Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2024-07-11T10:49:06+00:00 2024-07-11T10:49:06+00:00 Erick Archer erick.archer@outlook.com 2024-04-27T15:05:56+00:00 urn:sha1:c727e46f0cc8bd81788bb29dac9a0a45f2dfa2eb [ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] This is an effort to get rid of all multiplications from allocation functions in order to prevent integer overflows [1][2]. As the "ff" variable is a pointer to "struct ff_device" and this structure ends in a flexible array: struct ff_device { [...] struct file *effect_owners[] __counted_by(max_effects); }; the preferred way in the kernel is to use the struct_size() helper to do the arithmetic instead of the calculation "size + count * size" in the kzalloc() function. The struct_size() helper returns SIZE_MAX on overflow. So, refactor the comparison to take advantage of this. This way, the code is more readable and safer. This code was detected with the help of Coccinelle, and audited and modified manually. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] Link: https://github.com/KSPP/linux/issues/160 [2] Signed-off-by: Erick Archer <erick.archer@outlook.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-09-29T23:25:42+00:00 Christophe JAILLET christophe.jaillet@wanadoo.fr 2022-09-29T19:11:36+00:00 urn:sha1:2d09ac951b7750780ecb3de3ccb642dffd7ef62b Commit 1a59d1b8e05e ("treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156") has left some empty comment blocks. Remove them to save a few lines of code. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Link: https://lore.kernel.org/r/26a2b905b259bfffaf2de5b26f2007b8606970ed.1664478665.git.christophe.jaillet@wanadoo.fr Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2021-12-07T07:24:03+00:00 Charles Keepax ckeepax@opensource.cirrus.com 2021-12-07T07:23:00+00:00 urn:sha1:8c374ef45416281c7172dc29ed438dfb445795f1 When converting a rumble into a periodic effect, for compatibility, the magnitude is effectively calculated using: magnitude = max(strong_rubble / 3 + weak_rubble / 6, 0x7fff); The rumble magnitudes are both u16 and the resulting magnitude is s16. The max is presumably an attempt to limit the result of the calculation to the maximum possible magnitude for the s16 result, and thus should be a min. However in the case of strong = weak = 0xffff, the result of the first part of the calculation is 0x7fff, meaning that the min would be redundant anyway, so simply remove the current max. Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com> Link: https://lore.kernel.org/r/20211130135039.13726-1-ckeepax@opensource.cirrus.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2019-05-30T18:26:35+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-27T06:55:05+00:00 urn:sha1:1a59d1b8e05ea6ab45f7e18897de1ef0e6bc3da6 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 1334 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Richard Fontana <rfontana@redhat.com> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-21T23:31:22+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2017-09-02T00:13:43+00:00 urn:sha1:e8b95728f724797f958912fd9b765a695595d3a6 Normally, when input device supporting force feedback effects is being destroyed, we try to "flush" currently playing effects, so that the physical device does not continue vibrating (or executing other effects). Unfortunately this does not work well for uinput as flushing of the effects deadlocks with the destroy action: - if device is being destroyed because the file descriptor is being closed, then there is noone to even service FF requests; - if device is being destroyed because userspace sent UI_DEV_DESTROY, while theoretically it could be possible to service FF requests, userspace is unlikely to do so (they'd need to make sure FF handling happens on a separate thread) even if kernel solves the issue with FF ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex. To avoid lockups like the one below, let's install a custom input device flush handler, and avoid trying to flush force feedback effects when we destroying the device, and instead rely on uinput to shut off the device properly. NMI watchdog: Watchdog detected hard LOCKUP on cpu 3 ... <<EOE>> [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40 [<ffffffff810e633d>] complete+0x1d/0x50 [<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput] [<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput] [<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput] [<ffffffff815d91ad>] erase_effect+0xad/0xf0 [<ffffffff815d929d>] flush_effects+0x4d/0x90 [<ffffffff815d4cc0>] input_flush_device+0x40/0x60 [<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0 [<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60 [<ffffffff815d74ac>] __input_unregister_device+0xac/0x150 [<ffffffff815d75f7>] input_unregister_device+0x47/0x70 [<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput] [<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput] [<ffffffff811231ab>] ? do_futex+0x12b/0xad0 [<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput] [<ffffffff81241248>] do_vfs_ioctl+0x298/0x480 [<ffffffff81337553>] ? security_file_ioctl+0x43/0x60 [<ffffffff812414a9>] SyS_ioctl+0x79/0x90 [<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71 Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com> Reported-by: Clément VUCHENER <clement.vuchener@gmail.com> Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741 Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-10-16T22:32:16+00:00 Elias Vanderstuyft elias.vds@gmail.com 2015-10-15T00:29:37+00:00 urn:sha1:33b96d934902f96e901b72ac18bbc47afad1ac20 There is an undocumented upper bound for the total number of ff effects: FF_GAIN (= 96). This can be found as follows: - user: write(EV_FF, effect_id, iterations) calls kernel: ff->playback(effect_id, ...): starts effect "effect_id" - user: write(EV_FF, FF_GAIN, gain) calls kernel: ff->set_gain(gain, ...): sets gain A collision occurs when effect_id equals FF_GAIN. According to input_ff_event(), FF_GAIN is the smallest value where a collision occurs. Therefore the greatest safe value for effect_id is FF_GAIN - 1, and thus the total number of effects should never exceed FF_GAIN. Define FF_MAX_EFFECTS as FF_GAIN and check on this limit in ff-core. Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-09-29T23:09:36+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-09-29T23:02:29+00:00 urn:sha1:379d7cfa9bcae3b89299fdcb135ec0e2810e97bc My static checker complains that "value" comes from the user in evdev_do_ioctl() and we check that it's not too large here but we don't check that it's negative. It's harmless because the ->set_gain() and ->set_autocenter() functions truncate it to a valid u16 value, but we may as well fix it just to make the static checker happy. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-07-09T04:50:59+00:00 Anshul Garg aksgarg1989@gmail.com 2015-07-08T23:43:20+00:00 urn:sha1:948cea14487af7d6e8b8007dc24a5361869f410b Use for_each_set_bit to check for set bits in bitmap as it is more efficient than checking individual bits. Signed-off-by: Anshul Garg <aksgarg1989@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-05-20T21:45:42+00:00 Shailendra Verma shailendra.capricorn@gmail.com 2015-05-18T17:45:58+00:00 urn:sha1:4e3e4629e4c6ef755ce246e4d848eaad6eec7080 Signed-off-by: Shailendra Verma <shailendra.capricorn@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-05-08T23:35:58+00:00 Dan Murphy dmurphy@ti.com 2015-05-08T23:01:39+00:00 urn:sha1:8a4dda79a383ed9b09aa3af3ef74941bec2ee042 Fix spelling of magnitude s/manginude/magnitude Signed-off-by: Dan Murphy <dmurphy@ti.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>