firewire: cdev: address handler input validation

Like before my commit 1415d918, fw_core_add_address_handler() does not align the address region now. Instead the caller is required to pass valid parameters. Since one of the callers of fw_core_add_address_handler() is the cdev userspace interface, we now check for valid input. If the client is buggy, we give it a hint with -EINVAL. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

firewire: cdev: address handler input validation
Like before my commit 1415d918, fw_core_add_address_handler() does not align the address region now. Instead the caller is required to pass valid parameters. Since one of the callers of fw_core_add_address_handler() is the cdev userspace interface, we now check for valid input. If the client is buggy, we give it a hint with -EINVAL. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
3e0b5f0d · Stefan Richter · 45ee3199 · 3e0b5f0d · 3e0b5f0d
Commit 3e0b5f0d authored Dec 14, 2008 by Stefan Richter
Show whitespace changes
Inline Side-by-side

Showing with 21 additions and 11 deletions

drivers/firewire/fw-cdev.c drivers/firewire/fw-cdev.c +3 -2

drivers/firewire/fw-transaction.c drivers/firewire/fw-transaction.c +18 -9

No files found.
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -591,9 +591,10 @@ static int ioctl_allocate(struct client *client, void *buffer)
 	handler->closure = request->closure;
 	handler->client = client;
-	if (fw_core_add_address_handler(&handler->handler, &region) < 0) {
+	ret = fw_core_add_address_handler(&handler->handler, &region);
+	if (ret < 0) {
 		kfree(handler);
-		return -EBUSY;
+		return ret;
 	}
 	handler->resource.release = release_address_handler;

--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -449,16 +449,19 @@ const struct fw_address_region fw_unit_space_region =
 #endif  /*  0  */
 /**
- * Allocate a range of addresses in the node space of the OHCI
+ * fw_core_add_address_handler - register for incoming requests
- * controller.  When a request is received that falls within the
+ * @handler: callback
- * specified address range, the specified callback is invoked.  The
+ * @region: region in the IEEE 1212 node space address range
- * parameters passed to the callback give the details of the
+ *
- * particular request.
+ * region->start, ->end, and handler->length have to be quadlet-aligned.
+ *
+ * When a request is received that falls within the specified address range,
+ * the specified callback is invoked.  The parameters passed to the callback
+ * give the details of the particular request.
 *
 * Return value:  0 on success, non-zero otherwise.
 * The start offset of the handler's address region is determined by
 * fw_core_add_address_handler() and is returned in handler->offset.
- * The offset is quadlet-aligned.
 */
 int
 fw_core_add_address_handler(struct fw_address_handler *handler,
@@ -468,17 +471,23 @@ fw_core_add_address_handler(struct fw_address_handler *handler,
 	unsigned long flags;
 	int ret = -EBUSY;
+	if (region->start & 0xffff000000000003ULL ||
+	    region->end   & 0xffff000000000003ULL ||
+	    region->start >= region->end ||
+	    handler->length & 3 ||
+	    handler->length == 0)
+		return -EINVAL;
 	spin_lock_irqsave(&address_handler_lock, flags);
-	handler->offset = roundup(region->start, 4);
+	handler->offset = region->start;
 	while (handler->offset + handler->length <= region->end) {
 		other =
 		    lookup_overlapping_address_handler(&address_handler_list,
 						       handler->offset,
 						       handler->length);
 		if (other != NULL) {
-			handler->offset =
+			handler->offset += other->length;
-			    roundup(other->offset + other->length, 4);
 		} else {
 			list_add_tail(&handler->link, &address_handler_list);
 			ret = 0;