diff options
| author | Jens Axboe <axboe@suse.de> | 2006-07-28 03:32:07 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@nelson.home.kernel.dk> | 2006-09-30 14:29:23 -0400 |
| commit | cdd6026217c0e4cda2efce1bdc318661bef1f66f (patch) | |
| tree | e26bb9c40b603b9cc321aa4217fecf34e1bc5f24 | |
| parent | 49171e5c6f414d49a061b5c1c84967c2eb569822 (diff) | |
[PATCH] Remove ->rq_status from struct request
After Christophs SCSI change, the only usage left is RQ_ACTIVE
and RQ_INACTIVE. The block layer sets RQ_INACTIVE right before freeing
the request, so any check for RQ_INACTIVE in a driver is a bug and
indicates use-after-free.
So kill/clean the remaining users, straight forward.
Signed-off-by: Jens Axboe <axboe@suse.de>
| -rw-r--r-- | arch/um/drivers/ubd_kern.c | 2 | ||||
| -rw-r--r-- | block/ll_rw_blk.c | 3 | ||||
| -rw-r--r-- | drivers/block/paride/pd.c | 1 | ||||
| -rw-r--r-- | drivers/block/swim3.c | 4 | ||||
| -rw-r--r-- | drivers/block/swim_iop.c | 4 | ||||
| -rw-r--r-- | drivers/fc4/fc.c | 1 | ||||
| -rw-r--r-- | drivers/ide/ide-floppy.c | 3 | ||||
| -rw-r--r-- | drivers/ide/ide-io.c | 1 | ||||
| -rw-r--r-- | drivers/ide/ide-tape.c | 4 | ||||
| -rw-r--r-- | drivers/scsi/ide-scsi.c | 2 | ||||
| -rw-r--r-- | drivers/scsi/scsi.c | 2 | ||||
| -rw-r--r-- | include/linux/blkdev.h | 13 |
12 files changed, 14 insertions, 26 deletions
diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c index 5fa4c8e258a4..fda4a3940698 100644 --- a/arch/um/drivers/ubd_kern.c +++ b/arch/um/drivers/ubd_kern.c | |||
| @@ -981,8 +981,6 @@ static int prepare_request(struct request *req, struct io_thread_req *io_req) | |||
| 981 | __u64 offset; | 981 | __u64 offset; |
| 982 | int len; | 982 | int len; |
| 983 | 983 | ||
| 984 | if(req->rq_status == RQ_INACTIVE) return(1); | ||
| 985 | |||
| 986 | /* This should be impossible now */ | 984 | /* This should be impossible now */ |
| 987 | if((rq_data_dir(req) == WRITE) && !dev->openflags.w){ | 985 | if((rq_data_dir(req) == WRITE) && !dev->openflags.w){ |
| 988 | printk("Write attempted on readonly ubd device %s\n", | 986 | printk("Write attempted on readonly ubd device %s\n", |
diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c index f7462502bfdf..b94a396aa624 100644 --- a/block/ll_rw_blk.c +++ b/block/ll_rw_blk.c | |||
| @@ -283,7 +283,6 @@ static inline void rq_init(request_queue_t *q, struct request *rq) | |||
| 283 | INIT_LIST_HEAD(&rq->donelist); | 283 | INIT_LIST_HEAD(&rq->donelist); |
| 284 | 284 | ||
| 285 | rq->errors = 0; | 285 | rq->errors = 0; |
| 286 | rq->rq_status = RQ_ACTIVE; | ||
| 287 | rq->bio = rq->biotail = NULL; | 286 | rq->bio = rq->biotail = NULL; |
| 288 | INIT_HLIST_NODE(&rq->hash); | 287 | INIT_HLIST_NODE(&rq->hash); |
| 289 | RB_CLEAR_NODE(&rq->rb_node); | 288 | RB_CLEAR_NODE(&rq->rb_node); |
| @@ -2685,8 +2684,6 @@ void __blk_put_request(request_queue_t *q, struct request *req) | |||
| 2685 | 2684 | ||
| 2686 | elv_completed_request(q, req); | 2685 | elv_completed_request(q, req); |
| 2687 | 2686 | ||
| 2688 | req->rq_status = RQ_INACTIVE; | ||
| 2689 | |||
| 2690 | /* | 2687 | /* |
| 2691 | * Request may not have originated from ll_rw_blk. if not, | 2688 | * Request may not have originated from ll_rw_blk. if not, |
| 2692 | * it didn't come out of our reserved rq pools | 2689 | * it didn't come out of our reserved rq pools |
diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c index 500d2ebb41e4..38578b9dbfd1 100644 --- a/drivers/block/paride/pd.c +++ b/drivers/block/paride/pd.c | |||
| @@ -719,7 +719,6 @@ static int pd_special_command(struct pd_unit *disk, | |||
| 719 | 719 | ||
| 720 | memset(&rq, 0, sizeof(rq)); | 720 | memset(&rq, 0, sizeof(rq)); |
| 721 | rq.errors = 0; | 721 | rq.errors = 0; |
| 722 | rq.rq_status = RQ_ACTIVE; | ||
| 723 | rq.rq_disk = disk->gd; | 722 | rq.rq_disk = disk->gd; |
| 724 | rq.ref_count = 1; | 723 | rq.ref_count = 1; |
| 725 | rq.end_io_data = &wait; | 724 | rq.end_io_data = &wait; |
diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c index cc42e762396f..f2305ee792a1 100644 --- a/drivers/block/swim3.c +++ b/drivers/block/swim3.c | |||
| @@ -319,8 +319,8 @@ static void start_request(struct floppy_state *fs) | |||
| 319 | printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", | 319 | printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", |
| 320 | req->rq_disk->disk_name, req->cmd, | 320 | req->rq_disk->disk_name, req->cmd, |
| 321 | (long)req->sector, req->nr_sectors, req->buffer); | 321 | (long)req->sector, req->nr_sectors, req->buffer); |
| 322 | printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n", | 322 | printk(" errors=%d current_nr_sectors=%ld\n", |
| 323 | req->rq_status, req->errors, req->current_nr_sectors); | 323 | req->errors, req->current_nr_sectors); |
| 324 | #endif | 324 | #endif |
| 325 | 325 | ||
| 326 | if (req->sector < 0 || req->sector >= fs->total_secs) { | 326 | if (req->sector < 0 || req->sector >= fs->total_secs) { |
diff --git a/drivers/block/swim_iop.c b/drivers/block/swim_iop.c index 89e3c2f8b776..dfda796eba56 100644 --- a/drivers/block/swim_iop.c +++ b/drivers/block/swim_iop.c | |||
| @@ -529,8 +529,8 @@ static void start_request(struct floppy_state *fs) | |||
| 529 | printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", | 529 | printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", |
| 530 | CURRENT->rq_disk->disk_name, CURRENT->cmd, | 530 | CURRENT->rq_disk->disk_name, CURRENT->cmd, |
| 531 | CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer); | 531 | CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer); |
| 532 | printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n", | 532 | printk(" errors=%d current_nr_sectors=%ld\n", |
| 533 | CURRENT->rq_status, CURRENT->errors, CURRENT->current_nr_sectors); | 533 | CURRENT->errors, CURRENT->current_nr_sectors); |
| 534 | #endif | 534 | #endif |
| 535 | 535 | ||
| 536 | if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) { | 536 | if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) { |
diff --git a/drivers/fc4/fc.c b/drivers/fc4/fc.c index 1a159e8843ca..22d17474755f 100644 --- a/drivers/fc4/fc.c +++ b/drivers/fc4/fc.c | |||
| @@ -974,7 +974,6 @@ int fcp_scsi_dev_reset(Scsi_Cmnd *SCpnt) | |||
| 974 | */ | 974 | */ |
| 975 | 975 | ||
| 976 | fc->rst_pkt->device->host->eh_action = &sem; | 976 | fc->rst_pkt->device->host->eh_action = &sem; |
| 977 | fc->rst_pkt->request->rq_status = RQ_SCSI_BUSY; | ||
| 978 | 977 | ||
| 979 | fc->rst_pkt->done = fcp_scsi_reset_done; | 978 | fc->rst_pkt->done = fcp_scsi_reset_done; |
| 980 | 979 | ||
diff --git a/drivers/ide/ide-floppy.c b/drivers/ide/ide-floppy.c index 0edc32204915..8ccee9c769f8 100644 --- a/drivers/ide/ide-floppy.c +++ b/drivers/ide/ide-floppy.c | |||
| @@ -1281,8 +1281,7 @@ static ide_startstop_t idefloppy_do_request (ide_drive_t *drive, struct request | |||
| 1281 | idefloppy_pc_t *pc; | 1281 | idefloppy_pc_t *pc; |
| 1282 | unsigned long block = (unsigned long)block_s; | 1282 | unsigned long block = (unsigned long)block_s; |
| 1283 | 1283 | ||
| 1284 | debug_log(KERN_INFO "rq_status: %d, dev: %s, flags: %lx, errors: %d\n", | 1284 | debug_log(KERN_INFO "dev: %s, flags: %lx, errors: %d\n", |
| 1285 | rq->rq_status, | ||
| 1286 | rq->rq_disk ? rq->rq_disk->disk_name : "?", | 1285 | rq->rq_disk ? rq->rq_disk->disk_name : "?", |
| 1287 | rq->flags, rq->errors); | 1286 | rq->flags, rq->errors); |
| 1288 | debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, " | 1287 | debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, " |
diff --git a/drivers/ide/ide-io.c b/drivers/ide/ide-io.c index a3ffb04436bd..38479a29d3e1 100644 --- a/drivers/ide/ide-io.c +++ b/drivers/ide/ide-io.c | |||
| @@ -1710,7 +1710,6 @@ int ide_do_drive_cmd (ide_drive_t *drive, struct request *rq, ide_action_t actio | |||
| 1710 | int must_wait = (action == ide_wait || action == ide_head_wait); | 1710 | int must_wait = (action == ide_wait || action == ide_head_wait); |
| 1711 | 1711 | ||
| 1712 | rq->errors = 0; | 1712 | rq->errors = 0; |
| 1713 | rq->rq_status = RQ_ACTIVE; | ||
| 1714 | 1713 | ||
| 1715 | /* | 1714 | /* |
| 1716 | * we need to hold an extra reference to request for safe inspection | 1715 | * we need to hold an extra reference to request for safe inspection |
diff --git a/drivers/ide/ide-tape.c b/drivers/ide/ide-tape.c index 66f9678d2f10..2ebc3760f261 100644 --- a/drivers/ide/ide-tape.c +++ b/drivers/ide/ide-tape.c | |||
| @@ -2423,8 +2423,8 @@ static ide_startstop_t idetape_do_request(ide_drive_t *drive, | |||
| 2423 | #if IDETAPE_DEBUG_LOG | 2423 | #if IDETAPE_DEBUG_LOG |
| 2424 | #if 0 | 2424 | #if 0 |
| 2425 | if (tape->debug_level >= 5) | 2425 | if (tape->debug_level >= 5) |
| 2426 | printk(KERN_INFO "ide-tape: rq_status: %d, " | 2426 | printk(KERN_INFO "ide-tape: %d, " |
| 2427 | "dev: %s, cmd: %ld, errors: %d\n", rq->rq_status, | 2427 | "dev: %s, cmd: %ld, errors: %d\n", |
| 2428 | rq->rq_disk->disk_name, rq->cmd[0], rq->errors); | 2428 | rq->rq_disk->disk_name, rq->cmd[0], rq->errors); |
| 2429 | #endif | 2429 | #endif |
| 2430 | if (tape->debug_level >= 2) | 2430 | if (tape->debug_level >= 2) |
diff --git a/drivers/scsi/ide-scsi.c b/drivers/scsi/ide-scsi.c index 65b19695ebe2..1427a41e8441 100644 --- a/drivers/scsi/ide-scsi.c +++ b/drivers/scsi/ide-scsi.c | |||
| @@ -708,7 +708,7 @@ static ide_startstop_t idescsi_issue_pc (ide_drive_t *drive, idescsi_pc_t *pc) | |||
| 708 | static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block) | 708 | static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block) |
| 709 | { | 709 | { |
| 710 | #if IDESCSI_DEBUG_LOG | 710 | #if IDESCSI_DEBUG_LOG |
| 711 | printk (KERN_INFO "rq_status: %d, dev: %s, cmd: %x, errors: %d\n",rq->rq_status, rq->rq_disk->disk_name,rq->cmd[0],rq->errors); | 711 | printk (KERN_INFO "dev: %s, cmd: %x, errors: %d\n", rq->rq_disk->disk_name,rq->cmd[0],rq->errors); |
| 712 | printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors); | 712 | printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors); |
| 713 | #endif /* IDESCSI_DEBUG_LOG */ | 713 | #endif /* IDESCSI_DEBUG_LOG */ |
| 714 | 714 | ||
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index 7a054f9d1ee3..12f6639dda2d 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c | |||
| @@ -1065,7 +1065,7 @@ int scsi_device_cancel(struct scsi_device *sdev, int recovery) | |||
| 1065 | 1065 | ||
| 1066 | spin_lock_irqsave(&sdev->list_lock, flags); | 1066 | spin_lock_irqsave(&sdev->list_lock, flags); |
| 1067 | list_for_each_entry(scmd, &sdev->cmd_list, list) { | 1067 | list_for_each_entry(scmd, &sdev->cmd_list, list) { |
| 1068 | if (scmd->request && scmd->request->rq_status != RQ_INACTIVE) { | 1068 | if (scmd->request) { |
| 1069 | /* | 1069 | /* |
| 1070 | * If we are unable to remove the timer, it means | 1070 | * If we are unable to remove the timer, it means |
| 1071 | * that the command has already timed out or | 1071 | * that the command has already timed out or |
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index d4c1dd046e27..8a3e309e0842 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h | |||
| @@ -243,8 +243,6 @@ struct request { | |||
| 243 | 243 | ||
| 244 | void *completion_data; | 244 | void *completion_data; |
| 245 | 245 | ||
| 246 | int rq_status; /* should split this into a few status bits */ | ||
| 247 | int errors; | ||
| 248 | struct gendisk *rq_disk; | 246 | struct gendisk *rq_disk; |
| 249 | unsigned long start_time; | 247 | unsigned long start_time; |
| 250 | 248 | ||
| @@ -262,14 +260,16 @@ struct request { | |||
| 262 | 260 | ||
| 263 | unsigned short ioprio; | 261 | unsigned short ioprio; |
| 264 | 262 | ||
| 265 | int tag; | ||
| 266 | |||
| 267 | int ref_count; | ||
| 268 | request_queue_t *q; | 263 | request_queue_t *q; |
| 269 | 264 | ||
| 270 | void *special; | 265 | void *special; |
| 271 | char *buffer; | 266 | char *buffer; |
| 272 | 267 | ||
| 268 | int tag; | ||
| 269 | int errors; | ||
| 270 | |||
| 271 | int ref_count; | ||
| 272 | |||
| 273 | /* | 273 | /* |
| 274 | * when request is used as a packet command carrier | 274 | * when request is used as a packet command carrier |
| 275 | */ | 275 | */ |
| @@ -456,9 +456,6 @@ struct request_queue | |||
| 456 | struct mutex sysfs_lock; | 456 | struct mutex sysfs_lock; |
| 457 | }; | 457 | }; |
| 458 | 458 | ||
| 459 | #define RQ_INACTIVE (-1) | ||
| 460 | #define RQ_ACTIVE 1 | ||
| 461 | |||
| 462 | #define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */ | 459 | #define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */ |
| 463 | #define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */ | 460 | #define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */ |
| 464 | #define QUEUE_FLAG_STOPPED 2 /* queue is stopped */ | 461 | #define QUEUE_FLAG_STOPPED 2 /* queue is stopped */ |