gntdev: Handle errors from suword32() in gntdev_alloc_gref()

Try to copy out output values before handling errors, and check that we
did so successfully.  In particular, it doesn't seem sensible to ignore
errors here, otherwise userspace won't have any way to refer to the
allocations.

This is in preparation for annotating copyin() and related functions
with __result_use_check.

Reviewed by:	royger
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D43145

1 files changed, 7 insertions, 5 deletions

diff --git a/sys/dev/xen/gntdev/gntdev.c b/sys/dev/xen/gntdev/gntdev.c
index a9b69ba1605e..4530feb1c76d 100644
--- a/sys/dev/xen/gntdev/gntdev.c
+++ b/sys/dev/xen/gntdev/gntdev.c
@@ -383,6 +383,13 @@ gntdev_alloc_gref(struct ioctl_gntdev_alloc_gref *arg)
 		}
 	}
 
+	/* Copy the output values. */
+	arg->index = file_offset;
+	for (i = 0; error == 0 && i < arg->count; i++) {
+		if (suword32(&arg->gref_ids[i], grefs[i].gref_id) != 0)
+			error = EFAULT;
+	}
+
 	if (error != 0) {
 		/*
 		 * If target domain maps the gref (by guessing the gref-id),
@@ -401,11 +408,6 @@ gntdev_alloc_gref(struct ioctl_gntdev_alloc_gref *arg)
 		return (error);
 	}
 
-	/* Copy the output values. */
-	arg->index = file_offset;
-	for (i = 0; i < arg->count; i++)
-		suword32(&arg->gref_ids[i], grefs[i].gref_id);
-
 	/* Modify the per user private data. */
 	mtx_lock(&priv_user->user_data_lock);
 	for (i = 0; i < arg->count; i++)