These debugging tools let you call: status = usb_control_msg_recv/send(udev, 0, REALTEK_USB_VENQT_CMD_REQ, REALTEK_USB_VENQT_READ/WRITE, value, REALTEK_USB_VENQT_CMD_IDX, io_buf, size, RTW_USB_CONTROL_MSG_TIMEOUT, GFP_KERNEL); with a user controlled "value" in the 0-0xffff range. It's not a valid API. Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/staging/r8188eu/os_dep/ioctl_linux.c | 86 +------------------- 1 file changed, 2 insertions(+), 84 deletions(-) diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c index 42cb79cee2ae..a802c1e7b456 100644 --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c @@ -1886,88 +1886,6 @@ static int rtw_wx_get_nick(struct net_device *dev, return 0; } -static int rtw_wx_read32(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, char *extra) -{ - struct adapter *padapter; - struct iw_point *p; - u16 len; - u32 addr; - u32 data32; - u32 bytes; - u8 *ptmp; - int ret; - - padapter = (struct adapter *)rtw_netdev_priv(dev); - p = &wrqu->data; - len = p->length; - ptmp = memdup_user(p->pointer, len); - if (IS_ERR(ptmp)) - return PTR_ERR(ptmp); - - bytes = 0; - addr = 0; - sscanf(ptmp, "%d,%x", &bytes, &addr); - - switch (bytes) { - case 1: - data32 = rtw_read8(padapter, addr); - sprintf(extra, "0x%02X", data32); - break; - case 2: - data32 = rtw_read16(padapter, addr); - sprintf(extra, "0x%04X", data32); - break; - case 4: - data32 = rtw_read32(padapter, addr); - sprintf(extra, "0x%08X", data32); - break; - default: - ret = -EINVAL; - goto err_free_ptmp; - } - - kfree(ptmp); - return 0; - -err_free_ptmp: - kfree(ptmp); - return ret; -} - -static int rtw_wx_write32(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, char *extra) -{ - struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); - - u32 addr; - u32 data32; - u32 bytes; - - bytes = 0; - addr = 0; - data32 = 0; - sscanf(extra, "%d,%x,%x", &bytes, &addr, &data32); - - switch (bytes) { - case 1: - rtw_write8(padapter, addr, (u8)data32); - break; - case 2: - rtw_write16(padapter, addr, (u16)data32); - break; - case 4: - rtw_write32(padapter, addr, data32); - break; - default: - return -EINVAL; - } - - return 0; -} - static int rtw_wx_read_rf(struct net_device *dev, struct iw_request_info *info, union iwreq_data *wrqu, char *extra) @@ -3771,8 +3689,8 @@ static const struct iw_priv_args rtw_private_args[] = { }; static iw_handler rtw_private_handler[] = { -rtw_wx_write32, /* 0x00 */ -rtw_wx_read32, /* 0x01 */ + NULL, /* 0x00 */ + NULL, /* 0x01 */ NULL, /* 0x02 */ NULL, /* 0x03 */ /* for MM DTV platform */ -- 2.35.1