+++ /dev/null
-From c6ade20f5e50e188d20b711a618b20dd1d50457e Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig <hch@lst.de>
-Date: Tue, 25 Apr 2017 13:39:54 +0200
-Subject: libata: reject passthrough WRITE SAME requests
-
-From: Christoph Hellwig <hch@lst.de>
-
-commit c6ade20f5e50e188d20b711a618b20dd1d50457e upstream.
-
-The WRITE SAME to TRIM translation rewrites the DATA OUT buffer. While
-the SCSI code accomodates for this by passing a read-writable buffer
-userspace applications don't cater for this behavior. In fact it can
-be used to rewrite e.g. a readonly file through mmap and should be
-considered as a security fix.
-
-Signed-off-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/ata/libata-scsi.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -3487,6 +3487,14 @@ static unsigned int ata_scsi_write_same_
- if (unlikely(!dev->dma_mode))
- goto invalid_opcode;
-
-+ /*
-+ * We only allow sending this command through the block layer,
-+ * as it modifies the DATA OUT buffer, which would corrupt user
-+ * memory for SG_IO commands.
-+ */
-+ if (unlikely(blk_rq_is_passthrough(scmd->request)))
-+ goto invalid_opcode;
-+
- if (unlikely(scmd->cmd_len < 16)) {
- fp = 15;
- goto invalid_fld;
bluetooth-fix-user-channel-for-32bit-userspace-on-64bit-kernel.patch
bluetooth-hci_bcm-add-missing-tty-device-sanity-check.patch
bluetooth-hci_intel-add-missing-tty-device-sanity-check.patch
-libata-reject-passthrough-write-same-requests.patch
+++ /dev/null
-From c6ade20f5e50e188d20b711a618b20dd1d50457e Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig <hch@lst.de>
-Date: Tue, 25 Apr 2017 13:39:54 +0200
-Subject: libata: reject passthrough WRITE SAME requests
-
-From: Christoph Hellwig <hch@lst.de>
-
-commit c6ade20f5e50e188d20b711a618b20dd1d50457e upstream.
-
-The WRITE SAME to TRIM translation rewrites the DATA OUT buffer. While
-the SCSI code accomodates for this by passing a read-writable buffer
-userspace applications don't cater for this behavior. In fact it can
-be used to rewrite e.g. a readonly file through mmap and should be
-considered as a security fix.
-
-Signed-off-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/ata/libata-scsi.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -3405,6 +3405,14 @@ static unsigned int ata_scsi_write_same_
- if (unlikely(!dev->dma_mode))
- goto invalid_opcode;
-
-+ /*
-+ * We only allow sending this command through the block layer,
-+ * as it modifies the DATA OUT buffer, which would corrupt user
-+ * memory for SG_IO commands.
-+ */
-+ if (unlikely(blk_rq_is_passthrough(scmd->request)))
-+ goto invalid_opcode;
-+
- if (unlikely(scmd->cmd_len < 16)) {
- fp = 15;
- goto invalid_fld;
bluetooth-fix-user-channel-for-32bit-userspace-on-64bit-kernel.patch
bluetooth-hci_bcm-add-missing-tty-device-sanity-check.patch
bluetooth-hci_intel-add-missing-tty-device-sanity-check.patch
-libata-reject-passthrough-write-same-requests.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
