From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 29 Mar 2018 05:31:33 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.15.15~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee4f2ce5b50c67d816546bbe9118349319e0d4d6;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	scsi-sg-don-t-return-bogus-sg_requests.patch
---

diff --git a/queue-3.18/scsi-sg-don-t-return-bogus-sg_requests.patch b/queue-3.18/scsi-sg-don-t-return-bogus-sg_requests.patch
new file mode 100644
index 00000000000..39a5d1ce2e8
--- /dev/null
+++ b/queue-3.18/scsi-sg-don-t-return-bogus-sg_requests.patch
@@ -0,0 +1,48 @@
+From 48ae8484e9fc324b4968d33c585e54bc98e44d61 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Wed, 10 May 2017 09:53:40 +0200
+Subject: scsi: sg: don't return bogus Sg_requests
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit 48ae8484e9fc324b4968d33c585e54bc98e44d61 upstream.
+
+If the list search in sg_get_rq_mark() fails to find a valid request, we
+return a bogus element. This then can later lead to a GPF in
+sg_remove_scat().
+
+So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case
+the list search doesn't find a valid request.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Doug Gilbert <dgilbert@interlog.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Doug Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Tony Battersby <tonyb@cybernetics.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2121,11 +2121,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
+ 		if ((1 == resp->done) && (!resp->sg_io_owned) &&
+ 		    ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
+ 			resp->done = 2;	/* guard against other readers */
+-			break;
++			write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++			return resp;
+ 		}
+ 	}
+ 	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+-	return resp;
++	return NULL;
+ }
+ 
+ /* always adds to end of list */
diff --git a/queue-3.18/series b/queue-3.18/series
index ae967b4a5d5..5a502752ae6 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -18,3 +18,4 @@ can-cc770-fix-queue-stall-dropped-rtr-reply.patch
 can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
 tty-vt-fix-up-tabstops-properly.patch
 kvm-x86-fix-icebp-instruction-handling.patch
+scsi-sg-don-t-return-bogus-sg_requests.patch