Commit c0a2e4d1 authored by Julian Wiedmann's avatar Julian Wiedmann Committed by David S. Miller

s390/qeth: conclude all event processing before offlining a card

Work for Bridgeport events is currently placed on a driver-wide
workqueue. If the card is removed and freed while any such work is still
active, this causes a use-after-free.
So put the events on a per-card queue, where we can control their
lifetime. As we also don't want stale events to last beyond an
offline & online cycle, flush this queue when setting the card offline.

Fixes: b4d72c08 ("qeth: bridgeport support - basic control")
Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c2780c1a
...@@ -790,6 +790,7 @@ struct qeth_card { ...@@ -790,6 +790,7 @@ struct qeth_card {
struct qeth_seqno seqno; struct qeth_seqno seqno;
struct qeth_card_options options; struct qeth_card_options options;
struct workqueue_struct *event_wq;
wait_queue_head_t wait_q; wait_queue_head_t wait_q;
spinlock_t mclock; spinlock_t mclock;
unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)]; unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)];
...@@ -963,7 +964,6 @@ extern const struct attribute_group *qeth_osn_attr_groups[]; ...@@ -963,7 +964,6 @@ extern const struct attribute_group *qeth_osn_attr_groups[];
extern const struct attribute_group qeth_device_attr_group; extern const struct attribute_group qeth_device_attr_group;
extern const struct attribute_group qeth_device_blkt_group; extern const struct attribute_group qeth_device_blkt_group;
extern const struct device_type qeth_generic_devtype; extern const struct device_type qeth_generic_devtype;
extern struct workqueue_struct *qeth_wq;
int qeth_card_hw_is_reachable(struct qeth_card *); int qeth_card_hw_is_reachable(struct qeth_card *);
const char *qeth_get_cardname_short(struct qeth_card *); const char *qeth_get_cardname_short(struct qeth_card *);
......
...@@ -74,8 +74,7 @@ static void qeth_notify_skbs(struct qeth_qdio_out_q *queue, ...@@ -74,8 +74,7 @@ static void qeth_notify_skbs(struct qeth_qdio_out_q *queue,
static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf); static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf);
static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int); static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int);
struct workqueue_struct *qeth_wq; static struct workqueue_struct *qeth_wq;
EXPORT_SYMBOL_GPL(qeth_wq);
int qeth_card_hw_is_reachable(struct qeth_card *card) int qeth_card_hw_is_reachable(struct qeth_card *card)
{ {
...@@ -1469,6 +1468,10 @@ static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev) ...@@ -1469,6 +1468,10 @@ static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev)
CARD_RDEV(card) = gdev->cdev[0]; CARD_RDEV(card) = gdev->cdev[0];
CARD_WDEV(card) = gdev->cdev[1]; CARD_WDEV(card) = gdev->cdev[1];
CARD_DDEV(card) = gdev->cdev[2]; CARD_DDEV(card) = gdev->cdev[2];
card->event_wq = alloc_ordered_workqueue("%s", 0, dev_name(&gdev->dev));
if (!card->event_wq)
goto out_wq;
if (qeth_setup_channel(&card->read, true)) if (qeth_setup_channel(&card->read, true))
goto out_ip; goto out_ip;
if (qeth_setup_channel(&card->write, true)) if (qeth_setup_channel(&card->write, true))
...@@ -1484,6 +1487,8 @@ static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev) ...@@ -1484,6 +1487,8 @@ static struct qeth_card *qeth_alloc_card(struct ccwgroup_device *gdev)
out_channel: out_channel:
qeth_clean_channel(&card->read); qeth_clean_channel(&card->read);
out_ip: out_ip:
destroy_workqueue(card->event_wq);
out_wq:
dev_set_drvdata(&gdev->dev, NULL); dev_set_drvdata(&gdev->dev, NULL);
kfree(card); kfree(card);
out: out:
...@@ -5031,6 +5036,7 @@ static void qeth_core_free_card(struct qeth_card *card) ...@@ -5031,6 +5036,7 @@ static void qeth_core_free_card(struct qeth_card *card)
qeth_clean_channel(&card->read); qeth_clean_channel(&card->read);
qeth_clean_channel(&card->write); qeth_clean_channel(&card->write);
qeth_clean_channel(&card->data); qeth_clean_channel(&card->data);
destroy_workqueue(card->event_wq);
qeth_free_qdio_buffers(card); qeth_free_qdio_buffers(card);
unregister_service_level(&card->qeth_service_level); unregister_service_level(&card->qeth_service_level);
dev_set_drvdata(&card->gdev->dev, NULL); dev_set_drvdata(&card->gdev->dev, NULL);
......
...@@ -369,6 +369,8 @@ static void qeth_l2_stop_card(struct qeth_card *card, int recovery_mode) ...@@ -369,6 +369,8 @@ static void qeth_l2_stop_card(struct qeth_card *card, int recovery_mode)
qeth_clear_cmd_buffers(&card->read); qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write); qeth_clear_cmd_buffers(&card->write);
} }
flush_workqueue(card->event_wq);
} }
static int qeth_l2_process_inbound_buffer(struct qeth_card *card, static int qeth_l2_process_inbound_buffer(struct qeth_card *card,
...@@ -1436,7 +1438,7 @@ static void qeth_bridge_state_change(struct qeth_card *card, ...@@ -1436,7 +1438,7 @@ static void qeth_bridge_state_change(struct qeth_card *card,
data->card = card; data->card = card;
memcpy(&data->qports, qports, memcpy(&data->qports, qports,
sizeof(struct qeth_sbp_state_change) + extrasize); sizeof(struct qeth_sbp_state_change) + extrasize);
queue_work(qeth_wq, &data->worker); queue_work(card->event_wq, &data->worker);
} }
struct qeth_bridge_host_data { struct qeth_bridge_host_data {
...@@ -1508,7 +1510,7 @@ static void qeth_bridge_host_event(struct qeth_card *card, ...@@ -1508,7 +1510,7 @@ static void qeth_bridge_host_event(struct qeth_card *card,
data->card = card; data->card = card;
memcpy(&data->hostevs, hostevs, memcpy(&data->hostevs, hostevs,
sizeof(struct qeth_ipacmd_addr_change) + extrasize); sizeof(struct qeth_ipacmd_addr_change) + extrasize);
queue_work(qeth_wq, &data->worker); queue_work(card->event_wq, &data->worker);
} }
/* SETBRIDGEPORT support; sending commands */ /* SETBRIDGEPORT support; sending commands */
......
...@@ -1433,6 +1433,8 @@ static void qeth_l3_stop_card(struct qeth_card *card, int recovery_mode) ...@@ -1433,6 +1433,8 @@ static void qeth_l3_stop_card(struct qeth_card *card, int recovery_mode)
qeth_clear_cmd_buffers(&card->read); qeth_clear_cmd_buffers(&card->read);
qeth_clear_cmd_buffers(&card->write); qeth_clear_cmd_buffers(&card->write);
} }
flush_workqueue(card->event_wq);
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment