From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Nick Dyer <nick@shmanahar.org>, linux-input@vger.kernel.org
Cc: Ricardo Ribalda <ribalda@chromium.org>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] Input: atmel_mxt_ts - check mem_size before calculating config memory size
Date: Mon, 4 May 2026 15:59:14 -0700
Message-ID: <afkko_we5fAgmKxg@google.com>
In-Reply-To: <20260504185448.4055973-2-dmitry.torokhov@gmail.com>

On Mon, May 04, 2026 at 11:54:46AM -0700, Dmitry Torokhov wrote:
> In mxt_update_cfg(), the driver calculates the memory size needed to store
> the configuration as data->mem_size - cfg.start_ofs. If data->mem_size is
> less than or equal to cfg.start_ofs, this calculation will underflow or
> result in a zero-size buffer, neither of which is valid for a configuration
> update.
>
> Add a check to return -EINVAL if data->mem_size is too small. While at it,
> change the types of start_ofs and mem_size in struct mxt_cfg to u16 to
> match the device address space.
>
> Assisted-by: Gemini:gemini-3.1-pro
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> ---
> drivers/input/touchscreen/atmel_mxt_ts.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
> index 28b2bd889c70..d660cc5b5fe3 100644
> --- a/drivers/input/touchscreen/atmel_mxt_ts.c
> +++ b/drivers/input/touchscreen/atmel_mxt_ts.c
> @@ -275,8 +275,8 @@ struct mxt_cfg {
> off_t raw_pos;
>
> u8 *mem;
> - size_t mem_size;
> - int start_ofs;
> + u16 mem_size;
> + u16 start_ofs;
>
> struct mxt_info info;
> };
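Review bot: The narrowing of mem_size and start_ofs to u16 in struct mxt_cfg is not documented at the fields, so nothing at the declaration tells a later reader that any value stored there is silently truncated to 16 bits. A short comment on the two members saying they hold offsets and lengths in the 16-bit device address space would record the reasoning from the commit message where it is needed. The diffstat shows only these two lines and the new check changing, so it is also worth confirming that no untouched user of cfg.mem_size still prints it with a size_t format or relies on start_ofs being signed.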
> @@ -1657,6 +1657,13 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
> cfg.start_ofs = MXT_OBJECT_START +
> data->info->object_num * sizeof(struct mxt_object) +
> MXT_INFO_CHECKSUM_SIZE;
> +
> + if (data->mem_size < cfg.start_ofs) {
This is supposed to be "<=", like the commit message says.
> + dev_err(dev, "Memory size too small: %u < %u\n",
> + data->mem_size, cfg.start_ofs);
> + return -EINVAL;
> + }
> +
> cfg.mem_size = data->mem_size - cfg.start_ofs;
>
> u8 *mem_buf __free(kfree) = cfg.mem = kzalloc(cfg.mem_size, GFP_KERNEL);
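Review bot: The comparison in "if (data->mem_size < cfg.start_ofs)" lets the equal case through, so cfg.mem_size becomes 0 and kzalloc(cfg.mem_size, GFP_KERNEL) is called with a zero size, which the commit message lists as invalid. Use "<=" and change the format string from "%u < %u" to match. Separately, the check runs after the sum has already been stored in the now-u16 cfg.start_ofs, so a sum above 65535 would wrap before being compared; computing the offset in a wider local and range-checking it before the assignment would close that gap.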
--
Dmitry