drivers/usr/*.c

	- fix copy_{to,from}_user error handling (thanks to Rusty for pointing this out)

drivers/usb/class/audio.c

@@ -2542,7 +2542,9 @@ static int usb_audio_ioctl(struct inode *inode, struct file *file, unsigned int
 		if (as->usbin.dma.mapped)
 			as->usbin.dma.count &= as->usbin.dma.fragsize-1;
 		spin_unlock_irqrestore(&as->lock, flags);
-		return copy_to_user((void *)arg, &cinfo, sizeof(cinfo));
+		if (copy_to_user((void *)arg, &cinfo, sizeof(cinfo)))
+			return -EFAULT;
+		return 0;
 
 	case SNDCTL_DSP_GETOPTR:
 		if (!(file->f_mode & FMODE_WRITE))
@@ -2554,7 +2556,9 @@ static int usb_audio_ioctl(struct inode *inode, struct file *file, unsigned int
 		if (as->usbout.dma.mapped)
 			as->usbout.dma.count &= as->usbout.dma.fragsize-1;
 		spin_unlock_irqrestore(&as->lock, flags);
-		return copy_to_user((void *)arg, &cinfo, sizeof(cinfo));
+		if (copy_to_user((void *)arg, &cinfo, sizeof(cinfo)))
+			return -EFAULT;
+		return 0;
 
        case SNDCTL_DSP_GETBLKSIZE:
 		if (file->f_mode & FMODE_WRITE) {

drivers/usb/class/bluetty.c

@@ -490,7 +490,10 @@ static int bluetooth_write (struct tty_struct * tty, int from_user, const unsign
 			retval = -ENOMEM;
 			goto exit;
 		}
-		copy_from_user (temp_buffer, buf, count);
+		if (copy_from_user (temp_buffer, buf, count)) {
+			retval = -EFAULT;
+			goto exit;
+		}
 		current_buffer = temp_buffer;
 	} else {
 		current_buffer = buf;

drivers/usb/class/cdc-acm.c

@@ -367,9 +367,10 @@ static int acm_tty_write(struct tty_struct *tty, int from_user, const unsigned c
 
 	count = (count > acm->writesize) ? acm->writesize : count;
 
-	if (from_user)
-		copy_from_user(acm->writeurb->transfer_buffer, buf, count);
-	else
+	if (from_user) {
+		if (copy_from_user(acm->writeurb->transfer_buffer, buf, count))
+			return -EFAULT;
+	} else
 		memcpy(acm->writeurb->transfer_buffer, buf, count);
 
 	acm->writeurb->transfer_buffer_length = count;

drivers/usb/host/uhci-debug.c

@@ -552,7 +552,8 @@ static ssize_t uhci_proc_read(struct file *file, char *buf, size_t nbytes,
 	if (!access_ok(VERIFY_WRITE, buf, nbytes))
 		return -EINVAL;
 
-	copy_to_user(buf, up->data + pos, nbytes);
+	if (copy_to_user(buf, up->data + pos, nbytes))
+		return -EFAULT;
 
 	*ppos += nbytes;
 

drivers/usb/input/hiddev.c

@@ -389,7 +389,9 @@ static int hiddev_ioctl(struct inode *inode, struct file *file,
 		dinfo.product = dev->descriptor.idProduct;
 		dinfo.version = dev->descriptor.bcdDevice;
 		dinfo.num_applications = hid->maxapplication;
-		return copy_to_user((void *) arg, &dinfo, sizeof(dinfo));
+		if (copy_to_user((void *) arg, &dinfo, sizeof(dinfo)))
+			return -EFAULT;
+		return 0;
 	}
 
 	case HIDIOCGFLAG:
@@ -480,7 +482,9 @@ static int hiddev_ioctl(struct inode *inode, struct file *file,
 
 		rinfo.num_fields = report->maxfield;
 
