Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'for-linus-2023030901' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID fixes from Benjamin Tissoires:
- fix potential out of bound write of zeroes in HID core with a
specially crafted uhid device (Lee Jones)
- fix potential use-after-free in work function in intel-ish-hid (Reka
Norman)
- selftests config fixes (Benjamin Tissoires)
- few device small fixes and support
* tag 'for-linus-2023030901' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
HID: intel-ish-hid: ipc: Fix potential use-after-free in work function
HID: logitech-hidpp: Add support for Logitech MX Master 3S mouse
HID: cp2112: Fix driver not registering GPIO IRQ chip as threaded
selftest: hid: fix hid_bpf not set in config
HID: uhid: Over-ride the default maximum data buffer value with our own
HID: core: Provide new max_buffer_size attribute to over-ride the default
+41
-8
+25
-7
drivers/hid/hid-core.c
+25
-7
drivers/hid/hid-core.c
···
256
256
{
257
257
struct hid_report *report;
258
258
struct hid_field *field;
259
+
unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;
259
260
unsigned int usages;
260
261
unsigned int offset;
261
262
unsigned int i;
···
287
286
offset = report->size;
288
287
report->size += parser->global.report_size * parser->global.report_count;
289
288
289
+
if (parser->device->ll_driver->max_buffer_size)
290
+
max_buffer_size = parser->device->ll_driver->max_buffer_size;
291
+
290
292
/* Total size check: Allow for possible report index byte */
291
-
if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
293
+
if (report->size > (max_buffer_size - 1) << 3) {
292
294
hid_err(parser->device, "report is too long\n");
293
295
return -1;
294
296
}
···
1967
1963
struct hid_report_enum *report_enum = hid->report_enum + type;
1968
1964
struct hid_report *report;
1969
1965
struct hid_driver *hdrv;
1966
+
int max_buffer_size = HID_MAX_BUFFER_SIZE;
1970
1967
u32 rsize, csize = size;
1971
1968
u8 *cdata = data;
1972
1969
int ret = 0;
···
1983
1978
1984
1979
rsize = hid_compute_report_size(report);
1985
1980
1986
-
if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
1987
-
rsize = HID_MAX_BUFFER_SIZE - 1;
1988
-
else if (rsize > HID_MAX_BUFFER_SIZE)
1989
-
rsize = HID_MAX_BUFFER_SIZE;
1981
+
if (hid->ll_driver->max_buffer_size)
1982
+
max_buffer_size = hid->ll_driver->max_buffer_size;
1983
+
1984
+
if (report_enum->numbered && rsize >= max_buffer_size)
1985
+
rsize = max_buffer_size - 1;
1986
+
else if (rsize > max_buffer_size)
1987
+
rsize = max_buffer_size;
1990
1988
1991
1989
if (csize < rsize) {
1992
1990
dbg_hid("report %d is too short, (%d < %d)\n", report->id,
···
2404
2396
unsigned char reportnum, __u8 *buf,
2405
2397
size_t len, enum hid_report_type rtype, enum hid_class_request reqtype)
2406
2398
{
2407
-
if (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)
2399
+
unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;
2400
+
2401
+
if (hdev->ll_driver->max_buffer_size)
2402
+
max_buffer_size = hdev->ll_driver->max_buffer_size;
2403
+
2404
+
if (len < 1 || len > max_buffer_size || !buf)
2408
2405
return -EINVAL;
2409
2406
2410
2407
return hdev->ll_driver->raw_request(hdev, reportnum, buf, len,
···
2428
2415
*/
2429
2416
int hid_hw_output_report(struct hid_device *hdev, __u8 *buf, size_t len)
2430
2417
{
2431
-
if (len < 1 || len > HID_MAX_BUFFER_SIZE || !buf)
2418
+
unsigned int max_buffer_size = HID_MAX_BUFFER_SIZE;
2419
+
2420
+
if (hdev->ll_driver->max_buffer_size)
2421
+
max_buffer_size = hdev->ll_driver->max_buffer_size;
2422
+
2423
+
if (len < 1 || len > max_buffer_size || !buf)
2432
2424
return -EINVAL;
2433
2425
2434
2426
if (hdev->ll_driver->output_report)
+1
drivers/hid/hid-cp2112.c
+1
drivers/hid/hid-cp2112.c
+2
drivers/hid/hid-logitech-hidpp.c
+2
drivers/hid/hid-logitech-hidpp.c
···
4399
4399
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb02a) },
4400
4400
{ /* MX Master 3 mouse over Bluetooth */
4401
4401
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb023) },
4402
+
{ /* MX Master 3S mouse over Bluetooth */
4403
+
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb034) },
4402
4404
{}
4403
4405
};
4404
4406
+8
-1
drivers/hid/intel-ish-hid/ipc/ipc.c
+8
-1
drivers/hid/intel-ish-hid/ipc/ipc.c
···
5
5
* Copyright (c) 2014-2016, Intel Corporation.
6
6
*/
7
7
8
+
#include <linux/devm-helpers.h>
8
9
#include <linux/sched.h>
9
10
#include <linux/spinlock.h>
10
11
#include <linux/delay.h>
···
622
621
case MNG_RESET_NOTIFY:
623
622
if (!ishtp_dev) {
624
623
ishtp_dev = dev;
625
-
INIT_WORK(&fw_reset_work, fw_reset_work_fn);
626
624
}
627
625
schedule_work(&fw_reset_work);
628
626
break;
···
940
940
{
941
941
struct ishtp_device *dev;
942
942
int i;
943
+
int ret;
943
944
944
945
dev = devm_kzalloc(&pdev->dev,
945
946
sizeof(struct ishtp_device) + sizeof(struct ish_hw),
···
974
973
break;
975
974
}
976
975
list_add_tail(&tx_buf->link, &dev->wr_free_list);
976
+
}
977
+
978
+
ret = devm_work_autocancel(&pdev->dev, &fw_reset_work, fw_reset_work_fn);
979
+
if (ret) {
980
+
dev_err(dev->devc, "Failed to initialise FW reset work\n");
981
+
return NULL;
977
982
}
978
983
979
984
dev->ops = &ish_hw_ops;
+1
drivers/hid/uhid.c
+1
drivers/hid/uhid.c
+3
include/linux/hid.h
+3
include/linux/hid.h
···
834
834
* @output_report: send output report to device
835
835
* @idle: send idle request to device
836
836
* @may_wakeup: return if device may act as a wakeup source during system-suspend
837
+
* @max_buffer_size: over-ride maximum data buffer size (default: HID_MAX_BUFFER_SIZE)
837
838
*/
838
839
struct hid_ll_driver {
839
840
int (*start)(struct hid_device *hdev);
···
860
859
861
860
int (*idle)(struct hid_device *hdev, int report, int idle, int reqtype);
862
861
bool (*may_wakeup)(struct hid_device *hdev);
862
+
863
+
unsigned int max_buffer_size;
863
864
};
864
865
865
866
extern bool hid_is_usb(const struct hid_device *hdev);