kernel/linux.git/drivers/input/rmi4, branch v6.1.124

Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

2024-10-17T13:22:12+00:00

commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich Signed-off-by: Mathias Krause Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov Signed-off-by: Tzung-Bi Shih Signed-off-by: Sasha Levin

Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails

2024-04-13T11:05:04+00:00

[ Upstream commit bc4996184d56cfaf56d3811ac2680c8a0e2af56e ] While input core can work with input->phys set to NULL userspace might depend on it, so better fail probing if allocation fails. The system must be in a pretty bad shape for it to happen anyway. Signed-off-by: Kunwu Chan Link: https://lore.kernel.org/r/20240117073124.143636-1-chentao@kylinos.cn Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

2023-11-20T10:52:15+00:00

[ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ] The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin

Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport

2023-11-08T13:10:58+00:00

[ Upstream commit 5030b2fe6aab37fe42d14f31842ea38be7c55c57 ] Touch controllers need some time after receiving reset command for the firmware to finish re-initializing and be ready to respond to commands from the host. The driver already had handling for the post-reset delay for I2C and SPI transports, this change adds the handling to SMBus-connected devices. SMBus devices are peculiar because they implement legacy PS/2 compatibility mode, so reset is actually issued by psmouse driver on the associated serio port, after which the control is passed to the RMI4 driver with SMBus companion device. Note that originally the delay was added to psmouse driver in 92e24e0e57f7 ("Input: psmouse - add delay when deactivating for SMBus mode"), but that resulted in an unwanted delay in "fast" reconnect handler for the serio port, so it was decided to revert the patch and have the delay being handled in the RMI4 driver, similar to the other transports. Tested-by: Jeffery Miller Link: https://lore.kernel.org/r/ZR1yUFJ8a9Zt606N@penguin Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin

Input: synaptics-rmi4 - convert to use sysfs_emit() APIs

2022-09-27T16:00:41+00:00

Follow the advice of the Documentation/filesystems/sysfs.rst and show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. Reported-by: Zeal Robot Signed-off-by: zhang songyi Link: https://lore.kernel.org/r/20220927070936.258300-1-zhang.songyi@zte.com.cn Signed-off-by: Dmitry Torokhov

Input: synaptics-rmi4 - drop useless gotos in rmi_f34v7_do_reflash()

2022-09-23T20:00:14+00:00

Returning directly makes the code clearer. Signed-off-by: Matthias Schiffer Reviewed-by: Lyude Paul Link: https://lore.kernel.org/r/20220608124808.51402-10-matthias.schiffer@ew.tq-group.com Signed-off-by: Dmitry Torokhov

Input: synaptics-rmi4 - simplify rmi_f34v7_start_reflash()

2022-09-23T20:00:13+00:00

rmi_f34v7_enter_flash_prog() already enables IRQs and checks the flash status - there's no need for rmi_f34v7_start_reflash() to do the same just before calling rmi_f34v7_enter_flash_prog(). Signed-off-by: Matthias Schiffer Reviewed-by: Lyude Paul Link: https://lore.kernel.org/r/20220608124808.51402-9-matthias.schiffer@ew.tq-group.com Signed-off-by: Dmitry Torokhov

Input: synaptics-rmi4 - remove unneeded struct register_offset

2022-09-23T20:00:13+00:00

All register offsets are fixed, and a number of places even read or write multiple registers as a block, so there is no way to support reordering them without move involved changes. Remove the unneeded level of indirection in the register access. Signed-off-by: Matthias Schiffer Reviewed-by: Lyude Paul Link: https://lore.kernel.org/r/20220608124808.51402-8-matthias.schiffer@ew.tq-group.com Signed-off-by: Dmitry Torokhov

Input: synaptics-rmi4 - make rmi_f34v7_erase_all() use the "erase all" command

2022-09-23T20:00:13+00:00

A full erase is required to recover from error conditions like "Bad Partition Table". Various individual partition erase commands can be (and need to be) omitted, as they will fail until a new partition table has been written. Signed-off-by: Matthias Schiffer Reviewed-by: Lyude Paul Link: https://lore.kernel.org/r/20220608124808.51402-7-matthias.schiffer@ew.tq-group.com Signed-off-by: Dmitry Torokhov

Input: synaptics-rmi4 - reset after writing partition table

2022-09-23T20:00:13+00:00

When recovering from a bad partition table (for example after an interrupted update), a reset is necessary for the new partition table to become effective. Without this reset, writing the core code partition will fail with status 0x03 (Invalid Command). Signed-off-by: Matthias Schiffer Reviewed-by: Lyude Paul Link: https://lore.kernel.org/r/20220608124808.51402-6-matthias.schiffer@ew.tq-group.com Signed-off-by: Dmitry Torokhov