10 Oct, 2012
1 commit
-
Fix two bugs of the /dev/fw* character device concerning the
FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
(Practically all /dev/fw* clients issue this ioctl right after opening
the device.)Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
without natural alignment and 40 with natural alignment.1) Memory corruption, affecting i386 userland on amd64 kernel:
Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
This has been first found and reported against libraw1394 if
compiled with gcc 4.7 which happens to order libraw1394's stack such
that the bug became visible as data corruption.2) Information leak, affecting all kernel architectures except i386:
4 bytes of random kernel stack data were leaked to userspace.Hence limit the respective copy_to_user() to the 32-bit aligned size of
struct fw_cdev_event_bus_reset.Reported-by: Simon Kirby
Signed-off-by: Stefan Richter
Cc: stable@kernel.org
28 Sep, 2012
2 commits
-
Follow up on commit c285f6ff6787 "firewire: remove global lock around
address handlers, convert to RCU":- address_handler_lock no longer serializes the address handler, only
its function to serialize updates to the list of handlers remains.
Rename the lock to address_handler_list_lock.- Callers of fw_core_remove_address_handler() must be able to sleep.
Comment on this in the API documentation.- The counterpart fw_core_add_address_handler() is by nature something
which is used in process context. Replace spin_lock_bh() by
spin_lock() in fw_core_add_address_handler() and in
fw_core_remove_address_handler(), and document that process context
is now required for fw_core_add_address_handler().- Extend the documentation of fw_address_callback_t.
Signed-off-by: Stefan Richter
-
Upper-layer handlers for inbound requests were called with a spinlock
held by firewire-core. Calling into upper layers with a lower layer
lock held is generally a bad idea.What's more, since commit ea102d0ec475 "firewire: core: convert AR-req
handler lock from _irqsave to _bh", a caller of fw_send_request() i.e.
initiator of outbound request could no longer do that while having
interrupts disabled, if the local node was addressed by that request.In order to make all this more flexible, convert the management of
address ranges and handlers from a global lock around readers and
writers to RCU (and a remaining global lock for writers). As a minor
side effect, handling of inbound requests at different cards and of
local requests is now no longer serialized. (There is still per-card
serialization of remote requests since firewire-ohci uses a single DMA
tasklet for inbound request events.)In other words, address handlers are now called in an RCU read-side
critical section instead of from within a spin_lock_bh serialized
section.(Changelog rewritten by Stefan R.)
Signed-off-by: Peter Hurley
Signed-off-by: Stefan Richter
25 Sep, 2012
2 commits
-
In case of a self constructed selfID packet this patch correctly
determines the information if the TSB41BA3D phy initiated a bus reset.Signed-off-by: Stephan Gatzka
Signed-off-by: Stefan Richter -
Send the GUIDs of newly registered controllers and devices
to the /dev/random driver to help seed its pools.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
31 Jul, 2012
1 commit
-
Pull firewire updates from Stefan Richter:
- Small fixes and optimizations.
- A new sysfs attribute to tell local and remote nodes apart.
Useful to set special permissions/ ownership of local nodes'
/dev/fw*, to start daemons on them (for diagnostics, management,
AV targets, VersaPHY initiator or targets...), to pick up their
GUID to use it as GUID of an SBP2 target instance, and of course
for informational purposes.* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
firewire: core: document is_local sysfs attribute
firewire: core: add is_local sysfs device attribute
firewire: ohci: initialize multiChanMode bits after reset
firewire: core: fix multichannel IR with buffers larger than 2 GB
firewire: ohci: sanity-check MMIO resource
firewire: ohci: lazy bus time initialization
firewire: core: allocate the low memory region
firewire: core: make address handler length 64 bits
30 Jun, 2012
1 commit
-
Making this information available in sysfs allows to differentiate
between controllers in the local and remote Linux PCs, and thus is
useful for servers that are started with udev rules.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
18 Jun, 2012
2 commits
-
OHCI 1.1 says:
| Since the value of this bit is undefined after reset in all IR
| contexts, software shall initialize this bit to zero in all contexts
| whether or not active to maintain the exclusive nature of this bit.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
With a 32-bit i, computing i<
Signed-off-by: Stefan Richter
05 Jun, 2012
1 commit
-
pci_request_region() does not fail on resources that have not been
allocated by the BIOS or by the kernel, so to avoid accessing
registers that are not there, we have to check for this explicitly.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
27 May, 2012
2 commits
-
The Bus_Time CSR is virtually never used, so we can avoid burning CPU in
interrupt context for 1 or 3 IsochronousCycleTimer accesses every minute
by not tracking the bus time until the CSR is actually accessed for the
first time.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
Prevent userspace applications from allocating low memory address
ranges. Otherwise, if some application happens to allocate such
a range and intends for a remote node to access it, and if that node
also implements SBP-2 (which will become more likely with the upcoming
SBP-2 target support), these accesses would be routed by the physical
DMA unit to some wrong memory address.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
25 May, 2012
1 commit
-
Pull IEEE 1394 (FireWire) subsystem updates from Stefan Richter:
- Fix mismatch between DMA mapping direction (was wrong) and DMA
synchronization direction (was correct) of isochronous reception
buffers of userspace drivers if vma-mapped for R/W access. For
example, libdc1394 was affected.- more consistent retry stategy in device discovery/ rediscovery, and
improved failure diagnostics- various small cleanups, e.g. use SCSI layer's DMA mapping API in
firewire-sbp2* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
firewire: sbp2: document the absence of alignment requirements
firewire: sbp2: remove superfluous blk_queue_max_segment_size() call
firewire: sbp2: use scsi_dma_(un)map
firewire: sbp2: give correct DMA device to scsi framework
firewire: core: fw_device_refresh(): clean up error handling
firewire: core: log config rom reading errors
firewire: core: log error in case of failed bus manager lock
firewire: move rcode_string() to core
firewire: core: improve reread_config_rom() interface
firewire: core: wait for inaccessible devices after bus reset
firewire: ohci: omit spinlock IRQ flags where possible
firewire: ohci: correct signedness of a local variable
firewire: core: fix DMA mapping direction
firewire: use module_pci_driver
22 May, 2012
4 commits
-
The SBP-2/3 specifications do not require any alignment of data
buffers; only their own data structures need to be quadlet-aligned
[SR: or octlet-aligned].Fix the comments to reflect this, but leave the actual alignment at
32 bits to avoid theoretical problems with target implementations
that might handle this incorrectly.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
The SCSI framework automatically initializes the block queue's segment
size with the DMA device's segment size.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
Use the scsi_dma_map/scsi_dma_unmap helper to simplify the code
a little.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
The sbp2 driver does DMA not on the unit but on the card device.
The driver worked even with the wrong device because at the moment, it
happens to reimplement the DMA functions of the SCSI framework.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
10 May, 2012
2 commits
-
When writing a firewire driver that doesn't deal with struct fw_device
objects (e.g. it only publishes FireWire units and doesn't subscribe to
them), you likely need to keep referenced to struct fw_card objects so
that you can send messages to other nodes. This patch moves
fw_card_put(), fw_card_get() and fw_card_release() into the public
include/linux/firewire.h header instead of drivers/firewire/core.h, and
adds EXPORT_SYMBOL_GPL(fw_card_release).The firewire-sbp-target module requires these so it can keep a reference
to the fw_card object in order that it can fetch ORBs to execute and
read/write related data and status information.Signed-off-by: Chris Boot
Acked-by: Stefan Richter
Cc: Clemens Ladisch
Signed-off-by: Nicholas Bellinger -
Sometimes it's useful to know the FireWire speed of the request that has
just come in to a fw_address_handler callback. As struct fw_request is
opaque we can't peek inside to get the speed out of the struct fw_packet
that's just inside. For example, the SBP-2 spec says:"The speed at which the block write request to the MANAGEMENT_AGENT
register is received shall determine the speed used by the target for
all subsequent requests to read the initiator’s configuration ROM, fetch
ORB’s from initiator memory or store status at the initiator’s
status_FIFO. Command block ORB’s separately specify the speed for
requests addressed to the data buffer or page table."[ ANSI T10/1155D Revision 4 page 53/54 ]
Signed-off-by: Chris Boot
Acked-by: Stefan Richter
Cc: Clemens Ladisch
Signed-off-by: Nicholas Bellinger
18 Apr, 2012
9 commits
-
In fw_device_init() and fw_device_refresh(), if a call to
read_cofig_rom() fails, the operation is retried a few times, with
these retries being controlled by the MAX_RETRIES and RETRY_DELAY
symbols.fw_device_refresh() also reads part of the config rom by calling
reread_config_rom(). Any errors from this call resulted in retries
with MAX_RETRIES/2 and RETRY_DELAY/2.There is no reason to require that a device that has initiated a bus
reset must react faster to read requests than a device that has just
been plugged in. Furthermore, if the config rom has changed, any
errors from the following read_config_rom() call are then handled
with the normal retry count and delay.Remove this inconsistency by always using the normal retry count and
delay. (This also makes the two error handlers identical and allows
merging them.)Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
If reading or refreshing a config rom fails, also log the actual error
that caused it to fail.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
If the lock access to the bus manager register fails, also log the
actual error that caused it to fail.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
There is nothing audio-specific about the rcode_string() helper, so move
it from snd-firewire-lib into firewire-core to allow other code to use it.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter (fixed sound/firewire/cmp.c) -
The return value of reread_config_rom() was a mixture of two pieces of
information: whether the function succeeded, and whether the config rom
had changed.To clarify the semantics, and to allow returning the actual error code,
split the second information into a new output parameter.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
When reread_config_rom() encountered a config rom that was marked as not
yet accessible, that device would be treated as "gone". This would mean
that that device would effectively vanish until the next bus reset.The correct way to handle this situation is the same as in
read_config_rom(), to treat this like other errors and to retry the read
later, when the (possibly changed) config rom is available. The device
is marked "gone" only if it continues to return zero values after these
retries.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
bus_reset_work() is only called from workqueue thread context.
ohci_set_config_rom() and ohci_allocate_iso_context() perform GFP_KERNEL
memory allocations, therefore they must be called with interrupts
enabled.Hence these functions may disable and enable local IRQs without having
to track IRQ state.Signed-off-by: Stefan Richter
-
bus_reset_work's reg is a bitfield.
Signed-off-by: Stefan Richter
-
Seen with recent libdc1394: If a client mmap()s the buffer of an
isochronous reception buffer with PROT_READ|PROT_WRITE instead of just
PROT_READ, firewire-core sets the wrong DMA mapping direction during
buffer initialization.The fix is to split fw_iso_buffer_init() into allocation and DMA mapping
and to perform the latter after both buffer and DMA context were
allocated. Buffer allocation and context allocation may happen in any
order, but we need the context type (reception or transmission) in order
to set the DMA direction of the buffer.Signed-off-by: Stefan Richter
09 Apr, 2012
1 commit
-
This patch converts the drivers in drivers/firewire/* to use module_pci_driver()
macro which makes the code smaller and a bit simpler.Signed-off-by: Axel Lin
Signed-off-by: Stefan Richter
29 Mar, 2012
1 commit
-
Remove all #inclusions of asm/system.h preparatory to splitting and killing
it. Performed with the following command:perl -p -i -e 's!^#\s*include\s*.*\n!!' `grep -Irl '^#\s*include\s*' *`
Signed-off-by: David Howells
23 Mar, 2012
1 commit
-
Pull IEEE 1394 (FireWire) subsystem updates post v3.3 from Stefan Richter:
- Some SBP-2 initiator fixes, side product from ongoing work on a target.
- Reintroduction of an isochronous I/O feature of the older ieee1394 driver
stack (flush buffer completions); it was evidently rarely used but not
actually unused. Matching libraw1394 code is already available.- Be sure to prefix all kernel log messages with device name or card name,
and other logging related cleanups.- Misc other small cleanups, among them a small API change that affects
sound/firewire/ too. Clemens Ladisch is aware of it.* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: (26 commits)
firewire: allow explicit flushing of iso packet completions
firewire: prevent dropping of completed iso packet header data
firewire: ohci: factor out iso completion flushing code
firewire: ohci: simplify iso header pointer arithmetic
firewire: ohci: optimize control bit checks
firewire: ohci: remove unused excess_bytes field
firewire: ohci: copy_iso_headers(): make comment match the code
firewire: cdev: fix IR multichannel event documentation
firewire: ohci: fix too-early completion of IR multichannel buffers
firewire: ohci: move runtime debug facility out of #ifdef
firewire: tone down some diagnostic log messages
firewire: sbp2: replace a GFP_ATOMIC allocation
firewire: sbp2: Fix SCSI sense data mangling
firewire: sbp2: Ignore SBP-2 targets on the local node
firewire: sbp2: Take into account Unit_Unique_ID
firewire: nosy: Use the macro DMA_BIT_MASK().
firewire: core: convert AR-req handler lock from _irqsave to _bh
firewire: core: fix race at address_handler unregistration
firewire: core: remove obsolete comment
firewire: core: prefix log messages with card name
...
19 Mar, 2012
7 commits
-
Extend the kernel and userspace APIs to allow reporting all currently
completed isochronous packets, even if the next interrupt packet has not
yet been reached. This is required to determine the status of the
packets at the end of a paused or stopped stream, and useful for more
precise synchronization of audio streams.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
The buffer for the header data of completed iso packets has a fixed
size, so it is possible to configure a stream with a big interval
between interrupt packets or with big headers so that this buffer would
overflow. Previously, ohci.c would drop any data that would not fit,
but this could make unsuspecting applications believe that fewer than
the actual number of packets have completed.Instead of dropping data, add calls to flush_iso_completion() so that
there are as many events as needed to report all of the data.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
In preparation for the following patches that add more flushing, move
the code for flushing accumulated header data into a common function.
The timestamp of the last completed packed is passed through the context
structure instead of a function parameter to allow accessing this value
later outside of the handle_i?_packet functions.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
When storing the header data of completed iso packets, we effectively
treat the buffers as arrays of quadlets. Actually declaring the
pointers as u32* avoids repetitive pointer arithmetic, removes the
unhelpfully named "i" variables, and thus makes the code clearer.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
Doing the endian conversion on the constant instead of the memory
field allows the compiler to do the conversion at compile time.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
Commit 6498ba04aee6 (remove unused dualbuffer IR code) overlooked
a field in struct iso_context.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter -
The comment incorrectly talked about one little-endian quadlet, while
there are actually two. Furthermore, the endianness of the remaining
headers depends on whatever protocol is used, so don't mention them.Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
17 Mar, 2012
1 commit
-
handle_ir_buffer_fill() assumed that a completed descriptor would be
indicated by a non-zero transfer_status (as in most other descriptors).
However, this field is written by the controller as soon as (the end of)
the first packet has been written into the buffer. As a consequence, if
we happen to run into such a descriptor when the interrupt handler is
executed after such a packet has completed, the descriptor would be
taken out of the list of active descriptors as soon as the buffer had
been partially filled, so the event for the buffer being completely
filled would never be sent.To fix this, handle descriptors only when they have been completely
filled, i.e., when res_count == 0. (This also matches the condition
that is reported by the controller with an interrupt.)Signed-off-by: Clemens Ladisch
Cc: 2.6.36+
Signed-off-by: Stefan Richter
11 Mar, 2012
1 commit
-
CONFIG_FIREWIRE_OHCI_DEBUG could have been exposed to kernel tweakers
if CONFIG_EXPERT was set. But in hindsight, this stuff is far too
useful to omit it. So get rid of two #else branches that are only
going to bitrot otherwise.Signed-off-by: Stefan Richter