In mxt_update_cfg(), the driver calculates the memory size needed to store
the configuration as data->mem_size - cfg.start_ofs. If data->mem_size is
less than or equal to cfg.start_ofs, this calculation will underflow or
result in a zero-size buffer, neither of which is valid for a configuration
update.
Add a check to return -EINVAL if data->mem_size is too small. While at it,
change the types of start_ofs and mem_size in struct mxt_cfg to u16 to
match the device address space.
Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260504185448.4055973-2-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.
The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:
if (i > mxt_obj_size(object))
continue;
Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.
When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.
This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and writes the byte there, overwriting exactly one byte of the adjacent
instance or object.
Update the boundary check to skip extra bytes correctly by using >=.
Fixes: 50a77c658b ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
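Added example for the two mxt_update_cfg() commits above (not the driver's code): a small model of the config window check and of the object-copy loop with both boundary conditions. The register numbers, object sizes and the 16-byte "device memory" are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the driver's code: a model of the two checks from the
 * mxt_update_cfg() commits. Registers, sizes and the 16-byte memory are constructed. */
#define MODEL_MEM_SIZE 16u

struct cfg_model {
	uint16_t start_ofs;           /* first register the config covers */
	uint8_t mem[MODEL_MEM_SIZE];  /* modelled config memory */
};

/* First commit: reject an empty window, otherwise mem_size - start_ofs underflows. */
static int cfg_window_len(uint16_t start_ofs, uint16_t mem_size, size_t *len)
{
	if (mem_size <= start_ofs)
		return -EINVAL;
	*len = (size_t)mem_size - start_ofs;
	return 0;
}

/* Second commit: copy one object's bytes from a file record. 'size' is what the
 * file claims, 'obj_size' what the driver knows. strict selects '>=' (fixed) or '>'. */
static void write_object(struct cfg_model *cfg, uint16_t reg, const uint8_t *bytes,
			 size_t size, size_t obj_size, bool strict)
{
	for (size_t i = 0; i < size; i++) {
		if (strict ? i >= obj_size : i > obj_size)
			continue;   /* discard bytes beyond the object */
		size_t byte_offset = reg + i - cfg->start_ofs;
		if (byte_offset < MODEL_MEM_SIZE)
			cfg->mem[byte_offset] = bytes[i];
	}
}

/* Object A (4 bytes) at reg 6 is followed by object B at reg 10; the record
 * supplies 6 bytes for A. Returns B's first byte: 0xAA if left untouched. */
static uint8_t adjacent_byte_after_write(bool strict)
{
	struct cfg_model cfg = { .start_ofs = 2 };
	const uint8_t record[6] = { 1, 2, 3, 4, 5, 6 };   /* constructed file bytes */

	memset(cfg.mem, 0xAA, sizeof(cfg.mem));
	write_object(&cfg, 6, record, sizeof(record), 4, strict);
	return cfg.mem[10 - cfg.start_ofs];
}
```

With the original `>` check the fifth record byte lands on object B; with `>=` object B is left untouched.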
nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.
Both fields are 16-bit on the wire (max 65535). The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes. read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.
A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation. The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events. Far enough out, the read can also
hit an unmapped page and fault.
Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
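Added example for the nexio_read_data() commit above (not the driver's code): a model of the packet walk with the device-supplied lengths clamped as the fix describes. The header layout (one flags byte, then big-endian data_len, x_len, y_len), the 0xe1 flag value and the threshold of 50 are assumptions made here; the 1024-byte buffer and 7-byte header come from the commit message.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the driver's code: a model of the length clamping from the
 * nexio_read_data() commit above. The header layout (1 byte flags, then big-endian
 * data_len, x_len, y_len) and the threshold value are assumptions made here. */
#define REPT_SIZE     1024u                   /* URB buffer size per the commit message */
#define HDR_LEN       7u                      /* packed header takes the first 7 bytes */
#define DATA_CAPACITY (REPT_SIZE - HDR_LEN)   /* 1017 valid data[] bytes */
#define THRESHOLD     50                      /* assumed NEXIO_THRESHOLD value */

struct walk_result {
	size_t data_len, x_len;   /* lengths actually used after clamping */
	int begin_x, begin_y;     /* first index over threshold per axis, -1 if none */
};

static uint16_t be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk data[0..x_len) then data[x_len..data_len) like the driver, but with the
 * device-supplied lengths clamped to what the 1024-byte buffer really holds. */
static struct walk_result walk_packet(const uint8_t buf[REPT_SIZE])
{
	struct walk_result r = { be16(buf + 1), be16(buf + 3), -1, -1 };
	const uint8_t *data = buf + HDR_LEN;
	if (r.data_len > DATA_CAPACITY)   /* wire field is 16-bit: up to 65535 */
		r.data_len = DATA_CAPACITY;
	if (r.x_len > r.data_len)         /* X bytes cannot exceed the total */
		r.x_len = r.data_len;
	for (size_t i = 0; i < r.x_len; i++)
		if (data[i] > THRESHOLD) { r.begin_x = (int)i; break; }
	for (size_t i = r.x_len; i < r.data_len; i++)
		if (data[i] > THRESHOLD) { r.begin_y = (int)i; break; }
	return r;
}

/* Constructed packet from a device that claims 0xfeff data bytes and 512 X bytes
 * while the buffer only holds 1017; one byte per axis exceeds the threshold. */
static void make_lying_packet(uint8_t buf[REPT_SIZE])
{
	memset(buf, 0, REPT_SIZE);
	buf[0] = 0xe1;                          /* touch flag (assumed value) */
	buf[1] = 0xfe; buf[2] = 0xff;           /* data_len = 0xfeff */
	buf[3] = 0x02; buf[4] = 0x00;           /* x_len = 512 */
	buf[5] = 0xfc; buf[6] = 0xff;           /* y_len, not used by the walk */
	buf[HDR_LEN + 3] = 100;                 /* first X sample over threshold */
	buf[HDR_LEN + 600] = 100;               /* first Y sample over threshold */
}
```

Without the two clamps the second loop would run to index 0xfeff, far past the 1017 bytes the buffer holds; with them every index stays inside data[].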
The commit 68743c500c ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.
To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.
Fixes: 68743c500c ("Input: edt-ft5x06 - use per-client debugfs directory")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/adnJicDh-bTUaWXP@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This touchscreen controller was used on Gateway AOL Connected Touchpad
released in 2000 and, according to Wikipedia, removed from the market
in October 2001 due to slow sales.
It looks like it can still be bought on eBay for $1000 but I really
doubt anyone will actually use it.
Remove the driver.
Link: https://patch.msgid.link/20240808172733.1194442-5-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Use the common USB helpers for looking up bulk and interrupt endpoints
(and determining endpoint numbers) instead of open coding.
Note that the NEXIO data interface has two bulk endpoints (see commit
5197424cdc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
for the descriptors).
The lookup in probe handles both bulk-in and interrupt-in endpoints and
was added to handle NEXIO devices. Replace the open coded lookup with a
lookup for the common interrupt endpoint and an explicit fallback
accepting a bulk endpoint.
This iterates over the (two) endpoints twice for NEXIO devices but makes
it more clear what is going on.
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260401082212.2180434-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Without a reported resolution, userspace was assuming 1 unit/mm which
is wildly wrong: a regular smartphone is clearly not 2.4 meters tall.
Most applications do not care much for this kind of raw mm value,
but Phosh's on-screen keyboard would accidentally trigger swipe-to-close
gestures due to misinterpreting small movements as huge ones.
Do what the older goodix.c driver does and set the resolution to 10
units/mm to make sure the numbers calculated by userspace are reasonable.
Signed-off-by: Val Packett <val@packett.cool>
Link: https://patch.msgid.link/20260321073242.556253-1-val@packett.cool
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Instead of requesting interrupt normally and immediately disabling it
with call to disable_irq() use IRQF_NOAUTOEN to keep it disabled until
it is needed. This avoids a tiny window when interrupt is enabled but
not needed.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Guard notation simplifies code.
Also use list_first_entry() instead of list_entry() to emphasize intent.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Guard notation simplifies code.
Also stop trying to check if input device is opened/in use in the
interrupt handler - the interrupt is disabled when device is closed or
suspended.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Using guard notation makes the code more compact and error handling
more robust by ensuring that locks are released in all code paths
when control leaves critical section.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Use __free(fwnode_handle) cleanup facility to ensure that references to
acquired fwnodes are dropped at appropriate times automatically.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Do not define or use iqs5xx_ihex_rec structure: the original code was
using just a couple of fields in it and instead used it to calculate
offset to record data. The data field was actually reserving space for
checksum.
Instead iterate through fields and advance pointer explicitly.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Guard notation simplifies code.
Note that callers of exc3000_vendor_data_request() always expect
response, so it was adjusted to always wait for it.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Guard notation simplifies code.
Also fix the touchscreen not being marked as suspended when no one has
opened/is using it.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Merge tag 'v7.0-rc3' into next
Sync up with the mainline to bring up the latest changes, specifically
changes to ALPS driver.
This was done entirely with mindless brute force, using
git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'
to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.
Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.
For the same reason the 'flex' versions will be done as a separate
conversion.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:
Single allocations: kmalloc(sizeof(TYPE), ...)
are replaced with: kmalloc_obj(TYPE, ...)
Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with: kmalloc_objs(TYPE, COUNT, ...)
Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...)
(where TYPE may also be *VAR)
The resulting allocations no longer return "void *", instead returning
"TYPE *".
Signed-off-by: Kees Cook <kees@kernel.org>