scsi: sg: sg_write(): __get_user() can fail...

Link: https://lore.kernel.org/r/20191017193925.25539-3-viro@ZenIV.linux.org.uk Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
author: Al Viro <viro@zeniv.linux.org.uk> 2019-10-17 20:39:20 +0100
committer: Martin K. Petersen <martin.petersen@oracle.com> 2019-11-06 00:04:03 -0500
commit: 062c9d4527ccbdbf49139607efd44c9c3f82a2fd (patch)
tree: 739b6b50fd154b7f155af9df290f0a0ceaf3b6d7 /drivers/scsi
parent: a62726cb9cb42b366f2af2c1951ae2fff66e2ad3 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 026628aa556d..4c62237cdf37 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -640,13 +640,15 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
 	if (count < (SZ_SG_HEADER + 6))
 		return -EIO;	/* The minimum scsi command length is 6 bytes. */
 
+	buf += SZ_SG_HEADER;
+	if (__get_user(opcode, buf))
+		return -EFAULT;
+
 	if (!(srp = sg_add_request(sfp))) {
 		SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sdp,
 					      "sg_write: queue full\n"));
 		return -EDOM;
 	}
-	buf += SZ_SG_HEADER;
-	__get_user(opcode, buf);
 	mutex_lock(&sfp->f_mutex);
 	if (sfp->next_cmd_len > 0) {
 		cmd_size = sfp->next_cmd_len;
author	Al Viro <viro@zeniv.linux.org.uk>	2019-10-17 20:39:20 +0100
committer	Martin K. Petersen <martin.petersen@oracle.com>	2019-11-06 00:04:03 -0500
commit	062c9d4527ccbdbf49139607efd44c9c3f82a2fd (patch)
tree	739b6b50fd154b7f155af9df290f0a0ceaf3b6d7 /drivers/scsi
parent	a62726cb9cb42b366f2af2c1951ae2fff66e2ad3 (diff)