<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/drivers/firewire, branch v2.6.34.3</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>firewire: core: check for 1394a compliant IRM, fix inaccessibility of Sony camcorder</title>
<updated>2010-07-05T18:22:45+00:00</updated>
<author>
<name>Stefan Richter</name>
<email>stefanr@s5r6.in-berlin.de</email>
</author>
<published>2010-05-30T17:43:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e2f415159f02c5815415260063c47e06cf7408ee'/>
<id>e2f415159f02c5815415260063c47e06cf7408ee</id>
<content type='text'>
commit 10389536742cefbedecb67a5b2906f155cf3a1c3 upstream.

Per IEEE 1394 clause 8.4.2.3, a contender for the IRM role shall check
whether the current IRM complies with 1394a-2000 or later.  If not, force a
compliant node (e.g. itself) to become IRM.  This was implemented in the
older ieee1394 driver but not yet in firewire-core.

An older Sony camcorder (Sony DCR-TRV25) which implements 1394-1995 IRM
but neither 1394a-2000 IRM nor BM was now found to cause an
interoperability bug:
  - Camcorder becomes root node when plugged in, hence gets IRM role.
  - firewire-core successfully contends for BM role, proceeds to perform
    gap count optimization and resets the bus.
  - Sony camcorder ignores presence of a BM (against the spec, this is
    a firmware bug), performs its idea of gap count optimization and
    resets the bus.
  - Preceding two steps are repeated endlessly, bus never settles,
    regular I/O is practically impossible.
http://thread.gmane.org/gmane.linux.kernel.firewire.user/3913

This is an interoperability regression from the old to the new drivers.
Fix it indirectly by adding the 1394a IRM check.  The spec suggests
three and a half methods to determine 1394a compliance of a remote IRM;
we choose the method of testing the Config_ROM.Bus_Info.generation
field.  This is data that firewire-core should have readily available at
this point, i.e. does not require extra I/O.

Reported-by: Clemens Ladisch &lt;clemens@ladisch.de&gt; (missing 1394a check)
Reported-by: H. S. &lt;hs.samix@gmail.com&gt; (issue with Sony DCR-TRV25)
Tested-by: H. S. &lt;hs.samix@gmail.com&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6</title>
<updated>2010-04-22T19:54:54+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2010-04-22T19:54:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=cfc94b2c9ac603b20db54225408df6ed80188dcd'/>
<id>cfc94b2c9ac603b20db54225408df6ed80188dcd</id>
<content type='text'>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: wait for local CSR lock access to finish
  firewire: ohci: prevent aliasing of locally handled register addresses
  firewire: core: fw_iso_resource_manage: return -EBUSY when out of resources
  firewire: core: fix retries calculation in iso manage_channel()
  firewire: cdev: fix cut+paste mistake in disclaimer
</content>
</entry>
<entry>
<title>firewire: ohci: wait for local CSR lock access to finish</title>
<updated>2010-04-19T17:58:32+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-04-12T08:35:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e1393667be574807a13bfaf1bb471f5fd1a5287b'/>
<id>e1393667be574807a13bfaf1bb471f5fd1a5287b</id>
<content type='text'>
Add a loop to wait for the controller to finish a locally-initiated CSR
lock operation.  Google shows some occurrences of the "swap not done
yet" message which might indicate that some OHCI controllers are not
fast enough to do the lock/swap in the time needed for one PCI access.

This also correctly handles the case where the lock operation did not
finish, instead of silently returning an uninitialized value.

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>firewire: ohci: prevent aliasing of locally handled register addresses</title>
<updated>2010-04-19T17:58:32+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-04-12T08:35:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=2608203daf5f87311c6e5d36e5de5efcb14aab24'/>
<id>2608203daf5f87311c6e5d36e5de5efcb14aab24</id>
<content type='text'>
We must compute the offset from the CSR register base with the
full 48 address bits to prevent matching with addresses whose
lower 32 bits happen to be equal with one of the specially
handled registers.

