commit f2154eef2a926435cdf79156cd361092d6cba91e · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: Add ref-counting for sbp2 orbs (fix command abortion)
firewire: fix unloading of fw-ohci while devices are attached
ieee1394: sbp2: fix sbp2_remove_device for error cases

Linus Torvalds 18 years ago f2154eef 6ae26fa4

+51 -18

3 changed files

expand all

unified split

drivers

firewire

fw-card.c

fw-sbp2.c

ieee1394

sbp2.c

+4 -2

drivers/firewire/fw-card.c

··· 510 510 /* Set up the dummy driver. */ 511 511 card->driver = &dummy_driver; 512 512 513 - fw_flush_transactions(card); 514 - 515 513 fw_destroy_nodes(card); 514 + flush_scheduled_work(); 515 + 516 + fw_flush_transactions(card); 517 + del_timer_sync(&card->flush_timer); 516 518 517 519 fw_card_put(card); 518 520 }

+40 -9

drivers/firewire/fw-sbp2.c

··· 159 159 160 160 struct sbp2_orb { 161 161 struct fw_transaction t; 162 + struct kref kref; 162 163 dma_addr_t request_bus; 163 164 int rcode; 164 165 struct sbp2_pointer pointer; ··· 281 280 }; 282 281 283 282 static void 283 + free_orb(struct kref *kref) 284 + { 285 + struct sbp2_orb *orb = container_of(kref, struct sbp2_orb, kref); 286 + 287 + kfree(orb); 288 + } 289 + 290 + static void 284 291 sbp2_status_write(struct fw_card *card, struct fw_request *request, 285 292 int tcode, int destination, int source, 286 293 int generation, int speed, ··· 321 312 spin_lock_irqsave(&card->lock, flags); 322 313 list_for_each_entry(orb, &sd->orb_list, link) { 323 314 if (STATUS_GET_ORB_HIGH(status) == 0 && 324 - STATUS_GET_ORB_LOW(status) == orb->request_bus && 325 - orb->rcode == RCODE_COMPLETE) { 315 + STATUS_GET_ORB_LOW(status) == orb->request_bus) { 316 + orb->rcode = RCODE_COMPLETE; 326 317 list_del(&orb->link); 327 318 break; 328 319 } ··· 334 325 else 335 326 fw_error("status write for unknown orb\n"); 336 327 328 + kref_put(&orb->kref, free_orb); 329 + 337 330 fw_send_response(card, request, RCODE_COMPLETE); 338 331 } 339 332 ··· 346 335 struct sbp2_orb *orb = data; 347 336 unsigned long flags; 348 337 349 - orb->rcode = rcode; 350 - if (rcode != RCODE_COMPLETE) { 351 - spin_lock_irqsave(&card->lock, flags); 338 + /* 339 + * This is a little tricky. We can get the status write for 340 + * the orb before we get this callback. The status write 341 + * handler above will assume the orb pointer transaction was 342 + * successful and set the rcode to RCODE_COMPLETE for the orb. 343 + * So this callback only sets the rcode if it hasn't already 344 + * been set and only does the cleanup if the transaction 345 + * failed and we didn't already get a status write. 346 + */ 347 + spin_lock_irqsave(&card->lock, flags); 348 + 349 + if (orb->rcode == -1) 350 + orb->rcode = rcode; 351 + if (orb->rcode != RCODE_COMPLETE) { 352 352 list_del(&orb->link); 353 - spin_unlock_irqrestore(&card->lock, flags); 354 353 orb->callback(orb, NULL); 355 354 } 355 + 356 + spin_unlock_irqrestore(&card->lock, flags); 357 + 358 + kref_put(&orb->kref, free_orb); 356 359 } 357 360 358 361 static void ··· 384 359 spin_lock_irqsave(&device->card->lock, flags); 385 360 list_add_tail(&orb->link, &sd->orb_list); 386 361 spin_unlock_irqrestore(&device->card->lock, flags); 362 + 363 + /* Take a ref for the orb list and for the transaction callback. */ 364 + kref_get(&orb->kref); 365 + kref_get(&orb->kref); 387 366 388 367 fw_send_request(device->card, &orb->t, TCODE_WRITE_BLOCK_REQUEST, 389 368 node_id, generation, device->max_speed, offset, ··· 445 416 if (orb == NULL) 446 417 return -ENOMEM; 447 418 419 + kref_init(&orb->base.kref); 448 420 orb->response_bus = 449 421 dma_map_single(device->card->device, &orb->response, 450 422 sizeof(orb->response), DMA_FROM_DEVICE); ··· 520 490 if (response) 521 491 fw_memcpy_from_be32(response, 522 492 orb->response, sizeof(orb->response)); 523 - kfree(orb); 493 + kref_put(&orb->base.kref, free_orb); 524 494 525 495 return retval; 526 496 } ··· 916 886 917 887 orb->cmd->result = result; 918 888 orb->done(orb->cmd); 919 - kfree(orb); 920 889 } 921 890 922 891 static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb) ··· 1034 1005 1035 1006 /* Initialize rcode to something not RCODE_COMPLETE. */ 1036 1007 orb->base.rcode = -1; 1008 + kref_init(&orb->base.kref); 1037 1009 1038 1010 orb->unit = unit; 1039 1011 orb->done = done; ··· 1081 1051 sbp2_send_orb(&orb->base, unit, sd->node_id, sd->generation, 1082 1052 sd->command_block_agent_address + SBP2_ORB_POINTER); 1083 1053 1054 + kref_put(&orb->base.kref, free_orb); 1084 1055 return 0; 1085 1056 1086 1057 fail_mapping: 1087 - kfree(orb); 1058 + kref_put(&orb->base.kref, free_orb); 1088 1059 fail_alloc: 1089 1060 return SCSI_MLQUEUE_HOST_BUSY; 1090 1061 }

+7 -7

drivers/ieee1394/sbp2.c

··· 513 513 return 0; 514 514 } 515 515 516 - static void sbp2util_remove_command_orb_pool(struct sbp2_lu *lu) 516 + static void sbp2util_remove_command_orb_pool(struct sbp2_lu *lu, 517 + struct hpsb_host *host) 517 518 { 518 - struct hpsb_host *host = lu->hi->host; 519 519 struct list_head *lh, *next; 520 520 struct sbp2_command_info *cmd; 521 521 unsigned long flags; ··· 922 922 923 923 if (!lu) 924 924 return; 925 - 926 925 hi = lu->hi; 926 + if (!hi) 927 + goto no_hi; 927 928 928 929 if (lu->shost) { 929 930 scsi_remove_host(lu->shost); 930 931 scsi_host_put(lu->shost); 931 932 } 932 933 flush_scheduled_work(); 933 - sbp2util_remove_command_orb_pool(lu); 934 + sbp2util_remove_command_orb_pool(lu, hi->host); 934 935 935 936 list_del(&lu->lu_list); 936 937 ··· 972 971 973 972 lu->ud->device.driver_data = NULL; 974 973 975 - if (hi) 976 - module_put(hi->host->driver->owner); 977 - 974 + module_put(hi->host->driver->owner); 975 + no_hi: 978 976 kfree(lu); 979 977 } 980 978