<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/input/rmi4, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-27T05:23:40+00:00</updated>
<entry>
<title>Input: rmi4 - tolerate short register descriptor structure</title>
<updated>2026-06-27T05:23:40+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-06-26T23:33:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2d6d33e45dd4fb768758d5f6e747deadcd66b9fc'/>
<id>urn:sha1:2d6d33e45dd4fb768758d5f6e747deadcd66b9fc</id>
<content type='text'>
Some touchpads (e.g. ThinkPad T14 Gen 1) have buggy firmware that reports
a register descriptor structure size that is too small for the number of
registers it claims to have in the presence map. The remaining bytes in
the structure are 0, which with the new strict bounds checking causes the
parser to fail with -EIO, aborting the device probe.

Tolerate such short reads by dropping the remaining (unparseable or
0-size) registers from the list instead of failing the probe,
preventing the driver from trying to use them.

Fixes: 0adb483fbf2d ("Input: rmi4 - refactor register descriptor parsing")
Reported-by: Barry K. Nathan &lt;barryn@pobox.com&gt;
Tested-by: Barry K. Nathan &lt;barryn@pobox.com&gt;
Cc: stable@vger.kernel.org
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Revert "Input: rmi4 - fix register descriptor address calculation"</title>
<updated>2026-06-27T05:22:42+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-06-27T00:42:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d85589879f19ad8514c508709865f064be761df5'/>
<id>urn:sha1:d85589879f19ad8514c508709865f064be761df5</id>
<content type='text'>
The register descriptor presence register is a packet register, which
means its bytes share a single RMI address. It does not occupy
consecutive addresses, and the register structure that follows it
is located at the next RMI address (presence_address + 1), not
(presence_address + presence_size).

Revert the incorrect address calculation introduced in commit
a98518e72439.

Reported-by: "Barry K. Nathan" &lt;barryn@pobox.com&gt;
Tested-by: "Barry K. Nathan" &lt;barryn@pobox.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: synaptics-rmi4 - bound the F30 keymap to the GPIO/LED count</title>
<updated>2026-06-26T00:46:20+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-14T05:36:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d577e46785d45484b2ab7e7309c49b18764bf56c'/>
<id>urn:sha1:d577e46785d45484b2ab7e7309c49b18764bf56c</id>
<content type='text'>
rmi_f30_map_gpios() allocates gpioled_key_map with
min(gpioled_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f30_attention() iterates the full f30-&gt;gpioled_count (device query
register, range 0..31) and dereferences gpioled_key_map[i], and
input-&gt;keycodemax is set to the full gpioled_count while input-&gt;keycode
points at the 6-entry allocation.

A device that reports gpioled_count &gt; 6 with GPIO support enabled
therefore causes an out-of-bounds read on the attention interrupt and
out-of-bounds read/write through the EVIOCGKEYCODE/EVIOCSKEYCODE ioctls,
which bound the index only against keycodemax. This is the same defect
as the F3A handler, which was copied from F30.

Size the keymap for the full gpioled_count; the mapping loop still
assigns only the first min(gpioled_count, TRACKSTICK_RANGE_END) entries.

Fixes: 3e64fcbdbd10 ("Input: synaptics-rmi4 - limit the range of what GPIOs are buttons")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-2-cf39a3615085@proton.me
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: synaptics-rmi4 - bound the F3A keymap to the GPIO count</title>
<updated>2026-06-26T00:46:20+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-14T05:36:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=57c10915f2c16c90e0d46ad00876bf39ece40fc2'/>
<id>urn:sha1:57c10915f2c16c90e0d46ad00876bf39ece40fc2</id>
<content type='text'>
rmi_f3a_initialize() takes the GPIO count from the device query register
(f3a-&gt;gpio_count = buf &amp; RMI_F3A_GPIO_COUNT, range 0..127).
rmi_f3a_map_gpios() then allocates gpio_key_map with
min(gpio_count, TRACKSTICK_RANGE_END) == at most 6 entries, but
rmi_f3a_attention() iterates the full gpio_count and dereferences
gpio_key_map[i], and input-&gt;keycodemax is set to the full gpio_count
while input-&gt;keycode points at the 6-entry allocation.

A device that reports gpio_count &gt; 6 therefore causes an out-of-bounds
read of gpio_key_map[] on every attention interrupt, and out-of-bounds
accesses through the input core's default keymap ioctls: EVIOCGKEYCODE
reads past the buffer (leaking adjacent slab memory to user space) and
EVIOCSKEYCODE writes a caller-controlled value past it, for any process
able to open the evdev node, since input_default_getkeycode() and
input_default_setkeycode() only bound the index against keycodemax.

Size the keymap for the full gpio_count. The mapping loop is unchanged:
it still assigns only the first min(gpio_count, TRACKSTICK_RANGE_END)
entries; the remaining slots stay KEY_RESERVED (devm_kcalloc zero-fills)
and are skipped when reporting.

Fixes: 9e4c596bfd00 ("Input: synaptics-rmi4 - add support for F3A")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Link: https://patch.msgid.link/20260614-b4-disp-818d6bda-v1-1-cf39a3615085@proton.me
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - update formatting in F12</title>
<updated>2026-06-12T05:39:30+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=040b099a58aad06e436cd3a46475fa983efd6c93'/>
<id>urn:sha1:040b099a58aad06e436cd3a46475fa983efd6c93</id>
<content type='text'>
Clean up various style and formatting issues in the F12 code.

Link: https://patch.msgid.link/20260505045952.1570713-20-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - propagate proper error code in F12 sensor tuning</title>
<updated>2026-06-12T05:39:29+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0655e58946e480cb99fb276e87280d0715b32ada'/>
<id>urn:sha1:0655e58946e480cb99fb276e87280d0715b32ada</id>
<content type='text'>
Propagate the actual error code returned by rmi_read() in
rmi_f12_read_sensor_tuning() instead of hardcoding -ENODEV.
Also, since rmi_read() returns 0 on success, use 'if (ret)'
instead of 'if (ret &lt; 0)'.

Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-19-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - simplify size calculations in F12</title>
<updated>2026-06-12T05:39:29+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7d8be1ecf44f032f3fb444088b43b933ead9b00d'/>
<id>urn:sha1:7d8be1ecf44f032f3fb444088b43b933ead9b00d</id>
<content type='text'>
Use min_t() to simplify the clamping logic when calculating the
number of objects to process and the number of valid bytes in the
attention handler.

Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-18-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators</title>
<updated>2026-06-12T05:39:29+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=57d9212421e3a10fc336bed732e70b8521fea1e6'/>
<id>urn:sha1:57d9212421e3a10fc336bed732e70b8521fea1e6</id>
<content type='text'>
Using sizeof(*ptr) is preferred over sizeof(struct) because it is
more robust against type changes. Also switch to checking for
allocation failure immediately after each call, and update
formatting.

Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-17-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - use devm_kmalloc for F12 data packet buffer</title>
<updated>2026-06-12T05:39:29+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1ea51794d7e67f54ffe003bb04dd7e43107644d1'/>
<id>urn:sha1:1ea51794d7e67f54ffe003bb04dd7e43107644d1</id>
<content type='text'>
The sensor-&gt;data_pkt buffer is used exclusively to store incoming
hardware data during the attention handler, where it is entirely
overwritten by either memcpy() or rmi_read_block(). Therefore,
there is no need to zero-initialize it during probe.

Switch to devm_kmalloc() to avoid the unnecessary memset overhead.

Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-16-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: rmi4 - use flexible array member for IRQ masks in F12</title>
<updated>2026-06-12T05:39:29+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-05-05T04:59:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bcaea0fe87d521c044a3efc4ba3b78914072ed03'/>
<id>urn:sha1:bcaea0fe87d521c044a3efc4ba3b78914072ed03</id>
<content type='text'>
Use a flexible array member to allocate the IRQ masks at the end of
the f12_data structure, and use the struct_size() helper to
calculate the allocation size safely. This replaces manual pointer
arithmetic.

Assisted-by: Gemini:gemini-3.1-pro
Link: https://patch.msgid.link/20260505045952.1570713-15-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
</feed>
