firewire: Don't touch DMA descriptors after appending.
When a DMA descriptor is appended to the context we sync it for
DMA and the device might potentially read it immediately. So,
we can't set the IRQ bits in the descriptor after appending.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: Use a buffer fill descriptor for receive when header size is 0.
When the DMA is setup to not strip any headers, we need to use
the buffer fill descriptor instead of the dual buffer, since the
dual buffer descriptor must strip a non-zero number of header quadlets.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: Generalize the iso transmit descriptor buffer logic.
The descriptor circular buffer logic used for iso transmission is
useful for async transmit too, so pull the sharable logic out in
a few standalone functions.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: Split the iso buffer out from fw_iso_context and avoid vmalloc.
This patch splits out the iso buffer so we can initialize it at mmap
time with the size provided in the mmap call. Furthermore, allocate
the backing pages using alloc_page to avoid setting up kernel side
virtual memory mappings for the pages.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: Schedule topology work before calling driver update functions.
This prevents superfluous bus traffic as fw-sbp2 logs in only to
get kicked off the device by another bus reset as the driver core
does bus management. Scheduling it this way lets the driver core
finish bus management before higher level drivers get the update
callback.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
When a management ORB times out, either because the fw_transaction
times out or when we don't get the status write, we need to properly
cancel the entire operation.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Drivers such as fw-sbp2 had no way to properly cancel in-progress
transactions, which could leave a pending transaction or an unset
packet in the low-level queues after kfree'ing the containing
structure. fw_cancel_transaction() lets drivers cancel a submitted
transaction.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
The old DMA program for receiving async packets stops DMA while
processing received packets and only expects one packet per
interrupt. Stopping DMA can silently drop packets and we need to
handle multiple received packets per interrupt.
This new version keeps DMA running at all times and just append new
pages as buffers fill up, and supports multiple packets per interrupt.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Stefan Richter [Sat, 27 Jan 2007 15:59:15 +0000 (16:59 +0100)]
firewire: fix compilation with gcc 3.4
drivers/firewire/fw-topology.c: In function `report_found_node':
drivers/firewire/fw-topology.c:345: error: `typeof' applied to a bit-field
drivers/firewire/fw-topology.c:345: error: `typeof' applied to a bit-field
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Stefan Richter [Tue, 23 Jan 2007 20:20:08 +0000 (21:20 +0100)]
firewire: fw-sbp2: set command set related device flags
Copied from sbp2:
- enable spin-up by START STOP UNIT for all devices
- enable INQUIRY (36) workaround on demand
- prefer READ/ WRITE (10) over (6) for all devices
- prefer MODE SENSE (10) for MMC devices
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Stefan Richter [Tue, 23 Jan 2007 20:11:43 +0000 (21:11 +0100)]
firewire: consistent usage of node_id
Definitions as per IEEE 1212 and IEEE 1394:
Node ID: Concatenation of bus ID and local ID. 16 bits long.
Bus ID: Identifies a particular bus within a group of buses
interconnected by bus bridges.
Local ID: Identifies a particular node on a bus.
PHY ID: Local ID of IEEE 1394 nodes. 6 bits long.
Never ever use a variable called node_id for anything else than a node ID.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Stefan Richter [Sun, 14 Jan 2007 14:29:07 +0000 (15:29 +0100)]
firewire: mark some structs const
Instances of struct file_operations and struct fw_card_driver can be
qualified as "const". Ditto with struct fw_descriptor.data, struct
fw_device_id, and predefined instances of struct fw_address_region,
at least in the current implementation.
Data qualified as const is placed into the .rodata section which won't
be mixed with dirty data.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Stefan Richter [Thu, 28 Dec 2006 11:46:54 +0000 (12:46 +0100)]
firewire: build fix 3
drivers/firewire/fw-sbp2.c: At top level:
drivers/firewire/fw-sbp2.c:1060: error: storage size of '__mod_ieee1394_device_table' isn't known
(error pointed out by akpm)
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Andrew Morton [Wed, 27 Dec 2006 22:49:23 +0000 (14:49 -0800)]
firewire: build fix 2
ia64:
drivers/firewire/fw-sbp2.c: In function `sbp2_command_orb_map_scatterlist':
drivers/firewire/fw-sbp2.c:826: warning: implicit declaration of function `sg_dma_len'
drivers/firewire/fw-sbp2.c:828: warning: implicit declaration of function `sg_dma_address'
drivers/firewire/fw-sbp2.c:837: error: invalid use of undefined type `struct scatterlist'
drivers/firewire/fw-sbp2.c:838: error: invalid use of undefined type `struct scatterlist'
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Andrew Morton [Wed, 27 Dec 2006 22:36:37 +0000 (14:36 -0800)]
firewire: build fix
alpha:
drivers/firewire/fw-ohci.c: In function 'ar_context_tasklet':
drivers/firewire/fw-ohci.c:266: warning: implicit declaration of function 'dma_sync_single_for_device'
drivers/firewire/fw-ohci.c:267: error: 'DMA_TO_DEVICE' undeclared (first use in this function)
drivers/firewire/fw-ohci.c:267: error: (Each undeclared identifier is reported only once
drivers/firewire/fw-ohci.c:267: error: for each function it appears in.)
drivers/firewire/fw-ohci.c: In function 'ar_context_init':
drivers/firewire/fw-ohci.c:282: warning: implicit declaration of function 'dma_map_single'
drivers/firewire/fw-ohci.c:283: error: 'DMA_TO_DEVICE' undeclared (first use in this function)
drivers/firewire/fw-ohci.c:293: error: 'DMA_FROM_DEVICE' undeclared (first use in this function)
etc.
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Andrew Morton [Wed, 27 Dec 2006 21:51:57 +0000 (13:51 -0800)]
firewire: printk warning fix
drivers/firewire/fw-ohci.c: In function 'ar_context_init':
drivers/firewire/fw-ohci.c:288: warning: format '%08x' expects type 'unsigned int', but argument 2 has type 'dma_addr_t'
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Linus Torvalds [Wed, 7 Mar 2007 03:52:50 +0000 (19:52 -0800)]
Merge branch 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
[S390] cio: Call cancel_halt_clear even when actl == 0.
[S390] cio: Use path verification to check for path state.
[S390] cio: Fix locking when calling notify function.
[S390] Fixed handling of access register mode faults.
[S390] dasd: Use default recovery for SNSS requests
[S390] check_bugs() should be inline.
[S390] tape: Compression overwrites crypto setting
[S390] nss: disable kexec.
[S390] reipl: move dump_prefix_page out of text section.
[S390] smp: disable preemption in smp_call_function/smp_call_function_on
[S390] kprobes breaks BUG_ON
Linus Torvalds [Wed, 7 Mar 2007 03:44:13 +0000 (19:44 -0800)]
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
pata_pdc202xx_old: fix data corruption and other problems
pata_legacy: fix io/irq mismatch
ahci: RAID mode SATA patch for Intel ICH9M
The commit was buggy in multiple ways:
- the conversion to ilog2() was incorrect to begin with
- it tested the wrong #defines, so on all architectures but FRV you'd
never see the bug except for constant arguments.
- the new "get_order()" macro used its arguments multiple times, and
didn't even parenthesize them properly
- despite the comments, it was not true that you could use it for
constant initializers, since not all architectures even use the
generic page.h header file.
All of the problems are individually fixable, but it all boils down to:
better just revert it, and re-do it from scratch.
Cc: David Howells <dhowells@redhat.com> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Wed, 7 Mar 2007 02:05:10 +0000 (18:05 -0800)]
Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
[IA64] kexec: Use EFI_LOADER_DATA for ELF core header
[IA64] permon use-after-free fix
[IA64] sync compat getdents
[IA64] always build arch/ia64/lib/xor.o
[IA64] Remove stack hard limit on ia64
[IA64] point saved_max_pfn to the max_pfn of the entire system
Revert "[IA64] swiotlb abstraction (e.g. for Xen)"
Marcel Holtmann [Tue, 6 Mar 2007 21:12:00 +0000 (22:12 +0100)]
[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
Based on a patch from Don Howard <dhoward@redhat.com>
When calling write() with a buffer larger than 512 bytes, the
driver's write buffer overflows, allowing to overwrite the EIP and
execute arbitrary code with kernel privileges.
In read(), there exists a similar problem, but coming from the device.
A malicous or buggy device sending more than 512 bytes can overflow
of the driver's read buffer, with the same effects as above.
sysfs_write_file downs buffer->sem while calling flush_write_buffer, and
flushing that particular write buffer entails downing buffer->sem in
orphan_all_buffers, resulting in the obvious self-deadlock.
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
[CIFS] cifs_prepare_write was incorrectly rereading page in some cases
[CIFS] Fix set file size to zero when doing chmod to Samba 3.0.26pre
[CIFS] Remove some unused functions/declarations
[CIFS] New file for previous commit
[CIFS] cifs export operations
[CIFS] small piece missing from previous patch
[CIFS] Fix locking problem around some cifs uses of i_size write
Linus Torvalds [Wed, 7 Mar 2007 01:31:29 +0000 (17:31 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc:
sdhci: release irq during suspend
sdhci: make isr tolerant of read errors
mmc: require explicit support for high-speed
ncpfs: make sure server connection survives a kill
Linus Torvalds [Wed, 7 Mar 2007 01:30:59 +0000 (17:30 -0800)]
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
sis900 warning fixes
mv643xx_eth: Place explicit port number in mv643xx_eth_platform_data
pcnet32: Fix PCnet32 performance bug on non-coherent architecutres
__devinit & __devexit cleanups for de2104x driver
3c59x: Handle pci_enable_device() failure while resuming
dmfe: Fix link detection
dmfe: fix two bugs
dmfe: trivial/spelling fixes
revert "drivers/net/tulip/dmfe: support basic carrier detection"
ucc_geth: returns NETDEV_TX_BUSY when BD ring is full
ucc_geth: Fix BD processing
natsemi: netpoll fixes
bonding: Improve IGMP join processing
bonding: only receive ARPs for us
bonding: fix double dev_add_pack
Magnus Damm [Tue, 6 Mar 2007 10:34:26 +0000 (02:34 -0800)]
[IA64] kexec: Use EFI_LOADER_DATA for ELF core header
The address where the ELF core header is stored is passed to the secondary
kernel as a kernel command line option. The memory area for this header is
also marked as a separate EFI memory descriptor on ia64.
The separate EFI memory descriptor is at the moment of the type
EFI_UNUSABLE_MEMORY. With such a type the secondary kernel skips over the
entire memory granule (config option, 16M or 64M) when detecting memory.
If we are lucky we will just lose some memory, but if we happen to have
data in the same granule (such as an initramfs image), then this data will
never get mapped and the kernel bombs out when trying to access it.
So this is an attempt to fix this by changing the EFI memory descriptor
type into EFI_LOADER_DATA. This type is the same type used for the kernel
data and for initramfs. In the secondary kernel we then handle the ELF
core header data the same way as we handle the initramfs image.
This patch contains the kernel changes to make this happen. Pretty
straightforward, we reserve the area in reserve_memory(). The address for
the area comes from the kernel command line and the size comes from the
specialized EFI parsing function vmcore_find_descriptor_size().
The kexec-tools-testing code for this can be found here:
http://lists.osdl.org/pipermail/fastboot/2007-February/005983.html
Signed-off-by: Magnus Damm <magnus@valinux.co.jp> Cc: Simon Horman <horms@verge.net.au> Cc: Vivek Goyal <vgoyal@in.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Tony Luck <tony.luck@intel.com>
Nick Piggin [Tue, 6 Mar 2007 10:34:25 +0000 (02:34 -0800)]
[IA64] permon use-after-free fix
Perfmon associates vmalloc()ed memory with a file descriptor, and installs
a vma mapping that memory. Unfortunately, the vm_file field is not filled
in, so processes with mappings to that memory do not prevent the file from
being closed and the memory freed. This results in use-after-free bugs and
multiple freeing of pages, etc.
I saw this bug on an Altix on SLES9. Haven't reproduced upstream but it
looks like the same issue is there.
Signed-off-by: Nick Piggin <npiggin@suse.de> Cc: Stephane Eranian <eranian@hpl.hp.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Tony Luck <tony.luck@intel.com>