linux/drivers/scsi
Douglas Gilbert f6a695cf7a sg: fix dxferp in from_to case
One of the strange things that the original sg driver did was let the
user provide both a data-out buffer (it followed the sg_header+cdb)
_and_ specify a reply length greater than zero. What happened was that
the user data-out buffer was copied into some kernel buffers and then
the mid level was told a read type operation would take place with the
data from the device overwriting the same kernel buffers. The user would
then read those kernel buffers back into the user space.

From what I can tell, the above action was broken by commit fad7f01e61
("sg: set dxferp to NULL for READ with the older SG interface") in 2008
and syzkaller found that out recently.

Make sure that a user space pointer is passed through when data follows
the sg_header structure and command.  Fix the abnormal case when a
non-zero reply_len is also given.

Fixes: fad7f01e61
Cc: <stable@vger.kernel.org> #v2.6.28+
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2016-03-14 15:50:25 -04:00
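Added example, not part of the commit above or of the kernel tree: a small C model of the old, sg_header-based write() request layout that the commit message describes. It lays out header, CDB and data-out the way a user program would hand them to /dev/sg, then classifies the request the way the message explains it: bytes after header+CDB are data-out, a reply_len larger than the header asks for data-in, and both together are the from_to case whose user data pointer (dxferp) must be passed through. struct old_sg_header mirrors the layout of struct sg_header in <scsi/sg.h>; the CDB-length-by-command-group table, the direction rules and the sample CDBs are this example's own assumptions and constructed input, not the driver's code.

```c
/* Added example, not kernel code: models the old sg_header-based /dev/sg write() request
 * layout the commit message describes and classifies it the way the message explains.
 * struct old_sg_header mirrors struct sg_header in <scsi/sg.h>; the direction and
 * sizing rules are this example's reading of the message, not the driver's source. */
#include <stdio.h>
#include <string.h>

struct old_sg_header {
    int pack_len;               /* [o] ignored as input */
    int reply_len;              /* [i] max reply length, header included */
    int pack_id, result;        /* [io] packet id; [o] 0 == ok, else an errno value */
    unsigned int twelve_byte:1; /* [i] force a 12-byte CDB for group 6/7 opcodes */
    unsigned int target_status:5, host_status:8, driver_status:8, other_flags:10;
    unsigned char sense_buffer[16];
};                              /* 36 bytes with 4-byte int */
#define OLD_SG_HDR ((int)sizeof(struct old_sg_header))

enum dxfer_dir { DXFER_NONE, DXFER_TO_DEV, DXFER_FROM_DEV, DXFER_TO_FROM_DEV };
struct parsed_req {
    enum dxfer_dir dir;
    int cdb_len;
    int dout_len;    /* bytes following header+CDB in the written buffer */
    int din_len;     /* reply_len minus header: bytes the reply may carry */
    int dxfer_len;   /* max(dout_len, din_len): what a staging buffer must hold */
    long dxferp_off; /* offset of the user data-out pointer, -1 when there is none */
};

/* CDB length from the SCSI command group (opcode >> 5); vendor groups 6 and 7
 * (opcode >= 0xc0) count as 12 bytes when twelve_byte is set. */
static int cdb_len_for(unsigned char opcode, int twelve_byte)
{
    static const int group_size[8] = { 6, 10, 10, 12, 16, 12, 10, 10 };
    return (opcode >= 0xc0 && twelve_byte) ? 12 : group_size[opcode >> 5];
}

/* Lay out header, CDB and optional data-out in buf; returns byte count or -1. */
static int build_old_request(unsigned char *buf, size_t bufsz, const unsigned char *cdb,
                             int twelve_byte, const unsigned char *dout, int dout_len, int din_len)
{
    struct old_sg_header hdr;
    int cdb_len = cdb_len_for(cdb[0], twelve_byte);
    size_t total = (size_t)OLD_SG_HDR + cdb_len + dout_len;
    if (dout_len < 0 || din_len < 0 || total > bufsz)
        return -1;
    memset(&hdr, 0, sizeof hdr);
    hdr.reply_len = OLD_SG_HDR + din_len; /* the header itself is always read back */
    hdr.twelve_byte = twelve_byte ? 1 : 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + OLD_SG_HDR, cdb, (size_t)cdb_len);
    if (dout_len > 0)
        memcpy(buf + OLD_SG_HDR + cdb_len, dout, (size_t)dout_len);
    return (int)total;
}

/* Classify a written request; returns 0, or -1 when it is too short. */
static int parse_old_request(const unsigned char *buf, size_t count, struct parsed_req *pr)
{
    struct old_sg_header hdr;
    if (count < (size_t)OLD_SG_HDR)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    pr->cdb_len = cdb_len_for(buf[OLD_SG_HDR], hdr.twelve_byte);
    if (count < (size_t)OLD_SG_HDR + pr->cdb_len)
        return -1;                               /* truncated CDB */
    pr->dout_len = (int)count - OLD_SG_HDR - pr->cdb_len;
    pr->din_len = hdr.reply_len > OLD_SG_HDR ? hdr.reply_len - OLD_SG_HDR : 0;
    pr->dxfer_len = pr->dout_len > pr->din_len ? pr->dout_len : pr->din_len;
    if (pr->dout_len > 0) /* data follows header+CDB: the user pointer must be kept */
        pr->dir = pr->din_len > 0 ? DXFER_TO_FROM_DEV : DXFER_TO_DEV;
    else
        pr->dir = pr->din_len > 0 ? DXFER_FROM_DEV : DXFER_NONE;
    pr->dxferp_off = pr->dout_len > 0 ? OLD_SG_HDR + pr->cdb_len : -1;
    return 0;
}

/* Constructed sample requests (not captured traffic): 0 = from_to (MODE SELECT(6), 8-byte
 * parameter list, 64-byte reply), 1 = to_dev (WRITE(10)), 2 = from_dev (INQUIRY), 3 = none. */
static int sample_request(int kind, struct parsed_req *pr)
{
    static const unsigned char cdbs[4][10] = {
        { 0x15, 0x10, 0, 0, 8, 0 }, { 0x2a, 0, 0, 0, 0, 0, 0, 0, 1, 0 },
        { 0x12, 0, 0, 0, 36, 0 }, { 0 } };
    static const int dout_len[4] = { 8, 512, 0, 0 }, din_len[4] = { 64, 0, 36, 0 };
    unsigned char dout[512] = { 0xa5 }, buf[600];
    int n;
    if (kind < 0 || kind > 3) return -1;
    n = build_old_request(buf, sizeof buf, cdbs[kind], 0, dout, dout_len[kind], din_len[kind]);
    return n < 0 ? -1 : parse_old_request(buf, (size_t)n, pr);
}

int main(void)
{
    struct parsed_req pr;
    for (int k = 0; k < 4; k++)
        if (sample_request(k, &pr) == 0)
            printf("sample %d: dir=%d cdb=%d dout=%d din=%d dxfer_len=%d dxferp_off=%ld\n",
                   k, pr.dir, pr.cdb_len, pr.dout_len, pr.din_len, pr.dxfer_len, pr.dxferp_off);
    return 0;
}
```

Compiled with any C99 compiler and run, it prints one line per sample. The from_to sample (kind 0) classifies as DXFER_TO_FROM_DEV with dxferp_off 42, the 36-byte header plus the 6-byte CDB: that is the user-space offset the fix keeps in dxferp instead of dropping it to NULL, and its staging size is the larger of the 8 data-out bytes and the 64-byte reply. Nothing here touches a real /dev/sg node.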
aacraid aacraid: Update driver version 2016-02-23 21:27:02 -05:00
aic7xxx aic7xxx: Fix queue depth handling 2016-02-23 21:27:02 -05:00
aic94xx scsi: Centralise ssp frame information units 2015-11-25 22:12:50 -05:00
arcmsr arcmsr: change driver version to v1.30.00.22-20151126 2015-11-30 18:51:20 -05:00
arm scsi: fas216: avoid fas216_log_setup for loadable module 2016-02-23 21:27:02 -05:00
be2iscsi be2iscsi: set the boot_kset pointer to NULL in case of failure 2016-03-14 15:50:11 -04:00
bfa bfa: deinline __bfa_trc() and __bfa_trc32() 2016-02-23 21:27:02 -05:00
bnx2fc bnx2fc: bnx2fc_eh_abort(): fix wrong return code. 2016-02-23 21:27:02 -05:00
bnx2i bnx2i: Fix call trace while device reset 2015-06-02 17:15:24 -07:00
csiostor scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
cxgbi cxgbi: Typo in MODULE_PARM_DESC 2016-01-08 12:51:04 -05:00
cxlflash cxlflash: Increase cmd_per_lun for better throughput 2016-03-08 21:17:33 -05:00
device_handler scsi_dh_emc: update 'access_state' field 2016-03-05 17:20:33 -05:00
dpt
esas2r esas2r: Fix array overrun 2016-02-23 21:27:02 -05:00
fcoe fcoe: fix reset of fip selection time. 2016-02-29 21:02:20 -05:00
fnic scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
hisi_sas hisi_sas: update driver version to 1.3 2016-02-29 21:00:03 -05:00
ibmvscsi ibmvfc: byteswap scsi_id, wwpn, and node_name prior to logging 2016-02-23 21:27:02 -05:00
isci SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
libfc libfc: Use the correct function name in kernel-doc comment. 2015-11-09 17:15:52 -08:00
libsas Merge branch 'for-4.0-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2015-03-24 17:08:29 -07:00
lpfc lpfc: fix missing zero termination in debugfs 2016-02-23 21:27:02 -05:00
megaraid megaraid_sas: Don't issue kill adapter for MFI controllers in case of PD list DCMD failure 2016-03-10 20:25:31 -05:00
mpt3sas mpt3sas: Remove unnecessary synchronize_irq() before free_irq() 2016-03-09 20:42:47 -05:00
mvsas Merge branch 'jejb-scsi' into misc 2016-01-07 15:51:13 -08:00
osd osd: remove deadcode 2016-02-25 21:11:42 -05:00
pcmcia scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
pm8001 SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
qla2xxx qla2xxx: Update driver version to 8.07.00.33-k 2016-02-23 21:27:02 -05:00
qla4xxx scsi: qla4xxx: shut up warning for rd_reg_indirect 2016-02-23 21:27:02 -05:00
snic snic: correctly check for array overrun on overly long version number 2016-03-01 20:08:49 -05:00
sym53c8xx_2 scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ufs scsi: ufs: fix typo in comment 2016-02-23 21:27:02 -05:00
.gitignore
3w-9xxx.c 3w-9xxx: don't unmap bounce buffered commands 2015-10-07 10:24:48 -07:00
3w-9xxx.h 3w-9xxx: fix command completion race 2015-04-27 10:10:19 -07:00
3w-sas.c 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-sas.h 3w-sas: fix command completion race 2015-04-27 10:04:39 -07:00
3w-xxxx.c 3w-xxxx: Pass through compat mode ioctls 2016-01-08 12:51:03 -05:00
3w-xxxx.h 3w-xxxx: fix command completion race 2015-04-27 10:05:55 -07:00
53c700_d.h_shipped
53c700.c scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
53c700.h
53c700.scr
a100u2w.c scsi: a100u2w: trivial typo in printk 2015-08-07 15:03:42 +02:00
a100u2w.h
a2091.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
a2091.h
a3000.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
a3000.h
a4000t.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
advansys.c Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
aha152x.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha152x.h
aha1542.c scsi: aha1542: avoid uninitialized variable warnings 2016-02-23 21:27:02 -05:00
aha1542.h aha1542: fix include guard and remove useless changelog 2015-04-09 18:08:31 -07:00
aha1740.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
aha1740.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
am53c974.c am53c974: Fix crash during modprobe 2015-04-17 10:13:56 -07:00
atari_NCR5380.c ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate 2016-03-01 09:38:58 -05:00
atari_scsi.c atari_scsi, sun3_scsi: Remove global Scsi_Host pointer 2016-01-06 21:43:08 -05:00
atp870u.c atp870u: Introduce atp870_init() 2015-11-25 22:08:55 -05:00
atp870u.h atp870u: Remove scam_on from struct atp_unit 2015-11-25 22:08:52 -05:00
BusLogic.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
BusLogic.h
bvme6000_scsi.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
ch.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-04-14 09:50:27 -07:00
constants.c scsi: Conditionally compile in constants.c 2015-01-09 15:44:31 +01:00
dc395x.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
dc395x.h
dmx3191d.c ncr5380: Fix soft lockups 2016-01-06 21:43:09 -05:00
dpt_i2o.c dpt_i2o: fix build warning 2016-02-23 21:27:02 -05:00
dpti.h scsi: use 64-bit LUNs 2014-07-17 22:07:37 +02:00
dtc.c ncr5380: Fix soft lockups 2016-01-06 21:43:09 -05:00
dtc.h ncr5380: Fix and cleanup scsi_host_template initializers 2016-01-06 21:43:03 -05:00
eata_generic.h
eata_pio.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
eata_pio.h
eata.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
esp_scsi.c scsi: use host wide tags by default 2015-11-09 17:11:57 -08:00
esp_scsi.h esp_scsi: correctly detect am53c974 2014-11-24 16:13:16 +01:00
fdomain.c scsi: fdomain: drop fdomain_pci_tbl when built-in 2016-02-23 21:27:02 -05:00
fdomain.h
FlashPoint.c FlashPoint: fix build warning 2015-11-09 16:32:14 -08:00
g_NCR5380_mmio.c
g_NCR5380.c ncr5380: Add support for HP C2502 2016-01-06 21:43:13 -05:00
g_NCR5380.h ncr5380: Add support for HP C2502 2016-01-06 21:43:13 -05:00
gdth_ioctl.h
gdth_proc.c gdth: replace struct timeval with ktime_get_real_seconds() 2016-02-25 21:16:49 -05:00
gdth_proc.h
gdth.c gdth: replace struct timeval with ktime_get_real_seconds() 2016-02-25 21:16:49 -05:00
gdth.h
gvp11.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00
gvp11.h
hosts.c scsi: Use ida for host number management 2016-02-23 21:27:02 -05:00
hpsa_cmd.h hpsa: update copyright information 2016-02-23 21:27:02 -05:00
hpsa.c hpsa: update copyright information 2016-02-23 21:27:02 -05:00
hpsa.h hpsa: update copyright information 2016-02-23 21:27:02 -05:00
hptiop.c hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
hptiop.h hptiop: Support HighPoint RR36xx HBAs and Support SAS tape and SAS media changer 2015-08-12 13:14:57 -07:00
imm.c imm: check parport_claim 2016-02-25 21:10:53 -05:00
imm.h
in2000.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
in2000.h
initio.c SCSI: initio: remove duplicate module device table 2015-11-20 11:39:03 -05:00
initio.h
ipr.c Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
ipr.h irq_poll: make blk-iopoll available outside the block layer 2015-12-11 11:52:24 -08:00
ips.c ips: remove pointless #warning 2015-06-02 17:24:54 -07:00
ips.h
iscsi_boot_sysfs.c [SCSI] iscsi_boot_sysfs: Fix a memory leak in iscsi_boot_destroy_kset() 2014-03-15 10:19:19 -07:00
iscsi_tcp.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
iscsi_tcp.h net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
jazz_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
Kconfig scsi: storvsc: Fix a build issue reported by kbuild test robot 2016-03-05 17:01:04 -05:00
lasi700.c
libiscsi_tcp.c [SCSI] libiscsi: Reduce locking contention in fast path 2014-03-15 10:19:18 -07:00
libiscsi.c libiscsi: Fix iscsi_check_transport_timeouts possible infinite loop 2015-09-17 07:25:02 -07:00
mac53c94.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
mac53c94.h
mac_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
mac_scsi.c ncr5380: Fix soft lockups 2016-01-06 21:43:09 -05:00
Makefile hisi_sas: Add initial bare main driver 2015-11-25 22:12:51 -05:00
megaraid.c megaraid : use dev_printk when possible 2015-08-26 07:23:04 -07:00
megaraid.h [SCSI] megaraid: simplify internal command handling 2014-03-27 08:26:31 -07:00
mesh.c powerpc: Move Power Macintosh drivers to generic byteswappers 2015-03-23 14:29:40 +11:00
mesh.h
mvme16x_scsi.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
mvme147.c
mvme147.h
mvumi.c scsi: mvumi: use __maybe_unused to hide pm functions 2016-03-05 17:07:46 -05:00
mvumi.h
ncr53c8xx.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ncr53c8xx.h scsi: Remove CONFIG_SCSI_MULTI_LUN 2014-07-17 22:07:35 +02:00
NCR53c406a.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
NCR5380.c ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate 2016-03-01 09:38:58 -05:00
NCR5380.h ncr5380: Use runtime register mapping 2016-01-06 21:43:10 -05:00
NCR_D700.c
NCR_D700.h
NCR_Q720.c
NCR_Q720.h
nsp32_debug.c
nsp32_io.h
nsp32.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
nsp32.h
osst_detect.h
osst_options.h
osst.c scsi: remove scsi_driver owner field 2014-11-24 20:01:28 +01:00
osst.h
pas16.c ncr5380: Fix soft lockups 2016-01-06 21:43:09 -05:00
pas16.h ncr5380: Fix and cleanup scsi_host_template initializers 2016-01-06 21:43:03 -05:00
pmcraid.c SCSI queue for 4.4. 2015-11-12 07:06:18 -05:00
pmcraid.h
ppa.c scsi: ppa: use new parport device model 2016-02-23 21:27:02 -05:00
ppa.h
ps3rom.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qla1280.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qla1280.h
qlogicfas408.c
qlogicfas408.h
qlogicfas.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
qlogicpti.c qlogicpti: Return correct error code 2016-03-01 20:06:49 -05:00
qlogicpti.h
raid_class.c
script_asm.pl
scsi_common.c scsi: Protect against buffer possible overflow in scsi_set_sense_information 2015-07-23 22:53:05 -07:00
scsi_debug.c Merge branch 'jejb-scsi' into misc 2016-01-07 15:51:13 -08:00
scsi_devinfo.c scsi_dh_alua: Add new blacklist flag 'BLIST_SYNC_ALUA' 2016-02-23 21:27:02 -05:00
scsi_dh.c scsi_dh: move 'dh_state' sysfs attribute to generic code 2015-12-02 16:29:19 -05:00
scsi_error.c mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM 2015-11-06 17:50:42 -08:00
scsi_ioctl.c scsi: return EAGAIN when resetting a device under EH 2014-11-12 11:16:12 +01:00
scsi_lib_dma.c
scsi_lib.c scsi_dh: add 'rescan' callback 2016-02-23 21:27:02 -05:00
scsi_logging.c scsi_logging: return void for dev_printk() functions 2015-02-04 08:00:24 -08:00
scsi_logging.h scsi: simplify scsi_log_(send|completion) 2014-11-12 11:16:05 +01:00
scsi_module.c
scsi_netlink.c net: Use netlink_ns_capable to verify the permisions of netlink messages 2014-04-24 13:44:54 -04:00
scsi_pm.c Revert "SCSI: Fix NULL pointer dereference in runtime PM" 2015-12-10 12:24:44 -05:00
scsi_priv.h scsi_dh: move 'dh_state' sysfs attribute to generic code 2015-12-02 16:29:19 -05:00
scsi_proc.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
scsi_sas_internal.h
scsi_scan.c scsi_dh: add 'rescan' callback 2016-02-23 21:27:02 -05:00
scsi_sysctl.c scsi: convert use of typedef ctl_table to struct ctl_table 2014-06-06 16:08:16 -07:00
scsi_sysfs.c scsi_sysfs: Fix typo in is_bin_visible() 2016-03-10 20:29:54 -05:00
scsi_trace.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
scsi_transport_api.h
scsi_transport_fc.c scsi_transport_fc: Introduce scsi_host_{get,put}() 2015-11-30 17:43:55 -05:00
scsi_transport_iscsi.c scsi_transport_iscsi: Add 25G and 40G speed definition 2016-02-23 21:27:02 -05:00
scsi_transport_sas.c scsi_transport_sas: add function to get SAS endpoint address 2015-12-18 19:29:50 -08:00
scsi_transport_spi.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
scsi_transport_srp.c IB/srp: Avoid using uninitialized variable 2015-07-14 13:20:09 -04:00
scsi_typedefs.h
scsi.c scsi: rescan VPD attributes 2015-11-30 11:23:45 -05:00
scsi.h
scsicam.c scsi: PC partition tables are little endian 2014-11-12 11:15:54 +01:00
sd_dif.c block: Consolidate static integrity profile properties 2015-10-21 14:42:38 -06:00
sd.c sd: Fix discard granularity when LBPRZ=1 2016-03-14 15:50:06 -04:00
sd.h block/sd: Fix device-imposed transfer length limits 2015-11-25 21:38:58 -05:00
ses.c ses: fix discovery of SATA devices in SAS enclosures 2015-12-18 19:29:50 -08:00
sg.c sg: fix dxferp in from_to case 2016-03-14 15:50:25 -04:00
sgiwd93.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sim710.c scsi: sim710: fix build warning 2016-02-23 21:27:02 -05:00
sni_53c710.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sr_ioctl.c sr: reduce debug noise in sr_do_ioctl 2015-01-20 19:43:24 +01:00
sr_vendor.c scsi: Implement sr_printk() 2014-07-17 22:07:39 +02:00
sr.c SCSI: fix crashes in sd and sr runtime PM 2016-01-26 17:24:16 -08:00
sr.h scsi: introduce sdev_prefix_printk() 2014-11-12 11:15:57 +01:00
st_options.h
st.c st: Fix MTMKPART to work with newer drives 2016-02-23 21:27:02 -05:00
st.h st: Remove obsolete scsi_tape.max_pfn 2015-11-18 11:59:09 -05:00
stex.c stex: Add S3/S4 support 2016-02-23 21:27:02 -05:00
storvsc_drv.c scsi: storvsc: fix SRB_STATUS_ABORTED handling 2016-03-14 15:50:16 -04:00
sun3_scsi_vme.c scsi/NCR5380: merge sun3_scsi_vme.c into sun3_scsi.c 2014-05-28 12:16:28 +02:00
sun3_scsi.c atari_scsi, sun3_scsi: Remove global Scsi_Host pointer 2016-01-06 21:43:08 -05:00
sun3_scsi.h sun3_scsi: Move macro definitions 2014-11-20 09:11:15 +01:00
sun3x_esp.c arch, drivers: don't include <asm/io.h> directly, use <linux/io.h> instead 2015-08-10 23:07:05 -04:00
sun_esp.c scsi: drop owner assignment from platform_drivers 2014-10-20 16:21:33 +02:00
sym53c416.c scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
sym53c416.h
t128.c ncr5380: Fix soft lockups 2016-01-06 21:43:09 -05:00
t128.h ncr5380: Fix and cleanup scsi_host_template initializers 2016-01-06 21:43:03 -05:00
u14-34f.c scsi: drop reason argument from ->change_queue_depth 2014-11-24 14:45:27 +01:00
ultrastor.c
ultrastor.h
virtio_scsi.c virtio/vhost: fixes for 4.2 2015-07-23 13:07:04 -07:00
vmw_pvscsi.c VMW_PVSCSI: Fix the issue of DMA-API related warnings. 2015-12-10 12:57:04 -05:00
vmw_pvscsi.h VMW_PVSCSI: Fix the issue of DMA-API related warnings. 2015-12-10 12:57:04 -05:00
wd33c93.c scsi: print single-character strings with seq_putc 2015-02-02 09:57:46 -08:00
wd33c93.h
wd719x.c [SCSI] Fix printk typos in drivers/scsi 2015-08-07 14:28:45 +02:00
wd719x.h scsi: Do not set cmd_per_lun to 1 in the host template 2015-05-31 18:06:28 -07:00
wd7000.c scsi: replace seq_printf with seq_puts 2015-02-02 09:57:45 -08:00
xen-scsifront.c xen: Use correctly the Xen memory terminologies 2015-09-08 18:03:49 +01:00
zalon.c
zorro7xx.c zorro: ZTWO_VADDR() should return "void __iomem *" 2013-11-26 11:09:07 +01:00