pwm: Ensure ioctl() returns a negative errno on error

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

copy_to_user() returns the number of bytes not copied, thus if there is
a problem a positive number. However the ioctl callback is supposed to
return a negative error code on error.

This error is a unfortunate as strictly speaking it became ABI with the
introduction of pwm character devices. However I never saw the issue in
real life -- I found this by code inspection -- and it only affects an
error case where readonly memory is passed to the ioctls or the address
mapping changes while the ioctl is active. Also there are already error
cases returning negative values, so the calling code must be prepared to
see such values already.

Fixes: 9c06f26ba5f5 ("pwm: Add support for pwmchip devices for faster and easier userspace access")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260119151325.571857-2-u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>

authored by

Uwe Kleine-König and committed by

Uwe Kleine-König 2 months ago c198b777 8f0b4cce

+6 -4

1 changed file

expand all

drivers

pwm

core.c

+6 -4

drivers/pwm/core.c

··· 2295 2295 .duty_offset_ns = wf.duty_offset_ns, 2296 2296 }; 2297 2297 2298 - return copy_to_user((struct pwmchip_waveform __user *)arg, 2299 - &cwf, sizeof(cwf)); 2298 + ret = copy_to_user((struct pwmchip_waveform __user *)arg, 2299 + &cwf, sizeof(cwf)); 2300 + return ret ? -EFAULT : 0; 2300 2301 } 2301 2302 2302 2303 case PWM_IOCTL_GETWF: ··· 2330 2329 .duty_offset_ns = wf.duty_offset_ns, 2331 2330 }; 2332 2331 2333 - return copy_to_user((struct pwmchip_waveform __user *)arg, 2334 - &cwf, sizeof(cwf)); 2332 + ret = copy_to_user((struct pwmchip_waveform __user *)arg, 2333 + &cwf, sizeof(cwf)); 2334 + return ret ? -EFAULT : 0; 2335 2335 } 2336 2336 2337 2337 case PWM_IOCTL_SETROUNDEDWF: