diff options
author | Douglas Gilbert <dgilbert@interlog.com> | 2020-07-02 10:53:55 -0400 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2020-07-02 23:49:54 -0400 |
commit | 74595c044cb56cb073370c09fefc23eb8ed6d835 (patch) | |
tree | 093a812cdbb969fed4f9aa8f2753fcb0af2394a4 /drivers/scsi/scsi_debug.c | |
parent | 93bf02e5a2c2418bc290a778cd537837d789d9ee (diff) | |
download | linux-74595c044cb56cb073370c09fefc23eb8ed6d835.tar.gz linux-74595c044cb56cb073370c09fefc23eb8ed6d835.tar.bz2 linux-74595c044cb56cb073370c09fefc23eb8ed6d835.zip |
scsi: scsi_debug: Fix in_use bitmap corruption
Heavy testing indicates the irqsave() spinlock around the __set_bit() is
insufficient to stop following clear_bit() calls being rarely applied
out-of-order. Also the nearby failed kzalloc() path leading to
SCSI_MLQUEUE_HOST_BUSY does not properly undo the in_use bitmap and
num_in_q, fix.
Link: https://lore.kernel.org/r/20200702145355.522283-1-dgilbert@interlog.com
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/scsi_debug.c')
-rw-r--r-- | drivers/scsi/scsi_debug.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 843cccb38cb7..4692f5b6ad13 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -5430,7 +5430,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, else return SCSI_MLQUEUE_HOST_BUSY; } - __set_bit(k, sqp->in_use_bm); + set_bit(k, sqp->in_use_bm); atomic_inc(&devip->num_in_q); sqcp = &sqp->qc_arr[k]; sqcp->a_cmnd = cmnd; @@ -5439,10 +5439,13 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, spin_unlock_irqrestore(&sqp->qc_lock, iflags); if (unlikely(sdebug_every_nth && sdebug_any_injecting_opt)) setup_inject(sqp, sqcp); - if (sd_dp == NULL) { + if (!sd_dp) { sd_dp = kzalloc(sizeof(*sd_dp), GFP_ATOMIC); - if (sd_dp == NULL) + if (!sd_dp) { + atomic_dec(&devip->num_in_q); + clear_bit(k, sqp->in_use_bm); return SCSI_MLQUEUE_HOST_BUSY; + } new_sd_dp = true; } else { new_sd_dp = false; |