From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun, 24 Sep 2017 22:36:44 +0000 (-0400)
Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=357621bca2cb346513d7f4d8f57edb53bd7bbe44;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

fix a page leak in vhost_scsi_iov_to_sgl() error recovery

commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.

we are advancing sg as we go, so the pages we need to drop in
case of error are *before* the current sg.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 046f6d280af5..e47c5bc3ddca 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -688,6 +688,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write,
 		      struct scatterlist *sg, int sg_count)
 {
 	size_t off = iter->iov_offset;
+	struct scatterlist *p = sg;
 	int i, ret;
 
 	for (i = 0; i < iter->nr_segs; i++) {
@@ -696,8 +697,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_cmd *cmd, bool write,
 
 		ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
 		if (ret < 0) {
-			for (i = 0; i < sg_count; i++) {
-				struct page *page = sg_page(&sg[i]);
+			while (p < sg) {
+				struct page *page = sg_page(p++);
 				if (page)
 					put_page(page);
 			}