ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1818

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	drivers/message/i2o/i2o_config.c
Line in file:	507
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC
Source:

   1/*
   2 * I2O Configuration Interface Driver
   3 *
   4 * (C) Copyright 1999-2002  Red Hat
   5 *
   6 * Written by Alan Cox, Building Number Three Ltd
   7 *
   8 * Fixes/additions:
   9 *        Deepak Saxena (04/20/1999):
  10 *                Added basic ioctl() support
  11 *        Deepak Saxena (06/07/1999):
  12 *                Added software download ioctl (still testing)
  13 *        Auvo H��kkinen (09/10/1999):
  14 *                Changes to i2o_cfg_reply(), ioctl_parms()
  15 *                Added ioct_validate()
  16 *        Taneli V��h��kangas (09/30/1999):
  17 *                Fixed ioctl_swdl()
  18 *        Taneli V��h��kangas (10/04/1999):
  19 *                Changed ioctl_swdl(), implemented ioctl_swul() and ioctl_swdel()
  20 *        Deepak Saxena (11/18/1999):
  21 *                Added event managmenet support
  22 *        Alan Cox <alan@redhat.com>:
  23 *                2.4 rewrite ported to 2.5
  24 *        Markus Lidel <Markus.Lidel@shadowconnect.com>:
  25 *                Added pass-thru support for Adaptec's raidutils
  26 *
  27 * This program is free software; you can redistribute it and/or
  28 * modify it under the terms of the GNU General Public License
  29 * as published by the Free Software Foundation; either version
  30 * 2 of the License, or (at your option) any later version.
  31 */
  32
  33#include <linux/miscdevice.h>
  34#include <linux/smp_lock.h>
  35#include <linux/compat.h>
  36
  37#include <asm/uaccess.h>
  38
  39#include "core.h"
  40
  41#define SG_TABLESIZE                30
  42
  43static int i2o_cfg_ioctl(struct inode *, struct file *, unsigned int,
  44                         unsigned long);
  45
  46static spinlock_t i2o_config_lock;
  47
  48#define MODINC(x,y) ((x) = ((x) + 1) % (y))
  49
  50struct sg_simple_element {
  51        u32 flag_count;
  52        u32 addr_bus;
  53};
  54
  55struct i2o_cfg_info {
  56        struct file *fp;
  57        struct fasync_struct *fasync;
  58        struct i2o_evt_info event_q[I2O_EVT_Q_LEN];
  59        u16 q_in;                // Queue head index
  60        u16 q_out;                // Queue tail index
  61        u16 q_len;                // Queue length
  62        u16 q_lost;                // Number of lost events
  63        ulong q_id;                // Event queue ID...used as tx_context
  64        struct i2o_cfg_info *next;
  65};
  66static struct i2o_cfg_info *open_files = NULL;
  67static ulong i2o_cfg_info_id = 0;
  68
  69static int i2o_cfg_getiops(unsigned long arg)
  70{
  71        struct i2o_controller *c;
  72        u8 __user *user_iop_table = (void __user *)arg;
  73        u8 tmp[MAX_I2O_CONTROLLERS];
  74        int ret = 0;
  75
  76        memset(tmp, 0, MAX_I2O_CONTROLLERS);
  77
  78        list_for_each_entry(c, &i2o_controllers, list)
  79            tmp[c->unit] = 1;
  80
  81        if (copy_to_user(user_iop_table, tmp, MAX_I2O_CONTROLLERS))
  82                ret = -EFAULT;
  83
  84        return ret;
  85};
  86
  87static int i2o_cfg_gethrt(unsigned long arg)
  88{
  89        struct i2o_controller *c;
  90        struct i2o_cmd_hrtlct __user *cmd = (struct i2o_cmd_hrtlct __user *)arg;
  91        struct i2o_cmd_hrtlct kcmd;
  92        i2o_hrt *hrt;
  93        int len;
  94        u32 reslen;
  95        int ret = 0;
  96
  97        if (copy_from_user(&kcmd, cmd, sizeof(struct i2o_cmd_hrtlct)))
  98                return -EFAULT;
  99
 100        if (get_user(reslen, kcmd.reslen) < 0)
 101                return -EFAULT;
 102
 103        if (kcmd.resbuf == NULL)
 104                return -EFAULT;
 105
 106        c = i2o_find_iop(kcmd.iop);
 107        if (!c)
 108                return -ENXIO;
 109
 110        hrt = (i2o_hrt *) c->hrt.virt;
 111
 112        len = 8 + ((hrt->entry_len * hrt->num_entries) << 2);
 113
 114        /* We did a get user...so assuming mem is ok...is this bad? */
 115        put_user(len, kcmd.reslen);
 116        if (len > reslen)
 117                ret = -ENOBUFS;
 118        if (copy_to_user(kcmd.resbuf, (void *)hrt, len))
 119                ret = -EFAULT;
 120
 121        return ret;
 122};
 123
 124static int i2o_cfg_getlct(unsigned long arg)
 125{
 126        struct i2o_controller *c;
 127        struct i2o_cmd_hrtlct __user *cmd = (struct i2o_cmd_hrtlct __user *)arg;
 128        struct i2o_cmd_hrtlct kcmd;
 129        i2o_lct *lct;
 130        int len;
 131        int ret = 0;
 132        u32 reslen;
 133
 134        if (copy_from_user(&kcmd, cmd, sizeof(struct i2o_cmd_hrtlct)))
 135                return -EFAULT;
 136
 137        if (get_user(reslen, kcmd.reslen) < 0)
 138                return -EFAULT;
 139
 140        if (kcmd.resbuf == NULL)
 141                return -EFAULT;
 142
 143        c = i2o_find_iop(kcmd.iop);
 144        if (!c)
 145                return -ENXIO;
 146
 147        lct = (i2o_lct *) c->lct;
 148
 149        len = (unsigned int)lct->table_size << 2;
 150        put_user(len, kcmd.reslen);
 151        if (len > reslen)
 152                ret = -ENOBUFS;
 153        else if (copy_to_user(kcmd.resbuf, lct, len))
 154                ret = -EFAULT;
 155
 156        return ret;
 157};
 158
 159static int i2o_cfg_parms(unsigned long arg, unsigned int type)
 160{
 161        int ret = 0;
 162        struct i2o_controller *c;
 163        struct i2o_device *dev;
 164        struct i2o_cmd_psetget __user *cmd =
 165            (struct i2o_cmd_psetget __user *)arg;
 166        struct i2o_cmd_psetget kcmd;
 167        u32 reslen;
 168        u8 *ops;
 169        u8 *res;
 170        int len = 0;
 171
 172        u32 i2o_cmd = (type == I2OPARMGET ?
 173                       I2O_CMD_UTIL_PARAMS_GET : I2O_CMD_UTIL_PARAMS_SET);
 174
 175        if (copy_from_user(&kcmd, cmd, sizeof(struct i2o_cmd_psetget)))
 176                return -EFAULT;
 177
 178        if (get_user(reslen, kcmd.reslen))
 179                return -EFAULT;
 180
 181        c = i2o_find_iop(kcmd.iop);
 182        if (!c)
 183                return -ENXIO;
 184
 185        dev = i2o_iop_find_device(c, kcmd.tid);
 186        if (!dev)
 187                return -ENXIO;
 188
 189        ops = kmalloc(kcmd.oplen, GFP_KERNEL);
 190        if (!ops)
 191                return -ENOMEM;
 192
 193        if (copy_from_user(ops, kcmd.opbuf, kcmd.oplen)) {
 194                kfree(ops);
 195                return -EFAULT;
 196        }
 197
 198        /*
 199         * It's possible to have a _very_ large table
 200         * and that the user asks for all of it at once...
 201         */
 202        res = kmalloc(65536, GFP_KERNEL);
 203        if (!res) {
 204                kfree(ops);
 205                return -ENOMEM;
 206        }
 207
 208        len = i2o_parm_issue(dev, i2o_cmd, ops, kcmd.oplen, res, 65536);
 209        kfree(ops);
 210
 211        if (len < 0) {
 212                kfree(res);
 213                return -EAGAIN;
 214        }
 215
 216        put_user(len, kcmd.reslen);
 217        if (len > reslen)
 218                ret = -ENOBUFS;
 219        else if (copy_to_user(kcmd.resbuf, res, len))
 220                ret = -EFAULT;
 221
 222        kfree(res);
 223
 224        return ret;
 225};
 226
 227static int i2o_cfg_swdl(unsigned long arg)
 228{
 229        struct i2o_sw_xfer kxfer;
 230        struct i2o_sw_xfer __user *pxfer = (struct i2o_sw_xfer __user *)arg;
 231        unsigned char maxfrag = 0, curfrag = 1;
 232        struct i2o_dma buffer;
 233        struct i2o_message *msg;
 234        unsigned int status = 0, swlen = 0, fragsize = 8192;
 235        struct i2o_controller *c;
 236
 237        if (copy_from_user(&kxfer, pxfer, sizeof(struct i2o_sw_xfer)))
 238                return -EFAULT;
 239
 240        if (get_user(swlen, kxfer.swlen) < 0)
 241                return -EFAULT;
 242
 243        if (get_user(maxfrag, kxfer.maxfrag) < 0)
 244                return -EFAULT;
 245
 246        if (get_user(curfrag, kxfer.curfrag) < 0)
 247                return -EFAULT;
 248
 249        if (curfrag == maxfrag)
 250                fragsize = swlen - (maxfrag - 1) * 8192;
 251
 252        if (!kxfer.buf || !access_ok(VERIFY_READ, kxfer.buf, fragsize))
 253                return -EFAULT;
 254
 255        c = i2o_find_iop(kxfer.iop);
 256        if (!c)
 257                return -ENXIO;
 258
 259        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 260        if (IS_ERR(msg))
 261                return PTR_ERR(msg);
 262
 263        if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) {
 264                i2o_msg_nop(c, msg);
 265                return -ENOMEM;
 266        }
 267
 268        if (__copy_from_user(buffer.virt, kxfer.buf, fragsize)) {
 269                i2o_msg_nop(c, msg);
 270                i2o_dma_free(&c->pdev->dev, &buffer);
 271                return -EFAULT;
 272        }
 273
 274        msg->u.head[0] = cpu_to_le32(NINE_WORD_MSG_SIZE | SGL_OFFSET_7);
 275        msg->u.head[1] =
 276            cpu_to_le32(I2O_CMD_SW_DOWNLOAD << 24 | HOST_TID << 12 |
 277                        ADAPTER_TID);
 278        msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
 279        msg->u.head[3] = cpu_to_le32(0);
 280        msg->body[0] =
 281            cpu_to_le32((((u32) kxfer.flags) << 24) | (((u32) kxfer.
 282                                                        sw_type) << 16) |
 283                        (((u32) maxfrag) << 8) | (((u32) curfrag)));
 284        msg->body[1] = cpu_to_le32(swlen);
 285        msg->body[2] = cpu_to_le32(kxfer.sw_id);
 286        msg->body[3] = cpu_to_le32(0xD0000000 | fragsize);
 287        msg->body[4] = cpu_to_le32(buffer.phys);
 288
 289        osm_debug("swdl frag %d/%d (size %d)\n", curfrag, maxfrag, fragsize);
 290        status = i2o_msg_post_wait_mem(c, msg, 60, &buffer);
 291
 292        if (status != -ETIMEDOUT)
 293                i2o_dma_free(&c->pdev->dev, &buffer);
 294
 295        if (status != I2O_POST_WAIT_OK) {
 296                // it fails if you try and send frags out of order
 297                // and for some yet unknown reasons too
 298                osm_info("swdl failed, DetailedStatus = %d\n", status);
 299                return status;
 300        }
 301
 302        return 0;
 303};
 304
 305static int i2o_cfg_swul(unsigned long arg)
 306{
 307        struct i2o_sw_xfer kxfer;
 308        struct i2o_sw_xfer __user *pxfer = (struct i2o_sw_xfer __user *)arg;
 309        unsigned char maxfrag = 0, curfrag = 1;
 310        struct i2o_dma buffer;
 311        struct i2o_message *msg;
 312        unsigned int status = 0, swlen = 0, fragsize = 8192;
 313        struct i2o_controller *c;
 314        int ret = 0;
 315
 316        if (copy_from_user(&kxfer, pxfer, sizeof(struct i2o_sw_xfer)))
 317                goto return_fault;
 318
 319        if (get_user(swlen, kxfer.swlen) < 0)
 320                goto return_fault;
 321
 322        if (get_user(maxfrag, kxfer.maxfrag) < 0)
 323                goto return_fault;
 324
 325        if (get_user(curfrag, kxfer.curfrag) < 0)
 326                goto return_fault;
 327
 328        if (curfrag == maxfrag)
 329                fragsize = swlen - (maxfrag - 1) * 8192;
 330
 331        if (!kxfer.buf)
 332                goto return_fault;
 333
 334        c = i2o_find_iop(kxfer.iop);
 335        if (!c)
 336                return -ENXIO;
 337
 338        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 339        if (IS_ERR(msg))
 340                return PTR_ERR(msg);
 341
 342        if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) {
 343                i2o_msg_nop(c, msg);
 344                return -ENOMEM;
 345        }
 346
 347        msg->u.head[0] = cpu_to_le32(NINE_WORD_MSG_SIZE | SGL_OFFSET_7);
 348        msg->u.head[1] =
 349            cpu_to_le32(I2O_CMD_SW_UPLOAD << 24 | HOST_TID << 12 | ADAPTER_TID);
 350        msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
 351        msg->u.head[3] = cpu_to_le32(0);
 352        msg->body[0] =
 353            cpu_to_le32((u32) kxfer.flags << 24 | (u32) kxfer.
 354                        sw_type << 16 | (u32) maxfrag << 8 | (u32) curfrag);
 355        msg->body[1] = cpu_to_le32(swlen);
 356        msg->body[2] = cpu_to_le32(kxfer.sw_id);
 357        msg->body[3] = cpu_to_le32(0xD0000000 | fragsize);
 358        msg->body[4] = cpu_to_le32(buffer.phys);
 359
 360        osm_debug("swul frag %d/%d (size %d)\n", curfrag, maxfrag, fragsize);
 361        status = i2o_msg_post_wait_mem(c, msg, 60, &buffer);
 362
 363        if (status != I2O_POST_WAIT_OK) {
 364                if (status != -ETIMEDOUT)
 365                        i2o_dma_free(&c->pdev->dev, &buffer);
 366
 367                osm_info("swul failed, DetailedStatus = %d\n", status);
 368                return status;
 369        }
 370
 371        if (copy_to_user(kxfer.buf, buffer.virt, fragsize))
 372                ret = -EFAULT;
 373
 374        i2o_dma_free(&c->pdev->dev, &buffer);
 375
 376      return_ret:
 377        return ret;
 378      return_fault:
 379        ret = -EFAULT;
 380        goto return_ret;
 381};
 382
 383static int i2o_cfg_swdel(unsigned long arg)
 384{
 385        struct i2o_controller *c;
 386        struct i2o_sw_xfer kxfer;
 387        struct i2o_sw_xfer __user *pxfer = (struct i2o_sw_xfer __user *)arg;
 388        struct i2o_message *msg;
 389        unsigned int swlen;
 390        int token;
 391
 392        if (copy_from_user(&kxfer, pxfer, sizeof(struct i2o_sw_xfer)))
 393                return -EFAULT;
 394
 395        if (get_user(swlen, kxfer.swlen) < 0)
 396                return -EFAULT;
 397
 398        c = i2o_find_iop(kxfer.iop);
 399        if (!c)
 400                return -ENXIO;
 401
 402        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 403        if (IS_ERR(msg))
 404                return PTR_ERR(msg);
 405
 406        msg->u.head[0] = cpu_to_le32(SEVEN_WORD_MSG_SIZE | SGL_OFFSET_0);
 407        msg->u.head[1] =
 408            cpu_to_le32(I2O_CMD_SW_REMOVE << 24 | HOST_TID << 12 | ADAPTER_TID);
 409        msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
 410        msg->u.head[3] = cpu_to_le32(0);
 411        msg->body[0] =
 412            cpu_to_le32((u32) kxfer.flags << 24 | (u32) kxfer.sw_type << 16);
 413        msg->body[1] = cpu_to_le32(swlen);
 414        msg->body[2] = cpu_to_le32(kxfer.sw_id);
 415
 416        token = i2o_msg_post_wait(c, msg, 10);
 417
 418        if (token != I2O_POST_WAIT_OK) {
 419                osm_info("swdel failed, DetailedStatus = %d\n", token);
 420                return -ETIMEDOUT;
 421        }
 422
 423        return 0;
 424};
 425
 426static int i2o_cfg_validate(unsigned long arg)
 427{
 428        int token;
 429        int iop = (int)arg;
 430        struct i2o_message *msg;
 431        struct i2o_controller *c;
 432
 433        c = i2o_find_iop(iop);
 434        if (!c)
 435                return -ENXIO;
 436
 437        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 438        if (IS_ERR(msg))
 439                return PTR_ERR(msg);
 440
 441        msg->u.head[0] = cpu_to_le32(FOUR_WORD_MSG_SIZE | SGL_OFFSET_0);
 442        msg->u.head[1] =
 443            cpu_to_le32(I2O_CMD_CONFIG_VALIDATE << 24 | HOST_TID << 12 | iop);
 444        msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
 445        msg->u.head[3] = cpu_to_le32(0);
 446
 447        token = i2o_msg_post_wait(c, msg, 10);
 448
 449        if (token != I2O_POST_WAIT_OK) {
 450                osm_info("Can't validate configuration, ErrorStatus = %d\n",
 451                         token);
 452                return -ETIMEDOUT;
 453        }
 454
 455        return 0;
 456};
 457
 458static int i2o_cfg_evt_reg(unsigned long arg, struct file *fp)
 459{
 460        struct i2o_message *msg;
 461        struct i2o_evt_id __user *pdesc = (struct i2o_evt_id __user *)arg;
 462        struct i2o_evt_id kdesc;
 463        struct i2o_controller *c;
 464        struct i2o_device *d;
 465
 466        if (copy_from_user(&kdesc, pdesc, sizeof(struct i2o_evt_id)))
 467                return -EFAULT;
 468
 469        /* IOP exists? */
 470        c = i2o_find_iop(kdesc.iop);
 471        if (!c)
 472                return -ENXIO;
 473
 474        /* Device exists? */
 475        d = i2o_iop_find_device(c, kdesc.tid);
 476        if (!d)
 477                return -ENODEV;
 478
 479        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 480        if (IS_ERR(msg))
 481                return PTR_ERR(msg);
 482
 483        msg->u.head[0] = cpu_to_le32(FOUR_WORD_MSG_SIZE | SGL_OFFSET_0);
 484        msg->u.head[1] =
 485            cpu_to_le32(I2O_CMD_UTIL_EVT_REGISTER << 24 | HOST_TID << 12 |
 486                        kdesc.tid);
 487        msg->u.head[2] = cpu_to_le32(i2o_config_driver.context);
 488        msg->u.head[3] = cpu_to_le32(i2o_cntxt_list_add(c, fp->private_data));
 489        msg->body[0] = cpu_to_le32(kdesc.evt_mask);
 490
 491        i2o_msg_post(c, msg);
 492
 493        return 0;
 494}
 495
 496static int i2o_cfg_evt_get(unsigned long arg, struct file *fp)
 497{
 498        struct i2o_cfg_info *p = NULL;
 499        struct i2o_evt_get __user *uget = (struct i2o_evt_get __user *)arg;
 500        struct i2o_evt_get kget;
 501        unsigned long flags;
 502
 503        for (p = open_files; p; p = p->next)
 504                if (p->q_id == (ulong) fp->private_data)
 505                        break;
 506
 507        if (!p->q_len)
 508                return -ENOENT;
 509
 510        memcpy(&kget.info, &p->event_q[p->q_out], sizeof(struct i2o_evt_info));
 511        MODINC(p->q_out, I2O_EVT_Q_LEN);
 512        spin_lock_irqsave(&i2o_config_lock, flags);
 513        p->q_len--;
 514        kget.pending = p->q_len;
 515        kget.lost = p->q_lost;
 516        spin_unlock_irqrestore(&i2o_config_lock, flags);
 517
 518        if (copy_to_user(uget, &kget, sizeof(struct i2o_evt_get)))
 519                return -EFAULT;
 520        return 0;
 521}
 522
 523#ifdef CONFIG_COMPAT
 524static int i2o_cfg_passthru32(struct file *file, unsigned cmnd,
 525                              unsigned long arg)
 526{
 527        struct i2o_cmd_passthru32 __user *cmd;
 528        struct i2o_controller *c;
 529        u32 __user *user_msg;
 530        u32 *reply = NULL;
 531        u32 __user *user_reply = NULL;
 532        u32 size = 0;
 533        u32 reply_size = 0;
 534        u32 rcode = 0;
 535        struct i2o_dma sg_list[SG_TABLESIZE];
 536        u32 sg_offset = 0;
 537        u32 sg_count = 0;
 538        u32 i = 0;
 539        u32 sg_index = 0;
 540        i2o_status_block *sb;
 541        struct i2o_message *msg;
 542        unsigned int iop;
 543
 544        cmd = (struct i2o_cmd_passthru32 __user *)arg;
 545
 546        if (get_user(iop, &cmd->iop) || get_user(i, &cmd->msg))
 547                return -EFAULT;
 548
 549        user_msg = compat_ptr(i);
 550
 551        c = i2o_find_iop(iop);
 552        if (!c) {
 553                osm_debug("controller %d not found\n", iop);
 554                return -ENXIO;
 555        }
 556
 557        sb = c->status_block.virt;
 558
 559        if (get_user(size, &user_msg[0])) {
 560                osm_warn("unable to get size!\n");
 561                return -EFAULT;
 562        }
 563        size = size >> 16;
 564
 565        if (size > sb->inbound_frame_size) {
 566                osm_warn("size of message > inbound_frame_size");
 567                return -EFAULT;
 568        }
 569
 570        user_reply = &user_msg[size];
 571
 572        size <<= 2;                // Convert to bytes
 573
 574        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 575        if (IS_ERR(msg))
 576                return PTR_ERR(msg);
 577
 578        rcode = -EFAULT;
 579        /* Copy in the user's I2O command */
 580        if (copy_from_user(msg, user_msg, size)) {
 581                osm_warn("unable to copy user message\n");
 582                goto out;
 583        }
 584        i2o_dump_message(msg);
 585
 586        if (get_user(reply_size, &user_reply[0]) < 0)
 587                goto out;
 588
 589        reply_size >>= 16;
 590        reply_size <<= 2;
 591
 592        rcode = -ENOMEM;
 593        reply = kzalloc(reply_size, GFP_KERNEL);
 594        if (!reply) {
 595                printk(KERN_WARNING "%s: Could not allocate reply buffer\n",
 596                       c->name);
 597                goto out;
 598        }
 599
 600        sg_offset = (msg->u.head[0] >> 4) & 0x0f;
 601
 602        memset(sg_list, 0, sizeof(sg_list[0]) * SG_TABLESIZE);
 603        if (sg_offset) {
 604                struct sg_simple_element *sg;
 605
 606                if (sg_offset * 4 >= size) {
 607                        rcode = -EFAULT;
 608                        goto cleanup;
 609                }
 610                // TODO 64bit fix
 611                sg = (struct sg_simple_element *)((&msg->u.head[0]) +
 612                                                  sg_offset);
 613                sg_count =
 614                    (size - sg_offset * 4) / sizeof(struct sg_simple_element);
 615                if (sg_count > SG_TABLESIZE) {
 616                        printk(KERN_DEBUG "%s:IOCTL SG List too large (%u)\n",
 617                               c->name, sg_count);
 618                        rcode = -EINVAL;
 619                        goto cleanup;
 620                }
 621
 622                for (i = 0; i < sg_count; i++) {
 623                        int sg_size;
 624                        struct i2o_dma *p;
 625
 626                        if (!(sg[i].flag_count & 0x10000000
 627                              /*I2O_SGL_FLAGS_SIMPLE_ADDRESS_ELEMENT */ )) {
 628                                printk(KERN_DEBUG
 629                                       "%s:Bad SG element %d - not simple (%x)\n",
 630                                       c->name, i, sg[i].flag_count);
 631                                rcode = -EINVAL;
 632                                goto cleanup;
 633                        }
 634                        sg_size = sg[i].flag_count & 0xffffff;
 635                        p = &(sg_list[sg_index]);
 636                        /* Allocate memory for the transfer */
 637                        if (i2o_dma_alloc(&c->pdev->dev, p, sg_size)) {
 638                                printk(KERN_DEBUG
 639                                       "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
 640                                       c->name, sg_size, i, sg_count);
 641                                rcode = -ENOMEM;
 642                                goto sg_list_cleanup;
 643                        }
 644                        sg_index++;
 645                        /* Copy in the user's SG buffer if necessary */
 646                        if (sg[i].
 647                            flag_count & 0x04000000 /*I2O_SGL_FLAGS_DIR */ ) {
 648                                // TODO 64bit fix
 649                                if (copy_from_user
 650                                    (p->virt,
 651                                     (void __user *)(unsigned long)sg[i].
 652                                     addr_bus, sg_size)) {
 653                                        printk(KERN_DEBUG
 654                                               "%s: Could not copy SG buf %d FROM user\n",
 655                                               c->name, i);
 656                                        rcode = -EFAULT;
 657                                        goto sg_list_cleanup;
 658                                }
 659                        }
 660                        //TODO 64bit fix
 661                        sg[i].addr_bus = (u32) p->phys;
 662                }
 663        }
 664
 665        rcode = i2o_msg_post_wait(c, msg, 60);
 666        msg = NULL;
 667        if (rcode) {
 668                reply[4] = ((u32) rcode) << 24;
 669                goto sg_list_cleanup;
 670        }
 671
 672        if (sg_offset) {
 673                u32 rmsg[I2O_OUTBOUND_MSG_FRAME_SIZE];
 674                /* Copy back the Scatter Gather buffers back to user space */
 675                u32 j;
 676                // TODO 64bit fix
 677                struct sg_simple_element *sg;
 678                int sg_size;
 679
 680                // re-acquire the original message to handle correctly the sg copy operation
 681                memset(&rmsg, 0, I2O_OUTBOUND_MSG_FRAME_SIZE * 4);
 682                // get user msg size in u32s
 683                if (get_user(size, &user_msg[0])) {
 684                        rcode = -EFAULT;
 685                        goto sg_list_cleanup;
 686                }
 687                size = size >> 16;
 688                size *= 4;
 689                /* Copy in the user's I2O command */
 690                if (copy_from_user(rmsg, user_msg, size)) {
 691                        rcode = -EFAULT;
 692                        goto sg_list_cleanup;
 693                }
 694                sg_count =
 695                    (size - sg_offset * 4) / sizeof(struct sg_simple_element);
 696
 697                // TODO 64bit fix
 698                sg = (struct sg_simple_element *)(rmsg + sg_offset);
 699                for (j = 0; j < sg_count; j++) {
 700                        /* Copy out the SG list to user's buffer if necessary */
 701                        if (!
