| Age | Commit message (Collapse) | Author |
|---|
|
In mxt_update_cfg(), the driver calculates the memory size needed to store
the configuration as data->mem_size - cfg.start_ofs. If data->mem_size is
less than or equal to cfg.start_ofs, this calculation will underflow or
result in a zero-size buffer, neither of which is valid for a configuration
update.
Add a check to return -EINVAL if data->mem_size is too small. While at it,
change the types of start_ofs and mem_size in struct mxt_cfg to u16 to
match the device address space.
Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260504185448.4055973-2-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.
The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:
if (i > mxt_obj_size(object))
continue;
Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.
When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.
This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and writes the byte there, overwriting exactly one byte of the adjacent
instance or object.
Update the boundary check to skip extra bytes correctly by using >=.
Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.
Both fields are 16-bit on the wire (max 65535). The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes. read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.
A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation. The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events. Far enough out, the read can also
hit an unmapped page and fault.
Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs
directory") removed the manual debugfs teardown, relying on the I2C core
to handle it. However, this creates a window where debugfs files are
still accessible after edt_ft5x06_ts_teardown_debugfs() frees
tsdata->raw_buffer.
To prevent a use-after-free, protect the freeing of raw_buffer with the
device mutex and set raw_buffer to NULL. The debugfs read function
already checks if raw_buffer is NULL under the same mutex, so this
safely avoids the use-after-free.
Fixes: 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/adnJicDh-bTUaWXP@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This touchscreen controller was used om Gateway AOL Connected Touchpad
released in 2000 and, according to Wikipedia, removed from the market
in October 2001 due to slow sales.
It looks like it can still be bought on eBay for $1000 but I really
doubt anyone will actually use it.
Remove the driver.
Link: https://patch.msgid.link/20240808172733.1194442-5-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Use the common USB helpers for looking up bulk and interrupt endpoints
(and determining endpoint numbers) instead of open coding.
Note that the NEXIO data interface has two bulk endpoints (see commit
5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
for the descriptors).
The lookup in probe handles both bulk-in and interrupt-in endpoints and
was added to handle NEXIO devices. Replace the open coded lookup with a
lookup for the common interrupt endpoint and an explicit fallback
accepting a bulk endpoint.
This iterates over the (two) endpoints twice for NEXIO devices but makes
it more clear what is going on.
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260401082212.2180434-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Without a reported resolution, userspace was assuming 1 unit/mm which
is wildly wrong: a regular smartphone is clearly not 2.4 meters tall.
Most applications do not care much for this kind of raw mm value,
but Phosh's on-screen keyboard would accidentally trigger swipe-to-close
gestures due to misinterpreting small movements as huge ones.
Do what the older goodix.c driver does and set the resolution to 10
units/mm to make sure the numbers calculated by userspace are reasonable.
Signed-off-by: Val Packett <val@packett.cool>
Link: https://patch.msgid.link/20260321073242.556253-1-val@packett.cool
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This makes the code more compact and error handling more robust.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Instead of requesting interrupt normally and immediately disabling it
with call to disable_irq() use IRQF_NOAUTOEN to keep it disabled until
it is needed. This avoids a tiny window when interrupt is enabled but
not needed.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Also use list_first_entry() instead of list_entry() to emphasize intent.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code and shows critical section more clearly.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Also stop trying to check if input device is opened/in use in the
interrupt handler - the interrupt is disabled when device is closed or
suspended.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Using guard notation makes the code more compact and error handling
more robust by ensuring that locks are released in all code paths
when control leaves critical section.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Use __free(fwnode_handle) cleanup facility to ensure that references to
acquired fwnodes are dropped at appropriate times automatically.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Do not define or use iqs5xx_ihex_rec structure: the original code was
using just a couple of fields in it and instead used it to calculate
offset to record data. The data field was actually reserving space for
checksum.
Instead iterate through fields and advance pointer explicitly.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code and error
handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code and error
handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free(firmware) to simplify the code and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Note that callers of exc3000_vendor_data_request() always expect
response, so it was adjusted to always wait for it.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This makes the code more compact and error handling more robust.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Also fix the touchscreen not being marked as suspended when noone has
opened/is using it.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Guard notation simplifies code.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This makes the code more compact and error handling more robust.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Start using __free() and guard() primitives to simplify the code
and error handling.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This makes the code more compact and error handling more robust.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
This makes the code more compact and error handling more robust.
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
|
Sync up with the mainline to brig up the latest changes, specifically
changes to ALPS driver.
|
|
This was done entirely with mindless brute force, using
git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'
to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.
Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.
For the same reason the 'flex' versions will be done as a separate
conversion.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:
Single allocations: kmalloc(sizeof(TYPE), ...)
are replaced with: kmalloc_obj(TYPE, ...)
Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with: kmalloc_objs(TYPE, COUNT, ...)
Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...)
(where TYPE may also be *VAR)
The resulting allocations no longer return "void *", instead returning
"TYPE *".
Signed-off-by: Kees Cook <kees@kernel.org>
|
