scsi: sg: sg_write(): __get_user() can fail...

Link: https://lore.kernel.org/r/20191017193925.25539-3-viro@ZenIV.linux.org.uk
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 026628a..4c62237 100644 (file)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -640,13 +640,15 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
        if (count < (SZ_SG_HEADER + 6))
                return -EIO;    /* The minimum scsi command length is 6 bytes. */
 
+       buf += SZ_SG_HEADER;
+       if (__get_user(opcode, buf))
+               return -EFAULT;
+
        if (!(srp = sg_add_request(sfp))) {
                SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sdp,
                                              "sg_write: queue full\n"));
                return -EDOM;
        }
-       buf += SZ_SG_HEADER;
-       __get_user(opcode, buf);
        mutex_lock(&sfp->f_mutex);
        if (sfp->next_cmd_len > 0) {
                cmd_size = sfp->next_cmd_len;