diff options
author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2024-03-03 18:35:47 -0800 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2024-03-03 18:35:47 -0800 |
commit | b2d348143eab2adb6b0e37b30b83266ef3a6ab6d (patch) | |
tree | 03ab77f08ebfc6737ad52363e8040c5216d1045d | |
parent | 516e32c5121566291779c9f24b4dbe42a9bf4edc (diff) | |
parent | e876445f635623e647d590dcd6840d5f079f396a (diff) | |
download | lwis-android-gs-shusky-5.15-android15-dp.tar.gz |
Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15android-15-beta-1_r0.7android-gs-shusky-5.15-android15-dp
SBMerger: 610748217
Change-Id: I43570d7d183542afea64c54a1c79c032c5373919
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | lwis_periodic_io.c | 2 | ||||
-rw-r--r-- | lwis_transaction.c | 9 |
2 files changed, 11 insertions, 0 deletions
diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c index 12b3b99..a869463 100644 --- a/lwis_periodic_io.c +++ b/lwis_periodic_io.c @@ -534,7 +534,9 @@ int lwis_periodic_io_client_flush(struct lwis_client *client) periodic_io->active = false; } it_periodic_io_list->hr_timer_state = LWIS_HRTIMER_INACTIVE; + spin_unlock_irqrestore(&client->periodic_io_lock, flags); hrtimer_cancel(&it_periodic_io_list->hr_timer); + spin_lock_irqsave(&client->periodic_io_lock, flags); } spin_unlock_irqrestore(&client->periodic_io_lock, flags); diff --git a/lwis_transaction.c b/lwis_transaction.c index 019a09b..0f4228b 100644 --- a/lwis_transaction.c +++ b/lwis_transaction.c @@ -902,6 +902,15 @@ static int prepare_response_locked(struct lwis_client *client, struct lwis_trans /* Event response payload consists of header, and address and offset pairs. */ resp_size = sizeof(struct lwis_transaction_response_header) + read_entries * sizeof(struct lwis_io_result) + read_buf_size; + + if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) { + return -EOVERFLOW; + } + + if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) - + read_entries * sizeof(struct lwis_io_result)) { + return -EOVERFLOW; + } /* * Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is * because this function can be called by transaction_replace while |