Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c4f4e499 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "Prevent potential double frees in sg driver"

parents e4401d0e 36f332c5

drivers/scsi/sg.c

+18 −10
Original line number Diff line number Diff line
@@ -898,8 +898,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) 
			return -ENXIO;

		if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))

			return -EFAULT;

		mutex_lock(&sfp->parentdp->open_rel_lock);

		result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,

				 1, read_only, 1, &srp);

		mutex_unlock(&sfp->parentdp->open_rel_lock);

		if (result < 0)

			return result;

		result = wait_event_interruptible(sfp->read_wait,
@@ -939,8 +941,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) 
			sfp->low_dma = 1;

			if ((0 == sfp->low_dma) && !sfp->res_in_use) {

				val = (int) sfp->reserve.bufflen;

				mutex_lock(&sfp->parentdp->open_rel_lock);

				sg_remove_scat(sfp, &sfp->reserve);

				sg_build_reserve(sfp, val);

				mutex_unlock(&sfp->parentdp->open_rel_lock);

			}

		} else {

			if (atomic_read(&sdp->detaching))
@@ -1020,9 +1024,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) 
				mutex_unlock(&sfp->f_mutex);

				return -EBUSY;

			}



			mutex_lock(&sfp->parentdp->open_rel_lock);

			sg_remove_scat(sfp, &sfp->reserve);

			sg_build_reserve(sfp, val);

			mutex_unlock(&sfp->parentdp->open_rel_lock);

		}

		mutex_unlock(&sfp->f_mutex);

		return 0;
@@ -2640,6 +2645,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp) 
			seq_puts(s, srp->done ?

				 ((1 == srp->done) ?  "rcv:" : "fin:")

				  : "act:");

			seq_printf(s, srp->done ?

				   ((1 == srp->done) ?  "rcv:" : "fin:")

				   : "act:");

			seq_printf(s, " id=%d blen=%d",

				   srp->header.pack_id, blen);

			if (srp->done)