diff options
| author | Tejun Heo <tj@kernel.org> | 2008-09-24 17:22:23 -0400 |
|---|---|---|
| committer | Eric Van Hensbergen <ericvh@ericvh-desktop.austin.ibm.com> | 2008-09-24 17:22:23 -0400 |
| commit | 7dc5d24be06a5ed874af035d52a083a7b61ef1bd (patch) | |
| tree | 74f8e59f6a32ffc099dca3eb1eed9d6e6b58b616 | |
| parent | 72029fe85d8d060b3f966f2dbc36b3c75b5a6532 (diff) | |
9p-trans_fd: fix trans_fd::p9_conn_destroy()
p9_conn_destroy() first kills all current requests by calling
p9_conn_cancel(), then waits for the request list to be cleared by
waiting on p9_conn->equeue. After that, polling is stopped and the
trans is destroyed. This sequence has a few problems.
* Read and write works were never cancelled and the p9_conn can be
destroyed while the works are running as r/w works remove requests
from the list and dereference the p9_conn from them.
* The list emptiness wait using p9_conn->equeue wouldn't trigger
because p9_conn_cancel() always clears all the lists and the only
way the wait can be triggered is to have another task to issue a
request between the slim window between p9_conn_cancel() and the
wait, which isn't safe under the current implementation with or
without the wait.
This patch fixes the problem by first stopping poll, which can
schedule r/w works, first and cancle r/w works which guarantees that
r/w works are not and will not run from that point and then calling
p9_conn_cancel() and do the rest of destruction.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
| -rw-r--r-- | net/9p/trans_fd.c | 24 |
1 files changed, 5 insertions, 19 deletions
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 6a32ffdb9429..ee0d151da31a 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c | |||
| @@ -151,7 +151,6 @@ struct p9_mux_poll_task { | |||
| 151 | * @trans: reference to transport instance for this connection | 151 | * @trans: reference to transport instance for this connection |
| 152 | * @tagpool: id accounting for transactions | 152 | * @tagpool: id accounting for transactions |
| 153 | * @err: error state | 153 | * @err: error state |
| 154 | * @equeue: event wait_q (?) | ||
| 155 | * @req_list: accounting for requests which have been sent | 154 | * @req_list: accounting for requests which have been sent |
| 156 | * @unsent_req_list: accounting for requests that haven't been sent | 155 | * @unsent_req_list: accounting for requests that haven't been sent |
| 157 | * @rcall: current response &p9_fcall structure | 156 | * @rcall: current response &p9_fcall structure |
| @@ -178,7 +177,6 @@ struct p9_conn { | |||
| 178 | struct p9_trans *trans; | 177 | struct p9_trans *trans; |
| 179 | struct p9_idpool *tagpool; | 178 | struct p9_idpool *tagpool; |
| 180 | int err; | 179 | int err; |
| 181 | wait_queue_head_t equeue; | ||
| 182 | struct list_head req_list; | 180 | struct list_head req_list; |
| 183 | struct list_head unsent_req_list; | 181 | struct list_head unsent_req_list; |
| 184 | struct p9_fcall *rcall; | 182 | struct p9_fcall *rcall; |
| @@ -430,7 +428,6 @@ static struct p9_conn *p9_conn_create(struct p9_trans *trans) | |||
| 430 | } | 428 | } |
| 431 | 429 | ||
| 432 | m->err = 0; | 430 | m->err = 0; |
| 433 | init_waitqueue_head(&m->equeue); | ||
| 434 | INIT_LIST_HEAD(&m->req_list); | 431 | INIT_LIST_HEAD(&m->req_list); |
| 435 | INIT_LIST_HEAD(&m->unsent_req_list); | 432 | INIT_LIST_HEAD(&m->unsent_req_list); |
| 436 | m->rcall = NULL; | 433 | m->rcall = NULL; |
| @@ -483,18 +480,13 @@ static void p9_conn_destroy(struct p9_conn *m) | |||
| 483 | { | 480 | { |
| 484 | P9_DPRINTK(P9_DEBUG_MUX, "mux %p prev %p next %p\n", m, | 481 | P9_DPRINTK(P9_DEBUG_MUX, "mux %p prev %p next %p\n", m, |
| 485 | m->mux_list.prev, m->mux_list.next); | 482 | m->mux_list.prev, m->mux_list.next); |
| 486 | p9_conn_cancel(m, -ECONNRESET); | ||
| 487 | |||
| 488 | if (!list_empty(&m->req_list)) { | ||
| 489 | /* wait until all processes waiting on this session exit */ | ||
| 490 | P9_DPRINTK(P9_DEBUG_MUX, | ||
| 491 | "mux %p waiting for empty request queue\n", m); | ||
| 492 | wait_event_timeout(m->equeue, (list_empty(&m->req_list)), 5000); | ||
| 493 | P9_DPRINTK(P9_DEBUG_MUX, "mux %p request queue empty: %d\n", m, | ||
| 494 | list_empty(&m->req_list)); | ||
| 495 | } | ||
| 496 | 483 | ||
| 497 | p9_mux_poll_stop(m); | 484 | p9_mux_poll_stop(m); |
| 485 | cancel_work_sync(&m->rq); | ||
| 486 | cancel_work_sync(&m->wq); | ||
| 487 | |||
| 488 | p9_conn_cancel(m, -ECONNRESET); | ||
| 489 | |||
| 498 | m->trans = NULL; | 490 | m->trans = NULL; |
| 499 | p9_idpool_destroy(m->tagpool); | 491 | p9_idpool_destroy(m->tagpool); |
| 500 | kfree(m); | 492 | kfree(m); |
| @@ -840,8 +832,6 @@ static void p9_read_work(struct work_struct *work) | |||
| 840 | (*req->cb) (req, req->cba); | 832 | (*req->cb) (req, req->cba); |
| 841 | else | 833 | else |
| 842 | kfree(req->rcall); | 834 | kfree(req->rcall); |
| 843 | |||
| 844 | wake_up(&m->equeue); | ||
| 845 | } | 835 | } |
| 846 | } else { | 836 | } else { |
| 847 | if (err >= 0 && rcall->id != P9_RFLUSH) | 837 | if (err >= 0 && rcall->id != P9_RFLUSH) |
| @@ -984,8 +974,6 @@ static void p9_mux_flush_cb(struct p9_req *freq, void *a) | |||
| 984 | (*req->cb) (req, req->cba); | 974 | (*req->cb) (req, req->cba); |
| 985 | else | 975 | else |
| 986 | kfree(req->rcall); | 976 | kfree(req->rcall); |
| 987 | |||
| 988 | wake_up(&m->equeue); | ||
| 989 | } | 977 | } |
| 990 | 978 | ||
| 991 | kfree(freq->tcall); | 979 | kfree(freq->tcall); |
| @@ -1191,8 +1179,6 @@ void p9_conn_cancel(struct p9_conn *m, int err) | |||
| 1191 | else | 1179 | else |
| 1192 | kfree(req->rcall); | 1180 | kfree(req->rcall); |
| 1193 | } | 1181 | } |
| 1194 | |||
| 1195 | wake_up(&m->equeue); | ||
| 1196 | } | 1182 | } |
| 1197 | 1183 | ||
| 1198 | /** | 1184 | /** |