Commit 6d0dbeae authored by Andrew Duggan's avatar Andrew Duggan Committed by Dmitry Torokhov

Input: synaptics-rmi4 - handle incomplete input data

Commit 5b65c2a0 ("HID: rmi: check sanity of the incoming report") added
support for handling incomplete HID reports do to the input data being
corrupted in transit. This patch reimplements this functionality in the
function drivers so they can handle getting less valid data then they
expect.
Signed-off-by: default avatarAndrew Duggan <aduggan@synaptics.com>
Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent 3aeed5b5
...@@ -572,31 +572,48 @@ static inline u8 rmi_f11_parse_finger_state(const u8 *f_state, u8 n_finger) ...@@ -572,31 +572,48 @@ static inline u8 rmi_f11_parse_finger_state(const u8 *f_state, u8 n_finger)
static void rmi_f11_finger_handler(struct f11_data *f11, static void rmi_f11_finger_handler(struct f11_data *f11,
struct rmi_2d_sensor *sensor, struct rmi_2d_sensor *sensor,
unsigned long *irq_bits, int num_irq_regs) unsigned long *irq_bits, int num_irq_regs,
int size)
{ {
const u8 *f_state = f11->data.f_state; const u8 *f_state = f11->data.f_state;
u8 finger_state; u8 finger_state;
u8 i; u8 i;
int abs_fingers;
int rel_fingers;
int abs_size = sensor->nbr_fingers * RMI_F11_ABS_BYTES;
int abs_bits = bitmap_and(f11->result_bits, irq_bits, f11->abs_mask, int abs_bits = bitmap_and(f11->result_bits, irq_bits, f11->abs_mask,
num_irq_regs * 8); num_irq_regs * 8);
int rel_bits = bitmap_and(f11->result_bits, irq_bits, f11->rel_mask, int rel_bits = bitmap_and(f11->result_bits, irq_bits, f11->rel_mask,
num_irq_regs * 8); num_irq_regs * 8);
for (i = 0; i < sensor->nbr_fingers; i++) { if (abs_bits) {
/* Possible of having 4 fingers per f_statet register */ if (abs_size > size)
finger_state = rmi_f11_parse_finger_state(f_state, i); abs_fingers = size / RMI_F11_ABS_BYTES;
if (finger_state == F11_RESERVED) { else
pr_err("Invalid finger state[%d]: 0x%02x", i, abs_fingers = sensor->nbr_fingers;
finger_state);
continue; for (i = 0; i < abs_fingers; i++) {
} /* Possible of having 4 fingers per f_state register */
finger_state = rmi_f11_parse_finger_state(f_state, i);
if (finger_state == F11_RESERVED) {
pr_err("Invalid finger state[%d]: 0x%02x", i,
finger_state);
continue;
}
if (abs_bits)
rmi_f11_abs_pos_process(f11, sensor, &sensor->objs[i], rmi_f11_abs_pos_process(f11, sensor, &sensor->objs[i],
finger_state, i); finger_state, i);
}
}
if (rel_bits) {
if ((abs_size + sensor->nbr_fingers * RMI_F11_REL_BYTES) > size)
rel_fingers = (size - abs_size) / RMI_F11_REL_BYTES;
else
rel_fingers = sensor->nbr_fingers;
if (rel_bits) for (i = 0; i < rel_fingers; i++)
rmi_f11_rel_pos_report(f11, i); rmi_f11_rel_pos_report(f11, i);
} }
...@@ -612,7 +629,7 @@ static void rmi_f11_finger_handler(struct f11_data *f11, ...@@ -612,7 +629,7 @@ static void rmi_f11_finger_handler(struct f11_data *f11,
sensor->nbr_fingers, sensor->nbr_fingers,
sensor->dmax); sensor->dmax);
for (i = 0; i < sensor->nbr_fingers; i++) { for (i = 0; i < abs_fingers; i++) {
finger_state = rmi_f11_parse_finger_state(f_state, i); finger_state = rmi_f11_parse_finger_state(f_state, i);
if (finger_state == F11_RESERVED) if (finger_state == F11_RESERVED)
/* no need to send twice the error */ /* no need to send twice the error */
...@@ -1242,10 +1259,19 @@ static int rmi_f11_attention(struct rmi_function *fn, unsigned long *irq_bits) ...@@ -1242,10 +1259,19 @@ static int rmi_f11_attention(struct rmi_function *fn, unsigned long *irq_bits)
struct f11_data *f11 = dev_get_drvdata(&fn->dev); struct f11_data *f11 = dev_get_drvdata(&fn->dev);
u16 data_base_addr = fn->fd.data_base_addr; u16 data_base_addr = fn->fd.data_base_addr;
int error; int error;
int valid_bytes = f11->sensor.pkt_size;
if (rmi_dev->xport->attn_data) { if (rmi_dev->xport->attn_data) {
/*
* The valid data in the attention report is less then
* expected. Only process the complete fingers.
*/
if (f11->sensor.attn_size > rmi_dev->xport->attn_size)
valid_bytes = rmi_dev->xport->attn_size;
else
valid_bytes = f11->sensor.attn_size;
memcpy(f11->sensor.data_pkt, rmi_dev->xport->attn_data, memcpy(f11->sensor.data_pkt, rmi_dev->xport->attn_data,
f11->sensor.attn_size); valid_bytes);
rmi_dev->xport->attn_data += f11->sensor.attn_size; rmi_dev->xport->attn_data += f11->sensor.attn_size;
rmi_dev->xport->attn_size -= f11->sensor.attn_size; rmi_dev->xport->attn_size -= f11->sensor.attn_size;
} else { } else {
...@@ -1257,7 +1283,7 @@ static int rmi_f11_attention(struct rmi_function *fn, unsigned long *irq_bits) ...@@ -1257,7 +1283,7 @@ static int rmi_f11_attention(struct rmi_function *fn, unsigned long *irq_bits)
} }
rmi_f11_finger_handler(f11, &f11->sensor, irq_bits, rmi_f11_finger_handler(f11, &f11->sensor, irq_bits,
drvdata->num_of_irq_regs); drvdata->num_of_irq_regs, valid_bytes);
return 0; return 0;
} }
......
...@@ -26,6 +26,8 @@ enum rmi_f12_object_type { ...@@ -26,6 +26,8 @@ enum rmi_f12_object_type {
RMI_F12_OBJECT_SMALL_OBJECT = 0x0D, RMI_F12_OBJECT_SMALL_OBJECT = 0x0D,
}; };
#define F12_DATA1_BYTES_PER_OBJ 8
struct f12_data { struct f12_data {
struct rmi_2d_sensor sensor; struct rmi_2d_sensor sensor;
struct rmi_2d_sensor_platform_data sensor_pdata; struct rmi_2d_sensor_platform_data sensor_pdata;
...@@ -146,12 +148,16 @@ static int rmi_f12_read_sensor_tuning(struct f12_data *f12) ...@@ -146,12 +148,16 @@ static int rmi_f12_read_sensor_tuning(struct f12_data *f12)
return 0; return 0;
} }
static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1) static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1, int size)
{ {
int i; int i;
struct rmi_2d_sensor *sensor = &f12->sensor; struct rmi_2d_sensor *sensor = &f12->sensor;
int objects = f12->data1->num_subpackets;
if ((f12->data1->num_subpackets * F12_DATA1_BYTES_PER_OBJ) > size)
objects = size / F12_DATA1_BYTES_PER_OBJ;
for (i = 0; i < f12->data1->num_subpackets; i++) { for (i = 0; i < objects; i++) {
struct rmi_2d_sensor_abs_object *obj = &sensor->objs[i]; struct rmi_2d_sensor_abs_object *obj = &sensor->objs[i];
obj->type = RMI_2D_OBJECT_NONE; obj->type = RMI_2D_OBJECT_NONE;
...@@ -182,7 +188,7 @@ static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1) ...@@ -182,7 +188,7 @@ static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1)
rmi_2d_sensor_abs_process(sensor, obj, i); rmi_2d_sensor_abs_process(sensor, obj, i);
data1 += 8; data1 += F12_DATA1_BYTES_PER_OBJ;
} }
if (sensor->kernel_tracking) if (sensor->kernel_tracking)
...@@ -192,7 +198,7 @@ static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1) ...@@ -192,7 +198,7 @@ static void rmi_f12_process_objects(struct f12_data *f12, u8 *data1)
sensor->nbr_fingers, sensor->nbr_fingers,
sensor->dmax); sensor->dmax);
for (i = 0; i < sensor->nbr_fingers; i++) for (i = 0; i < objects; i++)
rmi_2d_sensor_abs_report(sensor, &sensor->objs[i], i); rmi_2d_sensor_abs_report(sensor, &sensor->objs[i], i);
} }
...@@ -203,10 +209,15 @@ static int rmi_f12_attention(struct rmi_function *fn, ...@@ -203,10 +209,15 @@ static int rmi_f12_attention(struct rmi_function *fn,
struct rmi_device *rmi_dev = fn->rmi_dev; struct rmi_device *rmi_dev = fn->rmi_dev;
struct f12_data *f12 = dev_get_drvdata(&fn->dev); struct f12_data *f12 = dev_get_drvdata(&fn->dev);
struct rmi_2d_sensor *sensor = &f12->sensor; struct rmi_2d_sensor *sensor = &f12->sensor;
int valid_bytes = sensor->pkt_size;
if (rmi_dev->xport->attn_data) { if (rmi_dev->xport->attn_data) {
if (sensor->attn_size > rmi_dev->xport->attn_size)
valid_bytes = rmi_dev->xport->attn_size;
else
valid_bytes = sensor->attn_size;
memcpy(sensor->data_pkt, rmi_dev->xport->attn_data, memcpy(sensor->data_pkt, rmi_dev->xport->attn_data,
sensor->attn_size); valid_bytes);
rmi_dev->xport->attn_data += sensor->attn_size; rmi_dev->xport->attn_data += sensor->attn_size;
rmi_dev->xport->attn_size -= sensor->attn_size; rmi_dev->xport->attn_size -= sensor->attn_size;
} else { } else {
...@@ -221,7 +232,7 @@ static int rmi_f12_attention(struct rmi_function *fn, ...@@ -221,7 +232,7 @@ static int rmi_f12_attention(struct rmi_function *fn,
if (f12->data1) if (f12->data1)
rmi_f12_process_objects(f12, rmi_f12_process_objects(f12,
&sensor->data_pkt[f12->data1_offset]); &sensor->data_pkt[f12->data1_offset], valid_bytes);
input_mt_sync_frame(sensor->input); input_mt_sync_frame(sensor->input);
......
...@@ -110,6 +110,10 @@ static int rmi_f30_attention(struct rmi_function *fn, unsigned long *irq_bits) ...@@ -110,6 +110,10 @@ static int rmi_f30_attention(struct rmi_function *fn, unsigned long *irq_bits)
/* Read the gpi led data. */ /* Read the gpi led data. */
if (rmi_dev->xport->attn_data) { if (rmi_dev->xport->attn_data) {
if (rmi_dev->xport->attn_size < f30->register_count) {
dev_warn(&fn->dev, "F30 interrupted, but data is missing\n");
return 0;
}
memcpy(f30->data_regs, rmi_dev->xport->attn_data, memcpy(f30->data_regs, rmi_dev->xport->attn_data,
f30->register_count); f30->register_count);
rmi_dev->xport->attn_data += f30->register_count; rmi_dev->xport->attn_data += f30->register_count;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment