[PATCH] Input: tc3589x-keypad - fix keymap size

[PATCH] Input: tc3589x-keypad - fix keymap size

[Rabin Vincent]

The keymap size used by tc3589x is too low, leading to the driver
overwriting other people's memory.  Fix this by making the driver use
the automatically allocated keymap provided by
matrix_keypad_build_keymap() instead of allocating one on its own.

Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com>
---
 drivers/input/keyboard/tc3589x-keypad.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/input/keyboard/tc3589x-keypad.c b/drivers/input/keyboard/tc3589x-keypad.c
index 2fb0d76..208de7c 100644
--- a/drivers/input/keyboard/tc3589x-keypad.c
+++ b/drivers/input/keyboard/tc3589x-keypad.c
@@ -70,8 +70,6 @@
 #define TC3589x_EVT_INT_CLR	0x2
 #define TC3589x_KBD_INT_CLR	0x1
 
-#define TC3589x_KBD_KEYMAP_SIZE     64
-
 /**
  * struct tc_keypad - data structure used by keypad driver
  * @tc3589x:    pointer to tc35893
@@ -88,7 +86,7 @@ struct tc_keypad {
 	const struct tc3589x_keypad_platform_data *board;
 	unsigned int krow;
 	unsigned int kcol;
-	unsigned short keymap[TC3589x_KBD_KEYMAP_SIZE];
+	unsigned short *keymap;
 	bool keypad_stopped;
 };
 
@@ -338,12 +336,14 @@ static int tc3589x_keypad_probe(struct platform_device *pdev)
 
 	error = matrix_keypad_build_keymap(plat->keymap_data, NULL,
 					   TC3589x_MAX_KPROW, TC3589x_MAX_KPCOL,
-					   keypad->keymap, input);
+					   NULL, input);
 	if (error) {
 		dev_err(&pdev->dev, "Failed to build keymap\n");
 		goto err_free_mem;
 	}
 
+	keypad->keymap = input->keycode;
+
 	input_set_capability(input, EV_MSC, MSC_SCAN);
 	if (!plat->no_autorepeat)
 		__set_bit(EV_REP, input->evbit);
-- 
1.8.1.5

Re: [PATCH] Input: tc3589x-keypad - fix keymap size

[Dmitry Torokhov]

On Fri, Mar 08, 2013 at 03:26:43PM +0100, Rabin Vincent wrote:
> The keymap size used by tc3589x is too low, leading to the driver
> overwriting other people's memory.  Fix this by making the driver use
> the automatically allocated keymap provided by
> matrix_keypad_build_keymap() instead of allocating one on its own.
> 
> Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com>

Applied, thank you Rabin.

Do you think you could prepare a patch against stable as older kernels
should have the same issue but matrix_keypad_build_keymap does not
allocate keymap there?

Thanks!

-- 
Dmitry

Re: [PATCH] Input: tc3589x-keypad - fix keymap size

[Rabin Vincent]

2013/3/10 Dmitry Torokhov <dmitry.torokhov@gmail.com>:
> On Fri, Mar 08, 2013 at 03:26:43PM +0100, Rabin Vincent wrote:
>> The keymap size used by tc3589x is too low, leading to the driver
>> overwriting other people's memory.  Fix this by making the driver use
>> the automatically allocated keymap provided by
>> matrix_keypad_build_keymap() instead of allocating one on its own.
>>
>> Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com>
>
> Do you think you could prepare a patch against stable as older kernels
> should have the same issue but matrix_keypad_build_keymap does not
> allocate keymap there?

The memory overwriting problem only exists after 1932811f426fee ("Input:
matrix-keymap - uninline and prepare for device tree support").  Before
that the driver was passing in a row_shift of 3, which, with a max rows
count of 8, fit into the 64 entries of keymap that the driver allocates.

1932811f426fee was introduced in v3.5.

5383116b86d8e87 ("Input: marix-keymap - automatically allocate memory
for keymap") was introduced in v3.8

The only stable kernel from v3.5 to v3.8 which is currently maintained
is v3.8.  So, it looks like this patch can be applied to v3.8 stable,
and no stable specific patches are needed.