scsi: sg: check for valid direction before starting the request (28676d86) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/scsi/sg.c

+34 −12

Original line number	Diff line number	Diff line
		@@ -663,8 +663,6 @@ sg_write(struct file filp, const char __user buf, size_t count, loff_t * ppos)
		* is a non-zero input_size, so emit a warning.
		*/
		if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
		static char cmd[TASK_COMM_LEN];
		if (strcmp(current->comm, cmd)) {
		printk_ratelimited(KERN_WARNING
		"sg_write: data in/out %d/%d bytes "
		"for SCSI command 0x%x-- guessing "
		@@ -673,8 +671,6 @@ sg_write(struct file filp, const char __user buf, size_t count, loff_t * ppos)
		old_hdr.reply_len - (int)SZ_SG_HEADER,
		input_size, (unsigned int) cmnd[0],
		current->comm);
		strcpy(cmd, current->comm);
		}
		}
		k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking);
		return (k < 0) ? k : count;
		@@ -753,6 +749,29 @@ sg_new_write(Sg_fd sfp, struct file file, const char __user *buf,
		return count;
		}

		static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
		{
		switch (hp->dxfer_direction) {
		case SG_DXFER_NONE:
		if (hp->dxferp \|\| hp->dxfer_len > 0)
		return false;
		return true;
		case SG_DXFER_TO_DEV:
		case SG_DXFER_FROM_DEV:
		case SG_DXFER_TO_FROM_DEV:
		if (!hp->dxferp \|\| hp->dxfer_len == 0)
		return false;
		return true;
		case SG_DXFER_UNKNOWN:
		if ((!hp->dxferp && hp->dxfer_len) \|\|
		(hp->dxferp && hp->dxfer_len == 0))
		return false;
		return true;
		default:
		return false;
		}
		}

		static int
		sg_common_write(Sg_fd * sfp, Sg_request * srp,
		unsigned char *cmnd, int timeout, int blocking)
		@@ -773,6 +792,9 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
		"sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
		(int) cmnd[0], (int) hp->cmd_len));

		if (!sg_is_valid_dxfer(hp))
		return -EINVAL;

		k = sg_start_req(srp, cmnd);
		if (k) {
		SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,