From: Hans de Goede <hdegoede@redhat.com>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Hans de Goede <hdegoede@redhat.com>,
Bastien Nocera <hadess@hadess.net>,
linux-input@vger.kernel.org
Subject: [PATCH v2 4/5] Input: goodix - Fix race on driver unbind
Date: Mon, 31 Jan 2022 15:35:38 +0100 [thread overview]
Message-ID: <20220131143539.109142-4-hdegoede@redhat.com> (raw)
In-Reply-To: <20220131143539.109142-1-hdegoede@redhat.com>
Because there is no way to detect if the touchscreen has pen support,
the driver is allocating and registering the input_pen input_dev on
receiving the first pen event.
But this means that the input_dev gets allocated after the request_irq()
call which means that the devm framework will free it before disabling
the irq, leaving a window where the irq handler may run and reference the
free-ed input_dev.
To fix this move the allocation of the input_pen input_dev to before
the request_irq() call, while still only registering it on the first pen
event so that the driver does not advertise pen capability on touchscreens
without it (most goodix touchscreens do not have pen support).
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
Changes in v2:
- Only try input_register_device(ts->input_pen) once
- Bail early if input_register_device(ts->input_pen) failed
---
drivers/input/touchscreen/goodix.c | 35 +++++++++++++++++++-----------
drivers/input/touchscreen/goodix.h | 1 +
2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c
index 04baf5a770f5..b055815611de 100644
--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -297,14 +297,14 @@ static int goodix_ts_read_input_report(struct goodix_ts_data *ts, u8 *data)
return -ENOMSG;
}
-static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts)
+static int goodix_create_pen_input(struct goodix_ts_data *ts)
{
struct device *dev = &ts->client->dev;
struct input_dev *input;
input = devm_input_allocate_device(dev);
if (!input)
- return NULL;
+ return -ENOMEM;
input_copy_abs(input, ABS_X, ts->input_dev, ABS_MT_POSITION_X);
input_copy_abs(input, ABS_Y, ts->input_dev, ABS_MT_POSITION_Y);
@@ -331,25 +331,23 @@ static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts)
input->id.product = 0x1001;
input->id.version = ts->version;
- if (input_register_device(input) != 0) {
- input_free_device(input);
- return NULL;
- }
-
- return input;
+ ts->input_pen = input;
+ return 0;
}
static void goodix_ts_report_pen_down(struct goodix_ts_data *ts, u8 *data)
{
- int input_x, input_y, input_w;
+ int input_x, input_y, input_w, error;
u8 key_value;
- if (!ts->input_pen) {
- ts->input_pen = goodix_create_pen_input(ts);
- if (!ts->input_pen)
- return;
+ if (!ts->pen_input_registered) {
+ error = input_register_device(ts->input_pen);
+ ts->pen_input_registered = (error == 0) ? 1 : error;
}
+ if (ts->pen_input_registered < 0)
+ return;
+
if (ts->contact_size == 9) {
input_x = get_unaligned_le16(&data[4]);
input_y = get_unaligned_le16(&data[6]);
@@ -1207,6 +1205,17 @@ static int goodix_configure_dev(struct goodix_ts_data *ts)
return error;
}
+ /*
+ * Create the input_pen device before goodix_request_irq() calls
+ * devm_request_threaded_irq() so that the devm framework frees
+ * it after disabling the irq.
+ * Unfortunately there is no way to detect if the touchscreen has pen
+ * support, so registering the dev is delayed till the first pen event.
+ */
+ error = goodix_create_pen_input(ts);
+ if (error)
+ return error;
+
ts->irq_flags = goodix_irq_flags[ts->int_trigger_type] | IRQF_ONESHOT;
error = goodix_request_irq(ts);
if (error) {
diff --git a/drivers/input/touchscreen/goodix.h b/drivers/input/touchscreen/goodix.h
index fa8602e78a64..87797cc88b32 100644
--- a/drivers/input/touchscreen/goodix.h
+++ b/drivers/input/touchscreen/goodix.h
@@ -94,6 +94,7 @@ struct goodix_ts_data {
u16 version;
bool reset_controller_at_probe;
bool load_cfg_from_disk;
+ int pen_input_registered;
struct completion firmware_loading_complete;
unsigned long irq_flags;
enum goodix_irq_pin_access_method irq_pin_access_method;
--
2.33.1
next prev parent reply other threads:[~2022-01-31 14:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 14:35 [PATCH v2 1/5] Input: Set EV_ABS in dev->evbit even if input_alloc_absinfo() fails Hans de Goede
2022-01-31 14:35 ` [PATCH v2 2/5] Input: Add input_copy_abs() function Hans de Goede
2022-03-01 7:03 ` Dmitry Torokhov
2022-01-31 14:35 ` [PATCH v2 3/5] Input: goodix - Use input_copy_abs() helper Hans de Goede
2022-03-01 7:04 ` Dmitry Torokhov
2022-01-31 14:35 ` Hans de Goede [this message]
2022-03-01 7:04 ` [PATCH v2 4/5] Input: goodix - Fix race on driver unbind Dmitry Torokhov
2022-01-31 14:35 ` [PATCH v2 5/5] Input: goodix - Use the new soc_intel_is_byt() helper Hans de Goede
2022-03-01 7:01 ` Dmitry Torokhov
2022-03-01 7:03 ` [PATCH v2 1/5] Input: Set EV_ABS in dev->evbit even if input_alloc_absinfo() fails Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220131143539.109142-4-hdegoede@redhat.com \
--to=hdegoede@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=hadess@hadess.net \
--cc=linux-input@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).