Linux Input/HID development
 help / color / mirror / Atom feed
* [PATCH] Input: elants_i2c - prevent divide-by-zero on invalid EKTH data
@ 2026-07-04 12:17 Laxman Acharya Padhya
  2026-07-04 12:28 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Laxman Acharya Padhya @ 2026-07-04 12:17 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input, linux-kernel

elants_i2c_query_ts_info_ekth() checks the reported row, column and
oversampling values before calculating the touchscreen resolution, but
does not check the physical dimensions. If either physical dimension
is zero, DIV_ROUND_CLOSEST() divides by zero during probe.

Treat zero physical dimensions as invalid data and skip the resolution
calculation, as is already done for the other invalid information.

Fixes: 66aee90088da ("Input: add support for Elan eKTH I2C touchscreens")
Assisted-by: Codex:gpt-5
Signed-off-by: Laxman Acharya Padhya <acharyalaxman8848@gmail.com>
---
 drivers/input/touchscreen/elants_i2c.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
index 17175ad..68c5ee3 100644
--- a/drivers/input/touchscreen/elants_i2c.c
+++ b/drivers/input/touchscreen/elants_i2c.c
@@ -566,10 +566,11 @@ static int elants_i2c_query_ts_info_ekth(struct elants_data *ts)
 
 	dev_dbg(&client->dev, "phy_x=%d, phy_y=%d\n", phy_x, phy_y);
 
-	if (rows == 0 || cols == 0 || osr == 0) {
+	if (rows == 0 || cols == 0 || osr == 0 ||
+	    phy_x == 0 || phy_y == 0) {
 		dev_warn(&client->dev,
-			 "invalid trace number data: %d, %d, %d\n",
-			 rows, cols, osr);
+			 "invalid data: rows=%u cols=%u osr=%u phy_x=%u phy_y=%u\n",
+			 rows, cols, osr, phy_x, phy_y);
 	} else {
 		/* translate trace number to TS resolution */
 		ts->x_max = ELAN_TS_RESOLUTION(rows, osr);
-- 
2.51.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] Input: elants_i2c - prevent divide-by-zero on invalid EKTH data
  2026-07-04 12:17 [PATCH] Input: elants_i2c - prevent divide-by-zero on invalid EKTH data Laxman Acharya Padhya
@ 2026-07-04 12:28 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-07-04 12:28 UTC (permalink / raw)
  To: Laxman Acharya Padhya; +Cc: linux-input, dmitry.torokhov

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] A 0-byte firmware file causes out-of-bounds reads when verifying the remark ID and when sending firmware pages to the device.
- [High] Stack-allocated arrays are passed to i2c_transfer(), which is unsafe if the underlying I2C controller uses DMA.
--

commit 4ca9e1ffa7cb9eddbc7a0070d2fc1df01f66c3cd
Author: Laxman Acharya Padhya <acharyalaxman8848@gmail.com>

Input: elants_i2c - prevent divide-by-zero on invalid EKTH data

This commit adds checks for physical dimensions in the eKTH query function.
It treats zero values as invalid data and skips resolution calculations
to prevent a divide-by-zero error during probe.

Fixes: 66aee90088da ("Input: add support for Elan eKTH I2C touchscreens")
Assisted-by: Codex:gpt-5

> diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
> index 17175adcaebbd..68c5ee3aa1904 100644
> --- a/drivers/input/touchscreen/elants_i2c.c
> +++ b/drivers/input/touchscreen/elants_i2c.c
> @@ -566,10 +566,11 @@ static int elants_i2c_query_ts_info_ekth(struct elants_data *ts)
>  
>  	dev_dbg(&client->dev, "phy_x=%d, phy_y=%d\n", phy_x, phy_y);
>  
> -	if (rows == 0 || cols == 0 || osr == 0) {
> +	if (rows == 0 || cols == 0 || osr == 0 ||
> +	    phy_x == 0 || phy_y == 0) {
>  		dev_warn(&client->dev,
> -			 "invalid trace number data: %d, %d, %d\n",
> -			 rows, cols, osr);
> +			 "invalid data: rows=%u cols=%u osr=%u phy_x=%u phy_y=%u\n",
> +			 rows, cols, osr, phy_x, phy_y);
>  	} else {
>  		/* translate trace number to TS resolution */
>  		ts->x_max = ELAN_TS_RESOLUTION(rows, osr);

[Severity: High]
This isn't a bug introduced by this patch, but while looking at
elants_i2c_query_ts_info_ekth(), could there be an issue with how the command
buffers are passed to the I2C subsystem?

drivers/input/touchscreen/elants_i2c.c:elants_i2c_query_ts_info_ekth() {
...
	u8 resp[17];
	const u8 get_resolution_cmd[] = {
		CMD_HEADER_6B_READ, 0x00, 0x00, 0x00, 0x00, 0x00
...
	error = elants_i2c_execute_command(client,
					   get_resolution_cmd,
					   sizeof(get_resolution_cmd),
					   resp, sizeof(resp), 1,
					   "get resolution");
}

When elants_i2c_execute_command() assigns these buffers directly to the I2C
message:

drivers/input/touchscreen/elants_i2c.c:elants_i2c_execute_command() {
...
		msgs[0].buf = (u8 *)cmd;
...
		msgs[1].buf = resp;

		ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs));
}

If the I2C controller uses DMA, doesn't passing stack-allocated buffers like
get_resolution_cmd and resp cause a DMA mapping failure since stack memory
is virtually mapped?

[Severity: High]
This is a pre-existing issue, but does the firmware update routine properly
validate an empty firmware file?

If a 0-byte firmware file is loaded, the modulo check in
elants_i2c_fw_update() evaluates to 0:

drivers/input/touchscreen/elants_i2c.c:elants_i2c_fw_update() {
...
	if (fw->size % ELAN_FW_PAGESIZE) {
		dev_err(&client->dev, "Invalid firmware format: %zu\n",
			fw->size);
...
}

This would allow the empty firmware to proceed. Later, when validating the
remark ID, wouldn't the size calculation underflow and read out of bounds?

drivers/input/touchscreen/elants_i2c.c:elants_i2c_validate_remark_id() {
...
	fw_remark_id = get_unaligned_le16(&fw->data[fw->size - 4]);
...
}

Even if validation is skipped, could the actual update routine read out of
bounds when it unconditionally sends the first page?

drivers/input/touchscreen/elants_i2c.c:elants_i2c_do_update_firmware() {
...
	error = elants_i2c_send(client, fw->data, ELAN_FW_PAGESIZE);
...
}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260704121738.48071-1-acharyalaxman8848@gmail.com?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-04 12:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-04 12:17 [PATCH] Input: elants_i2c - prevent divide-by-zero on invalid EKTH data Laxman Acharya Padhya
2026-07-04 12:28 ` sashiko-bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox