1 files changed, 36 insertions, 14 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index e6d63849e78e..4eeaed57e219 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -35,6 +35,7 @@
 #include <linux/preempt.h>
 #include <linux/sched.h>
 #include <linux/spinlock.h>
+#include <linux/string.h>
 #include <linux/time.h>
 #include <linux/uaccess.h>
 #include <linux/vmalloc.h>
@@ -595,13 +596,20 @@ static int ioctl_send_request(struct client *client, void *buffer)
                            client->device->max_speed);
 }
+static inline bool is_fcp_request(struct fw_request *request)
+{
+        return request == NULL;
+}
 static void release_request(struct client *client,
                            struct client_resource *resource)
 {
        struct inbound_transaction_resource *r = container_of(resource,
                        struct inbound_transaction_resource, resource);
-        if (r->request)
+        if (is_fcp_request(r->request))
+                kfree(r->data);
+        else
                fw_send_response(client->device->card, r->request,
                                 RCODE_CONFLICT_ERROR);
        kfree(r);
@@ -616,6 +624,7 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        struct address_handler_resource *handler = callback_data;
        struct inbound_transaction_resource *r;
        struct inbound_transaction_event *e;
+        void *fcp_frame = NULL;
        int ret;
        r = kmalloc(sizeof(*r), GFP_ATOMIC);
@@ -627,6 +636,18 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        r->data    = payload;
        r->length  = length;
+        if (is_fcp_request(request)) {
+                /*
+                 * FIXME: Let core-transaction.c manage a
+                 * single reference-counted copy?
+                 */
+                fcp_frame = kmemdup(payload, length, GFP_ATOMIC);
+                if (fcp_frame == NULL)
+                        goto failed;
+                r->data = fcp_frame;
+        }
        r->resource.release = release_request;
        ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);
        if (ret < 0)
@@ -640,13 +661,15 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        e->request.closure = handler->closure;
        queue_event(handler->client, &e->event,
-                    &e->request, sizeof(e->request), payload, length);
+                    &e->request, sizeof(e->request), r->data, length);
        return;
 failed:
        kfree(r);
        kfree(e);
-        if (request)
+        kfree(fcp_frame);
+        if (!is_fcp_request(request))
                fw_send_response(card, request, RCODE_CONFLICT_ERROR);
 }
@@ -717,18 +740,17 @@ static int ioctl_send_response(struct client *client, void *buffer)
        r = container_of(resource, struct inbound_transaction_resource,
                         resource);
-        if (r->request) {
+        if (is_fcp_request(r->request))
-                if (request->length < r->length)
+                goto out;
-                        r->length = request->length;
-                if (copy_from_user(r->data, u64_to_uptr(request->data),
+        if (request->length < r->length)
-                                   r->length)) {
+                r->length = request->length;
-                        ret = -EFAULT;
+        if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
-                        kfree(r->request);
+                ret = -EFAULT;
-                        goto out;
+                kfree(r->request);
-                }
+                goto out;
-                fw_send_response(client->device->card, r->request,
-                                 request->rcode);
        }
+        fw_send_response(client->device->card, r->request, request->rcode);
 out:
        kfree(r);

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index e6d63849e78e..4eeaed57e219 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c
@@ -35,6 +35,7 @@
35	#include <linux/preempt.h>	35	#include <linux/preempt.h>
36	#include <linux/sched.h>	36	#include <linux/sched.h>
37	#include <linux/spinlock.h>	37	#include <linux/spinlock.h>
		38	#include <linux/string.h>
38	#include <linux/time.h>	39	#include <linux/time.h>
39	#include <linux/uaccess.h>	40	#include <linux/uaccess.h>
40	#include <linux/vmalloc.h>	41	#include <linux/vmalloc.h>
@@ -595,13 +596,20 @@ static int ioctl_send_request(struct client client, void buffer)
595	client->device->max_speed);	596	client->device->max_speed);
596	}	597	}
597		598
		599	static inline bool is_fcp_request(struct fw_request *request)
		600	{
		601	return request == NULL;
		602	}
		603
598	static void release_request(struct client *client,	604	static void release_request(struct client *client,
599	struct client_resource *resource)	605	struct client_resource *resource)
600	{	606	{
601	struct inbound_transaction_resource *r = container_of(resource,	607	struct inbound_transaction_resource *r = container_of(resource,
602	struct inbound_transaction_resource, resource);	608	struct inbound_transaction_resource, resource);
603		609
604	if (r->request)	610	if (is_fcp_request(r->request))
		611	kfree(r->data);
		612	else
605	fw_send_response(client->device->card, r->request,	613	fw_send_response(client->device->card, r->request,
606	RCODE_CONFLICT_ERROR);	614	RCODE_CONFLICT_ERROR);
607	kfree(r);	615	kfree(r);
@@ -616,6 +624,7 @@ static void handle_request(struct fw_card card, struct fw_request request,
616	struct address_handler_resource *handler = callback_data;	624	struct address_handler_resource *handler = callback_data;
617	struct inbound_transaction_resource *r;	625	struct inbound_transaction_resource *r;
618	struct inbound_transaction_event *e;	626	struct inbound_transaction_event *e;
		627	void *fcp_frame = NULL;
619	int ret;	628	int ret;
620		629
621	r = kmalloc(sizeof(*r), GFP_ATOMIC);	630	r = kmalloc(sizeof(*r), GFP_ATOMIC);
@@ -627,6 +636,18 @@ static void handle_request(struct fw_card card, struct fw_request request,
627	r->data = payload;	636	r->data = payload;
628	r->length = length;	637	r->length = length;
629		638
		639	if (is_fcp_request(request)) {
		640	/*
		641	* FIXME: Let core-transaction.c manage a
		642	* single reference-counted copy?
		643	*/
		644	fcp_frame = kmemdup(payload, length, GFP_ATOMIC);
		645	if (fcp_frame == NULL)
		646	goto failed;
		647
		648	r->data = fcp_frame;
		649	}
		650
630	r->resource.release = release_request;	651	r->resource.release = release_request;
631	ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);	652	ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);
632	if (ret < 0)	653	if (ret < 0)
@@ -640,13 +661,15 @@ static void handle_request(struct fw_card card, struct fw_request request,
640	e->request.closure = handler->closure;	661	e->request.closure = handler->closure;
641		662
642	queue_event(handler->client, &e->event,	663	queue_event(handler->client, &e->event,
643	&e->request, sizeof(e->request), payload, length);	664	&e->request, sizeof(e->request), r->data, length);
644	return;	665	return;
645		666
646	failed:	667	failed:
647	kfree(r);	668	kfree(r);
648	kfree(e);	669	kfree(e);
649	if (request)	670	kfree(fcp_frame);
		671
		672	if (!is_fcp_request(request))
650	fw_send_response(card, request, RCODE_CONFLICT_ERROR);	673	fw_send_response(card, request, RCODE_CONFLICT_ERROR);
651	}	674	}
652		675
@@ -717,18 +740,17 @@ static int ioctl_send_response(struct client client, void buffer)
717		740
718	r = container_of(resource, struct inbound_transaction_resource,	741	r = container_of(resource, struct inbound_transaction_resource,
719	resource);	742	resource);
720	if (r->request) {	743	if (is_fcp_request(r->request))
721	if (request->length < r->length)	744	goto out;
722	r->length = request->length;	745
723	if (copy_from_user(r->data, u64_to_uptr(request->data),	746	if (request->length < r->length)
724	r->length)) {	747	r->length = request->length;
725	ret = -EFAULT;	748	if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
726	kfree(r->request);	749	ret = -EFAULT;
727	goto out;	750	kfree(r->request);
728	}	751	goto out;
729	fw_send_response(client->device->card, r->request,
730	request->rcode);
731	}	752	}
		753	fw_send_response(client->device->card, r->request, request->rcode);
732	out:	754	out:
733	kfree(r);	755	kfree(r);
734		756