kernel/linux.git/drivers/input/touchscreen/usbtouchscreen.c, branch v6.18.35

Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size

2026-06-09T10:28:23+00:00

commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream. nexio_read_data() pulls data_len and x_len from a packed __be16 header in the device's interrupt packet and then walks packet->data[0..x_len) and packet->data[x_len..data_len) comparing each byte against a threshold. Both fields are 16-bit on the wire (max 65535). The existing adjustments shave at most 0x100 / 0x80 off, so the loop bound can still reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size (1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the packed header — so packet->data[] has 1017 valid bytes. read_data() callbacks are not given urb->actual_length, and nothing else bounds the walk. A device that lies about its length can get a ~64 KiB out-of-bounds read past the coherent DMA allocation. The first index whose byte exceeds NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the reported touch coordinates, so adjacent kernel memory contents leak to userspace as ABS_X / ABS_Y events. Far enough out, the read can also hit an unmapped page and fault. Fix this all by clamping data_len to the buffer's data[] capacity and x_len to data_len. Cc: Dmitry Torokhov Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support") Cc: stable Assisted-by: gkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman

Input: usbtouchscreen - switch to using __free() cleanup facility

2024-07-16T01:07:39+00:00

Use __free(kfree) cleanup facility when allocating temporary buffers for USB transfers. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-8-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - use guard notation when acquiring mutexes

2024-07-16T01:07:39+00:00

This makes the code more compact and error handling more robust. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-7-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - split device info table into individual pieces

2024-07-16T01:07:38+00:00

Instead of using a single table containing information about various touchscreens and enums to match the driver ID table data with chip information define individual per-protocol instances of usbtouch_device_info structure and reference them directly from the usbtouch_devices ID table. This is simpler, safer, and uses less memory in case some protocols are disabled. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-6-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - constify usbtouch_dev_info table

2024-07-16T01:07:38+00:00

The data in this table is shared between all instances of the touchscreens so it should not be modified. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-5-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - move process_pkt() into main device structure

2024-07-16T01:07:38+00:00

In preparation of splitting big usbtouch_dev_info table into separate per-protocol structures and constifying them move process_pkt() from the device info into main drvice structure and set it up in probe(). We can derive if we should use single- or multi-packet handling based on presence of get_pkt_len() method. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-4-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - move the driver ID table

2024-07-16T01:07:38+00:00

Move the driver's ID table closer to where it is used in preparation to it using pointers to device info/parameters instead of device type enum. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-3-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - remove custom USB_DEVICE_HID_CLASS macro

2024-07-16T01:07:38+00:00

There already exists perfectly suitable USB_DEVICE_INTERFACE_CLASS macro, use it. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-2-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: usbtouchscreen - use driver core to instantiate device attributes

2024-07-16T01:07:38+00:00

Instead of manually creating driver-specific device attributes set struct usb_driver->dev_groups pointer to have the driver core do it. Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20240712051851.3463657-1-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov

Input: touchscreen - use sizeof(*pointer) instead of sizeof(type)

2024-06-09T21:38:38+00:00

It is preferred to use sizeof(*pointer) instead of sizeof(type) due to the type of the variable can change and one needs not change the former (unlike the latter). The refactoring is mostly trivial except for "usbtouchscreen.c" file. Here, in the "mtouch_alloc" and "nexio_alloc" functions, it is necessary to use a variable with a predefined type instead of the "usbtouch->priv" variable (void * type). This way, the "sizeof" operator can now know the correct size. Moreover, we need to set the "usbtouch->priv" pointer after the memory allocation since now the "kmalloc" return value is not assigned directly. This patch has no effect on runtime behavior. Signed-off-by: Erick Archer Link: https://lore.kernel.org/r/AS8PR02MB723708364CC0DF2EAAFEE5968BC42@AS8PR02MB7237.eurprd02.prod.outlook.com Signed-off-by: Dmitry Torokhov