Input: mms114 - fix touch indexing for MMS134S and MMS136

The MMS134S and MMS136 touch controllers have an event size of 6 bytes
rather than 8 bytes. When __mms114_read_reg() reads the touch data
packet from the device into the touch buffer, the events are packed
tightly at 6-byte intervals. However, the driver iterates through the
events using standard C array indexing (touch[index]), where each
element is sizeof(struct mms114_touch) (8 bytes) apart. As a result, any
touch events beyond the first one are read from incorrect offsets and
parsed improperly.

Fix this by explicitly calculating the byte offset for each touch event
based on the device's specific event size.

Fixes: 53fefdd1d3a3 ("Input: mms114 - support MMS136")
Fixes: ab108678195f ("Input: mms114 - support MMS134S")
Reported-by: sashiko-bot@kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Reviewed-by: Bryam Vargas <hexlabsecurity@proton.me>
Link: https://patch.msgid.link/20260616050912.1531241-1-dmitry.torokhov@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/touchscreen/mms114.c b/drivers/input/touchscreen/mms114.c
index 4d748a13408d1deffca95230ba43fdf6d9779bf7..53ad35d61d476c12955edff69b52b12dc44bd898 100644 (file)
--- a/drivers/input/touchscreen/mms114.c
+++ b/drivers/input/touchscreen/mms114.c
@@ -217,7 +217,9 @@ static irqreturn_t mms114_interrupt(int irq, void *dev_id)
        struct mms114_data *data = dev_id;
        struct i2c_client *client = data->client;
        struct mms114_touch touch[MMS114_MAX_TOUCH];
+       struct mms114_touch *t;
        int packet_size;
+       int event_size;
        int touch_size;
        int index;
        int error;
@@ -234,9 +236,11 @@ static irqreturn_t mms114_interrupt(int irq, void *dev_id)
 
        /* MMS136 has slightly different event size */
        if (data->type == TYPE_MMS134S || data->type == TYPE_MMS136)
-               touch_size = packet_size / MMS136_EVENT_SIZE;
+               event_size = MMS136_EVENT_SIZE;
        else
-               touch_size = packet_size / MMS114_EVENT_SIZE;
+               event_size = MMS114_EVENT_SIZE;
+
+       touch_size = packet_size / event_size;
 
        error = __mms114_read_reg(data, MMS114_INFORMATION, packet_size,
                        (u8 *)touch);
@@ -244,18 +248,20 @@ static irqreturn_t mms114_interrupt(int irq, void *dev_id)
                goto out;
 
        for (index = 0; index < touch_size; index++) {
-               switch (touch[index].type) {
+               t = (struct mms114_touch *)((u8 *)touch + index * event_size);
+
+               switch (t->type) {
                case MMS114_TYPE_TOUCHSCREEN:
-                       mms114_process_mt(data, touch + index);
+                       mms114_process_mt(data, t);
                        break;
 
                case MMS114_TYPE_TOUCHKEY:
-                       mms114_process_touchkey(data, touch + index);
+                       mms114_process_touchkey(data, t);
                        break;
 
                default:
                        dev_err(&client->dev, "Wrong touch type (%d)\n",
-                               touch[index].type);
+                               t->type);
                        break;
                }
        }