diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2020-01-14 21:11:26 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2020-01-14 21:11:26 +0100 |
| commit | 8e87e181b7ce77478bf0c0f9906149925371127c (patch) | |
| tree | 207b03b672aa3a2e19748cb5b6e3dfac88da0e04 /drivers/hid | |
| parent | bddad4a0ef9b9d63af534cfa364d658a31a9d950 (diff) | |
| parent | 05bbb560f4f40fef38df338f87a17852a308d9dc (diff) | |
Merge 4.4.210 into android-4.4-p
Changes in 4.4.210
kobject: Export kobject_get_unless_zero()
chardev: Avoid potential use-after-free in 'chrdev_open()'
usb: chipidea: host: Disable port power only if previously enabled
ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
HID: Fix slab-out-of-bounds read in hid_field_extract
HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
HID: hid-input: clear unmapped usages
Input: add safety guards to input_set_keycode()
drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
staging: vt6656: set usb_set_intfdata on driver fail.
USB: serial: option: add ZLP support for 0x1bc7/0x9010
usb: musb: Disable pullup at init
usb: musb: dma: Correct parameter passed to IRQ handler
staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
tty: link tty and port before configuring it as console
tty: always relink the port
mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
scsi: bfa: release allocated memory in case of error
rtl8xxxu: prevent leaking urb
USB: Fix: Don't skip endpoint descriptors with maxpacket=0
netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
drm/i915/gen9: Clear residual context state on context switch
Linux 4.4.210
Change-Id: I5ee00026c7108d6a3a1a2711e7413f05defc64ce
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'drivers/hid')
| -rw-r--r-- | drivers/hid/hid-core.c | 6 | ||||
| -rw-r--r-- | drivers/hid/hid-input.c | 16 | ||||
| -rw-r--r-- | drivers/hid/uhid.c | 3 |
3 files changed, 20 insertions, 5 deletions
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index ba6ae196e5c3..5fb6d762f051 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -269,6 +269,12 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign offset = report->size; report->size += parser->global.report_size * parser->global.report_count; + /* Total size check: Allow for possible report index byte */ + if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) { + hid_err(parser->device, "report is too long\n"); + return -1; + } + if (!parser->local.usage_index) /* Ignore padding fields */ return 0; diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 0e6e8fa94046..ff435d5012c9 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -1059,9 +1059,15 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel } mapped: - if (device->driver->input_mapped && device->driver->input_mapped(device, - hidinput, field, usage, &bit, &max) < 0) - goto ignore; + if (device->driver->input_mapped && + device->driver->input_mapped(device, hidinput, field, usage, + &bit, &max) < 0) { + /* + * The driver indicated that no further generic handling + * of the usage is desired. + */ + return; + } set_bit(usage->type, input->evbit); @@ -1119,9 +1125,11 @@ mapped: set_bit(MSC_SCAN, input->mscbit); } -ignore: return; +ignore: + usage->type = 0; + usage->code = 0; } void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value) diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c index 4ee61e0ebd7e..5b738ca01a2f 100644 --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -26,6 +26,7 @@ #include <linux/uhid.h> #include <linux/wait.h> #include <linux/uaccess.h> +#include <linux/eventpoll.h> #define UHID_NAME "uhid" #define UHID_BUFSIZE 32 @@ -787,7 +788,7 @@ static unsigned int uhid_char_poll(struct file *file, poll_table *wait) if (uhid->head != uhid->tail) return POLLIN | POLLRDNORM; - return 0; + return EPOLLOUT | EPOLLWRNORM; } static const struct file_operations uhid_fops = { |