From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: linux-input@vger.kernel.org
Cc: Marge Yang <Marge.Yang@tw.synaptics.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2 04/20] Input: rmi4 - fix num_subpackets overflow in register descriptor
Date: Mon, 4 May 2026 21:59:34 -0700 [thread overview]
Message-ID: <20260505045952.1570713-4-dmitry.torokhov@gmail.com> (raw)
In-Reply-To: <20260505045952.1570713-1-dmitry.torokhov@gmail.com>
RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
may overflow num_subpackets in struct rmi_register_desc_item which is
defined as a u8.
Fix this by changing the type of num_subpackets to u16.
Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
drivers/input/rmi4/rmi_driver.h | 2 +-
drivers/input/rmi4/rmi_f12.c | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/input/rmi4/rmi_driver.h b/drivers/input/rmi4/rmi_driver.h
index 5f769fcc758d..6952059bf4f5 100644
--- a/drivers/input/rmi4/rmi_driver.h
+++ b/drivers/input/rmi4/rmi_driver.h
@@ -53,7 +53,7 @@ struct pdt_entry {
struct rmi_register_desc_item {
u16 reg;
unsigned long reg_size;
- u8 num_subpackets;
+ u16 num_subpackets;
unsigned long subpacket_map[BITS_TO_LONGS(
RMI_REG_DESC_SUBPACKET_BITS)];
};
diff --git a/drivers/input/rmi4/rmi_f12.c b/drivers/input/rmi4/rmi_f12.c
index 8246fe77114b..c2b07c6905d7 100644
--- a/drivers/input/rmi4/rmi_f12.c
+++ b/drivers/input/rmi4/rmi_f12.c
@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_function *fn)
f12->data1 = item;
f12->data1_offset = data_offset;
data_offset += item->reg_size;
+
+ if (item->num_subpackets > 255) {
+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
+ item->num_subpackets);
+ return -EINVAL;
+ }
+
sensor->nbr_fingers = item->num_subpackets;
sensor->report_abs = 1;
sensor->attn_size += item->reg_size;
--
2.54.0.545.g6539524ca2-goog
next prev parent reply other threads:[~2026-05-05 5:00 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 4:59 [PATCH v2 01/20] Input: rmi4 - fix register descriptor address calculation Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 02/20] Input: rmi4 - refactor register descriptor parsing Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 03/20] Input: rmi4 - fix type overflow in register counts Dmitry Torokhov
2026-05-05 4:59 ` Dmitry Torokhov [this message]
2026-05-05 4:59 ` [PATCH v2 05/20] Input: rmi4 - fix memory leak in rmi_set_attn_data() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 06/20] Input: rmi4 - iterative IRQ handler Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 07/20] Input: rmi4 - fix bit count in bitmap_copy() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 08/20] Input: rmi4 - fix limit in rmi_register_desc_has_subpacket() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 09/20] Input: rmi4 - use local presence map in rmi_read_register_desc() Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 10/20] Input: rmi4 - refactor function allocation and registration Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 11/20] Input: rmi4 - use kzalloc_flex() for struct rmi_function Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 12/20] Input: rmi4 - refactor F12 probe function Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 13/20] Input: rmi4 - change reg_size type to u32 Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 14/20] Input: rmi4 - use unaligned access helpers in F12 Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 15/20] Input: rmi4 - use flexible array member for IRQ masks " Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 16/20] Input: rmi4 - use devm_kmalloc for F12 data packet buffer Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 17/20] Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 18/20] Input: rmi4 - simplify size calculations in F12 Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 19/20] Input: rmi4 - propagate proper error code in F12 sensor tuning Dmitry Torokhov
2026-05-05 4:59 ` [PATCH v2 20/20] Input: rmi4 - update formatting in F12 Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505045952.1570713-4-dmitry.torokhov@gmail.com \
--to=dmitry.torokhov@gmail.com \
--cc=Marge.Yang@tw.synaptics.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox