1. 13 12月, 2018 1 次提交
  2. 06 12月, 2018 1 次提交
  3. 01 12月, 2018 1 次提交
  4. 27 11月, 2018 6 次提交
  5. 14 11月, 2018 2 次提交
    • B
      HID: hiddev: fix potential Spectre v1 · b599ba13
      Breno Leitao 提交于
      commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.
      
      uref->usage_index can be indirectly controlled by userspace, hence leading
      to a potential exploitation of the Spectre variant 1 vulnerability.
      
      This field is used as an array index by the hiddev_ioctl_usage() function,
      when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
      HIDIOCSUSAGES.
      
      For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
      field->maxusage and then used as an index to dereference field->usage
      array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
      uref->usage_index is checked against an array maximum value and then it is
      used as an index in an array.
      
      This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
      traditional Spectre V1 first load:
      
      	copy_from_user(uref, user_arg, sizeof(*uref))
      	if (uref->usage_index >= field->maxusage)
      		goto inval;
      	i = field->usage[uref->usage_index].collection_index;
      	return i;
      
      This patch fixes this by sanitizing field uref->usage_index before using it
      to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
      HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NBreno Leitao <leitao@debian.org>
      v2: Contemplate cmd == HIDIOC{G,S}USAGES case
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b599ba13
    • J
      HID: wacom: Work around HID descriptor bug in DTK-2451 and DTH-2452 · 19785f4c
      Jason Gerecke 提交于
      commit 11db8173dbab7a94cf5ba5225fcedbfc0f3b7e54 upstream.
      
      The DTK-2451 and DTH-2452 have a buggy HID descriptor which incorrectly
      contains a Cintiq-like report, complete with pen tilt, rotation, twist, serial
      number, etc. The hardware doesn't actually support this data but our driver
      duitifully sets up the device as though it does. To ensure userspace has a
      correct view of devices without updated firmware, we clean up this incorrect
      data in wacom_setup_device_quirks.
      
      We're also careful to clear the WACOM_QUIRK_TOOLSERIAL flag since its presence
      causes the driver to wait for serial number information (via
      wacom_wac_pen_serial_enforce) that never comes, resulting in
      the pen being non-responsive.
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Fixes: 83417206 ("HID: wacom: Queue events with missing type/serial data for later processing")
      Cc: stable@vger.kernel.org # v4.16+
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19785f4c
  6. 24 9月, 2018 2 次提交
  7. 14 9月, 2018 1 次提交
  8. 06 9月, 2018 1 次提交
    • K
      HID: i2c-hid: Don't reset device upon system resume · 52cf93e6
      Kai-Heng Feng 提交于
      Raydium touchscreen triggers interrupt storm after system-wide suspend:
      
      	[ 179.085033] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/65535)
      
      According to Raydium, Windows driver does not reset the device after system
      resume.
      
      The HID over I2C spec does specify a reset should be used at intialization, but
      it doesn't specify if reset is required for system suspend.
      
      Tested this patch on other i2c-hid touchpanels I have and those touchpanels do
      work after S3 without doing reset. If any regression happens to other
      touchpanel vendors, we can use quirk for Raydium devices.
      
      There's still one device uses I2C_HID_QUIRK_RESEND_REPORT_DESCR so keep it
      there.
      
      Cc: Aaron Ma <aaron.ma@canonical.com>
      Cc: AceLan Kao <acelan.kao@canonical.com>
      Signed-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@gmail.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      52cf93e6
  9. 05 9月, 2018 4 次提交
  10. 30 8月, 2018 1 次提交
  11. 28 8月, 2018 5 次提交
  12. 02 8月, 2018 2 次提交
    • A
      HID: intel_ish-hid: tx_buf memory leak on probe/remove · 50fa9259
      Anton Vasilyev 提交于
      ish_dev_init() allocates 512*176 bytes memory for tx_buf and stores it at
      &dev->wr_free_list_head.link list on ish_probe().
      But there is no deallocation of this memory in ish_remove() and in
      ish_probe() error path.
      So current intel-ish-ipc provides 88 KB memory leak for each
      probe/release.
      
      The patch replaces kzalloc allocation by devm_kzalloc and removes
      ishtp_device *dev deallocation by kfree.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: NAnton Vasilyev <vasilyev@ispras.ru>
      Acked-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      50fa9259
    • S
      HID: intel-ish-hid: Prevent loading of driver on Mehlow · a1e9a9c0
      Srinivas Pandruvada 提交于
      On Mehlow Xeon-E workstation, ISH PCI device is enabled but without ISH
      firmware. Here the ISH device PCI device id was reused for some non Linux
      storage drivers. So this was not done for enabling ISH. But this has a
      undesirable side effect for Linux.
      
      Here the ISH driver will be loaded via PCI enumeration and will try to do
      reset sequence. But reset sequence will wait till timeout as there is no
      real ISH firmware is present to take action. This delay will add to boot
      time of Linux (This platform will still continue to boot after this
      timeout).
      
      To avoid this boot delay we need to prevent loading of ISH drivers on
      this platform. So we need to have hack to avoid treating this device as
      ISH on this platform. To identify this workstation, we need some runtime
      method. Luckily there are special PCI id on this workstation to
      distinguish from the client version of this platform. On client version,
      the ISH is supported using same PCI device id. So this change look for
      the presence of PCI device IDs A309 and A30A and exit.
      Signed-off-by: NSrinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Reviewed-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      a1e9a9c0
  13. 23 7月, 2018 2 次提交
  14. 17 7月, 2018 11 次提交