linux-stable.git/drivers/input/misc, branch v4.5.2 Linux kernel stable tree Input: ati_remote2 - fix crashes on detecting device with invalid descriptor 2016-04-12T14:33:48+00:00 Vladis Dronov vdronov@redhat.com 2016-03-23T18:53:46+00:00 e0a40d844832eb90c6ac790dada3d060332d654c commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream. The ati_remote2 driver expects at least two interfaces with one endpoint each. If given malicious descriptor that specify one interface or no endpoints, it will crash in the probe function. Ensure there is at least two interfaces and one endpoint for each interface before using it. The full disclosure: http://seclists.org/bugtraq/2016/Mar/90 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Input: ims-pcu - sanity check against missing interfaces 2016-04-12T14:33:48+00:00 Oliver Neukum oneukum@suse.com 2016-03-17T21:00:17+00:00 cadaf14c349dfd9dae5113a53f0d7f6d49b9d4ef commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff upstream. A malicious device missing interface can make the driver oops. Add sanity checking. Signed-off-by: Oliver Neukum <ONeukum@suse.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff upstream.

A malicious device missing interface can make the driver oops.
Add sanity checking.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Input: powermate - fix oops with malicious USB descriptors 2016-04-12T14:33:22+00:00 Josh Boyer jwboyer@fedoraproject.org 2016-03-14T16:33:40+00:00 e97ae5113dd09d459d7f173710ba86ba2ad83a42 commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream. The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them. The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream.

The powermate driver expects at least one valid USB endpoint in its
probe function.  If given malicious descriptors that specify 0 for
the number of endpoints, it will crash.  Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Input: sirfsoc-onkey - allow modular build 2016-01-27T23:55:14+00:00 Arnd Bergmann arnd@arndb.de 2016-01-27T23:43:32+00:00 af6e94634d0a77aa42a9fdee35abd00a95b4ca54 CONFIG_INPUT may itself be a loadable module, but the sirf power key driver is listed as 'bool', which makes it possible to select a broken configuration with the driver built-in but the subsystem not loaded. In this configuration, we get a link error: drivers/input/built-in.o: In function `sirfsoc_pwrc_isr': drivers/input/misc/sirfsoc-onkey.c:63: undefined reference to `input_event' drivers/input/built-in.o: In function `sirfsoc_pwrc_isr': include/linux/input.h:414: undefined reference to `input_event' drivers/input/built-in.o: In function `sirfsoc_pwrc_probe': drivers/input/misc/sirfsoc-onkey.c:132: undefined reference to `devm_input_allocate_device' drivers/input/misc/sirfsoc-onkey.c:139: undefined reference to `input_set_capability' drivers/input/misc/sirfsoc-onkey.c:161: undefined reference to `input_register_device' drivers/input/built-in.o: In function `sirfsoc_pwrc_report_event': drivers/input/misc/sirfsoc-onkey.c:48: undefined reference to `input_event' drivers/input/built-in.o: In function `sirfsoc_pwrc_report_event': include/linux/input.h:414: undefined reference to `input_event' drivers/input/built-in.o:(.debug_addr+0x24): undefined reference to `input_event' drivers/input/built-in.o:(.debug_addr+0xbc): undefined reference to `devm_input_allocate_device' drivers/input/built-in.o:(.debug_addr+0x104): undefined reference to `input_set_capability' drivers/input/built-in.o:(.debug_addr+0x128): undefined reference to `input_register_device' This marks the driver as 'tristate' so it becomes possible to have it in a loadable module, mainly to help with randconfig builds. We also have to add a missing semicolon here, which ended up not being needed in built-in mode because the following MODULE_DEVICE_TABLE is an empty macro followed by another semicolon then. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
CONFIG_INPUT may itself be a loadable module, but the sirf power key
driver is listed as 'bool', which makes it possible to select
a broken configuration with the driver built-in but the subsystem
not loaded. In this configuration, we get a link error:

drivers/input/built-in.o: In function `sirfsoc_pwrc_isr':
drivers/input/misc/sirfsoc-onkey.c:63: undefined reference to `input_event'
drivers/input/built-in.o: In function `sirfsoc_pwrc_isr':
include/linux/input.h:414: undefined reference to `input_event'
drivers/input/built-in.o: In function `sirfsoc_pwrc_probe':
drivers/input/misc/sirfsoc-onkey.c:132: undefined reference to `devm_input_allocate_device'
drivers/input/misc/sirfsoc-onkey.c:139: undefined reference to `input_set_capability'
drivers/input/misc/sirfsoc-onkey.c:161: undefined reference to `input_register_device'
drivers/input/built-in.o: In function `sirfsoc_pwrc_report_event':
drivers/input/misc/sirfsoc-onkey.c:48: undefined reference to `input_event'
drivers/input/built-in.o: In function `sirfsoc_pwrc_report_event':
include/linux/input.h:414: undefined reference to `input_event'
drivers/input/built-in.o:(.debug_addr+0x24): undefined reference to `input_event'
drivers/input/built-in.o:(.debug_addr+0xbc): undefined reference to `devm_input_allocate_device'
drivers/input/built-in.o:(.debug_addr+0x104): undefined reference to `input_set_capability'
drivers/input/built-in.o:(.debug_addr+0x128): undefined reference to `input_register_device'

This marks the driver as 'tristate' so it becomes possible to have
it in a loadable module, mainly to help with randconfig builds.

