diff options
Diffstat (limited to 'drivers/ieee1394')
-rw-r--r-- | drivers/ieee1394/raw1394.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/ieee1394/raw1394.c b/drivers/ieee1394/raw1394.c index d382500f4210..f1d05eeb9f51 100644 --- a/drivers/ieee1394/raw1394.c +++ b/drivers/ieee1394/raw1394.c | |||
@@ -936,6 +936,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) | |||
936 | struct hpsb_packet *packet; | 936 | struct hpsb_packet *packet; |
937 | int header_length = req->req.misc & 0xffff; | 937 | int header_length = req->req.misc & 0xffff; |
938 | int expect_response = req->req.misc >> 16; | 938 | int expect_response = req->req.misc >> 16; |
939 | size_t data_size; | ||
939 | 940 | ||
940 | if (header_length > req->req.length || header_length < 12 || | 941 | if (header_length > req->req.length || header_length < 12 || |
941 | header_length > FIELD_SIZEOF(struct hpsb_packet, header)) { | 942 | header_length > FIELD_SIZEOF(struct hpsb_packet, header)) { |
@@ -945,7 +946,8 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) | |||
945 | return sizeof(struct raw1394_request); | 946 | return sizeof(struct raw1394_request); |
946 | } | 947 | } |
947 | 948 | ||
948 | packet = hpsb_alloc_packet(req->req.length - header_length); | 949 | data_size = req->req.length - header_length; |
950 | packet = hpsb_alloc_packet(data_size); | ||
949 | req->packet = packet; | 951 | req->packet = packet; |
950 | if (!packet) | 952 | if (!packet) |
951 | return -ENOMEM; | 953 | return -ENOMEM; |
@@ -960,7 +962,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) | |||
960 | 962 | ||
961 | if (copy_from_user | 963 | if (copy_from_user |
962 | (packet->data, int2ptr(req->req.sendb) + header_length, | 964 | (packet->data, int2ptr(req->req.sendb) + header_length, |
963 | packet->data_size)) { | 965 | data_size)) { |
964 | req->req.error = RAW1394_ERROR_MEMFAULT; | 966 | req->req.error = RAW1394_ERROR_MEMFAULT; |
965 | req->req.length = 0; | 967 | req->req.length = 0; |
966 | queue_complete_req(req); | 968 | queue_complete_req(req); |
@@ -974,7 +976,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) | |||
974 | packet->host = fi->host; | 976 | packet->host = fi->host; |
975 | packet->expect_response = expect_response; | 977 | packet->expect_response = expect_response; |
976 | packet->header_size = header_length; | 978 | packet->header_size = header_length; |
977 | packet->data_size = req->req.length - header_length; | 979 | packet->data_size = data_size; |
978 | 980 | ||
979 | req->req.length = 0; | 981 | req->req.length = 0; |
980 | hpsb_set_packet_complete_task(packet, | 982 | hpsb_set_packet_complete_task(packet, |