rpms/kernel/devel linux-2.6-firewire-git-pending.patch, 1.30, 1.31 kernel.spec, 1.1101, 1.1102 linux-2.6-firewire-git-update.patch, 1.17, 1.18
Jarod Wilson
jwilson at fedoraproject.org
Wed Oct 29 15:32:36 UTC 2008
Author: jwilson
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27365
Modified Files:
kernel.spec linux-2.6-firewire-git-update.patch
Added Files:
linux-2.6-firewire-git-pending.patch
Log Message:
* Wed Oct 29 2008 Jarod Wilson <jarod at redhat.com> 2.6.27.4-66
- Update to latest firewire git code:
* Resolve sbp2/ohci module load race causing delayed sbp2 logins (#466679)
* Prevent >256 bus resets from crashing the system (improves #244576)
* Fix assorted memory leaks
* Include timestamps in iso packet headers
linux-2.6-firewire-git-pending.patch:
Index: linux-2.6-firewire-git-pending.patch
===================================================================
RCS file: linux-2.6-firewire-git-pending.patch
diff -N linux-2.6-firewire-git-pending.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ linux-2.6-firewire-git-pending.patch 29 Oct 2008 15:32:05 -0000 1.31
@@ -0,0 +1,130 @@
+#
+# Patches under review and/or pending inclusion in the linux1394-git
+# tree (and/or in by the time your read this), which we want...
+#
+
+Date: Fri, 26 Sep 2008 16:35:45 -0400
+From: Jay Fenlason <fenlason at redhat.com>
+Subject: [Patch] fix two resource allocation bugs in fw-cdev.c
+
+Bug #1: the resource_handle used to number resources will eventually
+wrap, potentially resulting in two resources having the same handle.
+This will lead to a system crash when the wrong resource is freed.
+
+A better fix for this bug would be to use the idr functions rather
+than keeping a linked list of resources. I will include that in a
+future patch.
+
+Bug #2: the release_client_resource() function does not check the type
+of the resource it is being asked to free. Because the handle numbers
+can come directly from userspace, a malicious or buggy program may
+free resources that it shouldn't, possibly causing a program crash.
+
+Signed-off-by: Jay Fenlason <fenlason at redhat.com>
+
+--
+
+ fw-cdev.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff -rup linux-2.6/drivers/firewire/fw-cdev.c linux-2.6.firewire/drivers/firewire/fw-cdev.c
+--- linux-2.6/drivers/firewire/fw-cdev.c 2008-09-22 14:56:02.000000000 -0400
++++ linux-2.6.firewire/drivers/firewire/fw-cdev.c 2008-09-25 16:13:00.000000000 -0400
+@@ -77,7 +77,6 @@ struct client {
+ u32 version;
+ struct fw_device *device;
+ spinlock_t lock;
+- u32 resource_handle;
+ struct list_head resource_list;
+ struct list_head event_list;
+ wait_queue_head_t wait;
+@@ -321,13 +320,32 @@ add_client_resource(struct client *clien
+ unsigned long flags;
+
+ spin_lock_irqsave(&client->lock, flags);
+- list_add_tail(&resource->link, &client->resource_list);
+- resource->handle = client->resource_handle++;
++ if (list_empty(&client->resource_list)
++ || list_first_entry(&client->resource_list,
++ struct client_resource,
++ link)->handle > 0) {
++ resource->handle = 0;
++ list_add(&resource->link, &client->resource_list);
++ } else {
++ struct client_resource *c_tmp, *c_tmp2;
++
++ c_tmp2 = NULL;
++ list_for_each_entry(c_tmp, &client->resource_list,
++ link) {
++ if (c_tmp2 && c_tmp->handle != c_tmp2->handle+1)
++ break;
++ c_tmp2 = c_tmp;
++ }
++ BUG_ON(c_tmp2 == NULL);
++ resource->handle = c_tmp2->handle+1;
++ list_add(&resource->link, &c_tmp2->link);
++ }
+ spin_unlock_irqrestore(&client->lock, flags);
+ }
+
+ static int
+ release_client_resource(struct client *client, u32 handle,
++ void (*func)(struct client *client, struct client_resource *r),
+ struct client_resource **resource)
+ {
+ struct client_resource *r;
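Review bot: The new handle allocation in add_client_resource walks client->resource_list for the first gap while holding client->lock with interrupts disabled, so the time spent with IRQs off grows with the number of resources a client holds, and those resources are created on behalf of userspace ioctls. The scan is also only correct while the list stays sorted by handle, which nothing here states; I would add a comment such as `/* resource_list is kept sorted by handle; reuse the lowest free one */` above the `if`, and either cap the number of resources per client or move to the idr allocator the patch description already mentions. `BUG_ON(c_tmp2 == NULL)` cannot fire in the else branch, because the list is known to be non-empty there and the first iteration always assigns `c_tmp2`; it can be dropped rather than left as a way to halt the machine with the spinlock held. The opening lines of add_client_resource are outside the hunk.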
+@@ -335,7 +353,7 @@ release_client_resource(struct client *c
+
+ spin_lock_irqsave(&client->lock, flags);
+ list_for_each_entry(r, &client->resource_list, link) {
+- if (r->handle == handle) {
++ if (r->handle == handle && r->release == func) {
+ list_del(&r->link);
+ break;
+ }
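Review bot: Matching on `r->release == func` in the lookup loop uses the release callback as the resource's type tag, which is what now stops a handle supplied by userspace from releasing a resource of another kind, but nothing in release_client_resource says so. I would document it above the function, for example `/* func identifies the expected resource type; a handle of any other type is treated as not found */`, so that a later caller does not pass whichever callback happens to compile. The `container_of(resource, struct request, resource)` in ioctl_send_response (hunk at -564) is only safe because that caller passes `release_request`, which deserves a one-line comment there as well. The not-found handling after the loop and the rest of the function are outside the hunk.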
+@@ -555,7 +573,7 @@ static int ioctl_deallocate(struct clien
+ {
+ struct fw_cdev_deallocate *request = buffer;
+
+- return release_client_resource(client, request->handle, NULL);
++ return release_client_resource(client, request->handle, release_address_handler, NULL);
+ }
+
+ static int ioctl_send_response(struct client *client, void *buffer)
+@@ -564,7 +582,7 @@ static int ioctl_send_response(struct cl
+ struct client_resource *resource;
+ struct request *r;
+
+- if (release_client_resource(client, request->handle, &resource) < 0)
++ if (release_client_resource(client, request->handle, release_request, &resource) < 0)
+ return -EINVAL;
+ r = container_of(resource, struct request, resource);
+ if (request->length < r->length)
+@@ -646,7 +664,7 @@ static int ioctl_remove_descriptor(struc
+ {
+ struct fw_cdev_remove_descriptor *request = buffer;
+
+- return release_client_resource(client, request->handle, NULL);
++ return release_client_resource(client, request->handle, release_descriptor, NULL);
+ }
+
+ static void
+
+----------------------
+Date: Wed, 22 Oct 2008 15:59:42 -0400
+From: Jay Fenlason <fenlason at redhat.com>
+Subject: firewire: typo in comment
+
+Signed-off-by: Jay Fenlason <fenlason at redhat.com>
+diff -upr linux-2.6/drivers/firewire/fw-card.c linux-2.6.fw/drivers/firewire/fw-card.c
+--- linux-2.6/drivers/firewire/fw-card.c 2008-10-07 11:26:15.000000000 -0400
++++ linux-2.6.fw/drivers/firewire/fw-card.c 2008-10-22 14:40:14.000000000 -0400
+@@ -76,7 +76,7 @@ generate_config_rom(struct fw_card *card
+ * controller, block reads to the config rom accesses the host
+ * memory, but quadlet read access the hardware bus info block
+ * registers. That's just crack, but it means we should make
+- * sure the contents of bus info block in host memory mathces
++ * sure the contents of bus info block in host memory matches
+ * the version stored in the OHCI registers.
+ */
+
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1101
retrieving revision 1.1102
diff -u -r1.1101 -r1.1102
--- kernel.spec 29 Oct 2008 05:48:41 -0000 1.1101
+++ kernel.spec 29 Oct 2008 15:32:05 -0000 1.1102
@@ -683,6 +683,7 @@
# linux1394 git patches
Patch2200: linux-2.6-firewire-git-update.patch
+Patch2201: linux-2.6-firewire-git-pending.patch
# make USB EHCI driver respect "nousb" parameter
Patch2300: linux-2.6-usb-ehci-hcd-respect-nousb.patch
@@ -1286,10 +1287,10 @@
# linux1394 git patches
ApplyPatch linux-2.6-firewire-git-update.patch
-#C=$(wc -l $RPM_SOURCE_DIR/linux-2.6-firewire-git-pending.patch | awk '{print $1}')
-#if [ "$C" -gt 10 ]; then
-#ApplyPatch linux-2.6-firewire-git-pending.patch
-#fi
+C=$(wc -l $RPM_SOURCE_DIR/linux-2.6-firewire-git-pending.patch | awk '{print $1}')
+if [ "$C" -gt 10 ]; then
+ApplyPatch linux-2.6-firewire-git-pending.patch
+fi
# get rid of imacfb and make efifb work everywhere it was used
ApplyPatch linux-2.6-merge-efifb-imacfb.patch
@@ -1883,6 +1884,13 @@
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Wed Oct 29 2008 Jarod Wilson <jarod at redhat.com> 2.6.27.4-66
+- Update to latest firewire git code:
+ * Resolve spb2/ohci module load race causing delayed sbp2 logins (#466679)
+ * Prevent >256 bus resets from crashing the system (improves #244576)
+ * Fix assorted memory leaks
+ * Include timestamps in iso packet headers
+
* Wed Oct 29 2008 Dave Airlie <airlied at redhat.com> 2.6.27.4-65
- radeon modesetting : misc fixes - rs690, agp unload, module unload warning
linux-2.6-firewire-git-update.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.17 -r 1.18 linux-2.6-firewire-git-update.patch
Index: linux-2.6-firewire-git-update.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/linux-2.6-firewire-git-update.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- linux-2.6-firewire-git-update.patch 8 Aug 2008 18:42:36 -0000 1.17
+++ linux-2.6-firewire-git-update.patch 29 Oct 2008 15:32:05 -0000 1.18
@@ -1,14 +1,34 @@
-Diff between linux-2.6-git at version 2.6.27-rc2-git1 and the linux1394-2.6-git
-tree at commit 2d2da062fae0d87c5a6ad241662040ad9895e5be on 2008-08-08.
-
-Not done via straight git, since the linux1394-2.6-git tree hasn't been rebased
-since 2.6.26, which makes things a touch messy right now...
+Git diff in linux1394-2.6-git at commit 3346610742cdef8b1670d090008aca0911e95880
+vs. tag v2.6.27, on 2008-10-29.
---
-diff -Naurp linux-2.6-git/drivers/firewire/fw-card.c firewire-git/drivers/firewire/fw-card.c
---- linux-2.6-git/drivers/firewire/fw-card.c 2008-08-04 18:04:26.000000000 -0400
-+++ firewire-git/drivers/firewire/fw-card.c 2008-08-04 16:39:51.000000000 -0400
+ drivers/firewire/fw-card.c | 58 ++------
+ drivers/firewire/fw-cdev.c | 42 +++---
+ drivers/firewire/fw-device.c | 40 ++----
+ drivers/firewire/fw-device.h | 4 +
+ drivers/firewire/fw-ohci.c | 123 ++++++++++------
+ drivers/firewire/fw-sbp2.c | 154 +++++++++-----------
+ drivers/firewire/fw-topology.c | 18 ++-
+ drivers/firewire/fw-transaction.c | 48 ++++++-
+ drivers/firewire/fw-transaction.h | 20 ++-
+ drivers/ieee1394/csr1212.c | 2 +-
+ drivers/ieee1394/dv1394.c | 2 +-
+ drivers/ieee1394/eth1394.c | 2 +-
+ drivers/ieee1394/nodemgr.c | 279 ++++++++++++++----------------------
+ drivers/ieee1394/nodemgr.h | 2 +-
+ drivers/ieee1394/raw1394-private.h | 1 +
+ drivers/ieee1394/raw1394.c | 230 ++++++++++++++++-------------
+ drivers/ieee1394/sbp2.c | 218 ++++++++++++----------------
+ drivers/ieee1394/sbp2.h | 33 ++---
+ drivers/ieee1394/video1394.c | 8 +-
+ include/linux/firewire-cdev.h | 9 +-
+ 20 files changed, 622 insertions(+), 671 deletions(-)
+
+diff --git a/drivers/firewire/fw-card.c b/drivers/firewire/fw-card.c
+index bbd73a4..94cf070 100644
+--- a/drivers/firewire/fw-card.c
++++ b/drivers/firewire/fw-card.c
@@ -189,39 +189,16 @@ static const char gap_count_table[] = {
63, 5, 7, 8, 10, 13, 16, 18, 21, 24, 26, 29, 32, 35, 37, 40
};
@@ -51,7 +71,7 @@
spin_lock_irqsave(&card->lock, flags);
local_node = card->local_node;
-@@ -241,7 +218,7 @@ fw_card_bm_work(struct work_struct *work
+@@ -241,7 +218,7 @@ fw_card_bm_work(struct work_struct *work)
root_id = root_node->node_id;
grace = time_after(jiffies, card->reset_jiffies + DIV_ROUND_UP(HZ, 10));
@@ -60,7 +80,7 @@
(card->bm_generation != generation && grace)) {
/*
* This first step is to figure out who is IRM and
-@@ -263,33 +240,28 @@ fw_card_bm_work(struct work_struct *work
+@@ -263,33 +240,28 @@ fw_card_bm_work(struct work_struct *work)
goto pick_me;
}
@@ -106,10 +126,182 @@
/*
* The lock request failed, maybe the IRM
* isn't really IRM capable after all. Let's
-diff -Naurp linux-2.6-git/drivers/firewire/fw-device.c firewire-git/drivers/firewire/fw-device.c
---- linux-2.6-git/drivers/firewire/fw-device.c 2008-07-23 15:03:03.000000000 -0400
-+++ firewire-git/drivers/firewire/fw-device.c 2008-08-04 16:39:51.000000000 -0400
-@@ -381,46 +381,21 @@ static struct device_attribute fw_device
+diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
+index 2e6d584..75bbd66 100644
+--- a/drivers/firewire/fw-cdev.c
++++ b/drivers/firewire/fw-cdev.c
+@@ -24,9 +24,11 @@
+ #include <linux/errno.h>
+ #include <linux/device.h>
+ #include <linux/vmalloc.h>
++#include <linux/mutex.h>
+ #include <linux/poll.h>
+ #include <linux/preempt.h>
+ #include <linux/time.h>
++#include <linux/spinlock.h>
+ #include <linux/delay.h>
+ #include <linux/mm.h>
+ #include <linux/idr.h>
+@@ -107,7 +109,6 @@ static int fw_device_op_open(struct inode *inode, struct file *file)
+ {
+ struct fw_device *device;
+ struct client *client;
+- unsigned long flags;
+
+ device = fw_device_get_by_devt(inode->i_rdev);
+ if (device == NULL)
+@@ -132,9 +133,9 @@ static int fw_device_op_open(struct inode *inode, struct file *file)
+
+ file->private_data = client;
+
+- spin_lock_irqsave(&device->card->lock, flags);
++ mutex_lock(&device->client_list_mutex);
+ list_add_tail(&client->link, &device->client_list);
+- spin_unlock_irqrestore(&device->card->lock, flags);
++ mutex_unlock(&device->client_list_mutex);
+
+ return 0;
+ }
+@@ -205,12 +206,14 @@ fw_device_op_read(struct file *file,
+ return dequeue_event(client, buffer, count);
+ }
+
+-/* caller must hold card->lock so that node pointers can be dereferenced here */
+ static void
+ fill_bus_reset_event(struct fw_cdev_event_bus_reset *event,
+ struct client *client)
+ {
+ struct fw_card *card = client->device->card;
++ unsigned long flags;
++
++ spin_lock_irqsave(&card->lock, flags);
+
+ event->closure = client->bus_reset_closure;
+ event->type = FW_CDEV_EVENT_BUS_RESET;
+@@ -220,22 +223,20 @@ fill_bus_reset_event(struct fw_cdev_event_bus_reset *event,
+ event->bm_node_id = 0; /* FIXME: We don't track the BM. */
+ event->irm_node_id = card->irm_node->node_id;
+ event->root_node_id = card->root_node->node_id;
++
++ spin_unlock_irqrestore(&card->lock, flags);
+ }
+
+ static void
+ for_each_client(struct fw_device *device,
+ void (*callback)(struct client *client))
+ {
+- struct fw_card *card = device->card;
+ struct client *c;
+- unsigned long flags;
+-
+- spin_lock_irqsave(&card->lock, flags);
+
++ mutex_lock(&device->client_list_mutex);
+ list_for_each_entry(c, &device->client_list, link)
+ callback(c);
+-
+- spin_unlock_irqrestore(&card->lock, flags);
++ mutex_unlock(&device->client_list_mutex);
+ }
+
+ static void
+@@ -243,7 +244,7 @@ queue_bus_reset_event(struct client *client)
+ {
+ struct bus_reset *bus_reset;
+
+- bus_reset = kzalloc(sizeof(*bus_reset), GFP_ATOMIC);
++ bus_reset = kzalloc(sizeof(*bus_reset), GFP_KERNEL);
+ if (bus_reset == NULL) {
+ fw_notify("Out of memory when allocating bus reset event\n");
+ return;
+@@ -274,11 +275,11 @@ static int ioctl_get_info(struct client *client, void *buffer)
+ {
+ struct fw_cdev_get_info *get_info = buffer;
+ struct fw_cdev_event_bus_reset bus_reset;
+- struct fw_card *card = client->device->card;
+ unsigned long ret = 0;
+
+ client->version = get_info->version;
+ get_info->version = FW_CDEV_VERSION;
++ get_info->card = client->device->card->index;
+
+ down_read(&fw_device_rwsem);
+
+@@ -300,18 +301,12 @@ static int ioctl_get_info(struct client *client, void *buffer)
+ client->bus_reset_closure = get_info->bus_reset_closure;
+ if (get_info->bus_reset != 0) {
+ void __user *uptr = u64_to_uptr(get_info->bus_reset);
+- unsigned long flags;
+
+- spin_lock_irqsave(&card->lock, flags);
+ fill_bus_reset_event(&bus_reset, client);
+- spin_unlock_irqrestore(&card->lock, flags);
+-
+ if (copy_to_user(uptr, &bus_reset, sizeof(bus_reset)))
+ return -EFAULT;
+ }
+
+- get_info->card = card->index;
+-
+ return 0;
+ }
+
+@@ -720,8 +715,8 @@ static int ioctl_create_iso_context(struct client *client, void *buffer)
+ #define GET_PAYLOAD_LENGTH(v) ((v) & 0xffff)
+ #define GET_INTERRUPT(v) (((v) >> 16) & 0x01)
[...1952 lines suppressed...]
+ }
+
+@@ -1789,13 +1775,6 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid,
+ else
+ cmd = sbp2util_find_command_for_orb(lu, sb->ORB_offset_lo);
+ if (cmd) {
+- dma_sync_single_for_cpu(hi->host->device.parent,
+- cmd->command_orb_dma,
+- sizeof(struct sbp2_command_orb),
+- DMA_TO_DEVICE);
+- dma_sync_single_for_cpu(hi->host->device.parent, cmd->sge_dma,
+- sizeof(cmd->scatter_gather_element),
+- DMA_TO_DEVICE);
+ /* Grab SCSI command pointers and check status. */
+ /*
+ * FIXME: If the src field in the status is 1, the ORB DMA must
+@@ -1912,7 +1891,6 @@ done:
+
+ static void sbp2scsi_complete_all_commands(struct sbp2_lu *lu, u32 status)
+ {
+- struct sbp2_fwhost_info *hi = lu->hi;
+ struct list_head *lh;
+ struct sbp2_command_info *cmd;
+ unsigned long flags;
+@@ -1921,13 +1899,6 @@ static void sbp2scsi_complete_all_commands(struct sbp2_lu *lu, u32 status)
+ while (!list_empty(&lu->cmd_orb_inuse)) {
+ lh = lu->cmd_orb_inuse.next;
+ cmd = list_entry(lh, struct sbp2_command_info, list);
+- dma_sync_single_for_cpu(hi->host->device.parent,
+- cmd->command_orb_dma,
+- sizeof(struct sbp2_command_orb),
+- DMA_TO_DEVICE);
+- dma_sync_single_for_cpu(hi->host->device.parent, cmd->sge_dma,
+- sizeof(cmd->scatter_gather_element),
+- DMA_TO_DEVICE);
+ sbp2util_mark_command_completed(lu, cmd);
+ if (cmd->Current_SCpnt) {
+ cmd->Current_SCpnt->result = status << 16;
+@@ -2033,6 +2004,8 @@ static int sbp2scsi_slave_configure(struct scsi_device *sdev)
+ sdev->start_stop_pwr_cond = 1;
+ if (lu->workarounds & SBP2_WORKAROUND_128K_MAX_TRANS)
+ blk_queue_max_sectors(sdev->request_queue, 128 * 1024 / 512);
++
++ blk_queue_max_segment_size(sdev->request_queue, SBP2_MAX_SEG_SIZE);
+ return 0;
+ }
+
+@@ -2049,7 +2022,6 @@ static void sbp2scsi_slave_destroy(struct scsi_device *sdev)
+ static int sbp2scsi_abort(struct scsi_cmnd *SCpnt)
+ {
+ struct sbp2_lu *lu = (struct sbp2_lu *)SCpnt->device->host->hostdata[0];
+- struct sbp2_fwhost_info *hi = lu->hi;
+ struct sbp2_command_info *cmd;
+ unsigned long flags;
+
+@@ -2063,14 +2035,6 @@ static int sbp2scsi_abort(struct scsi_cmnd *SCpnt)
+ spin_lock_irqsave(&lu->cmd_orb_lock, flags);
+ cmd = sbp2util_find_command_for_SCpnt(lu, SCpnt);
+ if (cmd) {
+- dma_sync_single_for_cpu(hi->host->device.parent,
+- cmd->command_orb_dma,
+- sizeof(struct sbp2_command_orb),
+- DMA_TO_DEVICE);
+- dma_sync_single_for_cpu(hi->host->device.parent,
+- cmd->sge_dma,
+- sizeof(cmd->scatter_gather_element),
+- DMA_TO_DEVICE);
+ sbp2util_mark_command_completed(lu, cmd);
+ if (cmd->Current_SCpnt) {
+ cmd->Current_SCpnt->result = DID_ABORT << 16;
+diff --git a/drivers/ieee1394/sbp2.h b/drivers/ieee1394/sbp2.h
+index 875428b..c5036f1 100644
+--- a/drivers/ieee1394/sbp2.h
++++ b/drivers/ieee1394/sbp2.h
+@@ -139,13 +139,10 @@ struct sbp2_logout_orb {
+ u32 status_fifo_lo;
+ } __attribute__((packed));
+
+-#define PAGE_TABLE_SET_SEGMENT_BASE_HI(v) ((v) & 0xffff)
+-#define PAGE_TABLE_SET_SEGMENT_LENGTH(v) (((v) & 0xffff) << 16)
+-
+ struct sbp2_unrestricted_page_table {
+- u32 length_segment_base_hi;
+- u32 segment_base_lo;
+-} __attribute__((packed));
++ __be32 high;
++ __be32 low;
++};
+
+ #define RESP_STATUS_REQUEST_COMPLETE 0x0
+ #define RESP_STATUS_TRANSPORT_FAILURE 0x1
+@@ -216,15 +213,18 @@ struct sbp2_status_block {
+ #define SBP2_UNIT_SPEC_ID_ENTRY 0x0000609e
+ #define SBP2_SW_VERSION_ENTRY 0x00010483
+
+-
+ /*
+- * SCSI specific definitions
++ * The default maximum s/g segment size of a FireWire controller is
++ * usually 0x10000, but SBP-2 only allows 0xffff. Since buffers have to
++ * be quadlet-aligned, we set the length limit to 0xffff & ~3.
+ */
++#define SBP2_MAX_SEG_SIZE 0xfffc
+
+-#define SBP2_MAX_SG_ELEMENT_LENGTH 0xf000
+-/* There is no real limitation of the queue depth (i.e. length of the linked
++/*
++ * There is no real limitation of the queue depth (i.e. length of the linked
+ * list of command ORBs) at the target. The chosen depth is merely an
+- * implementation detail of the sbp2 driver. */
++ * implementation detail of the sbp2 driver.
++ */
+ #define SBP2_MAX_CMDS 8
+
+ #define SBP2_SCSI_STATUS_GOOD 0x0
+@@ -240,12 +240,6 @@ struct sbp2_status_block {
+ * Representations of commands and devices
+ */
+
+-enum sbp2_dma_types {
+- CMD_DMA_NONE,
+- CMD_DMA_PAGE,
+- CMD_DMA_SINGLE
+-};
+-
+ /* Per SCSI command */
+ struct sbp2_command_info {
+ struct list_head list;
+@@ -258,11 +252,6 @@ struct sbp2_command_info {
+ struct sbp2_unrestricted_page_table
+ scatter_gather_element[SG_ALL] __attribute__((aligned(8)));
+ dma_addr_t sge_dma;
+- void *sge_buffer;
+- dma_addr_t cmd_dma;
+- enum sbp2_dma_types dma_type;
+- unsigned long dma_size;
+- enum dma_data_direction dma_dir;
+ };
+
+ /* Per FireWire host */
+diff --git a/drivers/ieee1394/video1394.c b/drivers/ieee1394/video1394.c
+index 25db6e6..fa9e7d8 100644
+--- a/drivers/ieee1394/video1394.c
++++ b/drivers/ieee1394/video1394.c
+@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file *file,
+ if (unlikely(d == NULL))
+ return -EFAULT;
+
+- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
++ if (unlikely(v.buffer >= d->num_desc - 1)) {
+ PRINT(KERN_ERR, ohci->host->id,
+ "Buffer %d out of range",v.buffer);
+ return -EINVAL;
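Review bot: Dropping the `v.buffer<0` test leaves `v.buffer >= d->num_desc - 1` as the only bound on an index taken from the ioctl argument, and that is sufficient only if `v.buffer` is an unsigned type; its declaration is not visible in this hunk, so that should be confirmed and stated in a comment next to the check. If the comparison is carried out in unsigned arithmetic, a context with `num_desc == 0` would make `d->num_desc - 1` wrap to the maximum value and let nearly every index through, so either show that such a context cannot exist or write the test as `if (unlikely(d->num_desc == 0 || v.buffer >= d->num_desc - 1))`. The same applies to the three sibling hunks at -959, -1030 and -1137; the one at -959 compares with `>` where the others use `>=`, which may be deliberate but would benefit from a comment saying why. All four checks sit inside video1394_ioctl, whose body extends beyond the hunks.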
+@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file *file,
+ if (unlikely(d == NULL))
+ return -EFAULT;
+
+- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
++ if (unlikely(v.buffer > d->num_desc - 1)) {
+ PRINT(KERN_ERR, ohci->host->id,
+ "Buffer %d out of range",v.buffer);
+ return -EINVAL;
+@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file *file,
+ d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
+ if (d == NULL) return -EFAULT;
+
+- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
++ if (v.buffer >= d->num_desc - 1) {
+ PRINT(KERN_ERR, ohci->host->id,
+ "Buffer %d out of range",v.buffer);
+ return -EINVAL;
+@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file *file,
+ d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
+ if (d == NULL) return -EFAULT;
+
+- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
++ if (v.buffer >= d->num_desc - 1) {
+ PRINT(KERN_ERR, ohci->host->id,
+ "Buffer %d out of range",v.buffer);
+ return -EINVAL;
+diff --git a/include/linux/firewire-cdev.h b/include/linux/firewire-cdev.h
+index 0f0e271..4d078e9 100644
+--- a/include/linux/firewire-cdev.h
++++ b/include/linux/firewire-cdev.h
+@@ -154,8 +154,13 @@ struct fw_cdev_event_iso_interrupt {
+ * @request: Valid if @common.type == %FW_CDEV_EVENT_REQUEST
+ * @iso_interrupt: Valid if @common.type == %FW_CDEV_EVENT_ISO_INTERRUPT
+ *
+- * Convenience union for userspace use. Events could be read(2) into a char
+- * buffer and then cast to this union for further processing.
++ * Convenience union for userspace use. Events could be read(2) into an
++ * appropriately aligned char buffer and then cast to this union for further
++ * processing. Note that for a request, response or iso_interrupt event,
++ * the data[] or header[] may make the size of the full event larger than
++ * sizeof(union fw_cdev_event). Also note that if you attempt to read(2)
++ * an event into a buffer that is not large enough for it, the data that does
++ * not fit will be discarded so that the next read(2) will return a new event.
+ */
+ union fw_cdev_event {
+ struct fw_cdev_event_common common;