authorTony Battersby <tonyb@cybernetics.com>2009-01-21 14:45:50 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2009-03-12 13:58:04 -0400
commitc6517b7942fad663cc1cf3235cbe4207cf769332 (patch)
tree63af1b1aa434d756d7b7128f9e5d77bcdcbdf15e /drivers
parentbd5cd9cdc5379088b7e4e9a1757a1d101223a005 (diff)
[SCSI] sg: fix races during device removal
sg has the following problems related to device removal: * opening a sg fd races with removing a device * closing a sg fd races with removing a device * /proc/scsi/sg/* access races with removing a device * command completion races with removing a device * command completion races with closing a sg fd * can rmmod sg with active commands These problems can cause kernel oopses, memory-use-after-free, or double-free errors. This patch fixes these problems by using krefs to manage the lifetime of sg_device and sg_fd. Each command submitted to the midlevel holds a reference to sg_fd until the completion callback. This ensures that sg_fd doesn't go away if the fd is closed with commands still outstanding. sg_fd gets the reference of sg_device (with scsi_device) and also makes sure that the sg module doesn't go away. /proc/scsi/sg/* functions don't play nicely with krefs because they give information about sg_fds which have been closed but not yet freed due to still having outstanding commands and sg_devices which have been removed but not yet freed due to still being referenced by one or more sg_fds. To deal with this safely without removing functionality, /proc functions now access sg_device and sg_fd while holding a lock instead of using kref_get()/kref_put(). Signed-off-by: Tony Battersby <tonyb@cybernetics.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/scsi/sg.c418
1 files changed, 201 insertions, 217 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 516925d8b570..b447527555a7 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -101,6 +101,7 @@ static int scatter_elem_sz_prev = SG_SCATTER_SZ;
101#define SG_SECTOR_MSK (SG_SECTOR_SZ - 1) 101#define SG_SECTOR_MSK (SG_SECTOR_SZ - 1)
102 102
103static int sg_add(struct device *, struct class_interface *); 103static int sg_add(struct device *, struct class_interface *);
104static void sg_device_destroy(struct kref *kref);
104static void sg_remove(struct device *, struct class_interface *); 105static void sg_remove(struct device *, struct class_interface *);
105 106
106static DEFINE_IDR(sg_index_idr); 107static DEFINE_IDR(sg_index_idr);
@@ -158,6 +159,8 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
158 char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ 159 char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */
159 char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ 160 char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
160 char mmap_called; /* 0 -> mmap() never called on this fd */ 161 char mmap_called; /* 0 -> mmap() never called on this fd */
162 struct kref f_ref;
163 struct execute_work ew;
161} Sg_fd; 164} Sg_fd;
162 165
163typedef struct sg_device { /* holds the state of each scsi generic device */ 166typedef struct sg_device { /* holds the state of each scsi generic device */
@@ -171,6 +174,7 @@ typedef struct sg_device { /* holds the state of each scsi generic device */
171 char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */ 174 char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */
172 struct gendisk *disk; 175 struct gendisk *disk;
173 struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */ 176 struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */
177 struct kref d_ref;
174} Sg_device; 178} Sg_device;
175 179
176static int sg_fasync(int fd, struct file *filp, int mode); 180static int sg_fasync(int fd, struct file *filp, int mode);
@@ -194,13 +198,14 @@ static void sg_build_reserve(Sg_fd * sfp, int req_size);
194static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size); 198static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size);
195static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp); 199static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
196static Sg_fd *sg_add_sfp(Sg_device * sdp, int dev); 200static Sg_fd *sg_add_sfp(Sg_device * sdp, int dev);
197static int sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp); 201static void sg_remove_sfp(struct kref *);
198static void __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp);
199static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id); 202static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
200static Sg_request *sg_add_request(Sg_fd * sfp); 203static Sg_request *sg_add_request(Sg_fd * sfp);
201static int sg_remove_request(Sg_fd * sfp, Sg_request * srp); 204static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
202static int sg_res_in_use(Sg_fd * sfp); 205static int sg_res_in_use(Sg_fd * sfp);
206static Sg_device *sg_lookup_dev(int dev);
203static Sg_device *sg_get_dev(int dev); 207static Sg_device *sg_get_dev(int dev);
208static void sg_put_dev(Sg_device *sdp);
204#ifdef CONFIG_SCSI_PROC_FS 209#ifdef CONFIG_SCSI_PROC_FS
205static int sg_last_dev(void); 210static int sg_last_dev(void);
206#endif 211#endif
@@ -237,22 +242,17 @@ sg_open(struct inode *inode, struct file *filp)
237 nonseekable_open(inode, filp); 242 nonseekable_open(inode, filp);
238 SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags)); 243 SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags));
239 sdp = sg_get_dev(dev); 244 sdp = sg_get_dev(dev);
240 if ((!sdp) || (!sdp->device)) { 245 if (IS_ERR(sdp)) {
241 unlock_kernel(); 246 retval = PTR_ERR(sdp);
242 return -ENXIO; 247 sdp = NULL;
243 } 248 goto sg_put;
244 if (sdp->detached) {
245 unlock_kernel();
246 return -ENODEV;
247 } 249 }
248 250
249 /* This driver's module count bumped by fops_get in <linux/fs.h> */ 251 /* This driver's module count bumped by fops_get in <linux/fs.h> */
250 /* Prevent the device driver from vanishing while we sleep */ 252 /* Prevent the device driver from vanishing while we sleep */
251 retval = scsi_device_get(sdp->device); 253 retval = scsi_device_get(sdp->device);
252 if (retval) { 254 if (retval)
253 unlock_kernel(); 255 goto sg_put;
254 return retval;
255 }
256 256
257 if (!((flags & O_NONBLOCK) || 257 if (!((flags & O_NONBLOCK) ||
258 scsi_block_when_processing_errors(sdp->device))) { 258 scsi_block_when_processing_errors(sdp->device))) {
@@ -303,16 +303,20 @@ sg_open(struct inode *inode, struct file *filp)
303 if ((sfp = sg_add_sfp(sdp, dev))) 303 if ((sfp = sg_add_sfp(sdp, dev)))
304 filp->private_data = sfp; 304 filp->private_data = sfp;
305 else { 305 else {
306 if (flags & O_EXCL) 306 if (flags & O_EXCL) {
307 sdp->exclude = 0; /* undo if error */ 307 sdp->exclude = 0; /* undo if error */
308 wake_up_interruptible(&sdp->o_excl_wait);
309 }
308 retval = -ENOMEM; 310 retval = -ENOMEM;
309 goto error_out; 311 goto error_out;
310 } 312 }
311 unlock_kernel(); 313 retval = 0;
312 return 0; 314error_out:
313 315 if (retval)
314 error_out: 316 scsi_device_put(sdp->device);
315 scsi_device_put(sdp->device); 317sg_put:
318 if (sdp)
319 sg_put_dev(sdp);
316 unlock_kernel(); 320 unlock_kernel();
317 return retval; 321 return retval;
318} 322}
@@ -327,13 +331,13 @@ sg_release(struct inode *inode, struct file *filp)
327 if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) 331 if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
328 return -ENXIO; 332 return -ENXIO;
329 SCSI_LOG_TIMEOUT(3, printk("sg_release: %s\n", sdp->disk->disk_name)); 333 SCSI_LOG_TIMEOUT(3, printk("sg_release: %s\n", sdp->disk->disk_name));
330 if (0 == sg_remove_sfp(sdp, sfp)) { /* Returns 1 when sdp gone */ 334
331 if (!sdp->detached) { 335 sfp->closed = 1;
332 scsi_device_put(sdp->device); 336
333 } 337 sdp->exclude = 0;
334 sdp->exclude = 0; 338 wake_up_interruptible(&sdp->o_excl_wait);
335 wake_up_interruptible(&sdp->o_excl_wait); 339
336 } 340 kref_put(&sfp->f_ref, sg_remove_sfp);
337 return 0; 341 return 0;
338} 342}
339 343
@@ -755,6 +759,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
755 hp->duration = jiffies_to_msecs(jiffies); 759 hp->duration = jiffies_to_msecs(jiffies);
756 760
757 srp->rq->timeout = timeout; 761 srp->rq->timeout = timeout;
762 kref_get(&sfp->f_ref); /* sg_rq_end_io() does kref_put(). */
758 blk_execute_rq_nowait(sdp->device->request_queue, sdp->disk, 763 blk_execute_rq_nowait(sdp->device->request_queue, sdp->disk,
759 srp->rq, 1, sg_rq_end_io); 764 srp->rq, 1, sg_rq_end_io);
760 return 0; 765 return 0;
@@ -1247,24 +1252,23 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
1247static void sg_rq_end_io(struct request *rq, int uptodate) 1252static void sg_rq_end_io(struct request *rq, int uptodate)
1248{ 1253{
1249 struct sg_request *srp = rq->end_io_data; 1254 struct sg_request *srp = rq->end_io_data;
1250 Sg_device *sdp = NULL; 1255 Sg_device *sdp;
1251 Sg_fd *sfp; 1256 Sg_fd *sfp;
1252 unsigned long iflags; 1257 unsigned long iflags;
1253 unsigned int ms; 1258 unsigned int ms;
1254 char *sense; 1259 char *sense;
1255 int result, resid; 1260 int result, resid, done = 1;
1256 1261
1257 if (NULL == srp) { 1262 if (WARN_ON(srp->done != 0))
1258 printk(KERN_ERR "sg_cmd_done: NULL request\n");
1259 return; 1263 return;
1260 } 1264
1261 sfp = srp->parentfp; 1265 sfp = srp->parentfp;
1262 if (sfp) 1266 if (WARN_ON(sfp == NULL))
1263 sdp = sfp->parentdp;
1264 if ((NULL == sdp) || sdp->detached) {
1265 printk(KERN_INFO "sg_cmd_done: device detached\n");
1266 return; 1267 return;
1267 } 1268
1269 sdp = sfp->parentdp;
1270 if (unlikely(sdp->detached))
1271 printk(KERN_INFO "sg_rq_end_io: device detached\n");
1268 1272
1269 sense = rq->sense; 1273 sense = rq->sense;
1270 result = rq->errors; 1274 result = rq->errors;
@@ -1303,33 +1307,26 @@ static void sg_rq_end_io(struct request *rq, int uptodate)
1303 } 1307 }
1304 /* Rely on write phase to clean out srp status values, so no "else" */ 1308 /* Rely on write phase to clean out srp status values, so no "else" */
1305 1309
1306 if (sfp->closed) { /* whoops this fd already released, cleanup */ 1310 write_lock_irqsave(&sfp->rq_list_lock, iflags);
1307 SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, freeing ...\n")); 1311 if (unlikely(srp->orphan)) {
1308 sg_finish_rem_req(srp);
1309 srp = NULL;
1310 if (NULL == sfp->headrp) {
1311 SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, final cleanup\n"));
1312 if (0 == sg_remove_sfp(sdp, sfp)) { /* device still present */
1313 scsi_device_put(sdp->device);
1314 }
1315 sfp = NULL;
1316 }
1317 } else if (srp && srp->orphan) {
1318 if (sfp->keep_orphan) 1312 if (sfp->keep_orphan)
1319 srp->sg_io_owned = 0; 1313 srp->sg_io_owned = 0;
1320 else { 1314 else
1321 sg_finish_rem_req(srp); 1315 done = 0;
1322 srp = NULL;
1323 }
1324 } 1316 }
1325 if (sfp && srp) { 1317 srp->done = done;
1326 /* Now wake up any sg_read() that is waiting for this packet. */ 1318 write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1327 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); 1319
1328 write_lock_irqsave(&sfp->rq_list_lock, iflags); 1320 if (likely(done)) {
1329 srp->done = 1; 1321 /* Now wake up any sg_read() that is waiting for this
1322 * packet.
1323 */
1330 wake_up_interruptible(&sfp->read_wait); 1324 wake_up_interruptible(&sfp->read_wait);
1331 write_unlock_irqrestore(&sfp->rq_list_lock, iflags); 1325 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
1332 } 1326 } else
1327 sg_finish_rem_req(srp); /* call with srp->done == 0 */
1328
1329 kref_put(&sfp->f_ref, sg_remove_sfp);
1333} 1330}
1334 1331
1335static struct file_operations sg_fops = { 1332static struct file_operations sg_fops = {
@@ -1364,17 +1361,18 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
1364 printk(KERN_WARNING "kmalloc Sg_device failure\n"); 1361 printk(KERN_WARNING "kmalloc Sg_device failure\n");
1365 return ERR_PTR(-ENOMEM); 1362 return ERR_PTR(-ENOMEM);
1366 } 1363 }
1367 error = -ENOMEM; 1364
1368 if (!idr_pre_get(&sg_index_idr, GFP_KERNEL)) { 1365 if (!idr_pre_get(&sg_index_idr, GFP_KERNEL)) {
1369 printk(KERN_WARNING "idr expansion Sg_device failure\n"); 1366 printk(KERN_WARNING "idr expansion Sg_device failure\n");
1367 error = -ENOMEM;
1370 goto out; 1368 goto out;
1371 } 1369 }
1372 1370
1373 write_lock_irqsave(&sg_index_lock, iflags); 1371 write_lock_irqsave(&sg_index_lock, iflags);
1374 error = idr_get_new(&sg_index_idr, sdp, &k);
1375 write_unlock_irqrestore(&sg_index_lock, iflags);
1376 1372
1373 error = idr_get_new(&sg_index_idr, sdp, &k);
1377 if (error) { 1374 if (error) {
1375 write_unlock_irqrestore(&sg_index_lock, iflags);
1378 printk(KERN_WARNING "idr allocation Sg_device failure: %d\n", 1376 printk(KERN_WARNING "idr allocation Sg_device failure: %d\n",
1379 error); 1377 error);
1380 goto out; 1378 goto out;
@@ -1391,6 +1389,9 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
1391 init_waitqueue_head(&sdp->o_excl_wait); 1389 init_waitqueue_head(&sdp->o_excl_wait);
1392 sdp->sg_tablesize = min(q->max_hw_segments, q->max_phys_segments); 1390 sdp->sg_tablesize = min(q->max_hw_segments, q->max_phys_segments);
1393 sdp->index = k; 1391 sdp->index = k;
1392 kref_init(&sdp->d_ref);
1393
1394 write_unlock_irqrestore(&sg_index_lock, iflags);
1394 1395
1395 error = 0; 1396 error = 0;
1396 out: 1397 out:
@@ -1401,6 +1402,8 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
1401 return sdp; 1402 return sdp;
1402 1403
1403 overflow: 1404 overflow:
1405 idr_remove(&sg_index_idr, k);
1406 write_unlock_irqrestore(&sg_index_lock, iflags);
1404 sdev_printk(KERN_WARNING, scsidp, 1407 sdev_printk(KERN_WARNING, scsidp,
1405 "Unable to attach sg device type=%d, minor " 1408 "Unable to attach sg device type=%d, minor "
1406 "number exceeds %d\n", scsidp->type, SG_MAX_DEVS - 1); 1409 "number exceeds %d\n", scsidp->type, SG_MAX_DEVS - 1);
@@ -1488,49 +1491,46 @@ out:
1488 return error; 1491 return error;
1489} 1492}
1490 1493
1491static void 1494static void sg_device_destroy(struct kref *kref)
1492sg_remove(struct device *cl_dev, struct class_interface *cl_intf) 1495{
1496 struct sg_device *sdp = container_of(kref, struct sg_device, d_ref);
1497 unsigned long flags;
1498
1499 /* CAUTION! Note that the device can still be found via idr_find()
1500 * even though the refcount is 0. Therefore, do idr_remove() BEFORE
1501 * any other cleanup.
1502 */
1503
1504 write_lock_irqsave(&sg_index_lock, flags);
1505 idr_remove(&sg_index_idr, sdp->index);
1506 write_unlock_irqrestore(&sg_index_lock, flags);
1507
1508 SCSI_LOG_TIMEOUT(3,
1509 printk("sg_device_destroy: %s\n",
1510 sdp->disk->disk_name));
1511
1512 put_disk(sdp->disk);
1513 kfree(sdp);
1514}
1515
1516static void sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
1493{ 1517{
1494 struct scsi_device *scsidp = to_scsi_device(cl_dev->parent); 1518 struct scsi_device *scsidp = to_scsi_device(cl_dev->parent);
1495 Sg_device *sdp = dev_get_drvdata(cl_dev); 1519 Sg_device *sdp = dev_get_drvdata(cl_dev);
1496 unsigned long iflags; 1520 unsigned long iflags;
1497 Sg_fd *sfp; 1521 Sg_fd *sfp;
1498 Sg_fd *tsfp;
1499 Sg_request *srp;
1500 Sg_request *tsrp;
1501 int delay;
1502 1522
1503 if (!sdp) 1523 if (!sdp || sdp->detached)
1504 return; 1524 return;
1505 1525
1506 delay = 0; 1526 SCSI_LOG_TIMEOUT(3, printk("sg_remove: %s\n", sdp->disk->disk_name));
1527
1528 /* Need a write lock to set sdp->detached. */
1507 write_lock_irqsave(&sg_index_lock, iflags); 1529 write_lock_irqsave(&sg_index_lock, iflags);
1508 if (sdp->headfp) { 1530 sdp->detached = 1;
1509 sdp->detached = 1; 1531 for (sfp = sdp->headfp; sfp; sfp = sfp->nextfp) {
1510 for (sfp = sdp->headfp; sfp; sfp = tsfp) { 1532 wake_up_interruptible(&sfp->read_wait);
1511 tsfp = sfp->nextfp; 1533 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_HUP);
1512 for (srp = sfp->headrp; srp; srp = tsrp) {
1513 tsrp = srp->nextrp;
1514 if (sfp->closed || (0 == sg_srp_done(srp, sfp)))
1515 sg_finish_rem_req(srp);
1516 }
1517 if (sfp->closed) {
1518 scsi_device_put(sdp->device);
1519 __sg_remove_sfp(sdp, sfp);
1520 } else {
1521 delay = 1;
1522 wake_up_interruptible(&sfp->read_wait);
1523 kill_fasync(&sfp->async_qp, SIGPOLL,
1524 POLL_HUP);
1525 }
1526 }
1527 SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d, dirty\n", sdp->index));
1528 if (NULL == sdp->headfp) {
1529 idr_remove(&sg_index_idr, sdp->index);
1530 }
1531 } else { /* nothing active, simple case */
1532 SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d\n", sdp->index));
1533 idr_remove(&sg_index_idr, sdp->index);
1534 } 1534 }
1535 write_unlock_irqrestore(&sg_index_lock, iflags); 1535 write_unlock_irqrestore(&sg_index_lock, iflags);
1536 1536
@@ -1538,13 +1538,8 @@ sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
1538 device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index)); 1538 device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
1539 cdev_del(sdp->cdev); 1539 cdev_del(sdp->cdev);
1540 sdp->cdev = NULL; 1540 sdp->cdev = NULL;
1541 put_disk(sdp->disk);
1542 sdp->disk = NULL;
1543 if (NULL == sdp->headfp)
1544 kfree(sdp);
1545 1541
1546 if (delay) 1542 sg_put_dev(sdp);
1547 msleep(10); /* dirty detach so delay device destruction */
1548} 1543}
1549 1544
1550module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR); 1545module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
@@ -1941,22 +1936,6 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
1941 return resp; 1936 return resp;
1942} 1937}
1943 1938
1944#ifdef CONFIG_SCSI_PROC_FS
1945static Sg_request *
1946sg_get_nth_request(Sg_fd * sfp, int nth)
1947{
1948 Sg_request *resp;
1949 unsigned long iflags;
1950 int k;
1951
1952 read_lock_irqsave(&sfp->rq_list_lock, iflags);
1953 for (k = 0, resp = sfp->headrp; resp && (k < nth);
1954 ++k, resp = resp->nextrp) ;
1955 read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
1956 return resp;
1957}
1958#endif
1959
1960/* always adds to end of list */ 1939/* always adds to end of list */
1961static Sg_request * 1940static Sg_request *
1962sg_add_request(Sg_fd * sfp) 1941sg_add_request(Sg_fd * sfp)
@@ -2032,22 +2011,6 @@ sg_remove_request(Sg_fd * sfp, Sg_request * srp)
2032 return res; 2011 return res;
2033} 2012}
2034 2013
2035#ifdef CONFIG_SCSI_PROC_FS
2036static Sg_fd *
2037sg_get_nth_sfp(Sg_device * sdp, int nth)
2038{
2039 Sg_fd *resp;
2040 unsigned long iflags;
2041 int k;
2042
2043 read_lock_irqsave(&sg_index_lock, iflags);
2044 for (k = 0, resp = sdp->headfp; resp && (k < nth);
2045 ++k, resp = resp->nextfp) ;
2046 read_unlock_irqrestore(&sg_index_lock, iflags);
2047 return resp;
2048}
2049#endif
2050
2051static Sg_fd * 2014static Sg_fd *
2052sg_add_sfp(Sg_device * sdp, int dev) 2015sg_add_sfp(Sg_device * sdp, int dev)
2053{ 2016{
@@ -2062,6 +2025,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
2062 init_waitqueue_head(&sfp->read_wait); 2025 init_waitqueue_head(&sfp->read_wait);
2063 rwlock_init(&sfp->rq_list_lock); 2026 rwlock_init(&sfp->rq_list_lock);
2064 2027
2028 kref_init(&sfp->f_ref);
2065 sfp->timeout = SG_DEFAULT_TIMEOUT; 2029 sfp->timeout = SG_DEFAULT_TIMEOUT;
2066 sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER; 2030 sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
2067 sfp->force_packid = SG_DEF_FORCE_PACK_ID; 2031 sfp->force_packid = SG_DEF_FORCE_PACK_ID;
@@ -2089,15 +2053,54 @@ sg_add_sfp(Sg_device * sdp, int dev)
2089 sg_build_reserve(sfp, bufflen); 2053 sg_build_reserve(sfp, bufflen);
2090 SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n", 2054 SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n",
2091 sfp->reserve.bufflen, sfp->reserve.k_use_sg)); 2055 sfp->reserve.bufflen, sfp->reserve.k_use_sg));
2056
2057 kref_get(&sdp->d_ref);
2058 __module_get(THIS_MODULE);
2092 return sfp; 2059 return sfp;
2093} 2060}
2094 2061
2095static void 2062static void sg_remove_sfp_usercontext(struct work_struct *work)
2096__sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp) 2063{
2064 struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
2065 struct sg_device *sdp = sfp->parentdp;
2066
2067 /* Cleanup any responses which were never read(). */
2068 while (sfp->headrp)
2069 sg_finish_rem_req(sfp->headrp);
2070
2071 if (sfp->reserve.bufflen > 0) {
2072 SCSI_LOG_TIMEOUT(6,
2073 printk("sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
2074 (int) sfp->reserve.bufflen,
2075 (int) sfp->reserve.k_use_sg));
2076 sg_remove_scat(&sfp->reserve);
2077 }
2078
2079 SCSI_LOG_TIMEOUT(6,
2080 printk("sg_remove_sfp: %s, sfp=0x%p\n",
2081 sdp->disk->disk_name,
2082 sfp));
2083 kfree(sfp);
2084
2085 scsi_device_put(sdp->device);
2086 sg_put_dev(sdp);
2087 module_put(THIS_MODULE);
2088}
2089
2090static void sg_remove_sfp(struct kref *kref)
2097{ 2091{
2092 struct sg_fd *sfp = container_of(kref, struct sg_fd, f_ref);
2093 struct sg_device *sdp = sfp->parentdp;
2098 Sg_fd *fp; 2094 Sg_fd *fp;
2099 Sg_fd *prev_fp; 2095 Sg_fd *prev_fp;
2096 unsigned long iflags;
2097
2098 /* CAUTION! Note that sfp can still be found by walking sdp->headfp
2099 * even though the refcount is now 0. Therefore, unlink sfp from
2100 * sdp->headfp BEFORE doing any other cleanup.
2101 */
2100 2102
2103 write_lock_irqsave(&sg_index_lock, iflags);
2101 prev_fp = sdp->headfp; 2104 prev_fp = sdp->headfp;
2102 if (sfp == prev_fp) 2105 if (sfp == prev_fp)
2103 sdp->headfp = prev_fp->nextfp; 2106 sdp->headfp = prev_fp->nextfp;
@@ -2110,54 +2113,10 @@ __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
2110 prev_fp = fp; 2113 prev_fp = fp;
2111 } 2114 }
2112 } 2115 }
2113 if (sfp->reserve.bufflen > 0) { 2116 write_unlock_irqrestore(&sg_index_lock, iflags);
2114 SCSI_LOG_TIMEOUT(6, 2117 wake_up_interruptible(&sdp->o_excl_wait);
2115 printk("__sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
2116 (int) sfp->reserve.bufflen, (int) sfp->reserve.k_use_sg));
2117 sg_remove_scat(&sfp->reserve);
2118 }
2119 sfp->parentdp = NULL;
2120 SCSI_LOG_TIMEOUT(6, printk("__sg_remove_sfp: sfp=0x%p\n", sfp));
2121 kfree(sfp);
2122}
2123
2124/* Returns 0 in normal case, 1 when detached and sdp object removed */
2125static int
2126sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
2127{
2128 Sg_request *srp;
2129 Sg_request *tsrp;
2130 int dirty = 0;
2131 int res = 0;
2132
2133 for (srp = sfp->headrp; srp; srp = tsrp) {
2134 tsrp = srp->nextrp;
2135 if (sg_srp_done(srp, sfp))
2136 sg_finish_rem_req(srp);
2137 else
2138 ++dirty;
2139 }
2140 if (0 == dirty) {
2141 unsigned long iflags;
2142 2118
2143 write_lock_irqsave(&sg_index_lock, iflags); 2119 execute_in_process_context(sg_remove_sfp_usercontext, &sfp->ew);
2144 __sg_remove_sfp(sdp, sfp);
2145 if (sdp->detached && (NULL == sdp->headfp)) {
2146 idr_remove(&sg_index_idr, sdp->index);
2147 kfree(sdp);
2148 res = 1;
2149 }
2150 write_unlock_irqrestore(&sg_index_lock, iflags);
2151 } else {
2152 /* MOD_INC's to inhibit unloading sg and associated adapter driver */
2153 /* only bump the access_count if we actually succeeded in
2154 * throwing another counter on the host module */
2155 scsi_device_get(sdp->device); /* XXX: retval ignored? */
2156 sfp->closed = 1; /* flag dirty state on this fd */
2157 SCSI_LOG_TIMEOUT(1, printk("sg_remove_sfp: worrisome, %d writes pending\n",
2158 dirty));
2159 }
2160 return res;
2161} 2120}
2162 2121
2163static int 2122static int
@@ -2199,19 +2158,38 @@ sg_last_dev(void)
2199} 2158}
2200#endif 2159#endif
2201 2160
2202static Sg_device * 2161/* must be called with sg_index_lock held */
2203sg_get_dev(int dev) 2162static Sg_device *sg_lookup_dev(int dev)
2204{ 2163{
2205 Sg_device *sdp; 2164 return idr_find(&sg_index_idr, dev);
2206 unsigned long iflags; 2165}
2207 2166
2208 read_lock_irqsave(&sg_index_lock, iflags); 2167static Sg_device *sg_get_dev(int dev)
2209 sdp = idr_find(&sg_index_idr, dev); 2168{
2210 read_unlock_irqrestore(&sg_index_lock, iflags); 2169 struct sg_device *sdp;
2170 unsigned long flags;
2171
2172 read_lock_irqsave(&sg_index_lock, flags);
2173 sdp = sg_lookup_dev(dev);
2174 if (!sdp)
2175 sdp = ERR_PTR(-ENXIO);
2176 else if (sdp->detached) {
2177 /* If sdp->detached, then the refcount may already be 0, in
2178 * which case it would be a bug to do kref_get().
2179 */
2180 sdp = ERR_PTR(-ENODEV);
2181 } else
2182 kref_get(&sdp->d_ref);
2183 read_unlock_irqrestore(&sg_index_lock, flags);
2211 2184
2212 return sdp; 2185 return sdp;
2213} 2186}
2214 2187
2188static void sg_put_dev(struct sg_device *sdp)
2189{
2190 kref_put(&sdp->d_ref, sg_device_destroy);
2191}
2192
2215#ifdef CONFIG_SCSI_PROC_FS 2193#ifdef CONFIG_SCSI_PROC_FS
2216 2194
2217static struct proc_dir_entry *sg_proc_sgp = NULL; 2195static struct proc_dir_entry *sg_proc_sgp = NULL;
@@ -2468,8 +2446,10 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
2468 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; 2446 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2469 Sg_device *sdp; 2447 Sg_device *sdp;
2470 struct scsi_device *scsidp; 2448 struct scsi_device *scsidp;
2449 unsigned long iflags;
2471 2450
2472 sdp = it ? sg_get_dev(it->index) : NULL; 2451 read_lock_irqsave(&sg_index_lock, iflags);
2452 sdp = it ? sg_lookup_dev(it->index) : NULL;
2473 if (sdp && (scsidp = sdp->device) && (!sdp->detached)) 2453 if (sdp && (scsidp = sdp->device) && (!sdp->detached))
2474 seq_printf(s, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", 2454 seq_printf(s, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
2475 scsidp->host->host_no, scsidp->channel, 2455 scsidp->host->host_no, scsidp->channel,
@@ -2480,6 +2460,7 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
2480 (int) scsi_device_online(scsidp)); 2460 (int) scsi_device_online(scsidp));
2481 else 2461 else
2482 seq_printf(s, "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n"); 2462 seq_printf(s, "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n");
2463 read_unlock_irqrestore(&sg_index_lock, iflags);
2483 return 0; 2464 return 0;
2484} 2465}
2485 2466
@@ -2493,16 +2474,20 @@ static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v)
2493 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; 2474 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2494 Sg_device *sdp; 2475 Sg_device *sdp;
2495 struct scsi_device *scsidp; 2476 struct scsi_device *scsidp;
2477 unsigned long iflags;
2496 2478
2497 sdp = it ? sg_get_dev(it->index) : NULL; 2479 read_lock_irqsave(&sg_index_lock, iflags);
2480 sdp = it ? sg_lookup_dev(it->index) : NULL;
2498 if (sdp && (scsidp = sdp->device) && (!sdp->detached)) 2481 if (sdp && (scsidp = sdp->device) && (!sdp->detached))
2499 seq_printf(s, "%8.8s\t%16.16s\t%4.4s\n", 2482 seq_printf(s, "%8.8s\t%16.16s\t%4.4s\n",
2500 scsidp->vendor, scsidp->model, scsidp->rev); 2483 scsidp->vendor, scsidp->model, scsidp->rev);
2501 else 2484 else
2502 seq_printf(s, "<no active device>\n"); 2485 seq_printf(s, "<no active device>\n");
2486 read_unlock_irqrestore(&sg_index_lock, iflags);
2503 return 0; 2487 return 0;
2504} 2488}
2505 2489
2490/* must be called while holding sg_index_lock */
2506static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) 2491static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
2507{ 2492{
2508 int k, m, new_interface, blen, usg; 2493 int k, m, new_interface, blen, usg;
@@ -2512,7 +2497,8 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
2512 const char * cp; 2497 const char * cp;
2513 unsigned int ms; 2498 unsigned int ms;
2514 2499
2515 for (k = 0; (fp = sg_get_nth_sfp(sdp, k)); ++k) { 2500 for (k = 0, fp = sdp->headfp; fp != NULL; ++k, fp = fp->nextfp) {
2501 read_lock(&fp->rq_list_lock); /* irqs already disabled */
2516 seq_printf(s, " FD(%d): timeout=%dms bufflen=%d " 2502 seq_printf(s, " FD(%d): timeout=%dms bufflen=%d "
2517 "(res)sgat=%d low_dma=%d\n", k + 1, 2503 "(res)sgat=%d low_dma=%d\n", k + 1,
2518 jiffies_to_msecs(fp->timeout), 2504 jiffies_to_msecs(fp->timeout),
@@ -2522,7 +2508,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
2522 seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=%d\n", 2508 seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=%d\n",
2523 (int) fp->cmd_q, (int) fp->force_packid, 2509 (int) fp->cmd_q, (int) fp->force_packid,
2524 (int) fp->keep_orphan, (int) fp->closed); 2510 (int) fp->keep_orphan, (int) fp->closed);
2525 for (m = 0; (srp = sg_get_nth_request(fp, m)); ++m) { 2511 for (m = 0, srp = fp->headrp;
2512 srp != NULL;
2513 ++m, srp = srp->nextrp) {
2526 hp = &srp->header; 2514 hp = &srp->header;
2527 new_interface = (hp->interface_id == '\0') ? 0 : 1; 2515 new_interface = (hp->interface_id == '\0') ? 0 : 1;
2528 if (srp->res_used) { 2516 if (srp->res_used) {
@@ -2559,6 +2547,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
2559 } 2547 }
2560 if (0 == m) 2548 if (0 == m)
2561 seq_printf(s, " No requests active\n"); 2549 seq_printf(s, " No requests active\n");
2550 read_unlock(&fp->rq_list_lock);
2562 } 2551 }
2563} 2552}
2564 2553
@@ -2571,39 +2560,34 @@ static int sg_proc_seq_show_debug(struct seq_file *s, void *v)
2571{ 2560{
2572 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; 2561 struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
2573 Sg_device *sdp; 2562 Sg_device *sdp;
2563 unsigned long iflags;
2574 2564
2575 if (it && (0 == it->index)) { 2565 if (it && (0 == it->index)) {
2576 seq_printf(s, "max_active_device=%d(origin 1)\n", 2566 seq_printf(s, "max_active_device=%d(origin 1)\n",
2577 (int)it->max); 2567 (int)it->max);
2578 seq_printf(s, " def_reserved_size=%d\n", sg_big_buff); 2568 seq_printf(s, " def_reserved_size=%d\n", sg_big_buff);
2579 } 2569 }
2580 sdp = it ? sg_get_dev(it->index) : NULL;
2581 if (sdp) {
2582 struct scsi_device *scsidp = sdp->device;
2583 2570
2584 if (NULL == scsidp) { 2571 read_lock_irqsave(&sg_index_lock, iflags);
2585 seq_printf(s, "device %d detached ??\n", 2572 sdp = it ? sg_lookup_dev(it->index) : NULL;
2586 (int)it->index); 2573 if (sdp && sdp->headfp) {
2587 return 0; 2574 struct scsi_device *scsidp = sdp->device;
2588 }
2589 2575
2590 if (sg_get_nth_sfp(sdp, 0)) { 2576 seq_printf(s, " >>> device=%s ", sdp->disk->disk_name);
2591 seq_printf(s, " >>> device=%s ", 2577 if (sdp->detached)
2592 sdp->disk->disk_name); 2578 seq_printf(s, "detached pending close ");
2593 if (sdp->detached) 2579 else
2594 seq_printf(s, "detached pending close "); 2580 seq_printf
2595 else 2581 (s, "scsi%d chan=%d id=%d lun=%d em=%d",
2596 seq_printf 2582 scsidp->host->host_no,
2597 (s, "scsi%d chan=%d id=%d lun=%d em=%d", 2583 scsidp->channel, scsidp->id,
2598 scsidp->host->host_no, 2584 scsidp->lun,
2599 scsidp->channel, scsidp->id, 2585 scsidp->host->hostt->emulated);
2600 scsidp->lun, 2586 seq_printf(s, " sg_tablesize=%d excl=%d\n",
2601 scsidp->host->hostt->emulated); 2587 sdp->sg_tablesize, sdp->exclude);
2602 seq_printf(s, " sg_tablesize=%d excl=%d\n",
2603 sdp->sg_tablesize, sdp->exclude);
2604 }
2605 sg_proc_debug_helper(s, sdp); 2588 sg_proc_debug_helper(s, sdp);
2606 } 2589 }
2590 read_unlock_irqrestore(&sg_index_lock, iflags);
2607 return 0; 2591 return 0;
2608} 2592}
2609 2593
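Review bot: The two WARN_ON early returns at the top of the new sg_rq_end_io (`if (WARN_ON(srp->done != 0)) return;` and `if (WARN_ON(sfp == NULL)) return;`) skip the `kref_put(&sfp->f_ref, sg_remove_sfp)` at the end of the function, so the f_ref taken in sg_common_write (`kref_get(&sfp->f_ref); /* sg_rq_end_io() does kref_put(). */`) is never dropped on those paths. Because sg_remove_sfp_usercontext is what releases the scsi_device, the sg_device kref and the module reference, a completion that trips either check pins the fd, the device and the sg module until reboot, which defeats the rmmod/removal fix this commit is making. If that is intended as containment for a double completion (dropping the ref there could reach a double free), the intent deserves a comment such as `/* deliberately leak f_ref: a double completion means srp/sfp state is unreliable */`; otherwise the srp->done check can run after `sfp = srp->parentfp` and do the put before returning. The middle of sg_rq_end_io (sense/result handling) is outside the shown hunks, so I have not confirmed there are no other early exits between the kref_get and the kref_put.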