input: touchscreen: gt9xx: fix memory corruption in Goodix driver

Fix memory corruption in Goodix touchscreen driver, by resetting
the global structure cmd_head to zero (except *data and wr flag)
in goodix_tool_write handler on error case.

Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
Signed-off-by: Vevek Venkatesan <vevekv@codeaurora.org>

1 files changed, 7 insertions, 1 deletions

diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
index 1657f56558ce..ded8c88fdac9 100644
--- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
+++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
@@ -1,7 +1,7 @@
 /* drivers/input/touchscreen/goodix_tool.c
  *
  * 2010 - 2012 Goodix Technology.
- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -308,6 +308,7 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
 						size_t count, loff_t *ppos)
 {
 	s32 ret = 0;
+	u8 *dataptr = NULL;
 
 	mutex_lock(&lock);
 	ret = copy_from_user(&cmd_head, userbuf, CMD_HEAD_LENGTH);
@@ -463,6 +464,11 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
 	ret = CMD_HEAD_LENGTH;
 
 exit:
+	dataptr = cmd_head.data;
+	memset(&cmd_head, 0, sizeof(cmd_head));
+	cmd_head.wr = 0xFF;
+	cmd_head.data = dataptr;
+
 	mutex_unlock(&lock);
 	return ret;
 }