Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15android-15-beta-1_r0.7android-gs-shusky-5.15-android15-dp

SBMerger: 610748217
Change-Id: I43570d7d183542afea64c54a1c79c032c5373919
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

2 files changed, 11 insertions, 0 deletions

diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c
index 12b3b99..a869463 100644
--- a/lwis_periodic_io.c
+++ b/lwis_periodic_io.c
@@ -534,7 +534,9 @@ int lwis_periodic_io_client_flush(struct lwis_client *client)
 			periodic_io->active = false;
 		}
 		it_periodic_io_list->hr_timer_state = LWIS_HRTIMER_INACTIVE;
+		spin_unlock_irqrestore(&client->periodic_io_lock, flags);
 		hrtimer_cancel(&it_periodic_io_list->hr_timer);
+		spin_lock_irqsave(&client->periodic_io_lock, flags);
 	}
 	spin_unlock_irqrestore(&client->periodic_io_lock, flags);
 
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 019a09b..0f4228b 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -902,6 +902,15 @@ static int prepare_response_locked(struct lwis_client *client, struct lwis_trans
 	/* Event response payload consists of header, and address and offset pairs. */
 	resp_size = sizeof(struct lwis_transaction_response_header) +
 		    read_entries * sizeof(struct lwis_io_result) + read_buf_size;
+
+	if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
+
+	if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) -
+				    read_entries * sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
 	/*
 	 * Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is
 	 * because this function can be called by transaction_replace while