From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed, 7 Dec 2016 00:18:14 +0000 (-0800)
Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
X-Git-Tag: v4.1.12-92~11^2
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=73c20723fbb05ac5bf501cb920054f39db304f06;p=users%2Fjedix%2Flinux-maple.git

Don't feed anything but regular iovec's to blk_rq_map_user_iov

In theory we could map other things, but there's a reason that function
is called "user_iov".  Using anything else (like splice can do) just
confuses it.

Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit a0ac402cfcdc904f9772e1762b3fda112dcc56a0)

Orabug: 25230657
CVE: CVE-2016-9576
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>

Conflicts:
	block/blk-map.c
---

diff --git a/block/blk-map.c b/block/blk-map.c
index da310a1054299..fd36d3742b94d 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -72,6 +72,11 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 	if (!iter || !iter->count)
 		return -EINVAL;
 
+	if (!iter_is_iovec(iter)) {
+		rq->bio = NULL;
+		return -EINVAL;
+	}
+
 	iov_for_each(iov, i, *iter) {
 		unsigned long uaddr = (unsigned long) iov.iov_base;