From: Rebecca Schultz Zavin <rebecca@xxxxxxxxxxx> Check the return value of get_unused_fd to make sure a valid file descriptor is returned. Make sure to call put_unused_fd even if an error occurs before the fd can be used. Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxx> Cc: Erik Gilling <konkers@xxxxxxxxxxx> Cc: Daniel Vetter <daniel.vetter@xxxxxxxx> Cc: Rob Clark <robclark@xxxxxxxxx> Cc: Sumit Semwal <sumit.semwal@xxxxxxxxxx> Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx Cc: Android Kernel Team <kernel-team@xxxxxxxxxxx> Signed-off-by: Rebecca Schultz Zavin <rebecca@xxxxxxxxxxx> Signed-off-by: John Stultz <john.stultz@xxxxxxxxxx> --- drivers/staging/android/sync.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c index 61c27bd..c4a3c1d 100644 --- a/drivers/staging/android/sync.c +++ b/drivers/staging/android/sync.c @@ -647,8 +647,13 @@ static long sync_fence_ioctl_merge(struct sync_fence *fence, unsigned long arg) struct sync_fence *fence2, *fence3; struct sync_merge_data data; - if (copy_from_user(&data, (void __user *)arg, sizeof(data))) - return -EFAULT; + if (fd < 0) + return fd; + + if (copy_from_user(&data, (void __user *)arg, sizeof(data))) { + err = -EFAULT; + goto err_put_fd; + } fence2 = sync_fence_fdget(data.fd2); if (fence2 == NULL) { -- 1.7.10.4 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel