Input: rmi4 - fix num_subpackets overflow in register descriptor
authorDmitry Torokhov <dmitry.torokhov@gmail.com>
Tue, 5 May 2026 04:59:34 +0000 (21:59 -0700)
committerDmitry Torokhov <dmitry.torokhov@gmail.com>
Fri, 12 Jun 2026 05:39:27 +0000 (22:39 -0700)
RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
may overflow num_subpackets in struct rmi_register_desc_item which is
defined as a u8.

Fix this by changing the type of num_subpackets to u16.

Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/rmi4/rmi_driver.h
drivers/input/rmi4/rmi_f12.c

index 5f769fcc758d71074f67597928934fc4b2148b88..6952059bf4f5194b119619ff26f43831b7c4fb45 100644 (file)
@@ -53,7 +53,7 @@ struct pdt_entry {
 struct rmi_register_desc_item {
        u16 reg;
        unsigned long reg_size;
-       u8 num_subpackets;
+       u16 num_subpackets;
        unsigned long subpacket_map[BITS_TO_LONGS(
                                RMI_REG_DESC_SUBPACKET_BITS)];
 };
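Review bot: Nothing at the declaration ties the new `u16` width of `num_subpackets` to the bound it has to hold, so a later increase of `RMI_REG_DESC_SUBPACKET_BITS` could silently reintroduce the truncation. The commit message gives the current bound as 296; a field comment such as `/* number of set bits in subpacket_map, at most RMI_REG_DESC_SUBPACKET_BITS */` plus `static_assert(RMI_REG_DESC_SUBPACKET_BITS <= U16_MAX);` after the struct would make the assumption checkable at build time. The count presumably comes from a register descriptor read from the device, so any other reader of `num_subpackets` that copies it into a narrower field (none is visible in this hunk) needs the same range check the F12 probe gets.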
index 8246fe77114bbd8b795ba35d5a37ede8727fc7cb..c2b07c6905d783ed8ce5a908a4cbfec5308d7da5 100644 (file)
@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_function *fn)
                f12->data1 = item;
                f12->data1_offset = data_offset;
                data_offset += item->reg_size;
+
+               if (item->num_subpackets > 255) {
+                       dev_err(&fn->dev, "Too many fingers declared: %d\n",
+                               item->num_subpackets);
+                       return -EINVAL;
+               }
+
                sensor->nbr_fingers = item->num_subpackets;
                sensor->report_abs = 1;
                sensor->attn_size += item->reg_size;
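Review bot: The literal `255` in the new check is unexplained. It presumably mirrors the width of `sensor->nbr_fingers` (its declaration is not in this hunk), since without the guard the assignment two lines below would silently truncate a device-reported count. Writing it as `if (item->num_subpackets > U8_MAX) {` with a comment like `/* nbr_fingers is 8 bits wide; reject rather than truncate */` keeps the limit tied to the destination. `num_subpackets` is now an unsigned type, so `%u` is the matching specifier in the `dev_err()` format string. rmi_f12_probe starts and ends outside the hunk, so whether the early `return -EINVAL` skips any cleanup cannot be judged from here.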