Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b39bda6e authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: fix crashes with TSB43AB23 on 64bit systems
  firewire: core: fix use-after-free regression in FCP handler
  firewire: cdev: add_descriptor documentation fix
  firewire: core: add_descriptor size check
parents be8cde8b 7a481436

drivers/firewire/core-card.c

+28 −13
Original line number Diff line number Diff line
@@ -57,6 +57,8 @@ static LIST_HEAD(descriptor_list); 
static int descriptor_count;



static __be32 tmp_config_rom[256];

/* ROM header, bus info block, root dir header, capabilities = 7 quadlets */

static size_t config_rom_length = 1 + 4 + 1 + 1;



#define BIB_CRC(v)		((v) <<  0)

#define BIB_CRC_LENGTH(v)	((v) << 16)
@@ -73,7 +75,7 @@ static __be32 tmp_config_rom[256]; 
#define BIB_CMC			((1) << 30)

#define BIB_IMC			((1) << 31)



static size_t generate_config_rom(struct fw_card *card, __be32 *config_rom)

static void generate_config_rom(struct fw_card *card, __be32 *config_rom)

{

	struct fw_descriptor *desc;

	int i, j, k, length;
@@ -130,23 +132,30 @@ static size_t generate_config_rom(struct fw_card *card, __be32 *config_rom) 
	for (i = 0; i < j; i += length + 1)

		length = fw_compute_block_crc(config_rom + i);



	return j;

	WARN_ON(j != config_rom_length);

}



static void update_config_roms(void)

{

	struct fw_card *card;

	size_t length;



	list_for_each_entry (card, &card_list, link) {

		length = generate_config_rom(card, tmp_config_rom);

		card->driver->set_config_rom(card, tmp_config_rom, length);

		generate_config_rom(card, tmp_config_rom);

		card->driver->set_config_rom(card, tmp_config_rom,

					     config_rom_length);

	}

}



static size_t required_space(struct fw_descriptor *desc)

{

	/* descriptor + entry into root dir + optional immediate entry */

	return desc->length + 1 + (desc->immediate > 0 ? 1 : 0);

}



int fw_core_add_descriptor(struct fw_descriptor *desc)

{

	size_t i;

	int ret;



	/*

	 * Check descriptor is valid; the length of all blocks in the
@@ -162,15 +171,21 @@ int fw_core_add_descriptor(struct fw_descriptor *desc) 


	mutex_lock(&card_mutex);



	if (config_rom_length + required_space(desc) > 256) {

		ret = -EBUSY;

	} else {

		list_add_tail(&desc->link, &descriptor_list);

		config_rom_length += required_space(desc);

		descriptor_count++;

		if (desc->immediate > 0)

			descriptor_count++;

		update_config_roms();

		ret = 0;

	}



	mutex_unlock(&card_mutex);



	return 0;

	return ret;

}

EXPORT_SYMBOL(fw_core_add_descriptor);
@@ -179,6 +194,7 @@ void fw_core_remove_descriptor(struct fw_descriptor *desc) 
	mutex_lock(&card_mutex);



	list_del(&desc->link);

	config_rom_length -= required_space(desc);

	descriptor_count--;

	if (desc->immediate > 0)

		descriptor_count--;
@@ -428,7 +444,6 @@ EXPORT_SYMBOL(fw_card_initialize); 
int fw_card_add(struct fw_card *card,

		u32 max_receive, u32 link_speed, u64 guid)

{

	size_t length;

	int ret;



	card->max_receive = max_receive;
@@ -437,8 +452,8 @@ int fw_card_add(struct fw_card *card, 


	mutex_lock(&card_mutex);



	length = generate_config_rom(card, tmp_config_rom);

	ret = card->driver->enable(card, tmp_config_rom, length);

	generate_config_rom(card, tmp_config_rom);

	ret = card->driver->enable(card, tmp_config_rom, config_rom_length);

	if (ret == 0)

		list_add_tail(&card->link, &card_list);

drivers/firewire/core-cdev.c

+36 −14
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ 
#include <linux/preempt.h>

#include <linux/sched.h>

#include <linux/spinlock.h>

#include <linux/string.h>

#include <linux/time.h>

#include <linux/uaccess.h>

#include <linux/vmalloc.h>
@@ -595,13 +596,20 @@ static int ioctl_send_request(struct client *client, void *buffer) 
			    client->device->max_speed);

}



static inline bool is_fcp_request(struct fw_request *request)

{

	return request == NULL;

}



static void release_request(struct client *client,

			    struct client_resource *resource)

