firewire: core: fix upper bound of possible CSR allocations region->end is defined as an upper bound of the requested address range, exclusive --- i.e. as an address outside of the range in which the requested CSR is to be placed. Hence 0x0001,0000,0000,0000 is the biggest valid region->end, not 0x0000,ffff,ffff,fffc like the current check asserted. For simplicity, the fix drops the region->end & 3 test because there is no actual problem with these bits set in region->end. The allocated address range will be quadlet aligned and of a size of multiple quadlets due to the checks for region->start & 3 and handler->length & 3 alone. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

commit: 0c9ae701ae1caf657326db22d61074b40a747c9d [log] [tgz]
author: Stefan Richter <stefanr@s5r6.in-berlin.de> Fri Jul 23 13:02:54 2010 +0200
committer: Stefan Richter <stefanr@s5r6.in-berlin.de> Fri Jul 23 13:36:28 2010 +0200
tree: 97eccc9b9941e71c471b5b3f32450c89f476093f
parent: cc550216ae9a2993ef3973464714dc1a39ab1f86 [diff] [blame]
diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
index 6f225ca..ca7ca56 100644
--- a/drivers/firewire/core-transaction.c
+++ b/drivers/firewire/core-transaction.c

@@ -543,8 +543,8 @@
 	int ret = -EBUSY;
 
 	if (region->start & 0xffff000000000003ULL ||
-	    region->end   & 0xffff000000000003ULL ||
 	    region->start >= region->end ||
+	    region->end   > 0x0001000000000000ULL ||
 	    handler->length & 3 ||
 	    handler->length == 0)
 		return -EINVAL;
commit	0c9ae701ae1caf657326db22d61074b40a747c9d	[log] [tgz]
author	Stefan Richter <stefanr@s5r6.in-berlin.de>	Fri Jul 23 13:02:54 2010 +0200
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>	Fri Jul 23 13:36:28 2010 +0200
tree	97eccc9b9941e71c471b5b3f32450c89f476093f
parent	cc550216ae9a2993ef3973464714dc1a39ab1f86 [diff] [blame]