From: Greg Kroah-Hartman Date: Sat, 27 Jun 2026 09:00:31 +0000 (+0100) Subject: drop all the rmi4 patches X-Git-Tag: v6.18.37~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b77411a4399da3522c4c5831db8610788cc556f;p=thirdparty%2Fkernel%2Fstable-queue.git drop all the rmi4 patches didn't work so well just yet...
---
diff --git a/queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index 0177932fcb..0000000000
--- a/queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 4542767c78..0000000000
--- a/queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index ab13f8e531..0000000000
--- a/queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index 8c138b24f5..0000000000
--- a/queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-5.10/input-rmi4-iterative-irq-handler.patch b/queue-5.10/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index bed47cf0e6..0000000000
--- a/queue-5.10/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while
(!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-5.10/series b/queue-5.10/series
index eb9c0388c0..6c6d385f8a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -24,11 +24,5 @@ i2c-stub-reject-i2c-block-transfers-with-invalid-length.patch
 net-qualcomm-rmnet-fix-endpoint-use-after-free-in-rmnet_dellink.patch
 agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
diff --git a/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index 0177932fcb..0000000000
--- a/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 4542767c78..0000000000
--- a/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index ab13f8e531..0000000000
--- a/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index 8c138b24f5..0000000000
--- a/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-5.15/input-rmi4-iterative-irq-handler.patch b/queue-5.15/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index bed47cf0e6..0000000000
--- a/queue-5.15/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while
(!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-5.15/series b/queue-5.15/series
index 36cacfc7d4..ff8ab1afa4 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -18,12 +18,6 @@ agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 xhci-fix-memory-leak-regression-when-freeing-xhci-vd.patch
 af_unix-reject-siocatmark-on-non-stream-sockets.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
 virtiofs-fix-uaf-on-submount-umount.patch
diff --git a/queue-6.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-6.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index 0177932fcb..0000000000
--- a/queue-6.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-6.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-6.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 4542767c78..0000000000
--- a/queue-6.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-6.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-6.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index ab13f8e531..0000000000
--- a/queue-6.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-6.1/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-6.1/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index 8c138b24f5..0000000000
--- a/queue-6.1/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-6.1/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-6.1/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-6.1/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-6.1/input-rmi4-iterative-irq-handler.patch b/queue-6.1/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index bed47cf0e6..0000000000
--- a/queue-6.1/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-6.1/series b/queue-6.1/series
index 5900fb5d64..5e37fb87c4 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -37,12 +37,6 @@ ring-buffer-remove-ring_buffer_read_prepare_sync.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
 dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
 netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 ksmbd-reject-non-valid-session-in-compound-request-branch.patch
 media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
diff --git a/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index 0177932fcb..0000000000
--- a/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 4542767c78..0000000000
--- a/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index 2b07bcd9b2..0000000000
--- a/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index 8c138b24f5..0000000000
--- a/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-6.12/input-rmi4-iterative-irq-handler.patch b/queue-6.12/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index bed47cf0e6..0000000000
--- a/queue-6.12/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-6.12/series b/queue-6.12/series
index 52d924faed..693e0ee198 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -85,12 +85,6 @@ net-ipv6-make-udp_tunnel6_xmit_skb-void.patch
 sctp-disable-bh-before-calling-udp_tunnel_xmit_skb.patch
 iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
 iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
 ksmbd-reject-non-valid-session-in-compound-request-branch.patch
diff --git a/queue-6.18/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-6.18/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index beca842509..0000000000
--- a/queue-6.18/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-6.18/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-6.18/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 006668e86d..0000000000
--- a/queue-6.18/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-6.18/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-6.18/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index 2b07bcd9b2..0000000000
--- a/queue-6.18/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-6.18/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-6.18/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index b32bd203b9..0000000000
--- a/queue-6.18/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-6.18/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-6.18/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-6.18/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-6.18/input-rmi4-iterative-irq-handler.patch b/queue-6.18/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index 6852b8662e..0000000000
--- a/queue-6.18/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-6.18/input-rmi4-refactor-register-descriptor-parsing.patch b/queue-6.18/input-rmi4-refactor-register-descriptor-parsing.patch
deleted file mode 100644
index 27017a9767..0000000000
--- a/queue-6.18/input-rmi4-refactor-register-descriptor-parsing.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ? retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
