Merge "Prevent potential double frees in sg driver" · c4f4e49994 - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

Merge "Prevent potential double frees in sg driver"

This commit is contained in:

Linux Build Service Account

2017-11-21 06:44:56 -08:00

• committed by

Gerrit - the friendly Code Review server

parent e4401d0ea1 36f332c566

commit c4f4e49994

1 changed files with 18 additions and 10 deletions

									
										14

drivers/scsi/sg.c
									
										View file
										
				@ -898,8 +898,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)

							return -ENXIO;

						if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))

							return -EFAULT;

						mutex_lock(&sfp->parentdp->open_rel_lock);

						result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,

								 1, read_only, 1, &srp);

						mutex_unlock(&sfp->parentdp->open_rel_lock);

						if (result < 0)

							return result;

						result = wait_event_interruptible(sfp->read_wait,

				@ -939,8 +941,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)

							sfp->low_dma = 1;

							if ((0 == sfp->low_dma) && !sfp->res_in_use) {

								val = (int) sfp->reserve.bufflen;

								mutex_lock(&sfp->parentdp->open_rel_lock);

								sg_remove_scat(sfp, &sfp->reserve);

								sg_build_reserve(sfp, val);

								mutex_unlock(&sfp->parentdp->open_rel_lock);

							}

						} else {

							if (atomic_read(&sdp->detaching))

				@ -1009,8 +1013,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)

						result = get_user(val, ip);

						if (result)

							return result;

				                if (val < 0)

				                        return -EINVAL;

						if (val < 0)

							return -EINVAL;

						val = min_t(int, val,

							    max_sectors_bytes(sdp->device->request_queue));

						mutex_lock(&sfp->f_mutex);

				@ -1020,9 +1024,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)

								mutex_unlock(&sfp->f_mutex);

								return -EBUSY;

							}

							mutex_lock(&sfp->parentdp->open_rel_lock);

							sg_remove_scat(sfp, &sfp->reserve);

							sg_build_reserve(sfp, val);

							mutex_unlock(&sfp->parentdp->open_rel_lock);

						}

						mutex_unlock(&sfp->f_mutex);

						return 0;

				@ -2640,6 +2645,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)

							seq_puts(s, srp->done ?

								 ((1 == srp->done) ?  "rcv:" : "fin:")

								  : "act:");

							seq_printf(s, srp->done ?

								   ((1 == srp->done) ?  "rcv:" : "fin:")

								   : "act:");

							seq_printf(s, " id=%d blen=%d",

								   srp->header.pack_id, blen);

							if (srp->done)