IB/mthca: Return an error on ib_copy_to_udata() failure
authorYann Droneaud <ydroneaud@opteya.com>
Mon, 10 Mar 2014 22:06:26 +0000 (23:06 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 May 2014 14:55:30 +0000 (07:55 -0700)
commit 08e74c4b00c30c232d535ff368554959403d0432 upstream.

In case of error when writing to userspace, the function mthca_create_cq()
does not set an error code before following its error path.

This patch sets the error code to -EFAULT when ib_copy_to_udata() fails.

This was caught when using spatch (aka. coccinelle)
to rewrite call to ib_copy_{from,to}_udata().

Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci
Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/infiniband/hw/mthca/mthca_provider.c

index 5b71d43bd89c80926f2e1a4d6d3eae7b3ab7e91c..42dde06fdb91ad20449e4a811f4dad76cc8a86ff 100644 (file)
@@ -695,6 +695,7 @@ static struct ib_cq *mthca_create_cq(struct ib_device *ibdev, int entries,
 
        if (context && ib_copy_to_udata(udata, &cq->cqn, sizeof (__u32))) {
                mthca_free_cq(to_mdev(ibdev), cq);
+               err = -EFAULT;
                goto err_free;
        }