From: Jesper Juhl akpm: really, reads are supposed to return the number-of-bytes-read on faults, or -EFAULT of no bytes were read. This patch returns either zero or -EFAULT, ignoring any successfully transferred data. But the user interface (whcih is an ioctl()) was never set up to do that. Signed-off-by: Jesper Juhl Signed-off-by: Andrew Morton --- 25-akpm/drivers/cdrom/cdrom.c | 15 ++++++++++----- 1 files changed, 10 insertions(+), 5 deletions(-) diff -puN drivers/cdrom/cdrom.c~remember-to-check-return-value-from-__copy_to_user-in drivers/cdrom/cdrom.c --- 25/drivers/cdrom/cdrom.c~remember-to-check-return-value-from-__copy_to_user-in 2004-09-07 03:14:15.362906392 -0700 +++ 25-akpm/drivers/cdrom/cdrom.c 2004-09-07 03:16:42.870481832 -0700 @@ -2019,7 +2019,8 @@ static int cdrom_read_cdda_old(struct cd int lba, int nframes) { struct packet_command cgc; - int nr, ret; + int ret = 0; + int nr; cdi->last_sense = 0; @@ -2041,8 +2042,8 @@ static int cdrom_read_cdda_old(struct cd return -ENOMEM; if (!access_ok(VERIFY_WRITE, ubuf, nframes * CD_FRAMESIZE_RAW)) { - kfree(cgc.buffer); - return -EFAULT; + ret = -EFAULT; + goto out; } cgc.data_direction = CGC_DATA_READ; @@ -2053,13 +2054,17 @@ static int cdrom_read_cdda_old(struct cd ret = cdrom_read_block(cdi, &cgc, lba, nr, 1, CD_FRAMESIZE_RAW); if (ret) break; - __copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr); + if (__copy_to_user(ubuf, cgc.buffer, CD_FRAMESIZE_RAW * nr)) { + ret = -EFAULT; + break; + } ubuf += CD_FRAMESIZE_RAW * nr; nframes -= nr; lba += nr; } +out: kfree(cgc.buffer); - return 0; + return ret; } static int cdrom_read_cdda_bpc(struct cdrom_device_info *cdi, __u8 __user *ubuf, _