mirror of https://gitee.com/openkylin/linux.git
[PATCH] Remove ->rq_status from struct request
After Christophs SCSI change, the only usage left is RQ_ACTIVE and RQ_INACTIVE. The block layer sets RQ_INACTIVE right before freeing the request, so any check for RQ_INACTIVE in a driver is a bug and indicates use-after-free. So kill/clean the remaining users, straight forward. Signed-off-by: Jens Axboe <axboe@suse.de>
This commit is contained in:
parent
49171e5c6f
commit
cdd6026217
|
@ -981,8 +981,6 @@ static int prepare_request(struct request *req, struct io_thread_req *io_req)
|
||||||
__u64 offset;
|
__u64 offset;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
if(req->rq_status == RQ_INACTIVE) return(1);
|
|
||||||
|
|
||||||
/* This should be impossible now */
|
/* This should be impossible now */
|
||||||
if((rq_data_dir(req) == WRITE) && !dev->openflags.w){
|
if((rq_data_dir(req) == WRITE) && !dev->openflags.w){
|
||||||
printk("Write attempted on readonly ubd device %s\n",
|
printk("Write attempted on readonly ubd device %s\n",
|
||||||
|
|
|
@ -283,7 +283,6 @@ static inline void rq_init(request_queue_t *q, struct request *rq)
|
||||||
INIT_LIST_HEAD(&rq->donelist);
|
INIT_LIST_HEAD(&rq->donelist);
|
||||||
|
|
||||||
rq->errors = 0;
|
rq->errors = 0;
|
||||||
rq->rq_status = RQ_ACTIVE;
|
|
||||||
rq->bio = rq->biotail = NULL;
|
rq->bio = rq->biotail = NULL;
|
||||||
INIT_HLIST_NODE(&rq->hash);
|
INIT_HLIST_NODE(&rq->hash);
|
||||||
RB_CLEAR_NODE(&rq->rb_node);
|
RB_CLEAR_NODE(&rq->rb_node);
|
||||||
|
@ -2685,8 +2684,6 @@ void __blk_put_request(request_queue_t *q, struct request *req)
|
||||||
|
|
||||||
elv_completed_request(q, req);
|
elv_completed_request(q, req);
|
||||||
|
|
||||||
req->rq_status = RQ_INACTIVE;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Request may not have originated from ll_rw_blk. if not,
|
* Request may not have originated from ll_rw_blk. if not,
|
||||||
* it didn't come out of our reserved rq pools
|
* it didn't come out of our reserved rq pools
|
||||||
|
|
|
@ -719,7 +719,6 @@ static int pd_special_command(struct pd_unit *disk,
|
||||||
|
|
||||||
memset(&rq, 0, sizeof(rq));
|
memset(&rq, 0, sizeof(rq));
|
||||||
rq.errors = 0;
|
rq.errors = 0;
|
||||||
rq.rq_status = RQ_ACTIVE;
|
|
||||||
rq.rq_disk = disk->gd;
|
rq.rq_disk = disk->gd;
|
||||||
rq.ref_count = 1;
|
rq.ref_count = 1;
|
||||||
rq.end_io_data = &wait;
|
rq.end_io_data = &wait;
|
||||||
|
|
|
@ -319,8 +319,8 @@ static void start_request(struct floppy_state *fs)
|
||||||
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
|
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
|
||||||
req->rq_disk->disk_name, req->cmd,
|
req->rq_disk->disk_name, req->cmd,
|
||||||
(long)req->sector, req->nr_sectors, req->buffer);
|
(long)req->sector, req->nr_sectors, req->buffer);
|
||||||
printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n",
|
printk(" errors=%d current_nr_sectors=%ld\n",
|
||||||
req->rq_status, req->errors, req->current_nr_sectors);
|
req->errors, req->current_nr_sectors);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (req->sector < 0 || req->sector >= fs->total_secs) {
|
if (req->sector < 0 || req->sector >= fs->total_secs) {
|
||||||
|
|
|
@ -529,8 +529,8 @@ static void start_request(struct floppy_state *fs)
|
||||||
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
|
printk("do_fd_req: dev=%s cmd=%d sec=%ld nr_sec=%ld buf=%p\n",
|
||||||
CURRENT->rq_disk->disk_name, CURRENT->cmd,
|
CURRENT->rq_disk->disk_name, CURRENT->cmd,
|
||||||
CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer);
|
CURRENT->sector, CURRENT->nr_sectors, CURRENT->buffer);
|
||||||
printk(" rq_status=%d errors=%d current_nr_sectors=%ld\n",
|
printk(" errors=%d current_nr_sectors=%ld\n",
|
||||||
CURRENT->rq_status, CURRENT->errors, CURRENT->current_nr_sectors);
|
CURRENT->errors, CURRENT->current_nr_sectors);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) {
|
if (CURRENT->sector < 0 || CURRENT->sector >= fs->total_secs) {
|
||||||
|
|
|
@ -974,7 +974,6 @@ int fcp_scsi_dev_reset(Scsi_Cmnd *SCpnt)
|
||||||
*/
|
*/
|
||||||
|
|
||||||
fc->rst_pkt->device->host->eh_action = &sem;
|
fc->rst_pkt->device->host->eh_action = &sem;
|
||||||
fc->rst_pkt->request->rq_status = RQ_SCSI_BUSY;
|
|
||||||
|
|
||||||
fc->rst_pkt->done = fcp_scsi_reset_done;
|
fc->rst_pkt->done = fcp_scsi_reset_done;
|
||||||
|
|
||||||
|
|
|
@ -1281,8 +1281,7 @@ static ide_startstop_t idefloppy_do_request (ide_drive_t *drive, struct request
|
||||||
idefloppy_pc_t *pc;
|
idefloppy_pc_t *pc;
|
||||||
unsigned long block = (unsigned long)block_s;
|
unsigned long block = (unsigned long)block_s;
|
||||||
|
|
||||||
debug_log(KERN_INFO "rq_status: %d, dev: %s, flags: %lx, errors: %d\n",
|
debug_log(KERN_INFO "dev: %s, flags: %lx, errors: %d\n",
|
||||||
rq->rq_status,
|
|
||||||
rq->rq_disk ? rq->rq_disk->disk_name : "?",
|
rq->rq_disk ? rq->rq_disk->disk_name : "?",
|
||||||
rq->flags, rq->errors);
|
rq->flags, rq->errors);
|
||||||
debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, "
|
debug_log(KERN_INFO "sector: %ld, nr_sectors: %ld, "
|
||||||
|
|
|
@ -1710,7 +1710,6 @@ int ide_do_drive_cmd (ide_drive_t *drive, struct request *rq, ide_action_t actio
|
||||||
int must_wait = (action == ide_wait || action == ide_head_wait);
|
int must_wait = (action == ide_wait || action == ide_head_wait);
|
||||||
|
|
||||||
rq->errors = 0;
|
rq->errors = 0;
|
||||||
rq->rq_status = RQ_ACTIVE;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* we need to hold an extra reference to request for safe inspection
|
* we need to hold an extra reference to request for safe inspection
|
||||||
|
|
|
@ -2423,8 +2423,8 @@ static ide_startstop_t idetape_do_request(ide_drive_t *drive,
|
||||||
#if IDETAPE_DEBUG_LOG
|
#if IDETAPE_DEBUG_LOG
|
||||||
#if 0
|
#if 0
|
||||||
if (tape->debug_level >= 5)
|
if (tape->debug_level >= 5)
|
||||||
printk(KERN_INFO "ide-tape: rq_status: %d, "
|
printk(KERN_INFO "ide-tape: %d, "
|
||||||
"dev: %s, cmd: %ld, errors: %d\n", rq->rq_status,
|
"dev: %s, cmd: %ld, errors: %d\n",
|
||||||
rq->rq_disk->disk_name, rq->cmd[0], rq->errors);
|
rq->rq_disk->disk_name, rq->cmd[0], rq->errors);
|
||||||
#endif
|
#endif
|
||||||
if (tape->debug_level >= 2)
|
if (tape->debug_level >= 2)
