[kernel/f15] HID: ntrig don't dereference unclaimed hidinput (rhbz#714827)

Tue Jun 21 20:06:39 UTC 2011

commit 7bbc91a67d83cdead4f616bf6d3020b656a40729
Author: Dave Jones <davej at redhat.com>
Date:   Tue Jun 21 16:06:15 2011 -0400

    HID: ntrig don't dereference unclaimed hidinput (rhbz#714827)

 hid-ntrig-deref-unclaimed-input.patch |   46 +++++++++++++++++++++++++++++++++
 kernel.spec                           |    8 +++++
 2 files changed, 54 insertions(+), 0 deletions(-)
---

diff --git a/hid-ntrig-deref-unclaimed-input.patch b/hid-ntrig-deref-unclaimed-input.patch
new file mode 100644
index 0000000..8719eae
--- /dev/null
+++ b/hid-ntrig-deref-unclaimed-input.patch
@@ -0,0 +1,46 @@
+commit f41a52d3010579949a3b9fd76783120d9643b60b
+Author: Rafi Rubin <rafi at seas.upenn.edu>
+Date:   Tue Mar 8 00:24:29 2011 -0500
+
+    HID: ntrig don't dereference unclaimed hidinput
+    
+    Check before dereferencing field->hidinput to fix a reported invalid
+    deference bug.
+    
+    Signed-off-by: Rafi Rubin <rafi at seas.upenn.edu>
+    Signed-off-by: Jiri Kosina <jkosina at suse.cz>
+
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index beb4034..a93e58c 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -539,8 +539,19 @@ static int ntrig_input_mapped(struct hid_device *hdev, struct hid_input *hi,
+ static int ntrig_event (struct hid_device *hid, struct hid_field *field,
+ 			struct hid_usage *usage, __s32 value)
+ {
+-	struct input_dev *input = field->hidinput->input;
+ 	struct ntrig_data *nd = hid_get_drvdata(hid);
++	struct input_dev *input;
++
++	/* Skip processing if not a claimed input */
++	if (!(hid->claimed & HID_CLAIMED_INPUT))
++		goto not_claimed_input;
++
++	/* This function is being called before the structures are fully
++	 * initialized */
++	if(!(field->hidinput && field->hidinput->input))
++		return -EINVAL;
++
++	input = field->hidinput->input;
+ 
+ 	/* No special handling needed for the pen */
+ 	if (field->application == HID_DG_PEN)
+@@ -810,6 +821,8 @@ static int ntrig_event (struct hid_device *hid, struct hid_field *field,
+ 		}
+ 	}
+ 
++not_claimed_input:
++
+ 	/* we have handled the hidinput part, now remains hiddev */
+ 	if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_hid_event)
+ 		hid->hiddev_hid_event(hid, field, usage, value);
diff --git a/kernel.spec b/kernel.spec
index 02301f0..c512787 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -746,9 +746,12 @@ Patch12404: x86-pci-preserve-existing-pci-bfsort-whitelist-for-dell-systems.patc
 
 Patch12407: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
 
+Patch12410: hid-ntrig-deref-unclaimed-input.patch
+
 Patch12415: hid-multitouch-add-support-for-elo-touchsystems.patch
 Patch12416: bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
 
+
 Patch12418: ath5k-disable-fast-channel-switching-by-default.patch
 Patch12419: iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch
 
@@ -1392,6 +1395,8 @@ ApplyPatch bonding-incorrect-tx-queue-offset.patch
 
 ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
 
+ApplyPatch hid-ntrig-deref-unclaimed-input.patch
+
 ApplyPatch hid-multitouch-add-support-for-elo-touchsystems.patch
 ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
 
@@ -2012,6 +2017,9 @@ fi
 # and build.
 
 %changelog
+* Tue Jun 21 2011 Dave Jones <davej at redhat.com>
+- HID: ntrig don't dereference unclaimed hidinput (rhbz#714827)
+
 * Mon Jun 20 2011 Kyle McMartin <kmcmartin at redhat.com> 2.6.38.8-33
 - [sgruszka@] iwlwifi: fix general 11n instability (rhbz#648732)
 
