evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

input: synaptics: fix for buggy code poined by SIL tool

Browse source 
Place file offset validity checks under mutex for
synaptics_dsx_rmi_dev.c touch driver.

Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e1fb1600fc222337989e3084d68df929882deae5
Change-Id: I2c32babbccb483547204cb2843973abf97e988a5
Signed-off-by: Andrew Chant <achant@google.com>
[srkupp@codeaurora.org: This change is a fix for buggy
code pointed by sil after merging the above commit.}
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
This commit is contained in:
Andrew Chant 2017-03-31 15:33:48 +05:30 committed by Gerrit - the friendly Code Review server
parent f1a10f1598
commit d60fed08b9
1 changed files with 36 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
View file

@ -355,18 +355,25 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
return -EBADF; return -EBADF;
} }
if (count == 0) mutex_lock(&(dev_data->file_mutex));
return 0;
if (count > (REG_ADDR_LIMIT - *f_pos)) if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos; count = REG_ADDR_LIMIT - *f_pos;
if (count == 0) {
retval = 0;
goto unlock;
}
if (*f_pos > REG_ADDR_LIMIT) {
retval = -EFAULT;
goto unlock;
}
tmpbuf = kzalloc(count + 1, GFP_KERNEL); tmpbuf = kzalloc(count + 1, GFP_KERNEL);
if (!tmpbuf) if (!tmpbuf) {
return -ENOMEM; retval = -ENOMEM;
goto unlock;
mutex_lock(&(dev_data->file_mutex)); }
retval = synaptics_rmi4_reg_read(rmidev->rmi4_data, retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
*f_pos, *f_pos,
tmpbuf, tmpbuf,
@ -380,8 +387,9 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
*f_pos += retval; *f_pos += retval;
clean_up: clean_up:
mutex_unlock(&(dev_data->file_mutex));
kfree(tmpbuf); kfree(tmpbuf);
unlock:
mutex_unlock(&(dev_data->file_mutex));
return retval; return retval;
} }
@ -405,21 +413,31 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
return -EBADF; return -EBADF;
} }
if (count == 0) mutex_lock(&(dev_data->file_mutex));
return 0;
if (*f_pos > REG_ADDR_LIMIT) {
retval = -EFAULT;
goto unlock;
}
if (count > (REG_ADDR_LIMIT - *f_pos)) if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos; count = REG_ADDR_LIMIT - *f_pos;
if (count == 0) {
retval = 0;
goto unlock;
}
tmpbuf = kzalloc(count + 1, GFP_KERNEL); tmpbuf = kzalloc(count + 1, GFP_KERNEL);
if (!tmpbuf) if (!tmpbuf) {
return -ENOMEM; retval = -ENOMEM;
goto unlock;
}
if (copy_from_user(tmpbuf, buf, count)) { if (copy_from_user(tmpbuf, buf, count)) {
kfree(tmpbuf); retval = -EFAULT;
return -EFAULT; goto clean_up;
} }
mutex_lock(&(dev_data->file_mutex));
retval = synaptics_rmi4_reg_write(rmidev->rmi4_data, retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
*f_pos, *f_pos,
@ -428,8 +446,10 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
if (retval >= 0) if (retval >= 0)
*f_pos += retval; *f_pos += retval;
mutex_unlock(&(dev_data->file_mutex)); clean_up:
kfree(tmpbuf); kfree(tmpbuf);
unlock:
mutex_unlock(&(dev_data->file_mutex));
return retval; return retval;
} }