aboutsummaryrefslogtreecommitdiff
path: root/drivers/firewire
AgeCommit message (Collapse)Author
2011-04-17firewire: ohci: fix race in AR split packet handlingClemens Ladisch
commit a1f805e5e73a8fe166b71c6592d3837df0cd5e2e upstream. When handling an AR buffer that has been completely filled, we assumed that its descriptor will not be read by the controller and can be overwritten. However, when the last received packet happens to end at the end of the buffer, the controller might not yet have moved on to the next buffer and might read the branch address later. If we overwrite and free the page before that, the DMA context will either go dead because of an invalid Z value, or go off into some random memory. To fix this, ensure that the descriptor does not get overwritten by using only the actual buffer instead of the entire page for reassembling the split packet. Furthermore, to avoid freeing the page too early, move on to the next buffer only when some data in it guarantees that the controller has moved on. This should eliminate the remaining firewire-net problems. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Tested-by: Maxim Levitsky <maximlevitsky@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2011-04-17firewire: ohci: fix buffer overflow in AR split packet handlingClemens Ladisch
commit 85f7ffd5d2b320f73912b15fe8cef34bae297daf upstream. When the controller had to split a received asynchronous packet into two buffers, the driver tries to reassemble it by copying both parts into the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet unhandled packets before the split packet, the split packet itself, and any received packets after the split packet are together larger than one page, then the memory after the first page would get overwritten. To fix this, do not try to copy the data of all unhandled packets at once, but copy the possibly needed data every time when handling a packet. This gets rid of most of the infamous crashes and data corruptions when using firewire-net. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Tested-by: Maxim Levitsky <maximlevitsky@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t) Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2010-07-05firewire: core: check for 1394a compliant IRM, fix inaccessibility of Sony ↵Stefan Richter
camcorder commit 10389536742cefbedecb67a5b2906f155cf3a1c3 upstream. Per IEEE 1394 clause 8.4.2.3, a contender for the IRM role shall check whether the current IRM complies to 1394a-2000 or later. If not force a compliant node (e.g. itself) to become IRM. This was implemented in the older ieee1394 driver but not yet in firewire-core. An older Sony camcorder (Sony DCR-TRV25) which implements 1394-1995 IRM but neither 1394a-2000 IRM nor BM was now found to cause an interoperability bug: - Camcorder becomes root node when plugged in, hence gets IRM role. - firewire-core successfully contends for BM role, proceeds to perform gap count optimization and resets the bus. - Sony camcorder ignores presence of a BM (against the spec, this is a firmware bug), performs its idea of gap count optimization and resets the bus. - Preceding two steps are repeated endlessly, bus never settles, regular I/O is practically impossible. http://thread.gmane.org/gmane.linux.kernel.firewire.user/3913 This is an interoperability regression from the old to the new drivers. Fix it indirectly by adding the 1394a IRM check. The spec suggests three and a half methods to determine 1394a compliance of a remote IRM; we choose the method of testing the Config_ROM.Bus_Info.generation field. This is data that firewire-core should have readily available at this point, i.e. does not require extra I/O. Reported-by: Clemens Ladisch <clemens@ladisch.de> (missing 1394a check) Reported-by: H. S. <hs.samix@gmail.com> (issue with Sony DCR-TRV25) Tested-by: H. S. <hs.samix@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-04-22Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: ohci: wait for local CSR lock access to finish firewire: ohci: prevent aliasing of locally handled register addresses firewire: core: fw_iso_resource_manage: return -EBUSY when out of resources firewire: core: fix retries calculation in iso manage_channel() firewire: cdev: fix cut+paste mistake in disclaimer
2010-04-19firewire: ohci: wait for local CSR lock access to finishClemens Ladisch
Add a loop to wait for the controller to finish a locally-initiated CSR lock operation. Google shows some occurrences of the "swap not done yet" message which might indicate that some OHCI controllers are not fast enough to do the lock/swap in the time needed for one PCI access. This also correctly handles the case where the lock operation did not finish, instead of silently returning an uninitialized value. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-19firewire: ohci: prevent aliasing of locally handled register addressesClemens Ladisch
