Diffstat (limited to 'queue-3.16/scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch')
-rw-r--r-- | queue-3.16/scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch | 573 |
1 files changed, 573 insertions, 0 deletions
diff --git a/queue-3.16/scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch b/queue-3.16/scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch
new file mode 100644
index 00000000..7a98c275
--- /dev/null
+++ b/queue-3.16/scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch
@@ -0,0 +1,573 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 Jan 2020 15:34:14 +0300
+Subject: scsi: mptfusion: Fix double fetch bug in ioctl
+
+commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream.
+
+Tom Hatskevich reported that we look up "iocp" then, in the called
+functions we do a second copy_from_user() and look it up again.
+The problem that could cause is:
+
+drivers/message/fusion/mptctl.c
+ 674 /* All of these commands require an interrupt or
+ 675 * are unknown/illegal.
+ 676 */
+ 677 if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0)
+ ^^^^
+We take this lock.
+
+ 678 return ret;
+ 679
+ 680 if (cmd == MPTFWDOWNLOAD)
+ 681 ret = mptctl_fw_download(arg);
+ ^^^
+Then the user memory changes and we look up "iocp" again but a different
+one so now we are holding the incorrect lock and have a race condition.
+
+ 682 else if (cmd == MPTCOMMAND)
+ 683 ret = mptctl_mpt_command(arg);
+
+The security impact of this bug is not as bad as it could have been
+because these operations are all privileged and root already has
+enormous destructive power. But it's still worth fixing.
+
+This patch passes the "iocp" pointer to the functions to avoid the
+second lookup. That deletes 100 lines of code from the driver so
+it's a nice clean up as well.
+
+Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam
+Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/message/fusion/mptctl.c | 213 ++++++++------------------------
+ 1 file changed, 50 insertions(+), 163 deletions(-)
+
+--- a/drivers/message/fusion/mptctl.c
++++ b/drivers/message/fusion/mptctl.c
+@@ -100,19 +100,19 @@ struct buflist {
+ * Function prototypes. Called from OS entry point mptctl_ioctl.
+ * arg contents specific to function.
+ */
+-static int mptctl_fw_download(unsigned long arg);
+-static int mptctl_getiocinfo(unsigned long arg, unsigned int cmd);
+-static int mptctl_gettargetinfo(unsigned long arg);
+-static int mptctl_readtest(unsigned long arg);
+-static int mptctl_mpt_command(unsigned long arg);
+-static int mptctl_eventquery(unsigned long arg);
+-static int mptctl_eventenable(unsigned long arg);
+-static int mptctl_eventreport(unsigned long arg);
+-static int mptctl_replace_fw(unsigned long arg);
+-
+-static int mptctl_do_reset(unsigned long arg);
+-static int mptctl_hp_hostinfo(unsigned long arg, unsigned int cmd);
+-static int mptctl_hp_targetinfo(unsigned long arg);
++static int mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_getiocinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
++static int mptctl_gettargetinfo(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_readtest(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_mpt_command(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_eventquery(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_eventenable(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_eventreport(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_replace_fw(MPT_ADAPTER *iocp, unsigned long arg);
++
++static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg);
++static int mptctl_hp_hostinfo(MPT_ADAPTER *iocp, unsigned long arg, unsigned int cmd);
++static int mptctl_hp_targetinfo(MPT_ADAPTER *iocp, unsigned long arg);
+
+ static int mptctl_probe(struct pci_dev *, const struct pci_device_id *);
+ static void mptctl_remove(struct pci_dev *);
+@@ -123,8 +123,8 @@ static long compat_mpctl_ioctl(struct fi
+ /*
+ * Private function calls.
+ */
+-static int mptctl_do_mpt_command(struct mpt_ioctl_command karg, void __user *mfPtr);
+-static int mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen);
++static int mptctl_do_mpt_command(MPT_ADAPTER *iocp, struct mpt_ioctl_command karg, void __user *mfPtr);
++static int mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen);
+ static MptSge_t *kbuf_alloc_2_sgl(int bytes, u32 dir, int sge_offset, int *frags,
+ struct buflist **blp, dma_addr_t *sglbuf_dma, MPT_ADAPTER *ioc);
+ static void kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_dma,
+@@ -656,19 +656,19 @@ __mptctl_ioctl(struct file *file, unsign
+ * by TM and FW reloads.
+ */
+ if ((cmd & ~IOCSIZE_MASK) == (MPTIOCINFO & ~IOCSIZE_MASK)) {
+- return mptctl_getiocinfo(arg, _IOC_SIZE(cmd));
++ return mptctl_getiocinfo(iocp, arg, _IOC_SIZE(cmd));
+ } else if (cmd == MPTTARGETINFO) {
+- return mptctl_gettargetinfo(arg);
++ return mptctl_gettargetinfo(iocp, arg);
+ } else if (cmd == MPTTEST) {
+- return mptctl_readtest(arg);
++ return mptctl_readtest(iocp, arg);
+ } else if (cmd == MPTEVENTQUERY) {
+- return mptctl_eventquery(arg);
++ return mptctl_eventquery(iocp, arg);
+ } else if (cmd == MPTEVENTENABLE) {
+- return mptctl_eventenable(arg);
++ return mptctl_eventenable(iocp, arg);
+ } else if (cmd == MPTEVENTREPORT) {
+- return mptctl_eventreport(arg);
++ return mptctl_eventreport(iocp, arg);
+ } else if (cmd == MPTFWREPLACE) {
+- return mptctl_replace_fw(arg);
++ return mptctl_replace_fw(iocp, arg);
+ }
+
+ /* All of these commands require an interrupt or
+@@ -678,15 +678,15 @@ __mptctl_ioctl(struct file *file, unsign
+ return ret;
+
+ if (cmd == MPTFWDOWNLOAD)
+- ret = mptctl_fw_download(arg);
++ ret = mptctl_fw_download(iocp, arg);
+ else if (cmd == MPTCOMMAND)
+- ret = mptctl_mpt_command(arg);
++ ret = mptctl_mpt_command(iocp, arg);
+ else if (cmd == MPTHARDRESET)
+- ret = mptctl_do_reset(arg);
++ ret = mptctl_do_reset(iocp, arg);
+ else if ((cmd & ~IOCSIZE_MASK) == (HP_GETHOSTINFO & ~IOCSIZE_MASK))
+- ret = mptctl_hp_hostinfo(arg, _IOC_SIZE(cmd));
++ ret = mptctl_hp_hostinfo(iocp, arg, _IOC_SIZE(cmd));
+ else if (cmd == HP_GETTARGETINFO)
+- ret = mptctl_hp_targetinfo(arg);
++ ret = mptctl_hp_targetinfo(iocp, arg);
+ else
+ ret = -EINVAL;
+
+@@ -705,11 +705,10 @@ mptctl_ioctl(struct file *file, unsigned
+ return ret;
+ }
+
+-static int mptctl_do_reset(unsigned long arg)
++static int mptctl_do_reset(MPT_ADAPTER *iocp, unsigned long arg)
+ {
+ struct mpt_ioctl_diag_reset __user *urinfo = (void __user *) arg;
+ struct mpt_ioctl_diag_reset krinfo;
+- MPT_ADAPTER *iocp;
+
+ if (copy_from_user(&krinfo, urinfo, sizeof(struct mpt_ioctl_diag_reset))) {
+ printk(KERN_ERR MYNAM "%s@%d::mptctl_do_reset - "
+@@ -718,12 +717,6 @@ static int mptctl_do_reset(unsigned long
+ return -EFAULT;
+ }
+
+- if (mpt_verify_adapter(krinfo.hdr.iocnum, &iocp) < 0) {
+- printk(KERN_DEBUG MYNAM "%s@%d::mptctl_do_reset - ioc%d not found!\n",
+- __FILE__, __LINE__, krinfo.hdr.iocnum);
+- return -ENODEV; /* (-6) No such device or address */
+- }
+-
+ dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "mptctl_do_reset called.\n",
+ iocp->name));
+
+@@ -754,7 +747,7 @@ static int mptctl_do_reset(unsigned long
+ * -ENOMSG if FW upload returned bad status
+ */
+ static int
+-mptctl_fw_download(unsigned long arg)
++mptctl_fw_download(MPT_ADAPTER *iocp, unsigned long arg)
+ {
+ struct mpt_fw_xfer __user *ufwdl = (void __user *) arg;
+ struct mpt_fw_xfer kfwdl;
+@@ -766,7 +759,7 @@ mptctl_fw_download(unsigned long arg)
+ return -EFAULT;
+ }
+
+- return mptctl_do_fw_download(kfwdl.iocnum, kfwdl.bufp, kfwdl.fwlen);
++ return mptctl_do_fw_download(iocp, kfwdl.bufp, kfwdl.fwlen);
+ }
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+@@ -784,11 +777,10 @@ mptctl_fw_download(unsigned long arg)
+ * -ENOMSG if FW upload returned bad status
+ */
+ static int
+-mptctl_do_fw_download(int ioc, char __user *ufwbuf, size_t fwlen)
++mptctl_do_fw_download(MPT_ADAPTER *iocp, char __user *ufwbuf, size_t fwlen)
+ {
+ FWDownload_t *dlmsg;
+ MPT_FRAME_HDR *mf;
+- MPT_ADAPTER *iocp;
+ FWDownloadTCSGE_t *ptsge;
+ MptSge_t *sgl, *sgIn;
+ char *sgOut;
+@@ -808,17 +800,10 @@ mptctl_do_fw_download(int ioc, char __us
+ pFWDownloadReply_t ReplyMsg = NULL;
+ unsigned long timeleft;
+
+- if (mpt_verify_adapter(ioc, &iocp) < 0) {
+- printk(KERN_DEBUG MYNAM "ioctl_fwdl - ioc%d not found!\n",
+- ioc);
+- return -ENODEV; /* (-6) No such device or address */
+- } else {
+-
+- /* Valid device. Get a message frame and construct the FW download message.
+- */
+- if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
+- return -EAGAIN;
+- }
++ /* Valid device. Get a message frame and construct the FW download message.
++ */
++ if ((mf = mpt_get_msg_frame(mptctl_id, iocp)) == NULL)
++ return -EAGAIN;
+
+ dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT
+ "mptctl_do_fwdl called. mptctl_id = %xh.\n", iocp->name, mptctl_id));
+@@ -826,8 +811,6 @@ mptctl_do_fw_download(int ioc, char __us
+ iocp->name, ufwbuf));
+ dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.fwlen = %d\n",
+ iocp->name, (int)fwlen));
+- dctlprintk(iocp, printk(MYIOC_s_DEBUG_FMT "DbG: kfwdl.ioc = %04xh\n",
+- iocp->name, ioc));
+
+ dlmsg = (FWDownload_t*) mf;
+ ptsge = (FWDownloadTCSGE_t *) &dlmsg->SGL;
+@@ -1234,13 +1217,11 @@ kfree_sgl(MptSge_t *sgl, dma_addr_t sgl_
+ * -ENODEV if no such device/adapter
+ */
+ static int
+-mptctl_getiocinfo (unsigned long arg, unsigned int data_size)
++mptctl_getiocinfo (MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
+ {
+ struct mpt_ioctl_iocinfo __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_iocinfo *karg;
+- MPT_ADAPTER *ioc;
+ struct pci_dev *pdev;
+- int iocnum;
+ unsigned int port;
+ int cim_rev;
+ struct scsi_device *sdev;
+@@ -1276,14 +1257,6 @@ mptctl_getiocinfo (unsigned long arg, un
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg->hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_getiocinfo() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- kfree(karg);
+- return -ENODEV;
+- }
+-
+ /* Verify the data transfer size is correct. */
+ if (karg->hdr.maxDataSize != data_size) {
+ printk(MYIOC_s_ERR_FMT "%s@%d::mptctl_getiocinfo - "
+@@ -1389,15 +1362,13 @@ mptctl_getiocinfo (unsigned long arg, un
+ * -ENODEV if no such device/adapter
+ */
+ static int
+-mptctl_gettargetinfo (unsigned long arg)
++mptctl_gettargetinfo (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_targetinfo __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_targetinfo karg;
+- MPT_ADAPTER *ioc;
+ VirtDevice *vdevice;
+ char *pmem;
+ int *pdata;
+- int iocnum;
+ int numDevices = 0;
+ int lun;
+ int maxWordsLeft;
+@@ -1412,13 +1383,6 @@ mptctl_gettargetinfo (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_gettargetinfo() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_gettargetinfo called.\n",
+ ioc->name));
+ /* Get the port number and set the maximum number of bytes
+@@ -1514,12 +1478,10 @@ mptctl_gettargetinfo (unsigned long arg)
+ * -ENODEV if no such device/adapter
+ */
+ static int
+-mptctl_readtest (unsigned long arg)
++mptctl_readtest (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_test __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_test karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+
+ if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_test))) {
+ printk(KERN_ERR MYNAM "%s@%d::mptctl_readtest - "
+@@ -1528,13 +1490,6 @@ mptctl_readtest (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_readtest() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_readtest called.\n",
+ ioc->name));
+ /* Fill in the data and return the structure to the calling
+@@ -1575,12 +1530,10 @@ mptctl_readtest (unsigned long arg)
+ * -ENODEV if no such device/adapter
+ */
+ static int
+-mptctl_eventquery (unsigned long arg)
++mptctl_eventquery (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_eventquery __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_eventquery karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+
+ if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventquery))) {
+ printk(KERN_ERR MYNAM "%s@%d::mptctl_eventquery - "
+@@ -1589,13 +1542,6 @@ mptctl_eventquery (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_eventquery() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventquery called.\n",
+ ioc->name));
+ karg.eventEntries = MPTCTL_EVENT_LOG_SIZE;
+@@ -1614,12 +1560,10 @@ mptctl_eventquery (unsigned long arg)
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ static int
+-mptctl_eventenable (unsigned long arg)
++mptctl_eventenable (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_eventenable __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_eventenable karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+
+ if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventenable))) {
+ printk(KERN_ERR MYNAM "%s@%d::mptctl_eventenable - "
+@@ -1628,13 +1572,6 @@ mptctl_eventenable (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_eventenable() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventenable called.\n",
+ ioc->name));
+ if (ioc->events == NULL) {
+@@ -1662,12 +1599,10 @@ mptctl_eventenable (unsigned long arg)
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ static int
+-mptctl_eventreport (unsigned long arg)
++mptctl_eventreport (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_eventreport __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_eventreport karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+ int numBytes, maxEvents, max;
+
+ if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_eventreport))) {
+@@ -1677,12 +1612,6 @@ mptctl_eventreport (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_eventreport() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_eventreport called.\n",
+ ioc->name));
+
+@@ -1716,12 +1645,10 @@ mptctl_eventreport (unsigned long arg)
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ static int
+-mptctl_replace_fw (unsigned long arg)
++mptctl_replace_fw (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_replace_fw __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_replace_fw karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+ int newFwSize;
+
+ if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_replace_fw))) {
+@@ -1731,13 +1658,6 @@ mptctl_replace_fw (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_replace_fw() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_replace_fw called.\n",
+ ioc->name));
+ /* If caching FW, Free the old FW image
+@@ -1789,12 +1709,10 @@ mptctl_replace_fw (unsigned long arg)
+ * -ENOMEM if memory allocation error
+ */
+ static int
+-mptctl_mpt_command (unsigned long arg)
++mptctl_mpt_command (MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ struct mpt_ioctl_command __user *uarg = (void __user *) arg;
+ struct mpt_ioctl_command karg;
+- MPT_ADAPTER *ioc;
+- int iocnum;
+ int rc;
+
+
+@@ -1805,14 +1723,7 @@ mptctl_mpt_command (unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_mpt_command() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+- rc = mptctl_do_mpt_command (karg, &uarg->MF);
++ rc = mptctl_do_mpt_command (ioc, karg, &uarg->MF);
+
+ return rc;
+ }
+@@ -1830,9 +1741,8 @@ mptctl_mpt_command (unsigned long arg)
+ * -EPERM if SCSI I/O and target is untagged
+ */
+ static int
+-mptctl_do_mpt_command (struct mpt_ioctl_command karg, void __user *mfPtr)
++mptctl_do_mpt_command (MPT_ADAPTER *ioc, struct mpt_ioctl_command karg, void __user *mfPtr)
+ {
+- MPT_ADAPTER *ioc;
+ MPT_FRAME_HDR *mf = NULL;
+ MPIHeader_t *hdr;
+ char *psge;
+@@ -1841,7 +1751,7 @@ mptctl_do_mpt_command (struct mpt_ioctl_
+ dma_addr_t dma_addr_in;
+ dma_addr_t dma_addr_out;
+ int sgSize = 0; /* Num SG elements */
+- int iocnum, flagsLength;
++ int flagsLength;
+ int sz, rc = 0;
+ int msgContext;
+ u16 req_idx;
+@@ -1856,13 +1766,6 @@ mptctl_do_mpt_command (struct mpt_ioctl_
+ bufIn.kptr = bufOut.kptr = NULL;
+ bufIn.len = bufOut.len = 0;
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_do_mpt_command() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+-
+ spin_lock_irqsave(&ioc->taskmgmt_lock, flags);
+ if (ioc->ioc_reset_in_progress) {
+ spin_unlock_irqrestore(&ioc->taskmgmt_lock, flags);
+@@ -2418,17 +2321,15 @@ done_free_mem:
+ * -ENOMEM if memory allocation error
+ */
+ static int
+-mptctl_hp_hostinfo(unsigned long arg, unsigned int data_size)
++mptctl_hp_hostinfo(MPT_ADAPTER *ioc, unsigned long arg, unsigned int data_size)
+ {
+ hp_host_info_t __user *uarg = (void __user *) arg;
+- MPT_ADAPTER *ioc;
+ struct pci_dev *pdev;
+ char *pbuf=NULL;
+ dma_addr_t buf_dma;
+ hp_host_info_t karg;
+ CONFIGPARMS cfg;
+ ConfigPageHeader_t hdr;
+- int iocnum;
+ int rc, cim_rev;
+ ToolboxIstwiReadWriteRequest_t *IstwiRWRequest;
+ MPT_FRAME_HDR *mf = NULL;
+@@ -2452,12 +2353,6 @@ mptctl_hp_hostinfo(unsigned long arg, un
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_hp_hostinfo() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT ": mptctl_hp_hostinfo called.\n",
+ ioc->name));
+
+@@ -2670,15 +2565,13 @@ retry_wait:
+ * -ENOMEM if memory allocation error
+ */
+ static int
+-mptctl_hp_targetinfo(unsigned long arg)
++mptctl_hp_targetinfo(MPT_ADAPTER *ioc, unsigned long arg)
+ {
+ hp_target_info_t __user *uarg = (void __user *) arg;
+ SCSIDevicePage0_t *pg0_alloc;
+ SCSIDevicePage3_t *pg3_alloc;
+- MPT_ADAPTER *ioc;
+ MPT_SCSI_HOST *hd = NULL;
+ hp_target_info_t karg;
+- int iocnum;
+ int data_sz;
+ dma_addr_t page_dma;
+ CONFIGPARMS cfg;
+@@ -2692,12 +2585,6 @@ mptctl_hp_targetinfo(unsigned long arg)
+ return -EFAULT;
+ }
+
+- if (((iocnum = mpt_verify_adapter(karg.hdr.iocnum, &ioc)) < 0) ||
+- (ioc == NULL)) {
+- printk(KERN_DEBUG MYNAM "%s::mptctl_hp_targetinfo() @%d - ioc%d not found!\n",
+- __FILE__, __LINE__, iocnum);
+- return -ENODEV;
+- }
+ if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
+ return -EINVAL;
+ dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
+@@ -2865,7 +2752,7 @@ compat_mptfwxfer_ioctl(struct file *filp
+ kfw.fwlen = kfw32.fwlen;
+ kfw.bufp = compat_ptr(kfw32.bufp);
+
+- ret = mptctl_do_fw_download(kfw.iocnum, kfw.bufp, kfw.fwlen);
++ ret = mptctl_do_fw_download(iocp, kfw.bufp, kfw.fwlen);
+
+ mutex_unlock(&iocp->ioctl_cmds.mutex);
+
+@@ -2919,7 +2806,7 @@ compat_mpt_command(struct file *filp, un
+
+ /* Pass new structure to do_mpt_command
+ */
+- ret = mptctl_do_mpt_command (karg, &uarg->MF);
++ ret = mptctl_do_mpt_command (iocp, karg, &uarg->MF);
+
+ mutex_unlock(&iocp->ioctl_cmds.mutex);
+ |
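Review bot: The handlers now dereference the caller-supplied `iocp`/`ioc` with no check of their own (for example `dctlprintk(iocp, ...)` in mptctl_do_reset and `spin_lock_irqsave(&ioc->taskmgmt_lock, flags)` in mptctl_do_mpt_command), so their safety rests entirely on the lookup and locking done in __mptctl_ioctl and the compat entry points, whose bodies lie mostly outside these hunks. That precondition deserves a comment above the prototype block, e.g. `/* iocp is resolved and validated once by the ioctl entry point; handlers must not look it up again from the user-supplied hdr.iocnum */`. Each handler still copies the whole request from user memory, so the `hdr.iocnum` in its kernel copy is unverified and may no longer name the adapter being operated on; any remaining reader of that field (none is visible here, to be confirmed in the full file) should take the adapter from `iocp` instead. The `-ENODEV if no such device/adapter` lines in the function header comments and the `/* Valid device.` comment kept in mptctl_do_fw_download describe the check this patch removes and look stale.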