1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2024 Oxide Computer Company
14 */
15
16 /*
17 * Perform various validation checks for user and kernel initiated requests.
18 * This file focuses on the validation of NVMe semantic operations. It assumes
19 * that any necessary permission checks (privileges, exclusive access, etc.)
20 * are being taken care of separately.
21 *
22 * Log Pages
23 * ---------
24 *
25 * Log page requests come into the kernel and we have a few different
26 * constraints that we need to consider while performing validation. There are a
27 * few different gotchas:
28 *
29 * 1) The arguments that one can pass to a get log page command have changed
30 * over the different device revisions. While specifying the log page ID (lid)
31 * has always been supported, a log-specific field (lsp) was added in NVMe 1.3,
32 * and the ability to specify a command-set identifier (csi) was added in NVMe
33 * 2.0. Regardless of whether this is a vendor-specific command or not, we need
34 * to be able to validate that we're not going to send parameters to the
35 * controller that will cause the command to be rejected.
36 *
37 * 2) There are going to be log pages that we know about and some that we don't.
38 * At the moment, we constrain non-admin pass through log pages to be log pages
39 * that the kernel knows about and therefore has an expected size for. This
40 * means that there is a lot more that we can check and enforce, such as whether
41 * or not specific pages support an lsp, lsi, etc. Conversely, for log pages
42 * that are admin pass-through commands, there's not a whole lot that we can
43 * actually do and will only do the version-specific checking.
44 *
45 * For any log page request that comes in, we'll try to identify which of the
46 * different types of log pages that it is, and go through and validate it
47 * appropriately.
48 *
49 * Get Feature
50 * -----------
51 *
52 * Currently, the kernel only allows standard features to be requested that it
53 * knows about. This will be loosened and look a little bit more like log pages
54 * when we have support for vendor-unique features.
55 *
56 * Like with log pages, in addition to the set of features having evolved, the
57 * arguments to the get features command has also changed to include additions
58 * like whether you want the default or saved value of a feature rather than its
59 * current value.
60 *
61 * One general complication with features is that for a number of optional
62 * features, there is no good way to know whether or not the device supports
63 * said feature other than asking for it.
64 *
65 * The last bit we need to be cognizant of is the fact that only a handful of
66 * features accept a namespace ID. Those that do, may not even support the use
67 * of a broadcast namespace ID. While the controller node may ask for any
68 * feature, those using a namespace node are limited in terms of what they can
69 * actually issue.
70 *
71 * Identify
72 * --------
73 *
74 * The kernel currently knows about the various identify data structure commands
75 * that it supports. It does this to enforce checking the version and if certain
76 * fields are set. The most complicated form of this is related to the namespace
77 * due to the fact that identify commands come in a few forms:
78 *
79 * 1) Identify commands that do not use a namespace ID at all (like identify
80 * controller).
81 * 2) Identify commands that are used to list namespaces. These allow a zero to
82 * be listed in the namespace ID field to ensure all namespaces are captured.
83 * 3) Identify commands that require a valid namespace and allow the broadcast
84 * namespace ID to be specified.
85 * 4) Identify commands that require a valid namespace and do not allow for a
86 * broadcast namespace ID to be specified.
87 *
88 * The cases here are identified based on flags in the nvme_identify_info_t. We
89 * must check the entire validity here.
90 *
91 * Vendor Unique Commands
92 * ----------------------
93 *
94 * When it comes to vendor unique commands, the main things that we try to
95 * validate are limited to what the specification requires of the shape of these
96 * commands and the constraints that we have. While there is discovery
97 * functionality in libnvme, we explicitly are not trying to leverage and know
98 * what those are here. This makes things fairly different to both identify
99 * commands and log pages.
100 *
101 * Format Requests
102 * ---------------
103 *
104 * There are a few different things that we need to check before we allow a
105 * format request to proceed. Note, some of these are artificial constraints
106 * that we have opted to place in the driver right now. In particular, right now
107 * we don't support any namespaces with metadata or protection. There is no way
108 * to set this right now in our ioctl interface. Therefore, this stuff is not
109 * verified.
110 *
111 * 1) First we must verify that the controller actually supports the Format NVM
112 * command at all.
113 *
114 * 2) Once that is good, we must validate the secure erase settings and that the
115 * LBA format is valid.
116 *
117 * 3) A controller can limit whether a secure erase or a format must impact the
118 * whole device or not.
119 *
120 * Firmware Download and Commit
121 * ----------------------------
122 *
123 * Validating a firmware download request is fairly straightforward. Here we're
124 * mostly checking that the requested sizes and offsets have the proper
125 * alignment and aren't beyond the underlying command's maximum sizes. We also
126 * verify whether or not the device actually supports firmware download requests
127 * at all. We don't try to validate the contents of the data or ask if there are
128 * other ongoing things or if we've skipped gaps in the download by changing
129 * offsets.
130 *
131 * When we opt to perform a firmware commit, then all we check is that the
132 * command is supported, that we aren't going to a read-only slot when saving,
133 * or related.
134 */
135
136 #include <sys/sysmacros.h>
137 #include <sys/nvme.h>
138
139 #include "nvme_reg.h"
140 #include "nvme_var.h"
141
142 typedef struct nvme_validate_info {
143 const nvme_field_info_t *err_fields;
144 size_t err_index;
145 uint32_t err_unuse_bit;
146 nvme_ioctl_errno_t err_field_range;
147 nvme_ioctl_errno_t err_field_unsup;
148 nvme_ioctl_errno_t err_field_unuse;
149 } nvme_validate_info_t;
150
151 static boolean_t
nvme_validate_one_field(nvme_ioctl_common_t * com,uint64_t val,const nvme_validate_info_t * info,const nvme_valid_ctrl_data_t * data,uint32_t valid)152 nvme_validate_one_field(nvme_ioctl_common_t *com, uint64_t val,
153 const nvme_validate_info_t *info, const nvme_valid_ctrl_data_t *data,
154 uint32_t valid)
155 {
156 const nvme_field_info_t *field = &info->err_fields[info->err_index];
157 nvme_field_error_t err;
158
159 if (val == 0) {
160 return (B_TRUE);
161 }
162
163 if (valid != 0 && info->err_unuse_bit != 0 &&
164 (valid & info->err_unuse_bit) == 0) {
165 VERIFY3U(info->err_field_unuse, !=, 0);
166 return (nvme_ioctl_error(com, info->err_field_unuse, 0, 0));
167 }
168
169 err = nvme_field_validate(field, data, val, NULL, 0);
170 switch (err) {
171 case NVME_FIELD_ERR_UNSUP_VERSION:
172 case NVME_FIELD_ERR_UNSUP_FIELD:
173 VERIFY3U(info->err_field_unsup, !=, 0);
174 return (nvme_ioctl_error(com, info->err_field_unsup, 0, 0));
175 case NVME_FIELD_ERR_BAD_VALUE:
176 VERIFY3U(info->err_field_range, !=, 0);
177 return (nvme_ioctl_error(com, info->err_field_range, 0, 0));
178 case NVME_FIELD_ERR_OK:
179 return (B_TRUE);
180 default:
181 panic("unsupported nvme_field_validate() value: 0x%x", err);
182 }
183 }
184
185 /*
186 * NVMe devices specify log page requests in units of uint32_t's. The original
187 * spec had a zeros based value that was 12 bits wide, providing a little over
188 * 16 KiB for a log page. In NVMe 1.3, this was changed and a device could
189 * optionally support a 32-bit wide length argument. We opt to support a smaller
190 * amount than the NVMe 1.3 maximum: 1 MiB, which is a fairly arbitrary sized
191 * value.
192 */
193 uint32_t nvme_log_page_max_size = 1 * 1024 * 1024;
194
195 static boolean_t
nvme_logpage_is_vendor(nvme_ioctl_get_logpage_t * log)196 nvme_logpage_is_vendor(nvme_ioctl_get_logpage_t *log)
197 {
198 return (log->nigl_lid >= NVME_LOGPAGE_VEND_MIN &&
199 log->nigl_lid <= NVME_LOGPAGE_VEND_MAX);
200 }
201
202 static const nvme_validate_info_t nvme_valid_log_csi = {
203 nvme_log_fields, NVME_LOG_REQ_FIELD_CSI, 0,
204 NVME_IOCTL_E_LOG_CSI_RANGE, 0, NVME_IOCTL_E_LOG_CSI_UNSUP
205 };
206
207 static const nvme_validate_info_t nvme_valid_log_lid = {
208 nvme_log_fields, NVME_LOG_REQ_FIELD_LID, 0,
209 NVME_IOCTL_E_LOG_LID_RANGE, 0, 0
210 };
211
212 static const nvme_validate_info_t nvme_valid_log_lsp = {
213 nvme_log_fields, NVME_LOG_REQ_FIELD_LSP,
214 NVME_LOG_DISC_F_NEED_LSP, NVME_IOCTL_E_LOG_LSP_RANGE,
215 NVME_IOCTL_E_LOG_LSP_UNSUP, NVME_IOCTL_E_LOG_LSP_UNUSE
216 };
217
218 static const nvme_validate_info_t nvme_valid_log_lsi = {
219 nvme_log_fields, NVME_LOG_REQ_FIELD_LSI,
220 NVME_LOG_DISC_F_NEED_LSI, NVME_IOCTL_E_LOG_LSI_RANGE,
221 NVME_IOCTL_E_LOG_LSI_UNSUP, NVME_IOCTL_E_LOG_LSI_UNUSE
222 };
223
224 static const nvme_validate_info_t nvme_valid_log_rae = {
225 nvme_log_fields, NVME_LOG_REQ_FIELD_RAE,
226 NVME_LOG_DISC_F_NEED_RAE, NVME_IOCTL_E_LOG_RAE_RANGE,
227 NVME_IOCTL_E_LOG_RAE_UNSUP, NVME_IOCTL_E_LOG_RAE_UNUSE
228 };
229
230 static const nvme_validate_info_t nvme_valid_log_size = {
231 nvme_log_fields, NVME_LOG_REQ_FIELD_SIZE, 0,
232 NVME_IOCTL_E_LOG_SIZE_RANGE, 0, 0
233 };
234
235 static const nvme_validate_info_t nvme_valid_log_offset = {
236 nvme_log_fields, NVME_LOG_REQ_FIELD_OFFSET, 0,
237 NVME_IOCTL_E_LOG_OFFSET_RANGE, 0, NVME_IOCTL_E_LOG_OFFSET_UNSUP
238 };
239
240 /*
241 * Validate all of the fields that are present in a log request. The only one we
242 * don't take care of here is the namespace ID, because we have already checked
243 * it prior to this as part of nvme_ioctl_check().
244 */
245 static boolean_t
nvme_validate_logpage_fields(nvme_ioctl_get_logpage_t * log,const nvme_valid_ctrl_data_t * ctrl_data,const nvme_log_page_info_t * info)246 nvme_validate_logpage_fields(nvme_ioctl_get_logpage_t *log,
247 const nvme_valid_ctrl_data_t *ctrl_data, const nvme_log_page_info_t *info)
248 {
249 uint32_t disc = 0;
250
251 if (info != NULL) {
252 disc = info->nlpi_disc;
253 }
254
255 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_csi,
256 &nvme_valid_log_csi, ctrl_data, disc)) {
257 return (B_FALSE);
258 }
259
260 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_lid,
261 &nvme_valid_log_lid, ctrl_data, disc)) {
262 return (B_FALSE);
263 }
264
265 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_lsp,
266 &nvme_valid_log_lsp, ctrl_data, disc)) {
267 return (B_FALSE);
268 }
269
270 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_lsi,
271 &nvme_valid_log_lsi, ctrl_data, disc)) {
272 return (B_FALSE);
273 }
274
275 /*
276 * Just like the LID, we treat the size as having two of the same error
277 * type right now as it's always been supported since NVMe 1.0. The
278 * common check confirms that the value is non-zero and that it is
279 * 4-byte aligned.
280 */
281 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_len,
282 &nvme_valid_log_size, ctrl_data, disc)) {
283 return (B_FALSE);
284 }
285
286 /*
287 * Ensure that the log page does not exceed the kernel's maximum size
288 * that one can get in one request.
289 */
290 if (log->nigl_len > nvme_log_page_max_size) {
291 return (nvme_ioctl_error(&log->nigl_common,
292 NVME_IOCTL_E_LOG_SIZE_RANGE, 0, 0));
293 }
294
295 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_rae,
296 &nvme_valid_log_rae, ctrl_data, disc)) {
297 return (B_FALSE);
298 }
299
300 if (!nvme_validate_one_field(&log->nigl_common, log->nigl_offset,
301 &nvme_valid_log_offset, ctrl_data, disc)) {
302 return (B_FALSE);
303 }
304
305 /*
306 * Log pages may either have a known fixed size, a variable size, or an
307 * unknown size. If we have a log page with a known, fixed size, then we
308 * require that the requested size match that and we do not allow an
309 * offset to be specified at this time. Otherwise, there is nothing to
310 * check for a variable length page as we have constrained everything by
311 * the maximum size above. As we encounter fixed size log pages that
312 * exceed the kernel's maximum value, we will likely have to change this
313 * in the future.
314 */
315 if (info != NULL) {
316 bool var;
317 size_t targ = nvme_log_page_info_size(info, ctrl_data, &var);
318
319 if (!var) {
320 if (targ != 0 && targ != log->nigl_len) {
321 return (nvme_ioctl_error(&log->nigl_common,
322 NVME_IOCTL_E_LOG_SIZE_RANGE, 0, 0));
323 }
324
325 if (log->nigl_offset != 0) {
326 return (nvme_ioctl_error(&log->nigl_common,
327 NVME_IOCTL_E_LOG_OFFSET_RANGE, 0, 0));
328 }
329 }
330 }
331
332 return (B_TRUE);
333 }
334
335 /*
336 * Validating a log page comes in a series of a few different steps. Once we
337 * identify that this is a known log page, we first validate that our controller
338 * actually supports the command. Once we know that, then we'll move onto the
339 * question of whether we have an appropriate scope. After that we go through
340 * and make sure all of the fields are set appropriately for the log page.
341 */
342 boolean_t
nvme_validate_logpage(nvme_t * nvme,nvme_ioctl_get_logpage_t * log)343 nvme_validate_logpage(nvme_t *nvme, nvme_ioctl_get_logpage_t *log)
344 {
345 const nvme_log_page_info_t *info = NULL;
346 nvme_valid_ctrl_data_t ctrl_data;
347 nvme_log_disc_scope_t scope, req_scope;
348
349 ctrl_data.vcd_vers = &nvme->n_version;
350 ctrl_data.vcd_id = nvme->n_idctl;
351
352 if (nvme_logpage_is_vendor(log)) {
353 return (nvme_validate_logpage_fields(log, &ctrl_data, NULL));
354 }
355
356 for (size_t i = 0; i < nvme_std_log_npages; i++) {
357 if (nvme_std_log_pages[i].nlpi_csi == log->nigl_csi &&
358 nvme_std_log_pages[i].nlpi_lid == log->nigl_lid) {
359 info = &nvme_std_log_pages[i];
360 break;
361 }
362 }
363
364 if (info == NULL) {
365 return (nvme_ioctl_error(&log->nigl_common,
366 NVME_IOCTL_E_UNKNOWN_LOG_PAGE, 0, 0));
367 }
368
369 if (!nvme_log_page_info_supported(info, &ctrl_data)) {
370 return (nvme_ioctl_error(&log->nigl_common,
371 NVME_IOCTL_E_UNSUP_LOG_PAGE, 0, 0));
372 }
373
374 scope = nvme_log_page_info_scope(info, &ctrl_data);
375 if (log->nigl_common.nioc_nsid == NVME_NSID_BCAST) {
376 req_scope = NVME_LOG_SCOPE_CTRL | NVME_LOG_SCOPE_NVM;
377 } else {
378 req_scope = NVME_LOG_SCOPE_NS;
379 }
380
381 if ((scope & req_scope) == 0) {
382 return (nvme_ioctl_error(&log->nigl_common,
383 NVME_IOCTL_E_BAD_LOG_SCOPE, 0, 0));
384 }
385
386 return (nvme_validate_logpage_fields(log, &ctrl_data, info));
387 }
388
389 static const nvme_validate_info_t nvme_valid_get_feat_sel = {
390 nvme_get_feat_fields, NVME_GET_FEAT_REQ_FIELD_SEL, 0,
391 NVME_IOCTL_E_GET_FEAT_SEL_RANGE, NVME_IOCTL_E_GET_FEAT_SEL_UNSUP, 0
392 };
393
394 static const nvme_validate_info_t nvme_valid_get_feat_cdw11 = {
395 nvme_get_feat_fields, NVME_GET_FEAT_REQ_FIELD_CDW11,
396 NVME_GET_FEAT_F_CDW11, NVME_IOCTL_E_GET_FEAT_CDW11_RANGE,
397 0, NVME_IOCTL_E_GET_FEAT_CDW11_UNUSE
398 };
399
400 /*
401 * To validate a feature we take the following high-level steps:
402 *
403 * 1) First, we have to determine that this is a feature that we know about.
404 * 2) Ensure that this feature is actually supported. We may not be able to
405 * confirm that it is, but we can sometimes confirm that it is not. Do not
406 * execute any unsupported features.
407 * 3) We have to determine whether we can actually issue this feature with the
408 * specified namespace or not.
409 * 4) Go through and validate all the remaining fields.
410 */
411 boolean_t
nvme_validate_get_feature(nvme_t * nvme,nvme_ioctl_get_feature_t * get)412 nvme_validate_get_feature(nvme_t *nvme, nvme_ioctl_get_feature_t *get)
413 {
414 const nvme_feat_info_t *feat = NULL;
415 const uint32_t nsid = get->nigf_common.nioc_nsid;
416 nvme_valid_ctrl_data_t ctrl_data;
417 nvme_feat_impl_t impl;
418
419 ctrl_data.vcd_vers = &nvme->n_version;
420 ctrl_data.vcd_id = nvme->n_idctl;
421
422 for (size_t i = 0; i < nvme_std_nfeats; i++) {
423 if (nvme_std_feats[i].nfeat_fid == get->nigf_fid) {
424 feat = &nvme_std_feats[i];
425 break;
426 }
427 }
428
429 if (feat == NULL) {
430 return (nvme_ioctl_error(&get->nigf_common,
431 NVME_IOCTL_E_UNKNOWN_FEATURE, 0, 0));
432 }
433
434 /*
435 * Before we do anything else, determine if this is supported. For
436 * things that are unknown, there is naught we can do, but try.
437 */
438 impl = nvme_feat_supported(feat, &ctrl_data);
439 if (impl == NVME_FEAT_IMPL_UNSUPPORTED) {
440 return (nvme_ioctl_error(&get->nigf_common,
441 NVME_IOCTL_E_UNSUP_FEATURE, 0, 0));
442 }
443
444 /*
445 * To check the namespace related information we rely on whether the get
446 * fields indicates a namespace is required or not. We prefer to use
447 * this rather than the scope as we've seen log pages that end up
448 * supporting multiple scopes. If a namespace is specified, but there is
449 * not one required for the feature, then we assume that this is an
450 * attempt to read something from the controller node. After that we
451 * must check if the broadcast namespace is allowed.
452 *
453 * Conversely, if a namespace is required, then we can't be on the
454 * generic controller node with the namespace left as 0.
455 */
456 if ((feat->nfeat_in_get & NVME_GET_FEAT_F_NSID) != 0) {
457 if (nsid == 0 || (nsid == NVME_NSID_BCAST &&
458 (feat->nfeat_flags & NVME_FEAT_F_GET_BCAST_NSID) == 0)) {
459 return (nvme_ioctl_error(&get->nigf_common,
460 NVME_IOCTL_E_NS_RANGE, 0, 0));
461 }
462 } else {
463 if (nsid != 0) {
464 return (nvme_ioctl_error(&get->nigf_common,
465 NVME_IOCTL_E_NS_UNUSE, 0, 0));
466 }
467 }
468
469 /*
470 * The last step is to perform field validation. Note, we've already
471 * validated the nsid above and we skip validating the fid because we've
472 * already taken care of that by selecting for a valid feature. For a
473 * get features, this leaves us with cdw11, a data pointer, and the
474 * 'sel' field. We validate the sel field first. If we find a request
475 * that is asking for the supported capabilities, then we will change
476 * our validation policy and require that the other fields explicitly be
477 * zero to proceed.
478 */
479 if (!nvme_validate_one_field(&get->nigf_common, get->nigf_sel,
480 &nvme_valid_get_feat_sel, &ctrl_data, feat->nfeat_in_get)) {
481 return (B_FALSE);
482 }
483
484 if (get->nigf_sel == NVME_FEATURE_SEL_SUPPORTED) {
485 if (get->nigf_cdw11 != 0) {
486 return (nvme_ioctl_error(&get->nigf_common,
487 NVME_IOCTL_E_GET_FEAT_CDW11_UNUSE, 0, 0));
488 }
489
490 if (get->nigf_data != 0 || get->nigf_len != 0) {
491 return (nvme_ioctl_error(&get->nigf_common,
492 NVME_IOCTL_E_GET_FEAT_DATA_UNUSE, 0, 0));
493 }
494
495 return (B_TRUE);
496 }
497
498 if (!nvme_validate_one_field(&get->nigf_common, get->nigf_cdw11,
499 &nvme_valid_get_feat_cdw11, &ctrl_data, feat->nfeat_in_get)) {
500 return (B_FALSE);
501 }
502
503 /*
504 * The last piece we need to do here is validate the size that we've
505 * been given. There are no size/offset fields in the get feature
506 * request unlike with get log page. Therefore we must be given a data
507 * buffer that matches exactly what the feature requires.
508 */
509 if ((feat->nfeat_in_get & NVME_GET_FEAT_F_DATA) == 0) {
510 if (get->nigf_data != 0 || get->nigf_len != 0) {
511 return (nvme_ioctl_error(&get->nigf_common,
512 NVME_IOCTL_E_GET_FEAT_DATA_UNUSE, 0, 0));
513 }
514 } else {
515 if (get->nigf_data == 0 || get->nigf_len != feat->nfeat_len) {
516 return (nvme_ioctl_error(&get->nigf_common,
517 NVME_IOCTL_E_GET_FEAT_DATA_RANGE, 0, 0));
518 }
519 }
520
521 /*
522 * In the past, the driver also checked a few of the specific values of
523 * cdw11 against information that the kernel had such as the maximum
524 * number of interrupts that we had configured or the valid temperature
525 * types in the temperature thrshold. In the future, if we wanted to add
526 * a cdw11-specific validation, this is where we'd want to insert it
527 * roughly.
528 */
529
530 return (B_TRUE);
531 }
532
533 static const nvme_validate_info_t nvme_valid_identify_nsid = {
534 nvme_identify_fields, NVME_ID_REQ_F_NSID,
535 1 << NVME_ID_REQ_F_NSID, NVME_IOCTL_E_NS_RANGE, 0,
536 NVME_IOCTL_E_NS_UNUSE
537 };
538
539 static const nvme_validate_info_t nvme_valid_identify_ctrlid = {
540 nvme_identify_fields, NVME_ID_REQ_F_CTRLID,
541 1 << NVME_ID_REQ_F_CTRLID, NVME_IOCTL_E_IDENTIFY_CTRLID_RANGE,
542 NVME_IOCTL_E_IDENTIFY_CTRLID_UNSUP, NVME_IOCTL_E_IDENTIFY_CTRLID_UNUSE
543 };
544
545 boolean_t
nvme_validate_identify(nvme_t * nvme,nvme_ioctl_identify_t * id,boolean_t ns_minor)546 nvme_validate_identify(nvme_t *nvme, nvme_ioctl_identify_t *id,
547 boolean_t ns_minor)
548 {
549 const nvme_identify_info_t *info = NULL;
550 nvme_valid_ctrl_data_t ctrl_data;
551
552 ctrl_data.vcd_vers = &nvme->n_version;
553 ctrl_data.vcd_id = nvme->n_idctl;
554
555 for (size_t i = 0; i < nvme_identify_ncmds; i++) {
556 if (nvme_identify_cmds[i].nii_csi == NVME_CSI_NVM &&
557 nvme_identify_cmds[i].nii_cns == id->nid_cns) {
558 info = &nvme_identify_cmds[i];
559 break;
560 }
561 }
562
563 if (info == NULL) {
564 return (nvme_ioctl_error(&id->nid_common,
565 NVME_IOCTL_E_UNKNOWN_IDENTIFY, 0, 0));
566 }
567
568 if (!nvme_identify_info_supported(info, &ctrl_data)) {
569 return (nvme_ioctl_error(&id->nid_common,
570 NVME_IOCTL_E_UNSUP_IDENTIFY, 0, 0));
571 }
572
573 /*
574 * Now it's time for our favorite thing, checking the namespace. Unlike
575 * other validation routines, we can't rely on the general ioctl
576 * checking logic due to all the variations of namespace usage in
577 * commands. See the Identify Commands section of the theory statement
578 * for more information.
579 *
580 * Note: we do not explicitly test the CNS field for validity as we do
581 * the others below as we only allow known CNS values which are
582 * determined above. In addition, we don't use the full generic field
583 * validation for the nsid because it was valid in NVMe 1.0 and its size
584 * hasn't changed throughout.
585 *
586 * First, check that if we're issuing a command that doesn't allow a
587 * namespace to call it, that we've not specified one. In particular, a
588 * namespace minor would already have had its nsid set here, so this is
589 * what would cause us to fail that.
590 */
591 if ((info->nii_flags & NVME_IDENTIFY_INFO_F_NS_OK) == 0 && ns_minor) {
592 return (nvme_ioctl_error(&id->nid_common, NVME_IOCTL_E_NOT_CTRL,
593 0, 0));
594 }
595
596 /*
597 * If we've been told that the broadcast namespace is usable here,
598 * translate that first if we can use it. Otherwise we need to try and
599 * translate this to a namespace ID that'll hopefully have some
600 * information, which means we try nsid 1.
601 */
602 if ((info->nii_flags & NVME_IDENTIFY_INFO_F_BCAST) != 0 &&
603 id->nid_common.nioc_nsid == 0) {
604 if (nvme_ctrl_atleast(nvme, &nvme_vers_1v2) &&
605 nvme->n_idctl->id_oacs.oa_nsmgmt != 0) {
606 id->nid_common.nioc_nsid = NVME_NSID_BCAST;
607 } else {
608 id->nid_common.nioc_nsid = 1;
609 }
610 }
611
612 /*
613 * Perform namespace ID check. We have three different groups of
614 * commands here that we need to consider and all have different
615 * handling:
616 *
617 * 1) Commands that must not have a namespace specified.
618 * 2) Commands which require a namespace ID, but whether the
619 * broadcast namespace can be used is variable.
620 * 3) Commands which are listing namespaces and therefore can take any
621 * value in the namespace list.
622 *
623 * In addition, because of all the weird semantics above, we have not
624 * leveraged our common ioctl logic for checking whether or not the
625 * namespace is valid. In addition, the general field checking logic
626 * allows a zero here. So for case (1) and (2) we start with the normal
627 * field check. Then we verify a non-zero and broadcast namespace check
628 * for (2). For (3), anything goes. Note, we've already verified the
629 * minor is allowed to use this.
630 */
631 if ((info->nii_flags & NVME_IDENTIFY_INFO_F_NSID_LIST) == 0 &&
632 !nvme_validate_one_field(&id->nid_common, id->nid_common.nioc_nsid,
633 &nvme_valid_identify_nsid, &ctrl_data, info->nii_fields)) {
634 return (B_FALSE);
635 }
636
637 if ((info->nii_fields & (1 << NVME_ID_REQ_F_NSID)) != 0 &&
638 (info->nii_flags & NVME_IDENTIFY_INFO_F_NSID_LIST) == 0) {
639 const uint32_t ns = id->nid_common.nioc_nsid;
640 boolean_t allow_bcast = (info->nii_flags &
641 NVME_IDENTIFY_INFO_F_BCAST) != 0;
642
643 if (ns == 0 || ns > nvme->n_namespace_count) {
644 if (ns != NVME_NSID_BCAST) {
645 return (nvme_ioctl_error(&id->nid_common,
646 NVME_IOCTL_E_NS_RANGE, 0, 0));
647 } else if (!allow_bcast) {
648 return (nvme_ioctl_error(&id->nid_common,
649 NVME_IOCTL_E_NO_BCAST_NS, 0, 0));
650 }
651 }
652 }
653
654 if (!nvme_validate_one_field(&id->nid_common, id->nid_ctrlid,
655 &nvme_valid_identify_ctrlid, &ctrl_data, info->nii_fields)) {
656 return (B_FALSE);
657 }
658
659 return (B_TRUE);
660 }
661
662 static const nvme_validate_info_t nvme_valid_vuc_opcode = {
663 nvme_vuc_fields, NVME_VUC_REQ_FIELD_OPC, 0,
664 NVME_IOCTL_E_VUC_OPCODE_RANGE, 0, 0
665 };
666
667 static const nvme_validate_info_t nvme_valid_vuc_nsid = {
668 nvme_vuc_fields, NVME_VUC_REQ_FIELD_NSID, 0,
669 NVME_IOCTL_E_NS_RANGE, 0, 0
670 };
671
672 static const nvme_validate_info_t nvme_valid_vuc_ndt = {
673 nvme_vuc_fields, NVME_VUC_REQ_FIELD_NDT, 0,
674 NVME_IOCTL_E_VUC_NDT_RANGE, 0, 0
675 };
676
677 boolean_t
nvme_validate_vuc(nvme_t * nvme,nvme_ioctl_passthru_t * pass)678 nvme_validate_vuc(nvme_t *nvme, nvme_ioctl_passthru_t *pass)
679 {
680 nvme_valid_ctrl_data_t ctrl_data;
681 const uint32_t all_flags = NVME_PASSTHRU_READ | NVME_PASSTHRU_WRITE;
682 const uint32_t all_impact = NVME_IMPACT_NS;
683
684 ctrl_data.vcd_vers = &nvme->n_version;
685 ctrl_data.vcd_id = nvme->n_idctl;
686
687 /*
688 * If there's no controller support, there's nothing that we can do.
689 */
690 if (nvme->n_idctl->id_nvscc.nv_spec == 0) {
691 return (nvme_ioctl_error(&pass->npc_common,
692 NVME_IOCTL_E_CTRL_VUC_UNSUP, 0, 0));
693 }
694
695 /*
696 * We don't use the common validation code for the timeout because
697 * there's no way for it to know the kernel's max value right now.
698 */
699 if (pass->npc_timeout == 0 ||
700 pass->npc_timeout > nvme_vendor_specific_admin_cmd_max_timeout) {
701 return (nvme_ioctl_error(&pass->npc_common,
702 NVME_IOCTL_E_VUC_TIMEOUT_RANGE, 0, 0));
703 }
704
705 if (!nvme_validate_one_field(&pass->npc_common, pass->npc_opcode,
706 &nvme_valid_vuc_opcode, &ctrl_data, 0)) {
707 return (B_FALSE);
708 }
709
710 if (!nvme_validate_one_field(&pass->npc_common,
711 pass->npc_common.nioc_nsid, &nvme_valid_vuc_nsid, &ctrl_data, 0)) {
712 return (B_FALSE);
713 }
714
715 /*
716 * Ensure that the flags and impact fields only have known values.
717 */
718 if ((pass->npc_flags & ~all_flags) != 0) {
719 return (nvme_ioctl_error(&pass->npc_common,
720 NVME_IOCTL_E_VUC_FLAGS_RANGE, 0, 0));
721 }
722
723 if ((pass->npc_impact & ~all_impact) != 0) {
724 return (nvme_ioctl_error(&pass->npc_common,
725 NVME_IOCTL_E_VUC_IMPACT_RANGE, 0, 0));
726 }
727
728 /*
729 * We need to validate several different things related to the buffer
730 * and its length:
731 *
732 * - The buffer length must be a multiple of 4 bytes (checked by common
733 * code).
734 * - The buffer length cannot exceed the hardware max (checked by
735 * common code).
736 * - The buffer length cannot exceed our maximum size.
737 * - That if the buffer is present, a length is set.
738 * - That if there is no buffer, the length is zero.
739 * - That if a buffer is set, we have the direction flags set.
740 * - That both direction flags aren't set at the same time.
741 *
742 * We only fall into the normal validation code after all this to make
743 * sure there is nothing additional weird here.
744 */
745 if (!nvme_validate_one_field(&pass->npc_common, pass->npc_buflen,
746 &nvme_valid_vuc_ndt, &ctrl_data, 0)) {
747 return (B_FALSE);
748 }
749
750 if (pass->npc_buflen > nvme_vendor_specific_admin_cmd_size) {
751 return (nvme_ioctl_error(&pass->npc_common,
752 NVME_IOCTL_E_VUC_NDT_RANGE, 0, 0));
753 }
754
755 if ((pass->npc_buflen != 0 && pass->npc_buf == 0) ||
756 (pass->npc_buflen == 0 && pass->npc_buf != 0)) {
757 return (nvme_ioctl_error(&pass->npc_common,
758 NVME_IOCTL_E_INCONSIST_VUC_BUF_NDT, 0, 0));
759 }
760
761 if ((pass->npc_buflen != 0 && pass->npc_flags == 0) ||
762 ((pass->npc_buflen == 0 && pass->npc_flags != 0))) {
763 return (nvme_ioctl_error(&pass->npc_common,
764 NVME_IOCTL_E_INCONSIST_VUC_FLAGS_NDT, 0, 0));
765 }
766
767 if ((pass->npc_flags & NVME_PASSTHRU_READ) != 0 &&
768 (pass->npc_flags & NVME_PASSTHRU_WRITE) != 0) {
769 return (nvme_ioctl_error(&pass->npc_common,
770 NVME_IOCTL_E_VUC_FLAGS_RANGE, 0, 0));
771 }
772
773 return (B_TRUE);
774 }
775
776 static const nvme_validate_info_t nvme_valid_format_lbaf = {
777 nvme_format_fields, NVME_FORMAT_REQ_FIELD_LBAF, 0,
778 NVME_IOCTL_E_FORMAT_LBAF_RANGE, 0, 0
779 };
780
781 static const nvme_validate_info_t nvme_valid_format_ses = {
782 nvme_format_fields, NVME_FORMAT_REQ_FIELD_SES, 0,
783 NVME_IOCTL_E_FORMAT_SES_RANGE, 0, 0
784 };
785
786 boolean_t
nvme_validate_format(nvme_t * nvme,nvme_ioctl_format_t * ioc)787 nvme_validate_format(nvme_t *nvme, nvme_ioctl_format_t *ioc)
788 {
789 nvme_valid_ctrl_data_t ctrl_data;
790 const nvme_identify_nsid_t *idns;
791
792 ctrl_data.vcd_vers = &nvme->n_version;
793 ctrl_data.vcd_id = nvme->n_idctl;
794
795 if (!nvme_format_cmds_supported(&ctrl_data)) {
796 return (nvme_ioctl_error(&ioc->nif_common,
797 NVME_IOCTL_E_CTRL_FORMAT_UNSUP, 0, 0));
798 }
799
800 if (!nvme_validate_one_field(&ioc->nif_common, ioc->nif_lbaf,
801 &nvme_valid_format_lbaf, &ctrl_data, 0)) {
802 return (B_FALSE);
803 }
804
805 if (!nvme_validate_one_field(&ioc->nif_common, ioc->nif_ses,
806 &nvme_valid_format_ses, &ctrl_data, 0)) {
807 return (B_FALSE);
808 }
809
810 /*
811 * Now we need to determine if this LBA format is actually one that is
812 * supported by the controller and by the operating system. Note, the
813 * number of LBA formats is considered a zeros values (that is the
814 * actual value is what's there plus one). In the future we should
815 * consider pulling the id_nlbaf check into the common validation code
816 * and passing the common namespace information there as well.
817 */
818 idns = nvme->n_idcomns;
819 if (ioc->nif_lbaf > idns->id_nlbaf) {
820 return (nvme_ioctl_error(&ioc->nif_common,
821 NVME_IOCTL_E_FORMAT_LBAF_RANGE, 0, 0));
822 }
823
824 if (idns->id_lbaf[ioc->nif_lbaf].lbaf_ms != 0) {
825 return (nvme_ioctl_error(&ioc->nif_common,
826 NVME_IOCTL_E_UNSUP_LBAF_META, 0, 0));
827 }
828
829 if (ioc->nif_ses == NVME_FRMT_SES_CRYPTO &&
830 nvme->n_idctl->id_fna.fn_crypt_erase == 0) {
831 return (nvme_ioctl_error(&ioc->nif_common,
832 NVME_IOCTL_E_CTRL_CRYPTO_SE_UNSUP, 0, 0));
833 }
834
835 /*
836 * The remaining checks only apply to cases where we're targeting a
837 * single namespace.
