aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2011-07-09 10:43:22 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2011-07-16 01:24:32 -0400
commit93b37905f70083d6143f5f4dba0a45cc64379a62 (patch)
treeb6917581cd390ed9967e1df9922940362ad4309e
parentd873d794235efa590ab3c94d5ee22bb1fab19ac4 (diff)
firewire: cdev: prevent race between first get_info ioctl and bus reset event queuing
Between open(2) of a /dev/fw* and the first FW_CDEV_IOC_GET_INFO ioctl(2) on it, the kernel already queues FW_CDEV_EVENT_BUS_RESET events to be read(2) by the client. The get_info ioctl is practically always issued right away after open, hence this condition only occurs if the client opens during a bus reset, especially during a rapid series of bus resets. The problem with this condition is twofold: - These bus reset events carry the (as yet undocumented) @closure value of 0. But it is not the kernel's place to choose closures; they are privat to the client. E.g., this 0 value forced from the kernel makes it unsafe for clients to dereference it as a pointer to a closure object without NULL pointer check. - It is impossible for clients to determine the relative order of bus reset events from get_info ioctl(2) versus those from read(2), except in one way: By comparison of closure values. Again, such a procedure imposes complexity on clients and reduces freedom in use of the bus reset closure. So, change the ABI to suppress queuing of bus reset events before the first FW_CDEV_IOC_GET_INFO ioctl was issued by the client. Note, this ABI change cannot be version-controlled. The kernel cannot distinguish old from new clients before the first FW_CDEV_IOC_GET_INFO ioctl. We will try to back-merge this change into currently maintained stable/ longterm series, and we only document the new behaviour. The old behavior is now considered a kernel bug, which it basically is. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: <stable@kernel.org>
-rw-r--r--drivers/firewire/core-cdev.c18
-rw-r--r--include/linux/firewire-cdev.h3
2 files changed, 13 insertions, 8 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9b5915ebeb35..e6ad3bb6c1a6 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -253,14 +253,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file)
253 init_waitqueue_head(&client->wait); 253 init_waitqueue_head(&client->wait);
254 init_waitqueue_head(&client->tx_flush_wait); 254 init_waitqueue_head(&client->tx_flush_wait);
255 INIT_LIST_HEAD(&client->phy_receiver_link); 255 INIT_LIST_HEAD(&client->phy_receiver_link);
256 INIT_LIST_HEAD(&client->link);
256 kref_init(&client->kref); 257 kref_init(&client->kref);
257 258
258 file->private_data = client; 259 file->private_data = client;
259 260
260 mutex_lock(&device->client_list_mutex);
261 list_add_tail(&client->link, &device->client_list);
262 mutex_unlock(&device->client_list_mutex);
263
264 return nonseekable_open(inode, file); 261 return nonseekable_open(inode, file);
265} 262}
266 263
@@ -451,15 +448,20 @@ static int ioctl_get_info(struct client *client, union ioctl_arg *arg)
451 if (ret != 0) 448 if (ret != 0)
452 return -EFAULT; 449 return -EFAULT;
453 450
451 mutex_lock(&client->device->client_list_mutex);
452
454 client->bus_reset_closure = a->bus_reset_closure; 453 client->bus_reset_closure = a->bus_reset_closure;
455 if (a->bus_reset != 0) { 454 if (a->bus_reset != 0) {
456 fill_bus_reset_event(&bus_reset, client); 455 fill_bus_reset_event(&bus_reset, client);
457 if (copy_to_user(u64_to_uptr(a->bus_reset), 456 ret = copy_to_user(u64_to_uptr(a->bus_reset),
458 &bus_reset, sizeof(bus_reset))) 457 &bus_reset, sizeof(bus_reset));
459 return -EFAULT;
460 } 458 }
459 if (ret == 0 && list_empty(&client->link))
460 list_add_tail(&client->link, &client->device->client_list);
461 461
462 return 0; 462 mutex_unlock(&client->device->client_list_mutex);
463
464 return ret ? -EFAULT : 0;
463} 465}
464 466
465static int add_client_resource(struct client *client, 467static int add_client_resource(struct client *client,
diff --git a/include/linux/firewire-cdev.h b/include/linux/firewire-cdev.h
index 4ff09889c5c0..55814aa33be2 100644
--- a/include/linux/firewire-cdev.h
+++ b/include/linux/firewire-cdev.h
@@ -475,6 +475,9 @@ union fw_cdev_event {
475 * of the bus. This does not cause a bus reset to happen. 475 * of the bus. This does not cause a bus reset to happen.
476 * @bus_reset_closure: Value of &closure in this and subsequent bus reset events 476 * @bus_reset_closure: Value of &closure in this and subsequent bus reset events
477 * @card: The index of the card this device belongs to 477 * @card: The index of the card this device belongs to
478 *
479 * As a side effect, reception of %FW_CDEV_EVENT_BUS_RESET events to be read(2)
480 * is started by this ioctl.
478 */ 481 */
479struct fw_cdev_get_info { 482struct fw_cdev_get_info {
480 __u32 version; 483 __u32 version;