didn't work so well just yet...
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
net-qualcomm-rmnet-fix-endpoint-use-after-free-in-rmnet_dellink.patch
agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
xhci-fix-memory-leak-regression-when-freeing-xhci-vd.patch
af_unix-reject-siocatmark-on-non-stream-sockets.patch
regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
virtiofs-fix-uaf-on-submount-umount.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
sctp-disable-bh-before-calling-udp_tunnel_xmit_skb.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
+++ /dev/null
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include <uapi/linux/input.h>
- #include <linux/rmi.h>
- #include <linux/export.h>
-+#include <linux/unaligned.h>
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ? retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
net-net_failover-fix-the-deadlock-in-slave-register.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
crypto-qat-remove-unused-character-device-and-ioctls.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
scripts-sorttable-use-normal-sort-if-theres-no-relocs-in-the-mcount-section.patch
scripts-sorttable-allow-matches-to-functions-before-function-entry.patch
scripts-sorttable-fix-endianness-handling-in-build-time-mcount-sort.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
+++ /dev/null
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include <uapi/linux/input.h>
- #include <linux/rmi.h>
- #include <linux/export.h>
-+#include <linux/unaligned.h>
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ? retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
net-net_failover-fix-the-deadlock-in-slave-register.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
crypto-qat-remove-unused-character-device-and-ioctls.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
+++ /dev/null
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
+++ /dev/null
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
+++ /dev/null
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
+++ /dev/null
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
+++ /dev/null
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
+++ /dev/null
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
+++ /dev/null
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include <uapi/linux/input.h>
- #include <linux/rmi.h>
- #include <linux/export.h>
-+#include <linux/unaligned.h>
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ? retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
crypto-qat-remove-unused-character-device-and-ioctls.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
