From 4ca6b1df7a791daa07264794f170623ada216fc9 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Thu, 28 Mar 2019 20:54:32 +0800 Subject: [PATCH] scsi: core: Also call destroy_rcu_head() for passthrough requests mainline inclusion from mainline-5.1-rc2 commit db983f6eef57a9d78af79bc32389b7e60eb3c47d category: bugfix bugzilla: 13094 CVE: NA --------------------------- cmd->rcu is initialized by scsi_initialize_rq(). For passthrough requests, blk_get_request() calls scsi_initialize_rq(). For filesystem requests, scsi_init_command() calls scsi_initialize_rq(). Make sure that destroy_rcu_head() is called for passthrough requests. conflict drivers/scsi/scsi_lib.c Cc: Christoph Hellwig Cc: Hannes Reinecke Cc: Ewan D. Milne Cc: Johannes Thumshirn Reported-by: Ewan D. Milne Signed-off-by: Bart Van Assche Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Yufen Yu Reviewed-by: Jason Yan Signed-off-by: Yang Yingliang --- drivers/scsi/scsi_lib.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 3154e6e0c794..37237010953f 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -685,9 +685,16 @@ static bool scsi_end_request(struct request *req, blk_status_t error, if (!blk_rq_is_scsi(req)) { WARN_ON_ONCE(!(cmd->flags & SCMD_INITIALIZED)); cmd->flags &= ~SCMD_INITIALIZED; - destroy_rcu_head(&cmd->rcu); } + /* + * Calling rcu_barrier() is not necessary here because the + * SCSI error handler guarantees that the function called by + * call_rcu() has been called before scsi_end_request() is + * called. + */ + destroy_rcu_head(&cmd->rcu); + if (req->mq_ctx) { /* * In the MQ case the command gets freed by __blk_mq_end_request, -- GitLab