summaryrefslogtreecommitdiffstats
path: root/kernel/drivers/scsi/sg.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/drivers/scsi/sg.c')
-rw-r--r--kernel/drivers/scsi/sg.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/kernel/drivers/scsi/sg.c b/kernel/drivers/scsi/sg.c
index 5e8206744..a1c29b0af 100644
--- a/kernel/drivers/scsi/sg.c
+++ b/kernel/drivers/scsi/sg.c
@@ -592,6 +592,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
sg_io_hdr_t *hp;
unsigned char cmnd[SG_MAX_CDB_SIZE];
+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+ return -EINVAL;
+
if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
return -ENXIO;
SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
@@ -652,7 +655,8 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
else
hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
hp->dxfer_len = mxsize;
- if (hp->dxfer_direction == SG_DXFER_TO_DEV)
+ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
+ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
hp->dxferp = (char __user *)buf + cmd_size;
else
hp->dxferp = NULL;