 702                            (sg[j].
 703                             flag_count & 0x4000000 /*I2O_SGL_FLAGS_DIR */ )) {
 704                                sg_size = sg[j].flag_count & 0xffffff;
 705                                // TODO 64bit fix
 706                                if (copy_to_user
 707                                    ((void __user *)(u64) sg[j].addr_bus,
 708                                     sg_list[j].virt, sg_size)) {
 709                                        printk(KERN_WARNING
 710                                               "%s: Could not copy %p TO user %x\n",
 711                                               c->name, sg_list[j].virt,
 712                                               sg[j].addr_bus);
 713                                        rcode = -EFAULT;
 714                                        goto sg_list_cleanup;
 715                                }
 716                        }
 717                }
 718        }
 719
 720sg_list_cleanup:
 721        /* Copy back the reply to user space */
 722        if (reply_size) {
 723                // we wrote our own values for context - now restore the user supplied ones
 724                if (copy_from_user(reply + 2, user_msg + 2, sizeof(u32) * 2)) {
 725                        printk(KERN_WARNING
 726                               "%s: Could not copy message context FROM user\n",
 727                               c->name);
 728                        rcode = -EFAULT;
 729                }
 730                if (copy_to_user(user_reply, reply, reply_size)) {
 731                        printk(KERN_WARNING
 732                               "%s: Could not copy reply TO user\n", c->name);
 733                        rcode = -EFAULT;
 734                }
 735        }
 736        for (i = 0; i < sg_index; i++)
 737                i2o_dma_free(&c->pdev->dev, &sg_list[i]);
 738
 739cleanup:
 740        kfree(reply);
 741out:
 742        if (msg)
 743                i2o_msg_nop(c, msg);
 744        return rcode;
 745}
 746
 747static long i2o_cfg_compat_ioctl(struct file *file, unsigned cmd,
 748                                 unsigned long arg)
 749{
 750        int ret;
 751        lock_kernel();
 752        switch (cmd) {
 753        case I2OGETIOPS:
 754                ret = i2o_cfg_ioctl(NULL, file, cmd, arg);
 755                break;
 756        case I2OPASSTHRU32:
 757                ret = i2o_cfg_passthru32(file, cmd, arg);
 758                break;
 759        default:
 760                ret = -ENOIOCTLCMD;
 761                break;
 762        }
 763        unlock_kernel();
 764        return ret;
 765}
 766
 767#endif
 768
 769#ifdef CONFIG_I2O_EXT_ADAPTEC
 770static int i2o_cfg_passthru(unsigned long arg)
 771{
 772        struct i2o_cmd_passthru __user *cmd =
 773            (struct i2o_cmd_passthru __user *)arg;
 774        struct i2o_controller *c;
 775        u32 __user *user_msg;
 776        u32 *reply = NULL;
 777        u32 __user *user_reply = NULL;
 778        u32 size = 0;
 779        u32 reply_size = 0;
 780        u32 rcode = 0;
 781        struct i2o_dma sg_list[SG_TABLESIZE];
 782        u32 sg_offset = 0;
 783        u32 sg_count = 0;
 784        int sg_index = 0;
 785        u32 i = 0;
 786        i2o_status_block *sb;
 787        struct i2o_message *msg;
 788        unsigned int iop;
 789
 790        if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
 791                return -EFAULT;
 792
 793        c = i2o_find_iop(iop);
 794        if (!c) {
 795                osm_warn("controller %d not found\n", iop);
 796                return -ENXIO;
 797        }
 798
 799        sb = c->status_block.virt;
 800
 801        if (get_user(size, &user_msg[0]))
 802                return -EFAULT;
 803        size = size >> 16;
 804
 805        if (size > sb->inbound_frame_size) {
 806                osm_warn("size of message > inbound_frame_size");
 807                return -EFAULT;
 808        }
 809
 810        user_reply = &user_msg[size];
 811
 812        size <<= 2;                // Convert to bytes
 813
 814        msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET);
 815        if (IS_ERR(msg))
 816                return PTR_ERR(msg);
 817
 818        rcode = -EFAULT;
 819        /* Copy in the user's I2O command */
 820        if (copy_from_user(msg, user_msg, size))
 821                goto out;
 822
 823        if (get_user(reply_size, &user_reply[0]) < 0)
 824                goto out;
 825
 826        reply_size >>= 16;
 827        reply_size <<= 2;
 828
 829        reply = kzalloc(reply_size, GFP_KERNEL);
 830        if (!reply) {
 831                printk(KERN_WARNING "%s: Could not allocate reply buffer\n",
 832                       c->name);
 833                rcode = -ENOMEM;
 834                goto out;
 835        }
 836
 837        sg_offset = (msg->u.head[0] >> 4) & 0x0f;
 838
 839        memset(sg_list, 0, sizeof(sg_list[0]) * SG_TABLESIZE);
 840        if (sg_offset) {
 841                struct sg_simple_element *sg;
 842                struct i2o_dma *p;
 843
 844                if (sg_offset * 4 >= size) {
 845                        rcode = -EFAULT;
 846                        goto cleanup;
 847                }
 848                // TODO 64bit fix
 849                sg = (struct sg_simple_element *)((&msg->u.head[0]) +
 850                                                  sg_offset);
 851                sg_count =
 852                    (size - sg_offset * 4) / sizeof(struct sg_simple_element);
 853                if (sg_count > SG_TABLESIZE) {
 854                        printk(KERN_DEBUG "%s:IOCTL SG List too large (%u)\n",
 855                               c->name, sg_count);
 856                        rcode = -EINVAL;
 857                        goto cleanup;
 858                }
 859
 860                for (i = 0; i < sg_count; i++) {
 861                        int sg_size;
 862
 863                        if (!(sg[i].flag_count & 0x10000000
 864                              /*I2O_SGL_FLAGS_SIMPLE_ADDRESS_ELEMENT */ )) {
 865                                printk(KERN_DEBUG
 866                                       "%s:Bad SG element %d - not simple (%x)\n",
 867                                       c->name, i, sg[i].flag_count);
 868                                rcode = -EINVAL;
 869                                goto sg_list_cleanup;
 870                        }
 871                        sg_size = sg[i].flag_count & 0xffffff;
 872                        p = &(sg_list[sg_index]);
 873                        if (i2o_dma_alloc(&c->pdev->dev, p, sg_size)) {
 874                        /* Allocate memory for the transfer */
 875                                printk(KERN_DEBUG
 876                                       "%s: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
 877                                       c->name, sg_size, i, sg_count);
 878                                rcode = -ENOMEM;
 879                                goto sg_list_cleanup;
 880                        }
 881                        sg_index++;
 882                        /* Copy in the user's SG buffer if necessary */
 883                        if (sg[i].
 884                            flag_count & 0x04000000 /*I2O_SGL_FLAGS_DIR */ ) {
 885                                // TODO 64bit fix
 886                                if (copy_from_user
 887                                    (p->virt, (void __user *)sg[i].addr_bus,
 888                                     sg_size)) {
 889                                        printk(KERN_DEBUG
 890                                               "%s: Could not copy SG buf %d FROM user\n",
 891                                               c->name, i);
 892                                        rcode = -EFAULT;
 893                                        goto sg_list_cleanup;
 894                                }
 895                        }
 896                        sg[i].addr_bus = p->phys;
 897                }
 898        }
 899
 900        rcode = i2o_msg_post_wait(c, msg, 60);
 901        msg = NULL;
 902        if (rcode) {
 903                reply[4] = ((u32) rcode) << 24;
 904                goto sg_list_cleanup;
 905        }
 906
 907        if (sg_offset) {
 908                u32 rmsg[I2O_OUTBOUND_MSG_FRAME_SIZE];
 909                /* Copy back the Scatter Gather buffers back to user space */
 910                u32 j;
 911                // TODO 64bit fix
 912                struct sg_simple_element *sg;
 913                int sg_size;
 914
 915                // re-acquire the original message to handle correctly the sg copy operation
 916                memset(&rmsg, 0, I2O_OUTBOUND_MSG_FRAME_SIZE * 4);
 917                // get user msg size in u32s
 918                if (get_user(size, &user_msg[0])) {
 919                        rcode = -EFAULT;
 920                        goto sg_list_cleanup;
 921                }
 922                size = size >> 16;
 923                size *= 4;
 924                /* Copy in the user's I2O command */
 925                if (copy_from_user(rmsg, user_msg, size)) {
 926                        rcode = -EFAULT;
 927                        goto sg_list_cleanup;
 928                }
 929                sg_count =
 930                    (size - sg_offset * 4) / sizeof(struct sg_simple_element);
 931
 932                // TODO 64bit fix
 933                sg = (struct sg_simple_element *)(rmsg + sg_offset);
 934                for (j = 0; j < sg_count; j++) {
 935                        /* Copy out the SG list to user's buffer if necessary */
 936                        if (!
 937                            (sg[j].
 938                             flag_count & 0x4000000 /*I2O_SGL_FLAGS_DIR */ )) {
 939                                sg_size = sg[j].flag_count & 0xffffff;
 940                                // TODO 64bit fix
 941                                if (copy_to_user
 942                                    ((void __user *)sg[j].addr_bus, sg_list[j].virt,
 943                                     sg_size)) {
 944                                        printk(KERN_WARNING
 945                                               "%s: Could not copy %p TO user %x\n",
 946                                               c->name, sg_list[j].virt,
 947                                               sg[j].addr_bus);
 948                                        rcode = -EFAULT;
 949                                        goto sg_list_cleanup;
 950                                }
 951                        }
 952                }
 953        }
 954
 955sg_list_cleanup:
 956        /* Copy back the reply to user space */
 957        if (reply_size) {
 958                // we wrote our own values for context - now restore the user supplied ones
 959                if (copy_from_user(reply + 2, user_msg + 2, sizeof(u32) * 2)) {
 960                        printk(KERN_WARNING
 961                               "%s: Could not copy message context FROM user\n",
 962                               c->name);
 963                        rcode = -EFAULT;
 964                }
 965                if (copy_to_user(user_reply, reply, reply_size)) {
 966                        printk(KERN_WARNING
 967                               "%s: Could not copy reply TO user\n", c->name);
 968                        rcode = -EFAULT;
 969                }
 970        }
 971
 972        for (i = 0; i < sg_index; i++)
 973                i2o_dma_free(&c->pdev->dev, &sg_list[i]);
 974
 975cleanup:
 976        kfree(reply);
 977out:
 978        if (msg)
 979                i2o_msg_nop(c, msg);
 980        return rcode;
 981}
 982#endif
 983
 984/*
 985 * IOCTL Handler
 986 */
 987static int i2o_cfg_ioctl(struct inode *inode, struct file *fp, unsigned int cmd,
 988                         unsigned long arg)
 989{
 990        int ret;
 991
 992        switch (cmd) {
 993        case I2OGETIOPS:
 994                ret = i2o_cfg_getiops(arg);
 995                break;
 996
 997        case I2OHRTGET:
 998                ret = i2o_cfg_gethrt(arg);
 999                break;
1000
1001        case I2OLCTGET:
1002                ret = i2o_cfg_getlct(arg);
1003                break;
1004
1005        case I2OPARMSET:
1006                ret = i2o_cfg_parms(arg, I2OPARMSET);
1007                break;
1008
1009        case I2OPARMGET:
1010                ret = i2o_cfg_parms(arg, I2OPARMGET);
1011                break;
1012
1013        case I2OSWDL:
1014                ret = i2o_cfg_swdl(arg);
1015                break;
1016
1017        case I2OSWUL:
1018                ret = i2o_cfg_swul(arg);
1019                break;
1020
1021        case I2OSWDEL:
1022                ret = i2o_cfg_swdel(arg);
1023                break;
1024
1025        case I2OVALIDATE:
1026                ret = i2o_cfg_validate(arg);
1027                break;
1028
1029        case I2OEVTREG:
1030                ret = i2o_cfg_evt_reg(arg, fp);
1031                break;
1032
1033        case I2OEVTGET:
1034                ret = i2o_cfg_evt_get(arg, fp);
1035                break;
1036
1037#ifdef CONFIG_I2O_EXT_ADAPTEC
1038        case I2OPASSTHRU:
1039                ret = i2o_cfg_passthru(arg);
1040                break;
1041#endif
1042
1043        default:
1044                osm_debug("unknown ioctl called!\n");
1045                ret = -EINVAL;
1046        }
1047
1048        return ret;
1049}
1050
1051static int cfg_open(struct inode *inode, struct file *file)
1052{
1053        struct i2o_cfg_info *tmp =
1054            (struct i2o_cfg_info *)kmalloc(sizeof(struct i2o_cfg_info),
1055                                           GFP_KERNEL);
1056        unsigned long flags;
1057
1058        if (!tmp)
1059                return -ENOMEM;
1060
1061        lock_kernel();
1062        file->private_data = (void *)(i2o_cfg_info_id++);
1063        tmp->fp = file;
1064        tmp->fasync = NULL;
1065        tmp->q_id = (ulong) file->private_data;
1066        tmp->q_len = 0;
1067        tmp->q_in = 0;
1068        tmp->q_out = 0;
1069        tmp->q_lost = 0;
1070        tmp->next = open_files;
1071
1072        spin_lock_irqsave(&i2o_config_lock, flags);
1073        open_files = tmp;
1074        spin_unlock_irqrestore(&i2o_config_lock, flags);
1075        unlock_kernel();
1076
1077        return 0;
1078}
1079
1080static int cfg_fasync(int fd, struct file *fp, int on)
1081{
1082        ulong id = (ulong) fp->private_data;
1083        struct i2o_cfg_info *p;
1084        int ret = -EBADF;
1085
1086        lock_kernel();
1087        for (p = open_files; p; p = p->next)
1088                if (p->q_id == id)
1089                        break;
1090
1091        if (p)
1092                ret = fasync_helper(fd, fp, on, &p->fasync);
1093        unlock_kernel();
1094        return ret;
1095}
1096
1097static int cfg_release(struct inode *inode, struct file *file)
1098{
1099        ulong id = (ulong) file->private_data;
1100        struct i2o_cfg_info *p, **q;
1101        unsigned long flags;
1102
1103        lock_kernel();
1104        spin_lock_irqsave(&i2o_config_lock, flags);
1105        for (q = &open_files; (p = *q) != NULL; q = &p->next) {
1106                if (p->q_id == id) {
1107                        *q = p->next;
1108                        kfree(p);
1109                        break;
1110                }
1111        }
1112        spin_unlock_irqrestore(&i2o_config_lock, flags);
1113        unlock_kernel();
1114
1115        return 0;
1116}
1117
1118static const struct file_operations config_fops = {
1119        .owner = THIS_MODULE,
1120        .llseek = no_llseek,
1121        .ioctl = i2o_cfg_ioctl,
1122#ifdef CONFIG_COMPAT
1123        .compat_ioctl = i2o_cfg_compat_ioctl,
1124#endif
1125        .open = cfg_open,
1126        .release = cfg_release,
1127        .fasync = cfg_fasync,
1128};
1129
1130static struct miscdevice i2o_miscdev = {
1131        I2O_MINOR,
1132        "i2octl",
1133        &config_fops
1134};
1135
1136static int __init i2o_config_old_init(void)
1137{
1138        spin_lock_init(&i2o_config_lock);
1139
1140        if (misc_register(&i2o_miscdev) < 0) {
1141                osm_err("can't register device.\n");
1142                return -EBUSY;
1143        }
1144
1145        return 0;
1146}
1147
1148static void i2o_config_old_exit(void)
1149{
1150        misc_deregister(&i2o_miscdev);
1151}
1152
1153MODULE_AUTHOR("Red Hat Software");