From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: linux-input@vger.kernel.org
Cc: Marge Yang <Marge.Yang@tw.synaptics.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 13/20] Input: rmi4 - change reg_size type to u32
Date: Mon, 4 May 2026 21:59:43 -0700 [thread overview]
Message-ID: <20260505045952.1570713-13-dmitry.torokhov@gmail.com> (raw)
In-Reply-To: <20260505045952.1570713-1-dmitry.torokhov@gmail.com>
Change reg_size from unsigned long to u32 to save space and ensure
consistent size across 32-bit and 64-bit architectures, and use
DECLARE_BITMAP() for subpacket_map.
Also pack the structure by rearranging the members to avoid holes,
and use size_add() to prevent potential integer overflows when
calculating the total size of registers.
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/rmi4/rmi_2d_sensor.h | 4 ++--
drivers/input/rmi4/rmi_driver.c | 4 ++--
drivers/input/rmi4/rmi_driver.h | 5 ++---
drivers/input/rmi4/rmi_f11.c | 2 +-
drivers/input/rmi4/rmi_f12.c | 25 +++++++++++++++++++------
5 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/drivers/input/rmi4/rmi_2d_sensor.h b/drivers/input/rmi4/rmi_2d_sensor.h
index 61a99c8a7a26..f9d9c1dd5eb0 100644
--- a/drivers/input/rmi4/rmi_2d_sensor.h
+++ b/drivers/input/rmi4/rmi_2d_sensor.h
@@ -56,8 +56,8 @@ struct rmi_2d_sensor {
u16 max_y;
u8 nbr_fingers;
u8 *data_pkt;
- int pkt_size;
- int attn_size;
+ u32 pkt_size;
+ u32 attn_size;
bool topbuttonpad;
enum rmi_sensor_type sensor_type;
struct input_dev *input;
diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index aae4a9bb76fb..6416c1d97a6d 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -713,7 +713,7 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
offset += item_size;
rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
+ "%s: reg: %d reg size: %u subpackets: %d\n", __func__,
item->reg, item->reg_size, item->num_subpackets);
reg = find_next_bit(presence_map,
@@ -746,7 +746,7 @@ size_t rmi_register_desc_calc_size(struct rmi_register_descriptor *rdesc)
for (i = 0; i < rdesc->num_registers; i++) {
item = &rdesc->registers[i];
- size += item->reg_size;
+ size = size_add(size, item->reg_size);
}
return size;
}
diff --git a/drivers/input/rmi4/rmi_driver.h b/drivers/input/rmi4/rmi_driver.h
index b93905a6a43a..abeafb77a483 100644
--- a/drivers/input/rmi4/rmi_driver.h
+++ b/drivers/input/rmi4/rmi_driver.h
@@ -52,11 +52,10 @@ struct pdt_entry {
/* describes a single packet register */
struct rmi_register_desc_item {
+ u32 reg_size;
u16 reg;
- unsigned long reg_size;
u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
+ DECLARE_BITMAP(subpacket_map, RMI_REG_DESC_SUBPACKET_BITS);
};
/*
diff --git a/drivers/input/rmi4/rmi_f11.c b/drivers/input/rmi4/rmi_f11.c
index 49ca9168685a..9ade74b36edb 100644
--- a/drivers/input/rmi4/rmi_f11.c
+++ b/drivers/input/rmi4/rmi_f11.c
@@ -1304,7 +1304,7 @@ static irqreturn_t rmi_f11_attention(int irq, void *ctx)
struct f11_data *f11 = dev_get_drvdata(&fn->dev);
u16 data_base_addr = fn->fd.data_base_addr;
int error;
- int valid_bytes = f11->sensor.pkt_size;
+ u32 valid_bytes = f11->sensor.pkt_size;
if (drvdata->attn_data.data) {
/*
diff --git a/drivers/input/rmi4/rmi_f12.c b/drivers/input/rmi4/rmi_f12.c
index 973288103b6a..b179980003f1 100644
--- a/drivers/input/rmi4/rmi_f12.c
+++ b/drivers/input/rmi4/rmi_f12.c
@@ -5,6 +5,7 @@
#include <linux/input.h>
#include <linux/input/mt.h>
#include <linux/rmi.h>
+#include <linux/sizes.h>
#include "rmi_driver.h"
#include "rmi_2d_sensor.h"
@@ -118,7 +119,7 @@ static int rmi_f12_read_sensor_tuning(struct f12_data *f12)
if (item->reg_size > sizeof(buf)) {
dev_err(&fn->dev,
- "F12 control8 should be no bigger than %zd bytes, not: %ld\n",
+ "F12 control8 should be no bigger than %zd bytes, not: %u\n",
sizeof(buf), item->reg_size);
return -ENODEV;
}
@@ -256,7 +257,7 @@ static irqreturn_t rmi_f12_attention(int irq, void *ctx)
struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
struct f12_data *f12 = dev_get_drvdata(&fn->dev);
struct rmi_2d_sensor *sensor = &f12->sensor;
- int valid_bytes = sensor->pkt_size;
+ u32 valid_bytes = sensor->pkt_size;
if (drvdata->attn_data.data) {
if (sensor->attn_size > drvdata->attn_data.size)
@@ -310,7 +311,7 @@ static int rmi_f12_write_control_regs(struct rmi_function *fn)
* on the existence of subpacket 0. If control 20 is
* larger then 3 bytes, just read the first 3.
*/
- control_size = min(item->reg_size, 3UL);
+ control_size = min(item->reg_size, 3U);
ret = rmi_read_block(rmi_dev, fn->fd.control_base_addr
+ control_offset, buf, control_size);
@@ -379,7 +380,8 @@ static int rmi_f12_probe(struct rmi_function *fn)
struct rmi_2d_sensor *sensor;
struct rmi_device_platform_data *pdata = rmi_get_platform_data(rmi_dev);
struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
- u16 data_offset = 0;
+ size_t data_offset = 0;
+ size_t pkt_size;
int mask_size;
int i;
@@ -431,7 +433,12 @@ static int rmi_f12_probe(struct rmi_function *fn)
sensor = &f12->sensor;
sensor->fn = fn;
f12->data_addr = fn->fd.data_base_addr;
- sensor->pkt_size = rmi_register_desc_calc_size(&f12->data_reg_desc);
+ pkt_size = rmi_register_desc_calc_size(&f12->data_reg_desc);
+ if (pkt_size > SZ_1M) {
+ dev_err(&fn->dev, "Invalid data packet size: %zu\n", pkt_size);
+ return -EINVAL;
+ }
+ sensor->pkt_size = pkt_size;
sensor->axis_align =
f12->sensor_pdata.axis_align;
@@ -444,7 +451,7 @@ static int rmi_f12_probe(struct rmi_function *fn)
sensor->sensor_type =
f12->sensor_pdata.sensor_type;
- rmi_dbg(RMI_DEBUG_FN, &fn->dev, "%s: data packet size: %d\n", __func__,
+ rmi_dbg(RMI_DEBUG_FN, &fn->dev, "%s: data packet size: %u\n", __func__,
sensor->pkt_size);
sensor->data_pkt = devm_kzalloc(&fn->dev, sensor->pkt_size, GFP_KERNEL);
if (!sensor->data_pkt)
@@ -471,6 +478,12 @@ static int rmi_f12_probe(struct rmi_function *fn)
if (drvdata->attn_data.data && i != 1 && i != 5)
continue;
+ if (data_offset > U16_MAX) {
+ dev_err(&fn->dev, "Invalid offset for data%d: %zu\n",
+ i, data_offset);
+ return -EINVAL;
+ }
+
switch (i) {
case 1:
f12->data1 = item;
--
2.54.0.545.g6539524ca2-goog
next prev parent reply other threads:[~2026-05-05 5:00 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 4:59 [PATCH v2 01/20] Input: rmi4 - fix register descriptor address calculation Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 02/20] Input: rmi4 - refactor register descriptor parsing Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 03/20] Input: rmi4 - fix type overflow in register counts Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 04/20] Input: rmi4 - fix num_subpackets overflow in register descriptor Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 05/20] Input: rmi4 - fix memory leak in rmi_set_attn_data() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 06/20] Input: rmi4 - iterative IRQ handler Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 07/20] Input: rmi4 - fix bit count in bitmap_copy() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 08/20] Input: rmi4 - fix limit in rmi_register_desc_has_subpacket() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 09/20] Input: rmi4 - use local presence map in rmi_read_register_desc() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 10/20] Input: rmi4 - refactor function allocation and registration Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 11/20] Input: rmi4 - use kzalloc_flex() for struct rmi_function Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 12/20] Input: rmi4 - refactor F12 probe function Dmitry Torokhov
2026-05-05 4:59 ` Dmitry Torokhov [this message]
2026-05-05 4:59 ` [PATCH v2 14/20] Input: rmi4 - use unaligned access helpers in F12 Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 15/20] Input: rmi4 - use flexible array member for IRQ masks " Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 16/20] Input: rmi4 - use devm_kmalloc for F12 data packet buffer Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 17/20] Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 18/20] Input: rmi4 - simplify size calculations in F12 Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 19/20] Input: rmi4 - propagate proper error code in F12 sensor tuning Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 20/20] Input: rmi4 - update formatting in F12 Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505045952.1570713-13-dmitry.torokhov@gmail.com \
--to=dmitry.torokhov@gmail.com \
--cc=Marge.Yang@tw.synaptics.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox