[2/3] scsi: sg: reset 'res_in_use' after unlinking reserved array

Message ID 1538170157-10118-3-git-send-email-tyhicks@canonical.com
State New
Headers show
Series
  • CVE-2017-0794 - Privilege escalation in the SCSI driver
Related show

Commit Message

Tyler Hicks Sept. 28, 2018, 9:29 p.m.
From: Hannes Reinecke <hare@suse.de>

Once the reserved page array is unused we can reset the 'res_in_use'
state; here we can do a lazy update without holding the mutex as we only
need to check against concurrent access, not concurrent release.

[mkp: checkpatch]

Fixes: 1bc0eb044615 ("scsi: sg: protect accesses to 'reserved' page array")
Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

CVE-2017-0794

(cherry picked from commit e791ce27c3f6a1d3c746fd6a8f8e36c9540ec6f9)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index ee23298dd955..42e5a140ada5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1994,6 +1994,8 @@  sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp)
 	req_schp->sglist_len = 0;
 	sfp->save_scat_len = 0;
 	srp->res_used = 0;
+	/* Called without mutex lock to avoid deadlock */
+	sfp->res_in_use = 0;
 }
 
 static Sg_request *