Merge android-4.4@29d0b65 (v4.4.88) into msm-4.4

* refs/heads/tmp-29d0b65 Linux 4.4.88 xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present NFS: Fix 2 use after free issues in the I/O code ARM: 8692/1: mm: abort uaccess retries upon fatal signal Bluetooth: Properly check L2CAP config option output buffer length ALSA: msnd: Optimize / harden DSP and MIDI loops locktorture: Fix potential memory leak with rw lock test btrfs: resume qgroup rescan on rw remount drm/bridge: adv7511: Re-write the i2c address before EDID probing drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event() drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context drm/bridge: adv7511: Fix mutex deadlock when interrupts are disabled drm: adv7511: really enable interrupts for EDID detection scsi: sg: recheck MMAP_IO request length with lock held scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE cs5536: add support for IDE controller variant workqueue: Fix flag collision drm/nouveau/pci/msi: disable MSI on big-endian platforms by default mwifiex: correct channel stat buffer overflows dlm: avoid double-free on error path in dlm_device_{register,unregister} Bluetooth: Add support of 13d3:3494 RTL8723BE device rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter Input: trackpoint - assume 3 buttons when buttons detection fails ath10k: fix memory leak in rx ring buffer allocation intel_th: pci: Add Cannon Lake PCH-LP support intel_th: pci: Add Cannon Lake PCH-H support driver core: bus: Fix a potential double free staging/rts5208: fix incorrect shift to extract upper nybble USB: core: Avoid race of async_completed() w/ usbdev_release() usb:xhci:Fix regression when ATI chipsets detected usb: Add device quirk for Logitech HD Pro Webcam C920-C USB: serial: option: add support for D-Link DWM-157 C1 usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard ANDROID: sdcardfs: Add missing break ANDROID: Sdcardfs: Move gid derivation under flag ANDROID: mnt: Fix freeing of mount data drivers: cpufreq: checks to avoid kernel crash in cpufreq_interactive ANDROID: Use sk_uid to replace uid get from socket file ANDROID: nf: xt_qtaguid: fix handling for cases where tunnels are used. Revert "ANDROID: Use sk_uid to replace uid get from socket file" ANDROID: fiq_debugger: Fix minor bug in code Conflicts: drivers/cpufreq/cpufreq_interactive.c drivers/net/wireless/ath/ath10k/core.c drivers/staging/android/fiq_debugger/fiq_debugger.c net/netfilter/xt_qtaguid.c Change-Id: I49c67ff84d4bee0799691cc1ee0a023e2dd13e66 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
author: Blagovest Kolenichev <bkolenichev@codeaurora.org> 2017-09-21 14:00:18 -0700
committer: Blagovest Kolenichev <bkolenichev@codeaurora.org> 2017-09-21 14:00:18 -0700
commit: 3e99b7f6eb0303ac4efec0ccff6e63e671ed8869 (patch)
tree: 073a1475b27c724427c0b564c3f7835de47071a7 /drivers/scsi
parent: c988eaaeaf5f1194a7366ecfab9209d0fda13b0e (diff)
parent: 29d0b657c322a4bb7cd6bba644b74215be87277a (diff)
1 files changed, 14 insertions, 5 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index f4170ea2c6b6..06bef0fc43c7 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1254,6 +1254,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
 	unsigned long req_sz, len, sa;
 	Sg_scatter_hold *rsv_schp;
 	int k, length;
+	int ret = 0;
 
 	if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
 		return -ENXIO;
@@ -1264,8 +1265,11 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
 	if (vma->vm_pgoff)
 		return -EINVAL;	/* want no offset */
 	rsv_schp = &sfp->reserve;
-	if (req_sz > rsv_schp->bufflen)
-		return -ENOMEM;	/* cannot map more than reserved buffer */
+	mutex_lock(&sfp->f_mutex);
+	if (req_sz > rsv_schp->bufflen) {
+		ret = -ENOMEM;	/* cannot map more than reserved buffer */
+		goto out;
+	}
 
 	sa = vma->vm_start;
 	length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
@@ -1279,7 +1283,9 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
 	vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
 	vma->vm_private_data = sfp;
 	vma->vm_ops = &sg_mmap_vm_ops;
-	return 0;
+out:
+	mutex_unlock(&sfp->f_mutex);
+	return ret;
 }
 
 static void
@@ -1748,9 +1754,12 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
 		    !sfp->res_in_use) {
 			sfp->res_in_use = 1;
 			sg_link_reserve(sfp, srp, dxfer_len);
-		} else if ((hp->flags & SG_FLAG_MMAP_IO) && sfp->res_in_use) {
+		} else if (hp->flags & SG_FLAG_MMAP_IO) {
+			res = -EBUSY; /* sfp->res_in_use == 1 */
+			if (dxfer_len > rsv_schp->bufflen)
+				res = -ENOMEM;
 			mutex_unlock(&sfp->f_mutex);
-			return -EBUSY;
+			return res;
 		} else {
 			res = sg_build_indirect(req_schp, sfp, dxfer_len);
 			if (res) {
author	Blagovest Kolenichev <bkolenichev@codeaurora.org>	2017-09-21 14:00:18 -0700
committer	Blagovest Kolenichev <bkolenichev@codeaurora.org>	2017-09-21 14:00:18 -0700
commit	3e99b7f6eb0303ac4efec0ccff6e63e671ed8869 (patch)
tree	073a1475b27c724427c0b564c3f7835de47071a7 /drivers/scsi
parent	c988eaaeaf5f1194a7366ecfab9209d0fda13b0e (diff)
parent	29d0b657c322a4bb7cd6bba644b74215be87277a (diff)