linux.git/drivers/firewire, branch v3.7-rc2 Linux kernel source tree firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel) 2012-10-09T16:26:28+00:00 Stefan Richter stefanr@s5r6.in-berlin.de 2012-10-06T12:12:56+00:00 790198f74c9d1b46b6a89504361b1a844670d050 Fix two bugs of the /dev/fw* character device concerning the FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset. (Practically all /dev/fw* clients issue this ioctl right after opening the device.) Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36 without natural alignment and 40 with natural alignment. 1) Memory corruption, affecting i386 userland on amd64 kernel: Userland reserves a 36 bytes large buffer, kernel writes 40 bytes. This has been first found and reported against libraw1394 if compiled with gcc 4.7 which happens to order libraw1394's stack such that the bug became visible as data corruption. 2) Information leak, affecting all kernel architectures except i386: 4 bytes of random kernel stack data were leaked to userspace. Hence limit the respective copy_to_user() to the 32-bit aligned size of struct fw_cdev_event_bus_reset. Reported-by: Simon Kirby <sim@hostway.ca> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: stable@kernel.org 
Fix two bugs of the /dev/fw* character device concerning the
FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
(Practically all /dev/fw* clients issue this ioctl right after opening
the device.)

Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
without natural alignment and 40 with natural alignment.

 1) Memory corruption, affecting i386 userland on amd64 kernel:
    Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
    This has been first found and reported against libraw1394 if
    compiled with gcc 4.7 which happens to order libraw1394's stack such
    that the bug became visible as data corruption.

 2) Information leak, affecting all kernel architectures except i386:
    4 bytes of random kernel stack data were leaked to userspace.

Hence limit the respective copy_to_user() to the 32-bit aligned size of
struct fw_cdev_event_bus_reset.

Reported-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: stable@kernel.org
firewire: addendum to address handler RCU conversion 2012-09-28T09:47:42+00:00 Stefan Richter stefanr@s5r6.in-berlin.de 2012-09-27T19:46:09+00:00 4d50c44381c981c9caa74e82ab894d4938dac9ca Follow up on commit c285f6ff6787 "firewire: remove global lock around address handlers, convert to RCU": - address_handler_lock no longer serializes the address handler, only its function to serialize updates to the list of handlers remains. Rename the lock to address_handler_list_lock. - Callers of fw_core_remove_address_handler() must be able to sleep. Comment on this in the API documentation. - The counterpart fw_core_add_address_handler() is by nature something which is used in process context. Replace spin_lock_bh() by spin_lock() in fw_core_add_address_handler() and in fw_core_remove_address_handler(), and document that process context is now required for fw_core_add_address_handler(). - Extend the documentation of fw_address_callback_t. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Follow up on commit c285f6ff6787 "firewire: remove global lock around
address handlers, convert to RCU":

  - address_handler_lock no longer serializes the address handler, only
    its function to serialize updates to the list of handlers remains.
    Rename the lock to address_handler_list_lock.

  - Callers of fw_core_remove_address_handler() must be able to sleep.
    Comment on this in the API documentation.

  - The counterpart fw_core_add_address_handler() is by nature something
    which is used in process context.  Replace spin_lock_bh() by
    spin_lock() in fw_core_add_address_handler() and in
    fw_core_remove_address_handler(), and document that process context
    is now required for fw_core_add_address_handler().

  - Extend the documentation of fw_address_callback_t.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: remove global lock around address handlers, convert to RCU 2012-09-28T09:47:41+00:00 Peter Hurley peter@hurleysoftware.com 2012-08-19T06:50:02+00:00 35202f7d8420fff586b372422a2419affeaba8ef Upper-layer handlers for inbound requests were called with a spinlock held by firewire-core. Calling into upper layers with a lower layer lock held is generally a bad idea. What's more, since commit ea102d0ec475 "firewire: core: convert AR-req handler lock from _irqsave to _bh", a caller of fw_send_request() i.e. initiator of outbound request could no longer do that while having interrupts disabled, if the local node was addressed by that request. In order to make all this more flexible, convert the management of address ranges and handlers from a global lock around readers and writers to RCU (and a remaining global lock for writers). As a minor side effect, handling of inbound requests at different cards and of local requests is now no longer serialized. (There is still per-card serialization of remote requests since firewire-ohci uses a single DMA tasklet for inbound request events.) In other words, address handlers are now called in an RCU read-side critical section instead of from within a spin_lock_bh serialized section. (Changelog rewritten by Stefan R.) Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Upper-layer handlers for inbound requests were called with a spinlock
held by firewire-core.  Calling into upper layers with a lower layer
lock held is generally a bad idea.

What's more, since commit ea102d0ec475 "firewire: core: convert AR-req
handler lock from _irqsave to _bh", a caller of fw_send_request() i.e.
initiator of outbound request could no longer do that while having
interrupts disabled, if the local node was addressed by that request.

In order to make all this more flexible, convert the management of
address ranges and handlers from a global lock around readers and
writers to RCU (and a remaining global lock for writers).  As a minor
side effect, handling of inbound requests at different cards and of
local requests is now no longer serialized.  (There is still per-card
serialization of remote requests since firewire-ohci uses a single DMA
tasklet for inbound request events.)

In other words, address handlers are now called in an RCU read-side
critical section instead of from within a spin_lock_bh serialized
section.

(Changelog rewritten by Stefan R.)

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: ohci: get IR bit from TSB41BA3D phy 2012-09-25T14:18:17+00:00 Stephan Gatzka stephan.gatzka@gmail.com 2012-09-03T19:17:50+00:00 52439d605d6604c15954281a1d2831471dbd024c In case of a self constructed selfID packet this patch correctly determines the information if the TSB41BA3D phy initiated a bus reset. Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
In case of a self constructed selfID packet this patch correctly
determines the information if the TSB41BA3D phy initiated a bus reset.

Signed-off-by: Stephan Gatzka <stephan.gatzka@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: core: feed /dev/random with devices' GUIDs 2012-09-25T14:18:17+00:00 Clemens Ladisch clemens@ladisch.de 2012-08-13T07:08:41+00:00 badfcb24891ccd6d37750864b97586af8ab052c3 Send the GUIDs of newly registered controllers and devices to the /dev/random driver to help seed its pools. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Send the GUIDs of newly registered controllers and devices
to the /dev/random driver to help seed its pools.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Merge tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 2012-07-30T16:32:39+00:00 Linus Torvalds torvalds@linux-foundation.org 2012-07-30T16:32:39+00:00 148b729b9f51a78c1a024369bdcdc592f01103d4 Pull firewire updates from Stefan Richter: - Small fixes and optimizations. - A new sysfs attribute to tell local and remote nodes apart. Useful to set special permissions/ ownership of local nodes' /dev/fw*, to start daemons on them (for diagnostics, management, AV targets, VersaPHY initiator or targets...), to pick up their GUID to use it as GUID of an SBP2 target instance, and of course for informational purposes. * tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: firewire: core: document is_local sysfs attribute firewire: core: add is_local sysfs device attribute firewire: ohci: initialize multiChanMode bits after reset firewire: core: fix multichannel IR with buffers larger than 2 GB firewire: ohci: sanity-check MMIO resource firewire: ohci: lazy bus time initialization firewire: core: allocate the low memory region firewire: core: make address handler length 64 bits 
Pull firewire updates from Stefan Richter:

 - Small fixes and optimizations.

 - A new sysfs attribute to tell local and remote nodes apart.
   Useful to set special permissions/ ownership of local nodes'
   /dev/fw*, to start daemons on them (for diagnostics, management,
   AV targets, VersaPHY initiator or targets...), to pick up their
   GUID to use it as GUID of an SBP2 target instance, and of course
   for informational purposes.

* tag 'firewire-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: core: document is_local sysfs attribute
  firewire: core: add is_local sysfs device attribute
  firewire: ohci: initialize multiChanMode bits after reset
  firewire: core: fix multichannel IR with buffers larger than 2 GB
  firewire: ohci: sanity-check MMIO resource
  firewire: ohci: lazy bus time initialization
  firewire: core: allocate the low memory region
  firewire: core: make address handler length 64 bits
firewire: core: add is_local sysfs device attribute 2012-06-30T08:49:06+00:00 Clemens Ladisch clemens@ladisch.de 2012-06-17T14:40:36+00:00 baedee177e6c553af455865718971d9a9c75e537 Making this information available in sysfs allows to differentiate between controllers in the local and remote Linux PCs, and thus is useful for servers that are started with udev rules. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
Making this information available in sysfs allows to differentiate
between controllers in the local and remote Linux PCs, and thus is
useful for servers that are started with udev rules.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: ohci: initialize multiChanMode bits after reset 2012-06-17T17:35:26+00:00 Clemens Ladisch clemens@ladisch.de 2012-06-13T20:29:20+00:00 e18907cc8a3cd6e09510632b753b8b6fefa1752a OHCI 1.1 says: | Since the value of this bit is undefined after reset in all IR | contexts, software shall initialize this bit to zero in all contexts | whether or not active to maintain the exclusive nature of this bit. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
OHCI 1.1 says:
| Since the value of this bit is undefined after reset in all IR
| contexts, software shall initialize this bit to zero in all contexts
| whether or not active to maintain the exclusive nature of this bit.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: core: fix multichannel IR with buffers larger than 2 GB 2012-06-17T17:35:26+00:00 Clemens Ladisch clemens@ladisch.de 2012-06-13T20:28:24+00:00 9d23f9e946ad757344792a20ba5152f3a921688b With a 32-bit i, computing i<<PAGE_SHIFT might result in an overflow and in an eventual sign-extension. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
With a 32-bit i, computing i<<PAGE_SHIFT might result in
an overflow and in an eventual sign-extension.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: ohci: sanity-check MMIO resource 2012-06-04T22:57:37+00:00 Clemens Ladisch clemens@ladisch.de 2012-06-04T19:28:07+00:00 7baab9acfb25934a32541d617cbc676abd1fbf5b pci_request_region() does not fail on resources that have not been allocated by the BIOS or by the kernel, so to avoid accessing registers that are not there, we have to check for this explicitly. Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> 
pci_request_region() does not fail on resources that have not been
allocated by the BIOS or by the kernel, so to avoid accessing
registers that are not there, we have to check for this explicitly.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>