From 74595c044cb56cb073370c09fefc23eb8ed6d835 Mon Sep 17 00:00:00 2001 From: Douglas Gilbert Date: Thu, 2 Jul 2020 10:53:55 -0400 Subject: [PATCH] scsi: scsi_debug: Fix in_use bitmap corruption Heavy testing indicates the irqsave() spinlock around the __set_bit() is insufficient to stop following clear_bit() calls being rarely applied out-of-order. Also the nearby failed kzalloc() path leading to SCSI_MLQUEUE_HOST_BUSY does not properly undo the in_use bitmap and num_in_q, fix. Link: https://lore.kernel.org/r/20200702145355.522283-1-dgilbert@interlog.com Signed-off-by: Douglas Gilbert Signed-off-by: Martin K. Petersen --- drivers/scsi/scsi_debug.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 843cccb..4692f5b 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -5430,7 +5430,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, else return SCSI_MLQUEUE_HOST_BUSY; } - __set_bit(k, sqp->in_use_bm); + set_bit(k, sqp->in_use_bm); atomic_inc(&devip->num_in_q); sqcp = &sqp->qc_arr[k]; sqcp->a_cmnd = cmnd; @@ -5439,10 +5439,13 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, spin_unlock_irqrestore(&sqp->qc_lock, iflags); if (unlikely(sdebug_every_nth && sdebug_any_injecting_opt)) setup_inject(sqp, sqcp); - if (sd_dp == NULL) { + if (!sd_dp) { sd_dp = kzalloc(sizeof(*sd_dp), GFP_ATOMIC); - if (sd_dp == NULL) + if (!sd_dp) { + atomic_dec(&devip->num_in_q); + clear_bit(k, sqp->in_use_bm); return SCSI_MLQUEUE_HOST_BUSY; + } new_sd_dp = true; } else { new_sd_dp = false; -- 2.7.4