linux-stable.git/drivers/hid, branch v3.17.2 Linux kernel stable tree HID: rmi: check sanity of the incoming report 2014-10-30T16:43:07+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2014-09-11T01:02:37+00:00 ce3eba07f57ddeb53f8d576f3091d9b33efcbb07 commit 5b65c2a0296644dd3dbdd590d6f00174d18c96b3 upstream. In the Dell XPS 13 9333, it appears that sometimes the bus get confused and corrupts the incoming data. It fills the input report with the sentinel value "ff". Synaptics told us that such behavior does not comes from the touchpad itself, so we filter out such reports here. Unfortunately, we can not simply discard the incoming data because they may contain useful information. Most of the time, the misbehavior is quite near the end of the report, so we can still use the valid part of it. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1123584 Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Andrew Duggan <aduggan@synaptics.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 5b65c2a0296644dd3dbdd590d6f00174d18c96b3 upstream.

In the Dell XPS 13 9333, it appears that sometimes the bus get confused
and corrupts the incoming data. It fills the input report with the
sentinel value "ff". Synaptics told us that such behavior does not comes
from the touchpad itself, so we filter out such reports here.

Unfortunately, we can not simply discard the incoming data because they
may contain useful information. Most of the time, the misbehavior is
quite near the end of the report, so we can still use the valid part of
it.

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1123584

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: wacom: fix timeout on probe for some wacoms 2014-10-30T16:43:07+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2014-09-16T20:56:39+00:00 42b0daa78ec43eb2b4e9a80e6dba0c237b1f778f commit 8ffffd5212846b72f116f7a9572e83d580e25802 upstream. Some Wacom tablets (at least the ISDv4 found in the Lenovo X230) timeout during probe while retrieving the input reports. The only time this information is valuable is during the feature_mapping stage, so we can ask for it there and discard the generic input reports retrieval. This gives a code path closer to the wacom.ko driver when it was in the input subtree (not HID). Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 8ffffd5212846b72f116f7a9572e83d580e25802 upstream.

Some Wacom tablets (at least the ISDv4 found in the Lenovo X230) timeout
during probe while retrieving the input reports.
The only time this information is valuable is during the feature_mapping
stage, so we can ask for it there and discard the generic input reports
retrieval.

This gives a code path closer to the wacom.ko driver when it was in the
input subtree (not HID).

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
HID: wacom - remove report_id from wacom_get_report interface 2014-10-30T16:43:07+00:00 Ping Cheng pinglinux@gmail.com 2014-09-10T19:41:04+00:00 dfdbe2eb1439432f1740760c9e8e489177d13b0a commit c64d883476812783e0400d37028756151d103e5c upstream. It is assigned in buf[0] anyway. Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c64d883476812783e0400d37028756151d103e5c upstream.

It is assigned in buf[0] anyway.

Signed-off-by: Ping Cheng <pingc@wacom.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-08-27T16:38:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-08-27T16:38:06+00:00 ff0c57ac70434bc936cb0110eaf033a0a1a62e52 Pull HID fixes from Jiri Kosina: - fixes for potential memory corruption problems in magicmouse and picolcd drivers (the HW would have to be manufactured to be deliberately evil to trigger those) which were found by Steven Vittitoe - fix for false error message appearing in dmesg from logitech-dj driver, from Benjamin Tissoires * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: picolcd: sanity check report size in raw_event() callback HID: magicmouse: sanity check report size in raw_event() callback HID: logitech-dj: prevent false errors to be shown 
Pull HID fixes from Jiri Kosina:

 - fixes for potential memory corruption problems in magicmouse and
   picolcd drivers (the HW would have to be manufactured to be
   deliberately evil to trigger those) which were found by Steven
   Vittitoe

 - fix for false error message appearing in dmesg from logitech-dj
   driver, from Benjamin Tissoires

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: picolcd: sanity check report size in raw_event() callback
  HID: magicmouse: sanity check report size in raw_event() callback
  HID: logitech-dj: prevent false errors to be shown
HID: picolcd: sanity check report size in raw_event() callback 2014-08-27T07:14:39+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:13:15+00:00 844817e47eef14141cf59b8d5ac08dd11c0a9189 The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: magicmouse: sanity check report size in raw_event() callback 2014-08-27T07:14:39+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:12:24+00:00 c54def7bd64d7c0b6993336abcffb8444795bf38 The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that magicmouse_emit_touch() gets only valid values of raw_id. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: logitech-dj: prevent false errors to be shown 2014-08-25T07:59:51+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2014-08-22T20:16:05+00:00 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 Commit "HID: logitech: perform bounds checking on device_id early enough" unfortunately leaks some errors to dmesg which are not real ones: - if the report is not a DJ one, then there is not point in checking the device_id - the receiver (index 0) can also receive some notifications which can be safely ignored given the current implementation Move out the test regarding the report_id and also discards printing errors when the receiver got notified. Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Cc: stable@vger.kernel.org Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
Commit "HID: logitech: perform bounds checking on device_id early
enough" unfortunately leaks some errors to dmesg which are not real
ones:
- if the report is not a DJ one, then there is not point in checking
  the device_id
- the receiver (index 0) can also receive some notifications which
  can be safely ignored given the current implementation

Move out the test regarding the report_id and also discards
printing errors when the receiver got notified.

Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

Cc: stable@vger.kernel.org
Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-08-21T21:25:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-08-21T21:25:20+00:00 cee5aa1f81b1e88d8de05df226bfd207041954c2 Pull HID fixes from Jiri Kosina: - fixes for a couple potential memory corruption problems (the HW would have to be manufactured to be deliberately evil to trigger those) found by Ben Hawkes - fix for potential infinite loop when using sysfs interface of logitech driver, from Simon Wood - a couple more simple driver fixes * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: fix a couple of off-by-ones HID: logitech: perform bounds checking on device_id early enough HID: logitech: fix bounds checking on LED report size HID: logitech: Prevent possibility of infinite loop when using /sys interface HID: rmi: print an error if F11 is not found instead of stopping the device HID: hid-sensor-hub: use devm_ functions consistently HID: huion: Use allocated buffer for DMA HID: huion: Fail on parameter retrieval errors 
Pull HID fixes from Jiri Kosina:

 - fixes for a couple potential memory corruption problems (the HW would
   have to be manufactured to be deliberately evil to trigger those)
   found by Ben Hawkes
 - fix for potential infinite loop when using sysfs interface of
   logitech driver, from Simon Wood
 - a couple more simple driver fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: fix a couple of off-by-ones
  HID: logitech: perform bounds checking on device_id early enough
  HID: logitech: fix bounds checking on LED report size
  HID: logitech: Prevent possibility of infinite loop when using /sys interface
  HID: rmi: print an error if F11 is not found instead of stopping the device
  HID: hid-sensor-hub: use devm_ functions consistently
  HID: huion: Use allocated buffer for DMA
  HID: huion: Fail on parameter retrieval errors
HID: fix a couple of off-by-ones 2014-08-21T15:43:28+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:48+00:00 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those. Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: logitech: perform bounds checking on device_id early enough 2014-08-21T15:43:06+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:17+00:00 ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 device_index is a char type and the size of paired_dj_deivces is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used. We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event(). Fix this by performing the check at the earliest possible ocasion in logi_dj_raw_event(). Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.

We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().

Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>