diff --git a/queue-6.18/series b/queue-6.18/series
index 0ca388daf2..4186a76c02 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -43,13 +43,6 @@ net-export-netif_open-for-self_test-usage.patch
 net-net_failover-fix-the-deadlock-in-slave-register.patch
 iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
 iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 crypto-qat-remove-unused-character-device-and-ioctls.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
diff --git a/queue-6.6/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-6.6/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index 0177932fcb..0000000000
--- a/queue-6.6/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-6.6/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-6.6/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 4542767c78..0000000000
--- a/queue-6.6/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-6.6/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-6.6/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index ab13f8e531..0000000000
--- a/queue-6.6/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-6.6/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-6.6/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index 8c138b24f5..0000000000
--- a/queue-6.6/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-6.6/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-6.6/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-6.6/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-6.6/input-rmi4-iterative-irq-handler.patch b/queue-6.6/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index bed47cf0e6..0000000000
--- a/queue-6.6/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while
(!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-6.6/series b/queue-6.6/series
index 7d04f62462..75227c0b9a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -68,12 +68,6 @@ ftrace-check-against-is_kernel_text-instead-of-kaslr_offset.patch
 scripts-sorttable-use-normal-sort-if-theres-no-relocs-in-the-mcount-section.patch
 scripts-sorttable-allow-matches-to-functions-before-function-entry.patch
 scripts-sorttable-fix-endianness-handling-in-build-time-mcount-sort.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 ksmbd-reject-non-valid-session-in-compound-request-branch.patch
 media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
diff --git a/queue-7.0/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-7.0/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index beca842509..0000000000
--- a/queue-7.0/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-7.0/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-7.0/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 006668e86d..0000000000
--- a/queue-7.0/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-7.0/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-7.0/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index 2b07bcd9b2..0000000000
--- a/queue-7.0/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-7.0/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-7.0/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index b32bd203b9..0000000000
--- a/queue-7.0/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-7.0/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-7.0/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-7.0/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-7.0/input-rmi4-iterative-irq-handler.patch b/queue-7.0/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index 6852b8662e..0000000000
--- a/queue-7.0/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while
(!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-7.0/input-rmi4-refactor-register-descriptor-parsing.patch b/queue-7.0/input-rmi4-refactor-register-descriptor-parsing.patch
deleted file mode 100644
index 27017a9767..0000000000
--- a/queue-7.0/input-rmi4-refactor-register-descriptor-parsing.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ?
retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
diff --git a/queue-7.0/series b/queue-7.0/series
index b45a9b21a2..6552c071bb 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -32,13 +32,6 @@ net-export-netif_open-for-self_test-usage.patch
 net-net_failover-fix-the-deadlock-in-slave-register.patch
 iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
 iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 crypto-qat-remove-unused-character-device-and-ioctls.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
diff --git a/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch
deleted file mode 100644
index beca842509..0000000000
--- a/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:37 -0700
-Subject: Input: rmi4 - fix bit count in bitmap_copy()
-
-From: Dmitry Torokhov
-
-commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
-
-bitmap_copy() takes number of bits, not bytes (or longs). Correct
-the bit count in rmi_driver_set_irq_bits() and
-rmi_driver_clear_irq_bits().
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
- bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
-
- error_unlock:
-@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str
- __func__);
- goto error_unlock;
- }
-- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
-- data->num_of_irq_regs);
-+
-+ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
-
- error_unlock:
- mutex_unlock(&data->irq_mutex);
diff --git a/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
deleted file mode 100644
index 006668e86d..0000000000
--- a/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:35 -0700
-Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
-
-From: Dmitry Torokhov
-
-commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
-
-kfifo_put() returns 0 if the FIFO is full. In this case, we must
-free the memory allocated for the attention data to avoid a leak.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device
- attn_data.size = size;
- attn_data.data = fifo_data;
-
-- kfifo_put(&drvdata->attn_fifo, attn_data);
-+ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
-+ dev_warn_ratelimited(&rmi_dev->dev,
-+ "Failed to enqueue attention data, FIFO full\n");
-+ kfree(fifo_data);
-+ }
- }
- EXPORT_SYMBOL_GPL(rmi_set_attn_data);
-
diff --git a/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
deleted file mode 100644
index 2b07bcd9b2..0000000000
--- a/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:34 -0700
-Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
-
-From: Dmitry Torokhov
-
-commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
-
-RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
-may overflow num_subpackets in struct rmi_register_desc_item which is
-defined as a u8.
-
-Fix this by changing the type of num_subpackets to u16.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- drivers/input/rmi4/rmi_f12.c | 7 +++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -53,7 +53,7 @@ struct pdt_entry {
- struct rmi_register_desc_item {
- u16 reg;
- unsigned long reg_size;
-- u8 num_subpackets;
-+ u16 num_subpackets;
- unsigned long subpacket_map[BITS_TO_LONGS(
- RMI_REG_DESC_SUBPACKET_BITS)];
- };
---- a/drivers/input/rmi4/rmi_f12.c
-+++ b/drivers/input/rmi4/rmi_f12.c
-@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
- f12->data1 = item;
- f12->data1_offset = data_offset;
- data_offset += item->reg_size;
-+
-+ if (item->num_subpackets > 255) {
-+ dev_err(&fn->dev, "Too many fingers declared: %d\n",
-+ item->num_subpackets);
-+ return -EINVAL;
-+ }
-+
- sensor->nbr_fingers = item->num_subpackets;
- sensor->report_abs = 1;
- sensor->attn_size += item->reg_size;
diff --git a/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch
deleted file mode 100644
index b32bd203b9..0000000000
--- a/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:31 -0700
-Subject: Input: rmi4 - fix register descriptor address calculation
-
-From: Dmitry Torokhov
-
-commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
-
-When reading the register descriptor, the base address is incremented by
-1 to read the presence register block. However, after reading the
-presence register block, the address is incorrectly incremented by only
-1 byte (++addr) instead of the actual size of the presence block
-(size_presence_reg). This causes the subsequent structure block read to
-read from the wrong memory location if the presence block is larger than
-1 byte.
-
-Fix this by advancing the address by size_presence_reg.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de
- ret = rmi_read_block(d, addr, buf, size_presence_reg);
- if (ret)
- return ret;
-- ++addr;
-+ addr += size_presence_reg;
-
- if (buf[0] == 0) {
- presense_offset = 3;
diff --git a/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch
deleted file mode 100644
index 0c40092d6c..0000000000
--- a/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:33 -0700
-Subject: Input: rmi4 - fix type overflow in register counts
-
-From: Dmitry Torokhov
-
-commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
-
-The number of registers in the RMI4 register descriptor is populated
-by counting the bits in the presence map using bitmap_weight(). Since
-the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
-storing this count in a u8 can overflow to 0 if all 256 bits are set.
-
-Change the num_registers field in struct rmi_register_descriptor
-from u8 to u16 to prevent potential integer overflow and ensure safe
-processing of devices reporting large descriptors.
-
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/input/rmi4/rmi_driver.h
-+++ b/drivers/input/rmi4/rmi_driver.h
-@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
- struct rmi_register_descriptor {
- unsigned long struct_size;
- unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-- u8 num_registers;
-+ u16 num_registers;
- struct rmi_register_desc_item *registers;
- };
-
diff --git a/queue-7.1/input-rmi4-iterative-irq-handler.patch b/queue-7.1/input-rmi4-iterative-irq-handler.patch
deleted file mode 100644
index 6852b8662e..0000000000
--- a/queue-7.1/input-rmi4-iterative-irq-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:36 -0700
-Subject: Input: rmi4 - iterative IRQ handler
-
-From: Dmitry Torokhov
-
-commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
-
-The current IRQ handler uses recursion to drain the attention FIFO,
-which can lead to stack overflow on deep queues. Convert it to a
-loop.
-
-Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
- struct rmi4_attn_data attn_data = {0};
- int ret, count;
-
-- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-- if (count) {
-- *(drvdata->irq_status) = attn_data.irq_status;
-- drvdata->attn_data = attn_data;
-- }
-+ do {
-+ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
-+ if (count) {
-+ *drvdata->irq_status = attn_data.irq_status;
-+ drvdata->attn_data = attn_data;
-+ }
-
-- ret = rmi_process_interrupt_requests(rmi_dev);
-- if (ret)
-- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-- "Failed to process interrupt request: %d\n", ret);
-+ ret = rmi_process_interrupt_requests(rmi_dev);
-+ if (ret)
-+ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
-+ "Failed to process interrupt request: %d\n",
-+ ret);
-
-- if (count) {
-- kfree(attn_data.data);
-- drvdata->attn_data.data = NULL;
-- }
--
-- if (!kfifo_is_empty(&drvdata->attn_fifo))
-- return rmi_irq_fn(irq, dev_id);
-+ if (count) {
-+ kfree(attn_data.data);
-+ drvdata->attn_data.data = NULL;
-+ }
-+ } while (!kfifo_is_empty(&drvdata->attn_fifo));
-
- return IRQ_HANDLED;
- }
diff --git a/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch b/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch
deleted file mode 100644
index 27017a9767..0000000000
--- a/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov
-Date: Mon, 4 May 2026 21:59:32 -0700
-Subject: Input: rmi4 - refactor register descriptor parsing
-
-From: Dmitry Torokhov
-
-commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream.
-
-Factor out parsing a register descriptor item from
-rmi_read_register_desc() and ensure there are no out-of-bounds accesses.
-
-Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte
-values.
-
-Reported-by: Greg Kroah-Hartman
-Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
-Cc: stable@vger.kernel.org
-Assisted-by: Gemini:gemini-3.1-pro
-Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++----------------
- 1 file changed, 76 insertions(+), 48 deletions(-)
-
---- a/drivers/input/rmi4/rmi_driver.c
-+++ b/drivers/input/rmi4/rmi_driver.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
- #include "rmi_bus.h"
- #include "rmi_driver.h"
-
-@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_
- return retval < 0 ? retval : 0;
- }
-
-+static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item,
-+ const u8 *buf, size_t size)
-+{
-+ unsigned int offset = 0;
-+ unsigned int map_offset = 0;
-+ int b;
-+
-+ if (offset >= size)
-+ return -EIO;
-+
-+ item->reg_size = buf[offset++];
-+ if (item->reg_size == 0) {
-+ if (size - offset < 2)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le16(&buf[offset]);
-+ offset += 2;
-+ }
-+
-+ if (item->reg_size == 0) {
-+ if (size - offset < 4)
-+ return -EIO;
-+ item->reg_size = get_unaligned_le32(&buf[offset]);
-+ offset += 4;
-+ }
-+
-+ do {
-+ if (offset >= size)
-+ return -EIO;
-+
-+ for (b = 0; b < 7; b++) {
-+ if (buf[offset] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS)
-+ return -EIO;
-+ __set_bit(map_offset, item->subpacket_map);
-+ }
-+ ++map_offset;
-+ }
-+ } while (buf[offset++] & BIT(7));
-+
-+ item->num_subpackets = bitmap_weight(item->subpacket_map,
-+ RMI_REG_DESC_SUBPACKET_BITS);
-+
-+ return offset;
-+}
-+
- int rmi_read_register_desc(struct rmi_device *d, u16 addr,
-- struct rmi_register_descriptor *rdesc)
-+ struct rmi_register_descriptor *rdesc)
- {
- int ret;
- u8 size_presence_reg;
- u8 buf[35];
-- int presense_offset = 1;
-- u8 *struct_buf;
-- int reg;
-- int offset = 0;
-- int map_offset = 0;
-+ unsigned int presence_offset;
-+ unsigned int map_offset;
-+ unsigned int offset;
-+ unsigned int reg;
- int i;
- int b;
-
- /*
- * The first register of the register descriptor is the size of
-- * the register descriptor's presense register.
-+ * the register descriptor's presence register.
- */
- ret = rmi_read(d, addr, &size_presence_reg);
- if (ret)
- return ret;
- ++addr;
-
-- if (size_presence_reg < 0 || size_presence_reg > 35)
-+ if (size_presence_reg < 1 || size_presence_reg > 35)
- return -EIO;
-
- memset(buf, 0, sizeof(buf));
-@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de
- addr += size_presence_reg;
-
- if (buf[0] == 0) {
-- presense_offset = 3;
-- rdesc->struct_size = buf[1] | (buf[2] << 8);
-+ if (size_presence_reg < 3)
-+ return -EIO;
-+ presence_offset = 3;
-+ rdesc->struct_size = get_unaligned_le16(&buf[1]);
- } else {
-+ presence_offset = 1;
- rdesc->struct_size = buf[0];
- }
-
-- for (i = presense_offset; i < size_presence_reg; i++) {
-+ map_offset = 0;
-+ for (i = presence_offset; i < size_presence_reg; i++) {
- for (b = 0; b < 8; b++) {
-- if (buf[i] & (0x1 << b))
-+ if (buf[i] & BIT(b)) {
-+ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS)
-+ return -EIO;
- bitmap_set(rdesc->presense_map, map_offset, 1);
-+ }
- ++map_offset;
- }
- }
-@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de
- * I'm not using devm_kzalloc here since it will not be retained
- * after exiting this function
- */
-- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL);
-+ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL);
- if (!struct_buf)
- return -ENOMEM;
-
-@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de
- */
- ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size);
- if (ret)
-- goto free_struct_buff;
-+ return ret;
-
- reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS);
-+ offset = 0;
- for (i = 0; i < rdesc->num_registers; i++) {
- struct rmi_register_desc_item *item = &rdesc->registers[i];
-- int reg_size = struct_buf[offset];
-+ int item_size;
-
-- ++offset;
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8);
-- offset += 2;
-- }
--
-- if (reg_size == 0) {
-- reg_size = struct_buf[offset] |
-- (struct_buf[offset + 1] << 8) |
-- (struct_buf[offset + 2] << 16) |
-- (struct_buf[offset + 3] << 24);
-- offset += 4;
-- }
-+ item_size = rmi_parse_register_desc_item(item,
-+ &struct_buf[offset],
-+ rdesc->struct_size - offset);
-+ if (item_size < 0)
-+ return item_size;
-
- item->reg = reg;
-- item->reg_size = reg_size;
--
-- map_offset = 0;
--
-- do {
-- for (b = 0; b < 7; b++) {
-- if (struct_buf[offset] & (0x1 << b))
-- bitmap_set(item->subpacket_map,
-- map_offset, 1);
-- ++map_offset;
-- }
-- } while (struct_buf[offset++] & 0x80);
--
-- item->num_subpackets = bitmap_weight(item->subpacket_map,
-- RMI_REG_DESC_SUBPACKET_BITS);
-+ offset += item_size;
-
- rmi_dbg(RMI_DEBUG_CORE, &d->dev,
- "%s: reg: %d reg size: %ld subpackets: %d\n", __func__,
- item->reg, item->reg_size, item->num_subpackets);
-
- reg = find_next_bit(rdesc->presense_map,
-- RMI_REG_DESC_PRESENSE_BITS, reg + 1);
-+ RMI_REG_DESC_PRESENSE_BITS, reg + 1);
- }
-
--free_struct_buff:
-- kfree(struct_buf);
-- return ret;
-+ return 0;
- }
-
- const struct rmi_register_desc_item *rmi_get_register_desc_item(
diff --git a/queue-7.1/series b/queue-7.1/series
index cacf2f2248..45f502df2e 100644
--- a/queue-7.1/series
+++ b/queue-7.1/series
@@ -4,13 +4,6 @@ revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch
 agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
 iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
-input-rmi4-fix-register-descriptor-address-calculation.patch
-input-rmi4-refactor-register-descriptor-parsing.patch
-input-rmi4-fix-type-overflow-in-register-counts.patch
-input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
-input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
-input-rmi4-iterative-irq-handler.patch
-input-rmi4-fix-bit-count-in-bitmap_copy.patch
 crypto-qat-remove-unused-character-device-and-ioctls.patch
 vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
 serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch