From patchwork Mon Nov 4 11:44:52 2019
X-Patchwork-Submitter: Lucas Stach
X-Patchwork-Id: 11225511
From: Lucas Stach
To: Dmitry Torokhov
Cc: linux-input@vger.kernel.org, patchwork-lst@pengutronix.de, kernel@pengutronix.de
Subject: [PATCH resend 1/3] Input: synaptics-rmi4 - fix video buffer size
Date: Mon, 4 Nov 2019 12:44:52 +0100
Message-Id: <20191104114454.10500-1-l.stach@pengutronix.de>

The video buffer used by the queue is a vb2_v4l2_buffer, not a plain vb2_buffer. Using the wrong type causes the allocation of the buffer storage to be too small, causing an out of bounds write when __init_vb2_v4l2_buffer initializes the buffer.

Fixes: 3a762dbd5347 ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics")
Signed-off-by: Lucas Stach
--- drivers/input/rmi4/rmi_f54.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c index 710b02595486..4841354af0d7 100644 --- a/drivers/input/rmi4/rmi_f54.c +++ b/drivers/input/rmi4/rmi_f54.c 
@@ -359,7 +359,7 @@ static const struct vb2_ops rmi_f54_queue_ops = { static const struct vb2_queue rmi_f54_queue = { .type = V4L2_BUF_TYPE_VIDEO_CAPTURE, .io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF | VB2_READ, - .buf_struct_size = sizeof(struct vb2_buffer), + .buf_struct_size = sizeof(struct vb2_v4l2_buffer), .ops = &rmi_f54_queue_ops, .mem_ops = &vb2_vmalloc_memops, .timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC,
From patchwork Mon Nov 4 11:44:53 2019
X-Patchwork-Submitter: Lucas Stach
X-Patchwork-Id: 11225515
From: Lucas Stach
To: Dmitry Torokhov
Cc: linux-input@vger.kernel.org, patchwork-lst@pengutronix.de, kernel@pengutronix.de
Subject: [PATCH resend 2/3] Input: synaptics-rmi4 - add dummy F54 attention handler
Date: Mon, 4 Nov 2019 12:44:53 +0100
Message-Id: <20191104114454.10500-2-l.stach@pengutronix.de>
In-Reply-To: <20191104114454.10500-1-l.stach@pengutronix.de>
References: <20191104114454.10500-1-l.stach@pengutronix.de>

F54 is IRQ capable, even if it is not used in the current driver implementation. The common driver code in rmi_create_function_irq always installs an irq handler for functions that are IRQ capable. Without an assigned attention handler, this means a NULL pointer being passed as the nested IRQ handler. This seems to work with some architecture implementations, but crashes on others like ARM64. Don't rely on implementation defined behavior and actually install a proper attention handler.

Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
Signed-off-by: Lucas Stach
--- drivers/input/rmi4/rmi_f54.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c index 4841354af0d7..22390e89c680 100644 --- a/drivers/input/rmi4/rmi_f54.c +++ b/drivers/input/rmi4/rmi_f54.c @@ -732,6 +732,11 @@ static void rmi_f54_remove(struct rmi_function *fn) v4l2_device_unregister(&f54->v4l2); } +static irqreturn_t rmi_f54_attention(int irq, void *ctx) +{ + return IRQ_HANDLED; +} + struct rmi_function_handler rmi_f54_handler = { .driver = { .name = F54_NAME, 
@@ -740,4 +745,5 @@ struct rmi_function_handler rmi_f54_handler = { .probe = rmi_f54_probe, .config = rmi_f54_config, .remove = rmi_f54_remove, + .attention = rmi_f54_attention, };
From patchwork Mon Nov 4 11:44:54 2019
X-Patchwork-Submitter: Lucas Stach
X-Patchwork-Id: 11225513
From: Lucas Stach
To: Dmitry Torokhov
Cc: linux-input@vger.kernel.org, patchwork-lst@pengutronix.de, kernel@pengutronix.de
Subject: [PATCH resend 3/3] Input: synaptics-rmi4 - simplify data read in rmi_f54_work
Date: Mon, 4 Nov 2019 12:44:54 +0100
Message-Id: <20191104114454.10500-3-l.stach@pengutronix.de>
In-Reply-To: <20191104114454.10500-1-l.stach@pengutronix.de>
References: <20191104114454.10500-1-l.stach@pengutronix.de>

The body of the for loop is only ever run once as the second standard_report element is never changed from its initial zero init, so the loop condition is never satisfied after the first run. Equally the start member of the first element is never changed from 0, so the index offset is always a constant 0. Remove this needless obfuscation of the code and write it in a straightforward manner.

Signed-off-by: Lucas Stach
--- drivers/input/rmi4/rmi_f54.c | 48 ++++++++++++------------------------ 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c index 22390e89c680..5b1799bdfb62 100644 --- a/drivers/input/rmi4/rmi_f54.c +++ b/drivers/input/rmi4/rmi_f54.c @@ -81,11 +81,6 @@ static const char * const rmi_f54_report_type_names[] = { = "Full Raw Capacitance RX Offset Removed", }; -struct rmi_f54_reports { - int start; - int size; -}; - struct f54_data { struct rmi_function *fn; @@ -98,7 +93,6 @@ struct f54_data { enum rmi_f54_report_type report_type; u8 *report_data; int report_size; - struct rmi_f54_reports standard_report[2]; bool is_busy; struct mutex status_mutex; 
@@ -516,13 +510,10 @@ static void rmi_f54_work(struct work_struct *work) struct f54_data *f54 = container_of(work, struct f54_data, work.work); struct rmi_function *fn = f54->fn; u8 fifo[2]; - struct rmi_f54_reports *report; int report_size; u8 command; - u8 *data; int error; - data = f54->report_data; report_size = rmi_f54_get_report_size(f54); if (report_size == 0) { dev_err(&fn->dev, "Bad report size, report type=%d\n", @@ -530,8 +521,6 @@ static void rmi_f54_work(struct work_struct *work) error = -EINVAL; goto error; /* retry won't help */ } - f54->standard_report[0].size = report_size; - report = f54->standard_report; mutex_lock(&f54->data_mutex); @@ -556,28 +545,23 @@ static void rmi_f54_work(struct work_struct *work) rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Get report command completed, reading data\n"); - report_size = 0; - for (; report->size; report++) { - fifo[0] = report->start & 0xff; - fifo[1] = (report->start >> 8) & 0xff; - error = rmi_write_block(fn->rmi_dev, - fn->fd.data_base_addr + F54_FIFO_OFFSET, - fifo, sizeof(fifo)); - if (error) { - dev_err(&fn->dev, "Failed to set fifo start offset\n"); - goto abort; - } + fifo[0] = 0; + fifo[1] = 0; + error = rmi_write_block(fn->rmi_dev, + fn->fd.data_base_addr + F54_FIFO_OFFSET, + fifo, sizeof(fifo)); + if (error) { + dev_err(&fn->dev, "Failed to set fifo start offset\n"); + goto abort; + } - error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + - F54_REPORT_DATA_OFFSET, data, - report->size); - if (error) { - dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", - __func__, report->size, error); - goto abort; - } - data += report->size; - report_size += report->size; + error = rmi_read_block(fn->rmi_dev, fn->fd.data_base_addr + + F54_REPORT_DATA_OFFSET, f54->report_data, + report_size); + if (error) { + dev_err(&fn->dev, "%s: read [%d bytes] returned %d\n", + __func__, report_size, error); + goto abort; } abort:
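Review bot: the `.buf_struct_size` change in the @@ -359,7 +359,7 @@ hunk of 1/3 fixes what the commit message calls an out of bounds write, but the patch carries only a Fixes: tag. A memory-corruption fix like this would normally also carry Cc: stable@vger.kernel.org so that it reaches the stable trees containing 3a762dbd5347.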
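Review bot: `rmi_f54_attention()` in the @@ -732,6 +732,11 @@ hunk of 2/3 is an empty stub with no comment saying why it exists, so it reads like dead code that a later cleanup could remove, bringing back the NULL nested handler described in the commit message. A one-line comment above it, saying that F54 is IRQ capable and that rmi_create_function_irq needs a non-NULL handler even though the driver does not use the interrupt, would prevent that.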
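Review bot: setting `.attention` in the @@ -740,4 +745,5 @@ hunk of 2/3 fixes F54 only, while the commit message places the NULL handler in the common rmi_create_function_irq path, so any other IRQ capable function handler without an `.attention` callback would hit the same crash. Consider a follow-up that makes the common code reject or skip a handler whose `.attention` is NULL, so the problem is caught at registration rather than at the first interrupt.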
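Review bot: with `report_size = 0;` removed in the @@ -556,28 +545,23 @@ hunk of 3/3, `report_size` still holds the full expected size when either `goto abort` is taken, whereas the old code reached `abort:` with 0 if the write or the read failed. Please confirm that the code after `abort:` does not store or expose `report_size` when `error` is set, or reset it on the two failure paths, so that a failed read cannot be presented as a complete report.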