input: synaptics: put offset checks under mutex.

Place file offset validity checks under mutex. BUG: 33555878 BUG: 33002026 Change-Id: I7eae42b9f69bf12114001e2edf752f219edfc56e Signed-off-by: Andrew Chant <achant@google.com>

input: synaptics: put offset checks under mutex.
2ac5dc64 · Andrew Chant · Ariel Yin · 3d63c530 · 2ac5dc64 · 2ac5dc64
Commit 2ac5dc64 authored Jan 17, 2017 by Andrew Chant Committed by Ariel Yin Jan 19, 2017
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
@@ -355,17 +355,24 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 		return -EBADF;
 	}
-	if (count == 0)
+	mutex_lock(&(dev_data->file_mutex));
-		return 0;
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto unlock;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto unlock;
+	}
 	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-	if (!tmpbuf)
+	if (!tmpbuf) {
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto unlock;
-	mutex_lock(&(dev_data->file_mutex));
+	}
 	retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
 			*f_pos,
@@ -380,9 +387,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 		*f_pos += retval;
 clean_up:
+	kfree(tmpbuf);
+unlock:
 	mutex_unlock(&(dev_data->file_mutex));
-	kfree(tmpbuf);
 	return retval;
 }
@@ -406,32 +414,40 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 		return -EBADF;
 	}
-	if (count == 0)
+	mutex_lock(&(dev_data->file_mutex));
-		return 0;
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto unlock;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto unlock;
+	}
 	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-	if (!tmpbuf)
+	if (!tmpbuf) {
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto unlock;
+	}
 	if (copy_from_user(tmpbuf, buf, count)) {
-		kfree(tmpbuf);
+		retval = -EFAULT;
-		return -EFAULT;
+		goto clean_up;
 	}
-	mutex_lock(&(dev_data->file_mutex));
 	retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
 			*f_pos,
 			tmpbuf,
 			count);
 	if (retval >= 0)
 		*f_pos += retval;
+clean_up:
-	mutex_unlock(&(dev_data->file_mutex));
 	kfree(tmpbuf);
+unlock:
+	mutex_unlock(&(dev_data->file_mutex));
 	return retval;
 }

--- a/drivers/input/touchscreen/synaptics_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_rmi_dev.c
@@ -299,13 +299,19 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 		return -EBADF;
 	}
-	if (count == 0)
+	mutex_lock(&(dev_data->file_mutex));
-		return 0;
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto clean_up;
+	}
-	mutex_lock(&(dev_data->file_mutex));
 	retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
 			*f_pos,
@@ -345,16 +351,23 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 		return -EBADF;
 	}
-	if (count == 0)
+	mutex_lock(&(dev_data->file_mutex));
-		return 0;
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
+	if (count == 0) {
+		retval = 0;
+		goto clean_up;
+	}
-	if (copy_from_user(tmpbuf, buf, count))
+	if (copy_from_user(tmpbuf, buf, count)) {
-		return -EFAULT;
+		retval = -EFAULT;
+		goto clean_up;
-	mutex_lock(&(dev_data->file_mutex));
+	}
 	retval = rmidev->fn_ptr->write(rmidev->rmi4_data,
 			*f_pos,
@@ -362,7 +375,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 			count);
 	if (retval >= 0)
 		*f_pos += retval;
+clean_up:
 	mutex_unlock(&(dev_data->file_mutex));
 	return retval;