We also have to add a missing semicolon here, which ended up not
being needed in built-in mode because the following MODULE_DEVICE_TABLE
is an empty macro followed by another semicolon then.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Merge branch 'next' into for-linus 2016-01-12T01:47:25+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2016-01-12T01:47:25+00:00 009f773836513960d3982e80c86e266d25528563 Prepare first round of input updates for 4.5 merge window. 
Prepare first round of input updates for 4.5 merge window.
Input: bma150 - constify bma150_cfg structure 2016-01-03T05:08:52+00:00 Julia Lawall Julia.Lawall@lip6.fr 2016-01-03T05:04:30+00:00 7ed5ff82c2f06965652f8d1a17c427ba8d363b92 The bma150_cfg structure is never modified, so declare it as const. Done with the help of Coccinelle. Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
The bma150_cfg structure is never modified, so declare it as const.

Done with the help of Coccinelle.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: uinput - sanity check on ff_effects_max and EV_FF 2015-12-19T01:48:52+00:00 Elias Vanderstuyft elias.vds@gmail.com 2015-12-19T01:32:19+00:00 daf6cd0c1829c48cba197bd87d57fc8bf3f65faa Currently the user can set ff_effects_max to zero with the EV_FF bit (and the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized methods ff->set_gain and/or ff->set_autocenter can be dereferenced, resulting in a kernel oops. Check in uinput_create_device() and print a helpful message and return -EINVAL in case the check fails. Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
Currently the user can set ff_effects_max to zero with the EV_FF bit (and
the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized
methods ff->set_gain and/or ff->set_autocenter can be dereferenced,
resulting in a kernel oops.

Check in uinput_create_device() and print a helpful message and return
-EINVAL in case the check fails.

Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: uinput - rework ABS validation 2015-12-19T01:48:51+00:00 David Herrmann dh.herrmann@gmail.com 2015-10-25T09:34:13+00:00 fbae10db094046dba1d59e1c2ee5140835045f14 Rework the uinput ABS validation to check passed absinfo data immediately, but do ABS initialization as last step in UI_DEV_CREATE. The behavior observed by user-space is not changed, as ABS initialization was never checked for errors. With this in place, the order of device initialization and abs configuration is no longer fixed. Userspace can initialize the device and afterwards set absinfo just fine. Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
Rework the uinput ABS validation to check passed absinfo data immediately,
but do ABS initialization as last step in UI_DEV_CREATE. The behavior
observed by user-space is not changed, as ABS initialization was never
checked for errors.

With this in place, the order of device initialization and abs
configuration is no longer fixed. Userspace can initialize the device and
afterwards set absinfo just fine.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: uinput - add new UINPUT_DEV_SETUP and UI_ABS_SETUP ioctl 2015-12-19T01:48:50+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2015-12-19T01:20:09+00:00 052876f8e5aec887d22c4d06e54aa5531ffcec75 This adds two new ioctls, UINPUT_DEV_SETUP and UI_ABS_SETUP, that replaces the old device setup method (by write()'ing "struct uinput_user_dev" to the node). The old method is not easily extendable and requires huge payloads. Furthermore, overloading write() without properly versioned objects is error-prone. Therefore, we introduce two new ioctls to replace the old method. These ioctls support all features of the old method, plus a "resolution" field for absinfo. Furthermore, it's properly forward-compatible to new ABS codes and a growing "struct input_absinfo" structure. UI_ABS_SETUP also allows user-space to skip unknown axes if not set. There is no need to copy the whole array temporarily into the kernel, but instead the caller issues several ioctl where we copy each value manually. Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Reviewed-by: David Herrmann <dh.herrmann@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
This adds two new ioctls, UINPUT_DEV_SETUP and UI_ABS_SETUP, that replaces
the old device setup method (by write()'ing "struct uinput_user_dev" to the
node). The old method is not easily extendable and requires huge payloads.
Furthermore, overloading write() without properly versioned objects is
error-prone.

Therefore, we introduce two new ioctls to replace the old method.  These
ioctls support all features of the old method, plus a "resolution" field
for absinfo. Furthermore, it's properly forward-compatible to new ABS codes
and a growing "struct input_absinfo" structure.

UI_ABS_SETUP also allows user-space to skip unknown axes if not set.  There
is no need to copy the whole array temporarily into the kernel, but instead
the caller issues several ioctl where we copy each value manually.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
 Input: da9063 - report KEY_POWER instead of KEY_SLEEP during power key-press 2015-12-13T05:05:09+00:00 Steve Twiss stwiss.opensource@diasemi.com 2015-12-13T04:43:35+00:00 f889beaaab1ce2ff9d018302359abb345f49be29 Stop reporting KEY_SLEEP for a short key-press and report KEY_POWER instead This change applies to both DA9063 and DA9062 ONKEY drivers. A previous application used for testing by the developer required a KEY_SLEEP and KEY_POWER input_report_key event to distinguish between a short and long key-press of the power key. This is not the general convention and the typical solution is for KEY_POWER to be used in both cases: suspend and S/W power off. Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 
Stop reporting KEY_SLEEP for a short key-press and report KEY_POWER instead
This change applies to both DA9063 and DA9062 ONKEY drivers.

A previous application used for testing by the developer required a
KEY_SLEEP and KEY_POWER input_report_key event to distinguish between a
short and long key-press of the power key.  This is not the general
convention and the typical solution is for KEY_POWER to be used in both
cases: suspend and S/W power off.

Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>