From: Dan Carpenter Date: Mon, 16 Jan 2017 11:58:08 +0000 (+0300) Subject: drm/msm: return -EFAULT if copy_from_user() fails X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=21c42da18ef128ca8fb4cc4ead888f5c61e3916a;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/msm: return -EFAULT if copy_from_user() fails copy_from_user_inatomic() is actually a local function that returns -EFAULT or positive values on error. Otherwise copy_from_user() returns the number of bytes remaining to be copied. We want to return -EFAULT here. I removed an unlikely() because we just did a copy_from_user() so I don't think it can possibly make a difference. Signed-off-by: Dan Carpenter Signed-off-by: Rob Clark --- diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 489676568a10..1172fe7a9252 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -95,13 +95,13 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, */ submit->bos[i].flags = 0; - ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo)); - if (unlikely(ret)) { + if (copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo))) { pagefault_enable(); spin_unlock(&file->table_lock); - ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo)); - if (ret) + if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { + ret = -EFAULT; goto out; + } spin_lock(&file->table_lock); pagefault_disable(); } @@ -317,9 +317,10 @@ static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *ob uint64_t iova; bool valid; - ret = copy_from_user(&submit_reloc, userptr, sizeof(submit_reloc)); - if (ret) + if (copy_from_user(&submit_reloc, userptr, sizeof(submit_reloc))) { + ret = -EFAULT; goto out; + } if (submit_reloc.submit_offset % 4) { DRM_ERROR("non-aligned reloc offset: %u\n",