From: Leon Romanovsky <leonro@mellanox.com>
Date: Tue, 2 Jun 2020 15:55:46 +0300
Subject: RDMA/mlx5: Return an error if copy_to_user fails
Patch-mainline: v5.8-rc1
Git-commit: 6512f11d386c7cf83a48e71cfd7c7c1b0003c151
References: jsc#SLE-15175

In theoretical event, the ib_copy_to_udata() can fail, so return -EFAULT
error to the user, so he will destroy the QP.

Fixes: 50aec2c3135e ("RDMA/mlx5: Return ECE data after modify QP")
Link: https://lore.kernel.org/r/20200602125548.172654-2-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/infiniband/hw/mlx5/qp.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -4305,12 +4305,8 @@ int mlx5_ib_modify_qp(struct ib_qp *ibqp
 	/* resp.response_length is set in ECE supported flows only */
 	if (!err && resp.response_length &&
 	    udata->outlen >= resp.response_length)
-		/*
-		 * We don't check return value of the function below
-		 * on purpose, because it is unclear how to unwind the
-		 * error flow after QP was modified to the new state.
-		 */
-		ib_copy_to_udata(udata, &resp, resp.response_length);
+		/* Return -EFAULT to the user and expect him to destroy QP. */
+		err = ib_copy_to_udata(udata, &resp, resp.response_length);
 
 out:
 	mutex_unlock(&qp->mutex);