[PATCH] Input: synaptics - fix crash when enabling pass-through port

[PATCH] Input: synaptics - fix crash when enabling pass-through port

[Dmitry Torokhov]

When enabling a pass-through port an interrupt might come before psmouse
driver binds to the pass-through port. However synaptics sub-driver
tries to access psmouse instance presumably associated with the
pass-through port to figure out if only 1 byte of response or entire
protocol packet needs to be forwarded to the pass-through port and may
crash if psmouse instance has not been attached to the port yet.

Fix the crash by introducing open() and close() methods for the port and
check if the port is open before trying to access psmouse instance.
Because psmouse calls serio_open() only after attaching psmouse instance
to serio port instance this prevents the potential crash.

Reported-by: Takashi Iwai <tiwai@suse.de>
Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata")
Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
 drivers/input/mouse/synaptics.c | 56 ++++++++++++++++++++++++---------
 drivers/input/mouse/synaptics.h |  1 +
 2 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index 2735f86c23cc..aba57abe6978 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -665,23 +665,50 @@ static void synaptics_pt_stop(struct serio *serio)
 	priv->pt_port = NULL;
 }
 
+static int synaptics_pt_open(struct serio *serio)
+{
+	struct psmouse *parent = psmouse_from_serio(serio->parent);
+	struct synaptics_data *priv = parent->private;
+
+	guard(serio_pause_rx)(parent->ps2dev.serio);
+	priv->pt_port_open = true;
+
+	return 0;
+}
+
+static void synaptics_pt_close(struct serio *serio)
+{
+	struct psmouse *parent = psmouse_from_serio(serio->parent);
+	struct synaptics_data *priv = parent->private;
+
+	guard(serio_pause_rx)(parent->ps2dev.serio);
+	priv->pt_port_open = false;
+}
+
 static int synaptics_is_pt_packet(u8 *buf)
 {
 	return (buf[0] & 0xFC) == 0x84 && (buf[3] & 0xCC) == 0xC4;
 }
 
-static void synaptics_pass_pt_packet(struct serio *ptport, u8 *packet)
+static void synaptics_pass_pt_packet(struct synaptics_data *priv, u8 *packet)
 {
-	struct psmouse *child = psmouse_from_serio(ptport);
+	struct serio *ptport;
 
-	if (child && child->state == PSMOUSE_ACTIVATED) {
-		serio_interrupt(ptport, packet[1], 0);
-		serio_interrupt(ptport, packet[4], 0);
-		serio_interrupt(ptport, packet[5], 0);
-		if (child->pktsize == 4)
-			serio_interrupt(ptport, packet[2], 0);
-	} else {
-		serio_interrupt(ptport, packet[1], 0);
+	ptport = priv->pt_port;
+	if (!ptport)
+		return;
+
+	serio_interrupt(ptport, packet[1], 0);
+
+	if (priv->pt_port_open) {
+		struct psmouse *child = psmouse_from_serio(ptport);
+
+		if (child->state == PSMOUSE_ACTIVATED) {
+			serio_interrupt(ptport, packet[4], 0);
+			serio_interrupt(ptport, packet[5], 0);
+			if (child->pktsize == 4)
+				serio_interrupt(ptport, packet[2], 0);
+		}
 	}
 }
 
@@ -720,6 +747,8 @@ static void synaptics_pt_create(struct psmouse *psmouse)
 	serio->write = synaptics_pt_write;
 	serio->start = synaptics_pt_start;
 	serio->stop = synaptics_pt_stop;
+	serio->open = synaptics_pt_open;
+	serio->close = synaptics_pt_close;
 	serio->parent = psmouse->ps2dev.serio;
 
 	psmouse->pt_activate = synaptics_pt_activate;
@@ -1216,11 +1245,10 @@ static psmouse_ret_t synaptics_process_byte(struct psmouse *psmouse)
 
 		if (SYN_CAP_PASS_THROUGH(priv->info.capabilities) &&
 		    synaptics_is_pt_packet(psmouse->packet)) {
-			if (priv->pt_port)
-				synaptics_pass_pt_packet(priv->pt_port,
-							 psmouse->packet);
-		} else
+			synaptics_pass_pt_packet(priv, psmouse->packet);
+		} else {
 			synaptics_process_packet(psmouse);
+		}
 
 		return PSMOUSE_FULL_PACKET;
 	}
diff --git a/drivers/input/mouse/synaptics.h b/drivers/input/mouse/synaptics.h
index 899aee598632..3853165b6b3a 100644
--- a/drivers/input/mouse/synaptics.h
+++ b/drivers/input/mouse/synaptics.h
@@ -188,6 +188,7 @@ struct synaptics_data {
 	bool disable_gesture;			/* disable gestures */
 
 	struct serio *pt_port;			/* Pass-through serio port */
+	bool pt_port_open;
 
 	/*
 	 * Last received Advanced Gesture Mode (AGM) packet. An AGM packet
-- 
2.48.0.rc2.279.g1de40edade-goog


-- 
Dmitry

Re: [PATCH] Input: synaptics - fix crash when enabling pass-through port

[Takashi Iwai]

On Fri, 17 Jan 2025 18:23:40 +0100,
Dmitry Torokhov wrote:
> 
> When enabling a pass-through port an interrupt might come before psmouse
> driver binds to the pass-through port. However synaptics sub-driver
> tries to access psmouse instance presumably associated with the
> pass-through port to figure out if only 1 byte of response or entire
> protocol packet needs to be forwarded to the pass-through port and may
> crash if psmouse instance has not been attached to the port yet.
> 
> Fix the crash by introducing open() and close() methods for the port and
> check if the port is open before trying to access psmouse instance.
> Because psmouse calls serio_open() only after attaching psmouse instance
> to serio port instance this prevents the potential crash.
> 
> Reported-by: Takashi Iwai <tiwai@suse.de>
> Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata")
> Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> Cc: stable@vger.kernel.org
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Reviewed-by: Takashi Iwai <tiwai@suse.de>


Thanks!

Takashi

Re: [PATCH] Input: synaptics - fix crash when enabling pass-through port

[Takashi Iwai]

On Sat, 18 Jan 2025 09:46:29 +0100,
Takashi Iwai wrote:
> 
> On Fri, 17 Jan 2025 18:23:40 +0100,
> Dmitry Torokhov wrote:
> > 
> > When enabling a pass-through port an interrupt might come before psmouse
> > driver binds to the pass-through port. However synaptics sub-driver
> > tries to access psmouse instance presumably associated with the
> > pass-through port to figure out if only 1 byte of response or entire
> > protocol packet needs to be forwarded to the pass-through port and may
> > crash if psmouse instance has not been attached to the port yet.
> > 
> > Fix the crash by introducing open() and close() methods for the port and
> > check if the port is open before trying to access psmouse instance.
> > Because psmouse calls serio_open() only after attaching psmouse instance
> > to serio port instance this prevents the potential crash.
> > 
> > Reported-by: Takashi Iwai <tiwai@suse.de>
> > Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata")
> > Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> 
> Reviewed-by: Takashi Iwai <tiwai@suse.de>

BTW, backporting this patch to stable kernels wouldn't be trivial; it
needs the recent changes for guard(), too.


Takashi

Re: [PATCH] Input: synaptics - fix crash when enabling pass-through port

[Dmitry Torokhov]

On Sat, Jan 18, 2025 at 10:33:44AM +0100, Takashi Iwai wrote:
> On Sat, 18 Jan 2025 09:46:29 +0100,
> Takashi Iwai wrote:
> > 
> > On Fri, 17 Jan 2025 18:23:40 +0100,
> > Dmitry Torokhov wrote:
> > > 
> > > When enabling a pass-through port an interrupt might come before psmouse
> > > driver binds to the pass-through port. However synaptics sub-driver
> > > tries to access psmouse instance presumably associated with the
> > > pass-through port to figure out if only 1 byte of response or entire
> > > protocol packet needs to be forwarded to the pass-through port and may
> > > crash if psmouse instance has not been attached to the port yet.
> > > 
> > > Fix the crash by introducing open() and close() methods for the port and
> > > check if the port is open before trying to access psmouse instance.
> > > Because psmouse calls serio_open() only after attaching psmouse instance
> > > to serio port instance this prevents the potential crash.
> > > 
> > > Reported-by: Takashi Iwai <tiwai@suse.de>
> > > Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata")
> > > Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> > 
> > Reviewed-by: Takashi Iwai <tiwai@suse.de>

Thank you for the review.

> 
> BTW, backporting this patch to stable kernels wouldn't be trivial; it
> needs the recent changes for guard(), too.

It is as simple as changing it to pairs of
serio_pause_rx()/serio_continue_rx() so pretty trivial.

Thanks.

-- 
Dmitry

Re: [PATCH] Input: synaptics - fix crash when enabling pass-through port

[Takashi Iwai]

On Tue, 21 Jan 2025 06:25:18 +0100,
Dmitry Torokhov wrote:
> 
> On Sat, Jan 18, 2025 at 10:33:44AM +0100, Takashi Iwai wrote:
> > On Sat, 18 Jan 2025 09:46:29 +0100,
> > Takashi Iwai wrote:
> > > 
> > > On Fri, 17 Jan 2025 18:23:40 +0100,
> > > Dmitry Torokhov wrote:
> > > > 
> > > > When enabling a pass-through port an interrupt might come before psmouse
> > > > driver binds to the pass-through port. However synaptics sub-driver
> > > > tries to access psmouse instance presumably associated with the
> > > > pass-through port to figure out if only 1 byte of response or entire
> > > > protocol packet needs to be forwarded to the pass-through port and may
> > > > crash if psmouse instance has not been attached to the port yet.
> > > > 
> > > > Fix the crash by introducing open() and close() methods for the port and
> > > > check if the port is open before trying to access psmouse instance.
> > > > Because psmouse calls serio_open() only after attaching psmouse instance
> > > > to serio port instance this prevents the potential crash.
> > > > 
> > > > Reported-by: Takashi Iwai <tiwai@suse.de>
> > > > Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata")
> > > > Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> > > 
> > > Reviewed-by: Takashi Iwai <tiwai@suse.de>
> 
> Thank you for the review.
> 
> > 
> > BTW, backporting this patch to stable kernels wouldn't be trivial; it
> > needs the recent changes for guard(), too.
> 
> It is as simple as changing it to pairs of
> serio_pause_rx()/serio_continue_rx() so pretty trivial.

Yes, but for applying it to stable kernels, you'd need either modify
the patch itself or pick up the preliminary patches.  It won't be
obvious for stable maintainers unless you explicitly order so.


thanks,

Takashi