[kernel/f20] Add patch for HID i2c from Seth Forshee (rhbz 1188439)
Josh Boyer
jwboyer at fedoraproject.org
Mon Feb 23 20:13:09 UTC 2015
commit 87e9e415954a45dc0499ef744ec176d57167bf4e
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Feb 23 15:08:16 2015 -0500
Add patch for HID i2c from Seth Forshee (rhbz 1188439)
...-Limit-reads-to-wMaxInputLength-bytes-for.patch | 39 ++++++++++++++++++++++
kernel.spec | 7 ++++
2 files changed, 46 insertions(+)
---
diff --git a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
new file mode 100644
index 0000000..0df8a04
--- /dev/null
+++ b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
@@ -0,0 +1,39 @@
+From: Seth Forshee <seth.forshee () canonical ! com>
+Date: Fri, 20 Feb 2015 17:45:11 -0500
+Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
+ events
+
+d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
+changed hid_get_input() to read ihid->bufsize bytes, which can be
+more than wMaxInputLength. This is the case with the Dell XPS 13
+9343, and it is causing events to be missed. In some cases the
+missed events are releases, which can cause the cursor to jump or
+freeze, among other problems. Limit the number of bytes read to
+min(wMaxInputLength, ihid->bufsize) to prevent such problems.
+
+Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
+Cc: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
+index 80e33e0abc52..6d7c9c580ceb 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+ int ret, ret_size;
+- int size = ihid->bufsize;
++ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
++
++ if (size > ihid->bufsize)
++ size = ihid->bufsize;
+
+ ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
+ if (ret != size) {
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 3b76c18..853aa13 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -767,6 +767,9 @@ Patch26136: vhost-scsi-potential-memory-corruption.patch
#CVE-2015-0275 rhbz 1193907 1195178
Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
+#rhbz 1188439
+Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1497,6 +1500,9 @@ ApplyPatch vhost-scsi-potential-memory-corruption.patch
#CVE-2015-0275 rhbz 1193907 1195178
ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
+#rhbz 1188439
+ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2316,6 +2322,7 @@ fi
# || ||
%changelog
* Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch for HID i2c from Seth Forshee (rhbz 1188439)
- CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)
* Mon Feb 16 2015 Josh Boyer <jwboyer at fedoraproject.org>
More information about the scm-commits
mailing list