diff options
author | Max Asbock <masbock@us.ibm.com> | 2005-06-21 20:16:36 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-06-21 22:07:35 -0400 |
commit | 8818760512424f60ad9fafb7a087b007a9274eb3 (patch) | |
tree | fb49ce398750f42803d4631a24e4a2ffe35d79d7 /drivers/misc/ibmasm/command.c | |
parent | 278d72ae8803ffcd16070c95fe1d53f4466dc741 (diff) |
[PATCH] ibmasm driver: fix race in command refcount logic
This patch fixes a race in the command reference counting logic by putting
spinlocks around kobject_put() in the command_put function.
- Also added debug messages.
- Changed a memcpy to memcpy_fromio since we are reading from io space.
Signed-off-by: Max Asbock <masbock@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/misc/ibmasm/command.c')
-rw-r--r-- | drivers/misc/ibmasm/command.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/drivers/misc/ibmasm/command.c b/drivers/misc/ibmasm/command.c index 245b0058381d..07a085ccbd5b 100644 --- a/drivers/misc/ibmasm/command.c +++ b/drivers/misc/ibmasm/command.c | |||
@@ -23,6 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "ibmasm.h" | 25 | #include "ibmasm.h" |
26 | #include "lowlevel.h" | ||
26 | 27 | ||
27 | static void exec_next_command(struct service_processor *sp); | 28 | static void exec_next_command(struct service_processor *sp); |
28 | static void free_command(struct kobject *kobj); | 29 | static void free_command(struct kobject *kobj); |
@@ -31,8 +32,9 @@ static struct kobj_type ibmasm_cmd_kobj_type = { | |||
31 | .release = free_command, | 32 | .release = free_command, |
32 | }; | 33 | }; |
33 | 34 | ||
35 | static atomic_t command_count = ATOMIC_INIT(0); | ||
34 | 36 | ||
35 | struct command *ibmasm_new_command(size_t buffer_size) | 37 | struct command *ibmasm_new_command(struct service_processor *sp, size_t buffer_size) |
36 | { | 38 | { |
37 | struct command *cmd; | 39 | struct command *cmd; |
38 | 40 | ||
@@ -55,11 +57,15 @@ struct command *ibmasm_new_command(size_t buffer_size) | |||
55 | 57 | ||
56 | kobject_init(&cmd->kobj); | 58 | kobject_init(&cmd->kobj); |
57 | cmd->kobj.ktype = &ibmasm_cmd_kobj_type; | 59 | cmd->kobj.ktype = &ibmasm_cmd_kobj_type; |
60 | cmd->lock = &sp->lock; | ||
58 | 61 | ||
59 | cmd->status = IBMASM_CMD_PENDING; | 62 | cmd->status = IBMASM_CMD_PENDING; |
60 | init_waitqueue_head(&cmd->wait); | 63 | init_waitqueue_head(&cmd->wait); |
61 | INIT_LIST_HEAD(&cmd->queue_node); | 64 | INIT_LIST_HEAD(&cmd->queue_node); |
62 | 65 | ||
66 | atomic_inc(&command_count); | ||
67 | dbg("command count: %d\n", atomic_read(&command_count)); | ||
68 | |||
63 | return cmd; | 69 | return cmd; |
64 | } | 70 | } |
65 | 71 | ||
@@ -68,6 +74,8 @@ static void free_command(struct kobject *kobj) | |||
68 | struct command *cmd = to_command(kobj); | 74 | struct command *cmd = to_command(kobj); |
69 | 75 | ||
70 | list_del(&cmd->queue_node); | 76 | list_del(&cmd->queue_node); |
77 | atomic_dec(&command_count); | ||
78 | dbg("command count: %d\n", atomic_read(&command_count)); | ||
71 | kfree(cmd->buffer); | 79 | kfree(cmd->buffer); |
72 | kfree(cmd); | 80 | kfree(cmd); |
73 | } | 81 | } |
@@ -94,8 +102,14 @@ static struct command *dequeue_command(struct service_processor *sp) | |||
94 | 102 | ||
95 | static inline void do_exec_command(struct service_processor *sp) | 103 | static inline void do_exec_command(struct service_processor *sp) |
96 | { | 104 | { |
105 | char tsbuf[32]; | ||
106 | |||
107 | dbg("%s:%d at %s\n", __FUNCTION__, __LINE__, get_timestamp(tsbuf)); | ||
108 | |||
97 | if (ibmasm_send_i2o_message(sp)) { | 109 | if (ibmasm_send_i2o_message(sp)) { |
98 | sp->current_command->status = IBMASM_CMD_FAILED; | 110 | sp->current_command->status = IBMASM_CMD_FAILED; |
111 | wake_up(&sp->current_command->wait); | ||
112 | command_put(sp->current_command); | ||
99 | exec_next_command(sp); | 113 | exec_next_command(sp); |
100 | } | 114 | } |
101 | } | 115 | } |
@@ -111,14 +125,16 @@ static inline void do_exec_command(struct service_processor *sp) | |||
111 | void ibmasm_exec_command(struct service_processor *sp, struct command *cmd) | 125 | void ibmasm_exec_command(struct service_processor *sp, struct command *cmd) |
112 | { | 126 | { |
113 | unsigned long flags; | 127 | unsigned long flags; |
128 | char tsbuf[32]; | ||
129 | |||
130 | dbg("%s:%d at %s\n", __FUNCTION__, __LINE__, get_timestamp(tsbuf)); | ||
114 | 131 | ||
115 | spin_lock_irqsave(&sp->lock, flags); | 132 | spin_lock_irqsave(&sp->lock, flags); |
116 | 133 | ||
117 | if (!sp->current_command) { | 134 | if (!sp->current_command) { |
118 | command_get(cmd); | ||
119 | sp->current_command = cmd; | 135 | sp->current_command = cmd; |
136 | command_get(sp->current_command); | ||
120 | spin_unlock_irqrestore(&sp->lock, flags); | 137 | spin_unlock_irqrestore(&sp->lock, flags); |
121 | |||
122 | do_exec_command(sp); | 138 | do_exec_command(sp); |
123 | } else { | 139 | } else { |
124 | enqueue_command(sp, cmd); | 140 | enqueue_command(sp, cmd); |
@@ -129,9 +145,9 @@ void ibmasm_exec_command(struct service_processor *sp, struct command *cmd) | |||
129 | static void exec_next_command(struct service_processor *sp) | 145 | static void exec_next_command(struct service_processor *sp) |
130 | { | 146 | { |
131 | unsigned long flags; | 147 | unsigned long flags; |
148 | char tsbuf[32]; | ||
132 | 149 | ||
133 | wake_up(&sp->current_command->wait); | 150 | dbg("%s:%d at %s\n", __FUNCTION__, __LINE__, get_timestamp(tsbuf)); |
134 | command_put(sp->current_command); | ||
135 | 151 | ||
136 | spin_lock_irqsave(&sp->lock, flags); | 152 | spin_lock_irqsave(&sp->lock, flags); |
137 | sp->current_command = dequeue_command(sp); | 153 | sp->current_command = dequeue_command(sp); |
@@ -169,7 +185,9 @@ void ibmasm_receive_command_response(struct service_processor *sp, void *respons | |||
169 | if (!sp->current_command) | 185 | if (!sp->current_command) |
170 | return; | 186 | return; |
171 | 187 | ||
172 | memcpy(cmd->buffer, response, min(size, cmd->buffer_size)); | 188 | memcpy_fromio(cmd->buffer, response, min(size, cmd->buffer_size)); |
173 | cmd->status = IBMASM_CMD_COMPLETE; | 189 | cmd->status = IBMASM_CMD_COMPLETE; |
190 | wake_up(&sp->current_command->wait); | ||
191 | command_put(sp->current_command); | ||
174 | exec_next_command(sp); | 192 | exec_next_command(sp); |
175 | } | 193 | } |