[SCSI] aacraid: fix security weakness
[linux-2.6] / drivers / scsi / libsrp.c
1 /*
2  * SCSI RDAM Protocol lib functions
3  *
4  * Copyright (C) 2006 FUJITA Tomonori <tomof@acm.org>
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License as
8  * published by the Free Software Foundation; either version 2 of the
9  * License, or (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful, but
12  * WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
19  * 02110-1301 USA
20  */
21 #include <linux/err.h>
22 #include <linux/kfifo.h>
23 #include <linux/scatterlist.h>
24 #include <linux/dma-mapping.h>
25 #include <scsi/scsi.h>
26 #include <scsi/scsi_cmnd.h>
27 #include <scsi/scsi_tcq.h>
28 #include <scsi/scsi_tgt.h>
29 #include <scsi/srp.h>
30 #include <scsi/libsrp.h>
31
32 enum srp_task_attributes {
33         SRP_SIMPLE_TASK = 0,
34         SRP_HEAD_TASK = 1,
35         SRP_ORDERED_TASK = 2,
36         SRP_ACA_TASK = 4
37 };
38
39 /* tmp - will replace with SCSI logging stuff */
40 #define eprintk(fmt, args...)                                   \
41 do {                                                            \
42         printk("%s(%d) " fmt, __FUNCTION__, __LINE__, ##args);  \
43 } while (0)
44 /* #define dprintk eprintk */
45 #define dprintk(fmt, args...)
46
47 static int srp_iu_pool_alloc(struct srp_queue *q, size_t max,
48                              struct srp_buf **ring)
49 {
50         int i;
51         struct iu_entry *iue;
52
53         q->pool = kcalloc(max, sizeof(struct iu_entry *), GFP_KERNEL);
54         if (!q->pool)
55                 return -ENOMEM;
56         q->items = kcalloc(max, sizeof(struct iu_entry), GFP_KERNEL);
57         if (!q->items)
58                 goto free_pool;
59
60         spin_lock_init(&q->lock);
61         q->queue = kfifo_init((void *) q->pool, max * sizeof(void *),
62                               GFP_KERNEL, &q->lock);
63         if (IS_ERR(q->queue))
64                 goto free_item;
65
66         for (i = 0, iue = q->items; i < max; i++) {
67                 __kfifo_put(q->queue, (void *) &iue, sizeof(void *));
68                 iue->sbuf = ring[i];
69                 iue++;
70         }
71         return 0;
72
73 free_item:
74         kfree(q->items);
75 free_pool:
76         kfree(q->pool);
77         return -ENOMEM;
78 }
79
80 static void srp_iu_pool_free(struct srp_queue *q)
81 {
82         kfree(q->items);
83         kfree(q->pool);
84 }
85
86 static struct srp_buf **srp_ring_alloc(struct device *dev,
87                                        size_t max, size_t size)
88 {
89         int i;
90         struct srp_buf **ring;
91
92         ring = kcalloc(max, sizeof(struct srp_buf *), GFP_KERNEL);
93         if (!ring)
94                 return NULL;
95
96         for (i = 0; i < max; i++) {
97                 ring[i] = kzalloc(sizeof(struct srp_buf), GFP_KERNEL);
98                 if (!ring[i])
99                         goto out;
100                 ring[i]->buf = dma_alloc_coherent(dev, size, &ring[i]->dma,
101                                                   GFP_KERNEL);
102                 if (!ring[i]->buf)
103                         goto out;
104         }
105         return ring;
106
107 out:
108         for (i = 0; i < max && ring[i]; i++) {
109                 if (ring[i]->buf)
110                         dma_free_coherent(dev, size, ring[i]->buf, ring[i]->dma);
111                 kfree(ring[i]);
112         }
113         kfree(ring);
114
115         return NULL;
116 }
117
118 static void srp_ring_free(struct device *dev, struct srp_buf **ring, size_t max,
119                           size_t size)
120 {
121         int i;
122
123         for (i = 0; i < max; i++) {
124                 dma_free_coherent(dev, size, ring[i]->buf, ring[i]->dma);
125                 kfree(ring[i]);
126         }
127 }
128
129 int srp_target_alloc(struct srp_target *target, struct device *dev,
130                      size_t nr, size_t iu_size)
131 {
132         int err;
133
134         spin_lock_init(&target->lock);
135         INIT_LIST_HEAD(&target->cmd_queue);
136
137         target->dev = dev;
138         target->dev->driver_data = target;
139
140         target->srp_iu_size = iu_size;
141         target->rx_ring_size = nr;
142         target->rx_ring = srp_ring_alloc(target->dev, nr, iu_size);
143         if (!target->rx_ring)
144                 return -ENOMEM;
145         err = srp_iu_pool_alloc(&target->iu_queue, nr, target->rx_ring);
146         if (err)
147                 goto free_ring;
148
149         return 0;
150
151 free_ring:
152         srp_ring_free(target->dev, target->rx_ring, nr, iu_size);
153         return -ENOMEM;
154 }
155 EXPORT_SYMBOL_GPL(srp_target_alloc);
156
157 void srp_target_free(struct srp_target *target)
158 {
159         srp_ring_free(target->dev, target->rx_ring, target->rx_ring_size,
160                       target->srp_iu_size);
161         srp_iu_pool_free(&target->iu_queue);
162 }
163 EXPORT_SYMBOL_GPL(srp_target_free);
164
165 struct iu_entry *srp_iu_get(struct srp_target *target)
166 {
167         struct iu_entry *iue = NULL;
168
169         kfifo_get(target->iu_queue.queue, (void *) &iue, sizeof(void *));
170         if (!iue)
171                 return iue;
172         iue->target = target;
173         INIT_LIST_HEAD(&iue->ilist);
174         iue->flags = 0;
175         return iue;
176 }
177 EXPORT_SYMBOL_GPL(srp_iu_get);
178
179 void srp_iu_put(struct iu_entry *iue)
180 {
181         kfifo_put(iue->target->iu_queue.queue, (void *) &iue, sizeof(void *));
182 }
183 EXPORT_SYMBOL_GPL(srp_iu_put);
184
185 static int srp_direct_data(struct scsi_cmnd *sc, struct srp_direct_buf *md,
186                            enum dma_data_direction dir, srp_rdma_t rdma_io,
187                            int dma_map, int ext_desc)
188 {
189         struct iu_entry *iue = NULL;
190         struct scatterlist *sg = NULL;
191         int err, nsg = 0, len;
192
193         if (dma_map) {
194                 iue = (struct iu_entry *) sc->SCp.ptr;
195                 sg = sc->request_buffer;
196
197                 dprintk("%p %u %u %d\n", iue, sc->request_bufflen,
198                         md->len, sc->use_sg);
199
200                 nsg = dma_map_sg(iue->target->dev, sg, sc->use_sg,
201                                  DMA_BIDIRECTIONAL);
202                 if (!nsg) {
203                         printk("fail to map %p %d\n", iue, sc->use_sg);
204                         return 0;
205                 }
206                 len = min(sc->request_bufflen, md->len);
207         } else
208                 len = md->len;
209
210         err = rdma_io(sc, sg, nsg, md, 1, dir, len);
211
212         if (dma_map)
213                 dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
214
215         return err;
216 }
217
218 static int srp_indirect_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
219                              struct srp_indirect_buf *id,
220                              enum dma_data_direction dir, srp_rdma_t rdma_io,
221                              int dma_map, int ext_desc)
222 {
223         struct iu_entry *iue = NULL;
224         struct srp_direct_buf *md = NULL;
225         struct scatterlist dummy, *sg = NULL;
226         dma_addr_t token = 0;
227         int err = 0;
228         int nmd, nsg = 0, len;
229
230         if (dma_map || ext_desc) {
231                 iue = (struct iu_entry *) sc->SCp.ptr;
232                 sg = sc->request_buffer;
233
234                 dprintk("%p %u %u %d %d\n",
235                         iue, sc->request_bufflen, id->len,
236                         cmd->data_in_desc_cnt, cmd->data_out_desc_cnt);
237         }
238
239         nmd = id->table_desc.len / sizeof(struct srp_direct_buf);
240
241         if ((dir == DMA_FROM_DEVICE && nmd == cmd->data_in_desc_cnt) ||
242             (dir == DMA_TO_DEVICE && nmd == cmd->data_out_desc_cnt)) {
243                 md = &id->desc_list[0];
244                 goto rdma;
245         }
246
247         if (ext_desc && dma_map) {
248                 md = dma_alloc_coherent(iue->target->dev, id->table_desc.len,
249                                 &token, GFP_KERNEL);
250                 if (!md) {
251                         eprintk("Can't get dma memory %u\n", id->table_desc.len);
252                         return -ENOMEM;
253                 }
254
255                 sg_init_one(&dummy, md, id->table_desc.len);
256                 sg_dma_address(&dummy) = token;
257                 sg_dma_len(&dummy) = id->table_desc.len;
258                 err = rdma_io(sc, &dummy, 1, &id->table_desc, 1, DMA_TO_DEVICE,
259                               id->table_desc.len);
260                 if (err) {
261                         eprintk("Error copying indirect table %d\n", err);
262                         goto free_mem;
263                 }
264         } else {
265                 eprintk("This command uses external indirect buffer\n");
266                 return -EINVAL;
267         }
268
269 rdma:
270         if (dma_map) {
271                 nsg = dma_map_sg(iue->target->dev, sg, sc->use_sg, DMA_BIDIRECTIONAL);
272                 if (!nsg) {
273                         eprintk("fail to map %p %d\n", iue, sc->use_sg);
274                         err = -EIO;
275                         goto free_mem;
276                 }
277                 len = min(sc->request_bufflen, id->len);
278         } else
279                 len = id->len;
280
281         err = rdma_io(sc, sg, nsg, md, nmd, dir, len);
282
283         if (dma_map)
284                 dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
285
286 free_mem:
287         if (token && dma_map)
288                 dma_free_coherent(iue->target->dev, id->table_desc.len, md, token);
289
290         return err;
291 }
292
293 static int data_out_desc_size(struct srp_cmd *cmd)
294 {
295         int size = 0;
296         u8 fmt = cmd->buf_fmt >> 4;
297
298         switch (fmt) {
299         case SRP_NO_DATA_DESC:
300                 break;
301         case SRP_DATA_DESC_DIRECT:
302                 size = sizeof(struct srp_direct_buf);
303                 break;
304         case SRP_DATA_DESC_INDIRECT:
305                 size = sizeof(struct srp_indirect_buf) +
306                         sizeof(struct srp_direct_buf) * cmd->data_out_desc_cnt;
307                 break;
308         default:
309                 eprintk("client error. Invalid data_out_format %x\n", fmt);
310                 break;
311         }
312         return size;
313 }
314
315 /*
316  * TODO: this can be called multiple times for a single command if it
317  * has very long data.
318  */
319 int srp_transfer_data(struct scsi_cmnd *sc, struct srp_cmd *cmd,
320                       srp_rdma_t rdma_io, int dma_map, int ext_desc)
321 {
322         struct srp_direct_buf *md;
323         struct srp_indirect_buf *id;
324         enum dma_data_direction dir;
325         int offset, err = 0;
326         u8 format;
327
328         offset = cmd->add_cdb_len * 4;
329
330         dir = srp_cmd_direction(cmd);
331         if (dir == DMA_FROM_DEVICE)
332                 offset += data_out_desc_size(cmd);
333
334         if (dir == DMA_TO_DEVICE)
335                 format = cmd->buf_fmt >> 4;
336         else
337                 format = cmd->buf_fmt & ((1U << 4) - 1);
338
339         switch (format) {
340         case SRP_NO_DATA_DESC:
341                 break;
342         case SRP_DATA_DESC_DIRECT:
343                 md = (struct srp_direct_buf *)
344                         (cmd->add_data + offset);
345                 err = srp_direct_data(sc, md, dir, rdma_io, dma_map, ext_desc);
346                 break;
347         case SRP_DATA_DESC_INDIRECT:
348                 id = (struct srp_indirect_buf *)
349                         (cmd->add_data + offset);
350                 err = srp_indirect_data(sc, cmd, id, dir, rdma_io, dma_map,
351                                         ext_desc);
352                 break;
353         default:
354                 eprintk("Unknown format %d %x\n", dir, format);
355                 err = -EINVAL;
356         }
357
358         return err;
359 }
360 EXPORT_SYMBOL_GPL(srp_transfer_data);
361
362 static int vscsis_data_length(struct srp_cmd *cmd, enum dma_data_direction dir)
363 {
364         struct srp_direct_buf *md;
365         struct srp_indirect_buf *id;
366         int len = 0, offset = cmd->add_cdb_len * 4;
367         u8 fmt;
368
369         if (dir == DMA_TO_DEVICE)
370                 fmt = cmd->buf_fmt >> 4;
371         else {
372                 fmt = cmd->buf_fmt & ((1U << 4) - 1);
373                 offset += data_out_desc_size(cmd);
374         }
375
376         switch (fmt) {
377         case SRP_NO_DATA_DESC:
378                 break;
379         case SRP_DATA_DESC_DIRECT:
380                 md = (struct srp_direct_buf *) (cmd->add_data + offset);
381                 len = md->len;
382                 break;
383         case SRP_DATA_DESC_INDIRECT:
384                 id = (struct srp_indirect_buf *) (cmd->add_data + offset);
385                 len = id->len;
386                 break;
387         default:
388                 eprintk("invalid data format %x\n", fmt);
389                 break;
390         }
391         return len;
392 }
393
394 int srp_cmd_queue(struct Scsi_Host *shost, struct srp_cmd *cmd, void *info,
395                   u64 itn_id, u64 addr)
396 {
397         enum dma_data_direction dir;
398         struct scsi_cmnd *sc;
399         int tag, len, err;
400
401         switch (cmd->task_attr) {
402         case SRP_SIMPLE_TASK:
403                 tag = MSG_SIMPLE_TAG;
404                 break;
405         case SRP_ORDERED_TASK:
406                 tag = MSG_ORDERED_TAG;
407                 break;
408         case SRP_HEAD_TASK:
409                 tag = MSG_HEAD_TAG;
410                 break;
411         default:
412                 eprintk("Task attribute %d not supported\n", cmd->task_attr);
413                 tag = MSG_ORDERED_TAG;
414         }
415
416         dir = srp_cmd_direction(cmd);
417         len = vscsis_data_length(cmd, dir);
418
419         dprintk("%p %x %lx %d %d %d %llx\n", info, cmd->cdb[0],
420                 cmd->lun, dir, len, tag, (unsigned long long) cmd->tag);
421
422         sc = scsi_host_get_command(shost, dir, GFP_KERNEL);
423         if (!sc)
424                 return -ENOMEM;
425
426         sc->SCp.ptr = info;
427         memcpy(sc->cmnd, cmd->cdb, MAX_COMMAND_SIZE);
428         sc->request_bufflen = len;
429         sc->request_buffer = (void *) (unsigned long) addr;
430         sc->tag = tag;
431         err = scsi_tgt_queue_command(sc, itn_id, (struct scsi_lun *)&cmd->lun,
432                                      cmd->tag);
433         if (err)
434                 scsi_host_put_command(shost, sc);
435
436         return err;
437 }
438 EXPORT_SYMBOL_GPL(srp_cmd_queue);
439
440 MODULE_DESCRIPTION("SCSI RDAM Protocol lib functions");
441 MODULE_AUTHOR("FUJITA Tomonori");
442 MODULE_LICENSE("GPL");