Age | Commit message (Collapse) | Author |
|
The PCIe device
FireWire (IEEE 1394) [0c00]: Ricoh Co Ltd FireWire Host Controller
[1180:e832] (prog-if 10 [OHCI])
is unable to access attached FireWire devices when MSI is enabled but
works if MSI is disabled.
http://www.mail-archive.com/alsa-user@lists.sourceforge.net/msg28251.html
Hence add the "disable MSI" quirks flag for this device, or in fact for
safety and simplicity for all current (R5U230, R5U231, R5U240) and
future Ricoh PCIe 1394 controllers.
Reported-by: Stefan Thomas <kontrapunktstefan@googlemail.com>
Cc: 2.6.36+ <stable@vger.kernel.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The Audigy's SB1394 controller is actually from Texas Instruments
and has the same bus reset packet generation bug, so it needs the
same quirk entry.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.36+ <stable@vger.kernel.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add the dma_sync_single_* calls necessary to ensure proper cache
synchronization for isochronous data buffers on non-coherent
architectures.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
If a device's firmware initiates a bus reset by setting the IBR bit in
PHY register 1 without resetting the gap count field to 63 (and without
having sent a PHY configuration packet beforehand), the gap count of
this node will remain at the old value after the bus reset and thus be
inconsistent with the gap count on all other nodes.
The bus manager is supposed to detect the inconsistent gap count values
in the self ID packets and correct them by issuing another bus reset.
However, if the buggy device happens to be the cycle master, and if it
sends a cycle start packet immediately after the bus reset (which is
likely after a long bus reset), then the time between the end of the
selfID phase and the start of the cycle start packet will be based on
the too-small gap count value, so this gap will be too short to be
detected as a subaction gap by the other nodes. This means that the
cycle start packet will be assumed to be self ID data, and will be
stored after the actual self ID quadlets in the self ID buffer.
This garbage in the self ID buffer made firewire-core ignore all of the
self ID data, and thus prevented the Linux bus manager from correcting
the problem. Furthermore, because the bus reset handling was aborted
completely, asynchronous transfers would be no longer handled correctly,
and fw_run_transaction() would hang until the next bus reset.
To fix this, make the detection of inconsistent self IDs more
discriminating: If the invalid data in the self ID buffer looks like
a cycle start packet, we can assume that the previous data in the buffer
is correctly received self ID information, and process it normally.
(We inspect only the first quadlet of the cycle start packet, because
this value is different enough from any valid self ID quadlet, and many
controllers do not store the cycle start packet in five quadlets because
they expect self ID data to have an even number of quadlets.)
This bug has been observed when a bus-powered DesktopKonnekt6 is
switched off with its power button.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Change memory region to ohci "middle address space". This effectively
reduces the number of packets by 50%.
[Stefan R.:] This eliminates 1394 ack packets and improved throughput
by a few percent in some tests with an S400a connection with and without
gap count optimization. Since firewire-net taxes the AR-req DMA unit of
a FireWire controller much more than firewire-sbp2 (which uses the
middle address space with PCI posted writes too), this commit also
changes a related error printk into a ratelimited one as a precaution.
Side note: The IPv4-over-1394 drivers of Mac OS X 10.4, Windows XP SP3,
and the Thesycon 1394 bus driver for Windows all use the middle address
space too.
Signed-off-by: Stephan Gatzka <stephan@gatzka.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Takes less source code and machine code, and less runtime with PHYs
other than TSB41BA3D (e.g. TSB81BA3 with device ID 0x831304 which takes
one instead of six read_paged_phy_reg now).
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Fix: phy_reg_mutex must be held over the write/read_phy_reg pair which
gets PHY port status.
Only print to the log when a TSB41BA3D was found. By far most TSB82AA2
cards have a TSB81BA3, and firewire-ohci can keep quiet about that.
Shorten some strings and comments. Change some whitespace.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
This patch implements a work around for the Texas Instruments PHY
TSB41BA3D. This phy has a bug at least in combination with the TI LLCs
TSB82AA2B and TSB12LV26. The selfid coming from the locally connected
phy is not propagated into the selfid buffer of the OHCI (see
http://www.ti.com/litv/pdf/sllz059 for details). The main idea is to
construct the selfid ourselves.
Signed-off-by: Stephan Gatzka <stephan@gatzka.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Code inside bus_reset_work may now sleep. This is a prerequisite to
support a phy from Texas Instruments cleanly. The patch to support this
phy will be submitted later.
Signed-off-by: Stephan Gatzka <stephan@gatzka.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
This fixes https://bugs.launchpad.net/ubuntu/+source/linux/+bug/801719 .
An O2Micro PCI Express FireWire controller,
"FireWire (IEEE 1394) [0c00]: O2 Micro, Inc. Device [1217:11f7] (rev 05)"
which is a combination device together with an SDHCI controller and some
sort of storage controller, misses SBP-2 status writes from an attached
FireWire HDD. This problem goes away if MSI is disabled for this
FireWire controller.
The device reportedly does not require QUIRK_CYCLE_TIMER.
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (amended changelog)
Cc: <stable@kernel.org>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: ohci: fix DMA unmapping in an error path
firewire: cdev: fix 32 bit userland on 64 bit kernel compat corner cases
|
|
If request_irq failed, we would pass wrong arguments to
dma_free_coherent. https://bugzilla.redhat.com/show_bug.cgi?id=728185
Reported-by: Mads Kiilerich
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: document the sysfs ABIs
firewire: cdev: ABI documentation enhancements
firewire: cdev: prevent race between first get_info ioctl and bus reset event queuing
firewire: cdev: return -ENOTTY for unimplemented ioctls, not -EINVAL
firewire: ohci: skip soft reset retries after card ejection
firewire: ohci: fix PHY reg access after card ejection
firewire: ohci: add a comment on PHY reg access serialization
firewire: ohci: reduce potential context_stop latency
firewire: ohci: remove superfluous posted write flushes
firewire: net: replacing deprecated __attribute__((packed)) with __packed
|
|
When firewire-ohci is bound to a Pinnacle MovieBoard, eventually a
"Register access failure" is logged and an interrupt storm or a kernel
panic happens. https://bugzilla.kernel.org/show_bug.cgi?id=36622
Until this is sorted out (if that is going to succeed at all), let's
just prevent firewire-ohci from touching these devices.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org>
|
|
The software reset in firewire-ohci's pci_remove does not have a great
prospect of success if the card was already physically removed at this
point. So let's skip the 500 ms that were spent in retries here.
Also, replace a defined constant by its open-coded value. This is not a
constant from a specification but an arbitrarily chosen retry limit. It
was only used in this single place.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Detect and handle ejection of FireWire CardBus cards in PHY register
accesses:
- The last attempt of firewire-core to reset the bus during shutdown
caused a spurious "firewire_ohci: failed to write phy reg" error
message in the log. Skip this message as well as the prior retry
loop that needlessly took 100 milliseconds.
- In the unlikely case that a PHY register was read right after card
ejection, a bogus value was obtained and possibly acted upon.
Instead, fail the read attempt.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Stopping an isochronous reception DMA context takes two loop iterations
in context_stop on several controllers (JMicron, NEC, VIA). But there
is no extra delay necessary between these two reg_read trials; the MMIO
reads themselves are slow enough. Hence bring back the behavior from
before commit dd6254e5c0efe01ad255188898cb3dadf98cb56d "firewire: ohci:
remove superfluous posted write flushes" on these controllers by means
of an "if (i)" condition.
Isochronous context stop is performed in preemptible contexts (and only
rarely), hence this change is of little impact. (Besides, Agere and TI
controllers always, or almost always, have the context stopped already
at the first ContextControl read.)
More important is asynchronous transmit context stop, which is performed
while local interrupts are disabled (on the two AT DMAs in
bus_reset_tasklet, i.e. after a self-ID-complete event). In my
experience with several controllers, tested with a usermode AT-request
transmitter as well as with FTP transmission over firewire-net, the AT
contexts were luckily already stopped at the first ContextControl read,
i.e. never required another MMIO read let alone mdelay. A possible
explanation for this is that the controllers which I tested perhaps stop
AT DMA before they perform the self-ID reception DMA.
But we cannot be sure about that and should keep the interrupts-disabled
busy loop as short as possible. Hence, query the ContextControl
register in 1000 udelay(10) intervals instead of 10 udelay(1000)
intervals. I understand from an estimation by Clemens Ladisch that
stopping a busy DMA context should take microseconds or at worst tens of
microseconds, not milliseconds.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The call to flush_writes() in context_stop() is superfluous because
another register read is done immediately afterwards.
The call to flush_writes() in ar_context_run() does not need to be done
individually for each AR context, so move it to ohci_enable(). This
also makes ohci_enable() clearer because it no longer depends on a side
effect of ar_context_run() to flush its own register writes.
Finally, the setting of a context's wake bit does not need to be flushed
because neither the driver logic nor the API require the CPU to wait for
this action. This removes the last MMIO reads from the packet queueing
code paths.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When queueing iso packets, the run time is dominated by the two
MMIO accesses that set the DMA context's wake bit. Because most
drivers submit packets in batches, we can save much time by
removing all but the last wakeup.
The internal kernel API is changed to require a call to
fw_iso_context_queue_flush() after a batch of queued packets.
The user space API does not change, so one call to
FW_CDEV_IOC_QUEUE_ISO must specify multiple packets to take
advantage of this optimization.
In my measurements, this patch reduces the time needed to queue
fifty skip packets from userspace to one sixth on a 2.5 GHz CPU,
or to one third at 800 MHz.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
in order to pull in changes in drivers/media/dvb/firewire/ and
sound/firewire/.
|
|
Current implementation of ohci_set_config_rom() uses a deferred
bus reset via fw_schedule_bus_reset(). If clients add multiple
unit descriptors to the config_rom in quick succession, the
deferred bus reset may not have fired before succeeding update
requests have come in. This can lead to an incorrect partial
update of the config_rom for both addition and removal of
config_rom descriptors, as the ohci_set_config_rom() routine
will return -EBUSY if a previous pending update has not been
completed yet; the requested update just gets dropped on the floor.
This patch recognizes that the "in-flight" update can be modified
until it has been processed by the bus-reset, and the locking
in the bus_reset_tasklet ensures that the update is done atomically
with respect to modifications made by ohci_set_config_rom(). The
-EBUSY error case is simply removed.
[Stefan R: The bug always existed at least theoretically. But it
became easy to trigger since 2.6.36 commit 02d37bed188c "firewire: core:
integrate software-forced bus resets with bus management" which
introduced long mandatory delays between janitorial bus resets.]
Signed-off-by: Benjamin Buchalter <bj@mhlabs.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (trivial style changes)
Cc: <stable@kernel.org> # 2.6.36.y and newer
|
|
When z==2, the condition "key == 2" is superfluous because it cannot
occur without "b == 3", as a descriptor with b!=3 and key==2 would be
an OUTPUT_MORE_IMMEDIATE descriptor which cannot be used alone.
Also remove magic numbers and needless computations on the b field.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
For AT packet payloads of up to eight bytes, we have enough unused space
in the DMA descriptors list so that we can put a copy of the payload
there and thus avoid having to create a separate streaming DMA mapping
for the payload buffer.
In a CPU-bound microbenchmark that just sends 8-byte packets, bandwidth
was measured to increase by 5.7 %, from 1009 KB/s to 1067 KB/s. In
practice, the only performance-sensitive usage of small asynchronous
packets is the SBP-2 driver's write to the ORB_POINTER register during
SCSI command submission.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
OHCI 1.1 5.7.3 not only forbids enabling or starting any DMA contexts
before the linkEnable bit is set, but also explicitly warns of undefined
behaviour if this order is violated.
Don't violate it then.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
It seems drivers/firewire/ohci.c is making some optimistic assumptions
about struct fw_ohci and that member "card" will always remain the first
member of the struct.
Plus it's probably going to confuse a lot of static code analyzers too.
So I wonder if there is a good reason not to free the ohci struct just
like it was allocated instead of the tricky &ohci->card way?
Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
It is perhaps just a rudiment from before mainline submission of the
driver.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Since commit 82b662dc4102 "flush AT contexts after bus reset for OHCI 1.2",
the driver takes care of any AT packets that were enqueued during a bus
reset phase. The check from commit 76f73ca1b291 is therefore no longer
necessary and the MMIO read can be avoided.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
If a misguided program tried to start an isochronous context before it
has queued any packets, the call would appear to succeed, but the
context would not actually go into the running state, and the OHCI
controller would then raise an unrecoverableError interrupt because the
first Z value is zero and thus invalid. The driver logs such errors,
but there is no mechanism to report this back to the program.
Add an explicit check so that this error can be returned synchronously.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
To prevent the iso packet callback from being called after
fw_iso_context_stop() has returned, make sure that the
context's tasklet has finished executing before that.
This fixes access-after-free bugs that have so far been
observed only in the upcoming snd-firewire-speakers driver,
but can theoretically also happen in the firedtv driver.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When a DMA context goes into the dead state (and the controller thus
stops working correctly), logging this error and the controller's error
code might be helpful for debugging.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
PAGE_KERNEL_RO is not available on all architectures, so its use
in the new AR code broke compilation on sparc64.
Because the read-only mapping was just a debugging aid, just use
PAGE_KERNEL instead.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
James Bottomley wrote:
> On Thu, 2011-01-13 at 08:27 +0100, Clemens Ladisch wrote:
>> firewire: ohci: fix compilation on arches without PAGE_KERNEL_RO, e.g. sparc
>>
>> PAGE_KERNEL_RO is not available on all architectures, so its use in the
>> new AR code broke compilation on sparc64.
>>
>> Because the R/O mapping is only used to catch drivers that try to write
>> to the reception buffer and not actually required for correct operation,
>> we can just use a normal PAGE_KERNEL mapping where _RO is not available.
[...]
>> +/*
>> + * For archs where PAGE_KERNEL_RO is not supported;
>> + * mapping the AR buffers readonly for the CPU is just a debugging aid.
>> + */
>> +#ifndef PAGE_KERNEL_RO
>> +#define PAGE_KERNEL_RO PAGE_KERNEL
>> +#endif
>
> This might cause interesting issues on sparc64 if it ever acquired a
> PAGE_KERNEL_RO. Sparc64 has extern pgprot_t for it's PAGE_KERNEL types
> rather than #defines, so the #ifdef check wouldn't see this.
>
> I think either PAGE_PROT_RO becomes part of our arch API (so all
> architectures are forced to add it), or, if it's not part of the API,
> ohci isn't entitled to use it. The latter seems simplest since you have
> no real use for write protection anyway.
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
"firewire: ohci: restart iso DMA contexts on resume from low power mode"
added the flag struct context.active and "firewire: ohci: cache the
context run bit" added struct context.running.
These flags contain the same information; combine them.
Also, normalize whitespace in pci_resume().
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The DMA context run control bit is entirely controlled by software, so
it is safe to cache it. This allows the driver to avoid doing an
additional MMIO read when queueing an AT packet.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add comments
- on why bus_reset_tasklet flushes AT queues,
- that commit 76f73ca1b291 can possibly be reverted now.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Jarod Wilson <jarod@redhat.com>
|
|
The OHCI 1.2 (draft) specification, clause 7.2.3.3, allows and
recommends that, after a bus reset, the controller does not flush all
the packets in the AT queues. Therefore, the driver has to do this
itself.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Restore iso channels DMA so that iso channels could continue to work
after resume from RAM/disk.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Some lousy BIOSes, e.g. my Aspire 5720 BIOS forget to restore the GUID
register on resume from RAM.
Fix that by setting it to the last value that was read from it.
Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
The buffers used for the selfIDs packets and the AR request and response
descriptors end up using three pages because dma_alloc_coherent()
allocates at least one page per call. However, these data structures
would all fit into 4 KB, so we can save space by using a common buffer
for them.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When the isochRx/isochTx bit is clear, we do not need to read the
corresponding iso interrupt event register.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Change the header of PHY packets to be sent to include a pseudo
transaction code. This makes the header consistent with that of
received PHY packets, and allows at_context_queue_packet() and
log_ar_at_event() to see the packet type directly instead of having
to deduce it from the header length or even from the header contents.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
To remove the error information from the controller's queue and to allow
more posted writes, the driver has to read the failed posted write
address before clearing the postedWriteErr interrupt bit.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
(Stefan R:) The spec is somewhat fuzzy about the actual requirements.
To err on the safe side, let's do these two read accesses.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Make sure that interrupt event clear bit writes are executed before the
interrupt handler returns.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Add proper error handling for the context_init() calls.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Move the AR DMA descriptors out of the buffer pages, and map the buffer
pages linearly into the kernel's address space. This allows the driver
to ignore any page boundaries in the DMA data and thus to avoid any
copying around of packet payloads.
This fixes the bug where S800 packets that are so big (> 4080 bytes)
that they can be split over three pages were not handled correctly.
Due to the changed algorithm, we can now use arbitrarily many buffer
pages, which improves performance because the controller can more easily
unload its DMA FIFO.
Furthermore, using streaming DMA mappings should improve perfomance on
architectures where coherent DMA mappings are not cacheable. Even on
other architectures, the caching behaviour should be improved slightly
because the CPU no longer writes to the buffer pages.
v2: Detect the last filled buffer page by searching the descriptor's
residual count value fields in order (like in the old code), instead
of going backwards through the transfer status fields; it looks as
if some controllers do not set the latter correctly.
v3: Fix an old resume bug that would now make the handler run into
a BUG_ON, and replace that check with more useful error handling.
Increase the buffer size for better performance with non-TI chips.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Maxim Levitsky writes:
Works almost perfectly. I can still see RCODE_BUSY errors
sometimes, not very often though. 64K here eliminates these errors
completely. This is most likely due to nouveau drivers and lowest
perf level I use to lower card temperature. That increases
latencies too much I think. Besides that the IO is just perfect.
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Agere FW643 rev 06, listed as "11c1:5901 (rev 06) (prog-if 10 [OHCI])",
produced SBP-2 I/O errors since kernel 2.6.36. Disabling MSI fixes it.
Since MSI work on Agere FW643-E (same vendor and device ID, but rev 07),
introduce a device revision field into firewire-ohci's quirks list so
that different quirks can be defined for older and newer revisions.
Reported-by: Jonathan Isom <jeisom@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org> # 2.6.36.y
|
|
"VIA Technologies, Inc. VT6315 Series Firewire Controller [1106:3403]"
does not generate any interrupts if Message Signaled Interrupts were
enabled. This is a regression since kernel 2.6.36 in which MSI support
was added to firewire-ohci. Hence blacklist MSI on all VIA controllers.
Reported-by: Robin Cook <rcook@wyrms.net>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: <stable@kernel.org> # 2.6.36.y
|
|
If the controller is storing a split packet and therefore changing
d->res_count to zero between the two reads by the driver, we end up with
an end pointer that is not at a packet boundary, and therefore overflow
the buffer when handling the split packet.
To fix this, read the field once, atomically. The compiler usually
merges the two reads anyway, but for correctness, we have to enforce it.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
Freeing an AR buffer page just to allocate a new page immediately
afterwards is not only a pointless effort but also dangerous because
the allocation can fail, which would result in an oops later.
Split ar_context_add_page() into two functions so that we can reuse
the old page directly.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When handling an AR buffer that has been completely filled, we assumed
that its descriptor will not be read by the controller and can be
overwritten. However, when the last received packet happens to end at
the end of the buffer, the controller might not yet have moved on to the
next buffer and might read the branch address later. If we overwrite
and free the page before that, the DMA context will either go dead
because of an invalid Z value, or go off into some random memory.
To fix this, ensure that the descriptor does not get overwritten by
using only the actual buffer instead of the entire page for reassembling
the split packet. Furthermore, to avoid freeing the page too early,
move on to the next buffer only when some data in it guarantees that the
controller has moved on.
This should eliminate the remaining firewire-net problems.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.22-2.6.36 <stable@kernel.org>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
|
When the controller had to split a received asynchronous packet into two
buffers, the driver tries to reassemble it by copying both parts into
the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet
unhandled packets before the split packet, the split packet itself, and
any received packets after the split packet are together larger than one
page, then the memory after the first page would get overwritten.
To fix this, do not try to copy the data of all unhandled packets at
once, but copy the possibly needed data every time when handling
a packet.
This gets rid of most of the infamous crashes and data corruptions when
using firewire-net.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.22-2.6.36 <stable@kernel.org>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t)
|