diff mbox series

scsi: aacraid: fix a potential data inconsistency caused by double-fetch

Message ID 20181225211136.69702-1-kjlu@umn.edu (mailing list archive)
State Deferred
Headers show
Series scsi: aacraid: fix a potential data inconsistency caused by double-fetch | expand

Commit Message

Kangjie Lu Dec. 25, 2018, 9:11 p.m. UTC 
"user_srb->count" may be changed by malicious user races. Let's set
"user_srbcmd->count" fetched in the second copy to be the one fetched in
the first copy.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
---
 drivers/scsi/aacraid/commctrl.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 25f6600d6c09..eb18117c431a 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -539,6 +539,8 @@  static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 		rcode = -EFAULT;
 		goto cleanup;
 	}
+	/* Ensure user_srb->count is not changed */
+	user_srbcmd->count = fibsize;
 
 	flags = user_srbcmd->flags; /* from user in cpu order */
 	switch (flags & (SRB_DataIn | SRB_DataOut)) {