src/sys/dev/mpr/mpr_user.c, branch main FreeBSD source tree mps/mpr: Remove bogus sys/cdefs.h includes 2026-01-09T05:54:44+00:00 Warner Losh imp@FreeBSD.org 2026-01-09T05:48:13+00:00 d650b2ceda4641475e90ba1f6d349eac98aaa963 These are left over from the $FreeBSD$ stuff. Sponsored by: Netflix 
These are left over from the $FreeBSD$ stuff.

Sponsored by:		Netflix
mpr: Handle errors from copyout() in ioctl handlers 2023-12-26T02:04:01+00:00 Mark Johnston markj@FreeBSD.org 2023-12-26T01:42:49+00:00 68cc77a3b73ffda1e8ac891b9852faca833e11b7 In preparation for adding a __result_use_check annotation to copyin() and related functions, start checking for errors from copyout() in the mpr(4) user command handler. This should make it easier to catch bugs. Reviewed by: imp, asomers MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D43177 
In preparation for adding a __result_use_check annotation to copyin()
and related functions, start checking for errors from copyout() in
the mpr(4) user command handler.  This should make it easier to catch
bugs.

Reviewed by:	imp, asomers
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D43177
mprutil: "fix user reply buffer (64)..." warnings 2023-09-21T14:38:24+00:00 Alan Somers asomers@FreeBSD.org 2023-02-22T22:06:43+00:00 7d154c4dc64e61af7ca536c4e9927fa07c675a83 Depending on the card's firmware version, it may return different length responses for MPI2_FUNCTION_IOC_FACTS. But the first part of the response contains the length of the rest, so query it first to get the length and then use that to size the buffer for the full response. Also, correctly zero-initialize MPI2_IOC_FACTS_REQUEST. It only worked by luck before. PR: 264848 Reported by: Julien Cigar <julien@perdition.city> MFC after: 1 week Sponsored by: Axcient Reviewed by: scottl, imp Differential Revision: https://reviews.freebsd.org/D38739 
Depending on the card's firmware version, it may return different length
responses for MPI2_FUNCTION_IOC_FACTS.  But the first part of the
response contains the length of the rest, so query it first to get the
length and then use that to size the buffer for the full response.

Also, correctly zero-initialize MPI2_IOC_FACTS_REQUEST.  It only worked
by luck before.

PR:		264848
Reported by:	Julien Cigar <julien@perdition.city>
MFC after:	1 week
Sponsored by:	Axcient
Reviewed by:	scottl, imp
Differential Revision: https://reviews.freebsd.org/D38739
sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16T17:54:36+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:54:36+00:00 685dc743dc3b5645e34836464128e1c0558b404b Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ 
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16T17:54:11+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:54:11+00:00 95ee2897e98f5d444f26ed2334cc7c439f9c16c6 Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/ 
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
Fix kernel memory disclosures in mpr and mps 2023-03-02T20:31:06+00:00 Alan Somers asomers@FreeBSD.org 2023-03-01T18:53:46+00:00 72aad3f9028af12e6c56a3a461b46a153abd7b24 In every mpr and mps ioctl that copies kernel data to userland, validate that the requested length does not exceed the size of the kernel's buffer. Note that all of these ioctls already required root access. MFC after: 2 weeks Sponsored by: Axcient Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D38842 
In every mpr and mps ioctl that copies kernel data to userland, validate
that the requested length does not exceed the size of the kernel's
buffer.

Note that all of these ioctls already required root access.

MFC after:	2 weeks
Sponsored by:	Axcient
Reviewed by:	imp
Differential Revision: https://reviews.freebsd.org/D38842
mpr: add \n in diagnostic printf 2022-03-31T00:14:07+00:00 Ed Maste emaste@FreeBSD.org 2022-03-28T17:24:06+00:00 27ac4281fddd81e1352cd05bb9f50ed303f12e89 Diff reduction between mpr and mps. Fixes: e2997a03b7f7 ("Diagnostic buffer fixes for the mps(4)...") MFC after: 3 days Sponsored by: The FreeBSD Foundation 
Diff reduction between mpr and mps.

Fixes:		e2997a03b7f7 ("Diagnostic buffer fixes for the mps(4)...")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
mpr/mps/mpt: verify cfg page ioctl lengths 2022-03-29T00:35:47+00:00 Ed Maste emaste@FreeBSD.org 2022-03-28T13:33:54+00:00 8276c4149b5fc7c755d6b244fbbf6dae1939f087 *_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Add checks that the size is at least the required minimum. Note that the device nodes are owned by root:operator with 0640 permissions so the ioctls are not available to unprivileged users. This change includes suggestions from scottl, markj and mav. Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative; scottl reported the third case in mpt. Same issue found in mpr and mps after discussion with imp. Reported by: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative Reviewed by: imp, mav MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34692 
*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by:	Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by:	imp, mav
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34692
mpr, mps: Fix an off-by-one bug in the BTDH_MAPPING ioctl 2021-01-08T18:32:05+00:00 Mark Johnston markj@FreeBSD.org 2021-01-08T18:32:05+00:00 adc0dcc352bb9f5a67a054d95c6959ea5aa26d91 The device mapping table contains sc->max_devices entries, so only indices in [0, sc->max_devices) are valid. MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27964 
The device mapping table contains sc->max_devices entries, so only
indices in [0, sc->max_devices) are valid.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27964
mpr, mps: Fix a stack buffer overflow in the user passthru ioctl 2021-01-08T18:32:04+00:00 Mark Johnston markj@FreeBSD.org 2021-01-08T18:32:04+00:00 de828a91db29fb20440e0d92f3d3136b314a9584 Previously we copied in the request into a stack-allocated structure that could be smaller than the request size. Furthermore, we checked the request size only after doing the copyin. Fix this by allocating a buffer to hold the request, then copying the buffer's contents into a command descriptor. This is a bit heavy-handed but I expect the overhead will not be noticeable. The approach of coping the header in first is susceptible to TOCTOU problems. Reviewed by: imp Reported by: maxpl0it@protonmail.com MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D27963 
Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size.  Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor.  This is a bit heavy-handed
but I expect the overhead will not be noticeable.  The approach of
coping the header in first is susceptible to TOCTOU problems.

Reviewed by:	imp
Reported by:	maxpl0it@protonmail.com
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27963