Thread (3 messages) 3 messages, 2 authors, 3d ago

Re: [PATCH 1/2] HID: multitouch: fix out-of-bounds bit access on mt_io_flags

From: Benjamin Tissoires <bentiss@kernel.org>
Date: 2026-07-01 19:12:15
Also in: lkml, stable

On Thu, 02 Jul 2026 00:13:19 +0700, Trung Nguyen wrote:
mt_io_flags is a single unsigned long, but mt_process_slot(),
mt_release_pending_palms() and mt_release_contacts() use it as a
per-slot bitmap indexed by the slot number. That slot number is only
bounded by td->maxcontacts, which is taken from the device's
ContactCountMaximum feature report and can be up to 255, not by
BITS_PER_LONG.

[...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/upstream-fixes), thanks!

[1/2] HID: multitouch: fix out-of-bounds bit access on mt_io_flags
      https://git.kernel.org/hid/hid/c/8813b0612275
[2/2] selftests/hid: multitouch: test a large ContactCountMaximum
      https://git.kernel.org/hid/hid/c/b6eb022890c7

Cheers,
-- 
Benjamin Tissoires [off-list ref]
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help