ADATA USB Drive lies about the RC16, so add a quirk to ignore it.
MFC After: 3 days
PR: 188999
Sponsored by: Netflix
(cherry picked from commit f11b6ce4a3bc6d455dbec375218c01ce9b6b5dc2)
The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio->cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).
All kernel commands accessible from the guest are defined by
ctl_cmd_table.
The command ctl_persistent_reserve_out (cdb[0]=0x5F and cdb[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DOS attack).
Reported by: Synacktiv
Reviewed by: asomers
Security: HYP-08
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46044
(cherry picked from commit 64b0f52be2c9d7bcecebfeef393f8ec56cb85f47)
For EXT_CSD_PART_CONFIG_ACC_BOOT<n> and possibly others with suffixes
we fail to create proper disk aliases (symlinks), which shows up as
g_dev_taste: make_dev_alias_p() failed (name=mmcsd0, error=17)
In this case we ended up with the following two:
/dev/mmcsd0 -> sdda0
/dev/mmcsd1 -> sdda0boot1
Note that (i) it should be mmcsd0boot1 and not mmcsd1 and that
(ii) there is no mmcsd0boot0 (failed above as it tried to create a
second mmcsd0).
Adjust the code (using a highly simplified version--compared to my
original approach--suggested by imp) using an extended format string
with (sdda/mmcsd) prefix as first argument to create proper names.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D43538
(cherry picked from commit a84d91d81a6f3eeb4949c4fb3440e0634f2b953a)
Zero-initialize the bitmap of preventers. Otherwise, the START STOP
UNIT command may not have the intended effect.
Sponsored by: Axcient
Reviewed by: emaste, markj
Pull Request: https://github.com/freebsd/freebsd-src/pull/1409
(cherry picked from commit 0f2b2276abc305905e7d88619a7abca26b0dd7eb)
When removing a port, the ioctl frontend requires the "-p" argument.
But other frontends, like cfiscsi, do not. So don't require that
argument in the ctladm command. The frontend driver will report an
error if any required argument is missing.
Sponsored by: Axcient
Reviewed by: mav
Pull Request: https://github.com/freebsd/freebsd-src/pull/1279
(cherry picked from commit edbd489d09babebdc6c03924a912013be584c409)
ctladm: don't require the use of "-p" with "port -r", part 2
* Remove a now superfluous FALLTHROUGH hint
* Don't specify "-p" with an empty argument in the tests
Reported by: jhb
(cherry picked from commit 7f50027321db3b08477f6236abded0297e9e5ed8)
This vulnerability is directly accessible to a guest VM through the
pci_virtio_scsi bhyve device.
In the function ctl_report_supported_opcodes() accessible from the VM,
the option RSO_OPTIONS_OC_ASA does not check the requested
service_action value before accessing &ctl_cmd_table[].
Reported by: Synacktiv
Reviewed by: asomers
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-42416
Security: HYP-06
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46027
(cherry picked from commit af438acbfde3d25dbdc82b2b3d72380f0191e9d9)
The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.
Reported by: Synacktiv
Reviewed by: asomers
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-8178
Security: HYP-05
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45952
(cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813)
The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability directly accessible from VMs through the pci_virtio_scsi
bhyve device.
The function ctl_write_buffer sets the CTL_FLAG_ALLOCATED flag, causing
the kern_data_ptr to be freed when the command finishes processing.
However, the buffer is still stored in lun->write_buffer, leading to a
Use-After-Free vulnerability.
Since the buffer needs to persist indefinitely, so it can be accessed by
READ BUFFER, do not set CTL_FLAG_ALLOCATED.
Reported by: Synacktiv
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-45063
Security: HYP-03
Sponsored by: Axcient
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46424
(cherry picked from commit 670b582db6cb827a8760df942ed8af0020a0b4d0)
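The two WRITE BUFFER / READ BUFFER fixes described above (a zeroed first allocation of the per-LUN buffer, and a buffer that stays owned by the LUN instead of being freed at command completion) can be modelled in user space. This is an added example, not code from the FreeBSD tree: `model_lun`, `model_io`, `model_buffer_io`, `io_owns_data` and the 4096-byte size are assumptions, with calloc() standing in for a kernel allocation with M_ZERO and `io_owns_data` standing in for CTL_FLAG_ALLOCATED.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_BUF_SIZE 4096u /* constructed size for this model */
/* Hypothetical user-space stand-ins for the LUN and one command's I/O. */
struct model_lun { uint8_t *write_buffer; };
struct model_io { uint8_t *kern_data_ptr; int io_owns_data; };

/* Attach a window of the per-LUN buffer to one command. */
static int model_buffer_io(struct model_lun *lun, struct model_io *io,
    uint32_t off, uint32_t len)
{
    if (off > MODEL_BUF_SIZE || len > MODEL_BUF_SIZE - off)
        return -1;                  /* window must stay inside the buffer */
    if (lun->write_buffer == NULL)  /* first use: zeroed, as M_ZERO does */
        lun->write_buffer = calloc(1, MODEL_BUF_SIZE);
    if (lun->write_buffer == NULL)
        return -1;
    io->kern_data_ptr = lun->write_buffer + off;
    io->io_owns_data = 0;           /* the LUN owns it, not the command */
    return 0;
}

/* Command completion frees only data that the command itself owns. */
static void model_io_done(struct model_io *io)
{
    if (io->io_owns_data)
        free(io->kern_data_ptr);
    io->kern_data_ptr = NULL;
}

/* Returns 0 if all checks hold, else the number of the failed check. */
int model_selftest(void)
{
    static const uint8_t zero[64];
    struct model_lun lun = { NULL };
    struct model_io io;
    int rc = 0;
    if (model_buffer_io(&lun, &io, 0, sizeof(zero)) != 0)
        return 1;
    if (memcmp(io.kern_data_ptr, zero, sizeof(zero)) != 0)
        rc = 2;                     /* first READ BUFFER exposed stale memory */
    memcpy(io.kern_data_ptr + 16, "hello", 5);  /* WRITE BUFFER */
    model_io_done(&io);             /* must not free lun.write_buffer */
    if (model_buffer_io(&lun, &io, 16, 5) != 0 ||
        memcmp(io.kern_data_ptr, "hello", 5) != 0)
        rc = 3;                     /* data did not survive completion */
    model_io_done(&io);
    free(lun.write_buffer);
    return rc;
}
int main(void) { return model_selftest(); }
```

Swapping calloc() for malloc(), or setting `io_owns_data` to 1, reintroduces the disclosure and the use-after-free in this model, which is easiest to observe under a memory sanitizer.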
Previously 3 bytes of data from the heap could be leaked to ctl
consumers.
Reported by: Synacktiv
Reviewed by: asomers, mav
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46091
(cherry picked from commit db87c98168b1605f067d283fa36a710369c3849d)
The scsi UNMAP path updated trim stats in the da sysctl, but the ATA
TRIM passthru and WRITE SAME paths did not. Add code so they do.
PR: 277637
Reviewed by: imp (tweaked WS path to update ranges)
(cherry picked from commit 12117d0e9314d1706508386c1c49ace2de578b31)
This is very unlikely to fail (and if it does, CAM isn't going to work
regardless), but fail with an error rather than a guaranteed panic via
NULL pointer dereference.
PR: 276770
Reported by: Qiushi <w290680224@gmail.com>
(cherry picked from commit eb86c6c5b462c996e44c45ba496937b75ef22da3)
NCQ TRIM for Samsung 860/870 SSDs results in data corruption on systems
with some SATA controllers.
This can be easily reproduced using ZFS which uses TRIM and is able to
detect block content changes.
Linux bug report for this issue:
https://bugzilla.kernel.org/show_bug.cgi?id=201693
Since at present we can not limit a quirk based on the controller / SIM,
apply the quirk in all cases.
Reviewed by: imp
(cherry picked from commit c01af41c3c8fdd570764ff9b6bfbad6ac9ca1664)
Although the actual flash page size is either 8K or 16K for those
devices (according to different sources of various reliability), they
seem to be optimized for the "industry-standard" emulated 4K block size.
To do: consolidate very similar Samsung SSD entries for 830 - 870
models.
(cherry picked from commit b7dce5b8e988f47784c55aa096541deda7b1aaeb)
The Seagate IronWolf 110 SATA SSD drive has been reported to be unstable
with NCQ trim enabled.
PR: 264139
Sponsored by: Netflix
(cherry picked from commit a6cef617660a424fcaa8343787f96d0ae720a284)
This is left over from before the implementation of asynchronous media
probing, which was committed in dd78f43259
("scsi_cd: make the media check asynchronous") quite a while ago now.
No functional change intended.
MFC after: 1 week
Reviewed by: imp, avg
Differential Revision: https://reviews.freebsd.org/D43650
(cherry picked from commit 0c0ec5c8cc482e68e17e2389df4e550f65242985)
Otherwise nothing prevents the asynchronous media check state machine
from running after the periph has been destroyed, which can result in a
double free. Acquire the reference even when performing a synchronous
check, since that doesn't hurt and keeps things simpler.
PR: 276251
Reviewed by: imp
Fixes: dd78f43259 ("scsi_cd: make the media check asynchronous")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D43525
(cherry picked from commit c961afe82596bdeb7e6a8626f02ddb181c8a24b6)
Return EBUSY instead of a bare 1 if a port number is already active.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D42929
(cherry picked from commit e03e77ba4d0570511fdc1be192459e1160c650a6)
In targstart() we are already handling an error and have no good way to
signal the failure to upper layers, so ignore the return value of
suword() there.
This is in preparation for annotating copyin() and related functions
with __result_use_check.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D43202
(cherry picked from commit 904cd456f0f95c10fdb4c99a0118f30d23242dec)
As of commit b059686a71, cam_periph_unmapmem() can legitimately fail
if the copyout() operation fails. However, this failure was never
signaled to upper layers. In practice it is unlikely to occur
since cam_periph_mapmem() would most likely fail in such
circumstances anyway, but an error is nonetheless possible.
However, some code reading revealed a few paths where the return value
of cam_periph_mapmem() is not checked, and this is definitely a bug.
Add error checking there and let cam_periph_unmapmem() return errors
from copyout().
Reviewed by: dab, mav
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D43201
(cherry picked from commit d068ea16e3264c2d62472a8acf794262cfe703dd)
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Reviewed by: ken
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D43203
(cherry picked from commit 4d3c234d8eb32f903d630b371208a0a931d3d5fe)
This reduces a second copy of (mostly) the same code.
Reviewed by: ken, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D42210
(cherry picked from commit e846a3e0168f9188a6eccedd52707c63fd83cba2)
Include <sys/malloc.h> in the kernel for struct malloc_type.
Reviewed by: ken, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D42205
(cherry picked from commit 2e539c6f5aba657c69790d91130ceceeb0b8c38e)
This is in preparation for annotating copyin() and related functions
with __result_use_check.
Reviewed by: mav, imp, asomers
Tested by: asomers
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D43130
(cherry picked from commit 771501e96ffd7e314c338300a351ad76d28a2f69)
In this case, just return.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42341
(cherry picked from commit 9d61fd08499609a2c95d1c66f97587932b446f06)
There is no need to allocate a buffer, worry about overflows, etc.
MFC after: 2 weeks
(cherry picked from commit 1b44079584dc317230cf810c0fe0a8c401a5c791)
It is wrong to call sbuf_len() on a third-party sbuf. If that sbuf
has a drain function, it ends up in an assertion. But even if it
worked, it would return not the newly written length, but the full one.
Searching through the sources I don't see this value used.
(cherry picked from commit 6332e0f1a4b34707654d6ae2cd3c1e8799970d0b)
Prefer UNMAPPEDIO and ROTATING from flags sysctl. See
1. aeab0812e6 (Add flags sysctl to ada)
2. cf3ff63e55 (Convert unmappedio over to a flag)
3. 96eb32bf0f (Convert rotating to a flag bit)
Reviewed by: imp, ken, #cam
MFC after: immediately (we want this in 14.0)
Differential Revision: https://reviews.freebsd.org/D42402
(cherry picked from commit d24729b2fd66a87c2b925b0c30e46bb0a9d6446a)
The sysctl variable 'kern.cam.scsi_delay' is actually a loader tunable.
Add sysctl flag CTLFLAG_TUN to it so that `sysctl -T` will report it
correctly.
No functional change intended.
Reviewed by: kib, imp (for #cam)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42113
(cherry picked from commit e2ad7ce37b1a354750d2dd3567e77f72edeb7e1d)
Use an sbuf that drains to printf to avoid duplicating code in the two
versions of each function.
Reviewed by: mav
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D41263