Commit 41abcae4 authored by Al Viro's avatar Al Viro Committed by Ben Hutchings

Fix missing sanity check in /dev/sg

commit 137d01df upstream.

What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
to an array full of empty iovecs.

Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...

Found by Dmitry Vyukov and syzkaller.

[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
  underlying issue.  - Linus ]
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: we're not using iov_iter, but can check the
 byte length after truncation]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent e5ca28d1
......@@ -1716,6 +1716,10 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
len = hp->dxfer_len;
}
if (len == 0) {
kfree(iov);
return -EINVAL;
}
res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
iov_count,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment