[PATCH v2 04/20] Input: rmi4 - fix num_subpackets overflow in register descriptor
From: Dmitry Torokhov
Date: Tue May 05 2026 - 01:01:08 EST
RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
may overflow num_subpackets in struct rmi_register_desc_item which is
defined as a u8.
Fix this by changing the type of num_subpackets to u16.
Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/rmi4/rmi_driver.h | 2 +-
drivers/input/rmi4/rmi_f12.c | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/input/rmi4/rmi_driver.h b/drivers/input/rmi4/rmi_driver.h
index 5f769fcc758d..6952059bf4f5 100644
--- a/drivers/input/rmi4/rmi_driver.h
+++ b/drivers/input/rmi4/rmi_driver.h
@@ -53,7 +53,7 @@ struct pdt_entry {
struct rmi_register_desc_item {
u16 reg;
unsigned long reg_size;
- u8 num_subpackets;
+ u16 num_subpackets;
unsigned long subpacket_map[BITS_TO_LONGS(
RMI_REG_DESC_SUBPACKET_BITS)];
};
diff --git a/drivers/input/rmi4/rmi_f12.c b/drivers/input/rmi4/rmi_f12.c
index 8246fe77114b..c2b07c6905d7 100644
--- a/drivers/input/rmi4/rmi_f12.c
+++ b/drivers/input/rmi4/rmi_f12.c
@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_function *fn)
f12->data1 = item;
f12->data1_offset = data_offset;
data_offset += item->reg_size;
+
+ if (item->num_subpackets > 255) {
+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
+ item->num_subpackets);
+ return -EINVAL;
+ }
+
sensor->nbr_fingers = item->num_subpackets;
sensor->report_abs = 1;
sensor->attn_size += item->reg_size;
--
2.54.0.545.g6539524ca2-goog