lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[SCSI] sg: fix races during device removal

Browse Source 
sg has the following problems related to device removal:

* opening a sg fd races with removing a device
* closing a sg fd races with removing a device
* /proc/scsi/sg/* access races with removing a device
* command completion races with removing a device
* command completion races with closing a sg fd
* can rmmod sg with active commands

These problems can cause kernel oopses, memory-use-after-free, or
double-free errors.  This patch fixes these problems by using krefs
to manage the lifetime of sg_device and sg_fd.

Each command submitted to the midlevel holds a reference to sg_fd
until the completion callback.  This ensures that sg_fd doesn't go
away if the fd is closed with commands still outstanding.

sg_fd gets the reference of sg_device (with scsi_device) and also
makes sure that the sg module doesn't go away.

/proc/scsi/sg/* functions don't play nicely with krefs because they
give information about sg_fds which have been closed but not yet
freed due to still having outstanding commands and sg_devices which
have been removed but not yet freed due to still being referenced
by one or more sg_fds.  To deal with this safely without removing
functionality, /proc functions now access sg_device and sg_fd while
holding a lock instead of using kref_get()/kref_put().

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
Tony Battersby
2009-01-21 14:45:50 -05:00
committed by James Bottomley
parent bd5cd9cdc5
commit c6517b7942
1 changed files with 201 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

418
drivers/scsi/sg.c
View File

@@ -101,6 +101,7 @@ static int scatter_elem_sz_prev = SG_SCATTER_SZ;
#define SG_SECTOR_MSK (SG_SECTOR_SZ - 1) #define SG_SECTOR_MSK (SG_SECTOR_SZ - 1)
static int sg_add(struct device *, struct class_interface *); static int sg_add(struct device *, struct class_interface *);
static void sg_device_destroy(struct kref *kref);
static void sg_remove(struct device *, struct class_interface *); static void sg_remove(struct device *, struct class_interface *);
static DEFINE_IDR(sg_index_idr); static DEFINE_IDR(sg_index_idr);
@@ -158,6 +159,8 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */ char next_cmd_len; /* 0 -> automatic (def), >0 -> use on next write() */
char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */ char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
char mmap_called; /* 0 -> mmap() never called on this fd */ char mmap_called; /* 0 -> mmap() never called on this fd */
struct kref f_ref;
struct execute_work ew;
} Sg_fd; } Sg_fd;
typedef struct sg_device { /* holds the state of each scsi generic device */ typedef struct sg_device { /* holds the state of each scsi generic device */
@@ -171,6 +174,7 @@ typedef struct sg_device { /* holds the state of each scsi generic device */
char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */ char sgdebug; /* 0->off, 1->sense, 9->dump dev, 10-> all devs */
struct gendisk *disk; struct gendisk *disk;
struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */ struct cdev * cdev; /* char_dev [sysfs: /sys/cdev/major/sg<n>] */
struct kref d_ref;
} Sg_device; } Sg_device;
static int sg_fasync(int fd, struct file *filp, int mode); static int sg_fasync(int fd, struct file *filp, int mode);
@@ -194,13 +198,14 @@ static void sg_build_reserve(Sg_fd * sfp, int req_size);
