diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-08-11 11:52:08 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-10-16 23:59:55 +0200 |
commit | 261b5f664c6c68c5209656a71c41823eda0d938b (patch) | |
tree | 52045ab3beb1564b248a8389c241ac825b14c1bd | |
parent | c4f3d41fed11c9050aa93bbaeed9f7f06bcc93ba (diff) | |
download | op-kernel-dev-261b5f664c6c68c5209656a71c41823eda0d938b.zip op-kernel-dev-261b5f664c6c68c5209656a71c41823eda0d938b.tar.gz |
ieee1394: sbp2: fix unsafe iteration over list of devices
sbp2_host_reset and sbp2_handle_status_write are not serialized against
sbp2_alloc_device and sbp2_remove_device.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-rw-r--r-- | drivers/ieee1394/sbp2.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c index a81ba8f..1b353b9 100644 --- a/drivers/ieee1394/sbp2.c +++ b/drivers/ieee1394/sbp2.c @@ -242,6 +242,8 @@ static int sbp2_max_speed_and_size(struct sbp2_lu *); static const u8 sbp2_speedto_max_payload[] = { 0x7, 0x8, 0x9, 0xA, 0xB, 0xC }; +static DEFINE_RWLOCK(sbp2_hi_logical_units_lock); + static struct hpsb_highlevel sbp2_highlevel = { .name = SBP2_DEVICE_NAME, .host_reset = sbp2_host_reset, @@ -732,6 +734,7 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud) struct sbp2_fwhost_info *hi; struct Scsi_Host *shost = NULL; struct sbp2_lu *lu = NULL; + unsigned long flags; lu = kzalloc(sizeof(*lu), GFP_KERNEL); if (!lu) { @@ -784,7 +787,9 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud) lu->hi = hi; + write_lock_irqsave(&sbp2_hi_logical_units_lock, flags); list_add_tail(&lu->lu_list, &hi->logical_units); + write_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags); /* Register the status FIFO address range. We could use the same FIFO * for targets at different nodes. However we need different FIFOs per @@ -828,16 +833,20 @@ static void sbp2_host_reset(struct hpsb_host *host) { struct sbp2_fwhost_info *hi; struct sbp2_lu *lu; + unsigned long flags; hi = hpsb_get_hostinfo(&sbp2_highlevel, host); if (!hi) return; + + read_lock_irqsave(&sbp2_hi_logical_units_lock, flags); list_for_each_entry(lu, &hi->logical_units, lu_list) if (likely(atomic_read(&lu->state) != SBP2LU_STATE_IN_SHUTDOWN)) { atomic_set(&lu->state, SBP2LU_STATE_IN_RESET); scsi_block_requests(lu->shost); } + read_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags); } static int sbp2_start_device(struct sbp2_lu *lu) @@ -919,6 +928,7 @@ alloc_fail: static void sbp2_remove_device(struct sbp2_lu *lu) { struct sbp2_fwhost_info *hi; + unsigned long flags; if (!lu) return; @@ -933,7 +943,9 @@ static void sbp2_remove_device(struct sbp2_lu *lu) flush_scheduled_work(); sbp2util_remove_command_orb_pool(lu, hi->host); + write_lock_irqsave(&sbp2_hi_logical_units_lock, flags); list_del(&lu->lu_list); + write_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags); if (lu->login_response) dma_free_coherent(hi->host->device.parent, @@ -1707,6 +1719,7 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid, } /* Find the unit which wrote the status. */ + read_lock_irqsave(&sbp2_hi_logical_units_lock, flags); list_for_each_entry(lu_tmp, &hi->logical_units, lu_list) { if (lu_tmp->ne->nodeid == nodeid && lu_tmp->status_fifo_addr == addr) { @@ -1714,6 +1727,8 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid, break; } } + read_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags); + if (unlikely(!lu)) { SBP2_ERR("lu is NULL - device is gone?"); return RCODE_ADDRESS_ERROR; |