staging: gdm72xx: add userspace data struct

This fixes the sparse warnings about dereferencing a userspace pointer.

Once I updated the sparse annotations, I noticed a bug in
gdm_wimax_ioctl() where we pass a user space pointer to gdm_update_fsm()
which dereferences it. I fixed this.

Signed-off-by: Wim de With <nauxuron@wimdewith.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/gdm72xx/gdm_wimax.c b/drivers/staging/gdm72xx/gdm_wimax.c
index b8eea21f265572b926d4008c59e96b4c8b4d9d87..ba03f9386567acbe140850881bb2ae7ab55feba6 100644 (file)
--- a/drivers/staging/gdm72xx/gdm_wimax.c
+++ b/drivers/staging/gdm72xx/gdm_wimax.c
@@ -363,7 +363,7 @@ static void kdelete(void **buf)
        }
 }
 
-static int gdm_wimax_ioctl_get_data(struct data_s *dst, struct data_s *src)
+static int gdm_wimax_ioctl_get_data(struct udata_s *dst, struct data_s *src)
 {
        int size;
 
@@ -379,7 +379,7 @@ static int gdm_wimax_ioctl_get_data(struct data_s *dst, struct data_s *src)
        return 0;
 }
 
-static int gdm_wimax_ioctl_set_data(struct data_s *dst, struct data_s *src)
+static int gdm_wimax_ioctl_set_data(struct data_s *dst, struct udata_s *src)
 {
        if (!src->size) {
                dst->size = 0;
@@ -455,6 +455,7 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
        struct wm_req_s *req = (struct wm_req_s *)ifr;
        struct nic *nic = netdev_priv(dev);
        int ret;
+       struct fsm_s fsm_buf;
 
        if (cmd != SIOCWMIOCTL)
                return -EOPNOTSUPP;
@@ -477,8 +478,11 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                                /* NOTE: gdm_update_fsm should be called
                                 * before gdm_wimax_ioctl_set_data is called.
                                 */
-                               gdm_update_fsm(dev,
-                                              req->data.buf);
+                               if (copy_from_user(&fsm_buf, req->data.buf,
+                                                  sizeof(struct fsm_s)))
+                                       return -EFAULT;
+
+                               gdm_update_fsm(dev, &fsm_buf);
                        }
                        ret = gdm_wimax_ioctl_set_data(
                                &nic->sdk_data[req->data_id], &req->data);

diff --git a/drivers/staging/gdm72xx/wm_ioctl.h b/drivers/staging/gdm72xx/wm_ioctl.h
index ed8f649c0042898617e9b7e9acf1442dd4d54c1c..631cb1d23c7e62e2b42b0eb5bb85e5ae028c2874 100644 (file)
--- a/drivers/staging/gdm72xx/wm_ioctl.h
+++ b/drivers/staging/gdm72xx/wm_ioctl.h
@@ -78,13 +78,18 @@ struct data_s {
        void    *buf;
 };
 
+struct udata_s {
+       int             size;
+       void __user     *buf;
+};
+
 struct wm_req_s {
        union {
                char ifrn_name[IFNAMSIZ];
        } ifr_ifrn;
        unsigned short  cmd;
        unsigned short  data_id;
-       struct data_s   data;
+       struct udata_s  data;
 
 /* NOTE: sizeof(struct wm_req_s) must be less than sizeof(struct ifreq). */
 };