diff options
author | Petr Vandrovec <petr@vandrovec.name> | 2007-05-13 22:14:44 -0700 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-05-27 23:21:00 +0200 |
commit | 976da96a5d4fe84bd292b950e566325dc3e5904e (patch) | |
tree | ce6f96ec99f8e2e138d2239fb2ac857c29de2b28 /drivers | |
parent | ef50a6c59dc66f22eba67704e291d709f21e0456 (diff) | |
download | lwn-976da96a5d4fe84bd292b950e566325dc3e5904e.tar.gz lwn-976da96a5d4fe84bd292b950e566325dc3e5904e.zip |
ieee1394: raw1394: Fix async send
While playing with libiec61883 I've noticed that async_send is broken
because it was doing copy_from_user(...., packet->data_size) before
packet->data_size was set to any useful value. It got broken when
packet->allocated_data_size got introduced, as hpsb_alloc_packet does
not set packet->data_size anymore. (Regression in 2.6.22-rc1)
Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/ieee1394/raw1394.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/ieee1394/raw1394.c b/drivers/ieee1394/raw1394.c index d382500f4210..f1d05eeb9f51 100644 --- a/drivers/ieee1394/raw1394.c +++ b/drivers/ieee1394/raw1394.c @@ -936,6 +936,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) struct hpsb_packet *packet; int header_length = req->req.misc & 0xffff; int expect_response = req->req.misc >> 16; + size_t data_size; if (header_length > req->req.length || header_length < 12 || header_length > FIELD_SIZEOF(struct hpsb_packet, header)) { @@ -945,7 +946,8 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) return sizeof(struct raw1394_request); } - packet = hpsb_alloc_packet(req->req.length - header_length); + data_size = req->req.length - header_length; + packet = hpsb_alloc_packet(data_size); req->packet = packet; if (!packet) return -ENOMEM; @@ -960,7 +962,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) if (copy_from_user (packet->data, int2ptr(req->req.sendb) + header_length, - packet->data_size)) { + data_size)) { req->req.error = RAW1394_ERROR_MEMFAULT; req->req.length = 0; queue_complete_req(req); @@ -974,7 +976,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req) packet->host = fi->host; packet->expect_response = expect_response; packet->header_size = header_length; - packet->data_size = req->req.length - header_length; + packet->data_size = data_size; req->req.length = 0; hpsb_set_packet_complete_task(packet, |