Re: [PATCH 7.1 00/21] 7.1.2-rc1 review

[Dmitry Torokhov]

On Fri, Jun 26, 2026 at 03:23:12PM -0700, Barry K. Nathan wrote:
> On 6/26/26 2:17 PM, Dmitry Torokhov wrote:
> > On Fri, Jun 26, 2026 at 01:41:38PM -0700, Barry K. Nathan wrote:
> > > On 6/26/26 12:56 PM, Dmitry Torokhov wrote:
> > > > Hi Barry,
> > > > 
> > > > On Fri, Jun 26, 2026 at 10:56:21AM -0700, Barry K. Nathan wrote:
> > > > > (cc Dmitry Torokhov because this is related to two of your commits)
> > > > > 
> > > > > On 6/25/26 6:03 AM, Greg Kroah-Hartman wrote:
> > > > > > This is the start of the stable review cycle for the 7.1.2 release.
> > > > > > There are 21 patches in this series, all will be posted as a response
> > > > > > to this one.  If anyone has any issues with these being applied, please
> > > > > > let me know.
> > > > > > 
> > > > > > Responses should be made by Sat, 27 Jun 2026 12:54:50 +0000.
> > > > > > Anything received after that time might be too late.
> > > > > > 
> > > > > > The whole patch series can be found in one patch at:
> > > > > > 	https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.2-rc1.gz
> > > > > > or in the git tree and branch at:
> > > > > > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> > > > > > and the diffstat can be found below.
> > > > > > 
> > > > > > thanks,
> > > > > > 
> > > > > > greg k-h
> > > > > > 
> > > > > Unfortunately, 7.1.2-rc1 breaks the Synaptics touchpad on my Lenovo
> > > > > ThinkPad T14 Gen 1 -- the pointer no longer moves when I touch the
> > > > > touchpad. Potentially relevant line from dmesg:
> > > > > 
> > > > > rmi4_f01 rmi4-00.fn01: found RMI device, manufacturer: Synaptics, product: TM3471-020, fw id: 3972349
> > > > > 
> > > > > > Dmitry Torokhov<dmitry.torokhov@xxxxxxxxx>
> > > > > >        Input: rmi4 - refactor register descriptor parsing
> > > > > > 
> > > > > > Dmitry Torokhov<dmitry.torokhov@xxxxxxxxx>
> > > > > >        Input: rmi4 - fix register descriptor address calculation
> > > > > > > Both of these patches seem bad in my testing. Either one, individually,
> > > > > causes the pointer to no longer move when I touch the touchpad. If I
> > > > > revert both of them, then my touchpad works again.
> > > > > 
> > > > > I have not yet tested 7.0.14-rc1 or 6.18.37-rc1. However, the problem
> > > > > also reproduces on current mainline as of this writing (commit
> > > > > 51cb1aa1250c36269474b8b6ca6b6319e170f5a5).
> > > > Could you please try applying this debug patch and send me dmesg?
> > > Sure, I applied the patch on top of mainline, and the dmesg output is
> > > below.
> > Thank you! So I messed up and "Input: rmi4 - fix register descriptor
> > address calculation" is totally wrong.
> > 
> > Can you please revert it (keeping the debug patch) and try booting again
> > and if the touchpad still does not work post the dmesg again.
> > 
> > Thanks!
> 
> I did the revert, while keeping the debug patch. With this kernel, the
> touchpad still doesn't work for me, so here's the new dmesg.

Thank you. It looks like the firmware is a bit sloppy and the new
tightened checks are tripping on it. Please try this patch:


Input: rmi4 - tolerate short register descriptor structure

From: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>

Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports
a register descriptor structure size that is too small for the number of
registers it claims to have in the presence map. The remaining bytes in
the structure are 0, which with the new strict bounds checking causes the
parser to fail with -EIO, aborting the device probe.

Tolerate such short reads by dropping the remaining (unparseable or
0-size) registers from the list instead of failing the probe,
preventing the driver from trying to use them.

Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing")
Reported-by: Barry K. Nathan <barryn@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
 drivers/input/rmi4/rmi_driver.c |   37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index a28eef1b765e..a58de7aad150 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -616,8 +616,8 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
 	unsigned int presence_offset;
 	unsigned int map_offset;
 	unsigned int offset;
+	unsigned int num_registers;
 	unsigned int reg;
-	int i;
 	int b;
 	int ret;
 
@@ -657,7 +657,7 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
 
 	memset(presence_map, 0, sizeof(presence_map));
 	map_offset = 0;
-	for (i = presence_offset; i < size_presence_reg; i++) {
+	for (int i = presence_offset; i < size_presence_reg; i++) {
 		for (b = 0; b < 8; b++) {
 			if (buf[i] & BIT(b)) {
 				if (map_offset >= RMI_REG_DESC_PRESENCE_BITS)
@@ -697,28 +697,41 @@ int rmi_read_register_desc(struct rmi_device *d, u16 addr,
 	if (ret)
 		return ret;
 
-	reg = find_first_bit(presence_map, RMI_REG_DESC_PRESENCE_BITS);
 	offset = 0;
-	for (i = 0; i < rdesc->num_registers; i++) {
-		struct rmi_register_desc_item *item = &rdesc->registers[i];
+	num_registers = 0;
+	for_each_set_bit(reg, presence_map, RMI_REG_DESC_PRESENCE_BITS) {
+		struct rmi_register_desc_item *item = &rdesc->registers[num_registers];
 		int item_size;
 
+		if (offset >= rdesc->struct_size)
+			break;
+
 		item_size = rmi_parse_register_desc_item(item,
 							 &struct_buf[offset],
 							 rdesc->struct_size - offset);
-		if (item_size < 0)
-			return item_size;
+		if (item_size < 0) {
+			dev_warn(&d->dev,
+				 "%s: Failed to parse register %d descriptor, ignoring it\n",
+				 __func__, reg);
+			break;
+		}
 
 		item->reg = reg;
 		offset += item_size;
 
-		rmi_dbg(RMI_DEBUG_CORE, &d->dev,
-			"%s: reg: %d reg size: %u subpackets: %d\n", __func__,
-			item->reg, item->reg_size, item->num_subpackets);
+		if (item->reg_size == 0) {
+			dev_warn(&d->dev,
+				 "%s: Register %d has 0 size, ignoring it\n",
+				 __func__, item->reg);
+		} else {
+			rmi_dbg(RMI_DEBUG_CORE, &d->dev,
+				"%s: reg: %d reg size: %u subpackets: %d\n", __func__,
+				item->reg, item->reg_size, item->num_subpackets);
 
-		reg = find_next_bit(presence_map,
-				    RMI_REG_DESC_PRESENCE_BITS, reg + 1);
+			num_registers++;
+		}
 	}
+	rdesc->num_registers = num_registers;
 
 	return 0;
 }


Thanks.

-- 
Dmitry