Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d95b239d authored by Shantanu Jain's avatar Shantanu Jain
Browse files

input: synaptics_dsx_2.6: protect tmpbuf allocation 

Protect tmpbuf from concurrent access by mutex.
BUG: 33555878
BUG: 33002026

Git-repo: https://android.googlesource.com/kernel/msm


Git-commit: e6430a4da1fb0212a546379eadbe986f629c3ae9
Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
Signed-off-by: default avatarAndrew Chant <achant@google.com>
[shjain@codeaurora.org: apply the similar code change
to synaptics v2.6 driver, as it was not applying cleanly.]
Signed-off-by: default avatarShantanu Jain <shjain@codeaurora.org>
parent 23b255f3

drivers/input/touchscreen/synaptics_dsx_2.6/synaptics_dsx_rmi_dev.c

+24 −9
Original line number Diff line number Diff line
@@ -562,18 +562,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, 
		return -EBADF;

	}



	if (count == 0)

		return 0;

	mutex_lock(&(dev_data->file_mutex));



	if (*f_pos > REG_ADDR_LIMIT) {

		retval = -EFAULT;

		goto clean_up;

	}



	if (count > (REG_ADDR_LIMIT - *f_pos))

		count = REG_ADDR_LIMIT - *f_pos;



	if (count == 0) {

		retval = 0;

		goto clean_up;

	}

	address = (unsigned short)(*f_pos);



	rmidev_allocate_buffer(count);



	mutex_lock(&(dev_data->file_mutex));



	retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,

			*f_pos,

			rmidev->tmpbuf,
@@ -633,18 +639,26 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, 
		return -EBADF;

	}



	if (count == 0)

		return 0;

	mutex_lock(&(dev_data->file_mutex));



	if (*f_pos > REG_ADDR_LIMIT) {

		retval = -EFAULT;

		goto unlock;

	}



	if (count > (REG_ADDR_LIMIT - *f_pos))

		count = REG_ADDR_LIMIT - *f_pos;



	if (count == 0) {

		retval = 0;

		goto unlock;

	}

	rmidev_allocate_buffer(count);



	if (copy_from_user(rmidev->tmpbuf, buf, count))

	if (copy_from_user(rmidev->tmpbuf, buf, count)) {

		return -EFAULT;



	mutex_lock(&(dev_data->file_mutex));

		goto unlock;

	}



	retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,

			*f_pos,
@@ -653,6 +667,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, 
	if (retval >= 0)

		*f_pos += retval;



unlock:

	mutex_unlock(&(dev_data->file_mutex));



	return retval;