1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/*
3	* History:
4	* Started: Aug 9 by Lawrence Foard (entropy@world.std.com),
5	* to allow user process control of SCSI devices.
6	* Development Sponsored by Killy Corp. NY NY
7	*
8	* Original driver (sg.c):
9	* Copyright (C) 1992 Lawrence Foard
10	* Version 2 and 3 extensions to driver:
11	* Copyright (C) 1998 - 2014 Douglas Gilbert
12	*/
13
14	static int sg_version_num = 30536; /* 2 digits for each component */
15	#define SG_VERSION_STR "3.5.36"
16
17	/*
18	* D. P. Gilbert (dgilbert@interlog.com), notes:
19	* - scsi logging is available via SCSI_LOG_TIMEOUT macros. First
20	* the kernel/module needs to be built with CONFIG_SCSI_LOGGING
21	* (otherwise the macros compile to empty statements).
22	*
23	*/
24	#include <linux/module.h>
25
26	#include <linux/fs.h>
27	#include <linux/kernel.h>
28	#include <linux/sched.h>
29	#include <linux/string.h>
30	#include <linux/mm.h>
31	#include <linux/errno.h>
32	#include <linux/mtio.h>
33	#include <linux/ioctl.h>
34	#include <linux/major.h>
35	#include <linux/slab.h>
36	#include <linux/fcntl.h>
37	#include <linux/init.h>
38	#include <linux/poll.h>
39	#include <linux/moduleparam.h>
40	#include <linux/cdev.h>
41	#include <linux/idr.h>
42	#include <linux/seq_file.h>
43	#include <linux/blkdev.h>
44	#include <linux/delay.h>
45	#include <linux/blktrace_api.h>
46	#include <linux/mutex.h>
47	#include <linux/atomic.h>
48	#include <linux/ratelimit.h>
49	#include <linux/uio.h>
50	#include <linux/cred.h> /* for sg_check_file_access() */
51
52	#include <scsi/scsi.h>
53	#include <scsi/scsi_cmnd.h>
54	#include <scsi/scsi_dbg.h>
55	#include <scsi/scsi_device.h>
56	#include <scsi/scsi_driver.h>
57	#include <scsi/scsi_eh.h>
58	#include <scsi/scsi_host.h>
59	#include <scsi/scsi_ioctl.h>
60	#include <scsi/scsi_tcq.h>
61	#include <scsi/sg.h>
62
63	#include "scsi_logging.h"
64
65	#ifdef CONFIG_SCSI_PROC_FS
66	#include <linux/proc_fs.h>
67	static char *sg_version_date = "20140603";
68
69	static int sg_proc_init(void);
70	#endif
71
72	#define SG_ALLOW_DIO_DEF 0
73
74	#define SG_MAX_DEVS (1 << MINORBITS)
75
76	/* SG_MAX_CDB_SIZE should be 260 (spc4r37 section 3.1.30) however the type
77	* of sg_io_hdr::cmd_len can only represent 255. All SCSI commands greater
78	* than 16 bytes are "variable length" whose length is a multiple of 4
79	*/
80	#define SG_MAX_CDB_SIZE 252
81
82	#define SG_DEFAULT_TIMEOUT mult_frac(SG_DEFAULT_TIMEOUT_USER, HZ, USER_HZ)
83
84	static int sg_big_buff = SG_DEF_RESERVED_SIZE;
85	/* N.B. This variable is readable and writeable via
86	/proc/scsi/sg/def_reserved_size . Each time sg_open() is called a buffer
87	of this size (or less if there is not enough memory) will be reserved
88	for use by this file descriptor. [Deprecated usage: this variable is also
89	readable via /proc/sys/kernel/sg-big-buff if the sg driver is built into
90	the kernel (i.e. it is not a module).] */
91	static int def_reserved_size = -1; /* picks up init parameter */
92	static int sg_allow_dio = SG_ALLOW_DIO_DEF;
93
94	static int scatter_elem_sz = SG_SCATTER_SZ;
95	static int scatter_elem_sz_prev = SG_SCATTER_SZ;
96
97	#define SG_SECTOR_SZ 512
98
99	static int sg_add_device(struct device *);
100	static void sg_remove_device(struct device *);
101
102	static DEFINE_IDR(sg_index_idr);
103	static DEFINE_RWLOCK(sg_index_lock); /* Also used to lock
104	file descriptor list for device */
105
106	static struct class_interface sg_interface = {
107	.add_dev = sg_add_device,
108	.remove_dev = sg_remove_device,
109	};
110
111	typedef struct sg_scatter_hold { /* holding area for scsi scatter gather info */
112	unsigned short k_use_sg; /* Count of kernel scatter-gather pieces */
113	unsigned sglist_len; /* size of malloc'd scatter-gather list ++ */
114	unsigned bufflen; /* Size of (aggregate) data buffer */
115	struct page **pages;
116	int page_order;
117	char dio_in_use; /* 0->indirect IO (or mmap), 1->dio */
118	unsigned char cmd_opcode; /* first byte of command */
119	} Sg_scatter_hold;
120
121	struct sg_device; /* forward declarations */
122	struct sg_fd;
123
124	typedef struct sg_request { /* SG_MAX_QUEUE requests outstanding per file */
125	struct list_head entry; /* list entry */
126	struct sg_fd *parentfp; /* NULL -> not in use */
127	Sg_scatter_hold data; /* hold buffer, perhaps scatter list */
128	sg_io_hdr_t header; /* scsi command+info, see <scsi/sg.h> */
129	unsigned char sense_b[SCSI_SENSE_BUFFERSIZE];
130	char res_used; /* 1 -> using reserve buffer, 0 -> not ... */
131	char orphan; /* 1 -> drop on sight, 0 -> normal */
132	char sg_io_owned; /* 1 -> packet belongs to SG_IO */
133	/* done protected by rq_list_lock */
134	char done; /* 0->before bh, 1->before read, 2->read */
135	struct request *rq;
136	struct bio *bio;
137	struct execute_work ew;
138	} Sg_request;
139
140	typedef struct sg_fd { /* holds the state of a file descriptor */
141	struct list_head sfd_siblings; /* protected by device's sfd_lock */
142	struct sg_device *parentdp; /* owning device */
143	wait_queue_head_t read_wait; /* queue read until command done */
144	rwlock_t rq_list_lock; /* protect access to list in req_arr */
145	struct mutex f_mutex; /* protect against changes in this fd */
146	int timeout; /* defaults to SG_DEFAULT_TIMEOUT */
147	int timeout_user; /* defaults to SG_DEFAULT_TIMEOUT_USER */
148	Sg_scatter_hold reserve; /* buffer held for this file descriptor */
149	struct list_head rq_list; /* head of request list */
150	struct fasync_struct *async_qp; /* used by asynchronous notification */
151	Sg_request req_arr[SG_MAX_QUEUE]; /* used as singly-linked list */
152	char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */
153	char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
154	unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
155	char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
156	char mmap_called; /* 0 -> mmap() never called on this fd */
157	char res_in_use; /* 1 -> 'reserve' array in use */
158	struct kref f_ref;
159	struct execute_work ew;
160	} Sg_fd;
161
162	typedef struct sg_device { /* holds the state of each scsi generic device */
163	struct scsi_device *device;
164	wait_queue_head_t open_wait; /* queue open() when O_EXCL present */
165	struct mutex open_rel_lock; /* held when in open() or release() */
166	int sg_tablesize; /* adapter's max scatter-gather table size */
167	u32 index; /* device index number */
168	struct list_head sfds;
169	rwlock_t sfd_lock; /* protect access to sfd list */
170	atomic_t detaching; /* 0->device usable, 1->device detaching */
171	bool exclude; /* 1->open(O_EXCL) succeeded and is active */
172	int open_cnt; /* count of opens (perhaps < num(sfds) ) */
173	char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */
174	char name[DISK_NAME_LEN];
175	struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */
176	struct kref d_ref;
177	} Sg_device;
178
179	/* tasklet or soft irq callback */
180	static enum rq_end_io_ret sg_rq_end_io(struct request *rq, blk_status_t status);
181	static int sg_start_req(Sg_request *srp, unsigned char *cmd);
182	static int sg_finish_rem_req(Sg_request * srp);
183	static int sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size);
184	static ssize_t sg_new_read(Sg_fd * sfp, char __user *buf, size_t count,
185	Sg_request * srp);
186	static ssize_t sg_new_write(Sg_fd *sfp, struct file *file,
187	const char __user *buf, size_t count, int blocking,
188	int read_only, int sg_io_owned, Sg_request **o_srp);
189	static int sg_common_write(Sg_fd * sfp, Sg_request * srp,
190	unsigned char *cmnd, int timeout, int blocking);
191	static int sg_read_oxfer(Sg_request * srp, char __user *outp, int num_read_xfer);
192	static void sg_remove_scat(Sg_fd * sfp, Sg_scatter_hold * schp);
193	static void sg_build_reserve(Sg_fd * sfp, int req_size);
194	static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size);
195	static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
196	static Sg_fd *sg_add_sfp(Sg_device * sdp);
197	static void sg_remove_sfp(struct kref *);
198	static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy);
199	static Sg_request *sg_add_request(Sg_fd * sfp);
200	static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
201	static Sg_device *sg_get_dev(int dev);
202	static void sg_device_destroy(struct kref *kref);
203
204	#define SZ_SG_HEADER sizeof(struct sg_header)
205	#define SZ_SG_IO_HDR sizeof(sg_io_hdr_t)
206	#define SZ_SG_IOVEC sizeof(sg_iovec_t)
207	#define SZ_SG_REQ_INFO sizeof(sg_req_info_t)
208
209	#define sg_printk(prefix, sdp, fmt, a...) \
210	sdev_prefix_printk(prefix, (sdp)->device, (sdp)->name, fmt, ##a)
211
212	/*
213	* The SCSI interfaces that use read() and write() as an asynchronous variant of
214	* ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
215	* to trigger read() and write() calls from various contexts with elevated
216	* privileges. This can lead to kernel memory corruption (e.g. if these
217	* interfaces are called through splice()) and privilege escalation inside
218	* userspace (e.g. if a process with access to such a device passes a file
219	* descriptor to a SUID binary as stdin/stdout/stderr).
220	*
221	* This function provides protection for the legacy API by restricting the
222	* calling context.
