return put_user(0, p);
}
-static int sg_get_timeout(struct request_queue *q)
+static int __intentional_overflow(-1) sg_get_timeout(struct request_queue *q)
{
return jiffies_to_clock_t(q->sg_timeout);
}
static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
struct sg_io_hdr *hdr, fmode_t mode)
{
- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
+ unsigned char tmpcmd[sizeof(rq->__cmd)];
+ unsigned char *cmdptr;
+
+ if (rq->cmd != rq->__cmd)
+ cmdptr = rq->cmd;
+ else
+ cmdptr = tmpcmd;
+
+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
return -EFAULT;
+
+ if (cmdptr != rq->cmd)
+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
+
if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
return -EPERM;
int err;
unsigned int in_len, out_len, bytes, opcode, cmdlen;
char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
+ unsigned char tmpcmd[sizeof(rq->__cmd)];
+ unsigned char *cmdptr;
if (!sic)
return -EINVAL;
*/
err = -EFAULT;
rq->cmd_len = cmdlen;
- if (copy_from_user(rq->cmd, sic->data, cmdlen))
+
+ if (rq->cmd != rq->__cmd)
+ cmdptr = rq->cmd;
+ else
+ cmdptr = tmpcmd;
+
+ if (copy_from_user(cmdptr, sic->data, cmdlen))
goto error;
+ if (rq->cmd != cmdptr)
+ memcpy(rq->cmd, cmdptr, cmdlen);
+
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
projects / people / ms / linux.git / blobdiff