[GIT PULL] FireWire update

[Stefan Richter <stefanr@s5r6.in-berlin.de>]

Linus, please pull from the for-linus branch at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6.git for-linus

to receive the following update for the firewire subsystem.

 drivers/firewire/fw-transaction.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

Stefan Richter (1):
      firewire: fix panic in handle_at_packet


commit 10a4c735515a5afc317abe4d697a4c95f6d9d764
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Sun Mar 16 00:56:41 2008 +0100

    firewire: fix panic in handle_at_packet
    
    This fixes a use-after-free bug in the handling of split transactions.
    The AT DMA handler of the request was occasionally executed after the
    AR DMA handler of the response.  The AT DMA handler then accessed an
    already freed packet.
    
    Reported by Johannes Berg.
    http://bugzilla.kernel.org/show_bug.cgi?id=9617
    
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Tested-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: Jarod Wilson <jwilson@redhat.com>

diff --git a/drivers/firewire/fw-transaction.c b/drivers/firewire/fw-transaction.c
index 99529e5..e6f1bda 100644
--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p)
 		break;
 	}
 
+	/*
+	 * The response handler may be executed while the request handler
+	 * is still pending.  Cancel the request handler.
+	 */
+	card->driver->cancel_packet(card, &t->packet);
+
 	t->callback(card, rcode, data, data_length, t->callback_data);
 }
 EXPORT_SYMBOL(fw_core_handle_response);


Thanks,
-- 
Stefan Richter
-=====-==--- --== =-=--
http://arcgraph.de/sr/