commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.
No timer must be left running when the device goes away.
Change-Id: Icd16bfab1811857f77e026577f340ad072aadab0
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
sec_ts touch driver sysfs store callback had a couple of userspace buffer copy
operations where it was not checking the validity of the length being copied
from the source buffer. This CL adds the necessary boundary checks to make sure the
destination kernel buffer is not overflowed.
Bug: 120211708
Bug: 120211415
Change-Id: I8bfe1ab9ae50d89ce12eeaf856204c20056a2061
Signed-off-by: Biswajit Dash <bisdash@google.com>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
This patch fixes a spelling typo in Documentation/DocBook.
Because the .html and .xml files are generated by make htmldocs,
I have to fix a typo within the source files.
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Currently we set CONFIG_CC_OPTIMIZE_FOR_SIZE which suppressed the compiler
warning of unused variables which can lead to undefined behavior e.g. memory
corruption and panic. See https://lkml.org/lkml/2013/3/25/347.
This patch fixes all the uninitialized variables in kernel.
Bug: 33353384
Test: On device
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I0ae1082f447b435d71156d471878ba71aa16c378
Limit the index to buffer length while copying from
'strptr' to 'firmware_id'.
Change-Id: I1d7cb7a3d9593ca213c7f7341776632e635eb0df
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
Xbox One controllers have multiple interfaces which all have the
same class, subclass, and protocol. One of these interfaces
has only a single endpoint. When Xpad attempts to bind to this
interface, it causes an oops when trying to initialize the output URB
by trying to access the second endpoint's descriptor.
This situation was avoided for known Xbox One devices by checking
the XTYPE constant associated with the VID and PID tuple. However,
this breaks when new or previously unknown Xbox One controllers
are attached to the system.
This change addresses the problem by deriving the XTYPE for Xbox
One controllers based on the interface protocol before checking
the interface number.
Change-Id: I4ff76812beaafe9ba79abb631150e17811109416
Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers")
Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Git-commit: 7bbfe460f9428724ca1eda618c32eb0e2018c30c
Git-repo: https://android.googlesource.com/kernel/common.git
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Remove unused Synaptics DSX touch screen driver files as these
are not used in any of the latest targets.
Change-Id: I0cc19825691c92fee1c5b71ff7e9e7a6253f6afe
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
commit 00159f19a5057cb779146afce1cceede692af346 upstream.
Do not emit EV_SYN/SYN_REPORT on suspend if there were no keys that are
still pressed as we are suspending the device (and in all other cases when
input core is forcibly releasing keys via input_dev_release_keys() call).
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Bo Hu <bohu@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The current implementation prevents us from adding variable-length ioctls.
Use a bunch of gotos instead of break to allow us to do so.
No functional changes.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit e8b95728f724797f958912fd9b765a695595d3a6 upstream.
Normally, when input device supporting force feedback effects is being
destroyed, we try to "flush" currently playing effects, so that the
physical device does not continue vibrating (or executing other effects).
Unfortunately this does not work well for uinput as flushing of the effects
deadlocks with the destroy action:
- if device is being destroyed because the file descriptor is being closed,
  then there is no one to even service FF requests;
- if device is being destroyed because userspace sent UI_DEV_DESTROY,
  while theoretically it could be possible to service FF requests,
  userspace is unlikely to do so (they'd need to make sure FF handling
  happens on a separate thread) even if kernel solves the issue with FF
  ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex.
To avoid lockups like the one below, let's install a custom input device
flush handler, and avoid trying to flush force feedback effects when we
are destroying the device, and instead rely on uinput to shut off the device
properly.
NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
...
<<EOE>> [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40
[<ffffffff810e633d>] complete+0x1d/0x50
[<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput]
[<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput]
[<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput]
[<ffffffff815d91ad>] erase_effect+0xad/0xf0
[<ffffffff815d929d>] flush_effects+0x4d/0x90
[<ffffffff815d4cc0>] input_flush_device+0x40/0x60
[<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0
[<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60
[<ffffffff815d74ac>] __input_unregister_device+0xac/0x150
[<ffffffff815d75f7>] input_unregister_device+0x47/0x70
[<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput]
[<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput]
[<ffffffff811231ab>] ? do_futex+0x12b/0xad0
[<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput]
[<ffffffff81241248>] do_vfs_ioctl+0x298/0x480
[<ffffffff81337553>] ? security_file_ioctl+0x43/0x60
[<ffffffff812414a9>] SyS_ioctl+0x79/0x90
[<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Reported-by: Clément VUCHENER <clement.vuchener@gmail.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Add checks of the user input count to avoid possible heap overflow
Signed-off-by: Min Chong <mchong@google.com>
Change-Id: I1d50a103a0abcbff5eb6bf204607170e9278dec3
Bug: 31913197
commit 45536d373a21d441bd488f618b6e3e9bfae839f3 upstream.
Postpone axis initialization to the first open instead of doing it
in joydev_connect. This is to make sure the generated startup events
are representative of the current joystick state rather than what
it was when joydev_connect() was called, potentially much earlier.
Once the first user is connected to joydev node we'll be updating
joydev->abs[] values and subsequent clients will be getting correct
initial states as well.
This solves issues with joystick driven menus that start scrolling
up each time they are started, until the user moves the joystick to
generate events. In emulator menu setups where the menu program is
restarted every time the game exits, the repeated need to move the
joystick to stop the unintended scrolling gets old rather quickly...
Signed-off-by: Raphael Assenat <raph@raphnet.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory that lies beyond the end of the endpoint
array should a malicious device lack the expected endpoints.
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b6fc513da50c5dbc457a8ad6b58b046a6a68fd9d upstream.
Currently the controllers get the same product id as the wireless
receiver. However the controllers actually have their own product id.
The patch makes the driver expose the same product id as the Windows
driver.
This improves compatibility when running applications with WINE.
See https://github.com/paroj/xpad/issues/54
Change-Id: Iceec5153b2c2f9de2fe34a5c08971170475e9909
Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit affa80bd97f7ca282d1faa91667b3ee9e4c590e6 upstream.
When running a 32-bit userspace on a 64-bit kernel, the UI_SET_PHYS
ioctl needs to be treated with special care, as it has the pointer
size encoded in the command.
Signed-off-by: Ricky Liang <jcliang@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
parse_hid_report_descriptor() has a while (i < length) loop, which
only guarantees that there's at least 1 byte in the buffer, but the
loop body can read multiple bytes which causes out-of-bounds access.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Change-Id: I7b57556c100d28d8f10c03ea5480224e770fb64a
Git-commit: a50829479f58416a013a4ccca791336af3c584c7
Git-repo: https://android.googlesource.com/kernel/common
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Bug: 62800865
Change-Id: I83428f32afc77050580d1f1b3f69938cf90f9256
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
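An added illustration of the bounds problem described in the parse_hid_report_descriptor() message above (not code from that patch or from the kernel): a user-space walk over HID report descriptor items in which the loop condition covers only the prefix byte and a separate check covers the item's data bytes. The names `hid_scan` and `sample_desc` and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample descriptor: Usage Page, Usage, Collection,
 * Logical Maximum (2 data bytes, value 255), End Collection. */
static const uint8_t sample_desc[] = {
    0x05, 0x01, 0x09, 0x02, 0xA1, 0x01, 0x26, 0xFF, 0x00, 0xC0 };

/* Short-item data length, selected by the low two bits of the prefix. */
static const size_t short_item_len[4] = { 0, 1, 2, 4 };

/* Walk the descriptor. Returns the number of items, or -1 if an item
 * claims more bytes than remain. Stores the last Logical Maximum seen
 * (raw, unsigned) in *logical_max. */
int hid_scan(const uint8_t *buf, size_t length, uint32_t *logical_max)
{
    size_t i = 0;
    int items = 0;
    while (i < length) {               /* guarantees the prefix byte only */
        uint8_t prefix = buf[i++];
        size_t size = short_item_len[prefix & 0x03];
        int is_long = (prefix == 0xFE);
        if (is_long) {                 /* bDataSize, bLongItemTag, then data */
            if (length - i < 2)
                return -1;
            size = 2 + (size_t)buf[i];
        }
        if (size > length - i)         /* every data byte must be in bounds */
            return -1;
        if (!is_long && (prefix & 0xFC) == 0x24) {   /* Logical Maximum */
            uint32_t v = 0;
            for (size_t k = 0; k < size; k++)
                v |= (uint32_t)buf[i + k] << (8 * k); /* little-endian */
            *logical_max = v;
        }
        i += size;
        items++;
    }
    return items;
}

int main(void)
{
    uint32_t max = 0, scratch = 0;
    int full = hid_scan(sample_desc, sizeof(sample_desc), &max);
    int cut = hid_scan(sample_desc, 8, &scratch);   /* ends inside an item */
    printf("items=%d logical_max=%u truncated=%d\n", full, (unsigned)max, cut);
    return 0;
}
```

Writing the comparison as `size > length - i` keeps the arithmetic from wrapping, since `i` never exceeds `length` at that point.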
Validate the intr_reg_num value returned by touchscreen
to ensure no out of bounds access can occur.
Bug: 35472278
Change-Id: I70f0215d6e9a6bf42efad33e2d9d8e6f745be5a1
Signed-off-by: Andrew Chant <achant@google.com>
Validate the intr_reg_num value returned by touchscreen
to ensure no out of bounds access can occur.
Bug: 35472278
Signed-off-by: Andrew Chant <achant@google.com>
Change-Id: Ib2b5a53034fd1306d29a74ff0f2f698f149fc8c3
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 70e632224737d448b1b4083af7d6b8fcee02b192
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Validate the intr_reg_num value returned by touchscreen
to ensure no out of bounds access can occur.
Bug: 35472278
Change-Id: I22f5b67815fe7d448b5ed847e4e3d65af63bed84
Signed-off-by: Andrew Chant <achant@google.com>
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 271baca849983ef309e82a4e5953027790f36154
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@qti.qualcomm.com>
Place file offset validity checks under mutex for
synaptics_dsx_rmi_dev.c touch driver.
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e1fb1600fc222337989e3084d68df929882deae5
Change-Id: I2c32babbccb483547204cb2843973abf97e988a5
Signed-off-by: Andrew Chant <achant@google.com>
[srkupp@codeaurora.org: This change is a fix for buggy
code pointed out by sil after merging the above commit.]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Signed-off-by: Niranjan Reddy Dumbala <ndumba@codeaurora.org>
Remove data pointer from the driver structure which is obtained
from user-space. Exclude it from driver structure and move it
outside as another global data pointer.
The definition of CMD_HEAD_LENGTH is meant to exclude the
last member (*data) from the copy from userspace. This change
is meant to keep the definition of CMD_HEAD_LENGTH simple,
and handle the data separately.
Change-Id: I62f14c744e5c331718b6d84f67a4e89b511c9f44
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
The aiptek driver crashes in aiptek_probe() when a specially crafted USB
device without endpoints is detected. This fix adds a check that the device
has the proper configuration expected by the driver. Also an error return value
is changed to a more matching one in one of the error paths.
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Remove the sysfs entrypoints to fw_update of synaptics driver.
BUG: 32769717
Change-Id: I710cb37a8b5382dce7aa6a1d8748be5853a18a7a
Git-commit: 2615c5f302441568e6dd20007bc5246d72837e80
Git-repo: https://android.googlesource.com/kernel/msm.git
Signed-off-by: Andrew Chant <achant@google.com>
[shjain@codeaurora.org: picked those lines that are applying
cleanly to the driver. Some of the lines as per googlesource.com
git commit are not applying cleanly.]
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Fix memory corruption in Goodix touchscreen driver, by resetting
the global structure cmd_head to zero (except *data and wr flag)
in goodix_tool_write handler on error case.
Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
Signed-off-by: Vevek Venkatesan <vevekv@codeaurora.org>
Remove msg21xx mstar touch driver from the kernel code
as it has never been used in any of the recent platforms.
Change-Id: I0ac1f93d9736c402732b6c4a8d22b1bf3500e4c4
Signed-off-by: Vevek Venkatesan <vevekv@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Signed-off-by: Yasir Malik <ymalik@codeaurora.org>