Google Git
Sign in
kernel / pub / scm / linux / kernel / git / paulg / longterm-queue-5.2 / 3667dbef7d8a3829e020a1a910312c9260501cd0 / . / release / 5.2.40 / scsi-sg-add-sg_remove_request-in-sg_write.patch
blob: bd106daf1cec1e30e359de91edd7083b39d2beb6 [file] [log] [blame]
From 054f654ed8486f8ef33c2ace0d455eb0997a3543 Mon Sep 17 00:00:00 2001
From: Wu Bo <wubo40@huawei.com>
Date: Tue, 14 Apr 2020 10:13:28 +0800
Subject: [PATCH] scsi: sg: add sg_remove_request in sg_write
commit 83c6f2390040f188cc25b270b4befeb5628c1aee upstream.
If the __copy_from_user function failed we need to call sg_remove_request
in sg_write.
Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Wu Bo <wubo40@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index cce757506383..d586d5943747 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -689,8 +689,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
hp->flags = input_size; /* structure abuse ... */
hp->pack_id = old_hdr.pack_id;
hp->usr_ptr = NULL;
- if (__copy_from_user(cmnd, buf, cmd_size))
+ if (__copy_from_user(cmnd, buf, cmd_size)) {
+ sg_remove_request(sfp, srp);
return -EFAULT;
+ }
/*
* SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
* but is is possible that the app intended SG_DXFER_TO_DEV, because there
--
2.7.4