[i].ds_len == user_watermark) {
1280 i++;
1281 user_watermark = 0;
1282 }
1283
1284 if (kern_sglist[j].ds_len == kern_watermark) {
1285 j++;
1286 kern_watermark = 0;
1287 }
1288 }
1289
1290 bailout:
1291
1292 return (error);
1293 }
1294
1295 static int
1296 passmemsetup(struct cam_periph *periph, struct pass_io_req *io_req)
1297 {
1298 union ccb *ccb;
1299 struct pass_softc *softc;
1300 int numbufs, i;
1301 uint8_t **data_ptrs[CAM_PERIPH_MAXMAPS];
1302 uint32_t lengths[CAM_PERIPH_MAXMAPS];
1303 uint32_t dirs[CAM_PERIPH_MAXMAPS];
1304 uint32_t num_segs;
1305 uint16_t *seg_cnt_ptr;
1306 size_t maxmap;
1307 int error;
1308
1309 cam_periph_assert(periph, MA_NOTOWNED);
1310
1311 softc = periph->softc;
1312
1313 error = 0;
1314 ccb = &io_req->ccb;
1315 maxmap = 0;
1316 num_segs = 0;
1317 seg_cnt_ptr = NULL;
1318
1319 switch(ccb->ccb_h.func_code) {
1320 case XPT_DEV_MATCH:
1321 if (ccb->cdm.match_buf_len == 0) {
1322 printf("%s: invalid match buffer length 0\n", __func__);
1323 return(EINVAL);
1324 }
1325 if (ccb->cdm.pattern_buf_len > 0) {
1326 data_ptrs[0] = (u_int8_t **)&ccb->cdm.patterns;
1327 lengths[0] = ccb->cdm.pattern_buf_len;
1328 dirs[0] = CAM_DIR_OUT;
1329 data_ptrs[1] = (u_int8_t **)&ccb->cdm.matches;
1330 lengths[1] = ccb->cdm.match_buf_len;
1331 dirs[1] = CAM_DIR_IN;
1332 numbufs = 2;
1333 } else {
1334 data_ptrs[0] = (u_int8_t **)&ccb->cdm.matches;
1335 lengths[0] = ccb->cdm.match_buf_len;
1336 dirs[0] = CAM_DIR_IN;
1337 numbufs = 1;
1338 }
1339 io_req->data_flags = CAM_DATA_VADDR;
1340 break;
1341 case XPT_SCSI_IO:
1342 case XPT_CONT_TARGET_IO:
1343 if ((ccb->ccb_h.flags & CAM_DIR_MASK) == CAM_DIR_NONE)
1344 return(0);
1345
1346 /*
1347 * The user shouldn't be able to supply a bio.
1348 */
1349 if ((ccb->ccb_h.flags & CAM_DATA_MASK) == CAM_DATA_BIO)
1350 return (EINVAL);
1351
1352 io_req->data_flags = ccb->ccb_h.flags & CAM_DATA_MASK;
1353
1354 data_ptrs[0] = &ccb->csio.data_ptr;
1355 lengths[0] = ccb->csio.dxfer_len;
1356 dirs[0] = ccb->ccb_h.flags & CAM_DIR_MASK;
1357 num_segs = ccb->csio.sglist_cnt;
1358 seg_cnt_ptr = &ccb->csio.sglist_cnt;
1359 numbufs = 1;
1360 maxmap = softc->maxio;
1361 break;
1362 case XPT_ATA_IO:
1363 if ((ccb->ccb_h.flags & CAM_DIR_MASK) == CAM_DIR_NONE)
1364 return(0);
1365
1366 /*
1367 * We only support a single virtual address for ATA I/O.
1368 */
1369 if ((ccb->ccb_h.flags & CAM_DATA_MASK) != CAM_DATA_VADDR)
1370 return (EINVAL);
1371
1372 io_req->data_flags = CAM_DATA_VADDR;
1373
1374 data_ptrs[0] = &ccb->ataio.data_ptr;
1375 lengths[0] = ccb->ataio.dxfer_len;
1376 dirs[0] = ccb->ccb_h.flags & CAM_DIR_MASK;
1377 numbufs = 1;
1378 maxmap = softc->maxio;
1379 break;
1380 case XPT_SMP_IO:
1381 io_req->data_flags = CAM_DATA_VADDR;
1382
1383 data_ptrs[0] = &ccb->smpio.smp_request;
1384 lengths[0] = ccb->smpio.smp_request_len;
1385 dirs[0] = CAM_DIR_OUT;
1386 data_ptrs[1] = &ccb->smpio.smp_response;
1387 lengths[1] = ccb->smpio.smp_response_len;
1388 dirs[1] = CAM_DIR_IN;
1389 numbufs = 2;
1390 maxmap = softc->maxio;
1391 break;
1392 case XPT_DEV_ADVINFO:
1393 if (ccb->cdai.bufsiz == 0)
1394 return (0);
1395
1396 io_req->data_flags = CAM_DATA_VADDR;
1397
1398 data_ptrs[0] = (uint8_t **)&ccb->cdai.buf;
1399 lengths[0] = ccb->cdai.bufsiz;
1400 dirs[0] = CAM_DIR_IN;
1401 numbufs = 1;
1402 break;
1403 case XPT_NVME_ADMIN:
1404 case XPT_NVME_IO:
1405 if ((ccb->ccb_h.flags & CAM_DIR_MASK) == CAM_DIR_NONE)
1406 return (0);
1407
1408 io_req->data_flags = ccb->ccb_h.flags & CAM_DATA_MASK;
1409
1410 data_ptrs[0] = &ccb->nvmeio.data_ptr;
1411 lengths[0] = ccb->nvmeio.dxfer_len;
1412 dirs[0] = ccb->ccb_h.flags & CAM_DIR_MASK;
1413 num_segs = ccb->nvmeio.sglist_cnt;
1414 seg_cnt_ptr = &ccb->nvmeio.sglist_cnt;
1415 numbufs = 1;
1416 maxmap = softc->maxio;
1417 break;
1418 default:
1419 return(EINVAL);
1420 break; /* NOTREACHED */
1421 }
1422
1423 io_req->num_bufs = numbufs;
1424
1425 /*
1426 * If there is a maximum, check to make sure that the user's
1427 * request fits within the limit. In general, we should only have
1428 * a maximum length for requests that go to hardware. Otherwise it
1429 * is whatever we're able to malloc.
1430 */
1431 for (i = 0; i < numbufs; i++) {
1432 io_req->user_bufs[i] = *data_ptrs[i];
1433 io_req->dirs[i] = dirs[i];
1434 io_req->lengths[i] = lengths[i];
1435
1436 if (maxmap == 0)
1437 continue;
1438
1439 if (lengths[i] <= maxmap)
1440 continue;
1441
1442 xpt_print(periph->path, "%s: data length %u > max allowed %u "
1443 "bytes\n", __func__, lengths[i], maxmap);
1444 error = EINVAL;
1445 goto bailout;
1446 }
1447
1448 switch (io_req->data_flags) {
1449 case CAM_DATA_VADDR:
1450 /* Map or copy the buffer into kernel address space */
1451 for (i = 0; i < numbufs; i++) {
1452 uint8_t *tmp_buf;
1453
1454 /*
1455 * If for some reason no length is specified, we
1456 * don't need to allocate anything.
1457 */
1458 if (io_req->lengths[i] == 0)
1459 continue;
1460
1461 /*
1462 * Make sure that the user's buffer is accessible
1463 * to that process.
1464 */
1465 if (!useracc(io_req->user_bufs[i], io_req->lengths[i],
1466 (io_req->dirs[i] == CAM_DIR_IN) ? VM_PROT_WRITE :
1467 VM_PROT_READ)) {
1468 xpt_print(periph->path, "%s: user address %p "
1469 "length %u is not accessible\n", __func__,
1470 io_req->user_bufs[i], io_req->lengths[i]);
1471 error = EFAULT;
1472 goto bailout;
1473 }
1474
1475 tmp_buf = malloc(lengths[i], M_SCSIPASS,
1476 M_WAITOK | M_ZERO);
1477 io_req->kern_bufs[i] = tmp_buf;
1478 *data_ptrs[i] = tmp_buf;
1479
1480 #if 0
1481 xpt_print(periph->path, "%s: malloced %p len %u, user "
1482 "buffer %p, operation: %s\n", __func__,
1483 tmp_buf, lengths[i], io_req->user_bufs[i],
1484 (dirs[i] == CAM_DIR_IN) ? "read" : "write");
1485 #endif
1486 /*
1487 * We only need to copy in if the user is writing.
1488 */
1489 if (dirs[i] != CAM_DIR_OUT)
1490 continue;
1491
1492 error = copyin(io_req->user_bufs[i],
1493 io_req->kern_bufs[i], lengths[i]);
1494 if (error != 0) {
1495 xpt_print(periph->path, "%s: copy of user "
1496 "buffer from %p to %p failed with "
1497 "error %d\n", __func__,
1498 io_req->user_bufs[i],
1499 io_req->kern_bufs[i], error);
1500 goto bailout;
1501 }
1502 }
1503 break;
1504 case CAM_DATA_PADDR:
1505 /* Pass down the pointer as-is */
1506 break;
1507 case CAM_DATA_SG: {
1508 size_t sg_length, size_to_go, alloc_size;
1509 uint32_t num_segs_needed;
1510
1511 /*
1512 * Copy the user S/G list in, and then copy in the
1513 * individual segments.
1514 */
1515 /*
1516 * We shouldn't see this, but check just in case.
1517 */
1518 if (numbufs != 1) {
1519 xpt_print(periph->path, "%s: cannot currently handle "
1520 "more than one S/G list per CCB\n", __func__);
1521 error = EINVAL;
1522 goto bailout;
1523 }
1524
1525 /*
1526 * We have to have at least one segment.
1527 */
1528 if (num_segs == 0) {
1529 xpt_print(periph->path, "%s: CAM_DATA_SG flag set, "
1530 "but sglist_cnt=0!\n", __func__);
1531 error = EINVAL;
1532 goto bailout;
1533 }
1534
1535 /*
1536 * Make sure the user specified the total length and didn't
1537 * just leave it to us to decode the S/G list.
1538 */
1539 if (lengths[0] == 0) {
1540 xpt_print(periph->path, "%s: no dxfer_len specified, "
1541 "but CAM_DATA_SG flag is set!\n", __func__);
1542 error = EINVAL;
1543 goto bailout;
1544 }
1545
1546 /*
1547 * We allocate buffers in io_zone_size increments for an
1548 * S/G list. This will generally be MAXPHYS.
1549 */
1550 if (lengths[0] <= softc->io_zone_size)
1551 num_segs_needed = 1;
1552 else {
1553 num_segs_needed = lengths[0] / softc->io_zone_size;
1554 if ((lengths[0] % softc->io_zone_size) != 0)
1555 num_segs_needed++;
1556 }
1557
1558 /* Figure out the size of the S/G list */
1559 sg_length = num_segs * sizeof(bus_dma_segment_t);
1560 io_req->num_user_segs = num_segs;
1561 io_req->num_kern_segs = num_segs_needed;
1562
1563 /* Save the user's S/G list pointer for later restoration */
1564 io_req->user_bufs[0] = *data_ptrs[0];
1565
1566 /*
1567 * If we have enough segments allocated by default to handle
1568 * the length of the user's S/G list,
1569 */
1570 if (num_segs > PASS_MAX_SEGS) {
1571 io_req->user_segptr = malloc(sizeof(bus_dma_segment_t) *
1572 num_segs, M_SCSIPASS, M_WAITOK | M_ZERO);
1573 io_req->flags |= PASS_IO_USER_SEG_MALLOC;
1574 } else
1575 io_req->user_segptr = io_req->user_segs;
1576
1577 if (!useracc(*data_ptrs[0], sg_length, VM_PROT_READ)) {
1578 xpt_print(periph->path, "%s: unable to access user "
1579 "S/G list at %p\n", __func__, *data_ptrs[0]);
1580 error = EFAULT;
1581 goto bailout;
1582 }
1583
1584 error = copyin(*data_ptrs[0], io_req->user_segptr, sg_length);
1585 if (error != 0) {
1586 xpt_print(periph->path, "%s: copy of user S/G list "
1587 "from %p to %p failed with error %d\n",
1588 __func__, *data_ptrs[0], io_req->user_segptr,
1589 error);
1590 goto bailout;
1591 }
1592
1593 if (num_segs_needed > PASS_MAX_SEGS) {
1594 io_req->kern_segptr = malloc(sizeof(bus_dma_segment_t) *
1595 num_segs_needed, M_SCSIPASS, M_WAITOK | M_ZERO);
1596 io_req->flags |= PASS_IO_KERN_SEG_MALLOC;
1597 } else {
1598 io_req->kern_segptr = io_req->kern_segs;
1599 }
1600
1601 /*
1602 * Allocate the kernel S/G list.
1603 */
1604 for (size_to_go = lengths[0], i = 0;
1605 size_to_go > 0 && i < num_segs_needed;
1606 i++, size_to_go -= alloc_size) {
1607 uint8_t *kern_ptr;
1608
1609 alloc_size = min(size_to_go, softc->io_zone_size);
1610 kern_ptr = uma_zalloc(softc->pass_io_zone, M_WAITOK);
1611 io_req->kern_segptr[i].ds_addr =
1612 (bus_addr_t)(uintptr_t)kern_ptr;
1613 io_req->kern_segptr[i].ds_len = alloc_size;
1614 }
1615 if (size_to_go > 0) {
1616 printf("%s: size_to_go = %zu, software error!\n",
1617 __func__, size_to_go);
1618 error = EINVAL;
1619 goto bailout;
1620 }
1621
1622 *data_ptrs[0] = (uint8_t *)io_req->kern_segptr;
1623 *seg_cnt_ptr = io_req->num_kern_segs;
1624
1625 /*
1626 * We only need to copy data here if the user is writing.
1627 */
1628 if (dirs[0] == CAM_DIR_OUT)
1629 error = passcopysglist(periph, io_req, dirs[0]);
1630 break;
1631 }
1632 case CAM_DATA_SG_PADDR: {
1633 size_t sg_length;
1634
1635 /*
1636 * We shouldn't see this, but check just in case.
1637 */
1638 if (numbufs != 1) {
1639 printf("%s: cannot currently handle more than one "
1640 "S/G list per CCB\n", __func__);
1641 error = EINVAL;
1642 goto bailout;
1643 }
1644
1645 /*
1646 * We have to have at least one segment.
1647 */
1648 if (num_segs == 0) {
1649 xpt_print(periph->path, "%s: CAM_DATA_SG_PADDR flag "
1650 "set, but sglist_cnt=0!\n", __func__);
1651 error = EINVAL;
1652 goto bailout;
1653 }
1654
1655 /*
1656 * Make sure the user specified the total length and didn't
1657 * just leave it to us to decode the S/G list.
1658 */
1659 if (lengths[0] == 0) {
1660 xpt_print(periph->path, "%s: no dxfer_len specified, "
1661 "but CAM_DATA_SG flag is set!\n", __func__);
1662 error = EINVAL;
1663 goto bailout;
1664 }
1665
1666 /* Figure out the size of the S/G list */
1667 sg_length = num_segs * sizeof(bus_dma_segment_t);
1668 io_req->num_user_segs = num_segs;
1669 io_req->num_kern_segs = io_req->num_user_segs;
1670
1671 /* Save the user's S/G list pointer for later restoration */
1672 io_req->user_bufs[0] = *data_ptrs[0];
1673
1674 if (num_segs > PASS_MAX_SEGS) {
1675 io_req->user_segptr = malloc(sizeof(bus_dma_segment_t) *
1676 num_segs, M_SCSIPASS, M_WAITOK | M_ZERO);
1677 io_req->flags |= PASS_IO_USER_SEG_MALLOC;
1678 } else
1679 io_req->user_segptr = io_req->user_segs;
1680
1681 io_req->kern_segptr = io_req->user_segptr;
1682
1683 error = copyin(*data_ptrs[0], io_req->user_segptr, sg_length);
1684 if (error != 0) {
1685 xpt_print(periph->path, "%s: copy of user S/G list "
1686 "from %p to %p failed with error %d\n",
1687 __func__, *data_ptrs[0], io_req->user_segptr,
1688 error);
1689 goto bailout;
1690 }
1691 break;
1692 }
1693 default:
1694 case CAM_DATA_BIO:
1695 /*
1696 * A user shouldn't be attaching a bio to the CCB. It
1697 * isn't a user-accessible structure.
1698 */
1699 error = EINVAL;
1700 break;
1701 }
1702
1703 bailout:
1704 if (error != 0)
1705 passiocleanup(softc, io_req);
1706
1707 return (error);
1708 }
1709
1710 static int
1711 passmemdone(struct cam_periph *periph, struct pass_io_req *io_req)
1712 {
1713 struct pass_softc *softc;
1714 int error;
1715 int i;
1716
1717 error = 0;
1718 softc = (struct pass_softc *)periph->softc;
1719
1720 switch (io_req->data_flags) {
1721 case CAM_DATA_VADDR:
1722 /*
1723 * Copy back to the user buffer if this was a read.
1724 */
1725 for (i = 0; i < io_req->num_bufs; i++) {
1726 if (io_req->dirs[i] != CAM_DIR_IN)
1727 continue;
1728
1729 error = copyout(io_req->kern_bufs[i],
1730 io_req->user_bufs[i], io_req->lengths[i]);
1731 if (error != 0) {
1732 xpt_print(periph->path, "Unable to copy %u "
1733 "bytes from %p to user address %p\n",
1734 io_req->lengths[i],
1735 io_req->kern_bufs[i],
1736 io_req->user_bufs[i]);
1737 goto bailout;
1738 }
1739
1740 }
1741 break;
1742 case CAM_DATA_PADDR:
1743 /* Do nothing. The pointer is a physical address already */
1744 break;
1745 case CAM_DATA_SG:
1746 /*
1747 * Copy back to the user buffer if this was a read.
1748 * Restore the user's S/G list buffer pointer.
1749 */
1750 if (io_req->dirs[0] == CAM_DIR_IN)
1751 error = passcopysglist(periph, io_req, io_req->dirs[0]);
1752 break;
1753 case CAM_DATA_SG_PADDR:
1754 /*
1755 * Restore the user's S/G list buffer pointer. No need to
1756 * copy.
1757 */
1758 break;
1759 default:
1760 case CAM_DATA_BIO:
1761 error = EINVAL;
1762 break;
1763 }
1764
1765 bailout:
1766 /*
1767 * Reset the user's pointers to their original values and free
1768 * allocated memory.
1769 */
1770 passiocleanup(softc, io_req);
1771
1772 return (error);
1773 }
1774
1775 static int
1776 passioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td)
1777 {
1778 int error;
1779
1780 if ((error = passdoioctl(dev, cmd, addr, flag, td)) == ENOTTY) {
1781 error = cam_compat_ioctl(dev, cmd, addr, flag, td, passdoioctl);
1782 }
1783 return (error);
1784 }
1785
1786 static int
1787 passdoioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag, struct thread *td)
1788 {
1789 struct cam_periph *periph;
1790 struct pass_softc *softc;
1791 int error;
1792 uint32_t priority;
1793
1794 periph = (struct cam_periph *)dev->si_drv1;
1795 cam_periph_lock(periph);
1796 softc = (struct pass_softc *)periph->softc;
1797
1798 error = 0;
1799
1800 switch (cmd) {
1801
1802 case CAMIOCOMMAND:
1803 {
1804 union ccb *inccb;
1805 union ccb *ccb;
1806 int ccb_malloced;
1807
1808 inccb = (union ccb *)addr;
1809 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
1810 if (inccb->ccb_h.func_code == XPT_SCSI_IO)
1811 inccb->csio.bio = NULL;
1812 #endif
1813
1814 if (inccb->ccb_h.flags & CAM_UNLOCKED) {
1815 error = EINVAL;
1816 break;
1817 }
1818
1819 /*
1820 * Some CCB types, like scan bus and scan lun can only go
1821 * through the transport layer device.
1822 */
1823 if (inccb->ccb_h.func_code & XPT_FC_XPT_ONLY) {
1824 xpt_print(periph->path, "CCB function code %#x is "
1825 "restricted to the XPT device\n",
1826 inccb->ccb_h.func_code);
1827 error = ENODEV;
1828 break;
1829 }
1830
1831 /* Compatibility for RL/priority-unaware code. */
1832 priority = inccb->ccb_h.pinfo.priority;
1833 if (priority <= CAM_PRIORITY_OOB)
1834 priority += CAM_PRIORITY_OOB + 1;
1835
1836 /*
1837 * Non-immediate CCBs need a CCB from the per-device pool
1838 * of CCBs, which is scheduled by the transport layer.
1839 * Immediate CCBs and user-supplied CCBs should just be
1840 * malloced.
1841 */
1842 if ((inccb->ccb_h.func_code & XPT_FC_QUEUED)
1843 && ((inccb->ccb_h.func_code & XPT_FC_USER_CCB) == 0)) {
1844 ccb = cam_periph_getccb(periph, priority);
1845 ccb_malloced = 0;
1846 } else {
1847 ccb = xpt_alloc_ccb_nowait();
1848
1849 if (ccb != NULL)
1850 xpt_setup_ccb(&ccb->ccb_h, periph->path,
1851 priority);
1852 ccb_malloced = 1;
1853 }
1854
1855 if (ccb == NULL) {
1856 xpt_print(periph->path, "unable to allocate CCB\n");
1857 error = ENOMEM;
1858 break;
1859 }
1860
1861 error = passsendccb(periph, ccb, inccb);
1862
1863 if (ccb_malloced)
1864 xpt_free_ccb(ccb);
1865 else
1866 xpt_release_ccb(ccb);
1867
1868 break;
1869 }
1870 case CAMIOQUEUE:
1871 {
1872 struct pass_io_req *io_req;
1873 union ccb **user_ccb, *ccb;
1874 xpt_opcode fc;
1875
1876 #ifdef COMPAT_FREEBSD32
1877 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
1878 error = ENOTTY;
1879 goto bailout;
1880 }
1881 #endif
1882 if ((softc->flags & PASS_FLAG_ZONE_VALID) == 0) {
1883 error = passcreatezone(periph);
1884 if (error != 0)
1885 goto bailout;
1886 }
1887
1888 /*
1889 * We're going to do a blocking allocation for this I/O
1890 * request, so we have to drop the lock.
1891 */
1892 cam_periph_unlock(periph);
1893
1894 io_req = uma_zalloc(softc->pass_zone, M_WAITOK | M_ZERO);
1895 ccb = &io_req->ccb;
1896 user_ccb = (union ccb **)addr;
1897
1898 /*
1899 * Unlike the CAMIOCOMMAND ioctl above, we only have a
1900 * pointer to the user's CCB, so we have to copy the whole
1901 * thing in to a buffer we have allocated (above) instead
1902 * of allowing the ioctl code to malloc a buffer and copy
1903 * it in.
1904 *
1905 * This is an advantage for this asynchronous interface,
1906 * since we don't want the memory to get freed while the
1907 * CCB is outstanding.
1908 */
1909 #if 0
1910 xpt_print(periph->path, "Copying user CCB %p to "
1911 "kernel address %p\n", *user_ccb, ccb);
1912 #endif
1913 error = copyin(*user_ccb, ccb, sizeof(*ccb));
1914 if (error != 0) {
1915 xpt_print(periph->path, "Copy of user CCB %p to "
1916 "kernel address %p failed with error %d\n",
1917 *user_ccb, ccb, error);
1918 goto camioqueue_error;
1919 }
1920 #if defined(BUF_TRACKING) || defined(FULL_BUF_TRACKING)
1921 if (ccb->ccb_h.func_code == XPT_SCSI_IO)
1922 ccb->csio.bio = NULL;
1923 #endif
1924
1925 if (ccb->ccb_h.flags & CAM_UNLOCKED) {
1926 error = EINVAL;
1927 goto camioqueue_error;
1928 }
1929
1930 if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
1931 if (ccb->csio.cdb_len > IOCDBLEN) {
1932 error = EINVAL;
1933 goto camioqueue_error;
1934 }
1935 error = copyin(ccb->csio.cdb_io.cdb_ptr,
1936 ccb->csio.cdb_io.cdb_bytes, ccb->csio.cdb_len);
1937 if (error != 0)
1938 goto camioqueue_error;
1939 ccb->ccb_h.flags &= ~CAM_CDB_POINTER;
1940 }
1941
1942 /*
1943 * Some CCB types, like scan bus and scan lun can only go
1944 * through the transport layer device.
1945 */
1946 if (ccb->ccb_h.func_code & XPT_FC_XPT_ONLY) {
1947 xpt_print(periph->path, "CCB function code %#x is "
1948 "restricted to the XPT device\n",
1949 ccb->ccb_h.func_code);
1950 error = ENODEV;
1951 goto camioqueue_error;
1952 }
1953
1954 /*
1955 * Save the user's CCB pointer as well as his linked list
1956 * pointers and peripheral private area so that we can
1957 * restore these later.
1958 */
1959 io_req->user_ccb_ptr = *user_ccb;
1960 io_req->user_periph_links = ccb->ccb_h.periph_links;
1961 io_req->user_periph_priv = ccb->ccb_h.periph_priv;
1962
1963 /*
1964 * Now that we've saved the user's values, we can set our
1965 * own peripheral private entry.
1966 */
1967 ccb->ccb_h.ccb_ioreq = io_req;
1968
1969 /* Compatibility for RL/priority-unaware code. */
1970 priority = ccb->ccb_h.pinfo.priority;
1971 if (priority <= CAM_PRIORITY_OOB)
1972 priority += CAM_PRIORITY_OOB + 1;
1973
1974 /*
1975 * Setup fields in the CCB like the path and the priority.
1976 * The path in particular cannot be done in userland, since
1977 * it is a pointer to a kernel data structure.
1978 */
1979 xpt_setup_ccb_flags(&ccb->ccb_h, periph->path, priority,
1980 ccb->ccb_h.flags);
1981
1982 /*
1983 * Setup our done routine. There is no way for the user to
1984 * have a valid pointer here.
1985 */
1986 ccb->ccb_h.cbfcnp = passdone;
1987
1988 fc = ccb->ccb_h.func_code;
1989 /*
1990 * If this function code has memory that can be mapped in
1991 * or out, we need to call passmemsetup().
1992 */
1993 if ((fc == XPT_SCSI_IO) || (fc == XPT_ATA_IO)
1994 || (fc == XPT_SMP_IO) || (fc == XPT_DEV_MATCH)
1995 || (fc == XPT_DEV_ADVINFO)
1996 || (fc == XPT_NVME_ADMIN) || (fc == XPT_NVME_IO)) {
1997 error = passmemsetup(periph, io_req);
1998 if (error != 0)
1999 goto camioqueue_error;
2000 } else
2001 io_req->mapinfo.num_bufs_used = 0;
2002
2003 cam_periph_lock(periph);
2004
2005 /*
2006 * Everything goes on the incoming queue initially.
2007 */
2008 TAILQ_INSERT_TAIL(&softc->incoming_queue, io_req, links);
2009
2010 /*
2011 * If the CCB is queued, and is not a user CCB, then
2012 * we need to allocate a slot for it. Call xpt_schedule()
2013 * so that our start routine will get called when a CCB is
2014 * available.
2015 */
2016 if ((fc & XPT_FC_QUEUED)
2017 && ((fc & XPT_FC_USER_CCB) == 0)) {
2018 xpt_schedule(periph, priority);
2019 break;
2020 }
2021
2022 /*
2023 * At this point, the CCB in question is either an
2024 * immediate CCB (like XPT_DEV_ADVINFO) or it is a user CCB
2025 * and therefore should be malloced, not allocated via a slot.
2026 * Remove the CCB from the incoming queue and add it to the
2027 * active queue.
2028 */
2029 TAILQ_REMOVE(&softc->incoming_queue, io_req, links);
2030 TAILQ_INSERT_TAIL(&softc->active_queue, io_req, links);
2031
2032 xpt_action(ccb);
2033
2034 /*
2035 * If this is not a queued CCB (i.e. it is an immediate CCB),
2036 * then it is already done. We need to put it on the done
2037 * queue for the user to fetch.
