2012-11-30 02:14:21 +00:00
|
|
|
/*
|
|
|
|
* Management Module Support for MPT (Message Passing Technology) based
|
|
|
|
* controllers
|
|
|
|
*
|
|
|
|
* This code is based on drivers/scsi/mpt3sas/mpt3sas_ctl.h
|
2014-09-12 10:05:29 +00:00
|
|
|
* Copyright (C) 2012-2014 LSI Corporation
|
2015-01-12 06:09:02 +00:00
|
|
|
* Copyright (C) 2013-2014 Avago Technologies
|
|
|
|
* (mailto: MPT-FusionLinux.pdl@avagotech.com)
|
2012-11-30 02:14:21 +00:00
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* NO WARRANTY
|
|
|
|
* THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
|
|
* CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT
|
|
|
|
* LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT,
|
|
|
|
* MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is
|
|
|
|
* solely responsible for determining the appropriateness of using and
|
|
|
|
* distributing the Program and assumes all risks associated with its
|
|
|
|
* exercise of rights under this Agreement, including but not limited to
|
|
|
|
* the risks and costs of program errors, damage to or loss of data,
|
|
|
|
* programs or equipment, and unavailability or interruption of operations.
|
|
|
|
|
|
|
|
* DISCLAIMER OF LIABILITY
|
|
|
|
* NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY
|
|
|
|
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND
|
|
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
|
|
|
|
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
|
|
* USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED
|
|
|
|
* HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES
|
|
|
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
|
|
|
|
* USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef MPT3SAS_CTL_H_INCLUDED
|
|
|
|
#define MPT3SAS_CTL_H_INCLUDED
|
|
|
|
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
#include <linux/miscdevice.h>
|
|
|
|
#endif
|
|
|
|
|
scsi: mpt3sas: Fix out-of-bounds warnings in _ctl_addnl_diag_query
Fix the following out-of-bounds warnings by embedding existing struct
htb_rel_query into struct mpt3_addnl_diag_query, instead of duplicating its
members:
include/linux/fortify-string.h:20:29: warning: '__builtin_memcpy' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
include/linux/fortify-string.h:22:29: warning: '__builtin_memset' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
The problem is that the original code is trying to copy data into a bunch
of struct members adjacent to each other in a single call to memcpy(). All
those members are exactly the same contained in struct htb_rel_query, so
instead of duplicating them into struct mpt3_addnl_diag_query, replace them
with new member rel_query of type struct htb_rel_query. So, now that this
new object is introduced, memcpy() doesn't overrun the length of
&karg.buffer_rel_condition, because the address of the new struct object
_rel_query_ is used as destination, instead. The same issue is present when
calling memset(), and it is fixed with this same approach.
Below is a comparison of struct mpt3_addnl_diag_query, before and after
this change (the size and cachelines remain the same):
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
uint16_t buffer_rel_condition; /* 16 2 */
uint16_t reserved1; /* 18 2 */
uint32_t trigger_type; /* 20 4 */
uint32_t trigger_info_dwords[2]; /* 24 8 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 7 */
/* last cacheline: 40 bytes */
};
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
struct htb_rel_query rel_query; /* 16 16 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 4 */
/* last cacheline: 40 bytes */
};
Also, this helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines on
memcpy().
Link: https://github.com/KSPP/linux/issues/109
Link: https://lore.kernel.org/lkml/60659889.bJJILx2THu3hlpxW%25lkp@intel.com/
Link: https://lore.kernel.org/r/20210401162054.GA397186@embeddedor
Build-tested-by: kernel test robot <lkp@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-04-01 16:20:54 +00:00
|
|
|
#include "mpt3sas_base.h"
|
|
|
|
|
2015-11-11 12:00:20 +00:00
|
|
|
#ifndef MPT2SAS_MINOR
|
|
|
|
#define MPT2SAS_MINOR (MPT_MINOR + 1)
|
|
|
|
#endif
|
2012-11-30 02:14:21 +00:00
|
|
|
#ifndef MPT3SAS_MINOR
|
|
|
|
#define MPT3SAS_MINOR (MPT_MINOR + 2)
|
|
|
|
#endif
|
2015-11-11 12:00:20 +00:00
|
|
|
#define MPT2SAS_DEV_NAME "mpt2ctl"
|
2012-11-30 02:14:21 +00:00
|
|
|
#define MPT3SAS_DEV_NAME "mpt3ctl"
|
|
|
|
#define MPT3_MAGIC_NUMBER 'L'
|
|
|
|
#define MPT3_IOCTL_DEFAULT_TIMEOUT (10) /* in seconds */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* IOCTL opcodes
|
|
|
|
*/
|
|
|
|
#define MPT3IOCINFO _IOWR(MPT3_MAGIC_NUMBER, 17, \
|
|
|
|
struct mpt3_ioctl_iocinfo)
|
|
|
|
#define MPT3COMMAND _IOWR(MPT3_MAGIC_NUMBER, 20, \
|
|
|
|
struct mpt3_ioctl_command)
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
#define MPT3COMMAND32 _IOWR(MPT3_MAGIC_NUMBER, 20, \
|
|
|
|
struct mpt3_ioctl_command32)
|
|
|
|
#endif
|
|
|
|
#define MPT3EVENTQUERY _IOWR(MPT3_MAGIC_NUMBER, 21, \
|
|
|
|
struct mpt3_ioctl_eventquery)
|
|
|
|
#define MPT3EVENTENABLE _IOWR(MPT3_MAGIC_NUMBER, 22, \
|
|
|
|
struct mpt3_ioctl_eventenable)
|
|
|
|
#define MPT3EVENTREPORT _IOWR(MPT3_MAGIC_NUMBER, 23, \
|
|
|
|
struct mpt3_ioctl_eventreport)
|
|
|
|
#define MPT3HARDRESET _IOWR(MPT3_MAGIC_NUMBER, 24, \
|
|
|
|
struct mpt3_ioctl_diag_reset)
|
|
|
|
#define MPT3BTDHMAPPING _IOWR(MPT3_MAGIC_NUMBER, 31, \
|
|
|
|
struct mpt3_ioctl_btdh_mapping)
|
|
|
|
|
|
|
|
/* diag buffer support */
|
|
|
|
#define MPT3DIAGREGISTER _IOWR(MPT3_MAGIC_NUMBER, 26, \
|
|
|
|
struct mpt3_diag_register)
|
|
|
|
#define MPT3DIAGRELEASE _IOWR(MPT3_MAGIC_NUMBER, 27, \
|
|
|
|
struct mpt3_diag_release)
|
|
|
|
#define MPT3DIAGUNREGISTER _IOWR(MPT3_MAGIC_NUMBER, 28, \
|
|
|
|
struct mpt3_diag_unregister)
|
|
|
|
#define MPT3DIAGQUERY _IOWR(MPT3_MAGIC_NUMBER, 29, \
|
|
|
|
struct mpt3_diag_query)
|
|
|
|
#define MPT3DIAGREADBUFFER _IOWR(MPT3_MAGIC_NUMBER, 30, \
|
|
|
|
struct mpt3_diag_read_buffer)
|
2021-02-04 03:37:23 +00:00
|
|
|
#define MPT3ADDNLDIAGQUERY _IOWR(MPT3_MAGIC_NUMBER, 32, \
|
|
|
|
struct mpt3_addnl_diag_query)
|
2012-11-30 02:14:21 +00:00
|
|
|
|
2019-09-13 13:04:42 +00:00
|
|
|
/* Trace Buffer default UniqueId */
|
|
|
|
#define MPT2DIAGBUFFUNIQUEID (0x07075900)
|
|
|
|
#define MPT3DIAGBUFFUNIQUEID (0x4252434D)
|
|
|
|
|
|
|
|
/* UID not found */
|
|
|
|
#define MPT3_DIAG_UID_NOT_FOUND (0xFF)
|
|
|
|
|
|
|
|
|
2012-11-30 02:14:21 +00:00
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_header - main header structure
|
|
|
|
* @ioc_number - IOC unit number
|
|
|
|
* @port_number - IOC port number
|
|
|
|
* @max_data_size - maximum number bytes to transfer on read
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_header {
|
|
|
|
uint32_t ioc_number;
|
|
|
|
uint32_t port_number;
|
|
|
|
uint32_t max_data_size;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_diag_reset - diagnostic reset
|
|
|
|