-		return copy_to_user((void *) arg, &rinfo, sizeof(rinfo));
+		if (copy_to_user((void *) arg, &rinfo, sizeof(rinfo)))
+			return -EFAULT;
+		return 0;
 
 	case HIDIOCGFIELDINFO:
 	{
@@ -512,7 +516,9 @@ static int hiddev_ioctl(struct inode *inode, struct file *file,
 		finfo.unit_exponent = field->unit_exponent;
 		finfo.unit = field->unit;
 
-		return copy_to_user((void *) arg, &finfo, sizeof(finfo));
+		if (copy_to_user((void *) arg, &finfo, sizeof(finfo)))
+			return -EFAULT;
+		return 0;
 	}
 
 	case HIDIOCGUCODE:
@@ -533,7 +539,9 @@ static int hiddev_ioctl(struct inode *inode, struct file *file,
 
 		uref.usage_code = field->usage[uref.usage_index].hid;
 
-		return copy_to_user((void *) arg, &uref, sizeof(uref));
+		if (copy_to_user((void *) arg, &uref, sizeof(uref)))
+			return -EFAULT;
+		return 0;
 
 	case HIDIOCGUSAGE:
 	case HIDIOCSUSAGE:
@@ -564,7 +572,9 @@ static int hiddev_ioctl(struct inode *inode, struct file *file,
 
 		if (cmd == HIDIOCGUSAGE) {
 			uref.value = field->value[uref.usage_index];
-			return copy_to_user((void *) arg, &uref, sizeof(uref));
+			if (copy_to_user((void *) arg, &uref, sizeof(uref)))
+				return -EFAULT;
+			return 0;
 		} else {
 			field->value[uref.usage_index] = uref.value;
 		}

drivers/usb/media/dabusb.c

@@ -680,7 +680,9 @@ static int dabusb_ioctl (struct inode *inode, struct file *file, unsigned int cm
 
 		ret=dabusb_bulk (s, pbulk);
 		if(ret==0)
-			ret = copy_to_user ((void *) arg, pbulk, sizeof (bulk_transfer_t));
+			if (copy_to_user((void *)arg, pbulk,
+					 sizeof(bulk_transfer_t)))
+				ret = -EFAULT;
 		kfree (pbulk);
 		break;
 

drivers/usb/misc/auerswald.c

@@ -1553,7 +1553,7 @@ static int auerchar_ioctl (struct inode *inode, struct file *file, unsigned int
 		if (u > devinfo.bsize) {
 			u = devinfo.bsize;
 		}
-		ret = copy_to_user(devinfo.buf, cp->dev_desc, u);
+		ret = copy_to_user(devinfo.buf, cp->dev_desc, u) ? -EFAULT : 0;
 		break;
 
 	/* get the max. string descriptor length */
@@ -1803,7 +1803,7 @@ static ssize_t auerchar_write (struct file *file, const char *buf, size_t len, l
 		wake_up (&cp->bufferwait);
 		up (&cp->mutex);
 		up (&ccp->mutex);
-		return -EIO;
+		return -EFAULT;
 	}
 
 	/* set the header byte */

drivers/usb/serial/ipaq.c

@@ -353,7 +353,8 @@ static int ipaq_write_bulk(struct usb_serial_port *port, int from_user, const un
 	}
 
 	if (from_user) {
-		copy_from_user(pkt->data, buf, count);
+		if (copy_from_user(pkt->data, buf, count))
+			return -EFAULT;
 	} else {
 		memcpy(pkt->data, buf, count);
 	}

drivers/usb/serial/safe_serial.c

@@ -319,7 +319,8 @@ static int safe_write (struct usb_serial_port *port, int from_user, const unsign
 	memset (data, '0', packet_length);
 
 	if (from_user) {
-		copy_from_user (data, buf, count);
+		if (copy_from_user (data, buf, count))
+			return -EFAULT;
 	} else {
 		memcpy (data, buf, count);
 	}