Re: [PATCH] Input: goodix - clamp the device-reported contact count
From: Bryam Vargas
Date: Mon Jun 15 2026 - 14:42:34 EST
On Sun, Jun 14, 2026 at 02:02:27PM -0700, Dmitry Torokhov wrote:
> Should we drop the report if it has bogus data in it?
We already do, for the per-interrupt count. goodix_ts_read_input_report()
drops a report whose reported touch count is out of range:

	touch_num = data[0] & 0x0f;
	if (touch_num > ts->max_touch_num)
		return -EPROTO;

The only gap this patch closes is that ts->max_touch_num itself could be
larger than what point_data[] holds: it was taken straight from the 4-bit
config nibble (0..15), while the buffer is sized for GOODIX_MAX_CONTACTS
(10) -- 2 + 9*10 = 92 bytes. A config advertising 11..15 made that -EPROTO
check accept an out-of-range touch_num and overflow the stack buffer.
Clamping max_touch_num to GOODIX_MAX_CONTACTS at config-read time makes
that existing per-report drop a safe bound: a report claiming more than 10
contacts is now dropped with -EPROTO, and 10 is exactly point_data[]'s
capacity, so no legitimate report is lost (the driver maximum is 10, and
the other max_touch_num assignments already use GOODIX_MAX_CONTACTS).
If you'd rather flag a bogus config than silently clamp it, I'm happy to
add a dev_warn_ratelimited() in a v2 -- just say the word.
Thanks,
Bryam
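
Added example, not part of the original message and not the goodix driver's code: a userspace model of the bound described above, enumerating every 4-bit config value against every 4-bit reported count to show which accepted reports exceed the 92-byte buffer with and without the clamp. The `model_*` functions, `CONTACT_SIZE`, `HEADER_SIZE` and `POINT_DATA_SIZE` are hypothetical names; the sizes are taken from the "2 + 9*10 = 92" figure in the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define GOODIX_MAX_CONTACTS 10	/* driver maximum, per the message */
#define CONTACT_SIZE 9		/* assumed from "2 + 9*10 = 92" */
#define HEADER_SIZE 2		/* assumed from "2 + 9*10 = 92" */
#define POINT_DATA_SIZE (HEADER_SIZE + CONTACT_SIZE * GOODIX_MAX_CONTACTS)

/* Model of the config-read step: the low nibble of a config byte is the
 * advertised contact count; clamp != 0 applies the bound from the patch. */
static unsigned int model_read_max_touch(uint8_t cfg_byte, int clamp)
{
	unsigned int n = cfg_byte & 0x0f;
	if (clamp && n > GOODIX_MAX_CONTACTS)
		n = GOODIX_MAX_CONTACTS;
	return n;
}

/* Model of the per-report check: bytes the report would occupy, or -EPROTO. */
static long model_report_len(uint8_t status, unsigned int max_touch_num)
{
	unsigned int touch_num = status & 0x0f;
	if (touch_num > max_touch_num)
		return -EPROTO;
	return HEADER_SIZE + (long)CONTACT_SIZE * touch_num;
}

/* Count (config, report) pairs where an accepted report overruns the buffer. */
static int model_count_overflows(int clamp)
{
	int bad = 0;
	for (unsigned int cfg = 0; cfg <= 0x0f; cfg++) {
		unsigned int max = model_read_max_touch((uint8_t)cfg, clamp);
		for (unsigned int st = 0; st <= 0x0f; st++)
			if (model_report_len((uint8_t)st, max) > (long)POINT_DATA_SIZE)
				bad++;
	}
	return bad;
}

int main(void)
{
	printf("unclamped: %d overflowing pairs\n", model_count_overflows(0));
	printf("clamped:   %d overflowing pairs\n", model_count_overflows(1));
	return 0;
}
```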