From owner-svn-src-stable-11@freebsd.org  Sun Apr  8 15:30:59 2018
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6FBD0F8A461;
 Sun,  8 Apr 2018 15:30:59 +0000 (UTC)
 (envelope-from brooks@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1D52E6A1E2;
 Sun,  8 Apr 2018 15:30:59 +0000 (UTC)
 (envelope-from brooks@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EDC8911B3A;
 Sun,  8 Apr 2018 15:30:58 +0000 (UTC)
 (envelope-from brooks@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w38FUwLr063222;
 Sun, 8 Apr 2018 15:30:58 GMT (envelope-from brooks@FreeBSD.org)
Received: (from brooks@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w38FUwmc063221;
 Sun, 8 Apr 2018 15:30:58 GMT (envelope-from brooks@FreeBSD.org)
Message-Id: <201804081530.w38FUwmc063221@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: brooks set sender to
 brooks@FreeBSD.org using -f
From: Brooks Davis <brooks@FreeBSD.org>
Date: Sun, 8 Apr 2018 15:30:58 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r332279 - stable/11/sys/dev/nxge
X-SVN-Group: stable-11
X-SVN-Commit-Author: brooks
X-SVN-Commit-Paths: stable/11/sys/dev/nxge
X-SVN-Commit-Revision: 332279
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Apr 2018 15:30:59 -0000

Author: brooks
Date: Sun Apr  8 15:30:58 2018
New Revision: 332279
URL: https://svnweb.freebsd.org/changeset/base/332279

Log:
  MFC r331654, r331869
  
  r331654:
  Don't access userspace directly from the kernel in nxge(4).
  
  Update to what the previous code seemed to be doing via the correct
  interfaces.  Further issues exist in xge_ioctl_registers(), but this is
  debugging code in a driver that has few users and they don't appear to
  be crashes or leaks.
  
  Reviewed by:	jhb (prior version)
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14848
  
  r331869:
  Fix the build on arches with default unsigned char.  Capture the fubyte()
  return value in an int as well as the char, and test the full int value
  for fubyte() failure.

Modified:
  stable/11/sys/dev/nxge/if_nxge.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/nxge/if_nxge.c
==============================================================================
--- stable/11/sys/dev/nxge/if_nxge.c	Sun Apr  8 15:21:12 2018	(r332278)
+++ stable/11/sys/dev/nxge/if_nxge.c	Sun Apr  8 15:30:58 2018	(r332279)
@@ -1362,11 +1362,16 @@ int
 xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifreqp)
 {
 	xge_hal_status_e status = XGE_HAL_OK;
-	char *data = (char *)ifreqp->ifr_data;
+	char cmd, mode;
 	void *info = NULL;
-	int retValue = EINVAL;
+	int retValue;
 
-	switch(*data) {
+	cmd = retValue = fubyte(ifreqp->ifr_data);
+	if (retValue == -1)
+		return (EFAULT);
+
+	retValue = EINVAL;
+	switch(cmd) {
 	    case XGE_QUERY_STATS:
 	        mtx_lock(&lldev->mtx_drv);
 	        status = xge_hal_stats_hw(lldev->devh,
@@ -1494,8 +1499,8 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre
 	    case XGE_SET_BUFFER_MODE_1:
 	    case XGE_SET_BUFFER_MODE_2:
 	    case XGE_SET_BUFFER_MODE_5:
-	        *data = (*data == XGE_SET_BUFFER_MODE_1) ? 'Y':'N';
-	        if(copyout(data, ifreqp->ifr_data, sizeof(data)) == 0)
+	        mode = (cmd == XGE_SET_BUFFER_MODE_1) ? 'Y':'N';
+	        if(copyout(&mode, ifreqp->ifr_data, sizeof(mode)) == 0)
 	            retValue = 0;
 	        break;
 	    default:
@@ -1516,10 +1521,17 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre
 int
 xge_ioctl_registers(xge_lldev_t *lldev, struct ifreq *ifreqp)
 {
-	xge_register_t *data = (xge_register_t *)ifreqp->ifr_data;
+	xge_register_t tmpdata;
+	xge_register_t *data;
 	xge_hal_status_e status = XGE_HAL_OK;
 	int retValue = EINVAL, offset = 0, index = 0;
+	int error;
 	u64 val64 = 0;
+
+	error = copyin(ifreqp->ifr_data, &tmpdata, sizeof(tmpdata));
+	if (error != 0)
+		return (error);
+	data = &tmpdata;
 
 	/* Reading a register */
 	if(strcmp(data->option, "-r") == 0) {