[SCSI] sg: fix iovec bugs introduced by the block layer conversion

- needs to use copy_from_user for iovec before passing it to blk_rq_map_user_iov(). - before the block layer conversion, if ->dxfer_len and sum of iovec disagrees, the shorter one wins. However, currently sg returns -EINVAL. This restores the old behavior. Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Cc: stable@kernel.org Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
author: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2009-04-02 20:12:20 -0400
committer: James Bottomley <James.Bottomley@HansenPartnership.com> 2009-04-03 10:25:23 -0400
commit: 0fdf96b67ac2649cc1ddb29b316a0db11586c6a8 (patch)
tree: e70a5d8babcae1ec25c0df0722291b31df62a7cb /drivers/scsi/sg.c
parent: f894e74dc1983062d30d4e1b79bdb90b8a847f52 (diff)
1 files changed, 24 insertions, 4 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index ffc87851f2e8..1e405184ed76 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1656,10 +1656,30 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
                md->null_mapped = hp->dxferp ? 0 : 1;
        }
-        if (iov_count)
+        if (iov_count) {
-                res = blk_rq_map_user_iov(q, rq, md, hp->dxferp, iov_count,
+                int len, size = sizeof(struct sg_iovec) * iov_count;
-                                          hp->dxfer_len, GFP_ATOMIC);
+                struct iovec *iov;
-        else
+                iov = kmalloc(size, GFP_ATOMIC);
+                if (!iov)
+                        return -ENOMEM;
+                if (copy_from_user(iov, hp->dxferp, size)) {
+                        kfree(iov);
+                        return -EFAULT;
+                }
+                len = iov_length(iov, iov_count);
+                if (hp->dxfer_len < len) {
+                        iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
+                        len = hp->dxfer_len;
+                }
+                res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
+                                          iov_count,
+                                          len, GFP_ATOMIC);
+                kfree(iov);
+        } else
                res = blk_rq_map_user(q, rq, md, hp->dxferp,
                                      hp->dxfer_len, GFP_ATOMIC);
author	FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>	2009-04-02 20:12:20 -0400
committer	James Bottomley <James.Bottomley@HansenPartnership.com>	2009-04-03 10:25:23 -0400
commit	0fdf96b67ac2649cc1ddb29b316a0db11586c6a8 (patch)
tree	e70a5d8babcae1ec25c0df0722291b31df62a7cb /drivers/scsi/sg.c
parent	f894e74dc1983062d30d4e1b79bdb90b8a847f52 (diff)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index ffc87851f2e8..1e405184ed76 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c
@@ -1656,10 +1656,30 @@ static int sg_start_req(Sg_request srp, unsigned char cmd)
1656	md->null_mapped = hp->dxferp ? 0 : 1;	1656	md->null_mapped = hp->dxferp ? 0 : 1;
1657	}	1657	}
1658		1658
1659	if (iov_count)	1659	if (iov_count) {
1660	res = blk_rq_map_user_iov(q, rq, md, hp->dxferp, iov_count,	1660	int len, size = sizeof(struct sg_iovec) * iov_count;
1661	hp->dxfer_len, GFP_ATOMIC);	1661	struct iovec *iov;
1662	else	1662
		1663	iov = kmalloc(size, GFP_ATOMIC);
		1664	if (!iov)
		1665	return -ENOMEM;
		1666
		1667	if (copy_from_user(iov, hp->dxferp, size)) {
		1668	kfree(iov);
		1669	return -EFAULT;
		1670	}
		1671
		1672	len = iov_length(iov, iov_count);
		1673	if (hp->dxfer_len < len) {
		1674	iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
		1675	len = hp->dxfer_len;
		1676	}
		1677
		1678	res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
		1679	iov_count,
		1680	len, GFP_ATOMIC);
		1681	kfree(iov);
		1682	} else
1663	res = blk_rq_map_user(q, rq, md, hp->dxferp,	1683	res = blk_rq_map_user(q, rq, md, hp->dxferp,
1664	hp->dxfer_len, GFP_ATOMIC);	1684	hp->dxfer_len, GFP_ATOMIC);
1665		1685