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>firewire: core: fw_iso_resource_manage: return -EBUSY when out of resources</title>
<updated>2010-04-19T17:58:32+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-04-12T08:35:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=d6372b6e7c6142e6cc2108b3b850584cd7ade106'/>
<id>d6372b6e7c6142e6cc2108b3b850584cd7ade106</id>
<content type='text'>
Returning -EIO for all errors would not allow clients to determine if
the resource allocation process itself failed, or if the resources are
not available.  (The latter information is needed by CMP to synchronize
restoring of overlaid connections after a bus reset.)

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>firewire: core: fix retries calculation in iso manage_channel()</title>
<updated>2010-04-19T17:58:32+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-04-12T08:35:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=3a1f0a0e3d871e3d3e08a1429009992151becda8'/>
<id>3a1f0a0e3d871e3d3e08a1429009992151becda8</id>
<content type='text'>
If there is a permanent error condition when communicating with the IRM,
after the sixth error, the retry variable will be decremented to -1.
If, in this case, the bits in channels_mask are not yet exhausted, the
next channel is retried 2^32 times.

To fix this, check that retry is never decremented beyond zero.

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6</title>
<updated>2010-04-15T18:56:20+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2010-04-15T18:56:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=2fed94c032316d89422d4abfca2a882897489b94'/>
<id>2fed94c032316d89422d4abfca2a882897489b94</id>
<content type='text'>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: cdev: change license of exported header files to MIT license
  firewire: cdev: comment fixlet
  firewire: cdev: iso packet documentation
  firewire: cdev: fix information leak
  firewire: cdev: require quadlet-aligned headers for transmit packets
  firewire: cdev: disallow receive packets without header
</content>
</entry>
<entry>
<title>firewire: cdev: fix information leak</title>
<updated>2010-04-10T14:51:13+00:00</updated>
<author>
<name>Stefan Richter</name>
<email>stefanr@s5r6.in-berlin.de</email>
</author>
<published>2010-04-07T06:30:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=9cac00b8f0079d5d3d54ec4dae453d58dec30e7c'/>
<id>9cac00b8f0079d5d3d54ec4dae453d58dec30e7c</id>
<content type='text'>
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).

Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls.  This way, there is almost no runtime penalty to legitimate
ioctls.  The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.

[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number.  However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]

Reported-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>firewire: cdev: require quadlet-aligned headers for transmit packets</title>
<updated>2010-04-10T14:51:13+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-03-31T14:26:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=385ab5bcd4be586dffdba550b310308d89eade71'/>
<id>385ab5bcd4be586dffdba550b310308d89eade71</id>
<content type='text'>
The definition of struct fw_cdev_iso_packet seems to imply that the
header_length must be quadlet-aligned, and in fact, specifying an
unaligned header has never really worked when using multiple packet
structures, because the position of the next control word is computed by
rounding the header_length _down_, so the last one to three bytes of the
header would overlap the next control word.

To avoid this problem, check that the header length is properly aligned.

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
<entry>
<title>firewire: cdev: disallow receive packets without header</title>
<updated>2010-04-10T14:51:13+00:00</updated>
<author>
<name>Clemens Ladisch</name>
<email>clemens@ladisch.de</email>
</author>
<published>2010-03-31T14:26:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=4ba1d9c0c22947a9207029e7184733252e6135f1'/>
<id>4ba1d9c0c22947a9207029e7184733252e6135f1</id>
<content type='text'>
In receive contexts, reject packets with header_length==0.  This would
be an instruction to queue zero packets which would not make sense.

This prevents a division by zero in the OHCI driver.

Signed-off-by: Clemens Ladisch &lt;clemens@ladisch.de&gt;
Signed-off-by: Stefan Richter &lt;stefanr@s5r6.in-berlin.de&gt;
</content>
</entry>
</feed>
