releases/3.16.3/fix-regression-in-scsi_ioctl_send_command.patch

   1 From 2ba136daa3ae1e881c9f586f283fcaa164767dce Mon Sep 17 00:00:00 2001
   2 From: Tony Battersby <tonyb@cybernetics.com>
   3 Date: Fri, 22 Aug 2014 15:53:35 -0400
   4 Subject: fix regression in SCSI_IOCTL_SEND_COMMAND
   5
   6 From: Tony Battersby <tonyb@cybernetics.com>
   7
   8 commit 2ba136daa3ae1e881c9f586f283fcaa164767dce upstream.
   9
  10 blk_rq_set_block_pc() memsets rq->cmd to 0, so it should come
  11 immediately after blk_get_request() to avoid overwriting the
  12 user-supplied CDB.  Also check for failure to allocate rq.
  13
  14 Fixes: f27b087b81b7 ("block: add blk_rq_set_block_pc()")
  15 Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
  16 Signed-off-by: Jens Axboe <axboe@fb.com>
  17 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18
  19 ---
  20  block/scsi_ioctl.c |    9 +++++++--
  21  1 file changed, 7 insertions(+), 2 deletions(-)
  22
  23 --- a/block/scsi_ioctl.c
  24 +++ b/block/scsi_ioctl.c
  25 @@ -438,6 +438,11 @@ int sg_scsi_ioctl(struct request_queue *
  26         }
  27
  28         rq = blk_get_request(q, in_len ? WRITE : READ, __GFP_WAIT);
  29 +       if (!rq) {
  30 +               err = -ENOMEM;
  31 +               goto error;
  32 +       }
  33 +       blk_rq_set_block_pc(rq);
  34
  35         cmdlen = COMMAND_SIZE(opcode);
  36
  37 @@ -491,7 +496,6 @@ int sg_scsi_ioctl(struct request_queue *
  38         memset(sense, 0, sizeof(sense));
  39         rq->sense = sense;
  40         rq->sense_len = 0;
  41 -       blk_rq_set_block_pc(rq);
  42
  43         blk_execute_rq(q, disk, rq, 0);
  44
  45 @@ -511,7 +515,8 @@ out:
  46
  47  error:
  48         kfree(buffer);
  49 -       blk_put_request(rq);
  50 +       if (rq)
  51 +               blk_put_request(rq);
  52         return err;
  53  }
  54  EXPORT_SYMBOL_GPL(sg_scsi_ioctl);