Re: [PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next

From: Oliver Neukum
Date: Wed Apr 23 2014 - 08:17:59 EST

Next message: Arnd Bergmann: "Re: [RFC 3/3] asm-generic: Drop renameat syscall from default list"
Previous message: Mika Westerberg: "Re: [PATCH] pinctrl-baytrail: fix for irq descriptor conflict on ASUS T100TA"
In reply to: Michal MalÃ: "[PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next"
Next in thread: Michal Malý: "Re: [PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2014-04-22 at 15:59 +0200, Michal MalÃ wrote:
> static int holtekff_play(struct input_dev *dev, void *data,
> - struct ff_effect *effect)
> + const struct mlnx_effect_command *command)
> {
> struct hid_device *hid = input_get_drvdata(dev);
> struct holtekff_device *holtekff = data;
> + const struct mlnx_rumble_force *rumble_force =
> &command->u.rumble_force;
> int left, right;
> /* effect type 1, length 65535 msec */
> u8 buf[HOLTEKFF_MSG_LENGTH] =
> { 0x01, 0x01, 0xff, 0xff, 0x10, 0xe0, 0x00 };

On the kernel stack.

>
> - left = effect->u.rumble.strong_magnitude;
> - right = effect->u.rumble.weak_magnitude;
> - dbg_hid("called with 0x%04x 0x%04x\n", left, right);
> + switch (command->cmd) {
> + case MLNX_START_RUMBLE:
> + left = rumble_force->strong;
> + right = rumble_force->weak;
> + dbg_hid("called with 0x%04x 0x%04x\n", left, right);
>
> - if (!left && !right) {
> - holtekff_send(holtekff, hid, stop_all6);
> - return 0;
> - }
> + if (!left && !right) {
> + holtekff_send(holtekff, hid, stop_all6);
> + return 0;
> + }
>
> - if (left)
> - buf[1] |= 0x80;
> - if (right)
> - buf[1] |= 0x40;
> + if (left)
> + buf[1] |= 0x80;
> + if (right)
> + buf[1] |= 0x40;
>
> - /* The device takes a single magnitude, so we just sum them
> up. */
> - buf[6] = min(0xf, (left >> 12) + (right >> 12));
> + /* The device takes a single magnitude, so we just sum
> them up. */
> + buf[6] = min(0xf, (left >> 12) + (right >> 12));
>
> - holtekff_send(holtekff, hid, buf);
> - holtekff_send(holtekff, hid, start_effect_1);
> + holtekff_send(holtekff, hid, buf);
> + holtekff_send(holtekff, hid, start_effect_1);
> + return 0;
> + case MLNX_STOP_RUMBLE:
> + holtekff_send(holtekff, hid, stop_all6);
> + return 0;
> + default:
> + return -EINVAL;
> + }
>
> return 0;
> }

This looks very much like doing DMA on the kernel stack.
That is very strictly forbidden. The bug is also in the current
code, but would you care to fix it up?

Regards
Oliver

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arnd Bergmann: "Re: [RFC 3/3] asm-generic: Drop renameat syscall from default list"
Previous message: Mika Westerberg: "Re: [PATCH] pinctrl-baytrail: fix for irq descriptor conflict on ASUS T100TA"
In reply to: Michal MalÃ: "[PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next"
Next in thread: Michal Malý: "Re: [PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]