Only uverbs_copy_to_struct_or_zero in uverbs_ioctl.c does not have a
check for uverbs_attr_get.
Although its usage in uverbs_response has a check for attr's validity,
UVERBS_HANDLER does not.
Therefore, it is better to add a check like other functions in
uverbs_ioctl.c.
Signed-off-by: Chuhong Yuan <hslester96@xxxxxxxxx>
---
drivers/infiniband/core/uverbs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_ioctl.c b/drivers/infiniband/core/uverbs_ioctl.c
index 61758201d9b2..269938f59d3f 100644
--- a/drivers/infiniband/core/uverbs_ioctl.c
+++ b/drivers/infiniband/core/uverbs_ioctl.c
@@ -795,6 +795,9 @@ int uverbs_copy_to_struct_or_zero(const struct uverbs_attr_bundle *bundle,
{
const struct uverbs_attr *attr = uverbs_attr_get(bundle, idx);
+ if (IS_ERR(attr))
+ return PTR_ERR(attr);
+
if (size < attr->ptr_attr.len) {
if (clear_user(u64_to_user_ptr(attr->ptr_attr.data) + size,
attr->ptr_attr.len - size))
--
2.20.1
