From patchwork Thu Sep 5 14:26:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 1981297 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X01s54kGKz1yfv for ; Fri, 6 Sep 2024 00:27:05 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1smDRp-0006CV-Rp; Thu, 05 Sep 2024 14:26:57 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1smDRo-0006AW-8m for kernel-team@lists.ubuntu.com; Thu, 05 Sep 2024 14:26:56 +0000 Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id DAE4B3F04D for ; Thu, 5 Sep 2024 14:26:55 +0000 (UTC) Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-5334acbac00so758090e87.0 for ; Thu, 05 Sep 2024 07:26:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725546415; x=1726151215; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=11Ovyx0sGjBoxMPV75d1q+bFcGkYjwcly3xwMte8QZk=; b=miGYXqhCS5Z7OH0NWRc+b/SgvjO6gRFRnl29gnXjyLVnShJkrI2WA6I9v0/8MBHH6j QusgvJOn+A962ldBgWbsKlgPR+JfSoDYGwS97hv4oHb9Z580SbbpDB/1Ki2u3FG5oOBJ YwXW9d3zFQJhNHz4eSVfqpHJC6D/EiRuS0RsxmlCneZ7dGAr70CC5+JouxUp0qcEVmpK 9oVb9W3/34NrucKnbkNvQq4R/OFPer1vc25fKP9fa/i65RcnM85oq1tmcsP3+ZLiMTG+ mb9OA6fDQ9bWcwFbGFXoD3XOTlAbZL6byrPmwIGoyQnN2he0fOqIl/9WYXZbLFSF/q/X wX2A== X-Gm-Message-State: AOJu0Yyj9TDUKm6+wG7N5FaGRWT83Ykt3EwaOgCJoftHReBx19emLN/4 fpAWa3Lipia7FrdnECjsebqki/QX6NPgmT8NVUROupIBbWc+Gykt2thiNa+CkoTayIYScqIlJcO do6Md52Pzl/42EJMHsROGfImv+1cvMqc5RO+FF9keHOZG0O3MxlhPNoXxCO+SBXUET3NhM4pdNK MPef7OLzxaZw== X-Received: by 2002:a05:6512:4025:b0:533:4b70:8722 with SMTP id 2adb3069b0e04-53546b033f5mr14958303e87.15.1725546415112; Thu, 05 Sep 2024 07:26:55 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFbPkohqiT0dPmhmRS5pr0hjElux4b7JUxdO7432NXdjfx30/xAy+rZneenjEYaxI++AvOT6g== X-Received: by 2002:a05:6512:4025:b0:533:4b70:8722 with SMTP id 2adb3069b0e04-53546b033f5mr14958252e87.15.1725546413796; Thu, 05 Sep 2024 07:26:53 -0700 (PDT) Received: from localhost ([81.221.247.52]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a8a623a45b0sm146713766b.143.2024.09.05.07.26.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 07:26:53 -0700 (PDT) From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][J][PATCH 1/3] tls: rx: coalesce exit paths in tls_decrypt_sg() Date: Thu, 5 Sep 2024 16:26:42 +0200 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jakub Kicinski Jump to the free() call, instead of having to remember to free the memory in multiple places. Signed-off-by: Jakub Kicinski (backported from commit 03957d84055e59235c7d57c95a37617bd3aa5646) [juergh: Adjusted context.] CVE-2024-26800 Signed-off-by: Juerg Haefliger --- net/tls/tls_sw.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 065454136be7..02d2e883d476 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1501,10 +1501,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE, iv + iv_offset + prot->salt_size, prot->iv_size); - if (err < 0) { - kfree(mem); - return err; - } + if (err < 0) + goto exit_free; if (prot->version == TLS_1_3_VERSION || prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) memcpy(iv + iv_offset, tls_ctx->rx.iv, @@ -1525,10 +1523,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, err = skb_to_sgvec(skb, &sgin[1], rxm->offset + prot->prepend_size, rxm->full_len - prot->prepend_size); - if (err < 0) { - kfree(mem); - return err; - } + if (err < 0) + goto exit_free; if (n_sgout) { if (out_iov) { @@ -1561,7 +1557,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, /* Release the pages in case iov was mapped to pages */ for (; pages > 0; pages--) put_page(sg_page(&sgout[pages])); - +exit_free: kfree(mem); return err; } From patchwork Thu Sep 5 14:26:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 1981299 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X01s90TY1z1yfv for ; Fri, 6 Sep 2024 00:27:09 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1smDRt-0006Hj-7y; Thu, 05 Sep 2024 14:27:01 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1smDRq-0006Ds-Cq for kernel-team@lists.ubuntu.com; Thu, 05 Sep 2024 14:26:58 +0000 Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com [209.85.208.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 383143F04D for ; Thu, 5 Sep 2024 14:26:58 +0000 (UTC) Received: by mail-ed1-f69.google.com with SMTP id 4fb4d7f45d1cf-5a16fae2ba7so646594a12.1 for ; Thu, 05 Sep 2024 07:26:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725546418; x=1726151218; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vhvFr/7ETt2tPWkRFMWyVqHlK4o/YUv85IOebcjFuow=; b=wEylI364p8KF94eqKkeivgEYE8F8gX1RdKTB2uaFcNtivFHJDzdste7eq4g/ITcJud IVPMZNvqSzBaVttbf0s9urjcCmS8k9pzclcAVwfErQXLDI/kCixI+un/HuPDWxVH7Wc+ 7qW4HWm5E80GPPLzt8b8it1rW1FongpdasNuz/7r2YcmW/ZP/KyHLNPkOpY74jM5Xea+ u9WdcB3hk7zs08eHWKpDRlFFsaWOuhG4wN04DAJAC+Nnb8pOFSGe3q0IvV4lw3b+/T5f BKhvG3+OUgN94nfVdu6yJATaEbnmLQ6fEfDLXv4mk1xGPp7evdP9KuRoN6wcmCA5Vw/U 4kEQ== X-Gm-Message-State: AOJu0YwKDsMrFubpSiGHT/fHg/lzjfXgzqop7WtLg0NB0ZUycEED2HHx ZFk4QCLxbnQTdnyRrbUNsWOr8pvFOIqO4vazfD0dT9ED2XHDiCrwSCXSFjHOacUJvljgtgFd3/Y zPeiZ93iAcrKPnSmvwb3e6PYISwajxeCL8Y56a97jyusPMDFy1ehg/wfSt+1cR5g6Lu1REP+m4b GHVgwdP8IlIw== X-Received: by 2002:a05:6402:4412:b0:5c0:adad:98a2 with SMTP id 4fb4d7f45d1cf-5c2c28f909fmr4117783a12.1.1725546417721; Thu, 05 Sep 2024 07:26:57 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEJe7kkOcZwvoOu67ZuUxHiihtK79oZw+nVg9kfOTVYdhDuxqJ1pw0yUwQ2KD7VaMqEdIzS3g== X-Received: by 2002:a05:6402:4412:b0:5c0:adad:98a2 with SMTP id 4fb4d7f45d1cf-5c2c28f909fmr4117756a12.1.1725546417014; Thu, 05 Sep 2024 07:26:57 -0700 (PDT) Received: from localhost ([81.221.247.52]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5c3cc6a4d2asm1276355a12.81.2024.09.05.07.26.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 07:26:56 -0700 (PDT) From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][J][PATCH 2/3] tls: separate no-async decryption request handling from async Date: Thu, 5 Sep 2024 16:26:44 +0200 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Sabrina Dubroca If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result. We should preferably also use a separate crypto_wait. I'm not seeing a UAF as I did in the past, I think aec7961916f3 ("tls: fix race between async notify and socket close") took care of it. This will make the next fix easier. Signed-off-by: Sabrina Dubroca Link: https://lore.kernel.org/r/47bde5f649707610eaef9f0d679519966fc31061.1709132643.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski (cherry picked from commit 41532b785e9d79636b3815a64ddf6a096647d011) CVE-2024-26800 Signed-off-by: Juerg Haefliger --- net/tls/tls_sw.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 02d2e883d476..9c78e319c4ca 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -277,9 +277,15 @@ static int tls_do_decryption(struct sock *sk, tls_decrypt_done, skb); atomic_inc(&ctx->decrypt_pending); } else { + DECLARE_CRYPTO_WAIT(wait); + aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &ctx->async_wait); + crypto_req_done, &wait); + ret = crypto_aead_decrypt(aead_req); + if (ret == -EINPROGRESS || ret == -EBUSY) + ret = crypto_wait_req(ret, &wait); + return ret; } ret = crypto_aead_decrypt(aead_req); @@ -288,10 +294,7 @@ static int tls_do_decryption(struct sock *sk, ret = ret ?: -EINPROGRESS; } if (ret == -EINPROGRESS) { - if (darg->async) - return 0; - - ret = crypto_wait_req(ret, &ctx->async_wait); + return 0; } else if (darg->async) { atomic_dec(&ctx->decrypt_pending); } From patchwork Thu Sep 5 14:26:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juerg Haefliger X-Patchwork-Id: 1981301 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X01sD2CTkz1yfv for ; Fri, 6 Sep 2024 00:27:12 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1smDRw-0006Pe-M1; Thu, 05 Sep 2024 14:27:04 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1smDRu-0006K2-2U for kernel-team@lists.ubuntu.com; Thu, 05 Sep 2024 14:27:02 +0000 Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id BC19D3F45F for ; Thu, 5 Sep 2024 14:27:01 +0000 (UTC) Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-5356aaecdf6so970681e87.2 for ; Thu, 05 Sep 2024 07:27:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725546421; x=1726151221; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7+lNgC9PIF3Ig2zetoVkBrd45/Q34XJV3WQ8pCri/8M=; b=jYEDM8FjUogydHsCXtTPKIUN5KkHjGDWkYEbNSrhfNCceN1orzHXXguaa7uYyutDpv 6/IWIe1M9Z0h04SSs1N2KJ/O0W6FsUcXRmJbNrclahioB6s0TkdMIl+Fk7fnODuMCHsQ evv2liH7ZGhBjJcROamefg5WtZhNrxL0aEq1yOhTZ3tATJojd3EqQeSwr38DfZ93ulIz mgFd8WCOA0rowalvCishJNUqEz6YXaExnHXVflirnT0vbBOGIqOp8acqytgMpW99I3lO sQ/2AYaP++MKSFhp15zPu2J/Ouugx4byjAAUghmMobAO654NCxbZRLFSe+wasJ15mQPJ iV8g== X-Gm-Message-State: AOJu0YzUBEUGPIf7AGm3Twua+RJNAJf9AmtMNGDeqRkiOZCz1uohixSr sjbTLL/+jsHmsuSb+twDJIPhU2QFOfs2x0ppFwbkDgkQEZDhUACxLD/qZCv1Zr6mb7NSOXW8HQp AyKkWKNbSR83eAyAdI8UObOdSvubIFjOmNYkABarCDJjyYnn5Uhai6aAcoay3d4UVKF0tuw5k/D TOYnbw7QE99w== X-Received: by 2002:a05:6512:12c8:b0:52c:e0fb:92c0 with SMTP id 2adb3069b0e04-53546b3fde1mr14366685e87.34.1725546420903; Thu, 05 Sep 2024 07:27:00 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFYBBPrY+L6kcoJW410DM+bqkiHU5zKHssx69laUmgdU7bsRSbf3II3YzQfSdVApHiD3ERgGA== X-Received: by 2002:a05:6512:12c8:b0:52c:e0fb:92c0 with SMTP id 2adb3069b0e04-53546b3fde1mr14366641e87.34.1725546419780; Thu, 05 Sep 2024 07:26:59 -0700 (PDT) Received: from localhost ([81.221.247.52]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a8a62048758sm143900366b.54.2024.09.05.07.26.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 07:26:59 -0700 (PDT) From: Juerg Haefliger To: kernel-team@lists.ubuntu.com Subject: [SRU][J][PATCH 3/3] tls: fix use-after-free on failed backlog decryption Date: Thu, 5 Sep 2024 16:26:46 +0200 Message-ID: <1a4a45a48529bf63c509ed7e418be6d6f39fe74c.1725545867.git.juerg.haefliger@canonical.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Sabrina Dubroca When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests") Signed-off-by: Sabrina Dubroca Link: https://lore.kernel.org/r/4755dd8d9bebdefaa19ce1439b833d6199d4364c.1709132643.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski (backported from commit 13114dc5543069f7b97991e3b79937b6da05f5b0) [juergh: Adjusted context and 'return err' instead of 'goto exit_free_skb' due to missing commits: fd31f3996af2 ("tls: rx: decrypt into a fresh skb") 6bd116c8c654 ("tls: rx: return the decrypted skb via darg")] CVE-2024-26800 Signed-off-by: Juerg Haefliger --- net/tls/tls_sw.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 9c78e319c4ca..fb400e998c2b 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -47,6 +47,7 @@ struct tls_decrypt_arg { bool zc; bool async; + bool async_done; }; noinline void tls_err_abort(struct sock *sk, int err) @@ -289,15 +290,18 @@ static int tls_do_decryption(struct sock *sk, } ret = crypto_aead_decrypt(aead_req); + if (ret == -EINPROGRESS) + return 0; + if (ret == -EBUSY) { ret = tls_decrypt_async_wait(ctx); - ret = ret ?: -EINPROGRESS; - } - if (ret == -EINPROGRESS) { - return 0; - } else if (darg->async) { - atomic_dec(&ctx->decrypt_pending); + darg->async_done = true; + /* all completions have run, we're not doing async anymore */ + darg->async = false; + return ret; } + + atomic_dec(&ctx->decrypt_pending); darg->async = false; return ret; @@ -1554,9 +1558,17 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, /* Prepare and submit AEAD request */ err = tls_do_decryption(sk, skb, sgin, sgout, iv, data_len, aead_req, darg); + if (err) { + if (darg->async_done) + return err; + } + if (darg->async) return 0; + if (unlikely(darg->async_done)) + return 0; + /* Release the pages in case iov was mapped to pages */ for (; pages > 0; pages--) put_page(sg_page(&sgout[pages]));