Merge "HID: qvr: Fix for potential heap buffer overflow"

	return sensor->calib_data_len;

}

static uint8_t *read_calibration_data(void)

static uint8_t *read_calibration_data(int calib_data_len)

{

	struct qvr_external_sensor *sensor = &qvr_external_sensor;

	__u8 *hid_buf;

	uint8_t read_len;

	uint8_t *complete_data = NULL;

	if (sensor->calib_data_len < 0) {

	if (calib_data_len <= 0) {

		pr_err("%s: calibration data len missing\n", __func__);

		return NULL;

	}

	hid_buf[0] = QVR_HID_REPORT_ID_CAL;

	hid_buf[1] = QVR_CMD_ID_CALIBRATION_BLOCK_DATA;

	complete_data = kzalloc(sensor->calib_data_len, GFP_KERNEL);

	complete_data = kzalloc(calib_data_len, GFP_KERNEL);

	if (complete_data == NULL) {

		kfree(hid_buf);

		return NULL;

	}

	total_read_len = 0;

	while (total_read_len < sensor->calib_data_len) {

	while (total_read_len < calib_data_len) {

		sensor->calib_data_recv = 0;

		ret = hid_hw_raw_request(sensor->hdev, hid_buf[0],

			hid_buf,

			return NULL;

		}

		read_len = sensor->calib_data_pkt[2];

		if (total_read_len > sensor->calib_data_len - read_len) {

		if (read_len <= 0) {

			pr_err("%s:Viewer returned non positve length\n", __func__);

			kfree(hid_buf);

			kfree(complete_data);

			return NULL;

		}

		if (total_read_len > calib_data_len - read_len) {

			kfree(hid_buf);

			kfree(complete_data);

			return NULL;

	struct qvr_external_sensor *sensor = &qvr_external_sensor;

	struct qvr_calib_data data;

	uint8_t *calib_data;

	int lcalib_data_len;

	void __user *argp = (void __user *)arg;

	int ret;

			return -EFAULT;

		return 0;

	case QVR_READ_CALIB_DATA:

		lcalib_data_len = sensor->calib_data_len;

		sensor->calib_data_recv = 0;

		calib_data = read_calibration_data();

		calib_data = read_calibration_data(lcalib_data_len);

		if (calib_data == NULL)

			return -ENOMEM;

		data.data_ptr = (__u64)arg;

		if (copy_to_user(u64_to_user_ptr(data.data_ptr), calib_data,

				sensor->calib_data_len)) {

				lcalib_data_len)) {

			kfree(calib_data);

			return -EFAULT;

		}