We must compute the offset from the CSR register base with the full 48 address bits to prevent matching with addresses whose lower 32 bits happen to be equal with one of the specially handled registers. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-19firewire: core: fw_iso_resource_manage: return -EBUSY when out of resourcesClemens Ladisch
Returning -EIO for all errors would not allow clients to determine if the resource allocation process itself failed, or if the resources are not available. (The latter information is needed by CMP to synchronize restoring of overlayed connections after a bus reset.) Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-19firewire: core: fix retries calculation in iso manage_channel()Clemens Ladisch
If there is a permanent error condition when communicating with the IRM, after the sixth error, the retry variable will be decremented to -1. If, in this case, the bits in channels_mask are not yet exhausted, the next channel is retried 2^32 times. To fix this, check that retry is never decremented beyond zero. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-15Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: cdev: change license of exported header files to MIT license firewire: cdev: comment fixlet firewire: cdev: iso packet documentation firewire: cdev: fix information leak firewire: cdev: require quadlet-aligned headers for transmit packets firewire: cdev: disallow receive packets without header
2010-04-10firewire: cdev: fix information leakStefan Richter
A userspace client got to see uninitialized stack-allocated memory if it specified an _IOC_READ type of ioctl and an argument size larger than expected by firewire-core's ioctl handlers (but not larger than the core's union ioctl_arg). Fix this by clearing the requested buffer size to zero, but only at _IOR ioctls. This way, there is almost no runtime penalty to legitimate ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12 or 16 bytes to memset. [Another way to fix this would be strict checking of argument size (and possibly direction) vs. command number. However, we then need a lookup table, and we need to allow for slight size deviations in case of 32bit userland on 64bit kernel.] Reported-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-10firewire: cdev: require quadlet-aligned headers for transmit packetsClemens Ladisch
The definition of struct fw_cdev_iso_packet seems to imply that the header_length must be quadlet-aligned, and in fact, specifying an unaligned header has never really worked when using multiple packet structures, because the position of the next control word is computed by rounding the header_length _down_, so the last one to three bytes of the header would overlap the next control word. To avoid this problem, check that the header length is properly aligned. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-04-10firewire: cdev: disallow receive packets without headerClemens Ladisch
In receive contexts, reject packets with header_length==0. This would be an instruction to queue zero packets which would not make sense. This prevents a division by zero in the OHCI driver. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking ↵Tejun Heo
implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-26Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: core: align driver match with modalias firewire: core: fix Model_ID in modalias firewire: ohci: add cycle timer quirk for the TI TSB12LV22 firewire: core: fw_iso_resource_manage: fix error handling
2010-03-24firewire: core: align driver match with modaliasStefan Richter
The driver match strategy was: - Match vendor/model/specifier/version of the unit directory. - If that was a miss, match vendor from the root directory and model/specifier/version of the unit directory. This was inconsistent with how the modalias string was constructed until recently (take vendor/model from root directory and specifier/ version from unit directory). It was also inconsistent with how it is done since the parent commit: - Use vendor/model/specifier/version of the unit directory if possible, - fall back to one or more of vendor/model/specifier/version from the root directory depending on which ones are not present at the unit directory. Fix this inconsistency by sharing the ROM scanner function between modalias printer function and driver match function. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-03-24firewire: core: fix Model_ID in modaliasStefan Richter
The modalias string of devices that represent units on a FireWire node did not show Module_ID entries within unit directories. This was because firewire-core searched only the root directory of the configuration ROM for a Model_ID entry. We now search first the root directory, then the unit directory. IOW honor a unit directory's Model_ID if present, otherwise fall back to the root directory's model ID (if present). Furthermore, apply the same change to Vendor_ID. This had the same issue but it was less apparent because most devices provide Vendor_ID only in the root directory. And finally, also use this strategy for the remaining two IDs in the modalias, Specifier_ID and Version. It does not actually make sense to look for them elsewhere than in the unit directory because they are mandatory there. However, a uniform search order simplifies the implementation and has no adverse affect in practice. Side notes: - The older counterpart of this, nodemgr.c of ieee1394, looked for Vendor_ID first in the root directory, then in the unit directory, and for Model_ID only in the unit directory. - There is a single mainline driver which requires Vendor_ID and Model_ID --- the firedtv driver. This one worked because FireDTVs provide Vendor_ID in the root directory and Model_ID identically in root directory and unit directory. - Apart from firedtv, there are currently no drivers known to me (including userspace drivers) that look at the Vendor_ID or Model_ID of the modalias. Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-03-17firewire: ohci: add cycle timer quirk for the TI TSB12LV22Clemens Ladisch
Among the many entries in the TSB12LV22 errata list (TI literature number SLLS312) is the following: PCI Slave reads of the Cycle Timer register may occasionally get an incorrect value. Software may be able to validate value by reading the register multiple times rapidly and evaluating for a reasonable difference. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> (untested) Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (added #define)
2010-03-15firewire: core: fw_iso_resource_manage: fix error handlingClemens Ladisch
If the bandwidth allocation fails, the error must be returned in *channel regardless of whether the channel allocation succeeded. Checking for c >= 0 is not correct if no channel allocation was requested, in which case this part of the code is reached with c == -EINVAL. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-03-07Driver core: create lock/unlock functions for struct deviceGreg Kroah-Hartman
In the future, we are going to be changing the lock type for struct device (once we get the lockdep infrastructure properly worked out) To make that changeover easier, and to possibly burry the lock in a different part of struct device, let's create some functions to lock and unlock a device so that no out-of-core code needs to be changed in the future. This patch creates the device_lock/unlock/trylock() functions, and converts all in-tree users to them. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Jean Delvare <khali@linux-fr.org> Cc: Dave Young <hidave.darkstar@gmail.com> Cc: Ming Lei <tom.leiming@gmail.com> Cc: Jiri Kosina <jkosina@suse.cz> Cc: Phil Carmody <ext-phil.2.carmody@nokia.com> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Cornelia Huck <cornelia.huck@de.ibm.com> Cc: Rafael J. Wysocki <rjw@sisk.pl> Cc: Pavel Machek <pavel@ucw.cz> Cc: Len Brown <len.brown@intel.com> Cc: Magnus Damm <damm@igel.co.jp> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Randy Dunlap <randy.dunlap@oracle.com> Cc: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Vegard Nossum <vegard.nossum@gmail.com> Cc: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: Alex Chiang <achiang@hp.com> Cc: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andrew Patterson <andrew.patterson@hp.com> Cc: Yu Zhao <yu.zhao@intel.com> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: Wolfram Sang <w.sang@pengutronix.de> Cc: CHENG Renquan <rqcheng@smu.edu.sg> Cc: Oliver Neukum <oliver@neukum.org> Cc: Frans Pop <elendil@planet.nl> Cc: David Vrabel <david.vrabel@csr.com> Cc: Kay Sievers <kay.sievers@vrfy.org> Cc: Sarah Sharp <sarah.a.sharp@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-03Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: (23 commits) firewire: ohci: extend initialization log message firewire: ohci: fix IR/IT context mask mixup firewire: ohci: add module parameter to activate quirk fixes firewire: ohci: use an ID table for quirks detection firewire: ohci: reorder struct fw_ohci for better cache efficiency firewire: ohci: remove unused dualbuffer IR code firewire: core: combine a bit of repeated code firewire: core: change type of a data buffer firewire: cdev: increment ABI version number firewire: cdev: add more flexible cycle timer ioctl firewire: core: rename an internal function firewire: core: fix an information leak firewire: core: increase stack size of config ROM reader firewire: core: don't fail device creation in case of too large config ROM blocks firewire: core: fix "giving up on config rom" with Panasonic AG-DV2500 firewire: remove incomplete Bus_Time CSR support firewire: get_cycle_timer optimization and cleanup firewire: ohci: enable cycle timer fix on ALi and NEC controllers firewire: ohci: work around cycle timer bugs on VIA controllers firewire: make PCI device id constant ...
2010-02-26block: Rename blk_queue_max_sectors to blk_queue_max_hw_sectorsMartin K. Petersen
The block layer calling convention is blk_queue_<limit name>. blk_queue_max_sectors predates this practice, leading to some confusion. Rename the function to appropriately reflect that its intended use is to set max_hw_sectors. Also introduce a temporary wrapper for backwards compability. This can be removed after the merge window is closed. Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2010-02-24firewire: ohci: extend initialization log messageStefan Richter
by the number of available isochronous DMA contexts and active quirks which is occasionally useful information. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: ohci: fix IR/IT context mask mixupStefan Richter
This bug was present in firewire-ohci since day one: The number of available isochronous receive DMA contexts was mixed up with that of available isochronous transmit DMA contexts. This is harmless on a few chips which offer the same number of contexts in both directions, but most chips nowadays implement only the standard minimum of 4 IR contexts, but 8 IT contexts. If a user attempted to run a lot of IR contexts at once, results with more than four were therefore unpredictable. I suppose the controller would simply refuse to start DMA of any unimplemented context. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: ohci: add module parameter to activate quirk fixesStefan Richter
This way, we can advise users of precompiled kernel packages to test existing quirk fixes on chips which have not been listed yet, without them having to build a kernel from source. Note, to use this feature on a machine with more than one controller, steps like these are necessary: # lspci | grep 1394 # ls /sys/bus/pci/drivers/firewire_ohci/ # echo -n "0000:03:02.0" > /sys/bus/pci/drivers/firewire_ohci/unbind # echo 2 > /sys/module/firewire_ohci/parameters/quirks # echo -n "0000:03:02.0" > /sys/bus/pci/drivers/firewire_ohci/bind # echo 0 > /sys/module/firewire_ohci/parameters/quirks The parameter can also be used to switch off quirk flags that were hardwired into firewire-ohci's quirks table. Simply specify a non-zero quirks value but without any known flags, e.g. 0x100. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: ohci: use an ID table for quirks detectionStefan Richter
We don't have a lot of quirks to take into account (especially since dual-buffer IR is out of the picture), but still, a table-based approach is more organized than a series of if () clauses. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: ohci: reorder struct fw_ohci for better cache efficiencyStefan Richter
The config_rom struct members are only accessed during relatively infrequent self-ID-complete interrupts and only if the local config ROM was changed, while the ar_, at_, ir_, it_ members are used very frequently during I/O. Hence move the config_rom members further down. More importantly, make the huge self_id_buffer member the last one; this is only accessed in self-ID-complete interrupts. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: ohci: remove unused dualbuffer IR codeStefan Richter
This code was no longer used since 2.6.33, "firewire: ohci: always use packet-per-buffer mode for isochronous reception" commit 090699c0. If anybody needs this code in the future for special purposes, it can be brought back in. But it must not be re-enabled by default; drivers (kernelspace or userspace drivers) should only get this mode if they explicitly request it. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: combine a bit of repeated codeStefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: change type of a data bufferStefan Richter
from array of char to union of structs. I already used a union to size the buffer which holds ioctl arguments; more consequent is to define it as an instance of this union in the first place. Also rename several local variables from "request" to "a"(rgument) since the term request can be mistaken to mean a transaction subaction, e.g. an instance of struct fw_request. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: cdev: add more flexible cycle timer ioctlStefan Richter
The system time from CLOCK_REALTIME is not monotonic, hence problematic for the main user of the FW_CDEV_IOC_GET_CYCLE_TIMER ioctl. This issue exists in its successor ABI, i.e. raw1394, too. http://subversion.ffado.org/ticket/242 We now offer an alternative ioctl which lets the caller choose between CLOCK_REALTIME, CLOCK_MONOTONIC, and CLOCK_MONOTONIC_RAW as source of the local time, very similar to the clock_gettime libc function. The format of the local time return value matches that of clock_gettime (seconds and nanoseconds, instead of a single microseconds value from the existing ioctl). Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: rename an internal functionStefan Richter
according to what it really does. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: fix an information leakStefan Richter
If a device exposes a sparsely populated configuration ROM, firewire-core's sysfs interface and character device file interface showed random data in the gaps between config ROM blocks. Fix this by zero-initialization of the config ROM reader's scratch buffer. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: increase stack size of config ROM readerStefan Richter
The stack size of 16 was artificially chosen and may be too small in extreme cases. A device won't be accessible then. Since it doesn't really matter to the slab allocator whether we ask for 1088 bytes or 2048 bytes of scratch memory, just allocate 2048 bytes for the sum of temporary config ROM image and stack, and we will never ever overflow the stack (because there simply can't be more stack items than ROM entries). Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: don't fail device creation in case of too large config ROM ↵Stefan Richter
blocks It never happened yet, but better safe than sorry: If a device's config ROM contains a block which overlaps the boundary at 0xfffff00007ff, just ignore that one block instead of refusing to add the device representation. That way, upper layers (kernelspace or userspace drivers) might still be able to use the device to some degree. That's better than total inaccessibility of the device. Worse, the core would have logged only a generic "giving up on config rom" message which could only be debugged by feeding a firewire-ohci debug logging session through a config ROM interpreter, IOW would likely remain undiagnosed. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24firewire: core: fix "giving up on config rom" with Panasonic AG-DV2500Stefan Richter
The Panasonic AG-DV2500 tape deck contains an invalid entry in its configuration ROM root directory: A leaf pointer with the undefined key ID 0 and an offset that points way out of the standard config ROM area. This caused firewire-core to dismiss the device with the generic log message "giving up on config rom for node id...", after which it was of course impossible to access the tape deck with dvgrab or any other program. https://bugzilla.redhat.com/show_bug.cgi?id=449252#c29 The fix is to simply ignore this invalid ROM entry and proceed to read the valid rest of the ROM. There is a catch though: When the kernel later iterates over the ROM, it would be nasty having to check again for such too large ROM offsets. Therefore we manipulate the defective or unsupported ROM entry to become a harmless immediate entry that won't have any side effects later (an entry with the value 0x00000000). Reported-by: George Chriss Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-24Merge tag 'v2.6.33' for its firewire changes since last branch pointStefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-20firewire: remove incomplete Bus_Time CSR supportStefan Richter
The current implementation of Bus_Time read access was buggy since it did not ensure that Bus_Time.second_count_hi and second_count_lo came from the same 128 seconds period. Reported-by: Håkan Johansson <f96hajo@chalmers.se> Instead of a fix, remove Bus_Time register support altogether. The spec requires all cycle master capable nodes to implement this (all Linux nodes are cycle master capable) while it also says that it "may" be initialized by the bus manager or by the IRM standing in for a bus manager. (Neither Linux' firewire-core nor ieee1394 nodemgr implement this.) Since we cannot rely on Bus_Time having been initialized by a bus manager, it is better to return an error instead of a nonsensical value on a read request to Bus_Time. Alternatively, we could fix the Bus_Time read integrity bug _and_ implement (a) cycle master's write support of the register as well as (b) bus manager's Bus_Time initialization service, i.e. preservation of the Bus_Time when the cycle master node of a bus changes. However, that would be quite some code for a feature that is unreliable to begin with and very likely unused in practice. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-20firewire: get_cycle_timer optimization and cleanupStefan Richter
ohci: Break out of the retry loop if too many attempts were necessary. This may theoretically happen if the chip is fatally defective or if the get_cycle_timer ioctl was performed after a CardBus controller was ejected. Also micro-optimize the loop by re-using the last two register reads in the next iteration, remove a questionable inline keyword, and shuffle a comment around. core: ioctl_get_cycle_timer() is always called with interrupts on, therefore local_irq_save() can be replaced by local_irq_disable(). Disabled local IRQs imply disabled preemption, hence preempt_disable() can be removed. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-19firewire: ohci: enable cycle timer fix on ALi and NEC controllersStefan Richter
Discussed in "read_cycle_timer backwards for sub-cycle 0000, 0001", http://thread.gmane.org/gmane.linux.kernel.firewire.devel/13704 Known bad controllers: ALi M5271, listed by lspci as M5253 [10b9:5253] NEC OrangeLink [1033:00cd] (rev 03) NEC uPD72874 [1033:00f2] (rev 01) VIA VT6306 [1106:3044] (rev 46) VIA VT6308P, listed by lspci as rev c0 Reported-by: Pieter Palmers <pieterp@joow.be> Reported-by: Håkan Johansson <f96hajo@chalmers.se> Reported-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-19firewire: ohci: work around cycle timer bugs on VIA controllersClemens Ladisch
VIA controllers sometimes return an inconsistent value when reading the isochronous cycle timer register. To work around this, read the register multiple times and add consistency checks. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-by: Pieter Palmers <pieterp@joow.be> Reported-by: Håkan Johansson <f96hajo@chalmers.se> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-02-14firewire: ohci: retransmit isochronous transmit packets on cycle lossClemens Ladisch
In isochronous transmit DMA descriptors, link the skip address pointer back to the descriptor itself. When a cycle is lost, the controller will send the packet in the next cycle, instead of terminating the entire DMA program. There are two reasons for this: * This behaviour is compatible with the old IEEE1394 stack. Old applications would not expect the DMA program to stop in this case. * Since the OHCI driver does not report any uncompleted packets, the context would stop silently; clients would not have any chance to detect and handle this error without a watchdog timer. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Pieter Palmers notes: "The reason I added this retry behavior to the old stack is because some cards now and then fail to send a packet (e.g. the o2micro card in my dell laptop). I couldn't figure out why exactly this happens, my best guess is that the card cannot fetch the payload data on time. This happens much more frequently when sending large packets, which leads me to suspect that there are some contention issues with the DMA that fills the transmit FIFO. In the old stack it was a pretty critical issue as it resulted in a freeze of the userspace application. The omission of a packet doesn't necessarily have to be an issue. E.g. in IEC61883 streams the DBC field can be used to detect discontinuities in the stream. So as long as the other side doesn't bail when no [packet] is present in a cycle, there is not really a problem. I'm not convinced though that retrying is the proper solution, but it is simple and effective for what it had to do. And I think there are no reasons not to do it this way. Userspace can still detect this by checking the cycle the descriptor was sent in." Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (changelog, comment)
2010-02-01firewire: net: fix panic in fwnet_write_completeStefan Richter
In the transmit path of firewire-net (IPv4 over 1394), the following race condition may occur: - The networking soft IRQ inserts a datagram into the 1394 async request transmit DMA. - The 1394 async transmit completion tasklet runs to finish cleaning up (unlink datagram from list of pending ones, release skb and outbound 1394 transaction object) --- before the networking soft IRQ had a chance to proceed and add the datagram to the list of pending datagrams. This caused a panic in the 1394 async transmit completion tasklet when it dereferenced unitialized list heads: http://bugzilla.kernel.org/show_bug.cgi?id=15077 The fix is to add checks in the tx soft IRQ and in the tasklet to determine which of these two is the last referrer to the transaction object. Then handle the cleanup of the object by the last referrer rather than assuming that the tasklet is always the last one. There is another similar race: Between said tasklet and fwnet_close, i.e. at ifdown. However, that race is much less likely to occur in practice and shall be fixed in a separate update. Reported-by: Илья Басин <basinilya@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-01-27firewire: ohci: fix crashes with TSB43AB23 on 64bit systemsStefan Richter
