author | Jens Axboe <axboe@suse.de> | 2006-07-28 03:32:07 -0400 |
---|---|---|
committer | Jens Axboe <axboe@nelson.home.kernel.dk> | 2006-09-30 14:29:23 -0400 |
commit | cdd6026217c0e4cda2efce1bdc318661bef1f66f (patch) | |
tree | e26bb9c40b603b9cc321aa4217fecf34e1bc5f24 | |
parent | 49171e5c6f414d49a061b5c1c84967c2eb569822 (diff) |
[PATCH] Remove ->rq_status from struct request
After Christoph's SCSI change, the only usage left is RQ_ACTIVE
and RQ_INACTIVE. The block layer sets RQ_INACTIVE right before freeing
the request, so any check for RQ_INACTIVE in a driver is a bug and
indicates use-after-free.
So kill/clean the remaining users, straightforward.
Signed-off-by: Jens Axboe <axboe@suse.de>
-rw-r--r-- | arch/um/drivers/ubd_kern.c | 2 | ||||
-rw-r--r-- | block/ll_rw_blk.c | 3 | ||||
-rw-r--r-- | drivers/block/paride/pd.c | 1 | ||||
-rw-r--r-- | drivers/block/swim3.c | 4 | ||||
-rw-r--r-- | drivers/block/swim_iop.c | 4 | ||||
-rw-r--r-- | drivers/fc4/fc.c | 1 | ||||
-rw-r--r-- | drivers/ide/ide-floppy.c | 3 | ||||
-rw-r--r-- | drivers/ide/ide-io.c | 1 | ||||
-rw-r--r-- | drivers/ide/ide-tape.c | 4 | ||||
-rw-r--r-- | drivers/scsi/ide-scsi.c | 2 | ||||
-rw-r--r-- | drivers/scsi/scsi.c | 2 | ||||
-rw-r--r-- | include/linux/blkdev.h | 13 |
12 files changed, 14 insertions, 26 deletions
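--- a/arch/um/drivers/ubd_kern.c
+++ b/arch/um/drivers/ubd_kern.c
@@ -981,8 +981,6 @@ static int prepare_request(struct request *req, struct io_thread_req *io_req)
 __u64 offset;
 int len;
 
-if(req->rq_status == RQ_INACTIVE) return(1);
-
 /* This should be impossible now */
 if((rq_data_dir(req) == WRITE) && !dev->openflags.w){
 printk("Write attempted on readonly ubd device %s\n",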
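--- a/block/ll_rw_blk.c
+++ b/block/ll_rw_blk.c
@@ -283,7 +283,6 @@ static inline void rq_init(request_queue_t *q, struct request *rq)
 INIT_LIST_HEAD(&rq->donelist);
 
 rq->errors = 0;
-rq->rq_status = RQ_ACTIVE;
 rq->bio = rq->biotail = NULL;
 INIT_HLIST_NODE(&rq->hash);
 RB_CLEAR_NODE(&rq->rb_node);
@@ -2685,8 +2684,6 @@ void __blk_put_request(request_queue_t *q, struct request *req)
 
 elv_completed_request(q, req);
 
-req->rq_status = RQ_INACTIVE;
-
 /*
 * Request may not have originated from ll_rw_blk. if not,
 * it didn't come out of our reserved rq pools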
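--- a/drivers/block/paride/pd.c
+++ b/drivers/block/paride/pd.c
@@ -719,7 +719,6 @@ static int pd_special_command(struct pd_unit *disk,
 
 memset(&rq, 0, sizeof(rq));
 rq.errors = 0;
-rq.rq_status = RQ_ACTIVE;
 rq.rq_disk = disk->gd;
 rq.ref_count = 1;
 rq.end_io_data = &wait;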
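--- a/drivers/block/swim3.c
+++ b/drivers/block/swim3.c
@@ -319,8 +319,8 @@ static void start_request(struct floppy_state *fs)
 printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
 req->rq_disk->disk_name, req->cmd,
 (long)req->sector, req->nr_sectors, req->buffer);
-printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n",
-req->rq_status, req->errors, req->current_nr_sectors);
+printk(" errors=%d current_nr_sectors=%ld\n",
+req->errors, req->current_nr_sectors);
 #endif
 
 if (req->sector < 0 || req->sector >= fs->total_secs) {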
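--- a/drivers/block/swim_iop.c
+++ b/drivers/block/swim_iop.c
@@ -529,8 +529,8 @@ static void start_request(struct floppy_state *fs)
 printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
 CURRENT->rq_disk->disk_name, CURRENT->cmd,
 CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer);
-printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n",
-CURRENT->rq_status, CURRENT->errors, CURRENT->current_nr_sectors);
+printk(" errors=%d current_nr_sectors=%ld\n",
+CURRENT->errors, CURRENT->current_nr_sectors);
 #endif
 
 if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) {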
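--- a/drivers/fc4/fc.c
+++ b/drivers/fc4/fc.c
@@ -974,7 +974,6 @@ int fcp_scsi_dev_reset(Scsi_Cmnd *SCpnt)
 */
 
 fc->rst_pkt->device->host->eh_action = &sem;
-fc->rst_pkt->request->rq_status = RQ_SCSI_BUSY;
 
 fc->rst_pkt->done = fcp_scsi_reset_done;
 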
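--- a/drivers/ide/ide-floppy.c
+++ b/drivers/ide/ide-floppy.c
@@ -1281,8 +1281,7 @@ static ide_startstop_t idefloppy_do_request (ide_drive_t *drive, struct request
 idefloppy_pc_t *pc;
 unsigned long block = (unsigned long)block_s;
 
-debug_log(KERN_INFO "rq_status: %d, dev: %s, flags: %lx, errors: %d\n",
-rq->rq_status,
+debug_log(KERN_INFO "dev: %s, flags: %lx, errors: %d\n",
 rq->rq_disk ? rq->rq_disk->disk_name : "?",
 rq->flags, rq->errors);
 debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, "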
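--- a/drivers/ide/ide-io.c
+++ b/drivers/ide/ide-io.c
@@ -1710,7 +1710,6 @@ int ide_do_drive_cmd (ide_drive_t *drive, struct request *rq, ide_action_t actio
 int must_wait = (action == ide_wait || action == ide_head_wait);
 
 rq->errors = 0;
-rq->rq_status = RQ_ACTIVE;
 
 /*
 * we need to hold an extra reference to request for safe inspection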
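--- a/drivers/ide/ide-tape.c
+++ b/drivers/ide/ide-tape.c
@@ -2423,8 +2423,8 @@ static ide_startstop_t idetape_do_request(ide_drive_t *drive,
 #if IDETAPE_DEBUG_LOG
 #if 0
 if (tape->debug_level >= 5)
-printk(KERN_INFO "ide-tape: rq_status: %d, "
-"dev: %s, cmd: %ld, errors: %d\n", rq->rq_status,
+printk(KERN_INFO "ide-tape: %d, "
+"dev: %s, cmd: %ld, errors: %d\n",
 rq->rq_disk->disk_name, rq->cmd[0], rq->errors);
 #endif
 if (tape->debug_level >= 2)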
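Review bot: The rewritten printk inside the `#if 0` block still opens its format with `"ide-tape: %d, "` although the `rq->rq_status` argument that fed that `%d` was dropped, so the format now has four conversions for three arguments. As written, `%d` would consume the `disk_name` pointer and `%s` would be handed `rq->cmd[0]`, meaning a command byte would be dereferenced as a string pointer if this block is ever re-enabled. Nothing warns today only because the code is compiled out; the first literal should become `printk(KERN_INFO "ide-tape: "`. idetape_do_request starts and ends outside the hunk.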
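--- a/drivers/scsi/ide-scsi.c
+++ b/drivers/scsi/ide-scsi.c
@@ -708,7 +708,7 @@ static ide_startstop_t idescsi_issue_pc (ide_drive_t *drive, idescsi_pc_t *pc)
 static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block)
 {
 #if IDESCSI_DEBUG_LOG
-printk (KERN_INFO "rq_status: %d, dev: %s, cmd: %x, errors: %d\n",rq->rq_status, rq->rq_disk->disk_name,rq->cmd[0],rq->errors);
+printk (KERN_INFO "dev: %s, cmd: %x, errors: %d\n", rq->rq_disk->disk_name,rq->cmd[0],rq->errors);
 printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors);
 #endif /* IDESCSI_DEBUG_LOG */
 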
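--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -1065,7 +1065,7 @@ int scsi_device_cancel(struct scsi_device *sdev, int recovery)
 
 spin_lock_irqsave(&sdev->list_lock, flags);
 list_for_each_entry(scmd, &sdev->cmd_list, list) {
-if (scmd->request && scmd->request->rq_status != RQ_INACTIVE) {
+if (scmd->request) {
 /*
 * If we are unable to remove the timer, it means
 * that the command has already timed out or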
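Review bot: With the `rq_status != RQ_INACTIVE` filter gone, `if (scmd->request)` in the list_for_each_entry loop is the only test separating live commands from ones whose request has already been handed back to the block layer. Nothing visible in this hunk shows that `scmd->request` is cleared when the request is put, so a stale non-NULL pointer would now be processed as an active command, where the old code tried to skip it (by reading freed memory, as the commit message points out). I would add a comment above the test recording the invariant being relied on, for example `/* scmd->request is non-NULL only while the command owns a live request */`, once that has been confirmed against the completion path. The loop body and the rest of scsi_device_cancel lie outside the hunk.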
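--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -243,8 +243,6 @@ struct request {
 
 void *completion_data;
 
-int rq_status; /* should split this into a few status bits */
-int errors;
 struct gendisk *rq_disk;
 unsigned long start_time;
 
@@ -262,14 +260,16 @@ struct request {
 
 unsigned short ioprio;
 
-int tag;
-
-int ref_count;
 request_queue_t *q;
 
 void *special;
 char *buffer;
 
+int tag;
+int errors;
+
+int ref_count;
+
 /*
 * when request is used as a packet command carrier
 */
@@ -456,9 +456,6 @@ struct request_queue
 struct mutex sysfs_lock;
 };
 
-#define RQ_INACTIVE (-1)
-#define RQ_ACTIVE 1
-
 #define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */
 #define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */
 #define QUEUE_FLAG_STOPPED 2 /* queue is stopped */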