Commit 261b5f66 authored by Stefan Richter's avatar Stefan Richter

ieee1394: sbp2: fix unsafe iteration over list of devices

sbp2_host_reset and sbp2_handle_status_write are not serialized against
sbp2_alloc_device and sbp2_remove_device.
Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
parent c4f3d41f
...@@ -242,6 +242,8 @@ static int sbp2_max_speed_and_size(struct sbp2_lu *); ...@@ -242,6 +242,8 @@ static int sbp2_max_speed_and_size(struct sbp2_lu *);
static const u8 sbp2_speedto_max_payload[] = { 0x7, 0x8, 0x9, 0xA, 0xB, 0xC }; static const u8 sbp2_speedto_max_payload[] = { 0x7, 0x8, 0x9, 0xA, 0xB, 0xC };
static DEFINE_RWLOCK(sbp2_hi_logical_units_lock);
static struct hpsb_highlevel sbp2_highlevel = { static struct hpsb_highlevel sbp2_highlevel = {
.name = SBP2_DEVICE_NAME, .name = SBP2_DEVICE_NAME,
.host_reset = sbp2_host_reset, .host_reset = sbp2_host_reset,
...@@ -732,6 +734,7 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud) ...@@ -732,6 +734,7 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud)
struct sbp2_fwhost_info *hi; struct sbp2_fwhost_info *hi;
struct Scsi_Host *shost = NULL; struct Scsi_Host *shost = NULL;
struct sbp2_lu *lu = NULL; struct sbp2_lu *lu = NULL;
unsigned long flags;
lu = kzalloc(sizeof(*lu), GFP_KERNEL); lu = kzalloc(sizeof(*lu), GFP_KERNEL);
if (!lu) { if (!lu) {
...@@ -784,7 +787,9 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud) ...@@ -784,7 +787,9 @@ static struct sbp2_lu *sbp2_alloc_device(struct unit_directory *ud)
lu->hi = hi; lu->hi = hi;
write_lock_irqsave(&sbp2_hi_logical_units_lock, flags);
list_add_tail(&lu->lu_list, &hi->logical_units); list_add_tail(&lu->lu_list, &hi->logical_units);
write_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags);
/* Register the status FIFO address range. We could use the same FIFO /* Register the status FIFO address range. We could use the same FIFO
* for targets at different nodes. However we need different FIFOs per * for targets at different nodes. However we need different FIFOs per
...@@ -828,16 +833,20 @@ static void sbp2_host_reset(struct hpsb_host *host) ...@@ -828,16 +833,20 @@ static void sbp2_host_reset(struct hpsb_host *host)
{ {
struct sbp2_fwhost_info *hi; struct sbp2_fwhost_info *hi;
struct sbp2_lu *lu; struct sbp2_lu *lu;
unsigned long flags;
hi = hpsb_get_hostinfo(&sbp2_highlevel, host); hi = hpsb_get_hostinfo(&sbp2_highlevel, host);
if (!hi) if (!hi)
return; return;
read_lock_irqsave(&sbp2_hi_logical_units_lock, flags);
list_for_each_entry(lu, &hi->logical_units, lu_list) list_for_each_entry(lu, &hi->logical_units, lu_list)
if (likely(atomic_read(&lu->state) != if (likely(atomic_read(&lu->state) !=
SBP2LU_STATE_IN_SHUTDOWN)) { SBP2LU_STATE_IN_SHUTDOWN)) {
atomic_set(&lu->state, SBP2LU_STATE_IN_RESET); atomic_set(&lu->state, SBP2LU_STATE_IN_RESET);
scsi_block_requests(lu->shost); scsi_block_requests(lu->shost);
} }
read_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags);
} }
static int sbp2_start_device(struct sbp2_lu *lu) static int sbp2_start_device(struct sbp2_lu *lu)
...@@ -919,6 +928,7 @@ alloc_fail: ...@@ -919,6 +928,7 @@ alloc_fail:
static void sbp2_remove_device(struct sbp2_lu *lu) static void sbp2_remove_device(struct sbp2_lu *lu)
{ {
struct sbp2_fwhost_info *hi; struct sbp2_fwhost_info *hi;
unsigned long flags;
if (!lu) if (!lu)
return; return;
...@@ -933,7 +943,9 @@ static void sbp2_remove_device(struct sbp2_lu *lu) ...@@ -933,7 +943,9 @@ static void sbp2_remove_device(struct sbp2_lu *lu)
flush_scheduled_work(); flush_scheduled_work();
sbp2util_remove_command_orb_pool(lu, hi->host); sbp2util_remove_command_orb_pool(lu, hi->host);
write_lock_irqsave(&sbp2_hi_logical_units_lock, flags);
list_del(&lu->lu_list); list_del(&lu->lu_list);
write_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags);
if (lu->login_response) if (lu->login_response)
dma_free_coherent(hi->host->device.parent, dma_free_coherent(hi->host->device.parent,
...@@ -1707,6 +1719,7 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid, ...@@ -1707,6 +1719,7 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid,
} }
/* Find the unit which wrote the status. */ /* Find the unit which wrote the status. */
read_lock_irqsave(&sbp2_hi_logical_units_lock, flags);
list_for_each_entry(lu_tmp, &hi->logical_units, lu_list) { list_for_each_entry(lu_tmp, &hi->logical_units, lu_list) {
if (lu_tmp->ne->nodeid == nodeid && if (lu_tmp->ne->nodeid == nodeid &&
lu_tmp->status_fifo_addr == addr) { lu_tmp->status_fifo_addr == addr) {
...@@ -1714,6 +1727,8 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid, ...@@ -1714,6 +1727,8 @@ static int sbp2_handle_status_write(struct hpsb_host *host, int nodeid,
break; break;
} }
} }
read_unlock_irqrestore(&sbp2_hi_logical_units_lock, flags);
if (unlikely(!lu)) { if (unlikely(!lu)) {
SBP2_ERR("lu is NULL - device is gone?"); SBP2_ERR("lu is NULL - device is gone?");
return RCODE_ADDRESS_ERROR; return RCODE_ADDRESS_ERROR;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment