firewire: ohci: handle receive packets with a data length of zero

commit 8c0c0cc2d9f4c523fde04bdfe41e4380dec8ee54 upstream.

Queueing to receive an ISO packet with a payload length of zero
silently does nothing in dualbuffer mode, and crashes the kernel in
packet-per-buffer mode.  Return an error in dualbuffer mode, because
the DMA controller won't let us do what we want, and work correctly in
packet-per-buffer mode.

Signed-off-by: Jay Fenlason <fenlason@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
index 76b321bb73f9419aa52c826a944047388d53cd0a..e5827da9229602705744ade9d6f9813125f35c32 100644 (file)
--- a/drivers/firewire/ohci.c
+++ b/drivers/firewire/ohci.c
@@ -2180,6 +2180,13 @@ static int ohci_queue_iso_receive_dualbuffer(struct fw_iso_context *base,
        page     = payload >> PAGE_SHIFT;
        offset   = payload & ~PAGE_MASK;
        rest     = p->payload_length;
+       /*
+        * The controllers I've tested have not worked correctly when
+        * second_req_count is zero.  Rather than do something we know won't
+        * work, return an error
+        */
+       if (rest == 0)
+               return -EINVAL;
 
        /* FIXME: make packet-per-buffer/dual-buffer a context option */
        while (rest > 0) {
@@ -2233,7 +2240,7 @@ static int ohci_queue_iso_receive_packet_per_buffer(struct fw_iso_context *base,
                                        unsigned long payload)
 {
        struct iso_context *ctx = container_of(base, struct iso_context, base);
-       struct descriptor *d = NULL, *pd = NULL;
+       struct descriptor *d, *pd;
        struct fw_iso_packet *p = packet;
        dma_addr_t d_bus, page_bus;
        u32 z, header_z, rest;
@@ -2271,8 +2278,9 @@ static int ohci_queue_iso_receive_packet_per_buffer(struct fw_iso_context *base,
                d->data_address = cpu_to_le32(d_bus + (z * sizeof(*d)));
 
                rest = payload_per_buffer;
+               pd = d;
                for (j = 1; j < z; j++) {
-                       pd = d + j;
+                       pd++;
                        pd->control = cpu_to_le16(DESCRIPTOR_STATUS |
                                                  DESCRIPTOR_INPUT_MORE);