media: video: tegra: sh532u: fix out-of-bounds read
[linux-2.6.git] / block / blk-timeout.c
index 99c3efc..7803548 100644 (file)
@@ -28,7 +28,10 @@ int blk_should_fake_timeout(struct request_queue *q)
 
 static int __init fail_io_timeout_debugfs(void)
 {
-       return init_fault_attr_dentries(&fail_io_timeout, "fail_io_timeout");
+       struct dentry *dir = fault_create_debugfs_attr("fail_io_timeout",
+                                               NULL, &fail_io_timeout);
+
+       return IS_ERR(dir) ? PTR_ERR(dir) : 0;
 }
 
 late_initcall(fail_io_timeout_debugfs);
@@ -73,11 +76,7 @@ ssize_t part_timeout_store(struct device *dev, struct device_attribute *attr,
  */
 void blk_delete_timer(struct request *req)
 {
-       struct request_queue *q = req->q;
-
        list_del_init(&req->timeout_list);
-       if (list_empty(&q->timeout_list))
-               del_timer(&q->timeout);
 }
 
 static void blk_rq_timed_out(struct request *req)
@@ -113,6 +112,7 @@ void blk_rq_timed_out_timer(unsigned long data)
        struct request_queue *q = (struct request_queue *) data;
        unsigned long flags, next = 0;
        struct request *rq, *tmp;
+       int next_set = 0;
 
        spin_lock_irqsave(q->queue_lock, flags);
 
@@ -126,18 +126,13 @@ void blk_rq_timed_out_timer(unsigned long data)
                        if (blk_mark_rq_complete(rq))
                                continue;
                        blk_rq_timed_out(rq);
-               } else {
-                       if (!next || time_after(next, rq->deadline))
-                               next = rq->deadline;
+               } else if (!next_set || time_after(next, rq->deadline)) {
+                       next = rq->deadline;
+                       next_set = 1;
                }
        }
 
-       /*
-        * next can never be 0 here with the list non-empty, since we always
-        * bump ->deadline to 1 so we can detect if the timer was ever added
-        * or not. See comment in blk_add_timer()
-        */
-       if (next)
+       if (next_set)
                mod_timer(&q->timeout, round_jiffies_up(next));
 
        spin_unlock_irqrestore(q->queue_lock, flags);
@@ -180,16 +175,14 @@ void blk_add_timer(struct request *req)
        BUG_ON(!list_empty(&req->timeout_list));
        BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags));
 
-       if (req->timeout)
-               req->deadline = jiffies + req->timeout;
-       else {
-               req->deadline = jiffies + q->rq_timeout;
-               /*
-                * Some LLDs, like scsi, peek at the timeout to prevent
-                * a command from being retried forever.
-                */
+       /*
+        * Some LLDs, like scsi, peek at the timeout to prevent a
+        * command from being retried forever.
+        */
+       if (!req->timeout)
                req->timeout = q->rq_timeout;
-       }
+
+       req->deadline = jiffies + req->timeout;
        list_add_tail(&req->timeout_list, &q->timeout_list);
 
        /*
@@ -213,14 +206,34 @@ void blk_abort_queue(struct request_queue *q)
 {
        unsigned long flags;
        struct request *rq, *tmp;
+       LIST_HEAD(list);
+
+       /*
+        * Not a request based block device, nothing to abort
+        */
+       if (!q->request_fn)
+               return;
 
        spin_lock_irqsave(q->queue_lock, flags);
 
        elv_abort_queue(q);
 
-       list_for_each_entry_safe(rq, tmp, &q->timeout_list, timeout_list)
+       /*
+        * Splice entries to local list, to avoid deadlocking if entries
+        * get readded to the timeout list by error handling
+        */
+       list_splice_init(&q->timeout_list, &list);
+
+       list_for_each_entry_safe(rq, tmp, &list, timeout_list)
                blk_abort_request(rq);
 
+       /*
+        * Occasionally, blk_abort_request() will return without
+        * deleting the element from the list. Make sure we add those back
+        * instead of leaving them on the local stack list.
+        */
+       list_splice(&list, &q->timeout_list);
+
        spin_unlock_irqrestore(q->queue_lock, flags);
 
 }