Unsurprisingly, Texas Instruments TSB43AB23 exhibits the same behaviour as TSB43AB22/A in dual buffer IR DMA mode: If descriptors are located at physical addresses above the 31 bit address range (2 GB), the controller will overwrite random memory. With luck, this merely prevents video reception. With only a little less luck, the machine crashes. We use the same workaround here as with TSB43AB22/A: Switch off the dual buffer capability flag and use packet-per-buffer IR DMA instead. Another possible workaround would be to limit the coherent DMA mask to 31 bits. In Linux 2.6.33, this change serves effectively only as documentation since dual buffer mode is not used for any controller anymore. But somebody might want to re-enable it in the future to make use of features of dual buffer DMA that are not available in packet-per-buffer mode. In Linux 2.6.32 and older, this update is vital for anyone with this controller, more than 2 GB RAM, a 64 bit kernel, and FireWire video or audio applications. We have at least four reports: http://bugzilla.kernel.org/show_bug.cgi?id=13808 http://marc.info/?l=linux1394-user&m=126154279004083 https://bugzilla.redhat.com/show_bug.cgi?id=552142 http://marc.info/?l=linux1394-user&m=126432246128386 Reported-by: Paul Johnson Reported-by: Ronneil Camara Reported-by: G Zornetzer Reported-by: Mark Thompson Cc: stable@kernel.org Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-01-26firewire: core: fix use-after-free regression in FCP handlerStefan Richter
Commit db5d247a "firewire: fix use of multiple AV/C devices, allow multiple FCP listeners" introduced a regression into 2.6.33-rc3: The core freed payloads of incoming requests to FCP_Request or FCP_Response before a userspace driver accessed them. We need to copy such payloads for each registered userspace client and free the copies according to the lifetime rules of non-FCP client request resources. (This could possibly be optimized by reference counts instead of copies.) The presently only kernelspace driver which listens for FCP requests, firedtv, was not affected because it already copies FCP frames into an own buffer before returning to firewire-core's FCP handler dispatcher. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-01-26firewire: core: add_descriptor size checkStefan Richter
Presently, firewire-core only checks whether descriptors that are to be added by userspace drivers to the local node's config ROM do not exceed a size of 256 quadlets. However, the sum of the bare minimum ROM plus all descriptors (from firewire-core, from firewire-net, from userspace) must not exceed 256 quadlets. Otherwise, the bounds of a statically allocated buffer will be overwritten. If the kernel survives that, firewire-core will subsequently be unable to parse the local node's config ROM. (Note, userspace drivers can add descriptors only through device files of local nodes. These are usually only accessible by root, unlike device files of remote nodes which may be accessible to lesser privileged users.) Therefore add a test which takes the actual present and required ROM size into account for all descriptors of kernelspace and userspace drivers. Cc: stable@kernel.org Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2010-01-10firewire: make PCI device id constantNémeth Márton
The id_table field of the struct pci_driver is constant in <linux/pci.h> so it is worth to make pci_table also constant. Found with Coccinelle. Signed-off-by: Márton Németh <nm127@freemail.hu> Cc: Julia Lawall <julia@diku.dk> Cc: cocci@diku.dk Signed-off-by: Stefan Richter stefanr@s5r6.in-berlin.de> (changelog)
2009-12-29firewire: qualify config ROM cache pointers as const pointersStefan Richter
Several config ROM related functions only peek at the ROM cache; mark their arguments as const pointers. Ditto fw_device.config_rom and fw_unit.directory, as the memory behind them is meant to be write-once. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-12-29firewire, ieee1394: update Kconfig helpStefan Richter
Update the Kconfig help texts of both stacks to encourage a general move from the older to the newer drivers. However, do not label ieee1394 as "Obsolete" yet, as the newer drivers have not been deployed as default stack in the majority of Linux distributions yet, and those who start doing so now may still want to install the old drivers as fallback for unforeseen issues. Since Linux 2.6.32, FireWire audio devices can be driven by the newer firewire driver stack too, hence remove an outdated comment about audio devices. Also remove comments about library versions since the 2nd generation of libraw1394 and libdc1394 is now in common use; details on library versions can be read at the wiki link from the help texts. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-12-29firewire: core: fw_csr_string addendumStefan Richter
Witespace and comment changes, and a different way to say i + 1 < end. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-12-29firewire: add fw_csr_string() helper functionClemens Ladisch
The core (sysfs attributes), the firedtv driver, and possible future drivers all read strings from some configuration ROM directory. Factor out the generic code from show_text_leaf() into a new helper function, modified slightly to handle arbitrary buffer sizes. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>