libata: Fix use-after-iounmap
authorJeff Garzik <jgarzik@pobox.com>
Fri, 27 May 2005 01:54:27 +0000 (21:54 -0400)
committerJeff Garzik <jgarzik@pobox.com>
Fri, 27 May 2005 01:54:27 +0000 (21:54 -0400)
Jens Axboe pointed out that the iounmap() call in libata was occurring
too early, and some drivers (ahci, probably others) were using ioremap'd
memory after it had been unmapped.

The patch should address that problem by way of improving the libata
driver API:

* move ->host_stop() call after all ->port_stop() calls have occurred.

* create default helper function ata_host_stop(), and move iounmap()
call there.

* add ->host_stop_prewalk() hook, use it in sata_qstor.c (hi Mark).
sata_qstor appears to require the host-stop-before-port-stop ordering
that existed prior to applying the attached patch.

14 files changed:
drivers/scsi/ahci.c
drivers/scsi/ata_piix.c
drivers/scsi/libata-core.c
drivers/scsi/sata_nv.c
drivers/scsi/sata_promise.c
drivers/scsi/sata_qstor.c
drivers/scsi/sata_sil.c
drivers/scsi/sata_sis.c
drivers/scsi/sata_svw.c
drivers/scsi/sata_sx4.c
drivers/scsi/sata_uli.c
drivers/scsi/sata_via.c
drivers/scsi/sata_vsc.c
include/linux/libata.h

index da5bd33d982d7e521b6b0603adcb0911395b184d..8b468a62870049e89461f9a25a3222c85f0fb015 100644 (file)
@@ -289,6 +289,8 @@ static void ahci_host_stop(struct ata_host_set *host_set)
 {
        struct ahci_host_priv *hpriv = host_set->private_data;
        kfree(hpriv);
+
+       ata_host_stop(host_set);
 }
 
 static int ahci_port_start(struct ata_port *ap)
index 3867f91ef8c7bebe3d0edf0bd2e3b326a1d4061b..54c52349adc53297971c6e04067d931aabf3148d 100644 (file)
@@ -153,6 +153,7 @@ static struct ata_port_operations piix_pata_ops = {
 
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_operations piix_sata_ops = {
@@ -180,6 +181,7 @@ static struct ata_port_operations piix_sata_ops = {
 
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info piix_port_info[] = {
index ee9b96da841e1b14324a6551f48981be401de854..2b41cd3a8ec613509920bccf3ee3952ee2a2204f 100644 (file)
@@ -3321,6 +3321,13 @@ void ata_port_stop (struct ata_port *ap)
        dma_free_coherent(dev, ATA_PRD_TBL_SZ, ap->prd, ap->prd_dma);
 }
 
+void ata_host_stop (struct ata_host_set *host_set)
+{
+       if (host_set->mmio_base)
+               iounmap(host_set->mmio_base);
+}
+
+
 /**
  *     ata_host_remove - Unregister SCSI host structure with upper layers
  *     @ap: Port to unregister
@@ -3877,10 +3884,6 @@ void ata_pci_remove_one (struct pci_dev *pdev)
        }
 
        free_irq(host_set->irq, host_set);
-       if (host_set->ops->host_stop)
-               host_set->ops->host_stop(host_set);
-       if (host_set->mmio_base)
-               iounmap(host_set->mmio_base);
 
        for (i = 0; i < host_set->n_ports; i++) {
                ap = host_set->ports[i];
@@ -3899,6 +3902,9 @@ void ata_pci_remove_one (struct pci_dev *pdev)
                scsi_host_put(ap->host);
        }
 
+       if (host_set->ops->host_stop)
+               host_set->ops->host_stop(host_set);
+
        kfree(host_set);
 
        pci_release_regions(pdev);
@@ -3996,6 +4002,7 @@ EXPORT_SYMBOL_GPL(ata_chk_err);
 EXPORT_SYMBOL_GPL(ata_exec_command);
 EXPORT_SYMBOL_GPL(ata_port_start);
 EXPORT_SYMBOL_GPL(ata_port_stop);
+EXPORT_SYMBOL_GPL(ata_host_stop);
 EXPORT_SYMBOL_GPL(ata_interrupt);
 EXPORT_SYMBOL_GPL(ata_qc_prep);
 EXPORT_SYMBOL_GPL(ata_bmdma_setup);
index 69009f853a4917f54a88aa0c2cf3e6fb0428c8f7..b0403ccd8a25d97aec9e220d175844dd45448076 100644 (file)
@@ -329,6 +329,8 @@ static void nv_host_stop (struct ata_host_set *host_set)
                host->host_desc->disable_hotplug(host_set);
 
        kfree(host);
+
+       ata_host_stop(host_set);
 }
 
 static int nv_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
index c4e9e0298122334c272c4a33569d34fc6bee42be..b18c90582e67cf32216049f7aca031024779c966 100644 (file)
@@ -122,6 +122,7 @@ static struct ata_port_operations pdc_ata_ops = {
        .scr_write              = pdc_sata_scr_write,
        .port_start             = pdc_port_start,
        .port_stop              = pdc_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info pdc_port_info[] = {
index dfd3621047171dc748ba9a11c82a418f89faaed6..1383e8a28d728b34e936c0b9c7e04ffbf9a5818c 100644 (file)
@@ -536,6 +536,8 @@ static void qs_host_stop(struct ata_host_set *host_set)
 
        writeb(0, mmio_base + QS_HCT_CTRL); /* disable host interrupts */
        writeb(QS_CNFG3_GSRST, mmio_base + QS_HCF_CNFG3); /* global reset */
+
+       ata_host_stop(host_set);
 }
 
 static void qs_host_init(unsigned int chip_id, struct ata_probe_ent *pe)
index 2b2ff48be3960b14464e19018acb1b458c91819f..238580d244e697ec22427cda94ce1418a945aa2b 100644 (file)
@@ -161,6 +161,7 @@ static struct ata_port_operations sil_ops = {
        .scr_write              = sil_scr_write,
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info sil_port_info[] = {
index 5105ddd08447807df3710492f70c31bf6f0d8767..e418b89c6b9d8cf67c57a1b03431b91a19b585f2 100644 (file)
@@ -114,6 +114,7 @@ static struct ata_port_operations sis_ops = {
        .scr_write              = sis_scr_write,
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info sis_port_info = {
index 05075bd3a89309e2b8f39e18cef5dfb27191dcea..edef1fa969fcecba6907ae49b84bf81a5ecae7c3 100644 (file)
@@ -313,6 +313,7 @@ static struct ata_port_operations k2_sata_ops = {
        .scr_write              = k2_sata_scr_write,
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static void k2_sata_setup_port(struct ata_ioports *port, unsigned long base)
index 70118650c461e9d5d10ff0c3053ae5b49c6755a0..140cea05de3f23cdfa8d204af0d49b9f52f32913 100644 (file)
@@ -245,6 +245,8 @@ static void pdc20621_host_stop(struct ata_host_set *host_set)
 
        iounmap(dimm_mmio);
        kfree(hpriv);
+
+       ata_host_stop(host_set);
 }
 
 static int pdc_port_start(struct ata_port *ap)
index 0bff4f475f262c5c40254aecf85bd6a7137bd04e..a71fb54eebd301e07240310964a323b240db670d 100644 (file)
@@ -113,6 +113,7 @@ static struct ata_port_operations uli_ops = {
 
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info uli_port_info = {
index 3a7830667277f35f71a83db5705b8cb2d376bafc..f43183c19a12184ebd6902eadf154bc836a7e249 100644 (file)
@@ -134,6 +134,7 @@ static struct ata_port_operations svia_sata_ops = {
 
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static struct ata_port_info svia_port_info = {
index 2c28f0ad73c204420aa4b419a60341a8b801d7fa..f67c34330ae946768e025c4f51d806e97abf60c2 100644 (file)
@@ -230,6 +230,7 @@ static struct ata_port_operations vsc_sata_ops = {
        .scr_write              = vsc_sata_scr_write,
        .port_start             = ata_port_start,
        .port_stop              = ata_port_stop,
+       .host_stop              = ata_host_stop,
 };
 
 static void __devinit vsc_sata_setup_port(struct ata_ioports *port, unsigned long base)
index 1f7e2039a04e38bb0235c489301c1cfc094f611b..e74f301e9baea59df14efbbd75943a61b496651c 100644 (file)
@@ -410,6 +410,7 @@ extern u8 ata_chk_err(struct ata_port *ap);
 extern void ata_exec_command(struct ata_port *ap, struct ata_taskfile *tf);
 extern int ata_port_start (struct ata_port *ap);
 extern void ata_port_stop (struct ata_port *ap);
+extern void ata_host_stop (struct ata_host_set *host_set);
 extern irqreturn_t ata_interrupt (int irq, void *dev_instance, struct pt_regs *regs);
 extern void ata_qc_prep(struct ata_queued_cmd *qc);
 extern int ata_qc_issue_prot(struct ata_queued_cmd *qc);