switchtec_dev_read() didn't handle copy_to_user() errors correctly: it
assigned "rc = -EFAULT", but actually returned either "size", -ENXIO, or
-EBADMSG instead.
Update the failure cases to unlock mrpc_mutex and return -EFAULT directly.
Link: https://lore.kernel.org/r/20221216162126.207863-3-helgaas@kernel.org
Fixes:
080b47def5e5 ("MicroSemi Switchtec management interface driver")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
rc = copy_to_user(data, &stuser->return_code,
sizeof(stuser->return_code));
if (rc) {
- rc = -EFAULT;
- goto out;
+ mutex_unlock(&stdev->mrpc_mutex);
+ return -EFAULT;
}
data += sizeof(stuser->return_code);
rc = copy_to_user(data, &stuser->data,
size - sizeof(stuser->return_code));
if (rc) {
- rc = -EFAULT;
- goto out;
+ mutex_unlock(&stdev->mrpc_mutex);
+ return -EFAULT;
}
stuser_set_state(stuser, MRPC_IDLE);
-out:
mutex_unlock(&stdev->mrpc_mutex);
if (stuser->status == SWITCHTEC_MRPC_STATUS_DONE ||