From patchwork Mon Feb 23 21:17:23 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 442673
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH][vivid/unstable] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
Date: Mon, 23 Feb 2015 15:17:23 -0600
Message-Id: <1424726243-115451-1-git-send-email-seth.forshee@canonical.com>

d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
changed hid_get_input() to read ihid->bufsize bytes, which can be
more than wMaxInputLength. This is the case with the Dell XPS 13
9343, and it is causing events to be missed. In some cases the
missed events are releases, which can cause the cursor to jump or
freeze, among other problems. Limit the number of bytes read to
min(wMaxInputLength, ihid->bufsize) to prevent such problems.

Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Signed-off-by: Seth Forshee
Reviewed-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
(cherry picked from commit 6d00f37e49d95e640a3937a4a1ae07dbe92a10cb
 git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid.git)
---

This should come in from upstream stable eventually, but for selfish
reasons I'd like to get it in sooner. I'm targeting 3.19 since I'm not
anticipating any more 3.18 releases for vivid, but it should apply fine
to 3.18 as well.

 drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index d43e967..5e72fc2 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client) static void i2c_hid_get_input(struct i2c_hid *ihid) { int ret, ret_size; - int size = ihid->bufsize; + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); + + if (size > ihid->bufsize) + size = ihid->bufsize; ret = i2c_master_recv(ihid->client, ihid->inbuf, size); if (ret != size) {
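Review bot: In i2c_hid_get_input(), size is now taken from the device-supplied hdesc.wMaxInputLength and is bounded only from above, so a descriptor that reports 0 would pass a zero-length read to i2c_master_recv(). Nothing in this hunk shows whether that value is rejected when the descriptor is parsed; if it is not, a lower-bound check belongs here before the read. The clamp to ihid->bufsize is what preserves the overflow protection added by d1c7e29e8d27, so a one-line comment saying so would keep a later cleanup from dropping it. The open-coded `if (size > ihid->bufsize) size = ihid->bufsize;` could also be written with min_t(int, ...), which would match the min(wMaxInputLength, ihid->bufsize) wording in the commit message.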