linux-toradex.git/drivers/firewire/core-cdev.c, branch v6.5-rc4 Linux kernel for Apalis and Colibri modules firewire: cdev: implement new event relevant to phy packet with time stamp 2023-05-29T23:12:40+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:40+00:00 fe971f9163b67b5338dfe4a0e4ce1cfa1b6cd325 In 1394 OHCI, the OUTPUT_LAST descriptor of Asynchronous Transmit (AT) context has timeStamp field, in which 1394 OHCI controller record the isochronous cycle when the packet was sent for the request subaction. Additionally, the trailing quadlet of Asynchronous Receive (AR) context has timeStamp field as well in which 1394 OHCI controller record the isochronous cycle when the packet arrived. The time stamps are also available for the cases to send and receive phy packet. This commit implements new events with time stamp field for user space. Link: https://lore.kernel.org/r/20230529113406.986289-13-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
In 1394 OHCI, the OUTPUT_LAST descriptor of Asynchronous Transmit (AT)
context has timeStamp field, in which 1394 OHCI controller record the
isochronous cycle when the packet was sent for the request subaction.
Additionally, the trailing quadlet of Asynchronous Receive (AR) context
has timeStamp field as well in which 1394 OHCI controller record the
isochronous cycle when the packet arrived. The time stamps are also
available for the cases to send and receive phy packet.

This commit implements new events with time stamp field for user space.

Link: https://lore.kernel.org/r/20230529113406.986289-13-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: code refactoring to dispatch event for phy packet 2023-05-29T23:12:40+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:40+00:00 1ef147710b54d47f4108c802d8ee6f3d27fe922d In 1394 OHCI, both Asynchronous Transmit (AT) and Asynchronous Receive (AR) contexts are used to deliver the phy packet of IEEE 1394. The time stamp is available as well as the usual asynchronous transaction. This commit is a preparation for future commit to handle the time stamp. Link: https://lore.kernel.org/r/20230529113406.986289-11-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
In 1394 OHCI, both Asynchronous Transmit (AT) and Asynchronous Receive
(AR) contexts are used to deliver the phy packet of IEEE 1394. The time
stamp is available as well as the usual asynchronous transaction.

This commit is a preparation for future commit to handle the time stamp.

Link: https://lore.kernel.org/r/20230529113406.986289-11-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: implement new event to notify response subaction with time stamp 2023-05-29T23:12:40+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:40+00:00 d8527cab6c311da34193b7c04f4d363fc2d72458 The callback function now receives an argument for time stamps relevant to asynchronous transaction. This commit implements a new event to notify response subaction with the time stamps for user space. Link: https://lore.kernel.org/r/20230529113406.986289-10-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
The callback function now receives an argument for time stamps relevant
to asynchronous transaction. This commit implements a new event to
notify response subaction with the time stamps for user space.

Link: https://lore.kernel.org/r/20230529113406.986289-10-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: code refactoring to operate event of response 2023-05-29T23:12:40+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:40+00:00 147e9d3af34a92ff567c58b0e89099d26787faba This commit is a preparation to handle time stamp of asynchronous transaction for user space application. Link: https://lore.kernel.org/r/20230529113406.986289-8-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
This commit is a preparation to handle time stamp of asynchronous
transaction for user space application.

Link: https://lore.kernel.org/r/20230529113406.986289-8-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: implement new event to notify request subaction with time stamp 2023-05-29T23:12:40+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:40+00:00 865efffb2d11402bc6f96c7e390b89384e9d209d In 1394 OHCI, the trailer quadlet of descriptor in Asynchronous Receive (AR) request context has timeStamp field, in which the 1394 OHCI controller record the isochronous cycle when the packet arrived. Current implementation of 1394 OHCI controller driver stores the value of field to internal structure as time stamp, while the implementation of FireWire character device doesn't have a field for the time stamp, thus it is not available in user space. The time stamp is convenient to some kind of application in which data from several sources are compared in isochronous cycle unit. This commit implement the new event, fw_cdev_event_request3, with an additional field, tstamp. Link: https://lore.kernel.org/r/20230529113406.986289-5-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
In 1394 OHCI, the trailer quadlet of descriptor in Asynchronous Receive
(AR) request context has timeStamp field, in which the 1394 OHCI
controller record the isochronous cycle when the packet arrived.

Current implementation of 1394 OHCI controller driver stores the value
of field to internal structure as time stamp, while the implementation
of FireWire character device doesn't have a field for the time stamp,
thus it is not available in user space. The time stamp is convenient to
some kind of application in which data from several sources are compared
in isochronous cycle unit.

This commit implement the new event, fw_cdev_event_request3, with an
additional field, tstamp.

Link: https://lore.kernel.org/r/20230529113406.986289-5-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: add new version of ABI to notify time stamp at request/response subaction of transaction 2023-05-29T23:12:39+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-05-29T23:12:39+00:00 6add87e9764dd308006b078cbdbf36d5a611cc9b This commit adds new version of ABI for future new events with time stamp for request/response subaction of asynchronous transaction to user space. Link: https://lore.kernel.org/r/20230529113406.986289-3-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
This commit adds new version of ABI for future new events with time stamp
for request/response subaction of asynchronous transaction to user
space.

Link: https://lore.kernel.org/r/20230529113406.986289-3-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
firewire: cdev: use single object to dispatch event for request to IEC 61883-1 FCP region 2023-01-23T08:17:46+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-01-20T09:03:44+00:00 39859be8537ca372c48b76458f498064e075aaa3 The core function always passes the data of request to the callback of listener in any case. Additionally, the listener can maintain the lifetime of data by reference count. In character device, no need to duplicate the payload of request anymore to copy it to user space. This commit extends the lifetime of data to obsolete duplication of payload for request in character device. Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20230120090344.296451-4-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The core function always passes the data of request to the callback of
listener in any case. Additionally, the listener can maintain the lifetime
of data by reference count. In character device, no need to duplicate the
payload of request anymore to copy it to user space.

This commit extends the lifetime of data to obsolete duplication of
payload for request in character device.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230120090344.296451-4-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
firewire: cdev: obsolete NULL check to detect IEC 61883-1 FCP region 2023-01-23T08:17:44+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-01-20T09:03:43+00:00 e699600232e0ca6237b996aa1a94a056cf776582 In the character device, the listener to address space should distinguish whether the request is to IEC 61883-1 FCP region or not. The user space application needs to access to the object of request in enough later by read(2), while the core function releases the object of request in the FCP case after completing the callback to handler. The handler guarantees the access safe by some way. It's done by duplication of the object after NULL check to the request, since core function passes NULL in the FCP case. It's inconvenient since the object of request includes some helpful information. It's better to add another way to check whether the request is to FCP region or not. Conveniently the file of transaction layer includes local implementation for the purpose. This commit moves it to module local file and use it instead of the NULL check, then the result of check is stored to per-client data for the inbound transaction so that the result can be referred by later to release the data. Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20230120090344.296451-3-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai@suse.de> 
In the character device, the listener to address space should distinguish
whether the request is to IEC 61883-1 FCP region or not. The user space
application needs to access to the object of request in enough later by
read(2), while the core function releases the object of request in the FCP
case after completing the callback to handler.

The handler guarantees the access safe by some way. It's done by
duplication of the object after NULL check to the request, since core
function passes NULL in the FCP case. It's inconvenient since the object
of request includes some helpful information. It's better to add another
way to check whether the request is to FCP region or not.

Conveniently the file of transaction layer includes local implementation
for the purpose. This commit moves it to module local file and use it
instead of the NULL check, then the result of check is stored to
per-client data for the inbound transaction so that the result can be
referred by later to release the data.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230120090344.296451-3-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
firewire: core: use kref structure to maintain lifetime of data for fw_request structure 2023-01-23T08:17:43+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-01-20T09:03:42+00:00 13a55d6bb15fa6bf0dcaf997e0676f532f258f52 Developers have acknowledged that maintenance of lifetime for fw_transaction structure is effective when handling asynchronous transaction to IEC 61883-1 FCP region, since the core function allows multiples listeners to the region. Some of them needs to access to the payload of request in process context after the callback to listener, while the core function releases the object for the structure just after completing the callbacks to listeners. One of the listeners is character device. Current implementation of the character device duplicates the object for the payload of transaction, while it's a cost in kernel memory consumption. The lifetime management can reduce it. The typical way to maintain the lifetime is reference count. This commit uses kref structure as a first step for the purpose. Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20230120090344.296451-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Developers have acknowledged that maintenance of lifetime for
fw_transaction structure is effective when handling asynchronous
transaction to IEC 61883-1 FCP region, since the core function allows
multiples listeners to the region. Some of them needs to access to the
payload of request in process context after the callback to listener,
while the core function releases the object for the structure just after
completing the callbacks to listeners.

One of the listeners is character device. Current implementation of the
character device duplicates the object for the payload of transaction,
while it's a cost in kernel memory consumption. The lifetime management
can reduce it.

The typical way to maintain the lifetime is reference count. This commit
uses kref structure as a first step for the purpose.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230120090344.296451-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region 2023-01-17T17:09:21+00:00 Takashi Sakamoto o-takashi@sakamocchi.jp 2023-01-17T09:06:10+00:00 531390a243ef47448f8bad01c186c2787666bf4d This patch is fix for Linux kernel v2.6.33 or later. For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem have had an issue of use-after-free. The subsystem allows multiple user space listeners to the region, while data of the payload was likely released before the listeners execute read(2) to access to it for copying to user space. The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler"). The object of payload is duplicated in kernel space for each listener. When the listener executes ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to be released. However, it causes memory leak since the commit relies on call of release_request() in drivers/firewire/core-cdev.c. Against the expectation, the function is never called due to the design of release_client_resource(). The function delegates release task to caller when called with non-NULL fourth argument. The implementation of ioctl_send_response() is the case. It should release the object explicitly. This commit fixes the bug. Cc: <stable@vger.kernel.org> Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler") Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai@suse.de> 
This patch is fix for Linux kernel v2.6.33 or later.

For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
have had an issue of use-after-free. The subsystem allows multiple
user space listeners to the region, while data of the payload was likely
released before the listeners execute read(2) to access to it for copying
to user space.

The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix
use-after-free regression in FCP handler"). The object of payload is
duplicated in kernel space for each listener. When the listener executes
ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
be released.

However, it causes memory leak since the commit relies on call of
release_request() in drivers/firewire/core-cdev.c. Against the
expectation, the function is never called due to the design of
release_client_resource(). The function delegates release task
to caller when called with non-NULL fourth argument. The implementation
of ioctl_send_response() is the case. It should release the object
explicitly.

This commit fixes the bug.

Cc: <stable@vger.kernel.org>
Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>