From aefd886eef3d1789f514e3e564f0df0d9f790635 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 29 May 2020 21:20:44 +0200 Subject: [PATCH] scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) --- debian/changelog | 1 + ...sg-add-sg_remove_request-in-sg_write.patch | 42 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 44 insertions(+) create mode 100644 debian/patches/bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch diff --git a/debian/changelog b/debian/changelog index 724da7be6..61883698c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,7 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium (CVE-2020-12464) * [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init() (CVE-2020-12768) + * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200 diff --git a/debian/patches/bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch b/debian/patches/bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch new file mode 100644 index 000000000..6d9c96f1f --- /dev/null +++ b/debian/patches/bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch 
@@ -0,0 +1,42 @@ +From: Wu Bo +Date: Tue, 14 Apr 2020 10:13:28 +0800 +Subject: scsi: sg: add sg_remove_request in sg_write +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=34fcb4291e234468f9bf9d4b851c9f522f3bbb13 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-12770 + +commit 83c6f2390040f188cc25b270b4befeb5628c1aee upstream. + +If the __copy_from_user function failed we need to call sg_remove_request +in sg_write. + +Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com +Acked-by: Douglas Gilbert +Signed-off-by: Wu Bo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +[groeck: Backport to v5.4.y and older kernels] +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index ac8535d2b41a..6bb45ae19d58 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -694,8 +694,10 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + hp->flags = input_size; /* structure abuse ... */ + hp->pack_id = old_hdr.pack_id; + hp->usr_ptr = NULL; +- if (__copy_from_user(cmnd, buf, cmd_size)) ++ if (__copy_from_user(cmnd, buf, cmd_size)) { ++ sg_remove_request(sfp, srp); + return -EFAULT; ++ } + /* + * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV, + * but is is possible that the app intended SG_DXFER_TO_DEV, because there +-- +2.27.0.rc0 + diff --git a/debian/patches/series b/debian/patches/series index 610328ed5..67efa3575 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -304,5 +304,6 @@ bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch +bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch # ABI maintenance
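Review bot: in the drivers/scsi/sg.c hunk, the commit message says only that sg_remove_request is needed when __copy_from_user fails, not what goes wrong without it, so a reader of the backport cannot judge the impact from the patch alone. Suggest one sentence in the message stating what is left behind on sfp when the old code returned -EFAULT without releasing srp. The hunk shows only this one early return after the hp fields are filled in, so it is also worth confirming that every other error return between where srp is obtained and this point releases it the same way as the new `sg_remove_request(sfp, srp);` line.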
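Review bot: in the debian/patches/series hunk, the new bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch entry lands after bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch, apart from the bugfix/all/ entries just above it. If this block is kept in order of addition, matching the debian/changelog hunk where the new line also follows the KVM SVM entry, that is fine. Otherwise move it up beside the other bugfix/all/ lines so the list stays grouped by directory.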