Commit 5d40d95e authored by Andrew Duggan's avatar Andrew Duggan Committed by Dmitry Torokhov

Input: synaptics-rmi4 - do not consume more data than we have (F11, F12)

Currently, rmi_f11_attention() and rmi_f12_attention() functions update
the attn_data data pointer and size based on the size of the expected
size of the attention data. However, if the actual valid data in the
attn buffer is less then the expected value then the updated data
pointer will point to memory beyond the end of the attn buffer. Using
the calculated valid_bytes instead will prevent this from happening.
Signed-off-by: default avatarAndrew Duggan <aduggan@synaptics.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.comSigned-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent f6aabe1f
...@@ -1284,8 +1284,8 @@ static irqreturn_t rmi_f11_attention(int irq, void *ctx) ...@@ -1284,8 +1284,8 @@ static irqreturn_t rmi_f11_attention(int irq, void *ctx)
valid_bytes = f11->sensor.attn_size; valid_bytes = f11->sensor.attn_size;
memcpy(f11->sensor.data_pkt, drvdata->attn_data.data, memcpy(f11->sensor.data_pkt, drvdata->attn_data.data,
valid_bytes); valid_bytes);
drvdata->attn_data.data += f11->sensor.attn_size; drvdata->attn_data.data += valid_bytes;
drvdata->attn_data.size -= f11->sensor.attn_size; drvdata->attn_data.size -= valid_bytes;
} else { } else {
error = rmi_read_block(rmi_dev, error = rmi_read_block(rmi_dev,
data_base_addr, f11->sensor.data_pkt, data_base_addr, f11->sensor.data_pkt,
......
...@@ -212,8 +212,8 @@ static irqreturn_t rmi_f12_attention(int irq, void *ctx) ...@@ -212,8 +212,8 @@ static irqreturn_t rmi_f12_attention(int irq, void *ctx)
valid_bytes = sensor->attn_size; valid_bytes = sensor->attn_size;
memcpy(sensor->data_pkt, drvdata->attn_data.data, memcpy(sensor->data_pkt, drvdata->attn_data.data,
valid_bytes); valid_bytes);
drvdata->attn_data.data += sensor->attn_size; drvdata->attn_data.data += valid_bytes;
drvdata->attn_data.size -= sensor->attn_size; drvdata->attn_data.size -= valid_bytes;
} else { } else {
retval = rmi_read_block(rmi_dev, f12->data_addr, retval = rmi_read_block(rmi_dev, f12->data_addr,
sensor->data_pkt, sensor->pkt_size); sensor->data_pkt, sensor->pkt_size);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment