search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
[linux/fpc-iii.git] / drivers / scsi / sr_ioctl.c
blob3c3e8115f73d6b0d3f112cb05a0fc9efae71948b
1 #include <linux/kernel.h>
2 #include <linux/mm.h>
3 #include <linux/fs.h>
4 #include <linux/errno.h>
5 #include <linux/string.h>
6 #include <linux/blkdev.h>
7 #include <linux/module.h>
8 #include <linux/blkpg.h>
9 #include <linux/cdrom.h>
10 #include <linux/delay.h>
11 #include <linux/slab.h>
12 #include <asm/io.h>
13 #include <asm/uaccess.h>
14
15 #include <scsi/scsi.h>
16 #include <scsi/scsi_dbg.h>
17 #include <scsi/scsi_device.h>
18 #include <scsi/scsi_eh.h>
19 #include <scsi/scsi_host.h>
20 #include <scsi/scsi_ioctl.h>
21 #include <scsi/scsi_cmnd.h>
22
23 #include "sr.h"
24
25 #if 0
26 #define DEBUG
27 #endif
28
29 /* The sr_is_xa() seems to trigger firmware bugs with some drives :-(
30 * It is off by default and can be turned on with this module parameter */
31 static int xa_test = 0;
32
33 module_param(xa_test, int, S_IRUGO | S_IWUSR);
34
35 /* primitive to determine whether we need to have GFP_DMA set based on
36 * the status of the unchecked_isa_dma flag in the host structure */
37 #define SR_GFP_DMA(cd) (((cd)->device->host->unchecked_isa_dma) ? GFP_DMA : 0)
38
39 static int sr_read_tochdr(struct cdrom_device_info *cdi,
40 struct cdrom_tochdr *tochdr)
41 {
42 struct scsi_cd *cd = cdi->handle;
43 struct packet_command cgc;
44 int result;
45 unsigned char *buffer;
46
47 buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
48 if (!buffer)
49 return -ENOMEM;
50
51 memset(&cgc, 0, sizeof(struct packet_command));
52 cgc.timeout = IOCTL_TIMEOUT;
53 cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
54 cgc.cmd[8] = 12; /* LSB of length */
55 cgc.buffer = buffer;
56 cgc.buflen = 12;
57 cgc.quiet = 1;
58 cgc.data_direction = DMA_FROM_DEVICE;
59
60 result = sr_do_ioctl(cd, &cgc);
61
62 tochdr->cdth_trk0 = buffer[2];
63 tochdr->cdth_trk1 = buffer[3];
64
65 kfree(buffer);
66 return result;
67 }
68
69 static int sr_read_tocentry(struct cdrom_device_info *cdi,
70 struct cdrom_tocentry *tocentry)
71 {
72 struct scsi_cd *cd = cdi->handle;
73 struct packet_command cgc;
74 int result;
75 unsigned char *buffer;
76
77 buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
78 if (!buffer)
79 return -ENOMEM;
80
81 memset(&cgc, 0, sizeof(struct packet_command));
82 cgc.timeout = IOCTL_TIMEOUT;
83 cgc.cmd[0] = GPCMD_READ_TOC_PMA_ATIP;
84 cgc.cmd[1] |= (tocentry->cdte_format == CDROM_MSF) ? 0x02 : 0;
85 cgc.cmd[6] = tocentry->cdte_track;
86 cgc.cmd[8] = 12; /* LSB of length */
87 cgc.buffer = buffer;
88 cgc.buflen = 12;
89 cgc.data_direction = DMA_FROM_DEVICE;
90
91 result = sr_do_ioctl(cd, &cgc);
92
93 tocentry->cdte_ctrl = buffer[5] & 0xf;
94 tocentry->cdte_adr = buffer[5] >> 4;
95 tocentry->cdte_datamode = (tocentry->cdte_ctrl & 0x04) ? 1 : 0;
96 if (tocentry->cdte_format == CDROM_MSF) {
97 tocentry->cdte_addr.msf.minute = buffer[9];
98 tocentry->cdte_addr.msf.second = buffer[10];
99 tocentry->cdte_addr.msf.frame = buffer[11];
100 } else
101 tocentry->cdte_addr.lba = (((((buffer[8] << 8) + buffer[9]) << 8)
102 + buffer[10]) << 8) + buffer[11];
103
104 kfree(buffer);
105 return result;
106 }
107
108 #define IOCTL_RETRIES 3
109
110 /* ATAPI drives don't have a SCMD_PLAYAUDIO_TI command. When these drives
111 are emulating a SCSI device via the idescsi module, they need to have
112 CDROMPLAYTRKIND commands translated into CDROMPLAYMSF commands for them */
113
114 static int sr_fake_playtrkind(struct cdrom_device_info *cdi, struct cdrom_ti *ti)
115 {
116 struct cdrom_tocentry trk0_te, trk1_te;
117 struct cdrom_tochdr tochdr;
118 struct packet_command cgc;
119 int ntracks, ret;
120
121 ret = sr_read_tochdr(cdi, &tochdr);
122 if (ret)
123 return ret;
124
125 ntracks = tochdr.cdth_trk1 - tochdr.cdth_trk0 + 1;
126
127 if (ti->cdti_trk1 == ntracks)
128 ti->cdti_trk1 = CDROM_LEADOUT;
129 else if (ti->cdti_trk1 != CDROM_LEADOUT)
130 ti->cdti_trk1 ++;
131
132 trk0_te.cdte_track = ti->cdti_trk0;
133 trk0_te.cdte_format = CDROM_MSF;
134 trk1_te.cdte_track = ti->cdti_trk1;
135 trk1_te.cdte_format = CDROM_MSF;
136
137 ret = sr_read_tocentry(cdi, &trk0_te);
138 if (ret)
139 return ret;
140 ret = sr_read_tocentry(cdi, &trk1_te);
141 if (ret)
142 return ret;
143
144 memset(&cgc, 0, sizeof(struct packet_command));
145 cgc.cmd[0] = GPCMD_PLAY_AUDIO_MSF;
146 cgc.cmd[3] = trk0_te.cdte_addr.msf.minute;
147 cgc.cmd[4] = trk0_te.cdte_addr.msf.second;
148 cgc.cmd[5] = trk0_te.cdte_addr.msf.frame;
149 cgc.cmd[6] = trk1_te.cdte_addr.msf.minute;
150 cgc.cmd[7] = trk1_te.cdte_addr.msf.second;
151 cgc.cmd[8] = trk1_te.cdte_addr.msf.frame;
152 cgc.data_direction = DMA_NONE;
153 cgc.timeout = IOCTL_TIMEOUT;
154 return sr_do_ioctl(cdi->handle, &cgc);
155 }
156
157 static int sr_play_trkind(struct cdrom_device_info *cdi,
158 struct cdrom_ti *ti)
159
160 {
161 struct scsi_cd *cd = cdi->handle;
162 struct packet_command cgc;
163 int result;
164
165 memset(&cgc, 0, sizeof(struct packet_command));
166 cgc.timeout = IOCTL_TIMEOUT;
167 cgc.cmd[0] = GPCMD_PLAYAUDIO_TI;
168 cgc.cmd[4] = ti->cdti_trk0;
169 cgc.cmd[5] = ti->cdti_ind0;
170 cgc.cmd[7] = ti->cdti_trk1;
171 cgc.cmd[8] = ti->cdti_ind1;
172 cgc.data_direction = DMA_NONE;
173
174 result = sr_do_ioctl(cd, &cgc);
175 if (result == -EDRIVE_CANT_DO_THIS)
176 result = sr_fake_playtrkind(cdi, ti);
177
178 return result;
179 }
180
181 /* We do our own retries because we want to know what the specific
182 error code is. Normally the UNIT_ATTENTION code will automatically
183 clear after one error */
184
185 int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
186 {
187 struct scsi_device *SDev;
188 struct scsi_sense_hdr sshdr;
189 int result, err = 0, retries = 0;
190 unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE];
191
192 SDev = cd->device;
193
194 retry:
195 if (!scsi_block_when_processing_errors(SDev)) {
196 err = -ENODEV;
197 goto out;
198 }
199
200 memset(sense_buffer, 0, sizeof(sense_buffer));
201 result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
202 cgc->buffer, cgc->buflen, sense_buffer,
203 cgc->timeout, IOCTL_RETRIES, 0, NULL);
204
205 scsi_normalize_sense(sense_buffer, sizeof(sense_buffer), &sshdr);
206
207 if (cgc->sense)
208 memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
209
210 /* Minimal error checking. Ignore cases we know about, and report the rest. */
211 if (driver_byte(result) != 0) {
212 switch (sshdr.sense_key) {
213 case UNIT_ATTENTION:
214 SDev->changed = 1;
215 if (!cgc->quiet)
216 sr_printk(KERN_INFO, cd,
217 "disc change detected.\n");
218 if (retries++ < 10)
219 goto retry;
220 err = -ENOMEDIUM;
221 break;
222 case NOT_READY: /* This happens if there is no disc in drive */
223 if (sshdr.asc == 0x04 &&
224 sshdr.ascq == 0x01) {
225 /* sense: Logical unit is in process of becoming ready */
226 if (!cgc->quiet)
227 sr_printk(KERN_INFO, cd,
228 "CDROM not ready yet.\n");
229 if (retries++ < 10) {
230 /* sleep 2 sec and try again */
231 ssleep(2);
232 goto retry;
233 } else {
234 /* 20 secs are enough? */
235 err = -ENOMEDIUM;
236 break;
237 }
238 }
239 if (!cgc->quiet)
240 sr_printk(KERN_INFO, cd,
241 "CDROM not ready. Make sure there "
242 "is a disc in the drive.\n");
243 err = -ENOMEDIUM;
244 break;
245 case ILLEGAL_REQUEST:
246 err = -EIO;
247 if (sshdr.asc == 0x20 &&
248 sshdr.ascq == 0x00)
249 /* sense: Invalid command operation code */
250 err = -EDRIVE_CANT_DO_THIS;
251 break;
252 default:
253 err = -EIO;
254 }
255 }
256
257 /* Wake up a process waiting for device */
258 out:
259 cgc->stat = err;
260 return err;
261 }
262
263 /* ---------------------------------------------------------------------- */
264 /* interface to cdrom.c */
265
266 int sr_tray_move(struct cdrom_device_info *cdi, int pos)
267 {
268 Scsi_CD *cd = cdi->handle;
269 struct packet_command cgc;
270
271 memset(&cgc, 0, sizeof(struct packet_command));
272 cgc.cmd[0] = GPCMD_START_STOP_UNIT;
273 cgc.cmd[4] = (pos == 0) ? 0x03 /* close */ : 0x02 /* eject */ ;
274 cgc.data_direction = DMA_NONE;
275 cgc.timeout = IOCTL_TIMEOUT;
276 return sr_do_ioctl(cd, &cgc);
277 }
278
279 int sr_lock_door(struct cdrom_device_info *cdi, int lock)
280 {
281 Scsi_CD *cd = cdi->handle;
282
283 return scsi_set_medium_removal(cd->device, lock ?
284 SCSI_REMOVAL_PREVENT : SCSI_REMOVAL_ALLOW);
285 }
286
287 int sr_drive_status(struct cdrom_device_info *cdi, int slot)
288 {
289 struct scsi_cd *cd = cdi->handle;
290 struct scsi_sense_hdr sshdr;
291 struct media_event_desc med;
292
293 if (CDSL_CURRENT != slot) {
294 /* we have no changer support */
295 return -EINVAL;
296 }
297 if (!scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr))
298 return CDS_DISC_OK;
299
300 /* SK/ASC/ASCQ of 2/4/1 means "unit is becoming ready" */
301 if (scsi_sense_valid(&sshdr) && sshdr.sense_key == NOT_READY
302 && sshdr.asc == 0x04 && sshdr.ascq == 0x01)
303 return CDS_DRIVE_NOT_READY;
304
305 if (!cdrom_get_media_event(cdi, &med)) {
306 if (med.media_present)
307 return CDS_DISC_OK;
308 else if (med.door_open)
309 return CDS_TRAY_OPEN;
310 else
311 return CDS_NO_DISC;
312 }
313
314 /*
315 * SK/ASC/ASCQ of 2/4/2 means "initialization required"
316 * Using CD_TRAY_OPEN results in an START_STOP_UNIT to close
317 * the tray, which resolves the initialization requirement.
318 */
319 if (scsi_sense_valid(&sshdr) && sshdr.sense_key == NOT_READY
320 && sshdr.asc == 0x04 && sshdr.ascq == 0x02)
321 return CDS_TRAY_OPEN;
322
323 /*
324 * 0x04 is format in progress .. but there must be a disc present!
325 */
326 if (sshdr.sense_key == NOT_READY && sshdr.asc == 0x04)
327 return CDS_DISC_OK;
328
329 /*
330 * If not using Mt Fuji extended media tray reports,
331 * just return TRAY_OPEN since ATAPI doesn't provide
332 * any other way to detect this...
333 */
334 if (scsi_sense_valid(&sshdr) &&
335 /* 0x3a is medium not present */
336 sshdr.asc == 0x3a)
337 return CDS_NO_DISC;
338 else
339 return CDS_TRAY_OPEN;
340
341 return CDS_DRIVE_NOT_READY;
342 }
343
344 int sr_disk_status(struct cdrom_device_info *cdi)
345 {
346 Scsi_CD *cd = cdi->handle;
347 struct cdrom_tochdr toc_h;
348 struct cdrom_tocentry toc_e;
349 int i, rc, have_datatracks = 0;
350
351 /* look for data tracks */
352 rc = sr_read_tochdr(cdi, &toc_h);
353 if (rc)
354 return (rc == -ENOMEDIUM) ? CDS_NO_DISC : CDS_NO_INFO;
355
356 for (i = toc_h.cdth_trk0; i <= toc_h.cdth_trk1; i++) {
357 toc_e.cdte_track = i;
358 toc_e.cdte_format = CDROM_LBA;
359 if (sr_read_tocentry(cdi, &toc_e))
360 return CDS_NO_INFO;
361 if (toc_e.cdte_ctrl & CDROM_DATA_TRACK) {
362 have_datatracks = 1;
363 break;
364 }
365 }
366 if (!have_datatracks)
367 return CDS_AUDIO;
368
369 if (cd->xa_flag)
370 return CDS_XA_2_1;
371 else
372 return CDS_DATA_1;
373 }
374
375 int sr_get_last_session(struct cdrom_device_info *cdi,
376 struct cdrom_multisession *ms_info)
377 {
378 Scsi_CD *cd = cdi->handle;
379
380 ms_info->addr.lba = cd->ms_offset;
381 ms_info->xa_flag = cd->xa_flag || cd->ms_offset > 0;
382
383 return 0;
384 }
385
386 int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn)
387 {
388 Scsi_CD *cd = cdi->handle;
389 struct packet_command cgc;
390 char *buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd));
391 int result;
392
393 if (!buffer)
394 return -ENOMEM;
395
396 memset(&cgc, 0, sizeof(struct packet_command));
397 cgc.cmd[0] = GPCMD_READ_SUBCHANNEL;
398 cgc.cmd[2] = 0x40; /* I do want the subchannel info */
399 cgc.cmd[3] = 0x02; /* Give me medium catalog number info */
400 cgc.cmd[8] = 24;
401 cgc.buffer = buffer;
402 cgc.buflen = 24;
403 cgc.data_direction = DMA_FROM_DEVICE;
404 cgc.timeout = IOCTL_TIMEOUT;
405 result = sr_do_ioctl(cd, &cgc);
406
407 memcpy(mcn->medium_catalog_number, buffer + 9, 13);
408 mcn->medium_catalog_number[13] = 0;
409
410 kfree(buffer);
411 return result;
412 }
413
414 int sr_reset(struct cdrom_device_info *cdi)
415 {
416 return 0;
417 }
418
419 int sr_select_speed(struct cdrom_device_info *cdi, int speed)
420 {
421 Scsi_CD *cd = cdi->handle;
422 struct packet_command cgc;
423
424 if (speed == 0)
425 speed = 0xffff; /* set to max */
426 else
427 speed *= 177; /* Nx to kbyte/s */
428
429 memset(&cgc, 0, sizeof(struct packet_command));
430 cgc.cmd[0] = GPCMD_SET_SPEED; /* SET CD SPEED */
431 cgc.cmd[2] = (speed >> 8) & 0xff; /* MSB for speed (in kbytes/sec) */
432 cgc.cmd[3] = speed & 0xff; /* LSB */
433 cgc.data_direction = DMA_NONE;
434 cgc.timeout = IOCTL_TIMEOUT;
435
436 if (sr_do_ioctl(cd, &cgc))
437 return -EIO;
438 return 0;
439 }
440
441 /* ----------------------------------------------------------------------- */
442 /* this is called by the generic cdrom driver. arg is a _kernel_ pointer, */
443 /* because the generic cdrom driver does the user access stuff for us. */
444 /* only cdromreadtochdr and cdromreadtocentry are left - for use with the */
445 /* sr_disk_status interface for the generic cdrom driver. */
446
447 int sr_audio_ioctl(struct cdrom_device_info *cdi, unsigned int cmd, void *arg)
448 {
449 switch (cmd) {
450 case CDROMREADTOCHDR:
451 return sr_read_tochdr(cdi, arg);
452 case CDROMREADTOCENTRY:
453 return sr_read_tocentry(cdi, arg);
454 case CDROMPLAYTRKIND:
455 return sr_play_trkind(cdi, arg);
456 default:
457 return -EINVAL;
458 }
459 }
460