static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size); static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size);
static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp); static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
static Sg_fd *sg_add_sfp(Sg_device * sdp, int dev); static Sg_fd *sg_add_sfp(Sg_device * sdp, int dev);
static int sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp); static void sg_remove_sfp(struct kref *);
static void __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp);
static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id); static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
static Sg_request *sg_add_request(Sg_fd * sfp); static Sg_request *sg_add_request(Sg_fd * sfp);
static int sg_remove_request(Sg_fd * sfp, Sg_request * srp); static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
static int sg_res_in_use(Sg_fd * sfp); static int sg_res_in_use(Sg_fd * sfp);
static Sg_device *sg_lookup_dev(int dev);
static Sg_device *sg_get_dev(int dev); static Sg_device *sg_get_dev(int dev);
static void sg_put_dev(Sg_device *sdp);
#ifdef CONFIG_SCSI_PROC_FS #ifdef CONFIG_SCSI_PROC_FS
static int sg_last_dev(void); static int sg_last_dev(void);
#endif #endif
@@ -237,22 +242,17 @@ sg_open(struct inode *inode, struct file *filp)
nonseekable_open(inode, filp); nonseekable_open(inode, filp);
SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags)); SCSI_LOG_TIMEOUT(3, printk("sg_open: dev=%d, flags=0x%x\n", dev, flags));
sdp = sg_get_dev(dev); sdp = sg_get_dev(dev);
if ((!sdp) || (!sdp->device)) { if (IS_ERR(sdp)) {
unlock_kernel(); retval = PTR_ERR(sdp);
return -ENXIO; sdp = NULL;
} goto sg_put;
if (sdp->detached) {
unlock_kernel();
return -ENODEV;
} }
/* This driver's module count bumped by fops_get in <linux/fs.h> */ /* This driver's module count bumped by fops_get in <linux/fs.h> */
/* Prevent the device driver from vanishing while we sleep */ /* Prevent the device driver from vanishing while we sleep */
retval = scsi_device_get(sdp->device); retval = scsi_device_get(sdp->device);
if (retval) { if (retval)
unlock_kernel(); goto sg_put;
return retval;
}
if (!((flags & O_NONBLOCK) || if (!((flags & O_NONBLOCK) ||
scsi_block_when_processing_errors(sdp->device))) { scsi_block_when_processing_errors(sdp->device))) {
@@ -303,16 +303,20 @@ sg_open(struct inode *inode, struct file *filp)
if ((sfp = sg_add_sfp(sdp, dev))) if ((sfp = sg_add_sfp(sdp, dev)))
filp->private_data = sfp; filp->private_data = sfp;
else { else {
if (flags & O_EXCL) if (flags & O_EXCL) {
sdp->exclude = 0; /* undo if error */ sdp->exclude = 0; /* undo if error */
wake_up_interruptible(&sdp->o_excl_wait);
}
retval = -ENOMEM; retval = -ENOMEM;
goto error_out; goto error_out;
} }
unlock_kernel(); retval = 0;
return 0; error_out:
if (retval)
error_out: scsi_device_put(sdp->device);
scsi_device_put(sdp->device); sg_put:
if (sdp)
sg_put_dev(sdp);
unlock_kernel(); unlock_kernel();
return retval; return retval;
} }
@@ -327,13 +331,13 @@ sg_release(struct inode *inode, struct file *filp)
if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
return -ENXIO; return -ENXIO;
SCSI_LOG_TIMEOUT(3, printk("sg_release: %s\n", sdp->disk->disk_name)); SCSI_LOG_TIMEOUT(3, printk("sg_release: %s\n", sdp->disk->disk_name));
if (0 == sg_remove_sfp(sdp, sfp)) { /* Returns 1 when sdp gone */
if (!sdp->detached) { sfp->closed = 1;
