From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:53446 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754450AbdIHHJz (ORCPT ); Fri, 8 Sep 2017 03:09:55 -0400 Subject: Patch "scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE" has been added to the 3.18-stable tree To: toddpoynor@google.com, dgilbert@interlog.com, gregkh@linuxfoundation.org, martin.petersen@oracle.com Cc: , From: Date: Fri, 08 Sep 2017 09:09:51 +0200 Message-ID: <150485459126170@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 6a8dadcca81fceff9976e8828cceb072873b7bd5 Mon Sep 17 00:00:00 2001 From: Todd Poynor Date: Tue, 15 Aug 2017 22:41:08 -0700 Subject: scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE From: Todd Poynor commit 6a8dadcca81fceff9976e8828cceb072873b7bd5 upstream. Take f_mutex around mmap() processing to protect against races with the SG_SET_RESERVED_SIZE ioctl. Ensure the reserve buffer length remains consistent during the mapping operation, and set the "mmap called" flag to prevent further changes to the reserved buffer size as an atomic operation with the mapping. [mkp: fixed whitespace] Signed-off-by: Todd Poynor Acked-by: Douglas Gilbert Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/sg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1295,6 +1295,7 @@ sg_mmap(struct file *filp, struct vm_are unsigned long req_sz, len, sa; Sg_scatter_hold *rsv_schp; int k, length; + int ret = 0; if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data))) return -ENXIO; @@ -1305,8 +1306,11 @@ sg_mmap(struct file *filp, struct vm_are if (vma->vm_pgoff) return -EINVAL; /* want no offset */ rsv_schp = &sfp->reserve; - if (req_sz > rsv_schp->bufflen) - return -ENOMEM; /* cannot map more than reserved buffer */ + mutex_lock(&sfp->f_mutex); + if (req_sz > rsv_schp->bufflen) { + ret = -ENOMEM; /* cannot map more than reserved buffer */ + goto out; + } sa = vma->vm_start; length = 1 << (PAGE_SHIFT + rsv_schp->page_order); @@ -1320,7 +1324,9 @@ sg_mmap(struct file *filp, struct vm_are vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = sfp; vma->vm_ops = &sg_mmap_vm_ops; - return 0; +out: + mutex_unlock(&sfp->f_mutex); + return ret; } static void Patches currently in stable-queue which might be from toddpoynor@google.com are queue-3.18/scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch queue-3.18/scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch