Commit Graph

72 Commits (060f0ce6ff975decd1e0ee318c08e228bccbee1e)

Author SHA1 Message Date
Dan Carpenter cb9cc9cae9 Staging: bcm: copying more data than intended
This was changed to bcm_flash2x_cs_info instead of bcm_flash_cs_info
when we got rid of the typedefs.  bcm_flash2x_cs_info is quite a bit
larger than bcm_flash_cs_info (436 bytes instead of 96) so it would
corrupt user memory and it's an info leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-17 13:52:37 -08:00
Kevin McKinney a049728928 Staging: bcm: Change the name of typedef USER_BCM_DBG_STATE to bcm_user_debug_state.
This patch removes typedef for USER_BCM_DBG_STATE, and
changes the name of the struct to bcm_user_debug_state.
In addition, any calls to struct "USER_BCM_DBG_STATE"
are changed to call directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-07 10:57:51 -08:00
Kevin McKinney a23e67f1a2 Staging: bcm: Remove typedef for _LINK_STATE and call directly.
This patch removes typedef for _LINK_STATE, and changes
the name of the struct to bcm_link_state. In addition,
any calls to struct "LINK_STATE, or PLINK_STATE" are
changed to call directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-07 10:56:43 -08:00
Kevin McKinney 168b14009a Staging: bcm: Remove typedef for _FLASH_CS_INFO and call directly.
This patch removes typedef for _FLASH_CS_INFO, and
changes the name of the struct to bcm_flash_cs_info.
In addition, any calls to typedefs FLASH_CS_INFO, or
*PFLASH_CS_INFO are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-07 10:45:51 -08:00
Kevin McKinney 08391731e0 Staging: bcm: Remove typedef for _FLASH_2X_CS_INFO and call directly.
This patch removes typedef for _FLASH_2X_CS_INFO, and
changes the name of the struct to bcm_flash2x_cs_info.
In addition, any calls to typedefs FLASH2X_CS_INFO, or
*PFLASH2X_CS_INFO are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-01-07 10:45:51 -08:00
Kevin McKinney 954f91d1af Staging: bcm: Remove typedef for _S_MIBS_HOST_STATS_MIBS and call directly.
This patch removes typedef for _S_MIBS_HOST_STATS_MIBS,
and changes the name of the struct to bcm_host_stats_mibs.
In addition, any calls to typedefs S_MIBS_HOST_STATS_MIBS
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:07:57 -08:00
Kevin McKinney dc23445a11 Staging: bcm: Remove typedef for rdmbuffer and call directly.
This patch removes typedef for rdmbuffer, and
changes the name of the struct to bcm_rdm_buffer.
In addition, any calls to typedefs RDM_BUFFER, or
*PRDM_BUFFER are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:23 -08:00
Kevin McKinney a2521d7971 Staging: bcm: Remove typedef for wrmbuffer and call directly.
This patch removes typedef for wrmbuffer, and
changes the name of the struct to bcm_wrm_buffer.
In addition, any calls to typedefs WRM_BUFFER, or
*PWRM_BUFFER are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:23 -08:00
Kevin McKinney 86d289d257 Staging: bcm: Remove typedef for stGPIOInfo and call directly.
This patch removes typedef for stGPIOInfo, and
changes the name of the struct to bcm_gpio_info.
In addition, any calls to typedefs GPIO_INFO, or
*PGPIO_INFO are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:23 -08:00
Kevin McKinney bac02ed8a7 Staging: bcm: Remove typedef for ioctlbuffer and call directly.
This patch removes typedef for ioctlbuffer, and
changes the name of the struct to bcm_ioctl_buffer.
In addition, any calls to typedefs IOCTL_BUFFER, or
*PIOCTL_BUFFER are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney d532703c38 Staging: bcm: Remove typedef for stUserThreadReq and call directly.
This patch removes typedef for stUserThreadReq,
and changes the name of the struct to bcm_user_thread_req.
In addition, any calls to typedefs USER_THREAD_REQ, or
*PUSER_THREAD_REQ are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney ff4e065de1 Staging: bcm: Remove typedef for _FLASH2X_SECTION_VAL and reference directly.
This patch removes typedef for _FLASH2X_SECTION_VAL,
and changes the name of the enum to bcm_flash2x_section_val.
In addition, any calls to typedefs FLASH2X_SECTION_VAL
are changed to reference the enum directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney ff31e745cd Staging: bcm: Remove typedef for _DEVICE_DRIVER_INFO and call directly.
This patch removes typedef for _DEVICE_DRIVER_INFO,
and changes the name of the struct to
bcm_driver_info. In addition, any calls to
typedefs DEVICE_DRIVER_INFO are changed to call
the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney b4a29e104a Staging: bcm: Remove typedef for _FLASH2X_READWRITE and call directly.
This patch removes typedef for _FLASH2X_READWRITE,
and changes the name of the struct to
bcm_flash2x_readwrite. In addition, any calls to
typedefs FLASH2X_READWRITE, or *PFLASH2X_READWRITE
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney 3712af0c0d Staging: bcm: Remove typedef for _NVM_READWRITE and call directly.
This patch removes typedef for _NVM_READWRITE,
and changes the name of the struct to
bcm_nvm_readwrite. In addition, any calls to
typedefs NVM_READWRITE, or *PNVM_READWRITE
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney 98e341d3dd Staging: bcm: Remove typedef for bulkwrmbuffer and call directly.
This patch removes typedef for bulkwrmbuffer,
and changes the name of the struct to
bcm_bulk_wrm_buffer. In addition, any calls to
typedefs BULKWRM_BUFFER, or *PBULKWRM_BUFFER
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:22 -08:00
Kevin McKinney b1206c091b Staging: bcm: Remove typedef for _FLASH2X_COPY_SECTION and call directly.
This patch removes typedef for _FLASH2X_COPY_SECTION,
and changes the name of the struct to
bcm_flash2x_copy_section. In addition, any calls to
typedefs FLASH2X_COPY_SECTION, or *PFLASH2X_COPY_SECTION
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:21 -08:00
Kevin McKinney d48a430c2c Staging: bcm: Remove typedef for _FLASH2X_BITMAP and call directly.
This patch removes typedef for _FLASH2X_BITMAP,
and changes the name of the struct to
bcm_flash2x_bitmap. In addition, any calls
to typedefs FLASH2X_BITMAP, or *PFLASH2X_BITMAP
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:14 -08:00
Kevin McKinney 0395a61d91 Staging: bcm: Remove typedef for _ST_TIME_ELAPSED_ and call directly.
This patch removes typedef for _ST_TIME_ELAPSED_,
and changes the name of the struct to
bcm_time_elapsed. In addition, any calls
to typedefs ST_TIME_ELAPSED, or *PST_TIME_ELAPSED
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:12 -08:00
Kevin McKinney 63df64a27a Staging: bcm: Remove typedef for stGPIOMultiInfo and call directly.
This patch removes typedef for stGPIOMultiInfo,
and changes the name of the struct to
bcm_gpio_multi_info. In addition, any calls
to typedefs GPIO_MULTI_INFO, or *PGPIO_MULTI_INFO
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:12 -08:00
Kevin McKinney 9e91edb71d Staging: bcm: Remove typedef for stGPIOMultiMode and call directly.
This patch removes typedef for
stGPIOMultiMode, and changes the name of the
struct to bcm_gpio_multi_mode. In addition,
any calls to typedefs GPIO_MULTI_MODE, or
*PGPIO_MULTI_MODE are changed to call the
struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 16:05:12 -08:00
Kevin McKinney d6861cfef2 Staging: bcm: Remove typedef for _S_INTERFACE_ADAPTER and call directly.
This patch removes typedef for
_S_INTERFACE_ADAPTER, changes the
name of the struct to bcm_interface_adapter.
In addition, any calls to typedefs
S_INTERFACE_ADAPTER, or *PS_INTERFACE_ADAPTER
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-02 11:36:46 -07:00
Kevin McKinney 7fac0c47ed Staging: bcm: Remove typedef for stLocalSFAddIndicationAlt and call directly.
This patch removes typedef for
stLocalSFAddIndicationAlt, changes the
name of the struct to bcm_add_indication_alt,
and removes a comment. In addition, any
calls to typedef stLocalSFAddIndicationAlt
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-10-30 19:44:48 -07:00
Wei Yongjun dce15efebe staging: bcm: fix possible memory leak in bcm_char_ioctl()
psFwInfo has been allocated in this function and should be
freed before leaving from the error handling cases.

spatch with a semantic match is used to find this problem.
(http://coccinelle.lip6.fr/)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-09-04 14:14:08 -07:00
Kevin McKinney 2979460d7a Staging: bcm: Remove typedef for _MINI_ADAPTER and call directly.
This patch removes typedef for _MINI_ADAPTER, changes the
name of the struct from _MINI_ADAPTER to bcm_mini_adapter.
In addition, any calls to the following typedefs
"MINI_ADAPTER, *PMINI_ADAPTER" are changed to call
the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-06-04 21:09:22 -07:00
Kevin McKinney 2610c7a889 Staging: bcm: Remove typedef for link_request and call directly.
This patch removes typedef for link_request, changes the
name of the struct from link_request to bcm_link_request.
In addition, any calls to the following typedefs
"LINK_REQUEST, *PLINK_REQUEST, *CONTROL_MESSAGE"
are changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-06-04 21:09:21 -07:00
Kevin McKinney 0b3edf760a Staging: bcm: Remove typedef for _packet_info and call directly.
This patch removes typedef for _packet_info,
changes the name of the struct from
_packet_info to bcm_packet_info.
In addition, any calls to the following typedefs
"PacketInfo, _packet_info" are changed to call the
struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-06-04 21:08:10 -07:00
Kevin McKinney 774bea8314 Staging: bcm: Remove typedef for _PER_TARANG_DATA and call directly.
This patch removes typedef for _PER_TARANG_DATA,
changes the name of the struct from
_PER_TARANG_DATA to bcm_per_tarang_data.
In addition, any calls to the following typedefs
"PER_TARANG_DATA, *PPER_TARANG_DATA" are
changed to call the struct directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-06-04 21:08:09 -07:00
Kevin McKinney 7a27a2ccf8 Staging: bcm: Remove typedef for FirmwareInfo and call directly.
This patch removes typedef for FirmwareInfo,
changes the name from Firmwareinfo to
bcm_firmware_info. In addition, any calls to
the following typedefs "PFIRMWARE_INFO,
FIRMWARE_INFO" are changed to call the struct
directly.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-06-04 21:06:35 -07:00
Thomas Meyer 2d9ebe77b7 Staging: bcm: Use memdup_user rather than duplicating its implementation
This is a little bit restricted to reduce false positives

The semantic patch that makes this change is available
in scripts/coccinelle/api/memdup_user.cocci.

More information about semantic patching is available at
http://coccinelle.lip6.fr/

Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-02-08 17:22:16 -08:00
Kevin McKinney b71dbbcfaa Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch verifies a negative number was not entered, and
reorganizes the equation to remove the integer overflow.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-02-08 17:19:03 -08:00
Kevin McKinney 221fd753dd Staging: bcm: Fix an invalid dereference to a kmalloc in IOCTL_BCM_BULK_WRM
Variable IoBuffer.InputLength is chosen from userspace,
and can therefore be less than the intended size. In this
case, the memory from the kmalloc call is eventually cast
to a PBULKWRM_BUFFER. If the IoBuffer.InputLength does not
meet the minimum size of PBULKWRM_BUFFER, then we will get
a kernel Oops. To resolve this issue, this patch verifies
IoBuffer.InputLength meets the minimum size before invoking
the kmalloc call.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-12-22 13:32:45 -08:00
Kevin McKinney b72a7c859e Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION
This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
responsible for sending the driver version
to userspace. However, the requested size stored
in IoBuffer.OutputLength may be incorrect.
Therefore, we altered the code to send the
exact length of the version, plus one for the
null character.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-12-22 13:32:45 -08:00
Kevin McKinney d3a21c3c4b Staging: bcm: Alter return value for copy_to/from_user() to "return -EFAULT" when an error occurs.
In this clean up patch, I altered functions: copy_to/
from_user() to return -EFAULT when an error occurs.
I also replaced break statements when an error occurs
from copy_to/from_user() with direct returns of -EFAULT.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-12-08 12:42:16 -08:00
Kevin McKinney 6561f91d68 Staging: bcm: Alter code to move error handling closer to the calls; and remove white space, IOCTL_BCM_NVM_WRITE.
This is a clean up patch for IOCTL_BCM_NVM_WRITE
that replaces the assignment of the Status
variable with direct returns of the error code,
replaces the break statements with direct returns,
and removes a white space.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-12-08 12:42:16 -08:00
Kevin McKinney 09468b0392 Staging: bcm: Fix double free of 'pReadData' in IOCTL_BCM_NVM_WRITE.
This patch fixes a memory error in ioctl,
IOCTL_BCM_NVM_WRITE. While copying data to
user space, if an error occurs, pReadData
is freed. Then, at the end of the ioctl,
pReadData was being freed again.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-12-08 12:42:15 -08:00
Kevin McKinney 19a177e6fb Staging: bcm: Reverse semaphore locking in IOCTL_BCM_BUFFER_DOWNLOAD_STOP.
This patch reorders the semaphore locking.
It makes better sense to first evaluate
fw_download_sema semaphore then
NVMRdmWrmLocl semaphore. The
fw_download_sema is supposed to be
acquired in the START ioctl.  If this is
not true, then it does not make sense
to continue.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-29 10:09:52 +09:00
Kevin McKinney 8fbebb091a Staging: bcm: Alter code to move error handling closer to the calls.
This is a cleanup patch. I've shuffled the code around to
move the error handling closer to the calls. I've removed
some indent levels. I've replaced break statements with
direct returns.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-29 10:09:52 +09:00
Kevin McKinney fef5675ecb Staging: bcm: Clean up patch that calls semaphore down_trylock directly.
This patch evaluates/calls the down_trylock locking
function directly, instead of storing the results
in a variable and evaluating the variable. These
changes were made in:
IOCTL_BCM_BUFFER_DOWNLOAD_STOP and
IOCTL_BCM_BUFFER_DOWNLOAD_START.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-29 10:09:52 +09:00
Kevin McKinney d9f26a6689 Staging: bcm: Fix semaphore locking error when downloading firmware.
This patch releases semaphore locks when
an error occurs while attempting to
download firmware for the bcm driver.
When downloading firmware for this driver,
a process is expected to call
the following ioctls in this order:
(1) IOCTL_BCM_BUFFER_DOWNLOAD_START,
(2) IOCTL_BCM_BUFFER_DOWNLOAD, and
(3) IOCTL_BCM_BUFFER_DOWNLOAD_STOP.
Semaphore, “Adapter->fw_download_sema” is
expected to be acquired in the first ioctl,
IOCTL_BCM_BUFFER_DOWNLOAD_START, and it should
block until IOCTL_BCM_BUFFER_DOWNLOAD_STOP
is called.  In this case, if an error
occurred before STOP finished, the semaphore
"Adapter->fw_download_sema" was not being released.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-26 17:14:48 -08:00
Kevin McKinney abe33fc093 Staging: bcm: Fix semaphore locking bug in, IOCTL_BCM_BUFFER_DOWNLOAD
In this ioctl, we are testing to see if the lock is held.
If it is not held, that means this ioctl was used incorrectly.
Therefore, we do not want to take the lock ourselves here.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-26 17:14:48 -08:00
Kevin McKinney 77121d52a4 Staging: bcm: Remove unnecessary "do while" statement in, IOCTL_BCM_BUFFER_DOWNLOAD
This patch removes a superfluous "do while"
statement in IOCTL_BCM_BUFFER_DOWNLOAD.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-26 17:14:48 -08:00
Kevin McKinney 51935d2259 Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ
This patch verifies two conditions before executing
a kmalloc call. First, it checks to see that
IoBuffer.OutputLength is not greater than an
unsigned short. If so, an invalid value may be
returned. The second change is a check to make
sure IoBuffer.OutputLength is not equal to
zero, which simply keeps this code in line with
the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-26 17:13:33 -08:00
Kevin McKinney 41c7b7c0fa Staging: bcm: Fix information leak in ioctl: IOCTL_BCM_REGISTER_READ_PRIVATE, IOCTL_BCM_EEPROM_REGISTER_READ
This patch fixes an information leak in ioctl
IOCTL_BCM_REGISTER_READ_PRIVATE and
IOCTL_BCM_EEPROM_REGISTER_READ when determining
the number of bytes to copy to user space.  Function,
usb_control_msg, returns the correct number of
bytes from the hardware.  Instead of using
this value, we were using a value derived from
user space. In this case, this value could be more
than the hardware allocated.  Therefore, this
patch copies the proper number of bytes from
the hardware, and uses this value as the maximum
number of bytes for user space.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-26 17:11:58 -08:00
Kevin McKinney 2505aa6ce4 Staging: bcm: Alter LOC for readability/understandability purposes
This patch alters a line of code to make it more readable
and easier to understand. The purpose of the original line
of code was to compute the amount of memory to request from
kmalloc. This multi-step algorithm was being done in one
line of code, thus making it more difficult to understand.
Therefore, I split this algorithm into three logical steps.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-09-29 17:34:51 -07:00
Kevin McKinney 0a2cc4977f Staging: bcm: Add min/max restrictions for IOCTL_BCM_REGISTER_READ_PRIVATE
This patch fixes two issues within bcm/Bcmchar.c. The
first condition in the or statement checks if variable
IoBuffer.OutputLength, defined from user space, is
greater than the maximum value allowed for an
unsigned short. IoBuffer.OutputLength is then used
in a kmalloc call to return a pointer to memory. If
this size is greater than an unsigned short, it
becomes useless. The second condition in the or statement
checks if the same variable, IoBuffer.OutputLength is
equal to zero before invoking the kmalloc call. In
this case, if a zero size is sent to kmalloc, a valid
pointer to memory is returned instead of the expected NULL.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-09-29 17:34:51 -07:00
Kevin McKinney e228b7426e Staging: bcm: Add size maximum size restrictions for IOCTL_IDLE_REQ
In the first alteration, the MAX_CNTL_PKT_SIZE is the
maximum size of the control packet in ->Adapter->txctlpacket[]
which is defined in InitAdapter(). This caps the size of
kmalloc memory allocation. In the second change, this max
cap fixes a potential memory corruption bug when subsequent
memset and memcpy calls are invoked.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-09-19 10:46:17 -07:00
Kevin McKinney 5ac5bd8754 Staging: bcm: Add size minimum size restrictions for IOCTL_IDLE_REQ
If IoBuffer.InputLength is zero then this will cause an Oops when
we dereference the ZERO_SIZE_PTR.  Or if it's smaller than
sizeof(struct link_request) then we would get memory corruption
when we set ->PLength in CopyBufferToControlPacket().

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-09-19 10:46:17 -07:00
Kevin McKinney 1dc634772b Staging: bcm: Fix memory leak reported during compile.
This patch fixes a potential memory leak where temp_buff buffer
is not being freed when a certain condition is true.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-08-23 15:20:53 -07:00
Kevin McKinney fbfcdf254d Staging: bcm: Fix a coding style error reported by checkpatch.pl
Tool checkpatch.pl reported the following error: "extern struct class *bcm_class;"
declaration not allowed in .c files. Therefore, I moved this declaration into
the header "headers.h" file.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-08-23 15:20:52 -07:00