scsi_device_put(sdp->device);
} sdp->exclude = 0;
sdp->exclude = 0; wake_up_interruptible(&sdp->o_excl_wait);
wake_up_interruptible(&sdp->o_excl_wait);
} kref_put(&sfp->f_ref, sg_remove_sfp);
return 0; return 0;
} }
@@ -755,6 +759,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
hp->duration = jiffies_to_msecs(jiffies); hp->duration = jiffies_to_msecs(jiffies);
srp->rq->timeout = timeout; srp->rq->timeout = timeout;
kref_get(&sfp->f_ref); /* sg_rq_end_io() does kref_put(). */
blk_execute_rq_nowait(sdp->device->request_queue, sdp->disk, blk_execute_rq_nowait(sdp->device->request_queue, sdp->disk,
srp->rq, 1, sg_rq_end_io); srp->rq, 1, sg_rq_end_io);
return 0; return 0;
@@ -1247,24 +1252,23 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
static void sg_rq_end_io(struct request *rq, int uptodate) static void sg_rq_end_io(struct request *rq, int uptodate)
{ {
struct sg_request *srp = rq->end_io_data; struct sg_request *srp = rq->end_io_data;
Sg_device *sdp = NULL; Sg_device *sdp;
Sg_fd *sfp; Sg_fd *sfp;
unsigned long iflags; unsigned long iflags;
unsigned int ms; unsigned int ms;
char *sense; char *sense;
int result, resid; int result, resid, done = 1;
if (NULL == srp) { if (WARN_ON(srp->done != 0))
printk(KERN_ERR "sg_cmd_done: NULL request\n");
return; return;
}
sfp = srp->parentfp; sfp = srp->parentfp;
if (sfp) if (WARN_ON(sfp == NULL))
sdp = sfp->parentdp;
if ((NULL == sdp) || sdp->detached) {
printk(KERN_INFO "sg_cmd_done: device detached\n");
return; return;
}
sdp = sfp->parentdp;
if (unlikely(sdp->detached))
printk(KERN_INFO "sg_rq_end_io: device detached\n");
sense = rq->sense; sense = rq->sense;
result = rq->errors; result = rq->errors;
@@ -1303,33 +1307,26 @@ static void sg_rq_end_io(struct request *rq, int uptodate)
} }
/* Rely on write phase to clean out srp status values, so no "else" */ /* Rely on write phase to clean out srp status values, so no "else" */
if (sfp->closed) { /* whoops this fd already released, cleanup */ write_lock_irqsave(&sfp->rq_list_lock, iflags);
SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, freeing ...\n")); if (unlikely(srp->orphan)) {
sg_finish_rem_req(srp);
srp = NULL;
if (NULL == sfp->headrp) {
SCSI_LOG_TIMEOUT(1, printk("sg_cmd_done: already closed, final cleanup\n"));
if (0 == sg_remove_sfp(sdp, sfp)) { /* device still present */
scsi_device_put(sdp->device);
}
sfp = NULL;
}
} else if (srp && srp->orphan) {
if (sfp->keep_orphan) if (sfp->keep_orphan)
srp->sg_io_owned = 0; srp->sg_io_owned = 0;
else { else
sg_finish_rem_req(srp); done = 0;
srp = NULL;
}
} }
if (sfp && srp) { srp->done = done;
/* Now wake up any sg_read() that is waiting for this packet. */ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
write_lock_irqsave(&sfp->rq_list_lock, iflags); if (likely(done)) {
srp->done = 1; /* Now wake up any sg_read() that is waiting for this
* packet.
*/
wake_up_interruptible(&sfp->read_wait); wake_up_interruptible(&sfp->read_wait);
write_unlock_irqrestore(&sfp->rq_list_lock, iflags); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
} } else
sg_finish_rem_req(srp); /* call with srp->done == 0 */
kref_put(&sfp->f_ref, sg_remove_sfp);
} }
static struct file_operations sg_fops = { static struct file_operations sg_fops = {
@@ -1364,17 +1361,18 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
printk(KERN_WARNING "kmalloc Sg_device failure\n"); printk(KERN_WARNING "kmalloc Sg_device failure\n");
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
} }
error = -ENOMEM;
if (!idr_pre_get(&sg_index_idr, GFP_KERNEL)) { if (!idr_pre_get(&sg_index_idr, GFP_KERNEL)) {
printk(KERN_WARNING "idr expansion Sg_device failure\n"); printk(KERN_WARNING "idr expansion Sg_device failure\n");
error = -ENOMEM;
goto out; goto out;
} }
write_lock_irqsave(&sg_index_lock, iflags); write_lock_irqsave(&sg_index_lock, iflags);
error = idr_get_new(&sg_index_idr, sdp, &k);
write_unlock_irqrestore(&sg_index_lock, iflags);
error = idr_get_new(&sg_index_idr, sdp, &k);
if (error) { if (error) {
write_unlock_irqrestore(&sg_index_lock, iflags);
printk(KERN_WARNING "idr allocation Sg_device failure: %d\n", printk(KERN_WARNING "idr allocation Sg_device failure: %d\n",
error); error);
goto out; goto out;
@@ -1391,6 +1389,9 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
init_waitqueue_head(&sdp->o_excl_wait); init_waitqueue_head(&sdp->o_excl_wait);
sdp->sg_tablesize = min(q->max_hw_segments, q->max_phys_segments); sdp->sg_tablesize = min(q->max_hw_segments, q->max_phys_segments);
sdp->index = k; sdp->index = k;
kref_init(&sdp->d_ref);
write_unlock_irqrestore(&sg_index_lock, iflags);
error = 0; error = 0;
out: out:
@@ -1401,6 +1402,8 @@ static Sg_device *sg_alloc(struct gendisk *disk, struct scsi_device *scsidp)
return sdp; return sdp;
overflow: overflow:
idr_remove(&sg_index_idr, k);
write_unlock_irqrestore(&sg_index_lock, iflags);
sdev_printk(KERN_WARNING, scsidp, sdev_printk(KERN_WARNING, scsidp,
"Unable to attach sg device type=%d, minor " "Unable to attach sg device type=%d, minor "
"number exceeds %d\n", scsidp->type, SG_MAX_DEVS - 1); "number exceeds %d\n", scsidp->type, SG_MAX_DEVS - 1);
@@ -1488,49 +1491,46 @@ out:
return error; return error;
} }
static void static void sg_device_destroy(struct kref *kref)
sg_remove(struct device *cl_dev, struct class_interface *cl_intf) {
struct sg_device *sdp = container_of(kref, struct sg_device, d_ref);
unsigned long flags;
/* CAUTION! Note that the device can still be found via idr_find()
* even though the refcount is 0. Therefore, do idr_remove() BEFORE
* any other cleanup.
*/
write_lock_irqsave(&sg_index_lock, flags);
idr_remove(&sg_index_idr, sdp->index);
write_unlock_irqrestore(&sg_index_lock, flags);
SCSI_LOG_TIMEOUT(3,
printk("sg_device_destroy: %s\n",
sdp->disk->disk_name));
put_disk(sdp->disk);
kfree(sdp);
}
static void sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
{ {
struct scsi_device *scsidp = to_scsi_device(cl_dev->parent); struct scsi_device *scsidp = to_scsi_device(cl_dev->parent);
Sg_device *sdp = dev_get_drvdata(cl_dev); Sg_device *sdp = dev_get_drvdata(cl_dev);
unsigned long iflags; unsigned long iflags;
Sg_fd *sfp; Sg_fd *sfp;
Sg_fd *tsfp;
Sg_request *srp;
Sg_request *tsrp;
int delay;
if (!sdp) if (!sdp || sdp->detached)
return; return;
delay = 0; SCSI_LOG_TIMEOUT(3, printk("sg_remove: %s\n", sdp->disk->disk_name));
/* Need a write lock to set sdp->detached. */
write_lock_irqsave(&sg_index_lock, iflags); write_lock_irqsave(&sg_index_lock, iflags);
if (sdp->headfp) { sdp->detached = 1;
sdp->detached = 1; for (sfp = sdp->headfp; sfp; sfp = sfp->nextfp) {
for (sfp = sdp->headfp; sfp; sfp = tsfp) { wake_up_interruptible(&sfp->read_wait);
tsfp = sfp->nextfp; kill_fasync(&sfp->async_qp, SIGPOLL, POLL_HUP);
for (srp = sfp->headrp; srp; srp = tsrp) {
tsrp = srp->nextrp;
if (sfp->closed || (0 == sg_srp_done(srp, sfp)))
