diff options
| author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2008-12-14 13:21:01 -0500 |
|---|---|---|
| committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2009-03-24 15:56:38 -0400 |
| commit | 3e0b5f0d7cb5fef402517e41eebff5a0f0e65a13 (patch) | |
| tree | b712284afebff56dd2e104242f4e6665aaf6c8e4 /drivers | |
| parent | 45ee3199eb3e4233b755a9bb353a0527a4c58b5f (diff) | |
firewire: cdev: address handler input validation
Like before my commit 1415d9189e8c59aa9c77a3bba419dcea062c145f,
fw_core_add_address_handler() does not align the address region now.
Instead the caller is required to pass valid parameters.
Since one of the callers of fw_core_add_address_handler() is the cdev
userspace interface, we now check for valid input. If the client is
buggy, we give it a hint with -EINVAL.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/firewire/fw-cdev.c | 5 | ||||
| -rw-r--r-- | drivers/firewire/fw-transaction.c | 27 |
2 files changed, 21 insertions, 11 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 094aee5c8bcf..44af45205dcd 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c | |||
| @@ -591,9 +591,10 @@ static int ioctl_allocate(struct client *client, void *buffer) | |||
| 591 | handler->closure = request->closure; | 591 | handler->closure = request->closure; |
| 592 | handler->client = client; | 592 | handler->client = client; |
| 593 | 593 | ||
| 594 | if (fw_core_add_address_handler(&handler->handler, ®ion) < 0) { | 594 | ret = fw_core_add_address_handler(&handler->handler, ®ion); |
| 595 | if (ret < 0) { | ||
| 595 | kfree(handler); | 596 | kfree(handler); |
| 596 | return -EBUSY; | 597 | return ret; |
| 597 | } | 598 | } |
| 598 | 599 | ||
| 599 | handler->resource.release = release_address_handler; | 600 | handler->resource.release = release_address_handler; |
diff --git a/drivers/firewire/fw-transaction.c b/drivers/firewire/fw-transaction.c index 699ac041f39a..12a6cdcb4475 100644 --- a/drivers/firewire/fw-transaction.c +++ b/drivers/firewire/fw-transaction.c | |||
| @@ -449,16 +449,19 @@ const struct fw_address_region fw_unit_space_region = | |||
| 449 | #endif /* 0 */ | 449 | #endif /* 0 */ |
| 450 | 450 | ||
| 451 | /** | 451 | /** |
| 452 | * Allocate a range of addresses in the node space of the OHCI | 452 | * fw_core_add_address_handler - register for incoming requests |
| 453 | * controller. When a request is received that falls within the | 453 | * @handler: callback |
| 454 | * specified address range, the specified callback is invoked. The | 454 | * @region: region in the IEEE 1212 node space address range |
| 455 | * parameters passed to the callback give the details of the | 455 | * |
| 456 | * particular request. | 456 | * region->start, ->end, and handler->length have to be quadlet-aligned. |
| 457 | * | ||
| 458 | * When a request is received that falls within the specified address range, | ||
| 459 | * the specified callback is invoked. The parameters passed to the callback | ||
| 460 | * give the details of the particular request. | ||
| 457 | * | 461 | * |
| 458 | * Return value: 0 on success, non-zero otherwise. | 462 | * Return value: 0 on success, non-zero otherwise. |
| 459 | * The start offset of the handler's address region is determined by | 463 | * The start offset of the handler's address region is determined by |
| 460 | * fw_core_add_address_handler() and is returned in handler->offset. | 464 | * fw_core_add_address_handler() and is returned in handler->offset. |
| 461 | * The offset is quadlet-aligned. | ||
| 462 | */ | 465 | */ |
| 463 | int | 466 | int |
| 464 | fw_core_add_address_handler(struct fw_address_handler *handler, | 467 | fw_core_add_address_handler(struct fw_address_handler *handler, |
| @@ -468,17 +471,23 @@ fw_core_add_address_handler(struct fw_address_handler *handler, | |||
| 468 | unsigned long flags; | 471 | unsigned long flags; |
| 469 | int ret = -EBUSY; | 472 | int ret = -EBUSY; |
| 470 | 473 | ||
| 474 | if (region->start & 0xffff000000000003ULL || | ||
| 475 | region->end & 0xffff000000000003ULL || | ||
| 476 | region->start >= region->end || | ||
| 477 | handler->length & 3 || | ||
| 478 | handler->length == 0) | ||
| 479 | return -EINVAL; | ||
| 480 | |||
| 471 | spin_lock_irqsave(&address_handler_lock, flags); | 481 | spin_lock_irqsave(&address_handler_lock, flags); |
| 472 | 482 | ||
| 473 | handler->offset = roundup(region->start, 4); | 483 | handler->offset = region->start; |
| 474 | while (handler->offset + handler->length <= region->end) { | 484 | while (handler->offset + handler->length <= region->end) { |
| 475 | other = | 485 | other = |
| 476 | lookup_overlapping_address_handler(&address_handler_list, | 486 | lookup_overlapping_address_handler(&address_handler_list, |
| 477 | handler->offset, | 487 | handler->offset, |
| 478 | handler->length); | 488 | handler->length); |
| 479 | if (other != NULL) { | 489 | if (other != NULL) { |
| 480 | handler->offset = | 490 | handler->offset += other->length; |
| 481 | roundup(other->offset + other->length, 4); | ||
| 482 | } else { | 491 | } else { |
| 483 | list_add_tail(&handler->link, &address_handler_list); | 492 | list_add_tail(&handler->link, &address_handler_list); |
| 484 | ret = 0; | 493 | ret = 0; |