|
||||||
|
|
|
@ -708,7 +708,7 @@ static ide_startstop_t idescsi_issue_pc (ide_drive_t *drive, idescsi_pc_t *pc)
|
||||||
static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block)
|
static ide_startstop_t idescsi_do_request (ide_drive_t *drive, struct request *rq, sector_t block)
|
||||||
{
|
{
|
||||||
#if IDESCSI_DEBUG_LOG
|
#if IDESCSI_DEBUG_LOG
|
||||||
printk (KERN_INFO "rq_status: %d, dev: %s, cmd: %x, errors: %d\n",rq->rq_status, rq->rq_disk->disk_name,rq->cmd[0],rq->errors);
|
printk (KERN_INFO "dev: %s, cmd: %x, errors: %d\n", rq->rq_disk->disk_name,rq->cmd[0],rq->errors);
|
||||||
printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors);
|
printk (KERN_INFO "sector: %ld, nr_sectors: %ld, current_nr_sectors: %d\n",rq->sector,rq->nr_sectors,rq->current_nr_sectors);
|
||||||
#endif /* IDESCSI_DEBUG_LOG */
|
#endif /* IDESCSI_DEBUG_LOG */
|
||||||
|
|
||||||
|
|
|
@ -1065,7 +1065,7 @@ int scsi_device_cancel(struct scsi_device *sdev, int recovery)
|
||||||
|
|
||||||
spin_lock_irqsave(&sdev->list_lock, flags);
|
spin_lock_irqsave(&sdev->list_lock, flags);
|
||||||
list_for_each_entry(scmd, &sdev->cmd_list, list) {
|
list_for_each_entry(scmd, &sdev->cmd_list, list) {
|
||||||
if (scmd->request && scmd->request->rq_status != RQ_INACTIVE) {
|
if (scmd->request) {
|
||||||
/*
|
/*
|
||||||
* If we are unable to remove the timer, it means
|
* If we are unable to remove the timer, it means
|
||||||
* that the command has already timed out or
|
* that the command has already timed out or
|
||||||
|
|
|
@ -243,8 +243,6 @@ struct request {
|
||||||
|
|
||||||
void *completion_data;
|
void *completion_data;
|
||||||
|
|
||||||
int rq_status; /* should split this into a few status bits */
|
|
||||||
int errors;
|
|
||||||
struct gendisk *rq_disk;
|
struct gendisk *rq_disk;
|
||||||
unsigned long start_time;
|
unsigned long start_time;
|
||||||
|
|
||||||
|
@ -262,14 +260,16 @@ struct request {
|
||||||
|
|
||||||
unsigned short ioprio;
|
unsigned short ioprio;
|
||||||
|
|
||||||
int tag;
|
|
||||||
|
|
||||||
int ref_count;
|
|
||||||
request_queue_t *q;
|
request_queue_t *q;
|
||||||
|
|
||||||
void *special;
|
void *special;
|
||||||
char *buffer;
|
char *buffer;
|
||||||
|
|
||||||
|
int tag;
|
||||||
|
int errors;
|
||||||
|
|
||||||
|
int ref_count;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* when request is used as a packet command carrier
|
* when request is used as a packet command carrier
|
||||||
*/
|
*/
|
||||||
|
@ -456,9 +456,6 @@ struct request_queue
|
||||||
struct mutex sysfs_lock;
|
struct mutex sysfs_lock;
|
||||||
};
|
};
|
||||||
|
|
||||||
#define RQ_INACTIVE (-1)
|
|
||||||
#define RQ_ACTIVE 1
|
|
||||||
|
|
||||||
#define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */
|
#define QUEUE_FLAG_CLUSTER 0 /* cluster several segments into 1 */
|
||||||
#define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */
|
#define QUEUE_FLAG_QUEUED 1 /* uses generic tag queueing */
|
||||||
#define QUEUE_FLAG_STOPPED 2 /* queue is stopped */
|
#define QUEUE_FLAG_STOPPED 2 /* queue is stopped */
|
||||||
|
|
Loading…
Reference in New Issue