copy_to_user() returns the number of bytes that could not be copied, not an error code. Currently, hvpipe_rtas_recv_msg() and papr_hvpipe_handle_read() return this positive value directly on failure, which userspace interprets as a successful read of that many bytes.
Return -EFAULT when copy_to_user() fails. Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> Closes: https://lore.kernel.org/r/[email protected]/ Signed-off-by: Alper Ak <[email protected]> --- arch/powerpc/platforms/pseries/papr-hvpipe.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c index dd7b668799d9..0dee94c7c887 100644 --- a/arch/powerpc/platforms/pseries/papr-hvpipe.c +++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c @@ -209,7 +209,9 @@ static int hvpipe_rtas_recv_msg(char __user *buf, int size) ret = copy_to_user(buf, rtas_work_area_raw_buf(work_area), bytes_written); - if (!ret) + if (ret) + ret = -EFAULT; + else ret = bytes_written; } } else { @@ -376,7 +378,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file, ret = copy_to_user(buf, &hdr, HVPIPE_HDR_LEN); if (ret) - return ret; + return -EFAULT; /* * Message event has payload, so get the payload with -- 2.43.0
