From: sashiko-bot@kernel.org
To: "Jun Yan" <jerrysteve1101@gmail.com>
Cc: conor+dt@kernel.org, dmitry.torokhov@gmail.com,
linux-input@vger.kernel.org, devicetree@vger.kernel.org,
robh@kernel.org
Subject: Re: [PATCH v2 8/9] dt-bindings: input: microchip,cap11xx: Add CAP1114 support
Date: Fri, 12 Jun 2026 07:35:36 +0000 [thread overview]
Message-ID: <20260612073537.0C9ED1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612072237.1177304-9-jerrysteve1101@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Schema constraint conflict for `linux,keycodes` makes CAP1114 validation impossible.
- [High] Buffer overflow when parsing `microchip,calib-sensitivity` property for models with >8 channels.
--
commit f0d8405d987f3f3e2623cf6af9274da6bb531e55
Author: Jun Yan <jerrysteve1101@gmail.com>
dt-bindings: input: microchip,cap11xx: Add CAP1114 support
CAP1114 is a 14-channel capacitive touch sensor with 11 LED outputs
and hardware reset support. Add the compatible string for CAP1114,
update maximum LED channels, and add constraints for linux,keycodes.
> diff --git a/Documentation/devicetree/bindings/input/microchip,cap11xx.yaml b/Documentation/devicetree/bindings/input/microchip,cap11xx.yaml
> index 778ec6d659a8d..0e9a1a8a3f3e7 100644
> --- a/Documentation/devicetree/bindings/input/microchip,cap11xx.yaml
> +++ b/Documentation/devicetree/bindings/input/microchip,cap11xx.yaml
[ ... ]
> @@ -178,6 +182,18 @@ allOf:
> properties:
> reset-gpios: false
>
> + - if:
> + properties:
> + compatible:
> + contains:
> + enum:
> + - microchip,cap1114
> + then:
> + properties:
> + linux,keycodes:
> + minItems: 14
> + maxItems: 14
> +
[Severity: High]
This conditional block enforces 14 items for linux,keycodes, but earlier in
the file there is a global constraint that limits it to 8:
linux,keycodes:
minItems: 3
maxItems: 8
Because JSON Schema evaluates global and conditional constraints cumulatively,
any valid CAP1114 node with 14 keycodes will fail dt_binding_check against
the global 8-item limit. Should the global maxItems be increased to 14,
while keeping other models constrained in their respective blocks?
[ ... ]
One additional question regarding the CAP1114 integration with the driver:
[Severity: High]
When CAP1114 support is added to the driver (since num_channels will be 14),
can this lead to an out-of-bounds write?
In drivers/input/keyboard/cap11xx.c, calib_sensitivities is a fixed-size
8-element array:
struct cap11xx_priv {
...
u32 calib_sensitivities[8];
u32 keycodes[];
};
However, during initialization, the driver reads num_channels items into it:
if (!of_property_read_u32_array(node, "microchip,calib-sensitivity",
priv->calib_sensitivities,
priv->model->num_channels)) {
Even though the CAP1114 binding forbids microchip,calib-sensitivity, an
incorrectly configured or malicious device tree providing 14 items could
cause this to overflow the 8-element array by 24 bytes. Does the driver
need to be updated to prevent this when num_channels is greater than 8?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612072237.1177304-1-jerrysteve1101@gmail.com?part=8
next prev parent reply other threads:[~2026-06-12 7:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 7:22 [PATCH v2 0/9] Input: cap11xx - Add support for CAP1114 Jun Yan
2026-06-12 7:22 ` [PATCH v2 1/9] Input: cap11xx - clean up duplicate log and add probe error logs Jun Yan
2026-06-12 7:32 ` sashiko-bot
2026-06-12 7:22 ` [PATCH v2 2/9] Input: cap11xx - remove unused register macros Jun Yan
2026-06-12 7:22 ` [PATCH v2 3/9] dt-bindings: input: microchip,cap11xx: Update datasheet URL and LED reg range Jun Yan
2026-06-12 7:22 ` [PATCH v2 4/9] dt-bindings: input: microchip,cap11xx: Add microchip,cap1126 LED reg constraints Jun Yan
2026-06-12 7:22 ` [PATCH v2 5/9] dt-bindings: input: microchip,cap11xx: Add reset-gpios property Jun Yan
2026-06-12 7:32 ` sashiko-bot
2026-06-12 7:22 ` [PATCH v2 6/9] Input: cap11xx - add reset gpio support Jun Yan
2026-06-12 7:31 ` sashiko-bot
2026-06-12 7:22 ` [PATCH v2 7/9] Input: cap11xx - refactor code for better CAP1114 support Jun Yan
2026-06-12 7:35 ` sashiko-bot
2026-06-12 7:22 ` [PATCH v2 8/9] dt-bindings: input: microchip,cap11xx: Add " Jun Yan
2026-06-12 7:35 ` sashiko-bot [this message]
2026-06-12 7:22 ` [PATCH v2 9/9] Input: cap11xx - add support for CAP1114 Jun Yan
2026-06-12 7:42 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612073537.0C9ED1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=jerrysteve1101@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox