From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A2029348883 for ; Mon, 27 Apr 2026 16:20:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777306806; cv=none; b=fMYocazI3UrPXjDLt5Vn3uuUI3XI0Iw7utyknYy9EnarOQm03Qlnzq16Baa1ceckfuOXyy5EL9pKOpiYAsJczBqsIstnLyGt3djkDLUsO/FvsRALM4DxfBxx8LfzbGLELFrcSZXYWPSnDjkUz/LGg8G/2n3dyEtyX1ksedETwD0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777306806; c=relaxed/simple; bh=xidvJQjpM7yPCqe5PKIOorDtLSAo4K6bgw4e3ytK1qY=; h=From:Message-ID:Date:MIME-Version:Subject:To:Cc:References: In-Reply-To:Content-Type; b=QZc6iWFJBA1J4NqQAdmYeZQ7A/lv6aoDEZGEbaR1drt1hX4JeUxZbJHaGcr6PNWEay3zlRoSgY6dHGmnuS1s+nZ7P3GIlQO6+Fl4aT96jLLT+c+Bur3wX/v5ZfY1e2eqhGquOYRCd2+Q2pof21pi3wIcF1WlnPc5U6WiTA8D+0s= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=embeddedts.com; spf=pass smtp.mailfrom=embeddedts.com; dkim=pass (1024-bit key) header.d=embeddedts.com header.i=@embeddedts.com header.b=FQs3GDZ5; arc=none smtp.client-ip=209.85.216.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=embeddedts.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=embeddedts.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=embeddedts.com header.i=@embeddedts.com header.b="FQs3GDZ5" Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-3590042fa8eso8002022a91.1 for ; Mon, 27 Apr 2026 09:20:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=embeddedts.com; s=google; t=1777306804; x=1777911604; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:content-language:references :cc:to:subject:user-agent:mime-version:date:message-id:from:from:to :cc:subject:date:message-id:reply-to; bh=ot5/VkkpAMcYPEn/1toyTMHXbfWqkhlcoGx5NqyUByo=; b=FQs3GDZ59mCkixfqWKRa0YoBHHPrPBCM6BijDOo3TqYenzhklcdOEaCrj1CAwHLtWy xL1nVWrmkPAF0Ub5UK46RDkBSXx5aY3iVO9/ulYVIMnQu317isIFU9saspWlKqzF1t6Q Jb13N3yS0TOOyXEkJQQlL+o39Iy196Yk4f5+4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777306804; x=1777911604; h=content-transfer-encoding:in-reply-to:content-language:references :cc:to:subject:user-agent:mime-version:date:message-id:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ot5/VkkpAMcYPEn/1toyTMHXbfWqkhlcoGx5NqyUByo=; b=Aava9PiInaj048nKoyzTqZoxPKFEgo+dJxNjWJY0bannmyrzePoJIBrBCnA53fcYkG H1CJXYpLYwfhr5OwbFz2gaWhr02ZBM4d7Lyt/ZHJahqwAxW6ZhSTjrPBojlaxjp2E8Ht mR5/KNV0ibo3z2hFfpxObyRdEB9OAUls6pFfQyUOJ23mb5CPO0iLc5U/zf3zT/KUPFsM Pu7H1jboMWNpPRmxZiRwcUvBU7ZcHuAaOgP2eZ+9H0YBBRlSmkJ398uxU0gIrB652Buo YdkrziBD2piKabW25gAM7Qb1BGtGN6F6WeROy4kcNNORr5Sn4dZuYeW9BuyaDS6lXKSz grkg== X-Forwarded-Encrypted: i=1; AFNElJ9MeF7L/Tr9zvq5dKlryfZm2El4yfz88IbJbSogTSE9/8XfK1K5lwuIQI0b6l8PZz2pBz5M+pMGsirBjLs=@vger.kernel.org X-Gm-Message-State: AOJu0YwvCw7FyHBA0Rs0NMIRmN0zvTzo4Om9FDOyoX6tTXDuuv2k9EnR l/iQclopJXZhiowyNhe5ka5dLK9i+mNgaTesqUhsUimdku+bS5xWAXkJo3Mf51UdGVQ= X-Gm-Gg: AeBDiesn0UXOZGop9SD154FaVonOaUgpEASa1sFk9hF1FI9wfAy+yO+suIHjTJNjqOf ahiwuPU2Hzt0OQKN/XfVAUwohiVvwMiNTRxD+Y/OUf86H6TmAPcH6pO1ofA71Z7yNmIBr8AtAYb OrSQUyOTaqVBFHMqbDOteu0XvKD76Obtg8o2l+18c+krkq+192AAlMFn0wkhDXGxz5e/wp60Tdd U22KtqlB3g9EedLfxsHMn21Qv8H1pKQdPqIfkJD2iLxjzANLIzSYAb8bOc2nVPKi8xx8NP6Rmb9 0bM7FYBVLFwj4Q1eNirQUN0/s2NyuKnvUJzV83Id/49ktQYzva4XYDYI2Bwvb656JX/3dGY3qm+ dIwGKvY2kFQSvQcYcgLyGfTrE4RQxXZp4MzwgXho4QdrAh5pyYg+UWEbIiLXjhmowr52ranYDkT qVwyE4S03kTbpnMNLQI7sh33iUTE9svQCBGdTT/3PenhyOIm/iYoYPWSkbGI+JPAb7/R1pAdR/C 9TJZG0o2nSPTJjglqwwHUP/qPDnijKIvL0GGdOVvCesWs4GQuelHKNKVoXsZR8nAVYfgq0zaVEw UWFWeb8AREtfKa1NQHv3oBE078EDiqlrUFgO X-Received: by 2002:a17:90b:3b4a:b0:35d:a4c0:a0ac with SMTP id 98e67ed59e1d1-361403d61camr43690659a91.3.1777306803667; Mon, 27 Apr 2026 09:20:03 -0700 (PDT) Received: from [10.10.10.191] (97-120-253-104.ptld.qwest.net. [97.120.253.104]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-361410cc196sm33025839a91.17.2026.04.27.09.20.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 27 Apr 2026 09:20:02 -0700 (PDT) From: Kris Bahnsen X-Google-Original-From: Kris Bahnsen Message-ID: <12a76d8c-344e-49a3-b168-6cd353d720a0@embeddedTS.com> Date: Mon, 27 Apr 2026 09:20:01 -0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] Input: ads7846 - don't use scratch for tx_buf when clearing register To: Dmitry Torokhov Cc: Marek Vasut , stable@vger.kernel.org, Mark Featherston , linux-input@vger.kernel.org, linux-kernel@vger.kernel.org References: <20260424192534.3504976-1-kris@embeddedTS.com> Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 4/25/26 9:51 PM, Dmitry Torokhov wrote: > Hi Kris, > > On Fri, Apr 24, 2026 at 07:25:34PM +0000, Kris Bahnsen wrote: >> The workaround for XPT2046 clears the command register, giving the >> touchscreen controller a NOP. The change incorrectly re-uses the >> req->scratch variable which is used as rx_buf for xfer[5], so by >> the time xfer[6] occurs, the contents of req->scratch may not be >> 0. It was found that the touchscreen controller can end up in >> a completely unresponsive state due to it being given a command >> the driver does not expect. >> >> Instead, rely on the spi_transfer behavior of tx_buf being NULL to >> transmit all 0 bits, moving the 3 bytes to a single message. >> >> This change was tested on real TSC2046 and ADS7843 controllers, >> but not the XPT2046 the workaround was originally created for. >> Confirming that the original modification to clear the command >> register does not impact either real controller. >> >> Fixes: 781a07da9bb94 ("Input: ads7846 - add dummy command register clearing cycle") >> Cc: stable@vger.kernel.org >> Co-developed-by: Mark Featherston >> Signed-off-by: Mark Featherston >> Signed-off-by: Kris Bahnsen >> --- >> drivers/input/touchscreen/ads7846.c | 13 ++++--------- >> 1 file changed, 4 insertions(+), 9 deletions(-) >> >> diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c >> index 4b39f7212d35c..599793d27129e 100644 >> --- a/drivers/input/touchscreen/ads7846.c >> +++ b/drivers/input/touchscreen/ads7846.c >> @@ -327,7 +327,7 @@ struct ser_req { >> u8 ref_off; >> u16 scratch; >> struct spi_message msg; >> - struct spi_transfer xfer[8]; >> + struct spi_transfer xfer[7]; >> /* >> * DMA (thus cache coherency maintenance) requires the >> * transfer buffers to live in their own cache lines. >> @@ -403,16 +403,11 @@ static int ads7846_read12_ser(struct device *dev, unsigned command) >> spi_message_add_tail(&req->xfer[5], &req->msg); >> >> /* clear the command register */ >> - req->scratch = 0; >> - req->xfer[6].tx_buf = &req->scratch; >> - req->xfer[6].len = 1; >> + req->xfer[6].rx_buf = &req->scratch; >> + req->xfer[6].len = 3; > > Doesn't this overflow "scratch" which is only 2 bytes? I guess there is > a hole in ser_req between "scratch" and "msg" but I do not think we > should rely on this. > > Can we also set rx_buf to NULL to discard incoming data? Well spotted! I'm quite annoyed with myself that I fixed one pointer use bug to introduce a buffer overflow. Will send a v2 patch later today. > [credit to sashiko]. > > Thanks. > -- Kris Bahnsen Software Engineer embeddedTS