From patchwork Fri Feb 20 17:45:11 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 5857521
X-Patchwork-Delegate: jikos@jikos.cz
From: Seth Forshee
To: Jiri Kosina
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Seth Forshee, Benjamin Tissoires
Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
Date: Fri, 20 Feb 2015 11:45:11 -0600
Message-Id: <1424454311-70750-1-git-send-email-seth.forshee@canonical.com>

d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ) changed hid_get_input() to read ihid->bufsize bytes, which can be more than wMaxInputLength. This is the case with the Dell XPS 13 9343, and it is causing events to be missed. In some cases the missed events are releases, which can cause the cursor to jump or freeze, among other problems. Limit the number of bytes read to min(wMaxInputLength, ihid->bufsize) to prevent such problems.

Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Cc: Benjamin Tissoires
Signed-off-by: Seth Forshee
Reviewed-by: Benjamin Tissoires
--- drivers/hid/i2c-hid/i2c-hid.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c index d43e967..5e72fc2 100644 --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c 
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client) static void i2c_hid_get_input(struct i2c_hid *ihid) { int ret, ret_size; - int size = ihid->bufsize; + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength); + + if (size > ihid->bufsize) + size = ihid->bufsize; ret = i2c_master_recv(ihid->client, ihid->inbuf, size); if (ret != size) {
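Review bot: the new bound in i2c_hid_get_input() clamps wMaxInputLength only from above, and that field comes from the device's HID descriptor (ihid->hdesc), so a device reporting 0 there makes size 0 and nothing in the visible lines rejects it before i2c_master_recv() is called. Consider validating a minimum length, either here or where the descriptor is parsed (the parsing code is not visible in this hunk). The upper clamp against ihid->bufsize is what keeps the overflow protection from d1c7e29e8d27 in place, so it deserves a one-line comment saying so, and the open-coded `if (size > ihid->bufsize) size = ihid->bufsize;` could be written with min_t() to match the min(wMaxInputLength, ihid->bufsize) wording of the commit message.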