From: Stephen Hemminger <stephen.hemminger@xxxxxxxxxx>
Sparse caught several places where ioctl interface was incorrectly using user
memory. Fix all the ioctl cases for casting and __user annotation.
Signed-off-by: Stephen Hemminger <shemminger@xxxxxxxxxx>
---
drivers/staging/bcm/Bcmchar.c | 796 +++++++++++++-------------------------
drivers/staging/bcm/HostMibs.h | 7 -
drivers/staging/bcm/Prototypes.h | 6 +-
drivers/staging/bcm/headers.h | 1 -
drivers/staging/bcm/hostmibs.c | 24 +-
5 files changed, 282 insertions(+), 552 deletions(-)
delete mode 100644 drivers/staging/bcm/HostMibs.h
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 6c9db72..3a1b990 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -102,11 +102,11 @@ static int bcm_char_release(struct inode *inode, struct file *filp)
static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, loff_t *f_pos)
{
- PPER_TARANG_DATA pTarang = (PPER_TARANG_DATA)filp->private_data;
+ PPER_TARANG_DATA pTarang = filp->private_data;
PMINI_ADAPTER Adapter = pTarang->Adapter;
- struct sk_buff* Packet = NULL;
- UINT PktLen = 0;
- int wait_ret_val=0;
+ struct sk_buff* Packet = NULL;
+ ssize_t PktLen = 0;
+ int wait_ret_val=0;
wait_ret_val = wait_event_interruptible(Adapter->process_read_wait_queue,
(pTarang->RxAppControlHead || Adapter->device_removed));
@@ -145,7 +145,9 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "\nReturning from copy to user failure \n");
return -EFAULT;
}
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Read %d Bytes From Adapter packet = 0x%p by process %d!\n", PktLen, Packet, current->pid);
+ BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,
+ "Read %zd Bytes From Adapter packet = %p by process %d!\n",
+ PktLen, Packet, current->pid);
dev_kfree_skb(Packet);
}
@@ -155,15 +157,12 @@ static ssize_t bcm_char_read(struct file *filp, char __user *buf, size_t size, l
static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
{
- PPER_TARANG_DATA pTarang = (PPER_TARANG_DATA)filp->private_data;
- void __user *argp = (void __user *)argp;
+ PPER_TARANG_DATA pTarang = filp->private_data;
+ void __user *argp = (void __user *)arg;
PMINI_ADAPTER Adapter = pTarang->Adapter;
INT Status = STATUS_FAILURE;
- IOCTL_BUFFER IoBuffer={};
-#ifndef BCM_SHM_INTERFACE
- int timeout = 0;
-#endif
-
+ int timeout = 0;
+ IOCTL_BUFFER IoBuffer;
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Parameters Passed to control IOCTL cmd=0x%X arg=0x%lX", cmd, arg);
@@ -204,49 +203,40 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status = vendorextnIoctl(Adapter, cmd, arg);
if(Status != CONTINUE_COMMON_PATH )
- {
return Status;
- }
switch(cmd){
// Rdms for Swin Idle...
case IOCTL_BCM_REGISTER_READ_PRIVATE:
{
RDM_BUFFER sRdmBuffer = {0};
- PCHAR temp_buff = NULL;
- UINT Bufflen = 0;
+ PCHAR temp_buff;
+ UINT Bufflen;
+
/* Copy Ioctl Buffer structure */
- if(copy_from_user((PCHAR)&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (IoBuffer.InputLength > sizeof(sRdmBuffer))
+ return -EINVAL;
+ if(copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
+
+ /* FIXME: need to restrict BuffLen */
Bufflen = IoBuffer.OutputLength + (4 - IoBuffer.OutputLength%4)%4;
- temp_buff = (PCHAR)kmalloc(Bufflen, GFP_KERNEL);
+ temp_buff = kmalloc(Bufflen, GFP_KERNEL);
if(!temp_buff)
- {
- return STATUS_FAILURE;
- }
- if(copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
+ return -ENOMEM;
+
Status = rdmalt(Adapter, (UINT)sRdmBuffer.Register,
(PUINT)temp_buff, Bufflen);
- if(Status != STATUS_SUCCESS)
- {
- kfree(temp_buff);
- return Status;
- }
- if(copy_to_user(IoBuffer.OutputBuffer,
- (PCHAR)temp_buff, (UINT)IoBuffer.OutputLength))
+ if(Status == STATUS_SUCCESS)
{
- Status = -EFAULT;
+ if(copy_to_user(IoBuffer.OutputBuffer, temp_buff, IoBuffer.OutputLength))
+ Status = -EFAULT;
}
+
kfree(temp_buff);
break;
}
@@ -256,19 +246,16 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
UINT uiTempVar=0;
/* Copy Ioctl Buffer structure */
- if(copy_from_user(&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (IoBuffer.InputLength > sizeof(sWrmBuffer))
+ return -EINVAL;
+
/* Get WrmBuffer structure */
- if(copy_from_user(&sWrmBuffer, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&sWrmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
+
uiTempVar = sWrmBuffer.Register & EEPROM_REJECT_MASK;
if(!((Adapter->pstargetparams->m_u32Customize) & VSG_MODE) &&
((uiTempVar == EEPROM_REJECT_REG_1)||
@@ -277,8 +264,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
(uiTempVar == EEPROM_REJECT_REG_4)))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "EEPROM Access Denied, not in VSG Mode\n");
- Status = -EFAULT;
- break;
+ return -EFAULT;
}
Status = wrmalt(Adapter, (UINT)sWrmBuffer.Register,
(PUINT)sWrmBuffer.Data, sizeof(ULONG));
@@ -305,53 +291,38 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
(Adapter->bPreparingForLowPowerMode ==TRUE))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Device in Idle Mode, Blocking Rdms\n");
- Status = -EACCES;
- break;
+ return -EACCES;
}
/* Copy Ioctl Buffer structure */
- if(copy_from_user(&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (IoBuffer.InputLength > sizeof(sRdmBuffer))
+ return -EINVAL;
+
+ if(copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
- temp_buff = (PCHAR)kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
+ /* FIXME: don't trust user supplied length */
+ temp_buff = kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
if(!temp_buff)
- {
return STATUS_FAILURE;
- }
- if(copy_from_user(&sRdmBuffer, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
- if(
- (((ULONG)sRdmBuffer.Register & 0x0F000000) != 0x0F000000) ||
- ((ULONG)sRdmBuffer.Register & 0x3)
- )
+ if((((ULONG)sRdmBuffer.Register & 0x0F000000) != 0x0F000000) ||
+ ((ULONG)sRdmBuffer.Register & 0x3))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "RDM Done On invalid Address : %x Access Denied.\n",
(int)sRdmBuffer.Register);
- Status = -EINVAL;
- break;
+ return -EINVAL;
}
uiTempVar = sRdmBuffer.Register & EEPROM_REJECT_MASK;
Status = rdmaltWithLock(Adapter, (UINT)sRdmBuffer.Register,
(PUINT)temp_buff, IoBuffer.OutputLength);
- if(Status != STATUS_SUCCESS)
- {
- kfree(temp_buff);
- return Status;
- }
- if(copy_to_user(IoBuffer.OutputBuffer,
- (PCHAR)temp_buff, (UINT)IoBuffer.OutputLength))
- {
- Status = -EFAULT;
- }
+ if(Status == STATUS_SUCCESS)
+ if(copy_to_user(IoBuffer.OutputBuffer, temp_buff, IoBuffer.OutputLength))
+ Status = -EFAULT;
+
kfree(temp_buff);
break;
}
@@ -365,34 +336,28 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
(Adapter->bPreparingForLowPowerMode ==TRUE))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Device in Idle Mode, Blocking Wrms\n");
- Status = -EACCES;
- break;
+ return -EACCES;
}
+
/* Copy Ioctl Buffer structure */
- if(copy_from_user((PCHAR)&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (IoBuffer.InputLength > sizeof(sWrmBuffer))
+ return -EINVAL;
+
/* Get WrmBuffer structure */
- if(copy_from_user(&sWrmBuffer, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
- if(
+ if(copy_from_user(&sWrmBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
- (((ULONG)sWrmBuffer.Register & 0x0F000000) != 0x0F000000) ||
- ((ULONG)sWrmBuffer.Register & 0x3)
- )
+ if( (((ULONG)sWrmBuffer.Register & 0x0F000000) != 0x0F000000) ||
+ ((ULONG)sWrmBuffer.Register & 0x3) )
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "WRM Done On invalid Address : %x Access Denied.\n",
(int)sWrmBuffer.Register);
- Status = -EINVAL;
- break;
+ return -EINVAL;
}
+
uiTempVar = sWrmBuffer.Register & EEPROM_REJECT_MASK;
if(!((Adapter->pstargetparams->m_u32Customize) & VSG_MODE) &&
((uiTempVar == EEPROM_REJECT_REG_1)||
@@ -402,8 +367,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
(cmd == IOCTL_BCM_REGISTER_WRITE))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "EEPROM Access Denied, not in VSG Mode\n");
- Status = -EFAULT;
- break;
+ return -EFAULT;
}
Status = wrmaltWithLock(Adapter, (UINT)sWrmBuffer.Register,
@@ -432,19 +396,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
(Adapter->bPreparingForLowPowerMode ==TRUE))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"GPIO Can't be set/clear in Low power Mode");
- Status = -EACCES;
- break;
+ return -EACCES;
}
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
+ if (IoBuffer.InputLength > sizeof(gpio_info))
+ return -EINVAL;
if(copy_from_user(&gpio_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
uiBit = gpio_info.uiGpioNumber;
uiOperation = gpio_info.uiGpioValue;
@@ -513,8 +472,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
break;
case BCM_LED_THREAD_STATE_CHANGE_REQ:
{
-
- USER_THREAD_REQ threadReq = {0};
+ USER_THREAD_REQ threadReq = { 0 };
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"User made LED thread InActive");
if((Adapter->IdleMode == TRUE) ||
@@ -525,21 +483,16 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status = -EACCES;
break;
}
- Status =copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the IOBufer from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
- Status= copy_from_user(&threadReq, IoBuffer.InputBuffer, IoBuffer.InputLength);
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the InputBuffer from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (IoBuffer.InputLength > sizeof(threadReq))
+ return -EINVAL;
+
+ if (copy_from_user(&threadReq, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
+
//if LED thread is running(Actively or Inactively) set it state to make inactive
if(Adapter->LEDInfo.led_thread_running)
{
@@ -568,19 +521,13 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if((Adapter->IdleMode == TRUE) ||
(Adapter->bShutStatus ==TRUE) ||
(Adapter->bPreparingForLowPowerMode ==TRUE))
- {
- Status = -EACCES;
- break;
- }
- if(copy_from_user((PCHAR)&IoBuffer, argp, sizeof(IOCTL_BUFFER))) {
- Status = -EFAULT;
- break;
- }
- if(copy_from_user(&gpio_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
- {
- Status = -EFAULT;
- break;
- }
+ return -EACCES;
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+ if (IoBuffer.InputLength > sizeof(gpio_info))
+ return -EINVAL;
+ if(copy_from_user(&gpio_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
uiBit = gpio_info.uiGpioNumber;
