scsi: scsi_debug: Fix in_use bitmap corruption

Heavy testing indicates the irqsave() spinlock around the __set_bit() is insufficient to stop following clear_bit() calls being rarely applied out-of-order. Also the nearby failed kzalloc() path leading to SCSI_MLQUEUE_HOST_BUSY does not properly undo the in_use bitmap and num_in_q, fix. Link: https://lore.kernel.org/r/20200702145355.522283-1-dgilbert@interlog.com Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
kernelci · Jul 3, 2020 · 74595c0 · 74595c0
1 parent 93bf02e
commit 74595c0
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
@@ -5430,7 +5430,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip,
 		else
 			return SCSI_MLQUEUE_HOST_BUSY;
 	}
-	__set_bit(k, sqp->in_use_bm);
+	set_bit(k, sqp->in_use_bm);
 	atomic_inc(&devip->num_in_q);
 	sqcp = &sqp->qc_arr[k];
 	sqcp->a_cmnd = cmnd;
@@ -5439,10 +5439,13 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip,
 	spin_unlock_irqrestore(&sqp->qc_lock, iflags);
 	if (unlikely(sdebug_every_nth && sdebug_any_injecting_opt))
 		setup_inject(sqp, sqcp);
-	if (sd_dp == NULL) {
+	if (!sd_dp) {
 		sd_dp = kzalloc(sizeof(*sd_dp), GFP_ATOMIC);
-		if (sd_dp == NULL)
+		if (!sd_dp) {
+			atomic_dec(&devip->num_in_q);
+			clear_bit(k, sqp->in_use_bm);
 			return SCSI_MLQUEUE_HOST_BUSY;
+		}
 		new_sd_dp = true;
 	} else {
 		new_sd_dp = false;