From patchwork Tue May 9 14:42:32 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98921
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Calvin Owens, "Martin K . Petersen"
Subject: [PATCH for-3.18 08/24] sg: Fix double-free when drives detach during SG_IO
Date: Tue, 9 May 2017 20:12:32 +0530
Message-Id: <1494340968-17152-9-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Calvin Owens

commit f3951a3709ff50990bf3e188c27d346792103432 upstream.

In sg_common_write(), we free the block request and return -ENODEV if the
device is detached in the middle of the SG_IO ioctl(). Unfortunately,
sg_finish_rem_req() also tries to free srp->rq, so we end up freeing
rq->cmd in the already free rq object, and then free the object itself out
from under the current user.

This ends up corrupting random memory via the list_head on the rq object.
The most common crash trace I saw is this:

------------[ cut here ]------------
kernel BUG at block/blk-core.c:1420!
Call Trace:
[] blk_put_request+0x5b/0x80
[] sg_finish_rem_req+0x6b/0x120 [sg]
[] sg_common_write.isra.14+0x459/0x5a0 [sg]
[] ? selinux_file_alloc_security+0x48/0x70
[] sg_new_write.isra.17+0x195/0x2d0 [sg]
[] sg_ioctl+0x644/0xdb0 [sg]
[] do_vfs_ioctl+0x90/0x520
[] ? file_has_perm+0x97/0xb0
[] SyS_ioctl+0x91/0xb0
[] tracesys+0xdd/0xe2
RIP [] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the failure
branch so that sg_finish_rem_req() doesn't attempt to re-free it.
Additionally, since sg_rq_end_io() will never be called on the object when
this happens, we need to free memory backing ->cmd if it isn't embedded in
the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Signed-off-by: Calvin Owens
Acked-by: Douglas Gilbert
Signed-off-by: Martin K. Petersen
Signed-off-by: Amit Pundir
---
 drivers/scsi/sg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

-- 
2.7.4

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index e50adf710229..71b30e18f2f0 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -791,8 +791,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp, return k; /* probably out of space --> ENOMEM */ } if (atomic_read(&sdp->detaching)) { - if (srp->bio) + if (srp->bio) { + if (srp->rq->cmd != srp->rq->__cmd) + kfree(srp->rq->cmd); + blk_end_request_all(srp->rq, -EIO); + srp->rq = NULL; + } + sg_finish_rem_req(srp); return -ENODEV; }
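Review bot: the new block is guarded by `if (srp->bio) {` but dereferences `srp->rq` unconditionally in `if (srp->rq->cmd != srp->rq->__cmd)` and `blk_end_request_all(srp->rq, -EIO);`; a one-line comment stating why a non-NULL bio guarantees a non-NULL rq at this point, and that the kfree stands in for the cleanup sg_rq_end_io() would otherwise perform (it is never called on this path), would make the ownership handoff explicit for the next reader. Keeping `srp->rq = NULL;` as the last statement before the closing brace, as the hunk does, is what stops sg_finish_rem_req() from putting the same request a second time, so that ordering should be preserved if the block is ever reshuffled.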
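The ownership bug the commit message describes, modelled in user-space C as an added example; this is not the kernel's code and not part of the patch. struct rq_model, struct srp_model, put_request(), finish_rem_req() and detach_branch() are hypothetical stand-ins for struct request, Sg_request, blk_put_request(), sg_finish_rem_req() and the detach branch of sg_common_write(); the inline buffer plays the role of __cmd and the CDB bytes are constructed. The model runs the branch three ways: as it was before the patch (the released request is touched again and put twice), with only the srp->rq = NULL half of the fix (no double put, but an out-of-line cmd buffer leaks because sg_rq_end_io() never runs on this path), and with the full fix.

```c
/* Added example, not kernel code: a user-space model of the
 * sg_common_write() detach branch before and after the fix.  All names
 * are hypothetical stand-ins for the kernel structures and helpers. */
#include <stdlib.h>
#include <string.h>

#define INLINE_CMD_LEN 16   /* stand-in for the size of struct request::__cmd */

/* Which version of the detach branch to run. */
enum variant { BEFORE_FIX, NULL_RQ_ONLY, FULL_FIX };

/* Outcome bits returned by run_detach_path(). */
enum { OUTCOME_DOUBLE_FREE = 1, OUTCOME_CMD_LEAKED = 2, OUTCOME_USE_AFTER_RELEASE = 4 };

/* Stand-in for struct request: cmd points either at the inline buffer
 * (the kernel's __cmd) or at a separately allocated one. */
struct rq_model {
    unsigned char cmd_inline[INLINE_CMD_LEN];
    unsigned char *cmd;
    int released;            /* set by the first put; a second put is the bug */
};

/* Stand-in for Sg_request, reduced to the fields the branch touches. */
struct srp_model {
    struct rq_model *rq;
    int has_bio;             /* srp->bio != NULL */
};

static int double_frees;
static int uses_after_release;

static struct rq_model *make_request(size_t cmd_len)
{
    struct rq_model *rq = calloc(1, sizeof(*rq));
    if (!rq)
        abort();
    rq->cmd = cmd_len <= INLINE_CMD_LEN ? rq->cmd_inline : malloc(cmd_len);
    if (!rq->cmd)
        abort();
    memset(rq->cmd, 0xa5, cmd_len);   /* constructed CDB bytes */
    return rq;
}

/* Model of blk_put_request(): the real one hits BUG() in blk-core.c when
 * called on a request that was already put; the model only counts it. */
static void put_request(struct rq_model *rq)
{
    if (rq->released) {
        double_frees++;
        return;
    }
    rq->released = 1;
}

/* Model of sg_finish_rem_req(): releases srp->rq, cmd buffer included,
 * unless srp->rq has already been cleared by the caller. */
static void finish_rem_req(struct srp_model *srp)
{
    struct rq_model *rq = srp->rq;
    if (!rq)
        return;
    if (rq->released)
        uses_after_release++;         /* touching an already-put request */
    if (rq->cmd != rq->cmd_inline) {
        free(rq->cmd);
        rq->cmd = NULL;
    }
    put_request(rq);
}

static void detach_branch(struct srp_model *srp, enum variant v)
{
    if (srp->has_bio) {
        struct rq_model *rq = srp->rq;
        /* Only the full fix frees an out-of-line cmd here; sg_rq_end_io(),
         * which normally does it, never runs on this path. */
        if (v == FULL_FIX && rq->cmd != rq->cmd_inline) {
            free(rq->cmd);
            rq->cmd = NULL;
        }
        put_request(rq);              /* blk_end_request_all(rq, -EIO) */
        if (v != BEFORE_FIX)
            srp->rq = NULL;           /* the one-line core of the fix */
    }
    finish_rem_req(srp);
}

/* Runs one variant with a cmd of cmd_len bytes; returns the OUTCOME_ bits. */
int run_detach_path(enum variant v, size_t cmd_len)
{
    struct rq_model *rq = make_request(cmd_len);
    struct srp_model srp = { rq, 1 };
    int outcome = 0;

    double_frees = 0;
    uses_after_release = 0;
    detach_branch(&srp, v);

    if (double_frees)
        outcome |= OUTCOME_DOUBLE_FREE;
    if (uses_after_release)
        outcome |= OUTCOME_USE_AFTER_RELEASE;
    if (rq->cmd && rq->cmd != rq->cmd_inline) {
        outcome |= OUTCOME_CMD_LEAKED;  /* nobody freed the out-of-line cmd */
        free(rq->cmd);
    }
    free(rq);
    return outcome;
}
```

run_detach_path(BEFORE_FIX, 32) reports both a use of the released request and a second put, which is the path that ends in the BUG at block/blk-core.c in the trace above; run_detach_path(NULL_RQ_ONLY, 32) is clean of both but leaks the 32-byte out-of-line cmd, which is why the patch also has to kfree it; run_detach_path(FULL_FIX, 32) and any variant with a 6-byte (inline) cmd that includes the NULL assignment report nothing.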