| Message ID | 610618d9-e983-fd56-ed0f-639428343af7@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | scsi:sg: add sg_remove_request in sg_write | expand |
On 2020-04-13 10:13 p.m., Wu Bo wrote: > From: Wu Bo <wubo40@huawei.com> > > If the __copy_from_user function return failed, > it should call sg_remove_request in sg_write. This is a fix. Acked-by: Douglas Gilbert <dgilbert@interlog.com> > Signed-off-by: Wu Bo <wubo40@huawei.com> > --- > drivers/scsi/sg.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 4e6af59..ff3f532 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -685,8 +685,10 @@ static int get_sg_io_pack_id(int *pack_id, void __user > *buf, size_t count) > hp->flags = input_size; /* structure abuse ... */ > hp->pack_id = old_hdr.pack_id; > hp->usr_ptr = NULL; > - if (copy_from_user(cmnd, buf, cmd_size)) > + if (copy_from_user(cmnd, buf, cmd_size)) { > + sg_remove_request(sfp, srp); > return -EFAULT; > + } > /* > * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, > * but is is possible that the app intended SG_DXFER_TO_DEV, because there > -- > 1.8.3.1 >
Wu, > If the __copy_from_user function return failed, it should call > sg_remove_request in sg_write. Applied to 5.7/scsi-fixes (by hand, another mangled patch). Thanks.
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 4e6af59..ff3f532 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -685,8 +685,10 @@ static int get_sg_io_pack_id(int *pack_id, void __user *buf, size_t count) hp->flags = input_size; /* structure abuse ... */ hp->pack_id = old_hdr.pack_id; hp->usr_ptr = NULL; - if (copy_from_user(cmnd, buf, cmd_size)) + if (copy_from_user(cmnd, buf, cmd_size)) { + sg_remove_request(sfp, srp); return -EFAULT; + } /* * SG_DXFER_TO_FROM_DEV is functionally equivalent to