
Commit b127d75

Andrew ChantGerrit - the friendly Code Review server
authored andcommitted
input: synaptics: put offset checks under mutex.
Place file offset validity checks under mutex. BUG: 33555878 BUG: 33002026 Change-Id: I1945cfc8af7d1a310ae0d7bbb85002d4c448f30b Signed-off-by: Andrew Chant <[email protected]> Git-repo: https://android.googlesource.com/kernel/msm Git-commit: e1fb160 Resolved minor merge conflict Signed-off-by: Srinivasa Rao Kuppala <[email protected]>
1 parent 477fae1 commit b127d75


1 file changed

+36
-16
lines changed

1 file changed

+36
-16
lines changed

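--- a/drivers/input/touchscreen/synaptics_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c
@@ -299,18 +299,26 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 return -EBADF;
 }
 
-if (count == 0)
-return 0;
+mutex_lock(&(dev_data->file_mutex));
 
 if (count > (REG_ADDR_LIMIT - *f_pos))
 count = REG_ADDR_LIMIT - *f_pos;
 
-tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-if (!tmpbuf)
-return -ENOMEM;
+if (count == 0) {
+retval = 0;
+goto unlock;
+}
 
-mutex_lock(&(dev_data->file_mutex));
+if (*f_pos > REG_ADDR_LIMIT) {
+retval = -EFAULT;
+goto unlock;
+}
 
+tmpbuf = kzalloc(count + 1, GFP_KERNEL);
+if (!tmpbuf) {
+retval = -ENOMEM;
+goto unlock;
+}
 retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
 *f_pos,
 tmpbuf,
@@ -324,8 +332,9 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 *f_pos += retval;
 
 clean_up:
-mutex_unlock(&(dev_data->file_mutex));
 kfree(tmpbuf);
+unlock:
+mutex_unlock(&(dev_data->file_mutex));
 return retval;
 }
 
@@ -349,32 +358,43 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 return -EBADF;
 }
 
-if (count == 0)
-return 0;
+mutex_lock(&(dev_data->file_mutex));
+
+if (*f_pos > REG_ADDR_LIMIT) {
+retval = -EFAULT;
+goto unlock;
+}
 
 if (count > (REG_ADDR_LIMIT - *f_pos))
 count = REG_ADDR_LIMIT - *f_pos;
 
+if (count == 0) {
+retval = 0;
+goto unlock;
+}
+
 tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-if (!tmpbuf)
-return -ENOMEM;
+if (!tmpbuf) {
+retval = -ENOMEM;
+goto unlock;
+}
 
 if (copy_from_user(tmpbuf, buf, count)) {
-kfree(tmpbuf);
-return -EFAULT;
+retval = -EFAULT;
+goto clean_up;
 }
 
-mutex_lock(&(dev_data->file_mutex));
-
 retval = rmidev->fn_ptr->write(rmidev->rmi4_data,
 *f_pos,
 tmpbuf,
 count);
 if (retval >= 0)
 *f_pos += retval;
 
-mutex_unlock(&(dev_data->file_mutex));
+clean_up:
 kfree(tmpbuf);
+unlock:
+mutex_unlock(&(dev_data->file_mutex));
 return retval;
 }
 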
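Review bot: In rmidev_read the clamp `count = REG_ADDR_LIMIT - *f_pos;` still runs before the new `if (*f_pos > REG_ADDR_LIMIT)` check, so for an out-of-range offset the subtraction goes negative and the outcome depends on how the mixed signed/unsigned comparison with `count` converts. rmidev_write in the same commit validates the offset first. The later check does reject the request before kzalloc(), but a zero-length read at a bad offset can return 0 where the write path returns -EFAULT. Moving the `*f_pos > REG_ADDR_LIMIT` block to directly after `mutex_lock(&(dev_data->file_mutex));` in rmidev_read would make the two paths match and keep the arithmetic in range. Neither path rejects a negative `*f_pos`; whether that can occur depends on the llseek handler, which is outside these hunks, as are the start and middle of both function bodies.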
