linux-stable.git/drivers/hid, branch v3.16.4 Linux kernel stable tree HID: logitech-dj: prevent false errors to be shown 2014-10-05T20:40:54+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2014-08-22T20:16:05+00:00 af85b8619e6445594df097e713eb222e3b38f45f commit 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 upstream. Commit "HID: logitech: perform bounds checking on device_id early enough" unfortunately leaks some errors to dmesg which are not real ones: - if the report is not a DJ one, then there is not point in checking the device_id - the receiver (index 0) can also receive some notifications which can be safely ignored given the current implementation Move out the test regarding the report_id and also discards printing errors when the receiver got notified. Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 upstream.

Commit "HID: logitech: perform bounds checking on device_id early
enough" unfortunately leaks some errors to dmesg which are not real
ones:
- if the report is not a DJ one, then there is not point in checking
  the device_id
- the receiver (index 0) can also receive some notifications which
  can be safely ignored given the current implementation

Move out the test regarding the report_id and also discards
printing errors when the receiver got notified.

Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: magicmouse: sanity check report size in raw_event() callback 2014-10-05T20:40:54+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:12:24+00:00 249b61a6ba71975a83031c06b22013a37619a8b7 commit c54def7bd64d7c0b6993336abcffb8444795bf38 upstream. The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that magicmouse_emit_touch() gets only valid values of raw_id. Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c54def7bd64d7c0b6993336abcffb8444795bf38 upstream.

The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.

Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: picolcd: sanity check report size in raw_event() callback 2014-10-05T20:40:54+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:13:15+00:00 0db6de5fa66e02a03089d69bdc5db6d6947ed76b commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream. The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 844817e47eef14141cf59b8d5ac08dd11c0a9189 upstream.

The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.

Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: fix a couple of off-by-ones 2014-09-05T23:36:24+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:48+00:00 fc1d74628298b9c14bd978ada534731e369dc29c commit 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 upstream. There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those. Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 upstream.

There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.

Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: logitech: perform bounds checking on device_id early enough 2014-09-05T23:36:23+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:17+00:00 e98c81884fe28d29a48a6dfa6512deccb8482fb7 commit ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 upstream. device_index is a char type and the size of paired_dj_deivces is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used. We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event(). Fix this by performing the check at the earliest possible ocasion in logi_dj_raw_event(). Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 upstream.

device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.

We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().

Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().

Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: logitech: fix bounds checking on LED report size 2014-09-05T23:36:23+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:56:47+00:00 b8c0d10f1f43301bab6146874963749003a3d567 commit 51217e69697fba92a06e07e16f55c9a52d8e8945 upstream. The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request() is wrong; the current check doesn't make any sense -- the report allocated by HID core in hid_hw_raw_request() can be much larger than DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't handle this properly at all. Fix the check by actually trimming down the report size properly if it is too large. Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 51217e69697fba92a06e07e16f55c9a52d8e8945 upstream.

The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
is wrong; the current check doesn't make any sense -- the report allocated
by HID core in hid_hw_raw_request() can be much larger than
DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
handle this properly at all.

Fix the check by actually trimming down the report size properly if it is
too large.

Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-07-07T20:13:03+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-07-07T20:13:03+00:00 4c2f503aade27ebf12f5733a583d711f99dc5ec1 Pull HID fixes from Jiri Kosina: "A few tiny HID subsystem fixes for 3.16" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: use multi input quirk for 22b9:2968 HID: sensor-hub: fix potential memory leak HID: usbhid: quirk for PM1610 and PM1640 Touchscreen. HID: rmi: Protect PM-only functions by #ifdef CONFIG_PM HID: sensor-hub: introduce Kconfig dependency on IOMEM HID: sensor-hub: make dyn_callback_lock IRQ-safe 
Pull HID fixes from Jiri Kosina:
 "A few tiny HID subsystem fixes for 3.16"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: use multi input quirk for 22b9:2968
  HID: sensor-hub: fix potential memory leak
  HID: usbhid: quirk for PM1610 and PM1640 Touchscreen.
  HID: rmi: Protect PM-only functions by #ifdef CONFIG_PM
  HID: sensor-hub: introduce Kconfig dependency on IOMEM
  HID: sensor-hub: make dyn_callback_lock IRQ-safe
HID: use multi input quirk for 22b9:2968 2014-07-07T13:40:18+00:00 Wen-chien Jesse Sung jesse.sung@canonical.com 2014-07-02T13:06:59+00:00 3179e8e684603645b573fdc46139473d5ee4b189 This device generates ABS_Z and ABS_RX events instead of ABS_X and ABS_Y. Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
This device generates ABS_Z and ABS_RX events instead of ABS_X and
ABS_Y.

Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: sensor-hub: fix potential memory leak 2014-06-30T11:21:50+00:00 Jiri Slaby jslaby@suse.cz 2014-06-30T09:34:48+00:00 ceec634076b91bea57107541a46e92d765c69488 hsdev is not freed in sensor_hub_probe when kasprintf inside the for loop fails. This is because hsdev is not set to platform_data yet (to be freed by the code in the err_no_mem label). So free the memory explicitly in the 'if' branch, as this is the only place where this is (and will) be needed. Reported-by: coverity Signed-off-by: Jiri Slaby <jslaby@suse.cz> Cc: srinivas pandruvada <srinivas.pandruvada@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
hsdev is not freed in sensor_hub_probe when kasprintf inside the for
loop fails. This is because hsdev is not set to platform_data yet (to
be freed by the code in the err_no_mem label). So free the memory
explicitly in the 'if' branch, as this is the only place where this is
(and will) be needed.

Reported-by: coverity
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: srinivas pandruvada <srinivas.pandruvada@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: usbhid: quirk for PM1610 and PM1640 Touchscreen. 2014-06-27T14:02:39+00:00 John Sung penmount.touch@gmail.com 2014-06-27T08:22:08+00:00 66e5482752386786c4346f4f4b214b0998639702 These device needs to be added to the quirks list with HID_QUIRK_NOGET, otherwise they will reset upon receiving the get input report requests. Signed-off-by: John Sung <penmount.touch@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
These device needs to be added to the quirks list with HID_QUIRK_NOGET,
otherwise they will reset upon receiving the get input report requests.

Signed-off-by: John Sung <penmount.touch@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>