[PATCH 2/2] Input: rmi4 - fix num_subpackets overflow in register descriptor
From: Dmitry Torokhov
Date: Mon Apr 27 2026 - 21:10:04 EST
RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
may overflow num_subpackets in struct rmi_register_desc_item which is
defined as a u8.
Fix this by changing the type of num_subpackets to u16.
Pack the structure by rearranging the members to avoid holes, change
reg_size from unsigned long to u32 to save space and ensure consistent
size across 32-bit and 64-bit architectures, and use DECLARE_BITMAP()
for subpacket_map.
Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/rmi4/rmi_driver.h | 8 ++++----
drivers/input/rmi4/rmi_f12.c | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/input/rmi4/rmi_driver.h b/drivers/input/rmi4/rmi_driver.h
index e84495caab15..865ffc7882f3 100644
--- a/drivers/input/rmi4/rmi_driver.h
+++ b/drivers/input/rmi4/rmi_driver.h
@@ -11,6 +11,7 @@
#include <linux/hrtimer.h>
#include <linux/ktime.h>
#include <linux/input.h>
+#include <linux/types.h>
#include "rmi_bus.h"
#define SYNAPTICS_INPUT_DEVICE_NAME "Synaptics RMI4 Touch Sensor"
@@ -52,10 +53,9 @@ struct pdt_entry {
/* describes a single packet register */
struct rmi_register_desc_item {
u16 reg;
- unsigned long reg_size;
- u8 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
+ u16 num_subpackets;
+ u32 reg_size;
+ DECLARE_BITMAP(subpacket_map, RMI_REG_DESC_SUBPACKET_BITS);
};
/*
diff --git a/drivers/input/rmi4/rmi_f12.c b/drivers/input/rmi4/rmi_f12.c
index 8246fe77114b..9bcc27e9d308 100644
--- a/drivers/input/rmi4/rmi_f12.c
+++ b/drivers/input/rmi4/rmi_f12.c
@@ -88,7 +88,7 @@ static int rmi_f12_read_sensor_tuning(struct f12_data *f12)
if (item->reg_size > sizeof(buf)) {
dev_err(&fn->dev,
- "F12 control8 should be no bigger than %zd bytes, not: %ld\n",
+ "F12 control8 should be no bigger than %zd bytes, not: %d\n",
sizeof(buf), item->reg_size);
return -ENODEV;
}
--
2.54.0.545.g6539524ca2-goog