input: synaptics_dsx_force: protect tmpbuf allocation

Protect tmpbuf from concurrent access by mutex.
BUG: 33555878
BUG: 33002026

Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
Signed-off-by: Andrew Chant <achant@google.com>
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e6430a4da1fb0212a546379eadbe986f629c3ae9
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
Signed-off-by: Chenyang Zhong <zhongcy95@gmail.com>
Signed-off-by: Khusika Dhamar Gusti <mail@khusika.com>

drivers/input/touchscreen/synaptics_dsx_force/synaptics_dsx_rmi_dev.c

@@ -566,15 +566,22 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
+
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto clean_up;
+	}
 
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
 
-	address = (unsigned short)(*f_pos);
+	if (count == 0) {
+		retval = 0;
+		goto clean_up;
+	}
 
-	mutex_lock(&(dev_data->file_mutex));
+	address = (unsigned short)(*f_pos);
 
 	rmidev_allocate_buffer(count);
 
@@ -637,19 +644,26 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 		return -EBADF;
 	}
 
-	if (count == 0)
-		return 0;
+	mutex_lock(&(dev_data->file_mutex));
+
+	if (*f_pos > REG_ADDR_LIMIT) {
+		retval = -EFAULT;
+		goto unlock;
+	}
 
 	if (count > (REG_ADDR_LIMIT - *f_pos))
 		count = REG_ADDR_LIMIT - *f_pos;
 
-	mutex_lock(&(dev_data->file_mutex));
+	if (count == 0) {
+		retval = 0;
+		goto unlock;
+	}
 
 	rmidev_allocate_buffer(count);
 
 	if (copy_from_user(rmidev->tmpbuf, buf, count)) {
-		mutex_unlock(&(dev_data->file_mutex));
 		return -EFAULT;
+		goto unlock;
 	}
 
 	retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
@@ -659,6 +673,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
 	if (retval >= 0)
 		*f_pos += retval;
 
+unlock:
 	mutex_unlock(&(dev_data->file_mutex));
 
 	return retval;