[PATCH] sparse: bluetooth annotation

drivers/bluetooth/hci_ldisc.c

@@ -498,11 +498,11 @@ static int hci_uart_tty_ioctl(struct tty_struct *tty, struct file * file,
 /*
  * We don't provide read/write/poll interface for user space.
  */
-static ssize_t hci_uart_tty_read(struct tty_struct *tty, struct file *file, unsigned char *buf, size_t nr)
+static ssize_t hci_uart_tty_read(struct tty_struct *tty, struct file *file, unsigned char __user *buf, size_t nr)
 {
 	return 0;
 }
-static ssize_t hci_uart_tty_write(struct tty_struct *tty, struct file *file, const unsigned char *data, size_t count)
+static ssize_t hci_uart_tty_write(struct tty_struct *tty, struct file *file, const unsigned char __user *data, size_t count)
 {
 	return 0;
 }

drivers/bluetooth/hci_vhci.c

@@ -127,7 +127,7 @@ static unsigned int hci_vhci_chr_poll(struct file *file, poll_table * wait)
 }
 
 /* Get packet from user space buffer(already verified) */
-static inline ssize_t hci_vhci_get_user(struct hci_vhci_struct *hci_vhci, const char *buf, size_t count)
+static inline ssize_t hci_vhci_get_user(struct hci_vhci_struct *hci_vhci, const char __user *buf, size_t count)
 {
 	struct sk_buff *skb;
 
@@ -152,7 +152,7 @@ static inline ssize_t hci_vhci_get_user(struct hci_vhci_struct *hci_vhci, const
 } 
 
 /* Write */
-static ssize_t hci_vhci_chr_write(struct file * file, const char * buf, 
+static ssize_t hci_vhci_chr_write(struct file * file, const char __user * buf, 
 			     size_t count, loff_t *pos)
 {
 	struct hci_vhci_struct *hci_vhci = (struct hci_vhci_struct *) file->private_data;
@@ -165,10 +165,11 @@ static ssize_t hci_vhci_chr_write(struct file * file, const char * buf,
 
 /* Put packet to user space buffer(already verified) */
 static inline ssize_t hci_vhci_put_user(struct hci_vhci_struct *hci_vhci,
-				       struct sk_buff *skb, char *buf, int count)
+				       struct sk_buff *skb, char __user *buf,
+				       int count)
 {
 	int len = count, total = 0;
-	char *ptr = buf;
+	char __user *ptr = buf;
 
 	len = min_t(unsigned int, skb->len, len);
 	if (copy_to_user(ptr, skb->data, len))
@@ -194,7 +195,7 @@ static inline ssize_t hci_vhci_put_user(struct hci_vhci_struct *hci_vhci,
 }
 
 /* Read */
-static ssize_t hci_vhci_chr_read(struct file * file, char * buf, size_t count, loff_t *pos)
+static ssize_t hci_vhci_chr_read(struct file * file, char __user * buf, size_t count, loff_t *pos)
 {
 	struct hci_vhci_struct *hci_vhci = (struct hci_vhci_struct *) file->private_data;
 	DECLARE_WAITQUEUE(wait, current);

include/net/bluetooth/hci_core.h

@@ -358,12 +358,12 @@ int hci_dev_open(__u16 dev);
 int hci_dev_close(__u16 dev);
 int hci_dev_reset(__u16 dev);
 int hci_dev_reset_stat(__u16 dev);
-int hci_dev_cmd(unsigned int cmd, unsigned long arg);
-int hci_get_dev_list(unsigned long arg);
-int hci_get_dev_info(unsigned long arg);
-int hci_get_conn_list(unsigned long arg);
-int hci_get_conn_info(struct hci_dev *hdev, unsigned long arg);
-int hci_inquiry(unsigned long arg);
+int hci_dev_cmd(unsigned int cmd, void __user *arg);
+int hci_get_dev_list(void __user *arg);
+int hci_get_dev_info(void __user *arg);
+int hci_get_conn_list(void __user *arg);
+int hci_get_conn_info(struct hci_dev *hdev, void __user *arg);
+int hci_inquiry(void __user *arg);
 
 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb);
 

include/net/bluetooth/rfcomm.h

@@ -348,7 +348,7 @@ struct rfcomm_dev_list_req {
 	struct   rfcomm_dev_info dev_info[0];
 };
 
-int  rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg);
+int  rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg);
 int  rfcomm_init_ttys(void);
 void rfcomm_cleanup_ttys(void);
 

net/bluetooth/bnep/sock.c

@@ -77,6 +77,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 	struct bnep_conndel_req  cd;
 	struct bnep_conninfo ci;
 	struct socket *nsock;
+	void __user *argp = (void __user *)arg;
 	int err;
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
@@ -86,7 +87,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 		if (!capable(CAP_NET_ADMIN))
 			return -EACCES;
 
-		if (copy_from_user(&ca, (void *) arg, sizeof(ca)))
+		if (copy_from_user(&ca, argp, sizeof(ca)))
 			return -EFAULT;
 	
 		nsock = sockfd_lookup(ca.sock, &err);
@@ -100,7 +101,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
-    			if (copy_to_user((void *) arg, &ca, sizeof(ca)))
+    			if (copy_to_user(argp, &ca, sizeof(ca)))
 				err = -EFAULT;
 		} else
 			fput(nsock->file);
@@ -111,30 +112,30 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 		if (!capable(CAP_NET_ADMIN))
 			return -EACCES;
 
-		if (copy_from_user(&cd, (void *) arg, sizeof(cd)))
+		if (copy_from_user(&cd, argp, sizeof(cd)))
 			return -EFAULT;
 	
 		return bnep_del_connection(&cd);
 
 	case BNEPGETCONNLIST:
-		if (copy_from_user(&cl, (void *) arg, sizeof(cl)))
+		if (copy_from_user(&cl, argp, sizeof(cl)))
 			return -EFAULT;
 
 		if (cl.cnum <= 0)
 			return -EINVAL;
 	
 		err = bnep_get_connlist(&cl);
-		if (!err && copy_to_user((void *) arg, &cl, sizeof(cl)))
+		if (!err && copy_to_user(argp, &cl, sizeof(cl)))
 			return -EFAULT;
 
 		return err;
 
 	case BNEPGETCONNINFO:
-		if (copy_from_user(&ci, (void *) arg, sizeof(ci)))
+		if (copy_from_user(&ci, argp, sizeof(ci)))
 			return -EFAULT;
 
 		err = bnep_get_conninfo(&ci);
-		if (!err && copy_to_user((void *) arg, &ci, sizeof(ci)))
+		if (!err && copy_to_user(argp, &ci, sizeof(ci)))
 			return -EFAULT;
 
 		return err;

net/bluetooth/cmtp/cmtp.h

@@ -55,7 +55,7 @@ struct cmtp_conninfo {
 
 struct cmtp_connlist_req {
 	__u32  cnum;
-	struct cmtp_conninfo *ci;
+	struct cmtp_conninfo __user *ci;
 };
 
 int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock);

net/bluetooth/cmtp/sock.c

@@ -71,6 +71,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 	struct cmtp_connlist_req cl;
 	struct cmtp_conninfo ci;
 	struct socket *nsock;
+	void __user *argp = (void __user *)arg;
 	int err;
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
@@ -80,7 +81,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 		if (!capable(CAP_NET_ADMIN))
 			return -EACCES;
 
-		if (copy_from_user(&ca, (void *) arg, sizeof(ca)))
+		if (copy_from_user(&ca, argp, sizeof(ca)))
 			return -EFAULT;
 
 		nsock = sockfd_lookup(ca.sock, &err);
@@ -94,7 +95,7 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 
 		err = cmtp_add_connection(&ca, nsock);
 		if (!err) {
-			if (copy_to_user((void *) arg, &ca, sizeof(ca)))
+			if (copy_to_user(argp, &ca, sizeof(ca)))
 				err = -EFAULT;
 		} else
 			fput(nsock->file);
@@ -105,30 +106,30 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 		if (!capable(CAP_NET_ADMIN))
 			return -EACCES;
 
