2.6.25-stable review patch. If anyone has any objections, please let us know. ------------------ From: Pavel Emelyanov [ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ] I found some places, that erroneously return the value obtained from the copy_to_user() call: if some amount of bytes were not able to get to the user (this is what this one returns) the proper behavior is to return the -EFAULT error, not that number itself. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/can/raw.c | 3 ++- net/dccp/probe.c | 2 +- net/tipc/socket.c | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) --- a/net/can/raw.c +++ b/net/can/raw.c @@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket int fsize = ro->count * sizeof(struct can_filter); if (len > fsize) len = fsize; - err = copy_to_user(optval, ro->filter, len); + if (copy_to_user(optval, ro->filter, len)) + err = -EFAULT; } else len = 0; release_sock(sk); --- a/net/dccp/probe.c +++ b/net/dccp/probe.c @@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil goto out_free; cnt = kfifo_get(dccpw.fifo, tbuf, len); - error = copy_to_user(buf, tbuf, cnt); + error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0; out_free: vfree(tbuf); --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc else if (len < sizeof(value)) { res = -EINVAL; } - else if ((res = copy_to_user(ov, &value, sizeof(value)))) { - /* couldn't return value */ + else if (copy_to_user(ov, &value, sizeof(value))) { + res = -EFAULT; } else { res = put_user(sizeof(value), ol); -- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/