<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/dev/mpr/mpr_user.c, branch release/12.4.0</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>mpr/mps/mpt: verify cfg page ioctl lengths</title>
<updated>2022-04-04T00:46:34+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-03-28T13:33:54+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=56d0638c738e3f9b7fbc7f78bd49590523e01ada'/>
<id>56d0638c738e3f9b7fbc7f78bd49590523e01ada</id>
<content type='text'>
*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by:	Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by:	imp, mav
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34692

(cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
*_CFG_PAGE ioctl handlers in the mpr, mps, and mpt drivers allocated a
buffer of a caller-specified size, but copied to it a fixed size header.
Add checks that the size is at least the required minimum.

Note that the device nodes are owned by root:operator with 0640
permissions so the ioctls are not available to unprivileged users.

This change includes suggestions from scottl, markj and mav.

Two of the mpt cases were reported by Lucas Leong (@_wmliang_) of
Trend Micro Zero Day Initiative; scottl reported the third case in mpt.
Same issue found in mpr and mps after discussion with imp.

Reported by:	Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative
Reviewed by:	imp, mav
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34692

(cherry picked from commit 8276c4149b5fc7c755d6b244fbbf6dae1939f087)
</pre>
</div>
</content>
</entry>
<entry>
<title>mpr, mps: Fix a stack buffer overflow in the user passthru ioctl</title>
<updated>2021-01-11T14:43:37+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2021-01-08T18:32:04+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=ed6fa9d618bff47dcd3fb000e5805e29d331578d'/>
<id>ed6fa9d618bff47dcd3fb000e5805e29d331578d</id>
<content type='text'>
Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size.  Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor.  This is a bit heavy-handed
but I expect the overhead will not be noticeable.  The approach of
copying the header in first is susceptible to TOCTOU problems.

Reviewed by:	imp
Reported by:	maxpl0it@protonmail.com
Differential Revision:	https://reviews.freebsd.org/D27963

(cherry picked from commit de828a91db29fb20440e0d92f3d3136b314a9584)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size.  Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor.  This is a bit heavy-handed
but I expect the overhead will not be noticeable.  The approach of
copying the header in first is susceptible to TOCTOU problems.

Reviewed by:	imp
Reported by:	maxpl0it@protonmail.com
Differential Revision:	https://reviews.freebsd.org/D27963

(cherry picked from commit de828a91db29fb20440e0d92f3d3136b314a9584)
</pre>
</div>
</content>
</entry>
<entry>
<title>mpr, mps: Fix an off-by-one bug in the BTDH_MAPPING ioctl</title>
<updated>2021-01-11T14:43:17+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2021-01-08T18:32:05+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=ee01a1e7d862a5a33b43b8ae9da220d83f089c21'/>
<id>ee01a1e7d862a5a33b43b8ae9da220d83f089c21</id>
<content type='text'>
The device mapping table contains sc-&gt;max_devices entries, so only
indices in [0, sc-&gt;max_devices) are valid.

Differential Revision:	https://reviews.freebsd.org/D27964

(cherry picked from commit adc0dcc352bb9f5a67a054d95c6959ea5aa26d91)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The device mapping table contains sc-&gt;max_devices entries, so only
indices in [0, sc-&gt;max_devices) are valid.

Differential Revision:	https://reviews.freebsd.org/D27964

(cherry picked from commit adc0dcc352bb9f5a67a054d95c6959ea5aa26d91)
</pre>
</div>
</content>
</entry>
<entry>
<title>MFC r363608:</title>
<updated>2020-08-03T23:06:33+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2020-08-03T23:06:33+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9c4a78a41a2cdce7b1a749ad9a295a8953faa9ab'/>
<id>9c4a78a41a2cdce7b1a749ad9a295a8953faa9ab</id>
<content type='text'>
mpr(4), mps(4): Stop checking for failures from malloc(M_WAITOK).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mpr(4), mps(4): Stop checking for failures from malloc(M_WAITOK).
</pre>
</div>
</content>
</entry>
<entry>
<title>MFC r359937:</title>
<updated>2020-04-28T17:59:37+00:00</updated>
<author>
<name>Brooks Davis</name>
<email>brooks@FreeBSD.org</email>
</author>
<published>2020-04-28T17:59:37+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=18fec7394da653a176be797ebcdd1eaf55897f9d'/>
<id>18fec7394da653a176be797ebcdd1eaf55897f9d</id>
<content type='text'>
Centralize compatibility translation macros.

Copy the CP, PTRIN, etc macros from freebsd32.h into a sys/abi_compat.h
and replace existing definitions with includes where required. This
eliminates duplicate code and allows Linux and FreeBSD compatibility
headers to be included in the same files.

Obtained from:	CheriBSD
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24275
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Centralize compatibility translation macros.

Copy the CP, PTRIN, etc macros from freebsd32.h into a sys/abi_compat.h
and replace existing definitions with includes where required. This
eliminates duplicate code and allows Linux and FreeBSD compatibility
headers to be included in the same files.

Obtained from:	CheriBSD
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24275
</pre>
</div>
</content>
</entry>
<entry>
<title>Catch up with stability fixes to mpr/mps in -current since 12</title>
<updated>2019-09-26T01:54:24+00:00</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2019-09-26T01:54:24+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=40d21e921a551c61306276dfee10a5529ffe6dbf'/>
<id>40d21e921a551c61306276dfee10a5529ffe6dbf</id>
<content type='text'>
was branched.

MFC r341755,r342354,r342355,r342386,r342387,r342388,r342526,r342528,
r342530,r342531,r342533,r342534,r342535,r342536,r342659,r345479,
r345485,r345573,r347237,r349849,r349909:

  r341755:
    Copy and clear the reply descriptor atomically.  This prevents concurrency
    in the interrupt handlers (usually due to timeout/error recovery) from
    seeing and processing the same descriptor twice.
  r342354:
    mps(4), mpr(4): Fix lifetime of command buffer for mp?sas_get_sata_identify
  r342355:
    mps(4), mpr(4): remove SATA ID command cancellation hack
  r342386:
    First step in refactoring and fixing the error recovery and task management
    code in the mpr and mps drivers.  Eliminate duplicated code and fix some
    comments.
  r342387:
    Commands for user-initiated device resets should come from the high-priority
    allocator.  Prior to this change, they would leak from the normal
    allocator.
  r342388:
    Further refactoring for task management commands.  Also fix a related typo
    from the previous commit.
  r342526:
    Update MPI header files version to 2.00.52 from 2.00.48
  r342528:
    Copy back the Sense data at proper location expected by the application
  r342530:
    Added support for NVMe Task Management
  r342531:
    Add Sea,Aero adapter support
  r342533:
    Enable atomic type descriptor support only for Sea &amp; Aero cards
  r342534:
    On Aero/Sea A0 cards retry MPT Fusion registers reads for max three times
  r342535:
    Update copyright information
  r342536:
    Update mpr driver version to v23.00.00.00-fbsd
  r342659:
    Fix whitespace from r342528
  r345479:
    r329522 created problems with commands that enter the TIMEDOUT state but
    are successfully returned by the card (usually due to an abort being issued
    as part of timeout recovery). Remove what amounts to an insufficient
    KASSERT, and don't overwrite the state value. State should probably be
    re-designed, and that will be done with a future commit.
  r345485:
    Add event table decoding for SAS Broadcast Primitive events.
  r345573:
    Add missing break statements.  Coverity CID 1400446.
  r347237:
    Add missing newline to debug printf.
  r349849:
    Fix bugs in recovery path and improve cm tracking
  r349909:
    More fully implement the state machine.

Sponsored by: Netflix, Inc
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
was branched.

MFC r341755,r342354,r342355,r342386,r342387,r342388,r342526,r342528,
r342530,r342531,r342533,r342534,r342535,r342536,r342659,r345479,
r345485,r345573,r347237,r349849,r349909:

  r341755:
    Copy and clear the reply descriptor atomically.  This prevents concurrency
    in the interrupt handlers (usually due to timeout/error recovery) from
    seeing and processing the same descriptor twice.
  r342354:
    mps(4), mpr(4): Fix lifetime of command buffer for mp?sas_get_sata_identify
  r342355:
    mps(4), mpr(4): remove SATA ID command cancellation hack
  r342386:
    First step in refactoring and fixing the error recovery and task management
    code in the mpr and mps drivers.  Eliminate duplicated code and fix some
    comments.
  r342387:
    Commands for user-initiated device resets should come from the high-priority
    allocator.  Prior to this change, they would leak from the normal
    allocator.
  r342388:
    Further refactoring for task management commands.  Also fix a related typo
    from the previous commit.
  r342526:
    Update MPI header files version to 2.00.52 from 2.00.48
  r342528:
    Copy back the Sense data at proper location expected by the application
  r342530:
    Added support for NVMe Task Management
  r342531:
    Add Sea,Aero adapter support
  r342533:
    Enable atomic type descriptor support only for Sea &amp; Aero cards
  r342534:
    On Aero/Sea A0 cards retry MPT Fusion registers reads for max three times
  r342535:
    Update copyright information
  r342536:
    Update mpr driver version to v23.00.00.00-fbsd
  r342659:
    Fix whitespace from r342528
  r345479:
    r329522 created problems with commands that enter the TIMEDOUT state but
    are successfully returned by the card (usually due to an abort being issued
    as part of timeout recovery). Remove what amounts to an insufficient
    KASSERT, and don't overwrite the state value. State should probably be
    re-designed, and that will be done with a future commit.
  r345485:
    Add event table decoding for SAS Broadcast Primitive events.
  r345573:
    Add missing break statements.  Coverity CID 1400446.
  r347237:
    Add missing newline to debug printf.
  r349849:
    Fix bugs in recovery path and improve cm tracking
  r349909:
    More fully implement the state machine.

Sponsored by: Netflix, Inc
</pre>
</div>
</content>
</entry>
<entry>
<title>MFC r348417: Fix busy status leak in case of incorrect passthrough args.</title>
<updated>2019-06-06T01:16:04+00:00</updated>
<author>
<name>Alexander Motin</name>
<email>mav@FreeBSD.org</email>
</author>
<published>2019-06-06T01:16:04+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9f7521af587c2de56a2c19a7240f6beab2c7a81e'/>
<id>9f7521af587c2de56a2c19a7240f6beab2c7a81e</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Move most of the contents of opt_compat.h to opt_global.h.</title>
<updated>2018-04-06T17:35:35+00:00</updated>
<author>
<name>Brooks Davis</name>
<email>brooks@FreeBSD.org</email>
</author>
<published>2018-04-06T17:35:35+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=6469bdcdb6a5968dc7edfcfb495d427b4bfdb3dd'/>
<id>6469bdcdb6a5968dc7edfcfb495d427b4bfdb3dd</id>
<content type='text'>
opt_compat.h is mentioned in nearly 180 files. In-progress network
driver compatibility improvements may add over 100 more so this is
closer to "just about everywhere" than "only some files" per the
guidance in sys/conf/options.

Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of
sys/compat/linux/*.c.  A fake _COMPAT_LINUX option ensures opt_compat.h
is created on all architectures.

Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the
set of compiled files.

Reviewed by:	kib, cem, jhb, jtl
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14941
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
opt_compat.h is mentioned in nearly 180 files. In-progress network
driver compatibility improvements may add over 100 more so this is
closer to "just about everywhere" than "only some files" per the
guidance in sys/conf/options.

Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of
sys/compat/linux/*.c.  A fake _COMPAT_LINUX option ensures opt_compat.h
is created on all architectures.

Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the
set of compiled files.

Reviewed by:	kib, cem, jhb, jtl
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14941
</pre>
</div>
</content>
</entry>
<entry>
<title>Update mpr(4) driver from v15 to v18 from Broadcom site.</title>
<updated>2018-03-19T23:21:45+00:00</updated>
<author>
<name>Alexander Motin</name>
<email>mav@FreeBSD.org</email>
</author>
<published>2018-03-19T23:21:45+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=5f5baf0e9697eea27a5a8e77fbdb639397f7f388'/>
<id>5f5baf0e9697eea27a5a8e77fbdb639397f7f388</id>
<content type='text'>
Version 16 is just a number bump, since we already had those changes.

Version 17 introduces new AdapterType value, that allows new user-space
tools from Broadcom to differentiate adapter generations 3 and 3.5.

Version 18 updates headers and adds SAS_DEVICE_DISCOVERY_ERROR reporting.

MFC after:	2 weeks
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Version 16 is just a number bump, since we already had those changes.

Version 17 introduces new AdapterType value, that allows new user-space
tools from Broadcom to differentiate adapter generations 3 and 3.5.

Version 18 updates headers and adds SAS_DEVICE_DISCOVERY_ERROR reporting.

MFC after:	2 weeks
</pre>
</div>
</content>
</entry>
<entry>
<title>Cache the value of the request and reply frame size since it's used quite</title>
<updated>2018-02-06T21:01:38+00:00</updated>
<author>
<name>Scott Long</name>
<email>scottl@FreeBSD.org</email>
</author>
<published>2018-02-06T21:01:38+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=964107031b45bfdae417fc22847e41463c6918c3'/>
<id>964107031b45bfdae417fc22847e41463c6918c3</id>
<content type='text'>
a bit in the normal operation of the driver.  Convert it to represent bytes
instead of 32bit words.  Fix what I believe to be a bug in this respect
with the Tri-mode cards.

Sponsored by:	Netflix
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
a bit in the normal operation of the driver.  Convert it to represent bytes
instead of 32bit words.  Fix what I believe to be a bug in this respect
with the Tri-mode cards.

Sponsored by:	Netflix
</pre>
</div>
</content>
</entry>
</feed>
