git: f01b5e418745 - stable/13 - mps: Handle errors from copyout() in ioctl handlers
Date: Tue, 02 Jan 2024 01:13:09 UTC
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f01b5e41874584ffe3547e79bd80c2b20e557176 commit f01b5e41874584ffe3547e79bd80c2b20e557176 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2023-12-26 01:42:33 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-01-02 01:12:45 +0000 mps: Handle errors from copyout() in ioctl handlers In preparation for adding a __result_use_check annotation to copyin() and related functions, start checking for errors from copyout() in the mps(4) user command handler. This should make it easier to catch bugs. Reviewed by: imp, asomers MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D43176 (cherry picked from commit bcf4a7c7ace21a01d10003de9c7692f0887526c1) --- sys/dev/mps/mps_user.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c index 49dc0f05619c..48c2809eadff 100644 --- a/sys/dev/mps/mps_user.c +++ b/sys/dev/mps/mps_user.c @@ -727,9 +727,9 @@ mps_user_command(struct mps_softc *sc, struct mps_usr_command *cmd) } mps_unlock(sc); - copyout(rpl, cmd->rpl, sz); - if (buf != NULL) - copyout(buf, cmd->buf, cmd->len); + err = copyout(rpl, cmd->rpl, sz); + if (buf != NULL && err == 0) + err = copyout(buf, cmd->buf, cmd->len); mps_dprint(sc, MPS_USER, "%s: reply size %d\n", __func__, sz); RetFreeUnlocked: @@ -859,7 +859,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) /* * Copy the reply data and sense data to user space. */ - if ((cm != NULL) && (cm->cm_reply != NULL)) { + if (err == 0 && cm != NULL && cm->cm_reply != NULL) { rpl = (MPI2_DEFAULT_REPLY *)cm->cm_reply; sz = rpl->MsgLength * 4; 
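Review bot: In mps_user_command, a failure from either copyout() is stored in err but never logged, and the MPS_USER "reply size" message still prints as though the reply had been delivered. The mps_user_pass_thru paths changed in this same commit report the failure at MPS_FAULT, so this path is the odd one out. Adding `if (err != 0) mps_dprint(sc, MPS_FAULT, "%s: copyout failed: %d\n", __func__, err);` ahead of the reply-size message would make a faulting user buffer visible during triage. The function continues past RetFreeUnlocked outside the hunk, so whether err reaches the ioctl caller cannot be confirmed from here.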
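Review bot: The new `err == 0 &&` guard on the reply-copy block in mps_user_pass_thru has no comment, and the commit message only mentions checking copyout(), so nothing tells a reader that the reply frame is now deliberately withheld after an earlier failure. Presumably the guard keeps the later `err = copyout(...)` from overwriting an earlier error with 0. A comment such as `/* Skip the copy after an earlier failure so copyout() cannot overwrite err. */` above the `if` would record that intent. The same guard is added without explanation at the second reply-copy block (the @@ -1013 hunk), and this block's body continues in the next hunk.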
@@ -869,8 +869,11 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) __func__, data->ReplySize, sz); } mps_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), + err = copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)); + if (err != 0) + mps_dprint(sc, MPS_FAULT, + "%s: copyout failed\n", __func__); mps_lock(sc); } mpssas_free_tm(sc, cm); @@ -1013,7 +1016,7 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) /* * Copy the reply data and sense data to user space. */ - if (cm->cm_reply != NULL) { + if (err == 0 && cm->cm_reply != NULL) { rpl = (MPI2_DEFAULT_REPLY *)cm->cm_reply; sz = rpl->MsgLength * 4; @@ -1023,12 +1026,16 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) data->ReplySize, sz); } mps_unlock(sc); - copyout(cm->cm_reply, PTRIN(data->PtrReply), + err = copyout(cm->cm_reply, PTRIN(data->PtrReply), MIN(sz, data->ReplySize)); mps_lock(sc); + if (err != 0) + mps_dprint(sc, MPS_FAULT, "%s: failed to copy " + "IOCTL data to user space\n", __func__); - if ((function == MPI2_FUNCTION_SCSI_IO_REQUEST) || - (function == MPI2_FUNCTION_RAID_SCSI_IO_PASSTHROUGH)) { + if (err == 0 && + (function == MPI2_FUNCTION_SCSI_IO_REQUEST || + function == MPI2_FUNCTION_RAID_SCSI_IO_PASSTHROUGH)) { if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState & MPI2_SCSI_STATE_AUTOSENSE_VALID) { sense_len = @@ -1036,9 +1043,13 @@ mps_user_pass_thru(struct mps_softc *sc, mps_pass_thru_t *data) SenseCount)), sizeof(struct scsi_sense_data)); mps_unlock(sc); - copyout(cm->cm_sense, (PTRIN(data->PtrReply + + err = copyout(cm->cm_sense, (PTRIN(data->PtrReply + sizeof(MPI2_SCSI_IO_REPLY))), sense_len); mps_lock(sc); + if (err != 0) + mps_dprint(sc, MPS_FAULT, + "%s: failed to copy IOCTL data to " + "user space\n", __func__); } } }
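Review bot: The length passed to copyout() here is `MIN(sz, data->ReplySize)`, and the visible lines check neither value against the size of the buffer behind cm->cm_reply. sz is `rpl->MsgLength * 4`, read from the reply frame, and ReplySize is supplied by the caller. If no bound exists outside the hunk, a reply carrying an oversized MsgLength would make this copy read past the reply frame and return adjacent kernel memory to user space. Clamping sz to the driver's reply frame size before the copy would close that, and the same applies to the reply copy in the @@ -1023 hunk. The enclosing block starts in the previous hunk.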
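Review bot: The copyout failure messages added in mps_user_pass_thru are inconsistent and omit the error value. The @@ -869 hunk prints "copyout failed" before re-taking the lock, while this hunk and the sense-data hunk print "failed to copy IOCTL data to user space" after mps_lock(). A single form that includes the errno and names what was being copied would make these paths distinguishable in logs, for example `mps_dprint(sc, MPS_FAULT, "%s: reply copyout failed: %d\n", __func__, err);`. Placing the message on the same side of mps_lock() in all three places would also make the locking expectations easier to read.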
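Review bot: The sense-data copyout writes sense_len bytes to `data->PtrReply + sizeof(MPI2_SCSI_IO_REPLY)`, but the visible part of the sense_len expression bounds it only by `sizeof(struct scsi_sense_data)`, not by the caller's ReplySize. The start of that expression lies outside the hunk, so this is inferred. If ReplySize is not considered there, a caller that passes a reply buffer just large enough for the reply frame gets sense bytes written past the end of the buffer it declared. Consider skipping the copy when ReplySize is smaller than `sizeof(MPI2_SCSI_IO_REPLY)` and otherwise clamping with `sense_len = MIN(sense_len, data->ReplySize - sizeof(MPI2_SCSI_IO_REPLY));`.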