From: Dmitry Torokhov
To: Nick Dyer, linux-input@vger.kernel.org
Cc: Ricardo Ribalda, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] Input: atmel_mxt_ts - check mem_size before calculating config memory size
Date: Mon, 4 May 2026 11:54:46 -0700
Message-ID: <20260504185448.4055973-2-dmitry.torokhov@gmail.com>
In-Reply-To: <20260504185448.4055973-1-dmitry.torokhov@gmail.com>
References: <20260504185448.4055973-1-dmitry.torokhov@gmail.com>

In mxt_update_cfg(), the driver calculates the memory size needed to
store the configuration as data->mem_size - cfg.start_ofs. If
data->mem_size is less than or equal to cfg.start_ofs, this calculation
will underflow or result in a zero-size buffer, neither of which is
valid for a configuration update.

Add a check to return -EINVAL if data->mem_size is too small.

While at it, change the types of start_ofs and mem_size in struct
mxt_cfg to u16 to match the device address space.

Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov
---
 drivers/input/touchscreen/atmel_mxt_ts.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c index 28b2bd889c70..d660cc5b5fe3 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c +++ b/drivers/input/touchscreen/atmel_mxt_ts.c @@ -275,8 +275,8 @@ struct mxt_cfg { off_t raw_pos; u8 *mem; - size_t mem_size; - int start_ofs; + u16 mem_size; + u16 start_ofs; struct mxt_info info; }; @@ -1657,6 +1657,13 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) cfg.start_ofs = MXT_OBJECT_START + data->info->object_num * sizeof(struct mxt_object) + MXT_INFO_CHECKSUM_SIZE; + + if (data->mem_size < cfg.start_ofs) { + dev_err(dev, "Memory size too small: %u < %u\n", + data->mem_size, cfg.start_ofs); + return -EINVAL; + } + cfg.mem_size = data->mem_size - cfg.start_ofs; u8 *mem_buf __free(kfree) = cfg.mem = kzalloc(cfg.mem_size, GFP_KERNEL); -- 2.54.0.545.g6539524ca2-goog
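Review bot: In the struct mxt_cfg hunk, narrowing start_ofs to u16 turns the assignment in mxt_update_cfg() into a silent truncation. The right-hand side contains a sizeof() term, so the sum is computed as size_t and only then stored into 16 bits, and the new bounds check compares against the already-truncated value. Either state in the commit message or a comment why "MXT_OBJECT_START + data->info->object_num * sizeof(struct mxt_object) + MXT_INFO_CHECKSUM_SIZE" cannot exceed U16_MAX, or compute it into a wider local and reject out-of-range values before storing. The diffstat shows only these two hunks changed, so the existing users of cfg->mem_size and cfg->start_ofs elsewhere in the file (format specifiers, signed offset arithmetic) should be confirmed to still behave as intended after the move away from size_t and int.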
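Review bot: The new check in the mxt_update_cfg() hunk, "if (data->mem_size < cfg.start_ofs)", still lets the equal case through, although the commit message says a zero-size buffer is not valid for a configuration update. When the two values are equal, cfg.mem_size becomes 0 and kzalloc(0, GFP_KERNEL) returns ZERO_SIZE_PTR rather than NULL, so a NULL check on the allocation would not catch it. Suggest "if (data->mem_size <= cfg.start_ofs)" and adjusting the "%u < %u" wording in the dev_err() message to match.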