input: synaptics: fix for buggy code poined by SIL tool · d60fed08b9 - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

input: synaptics: fix for buggy code poined by SIL tool

Place file offset validity checks under mutex for
synaptics_dsx_rmi_dev.c touch driver.

Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e1fb1600fc222337989e3084d68df929882deae5
Change-Id: I2c32babbccb483547204cb2843973abf97e988a5
Signed-off-by: Andrew Chant <achant@google.com>
[srkupp@codeaurora.org: This change is a fix for buggy
code pointed by sil after merging the above commit.}
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>

This commit is contained in:

Andrew Chant

2017-03-31 15:33:48 +05:30

• committed by

Gerrit - the friendly Code Review server

parent f1a10f1598

commit d60fed08b9

1 changed files with 36 additions and 16 deletions

									
										52

drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
									
										View file
										
				@ -355,18 +355,25 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,

						return -EBADF;

					}

					if (count == 0)

						return 0;

					mutex_lock(&(dev_data->file_mutex));

					if (count > (REG_ADDR_LIMIT - *f_pos))

						count = REG_ADDR_LIMIT - *f_pos;

					if (count == 0) {

						retval = 0;

						goto unlock;

					}

					if (*f_pos > REG_ADDR_LIMIT) {

						retval = -EFAULT;

						goto unlock;

					}

					tmpbuf = kzalloc(count + 1, GFP_KERNEL);

					if (!tmpbuf)

						return -ENOMEM;

					mutex_lock(&(dev_data->file_mutex));

					if (!tmpbuf) {

						retval = -ENOMEM;

						goto unlock;

					}

					retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,

							*f_pos,

							tmpbuf,

				@ -380,8 +387,9 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,

						*f_pos += retval;

				clean_up:

					mutex_unlock(&(dev_data->file_mutex));

					kfree(tmpbuf);

				unlock:

					mutex_unlock(&(dev_data->file_mutex));

					return retval;

				}

				@ -405,21 +413,31 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,

						return -EBADF;

					}

					if (count == 0)

						return 0;

					mutex_lock(&(dev_data->file_mutex));

					if (*f_pos > REG_ADDR_LIMIT) {

						retval = -EFAULT;

						goto unlock;

					}

					if (count > (REG_ADDR_LIMIT - *f_pos))

						count = REG_ADDR_LIMIT - *f_pos;

					if (count == 0) {

						retval = 0;

						goto unlock;

					}

					tmpbuf = kzalloc(count + 1, GFP_KERNEL);

					if (!tmpbuf)

						return -ENOMEM;

					if (!tmpbuf) {

						retval = -ENOMEM;

						goto unlock;

					}

					if (copy_from_user(tmpbuf, buf, count)) {

						kfree(tmpbuf);

						return -EFAULT;

						retval = -EFAULT;

						goto clean_up;

					}

					mutex_lock(&(dev_data->file_mutex));

					retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,

							*f_pos,

				@ -428,8 +446,10 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,

					if (retval >= 0)

						*f_pos += retval;

					mutex_unlock(&(dev_data->file_mutex));

				clean_up:

					kfree(tmpbuf);

				unlock:

					mutex_unlock(&(dev_data->file_mutex));

					return retval;

				}