Linux kernel source tree https://git.amat.us/linux/atom/drivers/firewire?h=v3.4.55 2013-03-03T22:06:41Z 2013-03-03T22:06:41Z Tejun Heo tj@kernel.org 2013-02-28T01:04:04Z urn:sha1:ef7a6c344031cd99e16a116a7984d9428dce8401 commit 3bec60d511179853138836ae6e1b61fe34d9235f upstream. fw_device_init() didn't check whether the allocated minor number isn't too large. Fail if it goes overflows MINORBITS. Signed-off-by: Tejun Heo <tj@kernel.org> Suggested-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-01-17T16:50:43Z Stephan Gatzka stephan.gatzka@gmail.com 2012-11-28T19:04:32Z urn:sha1:2d2b65eeb598b687403aa0f06d4d7da97661958a commit 9d2373420900a39f5212a3b289331aa3535b1000 upstream. This patch fixes both the transmit and receive portion of sending fragmented mutlicast and broadcast packets. The transmit section was broken because the offset for INTFRAG and LASTFRAG packets were just miscalculated by IEEE1394_GASP_HDR_SIZE (which was reserved with skb_push() in fwnet_send_packet). The receive section was broken because in fwnet_incoming_packet is a call to fwnet_peer_find_by_node_id(). Called with generation == -1 it will not find a peer and the partial datagrams are associated to a peer. [Stefan R: The fix to use context->card->generation is not perfect. It relies on the IR tasklet which processes packets from the prior bus generation to run before the self-ID-complete worklet which sets the current card generation. Alas, there is no simple way of a race-free implementation. Let's do it this way for now.] Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-10-21T16:27:58Z Stefan Richter stefanr@s5r6.in-berlin.de 2012-10-06T12:12:56Z urn:sha1:0bd1ed9ead1a2b7fc1534bff04729c3712a6fb25 commit 790198f74c9d1b46b6a89504361b1a844670d050 upstream. Fix two bugs of the /dev/fw* character device concerning the FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset. (Practically all /dev/fw* clients issue this ioctl right after opening the device.) Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36 without natural alignment and 40 with natural alignment. 1) Memory corruption, affecting i386 userland on amd64 kernel: Userland reserves a 36 bytes large buffer, kernel writes 40 bytes. This has been first found and reported against libraw1394 if compiled with gcc 4.7 which happens to order libraw1394's stack such that the bug became visible as data corruption. 2) Information leak, affecting all kernel architectures except i386: 4 bytes of random kernel stack data were leaked to userspace. Hence limit the respective copy_to_user() to the 32-bit aligned size of struct fw_cdev_event_bus_reset. Reported-by: Simon Kirby <sim@hostway.ca> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-03-28T17:30:03Z David Howells dhowells@redhat.com 2012-03-28T17:30:03Z urn:sha1:9ffc93f203c18a70623f21950f1dd473c9ec48cd Remove all #inclusions of asm/system.h preparatory to splitting and killing it. Performed with the following command: perl -p -i -e 's!^#\s*include\s*<asm/system[.]h>.*\n!!' `grep -Irl '^#\s*include\s*<asm/system[.]h>' *` Signed-off-by: David Howells <dhowells@redhat.com> 2012-03-23T03:31:15Z Linus Torvalds torvalds@linux-foundation.org 2012-03-23T03:31:15Z urn:sha1:34699403e9916060af8ae23f5e4705a6c078e79d Pull IEEE 1394 (FireWire) subsystem updates post v3.3 from Stefan Richter: - Some SBP-2 initiator fixes, side product from ongoing work on a target. - Reintroduction of an isochronous I/O feature of the older ieee1394 driver stack (flush buffer completions); it was evidently rarely used but not actually unused. Matching libraw1394 code is already available. - Be sure to prefix all kernel log messages with device name or card name, and other logging related cleanups. - Misc other small cleanups, among them a small API change that affects sound/firewire/ too. Clemens Ladisch is aware of it. * tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: (26 commits) firewire: allow explicit flushing of iso packet completions firewire: prevent dropping of completed iso packet header data firewire: ohci: factor out iso completion flushing code firewire: ohci: simplify iso header pointer arithmetic firewire: ohci: optimize control bit checks firewire: ohci: remove unused excess_bytes field firewire: ohci: copy_iso_headers(): make comment match the code firewire: cdev: fix IR multichannel event documentation firewire: ohci: fix too-early completion of IR multichannel buffers firewire: ohci: move runtime debug facility out of #ifdef firewire: tone down some diagnostic log messages firewire: sbp2: replace a GFP_ATOMIC allocation firewire: sbp2: Fix SCSI sense data mangling firewire: sbp2: Ignore SBP-2 targets on the local node firewire: sbp2: Take into account Unit_Unique_ID firewire: nosy: Use the macro DMA_BIT_MASK(). firewire: core: convert AR-req handler lock from _irqsave to _bh firewire: core: fix race at address_handler unregistration firewire: core: remove obsolete comment firewire: core: prefix log messages with card name ... 2012-03-18T21:15:39Z Clemens Ladisch clemens@ladisch.de 2012-03-18T18:06:39Z urn:sha1:d1bbd20972936b9b178fda3eb1ec417cb27fdc01 Extend the kernel and userspace APIs to allow reporting all currently completed isochronous packets, even if the next interrupt packet has not yet been reached. This is required to determine the status of the packets at the end of a paused or stopped stream, and useful for more precise synchronization of audio streams. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 2012-03-18T21:15:39Z Clemens Ladisch clemens@ladisch.de 2012-03-18T18:05:29Z urn:sha1:18d627113b830cda80792e96b28341bcd41cf40c The buffer for the header data of completed iso packets has a fixed size, so it is possible to configure a stream with a big interval between interrupt packets or with big headers so that this buffer would overflow. Previously, ohci.c would drop any data that would not fit, but this could make unsuspecting applications believe that fewer than the actual number of packets have completed. Instead of dropping data, add calls to flush_iso_completion() so that there are as many events as needed to report all of the data. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 2012-03-18T21:15:39Z Clemens Ladisch clemens@ladisch.de 2012-03-18T18:04:43Z urn:sha1:910e76c607546ead218de8b11c32597d6b8fe7e4 In preparation for the following patches that add more flushing, move the code for flushing accumulated header data into a common function. The timestamp of the last completed packed is passed through the context structure instead of a function parameter to allow accessing this value later outside of the handle_i?_packet functions. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 2012-03-18T21:15:38Z Clemens Ladisch clemens@ladisch.de 2012-03-18T18:04:05Z urn:sha1:73864012f386ca5a193f3231c9b1936e23709a94 When storing the header data of completed iso packets, we effectively treat the buffers as arrays of quadlets. Actually declaring the pointers as u32* avoids repetitive pointer arithmetic, removes the unhelpfully named "i" variables, and thus makes the code clearer. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 2012-03-18T21:15:38Z Clemens Ladisch clemens@ladisch.de 2012-03-18T18:03:26Z urn:sha1:90fcc8987390bffd79c6fd16aa59cc6ef549efcb Doing the endian conversion on the constant instead of the memory field allows the compiler to do the conversion at compile time. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>