On Mon, Oct 1, 2018 at 4:34 PM Douglas Gilbert dgilbert@interlog.com wrote:
On 2018-10-02 02:15 AM, Evan Green wrote:
From: Robb Glasser rglasser@google.com
sg_ioctl could be spammed by requests, leading to a double free in __free_pages. This protects the entry points of sg_ioctl where the memory could be corrupted by a double call to __free_pages if multiple requests are happening concurrently.
Hi, I don't like this patch. I would like to see the trace for the double call to the __free_pages you are referring too. A test program that show the fault, perhaps?
I have test code to "spam" the sg driver and have not seen a double __free_pages that you refer to (see sg3_utils package version 1.44, testing/sg_tst_async.cpp).
Currently I am dusting off 20 years of "laparoscopic" patches to the sg driver that have made a bit of a mess of the naming and comments. Also the 16 outstanding requests per file descriptor limit is being removed. Then I want to add the SG_IOSUBMIT and SG_IORECEIVE ioctls proposed by Linus Torvalds two week ago.
Executive summary: nak, without further information
That makes sense. Thanks for taking a look.