From: Will Andrews
Date: Wed, 21 Jan 2015 20:03:47 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r277508 - head/sys/dev/firewire

Author: will
Date: Wed Jan 21 20:03:46 2015
New Revision: 277508
URL: https://svnweb.freebsd.org/changeset/base/277508

Log:
  Fix panic in firewire and creation of invalid config ROM.

  sys/boot/i386/libfirewire/firewire.c:
  sys/dev/firewire/firewire.c:
    Fix configuration ROM generation count wrapping logic so that the
    generation count is never outside of allowed limits (0x2 -> 0xF).

  sys/dev/firewire/firewire.c:
    In fw_xfer_unload(), xfer->fc may be NULL. Protect against this before
    taking the fc lock.

  Submitted by: gibbs
  MFC after: 1 week
  Sponsored by: Spectra Logic
  MFSpectraBSD: 1110685 on 2015/01/05

Modified:
  head/sys/dev/firewire/firewire.c

Modified: head/sys/dev/firewire/firewire.c
==============================================================================
--- head/sys/dev/firewire/firewire.c Wed Jan 21 20:02:16 2015 (r277507)
+++ head/sys/dev/firewire/firewire.c Wed Jan 21 20:03:46 2015 (r277508)
@@ -761,8 +761,15 @@ fw_busreset(struct firewire_comm *fc, ui src = &fc->crom_src_buf->src; crom_load(src, newrom, CROMSIZE); if (bcmp(newrom, fc->config_rom, CROMSIZE) != 0) { - if (src->businfo.generation++ > FW_MAX_GENERATION) + /* Bump generation and reload. */ + src->businfo.generation++; + + /* Handle generation count wraps. */ + if (src->businfo.generation < FW_GENERATION_CHANGEABLE) src->businfo.generation = FW_GENERATION_CHANGEABLE; + + /* Recalculate CRC to account for generation change. */ + crom_load(src, newrom, CROMSIZE); bcopy(newrom, fc->config_rom, CROMSIZE); } free(newrom, M_FW); @@ -1156,16 +1163,18 @@ fw_xfer_unload(struct fw_xfer *xfer) if (xfer == NULL) return; - FW_GLOCK(xfer->fc); - if (xfer->flag & FWXF_INQ) { - STAILQ_REMOVE(&xfer->q->q, xfer, fw_xfer, link); - xfer->flag &= ~FWXF_INQ; -#if 0 - xfer->q->queued--; -#endif - } - FW_GUNLOCK(xfer->fc); + if (xfer->fc != NULL) { + FW_GLOCK(xfer->fc); + if (xfer->flag & FWXF_INQ) { + STAILQ_REMOVE(&xfer->q->q, xfer, fw_xfer, link); + xfer->flag &= ~FWXF_INQ; + #if 0 + xfer->q->queued--; + #endif + } + FW_GUNLOCK(xfer->fc); + /* * Ensure that any tlabel owner can't access this * xfer after it's freed.
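Review bot: In the fw_busreset() hunk, the new test `if (src->businfo.generation < FW_GENERATION_CHANGEABLE)` only catches a wrap if the generation field itself overflows to a small value after 0xF, and nothing in the hunk shows the width of that field. The removed line compared against FW_MAX_GENERATION and the replacement no longer mentions the upper limit at all. Either keep an explicit upper-bound check (`> FW_MAX_GENERATION`) next to the lower-bound one, or extend the "Handle generation count wraps" comment to state the field width this relies on, so that a later change to the businfo layout cannot silently put an out-of-range generation back into the config ROM. Separately, the log message lists sys/boot/i386/libfirewire/firewire.c for the same generation fix, but the Modified list names only head/sys/dev/firewire/firewire.c; the message should match what the revision touches.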
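Review bot: In the fw_xfer_unload() hunk, the new `if (xfer->fc != NULL)` guard also skips the FWXF_INQ dequeue, so an xfer that has FWXF_INQ set while fc is NULL would stay linked on `xfer->q->q` when the caller goes on to free it. If that combination cannot occur, say so with a KASSERT or a short comment in the NULL path; if it can, the STAILQ_REMOVE needs a way to run without the fc lock being reachable through the xfer. `xfer->q` is still dereferenced without a check of its own inside the guarded block. As a style point, the added `#if 0` / `#endif` lines are now indented where the removed ones started in column 0; since this block is being rewritten anyway, dropping the dead `xfer->q->queued--` code would be cleaner than re-indenting it.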