-		if (copy_from_user(&cd, (void *) arg, sizeof(cd)))
+		if (copy_from_user(&cd, argp, sizeof(cd)))
 			return -EFAULT;
 
 		return cmtp_del_connection(&cd);
 
 	case CMTPGETCONNLIST:
-		if (copy_from_user(&cl, (void *) arg, sizeof(cl)))
+		if (copy_from_user(&cl, argp, sizeof(cl)))
 			return -EFAULT;
 
 		if (cl.cnum <= 0)
 			return -EINVAL;
 
 		err = cmtp_get_connlist(&cl);
-		if (!err && copy_to_user((void *) arg, &cl, sizeof(cl)))
+		if (!err && copy_to_user(argp, &cl, sizeof(cl)))
 			return -EFAULT;
 
 		return err;
 
 	case CMTPGETCONNINFO:
-		if (copy_from_user(&ci, (void *) arg, sizeof(ci)))
+		if (copy_from_user(&ci, argp, sizeof(ci)))
 			return -EFAULT;
 
 		err = cmtp_get_conninfo(&ci);
-		if (!err && copy_to_user((void *) arg, &ci, sizeof(ci)))
+		if (!err && copy_to_user(argp, &ci, sizeof(ci)))
 			return -EFAULT;
 
 		return err;

net/bluetooth/hci_conn.c

@@ -353,7 +353,7 @@ void hci_conn_hash_flush(struct hci_dev *hdev)
 	}
 }
 
-int hci_get_conn_list(unsigned long arg)
+int hci_get_conn_list(void __user *arg)
 {
 	struct hci_conn_list_req req, *cl;
 	struct hci_conn_info *ci;
@@ -361,7 +361,7 @@ int hci_get_conn_list(unsigned long arg)
 	struct list_head *p;
 	int n = 0, size, err;
 
-	if (copy_from_user(&req, (void *) arg, sizeof(req)))
+	if (copy_from_user(&req, arg, sizeof(req)))
 		return -EFAULT;
 
 	if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
@@ -401,20 +401,20 @@ int hci_get_conn_list(unsigned long arg)
 
 	hci_dev_put(hdev);
 
-	err = copy_to_user((void *) arg, cl, size);
+	err = copy_to_user(arg, cl, size);
 	kfree(cl);
 
 	return err ? -EFAULT : 0;
 }
 
-int hci_get_conn_info(struct hci_dev *hdev, unsigned long arg)
+int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
 {
 	struct hci_conn_info_req req;
 	struct hci_conn_info ci;
 	struct hci_conn *conn;
-	char *ptr = (void *) arg + sizeof(req);
+	char __user *ptr = arg + sizeof(req);
 
-	if (copy_from_user(&req, (void *) arg, sizeof(req)))
+	if (copy_from_user(&req, arg, sizeof(req)))
 		return -EFAULT;
 
 	hci_dev_lock_bh(hdev);

net/bluetooth/hci_core.c

@@ -366,15 +366,15 @@ static void hci_inq_req(struct hci_dev *hdev, unsigned long opt)
 	hci_send_cmd(hdev, OGF_LINK_CTL, OCF_INQUIRY, sizeof(cp), &cp);
 }
 
-int hci_inquiry(unsigned long arg)
+int hci_inquiry(void __user *arg)
 {
+	__u8 __user *ptr = arg;
 	struct hci_inquiry_req ir;
 	struct hci_dev *hdev;
 	int err = 0, do_inquiry = 0, max_rsp;
 	long timeo;
-	__u8 *buf, *ptr;
+	__u8 *buf;
 
-	ptr = (void *) arg;
 	if (copy_from_user(&ir, ptr, sizeof(ir)))
 		return -EFAULT;
 