//Set the gpio output register
Status = rdmaltWithLock(Adapter, (UINT)GPIO_PIN_STATE_REGISTER,
@@ -604,25 +551,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if((Adapter->IdleMode == TRUE) ||
(Adapter->bShutStatus ==TRUE) ||
(Adapter->bPreparingForLowPowerMode ==TRUE))
- {
- Status = -EINVAL;
- break;
- }
- Status = copy_from_user( (PCHAR)&IoBuffer, argp, sizeof( IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the IOBufer from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
+ return -EINVAL;
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+ if (IoBuffer.InputLength > sizeof(gpio_multi_info))
+ return -EINVAL;
+ if (copy_from_user(&gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
- Status = copy_from_user( &gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength);
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the IOBufer Contents from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
if(IsReqGpioIsLedInNVM(Adapter,pgpio_multi_info[WIMAX_IDX].uiGPIOMask)== FALSE)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Sorry, Requested GPIO<0x%X> is not correspond to NVM LED bit map<0x%X>!!!",pgpio_multi_info[WIMAX_IDX].uiGPIOMask,Adapter->gpioBitMap);
@@ -682,7 +618,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying Content to IOBufer for user space err:%d",Status);
- Status = -EFAULT;
break;
}
}
@@ -696,25 +631,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if((Adapter->IdleMode == TRUE) ||
(Adapter->bShutStatus ==TRUE) ||
(Adapter->bPreparingForLowPowerMode ==TRUE))
- {
- Status = -EINVAL;
- break;
- }
- Status = copy_from_user(&IoBuffer, argp, sizeof( IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the IOBufer from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
+ return -EINVAL;
- Status = copy_from_user( &gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength);
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying the IOBufer Contents from user space err:%d",Status);
- Status = -EFAULT;
- break;
- }
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+ if (IoBuffer.InputLength > sizeof(gpio_multi_mode))
+ return -EINVAL;
+ if (copy_from_user(&gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
Status = rdmaltWithLock( Adapter, ( UINT) GPIO_MODE_REGISTER, ( PUINT) ucResetValue, sizeof( UINT));
if( STATUS_SUCCESS != Status)
@@ -765,7 +689,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Failed while copying Content to IOBufer for user space err:%d",Status);
- Status = -EFAULT;
break;
}
}
@@ -779,21 +702,17 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_IDLE_REQ:
{
PVOID pvBuffer=NULL;
+
/* Copy Ioctl Buffer structure */
- if(copy_from_user(&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
- pvBuffer=kmalloc(IoBuffer.InputLength, GFP_KERNEL);
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ /* FIXME: don't accept any length from user */
+ pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
if(!pvBuffer)
- {
return -ENOMEM;
- }
- if(copy_from_user(pvBuffer, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
+ if(copy_from_user(pvBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
{
Status = -EFAULT;
kfree(pvBuffer);
@@ -839,7 +758,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status = reset_card_proc(Adapter);
if(Status)
{
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "reset_card_proc Failed!\n");
+ pr_err(PFX "%s: reset_card_proc Failed!\n", Adapter->dev->name);
up(&Adapter->fw_download_sema);
up(&Adapter->NVMRdmWrmLock);
break;
@@ -857,7 +776,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
}
case IOCTL_BCM_BUFFER_DOWNLOAD:
{
- FIRMWARE_INFO *psFwInfo=NULL;
+ FIRMWARE_INFO *psFwInfo = NULL;
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Starting the firmware download PID =0x%x!!!!\n", current->pid);
do{
if(!down_trylock(&Adapter->fw_download_sema))
@@ -866,29 +785,23 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status=-EINVAL;
break;
}
+
/* Copy Ioctl Buffer structure */
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "copy_from_user 1 failed\n");
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
+
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Length for FW DLD is : %lx\n",
IoBuffer.InputLength);
- psFwInfo=kmalloc(sizeof(*psFwInfo), GFP_KERNEL);
+
+ if (IoBuffer.InputLength > sizeof(FIRMWARE_INFO))
+ return -EINVAL;
+
+ psFwInfo = kmalloc(sizeof(*psFwInfo), GFP_KERNEL);
if(!psFwInfo)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Failed to allocate buffer!!!!\n");
- Status = -ENOMEM;
- break;
- }
- if(copy_from_user(psFwInfo, IoBuffer.InputBuffer,
- IoBuffer.InputLength))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy_from_user 2 failed\n");
- Status = -EFAULT;
- break;
- }
+ return -ENOMEM;
+
+ if(copy_from_user(psFwInfo, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ return -EFAULT;
if(!psFwInfo->pvMappedFirmwareAddress ||
(psFwInfo->u32FirmwareLength == 0))
@@ -941,7 +854,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Adapter->bBinDownloaded=TRUE;
Adapter->bCfgDownloaded=TRUE;
atomic_set(&Adapter->CurrNumFreeTxDesc, 0);
- atomic_set(&Adapter->RxRollOverCount, 0);
+
Adapter->CurrNumRecvDescs=0;
Adapter->downloadDDR = 0;
@@ -1038,22 +951,16 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
break;
case IOCTL_GET_PACK_INFO:
- if(copy_to_user(argp, &Adapter->PackInfo,
- sizeof(PacketInfo)*NO_OF_QUEUES))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_to_user(argp, &Adapter->PackInfo, sizeof(PacketInfo)*NO_OF_QUEUES))
+ return -EFAULT;
Status = STATUS_SUCCESS;
break;
case IOCTL_BCM_SWITCH_TRANSFER_MODE:
{
UINT uiData = 0;
if(copy_from_user(&uiData, argp, sizeof(UINT)))
- {
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
+
if(uiData) /* Allow All Packets */
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "IOCTL_BCM_SWITCH_TRANSFER_MODE: ETH_PACKET_TUNNELING_MODE\n");
@@ -1072,22 +979,17 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
{
/* Copy Ioctl Buffer structure */
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
- if(copy_to_user(IoBuffer.OutputBuffer,
- VER_FILEVERSION_STR, (UINT)IoBuffer.OutputLength))
- {
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
+
+ if(copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
+ return -EFAULT;
Status = STATUS_SUCCESS;
break;
}
case IOCTL_BCM_GET_CURRENT_STATUS:
{
- LINK_STATE *plink_state = NULL;
+ LINK_STATE link_state;
+
/* Copy Ioctl Buffer structure */
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
{
@@ -1095,12 +997,15 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status = -EFAULT;
break;
}
- plink_state = (LINK_STATE*)arg;
- plink_state->bIdleMode = (UCHAR)Adapter->IdleMode;
- plink_state->bShutdownMode = Adapter->bShutStatus;
- plink_state->ucLinkStatus = (UCHAR)Adapter->LinkStatus;
- if(copy_to_user(IoBuffer.OutputBuffer,
- (PUCHAR)plink_state, (UINT)IoBuffer.OutputLength))
+
+
+ memset(&link_state, 0, sizeof(link_state));
+ link_state.bIdleMode = Adapter->IdleMode;
+ link_state.bShutdownMode = Adapter->bShutStatus;
+ link_state.ucLinkStatus = Adapter->LinkStatus;
+
+ if (copy_to_user(IoBuffer.OutputBuffer, &link_state,
+ min_t(size_t, sizeof(link_state), IoBuffer.OutputLength)))
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy_to_user Failed..\n");
Status = -EFAULT;
@@ -1112,17 +1017,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_BCM_SET_MAC_TRACING:
{
UINT tracing_flag;
+
/* copy ioctl Buffer structure */
- if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
- if(copy_from_user(&tracing_flag, IoBuffer.InputBuffer,sizeof(UINT)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if(copy_from_user(&tracing_flag,IoBuffer.InputBuffer,sizeof(UINT)))
+ return -EFAULT;
+
if (tracing_flag)
Adapter->pTarangs->MacTracingEnabled = TRUE;
else
@@ -1132,70 +1034,51 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_BCM_GET_DSX_INDICATION:
{
ULONG ulSFId=0;
- if(copy_from_user((PCHAR)&IoBuffer, argp,
- sizeof(IOCTL_BUFFER)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Invalid IO buffer!!!" );
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
if(IoBuffer.OutputLength < sizeof(stLocalSFAddIndicationAlt))
{
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Mismatch req: %lx needed is =0x%zx!!!",
- IoBuffer.OutputLength, sizeof(stLocalSFAddIndicationAlt));
+ BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,
+ "Mismatch req: %lx needed is =0x%zx!!!",
+ IoBuffer.OutputLength, sizeof(stLocalSFAddIndicationAlt));
return -EINVAL;
}
- if(copy_from_user(&ulSFId, IoBuffer.InputBuffer,
- sizeof(ulSFId)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Invalid SFID!!! %lu", ulSFId );
- Status = -EFAULT;
- break;
- }
+
+ if(copy_from_user(&ulSFId, IoBuffer.InputBuffer, sizeof(ulSFId)))
+ return -EFAULT;
+
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Get DSX Data SF ID is =%lx\n", ulSFId );
- get_dsx_sf_data_to_application(Adapter, ulSFId,
- IoBuffer.OutputBuffer);
+ get_dsx_sf_data_to_application(Adapter, ulSFId, IoBuffer.OutputBuffer);
Status=STATUS_SUCCESS;
}
break;
case IOCTL_BCM_GET_HOST_MIBS:
{
- PCHAR temp_buff;
+ PVOID temp_buff;
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy_from user for IoBuff failed\n");
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
if(IoBuffer.OutputLength != sizeof(S_MIBS_HOST_STATS_MIBS))
{
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Length Check failed %lu %zd\n", IoBuffer.OutputLength,
- sizeof(S_MIBS_HOST_STATS_MIBS));
- return -EINVAL;
+ BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,
+ "Length Check failed %lu %zd\n",
+ IoBuffer.OutputLength, sizeof(S_MIBS_HOST_STATS_MIBS));
+ return -EINVAL;
}
- temp_buff = (PCHAR)kmalloc(IoBuffer.OutputLength, GFP_KERNEL);
-
+ /* FIXME: HOST_STATS are too big for kmalloc (122048)! */
+ temp_buff = kzalloc(sizeof(S_MIBS_HOST_STATS_MIBS), GFP_KERNEL);
if(!temp_buff)
- {
return STATUS_FAILURE;
- }
-
- Status = ProcessGetHostMibs(Adapter,
- (PUCHAR)temp_buff, IoBuffer.OutputLength);
- Status = GetDroppedAppCntrlPktMibs((PVOID)temp_buff,
- (PPER_TARANG_DATA)filp->private_data);
+ Status = ProcessGetHostMibs(Adapter, temp_buff);
+ GetDroppedAppCntrlPktMibs(temp_buff, pTarang);
- if(copy_to_user(IoBuffer.OutputBuffer,(PCHAR)temp_buff,
- sizeof(S_MIBS_HOST_STATS_MIBS)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy to user failed\n");
- kfree(temp_buff);
- return -EFAULT;
- }
+ if (Status != STATUS_FAILURE)
+ if(copy_to_user(IoBuffer.OutputBuffer, temp_buff, sizeof(S_MIBS_HOST_STATS_MIBS)))
+ Status = -EFAULT;
kfree(temp_buff);
break;
@@ -1225,22 +1108,18 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
Status = -EACCES;
break;
}
+
/* Copy Ioctl Buffer structure */
- if(copy_from_user((PCHAR)&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
- pvBuffer=kmalloc(IoBuffer.InputLength, GFP_KERNEL);
+ /* FIXME: restrict length */
+ pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
if(!pvBuffer)
- {
return -ENOMEM;
- break;
- }
/* Get WrmBuffer structure */
- if(copy_from_user(pvBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
+ if(copy_from_user(pvBuffer, IoBuffer.InputBuffer, IoBuffer.InputLength))
{
kfree(pvBuffer);
Status = -EFAULT;
@@ -1288,25 +1167,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
}
case IOCTL_BCM_GET_NVM_SIZE:
- {
-
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- //IOLog("failed NVM first");
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
+
if(Adapter->eNVMType == NVM_EEPROM || Adapter->eNVMType == NVM_FLASH ) {
- if(copy_to_user(IoBuffer.OutputBuffer,
- (unsigned char *)&Adapter->uiNVMDSDSize, (UINT)sizeof(UINT)))
- {
- Status = -EFAULT;
- return Status;
- }
+ if(copy_to_user(IoBuffer.OutputBuffer, &Adapter->uiNVMDSDSize, sizeof(UINT)))
+ return -EFAULT;
}
-
Status = STATUS_SUCCESS ;
- }
break;
case IOCTL_BCM_CAL_INIT :
@@ -1315,38 +1183,26 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
UINT uiSectorSize = 0 ;
if(Adapter->eNVMType == NVM_FLASH)
{
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Copy From User space failed. status :%d", Status);
+ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
return -EFAULT;
- }
- uiSectorSize = *((PUINT)(IoBuffer.InputBuffer)); /* FIXME: unchecked __user access */
+
+ if (copy_from_user(&uiSectorSize, IoBuffer.InputBuffer, sizeof(UINT)))
+ return -EFAULT;
+
if((uiSectorSize < MIN_SECTOR_SIZE) || (uiSectorSize > MAX_SECTOR_SIZE))
{
-
- Status = copy_to_user(IoBuffer.OutputBuffer,
- (unsigned char *)&Adapter->uiSectorSize ,
- (UINT)sizeof(UINT));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Coping the sector size to use space failed. status:%d",Status);
- return -EFAULT;
- }
+ if (copy_to_user(IoBuffer.OutputBuffer, &Adapter->uiSectorSize,
+ sizeof(UINT)))
+ return -EFAULT;
}
else
{
if(IsFlash2x(Adapter))
{
- Status = copy_to_user(IoBuffer.OutputBuffer,
- (unsigned char *)&Adapter->uiSectorSize ,
- (UINT)sizeof(UINT));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Coping the sector size to use space failed. status:%d",Status);
- return -EFAULT;
- }
-
+ if (copy_to_user(IoBuffer.OutputBuffer,
+ &Adapter->uiSectorSize ,
+ sizeof(UINT)))
+ return -EFAULT;
}
else
{
@@ -1370,25 +1226,19 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
}
break;
case IOCTL_BCM_SET_DEBUG :
+#ifdef DEBUG
{
USER_BCM_DBG_STATE sUserDebugState;
// BCM_DEBUG_PRINT (Adapter, DBG_TYPE_PRINTK, 0, 0, "Entered the ioctl %x \n", IOCTL_BCM_SET_DEBUG );
BCM_DEBUG_PRINT (Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "In SET_DEBUG ioctl\n");
- Status = copy_from_user((PCHAR)&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT (Adapter, DBG_TYPE_PRINTK, 0, 0, "Copy from user failed\n");
- Status = -EFAULT;
- break;
- }
- Status = copy_from_user(&sUserDebugState,IoBuffer.InputBuffer, sizeof(USER_BCM_DBG_STATE));
- if(Status)
- {
- BCM_DEBUG_PRINT (Adapter, DBG_TYPE_PRINTK, 0, 0, "Copy of IoBuffer.InputBuffer failed");
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
+ if (copy_from_user(&sUserDebugState, IoBuffer.InputBuffer, sizeof(USER_BCM_DBG_STATE)))
return -EFAULT;
- }
+
BCM_DEBUG_PRINT (Adapter, DBG_TYPE_PRINTK, 0, 0, "IOCTL_BCM_SET_DEBUG: OnOff=%d Type = 0x%x ",
sUserDebugState.OnOff, sUserDebugState.Type);
@@ -1411,15 +1261,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
BCM_SHOW_DEBUG_BITMAP(Adapter);
}
+#endif
break;
case IOCTL_BCM_NVM_READ:
case IOCTL_BCM_NVM_WRITE:
{
-
- NVM_READWRITE stNVMReadWrite = {};
+ NVM_READWRITE stNVMReadWrite;
PUCHAR pReadData = NULL;
- void __user * pBuffertobeCopied = NULL;
- ULONG ulDSDMagicNumInUsrBuff = 0 ;
+ ULONG ulDSDMagicNumInUsrBuff = 0;
struct timeval tv0, tv1;
memset(&tv0,0,sizeof(struct timeval));
memset(&tv1,0,sizeof(struct timeval));
@@ -1444,21 +1293,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
/* Copy Ioctl Buffer structure */
if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"copy_from_user failed\n");
- Status = -EFAULT;
- break;
- }
- if(IOCTL_BCM_NVM_READ == cmd)
- pBuffertobeCopied = IoBuffer.OutputBuffer;
- else
- pBuffertobeCopied = IoBuffer.InputBuffer;
+ return -EFAULT;
- if(copy_from_user(&stNVMReadWrite, pBuffertobeCopied,sizeof(NVM_READWRITE)))
- {
- Status = -EFAULT;
- break;
- }
+ if(copy_from_user(&stNVMReadWrite,
+ (IOCTL_BCM_NVM_READ == cmd) ? IoBuffer.OutputBuffer : IoBuffer.InputBuffer,
+ sizeof(NVM_READWRITE)))
+ return -EFAULT;
//
// Deny the access if the offset crosses the cal area limit.
@@ -1471,13 +1311,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
break;
}
- pReadData =(PCHAR)kmalloc(stNVMReadWrite.uiNumBytes, GFP_KERNEL);
-
+ pReadData = kzalloc(stNVMReadWrite.uiNumBytes, GFP_KERNEL);
if(!pReadData)
return -ENOMEM;
- memset(pReadData,0,stNVMReadWrite.uiNumBytes);
-
if(copy_from_user(pReadData, stNVMReadWrite.pBuffer,
stNVMReadWrite.uiNumBytes))
{
@@ -1511,8 +1348,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
kfree(pReadData);
return Status;
}
- if(copy_to_user(stNVMReadWrite.pBuffer,
- pReadData, (UINT)stNVMReadWrite.uiNumBytes))
+ if(copy_to_user(stNVMReadWrite.pBuffer,pReadData, stNVMReadWrite.uiNumBytes))
{
kfree(pReadData);
Status = -EFAULT;
@@ -1604,7 +1440,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
UINT BuffSize = 0;
UINT ReadBytes = 0;
UINT ReadOffset = 0;
- char __user *OutPutBuff = NULL;
+ void __user *OutPutBuff;
if(IsFlash2x(Adapter) != TRUE)
{
@@ -1613,20 +1449,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
}
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "IOCTL_BCM_FLASH2X_SECTION_READ Called");
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
return -EFAULT;
- }
//Reading FLASH 2.x READ structure
- Status = copy_from_user(&sFlash2xRead, IoBuffer.InputBuffer,sizeof(FLASH2X_READWRITE));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of Input Buffer failed");
+ if (copy_from_user(&sFlash2xRead, IoBuffer.InputBuffer,sizeof(FLASH2X_READWRITE)))
return -EFAULT;
- }
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\nsFlash2xRead.Section :%x" ,sFlash2xRead.Section);
@@ -1690,7 +1518,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"Copy to use failed with status :%d", Status);
- Status = -EFAULT;
break;
}
NOB = NOB - ReadBytes;
@@ -1709,8 +1536,8 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_BCM_FLASH2X_SECTION_WRITE :
{
FLASH2X_READWRITE sFlash2xWrite = {0};
- PUCHAR pWriteBuff = NULL;
- void __user *InputAddr = NULL;
+ PUCHAR pWriteBuff;
+ void __user *InputAddr;
UINT NOB = 0;
UINT BuffSize = 0;
UINT WriteOffset = 0;
@@ -1727,20 +1554,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, " IOCTL_BCM_FLASH2X_SECTION_WRITE Called");
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
return -EFAULT;
- }
//Reading FLASH 2.x READ structure
- Status = copy_from_user(&sFlash2xWrite, IoBuffer.InputBuffer, sizeof(FLASH2X_READWRITE));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Reading of output Buffer from IOCTL buffer fails");
+ if (copy_from_user(&sFlash2xWrite, IoBuffer.InputBuffer, sizeof(FLASH2X_READWRITE)))
return -EFAULT;
- }
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\nsFlash2xRead.Section :%x" ,sFlash2xWrite.Section);
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\nsFlash2xRead.offset :%d" ,sFlash2xWrite.offset);
@@ -1765,12 +1584,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
else
BuffSize = NOB ;
- pWriteBuff = (PCHAR)kmalloc(BuffSize, GFP_KERNEL);
+ pWriteBuff = kmalloc(BuffSize, GFP_KERNEL);
if(pWriteBuff == NULL)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Memory allocation failed for Flash 2.x Read Structure");
return -ENOMEM;
- }
+
//extracting the remainder of the given offset.
WriteBytes = Adapter->uiSectorSize ;
@@ -1798,7 +1615,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Copy to user failed with status :%d", Status);
- Status = -EFAULT;
break ;
}
BCM_DEBUG_PRINT_BUFFER(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,pWriteBuff,WriteBytes);
@@ -1832,22 +1648,16 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_BCM_GET_FLASH2X_SECTION_BITMAP :
{
- PFLASH2X_BITMAP psFlash2xBitMap = NULL ;
+ PFLASH2X_BITMAP psFlash2xBitMap;
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "IOCTL_BCM_GET_FLASH2X_SECTION_BITMAP Called");
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
return -EFAULT;
- }
+
if(IoBuffer.OutputLength != sizeof(FLASH2X_BITMAP))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Structure size mismatch Lib :0x%lx Driver :0x%zx ",IoBuffer.OutputLength, sizeof(FLASH2X_BITMAP));
- break;
- }
+ return -EINVAL;
- psFlash2xBitMap = (PFLASH2X_BITMAP)kzalloc(sizeof(FLASH2X_BITMAP), GFP_KERNEL);
+ psFlash2xBitMap = kzalloc(sizeof(FLASH2X_BITMAP), GFP_KERNEL);
if(psFlash2xBitMap == NULL)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Memory is not available");
@@ -1868,13 +1678,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
BcmGetFlash2xSectionalBitMap(Adapter, psFlash2xBitMap);
up(&Adapter->NVMRdmWrmLock);
- Status = copy_to_user(IoBuffer.OutputBuffer, psFlash2xBitMap, sizeof(FLASH2X_BITMAP));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "copying Flash2x bitMap failed");
- kfree(psFlash2xBitMap);
- return -EFAULT;
- }
+ if (copy_to_user(IoBuffer.OutputBuffer, psFlash2xBitMap, sizeof(FLASH2X_BITMAP)))
+ Status = -EFAULT;
+
kfree(psFlash2xBitMap);
}
break ;
@@ -1893,14 +1699,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
- return -EFAULT;
+ return Status;
}
Status = copy_from_user(&eFlash2xSectionVal,IoBuffer.InputBuffer, sizeof(INT));
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of flash section val failed");
- return -EFAULT;
+ return Status;
}
down(&Adapter->NVMRdmWrmLock);
@@ -1948,14 +1754,14 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed Status :%d", Status);
- return -EFAULT;
+ return Status;
}
- Status = copy_from_user(&sCopySectStrut,IoBuffer.InputBuffer, sizeof(FLASH2X_COPY_SECTION));
+ Status = copy_from_user(&sCopySectStrut, IoBuffer.InputBuffer, sizeof(FLASH2X_COPY_SECTION));
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of Copy_Section_Struct failed with Status :%d", Status);
- return -EFAULT;
+ return Status;
}
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Source SEction :%x", sCopySectStrut.SrcSection);
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Destination SEction :%x", sCopySectStrut.DstSection);
@@ -2026,7 +1832,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
- Status = -EFAULT;
break;
}
if(Adapter->eNVMType != NVM_FLASH)
@@ -2039,35 +1844,18 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
{
if(IoBuffer.OutputLength < sizeof(FLASH2X_CS_INFO))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0," Passed buffer size:0x%lX is insufficient for the CS structure.. \nRequired size :0x%zx ",IoBuffer.OutputLength, sizeof(FLASH2X_CS_INFO));
- Status = -EINVAL;
- break;
- }
+ return -EINVAL;
- Status = copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlash2xCSInfo, sizeof(FLASH2X_CS_INFO));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "copying Flash2x cs info failed");
- Status = -EFAULT;
- break;
- }
+ if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlash2xCSInfo, sizeof(FLASH2X_CS_INFO)))
+ return -EFAULT;
}
else
{
if(IoBuffer.OutputLength < sizeof(FLASH_CS_INFO))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0," Passed buffer size:0x%lX is insufficient for the CS structure.. Required size :0x%zx ",IoBuffer.OutputLength, sizeof(FLASH_CS_INFO));
- Status = -EINVAL;
- break;
- }
- Status = copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(FLASH_CS_INFO));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "copying Flash CS info failed");
- Status = -EFAULT;
- break;
- }
+ return -EINVAL;
+
+ if (copy_to_user(IoBuffer.OutputBuffer, Adapter->psFlashCSInfo, sizeof(FLASH_CS_INFO)))
+ return -EFAULT;
}
}
@@ -2089,13 +1877,13 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
- return -EFAULT;
+ return Status;
}
- Status = copy_from_user(&eFlash2xSectionVal,IoBuffer.InputBuffer, sizeof(INT));
+ Status = copy_from_user(&eFlash2xSectionVal, IoBuffer.InputBuffer, sizeof(INT));
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of flash section val failed");
- return -EFAULT;
+ return Status;
}
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"Read Section :%d", eFlash2xSectionVal);
@@ -2125,13 +1913,13 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
case IOCTL_BCM_NVM_RAW_READ :
{
- NVM_READWRITE stNVMRead = {};
+ NVM_READWRITE stNVMRead;
INT NOB ;
INT BuffSize ;
INT ReadOffset = 0;
UINT ReadBytes = 0 ;
- PUCHAR pReadBuff = NULL ;
- char __user *OutPutBuff = NULL ;
+ PUCHAR pReadBuff;
+ void __user *OutPutBuff;
if(Adapter->eNVMType != NVM_FLASH)
{
@@ -2148,10 +1936,7 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
}
if(copy_from_user(&stNVMRead, IoBuffer.OutputBuffer,sizeof(NVM_READWRITE)))
- {
- Status = -EFAULT;
- break;
- }
+ return -EFAULT;
NOB = stNVMRead.uiNumBytes;
//In Raw-Read max Buff size : 64MB
@@ -2161,11 +1946,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
else
BuffSize = NOB ;
- ReadOffset = stNVMRead.uiOffset ;
+ ReadOffset = stNVMRead.uiOffset;
OutPutBuff = stNVMRead.pBuffer;
-
- pReadBuff = (PCHAR)kzalloc(BuffSize , GFP_KERNEL);
+ pReadBuff = kzalloc(BuffSize , GFP_KERNEL);
if(pReadBuff == NULL)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Memory allocation failed for Flash 2.x Read Structure");
@@ -2200,13 +1984,12 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
break;
}
- BCM_DEBUG_PRINT_BUFFER(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,pReadBuff, ReadBytes);
+ BCM_DEBUG_PRINT_BUFFER(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,pReadBuff,ReadBytes);
Status = copy_to_user(OutPutBuff, pReadBuff,ReadBytes);
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Copy to use failed with status :%d", Status);
- Status = -EFAULT;
break;
}
NOB = NOB - ReadBytes;
@@ -2232,7 +2015,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of Ioctl buffer is failed from user space");
- Status = -EFAULT;
break;
}
@@ -2240,7 +2022,6 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
if(Status)
{
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"copy of control bit mask failed from user space");
- Status = -EFAULT;
break;
}
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"\n Got user defined cntrl msg bit mask :%lx", RxCntrlMsgBitMask);
@@ -2259,66 +2040,41 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
DevInfo.u32NVMType = Adapter->eNVMType;
DevInfo.u32InterfaceType = BCM_USB;
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
- Status = -EFAULT;
- break;
- }
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
if(IoBuffer.OutputLength < sizeof(DevInfo))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"User Passed buffer length is less than actural buffer size");
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"user passed buffer size :0x%lX, expected size :0x%zx",IoBuffer.OutputLength, sizeof(DevInfo));