sg_finish_rem_req(srp);
}
if (sfp->closed) {
scsi_device_put(sdp->device);
__sg_remove_sfp(sdp, sfp);
} else {
delay = 1;
wake_up_interruptible(&sfp->read_wait);
kill_fasync(&sfp->async_qp, SIGPOLL,
POLL_HUP);
}
}
SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d, dirty\n", sdp->index));
if (NULL == sdp->headfp) {
idr_remove(&sg_index_idr, sdp->index);
}
} else { /* nothing active, simple case */
SCSI_LOG_TIMEOUT(3, printk("sg_remove: dev=%d\n", sdp->index));
idr_remove(&sg_index_idr, sdp->index);
} }
write_unlock_irqrestore(&sg_index_lock, iflags); write_unlock_irqrestore(&sg_index_lock, iflags);
@@ -1538,13 +1538,8 @@ sg_remove(struct device *cl_dev, struct class_interface *cl_intf)
device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index)); device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
cdev_del(sdp->cdev); cdev_del(sdp->cdev);
sdp->cdev = NULL; sdp->cdev = NULL;
put_disk(sdp->disk);
sdp->disk = NULL;
if (NULL == sdp->headfp)
kfree(sdp);
if (delay) sg_put_dev(sdp);
msleep(10); /* dirty detach so delay device destruction */
} }
module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR); module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
@@ -1941,22 +1936,6 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
return resp; return resp;
} }
#ifdef CONFIG_SCSI_PROC_FS
static Sg_request *
sg_get_nth_request(Sg_fd * sfp, int nth)
{
Sg_request *resp;
unsigned long iflags;
int k;
read_lock_irqsave(&sfp->rq_list_lock, iflags);
for (k = 0, resp = sfp->headrp; resp && (k < nth);
++k, resp = resp->nextrp) ;
read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
return resp;
}
#endif
/* always adds to end of list */ /* always adds to end of list */
static Sg_request * static Sg_request *
sg_add_request(Sg_fd * sfp) sg_add_request(Sg_fd * sfp)
@@ -2032,22 +2011,6 @@ sg_remove_request(Sg_fd * sfp, Sg_request * srp)
return res; return res;
} }
#ifdef CONFIG_SCSI_PROC_FS
static Sg_fd *
sg_get_nth_sfp(Sg_device * sdp, int nth)
{
Sg_fd *resp;
unsigned long iflags;
int k;
read_lock_irqsave(&sg_index_lock, iflags);
for (k = 0, resp = sdp->headfp; resp && (k < nth);
++k, resp = resp->nextfp) ;
read_unlock_irqrestore(&sg_index_lock, iflags);
return resp;
}
#endif
static Sg_fd * static Sg_fd *
sg_add_sfp(Sg_device * sdp, int dev) sg_add_sfp(Sg_device * sdp, int dev)
{ {
@@ -2062,6 +2025,7 @@ sg_add_sfp(Sg_device * sdp, int dev)
init_waitqueue_head(&sfp->read_wait); init_waitqueue_head(&sfp->read_wait);
rwlock_init(&sfp->rq_list_lock); rwlock_init(&sfp->rq_list_lock);
kref_init(&sfp->f_ref);
sfp->timeout = SG_DEFAULT_TIMEOUT; sfp->timeout = SG_DEFAULT_TIMEOUT;
sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER; sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
sfp->force_packid = SG_DEF_FORCE_PACK_ID; sfp->force_packid = SG_DEF_FORCE_PACK_ID;
@@ -2089,15 +2053,54 @@ sg_add_sfp(Sg_device * sdp, int dev)
sg_build_reserve(sfp, bufflen); sg_build_reserve(sfp, bufflen);
SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n", SCSI_LOG_TIMEOUT(3, printk("sg_add_sfp: bufflen=%d, k_use_sg=%d\n",
sfp->reserve.bufflen, sfp->reserve.k_use_sg)); sfp->reserve.bufflen, sfp->reserve.k_use_sg));
kref_get(&sdp->d_ref);
__module_get(THIS_MODULE);
return sfp; return sfp;
} }
static void static void sg_remove_sfp_usercontext(struct work_struct *work)
__sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
{ {
struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
