Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
To:     Doug Gilbert <dgilbert@interlog.com>,
        "James E.J. Bottomley" <jejb@linux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        <linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <liuzhiqiang26@huawei.com>, <linfeilong@huawei.com>
From:   Wu Bo <wubo40@huawei.com>
Subject: [PATCH] scsi:sg: add sg_remove_request in sg_write
Message-ID: <610618d9-e983-fd56-ed0f-639428343af7@huawei.com>
Date:   Tue, 14 Apr 2020 10:13:28 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

From: Wu Bo <wubo40@huawei.com>

If the __copy_from_user function return failed,
it should call sg_remove_request in sg_write.

Signed-off-by: Wu Bo <wubo40@huawei.com>
---
  drivers/scsi/sg.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 4e6af59..ff3f532 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -685,8 +685,10 @@ static int get_sg_io_pack_id(int *pack_id, void 
__user *buf, size_t count)
         hp->flags = input_size; /* structure abuse ... */
         hp->pack_id = old_hdr.pack_id;
         hp->usr_ptr = NULL;
-       if (copy_from_user(cmnd, buf, cmd_size))
+       if (copy_from_user(cmnd, buf, cmd_size)) {
+               sg_remove_request(sfp, srp);
                 return -EFAULT;
+       }
         /*
          * SG_DXFER_TO_FROM_DEV is functionally equivalent to 
SG_DXFER_FROM_DEV,
          * but is is possible that the app intended SG_DXFER_TO_DEV, 
because there
--
1.8.3.1