- Status = -EINVAL;
- break;
- }
- Status = copy_to_user(IoBuffer.OutputBuffer, &DevInfo, sizeof(DevInfo));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"copying Dev info structure to user space buffer failed");
- Status = -EFAULT;
- break;
- }
+ return -EINVAL;
+
+ if (copy_to_user(IoBuffer.OutputBuffer, &DevInfo, sizeof(DevInfo)))
+ return -EFAULT;
}
break ;
case IOCTL_BCM_TIME_SINCE_NET_ENTRY:
{
ST_TIME_ELAPSED stTimeElapsedSinceNetEntry = {0};
- struct timeval tv = {0} ;
BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"IOCTL_BCM_TIME_SINCE_NET_ENTRY called");
- Status = copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy of IOCTL BUFFER failed");
- Status = -EFAULT;
- break;
- }
+ if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
+ return -EFAULT;
+
if(IoBuffer.OutputLength < sizeof(ST_TIME_ELAPSED))
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"User Passed buffer length:0x%lx is less than expected buff size :0x%zX",IoBuffer.OutputLength,sizeof(ST_TIME_ELAPSED));
- Status = -EINVAL;
- break;
- }
+ return -EINVAL;
- //stTimeElapsedSinceNetEntry.ul64TimeElapsedSinceNetEntry = Adapter->liTimeSinceLastNetEntry;
- do_gettimeofday(&tv);
- stTimeElapsedSinceNetEntry.ul64TimeElapsedSinceNetEntry = tv.tv_sec - Adapter->liTimeSinceLastNetEntry;
+ stTimeElapsedSinceNetEntry.ul64TimeElapsedSinceNetEntry = get_seconds() - Adapter->liTimeSinceLastNetEntry;
- Status = copy_to_user(IoBuffer.OutputBuffer, &stTimeElapsedSinceNetEntry, sizeof(ST_TIME_ELAPSED));
- if(Status)
- {
- BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"copying ST_TIME_ELAPSED structure to user space buffer failed");
- Status = -EFAULT;
- break;
- }
+ if (copy_to_user(IoBuffer.OutputBuffer, &stTimeElapsedSinceNetEntry, sizeof(ST_TIME_ELAPSED)))
+ return -EFAULT;
}
break;
+ case IOCTL_CLOSE_NOTIFICATION:
+ BCM_DEBUG_PRINT(Adapter,DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL,"IOCTL_CLOSE_NOTIFICATION");
+ break;
+
default:
pr_info(DRV_NAME ": unknown ioctl cmd=%#x\n", cmd);
Status = STATUS_FAILURE;
diff --git a/drivers/staging/bcm/HostMibs.h b/drivers/staging/bcm/HostMibs.h
deleted file mode 100644
index 28a5783..0000000
--- a/drivers/staging/bcm/HostMibs.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _HOST_MIBS_H
-#define _HOST_MIBS_H
-
-INT ProcessGetHostMibs(PMINI_ADAPTER Adapter,
- PVOID ioBuffer,
- ULONG inputBufferLength);
-#endif
diff --git a/drivers/staging/bcm/Prototypes.h b/drivers/staging/bcm/Prototypes.h
index a4b57bb..c9e1d61 100644
--- a/drivers/staging/bcm/Prototypes.h
+++ b/drivers/staging/bcm/Prototypes.h
@@ -108,10 +108,8 @@ void SendIdleModeResponse(PMINI_ADAPTER Adapter);
void HandleShutDownModeRequest(PMINI_ADAPTER Adapter,PUCHAR pucBuffer);
-int ProcessGetHostMibs(PMINI_ADAPTER Adapter, PVOID ioBuffer,
- ULONG inputBufferLength);
-
-int GetDroppedAppCntrlPktMibs(PVOID ioBuffer, PPER_TARANG_DATA pTarang);
+int ProcessGetHostMibs(PMINI_ADAPTER Adapter, S_MIBS_HOST_STATS_MIBS *buf);
+void GetDroppedAppCntrlPktMibs(S_MIBS_HOST_STATS_MIBS *ioBuffer, PPER_TARANG_DATA pTarang);
void beceem_parse_target_struct(PMINI_ADAPTER Adapter);
void doPowerAutoCorrection(PMINI_ADAPTER psAdapter);
diff --git a/drivers/staging/bcm/headers.h b/drivers/staging/bcm/headers.h
index 0fdee95..473f11e 100644
--- a/drivers/staging/bcm/headers.h
+++ b/drivers/staging/bcm/headers.h
@@ -56,7 +56,6 @@
#include "CmHost.h"
#include "DDRInit.h"
#include "Debug.h"
-#include "HostMibs.h"
#include "IPv6ProtocolHdr.h"
#include "PHSModule.h"
#include "Protocol.h"
diff --git a/drivers/staging/bcm/hostmibs.c b/drivers/staging/bcm/hostmibs.c
index 0d75ff7..1445900 100644
--- a/drivers/staging/bcm/hostmibs.c
+++ b/drivers/staging/bcm/hostmibs.c
@@ -10,12 +10,8 @@
*/
#include "headers.h"
-INT ProcessGetHostMibs(PMINI_ADAPTER Adapter,
- PVOID ioBuffer,
- ULONG inputBufferLength)
+INT ProcessGetHostMibs(PMINI_ADAPTER Adapter, S_MIBS_HOST_STATS_MIBS *pstHostMibs)
{
-
- S_MIBS_HOST_STATS_MIBS *pstHostMibs = NULL;
S_SERVICEFLOW_ENTRY *pstServiceFlowEntry = NULL;
S_PHS_RULE *pstPhsRule = NULL;
S_CLASSIFIER_TABLE *pstClassifierTable = NULL;
@@ -30,15 +26,6 @@ INT ProcessGetHostMibs(PMINI_ADAPTER Adapter,
return STATUS_FAILURE;
}
- if(ioBuffer == NULL)
- {
- return -EINVAL;
- }
- memset(ioBuffer,0,sizeof(S_MIBS_HOST_STATS_MIBS));
-
- pstHostMibs = (S_MIBS_HOST_STATS_MIBS *)ioBuffer;
-
-
//Copy the classifier Table
for(nClassifierIndex=0; nClassifierIndex < MAX_CLASSIFIERS;
nClassifierIndex++)
@@ -115,13 +102,10 @@ INT ProcessGetHostMibs(PMINI_ADAPTER Adapter,
}
-INT GetDroppedAppCntrlPktMibs(PVOID ioBuffer, PPER_TARANG_DATA pTarang)
+VOID GetDroppedAppCntrlPktMibs(S_MIBS_HOST_STATS_MIBS *pstHostMibs, const PPER_TARANG_DATA pTarang)
{
- S_MIBS_HOST_STATS_MIBS *pstHostMibs = (S_MIBS_HOST_STATS_MIBS *)ioBuffer;
-
- memcpy((PVOID)&(pstHostMibs->stDroppedAppCntrlMsgs),(PVOID)&(pTarang->stDroppedAppCntrlMsgs),sizeof(S_MIBS_DROPPED_APP_CNTRL_MESSAGES));
-
- return STATUS_SUCCESS ;
+ memcpy(&(pstHostMibs->stDroppedAppCntrlMsgs),
+ &(pTarang->stDroppedAppCntrlMsgs),sizeof(S_MIBS_DROPPED_APP_CNTRL_MESSAGES));
}
--
1.7.3.2
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
