
input: synaptics: fix for buggy code poined by SIL tool
authorAndrew Chant <achant@google.com>
Fri, 31 Mar 2017 10:03:48 +0000 (15:33 +0530)
committerGerrit - the friendly Code Review server <code-review@localhost>
Tue, 2 May 2017 08:18:11 +0000 (01:18 -0700)
Place file offset validity checks under mutex for
synaptics_dsx_rmi_dev.c touch driver.

Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e1fb1600fc222337989e3084d68df929882deae5
Change-Id: I2c32babbccb483547204cb2843973abf97e988a5
Signed-off-by: Andrew Chant <achant@google.com>
[srkupp@codeaurora.org: This change is a fix for buggy
code pointed out by SIL after merging the above commit.]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c

index 9d61eb1..c1cbec8 100644 (file)
@@ -355,18 +355,25 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
                return -EBADF;
        }
 
-       if (count == 0)
-               return 0;
+       mutex_lock(&(dev_data->file_mutex));
 
        if (count > (REG_ADDR_LIMIT - *f_pos))
                count = REG_ADDR_LIMIT - *f_pos;
 
-       tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-       if (!tmpbuf)
-               return -ENOMEM;
-
-       mutex_lock(&(dev_data->file_mutex));
+       if (count == 0) {
+               retval = 0;
+               goto unlock;
+       }
 
+       if (*f_pos > REG_ADDR_LIMIT) {
+               retval = -EFAULT;
+               goto unlock;
+       }
+       tmpbuf = kzalloc(count + 1, GFP_KERNEL);
+       if (!tmpbuf) {
+               retval = -ENOMEM;
+               goto unlock;
+       }
        retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
                        *f_pos,
                        tmpbuf,
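Review bot: In this rmidev_read hunk the `*f_pos > REG_ADDR_LIMIT` test runs after `count` has already been clamped with `REG_ADDR_LIMIT - *f_pos` and after the `count == 0` early exit, whereas the rmidev_write hunk validates the offset first. For an offset past the limit the subtraction is negative and is compared against what is presumably an unsigned `count`, and a zero-length read at such an offset returns 0 where the write path returns -EFAULT. Moving the check directly after `mutex_lock()` would make the two paths agree. Both hunks also bound the offset only from above; loff_t is signed, so unless the VFS or this driver's llseek (not visible here) already rejects negative offsets, `if (*f_pos < 0 || *f_pos > REG_ADDR_LIMIT)` would be the safer condition. rmidev_read begins before this hunk and continues past it.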
@@ -380,8 +387,9 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
                *f_pos += retval;
 
 clean_up:
-       mutex_unlock(&(dev_data->file_mutex));
        kfree(tmpbuf);
+unlock:
+       mutex_unlock(&(dev_data->file_mutex));
        return retval;
 }
 
@@ -405,21 +413,31 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
                return -EBADF;
        }
 
-       if (count == 0)
-               return 0;
+       mutex_lock(&(dev_data->file_mutex));
+
+       if (*f_pos > REG_ADDR_LIMIT) {
+               retval = -EFAULT;
+               goto unlock;
+       }
 
        if (count > (REG_ADDR_LIMIT - *f_pos))
                count = REG_ADDR_LIMIT - *f_pos;
 
+       if (count == 0) {
+               retval = 0;
+               goto unlock;
+       }
+
        tmpbuf = kzalloc(count + 1, GFP_KERNEL);
-       if (!tmpbuf)
-               return -ENOMEM;
+       if (!tmpbuf) {
+               retval = -ENOMEM;
+               goto unlock;
+       }
 
        if (copy_from_user(tmpbuf, buf, count)) {
-               kfree(tmpbuf);
-               return -EFAULT;
+               retval = -EFAULT;
+               goto clean_up;
        }
-       mutex_lock(&(dev_data->file_mutex));
 
        retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
                        *f_pos,
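Review bot: `copy_from_user()` is now called with `dev_data->file_mutex` held, so a page fault on the caller's buffer sleeps inside the critical section and every other path that takes this mutex waits for it. The lock has to cover the clamp because `count` is derived from `*f_pos`, so this looks deliberate, but it deserves a comment above the copy, e.g. `/* file_mutex held across the copy: count was clamped against *f_pos above */`. If lock hold time matters for this device, an alternative is to copy at most REG_ADDR_LIMIT bytes into `tmpbuf` before taking the mutex and clamp afterwards. rmidev_write starts before this hunk and its register write continues past it.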
@@ -428,8 +446,10 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
        if (retval >= 0)
                *f_pos += retval;
 
-       mutex_unlock(&(dev_data->file_mutex));
+clean_up:
        kfree(tmpbuf);
+unlock:
+       mutex_unlock(&(dev_data->file_mutex));
        return retval;
 }