Commit Graph

775 Commits

Author SHA1 Message Date
Stefan Richter
790198f74c firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel)
Fix two bugs of the /dev/fw* character device concerning the
FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
(Practically all /dev/fw* clients issue this ioctl right after opening
the device.)

Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
without natural alignment and 40 with natural alignment.

 1) Memory corruption, affecting i386 userland on amd64 kernel:
    Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
    This has been first found and reported against libraw1394 if
    compiled with gcc 4.7 which happens to order libraw1394's stack such
    that the bug became visible as data corruption.

 2) Information leak, affecting all kernel architectures except i386:
    4 bytes of random kernel stack data were leaked to userspace.

Hence limit the respective copy_to_user() to the 32-bit aligned size of
struct fw_cdev_event_bus_reset.

Reported-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: stable@kernel.org
2012-10-09 18:26:28 +02:00
Stefan Richter
4d50c44381 firewire: addendum to address handler RCU conversion
Follow up on commit c285f6ff6787 "firewire: remove global lock around
address handlers, convert to RCU":

  - address_handler_lock no longer serializes the address handler, only
    its function to serialize updates to the list of handlers remains.
    Rename the lock to address_handler_list_lock.

  - Callers of fw_core_remove_address_handler() must be able to sleep.
    Comment on this in the API documentation.

  - The counterpart fw_core_add_address_handler() is by nature something
    which is used in process context.  Replace spin_lock_bh() by
    spin_lock() in fw_core_add_address_handler() and in
    fw_core_remove_address_handler(), and document that process context
    is now required for fw_core_add_address_handler().

  - Extend the documentation of fw_address_callback_t.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-09-28 11:47:42 +02:00
Peter Hurley
35202f7d84 firewire: remove global lock around address handlers, convert to RCU
Upper-layer handlers for inbound requests were called with a spinlock
held by firewire-core.  Calling into upper layers with a lower layer
lock held is generally a bad idea.

What's more, since commit ea102d0ec4 "firewire: core: convert AR-req
handler lock from _irqsave to _bh", a caller of fw_send_request() i.e.
initiator of outbound request could no longer do that while having
interrupts disabled, if the local node was addressed by that request.

In order to make all this more flexible, convert the management of
address ranges and handlers from a global lock around readers and
writers to RCU (and a remaining global lock for writers).  As a minor
side effect, handling of inbound requests at different cards and of
local requests is now no longer serialized.  (There is still per-card
serialization of remote requests since firewire-ohci uses a single DMA
tasklet for inbound request events.)

In other words, address handlers are now called in an RCU read-side
critical section instead of from within a spin_lock_bh serialized
section.

(Changelog rewritten by Stefan R.)

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-09-28 11:47:41 +02:00
Stephan Gatzka
52439d605d firewire: ohci: get IR bit from TSB41BA3D phy
In case of a self constructed selfID packet this patch correctly
determines the information if the TSB41BA3D phy initiated a bus reset.

Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-09-25 16:18:17 +02:00
Clemens Ladisch
badfcb2489 firewire: core: feed /dev/random with devices' GUIDs
Send the GUIDs of newly registered controllers and devices
to the /dev/random driver to help seed its pools.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-09-25 16:18:17 +02:00
Linus Torvalds
148b729b9f Merge tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
Pull firewire updates from Stefan Richter:

 - Small fixes and optimizations.

 - A new sysfs attribute to tell local and remote nodes apart.
   Useful to set special permissions/ ownership of local nodes'
   /dev/fw*, to start daemons on them (for diagnostics, management,
   AV targets, VersaPHY initiator or targets...), to pick up their
   GUID to use it as GUID of an SBP2 target instance, and of course
   for informational purposes.

* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: core: document is_local sysfs attribute
  firewire: core: add is_local sysfs device attribute
  firewire: ohci: initialize multiChanMode bits after reset
  firewire: core: fix multichannel IR with buffers larger than 2 GB
  firewire: ohci: sanity-check MMIO resource
  firewire: ohci: lazy bus time initialization
  firewire: core: allocate the low memory region
  firewire: core: make address handler length 64 bits
2012-07-30 09:32:39 -07:00
Clemens Ladisch
baedee177e firewire: core: add is_local sysfs device attribute
Making this information available in sysfs makes it possible to
differentiate between controllers in the local and remote Linux PCs, and
thus is useful for servers that are started with udev rules.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-06-30 10:49:06 +02:00
Clemens Ladisch
e18907cc8a firewire: ohci: initialize multiChanMode bits after reset
OHCI 1.1 says:
| Since the value of this bit is undefined after reset in all IR
| contexts, software shall initialize this bit to zero in all contexts
| whether or not active to maintain the exclusive nature of this bit.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-06-17 19:35:26 +02:00
Clemens Ladisch
9d23f9e946 firewire: core: fix multichannel IR with buffers larger than 2 GB
With a 32-bit i, computing i<<PAGE_SHIFT might result in
an overflow and in an eventual sign-extension.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-06-17 19:35:26 +02:00
Clemens Ladisch
7baab9acfb firewire: ohci: sanity-check MMIO resource
pci_request_region() does not fail on resources that have not been
allocated by the BIOS or by the kernel, so to avoid accessing
registers that are not there, we have to check for this explicitly.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-06-05 00:57:37 +02:00
Clemens Ladisch
9d60ef2bd8 firewire: ohci: lazy bus time initialization
The Bus_Time CSR is virtually never used, so we can avoid burning CPU in
interrupt context for 1 or 3 IsochronousCycleTimer accesses every minute
by not tracking the bus time until the CSR is actually accessed for the
first time.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-27 12:31:11 +02:00
Clemens Ladisch
f07d42ac7f firewire: core: allocate the low memory region
Prevent userspace applications from allocating low memory address
ranges.  Otherwise, if some application happens to allocate such
a range and intends for a remote node to access it, and if that node
also implements SBP-2 (which will become more likely with the upcoming
SBP-2 target support), these accesses would be routed by the physical
DMA unit to some wrong memory address.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-27 12:31:11 +02:00
Linus Torvalds
2f78d8e249 Merge tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
Pull IEEE 1394 (FireWire) subsystem updates from Stefan Richter:

 - Fix mismatch between DMA mapping direction (was wrong) and DMA
   synchronization direction (was correct) of isochronous reception
   buffers of userspace drivers if vma-mapped for R/W access.  For
   example, libdc1394 was affected.

 - more consistent retry strategy in device discovery/ rediscovery, and
   improved failure diagnostics

 - various small cleanups, e.g. use SCSI layer's DMA mapping API in
   firewire-sbp2

* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: sbp2: document the absence of alignment requirements
  firewire: sbp2: remove superfluous blk_queue_max_segment_size() call
  firewire: sbp2: use scsi_dma_(un)map
  firewire: sbp2: give correct DMA device to scsi framework
  firewire: core: fw_device_refresh(): clean up error handling
  firewire: core: log config rom reading errors
  firewire: core: log error in case of failed bus manager lock
  firewire: move rcode_string() to core
  firewire: core: improve reread_config_rom() interface
  firewire: core: wait for inaccessible devices after bus reset
  firewire: ohci: omit spinlock IRQ flags where possible
  firewire: ohci: correct signedness of a local variable
  firewire: core: fix DMA mapping direction
  firewire: use module_pci_driver
2012-05-24 12:57:47 -07:00
Clemens Ladisch
26c72e22c9 firewire: sbp2: document the absence of alignment requirements
The SBP-2/3 specifications do not require any alignment of data
buffers; only their own data structures need to be quadlet-aligned
[SR: or octlet-aligned].

Fix the comments to reflect this, but leave the actual alignment at
32 bits to avoid theoretical problems with target implementations
that might handle this incorrectly.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-21 21:49:44 +02:00
Clemens Ladisch
935f672e02 firewire: sbp2: remove superfluous blk_queue_max_segment_size() call
The SCSI framework automatically initializes the block queue's segment
size with the DMA device's segment size.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-21 21:42:51 +02:00
Clemens Ladisch
f203022353 firewire: sbp2: use scsi_dma_(un)map
Use the scsi_dma_map/scsi_dma_unmap helper to simplify the code
a little.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-21 21:42:51 +02:00
Clemens Ladisch
473ffe6560 firewire: sbp2: give correct DMA device to scsi framework
The sbp2 driver does DMA not on the unit but on the card device.

The driver worked even with the wrong device because at the moment, it
happens to reimplement the DMA functions of the SCSI framework.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-05-21 21:42:51 +02:00
Chris Boot
fc5f80b152 firewire: Move fw_card kref functions into linux/firewire.h
When writing a firewire driver that doesn't deal with struct fw_device
objects (e.g. it only publishes FireWire units and doesn't subscribe to
them), you likely need to keep references to struct fw_card objects so
that you can send messages to other nodes. This patch moves
fw_card_put(), fw_card_get() and fw_card_release() into the public
include/linux/firewire.h header instead of drivers/firewire/core.h, and
adds EXPORT_SYMBOL_GPL(fw_card_release).

The firewire-sbp-target module requires these so it can keep a reference
to the fw_card object in order that it can fetch ORBs to execute and
read/write related data and status information.

Signed-off-by: Chris Boot <bootc@bootc.net>
Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-05-09 15:25:17 -07:00
Chris Boot
253d92371c firewire: Add function to get speed from opaque struct fw_request
Sometimes it's useful to know the FireWire speed of the request that has
just come in to a fw_address_handler callback. As struct fw_request is
opaque we can't peek inside to get the speed out of the struct fw_packet
that's just inside. For example, the SBP-2 spec says:

"The speed at which the block write request to the MANAGEMENT_AGENT
register is received shall determine the speed used by the target for
all subsequent requests to read the initiator’s configuration ROM, fetch
ORB’s from initiator memory or store status at the initiator’s
status_FIFO. Command block ORB’s separately specify the speed for
requests addressed to the data buffer or page table."

[ ANSI T10/1155D Revision 4 page 53/54 ]

Signed-off-by: Chris Boot <bootc@bootc.net>
Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-05-09 15:25:17 -07:00
Clemens Ladisch
8527f8e293 firewire: core: fw_device_refresh(): clean up error handling
In fw_device_init() and fw_device_refresh(), if a call to
read_config_rom() fails, the operation is retried a few times, with
these retries being controlled by the MAX_RETRIES and RETRY_DELAY
symbols.

fw_device_refresh() also reads part of the config rom by calling
reread_config_rom().  Any errors from this call resulted in retries
with MAX_RETRIES/2 and RETRY_DELAY/2.

There is no reason to require that a device that has initiated a bus
reset must react faster to read requests than a device that has just
been plugged in.  Furthermore, if the config rom has changed, any
errors from the following read_config_rom() call are then handled
with the normal retry count and delay.

Remove this inconsistency by always using the normal retry count and
delay.  (This also makes the two error handlers identical and allows
merging them.)

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-04-17 22:57:10 +02:00
Clemens Ladisch
94fba9fbea firewire: core: log config rom reading errors
If reading or refreshing a config rom fails, also log the actual error
that caused it to fail.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-04-17 22:57:02 +02:00
Clemens Ladisch
3b00b00888 firewire: core: log error in case of failed bus manager lock
If the lock access to the bus manager register fails, also log the
actual error that caused it to fail.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-04-17 22:56:53 +02:00
Clemens Ladisch
7bdbff6762 firewire: move rcode_string() to core
There is nothing audio-specific about the rcode_string() helper, so move
it from snd-firewire-lib into firewire-core to allow other code to use it.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (fixed sound/firewire/cmp.c)
2012-04-17 22:54:55 +02:00
Clemens Ladisch
db7494e2ce firewire: core: improve reread_config_rom() interface
The return value of reread_config_rom() was a mixture of two pieces of
information: whether the function succeeded, and whether the config rom
had changed.

To clarify the semantics, and to allow returning the actual error code,
split the second information into a new output parameter.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-04-17 22:27:37 +02:00
Clemens Ladisch
d33ec3b55e firewire: core: wait for inaccessible devices after bus reset
When reread_config_rom() encountered a config rom that was marked as not
yet accessible, that device would be treated as "gone".  This would mean
that that device would effectively vanish until the next bus reset.

The correct way to handle this situation is the same as in
read_config_rom(), to treat this like other errors and to retry the read
later, when the (possibly changed) config rom is available.  The device
is marked "gone" only if it continues to return zero values after these
retries.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2012-04-17 22:27:37 +02:00