aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMartin Schwidefsky <schwidefsky@de.ibm.com>2008-05-30 04:03:33 -0400
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2008-05-30 04:03:36 -0400
commit4657fb8a98a4e02981a574492bbe470c147b6657 (patch)
tree9363e9452ce5b798cad43b83b0276bda6a7568c9 /drivers
parent54ad64129cc166b9eec7151f3f9fc83589e33555 (diff)
[S390] tape: fix race with stack local wait_queue_head_t.
A wait_event call with a stack local wait_queue_head_t structure that is used to do the wake up for the wait_event is inherently racy. After the wait_event finished the wake_up call might not have completed yet. Replace the stack local wait_queue_head_t in tape_do_io and tape_do_io_interruptible with a per device wait queue. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/s390/char/tape.h3
-rw-r--r--drivers/s390/char/tape_core.c16
2 files changed, 10 insertions, 9 deletions
diff --git a/drivers/s390/char/tape.h b/drivers/s390/char/tape.h
index dddf8d62c153..d0d565a05dfe 100644
--- a/drivers/s390/char/tape.h
+++ b/drivers/s390/char/tape.h
@@ -231,6 +231,9 @@ struct tape_device {
231 /* Request queue. */ 231 /* Request queue. */
232 struct list_head req_queue; 232 struct list_head req_queue;
233 233
234 /* Request wait queue. */
235 wait_queue_head_t wait_queue;
236
234 /* Each tape device has (currently) two minor numbers. */ 237 /* Each tape device has (currently) two minor numbers. */
235 int first_minor; 238 int first_minor;
236 239
diff --git a/drivers/s390/char/tape_core.c b/drivers/s390/char/tape_core.c
index 76e44eb7c47f..c20e3c548343 100644
--- a/drivers/s390/char/tape_core.c
+++ b/drivers/s390/char/tape_core.c
@@ -449,6 +449,7 @@ tape_alloc_device(void)
449 INIT_LIST_HEAD(&device->req_queue); 449 INIT_LIST_HEAD(&device->req_queue);
450 INIT_LIST_HEAD(&device->node); 450 INIT_LIST_HEAD(&device->node);
451 init_waitqueue_head(&device->state_change_wq); 451 init_waitqueue_head(&device->state_change_wq);
452 init_waitqueue_head(&device->wait_queue);
452 device->tape_state = TS_INIT; 453 device->tape_state = TS_INIT;
453 device->medium_state = MS_UNKNOWN; 454 device->medium_state = MS_UNKNOWN;
454 *device->modeset_byte = 0; 455 *device->modeset_byte = 0;
@@ -954,21 +955,19 @@ __tape_wake_up(struct tape_request *request, void *data)
954int 955int
955tape_do_io(struct tape_device *device, struct tape_request *request) 956tape_do_io(struct tape_device *device, struct tape_request *request)
956{ 957{
957 wait_queue_head_t wq;
958 int rc; 958 int rc;
959 959
960 init_waitqueue_head(&wq);
961 spin_lock_irq(get_ccwdev_lock(device->cdev)); 960 spin_lock_irq(get_ccwdev_lock(device->cdev));
962 /* Setup callback */ 961 /* Setup callback */
963 request->callback = __tape_wake_up; 962 request->callback = __tape_wake_up;
964 request->callback_data = &wq; 963 request->callback_data = &device->wait_queue;
965 /* Add request to request queue and try to start it. */ 964 /* Add request to request queue and try to start it. */
966 rc = __tape_start_request(device, request); 965 rc = __tape_start_request(device, request);
967 spin_unlock_irq(get_ccwdev_lock(device->cdev)); 966 spin_unlock_irq(get_ccwdev_lock(device->cdev));
968 if (rc) 967 if (rc)
969 return rc; 968 return rc;
970 /* Request added to the queue. Wait for its completion. */ 969 /* Request added to the queue. Wait for its completion. */
971 wait_event(wq, (request->callback == NULL)); 970 wait_event(device->wait_queue, (request->callback == NULL));
972 /* Get rc from request */ 971 /* Get rc from request */
973 return request->rc; 972 return request->rc;
974} 973}
@@ -989,20 +988,19 @@ int
989tape_do_io_interruptible(struct tape_device *device, 988tape_do_io_interruptible(struct tape_device *device,
990 struct tape_request *request) 989 struct tape_request *request)
991{ 990{
992 wait_queue_head_t wq;
993 int rc; 991 int rc;
994 992
995 init_waitqueue_head(&wq);
996 spin_lock_irq(get_ccwdev_lock(device->cdev)); 993 spin_lock_irq(get_ccwdev_lock(device->cdev));
997 /* Setup callback */ 994 /* Setup callback */
998 request->callback = __tape_wake_up_interruptible; 995 request->callback = __tape_wake_up_interruptible;
999 request->callback_data = &wq; 996 request->callback_data = &device->wait_queue;
1000 rc = __tape_start_request(device, request); 997 rc = __tape_start_request(device, request);
1001 spin_unlock_irq(get_ccwdev_lock(device->cdev)); 998 spin_unlock_irq(get_ccwdev_lock(device->cdev));
1002 if (rc) 999 if (rc)
1003 return rc; 1000 return rc;
1004 /* Request added to the queue. Wait for its completion. */ 1001 /* Request added to the queue. Wait for its completion. */
1005 rc = wait_event_interruptible(wq, (request->callback == NULL)); 1002 rc = wait_event_interruptible(device->wait_queue,
1003 (request->callback == NULL));
1006 if (rc != -ERESTARTSYS) 1004 if (rc != -ERESTARTSYS)
1007 /* Request finished normally. */ 1005 /* Request finished normally. */
1008 return request->rc; 1006 return request->rc;
@@ -1015,7 +1013,7 @@ tape_do_io_interruptible(struct tape_device *device,
1015 /* Wait for the interrupt that acknowledges the halt. */ 1013 /* Wait for the interrupt that acknowledges the halt. */
1016 do { 1014 do {
1017 rc = wait_event_interruptible( 1015 rc = wait_event_interruptible(
1018 wq, 1016 device->wait_queue,
1019 (request->callback == NULL) 1017 (request->callback == NULL)
1020 ); 1018 );
1021 } while (rc == -ERESTARTSYS); 1019 } while (rc == -ERESTARTSYS);