user/sven/linux.git/drivers/hid, branch v3.11.2 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.11.2 2013-09-27T00:21:47Z HID: usbhid: quirk for N-Trig DuoSense Touch Screen 2013-09-27T00:21:47Z Vasily Titskiy qehgt0@gmail.com 2013-08-30T22:25:04Z urn:sha1:c2bb0ac102c4d80963c26a68aabd78faa173652e commit 9e0bf92c223dabe0789714f8f85f6e26f8f9cda4 upstream. The DuoSense touchscreen device causes a 10 second timeout. This fix removes the delay. Signed-off-by: Vasily Titskiy <qehgt0@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: check for NULL field when setting values 2013-09-27T00:21:46Z Kees Cook keescook@chromium.org 2013-08-28T20:32:01Z urn:sha1:b78f205047ea6dadfe560b696d99e374d0c497c0 commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream. Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: hidraw: correctly deallocate memory on device disconnect 2013-09-27T00:21:46Z Manoj Chourasia mchourasia@nvidia.com 2013-07-22T10:03:13Z urn:sha1:11c32876ee1e04043f251b4ffadae2e639f5bfdf commit 212a871a3934beccf43431608c27ed2e05a476ec upstream. This changes puts the commit 4fe9f8e203f back in place with the fixes for slab corruption because of the commit. When a device is unplugged, wait for all processes that have opened the device to close before deallocating the device. This commit was solving kernel crash because of the corruption in rb tree of vmalloc. The rootcause was the device data pointer was geting excessed after the memory associated with hidraw was freed. The commit 4fe9f8e203f was buggy as it was also freeing the hidraw first and then calling delete operation on the list associated with that hidraw leading to slab corruption. Signed-off-by: Manoj Chourasia <mchourasia@nvidia.com> Tested-by: Peter Wu <lekensteyn@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: battery: don't do DMA from stack 2013-09-27T00:21:46Z Jiri Kosina jkosina@suse.cz 2013-09-02T11:43:00Z urn:sha1:f0c298af1d7ac27bef191a8593c14244341efb01 commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream. Instead of using data from stack for DMA in hidinput_get_battery_property(), allocate the buffer dynamically. Reported-by: Richard Ryniker <ryniker@alum.mit.edu> Reported-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: picolcd: Prevent NULL pointer dereference on _remove() 2013-09-27T00:21:46Z Bruno Prémont bonbons@linux-vserver.org 2013-08-31T12:07:48Z urn:sha1:6794022829cf3bea51a4dc9c4e1ca94a42aaa677 commit 1cde501bb4655e98fb832194beb88ac73be5a05d upstream. When picolcd is switched into bootloader mode (for FW flashing) make sure not to try to dereference NULL-pointers of feature-devices during unplug/unbind. This fixes following BUG: BUG: unable to handle kernel NULL pointer dereference at 00000298 IP: [<f811f56b>] picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd] *pde = 00000000 Oops: 0000 [#1] Modules linked in: hid_picolcd syscopyarea sysfillrect sysimgblt fb_sys_fops CPU: 0 PID: 15 Comm: khubd Not tainted 3.11.0-rc7-00002-g50d62d4 #2 EIP: 0060:[<f811f56b>] EFLAGS: 00010292 CPU: 0 EIP is at picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd] Call Trace: [<f811d1ab>] picolcd_remove+0xcb/0x120 [hid_picolcd] [<c1469b09>] hid_device_remove+0x59/0xc0 [<c13464ca>] __device_release_driver+0x5a/0xb0 [<c134653f>] device_release_driver+0x1f/0x30 [<c134603d>] bus_remove_device+0x9d/0xd0 [<c13439a5>] device_del+0xd5/0x150 [<c14696a4>] hid_destroy_device+0x24/0x60 [<c1474cbb>] usbhid_disconnect+0x1b/0x40 ... Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: ntrig: validate feature report details 2013-09-27T00:21:46Z Kees Cook keescook@chromium.org 2013-08-28T20:31:28Z urn:sha1:fced5cedf4b0b2bc79413ac3c9498bbe2f98f7ba commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream. A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: picolcd_core: validate output report details 2013-09-27T00:21:46Z Kees Cook keescook@chromium.org 2013-08-28T20:31:52Z urn:sha1:b6381b665759c46c1d0676b934a6129a20df7eef commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream. A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. [jkosina@suse.cz: changed report->maxfield < 1 to report->maxfield != 1 as suggested by Bruno]. CVE-2013-2899 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org> Acked-by: Bruno Prémont <bonbons@linux-vserver.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: validate HID report id size 2013-09-27T00:21:46Z Kees Cook keescook@chromium.org 2013-08-28T20:29:55Z urn:sha1:eedeac300ac807db2f7b035b93b4644e894656d7 commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream. The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: sensor-hub: validate feature report details 2013-09-27T00:21:46Z Kees Cook keescook@chromium.org 2013-08-28T20:31:44Z urn:sha1:0c268dc93631a821dc5cc323e77b8be51bc58ea5 commit 9e8910257397372633e74b333ef891f20c800ee4 upstream. A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> HID: Fix Speedlink VAD Cezanne support for some devices 2013-09-27T00:21:46Z Stefan Kriwanek dev@stefankriwanek.de 2013-08-25T08:46:13Z urn:sha1:2a767434dc7cd4cc3e188c20ba53a2f4ecd3f413 commit 06bb5219118fb098f4b0c7dcb484b28a52bf1c14 upstream. Some devices of the "Speedlink VAD Cezanne" model need more aggressive fixing than already done. I made sure through testing that this patch would not interfere with the proper working of a device that is bug-free. (The driver drops EV_REL events with abs(val) >= 256, which are not achievable even on the highest laser resolution hardware setting.) Signed-off-by: Stefan Kriwanek <mail@stefankriwanek.de> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>