From owner-svn-src-stable@freebsd.org Sun Apr 8 15:35:58 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 540FCF8AB60; Sun, 8 Apr 2018 15:35:58 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 062AA6CFC9; Sun, 8 Apr 2018 15:35:58 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D931C11CAA; Sun, 8 Apr 2018 15:35:57 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w38FZv0M067032; Sun, 8 Apr 2018 15:35:57 GMT (envelope-from brooks@FreeBSD.org) Received: (from brooks@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w38FZvwg067031; Sun, 8 Apr 2018 15:35:57 GMT (envelope-from brooks@FreeBSD.org) Message-Id: <201804081535.w38FZvwg067031@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brooks set sender to brooks@FreeBSD.org using -f From: Brooks Davis Date: Sun, 8 Apr 2018 15:35:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r332280 - stable/10/sys/dev/nxge X-SVN-Group: stable-10 X-SVN-Commit-Author: brooks X-SVN-Commit-Paths: stable/10/sys/dev/nxge X-SVN-Commit-Revision: 332280 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Apr 2018 15:35:58 -0000 Author: brooks Date: Sun Apr 8 15:35:57 2018 New Revision: 332280 URL: https://svnweb.freebsd.org/changeset/base/332280 Log: MFC r331654, r331869 r331654: Don't access userspace directly from the kernel in nxge(4). Update to what the previous code seemed to be doing via the correct interfaces. Further issues exist in xge_ioctl_registers(), but this is debugging code in a driver that has few users and they don't appear to be crashes or leaks. Reviewed by: jhb (prior version) Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14848 r331869: Fix the build on arches with default unsigned char. Capture the fubyte() return value in an int as well as the char, and test the full int value for fubyte() failure. Modified: stable/10/sys/dev/nxge/if_nxge.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/nxge/if_nxge.c ============================================================================== --- stable/10/sys/dev/nxge/if_nxge.c Sun Apr 8 15:30:58 2018 (r332279) +++ stable/10/sys/dev/nxge/if_nxge.c Sun Apr 8 15:35:57 2018 (r332280) @@ -1361,11 +1361,16 @@ int xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifreqp) { xge_hal_status_e status = XGE_HAL_OK; - char *data = (char *)ifreqp->ifr_data; + char cmd, mode; void *info = NULL; - int retValue = EINVAL; + int retValue; - switch(*data) { + cmd = retValue = fubyte(ifreqp->ifr_data); + if (retValue == -1) + return (EFAULT); + + retValue = EINVAL; + switch(cmd) { case XGE_QUERY_STATS: mtx_lock(&lldev->mtx_drv); status = xge_hal_stats_hw(lldev->devh, @@ -1493,8 +1498,8 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre case XGE_SET_BUFFER_MODE_1: case XGE_SET_BUFFER_MODE_2: case XGE_SET_BUFFER_MODE_5: - *data = (*data == XGE_SET_BUFFER_MODE_1) ? 'Y':'N'; - if(copyout(data, ifreqp->ifr_data, sizeof(data)) == 0) + mode = (cmd == XGE_SET_BUFFER_MODE_1) ? 'Y':'N'; + if(copyout(&mode, ifreqp->ifr_data, sizeof(mode)) == 0) retValue = 0; break; default: @@ -1515,10 +1520,17 @@ xge_ioctl_stats(xge_lldev_t *lldev, struct ifreq *ifre int xge_ioctl_registers(xge_lldev_t *lldev, struct ifreq *ifreqp) { - xge_register_t *data = (xge_register_t *)ifreqp->ifr_data; + xge_register_t tmpdata; + xge_register_t *data; xge_hal_status_e status = XGE_HAL_OK; int retValue = EINVAL, offset = 0, index = 0; + int error; u64 val64 = 0; + + error = copyin(ifreqp->ifr_data, &tmpdata, sizeof(tmpdata)); + if (error != 0) + return (error); + data = &tmpdata; /* Reading a register */ if(strcmp(data->option, "-r") == 0) {