Re: [PATCH] sg: Fix double-free when drives detach during SG_IO

[Douglas Gilbert <dgilbert@interlog.com>]

On 15-10-31 12:57 AM, Calvin Owens wrote:
> In sg_common_write(), we free the block request and return -ENODEV if
> the device is detached in the middle of the SG_IO ioctl().
>
> Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
> end up freeing rq->cmd in the already free rq object, and then free
> the object itself out from under the current user.
>
> This ends up corrupting random memory via the list_head on the rq
> object. The most common crash trace I saw is this:
>
>    ------------[ cut here ]------------
>    kernel BUG at block/blk-core.c:1420!
>    Call Trace:
>    [<ffffffff81281eab>] blk_put_request+0x5b/0x80
>    [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
>    [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
>    [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
>    [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
>    [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
>    [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
>    [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
>    [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
>    [<ffffffff81602afb>] tracesys+0xdd/0xe2
>      RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
>
> The solution is straightforward: just set srp->rq to NULL in the
> failure branch so that sg_finish_rem_req() doesn't attempt to re-free
> it.
>
> Additionally, since sg_rq_end_io() will never be called on the object
> when this happens, we need to free memory backing ->cmd if it isn't
> embedded in the object itself.
>
> KASAN was extremely helpful in finding the root cause of this bug.
>
> Signed-off-by: Calvin Owens <calvinowens@fb.com>

Acked-by: Douglas Gilbert <dgilbert@interlog.com>

Thanks.

> ---
>   drivers/scsi/sg.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
> index 9d7b7db..503ab8b 100644
> --- a/drivers/scsi/sg.c
> +++ b/drivers/scsi/sg.c
> @@ -787,8 +787,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
>   		return k;	/* probably out of space --> ENOMEM */
>   	}
>   	if (atomic_read(&sdp->detaching)) {
> -		if (srp->bio)
> +		if (srp->bio) {
> +			if (srp->rq->cmd != srp->rq->__cmd)
> +				kfree(srp->rq->cmd);
> +
>   			blk_end_request_all(srp->rq, -EIO);
> +			srp->rq = NULL;
> +		}
> +
>   		sg_finish_rem_req(srp);
>   		return -ENODEV;
>   	}
>