[PATCH 07/10] Input: synaptics-rmi4 - check V4L2 buffer size in F54 queue

Next message: Dmitry Torokhov: "[PATCH 08/10] Input: synaptics-rmi4 - F54 style and typo fixes"
Previous message: Dmitry Torokhov: "[PATCH 06/10] Input: synaptics-rmi4 - propagate F54 worker errors to V4L2 queue"
In reply to: Dmitry Torokhov: "[PATCH 06/10] Input: synaptics-rmi4 - propagate F54 worker errors to V4L2 queue"
Next in thread: Dmitry Torokhov: "[PATCH 08/10] Input: synaptics-rmi4 - F54 style and typo fixes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Fri Jun 26 2026 - 01:20:00 EST

Add a safety check in rmi_f54_buffer_queue() to ensure that the
requested report size (f54->report_size) does not exceed the actual
allocated size of the V4L2 buffer (vb2_plane_size()).

This provides a defense-in-depth measure against any potential size
mismatches between the V4L2 queue and the driver's internal state.

Fixes: 3a762dbd5347 ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/rmi4/rmi_f54.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c
index c86bc81845bb..93526feea563 100644
--- a/drivers/input/rmi4/rmi_f54.c
+++ b/drivers/input/rmi4/rmi_f54.c
@@ -354,6 +354,13 @@ static void rmi_f54_buffer_queue(struct vb2_buffer *vb)
goto data_done;
}

+ if (f54->report_size > vb2_plane_size(vb, 0)) {
+ dev_err(&f54->fn->dev, "Buffer too small (%lu < %d)\n",
+ vb2_plane_size(vb, 0), f54->report_size);
+ state = VB2_BUF_STATE_ERROR;
+ goto data_done;
+ }
+
memcpy(ptr, f54->report_data, f54->report_size);
vb2_set_plane_payload(vb, 0, rmi_f54_get_report_size(f54));
state = VB2_BUF_STATE_DONE;
--
2.55.0.rc0.799.gd6f94ed593-goog