{

	struct inbound_transaction_resource *r = container_of(resource,

			struct inbound_transaction_resource, resource);



	if (r->request)

	if (is_fcp_request(r->request))

		kfree(r->data);

	else

		fw_send_response(client->device->card, r->request,

				 RCODE_CONFLICT_ERROR);

	kfree(r);
@@ -616,6 +624,7 @@ static void handle_request(struct fw_card *card, struct fw_request *request, 
	struct address_handler_resource *handler = callback_data;

	struct inbound_transaction_resource *r;

	struct inbound_transaction_event *e;

	void *fcp_frame = NULL;

	int ret;



	r = kmalloc(sizeof(*r), GFP_ATOMIC);
@@ -627,6 +636,18 @@ static void handle_request(struct fw_card *card, struct fw_request *request, 
	r->data    = payload;

	r->length  = length;



	if (is_fcp_request(request)) {

		/*

		 * FIXME: Let core-transaction.c manage a

		 * single reference-counted copy?

		 */

		fcp_frame = kmemdup(payload, length, GFP_ATOMIC);

		if (fcp_frame == NULL)

			goto failed;



		r->data = fcp_frame;

	}



	r->resource.release = release_request;

	ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);

	if (ret < 0)
@@ -640,13 +661,15 @@ static void handle_request(struct fw_card *card, struct fw_request *request, 
	e->request.closure = handler->closure;



	queue_event(handler->client, &e->event,

		    &e->request, sizeof(e->request), payload, length);

		    &e->request, sizeof(e->request), r->data, length);

	return;



 failed:

	kfree(r);

	kfree(e);

	if (request)

	kfree(fcp_frame);



	if (!is_fcp_request(request))

		fw_send_response(card, request, RCODE_CONFLICT_ERROR);

}
@@ -717,18 +740,17 @@ static int ioctl_send_response(struct client *client, void *buffer) 


	r = container_of(resource, struct inbound_transaction_resource,

			 resource);

	if (r->request) {

	if (is_fcp_request(r->request))

		goto out;



	if (request->length < r->length)

		r->length = request->length;

		if (copy_from_user(r->data, u64_to_uptr(request->data),

				   r->length)) {

	if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {

		ret = -EFAULT;

		kfree(r->request);

		goto out;

	}

		fw_send_response(client->device->card, r->request,

				 request->rcode);

	}

	fw_send_response(client->device->card, r->request, request->rcode);

 out:

	kfree(r);

drivers/firewire/ohci.c

+3 −1
Original line number Diff line number Diff line
@@ -2420,6 +2420,7 @@ static void ohci_pmac_off(struct pci_dev *dev) 


#define PCI_VENDOR_ID_AGERE		PCI_VENDOR_ID_ATT

#define PCI_DEVICE_ID_AGERE_FW643	0x5901

#define PCI_DEVICE_ID_TI_TSB43AB23	0x8024



static int __devinit pci_probe(struct pci_dev *dev,

			       const struct pci_device_id *ent)
@@ -2488,7 +2489,8 @@ static int __devinit pci_probe(struct pci_dev *dev, 
#if !defined(CONFIG_X86_32)

	/* dual-buffer mode is broken with descriptor addresses above 2G */

	if (dev->vendor == PCI_VENDOR_ID_TI &&

	    dev->device == PCI_DEVICE_ID_TI_TSB43AB22)

	    (dev->device == PCI_DEVICE_ID_TI_TSB43AB22 ||

	     dev->device == PCI_DEVICE_ID_TI_TSB43AB23))

		ohci->use_dualbuffer = false;

#endif

include/linux/firewire-cdev.h

+3 −1
Original line number Diff line number Diff line
@@ -380,7 +380,7 @@ struct fw_cdev_initiate_bus_reset { 
 * @immediate:	If non-zero, immediate key to insert before pointer

 * @key:	Upper 8 bits of root directory pointer

 * @data:	Userspace pointer to contents of descriptor block

 * @length:	Length of descriptor block data, in bytes

 * @length:	Length of descriptor block data, in quadlets

 * @handle:	Handle to the descriptor, written by the kernel

 *

 * Add a descriptor block and optionally a preceding immediate key to the local
@@ -394,6 +394,8 @@ struct fw_cdev_initiate_bus_reset { 
 * If not 0, the @immediate field specifies an immediate key which will be

 * inserted before the root directory pointer.

 *

 * @immediate, @key, and @data array elements are CPU-endian quadlets.

 *

 * If successful, the kernel adds the descriptor and writes back a handle to the

 * kernel-side object to be used for later removal of the descriptor block and

 * immediate key.