<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/input/misc, branch v7.1-rc6</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input</title>
<updated>2026-05-31T15:27:18+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-05-31T15:27:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=227abb780c68687d6800cf9eafaff0cbeca4bf45'/>
<id>227abb780c68687d6800cf9eafaff0cbeca4bf45</id>
<content type='text'>
Pull input fixes from Dmitry Torokhov:

 - updates to Elan I2C touchpad driver to handle a new IC type and to
   validate size of supplied firmware to prevent OOB access

 - updates to Xpad controller driver to recognize ASUS ROG RAIKIRI II
   and "Nova 2 Lite" from GameSir controllers as well as a fix to
   prevent a potential OOB access when handling "Share" button

 - an update to Synaptics touchpad driver to use RMI mode for touchpad
   in ThinkPad E490

 - updates to Atmel MXT driver adding checks to prevent potential OOB
   accesses

 - a fix to IMS PCU driver to free correct amount of memory when tearing
   it down

 - a fixup to the recent change to Atlas buttons driver

 - a small cleanup in fm801-gp for PCI IDs table initialisation

* tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  Input: atlas - check ACPI_COMPANION() against NULL
  Input: atmel_mxt_ts - check mem_size before calculating config memory size
  Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  Input: fm801-gp - simplify initialisation of pci_device_id array
  Input: xpad - add "Nova 2 Lite" from GameSir
  Input: xpad - add support for ASUS ROG RAIKIRI II
  Input: elan_i2c - validate firmware size before use
  Input: xpad - fix out-of-bounds access for Share button
  Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  Input: elan_i2c - increase device reset wait timeout after update FW
  Input: elan_i2c - add ic type 0x19
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull input fixes from Dmitry Torokhov:

 - updates to Elan I2C touchpad driver to handle a new IC type and to
   validate size of supplied firmware to prevent OOB access

 - updates to Xpad controller driver to recognize ASUS ROG RAIKIRI II
   and "Nova 2 Lite" from GameSir controllers as well as a fix to
   prevent a potential OOB access when handling "Share" button

 - an update to Synaptics touchpad driver to use RMI mode for touchpad
   in ThinkPad E490

 - updates to Atmel MXT driver adding checks to prevent potential OOB
   accesses

 - a fix to IMS PCU driver to free correct amount of memory when tearing
   it down

 - a fixup to the recent change to Atlas buttons driver

 - a small cleanup in fm801-gp for PCI IDs table initialisation

* tag 'input-for-v7.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  Input: atlas - check ACPI_COMPANION() against NULL
  Input: atmel_mxt_ts - check mem_size before calculating config memory size
  Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  Input: fm801-gp - simplify initialisation of pci_device_id array
  Input: xpad - add "Nova 2 Lite" from GameSir
  Input: xpad - add support for ASUS ROG RAIKIRI II
  Input: elan_i2c - validate firmware size before use
  Input: xpad - fix out-of-bounds access for Share button
  Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  Input: elan_i2c - increase device reset wait timeout after update FW
  Input: elan_i2c - add ic type 0x19
</pre>
</div>
</content>
</entry>
<entry>
<title>Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()</title>
<updated>2026-05-22T17:01:52+00:00</updated>
<author>
<name>Thomas Fourier</name>
<email>fourier.thomas@gmail.com</email>
</author>
<published>2026-05-22T08:54:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8'/>
<id>dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8</id>
<content type='text'>
The input buffer size is pcu-&gt;max_in_size, but pcu-&gt;max_out_size is
passed to usb_free_coherent().

Change size to match the allocation size.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier &lt;fourier.thomas@gmail.com&gt;
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The input buffer size is pcu-&gt;max_in_size, but pcu-&gt;max_out_size is
passed to usb_free_coherent().

Change size to match the allocation size.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier &lt;fourier.thomas@gmail.com&gt;
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Input: atlas - check ACPI_COMPANION() against NULL</title>
<updated>2026-05-12T17:57:03+00:00</updated>
<author>
<name>Rafael J. Wysocki</name>
<email>rafael.j.wysocki@intel.com</email>
</author>
<published>2026-05-12T16:26:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6f89d96fff65aec1ff12bc566fca0eb1bb59e16e'/>
<id>6f89d96fff65aec1ff12bc566fca0eb1bb59e16e</id>
<content type='text'>
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.

Accordingly, add a requisite ACPI_COMPANION() check against NULL to the
atlas_btns driver.

Fixes: b8303880b641 ("Input: atlas - convert ACPI driver to a platform one")
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Link: https://patch.msgid.link/8696590.T7Z3S40VBb@rafael.j.wysocki
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Every platform driver can be forced to match a device that doesn't match
its list of device IDs because of device_match_driver_override(), so
platform drivers that rely on the existence of a device's ACPI companion
object need to verify its presence.

Accordingly, add a requisite ACPI_COMPANION() check against NULL to the
atlas_btns driver.

Fixes: b8303880b641 ("Input: atlas - convert ACPI driver to a platform one")
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Link: https://patch.msgid.link/8696590.T7Z3S40VBb@rafael.j.wysocki
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input</title>
<updated>2026-04-23T01:36:40+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-23T01:36:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=429e6c7f90d12a8551b3eaa9faca7cfaefd99b1d'/>
<id>429e6c7f90d12a8551b3eaa9faca7cfaefd99b1d</id>
<content type='text'>
Pull input updates from Dmitry Torokhov:

 - a new charlieplex GPIO keypad driver

 - an update to aw86927 driver to support 86938 chip

 - an update for Chrome OS EC keyboard driver to support Fn-&lt;key&gt; keymap
   extension

 - a UAF fix in debugfs teardown in EDT touchscreen driver

 - a number of conversions for input drivers to use guard() and __free()
   cleanup primitives

 - several drivers for bus mice (inport, logibm) and other very old
   devices have been removed

 - OLPC HGPK PS/2 protocol has been removed as it's been broken and
   inactive for 10 something years

 - dedicated kpsmoused has been removed from psmouse driver

 - other assorted cleanups and fixups

* tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (101 commits)
  Input: charlieplex_keypad - add GPIO charlieplex keypad
  dt-bindings: input: add GPIO charlieplex keypad
  dt-bindings: input: add settling-time-us common property
  dt-bindings: input: add debounce-delay-ms common property
  Input: imx_keypad - fix spelling mistake "Colums" -&gt; "Columns"
  Input: edt-ft5x06 - fix use-after-free in debugfs teardown
  Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
  Input: ct82c710 - remove driver
  Input: mk712 - remove driver
  Input: logibm - remove driver
  Input: inport - remove driver
  Input: qt1070 - inline i2c_check_functionality check
  Input: qt1050 - inline i2c_check_functionality check
  Input: aiptek - validate raw macro indices before updating state
  Input: gf2k - skip invalid hat lookup values
  Input: xpad - add RedOctane Games vendor id
  Input: xpad - remove stale TODO and changelog header
  Input: usbtouchscreen - refactor endpoint lookup
  Input: aw86927 - add support for Awinic AW86938
  dt-bindings: input: awinic,aw86927: Add Awinic AW86938
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull input updates from Dmitry Torokhov:

 - a new charlieplex GPIO keypad driver

 - an update to aw86927 driver to support 86938 chip

 - an update for Chrome OS EC keyboard driver to support Fn-&lt;key&gt; keymap
   extension

 - a UAF fix in debugfs teardown in EDT touchscreen driver

 - a number of conversions for input drivers to use guard() and __free()
   cleanup primitives

 - several drivers for bus mice (inport, logibm) and other very old
   devices have been removed

 - OLPC HGPK PS/2 protocol has been removed as it's been broken and
   inactive for 10 something years

 - dedicated kpsmoused has been removed from psmouse driver

 - other assorted cleanups and fixups

* tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (101 commits)
  Input: charlieplex_keypad - add GPIO charlieplex keypad
  dt-bindings: input: add GPIO charlieplex keypad
  dt-bindings: input: add settling-time-us common property
  dt-bindings: input: add debounce-delay-ms common property
  Input: imx_keypad - fix spelling mistake "Colums" -&gt; "Columns"
  Input: edt-ft5x06 - fix use-after-free in debugfs teardown
  Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
  Input: ct82c710 - remove driver
  Input: mk712 - remove driver
  Input: logibm - remove driver
  Input: inport - remove driver
  Input: qt1070 - inline i2c_check_functionality check
  Input: qt1050 - inline i2c_check_functionality check
  Input: aiptek - validate raw macro indices before updating state
  Input: gf2k - skip invalid hat lookup values
  Input: xpad - add RedOctane Games vendor id
  Input: xpad - remove stale TODO and changelog header
  Input: usbtouchscreen - refactor endpoint lookup
  Input: aw86927 - add support for Awinic AW86938
  dt-bindings: input: awinic,aw86927: Add Awinic AW86938
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'next' into for-linus</title>
<updated>2026-04-20T01:28:57+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-04-20T01:28:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f4b369c6fe0ceaba2da2daff8c9eb415f85926dd'/>
<id>f4b369c6fe0ceaba2da2daff8c9eb415f85926dd</id>
<content type='text'>
Prepare input updates for 7.1 merge window.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Prepare input updates for 7.1 merge window.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux</title>
<updated>2026-04-17T15:53:23+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-17T15:53:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d730905bc3c0075275b2d109cd971735274b98c0'/>
<id>d730905bc3c0075275b2d109cd971735274b98c0</id>
<content type='text'>
Pull MIPS updates from Thomas Bogendoerfer:

 - Support for Mobileye EyeQ6Lplus

 - Cleanups and fixes

* tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (30 commits)
  MIPS/mtd: Handle READY GPIO in generic NAND platform data
  MIPS/input: Move RB532 button to GPIO descriptors
  MIPS: validate DT bootargs before appending them
  MIPS: Alchemy: Remove unused forward declaration
  MAINTAINERS: Mobileye: Add EyeQ6Lplus files
  MIPS: config: add eyeq6lplus_defconfig
  MIPS: Add Mobileye EyeQ6Lplus evaluation board dts
  MIPS: Add Mobileye EyeQ6Lplus SoC dtsi
  clk: eyeq: Add Mobileye EyeQ6Lplus OLB
  clk: eyeq: Adjust PLL accuracy computation
  clk: eyeq: Skip post-divisor when computing PLL frequency
  pinctrl: eyeq5: Add Mobileye EyeQ6Lplus OLB
  pinctrl: eyeq5: Use match data
  reset: eyeq: Add Mobileye EyeQ6Lplus OLB
  MIPS: Add Mobileye EyeQ6Lplus support
  dt-bindings: soc: mobileye: Add EyeQ6Lplus OLB
  dt-bindings: mips: Add Mobileye EyeQ6Lplus SoC
  MIPS: dts: loongson64g-package: Switch to Loongson UART driver
  mips: pci-mt7620: rework initialization procedure
  mips: pci-mt7620: add more register init values
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull MIPS updates from Thomas Bogendoerfer:

 - Support for Mobileye EyeQ6Lplus

 - Cleanups and fixes

* tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (30 commits)
  MIPS/mtd: Handle READY GPIO in generic NAND platform data
  MIPS/input: Move RB532 button to GPIO descriptors
  MIPS: validate DT bootargs before appending them
  MIPS: Alchemy: Remove unused forward declaration
  MAINTAINERS: Mobileye: Add EyeQ6Lplus files
  MIPS: config: add eyeq6lplus_defconfig
  MIPS: Add Mobileye EyeQ6Lplus evaluation board dts
  MIPS: Add Mobileye EyeQ6Lplus SoC dtsi
  clk: eyeq: Add Mobileye EyeQ6Lplus OLB
  clk: eyeq: Adjust PLL accuracy computation
  clk: eyeq: Skip post-divisor when computing PLL frequency
  pinctrl: eyeq5: Add Mobileye EyeQ6Lplus OLB
  pinctrl: eyeq5: Use match data
  reset: eyeq: Add Mobileye EyeQ6Lplus OLB
  MIPS: Add Mobileye EyeQ6Lplus support
  dt-bindings: soc: mobileye: Add EyeQ6Lplus OLB
  dt-bindings: mips: Add Mobileye EyeQ6Lplus SoC
  MIPS: dts: loongson64g-package: Switch to Loongson UART driver
  mips: pci-mt7620: rework initialization procedure
  mips: pci-mt7620: add more register init values
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>MIPS/input: Move RB532 button to GPIO descriptors</title>
<updated>2026-04-13T13:41:56+00:00</updated>
<author>
<name>Linus Walleij</name>
<email>linusw@kernel.org</email>
</author>
<published>2026-03-28T15:55:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=42671e9c1e40032f982d2163ba4867dc85e23832'/>
<id>42671e9c1e40032f982d2163ba4867dc85e23832</id>
<content type='text'>
Convert the Mikrotik RouterBoard RB532 to use GPIO descriptors
by defining a software node for the GPIO chip, then register
the button platform device with full info passing the GPIO
as a device property.

This can be used as a base to move more of the RB532 devices
over to passing GPIOs using device properties.

Use the GPIO_ACTIVE_LOW flag and drop the inversion in the
rb532_button_pressed() function.

Signed-off-by: Linus Walleij &lt;linusw@kernel.org&gt;
Acked-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Signed-off-by: Thomas Bogendoerfer &lt;tsbogend@alpha.franken.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Convert the Mikrotik RouterBoard RB532 to use GPIO descriptors
by defining a software node for the GPIO chip, then register
the button platform device with full info passing the GPIO
as a device property.

This can be used as a base to move more of the RB532 devices
over to passing GPIOs using device properties.

Use the GPIO_ACTIVE_LOW flag and drop the inversion in the
rb532_button_pressed() function.

Signed-off-by: Linus Walleij &lt;linusw@kernel.org&gt;
Acked-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Signed-off-by: Thomas Bogendoerfer &lt;tsbogend@alpha.franken.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'input-for-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input</title>
<updated>2026-04-11T18:12:38+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-11T18:12:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=778322a06e217e768ba3dc550a6f599f73ed781d'/>
<id>778322a06e217e768ba3dc550a6f599f73ed781d</id>
<content type='text'>
Pull input fixes from Dmitry Torokhov:
 "Two fixes for force feedback handling in uinput driver:

   - fix circular locking dependency in uinput

   - fix potential corruption of uinput event queue"

* tag 'input-for-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: uinput - take event lock when submitting FF request "event"
  Input: uinput - fix circular locking dependency with ff-core
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull input fixes from Dmitry Torokhov:
 "Two fixes for force feedback handling in uinput driver:

   - fix circular locking dependency in uinput

   - fix potential corruption of uinput event queue"

* tag 'input-for-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: uinput - take event lock when submitting FF request "event"
  Input: uinput - fix circular locking dependency with ff-core
</pre>
</div>
</content>
</entry>
<entry>
<title>Input: uinput - take event lock when submitting FF request "event"</title>
<updated>2026-04-08T17:16:49+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-04-08T05:16:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ff14dafde15c11403fac61367a34fea08926e9ee'/>
<id>ff14dafde15c11403fac61367a34fea08926e9ee</id>
<content type='text'>
To avoid racing with FF playback events and corrupting device's event
queue take event_lock spinlock when calling uinput_dev_event() when
submitting a FF upload or erase "event".

Tested-by: Mikhail Gavrilov &lt;mikhail.v.gavrilov@gmail.com&gt;
Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To avoid racing with FF playback events and corrupting device's event
queue take event_lock spinlock when calling uinput_dev_event() when
submitting a FF upload or erase "event".

Tested-by: Mikhail Gavrilov &lt;mikhail.v.gavrilov@gmail.com&gt;
Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()</title>
<updated>2026-04-08T17:15:46+00:00</updated>
<author>
<name>Seungjin Bae</name>
<email>eeodqql09@gmail.com</email>
</author>
<published>2026-04-08T16:03:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=875115b82c295277b81b6dfee7debc725f44e854'/>
<id>875115b82c295277b81b6dfee7debc725f44e854</id>
<content type='text'>
The `ims_pcu_process_data()` processes incoming URB data byte by byte.
However, it fails to check if the `read_pos` index exceeds
IMS_PCU_BUF_SIZE.

If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
`read_pos` will increment indefinitely. Moreover, since `read_pos` is
located immediately after `read_buf`, the attacker can overwrite
`read_pos` itself to arbitrarily control the index.

This manipulated `read_pos` is subsequently used in
`ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
heap buffer overflow.

Specifically, an attacker can overwrite the `cmd_done.wait.head` located
at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
Consequently, when the driver calls `complete(&amp;pcu-&gt;cmd_done)`, it
triggers a control flow hijack by using the manipulated pointer.

Fix this by adding a bounds check for `read_pos` before writing to
`read_buf`. If the packet is too long, discard it, log a warning,
and reset the parser state.

Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
Co-developed-by: Sanghoon Choi &lt;csh0052@gmail.com&gt;
Signed-off-by: Sanghoon Choi &lt;csh0052@gmail.com&gt;
Signed-off-by: Seungjin Bae &lt;eeodqql09@gmail.com&gt;
Link: https://patch.msgid.link/20251221211442.841549-2-eeodqql09@gmail.com
[dtor: factor out resetting packet state, reset checksum as well]
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The `ims_pcu_process_data()` processes incoming URB data byte by byte.
However, it fails to check if the `read_pos` index exceeds
IMS_PCU_BUF_SIZE.

If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
`read_pos` will increment indefinitely. Moreover, since `read_pos` is
located immediately after `read_buf`, the attacker can overwrite
`read_pos` itself to arbitrarily control the index.

This manipulated `read_pos` is subsequently used in
`ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
heap buffer overflow.

Specifically, an attacker can overwrite the `cmd_done.wait.head` located
at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
Consequently, when the driver calls `complete(&amp;pcu-&gt;cmd_done)`, it
triggers a control flow hijack by using the manipulated pointer.

Fix this by adding a bounds check for `read_pos` before writing to
`read_buf`. If the packet is too long, discard it, log a warning,
and reset the parser state.

Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
Co-developed-by: Sanghoon Choi &lt;csh0052@gmail.com&gt;
Signed-off-by: Sanghoon Choi &lt;csh0052@gmail.com&gt;
Signed-off-by: Seungjin Bae &lt;eeodqql09@gmail.com&gt;
Link: https://patch.msgid.link/20251221211442.841549-2-eeodqql09@gmail.com
[dtor: factor out resetting packet state, reset checksum as well]
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
