The copy_from_user() function returns the number of bytes remaining
to be copied but we want to return a negative error code. Otherwise
the callers treat it as a successful copy.
Signed-off-by: Dan Carpenter <[email protected]>
---
v2: The first version was missing a chunk
drivers/gpu/drm/drm_bufs.c | 5 ++++-
drivers/gpu/drm/drm_ioc32.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 68dacf8422c6..8ce9d73fab4f 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -1351,7 +1351,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
.size = from->buf_size,
.low_mark = from->low_mark,
.high_mark = from->high_mark};
- return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
+
+ if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
+ return -EFAULT;
+ return 0;
}
int drm_legacy_infobufs(struct drm_device *dev, void *data,
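Review bot: The 0 / -EFAULT return contract this fix gives copy_one_buf() is not documented anywhere in the hunk, and the same holds for copy_one_buf32() in drm_ioc32.c. The removed line passed copy_to_user()'s count of uncopied bytes straight through, which, per the description, callers treated as success. A short comment above each helper would keep the convention from drifting again: `/* Returns 0 on success or -EFAULT if the copy to user space faults; never a positive byte count. */`. The code calls copy_to_user() while the description names copy_from_user(); both return the number of bytes left uncopied. The function starts above the hunk, so the comment belongs at its definition, outside the lines shown.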
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index 586aa28024c5..a16b6dc2fa47 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -378,7 +378,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from)
.size = from->buf_size,
.low_mark = from->low_mark,
.high_mark = from->high_mark};
- return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags));
+
+ if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)))
+ return -EFAULT;
+ return 0;
}
static int drm_legacy_infobufs32(struct drm_device *dev, void *data,
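Review bot: In `copy_to_user(to + count, ...)` the signed `int count` is used directly as an index into the user array, and nothing visible in the hunk bounds it. copy_to_user() still confines the write to the calling process's own address space, so the exposure is limited to writing outside the array the caller supplied. Presumably the caller compares the index with the count from the user's request before invoking the helper, which is worth confirming. A one-line comment would record the assumption: `/* count is the index of this entry; the caller must have checked it against the user-supplied count */`. The declaration of `to` and the start of copy_one_buf32() are outside the hunk.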
--
2.20.1
On Tue, Jun 18, 2019 at 04:18:43PM +0300, Dan Carpenter wrote:
> The copy_from_user() function returns the number of bytes remaining
> to be copied but we want to return a negative error code. Otherwise
> the callers treat it as a successful copy.
>
> Signed-off-by: Dan Carpenter <[email protected]>
Thanks Dan, I've applied this to drm-misc-fixes.
Sean
> ---
> v2: The first version was missing a chunk
>
> drivers/gpu/drm/drm_bufs.c | 5 ++++-
> drivers/gpu/drm/drm_ioc32.c | 5 ++++-
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
> index 68dacf8422c6..8ce9d73fab4f 100644
> --- a/drivers/gpu/drm/drm_bufs.c
> +++ b/drivers/gpu/drm/drm_bufs.c
> @@ -1351,7 +1351,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
> .size = from->buf_size,
> .low_mark = from->low_mark,
> .high_mark = from->high_mark};
> - return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
> +
> + if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
> + return -EFAULT;
> + return 0;
> }
>
> int drm_legacy_infobufs(struct drm_device *dev, void *data,
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index 586aa28024c5..a16b6dc2fa47 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -378,7 +378,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from)
> .size = from->buf_size,
> .low_mark = from->low_mark,
> .high_mark = from->high_mark};
> - return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags));
> +
> + if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)))
> + return -EFAULT;
> + return 0;
> }
>
> static int drm_legacy_infobufs32(struct drm_device *dev, void *data,
> --
> 2.20.1
>
--
Sean Paul, Software Engineer, Google / Chromium OS
On Tue, Jun 18, 2019 at 01:16:29PM -0400, Sean Paul wrote:
> On Tue, Jun 18, 2019 at 04:18:43PM +0300, Dan Carpenter wrote:
> > The copy_from_user() function returns the number of bytes remaining
> > to be copied but we want to return a negative error code. Otherwise
> > the callers treat it as a successful copy.
> >
> > Signed-off-by: Dan Carpenter <[email protected]>
>
> Thanks Dan, I've applied this to drm-misc-fixes.
FWIW, Acked-by: Al Viro <[email protected]>