Skip to content

Commit 28676d8

Browse files
Johannes Thumshirnmartinkpetersen
Johannes Thumshirn
authored and
martinkpetersen
committed
scsi: sg: check for valid direction before starting the request
Check for a valid direction before starting the request, otherwise we risk running into an assertion in the scsi midlayer checking for valid requests. [mkp: fixed typo] Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Link: http://www.spinics.net/lists/linux-scsi/msg104400.html Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Hannes Reinecke <hare@suse.com> Tested-by: Johannes Thumshirn <jthumshirn@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent 1bc0eb0 commit 28676d8

File tree

1 file changed

+34
-12
lines changed

1 file changed

+34
-12
lines changed

drivers/scsi/sg.c

Lines changed: 34 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -663,18 +663,14 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
663663
* is a non-zero input_size, so emit a warning.
664664
*/
665665
if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
666-
static char cmd[TASK_COMM_LEN];
667-
if (strcmp(current->comm, cmd)) {
668-
printk_ratelimited(KERN_WARNING
669-
"sg_write: data in/out %d/%d bytes "
670-
"for SCSI command 0x%x-- guessing "
671-
"data in;\n program %s not setting "
672-
"count and/or reply_len properly\n",
673-
old_hdr.reply_len - (int)SZ_SG_HEADER,
674-
input_size, (unsigned int) cmnd[0],
675-
current->comm);
676-
strcpy(cmd, current->comm);
677-
}
666+
printk_ratelimited(KERN_WARNING
667+
"sg_write: data in/out %d/%d bytes "
668+
"for SCSI command 0x%x-- guessing "
669+
"data in;\n program %s not setting "
670+
"count and/or reply_len properly\n",
671+
old_hdr.reply_len - (int)SZ_SG_HEADER,
672+
input_size, (unsigned int) cmnd[0],
673+
current->comm);
678674
}
679675
k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking);
680676
return (k < 0) ? k : count;
@@ -753,6 +749,29 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
753749
return count;
754750
}
755751

752+
static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
753+
{
754+
switch (hp->dxfer_direction) {
755+
case SG_DXFER_NONE:
756+
if (hp->dxferp || hp->dxfer_len > 0)
757+
return false;
758+
return true;
759+
case SG_DXFER_TO_DEV:
760+
case SG_DXFER_FROM_DEV:
761+
case SG_DXFER_TO_FROM_DEV:
762+
if (!hp->dxferp || hp->dxfer_len == 0)
763+
return false;
764+
return true;
765+
case SG_DXFER_UNKNOWN:
766+
if ((!hp->dxferp && hp->dxfer_len) ||
767+
(hp->dxferp && hp->dxfer_len == 0))
768+
return false;
769+
return true;
770+
default:
771+
return false;
772+
}
773+
}
774+
756775
static int
757776
sg_common_write(Sg_fd * sfp, Sg_request * srp,
758777
unsigned char *cmnd, int timeout, int blocking)
@@ -773,6 +792,9 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
773792
"sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
774793
(int) cmnd[0], (int) hp->cmd_len));
775794

795+
if (!sg_is_valid_dxfer(hp))
796+
return -EINVAL;
797+
776798
k = sg_start_req(srp, cmnd);
777799
if (k) {
778800
SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,

0 commit comments

Comments
 (0)