SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)

debian/changelog

@@ -53,6 +53,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
 
   [ Ben Hutchings ]
   * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
+  * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
 
   [ Salvatore Bonaccorso ]
   * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)

debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch

@@ -0,0 +1,82 @@
+From: Alan Stern <stern@rowland.harvard.edu>
+Subject: SCSI: fix crashes in sd and sr runtime PM
+Date: Wed, 20 Jan 2016 11:26:01 -0500 (EST)
+Origin: http://article.gmane.org/gmane.linux.scsi/109795
+Bug-Debian: https://bugs.debian.org/801925
+
+Runtime suspend during driver probe and removal can cause problems.
+The driver's runtime_suspend or runtime_resume callbacks may invoked
+before the driver has finished binding to the device or after the
+driver has unbound from the device.
+
+This problem shows up with the sd and sr drivers, and can cause disk
+or CD/DVD drives to become unusable as a result.  The fix is simple.
+The drivers store a pointer to the scsi_disk or scsi_cd structure as
+their private device data when probing is finished, so we simply have
+to be sure to clear the private data during removal and test it during
+runtime suspend/resume.
+
+This fixes <https://bugs.debian.org/801925>.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Paul Menzel <paul.menzel@giantmonkey.de>
+Reported-by: Erich Schubert <erich@debian.org>
+Reported-by: Alexandre Rossi <alexandre.rossi@gmail.com>
+Tested-by: Paul Menzel <paul.menzel@giantmonkey.de>
+CC: "James E.J. Bottomley" <JBottomley@odin.com>
+CC: Ben Hutchings <ben@decadent.org.uk>
+CC: <stable@vger.kernel.org>
+
+---
+
+
+[as1795]
+
+
+ drivers/scsi/sd.c |    7 +++++--
+ drivers/scsi/sr.c |    4 ++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3142,8 +3142,8 @@ static int sd_suspend_common(struct devi
+ 	struct scsi_disk *sdkp = dev_get_drvdata(dev);
+ 	int ret = 0;
+ 
+-	if (!sdkp)
+-		return 0;	/* this can happen */
++	if (!sdkp)	/* E.g.: runtime suspend following sd_remove() */
++		return 0;
+ 
+ 	if (sdkp->WCE && sdkp->media_present) {
+ 		sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n");
+@@ -3182,6 +3182,9 @@ static int sd_resume(struct device *dev)
+ {
+ 	struct scsi_disk *sdkp = dev_get_drvdata(dev);
+ 
++	if (!sdkp)	/* E.g.: runtime resume at the start of sd_probe() */
++		return 0;
++
+ 	if (!sdkp->device->manage_start_stop)
+ 		return 0;
+ 
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -144,6 +144,9 @@ static int sr_runtime_suspend(struct dev
+ {
+ 	struct scsi_cd *cd = dev_get_drvdata(dev);
+ 
++	if (!cd)	/* E.g.: runtime suspend following sr_remove() */
++		return 0;
++
+ 	if (cd->media_present)
+ 		return -EBUSY;
+ 	else
+@@ -985,6 +988,7 @@ static int sr_remove(struct device *dev)
+ 	scsi_autopm_get_device(cd->device);
+ 
+ 	del_gendisk(cd->disk);
++	dev_set_drvdata(dev, NULL);
+ 
+ 	mutex_lock(&sr_ref_mutex);
+ 	kref_put(&cd->kref, sr_kref_release);

debian/patches/series

@@ -142,3 +142,4 @@ bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
 bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
 bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
 bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
+bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch