commit e57d2011a6276d55a87f26653a0395f302ce0d51 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

firewire: Add ref-counting for sbp2 orbs (fix command abortion)

This handles the case where we get the status write before getting the
complete_transaction callback ("status write for unknown orb"). In
this case, we just assume that the initial orb pointer transaction
succeeded and finish the orb. To prevent the transaction callback
from touching freed memory, we ref-count the orb structures.

Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

authored by Kristian Høgsberg and committed by Stefan Richter 18 years ago e57d2011 8a2d9ed3

+40 -9

1 changed file

expand all

unified split

drivers

firewire

fw-sbp2.c

+40 -9

drivers/firewire/fw-sbp2.c

··· 159 159 160 160 struct sbp2_orb { 161 161 struct fw_transaction t; 162 + struct kref kref; 162 163 dma_addr_t request_bus; 163 164 int rcode; 164 165 struct sbp2_pointer pointer; ··· 281 280 }; 282 281 283 282 static void 283 + free_orb(struct kref *kref) 284 + { 285 + struct sbp2_orb *orb = container_of(kref, struct sbp2_orb, kref); 286 + 287 + kfree(orb); 288 + } 289 + 290 + static void 284 291 sbp2_status_write(struct fw_card *card, struct fw_request *request, 285 292 int tcode, int destination, int source, 286 293 int generation, int speed, ··· 321 312 spin_lock_irqsave(&card->lock, flags); 322 313 list_for_each_entry(orb, &sd->orb_list, link) { 323 314 if (STATUS_GET_ORB_HIGH(status) == 0 && 324 - STATUS_GET_ORB_LOW(status) == orb->request_bus && 325 - orb->rcode == RCODE_COMPLETE) { 315 + STATUS_GET_ORB_LOW(status) == orb->request_bus) { 316 + orb->rcode = RCODE_COMPLETE; 326 317 list_del(&orb->link); 327 318 break; 328 319 } ··· 334 325 else 335 326 fw_error("status write for unknown orb\n"); 336 327 328 + kref_put(&orb->kref, free_orb); 329 + 337 330 fw_send_response(card, request, RCODE_COMPLETE); 338 331 } 339 332 ··· 346 335 struct sbp2_orb *orb = data; 347 336 unsigned long flags; 348 337 349 - orb->rcode = rcode; 350 - if (rcode != RCODE_COMPLETE) { 351 - spin_lock_irqsave(&card->lock, flags); 338 + /* 339 + * This is a little tricky. We can get the status write for 340 + * the orb before we get this callback. The status write 341 + * handler above will assume the orb pointer transaction was 342 + * successful and set the rcode to RCODE_COMPLETE for the orb. 343 + * So this callback only sets the rcode if it hasn't already 344 + * been set and only does the cleanup if the transaction 345 + * failed and we didn't already get a status write. 346 + */ 347 + spin_lock_irqsave(&card->lock, flags); 348 + 349 + if (orb->rcode == -1) 350 + orb->rcode = rcode; 351 + if (orb->rcode != RCODE_COMPLETE) { 352 352 list_del(&orb->link); 353 - spin_unlock_irqrestore(&card->lock, flags); 354 353 orb->callback(orb, NULL); 355 354 } 355 + 356 + spin_unlock_irqrestore(&card->lock, flags); 357 + 358 + kref_put(&orb->kref, free_orb); 356 359 } 357 360 358 361 static void ··· 384 359 spin_lock_irqsave(&device->card->lock, flags); 385 360 list_add_tail(&orb->link, &sd->orb_list); 386 361 spin_unlock_irqrestore(&device->card->lock, flags); 362 + 363 + /* Take a ref for the orb list and for the transaction callback. */ 364 + kref_get(&orb->kref); 365 + kref_get(&orb->kref); 387 366 388 367 fw_send_request(device->card, &orb->t, TCODE_WRITE_BLOCK_REQUEST, 389 368 node_id, generation, device->max_speed, offset, ··· 445 416 if (orb == NULL) 446 417 return -ENOMEM; 447 418 419 + kref_init(&orb->base.kref); 448 420 orb->response_bus = 449 421 dma_map_single(device->card->device, &orb->response, 450 422 sizeof(orb->response), DMA_FROM_DEVICE); ··· 520 490 if (response) 521 491 fw_memcpy_from_be32(response, 522 492 orb->response, sizeof(orb->response)); 523 - kfree(orb); 493 + kref_put(&orb->base.kref, free_orb); 524 494 525 495 return retval; 526 496 } ··· 916 886 917 887 orb->cmd->result = result; 918 888 orb->done(orb->cmd); 919 - kfree(orb); 920 889 } 921 890 922 891 static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb) ··· 1034 1005 1035 1006 /* Initialize rcode to something not RCODE_COMPLETE. */ 1036 1007 orb->base.rcode = -1; 1008 + kref_init(&orb->base.kref); 1037 1009 1038 1010 orb->unit = unit; 1039 1011 orb->done = done; ··· 1081 1051 sbp2_send_orb(&orb->base, unit, sd->node_id, sd->generation, 1082 1052 sd->command_block_agent_address + SBP2_ORB_POINTER); 1083 1053 1054 + kref_put(&orb->base.kref, free_orb); 1084 1055 return 0; 1085 1056 1086 1057 fail_mapping: 1087 - kfree(orb); 1058 + kref_put(&orb->base.kref, free_orb); 1088 1059 fail_alloc: 1089 1060 return SCSI_MLQUEUE_HOST_BUSY; 1090 1061 }