releases/4.9.49/scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch

   1 From 6a8dadcca81fceff9976e8828cceb072873b7bd5 Mon Sep 17 00:00:00 2001
   2 From: Todd Poynor <toddpoynor@google.com>
   3 Date: Tue, 15 Aug 2017 22:41:08 -0700
   4 Subject: scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
   5
   6 From: Todd Poynor <toddpoynor@google.com>
   7
   8 commit 6a8dadcca81fceff9976e8828cceb072873b7bd5 upstream.
   9
  10 Take f_mutex around mmap() processing to protect against races with the
  11 SG_SET_RESERVED_SIZE ioctl.  Ensure the reserve buffer length remains
  12 consistent during the mapping operation, and set the "mmap called" flag
  13 to prevent further changes to the reserved buffer size as an atomic
  14 operation with the mapping.
  15
  16 [mkp: fixed whitespace]
  17
  18 Signed-off-by: Todd Poynor <toddpoynor@google.com>
  19 Acked-by: Douglas Gilbert <dgilbert@interlog.com>
  20 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22
  23 ---
  24  drivers/scsi/sg.c |   12 +++++++++---
  25  1 file changed, 9 insertions(+), 3 deletions(-)
  26
  27 --- a/drivers/scsi/sg.c
  28 +++ b/drivers/scsi/sg.c
  29 @@ -1244,6 +1244,7 @@ sg_mmap(struct file *filp, struct vm_are
  30         unsigned long req_sz, len, sa;
  31         Sg_scatter_hold *rsv_schp;
  32         int k, length;
  33 +       int ret = 0;
  34
  35         if ((!filp) || (!vma) || (!(sfp = (Sg_fd *) filp->private_data)))
  36                 return -ENXIO;
  37 @@ -1254,8 +1255,11 @@ sg_mmap(struct file *filp, struct vm_are
  38         if (vma->vm_pgoff)
  39                 return -EINVAL; /* want no offset */
  40         rsv_schp = &sfp->reserve;
  41 -       if (req_sz > rsv_schp->bufflen)
  42 -               return -ENOMEM; /* cannot map more than reserved buffer */
  43 +       mutex_lock(&sfp->f_mutex);
  44 +       if (req_sz > rsv_schp->bufflen) {
  45 +               ret = -ENOMEM;  /* cannot map more than reserved buffer */
  46 +               goto out;
  47 +       }
  48
  49         sa = vma->vm_start;
  50         length = 1 << (PAGE_SHIFT + rsv_schp->page_order);
  51 @@ -1269,7 +1273,9 @@ sg_mmap(struct file *filp, struct vm_are
  52         vma->vm_flags |= VM_IO | VM_DONTEXPAND | VM_DONTDUMP;
  53         vma->vm_private_data = sfp;
  54         vma->vm_ops = &sg_mmap_vm_ops;
  55 -       return 0;
  56 +out:
  57 +       mutex_unlock(&sfp->f_mutex);
  58 +       return ret;
  59  }
  60
  61  static void