Age | Commit message (Collapse) | Author | Files | Lines |
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: core: ignore link-active bit of new nodes, fix device recognition
firewire: sbp2: revert obsolete 'fix stall with "Unsolicited response"'
firewire: core: increase default SPLIT_TIMEOUT value
firewire: ohci: Misleading kfree in ohci.c::pci_probe/remove
firewire: ohci: omit IntEvent.busReset check rom AT queueing
firewire: ohci: prevent starting of iso contexts with empty queue
firewire: ohci: prevent iso completion callbacks after context stop
firewire: core: rename some variables
firewire: nosy: should work on Power Mac G4 PCI too
firewire: core: fix card->reset_jiffies overflow
firewire: cdev: remove unneeded reference
firewire: cdev: always wait for outbound transactions to complete
firewire: cdev: remove unneeded idr_find() from complete_transaction()
firewire: ohci: log dead DMA contexts
|
|
Like the older ieee1394 core driver, firewire-core skipped scanning of
any new node whose PHY sent a self ID without "link active" bit. If a
device had this bit off mistakenly, it meant that it was inaccessible to
kernel drivers with the old IEEE 1394 driver stack but could still be
accessed by userspace drivers through the raw1394 interface.
But with firewire-core, userspace drivers don't get to see such buggy
devices anymore. This is effectively a driver regression since this
device bug is otherwise harmless.
We now attempt to scan all devices, even repeaters that don't have a
link or powered-down devices that have everything but their PHY shut
down when plugged in. This results in futile repeated scanning attempts
in case of such devices that really don't have an active link, but this
doesn't hurt since recent workqueue infrastructure lets us run more
concurrent scanning jobs than we can shake a stick at.
This should fix accessibility of Focusrite Saffire PRO 26 I/O:
http://sourceforge.net/mailarchive/forum.php?thread_name=20110314215622.5c751bb0%40stein&forum_name=ffado-user
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Now that firewire-core sets the local node's SPLIT_TIMEOUT to 2 seconds
per default, commit a481e97d3cdc40b9d58271675bd4f0abb79d4872 is no
longer required.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The SPLIT_TIMEOUT mechanism is intended to detect requests that somehow
got lost. However, when the timeout value is too low, transactions that
could have been completed successfully will be cancelled. Furthermore,
there are chips whose firmwares ignore the configured split timeout and
send late split response; known examples are the DM1x00 (BeBoB), TCD22x0
(DICE), and some OXUF936QSE firmwares.
This patch changes the default timeout to two seconds, which happens to
be the default on other OSes, too.
Actual lost requests are extremely rare, so there should be no practical
downside to increasing the split timeout even on devices that work
correctly.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add a driver for two playback-only FireWire devices based on the OXFW970
chip.
v2: better AMDTP API abstraction; fix fw_unit leak; small fixes
v3: cache the iPCR value
v4: FireWave constraints; fix fw_device reference counting;
fix PCR caching; small changes and fixes
v5: volume/mute support; fix crashing due to pcm stop races
v6: fix build; one-channel volume for LaCie
v7: use signed values to make volume (range checks) work; fix function
block IDs for volume/mute; always use channel 0 for LaCie volume
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Acked-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Jay Fenlason <fenlason@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
It seems drivers/firewire/ohci.c is making some optimistic assumptions
about struct fw_ohci and that member "card" will always remain the first
member of the struct.
Plus it's probably going to confuse a lot of static code analyzers too.
So I wonder if there is a good reason not to free the ohci struct just
like it was allocated instead of the tricky &ohci->card way?
Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
It is perhaps just a rudiment from before mainline submission of the
driver.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Since commit 82b662dc4102 "flush AT contexts after bus reset for OHCI 1.2",
the driver takes care of any AT packets that were enqueued during a bus
reset phase. The check from commit 76f73ca1b291 is therefore no longer
necessary and the MMIO read can be avoided.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
If a misguided program tried to start an isochronous context before it
has queued any packets, the call would appear to succeed, but the
context would not actually go into the running state, and the OHCI
controller would then raise an unrecoverableError interrupt because the
first Z value is zero and thus invalid. The driver logs such errors,
but there is no mechanism to report this back to the program.
Add an explicit check so that this error can be returned synchronously.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
To prevent the iso packet callback from being called after
fw_iso_context_stop() has returned, make sure that the
context's tasklet has finished executing before that.
This fixes access-after-free bugs that have so far been
observed only in the upcoming snd-firewire-speakers driver,
but can theoretically also happen in the firedtv driver.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
In manage_channel(), rename the variables "c" and "i" to the more
expressive "bit" and "channel".
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The first board generation of Power Mac G4 ("Yikes!", those with PCI
graphics) still had a PCILynx controller like their G3 predecessors,
but not the later AGP models. (Jonathan Woithe recalls to have heard
of it, and some web sources reinforce it.)
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
On a 32-bit machine with, e.g., HZ=1000, jiffies will overflow after
about 50 days, so if there are between 25 and 50 days between bus
resets, the card->reset_jiffies comparisons can get wrong results.
To fix this, ensure that this timestamp always uses 64 bits.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: "Stefan Richter" <stefanr@s5r6.in-berlin.de>
|
|
For outbound transactions, the IDR's and the callback's references now
have exactly the same lifetime, so we do not need both of them.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: "Stefan Richter" <stefanr@s5r6.in-berlin.de>
|
|
We must not use fw_cancel_transaction() because it cannot correctly
abort still-active transactions. The only place in core-cdev where this
matters is when the file is released. Instead of trying to abort the
transactions, we wait for them to complete normally, i.e., until all
outbound transaction resources have been removed from the IDR tree.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: "Stefan Richter" <stefanr@s5r6.in-berlin.de>
|
|
Outbound transactions are never aborted with release_client_resource(),
so it is not necessary for complete_transaction() to check whether the
resource is still registered. Only shutdown_resource() can abort such
an transaction, and this is already handled with the in_shutdown check.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: "Stefan Richter" <stefanr@s5r6.in-berlin.de>
|
|
When a DMA context goes into the dead state (and the controller thus
stops working correctly), logging this error and the controller's error
code might be helpful for debugging.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: core: fix unstable I/O with Canon camcorder
* 'fwnet' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: net: is not experimental anymore
firewire: net: invalidate ARP entries of removed nodes
|
|
thanks to Clemens' and Maxim's fixes to firewire-ohci and -net in the
last two kernel releases.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
This makes it possible to resume communication with a node that dropped
off the bus for a brief period. Otherwise communication will only be
possible after ARP cache entry timeouts.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (rebased)
|
|
Regression since commit 10389536742c, "firewire: core: check for 1394a
compliant IRM, fix inaccessibility of Sony camcorder":
The camcorder Canon MV5i generates lots of bus resets when asynchronous
requests are sent to it (e.g. Config ROM read requests or FCP Command
write requests) if the camcorder is not root node. This causes drop-
outs in videos or makes the camcorder entirely inaccessible.
https://bugzilla.redhat.com/show_bug.cgi?id=633260
Fix this by allowing any Canon device, even if it is a pre-1394a IRM
like MV5i are, to remain root node (if it is at least Cycle Master
capable). With the FireWire controller cards that I tested, MV5i always
becomes root node when plugged in and left to its own devices.
Reported-by: Ralf Lange
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org> # 2.6.32.y and newer
|
|
PAGE_KERNEL_RO is not available on all architectures, so its use
in the new AR code broke compilation on sparc64.
Because the read-only mapping was just a debugging aid, just use
PAGE_KERNEL instead.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
James Bottomley wrote:
> On Thu, 2011-01-13 at 08:27 +0100, Clemens Ladisch wrote:
>> firewire: ohci: fix compilation on arches without PAGE_KERNEL_RO, e.g. sparc
>>
>> PAGE_KERNEL_RO is not available on all architectures, so its use in the
>> new AR code broke compilation on sparc64.
>>
>> Because the R/O mapping is only used to catch drivers that try to write
>> to the reception buffer and not actually required for correct operation,
>> we can just use a normal PAGE_KERNEL mapping where _RO is not available.
[...]
>> +/*
>> + * For archs where PAGE_KERNEL_RO is not supported;
>> + * mapping the AR buffers readonly for the CPU is just a debugging aid.
>> + */
>> +#ifndef PAGE_KERNEL_RO
>> +#define PAGE_KERNEL_RO PAGE_KERNEL
>> +#endif
>
> This might cause interesting issues on sparc64 if it ever acquired a
> PAGE_KERNEL_RO. Sparc64 has extern pgprot_t for it's PAGE_KERNEL types
> rather than #defines, so the #ifdef check wouldn't see this.
>
> I think either PAGE_PROT_RO becomes part of our arch API (so all
> architectures are forced to add it), or, if it's not part of the API,
> ohci isn't entitled to use it. The latter seems simplest since you have
> no real use for write protection anyway.
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Instead of starting the split transaction timeout timer when any request
is submitted, start it only when the destination's ACK_PENDING has been
received. This prevents us from using a timeout that is too short, and,
if the controller's AT queue is emptying very slowly, from cancelling
a packet that has not yet been sent.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
"firewire: ohci: restart iso DMA contexts on resume from low power mode"
added the flag struct context.active and "firewire: ohci: cache the
context run bit" added struct context.running.
These flags contain the same information; combine them.
Also, normalize whitespace in pci_resume().
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The DMA context run control bit is entirely controlled by software, so
it is safe to cache it. This allows the driver to avoid doing an
additional MMIO read when queueing an AT packet.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add comments
- on why bus_reset_tasklet flushes AT queues,
- that commit 76f73ca1b291 can possibly be reverted now.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Jarod Wilson <jarod@redhat.com>
|
|
The OHCI 1.2 (draft) specification, clause 7.2.3.3, allows and
recommends that, after a bus reset, the controller does not flush all
the packets in the AT queues. Therefore, the driver has to do this
itself.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
At ifup, carrier status would be shown on even if it actually was off.
Also add an include for ethtool_ops rather than to rely on the one from
netdevice.h.
Note, we can alas not use fwnet_device_mutex to serialize access to
dev->peer_count (as I originally wanted). This would cause a lock
inversion:
- fwnet_probe | takes fwnet_device_mutex
+ register_netdev | takes rtnl_mutex
- devinet_ioctl | takes rtnl_mutex
+ fwnet_open | ...must not take fwnet_device_mutex
Hence use the dev->lock spinlock for serialization.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
To make userland, e.g. NetworkManager work with firewire, we need to
detect whether cable is plugged or not. Simple and correct way of doing
that is just counting number of peers. No peers - no link and vice
versa.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Unfortunately its easy to trigger such error messages by removing the
cable while sending streams of data over the link.
Such errors are normal, and therefore this patch stops firewire-net from
flooding the kernel log with these errors, by combining series of same
errors together.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
(Stefan R:) Eventually we should remove this logging when firewire-net
and related firewire-ohci facilities have been stabilized.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Restore iso channels DMA so that iso channels could continue to work
after resume from RAM/disk.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Some lousy BIOSes, e.g. my Aspire 5720 BIOS forget to restore the GUID
register on resume from RAM.
Fix that by setting it to the last value that was read from it.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The buffers used for the selfIDs packets and the AR request and response
descriptors end up using three pages because dma_alloc_coherent()
allocates at least one page per call. However, these data structures
would all fit into 4 KB, so we can save space by using a common buffer
for them.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When the isochRx/isochTx bit is clear, we do not need to read the
corresponding iso interrupt event register.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Change the header of PHY packets to be sent to include a pseudo
transaction code. This makes the header consistent with that of
received PHY packets, and allows at_context_queue_packet() and
log_ar_at_event() to see the packet type directly instead of having
to deduce it from the header length or even from the header contents.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
To remove the error information from the controller's queue and to allow
more posted writes, the driver has to read the failed posted write
address before clearing the postedWriteErr interrupt bit.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
(Stefan R:) The spec is somewhat fuzzy about the actual requirements.
To err on the safe side, let's do these two read accesses.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Make sure that interrupt event clear bit writes are executed before the
interrupt handler returns.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add proper error handling for the context_init() calls.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Move the AR DMA descriptors out of the buffer pages, and map the buffer
pages linearly into the kernel's address space. This allows the driver
to ignore any page boundaries in the DMA data and thus to avoid any
copying around of packet payloads.
This fixes the bug where S800 packets that are so big (> 4080 bytes)
that they can be split over three pages were not handled correctly.
Due to the changed algorithm, we can now use arbitrarily many buffer
pages, which improves performance because the controller can more easily
unload its DMA FIFO.
Furthermore, using streaming DMA mappings should improve perfomance on
architectures where coherent DMA mappings are not cacheable. Even on
other architectures, the caching behaviour should be improved slightly
because the CPU no longer writes to the buffer pages.
v2: Detect the last filled buffer page by searching the descriptor's
residual count value fields in order (like in the old code), instead
of going backwards through the transfer status fields; it looks as
if some controllers do not set the latter correctly.
v3: Fix an old resume bug that would now make the handler run into
a BUG_ON, and replace that check with more useful error handling.
Increase the buffer size for better performance with non-TI chips.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Maxim Levitsky writes:
Works almost perfectly. I can still see RCODE_BUSY errors
sometimes, not very often though. 64K here eliminates these errors
completely. This is most likely due to nouveau drivers and lowest
perf level I use to lower card temperature. That increases
latencies too much I think. Besides that the IO is just perfect.
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add missing newlines.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Amend .open handler accordingly and remove the .llseek handler.
.llseek = NULL means no_llseek (return error) since commit 776c163b1b93.
The only client that uses this interface is nosy-dump in linux/tools/firewire
and it knows not to seek in this char dev.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Agere FW643 rev 06, listed as "11c1:5901 (rev 06) (prog-if 10 [OHCI])",
produced SBP-2 I/O errors since kernel 2.6.36. Disabling MSI fixes it.
Since MSI work on Agere FW643-E (same vendor and device ID, but rev 07),
introduce a device revision field into firewire-ohci's quirks list so
that different quirks can be defined for older and newer revisions.
Reported-by: Jonathan Isom <jeisom@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org> # 2.6.36.y
|
|
"VIA Technologies, Inc. VT6315 Series Firewire Controller [1106:3403]"
does not generate any interrupts if Message Signaled Interrupts were
enabled. This is a regression since kernel 2.6.36 in which MSI support
was added to firewire-ohci. Hence blacklist MSI on all VIA controllers.
Reported-by: Robin Cook <rcook@wyrms.net>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org> # 2.6.36.y
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'fwnet' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: net: throttle TX queue before running out of tlabels
firewire: net: replace lists by counters
firewire: net: fix memory leaks
firewire: net: count stats.tx_packets and stats.tx_bytes
|
|
This prevents firewire-net from submitting write requests in fast
succession until failure due to all 64 transaction labels were used up
for unfinished split transactions. The netif_stop/wake_queue API is
used for this purpose.
Without this stop/wake mechanism, datagrams were simply lost whenever
the tlabel pool was exhausted. Plus, tlabel exhaustion by firewire-net
also prevented other unrelated outbound transactions to be initiated.
The chosen queue depth was checked by me to hit the maximum possible
throughput with an OS X peer whose receive DMA is good enough to never
reject requests due to busy inbound request FIFO. Current Linux peers
show a mixed picture of -5%...+15% change in bandwidth; their current
bottleneck are RCODE_BUSY situations (fewer or more, depending on TX
queue depth) due to too small AR buffer in firewire-ohci.
Maxim Levitsky tested this change with similar watermarks with a Linux
peer and some pending firewire-ohci improvements that address the
RCODE_BUSY problem and confirmed that these TX queue limits are good.
Note: This removes some netif_wake_queue from reception code paths.
They were apparently copy&paste artefacts from a nonsensical
netif_wake_queue use in the older eth1394 driver. This belongs only
into the transmit path.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
|
|
The current transmit code does not at all make use of
- fwnet_device.packet_list
and only very limited use of
- fwnet_device.broadcasted_list,
- fwnet_device.queued_packets.
Their current function is to track whether the TX soft-IRQ finished
dealing with an skb when the AT-req tasklet takes over, and to discard
pending tx datagrams (if there are any) when the local node is removed.
The latter does actually contain a race condition bug with TX soft-IRQ
and AT-req tasklet.
Instead of these lists and the corresponding link in fwnet_packet_task,
- a flag in fwnet_packet_task to track whether fwnet_tx is done,
- a counter of queued datagrams in fwnet_device
do the job as well.
The above mentioned theoretic race condition is resolved by letting
fwnet_remove sleep until all datagrams were flushed. It may sleep
almost arbitrarily long since fwnet_remove is executed in the context of
a multithreaded (concurrency managed) workqueue.
The type of max_payload is changed to u16 here to avoid waste in struct
fwnet_packet_task. This value cannot exceed 4096 per IEEE 1394:2008
table 16-18 (or 32678 per specification of packet headers, if there is
ever going to be something else than beta mode).
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
a) fwnet_transmit_packet_done used to poison ptask->pt_link by list_del.
If fwnet_send_packet checked later whether it was responsible to clean
up (in the border case that the TX soft IRQ was outpaced by the AT-req
tasklet on another CPU), it missed this because ptask->pt_link was no
longer shown as empty.
b) If fwnet_write_complete got an rcode other than RCODE_COMPLETE, we
missed to free the skb and ptask entirely.
Also, count stats.tx_dropped and stats.tx_errors when rcode != 0.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Move the mid-layer's ->queuecommand() invocation from being locked
with the host lock to being unlocked to facilitate speeding up the
critical path for drivers who don't need this lock taken anyway.
The patch below presents a simple SCSI host lock push-down as an
equivalent transformation. No locking or other behavior should change
with this patch. All existing bugs and locking orders are preserved.
Additionally, add one parameter to queuecommand,
struct Scsi_Host *
and remove one parameter from queuecommand,
void (*done)(struct scsi_cmnd *)
Scsi_Host* is a convenient pointer that most host drivers need anyway,
and 'done' is redundant to struct scsi_cmnd->scsi_done.
Minimal code disturbance was attempted with this change. Most drivers
needed only two one-line modifications for their host lock push-down.
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Acked-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: ohci: fix race when reading count in AR descriptor
firewire: ohci: avoid reallocation of AR buffers
firewire: ohci: fix race in AR split packet handling
firewire: ohci: fix buffer overflow in AR split packet handling
|
|
If the controller is storing a split packet and therefore changing
d->res_count to zero between the two reads by the driver, we end up with
an end pointer that is not at a packet boundary, and therefore overflow
the buffer when handling the split packet.
To fix this, read the field once, atomically. The compiler usually
merges the two reads anyway, but for correctness, we have to enforce it.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|