>>>>> "Doug" == Douglas Gilbert <dgilbert@xxxxxxxxxxxx> writes:

Doug> This patch is in response to this report:
Doug> http://www.spinics.net/lists/linux-scsi/msg93456.html
Doug>
Doug> One of the strange things that the original sg driver did was let
Doug> the user provide both a data-out buffer (it followed the
Doug> sg_header+cdb) _and_ specify a reply length greater than
Doug> zero. What happened was that the user data-out buffer was copied
Doug> into some kernel buffers and then the mid level was told a read
Doug> type operation would take place with the data from the device
Doug> overwriting the same kernel buffers. The user would then read
Doug> those kernel buffers back into the user space.
Doug>
Doug> From what I can tell, the above action was broken by a change in
Doug> 2008 and syzkaller found that out recently.
Doug>
Doug> ChangeLog: make sure that a user space pointer is passed
Doug> through when data follows the sg_header structure and command.
Doug> Fix the abnormal case when a non-zero reply_len is also given.

Somebody please review.

-- 
Martin K. Petersen	Oracle Linux Engineering