@@ -616,13 +616,13 @@ int hci_dev_reset_stat(__u16 dev)
 	return ret;
 }
 
-int hci_dev_cmd(unsigned int cmd, unsigned long arg)
+int hci_dev_cmd(unsigned int cmd, void __user *arg)
 {
 	struct hci_dev *hdev;
 	struct hci_dev_req dr;
 	int err = 0;
 
-	if (copy_from_user(&dr, (void *) arg, sizeof(dr)))
+	if (copy_from_user(&dr, arg, sizeof(dr)))
 		return -EFAULT;
 
 	if (!(hdev = hci_dev_get(dr.dev_id)))
@@ -685,7 +685,7 @@ int hci_dev_cmd(unsigned int cmd, unsigned long arg)
 	return err;
 }
 
-int hci_get_dev_list(unsigned long arg)
+int hci_get_dev_list(void __user *arg)
 {
 	struct hci_dev_list_req *dl;
 	struct hci_dev_req *dr;
@@ -693,7 +693,7 @@ int hci_get_dev_list(unsigned long arg)
 	int n = 0, size, err;
 	__u16 dev_num;
 
-	if (get_user(dev_num, (__u16 *) arg))
+	if (get_user(dev_num, (__u16 __user *) arg))
 		return -EFAULT;
 
 	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
@@ -720,19 +720,19 @@ int hci_get_dev_list(unsigned long arg)
 	dl->dev_num = n;
 	size = sizeof(*dl) + n * sizeof(*dr);
 
-	err = copy_to_user((void *) arg, dl, size);
+	err = copy_to_user(arg, dl, size);
 	kfree(dl);
 
 	return err ? -EFAULT : 0;
 }
 
-int hci_get_dev_info(unsigned long arg)
+int hci_get_dev_info(void __user *arg)
 {
 	struct hci_dev *hdev;
 	struct hci_dev_info di;
 	int err = 0;
 
-	if (copy_from_user(&di, (void *) arg, sizeof(di)))
+	if (copy_from_user(&di, arg, sizeof(di)))
 		return -EFAULT;
 
 	if (!(hdev = hci_dev_get(di.dev_id)))
@@ -753,7 +753,7 @@ int hci_get_dev_info(unsigned long arg)
 	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
 	memcpy(&di.features, &hdev->features, sizeof(di.features));
 
-	if (copy_to_user((void *) arg, &di, sizeof(di)))
+	if (copy_to_user(arg, &di, sizeof(di)))
 		err = -EFAULT;
 
 	hci_dev_put(hdev);

net/bluetooth/hci_sock.c

@@ -186,7 +186,7 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
 		return 0;
 
 	case HCIGETCONNINFO:
-		return hci_get_conn_info(hdev, arg);
+		return hci_get_conn_info(hdev, (void __user *)arg);
 
 	default:
 		if (hdev->ioctl)
@@ -198,19 +198,20 @@ static inline int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsign
 static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 {
 	struct sock *sk = sock->sk;
+	void __user *argp = (void __user *)arg;
 	int err;
 
 	BT_DBG("cmd %x arg %lx", cmd, arg);
 
 	switch (cmd) {
 	case HCIGETDEVLIST:
-		return hci_get_dev_list(arg);
+		return hci_get_dev_list(argp);
 
 	case HCIGETDEVINFO:
-		return hci_get_dev_info(arg);
+		return hci_get_dev_info(argp);
 
 	case HCIGETCONNLIST:
-		return hci_get_conn_list(arg);
+		return hci_get_conn_list(argp);
 
 	case HCIDEVUP:
 		if (!capable(CAP_NET_ADMIN))
@@ -242,10 +243,10 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long a
 	case HCISETSCOMTU:
 		if (!capable(CAP_NET_ADMIN))
 			return -EACCES;
-		return hci_dev_cmd(cmd, arg);
+		return hci_dev_cmd(cmd, argp);
 
 	case HCIINQUIRY:
-		return hci_inquiry(arg);
+		return hci_inquiry(argp);
 
 	default:
 		lock_sock(sk);

net/bluetooth/rfcomm/sock.c

@@ -707,7 +707,7 @@ static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned lon
 	lock_sock(sk);
 
 #ifdef CONFIG_BT_RFCOMM_TTY
-	err = rfcomm_dev_ioctl(sk, cmd, arg);
+	err = rfcomm_dev_ioctl(sk, cmd, (void __user *)arg);
 #else
 	err = -EOPNOTSUPP;
 #endif

net/bluetooth/rfcomm/tty.c

@@ -302,13 +302,13 @@ static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size
 
 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
 
-static int rfcomm_create_dev(struct sock *sk, unsigned long arg)
+static int rfcomm_create_dev(struct sock *sk, void __user *arg)
 {
 	struct rfcomm_dev_req req;
 	struct rfcomm_dlc *dlc;
 	int id;
 
-	if (copy_from_user(&req, (void *) arg, sizeof(req)))
+	if (copy_from_user(&req, arg, sizeof(req)))
 		return -EFAULT;
 
 	BT_DBG("sk %p dev_id %id flags 0x%x", sk, req.dev_id, req.flags);
@@ -344,12 +344,12 @@ static int rfcomm_create_dev(struct sock *sk, unsigned long arg)
 	return id;
 }
 
-static int rfcomm_release_dev(unsigned long arg)
+static int rfcomm_release_dev(void __user *arg)
 {
 	struct rfcomm_dev_req req;
 	struct rfcomm_dev *dev;
 
-	if (copy_from_user(&req, (void *) arg, sizeof(req)))
+	if (copy_from_user(&req, arg, sizeof(req)))
 		return -EFAULT;
 
 	BT_DBG("dev_id %id flags 0x%x", req.dev_id, req.flags);
@@ -370,7 +370,7 @@ static int rfcomm_release_dev(unsigned long arg)
 	return 0;
 }
 
-static int rfcomm_get_dev_list(unsigned long arg)
+static int rfcomm_get_dev_list(void __user *arg)
 {
 	struct rfcomm_dev_list_req *dl;
 	struct rfcomm_dev_info *di;
@@ -380,7 +380,7 @@ static int rfcomm_get_dev_list(unsigned long arg)
 
 	BT_DBG("");
 
-	if (get_user(dev_num, (u16 *) arg))
+	if (get_user(dev_num, (u16 __user *) arg))
 		return -EFAULT;
 
 	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
@@ -412,13 +412,13 @@ static int rfcomm_get_dev_list(unsigned long arg)
 	dl->dev_num = n;
 	size = sizeof(*dl) + n * sizeof(*di);
 
-	err = copy_to_user((void *) arg, dl, size);
+	err = copy_to_user(arg, dl, size);
 	kfree(dl);
 
 	return err ? -EFAULT : 0;
 }
 
-static int rfcomm_get_dev_info(unsigned long arg)
+static int rfcomm_get_dev_info(void __user *arg)
 {
 	struct rfcomm_dev *dev;
 	struct rfcomm_dev_info di;
@@ -426,7 +426,7 @@ static int rfcomm_get_dev_info(unsigned long arg)
 
 	BT_DBG("");
 
-	if (copy_from_user(&di, (void *)arg, sizeof(di)))
+	if (copy_from_user(&di, arg, sizeof(di)))
 		return -EFAULT;
 
 	if (!(dev = rfcomm_dev_get(di.id)))
@@ -438,16 +438,16 @@ static int rfcomm_get_dev_info(unsigned long arg)
 	bacpy(&di.src, &dev->src);
 	bacpy(&di.dst, &dev->dst);
 
-	if (copy_to_user((void *)arg, &di, sizeof(di)))
+	if (copy_to_user(arg, &di, sizeof(di)))
 		err = -EFAULT;
 
 	rfcomm_dev_put(dev);
 	return err;
 }
 
-int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
+int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
 {
-	BT_DBG("cmd %d arg %ld", cmd, arg);
+	BT_DBG("cmd %d arg %p", cmd, arg);
 
 	switch (cmd) {
 	case RFCOMMCREATEDEV: