projects / unionfs-2.6.39.y.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1d2c2b4)
SCSI: sg: fix iovec bugs introduced by the block layer conversion
authorFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Mon, 6 Apr 2009 20:55:08 +0000 (20:55 +0000)
committerChris Wright <chrisw@sous-sol.org>
Mon, 27 Apr 2009 17:36:53 +0000 (10:36 -0700)
upstream commit: 0fdf96b67ac2649cc1ddb29b316a0db11586c6a8

- needs to use copy_from_user for iovec before passing it to
blk_rq_map_user_iov().

- before the block layer conversion, if ->dxfer_len and sum of iovec
disagrees, the shorter one wins. However, currently sg returns
-EINVAL. This restores the old behavior.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Cc: stable@kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
drivers/scsi/sg.c patch | blob | history

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 516925d8b570c3fab05d5d1b0a6b729e0ebce395..0aa7e1fd0aa422422bf50842494133b7fc1e33f8 100644 (file)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1673,10 +1673,30 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
                md->null_mapped = hp->dxferp ? 0 : 1;
        }
 
-       if (iov_count)
-               res = blk_rq_map_user_iov(q, rq, md, hp->dxferp, iov_count,
-                                         hp->dxfer_len, GFP_ATOMIC);
-       else
+       if (iov_count) {
+               int len, size = sizeof(struct sg_iovec) * iov_count;
+               struct iovec *iov;
+
+               iov = kmalloc(size, GFP_ATOMIC);
+               if (!iov)
+                       return -ENOMEM;
+
+               if (copy_from_user(iov, hp->dxferp, size)) {
+                       kfree(iov);
+                       return -EFAULT;
+               }
+
+               len = iov_length(iov, iov_count);
+               if (hp->dxfer_len < len) {
+                       iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
+                       len = hp->dxfer_len;
+               }
+
+               res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
+                                         iov_count,
+                                         len, GFP_ATOMIC);
+               kfree(iov);
+       } else
                res = blk_rq_map_user(q, rq, md, hp->dxferp,
                                      hp->dxfer_len, GFP_ATOMIC);
 
unionfs2-2.6.39.y