struct sg_device *sdp = sfp->parentdp;
/* Cleanup any responses which were never read(). */
while (sfp->headrp)
sg_finish_rem_req(sfp->headrp);
if (sfp->reserve.bufflen > 0) {
SCSI_LOG_TIMEOUT(6,
printk("sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
(int) sfp->reserve.bufflen,
(int) sfp->reserve.k_use_sg));
sg_remove_scat(&sfp->reserve);
}
SCSI_LOG_TIMEOUT(6,
printk("sg_remove_sfp: %s, sfp=0x%p\n",
sdp->disk->disk_name,
sfp));
kfree(sfp);
scsi_device_put(sdp->device);
sg_put_dev(sdp);
module_put(THIS_MODULE);
}
static void sg_remove_sfp(struct kref *kref)
{
struct sg_fd *sfp = container_of(kref, struct sg_fd, f_ref);
struct sg_device *sdp = sfp->parentdp;
Sg_fd *fp; Sg_fd *fp;
Sg_fd *prev_fp; Sg_fd *prev_fp;
unsigned long iflags;
/* CAUTION! Note that sfp can still be found by walking sdp->headfp
* even though the refcount is now 0. Therefore, unlink sfp from
* sdp->headfp BEFORE doing any other cleanup.
*/
write_lock_irqsave(&sg_index_lock, iflags);
prev_fp = sdp->headfp; prev_fp = sdp->headfp;
if (sfp == prev_fp) if (sfp == prev_fp)
sdp->headfp = prev_fp->nextfp; sdp->headfp = prev_fp->nextfp;
@@ -2110,54 +2113,10 @@ __sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
prev_fp = fp; prev_fp = fp;
} }
} }
if (sfp->reserve.bufflen > 0) { write_unlock_irqrestore(&sg_index_lock, iflags);
SCSI_LOG_TIMEOUT(6, wake_up_interruptible(&sdp->o_excl_wait);
printk("__sg_remove_sfp: bufflen=%d, k_use_sg=%d\n",
(int) sfp->reserve.bufflen, (int) sfp->reserve.k_use_sg));
sg_remove_scat(&sfp->reserve);
}
sfp->parentdp = NULL;
SCSI_LOG_TIMEOUT(6, printk("__sg_remove_sfp: sfp=0x%p\n", sfp));
kfree(sfp);
}
/* Returns 0 in normal case, 1 when detached and sdp object removed */ execute_in_process_context(sg_remove_sfp_usercontext, &sfp->ew);
static int
sg_remove_sfp(Sg_device * sdp, Sg_fd * sfp)
{
Sg_request *srp;
Sg_request *tsrp;
int dirty = 0;
int res = 0;
for (srp = sfp->headrp; srp; srp = tsrp) {
tsrp = srp->nextrp;
if (sg_srp_done(srp, sfp))
sg_finish_rem_req(srp);
else
++dirty;
}
if (0 == dirty) {
unsigned long iflags;
write_lock_irqsave(&sg_index_lock, iflags);
__sg_remove_sfp(sdp, sfp);
if (sdp->detached && (NULL == sdp->headfp)) {
idr_remove(&sg_index_idr, sdp->index);
kfree(sdp);
res = 1;
}
write_unlock_irqrestore(&sg_index_lock, iflags);
} else {
/* MOD_INC's to inhibit unloading sg and associated adapter driver */
/* only bump the access_count if we actually succeeded in
* throwing another counter on the host module */
scsi_device_get(sdp->device); /* XXX: retval ignored? */
sfp->closed = 1; /* flag dirty state on this fd */
SCSI_LOG_TIMEOUT(1, printk("sg_remove_sfp: worrisome, %d writes pending\n",
dirty));
}
return res;
} }
static int static int
@@ -2199,19 +2158,38 @@ sg_last_dev(void)
} }
#endif #endif
static Sg_device * /* must be called with sg_index_lock held */
sg_get_dev(int dev) static Sg_device *sg_lookup_dev(int dev)
{ {
Sg_device *sdp; return idr_find(&sg_index_idr, dev);
unsigned long iflags; }
read_lock_irqsave(&sg_index_lock, iflags); static Sg_device *sg_get_dev(int dev)
sdp = idr_find(&sg_index_idr, dev); {
read_unlock_irqrestore(&sg_index_lock, iflags); struct sg_device *sdp;
unsigned long flags;
read_lock_irqsave(&sg_index_lock, flags);
sdp = sg_lookup_dev(dev);
if (!sdp)
sdp = ERR_PTR(-ENXIO);
else if (sdp->detached) {
/* If sdp->detached, then the refcount may already be 0, in
* which case it would be a bug to do kref_get().
