Merge android14-gs-pixel-5.15-24Q2 into android14-gs-pixel-5.15
SBMerger: 610748217
Change-Id: I43570d7d183542afea64c54a1c79c032c5373919
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c
index 12b3b99..a869463 100644
--- a/lwis_periodic_io.c
+++ b/lwis_periodic_io.c
@@ -534,7 +534,9 @@
periodic_io->active = false;
}
it_periodic_io_list->hr_timer_state = LWIS_HRTIMER_INACTIVE;
+ spin_unlock_irqrestore(&client->periodic_io_lock, flags);
hrtimer_cancel(&it_periodic_io_list->hr_timer);
+ spin_lock_irqsave(&client->periodic_io_lock, flags);
}
spin_unlock_irqrestore(&client->periodic_io_lock, flags);
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 019a09b..0f4228b 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -902,6 +902,15 @@
/* Event response payload consists of header, and address and offset pairs. */
resp_size = sizeof(struct lwis_transaction_response_header) +
read_entries * sizeof(struct lwis_io_result) + read_buf_size;
+
+ if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) {
+ return -EOVERFLOW;
+ }
+
+ if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) -
+ read_entries * sizeof(struct lwis_io_result)) {
+ return -EOVERFLOW;
+ }
/*
* Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is
* because this function can be called by transaction_replace while
