From 76c256b5b8d8792af6a87632b3454e6ff9f2fe49 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 27 Jan 2016 01:32:15 +0000 Subject: [PATCH] SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) --- debian/changelog | 1 + ...-fix-crashes-in-sd-and-sr-runtime-pm.patch | 82 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 84 insertions(+) create mode 100644 debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch diff --git a/debian/changelog b/debian/changelog index 6616c291c..7fc722836 100644 --- a/debian/changelog +++ b/debian/changelog @@ -53,6 +53,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) + * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) [ Salvatore Bonaccorso ] * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) diff --git a/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch b/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch new file mode 100644 index 000000000..780732318 --- /dev/null +++ b/debian/patches/bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch @@ -0,0 +1,82 @@ +From: Alan Stern +Subject: SCSI: fix crashes in sd and sr runtime PM +Date: Wed, 20 Jan 2016 11:26:01 -0500 (EST) +Origin: http://article.gmane.org/gmane.linux.scsi/109795 +Bug-Debian: https://bugs.debian.org/801925 + +Runtime suspend during driver probe and removal can cause problems. +The driver's runtime_suspend or runtime_resume callbacks may invoked +before the driver has finished binding to the device or after the +driver has unbound from the device. + +This problem shows up with the sd and sr drivers, and can cause disk +or CD/DVD drives to become unusable as a result. The fix is simple. +The drivers store a pointer to the scsi_disk or scsi_cd structure as +their private device data when probing is finished, so we simply have +to be sure to clear the private data during removal and test it during +runtime suspend/resume. + +This fixes . + +Signed-off-by: Alan Stern +Reported-by: Paul Menzel +Reported-by: Erich Schubert +Reported-by: Alexandre Rossi +Tested-by: Paul Menzel +CC: "James E.J. Bottomley" +CC: Ben Hutchings +CC: + +--- + + +[as1795] + + + drivers/scsi/sd.c | 7 +++++-- + drivers/scsi/sr.c | 4 ++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3142,8 +3142,8 @@ static int sd_suspend_common(struct devi + struct scsi_disk *sdkp = dev_get_drvdata(dev); + int ret = 0; + +- if (!sdkp) +- return 0; /* this can happen */ ++ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */ ++ return 0; + + if (sdkp->WCE && sdkp->media_present) { + sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n"); +@@ -3182,6 +3182,9 @@ static int sd_resume(struct device *dev) + { + struct scsi_disk *sdkp = dev_get_drvdata(dev); + ++ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */ ++ return 0; ++ + if (!sdkp->device->manage_start_stop) + return 0; + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -144,6 +144,9 @@ static int sr_runtime_suspend(struct dev + { + struct scsi_cd *cd = dev_get_drvdata(dev); + ++ if (!cd) /* E.g.: runtime suspend following sr_remove() */ ++ return 0; ++ + if (cd->media_present) + return -EBUSY; + else +@@ -985,6 +988,7 @@ static int sr_remove(struct device *dev) + scsi_autopm_get_device(cd->device); + + del_gendisk(cd->disk); ++ dev_set_drvdata(dev, NULL); + + mutex_lock(&sr_ref_mutex); + kref_put(&cd->kref, sr_kref_release); diff --git a/debian/patches/series b/debian/patches/series index ff4957ee7..3e8a2fb29 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -142,3 +142,4 @@ bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch +bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch