Skip to content

Commit 1bc0eb0

Browse files
hreineckemartinkpetersen
hreinecke
authored and
martinkpetersen
committed
scsi: sg: protect accesses to 'reserved' page array
The 'reserved' page array is used as a short-cut for mapping data, saving us to allocate pages per request. However, the 'reserved' array is only capable of holding one request, so this patch introduces a mutex for protect 'sg_fd' against concurrent accesses. Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Tested-by: Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent 136e57b commit 1bc0eb0

File tree

1 file changed

+25
-20
lines changed

1 file changed

+25
-20
lines changed

drivers/scsi/sg.c

Lines changed: 25 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,7 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
142142
struct sg_device *parentdp; /* owning device */
143143
wait_queue_head_t read_wait; /* queue read until command done */
144144
rwlock_t rq_list_lock; /* protect access to list in req_arr */
145+
struct mutex f_mutex; /* protect against changes in this fd */
145146
int timeout; /* defaults to SG_DEFAULT_TIMEOUT */
146147
int timeout_user; /* defaults to SG_DEFAULT_TIMEOUT_USER */
147148
Sg_scatter_hold reserve; /* buffer held for this file descriptor */
@@ -153,6 +154,7 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
153154
unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
154155
char keep_orphan; /* 0 -> drop orphan (def), 1 -> keep for read() */
155156
char mmap_called; /* 0 -> mmap() never called on this fd */
157+
char res_in_use; /* 1 -> 'reserve' array in use */
156158
struct kref f_ref;
157159
struct execute_work ew;
158160
} Sg_fd;
@@ -196,7 +198,6 @@ static void sg_remove_sfp(struct kref *);
196198
static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
197199
static Sg_request *sg_add_request(Sg_fd * sfp);
198200
static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
199-
static int sg_res_in_use(Sg_fd * sfp);
200201
static Sg_device *sg_get_dev(int dev);
201202
static void sg_device_destroy(struct kref *kref);
202203

@@ -612,6 +613,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
612613
}
613614
buf += SZ_SG_HEADER;
614615
__get_user(opcode, buf);
616+
mutex_lock(&sfp->f_mutex);
615617
if (sfp->next_cmd_len > 0) {
616618
cmd_size = sfp->next_cmd_len;
617619
sfp->next_cmd_len = 0; /* reset so only this write() effected */
@@ -620,6 +622,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
620622
if ((opcode >= 0xc0) && old_hdr.twelve_byte)
621623
cmd_size = 12;
622624
}
625+
mutex_unlock(&sfp->f_mutex);
623626
SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sdp,
624627
"sg_write: scsi opcode=0x%02x, cmd_size=%d\n", (int) opcode, cmd_size));
625628
/* Determine buffer size. */
@@ -719,7 +722,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
719722
sg_remove_request(sfp, srp);
720723
return -EINVAL; /* either MMAP_IO or DIRECT_IO (not both) */
721724
}
722-
if (sg_res_in_use(sfp)) {
725+
if (sfp->res_in_use) {
723726
sg_remove_request(sfp, srp);
724727
return -EBUSY; /* reserve buffer already being used */
725728
}
@@ -953,12 +956,18 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
953956
return -EINVAL;
954957
val = min_t(int, val,
955958
max_sectors_bytes(sdp->device->request_queue));
959+
mutex_lock(&sfp->f_mutex);
956960
if (val != sfp->reserve.bufflen) {
957-
if (sg_res_in_use(sfp) || sfp->mmap_called)
961+
if (sfp->mmap_called ||
962+
sfp->res_in_use) {
963+
mutex_unlock(&sfp->f_mutex);
958964
return -EBUSY;
965+
}
966+
959967
sg_remove_scat(sfp, &sfp->reserve);
960968
sg_build_reserve(sfp, val);
961969
}
970+
mutex_unlock(&sfp->f_mutex);
962971
return 0;
963972
case SG_GET_RESERVED_SIZE:
964973
val = min_t(int, sfp->reserve.bufflen,
@@ -1718,13 +1727,22 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
17181727
md = &map_data;
17191728

17201729
if (md) {
1721-
if (!sg_res_in_use(sfp) && dxfer_len <= rsv_schp->bufflen)
1730+
mutex_lock(&sfp->f_mutex);
1731+
if (dxfer_len <= rsv_schp->bufflen &&
1732+
!sfp->res_in_use) {
1733+
sfp->res_in_use = 1;
17221734
sg_link_reserve(sfp, srp, dxfer_len);
1723-
else {
1735+
} else if ((hp->flags & SG_FLAG_MMAP_IO) && sfp->res_in_use) {
1736+
mutex_unlock(&sfp->f_mutex);
1737+
return -EBUSY;
1738+
} else {
17241739
res = sg_build_indirect(req_schp, sfp, dxfer_len);
1725-
if (res)
1740+
if (res) {
1741+
mutex_unlock(&sfp->f_mutex);
17261742
return res;
1743+
}
17271744
}
1745+
mutex_unlock(&sfp->f_mutex);
17281746

17291747
md->pages = req_schp->pages;
17301748
md->page_order = req_schp->page_order;
@@ -2125,6 +2143,7 @@ sg_add_sfp(Sg_device * sdp)
21252143
rwlock_init(&sfp->rq_list_lock);
21262144

21272145
kref_init(&sfp->f_ref);
2146+
mutex_init(&sfp->f_mutex);
21282147
sfp->timeout = SG_DEFAULT_TIMEOUT;
21292148
sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
21302149
sfp->force_packid = SG_DEF_FORCE_PACK_ID;
@@ -2198,20 +2217,6 @@ sg_remove_sfp(struct kref *kref)
21982217
schedule_work(&sfp->ew.work);
21992218
}
22002219

2201-
static int
2202-
sg_res_in_use(Sg_fd * sfp)
2203-
{
2204-
const Sg_request *srp;
2205-
unsigned long iflags;
2206-
2207-
read_lock_irqsave(&sfp->rq_list_lock, iflags);
2208-
for (srp = sfp->headrp; srp; srp = srp->nextrp)
2209-
if (srp->res_used)
2210-
break;
2211-
read_unlock_irqrestore(&sfp->rq_list_lock, iflags);
2212-
return srp ? 1 : 0;
2213-
}
2214-
22152220
#ifdef CONFIG_SCSI_PROC_FS
22162221
static int
22172222
sg_idr_max_id(int id, void *p, void *data)

0 commit comments

Comments
 (0)