Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.4.213 2019-05-16T17:45:00Z 2019-05-16T17:45:00Z He, Bo bo.he@intel.com 2019-03-14T02:28:21Z urn:sha1:e9358b9a5db175b02a67c01c2141c721bdfc63a8 [ Upstream commit cef0d4948cb0a02db37ebfdc320e127c77ab1637 ] There is a race condition that could happen if hid_debug_rdesc_show() is running while hdev is in the process of going away (device removal, system suspend, etc) which could result in NULL pointer dereference: BUG: unable to handle kernel paging request at 0000000783316040 CPU: 1 PID: 1512 Comm: getevent Tainted: G U O 4.19.20-quilt-2e5dc0ac-00029-gc455a447dd55 #1 RIP: 0010:hid_dump_device+0x9b/0x160 Call Trace: hid_debug_rdesc_show+0x72/0x1d0 seq_read+0xe0/0x410 full_proxy_read+0x5f/0x90 __vfs_read+0x3a/0x170 vfs_read+0xa0/0x150 ksys_read+0x58/0xc0 __x64_sys_read+0x1a/0x20 do_syscall_64+0x55/0x110 entry_SYSCALL_64_after_hwframe+0x49/0xbe Grab driver_input_lock to make sure the input device exists throughout the whole process of dumping the rdesc. [jkosina@suse.cz: update changelog a bit] Signed-off-by: he, bo <bo.he@intel.com> Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-02-20T09:13:19Z Vladis Dronov vdronov@redhat.com 2019-01-29T10:58:35Z urn:sha1:b661fff5f8a0f19824df91cc3905ba2c5b54dc87 commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream. Ring buffer implementation in hid_debug_event() and hid_debug_events_read() is strange allowing lost or corrupted data. After commit 717adfdaf147 ("HID: debug: check length before copy_to_user()") it is possible to enter an infinite loop in hid_debug_events_read() by providing 0 as count, this locks up a system. Fix this by rewriting the ring buffer implementation with kfifo and simplify the code. This fixes CVE-2019-3819. v2: fix an execution logic and add a comment v3: use __set_current_state() instead of set_current_state() Backport to v4.4: some (tree-wide) patches are missing in v4.4 so cherry-pick relevant pieces from: * 6396bb22151 ("treewide: kzalloc() -> kcalloc()") * a9a08845e9ac ("vfs: do bulk POLL* -> EPOLL* replacement") * 92529623d242 ("HID: debug: improve hid_debug_event()") * 174cd4b1e5fb ("sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h>") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187 Cc: stable@vger.kernel.org # v4.18+ Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping") Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()") Signed-off-by: Vladis Dronov <vdronov@redhat.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-11T14:03:50Z Daniel Rosenberg drosen@google.com 2018-07-02T23:59:37Z urn:sha1:ef111ea31575bdc50c0c914fe036a1d0ad0cae4e commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream. If our length is greater than the size of the buffer, we overflow the buffer Cc: stable@vger.kernel.org Signed-off-by: Daniel Rosenberg <drosen@google.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-04-15T01:25:15Z Linus Torvalds torvalds@linux-foundation.org 2015-04-15T01:25:15Z urn:sha1:8691c130fae136bb2b7d0554422a2dff4c6ac169 Pull input subsystem updates from Dmitry Torokhov: "You will get the following new drivers: - Qualcomm PM8941 power key drver - ChipOne icn8318 touchscreen controller driver - Broadcom iProc touchscreen and keypad drivers - Semtech SX8654 I2C touchscreen controller driver ALPS driver now supports newer SS4 devices; Elantech got a fix that should make it work on some ASUS laptops; and a slew of other enhancements and random fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (51 commits) Input: alps - non interleaved V2 dualpoint has separate stick button bits Input: alps - fix touchpad buttons getting stuck when used with trackpoint Input: atkbd - document "no new force-release quirks" policy Input: ALPS - make alps_get_pkt_id_ss4_v2() and others static Input: ALPS - V7 devices can report 5-finger taps Input: ALPS - add support for SS4 touchpad devices Input: ALPS - refactor alps_set_abs_params_mt() Input: elantech - fix absolute mode setting on some ASUS laptops Input: atmel_mxt_ts - split out touchpad initialisation logic Input: atmel_mxt_ts - implement support for T100 touch object Input: cros_ec_keyb - fix clearing keyboard state on wakeup Input: gscps2 - drop pci_ids dependency Input: synaptics - allocate 3 slots to keep stability in image sensors Input: Revert "Revert "synaptics - use dmax in input_mt_assign_slots"" Input: MT - make slot assignment work for overcovered solutions mfd: tc3589x: enforce device-tree only mode Input: tc3589x - localize platform data Input: tsc2007 - Convert msecs to jiffies only once Input: edt-ft5x06 - remove EV_SYN event report Input: edt-ft5x06 - allow to setting the maximum axes value through the DT ... 2015-04-13T21:41:15Z Jiri Kosina jkosina@suse.cz 2015-04-13T21:41:15Z urn:sha1:05f6d02521d4c7a656c5135d6d81c345ce531ac0 2015-04-10T15:32:21Z Jiri Kosina jkosina@suse.cz 2015-04-09T11:32:35Z urn:sha1:8fec02a73e31407e14986fca67dab48d4f777f0e In the unlikely case of hdev vanishing while hid_debug_events_read() was sleeping, we can't really break out of the case switch as with other cases, as on the way out we'll try to remove ourselves from the hdev waitqueue. Fix this by taking a shortcut exit path and avoiding cleanup that doesn't make sense in case hdev doesn't exist any more anyway. Reported-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2015-03-12T04:04:13Z Seth Forshee seth.forshee@canonical.com 2015-03-11T22:26:41Z urn:sha1:2c6e0277e1eab3df5db81c59e408b7b1c14b1b72 According to [1], Windows Precision Touchpad devices must supply a button type usage in the device capabilities feature report. A value of 0 indicates that the device contains a depressible button (i.e. it's a click-pad) whereas a value of 1 indicates a non-depressible button. Add support for this usage and set INPUT_PROP_BUTTONPAD on the touchpad input device whenever a depressible button is present. [1] https://msdn.microsoft.com/en-us/library/windows/hardware/dn467314(v=vs.85).aspx Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2015-03-07T01:18:16Z Stefan Brüns stefan.bruens@rwth-aachen.de 2015-03-06T07:25:51Z urn:sha1:e92865edebe90cde1eef968cf85acb6613e5695f Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de> Acked-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2014-10-20T19:03:58Z Olivier Gay ogay@logitech.com 2014-10-17T23:53:39Z urn:sha1:f974008f07a62171a9dede08250c9a35c2b2b986 Add keyboard input assist controls usages from approved hid usage table request HUTTR42: http://www.usb.org/developers/hidpage/HUTRR42c.pdf Signed-off-by: Olivier Gay <ogay@logitech.com> Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 2014-06-03T11:27:24Z Ping Cheng pinglinux@gmail.com 2014-06-03T00:19:52Z urn:sha1:368c96640d10a145da5f258f2d2833668d4f3629 On Feb 17, 2014, two new usages are approved to HID usage Table 18 - Digitizer Page: 5A Secondary Barrel Switch MC 16.4 5B Transducer Serial Number SV 16.3.1 This patch adds relevant definitions to hid/input. It also removes outdated comments in hid.h. Signed-off-by: Ping Cheng <pingc@wacom.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>