From patchwork Mon Feb 23 21:17:23 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 442673
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 1A320140119;
	Tue, 24 Feb 2015 08:18:00 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1YQ0Nz-0004Sx-9Z; Mon, 23 Feb 2015 21:17:51 +0000
Received: from mail-ob0-f178.google.com ([209.85.214.178])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <seth.forshee@canonical.com>) id 1YQ0Nt-0004ST-3Y
	for kernel-team@lists.ubuntu.com; Mon, 23 Feb 2015 21:17:45 +0000
Received: by mail-ob0-f178.google.com with SMTP id uz6so39219607obc.9
	for <kernel-team@lists.ubuntu.com>;
	Mon, 23 Feb 2015 13:17:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:subject:date:message-id;
	bh=guAxRxY7ORXnfzk3adzqicmuYTPGzlKmyQRP9GrAGKA=;
	b=QMFmgzAUkKz2flXxmjYzXw6WV/qqHOE/kaJNBwbzM25/sgPgi5YerNwHSvOkXfGhp7
	H5K2gxjpwhQZFFmyEYpI7CyJrbV715tabf0VTpZRd7onE2pb0ReXlYAAnd9aI2bi1uZM
	4Qnu6ctOPqmPqhEcfPFzscHZWHK23DPS5JBMuKcQSNc/gBjCzfsEUKxi+Jk1pQlq+51k
	NngRCigpF7GMN0jz9cMb4SYWmnLYA2vspkWzGgvwfdGdRryG4qIUPHq85tRUQ1D8rOz1
	G0d4IB+eissSm+f0vTAVWU2zAVi9vTavtEWdAN5pqIAQaOV2XFlMfjOQHdOsXnyWtbPF
	tCZg==
X-Gm-Message-State: 
 ALoCoQlwiiyfJmpgqXj2Qdf1ruYw0/7YplYPLbKy3qWLv9T318L4uMmUc0wYVUYm9of9usK33gMr
X-Received: by 10.202.200.10 with SMTP id y10mr8237947oif.38.1424726264342;
	Mon, 23 Feb 2015 13:17:44 -0800 (PST)
Received: from localhost (199-87-125-144.dyn.kc.surewest.net.
	[199.87.125.144]) by mx.google.com with ESMTPSA id
	ea8sm20591231obb.24.2015.02.23.13.17.43
	for <kernel-team@lists.ubuntu.com>
	(version=TLSv1.2 cipher=RC4-SHA bits=128/128);
	Mon, 23 Feb 2015 13:17:43 -0800 (PST)
From: Seth Forshee <seth.forshee@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH][vivid/unstable] HID: i2c-hid: Limit reads to wMaxInputLength
	bytes for input events
Date: Mon, 23 Feb 2015 15:17:23 -0600
Message-Id: <1424726243-115451-1-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 1.9.1
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
changed hid_get_input() to read ihid->bufsize bytes, which can be
more than wMaxInputLength. This is the case with the Dell XPS 13
9343, and it is causing events to be missed. In some cases the
missed events are releases, which can cause the cursor to jump or
freeze, among other problems. Limit the number of bytes read to
min(wMaxInputLength, ihid->bufsize) to prevent such problems.

Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
(cherry picked from commit 6d00f37e49d95e640a3937a4a1ae07dbe92a10cb
 git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid.git)
---

This should come in from upstream stable eventually, but for selfish
reasons I'd like to get it in sooner. I'm targeting 3.19 since I'm not
anticipating any more 3.18 releases for vivid, but it should apply fine
to 3.18 as well.

 drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index d43e967..5e72fc2 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
 static void i2c_hid_get_input(struct i2c_hid *ihid)
 {
 	int ret, ret_size;
-	int size = ihid->bufsize;
+	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
+
+	if (size > ihid->bufsize)
+		size = ihid->bufsize;
 
 	ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
 	if (ret != size) {