From: Dmitry Torokhov
To: linux-input@vger.kernel.org
Cc: Marge Yang, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2 04/20] Input: rmi4 - fix num_subpackets overflow in register descriptor
Date: Mon, 4 May 2026 21:59:34 -0700
Message-ID: <20260505045952.1570713-4-dmitry.torokhov@gmail.com>
In-Reply-To: <20260505045952.1570713-1-dmitry.torokhov@gmail.com>
References: <20260505045952.1570713-1-dmitry.torokhov@gmail.com>

RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
may overflow num_subpackets in struct rmi_register_desc_item which is
defined as a u8. Fix this by changing the type of num_subpackets to u16.

Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov
---
 drivers/input/rmi4/rmi_driver.h | 2 +-
 drivers/input/rmi4/rmi_f12.c    | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/input/rmi4/rmi_driver.h b/drivers/input/rmi4/rmi_driver.h index 5f769fcc758d..6952059bf4f5 100644 --- a/drivers/input/rmi4/rmi_driver.h +++ b/drivers/input/rmi4/rmi_driver.h
@@ -53,7 +53,7 @@ struct pdt_entry { struct rmi_register_desc_item { u16 reg; unsigned long reg_size; - u8 num_subpackets; + u16 num_subpackets; unsigned long subpacket_map[BITS_TO_LONGS( RMI_REG_DESC_SUBPACKET_BITS)]; }; diff --git a/drivers/input/rmi4/rmi_f12.c b/drivers/input/rmi4/rmi_f12.c index 8246fe77114b..c2b07c6905d7 100644 --- a/drivers/input/rmi4/rmi_f12.c +++ b/drivers/input/rmi4/rmi_f12.c @@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_function *fn) f12->data1 = item; f12->data1_offset = data_offset; data_offset += item->reg_size; + + if (item->num_subpackets > 255) { + dev_err(&fn->dev, "Too many fingers declared: %d\n", + item->num_subpackets); + return -EINVAL; + } + sensor->nbr_fingers = item->num_subpackets; sensor->report_abs = 1; sensor->attn_size += item->reg_size; -- 2.54.0.545.g6539524ca2-goog
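Review bot: in the rmi_driver.h hunk, widening num_subpackets to u16 lets every reader of struct rmi_register_desc_item see values above 255, yet the only range check this patch adds is the one in rmi_f12_probe(). Please audit the remaining users of num_subpackets for assignments into narrower types or use as a loop bound or index, and either add equivalent checks or note in the commit message that they were reviewed. The commit message would also be easier to verify if it said where the count is accumulated, so the link to RMI_REG_DESC_SUBPACKET_BITS (296) is explicit.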
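Review bot: in the rmi_f12_probe() hunk, the bound in `if (item->num_subpackets > 255)` is a bare literal whose meaning depends on the type of sensor->nbr_fingers, which is not visible in this patch. Use U8_MAX or a named maximum finger count, with a short comment, so the check stays tied to the destination it protects. Two smaller points: the check runs after f12->data1 and f12->data1_offset have already been set, so moving it ahead of those assignments keeps the error path free of partial state; and num_subpackets is now an unsigned type, so %u matches it better than %d in the dev_err() format string.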