223	*/
224	static int sg_check_file_access(struct file *filp, const char *caller)
225	{
226	if (filp->f_cred != current_real_cred()) {
227	pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
228	caller, task_tgid_vnr(current), current->comm);
229	return -EPERM;
230	}
231	return 0;
232	}
233
234	static int sg_allow_access(struct file *filp, unsigned char *cmd)
235	{
236	struct sg_fd *sfp = filp->private_data;
237
238	if (sfp->parentdp->device->type == TYPE_SCANNER)
239	return 0;
240	if (!scsi_cmd_allowed(cmd, open_for_write: filp->f_mode & FMODE_WRITE))
241	return -EPERM;
242	return 0;
243	}
244
245	static int
246	open_wait(Sg_device *sdp, int flags)
247	{
248	int retval = 0;
249
250	if (flags & O_EXCL) {
251	while (sdp->open_cnt > 0) {
252	mutex_unlock(lock: &sdp->open_rel_lock);
253	retval = wait_event_interruptible(sdp->open_wait,
254	(atomic_read(&sdp->detaching) ||
255	!sdp->open_cnt));
256	mutex_lock(&sdp->open_rel_lock);
257
258	if (retval) /* -ERESTARTSYS */
259	return retval;
260	if (atomic_read(v: &sdp->detaching))
261	return -ENODEV;
262	}
263	} else {
264	while (sdp->exclude) {
265	mutex_unlock(lock: &sdp->open_rel_lock);
266	retval = wait_event_interruptible(sdp->open_wait,
267	(atomic_read(&sdp->detaching) ||
268	!sdp->exclude));
269	mutex_lock(&sdp->open_rel_lock);
270
271	if (retval) /* -ERESTARTSYS */
272	return retval;
273	if (atomic_read(v: &sdp->detaching))
274	return -ENODEV;
275	}
276	}
277
278	return retval;
279	}
280
281	/* Returns 0 on success, else a negated errno value */
282	static int
283	sg_open(struct inode *inode, struct file *filp)
284	{
285	int dev = iminor(inode);
286	int flags = filp->f_flags;
287	struct request_queue *q;
288	Sg_device *sdp;
289	Sg_fd *sfp;
290	int retval;
291
292	nonseekable_open(inode, filp);
293	if ((flags & O_EXCL) && (O_RDONLY == (flags & O_ACCMODE)))
294	return -EPERM; /* Can't lock it with read only access */
295	sdp = sg_get_dev(dev);
296	if (IS_ERR(ptr: sdp))
297	return PTR_ERR(ptr: sdp);
298
299	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
300	"sg_open: flags=0x%x\n", flags));
301
302	/* This driver's module count bumped by fops_get in <linux/fs.h> */
303	/* Prevent the device driver from vanishing while we sleep */
304	retval = scsi_device_get(sdp->device);
305	if (retval)
306	goto sg_put;
307
308	retval = scsi_autopm_get_device(sdp->device);
309	if (retval)
310	goto sdp_put;
311
312	/* scsi_block_when_processing_errors() may block so bypass
313	* check if O_NONBLOCK. Permits SCSI commands to be issued
314	* during error recovery. Tread carefully. */
315	if (!((flags & O_NONBLOCK) ||
316	scsi_block_when_processing_errors(sdp->device))) {
317	retval = -ENXIO;
318	/* we are in error recovery for this device */
319	goto error_out;
320	}
321
322	mutex_lock(&sdp->open_rel_lock);
323	if (flags & O_NONBLOCK) {
324	if (flags & O_EXCL) {
325	if (sdp->open_cnt > 0) {
326	retval = -EBUSY;
327	goto error_mutex_locked;
328	}
329	} else {
330	if (sdp->exclude) {
331	retval = -EBUSY;
332	goto error_mutex_locked;
333	}
334	}
335	} else {
336	retval = open_wait(sdp, flags);
337	if (retval) /* -ERESTARTSYS or -ENODEV */
338	goto error_mutex_locked;
339	}
340
341	/* N.B. at this point we are holding the open_rel_lock */
342	if (flags & O_EXCL)
343	sdp->exclude = true;
344
345	if (sdp->open_cnt < 1) { /* no existing opens */
346	sdp->sgdebug = 0;
347	q = sdp->device->request_queue;
348	sdp->sg_tablesize = queue_max_segments(q);
349	}
350	sfp = sg_add_sfp(sdp);
351	if (IS_ERR(ptr: sfp)) {
352	retval = PTR_ERR(ptr: sfp);
353	goto out_undo;
354	}
355
356	filp->private_data = sfp;
357	sdp->open_cnt++;
358	mutex_unlock(lock: &sdp->open_rel_lock);
359
360	retval = 0;
361	sg_put:
362	kref_put(kref: &sdp->d_ref, release: sg_device_destroy);
363	return retval;
364
365	out_undo:
366	if (flags & O_EXCL) {
367	sdp->exclude = false; /* undo if error */
368	wake_up_interruptible(&sdp->open_wait);
369	}
370	error_mutex_locked:
371	mutex_unlock(lock: &sdp->open_rel_lock);
372	error_out:
373	scsi_autopm_put_device(sdp->device);
374	sdp_put:
375	scsi_device_put(sdp->device);
376	goto sg_put;
377	}
378
379	/* Release resources associated with a successful sg_open()
380	* Returns 0 on success, else a negated errno value */
381	static int
382	sg_release(struct inode *inode, struct file *filp)
383	{
384	Sg_device *sdp;
385	Sg_fd *sfp;
386
387	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
388	return -ENXIO;
389	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, "sg_release\n"));
390
391	mutex_lock(&sdp->open_rel_lock);
392	scsi_autopm_put_device(sdp->device);
393	kref_put(kref: &sfp->f_ref, release: sg_remove_sfp);
394	sdp->open_cnt--;
395
396	/* possibly many open()s waiting on exlude clearing, start many;
397	* only open(O_EXCL)s wait on 0==open_cnt so only start one */
398	if (sdp->exclude) {
399	sdp->exclude = false;
400	wake_up_interruptible_all(&sdp->open_wait);
401	} else if (0 == sdp->open_cnt) {
402	wake_up_interruptible(&sdp->open_wait);
403	}
404	mutex_unlock(lock: &sdp->open_rel_lock);
405	return 0;
406	}
407
408	static int get_sg_io_pack_id(int *pack_id, void __user *buf, size_t count)
409	{
410	struct sg_header __user *old_hdr = buf;
411	int reply_len;
412
413	if (count >= SZ_SG_HEADER) {
414	/* negative reply_len means v3 format, otherwise v1/v2 */
415	if (get_user(reply_len, &old_hdr->reply_len))
416	return -EFAULT;
417
418	if (reply_len >= 0)
419	return get_user(*pack_id, &old_hdr->pack_id);
420
421	if (in_compat_syscall() &&
422	count >= sizeof(struct compat_sg_io_hdr)) {
423	struct compat_sg_io_hdr __user *hp = buf;
424
425	return get_user(*pack_id, &hp->pack_id);
426	}
427
428	if (count >= sizeof(struct sg_io_hdr)) {
429	struct sg_io_hdr __user *hp = buf;
430
431	return get_user(*pack_id, &hp->pack_id);
432	}
433	}
434
435	/* no valid header was passed, so ignore the pack_id */
436	*pack_id = -1;
437	return 0;
438	}
439
440	static ssize_t
441	sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
442	{
443	Sg_device *sdp;
444	Sg_fd *sfp;
445	Sg_request *srp;
446	int req_pack_id = -1;
447	bool busy;
448	sg_io_hdr_t *hp;
449	struct sg_header *old_hdr;
450	int retval;
451
452	/*
453	* This could cause a response to be stranded. Close the associated
454	* file descriptor to free up any resources being held.
455	*/
456	retval = sg_check_file_access(filp, caller: __func__);
457	if (retval)
458	return retval;
459
460	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
461	return -ENXIO;
462	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
463	"sg_read: count=%d\n", (int) count));
464
465	if (sfp->force_packid)
466	retval = get_sg_io_pack_id(pack_id: &req_pack_id, buf, count);
467	if (retval)
468	return retval;
469
470	srp = sg_get_rq_mark(sfp, pack_id: req_pack_id, busy: &busy);
471	if (!srp) { /* now wait on packet to arrive */
472	if (filp->f_flags & O_NONBLOCK)
473	return -EAGAIN;
474	retval = wait_event_interruptible(sfp->read_wait,
475	((srp = sg_get_rq_mark(sfp, req_pack_id, &busy)) ||
476	(!busy && atomic_read(&sdp->detaching))));
477	if (!srp)
478	/* signal or detaching */
479	return retval ? retval : -ENODEV;
480	}
481	if (srp->header.interface_id != '\0')
482	return sg_new_read(sfp, buf, count, srp);
483
484	hp = &srp->header;
485	old_hdr = kzalloc(SZ_SG_HEADER, GFP_KERNEL);
486	if (!old_hdr)
487	return -ENOMEM;
488
489	old_hdr->reply_len = (int) hp->timeout;
490	old_hdr->pack_len = old_hdr->reply_len; /* old, strange behaviour */
491	old_hdr->pack_id = hp->pack_id;
492	old_hdr->twelve_byte =
493	((srp->data.cmd_opcode >= 0xc0) && (12 == hp->cmd_len)) ? 1 : 0;
494	old_hdr->target_status = hp->masked_status;
495	old_hdr->host_status = hp->host_status;
496	old_hdr->driver_status = hp->driver_status;
497	if ((CHECK_CONDITION & hp->masked_status) ||
498	(srp->sense_b[0] & 0x70) == 0x70) {
499	old_hdr->driver_status = DRIVER_SENSE;
500	memcpy(old_hdr->sense_buffer, srp->sense_b,
501	sizeof (old_hdr->sense_buffer));
502	}
503	switch (hp->host_status) {
504	/* This setup of 'result' is for backward compatibility and is best
505	ignored by the user who should use target, host + driver status */
506	case DID_OK:
507	case DID_PASSTHROUGH:
508	case DID_SOFT_ERROR:
509	old_hdr->result = 0;
510	break;
511	case DID_NO_CONNECT:
512	case DID_BUS_BUSY:
513	case DID_TIME_OUT:
514	old_hdr->result = EBUSY;
515	break;
516	case DID_BAD_TARGET:
517	case DID_ABORT:
518	case DID_PARITY:
519	case DID_RESET:
520	case DID_BAD_INTR:
521	old_hdr->result = EIO;
522	break;
523	case DID_ERROR:
524	old_hdr->result = (srp->sense_b[0] == 0 &&
525	hp->masked_status == GOOD) ? 0 : EIO;
526	break;
527	default:
528	old_hdr->result = EIO;
529	break;
530	}
531
532	/* Now copy the result back to the user buffer. */
533	if (count >= SZ_SG_HEADER) {
534	if (copy_to_user(to: buf, from: old_hdr, SZ_SG_HEADER)) {
535	retval = -EFAULT;
536	goto free_old_hdr;
537	}
538	buf += SZ_SG_HEADER;
539	if (count > old_hdr->reply_len)
540	count = old_hdr->reply_len;
541	if (count > SZ_SG_HEADER) {
542	if (sg_read_oxfer(srp, outp: buf, num_read_xfer: count - SZ_SG_HEADER)) {
543	retval = -EFAULT;
544	goto free_old_hdr;
545	}
546	}
547	} else
548	count = (old_hdr->result == 0) ? 0 : -EIO;
549	sg_finish_rem_req(srp);
550	sg_remove_request(sfp, srp);
551	retval = count;
552	free_old_hdr:
553	kfree(objp: old_hdr);
554	return retval;
555	}
556
557	static ssize_t
558	sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
559	{
560	sg_io_hdr_t *hp = &srp->header;
561	int err = 0, err2;
562	int len;
563
564	if (in_compat_syscall()) {
565	if (count < sizeof(struct compat_sg_io_hdr)) {
566	err = -EINVAL;
567	goto err_out;
568	}
569	} else if (count < SZ_SG_IO_HDR) {
570	err = -EINVAL;
571	goto err_out;
572	}
573	hp->sb_len_wr = 0;
574	if ((hp->mx_sb_len > 0) && hp->sbp) {
575	if ((CHECK_CONDITION & hp->masked_status) ||
576	(srp->sense_b[0] & 0x70) == 0x70) {
577	int sb_len = SCSI_SENSE_BUFFERSIZE;
578	sb_len = (hp->mx_sb_len > sb_len) ? sb_len : hp->mx_sb_len;
579	len = 8 + (int) srp->sense_b[7]; /* Additional sense length field */
580	len = (len > sb_len) ? sb_len : len;
581	if (copy_to_user(to: hp->sbp, from: srp->sense_b, n: len)) {
582	err = -EFAULT;
583	goto err_out;
584	}
585	hp->driver_status = DRIVER_SENSE;
586	hp->sb_len_wr = len;
587	}
588	}
589	if (hp->masked_status || hp->host_status || hp->driver_status)
590	hp->info |= SG_INFO_CHECK;
591	err = put_sg_io_hdr(hdr: hp, argp: buf);
592	err_out:
593	err2 = sg_finish_rem_req(srp);
594	sg_remove_request(sfp, srp);
595	return err ? : err2 ? : count;
596	}
597
598	static ssize_t
599	sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
600	{
601	int mxsize, cmd_size, k;
602	int input_size, blocking;
603	unsigned char opcode;
604	Sg_device *sdp;
605	Sg_fd *sfp;
606	Sg_request *srp;
607	struct sg_header old_hdr;
608	sg_io_hdr_t *hp;
609	unsigned char cmnd[SG_MAX_CDB_SIZE];
610	int retval;
611
612	retval = sg_check_file_access(filp, caller: __func__);
613	if (retval)
614	return retval;
615
616	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
617	return -ENXIO;
618	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
619	"sg_write: count=%d\n", (int) count));
620	if (atomic_read(v: &sdp->detaching))
621	return -ENODEV;
622	if (!((filp->f_flags & O_NONBLOCK) ||
623	scsi_block_when_processing_errors(sdp->device)))
624	return -ENXIO;
625
626	if (count < SZ_SG_HEADER)
627	return -EIO;
628	if (copy_from_user(to: &old_hdr, from: buf, SZ_SG_HEADER))
629	return -EFAULT;
630	blocking = !(filp->f_flags & O_NONBLOCK);
631	if (old_hdr.reply_len < 0)
632	return sg_new_write(sfp, file: filp, buf, count,
633	blocking, read_only: 0, sg_io_owned: 0, NULL);
634	if (count < (SZ_SG_HEADER + 6))
635	return -EIO; /* The minimum scsi command length is 6 bytes. */
636
637	buf += SZ_SG_HEADER;
638	if (get_user(opcode, buf))
639	return -EFAULT;
640
641	if (!(srp = sg_add_request(sfp))) {
642	SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sdp,
643	"sg_write: queue full\n"));
644	return -EDOM;
645	}
646	mutex_lock(&sfp->f_mutex);
647	if (sfp->next_cmd_len > 0) {
648	cmd_size = sfp->next_cmd_len;
649	sfp->next_cmd_len = 0; /* reset so only this write() effected */
650	} else {
651	cmd_size = COMMAND_SIZE(opcode); /* based on SCSI command group */
652	if ((opcode >= 0xc0) && old_hdr.twelve_byte)
653	cmd_size = 12;
654	}
655	mutex_unlock(lock: &sfp->f_mutex);
656	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sdp,
657	"sg_write: scsi opcode=0x%02x, cmd_size=%d\n", (int) opcode, cmd_size));
658	/* Determine buffer size. */
659	input_size = count - cmd_size;
660	mxsize = (input_size > old_hdr.reply_len) ? input_size : old_hdr.reply_len;
661	mxsize -= SZ_SG_HEADER;
662	input_size -= SZ_SG_HEADER;
663	if (input_size < 0) {
664	sg_remove_request(sfp, srp);
665	return -EIO; /* User did not pass enough bytes for this command. */
666	}
667	hp = &srp->header;
668	hp->interface_id = '\0'; /* indicator of old interface tunnelled */
669	hp->cmd_len = (unsigned char) cmd_size;
670	hp->iovec_count = 0;
671	hp->mx_sb_len = 0;
672	if (input_size > 0)
673	hp->dxfer_direction = (old_hdr.reply_len > SZ_SG_HEADER) ?
674	SG_DXFER_TO_FROM_DEV : SG_DXFER_TO_DEV;
675	else
676	hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
677	hp->dxfer_len = mxsize;
678	if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
679	(hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
680	hp->dxferp = (char __user *)buf + cmd_size;
681	else
682	hp->dxferp = NULL;
683	hp->sbp = NULL;
684	hp->timeout = old_hdr.reply_len; /* structure abuse ... */
685	hp->flags = input_size; /* structure abuse ... */
686	hp->pack_id = old_hdr.pack_id;
687	hp->usr_ptr = NULL;
688	if (copy_from_user(to: cmnd, from: buf, n: cmd_size)) {
689	sg_remove_request(sfp, srp);
690	return -EFAULT;
691	}
692	/*
693	* SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
694	* but is is possible that the app intended SG_DXFER_TO_DEV, because there
695	* is a non-zero input_size, so emit a warning.
696	*/
697	if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
698	printk_ratelimited(KERN_WARNING
699	"sg_write: data in/out %d/%d bytes "
700	"for SCSI command 0x%x-- guessing "
701	"data in;\n program %s not setting "
702	"count and/or reply_len properly\n",
703	old_hdr.reply_len - (int)SZ_SG_HEADER,
704	input_size, (unsigned int) cmnd[0],
705	current->comm);
706	}
707	k = sg_common_write(sfp, srp, cmnd, timeout: sfp->timeout, blocking);
708	return (k < 0) ? k : count;
709	}
710
711	static ssize_t
712	sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
713	size_t count, int blocking, int read_only, int sg_io_owned,
714	Sg_request **o_srp)
715	{
716	int k;
717	Sg_request *srp;
718	sg_io_hdr_t *hp;
719	unsigned char cmnd[SG_MAX_CDB_SIZE];
720	int timeout;
721	unsigned long ul_timeout;
722
723	if (count < SZ_SG_IO_HDR)
724	return -EINVAL;
725
726	sfp->cmd_q = 1; /* when sg_io_hdr seen, set command queuing on */
727	if (!(srp = sg_add_request(sfp))) {
728	SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,
729	"sg_new_write: queue full\n"));
730	return -EDOM;
731	}
732	srp->sg_io_owned = sg_io_owned;
733	hp = &srp->header;
734	if (get_sg_io_hdr(hdr: hp, argp: buf)) {
735	sg_remove_request(sfp, srp);
736	return -EFAULT;
737	}
738	if (hp->interface_id != 'S') {
739	sg_remove_request(sfp, srp);
740	return -ENOSYS;
741	}
742	if (hp->flags & SG_FLAG_MMAP_IO) {
743	if (hp->dxfer_len > sfp->reserve.bufflen) {
744	sg_remove_request(sfp, srp);
745	return -ENOMEM; /* MMAP_IO size must fit in reserve buffer */
746	}
747	if (hp->flags & SG_FLAG_DIRECT_IO) {
748	sg_remove_request(sfp, srp);
749	return -EINVAL; /* either MMAP_IO or DIRECT_IO (not both) */
750	}
751	if (sfp->res_in_use) {
752	sg_remove_request(sfp, srp);
753	return -EBUSY; /* reserve buffer already being used */
754	}
755	}
756	ul_timeout = msecs_to_jiffies(m: srp->header.timeout);
757	timeout = (ul_timeout < INT_MAX) ? ul_timeout : INT_MAX;
758	if ((!hp->cmdp) || (hp->cmd_len < 6) || (hp->cmd_len > sizeof (cmnd))) {
759	sg_remove_request(sfp, srp);
760	return -EMSGSIZE;
761	}
762	if (copy_from_user(to: cmnd, from: hp->cmdp, n: hp->cmd_len)) {
763	sg_remove_request(sfp, srp);
764	return -EFAULT;
765	}
766	if (read_only && sg_allow_access(filp: file, cmd: cmnd)) {
767	sg_remove_request(sfp, srp);
768	return -EPERM;
769	}
770	k = sg_common_write(sfp, srp, cmnd, timeout, blocking);
771	if (k < 0)
772	return k;
773	if (o_srp)
774	*o_srp = srp;
775	return count;
776	}
777
778	static int
779	sg_common_write(Sg_fd * sfp, Sg_request * srp,
780	unsigned char *cmnd, int timeout, int blocking)
781	{
782	int k, at_head;
783	Sg_device *sdp = sfp->parentdp;
784	sg_io_hdr_t *hp = &srp->header;
785
786	srp->data.cmd_opcode = cmnd[0]; /* hold opcode of command */
787	hp->status = 0;
788	hp->masked_status = 0;
789	hp->msg_status = 0;
790	hp->info = 0;
791	hp->host_status = 0;
792	hp->driver_status = 0;
793	hp->resid = 0;
794	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
795	"sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
796	(int) cmnd[0], (int) hp->cmd_len));
797
798	if (hp->dxfer_len >= SZ_256M) {
799	sg_remove_request(sfp, srp);
800	return -EINVAL;
801	}
802
803	k = sg_start_req(srp, cmd: cmnd);
804	if (k) {
805	SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,
806	"sg_common_write: start_req err=%d\n", k));
807	sg_finish_rem_req(srp);
808	sg_remove_request(sfp, srp);
809	return k; /* probably out of space --> ENOMEM */
810	}
811	if (atomic_read(v: &sdp->detaching)) {
812	if (srp->bio) {
813	blk_mq_free_request(rq: srp->rq);
814	srp->rq = NULL;
815	}
816
817	sg_finish_rem_req(srp);
818	sg_remove_request(sfp, srp);
819	return -ENODEV;
820	}
821
822	hp->duration = jiffies_to_msecs(j: jiffies);
823	if (hp->interface_id != '\0' && /* v3 (or later) interface */
824	(SG_FLAG_Q_AT_TAIL & hp->flags))
825	at_head = 0;
826	else
827	at_head = 1;
828
829	srp->rq->timeout = timeout;
830	kref_get(kref: &sfp->f_ref); /* sg_rq_end_io() does kref_put(). */
831	srp->rq->end_io = sg_rq_end_io;
832	blk_execute_rq_nowait(rq: srp->rq, at_head);
833	return 0;
834	}
835
836	static int srp_done(Sg_fd *sfp, Sg_request *srp)
837	{
838	unsigned long flags;
839	int ret;
840
841	read_lock_irqsave(&sfp->rq_list_lock, flags);
842	ret = srp->done;
843	read_unlock_irqrestore(&sfp->rq_list_lock, flags);
844	return ret;
845	}
846
847	static int max_sectors_bytes(struct request_queue *q)
848	{
849	unsigned int max_sectors = queue_max_sectors(q);
850
851	max_sectors = min_t(unsigned int, max_sectors, INT_MAX >> 9);
852
853	return max_sectors << 9;
854	}
855
856	static void
857	sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
858	{
859	Sg_request *srp;
860	int val;
861	unsigned int ms;
862
863	val = 0;
864	list_for_each_entry(srp, &sfp->rq_list, entry) {
865	if (val >= SG_MAX_QUEUE)
866	break;
867	rinfo[val].req_state = srp->done + 1;
868	rinfo[val].problem =
869	srp->header.masked_status &
870	srp->header.host_status &
871	srp->header.driver_status;
872	if (srp->done)
873	rinfo[val].duration =
874	srp->header.duration;
875	else {
876	ms = jiffies_to_msecs(j: jiffies);
877	rinfo[val].duration =
878	(ms > srp->header.duration) ?
879	(ms - srp->header.duration) : 0;
880	}
881	rinfo[val].orphan = srp->orphan;
882	rinfo[val].sg_io_owned = srp->sg_io_owned;
883	rinfo[val].pack_id = srp->header.pack_id;
884	rinfo[val].usr_ptr = srp->header.usr_ptr;
885	val++;
886	}
887	}
888
889	#ifdef CONFIG_COMPAT
890	struct compat_sg_req_info { /* used by SG_GET_REQUEST_TABLE ioctl() */
891	char req_state;
892	char orphan;
893	char sg_io_owned;
894	char problem;
895	int pack_id;
896	compat_uptr_t usr_ptr;
897	unsigned int duration;
898	int unused;
899	};
900
901	static int put_compat_request_table(struct compat_sg_req_info __user *o,
902	struct sg_req_info *rinfo)
903	{
904	int i;
905	for (i = 0; i < SG_MAX_QUEUE; i++) {
906	if (copy_to_user(to: o + i, from: rinfo + i, offsetof(sg_req_info_t, usr_ptr)) ||
907	put_user((uintptr_t)rinfo[i].usr_ptr, &o[i].usr_ptr) ||
908	put_user(rinfo[i].duration, &o[i].duration) ||
909	put_user(rinfo[i].unused, &o[i].unused))
910	return -EFAULT;
911	}
912	return 0;
913	}
914	#endif
915
916	static long
917	sg_ioctl_common(struct file *filp, Sg_device *sdp, Sg_fd *sfp,
918	unsigned int cmd_in, void __user *p)
919	{
920	int __user *ip = p;
921	int result, val, read_only;
922	Sg_request *srp;
923	unsigned long iflags;
924
925	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
926	"sg_ioctl: cmd=0x%x\n", (int) cmd_in));
927	read_only = (O_RDWR != (filp->f_flags & O_ACCMODE));
928
929	switch (cmd_in) {
930	case SG_IO:
931	if (atomic_read(v: &sdp->detaching))
932	return -ENODEV;
933	if (!scsi_block_when_processing_errors(sdp->device))
934	return -ENXIO;
935	result = sg_new_write(sfp, file: filp, buf: p, SZ_SG_IO_HDR,
936	blocking: 1, read_only, sg_io_owned: 1, o_srp: &srp);
937	if (result < 0)
938	return result;
939	result = wait_event_interruptible(sfp->read_wait,
940	srp_done(sfp, srp));
941	write_lock_irq(&sfp->rq_list_lock);
942	if (srp->done) {
943	srp->done = 2;
944	write_unlock_irq(&sfp->rq_list_lock);
945	result = sg_new_read(sfp, buf: p, SZ_SG_IO_HDR, srp);
946	return (result < 0) ? result : 0;
947	}
948	srp->orphan = 1;
949	write_unlock_irq(&sfp->rq_list_lock);
950	return result; /* -ERESTARTSYS because signal hit process */
951	case SG_SET_TIMEOUT:
952	result = get_user(val, ip);
953	if (result)
954	return result;
955	if (val < 0)
956	return -EIO;
957	if (val >= mult_frac((s64)INT_MAX, USER_HZ, HZ))
958	val = min_t(s64, mult_frac((s64)INT_MAX, USER_HZ, HZ),
959	INT_MAX);
960	sfp->timeout_user = val;
961	sfp->timeout = mult_frac(val, HZ, USER_HZ);
962
963	return 0;
964	case SG_GET_TIMEOUT: /* N.B. User receives timeout as return value */
965	/* strange ..., for backward compatibility */
966	return sfp->timeout_user;
967	case SG_SET_FORCE_LOW_DMA:
968	/*
969	* N.B. This ioctl never worked properly, but failed to
970	* return an error value. So returning '0' to keep compability
971	* with legacy applications.
972	*/
973	return 0;
974	case SG_GET_LOW_DMA:
975	return put_user(0, ip);
976	case SG_GET_SCSI_ID:
977	{
978	sg_scsi_id_t v;
979
980	if (atomic_read(v: &sdp->detaching))
981	return -ENODEV;
982	memset(&v, 0, sizeof(v));
983	v.host_no = sdp->device->host->host_no;
984	v.channel = sdp->device->channel;
985	v.scsi_id = sdp->device->id;
986	v.lun = sdp->device->lun;
987	v.scsi_type = sdp->device->type;
988	v.h_cmd_per_lun = sdp->device->host->cmd_per_lun;
989	v.d_queue_depth = sdp->device->queue_depth;
990	if (copy_to_user(to: p, from: &v, n: sizeof(sg_scsi_id_t)))
991	return -EFAULT;
992	return 0;
993	}
994	case SG_SET_FORCE_PACK_ID:
995	result = get_user(val, ip);
996	if (result)
997	return result;
998	sfp->force_packid = val ? 1 : 0;
999	return 0;
1000	case SG_GET_PACK_ID:
1001	read_lock_irqsave(&sfp->rq_list_lock, iflags);
1002	list_for_each_entry(srp, &sfp->rq_list, entry) {
1003	if ((1 == srp->done) && (!srp->sg_io_owned)) {
1004	read_unlock_irqrestore(&sfp->rq_list_lock,
1005	iflags);
1006	return put_user(srp->header.pack_id, ip);
1007	}
1008	}
1009	read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1010	return put_user(-1, ip);
1011	case SG_GET_NUM_WAITING:
1012	read_lock_irqsave(&sfp->rq_list_lock, iflags);
1013	val = 0;
1014	list_for_each_entry(srp, &sfp->rq_list, entry) {
1015	if ((1 == srp->done) && (!srp->sg_io_owned))
1016	++val;
1017	}
1018	read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1019	return put_user(val, ip);
1020	case SG_GET_SG_TABLESIZE:
1021	return put_user(sdp->sg_tablesize, ip);
1022	case SG_SET_RESERVED_SIZE:
1023	result = get_user(val, ip);
1024	if (result)
1025	return result;
1026	if (val < 0)
1027	return -EINVAL;
1028	val = min_t(int, val,
1029	max_sectors_bytes(sdp->device->request_queue));
1030	mutex_lock(&sfp->f_mutex);
1031	if (val != sfp->reserve.bufflen) {
1032	if (sfp->mmap_called ||
1033	sfp->res_in_use) {
1034	mutex_unlock(lock: &sfp->f_mutex);
1035	return -EBUSY;
1036	}
1037
1038	sg_remove_scat(sfp, schp: &sfp->reserve);
1039	sg_build_reserve(sfp, req_size: val);
1040	}
1041	mutex_unlock(lock: &sfp->f_mutex);
1042	return 0;
1043	case SG_GET_RESERVED_SIZE:
1044	val = min_t(int, sfp->reserve.bufflen,
1045	max_sectors_bytes(sdp->device->request_queue));
1046	return put_user(val, ip);
1047	case SG_SET_COMMAND_Q:
1048	result = get_user(val, ip);
1049	if (result)
1050	return result;
1051	sfp->cmd_q = val ? 1 : 0;
1052	return 0;
1053	case SG_GET_COMMAND_Q:
1054	return put_user((int) sfp->cmd_q, ip);
1055	case SG_SET_KEEP_ORPHAN:
1056	result = get_user(val, ip);
1057	if (result)
1058	return result;
1059	sfp->keep_orphan = val;
1060	return 0;
1061	case SG_GET_KEEP_ORPHAN:
1062	return put_user((int) sfp->keep_orphan, ip);
1063	case SG_NEXT_CMD_LEN:
1064	result = get_user(val, ip);
1065	if (result)
1066	return result;
1067	if (val > SG_MAX_CDB_SIZE)
1068	return -ENOMEM;
1069	sfp->next_cmd_len = (val > 0) ? val : 0;
1070	return 0;
1071	case SG_GET_VERSION_NUM:
1072	return put_user(sg_version_num, ip);
1073	case SG_GET_ACCESS_COUNT:
1074	/* faked - we don't have a real access count anymore */
1075	val = (sdp->device ? 1 : 0);
1076	return put_user(val, ip);
1077	case SG_GET_REQUEST_TABLE:
1078	{
1079	sg_req_info_t *rinfo;
1080
1081	rinfo = kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO,
1082	GFP_KERNEL);
1083	if (!rinfo)
1084	return -ENOMEM;
1085	read_lock_irqsave(&sfp->rq_list_lock, iflags);
1086	sg_fill_request_table(sfp, rinfo);
1087	read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1088	#ifdef CONFIG_COMPAT
1089	if (in_compat_syscall())
1090	result = put_compat_request_table(o: p, rinfo);
1091	else
1092	#endif
1093	result = copy_to_user(to: p, from: rinfo,
1094	SZ_SG_REQ_INFO * SG_MAX_QUEUE);
1095	result = result ? -EFAULT : 0;
1096	kfree(objp: rinfo);
1097	return result;
1098	}
1099	case SG_EMULATED_HOST:
1100	if (atomic_read(v: &sdp->detaching))
1101	return -ENODEV;
1102	return put_user(sdp->device->host->hostt->emulated, ip);
1103	case SCSI_IOCTL_SEND_COMMAND:
1104	if (atomic_read(v: &sdp->detaching))
1105	return -ENODEV;
1106	return scsi_ioctl(sdev: sdp->device, open_for_write: filp->f_mode & FMODE_WRITE,
1107	cmd: cmd_in, arg: p);
1108	case SG_SET_DEBUG:
1109	result = get_user(val, ip);
1110	if (result)
1111	return result;
1112	sdp->sgdebug = (char) val;
1113	return 0;
1114	case BLKSECTGET:
1115	return put_user(max_sectors_bytes(sdp->device->request_queue),
1116	ip);
1117	case BLKTRACESETUP:
1118	return blk_trace_setup(q: sdp->device->request_queue, name: sdp->name,
1119	MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
1120	NULL, arg: p);
1121	case BLKTRACESTART:
1122	return blk_trace_startstop(q: sdp->device->request_queue, start: 1);
1123	case BLKTRACESTOP:
1124	return blk_trace_startstop(q: sdp->device->request_queue, start: 0);
1125	case BLKTRACETEARDOWN:
1126	return blk_trace_remove(q: sdp->device->request_queue);
1127	case SCSI_IOCTL_GET_IDLUN:
1128	case SCSI_IOCTL_GET_BUS_NUMBER:
1129	case SCSI_IOCTL_PROBE_HOST:
1130	case SG_GET_TRANSFORM:
1131	case SG_SCSI_RESET:
1132	if (atomic_read(v: &sdp->detaching))
1133	return -ENODEV;
1134	break;
1135	default:
1136	if (read_only)
1137	return -EPERM; /* don't know so take safe approach */
1138	break;
1139	}
1140
1141	result = scsi_ioctl_block_when_processing_errors(sdev: sdp->device,
1142	cmd: cmd_in, ndelay: filp->f_flags & O_NDELAY);
1143	if (result)
1144	return result;
1145
1146	return -ENOIOCTLCMD;
1147	}
1148
1149	static long
1150	sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
1151	{
1152	void __user *p = (void __user *)arg;
1153	Sg_device *sdp;
1154	Sg_fd *sfp;
1155	int ret;
1156
1157	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
1158	return -ENXIO;
1159
1160	ret = sg_ioctl_common(filp, sdp, sfp, cmd_in, p);
1161	if (ret != -ENOIOCTLCMD)
1162	return ret;
1163	return scsi_ioctl(sdev: sdp->device, open_for_write: filp->f_mode & FMODE_WRITE, cmd: cmd_in, arg: p);
1164	}
1165
1166	static __poll_t
1167	sg_poll(struct file *filp, poll_table * wait)
1168	{
1169	__poll_t res = 0;
1170	Sg_device *sdp;
1171	Sg_fd *sfp;
1172	Sg_request *srp;
1173	int count = 0;
1174	unsigned long iflags;
1175
1176	sfp = filp->private_data;
1177	if (!sfp)
1178	return EPOLLERR;
1179	sdp = sfp->parentdp;
1180	if (!sdp)
1181	return EPOLLERR;
1182	poll_wait(filp, wait_address: &sfp->read_wait, p: wait);
1183	read_lock_irqsave(&sfp->rq_list_lock, iflags);
1184	list_for_each_entry(srp, &sfp->rq_list, entry) {
1185	/* if any read waiting, flag it */
1186	if ((0 == res) && (1 == srp->done) && (!srp->sg_io_owned))
1187	res = EPOLLIN | EPOLLRDNORM;
1188	++count;
1189	}
1190	read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1191
1192	if (atomic_read(v: &sdp->detaching))
1193	res |= EPOLLHUP;
1194	else if (!sfp->cmd_q) {
1195	if (0 == count)
1196	res |= EPOLLOUT | EPOLLWRNORM;
1197	} else if (count < SG_MAX_QUEUE)
1198	res |= EPOLLOUT | EPOLLWRNORM;
1199	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
1200	"sg_poll: res=0x%x\n", (__force u32) res));
1201	return res;
1202	}
1203
1204	static int
1205	sg_fasync(int fd, struct file *filp, int mode)
1206	{
1207	Sg_device *sdp;
1208	Sg_fd *sfp;
1209
1210	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
1211	return -ENXIO;
1212	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
1213	"sg_fasync: mode=%d\n", mode));
1214
1215	return fasync_helper(fd, filp, mode, &sfp->async_qp);
1216	}
1217
1218	static vm_fault_t
1219	sg_vma_fault(struct vm_fault *vmf)
1220	{
1221	struct vm_area_struct *vma = vmf->vma;
1222	Sg_fd *sfp;
1223	unsigned long offset, len, sa;
1224	Sg_scatter_hold *rsv_schp;
1225	int k, length;
1226
1227	if ((NULL == vma) || (!(sfp = (Sg_fd *) vma->vm_private_data)))
1228	return VM_FAULT_SIGBUS;
1229	rsv_schp = &sfp->reserve;
1230	offset = vmf->pgoff << PAGE_SHIFT;
1231	if (offset >= rsv_schp->bufflen)
1232	return VM_FAULT_SIGBUS;
1233	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sfp->parentdp,
1234	"sg_vma_fault: offset=%lu, scatg=%d\n",
1235	offset, rsv_schp->k_use_sg));
1236	sa = vma->vm_start;
1237	length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
1238	for (k = 0; k < rsv_schp->k_use_sg && sa < vma->vm_end; k++) {
1239	len = vma->vm_end - sa;
1240	len = (len < length) ? len : length;
1241	if (offset < len) {
1242	struct page *page = nth_page(rsv_schp->pages[k],
1243	offset >> PAGE_SHIFT);
1244	get_page(page); /* increment page count */
1245	vmf->page = page;
1246	return 0; /* success */
1247	}
1248	sa += len;
1249	offset -= len;
1250	}
1251
1252	return VM_FAULT_SIGBUS;
1253	}
1254
1255	static const struct vm_operations_struct sg_mmap_vm_ops = {
1256	.fault = sg_vma_fault,
1257	};
1258
1259	static int
1260	sg_mmap(struct file *filp, struct vm_area_struct *vma)
1261	{
1262	Sg_fd *sfp;
1263	unsigned long req_sz, len, sa;
1264	Sg_scatter_hold *rsv_schp;
1265	int k, length;
1266	int ret = 0;
1267
1268	if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
1269	return -ENXIO;
1270	req_sz = vma->vm_end - vma->vm_start;
1271	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sfp->parentdp,
1272	"sg_mmap starting, vm_start=%p, len=%d\n",
1273	(void *) vma->vm_start, (int) req_sz));
1274	if (vma->vm_pgoff)
1275	return -EINVAL; /* want no offset */
1276	rsv_schp = &sfp->reserve;
1277	mutex_lock(&sfp->f_mutex);
1278	if (req_sz > rsv_schp->bufflen) {
1279	ret = -ENOMEM; /* cannot map more than reserved buffer */
1280	goto out;
1281	}
1282
1283	sa = vma->vm_start;
1284	length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
1285	for (k = 0; k < rsv_schp->k_use_sg && sa < vma->vm_end; k++) {
1286	len = vma->vm_end - sa;
1287	len = (len < length) ? len : length;
1288	sa += len;
1289	}
1290
1291	sfp->mmap_called = 1;
1292	vm_flags_set(vma, VM_IO | VM_DONTEXPAND | VM_DONTDUMP);
1293	vma->vm_private_data = sfp;
1294	vma->vm_ops = &sg_mmap_vm_ops;
1295	out:
1296	mutex_unlock(lock: &sfp->f_mutex);
1297	return ret;
1298	}
1299
1300	static void
1301	sg_rq_end_io_usercontext(struct work_struct *work)
1302	{
1303	struct sg_request *srp = container_of(work, struct sg_request, ew.work);
1304	struct sg_fd *sfp = srp->parentfp;
1305
1306	sg_finish_rem_req(srp);
1307	sg_remove_request(sfp, srp);
1308	kref_put(kref: &sfp->f_ref, release: sg_remove_sfp);
1309	}
1310
1311	/*
1312	* This function is a "bottom half" handler that is called by the mid
1313	* level when a command is completed (or has failed).
1314	*/
1315	static enum rq_end_io_ret
1316	sg_rq_end_io(struct request *rq, blk_status_t status)
1317	{
1318	struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq);
1319	struct sg_request *srp = rq->end_io_data;
1320	Sg_device *sdp;
1321	Sg_fd *sfp;
1322	unsigned long iflags;
1323	unsigned int ms;
1324	char *sense;
1325	int result, resid, done = 1;
1326
1327	if (WARN_ON(srp->done != 0))
1328	return RQ_END_IO_NONE;
1329
1330	sfp = srp->parentfp;
1331	if (WARN_ON(sfp == NULL))
1332	return RQ_END_IO_NONE;
1333
1334	sdp = sfp->parentdp;
1335	if (unlikely(atomic_read(&sdp->detaching)))
1336	pr_info("%s: device detaching\n", __func__);
1337
1338	sense = scmd->sense_buffer;
1339	result = scmd->result;
1340	resid = scmd->resid_len;
1341
1342	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sdp,
1343	"sg_cmd_done: pack_id=%d, res=0x%x\n",
1344	srp->header.pack_id, result));
1345	srp->header.resid = resid;
1346	ms = jiffies_to_msecs(j: jiffies);
1347	srp->header.duration = (ms > srp->header.duration) ?
1348	(ms - srp->header.duration) : 0;
1349	if (0 != result) {
1350	struct scsi_sense_hdr sshdr;
1351
1352	srp->header.status = 0xff & result;
1353	srp->header.masked_status = sg_status_byte(result);
1354	srp->header.msg_status = COMMAND_COMPLETE;
1355	srp->header.host_status = host_byte(result);
1356	srp->header.driver_status = driver_byte(result);
1357	if ((sdp->sgdebug > 0) &&
1358	((CHECK_CONDITION == srp->header.masked_status) ||
1359	(COMMAND_TERMINATED == srp->header.masked_status)))
1360	__scsi_print_sense(sdp->device, name: __func__, sense_buffer: sense,
1361	SCSI_SENSE_BUFFERSIZE);
1362
1363	/* Following if statement is a patch supplied by Eric Youngdale */
1364	if (driver_byte(result) != 0
1365	&& scsi_normalize_sense(sense_buffer: sense, SCSI_SENSE_BUFFERSIZE, sshdr: &sshdr)
1366	&& !scsi_sense_is_deferred(sshdr: &sshdr)
1367	&& sshdr.sense_key == UNIT_ATTENTION
1368	&& sdp->device->removable) {
1369	/* Detected possible disc change. Set the bit - this */
1370	/* may be used if there are filesystems using this device */
1371	sdp->device->changed = 1;
1372	}
1373	}
1374
1375	if (scmd->sense_len)
1376	memcpy(srp->sense_b, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
1377
1378	/* Rely on write phase to clean out srp status values, so no "else" */
1379
1380	/*
1381	* Free the request as soon as it is complete so that its resources
1382	* can be reused without waiting for userspace to read() the
1383	* result. But keep the associated bio (if any) around until
1384	* blk_rq_unmap_user() can be called from user context.
1385	*/
1386	srp->rq = NULL;
1387	blk_mq_free_request(rq);
1388
1389	write_lock_irqsave(&sfp->rq_list_lock, iflags);
1390	if (unlikely(srp->orphan)) {
1391	if (sfp->keep_orphan)
1392	srp->sg_io_owned = 0;
1393	else
1394	done = 0;
1395	}
1396	srp->done = done;
1397	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1398
1399	if (likely(done)) {
1400	/* Now wake up any sg_read() that is waiting for this
1401	* packet.
1402	*/
1403	wake_up_interruptible(&sfp->read_wait);
1404	kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
1405	kref_put(kref: &sfp->f_ref, release: sg_remove_sfp);
1406	} else {
1407	INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
1408	schedule_work(work: &srp->ew.work);
1409	}
1410	return RQ_END_IO_NONE;
1411	}
1412
1413	static const struct file_operations sg_fops = {
1414	.owner = THIS_MODULE,
1415	.read = sg_read,
1416	.write = sg_write,
1417	.poll = sg_poll,
1418	.unlocked_ioctl = sg_ioctl,
1419	.compat_ioctl = compat_ptr_ioctl,
1420	.open = sg_open,
1421	.mmap = sg_mmap,
1422	.release = sg_release,
1423	.fasync = sg_fasync,
1424	.llseek = no_llseek,
1425	};
1426
1427	static struct class *sg_sysfs_class;
1428
1429	static int sg_sysfs_valid = 0;
1430
1431	static Sg_device *
1432	sg_alloc(struct scsi_device *scsidp)
1433	{
1434	struct request_queue *q = scsidp->request_queue;
1435	Sg_device *sdp;
1436	unsigned long iflags;
1437	int error;
1438	u32 k;
1439
1440	sdp = kzalloc(size: sizeof(Sg_device), GFP_KERNEL);
1441	if (!sdp) {
1442	sdev_printk(KERN_WARNING, scsidp, "%s: kmalloc Sg_device "
1443	"failure\n", __func__);
1444	return ERR_PTR(error: -ENOMEM);
1445	}
1446
1447	idr_preload(GFP_KERNEL);
1448	write_lock_irqsave(&sg_index_lock, iflags);
1449
1450	error = idr_alloc(&sg_index_idr, ptr: sdp, start: 0, SG_MAX_DEVS, GFP_NOWAIT);
1451	if (error < 0) {
1452	if (error == -ENOSPC) {
1453	sdev_printk(KERN_WARNING, scsidp,
1454	"Unable to attach sg device type=%d, minor number exceeds %d\n",
1455	scsidp->type, SG_MAX_DEVS - 1);
1456	error = -ENODEV;
1457	} else {
1458	sdev_printk(KERN_WARNING, scsidp, "%s: idr "
1459	"allocation Sg_device failure: %d\n",
1460	__func__, error);
1461	}
1462	goto out_unlock;
1463	}
1464	k = error;
1465
1466	SCSI_LOG_TIMEOUT(3, sdev_printk(KERN_INFO, scsidp,
1467	"sg_alloc: dev=%d \n", k));
1468	sprintf(buf: sdp->name, fmt: "sg%d", k);
1469	sdp->device = scsidp;
1470	mutex_init(&sdp->open_rel_lock);
1471	INIT_LIST_HEAD(list: &sdp->sfds);
1472	init_waitqueue_head(&sdp->open_wait);
1473	atomic_set(v: &sdp->detaching, i: 0);
1474	rwlock_init(&sdp->sfd_lock);
1475	sdp->sg_tablesize = queue_max_segments(q);
1476	sdp->index = k;
1477	kref_init(kref: &sdp->d_ref);
1478	error = 0;
1479
1480	out_unlock:
1481	write_unlock_irqrestore(&sg_index_lock, iflags);
1482	idr_preload_end();
1483
1484	if (error) {
1485	kfree(objp: sdp);
1486	return ERR_PTR(error);
1487	}
1488	return sdp;
1489	}
1490
1491	static int
1492	sg_add_device(struct device *cl_dev)
1493	{
1494	struct scsi_device *scsidp = to_scsi_device(cl_dev->parent);
1495	Sg_device *sdp = NULL;
1496	struct cdev * cdev = NULL;
1497	int error;
1498	unsigned long iflags;
1499
1500	if (!blk_get_queue(scsidp->request_queue)) {
1501	pr_warn("%s: get scsi_device queue failed\n", __func__);
1502	return -ENODEV;
1503	}
1504
1505	error = -ENOMEM;
1506	cdev = cdev_alloc();
1507	if (!cdev) {
1508	pr_warn("%s: cdev_alloc failed\n", __func__);
1509	goto out;
1510	}
1511	cdev->owner = THIS_MODULE;
1512	cdev->ops = &sg_fops;
1513
1514	sdp = sg_alloc(scsidp);
1515	if (IS_ERR(ptr: sdp)) {
1516	pr_warn("%s: sg_alloc failed\n", __func__);
1517	error = PTR_ERR(ptr: sdp);
1518	goto out;
1519	}
1520
1521	error = cdev_add(cdev, MKDEV(SCSI_GENERIC_MAJOR, sdp->index), 1);
1522	if (error)
1523	goto cdev_add_err;
1524
1525	sdp->cdev = cdev;
1526	if (sg_sysfs_valid) {
1527	struct device *sg_class_member;
1528
1529	sg_class_member = device_create(cls: sg_sysfs_class, parent: cl_dev->parent,
1530	MKDEV(SCSI_GENERIC_MAJOR,
1531	sdp->index),
1532	drvdata: sdp, fmt: "%s", sdp->name);
1533	if (IS_ERR(ptr: sg_class_member)) {
1534	pr_err("%s: device_create failed\n", __func__);
1535	error = PTR_ERR(ptr: sg_class_member);
1536	goto cdev_add_err;
1537	}
1538	error = sysfs_create_link(kobj: &scsidp->sdev_gendev.kobj,
1539	target: &sg_class_member->kobj, name: "generic");
1540	if (error)
1541	pr_err("%s: unable to make symlink 'generic' back "
1542	"to sg%d\n", __func__, sdp->index);
1543	} else
1544	pr_warn("%s: sg_sys Invalid\n", __func__);
1545
1546	sdev_printk(KERN_NOTICE, scsidp, "Attached scsi generic sg%d "
1547	"type %d\n", sdp->index, scsidp->type);
1548
1549	dev_set_drvdata(dev: cl_dev, data: sdp);
1550
1551	return 0;
1552
1553	cdev_add_err:
1554	write_lock_irqsave(&sg_index_lock, iflags);
1555	idr_remove(&sg_index_idr, id: sdp->index);
1556	write_unlock_irqrestore(&sg_index_lock, iflags);
1557	kfree(objp: sdp);
1558
1559	out:
1560	if (cdev)
1561	cdev_del(cdev);
1562	blk_put_queue(scsidp->request_queue);
1563	return error;
1564	}
1565
1566	static void
1567	sg_device_destroy(struct kref *kref)
1568	{
1569	struct sg_device *sdp = container_of(kref, struct sg_device, d_ref);
1570	struct request_queue *q = sdp->device->request_queue;
1571	unsigned long flags;
1572
1573	/* CAUTION! Note that the device can still be found via idr_find()
1574	* even though the refcount is 0. Therefore, do idr_remove() BEFORE
1575	* any other cleanup.
1576	*/
1577
1578	blk_trace_remove(q);
1579	blk_put_queue(q);
1580
1581	write_lock_irqsave(&sg_index_lock, flags);
1582	idr_remove(&sg_index_idr, id: sdp->index);
1583	write_unlock_irqrestore(&sg_index_lock, flags);
1584
1585	SCSI_LOG_TIMEOUT(3,
1586	sg_printk(KERN_INFO, sdp, "sg_device_destroy\n"));
1587
1588	kfree(objp: sdp);
1589	}
1590
1591	static void
1592	sg_remove_device(struct device *cl_dev)
1593	{
1594	struct scsi_device *scsidp = to_scsi_device(cl_dev->parent);
1595	Sg_device *sdp = dev_get_drvdata(dev: cl_dev);
1596	unsigned long iflags;
1597	Sg_fd *sfp;
1598	int val;
1599
1600	if (!sdp)
1601	return;
1602	/* want sdp->detaching non-zero as soon as possible */
1603	val = atomic_inc_return(v: &sdp->detaching);
1604	if (val > 1)
1605	return; /* only want to do following once per device */
1606
1607	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
1608	"%s\n", __func__));
1609
1610	read_lock_irqsave(&sdp->sfd_lock, iflags);
1611	list_for_each_entry(sfp, &sdp->sfds, sfd_siblings) {
1612	wake_up_interruptible_all(&sfp->read_wait);
1613	kill_fasync(&sfp->async_qp, SIGPOLL, POLL_HUP);
1614	}
1615	wake_up_interruptible_all(&sdp->open_wait);
1616	read_unlock_irqrestore(&sdp->sfd_lock, iflags);
1617
1618	sysfs_remove_link(kobj: &scsidp->sdev_gendev.kobj, name: "generic");
1619	device_destroy(cls: sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
1620	cdev_del(sdp->cdev);
1621	sdp->cdev = NULL;
1622
1623	kref_put(kref: &sdp->d_ref, release: sg_device_destroy);
1624	}
1625
1626	module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
1627	module_param_named(def_reserved_size, def_reserved_size, int,
1628	S_IRUGO | S_IWUSR);
1629	module_param_named(allow_dio, sg_allow_dio, int, S_IRUGO | S_IWUSR);
1630
1631	MODULE_AUTHOR("Douglas Gilbert");
1632	MODULE_DESCRIPTION("SCSI generic (sg) driver");
1633	MODULE_LICENSE("GPL");
1634	MODULE_VERSION(SG_VERSION_STR);
1635	MODULE_ALIAS_CHARDEV_MAJOR(SCSI_GENERIC_MAJOR);
1636
1637	MODULE_PARM_DESC(scatter_elem_sz, "scatter gather element "
1638	"size (default: max(SG_SCATTER_SZ, PAGE_SIZE))");
1639	MODULE_PARM_DESC(def_reserved_size, "size of buffer reserved for each fd");
1640	MODULE_PARM_DESC(allow_dio, "allow direct I/O (default: 0 (disallow))");
1641
1642	#ifdef CONFIG_SYSCTL
1643	#include <linux/sysctl.h>
1644
1645	static struct ctl_table sg_sysctls[] = {
1646	{
1647	.procname = "sg-big-buff",
1648	.data = &sg_big_buff,
1649	.maxlen = sizeof(int),
1650	.mode = 0444,
1651	.proc_handler = proc_dointvec,
1652	},
1653	};
1654
1655	static struct ctl_table_header *hdr;
1656	static void register_sg_sysctls(void)
1657	{
1658	if (!hdr)
1659	hdr = register_sysctl("kernel", sg_sysctls);
1660	}
1661
1662	static void unregister_sg_sysctls(void)
1663	{
1664	if (hdr)
1665	unregister_sysctl_table(table: hdr);
1666	}
1667	#else
1668	#define register_sg_sysctls() do { } while (0)
1669	#define unregister_sg_sysctls() do { } while (0)
1670	#endif /* CONFIG_SYSCTL */
1671
1672	static int __init
1673	init_sg(void)
1674	{
1675	int rc;
1676
1677	if (scatter_elem_sz < PAGE_SIZE) {
1678	scatter_elem_sz = PAGE_SIZE;
1679	scatter_elem_sz_prev = scatter_elem_sz;
1680	}
1681	if (def_reserved_size >= 0)
1682	sg_big_buff = def_reserved_size;
1683	else
1684	def_reserved_size = sg_big_buff;
1685
1686	rc = register_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0),
1687	SG_MAX_DEVS, "sg");
1688	if (rc)
1689	return rc;
1690	sg_sysfs_class = class_create(name: "scsi_generic");
1691	if ( IS_ERR(ptr: sg_sysfs_class) ) {
1692	rc = PTR_ERR(ptr: sg_sysfs_class);
1693	goto err_out;
1694	}
1695	sg_sysfs_valid = 1;
1696	rc = scsi_register_interface(&sg_interface);
1697	if (0 == rc) {
1698	#ifdef CONFIG_SCSI_PROC_FS
1699	sg_proc_init();
1700	#endif /* CONFIG_SCSI_PROC_FS */
1701	return 0;
1702	}
1703	class_destroy(cls: sg_sysfs_class);
1704	register_sg_sysctls();
1705	err_out:
1706	unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), SG_MAX_DEVS);
1707	return rc;
1708	}
1709
1710	static void __exit
1711	exit_sg(void)
1712	{
1713	unregister_sg_sysctls();
1714	#ifdef CONFIG_SCSI_PROC_FS
1715	remove_proc_subtree("scsi/sg", NULL);
1716	#endif /* CONFIG_SCSI_PROC_FS */
1717	scsi_unregister_interface(&sg_interface);
1718	class_destroy(cls: sg_sysfs_class);
1719	sg_sysfs_valid = 0;
1720	unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0),
1721	SG_MAX_DEVS);
1722	idr_destroy(&sg_index_idr);
1723	}
1724
1725	static int
1726	sg_start_req(Sg_request *srp, unsigned char *cmd)
1727	{
1728	int res;
1729	struct request *rq;
1730	Sg_fd *sfp = srp->parentfp;
1731	sg_io_hdr_t *hp = &srp->header;
1732	int dxfer_len = (int) hp->dxfer_len;
1733	int dxfer_dir = hp->dxfer_direction;
1734	unsigned int iov_count = hp->iovec_count;
1735	Sg_scatter_hold *req_schp = &srp->data;
1736	Sg_scatter_hold *rsv_schp = &sfp->reserve;
1737	struct request_queue *q = sfp->parentdp->device->request_queue;
1738	struct rq_map_data *md, map_data;
1739	int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? ITER_SOURCE : ITER_DEST;
1740	struct scsi_cmnd *scmd;
1741
1742	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
1743	"sg_start_req: dxfer_len=%d\n",
1744	dxfer_len));
1745
1746	/*
1747	* NOTE
1748	*
1749	* With scsi-mq enabled, there are a fixed number of preallocated
1750	* requests equal in number to shost->can_queue. If all of the
1751	* preallocated requests are already in use, then scsi_alloc_request()
1752	* will sleep until an active command completes, freeing up a request.
1753	* Although waiting in an asynchronous interface is less than ideal, we
1754	* do not want to use BLK_MQ_REQ_NOWAIT here because userspace might
1755	* not expect an EWOULDBLOCK from this condition.
1756	*/
1757	rq = scsi_alloc_request(q, opf: hp->dxfer_direction == SG_DXFER_TO_DEV ?
1758	REQ_OP_DRV_OUT : REQ_OP_DRV_IN, flags: 0);
1759	if (IS_ERR(ptr: rq))
1760	return PTR_ERR(ptr: rq);
1761	scmd = blk_mq_rq_to_pdu(rq);
1762
1763	if (hp->cmd_len > sizeof(scmd->cmnd)) {
1764	blk_mq_free_request(rq);
1765	return -EINVAL;
1766	}
1767
1768	memcpy(scmd->cmnd, cmd, hp->cmd_len);
1769	scmd->cmd_len = hp->cmd_len;
1770
1771	srp->rq = rq;
1772	rq->end_io_data = srp;
1773	scmd->allowed = SG_DEFAULT_RETRIES;
1774
1775	if ((dxfer_len <= 0) || (dxfer_dir == SG_DXFER_NONE))
1776	return 0;
1777
1778	if (sg_allow_dio && hp->flags & SG_FLAG_DIRECT_IO &&
1779	dxfer_dir != SG_DXFER_UNKNOWN && !iov_count &&
1780	blk_rq_aligned(q, addr: (unsigned long)hp->dxferp, len: dxfer_len))
1781	md = NULL;
1782	else
1783	md = &map_data;
1784
1785	if (md) {
1786	mutex_lock(&sfp->f_mutex);
1787	if (dxfer_len <= rsv_schp->bufflen &&
1788	!sfp->res_in_use) {
1789	sfp->res_in_use = 1;
1790	sg_link_reserve(sfp, srp, size: dxfer_len);
1791	} else if (hp->flags & SG_FLAG_MMAP_IO) {
1792	res = -EBUSY; /* sfp->res_in_use == 1 */
1793	if (dxfer_len > rsv_schp->bufflen)
1794	res = -ENOMEM;
1795	mutex_unlock(lock: &sfp->f_mutex);
1796	return res;
1797	} else {
1798	res = sg_build_indirect(schp: req_schp, sfp, buff_size: dxfer_len);
1799	if (res) {
1800	mutex_unlock(lock: &sfp->f_mutex);
1801	return res;
1802	}
1803	}
1804	mutex_unlock(lock: &sfp->f_mutex);
1805
1806	md->pages = req_schp->pages;
1807	md->page_order = req_schp->page_order;
1808	md->nr_entries = req_schp->k_use_sg;
1809	md->offset = 0;
1810	md->null_mapped = hp->dxferp ? 0 : 1;
1811	if (dxfer_dir == SG_DXFER_TO_FROM_DEV)
1812	md->from_user = 1;
1813	else
1814	md->from_user = 0;
1815	}
1816
1817	res = blk_rq_map_user_io(rq, md, hp->dxferp, hp->dxfer_len,
1818	GFP_ATOMIC, iov_count, iov_count, 1, rw);
1819	if (!res) {
1820	srp->bio = rq->bio;
1821
1822	if (!md) {
1823	req_schp->dio_in_use = 1;
1824	hp->info |= SG_INFO_DIRECT_IO;
1825	}
1826	}
1827	return res;
1828	}
1829
1830	static int
1831	sg_finish_rem_req(Sg_request *srp)
1832	{
1833	int ret = 0;
1834
1835	Sg_fd *sfp = srp->parentfp;
1836	Sg_scatter_hold *req_schp = &srp->data;
1837
1838	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
1839	"sg_finish_rem_req: res_used=%d\n",
1840	(int) srp->res_used));
1841	if (srp->bio)
1842	ret = blk_rq_unmap_user(srp->bio);
1843
1844	if (srp->rq)
1845	blk_mq_free_request(rq: srp->rq);
1846
1847	if (srp->res_used)
1848	sg_unlink_reserve(sfp, srp);
1849	else
1850	sg_remove_scat(sfp, schp: req_schp);
1851
1852	return ret;
1853	}
1854
1855	static int
1856	sg_build_sgat(Sg_scatter_hold * schp, const Sg_fd * sfp, int tablesize)
1857	{
1858	int sg_bufflen = tablesize * sizeof(struct page *);
1859	gfp_t gfp_flags = GFP_ATOMIC | __GFP_NOWARN;
1860
1861	schp->pages = kzalloc(size: sg_bufflen, flags: gfp_flags);
1862	if (!schp->pages)
1863	return -ENOMEM;
1864	schp->sglist_len = sg_bufflen;
1865	return tablesize; /* number of scat_gath elements allocated */
1866	}
1867
1868	static int
1869	sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
1870	{
1871	int ret_sz = 0, i, k, rem_sz, num, mx_sc_elems;
1872	int sg_tablesize = sfp->parentdp->sg_tablesize;
1873	int blk_size = buff_size, order;
1874	gfp_t gfp_mask = GFP_ATOMIC | __GFP_COMP | __GFP_NOWARN | __GFP_ZERO;
1875
1876	if (blk_size < 0)
1877	return -EFAULT;
1878	if (0 == blk_size)
1879	++blk_size; /* don't know why */
1880	/* round request up to next highest SG_SECTOR_SZ byte boundary */
1881	blk_size = ALIGN(blk_size, SG_SECTOR_SZ);
1882	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
1883	"sg_build_indirect: buff_size=%d, blk_size=%d\n",
1884	buff_size, blk_size));
1885
1886	/* N.B. ret_sz carried into this block ... */
1887	mx_sc_elems = sg_build_sgat(schp, sfp, tablesize: sg_tablesize);
1888	if (mx_sc_elems < 0)
1889	return mx_sc_elems; /* most likely -ENOMEM */
1890
1891	num = scatter_elem_sz;
1892	if (unlikely(num != scatter_elem_sz_prev)) {
1893	if (num < PAGE_SIZE) {
1894	scatter_elem_sz = PAGE_SIZE;
1895	scatter_elem_sz_prev = PAGE_SIZE;
1896	} else
1897	scatter_elem_sz_prev = num;
1898	}
1899
1900	order = get_order(size: num);
1901	retry:
1902	ret_sz = 1 << (PAGE_SHIFT + order);
1903
1904	for (k = 0, rem_sz = blk_size; rem_sz > 0 && k < mx_sc_elems;
1905	k++, rem_sz -= ret_sz) {
1906
1907	num = (rem_sz > scatter_elem_sz_prev) ?
1908	scatter_elem_sz_prev : rem_sz;
1909
1910	schp->pages[k] = alloc_pages(gfp: gfp_mask, order);
1911	if (!schp->pages[k])
1912	goto out;
1913
1914	if (num == scatter_elem_sz_prev) {
1915	if (unlikely(ret_sz > scatter_elem_sz_prev)) {
1916	scatter_elem_sz = ret_sz;
1917	scatter_elem_sz_prev = ret_sz;
1918	}
1919	}
1920
1921	SCSI_LOG_TIMEOUT(5, sg_printk(KERN_INFO, sfp->parentdp,
1922	"sg_build_indirect: k=%d, num=%d, ret_sz=%d\n",
1923	k, num, ret_sz));
1924	} /* end of for loop */
1925
1926	schp->page_order = order;
1927	schp->k_use_sg = k;
1928	SCSI_LOG_TIMEOUT(5, sg_printk(KERN_INFO, sfp->parentdp,
1929	"sg_build_indirect: k_use_sg=%d, rem_sz=%d\n",
1930	k, rem_sz));
1931
1932	schp->bufflen = blk_size;
1933	if (rem_sz > 0) /* must have failed */
1934	return -ENOMEM;
1935	return 0;
1936	out:
1937	for (i = 0; i < k; i++)
1938	__free_pages(page: schp->pages[i], order);
1939
1940	if (--order >= 0)
1941	goto retry;
1942
1943	return -ENOMEM;
1944	}
1945
1946	static void
1947	sg_remove_scat(Sg_fd * sfp, Sg_scatter_hold * schp)
1948	{
1949	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
1950	"sg_remove_scat: k_use_sg=%d\n", schp->k_use_sg));
1951	if (schp->pages && schp->sglist_len > 0) {
1952	if (!schp->dio_in_use) {
1953	int k;
1954
1955	for (k = 0; k < schp->k_use_sg && schp->pages[k]; k++) {
1956	SCSI_LOG_TIMEOUT(5,
1957	sg_printk(KERN_INFO, sfp->parentdp,
1958	"sg_remove_scat: k=%d, pg=0x%p\n",
1959	k, schp->pages[k]));
1960	__free_pages(page: schp->pages[k], order: schp->page_order);
1961	}
1962
1963	kfree(objp: schp->pages);
1964	}
1965	}
1966	memset(schp, 0, sizeof (*schp));
1967	}
1968
1969	static int
1970	sg_read_oxfer(Sg_request * srp, char __user *outp, int num_read_xfer)
1971	{
1972	Sg_scatter_hold *schp = &srp->data;
1973	int k, num;
1974
1975	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, srp->parentfp->parentdp,
1976	"sg_read_oxfer: num_read_xfer=%d\n",
1977	num_read_xfer));
1978	if ((!outp) || (num_read_xfer <= 0))
1979	return 0;
1980
1981	num = 1 << (PAGE_SHIFT + schp->page_order);
1982	for (k = 0; k < schp->k_use_sg && schp->pages[k]; k++) {
1983	if (num > num_read_xfer) {
1984	if (copy_to_user(to: outp, page_address(schp->pages[k]),
1985	n: num_read_xfer))
1986	return -EFAULT;
1987	break;
1988	} else {
1989	if (copy_to_user(to: outp, page_address(schp->pages[k]),
1990	n: num))
1991	return -EFAULT;
1992	num_read_xfer -= num;
1993	if (num_read_xfer <= 0)
1994	break;
1995	outp += num;
1996	}
1997	}
1998
1999	return 0;
2000	}
2001
2002	static void
2003	sg_build_reserve(Sg_fd * sfp, int req_size)
2004	{
2005	Sg_scatter_hold *schp = &sfp->reserve;
2006
2007	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
2008	"sg_build_reserve: req_size=%d\n", req_size));
2009	do {
2010	if (req_size < PAGE_SIZE)
2011	req_size = PAGE_SIZE;
2012	if (0 == sg_build_indirect(schp, sfp, buff_size: req_size))
2013	return;
2014	else
2015	sg_remove_scat(sfp, schp);
2016	req_size >>= 1; /* divide by 2 */
2017	} while (req_size > (PAGE_SIZE / 2));
2018	}
2019
2020	static void
2021	sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size)
2022	{
2023	Sg_scatter_hold *req_schp = &srp->data;
2024	Sg_scatter_hold *rsv_schp = &sfp->reserve;
2025	int k, num, rem;
2026
2027	srp->res_used = 1;
2028	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
2029	"sg_link_reserve: size=%d\n", size));
2030	rem = size;
2031
2032	num = 1 << (PAGE_SHIFT + rsv_schp->page_order);
2033	for (k = 0; k < rsv_schp->k_use_sg; k++) {
2034	if (rem <= num) {
2035	req_schp->k_use_sg = k + 1;
2036	req_schp->sglist_len = rsv_schp->sglist_len;
2037	req_schp->pages = rsv_schp->pages;
2038
2039	req_schp->bufflen = size;
2040	req_schp->page_order = rsv_schp->page_order;
2041	break;
2042	} else
2043	rem -= num;
2044	}
2045
2046	if (k >= rsv_schp->k_use_sg)
2047	SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,
2048	"sg_link_reserve: BAD size\n"));
2049	}
2050
2051	static void
2052	sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp)
2053	{
2054	Sg_scatter_hold *req_schp = &srp->data;
2055
2056	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, srp->parentfp->parentdp,
2057	"sg_unlink_reserve: req->k_use_sg=%d\n",
2058	(int) req_schp->k_use_sg));
2059	req_schp->k_use_sg = 0;
2060	req_schp->bufflen = 0;
2061	req_schp->pages = NULL;
2062	req_schp->page_order = 0;
2063	req_schp->sglist_len = 0;
2064	srp->res_used = 0;
2065	/* Called without mutex lock to avoid deadlock */
2066	sfp->res_in_use = 0;
2067	}
2068
2069	static Sg_request *
2070	sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy)
2071	{
2072	Sg_request *resp;
2073	unsigned long iflags;
2074
2075	*busy = false;
2076	write_lock_irqsave(&sfp->rq_list_lock, iflags);
2077	list_for_each_entry(resp, &sfp->rq_list, entry) {
2078	/* look for requests that are not SG_IO owned */
2079	if ((!resp->sg_io_owned) &&
2080	((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
2081	switch (resp->done) {
2082	case 0: /* request active */
2083	*busy = true;
2084	break;
2085	case 1: /* request done; response ready to return */
2086	resp->done = 2; /* guard against other readers */
2087	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2088	return resp;
2089	case 2: /* response already being returned */
2090	break;
2091	}
2092	}
2093	}
2094	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2095	return NULL;
2096	}
2097
2098	/* always adds to end of list */
2099	static Sg_request *
2100	sg_add_request(Sg_fd * sfp)
2101	{
2102	int k;
2103	unsigned long iflags;
2104	Sg_request *rp = sfp->req_arr;
2105
2106	write_lock_irqsave(&sfp->rq_list_lock, iflags);
2107	if (!list_empty(head: &sfp->rq_list)) {
2108	if (!sfp->cmd_q)
2109	goto out_unlock;
2110
2111	for (k = 0; k < SG_MAX_QUEUE; ++k, ++rp) {
2112	if (!rp->parentfp)
2113	break;
2114	}
2115	if (k >= SG_MAX_QUEUE)
2116	goto out_unlock;
2117	}
2118	memset(rp, 0, sizeof (Sg_request));
2119	rp->parentfp = sfp;
2120	rp->header.duration = jiffies_to_msecs(j: jiffies);
2121	list_add_tail(new: &rp->entry, head: &sfp->rq_list);
2122	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2123	return rp;
2124	out_unlock:
2125	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2126	return NULL;
2127	}
2128
2129	/* Return of 1 for found; 0 for not found */
2130	static int
2131	sg_remove_request(Sg_fd * sfp, Sg_request * srp)
2132	{
2133	unsigned long iflags;
2134	int res = 0;
2135
2136	if (!sfp || !srp || list_empty(head: &sfp->rq_list))
2137	return res;
2138	write_lock_irqsave(&sfp->rq_list_lock, iflags);
2139	if (!list_empty(head: &srp->entry)) {
2140	list_del(entry: &srp->entry);
2141	srp->parentfp = NULL;
2142	res = 1;
2143	}
2144	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2145
2146	/*
2147	* If the device is detaching, wakeup any readers in case we just
2148	* removed the last response, which would leave nothing for them to
2149	* return other than -ENODEV.
2150	*/
2151	if (unlikely(atomic_read(&sfp->parentdp->detaching)))
2152	wake_up_interruptible_all(&sfp->read_wait);
2153
2154	return res;
2155	}
2156
2157	static Sg_fd *
2158	sg_add_sfp(Sg_device * sdp)
2159	{
2160	Sg_fd *sfp;
2161	unsigned long iflags;
2162	int bufflen;
2163
2164	sfp = kzalloc(size: sizeof(*sfp), GFP_ATOMIC | __GFP_NOWARN);
2165	if (!sfp)
2166	return ERR_PTR(error: -ENOMEM);
2167
2168	init_waitqueue_head(&sfp->read_wait);
2169	rwlock_init(&sfp->rq_list_lock);
2170	INIT_LIST_HEAD(list: &sfp->rq_list);
2171	kref_init(kref: &sfp->f_ref);
2172	mutex_init(&sfp->f_mutex);
2173	sfp->timeout = SG_DEFAULT_TIMEOUT;
2174	sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
2175	sfp->force_packid = SG_DEF_FORCE_PACK_ID;
2176	sfp->cmd_q = SG_DEF_COMMAND_Q;
2177	sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
2178	sfp->parentdp = sdp;
2179	write_lock_irqsave(&sdp->sfd_lock, iflags);
2180	if (atomic_read(v: &sdp->detaching)) {
2181	write_unlock_irqrestore(&sdp->sfd_lock, iflags);
2182	kfree(objp: sfp);
2183	return ERR_PTR(error: -ENODEV);
2184	}
2185	list_add_tail(new: &sfp->sfd_siblings, head: &sdp->sfds);
2186	write_unlock_irqrestore(&sdp->sfd_lock, iflags);
2187	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
2188	"sg_add_sfp: sfp=0x%p\n", sfp));
2189	if (unlikely(sg_big_buff != def_reserved_size))
2190	sg_big_buff = def_reserved_size;
2191
2192	bufflen = min_t(int, sg_big_buff,
2193	max_sectors_bytes(sdp->device->request_queue));
2194	sg_build_reserve(sfp, req_size: bufflen);
2195	SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
2196	"sg_add_sfp: bufflen=%d, k_use_sg=%d\n",
2197	sfp->reserve.bufflen,
2198	sfp->reserve.k_use_sg));
2199
2200	kref_get(kref: &sdp->d_ref);
2201	__module_get(THIS_MODULE);
2202	return sfp;
2203	}
2204
2205	static void
2206	sg_remove_sfp_usercontext(struct work_struct *work)
2207	{
2208	struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
2209	struct sg_device *sdp = sfp->parentdp;
2210	Sg_request *srp;
2211	unsigned long iflags;
2212
2213	/* Cleanup any responses which were never read(). */
2214	write_lock_irqsave(&sfp->rq_list_lock, iflags);
2215	while (!list_empty(head: &sfp->rq_list)) {
2216	srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
2217	sg_finish_rem_req(srp);
2218	list_del(entry: &srp->entry);
2219	srp->parentfp = NULL;
2220	}
2221	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2222
2223	if (sfp->reserve.bufflen > 0) {
2224	SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp,
2225	"sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
2226	(int) sfp->reserve.bufflen,
2227	(int) sfp->reserve.k_use_sg));
2228	sg_remove_scat(sfp, schp: &sfp->reserve);
2229	}
2230
2231	SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp,
2232	"sg_remove_sfp: sfp=0x%p\n", sfp));
2233	kfree(objp: sfp);
2234
2235	scsi_device_put(sdp->device);
2236	kref_put(kref: &sdp->d_ref, release: sg_device_destroy);
2237	module_put(THIS_MODULE);
2238	}
2239
2240	static void
2241	sg_remove_sfp(struct kref *kref)
2242	{
2243	struct sg_fd *sfp = container_of(kref, struct sg_fd, f_ref);
2244	struct sg_device *sdp = sfp->parentdp;
2245	unsigned long iflags;
2246
2247	write_lock_irqsave(&sdp->sfd_lock, iflags);
2248	list_del(entry: &sfp->sfd_siblings);
2249	write_unlock_irqrestore(&sdp->sfd_lock, iflags);
2250
2251	INIT_WORK(&sfp->ew.work, sg_remove_sfp_usercontext);
2252	schedule_work(work: &sfp->ew.work);
2253	}
2254
2255	#ifdef CONFIG_SCSI_PROC_FS
2256	static int
2257	sg_idr_max_id(int id, void *p, void *data)
2258	{
2259	int *k = data;
2260
2261	if (*k < id)
2262	*k = id;
2263
2264	return 0;
2265	}
2266
2267	static int
2268	sg_last_dev(void)
2269	{
2270	int k = -1;
2271	unsigned long iflags;
2272
2273	read_lock_irqsave(&sg_index_lock, iflags);
2274	idr_for_each(&sg_index_idr, fn: sg_idr_max_id, data: &k);
2275	read_unlock_irqrestore(&sg_index_lock, iflags);
2276	return k + 1; /* origin 1 */
2277	}
2278	#endif
2279
2280	/* must be called with sg_index_lock held */
2281	static Sg_device *sg_lookup_dev(int dev)
2282	{
2283	return idr_find(&sg_index_idr, id: dev);
2284	}
2285
2286	static Sg_device *
2287	sg_get_dev(int dev)
2288	{
2289	struct sg_device *sdp;
2290	unsigned long flags;
2291
2292	read_lock_irqsave(&sg_index_lock, flags);
2293	sdp = sg_lookup_dev(dev);
2294	if (!sdp)
2295	sdp = ERR_PTR(error: -ENXIO);
2296	else if (atomic_read(v: &sdp->detaching)) {
2297	/* If sdp->detaching, then the refcount may already be 0, in
2298	* which case it would be a bug to do kref_get().
2299	*/
2300	sdp = ERR_PTR(error: -ENODEV);
2301	} else
2302	kref_get(kref: &sdp->d_ref);
2303	read_unlock_irqrestore(&sg_index_lock, flags);
2304
2305	return sdp;
2306	}
2307
2308	#ifdef CONFIG_SCSI_PROC_FS
2309	static int sg_proc_seq_show_int(struct seq_file *s, void *v);
2310
2311	static int sg_proc_single_open_adio(struct inode *inode, struct file *file);
2312	static ssize_t sg_proc_write_adio(struct file *filp, const char __user *buffer,
2313	size_t count, loff_t *off);
2314	static const struct proc_ops adio_proc_ops = {
2315	.proc_open = sg_proc_single_open_adio,
2316	.proc_read = seq_read,
2317	.proc_lseek = seq_lseek,
2318	.proc_write = sg_proc_write_adio,
2319	.proc_release = single_release,
2320	};
2321
2322	static int sg_proc_single_open_dressz(struct inode *inode, struct file *file);
2323	static ssize_t sg_proc_write_dressz(struct file *filp,
2324	const char __user *buffer, size_t count, loff_t *off);
2325	static const struct proc_ops dressz_proc_ops = {
2326	.proc_open = sg_proc_single_open_dressz,
2327	.proc_read = seq_read,
2328	.proc_lseek = seq_lseek,
2329	.proc_write = sg_proc_write_dressz,
2330	.proc_release = single_release,
2331	};
2332
2333	static int sg_proc_seq_show_version(struct seq_file *s, void *v);
2334	static int sg_proc_seq_show_devhdr(struct seq_file *s, void *v);
2335	static int sg_proc_seq_show_dev(struct seq_file *s, void *v);
2336	static void * dev_seq_start(struct seq_file *s, loff_t *pos);
2337	static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos);
2338	static void dev_seq_stop(struct seq_file *s, void *v);
2339	static const struct seq_operations dev_seq_ops = {
2340	.start = dev_seq_start,
2341	.next = dev_seq_next,
2342	.stop = dev_seq_stop,
2343	.show = sg_proc_seq_show_dev,
2344	};
2345
2346	static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v);
2347	static const struct seq_operations devstrs_seq_ops = {
2348	.start = dev_seq_start,
2349	.next = dev_seq_next,
2350	.stop = dev_seq_stop,
2351	.show = sg_proc_seq_show_devstrs,
2352	};
2353
2354	static int sg_proc_seq_show_debug(struct seq_file *s, void *v);
2355	static const struct seq_operations debug_seq_ops = {
2356	.start = dev_seq_start,
2357	.next = dev_seq_next,
2358	.stop = dev_seq_stop,
2359	.show = sg_proc_seq_show_debug,
2360	};
2361
2362	static int
2363	sg_proc_init(void)
2364	{
2365	struct proc_dir_entry *p;
2366
2367	p = proc_mkdir("scsi/sg", NULL);
2368	if (!p)
2369	return 1;
2370
2371	proc_create(name: "allow_dio", S_IRUGO | S_IWUSR, parent: p, proc_ops: &adio_proc_ops);
2372	proc_create_seq("debug", S_IRUGO, p, &debug_seq_ops);
2373	proc_create(name: "def_reserved_size", S_IRUGO | S_IWUSR, parent: p, proc_ops: &dressz_proc_ops);
2374	proc_create_single("device_hdr", S_IRUGO, p, sg_proc_seq_show_devhdr);
2375	proc_create_seq("devices", S_IRUGO, p, &dev_seq_ops);
2376	proc_create_seq("device_strs", S_IRUGO, p, &devstrs_seq_ops);
2377	proc_create_single("version", S_IRUGO, p, sg_proc_seq_show_version);
2378	return 0;
2379	}
2380
2381
2382	static int sg_proc_seq_show_int(struct seq_file *s, void *v)
2383	{
2384	seq_printf(m: s, fmt: "%d\n", *((int *)s->private));
2385	return 0;
2386	}
2387
2388	static int sg_proc_single_open_adio(struct inode *inode, struct file *file)
2389	{
2390	return single_open(file, sg_proc_seq_show_int, &sg_allow_dio);
2391	}
2392
2393	static ssize_t
2394	sg_proc_write_adio(struct file *filp, const char __user *buffer,
2395	size_t count, loff_t *off)
2396	{
2397	int err;
2398	unsigned long num;
2399
2400	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
2401	return -EACCES;
2402	err = kstrtoul_from_user(s: buffer, count, base: 0, res: &num);
2403	if (err)
2404	return err;
2405	sg_allow_dio = num ? 1 : 0;
2406	return count;
2407	}
2408
2409	static int sg_proc_single_open_dressz(struct inode *inode, struct file *file)
2410	{
2411	return single_open(file, sg_proc_seq_show_int, &sg_big_buff);
2412	}
2413
2414	static ssize_t
2415	sg_proc_write_dressz(struct file *filp, const char __user *buffer,
2416	size_t count, loff_t *off)
2417	{
2418	int err;
2419	unsigned long k = ULONG_MAX;
2420
2421	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
2422	return -EACCES;
2423
2424	err = kstrtoul_from_user(s: buffer, count, base: 0, res: &k);
2425	if (err)
2426	return err;
2427	if (k <= 1048576) { /* limit "big buff" to 1 MB */
2428	sg_big_buff = k;
2429	return count;
2430	}
2431	return -ERANGE;
2432	}
2433
2434	static int sg_proc_seq_show_version(struct seq_file *s, void *v)
2435	{
2436	seq_printf(m: s, fmt: "%d\t%s [%s]\n", sg_version_num, SG_VERSION_STR,
2437	sg_version_date);
2438	return 0;
2439	}
2440
2441	static int sg_proc_seq_show_devhdr(struct seq_file *s, void *v)
2442	{
2443	seq_puts(m: s, s: "host\tchan\tid\tlun\ttype\topens\tqdepth\tbusy\tonline\n");
2444	return 0;
2445	}
2446
2447	struct sg_proc_deviter {
2448	loff_t index;
2449	size_t max;
2450	};
2451
2452	static void * dev_seq_start(struct seq_file *s, loff_t *pos)
2453	{
2454	struct sg_proc_deviter * it = kmalloc(size: sizeof(*it), GFP_KERNEL);
2455
2456	s->private = it;
2457	if (! it)
2458	return NULL;
2459
2460	it->index = *pos;
2461	it->max = sg_last_dev();
2462	if (it->index >= it->max)
2463	return NULL;
2464	return it;
2465	}
2466
2467	static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos)
2468	{
2469	struct sg_proc_deviter * it = s->private;
2470
2471	*pos = ++it->index;
2472	return (it->index < it->max) ? it : NULL;
2473	}
2474
2475	static void dev_seq_stop(struct seq_file *s, void *v)
2476	{
2477	kfree(objp: s->private);
2478	}
2479
2480	static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
2481	{
2482	struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2483	Sg_device *sdp;
2484	struct scsi_device *scsidp;
2485	unsigned long iflags;
2486
2487	read_lock_irqsave(&sg_index_lock, iflags);
2488	sdp = it ? sg_lookup_dev(dev: it->index) : NULL;
2489	if ((NULL == sdp) || (NULL == sdp->device) ||
2490	(atomic_read(v: &sdp->detaching)))
2491	seq_puts(m: s, s: "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n");
2492	else {
2493	scsidp = sdp->device;
2494	seq_printf(m: s, fmt: "%d\t%d\t%d\t%llu\t%d\t%d\t%d\t%d\t%d\n",
2495	scsidp->host->host_no, scsidp->channel,
2496	scsidp->id, scsidp->lun, (int) scsidp->type,
2497	1,
2498	(int) scsidp->queue_depth,
2499	(int) scsi_device_busy(sdev: scsidp),
2500	(int) scsi_device_online(sdev: scsidp));
2501	}
2502	read_unlock_irqrestore(&sg_index_lock, iflags);
2503	return 0;
2504	}
2505
2506	static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v)
2507	{
2508	struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2509	Sg_device *sdp;
2510	struct scsi_device *scsidp;
2511	unsigned long iflags;
2512
2513	read_lock_irqsave(&sg_index_lock, iflags);
2514	sdp = it ? sg_lookup_dev(dev: it->index) : NULL;
2515	scsidp = sdp ? sdp->device : NULL;
2516	if (sdp && scsidp && (!atomic_read(v: &sdp->detaching)))
2517	seq_printf(m: s, fmt: "%8.8s\t%16.16s\t%4.4s\n",
2518	scsidp->vendor, scsidp->model, scsidp->rev);
2519	else
2520	seq_puts(m: s, s: "<no active device>\n");
2521	read_unlock_irqrestore(&sg_index_lock, iflags);
2522	return 0;
2523	}
2524
2525	/* must be called while holding sg_index_lock */
2526	static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
2527	{
2528	int k, new_interface, blen, usg;
2529	Sg_request *srp;
2530	Sg_fd *fp;
2531	const sg_io_hdr_t *hp;
2532	const char * cp;
2533	unsigned int ms;
2534
2535	k = 0;
2536	list_for_each_entry(fp, &sdp->sfds, sfd_siblings) {
2537	k++;
2538	read_lock(&fp->rq_list_lock); /* irqs already disabled */
2539	seq_printf(m: s, fmt: " FD(%d): timeout=%dms bufflen=%d "
2540	"(res)sgat=%d low_dma=%d\n", k,
2541	jiffies_to_msecs(j: fp->timeout),
2542	fp->reserve.bufflen,
2543	(int) fp->reserve.k_use_sg, 0);
2544	seq_printf(m: s, fmt: " cmd_q=%d f_packid=%d k_orphan=%d closed=0\n",
2545	(int) fp->cmd_q, (int) fp->force_packid,
2546	(int) fp->keep_orphan);
2547	list_for_each_entry(srp, &fp->rq_list, entry) {
2548	hp = &srp->header;
2549	new_interface = (hp->interface_id == '\0') ? 0 : 1;
2550	if (srp->res_used) {
2551	if (new_interface &&
2552	(SG_FLAG_MMAP_IO & hp->flags))
2553	cp = " mmap>> ";
2554	else
2555	cp = " rb>> ";
2556	} else {
2557	if (SG_INFO_DIRECT_IO_MASK & hp->info)
2558	cp = " dio>> ";
2559	else
2560	cp = " ";
2561	}
2562	seq_puts(m: s, s: cp);
2563	blen = srp->data.bufflen;
2564	usg = srp->data.k_use_sg;
2565	seq_puts(m: s, s: srp->done ?
2566	((1 == srp->done) ? "rcv:" : "fin:")
2567	: "act:");
2568	seq_printf(m: s, fmt: " id=%d blen=%d",
2569	srp->header.pack_id, blen);
2570	if (srp->done)
2571	seq_printf(m: s, fmt: " dur=%d", hp->duration);
2572	else {
2573	ms = jiffies_to_msecs(j: jiffies);
2574	seq_printf(m: s, fmt: " t_o/elap=%d/%d",
2575	(new_interface ? hp->timeout :
2576	jiffies_to_msecs(j: fp->timeout)),
2577	(ms > hp->duration ? ms - hp->duration : 0));
2578	}
2579	seq_printf(m: s, fmt: "ms sgat=%d op=0x%02x\n", usg,
2580	(int) srp->data.cmd_opcode);
2581	}
2582	if (list_empty(head: &fp->rq_list))
2583	seq_puts(m: s, s: " No requests active\n");
2584	read_unlock(&fp->rq_list_lock);
2585	}
2586	}
2587
2588	static int sg_proc_seq_show_debug(struct seq_file *s, void *v)
2589	{
2590	struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2591	Sg_device *sdp;
2592	unsigned long iflags;
2593
2594	if (it && (0 == it->index))
2595	seq_printf(m: s, fmt: "max_active_device=%d def_reserved_size=%d\n",
2596	(int)it->max, sg_big_buff);
2597
2598	read_lock_irqsave(&sg_index_lock, iflags);
2599	sdp = it ? sg_lookup_dev(dev: it->index) : NULL;
2600	if (NULL == sdp)
2601	goto skip;
2602	read_lock(&sdp->sfd_lock);
2603	if (!list_empty(head: &sdp->sfds)) {
2604	seq_printf(m: s, fmt: " >>> device=%s ", sdp->name);
2605	if (atomic_read(v: &sdp->detaching))
2606	seq_puts(m: s, s: "detaching pending close ");
2607	else if (sdp->device) {
2608	struct scsi_device *scsidp = sdp->device;
2609
2610	seq_printf(m: s, fmt: "%d:%d:%d:%llu em=%d",
2611	scsidp->host->host_no,
2612	scsidp->channel, scsidp->id,
2613	scsidp->lun,
2614	scsidp->host->hostt->emulated);
2615	}
2616	seq_printf(m: s, fmt: " sg_tablesize=%d excl=%d open_cnt=%d\n",
2617	sdp->sg_tablesize, sdp->exclude, sdp->open_cnt);
2618	sg_proc_debug_helper(s, sdp);
2619	}
2620	read_unlock(&sdp->sfd_lock);
2621	skip:
2622	read_unlock_irqrestore(&sg_index_lock, iflags);
2623	return 0;
2624	}
2625
2626	#endif /* CONFIG_SCSI_PROC_FS */
2627
2628	module_init(init_sg);
2629	module_exit(exit_sg);
2630