releases/4.19.85/input-synaptics-rmi4-do-not-consume-more-data-than-we-have-f11-f12.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 5d40d95e7e64756cc30606c2ba169271704d47cb Mon Sep 17 00:00:00 2001
 From: Andrew Duggan <aduggan@synaptics.com>
 Date: Mon, 4 Nov 2019 16:07:30 -0800
 Subject: Input: synaptics-rmi4 - do not consume more data than we have (F11, F12)

 From: Andrew Duggan <aduggan@synaptics.com>

 commit 5d40d95e7e64756cc30606c2ba169271704d47cb upstream.

 Currently, rmi_f11_attention() and rmi_f12_attention() functions update
 the attn_data data pointer and size based on the size of the expected
 size of the attention data. However, if the actual valid data in the
 attn buffer is less then the expected value then the updated data
 pointer will point to memory beyond the end of the attn buffer. Using
 the calculated valid_bytes instead will prevent this from happening.

 Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
 Cc: stable@vger.kernel.org
 Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.com
 Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/input/rmi4/rmi_f11.c |    4 ++--
  drivers/input/rmi4/rmi_f12.c |    4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)

 --- a/drivers/input/rmi4/rmi_f11.c
 +++ b/drivers/input/rmi4/rmi_f11.c
 @@ -1287,8 +1287,8 @@ static irqreturn_t rmi_f11_attention(int
  			valid_bytes = f11->sensor.attn_size;
  		memcpy(f11->sensor.data_pkt, drvdata->attn_data.data,
  			valid_bytes);
 -		drvdata->attn_data.data += f11->sensor.attn_size;
 -		drvdata->attn_data.size -= f11->sensor.attn_size;
 +		drvdata->attn_data.data += valid_bytes;
 +		drvdata->attn_data.size -= valid_bytes;
  	} else {
  		error = rmi_read_block(rmi_dev,
  				data_base_addr, f11->sensor.data_pkt,
 --- a/drivers/input/rmi4/rmi_f12.c
 +++ b/drivers/input/rmi4/rmi_f12.c
 @@ -217,8 +217,8 @@ static irqreturn_t rmi_f12_attention(int
  			valid_bytes = sensor->attn_size;
  		memcpy(sensor->data_pkt, drvdata->attn_data.data,
  			valid_bytes);
 -		drvdata->attn_data.data += sensor->attn_size;
 -		drvdata->attn_data.size -= sensor->attn_size;
 +		drvdata->attn_data.data += valid_bytes;
 +		drvdata->attn_data.size -= valid_bytes;
  	} else {
  		retval = rmi_read_block(rmi_dev, f12->data_addr,
  					sensor->data_pkt, sensor->pkt_size);
	From 5d40d95e7e64756cc30606c2ba169271704d47cb Mon Sep 17 00:00:00 2001
	From: Andrew Duggan <aduggan@synaptics.com>
	Date: Mon, 4 Nov 2019 16:07:30 -0800
	Subject: Input: synaptics-rmi4 - do not consume more data than we have (F11, F12)

	From: Andrew Duggan <aduggan@synaptics.com>

	commit 5d40d95e7e64756cc30606c2ba169271704d47cb upstream.

	Currently, rmi_f11_attention() and rmi_f12_attention() functions update
	the attn_data data pointer and size based on the size of the expected
	size of the attention data. However, if the actual valid data in the
	attn buffer is less then the expected value then the updated data
	pointer will point to memory beyond the end of the attn buffer. Using
	the calculated valid_bytes instead will prevent this from happening.

	Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
	Cc: stable@vger.kernel.org
	Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.com
	Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/input/rmi4/rmi_f11.c \| 4 ++--
	drivers/input/rmi4/rmi_f12.c \| 4 ++--
	2 files changed, 4 insertions(+), 4 deletions(-)

	--- a/drivers/input/rmi4/rmi_f11.c
	+++ b/drivers/input/rmi4/rmi_f11.c
	@@ -1287,8 +1287,8 @@ static irqreturn_t rmi_f11_attention(int
	valid_bytes = f11->sensor.attn_size;
	memcpy(f11->sensor.data_pkt, drvdata->attn_data.data,
	valid_bytes);
	- drvdata->attn_data.data += f11->sensor.attn_size;
	- drvdata->attn_data.size -= f11->sensor.attn_size;
	+ drvdata->attn_data.data += valid_bytes;
	+ drvdata->attn_data.size -= valid_bytes;
	} else {
	error = rmi_read_block(rmi_dev,
	data_base_addr, f11->sensor.data_pkt,
	--- a/drivers/input/rmi4/rmi_f12.c
	+++ b/drivers/input/rmi4/rmi_f12.c
	@@ -217,8 +217,8 @@ static irqreturn_t rmi_f12_attention(int
	valid_bytes = sensor->attn_size;
	memcpy(sensor->data_pkt, drvdata->attn_data.data,
	valid_bytes);
	- drvdata->attn_data.data += sensor->attn_size;
	- drvdata->attn_data.size -= sensor->attn_size;
	+ drvdata->attn_data.data += valid_bytes;
	+ drvdata->attn_data.size -= valid_bytes;
	} else {
	retval = rmi_read_block(rmi_dev, f12->data_addr,
	sensor->data_pkt, sensor->pkt_size);