diff options
-rw-r--r-- | block/bsg.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/block/bsg.c b/block/bsg.c index 23ea4fd1a66d..d8b889d2e411 100644 --- a/block/bsg.c +++ b/block/bsg.c | |||
@@ -174,7 +174,11 @@ unlock: | |||
174 | static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq, | 174 | static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq, |
175 | struct sg_io_v4 *hdr, int has_write_perm) | 175 | struct sg_io_v4 *hdr, int has_write_perm) |
176 | { | 176 | { |
177 | memset(rq->cmd, 0, BLK_MAX_CDB); /* ATAPI hates garbage after CDB */ | 177 | if (hdr->request_len > BLK_MAX_CDB) { |
178 | rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL); | ||
179 | if (!rq->cmd) | ||
180 | return -ENOMEM; | ||
181 | } | ||
178 | 182 | ||
179 | if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request, | 183 | if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request, |
180 | hdr->request_len)) | 184 | hdr->request_len)) |
@@ -211,8 +215,6 @@ bsg_validate_sgv4_hdr(struct request_queue *q, struct sg_io_v4 *hdr, int *rw) | |||
211 | 215 | ||
212 | if (hdr->guard != 'Q') | 216 | if (hdr->guard != 'Q') |
213 | return -EINVAL; | 217 | return -EINVAL; |
214 | if (hdr->request_len > BLK_MAX_CDB) | ||
215 | return -EINVAL; | ||
216 | if (hdr->dout_xfer_len > (q->max_sectors << 9) || | 218 | if (hdr->dout_xfer_len > (q->max_sectors << 9) || |
217 | hdr->din_xfer_len > (q->max_sectors << 9)) | 219 | hdr->din_xfer_len > (q->max_sectors << 9)) |
218 | return -EIO; | 220 | return -EIO; |
@@ -302,6 +304,8 @@ bsg_map_hdr(struct bsg_device *bd, struct sg_io_v4 *hdr) | |||
302 | } | 304 | } |
303 | return rq; | 305 | return rq; |
304 | out: | 306 | out: |
307 | if (rq->cmd != rq->__cmd) | ||
308 | kfree(rq->cmd); | ||
305 | blk_put_request(rq); | 309 | blk_put_request(rq); |
306 | if (next_rq) { | 310 | if (next_rq) { |
307 | blk_rq_unmap_user(next_rq->bio); | 311 | blk_rq_unmap_user(next_rq->bio); |
@@ -455,6 +459,8 @@ static int blk_complete_sgv4_hdr_rq(struct request *rq, struct sg_io_v4 *hdr, | |||
455 | ret = rq->errors; | 459 | ret = rq->errors; |
456 | 460 | ||
457 | blk_rq_unmap_user(bio); | 461 | blk_rq_unmap_user(bio); |
462 | if (rq->cmd != rq->__cmd) | ||
463 | kfree(rq->cmd); | ||
458 | blk_put_request(rq); | 464 | blk_put_request(rq); |
459 | 465 | ||
460 | return ret; | 466 | return ret; |