From: gregkh@suse.de
To: linux-kernel@vger.kernel.org, stable@kernel.org,
Linus Torvalds <torvalds@osdl.org>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Jody McIntyre <scjody@modernduck.com>,
Stefan Richter <stefanr@s5r6.in-berlin.de>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 06/26] sbp2: fix spinlock recursion
Date: Tue, 4 Apr 2006 17:00:00 -0700 [thread overview]
Message-ID: <20060405000000.GG27049@kroah.com> (raw)
In-Reply-To: <20060404235927.GA27049@kroah.com>
[-- Attachment #1: sbp2-fix-spinlock-recursion.patch --]
[-- Type: text/plain, Size: 3720 bytes --]
sbp2util_mark_command_completed takes a lock which was already taken by
sbp2scsi_complete_all_commands. This is a regression in Linux 2.6.15.
Reported by Kristian Harms at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187394
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/ieee1394/sbp2.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
--- linux-2.6.16.1.orig/drivers/ieee1394/sbp2.c
+++ linux-2.6.16.1/drivers/ieee1394/sbp2.c
@@ -495,22 +495,17 @@ static struct sbp2_command_info *sbp2uti
/*
* This function finds the sbp2_command for a given outstanding SCpnt.
* Only looks at the inuse list.
+ * Must be called with scsi_id->sbp2_command_orb_lock held.
*/
-static struct sbp2_command_info *sbp2util_find_command_for_SCpnt(struct scsi_id_instance_data *scsi_id, void *SCpnt)
+static struct sbp2_command_info *sbp2util_find_command_for_SCpnt(
+ struct scsi_id_instance_data *scsi_id, void *SCpnt)
{
struct sbp2_command_info *command;
- unsigned long flags;
- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
- if (!list_empty(&scsi_id->sbp2_command_orb_inuse)) {
- list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list) {
- if (command->Current_SCpnt == SCpnt) {
- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
+ if (!list_empty(&scsi_id->sbp2_command_orb_inuse))
+ list_for_each_entry(command, &scsi_id->sbp2_command_orb_inuse, list)
+ if (command->Current_SCpnt == SCpnt)
return command;
- }
- }
- }
- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
return NULL;
}
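Review bot: The new header comment on sbp2util_find_command_for_SCpnt says the lock must be held on entry, but it does not say how long the returned pointer stays valid. Because the function no longer takes sbp2_command_orb_lock itself, the entry it returns can be moved off the inuse list by another path as soon as the caller drops the lock. I would add a line to the comment such as `* The returned command may only be used while that lock is still held.` so future callers do not unlock between the lookup and the use. Separately, the `list_empty()` test looks redundant, since `list_for_each_entry` simply does not iterate on an empty list.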
@@ -579,17 +574,15 @@ static void sbp2util_free_command_dma(st
/*
* This function moves a command to the completed orb list.
+ * Must be called with scsi_id->sbp2_command_orb_lock held.
*/
-static void sbp2util_mark_command_completed(struct scsi_id_instance_data *scsi_id,
- struct sbp2_command_info *command)
+static void sbp2util_mark_command_completed(
+ struct scsi_id_instance_data *scsi_id,
+ struct sbp2_command_info *command)
{
- unsigned long flags;
-
- spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
list_del(&command->list);
sbp2util_free_command_dma(command);
list_add_tail(&command->list, &scsi_id->sbp2_command_orb_completed);
- spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
}
/*
@@ -2177,7 +2170,9 @@ static int sbp2_handle_status_write(stru
* Matched status with command, now grab scsi command pointers and check status
*/
SCpnt = command->Current_SCpnt;
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
sbp2util_mark_command_completed(scsi_id, command);
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
if (SCpnt) {
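Review bot: The lock is taken here only around `sbp2util_mark_command_completed()`, while `command` itself was looked up earlier in sbp2_handle_status_write, outside this hunk. If that lookup ran in its own critical section, then lookup and list move are two separate locked regions. A concurrent abort or complete-all path could then complete the same command in between, and this code would process it a second time. The caller is not fully visible, so this needs confirming, but holding sbp2_command_orb_lock from the lookup through the `list_del` would close that window. The declaration of `flags` is also not part of this hunk and is presumably already present in the function.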
@@ -2513,6 +2508,7 @@ static int sbp2scsi_abort(struct scsi_cm
(struct scsi_id_instance_data *)SCpnt->device->host->hostdata[0];
struct sbp2scsi_host_info *hi = scsi_id->hi;
struct sbp2_command_info *command;
+ unsigned long flags;
SBP2_ERR("aborting sbp2 command");
scsi_print_command(SCpnt);
@@ -2523,6 +2519,7 @@ static int sbp2scsi_abort(struct scsi_cm
* Right now, just return any matching command structures
* to the free pool.
*/
+ spin_lock_irqsave(&scsi_id->sbp2_command_orb_lock, flags);
command = sbp2util_find_command_for_SCpnt(scsi_id, SCpnt);
if (command) {
SBP2_DEBUG("Found command to abort");
@@ -2540,6 +2537,7 @@ static int sbp2scsi_abort(struct scsi_cm
command->Current_done(command->Current_SCpnt);
}
}
+ spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);
/*
* Initiate a fetch agent reset.
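Review bot: With the lock taken before the lookup in the previous hunk and released only here, sbp2scsi_abort now calls `command->Current_done(command->Current_SCpnt)` while holding sbp2_command_orb_lock with interrupts disabled. Whether the completion callback can re-enter a driver path that takes the same lock is not visible from these hunks. If it can, this recreates the recursion the patch is fixing, and the symptom would again be a hard hang. A more defensive shape would save the done pointer and SCpnt in locals, call `spin_unlock_irqrestore(&scsi_id->sbp2_command_orb_lock, flags);`, and only then invoke the callback. Failing that, a comment at the call site should state why calling it under the lock is safe. Part of the function body between the two hunks is not shown.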
--