authorAndrew Chant <achant@google.com>2017-03-31 15:33:48 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2017-05-02 01:18:11 -0700
commitd60fed08b96bc32bef51cf4fd9276e44414702d0 (patch)
treea5da799cdddfc48f237d1778533de937fa7cbd19
parentf1a10f1598632dc7ab10b369083a21ff68b8398b (diff)
input: synaptics: fix for buggy code poined by SIL tool
Place file offset validity checks under mutex for synaptics_dsx_rmi_dev.c touch driver. Git-repo: https://android.googlesource.com/kernel/msm Git-commit: e1fb1600fc222337989e3084d68df929882deae5 Change-Id: I2c32babbccb483547204cb2843973abf97e988a5 Signed-off-by: Andrew Chant <achant@google.com> [srkupp@codeaurora.org: This change is a fix for buggy code pointed by sil after merging the above commit.] Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org> Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
-rw-r--r--drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c52
1 files changed, 36 insertions, 16 deletions
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
index 9d61eb110e2f..c1cbec81d7d6 100644
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c
@@ -355,18 +355,25 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
- tmpbuf = kzalloc(count + 1, GFP_KERNEL);
- if (!tmpbuf)
- return -ENOMEM;
-
- mutex_lock(&(dev_data->file_mutex));
+ if (count == 0) {
+ retval = 0;
+ goto unlock;
+ }
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto unlock;
+ }
+ tmpbuf = kzalloc(count + 1, GFP_KERNEL);
+ if (!tmpbuf) {
+ retval = -ENOMEM;
+ goto unlock;
+ }
retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
*f_pos,
tmpbuf,
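Review bot: In rmidev_read the clamp `count = REG_ADDR_LIMIT - *f_pos` still runs before the new `if (*f_pos > REG_ADDR_LIMIT)` check, so for an offset past the limit the subtraction is negative and count is compared against a wrapped or sign-converted value before the request is rejected. The later check does stop the request before `kzalloc()`, so this looks safe as written, but it relies on statement order and on size_t/loff_t conversion, and a zero-length read at an out-of-range offset may return 0 where rmidev_write in this same commit returns -EFAULT. I would move the `*f_pos > REG_ADDR_LIMIT` block to directly after `mutex_lock(&(dev_data->file_mutex));`, matching the write path, and add a comment such as `/* validate *f_pos under file_mutex before deriving count from it */`. The function starts and ends outside this hunk.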
@@ -380,8 +387,9 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
*f_pos += retval;
clean_up:
- mutex_unlock(&(dev_data->file_mutex));
kfree(tmpbuf);
+unlock:
+ mutex_unlock(&(dev_data->file_mutex));
return retval;
}
@@ -405,21 +413,31 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
return -EBADF;
}
- if (count == 0)
- return 0;
+ mutex_lock(&(dev_data->file_mutex));
+
+ if (*f_pos > REG_ADDR_LIMIT) {
+ retval = -EFAULT;
+ goto unlock;
+ }
if (count > (REG_ADDR_LIMIT - *f_pos))
count = REG_ADDR_LIMIT - *f_pos;
+ if (count == 0) {
+ retval = 0;
+ goto unlock;
+ }
+
tmpbuf = kzalloc(count + 1, GFP_KERNEL);
- if (!tmpbuf)
- return -ENOMEM;
+ if (!tmpbuf) {
+ retval = -ENOMEM;
+ goto unlock;
+ }
if (copy_from_user(tmpbuf, buf, count)) {
- kfree(tmpbuf);
- return -EFAULT;
+ retval = -EFAULT;
+ goto clean_up;
}
- mutex_lock(&(dev_data->file_mutex));
retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
*f_pos,
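Review bot: `copy_from_user()` in rmidev_write is now called with `dev_data->file_mutex` held, so a slow or faulting user buffer keeps the lock for the duration and stalls any other path that takes it. Sleeping under a mutex is permitted and the lock is needed so that `*f_pos` cannot change between the bound check and `synaptics_rmi4_reg_write()`, but the trade-off deserves a comment at the lock, for example `/* file_mutex covers the *f_pos checks through the register write; copy_from_user() may sleep here */`. If contention on this node matters, the copy could instead be done before locking with count capped to REG_ADDR_LIMIT and then re-clamped under the lock; that is a suggestion, since the callers and REG_ADDR_LIMIT are not visible in this hunk.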
@@ -428,8 +446,10 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
if (retval >= 0)
*f_pos += retval;
- mutex_unlock(&(dev_data->file_mutex));
+clean_up:
kfree(tmpbuf);
+unlock:
+ mutex_unlock(&(dev_data->file_mutex));
return retval;
}