From: Rebecca Schultz Zavin rebecca@android.com
Check the return value of get_unused_fd to make sure a valid file descriptor is returned.
Make sure to call put_unused_fd even if an error occurs before the fd can be used.
Cc: Maarten Lankhorst maarten.lankhorst@canonical.com Cc: Erik Gilling konkers@android.com Cc: Daniel Vetter daniel.vetter@ffwll.ch Cc: Rob Clark robclark@gmail.com Cc: Sumit Semwal sumit.semwal@linaro.org Cc: Greg KH gregkh@linuxfoundation.org Cc: dri-devel@lists.freedesktop.org Cc: Android Kernel Team kernel-team@android.com Signed-off-by: Rebecca Schultz Zavin rebecca@android.com Signed-off-by: John Stultz john.stultz@linaro.org --- drivers/staging/android/sync.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c index 61c27bd..c4a3c1d 100644 --- a/drivers/staging/android/sync.c +++ b/drivers/staging/android/sync.c @@ -647,8 +647,13 @@ static long sync_fence_ioctl_merge(struct sync_fence *fence, unsigned long arg) struct sync_fence *fence2, *fence3; struct sync_merge_data data;
- if (copy_from_user(&data, (void __user *)arg, sizeof(data))) - return -EFAULT; + if (fd < 0) + return fd; + + if (copy_from_user(&data, (void __user *)arg, sizeof(data))) { + err = -EFAULT; + goto err_put_fd; + }
fence2 = sync_fence_fdget(data.fd2); if (fence2 == NULL) {