[PATCH 2/3] scsi: sg: reset 'res_in_use' after unlinking reserved array

Tyler Hicks tyhicks at canonical.com
Fri Sep 14 18:52:48 UTC 2018


From: Hannes Reinecke <hare at suse.de>

Once the reserved page array is unused we can reset the 'res_in_use'
state; here we can do a lazy update without holding the mutex as we only
need to check against concurrent access, not concurrent release.

[mkp: checkpatch]

Fixes: 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
Signed-off-by: Hannes Reinecke <hare at suse.com>
Reviewed-by: Johannes Thumshirn <jthumshirn at suse.de>
Reviewed-by: Christoph Hellwig <hch at lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>

CVE-2016-9576

(cherry picked from commit e791ce27c3f6a1d3c746fd6a8f8e36c9540ec6f9)
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index ee23298dd955..42e5a140ada5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1994,6 +1994,8 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp)
 	req_schp->sglist_len = 0;
 	sfp->save_scat_len = 0;
 	srp->res_used = 0;
+	/* Called without mutex lock to avoid deadlock */
+	sfp->res_in_use = 0;
 }
 
 static Sg_request *
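Review bot: The in-code comment and the commit message give different reasons for skipping the lock on the new `sfp->res_in_use = 0;` store: the comment says "Called without mutex lock to avoid deadlock" while the message argues a lazy update is safe because only concurrent acquisition, not concurrent release, needs to be excluded. Please make the comment state the actual reasoning (lazy clear, racing only against a reader that checks the flag before taking the reserve buffer) so a later reader does not go hunting for a deadlock path, and consider pairing this lockless store with WRITE_ONCE() and a READ_ONCE() at the unlocked check site, or note explicitly that the preceding clears of `req_schp->sglist_len`, `sfp->save_scat_len` and `srp->res_used` must be visible before the flag drops to zero, since a reader that sees `res_in_use == 0` early could otherwise observe a half-torn-down reserve request.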
-- 
2.7.4
