Convert sd to kref and fix sd_open/sd_remove race

We actually fix this race by mediating the object release/get race (i.e. we destroy the scsi_disk object when its reference count goes 1->0, we use a semaphore to prevent something else trying to get a reference after or during this). The open/remove race is actually irrelevant because even if we open an already removed object, all that will happen is that we get a reference to a device that always returns EIO.

Convert sd to kref and fix sd_open/sd_remove race
We actually fix this race by mediating the object release/get race (i.e. we destroy the scsi_disk object when its reference count goes 1->0, we use a semaphore to prevent something else trying to get a reference after or during this). The open/remove race is actually irrelevant because even if we open an already removed object, all that will happen is that we get a reference to a device that always returns EIO.
c23510ca · James Bottomley · cdceba0e · c23510ca
Commit c23510ca authored Apr 10, 2004 by James Bottomley
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 33 deletions

drivers/scsi/sd.c drivers/scsi/sd.c +52 -33

No files found.
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -48,6 +48,7 @@
 #include <linux/vmalloc.h>
 #include <linux/blkdev.h>
 #include <linux/blkpg.h>
+#include <linux/kref.h>
 #include <asm/uaccess.h>
 #include "scsi.h"
@@ -77,16 +78,12 @@
 */
 #define SD_MAX_RETRIES		5
-static void scsi_disk_release (struct kobject *kobj);
+static void scsi_disk_release(struct kref *kref);
-static struct kobj_type scsi_disk_kobj_type = {
-	.release = scsi_disk_release,
-};
 struct scsi_disk {
 	struct scsi_driver *driver;	/* always &sd_template */
 	struct scsi_device *device;
-	struct kobject	kobj;
+	struct kref	kref;
 	struct gendisk	*disk;
 	unsigned int	openers;	/* protected by BKL for now, yuck */
 	sector_t	capacity;	/* size in 512-byte sectors */
@@ -101,6 +98,11 @@ struct scsi_disk {
 static unsigned long sd_index_bits[SD_DISKS / BITS_PER_LONG];
 static spinlock_t sd_index_lock = SPIN_LOCK_UNLOCKED;
+/* This semaphore is used to mediate the 0->1 reference get in the
+ * face of object destruction (i.e. we can't allow a get on an
+ * object after last put) */
+static DECLARE_MUTEX(sd_ref_sem);
 static int sd_revalidate_disk(struct gendisk *disk);
 static void sd_rw_intr(struct scsi_cmnd * SCpnt);
@@ -161,31 +163,33 @@ static unsigned int make_sd_dev(unsigned int sd_nr, unsigned int part)
 /* reverse mapping dev -> (sd_nr, part) not currently needed */
-#define to_scsi_disk(obj) container_of(obj,struct scsi_disk,kobj);
+#define to_scsi_disk(obj) container_of(obj,struct scsi_disk,kref)
 static inline struct scsi_disk *scsi_disk(struct gendisk *disk)
 {
 	return container_of(disk->private_data, struct scsi_disk, driver);
 }
-static int scsi_disk_get(struct scsi_disk *sdkp)
+static struct scsi_disk *scsi_disk_get(struct gendisk *disk)
 {
-	if (!kobject_get(&sdkp->kobj))
+	struct scsi_disk *sdkp = NULL;
-		goto out;
-	if (scsi_device_get(sdkp->device))
-		goto out_put_kobj;
-	return 0;
-out_put_kobj:
+	down(&sd_ref_sem);
-	kobject_put(&sdkp->kobj);
+	if (disk->private_data == NULL)
-out:
+		goto out;
-	return -ENXIO;
+	sdkp = scsi_disk(disk);
+	if (!kref_get(&sdkp->kref))
+		sdkp = NULL;
+ out:
+	up(&sd_ref_sem);
+	return sdkp;
 }
 static void scsi_disk_put(struct scsi_disk *sdkp)
 {
-	scsi_device_put(sdkp->device);
+	down(&sd_ref_sem);
-	kobject_put(&sdkp->kobj);
+	kref_put(&sdkp->kref);
+	up(&sd_ref_sem);
 }
 /**
@@ -406,15 +410,15 @@ static int sd_init_command(struct scsi_cmnd * SCpnt)
 static int sd_open(struct inode *inode, struct file *filp)
 {
 	struct gendisk *disk = inode->i_bdev->bd_disk;
-	struct scsi_disk *sdkp = scsi_disk(disk);
+	struct scsi_disk *sdkp;
 	struct scsi_device *sdev;
 	int retval;
-	SCSI_LOG_HLQUEUE(3, printk("sd_open: disk=%s\n", disk->disk_name));
+	if (!(sdkp = scsi_disk_get(disk)))
+		return -ENXIO;
-	retval = scsi_disk_get(sdkp);
-	if (retval)
+	SCSI_LOG_HLQUEUE(3, printk("sd_open: disk=%s\n", disk->disk_name));
-		return retval;
 	sdev = sdkp->device;
@@ -1338,17 +1342,19 @@ static int sd_probe(struct device *dev)
 	if ((sdp->type != TYPE_DISK) && (sdp->type != TYPE_MOD))
 		goto out;
+	if ((error = scsi_device_get(sdp)) != 0)
+		goto out;
 	SCSI_LOG_HLQUEUE(3, printk("sd_attach: scsi device: <%d,%d,%d,%d>\n", 
 			 sdp->host->host_no, sdp->channel, sdp->id, sdp->lun));
 	error = -ENOMEM;
 	sdkp = kmalloc(sizeof(*sdkp), GFP_KERNEL);
 	if (!sdkp)
-		goto out;
+		goto out_put_sdev;
 	memset (sdkp, 0, sizeof(*sdkp));
-	kobject_init(&sdkp->kobj);
+	kref_init(&sdkp->kref, scsi_disk_release);
-	sdkp->kobj.ktype = &scsi_disk_kobj_type;
 	/* Note: We can accomodate 64 partitions, but the genhd code
 	 * assumes partitions allocate consecutive minors, which they don't.
@@ -1421,6 +1427,8 @@ static int sd_probe(struct device *dev)
 	put_disk(gd);
 out_free:
 	kfree(sdkp);
+out_put_sdev:
+	scsi_device_put(sdp);
 out:
 	return error;
 }
@@ -1442,26 +1450,37 @@ static int sd_remove(struct device *dev)
 	del_gendisk(sdkp->disk);
 	sd_shutdown(dev);
-	kobject_put(&sdkp->kobj);
+	scsi_disk_put(sdkp);
 	return 0;
 }
 /**
 *	scsi_disk_release - Called to free the scsi_disk structure
- *	@kobj: pointer to embedded kobject
+ *	@kref: pointer to embedded kref
+ *
+ *	sd_ref_sem must be held entering this routine.  Because it is
+ *	called on last put, you should always use the scsi_disk_get()
+ *	scsi_disk_put() helpers which manipulate the semaphore directly
+ *	and never do a direct kref_put().
 **/
-static void scsi_disk_release(struct kobject *kobj)
+static void scsi_disk_release(struct kref *kref)
 {
-	struct scsi_disk *sdkp = to_scsi_disk(kobj);
+	struct scsi_disk *sdkp = to_scsi_disk(kref);
+	struct scsi_device *sdev = sdkp->device;
+	struct gendisk *disk = sdkp->disk;
-	put_disk(sdkp->disk);
 	spin_lock(&sd_index_lock);
 	clear_bit(sdkp->index, sd_index_bits);
 	spin_unlock(&sd_index_lock);
+	disk->private_data = NULL;
+	put_disk(disk);
 	kfree(sdkp);
+	scsi_device_put(sdev);
 }
 /*