Flag iter as the data source if dxfer_direction is set to SG_DXFER_TO_DEV or SG_DXFER_TO_FROM_DEV.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 0d8afffd1683..991c6554bef4 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1737,8 +1737,13 @@ sg_start_req(Sg_request *srp, unsigned char *cmd)
 Sg_scatter_hold *rsv_schp = &sfp->reserve;
 struct request_queue *q = sfp->parentdp->device->request_queue;
 struct rq_map_data *md, map_data;
- int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? ITER_SOURCE : ITER_DEST;
 struct scsi_cmnd *scmd;
+ int rw;
+ if (hp->dxfer_direction == SG_DXFER_TO_DEV ||
+ hp->dxfer_direction == SG_DXFER_TO_FROM_DEV)
+ rw = ITER_SOURCE;
+ else
+ rw = ITER_DEST;
 SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
 "sg_start_req: dxfer_len=%d\n",
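Review bot: Flagging the iterator as `ITER_SOURCE` for `SG_DXFER_TO_FROM_DEV` describes only the copy-in half of that transfer: the request also returns device data into the same user buffer, and the single `rw` value chosen here presumably governs both directions once it reaches the iterator setup later in `sg_start_req` (that code is outside the hunk). Since `dxfer_direction` is supplied by the ioctl caller, please confirm that the completion path which copies data back to user space still accepts an iterator marked as a source; otherwise the direction mismatch only moves from the copy-in to the copy-out. If the combined mode is meant to stay as written, a comment on the new branch would help, e.g. `/* TO_FROM_DEV: user buffer is copied in first, then overwritten with device data */`. An alternative worth considering is to leave `rw` as `ITER_DEST` here and adjust the direction only at the point where the copy-in is performed.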