From: Bryam Vargas <hexlabsecurity@proton.me>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
Guenter Roeck <linux@roeck-us.net>,
Benjamin Tissoires <bentiss@kernel.org>
Subject: Re: [PATCH] Input: synaptics-rmi4 - bound the F54 report size to the allocated buffer
Date: Sat, 27 Jun 2026 21:38:49 +0000 [thread overview]
Message-ID: <20260627213845.34644-1-hexlabsecurity@proton.me> (raw)
In-Reply-To: <aj4LoEHHCMqUnyy2@google.com>
Hi Dmitry,
Thanks for picking this up and keeping the authorship on 03.
> there are more changes needed in F54. I incorporated it in the series I
> just posted, would appreviate if you could review it.
Went through all ten. It holds together. A few things worth flagging:
Backport ordering is the one to act on. 03 leans on 02's control flow: its
report_size > max_report_size guard lands in the worker tail that 02 folds
into the single out: write. And 03's Fixes: c762cc68b6a1 (Nov 2016) postdates
02's Fixes: 3a762dbd5347 (Jul 2016), so any stable tree old enough to want 03
still carries the abort:/error: form 02 reworks; cherry-picking 03 alone
conflicts on that hunk, and 06 touches the same tail. Keeping 02 -> 03 -> 06
together for stable (or a dependency note on 03) keeps AUTOSEL from taking 03
on its own.
01 is correct but instance-complete: a device honestly reporting a large F55
num_tx still oversizes report_size until 03 lands. Maybe a line in its commit
log pointing at 03.
One aside, not for this series: F54_FIFO_OFFSET is 16-bit but report_size
reaches 2 * 255 * 255 = 130050, so past 65535 the start offset wraps and the
device reads from the wrong place. It stays in bounds (report_data + i tracks
the same product), so it's correctness, not safety; maybe a later guard.
Otherwise it's straightforward. For the series:
Reviewed-by: Bryam Vargas <hexlabsecurity@proton.me>
03 is the one I sent, so drop it there. On the memory-safety patches I ran an
in-kernel A/B under KASAN: the unpatched arm overruns the plane (07), delivers
the stale frame (06), or overruns report_data (03's class); the patched arm is
clean. So for 05, 06 and 07:
Tested-by: Bryam Vargas <hexlabsecurity@proton.me>
Thanks,
Bryam
prev parent reply other threads:[~2026-06-27 21:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 4:01 [PATCH] Input: synaptics-rmi4 - bound the F54 report size to the allocated buffer Bryam Vargas via B4 Relay
2026-06-14 4:14 ` sashiko-bot
2026-06-26 5:19 ` Dmitry Torokhov
2026-06-27 21:38 ` Bryam Vargas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260627213845.34644-1-hexlabsecurity@proton.me \
--to=hexlabsecurity@proton.me \
--cc=bentiss@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox