Google Git
Sign in
android / kernel / msm / 2ac5dc64f60a3c8829fd2b44ab0a7f320a22c8a9^! / .
commit2ac5dc64f60a3c8829fd2b44ab0a7f320a22c8a9[log] [tgz]
authorAndrew Chant <achant@google.com>Tue Jan 17 09:26:36 2017 -0800
committerAriel Yin <ayin@google.com>Wed Jan 18 16:13:15 2017 -0800
treeaa7bd120c6b765affd67e79f7cfb2a2ea532286d
parent3d63c530096ccd118ab7078c7b9f93c040f803bd [diff]
input: synaptics: put offset checks under mutex.

Place file offset validity checks under mutex.

BUG: 33555878
BUG: 33002026
Change-Id: I7eae42b9f69bf12114001e2edf752f219edfc56e
Signed-off-by: Andrew Chant <achant@google.com>

diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
index bb9ddd9..a9704af 100644
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c

@@ -355,17 +355,24 @@
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
 
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto unlock;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto unlock;
+	}
 
 	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-	if (!tmpbuf)
-		return -ENOMEM;
-
-	mutex_lock(&(dev_data->file_mutex));
+	if (!tmpbuf) {
+		retval = -ENOMEM;
+		goto unlock;
+	}
 
 	retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
 			*f_pos,
@@ -380,9 +387,10 @@
 		*f_pos += retval;
 
 clean_up:
+	kfree(tmpbuf);
+unlock:
 	mutex_unlock(&(dev_data->file_mutex));
 
-	kfree(tmpbuf);
 	return retval;
 }
 
@@ -406,22 +414,29 @@
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
 
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto unlock;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
-
-	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-	if (!tmpbuf)
-		return -ENOMEM;
-
-	if (copy_from_user(tmpbuf, buf, count)) {
-		kfree(tmpbuf);
-		return -EFAULT;
+	if (count == 0) {
+		retval = 0;
+		goto unlock;
 	}
 
-	mutex_lock(&(dev_data->file_mutex));
+	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
+	if (!tmpbuf) {
+		retval = -ENOMEM;
+		goto unlock;
+	}
+
+	if (copy_from_user(tmpbuf, buf, count)) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 
 	retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
 			*f_pos,
@@ -429,9 +444,10 @@
 			count);
 	if (retval >= 0)
 		*f_pos += retval;
-
-	mutex_unlock(&(dev_data->file_mutex));
+clean_up:
 	kfree(tmpbuf);
+unlock:
+	mutex_unlock(&(dev_data->file_mutex));
 	return retval;
 }
 

diff --git a/drivers/input/touchscreen/synaptics_rmi_dev.c b/drivers/input/touchscreen/synaptics_rmi_dev.c
index 8859558..4e9812b 100644
--- a/drivers/input/touchscreen/synaptics_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c

@@ -299,13 +299,19 @@
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
 
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto clean_up;
+	}
 
-	mutex_lock(&(dev_data->file_mutex));
 
 	retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
 			*f_pos,
@@ -345,16 +351,23 @@
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
 
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto clean_up;
+	}
 
-	if (copy_from_user(tmpbuf, buf, count))
-		return -EFAULT;
-
-	mutex_lock(&(dev_data->file_mutex));
+	if (copy_from_user(tmpbuf, buf, count)) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 
 	retval = rmidev->fn_ptr->write(rmidev->rmi4_data,
 			*f_pos,
@@ -362,7 +375,7 @@
 			count);
 	if (retval >= 0)
 		*f_pos += retval;
-
+clean_up:
 	mutex_unlock(&(dev_data->file_mutex));
 
 	return retval;
@@ -503,7 +516,7 @@
 		goto err_rmidev;
 	}
 
-	rmidev->fn_ptr =  kzalloc(sizeof(*(rmidev->fn_ptr)), GFP_KERNEL);
+	rmidev->fn_ptr = kzalloc(sizeof(*(rmidev->fn_ptr)), GFP_KERNEL);
 	if (!rmidev->fn_ptr) {
 		dev_err(&rmi4_data->i2c_client->dev,
 				"%s: Failed to alloc mem for fn_ptr\n",