xref: /illumos-gate/usr/src/uts/common/io/openprom.c (revision dea9f5e6a4938723acec9624b3aa3f680f2f5c9f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright 2019 Peter Tribble.
25  */
26 
27 /*
28  * Ported from 4.1.1_PSRA: "@(#)openprom.c 1.19 91/02/19 SMI";
29  *
30  * Porting notes:
31  *
32  * OPROMU2P unsupported after SunOS 4.x.
33  *
34  * Only one of these devices per system is allowed.
35  */
36 
37 /*
38  * Openprom eeprom options/devinfo driver.
39  */
40 
41 #include <sys/types.h>
42 #include <sys/errno.h>
43 #include <sys/file.h>
44 #include <sys/cmn_err.h>
45 #include <sys/kmem.h>
46 #include <sys/openpromio.h>
47 #include <sys/conf.h>
48 #include <sys/stat.h>
49 #include <sys/modctl.h>
50 #include <sys/debug.h>
51 #include <sys/autoconf.h>
52 #include <sys/ddi.h>
53 #include <sys/sunddi.h>
54 #include <sys/promif.h>
55 #include <sys/sysmacros.h>	/* offsetof */
56 #include <sys/nvpair.h>
57 #include <sys/zone.h>
58 #include <sys/consplat.h>
59 #include <sys/bootconf.h>
60 #include <sys/systm.h>
61 #include <sys/bootprops.h>
62 
63 #define	MAX_OPENS	32	/* Up to this many simultaneous opens */
64 
65 #define	IOC_IDLE	0	/* snapshot ioctl states */
66 #define	IOC_SNAP	1	/* snapshot in progress */
67 #define	IOC_DONE	2	/* snapshot done, but not copied out */
68 #define	IOC_COPY	3	/* copyout in progress */
69 
70 /*
71  * XXX	Make this dynamic.. or (better still) make the interface stateless
72  */
73 static struct oprom_state {
74 	pnode_t	current_id;	/* node we're fetching props from */
75 	int16_t	already_open;	/* if true, this instance is 'active' */
76 	int16_t	ioc_state;	/* snapshot ioctl state */
77 	char	*snapshot;	/* snapshot of all prom nodes */
78 	size_t	size;		/* size of snapshot */
79 	prom_generation_cookie_t tree_gen;
80 } oprom_state[MAX_OPENS];
81 
82 static kmutex_t oprom_lock;	/* serialize instance assignment */
83 
84 static int opromopen(dev_t *, int, int, cred_t *);
85 static int opromioctl(dev_t, int, intptr_t, int, cred_t *, int *);
86 static int opromclose(dev_t, int, int, cred_t *);
87 
88 static int opinfo(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg,
89 		void **result);
90 static int opattach(dev_info_t *, ddi_attach_cmd_t cmd);
91 static int opdetach(dev_info_t *, ddi_detach_cmd_t cmd);
92 
93 /* help functions */
94 static int oprom_checknodeid(pnode_t, pnode_t);
95 static int oprom_copyinstr(intptr_t, char *, size_t, size_t);
96 static int oprom_copynode(pnode_t, uint_t, char **, size_t *);
97 static int oprom_snapshot(struct oprom_state *, intptr_t);
98 static int oprom_copyout(struct oprom_state *, intptr_t);
99 static int oprom_setstate(struct oprom_state *, int16_t);
100 
101 static struct cb_ops openeepr_cb_ops = {
102 	opromopen,		/* open */
103 	opromclose,		/* close */
104 	nodev,			/* strategy */
105 	nodev,			/* print */
106 	nodev,			/* dump */
107 	nodev,			/* read */
108 	nodev,			/* write */
109 	opromioctl,		/* ioctl */
110 	nodev,			/* devmap */
111 	nodev,			/* mmap */
112 	nodev,			/* segmap */
113 	nochpoll,		/* poll */
114 	ddi_prop_op,		/* prop_op */
115 	NULL,			/* streamtab  */
116 	D_NEW | D_MP		/* Driver compatibility flag */
117 };
118 
119 static struct dev_ops openeepr_ops = {
120 	DEVO_REV,		/* devo_rev, */
121 	0,			/* refcnt  */
122 	opinfo,			/* info */
123 	nulldev,		/* identify */
124 	nulldev,		/* probe */
125 	opattach,		/* attach */
126 	opdetach,		/* detach */
127 	nodev,			/* reset */
128 	&openeepr_cb_ops,	/* driver operations */
129 	NULL,			/* bus operations */
130 	NULL,			/* power */
131 	ddi_quiesce_not_needed,		/* quiesce */
132 };
133 
134 /*
135  * Module linkage information for the kernel.
136  */
137 static struct modldrv modldrv = {
138 	&mod_driverops,
139 	"OPENPROM/NVRAM Driver",
140 	&openeepr_ops
141 };
142 
143 static struct modlinkage modlinkage = {
144 	MODREV_1,
145 	&modldrv,
146 	NULL
147 };
148 
149 int
150 _init(void)
151 {
152 	int	error;
153 
154 	mutex_init(&oprom_lock, NULL, MUTEX_DRIVER, NULL);
155 
156 	error = mod_install(&modlinkage);
157 	if (error != 0) {
158 		mutex_destroy(&oprom_lock);
159 		return (error);
160 	}
161 
162 	return (0);
163 }
164 
165 int
166 _info(struct modinfo *modinfop)
167 {
168 	return (mod_info(&modlinkage, modinfop));
169 }
170 
171 int
172 _fini(void)
173 {
174 	int	error;
175 
176 	error = mod_remove(&modlinkage);
177 	if (error != 0)
178 		return (error);
179 
180 	mutex_destroy(&oprom_lock);
181 	return (0);
182 }
183 
184 static dev_info_t *opdip;
185 static pnode_t options_nodeid;
186 
187 /*ARGSUSED*/
188 static int
189 opinfo(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
190 {
191 	int error = DDI_FAILURE;
192 
193 	switch (infocmd) {
194 	case DDI_INFO_DEVT2DEVINFO:
195 		*result = (void *)opdip;
196 		error = DDI_SUCCESS;
197 		break;
198 	case DDI_INFO_DEVT2INSTANCE:
199 		/* All dev_t's map to the same, single instance */
200 		*result = (void *)0;
201 		error = DDI_SUCCESS;
202 		break;
203 	default:
204 		break;
205 	}
206 
207 	return (error);
208 }
209 
210 static int
211 opattach(dev_info_t *dip, ddi_attach_cmd_t cmd)
212 {
213 	switch (cmd) {
214 
215 	case DDI_ATTACH:
216 		if (prom_is_openprom()) {
217 			options_nodeid = prom_optionsnode();
218 		} else {
219 			options_nodeid = OBP_BADNODE;
220 		}
221 
222 		opdip = dip;
223 
224 		if (ddi_create_minor_node(dip, "openprom", S_IFCHR,
225 		    0, DDI_PSEUDO, 0) == DDI_FAILURE) {
226 			return (DDI_FAILURE);
227 		}
228 
229 		return (DDI_SUCCESS);
230 
231 	default:
232 		return (DDI_FAILURE);
233 	}
234 }
235 
236 static int
237 opdetach(dev_info_t *dip, ddi_detach_cmd_t cmd)
238 {
239 	if (cmd != DDI_DETACH)
240 		return (DDI_FAILURE);
241 
242 	ddi_remove_minor_node(dip, NULL);
243 	opdip = NULL;
244 
245 	return (DDI_SUCCESS);
246 }
247 
248 /*
249  * Allow multiple opens by tweaking the dev_t such that it looks like each
250  * open is getting a different minor device.  Each minor gets a separate
251  * entry in the oprom_state[] table.
252  */
253 /*ARGSUSED*/
254 static int
255 opromopen(dev_t *devp, int flag, int otyp, cred_t *credp)
256 {
257 	int m;
258 	struct oprom_state *st = oprom_state;
259 
260 	if (getminor(*devp) != 0)
261 		return (ENXIO);
262 
263 	mutex_enter(&oprom_lock);
264 	for (m = 0; m < MAX_OPENS; m++)
265 		if (st->already_open)
266 			st++;
267 		else {
268 			st->already_open = 1;
269 			/*
270 			 * It's ours.
271 			 */
272 			st->current_id = (pnode_t)0;
273 			ASSERT(st->snapshot == NULL && st->size == 0);
274 			ASSERT(st->ioc_state == IOC_IDLE);
275 			break;
276 		}
277 	mutex_exit(&oprom_lock);
278 
279 	if (m == MAX_OPENS)  {
280 		/*
281 		 * "Thank you for calling, but all our lines are
282 		 * busy at the moment.."
283 		 *
284 		 * We could get sophisticated here, and go into a
285 		 * sleep-retry loop .. but hey, I just can't see
286 		 * that many processes sitting in this driver.
287 		 *
288 		 * (And if it does become possible, then we should
289 		 * change the interface so that the 'state' is held
290 		 * external to the driver)
291 		 */
292 		return (EAGAIN);
293 	}
294 
295 	*devp = makedevice(getmajor(*devp), (minor_t)m);
296 
297 	return (0);
298 }
299 
300 /*ARGSUSED*/
301 static int
302 opromclose(dev_t dev, int flag, int otype, cred_t *cred_p)
303 {
304 	struct oprom_state *st;
305 
306 	st = &oprom_state[getminor(dev)];
307 	ASSERT(getminor(dev) < MAX_OPENS && st->already_open != 0);
308 	if (st->snapshot) {
309 		kmem_free(st->snapshot, st->size);
310 		st->snapshot = NULL;
311 		st->size = 0;
312 		st->ioc_state = IOC_IDLE;
313 	}
314 	mutex_enter(&oprom_lock);
315 	st->already_open = 0;
316 	mutex_exit(&oprom_lock);
317 
318 	return (0);
319 }
320 
321 #ifdef __sparc
322 static int
323 get_bootpath_prop(char *bootpath)
324 {
325 	if (root_is_ramdisk) {
326 		if (BOP_GETPROP(bootops, "bootarchive", bootpath) == -1)
327 			return (-1);
328 		(void) strlcat(bootpath, ":a", BO_MAXOBJNAME);
329 	} else {
330 		if ((BOP_GETPROP(bootops, "bootpath", bootpath) == -1) ||
331 		    strlen(bootpath) == 0) {
332 			if (BOP_GETPROP(bootops,
333 			    "boot-path", bootpath) == -1)
334 				return (-1);
335 		}
336 		if (memcmp(bootpath, BP_ISCSI_DISK,
337 		    strlen(BP_ISCSI_DISK)) == 0) {
338 			get_iscsi_bootpath_vhci(bootpath);
339 		}
340 	}
341 	return (0);
342 }
343 #endif
344 
345 struct opromioctl_args {
346 	struct oprom_state *st;
347 	int cmd;
348 	intptr_t arg;
349 	int mode;
350 };
351 
352 /*ARGSUSED*/
353 static int
354 opromioctl_cb(void *avp, int has_changed)
355 {
356 	struct opromioctl_args *argp = avp;
357 	int cmd;
358 	intptr_t arg;
359 	int mode;
360 	struct oprom_state *st;
361 	struct openpromio *opp;
362 	int valsize;
363 	char *valbuf;
364 	int error = 0;
365 	uint_t userbufsize;
366 	pnode_t node_id = OBP_NONODE;
367 	char propname[OBP_MAXPROPNAME];
368 
369 	st = argp->st;
370 	cmd = argp->cmd;
371 	arg = argp->arg;
372 	mode = argp->mode;
373 
374 	if (has_changed) {
375 		/*
376 		 * The prom tree has changed since we last used current_id,
377 		 * so we need to check it.
378 		 */
379 		if ((st->current_id != OBP_NONODE) &&
380 		    (st->current_id != OBP_BADNODE)) {
381 			if (oprom_checknodeid(st->current_id, OBP_NONODE) == 0)
382 				st->current_id = OBP_BADNODE;
383 		}
384 	}
385 
386 	/*
387 	 * Check permissions
388 	 * and weed out unsupported commands on x86 platform
389 	 */
390 	switch (cmd) {
391 #if !defined(__x86)
392 	case OPROMLISTKEYSLEN:
393 		valsize = prom_asr_list_keys_len();
394 		opp = (struct openpromio *)kmem_zalloc(
395 		    sizeof (uint_t) + 1, KM_SLEEP);
396 		opp->oprom_size = valsize;
397 		if (copyout(opp, (void *)arg, (sizeof (uint_t))) != 0)
398 			error = EFAULT;
399 		kmem_free(opp, sizeof (uint_t) + 1);
400 		break;
401 	case OPROMLISTKEYS:
402 		valsize = prom_asr_list_keys_len();
403 		if (copyin((void *)arg, &userbufsize, sizeof (uint_t)) != 0)
404 			return (EFAULT);
405 		if (valsize > userbufsize)
406 			return (EINVAL);
407 		valbuf = (char *)kmem_zalloc(valsize + 1, KM_SLEEP);
408 		if (prom_asr_list_keys((caddr_t)valbuf) == -1) {
409 			kmem_free(valbuf, valsize + 1);
410 			return (EFAULT);
411 		}
412 		opp = (struct openpromio *)kmem_zalloc(
413 		    valsize + sizeof (uint_t) + 1, KM_SLEEP);
414 		opp->oprom_size = valsize;
415 		bcopy(valbuf, opp->oprom_array, valsize);
416 		if (copyout(opp, (void *)arg, (valsize + sizeof (uint_t))) != 0)
417 			error = EFAULT;
418 		kmem_free(valbuf, valsize + 1);
419 		kmem_free(opp, valsize + sizeof (uint_t) + 1);
420 		break;
421 	case OPROMEXPORT:
422 		valsize = prom_asr_export_len();
423 		if (copyin((void *)arg, &userbufsize, sizeof (uint_t)) != 0)
424 			return (EFAULT);
425 		if (valsize > userbufsize)
426 			return (EINVAL);
427 		valbuf = (char *)kmem_zalloc(valsize + 1, KM_SLEEP);
428 		if (prom_asr_export((caddr_t)valbuf) == -1) {
429 			kmem_free(valbuf, valsize + 1);
430 			return (EFAULT);
431 		}
432 		opp = (struct openpromio *)kmem_zalloc(
433 		    valsize + sizeof (uint_t) + 1, KM_SLEEP);
434 		opp->oprom_size = valsize;
435 		bcopy(valbuf, opp->oprom_array, valsize);
436 		if (copyout(opp, (void *)arg, (valsize + sizeof (uint_t))) != 0)
437 			error = EFAULT;
438 		kmem_free(valbuf, valsize + 1);
439 		kmem_free(opp, valsize + sizeof (uint_t) + 1);
440 		break;
441 	case OPROMEXPORTLEN:
442 		valsize = prom_asr_export_len();
443 		opp = (struct openpromio *)kmem_zalloc(
444 		    sizeof (uint_t) + 1, KM_SLEEP);
445 		opp->oprom_size = valsize;
446 		if (copyout(opp, (void *)arg, (sizeof (uint_t))) != 0)
447 			error = EFAULT;
448 		kmem_free(opp, sizeof (uint_t) + 1);
449 		break;
450 #endif
451 	case OPROMGETOPT:
452 	case OPROMNXTOPT:
453 		if ((mode & FREAD) == 0) {
454 			return (EPERM);
455 		}
456 		node_id = options_nodeid;
457 		break;
458 
459 	case OPROMSETOPT:
460 	case OPROMSETOPT2:
461 #if !defined(__x86)
462 		if (mode & FWRITE) {
463 			node_id = options_nodeid;
464 			break;
465 		}
466 #endif /* !__x86 */
467 		return (EPERM);
468 
469 	case OPROMNEXT:
470 	case OPROMCHILD:
471 	case OPROMGETPROP:
472 	case OPROMGETPROPLEN:
473 	case OPROMNXTPROP:
474 	case OPROMSETNODEID:
475 		if ((mode & FREAD) == 0) {
476 			return (EPERM);
477 		}
478 		node_id = st->current_id;
479 		break;
480 	case OPROMCOPYOUT:
481 		if (st->snapshot == NULL)
482 			return (EINVAL);
483 		/*FALLTHROUGH*/
484 	case OPROMSNAPSHOT:
485 	case OPROMGETCONS:
486 	case OPROMGETBOOTARGS:
487 	case OPROMGETBOOTPATH:
488 	case OPROMGETVERSION:
489 	case OPROMPATH2DRV:
490 	case OPROMPROM2DEVNAME:
491 #if !defined(__x86)
492 	case OPROMGETFBNAME:
493 	case OPROMDEV2PROMNAME:
494 #endif	/* !__x86 */
495 		if ((mode & FREAD) == 0) {
496 			return (EPERM);
497 		}
498 		break;
499 
500 	default:
501 		return (EINVAL);
502 	}
503 
504 	/*
505 	 * Deal with SNAPSHOT and COPYOUT ioctls first
506 	 */
507 	switch (cmd) {
508 	case OPROMCOPYOUT:
509 		return (oprom_copyout(st, arg));
510 
511 	case OPROMSNAPSHOT:
512 		return (oprom_snapshot(st, arg));
513 	}
514 
515 	/*
516 	 * Copy in user argument length and allocation memory
517 	 *
518 	 * NB do not copyin the entire buffer we may not need
519 	 *	to. userbufsize can be as big as 32 K.
520 	 */
521 	if (copyin((void *)arg, &userbufsize, sizeof (uint_t)) != 0)
522 		return (EFAULT);
523 
524 	if (userbufsize == 0 || userbufsize > OPROMMAXPARAM)
525 		return (EINVAL);
526 
527 	opp = (struct openpromio *)kmem_zalloc(
528 	    userbufsize + sizeof (uint_t) + 1, KM_SLEEP);
529 
530 	/*
531 	 * Execute command
532 	 */
533 	switch (cmd) {
534 
535 	case OPROMGETOPT:
536 	case OPROMGETPROP:
537 	case OPROMGETPROPLEN:
538 
539 		if ((prom_is_openprom() == 0) ||
540 		    (node_id == OBP_NONODE) || (node_id == OBP_BADNODE)) {
541 			error = EINVAL;
542 			break;
543 		}
544 
545 		/*
546 		 * The argument, a NULL terminated string, is a prop name.
547 		 */
548 		if ((error = oprom_copyinstr(arg, opp->oprom_array,
549 		    (size_t)userbufsize, OBP_MAXPROPNAME)) != 0) {
550 			break;
551 		}
552 		(void) strcpy(propname, opp->oprom_array);
553 		valsize = prom_getproplen(node_id, propname);
554 
555 		/*
556 		 * 4010173: 'name' is a property, but not an option.
557 		 */
558 		if ((cmd == OPROMGETOPT) && (strcmp("name", propname) == 0))
559 			valsize = -1;
560 
561 		if (cmd == OPROMGETPROPLEN)  {
562 			int proplen = valsize;
563 
564 			if (userbufsize < sizeof (int)) {
565 				error = EINVAL;
566 				break;
567 			}
568 			opp->oprom_size = valsize = sizeof (int);
569 			bcopy(&proplen, opp->oprom_array, valsize);
570 		} else if (valsize > 0 && valsize <= userbufsize) {
571 			bzero(opp->oprom_array, valsize + 1);
572 			(void) prom_getprop(node_id, propname,
573 			    opp->oprom_array);
574 			opp->oprom_size = valsize;
575 			if (valsize < userbufsize)
576 				++valsize;	/* Forces NULL termination */
577 						/* If space permits */
578 		} else {
579 			/*
580 			 * XXX: There is no error code if the buf is too small.
581 			 * which is consistent with the current behavior.
582 			 *
583 			 * NB: This clause also handles the non-error
584 			 * zero length (boolean) property value case.
585 			 */
586 			opp->oprom_size = 0;
587 			(void) strcpy(opp->oprom_array, "");
588 			valsize = 1;
589 		}
590 		if (copyout(opp, (void *)arg, (valsize + sizeof (uint_t))) != 0)
591 			error = EFAULT;
592 		break;
593 
594 	case OPROMNXTOPT:
595 	case OPROMNXTPROP:
596 		if ((prom_is_openprom() == 0) ||
597 		    (node_id == OBP_NONODE) || (node_id == OBP_BADNODE)) {
598 			error = EINVAL;
599 			break;
600 		}
601 
602 		/*
603 		 * The argument, a NULL terminated string, is a prop name.
604 		 */
605 		if ((error = oprom_copyinstr(arg, opp->oprom_array,
606 		    (size_t)userbufsize, OBP_MAXPROPNAME)) != 0) {
607 			break;
608 		}
609 		valbuf = (char *)prom_nextprop(node_id, opp->oprom_array,
610 		    propname);
611 		valsize = strlen(valbuf);
612 
613 		/*
614 		 * 4010173: 'name' is a property, but it's not an option.
615 		 */
616 		if ((cmd == OPROMNXTOPT) && valsize &&
617 		    (strcmp(valbuf, "name") == 0)) {
618 			valbuf = (char *)prom_nextprop(node_id, "name",
619 			    propname);
620 			valsize = strlen(valbuf);
621 		}
622 
623 		if (valsize == 0) {
624 			opp->oprom_size = 0;
625 		} else if (++valsize <= userbufsize) {
626 			opp->oprom_size = valsize;
627 			bzero((caddr_t)opp->oprom_array, (size_t)valsize);
628 			bcopy((caddr_t)valbuf, (caddr_t)opp->oprom_array,
629 			    (size_t)valsize);
630 		}
631 
632 		if (copyout(opp, (void *)arg, valsize + sizeof (uint_t)) != 0)
633 			error = EFAULT;
634 		break;
635 
636 	case OPROMNEXT:
637 	case OPROMCHILD:
638 	case OPROMSETNODEID:
639 
640 		if (prom_is_openprom() == 0 ||
641 		    userbufsize < sizeof (pnode_t)) {
642 			error = EINVAL;
643 			break;
644 		}
645 
646 		/*
647 		 * The argument is a phandle. (aka pnode_t)
648 		 */
649 		if (copyin(((caddr_t)arg + sizeof (uint_t)),
650 		    opp->oprom_array, sizeof (pnode_t)) != 0) {
651 			error = EFAULT;
652 			break;
653 		}
654 
655 		/*
656 		 * If pnode_t from userland is garbage, we
657 		 * could confuse the PROM.
658 		 */
659 		node_id = *(pnode_t *)opp->oprom_array;
660 		if (oprom_checknodeid(node_id, st->current_id) == 0) {
661 			cmn_err(CE_NOTE, "!nodeid 0x%x not found",
662 			    (int)node_id);
663 			error = EINVAL;
664 			break;
665 		}
666 
667 		if (cmd == OPROMNEXT)
668 			st->current_id = prom_nextnode(node_id);
669 		else if (cmd == OPROMCHILD)
670 			st->current_id = prom_childnode(node_id);
671 		else {
672 			/* OPROMSETNODEID */
673 			st->current_id = node_id;
674 			break;
675 		}
676 
677 		opp->oprom_size = sizeof (pnode_t);
678 		*(pnode_t *)opp->oprom_array = st->current_id;
679 
680 		if (copyout(opp, (void *)arg,
681 		    sizeof (pnode_t) + sizeof (uint_t)) != 0)
682 			error = EFAULT;
683 		break;
684 
685 	case OPROMGETCONS:
686 		/*
687 		 * Is openboot supported on this machine?
688 		 * This ioctl used to return the console device,
689 		 * information; this is now done via modctl()
690 		 * in libdevinfo.
691 		 */
692 		opp->oprom_size = sizeof (char);
693 
694 		opp->oprom_array[0] |= prom_is_openprom() ?
695 		    OPROMCONS_OPENPROM : 0;
696 
697 		/*
698 		 * The rest of the info is needed by Install to
699 		 * decide if graphics should be started.
700 		 */
701 		if ((getzoneid() == GLOBAL_ZONEID) &&
702 		    plat_stdin_is_keyboard()) {
703 			opp->oprom_array[0] |= OPROMCONS_STDIN_IS_KBD;
704 		}
705 
706 		if ((getzoneid() == GLOBAL_ZONEID) &&
707 		    plat_stdout_is_framebuffer()) {
708 			opp->oprom_array[0] |= OPROMCONS_STDOUT_IS_FB;
709 		}
710 
711 		if (copyout(opp, (void *)arg,
712 		    sizeof (char) + sizeof (uint_t)) != 0)
713 			error = EFAULT;
714 		break;
715 
716 	case OPROMGETBOOTARGS: {
717 		extern char kern_bootargs[];
718 
719 		valsize = strlen(kern_bootargs) + 1;
720 		if (valsize > userbufsize) {
721 			error = EINVAL;
722 			break;
723 		}
724 		(void) strcpy(opp->oprom_array, kern_bootargs);
725 		opp->oprom_size = valsize - 1;
726 
727 		if (copyout(opp, (void *)arg, valsize + sizeof (uint_t)) != 0)
728 			error = EFAULT;
729 		break;
730 	}
731 
732 	case OPROMGETBOOTPATH: {
733 #if defined(__sparc) && defined(_OBP)
734 
735 		char bpath[OBP_MAXPATHLEN];
736 		if (get_bootpath_prop(bpath) != 0) {
737 			error = EINVAL;
738 			break;
739 		}
740 		valsize = strlen(bpath) + 1;
741 		if (valsize > userbufsize) {
742 			error = EINVAL;
743 			break;
744 		}
745 		(void) strcpy(opp->oprom_array, bpath);
746 
747 #elif defined(__x86)
748 
749 		extern char saved_cmdline[];
750 		valsize = strlen(saved_cmdline) + 1;
751 		if (valsize > userbufsize) {
752 			error = EINVAL;
753 			break;
754 		}
755 		(void) strcpy(opp->oprom_array, saved_cmdline);
756 #endif
757 		opp->oprom_size = valsize - 1;
758 		if (copyout(opp, (void *)arg, valsize + sizeof (uint_t)) != 0)
759 			error = EFAULT;
760 		break;
761 	}
762 
763 	/*
764 	 * convert a prom device path to an equivalent devfs path
765 	 */
766 	case OPROMPROM2DEVNAME: {
767 		char *dev_name;
768 
769 		/*
770 		 * The input argument, a pathname, is a NULL terminated string.
771 		 */
772 		if ((error = oprom_copyinstr(arg, opp->oprom_array,
773 		    (size_t)userbufsize, MAXPATHLEN)) != 0) {
774 			break;
775 		}
776 
777 		dev_name = kmem_alloc(MAXPATHLEN, KM_SLEEP);
778 
779 		error = i_promname_to_devname(opp->oprom_array, dev_name);
780 		if (error != 0) {
781 			kmem_free(dev_name, MAXPATHLEN);
782 			break;
783 		}
784 		valsize = opp->oprom_size = strlen(dev_name);
785 		if (++valsize > userbufsize) {
786 			kmem_free(dev_name, MAXPATHLEN);
787 			error = EINVAL;
788 			break;
789 		}
790 		(void) strcpy(opp->oprom_array, dev_name);
791 		if (copyout(opp, (void *)arg, sizeof (uint_t) + valsize) != 0)
792 			error = EFAULT;
793 
794 		kmem_free(dev_name, MAXPATHLEN);
795 		break;
796 	}
797 
798 	/*
799 	 * Convert a prom device path name to a driver name
800 	 */
801 	case OPROMPATH2DRV: {
802 		char *drv_name;
803 		major_t maj;
804 
805 		/*
806 		 * The input argument, a pathname, is a NULL terminated string.
807 		 */
808 		if ((error = oprom_copyinstr(arg, opp->oprom_array,
809 		    (size_t)userbufsize, MAXPATHLEN)) != 0) {
810 			break;
811 		}
812 
813 		/*
814 		 * convert path to a driver binding name
815 		 */
816 		maj = path_to_major((char *)opp->oprom_array);
817 		if (maj == DDI_MAJOR_T_NONE) {
818 			error = EINVAL;
819 			break;
820 		}
821 
822 		/*
823 		 * resolve any aliases
824 		 */
825 		if ((drv_name = ddi_major_to_name(maj)) == NULL) {
826 			error = EINVAL;
827 			break;
828 		}
829 
830 		(void) strcpy(opp->oprom_array, drv_name);
831 		opp->oprom_size = strlen(drv_name);
832 		if (copyout(opp, (void *)arg,
833 		    sizeof (uint_t) + opp->oprom_size + 1) != 0)
834 			error = EFAULT;
835 		break;
836 	}
837 
838 	case OPROMGETVERSION:
839 		/*
840 		 * Get a string representing the running version of the
841 		 * prom. How to create such a string is platform dependent,
842 		 * so we just defer to a promif function. If no such
843 		 * association exists, the promif implementation
844 		 * may copy the string "unknown" into the given buffer,
845 		 * and return its length (incl. NULL terminator).
846 		 *
847 		 * We expect prom_version_name to return the actual
848 		 * length of the string, but copy at most userbufsize
849 		 * bytes into the given buffer, including NULL termination.
850 		 */
851 
852 		valsize = prom_version_name(opp->oprom_array, userbufsize);
853 		if (valsize < 0) {
854 			error = EINVAL;
855 			break;
856 		}
857 
858 		/*
859 		 * copyout only the part of the user buffer we need to.
860 		 */
861 		if (copyout(opp, (void *)arg,
862 		    (size_t)(min((uint_t)valsize, userbufsize) +
863 		    sizeof (uint_t))) != 0)
864 			error = EFAULT;
865 		break;
866 
867 #if !defined(__x86)
868 	case OPROMGETFBNAME:
869 		/*
870 		 * Return stdoutpath, if it's a frame buffer.
871 		 * Yes, we are comparing a possibly longer string against
872 		 * the size we're really going to copy, but so what?
873 		 */
874 		if ((getzoneid() == GLOBAL_ZONEID) &&
875 		    (prom_stdout_is_framebuffer() != 0) &&
876 		    (userbufsize > strlen(prom_stdoutpath()))) {
877 			prom_strip_options(prom_stdoutpath(),
878 			    opp->oprom_array);	/* strip options and copy */
879 			valsize = opp->oprom_size = strlen(opp->oprom_array);
880 			if (copyout(opp, (void *)arg,
881 			    valsize + 1 + sizeof (uint_t)) != 0)
882 				error = EFAULT;
883 		} else
884 			error = EINVAL;
885 		break;
886 
887 	/*
888 	 * Convert a logical or physical device path to prom device path
889 	 */
890 	case OPROMDEV2PROMNAME: {
891 		char *prom_name;
892 
893 		/*
894 		 * The input argument, a pathname, is a NULL terminated string.
895 		 */
896 		if ((error = oprom_copyinstr(arg, opp->oprom_array,
897 		    (size_t)userbufsize, MAXPATHLEN)) != 0) {
898 			break;
899 		}
900 
901 		prom_name = kmem_alloc(userbufsize, KM_SLEEP);
902 
903 		/*
904 		 * convert the devfs path to an equivalent prom path
905 		 */
906 		error = i_devname_to_promname(opp->oprom_array, prom_name,
907 		    userbufsize);
908 
909 		if (error != 0) {
910 			kmem_free(prom_name, userbufsize);
911 			break;
912 		}
913 
914 		for (valsize = 0; valsize < userbufsize; valsize++) {
915 			opp->oprom_array[valsize] = prom_name[valsize];
916 
917 			if ((valsize > 0) && (prom_name[valsize] == '\0') &&
918 			    (prom_name[valsize-1] == '\0')) {
919 				break;
920 			}
921 		}
922 		opp->oprom_size = valsize;
923 
924 		kmem_free(prom_name, userbufsize);
925 		if (copyout(opp, (void *)arg, sizeof (uint_t) + valsize) != 0)
926 			error = EFAULT;
927 
928 		break;
929 	}
930 
931 	case OPROMSETOPT:
932 	case OPROMSETOPT2: {
933 		int namebuflen;
934 		int valbuflen;
935 
936 		if ((prom_is_openprom() == 0) ||
937 		    (node_id == OBP_NONODE) || (node_id == OBP_BADNODE)) {
938 			error = EINVAL;
939 			break;
940 		}
941 
942 		/*
943 		 * The arguments are a property name and a value.
944 		 * Copy in the entire user buffer.
945 		 */
946 		if (copyin(((caddr_t)arg + sizeof (uint_t)),
947 		    opp->oprom_array, userbufsize) != 0) {
948 			error = EFAULT;
949 			break;
950 		}
951 
952 		/*
953 		 * The property name is the first string, value second
954 		 */
955 		namebuflen = strlen(opp->oprom_array);
956 		valbuf = opp->oprom_array + namebuflen + 1;
957 		valbuflen = strlen(valbuf);
958 
959 		if (cmd == OPROMSETOPT) {
960 			valsize = valbuflen + 1;  /* +1 for the '\0' */
961 		} else {
962 			if ((namebuflen + 1 + valbuflen + 1) > userbufsize) {
963 				error = EINVAL;
964 				break;
965 			}
966 			valsize = (opp->oprom_array + userbufsize) - valbuf;
967 		}
968 
969 		/*
970 		 * 4010173: 'name' is not an option, but it is a property.
971 		 */
972 		if (strcmp(opp->oprom_array, "name") == 0)
973 			error = EINVAL;
974 		else if (prom_setprop(node_id, opp->oprom_array,
975 		    valbuf, valsize) < 0)
976 			error = EINVAL;
977 
978 		break;
979 	}
980 #endif	/* !__x86 */
981 	}	/* switch (cmd)	*/
982 
983 	kmem_free(opp, userbufsize + sizeof (uint_t) + 1);
984 	return (error);
985 }
986 
987 /*ARGSUSED*/
988 static int
989 opromioctl(dev_t dev, int cmd, intptr_t arg, int mode,
990     cred_t *credp, int *rvalp)
991 {
992 	struct oprom_state *st;
993 	struct opromioctl_args arg_block;
994 
995 	if (getminor(dev) >= MAX_OPENS)
996 		return (ENXIO);
997 
998 	st = &oprom_state[getminor(dev)];
999 	ASSERT(st->already_open);
1000 	arg_block.st = st;
1001 	arg_block.cmd = cmd;
1002 	arg_block.arg = arg;
1003 	arg_block.mode = mode;
1004 	return (prom_tree_access(opromioctl_cb, &arg_block, &st->tree_gen));
1005 }
1006 
1007 /*
1008  * Copyin string and verify the actual string length is less than maxsize
1009  * specified by the caller.
1010  *
1011  * Currently, maxsize is either OBP_MAXPROPNAME for property names
1012  * or MAXPATHLEN for device path names. userbufsize is specified
1013  * by the userland caller.
1014  */
1015 static int
1016 oprom_copyinstr(intptr_t arg, char *buf, size_t bufsize, size_t maxsize)
1017 {
1018 	int error;
1019 	size_t actual_len;
1020 
1021 	if ((error = copyinstr(((caddr_t)arg + sizeof (uint_t)),
1022 	    buf, bufsize, &actual_len)) != 0) {
1023 		return (error);
1024 	}
1025 	if ((actual_len == 0) || (actual_len > maxsize)) {
1026 		return (EINVAL);
1027 	}
1028 
1029 	return (0);
1030 }
1031 
1032 /*
1033  * Check pnode_t passed in from userland
1034  */
1035 static int
1036 oprom_checknodeid(pnode_t node_id, pnode_t current_id)
1037 {
1038 	int depth;
1039 	pnode_t id[OBP_STACKDEPTH];
1040 
1041 	/*
1042 	 * optimized path
1043 	 */
1044 	if (node_id == 0) {
1045 		return (1);
1046 	}
1047 	if (node_id == OBP_BADNODE) {
1048 		return (0);
1049 	}
1050 	if ((current_id != OBP_BADNODE) && ((node_id == current_id) ||
1051 	    (node_id == prom_nextnode(current_id)) ||
1052 	    (node_id == prom_childnode(current_id)))) {
1053 		return (1);
1054 	}
1055 
1056 	/*
1057 	 * long path: walk from root till we find node_id
1058 	 */
1059 	depth = 1;
1060 	id[0] = prom_nextnode((pnode_t)0);
1061 
1062 	while (depth) {
1063 		if (id[depth - 1] == node_id)
1064 			return (1);	/* node_id found */
1065 
1066 		if (id[depth] = prom_childnode(id[depth - 1])) {
1067 			depth++;
1068 			continue;
1069 		}
1070 
1071 		while (depth &&
1072 		    ((id[depth - 1] = prom_nextnode(id[depth - 1])) == 0))
1073 			depth--;
1074 	}
1075 	return (0);	/* node_id not found */
1076 }
1077 
1078 static int
1079 oprom_copytree(struct oprom_state *st, uint_t flag)
1080 {
1081 	ASSERT(st->snapshot == NULL && st->size == 0);
1082 	return (oprom_copynode(
1083 	    prom_nextnode(0), flag, &st->snapshot, &st->size));
1084 }
1085 
1086 static int
1087 oprom_snapshot(struct oprom_state *st, intptr_t arg)
1088 {
1089 	uint_t flag;
1090 
1091 	if (oprom_setstate(st, IOC_SNAP) == -1)
1092 		return (EBUSY);
1093 
1094 	/* copyin flag and create snapshot */
1095 	if ((copyin((void *)arg, &flag, sizeof (uint_t)) != 0) ||
1096 	    (oprom_copytree(st, flag) != 0)) {
1097 		(void) oprom_setstate(st, IOC_IDLE);
1098 		return (EFAULT);
1099 	}
1100 
1101 
1102 	/* copyout the size of the snapshot */
1103 	flag = (uint_t)st->size;
1104 	if (copyout(&flag, (void *)arg, sizeof (uint_t)) != 0) {
1105 		kmem_free(st->snapshot, st->size);
1106 		st->snapshot = NULL;
1107 		st->size = 0;
1108 		(void) oprom_setstate(st, IOC_IDLE);
1109 		return (EFAULT);
1110 	}
1111 
1112 	(void) oprom_setstate(st, IOC_DONE);
1113 	return (0);
1114 }
1115 
1116 static int
1117 oprom_copyout(struct oprom_state *st, intptr_t arg)
1118 {
1119 	int error = 0;
1120 	uint_t size;
1121 
1122 	if (oprom_setstate(st, IOC_COPY) == -1)
1123 		return (EBUSY);
1124 
1125 	/* copyin size and copyout snapshot */
1126 	if (copyin((void *)arg, &size, sizeof (uint_t)) != 0)
1127 		error = EFAULT;
1128 	else if (size < st->size)
1129 		error = EINVAL;
1130 	else if (copyout(st->snapshot, (void *)arg, st->size) != 0)
1131 		error = EFAULT;
1132 
1133 	if (error) {
1134 		/*
1135 		 * on error keep the snapshot until a successful
1136 		 * copyout or when the driver is closed.
1137 		 */
1138 		(void) oprom_setstate(st, IOC_DONE);
1139 		return (error);
1140 	}
1141 
1142 	kmem_free(st->snapshot, st->size);
1143 	st->snapshot = NULL;
1144 	st->size = 0;
1145 	(void) oprom_setstate(st, IOC_IDLE);
1146 	return (0);
1147 }
1148 
1149 /*
1150  * Copy all properties of nodeid into a single packed nvlist
1151  */
1152 static int
1153 oprom_copyprop(pnode_t nodeid, uint_t flag, nvlist_t *nvl)
1154 {
1155 	int proplen;
1156 	char *propname, *propval, *buf1, *buf2;
1157 
1158 	ASSERT(nvl != NULL);
1159 
1160 	/*
1161 	 * non verbose mode, get the "name" property only
1162 	 */
1163 	if (flag == 0) {
1164 		proplen = prom_getproplen(nodeid, "name");
1165 		if (proplen <= 0) {
1166 			cmn_err(CE_WARN,
1167 			    "failed to get the name of openprom node 0x%x",
1168 			    nodeid);
1169 			(void) nvlist_add_string(nvl, "name", "");
1170 			return (0);
1171 		}
1172 		propval = kmem_zalloc(proplen + 1, KM_SLEEP);
1173 		(void) prom_getprop(nodeid, "name", propval);
1174 		(void) nvlist_add_string(nvl, "name", propval);
1175 		kmem_free(propval, proplen + 1);
1176 		return (0);
1177 	}
1178 
1179 	/*
1180 	 * Ask for first property by passing a NULL string
1181 	 */
1182 	buf1 = kmem_alloc(OBP_MAXPROPNAME, KM_SLEEP);
1183 	buf2 = kmem_zalloc(OBP_MAXPROPNAME, KM_SLEEP);
1184 	buf1[0] = '\0';
1185 	while (propname = (char *)prom_nextprop(nodeid, buf1, buf2)) {
1186 		if (strlen(propname) == 0)
1187 			break;		/* end of prop list */
1188 		(void) strcpy(buf1, propname);
1189 
1190 		proplen = prom_getproplen(nodeid, propname);
1191 		if (proplen == 0) {
1192 			/* boolean property */
1193 			(void) nvlist_add_boolean(nvl, propname);
1194 			continue;
1195 		}
1196 		/* add 1 for null termination in case of a string */
1197 		propval = kmem_zalloc(proplen + 1, KM_SLEEP);
1198 		(void) prom_getprop(nodeid, propname, propval);
1199 		(void) nvlist_add_byte_array(nvl, propname,
1200 		    (uchar_t *)propval, proplen + 1);
1201 		kmem_free(propval, proplen + 1);
1202 		bzero(buf2, OBP_MAXPROPNAME);
1203 	}
1204 
1205 	kmem_free(buf1, OBP_MAXPROPNAME);
1206 	kmem_free(buf2, OBP_MAXPROPNAME);
1207 
1208 	return (0);
1209 }
1210 
1211 /*
1212  * Copy all children and descendents into a a packed nvlist
1213  */
1214 static int
1215 oprom_copychild(pnode_t nodeid, uint_t flag, char **buf, size_t *size)
1216 {
1217 	nvlist_t *nvl;
1218 	pnode_t child = prom_childnode(nodeid);
1219 
1220 	if (child == 0)
1221 		return (0);
1222 
1223 	(void) nvlist_alloc(&nvl, 0, KM_SLEEP);
1224 	while (child != 0) {
1225 		char *nodebuf = NULL;
1226 		size_t nodesize = 0;
1227 		if (oprom_copynode(child, flag, &nodebuf, &nodesize)) {
1228 			nvlist_free(nvl);
1229 			cmn_err(CE_WARN, "failed to copy nodeid 0x%x", child);
1230 			return (-1);
1231 		}
1232 		(void) nvlist_add_byte_array(nvl, "node",
1233 		    (uchar_t *)nodebuf, nodesize);
1234 		kmem_free(nodebuf, nodesize);
1235 		child = prom_nextnode(child);
1236 	}
1237 
1238 	(void) nvlist_pack(nvl, buf, size, NV_ENCODE_NATIVE, KM_SLEEP);
1239 	nvlist_free(nvl);
1240 	return (0);
1241 }
1242 
1243 /*
1244  * Copy a node into a packed nvlist
1245  */
1246 static int
1247 oprom_copynode(pnode_t nodeid, uint_t flag, char **buf, size_t *size)
1248 {
1249 	int error = 0;
1250 	nvlist_t *nvl;
1251 	char *childlist = NULL;
1252 	size_t childsize = 0;
1253 
1254 	(void) nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP);
1255 	ASSERT(nvl != NULL);
1256 
1257 	/* @nodeid -- @ is not a legal char in a 1275 property name */
1258 	(void) nvlist_add_int32(nvl, "@nodeid", (int32_t)nodeid);
1259 
1260 	/* properties */
1261 	if (error = oprom_copyprop(nodeid, flag, nvl))
1262 		goto fail;
1263 
1264 	/* children */
1265 	error = oprom_copychild(nodeid, flag, &childlist, &childsize);
1266 	if (error != 0)
1267 		goto fail;
1268 	if (childlist != NULL) {
1269 		(void) nvlist_add_byte_array(nvl, "@child",
1270 		    (uchar_t *)childlist, (uint_t)childsize);
1271 		kmem_free(childlist, childsize);
1272 	}
1273 
1274 	/* pack into contiguous buffer */
1275 	error = nvlist_pack(nvl, buf, size, NV_ENCODE_NATIVE, KM_SLEEP);
1276 
1277 fail:
1278 	nvlist_free(nvl);
1279 	return (error);
1280 }
1281 
1282 /*
1283  * The driver is stateful across OPROMSNAPSHOT and OPROMCOPYOUT.
1284  * This function encapsulates the state machine:
1285  *
1286  *	-> IOC_IDLE -> IOC_SNAP -> IOC_DONE -> IOC_COPY ->
1287  *	|		SNAPSHOT		COPYOUT	 |
1288  *	--------------------------------------------------
1289  *
1290  * Returns 0 on success and -1 on failure
1291  */
1292 static int
1293 oprom_setstate(struct oprom_state *st, int16_t new_state)
1294 {
1295 	int ret = 0;
1296 
1297 	mutex_enter(&oprom_lock);
1298 	switch (new_state) {
1299 	case IOC_IDLE:
1300 	case IOC_DONE:
1301 		break;
1302 	case IOC_SNAP:
1303 		if (st->ioc_state != IOC_IDLE)
1304 			ret = -1;
1305 		break;
1306 	case IOC_COPY:
1307 		if (st->ioc_state != IOC_DONE)
1308 			ret = -1;
1309 		break;
1310 	default:
1311 		ret = -1;
1312 	}
1313 
1314 	if (ret == 0)
1315 		st->ioc_state = new_state;
1316 	else
1317 		cmn_err(CE_NOTE, "incorrect state transition from %d to %d",
1318 		    st->ioc_state, new_state);
1319 	mutex_exit(&oprom_lock);
1320 	return (ret);
1321 }
1322