iwmc3200wifi: Test of wrong pointer after kzalloc in iwm_mlme_update_bss_table()

[safe/jmp/linux-2.6] / drivers / char / sx.c

diff --git a/drivers/char/sx.c b/drivers/char/sx.c
index 2162439..a81ec4f 100644 (file)
--- a/drivers/char/sx.c
+++ b/drivers/char/sx.c
@@ -216,6 +216,7 @@
 #include <linux/eisa.h>
 #include <linux/pci.h>
 #include <linux/slab.h>
+#include <linux/smp_lock.h>
 #include <linux/init.h>
 #include <linux/miscdevice.h>
 #include <linux/bitops.h>
@@ -279,15 +280,15 @@ static void sx_disable_tx_interrupts(void *ptr);
 static void sx_enable_tx_interrupts(void *ptr);
 static void sx_disable_rx_interrupts(void *ptr);
 static void sx_enable_rx_interrupts(void *ptr);
-static int sx_get_CD(void *ptr);
+static int sx_carrier_raised(struct tty_port *port);
 static void sx_shutdown_port(void *ptr);
 static int sx_set_real_termios(void *ptr);
 static void sx_close(void *ptr);
 static int sx_chars_in_buffer(void *ptr);
 static int sx_init_board(struct sx_board *board);
 static int sx_init_portstructs(int nboards, int nports);
-static int sx_fw_ioctl(struct inode *inode, struct file *filp,
-               unsigned int cmd, unsigned long arg);
+static long sx_fw_ioctl(struct file *filp, unsigned int cmd,
+                                               unsigned long arg);
 static int sx_init_drivers(void);
 
 static struct tty_driver *sx_driver;
@@ -360,7 +361,6 @@ static struct real_driver sx_real_driver = {
        sx_enable_tx_interrupts,
        sx_disable_rx_interrupts,
        sx_enable_rx_interrupts,
-       sx_get_CD,
        sx_shutdown_port,
        sx_set_real_termios,
        sx_chars_in_buffer,
@@ -396,7 +396,7 @@ static struct real_driver sx_real_driver = {
 
 static const struct file_operations sx_fw_fops = {
        .owner = THIS_MODULE,
-       .ioctl = sx_fw_ioctl,
+       .unlocked_ioctl = sx_fw_ioctl,
 };
 
 static struct miscdevice sx_fw_device = {
@@ -791,7 +791,7 @@ static int sx_getsignals(struct sx_port *port)
        sx_dprintk(SX_DEBUG_MODEMSIGNALS, "getsignals: %d/%d  (%d/%d) "
                        "%02x/%02x\n",
                        (o_stat & OP_DTR) != 0, (o_stat & OP_RTS) != 0,
-                       port->c_dcd, sx_get_CD(port),
+                       port->c_dcd, tty_port_carrier_raised(&port->gs.port),
                        sx_read_channel_byte(port, hi_ip),
                        sx_read_channel_byte(port, hi_state));
 
@@ -1190,7 +1190,7 @@ static inline void sx_check_modem_signals(struct sx_port *port)
 
        hi_state = sx_read_channel_byte(port, hi_state);
        sx_dprintk(SX_DEBUG_MODEMSIGNALS, "Checking modem signals (%d/%d)\n",
-                       port->c_dcd, sx_get_CD(port));
+                       port->c_dcd, tty_port_carrier_raised(&port->gs.port));
 
        if (hi_state & ST_BREAK) {
                hi_state &= ~ST_BREAK;
@@ -1202,11 +1202,11 @@ static inline void sx_check_modem_signals(struct sx_port *port)
                hi_state &= ~ST_DCD;
                sx_dprintk(SX_DEBUG_MODEMSIGNALS, "got a DCD change.\n");
                sx_write_channel_byte(port, hi_state, hi_state);
-               c_dcd = sx_get_CD(port);
+               c_dcd = tty_port_carrier_raised(&port->gs.port);
                sx_dprintk(SX_DEBUG_MODEMSIGNALS, "DCD is now %d\n", c_dcd);
                if (c_dcd != port->c_dcd) {
                        port->c_dcd = c_dcd;
-                       if (sx_get_CD(port)) {
+                       if (tty_port_carrier_raised(&port->gs.port)) {
                                /* DCD went UP */
                                if ((sx_read_channel_byte(port, hi_hstat) !=
                                                HS_IDLE_CLOSED) &&
@@ -1415,13 +1415,10 @@ static void sx_enable_rx_interrupts(void *ptr)
 }
 
 /* Jeez. Isn't this simple? */
-static int sx_get_CD(void *ptr)
+static int sx_carrier_raised(struct tty_port *port)
 {
-       struct sx_port *port = ptr;
-       func_enter2();
-
-       func_exit();
-       return ((sx_read_channel_byte(port, hi_ip) & IP_DCD) != 0);
+       struct sx_port *sp = container_of(port, struct sx_port, gs.port);
+       return ((sx_read_channel_byte(sp, hi_ip) & IP_DCD) != 0);
 }
 
