ieee1394: raw1394: Fix async send
While playing with libiec61883 I've noticed that async_send is broken because it was doing copy_from_user(...., packet->data_size) before packet->data_size was set to any useful value. It got broken when packet->allocated_data_size got introduced, as hpsb_alloc_packet does not set packet->data_size anymore. (Regression in 2.6.22-rc1) Signed-off-by: Petr Vandrovec <petr@vandrovec.name> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
This commit is contained in:
Petr Vandrovec
committed by
Stefan Richter
Stefan Richter
parent
ef50a6c59d
commit
976da96a5d
@@ -936,6 +936,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
|
|||||||
struct hpsb_packet *packet;
|
struct hpsb_packet *packet;
|
||||||
int header_length = req->req.misc & 0xffff;
|
int header_length = req->req.misc & 0xffff;
|
||||||
int expect_response = req->req.misc >> 16;
|
int expect_response = req->req.misc >> 16;
|
||||||
|
size_t data_size;
|
||||||
|
|
||||||
if (header_length > req->req.length || header_length < 12 ||
|
if (header_length > req->req.length || header_length < 12 ||
|
||||||
header_length > FIELD_SIZEOF(struct hpsb_packet, header)) {
|
header_length > FIELD_SIZEOF(struct hpsb_packet, header)) {
|
||||||
@@ -945,7 +946,8 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
|
|||||||
return sizeof(struct raw1394_request);
|
return sizeof(struct raw1394_request);
|
||||||
}
|
}
|
||||||
|
|
||||||
packet = hpsb_alloc_packet(req->req.length - header_length);
|
data_size = req->req.length - header_length;
|
||||||
|
packet = hpsb_alloc_packet(data_size);
|
||||||
req->packet = packet;
|
req->packet = packet;
|
||||||
if (!packet)
|
if (!packet)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
@@ -960,7 +962,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
|
|||||||
|
|
||||||
if (copy_from_user
|
if (copy_from_user
|
||||||
(packet->data, int2ptr(req->req.sendb) + header_length,
|
(packet->data, int2ptr(req->req.sendb) + header_length,
|
||||||
packet->data_size)) {
|
data_size)) {
|
||||||
req->req.error = RAW1394_ERROR_MEMFAULT;
|
req->req.error = RAW1394_ERROR_MEMFAULT;
|
||||||
req->req.length = 0;
|
req->req.length = 0;
|
||||||
queue_complete_req(req);
|
queue_complete_req(req);
|
||||||
@@ -974,7 +976,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
|
|||||||
packet->host = fi->host;
|
packet->host = fi->host;
|
||||||
packet->expect_response = expect_response;
|
packet->expect_response = expect_response;
|
||||||
packet->header_size = header_length;
|
packet->header_size = header_length;
|
||||||
packet->data_size = req->req.length - header_length;
|
packet->data_size = data_size;
|
||||||
|
|
||||||
req->req.length = 0;
|
req->req.length = 0;
|
||||||
hpsb_set_packet_complete_task(packet,
|
hpsb_set_packet_complete_task(packet,
|
||||||
|
|||||||
Reference in New Issue
Block a user