
Commit de93dd11 authored by Robb Glasser's avatar Robb Glasser Committed by Gerrit - the friendly Code Review server

Prevent potential double frees in sg driver



sg_ioctl could be spammed by requests, leading to a double free in
__free_pages. This protects the entry points of sg_ioctl where the
memory could be corrupted by a double call to __free_pages if multiple
requests are happening concurrently.

Bug:35644812

Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1
Signed-off-by: default avatarRobb Glasser <rglasser@google.com>
Git-commit: 22d8e80738b5ce8784d59b48b0b051a520da4bec
Git-repo: https://android.googlesource.com/kernel/msm


[srkupp@codeaurora.org: Resolved trivial conflicts]
Signed-off-by: default avatarSrinivasa Rao Kuppala <srkupp@codeaurora.org>
parent d432e507
+20 −13
@@ -878,8 +878,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
			return -ENXIO;
		if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
			return -EFAULT;
		mutex_lock(&sfp->parentdp->open_rel_lock);
		result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
				 1, read_only, 1, &srp);
		mutex_unlock(&sfp->parentdp->open_rel_lock);
		if (result < 0)
			return result;
		result = wait_event_interruptible(sfp->read_wait,
@@ -921,6 +923,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
				val = (int) sfp->reserve.bufflen;
				sg_remove_scat(sfp, &sfp->reserve);
				sg_build_reserve(sfp, val);
				mutex_unlock(&sfp->parentdp->open_rel_lock);
			}
		} else {
			if (atomic_read(&sdp->detaching))
@@ -997,6 +1000,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
				return -EBUSY;
			sg_remove_scat(sfp, &sfp->reserve);
			sg_build_reserve(sfp, val);
			mutex_unlock(&sfp->parentdp->open_rel_lock);
		}
		return 0;
	case SG_GET_RESERVED_SIZE:
@@ -2689,6 +2693,9 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
			seq_puts(s, srp->done ?
				 ((1 == srp->done) ?  "rcv:" : "fin:")
				  : "act:");
			seq_printf(s, srp->done ?
				   ((1 == srp->done) ?  "rcv:" : "fin:")
				   : "act:");
			seq_printf(s, " id=%d blen=%d",
				   srp->header.pack_id, blen);
			if (srp->done)
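Review bot: The last hunk's counts (6 old, 9 new) mean the three `seq_printf(s, srp->done ? ... : "act:")` lines are new, and they emit exactly the same state tag as the `seq_puts` immediately above them, so each request now shows "rcv:"/"fin:"/"act:" twice in the proc debug output; this looks like a leftover of the conflict resolution rather than an intended change. Keeping a single call — dropping the added `seq_printf(s, srp->done ? ((1 == srp->done) ? "rcv:" : "fin:") : "act:");` — restores the previous output, and sg_proc_debug_helper's body continues outside the hunk. In the second and third hunks only the added `mutex_unlock(&sfp->parentdp->open_rel_lock);` is visible and the matching mutex_lock lies outside the hunk, so whether the early returns in those branches (such as the `return -EBUSY;` at the top of the third hunk) run with the mutex held cannot be confirmed from this page and should be checked against the surrounding code.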