linux-toradex.git/drivers/hid, branch v3.17-rc4 Linux kernel for Apalis and Colibri modules Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-08-27T16:38:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-08-27T16:38:06+00:00 ff0c57ac70434bc936cb0110eaf033a0a1a62e52 Pull HID fixes from Jiri Kosina: - fixes for potential memory corruption problems in magicmouse and picolcd drivers (the HW would have to be manufactured to be deliberately evil to trigger those) which were found by Steven Vittitoe - fix for false error message appearing in dmesg from logitech-dj driver, from Benjamin Tissoires * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: picolcd: sanity check report size in raw_event() callback HID: magicmouse: sanity check report size in raw_event() callback HID: logitech-dj: prevent false errors to be shown 
Pull HID fixes from Jiri Kosina:

 - fixes for potential memory corruption problems in magicmouse and
   picolcd drivers (the HW would have to be manufactured to be
   deliberately evil to trigger those) which were found by Steven
   Vittitoe

 - fix for false error message appearing in dmesg from logitech-dj
   driver, from Benjamin Tissoires

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: picolcd: sanity check report size in raw_event() callback
  HID: magicmouse: sanity check report size in raw_event() callback
  HID: logitech-dj: prevent false errors to be shown
HID: picolcd: sanity check report size in raw_event() callback 2014-08-27T07:14:39+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:13:15+00:00 844817e47eef14141cf59b8d5ac08dd11c0a9189 The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that raw_data that we hold in picolcd_pending structure are always kept within proper bounds. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: magicmouse: sanity check report size in raw_event() callback 2014-08-27T07:14:39+00:00 Jiri Kosina jkosina@suse.cz 2014-08-27T07:12:24+00:00 c54def7bd64d7c0b6993336abcffb8444795bf38 The report passed to us from transport driver could potentially be arbitrarily large, therefore we better sanity-check it so that magicmouse_emit_touch() gets only valid values of raw_id. Cc: stable@vger.kernel.org Reported-by: Steven Vittitoe <scvitti@google.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: Steven Vittitoe <scvitti@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: logitech-dj: prevent false errors to be shown 2014-08-25T07:59:51+00:00 Benjamin Tissoires benjamin.tissoires@redhat.com 2014-08-22T20:16:05+00:00 5abfe85c1d4694d5d4bbd13ecc166262b937adf0 Commit "HID: logitech: perform bounds checking on device_id early enough" unfortunately leaks some errors to dmesg which are not real ones: - if the report is not a DJ one, then there is not point in checking the device_id - the receiver (index 0) can also receive some notifications which can be safely ignored given the current implementation Move out the test regarding the report_id and also discards printing errors when the receiver got notified. Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Cc: stable@vger.kernel.org Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
Commit "HID: logitech: perform bounds checking on device_id early
enough" unfortunately leaks some errors to dmesg which are not real
ones:
- if the report is not a DJ one, then there is not point in checking
  the device_id
- the receiver (index 0) can also receive some notifications which
  can be safely ignored given the current implementation

Move out the test regarding the report_id and also discards
printing errors when the receiver got notified.

Fixes: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36

Cc: stable@vger.kernel.org
Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-08-21T21:25:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-08-21T21:25:20+00:00 cee5aa1f81b1e88d8de05df226bfd207041954c2 Pull HID fixes from Jiri Kosina: - fixes for a couple potential memory corruption problems (the HW would have to be manufactured to be deliberately evil to trigger those) found by Ben Hawkes - fix for potential infinite loop when using sysfs interface of logitech driver, from Simon Wood - a couple more simple driver fixes * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: fix a couple of off-by-ones HID: logitech: perform bounds checking on device_id early enough HID: logitech: fix bounds checking on LED report size HID: logitech: Prevent possibility of infinite loop when using /sys interface HID: rmi: print an error if F11 is not found instead of stopping the device HID: hid-sensor-hub: use devm_ functions consistently HID: huion: Use allocated buffer for DMA HID: huion: Fail on parameter retrieval errors 
Pull HID fixes from Jiri Kosina:

 - fixes for a couple potential memory corruption problems (the HW would
   have to be manufactured to be deliberately evil to trigger those)
   found by Ben Hawkes
 - fix for potential infinite loop when using sysfs interface of
   logitech driver, from Simon Wood
 - a couple more simple driver fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: fix a couple of off-by-ones
  HID: logitech: perform bounds checking on device_id early enough
  HID: logitech: fix bounds checking on LED report size
  HID: logitech: Prevent possibility of infinite loop when using /sys interface
  HID: rmi: print an error if F11 is not found instead of stopping the device
  HID: hid-sensor-hub: use devm_ functions consistently
  HID: huion: Use allocated buffer for DMA
  HID: huion: Fail on parameter retrieval errors
HID: fix a couple of off-by-ones 2014-08-21T15:43:28+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:48+00:00 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 There are a few very theoretical off-by-one bugs in report descriptor size checking when performing a pre-parsing fixup. Fix those. Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: logitech: perform bounds checking on device_id early enough 2014-08-21T15:43:06+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:57:17+00:00 ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 device_index is a char type and the size of paired_dj_deivces is 7 elements, therefore proper bounds checking has to be applied to device_index before it is used. We are currently performing the bounds checking in logi_dj_recv_add_djhid_device(), which is too late, as malicious device could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the problem in one of the report forwarding functions called from logi_dj_raw_event(). Fix this by performing the check at the earliest possible ocasion in logi_dj_raw_event(). Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.

We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().

Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: logitech: fix bounds checking on LED report size 2014-08-21T15:38:13+00:00 Jiri Kosina jkosina@suse.cz 2014-08-21T14:56:47+00:00 51217e69697fba92a06e07e16f55c9a52d8e8945 The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request() is wrong; the current check doesn't make any sense -- the report allocated by HID core in hid_hw_raw_request() can be much larger than DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't handle this properly at all. Fix the check by actually trimming down the report size properly if it is too large. Cc: stable@vger.kernel.org Reported-by: Ben Hawkes <hawkes@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
is wrong; the current check doesn't make any sense -- the report allocated
by HID core in hid_hw_raw_request() can be much larger than
DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
handle this properly at all.

Fix the check by actually trimming down the report size properly if it is
too large.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2014-08-16T00:16:28+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-08-16T00:16:28+00:00 2f39691f31a22e0c6d82573d91306059f8ef920c Pull input layer fixes from Dmitry Torokhov: "Second round of updates for the input subsystem. Mostly small fixups to the code merged in the first round (atmel_mxt_ts, wacom) but also a smallish patch to xbox driver to support Xbox One controllers and a patch to better handle Synaptics profile sensors found in Cr-48 Chromebooks that should not affect any other devices" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: edt-ft5x06 - remove superfluous assignment Input: xpad - add support for Xbox One controllers Input: atmel_mxt_ts - fix a few issues reported by Coverity Input: atmel_mxt_ts - split config update a bit Input: atmel_mxt_ts - simplify mxt_initialize a bit Input: joystick - use get_cycles on ARMv8 Input: wacom - fix compiler warning if !CONFIG_PM Input: cap1106 - allow changing key mapping from userspace Input: synaptics - use firmware data for Cr-48 Input: synaptics - properly initialize slots for semi-MT Input: MT - make slot cleanup callable outside mt_sync_frame() Input: atmel_mxt_ts - mXT224 DMA quirk was fixed in firmware v2.0.AA 
Pull input layer fixes from Dmitry Torokhov:
 "Second round of updates for the input subsystem.  Mostly small fixups
  to the code merged in the first round (atmel_mxt_ts, wacom) but also a
  smallish patch to xbox driver to support Xbox One controllers and a
  patch to better handle Synaptics profile sensors found in Cr-48
  Chromebooks that should not affect any other devices"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: edt-ft5x06 - remove superfluous assignment
  Input: xpad - add support for Xbox One controllers
  Input: atmel_mxt_ts - fix a few issues reported by Coverity
  Input: atmel_mxt_ts - split config update a bit
  Input: atmel_mxt_ts - simplify mxt_initialize a bit
  Input: joystick - use get_cycles on ARMv8
  Input: wacom - fix compiler warning if !CONFIG_PM
  Input: cap1106 - allow changing key mapping from userspace
  Input: synaptics - use firmware data for Cr-48
  Input: synaptics - properly initialize slots for semi-MT
  Input: MT - make slot cleanup callable outside mt_sync_frame()
  Input: atmel_mxt_ts - mXT224 DMA quirk was fixed in firmware v2.0.AA
HID: logitech: Prevent possibility of infinite loop when using /sys interface 2014-08-15T08:54:13+00:00 Simon Wood simon@mungewell.org 2014-08-15T02:43:01+00:00 29ff66571d38f01c5a5d3af871401b8a65323422 If the device data is not accessible for some reason, returning 0 will cause the call to be continuously called again as none of the string has been 'consumed'. Signed-off-by: Simon Wood <simon@mungewell.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
If the device data is not accessible for some reason, returning 0 will cause the call to be
continuously called again as none of the string has been 'consumed'.

Signed-off-by: Simon Wood <simon@mungewell.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>