1. 29 Nov, 2021 3 commits
    • Input: elantech - fix stack out of bound access in elantech_change_report_id() · 1d72d9f9
      Andrea Righi authored
      The array param[] in elantech_change_report_id() must be at least 3
      bytes, because elantech_read_reg_params() is calling ps2_command() with
      PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but
      it's defined in the stack as an array of 2 bytes, therefore we have a
      potential stack out-of-bounds access here, also confirmed by KASAN:
      
      [    6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0
      [    6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118
      
      [    6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110
      [    6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020
      [    6.512436] Workqueue: events_long serio_handle_event
      [    6.512453] Call Trace:
      [    6.512462]  show_stack+0x52/0x58
      [    6.512474]  dump_stack+0xa1/0xd3
      [    6.512487]  print_address_description.constprop.0+0x1d/0x140
      [    6.512502]  ? __ps2_command+0x372/0x7e0
      [    6.512516]  __kasan_report.cold+0x7d/0x112
      [    6.512527]  ? _raw_write_lock_irq+0x20/0xd0
      [    6.512539]  ? __ps2_command+0x372/0x7e0
      [    6.512552]  kasan_report+0x3c/0x50
      [    6.512564]  __asan_load1+0x6a/0x70
      [    6.512575]  __ps2_command+0x372/0x7e0
      [    6.512589]  ? ps2_drain+0x240/0x240
      [    6.512601]  ? dev_printk_emit+0xa2/0xd3
      [    6.512612]  ? dev_vprintk_emit+0xc5/0xc5
      [    6.512621]  ? __kasan_check_write+0x14/0x20
      [    6.512634]  ? mutex_lock+0x8f/0xe0
      [    6.512643]  ? __mutex_lock_slowpath+0x20/0x20
      [    6.512655]  ps2_command+0x52/0x90
      [    6.512670]  elantech_ps2_command+0x4f/0xc0 [psmouse]
      [    6.512734]  elantech_change_report_id+0x1e6/0x256 [psmouse]
      [    6.512799]  ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]
      [    6.512863]  ? ps2_command+0x7f/0x90
      [    6.512877]  elantech_query_info.cold+0x6bd/0x9ed [psmouse]
      [    6.512943]  ? elantech_setup_ps2+0x460/0x460 [psmouse]
      [    6.513005]  ? psmouse_reset+0x69/0xb0 [psmouse]
      [    6.513064]  ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]
      [    6.513122]  ? phys_pmd_init+0x30e/0x521
      [    6.513137]  elantech_init+0x8a/0x200 [psmouse]
      [    6.513200]  ? elantech_init_ps2+0xf0/0xf0 [psmouse]
      [    6.513249]  ? elantech_query_info+0x440/0x440 [psmouse]
      [    6.513296]  ? synaptics_send_cmd+0x60/0x60 [psmouse]
      [    6.513342]  ? elantech_query_info+0x440/0x440 [psmouse]
      [    6.513388]  ? psmouse_try_protocol+0x11e/0x170 [psmouse]
      [    6.513432]  psmouse_extensions+0x65d/0x6e0 [psmouse]
      [    6.513476]  ? psmouse_try_protocol+0x170/0x170 [psmouse]
      [    6.513519]  ? mutex_unlock+0x22/0x40
      [    6.513526]  ? ps2_command+0x7f/0x90
      [    6.513536]  ? psmouse_probe+0xa3/0xf0 [psmouse]
      [    6.513580]  psmouse_switch_protocol+0x27d/0x2e0 [psmouse]
      [    6.513624]  psmouse_connect+0x272/0x530 [psmouse]
      [    6.513669]  serio_driver_probe+0x55/0x70
      [    6.513679]  really_probe+0x190/0x720
      [    6.513689]  driver_probe_device+0x160/0x1f0
      [    6.513697]  device_driver_attach+0x119/0x130
      [    6.513705]  ? device_driver_attach+0x130/0x130
      [    6.513713]  __driver_attach+0xe7/0x1a0
      [    6.513720]  ? device_driver_attach+0x130/0x130
      [    6.513728]  bus_for_each_dev+0xfb/0x150
      [    6.513738]  ? subsys_dev_iter_exit+0x10/0x10
      [    6.513748]  ? _raw_write_unlock_bh+0x30/0x30
      [    6.513757]  driver_attach+0x2d/0x40
      [    6.513764]  serio_handle_event+0x199/0x3d0
      [    6.513775]  process_one_work+0x471/0x740
      [    6.513785]  worker_thread+0x2d2/0x790
      [    6.513794]  ? process_one_work+0x740/0x740
      [    6.513802]  kthread+0x1b4/0x1e0
      [    6.513809]  ? set_kthread_struct+0x80/0x80
      [    6.513816]  ret_from_fork+0x22/0x30
      
      [    6.513832] The buggy address belongs to the page:
      [    6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7
      [    6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
      [    6.513860] raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
      [    6.513867] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [    6.513872] page dumped because: kasan: bad access detected
      
      [    6.513879] addr ffff8881024d77c2 is located in stack of task kworker/2:1/118 at offset 34 in frame:
      [    6.513887]  elantech_change_report_id+0x0/0x256 [psmouse]
      
      [    6.513941] this frame has 1 object:
      [    6.513947]  [32, 34) 'param'
      
      [    6.513956] Memory state around the buggy address:
      [    6.513962]  ffff8881024d7680: f2 f2 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00
      [    6.513969]  ffff8881024d7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    6.513976] >ffff8881024d7780: 00 00 00 00 f1 f1 f1 f1 02 f3 f3 f3 00 00 00 00
      [    6.513982]                                            ^
      [    6.513988]  ffff8881024d7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    6.513995]  ffff8881024d7880: 00 f1 f1 f1 f1 03 f2 03 f2 03 f3 f3 f3 00 00 00
      [    6.514000] ==================================================================
      
      Define param[] in elantech_change_report_id() as an array of 3 bytes to
      prevent the out-of-bounds access in the stack.
      
      Fixes: e4c90627 ("Input: elantech - fix protocol errors for some trackpoints in SMBus mode")
      BugLink: https://bugs.launchpad.net/bugs/1945590
      Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
      Reviewed-by: Wolfram Sang <wsa@kernel.org>
      Link: https://lore.kernel.org/r/20211116095559.24395-1-andrea.righi@canonical.com
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
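The sizing rule behind the elantech fix above, as an added example that is not part of the commit or the kernel source: the PS/2 command word itself encodes how many bytes of param[] the core will touch, and the KASAN frame line tells you which index was hit. The value 0x03e9 and the bit layout follow the mainline psmouse.h and libps2.c rather than this page; ps2_param_fits() and kasan_param_index() are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: value as defined in mainline psmouse.h (not shown on the page). */
#define PSMOUSE_CMD_GETINFO 0x03e9

/* Assumption: libps2 packs the byte counts into the command word,
 * bits 12-15 = parameter bytes sent, bits 8-11 = response bytes received. */
static unsigned int ps2_send_len(unsigned int cmd)    { return (cmd >> 12) & 0xf; }
static unsigned int ps2_receive_len(unsigned int cmd) { return (cmd >> 8) & 0xf; }

/* Smallest param[] a caller may pass: the core indexes param[0..n-1]
 * where n is the larger of the send and receive counts. */
static size_t ps2_param_bytes_needed(unsigned int cmd)
{
    unsigned int s = ps2_send_len(cmd), r = ps2_receive_len(cmd);
    return s > r ? s : r;
}

/* Hypothetical caller-side check: 0 if the buffer is big enough, -1 if not. */
static int ps2_param_fits(unsigned int cmd, size_t param_len)
{
    return param_len >= ps2_param_bytes_needed(cmd) ? 0 : -1;
}

/* Triage helper for the KASAN lines "offset N in frame" and "[lo, hi) 'param'":
 * converts the frame offset of the bad access into an index into the object. */
static long kasan_param_index(long obj_lo, long access_off)
{
    return access_off - obj_lo;
}

int main(void)
{
    /* Before the fix param[] was 2 bytes, after it 3 bytes. */
    printf("GETINFO needs %zu bytes\n", ps2_param_bytes_needed(PSMOUSE_CMD_GETINFO));
    printf("param[2] fits: %d\n", ps2_param_fits(PSMOUSE_CMD_GETINFO, 2));
    printf("param[3] fits: %d\n", ps2_param_fits(PSMOUSE_CMD_GETINFO, 3));
    /* Values from the report above: object [32, 34), access at offset 34. */
    printf("KASAN hit param[%ld]\n", kasan_param_index(32, 34));
    return 0;
}
```

The computed index 2 is the first byte past a 2-byte array, which matches the "Read of size 1" in the report and the 3-byte requirement stated in the commit message.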
    • Input: iqs626a - prohibit inlining of channel parsing functions · e1f5e848
      Jeff LaBundy authored
      Some automated builds report a stack frame size in excess of 2 kB for
      iqs626_probe(); the culprit appears to be the call to iqs626_parse_prop().
      
      To solve this problem, specify noinline_for_stack for all of the
      iqs626_parse_*() helper functions which are called inside a for loop
      within iqs626_parse_prop().
      
      As a result, a build with '-Wframe-larger-than' as low as 512 is free of
      any such warnings.

      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Jeff LaBundy <jeff@labundy.com>
      Link: https://lore.kernel.org/r/20211129004104.453930-1-jeff@labundy.com
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    • Input: i8042 - add deferred probe support · 9222ba68
      Takashi Iwai authored
      We've got a bug report about the non-working keyboard on ASUS ZenBook
      UX425UA.  It seems that the PS/2 device isn't ready immediately at
      boot but takes some seconds to get ready.  Until now, the only
      workaround is to defer the probe, but it's available only when the
      driver is a module.  However, many distros, including openSUSE as in
      the original report, build the PS/2 input drivers into kernel, hence
      it won't work easily.
      
      This patch adds the support for the deferred probe for i8042 stuff as
      a workaround of the problem above.  When the deferred probe mode is
      enabled and the device couldn't be probed, it'll be repeated with the
      standard deferred probe mechanism.
      
      The deferred probe mode is enabled either via the new option
      i8042.probe_defer or via the quirk table entry.  As of this patch, the
      quirk table contains only ASUS ZenBook UX425UA.
      
      The deferred probe part is based on Fabio's initial work.
      
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1190256
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Tested-by: Samuel Čavoj <samuel@cavoj.net>
      Link: https://lore.kernel.org/r/20211117063757.11380-1-tiwai@suse.de
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
  2. 12 Nov, 2021 1 commit
  3. 10 Nov, 2021 6 commits
  4. 06 Nov, 2021 1 commit
  5. 05 Nov, 2021 1 commit
  6. 03 Nov, 2021 1 commit
  7. 02 Nov, 2021 1 commit
  8. 17 Oct, 2021 7 commits
  9. 16 Oct, 2021 15 commits
  10. 13 Oct, 2021 2 commits
  11. 12 Oct, 2021 2 commits