mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-06 01:22:20 +00:00
92 lines
2.4 KiB
Diff
92 lines
2.4 KiB
Diff
From e6430a4da1fb0212a546379eadbe986f629c3ae9 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Chant <achant@google.com>
|
|
Date: Fri, 13 Jan 2017 11:41:03 -0800
|
|
Subject: [PATCH] input: synaptics_dsx: protect tmpbuf allocation.
|
|
|
|
Protect tmpbuf from concurrent access by mutex.
|
|
|
|
BUG: 33555878
|
|
BUG: 33002026
|
|
Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
|
|
Signed-off-by: Andrew Chant <achant@google.com>
|
|
---
|
|
.../synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c | 36 ++++++++++++++--------
|
|
1 file changed, 24 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
|
|
index e699dfea50c81..6878b71da9be0 100644
|
|
--- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
|
|
+++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_rmi_dev.c
|
|
@@ -565,18 +565,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
|
|
return -EBADF;
|
|
}
|
|
|
|
- if (count == 0)
|
|
- return 0;
|
|
+ mutex_lock(&(dev_data->file_mutex));
|
|
+
|
|
+ if (*f_pos > REG_ADDR_LIMIT) {
|
|
+ retval = -EFAULT;
|
|
+ goto clean_up;
|
|
+ }
|
|
|
|
if (count > (REG_ADDR_LIMIT - *f_pos))
|
|
count = REG_ADDR_LIMIT - *f_pos;
|
|
|
|
+ if (count == 0) {
|
|
+ retval = 0;
|
|
+ goto clean_up;
|
|
+ }
|
|
address = (unsigned short)(*f_pos);
|
|
|
|
rmidev_allocate_buffer(count);
|
|
|
|
- mutex_lock(&(dev_data->file_mutex));
|
|
-
|
|
retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
|
|
*f_pos,
|
|
rmidev->tmpbuf,
|
|
@@ -636,19 +642,25 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
|
|
return -EBADF;
|
|
}
|
|
|
|
- if (count == 0)
|
|
- return 0;
|
|
+ mutex_lock(&(dev_data->file_mutex));
|
|
|
|
+ if (*f_pos > REG_ADDR_LIMIT) {
|
|
+ retval = -EFAULT;
|
|
+ goto unlock;
|
|
+ }
|
|
if (count > (REG_ADDR_LIMIT - *f_pos))
|
|
count = REG_ADDR_LIMIT - *f_pos;
|
|
+ if (count == 0) {
|
|
+ retval = 0;
|
|
+ goto unlock;
|
|
+ }
|
|
|
|
rmidev_allocate_buffer(count);
|
|
|
|
- if (copy_from_user(rmidev->tmpbuf, buf, count))
|
|
- return -EFAULT;
|
|
-
|
|
- mutex_lock(&(dev_data->file_mutex));
|
|
-
|
|
+ if (copy_from_user(rmidev->tmpbuf, buf, count)) {
|
|
+ retval = -EFAULT;
|
|
+ goto unlock;
|
|
+ }
|
|
retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
|
|
*f_pos,
|
|
rmidev->tmpbuf,
|
|
@@ -656,8 +668,8 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
|
|
if (retval >= 0)
|
|
*f_pos += retval;
|
|
|
|
+unlock:
|
|
mutex_unlock(&(dev_data->file_mutex));
|
|
-
|
|
return retval;
|
|
}
|
|
|