[PATCH] Input: penmount: bound packet buffer indices in IRQ path

Next message: Jonathan Cameron: "Re: [PATCH V8 3/8] dax: add fsdev.c driver for fs-dax on character dax"
Previous message: Ilpo J&#xE4;rvinen: "Re: [PATCH v14] platform/x86: bitland-mifs-wmi: Add new Bitland MIFS WMI driver"
Next in thread: Andy Shevchenko: "Re: [PATCH] Input: penmount: bound packet buffer indices in IRQ path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 08:17:32 EST

The IRQ handler stores each incoming byte into pm->data[] before the
packet parser gets a chance to reset pm->idx. If the incoming serial
stream never matches one of the expected packet headers, pm->idx can
advance past the fixed receive buffer and the next IRQ will write beyond
PM_MAX_LENGTH.

Reset stale indices before writing the next byte so malformed packet
streams cannot walk past the end of the local packet buffer.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/input/touchscreen/penmount.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/input/touchscreen/penmount.c b/drivers/input/touchscreen/penmount.c
index 4b57b6664e37..ba09096c6573 100644
--- a/drivers/input/touchscreen/penmount.c
+++ b/drivers/input/touchscreen/penmount.c
@@ -163,6 +163,9 @@ static irqreturn_t pm_interrupt(struct serio *serio,
{
struct pm *pm = serio_get_drvdata(serio);

+ if (pm->idx >= pm->packetsize || pm->idx >= PM_MAX_LENGTH)
+ pm->idx = 0;
+
pm->data[pm->idx] = data;

pm->parse_packet(pm);
--
2.50.1 (Apple Git-155)