[PATCH 1/2] Input: cyttsp - fix memcpy size param

[PATCH 1/2] Input: cyttsp - fix memcpy size param

[Ferruh Yigit]

memcpy param is wrong because of offset in bl_cmd, this may corrupt the
stack which may cause a crash.

Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
Signed-off-by: Ferruh Yigit <fery@cypress.com>
---
 drivers/input/touchscreen/cyttsp_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
index 8e60437..97ba891 100644
--- a/drivers/input/touchscreen/cyttsp_core.c
+++ b/drivers/input/touchscreen/cyttsp_core.c
@@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
        memcpy(bl_cmd, bl_command, sizeof(bl_command));
        if (ts->pdata->bl_keys)
                memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
-                       ts->pdata->bl_keys, sizeof(bl_command));
+                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);

        error = ttsp_write_block_data(ts, CY_REG_BASE,
                                      sizeof(bl_cmd), bl_cmd);
--
1.7.9.5

This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

[PATCH 2/2] Input: cyttsp - add missing handshake

[Ferruh Yigit]

For the devices that has blocking with timeout communication, these
extra handshakes will prevent one timeout delay in startup sequence

Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
Signed-off-by: Ferruh Yigit <fery@cypress.com>
---
 drivers/input/touchscreen/cyttsp_core.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
index 97ba891..7007f58 100644
--- a/drivers/input/touchscreen/cyttsp_core.c
+++ b/drivers/input/touchscreen/cyttsp_core.c
@@ -116,6 +116,13 @@ static int ttsp_send_command(struct cyttsp *ts, u8 cmd)
        return ttsp_write_block_data(ts, CY_REG_BASE, sizeof(cmd), &cmd);
 }

+static int _cyttsp_hndshk(struct cyttsp *ts, u8 hst_mode)
+{
+       if (ts->pdata->use_hndshk)
+               return ttsp_send_command(ts, hst_mode ^ CY_HNDSHK_BIT);
+       return 0;
+}
+
 static int cyttsp_load_bl_regs(struct cyttsp *ts)
 {
        memset(&ts->bl_data, 0, sizeof(ts->bl_data));
@@ -167,6 +174,10 @@ static int cyttsp_set_operational_mode(struct cyttsp *ts)
        if (error)
                return error;

+       error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
+       if (error)
+               return error;
+
        return ts->xy_data.act_dist == CY_ACT_DIST_DFLT ? -EIO : 0;
 }

@@ -188,6 +199,10 @@ static int cyttsp_set_sysinfo_mode(struct cyttsp *ts)
        if (error)
                return error;

+       error = _cyttsp_hndshk(ts, ts->sysinfo_data.hst_mode);
+       if (error)
+               return error;
+
        if (!ts->sysinfo_data.tts_verh && !ts->sysinfo_data.tts_verl)
                return -EIO;

@@ -344,12 +359,9 @@ static irqreturn_t cyttsp_irq(int irq, void *handle)
                goto out;

        /* provide flow control handshake */
-       if (ts->pdata->use_hndshk) {
-               error = ttsp_send_command(ts,
-                               ts->xy_data.hst_mode ^ CY_HNDSHK_BIT);
-               if (error)
-                       goto out;
-       }
+       error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
+       if (error)
+               goto out;

        if (unlikely(ts->state == CY_IDLE_STATE))
                goto out;
--
1.7.9.5

This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

[Javier Martinez Canillas]

Hi Ferruh,

On Fri, May 10, 2013 at 3:32 PM, Ferruh Yigit <fery@cypress.com> wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
>
> Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <fery@cypress.com>

Nice catch, thanks for fixing it

Acked-by: Javier Martinez Canillas <javier@dowhile0.org>

> ---
>  drivers/input/touchscreen/cyttsp_core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
>         memcpy(bl_cmd, bl_command, sizeof(bl_command));
>         if (ts->pdata->bl_keys)
>                 memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> -                       ts->pdata->bl_keys, sizeof(bl_command));
> +                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);
>
>         error = ttsp_write_block_data(ts, CY_REG_BASE,
>                                       sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5
>
> This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

In the future can you please drop this footer? It has no point to
state the above when you send emails to a public mailing list.

Best regards,
Javier

Re: [PATCH 2/2] Input: cyttsp - add missing handshake

[Javier Martinez Canillas]

On Fri, May 10, 2013 at 3:32 PM, Ferruh Yigit <fery@cypress.com> wrote:
> For the devices that has blocking with timeout communication, these
> extra handshakes will prevent one timeout delay in startup sequence
>
> Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <fery@cypress.com>
> ---
>  drivers/input/touchscreen/cyttsp_core.c |   24 ++++++++++++++++++------
>  1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 97ba891..7007f58 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -116,6 +116,13 @@ static int ttsp_send_command(struct cyttsp *ts, u8 cmd)
>         return ttsp_write_block_data(ts, CY_REG_BASE, sizeof(cmd), &cmd);
>  }
>
> +static int _cyttsp_hndshk(struct cyttsp *ts, u8 hst_mode)
> +{
> +       if (ts->pdata->use_hndshk)
> +               return ttsp_send_command(ts, hst_mode ^ CY_HNDSHK_BIT);
> +       return 0;
> +}
> +
>  static int cyttsp_load_bl_regs(struct cyttsp *ts)
>  {
>         memset(&ts->bl_data, 0, sizeof(ts->bl_data));
> @@ -167,6 +174,10 @@ static int cyttsp_set_operational_mode(struct cyttsp *ts)
>         if (error)
>                 return error;
>
> +       error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
> +       if (error)
> +               return error;
> +
>         return ts->xy_data.act_dist == CY_ACT_DIST_DFLT ? -EIO : 0;
>  }
>
> @@ -188,6 +199,10 @@ static int cyttsp_set_sysinfo_mode(struct cyttsp *ts)
>         if (error)
>                 return error;
>
> +       error = _cyttsp_hndshk(ts, ts->sysinfo_data.hst_mode);
> +       if (error)
> +               return error;
> +
>         if (!ts->sysinfo_data.tts_verh && !ts->sysinfo_data.tts_verl)
>                 return -EIO;
>
> @@ -344,12 +359,9 @@ static irqreturn_t cyttsp_irq(int irq, void *handle)
>                 goto out;
>
>         /* provide flow control handshake */
> -       if (ts->pdata->use_hndshk) {
> -               error = ttsp_send_command(ts,
> -                               ts->xy_data.hst_mode ^ CY_HNDSHK_BIT);
> -               if (error)
> -                       goto out;
> -       }
> +       error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
> +       if (error)
> +               goto out;
>
>         if (unlikely(ts->state == CY_IDLE_STATE))
>                 goto out;
> --
> 1.7.9.5
>
> This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

Acked-by: Javier Martinez Canillas <javier@dowhile0.org>

Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

[Djalal Harouni]

(Cc'ed Kees and Greg)

Hi Dmitry,

On Fri, May 10, 2013 at 04:32:48PM +0300, Ferruh Yigit wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
> 
> Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <fery@cypress.com>
> ---
>  drivers/input/touchscreen/cyttsp_core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
>         memcpy(bl_cmd, bl_command, sizeof(bl_command));
>         if (ts->pdata->bl_keys)
>                 memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> -                       ts->pdata->bl_keys, sizeof(bl_command));
> +                       ts->pdata->bl_keys, CY_NUM_BL_KEYS);
> 
>         error = ttsp_write_block_data(ts, CY_REG_BASE,
>                                       sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5
I was going to send a patch and found that it was just fixed in todays
next-20130617

Anyway, will this overflow fix go for the next -rc?

Thanks in advance Dmitry!

-- 
Djalal Harouni
http://opendz.org

Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

[Greg KH]

On Mon, Jun 17, 2013 at 10:38:59PM +0100, Djalal Harouni wrote:
> (Cc'ed Kees and Greg)

Why me?

confused...