Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
firewire: Add ref-counting for sbp2 orbs (fix command abortion)
This handles the case where we get the status write before getting the
complete_transaction callback ("status write for unknown orb"). In
this case, we just assume that the initial orb pointer transaction
succeeded and finish the orb. To prevent the transaction callback
from touching freed memory, we ref-count the orb structures.
Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
authored by Kristian Høgsberg and committed by Stefan Richter e57d2011 8a2d9ed3
+40
-9
drivers/firewire/fw-sbp2.c
+40
-9
drivers/firewire/fw-sbp2.c
···
159
160
struct sbp2_orb {
161
struct fw_transaction t;
162
dma_addr_t request_bus;
163
int rcode;
164
struct sbp2_pointer pointer;
···
281
};
282
283
static void
284
sbp2_status_write(struct fw_card *card, struct fw_request *request,
285
int tcode, int destination, int source,
286
int generation, int speed,
···
321
spin_lock_irqsave(&card->lock, flags);
322
list_for_each_entry(orb, &sd->orb_list, link) {
323
if (STATUS_GET_ORB_HIGH(status) == 0 &&
324
-
STATUS_GET_ORB_LOW(status) == orb->request_bus &&
325
-
orb->rcode == RCODE_COMPLETE) {
326
list_del(&orb->link);
327
break;
328
}
···
334
else
335
fw_error("status write for unknown orb\n");
336
337
fw_send_response(card, request, RCODE_COMPLETE);
338
}
339
···
346
struct sbp2_orb *orb = data;
347
unsigned long flags;
348
349
-
orb->rcode = rcode;
350
-
if (rcode != RCODE_COMPLETE) {
351
-
spin_lock_irqsave(&card->lock, flags);
352
list_del(&orb->link);
353
-
spin_unlock_irqrestore(&card->lock, flags);
354
orb->callback(orb, NULL);
355
}
356
}
357
358
static void
···
384
spin_lock_irqsave(&device->card->lock, flags);
385
list_add_tail(&orb->link, &sd->orb_list);
386
spin_unlock_irqrestore(&device->card->lock, flags);
387
388
fw_send_request(device->card, &orb->t, TCODE_WRITE_BLOCK_REQUEST,
389
node_id, generation, device->max_speed, offset,
···
445
if (orb == NULL)
446
return -ENOMEM;
447
448
orb->response_bus =
449
dma_map_single(device->card->device, &orb->response,
450
sizeof(orb->response), DMA_FROM_DEVICE);
···
520
if (response)
521
fw_memcpy_from_be32(response,
522
orb->response, sizeof(orb->response));
523
-
kfree(orb);
524
525
return retval;
526
}
···
916
917
orb->cmd->result = result;
918
orb->done(orb->cmd);
919
-
kfree(orb);
920
}
921
922
static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb)
···
1034
1035
/* Initialize rcode to something not RCODE_COMPLETE. */
1036
orb->base.rcode = -1;
1037
1038
orb->unit = unit;
1039
orb->done = done;
···
1081
sbp2_send_orb(&orb->base, unit, sd->node_id, sd->generation,
1082
sd->command_block_agent_address + SBP2_ORB_POINTER);
1083
1084
return 0;
1085
1086
fail_mapping:
1087
-
kfree(orb);
1088
fail_alloc:
1089
return SCSI_MLQUEUE_HOST_BUSY;
1090
}
···
159
160
struct sbp2_orb {
161
struct fw_transaction t;
162
+
struct kref kref;
163
dma_addr_t request_bus;
164
int rcode;
165
struct sbp2_pointer pointer;
···
280
};
281
282
static void
283
+
free_orb(struct kref *kref)
284
+
{
285
+
struct sbp2_orb *orb = container_of(kref, struct sbp2_orb, kref);
286
+
287
+
kfree(orb);
288
+
}
289
+
290
+
static void
291
sbp2_status_write(struct fw_card *card, struct fw_request *request,
292
int tcode, int destination, int source,
293
int generation, int speed,
···
312
spin_lock_irqsave(&card->lock, flags);
313
list_for_each_entry(orb, &sd->orb_list, link) {
314
if (STATUS_GET_ORB_HIGH(status) == 0 &&
315
+
STATUS_GET_ORB_LOW(status) == orb->request_bus) {
316
+
orb->rcode = RCODE_COMPLETE;
317
list_del(&orb->link);
318
break;
319
}
···
325
else
326
fw_error("status write for unknown orb\n");
327
328
+
kref_put(&orb->kref, free_orb);
329
+
330
fw_send_response(card, request, RCODE_COMPLETE);
331
}
332
···
335
struct sbp2_orb *orb = data;
336
unsigned long flags;
337
338
+
/*
339
+
* This is a little tricky. We can get the status write for
340
+
* the orb before we get this callback. The status write
341
+
* handler above will assume the orb pointer transaction was
342
+
* successful and set the rcode to RCODE_COMPLETE for the orb.
343
+
* So this callback only sets the rcode if it hasn't already
344
+
* been set and only does the cleanup if the transaction
345
+
* failed and we didn't already get a status write.
346
+
*/
347
+
spin_lock_irqsave(&card->lock, flags);
348
+
349
+
if (orb->rcode == -1)
350
+
orb->rcode = rcode;
351
+
if (orb->rcode != RCODE_COMPLETE) {
352
list_del(&orb->link);
353
orb->callback(orb, NULL);
354
}
355
+
356
+
spin_unlock_irqrestore(&card->lock, flags);
357
+
358
+
kref_put(&orb->kref, free_orb);
359
}
360
361
static void
···
359
spin_lock_irqsave(&device->card->lock, flags);
360
list_add_tail(&orb->link, &sd->orb_list);
361
spin_unlock_irqrestore(&device->card->lock, flags);
362
+
363
+
/* Take a ref for the orb list and for the transaction callback. */
364
+
kref_get(&orb->kref);
365
+
kref_get(&orb->kref);
366
367
fw_send_request(device->card, &orb->t, TCODE_WRITE_BLOCK_REQUEST,
368
node_id, generation, device->max_speed, offset,
···
416
if (orb == NULL)
417
return -ENOMEM;
418
419
+
kref_init(&orb->base.kref);
420
orb->response_bus =
421
dma_map_single(device->card->device, &orb->response,
422
sizeof(orb->response), DMA_FROM_DEVICE);
···
490
if (response)
491
fw_memcpy_from_be32(response,
492
orb->response, sizeof(orb->response));
493
+
kref_put(&orb->base.kref, free_orb);
494
495
return retval;
496
}
···
886
887
orb->cmd->result = result;
888
orb->done(orb->cmd);
889
}
890
891
static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb)
···
1005
1006
/* Initialize rcode to something not RCODE_COMPLETE. */
1007
orb->base.rcode = -1;
1008
+
kref_init(&orb->base.kref);
1009
1010
orb->unit = unit;
1011
orb->done = done;
···
1051
sbp2_send_orb(&orb->base, unit, sd->node_id, sd->generation,
1052
sd->command_block_agent_address + SBP2_ORB_POINTER);
1053
1054
+
kref_put(&orb->base.kref, free_orb);
1055
return 0;
1056
1057
fail_mapping:
1058
+
kref_put(&orb->base.kref, free_orb);
1059
fail_alloc:
1060
return SCSI_MLQUEUE_HOST_BUSY;
1061
}