From 4b5f011ff0ae619706fbc4086920efe08daf5002 Mon Sep 17 00:00:00 2001 From: jhb Date: Wed, 16 Dec 2020 00:13:32 +0000 Subject: [PATCH] Use uintptr_t instead of unsigned long for pointers. The sense_ptr thing is quite broken. As near as I can tell, the driver tries to copyout to a physical address rather than whatever user address the sense buffer should be copied to. It is not immediately obvious what user address the sense buffer should be copied to. Reviewed by: imp Obtained from: CheriBSD Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D27578 --- sys/dev/mrsas/mrsas_ioctl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/dev/mrsas/mrsas_ioctl.c b/sys/dev/mrsas/mrsas_ioctl.c index c9b190e9cde4..1044fcbbcf92 100644 --- a/sys/dev/mrsas/mrsas_ioctl.c +++ b/sys/dev/mrsas/mrsas_ioctl.c @@ -136,7 +136,7 @@ mrsas_passthru(struct mrsas_softc *sc, void *arg, u_long ioctlCmd) * iocpacket itself. */ kern_sge32 = (struct mrsas_sge32 *) - ((unsigned long)cmd->frame + user_ioc->sgl_off); + ((uintptr_t)cmd->frame + user_ioc->sgl_off); memset(ioctl_data_tag, 0, (sizeof(bus_dma_tag_t) * MAX_IOCTL_SGE)); memset(ioctl_data_dmamap, 0, (sizeof(bus_dmamap_t) * MAX_IOCTL_SGE)); @@ -243,7 +243,7 @@ mrsas_passthru(struct mrsas_softc *sc, void *arg, u_long ioctlCmd) goto out; } sense_ptr = - (unsigned long *)((unsigned long)cmd->frame + user_ioc->sense_off); + (unsigned long *)((uintptr_t)cmd->frame + user_ioc->sense_off); *sense_ptr = ioctl_sense_phys_addr; } /* @@ -290,9 +290,9 @@ mrsas_passthru(struct mrsas_softc *sc, void *arg, u_long ioctlCmd) * sense_buff points to the location that has the user sense * buffer address */ - sense_ptr = (unsigned long *)((unsigned long)user_ioc->frame.raw + + sense_ptr = (unsigned long *)((uintptr_t)user_ioc->frame.raw + user_ioc->sense_off); - ret = copyout(ioctl_sense_mem, (unsigned long *)*sense_ptr, + ret = copyout(ioctl_sense_mem, (unsigned long *)(uintptr_t)*sense_ptr, user_ioc->sense_len); if (ret) { device_printf(sc->mrsas_dev, "IOCTL sense copyout failed!\n"); -- 2.41.0