| Message ID | 20211212124242.81019-6-hdegoede@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Input: goodix - Various fixes and improvements | expand |
Hi Hans, On Sun, Dec 12, 2021 at 01:42:42PM +0100, Hans de Goede wrote: > Because there is no way to detect if the touchscreen has pen support, > the driver is allocating and registering the input_pen input_dev on > receiving the first pen event. > > But this means that the input_dev gets allocated after the request_irq() > call which means that the devm framework will free it before disabling > the irq, leaving a window where the irq handler may run and reference the > free-ed input_dev. > > To fix this move the allocation of the input_pen input_dev to before > the request_irq() call, while still only registering it on the first pen > event so that the driver does not advertise pen capability on touchscreens > without it (most goodix touchscreens do not have pen support). > > Signed-off-by: Hans de Goede <hdegoede@redhat.com> > --- > drivers/input/touchscreen/goodix.c | 32 ++++++++++++++++++------------ > drivers/input/touchscreen/goodix.h | 1 + > 2 files changed, 20 insertions(+), 13 deletions(-) > > diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c > index 04baf5a770f5..1ada40fa6de6 100644 > --- a/drivers/input/touchscreen/goodix.c > +++ b/drivers/input/touchscreen/goodix.c > @@ -297,14 +297,14 @@ static int goodix_ts_read_input_report(struct goodix_ts_data *ts, u8 *data) > return -ENOMSG; > } > > -static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) > +static int goodix_create_pen_input(struct goodix_ts_data *ts) > { > struct device *dev = &ts->client->dev; > struct input_dev *input; > > input = devm_input_allocate_device(dev); > if (!input) > - return NULL; > + return -ENOMEM; > > input_copy_abs(input, ABS_X, ts->input_dev, ABS_MT_POSITION_X); > input_copy_abs(input, ABS_Y, ts->input_dev, ABS_MT_POSITION_Y); > @@ -331,23 +331,18 @@ static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) > input->id.product = 0x1001; > input->id.version = ts->version; > > - if (input_register_device(input) != 0) { > - input_free_device(input); > - return NULL; > - } > - > - return input; > + ts->input_pen = input; > + return 0; > } > > static void goodix_ts_report_pen_down(struct goodix_ts_data *ts, u8 *data) > { > - int input_x, input_y, input_w; > + int input_x, input_y, input_w, error; > u8 key_value; > > - if (!ts->input_pen) { > - ts->input_pen = goodix_create_pen_input(ts); > - if (!ts->input_pen) > - return; > + if (!ts->pen_input_registered) { > + error = input_register_device(ts->input_pen); > + ts->pen_input_registered = error == 0; I do not think you want to try and re-register input device if first registration failed. You probably also don't want to waste time and return early from here in case of failures. Thanks.
Hi, On 12/13/21 05:56, Dmitry Torokhov wrote: > Hi Hans, > > On Sun, Dec 12, 2021 at 01:42:42PM +0100, Hans de Goede wrote: >> Because there is no way to detect if the touchscreen has pen support, >> the driver is allocating and registering the input_pen input_dev on >> receiving the first pen event. >> >> But this means that the input_dev gets allocated after the request_irq() >> call which means that the devm framework will free it before disabling >> the irq, leaving a window where the irq handler may run and reference the >> free-ed input_dev. >> >> To fix this move the allocation of the input_pen input_dev to before >> the request_irq() call, while still only registering it on the first pen >> event so that the driver does not advertise pen capability on touchscreens >> without it (most goodix touchscreens do not have pen support). >> >> Signed-off-by: Hans de Goede <hdegoede@redhat.com> >> --- >> drivers/input/touchscreen/goodix.c | 32 ++++++++++++++++++------------ >> drivers/input/touchscreen/goodix.h | 1 + >> 2 files changed, 20 insertions(+), 13 deletions(-) >> >> diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c >> index 04baf5a770f5..1ada40fa6de6 100644 >> --- a/drivers/input/touchscreen/goodix.c >> +++ b/drivers/input/touchscreen/goodix.c >> @@ -297,14 +297,14 @@ static int goodix_ts_read_input_report(struct goodix_ts_data *ts, u8 *data) >> return -ENOMSG; >> } >> >> -static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) >> +static int goodix_create_pen_input(struct goodix_ts_data *ts) >> { >> struct device *dev = &ts->client->dev; >> struct input_dev *input; >> >> input = devm_input_allocate_device(dev); >> if (!input) >> - return NULL; >> + return -ENOMEM; >> >> input_copy_abs(input, ABS_X, ts->input_dev, ABS_MT_POSITION_X); >> input_copy_abs(input, ABS_Y, ts->input_dev, ABS_MT_POSITION_Y); >> @@ -331,23 +331,18 @@ static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) >> input->id.product = 0x1001; >> input->id.version = ts->version; >> >> - if (input_register_device(input) != 0) { >> - input_free_device(input); >> - return NULL; >> - } >> - >> - return input; >> + ts->input_pen = input; >> + return 0; >> } >> >> static void goodix_ts_report_pen_down(struct goodix_ts_data *ts, u8 *data) >> { >> - int input_x, input_y, input_w; >> + int input_x, input_y, input_w, error; >> u8 key_value; >> >> - if (!ts->input_pen) { >> - ts->input_pen = goodix_create_pen_input(ts); >> - if (!ts->input_pen) >> - return; >> + if (!ts->pen_input_registered) { >> + error = input_register_device(ts->input_pen); >> + ts->pen_input_registered = error == 0; > > I do not think you want to try and re-register input device if first > registration failed. You probably also don't want to waste time and > return early from here in case of failures. Ack, I've fixed both for v2 of this patch-series. Regards, Hans
diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c index 04baf5a770f5..1ada40fa6de6 100644 --- a/drivers/input/touchscreen/goodix.c +++ b/drivers/input/touchscreen/goodix.c @@ -297,14 +297,14 @@ static int goodix_ts_read_input_report(struct goodix_ts_data *ts, u8 *data) return -ENOMSG; } -static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) +static int goodix_create_pen_input(struct goodix_ts_data *ts) { struct device *dev = &ts->client->dev; struct input_dev *input; input = devm_input_allocate_device(dev); if (!input) - return NULL; + return -ENOMEM; input_copy_abs(input, ABS_X, ts->input_dev, ABS_MT_POSITION_X); input_copy_abs(input, ABS_Y, ts->input_dev, ABS_MT_POSITION_Y); @@ -331,23 +331,18 @@ static struct input_dev *goodix_create_pen_input(struct goodix_ts_data *ts) input->id.product = 0x1001; input->id.version = ts->version; - if (input_register_device(input) != 0) { - input_free_device(input); - return NULL; - } - - return input; + ts->input_pen = input; + return 0; } static void goodix_ts_report_pen_down(struct goodix_ts_data *ts, u8 *data) { - int input_x, input_y, input_w; + int input_x, input_y, input_w, error; u8 key_value; - if (!ts->input_pen) { - ts->input_pen = goodix_create_pen_input(ts); - if (!ts->input_pen) - return; + if (!ts->pen_input_registered) { + error = input_register_device(ts->input_pen); + ts->pen_input_registered = error == 0; } if (ts->contact_size == 9) { @@ -1207,6 +1202,17 @@ static int goodix_configure_dev(struct goodix_ts_data *ts) return error; } + /* + * Create the input_pen device before goodix_request_irq() calls + * devm_request_threaded_irq() so that the devm framework frees + * it after disabling the irq. + * Unfortunately there is no way to detect if the touchscreen has pen + * support, so registering the dev is delayed till the first pen event. + */ + error = goodix_create_pen_input(ts); + if (error) + return error; + ts->irq_flags = goodix_irq_flags[ts->int_trigger_type] | IRQF_ONESHOT; error = goodix_request_irq(ts); if (error) { diff --git a/drivers/input/touchscreen/goodix.h b/drivers/input/touchscreen/goodix.h index fa8602e78a64..30ea24f28f8a 100644 --- a/drivers/input/touchscreen/goodix.h +++ b/drivers/input/touchscreen/goodix.h @@ -94,6 +94,7 @@ struct goodix_ts_data { u16 version; bool reset_controller_at_probe; bool load_cfg_from_disk; + bool pen_input_registered; struct completion firmware_loading_complete; unsigned long irq_flags; enum goodix_irq_pin_access_method irq_pin_access_method;
Because there is no way to detect if the touchscreen has pen support, the driver is allocating and registering the input_pen input_dev on receiving the first pen event. But this means that the input_dev gets allocated after the request_irq() call which means that the devm framework will free it before disabling the irq, leaving a window where the irq handler may run and reference the free-ed input_dev. To fix this move the allocation of the input_pen input_dev to before the request_irq() call, while still only registering it on the first pen event so that the driver does not advertise pen capability on touchscreens without it (most goodix touchscreens do not have pen support). Signed-off-by: Hans de Goede <hdegoede@redhat.com> --- drivers/input/touchscreen/goodix.c | 32 ++++++++++++++++++------------ drivers/input/touchscreen/goodix.h | 1 + 2 files changed, 20 insertions(+), 13 deletions(-)