* the first word of the parameter block, and use the command
* AR6000_IOCTL_EXTENDED_CMD on the ioctl call.
*/
- get_user(cmd, (int *)rq->ifr_data);
+ if (get_user(cmd, (int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ goto ioctl_done;
+ }
userdata = (char *)(((unsigned int *)rq->ifr_data)+1);
if(is_xioctl_allowed(ar->arNextMode, cmd) != A_OK) {
A_PRINTF("xioctl: cmd=%d not allowed in this mode\n",cmd);
break;
case AR6000_XIOCTL_BMI_READ_MEMORY:
- get_user(address, (unsigned int *)userdata);
- get_user(length, (unsigned int *)userdata + 1);
+ if (get_user(address, (unsigned int *)userdata) ||
+ get_user(length, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
+
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Read Memory (address: 0x%x, length: %d)\n",
address, length));
if ((buffer = (unsigned char *)A_MALLOC(length)) != NULL) {
break;
case AR6000_XIOCTL_BMI_WRITE_MEMORY:
- get_user(address, (unsigned int *)userdata);
- get_user(length, (unsigned int *)userdata + 1);
+ if (get_user(address, (unsigned int *)userdata) ||
+ get_user(length, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Write Memory (address: 0x%x, length: %d)\n",
address, length));
if ((buffer = (unsigned char *)A_MALLOC(length)) != NULL) {
break;
case AR6000_XIOCTL_BMI_EXECUTE:
- get_user(address, (unsigned int *)userdata);
- get_user(param, (unsigned int *)userdata + 1);
+ if (get_user(address, (unsigned int *)userdata) ||
+ get_user(param, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Execute (address: 0x%x, param: %d)\n",
address, param));
ret = BMIExecute(hifDevice, address, (A_UINT32*)¶m);
- put_user(param, (unsigned int *)rq->ifr_data); /* return value */
+ /* return value */
+ if (put_user(param, (unsigned int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ break;
+ }
break;
case AR6000_XIOCTL_BMI_SET_APP_START:
- get_user(address, (unsigned int *)userdata);
+ if (get_user(address, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Set App Start (address: 0x%x)\n", address));
ret = BMISetAppStart(hifDevice, address);
break;
case AR6000_XIOCTL_BMI_READ_SOC_REGISTER:
- get_user(address, (unsigned int *)userdata);
+ if (get_user(address, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
ret = BMIReadSOCRegister(hifDevice, address, (A_UINT32*)¶m);
- put_user(param, (unsigned int *)rq->ifr_data); /* return value */
+ /* return value */
+ if (put_user(param, (unsigned int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ break;
+ }
break;
case AR6000_XIOCTL_BMI_WRITE_SOC_REGISTER:
- get_user(address, (unsigned int *)userdata);
- get_user(param, (unsigned int *)userdata + 1);
+ if (get_user(address, (unsigned int *)userdata) ||
+ get_user(param, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
ret = BMIWriteSOCRegister(hifDevice, address, param);
break;
case AR6000_XIOCTL_HTC_RAW_READ:
if (arRawIfEnabled(ar)) {
unsigned int streamID;
- get_user(streamID, (unsigned int *)userdata);
- get_user(length, (unsigned int *)userdata + 1);
+ if (get_user(streamID, (unsigned int *)userdata) ||
+ get_user(length, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
buffer = (unsigned char*)rq->ifr_data + sizeof(length);
ret = ar6000_htc_raw_read(ar, (HTC_RAW_STREAM_ID)streamID,
(char*)buffer, length);
- put_user(ret, (unsigned int *)rq->ifr_data);
+ if (put_user(ret, (unsigned int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ break;
+ }
} else {
ret = A_ERROR;
}
case AR6000_XIOCTL_HTC_RAW_WRITE:
if (arRawIfEnabled(ar)) {
unsigned int streamID;
- get_user(streamID, (unsigned int *)userdata);
- get_user(length, (unsigned int *)userdata + 1);
+ if (get_user(streamID, (unsigned int *)userdata) ||
+ get_user(length, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
buffer = (unsigned char*)userdata + sizeof(streamID) + sizeof(length);
ret = ar6000_htc_raw_write(ar, (HTC_RAW_STREAM_ID)streamID,
(char*)buffer, length);
- put_user(ret, (unsigned int *)rq->ifr_data);
+ if (put_user(ret, (unsigned int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ break;
+ }
} else {
ret = A_ERROR;
}
#endif /* HTC_RAW_INTERFACE */
case AR6000_XIOCTL_BMI_LZ_STREAM_START:
- get_user(address, (unsigned int *)userdata);
+ if (get_user(address, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Start Compressed Stream (address: 0x%x)\n", address));
ret = BMILZStreamStart(hifDevice, address);
break;
case AR6000_XIOCTL_BMI_LZ_DATA:
- get_user(length, (unsigned int *)userdata);
+ if (get_user(length, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Send Compressed Data (length: %d)\n", length));
if ((buffer = (unsigned char *)A_MALLOC(length)) != NULL) {
A_MEMZERO(buffer, length);
{
A_UINT32 period;
A_UINT32 nbins;
- get_user(period, (unsigned int *)userdata);
- get_user(nbins, (unsigned int *)userdata + 1);
+ if (get_user(period, (unsigned int *)userdata) ||
+ get_user(nbins, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
if (wmi_prof_cfg_cmd(ar->arWmi, period, nbins) != A_OK) {
ret = -EIO;
case AR6000_XIOCTL_PROF_ADDR_SET:
{
A_UINT32 addr;
- get_user(addr, (unsigned int *)userdata);
+ if (get_user(addr, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
if (wmi_prof_addr_set_cmd(ar->arWmi, addr) != A_OK) {
ret = -EIO;
if (ar->arWmiReady == FALSE) {
ret = -EIO;
- } else {
- get_user(cmd.ieType, userdata);
- if (cmd.ieType >= WMI_MAX_ASSOC_INFO_TYPE) {
- ret = -EIO;
- } else {
- get_user(cmd.bufferSize, userdata + 1);
- if (cmd.bufferSize > WMI_MAX_ASSOC_INFO_LEN) {
- ret = -EFAULT;
- break;
- }
- if (copy_from_user(assocInfo, userdata + 2,
- cmd.bufferSize))
- {
- ret = -EFAULT;
- } else {
- if (wmi_associnfo_cmd(ar->arWmi, cmd.ieType,
- cmd.bufferSize,
- assocInfo) != A_OK)
- {
- ret = -EIO;
- }
- }
- }
- }
+ break;
+ }
+
+ if (get_user(cmd.ieType, userdata))
+ ret = -EFAULT;
+ break;
+ }
+ if (cmd.ieType >= WMI_MAX_ASSOC_INFO_TYPE) {
+ ret = -EIO;
+ break;
+ }
+
+ if (get_user(cmd.bufferSize, userdata + 1) ||
+ (cmd.bufferSize > WMI_MAX_ASSOC_INFO_LEN) ||
+ copy_from_user(assocInfo, userdata + 2, cmd.bufferSize)) {
+ ret = -EFAULT;
+ break;
+ }
+ if (wmi_associnfo_cmd(ar->arWmi, cmd.ieType,
+ cmd.bufferSize, assocInfo) != A_OK) {
+ ret = -EIO;
+ break;
+ }
break;
}
case AR6000_IOCTL_WMI_SET_ACCESS_PARAMS:
case AR6000_XIOCTRL_WMI_SET_WLAN_STATE:
{
AR6000_WLAN_STATE state;
- get_user(state, (unsigned int *)userdata);
- if (ar6000_set_wlan_state(ar, state)!=A_OK) {
+ if (get_user(state, (unsigned int *)userdata))
+ ret = -EFAULT;
+ else if (ar6000_set_wlan_state(ar, state) != A_OK)
ret = -EIO;
- }
break;
}
case AR6000_XIOCTL_WMI_GET_ROAM_DATA:
case AR6000_XIOCTL_DIAG_READ:
{
A_UINT32 addr, data;
- get_user(addr, (unsigned int *)userdata);
+ if (get_user(addr, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
addr = TARG_VTOP(ar->arTargetType, addr);
if (ar6000_ReadRegDiag(ar->arHifDevice, &addr, &data) != A_OK) {
ret = -EIO;
}
- put_user(data, (unsigned int *)userdata + 1);
+ if (put_user(data, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
break;
}
case AR6000_XIOCTL_DIAG_WRITE:
{
A_UINT32 addr, data;
- get_user(addr, (unsigned int *)userdata);
- get_user(data, (unsigned int *)userdata + 1);
+ if (get_user(addr, (unsigned int *)userdata) ||
+ get_user(data, (unsigned int *)userdata + 1)) {
+ ret = -EFAULT;
+ break;
+ }
addr = TARG_VTOP(ar->arTargetType, addr);
if (ar6000_WriteRegDiag(ar->arHifDevice, &addr, &data) != A_OK) {
ret = -EIO;
ret = -EIO;
goto ioctl_done;
}
- get_user(fType, (A_UINT32 *)userdata);
+ if (get_user(fType, (A_UINT32 *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
appIEcmd.mgmtFrmType = fType;
if (appIEcmd.mgmtFrmType >= IEEE80211_APPIE_NUM_OF_FRAME) {
ret = -EIO;
} else {
- get_user(ieLen, (A_UINT32 *)(userdata + 4));
+ if (get_user(ieLen, (A_UINT32 *)(userdata + 4))) {
+ ret = -EFAULT;
+ break;
+ }
appIEcmd.ieLen = ieLen;
A_PRINTF("WPSIE: Type-%d, Len-%d\n",appIEcmd.mgmtFrmType, appIEcmd.ieLen);
if (appIEcmd.ieLen > IEEE80211_APPIE_FRAME_MAX_LEN) {
A_UINT32 do_activate;
A_UINT32 rompatch_id;
- get_user(ROM_addr, (A_UINT32 *)userdata);
- get_user(RAM_addr, (A_UINT32 *)userdata + 1);
- get_user(nbytes, (A_UINT32 *)userdata + 2);
- get_user(do_activate, (A_UINT32 *)userdata + 3);
+ if (get_user(ROM_addr, (A_UINT32 *)userdata) ||
+ get_user(RAM_addr, (A_UINT32 *)userdata + 1) ||
+ get_user(nbytes, (A_UINT32 *)userdata + 2) ||
+ get_user(do_activate, (A_UINT32 *)userdata + 3)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Install rompatch from ROM: 0x%x to RAM: 0x%x length: %d\n",
ROM_addr, RAM_addr, nbytes));
ret = BMIrompatchInstall(hifDevice, ROM_addr, RAM_addr,
nbytes, do_activate, &rompatch_id);
if (ret == A_OK) {
- put_user(rompatch_id, (unsigned int *)rq->ifr_data); /* return value */
+ /* return value */
+ if (put_user(rompatch_id, (unsigned int *)rq->ifr_data)) {
+ ret = -EFAULT;
+ break;
+ }
}
break;
}
{
A_UINT32 rompatch_id;
- get_user(rompatch_id, (A_UINT32 *)userdata);
+ if (get_user(rompatch_id, (A_UINT32 *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("UNinstall rompatch_id %d\n", rompatch_id));
ret = BMIrompatchUninstall(hifDevice, rompatch_id);
break;
{
A_UINT32 rompatch_count;
- get_user(rompatch_count, (A_UINT32 *)userdata);
+ if (get_user(rompatch_count, (A_UINT32 *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
AR_DEBUG_PRINTF(ATH_DEBUG_INFO,("Change rompatch activation count=%d\n", rompatch_count));
length = sizeof(A_UINT32) * rompatch_count;
if ((buffer = (unsigned char *)A_MALLOC(length)) != NULL) {
case AR6000_XIOCTL_SET_BT_HW_POWER_STATE:
{
unsigned int state;
- get_user(state, (unsigned int *)userdata);
+ if (get_user(state, (unsigned int *)userdata)) {
+ ret = -EFAULT;
+ break;
+ }
if (ar6000_set_bt_hw_state(ar, state)!=A_OK) {
ret = -EIO;
}