Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) (5d40d95e) · Commits · 戴 / test

Currently, rmi_f11_attention() and rmi_f12_attention() functions update the attn_data data pointer and size based on the size of the expected size of the attention data. However, if the actual valid data in the attn buffer is less then the expected value then the updated data pointer will point to memory beyond the end of the attn buffer. Using the calculated valid_bytes instead will prevent this from happening. Signed-off-by:

Andrew Duggan <aduggan@synaptics.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.com Signed-off-by:

Dmitry Torokhov <dmitry.torokhov@gmail.com>

drivers/input/rmi4/rmi_f11.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1284,8 +1284,8 @@ static irqreturn_t rmi_f11_attention(int irq, void *ctx)
		valid_bytes = f11->sensor.attn_size;
		memcpy(f11->sensor.data_pkt, drvdata->attn_data.data,
		valid_bytes);
		drvdata->attn_data.data += f11->sensor.attn_size;
		drvdata->attn_data.size -= f11->sensor.attn_size;
		drvdata->attn_data.data += valid_bytes;
		drvdata->attn_data.size -= valid_bytes;
		} else {
		error = rmi_read_block(rmi_dev,
		data_base_addr, f11->sensor.data_pkt,

drivers/input/rmi4/rmi_f12.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -212,8 +212,8 @@ static irqreturn_t rmi_f12_attention(int irq, void *ctx)
		valid_bytes = sensor->attn_size;
		memcpy(sensor->data_pkt, drvdata->attn_data.data,
		valid_bytes);
		drvdata->attn_data.data += sensor->attn_size;
		drvdata->attn_data.size -= sensor->attn_size;
		drvdata->attn_data.data += valid_bytes;
		drvdata->attn_data.size -= valid_bytes;
		} else {
		retval = rmi_read_block(rmi_dev, f12->data_addr,
		sensor->data_pkt, sensor->pkt_size);

Admin message