Diffstat (limited to 'drivers/staging/rtl8188eu/os_dep/ioctl_linux.c')
-rw-r--r-- | drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 242 |
1 files changed, 114 insertions, 128 deletions
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 4ad80ae1067f..2636e7f3dbb8 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -35,6 +35,7 @@ #include <rtw_mp.h> #include <rtw_iol.h> +#include <linux/vmalloc.h> #define RTL_IOCTL_WPA_SUPPLICANT (SIOCIWFIRSTPRIV + 30) @@ -472,8 +473,6 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, struct wifidirect_info *pwdinfo = &padapter->wdinfo; #endif /* CONFIG_88EU_P2P */ -_func_enter_; - param->u.crypt.err = 0; param->u.crypt.alg[IEEE_CRYPT_ALG_NAME_LEN - 1] = '\0'; @@ -614,9 +613,6 @@ _func_enter_; exit: kfree(pwep); - -_func_exit_; - return ret; } @@ -770,8 +766,6 @@ static int rtw_wx_get_name(struct net_device *dev, RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("cmd_code =%x\n", info->cmd)); - _func_enter_; - if (check_fwstate(pmlmepriv, _FW_LINKED|WIFI_ADHOC_MASTER_STATE) == true) { /* parsing HT_CAP_IE */ p = rtw_get_ie(&pcur_bss->IEs[12], _HT_CAPABILITY_IE_, &ht_ielen, pcur_bss->IELength-12); @@ -806,9 +800,6 @@ static int rtw_wx_get_name(struct net_device *dev, } else { snprintf(wrqu->name, IFNAMSIZ, "unassociated"); } - - _func_exit_; - return 0; } @@ -816,12 +807,7 @@ static int rtw_wx_set_freq(struct net_device *dev, struct iw_request_info *info, union iwreq_data *wrqu, char *extra) { - _func_enter_; - RT_TRACE(_module_rtl871x_mlme_c_, _drv_notice_, ("+rtw_wx_set_freq\n")); - - _func_exit_; - return 0; } @@ -854,8 +840,6 @@ static int rtw_wx_set_mode(struct net_device *dev, struct iw_request_info *a, enum ndis_802_11_network_infra networkType; int ret = 0; - _func_enter_; - if (_FAIL == rtw_pwr_wakeup(padapter)) { ret = -EPERM; goto exit; @@ -894,7 +878,6 @@ static int rtw_wx_set_mode(struct net_device *dev, struct iw_request_info *a, } rtw_setopmode_cmd(padapter, networkType); exit: - _func_exit_; return ret; } 
@@ -906,8 +889,6 @@ static int rtw_wx_get_mode(struct net_device *dev, struct iw_request_info *a, RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, (" rtw_wx_get_mode\n")); - _func_enter_; - if (check_fwstate(pmlmepriv, WIFI_STATION_STATE)) wrqu->mode = IW_MODE_INFRA; else if ((check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)) || @@ -918,8 +899,6 @@ static int rtw_wx_get_mode(struct net_device *dev, struct iw_request_info *a, else wrqu->mode = IW_MODE_AUTO; - _func_exit_; - return 0; } @@ -1011,8 +990,6 @@ static int rtw_wx_get_range(struct net_device *dev, u16 val; int i; - _func_enter_; - RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_range. cmd_code =%x\n", info->cmd)); wrqu->data.length = sizeof(*range); @@ -1093,8 +1070,6 @@ static int rtw_wx_get_range(struct net_device *dev, range->scan_capa = IW_SCAN_CAPA_ESSID | IW_SCAN_CAPA_TYPE | IW_SCAN_CAPA_BSSID | IW_SCAN_CAPA_CHANNEL | IW_SCAN_CAPA_MODE | IW_SCAN_CAPA_RATE; - _func_exit_; - return 0; } @@ -1118,8 +1093,6 @@ static int rtw_wx_set_wap(struct net_device *dev, struct wlan_network *pnetwork = NULL; enum ndis_802_11_auth_mode authmode; - _func_enter_; - if (_FAIL == rtw_pwr_wakeup(padapter)) { ret = -1; goto exit; @@ -1138,15 +1111,15 @@ static int rtw_wx_set_wap(struct net_device *dev, authmode = padapter->securitypriv.ndisauthtype; spin_lock_bh(&queue->lock); phead = get_list_head(queue); - pmlmepriv->pscanned = get_next(phead); + pmlmepriv->pscanned = phead->next; while (1) { if ((rtw_end_of_queue_search(phead, pmlmepriv->pscanned)) == true) break; - pnetwork = LIST_CONTAINOR(pmlmepriv->pscanned, struct wlan_network, list); + pnetwork = container_of(pmlmepriv->pscanned, struct wlan_network, list); - pmlmepriv->pscanned = get_next(pmlmepriv->pscanned); + pmlmepriv->pscanned = pmlmepriv->pscanned->next; dst_bssid = pnetwork->network.MacAddress; @@ -1173,8 +1146,6 @@ static int rtw_wx_set_wap(struct net_device *dev, exit: - _func_exit_; - return ret; } 
@@ -1192,17 +1163,12 @@ static int rtw_wx_get_wap(struct net_device *dev, RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_wap\n")); - _func_enter_; - if (((check_fwstate(pmlmepriv, _FW_LINKED)) == true) || ((check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)) == true) || ((check_fwstate(pmlmepriv, WIFI_AP_STATE)) == true)) memcpy(wrqu->ap_addr.sa_data, pcur_bss->MacAddress, ETH_ALEN); else _rtw_memset(wrqu->ap_addr.sa_data, 0, ETH_ALEN); - - _func_exit_; - return 0; } @@ -1252,7 +1218,6 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, #endif /* CONFIG_88EU_P2P */ RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_set_scan\n")); -_func_enter_; if (padapter->registrypriv.mp_mode == 1) { if (check_fwstate(pmlmepriv, WIFI_MP_STATE)) { ret = -1; @@ -1383,7 +1348,6 @@ _func_enter_; exit: -_func_exit_; return ret; } @@ -1407,8 +1371,6 @@ static int rtw_wx_get_scan(struct net_device *dev, struct iw_request_info *a, RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_scan\n")); RT_TRACE(_module_rtl871x_ioctl_os_c, _drv_info_, (" Start of Query SIOCGIWSCAN .\n")); - _func_enter_; - if (padapter->pwrctrlpriv.brfoffbyhw && padapter->bDriverStopped) { ret = -EINVAL; goto exit; @@ -1440,7 +1402,7 @@ static int rtw_wx_get_scan(struct net_device *dev, struct iw_request_info *a, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist)) 
@@ -1451,13 +1413,13 @@ static int rtw_wx_get_scan(struct net_device *dev, struct iw_request_info *a, break; } - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); /* report network only if the current channel set contains the channel to which this network belongs */ if (rtw_ch_set_search_ch(padapter->mlmeextpriv.channel_set, pnetwork->network.Configuration.DSConfig) >= 0) ev = translate_scan(padapter, a, pnetwork, ev, stop); - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -1466,7 +1428,6 @@ static int rtw_wx_get_scan(struct net_device *dev, struct iw_request_info *a, wrqu->data.flags = 0; exit: - _func_exit_; return ret; } @@ -1490,7 +1451,6 @@ static int rtw_wx_set_essid(struct net_device *dev, uint ret = 0, len; - _func_enter_; RT_TRACE(_module_rtl871x_ioctl_os_c, _drv_info_, ("+rtw_wx_set_essid: fw_state = 0x%08x\n", get_fwstate(pmlmepriv))); @@ -1530,7 +1490,7 @@ static int rtw_wx_set_essid(struct net_device *dev, RT_TRACE(_module_rtl871x_ioctl_os_c, _drv_info_, ("rtw_wx_set_essid: ssid =[%s]\n", src_ssid)); spin_lock_bh(&queue->lock); phead = get_list_head(queue); - pmlmepriv->pscanned = get_next(phead); + pmlmepriv->pscanned = phead->next; while (1) { if (rtw_end_of_queue_search(phead, pmlmepriv->pscanned) == true) { @@ -1540,9 +1500,9 @@ static int rtw_wx_set_essid(struct net_device *dev, break; } - pnetwork = LIST_CONTAINOR(pmlmepriv->pscanned, struct wlan_network, list); + pnetwork = container_of(pmlmepriv->pscanned, struct wlan_network, list); - pmlmepriv->pscanned = get_next(pmlmepriv->pscanned); + pmlmepriv->pscanned = pmlmepriv->pscanned->next; dst_ssid = pnetwork->network.Ssid.Ssid; @@ -1583,7 +1543,6 @@ exit: DBG_88E("<=%s, ret %d\n", __func__, ret); - _func_exit_; return ret; } 
@@ -1599,7 +1558,6 @@ static int rtw_wx_get_essid(struct net_device *dev, RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_essid\n")); - _func_enter_; if ((check_fwstate(pmlmepriv, _FW_LINKED)) || (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) { @@ -1617,7 +1575,6 @@ static int rtw_wx_get_essid(struct net_device *dev, exit: - _func_exit_; return ret; } @@ -1634,7 +1591,6 @@ static int rtw_wx_set_rate(struct net_device *dev, u32 ratevalue = 0; u8 mpdatarate[NumRates] = {11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 0xff}; -_func_enter_; RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, (" rtw_wx_set_rate\n")); RT_TRACE(_module_rtl871x_ioctl_os_c, _drv_info_, ("target_rate = %d, fixed = %d\n", target_rate, fixed)); @@ -1706,7 +1662,6 @@ set_rate: ret = -1; } -_func_exit_; return ret; } @@ -1734,7 +1689,6 @@ static int rtw_wx_set_rts(struct net_device *dev, { struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); - _func_enter_; if (wrqu->rts.disabled) { padapter->registrypriv.rts_thresh = 2347; @@ -1748,7 +1702,6 @@ static int rtw_wx_set_rts(struct net_device *dev, DBG_88E("%s, rts_thresh =%d\n", __func__, padapter->registrypriv.rts_thresh); - _func_exit_; return 0; } @@ -1759,7 +1712,6 @@ static int rtw_wx_get_rts(struct net_device *dev, { struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); - _func_enter_; DBG_88E("%s, rts_thresh =%d\n", __func__, padapter->registrypriv.rts_thresh); @@ -1767,7 +1719,6 @@ static int rtw_wx_get_rts(struct net_device *dev, wrqu->rts.fixed = 0; /* no auto select */ /* wrqu->rts.disabled = (wrqu->rts.value == DEFAULT_RTS_THRESHOLD); */ - _func_exit_; return 0; } @@ -1778,7 +1729,6 @@ static int rtw_wx_set_frag(struct net_device *dev, { struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); - _func_enter_; if (wrqu->frag.disabled) { padapter->xmitpriv.frag_len = MAX_FRAG_THRESHOLD; 
@@ -1792,7 +1742,6 @@ static int rtw_wx_set_frag(struct net_device *dev, DBG_88E("%s, frag_len =%d\n", __func__, padapter->xmitpriv.frag_len); - _func_exit_; return 0; } @@ -1803,14 +1752,12 @@ static int rtw_wx_get_frag(struct net_device *dev, { struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); - _func_enter_; DBG_88E("%s, frag_len =%d\n", __func__, padapter->xmitpriv.frag_len); wrqu->frag.value = padapter->xmitpriv.frag_len; wrqu->frag.fixed = 0; /* no auto select */ - _func_exit_; return 0; } @@ -1844,7 +1791,6 @@ static int rtw_wx_set_enc(struct net_device *dev, key = erq->flags & IW_ENCODE_INDEX; - _func_enter_; if (erq->flags & IW_ENCODE_DISABLED) { DBG_88E("EncryptionDisabled\n"); @@ -1939,7 +1885,6 @@ static int rtw_wx_set_enc(struct net_device *dev, exit: - _func_exit_; return ret; } @@ -1953,7 +1898,6 @@ static int rtw_wx_get_enc(struct net_device *dev, struct iw_point *erq = &(wrqu->encoding); struct mlme_priv *pmlmepriv = &(padapter->mlmepriv); - _func_enter_; if (check_fwstate(pmlmepriv, _FW_LINKED) != true) { if (!check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)) { @@ -2007,7 +1951,6 @@ static int rtw_wx_get_enc(struct net_device *dev, erq->flags |= IW_ENCODE_DISABLED; break; } - _func_exit_; return ret; } @@ -2210,6 +2153,7 @@ static int rtw_wx_read32(struct net_device *dev, u32 data32; u32 bytes; u8 *ptmp; + int rv; padapter = (struct adapter *)rtw_netdev_priv(dev); p = &wrqu->data; @@ -2225,7 +2169,11 @@ static int rtw_wx_read32(struct net_device *dev, bytes = 0; addr = 0; - sscanf(ptmp, "%d,%x", &bytes, &addr); + rv = sscanf(ptmp, "%d,%x", &bytes, &addr); + if (rv != 2) { + kfree(ptmp); + return -EINVAL; + } switch (bytes) { case 1: @@ -2255,6 +2203,7 @@ static int rtw_wx_write32(struct net_device *dev, union iwreq_data *wrqu, char *extra) { struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); + int rv; u32 addr; u32 data32; 
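Review bot: In rtw_wx_read32 the checked call `sscanf(ptmp, "%d,%x", &bytes, &addr)` still uses the signed conversion `%d` for `bytes`, which the preceding hunk shows declared as `u32`, so a negative count is accepted and wraps. `%u` matches the type: `rv = sscanf(ptmp, "%u,%x", &bytes, &addr);`. The same `%d`-into-`u32` mismatch is visible in the rtw_mp_bandwidth, rtw_mp_txpower and rtw_mp_ctx hunks. The `switch (bytes)` continues outside the hunk, so how an unexpected width is handled cannot be seen here.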
@@ -2263,7 +2212,9 @@ static int rtw_wx_write32(struct net_device *dev, bytes = 0; addr = 0; data32 = 0; - sscanf(extra, "%d,%x,%x", &bytes, &addr, &data32); + rv = sscanf(extra, "%d,%x,%x", &bytes, &addr, &data32); + if (rv != 3) + return -EINVAL; switch (bytes) { case 1: @@ -2607,13 +2558,13 @@ static int rtw_get_ap_info(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (hwaddr_aton_i(data, bssid)) { DBG_88E("Invalid BSSID '%s'.\n", (u8 *)data); @@ -2638,7 +2589,7 @@ static int rtw_get_ap_info(struct net_device *dev, } } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -2690,13 +2641,13 @@ static int rtw_wps_start(struct net_device *dev, struct iw_point *pdata = &wrqu->data; u32 u32wps_start = 0; - ret = copy_from_user((void *)&u32wps_start, pdata->pointer, 4); - if (ret) { + if ((padapter->bDriverStopped) || (pdata == NULL)) { ret = -EINVAL; goto exit; } - if ((padapter->bDriverStopped) || (pdata == NULL)) { + ret = copy_from_user((void *)&u32wps_start, pdata->pointer, 4); + if (ret) { ret = -EINVAL; goto exit; } @@ -3110,13 +3061,13 @@ static int rtw_p2p_get_wps_configmethod(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { u8 *wpsie; uint wpsie_len = 0; 
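Review bot: In rtw_wps_start the reordered guard still tests `pdata == NULL`, but `pdata` is initialised as `&wrqu->data` just above, so that half of the condition can never be true and only `bDriverStopped` is actually checked. A failed `copy_from_user()` is also reported as -EINVAL where the kernel convention is -EFAULT: `if (copy_from_user(&u32wps_start, pdata->pointer, 4)) { ret = -EFAULT; goto exit; }`. The hunk shows no check that `pdata->length` covers the four bytes being copied; the rest of the function is outside the hunk and should be checked for one.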
@@ -3134,7 +3085,7 @@ static int rtw_p2p_get_wps_configmethod(struct net_device *dev, } break; } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -3180,13 +3131,13 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { /* Commented by Albert 2011/05/18 */ /* Match the device address located in the P2P IE */ @@ -3215,7 +3166,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev, } } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -3264,13 +3215,13 @@ static int rtw_p2p_get_device_type(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { u8 *wpsie; uint wpsie_len = 0; @@ -3295,7 +3246,7 @@ static int rtw_p2p_get_device_type(struct net_device *dev, break; } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); 
@@ -3343,13 +3294,13 @@ static int rtw_p2p_get_device_name(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { u8 *wpsie; uint wpsie_len = 0; @@ -3366,7 +3317,7 @@ static int rtw_p2p_get_device_name(struct net_device *dev, break; } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -3414,13 +3365,13 @@ static int rtw_p2p_get_invitation_procedure(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { /* Commented by Albert 20121226 */ /* Match the device address located in the P2P IE */ @@ -3440,7 +3391,7 @@ static int rtw_p2p_get_invitation_procedure(struct net_device *dev, } } } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); 
@@ -3496,19 +3447,19 @@ static int rtw_p2p_connect(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); if (!memcmp(pnetwork->network.MacAddress, peerMAC, ETH_ALEN)) { uintPeerChannel = pnetwork->network.Configuration.DSConfig; break; } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -3591,13 +3542,13 @@ static int rtw_p2p_invite_req(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); /* Commented by Albert 2011/05/18 */ /* Match the device address located in the P2P IE */ @@ -3622,7 +3573,7 @@ static int rtw_p2p_invite_req(struct net_device *dev, } } } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); @@ -3741,7 +3692,7 @@ static int rtw_p2p_prov_disc(struct net_device *dev, spin_lock_bh(&(pmlmepriv->scanned_queue.lock)); phead = get_list_head(queue); - plist = get_next(phead); + plist = phead->next; while (1) { if (rtw_end_of_queue_search(phead, plist) == true) @@ -3750,7 +3701,7 @@ static int rtw_p2p_prov_disc(struct net_device *dev, if (uintPeerChannel != 0) break; - pnetwork = LIST_CONTAINOR(plist, struct wlan_network, list); + pnetwork = container_of(plist, struct wlan_network, list); /* Commented by Albert 2011/05/18 */ /* Match the device address located in the P2P IE */ 
@@ -3781,7 +3732,7 @@ static int rtw_p2p_prov_disc(struct net_device *dev, } } - plist = get_next(plist); + plist = plist->next; } spin_unlock_bh(&pmlmepriv->scanned_queue.lock); 
@@ -3914,24 +3865,33 @@ static int rtw_p2p_get(struct net_device *dev, struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); if (padapter->bShowGetP2PState) - DBG_88E("[%s] extra = %s\n", __func__, (char *)wrqu->data.pointer); - if (!memcmp(wrqu->data.pointer, "status", 6)) { + DBG_88E("[%s] extra = %s\n", __func__, + (char __user *)wrqu->data.pointer); + if (!memcmp((__force const char *)wrqu->data.pointer, + "status", 6)) { rtw_p2p_get_status(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "role", 4)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "role", 4)) { rtw_p2p_get_role(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "peer_ifa", 8)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "peer_ifa", 8)) { rtw_p2p_get_peer_ifaddr(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "req_cm", 6)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "req_cm", 6)) { rtw_p2p_get_req_cm(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "peer_deva", 9)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "peer_deva", 9)) { /* Get the P2P device address when receiving the provision discovery request frame. */ rtw_p2p_get_peer_devaddr(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "group_id", 8)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "group_id", 8)) { rtw_p2p_get_groupid(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "peer_deva_inv", 9)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "peer_deva_inv", 9)) { /* Get the P2P device address when receiving the P2P Invitation request frame. 
*/ rtw_p2p_get_peer_devaddr_by_invitation(dev, info, wrqu, extra); - } else if (!memcmp(wrqu->data.pointer, "op_ch", 5)) { + } else if (!memcmp((__force const char *)wrqu->data.pointer, + "op_ch", 5)) { rtw_p2p_get_op_ch(dev, info, wrqu, extra); } #endif /* CONFIG_88EU_P2P */ @@ -3945,7 +3905,8 @@ static int rtw_p2p_get2(struct net_device *dev, int ret = 0; #ifdef CONFIG_88EU_P2P - DBG_88E("[%s] extra = %s\n", __func__, (char *)wrqu->data.pointer); + DBG_88E("[%s] extra = %s\n", __func__, + (char __user *)wrqu->data.pointer); if (!memcmp(extra, "wpsCM =", 6)) { wrqu->data.length -= 6; rtw_p2p_get_wps_configmethod(dev, info, wrqu, &extra[6]); @@ -4436,12 +4397,12 @@ static int rtw_dbg_port(struct net_device *dev, for (i = 0; i < NUM_STA; i++) { phead = &(pstapriv->sta_hash[i]); - plist = get_next(phead); + plist = phead->next; while ((rtw_end_of_queue_search(phead, plist)) == false) { - psta = LIST_CONTAINOR(plist, struct sta_info, hash_list); + psta = container_of(plist, struct sta_info, hash_list); - plist = get_next(plist); + plist = plist->next; if (extra_arg == psta->aid) { DBG_88E("sta's macaddr:%pM\n", (psta->hwaddr)); @@ -4507,11 +4468,9 @@ static int rtw_dbg_port(struct net_device *dev, struct registry_priv *pregpriv = &padapter->registrypriv; /* 0: disable, bit(0):enable 2.4g, bit(1):enable 5g, 0x3: enable both 2.4g and 5g */ /* default is set to enable 2.4GHZ for IOT issue with bufflao's AP at 5GHZ */ - if (pregpriv && - (extra_arg == 0 || - extra_arg == 1 || - extra_arg == 2 || - extra_arg == 3)) { + if (!pregpriv) + break; + if (extra_arg >= 0 && extra_arg <= 3) { pregpriv->rx_stbc = extra_arg; DBG_88E("set rx_stbc =%d\n", pregpriv->rx_stbc); } else { 
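Review bot: The `(__force const char *)` casts in rtw_p2p_get silence the sparse address-space warning without removing its cause. Each `memcmp()` still reads through `wrqu->data.pointer`, which the `__user` annotation added on the DBG_88E line marks as a userspace address, and `%s` prints through that same pointer. Kernel code should not dereference a user pointer directly; if `extra` holds the copied-in request here as it appears to in rtw_p2p_get2 (not confirmable from this hunk), compare against it instead, e.g. `if (!memcmp(extra, "status", 6)) {`. Separately, the `"peer_deva_inv", 9` branch compares the same nine bytes as the earlier `"peer_deva", 9` branch and so can never be taken; its length should be 13. The rtw_p2p_get2 hunk has the same `%s` on a `__user` pointer.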
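Review bot: In the rx_stbc case of rtw_dbg_port, `if (!pregpriv) break;` is dead code: `pregpriv` is `&padapter->registrypriv`, the address of a member, and cannot be NULL once `padapter` is valid. Dropping the test leaves just `if (extra_arg >= 0 && extra_arg <= 3) {`. If `extra_arg` has an unsigned type (its declaration is outside the hunk), the `>= 0` half is always true as well. The ampdu_enable hunk that follows has the same pattern.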
@@ -4523,7 +4482,9 @@ static int rtw_dbg_port(struct net_device *dev, { struct registry_priv *pregpriv = &padapter->registrypriv; /* 0: disable, 0x1:enable (but wifi_spec should be 0), 0x2: force enable (don't care wifi_spec) */ - if (pregpriv && extra_arg >= 0 && extra_arg < 3) { + if (!pregpriv) + break; + if (extra_arg >= 0 && extra_arg < 3) { pregpriv->ampdu_enable = extra_arg; DBG_88E("set ampdu_enable =%d\n", pregpriv->ampdu_enable); } else { @@ -5648,12 +5609,12 @@ static int rtw_wx_set_priv(struct net_device *dev, return -EFAULT; len = dwrq->length; - ext = rtw_vmalloc(len); + ext = vmalloc(len); if (!ext) return -ENOMEM; if (copy_from_user(ext, dwrq->pointer, len)) { - rtw_vmfree(ext, len); + vfree(ext); return -EFAULT; } @@ -5693,7 +5654,7 @@ static int rtw_wx_set_priv(struct net_device *dev, FREE_EXT: - rtw_vmfree(ext, len); + vfree(ext); return ret; } @@ -5709,10 +5670,14 @@ static int rtw_pm_set(struct net_device *dev, DBG_88E("[%s] extra = %s\n", __func__, extra); if (!memcmp(extra, "lps =", 4)) { - sscanf(extra+4, "%u", &mode); + ret = sscanf(extra+4, "%u", &mode); + if (ret != 1) + return -EINVAL; ret = rtw_pm_set_lps(padapter, mode); } else if (!memcmp(extra, "ips =", 4)) { - sscanf(extra+4, "%u", &mode); + ret = sscanf(extra+4, "%u", &mode); + if (ret != 1) + return -EINVAL; ret = rtw_pm_set_ips(padapter, mode); } else { ret = -EINVAL; @@ -6812,8 +6777,11 @@ static int rtw_mp_bandwidth(struct net_device *dev, { u32 bandwidth = 0, sg = 0; struct adapter *padapter = rtw_netdev_priv(dev); + int rv; - sscanf(extra, "40M =%d, shortGI =%d", &bandwidth, &sg); + rv = sscanf(extra, "40M =%d, shortGI =%d", &bandwidth, &sg); + if (rv != 2) + return -EINVAL; if (bandwidth != HT_CHANNEL_WIDTH_40) bandwidth = HT_CHANNEL_WIDTH_20; @@ -6833,6 +6801,7 @@ static int rtw_mp_txpower(struct net_device *dev, u32 idx_a = 0, idx_b = 0; char *input = kmalloc(wrqu->length, GFP_KERNEL); struct adapter *padapter = rtw_netdev_priv(dev); + int rv; if (!input) return -ENOMEM; 
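Review bot: In rtw_wx_set_priv, `len` comes from `dwrq->length` and goes to `vmalloc()` and `copy_from_user()` with no bound or zero check visible in this hunk; a zero length makes `vmalloc(0)` return NULL and is reported as -ENOMEM. The buffer also holds exactly `len` bytes with no terminator, so if the code between the copy and `FREE_EXT` (outside the hunk) treats `ext` as a string, it can read past the allocation. Consider rejecting `len == 0` with -EINVAL, allocating `len + 1` and setting `ext[len] = '\0';` after the copy.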
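Review bot: With the new return-value check in rtw_pm_set, input written as `lps =N` or `ips =N` can no longer succeed. `memcmp(extra, "lps =", 4)` matches only the four bytes `lps ` including the space, and `sscanf(extra+4, "%u", &mode)` then starts at the `=` and converts nothing, so -EINVAL is returned where the failed parse previously went unnoticed. Compare and skip the whole five-character literal: `if (!memcmp(extra, "lps =", 5)) {` with `sscanf(extra + 5, "%u", &mode)`, and likewise for `ips =`. `ret` is also reused for the sscanf count; a separate `rv`, as in the other hunks, would read more clearly.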
@@ -6840,7 +6809,11 @@ static int rtw_mp_txpower(struct net_device *dev, kfree(input); return -EFAULT; } - sscanf(input, "patha =%d, pathb =%d", &idx_a, &idx_b); + rv = sscanf(input, "patha =%d, pathb =%d", &idx_a, &idx_b); + if (rv != 2) { + kfree(input); + return -EINVAL; + } sprintf(extra, "Set power level path_A:%d path_B:%d", idx_a, idx_b); padapter->mppriv.txpoweridx = (u8)idx_a; @@ -6934,6 +6907,7 @@ static int rtw_mp_ctx(struct net_device *dev, u32 pkTx = 1, countPkTx = 1, cotuTx = 1, CarrSprTx = 1, scTx = 1, sgleTx = 1, stop = 1; u32 bStartTest = 1; u32 count = 0; + int rv; struct mp_priv *pmp_priv; struct pkt_attrib *pattrib; @@ -6953,7 +6927,9 @@ static int rtw_mp_ctx(struct net_device *dev, sgleTx = strncmp(extra, "background, stone", 20); pkTx = strncmp(extra, "background, pkt", 20); stop = strncmp(extra, "stop", 4); - sscanf(extra, "count =%d, pkt", &count); + rv = sscanf(extra, "count =%d, pkt", &count); + if (rv != 2) + return -EINVAL; _rtw_memset(extra, '\0', sizeof(*extra)); @@ -7312,6 +7288,7 @@ static int rtw_mp_phypara(struct net_device *dev, { char *input = kmalloc(wrqu->length, GFP_KERNEL); u32 valxcap; + int rv; if (!input) return -ENOMEM; @@ -7322,7 +7299,11 @@ static int rtw_mp_phypara(struct net_device *dev, DBG_88E("%s:iwpriv in =%s\n", __func__, input); - sscanf(input, "xcap =%d", &valxcap); + rv = sscanf(input, "xcap =%d", &valxcap); + if (rv != 1) { + kfree(input); + return -EINVAL; + } kfree(input); return 0; @@ -7888,6 +7869,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ s32 len; u8 *extra = NULL; u32 extra_size = 0; + int rv; s32 k; const iw_handler *priv; /* Private ioctl */ 
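Review bot: In rtw_mp_txpower, `input` is allocated with `kmalloc(wrqu->length, GFP_KERNEL)` (previous hunk) and nothing visible terminates it before `sscanf()` parses it as a string, so a request without a trailing NUL lets the parse read past the allocation. Allocate one extra byte and terminate after the copy, e.g. `input[wrqu->length] = '\0';`. The `sprintf(extra, ...)` on the following line is unbounded as well; the size of `extra` is not visible here. rtw_mp_phypara has the same kmalloc/sscanf pattern.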
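Review bot: In rtw_mp_ctx the test `rv != 2` is always true: the format `"count =%d, pkt"` has a single conversion, so `sscanf()` returns at most 1 and the function now returns -EINVAL for every request. Even `rv != 1` would reject the `stop` and `background` commands matched by the `strncmp()` calls above whenever they carry no count. Since `count` is initialised to 0, the check is probably best dropped or limited to the packet-count case. The rest of the function is outside the hunk.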
@@ -7913,7 +7895,11 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ ptr = input; len = input_len; - sscanf(ptr, "%16s", cmdname); + rv = sscanf(ptr, "%16s", cmdname); + if (rv != 1) { + err = -EINVAL; + goto exit; + } cmdlen = strlen(cmdname); DBG_88E("%s: cmd =%s\n", __func__, cmdname); |
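Review bot: In rtw_ioctl_wext_private, `%16s` stores up to 16 characters plus a terminating NUL, so `cmdname` must be at least 17 bytes. Its declaration is outside the hunk and should be checked against that width; if the array is declared with 16 bytes, use `%15s`. The new `goto exit` path should also be confirmed to release `input`, which cannot be seen from here.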