Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc6 2026-05-07T17:09:54+00:00 2026-05-07T17:09:54+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2026-05-04T18:54:46+00:00 urn:sha1:a5fd88a5d63f812422e69682f3cb663d9d7f3e9c In mxt_update_cfg(), the driver calculates the memory size needed to store the configuration as data->mem_size - cfg.start_ofs. If data->mem_size is less than or equal to cfg.start_ofs, this calculation will underflow or result in a zero-size buffer, neither of which is valid for a configuration update. Add a check to return -EINVAL if data->mem_size is too small. While at it, change the types of start_ofs and mem_size in struct mxt_cfg to u16 to match the device address space. Assisted-by: Gemini:gemini-3.1-pro Link: https://patch.msgid.link/20260504185448.4055973-2-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-05-07T17:09:05+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2026-05-04T18:54:45+00:00 urn:sha1:baa0210fb6a9dc3882509a9411b6d284d88fe30e When a configuration file provides an object size that is larger than the driver's known mxt_obj_size(object), the driver intends to discard the extra bytes. The loop iterates using for (i = 0; i < size; i++). Inside the loop, the condition to skip processing extra bytes is: if (i > mxt_obj_size(object)) continue; Since i is a 0-based index, the valid indices for the object are 0 through mxt_obj_size(object) - 1. When i == mxt_obj_size(object), the condition evaluates to false, and the code processes the byte instead of discarding it. This causes the code to calculate byte_offset = reg + i - cfg->start_ofs and writes the byte there, overwriting exactly one byte of the adjacent instance or object. Update the boundary check to skip extra bytes correctly by using >=. Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader") Cc: stable@vger.kernel.org Assisted-by: Gemini:gemini-3.1-pro Reviewed-by: Ricardo Ribalda <ribalda@chromium.org> Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-04-27T04:00:25+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-20T16:00:27+00:00 urn:sha1:2905281cbda52ec9df540113b35b835feb5fafd3 nexio_read_data() pulls data_len and x_len from a packed __be16 header in the device's interrupt packet and then walks packet->data[0..x_len) and packet->data[x_len..data_len) comparing each byte against a threshold. Both fields are 16-bit on the wire (max 65535). The existing adjustments shave at most 0x100 / 0x80 off, so the loop bound can still reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size (1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the packed header — so packet->data[] has 1017 valid bytes. read_data() callbacks are not given urb->actual_length, and nothing else bounds the walk. A device that lies about its length can get a ~64 KiB out-of-bounds read past the coherent DMA allocation. The first index whose byte exceeds NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the reported touch coordinates, so adjacent kernel memory contents leak to userspace as ABS_X / ABS_Y events. Far enough out, the read can also hit an unmapped page and fault. Fix this all by clamping data_len to the buffer's data[] capacity and x_len to data_len. Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support") Cc: stable <stable@kernel.org> Assisted-by: gkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-04-20T00:54:06+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2026-04-11T04:13:43+00:00 urn:sha1:f5f9e07060519e2287e99019a6de1eb3ebb65c37 The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer. To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free. Fixes: 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/adnJicDh-bTUaWXP@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-04-08T14:55:25+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2024-08-08T17:27:30+00:00 urn:sha1:86a9e4f4efc0a8dc4490023c6e2bf57fd8080ea3 This touchscreen controller was used om Gateway AOL Connected Touchpad released in 2000 and, according to Wikipedia, removed from the market in October 2001 due to slow sales. It looks like it can still be bought on eBay for $1000 but I really doubt anyone will actually use it. Remove the driver. Link: https://patch.msgid.link/20240808172733.1194442-5-dmitry.torokhov@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-04-01T17:37:38+00:00 Johan Hovold johan@kernel.org 2026-04-01T08:22:12+00:00 urn:sha1:f13b7800929df0df0ba2407226ba1b627b482c92 Use the common USB helpers for looking up bulk and interrupt endpoints (and determining endpoint numbers) instead of open coding. Note that the NEXIO data interface has two bulk endpoints (see commit 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support") for the descriptors). The lookup in probe handles both bulk-in and interrupt-in endpoints and was added to handle NEXIO devices. Replace the open coded lookup with a lookup for the common interrupt endpoint and an explicit fallback accepting a bulk endpoint. This iterates over the (two) endpoints twice for NEXIO devices but makes it more clear what is going on. Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260401082212.2180434-1-johan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-03-25T16:08:17+00:00 Val Packett val@packett.cool 2026-03-21T07:30:07+00:00 urn:sha1:653f3100f551cf01974a18cce66e368f248ee48a Without a reported resolution, userspace was assuming 1 unit/mm which is wildly wrong: a regular smartphone is clearly not 2.4 meters tall. Most applications do not care much for this kind of raw mm value, but Phosh's on-screen keyboard would accidentally trigger swipe-to-close gestures due to misinterpreting small movements as huge ones. Do what the older goodix.c driver does and set the resolution to 10 units/mm to make sure the numbers calculated by userspace are reasonable. Signed-off-by: Val Packett <val@packett.cool> Link: https://patch.msgid.link/20260321073242.556253-1-val@packett.cool Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-03-25T14:54:00+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2024-08-18T02:08:21+00:00 urn:sha1:79df764dbecd5c4bf1b1431b865a361ce7bebb2d Guard notation simplifies code. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-03-25T14:54:00+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2024-08-16T22:18:44+00:00 urn:sha1:35ee82990df219f6f42962c0306c00231b85f238 Guard notation simplifies code. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2026-03-25T14:53:59+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2024-05-29T18:08:15+00:00 urn:sha1:da52f4b27a798304a7f4639ac5addc5574242cdf Start using __free() and guard() primitives to simplify the code and error handling. Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>