aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>2009-04-03 11:35:42 -0400
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2009-04-27 10:38:11 -0400
commite7ee4cc04b058d1eae9c1ac359031301b1798e3f (patch)
tree3edc28a8f84a84b9893813e047b805e2915528c5
parent96bcc722c47d07b6fd05c9d0cb3ab8ea5574c5b1 (diff)
[SCSI] sg: return EFAULT for an invalid user address
blk_rq_unmap_user() returns EFAULT if a program passes an invalid address to kernel (the kernel fails to copy data to user space). sg needs to pass the returned value to user space instead of ignoring it. Before the block layer conversion, sg returns EFAULT properly. This restores the old behavior. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--drivers/scsi/sg.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 82312df9b0bf..e1716f14cd47 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -179,7 +179,7 @@ typedef struct sg_device { /* holds the state of each scsi generic device */
179/* tasklet or soft irq callback */ 179/* tasklet or soft irq callback */
180static void sg_rq_end_io(struct request *rq, int uptodate); 180static void sg_rq_end_io(struct request *rq, int uptodate);
181static int sg_start_req(Sg_request *srp, unsigned char *cmd); 181static int sg_start_req(Sg_request *srp, unsigned char *cmd);
182static void sg_finish_rem_req(Sg_request * srp); 182static int sg_finish_rem_req(Sg_request * srp);
183static int sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size); 183static int sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size);
184static ssize_t sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, 184static ssize_t sg_new_read(Sg_fd * sfp, char __user *buf, size_t count,
185 Sg_request * srp); 185 Sg_request * srp);
@@ -518,7 +518,7 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
518 goto err_out; 518 goto err_out;
519 } 519 }
520err_out: 520err_out:
521 sg_finish_rem_req(srp); 521 err = sg_finish_rem_req(srp);
522 return (0 == err) ? count : err; 522 return (0 == err) ? count : err;
523} 523}
524 524
@@ -1696,9 +1696,10 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
1696 return res; 1696 return res;
1697} 1697}
1698 1698
1699static void 1699static int sg_finish_rem_req(Sg_request * srp)
1700sg_finish_rem_req(Sg_request * srp)
1701{ 1700{
1701 int ret = 0;
1702
1702 Sg_fd *sfp = srp->parentfp; 1703 Sg_fd *sfp = srp->parentfp;
1703 Sg_scatter_hold *req_schp = &srp->data; 1704 Sg_scatter_hold *req_schp = &srp->data;
1704 1705
@@ -1710,12 +1711,14 @@ sg_finish_rem_req(Sg_request * srp)
1710 1711
1711 if (srp->rq) { 1712 if (srp->rq) {
1712 if (srp->bio) 1713 if (srp->bio)
1713 blk_rq_unmap_user(srp->bio); 1714 ret = blk_rq_unmap_user(srp->bio);
1714 1715
1715 blk_put_request(srp->rq); 1716 blk_put_request(srp->rq);
1716 } 1717 }
1717 1718
1718 sg_remove_request(sfp, srp); 1719 sg_remove_request(sfp, srp);
1720
1721 return ret;
1719} 1722}
1720 1723
1721static int 1724static int