On Thu, 2013-03-14 at 06:31 +0000, Berg, Johannes wrote:
> > > > /* and copy the data that needs to be copied */
> > > > cmd_pos = offsetof(struct iwl_device_cmd, payload);
> > > > + copy_size = sizeof(out_cmd->hdr);
> > > > for (i = 0; i < IWL_MAX_CMD_TFDS; i++) {
> > > > - if (!cmd->len[i])
> > > > + int copy = 0;
> > > > +
> > > > + if (!cmd->len)
> > > > continue;
> > >
> > > cmd->len is an array, so the new condition is always false. Shouldn't
> > > it be 'if (!cmdlen[i])'?
> >
> > To answer myself: no, it should still be 'if (!cmd->len[i])' as this loop needs to
> > include input fragments that will be completely copied into the header
> > fragment.
>
> Ick, good catch. It luckily doesn't matter as if cmd->len[i] is 0 (in
> which case we'd continue) the "if (copy)" below saves us in all the
> different code paths inside the loop. This is still clearly a mistake
> in the patch though.
>
> I will fix this upstream, I guess you'll want to wait for that for
> stable? I'll Cc:stable that patch as well.
I agree with your analysis that this is actually harmless, so no
objections to including the patch in stable as it is.
Ben.
--
Ben Hutchings
Humans are not rational beings; they are rationalising beings.
Attachment:
signature.asc
Description: This is a digitally signed message part