 /* Jeez. Isn't this simple? */
@@ -1536,7 +1533,7 @@ static int sx_open(struct tty_struct *tty, struct file *filp)
        }
        /* tty->low_latency = 1; */
 
-       port->c_dcd = sx_get_CD(port);
+       port->c_dcd = sx_carrier_raised(&port->gs.port);
        sx_dprintk(SX_DEBUG_OPEN, "at open: cd=%d\n", port->c_dcd);
 
        func_exit();
@@ -1686,10 +1683,10 @@ static int do_memtest_w(struct sx_board *board, int min, int max)
 }
 #endif
 
-static int sx_fw_ioctl(struct inode *inode, struct file *filp,
-               unsigned int cmd, unsigned long arg)
+static long sx_fw_ioctl(struct file *filp, unsigned int cmd,
+                                                       unsigned long arg)
 {
-       int rc = 0;
+       long rc = 0;
        int __user *descr = (int __user *)arg;
        int i;
        static struct sx_board *board = NULL;
@@ -1699,13 +1696,10 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
 
        func_enter();
 
-#if 0
-       /* Removed superuser check: Sysops can use the permissions on the device
-          file to restrict access. Recommendation: Root only. (root.root 600) */
-       if (!capable(CAP_SYS_ADMIN)) {
+       if (!capable(CAP_SYS_RAWIO))
                return -EPERM;
-       }
-#endif
+
+       lock_kernel();
 
        sx_dprintk(SX_DEBUG_FIRMWARE, "IOCTL %x: %lx\n", cmd, arg);
 
@@ -1720,19 +1714,23 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                for (i = 0; i < SX_NBOARDS; i++)
                        sx_dprintk(SX_DEBUG_FIRMWARE, "<%x> ", boards[i].flags);
                sx_dprintk(SX_DEBUG_FIRMWARE, "\n");
-               return -EIO;
+               rc = -EIO;
+               goto out;
        }
 
        switch (cmd) {
        case SXIO_SET_BOARD:
                sx_dprintk(SX_DEBUG_FIRMWARE, "set board to %ld\n", arg);
+               rc = -EIO;
                if (arg >= SX_NBOARDS)
-                       return -EIO;
+                       break;
                sx_dprintk(SX_DEBUG_FIRMWARE, "not out of range\n");
                if (!(boards[arg].flags & SX_BOARD_PRESENT))
-                       return -EIO;
+                       break;
                sx_dprintk(SX_DEBUG_FIRMWARE, ".. and present!\n");
                board = &boards[arg];
+               rc = 0;
+               /* FIXME: And this does ... nothing?? */
                break;
        case SXIO_GET_TYPE:
                rc = -ENOENT;   /* If we manage to miss one, return error. */
@@ -1746,11 +1744,13 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                        rc = SX_TYPE_SI;
                if (IS_EISA_BOARD(board))
                        rc = SX_TYPE_SI;
-               sx_dprintk(SX_DEBUG_FIRMWARE, "returning type= %d\n", rc);
+               sx_dprintk(SX_DEBUG_FIRMWARE, "returning type= %ld\n", rc);
                break;
        case SXIO_DO_RAMTEST:
-               if (sx_initialized)     /* Already initialized: better not ramtest the board.  */
-                       return -EPERM;
+               if (sx_initialized) {   /* Already initialized: better not ramtest the board.  */
+                       rc = -EPERM;
+                       break;
+               }
                if (IS_SX_BOARD(board)) {
                        rc = do_memtest(board, 0, 0x7000);
                        if (!rc)
@@ -1760,19 +1760,26 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                        rc = do_memtest(board, 0, 0x7ff8);
                        /* if (!rc) rc = do_memtest_w (board, 0, 0x7ff8); */
                }
-               sx_dprintk(SX_DEBUG_FIRMWARE, "returning memtest result= %d\n",
-                          rc);
+               sx_dprintk(SX_DEBUG_FIRMWARE,
+                               "returning memtest result= %ld\n", rc);
                break;
        case SXIO_DOWNLOAD:
-               if (sx_initialized)     /* Already initialized */
-                       return -EEXIST;
-               if (!sx_reset(board))
-                       return -EIO;
+               if (sx_initialized) {/* Already initialized */
+                       rc = -EEXIST;
+                       break;
+               }
+               if (!sx_reset(board)) {
+                       rc = -EIO;
+                       break;
+               }
                sx_dprintk(SX_DEBUG_INIT, "reset the board...\n");
 
                tmp = kmalloc(SX_CHUNK_SIZE, GFP_USER);
-               if (!tmp)
-                       return -ENOMEM;
+               if (!tmp) {
+                       rc = -ENOMEM;
+                       break;
+               }
+               /* FIXME: check returns */
                get_user(nbytes, descr++);
                get_user(offset, descr++);
                get_user(data, descr++);
@@ -1782,7 +1789,8 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                                                (i + SX_CHUNK_SIZE > nbytes) ?
                                                nbytes - i : SX_CHUNK_SIZE)) {
                                        kfree(tmp);
-                                       return -EFAULT;
+                                       rc = -EFAULT;
+                                       goto out;
                                }
                                memcpy_toio(board->base2 + offset + i, tmp,
                                                (i + SX_CHUNK_SIZE > nbytes) ?
@@ -1798,13 +1806,17 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                rc = sx_nports;
                break;
        case SXIO_INIT:
-               if (sx_initialized)     /* Already initialized */
-                       return -EEXIST;
+               if (sx_initialized) {   /* Already initialized */
+                       rc = -EEXIST;
+                       break;
+               }
                /* This is not allowed until all boards are initialized... */
                for (i = 0; i < SX_NBOARDS; i++) {
                        if ((boards[i].flags & SX_BOARD_PRESENT) &&
-                               !(boards[i].flags & SX_BOARD_INITIALIZED))
-                               return -EIO;
+                               !(boards[i].flags & SX_BOARD_INITIALIZED)) {
+                               rc = -EIO;
+                               break;
+                       }
                }
                for (i = 0; i < SX_NBOARDS; i++)
                        if (!(boards[i].flags & SX_BOARD_PRESENT))
@@ -1832,10 +1844,11 @@ static int sx_fw_ioctl(struct inode *inode, struct file *filp,
                rc = sx_nports;
                break;
        default:
-               printk(KERN_WARNING "Unknown ioctl on firmware device (%x).\n",
-                               cmd);
+               rc = -ENOTTY;
                break;
        }
+out:
+       unlock_kernel();
        func_exit();
        return rc;
 }
@@ -1932,7 +1945,7 @@ static int sx_ioctl(struct tty_struct *tty, struct file *filp,
 
 static void sx_throttle(struct tty_struct *tty)
 {
-       struct sx_port *port = (struct sx_port *)tty->driver_data;
+       struct sx_port *port = tty->driver_data;
 
        func_enter2();
        /* If the port is using any type of input flow
@@ -1946,7 +1959,7 @@ static void sx_throttle(struct tty_struct *tty)
 
 static void sx_unthrottle(struct tty_struct *tty)
 {
-       struct sx_port *port = (struct sx_port *)tty->driver_data;
+       struct sx_port *port = tty->driver_data;
 
        func_enter2();
        /* Always unthrottle even if flow control is not enabled on
@@ -2341,6 +2354,10 @@ static const struct tty_operations sx_ops = {
        .tiocmset = sx_tiocmset,
 };
 
+static const struct tty_port_operations sx_port_ops = {
+       .carrier_raised = sx_carrier_raised,
+};
+
 static int sx_init_drivers(void)
 {
        int error;
@@ -2397,6 +2414,7 @@ static int sx_init_portstructs(int nboards, int nports)
                for (j = 0; j < boards[i].nports; j++) {
                        sx_dprintk(SX_DEBUG_INIT, "initing port %d\n", j);
                        tty_port_init(&port->gs.port);
+                       port->gs.port.ops = &sx_port_ops;
                        port->gs.magic = SX_MAGIC;
                        port->gs.close_delay = HZ / 2;
                        port->gs.closing_wait = 30 * HZ;
@@ -2491,7 +2509,7 @@ static void __devexit sx_remove_card(struct sx_board *board,
                del_timer(&board->timer);
                if (pdev) {
 #ifdef CONFIG_PCI
-                       pci_iounmap(pdev, board->base);
+                       iounmap(board->base2);
                        pci_release_region(pdev, IS_CF_BOARD(board) ? 3 : 2);
 #endif
                } else {
@@ -2664,7 +2682,7 @@ static int __devinit sx_pci_probe(struct pci_dev *pdev,
        }
        board->hw_base = pci_resource_start(pdev, reg);
        board->base2 =
-       board->base = pci_iomap(pdev, reg, WINDOW_LEN(board));
+       board->base = ioremap_nocache(board->hw_base, WINDOW_LEN(board));
        if (!board->base) {
                dev_err(&pdev->dev, "ioremap failed\n");
                goto err_reg;
@@ -2690,7 +2708,7 @@ static int __devinit sx_pci_probe(struct pci_dev *pdev,
 
        return 0;
 err_unmap:
-       pci_iounmap(pdev, board->base);
+       iounmap(board->base2);
 err_reg:
        pci_release_region(pdev, reg);
 err_flag: