svn commit: r332280 - stable/10/sys/dev/nxge

Sun Apr 8 15:35:58 UTC 2018

Author: brooks
Date: Sun Apr  8 15:35:57 2018
New Revision: 332280
URL: https://svnweb.freebsd.org/changeset/base/332280

Log:
  MFC r331654, r331869
  
  r331654:
  Don't access userspace directly from the kernel in nxge(4).
  
  Update to what the previous code seemed to be doing via the correct
  interfaces.  Further issues exist in xge_ioctl_registers(), but this is
  debugging code in a driver that has few users and they don't appear to
  be crashes or leaks.
  
  Reviewed by:	jhb (prior version)
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14848
  
  r331869:
  Fix the build on arches with default unsigned char.  Capture the fubyte()
  return value in an int as well as the char, and test the full int value
  for fubyte() failure.

Modified:
  stable/10/sys/dev/nxge/if_nxge.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/nxge/if_nxge.c
==============================================================================

--- stable/10/sys/dev/nxge/if_nxge.c	Sun Apr  8 15:30:58 2018	(r332279)
+++ stable/10/sys/dev/nxge/if_nxge.c	Sun Apr  8 15:35:57 2018	(r332280)
@@ -1361,11 +1361,16 @@ int
 xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifreqp)
 {
 	xge_hal_status_e status = XGE_HAL_OK;
-	char *data = (char *)ifreqp->ifr_data;
+	char cmd, mode;
 	void *info = NULL;
-	int retValue = EINVAL;
+	int retValue;
 
-	switch(*data) {
+	cmd = retValue = fubyte(ifreqp->ifr_data);
+	if (retValue == -1)
+		return (EFAULT);
+
+	retValue = EINVAL;
+	switch(cmd) {
 	    case XGE_QUERY_STATS:
 	        mtx_lock(&lldev->mtx_drv);
 	        status = xge_hal_stats_hw(lldev->devh,
@@ -1493,8 +1498,8 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre
 	    case XGE_SET_BUFFER_MODE_1:
 	    case XGE_SET_BUFFER_MODE_2:
 	    case XGE_SET_BUFFER_MODE_5:
-	        *data = (*data == XGE_SET_BUFFER_MODE_1) ? 'Y':'N';
-	        if(copyout(data, ifreqp->ifr_data, sizeof(data)) == 0)
+	        mode = (cmd == XGE_SET_BUFFER_MODE_1) ? 'Y':'N';
+	        if(copyout(&mode, ifreqp->ifr_data, sizeof(mode)) == 0)
 	            retValue = 0;
 	        break;
 	    default:
@@ -1515,10 +1520,17 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre
 int
 xge_ioctl_registers(xge_lldev_t *lldev, struct ifreq *ifreqp)
 {
-	xge_register_t *data = (xge_register_t *)ifreqp->ifr_data;
+	xge_register_t tmpdata;
+	xge_register_t *data;
 	xge_hal_status_e status = XGE_HAL_OK;
 	int retValue = EINVAL, offset = 0, index = 0;
+	int error;
 	u64 val64 = 0;
+
+	error = copyin(ifreqp->ifr_data, &tmpdata, sizeof(tmpdata));
+	if (error != 0)
+		return (error);
+	data = &tmpdata;
 
 	/* Reading a register */
 	if(strcmp(data->option, "-r") == 0) {
