From: Rebecca Schultz Zavin <rebe...@android.com>
Check the return value of get_unused_fd to make sure a valid
file descriptor is returned.
Make sure to call put_unused_fd even if an error occurs before
the fd can be used.
Cc: Maarten Lankhorst <maarten.lankhorst at canonical.com>
Cc: Erik Gilling <konkers at android.com>
Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
Cc: Rob Clark <robclark at gmail.com>
Cc: Sumit Semwal <sumit.semwal at linaro.org>
Cc: Greg KH <gregkh at linuxfoundation.org>
Cc: dri-devel at lists.freedesktop.org
Cc: Android Kernel Team <kernel-team at android.com>
Signed-off-by: Rebecca Schultz Zavin <rebecca at android.com>
Signed-off-by: John Stultz <john.stultz at linaro.org>
---
drivers/staging/android/sw_sync.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/android/sw_sync.c
b/drivers/staging/android/sw_sync.c
index d689760..d768893 100644
--- a/drivers/staging/android/sw_sync.c
+++ b/drivers/staging/android/sw_sync.c
@@ -170,8 +170,13 @@ long sw_sync_ioctl_create_fence(struct sw_sync_timeline
*obj, unsigned long arg)
struct sync_fence *fence;
struct sw_sync_create_fence_data data;
- if (copy_from_user(&data, (void __user *)arg, sizeof(data)))
- return -EFAULT;
+ if (fd < 0)
+ return fd;
+
+ if (copy_from_user(&data, (void __user *)arg, sizeof(data))) {
+ err = -EFAULT;
+ goto err;
+ }
pt = sw_sync_pt_create(obj, data.value);
if (pt == NULL) {
--
1.7.10.4
