Re: [PATCH v2] drm: return -EFAULT if copy_to_user() fails

From: Sean Paul
Date: Tue Jun 18 2019 - 13:21:37 EST


On Tue, Jun 18, 2019 at 04:18:43PM +0300, Dan Carpenter wrote:
> The copy_from_user() function returns the number of bytes remaining
> to be copied but we want to return a negative error code. Otherwise
> the callers treat it as a successful copy.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Thanks Dan, I've applied this to drm-misc-fixes.

Sean

> ---
> v2: The first version was missing a chunk
>
> drivers/gpu/drm/drm_bufs.c | 5 ++++-
> drivers/gpu/drm/drm_ioc32.c | 5 ++++-
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
> index 68dacf8422c6..8ce9d73fab4f 100644
> --- a/drivers/gpu/drm/drm_bufs.c
> +++ b/drivers/gpu/drm/drm_bufs.c
> @@ -1351,7 +1351,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
> .size = from->buf_size,
> .low_mark = from->low_mark,
> .high_mark = from->high_mark};
> - return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
> +
> + if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
> + return -EFAULT;
> + return 0;
> }
>
> int drm_legacy_infobufs(struct drm_device *dev, void *data,
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index 586aa28024c5..a16b6dc2fa47 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -378,7 +378,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from)
> .size = from->buf_size,
> .low_mark = from->low_mark,
> .high_mark = from->high_mark};
> - return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags));
> +
> + if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)))
> + return -EFAULT;
> + return 0;
> }
>
> static int drm_legacy_infobufs32(struct drm_device *dev, void *data,
> --
> 2.20.1
>

--
Sean Paul, Software Engineer, Google / Chromium OS