1 files changed, 25 insertions, 2 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 75bbd66f852..a320ab48edd 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -398,6 +398,7 @@ static int ioctl_send_request(struct client *client, void *buffer)
        struct fw_device *device = client->device;
        struct fw_cdev_send_request *request = buffer;
        struct response *response;
+        int ret;
        /* What is the biggest size we'll accept, really? */
        if (request->length > 4096)
@@ -414,8 +415,26 @@ static int ioctl_send_request(struct client *client, void *buffer)
        if (request->data &&
            copy_from_user(response->response.data,
                           u64_to_uptr(request->data), request->length)) {
-                kfree(response);
+                ret = -EFAULT;
-                return -EFAULT;
+                goto err;
+        }
+        switch (request->tcode) {
+        case TCODE_WRITE_QUADLET_REQUEST:
+        case TCODE_WRITE_BLOCK_REQUEST:
+        case TCODE_READ_QUADLET_REQUEST:
+        case TCODE_READ_BLOCK_REQUEST:
+        case TCODE_LOCK_MASK_SWAP:
+        case TCODE_LOCK_COMPARE_SWAP:
+        case TCODE_LOCK_FETCH_ADD:
+        case TCODE_LOCK_LITTLE_ADD:
+        case TCODE_LOCK_BOUNDED_ADD:
+        case TCODE_LOCK_WRAP_ADD:
+        case TCODE_LOCK_VENDOR_DEPENDENT:
+                break;
+        default:
+                ret = -EINVAL;
+                goto err;
        }
        response->resource.release = release_transaction;
@@ -434,6 +453,10 @@ static int ioctl_send_request(struct client *client, void *buffer)
                return sizeof(request) + request->length;
        else
                return sizeof(request);
+ err:
+        kfree(response);
+        return ret;
 }
 struct address_handler {

diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 75bbd66f852..a320ab48edd 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c
@@ -398,6 +398,7 @@ static int ioctl_send_request(struct client client, void buffer)
398	struct fw_device *device = client->device;	398	struct fw_device *device = client->device;
399	struct fw_cdev_send_request *request = buffer;	399	struct fw_cdev_send_request *request = buffer;
400	struct response *response;	400	struct response *response;
		401	int ret;
401		402
402	/* What is the biggest size we'll accept, really? */	403	/* What is the biggest size we'll accept, really? */
403	if (request->length > 4096)	404	if (request->length > 4096)
@@ -414,8 +415,26 @@ static int ioctl_send_request(struct client client, void buffer)
414	if (request->data &&	415	if (request->data &&
415	copy_from_user(response->response.data,	416	copy_from_user(response->response.data,
416	u64_to_uptr(request->data), request->length)) {	417	u64_to_uptr(request->data), request->length)) {
417	kfree(response);	418	ret = -EFAULT;
418	return -EFAULT;	419	goto err;
		420	}
		421
		422	switch (request->tcode) {
		423	case TCODE_WRITE_QUADLET_REQUEST:
		424	case TCODE_WRITE_BLOCK_REQUEST:
		425	case TCODE_READ_QUADLET_REQUEST:
		426	case TCODE_READ_BLOCK_REQUEST:
		427	case TCODE_LOCK_MASK_SWAP:
		428	case TCODE_LOCK_COMPARE_SWAP:
		429	case TCODE_LOCK_FETCH_ADD:
		430	case TCODE_LOCK_LITTLE_ADD:
		431	case TCODE_LOCK_BOUNDED_ADD:
		432	case TCODE_LOCK_WRAP_ADD:
		433	case TCODE_LOCK_VENDOR_DEPENDENT:
		434	break;
		435	default:
		436	ret = -EINVAL;
		437	goto err;
419	}	438	}
420		439
421	response->resource.release = release_transaction;	440	response->resource.release = release_transaction;
@@ -434,6 +453,10 @@ static int ioctl_send_request(struct client client, void buffer)
434	return sizeof(request) + request->length;	453	return sizeof(request) + request->length;
435	else	454	else
436	return sizeof(request);	455	return sizeof(request);
		456	err:
		457	kfree(response);
		458
		459	return ret;
437	}	460	}
438		461
439	struct address_handler {	462	struct address_handler {