aboutsummaryrefslogtreecommitdiff
path: root/drivers/firewire/fw-card.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@woody.linux-foundation.org>2008-03-02 12:38:17 -0800
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-03-02 12:38:17 -0800
commit038f2f725503b55ab76cfd2645915a85594710fe (patch)
treedfed2103875ec09f4bb4e7031e6eb370f8095c58 /drivers/firewire/fw-card.c
parent8d07a67cface19ac07d7324f38bda7bbb06bbdb2 (diff)
parent855c603d61ede7e2810217f15f0d574b4f29c891 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: fix crash in automatic module unloading firewire: potentially invalid pointers used in fw_card_bm_work firewire: fw-sbp2: better fix for NULL pointer dereference in scsi_remove_device
Diffstat (limited to 'drivers/firewire/fw-card.c')
-rw-r--r--drivers/firewire/fw-card.c61
1 files changed, 43 insertions, 18 deletions
diff --git a/drivers/firewire/fw-card.c b/drivers/firewire/fw-card.c
index 3e9719948a8..a03462750b9 100644
--- a/drivers/firewire/fw-card.c
+++ b/drivers/firewire/fw-card.c
@@ -18,6 +18,7 @@
#include <linux/module.h>
#include <linux/errno.h>
+#include <linux/delay.h>
#include <linux/device.h>
#include <linux/mutex.h>
#include <linux/crc-itu-t.h>
@@ -214,17 +215,29 @@ static void
fw_card_bm_work(struct work_struct *work)
{
struct fw_card *card = container_of(work, struct fw_card, work.work);
- struct fw_device *root;
+ struct fw_device *root_device;
+ struct fw_node *root_node, *local_node;
struct bm_data bmd;
unsigned long flags;
int root_id, new_root_id, irm_id, gap_count, generation, grace;
int do_reset = 0;
spin_lock_irqsave(&card->lock, flags);
+ local_node = card->local_node;
+ root_node = card->root_node;
+
+ if (local_node == NULL) {
+ spin_unlock_irqrestore(&card->lock, flags);
+ return;
+ }
+ fw_node_get(local_node);
+ fw_node_get(root_node);
generation = card->generation;
- root = card->root_node->data;
- root_id = card->root_node->node_id;
+ root_device = root_node->data;
+ if (root_device)
+ fw_device_get(root_device);
+ root_id = root_node->node_id;
grace = time_after(jiffies, card->reset_jiffies + DIV_ROUND_UP(HZ, 10));
if (card->bm_generation + 1 == generation ||
@@ -243,14 +256,14 @@ fw_card_bm_work(struct work_struct *work)
irm_id = card->irm_node->node_id;
if (!card->irm_node->link_on) {
- new_root_id = card->local_node->node_id;
+ new_root_id = local_node->node_id;
fw_notify("IRM has link off, making local node (%02x) root.\n",
new_root_id);
goto pick_me;
}
bmd.lock.arg = cpu_to_be32(0x3f);
- bmd.lock.data = cpu_to_be32(card->local_node->node_id);
+ bmd.lock.data = cpu_to_be32(local_node->node_id);
spin_unlock_irqrestore(&card->lock, flags);
@@ -267,12 +280,12 @@ fw_card_bm_work(struct work_struct *work)
* Another bus reset happened. Just return,
* the BM work has been rescheduled.
*/
- return;
+ goto out;
}
if (bmd.rcode == RCODE_COMPLETE && bmd.old != 0x3f)
/* Somebody else is BM, let them do the work. */
- return;
+ goto out;
spin_lock_irqsave(&card->lock, flags);
if (bmd.rcode != RCODE_COMPLETE) {
@@ -282,7 +295,7 @@ fw_card_bm_work(struct work_struct *work)
* do a bus reset and pick the local node as
* root, and thus, IRM.
*/
- new_root_id = card->local_node->node_id;
+ new_root_id = local_node->node_id;
fw_notify("BM lock failed, making local node (%02x) root.\n",
new_root_id);
goto pick_me;
@@ -295,7 +308,7 @@ fw_card_bm_work(struct work_struct *work)
*/
spin_unlock_irqrestore(&card->lock, flags);
schedule_delayed_work(&card->work, DIV_ROUND_UP(HZ, 10));
- return;
+ goto out;
}
/*
@@ -305,20 +318,20 @@ fw_card_bm_work(struct work_struct *work)
*/
card->bm_generation = generation;
- if (root == NULL) {
+ if (root_device == NULL) {
/*
* Either link_on is false, or we failed to read the
* config rom. In either case, pick another root.
*/
- new_root_id = card->local_node->node_id;
- } else if (atomic_read(&root->state) != FW_DEVICE_RUNNING) {
+ new_root_id = local_node->node_id;
+ } else if (atomic_read(&root_device->state) != FW_DEVICE_RUNNING) {
/*
* If we haven't probed this device yet, bail out now
* and let's try again once that's done.
*/
spin_unlock_irqrestore(&card->lock, flags);
- return;
- } else if (root->config_rom[2] & BIB_CMC) {
+ goto out;
+ } else if (root_device->config_rom[2] & BIB_CMC) {
/*
* FIXME: I suppose we should set the cmstr bit in the
* STATE_CLEAR register of this node, as described in
@@ -332,7 +345,7 @@ fw_card_bm_work(struct work_struct *work)
* successfully read the config rom, but it's not
* cycle master capable.
*/
- new_root_id = card->local_node->node_id;
+ new_root_id = local_node->node_id;
}
pick_me:
@@ -341,8 +354,8 @@ fw_card_bm_work(struct work_struct *work)
* the typically much larger 1394b beta repeater delays though.
*/
if (!card->beta_repeaters_present &&
- card->root_node->max_hops < ARRAY_SIZE(gap_count_table))
- gap_count = gap_count_table[card->root_node->max_hops];
+ root_node->max_hops < ARRAY_SIZE(gap_count_table))
+ gap_count = gap_count_table[root_node->max_hops];
else
gap_count = 63;
@@ -364,6 +377,11 @@ fw_card_bm_work(struct work_struct *work)
fw_send_phy_config(card, new_root_id, generation, gap_count);
fw_core_initiate_bus_reset(card, 1);
}
+ out:
+ if (root_device)
+ fw_device_put(root_device);
+ fw_node_put(root_node);
+ fw_node_put(local_node);
}
static void
@@ -381,6 +399,7 @@ fw_card_initialize(struct fw_card *card, const struct fw_card_driver *driver,
static atomic_t index = ATOMIC_INIT(-1);
kref_init(&card->kref);
+ atomic_set(&card->device_count, 0);
card->index = atomic_inc_return(&index);
card->driver = driver;
card->device = device;
@@ -511,8 +530,14 @@ fw_core_remove_card(struct fw_card *card)
card->driver = &dummy_driver;
fw_destroy_nodes(card);
- flush_scheduled_work();
+ /*
+ * Wait for all device workqueue jobs to finish. Otherwise the
+ * firewire-core module could be unloaded before the jobs ran.
+ */
+ while (atomic_read(&card->device_count) > 0)
+ msleep(100);
+ cancel_delayed_work_sync(&card->work);
fw_flush_transactions(card);
del_timer_sync(&card->flush_timer);