| Message ID | 1362752803-21853-1-git-send-email-rabin.vincent@stericsson.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, Mar 08, 2013 at 03:26:43PM +0100, Rabin Vincent wrote: > The keymap size used by tc3589x is too low, leading to the driver > overwriting other people's memory. Fix this by making the driver use > the automatically allocated keymap provided by > matrix_keypad_build_keymap() instead of allocating one on its own. > > Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com> Applied, thank you Rabin. Do you think you could prepare a patch against stable as older kernels should have the same issue but matrix_keypad_build_keymap does not allocate keymap there? Thanks!
2013/3/10 Dmitry Torokhov <dmitry.torokhov@gmail.com>: > On Fri, Mar 08, 2013 at 03:26:43PM +0100, Rabin Vincent wrote: >> The keymap size used by tc3589x is too low, leading to the driver >> overwriting other people's memory. Fix this by making the driver use >> the automatically allocated keymap provided by >> matrix_keypad_build_keymap() instead of allocating one on its own. >> >> Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com> > > Do you think you could prepare a patch against stable as older kernels > should have the same issue but matrix_keypad_build_keymap does not > allocate keymap there? The memory overwriting problem only exists after 1932811f426fee ("Input: matrix-keymap - uninline and prepare for device tree support"). Before that the driver was passing in a row_shift of 3, which, with a max rows count of 8, fit into the 64 entries of keymap that the driver allocates. 1932811f426fee was introduced in v3.5. 5383116b86d8e87 ("Input: marix-keymap - automatically allocate memory for keymap") was introduced in v3.8 The only stable kernel from v3.5 to v3.8 which is currently maintained is v3.8. So, it looks like this patch can be applied to v3.8 stable, and no stable specific patches are needed. -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/input/keyboard/tc3589x-keypad.c b/drivers/input/keyboard/tc3589x-keypad.c index 2fb0d76..208de7c 100644 --- a/drivers/input/keyboard/tc3589x-keypad.c +++ b/drivers/input/keyboard/tc3589x-keypad.c @@ -70,8 +70,6 @@ #define TC3589x_EVT_INT_CLR 0x2 #define TC3589x_KBD_INT_CLR 0x1 -#define TC3589x_KBD_KEYMAP_SIZE 64 - /** * struct tc_keypad - data structure used by keypad driver * @tc3589x: pointer to tc35893 @@ -88,7 +86,7 @@ struct tc_keypad { const struct tc3589x_keypad_platform_data *board; unsigned int krow; unsigned int kcol; - unsigned short keymap[TC3589x_KBD_KEYMAP_SIZE]; + unsigned short *keymap; bool keypad_stopped; }; @@ -338,12 +336,14 @@ static int tc3589x_keypad_probe(struct platform_device *pdev) error = matrix_keypad_build_keymap(plat->keymap_data, NULL, TC3589x_MAX_KPROW, TC3589x_MAX_KPCOL, - keypad->keymap, input); + NULL, input); if (error) { dev_err(&pdev->dev, "Failed to build keymap\n"); goto err_free_mem; } + keypad->keymap = input->keycode; + input_set_capability(input, EV_MSC, MSC_SCAN); if (!plat->no_autorepeat) __set_bit(EV_REP, input->evbit);
The keymap size used by tc3589x is too low, leading to the driver overwriting other people's memory. Fix this by making the driver use the automatically allocated keymap provided by matrix_keypad_build_keymap() instead of allocating one on its own. Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com> --- drivers/input/keyboard/tc3589x-keypad.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)