]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
Input: rmi4 - fix type overflow in register counts
authorDmitry Torokhov <dmitry.torokhov@gmail.com>
Tue, 5 May 2026 04:59:33 +0000 (21:59 -0700)
committerDmitry Torokhov <dmitry.torokhov@gmail.com>
Fri, 12 Jun 2026 05:39:27 +0000 (22:39 -0700)
The number of registers in the RMI4 register descriptor is populated
by counting the bits in the presence map using bitmap_weight(). Since
the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
storing this count in a u8 can overflow to 0 if all 256 bits are set.

Change the num_registers field in struct rmi_register_descriptor
from u8 to u16 to prevent potential integer overflow and ensure safe
processing of devices reporting large descriptors.

Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/rmi4/rmi_driver.h

index e84495caab1514f56b28a2144c32795b82039b1c..5f769fcc758d71074f67597928934fc4b2148b88 100644 (file)
@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
 struct rmi_register_descriptor {
        unsigned long struct_size;
        unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
-       u8 num_registers;
+       u16 num_registers;
        struct rmi_register_desc_item *registers;
 };