From: 齐柯宇
Date: Thu, 15 Jan 2026 03:43:37 +0800
Subject: [PATCH] Input: atmel_mxt_ts - fix NULL pointer dereference in mxt_object_show
To: nick@shmanahar.org, dmitry.torokhov@gmail.com
Cc: rydberg@euromail.se, jy0922.shim@samsung.com, bleung@chromium.org, ezequiel@vanguardiasur.com.ar, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, 齐柯宇

This fix was discovered through static code analysis.

In mxt_object_show(), the code directly dereferences data->info and
data->object_table without checking if they are NULL. This can lead to
a NULL pointer dereference kernel crash when the sysfs file is accessed
during firmware update or device removal.

[Call Chain Analysis]

The vulnerable sysfs handler is exposed through the following registration:

Driver registration:
  mxt_driver.driver.dev_groups = mxt_groups
  -> mxt_attrs[] contains:
     - dev_attr_object.attr -> mxt_object_show() [VULNERABLE]
     - dev_attr_update_fw.attr -> mxt_update_fw_store() [TRIGGERS FREE]

Initialization path:
  mxt_probe()
  -> mxt_initialize()
     -> mxt_read_info_block()
        -> data->info = (struct mxt_info *)id_buf [line 1918]
        -> data->object_table = (struct mxt_object *)... [line 1934]

Resource release path (called during firmware update or device removal):
  mxt_update_fw_store() OR mxt_remove()
  -> mxt_free_object_table()
     -> data->object_table = NULL [line 1713]
     -> data->info = NULL [line 1714]

[Data Flow Analysis]

The critical data flow is:

data->info:
  - Allocated and set in mxt_read_info_block() from id_buf
  - Released and set to NULL in mxt_free_object_table()
  - Accessed in mxt_object_show() at line 2868: data->info->object_num

data->object_table:
  - Set in mxt_read_info_block() as pointer into id_buf
  - Set to NULL in mxt_free_object_table()
  - Accessed in mxt_object_show() at line 2869: data->object_table + i

[Race Condition Scenario]

The vulnerability can be triggered by the following race condition:

Thread A (reading sysfs)               Thread B (firmware update)
--------------------------             --------------------------
T1: open /sys/.../object
T2: mxt_object_show()
T3: data = dev_get_drvdata(dev)
T4: obuf = kmalloc(...)
                                       T5: echo fw > /sys/.../update_fw
                                       T6: mxt_update_fw_store()
                                       T7: mxt_free_object_table()
                                       T8: data->info = NULL
T9: for (i < data->info->object_num)
    -> NULL pointer dereference!

[User-Triggerable Paths]

Users can trigger this vulnerability through:

1. Firmware update race condition (requires root):
   Terminal A: # cat /sys/bus/i2c/devices//object
   Terminal B: # echo firmware.bin > /sys/bus/i2c/devices//update_fw

2. Device unbind race condition (requires root):
   Terminal A: # cat /sys/bus/i2c/devices//object
   Terminal B: # echo "" > /sys/bus/i2c/drivers/atmel_mxt_ts/unbind

3. Physical device removal:
   Reading sysfs while physically removing the touchscreen device

How to fix:
Add NULL checks for data->info and data->object_table at the beginning
of mxt_object_show() to prevent NULL pointer dereference when these
resources are freed during concurrent firmware update or device removal.

Fixes: 4cf51c383d7a ("Input: Add ATMEL QT602240 touchscreen driver")
Fixes: 068bdb67ef74 ("Input: atmel_mxt_ts - fix the firmware update")
Signed-off-by: Kery Qi
---
 drivers/input/touchscreen/atmel_mxt_ts.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index dd0544cc1bc1..401fcae2264d 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -2859,6 +2859,10 @@ static ssize_t mxt_object_show(struct device *dev,
 	int error;
 	u8 *obuf;
 
+	/* Check for NULL to prevent race condition during firmware update */
+	if (!data->info || !data->object_table)
+		return -ENODEV;
+
 	/* Pre-allocate buffer large enough to hold max sized object. */
 	obuf = kmalloc(256, GFP_KERNEL);
 	if (!obuf)
-- 
2.34.1
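Review bot: the NULL check added before the kmalloc() does not close the race the commit message describes, because nothing serializes mxt_object_show() against mxt_free_object_table(): thread B can still clear data->info and data->object_table between `if (!data->info || !data->object_table)` and the loop that reads data->info->object_num (T8 versus T9 in the scenario), so the check only narrows the window. It also does not address the worse case: data->object_table points into id_buf, which mxt_free_object_table() releases, so a reader that passes the check can walk freed memory (a use-after-free) rather than fail with -ENODEV. The check and the table walk need to be atomic with respect to the free path, for example by holding a mutex across the whole of mxt_object_show() that mxt_update_fw_store() and mxt_remove() also hold around mxt_free_object_table(), and the comment `/* Check for NULL to prevent race condition during firmware update */` should then be reworded so it does not claim the race is prevented by the check alone. For the unbind and physical-removal scenarios it is worth confirming whether the driver core already removes the driver's dev_groups (and waits for in-flight show() calls) before calling remove(); if so, only the firmware-update path needs the serialization and the commit message should say so.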
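The check-then-use race walked through in the [Race Condition Scenario] and the "How to fix" paragraph, modelled in user space as an added example. This is not code from the atmel_mxt_ts driver or from the patch: the struct layout, the pthread mutex standing in for a kernel mutex, and the `thread_b` hook that simulates the firmware-update thread being scheduled between the NULL check and the table walk are all assumptions made for the demonstration. It shows that the NULL check alone catches only the "already freed before the call" case, while holding a lock across check and use is what actually keeps thread B out.

```c
/* Added example, not driver or patch code: a user-space model of the
 * race between mxt_object_show() and mxt_free_object_table().  Struct
 * layout, the pthread mutex (stand-in for a kernel mutex) and the
 * thread_b hook are assumptions made for this demonstration. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mxt_info { uint8_t object_num; };
struct mxt_object { uint8_t type; uint16_t start_address; uint8_t size_minus_one; };

struct mxt_data {
	uint8_t *id_buf;                 /* backs both pointers, as in the driver */
	struct mxt_info *info;
	struct mxt_object *object_table;
	pthread_mutex_t lock;            /* assumed: taken by both show and free paths */
};

/* Stand-in for mxt_read_info_block(): info block and object table share one buffer. */
static int read_info_block(struct mxt_data *data, unsigned objects)
{
	size_t len = sizeof(struct mxt_info) + objects * sizeof(struct mxt_object);
	data->id_buf = calloc(1, len);
	if (!data->id_buf)
		return -ENOMEM;
	data->info = (struct mxt_info *)data->id_buf;
	data->info->object_num = (uint8_t)objects;
	data->object_table = (struct mxt_object *)(data->id_buf + sizeof(struct mxt_info));
	for (unsigned i = 0; i < objects; i++)
		data->object_table[i].type = (uint8_t)(6 + i);   /* constructed types T6, T7, ... */
	return 0;
}

/* Mirrors mxt_free_object_table(): release the buffer and clear both pointers. */
static void free_object_table(struct mxt_data *data)
{
	free(data->id_buf);
	data->id_buf = NULL;
	data->object_table = NULL;
	data->info = NULL;
}

/* Thread B (the update_fw writer) arriving at the worst moment.
 * Returns 1 if it freed the table, 0 if the lock kept it out. */
static int thread_b_unlocked(struct mxt_data *data)
{
	free_object_table(data);
	return 1;
}

static int thread_b_locked(struct mxt_data *data)
{
	if (pthread_mutex_trylock(&data->lock) != 0)   /* show path holds it: EBUSY */
		return 0;
	free_object_table(data);
	pthread_mutex_unlock(&data->lock);
	return 1;
}

/* The patched handler's control flow.  Returns objects walked, -ENODEV when
 * the up-front check rejects the read, or -EFAULT at the point where the
 * real handler would dereference NULL or walk the freed id_buf. */
static int object_show(struct mxt_data *data, int use_lock, int (*thread_b)(struct mxt_data *))
{
	int count = 0;
	if (use_lock)
		pthread_mutex_lock(&data->lock);
	if (!data->info || !data->object_table) {      /* the patch's check */
		if (use_lock) pthread_mutex_unlock(&data->lock);
		return -ENODEV;
	}
	thread_b(data);                                /* steps T5..T8 of the scenario */
	if (!data->info || !data->object_table) {      /* kernel would crash here (T9) */
		if (use_lock) pthread_mutex_unlock(&data->lock);
		return -EFAULT;
	}
	for (int i = 0; i < data->info->object_num; i++) {
		struct mxt_object *object = data->object_table + i;
		(void)object->type;                    /* real loop reads the object over i2c */
		count++;
	}
	if (use_lock)
		pthread_mutex_unlock(&data->lock);
	return count;
}

/* One scenario on a fresh 3-object device; free_first models the
 * "already freed before the read" case that the check alone does handle. */
static int run_scenario(int use_lock, int free_first)
{
	struct mxt_data data;
	memset(&data, 0, sizeof(data));
	pthread_mutex_init(&data.lock, NULL);
	if (read_info_block(&data, 3))
		return -ENOMEM;
	if (free_first)
		free_object_table(&data);
	int rc = object_show(&data, use_lock, use_lock ? thread_b_locked : thread_b_unlocked);
	free_object_table(&data);                      /* free(NULL) is a no-op */
	pthread_mutex_destroy(&data.lock);
	return rc;
}

int main(void)
{
	printf("unlocked, freed first: %d (expect -ENODEV)\n", run_scenario(0, 1));
	printf("unlocked, racing     : %d (expect -EFAULT)\n", run_scenario(0, 0));
	printf("locked,   racing     : %d (expect 3)\n", run_scenario(1, 0));
	return 0;
}
```

The `-EFAULT` result in the unlocked racing run is the kernel crash from the scenario table: the check passed, thread B freed and cleared the pointers, and the loop is about to read through NULL. With the assumed mutex held across the whole handler, `pthread_mutex_trylock()` in `thread_b_locked` fails (as `mutex_trylock()` would in the kernel) and the walk completes over intact data, which is the property the review comment asks the patch to provide.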