linux/drivers/firewire/fw-cdev.c, branch v2.6.26

firewire: fill_bus_reset_event needs lock protection

2008-06-18T22:12:35Z

Callers of fill_bus_reset_event() have to take card->lock. Otherwise access to node data may oops if node removal is in progress. A lockless alternative would be - event->local_node_id = card->local_node->node_id; + tmp = fw_node_get(card->local_node); + event->local_node_id = tmp->node_id; + fw_node_put(tmp); and ditto with the other node pointers which fill_bus_reset_event() accesses. But I went the locked route because one of the two callers already holds the lock. As a bonus, we don't need the memory barrier anymore because device->generation and device->node_id are written in a card->lock protected section. Signed-off-by: Stefan Richter Signed-off-by: Kristian Høgsberg

firewire: prevent userspace from accessing shut down devices

2008-05-20T16:24:17Z

If userspace ignores the POLLERR bit from poll(), and only attempts to read() the device when POLLIN is set, it can still make ioctl() calls on a device that has been removed from the system. The node_id and generation returned by GET_INFO will be outdated, but INITIATE_BUS_RESET would still cause a bus reset, and GET_CYCLE_TIMER will return data. And if you guess the correct generation to use, you can send requests to a different device on the bus, and get responses back. This patch prevents open, ioctl, compat_ioctl, and mmap against shutdown devices. Signed-off-by: Jay Fenlason Signed-off-by: Stefan Richter

firewire: reread config ROM when device reset the bus

2008-04-18T15:55:36Z

When a device changes its configuration ROM, it announces this with a bus reset. firewire-core has to check which node initiated a bus reset and whether any unit directories went away or were added on this node. Tested with an IOI FWB-IDE01AB which has its link-on bit set if bus power is available but does not respond to ROM read requests if self power is off. This implements - recognition of the units if self power is switched on after fw-core gave up the initial attempt to read the config ROM, - shutdown of the units when self power is switched off. Also tested with a second PC running Linux/ieee1394. When the eth1394 driver is inserted and removed on that node, fw-core now notices the addition and removal of the IPv4 unit on the ieee1394 node. Signed-off-by: Stefan Richter

firewire: fix NULL pointer deref. and resource leak

2008-02-21T18:05:56Z

By supplying ioctl()s in the wrong order, a userspace client was able to trigger NULL pointer dereferences. Furthermore, by calling ioctl_create_iso_context more than once, new contexts could be created without ever freeing the previously created contexts. Thanks to Anders Blomdell for the report. Signed-off-by: Stefan Richter

firewire: fix "kobject_add failed for fw* with -EEXIST"

2008-02-16T14:40:33Z

There is a race between shutdown and creation of devices: fw-core may attempt to add a device with the same name of an already existing device. http://bugzilla.kernel.org/show_bug.cgi?id=9828 Impact of the bug: Happens rarely (when shutdown of a device coincides with creation of another), forces the user to unplug and replug the new device to get it working. The fix is obvious: Free the minor number *after* instead of *before* device_unregister(). This requires to take an additional reference of the fw_device as long as the IDR tree points to it. And while we are at it, we fix an additional race condition: fw_device_op_open() took its reference of the fw_device a little bit too late, hence was in danger to access an already invalid fw_device. Signed-off-by: Stefan Richter

firewire: enforce access order between generation and node ID, fix "giving up on config rom"

2008-01-30T21:22:27Z

fw_device.node_id and fw_device.generation are accessed without mutexes. We have to ensure that all readers will get to see node_id updates before generation updates. Fixes an inability to recognize devices after "giving up on config rom", https://bugzilla.redhat.com/show_bug.cgi?id=429950 Signed-off-by: Stefan Richter Reviewed by Nick Piggin . Verified to fix 'giving up on config rom' issues on multiple system and drive combinations that were previously affected. Signed-off-by: Jarod Wilson Signed-off-by: Kristian Høgsberg

firewire: fw-cdev: use device generation, not card generation

2008-01-30T21:22:27Z

We have to use the fw_device.generation here, not the fw_card.generation, because the generation must never be newer than the node ID when we emit a transaction. This cannot be guaranteed with fw_card.generation. Signed-off-by: Stefan Richter Verified in concert with subsequent memory barriers patch to fix 'giving up on config rom' issues on multiple system and drive combinations that were previously affected. Signed-off-by: Jarod Wilson

firewire: fw-cdev: reorder wakeup vs. spinlock

2007-10-16T22:00:10Z

Signed-off-by: Jay Fenlason Prompted by https://bugzilla.redhat.com/show_bug.cgi?id=323411 Signed-off-by: Stefan Richter

firewire: adopt read cycle timer ABI from raw1394

2007-10-16T22:00:08Z

This duplicates the read cycle timer feature of raw1394 (added in Linux 2.6.21) in firewire-core's userspace ABI. The argument to the ioctl is reordered though to ensure 32/64 bit compatibility. Signed-off-by: Stefan Richter Signed-off-by: Kristian Høgsberg

firewire: fw-core: local variable shadows a global one

2007-10-16T22:00:01Z

Sparse warned about it although it was apparently harmless: drivers/firewire/fw-cdev.c:624:23: warning: symbol 'interrupt' shadows an earlier one include/asm/hw_irq.h:29:13: originally declared here Signed-off-by: Stefan Richter