firewire: ohci: handle receive packets with a data length of zero

Queueing to receive an ISO packet with a payload length of zero silently does nothing in dualbuffer mode, and crashes the kernel in packet-per-buffer mode. Return an error in dualbuffer mode, because the DMA controller won't let us do what we want, and work correctly in packet-per-buffer mode. Signed-off-by: Jay Fenlason <fenlason@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: stable@kernel.org

firewire: ohci: handle receive packets with a data length of zero
Queueing to receive an ISO packet with a payload length of zero silently does nothing in dualbuffer mode, and crashes the kernel in packet-per-buffer mode. Return an error in dualbuffer mode, because the DMA controller won't let us do what we want, and work correctly in packet-per-buffer mode. Signed-off-by: Jay Fenlason <fenlason@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: stable@kernel.org
Jay Fenlason · Stefan Richter
1 parent af0940dac3
Showing 1 changed file with 10 additions and 2 deletions Side-by-side Diff
drivers/firewire/ohci.c
@@ -2189,6 +2189,13 @@
 	page     = payload >> PAGE_SHIFT;
 	offset   = payload & ~PAGE_MASK;
 	rest     = p->payload_length;
+	/*
+	 * The controllers I've tested have not worked correctly when
+	 * second_req_count is zero.  Rather than do something we know won't
+	 * work, return an error
+	 */
+	if (rest == 0)
+		return -EINVAL;
  
 	/* FIXME: make packet-per-buffer/dual-buffer a context option */
 	while (rest > 0) {
@@ -2242,7 +2249,7 @@
 					unsigned long payload)
 {
 	struct iso_context *ctx = container_of(base, struct iso_context, base);
-	struct descriptor *d = NULL, *pd = NULL;
+	struct descriptor *d, *pd;
 	struct fw_iso_packet *p = packet;
 	dma_addr_t d_bus, page_bus;
 	u32 z, header_z, rest;
  
@@ -2280,8 +2287,9 @@
 		d->data_address = cpu_to_le32(d_bus + (z * sizeof(*d)));
  
 		rest = payload_per_buffer;
+		pd = d;
 		for (j = 1; j < z; j++) {
-			pd = d + j;
+			pd++;
 			pd->control = cpu_to_le16(DESCRIPTOR_STATUS |
 						  DESCRIPTOR_INPUT_MORE);
...	...	@@ -2189,6 +2189,13 @@
2189	2189	page = payload >> PAGE_SHIFT;
2190	2190	offset = payload & ~PAGE_MASK;
2191	2191	rest = p->payload_length;
	2192	+ /*
	2193	+ * The controllers I've tested have not worked correctly when
	2194	+ * second_req_count is zero. Rather than do something we know won't
	2195	+ * work, return an error
	2196	+ */
	2197	+ if (rest == 0)
	2198	+ return -EINVAL;
2192	2199
2193	2200	/* FIXME: make packet-per-buffer/dual-buffer a context option */
2194	2201	while (rest > 0) {
...	...	@@ -2242,7 +2249,7 @@
2242	2249	unsigned long payload)
2243	2250	{
2244	2251	struct iso_context *ctx = container_of(base, struct iso_context, base);
2245		- struct descriptor d = NULL, pd = NULL;
	2252	+ struct descriptor d, pd;
2246	2253	struct fw_iso_packet *p = packet;
2247	2254	dma_addr_t d_bus, page_bus;
2248	2255	u32 z, header_z, rest;
2249	2256
...	...	@@ -2280,8 +2287,9 @@
2280	2287	d->data_address = cpu_to_le32(d_bus + (z * sizeof(*d)));
2281	2288
2282	2289	rest = payload_per_buffer;
	2290	+ pd = d;
2283	2291	for (j = 1; j < z; j++) {
2284		- pd = d + j;
	2292	+ pd++;
2285	2293	pd->control = cpu_to_le16(DESCRIPTOR_STATUS \|
2286	2294	DESCRIPTOR_INPUT_MORE);
2287	2295