From: Rebecca Schultz Zavin <rebe...@android.com>
Check the return value of get_unused_fd to make sure a valid
file descriptor is returned.
Make sure to call put_unused_fd even if an error occurs before
the fd can be used.
Cc: Maarten Lankhorst <maarten.lankhorst at canonical.com>
Cc: Erik Gilling <konkers at android.com>
Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
Cc: Rob Clark <robclark at gmail.com>
Cc: Sumit Semwal <sumit.semwal at linaro.org>
Cc: Greg KH <gregkh at linuxfoundation.org>
Cc: dri-devel at lists.freedesktop.org
Cc: Android Kernel Team <kernel-team at android.com>
Signed-off-by: Rebecca Schultz Zavin <rebecca at android.com>
Signed-off-by: John Stultz <john.stultz at linaro.org>
---
drivers/staging/android/sync.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index 61c27bd..c4a3c1d 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -647,8 +647,13 @@ static long sync_fence_ioctl_merge(struct sync_fence
*fence, unsigned long arg)
struct sync_fence *fence2, *fence3;
struct sync_merge_data data;
- if (copy_from_user(&data, (void __user *)arg, sizeof(data)))
- return -EFAULT;
+ if (fd < 0)
+ return fd;
+
+ if (copy_from_user(&data, (void __user *)arg, sizeof(data))) {
+ err = -EFAULT;
+ goto err_put_fd;
+ }
fence2 = sync_fence_fdget(data.fd2);
if (fence2 == NULL) {
--
1.7.10.4
