From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: "Barry K. Nathan" <barryn@pobox.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, patches@lists.linux.dev,
linux-kernel@vger.kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, linux@roeck-us.net, shuah@kernel.org,
patches@kernelci.org, lkft-triage@lists.linaro.org,
pavel@nabladev.com, jonathanh@nvidia.com, f.fainelli@gmail.com,
sudipm.mukherjee@gmail.com, rwarsow@gmx.de, conor@kernel.org,
hargar@microsoft.com, broonie@kernel.org, achill@achill.org,
sr@sladewatkins.com
Subject: Re: [PATCH 7.1 00/21] 7.1.2-rc1 review
Date: Fri, 26 Jun 2026 17:31:58 -0700 [thread overview]
Message-ID: <aj8WEfam__6fnNuM@google.com> (raw)
In-Reply-To: <626fc564-6f4b-430d-92f3-653981e3dcdd@pobox.com>
On Fri, Jun 26, 2026 at 03:23:12PM -0700, Barry K. Nathan wrote:
> On 6/26/26 2:17 PM, Dmitry Torokhov wrote:
> > On Fri, Jun 26, 2026 at 01:41:38PM -0700, Barry K. Nathan wrote:
> > > On 6/26/26 12:56 PM, Dmitry Torokhov wrote:
> > > > Hi Barry,
> > > >
> > > > On Fri, Jun 26, 2026 at 10:56:21AM -0700, Barry K. Nathan wrote:
> > > > > (cc Dmitry Torokhov because this is related to two of your commits)
> > > > >
> > > > > On 6/25/26 6:03 AM, Greg Kroah-Hartman wrote:
> > > > > > This is the start of the stable review cycle for the 7.1.2 release.
> > > > > > There are 21 patches in this series, all will be posted as a response
> > > > > > to this one. If anyone has any issues with these being applied, please
> > > > > > let me know.
> > > > > >
> > > > > > Responses should be made by Sat, 27 Jun 2026 12:54:50 +0000.
> > > > > > Anything received after that time might be too late.
> > > > > >
> > > > > > The whole patch series can be found in one patch at:
> > > > > > https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.2-rc1.gz
> > > > > > or in the git tree and branch at:
> > > > > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> > > > > > and the diffstat can be found below.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > >
> > > > > Unfortunately, 7.1.2-rc1 breaks the Synaptics touchpad on my Lenovo
> > > > > ThinkPad T14 Gen 1 -- the pointer no longer moves when I touch the
> > > > > touchpad. Potentially relevant line from dmesg:
> > > > >
> > > > > rmi4_f01 rmi4-00.fn01: found RMI device, manufacturer: Synaptics, product: TM3471-020, fw id: 3972349
> > > > >
> > > > > > Dmitry Torokhov<dmitry.torokhov@gmail.com>
> > > > > > Input: rmi4 - refactor register descriptor parsing
> > > > > >
> > > > > > Dmitry Torokhov<dmitry.torokhov@gmail.com>
> > > > > > Input: rmi4 - fix register descriptor address calculation
> > > > > > > Both of these patches seem bad in my testing. Either one, individually,
> > > > > causes the pointer to no longer move when I touch the touchpad. If I
> > > > > revert both of them, then my touchpad works again.
> > > > >
> > > > > I have not yet tested 7.0.14-rc1 or 6.18.37-rc1. However, the problem
> > > > > also reproduces on current mainline as of this writing (commit
> > > > > 51cb1aa1250c36269474b8b6ca6b6319e170f5a5).
> > > > Could you please try applying this debug patch and send me dmesg?
> > > Sure, I applied the patch on top of mainline, and the dmesg output is
> > > below.
> > Thank you! So I messed up and "Input: rmi4 - fix register descriptor
> > address calculation" is totally wrong.
> >
> > Can you please revert it (keeping the debug patch) and try booting again
> > and if the touchpad still does not work post the dmesg again.
> >
> > Thanks!
>
> I did the revert, while keeping the debug patch. With this kernel, the
> touchpad still doesn't work for me, so here's the new dmesg.
Thank you. It looks like the firmware is a bit sloppy and the new
tightened checks are tripping on it. Please try this patch:
Input: rmi4 - tolerate short register descriptor structure
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports
a register descriptor structure size that is too small for the number of
registers it claims to have in the presence map. The remaining bytes in
the structure are 0, which with the new strict bounds checking causes the
parser to fail with -EIO, aborting the device probe.
Tolerate such short reads by dropping the remaining (unparseable or
0-size) registers from the list instead of failing the probe,
preventing the driver from trying to use them.
Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing")
Reported-by: Barry K. Nathan <barryn@pobox.com>
Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/rmi4/rmi_driver.c | 37 +++++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index a28eef1b765e..a58de7aad150 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -616,8 +616,8 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
unsigned int presence_offset;
unsigned int map_offset;
unsigned int offset;
+ unsigned int num_registers;
unsigned int reg;
- int i;
int b;
int ret;
@@ -657,7 +657,7 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
memset(presence_map, 0, sizeof(presence_map));
map_offset = 0;
- for (i = presence_offset; i < size_presence_reg; i++) {
+ for (int i = presence_offset; i < size_presence_reg; i++) {
for (b = 0; b < 8; b++) {
if (buf[i] & BIT(b)) {
if (map_offset >= RMI_REG_DESC_PRESENCE_BITS)
@@ -697,28 +697,41 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
if (ret)
return ret;
- reg = find_first_bit(presence_map, RMI_REG_DESC_PRESENCE_BITS);
offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
+ num_registers = 0;
+ for_each_set_bit(reg, presence_map, RMI_REG_DESC_PRESENCE_BITS) {
+ struct rmi_register_desc_item *item = &rdesc->registers[num_registers];
int item_size;
+ if (offset >= rdesc->struct_size)
+ break;
+
item_size = rmi_parse_register_desc_item(item,
&struct_buf[offset],
rdesc->struct_size - offset);
- if (item_size < 0)
- return item_size;
+ if (item_size < 0) {
+ dev_warn(&d->dev,
+ "%s: Failed to parse register %d descriptor, ignoring it\n",
+ __func__, reg);
+ break;
+ }
item->reg = reg;
offset += item_size;
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %u subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
+ if (item->reg_size == 0) {
+ dev_warn(&d->dev,
+ "%s: Register %d has 0 size, ignoring it\n",
+ __func__, item->reg);
+ } else {
+ rmi_dbg(RMI_DEBUG_CORE, &d->dev,
+ "%s: reg: %d reg size: %u subpackets: %d\n", __func__,
+ item->reg, item->reg_size, item->num_subpackets);
- reg = find_next_bit(presence_map,
- RMI_REG_DESC_PRESENCE_BITS, reg + 1);
+ num_registers++;
+ }
}
+ rdesc->num_registers = num_registers;
return 0;
}
Thanks.
--
Dmitry
next prev parent reply other threads:[~2026-06-27 0:32 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 13:03 [PATCH 7.1 00/21] 7.1.2-rc1 review Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 01/21] io_uring/net: Avoid msghdr on op_connect/op_bind async data Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 02/21] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 03/21] Revert "NFSD: Defer sub-object cleanup in export put callbacks" Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 04/21] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 05/21] iio: light: veml6075: add bounds check to veml6075_it_ms index Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 06/21] iio: adc: ti-ads1298: add bounds check to pga_settings index Greg Kroah-Hartman
2026-06-25 13:03 ` [PATCH 7.1 07/21] Input: rmi4 - fix register descriptor address calculation Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 08/21] Input: rmi4 - refactor register descriptor parsing Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 09/21] Input: rmi4 - fix type overflow in register counts Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 10/21] Input: rmi4 - fix num_subpackets overflow in register descriptor Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 11/21] Input: rmi4 - fix memory leak in rmi_set_attn_data() Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 12/21] Input: rmi4 - iterative IRQ handler Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 13/21] Input: rmi4 - fix bit count in bitmap_copy() Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 14/21] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 15/21] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 16/21] serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 17/21] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 18/21] drivers/base/memory: set mem->altmap after successful device registration Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 19/21] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 20/21] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
2026-06-25 13:04 ` [PATCH 7.1 21/21] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
2026-06-25 13:54 ` [PATCH 7.1 00/21] 7.1.2-rc1 review Florian Fainelli
2026-06-25 15:27 ` Brett A C Sheffield
2026-06-25 17:30 ` Justin Forbes
2026-06-25 18:19 ` Peter Schneider
2026-06-25 23:55 ` Shuah Khan
2026-06-26 4:59 ` Ron Economos
2026-06-26 10:37 ` Miguel Ojeda
2026-06-26 11:24 ` Pavel Machek
2026-06-26 11:43 ` Pavel Machek
2026-06-26 11:35 ` Dileep malepu
2026-06-26 12:35 ` Takeshi Ogasawara
2026-06-26 13:15 ` Mark Brown
2026-06-26 15:58 ` Jeffrin Thalakkottoor
2026-06-26 17:56 ` Barry K. Nathan
2026-06-26 19:56 ` Dmitry Torokhov
2026-06-26 20:41 ` Barry K. Nathan
2026-06-26 21:17 ` Dmitry Torokhov
2026-06-26 22:23 ` Barry K. Nathan
2026-06-27 0:31 ` Dmitry Torokhov [this message]
2026-06-27 2:09 ` Barry K. Nathan
2026-06-27 2:15 ` Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aj8WEfam__6fnNuM@google.com \
--to=dmitry.torokhov@gmail.com \
--cc=achill@achill.org \
--cc=akpm@linux-foundation.org \
--cc=barryn@pobox.com \
--cc=broonie@kernel.org \
--cc=conor@kernel.org \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hargar@microsoft.com \
--cc=jonathanh@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=lkft-triage@lists.linaro.org \
--cc=patches@kernelci.org \
--cc=patches@lists.linux.dev \
--cc=pavel@nabladev.com \
--cc=rwarsow@gmx.de \
--cc=shuah@kernel.org \
--cc=sr@sladewatkins.com \
--cc=stable@vger.kernel.org \
--cc=sudipm.mukherjee@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox