aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Vandrovec <petr@vandrovec.name>2007-05-14 01:14:44 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2007-05-27 17:21:00 -0400
commit976da96a5d4fe84bd292b950e566325dc3e5904e (patch)
treece6f96ec99f8e2e138d2239fb2ac857c29de2b28
parentef50a6c59dc66f22eba67704e291d709f21e0456 (diff)
ieee1394: raw1394: Fix async send
While playing with libiec61883 I've noticed that async_send is broken because it was doing copy_from_user(...., packet->data_size) before packet->data_size was set to any useful value. It got broken when packet->allocated_data_size got introduced, as hpsb_alloc_packet does not set packet->data_size anymore. (Regression in 2.6.22-rc1) Signed-off-by: Petr Vandrovec <petr@vandrovec.name> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-rw-r--r--drivers/ieee1394/raw1394.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/ieee1394/raw1394.c b/drivers/ieee1394/raw1394.c
index d382500f4210..f1d05eeb9f51 100644
--- a/drivers/ieee1394/raw1394.c
+++ b/drivers/ieee1394/raw1394.c
@@ -936,6 +936,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
936 struct hpsb_packet *packet; 936 struct hpsb_packet *packet;
937 int header_length = req->req.misc & 0xffff; 937 int header_length = req->req.misc & 0xffff;
938 int expect_response = req->req.misc >> 16; 938 int expect_response = req->req.misc >> 16;
939 size_t data_size;
939 940
940 if (header_length > req->req.length || header_length < 12 || 941 if (header_length > req->req.length || header_length < 12 ||
941 header_length > FIELD_SIZEOF(struct hpsb_packet, header)) { 942 header_length > FIELD_SIZEOF(struct hpsb_packet, header)) {
@@ -945,7 +946,8 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
945 return sizeof(struct raw1394_request); 946 return sizeof(struct raw1394_request);
946 } 947 }
947 948
948 packet = hpsb_alloc_packet(req->req.length - header_length); 949 data_size = req->req.length - header_length;
950 packet = hpsb_alloc_packet(data_size);
949 req->packet = packet; 951 req->packet = packet;
950 if (!packet) 952 if (!packet)
951 return -ENOMEM; 953 return -ENOMEM;
@@ -960,7 +962,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
960 962
961 if (copy_from_user 963 if (copy_from_user
962 (packet->data, int2ptr(req->req.sendb) + header_length, 964 (packet->data, int2ptr(req->req.sendb) + header_length,
963 packet->data_size)) { 965 data_size)) {
964 req->req.error = RAW1394_ERROR_MEMFAULT; 966 req->req.error = RAW1394_ERROR_MEMFAULT;
965 req->req.length = 0; 967 req->req.length = 0;
966 queue_complete_req(req); 968 queue_complete_req(req);
@@ -974,7 +976,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
974 packet->host = fi->host; 976 packet->host = fi->host;
975 packet->expect_response = expect_response; 977 packet->expect_response = expect_response;
976 packet->header_size = header_length; 978 packet->header_size = header_length;
977 packet->data_size = req->req.length - header_length; 979 packet->data_size = data_size;
978 980
979 req->req.length = 0; 981 req->req.length = 0;
980 hpsb_set_packet_complete_task(packet, 982 hpsb_set_packet_complete_task(packet,