838 */
839 if (ioc->nif_common.nioc_nsid == NVME_NSID_BCAST) {
840 return (B_TRUE);
841 }
842
843 if (nvme->n_idctl->id_fna.fn_format != 0) {
844 return (nvme_ioctl_error(&ioc->nif_common,
845 NVME_IOCTL_E_CTRL_NS_FORMAT_UNSUP, 0, 0));
846 }
847
848 if (ioc->nif_ses != NVME_FRMT_SES_NONE &&
849 nvme->n_idctl->id_fna.fn_sec_erase != 0) {
850 return (nvme_ioctl_error(&ioc->nif_common,
851 NVME_IOCTL_E_CTRL_NS_SE_UNSUP, 0, 0));
852 }
853
854 return (B_TRUE);
855 }
856
857 static const nvme_validate_info_t nvme_valid_fw_load_numd = {
858 nvme_fw_load_fields, NVME_FW_LOAD_REQ_FIELD_NUMD, 0,
859 NVME_IOCTL_E_FW_LOAD_LEN_RANGE, 0, 0
860 };
861
862 static const nvme_validate_info_t nvme_valid_fw_load_offset = {
863 nvme_fw_load_fields, NVME_FW_LOAD_REQ_FIELD_OFFSET, 0,
864 NVME_IOCTL_E_FW_LOAD_OFFSET_RANGE, 0, 0
865 };
866
867 boolean_t
nvme_validate_fw_load(nvme_t * nvme,nvme_ioctl_fw_load_t * fw)868 nvme_validate_fw_load(nvme_t *nvme, nvme_ioctl_fw_load_t *fw)
869 {
870 nvme_valid_ctrl_data_t ctrl_data;
871
872 ctrl_data.vcd_vers = &nvme->n_version;
873 ctrl_data.vcd_id = nvme->n_idctl;
874
875 if (!nvme_fw_cmds_supported(&ctrl_data)) {
876 return (nvme_ioctl_error(&fw->fwl_common,
877 NVME_IOCTL_E_CTRL_FW_UNSUP, 0, 0));
878 }
879
880 if (!nvme_validate_one_field(&fw->fwl_common, fw->fwl_len,
881 &nvme_valid_fw_load_numd, &ctrl_data, 0)) {
882 return (B_FALSE);
883 }
884
885 if (!nvme_validate_one_field(&fw->fwl_common, fw->fwl_off,
886 &nvme_valid_fw_load_offset, &ctrl_data, 0)) {
887 return (B_FALSE);
888 }
889
890 return (B_TRUE);
891 }
892
893 static const nvme_validate_info_t nvme_valid_fw_commit_slot = {
894 nvme_fw_commit_fields, NVME_FW_COMMIT_REQ_FIELD_SLOT, 0,
895 NVME_IOCTL_E_FW_COMMIT_SLOT_RANGE, 0, 0
896 };
897
898 static const nvme_validate_info_t nvme_valid_fw_commit_act = {
899 nvme_fw_commit_fields, NVME_FW_COMMIT_REQ_FIELD_ACT, 0,
900 NVME_IOCTL_E_FW_COMMIT_ACTION_RANGE, 0, 0
901 };
902
903 boolean_t
nvme_validate_fw_commit(nvme_t * nvme,nvme_ioctl_fw_commit_t * fw)904 nvme_validate_fw_commit(nvme_t *nvme, nvme_ioctl_fw_commit_t *fw)
905 {
906 nvme_valid_ctrl_data_t ctrl_data;
907
908 ctrl_data.vcd_vers = &nvme->n_version;
909 ctrl_data.vcd_id = nvme->n_idctl;
910
911 if (!nvme_fw_cmds_supported(&ctrl_data)) {
912 return (nvme_ioctl_error(&fw->fwc_common,
913 NVME_IOCTL_E_CTRL_FW_UNSUP, 0, 0));
914 }
915
916 if (!nvme_validate_one_field(&fw->fwc_common, fw->fwc_slot,
917 &nvme_valid_fw_commit_slot, &ctrl_data, 0)) {
918 return (B_FALSE);
919 }
920
921 if (!nvme_validate_one_field(&fw->fwc_common, fw->fwc_action,
922 &nvme_valid_fw_commit_act, &ctrl_data, 0)) {
923 return (B_FALSE);
924 }
925
926 /*
927 * Do not allow someone to explicitly download an image to a read-only
928 * firmware slot. The specification only allows slot 1 to be marked
929 * read-only.
930 */
931 if (fw->fwc_slot == 1 && nvme->n_idctl->id_frmw.fw_readonly &&
932 (fw->fwc_action == NVME_FWC_SAVE ||
933 fw->fwc_action == NVME_FWC_SAVE_ACTIVATE)) {
934 return (nvme_ioctl_error(&fw->fwc_common,
935 NVME_IOCTL_E_RO_FW_SLOT, 0, 0));
936 }
937
938 return (B_TRUE);
939 }
940