linux/drivers/firewire/fw-cdev.c, branch v2.6.28Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v2.6.282008-10-15T20:21:10Zfirewire: fix ioctl() return code2008-10-15T20:21:10ZStefan Richterstefanr@s5r6.in-berlin.de2008-09-12T16:20:16Zurn:sha1:99692f71ee04c6f249d0bf6a581359f32f409a38
Reported by Jay Fenlason: ioctl() did not return as intended
- the size of data read into ioctl_send_request,
- the number of datagrams enqueued by ioctl_queue_iso.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: fix setting tag and sy in iso transmission2008-10-15T20:21:10ZStefan Richterstefanr@s5r6.in-berlin.de2008-09-12T16:09:55Zurn:sha1:7a1003449c693f0d57443c8786bbf19717921ae0
Reported by Jay Fenlason:
The iso packet control accessors in fw-cdev.c had bogus masks.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: Preserve response data alignment bug when it is harmless2008-08-02T18:03:49ZDavid Mooredcm@acm.org2008-07-30T06:46:25Zurn:sha1:8401d92ba46a1e859464cbd9c9ee304f6e361da3
Recently, a bug having to do with the alignment of transaction response
data was fixed. However, some apps such as libdc1394 relied on the
presence of that bug in order to function correctly. In order to stay
compatible with old versions of those apps, this patch preserves the bug
in cases where it is harmless to normal operation (such as the single
quadlet read) due to a simple duplication of data. This guarantees
maximum compatability for those users who are using the old app with the
fixed kernel.
Signed-off-by: David Moore <dcm@acm.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: queue the right number of data2008-07-20T13:25:03ZJiSheng Zhangjszhang3@mail.ustc.edu.cn2008-07-19T07:35:41Zurn:sha1:f9543d0ab6392a9a5bff0034622688dc10d9d225
There will be 4 padding bytes in struct fw_cdev_event_response on some platforms
The member:__u32 data will point to these padding bytes. While queue the
response and data in complete_transaction in fw-cdev.c, it will queue like this:
|response(excluding padding bytes)|4 padding bytes|4 padding bytes|data.
It queue 4 extra bytes. That is to say it use "&response + sizeof(response)"
while other place of kernel and userspace library use "&response + offsetof
(typeof(response), data)". So it will lost the last 4 bytes of data. This patch
can fix it while not changing the struct definition.
Signed-off-by: JiSheng Zhang <jszhang3@mail.ustc.edu.cn>
This fixes responses to outbound block read requests on 64bit architectures.
Tested on i686, x86-64, and x86-64 with i686 userland, using firecontrol and
gscanbus.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: fill_bus_reset_event needs lock protection2008-06-18T22:12:35ZStefan Richterstefanr@s5r6.in-berlin.de2008-06-06T20:11:30Zurn:sha1:5cb84067d646fa3889463129dad8b218806b4698
Callers of fill_bus_reset_event() have to take card->lock. Otherwise
access to node data may oops if node removal is in progress.
A lockless alternative would be
- event->local_node_id = card->local_node->node_id;
+ tmp = fw_node_get(card->local_node);
+ event->local_node_id = tmp->node_id;
+ fw_node_put(tmp);
and ditto with the other node pointers which fill_bus_reset_event()
accesses. But I went the locked route because one of the two callers
already holds the lock. As a bonus, we don't need the memory barrier
anymore because device->generation and device->node_id are written in
a card->lock protected section.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Kristian Høgsberg <krh@redhat.com>
firewire: prevent userspace from accessing shut down devices2008-05-20T16:24:17ZJay Fenlasonfenlason@redhat.com2008-05-16T15:15:23Zurn:sha1:551f4cb9de716ffcdaf968c99a450c22ff12e8c3
If userspace ignores the POLLERR bit from poll(), and only attempts to
read() the device when POLLIN is set, it can still make ioctl() calls on
a device that has been removed from the system. The node_id and
generation returned by GET_INFO will be outdated, but INITIATE_BUS_RESET
would still cause a bus reset, and GET_CYCLE_TIMER will return data.
And if you guess the correct generation to use, you can send requests to
a different device on the bus, and get responses back.
This patch prevents open, ioctl, compat_ioctl, and mmap against shutdown
devices.
Signed-off-by: Jay Fenlason <fenlason@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: reread config ROM when device reset the bus2008-04-18T15:55:36ZStefan Richterstefanr@s5r6.in-berlin.de2008-03-24T19:54:28Zurn:sha1:c9755e14a01987ada4063e8b4c50c2b6738d879e
When a device changes its configuration ROM, it announces this with a
bus reset. firewire-core has to check which node initiated a bus reset
and whether any unit directories went away or were added on this node.
Tested with an IOI FWB-IDE01AB which has its link-on bit set if bus
power is available but does not respond to ROM read requests if self
power is off. This implements
- recognition of the units if self power is switched on after fw-core
gave up the initial attempt to read the config ROM,
- shutdown of the units when self power is switched off.
Also tested with a second PC running Linux/ieee1394. When the eth1394
driver is inserted and removed on that node, fw-core now notices the
addition and removal of the IPv4 unit on the ieee1394 node.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: fix NULL pointer deref. and resource leak2008-02-21T18:05:56ZStefan Richterstefanr@s5r6.in-berlin.de2008-02-20T20:10:06Zurn:sha1:fae603121428ba83b7343c88e68a7144525ab3eb
By supplying ioctl()s in the wrong order, a userspace client was able to
trigger NULL pointer dereferences. Furthermore, by calling
ioctl_create_iso_context more than once, new contexts could be created
without ever freeing the previously created contexts.
Thanks to Anders Blomdell for the report.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: fix "kobject_add failed for fw* with -EEXIST"2008-02-16T14:40:33ZStefan Richterstefanr@s5r6.in-berlin.de2008-02-02T14:01:09Zurn:sha1:96b19062e741b715cf399312c30e0672d8889569
There is a race between shutdown and creation of devices: fw-core may
attempt to add a device with the same name of an already existing
device. http://bugzilla.kernel.org/show_bug.cgi?id=9828
Impact of the bug: Happens rarely (when shutdown of a device coincides
with creation of another), forces the user to unplug and replug the new
device to get it working.
The fix is obvious: Free the minor number *after* instead of *before*
device_unregister(). This requires to take an additional reference of
the fw_device as long as the IDR tree points to it.
And while we are at it, we fix an additional race condition:
fw_device_op_open() took its reference of the fw_device a little bit too
late, hence was in danger to access an already invalid fw_device.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: enforce access order between generation and node ID, fix "giving up on config rom"2008-01-30T21:22:27ZStefan Richterstefanr@s5r6.in-berlin.de2008-01-25T17:57:41Zurn:sha1:b5d2a5e04e6a26cb3f77af8cbc31e74c361d706c
fw_device.node_id and fw_device.generation are accessed without mutexes.
We have to ensure that all readers will get to see node_id updates
before generation updates.
Fixes an inability to recognize devices after "giving up on config rom",
https://bugzilla.redhat.com/show_bug.cgi?id=429950
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Reviewed by Nick Piggin <nickpiggin@yahoo.com.au>.
Verified to fix 'giving up on config rom' issues on multiple system and
drive combinations that were previously affected.
Signed-off-by: Jarod Wilson <jwilson@redhat.com>
Signed-off-by: Kristian Høgsberg <krh@redhat.com>