*/
sdp = ERR_PTR(-ENODEV);
} else
kref_get(&sdp->d_ref);
read_unlock_irqrestore(&sg_index_lock, flags);
return sdp; return sdp;
} }
static void sg_put_dev(struct sg_device *sdp)
{
kref_put(&sdp->d_ref, sg_device_destroy);
}
#ifdef CONFIG_SCSI_PROC_FS #ifdef CONFIG_SCSI_PROC_FS
static struct proc_dir_entry *sg_proc_sgp = NULL; static struct proc_dir_entry *sg_proc_sgp = NULL;
@@ -2468,8 +2446,10 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
Sg_device *sdp; Sg_device *sdp;
struct scsi_device *scsidp; struct scsi_device *scsidp;
unsigned long iflags;
sdp = it ? sg_get_dev(it->index) : NULL; read_lock_irqsave(&sg_index_lock, iflags);
sdp = it ? sg_lookup_dev(it->index) : NULL;
if (sdp && (scsidp = sdp->device) && (!sdp->detached)) if (sdp && (scsidp = sdp->device) && (!sdp->detached))
seq_printf(s, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", seq_printf(s, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
scsidp->host->host_no, scsidp->channel, scsidp->host->host_no, scsidp->channel,
@@ -2480,6 +2460,7 @@ static int sg_proc_seq_show_dev(struct seq_file *s, void *v)
(int) scsi_device_online(scsidp)); (int) scsi_device_online(scsidp));
else else
seq_printf(s, "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n"); seq_printf(s, "-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\t-1\n");
read_unlock_irqrestore(&sg_index_lock, iflags);
return 0; return 0;
} }
@@ -2493,16 +2474,20 @@ static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v)
struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
Sg_device *sdp; Sg_device *sdp;
struct scsi_device *scsidp; struct scsi_device *scsidp;
unsigned long iflags;
sdp = it ? sg_get_dev(it->index) : NULL; read_lock_irqsave(&sg_index_lock, iflags);
sdp = it ? sg_lookup_dev(it->index) : NULL;
if (sdp && (scsidp = sdp->device) && (!sdp->detached)) if (sdp && (scsidp = sdp->device) && (!sdp->detached))
seq_printf(s, "%8.8s\t%16.16s\t%4.4s\n", seq_printf(s, "%8.8s\t%16.16s\t%4.4s\n",
scsidp->vendor, scsidp->model, scsidp->rev); scsidp->vendor, scsidp->model, scsidp->rev);
else else
seq_printf(s, "<no active device>\n"); seq_printf(s, "<no active device>\n");
read_unlock_irqrestore(&sg_index_lock, iflags);
return 0; return 0;
} }
/* must be called while holding sg_index_lock */
static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
{ {
int k, m, new_interface, blen, usg; int k, m, new_interface, blen, usg;
@@ -2512,7 +2497,8 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
const char * cp; const char * cp;
unsigned int ms; unsigned int ms;
for (k = 0; (fp = sg_get_nth_sfp(sdp, k)); ++k) { for (k = 0, fp = sdp->headfp; fp != NULL; ++k, fp = fp->nextfp) {
read_lock(&fp->rq_list_lock); /* irqs already disabled */
seq_printf(s, " FD(%d): timeout=%dms bufflen=%d " seq_printf(s, " FD(%d): timeout=%dms bufflen=%d "
"(res)sgat=%d low_dma=%d\n", k + 1, "(res)sgat=%d low_dma=%d\n", k + 1,
jiffies_to_msecs(fp->timeout), jiffies_to_msecs(fp->timeout),
@@ -2522,7 +2508,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=%d\n", seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=%d\n",
(int) fp->cmd_q, (int) fp->force_packid, (int) fp->cmd_q, (int) fp->force_packid,
(int) fp->keep_orphan, (int) fp->closed); (int) fp->keep_orphan, (int) fp->closed);
for (m = 0; (srp = sg_get_nth_request(fp, m)); ++m) { for (m = 0, srp = fp->headrp;
srp != NULL;
++m, srp = srp->nextrp) {
hp = &srp->header; hp = &srp->header;
new_interface = (hp->interface_id == '\0') ? 0 : 1; new_interface = (hp->interface_id == '\0') ? 0 : 1;
if (srp->res_used) { if (srp->res_used) {
@@ -2559,6 +2547,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
} }
if (0 == m) if (0 == m)
seq_printf(s, " No requests active\n"); seq_printf(s, " No requests active\n");
read_unlock(&fp->rq_list_lock);
} }
} }
@@ -2571,39 +2560,34 @@ static int sg_proc_seq_show_debug(struct seq_file *s, void *v)
{ {
struct sg_proc_deviter * it = (struct sg_proc_deviter *) v; struct sg_proc_deviter * it = (struct sg_proc_deviter *) v;
Sg_device *sdp; Sg_device *sdp;
unsigned long iflags;
if (it && (0 == it->index)) { if (it && (0 == it->index)) {
seq_printf(s, "max_active_device=%d(origin 1)\n", seq_printf(s, "max_active_device=%d(origin 1)\n",
(int)it->max); (int)it->max);
seq_printf(s, " def_reserved_size=%d\n", sg_big_buff); seq_printf(s, " def_reserved_size=%d\n", sg_big_buff);
} }
sdp = it ? sg_get_dev(it->index) : NULL;
if (sdp) { read_lock_irqsave(&sg_index_lock, iflags);
sdp = it ? sg_lookup_dev(it->index) : NULL;
if (sdp && sdp->headfp) {
struct scsi_device *scsidp = sdp->device; struct scsi_device *scsidp = sdp->device;
if (NULL == scsidp) { seq_printf(s, " >>> device=%s ", sdp->disk->disk_name);
seq_printf(s, "device %d detached ??\n", if (sdp->detached)
(int)it->index); seq_printf(s, "detached pending close ");
return 0; else
} seq_printf
(s, "scsi%d chan=%d id=%d lun=%d em=%d",
if (sg_get_nth_sfp(sdp, 0)) { scsidp->host->host_no,
seq_printf(s, " >>> device=%s ", scsidp->channel, scsidp->id,
sdp->disk->disk_name); scsidp->lun,
if (sdp->detached) scsidp->host->hostt->emulated);
seq_printf(s, "detached pending close "); seq_printf(s, " sg_tablesize=%d excl=%d\n",
else sdp->sg_tablesize, sdp->exclude);
seq_printf
(s, "scsi%d chan=%d id=%d lun=%d em=%d",
scsidp->host->host_no,
scsidp->channel, scsidp->id,
scsidp->lun,
scsidp->host->hostt->emulated);
seq_printf(s, " sg_tablesize=%d excl=%d\n",
sdp->sg_tablesize, sdp->exclude);
}
sg_proc_debug_helper(s, sdp); sg_proc_debug_helper(s, sdp);
} }
read_unlock_irqrestore(&sg_index_lock, iflags);
return 0; return 0;
} }