SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
This commit is contained in:
parent
2675c7c2e5
commit
76c256b5b8
|
@ -53,6 +53,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
|
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
|
||||||
|
* SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
|
* tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
|
||||||
|
|
|
@ -0,0 +1,82 @@
|
||||||
|
From: Alan Stern <stern@rowland.harvard.edu>
|
||||||
|
Subject: SCSI: fix crashes in sd and sr runtime PM
|
||||||
|
Date: Wed, 20 Jan 2016 11:26:01 -0500 (EST)
|
||||||
|
Origin: http://article.gmane.org/gmane.linux.scsi/109795
|
||||||
|
Bug-Debian: https://bugs.debian.org/801925
|
||||||
|
|
||||||
|
Runtime suspend during driver probe and removal can cause problems.
|
||||||
|
The driver's runtime_suspend or runtime_resume callbacks may invoked
|
||||||
|
before the driver has finished binding to the device or after the
|
||||||
|
driver has unbound from the device.
|
||||||
|
|
||||||
|
This problem shows up with the sd and sr drivers, and can cause disk
|
||||||
|
or CD/DVD drives to become unusable as a result. The fix is simple.
|
||||||
|
The drivers store a pointer to the scsi_disk or scsi_cd structure as
|
||||||
|
their private device data when probing is finished, so we simply have
|
||||||
|
to be sure to clear the private data during removal and test it during
|
||||||
|
runtime suspend/resume.
|
||||||
|
|
||||||
|
This fixes <https://bugs.debian.org/801925>.
|
||||||
|
|
||||||
|
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||||
|
Reported-by: Paul Menzel <paul.menzel@giantmonkey.de>
|
||||||
|
Reported-by: Erich Schubert <erich@debian.org>
|
||||||
|
Reported-by: Alexandre Rossi <alexandre.rossi@gmail.com>
|
||||||
|
Tested-by: Paul Menzel <paul.menzel@giantmonkey.de>
|
||||||
|
CC: "James E.J. Bottomley" <JBottomley@odin.com>
|
||||||
|
CC: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
CC: <stable@vger.kernel.org>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
[as1795]
|
||||||
|
|
||||||
|
|
||||||
|
drivers/scsi/sd.c | 7 +++++--
|
||||||
|
drivers/scsi/sr.c | 4 ++++
|
||||||
|
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/drivers/scsi/sd.c
|
||||||
|
+++ b/drivers/scsi/sd.c
|
||||||
|
@@ -3142,8 +3142,8 @@ static int sd_suspend_common(struct devi
|
||||||
|
struct scsi_disk *sdkp = dev_get_drvdata(dev);
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
- if (!sdkp)
|
||||||
|
- return 0; /* this can happen */
|
||||||
|
+ if (!sdkp) /* E.g.: runtime suspend following sd_remove() */
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
if (sdkp->WCE && sdkp->media_present) {
|
||||||
|
sd_printk(KERN_NOTICE, sdkp, "Synchronizing SCSI cache\n");
|
||||||
|
@@ -3182,6 +3182,9 @@ static int sd_resume(struct device *dev)
|
||||||
|
{
|
||||||
|
struct scsi_disk *sdkp = dev_get_drvdata(dev);
|
||||||
|
|
||||||
|
+ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if (!sdkp->device->manage_start_stop)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
--- a/drivers/scsi/sr.c
|
||||||
|
+++ b/drivers/scsi/sr.c
|
||||||
|
@@ -144,6 +144,9 @@ static int sr_runtime_suspend(struct dev
|
||||||
|
{
|
||||||
|
struct scsi_cd *cd = dev_get_drvdata(dev);
|
||||||
|
|
||||||
|
+ if (!cd) /* E.g.: runtime suspend following sr_remove() */
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if (cd->media_present)
|
||||||
|
return -EBUSY;
|
||||||
|
else
|
||||||
|
@@ -985,6 +988,7 @@ static int sr_remove(struct device *dev)
|
||||||
|
scsi_autopm_get_device(cd->device);
|
||||||
|
|
||||||
|
del_gendisk(cd->disk);
|
||||||
|
+ dev_set_drvdata(dev, NULL);
|
||||||
|
|
||||||
|
mutex_lock(&sr_ref_mutex);
|
||||||
|
kref_put(&cd->kref, sr_kref_release);
|
|
@ -142,3 +142,4 @@ bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
|
||||||
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
|
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
|
||||||
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
|
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
|
||||||
bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
|
bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
|
||||||
|
bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
|
||||||
|
|
Loading…
Reference in New Issue