From a36e7653dfe9dfeb47ba54282edf2a2f1ff0c249 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 23 Feb 2015 15:08:16 -0500
Subject: [PATCH] Add patch for HID i2c from Seth Forshee (rhbz 1188439)
---
...t-reads-to-wMaxInputLength-bytes-for.patch | 39 +++++++++++++++++++
kernel.spec | 9 +++++
2 files changed, 48 insertions(+)
create mode 100644 HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
diff --git a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
new file mode 100644
index 000000000..27fe74054
--- /dev/null
+++ b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
@@ -0,0 +1,39 @@
+From: Seth Forshee
+Date: Fri, 20 Feb 2015 17:45:11 -0500
+Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
+ events
+
+d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
+changed hid_get_input() to read ihid->bufsize bytes, which can be
+more than wMaxInputLength. This is the case with the Dell XPS 13
+9343, and it is causing events to be missed. In some cases the
+missed events are releases, which can cause the cursor to jump or
+freeze, among other problems. Limit the number of bytes read to
+min(wMaxInputLength, ihid->bufsize) to prevent such problems.
+
+Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
+Cc: Benjamin Tissoires
+Signed-off-by: Seth Forshee
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
+index d43e967e7533..5e72fc2428f0 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+ int ret, ret_size;
+- int size = ihid->bufsize;
++ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
++
++ if (size > ihid->bufsize)
++ size = ihid->bufsize;
+
+ ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
+ if (ret != size) {
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 0911aaad8..d9276a95d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch26137: fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch #CVE-2015-0275 rhbz 1193907 1195178 Patch26138: ext4-Allocate-entire-range-in-zero-range.patch +#rhbz 1188439 +Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch Patch30001: kernel-arm64-fix-psci-when-pg.patch
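Review bot: In the embedded drivers/hid/i2c-hid/i2c-hid.c change, the new clamp `if (size > ihid->bufsize) size = ihid->bufsize;` carries no comment, yet it is the only visible bound between a device-reported wMaxInputLength and the `i2c_master_recv()` into `ihid->inbuf` (presumably sized by bufsize, the overflow d1c7e29e8d27 addressed). I would add `/* wMaxInputLength is reported by the device: never read more than inbuf can hold */` above it so a later cleanup does not drop the bound. `size` stays a signed `int` compared against `ihid->bufsize`, whose declaration is outside the hunk; if that field is unsigned, `size = min_t(unsigned int, size, ihid->bufsize);` states the intended comparison explicitly. A descriptor that reports a length of 0 now produces a zero-length read, and since i2c_hid_get_input continues past the end of the hunk, whether the following length handling tolerates that cannot be confirmed from this page.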
@@ -1345,6 +1348,9 @@ ApplyPatch fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch #CVE-2015-0275 rhbz 1193907 1195178 ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch +#rhbz 1188439 +ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2203,6 +2209,9 @@ fi # # %changelog +* Mon Feb 23 2015 Josh Boyer +- Add patch for HID i2c from Seth Forshee (rhbz 1188439) + * Mon Feb 23 2015 Josh Boyer - 4.0.0-0.rc1.git0.1 - Linux v4.0-rc1 - CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)