[PATCH] Remove ->rq_status from struct request

After Christoph's SCSI change, the only usage left is RQ_ACTIVE
and RQ_INACTIVE. The block layer sets RQ_INACTIVE right before freeing
the request, so any check for RQ_INACTIVE in a driver is a bug and
indicates use-after-free.

So kill/clean the remaining users, straightforward.

Signed-off-by: Jens Axboe <axboe@suse.de>
Jens Axboe 2006-07-28 09:32:07 +02:00 committed by Jens Axboe
parent 49171e5c6f
commit cdd6026217
12 changed files with 14 additions and 26 deletions


@ -981,8 +981,6 @@ static int prepare_request(struct request *req, struct io_thread_req *io_req)
__u64 offset; __u64 offset;
int len; int len;
if(req->rq_status == RQ_INACTIVE) return(1);
/* This should be impossible now */ /* This should be impossible now */
if((rq_data_dir(req) == WRITE) && !dev->openflags.w){ if((rq_data_dir(req) == WRITE) && !dev->openflags.w){
printk("Write attempted on readonly ubd device %s\n", printk("Write attempted on readonly ubd device %s\n",


@ -283,7 +283,6 @@ static inline void rq_init(request_queue_t *q, struct request *rq)
INIT_LIST_HEAD(&rq->donelist); INIT_LIST_HEAD(&rq->donelist);
rq->errors = 0; rq->errors = 0;
rq->rq_status = RQ_ACTIVE;
rq->bio = rq->biotail = NULL; rq->bio = rq->biotail = NULL;
INIT_HLIST_NODE(&rq->hash); INIT_HLIST_NODE(&rq->hash);
RB_CLEAR_NODE(&rq->rb_node); RB_CLEAR_NODE(&rq->rb_node);
@ -2685,8 +2684,6 @@ void __blk_put_request(request_queue_t *q, struct request *req)
elv_completed_request(q, req); elv_completed_request(q, req);
req->rq_status = RQ_INACTIVE;
/* /*
* Request may not have originated from ll_rw_blk. if not, * Request may not have originated from ll_rw_blk. if not,
* it didn't come out of our reserved rq pools * it didn't come out of our reserved rq pools


@ -719,7 +719,6 @@ static int pd_special_command(struct pd_unit *disk,
memset(&rq, 0, sizeof(rq)); memset(&rq, 0, sizeof(rq));
rq.errors = 0; rq.errors = 0;
rq.rq_status = RQ_ACTIVE;
rq.rq_disk = disk->gd; rq.rq_disk = disk->gd;
rq.ref_count = 1; rq.ref_count = 1;
rq.end_io_data = &wait; rq.end_io_data = &wait;


@ -319,8 +319,8 @@ static void start_request(struct floppy_state *fs)
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
req->rq_disk->disk_name, req->cmd, req->rq_disk->disk_name, req->cmd,
(long)req->sector, req->nr_sectors, req->buffer); (long)req->sector, req->nr_sectors, req->buffer);
printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n", printk(" errors=%d current_nr_sectors=%ld\n",
req->rq_status, req->errors, req->current_nr_sectors); req->errors, req->current_nr_sectors);
#endif #endif
if (req->sector < 0 || req->sector >= fs->total_secs) { if (req->sector < 0 || req->sector >= fs->total_secs) {


@ -529,8 +529,8 @@ static void start_request(struct floppy_state *fs)
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n", printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
CURRENT->rq_disk->disk_name, CURRENT->cmd, CURRENT->rq_disk->disk_name, CURRENT->cmd,
CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer); CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer);
printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n", printk(" errors=%d current_nr_sectors=%ld\n",
CURRENT->rq_status, CURRENT->errors, CURRENT->current_nr_sectors); CURRENT->errors, CURRENT->current_nr_sectors);
#endif #endif
if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) { if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) {


@ -974,7 +974,6 @@ int fcp_scsi_dev_reset(Scsi_Cmnd *SCpnt)
*/ */
fc->rst_pkt->device->host->eh_action = &sem; fc->rst_pkt->device->host->eh_action = &sem;
fc->rst_pkt->request->rq_status = RQ_SCSI_BUSY;
fc->rst_pkt->done = fcp_scsi_reset_done; fc->rst_pkt->done = fcp_scsi_reset_done;


@ -1281,8 +1281,7 @@ static ide_startstop_t idefloppy_do_request (ide_drive_t *drive, struct request
idefloppy_pc_t *pc; idefloppy_pc_t *pc;
unsigned long block = (unsigned long)block_s; unsigned long block = (unsigned long)block_s;
debug_log(KERN_INFO "rq_status: %d, dev: %s, flags: %lx, errors: %d\n", debug_log(KERN_INFO "dev: %s, flags: %lx, errors: %d\n",
rq->rq_status,
rq->rq_disk ? rq->rq_disk->disk_name : "?", rq->rq_disk ? rq->rq_disk->disk_name : "?",
rq->flags, rq->errors); rq->flags, rq->errors);
debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, " debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, "


@ -1710,7 +1710,6 @@ int ide_do_drive_cmd (ide_drive_t *drive, struct request *rq, ide_action_t actio
int must_wait = (action == ide_wait || action == ide_head_wait); int must_wait = (action == ide_wait || action == ide_head_wait);
rq->errors = 0; rq->errors = 0;
rq->rq_status = RQ_ACTIVE;
/* /*
* we need to hold an extra reference to request for safe inspection * we need to hold an extra reference to request for safe inspection


@ -2423,8 +2423,8 @@ static ide_startstop_t idetape_do_request(ide_drive_t *drive,
#if IDETAPE_DEBUG_LOG #if IDETAPE_DEBUG_LOG
#if 0 #if 0
if (tape->debug_level >= 5) if (tape->debug_level >= 5)
printk(KERN_INFO "ide-tape: rq_status: %d, " printk(KERN_INFO "ide-tape: %d, "
"dev: %s, cmd: %ld, errors: %d\n", rq->rq_status, "dev: %s, cmd: %ld, errors: %d\n",
rq->rq_disk->disk_name, rq->cmd[0], rq->errors); rq->rq_disk->disk_name, rq->cmd[0], rq->errors);
#endif #endif
if (tape->debug_level >= 2) if (tape->debug_level >= 2)
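Review bot: The rewritten debug printk in idetape_do_request keeps a `%d` in its format string (`"ide-tape: %d, "`) even though the `rq->rq_status` argument that fed it was dropped, so the format now has four conversions for three arguments. The statement sits under `#if 0` and is not compiled today, but if it is ever re-enabled `%d` would consume the `disk_name` pointer and `%s` would be handed `rq->cmd[0]` as a string pointer, giving an invalid dereference inside printk. Drop the stray conversion so the line reads `printk(KERN_INFO "ide-tape: "`. The function body continues outside the hunk.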


@ -708,7 +708,7 @@ static ide_startstop_t idescsi_issue_pc (ide_drive_t *drive, idescsi_pc_t *pc)
static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block) static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block)
{ {
#if IDESCSI_DEBUG_LOG #if IDESCSI_DEBUG_LOG
printk (KERN_INFO "rq_status: %d, dev: %s, cmd: %x, errors: %d\n",rq->rq_status, rq->rq_disk->disk_name,rq->cmd[0],rq->errors); printk (KERN_INFO "dev: %s, cmd: %x, errors: %d\n", rq->rq_disk->disk_name,rq->cmd[0],rq->errors);
printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors); printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors);
#endif /* IDESCSI_DEBUG_LOG */ #endif /* IDESCSI_DEBUG_LOG */


@ -1065,7 +1065,7 @@ int scsi_device_cancel(struct scsi_device *sdev, int recovery)
spin_lock_irqsave(&sdev->list_lock, flags); spin_lock_irqsave(&sdev->list_lock, flags);
list_for_each_entry(scmd, &sdev->cmd_list, list) { list_for_each_entry(scmd, &sdev->cmd_list, list) {
if (scmd->request && scmd->request->rq_status != RQ_INACTIVE) { if (scmd->request) {
/* /*
* If we are unable to remove the timer, it means * If we are unable to remove the timer, it means
* that the command has already timed out or * that the command has already timed out or
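Review bot: With the `rq_status != RQ_INACTIVE` test removed, `if (scmd->request)` treats every non-NULL request pointer found on `sdev->cmd_list` as live, so the loop depends on a command never remaining on the list while still pointing at a freed request. The commit message argues that the old test could only be true after the free, which supports the removal, but the lifetime rule the new condition relies on is not written down in this hunk. I would add a comment above the condition, for example `/* a non-NULL scmd->request is assumed to still be owned by this command */`, provided that invariant really holds; it cannot be confirmed from the lines shown. scsi_device_cancel continues outside the hunk.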


@ -243,8 +243,6 @@ struct request {
void *completion_data; void *completion_data;
int rq_status; /* should split this into a few status bits */
int errors;
struct gendisk *rq_disk; struct gendisk *rq_disk;
unsigned long start_time; unsigned long start_time;
@ -262,14 +260,16 @@ struct request {
unsigned short ioprio; unsigned short ioprio;
int tag;
int ref_count;
request_queue_t *q; request_queue_t *q;
void *special; void *special;
char *buffer; char *buffer;
int tag;
int errors;
int ref_count;
/* /*
* when request is used as a packet command carrier * when request is used as a packet command carrier
*/ */
@ -456,9 +456,6 @@ struct request_queue
struct mutex sysfs_lock; struct mutex sysfs_lock;
}; };
#define RQ_INACTIVE (-1)
#define RQ_ACTIVE 1
#define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */ #define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */
#define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */ #define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */
#define QUEUE_FLAG_STOPPED 2 /* queue is stopped */ #define QUEUE_FLAG_STOPPED 2 /* queue is stopped */