[RESEND] scsi: sg: Prevent potential double frees in sg driver

Commit Message

Evan Green Oct. 1, 2018, 4:15 p.m. UTC

From: Robb Glasser <rglasser@google.com>

sg_ioctl could be spammed by requests, leading to a double free in
__free_pages. This protects the entry points of sg_ioctl where the
memory could be corrupted by a double call to __free_pages if multiple
requests are happening concurrently.

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Evan Green <evgreen@chromium.org>
Cc: stable@vger.kernel.org

---
Reposting this patch from last summer, as it looks like it fell in between
the cracks.

 drivers/scsi/sg.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Nick Desaulniers Oct. 1, 2018, 5:12 p.m. UTC | #1

On Mon, Oct 1, 2018 at 9:16 AM Evan Green <evgreen@chromium.org> wrote:
>
> From: Robb Glasser <rglasser@google.com>
>
> sg_ioctl could be spammed by requests, leading to a double free in
> __free_pages. This protects the entry points of sg_ioctl where the
> memory could be corrupted by a double call to __free_pages if multiple
> requests are happening concurrently.
>
> Signed-off-by: Robb Glasser <rglasser@google.com>
> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
> Signed-off-by: Evan Green <evgreen@chromium.org>
> Cc: stable@vger.kernel.org
>
> ---
> Reposting this patch from last summer, as it looks like it fell in between
> the cracks.

Christoph, do you still feel strongly about: https://lkml.org/lkml/2017/8/5/75 ?

>
>  drivers/scsi/sg.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 8a254bb46a9b..25579d8a16b5 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -924,8 +924,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>                         return -ENXIO;
>                 if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
>                         return -EFAULT;
> +               mutex_lock(&sfp->parentdp->open_rel_lock);
>                 result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
>                                  1, read_only, 1, &srp);
> +               mutex_unlock(&sfp->parentdp->open_rel_lock);
>                 if (result < 0)
>                         return result;
>                 result = wait_event_interruptible(sfp->read_wait,
> --
> 2.19.0.605.g01d371f741-goog
>

Bart Van Assche Oct. 1, 2018, 5:20 p.m. UTC | #2

On Mon, 2018-10-01 at 10:12 -0700, Nick Desaulniers wrote:
> On Mon, Oct 1, 2018 at 9:16 AM Evan Green <evgreen@chromium.org> wrote:
> > 
> > From: Robb Glasser <rglasser@google.com>
> > 
> > sg_ioctl could be spammed by requests, leading to a double free in
> > __free_pages. This protects the entry points of sg_ioctl where the
> > memory could be corrupted by a double call to __free_pages if multiple
> > requests are happening concurrently.
> > 
> > Signed-off-by: Robb Glasser <rglasser@google.com>
> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
> > Signed-off-by: Evan Green <evgreen@chromium.org>
> > Cc: stable@vger.kernel.org
> > 
> > ---
> > Reposting this patch from last summer, as it looks like it fell in between
> > the cracks.
> 
> Christoph, do you still feel strongly about: https://lkml.org/lkml/2017/8/5/75 ?

I don't know how Christoph feels about it, but serializing all SG I/O seems
like a regression to me. If one sg command hangs I usually try to send
another sg command to the same SCSI device from another shell to get more
information about the nature of the hang. Serializing all SG I/O would make
that impossible.

Bart.

Douglas Gilbert Oct. 1, 2018, 11:34 p.m. UTC | #3

On 2018-10-02 02:15 AM, Evan Green wrote:
> From: Robb Glasser <rglasser@google.com>
> 
> sg_ioctl could be spammed by requests, leading to a double free in
> __free_pages. This protects the entry points of sg_ioctl where the
> memory could be corrupted by a double call to __free_pages if multiple
> requests are happening concurrently.

Hi,
I  don't like this patch. I would like to see the trace for the double
call to the __free_pages you are referring too. A test program that
show the fault, perhaps?

I have test code to "spam" the sg driver and have not seen a double
__free_pages that you refer to (see sg3_utils package version 1.44,
testing/sg_tst_async.cpp).

Currently I am dusting off 20 years of "laparoscopic" patches to the sg
driver that have made a bit of a mess of the naming and comments. Also
the 16 outstanding requests per file descriptor limit is being removed.
Then I want to add the SG_IOSUBMIT and SG_IORECEIVE ioctls proposed by
Linus Torvalds two week ago.

Executive summary: nak, without further information

Doug Gilbert

> Signed-off-by: Robb Glasser <rglasser@google.com>
> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
> Signed-off-by: Evan Green <evgreen@chromium.org>
> Cc: stable@vger.kernel.org
> 
> ---
> Reposting this patch from last summer, as it looks like it fell in between
> the cracks.
> 
>   drivers/scsi/sg.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 8a254bb46a9b..25579d8a16b5 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -924,8 +924,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
>   			return -ENXIO;
>   		if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
>   			return -EFAULT;
> +		mutex_lock(&sfp->parentdp->open_rel_lock);
>   		result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
>   				 1, read_only, 1, &srp);
> +		mutex_unlock(&sfp->parentdp->open_rel_lock);
>   		if (result < 0)
>   			return result;
>   		result = wait_event_interruptible(sfp->read_wait,
>

Evan Green Oct. 2, 2018, 3:21 p.m. UTC | #4

On Mon, Oct 1, 2018 at 4:34 PM Douglas Gilbert <dgilbert@interlog.com> wrote:
>
> On 2018-10-02 02:15 AM, Evan Green wrote:
> > From: Robb Glasser <rglasser@google.com>
> >
> > sg_ioctl could be spammed by requests, leading to a double free in
> > __free_pages. This protects the entry points of sg_ioctl where the
> > memory could be corrupted by a double call to __free_pages if multiple
> > requests are happening concurrently.
>
> Hi,
> I  don't like this patch. I would like to see the trace for the double
> call to the __free_pages you are referring too. A test program that
> show the fault, perhaps?
>
> I have test code to "spam" the sg driver and have not seen a double
> __free_pages that you refer to (see sg3_utils package version 1.44,
> testing/sg_tst_async.cpp).
>
> Currently I am dusting off 20 years of "laparoscopic" patches to the sg
> driver that have made a bit of a mess of the naming and comments. Also
> the 16 outstanding requests per file descriptor limit is being removed.
> Then I want to add the SG_IOSUBMIT and SG_IORECEIVE ioctls proposed by
> Linus Torvalds two week ago.
>
> Executive summary: nak, without further information

That makes sense. Thanks for taking a look.

Patch

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 8a254bb46a9b..25579d8a16b5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -924,8 +924,10 @@  sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 			return -ENXIO;
 		if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
 			return -EFAULT;
+		mutex_lock(&sfp->parentdp->open_rel_lock);
 		result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
 				 1, read_only, 1, &srp);
+		mutex_unlock(&sfp->parentdp->open_rel_lock);
 		if (result < 0)
 			return result;
 		result = wait_event_interruptible(sfp->read_wait,