From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 11 Aug 2017 19:35:52 +0000 (-0700)
Subject: 4.12-stable patches
X-Git-Tag: v3.18.65~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0603ae46ec28c3e6fc636167101b72d147c7e6f1;p=thirdparty%2Fkernel%2Fstable-queue.git

4.12-stable patches

added patches:
	scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
---

diff --git a/queue-4.12/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch b/queue-4.12/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
new file mode 100644
index 00000000000..5a23ceaa08a
--- /dev/null
+++ b/queue-4.12/scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch
@@ -0,0 +1,71 @@
+From f930c7043663188429cd9b254e9d761edfc101ce Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Thu, 27 Jul 2017 09:11:26 +0200
+Subject: scsi: sg: only check for dxfer_len greater than 256M
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit f930c7043663188429cd9b254e9d761edfc101ce upstream.
+
+Don't make any assumptions on the sg_io_hdr_t::dxfer_direction or the
+sg_io_hdr_t::dxferp in order to determine if it is a valid request. The
+only way we can check for bad requests is by checking if the length
+exceeds 256M.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: 28676d869bbb (scsi: sg: check for valid direction before starting the
+request)
+Reported-by: Jason L Tibbitts III <tibbs@math.uh.edu>
+Tested-by: Jason L Tibbitts III <tibbs@math.uh.edu>
+Suggested-by: Doug Gilbert <dgilbert@interlog.com>
+Cc: Doug Gilbert <dgilbert@interlog.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/scsi/sg.c |   25 +------------------------
+ 1 file changed, 1 insertion(+), 24 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -751,29 +751,6 @@ sg_new_write(Sg_fd *sfp, struct file *fi
+ 	return count;
+ }
+ 
+-static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
+-{
+-	switch (hp->dxfer_direction) {
+-	case SG_DXFER_NONE:
+-		if (hp->dxferp || hp->dxfer_len > 0)
+-			return false;
+-		return true;
+-	case SG_DXFER_TO_DEV:
+-	case SG_DXFER_FROM_DEV:
+-	case SG_DXFER_TO_FROM_DEV:
+-		if (!hp->dxferp || hp->dxfer_len == 0)
+-			return false;
+-		return true;
+-	case SG_DXFER_UNKNOWN:
+-		if ((!hp->dxferp && hp->dxfer_len) ||
+-		    (hp->dxferp && hp->dxfer_len == 0))
+-			return false;
+-		return true;
+-	default:
+-		return false;
+-	}
+-}
+-
+ static int
+ sg_common_write(Sg_fd * sfp, Sg_request * srp,
+ 		unsigned char *cmnd, int timeout, int blocking)
+@@ -794,7 +771,7 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ 			"sg_common_write:  scsi opcode=0x%02x, cmd_size=%d\n",
+ 			(int) cmnd[0], (int) hp->cmd_len));
+ 
+-	if (!sg_is_valid_dxfer(hp))
++	if (hp->dxfer_len >= SZ_256M)
+ 		return -EINVAL;
+ 
+ 	k = sg_start_req(srp, cmnd);
diff --git a/queue-4.12/series b/queue-4.12/series
index bf2d9c6b793..81fc734a90f 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -13,3 +13,4 @@ net-avoid-skb_warn_bad_offload-false-positives-on-ufo.patch
 igmp-fix-regression-caused-by-igmp-sysctl-namespace-code.patch
 udp-consistently-apply-ufo-or-fragmentation.patch
 packet-fix-tp_reserve-race-in-packet_set_ring.patch
+scsi-sg-only-check-for-dxfer_len-greater-than-256m.patch