Date: Thu, 2 Dec 2010 08:30:30 GMT
From: Sascha Wildner <saw@online.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Weird check in mfi(4)

>Number:         152768
>Category:       kern
>Synopsis:       [mfi] Weird check in mfi(4)
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 02 08:40:10 UTC 2010
>Closed-Date:    Wed Jan 26 20:09:32 UTC 2011
>Last-Modified:  Wed Jan 26 20:09:32 UTC 2011
>Originator:     Sascha Wildner
>Release:        none :)
>Organization:
>Environment:
>Description:
Hi there,

I recently ported FreeBSD's mfi(4) driver to DragonFly BSD and when
running clang's static analyzer on the kernel, it found:

http://yoyodyne.ath.cx/tmp/scan-build-2010-12-01-1/report-tCmTHj.html#EndPath

If device is T_DIRECT (0x00) or T_PROCESSOR (0x03) then (device & 0xe0)
can't be true. It kinda smells like the intention was something different
here, though I'm not sure which, so I thought I'd report it.

Kind regards,
Sascha

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Dec 2 18:09:11 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152768 
Responsible-Changed-From-To: freebsd-net->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Dec 2 18:09:40 UTC 2010 
Responsible-Changed-Why:  
bah.  too early in the morning, I guess. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152768 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 saw@online.de
Cc: scottl@freebsd.org
Subject: Re: kern/152768: [mfi] Weird check in mfi(4)
Date: Thu, 2 Dec 2010 13:30:51 -0500

 I think it should be 'ccb->csio.data_ptr[0] & 0xe0 | T_NODEVICE', or even 
 shorter would be to do this:
 
 Index: mfi_cam.c
 ===================================================================
 --- mfi_cam.c	(revision 216122)
 +++ mfi_cam.c	(working copy)
 @@ -340,14 +340,14 @@
  		ccbh->status = CAM_REQ_CMP;
  		csio->scsi_status = pt->header.scsi_status;
  		if (ccbh->flags & CAM_CDB_POINTER)
 -			command = ccb->csio.cdb_io.cdb_ptr[0];
 +			command = csio->cdb_io.cdb_ptr[0];
  		else
 -			command = ccb->csio.cdb_io.cdb_bytes[0];
 +			command = csio->cdb_io.cdb_bytes[0];
  		if (command == INQUIRY) {
 -			device = ccb->csio.data_ptr[0] & 0x1f;
 +			device = csio->data_ptr[0] & 0x1f;
  			if ((device == T_DIRECT) || (device == T_PROCESSOR))
  				csio->data_ptr[0] =
 -				     (device & 0xe0) | T_NODEVICE;
 +				     (csio->data_ptr[0] & 0xe0) | T_NODEVICE;
  		}
  		break;
  	}
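Review bot: in the INQUIRY branch the masks 0x1f and 0xe0 are bare literals for the two halves of the same byte, which is how the removed `(device & 0xe0)` went unnoticed even though `device` had already been reduced with `& 0x1f` and the expression could only be zero. Suggest naming the two masks, or adding a one-line comment on the new `(csio->data_ptr[0] & 0xe0) | T_NODEVICE` line saying that the upper three bits are carried over from the original byte, so the next copy of this code does not repeat the mistake.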
 
 The intention from the code seems to be to mask T_DIRECT and T_PROCESSOR
 devices by mapping them to T_NODEVICE instead.
 
 -- 
 John Baldwin
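
The effect of the one-line fix on the first inquiry byte, as an added example that is not part of the original thread or the FreeBSD source. T_DIRECT and T_PROCESSOR use the values quoted in the report; T_NODEVICE = 0x1f, the mask names and the sample byte are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Device type codes: T_DIRECT and T_PROCESSOR as quoted in the report,
 * T_NODEVICE = 0x1f assumed for this example. */
#define T_DIRECT    0x00
#define T_PROCESSOR 0x03
#define T_NODEVICE  0x1f

#define TYPE_MASK 0x1f /* low five bits: peripheral device type */
#define QUAL_MASK 0xe0 /* high three bits, which the fix preserves */

/* Pre-patch logic: device is already reduced to five bits, so
 * (device & QUAL_MASK) is always 0 and the upper bits are dropped. */
static uint8_t mask_before(uint8_t byte0)
{
    uint8_t device = byte0 & TYPE_MASK;
    if (device == T_DIRECT || device == T_PROCESSOR)
        return (device & QUAL_MASK) | T_NODEVICE;
    return byte0;
}

/* Patched logic: the upper bits come from the original byte. */
static uint8_t mask_after(uint8_t byte0)
{
    uint8_t device = byte0 & TYPE_MASK;
    if (device == T_DIRECT || device == T_PROCESSOR)
        return (byte0 & QUAL_MASK) | T_NODEVICE;
    return byte0;
}

/* Count the first-byte values for which the two versions disagree. */
static int count_divergent(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        if (mask_before((uint8_t)b) != mask_after((uint8_t)b))
            n++;
    return n;
}

int main(void)
{
    uint8_t sample = 0x23; /* constructed: upper bits 001, type T_PROCESSOR */
    printf("before: 0x%02x  after: 0x%02x\n",
        mask_before(sample), mask_after(sample));
    printf("%d of 256 byte values differ\n", count_divergent());
    return 0;
}
```

The two versions only disagree when the device reports non-zero upper bits together with one of the two masked types, which is why the bug was silent for the common case of a zero qualifier.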

From: John Baldwin <jhb@freebsd.org>
To: Scott Long <scottl@samsco.org>
Cc: bug-followup@freebsd.org,
 saw@online.de
Subject: Re: kern/152768: [mfi] Weird check in mfi(4)
Date: Mon, 6 Dec 2010 11:59:38 -0500

 On Monday, December 06, 2010 11:45:32 am Scott Long wrote:
 > John,
 > 
 > Had a chance to review this, and the patch looks reasonable.  This code was
 > basically a copy-and-paste from the aac driver, which will also need a similar
 > change.
 > 
 > Scott
 
 Ok, does this look right for aac?
 
 Index: aac_cam.c
 ===================================================================
 --- aac_cam.c	(revision 216122)
 +++ aac_cam.c	(working copy)
 @@ -587,7 +587,8 @@
  				    (device == T_PROCESSOR) ||
  				    (sc->flags & AAC_FLAGS_CAM_PASSONLY))
  					ccb->csio.data_ptr[0] =
 -					    ((device & 0xe0) | T_NODEVICE);
 +					    ((ccb->csio.data_ptr[0] & 0xe0) |
 +					    T_NODEVICE);
  				} else if (ccb->ccb_h.status == CAM_SEL_TIMEOUT &&
  					ccb->ccb_h.target_lun != 0) {
  					/* fix for INQUIRYs on Lun>0 */
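Review bot: the new right-hand side of the `ccb->csio.data_ptr[0] =` assignment now reads `ccb->csio.data_ptr[0]` as well as writing it, and the visible context shows no check that the INQUIRY returned at least one byte of data on this path; worth confirming that an earlier condition guarantees it before the read-modify-write. Unlike the mfi hunk, this branch is also taken for every device type when `AAC_FLAGS_CAM_PASSONLY` is set, so the preserved upper bits now reach all of those devices too, which deserves a line in the commit log.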
 
 -- 
 John Baldwin
State-Changed-From-To: open->patched 
State-Changed-By: jhb 
State-Changed-When: Mon Dec 6 17:03:14 UTC 2010 
State-Changed-Why:  
Fix committed to HEAD, will MFC in a week or so. 


Responsible-Changed-From-To: freebsd-bugs->jhb 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Mon Dec 6 17:03:14 UTC 2010 
Responsible-Changed-Why:  
Fix committed to HEAD, will MFC in a week or so. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152768 

From: Scott Long <scottl@samsco.org>
To: John Baldwin <jhb@freebsd.org>
Cc: bug-followup@freebsd.org, saw@online.de
Subject: Re: kern/152768: [mfi] Weird check in mfi(4)
Date: Mon, 6 Dec 2010 10:01:13 -0700

 Yep, thanks a lot!
 
 Scott
 
 

From: Scott Long <scottl@samsco.org>
To: John Baldwin <jhb@freebsd.org>
Cc: bug-followup@freebsd.org, saw@online.de
Subject: Re: kern/152768: [mfi] Weird check in mfi(4)
Date: Mon, 6 Dec 2010 09:45:32 -0700

 John,
 
 Had a chance to review this, and the patch looks reasonable.  This code
 was basically a copy-and-paste from the aac driver, which will also need
 a similar change.
 
 Scott
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/152768: commit references a PR
Date: Mon,  6 Dec 2010 17:03:01 +0000 (UTC)

 Author: jhb
 Date: Mon Dec  6 17:02:56 2010
 New Revision: 216235
 URL: http://svn.freebsd.org/changeset/base/216235
 
 Log:
   When masking direct and processor devices during an inquiry, properly
   preserve the upper bits of the first data byte.
   
   While here, shorten a few nearby lines.
   
   PR:		kern/152768
   Reported by:	Sascha Wildner  saw of online.de
   Reviewed by:	scottl
   MFC after:	1 week
 
 Modified:
   head/sys/dev/mfi/mfi_cam.c
 
 Modified: head/sys/dev/mfi/mfi_cam.c
 ==============================================================================
 --- head/sys/dev/mfi/mfi_cam.c	Mon Dec  6 16:45:36 2010	(r216234)
 +++ head/sys/dev/mfi/mfi_cam.c	Mon Dec  6 17:02:56 2010	(r216235)
 @@ -340,14 +340,14 @@ mfip_done(struct mfi_command *cm)
  		ccbh->status = CAM_REQ_CMP;
  		csio->scsi_status = pt->header.scsi_status;
  		if (ccbh->flags & CAM_CDB_POINTER)
 -			command = ccb->csio.cdb_io.cdb_ptr[0];
 +			command = csio->cdb_io.cdb_ptr[0];
  		else
 -			command = ccb->csio.cdb_io.cdb_bytes[0];
 +			command = csio->cdb_io.cdb_bytes[0];
  		if (command == INQUIRY) {
 -			device = ccb->csio.data_ptr[0] & 0x1f;
 +			device = csio->data_ptr[0] & 0x1f;
  			if ((device == T_DIRECT) || (device == T_PROCESSOR))
  				csio->data_ptr[0] =
 -				     (device & 0xe0) | T_NODEVICE;
 +				     (csio->data_ptr[0] & 0xe0) | T_NODEVICE;
  		}
  		break;
  	}
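Review bot: only the last -/+ pair in this hunk, `(device & 0xe0)` becoming `(csio->data_ptr[0] & 0xe0)`, changes behaviour; the three `ccb->csio.` to `csio->` substitutions above it are cosmetic. The log does say "While here, shorten a few nearby lines", but with an MFC planned, committing the cosmetic lines separately would keep the merged fix to a single line and make it easier to audit on the stable branches.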
 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Wed Jan 26 20:09:19 UTC 2011 
State-Changed-Why:  
Fix merged to 7 and 8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152768 
>Unformatted:
