sg_write()/bsg_write() is not fit to be called under KERNEL_DS commit 128394eff343fc6d2f32172f03e24829539c5835 upstream. Both damn things interpret userland pointers embedded into the payload; worse, they are actually traversing those. Leaving aside the bad API design, this is very much _not_ safe to call with KERNEL_DS. Bail out early if that happens. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 3f3a6bbe6f9f5e895d8945494173594ee51632da [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Fri Dec 16 13:42:06 2016 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Mon Jan 09 08:32:25 2017 +0100
tree: 07d69582b4b05fe1b7cf99dc58ab907eb4d0113a
parent: d024532a97db32db4b0fc4cd27c7a9ac15b84e5b [diff] [blame]
diff --git a/block/bsg.c b/block/bsg.c
index d214e92..b9a5361 100644
--- a/block/bsg.c
+++ b/block/bsg.c

@@ -655,6 +655,9 @@
 
 	dprintk("%s: write %Zd bytes\n", bd->name, count);
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	bsg_set_block(bd, file);
 
 	bytes_written = 0;
commit	3f3a6bbe6f9f5e895d8945494173594ee51632da	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Fri Dec 16 13:42:06 2016 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Mon Jan 09 08:32:25 2017 +0100
tree	07d69582b4b05fe1b7cf99dc58ab907eb4d0113a
parent	d024532a97db32db4b0fc4cd27c7a9ac15b84e5b [diff] [blame]