input: synaptics: put offset checks under mutex.
Place file offset validity checks under mutex.
BUG: 33555878
BUG: 33002026
Change-Id: I7eae42b9f69bf12114001e2edf752f219edfc56e
Signed-off-by: Andrew Chant <achant@google.com>
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
index bb9ddd9..a9704af 100644
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
@@ -355,17 +355,24 @@
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto unlock;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto unlock;
+ }
tmpbuf = kzalloc(count + 1, GFP_KERNEL);
- if (!tmpbuf)
- return -ENOMEM;
-
- mutex_lock(&(dev_data->file_mutex));
+ if (!tmpbuf) {
+ retval = -ENOMEM;
+ goto unlock;
+ }
retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
*f_pos,
@@ -380,9 +387,10 @@
*f_pos += retval;
clean_up:
+ kfree(tmpbuf);
+unlock:
mutex_unlock(&(dev_data->file_mutex));
- kfree(tmpbuf);
return retval;
}
@@ -406,22 +414,29 @@
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto unlock;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
-
- tmpbuf = kzalloc(count + 1, GFP_KERNEL);
- if (!tmpbuf)
- return -ENOMEM;
-
- if (copy_from_user(tmpbuf, buf, count)) {
- kfree(tmpbuf);
- return -EFAULT;
+ if (count == 0) {
+ retval = 0;
+ goto unlock;
}
- mutex_lock(&(dev_data->file_mutex));
+ tmpbuf = kzalloc(count + 1, GFP_KERNEL);
+ if (!tmpbuf) {
+ retval = -ENOMEM;
+ goto unlock;
+ }
+
+ if (copy_from_user(tmpbuf, buf, count)) {
+ retval = -EFAULT;
+ goto clean_up;
+ }
retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
*f_pos,
@@ -429,9 +444,10 @@
count);
if (retval >= 0)
*f_pos += retval;
-
- mutex_unlock(&(dev_data->file_mutex));
+clean_up:
kfree(tmpbuf);
+unlock:
+ mutex_unlock(&(dev_data->file_mutex));
return retval;
}
diff --git a/drivers/input/touchscreen/synaptics_rmi_dev.c b/drivers/input/touchscreen/synaptics_rmi_dev.c
index 8859558..4e9812b 100644
--- a/drivers/input/touchscreen/synaptics_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c
@@ -299,13 +299,19 @@
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto clean_up;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto clean_up;
+ }
- mutex_lock(&(dev_data->file_mutex));
retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
*f_pos,
@@ -345,16 +351,23 @@
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto clean_up;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto clean_up;
+ }
- if (copy_from_user(tmpbuf, buf, count))
- return -EFAULT;
-
- mutex_lock(&(dev_data->file_mutex));
+ if (copy_from_user(tmpbuf, buf, count)) {
+ retval = -EFAULT;
+ goto clean_up;
+ }
retval = rmidev->fn_ptr->write(rmidev->rmi4_data,
*f_pos,
@@ -362,7 +375,7 @@
count);
if (retval >= 0)
*f_pos += retval;
-
+clean_up:
mutex_unlock(&(dev_data->file_mutex));
return retval;
@@ -503,7 +516,7 @@
goto err_rmidev;
}
- rmidev->fn_ptr = kzalloc(sizeof(*(rmidev->fn_ptr)), GFP_KERNEL);
+ rmidev->fn_ptr = kzalloc(sizeof(*(rmidev->fn_ptr)), GFP_KERNEL);
if (!rmidev->fn_ptr) {
dev_err(&rmi4_data->i2c_client->dev,
"%s: Failed to alloc mem for fn_ptr\n",