[git pull] FireWire fixes
Linus,

please pull from the tag "firewire-fixes" at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394.git firewire-fixes

to receive the following FireWire (IEEE 1394) subsystem fixes:

  - Add missing input validation to the firewire-net driver.
    Invalid IP-over-1394 encapsulation headers could trigger
    buffer overflows (CVE 2016-8633).

  - IP-over-1394 link fragmentation headers were read and written
    incorrectly, breaking fragmented RX/TX with other OS's stacks.

Stefan Richter (2):
      firewire: net: guard against rx buffer overflows
      firewire: net: fix fragmented datagram_size off-by-one

 drivers/firewire/net.c | 59 --
 1 file changed, 39 insertions(+), 20 deletions(-)

Thanks,
-- 
Stefan Richter
-==- =-== --=-=
http://arcgraph.de/sr/
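The kind of receive-side check the two fixes above are about, as an added example that is not part of the original message and not the driver's code: header values taken from the wire are validated before anything is copied into the reassembly buffer. `struct reasm`, `REASM_CAP`, `frag_ok`, `reasm_add` and `demo` are hypothetical names; the 12-bit field width and the size-minus-one encoding of datagram_size follow RFC 2734.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_CAP 2048  /* assumed receive buffer size (hypothetical) */

/* Hypothetical reassembly state for one datagram, not the driver's struct. */
struct reasm {
    uint8_t buf[REASM_CAP];
    size_t  dg_size;     /* decoded size in bytes, 0 = not yet known */
};

/* RFC 2734 carries datagram_size as a 12-bit field holding size - 1. */
static size_t decode_dg_size(uint16_t field)
{
    return (size_t)(field & 0x0fff) + 1;
}

/* Validate wire-supplied values before any copy; returns 1 if acceptable. */
static int frag_ok(size_t cap, size_t dg_size, size_t fg_off, size_t len)
{
    if (len == 0 || dg_size > cap)
        return 0;
    /* Compare len with the remainder so fg_off + len cannot wrap. */
    return fg_off < dg_size && len <= dg_size - fg_off;
}

/* Returns 0 when the fragment was stored, -1 when it was rejected. */
static int reasm_add(struct reasm *r, uint16_t dg_field, uint16_t fg_off,
                     const uint8_t *data, size_t len)
{
    size_t dg_size = decode_dg_size(dg_field);
    if (r->dg_size != 0 && r->dg_size != dg_size)
        return -1;       /* size must be identical in every fragment */
    if (!frag_ok(sizeof(r->buf), dg_size, fg_off, len))
        return -1;
    r->dg_size = dg_size;
    memcpy(r->buf + fg_off, data, len);
    return 0;
}

/* Constructed input: 1500-byte datagram (field value 1499), zero payload. */
static int demo(uint16_t fg_off, size_t len)
{
    static const uint8_t payload[1024] = {0};
    struct reasm r = { {0}, 0 };

    return len > sizeof(payload) ? -1 : reasm_add(&r, 1499, fg_off, payload, len);
}
```

Overlap tracking between fragments is left out to keep the bounds check itself in focus.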
[git pull] FireWire fixes
Linus,

please pull from the tag "firewire-fixes" at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394.git firewire-fixes

to receive a regression fix for the IEEE 1394 subsystem:
Re-enable IRQ-based asynchronous request reception at addresses
below 128 TB.

Stefan Richter (1):
      firewire: revert to 4 GB RDMA, fix protocols using Memory Space

 Documentation/debugging-via-ohci1394.txt | 13 -
 drivers/firewire/core.h                  |  4 ++--
 drivers/firewire/ohci.c                  |  2 +-
 3 files changed, 11 insertions(+), 8 deletions(-)

Thanks,
-- 
Stefan Richter
-=-- -=-= -
http://arcgraph.de/sr/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[git pull] FireWire fixes
Linus,

please pull from the tag "firewire-fixes" at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394.git firewire-fixes

to receive the following IEEE 1394 (FireWire) subsystem changes.
These fix a use-after-free regression since v3.4 and an
initialization regression since v3.10.

Stefan Richter (2):
      firewire: net: fix use after free
      firewire: ohci: fix probe failure with Agere/LSI controllers

 drivers/firewire/net.c  |  6 +++---
 drivers/firewire/ohci.c | 15 ++-
 2 files changed, 5 insertions(+), 16 deletions(-)

Thanks.
-- 
Stefan Richter
-=-- --== -=---
http://arcgraph.de/sr/
[GIT PULL] FireWire fixes
Linus,

please pull from the for-linus branch at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6.git for-linus

to receive the following fixes for the new and old 1394 subsystems:

Kristian Høgsberg (1):
      firewire: Add ref-counting for sbp2 orbs (fix command abortion)

Stefan Richter (2):
      ieee1394: sbp2: fix sbp2_remove_device for error cases
      firewire: fix unloading of fw-ohci while devices are attached

 drivers/firewire/fw-card.c |  6 +++-
 drivers/firewire/fw-sbp2.c | 49 +--
 drivers/ieee1394/sbp2.c    | 14 +-
 3 files changed, 51 insertions(+), 18 deletions(-)

commit e57d2011a6276d55a87f26653a0395f302ce0d51
Author: Kristian Høgsberg <[EMAIL PROTECTED]>
Date:   Fri Aug 24 18:59:58 2007 -0400

    firewire: Add ref-counting for sbp2 orbs (fix command abortion)

    This handles the case where we get the status write before getting the
    complete_transaction callback ("status write for unknown orb"). In this
    case, we just assume that the initial orb pointer transaction succeeded
    and finish the orb. To prevent the transaction callback from touching
    freed memory, we ref-count the orb structures.

    Signed-off-by: Kristian Høgsberg <[EMAIL PROTECTED]>
    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>

diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c index ba816ef..238730f 100644 --- a/drivers/firewire/fw-sbp2.c +++ b/drivers/firewire/fw-sbp2.c @@ -159,6 +159,7 @@ struct sbp2_pointer { struct sbp2_orb { struct fw_transaction t; + struct kref kref; dma_addr_t request_bus; int rcode; struct sbp2_pointer pointer; @@ -280,6 +281,14 @@ static const struct { }; static void +free_orb(struct kref *kref) +{ + struct sbp2_orb *orb = container_of(kref, struct sbp2_orb, kref); + + kfree(orb); +} + +static void sbp2_status_write(struct fw_card *card, struct fw_request *request, int tcode, int destination, int source, int generation, int speed, 
@@ -312,8 +321,8 @@ sbp2_status_write(struct fw_card *card, struct fw_request *request, spin_lock_irqsave(&card->lock, flags); list_for_each_entry(orb, &sd->orb_list, link) { if (STATUS_GET_ORB_HIGH(status) == 0 && - STATUS_GET_ORB_LOW(status) == orb->request_bus && - orb->rcode == RCODE_COMPLETE) { + STATUS_GET_ORB_LOW(status) == orb->request_bus) { + orb->rcode = RCODE_COMPLETE; list_del(&orb->link); break; } @@ -325,6 +334,8 @@ sbp2_status_write(struct fw_card *card, struct fw_request *request, else fw_error("status write for unknown orb\n"); + kref_put(&orb->kref, free_orb); + fw_send_response(card, request, RCODE_COMPLETE); } @@ -335,13 +346,27 @@ complete_transaction(struct fw_card *card, int rcode, struct sbp2_orb *orb = data; unsigned long flags; - orb->rcode = rcode; - if (rcode != RCODE_COMPLETE) { - spin_lock_irqsave(&card->lock, flags); + /* +* This is a little tricky. We can get the status write for +* the orb before we get this callback. The status write +* handler above will assume the orb pointer transaction was +* successful and set the rcode to RCODE_COMPLETE for the orb. +* So this callback only sets the rcode if it hasn't already +* been set and only does the cleanup if the transaction +* failed and we didn't already get a status write. +*/ + spin_lock_irqsave(&card->lock, flags); + + if (orb->rcode == -1) + orb->rcode = rcode; + if (orb->rcode != RCODE_COMPLETE) { list_del(&orb->link); - spin_unlock_irqrestore(&card->lock, flags); orb->callback(orb, NULL); } + + spin_unlock_irqrestore(&card->lock, flags); + + kref_put(&orb->kref, free_orb); } static void 
@@ -360,6 +385,10 @@ sbp2_send_orb(struct sbp2_orb *orb, struct fw_unit *unit, list_add_tail(&orb->link, &sd->orb_list); spin_unlock_irqrestore(&device->card->lock, flags); + /* Take a ref for the orb list and for the transaction callback. */ + kref_get(&orb->kref); + kref_get(&orb->kref); + fw_send_request(device->card, &orb->t, TCODE_WRITE_BLOCK_REQUEST, node_id, generation, device->max_speed, offset, &orb->pointer, sizeof(orb->pointer), @@ -416,6 +445,7 @@ sbp2_send_management_orb(struct fw_unit *unit, int node_id, int generation, if (orb == NULL) return -ENOMEM; + kref_init(&orb->base.kref); orb->response_bus = dma_map_single(device->card->device, &orb->response, sizeof(orb
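Review bot: In sbp2_status_write(), the added kref_put(&orb->kref, free_orb) sits after the if/else, so it also runs on the "status write for unknown orb" path. On that path list_for_each_entry() ended without a match and orb is only the loop cursor derived from the list head, not a real struct sbp2_orb, so dropping a reference through it operates on memory that was never an orb. Guard the kref_put with the same condition that selects the callback branch, so the list's reference is only dropped for an orb that was actually found and unlinked.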
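Review bot: In complete_transaction(), orb->callback(orb, NULL) is now called with card->lock held and interrupts disabled, because spin_unlock_irqrestore() moved below the if block. A callback that takes card->lock again or does anything that may sleep will deadlock or trip an atomic-context check; decide under the lock whether cleanup is needed (the rcode test plus list_del), release the lock, then invoke the callback. The new test "orb->rcode == -1" also relies on every orb being initialised to -1 before it is sent, which none of the visible hunks show; a named constant set in one place would make that contract explicit.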
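Review bot: In sbp2_send_orb(), both kref_get() calls come after list_add_tail() and spin_unlock_irqrestore(), so for a short window the orb is reachable through sd->orb_list without the reference that is supposed to belong to the list. Take the list's reference before list_add_tail(), inside the locked region, and keep the transaction's reference directly in front of fw_send_request(); the comment "Take a ref for the orb list and for the transaction callback" can then be split so each half sits next to the operation it covers.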
[GIT PULL] FireWire fixes
Linus,

please pull from the for-linus branch at

    git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6.git for-linus

to receive the following fixes for the new and old 1394 subsystems:

Stefan Richter (5):
      ieee1394: revert "sbp2: enforce 32bit DMA mapping"
      ieee1394: sbp2: more correct Kconfig dependencies
      firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters)
      firewire: fw-ohci: dma_free_coherent needs IRQs enabled
      firewire: fw-core: make two variables static

Stat, log, and combined diff:

 drivers/firewire/fw-ohci.c        | 20 +---
 drivers/firewire/fw-sbp2.c        |  5 -
 drivers/firewire/fw-transaction.c |  4 ++--
 drivers/firewire/fw-transaction.h |  2 +-
 drivers/ieee1394/Kconfig          |  2 +-
 drivers/ieee1394/sbp2.c           |  5 -
 6 files changed, 21 insertions(+), 17 deletions(-)

commit ae57988f68acdc9fbee649765148f15eb7a1b991
Author: Stefan Richter <[EMAIL PROTECTED]>
Date:   Thu Aug 2 20:34:17 2007 +0200

    firewire: fw-core: make two variables static

    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>

commit 4eaff7d63052d781732de9eff4d2287c8e00348f
Author: Stefan Richter <[EMAIL PROTECTED]>
Date:   Wed Jul 25 19:18:08 2007 +0200

    firewire: fw-ohci: dma_free_coherent needs IRQs enabled

    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>

commit 25659f7183376c6b37661da6141d5eaa21479061
Author: Stefan Richter <[EMAIL PROTECTED]>
Date:   Sat Jul 21 22:43:05 2007 +0200

    firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters)

    As far as I know, all CardBus FireWire 400 adapters have a maximum
    payload of 1024 bytes which is less than the speed-dependent limit of
    2048 bytes. Fw-sbp2 has to take the host adapter's limit into account.

    This apparently fixes Juju's incompatibility with my CardBus cards,
    a NEC based card and a VIA based card.
    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>
    Acked-by: Kristian Høgsberg <[EMAIL PROTECTED]>

commit e4f8cac5e07528f7e0bc21d3682c16c9de993ecb
Author: Stefan Richter <[EMAIL PROTECTED]>
Date:   Sat Jul 21 17:51:22 2007 +0200

    ieee1394: sbp2: more correct Kconfig dependencies

    Make the option SBP2_PHYS_DMA available on all architectures where it
    compiles. This includes x86-64 where I runtime-tested it successfully.

    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>

commit a9c2f18800753c82c45fc13b27bdc148849bdbb2
Author: Stefan Richter <[EMAIL PROTECTED]>
Date:   Wed Aug 1 20:30:36 2007 +0200

    ieee1394: revert "sbp2: enforce 32bit DMA mapping"

    Revert commit 0555659d63c285ceb7ead3115532e1b71b0f27a7 from 2.6.22-rc1.
    The dma_set_mask call somehow failed on a PowerMac G5, PPC64:
    http://lkml.org/lkml/2007/8/1/344

    Should there ever occur a DMA mapping beyond the physical DMA range, a
    proper SBP-2 firmware will report transport errors. So let's leave it
    at that.

    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>
    Tested-by: Olaf Hering <[EMAIL PROTECTED]>

diff --git a/drivers/firewire/fw-ohci.c b/drivers/firewire/fw-ohci.c index db70375..7e427b4 100644 --- a/drivers/firewire/fw-ohci.c +++ b/drivers/firewire/fw-ohci.c @@ -907,6 +907,8 @@ static void bus_reset_tasklet(unsigned long data) int self_id_count, i, j, reg; int generation, new_generation; unsigned long flags; + void *free_rom = NULL; + dma_addr_t free_rom_bus = 0; reg = reg_read(ohci, OHCI1394_NodeID); if (!(reg & OHCI1394_NodeID_idValid)) { @@ -970,8 +972,8 @@ static void bus_reset_tasklet(unsigned long data) */ if (ohci->next_config_rom != NULL) { - dma_free_coherent(ohci->card.device, CONFIG_ROM_SIZE, - ohci->config_rom, ohci->config_rom_bus); + free_rom = ohci->config_rom; + free_rom_bus = ohci->config_rom_bus; ohci->config_rom = ohci->next_config_rom; ohci->config_rom_bus = ohci->next_config_rom_bus; ohci->next_config_rom = NULL; 
@@ -990,6 +992,10 @@ static void bus_reset_tasklet(unsigned long data) spin_unlock_irqrestore(&ohci->lock, flags); + if (free_rom) + dma_free_coherent(ohci->card.device, CONFIG_ROM_SIZE, + free_rom, free_rom_bus); + fw_core_handle_bus_reset(&ohci->card, ohci->node_id, generation, self_id_count, ohci->self_id_buffer); } @@ -1186,7 +1192,7 @@ ohci_set_config_rom(struct fw_card *card, u32 *config_rom, size_t length) { struct fw_ohci *ohci; unsigned long flags; - int retval = 0; + int retval = -EBUSY; __be32 *next_config_rom; dma_addr_t next_config_rom_bus; @@ -1240,10 +1246,7 @@ ohci_set_config_rom(struct fw_card *card, u32 *config_rom, size_t length)
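Review bot: In bus_reset_tasklet(), the deferred dma_free_coherent() after spin_unlock_irqrestore(&ohci->lock, flags) carries no comment explaining why the free was moved out of the locked region, and the changelog for this commit is a title with no body. A short comment at the "if (free_rom)" block stating that dma_free_coherent() must not be called with IRQs disabled would stop a later cleanup from folding the free back under ohci->lock, and the same sentence belongs in the commit message.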
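Review bot: In ohci_set_config_rom(), switching the initialiser from "int retval = 0" to "int retval = -EBUSY" makes failure the default, so the success path now has to assign 0 explicitly. The hunk at -1240 that would show this is not complete in the lines visible here; check that every path which installs next_config_rom ends with retval = 0. The changelog should also mention the return-value change, since the commit title only speaks about dma_free_coherent().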