git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.4.44/input-elants_i2c-avoid-divide-by-0-errors-on-bad-touchscreen-data.patch
4.9-stable patches
1 From 1c3415a06b1016a596bfe59e0cfee56c773aa958 Mon Sep 17 00:00:00 2001
2 From: Guenter Roeck <linux@roeck-us.net>
3 Date: Thu, 5 Jan 2017 14:14:54 -0800
4 Subject: Input: elants_i2c - avoid divide by 0 errors on bad touchscreen data
5
6 From: Guenter Roeck <linux@roeck-us.net>
7
8 commit 1c3415a06b1016a596bfe59e0cfee56c773aa958 upstream.
9
10 The following crash may be seen if bad data is received from the
11 touchscreen.
12
13 [ 2189.425150] elants_i2c i2c-ELAN0001:00: unknown packet ff ff ff ff
14 [ 2189.430738] divide error: 0000 [#1] PREEMPT SMP
15 [ 2189.434679] gsmi: Log Shutdown Reason 0x03
16 [ 2189.434689] Modules linked in: ip6t_REJECT nf_reject_ipv6 rfcomm evdi
17 uinput uvcvideo cmac videobuf2_vmalloc videobuf2_memops snd_hda_codec_hdmi
18 i2c_dev videobuf2_core snd_soc_sst_cht_bsw_rt5645 snd_hda_intel
19 snd_intel_sst_acpi btusb btrtl btbcm btintel bluetooth snd_soc_sst_acpi
20 snd_hda_codec snd_intel_sst_core snd_hwdep snd_soc_sst_mfld_platform
21 snd_hda_core snd_soc_rt5645 memconsole_x86_legacy memconsole zram snd_soc_rl6231
22 fuse ip6table_filter iwlmvm iwlwifi iwl7000_mac80211 cfg80211 iio_trig_sysfs
23 joydev cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer
24 kfifo_buf industrialio snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq
25 snd_seq_device ppp_async ppp_generic slhc tun
26 [ 2189.434866] CPU: 0 PID: 106 Comm: irq/184-ELAN000 Tainted: G W
27 3.18.0-13101-g57e8190 #1
28 [ 2189.434883] Hardware name: GOOGLE Ultima, BIOS Google_Ultima.7287.131.43 07/20/2016
29 [ 2189.434898] task: ffff88017a0b6d80 ti: ffff88017a2bc000 task.ti: ffff88017a2bc000
30 [ 2189.434913] RIP: 0010:[<ffffffffbecc48d5>] [<ffffffffbecc48d5>] elants_i2c_irq+0x190/0x200
31 [ 2189.434937] RSP: 0018:ffff88017a2bfd98 EFLAGS: 00010293
32 [ 2189.434948] RAX: 0000000000000000 RBX: ffff88017a967828 RCX: ffff88017a9678e8
33 [ 2189.434962] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000000
34 [ 2189.434975] RBP: ffff88017a2bfdd8 R08: 00000000000003e8 R09: 0000000000000000
35 [ 2189.434989] R10: 0000000000000000 R11: 000000000044a2bd R12: ffff88017a991800
36 [ 2189.435001] R13: ffffffffbe8a2a53 R14: ffff88017a0b6d80 R15: ffff88017a0b6d80
37 [ 2189.435011] FS: 0000000000000000(0000) GS:ffff88017fc00000(0000) knlGS:0000000000000000
38 [ 2189.435022] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
39 [ 2189.435030] CR2: 00007f678d94b000 CR3: 000000003f41a000 CR4: 00000000001007f0
40 [ 2189.435039] Stack:
41 [ 2189.435044] ffff88017a2bfda8 ffff88017a9678e8 646464647a2bfdd8 0000000006e09574
42 [ 2189.435060] 0000000000000000 ffff88017a088b80 ffff88017a921000 ffffffffbe8a2a53
43 [ 2189.435074] ffff88017a2bfe08 ffffffffbe8a2a73 ffff88017a0b6d80 0000000006e09574
44 [ 2189.435089] Call Trace:
45 [ 2189.435101] [<ffffffffbe8a2a53>] ? irq_thread_dtor+0xa9/0xa9
46 [ 2189.435112] [<ffffffffbe8a2a73>] irq_thread_fn+0x20/0x40
47 [ 2189.435123] [<ffffffffbe8a2be1>] irq_thread+0x14e/0x222
48 [ 2189.435135] [<ffffffffbee8cbeb>] ? __schedule+0x3b3/0x57a
49 [ 2189.435145] [<ffffffffbe8a29aa>] ? wake_threads_waitq+0x2d/0x2d
50 [ 2189.435156] [<ffffffffbe8a2a93>] ? irq_thread_fn+0x40/0x40
51 [ 2189.435168] [<ffffffffbe87c385>] kthread+0x10e/0x116
52 [ 2189.435178] [<ffffffffbe87c277>] ? __kthread_parkme+0x67/0x67
53 [ 2189.435189] [<ffffffffbee900ac>] ret_from_fork+0x7c/0xb0
54 [ 2189.435199] [<ffffffffbe87c277>] ? __kthread_parkme+0x67/0x67
55 [ 2189.435208] Code: ff ff eb 73 0f b6 bb c1 00 00 00 83 ff 03 7e 13 49 8d 7c
56 24 20 ba 04 00 00 00 48 c7 c6 8a cd 21 bf eb 4d 0f b6 83 c2 00 00 00 99 <f7> ff
57 83 f8 37 75 15 48 6b f7 37 4c 8d a3 c4 00 00 00 4c 8d ac
58 [ 2189.435312] RIP [<ffffffffbecc48d5>] elants_i2c_irq+0x190/0x200
59 [ 2189.435323] RSP <ffff88017a2bfd98>
60 [ 2189.435350] ---[ end trace f4945345a75d96dd ]---
61 [ 2189.443841] Kernel panic - not syncing: Fatal exception
62 [ 2189.444307] Kernel Offset: 0x3d800000 from 0xffffffff81000000
63 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
64 [ 2189.444519] gsmi: Log Shutdown Reason 0x02
65
66 The problem was seen with a 3.18 based kernel, but there is no reason
67 to believe that the upstream code is safe.
68
69 Fixes: 66aee90088da2 ("Input: add support for Elan eKTH I2C touchscreens")
70 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
71 Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
72 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
73
74 ---
75 drivers/input/touchscreen/elants_i2c.c | 4 ++--
76 1 file changed, 2 insertions(+), 2 deletions(-)
77
78 --- a/drivers/input/touchscreen/elants_i2c.c
79 +++ b/drivers/input/touchscreen/elants_i2c.c
80 @@ -905,9 +905,9 @@ static irqreturn_t elants_i2c_irq(int ir
81
82 case QUEUE_HEADER_NORMAL:
83 report_count = ts->buf[FW_HDR_COUNT];
84 - if (report_count > 3) {
85 + if (report_count == 0 || report_count > 3) {
86 dev_err(&client->dev,
87 - "too large report count: %*ph\n",
88 + "bad report count: %*ph\n",
89 HEADER_SIZE, ts->buf);
90 break;
91 }
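Review bot: the dev_err() in the rejected-count branch of the QUEUE_HEADER_NORMAL case runs inside elants_i2c_irq() for every malformed header, so a controller that keeps sending bad data (the log in the commit message shows "unknown packet ff ff ff ff" just before the crash) can flood the kernel log; dev_err_ratelimited() would keep the diagnostic without that cost. Separately, the check itself gives no hint why zero is rejected: the division that faults is outside this hunk, and the upper bound is a bare literal 3. A one-line comment stating that report_count is used as a divisor further down, and a named constant for the maximum, would make the validation of this device-supplied byte self-explanatory to the next reader.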