* @hdr - generic header
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_diag_reset {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_pci_info - pci device info
|
|
|
|
* @device - pci device id
|
|
|
|
* @function - pci function id
|
|
|
|
* @bus - pci bus id
|
|
|
|
* @segment_id - pci segment id
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_pci_info {
|
|
|
|
union {
|
|
|
|
struct {
|
|
|
|
uint32_t device:5;
|
|
|
|
uint32_t function:3;
|
|
|
|
uint32_t bus:24;
|
|
|
|
} bits;
|
|
|
|
uint32_t word;
|
|
|
|
} u;
|
|
|
|
uint32_t segment_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
#define MPT2_IOCTL_INTERFACE_SCSI (0x00)
|
|
|
|
#define MPT2_IOCTL_INTERFACE_FC (0x01)
|
|
|
|
#define MPT2_IOCTL_INTERFACE_FC_IP (0x02)
|
|
|
|
#define MPT2_IOCTL_INTERFACE_SAS (0x03)
|
|
|
|
#define MPT2_IOCTL_INTERFACE_SAS2 (0x04)
|
2015-11-11 12:00:28 +00:00
|
|
|
#define MPT2_IOCTL_INTERFACE_SAS2_SSS6200 (0x05)
|
2012-11-30 02:14:21 +00:00
|
|
|
#define MPT3_IOCTL_INTERFACE_SAS3 (0x06)
|
2016-10-26 08:04:37 +00:00
|
|
|
#define MPT3_IOCTL_INTERFACE_SAS35 (0x07)
|
2012-11-30 02:14:21 +00:00
|
|
|
#define MPT2_IOCTL_VERSION_LENGTH (32)
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_iocinfo - generic controller info
|
|
|
|
* @hdr - generic header
|
|
|
|
* @adapter_type - type of adapter (spi, fc, sas)
|
|
|
|
* @port_number - port number
|
|
|
|
* @pci_id - PCI Id
|
|
|
|
* @hw_rev - hardware revision
|
|
|
|
* @sub_system_device - PCI subsystem Device ID
|
|
|
|
* @sub_system_vendor - PCI subsystem Vendor ID
|
|
|
|
* @rsvd0 - reserved
|
|
|
|
* @firmware_version - firmware version
|
|
|
|
* @bios_version - BIOS version
|
|
|
|
* @driver_version - driver version - 32 ASCII characters
|
|
|
|
* @rsvd1 - reserved
|
|
|
|
* @scsi_id - scsi id of adapter 0
|
|
|
|
* @rsvd2 - reserved
|
|
|
|
* @pci_information - pci info (2nd revision)
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_iocinfo {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t adapter_type;
|
|
|
|
uint32_t port_number;
|
|
|
|
uint32_t pci_id;
|
|
|
|
uint32_t hw_rev;
|
|
|
|
uint32_t subsystem_device;
|
|
|
|
uint32_t subsystem_vendor;
|
|
|
|
uint32_t rsvd0;
|
|
|
|
uint32_t firmware_version;
|
|
|
|
uint32_t bios_version;
|
|
|
|
uint8_t driver_version[MPT2_IOCTL_VERSION_LENGTH];
|
|
|
|
uint8_t rsvd1;
|
|
|
|
uint8_t scsi_id;
|
|
|
|
uint16_t rsvd2;
|
|
|
|
struct mpt3_ioctl_pci_info pci_information;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/* number of event log entries */
|
2018-04-24 09:28:36 +00:00
|
|
|
#define MPT3SAS_CTL_EVENT_LOG_SIZE (200)
|
2012-11-30 02:14:21 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_eventquery - query event count and type
|
|
|
|
* @hdr - generic header
|
|
|
|
* @event_entries - number of events returned by get_event_report
|
|
|
|
* @rsvd - reserved
|
|
|
|
* @event_types - type of events currently being captured
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_eventquery {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint16_t event_entries;
|
|
|
|
uint16_t rsvd;
|
|
|
|
uint32_t event_types[MPI2_EVENT_NOTIFY_EVENTMASK_WORDS];
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_eventenable - enable/disable event capturing
|
|
|
|
* @hdr - generic header
|
|
|
|
* @event_types - toggle off/on type of events to be captured
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_eventenable {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t event_types[4];
|
|
|
|
};
|
|
|
|
|
|
|
|
#define MPT3_EVENT_DATA_SIZE (192)
|
|
|
|
/**
|
|
|
|
* struct MPT3_IOCTL_EVENTS -
|
|
|
|
* @event - the event that was reported
|
|
|
|
* @context - unique value for each event assigned by driver
|
|
|
|
* @data - event data returned in fw reply message
|
|
|
|
*/
|
|
|
|
struct MPT3_IOCTL_EVENTS {
|
|
|
|
uint32_t event;
|
|
|
|
uint32_t context;
|
|
|
|
uint8_t data[MPT3_EVENT_DATA_SIZE];
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_eventreport - returing event log
|
|
|
|
* @hdr - generic header
|
|
|
|
* @event_data - (see struct MPT3_IOCTL_EVENTS)
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_eventreport {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
struct MPT3_IOCTL_EVENTS event_data[1];
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_command - generic mpt firmware passthru ioctl
|
|
|
|
* @hdr - generic header
|
|
|
|
* @timeout - command timeout in seconds. (if zero then use driver default
|
|
|
|
* value).
|
|
|
|
* @reply_frame_buf_ptr - reply location
|
|
|
|
* @data_in_buf_ptr - destination for read
|
|
|
|
* @data_out_buf_ptr - data source for write
|
|
|
|
* @sense_data_ptr - sense data location
|
|
|
|
* @max_reply_bytes - maximum number of reply bytes to be sent to app.
|
|
|
|
* @data_in_size - number bytes for data transfer in (read)
|
|
|
|
* @data_out_size - number bytes for data transfer out (write)
|
|
|
|
* @max_sense_bytes - maximum number of bytes for auto sense buffers
|
|
|
|
* @data_sge_offset - offset in words from the start of the request message to
|
|
|
|
* the first SGL
|
|
|
|
* @mf[1];
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_command {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t timeout;
|
|
|
|
void __user *reply_frame_buf_ptr;
|
|
|
|
void __user *data_in_buf_ptr;
|
|
|
|
void __user *data_out_buf_ptr;
|
|
|
|
void __user *sense_data_ptr;
|
|
|
|
uint32_t max_reply_bytes;
|
|
|
|
uint32_t data_in_size;
|
|
|
|
uint32_t data_out_size;
|
|
|
|
uint32_t max_sense_bytes;
|
|
|
|
uint32_t data_sge_offset;
|
|
|
|
uint8_t mf[1];
|
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
struct mpt3_ioctl_command32 {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t timeout;
|
|
|
|
uint32_t reply_frame_buf_ptr;
|
|
|
|
uint32_t data_in_buf_ptr;
|
|
|
|
uint32_t data_out_buf_ptr;
|
|
|
|
uint32_t sense_data_ptr;
|
|
|
|
uint32_t max_reply_bytes;
|
|
|
|
uint32_t data_in_size;
|
|
|
|
uint32_t data_out_size;
|
|
|
|
uint32_t max_sense_bytes;
|
|
|
|
uint32_t data_sge_offset;
|
|
|
|
uint8_t mf[1];
|
|
|
|
};
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_ioctl_btdh_mapping - mapping info
|
|
|
|
* @hdr - generic header
|
|
|
|
* @id - target device identification number
|
|
|
|
* @bus - SCSI bus number that the target device exists on
|
|
|
|
* @handle - device handle for the target device
|
|
|
|
* @rsvd - reserved
|
|
|
|
*
|
|
|
|
* To obtain a bus/id the application sets
|
|
|
|
* handle to valid handle, and bus/id to 0xFFFF.
|
|
|
|
*
|
|
|
|
* To obtain the device handle the application sets
|
|
|
|
* bus/id valid value, and the handle to 0xFFFF.
|
|
|
|
*/
|
|
|
|
struct mpt3_ioctl_btdh_mapping {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t id;
|
|
|
|
uint32_t bus;
|
|
|
|
uint16_t handle;
|
|
|
|
uint16_t rsvd;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* application flags for mpt3_diag_register, mpt3_diag_query */
|
|
|
|
#define MPT3_APP_FLAGS_APP_OWNED (0x0001)
|
|
|
|
#define MPT3_APP_FLAGS_BUFFER_VALID (0x0002)
|
|
|
|
#define MPT3_APP_FLAGS_FW_BUFFER_ACCESS (0x0004)
|
2019-09-13 13:04:44 +00:00
|
|
|
#define MPT3_APP_FLAGS_DYNAMIC_BUFFER_ALLOC (0x0008)
|
2012-11-30 02:14:21 +00:00
|
|
|
|
|
|
|
/* flags for mpt3_diag_read_buffer */
|
|
|
|
#define MPT3_FLAGS_REREGISTER (0x0001)
|
|
|
|
|
|
|
|
#define MPT3_PRODUCT_SPECIFIC_DWORDS 23
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_diag_register - application register with driver
|
|
|
|
* @hdr - generic header
|
|
|
|
* @reserved -
|
|
|
|
* @buffer_type - specifies either TRACE, SNAPSHOT, or EXTENDED
|
|
|
|
* @application_flags - misc flags
|
|
|
|
* @diagnostic_flags - specifies flags affecting command processing
|
|
|
|
* @product_specific - product specific information
|
|
|
|
* @requested_buffer_size - buffers size in bytes
|
|
|
|
* @unique_id - tag specified by application that is used to signal ownership
|
|
|
|
* of the buffer.
|
|
|
|
*
|
|
|
|
* This will allow the driver to setup any required buffers that will be
|
|
|
|
* needed by firmware to communicate with the driver.
|
|
|
|
*/
|
|
|
|
struct mpt3_diag_register {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint8_t reserved;
|
|
|
|
uint8_t buffer_type;
|
|
|
|
uint16_t application_flags;
|
|
|
|
uint32_t diagnostic_flags;
|
|
|
|
uint32_t product_specific[MPT3_PRODUCT_SPECIFIC_DWORDS];
|
|
|
|
uint32_t requested_buffer_size;
|
|
|
|
uint32_t unique_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_diag_unregister - application unregister with driver
|
|
|
|
* @hdr - generic header
|
|
|
|
* @unique_id - tag uniquely identifies the buffer to be unregistered
|
|
|
|
*
|
|
|
|
* This will allow the driver to cleanup any memory allocated for diag
|
|
|
|
* messages and to free up any resources.
|
|
|
|
*/
|
|
|
|
struct mpt3_diag_unregister {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t unique_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_diag_query - query relevant info associated with diag buffers
|
|
|
|
* @hdr - generic header
|
|
|
|
* @reserved -
|
|
|
|
* @buffer_type - specifies either TRACE, SNAPSHOT, or EXTENDED
|
|
|
|
* @application_flags - misc flags
|
|
|
|
* @diagnostic_flags - specifies flags affecting command processing
|
|
|
|
* @product_specific - product specific information
|
|
|
|
* @total_buffer_size - diag buffer size in bytes
|
|
|
|
* @driver_added_buffer_size - size of extra space appended to end of buffer
|
|
|
|
* @unique_id - unique id associated with this buffer.
|
|
|
|
*
|
|
|
|
* The application will send only buffer_type and unique_id. Driver will
|
|
|
|
* inspect unique_id first, if valid, fill in all the info. If unique_id is
|
|
|
|
* 0x00, the driver will return info specified by Buffer Type.
|
|
|
|
*/
|
|
|
|
struct mpt3_diag_query {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint8_t reserved;
|
|
|
|
uint8_t buffer_type;
|
|
|
|
uint16_t application_flags;
|
|
|
|
uint32_t diagnostic_flags;
|
|
|
|
uint32_t product_specific[MPT3_PRODUCT_SPECIFIC_DWORDS];
|
|
|
|
uint32_t total_buffer_size;
|
|
|
|
uint32_t driver_added_buffer_size;
|
|
|
|
uint32_t unique_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_diag_release - request to send Diag Release Message to firmware
|
|
|
|
* @hdr - generic header
|
|
|
|
* @unique_id - tag uniquely identifies the buffer to be released
|
|
|
|
*
|
|
|
|
* This allows ownership of the specified buffer to returned to the driver,
|
|
|
|
* allowing an application to read the buffer without fear that firmware is
|
2017-02-27 22:29:48 +00:00
|
|
|
* overwriting information in the buffer.
|
2012-11-30 02:14:21 +00:00
|
|
|
*/
|
|
|
|
struct mpt3_diag_release {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t unique_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct mpt3_diag_read_buffer - request for copy of the diag buffer
|
|
|
|
* @hdr - generic header
|
|
|
|
* @status -
|
|
|
|
* @reserved -
|
|
|
|
* @flags - misc flags
|
|
|
|
* @starting_offset - starting offset within drivers buffer where to start
|
|
|
|
* reading data at into the specified application buffer
|
|
|
|
* @bytes_to_read - number of bytes to copy from the drivers buffer into the
|
|
|
|
* application buffer starting at starting_offset.
|
|
|
|
* @unique_id - unique id associated with this buffer.
|
|
|
|
* @diagnostic_data - data payload
|
|
|
|
*/
|
|
|
|
struct mpt3_diag_read_buffer {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint8_t status;
|
|
|
|
uint8_t reserved;
|
|
|
|
uint16_t flags;
|
|
|
|
uint32_t starting_offset;
|
|
|
|
uint32_t bytes_to_read;
|
|
|
|
uint32_t unique_id;
|
|
|
|
uint32_t diagnostic_data[1];
|
|
|
|
};
|
|
|
|
|
2021-02-04 03:37:23 +00:00
|
|
|
/**
|
|
|
|
* struct mpt3_addnl_diag_query - diagnostic buffer release reason
|
|
|
|
* @hdr - generic header
|
|
|
|
* @unique_id - unique id associated with this buffer.
|
scsi: mpt3sas: Fix out-of-bounds warnings in _ctl_addnl_diag_query
Fix the following out-of-bounds warnings by embedding existing struct
htb_rel_query into struct mpt3_addnl_diag_query, instead of duplicating its
members:
include/linux/fortify-string.h:20:29: warning: '__builtin_memcpy' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
include/linux/fortify-string.h:22:29: warning: '__builtin_memset' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
The problem is that the original code is trying to copy data into a bunch
of struct members adjacent to each other in a single call to memcpy(). All
those members are exactly the same contained in struct htb_rel_query, so
instead of duplicating them into struct mpt3_addnl_diag_query, replace them
with new member rel_query of type struct htb_rel_query. So, now that this
new object is introduced, memcpy() doesn't overrun the length of
&karg.buffer_rel_condition, because the address of the new struct object
_rel_query_ is used as destination, instead. The same issue is present when
calling memset(), and it is fixed with this same approach.
Below is a comparison of struct mpt3_addnl_diag_query, before and after
this change (the size and cachelines remain the same):
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
uint16_t buffer_rel_condition; /* 16 2 */
uint16_t reserved1; /* 18 2 */
uint32_t trigger_type; /* 20 4 */
uint32_t trigger_info_dwords[2]; /* 24 8 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 7 */
/* last cacheline: 40 bytes */
};
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
struct htb_rel_query rel_query; /* 16 16 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 4 */
/* last cacheline: 40 bytes */
};
Also, this helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines on
memcpy().
Link: https://github.com/KSPP/linux/issues/109
Link: https://lore.kernel.org/lkml/60659889.bJJILx2THu3hlpxW%25lkp@intel.com/
Link: https://lore.kernel.org/r/20210401162054.GA397186@embeddedor
Build-tested-by: kernel test robot <lkp@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-04-01 16:20:54 +00:00
|
|
|
* @rel_query - release query.
|
2021-02-04 03:37:23 +00:00
|
|
|
* @reserved2
|
|
|
|
*/
|
|
|
|
struct mpt3_addnl_diag_query {
|
|
|
|
struct mpt3_ioctl_header hdr;
|
|
|
|
uint32_t unique_id;
|
scsi: mpt3sas: Fix out-of-bounds warnings in _ctl_addnl_diag_query
Fix the following out-of-bounds warnings by embedding existing struct
htb_rel_query into struct mpt3_addnl_diag_query, instead of duplicating its
members:
include/linux/fortify-string.h:20:29: warning: '__builtin_memcpy' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
include/linux/fortify-string.h:22:29: warning: '__builtin_memset' offset [19, 32] from the object at 'karg' is out of the bounds of referenced subobject 'buffer_rel_condition' with type 'short unsigned int' at offset 16 [-Warray-bounds]
The problem is that the original code is trying to copy data into a bunch
of struct members adjacent to each other in a single call to memcpy(). All
those members are exactly the same contained in struct htb_rel_query, so
instead of duplicating them into struct mpt3_addnl_diag_query, replace them
with new member rel_query of type struct htb_rel_query. So, now that this
new object is introduced, memcpy() doesn't overrun the length of
&karg.buffer_rel_condition, because the address of the new struct object
_rel_query_ is used as destination, instead. The same issue is present when
calling memset(), and it is fixed with this same approach.
Below is a comparison of struct mpt3_addnl_diag_query, before and after
this change (the size and cachelines remain the same):
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
uint16_t buffer_rel_condition; /* 16 2 */
uint16_t reserved1; /* 18 2 */
uint32_t trigger_type; /* 20 4 */
uint32_t trigger_info_dwords[2]; /* 24 8 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 7 */
/* last cacheline: 40 bytes */
};
$ pahole -C mpt3_addnl_diag_query drivers/scsi/mpt3sas/mpt3sas_ctl.o
struct mpt3_addnl_diag_query {
struct mpt3_ioctl_header hdr; /* 0 12 */
uint32_t unique_id; /* 12 4 */
struct htb_rel_query rel_query; /* 16 16 */
uint32_t reserved2[2]; /* 32 8 */
/* size: 40, cachelines: 1, members: 4 */
/* last cacheline: 40 bytes */
};
Also, this helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines on
memcpy().
Link: https://github.com/KSPP/linux/issues/109
Link: https://lore.kernel.org/lkml/60659889.bJJILx2THu3hlpxW%25lkp@intel.com/
Link: https://lore.kernel.org/r/20210401162054.GA397186@embeddedor
Build-tested-by: kernel test robot <lkp@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-04-01 16:20:54 +00:00
|
|
|
struct htb_rel_query rel_query;
|
2021-02-04 03:37:23 +00:00
|
|
|
uint32_t reserved2[2];
|
|
|
|
};
|
|
|
|
|
2012-11-30 02:14:21 +00:00
|
|
|
#endif /* MPT3SAS_CTL_H_INCLUDED */
|