summaryrefslogtreecommitdiff
path: root/block/bsg.c
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2016-12-16 13:42:06 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2016-12-22 23:03:42 -0500
commit128394eff343fc6d2f32172f03e24829539c5835 (patch)
tree025d426075681b9904895045929e322429b8a251 /block/bsg.c
parentf698cccbc89e33cda4795a375e47daaa3689485e (diff)
downloadlinux-rpi-128394eff343fc6d2f32172f03e24829539c5835.tar.gz
linux-rpi-128394eff343fc6d2f32172f03e24829539c5835.tar.bz2
linux-rpi-128394eff343fc6d2f32172f03e24829539c5835.zip
sg_write()/bsg_write() is not fit to be called under KERNEL_DS
Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'block/bsg.c')
-rw-r--r--block/bsg.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/block/bsg.c b/block/bsg.c
index 8a05a404ae70..a57046de2f07 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
dprintk("%s: write %Zd bytes\n", bd->name, count);
+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ return -EINVAL;
+
bsg_set_block(bd, file);
bytes_written = 0;