[kernel/f22] Add patch for HID i2c from Seth Forshee (rhbz 1188439)

Josh Boyer jwboyer at fedoraproject.org
Mon Feb 23 20:13:31 UTC 2015 

commit a36e7653dfe9dfeb47ba54282edf2a2f1ff0c249
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Feb 23 15:08:16 2015 -0500

    Add patch for HID i2c from Seth Forshee (rhbz 1188439)

 ...-Limit-reads-to-wMaxInputLength-bytes-for.patch | 39 ++++++++++++++++++++++
 kernel.spec                                        |  9 +++++
 2 files changed, 48 insertions(+)
---
diff --git a/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
new file mode 100644
index 0000000..27fe740
--- /dev/null
+++ b/HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
@@ -0,0 +1,39 @@
+From: Seth Forshee <seth.forshee () canonical ! com>
+Date: Fri, 20 Feb 2015 17:45:11 -0500
+Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
+ events
+
+d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
+changed hid_get_input() to read ihid->bufsize bytes, which can be
+more than wMaxInputLength. This is the case with the Dell XPS 13
+9343, and it is causing events to be missed. In some cases the
+missed events are releases, which can cause the cursor to jump or
+freeze, among other problems. Limit the number of bytes read to
+min(wMaxInputLength, ihid->bufsize) to prevent such problems.
+
+Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
+Cc: Benjamin Tissoires <benjamin.tissoires at redhat.com>
+Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
+index d43e967e7533..5e72fc2428f0 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+ 	int ret, ret_size;
+-	int size = ihid->bufsize;
++	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
++
++	if (size > ihid->bufsize)
++		size = ihid->bufsize;
+ 
+ 	ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
+ 	if (ret != size) {
+-- 
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 0911aaa..d9276a9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch26137: fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch
 #CVE-2015-0275 rhbz 1193907 1195178
 Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
 
+#rhbz 1188439
+Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 Patch30001: kernel-arm64-fix-psci-when-pg.patch
@@ -1345,6 +1348,9 @@ ApplyPatch fifo-nv04-remove-the-loop-from-the-interrupt-handler.patch
 #CVE-2015-0275 rhbz 1193907 1195178
 ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
 
+#rhbz 1188439
+ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2203,6 +2209,9 @@ fi
 #
 # 
 %changelog
+* Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch for HID i2c from Seth Forshee (rhbz 1188439)
+
 * Mon Feb 23 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.0.0-0.rc1.git0.1
 - Linux v4.0-rc1
 - CVE-2015-0275 ext4: fallocate zero range page size > block size BUG (rhbz 1193907 1195178)

More information about the scm-commits mailing list