[PATCH] scsi: avoid a double-fetch and a redundant copy

2018-12-25 Thread Kangjie Lu
What we need is only "pack_id", so do not create a heap object or copy the whole object in. The fix efficiently copies "pack_id" only. Signed-off-by: Kangjie Lu --- drivers/scsi/sg.c | 12 ++-- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/drivers

[PATCH] scsi: fix a double-fetch bug in sg_write

2018-12-25 Thread Kangjie Lu
"opcode" has been copied in from user space and checked. We should not copy it in again, which may have been modified by malicious multi-threading user programs through race conditions. The fix uses the opcode fetched in the first copy. Signed-off-by: Kangjie Lu --- drivers/scsi/sg.c

[PATCH] scsi: avoiding fetching signature from user space again after check

2018-12-25 Thread Kangjie Lu
The signature is checked so that it must be "MEGANIT". After the check, if we fetch the signature again from user space, it may have been modified by malicious user programs through race conditions. The fix avoids fetching the signature again. Signed-off-by: Kangjie Lu --- dr

[PATCH] scsi: aacraid: fix a potential data inconsistency caused by double-fetch

2018-12-25 Thread Kangjie Lu
"user_srb->count" may be changed by malicious user races. Let's set "user_srbcmd->count" fetched in the second copy to be the one fetched in the first copy. Signed-off-by: Kangjie Lu --- drivers/scsi/aacraid/commctrl.c | 2 ++ 1 file changed, 2 insertions(+) di

[PATCH] scsi: fix a double-fetch bug in adpt_i2o_passthru

2018-12-25 Thread Kangjie Lu
Use the checked size. Signed-off-by: Kangjie Lu --- drivers/scsi/dpt_i2o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 37de8fb186d7..93bd1d1bd5b5 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1733,6 +1733,9

[PATCH] scsi: a potential double-fetch bug when copying msg

2018-12-25 Thread Kangjie Lu
user_msg[0] is copied in twice from user space. It contains size and is critical. The fix ensures it is not changed in the second copy. Signed-off-by: Kangjie Lu --- drivers/scsi/dpt_i2o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c

[PATCH] scsi: avoid a double-fetch and a redundant copy

2018-12-25 Thread Kangjie Lu
What we need is only "pack_id", so do not create a heap object or copy the whole object in. The fix efficiently copies "pack_id" only. Signed-off-by: Kangjie Lu --- drivers/scsi/sg.c | 4 ++-- kernel/sched/core.c | 18 -- 2 files changed, 14 insert

[PATCH] scsi: aacraid: add a check for aac_fib_send

2018-12-25 Thread Kangjie Lu
aac_fib_send could fail, so add a check to its return value: If it fails, issue an error message. Signed-off-by: Kangjie Lu --- drivers/scsi/aacraid/dpcsup.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/aacraid/dpcsup.c b/drivers/scsi/aacraid/dpcsup.c index ddc69738375f

[PATCH] target: fix a missing check for match_int

2018-12-25 Thread Kangjie Lu
When match_int fails, "arg" is left uninitialized and may contain a random value, thus should not be used. The fix checks if match_int fails, and if so, breaks. Signed-off-by: Kangjie Lu --- drivers/target/target_core_rd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) di

[PATCH v2] scsi: avoid a double-fetch and a redundant copy

2019-01-08 Thread Kangjie Lu
What we need is only "pack_id", so do not create a heap object or copy the whole object in. The fix efficiently copies "pack_id" only and also avoids double-fetch. Signed-off-by: Kangjie Lu --- drivers/scsi/sg.c | 12 ++-- 1 file changed, 2 insertions(+), 10 deleti
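
The sg, aacraid and dpt_i2o patches above all fix the same shape of bug: a size or opcode field is copied from user space and validated, then the whole object is copied in a second time and the handler uses the field from the second, unvalidated copy. Below is an added example, not code from any of the patches or drivers listed here, that models that pattern in user space. copy_from_user() is stood in for by memcpy() from a buffer the "user" can rewrite, and the race window is a callback so the outcome is deterministic rather than timing-dependent. The struct layout, MAX_LEN and the handler names are all hypothetical.

```c
/*
 * Added example (not code from the patches or drivers above): a user-space
 * model of the double-fetch pattern the scsi/aacraid/dpt_i2o fixes address.
 * copy_from_user() is modelled by memcpy() from a buffer the "user" can
 * rewrite between the two fetches; the race window is a callback so the
 * outcome is deterministic instead of depending on thread timing.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64          /* hypothetical kernel-side buffer limit */

struct msg_hdr {
    uint32_t len;           /* size field the handler must validate */
    uint32_t opcode;
};

struct msg {
    struct msg_hdr hdr;
    uint8_t payload[MAX_LEN];
};

/* Models user-controlled memory that a racing thread can also write. */
static struct msg user_mem;

/* Resets the user buffer to a sane message and returns a pointer to it. */
static struct msg *fresh_user(uint32_t len)
{
    memset(&user_mem, 0, sizeof user_mem);
    user_mem.hdr.len = len;
    user_mem.hdr.opcode = 7;
    return &user_mem;
}

/* A racing writer: flips len to a value the check would have rejected. */
typedef void (*race_fn)(void);
static void race_set_len_huge(void) { user_mem.hdr.len = 1000; }

/*
 * Vulnerable shape: fetch the header, check len, then fetch the whole
 * object again and use len from the SECOND copy. Returns the len the
 * driver would hand to its next copy, or -1 if the check rejected it.
 * (The overflowing copy itself is deliberately not performed here.)
 */
static long handler_double_fetch(const struct msg *user, race_fn race)
{
    struct msg_hdr hdr;
    struct msg full;

    memcpy(&hdr, user, sizeof hdr);        /* first fetch */
    if (hdr.len > MAX_LEN)
        return -1;                         /* check on the first copy */
    if (race)
        race();                            /* window: user rewrites len */
    memcpy(&full, user, sizeof full);      /* second fetch */
    return full.hdr.len;                   /* BUG: this value was never checked */
}

/*
 * Fix 1 (the sg opcode / aacraid count approach): keep the second fetch
 * but overwrite the critical field with the value from the first,
 * validated copy.
 */
static long handler_reuse_first(const struct msg *user, race_fn race)
{
    struct msg_hdr hdr;
    struct msg full;

    memcpy(&hdr, user, sizeof hdr);
    if (hdr.len > MAX_LEN)
        return -1;
    if (race)
        race();
    memcpy(&full, user, sizeof full);
    full.hdr.len = hdr.len;                /* trust only the checked value */
    return full.hdr.len;
}

/*
 * Fix 2 (the dpt_i2o user_msg[0] approach): refetch, but reject the
 * request if the critical field differs from what was checked.
 * Returns -2 on mismatch.
 */
static long handler_verify_second(const struct msg *user, race_fn race)
{
    struct msg_hdr hdr;
    struct msg full;

    memcpy(&hdr, user, sizeof hdr);
    if (hdr.len > MAX_LEN)
        return -1;
    if (race)
        race();
    memcpy(&full, user, sizeof full);
    if (full.hdr.len != hdr.len)
        return -2;                         /* user changed it under us */
    return full.hdr.len;
}

int main(void)
{
    printf("double-fetch, raced:  len=%ld (limit %d)\n",
           handler_double_fetch(fresh_user(16), race_set_len_huge), MAX_LEN);
    printf("reuse-first, raced:   len=%ld\n",
           handler_reuse_first(fresh_user(16), race_set_len_huge));
    printf("verify-second, raced: rc=%ld\n",
           handler_verify_second(fresh_user(16), race_set_len_huge));
    return 0;
}
```

In a real driver the window between the two copy_from_user() calls is hit by a second thread rewriting the shared page, so the bad value shows up only some of the time; the callback just makes the model reproducible. The third option, taken by the v2 sg pack_id patch above, is not to refetch at all: copy only the field you need once and never touch the user object again, which removes the window entirely.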

[PATCH v2] target: fix a missing check of match_int

2019-01-11 Thread Kangjie Lu
When match_int fails, "arg" is left uninitialized and may contain a random value, thus should not be used. The fix checks if match_int fails, and if so, returns its error code. Signed-off-by: Kangjie Lu --- drivers/target/target_core_rd.c | 15 +-- 1 file changed, 13 insert