From be30e0930e9fd78d34d5d04224d635d12337a8ce Mon Sep 17 00:00:00 2001
From: Roberto Pereira <rpere@google.com>
Date: Tue, 10 Oct 2017 17:14:48 -0700
Subject: [PATCH] ANDROID: scsi: Add segment checking in sg_read

Bug: 65023233
Signed-off-by: Roberto Pereira <rpere@google.com>
Change-Id: Ib45f402cf304f9b8bf18884738f92b9c3db55573
Signed-off-by: Francisco Franco <franciscofranco.1990@gmail.com>
---
 drivers/scsi/sg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 1f38a09ea453..5b935fe719bb 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -359,6 +359,9 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
 	struct sg_header *old_hdr = NULL;
 	int retval = 0;
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, printk("sg_read: %s, count=%d\n",