D27963.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D27963.diff
View Options

	diff --git a/sys/dev/mpr/mpr_user.c b/sys/dev/mpr/mpr_user.c
	--- a/sys/dev/mpr/mpr_user.c
	+++ b/sys/dev/mpr/mpr_user.c
	@@ -737,11 +737,12 @@
	static int
	mpr_user_pass_thru(struct mpr_softc sc, mpr_pass_thru_t data)
	{
	- MPI2_REQUEST_HEADER *hdr, tmphdr;
	+ MPI2_REQUEST_HEADER hdr, tmphdr;
	MPI2_DEFAULT_REPLY *rpl;
	Mpi26NVMeEncapsulatedErrorReply_t *nvme_error_reply = NULL;
	Mpi26NVMeEncapsulatedRequest_t *nvme_encap_request = NULL;
	struct mpr_command *cm = NULL;
	+ void *req = NULL;
	int i, err = 0, dir = 0, sz;
	uint8_t tool, function = 0;
	u_int sense_len;
	@@ -793,22 +794,21 @@
	data->ReplySize, data->PtrData, data->DataSize,
	data->PtrDataOut, data->DataOutSize, data->DataDirection);

	- /*
	- * copy in the header so we know what we're dealing with before we
	- * commit to allocating a command for it.
	- */
	- err = copyin(PTRIN(data->PtrRequest), &tmphdr, data->RequestSize);
	- if (err != 0)
	- goto RetFreeUnlocked;
	-
	- if (data->RequestSize > (int)sc->reqframesz) {
	+ if (data->RequestSize > sc->reqframesz) {
	err = EINVAL;
	goto RetFreeUnlocked;
	}

	- function = tmphdr.Function;
	+ req = malloc(data->RequestSize, M_MPRUSER, M_WAITOK \| M_ZERO);
	+ tmphdr = (MPI2_REQUEST_HEADER *)req;
	+
	+ err = copyin(PTRIN(data->PtrRequest), req, data->RequestSize);
	+ if (err != 0)
	+ goto RetFreeUnlocked;
	+
	+ function = tmphdr->Function;
	mpr_dprint(sc, MPR_USER, "%s: Function %02X MsgFlags %02X\n", __func__,
	- function, tmphdr.MsgFlags);
	+ function, tmphdr->MsgFlags);

	/*
	* Handle a passthru TM request.
	@@ -825,7 +825,7 @@

	/* Copy the header in. Only a small fixup is needed. */
	task = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
	- bcopy(&tmphdr, task, data->RequestSize);
	+ memcpy(task, req, data->RequestSize);
	task->TaskMID = cm->cm_desc.Default.SMID;

	cm->cm_data = NULL;
	@@ -872,7 +872,6 @@

	mpr_lock(sc);
	cm = mpr_alloc_command(sc);
	-
	if (cm == NULL) {
	mpr_printf(sc, "%s: no mpr requests\n", __func__);
	err = ENOMEM;
	@@ -881,7 +880,7 @@
	mpr_unlock(sc);

	hdr = (MPI2_REQUEST_HEADER *)cm->cm_req;
	- bcopy(&tmphdr, hdr, data->RequestSize);
	+ memcpy(hdr, req, data->RequestSize);

	/*
	* Do some checking to make sure the IOCTL request contains a valid
	@@ -1154,6 +1153,7 @@
	Ret:
	sc->mpr_flags &= ~MPR_FLAGS_BUSY;
	mpr_unlock(sc);
	+ free(req, M_MPRUSER);

	return (err);
	}
	diff --git a/sys/dev/mps/mps_user.c b/sys/dev/mps/mps_user.c
	--- a/sys/dev/mps/mps_user.c
	+++ b/sys/dev/mps/mps_user.c
	@@ -677,7 +677,7 @@
	mps_dprint(sc, MPS_USER, "%s: req %p %d rpl %p %d\n", __func__,
	cmd->req, cmd->req_len, cmd->rpl, cmd->rpl_len);

	- if (cmd->req_len > (int)sc->reqframesz) {
	+ if (cmd->req_len > sc->reqframesz) {
	err = EINVAL;
	goto RetFreeUnlocked;
	}
	@@ -750,9 +750,10 @@
	static int
	mps_user_pass_thru(struct mps_softc sc, mps_pass_thru_t data)
	{
	- MPI2_REQUEST_HEADER *hdr, tmphdr;
	+ MPI2_REQUEST_HEADER hdr, tmphdr;
	MPI2_DEFAULT_REPLY *rpl = NULL;
	struct mps_command *cm = NULL;
	+ void *req = NULL;
	int err = 0, dir = 0, sz;
	uint8_t function = 0;
	u_int sense_len;
	@@ -804,22 +805,21 @@
	data->ReplySize, data->PtrData, data->DataSize,
	data->PtrDataOut, data->DataOutSize, data->DataDirection);

	- /*
	- * copy in the header so we know what we're dealing with before we
	- * commit to allocating a command for it.
	- */
	- err = copyin(PTRIN(data->PtrRequest), &tmphdr, data->RequestSize);
	- if (err != 0)
	- goto RetFreeUnlocked;
	-
	- if (data->RequestSize > (int)sc->reqframesz) {
	+ if (data->RequestSize > sc->reqframesz) {
	err = EINVAL;
	goto RetFreeUnlocked;
	}

	- function = tmphdr.Function;
	+ req = malloc(data->RequestSize, M_MPSUSER, M_WAITOK \| M_ZERO);
	+ tmphdr = (MPI2_REQUEST_HEADER *)req;
	+
	+ err = copyin(PTRIN(data->PtrRequest), req, data->RequestSize);
	+ if (err != 0)
	+ goto RetFreeUnlocked;
	+
	+ function = tmphdr->Function;
	mps_dprint(sc, MPS_USER, "%s: Function %02X MsgFlags %02X\n", __func__,
	- function, tmphdr.MsgFlags);
	+ function, tmphdr->MsgFlags);

	/*
	* Handle a passthru TM request.
	@@ -836,7 +836,7 @@

	/* Copy the header in. Only a small fixup is needed. */
	task = (MPI2_SCSI_TASK_MANAGE_REQUEST *)cm->cm_req;
	- bcopy(&tmphdr, task, data->RequestSize);
	+ memcpy(task, req, data->RequestSize);
	task->TaskMID = cm->cm_desc.Default.SMID;

	cm->cm_data = NULL;
	@@ -883,7 +883,6 @@

	mps_lock(sc);
	cm = mps_alloc_command(sc);
	-
	if (cm == NULL) {
	mps_printf(sc, "%s: no mps requests\n", __func__);
	err = ENOMEM;
	@@ -892,7 +891,7 @@
	mps_unlock(sc);

	hdr = (MPI2_REQUEST_HEADER *)cm->cm_req;
	- bcopy(&tmphdr, hdr, data->RequestSize);
	+ memcpy(hdr, req, data->RequestSize);

	/*
	* Do some checking to make sure the IOCTL request contains a valid
	@@ -1059,6 +1058,7 @@
	Ret:
	sc->mps_flags &= ~MPS_FLAGS_BUSY;
	mps_unlock(sc);
	+ free(req, M_MPSUSER);

	return (err);
	}

File Metadata

Mime Type: text/plain
Expires: Thu, Jan 16, 6:21 AM (20 h, 8 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 15818271
Default Alt Text: D27963.diff (4 KB)

D27963.diffNo OneTemporaryActions

D27963.diffView Options

File Metadata

Event Timeline

D27963.diff
No OneTemporary
Actions

D27963.diff
View Options