2038 */
2039 if ((fc & XPT_FC_QUEUED) == 0) {
2040 TAILQ_REMOVE(&softc->active_queue, io_req, links);
2041 TAILQ_INSERT_TAIL(&softc->done_queue, io_req, links);
2042 }
2043 break;
2044
2045 camioqueue_error:
2046 uma_zfree(softc->pass_zone, io_req);
2047 cam_periph_lock(periph);
2048 break;
2049 }
2050 case CAMIOGET:
2051 {
2052 union ccb **user_ccb;
2053 struct pass_io_req *io_req;
2054 int old_error;
2055
2056 #ifdef COMPAT_FREEBSD32
2057 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
2058 error = ENOTTY;
2059 goto bailout;
2060 }
2061 #endif
2062 user_ccb = (union ccb **)addr;
2063 old_error = 0;
2064
2065 io_req = TAILQ_FIRST(&softc->done_queue);
2066 if (io_req == NULL) {
2067 error = ENOENT;
2068 break;
2069 }
2070
2071 /*
2072 * Remove the I/O from the done queue.
2073 */
2074 TAILQ_REMOVE(&softc->done_queue, io_req, links);
2075
2076 /*
2077 * We have to drop the lock during the copyout because the
2078 * copyout can result in VM faults that require sleeping.
2079 */
2080 cam_periph_unlock(periph);
2081
2082 /*
2083 * Do any needed copies (e.g. for reads) and revert the
2084 * pointers in the CCB back to the user's pointers.
2085 */
2086 error = passmemdone(periph, io_req);
2087
2088 old_error = error;
2089
2090 io_req->ccb.ccb_h.periph_links = io_req->user_periph_links;
2091 io_req->ccb.ccb_h.periph_priv = io_req->user_periph_priv;
2092
2093 #if 0
2094 xpt_print(periph->path, "Copying to user CCB %p from "
2095 "kernel address %p\n", *user_ccb, &io_req->ccb);
2096 #endif
2097
2098 error = copyout(&io_req->ccb, *user_ccb, sizeof(union ccb));
2099 if (error != 0) {
2100 xpt_print(periph->path, "Copy to user CCB %p from "
2101 "kernel address %p failed with error %d\n",
2102 *user_ccb, &io_req->ccb, error);
2103 }
2104
2105 /*
2106 * Prefer the first error we got back, and make sure we
2107 * don't overwrite bad status with good.
2108 */
2109 if (old_error != 0)
2110 error = old_error;
2111
2112 cam_periph_lock(periph);
2113
2114 /*
2115 * At this point, if there was an error, we could potentially
2116 * re-queue the I/O and try again. But why? The error
2117 * would almost certainly happen again. We might as well
2118 * not leak memory.
2119 */
2120 uma_zfree(softc->pass_zone, io_req);
2121 break;
2122 }
2123 default:
2124 error = cam_periph_ioctl(periph, cmd, addr, passerror);
2125 break;
2126 }
2127
2128 bailout:
2129 cam_periph_unlock(periph);
2130
2131 return(error);
2132 }
2133
2134 static int
2135 passpoll(struct cdev *dev, int poll_events, struct thread *td)
2136 {
2137 struct cam_periph *periph;
2138 struct pass_softc *softc;
2139 int revents;
2140
2141 periph = (struct cam_periph *)dev->si_drv1;
2142 softc = (struct pass_softc *)periph->softc;
2143
2144 revents = poll_events & (POLLOUT | POLLWRNORM);
2145 if ((poll_events & (POLLIN | POLLRDNORM)) != 0) {
2146 cam_periph_lock(periph);
2147
2148 if (!TAILQ_EMPTY(&softc->done_queue)) {
2149 revents |= poll_events & (POLLIN | POLLRDNORM);
2150 }
2151 cam_periph_unlock(periph);
2152 if (revents == 0)
2153 selrecord(td, &softc->read_select);
2154 }
2155
2156 return (revents);
2157 }
2158
2159 static int
2160 passkqfilter(struct cdev *dev, struct knote *kn)
2161 {
2162 struct cam_periph *periph;
2163 struct pass_softc *softc;
2164
2165 periph = (struct cam_periph *)dev->si_drv1;
2166 softc = (struct pass_softc *)periph->softc;
2167
2168 kn->kn_hook = (caddr_t)periph;
2169 kn->kn_fop = &passread_filtops;
2170 knlist_add(&softc->read_select.si_note, kn, 0);
2171
2172 return (0);
2173 }
2174
2175 static void
2176 passreadfiltdetach(struct knote *kn)
2177 {
2178 struct cam_periph *periph;
2179 struct pass_softc *softc;
2180
2181 periph = (struct cam_periph *)kn->kn_hook;
2182 softc = (struct pass_softc *)periph->softc;
2183
2184 knlist_remove(&softc->read_select.si_note, kn, 0);
2185 }
2186
2187 static int
2188 passreadfilt(struct knote *kn, long hint)
2189 {
2190 struct cam_periph *periph;
2191 struct pass_softc *softc;
2192 int retval;
2193
2194 periph = (struct cam_periph *)kn->kn_hook;
2195 softc = (struct pass_softc *)periph->softc;
2196
2197 cam_periph_assert(periph, MA_OWNED);
2198
2199 if (TAILQ_EMPTY(&softc->done_queue))
2200 retval = 0;
2201 else
2202 retval = 1;
2203
2204 return (retval);
2205 }
2206
2207 /*
2208 * Generally, "ccb" should be the CCB supplied by the kernel. "inccb"
2209 * should be the CCB that is copied in from the user.
2210 */
2211 static int
2212 passsendccb(struct cam_periph *periph, union ccb *ccb, union ccb *inccb)
2213 {
2214 struct pass_softc *softc;
2215 struct cam_periph_map_info mapinfo;
2216 uint8_t *cmd;
2217 xpt_opcode fc;
2218 int error;
2219
2220 softc = (struct pass_softc *)periph->softc;
2221
2222 /*
2223 * There are some fields in the CCB header that need to be
2224 * preserved, the rest we get from the user.
2225 */
2226 xpt_merge_ccb(ccb, inccb);
2227
2228 if (ccb->ccb_h.flags & CAM_CDB_POINTER) {
2229 cmd = __builtin_alloca(ccb->csio.cdb_len);
2230 error = copyin(ccb->csio.cdb_io.cdb_ptr, cmd, ccb->csio.cdb_len);
2231 if (error)
2232 return (error);
2233 ccb->csio.cdb_io.cdb_ptr = cmd;
2234 }
2235
2236 /*
2237 * Let cam_periph_mapmem do a sanity check on the data pointer format.
2238 * Even if no data transfer is needed, it's a cheap check and it
2239 * simplifies the code.
2240 */
2241 fc = ccb->ccb_h.func_code;
2242 if ((fc == XPT_SCSI_IO) || (fc == XPT_ATA_IO) || (fc == XPT_SMP_IO)
2243 || (fc == XPT_DEV_MATCH) || (fc == XPT_DEV_ADVINFO) || (fc == XPT_MMC_IO)
2244 || (fc == XPT_NVME_ADMIN) || (fc == XPT_NVME_IO)) {
2245
2246 bzero(&mapinfo, sizeof(mapinfo));
2247
2248 /*
2249 * cam_periph_mapmem calls into proc and vm functions that can
2250 * sleep as well as trigger I/O, so we can't hold the lock.
2251 * Dropping it here is reasonably safe.
2252 */
2253 cam_periph_unlock(periph);
2254 error = cam_periph_mapmem(ccb, &mapinfo, softc->maxio);
2255 cam_periph_lock(periph);
2256
2257 /*
2258 * cam_periph_mapmem returned an error, we can't continue.
2259 * Return the error to the user.
2260 */
2261 if (error)
2262 return(error);
2263 } else
2264 /* Ensure that the unmap call later on is a no-op. */
2265 mapinfo.num_bufs_used = 0;
2266
2267 /*
2268 * If the user wants us to perform any error recovery, then honor
2269 * that request. Otherwise, it's up to the user to perform any
2270 * error recovery.
2271 */
2272 cam_periph_runccb(ccb, (ccb->ccb_h.flags & CAM_PASS_ERR_RECOVER) ?
2273 passerror : NULL, /* cam_flags */ CAM_RETRY_SELTO,
2274 /* sense_flags */ SF_RETRY_UA | SF_NO_PRINT,
2275 softc->device_stats);
2276
2277 cam_periph_unlock(periph);
2278 cam_periph_unmapmem(ccb, &mapinfo);
2279 cam_periph_lock(periph);
2280
2281 ccb->ccb_h.cbfcnp = NULL;
2282 ccb->ccb_h.periph_priv = inccb->ccb_h.periph_priv;
2283 bcopy(ccb, inccb, sizeof(union ccb));
2284
2285 return(0);
2286 }
2287
2288 static int
2289 passerror(union ccb *ccb, u_int32_t cam_flags, u_int32_t sense_flags)
2290 {
2291 struct cam_periph *periph;
2292 struct pass_softc *softc;
2293
2294 periph = xpt_path_periph(ccb->ccb_h.path);
2295 softc = (struct pass_softc *)periph->softc;
2296
2297 return(cam_periph_error(ccb, cam_flags, sense_flags));
2298 }
Cache object: 628085463caed6ed87c94f2449309b11
|