461 /* -----------------------------------------------------------------------
462 * a function to read all sorts of funny cdrom sectors using the READ_CD
463 * scsi-3 mmc command
464 *
465 * lba: linear block address
466 * format: 0 = data (anything)
467 * 1 = audio
468 * 2 = data (mode 1)
469 * 3 = data (mode 2)
470 * 4 = data (mode 2 form1)
471 * 5 = data (mode 2 form2)
472 * blksize: 2048 | 2336 | 2340 | 2352
473 */
474
475 static int sr_read_cd(Scsi_CD *cd, unsigned char *dest, int lba, int format, int blksize)
476 {
477 struct packet_command cgc;
478
479 #ifdef DEBUG
480 sr_printk(KERN_INFO, cd, "sr_read_cd lba=%d format=%d blksize=%d\n",
481 lba, format, blksize);
482 #endif
483
484 memset(&cgc, 0, sizeof(struct packet_command));
485 cgc.cmd[0] = GPCMD_READ_CD; /* READ_CD */
486 cgc.cmd[1] = ((format & 7) << 2);
487 cgc.cmd[2] = (unsigned char) (lba >> 24) & 0xff;
488 cgc.cmd[3] = (unsigned char) (lba >> 16) & 0xff;
489 cgc.cmd[4] = (unsigned char) (lba >> 8) & 0xff;
490 cgc.cmd[5] = (unsigned char) lba & 0xff;
491 cgc.cmd[8] = 1;
492 switch (blksize) {
493 case 2336:
494 cgc.cmd[9] = 0x58;
495 break;
496 case 2340:
497 cgc.cmd[9] = 0x78;
498 break;
499 case 2352:
500 cgc.cmd[9] = 0xf8;
501 break;
502 default:
503 cgc.cmd[9] = 0x10;
504 break;
505 }
506 cgc.buffer = dest;
507 cgc.buflen = blksize;
508 cgc.data_direction = DMA_FROM_DEVICE;
509 cgc.timeout = IOCTL_TIMEOUT;
510 return sr_do_ioctl(cd, &cgc);
511 }
512
513 /*
514 * read sectors with blocksizes other than 2048
515 */
516
517 static int sr_read_sector(Scsi_CD *cd, int lba, int blksize, unsigned char *dest)
518 {
519 struct packet_command cgc;
520 int rc;
521
522 /* we try the READ CD command first... */
523 if (cd->readcd_known) {
524 rc = sr_read_cd(cd, dest, lba, 0, blksize);
525 if (-EDRIVE_CANT_DO_THIS != rc)
526 return rc;
527 cd->readcd_known = 0;
528 sr_printk(KERN_INFO, cd,
529 "CDROM does'nt support READ CD (0xbe) command\n");
530 /* fall & retry the other way */
531 }
532 /* ... if this fails, we switch the blocksize using MODE SELECT */
533 if (blksize != cd->device->sector_size) {
534 if (0 != (rc = sr_set_blocklength(cd, blksize)))
535 return rc;
536 }
537 #ifdef DEBUG
538 sr_printk(KERN_INFO, cd, "sr_read_sector lba=%d blksize=%d\n",
539 lba, blksize);
540 #endif
541
542 memset(&cgc, 0, sizeof(struct packet_command));
543 cgc.cmd[0] = GPCMD_READ_10;
544 cgc.cmd[2] = (unsigned char) (lba >> 24) & 0xff;
545 cgc.cmd[3] = (unsigned char) (lba >> 16) & 0xff;
546 cgc.cmd[4] = (unsigned char) (lba >> 8) & 0xff;
547 cgc.cmd[5] = (unsigned char) lba & 0xff;
548 cgc.cmd[8] = 1;
549 cgc.buffer = dest;
550 cgc.buflen = blksize;
551 cgc.data_direction = DMA_FROM_DEVICE;
552 cgc.timeout = IOCTL_TIMEOUT;
553 rc = sr_do_ioctl(cd, &cgc);
554
555 return rc;
556 }
557
558 /*
559 * read a sector in raw mode to check the sector format
560 * ret: 1 == mode2 (XA), 0 == mode1, <0 == error
561 */
562
563 int sr_is_xa(Scsi_CD *cd)
564 {
565 unsigned char *raw_sector;
566 int is_xa;
567
568 if (!xa_test)
569 return 0;
570
571 raw_sector = kmalloc(2048, GFP_KERNEL | SR_GFP_DMA(cd));
572 if (!raw_sector)
573 return -ENOMEM;
574 if (0 == sr_read_sector(cd, cd->ms_offset + 16,
575 CD_FRAMESIZE_RAW1, raw_sector)) {
576 is_xa = (raw_sector[3] == 0x02) ? 1 : 0;
577 } else {
578 /* read a raw sector failed for some reason. */
579 is_xa = -1;
580 }
581 kfree(raw_sector);
582 #ifdef DEBUG
583 sr_printk(KERN_INFO, cd, "sr_is_xa: %d\n", is_xa);
584 #endif
585 return is_xa;
586 }
Linux with added FPC-III support