From 37c58d6e5b05f5dfd3b5ee3bea1bc5e4141d4a8e Mon Sep 17 00:00:00 2001 From: Bodo Stroesser Date: Wed, 26 May 2021 13:39:43 +0000 Subject: [PATCH] scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id not found stable inclusion from stable-5.10.39 commit d47d0d1a1fb2cddbc322a7ff19ccfc127cb561c5 bugzilla: 51881 CVE: NA -------------------------------- [ Upstream commit 9814b55cde0588b6d9bc496cee43f87316cbc6f1 ] If tcmu_handle_completions() finds an invalid cmd_id while looping over cmd responses from userspace it sets TCMU_DEV_BIT_BROKEN and breaks the loop. This means that it does further handling for the tcmu device. Skip that handling by replacing 'break' with 'return'. Additionally change tcmu_handle_completions() from unsigned int to bool, since the value used in return already is bool. Link: https://lore.kernel.org/r/20210423150123.24468-1-bostroesser@gmail.com Signed-off-by: Bodo Stroesser Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Chen Jun Acked-by: Weilong Chen Signed-off-by: Zheng Zengkai --- drivers/target/target_core_user.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c index 7d5814a95e1e..c6950f157b99 100644 --- a/drivers/target/target_core_user.c +++ b/drivers/target/target_core_user.c @@ -1391,7 +1391,7 @@ static int tcmu_run_tmr_queue(struct tcmu_dev *udev) return 1; } -static unsigned int tcmu_handle_completions(struct tcmu_dev *udev) +static bool tcmu_handle_completions(struct tcmu_dev *udev) { struct tcmu_mailbox *mb; struct tcmu_cmd *cmd; @@ -1434,7 +1434,7 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev) pr_err("cmd_id %u not found, ring is broken\n", entry->hdr.cmd_id); set_bit(TCMU_DEV_BIT_BROKEN, &udev->flags); - break; + return false; } tcmu_handle_completion(cmd, entry); -- GitLab