Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/sdmmc Fix a race between ld_sdmmc_start and ld_sdmmc...
details: https://anonhg.NetBSD.org/src/rev/a2d04000b00b
branches: trunk
changeset: 354190:a2d04000b00b
user: jmcneill <jmcneill%NetBSD.org@localhost>
date: Tue Jun 06 21:01:07 2017 +0000
description:
Fix a race between ld_sdmmc_start and ld_sdmmc_dobio that could result in
tasks getting lost from the task queue. The symptom of this is a NULL
deref in ld_sdmmc_start since the code assumes that a task will always be
available from the pool.
This changes the code to use pcq(9) instead of a TAILQ to manage the free
task list.
diffstat:
sys/dev/sdmmc/ld_sdmmc.c | 25 +++++++++++++++----------
1 files changed, 15 insertions(+), 10 deletions(-)
diffs (84 lines):
diff -r 5f2cc3daf565 -r a2d04000b00b sys/dev/sdmmc/ld_sdmmc.c
--- a/sys/dev/sdmmc/ld_sdmmc.c Tue Jun 06 20:19:04 2017 +0000
+++ b/sys/dev/sdmmc/ld_sdmmc.c Tue Jun 06 21:01:07 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ld_sdmmc.c,v 1.26 2017/04/22 14:19:36 jmcneill Exp $ */
+/* $NetBSD: ld_sdmmc.c,v 1.27 2017/06/06 21:01:07 jmcneill Exp $ */
/*
* Copyright (c) 2008 KIYOHARA Takashi
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ld_sdmmc.c,v 1.26 2017/04/22 14:19:36 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ld_sdmmc.c,v 1.27 2017/06/06 21:01:07 jmcneill Exp $");
#ifdef _KERNEL_OPT
#include "opt_sdmmc.h"
@@ -48,6 +48,7 @@
#include <sys/kthread.h>
#include <sys/syslog.h>
#include <sys/module.h>
+#include <sys/pcq.h>
#include <dev/ldvar.h>
@@ -82,7 +83,7 @@
struct sdmmc_function *sc_sf;
#define LD_SDMMC_MAXQUEUECNT 4
struct ld_sdmmc_task sc_task[LD_SDMMC_MAXQUEUECNT];
- TAILQ_HEAD(, sdmmc_task) sc_freeq;
+ pcq_t *sc_freeq;
};
static int ld_sdmmc_match(device_t, cfdata_t, void *);
@@ -129,12 +130,13 @@
sa->sf->cid.rev, sa->sf->cid.psn, sa->sf->cid.mdt);
aprint_naive("\n");
- TAILQ_INIT(&sc->sc_freeq);
- for (i = 0; i < __arraycount(sc->sc_task); i++) {
+ const int ntask = __arraycount(sc->sc_task);
+ sc->sc_freeq = pcq_create(ntask, KM_SLEEP);
+ for (i = 0; i < ntask; i++) {
task = &sc->sc_task[i];
task->task_sc = sc;
- callout_init(&task->task_restart_ch, 0);
- TAILQ_INSERT_TAIL(&sc->sc_freeq, &task->task, next);
+ callout_init(&task->task_restart_ch, CALLOUT_MPSAFE);
+ pcq_put(sc->sc_freeq, task);
}
sc->sc_hwunit = 0; /* always 0? */
@@ -193,6 +195,8 @@
for (i = 0; i < __arraycount(sc->sc_task); i++)
callout_destroy(&sc->sc_task[i].task_restart_ch);
+ pcq_destroy(sc->sc_freeq);
+
return 0;
}
@@ -200,9 +204,10 @@
ld_sdmmc_start(struct ld_softc *ld, struct buf *bp)
{
struct ld_sdmmc_softc *sc = device_private(ld->sc_dv);
- struct ld_sdmmc_task *task = (void *)TAILQ_FIRST(&sc->sc_freeq);
+ struct ld_sdmmc_task *task = pcq_get(sc->sc_freeq);
- TAILQ_REMOVE(&sc->sc_freeq, &task->task, next);
+ if (task == NULL)
+ return EAGAIN;
task->task_bp = bp;
task->task_retries = 0;
@@ -278,7 +283,7 @@
}
done:
- TAILQ_INSERT_TAIL(&sc->sc_freeq, &task->task, next);
+ pcq_put(sc->sc_freeq, task);
lddone(&sc->sc_ld, bp);
}
Home |
Main Index |
Thread Index |
Old Index