2013-05-10 13:38:39

by Ferruh Yigit

Subject: [PATCH 1/2] Input: cyttsp - fix memcpy size param

memcpy param is wrong because of offset in bl_cmd, this may corrupt the
stack which may cause a crash.

Tested-by: Ferruh Yigit <[email protected]> on TMA300-DVK
Signed-off-by: Ferruh Yigit <[email protected]>
---
drivers/input/touchscreen/cyttsp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
index 8e60437..97ba891 100644
--- a/drivers/input/touchscreen/cyttsp_core.c
+++ b/drivers/input/touchscreen/cyttsp_core.c
@@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
memcpy(bl_cmd, bl_command, sizeof(bl_command));
if (ts->pdata->bl_keys)
memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
- ts->pdata->bl_keys, sizeof(bl_command));
+ ts->pdata->bl_keys, CY_NUM_BL_KEYS);

error = ttsp_write_block_data(ts, CY_REG_BASE,
sizeof(bl_cmd), bl_cmd);
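
Review bot: The corrected length on the second memcpy, CY_NUM_BL_KEYS, still depends on ts->pdata->bl_keys pointing at CY_NUM_BL_KEYS bytes or more, and the only check visible here is that the pointer is non-NULL. The old length was wrong on both sides: it wrote sizeof(bl_command) bytes starting CY_NUM_BL_KEYS before the end of the copied command, and it read the same number of bytes from bl_keys. Please say in the changelog that the source was over-read as well, and document the expected key length where bl_keys is declared. The destination index is computed from sizeof(bl_command) while the write below uses sizeof(bl_cmd); using one of the two consistently would make the bound easier to audit.
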
--
1.7.9.5

This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.


2013-05-10 13:38:22

by Ferruh Yigit

Subject: [PATCH 2/2] Input: cyttsp - add missing handshake

For the devices that have blocking with timeout communication, these
extra handshakes will prevent one timeout delay in startup sequence

Tested-by: Ferruh Yigit <[email protected]> on TMA300-DVK
Signed-off-by: Ferruh Yigit <[email protected]>
---
drivers/input/touchscreen/cyttsp_core.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
index 97ba891..7007f58 100644
--- a/drivers/input/touchscreen/cyttsp_core.c
+++ b/drivers/input/touchscreen/cyttsp_core.c
@@ -116,6 +116,13 @@ static int ttsp_send_command(struct cyttsp *ts, u8 cmd)
return ttsp_write_block_data(ts, CY_REG_BASE, sizeof(cmd), &cmd);
}

+static int _cyttsp_hndshk(struct cyttsp *ts, u8 hst_mode)
+{
+ if (ts->pdata->use_hndshk)
+ return ttsp_send_command(ts, hst_mode ^ CY_HNDSHK_BIT);
+ return 0;
+}
+
static int cyttsp_load_bl_regs(struct cyttsp *ts)
{
memset(&ts->bl_data, 0, sizeof(ts->bl_data));
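
Review bot: The new helper _cyttsp_hndshk() has a leading underscore and an abbreviated name, unlike the neighbouring ttsp_send_command() and cyttsp_load_bl_regs(); a name such as cyttsp_handshake() would match the rest of the file. A one-line comment saying that the handshake is hst_mode with CY_HNDSHK_BIT toggled, and that the helper returns 0 without writing anything when use_hndshk is not set, would save readers from working that out at each call site.
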
@@ -167,6 +174,10 @@ static int cyttsp_set_operational_mode(struct cyttsp *ts)
if (error)
return error;

+ error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
+ if (error)
+ return error;
+
return ts->xy_data.act_dist == CY_ACT_DIST_DFLT ? -EIO : 0;
}
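
Review bot: In cyttsp_set_operational_mode() the handshake is sent before the act_dist check, so the device is acknowledged even when the function then returns -EIO, and a failed handshake write is returned in place of that -EIO. If this ordering is intended, a short comment here, like the "provide flow control handshake" one in cyttsp_irq(), should say why the handshake is needed at this point in startup.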

@@ -188,6 +199,10 @@ static int cyttsp_set_sysinfo_mode(struct cyttsp *ts)
if (error)
return error;

+ error = _cyttsp_hndshk(ts, ts->sysinfo_data.hst_mode);
+ if (error)
+ return error;
+
if (!ts->sysinfo_data.tts_verh && !ts->sysinfo_data.tts_verl)
return -EIO;
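
Review bot: cyttsp_set_sysinfo_mode() passes ts->sysinfo_data.hst_mode to the handshake before the tts_verh/tts_verl check. When both version bytes are zero the function returns -EIO, yet by then a command derived from that same data has already been written to the device. Consider doing the version check first, or state in a comment why the handshake has to precede it.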

@@ -344,12 +359,9 @@ static irqreturn_t cyttsp_irq(int irq, void *handle)
goto out;

/* provide flow control handshake */
- if (ts->pdata->use_hndshk) {
- error = ttsp_send_command(ts,
- ts->xy_data.hst_mode ^ CY_HNDSHK_BIT);
- if (error)
- goto out;
- }
+ error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
+ if (error)
+ goto out;

if (unlikely(ts->state == CY_IDLE_STATE))
goto out;
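
Review bot: The changelog does not mention the cyttsp_irq() conversion in this hunk, which moves an existing handshake onto the helper rather than adding a missing one; behaviour looks unchanged, since the goto out is still taken only when the write fails. Mention the refactor in the commit message, or split it into its own patch so the two new startup handshakes can be reviewed and bisected separately.
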
--
1.7.9.5

2013-05-10 13:56:28

by Javier Martinez Canillas

Subject: Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

Hi Ferruh,

On Fri, May 10, 2013 at 3:32 PM, Ferruh Yigit <[email protected]> wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
>
> Tested-by: Ferruh Yigit <[email protected]> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <[email protected]>

Nice catch, thanks for fixing it

Acked-by: Javier Martinez Canillas <[email protected]>

> ---
> drivers/input/touchscreen/cyttsp_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
> memcpy(bl_cmd, bl_command, sizeof(bl_command));
> if (ts->pdata->bl_keys)
> memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> - ts->pdata->bl_keys, sizeof(bl_command));
> + ts->pdata->bl_keys, CY_NUM_BL_KEYS);
>
> error = ttsp_write_block_data(ts, CY_REG_BASE,
> sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5
>
> This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

In the future can you please drop this footer? There is no point in
stating the above when you send emails to a public mailing list.

Best regards,
Javier

2013-05-10 14:01:14

by Javier Martinez Canillas

Subject: Re: [PATCH 2/2] Input: cyttsp - add missing handshake

On Fri, May 10, 2013 at 3:32 PM, Ferruh Yigit <[email protected]> wrote:
> For the devices that have blocking with timeout communication, these
> extra handshakes will prevent one timeout delay in startup sequence
>
> Tested-by: Ferruh Yigit <[email protected]> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <[email protected]>
> ---
> drivers/input/touchscreen/cyttsp_core.c | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 97ba891..7007f58 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -116,6 +116,13 @@ static int ttsp_send_command(struct cyttsp *ts, u8 cmd)
> return ttsp_write_block_data(ts, CY_REG_BASE, sizeof(cmd), &cmd);
> }
>
> +static int _cyttsp_hndshk(struct cyttsp *ts, u8 hst_mode)
> +{
> + if (ts->pdata->use_hndshk)
> + return ttsp_send_command(ts, hst_mode ^ CY_HNDSHK_BIT);
> + return 0;
> +}
> +
> static int cyttsp_load_bl_regs(struct cyttsp *ts)
> {
> memset(&ts->bl_data, 0, sizeof(ts->bl_data));
> @@ -167,6 +174,10 @@ static int cyttsp_set_operational_mode(struct cyttsp *ts)
> if (error)
> return error;
>
> + error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
> + if (error)
> + return error;
> +
> return ts->xy_data.act_dist == CY_ACT_DIST_DFLT ? -EIO : 0;
> }
>
> @@ -188,6 +199,10 @@ static int cyttsp_set_sysinfo_mode(struct cyttsp *ts)
> if (error)
> return error;
>
> + error = _cyttsp_hndshk(ts, ts->sysinfo_data.hst_mode);
> + if (error)
> + return error;
> +
> if (!ts->sysinfo_data.tts_verh && !ts->sysinfo_data.tts_verl)
> return -EIO;
>
> @@ -344,12 +359,9 @@ static irqreturn_t cyttsp_irq(int irq, void *handle)
> goto out;
>
> /* provide flow control handshake */
> - if (ts->pdata->use_hndshk) {
> - error = ttsp_send_command(ts,
> - ts->xy_data.hst_mode ^ CY_HNDSHK_BIT);
> - if (error)
> - goto out;
> - }
> + error = _cyttsp_hndshk(ts, ts->xy_data.hst_mode);
> + if (error)
> + goto out;
>
> if (unlikely(ts->state == CY_IDLE_STATE))
> goto out;
> --
> 1.7.9.5
>
> This message and any attachments may contain Cypress (or its subsidiaries) confidential information. If it has been received in error, please advise the sender and immediately delete this message.

Acked-by: Javier Martinez Canillas <[email protected]>

2013-06-17 21:39:11

by Djalal Harouni

Subject: Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

(Cc'ed Kees and Greg)

Hi Dmitry,

On Fri, May 10, 2013 at 04:32:48PM +0300, Ferruh Yigit wrote:
> memcpy param is wrong because of offset in bl_cmd, this may corrupt the
> stack which may cause a crash.
>
> Tested-by: Ferruh Yigit <[email protected]> on TMA300-DVK
> Signed-off-by: Ferruh Yigit <[email protected]>
> ---
> drivers/input/touchscreen/cyttsp_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/cyttsp_core.c b/drivers/input/touchscreen/cyttsp_core.c
> index 8e60437..97ba891 100644
> --- a/drivers/input/touchscreen/cyttsp_core.c
> +++ b/drivers/input/touchscreen/cyttsp_core.c
> @@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cyttsp *ts)
> memcpy(bl_cmd, bl_command, sizeof(bl_command));
> if (ts->pdata->bl_keys)
> memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
> - ts->pdata->bl_keys, sizeof(bl_command));
> + ts->pdata->bl_keys, CY_NUM_BL_KEYS);
>
> error = ttsp_write_block_data(ts, CY_REG_BASE,
> sizeof(bl_cmd), bl_cmd);
> --
> 1.7.9.5

I was going to send a patch and found that it was just fixed in today's
next-20130617

Anyway, will this overflow fix go for the next -rc?

Thanks in advance Dmitry!

--
Djalal Harouni
http://opendz.org

2013-06-17 21:45:05

by Greg Kroah-Hartman

Subject: Re: [PATCH 1/2] Input: cyttsp - fix memcpy size param

On Mon, Jun 17, 2013 at 10:38:59PM +0100, Djalal Harouni wrote:
> (Cc'ed Kees and Greg)

Why me?

confused...