ieee1394: remove usage of skb_queue as packet queue
authorStefan Richter <stefanr@s5r6.in-berlin.de>
Sun, 25 Mar 2007 20:22:40 +0000 (22:22 +0200)
committerStefan Richter <stefanr@s5r6.in-berlin.de>
Sun, 29 Apr 2007 22:00:29 +0000 (00:00 +0200)
This considerably reduces the memory requirements for a packet and
eliminates ieee1394's dependency on CONFIG_NET.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
drivers/ieee1394/Kconfig
drivers/ieee1394/hosts.c
drivers/ieee1394/hosts.h
drivers/ieee1394/ieee1394_core.c
drivers/ieee1394/ieee1394_core.h
drivers/ieee1394/raw1394.c

index cd84a55ecf2020dfad052d88bfe9fabdad20a9ad..f8ff6b866e6e2aa5cb8169ba7c947448179d1de1 100644 (file)
@@ -5,7 +5,6 @@ menu "IEEE 1394 (FireWire) support"
 config IEEE1394
        tristate "IEEE 1394 (FireWire) support"
        depends on PCI || BROKEN
-       select NET
        help
          IEEE 1394 describes a high performance serial bus, which is also
          known as FireWire(tm) or i.Link(tm) and is used for connecting all
index 615ba62080131161ec1298ba529e06e3db1d216b..1bf4aa3e8d159a7de16cf8fdb860d85dc01003cd 100644 (file)
@@ -94,14 +94,6 @@ static int alloc_hostnum_cb(struct hpsb_host *host, void *__data)
        return 0;
 }
 
-/*
- * The pending_packet_queue is special in that it's processed
- * from hardirq context too (such as hpsb_bus_reset()). Hence
- * split the lock class from the usual networking skb-head
- * lock class by using a separate key for it:
- */
-static struct lock_class_key pending_packet_queue_key;
-
 static DEFINE_MUTEX(host_num_alloc);
 
 /**
@@ -137,9 +129,7 @@ struct hpsb_host *hpsb_alloc_host(struct hpsb_host_driver *drv, size_t extra,
        h->hostdata = h + 1;
        h->driver = drv;
 
-       skb_queue_head_init(&h->pending_packet_queue);
-       lockdep_set_class(&h->pending_packet_queue.lock,
-                          &pending_packet_queue_key);
+       INIT_LIST_HEAD(&h->pending_packets);
        INIT_LIST_HEAD(&h->addr_space);
 
        for (i = 2; i < 16; i++)
index 6b4e225079660618b89d7424dbb38bf802e715d1..feb55d032294f0559e17d655dbe20d501d311a47 100644 (file)
@@ -3,7 +3,6 @@
 
 #include <linux/device.h>
 #include <linux/list.h>
-#include <linux/skbuff.h>
 #include <linux/timer.h>
 #include <linux/types.h>
 #include <linux/workqueue.h>
@@ -25,8 +24,7 @@ struct hpsb_host {
 
        atomic_t generation;
 
-       struct sk_buff_head pending_packet_queue;
-
+       struct list_head pending_packets;
        struct timer_list timeout;
        unsigned long timeout_interval;
 
index 270885679df1716b79426f0498f6b557ee40ef42..d6e3d441f833b2b98180404fe4625f83f04749a8 100644 (file)
@@ -30,7 +30,6 @@
 #include <linux/moduleparam.h>
 #include <linux/bitops.h>
 #include <linux/kdev_t.h>
-#include <linux/skbuff.h>
 #include <linux/suspend.h>
 #include <linux/kthread.h>
 #include <linux/preempt.h>
@@ -103,6 +102,8 @@ static void queue_packet_complete(struct hpsb_packet *packet);
  *
  * Set the task that runs when a packet completes. You cannot call this more
  * than once on a single packet before it is sent.
+ *
+ * Typically, the complete @routine is responsible to call hpsb_free_packet().
  */
 void hpsb_set_packet_complete_task(struct hpsb_packet *packet,
                                   void (*routine)(void *), void *data)
@@ -115,12 +116,12 @@ void hpsb_set_packet_complete_task(struct hpsb_packet *packet,
 
 /**
  * hpsb_alloc_packet - allocate new packet structure
- * @data_size: size of the data block to be allocated
+ * @data_size: size of the data block to be allocated, in bytes
  *
  * This function allocates, initializes and returns a new &struct hpsb_packet.
- * It can be used in interrupt context.  A header block is always included, its
- * size is big enough to contain all possible 1394 headers.  The data block is
- * only allocated when @data_size is not zero.
+ * It can be used in interrupt context.  A header block is always included and
+ * initialized with zeros.  Its size is big enough to contain all possible 1394
+ * headers.  The data block is only allocated if @data_size is not zero.
  *
  * For packets for which responses will be received the @data_size has to be big
  * enough to contain the response's data block since no further allocation
@@ -135,50 +136,42 @@ void hpsb_set_packet_complete_task(struct hpsb_packet *packet,
  */
 struct hpsb_packet *hpsb_alloc_packet(size_t data_size)
 {
-       struct hpsb_packet *packet = NULL;
-       struct sk_buff *skb;
+       struct hpsb_packet *packet;
 
        data_size = ((data_size + 3) & ~3);
 
-       skb = alloc_skb(data_size + sizeof(*packet), GFP_ATOMIC);
-       if (skb == NULL)
+       packet = kzalloc(sizeof(*packet) + data_size, GFP_ATOMIC);
+       if (!packet)
                return NULL;
 
-       memset(skb->data, 0, data_size + sizeof(*packet));
-
-       packet = (struct hpsb_packet *)skb->data;
-       packet->skb = skb;
-
-       packet->header = packet->embedded_header;
        packet->state = hpsb_unused;
        packet->generation = -1;
        INIT_LIST_HEAD(&packet->driver_list);
+       INIT_LIST_HEAD(&packet->queue);
        atomic_set(&packet->refcnt, 1);
 
        if (data_size) {
-               packet->data = (quadlet_t *)(skb->data + sizeof(*packet));
-               packet->data_size = data_size;
+               packet->data = packet->embedded_data;
+               packet->allocated_data_size = data_size;
        }
-
        return packet;
 }
 
-
 /**
  * hpsb_free_packet - free packet and data associated with it
  * @packet: packet to free (is NULL safe)
  *
- * This function will free packet->data and finally the packet itself.
+ * Frees @packet->data only if it was allocated through hpsb_alloc_packet().
  */
 void hpsb_free_packet(struct hpsb_packet *packet)
 {
        if (packet && atomic_dec_and_test(&packet->refcnt)) {
-               BUG_ON(!list_empty(&packet->driver_list));
-               kfree_skb(packet->skb);
+               BUG_ON(!list_empty(&packet->driver_list) ||
+                      !list_empty(&packet->queue));
+               kfree(packet);
        }
 }
 
-
 /**
  * hpsb_reset_bus - initiate bus reset on the given host
  * @host: host controller whose bus to reset
@@ -494,6 +487,8 @@ void hpsb_selfid_complete(struct hpsb_host *host, int phyid, int isroot)
        highlevel_host_reset(host);
 }
 
+static spinlock_t pending_packets_lock = SPIN_LOCK_UNLOCKED;
+
 /**
  * hpsb_packet_sent - notify core of sending a packet
  *
@@ -509,24 +504,24 @@ void hpsb_packet_sent(struct hpsb_host *host, struct hpsb_packet *packet,
 {
        unsigned long flags;
 
-       spin_lock_irqsave(&host->pending_packet_queue.lock, flags);
+       spin_lock_irqsave(&pending_packets_lock, flags);
 
        packet->ack_code = ackcode;
 
        if (packet->no_waiter || packet->state == hpsb_complete) {
                /* if packet->no_waiter, must not have a tlabel allocated */
-               spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
+               spin_unlock_irqrestore(&pending_packets_lock, flags);
                hpsb_free_packet(packet);
                return;
        }
 
        atomic_dec(&packet->refcnt);    /* drop HC's reference */
-       /* here the packet must be on the host->pending_packet_queue */
+       /* here the packet must be on the host->pending_packetqueue */
 
        if (ackcode != ACK_PENDING || !packet->expect_response) {
                packet->state = hpsb_complete;
-               __skb_unlink(packet->skb, &host->pending_packet_queue);
-               spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
+               list_del_init(&packet->queue);
+               spin_unlock_irqrestore(&pending_packets_lock, flags);
                queue_packet_complete(packet);
                return;
        }
@@ -534,7 +529,7 @@ void hpsb_packet_sent(struct hpsb_host *host, struct hpsb_packet *packet,
        packet->state = hpsb_pending;
        packet->sendtime = jiffies;
 
-       spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
 
        mod_timer(&host->timeout, jiffies + host->timeout_interval);
 }
@@ -609,12 +604,16 @@ int hpsb_send_packet(struct hpsb_packet *packet)
        WARN_ON(packet->no_waiter && packet->expect_response);
 
        if (!packet->no_waiter || packet->expect_response) {
+               unsigned long flags;
+
                atomic_inc(&packet->refcnt);
                /* Set the initial "sendtime" to 10 seconds from now, to
                   prevent premature expiry.  If a packet takes more than
                   10 seconds to hit the wire, we have bigger problems :) */
                packet->sendtime = jiffies + 10 * HZ;
-               skb_queue_tail(&host->pending_packet_queue, packet->skb);
+               spin_lock_irqsave(&pending_packets_lock, flags);
+               list_add_tail(&packet->queue, &host->pending_packets);
+               spin_unlock_irqrestore(&pending_packets_lock, flags);
        }
 
        if (packet->node_id == host->node_id) {
@@ -690,86 +689,97 @@ static void send_packet_nocare(struct hpsb_packet *packet)
        }
 }
 
+static size_t packet_size_to_data_size(size_t packet_size, size_t header_size,
+                                      size_t buffer_size, int tcode)
+{
+       size_t ret = packet_size <= header_size ? 0 : packet_size - header_size;
+
+       if (unlikely(ret > buffer_size))
+               ret = buffer_size;
+
+       if (unlikely(ret + header_size != packet_size))
+               HPSB_ERR("unexpected packet size %d (tcode %d), bug?",
+                        packet_size, tcode);
+       return ret;
+}
 
 static void handle_packet_response(struct hpsb_host *host, int tcode,
                                   quadlet_t *data, size_t size)
 {
-       struct hpsb_packet *packet = NULL;
-       struct sk_buff *skb;
-       int tcode_match = 0;
-       int tlabel;
+       struct hpsb_packet *packet;
+       int tlabel = (data[0] >> 10) & 0x3f;
+       size_t header_size;
        unsigned long flags;
 
-       tlabel = (data[0] >> 10) & 0x3f;
-
-       spin_lock_irqsave(&host->pending_packet_queue.lock, flags);
-
-       skb_queue_walk(&host->pending_packet_queue, skb) {
-               packet = (struct hpsb_packet *)skb->data;
-               if ((packet->tlabel == tlabel)
-                   && (packet->node_id == (data[1] >> 16))){
-                       break;
-               }
+       spin_lock_irqsave(&pending_packets_lock, flags);
 
-               packet = NULL;
-       }
+       list_for_each_entry(packet, &host->pending_packets, queue)
+               if (packet->tlabel == tlabel &&
+                   packet->node_id == (data[1] >> 16))
+                       goto found;
 
-       if (packet == NULL) {
-               HPSB_DEBUG("unsolicited response packet received - no tlabel match");
-               dump_packet("contents", data, 16, -1);
-               spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
-               return;
-       }
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
+       HPSB_DEBUG("unsolicited response packet received - %s",
+                  "no tlabel match");
+       dump_packet("contents", data, 16, -1);
+       return;
 
+found:
        switch (packet->tcode) {
        case TCODE_WRITEQ:
        case TCODE_WRITEB:
-               if (tcode != TCODE_WRITE_RESPONSE)
+               if (unlikely(tcode != TCODE_WRITE_RESPONSE))
                        break;
-               tcode_match = 1;
-               memcpy(packet->header, data, 12);
-               break;
+               header_size = 12;
+               size = 0;
+               goto dequeue;
+
        case TCODE_READQ:
-               if (tcode != TCODE_READQ_RESPONSE)
+               if (unlikely(tcode != TCODE_READQ_RESPONSE))
                        break;
-               tcode_match = 1;
-               memcpy(packet->header, data, 16);
-               break;
+               header_size = 16;
+               size = 0;
+               goto dequeue;
+
        case TCODE_READB:
-               if (tcode != TCODE_READB_RESPONSE)
+               if (unlikely(tcode != TCODE_READB_RESPONSE))
                        break;
-               tcode_match = 1;
-               BUG_ON(packet->skb->len - sizeof(*packet) < size - 16);
-               memcpy(packet->header, data, 16);
-               memcpy(packet->data, data + 4, size - 16);
-               break;
+               header_size = 16;
+               size = packet_size_to_data_size(size, header_size,
+                                               packet->allocated_data_size,
+                                               tcode);
+               goto dequeue;
+
        case TCODE_LOCK_REQUEST:
-               if (tcode != TCODE_LOCK_RESPONSE)
+               if (unlikely(tcode != TCODE_LOCK_RESPONSE))
                        break;
-               tcode_match = 1;
-               size = min((size - 16), (size_t)8);
-               BUG_ON(packet->skb->len - sizeof(*packet) < size);
-               memcpy(packet->header, data, 16);
-               memcpy(packet->data, data + 4, size);
-               break;
+               header_size = 16;
+               size = packet_size_to_data_size(min(size, (size_t)(16 + 8)),
+                                               header_size,
+                                               packet->allocated_data_size,
+                                               tcode);
+               goto dequeue;
        }
 
-       if (!tcode_match) {
-               spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
-               HPSB_INFO("unsolicited response packet received - tcode mismatch");
-               dump_packet("contents", data, 16, -1);
-               return;
-       }
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
+       HPSB_DEBUG("unsolicited response packet received - %s",
+                  "tcode mismatch");
+       dump_packet("contents", data, 16, -1);
+       return;
 
-       __skb_unlink(skb, &host->pending_packet_queue);
+dequeue:
+       list_del_init(&packet->queue);
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
 
        if (packet->state == hpsb_queued) {
                packet->sendtime = jiffies;
                packet->ack_code = ACK_PENDING;
        }
-
        packet->state = hpsb_complete;
-       spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
+
+       memcpy(packet->header, data, header_size);
+       if (size)
+               memcpy(packet->data, data + 4, size);
 
        queue_packet_complete(packet);
 }
@@ -783,6 +793,7 @@ static struct hpsb_packet *create_reply_packet(struct hpsb_host *host,
        p = hpsb_alloc_packet(dsize);
        if (unlikely(p == NULL)) {
                /* FIXME - send data_error response */
+               HPSB_ERR("out of memory, cannot send response packet");
                return NULL;
        }
 
@@ -832,7 +843,6 @@ static void fill_async_readblock_resp(struct hpsb_packet *packet, int rcode,
 static void fill_async_write_resp(struct hpsb_packet *packet, int rcode)
 {
        PREP_ASYNC_HEAD_RCODE(TCODE_WRITE_RESPONSE);
-       packet->header[2] = 0;
        packet->header_size = 12;
        packet->data_size = 0;
 }
@@ -1002,8 +1012,8 @@ void hpsb_packet_received(struct hpsb_host *host, quadlet_t *data, size_t size,
 {
        int tcode;
 
-       if (host->in_bus_reset) {
-               HPSB_INFO("received packet during reset; ignoring");
+       if (unlikely(host->in_bus_reset)) {
+               HPSB_DEBUG("received packet during reset; ignoring");
                return;
        }
 
@@ -1037,23 +1047,27 @@ void hpsb_packet_received(struct hpsb_host *host, quadlet_t *data, size_t size,
                break;
 
        default:
-               HPSB_NOTICE("received packet with bogus transaction code %d",
-                           tcode);
+               HPSB_DEBUG("received packet with bogus transaction code %d",
+                          tcode);
                break;
        }
 }
 
-
 static void abort_requests(struct hpsb_host *host)
 {
-       struct hpsb_packet *packet;
-       struct sk_buff *skb;
+       struct hpsb_packet *packet, *p;
+       struct list_head tmp;
+       unsigned long flags;
 
        host->driver->devctl(host, CANCEL_REQUESTS, 0);
 
-       while ((skb = skb_dequeue(&host->pending_packet_queue)) != NULL) {
-               packet = (struct hpsb_packet *)skb->data;
+       INIT_LIST_HEAD(&tmp);
+       spin_lock_irqsave(&pending_packets_lock, flags);
+       list_splice_init(&host->pending_packets, &tmp);
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
 
+       list_for_each_entry_safe(packet, p, &tmp, queue) {
+               list_del_init(&packet->queue);
                packet->state = hpsb_complete;
                packet->ack_code = ACKX_ABORTED;
                queue_packet_complete(packet);
@@ -1063,87 +1077,90 @@ static void abort_requests(struct hpsb_host *host)
 void abort_timedouts(unsigned long __opaque)
 {
        struct hpsb_host *host = (struct hpsb_host *)__opaque;
-       unsigned long flags;
-       struct hpsb_packet *packet;
-       struct sk_buff *skb;
-       unsigned long expire;
+       struct hpsb_packet *packet, *p;
+       struct list_head tmp;
+       unsigned long flags, expire, j;
 
        spin_lock_irqsave(&host->csr.lock, flags);
        expire = host->csr.expire;
        spin_unlock_irqrestore(&host->csr.lock, flags);
 
-       /* Hold the lock around this, since we aren't dequeuing all
-        * packets, just ones we need. */
-       spin_lock_irqsave(&host->pending_packet_queue.lock, flags);
-
-       while (!skb_queue_empty(&host->pending_packet_queue)) {
-               skb = skb_peek(&host->pending_packet_queue);
+       j = jiffies;
+       INIT_LIST_HEAD(&tmp);
+       spin_lock_irqsave(&pending_packets_lock, flags);
 
-               packet = (struct hpsb_packet *)skb->data;
-
-               if (time_before(packet->sendtime + expire, jiffies)) {
-                       __skb_unlink(skb, &host->pending_packet_queue);
-                       packet->state = hpsb_complete;
-                       packet->ack_code = ACKX_TIMEOUT;
-                       queue_packet_complete(packet);
-               } else {
+       list_for_each_entry_safe(packet, p, &host->pending_packets, queue) {
+               if (time_before(packet->sendtime + expire, j))
+                       list_move_tail(&packet->queue, &tmp);
+               else
                        /* Since packets are added to the tail, the oldest
                         * ones are first, always. When we get to one that
                         * isn't timed out, the rest aren't either. */
                        break;
-               }
        }
+       if (!list_empty(&host->pending_packets))
+               mod_timer(&host->timeout, j + host->timeout_interval);
 
-       if (!skb_queue_empty(&host->pending_packet_queue))
-               mod_timer(&host->timeout, jiffies + host->timeout_interval);
+       spin_unlock_irqrestore(&pending_packets_lock, flags);
 
-       spin_unlock_irqrestore(&host->pending_packet_queue.lock, flags);
+       list_for_each_entry_safe(packet, p, &tmp, queue) {
+               list_del_init(&packet->queue);
+               packet->state = hpsb_complete;
+               packet->ack_code = ACKX_TIMEOUT;
+               queue_packet_complete(packet);
+       }
 }
 
-
-/* Kernel thread and vars, which handles packets that are completed. Only
- * packets that have a "complete" function are sent here. This way, the
- * completion is run out of kernel context, and doesn't block the rest of
- * the stack. */
 static struct task_struct *khpsbpkt_thread;
-static struct sk_buff_head hpsbpkt_queue;
+static LIST_HEAD(hpsbpkt_queue);
 
 static void queue_packet_complete(struct hpsb_packet *packet)
 {
+       unsigned long flags;
+
        if (packet->no_waiter) {
                hpsb_free_packet(packet);
                return;
        }
        if (packet->complete_routine != NULL) {
-               skb_queue_tail(&hpsbpkt_queue, packet->skb);
+               spin_lock_irqsave(&pending_packets_lock, flags);
+               list_add_tail(&packet->queue, &hpsbpkt_queue);
+               spin_unlock_irqrestore(&pending_packets_lock, flags);
                wake_up_process(khpsbpkt_thread);
        }
        return;
 }
 
+/*
+ * Kernel thread which handles packets that are completed.  This way the
+ * packet's "complete" function is asynchronously run in process context.
+ * Only packets which have a "complete" function may be sent here.
+ */
 static int hpsbpkt_thread(void *__hi)
 {
-       struct sk_buff *skb;
-       struct hpsb_packet *packet;
-       void (*complete_routine)(void*);
-       void *complete_data;
+       struct hpsb_packet *packet, *p;
+       struct list_head tmp;
+       int may_schedule;
 
        current->flags |= PF_NOFREEZE;
 
        while (!kthread_should_stop()) {
-               while ((skb = skb_dequeue(&hpsbpkt_queue)) != NULL) {
-                       packet = (struct hpsb_packet *)skb->data;
-
-                       complete_routine = packet->complete_routine;
-                       complete_data = packet->complete_data;
 
-                       packet->complete_routine = packet->complete_data = NULL;
+               INIT_LIST_HEAD(&tmp);
+               spin_lock_irq(&pending_packets_lock);
+               list_splice_init(&hpsbpkt_queue, &tmp);
+               spin_unlock_irq(&pending_packets_lock);
 
-                       complete_routine(complete_data);
+               list_for_each_entry_safe(packet, p, &tmp, queue) {
+                       list_del_init(&packet->queue);
+                       packet->complete_routine(packet->complete_data);
                }
 
                set_current_state(TASK_INTERRUPTIBLE);
-               if (!skb_peek(&hpsbpkt_queue))
+               spin_lock_irq(&pending_packets_lock);
+               may_schedule = list_empty(&hpsbpkt_queue);
+               spin_unlock_irq(&pending_packets_lock);
+               if (may_schedule)
                        schedule();
                __set_current_state(TASK_RUNNING);
        }
@@ -1154,8 +1171,6 @@ static int __init ieee1394_init(void)
 {
        int i, ret;
 
-       skb_queue_head_init(&hpsbpkt_queue);
-
        /* non-fatal error */
        if (hpsb_init_config_roms()) {
                HPSB_ERR("Failed to initialize some config rom entries.\n");
index 11b46d2db577f75883a0b60234211f9d32032878..ad526523d0ef85fa556beda8b8b63d2e01fab424 100644 (file)
@@ -4,7 +4,6 @@
 #include <linux/device.h>
 #include <linux/fs.h>
 #include <linux/list.h>
-#include <linux/skbuff.h>
 #include <linux/types.h>
 #include <asm/atomic.h>
 
@@ -13,7 +12,7 @@
 
 struct hpsb_packet {
        /* This struct is basically read-only for hosts with the exception of
-        * the data buffer contents and xnext - see below. */
+        * the data buffer contents and driver_list. */
 
        /* This can be used for host driver internal linking.
         *
@@ -49,35 +48,27 @@ struct hpsb_packet {
        /* Speed to transmit with: 0 = 100Mbps, 1 = 200Mbps, 2 = 400Mbps */
        unsigned speed_code:2;
 
-       /*
-        * *header and *data are guaranteed to be 32-bit DMAable and may be
-        * overwritten to allow in-place byte swapping.  Neither of these is
-        * CRCed (the sizes also don't include CRC), but contain space for at
-        * least one additional quadlet to allow in-place CRCing.  The memory is
-        * also guaranteed to be DMA mappable.
-        */
-       quadlet_t *header;
-       quadlet_t *data;
-       size_t header_size;
-       size_t data_size;
-
        struct hpsb_host *host;
        unsigned int generation;
 
        atomic_t refcnt;
+       struct list_head queue;
 
        /* Function (and possible data to pass to it) to call when this
         * packet is completed.  */
        void (*complete_routine)(void *);
        void *complete_data;
 
-       /* XXX This is just a hack at the moment */
-       struct sk_buff *skb;
-
        /* Store jiffies for implementing bus timeouts. */
        unsigned long sendtime;
 
-       quadlet_t embedded_header[5];
+       /* Sizes are in bytes. *data can be DMA-mapped. */
+       size_t allocated_data_size;     /* as allocated */
+       size_t data_size;               /* as filled in */
+       size_t header_size;             /* as filled in, not counting the CRC */
+       quadlet_t *data;
+       quadlet_t header[5];
+       quadlet_t embedded_data[0];     /* keep as last member */
 };
 
 void hpsb_set_packet_complete_task(struct hpsb_packet *packet,
index bb897a37d9f778cf2f64661c06069461d5d63fc5..c6aefd9ad0e836fff8ca4aab262e98347d7d91fd 100644 (file)
@@ -938,7 +938,8 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
        int header_length = req->req.misc & 0xffff;
        int expect_response = req->req.misc >> 16;
 
-       if ((header_length > req->req.length) || (header_length < 12)) {
+       if (header_length > req->req.length || header_length < 12 ||
+           header_length > FIELD_SIZEOF(struct hpsb_packet, header)) {
                req->req.error = RAW1394_ERROR_INVALID_ARG;
                req->req.length = 0;
                queue_complete_req(req);