summaryrefslogtreecommitdiffstats
path: root/drivers/staging
diff options
context:
space:
mode:
authorWim de With <nauxuron@wimdewith.com>2015-12-11 10:25:13 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-12-26 17:13:33 -0800
commitd1052aa5692d08aa4a058507ff5721317d2bef75 (patch)
tree8739397f4e3132ce6ff9eda4386f2b9626dc5aa8 /drivers/staging
parent2bc29a1abc5c1b89576f8ae864cce9c07d18fd44 (diff)
downloadlinux-d1052aa5692d08aa4a058507ff5721317d2bef75.tar.bz2
staging: gdm72xx: add userspace data struct
This fixes the sparse warnings about dereferencing a userspace pointer. Once I updated the sparse annotations, I noticed a bug in gdm_wimax_ioctl() where we pass a user space pointer to gdm_update_fsm() which dereferences it. I fixed this. Signed-off-by: Wim de With <nauxuron@wimdewith.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging')
-rw-r--r--drivers/staging/gdm72xx/gdm_wimax.c12
-rw-r--r--drivers/staging/gdm72xx/wm_ioctl.h7
2 files changed, 14 insertions, 5 deletions
diff --git a/drivers/staging/gdm72xx/gdm_wimax.c b/drivers/staging/gdm72xx/gdm_wimax.c
index b8eea21f2655..ba03f9386567 100644
--- a/drivers/staging/gdm72xx/gdm_wimax.c
+++ b/drivers/staging/gdm72xx/gdm_wimax.c
@@ -363,7 +363,7 @@ static void kdelete(void **buf)
}
}
-static int gdm_wimax_ioctl_get_data(struct data_s *dst, struct data_s *src)
+static int gdm_wimax_ioctl_get_data(struct udata_s *dst, struct data_s *src)
{
int size;
@@ -379,7 +379,7 @@ static int gdm_wimax_ioctl_get_data(struct data_s *dst, struct data_s *src)
return 0;
}
-static int gdm_wimax_ioctl_set_data(struct data_s *dst, struct data_s *src)
+static int gdm_wimax_ioctl_set_data(struct data_s *dst, struct udata_s *src)
{
if (!src->size) {
dst->size = 0;
@@ -455,6 +455,7 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
struct wm_req_s *req = (struct wm_req_s *)ifr;
struct nic *nic = netdev_priv(dev);
int ret;
+ struct fsm_s fsm_buf;
if (cmd != SIOCWMIOCTL)
return -EOPNOTSUPP;
@@ -477,8 +478,11 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
/* NOTE: gdm_update_fsm should be called
* before gdm_wimax_ioctl_set_data is called.
*/
- gdm_update_fsm(dev,
- req->data.buf);
+ if (copy_from_user(&fsm_buf, req->data.buf,
+ sizeof(struct fsm_s)))
+ return -EFAULT;
+
+ gdm_update_fsm(dev, &fsm_buf);
}
ret = gdm_wimax_ioctl_set_data(
&nic->sdk_data[req->data_id], &req->data);
diff --git a/drivers/staging/gdm72xx/wm_ioctl.h b/drivers/staging/gdm72xx/wm_ioctl.h
index ed8f649c0042..631cb1d23c7e 100644
--- a/drivers/staging/gdm72xx/wm_ioctl.h
+++ b/drivers/staging/gdm72xx/wm_ioctl.h
@@ -78,13 +78,18 @@ struct data_s {
void *buf;
};
+struct udata_s {
+ int size;
+ void __user *buf;
+};
+
struct wm_req_s {
union {
char ifrn_name[IFNAMSIZ];
} ifr_ifrn;
unsigned short cmd;
unsigned short data_id;
- struct data_s data;
+ struct udata_s data;
/* NOTE: sizeof(struct wm_req_s) must be less than sizeof(struct ifreq). */
};